Computer Viruses

The term computer virus generally refers to a program that enters a computer without the user's knowledge or consent, disrupts its normal operation, and damages data and programs. A virus is best defined not by what it does, but by how it spreads: it infects other programs and makes them carry copies of it.

A biological virus enters a body, damages it, spreads to other bodies, and is eventually eradicated by the body's immune system or by external means. Similarly, a computer virus enters a computer system and attaches itself to a program (or to a set of programs or applications). When the infected program is run, the virus is activated and spreads to other parts of the system.

Viruses can be either benign or destructive. A benign virus replicates but causes little serious damage; a destructive virus corrupts or destroys data and programs.

Types of viruses

This section presents a broad classification of viruses. Most viruses are in fact “hybrid” combinations of various properties from multiple classes.

File infectors. These most often attach to program files, but can infect any file with executable code, including script files or program configuration files. When the program, script or configuration is executed, the virus is executed as well.

System or boot-record infectors. System or boot-record infectors do not necessarily infect a file. Instead they target areas of a hard disk used exclusively by the system, such as the boot record, the section of the disk that holds the code which boots the operating system. A virus that has infected the Master Boot Record is loaded before the operating system at every start-up, and from memory it spreads to the boot sectors of any removable media that are subsequently inserted.

Multi-partite viruses. Multi-partite viruses infect boot records as well as files. Because of this hybrid nature, a multipartite virus inherits the worst qualities of both parents: it can spread by either route, and disinfecting only the files or only the boot record leaves the other infected, so it is more contagious and harder to eradicate than either.

Macro viruses. A macro virus is written in a macro language, that is, a programming language built into a data-processing application such as a word processor or spreadsheet. It spreads through the features of that macro language, infecting new documents or spreadsheets from an already infected file (typically through macros that the application runs automatically when a document is opened). The vast majority of macro viruses spread within Microsoft Office applications.

Stealth viruses. Stealth viruses use many techniques to thwart detection. One technique is to redirect the addresses a program uses to reach other programs or system information so that they point to the virus instead; when the program calls for that supplementary program or system information, it actually runs the virus code. This infects the program without injecting additional code into its file, which could otherwise show up as a symptom to virus scanning software. Another common stealth technique modifies a file but intercepts directory listings and file reads so that the file's size (and even its contents) appear exactly as they were before infection. This nullifies the use of file length as an indicator of infection, and such a virus must be removed while it is not resident in memory (for example after booting from known-clean media), because while resident it hides its own changes.

Encrypted viruses. Encrypted viruses hide their body with a simple cipher. On disk the bulk of an encrypted virus does not look like a virus but like nondescript gibberish. When an infected program is executed, a small piece of plain, unencrypted code (the decryptor stub) decrypts the rest of the virus, which then proceeds to do its damage. An encrypted virus is harder to analyze because static inspection of the file shows only ciphertext, so the structure of the virus and the precise scope of its payload can be determined only after the body has been decrypted. It is not immune to reverse engineering, however: the stub must carry the decryption routine and key, so an analyst can run or emulate the stub to recover the body. For the same reason the stub itself, which stays constant from one infection to the next, can serve as a signature, which is why encryption is most useful when coupled with a polymorphic strategy.

Polymorphic viruses. Polymorphic viruses try to evade detection by altering their structure, typically by varying the decryptor stub and the encryption key on every infection (different registers, reordered or junk instructions, equivalent instruction sequences), so that no two copies share a fixed sequence of bytes. Each time an infection occurs, a polymorphic virus changes its form, confusing virus (detection) scanning software. Because virus scanners identify viruses by unique “signature” byte strings, any virus that changes its form presents a formidable new challenge; detection then has to rely on emulating the decryptor, or on an algorithmic description of the family, rather than on fixed strings.
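To make the difference between the two classes concrete, here is an added toy simulation in Python (not code from the original page): a virus body XORed with a per-infection key behind a small decryptor stub, a plain signature scanner, and an "emulator" that interprets the stub, lets it decrypt the body and scans the result, the emulation approach described under Virus detection below. The stub notation (a "key=HH" token, junk tokens, several equivalent decrypt tokens), the sample body and the signatures are assumptions of this demo, not real machine code or real scanner signatures.

```python
import random

# Constructed toy "virus body" (plaintext). A real virus body is machine code;
# a tagged string stands in for it so the demonstration stays readable.
VIRUS_BODY = b"<<infect-host;deliver-payload>>"

# Signatures a scanner might extract: one from the plaintext body, one from the
# constant decryptor stub of the non-polymorphic encrypted variant.
BODY_SIGNATURE = b"infect-host;deliver-payload"
STUB_SIGNATURE = b"{key="

# Toy decryptor "instructions" (an assumption of this demo, not real opcodes):
# 'key=HH' loads the key, any token in DECRYPT_FORMS decrypts the body that
# follows the stub, and anything else is a do-nothing instruction.
DECRYPT_FORMS = (b"dec", b"xor-loop", b"unpack")
JUNK_POOL = (b"nop", b"mov a,a", b"add a,0", b"xchg b,b")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the trivial cipher early encrypted viruses used.
    XOR is its own inverse, so one routine both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def build_stub(instructions: list) -> bytes:
    return b"{" + b";".join(instructions) + b"}"


def encrypted_virus(key: int) -> bytes:
    """Encrypted (non-polymorphic) virus: a constant stub followed by the XORed
    body. Copies differ only in the key byte and the ciphertext, so the stub
    bytes '{key=' are a usable signature even though the body is hidden."""
    assert 1 <= key <= 255  # key 0 would leave the body in clear
    stub = build_stub([b"key=%02x" % key, b"dec"])
    return stub + xor_bytes(VIRUS_BODY, key)


def polymorphic_virus(key: int, seed: int) -> bytes:
    """Polymorphic variant: same behaviour, but the stub is regenerated for every
    infection with junk instructions around the key load and one of several
    equivalent decrypt instructions, so no fixed byte string survives."""
    assert 1 <= key <= 255
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    junk_before = [rng.choice(JUNK_POOL) for _ in range(rng.randint(1, 3))]
    junk_after = [rng.choice(JUNK_POOL) for _ in range(rng.randint(0, 3))]
    stub = build_stub(junk_before + [b"key=%02x" % key] + junk_after
                      + [rng.choice(DECRYPT_FORMS)])
    return stub + xor_bytes(VIRUS_BODY, key)


def signature_scan(sample: bytes, signature: bytes) -> bool:
    """Plain signature scanning: does the fixed byte string occur in the file?"""
    return signature in sample


def emulate_and_scan(sample: bytes, signature: bytes) -> bool:
    """Emulation: interpret the stub, let it decrypt the body, then scan the
    decrypted body. This sees through both variants, because the virus has to
    decrypt itself before it can run and the key is necessarily in the stub."""
    if not sample.startswith(b"{") or b"}" not in sample:
        return False
    end = sample.index(b"}")
    stub, body = sample[1:end], sample[end + 1:]
    key = None
    for instr in stub.split(b";"):
        if instr.startswith(b"key="):
            key = int(instr[4:], 16)
        elif instr in DECRYPT_FORMS and key is not None:
            return signature in xor_bytes(body, key)
    return False


if __name__ == "__main__":
    for name, sample in [("encrypted", encrypted_virus(0x5a)),
                         ("polymorphic", polymorphic_virus(0x5a, seed=7))]:
        print(name, sample)
        print("  body signature :", signature_scan(sample, BODY_SIGNATURE))
        print("  stub signature :", signature_scan(sample, STUB_SIGNATURE))
        print("  emulate + scan :", emulate_and_scan(sample, BODY_SIGNATURE))
```

Running it shows the pattern the text describes: the body signature misses both variants, the stub signature catches the plain encrypted virus but not the polymorphic one, and emulation catches both. A real polymorphic engine also varies the key-load instruction and the cipher itself, which is why production scanners emulate rather than pattern-match the stub.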

Stages in the life of a virus

During its lifetime, a virus typically goes through the following four stages:

1. Dormant phase. The virus is idle, waiting to be activated by some event such as a date, the presence of another program or file, or the disk exceeding some capacity. Not all viruses have this phase.

2. Propagation phase. The virus places a copy of itself into other programs or into certain system areas on the disk. Each infected program now contains a clone of the virus, which will itself enter a propagation phase.

3. Triggering phase. The virus is activated to perform the function for which it was written. As with the dormant phase, the trigger can be a variety of events, including a count of the number of times this copy of the virus has made copies of itself.

4. Execution phase. The virus's function is actually performed. It may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.

Virus detection

The main methods of virus detection are the following:

  1. Signature-based scanning. This scheme searches for unique strings of bytes, i.e., a signature specific to a particular virus. When this string is found, the file is declared infected. Relying on signatures for detection poses two problems. First, users must update their virus scan software frequently in order to ensure the latest possible protection is installed. Second, signature-based scanners are only effective in identifying known viruses: a new or modified virus has no signature until the vendor has analyzed a sample.
  2. Emulation. This mimics the execution of a suspect file to determine any malicious intent. Essentially, the file is run inside what is referred to as a sandbox or virtual environment; in plain language, the file is tricked into believing it is interacting with the operating system when in fact it is not. Because an encrypted or polymorphic virus must decrypt itself before it can run, emulation also exposes the plain body of such viruses. Emulation can be time-consuming and result in a noticeable performance slowdown.
  3. Heuristics. These attempt to detect unknown viruses and often employ generalized signature scanning geared to detect families of viruses. If the virus is related to a known family, heuristics will detect it and report it as suspicious or as infected with an unknown virus. Heuristics may also rely on emulation, or on a combination of signatures and emulation. Because of heuristics' tendency to produce false positives (identifying a clean file as infected) and their performance cost, many vendors have reduced the level of heuristics employed. As a result, only a small number of products have gained a track record for detecting previously unknown threats.
  4. Behavioral analysis. This monitors the execution of the file and gives the user an opportunity to either prevent or undo any proposed or taken action. For example, if a file attempts to write to the system registry, the action can be blocked, either by the user or automatically, depending on configuration. In many respects, behavioral analysis and emulation are closely related, though behavioral analysis lets the file execute in real time on the actual system, stopping it only when suspicious behavior is detected. This avoids the performance slowdown of emulation, at the price of letting the file run until the suspicious action occurs.
  5. Check summing. This computes a checksum or cryptographic hash of each file's contents and uses it to verify file integrity. An initial scan of system files is performed; the value for each file is derived and stored in a database. When subsequent scans are performed, the program recomputes each value and checks that it still matches the database. If it has changed, the file is considered suspicious and/or infected. Two caveats apply: the baseline database must itself be protected from tampering, and the function should be a cryptographic hash rather than a simple sum of bytes, which an infector can preserve by appending padding.
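As an added worked example (not part of the original text), the following Python builds a checksumming baseline with SHA-256 over a constructed temporary directory, rescans it after one file has been modified and another added, and also shows why the weak "sum of bytes" kind of checksum is not enough: an infector can append a single padding byte that restores the sum. The file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def additive_checksum(data: bytes) -> int:
    """Weak checksum of the 'count of bytes' kind: the sum of all bytes mod 256."""
    return sum(data) % 256


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash: any change to the contents changes the value."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(root: Path) -> dict:
    """Initial scan: record a hash for every regular file directly under root."""
    return {p.name: sha256_hex(p.read_bytes())
            for p in sorted(root.iterdir()) if p.is_file()}


def verify(root: Path, baseline: dict) -> dict:
    """Later scan: recompute every hash and diff it against the stored database."""
    current = build_baseline(root)
    return {
        "changed": sorted(n for n in baseline
                          if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "added": sorted(n for n in current if n not in baseline),
    }


def forge_padding(original: bytes, modified: bytes) -> bytes:
    """One padding byte that gives `modified + padding` the same additive
    checksum as `original`; this is why a plain sum is not an integrity check."""
    return bytes([(sum(original) - sum(modified)) % 256])


def simulate() -> dict:
    """Constructed scenario: baseline two files, then 'infect' one by appending
    a body (padded to keep its additive checksum) and drop a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "calc.exe").write_bytes(b"MZ...constructed host program...")
        (root / "notes.txt").write_bytes(b"constructed text file, left untouched")
        baseline = build_baseline(root)

        original = (root / "calc.exe").read_bytes()
        infected = original + b"<<constructed virus body>>"
        infected += forge_padding(original, infected)
        (root / "calc.exe").write_bytes(infected)
        (root / "dropper.exe").write_bytes(b"constructed new file")

        return {
            "report": verify(root, baseline),
            "additive_checksum_unchanged":
                additive_checksum(original) == additive_checksum(infected),
            "sha256_unchanged": sha256_hex(original) == sha256_hex(infected),
        }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The report flags calc.exe as changed and dropper.exe as added while notes.txt stays quiet; the additive checksum of the padded infection equals the original's, whereas the SHA-256 value differs. In practice the baseline would be stored on read-only or signed media, since a virus that can rewrite the database can simply re-baseline its own changes.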

Suggestions to prevent virus infection

· Install antivirus software and keep its signatures up to date.

· Do not open unsolicited email attachments.

· Keep the operating system and application software updated.

· Use a firewall.

· Configure the browser's privacy (confidentiality) options.

· Disable pop-up windows in the browser.

· Enable user account control, so that programs cannot silently run with administrative privileges.