I | INTRODUCTION |
Virus (computer), a self-duplicating computer program that spreads from
computer to computer, interfering with data and software. Just as biological
viruses infect people, spreading from person to person, computer viruses infect
personal computers (PCs) and servers, the computers that control access to a
network of computers. Some viruses are mere annoyances, but others can do
serious damage. Viruses can delete or change files, steal important information,
load and run unwanted applications, send documents via electronic mail (e-mail),
or even cripple a machine’s operating system (OS), the basic software that runs
the computer.
II | HOW INFECTIONS OCCUR |
A virus can infect a computer in a number of
ways. It can arrive on a floppy disk or inside an e-mail message. It can
piggyback on files downloaded from the World Wide Web or from an Internet
service used to share music and movies. Or it can exploit flaws in the way
computers exchange data over a network. So-called blended-threat viruses spread
via multiple methods at the same time. Some blended-threat viruses, for
instance, spread via e-mail but also propagate by exploiting flaws in an
operating system.
Traditionally, even if a virus found its way
onto a computer, it could not actually infect the machine—or propagate to other
machines—unless the user was somehow fooled into executing the virus by opening
it and running it just as one would run a legitimate program. But a new breed of
computer virus can infect machines and spread to others entirely on its own.
Simply by connecting a computer to a network, the computer owner runs the risk
of infection. Because the Internet connects computers around the world, viruses
can spread from one end of the globe to the other in a matter of minutes.
III | TYPES OF VIRUSES |
There are many categories of viruses,
including parasitic or file viruses, bootstrap-sector, multipartite, macro, and
script viruses. Then there are so-called computer worms, which have become
particularly prevalent. A computer worm is a type of virus. However, instead of
infecting files or operating systems, a worm replicates from computer to
computer by spreading entire copies of itself.
Parasitic or file viruses infect executable
files or programs in the computer. These files are often identified by the
extension .exe in the name of the computer file. File viruses leave the contents
of the host program unchanged but attach to the host in such a way that the
virus code is run first. These viruses can be either direct-action or resident.
A direct-action virus selects one or more programs to infect each time it is
executed. A resident virus hides in the computer's memory and infects a
particular program when that program is executed.
Bootstrap-sector viruses reside on the first
portion of the hard disk or floppy disk, known as the boot sector. These viruses
replace either the programs that store information about the disk's contents or
the programs that start the computer. Typically, these viruses spread by means
of the physical exchange of floppy disks.
Multipartite viruses combine the abilities
of the parasitic and the bootstrap-sector viruses, and so are able to infect
either files or boot sectors. These types of viruses can spread if a computer
user boots from an infected diskette or accesses infected files.
Other viruses infect programs that contain
powerful macro languages (programming languages that let the user
create new features and utilities). These viruses, called macro viruses, are
written in macro languages and automatically execute when the legitimate program
is opened.
Script viruses are written in script
programming languages, such as VBScript (Visual Basic Script) and JavaScript.
These script languages can be seen as a special kind of macro language and are
even more powerful because most are closely related to the operating system
environment. The 'ILOVEYOU' virus, which appeared in 2000 and infected an
estimated 1 in 5 personal computers, is a famous example of a script virus.
Strictly speaking, a computer virus is
always a program that attaches itself to some other program. But computer virus
has become a blanket term that also refers to computer worms. A worm operates
entirely on its own, without ever attaching itself to another program.
Typically, a worm spreads over e-mail and through other ways that computers
exchange information over a network. In this way, a worm not only wreaks havoc
on machines, but also clogs network connections and slows network traffic, so
that it takes an excessively long time to load a Web page or send an
e-mail.
IV | ANTI-VIRAL TACTICS |
A | Preparation and Prevention |
Computer users can prepare for a viral
infection by creating backups of legitimate original software and data files
regularly so that the computer system can be restored if necessary. Viral
infection can be prevented by obtaining software from legitimate sources or by
using a quarantined computer—that is, a computer not connected to any network—to
test new software. Plus, users should regularly install operating system (OS)
patches, software updates that mend the sort of flaws, or holes, in the
OS often exploited by viruses. Patches can be downloaded from the Web site of
the operating system’s developer. However, the best prevention may be the
installation of current and well-designed antiviral software. Such software can
prevent a viral infection and thereby help stop its spread.
B | Virus Detection |
Several types of antiviral software can be
used to detect the presence of a virus. Scanning software can recognize the
characteristics of a virus's computer code and look for these characteristics in
the computer's files. Because new viruses must be analyzed as they appear,
scanning software must be updated periodically to be effective. Other scanners
search for common features of viral programs and are usually less reliable. Most
antiviral software uses both on-demand and on-access scanners. On-demand
scanners are launched only when the user activates them. On-access scanners, on
the other hand, are constantly monitoring the computer for viruses but are
always in the background and are not visible to the user. The on-access scanners
are seen as the proactive part of an antivirus package and the on-demand
scanners are seen as reactive. On-demand scanners usually detect a virus only
after the infection has occurred and that is why they are considered
reactive.
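The scanning described above can be made concrete with a small on-demand pattern scanner. This is an added teaching example, not code from the original article or from any antivirus product: the "files" it scans and the "signatures" it looks for are constructed byte strings invented for the demonstration, and the signature names are hypothetical. It shows why the article says scanning software must be updated: release 1 of the signature database only knows exact byte sequences and misses a variant, while release 2 adds a wildcard pattern covering the whole family.

```python
"""Minimal on-demand signature scanner, added here as a teaching example.

Not code from the original article or from any antivirus product. The files
and signatures below are constructed byte strings for the demonstration only;
they are not real malware patterns.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A named detection pattern, written as a bytes regular expression."""
    name: str
    pattern: bytes

    def matches(self, data: bytes) -> bool:
        return re.search(self.pattern, data) is not None


# Constructed signature database, "release 1": exact byte sequences only.
SIGNATURE_DB_V1 = (
    Signature("Constructed.Sample.A", re.escape(b"CONSTRUCTED-MARKER-A-v0")),
    Signature("Constructed.Sample.B", re.escape(b"CONSTRUCTED-MARKER-B")),
)

# "Release 2": analysts have seen a variant and added a wildcard pattern that
# covers the whole family instead of one exact copy.
SIGNATURE_DB_V2 = SIGNATURE_DB_V1 + (
    Signature("Constructed.Sample.A.family", rb"CONSTRUCTED-MARKER-A-v[0-9]"),
)


def scan_bytes(data: bytes, db: tuple[Signature, ...]) -> list[str]:
    """Return the names of all signatures found in one file's contents."""
    return [sig.name for sig in db if sig.matches(data)]


def scan_files(files: dict[str, bytes], db: tuple[Signature, ...]) -> dict[str, list[str]]:
    """On-demand scan: examine every file once and report only those with hits."""
    report: dict[str, list[str]] = {}
    for name, data in files.items():
        hits = scan_bytes(data, db)
        if hits:
            report[name] = hits
    return report


# Constructed sample "disk": a clean program, one carrying the known marker,
# and one carrying a slightly changed variant of that marker.
SAMPLE_FILES = {
    "EDITOR.EXE": b"MZ" + b"\x90" * 32 + b"constructed harmless program body",
    "GAME.EXE": b"MZ" + b"\x90" * 32 + b"CONSTRUCTED-MARKER-A-v0" + b"rest of host",
    "GAME2.EXE": b"MZ" + b"\x90" * 32 + b"CONSTRUCTED-MARKER-A-v1" + b"rest of host",
}


if __name__ == "__main__":
    for label, db in (("release 1", SIGNATURE_DB_V1), ("release 2", SIGNATURE_DB_V2)):
        print(f"Scan with signature database {label}: {scan_files(SAMPLE_FILES, db)}")
```

With release 1 only GAME.EXE is reported; GAME2.EXE, which differs by a single byte in the marker, passes unnoticed until the database is updated. That gap between a new sample appearing and its pattern reaching every installation is the reason the article calls on-demand scanning reactive.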
Antivirus software is usually sold as
packages containing many different software programs that are independent of one
another and perform different functions. When installed or packaged together,
antiviral packages provide complete protection against viruses. Within most
antiviral packages, several methods are used to detect viruses. Checksumming,
for example, uses mathematical calculations to compare the state of executable
programs before and after they are run. If the checksum has not changed, then
the system is uninfected. Checksumming software can detect an infection only
after it has occurred, however. As this technology is dated and some viruses can
evade it, checksumming is rarely used today.
Most antivirus packages also use
heuristics (problem-solving by trial and error) to detect new viruses.
This technology observes a program’s behavior and evaluates how closely it
resembles a virus. It relies on experience with previous viruses to predict the
likelihood that a suspicious file is an as-yet unidentified or unclassified new
virus.
Other types of antiviral software include
monitoring software and integrity-shell software. Monitoring software is
different from scanning software. It detects illegal or potentially damaging
viral activities such as overwriting computer files or reformatting the
computer's hard drive. Integrity-shell software establishes layers through which
any command to run a program must pass. Checksumming is performed automatically
within the integrity shell, and infected programs, if detected, are not allowed
to run.
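The checksumming described earlier and the integrity shell described just above rest on the same mechanism, so one added example covers both. This is teaching code written for this page, not code from the original article or from any antivirus product; the "programs" are constructed byte strings, SHA-256 stands in for whatever checksum a real product used, and `run_program` is a hypothetical stand-in for actually executing a file. A baseline of checksums is recorded while the system is known clean; a later comparison reports what changed, and the integrity-shell gate refuses to run any program whose checksum no longer matches or that has no baseline entry at all.

```python
"""Checksumming and an integrity-shell gate, added here as a teaching example.

Not code from the original article or from any antivirus product. The
programs are constructed byte strings; run_program is a hypothetical stand-in
for executing a file.
"""
from __future__ import annotations

import hashlib


def checksum(data: bytes) -> str:
    """SHA-256 of a program's bytes, playing the role of the article's checksum."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(programs: dict[str, bytes]) -> dict[str, str]:
    """Record a checksum for every program while the system is known clean."""
    return {name: checksum(data) for name, data in programs.items()}


def verify(programs: dict[str, bytes], baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current programs against the baseline.

    Reports programs whose checksum changed ("modified"), programs with no
    baseline entry ("new"), and baseline entries whose program is gone ("missing").
    """
    modified = [n for n, d in programs.items() if n in baseline and checksum(d) != baseline[n]]
    new = [n for n in programs if n not in baseline]
    missing = [n for n in baseline if n not in programs]
    return {"modified": modified, "new": new, "missing": missing}


def run_program(name: str, data: bytes) -> str:
    """Hypothetical stand-in for execution: only reports what would have run."""
    return f"ran {name} ({len(data)} bytes)"


def integrity_shell_run(name: str, programs: dict[str, bytes], baseline: dict[str, str]) -> str:
    """Integrity shell: every request to run a program passes through this gate.

    The checksum is recomputed at launch time; a program with no baseline entry
    or with a changed checksum is refused instead of being executed.
    """
    if name not in programs:
        return f"refused {name}: no such program"
    if name not in baseline:
        return f"refused {name}: not in integrity baseline"
    if checksum(programs[name]) != baseline[name]:
        return f"refused {name}: checksum changed since baseline"
    return run_program(name, programs[name])


# Constructed clean state, from which the baseline is taken.
CLEAN_PROGRAMS = {
    "EDITOR.EXE": b"MZ" + b"\x90" * 16 + b"constructed editor body",
    "GAME.EXE": b"MZ" + b"\x90" * 16 + b"constructed game body",
}
BASELINE = build_baseline(CLEAN_PROGRAMS)

# Constructed later state: GAME.EXE has bytes appended (standing in for a file
# virus attaching itself to a host) and an unknown program has appeared.
LATER_PROGRAMS = {
    "EDITOR.EXE": CLEAN_PROGRAMS["EDITOR.EXE"],
    "GAME.EXE": CLEAN_PROGRAMS["GAME.EXE"] + b"constructed appended bytes",
    "NEW.EXE": b"MZ" + b"constructed unknown program",
}


if __name__ == "__main__":
    print("Baseline check on clean disk:", verify(CLEAN_PROGRAMS, BASELINE))
    print("Check on later disk:", verify(LATER_PROGRAMS, BASELINE))
    for program in ("EDITOR.EXE", "GAME.EXE", "NEW.EXE"):
        print(integrity_shell_run(program, LATER_PROGRAMS, BASELINE))
```

The example also makes the article's two caveats visible. `verify` can only report a change that has already happened, which is why checksumming is called after-the-fact detection. And the baseline itself is the weak point: if it is refreshed from a disk that was already modified, the altered program is accepted as legitimate from then on, which is exactly the window a slow infector relies on. A baseline should therefore be rebuilt only from software restored from trusted, write-protected media.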
C | Containment and Recovery |
Once a viral infection has been detected,
it can be contained by immediately isolating computers on networks, halting the
exchange of files, and using only write-protected disks. In order for a computer
system to recover from a viral infection, the virus must first be eliminated.
Some antivirus software attempts to remove detected viruses, but sometimes with
unsatisfactory results. More reliable results are obtained by turning off the
infected computer; restarting it from a write-protected floppy disk; deleting
infected files and replacing them with legitimate files from backup disks; and
erasing any viruses on the boot sector.
V | VIRAL STRATEGIES |
The authors of viruses have several strategies
to circumvent antivirus software and to propagate their creations more
effectively. So-called polymorphic viruses make variations in the copies of
themselves to elude detection by scanning software. A stealth virus hides from
the operating system when the system checks the location where the virus
resides, by forging results that would be expected from an uninfected system. A
so-called fast-infector virus infects not only programs that are executed but
also those that are merely accessed. As a result, running antiviral scanning
software on a computer infected by such a virus can infect every program on the
computer. A so-called slow-infector virus infects files only when the files are
modified, so that it appears to checksumming software that the modification was
legitimate. A so-called sparse-infector virus infects only on certain
occasions—for example, it may infect every tenth program executed. This strategy
makes it more difficult to detect the virus.
By using combinations of several virus-writing
methods, virus authors can create more complex new viruses. Many virus authors
also tend to adopt new technologies as soon as they appear. The antivirus industry must
move rapidly to update its antiviral software and contain the outbreak of
such new viruses.
VI | VIRUS-LIKE COMPUTER PROGRAMS |
There are other harmful computer programs
that can be part of a virus but are not considered viruses because they do not
have the ability to replicate. These programs fall into three categories: Trojan
horses, logic bombs, and deliberately harmful or malicious software programs
that run within a Web browser, an application program, such as Internet Explorer
or Netscape, that displays Web sites.
A Trojan horse is a program that pretends to
be something else. A Trojan horse may appear to be something interesting and
harmless, such as a game, but when it runs it may have harmful effects. The term
comes from the classic Greek story of the Trojan horse found in Homer’s
Iliad.
A logic bomb infects a computer’s memory,
but unlike a virus, it does not replicate itself. A logic bomb delivers its
instructions when it is triggered by a specific condition, such as when a
particular date or time is reached or when a combination of letters is typed on
a keyboard. A logic bomb has the ability to erase a hard drive or delete certain
files.
Malicious software programs that run within
a Web browser often appear in Java applets and ActiveX controls. Although these
applets and controls improve the usefulness of Web sites, they also increase a
vandal’s ability to interfere with unprotected systems. Because those controls
and applets require that certain components be downloaded to a user’s personal
computer (PC), activating an applet or control might actually download malicious
code.
A | History |
In 1949 Hungarian American mathematician
John von Neumann, at the Institute for Advanced Study in Princeton, New Jersey,
proposed that it was theoretically possible for a computer program to replicate.
This theory was tested in the 1950s at Bell Laboratories when a game called Core
Wars was developed, in which players created tiny computer programs that
attacked, erased, and tried to propagate on an opponent's system.
In 1983 American electrical engineer Fred
Cohen, at the time a graduate student, coined the term virus to describe
a self-replicating computer program. In 1985 the first Trojan horses appeared,
posing as a graphics-enhancing program called EGABTR and as a game called
NUKE-LA. A host of increasingly complex viruses followed.
The so-called Brain virus appeared in 1986
and spread worldwide by 1987. In 1988 two new viruses appeared: Stone, the first
bootstrap-sector virus, and the Internet worm, which crossed the United States
overnight via computer network. The Dark Avenger virus, the first fast infector,
appeared in 1989, followed by the first polymorphic virus in 1990.
Computer viruses grew more sophisticated
in the 1990s. In 1995 the first macro language virus, WinWord Concept, was
created. In 1999 the Melissa macro virus, spread by e-mail, disabled e-mail
servers around the world for several hours, and in some cases several days.
Regarded by some as the most prolific virus ever, Melissa cost corporations
millions of dollars due to computer downtime and lost productivity.
The VBS_LOVELETTER script virus, also
known as the Love Bug and the ILOVEYOU virus, unseated Melissa as the world's
most prevalent and costly virus when it struck in May 2000. By the time the
outbreak was finally brought under control, losses were estimated at U.S.$10
billion, and the Love Bug is said to have infected 1 in every 5 PCs
worldwide.
The year 2003 was a particularly bad year
for computer viruses and worms. First, the Blaster worm infected more than 10
million machines worldwide by exploiting a flaw in Microsoft’s Windows operating
system. A machine that lacked the appropriate patch could be infected simply by
connecting to the Internet. Then, the SoBig worm infected millions more machines
in an attempt to convert systems into networking relays capable of sending
massive amounts of junk e-mail known as spam. SoBig spread via e-mail, and
before the outbreak was 24 hours old, MessageLabs, a popular e-mail filtering
company, captured more than a million SoBig messages and called it the
fastest-spreading virus in history. In January 2004, however, the MyDoom virus
set a new record, spreading even faster than SoBig, and, by most accounts,
causing even more damage.