Viruses: Booting and the Beasts

Anyone who's seen Independence Day knows computer viruses come in handy for zapping aliens, but in reality they are themselves the enemy. Chris Long reports

Its discovery produces the computing equivalent of standing on a kitchen chair shrieking "Eek, a mouse!" But this time normally sanguine users put their hands to their faces and yell "Eek, a virus!" At this point there follows an orderly panic as the user tries to work out just how bad things are, and who else they may have infected. Before too long they are wondering whether they should start phoning people to warn them that files they have received may be infected.

As things escalate it starts to get messy: users start to eye piles of disks, wondering if they will ever have time to check them all. If the user is on a network there ensues a round of arguments with other users who are unwilling to log off and let the systems people run an antivirus program. On some networks, users are unwilling to log off while the systems people run out to buy an antivirus program.

Then there are the users who have an antivirus package that didn't pick up the virus; in general, these are the unhappiest of the lot.

Computer viruses have been with us almost as long as we have had computer programs, and generally they have been (and still are) created by young people. Most university systems had at least one student who would attempt to write something that made the university's machine hiccup. More often than not that student would be male, and the attempts would stop when he discovered women.

In the 60s and 70s, computer systems saw ever more sophisticated prank programs, generally of the worm type, where a program introduced to the computer would take up more and more space and processing time until everything ground to a halt.

The first PC viruses weren't really noticed until 1985/86. One of the first was the Brain virus, apparently written by two brothers who owned a software house in Pakistan. The virus didn't do much damage (it just replicated itself, from floppy boot sector to floppy boot sector), but it was enough, and it signalled the start.

Brain's discovery brought the area to the attention of the public and of other potential virus writers. An area that had hitherto been mostly inhabited by jokers became much more serious, and by 1988 the virus industry had kicked off.

Even though the US is the main breeding ground for PC technology, it is surprising to note that the rest of the world has taken to virus writing like so many ducks to water. Three years ago, a director of the Laboratory of Computer Virology at the Bulgarian Academy of Sciences claimed that just under nine per cent of the world's viruses originated in Bulgaria, which given the size of its computing population is rather a lot. He also pointed the finger at Russia, the Netherlands, Italy and the US as major virus-producing countries.

Viruses aren't an insignificant business: they have reportedly cost companies nearly $2 billion in lost data, repair costs and lost productivity since 1990.

Despite its medical associations, the term virus refers to a computer program that reproduces itself and spreads. It is an unfortunate allusion simply because the computer virus is a man-made device, written deliberately, whether or not its actual effect is harmful; neither can be said of its organic namesake.

Another important difference between the computer and the organic virus is that the computer virus has to be activated before a computer catches the equivalent of a cold. The virus is just another program, so nothing can be infected until it is run.

The other thing a virus may carry is a payload: a pre-programmed action that is executed when the right conditions exist.

A virus is designed to copy itself on to a hard disk and into a PC's memory. Once on board, it can interfere with the operating system, corrupt program and data files, or simply post messages on the screen. The two commonest ways a virus enters a system are by being read and run at boot time or by being loaded into memory along with a system file or application.

Some viruses really go for it, infecting as many files as they can before they are detected. Others are sneakier: they contaminate files over a long period in an attempt not to arouse suspicion. These viruses attach themselves to executable files that are modified during normal use anyway, such as software packages that write new configuration information into their own program files. This tactic can help avoid detection by antivirus utilities that track file date and size, because a changed date or size on such a file is nothing out of the ordinary.

Many viruses in the wild are not programmed to erase files or inflict damage, but they can still be destructive, sometimes not through malicious intent, just straightforward incompetence. The Stoned virus was supposed simply to display the messages "Your PC is Stoned" and "Legalise Marijuana" every eighth time the infected system booted. But the author wrote his code for a 5.25in 360Kb low-density floppy disk. When the virus found its way on to higher-capacity floppies, it overwrote their boot sectors, making the files on them inaccessible.

New viruses used to appear at a rate of about 100 to 150 a year. But in 1996 the rate approached epidemic proportions, shooting up to between three and six new viruses a day.

In 1996, a survey of users suggested that the chance of getting a virus was about 10 in every 1,000 machines a month. In 1997, the same survey came up with an infection rate of about 33 in 1,000 machines a month, and 406 in 1,000 machines in a given year. And viruses are not only increasing in number, they are also growing in variety.

Boot sector viruses such as Michelangelo and Stoned used to be the commonest means of PC infection. They are typically transmitted when an infected floppy disk is left in a drive and the PC is rebooted: the PC loads and runs the floppy's boot record before any operating system is involved, and the virus code in it copies itself to the hard disk's master boot record. The familiar "non-system disk" error message may then appear, but the damage has already been done, with the boot sector virus loaded into memory and set to run at every subsequent boot from the hard disk.
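The master boot record is a fixed 512-byte structure, so the check a practitioner wants after a scare like the one above is simple: parse it, confirm it is still well-formed, and compare the boot-code area with a fingerprint saved when the machine was known to be clean. The following is an added example, not code from the article or from any antivirus product; the MBR images it works on are constructed inline (the 446/64/2-byte layout and the 0x55AA signature are the real PC layout, the boot code bytes are stand-ins).

```python
"""Parse a PC master boot record and check it against a saved baseline (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446              # boot code occupies bytes 0..445
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511 of every valid MBR
CHS_UNUSED = b"\xfe\xff\xff"    # CHS fields are not needed for this example


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples."""
    if len(boot_code) > TABLE_OFFSET or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(
        struct.pack(ENTRY_FMT, status, CHS_UNUSED, ptype, CHS_UNUSED, lba, count)
        for status, ptype, lba, count in partitions
    )
    return boot_code.ljust(TABLE_OFFSET, b"\x00") + table.ljust(64, b"\x00") + BOOT_SIGNATURE


def parse_partitions(sector: bytes) -> list:
    """Return the non-empty partition entries as dicts; raise if the sector is not a valid MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def boot_code_fingerprint(sector: bytes) -> str:
    """SHA-256 of the boot-code area only; the partition table may legitimately change later."""
    return hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest()


def check_mbr(sector: bytes, baseline_fingerprint: str) -> list:
    """Integrity and sanity checks; an empty list means nothing was found."""
    try:
        parts = parse_partitions(sector)
    except ValueError as exc:
        return [f"structure: {exc}"]
    findings = []
    if boot_code_fingerprint(sector) != baseline_fingerprint:
        findings.append("boot code differs from saved baseline")
    if sum(p["bootable"] for p in parts) != 1:
        findings.append("expected exactly one bootable partition")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append("overlapping partitions")
            break
    return findings


# Constructed sample: a clean MBR (cli / xor ax,ax / mov ss,ax / mov sp,7c00h prologue plus a
# marker), then the same disk after something else has been written over the boot code.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"CONSTRUCTED-CLEAN-LOADER"
PARTITIONS = [(0x80, 0x06, 63, 1_000_000), (0x00, 0x05, 1_000_063, 500_000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE = boot_code_fingerprint(CLEAN_MBR)   # what you would store while the machine is clean
TAMPERED_MBR = (b"CONSTRUCTED-FOREIGN-BOOT-CODE".ljust(TABLE_OFFSET, b"\x90")
                + CLEAN_MBR[TABLE_OFFSET:])   # partition table untouched, boot code replaced


def demo() -> dict:
    """Run the checks on a clean image, a tampered one and one with its signature wiped."""
    return {
        "clean": check_mbr(CLEAN_MBR, BASELINE),
        "tampered": check_mbr(TAMPERED_MBR, BASELINE),
        "no_signature": check_mbr(CLEAN_MBR[:510] + b"\x00\x00", BASELINE),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or ['OK']}")
```

Hashing only the first 446 bytes is deliberate: a boot sector virus replaces the code while leaving the partition table alone so the disk still boots, and a baseline over the whole sector would raise false alarms every time a partition was resized.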

Then there are file viruses: bits of code that attach themselves to system files, such as Command.com, or to other applications. When an infected program is run, the virus also loads into memory. Some file viruses, known as companion viruses, don't touch the target program at all: they drop a Com file with the same name as an existing Exe file, because when that name is typed Dos will always pick the Com file to run first, thus running the virus.
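The companion trick works because of the fixed order in which COMMAND.COM searches for a typed name: the current directory and then each PATH directory, trying .COM, .EXE and .BAT in turn. The following added example (not code from the article) models that search and then runs the check a practitioner would want, a sweep for directories that hold both NAME.COM and NAME.EXE. The directory listings are constructed.

```python
"""DOS command resolution order and a companion-virus sweep (added example)."""
from collections import defaultdict

EXTENSION_ORDER = (".COM", ".EXE", ".BAT")   # the order COMMAND.COM tries in each directory


def dos_resolve(command: str, cwd: str, path_dirs: list, listing: dict):
    """Return (directory, filename) that DOS would run for `command`, or None.

    `listing` maps a directory name to the set of filenames it contains.
    """
    name = command.upper()
    for directory in [cwd] + list(path_dirs):
        files = {f.upper() for f in listing.get(directory, ())}
        for ext in EXTENSION_ORDER:
            if name + ext in files:
                return directory, name + ext
    return None


def companion_pairs(listing: dict) -> list:
    """Report every (directory, stem) where both STEM.COM and STEM.EXE exist.

    A few legitimate packages ship both, so this is a lead to investigate rather
    than a verdict; the .COM half is the one to look at.
    """
    suspects = []
    for directory, files in listing.items():
        by_stem = defaultdict(set)
        for f in files:
            stem, dot, ext = f.upper().rpartition(".")
            if dot:
                by_stem[stem].add("." + ext)
        for stem, exts in sorted(by_stem.items()):
            if ".COM" in exts and ".EXE" in exts:
                suspects.append((directory, stem))
    return suspects


# Constructed listings: the same disk before and after a companion is dropped beside DEMO.EXE.
BEFORE = {
    "C:\\": {"COMMAND.COM", "AUTOEXEC.BAT"},
    "C:\\DOS": {"FORMAT.COM", "XCOPY.EXE", "EDIT.COM"},
    "C:\\APPS": {"DEMO.EXE", "DEMO.INI"},
}
AFTER = {d: set(f) for d, f in BEFORE.items()}
AFTER["C:\\APPS"].add("DEMO.COM")   # the companion; DEMO.EXE itself is unmodified
PATH = ["C:\\DOS", "C:\\APPS"]


def demo() -> dict:
    """What runs when the user types DEMO at the C:\\ prompt, before and after."""
    return {
        "before": dos_resolve("demo", "C:\\", PATH, BEFORE),
        "after": dos_resolve("demo", "C:\\", PATH, AFTER),
        "suspects_before": companion_pairs(BEFORE),
        "suspects_after": companion_pairs(AFTER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the real program is left byte-for-byte intact, a scanner that only fingerprints known executables sees nothing wrong with DEMO.EXE; the sweep above catches the new file by its relationship to the old one rather than by its contents.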

Multipartite viruses are sneakier: they start off as a boot sector or file virus, but once loaded into memory they exhibit traits of both. Tequila is a multipartite that starts as a file virus but goes on to infect boot sectors; AntiCad attacks a system from a floppy boot record and then invades the Exe and Com files on a hard disk.

Viruses can sometimes disguise themselves to evade discovery even by sophisticated detection utilities. Stealth viruses fool detection programs by staying resident and intercepting disk reads: when a scanner asks for an infected file or boot sector, the virus hands back what was there before infection. Some antivirus utilities find viruses by checking the disk's boot sector and files for byte patterns that indicate virus code. But clever virus writers keep the body encrypted on disk and decrypt it only when the virus loads into memory, so the tell-tale pattern is never there to be found.

Polymorphic viruses, on the other hand, change their form with each reproduction, typically by encrypting themselves with a randomly generated key. By storing that key, together with a small decryption routine, alongside the copy, the virus can decrypt itself once it's in memory; and because the routine itself is varied from copy to copy, no fixed byte string survives for a scanner to match.

Executable virus code, therefore, generally attacks by adding itself to executable files or by infecting the boot sectors of disks. But a new kid on the block has changed all that.

The new kid is the macro virus, and it has come from nowhere to top the league table in number of hits. Macro viruses account for over 25 per cent of all reported problems: in August 1996, 42 were known to exist; by the middle of this year it was 205, and that number isn't likely to get smaller.

In a similar way to a file virus, a macro virus conceals itself as a macro in a document. When the document is opened, the macro can execute any instructions supported by the application's macro language. It can prevent the document being saved, corrupt templates and styles and, worst of all, it can delete files on the hard disk.

Almost all reported macro viruses infect Microsoft Word, although a few Excel, Ami Pro and 1-2-3 macro viruses exist. Events such as opening, closing or saving a file can trigger a macro virus, since Word runs macros with reserved names such as AutoOpen and AutoClose automatically. Once run, these viruses usually infect the Normal.dot template that Word uses to store global customisations, so every document saved from then on carries the virus with it.

Microsoft itself has a few defences in place. Copies of Word that have shipped since January clean out known macro viruses when upgrading. Word 97 warns you if a file you are opening contains macros and offers not to load them. If you get such a warning on a Doc file that you didn't know was a template, it would seem sensible to say no.

The cleaning up of contaminated files has become a controversial subject. Some systems try to remove the entire virus while others, concerned that removing too much code may damage the original file, try to remove only enough to disable it.

Others contend that the only way to be sure of removing a virus is to delete the entire infected file. But macro viruses have changed this. Although it may be practical to delete an infected program file and reinstall a clean copy, users don't want to lose work by deleting infected word-processing documents and spreadsheets. Macro viruses must be removed without destroying the data.

In general, antivirus software works on a very simple basis: it looks for a byte signature, in effect a fingerprint, in each file, and if it matches a signature in its virus definition file then it rings the alarm. This approach, however, requires new definitions as new viruses are written, so a scanner is only as good as its most recent update. Companies such as Symantec, which claims to be the world's largest supplier of antivirus programs, are using the internet to supply the latest virus definitions and modifications.

There is a stricter way to stop viruses though: do not allow unknown disks to be accessed. UK company Reflex, for example, gives each disk to be used on its system a unique number, and a disk only gets a number once it has been scanned for viruses. The PCs are set up so that they will only read disks that carry an authentication number. While thorough, this approach introduces extra work. Although it is popular with companies that want to monitor every disk transaction, it isn't particularly useful for the small user.

The future seems to lie with the heuristic approach, which has been around for a while but has lacked the computing power to achieve its ends. The heuristic system creates a virtual machine within the PC in which the file is executed and watched for bad behaviour. The file is run, say, 75 times, and if it changes size or name or tries to access the boot sector then the antivirus program has a pretty good idea that it is up to no good and clobbers it. The same emulation also undoes the encrypted and polymorphic disguises described earlier: once the virus's own decryption routine has run inside the virtual machine, the plain body is sitting in its memory, where an ordinary signature search will find it.
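Signature scanning, the encrypted and polymorphic bodies that defeat it, and the emulating scanner that gets round that in turn, all fit in one short program. The following is an added example, not code from the article or from any antivirus vendor: the virus body, the signature and the two-byte "decryptor stub" are constructed stand-ins, not real virus code, and the emulator is just a function that does what the stub says rather than a real x86 virtual machine.

```python
"""Signature scanning versus a polymorphic encryptor, and emulation to recover the body (added example)."""
import random

# Constructed body: a short prologue (mov ax,4c00h / int 21h) followed by an ASCII marker.
VIRUS_BODY = bytes.fromhex("b8004ccd21") + b"CONSTRUCTED-VIRUS-BODY-NOT-REAL-CODE"
# A definition-file entry is a distinctive slice of the body.
SIGNATURES = {"Constructed.Demo": b"CONSTRUCTED-VIRUS-BODY"}

OP_XOR, OP_ADD = 0x01, 0x02   # the stub's "instruction": which transform this copy used


def signature_scan(data: bytes, signatures=SIGNATURES) -> list:
    """Plain signature scanning: every definition whose byte pattern occurs in the data."""
    return [name for name, sig in signatures.items() if sig in data]


def polymorphic_copy(body: bytes, rng: random.Random) -> bytes:
    """Produce the next generation: fresh key, randomly chosen transform, body encrypted.

    Layout: [op][key][ciphertext]. The key is never zero, so no plaintext byte survives,
    and the op byte varies too, so even the stub is not a constant string.
    """
    op = rng.choice((OP_XOR, OP_ADD))
    key = rng.randrange(1, 256)
    if op == OP_XOR:
        enc = bytes(b ^ key for b in body)
    else:
        enc = bytes((b + key) & 0xFF for b in body)
    return bytes((op, key)) + enc


def emulate_decryptor(sample: bytes) -> bytes:
    """What an emulating scanner does: carry out the stub's logic in a sandbox and
    read the decrypted body back out of the virtual machine's memory."""
    op, key, enc = sample[0], sample[1], sample[2:]
    if op == OP_XOR:
        return bytes(b ^ key for b in enc)
    if op == OP_ADD:
        return bytes((b - key) & 0xFF for b in enc)
    raise ValueError("unrecognised stub")


def scan_with_emulation(sample: bytes, signatures=SIGNATURES) -> list:
    """Static scan first; if nothing matches, emulate the decryptor and scan the result."""
    hits = signature_scan(sample, signatures)
    if hits:
        return hits
    try:
        return signature_scan(emulate_decryptor(sample), signatures)
    except ValueError:
        return []


def demo(generations: int = 20, seed: int = 1997) -> dict:
    """Scan `generations` fresh copies both ways and count detections."""
    rng = random.Random(seed)
    copies = [polymorphic_copy(VIRUS_BODY, rng) for _ in range(generations)]
    return {
        "distinct_copies": len(set(copies)),
        "static_hits": sum(bool(signature_scan(c)) for c in copies),
        "emulated_hits": sum(bool(scan_with_emulation(c)) for c in copies),
        "plain_body_hit": signature_scan(VIRUS_BODY),
    }


if __name__ == "__main__":
    print(demo())
```

The point the numbers make: the unencrypted body is caught at once, every encrypted generation slips past the static scan, and every one is caught again once the decryptor has been emulated. A real polymorphic engine varies far more than two bytes of stub, which is why the emulator has to be a genuine CPU model rather than a lookup on an op byte, but the shape of the defence is the same.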

The internet comes into play as soon as the issue of security is raised. A recent US survey found that 45 per cent of the most recent infections began either with a download (19 per cent) or with an electronic mail attachment (26 per cent).

The answer for companies trying to filter out loaded email is an antivirus firewall (or virus wall), where each attachment is stripped out of the email and checked and then, if it is clear, put back with the message and sent on. Unfortunately, this is not possible with encrypted attachments: the gateway cannot see inside them, so it has to decide between passing them on unscanned and holding them back.
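The strip, scan and re-attach loop of a virus wall, for a single message, looks like this. It is an added example built on Python's standard email library, not code from the article or from any gateway product; the inbound message, the one signature and the rule that treats .pgp/.gpg/.asc attachments as encrypted are all constructed, and the choice to hold encrypted attachments back rather than pass them through is an assumed policy.

```python
"""A minimal virus-wall pass over one email message (added example)."""
import email
from email import policy
from email.message import EmailMessage

SIGNATURES = {"Constructed.Demo": b"CONSTRUCTED-VIRUS-BODY"}
# Assumption for this example: these extensions mark an attachment the gateway cannot inspect.
ENCRYPTED_EXTENSIONS = (".pgp", ".gpg", ".asc")


def scan_bytes(data: bytes, signatures=SIGNATURES) -> list:
    """Signature check on one attachment's decoded bytes."""
    return [name for name, sig in signatures.items() if sig in data]


def attachment_bytes(part) -> bytes:
    """Decoded attachment content as bytes, whatever the transfer encoding or content type."""
    payload = part.get_content()
    if isinstance(payload, str):          # text/* parts come back as str
        payload = payload.encode(part.get_content_charset() or "utf-8")
    return payload


def filter_message(raw: bytes, signatures=SIGNATURES):
    """Strip every attachment, scan it, and rebuild the message with only the clean ones.

    Returns (clean_message, report), where report is a list of (filename, verdict).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = EmailMessage()
    for header in ("From", "To", "Subject", "Date"):
        if header in msg:
            out[header] = msg[header]
    body = msg.get_body(preferencelist=("plain",))
    out.set_content(body.get_content() if body is not None else "")

    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if name.lower().endswith(ENCRYPTED_EXTENSIONS):
            report.append((name, "held: encrypted, cannot be scanned"))
            continue                        # fail closed: do not forward what we cannot check
        data = attachment_bytes(part)
        hits = scan_bytes(data, signatures)
        if hits:
            report.append((name, "stripped: " + ", ".join(hits)))
            continue
        maintype, subtype = part.get_content_type().split("/", 1)
        out.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
        report.append((name, "clean"))
    return out, report


def build_sample() -> bytes:
    """Constructed inbound message: one clean, one infected and one encrypted attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Q3 figures"
    m.set_content("Please see the attached files.")
    m.add_attachment("region,units\nnorth,120\n", subtype="csv", filename="figures.csv")
    m.add_attachment(b"MZ" + b"\x00" * 16 + b"CONSTRUCTED-VIRUS-BODY-NOT-REAL-CODE",
                     maintype="application", subtype="octet-stream", filename="viewer.exe")
    m.add_attachment(b"-----BEGIN PGP MESSAGE-----\n(opaque)\n-----END PGP MESSAGE-----\n",
                     maintype="application", subtype="octet-stream", filename="contract.asc")
    return m.as_bytes()


def demo() -> dict:
    """Filter the sample and summarise what was kept and why."""
    cleaned, report = filter_message(build_sample())
    kept = [p.get_filename() for p in cleaned.iter_attachments()]
    return {"report": report, "kept": kept}


if __name__ == "__main__":
    for filename, verdict in demo()["report"]:
        print(f"{filename}: {verdict}")
```

Scanning the decoded bytes rather than the raw message text matters: attachments travel base64-encoded, so a signature that is obvious in the file is invisible in the wire form of the mail.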

Another, much bigger problem is just waiting to happen on the internet: Java applets and ActiveX controls can be downloaded and run in the background without the user necessarily knowing about it, which means that a virus can run in the background without the user knowing about it either. A virus on a button is a relatively simple thing to achieve, and it really is only a matter of time until it happens in a big way. The solution is to switch off a browser's Java or ActiveX support, but how many users will do that?

All in all, the virus market is still in its youth, and it seems that things are going to get a lot worse before they get better. Within the next five years, advice on antivirus methods is going to be part of the sales pitch of any company that sells computers. Better to learn now than be forced to learn in the future.

Meeting the viruses by name

There are supposed to be 12,000 computer viruses, but only 200 or so are in the wild. Here are some of the more common ones you are likely to meet.

AntiCMOS

This boot sector virus doesn't do its stuff right away: it only kicks in after the disk it is on has been accessed 256 times. Then it changes the computer's CMOS settings, altering the floppy type and removing the hard disk entry. This is just a nuisance if you have the CMOS setup program and a note of the setup details; if you don't, it is going to be a long haul.

AntiExe

Another boot sector virus that spreads whenever you access a floppy's system area (using the Dir command, for example). Currently, all researchers can tell is that it damages only one Exe file. Unfortunately, for some reason, they've not yet figured out which file that is.

Form

A simple boot sector virus. On the 18th of the month it marks hard disk sectors as damaged, makes the keys beep when you press them, and displays a very rude message.

NYB (New York Boot)

A relatively simple boot sector virus that spreads to other hard drives and floppy disks if you boot with an infected floppy. You'll be pleased to know that it isn't particularly malicious, but perhaps less pleased to know that virus experts say it's so badly written that it can inadvertently damage floppy and hard disk boot sectors.

Ripper

A rather nasty boot sector virus that slowly corrupts hard disk data. Because it is slow, it generally isn?t noticed until it has caused serious damage.

Stoned, Empire, Monkey

A family of related boot sector viruses, of which Monkey is the nastiest: it encrypts the hard disk's partition table, making the drive's contents inaccessible unless the virus itself is in memory to decrypt it on the fly. This sounds worse than it is: the virus doesn't destroy files, so running an antivirus program that undoes the encryption lets you regain access to the disk and its data.

Concept

Macro virus; in fact, the first Word macro virus. It is now all over the world thanks to its ability to circulate through shared documents and email attachments. Luckily it doesn't cause much damage (there is even a newer version that displays the message "Have a nice day!"), but its more destructive relatives still continue to surface. For example, Wazzu rearranges words in your document and inserts the word "wazzu" at random, and Format C is a trojan horse macro that formats your hard disk when you open the infected file.

Junkie

A multipartite virus that doesn't cause much damage. That is, if you don't consider occasionally displaying the message "Junkie virus, written in Malmo" and preventing Com files larger than 64K from running, much damage.

One Half

A multipartite, polymorphic stealth virus that isn't quite so friendly. The virus gradually encrypts hard disk sectors. Irritatingly, this isn't obvious, because for a while it decrypts the data as and when you access the affected sectors; but once half the disk has been encrypted the message "Dis is one half" appears and the decryption ceases. Antivirus programs can spot and remove the virus but can't decrypt the data, so removing it without first recovering the encrypted half leaves that half unreadable.

Parity Boot

A multipartite virus that doesn't cause any real damage but displays the message "Parity check" and locks up the PC until it is restarted.