Mayur Hemani
Shreyansh Jain
PROLOGUE
Some call this creature a VIRUS (Vital Information Resource under Siege), a term
coined by Fred Cohen in the late 1980s. The contemporary rationalists would have
probably called it a “Very-Intelligent Reproducing Undaunted System”. However, the
word remained, and haunted those who planned to conquer the silicon world by
means of sheer monopoly.
The very word disturbs the serenity of the heaven in which the software giants live
peacefully, indifferent to the difficulties of the common computer user.
WHAT IS A VIRUS?
In fact, out of the millions of viruses that are created only a few thousand ever make it
into the open, and only a few hundred are known to cause widespread damage.
A virus, therefore, is just another computer program with the special ability to
multiply, i.e. to create copies of itself. There are many viruses that do no harm to the
computer, yet are dangerous in their own right. And there are yet other programs that
are not viruses, but can cause a lot of damage.
ANATOMY OF A COMPUTER VIRUS
A computer virus is a program capable of replicating on its own, i.e. of creating
functional copies of itself, which in turn can self-reproduce. The structure of a computer
virus looks something like what is shown in the figure above. The diagram shows three
parts of a computer virus – the payload, the replication routine, and the target-search
routine.
The payload of a virus is the effect that a user feels when the virus infects his/her
computer. Visible effects such as irritating messages, error messages caused by the
malicious program, or the erasure or disclosure of some private, valuable data are some
possible payloads. The payload is the malignant effect for which most viruses are
actually despised. Payloads can range from simple, crazy messages and disk-wiping
routines to sophisticated spy programs capable of collecting specific information from
the infected computers and sending it to specified locations on a network (such as the
Internet).
The replication routine is the heart and soul of the computer virus. It is the program
that is responsible for the replication feature of the virus. Viruses are basically
programs, and so consist of a few lines of code. This code (or a part of it) is referred
to as the signature of the virus, and is used for identifying different types of viruses.
The replication routine is responsible for two things – search and copy.
The tentacle-like projections in the diagram refer to the target-search routine, which
may or may not be a part of the replication routine.
The first problem the replication routine must solve is how to find suitable objects.
A virus is always written so as to work attached to a certain type of carrier object,
such as a program file or text document created by MS Word, or a limited number of
carrier object types. The replication routine must be able to locate objects of the
correct type. This can be done by searching through the computer, file by file.
However, this is rather inefficient and requires a great deal of computer power. A
more elegant approach is for the virus to remain in memory and monitor system
activity. This enables the virus to infect files when they are used. The performance
impact of infecting a single file is so small that the user would not notice it. This
behaviour also improves the ability of the virus to spread, as recently accessed files
are more likely to be transmitted to another system.
The idea that viruses can remain in the memory of a computer is taken from a class of
programs called TSR (Terminate and Stay Resident) programs. These programs remain
in memory once executed, and are activated whenever a specific event (called the
trigger) occurs. A computer virus does things similarly. It hooks particular interrupt
service routines; whenever one of those interrupts occurs, the viral code is executed
first, and then control is passed to the original routine so that the system appears to
behave normally and the presence of the virus is cloaked. Thus, in a way, the virus gains
control over the system and does what it wants to without being detected in a direct way.
An example of viral activity can be shown by means of a virus called the ‘STONED’
virus. This virus belongs to a class of viruses called boot-sector viruses. The virus
infected the boot sector of floppy disks (floppies were used for booting systems
then). Each time the system booted, the viral code was loaded into memory,
allowing it to monitor all the floppy disks used on the computer and to copy itself
to their boot sectors. The virus in this case, however, gives away its presence by
flashing a message – “Your computer is now stoned”.
Several classes of viruses exist, of which the commonest are boot-sector viruses,
macro viruses, and parasitic viruses. Macro viruses affect documents that can carry
specific instructions for their respective document processors, such as Microsoft Word
documents. User-defined macros are replaced by new virus-infected versions that are
executed whenever the document is accessed. Viruses may also be classified on the
basis of the domain that they affect. PC viruses and network viruses (worms) are
the two main clans of viruses in this respect. The most widespread viruses are actually
worms. The notorious SirCam, Nimda, Melissa etc. are worms that use Internet
services such as e-mail to spread.
In the context of virus types and the focus of this paper, special mention must be
made of a rather new virus class called polymorphic viruses. These are highly
sophisticated viruses that possess payloads as deadly as those of common viruses,
as well as a very special way of escaping detection. They appear in different places
in different forms (hence the name).
Polymorphic viruses change their signatures from target to target to escape detection.
As long as even a single copy of the virus survives, the virus persists on the computer.
This is a feature that cannot be accounted for even by programs specifically written to
detect and remove viruses from computer systems.
By varying the code sequences written to the file (while keeping them functionally
equivalent to the original), or by encrypting the body under a different, randomly
generated key each time, the virus in the altered file cannot be identified by simple
byte matching. Detecting these viruses requires a more complex algorithm that, in
effect, reverses the masking to determine whether the virus is present. This stealth
technique makes a polymorphic virus a dangerous adversary, and an interesting object
of study.
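The following is an added illustration, not code from the paper, of the two detection approaches this paragraph contrasts: plain byte matching of a signature, and a scanner that reverses the masking before matching. The "signature", the carrier bytes and the masking scheme (a single-byte XOR key, the simplest possible stand-in for the paper's "random encryption key") are all constructed here for the demonstration and are assumptions, not taken from any real sample; the block only manipulates byte strings in memory.

```python
"""Signature scanning versus a masked body (constructed demonstration).

Everything below is made-up test data: SIGNATURE stands for the byte
sequence a scanner has on record, PLAIN_BODY for an unmasked carrier.
A one-byte XOR key is the assumed masking scheme; real encryptors are
more involved, but the detection principle (undo the mask, then match)
is the same.
"""
from typing import Optional

# Constructed signature: the bytes a scanner would look for verbatim.
SIGNATURE = b"\x90\xe8\x00\x00\x00\x00\x5e\x83\xee\x06"

# Constructed carrier: header and trailer bytes around the signature.
HEADER = b"HEADER-BYTES"
TRAILER = b"TRAILER-BYTES"
PLAIN_BODY = HEADER + SIGNATURE + TRAILER


def xor_mask(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR mask; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def build_masked_variant(key: int) -> bytes:
    """Constructed 'variant': same carrier, but the signature region is
    masked under the given key, so its bytes differ from one key to the next."""
    return HEADER + xor_mask(SIGNATURE, key) + TRAILER


def naive_scan(body: bytes, signature: bytes) -> bool:
    """Simple byte matching: succeeds only if the signature appears verbatim."""
    return signature in body


def masked_scan(body: bytes, signature: bytes) -> Optional[int]:
    """Reverse the masking before matching.

    Tries every possible single-byte key; for each candidate the whole body
    is unmasked and searched for the signature.  Returns the key under which
    the signature was found (0 for an unmasked body), or None if no key
    reveals it.  This is the simplest form of the "more complex algorithm"
    the text calls for.
    """
    for key in range(256):
        if signature in xor_mask(body, key):
            return key
    return None


def compare_scanners(key: int) -> dict:
    """Run both scanners on the plain body and on a variant masked under `key`."""
    variant = build_masked_variant(key)
    return {
        "naive_on_plain": naive_scan(PLAIN_BODY, SIGNATURE),
        "naive_on_variant": naive_scan(variant, SIGNATURE),
        "masked_on_plain": masked_scan(PLAIN_BODY, SIGNATURE),
        "masked_on_variant": masked_scan(variant, SIGNATURE),
        "masked_on_clean": masked_scan(b"clean bytes only", SIGNATURE),
    }


if __name__ == "__main__":
    for k, v in compare_scanners(0x5A).items():
        print(f"{k:18} -> {v}")
```

Run stand-alone, the block shows the naive scanner finding the signature in the plain body but missing the masked variant, while the unmasking scanner recovers the key (0x5A) for the variant, reports key 0 for the plain body, and returns None for the clean bytes. The cost is visible too: the brute-force scanner does 256 passes over the body instead of one, which is why the paper describes such detection as requiring a more complex algorithm than byte matching.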
POLYMORPHISM IN VIRUSES
Computer viruses of all classes are so despised that it is hardly noticed how closely a
computer virus can resemble living creatures. Viruses are associated with destructive
perspectives of computing. Following is an analogy that can be drawn between a
microbial organism and a computer virus.
Computer viruses can actually represent a form of life that is known to mankind –
microbes. These viruses bear a close resemblance to their biological counterparts.
Real creatures are born. So are viruses. Real creatures feed and reproduce, and so do
computer viruses. The real ones evolve and adapt, and it is possible for computer
viruses to do the same.
VIRUSES FEED: -
Computer viruses use up system resources for their own survival: important resources
like memory (the virus cocoons itself in memory with certain protection measures to
prevent direct access to the viral code), disk space (inconspicuously), network bandwidth
(in case it is made in order to slow a network down), interrupt services for its own
existence, and so on. The items on the menu are too many. Some viruses are known to
modify hardware configurations (the CIH virus tries to modify the Flash BIOS).
True, this is destructive. Yet, considering the fact that, very much like computer
viruses, we human beings are never useful to any other species and yet we use up
resources, the viruses are perhaps better than us (at least they exist only in the
computer world).
VIRUSES GROW/SPREAD: -
Computer viruses are known to spread rapidly and undetected from computer to
computer, owing to the stealth and anti-detection mechanisms built into them. The only
restriction on a computer virus is that it is a program and so cannot go beyond the
realm of computers.
VIRUS METABOLISM: -
All computer programs use up computer resources. However, they do so for the user
of the program, and not for themselves. Real organisms metabolize material into
energy for their existence. The same goes for computer viruses. If a virus did not
lock up certain resources of the computer it infects, its survival would be out of the
question. Thus, it is possible to understand this phenomenon as a form of viral
metabolism.
The concept of evolution and adaptation is alien to computer programs. The idea that
a computer program could change with time and adapt to its changing environment is
a bizarre one. But it is possible, at least in theory, to build a virus that can adapt to
changes in its environment and evolve over generations.
Adaptation here means the changing of a virus’ appearance in its lifetime, in order to
nullify the effects of its changing environment (typically the changes caused by anti-virus
software). Evolution, on the other hand, refers to changes introduced into the virus
program over the generations (mutations). Computer viruses of the present era are not
capable of evolving and adapting. Consider, for example, the polymorphic viruses.
These viruses use a very special stealth technique that involves changing the virus
signature in the files they have infected. However, this is not really an adaptive
measure, as it does not involve any intelligent real-time decision making.
Consider a new virus – one that can evolve as well as adapt autonomously. To
accomplish the making of such a virus, the following things must be taken into
consideration: -
The main threats to a virus are: -
i) Anti-virus software which uses signature-scanning to detect the presence
of viruses.
ii) Accidental erasure of viral code.
iii) Firewalls and other preventive software that filter data packets entering a
network-node.
iv) Hostile conditions – such as inoculations.
Then again, it IS possible to make such a virus, on a computer (or perhaps a whole
network), dedicated to this virus. But who would ‘waste’ valuable infrastructure on
computer viruses? After all they are ‘useless’.
In our opinion, research in the field of computer viruses can prove to be really useful
to mankind as a whole, and can find utility in several arenas.
Some software companies try to play God. They disallow programs of other
vendors to work properly on their platforms, integrating features for their own
programs to run predictably well. If this is allowed for long, and the platform does
succeed in climbing the consumer’s preference levels, the company could
monopolize the entire market with their products, and there would be no laws
(because we live in a truly capitalist world) against them.
Viruses specific to such vendors’ products are often the breakthroughs needed to
crack open the corporate conspiracy.
Human beings always like staying in control of things. We have tried to build
technology that tries to bring even natural things under control, some for the welfare
of mankind, some just to prove our power. It is difficult to shift our attitude from
that of controlling everything to one of accepting chaos in our environment.
A computer virus represents chaotic behaviour. This is one of the reasons why the
viruses are so despised. Controlling a virus is equivalent to building a dam on a
river when it is raging with flood.
Viruses are uncontrollable creatures, much like real viruses. The idea that the virus
introduces chaos in a computing environment is detested because human beings
love order, order that is not natural. Nature does not build gardens, we do.
Are virus makers a bunch of frustrated losers, or are they some of the most
brilliant programmers in the world? Such questions hold no meaning for the
corporate world. They lose their valuable data and time to viruses in the wild.
There is no reason for them to be in favour of making viruses. But they must
realize a few things about virus attacks: -
i) Viruses spread because of a monoculture in software usage. Most
organizations prefer the standardization of the platforms and the software
that everybody in the organization uses. Consider this fact – one of the
deadliest worms ever, Melissa, spreads only to those systems that use MS
Word 97, the MS Outlook mail client and MS Windows. Since these are
some of the most widely used software, the virus did create havoc. But to
users of Linux, or Mac OS, or other operating systems, the virus was just
plain news.
In a managed forest, where all the trees/plants are the same, a disease
spreads like wildfire, because all the victims have the same defenses and
the same biology. Thus, monoculture is a prime reason for virus attacks.
ii) Computer viruses are targeted at specific software vendors, often to break
their monopoly.
iii) A virus does not always mean damage. Computer viruses are creatures,
just like us. They live in their own world. Isolate them, and they are the
most interesting pieces of software.
Does anyone think about it – an average human being does not even do a single
thing for the welfare of another species of life on this planet. Why condemn the
computer virus when mankind itself is a ‘disease’ to this planet?
Computer virus making is an art. Not everyone can do it with the finesse of an
artist. Virus programming is one of the most sophisticated kinds of programming in
the software world. The keyword for a virus programmer should be responsibility.
Viruses can do a lot of harm if they are let loose. But then, it is in the hands of the
creator to keep the virus from spreading. After all, a virus must not do
intentional harm to others.
The author of the book ‘The Little Black Book of Computer Viruses’, Mark Ludwig,
says in his book – “I am convinced that computer viruses are not evil and that
programmers have a right to create them, possess them and experiment with
them”.
As long as it does not hurt others, virus making is pure programming genius.