Edited by Ross Stone
- Article ID: 26
Your Laptop is Sick: The Guide to Viruses
A computer virus is a form of hostile software, or malware, that attaches itself to files or boot code on one computer and, when that code runs, copies itself to other files, disks or computers. Beyond spreading, a virus usually carries a payload that does damage, whether by disrupting a user's access to files or by transmitting sensitive information to third parties. Viruses arrive in a variety of ways: as email attachments, on boot media (CD/DVD, floppy disk or a USB thumb drive), from a web page carrying hostile code, or in a downloaded file that is infected and then run. They are written for a number of reasons, ranging from malicious mischief to corporate espionage or, in the case of Stuxnet, industrial sabotage with military aims. Viruses are most commonly found on computers running Microsoft Windows; however, they can also infect Macintosh systems and computers running Linux. Laptops deserve particular care because they move between home, office and public wireless networks, so they are exposed to more networks, and more untrusted ones, than a desktop that stays behind a single firewall.
History and Origins
In the beginning, computer viruses were nothing more than theory and conjecture. The first formal treatment was John von Neumann's Theory of Self-Reproducing Automata (PDF), based on lectures he gave in 1949 and published in 1966, in which he described how a machine could reproduce itself. The first self-replicating program, Creeper, was written by Robert "Bob" Thomas in 1971 for the TENEX operating system on the PDP-10; a second program, Reaper, was then written to find and delete Creeper wherever it turned up. Creeper was not harmful; it was a laboratory experiment. The first virus for the IBM PC was Brain, written in 1986 by Basit and Amjad Farooq Alvi, two programmers from Pakistan. Even among harmful viruses it was benign: it spread by floppy diskette, infected the boot sector, and only overwrote the volume label with its name. Through the late 1980s viruses evolved new methods of spreading, such as infecting executable files and, later, software libraries (.dll files in Windows); encrypted viruses and stealth viruses followed. Around 1990 the first polymorphic viruses appeared, among them Whale, which altered their own code on each infection to avoid detection. Various epidemics ensued from that point forward, but the most alarming to date is Stuxnet, which appeared in 2010 and was widely reported to have been aimed at Iran's nuclear program.
Viruses are feared because they can cause extensive damage to individuals and to society in general. Primarily, viruses cause damage by impeding access to files, spying on people and organizations, or by putting a heavy additional workload on a computer or its hard drive. A virus may switch off cooling fans or keep a hard drive constantly busy, potentially overheating or wearing out the hardware; and since a virus is essentially another running process, it also slows the computer down. Some viruses are designed simply to prevent a computer from booting. Others delete or corrupt files, making them unusable. Some encrypt files and demand that the user pay a ransom to regain access; these are called ransomware. Viruses may also install keyloggers that send everything a user types back across the Internet for someone else to use, which may include social security numbers, bank account details or other sensitive data, and some exist purely for industrial espionage. Viruses can cause significant economic damage (PDF), for example by disrupting the computer systems a stock exchange depends on. The most dangerous to date is Stuxnet, which damaged centrifuges at Iran's uranium enrichment facility. Similar code is feared capable of taking over the control systems of utility grids, cutting off electricity or running water for an entire population.
Viruses employ four basic strategies to infect a computer and replicate, distinguished by where the virus installs itself: the BIOS firmware, the disk boot sector, the operating system, or application programs. Firmware infection is the rarest; the CIH virus of 1998 overwrote the BIOS flash memory on some motherboards, leaving machines unable to boot until the chip was reprogrammed.
A boot sector virus works at the disk level, infecting the boot sector of a floppy or the Master Boot Record (MBR) of a hard drive or USB drive: the first sector the firmware loads and executes. Because it runs before the operating system, this kind of virus controls the machine from the moment it boots and can infect every writable medium that is later connected, unless the computer is started from an uninfected, read-only medium such as an anti-virus CD-ROM. Once resident, a boot-sector virus can install operating-system components and infect programs as well. It can be removed with an uninfected anti-virus boot disk, after which the MBR should be compared against a known-good copy. Modern PCs running UEFI firmware with Secure Boot refuse to execute unsigned boot code, which closes the classic MBR route.
An operating-system-level virus arranges to be loaded every time the operating system starts, hiding in system libraries (.dll files), executables or device driver files. These are usually removable with an anti-virus boot disk, and can sometimes be deleted or repaired by an anti-virus program running inside the operating system. Many also carry a boot-sector component that re-establishes the infection before the operating system loads.
Application-level (file-infecting) viruses attach themselves to program files (typically, but not only, Windows files ending in .exe or .com) and, like all viruses, spread to any attached medium and across the network. This is the weakest of the strategies: a virus that lives only inside application files is the easiest for anti-virus software to find and clean, so few viruses are purely application-based; most also drop a payload that infects the operating system or the boot sector.
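As an added example, not the article's own code, here is a small Python check of the kind a practitioner runs on a disk image to catch a boot-sector infection: it parses a 512-byte MBR, validates the 0x55AA boot signature, decodes the partition table and compares the hash of the boot code against a known-good baseline. The MBR bytes, the partition layout and the "infected" variant are all constructed for the example.

```python
"""Toy MBR integrity check: parse a 512-byte Master Boot Record, validate its
0x55AA signature, decode the partition table and compare the boot-code hash
against a known-good baseline. Added example, not the article's own code;
the sample MBR bytes below are constructed, not taken from a real disk."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 on a valid MBR
PART_ENTRY = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a plausible MBR with one active NTFS-type partition (hypothetical layout)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(PART_ENTRY, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * 16 * 3
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Decode signature, boot-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(PART_ENTRY, sector[off:off + 16])
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector: bytes, known_good_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_sha256:
        findings.append("boot code differs from known-good baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one bootable partition, found {len(bootable)}")
    return findings


# Constructed samples: a clean baseline, and a copy whose first 16 bytes of
# boot code were overwritten with a jump (the way a boot-sector infector
# diverts execution to its own body before chaining to the original loader).
CLEAN_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfb")
CLEAN_MBR = build_sample_mbr(CLEAN_CODE)
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
INFECTED_MBR = (b"\xEA\x00\x7C\x00\x00" + b"\x90" * 11) + CLEAN_MBR[16:]

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_HASH))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE_HASH))
```

The partition table is left untouched in the infected sample on purpose: a boot-sector infector normally preserves it so the system still boots, which is why a hash of the boot-code region, not just a "does it boot" test, is the check that catches it. On a real system the 512 bytes come from the first sector of the physical disk, and the baseline hash should be recorded while the machine is known to be clean.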
Methods to Avoid Detection
Modern computer viruses use various techniques to avoid being spotted by anti-virus software. The two main techniques are encryption and polymorphism. An encrypted virus stores its body scrambled, with a small decryptor routine that unscrambles it at run time; a signature written against the body no longer matches, though the decryptor itself is a fixed pattern that a scanner can still match. A polymorphic virus goes further and rewrites the decryptor too (reordering instructions, inserting junk, changing registers) on each infection, so no two copies share a fixed byte sequence. Rootkit techniques hide the virus from system process and file listings so that users, and naive scanners, do not see it running.
Vectors and Hosts
Viruses work by exploiting vulnerabilities either in the system or in people. They seek elevated privileges (Administrator on Windows, root on Unix/Linux systems), from which they can control the entire system. Many spread by social engineering, that is, tricking a person into executing the hostile code; the classic method is an email with an infected program attached, waiting to be opened. Worms, by contrast, exploit weaknesses in system security to gain access and spread without any user action.
The key to avoiding infection is prevention. Users should never open email attachments that contain executable files, especially if their system is not running an anti-virus program configured to scan email attachments. Installing an anti-virus program and keeping it updated is a necessity for any Macintosh or Windows computer, and may become necessary for Linux and Unix systems in the future. Users should avoid pirated software, which is notorious for carrying viruses, and avoid following links to disreputable websites, which may host hostile code. Where possible, users should not run as Administrator or root for day-to-day work, so that a virus they accidentally execute does not inherit full control of the system. Software should be downloaded and installed only from trusted repositories or vendors, and all programs and emails should pass through an anti-virus scan before being opened.
Anti-virus programs defeat known viruses by matching files against a list of recognized virus signatures (characteristic byte sequences), much as the immune system recognizes pathogens it has seen before. To catch viruses that are not yet on the list, anti-virus software also uses heuristic scanning: it inspects the data it scans for structures and behaviours typical of viruses, such as self-decryption loops, writes to the boot sector or high-entropy packed code, and assigns a threat score; if the score crosses a threshold, the software blocks execution of the file and warns the user. The disadvantage is that this sometimes causes false alarms on legitimate packed or unusual programs. Anti-virus software can be installed so that it is embedded deep in the operating system, making it difficult for anything but a boot-sector infection to defeat. Occasional scanning from an anti-virus boot disk allows even boot-sector infections to be detected and removed. Some older motherboards had a BIOS option that warned or blocked when a program tried to write to the boot sector.
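The following Python program is an added example, not code from the article, and it serves both the evasion techniques described under Methods to Avoid Detection and the signature-versus-heuristic distinction just described. It builds a constructed "virus" (a marker string plus a decryptor stub), produces an encrypted variant and a polymorphic variant of it, and runs a toy scanner over them: signature matching catches the plain body and the fixed decryptor stub but not the polymorphic copy, while a weighted heuristic score still flags it, and the same heuristic produces a false alarm on a high-entropy benign file when the threshold is set too low. All byte patterns, signatures, file contents and weights are constructed for the example; the stub bytes are instruction-like placeholders, not real machine code.

```python
"""Signature scanning versus heuristic scanning, and why encrypted and
polymorphic viruses defeat the former. Added example, not the article's
code: every byte pattern, file and 'virus' below is constructed."""
import math
import random

# --- a constructed virus ------------------------------------------------------
# Plaintext body: a marker string followed by a low-entropy run of repeated
# instruction-like bytes (a 9-byte pattern repeated 64 times).
BODY = b"CREATE_AUTORUN_AND_COPY_TO_SYSTEM32" + b"\x8B\x45\xFC\x83\xC0\x01\x89\x45\xFC" * 64

# Decryptor stub modelled as five fixed instruction-like byte strings
# (counter setup, pointer setup, xor one byte, advance, loop back).
STUB_INSNS = [b"\xB9\x40\x02\x00\x00", b"\xBE\x00\x00\x00\x00",
              b"\x30\x06", b"\x46", b"\xE2\xFA"]
NOP = b"\x90"


def rolling_xor(data: bytes, key: int) -> bytes:
    """Symmetric byte-wise XOR with a key stream from a tiny LCG seeded by key."""
    out, k = bytearray(), key
    for b in data:
        out.append(b ^ k)
        k = (k * 0x6D + 0x3F) & 0xFF
    return bytes(out)


def encrypted_variant(rng: random.Random) -> bytes:
    """Encrypted virus: constant stub + one-byte key + body under a fresh key."""
    key = rng.randrange(1, 256)
    return b"".join(STUB_INSNS) + bytes([key]) + rolling_xor(BODY, key)


def polymorphic_variant(rng: random.Random) -> bytes:
    """Polymorphic virus: as above, but junk NOPs are inserted between the
    stub instructions, so the stub has no fixed byte sequence either."""
    key = rng.randrange(1, 256)
    stub = b"".join(insn + NOP * rng.randrange(1, 4) for insn in STUB_INSNS)
    return stub + bytes([key]) + rolling_xor(BODY, key)


# --- the scanner --------------------------------------------------------------
SIGNATURES = {                      # constructed signature database
    "Toy.Body.A": b"CREATE_AUTORUN_AND_COPY_TO_SYSTEM32",
    "Toy.XorStub.A": b"".join(STUB_INSNS),
}


def signature_scan(data: bytes) -> list:
    return sorted(name for name, pat in SIGNATURES.items() if pat in data)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 would be uniformly random)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def has_decrypt_loop(data: bytes) -> bool:
    """An xor-to-memory opcode followed within 12 bytes by a LOOP opcode."""
    i = data.find(b"\x30\x06")
    while i != -1:
        if b"\xE2" in data[i + 2:i + 14]:
            return True
        i = data.find(b"\x30\x06", i + 1)
    return False


def heuristic_scan(data: bytes) -> tuple:
    """Weighted weak indicators; each is harmless alone, suspicious together."""
    score, reasons = 0, []
    if entropy(data) > 6.0:           # encrypted or packed content
        score, reasons = score + 2, reasons + ["high entropy"]
    if has_decrypt_loop(data):        # self-decryption loop
        score, reasons = score + 2, reasons + ["decrypt loop"]
    if data[:1] == b"\xB9":           # starts by loading a counter register
        score, reasons = score + 1, reasons + ["counter prologue"]
    return score, reasons


def verdict(data: bytes, threshold: int = 4) -> tuple:
    sigs = signature_scan(data)
    if sigs:
        return "malicious", sigs
    score, reasons = heuristic_scan(data)
    return ("suspicious" if score >= threshold else "clean"), reasons


# Constructed benign files: an ordinary program, and a stand-in for a
# compressed archive (high entropy, no stub, no decrypt loop).
BENIGN_PROGRAM = b"\x55\x8B\xEC" + b"\x8B\x45\xFC\x83\xC0\x01\x89\x45\xFC" * 64 + b"exit"
BENIGN_PACKED = bytes(range(256)) * 2 + bytes(range(0, 256, 3))


def samples(seed: int = 7) -> dict:
    rng = random.Random(seed)
    return {"plain": BODY, "encrypted": encrypted_variant(rng),
            "polymorphic": polymorphic_variant(rng),
            "program": BENIGN_PROGRAM, "packed": BENIGN_PACKED}


if __name__ == "__main__":
    for name, sample in samples().items():
        print(f"{name:12} sigs={signature_scan(sample)} verdict={verdict(sample)}")
```

Two things are worth noticing when it runs. The body signature fails on both encrypted variants, and the stub signature survives only as long as the stub is byte-for-byte constant; the moment junk is inserted between its instructions, signature scanning has nothing left to match and only the heuristic score catches the sample. The threshold is the trade-off the article describes: at 4 the packed benign file is cleared, at 2 it is flagged purely for its entropy, which is exactly the false alarm a packed installer triggers in real products.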
Anti-Virus Software Brands
There is a thriving market for anti-virus software. Symantec's Norton Internet Security suite is the most popular and well-known option, offering every aspect of anti-virus protection and Internet security in a single package. It checks the origin of files and verifies their authenticity, scans incoming files, and updates its virus data frequently (the vendor claims every 5 minutes). It scans emails and instant messages for viruses and spam, and keeps a database of safe and harmful web pages, steering users away from dangerous and infected sites. It also claims to provide these services without slowing down the PC. BitDefender Total Security protects users from dangerous websites and offers the ability to monitor a child's Internet activities from a parent's cell phone. In addition, BitDefender's security suite protects users from viruses and other threats in cloud computing environments, and it includes a firewall and software to block or remove spyware. Avast! offers an Internet Security suite that protects users from virus attacks via social networks and general web surfing; in addition it offers all the standard anti-virus protection, defending against infected emails, worms and Trojans, and a free version of its anti-virus software. AVG is another company with both commercial and free anti-virus products. In addition to the standard anti-virus protection, AVG also produces a Rescue CD, a bootable anti-virus disk that can be used to remove boot-sector, system or application viruses. ZoneAlarm offers the Extreme Security suite, which combines its popular firewall product with an anti-virus engine; it also includes protection from hostile downloads, screen grabbers and keyloggers, and blocks email spam.
Viruses and the 1st Amendment
Creating viruses has limited protection under the First Amendment to the United States Constitution. Distributing information on how to make viruses is often compared with publishing manuals on how to make explosives. The Supreme Court's standard is that such speech loses protection only when it is directed at inciting criminal activity. Therefore, people who write viruses, or discuss their makeup and design, for the express purpose of developing anti-virus software are protected under the First Amendment. Practically, this is a necessary right; without it, software that prevents computer virus pandemics could not be written. However, those who release viruses onto networks are clearly intending to do harm and are not protected. The First Amendment is also why conventions like DEF CON can legally exist, where computer security experts mingle with hackers to stay up to date with the latest threats.
Other Harmful Infections
There are other harmful computer infections that, like viruses, can do extensive damage. These include worms, macro viruses, and Trojans. Worms do not need to infect programs to spread from one computer to another; they exploit weaknesses in a system's security to enter a computer and then spread to others connected via a local network or the Internet. Macro viruses, also known as scripting viruses, infect documents whose format allows embedded executable code. The most infamous examples infect Microsoft Word, Excel, PowerPoint and Access files, but any spreadsheet or database format that supports macros can be a host. Even the open source OpenOffice application can be vulnerable, although infection there requires the user to approve running the macro. Trojans, named after the Trojan Horse of Greek legend, pose as legitimate programs to trick a user into running them, resulting in an infection. Like the horse of legend, they may also open the system to access and control by outside users. Rootkits, often delivered by a Trojan, modify system files and operating system components so that the intruder's files and processes are hidden and several means of re-entry remain. Rootkits are nasty in that it is difficult to find all the files they have altered, much less remove them.
Old and New Harmful Infections
The first true self-replicating computer program, the Creeper, was created in 1971. It was harmless, and it was followed by the Reaper, the world's first anti-virus program, written to remove the Creeper. The first PC virus, Brain, was written in 1986; it infected floppy boot sectors and overwrote the disk's volume label. Truly malicious viruses appeared in 1987, starting with Jerusalem (PDF), Cascade, Lehigh and Stoned. In the same year, the Christmas Tree EXEC worm crippled IBM's internal network and the BITNET academic network on an international scale. In 1988, the Ping-Pong boot-sector virus appeared, followed by the Morris worm, the first major Internet worm. In 1992, Michelangelo was the first virus to cause mass hysteria in anticipation of its activation date; the feared wiping of millions of computers never came to pass. In 1995, the Concept virus spread through macros inside Microsoft Word documents. In 1998, the Win32/CIH virus overwrote the flash BIOS of some motherboards as well as the start of the hard drive; the file infection could be removed by an anti-virus program, but a machine whose BIOS had been overwritten would not boot until the chip was reprogrammed. The Melissa virus struck in 1999, spreading as an infected Word document via email; it caused widespread damage by overloading email servers, including those at Microsoft Corporation. In 2000, VBS/Loveletter@MM, also known as ILOVEYOU, LoveBug or Love Letter, was one of the first devastating computer pandemics, spreading by email to the Pentagon, the CIA and millions of Windows computers in a single day; each infection overwrote or hid the victim's image and music files, and as a final insult it installed a password-stealing program. In 2003, the SQL Slammer worm spread through Microsoft SQL Server, while the Blaster worm spread through a vulnerability in Windows XP and 2000. In 2004 the MyDoom worm struck, infecting millions of PCs which it then used to launch denial-of-service attacks on the SCO Group and Microsoft.
In 2007 the Storm worm spread by email on Windows PCs, recruiting millions of computers (estimates varied widely, some as high as 50 million) into a botnet run by suspected organized criminals and spammers. In 2008, the Conficker worm infected up to an estimated 15 million Windows computers, including machines belonging to the German, French and British militaries. In 2010, the infamous Stuxnet worm struck Iran's nuclear enrichment systems.