A Computer Virus

A computer virus is a computer program that can copy itsel and infect a computer. The term “virus” is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability. A true virus can only spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive.

Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer. 

The term “computer virus” is sometimes used as a catch-all phrase to include all types of malware, adware, and spyware programs that do not have the reproductive ability. Malware includes computer viruses, worms, trojans, most rootkits, spyware, dishonest adware, crimeware, and other malicious and unwanted software, including true viruses. Viruses are sometimes confused with computer worms and Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a program that appears harmless but has a hidden agenda. Worms and Trojans, like viruses, may cause harm to either a computer system’s hosted data, functional performance, or networking throughput, when they are executed.

Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious or go unnoticed. 

Infection strategies 

In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs.

If a user attempts to launch an infected program, the virus’ code may be executed simultaneously. Viruses can be divided into two types based on their behavior when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect those targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started.

Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.  

Nonresident viruses Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file Resident viruses Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. This module, however, is not called by a finder module.

The virus loads the replication module into memory when it is executed instead and ensures that this module is executed each time the operating system is called to perform a certain operation. 

The replication module can be called, for example, each time the operating system executes a file. In this case the virus infects every suitable program that is executed on the computer. Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible.

A fast infector, for instance, can infect every potential host file that is accessed. This poses a special problem when using anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory the virus can “piggy-back” on the virus scanner and in this way infect all files that are scanned. 

Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently.

Some slow infectors, for instance, only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably and will, at most, infrequently trigger anti-virus software that detects suspicious behavior by programs. 

The slow infector approach, however, does not seem very successful.

Stealth Some viruses try to trick antivirus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the antivirus software’s request to read the file and passing the request to the virus, instead of the OS. The virus can then return an uninfected version of the file to the antivirus software, so that it seems that the file is “clean”. Modern antivirus software employs various techniques to counter stealth mechanisms of viruses.

The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean Spyware is a type of malware that is installed on computers and collects little bits information at a time about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. 

Typically, spyware is secretly installed on the user’s personal computer. Sometimes, however, spywares such as keyloggers are installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users. While the term spyware suggests that software that secretly monitors the user’s computing, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting Web browser activity.

Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet or functionality of other programs. 

In an attempt to increase the understanding of spyware, a more formal classification of its included software types is captured under the term privacy-invasive software. In response to the emergence of spyware, a small industry has sprung up dealing in anti-spyware software. Running anti-spyware software has become a widely recognized element of computer security practices for computers, especially those running Microsoft Windows. A number of jurisdictions have passed anti-spyware laws, which usually target any software that is surreptitiously installed to control a user’s computer.

The US Federal Trade Commission has placed on the Internet a page of advice to consumers about how to lower the risk of spyware infection, including a list of “do’s” and “don’ts. ” Routes of infection Malicious websites attempt to install spyware on readers’ computers. Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities. 

Most spyware is installed without users’ knowledge. Since they tend not to install software if they know that it will disrupt their working environment and compromise their privacy, spyware deceives users, either by piggybacking on a piece of desirable software such as Kazaa, or by tricking them into installing it (the Trojan horse method).

Some “rogue” spyware programs masquerade as security software. The distributor of spyware usually presents the program as a useful utility—for instance as a “Web accelerator” or as a helpful software agent.

Users download and install the software without immediately suspecting that it could cause harm. 

For example, Bonzi Buddy, a program bundled with spyware and targeted at children, claims that: He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you’ve ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he’s FREE! Spyware can also come bundled with other software. The user downloads a program and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software.

In other cases, spyware authors have repackaged desirable freeware with installers that slipstream spyware. Some spyware authors infect a system through security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware. 

The spyware author would also have some extensive knowledge of commercially-available anti-virus and firewall software. This has become known as a “drive-by download”, which leaves the user a hapless bystander to the attack. Common browser exploits target security vulnerabilities in Internet Explorer and in the Sun Microsystems Java runtime.

The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have made it the most frequent target. Its deep integration with the Windows environment and scriptability make it an obvious point of attack into Windows. Internet Explorer also serves as a point of attachment for spyware in the form of Browser Helper Objects, which modify the browser’s behavior to add toolbars or to redirect traffic.

In a few cases, a worm or virus has delivered a spyware payload. Some attackers used the Spybot worm to install spyware that put pornographic pop-ups on the infected system’s screen. By directing traffic to ads set up to channel funds to the spyware authors, they profit personally. Examples of spyware 

• CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.

com. It displays pop-up ads, rewrites search engine results, and alters the infected computer’s hosts file to direct DNS lookups to these sites. 

• Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising.

 

When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.

• HuntBar, aka WinTools or Adware. Websearch, was installed by an ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs—an example of how spyware can install more spyware. These programs add toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and display advertisements Computer worm A computer worm is a self-replicating computer program.

 

It uses a network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is due to the poor security the computers infected have. Unlike a virus, it does not need to attach itself to an existing program. 

Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted compute Worms with good intent Beginning with the very first research into worms at Xerox PARC, there have been attempts to create useful worms. The Nachi family of worms, for example, tried to download and install patches from Microsoft’s website to fix vulnerabilities in the host system – by exploiting those same vulnerabilities. 

In practice, although this may have made these systems more secure, it generated considerable network traffic, rebooted the machine in the course of patching it, and did its work without the consent of the computer’s owner or user. Some worms, such as XSS worms, have been written for research to determine the factors of how worms spread, such as social activity and change in user behavior, while other worms are little more than a prank, such as one that sends the popular image macro of an owl with the phrase “O RLY? ” to a print queue in the infected computer. 

Most security experts regard all worms as malware, whatever their payload or their writers’ intentions.

Protecting against dangerous computer worms Worms spread by exploiting vulnerabilities in operating systems. All vendors upply regular security updates (see “Patch Tuesday”), and if these are installed to a machine then the majority of worms are unable to spread to it. If a vendor acknowledges a vulnerability, but has yet to release a security update to patch it, a zero day exploit is possible. However, these are relatively rare.

Users need to be wary of opening unexpected email, and should not run attached files or programs, or visit web sites that are linked to such emails. However, as with the ILOVEYOU worm, and with the increased growth and efficiency of phishing attacks, it remains possible to trick the end-user into running a malicious code. Anti-virus and anti-spyware software are helpful, but must be kept up-to-date with new pattern files at least every few days. The use of a firewall is also recommended. In the April-June, 2008, issue of IEEE Transactions on Dependable and Secure Computing, computer scientists describe a potential new way to combat internet worms. 

The researchers discovered how to contain the kind of worm that scans the Internet randomly, looking for vulnerable hosts to infect.

They found that the key is for software to monitor the number of scans that machines on a network sends out. When a machine starts sending out too many scans, it is a sign that it has been infected, allowing administrators to take it off line and check it for viruses A Trojan horse (sometimes shortened to trojan[n 1]), is non-self-replicating malware that appears to perform a desirable function for the user but instead facilitates unauthorized access to the user’s computer system.

The term is derived from the Trojan Horse story in Greek mythology. Purpose and operation Trojan horses are designed to allow a hacker remote access to a target computer system. Once a Trojan horse has been installed on a target computer system, it is possible for a hacker to access it remotely and perform various operations. The operations that a hacker can perform are limited by user privileges on the target computer system and the design of the Trojan horse.

Operations that could be performed by a hacker on a target computer system include: 

• Use of the machine as part of a botnet (i. e. to perform spamming or to perform Distributed Denial-of-service (DDoS) attacks)
• Data theft (e. g. passwords, credit card information, etc.

) 

• Installation of software (including other malware) Downloading or uploading of files
• Modification or deletion of files
• Keystroke logging 
• Viewing the user’s screen 
• Wasting computer storage space 

 

Trojan horses require interaction with a hacker to fulfill their purpose, though the hacker need not be the individual responsible for distributing the Trojan horse. In fact, it is possible for hackers to scan computers on a network using a port scanner in the hope of finding one with a Trojan horse installed, that the hacker can then use to control the target computer. A trojan differs from a virus in that only a file specifically designed to carry it can do so. edit] Installation and distribution Trojan horses can be installed through the following methods: 

• Software downloads (i.

e. a Trojan horse included as part of a software application downloaded from a file sharing network) 

• Websites containing executable content (i. e. a Trojan horse in the form of an ActiveX control)
• Email attachments 
• Application exploits (i. e.

 

flaws in a web browser, media player, messaging client, or other software that can be exploited to allow installation of a Trojan horse) 

Also, there have been reports of compilers that are themselves Trojan horses. citation needed] While compiling code to executable form, they include code that causes the output executable to become a Trojan horse.

[edit] Removal Antivirus software is designed to detect and delete Trojan horses, as well as preventing them from ever being installed. Although it is possible to remove a Trojan horse manually, it requires a full understanding of how that particular Trojan horse operates. 

In addition, if a Trojan horse has possibly been used by a hacker to access a computer system, it will be difficult to know what damage has been done and what other problems have been introduced. In situations where the security of the computer system is critical, it is advisable to simply erase all data from the hard disk and reinstall the operating system and required software. [edit] Current use Due to the growing popularity of botnets among hackers, Trojan horses are becoming more common.

According to a survey conducted by BitDefender from January to June 2009, “Trojan-type malware is on the rise, accounting for 83-percent of the global malware detected in the wild”

Cite this page