"The only truly secure system is one that is powered
off, cast in concrete, and sealed in a lead-lined room with armed
guards - and even then I have my doubts."
E.H. Spafford, Dept of Computer Sciences, Purdue University.
This document is provided as source material for the EXTENDED WRITING
TASK: SE1. It is meant as a starting
point for research and ideas.
Definitions
The 'computer virus' is a relatively recent phenomenon. The first
infection reported as a news item was in 1987; before that there were
unsubstantiated reports of 'nasty' programs being picked up from
pirated games software as early as 1985. Such activity must have been
going on well before that: hackers and ordinary users alike were
doubtless coping with rogue programs long before this and failing to
report them for fear of being caught pirating software (which is, of
course, illegal).
Minimum criteria for the definition of a program as a VIRUS are the
following:
- the program must be executable
- it must be capable of cloning (replicating) itself
- it must convert other executable objects into viral clones (ie.
'infect' them)
In addition, the vast majority of viruses load and run without the
user asking them to, 'hide' inside normal (host) programs and run
whenever the host is run, act without prompting the user for permission
or warning of the consequences, and trap their own errors internally
(so that a failure does not alert the user to their presence).
'Destructive' behaviour/action, as used in this unit, refers to any
action that the user did not specifically request (or did not knowingly
allow to happen, or could not reasonably anticipate) and which causes
changes to software or hardware.
'Rogue' software, as used in this unit, is any software obtained
illegally or illicitly, by choice or by default (ie. you get it without
any say in the matter), that causes unwanted changes to a computer
system.
Most of this document deals with IBM and IBM-compatible viral infections
(specifically MS-DOS and OS/2 systems). There is, as one would predict,
an equally daunting array of 'rogue' programs available for all other
computer systems.
Material for this unit was compiled from a variety of sources, including:
The Computer Virus Handbook. R.B. Levin, 1990. Osborne/McGraw-Hill
(Lib ref 005.16 LEV)
Fact and Fiction
Viruses are not a form of electronic life, nor do they employ any form
of artificial intelligence (to do so they would need far more memory
than the vast majority of the PCs they infect can offer), contrary to
whatever the X-Files would have you believe.
When dealing with and describing computer viruses it is difficult not
to use terms and phrases associated with living things, and to think of
them as having a personality (a pretty bizarre and vicious one at that).
It is therefore important to keep reminding ourselves that viruses
follow specific algorithms designed by programmers: every action is
premeditated, and the motives of the designer are many and varied
(though usually destructive).
They cannot spread from an infected computer (called a host) to a
non-infected one unless the two are connected, physically or
electronically, or share executable files (on a floppy disk, for
example). Viruses cannot remain active when the computer is turned off;
that is not to say that the 'infected' files are eliminated when the
power is off, only that the viral code stops executing until an infected
program or boot sector is run again.
'Rogue' Software Classified
BUG-WARE
lawful programs that, through inadequate testing or logic errors,
damage hardware or software accidentally.
TROJAN HORSES
programs that appear useful and have well-written 'shells', but that
contain one (or more) destructive commands acting under the surface.
CHAMELEONS
programs that act like other familiar, trusted programs while
underneath they are being destructive.
SOFTWARE BOMBS
designed to erase data from the instant they are run; they rarely
clone.
LOGIC BOMBS
designed to execute destructive commands when a particular
environmental condition is met (eg. a key sequence, a disk read/write
etc.)
TIME BOMBS
designed to execute destructive commands when a particular numeric or
time-related condition is met (eg. a particular date, or after two
runs).
REPLICATORS
(commonly called rabbits) typically clone themselves, then their
offspring clone, and so on until memory is used up and processing is
halted.
WORMS
self-contained programs that copy themselves from machine to machine
through a networked environment without needing a host file, typically
collecting information (passwords, documents etc) or leaving messages.
VIRUSES
programs that modify other programs to include an executable (and
possibly modified) copy of themselves (ie. they clone). Once every
executable file within reach is infected, the virus may then begin
destructively tampering with system operations and data files.
It should be noted that rogue programs come in many forms, with many
and varied actions, but programs called viruses are a nasty step above
the average rogue and, as such, demand a separate classification.
Virus Classification
BSIs - Boot Sector Infectors
programs that replace or relocate the bootstrap code held in a disk's
boot sector (or, on a hard disk, the master boot record). Because the
BIOS loads and runs that sector before DOS, batch files or any
anti-virus software, a BSI is the first program run when the computer
is booted and so assumes total control.
CPIs - Command Processor Infectors
programs that infect COMMAND.COM, and so affect the computer's ability
to process user commands at DOS level.
GPIs - General Purpose Infectors
programs designed to seek out and infect all executable programs
(other than low-level system operating files), rendering them faulty,
unpredictable or inoperative.
MPIs - Multi-Purpose Infectors
programs that adopt two or more of the previously mentioned viral
strategies, thus greatly increasing their chances of 'survival' in the
infected system.
FSIs - File Specific Infectors
programs designed to target specific types of file, although they can
be 'carried' on other types of file while waiting for the opportunity
to damage their target.
MRIs - Memory-Resident Infectors
like BSIs and CPIs, these programs stay resident in memory after their
host has finished running (they survive until the machine is rebooted,
not through a power-off, see above) and from there garble screen
output, scramble keyboard input, shuffle disk data and, during lulls in
processor activity, infect any uninfected file that is run or opened.
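The BSI entry above turns on the layout of the first sector of a disk,
which the codes D, M and X in the table at the end of this document
also refer to. The Python below is an added example, not code from this
handout or from Levin's book: it assembles a constructed 512-byte master
boot record, decodes the partition table, and compares the 446 bytes of
bootstrap code against a SHA-256 taken when the disk was known clean.
The offsets follow the standard MBR layout; the bootstrap bytes and the
partition entries are constructed for the demo and the 'infected' sector
is produced by overwriting the bootstrap in place, nothing is executed.

```python
# Added example: parsing a master boot record and checking the parts a
# boot sector infector (BSI) changes. Not from the handout or Levin's book.
# Offsets follow the standard MBR layout; all disk contents are CONSTRUCTED.
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE   # 446 bytes of bootstrap code come first
SIGNATURE_OFFSET = 0x1FE    # 0x55AA marks the sector as bootable
ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, first LBA, sector count
PARTITION_TYPES = {0x01: "FAT12", 0x04: "FAT16 (<32 MB)", 0x05: "extended", 0x06: "FAT16"}


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and up to four
    (bootable, type, first_lba, sector_count) tuples. Demo helper only."""
    if len(boot_code) > PART_TABLE_OFFSET:
        raise ValueError("boot code would run into the partition table")
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, (bootable, ptype, first_lba, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        # CHS fields are left zero for the demo; only the LBA fields are read below
        mbr[off:off + ENTRY_SIZE] = struct.pack(
            ENTRY_FORMAT, 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", first_lba, count)
    mbr[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(mbr)


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition table slots; empty slots (type 0) are skipped."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs0, ptype, _chs1, first_lba, count = struct.unpack(
            ENTRY_FORMAT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0:
            continue
        entries.append({"bootable": status == 0x80,
                        "type": PARTITION_TYPES.get(ptype, hex(ptype)),
                        "first_lba": first_lba, "sectors": count})
    return entries


def check_mbr(mbr: bytes, trusted_boot_hash: str) -> dict:
    """Compare an MBR against a baseline taken when the disk was known clean.
    A BSI that keeps the signature and partition table intact still boots,
    so only the hash of the bootstrap code gives it away."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    boot_code = mbr[:PART_TABLE_OFFSET]
    return {
        "signature_ok": mbr[SIGNATURE_OFFSET:] == b"\x55\xAA",
        "boot_code_modified": hashlib.sha256(boot_code).hexdigest() != trusted_boot_hash,
        "partitions": parse_partitions(mbr),
    }


def demo():
    # CONSTRUCTED clean disk: placeholder bootstrap, one bootable FAT16 partition
    clean_code = b"\xFA\x33\xC0DEMO-BOOTSTRAP".ljust(PART_TABLE_OFFSET, b"\x00")
    clean = build_mbr(clean_code, [(True, 0x06, 63, 65536)])
    trusted = hashlib.sha256(clean[:PART_TABLE_OFFSET]).hexdigest()

    # Simulate a BSI: bootstrap replaced, partition table and signature untouched
    infected = bytearray(clean)
    infected[:PART_TABLE_OFFSET] = b"\xFA\x33\xC0DEMO-ROGUE-LOADER".ljust(PART_TABLE_OFFSET, b"\x00")
    return check_mbr(clean, trusted), check_mbr(bytes(infected), trusted)


if __name__ == "__main__":
    for label, result in zip(("clean", "infected"), demo()):
        print(label, result)
```

Both sectors pass the 0x55AA signature test and list the same partition,
because the simulated BSI, like Stoned in the table below, leaves the
partition table alone; only the hash of the first 446 bytes differs. Two
caveats for anyone using this against a real disk: the baseline must be
taken from a machine known to be clean (booted from a write-protected
floppy), and a resident BSI can return the original sector when it is
read through the BIOS, so the comparison must also be run from a clean
boot.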
Popular Methods Of Viral Infection
The five most commonly implemented infection strategies at the moment
(in detected viruses at least) are:
Appending
viruses that attach rogue code to the end of .EXE or .COM files and
patch the file's entry point (in a .COM the first bytes become a jump
to the appended code; in an .EXE the header's initial CS:IP is changed)
so that the viral code runs when the infected file is executed,
normally before control is passed back to the host. These viruses
increase the file size by the number of bytes of viral code appended.
Insertion
viruses that place their code directly inside unused code and data
regions of a host file to infect it. Their size is kept to a minimum
and they do not alter the size of the file, becoming active when the
host file begins execution.
Redirection
disk partition tables, hidden files and 'bad' sectors are used to store
the 'control centre' of a viral infection, which consists of a
'network' of inserted viral code (often only a few bytes here and
there) scattered through a number of infected files.
Replacement
viruses that overwrite the target file with viral code, destroying the
host. This typically alters the file's size and attribute values, and
usually the file name also.
Viral Shell
more a post-infection survival technique (later called 'stealth') than
an infection method: the viral code emulates the host's normal actions
so that all appears to be normal, and any attempt to find out otherwise
is resisted. Directory entries, file allocation tables, attributes and
so on are manipulated (for example by reporting the original file size
while the virus is resident) to prevent the viral presence from being
detected.
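The Appending and Insertion entries above describe changes to a file's
bytes, which is exactly what a scanner or integrity checker has to look
for. The Python below is an added example, not code from this handout
or from Levin's book. It performs the pure byte-level transformation an
appending .COM infector makes (the first three bytes replaced by a near
JMP to the appended region, the original bytes saved there, then an
inert placeholder body), and then applies two checks: a heuristic that
flags an entry-point jump landing near the end of the file, and a
size-plus-SHA-256 baseline comparison. The .COM contents are
constructed and nothing in them is executed; the 4096-byte 'tail window'
is an arbitrary assumption for the demo.

```python
# Added example: the file layout an appending .COM infector produces and two
# ways to notice it. Not from the handout or Levin's book. All file contents
# are CONSTRUCTED and the appended "body" is inert text, never executed.
import hashlib
import struct

COM_ENTRY_SIZE = 3        # a near JMP (E9 rel16) is three bytes
MAX_COM_SIZE = 0xFF00     # a .COM must fit in one 64 KB segment below the stack


def simulate_append_infection(host: bytes, body: bytes) -> bytes:
    """Return the file an appending infector would write: original entry
    bytes swapped for a JMP to the appended region, original bytes saved
    there, then the body. Pure byte transformation."""
    if len(host) < COM_ENTRY_SIZE:
        raise ValueError("host too small to patch")
    if len(host) + COM_ENTRY_SIZE + len(body) > MAX_COM_SIZE:
        raise ValueError("result would not fit in a .COM segment")
    # JMP rel16 is relative to the byte after the instruction (file offset 3),
    # so a jump to file offset len(host) needs rel = len(host) - 3.
    jmp = b"\xE9" + struct.pack("<H", len(host) - COM_ENTRY_SIZE)
    return jmp + host[COM_ENTRY_SIZE:] + host[:COM_ENTRY_SIZE] + body


def entry_jump_target(data: bytes):
    """File offset the entry-point JMP lands on, or None if the file
    does not begin with a near JMP."""
    if len(data) < COM_ENTRY_SIZE or data[0] != 0xE9:
        return None
    rel = struct.unpack("<H", data[1:COM_ENTRY_SIZE])[0]
    return (COM_ENTRY_SIZE + rel) & 0xFFFF      # 16-bit wrap, as the CPU does


def looks_appended(data: bytes, tail_window: int = 4096) -> bool:
    """Heuristic: the entry point jumps into the last `tail_window` bytes.
    The window size is an assumption for the demo."""
    target = entry_jump_target(data)
    return target is not None and len(data) - tail_window <= target < len(data)


def baseline(files: dict) -> dict:
    """Record size and SHA-256 of each executable (name -> bytes)."""
    return {name: (len(data), hashlib.sha256(data).hexdigest()) for name, data in files.items()}


def changed_since(base: dict, files: dict) -> dict:
    """Integrity check: report files whose hash differs from the baseline."""
    report = {}
    for name, data in files.items():
        size, digest = base.get(name, (None, None))
        if size is None:
            report[name] = "new file"
        elif hashlib.sha256(data).hexdigest() != digest:
            report[name] = f"modified, size {size} -> {len(data)}"
    return report


def demo():
    # CONSTRUCTED host: a 64-byte .COM whose first instruction is MOV AH,4Ch
    host = b"\xB4\x4C\xCD\x21".ljust(64, b"\x90")
    body = b"DEMO-INERT-BODY:" * 4
    infected = simulate_append_infection(host, body)
    # CONSTRUCTED legitimate program that jumps over a data block first
    jump_first = b"\xE9\x20\x00" + b"copyright text".ljust(32, b" ") + b"\xB4\x4C\xCD\x21"
    before = baseline({"HOST.COM": host, "JUMP1ST.COM": jump_first})
    after = {"HOST.COM": infected, "JUMP1ST.COM": jump_first}
    return {
        "size_growth": len(infected) - len(host),
        "entry_target": entry_jump_target(infected),
        "heuristic": {name: looks_appended(data) for name, data in after.items()},
        "integrity": changed_since(before, after),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows the infected file growing by exactly 3 + len(body)
bytes and its entry jump landing at the old end of file. It also shows
the heuristic's weakness: a legitimate program that starts with a jump
over its own data block (JUMP1ST.COM) is flagged as well, so a jump
near the end of the file is a reason to compare against a baseline, not
a verdict. The baseline comparison is the one check that also catches
Insertion viruses, whose hosts do not change size, and Replacement
viruses, where size and hash both change.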
Some Viruses (in summary)
What follows is a partial listing of the DETECTED viruses circulating in
1990 and infecting IBM and IBM-compatible PCs. It should be pointed out
that these represent only viruses that have been DETECTED and that can
be ELIMINATED (or at least deactivated); that is not to say there is no
plethora of undetected rogue programs merrily working away (this is
most likely the case).
NAME (aliases)                  type
AIDS (Hahaha, VGA2CGA)          O N C
Alabama                         P R E T
Alameda (Peking, Seoul)         B R F
Ashar (Shoe, UIUC)              B R
Brain (Pakistani)               B R
Cascade A,B (blackjack)         P R C
Chaos                           B R
Dark Avenger                    P R A K
Datacrime (many versions)       P N A K
dBASE                           P R C
Den Zuk (search)                B R F
Devil's Dance (mexican)         P R C T
Disk Killer (ogre)              B R T
EDV                             B R X
Friday The 13th                 P N C
Fu Manchu                       P R A
Ghost Boot                      B P N C
Golden Gate                     B R
Halloechen                      P A
Icelandic                       P R E
Jerusalem (PLO, Russian)        P R A K
Joker                           P N E
Lehigh                          O R K T
Lisbon                          P N C
Michelangelo                    B R M X
Ohio                            B F
Oropax (music virus)            P R C
Payday                          P R A
Pentagon                        B R F
Perfume                         P N C K
Ping Pong (bouncing ball)       B R F
Saratoga (one in two)           P R E
Stoned (marijuana)              B R X
Sunday                          P R A T
Surviv 1.01 (April 1st)         P R A T
Swap (Falling letters)          B R F
SysLock                         P N A
Taiwan                          P N C K
Traceback                       P R A
Typo (mistake, fumble)          B R P C
Vacsina                         P R A
Vcomm                           P R E
Vienna (Unesco, Dos-62)         P N C
Virus                           P R A F
W13                             P N C
Yankee Doodle                   P R A
Zero Bug (Palette)              P R C
Codes: A = infects all program files (.COM and .EXE)
       B = boot sector virus
       C = infects .COM files only
       D = infects DOS boot sector on hard disk
       E = infects .EXE files only
       F = floppy (360K) only
       K = infects COMMAND.COM
       M = infects master boot sector on hard disk
       N = nonresident (does not stay in memory)
       O = overwriting (the Replacement strategy above)
       P = parasitic virus (attaches to a host file without destroying it)
       R = resident (stays in memory)
       T = manipulation of the file allocation table (FAT)
       X = manipulation/infection of the partition table