1 Definition — What is Malicious Code?
Malicious code refers to any instruction or set of instructions that perform a suspicious function without the user’s consent.
2 Definition — What is a Computer Virus?
A computer virus is a form of malicious code. It is a set of instructions (i.e. a program) that is both self-replicating and infectious, thereby imitating a biological virus.
3 Program Viruses and Boot Sector Infectors
Viruses can first be classified in terms of what they infect. Viruses that infect the user’s programs such as games, word processors (Word), spreadsheets (Excel), and DBMSs (Access) are known as program viruses. Viruses that infect boot sectors (explained later) and/or Master Boot Records (explained later) are known as boot sector infectors. Some viruses belong to both groups. All viruses have three functions: Reproduce, Infect, and Deliver Payload. Let’s look at program viruses first.
3.1 How Does a Program Virus Work?
A program virus must attach itself to other programs in order to exist. This is the principal characteristic that distinguishes a virus from other forms of malicious code: it cannot exist on its own; it is parasitic on another program. The program that a virus invades is known as the host program. When a virus-infected program is executed, the virus is also executed. The virus now performs its first two functions simultaneously: Reproduce and Infect.
After an infected program is executed, the virus takes control from the host and begins searching for other programs on the same or other disks that are currently uninfected. When it finds one, it copies itself into the uninfected program. Afterwards, it might begin searching for more programs to infect. After infection is complete, control is returned to the host program. When the host program is terminated, it and possibly the virus too, are removed from memory. The user will probably be completely unaware of what has just happened.
A variation on this method of infection involves leaving the virus in memory even after the host has terminated. The virus will now stay in memory until the computer is turned off. From this position, the virus may infect programs to its heart’s content. The next time the user boots his computer, he might unknowingly execute one of his infected applications.
As soon as the virus is in memory, there is a risk that the virus’s third function may be invoked: Deliver Payload. This activity can be anything the virus creator wants, such as deleting files, or slowing down the computer. The virus could remain in memory, delivering its payload, until the computer is turned off. It could modify data files, damage or delete data files and programs, etc. It could wait patiently for you to create data files with a word processor, spreadsheet, database, etc. Then, when you exit the program, the virus could modify or delete the new data files.
3.1.1 Infection Process
A program virus usually infects other programs by placing a copy of itself at the end of the intended target (the host program). It then modifies the first few instructions of the host program so that when the host is executed, control passes to the virus. Afterwards, control returns to the host program. Making a program read-only is ineffective protection against a virus: a virus can gain access to a read-only file simply by clearing the read-only attribute, and it restores the attribute after infection. Below, you can see the operation of a program before and after it has been infected.
Before infection:
1. Instruction 1
2. Instruction 2
3. Instruction 3
4. Instruction n
End of program

After infection:
Host program:
1. Jump to virus instruction 1
2. Host Instruction 1
3. Host Instruction 2
4. Host Instruction 3
5. Host Instruction n
End of host program
Virus program (appended to the host):
6. Virus Instruction 1
7. Virus Instruction 2
8. Virus Instruction 3
9. Virus Instruction n
10. Jump to host instruction 1
End of virus program
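The two changes in the diagram (the patched first instructions and the code appended at the end of the host) are exactly what a baseline-and-compare integrity check can detect. The following is an added example, not code from the original notes; the "programs" are constructed byte strings and the 8-byte entry length is an assumption for the toy format.

```python
"""Baseline-and-compare check for the program-virus pattern described above.

The page names two changes an infecting virus makes to its host: it appends
itself to the end of the file and patches the first few instructions with a
jump to the appended code. Recording a baseline per program and comparing
later detects both. Sample programs are constructed byte strings, not real executables.
"""
import hashlib

ENTRY_BYTES = 8  # leading bytes treated as the program's "first few instructions"

def baseline(image: bytes) -> dict:
    """Record what later checks compare against: size, full digest, entry digest."""
    return {
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
        "entry_sha256": hashlib.sha256(image[:ENTRY_BYTES]).hexdigest(),
    }

def check(image: bytes, base: dict) -> list:
    """Compare an image with its baseline; return findings (empty list if unchanged).

    The comparison is on content, so clearing and restoring the read-only
    attribute, as the page describes, gains the virus nothing against it.
    """
    now = baseline(image)
    if now["sha256"] == base["sha256"]:
        return []
    findings = []
    if now["entry_sha256"] != base["entry_sha256"]:
        findings.append("entry instructions modified")
    if now["size"] > base["size"]:
        findings.append(f"{now['size'] - base['size']} bytes appended")
    elif now["size"] < base["size"]:
        findings.append("file truncated")
    if not findings:
        findings.append("body modified in place")
    return findings

# Constructed samples: HOST is a clean program; TAMPERED is the same program after
# the two changes in the diagram (entry patched with a jump, virus block appended).
HOST = b"ENTRY:01\x00HOST-INSTRUCTIONS-1..n\x00END"
TAMPERED = b"JMP->END" + HOST[ENTRY_BYTES:] + b"APPENDED-BLOCK;JMP->ENTRY"

if __name__ == "__main__":
    base = baseline(HOST)
    print(check(HOST, base))      # []
    print(check(TAMPERED, base))  # ['entry instructions modified', '25 bytes appended']
```

The baseline must be recorded while the programs are known to be clean and kept where the checked system cannot rewrite it, otherwise a later comparison only confirms the infected state.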
3.2 How Does a Boot Sector Infector Work?
On hard disks, track 0, sector 1 is known as the Master Boot Record. The MBR contains a program as well as data describing the hard disk being used. A hard disk can be divided into one or more partitions. The first sector of the partition containing the OS is the boot sector.
A boot sector infector is quite a bit more advanced than a program virus, as it invades an area of the disk that is normally off limits to the user. To understand how a boot sector infector (BSI) works, one must first understand something called the boot-up procedure. This sequence of steps begins when the power switch is pressed, thereby activating the power supply. The power supply starts the CPU, which in turn executes a ROM program known as the BIOS. The BIOS tests the system components, and then executes the MBR. The MBR then locates and executes the boot sector which loads the operating system. The BIOS does not check to see what the program is in track 0, sector 1; it simply goes there and executes it.
In the following diagram, boot sector refers to both the boot sector and the MBR. A boot sector infector moves the contents of the boot sector to a new location on the disk. It then places itself in the original disk location. The next time the computer is booted, the BIOS will go to the boot sector and execute the virus. The virus is now in memory and might remain there until the computer is turned off. The first thing the virus will do is to execute, in its new location, the program which used to be in the boot sector. This program will then load the operating system and everything will continue as normal except that there is now a virus in memory. The boot-up procedure, before and after viral infection, can be seen below.
Before infection:
1. Press power switch
2. Power supply starts CPU
3. CPU executes BIOS
4. BIOS tests components
5. BIOS executes boot sector
6. Boot sector loads OS

After infection (BSI = Boot Sector Infector):
1. Press power switch
2. Power supply starts CPU
3. CPU executes BIOS
4. BIOS tests components
5. BIOS executes boot sector (now occupied by the BSI)
6. BSI executes original boot sector program in new location
7. Original boot sector program loads OS (BSI remains in memory when boot-up process completes)
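Because the BIOS executes whatever program sits in track 0, sector 1, the defensive counterpart to the diagram above is to read that sector back and compare its bootstrap program with a copy recorded while the disk was known clean. The following is an added example, not part of the original notes; it uses the classic MBR layout (446 bytes of code, a 4-entry partition table, a 55AA signature), and the sectors it checks are constructed, not dumps of a real disk.

```python
"""Parse a 512-byte MBR and compare its bootstrap code with a known-good copy.

The MBR (track 0, sector 1) holds a small program, then the partition table,
then a two-byte signature. The BIOS runs whatever program is there, so the only
way to know it is the original is to compare it with a copy recorded while the
disk was known clean. The sectors below are constructed, not real.
"""
import hashlib
import struct

CODE_LEN = 446           # classic layout: bootstrap program occupies bytes 0..445
TABLE_OFF = 446          # four 16-byte partition entries follow the code
SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3xB3xII"  # status, (CHS start), type, (CHS end), LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split a sector into its code digest, used partition entries and signature check."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack(ENTRY_FMT, entry)
        if ptype:  # type 0x00 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "partitions": partitions, "valid_signature": sector[510:] == SIGNATURE}

def check_mbr(sector: bytes, known_good_code_sha256: str) -> list:
    """Return findings: bad signature, replaced bootstrap code, or nothing marked bootable."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 55AA signature")
    if info["code_sha256"] != known_good_code_sha256:
        findings.append("bootstrap code differs from known-good copy")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition marked bootable")
    return findings

def build_sector(code: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR from a code blob and (status, type, lba, count) tuples."""
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return code.ljust(CODE_LEN, b"\x00") + table + SIGNATURE

# Constructed known-good MBR: placeholder code and one bootable partition at LBA 2048.
CLEAN = build_sector(b"ORIGINAL-BOOTSTRAP-CODE", [(0x80, 0x07, 2048, 204800)])
# Same partition table, but the bootstrap program has been replaced (the BSI pattern above).
REPLACED = build_sector(b"REPLACEMENT-CODE", [(0x80, 0x07, 2048, 204800)])
```

Note that the partition table in the replaced sector is untouched, which is why a check that only lists partitions would see nothing wrong; the comparison of the code bytes is what catches the swap.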
4 Stealth Virus
Another way of classifying viruses deals with the way in which they hide inside their host, and applies to both program and boot sector viruses. A regular virus infects a program or boot sector and then just sits there. A special type of virus known as a stealth virus, encrypts itself when it is hiding inside another program or boot sector. However, an encrypted virus is not executable. Therefore, the virus leaves a small tag hanging out which is never encrypted. When the host program or boot sector is executed, the tag takes control and decodes the rest of the virus. The fully decoded virus may then perform either its Infect and Reproduce functions or its Deliver Payload function depending on the way in which the virus was written.
An advanced form of a stealth virus is a polymorphic stealth virus, which employs a different encryption algorithm every time. The tag, however, must never be encrypted in any manner. Otherwise, it will not be executable and unable to decode the rest of the virus.
5 Logic Bomb
Viruses are often programmed to wait until a certain condition has been met before delivering their payload. Such conditions include: after it has reproduced itself a certain number of times, when the hard disk is 75% full, etc. These viruses are known as logic bombs because they wait until a logical condition is true before delivering the payload.
5.1 Time Bomb
The term time bomb is used to refer to a virus that waits until a certain date and/or time before delivering its payload. For example, some viruses go off on Friday the 13th, April 1st, or October 31st. The Michelangelo virus had March 6th as its trigger date. A time bomb is therefore a specific type of logic bomb (discussed earlier): waiting for a date or time is simply waiting for a particular logical condition to become true. There is considerable overlap in these ways of describing viruses. For example, a particular virus could be both a program virus and a polymorphic stealth virus. Another virus could be a boot sector infector, a stealth virus and a time bomb. Each term refers to a different aspect of the virus.
II More On Malicious Code
1 Trojan Horses
A trojan horse is an independent program and a form of malicious code. It is not a virus but a program that one thinks would do one thing but actually does something else. The user is misled by the program’s name, which entices unsuspecting users to run it, and once executed, a piece of malicious code is invoked. The malicious code could be a virus but it doesn’t have to be. It might simply be some instructions that are neither infectious nor self-replicating but do deliver some type of payload. A trojan horse from the DOS days was SEX.EXE, which was intentionally infected with a virus. If you found a program with this name on your hard disk, would you execute it? When the program was loaded, some interesting images appeared on the screen to distract you. Meanwhile, the included virus was infecting your hard disk. Sometime later, the virus’s third function scrambled your hard disk’s FAT (File Allocation Table), which meant you couldn’t access any of your programs, data files, documents, etc.
A trojan horse could find its way onto your hard disk in different ways. The most common involve the Internet.
– It could download without your permission while you’re downloading something else.
– It could download automatically when you visit certain websites.
– It could be an attachment in an email.
As said earlier, the filename of a trojan horse entices unsuspecting users to run it. If a trojan horse is an attachment in an email, the subject line of the email could also be written to entice the user to run it. For example the subject line could be “You have won 5 million dollars!” and the filename of the attachment could be “million dollar winner.exe”.
2 Worms
A worm is not a virus. Rather, it is a form of malicious code that reproduces and delivers a payload but is not infectious. It is an independent program that exists on its own, like a trojan horse or any regular program. Viruses cannot exist on their own. Worms do not infect programs, but they do reproduce, and are usually transmitted using the trojan horse technique.
3 Deliver Payload – What Can Malicious Code Do?
– Displaying a message or graphic on the screen, such as a number of crabs that slowly crawl around devouring and destroying whatever they find. This very old virus was called Crabs.
– Making a demand that the user perform a certain function, such as pressing a certain sequence of keys, before allowing normal operation to resume. An example of this is the Cookie Monster virus, in which the Cookie Monster would appear on your screen and demand a cookie before he would return control of your computer to you. You would have to respond by typing cookie. Several minutes later, he would reappear and demand another cookie.
– Causing the computer and/or mouse to lock up and become inoperable until the system is rebooted.
– Redefining the keyboard (press r and a k appears, etc.).
– Causing the computer to operate at a fraction of its regular speed.
– Erasing one or more of the computer’s files.
– Changing or corrupting the contents of data files (subtly or otherwise), often in a manner almost undetectable to the user until a much later date. For example, malicious code could move a decimal point in a spreadsheet budget file, or change the first word of every paragraph in a word processor file to “gotcha!”
III Preventative Maintenance
The best way to avoid being a victim of a virus attack is to prevent your system from ever contracting a virus. By taking simple, precautionary measures, you can reduce the chances of your system ever being infected.
– Install antivirus software. I recommend Avast Free Antivirus: it is free, provides comprehensive protection and works well.
– Only visit websites you trust.
– Make backups of your data.