Computer Crime Research Center

Viruses: Know your enemy
(By Jonathan Harker)

In the second of this special series of articles focusing on IT and network security for small and medium-sized businesses, vnunet.com examines one of the most serious threats facing today's IT managers: viruses.

The first computer virus arrived in the mid-1980s, so legend has it. The Amjad brothers, computer store owners frustrated by computer piracy, wrote the first virus: a boot sector infector which went by the almost comical name of 'Brain'.

From these simple and almost innocent beginnings, a large and usually insidious counterculture focusing on virus making and propagation has emerged, with expensive and often disastrous consequences.

Andrew Armstrong, UK managing director at antivirus specialist Trend Micro, warned that the danger from malicious viruses is growing exponentially.

"With an average of 500 new and increasingly sophisticated viruses each month, companies using traditional antivirus and content security products and practices remain vulnerable to attack," he told vnunet.com.

"Each new network service, device or application that opens up remote access to the internal network creates a potential access point for computer viruses and other malicious code.

"Each new operating system or protocol may contain security vulnerabilities that are not yet identified."

The first stage in effectively fighting this plague of viruses must be to know your enemy.

The definition of a virus is conceptually simple: it is any piece of executable code that infects a computer by automatically reproducing itself while causing some, usually undesired, event.

But the damage that viruses deliver as their so-called 'payload' can be complex and potentially devastating.

Virus code is usually distributed hidden in email attachments or files downloaded from corporate networks or from the internet.

In broad terms there are three main types of viruses: file infectors, boot-sector infectors and macro viruses.

File infectors

These nasties are so-called because they attach themselves to executable program code, usually .com or .exe files. However, some of the more virulent examples can infect any program for which operating system execution is enabled, including .sys, .ovl, .prg, and .dll files.

When the program is loaded, the virus piggybacks on the legitimate code to access the host system. Malicious Trojan horse code, which is contained within apparently harmless applications, can be propagated as part of a file infector virus.
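Because a file infector has to alter the host program to attach itself, the change shows up as a modified executable. The following integrity baseline is an added illustration of that detection principle, not code from the vnunet.com article or from Trend Micro: it records the size and SHA-256 hash of every program file with one of the extensions the article lists, then reports files that have changed, appeared or vanished. The directory layout, file names and byte contents are constructed for the demonstration.

```python
"""
Added example (not from the original article): a minimal file-integrity
baseline that flags executables whose contents changed, which is the
footprint a file infector leaves when it attaches itself to a program.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions the article lists as file-infector targets.
EXECUTABLE_SUFFIXES = {".com", ".exe", ".sys", ".ovl", ".prg", ".dll"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map each executable's relative path to its (size, sha256)."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            key = p.relative_to(root).as_posix()
            baseline[key] = (p.stat().st_size, sha256_of(p))
    return baseline


def find_changes(root, baseline: dict) -> dict:
    """Compare the current state of root against a stored baseline."""
    current = build_baseline(root)
    return {
        # Same path, different size or hash: the program was altered.
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        # Executables that were not present when the baseline was taken.
        "added": sorted(k for k in current if k not in baseline),
        # Executables that have disappeared since the baseline.
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline two programs, then alter one of them."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        # Constructed sample contents; not real programs.
        (root / "bin" / "calc.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "bin" / "netstat.com").write_bytes(b"\xb8\x00\x4c\xcd\x21")
        (root / "readme.txt").write_bytes(b"not executable, so not tracked")
        baseline = build_baseline(root)
        # Constructed change standing in for an unexpected modification
        # of calc.exe after the baseline was recorded.
        with (root / "bin" / "calc.exe").open("ab") as f:
            f.write(b"\x90" * 32)
        return find_changes(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be written to read-only media or a separate host before comparison, since a tool that keeps its reference hashes on the machine it is checking can be modified along with everything else.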

System, or boot-sector, infectors

These viruses work by infecting executable code found in system areas. They target the DOS boot sector on floppies or the Master Boot Record on hard drives.

Once these types of infection have been loaded into a host system, through booting with an infected floppy disk or compromised hard drive, the viruses hide in memory, which makes them very difficult to detect.

When the virus has taken up residence in system memory it can infect any uninfected file that is executed. The only way to remove the virus is to turn off the power on the infected computer.

One of the most devastating types of system virus is called a worm. Worms do not change files, but place themselves in active system memory where they propagate, usually without being seen by the user of the host computer.

The presence of such viruses is often noticed only when their uncontrolled replication consumes system resources and brings the host to a standstill.

Macro viruses

These are among the most common, but do not typically have substantially destructive payloads.

Generally written in Visual Basic script, macro viruses 'infect' a Microsoft Office or similar application and cause their payloads to be triggered when the application is started. They are usually distributed via email.

A high-profile example was the Melissa virus of March 1999, which distributed itself by infecting Microsoft Outlook and automatically mailing itself to entries in its victims' address books.

Having identified the threat, the next stage is to establish what measures need to be taken to fight against viruses.

In the next edition of this special series vnunet.com will investigate what companies can do to protect themselves.

Source: www.vnunet.com


Copyright Computer Crime Research Center 2001, 2002 All Rights Reserved.
Contact the CCRC Office at +38 061 220 12 83