Handbook of Information Security Management: Computer Architecture and System Security



Parasitic Viruses

More numerous than boot sector viruses but less prevalent, parasitic viruses are also referred to as file infectors, because they infect executable files. According to Virus Bulletin “they generally leave the contents of the host program relatively unchanged, but append or prepend their code to the host, and divert execution flow so that the virus code is executed first. Once the virus code has finished its task, control is passed to the original program which, in most cases, executes normally.” While such a complex operation sounds at first like it would be immediately noticeable to the user, this is often not the case since virus code is typically very compact. The temporary diversion of program flow is often indiscernible from normal operations.

Multipartite and Companion Viruses

You now know what boot sector and file infector viruses do. Put the two together and you have multipartite viruses, such as Tequila, which are capable of spreading by both methods. At the other end of the sophistication scale are companion viruses which take advantage of this simple fact about DOS: if you launch a program at the DOS prompt by entering its name, as in FORMAT, and DOS finds that there are two program files in the current directory, one called FORMAT.COM and the other called FORMAT.EXE, the COM file will be executed before the EXE file. A companion virus thus hides and spreads as a COM variant of a standard EXE file. Examples include the rare AIDS II and Clonewar viruses.
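A defender's sweep for the name collision the paragraph describes, added here as an example (not code from the Handbook). It assumes the standard DOS search order COM, then EXE, then BAT, so it goes one step beyond the page by also reporting a BAT file sharing a name; the directory listing is constructed.

```python
"""Sweep a DOS directory listing for the COM/EXE name collisions a companion virus relies on.

Added example, not code from the Handbook. DOS runs NAME.COM ahead of
NAME.EXE, and NAME.EXE ahead of NAME.BAT, so a stray NAME.COM beside a
legitimate NAME.EXE is the shadow described above. The listing below is
constructed; scan_directory() applies the same check to a real path.
"""
import os
from collections import defaultdict

# DOS search order for a bare command name: the lowest index runs first.
DOS_EXT_ORDER = (".COM", ".EXE", ".BAT")


def find_companion_candidates(filenames):
    """Return {BASENAME: [extensions in execution order]} for every
    basename that resolves to more than one executable.

    Matching is case-insensitive because DOS filenames are.
    """
    by_base = defaultdict(set)
    for name in filenames:
        upper = name.upper()
        for ext in DOS_EXT_ORDER:
            if upper.endswith(ext):
                by_base[upper[:-len(ext)]].add(ext)
                break
    return {base: sorted(exts, key=DOS_EXT_ORDER.index)
            for base, exts in by_base.items() if len(exts) > 1}


def shadowed_program(base, exts):
    """(file DOS actually runs, file the user thinks they ran)."""
    return base + exts[0], base + exts[-1]


def scan_directory(path):
    """Apply the check to a real directory (one directory, not recursive)."""
    return find_companion_candidates(os.listdir(path))


# Constructed listing: FORMAT.COM shadows FORMAT.EXE. XCOPY.BAT is reported
# too, although XCOPY.EXE still wins, so that an operator can review it.
SAMPLE_LISTING = ["FORMAT.EXE", "format.com", "EDIT.COM",
                  "README.TXT", "XCOPY.EXE", "XCOPY.BAT"]

if __name__ == "__main__":
    for base, exts in find_companion_candidates(SAMPLE_LISTING).items():
        runs_first, shadowed = shadowed_program(base, exts)
        print(f"{base}: DOS runs {runs_first} ahead of {shadowed}")
```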

Other Types of Virus

Link viruses are rare in the wild, despite their considerable potential for spreading rapidly: they manipulate the directory structure of the media on which they are stored so that the operating system is pointed to virus code instead of the legitimate programs. Academic virus researchers and underground virus writers both spend a lot of time thinking about new ways in which viruses may be spread. This leads to many “in the zoo” or “in theory” viruses, which exist more on paper than in practice. Two approaches to infection that fit into this category are source code and object code viruses. The idea behind a source code virus is to insert virus instructions into programs at the source code level, rather than into the compiled program.

A source code virus would add itself to the source code file, then get compiled into the executable file when the program code was compiled. From the compiled program the virus code then seeks out further source code files to infect. This method of infection could be quite effective in some environments, since most source code files have common and easily identifiable attributes, such as file extensions (like .C and .BAS). There is little evidence of such viruses on desktop machines, but widespread use of an interpreted language, like Microsoft Visual Basic, could make this an appealing path for infection.

To understand the object code virus, of which at least one example, Shifting_Objectives, has been discovered, you need to know that not all of the source code for a complex program, such as Microsoft Windows or Microsoft Excel, is compiled into one large EXE or COM file. Instead, these programs use sections of code, called objects, that are loaded into RAM and linked together only when they are needed. Programmers like to write code in the form of objects because these can be reused very easily. For example, if treated as an object, the code required to create a dialog box can be used in many places within a program, without the programmer having to code each dialog box individually. By infecting an object rather than an executable, the object code virus makes itself less open to normal methods of detection (for example, many antivirus strategies concentrate on protecting and monitoring executable files).

The term kernel is used to describe the core of the operating system. In DOS, for example, the kernel is stored in the hidden file IO.SYS. The idea behind a kernel infector, of which there are currently very few, is to operate at one level above the boot sector, but within the heart of the operating system, replacing the instructions in the real IO.SYS with its own agenda. This makes the virus more difficult to track than if it infected visible COM files such as COMMAND.COM. By loading its own code into memory ahead of the operating system the virus can achieve “stealthing” to avoid many traditional forms of virus detection.

Stealth and Polymorphism

Stealth viruses use traditional techniques for infection, such as boot sectors and executable files, but they have code which stays in memory to monitor and intercept operating system calls, thus disguising the virus's presence. As Jonathan Wheat, one of the antivirus experts at NCSA, puts it: “when the system seeks to open an infected file, the stealth virus leaps ahead, uninfects the file and allows the operating system to open it, so that all appears normal. When the operating system closes the file, the stealth virus reverses the actions, reinfecting the file. If you look at a boot sector on a disk infected by a stealth boot sector virus what you see looks normal, but it is not the real boot sector.” Stealth viruses pose numerous problems for traditional antivirus products, which may even propagate the virus as they examine files when looking for infections.
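The integrity check a defender runs against the appending and prepending file infectors described under Parasitic Viruses, with the caveat this stealth paragraph imposes on it, as an added example (not code from the Handbook). The file names and contents are constructed, and taking the baseline from a known-clean boot is an assumption the check depends on.

```python
"""Size-and-hash baseline for executables, the classic check against file infectors.

Added example, not code from the Handbook. An appending or prepending parasitic
virus changes both the size and the hash of its host, so the baseline records both
and the comparison says how each file changed. Files are passed as {name: bytes}
so the demo runs offline on the constructed snapshots below. Caveat from the
stealth section: a resident stealth virus can hand this check the disinfected
image, so baseline and verification must both run from a known-clean boot.
"""
import hashlib

EXECUTABLE_EXTS = (".com", ".exe")

def fingerprint(content):
    return {"size": len(content), "sha256": hashlib.sha256(content).hexdigest()}

def build_baseline(files):
    """Fingerprint only the executables in {name: bytes}."""
    return {name: fingerprint(data) for name, data in files.items()
            if name.lower().endswith(EXECUTABLE_EXTS)}

def compare(baseline, files):
    """Classify every executable relative to the baseline."""
    current = build_baseline(files)
    report = {}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            report[name] = "missing"
        elif new["sha256"] == old["sha256"]:
            report[name] = "unchanged"
        elif new["size"] > old["size"]:
            report[name] = "grown"      # consistent with appended/prepended code
        elif new["size"] < old["size"]:
            report[name] = "shrunk"
        else:
            report[name] = "rewritten"  # same size, different content
    for name in current:
        if name not in baseline:
            report[name] = "new"        # an executable that was not there before
    return report

# Constructed snapshots: FORMAT.EXE has grown and an unknown FORMAT.COM appeared.
CLEAN = {"FORMAT.EXE": b"MZ" + bytes(60), "EDIT.COM": bytes(5), "README.TXT": b"hi"}
LATER = {"FORMAT.EXE": b"MZ" + bytes(60) + bytes(16), "EDIT.COM": bytes(5),
         "FORMAT.COM": bytes(8)}

if __name__ == "__main__":
    print(compare(build_baseline(CLEAN), LATER))
```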

The term polymorphic is used to describe computer viruses that mutate to escape detection by traditional antivirus software, which compares suspect code to an inventory of known viruses. Polymorphic viruses can infect any type of host software. Polymorphic file viruses are most common, but polymorphic boot sector viruses have also been discovered (virus writers use a free piece of software called the Mutation Engine to transform simple viruses into polymorphic ones, which makes it likely that polymorphic viruses will proliferate further).

Some polymorphic viruses have a relatively limited number of variants or disguises, making them easier to identify. The Whale virus, for example, has 32 forms. Antivirus tools can detect these viruses by comparing them to an inventory of virus descriptions that allows for wildcard variations. Polymorphic viruses derived from tools such as the Mutation Engine are tougher to identify, because they can take any of four billion forms!
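The wildcard signature matching that the paragraph credits with catching limited-variant viruses, added here as an example (not code from the Handbook or any antivirus product). The byte buffers and signatures are constructed for the demonstration and are not real virus patterns; the third variant shows why a wildcard inventory alone falls short against engine-generated mutations.

```python
"""Wildcard signature matching of the kind the text describes.

Added example, not code from the Handbook or any antivirus product. A
signature is hex with ?? for bytes that differ between variants of one
virus. Every buffer and signature here is constructed for the demo; none
is a real virus pattern.
"""


def parse_signature(sig):
    """'E8 ?? ?? 5D' -> [0xE8, None, None, 0x5D]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def find_signature(data, pattern):
    """Offset of the first match of pattern in data, or -1 if none."""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is None or p == data[i + j] for j, p in enumerate(pattern)):
            return i
    return -1


def scan(data, signatures):
    """{name: offset} for every signature that matches data."""
    hits = {}
    for name, sig in signatures.items():
        off = find_signature(data, parse_signature(sig))
        if off >= 0:
            hits[name] = off
    return hits


# Constructed 12-byte skeletons. A and B differ only in the two bytes after
# E8, the kind of change a simple mutator makes; C also alters the
# surrounding instructions, which is what an engine-generated rewrite does
# and why a wildcard signature alone is not enough against it.
VARIANT_A = bytes.fromhex("90 90 E8 10 00 5D 81 ED 03 01 CD 21")
VARIANT_B = bytes.fromhex("90 90 E8 42 01 5D 81 ED 03 01 CD 21")
VARIANT_C = bytes.fromhex("90 90 E8 42 01 5F 81 EF 03 01 CD 21")

SIGNATURES = {
    "fixed":    "E8 10 00 5D 81 ED",   # exact bytes: catches A only
    "wildcard": "E8 ?? ?? 5D 81 ED",   # tolerates the varying bytes: A and B
}

if __name__ == "__main__":
    for label, buf in (("A", VARIANT_A), ("B", VARIANT_B), ("C", VARIANT_C)):
        print(label, scan(buf, SIGNATURES))
```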

