Identifying The Common Behaviors Of Viruses Computer Science Essay


In today's context it is important for both companies and individuals to protect their computers from virus attacks. The result of a virus attack can vary from losing some personal data on a PC to losing data worth millions on a server. Along with the development of new technologies in the computer field, it is obvious that viruses too have evolved to a great extent. The most recent viruses have spread across the world very fast, giving antivirus developers very little time to react and develop antivirus programs. So computer users cannot rely totally on antivirus software to protect their computers. They should have some basic knowledge about viruses in order to understand and prevent virus attacks. The main purpose of this literature survey is to identify the common behaviors of viruses and to provide knowledge about state of the art virus protection methods. This will help both individuals and companies to protect their computers from virus attacks using those methods.

\section{Introduction}

In the modern world many organizations hold confidential data worth millions of dollars which needs to be protected against virus attacks. For example, Google and Facebook hold such important data, and a major virus attack on their servers could end up losing millions of dollars. Traffic generated by viruses could bring the Internet to a standstill, and such a situation could result in a financial crisis too. The behavior of a virus can vary from simply starting many programs without the user's permission to wiping the Master Boot Record of a computer, which results in changes to the hardware too.

Users have to spend a lot of money on antivirus software to protect their computers against viruses. They could save that money if they were more careful and had some knowledge of the behavior of viruses. Sometimes they have to use state of the art virus protection methods to save their computers, because there are some viruses which can totally destroy a computer system.

\newpage

\section{History behind virus protection}

\subsection{What is a virus?}

In 1984 Dr. Frederick Cohen introduced a mathematical model that defines computer viruses using a Turing machine. He defined a virus in the following way.

\medskip

{\it "A virus is a program that is able to infect other programs by modifying them to include a possibly evolved copy of itself"} \cite{key-1}

\medskip

Although many have defined the term, it is very difficult to give an exact definition of a virus, because viruses evolve very rapidly. We cannot rely on one definition and assume that viruses behave in, and have only, the ways it describes. For example, the definition above should change, because some modern viruses do not modify the code of other programs. The most important feature considered when classifying a program as a virus is its ability to reproduce itself recursively and explicitly. Viruses are a subset of malicious programs. So it is important for both antivirus developers and computer users to keep their knowledge about computer viruses up to date.

Though virus-like programs had been written earlier, the first virus for a microcomputer was written by Rich Skrenta in 1982. It was called "Elk Cloner" and was designed for the Apple II computer. Since then viruses have evolved greatly.

\subsection{Introduction to virus protection}

Virus protection is all about developing detection techniques, reverse engineering malicious code, disinfecting, and developing defense systems with the help of optimized algorithms. How difficult it is to identify the behavior of a virus and to develop an antivirus depends on the form in which the virus code is available for analysis. For example, a virus available only in binary form needs to be reverse-engineered to identify its behavior.

Though we can use antivirus software to protect our computers, it will not provide a total solution, because nobody can develop an antivirus that detects future viruses. Antivirus software uses many techniques to detect viruses and to disinfect their effects on computers. Antivirus developers have to handle more than 500 new viruses a month, because nowadays viruses spread very quickly and use different techniques to spread themselves.

\newpage

\section{How viruses spread themselves}

There are some common techniques used by viruses to spread themselves. Viruses can spread in the following ways.

\begin{itemize}

\item Viruses can spread via storage media such as USB pen drives, hard disks, memory cards and so on. This is the most common and earliest way of spreading viruses. Though we do not talk about floppy diskettes much these days, they were the earliest medium used to spread viruses.

\item Another way of spreading viruses is via networks. This is the easiest and most efficient way of spreading viruses: they can spread very quickly across a very large area and so damage a large number of computers within a very short time. Such viruses generate a lot of Internet traffic and use infected hosts to spread themselves to other computers on the network.

\item Viruses can spread via software too. Many keygens and crack programs are developed to defeat the licensing of proprietary software so that it can be used for free, but most of these crack programs contain viruses.

\item Email is another spreading technique used by virus developers. Like networks, it is a very quick way of spreading viruses across a large area within a very short time. Virus developers attach viruses to emails as attachments.

\end{itemize}

\cite{key-5}

\newpage

\section{Types of viruses and attacks}

Viruses can be categorized in several ways depending on their characteristics. One categorization considers the behavior of viruses and their dependency on the computer architecture. It has three main categories. They are,

\begin{center}

\begin{enumerate}

\item Boot Sector viruses

\item File viruses

\item Macro viruses

\end{enumerate}

\end{center}

\ \\

{\indent \bf Boot Sector viruses}\\\\

The boot sector of a storage medium has historically been a common place for viruses to attack. Viruses plant themselves in boot sectors so that they are triggered very easily, because the boot sector contains code that is executed automatically when the computer boots. Even the first well known virus, {\it Elk Cloner}, is a boot sector virus. The {\it Brain} virus, detected in 1987, is also a boot sector virus.\cite{key-9} It modified the boot sector and hooked itself into the operating system. These types of viruses use storage media such as USB pen drives to spread themselves.

{\indent \bf File viruses}\\\\

These are also known as file infector viruses. Early overwriting file viruses overwrote the original file entirely with their malicious code. Such infected files were very easily detected by antivirus software, because the files no longer contained the original code and so behaved differently or did not produce the expected result.

Nowadays a file virus infects executable or system files by inserting its own code into part of the original file, so the virus code is executed when the user runs those files. This makes the virus much harder to detect, because the file contains the original code plus the virus code. Most of the time the file behaves normally and misbehaves only when the virus code is executed. Modern file viruses use stealth techniques to hide their presence. A common method these viruses use to spread is email. "Loveletter" is one such file virus; it overwrote certain file types with its own code.\cite{key-10}

{\indent \bf Macro viruses}\\\\

These are viruses written in macro languages. A macro language is a very powerful language that comes with applications such as a word processor, or as a high level language such as "Visual Basic for Applications (VBA)". A macro is a set of commands and actions that helps to automate certain tasks. Most macro viruses start executing when an infected document is opened. Macro viruses infect computers by replacing normal macros with the virus. A macro virus can replace a regular command without changing the command's name, so that the virus is executed whenever that command is selected. Common methods used by these viruses to spread are email attachments, disks and networks. A well known macro virus is the "Melissa virus", released in 1999, which spread itself via email attachments.

\cite{key-6}

\newpage

Viruses can also be divided into two categories by considering their infection method. They are,

\begin{enumerate}

\item Non-resident viruses

\item Resident viruses

\end{enumerate}

\ \\

{\indent \bf Non-resident viruses}\\\\

Non-resident viruses can be thought of as consisting of a {\it finder module} and a {\it replication module}. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file. These viruses do not stay resident in main memory; they infect other targeted programs, and it is through those programs that they get executed in main memory.\cite{key-2}

{\indent \bf Resident viruses}\\\\

These viruses also have a replication module, but it is not called by a finder module; instead these viruses load themselves into main memory and are executed each time the operating system performs a certain operation. They can be divided into two sub-categories: {\it fast infectors} and {\it slow infectors}. Fast infectors try to infect as many files as they can within a very short time. In contrast, slow infectors try to hide themselves and infect hosts infrequently.

Another categorization is based on the purpose for which the viruses were developed. They are,

\begin{enumerate}

\item Viruses for research purposes\\
These viruses are not released to the world. They are developed for research purposes only.

\item In-the-wild viruses\\
These are the viruses released to the world, developed for the purpose of damaging computer systems. They cause all the harmful effects.

\end{enumerate}

\newpage

\section{State of the Art virus protection}

Many viruses depend on the computer architecture, because it is very difficult to develop multi-architecture viruses. But virus developers have succeeded in developing viruses that run on several architectures, though not on all. They achieved this by translating the virus code into a sort of pseudo-format and then translating or adapting it to another architecture.

\subsection{Techniques used by Antivirus softwares to detect viruses}

\begin{enumerate}

\item Scanning

\item Heuristics

\item Emulation

\item Rootkit detection

\item System monitoring/interceptors

\end{enumerate}

\ \\

{\indent \bf Scanning}\\\\

Antivirus software detects viruses by scanning files and matching against the virus signatures in its own database. The sequence of binary patterns in the machine code of a virus is known as the signature of the virus. The signature can be considered the fingerprint of the virus, because most viruses have a unique signature.\cite{key-8}

Scanners can scan critical areas of hard disks such as boot sectors. They can detect viruses before they get executed, and they are very efficient in detecting known viruses.

A huge drawback of this technique is that it can only detect viruses whose signatures match the signatures in the database. Users have to update their antivirus software regularly to stay safe. Most modern viruses disable these scanners during their infection step.

{\indent \bf Heuristics}\\\\

Antivirus software uses heuristic scanners to detect the behaviors of viruses. The technique detects the family a virus belongs to by identifying a generic signature for a group of viruses. Through this method antivirus software can very quickly identify a range of viruses that differ only slightly from each other.

The advantage of this method is that antivirus software can detect even future viruses that have similar signatures or characteristics. Its drawbacks are that it is less efficient and that it only detects viruses in the execution phase, so a virus could disable the antivirus program before being detected.
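The exact-signature scanner described under Scanning and the generic family signature described under Heuristics, as an added example that is not part of the essay. The hex-with-wildcard notation, the sample bytes and the function names are all constructed for illustration, not taken from any antivirus product.

```python
"""Added example (not from the essay): a minimal signature scanner.

Two kinds of signature are modelled:
  * exact   - a fixed byte sequence, the fingerprint an antivirus database
              stores for one specific virus;
  * generic - the same notation with '??' wildcard positions, the heuristic
              family signature that also matches variants differing in a
              few bytes.
Every sample and signature below is a constructed placeholder, not real
virus code.
"""
import re
from typing import Dict, List

# Constructed "files": a dummy header, then (for the infected ones) a
# placeholder virus body.  VARIANT_B differs from VARIANT_A in two bytes,
# the kind of small change that breaks an exact signature.
CLEAN_PROGRAM = b"HDR\x00" + b"\x00" * 16 + b"NORMAL_CODE"
VARIANT_A = CLEAN_PROGRAM + b"\xde\xad\xbe\xef\x01\x02\xca\xfe"
VARIANT_B = CLEAN_PROGRAM + b"\xde\xad\xbe\xef\x09\x0a\xca\xfe"


def compile_signature(sig: str) -> "re.Pattern[bytes]":
    """Turn a hex string with optional '??' wildcards into a bytes regex.

    'de ad be ef ?? ?? ca fe' matches any byte at the two '??' positions.
    """
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")            # any single byte (DOTALL below)
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "Exact.VariantA": compile_signature("de ad be ef 01 02 ca fe"),
    "Generic.Family": compile_signature("de ad be ef ?? ?? ca fe"),
}


def scan(data: bytes, signatures=SIGNATURES) -> List[str]:
    """Return the names of all signatures found anywhere in data."""
    return [name for name, pat in signatures.items() if pat.search(data)]


if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_PROGRAM),
                          ("variant A", VARIANT_A),
                          ("variant B", VARIANT_B)]:
        print(f"{label:10s}: {scan(sample) or 'no match'}")
```

Variant B escapes the exact signature but not the generic one, which is the trade-off the two sections above describe.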

{\indent \bf Emulation}\\\\

This technique uses virtual operating systems, called sandboxes, to detect viruses. Suspected programs are executed in the sandbox environment and their behavior is analyzed. If a program is identified as a virus, it is removed from the system.

{\indent \bf Rootkit detection}\\\\

A rootkit is software or a hardware device designed to gain administrator-level control over a computer system without being detected. Rootkit viruses are very hard to detect, but modern antivirus software is able to detect these rootkits.\cite{key-3}

{\indent \bf System monitoring/interceptors}\\\\

Antivirus software using this technique continuously monitors the system and the network, and blocks programs that behave suspiciously. Sometimes this software continuously generates popups, which is very annoying for users, and sometimes it asks the user what it should do. Users therefore need some knowledge of virus behavior to use this software to protect their computers.

\newpage

\subsection{Techniques used by viruses to avoid detection}

Whenever antivirus developers develop new methods to detect viruses, virus developers develop new techniques to avoid detection. Some of these techniques are,

\begin{enumerate}

\item Stealth

\item Polymorphic code

\item Metamorphic code

\item Self modification

\item Encryption with a variable key

\end{enumerate}

\ \\

{\indent \bf Stealth}\\\\

Viruses avoid detection by intercepting the antivirus software's requests to the operating system. The virus hides itself by routing the antivirus software's request to read a file to itself instead of passing it to the operating system, and then returns an uninfected version of that file to the antivirus software. This makes the antivirus software think that the file is clean.

{\indent \bf Polymorphic code}\\\\

This method has posed a major threat to virus scanners. The virus infects files using an encrypted copy of itself, which is decoded at run time by a decryption module. Creating this type of virus requires a polymorphic engine. A well written virus of this kind would not produce two identical infections, making it very difficult for antivirus software to detect them. Antivirus software uses emulators to detect such viruses.
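The emulation step mentioned above, as an added example that is not from the essay: two constructed infections of the same placeholder body encrypted under different keys, a plain signature scan that fails on both, and a stand-in emulator that carries out the decryptor's loop so the scan can be applied to the recovered body. The stub marker, the key layout, the signature bytes and the function names are all assumptions made for this example.

```python
"""Added example (not from the essay): why a variable-key encrypted body
defeats plain signature matching, and how an emulation step recovers it.

Toy infection layout (constructed for this example only):
    STUB_MARKER | key byte | body XOR-ed with the key byte
The stub marker stands in for the decryptor loop's code, which is the only
part all infections share.  The body is a placeholder byte string.
"""
from typing import Optional

STUB_MARKER = b"\xd3\xc7\x00\x01"            # constructed decryptor-stub bytes
BODY_SIGNATURE = b"\xa1\xb2\xc3\xd4\xe5"      # constructed fingerprint of the clear body

# Two constructed infections of the same placeholder body
# (10 20 a1 b2 c3 d4 e5 30 40) under the keys 0x5a and 0x2f.
INFECTION_KEY_5A = STUB_MARKER + b"\x5a" + b"\x4a\x7a\xfb\xe8\x99\x8e\xbf\x6a\x1a"
INFECTION_KEY_2F = STUB_MARKER + b"\x2f" + b"\x3f\x0f\x8e\x9d\xec\xfb\xca\x1f\x6f"


def static_scan(sample: bytes) -> bool:
    """Signature match on the raw bytes: misses every encrypted infection."""
    return BODY_SIGNATURE in sample


def identical_positions(a: bytes, b: bytes) -> int:
    """Count byte positions where two infections agree.  Beyond the stub they
    share nothing, which is why no exact signature covers the body."""
    return sum(1 for x, y in zip(a, b) if x == y)


def emulate_decryptor(sample: bytes) -> Optional[bytes]:
    """Stand-in for an emulator: recognise the decryptor stub, read the key it
    carries and perform the loop it would run, yielding the body in clear."""
    if not sample.startswith(STUB_MARKER) or len(sample) < len(STUB_MARKER) + 2:
        return None
    key = sample[len(STUB_MARKER)]
    return bytes(b ^ key for b in sample[len(STUB_MARKER) + 1:])


def emulating_scan(sample: bytes) -> bool:
    """Apply the signature to the emulated body instead of the raw bytes."""
    body = emulate_decryptor(sample)
    return body is not None and BODY_SIGNATURE in body


if __name__ == "__main__":
    for name, sample in [("key 0x5a", INFECTION_KEY_5A), ("key 0x2f", INFECTION_KEY_2F)]:
        print(f"{name}: static={static_scan(sample)} emulated={emulating_scan(sample)}")
    print("byte positions shared by the two infections:",
          identical_positions(INFECTION_KEY_5A, INFECTION_KEY_2F))
```

Only the four stub bytes are common to the two samples, so a scanner that does not emulate has nothing stable to match beyond the decryptor itself.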

{\indent \bf Metamorphic code}\\\\

These types of viruses rewrite themselves each time they infect a new executable. Viruses do this to avoid being detected by emulators. A metamorphic virus needs a metamorphic engine to rewrite itself. These viruses are very complex and hard to develop. {\it W32/Simile} is one such virus.

\cite{key-7}

\newpage

\section{Conclusion and future research areas}

The battle between virus developers and antivirus developers will not end. It will continue, and it will become more and more competitive, since each side wants to dominate the other. This field changes very rapidly because a lot of research is done in it. Some of the research areas are as follows,

\begin{itemize}

\item Intrusion detection systems to monitor live traffic

\item Honeypots to catch viruses

\end{itemize}

\cite{key-4}

\ \\

{\indent \bf Intrusion detection systems to monitor live traffic}\\\\

These monitoring systems are designed to detect virus outbreaks very early and to react to them very early. Epidemic models are developed to describe how viruses spread and behave.

{\indent \bf Honeypots to catch viruses}\\\\

These are computers configured to appear vulnerable to virus attacks, so that they can collect data about the behavior of viruses. They also help to prevent viruses from spreading in networks.

Viruses will continue to spread in the computer world. State of the art technologies will be used to disinfect or destroy them, so it is important for users to use state of the art virus protection to stay safe from virus attacks.

\newpage

\begin{thebibliography}{20}

\bibitem{key-1}Peter Szor, ``The Art of Computer Virus Research and Defense'', Addison Wesley Professional, 2005.

\bibitem{key-2}Wikipedia, ``Computer virus: Nonresident viruses'', \texttt{http://en.wikipedia.org/wiki/Computer\_virus\#Nonresident\_viruses}

\bibitem{key-3}Wikipedia, ``Rootkit'', \texttt{http://en.wikipedia.org/wiki/Rootkit}

\bibitem{key-4}Tom Chen, ``Research in Computer Viruses and Worms''.

\bibitem{key-5}``How viruses spread'', \texttt{http://www.newton.dep.anl.gov/teachers/compvir.htm}

\bibitem{key-6}``Types of viruses'', \texttt{http://www.pcguide.com/care/data/virus/bgTypes-c.html}

\bibitem{key-7}Wikipedia, ``Computer virus'', \texttt{http://en.wikipedia.org/wiki/Computer\_virus}

\bibitem{key-8}Wikipedia, ``Antivirus software'', \texttt{http://en.wikipedia.org/wiki/Antivirus\_software}

\bibitem{key-9}``Malicious computer programs'', \texttt{http://www.rbs2.com/virus.htm}

\bibitem{key-10}``File virus'', \texttt{http://antivirus.about.com/cs/glossary/g/filevirus.htm}

\end{thebibliography}

\end{document}
