In our health-conscious society, viruses of any type are an enemy. Computer viruses are especially pernicious. They can and do strike any unprotected computer system, with results that range from merely annoying to the disastrous, time-consuming and expensive loss of software and data. And with corporations increasingly using computers for enterprise-wide, business-critical computing, the costs of virus-induced down-time are growing along with the threat from viruses themselves. Concern is justified - but unbridled paranoia is not. Just as proper diet, exercise and preventative health care can add years to your life, prudent and cost-effective anti-virus strategies can minimize your exposure to computer viruses.
· A history of computer viruses
· Who writes viruses - and how they can reach you
· The early warning symptoms of virus infection
· The real numbers behind the growth of viruses and their costs
· How viruses work - and how virus protection can stop them
· In a 1991 study of major U.S. and Canadian computer users by the market research firm Dataquest for the National Computer Security Association, most users blamed an infected diskette (87 percent). Forty-three percent of the diskettes responsible for introducing a virus into a corporate computing environment were brought from home.
· Nearly three-quarters (71 percent) of infections occurred in a networked environment, making rapid spread a serious risk. With networking, enterprise computing and inter-organizational communications on the increase, infection during telecommunicating and networking is growing.
· Seven percent said they had acquired their virus while downloading software from an electronic bulletin board service.
· Other sources of infected diskettes included demo disks, diagnostic disks used by service technicians and shrink-wrapped software disks - contributing six percent of reported infections.
What Is Ahead?
The industry's latest buzz-phrase is "data superhighway" and, although most people haven't thought about those superhighways in the context of virus infections, they should. Any technology that increases communication among computers also increases the likelihood of infection. And the data superhighway promises to expand on today's Internet links with high-bandwidth transmission of dense digital video, voice and data traffic at increasingly cost-effective rates. Corporations, universities, government agencies, non-profit organizations and consumers will be exchanging far more data than ever before. That makes virus protection more important, as well.
In addition to more opportunities for infection, there'll be more and more-damaging strains of virus to do the infecting. Regardless of the exact number of viruses that appear in the next few years, the Mutation Engine, Virus Creation Laboratory and other virus construction kits are sure to boost the virus population. Viruses that combine the worst features of several virus types - such as polymorphic boot sector viruses - are appearing and will become more common. Already, Windows-specific viruses have appeared. Virus writers, and their creations, are getting smarter. In response to the explosion in virus types and opportunities for transmission, virus protection will have to expand, too.
Anti-virus software manufacturers hit a speed bump that many later turned to their profit: 32-bit applications. DOS and Windows 3.1 used a 16-bit architecture, while 32-bit platforms such as Windows NT, UNIX and a variety of other server operating systems already had anti-virus programs. McAfee and Symantec, two giants in the anti-virus industry, prepared for the release of a new 32-bit home operating system. In August, Microsoft released Windows 95 for resale and it stormed across the nation. A large number of virus problems surfaced in the short months after the release. This was due to the lack of a readily-available 32-bit anti-virus for the home user, and the fact that old 16-bit anti-virus programs could not detect 32-bit viruses. McAfee introduced Virus Scan 95 and Symantec released Norton Antivirus 95 shortly after the Windows 95 release. As the future progresses and the data architecture grows, anti-virus programs will have to be upgraded to handle the new program structure.
Technical Overview
Computer Viruses And How They Work
Viruses are small software programs. At the very least, to be a virus, these programs must replicate themselves. They do this by exploiting computer code already on the host system. The virus can infect, or become resident in, almost any software component, including an application, operating system, system boot code or device driver. Viruses gain control over their host in various ways. Here is a closer look at the major virus types, how they function, and how you can fight them.
File Viruses
Most of the thousands of viruses known to exist are file viruses, including the Friday the 13th virus. They infect files by attaching themselves to a file, generally an executable file - the .EXE and .COM files that control applications and programs. The virus can insert its own code in any part of the file, provided it changes the host's code somewhere along the way, misdirecting program execution so that the virus code runs first, before the legitimate program. When the file is executed, the virus is executed first.
Most file viruses store themselves in memory. There, they can easily monitor access calls to infect other programs as they're executed. A simple file virus will overwrite and destroy a host file, immediately alerting the user to a problem because the software will not run. Because these viruses are immediately felt, they have less opportunity to spread. More pernicious file viruses cause more subtle or delayed damage - and spread considerably before being detected.
As users move to increasingly networked and client-server environments, file viruses are becoming more common. The challenge for users is to detect and clean this type of virus from memory without having to reboot from a clean diskette. That task is complicated because file viruses can quickly infect a range of software components throughout a user's system. Also, the scan technique used to detect viruses can cause further infections: scans open files, and a memory-resident file virus can infect a file during that operation. File viruses such as the Hundred Years virus can infect data files too.
Multi-Partite Viruses
These viruses combine the ugliest features of both file and boot sector/partition table viruses. They can infect any of these host software components. And while traditional boot sector viruses spread only from infected floppy boot disks, multi-partite viruses can spread with the ease of a file virus - but still insert an infection into a boot sector or partition table. This makes them particularly difficult to eradicate. Tequila is an example of a multi-partite virus.
Trojan Horses
Like its classical namesake, the Trojan Horse virus typically masquerades as something desirable - e.g., a legitimate software program. The Trojan Horse generally does not replicate (although researchers have discovered replicating Trojan Horses). It waits until its trigger event and then displays a message or destroys files or disks. Because it generally does not replicate, some researchers do not classify Trojan Horses as viruses - but that is of little comfort to the victims of these malicious strains of software.
File Overwriters
These viruses infect files by linking themselves to a program, keeping the original code intact and adding themselves to as many files as possible. Innocuous versions of file overwriters may not be intended to do anything more than replicate but, even then, they take up space and slow performance. And since file overwriters, like most other viruses, are often flawed, they can damage or destroy files inadvertently. The worst file overwriters remain hidden only until their trigger events. Then, they can deliberately destroy files and disks.
Polymorphic Viruses
More and more of today's viruses are polymorphic in nature. The recently released Mutation Engine - which makes it easy for virus creators to transform simple viruses into polymorphic ones - ensures that polymorphic viruses will only proliferate over the next few years. Like the human AIDS virus that mutates frequently to escape detection by the body's defenses, the polymorphic computer virus likewise mutates to escape detection by anti-virus software that compares it to an inventory of known viruses. Code within the virus includes an encryption routine to help the virus hide from detection, plus a decryption routine to restore the virus to its original state when it executes. Polymorphic viruses can infect any type of host software; although polymorphic file viruses are most common, polymorphic boot sector viruses have already been discovered.
Some polymorphic viruses have a relatively limited number of variants or disguises, making them easier to identify. The Whale virus, for example, has 32 forms. Anti-virus tools can detect these viruses by comparing them to an inventory of virus descriptions that allows for wildcard variations - much as PC users can search for half-remembered files in a directory by typing the first few letters plus an asterisk. Polymorphic viruses derived from tools such as the Mutation Engine are tougher to identify, because they can take any of four billion forms.
Stealth Viruses
Stealth aircraft have special engineering that enables them to elude detection by normal radar. Stealth viruses have special engineering that enables them to elude detection by traditional anti-virus tools. The stealth virus adds itself to a file or boot sector but, when you examine the host software, it appears normal and unchanged. The stealth virus performs this trickery by lurking in memory when it's executed. There, it monitors and intercepts your system's MS-DOS calls. When the system seeks to open an infected file, the stealth virus races ahead, uninfects the file and allows MS-DOS to open it - all appears normal. When MS-DOS closes the file, the virus reverses these actions, reinfecting the file.
Boot sector stealth viruses insinuate themselves in the system's boot sector and relocate the legitimate boot sector code to another part of the disk. When the system is booted, they retrieve the legitimate code and pass it along to accomplish the boot. When you examine the boot sector, it appears normal - but you are not seeing the boot sector in its normal location. Stealth viruses take up space, slow system performance, and can inadvertently or deliberately destroy data and files. Some anti-virus scanners, using traditional anti-virus techniques, can actually spread the virus. That is because they open and close files to scan them - and those acts give the virus additional chances to propagate. These same scanners will also fail to detect stealth viruses, because the act of opening the file for the scan causes the virus to temporarily disinfect the file, making it appear normal.
Signature-Based Scanners
Scanners - which, when activated, examine every file on a specified drive - can use any of a variety of anti-virus techniques. The most common is signature-based analysis. Signatures are the fingerprints of computer viruses - distinct strands of code that are unique to a single virus, much as DNA strands would be unique to a biological virus. Viruses, therefore, can be identified by their signatures. Virus researchers and anti-virus product developers catalog known viruses and their signatures, and signature-based scanners use these catalogs to search for viruses on a user's system. The best scanners have an exhaustive inventory of all viruses now known to exist. The signature-based scanner examines all possible locations for infection - boot sectors, system memory, partition tables and files - looking for strings of code that match the virus signatures stored in its memory.
When the scanner identifies a signature match, it can identify the virus by name and indicate where on the hard disk or floppy disk the infection is located. Because the signature-based scanner offers a precise identification of known viruses, it can offer the best method for effective and complete removal. The scanner can also detect the virus before it has had a chance to run, reducing the chance that the infection will spread before detection. Against these benefits, the signature-based scanner has limitations. At best, it can only detect viruses for which it is programmed with a signature. It cannot detect so-called unknown viruses - those that have not been previously discovered, analyzed and recorded in the files of anti-virus software. Polymorphic viruses elude detection by altering the code string that the scanner is searching for; to identify these viruses, you need another technique.
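The wildcard signature matching from the Polymorphic Viruses section and the drive-walking scan described above, as an added Python example (not code from the original document or from any anti-virus product). The signature names, byte patterns and file images are constructed for illustration and are not real virus signatures.

```python
import re
from typing import Dict, List, Tuple

# Constructed, placeholder signatures for this example (not real virus signatures).
# Hex byte patterns; "??" is a wildcard byte, the scanner's equivalent of the
# "first few letters plus an asterisk" directory search described on the page.
SIGNATURES: Dict[str, str] = {
    "Example.Fixed":   "B8 00 4C CD 21",            # exact byte string
    "Example.Variant": "E8 ?? ?? 5E 81 EE ?? ??",   # fixed opcodes, wildcard operands
}

def compile_signature(pattern: str) -> "re.Pattern[bytes]":
    """Turn 'B8 ?? CD' into a bytes regex in which '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

def scan_buffer(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every signature match in one file image."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((name, m.start()))
    return hits

def scan_files(files: Dict[str, bytes]) -> Dict[str, List[Tuple[str, int]]]:
    """Walk an in-memory 'drive' (file name -> contents), as a scanner walks a disk."""
    return {fname: scan_buffer(blob) for fname, blob in files.items()}

# Constructed sample drive; none of these are real programs.
DRIVE: Dict[str, bytes] = {
    "CLEAN.COM":   b"\x90" * 16 + b"\xB8\x01\x00\xCD\x21",              # no signature present
    "INFECT1.COM": b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 8,               # fixed signature at offset 0
    "INFECT2.COM": b"\x00" * 10 + b"\xE8\x12\x34\x5E\x81\xEE\x03\x01",  # wildcards absorb the operand bytes
    "MUTATED.COM": b"\x00" * 10 + b"\xE8\x12\x34\x5E\x83\xEE\x03\x01",  # one opcode byte re-encoded (81 -> 83): missed
}

if __name__ == "__main__":
    for fname, hits in scan_files(DRIVE).items():
        print(fname, hits or "clean")
```

MUTATED.COM shows the limitation the section ends on: a variant that re-encodes even one byte outside the wildcard positions no longer matches the stored signature.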