Now that the first victims of the Heartbleed web vulnerability…
A quick & dirty guide to malware (part 2: viruses)
This is the second posting in a three-part series covering common threats a user may encounter.
This series serves as a rough and ready guide, highlighting key features and trends relevant to most users.
The One That Left
Viruses have always loomed large in users’ minds as the poster child of malicious programs – heck, we even call it the anti-virus industry. In the last 10 years or so however, the number of virus infections has nosedived; our Labs, which once dealt with viruses routinely, now sees a proper virus infection about once or twice a month. Today when people talk of ‘viruses’, more often than not what they’re describing is technically a trojan or a worm, and they’re using the term in a general, ‘any malware will do’ kind of way.
That’s not to say viruses are extinct; we still receive a small, if persistent, number of queries about viruses. This may be because many businesses, households and users (both in developed countries and in recently connected developing ones) still use old, out-dated, unpatched machines or programs, or haven’t yet developed a security-conscious habits.
Whatever the case, virus infections will probably still cling on to life for a weary day after, so let’s take a look at them.
Highlights of a virus
The Merriam-Webster online dictionary’s bare-bones definition of a computer virus touches on important elements most users should know, so I’ll just elaborate a bit more on some key concepts:
“usually hidden within another seemingly innocuous program”
Last week I compared a virus to a parasite, because not only does it ‘hide’ in another program, but also depends on its host to function. For the virus to run, the unsuspecting user must actively launch the infected program, which in turn launches the virus.
For this reason, virus writers usually create viruses that infect executable files (especially popular programs such as word processors or media files), which have a higher chance of being run; programs with files that get passed around a lot are extra attractive, since they can affect even more potential victims.
A good example is the Microsoft Office suite which, with their huge community of business and personal users, used to be a popular target for macro viruses. We still see queries related to this virus type, though thankfully far less than previously.
“Produces copies of itself and inserts them into other programs”
If you think of the common cold virus spreading from one person to another, you’ll have a pretty good idea of why this behavior can be so damaging. When a infected file is executed, it searches for and infects new files; if the newly infected files are launched, they find and infect new files in turn, like some evil Multi-Level Marketing operation. At worst, this pattern can lead to every targeted file on the system being infected.
“Usually performs a malicious action”
The damage a virus can do by replicating and infecting new files is bad enough; its payload, a completely separate set of nasty actions, can be worse. The range of actions a virus can take is huge – connecting to a remote site, changing the desktop wallpaper, displaying silly notification messages, deleting data files…it really just depends on the virus author’s imagination and programming skills.
If you’re lucky, they’re not that good and you get failed viruses like Virus:W32/Stardust; if they’re good, then you get really nasty beasts like Virus:W32/Virut or Virus:W32/Sality.AA (one of the few viruses we still find regularly active).
Appending, prepending, cavity…who cares?
With thousands of unique viruses out in the wild, antivirus companies find it necessary to divide them into sub-types. Unlike trojans though, viruses don’t fall into neat categories reflecting their actions; instead, they naturally fall into groupings based on technical differences in the way they infect a file – which is basically gobbledeegook to a user not interested in detailed analysis.
Gnerally, viruses can be divided into two groups – system infectors and file infectors. The majority of viruses are the latter and infect programs or data files. System infectors on the other hand write their malicious code to specific, critical sections of the hard disk containing the operating system, so that while the OS is running its normal routines, it’s also unintentionally executing the virus code.
Fortunately, for most users a virus’s classification is largely academic. For better or for worse, the sheer variety of possible effects each unique virus can have on a file or system makes it more practical to take each virus on a case by case basis.
Back to what’s important – why should the user care?
So let’s go back to the original question that sparked off this series: do you really need to know if it’s a virus – as opposed to, say, a trojan or worm – infecting your computer?
Well, it helps to know because the two malware types tend affect your data and computer in different ways. As a (very) general rule, trojan infections is more about data theft and loss of control over the computer; virus infections tend to result in software disruptions or damage.
Trojans may copy and steal your data, but they don’t usually destroy the data file itself; they may stop programs from running but they don’t destroy the program. A virus on the other hand, insert its own code into a program or data file, and depending on how it does so, may either leave the host completely unharmed and functional, slightly disrupted, or completely non-functional.
Another difference between trojans and viruses that really affects the user involves disinfection. For one thing, a trojan is usually a single, discrete program – getting rid of it tends to be fairly simple, a matter of removing the malicious file and its residuals (registry keys, processes, icons, etc). Removing the trojan also generally doesn’t affect the integrity of other files on the computer.
Viruses are far more nebulous by design – they can be present in multiple files, in different locations. Identifying a virus-infected file may require scanning the entire computer to be sure every affected file is caught. Removing malicious code from an infected file or – if it can’t be saved, deleting the infected file entirely – can also be problematic if the damaged data is important or the program is a critical system component.
And this doesn’t even take into account the virus’s payload, which can produce a whole other set of worries.
If you’re still interested
Still, there is a ray of hope. If current malware trends persist, we may soon see adware or backdoors promoted to being the newest member of The Big Three, and viruses – as a distinct malware type – can finally be relegated to joining 3½” floppy disks in Computer Hell.
In the meantime, here’s some links to other, more in-depth resources on viruses:
- How to tell if a malfunctioning PC has a virus by TechRepublic
- Computer viruses: description, prevention, and recovery by Microsoft Support
- Trends in Viruses and Wormsby Thomas M. Chen (Cisco)
Or partially available on Google Books:
- “Elements of Computer Security” by David Salomon
- “Cybercrimes: A Multidisciplinary Analysis” by Sumit Ghosh
Coming soon – Worms!