Viruses

Software Development

Viruses are programs that infect other programs. The virus modifies the host application so that it carries a copy of the virus code, and that copy runs covertly whenever the host is executed. Viruses are specific to an operating system and hardware platform, and they are often written to take advantage of the details and weaknesses of one particular system. A typical virus goes through four phases in its life-cycle: dormant (the virus is idle until some event wakes it), propagation (it copies itself into other programs or disk areas), triggering (an event such as a date or a count of infections activates it), and execution (the payload runs).

A virus has three components: the infection mechanism, which enables it to replicate; the trigger, the event or condition that decides when the payload runs; and the payload, the malicious activity the virus is designed to perform. The virus code can be prepended to the host program, appended to it, or embedded inside it. In the prepending case the infected program transfers control to the virus first; the virus replicates and checks its trigger, then jumps to the original program so the host appears to work normally. Infection makes the host grow, and a simple length check would reveal that, so a virus can also compress the original program so that the infected file is the same length as the clean one, decompressing the host at run time to make the infection harder to detect.
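To make the structure above concrete, here is a small simulation (added for this page, not the original author's code) of a prepending infector on an in-memory "file system": the infection marker that prevents double infection, one-victim-per-run propagation, the dormant/trigger distinction, and the handoff back to the host program. The file names, the marker text and the trigger date are assumptions of the example; nothing touches a real disk.

```python
"""Simulation of a prepending file infector and its life-cycle phases.
Everything here is constructed for the example: the 'file system' is a dict of
byte strings, 'running' a program means the simulator interprets it, and the
payload does nothing except write a log line. Nothing touches the real disk."""
from typing import Dict, List

# The prepended virus block. Its first line is the infection marker the virus
# checks for so it never infects the same program twice; a fixed-length block
# keeps host recovery trivial (host = file[len(VIRUS):]).
MARKER = b"#!infected-by-toy-virus\n"
VIRUS = MARKER + b"#!toy-virus-body\n"
TRIGGER_DATE = "2024-04-01"   # assumed trigger condition: payload runs only on this date


def is_infected(data: bytes) -> bool:
    return data.startswith(MARKER)


def infect(data: bytes) -> bytes:
    """Infection mechanism: prepend the virus unless the marker is already present."""
    return data if is_infected(data) else VIRUS + data


class Machine:
    """A host with a handful of 'executables' and a clock."""

    def __init__(self, files: Dict[str, bytes], today: str) -> None:
        self.files = dict(files)
        self.today = today
        self.log: List[str] = []

    def infected(self) -> List[str]:
        return sorted(n for n, d in self.files.items() if is_infected(d))

    def run(self, name: str) -> None:
        data = self.files[name]
        if is_infected(data):
            self._virus_code(name)        # the virus gets control first ...
            data = data[len(VIRUS):]      # ... then jumps to the original program
        self.log.append(f"{name}: {data.decode().strip()}")   # host behaves normally

    def _virus_code(self, host: str) -> None:
        # Propagation phase: find one program that does not yet carry the marker
        # and prepend a copy of the virus to it (one victim per run, as in the
        # classic textbook pseudocode).
        for other in sorted(self.files):
            if not is_infected(self.files[other]):
                self.files[other] = infect(self.files[other])
                self.log.append(f"virus in {host} infected {other}")
                break
        # Trigger check: until the trigger fires the virus is dormant apart from
        # spreading; on the trigger date it enters the execution phase.
        if self.today == TRIGGER_DATE:
            self.log.append(f"virus in {host} executed payload")


def simulate(today: str) -> Machine:
    """Constructed scenario: a.bin is already infected; b.bin and c.bin are clean.
    The user runs each program once."""
    files = {"a.bin": infect(b"program a"), "b.bin": b"program b", "c.bin": b"program c"}
    m = Machine(files, today)
    for name in ("a.bin", "b.bin", "c.bin"):
        m.run(name)
    return m


if __name__ == "__main__":
    for line in simulate("2024-03-05").log:   # not the trigger date: spreads silently
        print(line)
```

Running it on a non-trigger date shows the infection hopping from a.bin to b.bin to c.bin while every program still prints its normal output; only on the trigger date does each infected run also execute the payload.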

The following is a virus classification:

- Boot sector virus infects a boot record or the master boot record and propagates when the system is booted from an infected disk.

- File infector infects files that the operating system or shell treats as executable.

- Macro virus is code written in the macro (scripting) language of an application such as a word processor or spreadsheet and embedded in a document. The application treats it as legitimate macro code and interprets it when the document is opened, and the virus copies itself into other documents so that they become infected too. Macro viruses became common in the mid 90s. Because they run inside the application rather than directly on the operating system, they are platform independent; they infect documents rather than executables, and they spread very easily because documents are exchanged far more often than programs.

- Encrypted virus generates a random key on each infection and encrypts its own body with that key, storing the key alongside the encrypted code. When the infected program runs, a small decryption routine uses the stored key to decrypt the virus, which then executes, infects further, and re-encrypts itself under a fresh key. Because the key changes every time, the encrypted body has no constant bit pattern for a signature scanner to match; the decryption routine itself cannot be encrypted, however, so it is the part that signatures end up targeting.

- Stealth virus is explicitly designed to hide from anti-virus software, for example by intercepting the operating system's file read routines and returning the clean original contents when a scanner reads an infected file, or by compressing the host so the infected file's size matches the original. Stealth techniques conceal the entire virus, payload included, rather than just part of it.

- Polymorphic virus mutates with every infection while keeping the same functionality: a mutation engine typically encrypts the body under a new key and also rewrites the decryption routine (reordering instructions, inserting junk, substituting equivalent instructions), so that no constant byte sequence is left to match. This makes signature detection very hard.

- Metamorphic virus, like a polymorphic virus, changes at every infection, but instead of only varying an encryption layer it rewrites its entire code from one version to the next and may change its behaviour as well as its appearance. This makes it even harder to track down.

Virus countermeasures:
Prevention would be the ideal solution, but in practice it cannot be achieved completely, so the realistic approach is detection (determining that an infection has occurred and locating the virus), identification (determining which virus it is), and removal (stripping the virus from every infected program and restoring them, or discarding them and reinstalling clean copies). Anti-virus software has developed in generations that are still layered on top of each other today. First-generation scanners match known virus signatures (and check program lengths for unexplained growth). Second-generation scanners use heuristic rules to find probable infections, such as looking for code fragments commonly found in viruses or a decryption loop at a program's entry point, and integrity checks (checksums or cryptographic hashes of programs) that reveal modification. Third-generation products are memory-resident activity traps that identify a virus by the pattern of actions it performs rather than by its structure, which gives a more thorough detection. Fourth-generation products combine all of these techniques in one package.
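The following toy model (an added example, not code from the original post) ties the encrypted and polymorphic entries in the classification above to the detection generations just described. Its one-byte "instruction set", the sample virus body and signatures, the prologue and junk opcodes, and the benign header bytes are all constructed for the example; it shows which method catches which family, why a signature on a constant decryptor works against an encrypted virus but not a polymorphic one, and how a heuristic rule can fire on a clean file.

```python
"""Toy model of how one virus body looks to the anti-virus generations
described above. All byte strings are constructed for this example, the
decryptor 'instruction set' is a made-up one-byte-per-op encoding (not x86),
and no real malware is involved."""
import random
from typing import Dict, List, Optional

# Constructed virus body: the plaintext code every variant eventually runs.
BODY = b"PAYLOAD:replicate;trigger=date;harm=wipe"
BODY_SIG = b"trigger=date;harm=wipe"        # signature taken from the body

# Made-up decryptor ISA: <op> <key>, then "decrypt everything that follows".
XOR_OP, SUB_OP = 0xF0, 0xF1
PROLOGUE = bytes([0x50, 0x51])              # constant prologue of the encrypted virus
JUNK_OPS = [0x90, 0x91, 0x92]               # no-op encodings the mutation engine emits
NO_OPS = set(PROLOGUE) | set(JUNK_OPS)      # everything the emulator steps over
STUB_SIG = PROLOGUE + bytes([XOR_OP])       # signature taken from the constant decryptor


def encrypt(body: bytes, op: int, key: int) -> bytes:
    """Encrypt so that the stub's <op> <key> undoes it: XOR is its own inverse,
    and SUB in the stub undoes the ADD performed here."""
    if op == XOR_OP:
        return bytes(b ^ key for b in body)
    return bytes((b + key) & 0xFF for b in body)


def encrypted_variant(key: int) -> bytes:
    """Encrypted virus: fresh key per infection, but the decryptor bytes in
    front of the key are identical in every copy."""
    return PROLOGUE + bytes([XOR_OP, key]) + encrypt(BODY, XOR_OP, key)


def polymorphic_variant(key: int, rng: random.Random) -> bytes:
    """Polymorphic virus: the mutation engine also rewrites the decryptor with
    a random run of no-ops and a random choice between equivalent decrypt ops,
    so no fixed byte sequence precedes the key (it never emits PROLOGUE)."""
    junk = bytes(rng.choice(JUNK_OPS) for _ in range(rng.randint(1, 6)))
    op = rng.choice([XOR_OP, SUB_OP])
    return junk + bytes([op, key]) + encrypt(BODY, op, key)


# --- detection methods, one per anti-virus generation -----------------------
def sig_body(sample: bytes) -> bool:
    """1st generation: signature taken from the virus body."""
    return BODY_SIG in sample


def sig_stub(sample: bytes) -> bool:
    """1st generation: signature taken from the constant decryptor."""
    return STUB_SIG in sample


def heuristic_decrypt_loop(sample: bytes) -> bool:
    """2nd generation: heuristic rule 'decrypt op near the entry point'.
    Catches what signatures miss, but can also fire on benign code."""
    return any(b in (XOR_OP, SUB_OP) for b in sample[:8])


def emulate_stub(sample: bytes) -> Optional[bytes]:
    """3rd-generation style: 'execute' the decryptor in a sandbox (here, by
    interpreting the toy ISA) and return the recovered plaintext, or None if
    the sample does not start with a decryptor we model."""
    for i, b in enumerate(sample):
        if b in NO_OPS:
            continue
        if b in (XOR_OP, SUB_OP) and i + 1 < len(sample):
            key, rest = sample[i + 1], sample[i + 2:]
            if b == XOR_OP:
                return bytes(c ^ key for c in rest)
            return bytes((c - key) & 0xFF for c in rest)
        return None
    return None


def emulation_then_sig(sample: bytes) -> bool:
    """Emulate first, then run the body signature over what the stub produced."""
    decrypted = emulate_stub(sample)
    return sig_body(sample) or (decrypted is not None and sig_body(decrypted))


DETECTORS = {"body_sig": sig_body, "stub_sig": sig_stub,
             "heuristic": heuristic_decrypt_loop, "emulation": emulation_then_sig}


def detection_counts(samples: List[bytes]) -> Dict[str, int]:
    """How many of the given samples each method flags."""
    return {name: sum(det(s) for s in samples) for name, det in DETECTORS.items()}


def build_corpus(n: int = 20, seed: int = 7) -> Dict[str, List[bytes]]:
    """Constructed sample set: one plain copy, n encrypted and n polymorphic
    variants, and one benign file whose header happens to contain 0xF0."""
    rng = random.Random(seed)
    keys = [rng.randrange(1, 256) for _ in range(n)]
    return {
        "plain": [BODY],
        "encrypted": [encrypted_variant(k) for k in keys],
        "polymorphic": [polymorphic_variant(k, rng) for k in keys],
        "benign": [b"\x7fPRG\xf0\x00hello world, nothing to see here"],
    }


if __name__ == "__main__":
    for family, samples in build_corpus().items():
        print(f"{family:12s} n={len(samples):2d} {detection_counts(samples)}")
```

Running it prints one row per family. The encrypted family is caught by the decryptor signature because only the key changes between copies; the polymorphic family defeats both signatures and is caught only by the heuristic and by emulating the decryptor until the constant body appears; and the heuristic also flags the benign file, which is the false-positive cost of second-generation rules. Note that XOR or ADD with a single constant byte leaves the byte-frequency distribution of the body unchanged, so an entropy check would not have separated these samples; the rule about a decrypt op at the entry point is used instead.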


Forever Excitified