Computer viruses are mysterious and grab our attention. On the one hand, viruses show us how vulnerable we are. A properly engineered virus can have an amazing effect on the worldwide Internet. On the other hand, they show how sophisticated and interconnected human beings have become.
For example, the things making big news right now are the MS Blaster worm and the So Big virus. The Melissa virus -- which became a global phenomenon in March 1999 -- was so powerful that it forced Microsoft and a number of other very large companies to completely turn off their e-mail systems until the virus could be contained. The I LOVE YOU virus in 2000 had a similarly devastating effect. That's pretty impressive when you consider that the Melissa and I LOVE YOU viruses are incredibly simple.
In this article, we will discuss viruses -- both "traditional" viruses and the newer e-mail viruses -- so that you can learn how they work and also understand how to protect yourself. Viruses in general are on the wane, but occasionally a person finds a new way to create one, and that's when they make the news.
Types of Infection
When you listen to the news, you hear about many different forms of electronic infection. The most common are:
• Viruses - A virus is a small piece of software that piggybacks on real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs, too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc.
• E-mail viruses - An e-mail virus moves around in e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book.
• Worms - A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well.
• Trojan horses - A Trojan horse is simply a computer program. The program claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk). Trojan horses have no way to replicate automatically.
What's a "Virus"?
Computer viruses are called viruses because they share some of the traits of biological viruses. A computer virus passes from computer to computer like a biological virus passes from person to person.
There are similarities at a deeper level, as well. A biological virus is not a living thing. A virus is a fragment of DNA inside a protective jacket. Unlike a cell, a virus has no way to do anything or to reproduce by itself -- it is not alive. Instead, a biological virus must inject its DNA into a cell. The viral DNA then uses the cell's existing machinery to reproduce itself. In some cases, the cell fills with new viral particles until it bursts, releasing the virus. In other cases, the new virus particles bud off the cell one at a time, and the cell remains alive.
A computer virus shares some of these traits. A computer virus must piggyback on top of some other program or document in order to get executed. Once it is running, it is then able to infect other programs or documents. Obviously, the analogy between computer and biological viruses stretches things a bit, but there are enough similarities that the name sticks.
What's a "Worm"?
A worm is a computer program that has the ability to copy itself from machine to machine. Worms normally move around and infect other machines through computer networks. Using a network, a worm can expand from a single copy incredibly quickly. For example, the Code Red worm replicated itself over 250,000 times in approximately nine hours on July 19, 2001.
A worm usually exploits some sort of security hole in a piece of software or the operating system. For example, the Slammer worm (which caused mayhem in January 2003) exploited a hole in Microsoft's SQL server. This article offers a fascinating look inside Slammer's tiny (376 byte) program.
Code Red
Worms use up computer time and network bandwidth when they are replicating, and they often have some sort of evil intent. A worm called Code Red made huge headlines in 2001. Experts predicted that this worm could clog the Internet so effectively that things would completely grind to a halt.
The Code Red worm slowed down Internet traffic when it began to replicate itself, but not nearly as badly as predicted. Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers that do not have the Microsoft security patch installed. Each time it found an unsecured server, the worm copied itself to that server. The new copy then scanned for other servers to infect. Depending on the number of unsecured servers, a worm could conceivably create hundreds of thousands of copies.
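The scanning behaviour described above (for worms in general in the "Types of Infection" list, and for Code Red here) has a signature a defender can look for: one source machine contacting many different destinations on the same port in a short time. The following is an added example, not code from the original article; the log format, the thresholds and the sample log lines are all constructed for the demo.

```python
"""Spot worm-style scanning in connection logs.

Added example; not from the original article. A worm copy probes many
different machines on one port looking for the hole it exploits, so a single
source contacting many distinct destinations on the same port inside a short
window is the signature to look for. Log format, thresholds and the sample
lines below are constructed for this demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed format: "<ISO time> <src> -> <dst>:<port>".
# 10.0.0.5 fans out to six different web servers in a few seconds (scanner);
# 10.0.0.9 hammers one server repeatedly (not a scan by this measure);
# 10.0.0.7 looks like ordinary browsing.
SAMPLE_LOG = """\
2001-07-19T10:00:01 10.0.0.5 -> 192.0.2.10:80
2001-07-19T10:00:02 10.0.0.5 -> 192.0.2.11:80
2001-07-19T10:00:02 10.0.0.7 -> 192.0.2.99:80
2001-07-19T10:00:03 10.0.0.5 -> 192.0.2.12:80
2001-07-19T10:00:04 10.0.0.9 -> 192.0.2.50:80
2001-07-19T10:00:04 10.0.0.5 -> 192.0.2.13:80
2001-07-19T10:00:05 10.0.0.9 -> 192.0.2.50:80
2001-07-19T10:00:06 10.0.0.5 -> 192.0.2.14:80
2001-07-19T10:00:07 10.0.0.9 -> 192.0.2.50:80
2001-07-19T10:00:08 10.0.0.5 -> 192.0.2.15:80
2001-07-19T10:00:09 10.0.0.9 -> 192.0.2.50:80
2001-07-19T10:00:20 10.0.0.7 -> 192.0.2.98:80
2001-07-19T10:00:21 10.0.0.9 -> 192.0.2.50:80
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(lines, min_targets=5, window=timedelta(seconds=60)):
    """Return {(src, port): peak distinct destinations} for every source that
    reached at least min_targets distinct destinations inside one window."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst, port = parse_line(line)
            events[(src, port)].append((ts, dst))

    scanners = {}
    for key, evs in events.items():
        evs.sort()
        for i, (end, _dst) in enumerate(evs):
            # Distinct destinations seen in the window ending at this event.
            targets = {d for t, d in evs[: i + 1] if t >= end - window}
            if len(targets) >= min_targets:
                scanners[key] = max(len(targets), scanners.get(key, 0))
    return scanners


if __name__ == "__main__":
    for (src, port), n in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} reached {n} distinct hosts on port {port} inside 60s: possible worm")
```

Counting distinct destinations rather than raw connections is what separates scanning from a busy but legitimate client: 10.0.0.9 opens more connections than anyone else in the sample, but all to one server, so it is not reported. On a real network the threshold has to be tuned against what normal hosts do, and a worm that probes slowly (below the threshold per window) will need a longer window to surface.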
The Code Red worm was designed to do three things:
• Replicate itself for the first 20 days of each month
• Replace Web pages on infected servers with a page that declares "Hacked by Chinese"
• Launch a concerted attack on the White House Web server in an attempt to overwhelm it
The most common version of Code Red is a variation, typically referred to as a mutated strain, of the original Ida Code Red that replicated itself on July 19, 2001. According to the National Infrastructure Protection Center:
The Ida Code Red Worm, which was first reported by eEye Digital Security, is taking advantage of known vulnerabilities in the Microsoft IIS Internet Server Application Program Interface (ISAPI) service. Un-patched systems are susceptible to a "buffer overflow" in the Idq.dll, which permits the attacker to run embedded code on the affected system. This memory resident worm, once active on a system, first attempts to spread itself by creating a sequence of random IP addresses to infect unprotected web servers. Each worm thread will then inspect the infected computer's time clock. The NIPC has determined that the trigger time for the DOS execution of the Ida Code Red Worm is at 0:00 hours, GMT on July 20, 2001. This is 8:00 PM, EST.
Upon successful infection, the worm would wait for the appointed hour and connect to the www.whitehouse.gov domain. This attack would consist of the infected systems simultaneously sending 100 connections to port 80 of www.whitehouse.gov (198.137.240.91).
The U.S. government changed the IP address of www.whitehouse.gov to circumvent that particular threat from the worm and issued a general warning about the worm, advising users of Windows NT or Windows 2000 Web servers to make sure they have installed the security patch.
How They Spread
Early viruses were pieces of code attached to a common program like a popular game or a popular word processor. A person might download an infected game from a bulletin board and run it. A virus like this is a small piece of code embedded in a larger, legitimate program. Any virus is designed to run first when the legitimate program gets executed. The virus loads itself into memory and looks around to see if it can find any other programs on the disk. If it can find one, it modifies it to add the virus's code to the unsuspecting program. Then the virus launches the "real program." The user really has no way to know that the virus ever ran. Unfortunately, the virus has now reproduced itself, so two programs are infected. The next time either of those programs gets executed, they infect other programs, and the cycle continues.
If one of the infected programs is given to another person on a floppy disk, or if it is uploaded to a bulletin board, then other programs get infected. This is how the virus spreads.
The spreading part is the infection phase of the virus. Viruses wouldn't be so violently despised if all they did was replicate themselves. Unfortunately, most viruses also have some sort of destructive attack phase where they do some damage. Some sort of trigger will activate the attack phase, and the virus will then "do something" -- anything from printing a silly message on the screen to erasing all of your data. The trigger might be a specific date, or the number of times the virus has been replicated, or something similar.
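A file-infecting virus of the kind described above has to change the program file it attaches to, and that change is detectable: take a cryptographic hash of every executable while the system is known to be clean, then compare later. The following is an added example, not code from the original article; the file names and contents it creates in a temporary directory are constructed for the demo.

```python
"""Detect executables that changed after a known-good baseline was taken.

Added example; not from the original article. A baseline maps each
executable to its SHA-256; a later pass shows which files were modified,
which appeared and which vanished. Paths and contents in demo() are
constructed.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large programs don't fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, suffixes=(".exe", ".com", ".dll")):
    """Map each executable under root (path relative to root) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Classify every path as modified, added or removed relative to baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Build a clean tree, take a baseline, then simulate what an infection
    leaves behind: one program grows by appended bytes, one new file appears."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("game.exe", b"MZ game code"), ("editor.com", b"editor code")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = hash_tree(root)
        # Constructed stand-in for a virus appending its code to game.exe.
        with open(os.path.join(root, "game.exe"), "ab") as f:
            f.write(b"appended bytes standing in for viral code")
        with open(os.path.join(root, "dropper.exe"), "wb") as f:
            f.write(b"new file")
        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the environment it runs in: a memory-resident virus (the "new trick" discussed in the next paragraph) can intercept file reads and hand the checker the original bytes, so the baseline and the comparison belong on a system booted from clean media, and the baseline file itself must be stored where the infected machine cannot rewrite it.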
As virus creators got more sophisticated, they learned new tricks. One important trick was the ability to load viruses into memory so they could keep running in the background as long as the computer remained on. This gave viruses a much more effective way to replicate themselves. Another trick was the ability to infect the boot sector on floppy disks and hard disks. The boot sector is a small program that is the first part of the operating system that the computer loads. The boot sector contains a tiny program that tells the computer how to load the rest of the operating system. By putting its code in the boot sector, a virus can guarantee it gets executed. It can load itself into memory immediately, and it is able to run whenever the computer is on. Boot sector viruses can infect the boot sector of any floppy disk inserted in the machine, and on college campuses where lots of people share machines they spread like wildfire.
In general, both executable and boot sector viruses are not very threatening any more. The first reason for the decline has been the huge size of today's programs. Nearly every program you buy today comes on a compact disc. Compact discs cannot be modified, and that makes viral infection of a CD impossible. The programs are so big that the only easy way to move them around is to buy the CD. People certainly can't carry applications around on a floppy disk like they did in the 1980s, when floppies full of programs were traded like baseball cards. Boot sector viruses have also declined because operating systems now protect the boot sector.
Both boot sector viruses and executable viruses are still possible, but they are a lot harder now and they don't spread nearly as quickly as they once could. Call it "shrinking habitat," if you want to use a biological analogy. The environment of floppy disks, small programs and weak operating systems made these viruses possible in the 1980s, but that environmental niche has been largely eliminated by huge executables on unchangeable CDs and better operating system safeguards.
E-mail Viruses
The latest thing in the world of computer viruses is the e-mail virus, and the Melissa virus in March 1999 was spectacular. Melissa spread in Microsoft Word documents sent via e-mail, and it worked like this:
Someone created the virus as a Word document uploaded to an Internet newsgroup. Anyone who downloaded the document and opened it would trigger the virus. The virus would then send the document (and therefore itself) in an e-mail message to the first 50 people in the person's address book. The e-mail message contained a friendly note that included the person's name, so the recipient would open the document thinking it was harmless. The virus would then create 50 new messages from the recipient's machine. As a result, the Melissa virus was the fastest-spreading virus ever seen! As mentioned earlier, it forced a number of large companies to shut down their e-mail systems.
The I LOVE YOU virus, which appeared on May 4, 2000, was even simpler. It contained a piece of code as an attachment. People who double-clicked on the attachment allowed the code to execute. The code sent copies of itself to everyone in the victim's address book and then started corrupting files on the victim's machine. This is as simple as a virus can get. It is really more of a Trojan horse distributed by e-mail than it is a virus.
The Melissa virus took advantage of the programming language built into Microsoft Word called VBA, or Visual Basic for Applications. It is a complete programming language and it can be programmed to do things like modify files and send e-mail messages. It also has a useful but dangerous auto-execute feature. A programmer can insert a program into a document that runs instantly whenever the document is opened. This is how the Melissa virus was programmed. Anyone who opened a document infected with Melissa would immediately activate the virus. It would send the 50 e-mails, and then infect a central file called NORMAL.DOT so that any file saved later would also contain the virus! It created a huge mess.
Microsoft applications have a feature called Macro Virus Protection built into them to prevent this sort of thing. With Macro Virus Protection turned on (the default option is ON), the auto-execute feature is disabled. So when a document tries to auto-execute viral code, a dialog pops up warning the user. Unfortunately, many people don't know what macros or macro viruses are, and when they see the dialog they ignore it, so the virus runs anyway. Many other people turn off the protection mechanism. So the Melissa virus spread despite the safeguards in place to prevent it.
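Macro Virus Protection works by refusing to run the auto-execute procedures, and a mail gateway or desktop scanner can apply the same idea to the macro source itself: look for the procedure names Word and Excel run on their own, and for calls that a document macro has little ordinary reason to make (automating the e-mail client, touching the global template NORMAL.DOT). The following is an added example, not code from the original article; it assumes the VBA source text has already been extracted from the document, and both sample modules are constructed.

```python
"""Flag VBA macros that would run by themselves when a document is opened.

Added example; not from the original article. It takes the source text of a
document's VBA modules (extraction from the .doc file is assumed to have
happened already) and reports two things: procedures whose names make Word
or Excel run them automatically, and calls a document macro has little
ordinary reason to make. The sample modules are constructed.
"""
import re

# Entry points the Office applications run without the user asking.
AUTO_EXEC = {"autoopen", "autoexec", "autoclose", "autonew",
             "document_open", "document_close", "workbook_open", "auto_open"}

# Capabilities worth a second look, as (pattern, label). Assumed list.
SUSPICIOUS = [
    (re.compile(r'CreateObject\s*\(\s*"Outlook\.Application"', re.I), "automates the e-mail client"),
    (re.compile(r'\bShell\s*\(', re.I), "starts an external program"),
    (re.compile(r'NormalTemplate|Normal\.dot', re.I), "touches the global template"),
    (re.compile(r'\bKill\s', re.I), "deletes files"),
]

# "Private Sub Document_Open()" / "Sub FormatTable()" / "Function X(...)"
PROC_RE = re.compile(r'^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)', re.I | re.M)


def scan_vba(source):
    """Return auto-execute procedures, suspicious capabilities and a verdict."""
    procs = [m.group(1) for m in PROC_RE.finditer(source)]
    auto = sorted(p for p in procs if p.lower() in AUTO_EXEC)
    findings = [label for pattern, label in SUSPICIOUS if pattern.search(source)]
    if auto and findings:
        verdict = "block"      # runs on open AND does something a document shouldn't
    elif auto or findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"auto_exec": auto, "findings": findings, "verdict": verdict}


# Constructed: the outline of a self-mailing macro with the mailing logic left
# out. Only the entry point and the two tell-tale references matter here.
SUSPECT_MODULE = '''\
Private Sub Document_Open()
    Dim app
    Set app = CreateObject("Outlook.Application")
    ' ... a message built from the address book would be sent here ...
    ' ... then the macro would copy itself into NormalTemplate ...
End Sub
'''

# Constructed: a harmless formatting macro the user runs by hand.
BENIGN_MODULE = '''\
Sub FormatTable()
    Selection.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, module in (("suspect", SUSPECT_MODULE), ("benign", BENIGN_MODULE)):
        print(name, scan_vba(module))
```

The scanner matches raw text, comments included, so it errs toward flagging; that is the right bias for a gateway that quarantines for human review rather than deletes. An auto-execute entry point on its own is only "review" because legitimate templates use them too; it is the combination of running on open and reaching outside the document that earns "block".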
In the case of the I LOVE YOU virus, the whole thing was human-powered. If a person double-clicked on the program that came as an attachment, then the program ran and did its thing. What fueled this virus was the human willingness to double-click on the executable.
An Ounce of Prevention
You can protect yourself against viruses with a few simple steps:
• If you are truly worried about traditional (as opposed to e-mail) viruses, you should be running a more secure operating system like UNIX. You never hear about viruses on these operating systems because the security features keep viruses (and unwanted human visitors) away from your hard disk.
• If you are using an unsecured operating system, then buying virus protection software is a nice safeguard.
• If you simply avoid programs from unknown sources (like the Internet), and instead stick with commercial software purchased on CDs, you eliminate almost all of the risk from traditional viruses. In addition, you should disable floppy disk booting -- most computers now allow you to do this, and that will eliminate the risk of a boot sector virus coming in from a floppy disk accidentally left in the drive.
• You should make sure that Macro Virus Protection is enabled in all Microsoft applications, and you should NEVER run macros in a document unless you know what they do. There is seldom a good reason to add macros to a document, so avoiding all macros is a great policy.
[Figure: Open the Options dialog from the Tools menu in Microsoft Word and make sure that Macro Virus Protection is enabled, as shown.]
• In the case of the I LOVE YOU e-mail virus, the only defense is personal discipline. You should never double-click on an executable that arrives as an e-mail attachment. Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF and .JPG), etc., are data files and they can do no damage (noting the macro virus problem in Word and Excel documents mentioned above). A file with an extension like EXE, COM or VBS is an executable, and an executable can do any sort of damage it wants. Once you run it, you have given it permission to do anything on your machine. The only defense is to never run executables that arrive via e-mail.
By following those simple steps, you can remain virus free.
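The last rule in the list (data files are safe, executables are not, macro-capable documents sit in between) is simple enough to enforce automatically at a mail gateway, and doing so also catches two tricks the rule alone misses: a decoy double extension such as "photo.jpg.vbs", where only the final extension decides what Windows runs, and padding spaces or dots that push the real extension out of sight. The following is an added example that goes slightly beyond the list above in that way; it is not code from the original article, and the extension sets are assumptions chosen for the demo.

```python
"""Sort e-mail attachments by what they can do if the recipient opens them.

Added example; not from the original article. Applies the rule that EXE, COM,
VBS and the like can do anything, DOC and XLS are data that may carry macros,
and images are plain data, then adds handling for decoy double extensions and
padded names. Extension sets are assumptions for the demo.
"""
EXECUTABLE = {"exe", "com", "bat", "cmd", "pif", "scr",
              "vbs", "vbe", "js", "jse", "wsf", "wsh"}
MACRO_CAPABLE = {"doc", "dot", "xls", "xlt", "ppt"}
DATA = {"txt", "gif", "jpg", "jpeg", "png", "pdf"}


def classify(filename):
    """Return (kind, decoy). kind is executable / macro-capable / data / unknown;
    decoy is True when an inner extension makes the file look like data."""
    name = filename.strip().rstrip(". ")          # "photo.jpg." -> "photo.jpg"
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""     # only the last extension counts
    decoy = len(parts) > 2 and parts[-2].strip() in (DATA | MACRO_CAPABLE)
    if ext in EXECUTABLE:
        kind = "executable"
    elif ext in MACRO_CAPABLE:
        kind = "macro-capable"
    elif ext in DATA:
        kind = "data"
    else:
        kind = "unknown"
    return kind, decoy


def policy(filename):
    """Mail-gateway decision for one attachment name."""
    kind, _decoy = classify(filename)
    return {"executable": "block",        # never run executables that arrive by e-mail
            "macro-capable": "warn",      # deliver, but macros must stay disabled
            "data": "deliver"}.get(kind, "hold")


if __name__ == "__main__":
    # Constructed file names covering each branch.
    for n in ("photo.jpg", "report.doc", "setup.exe", "photo.jpg.vbs", "readme.txt   .exe"):
        print(f"{n!r:24} -> {classify(n)} -> {policy(n)}")
```

The decoy flag matters because Windows hides the extension of known file types by default, so "photo.jpg.vbs" is shown to the user as "photo.jpg" and looks exactly like the harmless image the list above says is safe to open. A gateway that inspects the full name does not have that blind spot; matching on the declared extension is still only a first filter, since a file can be mislabelled, and content inspection belongs behind it.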
Origins
People create viruses. A person has to write the code, test it to make sure it spreads properly and then release the virus. A person also designs the virus's attack phase, whether it's a silly message or destruction of a hard disk. So why do people do it?
There are at least three reasons. The first is the same psychology that drives vandals and arsonists. Why would someone want to bust the window on someone else's car, or spray-paint signs on buildings or burn down a beautiful forest? For some people that seems to be a thrill. If that sort of person happens to know computer programming, then he or she may funnel energy into the creation of destructive viruses.
The second reason has to do with the thrill of watching things blow up. Many people have a fascination with things like explosions and car wrecks. When you were growing up, there was probably a kid in your neighborhood who learned how to make gunpowder and then built bigger and bigger bombs until he either got bored or did some serious damage to himself. Creating a virus that spreads quickly is a little like that -- it creates a bomb inside a computer, and the more computers that get infected the more "fun" the explosion.
The third reason probably involves bragging rights, or the thrill of doing it. Sort of like Mount Everest. The mountain is there, so someone is compelled to climb it. If you are a certain type of programmer and you see a security hole that could be exploited, you might simply be compelled to exploit the hole yourself before someone else beats you to it. "Sure, I could TELL someone about the hole. But wouldn't it be better to SHOW them the hole???" That sort of logic leads to many viruses.
Of course, most virus creators seem to miss the point that they cause real damage to real people with their creations. Destroying everything on a person's hard disk is real damage. Forcing the people inside a large company to waste thousands of hours cleaning up after a virus is real damage. Even a silly message is real damage because a person then has to waste time getting rid of it. For this reason, the legal system is getting much harsher in punishing the people who create viruses.
History
Traditional computer viruses were first widely seen in the late 1980s, and they came about because of several factors. The first factor was the spread of personal computers (PCs). Prior to the 1980s, home computers were nearly non-existent or they were toys. Real computers were rare, and they were locked away for use by "experts." During the 1980s, real computers started to spread to businesses and homes because of the popularity of the IBM PC (released in 1982) and the Apple Macintosh (released in 1984). By the late 1980s, PCs were widespread in businesses, homes and college campuses.
The second factor was the use of computer bulletin boards. People could dial up a bulletin board with a modem and download programs of all types. Games were extremely popular, and so were simple word processors, spreadsheets, etc. Bulletin boards led to the precursor of the virus known as the Trojan horse. A Trojan horse is a program that sounds really cool when you read about it. So you download it. When you run the program, however, it does something uncool like erasing your disk. So you think you are getting a neat game but it wipes out your system. Trojan horses only hit a small number of people because they are discovered quickly. Either the bulletin board owner would erase the file from the system or people would send out messages to warn one another.
The third factor that led to the creation of viruses was the floppy disk. In the 1980s, programs were small, and you could fit the operating system, a word processor (plus several other programs) and some documents onto a floppy disk or two. Many computers did not have hard disks, so you would turn on your machine and it would load the operating system and everything else off of the floppy disk.
Viruses took advantage of these three facts to create the first self-replicating programs.