TID Article #04

Submitted by jpdugan on Fri, 05/15/2009 - 00:11

Viruses and Trojans

What is a Virus?

Well, according to the dictionary a virus is "a computer program usually hidden within another seemingly innocuous program that produces copies of itself and inserts them into other programs and that usually performs a malicious action (usually destroying data)". While this definition is correct, it is also very general and does not cover all sides of viruses. The anti-virus community usually breaks what the media calls viruses into several categories. These categories are: Virus:Hoax, Virus:Boot, Virus:W32, Trojans, and Worms. Later in the article I will describe each of these categories and how a virus category is determined. I will also describe how best to protect yourself from viruses.

History of viruses

The first computer viruses were written as defensive programs to protect government mainframes from external access. These small programs would "infect" a computer that did not contain certain hardware components (called dongles), causing the other computer to stop functioning. These programs were written by computer coders under the employ of the NSA (National Security Agency) and CIA (Central Intel. Agency). Remember that at this time there was no internet and you had to have access to a mainframe to use it for any purpose. These early viruses were effective, but very risky in a general security sense. As the first remote terminals came into general use this type of virus became obsolete (despite being obsolete, many security nuts, like myself, use updated forms of these viruses to defend our machines from intrusion).

Flash forward about 12 years to when the first true personal computers started to appear in homes and offices. The computers (early Apple I and IIa models) did not have a direct connection to a network or any kind of media other than a 5 1/4 floppy disk. This disk contained any program that you wanted to run. If you were lucky your computer had two disk drives that could be used simultaneously (one for the program, the other for data). Computer hackers (those who were specialists, not the kind the media portrays today), some of whom may have written the first "viruses", were soon writing programs that would play a "joke" on unsuspecting co-workers. The famous Cookie Monster program was one such joke. The way it worked was that once started it would randomly ask the user for a cookie. The user could type whatever he wanted and the program would reset. However, the interval between "begging" sessions would grow smaller after each question until every action resulted in a request for cookie (RFC-yum). The only way to exit the program was to type "COOKIE".

Placing one of these programs on an unsuspecting person's computer could be done in one of two ways. Either the prankster had to have access to the computer, or they placed the program on a machine that they did have access to and had it "infect" a diskette, which would then be carried to the person's machine and start Cookie Monster. This infection process is what all modern viruses are based on. Usually it involves placing a small program in the "boot sector" of your computer. These programs execute when your computer first turns on and begins to load the operating system. Now fast forward to the present day (sounds like a bad movie, doesn't it). Modern computer viruses use loopholes and features of the operating systems to replicate and cause their damage. Most modern computer viruses attack Micro$oft operating systems and programs.

Types of Viruses

Virus:Hoax

A virus that fits into this category is actually not a virus at all. Sometimes malicious people start rumors of a "new" virus by sending out a batch email to a large group of computer users (aol.com email addresses are a prime target because aol users tended not to have a "great" level of computer literacy). These emails often tell the recipient to "forward to all your friends and family" (this also occurs in chain letters). Most people would say that this does not fit the definition of a virus, but in sending the emails you decrease the bandwidth and storage space going to and from email servers, which does fall into the more detailed definition of a virus (the definition used by security and anti-virus programmers).

Virus:Boot

A virus that fits into this category inserts itself into your computer's MBR (Master Boot Record), the part of the hard drive that tells the computer where to go to load the operating system. When the computer starts to load, after its POST (Power On Self Test, where it checks RAM, etc.) is completed and before the OS loads, the computer will execute any commands found in the MBR. Although not common today, in the 1980-1995 time period it was the most common type of virus in existence. Modern computers protect their MBR by creating a CRC (Content Reference Check), which is a string of letters and numbers unique to a particular PC, of the MBR. Any change to the MBR CRC results in the computer alerting its user to the change and giving the user a choice to ignore it or accept it. This simple precaution has more or less wiped out the Boot Sector type of virus, although modern virus scanners still do check for them.
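The MBR check described above, as an added example that is not part of the original article: it fingerprints a 512-byte MBR image with a CRC, stores that value as a baseline, and alerts when the boot code has changed. The MBR images are constructed sample data; the layout assumed (446 bytes of boot code, a 64-byte partition table, the 0x55AA boot signature) is the standard one.

```python
import zlib
from typing import Tuple

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # boot code area before the partition table
PARTITION_TABLE_SIZE = 64     # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR


def mbr_fingerprint(mbr: bytes) -> str:
    """Return the CRC of an MBR image as a hex string: the 'string of letters and numbers'
    the article refers to. Rejects images that are the wrong size or lack the boot signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR image must be exactly {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[-2:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR image")
    return f"{zlib.crc32(mbr) & 0xFFFFFFFF:08x}"


def check_mbr(mbr: bytes, stored_crc: str) -> Tuple[bool, str]:
    """Compare the current MBR CRC against the stored baseline.
    Returns (unchanged, current_crc) so the caller can alert the user on a mismatch."""
    current = mbr_fingerprint(mbr)
    return current == stored_crc, current


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a toy MBR: boot code padded to 446 bytes, an empty partition table, the signature."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError(f"boot code area is {BOOT_CODE_SIZE} bytes")
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + bytes(PARTITION_TABLE_SIZE) + BOOT_SIGNATURE


# Constructed sample images: the same disk before and after its boot code was altered.
CLEAN_MBR = make_sample_mbr(b"\xEB\x3C\x90CLEANBOOT")
INFECTED_MBR = make_sample_mbr(b"\xEB\x3C\x90EVILBOOT!")
BASELINE = mbr_fingerprint(CLEAN_MBR)  # what the PC would record when the MBR was known-good

if __name__ == "__main__":
    unchanged, crc = check_mbr(INFECTED_MBR, BASELINE)
    if unchanged:
        print("MBR unchanged")
    else:
        print(f"WARNING: MBR CRC changed ({BASELINE} -> {crc}); accept or ignore?")
```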

Virus:Win32/16

A virus that fits into this category is any virus that uses a Micro$oft programming feature, hole, or bug to damage a computer's OS (Operating System) or data. Today this is the largest category of virus with over 1,997,258 different viruses recorded (number current as of Sat Apr 6 21:46:54 EST 2002). On average 16 new viruses or virus-clones are registered each day. Many of these viruses are created using VTKs (Virus ToolKits), collections of tools and source code that allow an inexperienced programmer to slightly alter a segment of code and create his/her own personalized copy of a virus for distribution. Since many script-kiddies use these VTKs to prove that they "know" how to "hack" a computer, computer system administrators and many home users must upgrade their anti-virus software on a daily basis.

Virus:Trojan

A Trojan is a small program that masquerades as another type to get you to allow it to run its instructions on your PC. Any good programmer can hide instructions in his code that only execute under certain circumstances. Many programs that are used on the internet today contain trojans. These programs, while not acknowledged as trojans by their authors, keep track of where you go, what you do, and how you do it, then send this information back to their authors. Now, before everybody panics about your loss of privacy, you should be aware that in those little License Agreements that you click through (EULAs), you agreed to let the authors do this monitoring. These programs can be identified by using a search engine and searching for "spyware". If you happen to have a firewall set up for your computer, you can block the transmission of this data by setting your firewall to refuse outgoing connections from these programs. Other things that trojans can do are set up your computer so that it is accessible from the outside by means, reset passwords to their default values so that the hacker can, once in front of the machine, easily breach your computer security, and other sneaky tricks along these lines.

Virus:Worm

A Worm is a smaller computer program that attacks and breaches your computer security on its own. Once inside it gives an external user access to your files / programs as if it were you. These types of viruses are typically only found in true multi-user systems (UNIX, BSD, Linux, new versions of Windows). They may or may not affect a single-user style system (Mac, Win9x, Dos) depending on whether or not the machine has multi-user access. Worms can only be detected by looking for files, passwords, and programs that you do not use or install yourself on a system. Worms also usually target a specific security flaw to gain user access to your system.

Protect Yourself

So how should you go about protecting yourself from all the nasty viruses on the internet and elsewhere? Well, the easiest thing to do is get a good antivirus program from McAfee or Norton and keep its virus definition file as up-to-date as possible. Get yourself a good firewall package and block all non-essential communications to and from your computer. Be aware of what your machine is doing, running, and reporting by reading its log files and watching what is being sent out and to whom. For more information on how to do this, see the links below.
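One way to do the "watch what is being sent out and to whom" step above, and to turn it into the per-program outgoing block list the Trojan section recommends, as an added example that is not part of the original article: it parses outbound-connection log lines, checks each program and port against an allow list, and reports everything else. The log format, the program names and the destination addresses are all constructed for this example, not those of any real firewall product.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample of a firewall's outbound-connection log (made-up format).
SAMPLE_LOG = """\
2009-05-15 00:11:02 OUT program=firefox.exe dest=192.0.2.10:443
2009-05-15 00:11:05 OUT program=updater.exe dest=198.51.100.7:80
2009-05-15 00:11:09 OUT program=freegame.exe dest=203.0.113.44:6667
2009-05-15 00:11:12 OUT program=firefox.exe dest=192.0.2.11:80
this line is not a connection record and must be skipped
2009-05-15 00:11:20 OUT program=freegame.exe dest=203.0.113.44:6667
2009-05-15 00:11:25 OUT program=firefox.exe dest=192.0.2.12:6667
"""

# Programs you know and the ports they legitimately need; everything else is "non-essential".
ALLOWED: Dict[str, Set[int]] = {"firefox.exe": {80, 443}, "updater.exe": {80}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) OUT program=(?P<prog>\S+) dest=(?P<host>[\d.]+):(?P<port>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into a record, or None if it is not an outbound-connection entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "prog": m["prog"], "host": m["host"], "port": int(m["port"])}


def find_unexpected(log_text: str, allowed: Dict[str, Set[int]]) -> Dict[str, Dict[str, int]]:
    """Map each program making non-allowed connections to {destination: count}.
    Unknown programs are flagged entirely; known programs only for ports not on their list."""
    flagged: Dict[str, Dict[str, int]] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] in allowed.get(rec["prog"], set()):
            continue
        dest = f'{rec["host"]}:{rec["port"]}'
        flagged.setdefault(rec["prog"], {})
        flagged[rec["prog"]][dest] = flagged[rec["prog"]].get(dest, 0) + 1
    return flagged


def block_list(flagged: Dict[str, Dict[str, int]], allowed: Dict[str, Set[int]]) -> List[str]:
    """Programs not on the allow list at all: candidates for an outgoing-connection block rule."""
    return sorted(prog for prog in flagged if prog not in allowed)


if __name__ == "__main__":
    report = find_unexpected(SAMPLE_LOG, ALLOWED)
    for prog, dests in report.items():
        for dest, n in dests.items():
            print(f"{prog}: {n} connection(s) to {dest} not on allow list")
    print("suggest blocking outgoing connections from:", block_list(report, ALLOWED))
```

Known programs talking on unexpected ports (firefox.exe to port 6667 here) are reported but not added to the block list, since the right fix is to investigate rather than cut off a program you rely on.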