Infected! Computer viruses and Trojan horses

Computer viruses are one of the biggest problems when using software. A virus is a program that attaches itself to another program and spreads when the user executes that program. Usually it also carries out some other task, for example formatting the hard disk on April 1st or displaying a message after the computer has been restarted 100 times. Trojan horses, by contrast, require active user intervention to reproduce themselves.

Viruses and Trojans can only spread within a single platform. To avoid detection, a virus must be as small as possible. By far the vast majority of viruses are aimed at MS-DOS and its successor Windows 95. The popularity of this operating system, and the large amount of software available for it, make DOS an excellent distribution platform. And because the platform has no security, a virus can reproduce itself without limitation. Platforms like Linux are much less vulnerable to viruses.

Reproduction

A virus consists of a few hundred bytes of instructions. An important part of these instructions is responsible for reproducing the virus. This is done by adding all the instructions of the virus to another program file. If that program is subsequently executed, the virus becomes active and can spread further. After this "infection" the actual program is executed, so that the user doesn't notice anything. Some viruses do not infect programs but diskettes or hard disks. In that case the virus copies itself to the boot sector of that disk. Reproduction then occurs when the user boots from this diskette or hard disk.

After infection the virus usually carries out some specific action. Usually this happens only on a specific date or when a particular criterion is met, because otherwise the virus would get noticed, or because the action would hamper its distribution. For example, if a virus formats the entire hard disk, it can no longer reproduce itself, so it is better for the virus to wait a while before formatting. Some older MS-DOS viruses used to "drop" letters from the screen to the bottom line. This is of course quite innocent, but it immediately alerts the user that he may have a virus.

Anti-virus

A virus must attach itself to other programs in order to reproduce. This means that these programs have to be modified. One way of detecting viruses is therefore to check all programs for modifications. Almost all virus detection programs operate in this fashion. Some generate a list with "checksums" of all the programs, and regularly check whether the checksums of the programs still match the values stored in the list. A checksum is a code which is unique to the file to which it belongs. It is computed by combining all the bytes in the file in a particular way, such that modifying even a single byte results in a different checksum.

The disadvantage of this method is that you must know for sure that the system is virus-free when generating the list. A checksum can only prove that a particular file has been modified, but if the file had been infected when computing the checksum, the checksum will not change later on. Another disadvantage is that most checksum computation algorithms are not very robust. It is often possible to modify the file without affecting the checksum.
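The two weaknesses above, as an added example that is not part of the original article: a baseline of checksums is recorded for constructed "program files", one file is then altered so that a toy additive checksum stays the same, and only the SHA-256 digest reveals the change. The file names and contents are made up for this illustration.

```python
import hashlib


def additive_checksum(data: bytes) -> int:
    """Toy 8-bit additive checksum (sum of all bytes mod 256).
    Stands in for the weak, non-cryptographic checksums the text criticises."""
    return sum(data) % 256


def sha256_hex(data: bytes) -> str:
    """Cryptographic digest: any change to the file changes the result."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict[str, bytes]) -> dict[str, dict[str, object]]:
    """Record both checksums for every file of a system believed to be clean.
    If a file is already infected at this point, the infection is baked into the baseline."""
    return {name: {"sum": additive_checksum(d), "sha256": sha256_hex(d)}
            for name, d in files.items()}


def check(files: dict[str, bytes], baseline: dict) -> dict[str, dict[str, bool]]:
    """Per file, report whether each checksum still matches the recorded baseline."""
    return {name: {"sum_changed": additive_checksum(d) != baseline[name]["sum"],
                   "sha256_changed": sha256_hex(d) != baseline[name]["sha256"]}
            for name, d in files.items()}


def tamper_preserving_sum(data: bytes) -> bytes:
    """Alter two bytes (+1 and -1, mod 256) so the additive checksum is unchanged.
    Shows why a weak checksum cannot be relied on to detect a deliberate modification."""
    b = bytearray(data)
    b[0] = (b[0] + 1) % 256
    b[1] = (b[1] - 1) % 256
    return bytes(b)


# Constructed sample "program files": plain byte strings, not real executables.
CLEAN = {
    "EDIT.COM": b"\xb4\x09\xba\x00\x01\xcd\x21\xc3 hello from editor",
    "FORMAT.COM": b"\xb8\x00\x4c\xcd\x21 format utility",
}

if __name__ == "__main__":
    baseline = build_baseline(CLEAN)
    later = dict(CLEAN)
    later["EDIT.COM"] = tamper_preserving_sum(CLEAN["EDIT.COM"])
    for name, result in check(later, baseline).items():
        print(name, result)
```

Running the block shows `EDIT.COM` reported as unchanged by the additive checksum but changed by SHA-256, while `FORMAT.COM` passes both checks.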

Another way of detecting viruses is checking whether their "signature" occurs somewhere in a file. A signature is a piece of the virus's code that is always the same. This could be, for instance, a piece of code which copies the virus to another program, or a piece of code that is capable of formatting a hard disk. If this piece of code is detected in a program, it is almost certain that the program has been infected with a particular virus. The biggest disadvantage of this method is that the signature of the virus must be known. This trick therefore only works against known viruses, not against new ones. In addition, there are viruses that modify themselves completely every time they copy themselves to other files. This means that you can't create a signature for such a virus.

A third trick is to check the instructions carried out by a particular program. If the end of the program contains a series of instructions that would copy portions of the program to another file, or that would format a hard disk, it is likely that the program has been infected by a virus. However, it could also be a hard disk formatting utility. This type of heuristic checking is not without its problems, but it works better against unknown viruses than checksums and signatures do.

Good antivirus programs offer a combination of all three methods. By using all three it is almost certain that a virus will be detected when it attempts to infect a system. Particular care is required, however, when installing the antivirus program. Generate checksums directly after installing the operating system, and check all downloaded files before installing them.

Safe source?

Many people believe that downloading a program from an official source is sufficient protection against viruses and other malicious code. Unfortunately this is not always the case. There are many examples of software distributors who offered their program for download while it was infected with a virus. Unfortunately, infected shareware CD-ROMs are also not uncommon. If you simply check everything before installing it, the chances of a virus infecting your system are much smaller.

Macro-viruses

Today there are many antivirus programs which constantly check the system and detect any changes to program files. Ordinary viruses therefore have great difficulty spreading today. The latest trend among virus writers thus focuses not on programs but on ordinary documents.

Modern word processors and spreadsheet programs have extensive macro facilities. Macros are instructions which can be carried out while editing a document, for example in a spreadsheet to carry out a calculation, or in a word processor to ease filling out a form. It is possible to write a macro that is carried out when the document is opened. This provides an excellent entry point for macro viruses. Every time the user opens the document, the macro virus is executed and copies itself to another document. If the virus attaches itself to a template, then all documents based on that template are infected automatically.

Today's macro viruses (April 1999) are usually innocent. They copy themselves to other files and sometimes put some text on the screen. One macro virus replaces the text "Microsoft" with "Micro$oft" in every document it finds. This type of modification can be disastrous for a company. For example, imagine that a macro virus in a spreadsheet caused every addition to come out consistently a few cents too high or too low.

Trojan horses

A Trojan horse is not a virus, but it is closely related. It does not copy itself, but needs the help of a human to spread. Usually it comes in the form of a handy utility program or a funny screen saver, or it poses as an upgrade to some system component. When the user executes the Trojan horse, it infects the system automatically by installing a copy of itself in a hidden location. The program Back Orifice is the most famous example of a Trojan horse. This program installs a backdoor, allowing complete remote control over the "trojaned" computer.

The advantage that Trojan horses have over viruses is that they can be much bigger. An upgrade of 1 MB is normal for most people, so a fake upgrade of 1 MB does not draw any attention. However, a virus that attaches 1 MB to every file it infects will draw a lot of attention.

Viruses as well as Trojan horses are a big problem for computer security. Viruses mainly render a system unusable; Trojan horses often let others control a particular system. They can both be fought in the same way: do not download software from an unknown source, always check downloaded code with a virus scanner, and do not install anything unless you are sure it is the official version of a legitimate program.

TIPS

  1. Download software only from the official source, and always check for viruses before installing the software.
  2. Never open documents which were sent to you by someone else. If possible, use a "viewer" instead of the full program, because viewers do not have macro facilities. If you open Word documents in e-mail directly in Word, you run a very high chance of getting infected by macro viruses. An alternative is to simply turn off macros altogether.
  3. Regularly check the entire system for viruses. The safest way to do this is to boot from a "clean" floppy disk, because this is the only way to check whether the operating system itself has been infected. Most antivirus programs offer this type of functionality.
  4. Regularly download the latest upgrade of the antivirus program you use. This way you are also protected against the latest viruses.
  5. Make sure that all important diskettes and tape backups are write-protected. When recovering from an infection it is essential to be able to install everything from a trusted and clean source. Backups made after the date of infection cannot be trusted and must not be used.