Computer Viruses
Done by Youssef Bahaa Al-Din Mahmoud
Grade 9 A
Under the supervision of Mr. Mohammed Salah Omar
Introduction
• A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly, but erroneously, used to refer to other types of malware, including but not limited to adware and spyware programs that do not have a reproductive ability. Malware includes computer viruses, computer worms, ransomware, Trojan horses, keyloggers, most rootkits, spyware, dishonest adware, malicious BHOs and other malicious software.
Introduction
• The majority of active malware threats are usually Trojans or worms rather than viruses. Malware such as Trojan horses and worms is sometimes confused with viruses, which are technically different: a worm can exploit security vulnerabilities to spread itself automatically to other computers through networks, while a Trojan horse is a program that appears harmless but hides malicious functions.
Introduction
• Worms and Trojan horses, like viruses, may harm a computer system's data or performance. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious or simply do nothing to call attention to themselves. Some viruses do nothing beyond reproducing themselves.
Types of viruses
• Non-resident viruses
Non-resident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.
Types of viruses
• Resident viruses
Resident viruses contain a replication module that is similar to the one that is employed by non-resident viruses. This module, however, is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation. The replication module can be called, for example, each time the operating system executes a file. In this case the virus infects every suitable program that is executed on the computer.
Vectors and hosts
Viruses have targeted various types of transmission media or hosts. This list is not exhaustive:
• Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, the Mach-O format in OS X, and ELF files in Linux)
• Volume Boot Records of floppy disks and hard disk partitions
• The master boot record (MBR) of a hard disk
• General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms)
Vectors and hosts
• System-specific autorun script files (such as the Autorun.inf file needed by Windows to automatically run software stored on USB memory storage devices)
• Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database files)
• Cross-site scripting vulnerabilities in web applications (see XSS Worm)
Vectors and hosts
• Arbitrary computer files. An exploitable buffer overflow, format string, race condition or other exploitable bug in a program which reads the file could be used to trigger the execution of code hidden within it. Most bugs of this type can be made more difficult to exploit in computer architectures with protection features such as an execute disable bit and/or address space layout randomization.
The vulnerability of operating systems to viruses
Just as genetic diversity in a population decreases the chance of a single disease wiping out a population, the diversity of software systems on a network similarly limits the destructive potential of viruses and malware. This became a particular concern in the 1990s, when Microsoft gained market dominance in desktop operating systems, web browsers, and office suites. Microsoft software is targeted by writers of viruses and malware due to Microsoft's desktop dominance. Although Windows is by far the most popular target operating system for virus writers, viruses also exist on other platforms. Any operating system that allows third-party programs to run can theoretically run viruses.
The vulnerability of operating systems to viruses
• As of 2006, there were at least 60 known security exploits targeting the base installation of Mac OS X (with a Unix-based file system and kernel). The number of viruses for the older Apple operating systems, known as Mac OS Classic, varies greatly from source to source, with Apple stating that there are only four known viruses, and independent sources stating there are as many as 63 viruses. Many Mac OS Classic viruses targeted the HyperCard authoring environment. The difference in virus vulnerability between Macs and Windows is a chief selling point, one that Apple uses in their "Get a Mac" advertising. In January 2009, Symantec announced the discovery of a Trojan that targets Macs. This discovery did not gain much coverage until April 2009.
Antivirus software and other preventive measures
• Many users install antivirus software that can detect and eliminate known viruses when the computer attempts to download or run the executable (which may be distributed as an email attachment, or on USB flash drives, for example). Some antivirus software blocks known malicious web sites that attempt to install malware. Antivirus software does not change the underlying capability of hosts to transmit viruses. Users must update their software regularly to patch security vulnerabilities ("holes"). Antivirus software also needs to be regularly updated in order to recognize the latest threats.
Antivirus software and other preventive measures
• Examples of Microsoft Windows anti-virus and anti-malware software include the optional Microsoft Security Essentials (for Windows XP, Vista and Windows 7) for real-time protection, the Windows Malicious Software Removal Tool (now included with Windows (Security) Updates on "Patch Tuesday", the second Tuesday of each month), and Windows Defender (an optional download in the case of Windows XP). Additionally, several capable antivirus software programs are available for free download from the Internet (usually restricted to non-commercial use).
How Antivirus software works
• There are two common methods that an antivirus software application uses to detect viruses, as described in the antivirus software article. The first, and by far the most common method of virus detection is using a list of virus signature definitions. This works by examining the content of the computer's memory (its RAM, and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives, or USB flash drives), and comparing those files against a database of known virus "signatures".
How Antivirus software works
• Different anti-virus programs use different "signatures" to identify viruses. The disadvantage of this detection method is that users are only protected from viruses that are detected by signatures in their most recent virus definition update, and not protected from new viruses (see "zero-day attack").
How Antivirus software works
• A second method to find viruses is to use a heuristic algorithm based on common virus behaviors. This method has the ability to detect new viruses for which anti-virus security firms have yet to define a "signature", but it also gives rise to more false positives than using signatures. False positives can be disruptive, especially in a commercial environment.
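As an added illustration of the two detection methods described above (example code, not part of the presentation), a toy Python scanner runs a hash-and-byte-pattern signature check and a weighted heuristic over constructed sample files. The sample bytes, signature names and heuristic rules are all invented placeholders; the new_strain sample shows the zero-day gap that only the heuristic closes, and the installer sample shows the false positive the heuristic method produces.

```python
import hashlib

# Constructed sample "files" standing in for a scanned drive (placeholder bytes, not real malware).
SAMPLES = {
    "known_bad.exe": b"MZ\x90\x00CONSTRUCTED-BODY-A",
    "variant.exe": b"MZ\x90\x00pad-CONSTRUCTED-PATTERN-X-tail",
    "new_strain.exe": b"MZ\x90\x00not yet catalogued: writes autorun.inf, appends MZ\x90\x00copy",
    "installer.exe": b"MZ\x90\x00legit setup: writes autorun.inf, drops MZ\x90\x00helper",
    "notes.txt": b"shopping list: milk, eggs",
}

# Signature database (constructed). A hash entry matches only the exact file it was taken from; a
# byte-pattern entry also catches variants keeping that sequence. Uncatalogued files pass both.
HASH_SIGNATURES = {hashlib.sha256(SAMPLES["known_bad.exe"]).hexdigest(): "Constructed.KnownBad.A"}
PATTERN_SIGNATURES = [(b"CONSTRUCTED-PATTERN-X", "Constructed.Variant.X")]

# Heuristic rules (hypothetical): indicators tied to vectors the deck lists, each with a weight.
HEURISTIC_RULES = [
    (b"autorun.inf", 2, "references an autorun script"),
    (b"MZ\x90\x00", 3, "carries a second executable header (possible appended copy)"),
]
HEURISTIC_THRESHOLD = 4

def scan_signatures(data: bytes):
    """Return the signature name if the content is in the database, else None."""
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, pattern_name in PATTERN_SIGNATURES:
        if pattern in data:
            return pattern_name
    return None

def scan_heuristics(data: bytes):
    """Score content against behaviour rules; returns (score, triggered reasons)."""
    body = data[4:] if data.startswith(b"MZ\x90\x00") else data  # skip the file's own header
    score, reasons = 0, []
    for pattern, weight, reason in HEURISTIC_RULES:
        if pattern in body:
            score += weight
            reasons.append(reason)
    return score, reasons

def scan_file(name: str, data: bytes) -> dict:
    """Combine both methods into one verdict and record which method fired."""
    sig = scan_signatures(data)
    score, reasons = scan_heuristics(data)
    return {"file": name, "signature": sig, "heuristic_score": score,
            "reasons": reasons, "flagged": sig is not None or score >= HEURISTIC_THRESHOLD}
```

Calling scan_file on each SAMPLES entry shows the two catalogued samples hit signatures, new_strain.exe is caught only by the heuristic, and installer.exe is flagged by that same heuristic although it is benign.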
Virus removal
• Many websites run by antivirus software companies provide free online virus scanning, with limited cleaning facilities (the purpose of the sites is to sell anti-virus products). Some websites—like Google subsidiary VirusTotal.com—allow users to upload one or more suspicious files to be scanned and checked by one or more antivirus programs in one operation. Microsoft offers an optional free antivirus utility called Microsoft Security Essentials, a Windows Malicious Software Removal Tool that is updated as part of the regular Windows update regime, and an older optional anti-malware (malware removal) tool, Windows Defender, that has been upgraded to an antivirus product in Windows 8.
Virus removal
• Some viruses disable System Restore and other important Windows tools such as Task Manager and Command Prompt. An example of a virus that does this is CiaDoor. Many such viruses can be removed by rebooting the computer, entering Windows safe mode with networking, and then using system tools or Microsoft Safety Scanner. System Restore on Windows Me, Windows XP, Windows Vista and Windows 7 can restore the registry and critical system files to a previous checkpoint. Often a virus will cause a system to hang, and a subsequent hard reboot will render a system restore point from the same day corrupt. Restore points from previous days should work provided the virus is not designed to corrupt the restore files and does not exist in previous restore points.
History
• Academic work
The first academic work on the theory of computer viruses (although the term "computer virus" was not used at that time) was done in 1949 by John von Neumann, who gave lectures at the University of Illinois about the "Theory and Organization of Complicated Automata". The work of von Neumann was later published as the "Theory of self-reproducing automata". In his essay von Neumann described how a computer program could be designed to reproduce itself.