Academy of Graduate Studies, Benghazi branch
Department of Computer Sciences
CS970 Seminar on Computer Virus, Fall 2010

Computer Virus
By Abdouljalil Barghathy
Supervisor: Dr. Omer Alsallabee
Department of Computer Sciences
Academy of Graduate Studies, Benghazi branch
mbarghathy@yahoo.com

1. Introduction:-
The purpose of this paper is to present the computer virus, a subject that remains ambiguous and
confusing to many computer specialists; I selected it as my seminar topic to illustrate the background,
mechanisms and classification of computer viruses.
First, a brief history is introduced, followed by a taxonomy of malware to emphasise that a virus is one
class of malware and that not every piece of malware is a virus (a common misconception). Second, a
detailed introduction to the computer virus is given (the definition from the father of the computer virus,
Fred Cohen; a comparison with the biological virus; the life cycle and its phases). Third, the mechanism
of a virus is explained (anatomy, functional elements and a simple virus). Finally, viruses are classified
according to the place of infection and the hiding techniques used.

2. Brief history:-
John von Neumann – the brilliant mathematician who helped bring us nuclear energy, game theory
and quantum theory’s operating mechanics – theorized about the existence of computer viruses as
early as 1944. In a series of lectures called “Theory of self-reproducing automata” von Neumann
contemplated the difference between computers and the human mind, and also about the possibility of
self-replicating computer code.
In 1984 Fred Cohen from the University of Southern California wrote his paper "Computer Viruses
- Theory and Experiments". It was the first paper to explicitly call a self-reproducing program a
"virus"; a term introduced by his mentor Leonard Adleman.
The first computer virus popularly known as the 'Brain virus' was created in 1986 by two Pakistani
brothers, Amjad and Basit Farooq Alvi. This virus, which spread via floppy disks, was known only to
infect boot records and not computer hard drives like most viruses today[1].

3. Malicious Software:-
The following are general terms for any computer program that is designed to harm its victim(s):

• Malicious code
• Malicious program
• Malware
• Rogue program

Figure 1 Classification of malware

A trap door is a secret entry point into a program that allows someone who is aware of the trap door to
gain access without going through the usual security access procedure.
A logic bomb is code embedded in some legitimate program that executes when certain predefined
events occur. Such code is surreptitiously inserted into an application or operating system and causes it to
perform some destructive or security-compromising activity whenever the specified conditions are met.
A Trojan horse is a useful, or apparently useful, program or command procedure containing hidden code
that, when invoked, performs some unwanted or harmful function.
A zombie is a program that secretly takes over another Internet-attached computer and then uses that
computer to launch attacks that are difficult to trace to the zombie’s creator.
A virus is a program that can "infect" other programs by modifying them; the modification includes a
copy of the virus program.
A worm is also self-replicating, but it is a stand-alone program that exploits security holes to compromise
other computers and spread copies of itself through the network[2].

There are three characteristics associated with malware:

1. Self-replicating malware actively attempts to propagate by creating new copies, or instances, of itself.
Malware may also be propagated passively, for example by a user copying it accidentally, but this is not
self-replication.
2. The population growth of malware describes the overall change in the number of malware instances
due to self-replication. Malware that does not self-replicate will always have a zero population growth,
but malware with a zero population growth may still self-replicate.
3. Parasitic malware requires some other executable code in order to exist. "Executable" in this context
should be taken very broadly to include anything that can be executed, such as boot block code on a disk,
binary code in applications, and interpreted code. It also includes source code, like application scripting
languages, and code that may require compilation before being executed[3].

Malicious code      Trap door   Logic bomb   Trojan horse   Virus      Worm       Zombie
Self-replicating    no          no           no             yes        yes        yes
Population growth   zero        zero         zero           positive   positive   positive
Parasitic           possibly    possibly     yes            yes        no         no
Table 1 Summary of the characteristics of malware

4. An introduction to computer virus

4.1 Definition of computer virus:-


A virus is a program that can "infect" other programs by modifying them; the modification includes a
copy of the virus program, which can then go on to infect other programs. Therefore the key
characteristic of a virus is the ability to self-replicate by modifying a normal program file to include a
copy of itself (Fred Cohen, the "father of the computer virus", November 1983)[4].

4.2 Biological vs. computer viruses:-


Biological viruses and computer viruses share many similar characteristics, as shown in Table 2:-

Biological virus                                    | Computer virus
Viruses require infected cells to spread them.      | Viruses require infected files to spread them.
They cannot auto-generate.                          | They cannot auto-generate.
Viruses attack/infect specific cell types.          | Viruses attack/infect specific file types.
Viruses modify the victim's genetic material in     | Viruses modify the victim's data in some way to
some way to make reproduction possible.             | make reproduction possible.
Viruses take all or most of the control of their    | Virus code is executed before passing control to
host cell.                                          | the host.
Most viruses will not infect cells already          | Most viruses will not infect files already
infected by their own strain.                       | infected by their own strain.
Symptoms may not appear, or may be delayed          | Symptoms may not appear, or may be delayed
from the time of initial infection.                 | from the time of initial infection.
Viruses often mutate, making detection and          | Viruses often contain mutating code, or other
disinfection difficult.                             | "safeguards", making detection and disinfection
                                                    | difficult.
Cells can be vaccinated against particular          | Files can be protected against particular
viruses.                                            | viruses.
Table 2 Comparison between biological and computer viruses[3]

4.3 Virus phases


Dormant phase: The virus is idle. It will eventually be activated by some event, such as a date, the
presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have
this stage.
Propagation phase: The virus places an identical copy of itself into other programs or into certain system
areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a
propagation phase.
Triggering phase: The virus is activated to perform the function for which it was intended. As with the
dormant phase, the triggering phase can be caused by a variety of system events, including a count of the
number of times that this copy of the virus has made copies of itself.
Execution phase: The function is performed. The function may be harmless, such as a message on the
screen, or damaging, such as the destruction of programs and data files.

4.4 Life cycle of viruses


Computer viruses have a life cycle that starts when they're created and ends when they're completely
eradicated as in figure 2. The following outline describes each stage:-
Creation
Until a few years ago, creating a virus required knowledge of a computer programming language. Today
anyone with even a little programming knowledge can create a virus. Usually, though, viruses are created
by misguided individuals who wish to cause widespread, random damage to computers.
Replication
Viruses replicate by nature. A well-designed virus will replicate for a long time before it activates, which
allows it plenty of time to spread.
Activation
Viruses that have damage routines will activate when certain conditions are met, for example, on a certain
date or when a particular action is taken by the user. Viruses without damage routines don't activate,
instead causing damage by stealing storage space.
Discovery
This phase doesn't always come after activation, but it usually does. When a virus is detected and isolated,
it is sent to the International Computer Security Association in Washington, D.C., to be documented and
distributed to antivirus developers. Discovery normally takes place at least a year before the virus might
have become a threat to the computing community.
Assimilation
At this point, antivirus developers modify their software so that it can detect the new virus. This can take
anywhere from one day to six months, depending on the developer and the virus type.
Eradication
If enough users install up-to-date virus protection software, any virus can be wiped out. So far no viruses
have disappeared completely, but some have long ceased to be a major threat[6].

Figure 2 Life cycle of viruses


4.5 Evolution of viruses
Over time, viruses incorporate new features to evade detection and removal. These features give rise to
new classes of virus; viruses can be classified into five generations according to the features added, from
the first virus to the present, as follows:-
First generation: Simple
The first generation of viruses were the simple viruses. These viruses did nothing very significant other
than replicate. Many new viruses being discovered today still fall into this category. Damage from these
simple viruses is usually caused by bugs or incompatibilities in software that were not anticipated by the
virus author.
First generation viruses do nothing to hide their presence on a system, so they can usually be found by
means as simple as noting an increase in size of files or the presence of a distinctive pattern in an infected
file.
Second generation: Self-recognition
The first generation has a weak point: repeated infection of the host, leading to depleted memory and
early detection. To prevent this unnecessary growth of infected files, second-generation viruses usually
implant a unique signature that signals that the file or system is infected. The virus will check for this
signature before attempting infection, and will place it when infection has taken place; if the signature is
present, the virus will not reinfect the host.
Third Generation: Stealth
The second generation's weak point is the signature itself, which enables antivirus programs to detect and
remove such viruses (the signature provides a method of detection). The third generation counteracts
antivirus scans by employing stealth techniques that subvert selected system service call interrupts while
the virus is active. Requests to perform these operations are intercepted by the virus code. If the operation
would expose the presence of the virus, the operation is redirected to return false information, so virus
scanners are unable to locate the virus on disk while the virus is active in memory.
Fourth Generation: Armored
As anti-virus researchers have developed tools to analyze new viruses and craft defenses, virus authors
have turned to methods to obfuscate the code of their viruses. This “armoring” includes adding confusing
and unnecessary code to make it more difficult to analyze the virus code. The defenses may also take the
form of directed attacks against anti-virus software, if present on the affected system. These viruses
appeared starting in 1990.
Viruses with these forms of defenses tend to be significantly larger than simpler viruses and thus more
easily noticed. Furthermore, the complexity required to significantly delay the efforts of trained anti-virus
experts appears to be far beyond anything that has yet appeared.
Fifth Generation: Polymorphic
The most recent class of viruses to appear on the scene are the polymorphic or self-mutating viruses.
These are viruses that infect their targets with a modified or encrypted version of themselves. By varying
the code sequences written to the file (but still functionally equivalent to the original), or by generating a
different, random encryption key, the virus in the altered file will not be identifiable through the use of
simple byte matching. To detect the presence of these viruses requires that a more complex algorithm be
employed that, in effect, reverses the masking to determine if the virus is present.
Several of these viruses have become quite wide-spread. Some virus authors have released virus
“toolkits” that can be incorporated into a complete virus to give it polymorphic capabilities. These toolkits
have been circulated on various bulletin boards around the world, and incorporated in several viruses[7].
5. Virus mechanism

5.1 Virus Anatomy


A virus has four structural parts:-
1. Mark: can prevent re-infection attempts.
2. Infection mechanism: how a virus spreads, by modifying other code to contain a (possibly altered)
copy of the virus. The exact means through which a virus spreads is referred to as its infection vector.
This does not have to be unique: a virus that infects in multiple ways is called multipartite.
3. Triggers: the means of deciding whether or not to deliver the payload.
4. Payload: what the virus does besides spreading. The payload may involve damage, either intentional or
accidental. Accidental damage may result from bugs in the virus, encountering an unknown type of
system, or perhaps unanticipated multiple viral infections[2].

Mark (optional)
Infection mechanism
Triggers (optional)
Payload (optional)

Figure 3 Anatomy of a virus

5.2 Simple virus :-


The following pseudo-program shows how a virus might be written in a pseudo-computer language. The
":=" symbol is used for definition, the ":" symbol labels a statement, the ";" separates statements, the "="
symbol is used for assignment or comparison, the "~" symbol stands for not, the "{" and "}" symbols
group sequences of statements together, and the "..." symbol is used to indicate that an irrelevant portion
of code has been left implicit.

```
program virus:=
{1234567;

subroutine infect-executable:=
    {loop:file = get-random-executable-file;
    if first-line-of-file = 1234567 then goto loop;
    prepend virus to file;
    }

subroutine do-damage:=
    {whatever damage is to be done}

subroutine trigger-pulled:=
    {return true if some condition holds}

main-program:=
    {infect-executable;
    if trigger-pulled then do-damage;
    goto next;}

next:}
```
This example virus (V) searches for an uninfected executable file (E) by looking for executable files
without the "1234567" in the beginning, and prepends V to E, turning it into an infected file (I). V then
checks to see if some triggering condition is true, and does damage. Finally, V executes the rest of the
program it was prepended to. When the user attempts to execute E, I is executed in its place; it infects
another file and then executes as if it were E. With the exception of a slight delay for infection, I appears
to be E until the triggering condition causes damage[4].
A common misconception of a virus relates it to programs that simply propagate through networks. The
worm program, 'core wars', and other similar programs have done this, but none of them actually involve
infection. The key property of a virus is its ability to infect other programs, thus reaching the transitive
closure of sharing between users. As an example, if V infected one of user A's executables (E), and user B
then ran E, V could spread to user B's files as well[4].
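As an added example (not part of the paper or of Cohen's pseudocode), the mark that V checks on the first line of each file is also a detection handle: the scanner below walks a directory tree and lists every file whose first line is the mark, which is the same self-recognition signature that section 4.5 notes makes second-generation viruses detectable. The mark value "1234567" comes from the pseudocode; the sample files and directory are constructed.

```python
import os
import tempfile

# The mark the pseudo-virus plants on the first line of every file it infects
# (taken from the pseudocode above).
INFECTION_MARK = b"1234567"


def first_line(path, limit=256):
    """Return the first line of a file as bytes, without the line terminator."""
    with open(path, "rb") as fh:
        head = fh.read(limit)
    return head.split(b"\n", 1)[0].rstrip(b"\r")


def find_marked_files(root, mark=INFECTION_MARK):
    """Walk `root` and return the sorted relative paths of every file whose
    first line is exactly `mark`, i.e. every file the virus already infected.
    A mark occurring later in the file is not a hit: the pseudo-virus only
    checks the first line, so only that position identifies an infection."""
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if first_line(path) == mark:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed directory with two 'infected' and two clean files."""
    root = tempfile.mkdtemp(prefix="markscan_")
    samples = {
        "bin/editor": b"1234567\n... original editor program ...\n",
        "bin/shell": b"#!/bin/sh\necho clean\n",
        "bin/sub/tool": b"1234567\r\n... prepended virus body ...\n",
        "notes.txt": b"the string 1234567 inside a later line is not a hit\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel in find_marked_files(build_sample_tree()):
        print("infected (mark on first line):", rel)
```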

5.3 The Functional Elements of a Virus:-

Figure 4 The Functional Elements of a Virus

Search, copy, and anti-detection routines are the only necessary components of a computer virus. Many
computer viruses have other routines added on top of the basic three to stop normal computer
operation, to cause destruction, or to play practical jokes. Such routines may give the virus character, but
they are not essential to its existence.
The search routine locates new files or new areas on disk which are worthwhile targets for infection.
This routine will determine how well the virus reproduces, e.g., whether it does so quickly or slowly,
whether it can infect multiple disks or a single disk, and whether it can infect every portion of a disk or
just certain specific areas. As with all programs, there is a size versus functionality tradeoff here. The
more sophisticated the search routine is, the more space it will take up. So although an efficient search
routine may help a virus to spread faster, it will make the virus bigger, and that is not always so good.
The copy routine will only be sophisticated enough to do its job without getting caught. The smaller it
is, the better. How small it can be will depend on how complex a virus it must copy. For example, a virus
which infects only COM files can get by with a much smaller copy routine than a virus which infects
EXE files. This is because the EXE file structure is much more complex, so the virus simply needs
to do more to attach itself to an EXE file.
Anti-detection routines can either be a part of the search or copy routines, or functionally separate from
them. For example, the search routine may be severely limited in scope to avoid detection[8].
A routine which checked every file on every disk drive, without limit, would take a long time and cause
enough unusual disk activity that an alert user might become suspicious.

5.4 Computer virus classifications


Viruses can be classified in a variety of ways, by the type of target the virus tries to infect, and the method
the virus uses to conceal itself from detection by users and anti-virus software.
5.4.1 Classification by Target
One way of classifying viruses is by what they try to infect: boot-sector infectors, executable file
infectors, and data file infectors.
5.4.1.1 Boot-Sector Infectors
Boot sector viruses infect the system area of the disk that is read when the disk is initially accessed or
booted. A virus infecting these areas typically takes the system instructions it finds and moves them
to some other area on the disk. The virus is then free to place its own code in the boot record. When the
system initializes, the virus loads into memory and simply points to the new location for the system
instructions. The system then boots in a normal fashion except the virus is now resident in memory. A
boot sector virus can replicate without your executing any programs from an infected disk. Simply
accessing the disk is sufficient.

Figure 5 Boot-Sector Infectors

5.4.1.2 File Infectors


Program viruses infect executable programs, such as EXE or COM, by attaching themselves to them. The
virus executes and infects other executables when its host file is executed. To infect an EXE file, a virus
has to modify the EXE Header and the Relocation Pointer Table, and add its own code to the Load
Module. This can be done in many ways.
Beginning of File
Older, very simple executable file formats like the .COM MS-DOS format would treat the entire file as a
combination of code and data. When executed, the entire file would be loaded into memory, and
execution would start by jumping to the beginning of the loaded file. In this case, a virus that places itself
at the start of the file gets control first when the infected file is run, as illustrated in Figure 6. This is
called a prepending virus. Inserting itself at the start of a file involves some copying, which isn't difficult,
but isn't the absolute easiest way to infect a file.
Figure 6 Beginning of File
End of File
In contrast, appending code onto the end of a file is extremely easy. A virus that places itself at the end of
a file is called an appending virus. How does the virus get control? There are two basic possibilities:
• The original instruction(s) in the code can be saved, and replaced by a jump to the viral code. Later, the
virus will transfer control back to the code it infected. The virus may try to run the original instructions
directly in their saved location, or the virus may restore the infected code back to its original state and run
it.
• Many executable file formats specify the start location in a file header. The virus can change this start
location to point to its own code, then jump to the original start location when done.

Figure 7 End of File
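As an added example (not from the paper), the check below is the defender's counterpart to the second bullet above: it parses the MZ header of a DOS .EXE and flags an entry point that sits in the last few percent of the load module or outside it, and a file that has grown past the size its header declares. The MZ field layout is the documented DOS format; the sample files, the 10% threshold and its use as a heuristic are assumptions.

```python
import struct

MZ_HEADER_FMT = "<13H"   # the thirteen 16-bit fields that follow the "MZ" magic


def analyze_mz(data, tail_percent=10):
    """Parse a DOS MZ header and report signs of an appended-code infection.

    Header fields (offsets from the MZ magic): bytes in last page (2),
    512-byte pages in file (4), header size in paragraphs (8), initial IP (0x14)
    and initial CS (0x16). DOS loads the load module that follows the header
    and starts execution at CS*16 + IP relative to its start, so an entry
    point sitting at the very end of the image, or outside it, is suspicious.
    Returns a dict with the parsed values and a list of findings (empty when
    nothing looks wrong). The percentage threshold is an assumption; packed
    or unusually linked programs can trip it too, so treat hits as leads."""
    if len(data) < 0x1C or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (cblp, cp, _crlc, cparhdr, _minalloc, _maxalloc, _ss, _sp, _csum,
     ip, cs, _lfarlc, _ovno) = struct.unpack_from(MZ_HEADER_FMT, data, 2)

    declared_size = cp * 512 - ((512 - cblp) if cblp else 0)
    header_len = cparhdr * 16
    load_len = max(declared_size - header_len, 0)
    entry = cs * 16 + ip            # offset of the entry point in the load module

    findings = []
    if entry >= load_len:
        findings.append("entry point outside declared load module")
    elif entry * 100 >= load_len * (100 - tail_percent):
        findings.append("entry point in last %d%% of load module" % tail_percent)
    if len(data) > declared_size:
        findings.append("%d bytes past declared image size" % (len(data) - declared_size))
    return {"entry_offset": entry, "load_module_len": load_len,
            "declared_size": declared_size, "findings": findings}


def build_mz(load_module, cs=0, ip=0, header_paragraphs=4):
    """Assemble a minimal MZ file around `load_module` with a consistent header."""
    header_len = header_paragraphs * 16
    pages, last = divmod(header_len + len(load_module), 512)
    if last:
        pages += 1
    fields = (last, pages, 0, header_paragraphs, 0, 0xFFFF, 0, 0, 0,
              ip, cs, 0x40, 0)
    header = (b"MZ" + struct.pack(MZ_HEADER_FMT, *fields)).ljust(header_len, b"\0")
    return header + load_module


def build_samples():
    """Three constructed files: a clean program, the same program with 200
    bytes appended and the header entry point redirected to them (an appending
    virus that updated the size fields), and a lazier variant that moved the
    entry point but left the old size fields in place."""
    original = b"\xb4\x4c\xcd\x21" + b"\0" * 2000     # mov ah,4Ch / int 21h, padding
    appended = b"\x90" * 200                          # stand-in for appended code
    entry = len(original)                             # 2004 = CS 125, IP 4
    return {
        "clean": build_mz(original),
        "appended": build_mz(original + appended, cs=entry // 16, ip=entry % 16),
        "appended_stale_header":
            build_mz(original, cs=entry // 16, ip=entry % 16) + appended,
    }


if __name__ == "__main__":
    for name, image in build_samples().items():
        result = analyze_mz(image)
        print(name, result["entry_offset"], result["findings"] or "no findings")
```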


Overwritten into File
An overwriting virus places itself atop part of the original code. This avoids an obvious change in file size
that would occur with a prepending or appending virus, and the virus' code can be placed in a location
where it will get control. Obviously, overwriting code blindly is almost certain to break the original
code and lead to rapid discovery of the virus.
The Zippy virus is an example of an overwriting virus. It is devoid of any extraneous code, and
only contains the functions needed to successfully propagate itself. The source code is simple
and well documented; a debug script plus instructions for creating the virus using DEBUG.COM
appears in the appendices[5].

```
COMMENT~===============================================================
=
= Zippy Overwriting Virus
=
= -----------------------
=
= Disassembly (c)1993 Karsten Johansson, PC Scavenger
========================================================================

.model tiny
.code
org 100h
zippy:
    mov ax,4Eh          ;Search for a file
    xor cx,cx           ; with NORMAL attributes
    lea dx,comfile      ; and has a .COM extension.
    int 21h
    mov ax,3D01h        ;Open file with write access
    mov dx,9Eh          ; using ASCIIZ filename from DTA
    int 21h
    xchg bx,ax
    mov ah,40h          ;Write the virus code
    mov dx,si           ; starting from the beginning
    mov cx,virend-zippy ; until all virus bytes are written
    int 21h
    ret                 ;Drop to DOS
comfile:
    db '*.COM',0        ;Used for victim search
virend:                 ;Simple marker to calculate length of
                        ; virus code
end zippy
```

The following diagram represents the overwriting reproductive method. Generally, all
overwriting viruses work via the same modus operandi.
Inserted into File
A virus can insert itself into the target code, moving the target code out of the way, and even interspersing
small pieces of virus code with target code. This is no easy feat: branch targets in the code have to be
changed, data locations must be updated, and linker relocation information needs modification.
Not in File
A companion virus is one which installs itself in such a way that it is naturally executed before the
original code. The virus never modifies the infected code, and gains control by taking advantage of the
process by which the operating system or shell searches for executable files.
Figure 8 Not in File
There are only three filename extensions that DOS will search for when an attempt is made to execute a
file: .BAT, .COM and .EXE. Whenever something is typed at the DOS command line, the command
interpreter (COMMAND.COM) assumes that it is a command. For example, type:
ATTRIB
at the command line and press Enter.
The command interpreter first checks whether it is an internal command, like DIR or CD. Since it is not,
all directories listed by the PATH command are searched for a file called ATTRIB.COM. None is found,
so the search begins again, this time for ATTRIB.EXE. Now it should find ATTRIB, since it is an .EXE
file, and execute it. If ATTRIB.EXE does not exist on the drive, DOS will search for ATTRIB.BAT
before giving up and generating an error message. Companion viruses exploit this process. To infect
ATTRIB.EXE, a companion virus creates a copy of itself in the same directory as the command itself,
stores the name of the file it is infecting, then names the copy of itself ATTRIB.COM[5].
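As an added example (not from the paper), the audit below turns the search order just described into a check: it resolves every .EXE and .BAT on a PATH the way the text says COMMAND.COM does and reports each one that a same-named .COM would run in place of. The directory layout and file names are constructed; the search order follows the text, and DOS case-insensitivity is approximated by using upper-case names.

```python
import os
import tempfile

# The order the text describes: every PATH directory is searched for .COM,
# then every directory for .EXE, then for .BAT. DOS names are case-insensitive;
# the constructed sample uses upper-case names so the demo also runs on Linux.
SEARCH_ORDER = (".COM", ".EXE", ".BAT")


def resolve_command(name, path_dirs):
    """Return the file DOS would run for `name`, or None if nothing matches."""
    for ext in SEARCH_ORDER:
        for directory in path_dirs:
            candidate = os.path.join(directory, name + ext)
            if os.path.isfile(candidate):
                return candidate
    return None


def find_companions(path_dirs):
    """Report every .EXE or .BAT on the path that a same-named .COM shadows.
    Returns (shadowed_program, file_that_actually_runs) pairs. A .COM that
    wins the search is not proof of a companion virus (FORMAT.COM is a real
    program), so the list is a review queue, not a verdict."""
    findings = []
    for directory in path_dirs:
        for entry in sorted(os.listdir(directory)):
            base, ext = os.path.splitext(entry)
            if ext.upper() not in (".EXE", ".BAT"):
                continue
            winner = resolve_command(base, path_dirs)
            if winner and winner.upper().endswith(".COM"):
                findings.append((os.path.join(directory, entry), winner))
    return findings


def build_sample_path():
    """Constructed PATH with two directories. ATTRIB.COM beside ATTRIB.EXE and
    XCOPY.COM in an earlier directory than XCOPY.EXE both play the companion;
    FORMAT.COM, EDIT.EXE and CLEAN.BAT are unpaired and should stay quiet."""
    root = tempfile.mkdtemp(prefix="companion_")
    layout = {
        "BIN1": ["ATTRIB.EXE", "ATTRIB.COM", "XCOPY.COM"],
        "BIN2": ["XCOPY.EXE", "FORMAT.COM", "EDIT.EXE", "CLEAN.BAT"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"constructed placeholder\n")
    return root, [os.path.join(root, "BIN1"), os.path.join(root, "BIN2")]


def demo():
    """Run the scan on the constructed PATH and return root-relative pairs."""
    root, path_dirs = build_sample_path()
    return [(os.path.relpath(a, root), os.path.relpath(b, root))
            for a, b in find_companions(path_dirs)]


if __name__ == "__main__":
    for shadowed, runs_instead in demo():
        print("%s is shadowed by %s" % (shadowed, runs_instead))
```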
5.4.1.3 Macro Viruses
Some applications allow data files, like word processor documents, to have "macros" embedded in them.
Macros are short snippets of code written in a language which is typically interpreted by the application, a
language which provides enough functionality to write a virus. Thus, macro viruses are better thought of
as data file infectors, but since their predominant form has been macros, the name has stuck.
When a macro-containing document is loaded by the application, the macros can be caused to run
automatically, which gives control to the macro virus. Some applications warn the user about the presence
of macros in a document, but these warnings may be easily ignored.
The operation of the Concept macro virus is shown in Figure 9. Word has a persistent, global set of
macros which apply to all edited documents, and this is Concept's target: once installed in the global
macros, it can infect all documents edited in the future. A document infected by Concept includes two
macros that have special properties in Word.
AutoOpen: Any code in the AutoOpen macro is run automatically when the file is opened. This is how an
infected document gains control.
FileSaveAs: The code in the FileSaveAs macro is run when its namesake menu item (File... Save As...) is
selected. In other words, this code can be used to infect any as-yet-uninfected document that is being
saved by the user[3].
Figure 9 Concept's operation of macro virus

5.4.2 Classification by Concealment Strategy


Another way of classifying viruses is by what techniques they use to hide themselves, both from users
and from anti-virus software.
5.4.2.1 No Concealment
Not hiding at all is one concealment strategy which is remarkably easy to implement in a computer virus.
And it's not very effective - once the presence of a virus is known, it's trivial to detect and analyze.
5.4.2.2 Encryption
An encrypted virus is one whose virus body (infection, trigger, and payload) is encrypted in some way to
make it harder to detect. When the virus body is in encrypted form, it is not runnable until decrypted, so
the virus first executes a decryptor loop, which decrypts the virus body and transfers control to it.
Figure 10 shows pseudocode for an encrypted virus. A decryptor loop can decrypt the virus body in
place, or to another location; this choice may be dictated by external constraints, like the writability of the
infected program's code[3].
```
Before decryption:                   After decryption:
for i in 0...length(body):           for i in 0...length(body):
    decrypt body[i]                      decrypt body[i]
goto decrypted_body                  goto decrypted_body
decrypted_body:                      decrypted_body:
    (encrypted body, not runnable)       infect()
                                         if trigger() is true:
                                             payload()
```

Figure 10 An encrypted virus


5.4.2.3 Stealth
Stealth viruses exploit various operating system functions to remain as invisible as possible.
Many of these techniques make it virtually impossible to find a virus if it is in memory.
Some examples of stealth techniques:-
• An infected file's original timestamp can be restored after infection, so that the file doesn't look
freshly-changed.
• The virus can store (or be capable of regenerating) all pre-infection information about a file, including
its timestamp, file size, and the file's contents. Then, system I/O calls can be intercepted, and the virus
would play back the original information in response to any I/O operations on the infected file,
making it appear uninfected. This technique is applicable to boot block I/O too[3].
5.4.2.4 Oligomorphic Viruses
As long as the decryptor code is long enough and unique enough, detecting an encrypted virus is a
simple task for the antivirus software. To challenge antivirus software, virus writers invented new
techniques to create mutated decryptors.
Oligomorphic viruses, unlike encrypted viruses, change their decryptors in new generations. One very
simple technique is to have several decryptors instead of one. The Whale virus was the first virus to use
this technique: it carried a few dozen different decryptors and picked one randomly[9].
5.4.2.5 Polymorphism
The term polymorphic comes from the Greek words “poly", which means many, and “morphe", which
means form. A polymorphic virus is a kind of virus that can take many forms. Polymorphic viruses can
mutate their decryptors into a very large number of different instances, taking millions of different forms.
They use a mutation engine to create a new decryption routine each time they infect a program. The new
decryption routine has exactly the same functionality, but the sequence of instructions can be
completely different.
The mutation engine also generates an encryption routine to encrypt the static code of the virus before it
infects a new file. Then the virus appends the new decryption routine together with the encrypted virus
body onto the targeted file. Since the virus body is encrypted and the decryption routine is different for
each infection, antivirus scanners cannot detect the virus by using search strings. Mutation engines are
very complex programs, usually far more sophisticated than their accompanying viruses. Some of the
more sophisticated mutation engines can generate several billion different decryption routines[9].

6. Conclusion

This paper has covered the concepts of the computer virus, its mechanism, and how a virus infects its
host. It is notable that writers of computer viruses use and develop many techniques to overcome
antivirus software, introducing complex and sophisticated techniques. These techniques may be used to
fight viruses or in beneficial programs. For example, the idea of file compression was first mentioned in a
virus by Fred Cohen in 1984, and disk encryption was first introduced in a virus by Mark Ludwig.
Finally, I can say that the computer virus is a good area for discovering or developing new techniques
that are useful for fighting viruses or can be applied in useful programs.
References:-
[1] http://en.wikipedia.org/wiki/Computer_virus. Last accessed January 2011.
[2] http://www.securitydocs.com/library/2742. Last accessed January 2011.
[3] J. Aycock, Computer Viruses and Malware, pages 16-18, 27-38, University of Calgary, Springer (2006).
[4] F. Cohen, Computer viruses: Theory and experiments, Computers & Security, 6(1):22-35, 1987.
[5] http://www.penetrationtest.com/computer_viruses/ComputerViruses-Evolution-KSAJ.pdf, pages 25-25, 140-147. Last accessed January 2011.
[6] http://media.wiley.com/product_data/excerpt/77/07821412/0782141277-2.pdf, pages 4-18. Last accessed January 2011.
[7] http://spaf.cerias.purdue.edu/tech-reps/985.pdf, pages 11-13. Last accessed January 2011.
[8] Mark A. Ludwig, The Little Black Book of Computer Viruses, pages 16-20, American Eagle Publications, electronic edition, 1996.
[9] E. Konstantinou, Metamorphic Virus: Analysis and Detection, thesis, pages 23-28, Department of Mathematics, Royal Holloway, University of London, 15 January 2008.