Viruses | Research & Encyclopedia Articles

Less than a generation ago, computer viruses were considered an urban myth. They were found more often in movies than on actual computer systems. Now, however, malicious software constitutes a material threat to businesses, government, and home computer users.

Currently, there are three categories of malicious software threats: viruses, worms, and Trojan horses. All of these threats are built from the same basic instructions and computer logic that make up application programs on one's computer such as word processors, games, or spreadsheets. Like traditional application programs, malicious software is written by peopleand must be intentionally designed and programmed to self-replicate or cause damage.

While almost all Trojan horses attempt to cause harm to the computer system, more than 70 percent of all computer viruses and worms are designed only to self-replicate. Those viruses, worms, and Trojan horses that do inflict intentional damage to computer systems are said to deliver a "payload." Common payloads include formatting a hard drive, deleting files, or gathering and sending passwords to an attacker. These threats typically have trigger criteria. They wait until the criteria are met before delivering the payload (for example, waiting until July 28 to reformat the hard drive).

The typical malicious software author is male between fourteen and twenty-five years of age (only a few female virus writers are known). These demographics are expected to change as organized crime, terrorist groups, and rogue organizations begin to target the Internet. In addition, many governments around the world are researching how to use malicious software for both offensive and defensive information warfare.

A virus is a computer program that is designed to replicate itself from file to file (or disk to disk) on a single computer. Viruses spread quickly to many files within a computer, but they do not spread between computers unless people exchange infected files over a network or share an infected floppy diskette.

By 1990, there were roughly 50 known computer viruses. During the late 1990s, the number of viruses skyrocketed more than 48,000! Despite the many thousand virus strains that exist, very few viruses have found their way out of research labs to end-user computers. Based on industry statistics, of the more than 48,000 known computer viruses, only 200 to 300 are in general circulation at any one time.

Viruses are classified by the type of file or disk that the virus infects:

• Boot viruses attach themselves to floppy diskettes and hard drives. When a user boots from an infected floppy diskette or hard drive, the virus is activated and the computer becomes infected. The virus spreads to other floppy diskettes as they are used on the system.
• Application viruses spread from one application to another on the computer. Each time an infected application program is run, the virus takes control and spreads to other applications.
• Macro viruses spread through documents, spreadsheets, and other data files that contain computer macros. A macro is a small, self-contained program that is embedded directly within a document or spreadsheet file. Typically, macros are used to automate simple computer tasks such as summing a set of numbers in a spreadsheet. Modern macros are powerful enough to copy themselves between documents or spreadsheets.
• Script viruses infect other script files on the computer. Script viruses, which are written in high-level script languages such as Perl or Visual Basic, gain control when a user runs an infected script file.

A typical computer virus works as follows: First, the user runs infected program A. Program A immediately executes its viral logic. The virus locates a new program, B, that it thinks it can infect. The virus checks to see if the program is already infected. If program B is already infected, the virus goes back to locate another program to infect. If it is not already infected, the virus appends a copy of its logic to the end of program B and changes program B such that it, too, will run the malicious logic. The virus then runs program A so the user does not suspect any malicious activities.

Viruses can be written in numerous computer programming languages including assembly language, scripting languages (such as Visual Basic or Perl), C, C, Java, and macro programming languages (such as Microsoft's VBA).

A worm is a computer program that exploits a computer network to copy itself from one computer to another. The worm infects as many machines as possible on the network, rather than spreading many copies of itself on a single computer, as a computer virus does. Usually, a worm infects (or causes its code to run on) a target system only once; after the initial infection, the worm attempts to spread to other machines on the network. Because computer worms do not rely on humans to copy them from computer to computer, they can spread much more rapidly than computer viruses.

The first computer worms were written at Xerox Palo Alto Research Center in 1982 to understand how self-replicating logic could be leveraged in a corporation. A bug, however, in the worm's logic caused computers on the Xerox network to crash. Xerox researchers had to build the world's first "antivirus" solution to remove the infections. In 1987 the "CHRISTMA EXEC" worm made millions of copies of itself in the IBM and BITNET e-mail systems. In 1988 the "Internet" worm spread itself to roughly 6,000 machines (10 percent of the Internet at the time).

More recently, worms such as Melissa, ExploreZip, and LoveLetter have captured the attention of the public and the media due to their vast ability to spread over the Internet. These worms, collectively, produced millions of copies of themselves, and caused millions—some say billions—of dollars of damage.

The typical computer worm works as follows: The user unknowingly runs a worm program. The worm accesses a "directory" source, such as an e-mail address list, to obtain a list of target computers on the network. The worm sends itself to each of the target computers. A user on a target computer receives a copy of the worm in e-mail, unknowingly runs the worm e-mail attachment, and starts the process over again.

Some worms, like the Internet worm of 1988, automatically connect to target computers and use a "back door" to install and run themselves on the target without human intervention. Like viruses, computer worms can be written in assembly language, scripting languages, macro languages, or in high level languages like C, C, or Java.

Trojan horses are software programs that are designed to appear like normal computer programs, yet, when run, can cause some type of harm to thehost computer. Most often, Trojan horses either steal information (such as passwords or files) from the computer or damage the contents of the computer (by deleting files). Because Trojan horses do not attempt to replicate themselves like viruses or worms, they are placed into their own class of computer threat. Like viruses and worms, Trojan horses can be written in virtually any computer language.

Virus and worm authors have invented a number of techniques to avoid detection by antivirus software. Three of the more interesting techniques are the polymorphic virus, the retrovirus, and the stealth virus.

The term "polymorphic" means many-formed. Polymorphic viruses (or worms) mutate themselves each time they spread to a new file or disk.This behavior eliminates any consistent digital fingerprint and makes virus detection much more difficult. These digital pathogens avoid detection in the same way that HIV (human immunodeficiency virus) and other viruses evade the human immune system.

Computer retroviruses actively seek out and disable antivirus programs. The retrovirus deletes components of the antivirus program as an offensive attack to prevent detection.

Finally, stealth viruses inject themselves into the computer operating system and actively monitor requests to access infected files. The virus automatically disinfects infected files before they are accessed by other software on the computer, then reinfects them at a later time. This technique enables the viruses to sneak past antivirus software because every time the antivirus program attempts to scan an infected file, the virus disinfects the file first.

While computer virus writing is not considered an illegal act in the United States, intentionally spreading malicious programs is a crime punishable by fine or imprisonment. Countries outside the United States are beginning to draft computer crime laws that are far stricter than those in the United States. For instance, Germany has laws restricting mass exchange of computer viruses for any reason and Finland has recently made writing a computer virus an illegal act.

Industry watchers expect a great deal of future legislation in this area as computer threats increasingly affect mainstream computer users.

Carey Nachenberg

Ethics; Hackers; Hacking; Programming; Security.

Atkins, Derek, et al. Internet Security, Professional Reference. Indianapolis, IN: New Riders Publishing, 1996.

Cohen, Frederick B. A Short Course on Computer Viruses, 2nd edition. New York: John Wiley & Sons, 1994.

This complete Viruses contains 1,484 words.