What Viruses Are

Webster’s alternative definition of virus, the one that is relevant to computer security (online or off), is:


A computer program usually hidden within another seemingly innocuous program that produces copies of itself and inserts them into other programs and that usually performs a malicious action (as destroying data).


Let’s look at the key phrases in this definition:

Computer program. A virus is a type of computer program, just like a word processor, a Web browser, or an operating system. It does what it’s designed to do by running just like any other computer program. Because a virus usually is hidden, however, it almost never looks like a program. Would you run an application called Malicious Virus? As the definition says, a virus usually is embedded within another program, such as an application, a document (many documents are in fact programs that run in the environment of their application), or the OS itself.

Hidden. A virus almost always is hidden so that it can do its dirty work without your realizing it. Viruses can hide in many places, most commonly within an application or part of the OS, but also in documents (see “macro viruses” under “Types of viruses” later in this chapter) or even in places on disks that aren’t used for files at all, such as the boot blocks of a disk that you use to start your computer in the first place. Viruses also can hide in invisible files.

Produces copies of itself. Technically, a virus must be self-replicating, which is how it moves from one file and one computer to another. A virus makes copies of itself and inserts those copies where they will be run later. Trojan horses, described later in this chapter, are not always self-replicating but have come to be included with viruses because they meet all the other aspects of the definition.

Malicious. A virus does something bad, even if the bad thing is only using your computer to replicate. Usually, a virus does something worse, either intentionally or unintentionally. See “What Viruses Can Do” later in this chapter for details.

How they work

A virus works through stealth. Because it’s a computer program, a virus must be run before it can do anything. But unlike most other computer programs, a virus isn’t a program that you run on purpose. The virus has to be stealthy, embedding itself in programs that you do run.

A virus usually embeds itself in, or infects, applications. Some viruses infect specific applications; others infect all applications that they can find. Regardless, when the unaware user runs the infected application, the virus runs as well (or sometimes instead). Viruses also can infect the OS itself— a particularly effective way of making sure that they’re run, because the OS is always running. Newer viruses can infect certain types of documents, running when the document is opened by its application.

What can the virus do when it’s run? Anything its designer wants it to do within the environment in which it’s run. If a virus is run as part of the OS, it can do anything that the OS can do, which is essentially anything the computer can do. If it’s run from an application, it can do anything that an application can do (which, up through Mac OS 9, was anything the OS could do but is more limited in Mac OS X). If it’s run from a document, it’s limited to doing things that documents from that application can do. The fundamental thing that a true virus always does is make copies of itself, which is how it spreads. Then it inserts the copies of itself into other programs, so that it will run again when those programs are run. It also can copy itself to programs on other machines across the Internet or an internal network, in which case it is called a worm (see “Types of viruses” later in this chapter).

Beyond copying itself, what a virus does when run may be hidden. A virus hides most of its operations so that you won’t notice it and try to wipe it out. Some viruses do only hidden things, such as copy all your passwords as you type them and send them out over the network. The goal of such viruses is to remain hidden, never alerting you to their presence. Other viruses do things that are not hidden, such as display messages or delete files.
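The infection mechanism described above, a virus altering programs that are already on the disk so that its code runs whenever they do, is exactly what file-integrity checking is built to notice. The following Python is an added example, not code from the book: it records a baseline of SHA-256 digests for every file under a directory, then reports which files have changed, appeared or vanished. The directory tree, the placeholder "application" files and the appended "viral" bytes are all constructed in a temporary folder for the demonstration; no real program is touched.

```python
"""Detecting file-infector changes with a hash baseline.

Constructed example: a small fake "Applications" and "System" tree is created
in a temporary directory, a baseline of SHA-256 digests is recorded, one file
is then modified the way an appending file infector alters its host, and the
check reports which files no longer match the baseline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Digest a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare the tree as it is now with a previously recorded baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


def simulate_infection(host: Path, payload: bytes) -> None:
    """Append bytes to a host file, as an appending infector does.

    Constructed stand-in: a real infector also patches the host's entry point so
    the appended code runs first; here only the bytes on disk change, which is
    all an integrity check needs in order to notice.
    """
    with host.open("ab") as f:
        f.write(payload)


def demo() -> dict:
    """Build the fake tree, baseline it, 'infect' one file, drop one new file, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Applications").mkdir()
        (root / "System").mkdir()
        # Constructed placeholder contents; nothing here is a real program.
        (root / "Applications" / "TextEditor").write_bytes(b"fake text editor binary")
        (root / "Applications" / "Browser").write_bytes(b"fake browser binary")
        (root / "System" / "Finder").write_bytes(b"fake Finder binary")

        baseline = build_baseline(root)

        simulate_infection(root / "Applications" / "Browser", b"<<constructed viral code>>")
        (root / "Applications" / "Dropped").write_bytes(b"file that was not in the baseline")

        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The caveat follows from the chapter's own point: a virus running as part of the OS can do anything the OS can do, including rewriting the baseline, so the digest list has to be kept where the running system cannot alter it (read-only or removable media, or another machine). Integrity checking also reports only that a file changed, not why; a legitimate update trips it just the same, so the report has to be read against the changes you expected.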

Where they come from

Viruses, like other programs, are written by software developers. Most software developers write programs because they can make money by selling them to users or because they think the programs will be useful. The motivation of virus writers is quite different. Many virus writers create viruses for the thrill of being able to affect many computers at a distance. Also, writing viruses is a “cool” thing for a certain subset of people to do. Others write viruses to use your machine for things they want to hide, or need many machines to do, like sending spam. Virus writing has become so popular that virus-writing kits are available, making it easy for just about any software developer to create a virus. Just as script kiddies use pre-made scripts to launch attacks over the Internet, beginning virus writers use virus kits to create their first viruses.

After virus writers create a virus, they need to unleash it on the world. Viruses usually are buried in legitimate (as Webster says, seemingly innocuous) applications that are distributed in the same ways as other applications. Adding insult to injury, you often pay for applications that contain viruses.

Before the Internet became popular, most viruses were distributed through applications on floppy disks. Viruses are one of the many aspects of online security that apply in the offline world as well.


Even if you never connected your computer to the Internet, you would have to worry about viruses, because they could be transmitted to your machine through any application that you install. If you use the Internet, you should worry even more.


The Internet has made viruses a much bigger threat than before. Floppies had to be delivered physically, so a virus might take days or weeks to spread from one machine to another. The Internet, on the other hand, provides many mechanisms for the immediate delivery and spread of viruses:

·     You can purchase an application containing a virus and immediately download, install, and run that application.

·     You can download and try out an “evaluation” version of an application that contains a virus.

·     You can download a virus in an e-mail attachment.

·     You can download a virus through any application that copies files from the Internet to your computer (such as those listed in Chapter 5).

The popularity of the Internet has made virus writing much more desirable in certain hacking circles, because viruses can do much more damage much faster, and because they can be used for other nefarious purposes like phishing and sending spam. Before the Internet, significantly fewer computers were being used, and those machines were much less accessible. Now machines number in the hundreds of millions, and they can be reached almost instantly. Gratification can be immediate; the virus writer doesn’t have to wait weeks for results anymore.

Although they originated in the offline world, viruses have evolved into the single biggest security threat in the online world. For that reason, understanding and protecting yourself against viruses is critical to your online safety.

Types of viruses

Viruses come in several types. You need to understand the different types and how they work so that you can take precautions against each type.

Traditional viruses. Traditional viruses infect a piece of software on your computer that is run directly. Usually, that software is an application that you will run as part of your day-to-day activities, but it could also be a piece of operating-system software that is run by the OS itself. On the Mac OS, for example, a virus could infect an application you’ve set up to run at boot or login time. It could also infect a system file, the Finder, or other pieces of software that need to run for the Mac OS to do its job.

Macro and script viruses. A macro virus infects a document, as opposed to an application. A macro is a set of instructions in a document that execute together within the scope of the document’s application. Macros usually automate a complex or commonly performed task and can sometimes do anything you can do manually within an application. A word processing document, for example, might include a macro that changes the font, size, and style of a word at the same time. A spreadsheet might have a macro that duplicates a column of numbers and makes the copies red. Many macros are set to execute automatically when the document that contains them is opened, which guarantees that the macro runs every time the document is opened.

Although a macro virus can execute only instructions that its application allows (as opposed to instructions that the OS allows), many applications have powerful macro capabilities, such as the capability to change and delete documents and to send e-mail. Some of these viruses can move across platforms, because many applications have the same document and macro format on more than one platform (in particular, on Windows and the Macintosh). Macros are powerful but risky from a security perspective.

A script virus is essentially the same as a macro virus, being just a complex macro written in a scripting language. Some scripting languages, such as HyperTalk, the language of Apple’s old HyperCard, execute within an application. Other scripting languages, such as AppleScript, or VBScript (Visual Basic Scripting Edition) in the Windows world, can execute as applications themselves. Macro and script viruses can be easier to write than traditional viruses, because macros and scripts are intended more for users of applications than for programmers. When HyperCard first came out, so did many HyperCard viruses; a side effect of HyperTalk’s ease of use was that HyperCard viruses were easy to write. VBScript has had a much worse effect on the Windows world in this regard: as many as half of all Windows viruses reportedly have been written in VBScript. Macro viruses have been growing steadily in popularity, and one source estimates that almost half of all viruses are macro viruses.
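A practical check that follows from the macro and script discussion above is to find out whether a document carries macros at all before anyone opens it. The Python below is an added example, not the book’s code, and it goes beyond the chapter’s era: it works on the zip-based Office Open XML container (.docx, .docm and their Excel and PowerPoint relatives) that Word, Excel and PowerPoint adopted in Office 2007 on both Windows and the Mac. In that format a VBA project is stored as a vbaProject.bin part and the package’s [Content_Types].xml declares a macro-enabled main part. Both sample documents are assembled in memory as constructed stand-ins, and the minimal content-types XML is an assumption sufficient for this check, not a complete package.

```python
"""Flagging documents that carry macros before they are opened.

Constructed example built around the zip-based Office Open XML container
(.docx/.docm and relatives). A VBA project lives in a vbaProject.bin part and
the package's [Content_Types].xml declares a macro-enabled main part. Two
documents are assembled in memory as stand-ins; the content-types XML is the
minimum needed for this check, not a complete package.
"""
import io
import zipfile

MACRO_STREAM = "vbaProject.bin"  # under word/, xl/ or ppt/ depending on the application
PLAIN_WORD_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
MACRO_WORD_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def content_types_xml(main_type: str) -> str:
    """Minimal [Content_Types].xml naming the main document part's type (constructed)."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
            '</Types>')


def build_document(with_macros: bool) -> bytes:
    """Assemble a stand-in Word package in memory, optionally carrying a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   content_types_xml(MACRO_WORD_TYPE if with_macros else PLAIN_WORD_TYPE))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Constructed placeholder; a real part is a compiled VBA project in OLE format.
            z.writestr("word/" + MACRO_STREAM, b"constructed VBA project bytes")
    return buf.getvalue()


def scan_document(filename: str, data: bytes) -> dict:
    """Report whether an OOXML document carries macros and why we think so."""
    findings = []
    try:
        container = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"filename": filename, "has_macros": False,
                "findings": ["not an OOXML zip container (older binary .doc/.xls not handled here)"]}
    with container:
        names = container.namelist()
        macro_parts = [n for n in names if n.rsplit("/", 1)[-1] == MACRO_STREAM]
        try:
            content_types = container.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            content_types = ""
    if macro_parts:
        findings.append("VBA project part present: " + ", ".join(macro_parts))
    declared_macro_enabled = "macroEnabled" in content_types
    if declared_macro_enabled:
        findings.append("content types declare a macro-enabled document")
    has_macros = bool(macro_parts) or declared_macro_enabled
    if has_macros and not filename.lower().endswith(MACRO_EXTENSIONS):
        findings.append("macros present but the file extension does not say so")
    return {"filename": filename, "has_macros": has_macros, "findings": findings}


if __name__ == "__main__":
    for name, doc in [("minutes.docx", build_document(False)),
                      ("invoice.docm", build_document(True)),
                      ("invoice.docx", build_document(True))]:
        print(scan_document(name, doc))
```

Presence is not guilt: many legitimate documents contain macros, so what this check supports is a policy (strip, quarantine or warn on macro-bearing documents from untrusted senders), not a verdict on the document. Note also what it does not cover: the older binary .doc and .xls formats keep macros in OLE streams rather than in a zip, so those need a separate parser (the oletools project’s olevba handles both formats).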

Worms. A worm is a special type of virus that spreads from computer to computer, not just from file to file within a computer. When worms are run, they look for other computers to jump to, not other files on the same computer. They must use the Internet or a local network for this purpose. Worms most commonly find another machine by e-mailing themselves as attachments. How do they know where to e-mail themselves? Simple—they go through the address book of your e-mail program and e-mail themselves to every address in that list. Because the e-mail appears to come from you, the recipient is more likely to be tricked into opening the attachment (and activating the worm) than if it came from an unknown sender. Worms can spread very quickly in this way.

Worms can also spread by exploiting vulnerabilities in the underlying OS or commonly running programs. If a certain vulnerability allows an attacker to take over the machine, a worm written to exploit that vulnerability can take over the machine, install itself, and then look for other machines with the same vulnerability to attack and take over (all without any user interaction).
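The address-book propagation just described has a signature that is visible at the mail gateway even when the recipient cannot tell the message from a genuine one: a single sender delivering one identical attachment to many distinct recipients in a burst. The Python below is an added example, not the book’s; the log line format, the addresses and the digests are all constructed for the demonstration (no real gateway writes lines like these), and the threshold of five recipients within ten minutes is an assumption to tune per site.

```python
"""Spotting a mass-mailing worm in mail-gateway logs.

Constructed example: the log lines, addresses and digests below are made up
for this demonstration and the line format is an assumption, not any real
gateway's. A worm that mails itself to every address-book entry appears as
one sender pushing an identical attachment to many distinct recipients in a
short burst; a person sending one photo to a few friends does not.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) "
    r"attachment=(?P<name>\S+) sha256=(?P<digest>[0-9a-f]+)$"
)

# Constructed sample: carol shares a photo at a human pace; dave's machine blasts
# one identical attachment, under two different names, to seven addresses in two minutes.
SAMPLE_LOG = """\
2004-01-26T09:02:10 from=carol@example.com to=al@example.net attachment=beach.jpg sha256=1a1a
2004-01-26T09:40:33 from=carol@example.com to=bo@example.org attachment=beach.jpg sha256=1a1a
2004-01-26T11:15:02 from=carol@example.com to=cy@example.net attachment=beach.jpg sha256=1a1a
2004-01-26T14:03:11 from=dave@example.com to=al@example.net attachment=document.zip sha256=9f9f
2004-01-26T14:03:12 from=dave@example.com to=bo@example.org attachment=document.zip sha256=9f9f
2004-01-26T14:03:12 from=dave@example.com to=cy@example.net attachment=readme.zip sha256=9f9f
2004-01-26T14:03:13 from=dave@example.com to=di@example.org attachment=readme.zip sha256=9f9f
2004-01-26T14:03:13 from=dave@example.com to=al@example.net attachment=readme.zip sha256=9f9f
2004-01-26T14:04:01 from=dave@example.com to=ed@example.com attachment=document.zip sha256=9f9f
2004-01-26T14:04:40 from=dave@example.com to=fay@example.net attachment=document.zip sha256=9f9f
2004-01-26T14:05:02 from=dave@example.com to=gus@example.org attachment=document.zip sha256=9f9f
this line is malformed and is skipped
"""


def parse(lines):
    """Turn raw log lines into dicts, skipping anything that does not match the format."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def find_mass_mailers(lines, window=timedelta(minutes=10), min_recipients=5):
    """Return (sender, digest, distinct_recipients) for every sender that delivered the
    same attachment (keyed by digest, not filename) to at least min_recipients distinct
    recipients within any span of `window`. Both thresholds are assumptions to tune per site."""
    by_key = defaultdict(list)
    for e in parse(lines):
        by_key[(e["sender"], e["digest"])].append((e["ts"], e["rcpt"]))

    alerts = []
    for (sender, digest), sends in by_key.items():
        sends.sort()
        peak, start = 0, 0
        # Sliding window: count distinct recipients among sends no older than `window`.
        for end in range(len(sends)):
            while sends[end][0] - sends[start][0] > window:
                start += 1
            peak = max(peak, len({rcpt for _, rcpt in sends[start:end + 1]}))
        if peak >= min_recipients:
            alerts.append((sender, digest, peak))
    return sorted(alerts)


if __name__ == "__main__":
    for sender, digest, count in find_mass_mailers(SAMPLE_LOG.splitlines()):
        print(f"ALERT {sender} sent attachment {digest} to {count} recipients within 10 minutes")
```

Keying on the attachment digest rather than the filename matters because mass-mailers often vary the subject and the attachment name while the payload stays identical; a worm that re-packs itself per message defeats this and needs a different feature, such as attachment size or the structure of the executable inside. The same logic is most effective on outbound mail from the infected machine’s own network, where the burst is concentrated and the forged sender address is easiest to tie to a host.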

Trojan horses. A Trojan horse (or just Trojan) has all the characteristics of a virus except that it doesn’t necessarily go around making copies of itself and infecting other files or machines. But it is a computer program, it is hidden, and it is malicious. Most antivirus software offers protection against Trojans as well as true viruses. Computer Trojan horses are just like the original Trojan horse, which the Greeks presented to the Trojans in the guise of a peace offering. The horse actually harbored warriors who, once inside the otherwise-insurmountable gates of Troy, sneaked out in the dead of night and opened the gates for the invading army. Computer Trojans are not what they appear to be, either; they contain something hidden that has malicious intent. Being applications, however, they still must be run to carry out their purpose, just as the Trojan horse had to be brought within the gates of Troy.

Spyware. Spyware is simply a particular type of virus or Trojan horse with a specific purpose. As its name implies, a piece of spyware’s purpose is to spy on what you do on your computer and, presumably, to report that information back to its author.