Types and Examples
If you have read the last article, I assume that you have become familiar with
the definition and anatomy of a computer virus. As in medicine, computer viruses
too are specialized according to the area they infect and the amount of damage
they cause. So let us study the basic categories of viruses.
Types of Viruses
Boot viruses:
These viruses infect floppy disk
boot records or master boot records in hard disks. They replace the boot record
program (which is responsible for loading the operating system in memory) copying
it elsewhere on the disk or overwriting it. Boot viruses load into memory if
the computer tries to read the disk while it is booting.
Examples: Form, Disk Killer, Michelangelo,
and Stone virus
Program viruses:
These infect executable program files, such as those with extensions like .BIN,
.COM, .EXE, .OVL, .DRV (driver) and .SYS (device driver). These programs are
loaded in memory during execution, taking the virus with them. The virus becomes
active in memory, making copies of itself and infecting files on disk.
Examples: Sunday, Cascade
Multipartite viruses:
A hybrid of Boot and Program viruses. They infect program files and when the
infected program is executed, these viruses infect the boot record. When you
boot the computer next time the virus from the boot record loads in memory and
then starts infecting other program files on disk.
Examples: Invader, Flip, and Tequila
Stealth viruses:
These viruses use certain techniques to avoid detection. They may either redirect
the disk head to read another sector instead of the one in which they reside
or they may alter the reading of the infected file’s size shown in the
directory listing. For instance, the Whale virus adds 9216 bytes to an infected
file; then the virus subtracts the same number of bytes (9216) from the size
given in the directory.
Examples: Frodo, Joshi, Whale
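The size trick described above only defeats a check that trusts the directory listing; an integrity checker that also hashes file content does not depend on the listed size. The following Python sketch is an added example, not code from the original article. Its function names and sample files are constructed for illustration, and it assumes the check is run on a system booted from clean media.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Return (directory-reported size, bytes actually read, SHA-256 of content)."""
    listed = os.stat(path).st_size
    digest = hashlib.sha256()
    read = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            read += len(chunk)
            digest.update(chunk)
    return listed, read, digest.hexdigest()

def make_baseline(paths):
    """Record a known-good fingerprint for each file."""
    return {p: fingerprint(p) for p in paths}

def check(baseline):
    """Compare current state to the baseline; return {path: [findings]}."""
    findings = {}
    for path, (old_listed, _old_read, old_hash) in baseline.items():
        listed, read, new_hash = fingerprint(path)
        issues = []
        if listed != read:
            issues.append("listed size differs from bytes read")
        if listed != old_listed:
            issues.append("size changed")
        if new_hash != old_hash:
            issues.append("content changed")
        if issues:
            findings[path] = issues
    return findings

def demo():
    """Constructed sample: two stand-in files, one altered without a size change."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "clean.bin")
        altered = os.path.join(d, "altered.bin")
        for p in (clean, altered):
            with open(p, "wb") as fh:
                fh.write(b"A" * 1024)
        base = make_baseline([clean, altered])
        # Same length, different bytes: what a size-only comparison would miss.
        with open(altered, "wb") as fh:
            fh.write(b"A" * 1023 + b"B")
        return {os.path.basename(p): v for p, v in check(base).items()}
```

Calling demo() reports only altered.bin, and only as "content changed": the listed size is identical to the baseline, so the hash is what catches the modification.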
Polymorphic viruses:
A virus that can encrypt its code in different ways so that it appears differently
in each infection. These viruses are more difficult to detect.
Examples: Involuntary, Stimulate, Cascade, Phoenix, Evil, Proud, Virus 101
Macro Viruses:
A macro virus is a new type of computer virus that infects the macros within
a document or template. When you open a word processing or spreadsheet document,
the macro virus is activated and it infects the Normal template (Normal.dot), a
general purpose file that stores default document formatting settings. Every
document you open refers to the Normal template, and hence gets infected with
the macro virus. Since this virus attaches itself to documents, the infection
can spread if such documents are opened on other computers.
Examples: DMV, Nuclear, Word Concept.
Active X:
ActiveX and Java controls will soon be the scourge of computing. Most people
do not know how to control their web browser to enable or disable the various
functions like playing sound or video and so, by default, leave a nice big hole
in the security by allowing applets free run of their machine. There has been
a lot of commotion about this and with the amount of power that Java imparts,
things from the security angle seem a bit gloomy.
These are just a few broad categories. There are many more specialized types.
But let us not go into that. We are here to learn to protect ourselves, not write
a thesis on computer virus specification.
What About Good Viruses?
The general consensus is that there are none.
By definition, viruses do not have to do something bad. An early (and current) virus researcher, Fred Cohen, has argued that good computer viruses are a serious possibility. In fact, he has offered a reward of $1,000 for the first clearly useful virus; but, he hasn't paid yet.
Most researchers, however, take the other side and argue that the use of self-replicating
programs is never necessary; the task that needs to be performed can just as
easily be done without the replication function.
Vesselin Bontchev has written a paper originally delivered at the 1994 EICAR
conference, titled Are "Good" Computer Viruses Still a Bad Idea?.
The paper covers all aspects of the topic. As of this writing, the paper is
available at:
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip
Lest you think others have not been thinking about this, here are some of the
proposals (from the above-referenced paper) for a good virus that have not worked
out:
1. The "Anti-Virus" Virus. Several people have had the idea to develop
an "anti-virus" virus - a virus which would be able to locate other
(presumably malicious) computer viruses and remove them.
2. The "File Compressor" Virus. This is one of the oldest ideas for
"beneficial" viruses. The idea consists of creating a self-replicating
program, which will compress the files it infects, before attaching itself to
them.
3. The "Disk Encryptor" Virus. This virus has been published. The
idea is to write a boot sector virus, which encrypts the disks it infects with
a strong encryption algorithm (IDEA in this particular case) and a user-supplied
password to ensure the privacy of the user's data.
4. The "Maintenance" Virus. The idea consists of a self-contained
program, which spawns copies of itself across the different machines in a network
(thus acting more like a worm) and performing some maintenance tasks on those
machines (like deleting temporary files).
All of the above viruses fail one or more of the standard measures typically
used to judge if a virus is "good" or not. These are (again, from
the above-referenced paper):
A. Technical Reasons
o Lack of Control. Once released, the person who has released a computer virus
has no control over how this virus will spread.
o Recognition Difficulty. In general it is not always possible to distinguish
between a virus and a non-virus program. There is no reason to think that distinguishing
between "good" and "bad" viruses will be much easier. Many
people are relying on generic anti-virus defenses (e.g., activity monitoring
and/or integrity checking) which will trigger a response to changes.
o Resource Wasting. A computer virus eats up disk space, CPU time, and memory
resources during its replication.
o Bug Containment. A computer virus can easily escape a controlled environment.
o Compatibility Problems. A computer virus that attaches itself to user programs
would disable several programs on the market that perform a checksum on themselves
at runtime.
B. Ethical and Legal Reasons
o Unauthorized Data Modification. It is usually considered unethical to modify
other people's data without their authorization. In many countries this is also
illegal.
o Copyright and Ownership Problems. In many cases, modifying a particular program
could mean that copyright, ownership, or at least technical support rights for
this program are voided.
o Possible Misuse. An attacker could use a "good" virus as a means
of transportation to penetrate a system.
o Responsibility. Declaring some viruses as "good" and "beneficial"
would just provide an excuse to the crowd of irresponsible virus writers to
condone their activities and to claim that they are actually doing some kind
of "research."
C. Psychological Reasons
o Trust Problems. Users like to think that they have full control over what is
happening in their machine.
o Negative Common Meaning. For most people, the word "computer virus"
is already loaded with negative meaning.