Computer virus[1] edit
- ^ "Wikipedia". www.wikipedia.org. Retrieved 2023-01-07.
Computer Virus
A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.
Design
Parts[
A computer virus generally contains three parts: the infection mechanism, which finds and infects new files, the trigger, which determines when to activate the payload, and the payload, which is the malicious code to execute.
Infection mechanism
Also called the infection vector, this is how the virus spreads. Some viruses have a search routine, which locate and infect files on disk. Other viruses infect files as they are run, such as the Jerusalem DOS virus.
Trigger
Also known as a logic bomb, this is the part of the virus that determines the condition for which the payload is activated. This condition may be a particular date, time, presence of another program, size on disk exceeding a threshold, or opening a specific file.
Payload
The payload is the body of the virus that executes the malicious activity. Examples of malicious activities include damaging files, theft of confidential information or spying on the infected system. Payload activity is sometimes noticeable as it can cause the system to slow down or "freeze". Sometimes payloads are non-destructive and their main purpose is to spread a message to as many people as possible. This is called a virus hoax.
Phases[edit | edit source]
Virus phases is the life cycle of the computer virus, described by using an analogy to biology. This life cycle can be divided into four phases:
Dormant phase
The virus program is idle during this stage. The virus program has managed to access the target user's computer or software, but during this stage, the virus does not take any action. The virus will eventually be activated by the "trigger" which states which event will execute the virus. Not all viruses have this stage.
Propagation phase
The virus starts propagating, which is multiplying and replicating itself. The virus places a copy of itself into other programs or into certain system areas on the disk. The copy may not be identical to the propagating version; viruses often "morph" or change to evade detection by IT professionals and anti-virus software. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
Triggering phase
A dormant virus moves into this phase when it is activated, and will now perform the function for which it was intended. The triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself. The trigger may occur when an employee is terminated from their employment or after a set period of time has elapsed, in order to reduce suspicion.
Execution phase
This is the actual work of the virus, where the "payload" will be released. It can be destructive such as deleting files on disk, crashing the system, or corrupting files or relatively harmless such as popping up humorous or political messages on screen.
Detection[edit | edit source] edit
To avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool antivirus software, however, especially those which maintain and date cyclic redundancy checks on file changes. Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example, the CIH virus, or Chernobyl Virus, infects Portable Executable files. Because those files have many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file. Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them (for example, Conficker). A Virus may also hide its presence using a rootkit by not showing itself on the list of system processes or by disguising itself within a trusted process. In the 2010s, as computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. Defending a computer against viruses may demand that a file system migrate towards detailed and explicit permission for every kind of file access.[citation needed]
Infection vectors[edit | edit source] edit
As software is often designed with security features to prevent unauthorized use of system resources, many viruses must exploit and manipulate security bugs, which are security defects in a system or application software, to spread themselves and infect other computers. Software development strategies that produce large numbers of "bugs" will generally also produce potential exploitable "holes" or "entrances" for the virus.
Countermeasures[edit | edit source]
See also: Malware § Vulnerability to malware, Anti-malware, and Browser security § Browser hardening
Screenshot of the open-source ClamWin antivirus software running in Wine on Ubuntu Linux
In 1989 The ADAPSO Software Industry Division published Dealing With Electronic Vandalism, in which they followed the risk of data loss by "the added risk of losing customer confidence."
Many users install antivirus software that can detect and eliminate known viruses when the computer attempts to download or run the executable file (which may be distributed as an email attachment, or on USB flash drives, for example). Some antivirus software blocks known malicious websites that attempt to install malware. Antivirus software does not change the underlying capability of hosts to transmit viruses. Users must update their software regularly to patch security vulnerabilities ("holes"). Antivirus software also needs to be regularly updated to recognize the latest threats. This is because malicious hackers and other individuals are always creating new viruses. The German AV-TEST Institute publishes evaluations of antivirus software for Windows and Android.
REFRENCES edit
