About Viruses

by Torbjörn Hovmark, president of Abtrusion Security AB

Originally, the term virus was used for a particular type of software that could infect other programs. Today we normally use the term much more loosely to describe any kind of software program that spreads more or less by itself.

A virus can take many forms. There are the Trojans that hide within other, seemingly useful programs. There are the macro viruses that will infect documents - typically Office documents, as everyone has some version of Microsoft Office installed these days. There are the worms and mail viruses, mutating viruses and many other types.

Once upon a time, viruses spread from computer to computer by means of floppy disks. These were the days of the infecting viruses, as they would have to sneak along with another program to spread. At that time, Macintosh computers were especially hard hit. A Macintosh floppy disk includes a piece of code that is automatically run whenever the disk is inserted into a computer.

Then came bulletin boards, download areas and CompuServe. Virus makers found new ways of spreading their creations by infecting software for download. This all culminated with the advent of the Internet.

Along with the Internet came large scale use of e-mail. Along with e-mail came e-mail worms. They use the e-mail system to spread and have proven to be the most effective creatures invented by the virus makers so far.

Recently, a couple of viruses using regular hacker techniques have also shown up in the wilderness out there on the Internet. They hack into web servers and then spread to the web site's visitors or to other web servers.

As soon as viruses started to appear, so did anti-virus software and virus scanners. Most virus scanners work by reading files and comparing sequences of bytes from these files to a database of sequences from known viruses. The anti-virus software vendors continually update the database. This dependence on known sequences is of course a problem. No matter how often the database is updated, it will only protect you from the last wave of viruses but not from the next one. To address this problem, some anti-virus software has gone back to using other techniques for recognizing viruses as well.
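As an added example (not from the original article or from any Abtrusion product), the byte-sequence matching described above can be sketched in Python. The signature names, hex patterns and sample buffers are constructed, inert placeholders, and the `??` wildcard syntax is an assumption of this sketch.

```python
# Added illustration: a minimal byte-signature scanner (not any vendor's code).
# All signature names and sample bytes are constructed, inert placeholders.
import re


def compile_signature(hex_pattern):
    """Turn a hex signature such as 'DE AD ?? EF' into a bytes regex.
    '??' is a wildcard that matches any single byte."""
    parts = []
    for token in hex_pattern.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


class SignatureDatabase:
    def __init__(self):
        self._signatures = {}  # name -> compiled pattern

    def add(self, name, hex_pattern):
        self._signatures[name] = compile_signature(hex_pattern)

    def scan(self, data):
        """Return a sorted list of (name, offset) for every signature found in data."""
        hits = []
        for name, pattern in self._signatures.items():
            match = pattern.search(data)
            if match:
                hits.append((name, match.start()))
        return sorted(hits)


# Constructed sample "files": zero padding plus a marker sequence.
OLD_SAMPLE = b"\x00" * 16 + bytes.fromhex("DEADBEEF01C0FFEE") + b"\x00" * 8
OLD_VARIANT = b"\x00" * 4 + bytes.fromhex("DEADBEEF7FC0FFEE")  # one byte differs
NEW_SAMPLE = b"\x00" * 10 + bytes.fromhex("0BADF00D12345678")  # not yet in database
CLEAN_FILE = b"ordinary document contents"


def demo():
    db = SignatureDatabase()
    db.add("Constructed.Old.A", "DE AD BE EF ?? C0 FF EE")  # wildcard covers the variant
    before = [db.scan(s) for s in (OLD_SAMPLE, OLD_VARIANT, NEW_SAMPLE, CLEAN_FILE)]
    db.add("Constructed.New.B", "0B AD F0 0D 12 34")  # the vendor ships an update
    after = db.scan(NEW_SAMPLE)
    return before, after
```

Calling `demo()` shows the gap the paragraph describes: the new sample scans clean until its sequence is added to the database, and only then is it reported.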

In the early days of anti-virus software there were really two types around - those that matched sequences of bytes like today's anti-virus scanners and those that tried to recognize "virus behavior". However, when the number of viruses grew, it was soon clear that virus behavior detection was becoming far too complex, and it was abandoned. What some current anti-virus software is trying to do is to combine the two methods. Unfortunately, the guys writing the viruses have access to anti-virus software too, and they will most likely test their creations before letting them off into the wild.

Mutating viruses were the talk of the industry not many years ago. They would change every time they spread so that no string of bytes would ever be the same. They would not be recognized no matter how often virus databases were updated. Regular toolkits for writing mutating viruses appeared on the Internet. That craze died out for some reason. Maybe it is that spreading viruses has become so easy that using more advanced techniques is overkill. I don't know. A clever mutating virus is my biggest fear. (There are still viruses around that modify themselves, but not in any clever way.) It is relatively easy to come up with a mutating virus for anyone who knows a little bit about programming. It would use some encryption technique to hide most of its code and would constantly modify the rest. It would be really hard for virus scanners to detect. It is only a matter of time, I think. Instead, the latest craze is viruses that disable anti-virus scanners. I believe that is a technique that is here to stay. Each generation of viruses keeps getting better at it.

Copyright © 2002 Abtrusion Security AB. All rights reserved. This document may be reproduced provided that it is reproduced in its entirety and that this copyright message is retained.