by Torbjörn Hovmark, president of Abtrusion Security AB
Originally, the term virus was used for a particular type of
software that could infect other programs. Today we normally use the term
much more loosely to describe any kind of software program that spreads more
or less by itself.
A virus can take many forms. There are the Trojans that
hide within other, seemingly useful programs. There are the macro viruses
that will infect documents - typically Office documents, as everyone has
some version of Microsoft Office installed these days. There are the worms
and mail viruses, mutating viruses and many other types.
Once upon a time, viruses spread from computer to computer by means of
floppy disks. These were the days of the infecting viruses, as they would
have to sneak along with another program to spread. At that time, Macintosh
computers were especially hard hit. A Macintosh floppy disk includes a piece
of code that is automatically run whenever the disk is inserted into a
Then came bulletin boards, download areas and CompuServe. Virus makers
found new ways of spreading their creations by infecting software for
download. This all culminated with the advent of the Internet.
Along with the Internet came large scale use of e-mail. Along with e-mail
came e-mail worms. They use the e-mail system to spread and have proven to be
the most effective creatures invented by the virus makers so far.
Recently, a couple of viruses using regular hacker techniques have also
shown up in the wilderness out there on the Internet. They hack into web
servers and then spread to the web site's visitors or to other web servers.
As soon as viruses started to appear, so did anti-virus software and virus
scanners. Most virus scanners work by reading files and comparing sequences of
bytes from those files to a database of sequences taken from known viruses. The
database is continually updated by the anti-virus vendors. This is of course a
problem: no matter how often the database is updated, it will only protect you
from the last wave of viruses, not from the next one. To address this problem,
some anti-virus software has gone back to using other techniques of recognizing
viruses as well. In the early days of anti-virus software there were really two
types around: those that matched sequences of bytes, like today's anti-virus
scanners, and those that tried to recognize "virus behavior". However, as the
number of viruses grew, it soon became clear that virus behavior detection was
becoming far too complex, and it was abandoned. What some current anti-virus
software is trying to do is to combine the two methods. Unfortunately, the guys
writing the viruses have access to anti-virus software too, and they will most
likely test their creations against it before letting them off into the wild.
Mutating viruses were the talk of the industry not many years ago. They
would change every time they spread so that no string of bytes would ever be
the same, and so they would not be recognized no matter how often virus
databases were updated. Regular toolkits for writing mutating viruses appeared
on the Internet. That craze died out for some reason. Maybe it is that
spreading viruses has become so easy that using more advanced techniques is
overkill. I don't know. A clever mutating virus is my biggest fear. (There are
still viruses around that modify themselves, but not in any clever way.) It is
relatively easy for anyone who knows a little bit about programming to come up
with a mutating virus. It would use some encryption technique to hide most of
its code and would constantly modify the rest, which would make it really hard
for virus scanners to detect. It is only a matter of time, I think. Instead,
the latest craze is viruses that disable anti-virus scanners. I believe that is
a technique that is here to stay. Each generation of viruses keeps getting
better at it.
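As an added illustration (not part of the original article) of the two points above, the byte-sequence scanner and why a self-modifying sample slips past it: a toy signature database, a scanner that looks for those sequences in a file, and a "mutation" that re-encodes the same body under a fresh key each generation. Every signature name and byte string here is constructed for the example, not taken from any real virus or product.

```python
from typing import Dict, List

# Constructed signature database (name -> byte sequence from a "known" sample).
# All byte strings in this example are made up; none is real malware.
SIGNATURES: Dict[str, bytes] = {
    "Example.Worm.A": b"MAIL-ME-TO-EVERYONE",
    "Example.Trojan.B": b"\x90\x90\xcc\xcc\x90",
}

# Constructed file contents, standing in for what a scanner reads from disk.
KNOWN_SAMPLE = b"MZ...header..." + b"MAIL-ME-TO-EVERYONE" + b"...trailer"


def scan(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """The classic scanner: report every known byte sequence found in the file."""
    return [name for name, sig in signatures.items() if sig in data]


def xor_bytes(data: bytes, key: int) -> bytes:
    """One-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def mutate(body: bytes, key: int) -> bytes:
    """Simulate a mutating sample: a small fixed decoder stub followed by the body
    encoded under a fresh key, so no byte sequence of the body survives from one
    generation to the next (the 'encryption technique' the text refers to)."""
    return b"DECODE:" + bytes([key]) + xor_bytes(body, key)


def demo() -> dict:
    gen1 = mutate(KNOWN_SAMPLE, 0x5A)  # two generations, two different keys
    gen2 = mutate(KNOWN_SAMPLE, 0x3C)
    # Defender's answer for this simple case: sign the part that does not change.
    with_stub = dict(SIGNATURES, **{"Example.Mutant.stub": b"DECODE:"})
    return {
        "known": scan(KNOWN_SAMPLE),         # ['Example.Worm.A']
        "gen1": scan(gen1),                  # []  body signature no longer matches
        "gen2": scan(gen2),                  # []
        "gen1_stub": scan(gen1, with_stub),  # ['Example.Mutant.stub']
        "gen2_stub": scan(gen2, with_stub),  # ['Example.Mutant.stub']
    }
```

A sample that also rewrites its decoder stub every generation removes that last fixed sequence as well, which is the "constantly modify the rest" case in the text and the reason behaviour-based detection was attempted alongside byte matching.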
Copyright © 2002 Abtrusion Security AB.
All rights reserved. This document may be reproduced provided that it is
reproduced in its entirety and that this copyright message is retained.