Viruses as a type of malicious code (software)
A virus a program that can spread the malicious code to other non malicious programs by modifying them. This virus is similar to biological virus because it affects the other healthy file by attaching itself to the program and either destroying it or coexisting with it.
Because viruses are insidious, we cannot assume that a clean program yesterday is still clean today. Moreover, a good program can be modified to include a copy of the virus program, so the infected good program itself begins to act as a virus, infecting other programs. The infection usually spreads at a geometric rate, eventually overtaking an entire computing system and spreading to all other connected systems.
A virus can be either transient or resident
A transient virus has a life that depends on the life of its host; the virus runs when its attached program executes and terminates when its attached program ends. (During its execution, the transient virus may have spread its infection to other programs.) A resident virus locates itself in memory; then it can remain active or be activated as a stand-alone program, even after its attached program ends.
A Trojan horse
This is malicious code that, in addition to its primary effect, has a second, nonobvious malicious effect. As an example of a computer Trojan horse, consider a login script that solicits a user’s identification and password, passes the identification information on to the rest of the system for login processing, but also retains a copy of the information for later, malicious use.
In this example, the user sees only the login occurring as expected, so there is no evident reason to suspect that any other action took place.
The name is a reference to the Greek legends of the Trojan war, which tell how the Greeks tricked the Trojans into breaking their defense wall to take a wooden horse, filled with the bravest of Greek soldiers, into their citadel. In the night, the soldiers descended and signalled their troops that the way in was now clear, and Troy was captured.
A logic bomb
This is a class of malicious code that “detonates” or goes off when a specified condition occurs. A time bomb is a logic bomb whose trigger is a time or date.
A trapdoor or backdoor
This is a feature in a program by which someone can access the program other than by the obvious, direct call, perhaps with special privileges. For instance, an automated bank teller program might allow anyone entering the number 990099 on the keypad to process the log of everyone’s transactions at that machine. In this example, the trapdoor could be intentional, for maintenance purposes, or it could be an illicit way for the implementer to wipe out any record of a crime.
This is a program that spreads copies of itself through a network. The primary difference between a worm and a virus is that a worm operates through networks, and a virus can spread through any medium (but usually uses copied program or data files). Additionally, the worm spreads copies of itself as a stand-alone program, whereas the virus spreads copies of itself as a program that attaches to or embeds in other programs.
White et al. also define a rabbit as a virus or worm that self-replicates without bound, with the intention of exhausting some computing resource. A rabbit might create copies of itself and store them on disk, in an effort to completely fill the disk, for example.
Types of Malicious Code
Code Type Characteristics. Virus Attaches itself to program and propagates copies of itself to other programs. Trojan horse Contains unexpected, additional functionality. Logic bomb Triggers action when condition occurs. Time bomb Triggers action when specified time occurs. Trapdoor Allows unauthorized access to functionality Worm Propagates copies of itself through a network Rabbit Replicates itself without limit to exhaust resource
These definitions match current careful usage. The distinctions among these terms are small, and often the terms are confused, especially in the popular press. The term “virus” is often used to refer to any piece of malicious code. Furthermore, two or more forms of malicious code can be combined to produce a third kind of problem. For instance, a virus can be a time bomb if the viral code that is spreading will trigger an event after a period of time has passed. The kinds of malicious code are summarized in table 6.1.
Because “virus” is the popular name given to all forms of malicious code and because fuzzy lines exist between different kinds of malicious code, we will not be too restrictive in the following discussion. We want to look at how malicious code spreads, how it is activated, and what effect it can have. A virus is a convenient term for mobile malicious code, and so in the following sections we use the term “virus” almost exclusively. The points made apply also to other forms of malicious code
A Virus defined to do a malicious work has to be executed until then it is inactive only and it does nothing and threatens no one. Even executable virus code sitting on a disk does nothing.. Fortunately for virus writers, but unfortunately for the rest of us, there are many ways to ensure that programs will be executed on a running computer. For example, recall the SETUP program that you initiate on your computer. It may call dozens or hundreds of other programs, some on the distribution medium, some already residing on the computer, some in memory. If any one of these programs contains a virus, the virus code could be activated.
Let us see how.
Suppose the virus code were in a program on the distribution medium, such as a CD; when executed, the virus could install itself on a permanent storage medium (typically, a hard disk), and also in any and all executing programs in memory. Human intervention is necessary to start the process; a human being puts the virus on the distribution medium, and perhaps another initiates the execution of the program to which the virus is attached. (It is possible for execution to occur without human intervention, though, such as when execution is triggered by a date or the passage of a certain amount of time.) After that, no human intervention is needed; the virus can spread by itself. One way of virus activation is through the attachment in the e-mail. In this attack, the virus writer tries to convince the victim (the recipient of an e-mail message) to open the attachment.
Once the viral attachment is opened, the activated virus can do its work. Some modern e-mail handlers, in a drive to “help” the receiver (victim), will automatically open attachments as soon as the receiver opens the body of the e-mail message. The virus can be executable code embedded in an executable attachment, but other types of files are equally dangerous.
For example, objects such as graphics or photo images can contain code to be executed by an editor, so they can be transmission agents for viruses. In general, it is safer to force users to open files on their own rather than automatically; it is a bad idea for programs to perform potentially security-relevant actions without a user’s consent