Saturday, May 31, 2008

Extinct viruses

We use Microsoft Windows for development in our office. The biggest threats are trojans and worms. Every single day, new trojans are released onto the Internet, and I doubt whether the 'heuristic engines' of the various anti-virus and firewall products can detect the new ones. Recently, I saw my friend's Core 2 Duo machine become totally unresponsive after installing a popular antivirus. Trojans which merely spread and clog the network are less harmful than keyloggers!

Trojans remind me of viruses - beasts which spread from executable to executable on the same machine. IIRC, viruses would not spread from one machine to another unless you carried them yourself on a floppy, CD or USB drive. Viruses do not seem to be as common these days as they were in the days of DOS and Windows 95/98. The logic, programming skill and knowledge of system internals required to write a virus are much greater than what writing a trojan takes. The reason, I think, is that viruses traditionally have no independent existence, unlike trojans, which are full-fledged executables in themselves. Computer viruses are very much like bio-viruses: they need a target to attach to. The big point is that the virus has to live inside the executable (analogous to a cell) without killing it, that is, without destroying the executability of the file (or killing the cell immediately). If the file no longer runs, the virus fails to spread and, more importantly, it gets discovered. Patching the EXE header, adjusting offsets, inserting jumps and appending the virus body at the end of the file were the common techniques of the past. With .com files, which have no header and are loaded as a flat image at offset 100h, matters were easier: save the first few bytes of the host, overwrite them with a jump to the appended body, and let the body restore and run them when it is done.

Boot sector viruses, too, seem to have vanished these days. BIOSes had a 'boot sector write protection' option. I vividly remember the blue window which used to pop up when I tried to write to my HDD's boot sector from my own program or, at times, using Norton DiskEdit. What I appreciated and revered the most were the so-called polymorphic viruses - those which could change themselves (and yet remain effective!) to avoid being detected by the signature scanning technique used by most of the AVs. The usual trick was to encrypt the virus body with a different key on every infection and to vary the small decryptor that precedes it, so that no fixed byte sequence survives from one generation to the next; scanners answered by emulating the decryptor and scanning what it produced. I find the concept of mutating one's own self to avoid detection very interesting. Bio-viruses survive anti-viral drugs by the similar technique of mutation. But, of course, computer viruses are programmed to mutate, while bio-viruses mutate by accident, since viruses (generally) lack the enzymes which ensure perfect replication. Writing polymorphic code is not an easy task, and writing a polymorphic virus which would survive in the wild is an appreciably difficult one. Those who wrote them must have been really good programmers, unlike today's 'script kiddies', who have caused millions of dollars of losses without needing to write a single line of assembly, or even C at times.
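As an added illustration (not part of the original post), here is a toy model in Python of the two things discussed above: the classic .com appender and the fixed-string signature scanner it was caught by, plus a polymorphic variant of the same body that the fixed signature misses and a scanner that decrypts before matching catches. The sample host bytes, the virus 'body', the signature and the decryptor marker are all constructed for the example; everything is a byte string in memory, nothing is written to disk or executed, and the run-time restoration of the saved host bytes is not modelled (the model has a disinfect function instead). A real polymorphic decryptor is itself varied between generations; this model keeps it constant to stay short.

```python
"""Toy model of a .com appender, a signature scanner and a polymorphic variant.

Constructed example: every byte string here is made up for illustration, lives
only in memory, and is never written to disk or executed.
"""
import secrets
import struct
from typing import Optional

# Constructed stand-in for a tiny DOS .com host: mov ah,9 / mov dx,110h /
# int 21h / mov ax,4C00h / int 21h, followed by the '$'-terminated string.
SAMPLE_HOST = (b"\xB4\x09\xBA\x10\x01\xCD\x21\xB8\x00\x4C\xCD\x21"
               b"Hello, DOS!$")

# Constructed stand-in for the virus body and the byte string an AV would sign on.
VIRUS_BODY = b"\x90" * 8 + b"VIRUS-BODY-BYTES"
SIGNATURE = b"VIRUS-BODY-BYTES"

# Constructed marker standing in for the decryptor loop of the polymorphic
# variant; the single XOR key byte follows it.
DECODER_MARK = b"\xB1"


def infect_com(host: bytes, body: bytes = VIRUS_BODY) -> bytes:
    """Classic appender: save the host's first three bytes inside the appended
    region and overwrite them with a near JMP (E9 rel16) to that region.
    Layout after infection: [E9 rel16][rest of host][saved 3 bytes][body]."""
    if len(host) < 3:
        raise ValueError("host too small to patch a 3-byte jump into")
    rel = len(host) - 3              # rel16 is relative to the byte after the jmp
    if rel > 0xFFFF:
        raise ValueError("host too large for a rel16 jump")
    jmp = b"\xE9" + struct.pack("<H", rel)
    return jmp + host[3:] + host[:3] + body


def disinfect_com(sample: bytes) -> bytes:
    """Undo infect_com by following the jump to the saved bytes. Returns the
    sample unchanged if it does not carry the layout this model emits."""
    if sample[:1] != b"\xE9" or len(sample) < 6:
        return sample
    (rel,) = struct.unpack("<H", sample[1:3])
    target = 3 + rel
    if target + 3 > len(sample):
        return sample                # jump points past the end: not our layout
    return sample[target:target + 3] + sample[3:target]


def signature_scan(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """What most scanners of the era did: look for a fixed byte string."""
    return sig in sample


def polymorphic_body(key: Optional[int] = None, body: bytes = VIRUS_BODY) -> bytes:
    """Encode the body with a fresh single-byte XOR key and prepend the
    (here constant) decryptor marker and the key. Each generation differs."""
    if key is None:
        key = secrets.randbelow(255) + 1   # never 0: XOR with 0 leaves the body in clear
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return DECODER_MARK + bytes([key]) + bytes(b ^ key for b in body)


def emulating_scan(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """Model of the scanner's answer to polymorphism: find each candidate
    decryptor, run its loop (here: XOR with the following key byte) over
    the bytes after it, and look for the signature in the decoded output."""
    if sig in sample:
        return True
    pos = sample.find(DECODER_MARK)
    while pos != -1 and pos + 2 <= len(sample):
        key = sample[pos + 1]
        decoded = bytes(b ^ key for b in sample[pos + 2:])
        if sig in decoded:
            return True
        pos = sample.find(DECODER_MARK, pos + 1)
    return False


if __name__ == "__main__":
    plain = infect_com(SAMPLE_HOST)
    poly = infect_com(SAMPLE_HOST, polymorphic_body())
    print("plain appender, signature scan:", signature_scan(plain))   # True
    print("polymorphic,    signature scan:", signature_scan(poly))    # False
    print("polymorphic,    emulating scan:", emulating_scan(poly))    # True
    print("disinfection restores host:", disinfect_com(poly) == SAMPLE_HOST)
```

Run the file as-is and the polymorphic sample gets a different key on each run while the fixed-signature result stays False; that gap, not the appender itself, is why the signature scanners of the day had to grow emulators.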


Even though they've caused me trouble, I respect those virus writers for their skill and knowledge...

1 comment:

Ajay Mahendru said...

Good. You should read the book by Peter Szor, especially his papers on polymorphic/metamorphic viruses and worms. Peter Szor is the security architect for Symantec Security Response.