Skip to main content
Version: 1.0.2

Viruses

Virus type

Stealth virus

  • Virus takes active steps to conceal infection from antivirus
  • 📝 Characteristic behaviors
    • Restores original file timestamp
    • Intercepts system calls to play back original information of file to e.g.
      • change system libraries to hide its existence from antiviruses
      • run the rootkit

Tunneling virus

  • Backtracks interrupt chain to go directly to DOS and BIOS interrupt handlers
  • Avoids monitoring
  • Kernel software protected in other OS
  • Legacy, was only possible in MS-DOS

Logic Bomb virus

  • Not self-replicating, zero population growth, possibly parasitic
  • Consists of
    • Payload
    • An action to be performed
    • Trigger
      • Boolean condition to be executed
  • E.g. if Bob is not getting paid then delete the cloudarchitecture.io website

Polymorphic virus

  • 📝 Modifies their payload to avoid signature detection
  • Mutates its payload and usually encrypts it.
  • Can hide file changes against simple checksums

Metamorphic virus

  • Viruses that can reprogram/rewrite itself.
  • In polymorphic virus, the mutation engine is always the same while payload is mutated, metamorphic virus can also mutate its own mutation engine.
  • Usually
    • Inserts dead code
    • Reshapes the expressions
    • Reorders instructions
    • Encrypts program code
    • Modifies the program control structure
  • E.g. Win32/Simile and Zmist

Macro virus

  • Changes or creates new macro for MS Office products
  • 📝 Macros
    • Code that is part of documents.
    • Used extensively in MS Office Tools
      • Written in or translated to Visual Basic for Applications (VBA) code
    • Macro language: a programming language which is embedded inside a software application
  • Protective strategies
    • Later versions of MS Office have security levels for execution of macros
      • Level high only executes signed macros
    • MS Office provides warnings when files contain macros
  • E.g. Concept, first macro virus for Microsoft Word (1995-1997)
    • Infects Word's global document-template NORMAL.DOT
    • Creates PayLoad and FileSaveAs macros
    • Infects all documents saved with the Save As command
  • E.g. Laroux, first macro virus for Microsoft Excel (1996)
    • Consists of auto_open and check_files
      • auto_open executes whenever an infected spreadsheet is opened, followed by check_files
      • Virus looks for PERSONAL.XLS
    • Virus contains no malicious payload

File infectors

  • Virus infects executables

Appending virus

  • At the end
  • To get control
    1. Save original instruction in code
    2. Replace by jump to viral code
    3. Execute virus
    4. Restore original instruction and jump to them
      • or run original instruction at saved location followed by jump to the rest of the code

Overwriting file virus

  • 📝 Also known as cavity virus or spacefiller virus
  • 📝 Houses itself in target files without altering their size.
  • Virus gets control in normal execution of file
  • Placement Strategies
    • Place virus in superfluous data
    • Place virus in file slack or unused allocated file space
    • Stash overwritten contents in a companion file
    • Compress (parts of) the original file, decompress
  • E.g. Lehigh (an early DOS virus)

Inserting virus

  • Move target code out of way
  • Intersperse small pieces of virus with infected file

Companion virus

  • Virus gets executed before infected file
  • Infected file barely changed
  • Examples
    • Change name of target file
      • Copy notepad.exe to notepad.exp
      • Virus is in new notepad.exe, which calls notepad.exp
    • Virus placed earlier in search path
      • notepad.exe in a different directory than real notepad.exe
      • notepad.com is executed before notepad.exe
    • Use Windows registry to change association for .exe files
    • Change interpreter in ELF files
      • Typically the run-time linker, but now virus
    • Associate icon of target with virus

Boot sector infectors

  • Contains code that runs when a system starts up.
  • Also known as boot sector virus
  • 📝 Copies itself into the MBR or VBR on hard disk
    • Typically after making copy of MBR in a "safe location"
  • Extinct in the wild
    • Floppies are rarely used to boot, disabling the propagation mechanism
    • OS prevent writing to a disk's boot sector without proper authorization
    • BIOS can enable boot block protection
  • E.g. Michelangelo (1991)
    • Moves original boot sector to safe location
    • Infects all floppy disks inserted into computer
    • Payload: overwrites file system with zeroes
  • E.g. Stoned Virus (1988)
    • Infects 360KB diskettes and MBR
    • Many variants
    • Payload: Shows "Your PC is now stoned!"

Boot record types

  • Volume Boot Record
    • First sector of an unpartitioned storage device
    • First sector of an individual partition
  • Master Boot Record
    • First sector of data storage device that has been partitioned

Booting

  • Bootstrap loader
    • Loads software to start OS
  • Multi-stage bootstrap loader
  • Boot sequence on IBM-PC
    • Runs instruction at memory location F000:FFF0 of BIOS
    • Jumps to execution of BIOS startup program
    • Executes Power-On Self-Test (POST)
      • Checks, initializes devices
    • Goes through preconfigured list of devices
    • If it finds bootable device, loads, and executes boot sector
      • Assume MBR on hard drive
      • MBR contains address of bootable partition
      • Load boot sector of bootable partition
      • Boot sector moves OS kernel into memory and starts it

Multipartite viruses

  • Also known as hybrid virus
  • 📝 Combines file infectors and boot record infectors
  • Re-infects a system repeatedly
  • In order for it to be eradicated, the whole virus has to be removed from the system
  • E.g. Ghostball, first multipartite virus (1989)
    • Infects both executable .COM-files and boot sectors.

Other virus types

  • Camouflage virus: Disguise as legit files.
  • Network: Spreads via network shares.
  • Shell virus
    • Like boot sector but wrapped around application code, and run on application start.
  • Sparse infector
    • Only fire when a specific condition is met
    • E.g. a virus which infects only the 20th time a file is executed.