This section will give a brief introduction to viruses. We will define them and discuss how they have evolved from the desktop. In addition, we will examine how they might evolve in the near future over wireless media.
A computer virus is a program that has the capability to reproduce itself into other files or programs on the infected system and/or systems connected via a network. The difference between a virus and other forms of malicious code is that the offspring of the original virus must also be able to reproduce. However, simply because a program can do this doesn't necessarily mean that it's a virus. For example, some versions of Windows have the capability to copy themselves to other computers; these copies can in turn make copies of themselves. Although many consider Windows itself to be a virus, it really isn't.
One standard criterion defines a computer virus: human interaction.
Generally, a virus must have human interaction in order to spread. This means that a human must physically launch the program that contains the malicious instructions. The definition also clarifies that a virus must infect the host machine. Again, it is the computer operator who is responsible for the spread of a virus, although he might not realize he is doing it. For this reason, an important rule of thumb is to avoid executing programs if you do not know exactly what they will do to your system.
Each virus has three main parts that determine how far and wide it will spread: the social attraction of the virus, the reproductive aspect of a virus, and the payload of the virus. Each of these is necessary if the virus is to be successful.
The social aspect of a virus is the most important. If a virus does not offer some form of temptation, it might never be executed. For example, if you send a virus to someone with the title "Hello, I'm a virus," it would probably be ignored and deleted. The second part is the reproductive element of a virus. This is the part of the virus that is programmed to keep it alive and spreading. The final part is the payload; this is what makes the virus dangerous to the host.
A virus, once executed, will begin its work. A virus will often copy itself into system files and adjust the settings of your computer to fulfill its requirement for multiple execution. For example, if a virus inserted itself into a program such as Pocket Word, the virus would run every time you opened a document file.
Different types of viruses attach themselves to their host systems in different places. This is one way viruses are classified. For example, some viruses work in Pocket Office documents only, whereas others attack your filesystem. Although their location might vary, the outcome is still the same.
One of the most prevalent types of virus is the macro virus. A macro is a set of commands that requires an interpreting program for execution. The most well-known macros are used in Microsoft Office products. The bonus for macro virus writers is that Microsoft Office comes with a full programming language built right into it: Visual Basic for Applications (VBA). VBA is a very useful tool that can automate and assist a programmer and even basic users in performing many tasks with Microsoft Office. For example, VBA can be used to create a template program that asks the user a series of questions and then provides the user with a formatted document that's already filled with the correct information. However, when a virus corrupts the power of VBA, the results can be devastating. One famous example of such a virus is the Melissa virus.
The Melissa virus ties right into VBA through Outlook (another Microsoft product that is closely related to Microsoft Office); it then reproduces itself and mails itself to everyone in the infected computer's address book. The recipients, trusting the sender of the email, open the email and thereby infect themselves; they in turn infect everyone else in their respective address books. This generates a geometric progression with a high exponent. When this virus was first released, a large share of the world's email servers ground to a halt within a few short hours because they were so busy sending and receiving emails. Although the virus itself did not have a traditional "destructive" payload, the resulting deluge of email nevertheless brought the servers to their knees for days.
Another distinct type of virus is classified as a file infector. A file infector attaches itself to another file and is executed when the host file is launched. For example, if a virus infects the autoexec.bat file (which is one of the files used when Windows starts up), the virus is executed every time your computer is started.
Some viruses employ a combination of classes. Regardless of the type, all viruses are bad news. They can result in massive losses of data and money. Thus, your best defense is a good offense. You should spend the time to learn virus-safe practices. For example, never launch a program without knowing its result. Furthermore, do not trust attachments, even if it appears that your friend sent them. Commercial mobile anti-virus solutions have proven to be ineffective, so your best protection is using your brain.
A worm is very similar to a virus. In fact, worms are often confused for viruses. The difference is found in how a worm "lives," and in how it infects other computers. The outcome is essentially the same: a worm can delete, overwrite, or modify files just as a virus can. However, a worm is potentially much more dangerous. A worm is a program that can run independently, will consume the resources of its host from within in order to maintain itself, and can propagate a complete working version of itself on to other machines.
This means that a worm needs no human interference or stimulation after it is released. A worm will find ways, or holes, into another computer using the resources of the host computer. In other words, if you have a network connection to another computer on a network, a worm can detect this and automatically write itself to the other computer, all without your knowledge.
Worms are dangerous because of their "living" aspect. For example, a famous worm was released from MIT on November 2, 1988. It was named the Morris Worm after its creator, a 23-year-old student. The worm was released onto the network and quickly infested a large university mainframe computer. It started replicating and attacking the password file on the computer. After a short time, it cracked the passwords and used them to connect to other computers and replicate itself there, as well. Although the worm had no destructive code in it, it still managed to shut down entire systems designed to handle the workloads of thousands of students. The cost was estimated to be between $100,000 and $10,000,000 in lost computer and Internet time, depending on whom you believe.
An even more dramatic example was the "I Love You" worm. Although thought by many to be a virus, it was a worm because it used existing network connections to reproduce on other computers. The worm copied itself into several different types of files on the connected computer and then waited for someone to open what they assumed was a simple picture or Web page file. When the infected file was executed, users inadvertently infected themselves. The "I Love You" worm was estimated to have caused up to $15 billion in damages.
Worms can also do the work of hackers and script kiddies. For example, there are worms that scan for computers with open shares. In the latter part of 2000, a worm was discovered that scanned several hundred computers at once looking for those that had their C: drive shared. The worm would automatically turn tens of thousands of vulnerable computers into slaves for one master.
Trojan Horses (Trojans)
Although viruses are still the greatest threat to businesses in terms of lost money and data, Trojans are the greatest threat to security. Whereas the stereotypical virus simply destroys your data, a Trojan actually allows others to own your computer and the information stored on it.
A virus will only do what it is programmed to do. Although this can be very damaging, the outcome is predetermined by the instructions of the virus. Conversely, a Trojan has very little in the way of instructions; it simply creates a backdoor into the infected computer through which any instructions can be sent. These instructions can range from deleting files to uploading personal financial files. It all depends on the imagination of the person who is sending the instructions.
The term Trojan originates from an ancient Greek legend. In this legend, the invading army, intent on capturing the great walled city of Troy, built a massive hollow wooden horse. This horse was then filled with elite soldiers and placed outside the city gates of Troy as a peace offering. The Trojans (inhabitants of Troy) were then convinced by a spy to take the horse inside the city walls as a gift. At night, the soldiers climbed out of the horse and overcame the gate guard. The invading army then swept in and sacked the city of Troy.
The digital Trojan horse fulfills the destiny of its great wooden ancestor. A computer Trojan is a malicious program that can be cleverly hidden inside an innocuous-appearing program. When the host program is launched, the Trojan is activated. The Trojan then opens a connection, known as a backdoor, through which a hacker can easily enter and take over the computer, much like the soldiers who sacked Troy so long ago.
There are numerous Trojan-like programs for desktop computers. Some of the more famous Trojans are even used legitimately as remote access programs by information technology workers. Programs like Netbus and Back Orifice, which are two of the most common Trojans on the Internet, are actually used for legitimate reasons every day. In fact, Windows XP lets you easily access your server remotely with the built-in Remote Desktop, which acts like a benign Trojan.
Although there are many legitimate programs that provide backdoors, or remote control, it is how a true Trojan runs that makes it dangerous. One of the main differences between an honest backdoor and a Trojan can be found in how the program is running on its host computer. When a program is first executed, it can be made to operate in one of two different modes: hidden or visible. A normal program runs as a window or as an icon in the Windows taskbar (in the lower right corner where your digital clock is located). A hidden program, on the other hand, is invisible to all but the most intense scrutiny. In other words, you will not see a Trojan on your taskbar, and it can even keep itself off the Ctrl-Alt-Del list of processes. Hackers might use the same programs that IT technicians use, but this hidden feature turns a backdoor into the ultimate spying and control tool.
The level of control that a Trojan gives over your computer depends on what the programmer has built into it. Trojans usually give a hacker total control of all the files on your computer. Certain Trojans can even enable a hacker to remotely switch your mouse buttons, disable your keyboard, open and close your CD-ROM drawer, send messages to the screen, play sounds, or send you to any Web site the hacker happens to think is funny. In fact, some Trojans give a remote hacker more control over your computer than you yourself have.
How a Trojan Works
Every Trojan has both a client and a server. The server is installed on your computer, whereas the client is installed on the hacker's remote computer. Hackers use the client program to connect to the matching server program running on your computer, thus giving themselves a backdoor into your files.
The server side of a Trojan creates an open port on your computer. An open port in itself is not bad. In fact, your computer probably has several open ports right now. Ports are just open doors or windows through which programs communicate. A port receives a request from one side of the computer and passes it to the other side. When the server side of a Trojan opens a port, it is waiting for commands from its corresponding client. Nothing else can use this port, and if by random chance another program attempted to connect to the Trojan server, it would be ignored. When the server receives the incoming client request, it listens to the commands, performs the request and sends back any information requested. The port is just a virtual doorway through which the Trojan sends information.
Until recently, Trojans always created the same open port and accepted any incoming request on that port only. This made diagnosing a Trojan easy. However, modern Trojans change ports and even disguise themselves by sending data through innocuous ports or by encrypting the communication between client and server.
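A defender's check for the server side just described, added here as an example and not part of the original text: it parses netstat-style output (the sample lines, the PID-to-process table and the approved baseline are all constructed for this example) and flags any listening socket whose port and owning process are not on the baseline. Keying the baseline on the process as well as the port is what still catches a server that has moved off its usual port or onto an innocuous one such as 443.

```python
import re

# Constructed sample in the style of `netstat -ano` on Windows: protocol,
# local address, foreign address, state (TCP only) and owning PID.
SAMPLE_NETSTAT = """\
TCP    0.0.0.0:135      0.0.0.0:0         LISTENING    912
TCP    0.0.0.0:445      0.0.0.0:0         LISTENING    4
TCP    0.0.0.0:443      0.0.0.0:0         LISTENING    2710
TCP    0.0.0.0:40123    0.0.0.0:0         LISTENING    2710
TCP    192.0.2.10:49321 198.51.100.7:443  ESTABLISHED  2040
UDP    0.0.0.0:5353     *:*                            1500
"""

# Constructed PID -> image name table (what `tasklist` would report).
SAMPLE_PROCESSES = {912: "svchost.exe", 4: "System", 2710: "updater.exe",
                    2040: "browser.exe", 1500: "svchost.exe"}

# Approved (port, process) pairs recorded on a known-clean machine. Keying on
# the process as well as the port is what catches a server that has moved to
# an innocuous port such as 443 or to a port nobody has seen before.
BASELINE = {(135, "svchost.exe"), (445, "System"),
            (443, "httpd.exe"), (5353, "svchost.exe")}

LINE_RE = re.compile(r"^(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+([A-Z_]+))?\s+(\d+)$")

def parse_listeners(netstat_text, processes):
    """Return (proto, port, pid, process) for every socket that accepts input:
    TCP sockets in LISTENING state and every bound UDP socket."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, anything we do not understand
        proto, port, state, pid = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if proto == "TCP" and state != "LISTENING":
            continue  # an outbound connection is not a waiting backdoor server
        listeners.append((proto, port, pid, processes.get(pid, "<unknown>")))
    return listeners

def unexpected_listeners(listeners, baseline=BASELINE):
    """Flag listeners whose (port, process) pair is not on the approved baseline."""
    return [l for l in listeners if (l[1], l[3]) not in baseline]

if __name__ == "__main__":
    for proto, port, pid, proc in unexpected_listeners(
            parse_listeners(SAMPLE_NETSTAT, SAMPLE_PROCESSES)):
        print(f"unexpected {proto} listener on port {port}: {proc} (pid {pid})")
```

On the sample data the check reports two listeners owned by updater.exe, one on the odd port 40123 and one on 443, which a port-only check would have passed as a web server.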