tempt to thwart detection by string-matching algorithms. The method and implementation of self-replication used by a virus depend on the software environment in which it executes. The method must also support the other phases of the virus's lifespan, including activation and spreading.
The basic virus types each exist in a unique environment and must make use of
available resources to implement self-replication, so the software environment has a
significant impact on modes of self-replication. Boot sector viruses exist within the
boot sector of a disk and are activated during the host computer's boot-up procedure.
These viruses must make use of the software environment available at boot time,
which consists of the basic input/output system (BIOS) routines. Executable file viruses
generally have the same access to operating system functions as their host program,
and therefore can make full use of these functions to implement self-replication.
Macro viruses operate within the specific set of operations provided by the macro
language and must function in the environment provided by the interpreter. Worms
exist completely within the environment of a specific application and must make use
of the limited set of mechanisms available within the application.
The activation and spreading methods used by a virus also have a significant im-
pact on its method of self-replication, which should provide a high likelihood of fu-
ture activation. The virus can accomplish this by making a large number of copies of
itself, by placing a small number of copies in highly selective locations, or by using
several distinct methods of activation. The spreading method determines the basic
mechanism available to the virus to implement self-replication. Methods of spreading
include email, network file shares, manual transport by floppy disk, and Internet pro-
tocols such as HTTP and IRC.
3 Fundamentals of an Attack
To study malicious code, its fundamental operations need to be understood. Upon activation, a malicious program performs several operations: determination of environment, infection, replication and payload delivery. The Melissa virus, first detected in March 1999, serves as the example here. Melissa is a Microsoft Word macro virus. It activates when a user opens an infected Word document and spreads by electronic mail over the Internet.
The operating environment is very important for viral code. Since there are practically unlimited combinations of operating system and user software installed in the world, the virus must determine some fundamental parameters in order to evade detection and to ensure that infection, replication and payload delivery succeed. Examples of the information collected are the system path, whether the host has already been infected, the operating system version, the date and time, and the e-mail client software.
The first few lines of Melissa's code perform this operation. To function, Melissa needs Word's macro security settings to allow it to execute freely, so it first inspects those settings and then modifies them if needed. After setting up the environment for execution, Melissa checks whether it has already infected the host. If it has, the self-replication section of the code is skipped and it proceeds to infect files that are not yet infected.
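The environment-determination step described in the last two paragraphs (probing and lowering Word's macro security, hiding the macro menu, checking a registry marker for a prior infection before the mail-out) is also what a defender looks for when triaging a suspicious document's VBA. The script below is an added example written for this page, not Melissa's source and not code from the original text: it scans extracted VBA source for those indicators and scores it. The sample macro it runs on is constructed to imitate only the setup behaviour described above (the mail-out is omitted), and the indicator list and weights are an assumption about what a triage script should flag, not a published signature.

```python
"""Static triage of VBA macro source for Melissa-style environment setup.

Added example for this page, not Melissa's source. The sample macro and the
indicator weights are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: re.Pattern
    weight: int


# Each indicator maps to one of the operations the text describes.
INDICATORS = [
    # Runs as soon as the document is opened (activation).
    Indicator("auto_open_trigger",
              re.compile(r'^\s*(Private\s+)?Sub\s+(Document_Open|AutoOpen|Document_Close|AutoClose)\b',
                         re.I | re.M), 2),
    # Writes Word's macro security level through the registry.
    Indicator("word_security_level_write",
              re.compile(r'PrivateProfileString\s*\(.*Word\\Security.*\)\s*=\s*', re.I), 4),
    # Turns off Word's built-in macro virus protection option.
    Indicator("virus_protection_disabled",
              re.compile(r'Options\.VirusProtection\s*=', re.I), 4),
    # Hides the Tools/Macro menu entries so the user cannot inspect or re-enable security.
    Indicator("macro_menu_hidden",
              re.compile(r'CommandBars\s*\(\s*"(Tools|Macro)"\s*\)\.Controls\s*\(.*\)\.Enabled\s*=\s*False',
                         re.I), 3),
    # Reads a registry value and compares it: covers both the security-level probe
    # and the "already infected?" marker check.
    Indicator("registry_state_check",
              re.compile(r'PrivateProfileString\s*\([^)]*\)\s*<>', re.I), 2),
    # Drives the mail client for spreading.
    Indicator("outlook_automation",
              re.compile(r'CreateObject\s*\(\s*"Outlook\.Application"\s*\)', re.I), 3),
    # Silences errors so a partial environment mismatch does not abort the macro.
    Indicator("error_suppression",
              re.compile(r'^\s*On\s+Error\s+Resume\s+Next', re.I | re.M), 1),
]


def triage_macro(source: str, threshold: int = 6) -> dict:
    """Count indicator hits in VBA source and return a weighted verdict."""
    hits = {}
    for ind in INDICATORS:
        count = sum(1 for _ in ind.pattern.finditer(source))
        if count:
            hits[ind.name] = count
    score = sum(ind.weight for ind in INDICATORS if ind.name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= threshold}


# Constructed sample: imitates the environment setup described in the text
# (security lowered, menu hidden, registry marker checked), with no spreading code.
SAMPLE_MACRO = r'''
Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
    CommandBars("Macro").Controls("Security").Enabled = False
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
    CommandBars("Tools").Controls("Macro").Enabled = False
    Options.VirusProtection = False
End If
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Example\", "Marker") <> "infected" Then
    Set app = CreateObject("Outlook.Application")
End If
End Sub
'''

# Constructed benign macro for contrast.
BENIGN_MACRO = r'''
Sub FormatReport()
    Selection.Font.Bold = True
    ActiveDocument.Save
End Sub
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(label, triage_macro(src))
```

The weights deliberately favour the security-lowering writes over the mere presence of an auto-open handler, since legitimate templates use Document_Open too; a single registry write to the Word security key plus Outlook automation already crosses the threshold, which is the combination the text singles out as Melissa's setup.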