The Pathology of Computer Viruses

17MILITARY REVIEW l March-April 2001

THE RECENT denial-of-service attacks againstInternet service providers and content provid-

ers suggest that computer networks are vulnerableto widespread attack from various adversaries. Theglobal nature of such activities and the disparate at-tacks complicate providers� defensive tasks.

Dispersed tool kits available to hackers make itall but certain that sniffing out, tracking down andeliminating these threats will frustrate the best net-work minds. As webmasters, systems administratorsand network security managers rethink the problem,they will focus much of their effort on mitigatingall forms of virus attacks.

The similarity between computer network sys-tems and biological systems is uncanny. This com-parison is common both within information technol-ogy publications and among computer networksystem users. Comparing computer networks toliving systems suggests their numerous vulnerabili-ties. One of the greatest threats to an organization�scomputer networks is viral infections or contagion.Containing these contagion and eradicating thembefore a network is degraded requires understand-ing and real-time vigilance from users, networkadministrators and software developers.

The Pathology of Computer VirusesA computer virus is a program, software code,

designed to replicate and spread, generally withoutthe victim�s knowledge. The mere mention of these

two words sends computer novices and expertsscrambling to download the latest updates ofantivirus software. Without exception, every largecompany and organization experiences viral infec-tions�many experience them monthly. Accordingto TruSecure�s ISCA Labs 6th Annual ComputerVirus Prevalence Survey 2000, in one two-monthperiod, corporations experienced virus attacks at therate of 91 infected personal computers (PCs) per1000, which represents the fifth consecutive year ofincrease.1 The number of virus attacks appears tobe unusually high if viewed independently. How-ever, when Department of Defense (DOD�s) anti-viral software supplier defines and categorizes21,389 known viruses and DOD�s other antiviralsoftware supplier categorizes more than 40,000 vi-ruses, the number of virus attacks appears in a newlight. These viruses, usually benign or annoying, canslow performance, absorb resources, change screendisplays and disrupt or deny service, affecting or-ganizations� profit or mission.

Computer viruses come from a variety of sourcesand spread by attaching themselves to other pro-grams, such as word processors or spreadsheet ap-plications, or to the boot sector of a disk. When theinfected file is activated, or executed, or when thecomputer is started from an infected disk, the virusis also executed. Viruses can also lurk in computermemory, waiting to infect the next activated pro-gram or the next accessed disk.

18 March-April 2001 l MILITARY REVIEW

The TruSecure study found that e-mail attach-ments were responsible for 87 percent of infections,up from just nine percent in 1996. Infected disk-ettes, while accounting for 57 percent of infec-tions in 1996 declined to just 8 percent in 2000.About one percent ofcomputer users said theyhad acquired their viruswhile downloading soft-ware from an electronicbulletin board service orweb-site. Other sources ofinfected diskettes (sixpercent) included demodisks, diagnostic disksthat service techniciansuse and shrink-wrappedsoftware disks.2

Although no new statis-tics are available, net-working, enterprise computing and interorgani-zational communications are growing. As telecom-muting and networking increase, so do infections�in number, complexity and variety. In 1986 therewere just four known PC viruses. Today more thanthree viruses are created daily for an average of 110new viruses in a typical month. There are severalvariations of viruses, but there are only three waysa virus can access a system.3

File viruses. Most of the thousands of existingviruses are file viruses, including the Friday the 13thvirus. They generally infect files by attaching them-selves to executable files, such as the .EXE and.COM files that execute applications and programs.The virus can insert its own code in any part of thefile, then changes the host�s code and misdirects theprogram to execute the virus code first rather thanthe legitimate program.

Boot-sector/partition-table viruses. About 200different boot-sector viruses make up 75 percent ofall virus infections. Boot-sector viruses include themost common virus of all time, Stoned, and the mostnotorious, Michelangelo. These viruses are so preva-lent because they are difficult to detect. They do notchange a file�s size or slow PC performance and,thus, are invisible until their trigger event occurs.Events such as reformatting a hard disk or scanninga disk serve as triggers. The boot-sector virus in-fects floppy and hard disks by inserting itself intothe boot sector, which contains code that is executedduring the system boot-up process. Booting from aninfected floppy allows the virus to jump to thecomputer�s hard disk. The virus executes first andgains control of the system boot program code evenbefore the operating system (OS) is loaded.

Because the virus executes before the OS isloaded, it is not OS-specific and can infect any PC

operating system platform. The virus goes directlyto the random access memory (RAM) and infectsevery disk that is accessed until the computer isrebooted and the virus is removed from memory.Partition-table viruses attack the hard disk partition

table by moving it to adifferent sector and re-placing the original parti-tion table with its owninfectious code. These vi-ruses spread from the par-tition table to the bootsector of floppy disks asfloppy disks are accessed.

Multipartite viruses.These viruses combinethe ugliest features ofboth file and boot-sector/partition-table viruses.They can infect any of

these host software components. While traditionalboot sector viruses spread only from infected floppyboot disks, multipartite viruses can spread with theease of a file virus but still insert an infection into aboot sector or partition table. This makes them par-ticularly difficult to eradicate. Tequila is an exampleof a multipartite virus.

Although there are only three ways to infect asystem, there are hundreds of variations of viruses.4Like its classical namesake, the Trojan Horse virustypically masquerades as a legitimate software pro-gram. The Trojan Horse generally does not repli-cate; it waits until its trigger event and then displaysa message or destroys files or disks. Alongside theTrojan Horse is the Trojan Mule. The Trojan Mulefools authorized users into giving their LOGIN in-formation�passwords and user-IDs. Once theytype in their user-ID/password LOGIN information,the virus sends that information to the file im-plementers and prints out a LOGIN error message.As the authorized user retypes the information, thevirus exits, and the real LOGIN program regainscontrol without the user suspecting the LOGIN in-formation has been revealed. The difference be-tween Trojan Horse and Trojan Mule is that themule does not even try to perform useful functions,such as games or applications. The mule disappearsfrom the system it has infected, but the horse re-mains until it is cleaned out.

File overwriters. These viruses infect files bylinking themselves to a program, keeping the origi-nal code intact and adding themselves to as manyfiles as possible. Innocuous versions of fileoverwriters may not be intended to do anythingmore than replicate, but even then they take up spaceand slow performance. Since file overwriters, likemost other viruses, are often flawed, they can dam-

In one two-month period,corporations experienced virus

attacks at the rate of 91 infectedPCs per 1000. . . . DOD�s antiviral

software supplier defines andcategorizes 21,389 known virusesand DOD�s other antiviral software

supplier categorizes more than40,000 viruses.


age or destroy files inadvertently. The worst fileoverwriters remain hidden until their trigger events,then deliberately destroy files and disks.

Polymorphic viruses. More and more of today�sviruses are polymorphic. The recently releasedMutation Engine�whichmakes it easy for viruscreators to transform sim-ple viruses into polymor-phic ones�ensures thatpolymorphic viruses willproliferate over the nextfew years. Like the ac-quired immunodeficiencysyndrome (AIDS) virusthat mutates frequently toescape detection by thebody�s defenses, the poly-morphic computer virusmutates to escape detec-tion by antivirus software that compares it to an in-ventory of known viruses. Code within the virus in-cludes an encryption routine to help the virus hide,plus a decryption routine to restore the virus to itsoriginal state when it executes. Polymorphic virusescan infect any type of host software. Although poly-morphic file viruses are most common, polymorphicboot sector viruses have already been discovered.

Stealth viruses. Stealth viruses have special en-gineering that enables them to elude detection bytraditional antivirus tools. The stealth virus adds it-self to a file or boot sector, but when you examinethe host software, it appears normal and unchanged.The stealth virus performs this trick by lurking inmemory when it is executed. There it monitors andintercepts the OS�s calls. When the OS tries to openan infected file, the stealth virus races ahead,disinfects the file and allows the OS to open it�all appears normal. When the OS closes the file,the virus reverses these actions, reinfecting thefile. Boot sector stealth viruses insert themselves inthe system�s boot sector and relocate the legitimateboot-sector code to another part of the disk. Whenthe system is booted, it retrieves the legitimate codeand passes it along to accomplish the boot. Theboot-sector appears normal, but is not in its nor-mal location.

Macro viruses. Macros are miniprogramsthat take much of the legwork out of repetitive ortemplate-oriented documents. For example, to mini-mize the work involved in typing out the currentdate, a user might simply type the letter �D� toinsert the day, month and year all at once. Macroviruses are carried in the types of data files that busi-ness computer users most often exchange� word-processed documents and spreadsheets. These datafiles are often exchanged by e-mail, so they some-

times bypass the checks that virus-aware organiza-tions already have in place. Experts estimate that 40percent of virus attacks are made this way.

Macro viruses are created with the aid of themacro routines contained in all word-processing and

spreadsheet applicationsoftware. They attachthemselves to any docu-ment files that includethe macrocode so theycan be executed throughthe application software.The purpose of macrolanguages is to insert use-ful functions into docu-ments that are then ex-ecuted as the documentsare opened. This is whatmakes macro viruseseasy to write. One reason

they have become so prevalent is the success ofMicrosoft Office, which has 80 percent of the glo-bal market for integrated packages�a tempting tar-get for macro virus writers.

Memory-resident viruses. This characteristic isthe most common among viruses. When virusesload into memory via a host application, they remainin memory until the computer is turned off. Thisstage of existence allows easy replication into sub-sequently launched boot sectors or applications.

Nonmemory-resident viruses. These viruses caninfect a system only when the host application isrunning. Closing the host application also closesdown the virus. Therefore, opening applications af-ter closing a host application cannot infect the sys-tem with that specific virus.

Companion viruses. Understanding this charac-teristic requires understanding the sequential orderin which system files work. When launching an ex-ecutable file, users either manually issue commandsor have the interface execute them. Most applica-tions have a file-type (FT) extension of .EXE. Wheninvoking these commands, the user or the computerenters the name of the application without the ex-tension. The computer executes other system fileswith the same name before executing the .EXE ap-plications FT. A companion virus creates a namethat matches the .EXE file name but with a differ-ent extension such as .COM. The .EXE still ex-ecutes; however, the .COM (infected file) launchesfirst and infects the system. Most antiviral softwarepackages can identify this characteristic.

Bomb. This type of Trojan Horse releases a vi-rus, a worm or some other system attack. It is ei-ther an independent program or a piece of code thata system developer or programmer has planted. Abomb triggers some kind of unauthorized action

BURNING ZONE

As telecommuting andnetworking increase, so do

infections�in number, complex-ity and variety. In 1986 there

were just four known PC viruses.Today more than three viruses

are created daily for an averageof 110 new viruses in a

typical month.


when a particular date, time or condition occurs.There are two types of bombs: time and logic. Abomb that is set to go off on a particular date or af-ter some period of time has elapsed is a time bomb.Friday the 13th was a time bomb. A bomb set togo off when a particular event occurs is a logicbomb. Software developers have been known toexplode logic bombs at key moments�for ex-ample, if a customer fails to pay a bill or tries tomake an illegal copy.

Spoof programs trick the unsuspecting users intogiving away privileges. Often the spoof is perpe-trated by a Trojan Horse mechanism in which anauthorized user is tricked into inadvertently runningan unauthorized program. The program then takeson the privileges of the user and runs amok.

Bacteria programs do nothing but copy them-selves, but by doing so, they eventually use allsystem resources such as memory and disk space.

Rabbits are rapidly reproducing programs.Crabs attack the display of data on computer

terminal screens.Salami slices (rather than hacks) away tiny pieces

of data. For example, a salami alters one or twonumbers or a decimal point in a file or shaves apenny off a customer�s bank interest calculationsand deposits the penny in the intruder�s account.

Viruses affect computers and networks differ-ently. Viruses are intended to remain undetected andspread throughout the organization until they de-grade performance or destroy data. Most virusesgive no symptoms of their infections, thus drivingthe use of antivirus tools. Antivirus tools allow us-ers to identify these quiet killers. However, someviruses are flawed and provide some tip-offs ofinfection. Watch for these indications:l Changes in the length of programs.l Changes in the file date or time stamp.l Longer program load times.l Slower system operation.l Reduced memory or disk space.l Bad sectors on your floppy.l Unusual error messages.l Unusual screen activity.l Failed program execution.l Failed system bootups when booting or ac-

cidentally booting from the A: drive.l Unexpected writes to a drive.5

This list of virus variations and symptoms isnot all-inclusive.6 These are only the most com-mon variations of computer viruses and theirsymptoms. Computer viruses have cost compa-nies worldwide nearly $2 billion since 1990, withcosts accelerating by another $1.9 billion in 1994alone. This cost is directly related to virus cleanup,not profit loss, which is impossible to calculate.Organizations are combating the virus problem

with antivirus software. The software cost is ex-pected to grow from $700 million in 1997 to $2.6billion by 2001.7

What can organizations do to prevent computerviral infections, and what is the best response in


the event of an infection? Analysis of a real eventprovides the best answers. The US federal govern-ment, DOD and industry responded impressivelyto infection according to System AdministrationNetworking and Security.

Containing Contagion: A Case StudyThe mythical god of love, Cupid, shot a poison-

tipped arrow felt around the computer world. Hisaim was true, attacking millions of commercial,military, educational and home PCs with the I Love

BURNING ZONE


You virus. On 3 May 2000, the first �socially engi-neered� worm was released on the computer world.By 4 May 2000, more than 350,000 computers� fileswere infected in the United States, 30 percent ofBritain�s business e-mail systems were broughtdown, Sweden experienced an 80-percent businesse-mail systems effect, and there were reports from18 other countries.8

A worm �reproduces by copying itself from onecomputer to another, usually over a network. Likea virus, a worm compounds the damage it does byspreading rapidly from one site to another; however,instead of spreading fromfile to file like a virus,worms spread from com-puter to computer, infect-ing an entire system. Also,a worm does not destroydata like a virus; a wormtypically does its damageby harnessing resourcesin a network by tying upthese resources and even-tually shutting down thenetwork.�9 This was adenial-of-service attack.

More precisely I LoveYou was a visual basic script (VBS) worm withoverwriting VBS virus-like qualities that spreadthrough e-mail as a chain letter and attempted to usecompanion techniques by adding a secondary filenext to the existing file.10 I Love You was not a par-ticularly complicated or sophisticated worm, andthere were no original components in its code, butit combined several techniques, thus becoming ex-tremely destructive. The social engineering of the ILove You worm made it subtle and menacing. First,the worm disguised itself as a love letter, which re-cipients were pleased and usually eager to receive.The letter was probably from someone they knew,and they opened the e-mail attachment withoutthinking of a potential infection.

It also added an extra extension onto files, but thesecond extension was usually hidden in Windowsso it appeared to be a simple text file.11 When theattachment was executed, it first copied itself to theWindows system directory and to the Windows di-rectory. Then it added itself to the registry so itwould be executed when the system was restarted.Then the worm replaced the Internet Explorer homepage with a link that pointed to an executable pro-gram, �WIN-BUGSFIX.exe.� If the file was down-loaded, the worm added this to the registry as well,causing the program to be executed when the sys-tem was restarted.12

The worm then creates a Hyper Text MarkupLanguage (HTML) file, �LOVE-LETTER-FOR-

YOU.HTM,� in the Windows system directory.This file contained the worm, and it would be sentusing the Mardam-Bey�s Internet Relay Chat(mIRC) whenever the user joined an IRC channel.The worm then used Outlook to mass mail itself toeveryone in each address book, and after the mailhad been sent, it added a marker to the registry anddid not mass mail itself again. The virus thensearched for certain file types in all folders on alllocal and remote drives and overwrote them withits extension codes�vbs, vbe, js, jse, css, wsh, sctand hta. The worm then used companion techniques

by adding a secondaryfile next to an existingfile, tempting the user toclick on the wrong file.13

For example, a picturenamed dog.jpg causedthe computer to create anew file called dog.jpg.vbs alongside the actualfile. For computer usersand network managers,this was just the begin-ning of the I Love Younightmare. Within daysof the first attack, the

Symantec AntiVirus Research Center identified29 versions of the worm.

Imagine that you receive an e-mail titled LOVE-LETTER-FOR-YOU with an attachment. A smallsmile spreads across your face as you see it is froma friend (or not). Your default Windows system doesnot show the .vbs extension, which may have givenyou a subtle warning of the impending disaster. Youeagerly open the attachment. That is when the wormuses your Microsoft Outlook to send a message toeveryone in any address books you have, includingglobal address books that could potentially holdthousands of addresses. If connected to a network,you just became the Typhoid Mary of your organi-zation. When co-workers receive your e-mail andopen the attachment, they again send an e-mail toeveryone in the organization. The organization serv-ers soon become overloaded and are brought downwithin minutes.

The story does not end there. In early June, an-other VBS worm plagued computer networks.Symantec named it �VBS.Stages.A.� It was amass mailer that spread over e-mail in an attach-ment, always 39,939 bytes, in the form of aMicrosoft Scrap Object file (.SHS file). The SHSextension was not visible, even when Windows Ex-plorer properties were changed to show all exten-sions. The worm was a multiple-application Internetworm, designed to spread using one of four spread-ing mechanisms�Pirch, Outlook, mIRC and

I Love You was nota particularly complicated or

sophisticated worm, and therewere no original components in its

code, but it combined severaltechniques, thus becoming ex-

tremely destructive. . . . [causing]an estimated $2.6 billion

worth of damage.


available mapped drives.14 The worm sent an e-mail to all contacts in an MS Outlook addressbook with a LIFE_STAGES.TXT.SHS attachmentand a randomly generated 12-string subject. The at-tachment was titled �Life stages,� �Funny� or�Jokes.� Some began with �Fw:� or were followedby �text.� After it sent the e-mail, the worm imme-diately deleted copies of the e-mails to ensure norecord of its presence.15

Disinfecting computer networks of these wormswas a fairly simple process involving downloadingupdated definitions from Norton and McAfee andsome manual processes, but it was disruptive andtime-consuming. While fixes were being imple-mented, DOD agencies took steps to mitigate fur-ther infection. Several Army installations limited thesize of incoming/outgoing attachments and limiteddistribution lists to 10 or fewer addresses. Thesepositive controls, in addition to working with Nortonand McAfee, permitted DOD agencies to limit dam-age and stall the infection�s spread.

These worms and their variants were identifiedearly in May and June, and although quickly con-tained, were very destructive. I LoveYou may havesurpassed Melissa, a macro virus that infected about

70,000 e-mails on 26 March 2000, in both speed anddestructiveness. In the end, I Love You was a singleworm that infected millions of computers worldwideand caused an estimated $2.6 billion worth ofdamage.16

The lessons learned from these attacks are beinginstitutionalized. Major Army commands and DODagencies are establishing comprehensive standingoperating procedures to interface between planningand information management directorates, redefin-ing the process for disseminating urgent informa-tion assurance (IA) messages, organizing informa-tion operations (IO) cells, continuing to use IA toolsand conducting IA/IO training. DOD also is con-sidering a standardized status reporting system forArmy networks and information.17

In the private sector, companies are building orrevamping disaster recovery plans, ensuring proac-tive measures are taken to avoid or contain these vi-ruses. Automated and centralized approaches allowinformation technology departments to restore PCsto their previous configurations simultaneously with-out physically touching each station.18 With proac-tive plans, rapid response and improved technology,we can contain contagion in cyberspace.

Colonel John C. Deal, US Army, is commander, US Army Information Systems Engineering Com-mand, Fort Huachuca, Arizona. He received an M.S. from the Naval Postgraduate School, and hasearned two M.A. degrees from the Naval War College and Salve Regina University. He is a graduateof the US Naval Command and Staff College and the US Army War College Fellowship Program atthe University of Pittsburgh. He has served in various command and staff positions, including execu-tive officer, Office of the Director of Information Systems for Command, Control, Communications andComputers (ODISC

4), Alexandria, Virginia; staff member of the Secretary of Defense Strategic StudiesGroup, Washington, DC; and deputy director of Standards, Architecture Directorate, ODISC

4.

Major Gerrie A. Gage, US Army, is the operations officer, New Systems Training Office, Director-ate of Combat Development, 306th Military Intelligence Battalion, Fort Huachuca. She received a B.S.from Florida Southern College, an M.S. from Florida Institute of Technology, an M.S. from the Uni-versity of Missouri at Rolla and an M.A. from Webster University. She has served in various commandand staff positions, including concepts officer, Maneuver Support Battle Laboratory, Fort Leonard Wood,Missouri; and operations officer, Operational Test and Evaluation Command, Alexandria, Virginia.

Robin Schueneman is a Sytex support contractor to the Information Assurance Directorate,ODISC

4. She received a B.A. from the University of North Carolina at Chapel Hill. She has beenintegral in spreading hacker threat awareness by presenting a �live hack� to the Army�s seniorleadership. She is currently leads the ODISC

4 Information Assurance Vulnerability Alert Compli-ance Verification Team.

NOTES1. TruSecure Corporation, �2000 Computer Virus Prevalence Survey,� online

at <www.icsa.net/html/communities/index.shtml>.2. Ibid.3. Symantec Corporation, �Computer Viruses: Past, Present and Future,� Anti-

Virus Research Center, online at <www.symantec.com/avcenter/reference/corpst.htm.>

4. Ibid.5. Lowenthal, �Overview of Computer Viruses,� Information Paper, School of

Advanced International Studies - Institute for Advanced Study, March 1999.6. Ibid.; and additional information concerning virus variations and symptoms

is found at the following websites:<www.rootshell.com> exploits; <www.insecure.org/sploits.html> (exploits);<http://sourceofkaos.com/homes/madokan/virusindex.html> (virus in-

formation);<http://ciac.llnl.gov/ciac/CIACVirusDatabase.html> (virus information);<www.snafu.de/~madokan/mvic/viruscont.html> (virus creators);<www.symantec.com/avcenter/reference/corpst.html> (virus paper);<http://vil.mcafee.com/villib/alpha.asp> (virus information); and<www.virusbtn.com> (virus information).7. Jo Ann Davy, �Virus Protection,� Managing Office Technology (1998), online

at <http://proquest.umi.com.pqweb>.8. V-One, ��I Love You� Virus Demonstrates Businesses Vulnerability to Elec-

tronic Terrorism,� V-One News, online at <www.v-one.com/news/00-05-05.html>.9. Deborah Russell and G. T. Gangemi, �Viruses and Other Wildlife,� Com-

puter Security Basics (1992), 82.10. DOD Computer Emergency Response Team (DOD-CERT), �VBS/

LOVELETTER VBScript WORM,� online at <http://coeeng.ncr.disa.mil/diicoe_iava/2000-a-0002.htm>.

11. Kristen Philipkoski, �How the Slimy Worm Works,�2000 Wired Digital Inc.,online at <www.wirednews.com/news/technology/0,1282,36129,00.html>..

12. DOD-CERT.13. Ibid.14. F-Secure Corporation, �F-Secure Virus Information Pages,� online at

<www.f-secure.com/v-descs/stages.htm>.15. DOD-CERT, �Life Stages Worm,� online at <www.cert.mil/pub/bulletins/

dodcet2000/2000-t-0009.htm>.16. ON Technology, �ON Technology Delivers Rapid Disaster Recovery as Well

as Future Prevention for Love Bug and Other Viruses,� online at <www/on.com/presslib/pressre;/on051000,htm>.

17. Assured Information for America�s Power Projection Army, �I Love You,� Vi-rus Lessons Learned Report, US Army Forces Command, Fort McPherson, Geor-gia, online at <http://freddie.forscom.army.mil/jwsd/11_report.pdf</jwsd/11%20report.pdf>.

18. ON Technology.

BURNING ZONE

The Pathology of Computer Viruses

Documents

Transcript of The Pathology of Computer Viruses