Internet Security Professional Reference: Viruses


Macro Viruses on Peer-to-Peer Networks

A peer-to-peer network does not differ significantly from the file-server case described above. The only difference is that the data files are stored on the local hard drives of the machines that make up the peer-to-peer network rather than on a file server.

Macro Viruses on the Internet

Infected documents can easily be sent over the Internet in many different ways, such as by e-mail, FTP, or a web browser. As with file viruses, a macro virus cannot infect files at a remote location directly through the Internet; the Internet acts only as a carrier for infected data files, which do their damage once they are opened on the receiving machine.

Virus Classes

Over the years, virus authors have created many different types of viruses, each of which uses different techniques to propagate and to thwart antivirus products. This section describes several of the more interesting types.

Polymorphic Viruses

Most simple computer viruses work by copying exact duplicates of themselves to each file they infect. When an infected program executes, the virus gains control of the machine and attempts to infect other programs. If it locates a target executable file for infection, it copies itself byte-for-byte from the infected host to the target executable. This type of virus can be easily detected by searching in files for a specific string of bytes (or signature) extracted from the virus body, because the virus replicates identical copies of itself each time it infects a new file.

Like the early viruses, the polymorphic virus consists of an unchanging viral program that is copied from file to file as the virus propagates. Unlike them, however, it stores the body of the virus in encrypted form, so that no fixed byte string from the body appears in the infected file for an antivirus program to find.

For an encrypted virus to properly execute, it must decrypt the encrypted portion of itself. This decryption is accomplished by what is known as the virus decryption routine. When an infected program launches, the virus decryption routine gains control of the computer and decrypts the rest of the virus body so that it can execute normally. The decryption routine then transfers control to the decrypted viral body so that the virus can spread.

The first nonpolymorphic encrypting viruses employed a decryption routine that was identical from one infection to another. Even though the bulk of the virus was encrypted and hidden from view, antivirus programs could detect these viruses by searching for their unchanging virus decryption routine. The basic idea here is that even though the bulk of the iceberg remains unseen, its tip is discernible.

The polymorphic virus addresses the inability of the simple encrypting virus to conceal itself. When the polymorphic virus infects a new executable file, it generates a new decryption routine that differs from those found in other infected files. The virus contains a simple machine-code generator, often referred to as a mutation engine, that can build random machine language decryption routines on the fly. In many polymorphic viruses, the mutation engine generates decryption routines that are functionally the same for all infected files; however, each routine uses a different sequence of instructions to accomplish its goal.

During the infection process, a complementary encryption routine encrypts a copy of the virus before the virus attaches this copy to a new target file. After the virus body is encrypted, the virus appends the newly generated decryption routine along with the encrypted virus body (which carries the mutation engine itself) onto the target executable. So not only is the virus body encrypted, but the virus decryption routine uses a different sequence of machine language instructions in each infected program. The polymorphic decryption routine often takes so many different forms that identifying the infection from the routine's appearance can prove difficult. Files infected with the newer polymorphic viruses display few similarities from one infection to another, making detection by signature alone a formidable task.
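The three stages just described (byte-for-byte copying, a fixed decryptor over an encrypted body, and a mutation engine that rebuilds the decryptor for every infection) can be modelled in a few dozen lines. The Python below is an added example and is not code from the original chapter: the five opcodes are an invented instruction set, the inert `BODY` string, the two signatures and every function name are constructed for the demonstration, and nothing in it is a real virus. It goes one step past the text by also showing the answer scanners gave to polymorphism, which is to emulate the decryptor in a sandbox and apply the body signature to whatever it decrypts.

```python
"""Toy model of plain, fixed-decryptor and polymorphic infection, and of the
detection each one defeats. Constructed example: the opcodes are a made-up
instruction set (not any real CPU) and the "virus body" is an inert string."""
import random

# Made-up opcodes for the decryptor stub (assumption: not a real ISA).
OP_NOP, OP_LOADKEY, OP_XORKEY, OP_ADDKEY, OP_RUN = range(5)

# Constructed body and the signature a scanner would extract from it.
BODY = b"VIRUS: find next host; append self; return"
BODY_SIG = list(b"append self")
# Signature for the unchanging decryptor: LOADKEY <any key> RUN.
# None is a wildcard byte, as real signature formats allow.
FIXED_STUB_SIG = [OP_LOADKEY, None, OP_RUN]

def xor_bytes(data, key):
    return bytes(b ^ key for b in data)

def fixed_decryptor(key, rng=None):
    """Nonpolymorphic encrypting virus: identical stub on every infection."""
    return bytes([OP_LOADKEY, key, OP_RUN])

def mutated_decryptor(key, rng):
    """Mutation engine: pick one of several instruction sequences that all
    leave `key` in the key register, padded with a random number of NOPs.
    Every result is functionally identical; the bytes differ."""
    code = []

    def junk():
        code.extend([OP_NOP] * rng.randint(0, 3))

    form, m = rng.randrange(3), rng.randrange(256)
    junk()
    if form == 0:                                   # LOADKEY key
        code += [OP_LOADKEY, key]
    elif form == 1:                                 # LOADKEY key^m ; XORKEY m
        code += [OP_LOADKEY, key ^ m]
        junk()
        code += [OP_XORKEY, m]
    else:                                           # LOADKEY key-m ; ADDKEY m
        code += [OP_LOADKEY, (key - m) & 0xFF]
        junk()
        code += [OP_ADDKEY, m]
    junk()
    code.append(OP_RUN)
    return bytes(code)

def infect(body, make_decryptor, rng):
    """Encrypt a copy of the body under a fresh key and prepend a decryptor,
    as the virus does when it attaches itself to a new host."""
    key = rng.randrange(1, 256)
    return make_decryptor(key, rng) + xor_bytes(body, key)

def emulate(sample, max_steps=64):
    """Sandbox the decryptor stub and return the plaintext it would hand
    control to, or None if no OP_RUN is reached (what an emulating scanner
    does to see past a polymorphic decryptor)."""
    key, pc = 0, 0
    try:
        for _ in range(max_steps):
            op = sample[pc]
            if op == OP_NOP:
                pc += 1
            elif op == OP_LOADKEY:
                key, pc = sample[pc + 1], pc + 2
            elif op == OP_XORKEY:
                key, pc = key ^ sample[pc + 1], pc + 2
            elif op == OP_ADDKEY:
                key, pc = (key + sample[pc + 1]) & 0xFF, pc + 2
            elif op == OP_RUN:
                return xor_bytes(sample[pc + 1:], key)
            else:
                return None                         # not decryptor code
    except IndexError:
        return None
    return None

def static_scan(sample, sig):
    """Classic byte-string scan; None in the signature matches any byte."""
    n = len(sig)
    return any(all(s is None or s == sample[i + j] for j, s in enumerate(sig))
               for i in range(len(sample) - n + 1))

def emulating_scan(sample, sig):
    """Run the stub first, then apply the body signature to what it decrypts."""
    body = emulate(sample)
    return body is not None and static_scan(body, sig)

def demo(n=50, seed=1):
    """Infect n hosts each way and count how many each scanner catches."""
    rng = random.Random(seed)
    plain = [BODY] * n                              # copied byte-for-byte
    fixed = [infect(BODY, fixed_decryptor, rng) for _ in range(n)]
    poly = [infect(BODY, mutated_decryptor, rng) for _ in range(n)]
    same_key_stubs = {mutated_decryptor(7, rng) for _ in range(n)}
    return {
        "plain_body_sig": sum(static_scan(s, BODY_SIG) for s in plain),
        "fixed_body_sig": sum(static_scan(s, BODY_SIG) for s in fixed),
        "fixed_stub_sig": sum(static_scan(s, FIXED_STUB_SIG) for s in fixed),
        "poly_stub_sig": sum(static_scan(s, FIXED_STUB_SIG) for s in poly),
        "poly_emulated": sum(emulating_scan(s, BODY_SIG) for s in poly),
        "distinct_stubs_same_key": len(same_key_stubs),
        "all_stubs_decrypt": all(emulate(stub + xor_bytes(BODY, 7)) == BODY
                                 for stub in same_key_stubs),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` reproduces the argument of the section: the body signature catches every plain copy and none of the encrypted ones; the wildcarded stub signature catches every fixed-decryptor infection; against the mutated stubs it catches only the occasional sample whose engine happened to emit the short form; and the emulating scan catches all of them, because every stub, however it is spelled, leaves the same key in place. The `same_key_stubs` set shows the "functionally the same, different instructions" property directly: one key, many byte sequences, all decrypting correctly.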

