Introduction to the antivirus protection - Computer viruses classification
Computer viruses, and malicious code in general, can be classified according to many different aspects and attributes. Classifying code by such attributes is not easy at all, and in practice one comes across code that combines the properties of several categories; in the real world, not everything is black or white.
Note that the field of computer viruses is developing very dynamically and that some of the following categories belong in a museum by now; nevertheless, we list them all for completeness.
According to the visible symptoms:
Viruses without symptoms
Most malicious code tries to show itself as little as possible, at least so that the attacked user does not notice it. The reason is simple: any evidence leads to discovery, the user starts to fight the malicious code, and a reasonably skilled user usually wins. This is why programmers try to restrict visible symptoms to the absolutely unavoidable minimum.
Viruses with a graphic exhibition
If the author of malicious code decides to include some display, it is usually a graphical one: a message on the screen (stop testing products on animals, stop felling forests, etc.) or a modified desktop. Programmers often use a graphic display to hide the presence of the virus in the computer. For example, when the malicious code is executed it shows a prepared picture that looks like an operating system alert: the user is told that a file has been corrupted, that some driver is missing, that the installed programs are not the current version, and so on. Meanwhile the dangerous program is being installed. The user concludes that some other software has caused a problem beyond their control and dismisses it.
Viruses with a special exhibition
Some malicious code displays itself in a special way that shows its author's sense of humour. For example, there are programs that force the system clock to run backwards. Funny? Not so much when you have to decide which data backup is the older one and which is the newer.
According to the way of spread:
We can say that these are computer viruses that use the services of a network (local or global) to spread. But it is not as simple as that. While a computer virus needs a host application to spread (with the exception of so-called companion viruses, which take the name of an exe file but use the com extension and rely on the operating system giving that extension precedence), a worm is generally malicious by itself.
According to exhibition time:
Viruses activated immediately
The days of rules like "do not start your computer on that particular day" are gone. Most contemporary malicious code is activated right after it enters the computer, because contemporary antivirus methods can react to a new virus within a few hours. Those few hours are the only time in which the code can do what it wants; after that, the antivirus protection begins to win.
Viruses activated on a certain date
"Attention, do not start your computer tomorrow! You risk losing all your data; a malicious virus is going to strike!" We met such prognoses quite regularly in the early nineties. Antivirus protection was still in its infancy (if it existed at all) and it took months to react to a new virus; on the other hand, before e-mail and the Internet it also took many months for a virus to spread around the world. A programmer who wanted a real global epidemic only had to set a suitable date: not too early, so that the virus had time to spread, and not too late, so that the antivirus companies could not eradicate it first.
Viruses activated on a certain act
A special kind of virus is activated by some interesting event, for example every eighth reboot or every press of a certain key (or key combination). Some macro viruses that added their own comments to politicians' names typed by the user were especially interesting...
According to the seriousness:
Most contemporary viruses belong to this category, for two main reasons. Firstly, classical computer viruses (those using a host file to spread) are almost extinct; present-day code creates its own files. Secondly, programmers do their best to hide their work, because not hiding it would mean a clean-up by the attacked user. Destroying the data on the whole computer means giving up the control that was seized.
This category should be split into two subcategories: purposely destructive and inadvertently destructive viruses. For purposely destructive viruses, destruction is the job specification: they delete files, damage data, etc. Inadvertently destructive viruses do harm as a side effect, due to an error in the program code or some other defect. From the user's point of view the result is the same in both cases: loss of data.
According to the infected region:
Boot sector viruses infect the executable code stored in certain parts of the system area of a disk: floppy disk boot sectors, the hard disk partition table or the hard disk boot sector.
A boot sector exists on every floppy disk formatted with MS-DOS, whether it is a system disk or a data disk. The boot sector contains a short program that DOS uses to start the system before passing control to other system programs or to the command interpreter.
The boot sector holds the very important instructions that load the operating system into main memory at every startup. It is therefore enough for the virus, or its activating mechanism (a jump to executable code), to be stored in this sector, and the virus is loaded into main memory with every boot.
These viruses usually overwrite the boot sector with their own code and save the original boot sector elsewhere on the disk. The infection then spreads through the boot sectors of floppy disks that come into contact with the infected system; the resident boot virus replicates into them immediately.
The DOS operating system was an optimal host for them because of the few possibilities to control it, above all the frequent use of the simplest operations such as reading from and writing to disk, copying floppy disks, searching directories, etc. Spreading boot sector viruses on 32-bit systems is much more difficult than on DOS, because a boot sector virus is detected right away at system boot.
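As an added example (not part of the original TrustPort text), the following Python script checks a FAT12 floppy boot sector the way an integrity-minded tool would: it validates the 0x55AA signature, resolves the entry jump at offset 0, sanity-checks a BPB field, compares the boot code area against a trusted hash, and searches a disk image for the original boot code that a boot virus typically parks in another sector. The sample sector, its boot code bytes and the disk image are all constructed inline.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BPB_END = 36            # the 25-byte BIOS Parameter Block ends here
BOOT_CODE_OFFSET = 62   # DOS boot code starts after the FAT12 extended BPB
SIGNATURE_OFFSET = 510  # the 0x55AA marker occupies the last two bytes


def build_sample_boot_sector(boot_code: bytes) -> bytes:
    """Constructed FAT12 floppy boot sector for the example (not a real disk image):
    3-byte jump, 8-byte OEM name, 25-byte BPB, 26-byte extended BPB, boot code,
    zero padding and the 0x55AA signature."""
    jump = b"\xeb\x3c\x90"  # JMP SHORT to offset 62, then NOP
    bpb = struct.pack("<HBHBHHBHHHII", 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    ebpb = b"\x00\x00\x29" + b"\x12\x34\x56\x78" + b"SAMPLEDISK " + b"FAT12   "
    body = (jump + b"MSDOS5.0" + bpb + ebpb + boot_code).ljust(SIGNATURE_OFFSET, b"\x00")
    return body[:SIGNATURE_OFFSET] + b"\x55\xaa"


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot code area only; BPB fields legitimately differ between disks."""
    return hashlib.sha256(sector[BOOT_CODE_OFFSET:SIGNATURE_OFFSET]).hexdigest()


def check_boot_sector(sector: bytes, trusted_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    findings = []
    if sector[SIGNATURE_OFFSET:] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    # Resolve the jump the BIOS executes first; a boot virus redirects it into its own code.
    if sector[0] == 0xEB:    # short jump, 8-bit signed displacement
        target = 2 + struct.unpack("<b", sector[1:2])[0]
    elif sector[0] == 0xE9:  # near jump, 16-bit signed displacement
        target = 3 + struct.unpack("<h", sector[1:3])[0]
    else:
        target = None
        findings.append("sector does not start with a jump instruction")
    if target is not None and not (BPB_END <= target < SIGNATURE_OFFSET):
        findings.append(f"jump target {target} lies outside the boot code area")
    bytes_per_sector = struct.unpack("<H", sector[11:13])[0]
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        findings.append(f"implausible bytes-per-sector value {bytes_per_sector}")
    if boot_code_hash(sector) != trusted_hash:
        findings.append("boot code differs from the trusted baseline")
    return findings


def find_relocated_boot_code(image: bytes, trusted_hash: str) -> list:
    """Sector indices whose boot code area hashes to the trusted value. A boot virus
    that overwrote sector 0 usually parks the original sector elsewhere on the disk,
    so the baseline hash may turn up at another index."""
    hits = []
    for index in range(len(image) // SECTOR_SIZE):
        sector = image[index * SECTOR_SIZE:(index + 1) * SECTOR_SIZE]
        if boot_code_hash(sector) == trusted_hash:
            hits.append(index)
    return hits
```

The baseline hash has to come from a known-clean copy of the sector (for example one read while booted from a write-protected system disk), otherwise an already replaced sector would simply be baselined.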
File viruses should be subdivided according to the target of infection. The targets are typically executable files, because the virus's aim is to be activated by the execution of host code, which gives it the possibility to spread. The most frequent file extensions are com, exe, ovl, bin, sys, bat, obj, prg, mnu, etc.
In all cases, file viruses act in a similar way. Most often they rewrite the beginning of the file, where they either write a jump instruction pointing to themselves (to the so-called virus body) or store themselves in that place. The second case concerns the so-called overwriting or destructive viruses. One of their drawbacks is that they destroy or damage the host program: when you try to execute it, the virus is activated, but the program itself cannot run. This is a disadvantage not only for the user but also for the virus itself, because the user is warned of its existence. Hence overwriting viruses are less common than non-overwriting ones.
Some file viruses are sometimes impossible to detect, and almost never to cure, without monitoring writes to disk. These viruses are very simple and direct in their actions: they overwrite the host program with their own code, which makes it worthless. That is why they are called overwriting viruses.
When the host program is called, these viruses need not install themselves in memory at all (although in some cases they do); they simply overwrite some program on the disk with themselves. The program is chosen by a key specific to each virus. The program itself becomes worthless, and calling it only activates the malefactor, after which an error occurs.
If a file virus has already got into the system and has not been detected preventively, it can become parasitic. Viruses know several ways of replicating; one of them is adding the virus body to the end (or the beginning) of an executable file (most frequently a com or exe file). This extends the length of the infected file. If the virus is resident and capable of so-called stealth techniques, this length extension is invisible to the user while the virus controls the system, because the virus hides all changes.
Infection means overwriting the first bytes of the infected file so that control passes immediately to the virus; in an exe file, the header bytes that refer to the start of the program are overwritten. "Cleverer" viruses contain a self-identification mechanism to avoid multiple infection. There are exceptions, however; for example, twentyfold infection by the 'Jerusalem' virus is nothing unusual. Self-identification becomes a problem for polymorphic viruses, because all the decoding is slow, which decreases the detection rate.
These viruses are easy to remove: repair the beginning of the program and remove the virus from its beginning or end, according to where the virus body is actually located.
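The appended-body infection and the repair described above, as an added Python example that is not part of the original text: a baseline record of a known-clean MZ executable (length, hash and header), a check for the pattern "the file grew and the header's entry point now lands past the original end", and a repair that restores the recorded header and cuts off the tail, accepting the result only if it hashes back to the baseline. The executables are constructed inline and contain no real code.

```python
import hashlib
import struct

MZ_HEADER_FMT = "<2sHHHHHHHHHHHHH"  # e_magic .. e_ovno, the 28-byte DOS MZ header
HEADER_LEN = struct.calcsize(MZ_HEADER_FMT)


def build_mz(code: bytes, ip: int) -> bytes:
    """Constructed minimal MZ executable: a 32-byte (2-paragraph) header plus `code`,
    with CS:IP = 0000:ip, so execution starts `ip` bytes into the code."""
    total = 32 + len(code)
    e_cp, e_cblp = (total + 511) // 512, total % 512   # 512-byte pages, bytes in last page
    header = struct.pack(MZ_HEADER_FMT, b"MZ", e_cblp, e_cp, 0, 2, 0, 0xFFFF,
                         0, 0x100, 0, ip, 0, 0x1C, 0)
    return header.ljust(32, b"\x00") + code


def entry_offset(data: bytes) -> int:
    """File offset at which DOS starts executing: header size plus CS*16 + IP."""
    fields = struct.unpack(MZ_HEADER_FMT, data[:HEADER_LEN])
    e_cparhdr, e_ip, e_cs = fields[4], fields[10], fields[11]
    return e_cparhdr * 16 + e_cs * 16 + e_ip


def make_baseline(data: bytes) -> dict:
    """What an integrity record keeps for a known-clean executable."""
    return {"length": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "header": data[:HEADER_LEN]}


def looks_appended(data: bytes, base: dict) -> bool:
    """True when the file grew and its entry point was redirected past the original end:
    the pattern of a virus that appends its body and rewrites the header's CS:IP."""
    if data[:2] != b"MZ" or len(data) <= base["length"]:
        return False
    return entry_offset(data) >= base["length"]


def restore(data: bytes, base: dict):
    """Repair: put the recorded header back and cut the file to its original length.
    Returns the repaired image, or None when it does not hash to the baseline,
    meaning more than the header and the tail were changed."""
    repaired = base["header"] + data[HEADER_LEN:base["length"]]
    if hashlib.sha256(repaired).hexdigest() != base["sha256"]:
        return None
    return repaired
```

The hash comparison is what keeps the repair honest: a file that a cavity or overwriting virus changed in the middle is reported as unrepairable instead of being handed back as "clean".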
Companion viruses create a new file with a different extension, composed of the original file and the appended virus. The name comes from the fact that the virus accompanies the infected file with a companion file. The virus file may be named, for example, file.com. Every time the user executes file.exe, the operating system loads file.com first and so infects the system. A companion virus is often generated by a "phage".
Phages modify other programs or databases in an unauthorized way. Specialists named them after real phages, which are especially destructive because they replace the infected cell's genetic code with their own.
A computer phage really replaces the executable file with its own code instead of appending to it. It often generates a companion file too. Phages are extremely destructive because they annihilate every infected file.
A virus does not always have to write its body to the beginning or end of an exe or com file. There are exceptions, fortunately few, that insert their body into cavities in the host file (usually command.com). By our definition they are not link viruses, because the infection does not lengthen the file.
Cluster viruses form a rather interesting group. Instead of writing directly into the data region, they modify only the directory references so that they point to a single copy of the virus, located for example at the end of the disk.
The most dangerous aspect of macro viruses is that, unlike file or boot sector viruses, they are platform independent, like the Internet. Moreover, macro viruses are not confined to executable or object files; they primarily target data files.
According to the memory location:
A resident virus, as its name suggests, is a virus that stays illegally in memory. It usually becomes memory resident at the first execution of the infected file (a file virus) or at the first load into main memory from the infected boot sector (a boot sector virus) and does its harm from there. The virus stays in memory until the system is shut down. These viruses got into trouble on 32-bit systems, where their activity and survival depend on their code: generally, the more sophisticated the virus and the more unusual the instructions it uses, the smaller its chance of staying active and unnoticed after a 32-bit system starts.
Resident TSR viruses
Some file viruses can install themselves in memory as resident TSR programs using DOS services and then secretly do harm and replicate. They are a subgroup of the resident viruses mentioned above.
The difference between the two groups is that TSR viruses are installed "legally" and can be identified by checking the interrupt vectors or by searching memory with standard programs. Although it is not easy to find and localize them, it is possible in principle. It is necessary to watch for changes in the interrupt vectors when resident programs are installed and to alert immediately on any program attempting to install itself in memory. The installation can then be enabled or disabled in software, and the program can be annihilated by a computer reset. Watching for viruses trying to install themselves as TSRs can be successful. The weak point of this method is that it is difficult to distinguish between illegal and legal programs.
Viruses do not need to be permanently loaded in memory for their malign activity. It is enough if they are activated together with the host program: they take control first, do their work (most often replicate), and then pass control back to the host program. This is the case of non-resident or direct-action viruses.
Non-resident viruses are mostly file viruses, and they form quite an extensive group. They are not very widespread because, not being in memory, they cannot apply advanced techniques such as stealth (see below) and therefore cannot hide. If they are not loaded in memory, they cannot monitor and analyze the functions that would lead to their discovery.
According to the activity:
Stealth and substealth
Invisible (stealth) viruses hide their modifications of files or boot sectors. They monitor the system functions that the operating system uses to read files or sectors from a storage medium and fake the results of calls to these functions. This means that a program trying to read an infected file or sector reads the original, unchanged one, so an antivirus program would not necessarily reveal the modification. To avoid detection, such a virus has to be loaded in main memory while the antivirus software runs. A good antivirus program should be able to recognize the infection the instant the virus code is loaded into memory.
Invisible viruses are usually able to mask the file size or its contents when it is read. Size-masking viruses belong to the group that attacks files: the virus appends itself to the target program and replicates, which increases the file size, but the virus masks the size, so the user normally does not notice its activity.
It is quite easy to reveal an invisible virus. Most standard antivirus programs detect invisible viruses provided the antivirus is run on a "healthy" system (one without an active virus). If you boot from a clean, write-protected system disk before scanning, invisible viruses should be detected. As mentioned above, invisible viruses can hide only while they are resident and active in memory.
A polymorphic virus encodes its body in order to hide its signature from antivirus programs. Polymorphic and other encoded viruses spread by decoding the encoded part with a special decoding routine (which converts the encoded code back into the original). The decoding routine takes control of the computer for a while to decode the virus body, then passes control to the decoded virus, which can start its activity.
The first encoded viruses were not polymorphic: their decoding routines did not vary from one infection to the next. Although the virus body was encoded and hidden, the antivirus program still had a chance to identify and clean it thanks to the constant signature of the decoding routine.
Recognizing a polymorphic virus is much more complicated, because it generates a brand new decoding routine at every infection, so its signature changes with every installation. A polymorphic virus generally changes its signature using a simple machine code generator, a so-called mutator (mutation engine). The mutator changes the signature with the help of a random number generator and a simple mathematical algorithm. With a mutator, any virus can be turned into a polymorphic one; a simple modification of the assembler source is enough to make the virus call the mutator before copying itself.
Even though basic scanning methods (for example comparing code strings) cannot reveal polymorphic viruses, specially constructed scanning engines designed to identify encoding schemes are able to find them. Polymorphic viruses are not undefeatable, but they have made writing scanners a hard and expensive task. The majority of antivirus programs include a search for encoding mechanisms as protection against polymorphic viruses.
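The decode-then-scan idea above, as an added Python example that is not from the original text: the decoding routine is modelled as a short list of byte operations rather than machine code, two constructed samples carry the same body behind different stubs and keys, and the scanner emulates each stub over the encoded bytes before looking for the signature, which a plain string comparison on the raw bytes cannot find. The signature, the body and the samples are constructed placeholders; the example models the scanner side only and does not generate stubs.

```python
# A decoder stub is a list of (op, operand) steps applied to every byte in order;
# it stands in for the machine code of a real decoding routine.
OPS = {
    "xor": lambda b, k: b ^ k,
    "add": lambda b, k: (b + k) & 0xFF,
    "rol": lambda b, k: ((b << k) | (b >> (8 - k))) & 0xFF,
}
OPCODES = {"xor": 0x01, "add": 0x02, "rol": 0x03}   # 0x00 terminates the stub
SIGNATURE = b"CONSTRUCTED-VIRUS-BODY"                # what the scanner looks for once decoded


def run_stub(stub, data: bytes) -> bytes:
    """Emulate the decoder: apply each step of the stub to every byte of `data`."""
    out = bytes(data)
    for op, k in stub:
        out = bytes(OPS[op](b, k) for b in out)
    return out


def inverse_stub(stub):
    """Steps that undo `stub`; used only to construct sample files for the example."""
    undo = {"xor": lambda k: ("xor", k),
            "add": lambda k: ("add", (-k) & 0xFF),
            "rol": lambda k: ("rol", (8 - k) % 8)}
    return [undo[op](k) for op, k in reversed(stub)]


def serialize(stub, encoded_body: bytes) -> bytes:
    """Flatten a sample to raw bytes: opcode/operand pairs, a 0x00 terminator, the body."""
    return b"".join(bytes([OPCODES[op], k]) for op, k in stub) + b"\x00" + encoded_body


def parse(raw: bytes):
    """Split raw sample bytes back into (stub, encoded_body)."""
    names = {code: name for name, code in OPCODES.items()}
    stub, i = [], 0
    while raw[i] != 0:
        stub.append((names[raw[i]], raw[i + 1]))
        i += 2
    return stub, raw[i + 1:]


def make_sample(stub, body: bytes) -> bytes:
    """Constructed sample whose body only becomes readable after running `stub`."""
    return serialize(stub, run_stub(inverse_stub(stub), body))


def string_scan(raw: bytes) -> bool:
    """Classic scanner: finds the signature only if it appears in the raw bytes."""
    return SIGNATURE in raw


def emulating_scan(raw: bytes) -> bool:
    """Decode-aware scanner: emulate the stub over the body, then look for the signature."""
    stub, body = parse(raw)
    return SIGNATURE in run_stub(stub, body)
```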
A retrovirus is a computer virus that tries to evade capture or protect itself from antivirus operations by attacking the antivirus software. Experts sometimes call retroviruses "anti-antiviruses" (not to be confused with antivirus viruses, which are meant to paralyze other viruses!).
Creating a retrovirus is not difficult. Virus authors can, of course, obtain any antivirus on the market. All they have to do is study the software they want to defeat, find a weak point in it and think of how to abuse it. For example, a retrovirus finds the data file in which an antivirus program stores its virus signatures and deletes it, decreasing the antivirus software's ability to detect viruses. More sophisticated retroviruses find and delete the integrity information database; removing that database has the same consequences for the integrity checker as removing the data files has for the antivirus software.
Other retroviruses detect the activation of an antivirus program and then hide from it or stop it, or even start a destructive routine before being discovered. Some retroviruses change the computing environment so that the antivirus program's operations are affected. Others use specific weak points and loopholes in individual antivirus programs to weaken or break their activity.
A tunneling virus searches for the original DOS and BIOS interrupt vectors and calls them directly, thereby avoiding any monitoring program in the system that could detect attempts to call these interrupts.
Such tunneling methods are sometimes used by the enemies of viruses too: some antivirus programs use them to bypass any unknown or undetected virus that might be active at the time they run.
Armored viruses protect themselves with special program code that makes tracing, decompiling and understanding the virus code difficult for antivirus software. An armored virus can be shielded, for example, by "envelope code" that distracts the observer. Another possibility is to hide with the help of loader code that pretends to be at a different location.
Multipartite viruses affect executable files, disk boot sectors and sometimes also floppy disk sectors. Their name comes from the fact that they do not restrict themselves to any specific disk region or file type but infect computers in several ways. If you execute an application affected by a multipartite virus, the virus infects the boot sector of your machine; on the next system load the virus is activated and infects any suitable program you execute.
According to the spread rate:
By fast infectors we mean file viruses that infect not only executed files but also files that are merely opened (when copying, moving, etc.).
Slow viruses are hard to reveal, as they infect files that are being modified or copied by the operating system. In other words, a "slow" virus affects only the file the user is working with. For instance, it affects a floppy disk boot sector when the boot sector is written by the FORMAT or SYS command. A slow virus can infect only the copy of a file, not the original.
Fighting slow viruses is a difficult task. An integrity checker should detect a new file and alert the user to it, because there is no checksum available for it. The integrity checker is an antivirus application that monitors the contents of disk devices, the sizes of all files and their checksums, and alerts the user to any inconsistency. However, the user probably finds nothing suspicious in the checksum error, because the user ordered the creation of the new file; most often, quite logically, the user orders a new checksum to be computed for the new (infected) file.
This term is used for viruses that infect their victims only occasionally or when some unlikely condition is met. They thus infect only sparsely, which gives them their name. This behavior minimizes the risk of being caught by the user.
This term denotes viruses that do not spread in the real world at all. They exist, and antivirus programs are able to detect them, but there is no chance of meeting them. They were created for study purposes, or their errors make them non-viable. Some were written by programmers who did not intend them to spread, or by programmers who wanted to be first in some field (the first virus for Windows 2000, and so on) at any price, including malfunction. The term is sometimes contrasted with so-called in-the-wild viruses: malicious code that can be met with some (bad) luck.
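An added Python sketch (not part of the original text) of the integrity-checker logic described above, including the slow-virus blind spot: files are a constructed in-memory path-to-content map, the baseline stores size and SHA-256, and a new file whose name matches a baselined file but whose content does not is reported separately as a suspect copy rather than being silently accepted and checksummed as new. The paths and contents are constructed sample data.

```python
import hashlib
import posixpath


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def make_baseline(files: dict) -> dict:
    """Record (size, sha256) for every file; `files` maps path -> content."""
    return {path: (len(content), digest(content)) for path, content in files.items()}


def verify(files: dict, base: dict) -> dict:
    """Compare the current file set with the baseline.

    "modified": baselined files whose size or hash changed in place.
    "missing":  baselined files that are gone.
    "new":      files with no checksum yet; they need review, not a rubber stamp.
    "suspect_copies": new files that share a basename with a baselined file but not
    its hash. A clean copy is byte-identical to its source, so a differing copy is
    exactly what a slow infector that touches only the copy leaves behind."""
    report = {"modified": [], "missing": [], "new": [], "suspect_copies": []}
    hashes_by_name = {}
    for path, (_size, known) in base.items():
        hashes_by_name.setdefault(posixpath.basename(path).lower(), set()).add(known)
    for path, content in files.items():
        current = (len(content), digest(content))
        if path in base:
            if base[path] != current:
                report["modified"].append(path)
            continue
        report["new"].append(path)
        sources = hashes_by_name.get(posixpath.basename(path).lower())
        if sources and current[1] not in sources:
            report["suspect_copies"].append(path)
    report["missing"] = [path for path in base if path not in files]
    return report


def accept_new(base: dict, files: dict, report: dict) -> dict:
    """Add reviewed new files to the baseline, refusing suspect copies: computing a
    fresh checksum for a changed copy would only certify the infection."""
    updated = dict(base)
    for path in report["new"]:
        if path not in report["suspect_copies"]:
            updated[path] = (len(files[path]), digest(files[path]))
    return updated
```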
Copyright © 2010, TrustPort, a.s., All Rights Reserved.