Computer Viruses and Countermeasures

By

This article was published by ComputorEdge, issue #2201, 2004-01-02, as a feature article, in both their print edition (on pages 20 and 22) and their website.

Everyone is all too familiar with biological viruses, such as influenza, which spread from infected hosts to new victims. Computer viruses are similar, in that they are self-replicating pieces of computer code that spread easily, and usually alter the behavior of the host, causing problems ranging from mild annoyance to extensive damage. In addition, natural viruses are generally not considered living organisms, since they only reproduce parasitically. Likewise, computer viruses are not stand-alone executable programs, but depend upon such programs for their potency and reproduction.

That's where the similarities end, for biological viruses evolve naturally without any design, while computer viruses are intentionally designed and written by "humans". (To those victims whose computers and even businesses have been devastated by a virus, the status in the animal kingdom of virus authors is somewhere below that of the bubonic plague.) Biological viruses contain genetic code, most of which is common to all forms, while their virtual equivalents comprise computer logic, specifically targeted at particular programs. In sheer numbers, the human cold virus has less than 400 variants; but there are almost 60,000 computer viruses reported so far "in the wild". Historically, biological viruses are probably as old as life itself, while their cyber cousins have only plagued us for two decades. Finally, each computer virus exists for a purpose, whether it be notoriety for the programmer, underhanded marketing, identity theft, system cracking, retaliation by spammers against anti-spam websites, or just plain vandalism.

Viruses fall into several categories, defined largely by how they transmit themselves. The most common variety are file-infecting, in that they insert themselves into the machine code of the target program, typically changing the program's instructions to run the virus first (to replicate itself in new locations) and then perform the program's normal functionality. Years ago, boot-code viruses were common, especially with people sharing copies of DOS using bootable diskettes, many of which were infected. Such viruses spread easily, when the unsuspecting user started their computer and it booted off an infected diskette (intentionally or accidentally); the virus would then copy itself into the boot sector of the victim's primary hard drive. Fortunately, boot sector viruses are encountered less frequently now, as diskettes gradually approach extinction.

An increasingly common type of virus are macro viruses, which are written in the scripting languages of their host applications. For instance, Microsoft's Office products (such as Word and Outlook) can be tricked into running macro viruses written in the Visual Basic language. This allows virus writers to include malicious code in innocent-looking documents and e-mail attachments. Years ago, documents and e-mail consisted only of plain text, which alone could not do any damage to one's computer. But they are now increasingly "enhanced" with embedded code, which can be beneficial as well as dangerous. Also vulnerable are e-mail messages written in HTML, which are becoming more popular, partly because the HTML can spice up otherwise plain text messages. But that power comes at a price, in that the HTML file can also contain nasty JavaScript code.

Effective Countermeasures

The key to protecting your computer against infection from viruses, is understanding how they spread. As noted above, they are hidden in infected executable programs, macro-enabled documents and e-mail messages, and bootable diskettes. Your primary defense against viruses should be high-quality antivirus software. There are many competent products available, including commercial offerings such as Symantec's Norton Antivirus and Network Associates' McAfee VirusScan. Many users report excellent results using free products, such as H+BEDV's AntiVir.

The particular product selected is not nearly as important as how well it is used. A key aspect is how frequently the product's virus signature files are updated, in order to maximize the chances that it will detect the very latest viruses. In addition, all of these antivirus systems can scan files as they are downloaded, executable programs before they are run, and e-mail messages and their attachments before they are opened. Be sure to activate this capability when you install your chosen product, unless it significantly degrades your computer's performance. In that case, it is probably time for a new computer, or more system memory. If that's not an option, then at least manually scan downloaded files and non-shrink-wrap software prior to use.

Antivirus software vendors are always collecting, isolating, and analyzing previously unseen viruses — and then updating their products. In response to this, virus authors develop brand-new viruses and stronger variations of proven ones, as well as better cyber camouflage for their malicious code, to avoid detection. Antivirus companies then employee smarter scanning utilities, which detect viral activity, offer up decoy programs as bait to attract viruses, and then dissect the infected decoys to learn the latest virus signatures and techniques. The virus authors then create "polymorphic viruses", which ingeniously change themselves, and thus their signature, with every infection. In some cases, viruses even modify the victim's antivirus software so as not to be able to detect or eradicate the virus! This escalating arms race between the virus writers and virus fighters, is similar to the way biological viruses evolve to overcome the immune systems of their hosts, which in turn grow stronger — at least, for those hosts that survive!

With new viruses constantly being released, it is critical that users of antivirus software keep their virus signature files up-to-date, which most of the programs can do automatically by downloading updates from the vendors' websites. There are additional safe computing practices to follow: Never open e-mail attachments from unknown sources. Quarantine downloaded software, and do not run it for at least a few weeks, to give antivirus software time to catch up to new viruses. When you first acquire an antivirus product, preferably before any infection, immediately create a bootable diskette or CD for emergency recovery, per the vendor's instructions. For both physical and computer health, an ounce of prevention is definitely worth a pound of cure.

Enduring an Attack

If you follow these precautions, the odds of your computer being hit by a virus are practically nil. But if an earlier-working program misbehaves or crashes, immediately follow the antivirus software vendor's instructions for removing any virus that somehow evaded their screening process. This typically involves using a recovery diskette or CD, with the latest virus signature files from the vendor, to scan your system. After all viruses have been detected and removed, and all infected files have been repaired or deleted, be sure to scan or format any backup media that may have also been infected. Otherwise, using infected media in your computer could reintroduce the virus. In addition, if the virus appears to have infected your e-mail client program (such as Microsoft Outlook), there is a good chance that the virus mailed itself to some or all of the e-mail addresses it was able to find, including everyone in your address book. Warn all such recipients not to open any attachments from your e-mail account that may have been infected.

Above all, don't panic! For every computer virus, there is a cure. It's just a matter of taking the time and effort to follow smart precautions to keep your computer healthy… just like avoiding the flu bug.

Copyright © 2003 Michael J. Ross. All rights reserved.

Content topics: