
4.2 COMPUTER VIRUS


It's March 14, 11:55 PM. A group of business partners are putting the finishing touches on an important report. After celebrating the completion of their efforts they identify a previously unnoticed typo. At 12:05 AM they turn the computer back on only to be greeted with a message saying “Beware the Ides of March”. The hard drive spins furiously and the report is deleted by a computer virus.

Computer viruses are just one example of what is commonly referred to as malicious code or malicious programs. Malicious programs are created to perform a series of harmful actions on a computer system. Examples of such actions include file deletion, file corruption, data theft, and the less harmful but equally annoying practical joke. These programs often remain dormant and hidden until an activation event occurs. Examples of activation events are program execution, specific access dates such as March 15, system reboot, and file access. When the predetermined activation event occurs, the malicious program begins its task. In the example above, this task was the deletion of all files in the computer system.

To better understand what a virus can do, it is helpful to understand how a virus performs its task. Fig. 4-1 contains a flow chart describing the basic actions of a virus. Each action identified in the figure is numerically labeled for explanatory purposes only. The order in which these actions are performed is indicated both pictorially, in Fig. 4-1, and in the discussion which follows. While the order of these actions may vary with each virus, the general process remains unchanged: perform an undesirable task and infect other programs and operating systems.

For this discussion two terms are defined: virus activation and virus execution. Virus activation will refer to the initiation of the virus. Virus execution, however, will refer to the initiation of the portion of the virus that performs the possibly harmful activity, that is, the code not directly concerned with infecting a system. Thus, virus execution must be preceded by activation, but activation may not necessarily lead to execution.

Once an infected program is executed or an infected operating system performs a task, the virus is activated. The virus will first determine whether it should be executed. In the event that it should not be executed, it will attempt to locate and identify other susceptible programs, disks, or systems. Any such item will then be infected. After determining that all susceptible items carry a copy of the virus, the virus will stop and allow normal operations to proceed. If the virus meets all of its internal conditions to execute, it will do so. Upon completion of execution, the virus may either reset its conditions or remove itself. The virus will complete and allow normal computation to continue. While this process may seem time consuming and obvious to the user, it is not. Computers operate so quickly nowadays that this process may go easily unnoticed, and often does.

Fig. 4-1  A flow chart describing the basic actions of a virus

KEYWORDS

typo: a typographical error (informal; 非正式的打印错)

malicious code (恶意代码)

malicious program (恶意程序)

activation event (激活事件)

system reboot (系统重新引导)

NOTES

1. reboot (重新引导): to restart a computer by reloading the operating system.

2. computer virus (计算机病毒): an infectious program that inserts copies of itself into computer files, thereby infecting them. When an infected file is loaded into memory, these copies begin to execute and infect other files in turn, and the cycle continues. Viruses are usually destructive, for example damaging a computer's hard disk or occupying memory space used by other programs. The damage may be intentional or unintentional.

EXERCISES

1. Multiple choices.

(1) Computer viruses are ____.

A. useful programs        B. malicious code

C. malicious programs     D. harmful programs

(2) A virus program consists of ____.

A. two parts              B. three parts

C. four parts             D. five parts

(3) The harmful actions performed by viruses include ____.

A. data theft             B. practical joke

C. file corruption        D. file deletion

(4) The virus execution is ____.

A. the virus activation

B. the code not directly concerned with infecting a system

C. the initiation of the portion of the virus

D. the code directly concerned with infecting a system

(5) The virus is activated when ____.

A. an infected program is executed

B. a computer is accessing a mailbox through the Internet

C. a computer is in shutdown status

D. an infected operating system performs a task

(6) Objects that are susceptible to viruses are ____.

A. CPU                    B. disks

C. systems                D. programs

(7) A virus program often remains ____.

A. dormant                B. open

C. hidden                 D. awaked

(8) If a virus does not begin its activity, it ____.

A. stops its activity

B. performs its activity

C. updates its execution condition

D. finds programs to infect after updating its execution condition

2. True/False

(1) Viruses can cause programs to crash or an entire hard disk to be deleted.

(2) Someone died as the result of a computer virus.

(3) Before performing any action, you had better check all files and programs with virus-checking software.

(4) An infected computer may lose its data.

(5) In reality, viruses and their destructive capabilities have been grossly exaggerated by people.

READING MATERIALS

Autoimmune Computer Systems

For half a century, developers have protected their systems by coding rules that identify and block specific events. Edit rules look for corrupted data, firewalls enforce hard-coded permissions, virus definitions guard against known infections, and intrusion-detection systems look for activities deemed in advance to be suspicious by systems administrators.

But that approach will increasingly be supplemented by one in which systems become their own security experts, adapting to threats as they unfold and staying one step ahead of the action. A number of research projects are headed in that direction.

At the University of New Mexico, computer science professor Stephanie Forrest is developing intrusion-detection methods that mimic biological immune systems. Our bodies can detect and defend themselves against foreign invaders such as bacteria and parasites, even if the invaders haven't been seen before. Forrest's prototypes do the same thing.

Her host-based intrusion-detection system builds a model of what is normal by looking at short sequences of system calls made to the operating system kernel over time. The system learns to spot deviations from the norm, such as those that might be caused by a Trojan horse program or a buffer-overflow attack. When suspicious behavior is spotted, the system can take evasive action or issue alerts.

The central challenge with computer security is determining the difference between normal activity and potentially harmful activity. The common solution is to identify the threat and protect against it, but in many ways, this is the same as constantly fighting the last war, and it can be quite inefficient in environments that are rapidly changing.

In another project Forrest and her students are developing intrusion-detection systems even more directly modeled on how the immune system works. The body continuously produces immune cells with random variations. As the cells mature, the ones that match the body's own proteins are eliminated, leaving only those that represent deviations as guides to what the body should protect against. Likewise, Forrest's software randomly generates “detectors”, throws away those that match normal behavior and retains those that represent abnormal behavior.

Each machine in the network generates its own detectors based on that machine's unique behavior and experiences, and the detectors work with no central coordination or control. In fact, just how the detectors work isn't precisely known, Forrest says.

Indeed, these experimental approaches don't work perfectly, Forrest acknowledges, but she points out that no security measure, including encryption or authentication, works perfectly either. She says the most secure systems will employ multiple layers of protection, just as the human body does. The advantage of this type of system is that it is largely self-maintaining and doesn't require continual updating by experts.
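The two mechanisms described above, a profile of short system-call sequences and negative selection of random detectors, can be shown in a small program. This is an added illustration, not code from Forrest's project; the call names, traces and window length are constructed for the example.

```python
import random

N = 3  # window length; Forrest's experiments used short windows such as 6

def ngrams(trace, n=N):
    """All length-n sliding windows over a list of system-call names."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def build_profile(normal_traces, n=N):
    """The 'self' set: every n-gram observed while the program ran normally."""
    profile = set()
    for t in normal_traces:
        profile.update(ngrams(t, n))
    return profile

def anomaly_score(profile, trace, n=N):
    """Fraction of the trace's windows never seen in the profile (0.0 = normal)."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in profile) / len(grams)

def negative_selection(profile, alphabet, count, n=N, seed=0):
    """Immune-style detector generation: draw random call sequences and keep
    only those that do not match self, so the survivors describe abnormal behaviour."""
    rng = random.Random(seed)
    detectors = set()
    for _ in range(count * 50):           # bounded effort; constructed limit
        cand = tuple(rng.choice(alphabet) for _ in range(n))
        if cand not in profile:
            detectors.add(cand)
        if len(detectors) == count:
            break
    return detectors

def detectors_fired(detectors, trace, n=N):
    """How many windows of the trace some retained detector matches."""
    return sum(1 for g in ngrams(trace, n) if g in detectors)

# Constructed traces for an imaginary request-handling daemon (not real data).
ALPHABET = ["open", "read", "write", "mmap", "close", "execve", "fork"]
NORMAL = [
    ["open", "read", "mmap", "mmap", "close"],
    ["open", "read", "write", "close"],
    ["open", "mmap", "read", "write", "close"],
]
# A request that suddenly spawns a new program: the kind of deviation a
# buffer-overflow attack or Trojan horse would produce in the call stream.
SUSPECT = ["open", "read", "execve", "fork", "write", "close"]

if __name__ == "__main__":
    profile = build_profile(NORMAL)
    print("suspect score:", anomaly_score(profile, SUSPECT))   # 1.0
    dets = negative_selection(profile, ALPHABET, 20)
    print("detectors fired on suspect:", detectors_fired(dets, SUSPECT))
```

Because every retained detector differs from all windows in the profile, the detectors never fire on the training traces, which is the property the article describes.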

Computer virus

The computer virus is an outcome of the computer overgrowth in the 1980s. The term “computer virus” comes from the likeness between the biological virus and the malicious program that infects computers. The origin of this term came from an American science fiction novel, “The Adolescence of P-1”, written by Thomas J. Ryan and published in 1977. Human viruses invade a living cell and turn it into a factory for manufacturing viruses. Computer viruses, however, are small programs. They replicate by attaching a copy of themselves to another program.

Once attached to a host program, the virus then looks for other programs to “infect”. In this way, the virus can spread quickly throughout a hard disk, or throughout an entire organization when it infects a LAN or a multi-user system. At some point, determined by how the virus was programmed, the virus attacks. The timing of the attack can be linked to a number of situations, including a certain time or date, the presence of a particular file, the security privilege level of the user, and the number of times a file is used. Likewise, the mode of attack varies. So-called “benign” viruses might simply display a message, like the one that infected IBM's main computer system last Christmas with a season's greeting. Malignant viruses are designed to damage the system. The attack may wipe out data, delete files, or format the hard disk.

1. What Kind of Viruses Are There

There are four main types of viruses: shell, intrusive, operating system and source code.

Shell viruses wrap themselves around a host program and don't modify the original program. Shell programs are easy to write, which is why about half of viruses are of this type.

Intrusive viruses invade an existing program and actually insert a portion of themselves into the host program. Intrusive viruses are hard to write and very difficult to remove without damaging the host file.

Shell and intrusive viruses most commonly attack executable program files, those with a .com or .exe extension, although data files are also at some risk.

Operating system viruses work by replacing parts of the operating system with their own logic. It is very difficult to write operating system viruses, and these viruses have the ability, once booted up, to take total control of your system. For example, some operating system viruses have hidden large amounts of attack logic in disk sectors falsely marked as bad.

Source code viruses are intrusive programs, and they are inserted into a source program, such as one written in Pascal, before the program is compiled. They are the least common viruses because they are not only hard to write but also have a limited number of hosts compared to the other types.

2. Be Wary of the Second Network Viruses

Do you believe it? Network viruses can steal money! So far the Internet has become the main channel through which computer viruses spread. Look, here come the second network computer viruses. Even without “snatching” information from the network, your computer can be infected by the second network computer viruses, which are hidden in some machines on the network. Your computer is, so to speak, in danger once it is connected to the network to browse.

The virus that can steal your money belongs to this kind of second network virus. It was designed and placed in some machines on the network. When your computer is linked to one of these machines, the virus will invade your hard disk and search for whether Intuit Quicken, an accounting program, is installed. One of this accounting program's functions is to transfer funds between accounts automatically. Once your computer is infected, your money will be transferred to an additional account opened by the virus program without anybody knowing it.

Advanced Encryption Standard

For the past three years, the National Institute of Standards and Technology (NIST) has been working to develop a new encryption standard to keep government information secure. The organization is in the final stages of an open process of selecting one or more algorithms, or data-scrambling formulas, for the new Advanced Encryption Standard (AES) and plans to make a decision by late summer or early fall. The standard is slated to go into effect next year.

AES is intended to be a stronger, more efficient successor to Triple Data Encryption Standard (3DES), which replaced the aging DES, which was cracked in less than three days in July 1998.

“Until we have the AES, 3DES will still offer protection for years to come. So there is no need to immediately switch over,” says Edward Roback, acting chief of the computer security division at NIST and chairman of the AES selection committee. “What AES will offer is a more efficient algorithm. It will be a federal standard, but it will be widely implemented in the IT community.”

According to Roback, efficiency of the proposed algorithms is measured by how fast they can encrypt and decrypt information, how fast they can present an encryption key and how much information they can encrypt.

The AES review committee is also looking at how much space the algorithm takes up on a chip and how much memory it requires. Roback says the selection of a more efficient AES will also result in cost savings and better use of resources.

“DES was designed for hardware implementations, and we are now living in a world of much more efficient software, and we have learned an awful lot about the design of algorithms,” says Roback. “When you start multiplying this with the billions of implementations done daily, the saving on overhead on the networks will be enormous.”

The process of selecting the algorithm for AES has been notable for its openness and transparency. This is a marked departure from the government's past inclination toward secrecy in discussing encryption standards, which led to the public cracking of DES after critics questioned the government's assertion that the standard was still secure.

NIST kicked off the selection process in September 1997. Conferences were held in August 1998 and March 1999; cryptographers from around the world discussed the algorithm candidates and helped narrow the list to 15 and then to five finalists: IBM's MARS; RSA Lab's RC6; Joan Daemen and Vincent Rijmen's Rijndael; Ross Anderson, Eli Biham and Lars Knudsen's Serpent; and Counterpane Lab's Twofish.

While most evaluators of the algorithms want to avoid complexity by selecting one to serve as a standard, there's a minority that wants to select more than one.