We recommend Computer System Security - an Overview as prerequisite reading for this technology description.
Technologies for Computer System Security in C4I Systems (see Computer System Security - an Overview) introduced virus detection software as one of the system security mechanisms included in Intranets used to support C4I systems. Viruses are malicious segments of code, inserted into legitimate programs, that execute when the legitimate program is executed. The primary characteristic of a virus is that it replicates itself when it is executed and inserts the replica into another program, which will replicate the virus again when it executes. A computer is said to be infected if it contains a virus. Detecting that a computer is infected is the process of virus detection. Viruses have existed since the early 1980s, and programs to detect them have been developed since then [Denning 90].
Since viruses are executable code, they are written for a particular processor. They have been written for mainframes, for UNIX machines, and for personal computers (IBM PC compatibles and Apple Macintoshes). By far the largest number of viruses have been written to attack 80x86-based IBM PC compatible computers. By 1996, over 2000 kinds of viruses that attack IBM PC compatible computers had been developed. The IBM PC compatible is a frequent target of viruses because there are so many of that type of computer in use and the operating system (DOS and Windows) has no provision to prevent code from being modified. A few viruses, written using word processing or spreadsheet macros, infect any processor that runs the word processor or spreadsheet program that can interpret those macros. There were some early, much-publicized viruses on UNIX machines, but UNIX viruses are rare. The 1988 Morris Worm was an early example of malicious code that attacked UNIX machines [Spafford 88]. UNIX viruses are hard to write because they require detailed knowledge of how the operating system works, and there are much easier ways to damage or copy information on a UNIX computer. There have been a few mainframe viruses, but they are also rare because mainframe operating systems make it difficult for a program to gain access to and modify other programs.
Within some viruses is a portion of code called the payload. The payload is designed to do something malicious such as corrupt files, display a message on the screen, or prevent the computer from booting. The virus executes the payload either when it first runs or at some later execution, once a trigger condition has been met. A favorite trigger condition is the occurrence of a particular date, such as Friday the 13th. A virus still causes harm, even if it does not contain a payload, by consuming processor and storage resources as it replicates itself.
The two general types of PC viruses are boot-record infectors and program file infectors. The type is determined by where the copy of the virus code is written when the virus replicates.
Boot-record infectors, also called system infectors, infect the boot records on hard disks and floppy disks. When the system is booted, they are loaded into memory. They may execute and replicate themselves every time a disk is loaded. Once a hard disk boot record is infected, the virus will be loaded into memory each time the system is booted from the hard disk.
Program file infectors attach their replicas to host program files (.EXE or .COM files) on disk whenever the virus is executed. When the host is executed, the virus replicates itself again. Adding the virus to a file makes the file larger. To avoid obvious repeated growth of a file, a virus includes a signature pattern in each copy that it can recognize, so that it does not add itself again to a file it has already infected.
There are three basic types of virus detection software:
- virus scanner
- activity monitor
- change detection
Virus scanner software looks for the virus signature in memory or in program files and looks for code in the boot record that is not boot code. Once suspicious code is found, a message is displayed to the operator that the system is infected. Some virus scanners have the capability to remove viruses as well as to detect them.
Activity monitors are memory resident programs that watch for suspicious activity such as a program other than the operating system trying to format disks, delete an executable file, or change the file allocation table on a disk. They also may look for programs trying to go memory resident, scanning for other program files, or trying to modify their own code [Slade 96b].
Change detection software scans the executable program files in the system before a system is used and records vital statistics about each program, such as program file length or a calculated CRC or checksum. After the system is in operation, the change detection software periodically scans the program files looking for changes compared to the pre-stored data. These changes could have been caused by a virus.
Virus scanners are executed periodically, when the system is started up, or whenever a disk is initially put into the system. When new software (commercial, freeware, or downloaded) is added to the system, it should be checked with a virus scanner before the new software is executed to identify known viruses if they are present. Although virus scanners are very useful in finding known viruses they will not detect new kinds of viruses. They therefore must be updated frequently to include the "signatures" of new viruses.
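As an added example (not code from the original page), a minimal signature scanner of the kind described above, run over constructed byte strings; the signature database and host contents are invented and correspond to no real virus. It shows the limitation the paragraph states: a strain whose pattern differs by a single byte is not found until the database is updated.

```python
# Constructed signature database: name -> byte pattern the scanner looks for.
# These patterns are invented for this example and correspond to no real virus.
SIGNATURES = {
    "EXAMPLE-A": b"\xeb\x1f\x90\x90EXA",
    "EXAMPLE-B": b"\xb4\x4e\xcd\x21\x73",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Return [(signature name, offset), ...] for every known pattern found in data.

    The same routine serves for a program file read from disk or a memory image,
    since a scanner only ever matches bit patterns."""
    hits = []
    for name, pattern in signatures.items():
        start = 0
        while True:
            idx = data.find(pattern, start)
            if idx < 0:
                break
            hits.append((name, idx))
            start = idx + 1  # keep going: a host may carry more than one copy
    return sorted(hits, key=lambda hit: hit[1])


def scan_file(path, signatures=SIGNATURES):
    """Scan one program file on disk."""
    with open(path, "rb") as f:
        return scan_bytes(f.read(), signatures)


def demo():
    """Three constructed hosts: clean, carrying a known pattern, carrying a new strain."""
    clean = b"\xb8\x00\x4c\xcd\x21" + b"\x00" * 64  # stub program body plus padding
    known = clean + SIGNATURES["EXAMPLE-A"] + b"\x00" * 8
    # one changed byte in the pattern: a strain the database does not know yet
    variant = clean + b"\xeb\x1f\x90\x91EXA" + b"\x00" * 8
    return {
        "clean": scan_bytes(clean),
        "known": scan_bytes(known),
        "variant": scan_bytes(variant),
    }
```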
Activity monitors are more likely to find new types of viruses than virus scanners, since activity monitors are not limited to finding a known bit pattern in memory or on disk. Activity monitors have considerable performance overhead since they must be constantly scanning for unusual activity. Activity monitors also must be incorporated into software change processes so that their baseline of "correct" software files can be maintained.
Of the three types of virus detection software, change detection software has the best chance of detecting current and future virus types but is most likely to produce false alarms [Slade 96b]. The database for change detection software must be updated every time system files or executable program files are updated. This adds maintenance overhead to the system if the system is frequently modified.
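The change detection scheme of the two preceding paragraphs as an added example (not code from the original page): a baseline of file length and CRC-32 is taken over the program files under a directory, and a later rescan reports modified, missing and new files. The directory, file names and contents are constructed for the example; the "modified" report is what a file infector produces when it appends to a host, and also what a legitimate upgrade produces, which is the false-alarm source the text describes.

```python
import os
import tempfile
import zlib

# Program files are identified by extension as on the DOS systems the page describes.
# All file names and contents below are constructed for this example.
EXECUTABLE_SUFFIXES = (".exe", ".com")

def file_stats(path):
    """Vital statistics for one program file: (length in bytes, CRC-32)."""
    with open(path, "rb") as f:
        data = f.read()
    return len(data), zlib.crc32(data)

def build_baseline(root):
    """Record the statistics of every program file under root (the pre-stored data)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                path = os.path.join(dirpath, name)
                baseline[os.path.relpath(path, root)] = file_stats(path)
    return baseline

def detect_changes(root, baseline):
    """Rescan and classify program files against the baseline.
    A 'modified' entry is a candidate infection, but a legitimate upgrade gives
    the same report, so the baseline must be rebuilt after intended changes."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed run: take a baseline, then let one host grow as an infector appends to it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "EDIT.COM"), "wb") as f:
        f.write(b"\xb8\x00\x4c\xcd\x21")  # constructed stub program body
    with open(os.path.join(root, "README.TXT"), "wb") as f:
        f.write(b"not a program file, so it is never baselined")
    baseline = build_baseline(root)
    with open(os.path.join(root, "NEW.EXE"), "wb") as f:
        f.write(b"MZ")  # software added after the baseline was taken
    with open(os.path.join(root, "EDIT.COM"), "ab") as f:
        f.write(b"\x90" * 16)  # the host grows, as it does when a replica is appended
    return detect_changes(root, baseline)
```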
More than 100 virus detection products are listed on the National Institute of Standards and Technology (NIST) list of products reviewed [Slade 96a]. Most of those products are virus scanners. Virus scanners are also the most rapidly changing, as they must be updated to check for new virus "signatures" as new viruses are identified. The challenge to virus detection product vendors is the constant race to keep up with the host of smart computer hackers and malicious software developers creating new strains of viruses.
Effective use of virus detection software requires system administrators familiar with virus types and their mode of attack, the operation of the virus detection software, the ability to evaluate the virus detection program output, and the ability to recognize a true attack versus a false alarm. This requires knowledge of the system and its normal operation, training in the use of the virus detection software, and frequent retraining as the virus detection software is routinely updated.
[Abrams 95] Abrams, Marshall D.; Jajodia, Sushil; & Podell, Harold J. Information Security: An Integrated Collection of Essays. Los Alamitos, CA: IEEE Computer Society Press, 1995.
[Denning 90] Denning, Peter J. Computers Under Attack: Intruders, Worms and Viruses. New York, NY: ACM Press, 1990.
[Garfinkel 96] Garfinkel, Simson & Spafford, Gene. Practical UNIX and Internet Security, Second Edition. Sebastopol, CA: O'Reilly & Associates, Inc., 1996.
[Russel 91] Russel, Deborah & Gangemi, G.T. Sr. Computer Security Basics. Sebastopol, CA: O'Reilly & Associates, Inc., 1991.
[Slade 96a] Slade, Robert. Quick Reference Antiviral Review Chart [online]. Available WWW <URL: http://csrc.ncsl.nist.gov/virus/quickref.rvw> (1996).
[Slade 96b] Slade, Robert. Reviewing Anti-virus Products [online]. Available WWW <URL: http://www.bocklabs.wisc.edu/~janda/sladerev.html> (1996).
[Spafford 88] Spafford, Eugene H. The Internet Worm Program: An Analysis (CSD-TR-823). West Lafayette, IN: Purdue University, 1988.