Strange as it may sound, the computer virus is something of an
Information Age marvel. On one hand, viruses show us how vulnerable we
are -- a properly engineered virus can have a devastating effect,
disrupting productivity and doing billions of dollars in damages. On the
other hand, they show us how sophisticated and interconnected human
beings have become.
For example, experts estimate that the Mydoom worm infected approximately a quarter-million computers in a single day in January 2004. Back in March 1999, the Melissa virus
was so powerful that it forced Microsoft and a number of other very
large companies to completely turn off their e-mail systems until the
virus could be contained. The ILOVEYOU virus
in 2000 had a similarly devastating effect. In January 2007, a worm
called Storm appeared -- by October, experts believed up to 50 million
computers were infected. That's pretty impressive when you consider that
many viruses are incredibly simple.
When you listen to the news, you hear about many different forms of electronic infection. The most common are:
- Viruses: A virus is a small piece of software that piggybacks on real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs, too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc.
- E-mail viruses: An e-mail virus travels as an attachment to e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book. Some e-mail viruses don't even require a double-click -- they launch when you view the infected message in the preview pane of your e-mail software [source: Johnson].
- Trojan horses: A Trojan horse is simply a computer program. The program claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk). Trojan horses have no way to replicate automatically.
- Worms: A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well.
Virus Evolution
Virus creators have added new tricks to their bag throughout the years. One such trick is the ability to load viruses into memory
so they can keep running in the background as long as the computer
remains on. This gives viruses a much more effective way to replicate
themselves. Another trick is the ability to infect the boot sector on
floppy disks and hard disks. The boot sector is a small program that is
the first part of the operating system
that the computer loads. It contains a tiny program that tells the
computer how to load the rest of the operating system. By putting its
code in the boot sector, a virus can guarantee it's executed. It can
load itself into memory immediately, and run whenever the computer is
on. Boot sector viruses can infect the boot sector of any floppy disk
inserted in the machine, and in places like college campuses, where lots
of people share machines, they can spread like wildfire.
In general, neither executable nor boot sector viruses are very threatening today. The first reason for their decline has been the huge size of today's programs. Most programs you buy today come on compact discs. Commercially distributed compact discs (CDs) cannot be modified, and that makes viral infection of a CD unlikely, unless the manufacturer permits a virus to be burned onto the CD during production. People certainly can't carry applications around on floppy disks like they did in the 1980s, when floppies full of programs were traded like baseball cards. Boot sector viruses have also declined, because operating systems now routinely protect the boot sector.
Infection from boot sector
viruses and executable viruses is still possible. Even so, it's a lot
less likely than it once was. Call it "shrinking habitat," if you want
to use a biological analogy. The environment of floppy disks, small
programs and weak operating systems made these viruses possible in the
1980s, but that environmental niche has been largely eliminated by huge
executables, unchangeable CDs and better operating system safeguards.
E-mail Viruses
Virus authors adapted to the changing computing environment by creating the e-mail virus. For example, the Melissa virus in March 1999 was spectacular in its attack. Melissa spread in Microsoft Word documents sent via e-mail, and it worked like this:
Someone created the virus as a Word document and uploaded it to an Internet newsgroup.
Anyone who downloaded the document and opened it would trigger the
virus. The virus would then send the document (and therefore itself) in
an e-mail message to the first 50 people in the person's address book.
The e-mail message contained a friendly note that included the person's
name, so the recipient would open the document, thinking it was
harmless. The virus would then create 50 new messages from the
recipient's machine. At that rate, the Melissa virus quickly became the
fastest-spreading virus anyone had seen at the time. As mentioned
earlier, it forced a number of large companies to shut down their e-mail
systems to control the spread.
The ILOVEYOU virus,
which appeared on May 4, 2000, was even simpler. It contained a piece
of code as an attachment. People who double-clicked on the attachment
launched the code. It then sent copies of itself to everyone in the
victim's address book and started corrupting files on the victim's
machine. This is as simple as a virus can get. It is really more of a
Trojan horse distributed by e-mail than it is a virus.
The Melissa
virus took advantage of the programming language built into Microsoft
Word called VBA, or Visual Basic for Applications. It is a complete
programming language and it can be used to write programs that do things
like modify files and send e-mail messages. It also has a useful but
dangerous auto-execute feature. A programmer can insert a program into a
document that runs instantly whenever the document is opened. This is
how the Melissa virus was programmed. Anyone who opened a document
infected with Melissa would immediately activate the virus. It would
send the 50 e-mails, and then infect a central file called NORMAL.DOT so
that any file saved later would also contain the virus. It created a
huge mess.
Microsoft applications have a feature called Macro
Virus Protection built into them to prevent this sort of virus. With
Macro Virus Protection turned on (the default option is ON), the
auto-execute feature is disabled. So, when a document tries to
auto-execute viral code, a dialog pops up warning the user.
Unfortunately, many people don't know what macros or macro viruses are,
and when they see the dialog they ignore it, so the virus runs anyway.
Many other people turn off the protection mechanism. Because of this,
the Melissa virus spread despite the safeguards in place to prevent it.
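The Melissa pattern described above (an auto-executing macro that reaches for mail and the Normal template) is exactly what a static triage check can look for before a document is opened. This is an added example written for this article, not code from any product; the procedure names are real Word auto-execute entry points, the capability patterns are our own heuristic, and the VBA sample is constructed and contains no mailing logic.

```python
import re

# Word auto-execute entry points: a procedure with one of these names runs as
# soon as the document is opened, closed or created. This is the "auto-execute
# feature" the article describes and the one Macro Virus Protection disables.
AUTO_EXEC_NAMES = {"autoopen", "autoexec", "autoclose", "autoexit", "autonew",
                   "document_open", "document_close", "document_new"}

# Capabilities worth flagging inside an auto-executed procedure. These patterns
# are our own triage heuristic, not any product's signature set.
CAPABILITIES = {
    "sends_mail": re.compile(r'CreateObject\("Outlook\.Application"\)|\.Send\b', re.I),
    "writes_normal_template": re.compile(r"NormalTemplate|NORMAL\.DOT", re.I),
    "reads_address_book": re.compile(r"AddressLists|AddressEntries", re.I),
}

# One VBA procedure: header line, body, matching End Sub / End Function.
PROC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(.*?\)(.*?)"
    r"^\s*End\s+(?:Sub|Function)",
    re.I | re.M | re.S,
)

def triage_vba(source: str) -> dict:
    """Map each procedure name to whether it auto-executes and which capabilities it uses."""
    report = {}
    for match in PROC_RE.finditer(source):
        name, body = match.group(1), match.group(2)
        flags = [cap for cap, rx in CAPABILITIES.items() if rx.search(body)]
        report[name] = {"auto_exec": name.lower() in AUTO_EXEC_NAMES, "flags": flags}
    return report

def is_suspicious(report: dict) -> bool:
    """Melissa-style shape: runs on open AND touches mail, address book or Normal template."""
    return any(p["auto_exec"] and p["flags"] for p in report.values())

# Constructed sample: one harmless formatting macro and one auto-executed
# procedure that merely references the mail and template objects.
SAMPLE = '''Sub FormatReport()
    Selection.Font.Bold = True
End Sub

Sub Document_Open()
    Set app = CreateObject("Outlook.Application")
    Set tmpl = NormalTemplate
End Sub
'''
```

Either signal alone is common in legitimate macros; it is the combination in an auto-executed procedure that mirrors the behaviour the article describes and is worth surfacing to the user, which is what the Macro Virus Protection dialog was trying to do.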
In the case of the ILOVEYOU virus, the whole thing was human-powered. If a person double-clicked on the program that came as an attachment, then the program ran and did its thing. What fueled this virus was the human willingness to double-click on the executable. The same kinds of exploits have also been passed over instant messaging networks like AIM and Windows Live Messenger. Commandeered accounts will send out links to viruses in instant messages; anyone who clicks the link and installs a Trojan application will have their own account hijacked and unwittingly spam their own friends with the compromising link.
Worms
A worm is a computer program that has the ability to copy itself from
machine to machine. Worms use up computer processing time and network
bandwidth when they replicate, and often carry payloads that do
considerable damage. A worm called Code Red made huge headlines in 2001.
Experts predicted that this worm could clog the Internet so effectively
that things would completely grind to a halt.
A worm usually exploits some sort of security hole in a piece of software or the operating system. For example, the Slammer worm (which caused mayhem in January 2003) exploited a hole in Microsoft's SQL server. Wired magazine took a fascinating look inside Slammer's tiny (376 byte) program.
Worms normally move around and infect other machines through computer networks.
Using a network, a worm can expand from a single copy incredibly
quickly. The Code Red worm replicated itself more than 250,000 times in
approximately nine hours on July 19, 2001 [source: Rhodes].
The Code Red worm slowed down Internet traffic when it began to replicate itself, but not nearly as badly as predicted. Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers that did not have the Microsoft security patch installed. Each time it found an unsecured server, the worm copied itself to that server. The new copy then scanned for other servers to infect. Depending on the number of unsecured servers, a worm could conceivably create hundreds of thousands of copies.
The Code Red worm had instructions to do three things:
- Replicate itself for the first 20 days of each month
- Replace Web pages on infected servers with a page featuring the message "Hacked by Chinese"
- Launch a concerted attack on the White House Web site in an attempt to overwhelm it [source: eEye Digital Security]
Upon successful infection, Code Red would wait for the appointed hour and connect to the www.whitehouse.gov
domain. This attack would consist of the infected systems
simultaneously sending 100 connections to port 80 of www.whitehouse.gov
(198.137.240.91).
The U.S. government changed the IP address
of www.whitehouse.gov to circumvent that particular threat from the
worm and issued a general warning about the worm, advising users of
Windows NT or Windows 2000 Web servers to make sure they installed the security patch.
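Both Code Red phases described above leave a distinctive footprint in network flow data: one source touching many distinct port-80 servers while it scans, then many connections from many infected hosts to a single destination at the appointed hour. The detector below is an added example written for this article, not code from any of the cited sources; the flow records are constructed, and the window and thresholds are assumptions to tune for a real network.

```python
from collections import defaultdict

# Thresholds and window are assumptions for this example, not published values.
WINDOW = 60             # seconds per bucket
SCAN_THRESHOLD = 20     # distinct destinations on the port from one source per window
FLOOD_THRESHOLD = 50    # connections from one source to one destination per window

def detect(flows, port=80):
    """Flag Code Red's two phases in (ts, src, dst, dport) flow records.

    scanners: sources touching many distinct servers on the port (propagation);
    flooders: (src, dst) pairs opening many connections to one server (the
    appointed-hour attack); targets: how many flooders share each destination,
    which is what makes the attack distributed rather than a single noisy host.
    """
    scan_targets = defaultdict(set)   # (src, window) -> set of dst
    flood_counts = defaultdict(int)   # (src, dst, window) -> connection count
    for ts, src, dst, dport in flows:
        if dport != port:
            continue
        w = ts // WINDOW
        scan_targets[(src, w)].add(dst)
        flood_counts[(src, dst, w)] += 1
    scanners = {src for (src, _), dsts in scan_targets.items()
                if len(dsts) >= SCAN_THRESHOLD}
    flooders = {(src, dst) for (src, dst, _), n in flood_counts.items()
                if n >= FLOOD_THRESHOLD}
    targets = defaultdict(int)
    for _, dst in flooders:
        targets[dst] += 1
    return {"scanners": scanners, "flooders": flooders, "targets": dict(targets)}

# Constructed flow log. 10.0.0.5 sweeps 40 web servers (scan phase); later it and
# 10.0.0.9 each open 100 connections to 198.137.240.91:80, the address the
# article gives for www.whitehouse.gov (flood phase). 10.0.0.7 is a normal client.
FLOWS = [(1000 + i, "10.0.0.5", f"203.0.113.{i + 1}", 80) for i in range(40)]
FLOWS += [(3600 + i // 10, src, "198.137.240.91", 80)
          for src in ("10.0.0.5", "10.0.0.9") for i in range(100)]
FLOWS.append((1005, "10.0.0.7", "203.0.113.1", 80))

if __name__ == "__main__":
    print(detect(FLOWS))
```

The scan signal is the one worth acting on: a host that flags as a scanner is already infected and will become a flooder at the appointed hour, so isolating it (and patching the servers it was probing) is the response the government advisory was aiming for.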
A worm called Storm, which showed up in 2007, immediately started making a name for itself. Storm used social engineering techniques to trick users into loading the worm on their computers. And boy, was it effective -- experts believe between 1 million and 50 million computers have been infected [source: Schneier].
Anti-virus makers adapted to Storm and learned to detect the virus even
as it went through many forms, but it was easily one of the most
successful viruses in Internet history and could someday rear its head
again. At one point, the Storm worm was believed to be responsible for
20 percent of the Internet's spam mail [source: Kaplan].
When the worm is launched, it opens a back door into the computer, adds the infected machine to a botnet and installs code that hides itself. Storm's botnets are small peer-to-peer groups, rather than a larger, more easily identified network. Experts think the people controlling Storm rent out their micro-botnets to deliver spam or adware, or for denial-of-service attacks on Web sites.