
Viruses or Worms Life Cycle

4.2 General Aspects of Computer Infection Programs

4.2.3 Viruses or Worms Life Cycle

Leaving aside the phase in which the virus or the worm is conceived and tested, three main stages in their “life” can be distinguished. Their life can be more or less long, depending on the type of the virus or the desired effect. The starting point of the life of a virus, once it has been inserted in an apparently innocuous program called the dropper, is precisely its release “in the wild” (diffusion phase). The virus writer will use (depending on whether there is a single or more targets to hit) a program which more or less extensively will use social engineering techniques [67] in order to fool the victim into dropping his guard. As for target attacks (a small group of victims), the virus writer will have to gather some information beforehand (intelligence phase) about this group’s habits, desires and so on. Generally, illegal games softwares (cracked softwares or warez), jokes, hoaxes, flash animations, pornography,... are the most successful ways to fool the victim, thus allowing the worm or the virus to be executed along with the dropper and then to operate.

The infection phase

During this stage, the virus will spread throughout the target environment. Two scenarii can be envisaged:

• Passive infection.- The virus will spread throughout the target environment in a passive way: the dropper is put at intended victims’ disposal (copied on a device like floppy disks or CD-ROMs, put on ftp sites or newsgroups, and so on). The latter then may copy it into their own environments, before executing it. Let it be said in passing, experience showed that there are known cases where some software publishers or computer professionals, themselves either accidentally or carelessly, have published software that contained viruses or worms on the market:

– the 1099 virus was released throughout northern Europe and France via preformatted blank floppy disks. The formatting software which was used during the manufacturing process had been accidentally infected by the worm.

– the Warrier virus was released via a downloading shareware site. In this case, the technique consisted in urging the victim to activate a popular game called Packman.

– The Yamaha company published a compatible driver for its CDR-400 device on the market which contained the CIH virus, while the IBM company in March of 1999 sold computers belonging to the Aptiva series which were also infected by the same virus [62];

– As for Microsoft, it spread the Concept macro-virus as it was present on three CDROMs distributed by two retailers [63].

• Active infection.- The virus will spread in the target environment actively. The user or the system executes either the dropper (the system is infected for the first time; in other words, it is referred to as the primary infection, primo infectio) or an infected file (which may be a primary infection or not).

The main feature which distinguishes self-replicating programs from simple (Epeian) infections is code replication. Whenever a program makes an exact copy of its own code, even only once, we have a true viral replication mechanism: at least two copies of the code are present on the machine at the same time. Such a phenomenon does not occur in the case of simple computer infection programs (or Epeian programs).
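The replication criterion stated above can be turned into a concrete check in a dynamic-analysis sandbox. The following Python snippet is an added example, not code from the book: it assumes two snapshots of a monitored directory (path to file content), taken before and after a suspicious sample has been executed, and reports every file that now carries an exact or embedded copy of the sample's bytes. All paths and file contents are constructed for the illustration.

```python
import hashlib
from typing import Dict, List, Tuple

# A snapshot maps a file path to its content, as a sandbox would capture it.
Snapshot = Dict[str, bytes]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_replication(before: Snapshot, after: Snapshot, sample: bytes) -> List[Tuple[str, str]]:
    """Compare the 'before' and 'after' snapshots and list files that now carry
    a copy of `sample`.

    "exact copy"    : a new or modified file that is byte-for-byte the sample
    "embedded copy" : a new or modified file that contains the sample
                      (prepended, appended or inserted, as classic file infectors do)
    Files left untouched by the execution are ignored, so the original copy of the
    sample itself is never counted.
    """
    sample_hash = sha256(sample)
    findings = []
    for path, content in after.items():
        if before.get(path) == content:
            continue  # unchanged since the 'before' snapshot
        if sha256(content) == sample_hash:
            findings.append((path, "exact copy"))
        elif sample in content:
            findings.append((path, "embedded copy"))
    return sorted(findings)


def classify_sample(before: Snapshot, after: Snapshot, sample: bytes) -> str:
    """Apply the criterion of the text: one further copy of the code beyond the
    original means replication (virus or worm); otherwise a simple (Epeian) infection."""
    return "self-replicating" if find_replication(before, after, sample) else "simple infection"


# Constructed data (not real malware): a fake program body and two snapshots.
SAMPLE = b"MZ\x90\x00-constructed-sample-body-0001"
BEFORE: Snapshot = {
    "bin/sample.exe": SAMPLE,
    "bin/editor.exe": b"MZ\x90\x00-editor-original-code",
    "bin/viewer.exe": b"MZ\x90\x00-viewer-original-code",
}
# After execution: editor.exe got the sample prepended, a new copy appeared in tmp/,
# viewer.exe is untouched.
AFTER_REPLICATING: Snapshot = {
    "bin/sample.exe": SAMPLE,
    "bin/editor.exe": SAMPLE + b"MZ\x90\x00-editor-original-code",
    "bin/viewer.exe": b"MZ\x90\x00-viewer-original-code",
    "tmp/update.exe": SAMPLE,
}
# An Epeian program only dropped a log file and copied nothing of itself.
AFTER_SIMPLE: Snapshot = dict(BEFORE, **{"tmp/activity.log": b"constructed log line"})

if __name__ == "__main__":
    for label, after in (("replicating", AFTER_REPLICATING), ("simple", AFTER_SIMPLE)):
        print(label, "->", classify_sample(BEFORE, after, SAMPLE),
              find_replication(BEFORE, after, SAMPLE))
```

The check is deliberately byte-exact: it catches the plain copying that defines replication, but a copy that is re-encrypted or otherwise rewritten on each generation would not match, which is exactly why the evasion techniques mentioned later in this chapter matter to detection.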

The incubation phase

This phase represents the longest one in the life of a virus. It is worth mentioning the example of spy viruses, which are an exception to the rule insofar as they keep their stay in the infected environment down to a minimum and disinfect themselves once their offensive action has been completed (in this respect, the interested reader will refer to the Ymun20 virus, whose description is provided in Chapter 13).

The main purpose here is the virus’s survival in the infected system. Accordingly, it must escape detection by either:

• the user himself. While writing a viral program, a virus writer will try hard to avoid any execution error (bugs) which could alert the user (please refer to Section 4.2.6);

• or antivirus programs. The virus will use various techniques designed to evade antiviral detection. These techniques will be presented in Section 4.4.6.

The disease phase

The final payload is activated at this stage. The way it is triggered depends on various factors and especially on the location where the offensive routine was inserted in the code:

• if the offensive routine is located at the very beginning of the viral code, the payload will then be systematically executed before the spreading of the infection. This approach is hardly ever chosen mainly because it tends to limit the survival phase of viruses or worms;

• if the offensive routine is located at the end of the viral code, the payload will be triggered only after the infection process;

• if the offensive routine is inserted in the middle of the code, the payload will be triggered depending on whether the infection was successful or not. This case will be addressed in the second part of the book devoted to viral algorithmics.

The activation of the payload can also be delayed by using a trigger mechanism. In this case, the final payload is a logic bomb which uses a viral vector. For example, the following special incidents or events may trigger a payload:

• a system BIOS date (for example, the Friday 13th virus, the Century virus or the CIH viruses);

• after a certain number of infections (viral replications);

• after a fixed number of times a given keystroke sequence is hit (as an example, whenever the CTRL+ALT+SUPP key sequence has been hit 112 times);

• the number of times Word documents have been opened (for example, the Colors virus was triggered after 300 requests to open Word files);

• ...

Indeed, the nature of these payloads has no other limit but the imagination of the virus writer who may look for either an insidious selective effect or, on the contrary, a mass effect. Effects caused by the final payload may be very different:

• they may have a “nonlethal” nature: display of pictures, animations, messages; playing music or sound effects... Mostly, these attacks are simply recreational: their goal is to make jokes, or to draw the users’ attention to such or such topic (for instance, the Mawanella virus aimed at denouncing the persecution of Muslims in northern Sri Lanka; as for the release of the Coffee Shop virus, its motive was to launch a campaign to legalize marijuana);

• they may have a “lethal” nature: the attacker’s aim in this case is to fraudulently endanger data confidentiality (theft of data), to corrupt or destroy system or data integrity (attempt to format hard disks, deletion of all or some data, random modifications of data and so on), to attack the system availability (random reboots of the operating system, saturation, simulation of device breakdowns), to manipulate data (hard disk encryption) and to attempt to frame users in fraud or crimes (falsifying or introducing illegal data, attempts to use the user’s operating system with a view to committing offences or crimes⁷).

For a long time, the question whether viral programs can damage hardware has been raised, and many experts came to an agreement on the fact that such a technical feat remains impossible. One of the surprising arguments put forward at that time was that no existing case of viral programs damaging hardware had ever been found in the wild. However, later, when the CIH virus was released, the row over this question resurfaced.

Strictly speaking, the CIH virus does not damage hardware, but overwrites some pieces of software which are stored in hardware (in some way, a BIOS is comparable to firmware). The solution which is mostly chosen is to replace the motherboard rather than to replace only the BIOS chip. In this case, the launched attack is simply a simulation of hardware damage (the interested reader will read [62] for further details).

Does it mean that viral programs really damaging hardware are simply a myth? Definitely not. There exist real – though old – examples of diskette drive units or hard disks which have been abnormally damaged due to repetitive function calls in read/write mode beyond the maximum cylinder number. However, destructive codes do not affect all disks, mainly because some of them have protection functions at the hardware or firmware level. That is where people and some experts usually get confused. Indeed, any damage to hardware is obviously very specific to a given device model or brand, or to a variant of a firmware. Unlike viruses intended for all systems equipped with a given target operating system, hardware damaging or destructive code is deprived of any generic capability. Only a dedicated virus with a limited infective power, designed to hit a specific target, will be able to damage hardware. Consequently, this implies a major danger insofar as such a virus is unlikely to be detected by any antivirus software. It is worth mentioning that such destructive codes do not produce an immediate effect but rather an effect staggered over a long period of time.

Different kinds of hardware physical damage may be caused, such as damage to monitors, video cards, processors, or hard disks. But surprisingly enough, these damages tend to be neither rapid nor spectacular (a period of time may be required to get the desired damaging effect).

⁷ The purpose of the Pedoworm virus, via emails sent to police forces, was to denounce the owner of infected machines containing pedophile material (in this respect, please refer to Section 11.3).

Without going too far into detail (the aim is not to give too many ideas), it is precisely because computer hardware resources are increasingly managed by software components that such damages can occur. For a long time, configuration jumpers and other hardware tools were used to set up the system at the hardware level. Nowadays, software is mostly in charge of this task, with varying degrees of success. Another aspect worth mentioning as far as viral programs damaging hardware are concerned is that, as the effects of the virus are sporadic, the user mostly tends to consider them as simple computer breakdowns.

Let us also point out that current firmware includes many features enabling it to avoid and prevent basic attacks against hardware. Other features have been added to improve both ergonomics and hardware safety. But these features may be diverted and misused to produce a real destructive effect on hardware. These functions are mostly undocumented and require a thorough analysis of the firmware. Given their very specific features and their strong dependency on hardware and device variant, none of these will have the same scope and portability as viruses written to attack software resources (operating system and programs).