Anatomy of Computer Viruses

Very dangerous viruses

Biological viruses infect cells and alter their DNA to make them create copies of themselves. Computer viruses are similar in the sense that they infect programs in order to replicate. Obviously, their aim is not to replicate indefinitely according to the law of evolution, but to execute a payload under certain conditions:

  • After a certain time, when a high number of targets are infected, to maximize the amount of damage,
  • When a special condition is encountered, for example if the infected program is run with administrator privileges.

They have to be as light as possible to disguise themselves. That’s why they are written in assembly or possibly in C. Rust is also a good candidate, as a systems programming language with a highly optimizing compiler, no garbage collection and good interoperability with assembly.

In this article, we will give a quick overview of the two most common types of computer viruses, but others exist:

  • Executable viruses,
  • Macro viruses.

1. Executable viruses

1.1 Overwriting viruses

The simplest type of virus, which differs from the biological one, overwrites other binaries with itself.

This basic virus could be improved in many ways:

  • Check that the binary we are going to infect has not already been infected (by writing a magic code),
  • Infect only a small fraction of the binaries in order not to be discovered instantly.

1.2 Parasitic viruses

A better way for a virus to hide is to attach itself to an existing program, letting that program work as usual while the virus replicates.

The virus is generally attached to the end of the executable program, because not having to relocate the executable section makes it much easier to program.

The virus has to alter the starting address field to point to itself in order to be executed, and it has to use relative addressing because its position depends on the target binary. These are the kinds of operations that require low-level programming languages:

Virus attached to the end of the executable

Indeed, to attach itself to the front, the virus has to copy the entire program to RAM, put itself at the front, then copy the program back from RAM, and then relocate the program after it has been executed:

Virus attached to the front of the executable

There is a third possibility, more difficult to program but definitely possible, which offers the advantage of hiding the virus from antivirus software in almost all cases.

Nearly all modern binary formats on Linux and Windows allow programs to have multiple text and data segments so that they can be relocated on the fly. Those segments are of fixed size (512 bytes for Windows Portable Executable .exe files) and padded with 0s when not full. The magic happens when viruses hide themselves in these holes. That’s why they are called “cavity viruses”:

Virus spread over program free space
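The two placement strategies above leave traces a defender can check for. The following is an added example, not code from the original article: a small Python triage script that parses a PE header and flags an entry point located in the last section (typical of an appended parasite) and non-zero bytes in a section's zero padding (a possible cavity infection). The sample image is constructed, the function names are hypothetical, and both checks are heuristics that packers and some linkers also trigger on clean files.

```python
import struct

def pe_sections(data):
    """Return (entry_rva, [(name, vaddr, vsize, raw_off, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)               # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, pe + 6)           # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)      # SizeOfOptionalHeader
    entry, = struct.unpack_from("<I", data, pe + 24 + 16)    # AddressOfEntryPoint
    secs = []
    for i in range(nsec):                                    # 40-byte section headers
        name, vsize, vaddr, rsize, roff = struct.unpack_from(
            "<8sIIII", data, pe + 24 + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode("latin-1"), vaddr, vsize, roff, rsize))
    return entry, secs

def findings(data):
    """Heuristic flags only; a hit means 'look closer', not 'infected'."""
    entry, secs = pe_sections(data)
    out = []
    for i, (name, vaddr, vsize, roff, rsize) in enumerate(secs):
        in_section = vaddr <= entry < vaddr + max(vsize, rsize)
        if in_section and len(secs) > 1 and i == len(secs) - 1:
            out.append(f"entry point in last section {name}")
        slack = data[roff + vsize:roff + rsize]              # file padding after content
        if slack.strip(b"\0"):
            out.append(f"non-zero bytes in padding of {name}")
    return out

def sample(entry, text_padding=b""):
    """Constructed two-section PE32 image (hypothetical helper, test data only)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # PE header at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x46, 2)                     # two sections
    struct.pack_into("<H", hdr, 0x54, 0xE0)                  # PE32 optional header size
    struct.pack_into("<I", hdr, 0x58 + 16, entry)
    for i, (name, va) in enumerate([(b".text", 0x1000), (b".data", 0x2000)]):
        struct.pack_into("<8sIIII", hdr, 0x138 + 40 * i,
                         name, 0x100, va, 0x200, 0x200 * (i + 1))
    text = b"\x01" * 0x100 + text_padding.ljust(0x100, b"\0")
    return bytes(hdr) + text + b"\x02" * 0x100 + bytes(0x100)

if __name__ == "__main__":
    print(findings(sample(0x2000)), findings(sample(0x1000, b"\xAA" * 16)))
```

Comparing the findings against a known-good copy of the same binary (or its vendor hash) separates real tampering from toolchain quirks.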

2. Macro viruses

Excel and other programs are able to execute macros. Excel uses VBA, an interpreted but complete language, powerful enough to contain a macro virus.

It’s pretty easy to send emails to employees and have them open our tricked Excel sheet attachment (impersonating the boss or the consultant or the supplier…). As everyone, including myself, accepts the warning that is genuinely displayed when the document opens, it has been a very efficient way of attacking companies for years.

The marketing guy who thought it was a great feature to add to Excel may regret his decision. As usual, “keep it simple” is the best advice for those who think cybersecurity matters.

3. Other types of viruses

We discussed the two most common virus types but others exist:

  • Companion viruses: a companion virus is just a program that gets to run instead of the one that is supposed to run. They were common in the days of MS-DOS: when a user typed prog, MS-DOS looked for prog.com to execute before prog.exe. It’s rare but still possible today (a strange Java classpath, for example),
  • Device driver viruses: viruses that target device drivers. They are started at OS boot and run in kernel mode!
  • Source Code Viruses: programs that try to add their payload to sources rather than binaries (our python example above belongs to this category),
  • And also viruses hidden in the BIOS and viruses hidden in RAM to intercept traps…