Malware Exposed: Understanding the Menace of Virus its Patterns and Behaviors

Ravitej Bandlekar
10 min readJul 12, 2023
Source: arstechnica.com

Now that we have a good understand of malware and have looked at some real-world case studies, let’s go far into this fascinating topic. We shall reveal a wide range of characteristics and complexities in our continuous investigation of malicious software. Our focus will include an in-depth look of several malware types, including viruses, worms, and trojans, each having specific traits and ways of operation. We can better identify and reduce their hazards if we increase our understanding of these many forms of malware.

Prior to continuing with the current article, I recommend that you read the previous piece on malware, if you haven’t done so already.

Let’s take a closer look at viruses and unravel their mysteries in this article.

Virus

A computer virus is code that recursively replicates a possibly evolved copy of itself. Viruses infect a host file or system area, or the simply modify reference to such objects to take control and then multiply again to form new generations.

Otherwise, it is a type of malicious software program that is designed to infect and spread within computer systems and networks. It is analogous to a biological virus that can replicate and spread from one host to another.

A. File Virus

A file virus is a type of malware that infects executable files on a computer system. When an infected file is executed, the virus code activates and starts replicating itself by infecting other files on the system. These viruses often attach themselves to legitimate program files, such as .exe, .com, or .dll files, and spread when those files are executed.

Case:

The “Melissa” virus, which emerged in 1999, was a file virus that infected Microsoft Word documents. When an infected document was opened, the virus replicated itself and sent infected emails to the first 50 contacts in the user’s Microsoft Outlook address book.

B. Boot Sector Virus

A boot sector virus infects the boot sector of a computer’s storage device, such as the Master Boot Record (MBR) or Volume Boot Record (VBR). When the infected device is booted, the virus is loaded into memory, enabling it to control the system and spread to other devices.

Otherwise, a boot sector virus is a type of computer virus that infects the boot sector of storage devices, such as floppy disks or hard drives. It typically targets the Master Boot Record (MBR) or the boot sector of a partition. When an infected storage device is accessed during the boot process, the virus code is executed, allowing the virus to load before the operating system.

The vulnerable stage where boot sector viruses can infect the system is during the process of loading the code from the first sector of the boot disk. This applies to both early systems booting from diskettes and newer systems booting from hard drives.

In early systems, where booting from diskettes was common, the boot sector virus could infect the diskette’s boot sector, which would execute the virus code when the system attempted to boot from the infected diskette. This was possible because the boot order was fixed and the system would automatically load the code from the diskette without any additional checks.

In newer systems with hard drives, the boot sector virus could infect the Master Boot Record (MBR) or the boot sector of a specific partition. The MBR contains code that runs during the boot process and helps locate the active boot partition. If the MBR or boot sector is infected, the virus code would be executed during the boot process, allowing the virus to gain control before the operating system loaded.

In both cases, the presence of a boot sector virus in the boot sector could allow the virus to load before the operating system and potentially cause harm, such as spreading to other storage devices or damaging data.

Case:

The “Stoned” virus, first discovered in 1987, was a boot sector virus that infected the boot sector of floppy disks. When an infected disk was inserted and the computer was booted from it, the virus loaded into memory and infected the computer’s hard drive.

C. Macro Virus

A macro virus infects documents and spreadsheets that support macros, such as Microsoft Word or Excel files. These viruses embed their malicious code within the macro programming language, and when a file containing the virus is opened, the code is executed, allowing the virus to spread.

Case:

Today there are thousands of macro viruses, and many of them are in the wild. Users often exchange documents that were created with a Microsoft Office product such as Word, Excel, PowerPoint, Visio, or even Access or Project. The first wild-spread macro virus, WM/Concept.A17, appeared in late 1995. Within a couple of months, only a few dozen such viruses were found, but by 1997 there were thousands of similar creations. The XM/Laroux18, discovered in 1996, was the first wild-spread macro virus to infect Excel spreadsheets. The first known Word macro virus was WM/DMV, written in 1994. The author of the WM/DMV virus also created a nearly functional Excel macro (XM) virus at the same time.

D. Source Code Virus

A source code virus inserts its own code into the source code of the application it has infected. As a result, when the compromised software is built or run, the virus code is also run, enabling further virus spread. As each infected software becomes a carrier for the virus, possibly infecting additional systems, this sort of infection can spread quickly. Because they can infect numerous programs and can be difficult to find and eliminate, source code viruses can be highly harmful. They may carry out a number of malicious acts, including stealing confidential data, corrupting files or data, or granting unauthorized access to the infected system.

Case:

The “W32/SQLSlammer” virus, discovered in 2003, targeted Microsoft SQL Server databases. It exploited a vulnerability in the server software and spread rapidly, causing widespread internet congestion and disrupting services.

E. Memory-Resident Virus

Malware known as memory-resident viruses can infect other computer files without even being executed by becoming embedded in the machine’s memory. By loading its replication module into the RAM, it accomplishes this. The memory-resident virus is one of the worst kinds of computer viruses because the operating system might activate it whenever it loads or executes operations. It can affix to antivirus software, impact the overall system, and obstruct normal operation.

The typical work of this virus.

1. The virus gets control of the system.
2. It allocates a block of memory for its own code.
3. It relocates its code to the allocated block of memory.
4. It activates itself in the allocated memory block.
5. It hooks the execution of the code flow to itself.
6. It infects new files and/or system areas

Case:

he “CIH” or “Chernobyl” virus, discovered in 1998, infected executable files and the system’s BIOS. On specific dates, it triggered destructive payloads that could render the infected system inoperable by overwriting critical system files or corrupting the BIOS.

F. Swapping Virus

Another unusual method of creating computer viruses involves constantly putting a little amount of infection code into memory. Possibly, this tiny line of code represents a hook event. The virus loads a section of viral code from the disk and infects a new object each time the hook event is triggered. The virus then erases the loaded section from memory once more.
Although it seems like this technique has some benefits, such as the fact that the virus uses less physical memory and can typically keep its code encrypted in files, there are also a lot of drawbacks. For example, it’s possible to introduce significantly increased disk activity, which makes it much easier to detect the attack.

G. Tunneling Virus

Based on Self-Protecting strategies, a tunneling virus attempts to bypass security measures by creating a covert communication channel, or “tunnel,” between an infected system and an external command-and-control server. This allows the attacker to remotely control the infected system and potentially exfiltrate data.

This virus attempts to bypass detection by antivirus scanner by installing itself in the interrupt handler chain. Interception programs, which remain in the background of an operating system and catch viruses, become disabled during the course of a tunneling virus. Similar viruses install themselves in device drivers.

Memory-resident viruses are a type of malicious software that stay in your computer’s memory to hide and carry out their harmful actions. One way they try to avoid detection is by using a technique called tunneling. Imagine a line of people waiting to talk to someone, and each person represents a program or application in your computer.

The resident tunneling virus tries to be the first person in line so that it can control the conversation. It does this by installing itself at the front of the line, before other programs. When a specific action, called an interrupt, occurs, the virus jumps in and takes control before any other program can respond. It then pretends to be the original program and carries out its malicious activities.

The goal of the virus is to bypass antivirus programs that are designed to monitor and stop malicious software. By being the first in line and taking control, the virus can execute its own code without being detected by the antivirus software.

This technique can be used by both resident (stays in memory) and nonresident (not in memory) viruses, but it is commonly used by memory-resident viruses to locate the original program handler and call it directly, allowing the virus to go unnoticed by antivirus programs.

Case:

The “Zeus” Trojan, discovered in 2007, infected computers and established a hidden communication channel with a command-and-control server. This allowed attackers to remotely control infected systems, steal sensitive information, and initiate fraudulent transactions.

H. Armored Virus

The term armored virus was coined by the computer crime unit of New Scotland Yard to describe computer viruses that make it even more difficult to detect and analyze their functions quickly. A computer virus’s primary goal is to spread as far as possible without being noticed. The authors of armored viruses want to be sure that the virus code is even more difficult for scanners to detect, even if the scanners use techniques such as
heuristics that can pinpoint previously unknown computer viruses.

Furthermore, if a virus sample is obtained by any means, its author wants to make the analysis of the virus code as difficult as possible to further delay rapid response to the virus attack.

The following techniques are used by threat actors to armor the virus.
Anti disassembly-Computer viruses written in Assembly language are challenging to understand because they often use tricks that normal programs never or very rarely use.
Anti debugging- Attackers can use a number of tricks as Anti debugging features. The attacker’s goal is to prevent you from using a debugger easily. Because hardware supports debugging, the Anti debug features can be rather platform specific.

Anti heuristics and Anti emulation- In 1998, Windows virus development was in a relatively early stage. This is why a wide variety of different infection methods were introduced, making it possible to consider heuristic analysis against 32-bit Windows viruses. Heuristic analysis can
detect unknown viruses and closely related variants of existing viruses using static and dynamic methods. Static heuristics rely on file format and common code fragment analysis. Dynamic heuristics use code emulation to mimic the processor and the operating system environment and detect suspicious operations as the code is “running” in the virtual machine of the scanner. Virus writers developed Anti heuristic and Anti emulation techniques to fight back against heuristic analyzers.

■ Antigoat- A goat file is an executable file with a known structure and/or file size , designed to be infected by a file-infecting computer virus in order to facilitate the study of such.

The infection of goat files facilitates virus analysis since it visibly distinguishes the virus body from the known file content. The goat files often have do-nothing instructions (like NOPs) and return the operating system to its default state without doing any additional tasks. For different types of viruses, goat files are made with a variety of file formats and internal architecture. For instance, a collection of goat files with sizes of 4, 8, 16, or 32 KB is produced.

Antigoat viruses use heuristic rules to detect possible goat files. For example, a virus might not infect a file if it is too small or if it contains a large number of do-nothing instructions, or if the filename contains numbers.

I. Encrypted Virus

From the very early days, virus writers tried to implement virus code evolution. One of the easiest ways to hide the functionality of the virus code was encryption. An encrypted virus encrypts its malicious code, making it difficult for antivirus software to detect or analyze them. The virus decrypts itself when executed, allowing it to infect the system.

J. Oligomorphic Virus

infection creators rapidly learned that as long as the decryptor’s code is lengthy and distinctive enough, antivirus software can still easily detect an encrypted virus. They made the decision to use methods to produce mutant decryptors in order to further test the antiviral software. Oligomorphic viruses do alter their decryptors in new generations, unlike viruses that are encrypted. Using a set of decryptors rather than just one makes changing the decryptors the simplest process possible. Whale was the first virus to be discovered to employ this method. The virus chose one of the many dozen distinct decryptors that Whale was carrying at the time.

K. Polymorphic viruses

Polymorphic viruses can mutate their decryptors to a high number of different instances that can take millions of different forms. A polymorphic virus is designed to change its code or appearance with each infection. This makes it difficult for antivirus software to detect them using traditional signature-based detection methods.

Case:

The “Storm Worm” or “Nuwar” virus, observed in 2007, was a polymorphic email worm that used social engineering techniques to entice users to open infected email attachments. Its constantly changing code made it difficult to detect and eliminate.

To ensure our safety and mitigate the potential consequences of different types of malware, it is crucial to maintain a state of alertness and implement necessary precautions. This involves regularly updating our software, employing reputable antivirus programs, and exercising caution when dealing with attachments or clicking on suspicious links. By staying vigilant, individuals can effectively shield themselves from these potential threats.

Reference:

The Art of Computer Virus Research and Defense- Peter Szor

Let’s connect?

LinkedIn: www.linkedin.com/in/ravitejmbandlekar

--

--