
What Is a Computer Virus, Really?


You might be familiar with the term, but what does it really mean? Hear from our expert about how these self-replicating programs infiltrate systems, propagate, and cause your computer to slow down, along with what you should know to stay ahead of them.

You likely understand the basic concept of how a computer virus operates, even if you’re unclear on the specifics. Somehow it gets into your computer, and then things slow down or errors start appearing, right? In reality, a virus is a specific kind of program with one defining ability: it replicates itself, much like a biological virus. Having reviewed programs that combat viruses (and other types of malware) for nearly 40 years, I’ve gained some insights. I’d like to explain how these harmful programs function and what you can do to prevent them.

However, before we move forward, I want to clear up a common misconception regarding antivirus applications. When I began examining them, antivirus programs were solely focused on defending against viruses, and only viruses. Some even listed the specific viruses they could disinfect in their (printed) user manuals. The image below is a replica of a manual I came across at a malware conference in 2010; the manual itself dates back to the 80s. Today, other forms of malicious software have largely displaced viruses. We still refer to the application as an antivirus, but it now does much more.

What Exactly Is a Computer Virus?

A computer virus is, fundamentally, a program. As with any other program, what it does defines it, and the defining action of a virus is to replicate itself. The virus exists as a sequence of computer instructions attached to another program, known as the host. When the host program executes, the virus code runs first. Its main goal is to find other programs and inject its code into them, thereby infecting them and turning them into new hosts.

If replication were the only action performed by a virus, it wouldn’t be as problematic. Sure, there’s a bit of additional processing time wasted each time the virus code executes. However, similar to a biological virus, a successful computer virus aims to avoid compromising its host. Continually infecting the same file could lead to endless growth, ultimately crashing the system. Most viruses are programmed to avoid reinfecting the same host.

The real issue arises from what we call the payload, which is the action a virus performs in addition to self-replication. Early experimental viruses might simply display messages or share jokes. However, other payloads became increasingly troublesome, even to the extent of issuing commands that could physically damage disks. These would typically activate after reaching a trigger event, such as a specific date, allowing them to spread widely before drawing attention.

Can My Smartphone Get Infected by a Virus?

When I first started evaluating PC software in the 80s, there was a vast array of PC-compatible brands and countless variations of DOS. To maintain compatibility, systems had to be sufficiently open, creating plenty of vulnerabilities for virus creators. Simultaneously, Apple’s computers developed within a tightly controlled ecosystem. This resulted in a much more secure system, not immune to malware, but certainly more resilient.

With the introduction of the iPhone and iOS, Apple enhanced security further. Essentially, no iOS application can interact with another program on disk or in memory. This controlled environment makes creating iOS malware impractical, if not impossible. When I attend security conferences like RSAC and Black Hat, I notice numerous iPhones in use because security experts are aware of this. Yes, I also use an iPhone myself.

Various companies manage their own iterations of Android, so it’s not as secure as iOS, but they typically keep up with ongoing security updates (as long as you continue to purchase new devices, that is).

The virus method, which involves spreading malware by infecting other programs, isn’t really viable in the smartphone context. What malware developers can do is design applications that appear useful while secretly serving a malicious purpose—these are known as Trojans. Apple’s strict control over its app store largely prevents such attacks, and efforts targeting the iPhone usually depend on physical access to the device. Conversely, on the Android platform, harmful applications frequently show up in the Google Play Store until they are removed.

In summary, smartphones generally aren’t ideal targets for virus attacks, but you could still download a Trojan from the app store. It’s essential to remain cautious, although not specifically concerning viruses.

Why Are Viruses Less Prevalent Than They Used to Be?

Before I considered researching computer viruses, I encountered them in the news. They had peculiar names such as Brain, Lehigh, and Jerusalem, and the news media gave them significant coverage. For many years, viruses consistently made headlines. Other types of malicious software were rarely mentioned, except for the occasional network worm. However, nowadays, the focus is primarily on ransomware, data breaches, and Trojan Horse programs. What has changed?

Firstly, as I will discuss below, the transition from original-PC COM files to contemporary PE programs has made it much more difficult to create viruses. Moreover, when your PC starts up from a hard drive, an old-school virus that only replicates by booting from a diskette stands little chance. Furthermore, modern PCs boot through UEFI, a distinct boot-time technology that can be safeguarded against alteration.

Secondly, the increase in virus outbreaks naturally led to a response in the form of antivirus software. A well-crafted antivirus program can disinfect host files and eliminate boot sector viruses from memory, as well as repair the disk. With the emergence of Windows and multitasking, antivirus software gained the ability to monitor in real-time to prevent virus infections. Additionally, Microsoft has integrated Defender Antivirus into Windows 10 and 11, offering antivirus protection to any PC without third-party security.

Thirdly, and perhaps most significantly, the rise of the widespread internet rendered previous virus attack methods outdated. In the days when PC fans (including myself) exchanged programs and ASCII art by swapping diskettes, each exchange created the risk of infecting a new computer. However, with universal internet access, diskettes are seldom traded. It is far simpler to create a Trojan Horse program (a seemingly legitimate program containing malicious code) and deceive users into executing it than to develop a virus that infects other applications.

I observe this transition in my own professional experience. Each year, I collect thousands of real-world malware samples to select a representative sample for my hands-on evaluations. During this process, I compare each sample against the VirusTotal database, which identifies the vast majority of them as Trojans.

As a final point, viruses are not profitable. Today, a comprehensive malware ecosystem exists with distributors, affiliates, supply chains, and all the characteristics of a legitimate business. Wrongdoers can earn money by leasing out networks of infected computers, selling personal information extracted by data-stealing Trojans, or employing ransomware that encrypts files and demands hefty payments for their restoration. There is no return on investment (ROI) for a virus that corrupts hard drives.

How Does a Virus Infect a Program?

In the early days of the IBM PC, it operated on an operating system cleverly named DOS, which stands for disk operating system. Program files for DOS had the extension COM, and a COM file on a disk simply contained a list of machine-level instructions for the computer’s CPU.

To execute a program, DOS copied it byte for byte into memory and began executing the first instruction. It continued executing instructions sequentially, except when an instruction directed it to jump to a different location within the program. Eventually, it would encounter an instruction indicating the end of the program. It was that straightforward.

When a virus targets such a program, its first action is to save a copy of the program’s initial instruction. It then appends its own code to the end of the host program’s file and replaces that initial instruction with a jump to the virus code. The virus code manages replication and determines whether to execute its payload. Once finished, it reinstates the saved initial instruction and jumps back to it. From that point on, the host program operates normally.

As demonstrated in the virus manual replica at the start of this article, these simple viruses consistently increased the size of the host file by a specific amount. The Cascade virus, one of the earliest samples I obtained for testing antivirus tools, always added 1701 bytes, which is why it was sometimes referred to as the 1701 virus.

Modern Windows applications utilize the portable executable (PE) file format and have the EXE extension. These PE files are significantly more complex than the older COM files. They are structured into various types of chunks, including headers, indexes, data sections, and executable code. The Windows program loader knows how to manage these chunks. A virus infecting such a file faces a more challenging task, but the fundamental approach remains the same—attach virus code to the host and ensure that the virus code executes prior to handing off control to the host.

How Does a Virus Infect a Disk?

Reflecting once again on the exciting early days, the first IBM PC lacked a hard drive. You would start up from the DOS disk, then switch in a program disk, and possibly use yet another disk to save your work. When the PC powered up, it looked for instructions to load the operating system at a location on the disk known as the boot sector, which would then stay in memory to manage launching programs and writing data files.

Some clever individuals discovered that they could insert their own commands into the boot sector, causing it to load virus code into memory along with DOS. Whenever another disk was inserted, the virus would copy its code to that disk’s boot sector. Like file-infecting viruses, these often came with a payload.

What Is a Worm? Is It a Kind of Virus?

Another type of malicious software is called a worm, and it’s easy to confuse worms with viruses since both can replicate themselves. The key difference is that a virus activates only when initiated from its host program or disk, while a worm is a standalone program that spreads across networks without needing to infect other programs or disks.

A worm proliferates by copying itself to other compatible computers on a network. In 1971, prior to the internet’s emergence, a worm named Creeper circulated through a portion of ARPANET, displaying the message “I’M THE CREEPER: CATCH ME IF YOU CAN.” Its distribution was limited because there were only a few dozen compatible machines on the network, and a subsequent program called Reaper was created solely to eliminate Creeper from the network.

Creeper and Reaper existed long before the PC was developed. As the internet expanded, so did the potential for damage caused by worms. The Morris worm, released in 1988, aimed to gauge the development of the emerging internet, but due to a programming flaw, it nearly brought the network to a standstill. Be sure to check out PCMag’s documentary about the Morris worm, where I make a brief appearance.

What Are Some Famous Viruses?

In 1986, two programmers at a computer shop in Lahore, Pakistan, developed an anti-piracy tool that effectively functioned as a boot sector virus. Its code included the creators’ names and addresses. To their surprise, the “Pakistani Brain” virus, recognized as the first PC virus, spread globally. After 25 years, security expert Mikko Hyppönen located the creators, who were still at their original address, and made a mini-documentary about the search. I attended an initial screening of the video, which I’m sharing here (with Mikko’s consent).

While the Brain virus was relatively harmless, the Jerusalem virus, released the following year, was quite the opposite. It could reside in memory and infect every program that was executed, affecting both COM and EXE files. On any Friday the 13th, it would reveal its malicious nature by deleting every program launched and continually infecting EXE files until they became unmanageably large.

Around this time, a virus emerged at Lehigh University in Pennsylvania. It specifically targeted the crucial DOS program COMMAND.COM, and after four infections, it would erase the boot sector of the active DOS disk. Thankfully, it was detected and removed before it could spread beyond the university. In 1989, PCMag utilized the Lehigh virus to evaluate antivirus software.

The Michelangelo virus from 1991 was another problematic one. Security researchers named it Michelangelo because its payload activated on March 6, the celebrated artist’s birthday. Most of the time, it merely replicated itself like any other boot sector virus. However, if your computer started up on that significant day, the virus would overwrite critical data on all connected diskettes and hard drives, making the system unbootable.

Even as these viruses gained notoriety, other forms of malware were on the rise as well. As mentioned, the Morris worm, which almost took down the internet, appeared in 1988. In 1999, the Melissa virus disrupted email systems around the world. Strictly speaking, though, Melissa was an email-based attack that used macro technology to propagate itself to others, rather than a true virus. With the widespread use of email and the internet, the peak era of the computer virus had ended.
