Malware spotlight: What is a virus?
People have many misconceptions about computer-based viruses. The most common is treating "virus" as a generic umbrella term for malware, in the vein of Kleenex and Coke. Viruses are actually one specific type of malware that operates in a certain way, distinct from other information security maladies affecting systems.
This article will go into detail about viruses, including what they are, how they operate, the different phases of virus attacks and some different types of viruses that are around today. Viruses are not as prevalent as they used to be, especially with the rise of the other types of malware in recent years, but knowing how they stand on their own in the world of malware will still be useful.
What are viruses?
A virus is a type of malware that hides within legitimate application code and replicates itself until its programmed task is done. When not reproducing itself, a virus can modify legitimate programs in the compromised system and insert its own code. Computer-based viruses behave like viruses in our physical world, which is the reason for their name.
Viruses are some of the oldest pieces of malware and were around long before the internet came into widespread use. Floppy disks infected with viruses were the main infection vectors, and spreading from computer to computer required circulating these infected disks. With changes in technology came new ways to infect computers (such as USB drives), and with the proliferation of the internet came more effective methods to spread viruses (such as email and infected code on websites).
How viruses operate
Viruses are not standalone computer programs. Rather, a virus is a piece of code that inserts itself into a legitimate application. This means that the virus cannot do anything on its own but needs to depend on the user to activate the virus.
Activation is normally caused by the user using the application for its intended purpose. When the application runs, the virus code runs. The programmed task is achieved when the virus code runs, and the user is the one left holding the proverbial pieces of their compromised system.
Phases of a virus attack
Information security researchers and computer scientists have likened the life cycle of the virus to that of a biological actor. There are four distinct phases of a virus attack that begin once the virus has infected a system. These phases are presented below.
The dormant phase is when the virus is present in a system but is idle. This is a classic virus life cycle phase, though it should be noted that with changes in viruses over the years, not all viruses exhibit this phase. When a virus is in the dormant phase, it takes an action by the user to activate the virus code and trigger its malicious action.
The propagation phase is the one that many associate with virus activity at its most characteristic: reproduction and further system infection. When the virus reproduces, it creates a clone of itself that can infect different programs and different parts of a disk. These clones may not be exact copies of the original virus but may change over time to avoid antivirus software and information security professionals.
What really stings for an infected system is that each of these clones can replicate in the same way, meaning that a system can become inundated with infection after just a short amount of time.
The triggering phase describes when the virus becomes activated, allowing it to perform the task(s) that it was programmed to perform. This triggering can be caused by a direct user action, such as running an application, or even by a system event.
The execution phase is where the virus really gets to work. Its true intention is not to overwhelm a system with infection but to perform some task within a system when activated. Once triggered, the virus can achieve the purpose of its existence: delivering a payload.
Viruses exist for a certain reason, usually to deliver a malicious payload onto the infected system. This payload may be relatively small, like causing a popup to appear, or massively damaging where files and folders are deleted.
Different types of viruses
There are different types of viruses, each with their own characteristics and uses for attackers. Some of the most common and prolific are presented below.
Resident versus non-resident viruses
Resident viruses are inserted into the memory of a system. Once there, a resident virus can perform different actions, including leaving the original file it infected to run on its own. Resident viruses remain in memory after execution. Non-resident viruses perform their actions and then leave memory after execution.
Web scripting virus
This type of virus is widely used and is characterized by the attacker inserting malicious code into the web scripting of a webpage. Webpages that play videos, including YouTube, are often easy targets because all the attacker needs to do is leave a comment on the video with the infected code in order to infect the webpage.
Polymorphic virus
This type is one of the greatest challenges for information security professionals. Polymorphic viruses evade antivirus solutions by changing their code each time the infected file is executed, making this type near impossible to hunt.
Macro virus
A macro virus may appear just like a Word document on its face, but do not let this fool you. This type is capable not only of bringing users of infected systems to websites but also of hijacking the user's email contact list to send the infected file to everyone it finds.
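Because a macro-carrying file can look like an ordinary Word document, a defender can look inside the container instead of trusting the name. The following is an added example, not code from this article: it checks an Office Open XML file for an embedded VBA project and flags one that sits behind a macro-free extension such as .docx. The function names and the sample documents are constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")   # formats that must not carry VBA
MAX_CT_SIZE = 1_000_000                        # refuse to inflate oversized parts


def inspect_office_file(name: str, data: bytes) -> dict:
    """Report macro indicators for an Office file from its name and raw bytes."""
    report = {"container": "unknown", "vba_parts": [],
              "macro_content_type": False, "extension_mismatch": False}
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: needs an OLE-aware parser, not covered here.
        report["container"] = "ole"
        return report
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            report["container"] = "zip"
            return report
        report["container"] = "ooxml"
        # The VBA project is stored as a binary part named vbaProject.bin.
        report["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if zf.getinfo("[Content_Types].xml").file_size <= MAX_CT_SIZE:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            report["macro_content_type"] = "macroEnabled" in ct or "vbaProject" in ct
    has_macros = bool(report["vba_parts"]) or report["macro_content_type"]
    report["extension_mismatch"] = has_macros and name.lower().endswith(MACRO_FREE_EXT)
    return report


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped ZIP, not a real document."""
    main = ("application/vnd.ms-word.document.macroEnabled.main+xml"
            if with_macro else "application/vnd.openxmlformats-officedocument"
                               ".wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", f'<Types><Override PartName='
                    f'"/word/document.xml" ContentType="{main}"/></Types>')
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
    return buf.getvalue()
```

A mail gateway or upload filter could call `inspect_office_file` on each attachment and quarantine anything where `extension_mismatch` is true or `vba_parts` is non-empty.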
Viruses are a classic mainstay of malware and have been around for decades. From their humble beginnings on infected floppy disks to hyper-infected websites, viruses have evolved to suit the global information security landscape, similarly to how physical viruses change over time. Information security professionals need to stay current on virus trends, which change frequently and have a dramatic effect on their effectiveness.