Best-Security-Software.com

Computer Viruses: It's Alive, It's Alive...



Computer viruses are programs that make your computer sick by attaching themselves to another program, copying themselves and sending those copies to other computers. Just like a human virus invades a cell in your body, a virus must invade an existing program. Also, a virus has to have help getting to another computer. That help can be an email, a web page, a file-sharing service, etc.

Computer viruses do bad things like change the way a program works in order to display a message from the virus programmer, re-direct your browser to a porn site, or just crash your computer altogether.

Sometimes, there are symptoms like really slow performance or having your entire contact list get an email from you that you didn't send. If these things happen, you should be suspicious and run your AV scanner.

Viruses today are smart. Just like antibiotic-resistant bacteria, they rewrite themselves to look different each time they infect a computer.

Here's an example:

Let's say these equations are the virus:

a = 1  b = 2   c = a + b

So, the result is that c = 3, right? But, the virus will carry another program with it that will change the equations to look different and then make a copy of itself with the new equations. For example:

We introduce a new variable called d that does nothing but take up space:

a = 1   b = 2

d = a * b - (b - a)   and so d = 1

Now, c = (a + b) * d and c is still equal to 3

So, I've changed the program code but not the answer. This is how computer viruses change themselves to look different but still do the same damage.

There are other terms that describe this type of code:

Self-modifying code: a computer program that modifies itself as it is executed. The resulting program does the same thing but looks different.

Metamorphic code: 1. changes itself to another form so that the children never look like the parents 2. can carry viruses with itself that can infect different OSs or platforms. It just creates a version of itself to fit what it's running on.

Polymorphic code: encrypts itself to achieve the same end.

Yep, like chameleons, they can change their color to avoid detection.

Since viruses are just computer programs, they are written in computer languages such as BASIC. It could look something like this:



Dim InWhere,HtmlText,VbsText,DegreeSign,AppleObject,FSO,WsShell,WinPath,SubE,FinalyDisk
Sub KJ_start()
KJSetDim()
KJCreateMilieu()
KJLikeIt()
KJCreateMail()
KJPropagate()
End Sub

Function KJAppendTo(FilePath,TypeStr)
On Error Resume Next
Set ReadTemp = FSO.OpenTextFile(FilePath,1)
TmpStr = ReadTemp.ReadAll
If Instr(TmpStr,"KJ_start()") <> 0 Or Len(TmpStr) < 1 Then
ReadTemp.Close
Exit Function
End If
If TypeStr = "htt" Then
... (and so on)


If you know nothing about programming, this looks bizarre to you, but I assure you this fragment comes from an actual virus program. The bottom line is that it instructs your computer to do something malicious and hides itself in the process.

As computer viruses began to spread, antivirus companies began to pop up. So how did they solve the problem? Originally, they would get a copy of the virus, study the computer code behind it, and then write a code fragment for their antivirus program.

This code fragment, known as a "signature" in the industry, would raise an alarm if it matched against that particular virus again. You would download the updates from the vendor and run a scan of your computer to see if you had that virus.

In those days, there were no automatic scans and no auto updates. You had to update and scan manually. Then, over time, new features were added that included those capabilities as well.

Eventually, there were other types of malware such as Trojans, spyware, rootkits, etc. that worked with viruses to infect computers. There were so many new ones coming out every day that antivirus companies just couldn't keep up.

Part of the solution was to create a new way to detect malware. Instead of using a signature that only matched one variant of one virus, the programmers started using sets of rules that watched for suspicious activities. These rules were called "heuristics". In this way, antivirus programs could identify various threats from one set of rules.
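To make the difference concrete, here is an added example (not code from this site or from any antivirus product) that scans the two harmless equation "programs" from earlier in the article. The signature is assumed to be a SHA-256 hash of the one known sample, and the heuristic is assumed to be a single rule on the computed result; all function names are illustrative.

```python
import ast
import hashlib
import operator

# The two toy "programs" from the article's equation example (constructed input).
ORIGINAL = "a = 1\nb = 2\nc = a + b\n"
VARIANT = "a = 1\nb = 2\nd = a * b - (b - a)\nc = (a + b) * d\n"

# Assumed signature database: hash of the single sample the vendor has studied.
SIGNATURES = {hashlib.sha256(ORIGINAL.encode()).hexdigest()}
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

def _eval(node, env):
    """Evaluate integers, variable names and + - * only; reject anything else."""
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.Name):
        return env[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval(node.left, env), _eval(node.right, env))
    raise ValueError("unsupported expression")

def run_toy(program):
    """Interpret 'name = expression' lines and return the resulting variables."""
    env = {}
    for stmt in ast.parse(program).body:
        if not (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            raise ValueError("only simple assignments are allowed")
        env[stmt.targets[0].id] = _eval(stmt.value, env)
    return env

def signature_match(program):
    """Signature check: flags only byte-identical copies of a known sample."""
    return hashlib.sha256(program.encode()).hexdigest() in SIGNATURES

def heuristic_match(program):
    """Heuristic check: judge what the program does (c ends up as 3), not its text."""
    try:
        return run_toy(program).get("c") == 3
    except (ValueError, KeyError, SyntaxError):
        return False

def scan(program):
    """Run both detectors and report each verdict."""
    return {"signature": signature_match(program),
            "heuristic": heuristic_match(program)}
```

The rewritten variant slips past the signature but not the rule on behaviour. The same rule also flags any unrelated program that happens to end with c equal to 3, which is the false-positive cost that heuristics carry.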

It's not quite that simple, but I hope that helps you understand what computer viruses are and how they're detected. The malware programmers will always be ahead of the antivirus programmers since the latter react to new threats created by the former. That's why you can't just run the latest Internet security suite and assume you're protected.



Security Tip Of The Week

Internet Security Tips
Microsoft and AARP are hosting "Safer Internet Day", a free live social media event, on Tuesday, Feb 7, 2012 at 11 AM PST / 12 PM MST / 1 PM CST / 2PM EST / 7PM GMT. Microsoft will be answering your questions live on the Facebook event wall. I'll be there and hope you will too. Follow them on Twitter at @Safer_Online for awesome security tips and updates.


















Copyright © 2008-2012 New Life Ventures, LLC and Best-Security-Software.com