Write a short note on: Viruses, Worms and Antivirus Techniques
1 Answer

Types of viruses:

i. Parasitic Virus: The traditional and still most common form of virus. A parasitic virus attaches itself to an executable file and replicates when the infected program is executed.

ii. Memory resident Virus: Lodges in main memory as part of a resident system program. From that point on, the virus infects every program that executes.

iii. Boot-Sector Virus: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.

iv. Stealth Virus: A form of virus explicitly designed to hide itself from detection by antivirus software.

v. Polymorphic Virus: A virus that mutates with every infection, making detection by the “signature” of the virus impossible.

vi. Metamorphic Virus: A metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behaviour as well as their appearance.

Examples of recent viruses:

i. Macro viruses:

  • Macro virus is platform independent. Virtually all of the macro viruses infect Microsoft Word documents. Any hardware platform and operating system that supports Word can be infected.
  • Macro viruses infect documents, not executable portions of code. Most of the information introduced onto a computer system is in the form of a document rather than a program.
  • Macro viruses are easily spread. A very common method is by e-mail.

ii. E-Mail viruses:

A more recent development in malicious software is the e-mail virus. The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded in an attachment. If the recipient opens the e-mail attachment, the Word macro is activated. Then,

  • The e-mail virus sends itself to everyone on the mailing list in the user’s email package.
  • The virus does local damage.

Worms:

  • A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again.
  • In addition to propagation, the worm usually performs some unwanted function. An e-mail virus has some of the characteristics of a worm, because it propagates itself from system to system. A worm actively seeks out more machines to infect, and each infected machine serves as a launching pad for attacks on other machines.
  • Network worm programs use network connections to spread from system to system. Once active within a system, a network worm can behave as a computer virus or bacteria, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions.

State of worm technology

  • Multiplatform: Worms are not limited to Windows machines but can attack a variety of platforms, especially the popular varieties of UNIX.
  • Multiexploit: New worms penetrate systems in a variety of ways, using exploits against web servers, browsers, e-mail, file sharing and other network-based applications.
  • Ultrafast Spreading: One technique to accelerate the spread of a worm is to conduct a prior internet scan to accumulate internet addresses of vulnerable machines.
  • Polymorphic: To evade detection, skip past filters and foil real-time analysis, worms adopt the virus polymorphic technique. Each copy of the worm has new code generated on the fly using functionally equivalent instructions and encryption techniques.
  • Metamorphic: In addition to changing their appearance, metamorphic worms have a repertoire of behaviour patterns that are unleashed at different stages of propagation.
  • Transport Vehicles: Because worms can rapidly compromise a large number of systems, they are ideal for spreading other distributed attack tools, such as distributed denial of service zombies.
  • Zero-Day exploit: To achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.

Antivirus Techniques:

A. Antivirus Approaches

i. The ideal solution to the threat of viruses is prevention. Do not allow a virus to get into the system in the first place. This goal is, in general, impossible to achieve, although prevention can reduce the number of successful viral attacks. The next best approach is to be able to do the following:

ii. Detection: Once the infection has occurred, determine that it has occurred and locate the virus.

iii. Identification: Once detection has been achieved, identify the specific virus that has infected a program.

iv. Removal:

  • Once the specific virus has been identified, remove all traces of the virus from the infected program and restore it to its original state. Remove the virus from all infected systems so that the disease cannot spread further.
  • If detection succeeds but either identification or removal is not possible, then the alternative is to discard the infected program, and reload a clean backup version.
  • Advances in virus and antivirus technology go hand in hand. Early viruses were relatively simple code fragments and could be identified and purged with relatively simple antivirus software packages. As the virus arms race has evolved, both viruses and, necessarily, antivirus software have grown more complex and sophisticated.

B. Four generations of antivirus software have been identified:

  • First generation: Simple Scanners. A first-generation scanner requires a signature to identify a virus. The virus may contain “wildcards” but has essentially the same structure and bit pattern in all copies. Such signature-specific scanners are limited to the detection of known viruses. Another type of first-generation scanner maintains a record of the length of programs and looks for changes in length.
  • Second generation: Heuristic Scanners. A second-generation scanner does not rely on a specific signature. Rather, the scanner uses heuristic rules to search for probable virus infection. One class of such scanners looks for fragments of code that are often associated with viruses. For example, a scanner may look for the beginning of an encryption loop used in a polymorphic virus and discover the encryption key. Once the key is discovered, the scanner can decrypt the virus to identify it, then remove the infection and return the program to service.
  • Third generation: Activity Traps. Third-generation programs are memory-resident programs that identify a virus by its actions rather than its structure in an infected program. Such programs have the advantage that it is not necessary to develop signatures and heuristics for a wide array of viruses. Rather, it is necessary only to identify the small set of actions that indicate an infection is being attempted and then to intervene.
  • Fourth generation: Full-featured protection. Fourth-generation products are packages consisting of a variety of antivirus techniques used in conjunction. These include scanning and activity trap components. In addition, such a package includes access control capability, which limits the ability of viruses to penetrate a system and then limits the ability of a virus to update files in order to pass on the infection.
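As an added illustration of the two first-generation techniques described in the answer above (example code, not part of the original answer): a toy scanner that matches byte signatures containing wildcard positions, plus a program-length record that flags files whose length has changed. The signature, file name and byte stubs are all constructed for this example; the "variant" copy shows why a changed bit pattern defeats the signature while the length check still notices it.

```python
from typing import Dict, List, Optional

# A signature is a sequence of byte values; None marks a wildcard position.
Signature = List[Optional[int]]

def parse_signature(text: str) -> Signature:
    """Parse a hex pattern such as 'E8 ?? ?? 00 00 5D'; '??' is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def match_at(data: bytes, sig: Signature, pos: int) -> bool:
    """True if sig matches data starting at offset pos (wildcards match any byte)."""
    if pos + len(sig) > len(data):
        return False
    return all(b is None or data[pos + i] == b for i, b in enumerate(sig))

def scan(data: bytes, sigs: Dict[str, Signature]) -> List[str]:
    """Signature scanning: names of all signatures found anywhere in data."""
    return [name for name, sig in sigs.items()
            if any(match_at(data, sig, p) for p in range(len(data) - len(sig) + 1))]

class LengthMonitor:
    """Second first-generation technique: record program lengths and flag changes."""
    def __init__(self) -> None:
        self.baseline: Dict[str, int] = {}
    def record(self, name: str, data: bytes) -> None:
        self.baseline[name] = len(data)
    def changed(self, name: str, data: bytes) -> bool:
        return name in self.baseline and self.baseline[name] != len(data)

# Constructed sample data (not real malware): a harmless 32-byte "program",
# a copy with a 6-byte stub appended that the signature describes, and a
# "polymorphic" copy whose stub bytes differ, so only the length check catches it.
SIGNATURES = {"demo-parasite": parse_signature("E8 ?? ?? 00 00 5D")}
CLEAN = b"MZ\x90\x00" + b"\x00" * 28
INFECTED = CLEAN + bytes.fromhex("e81f0000005d")
VARIANT = CLEAN + bytes.fromhex("909090909090")

def check_program(name: str, data: bytes, monitor: LengthMonitor) -> Dict[str, object]:
    """Run both first-generation checks on one program and report the verdicts."""
    return {"signatures": scan(data, SIGNATURES),
            "length_changed": monitor.changed(name, data)}

if __name__ == "__main__":
    mon = LengthMonitor()
    mon.record("hello.exe", CLEAN)  # baseline length taken from the clean copy
    for label, blob in (("clean", CLEAN), ("infected", INFECTED), ("variant", VARIANT)):
        print(label, check_program("hello.exe", blob, mon))
```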