Computer virus a. What is a computer virus? Types of computer viruses

What is a computer virus?

A computer virus is usually a small program that spreads on a computer network from one computer to another, disrupting both communication between computers and the operation of the operating system itself. This computer virus is usually designed to damage or even completely destroy computer data, while simultaneously using email agent programs to continue on its way to the next victims.

What is a computer virus?

Just like a biological virus, a computer virus can cause serious damage to a computer. A virus is an infection that the system can “catch” in several ways. His unlike other malware(from a technical point of view) – ability to reproduce, from computer to computer. So formally a virus is just a drop in the ocean of malicious software . But among other things, the most common threats on the network it could be considered:

Mail virus. This computer virus is attached by a hacker to an email sent to victims. Most likely, the virus, by analogy with its biological counterpart, will multiply and send itself to the addresses listed in your address book. Your friends open the letter they received from your address, and problems begin to snowball. Some viruses can run even if you do not view the attached files.

Virus life stages

• the body code of the virus is written from a ready-made template or by hand, as well as using special KITs
• the virus is duplicated at the initial stage for some time on specific victim machines, after which it is injected into the network
• Thanks to the slackness of users, the virus spreads across the network, continuously filling unprotected machines
• antivirus programs, separately from each other, begin to recognize the virus as malware and enter data on the virus into their database
• Thanks to timely updates of anti-virus software, the speed of virus spread is reduced, infected machines are freed from malicious code and virus activity is reduced to a minimum

How does a computer virus start?

Typically, a virus runs along with a program to which it is attached, invisible to the user. Once in the computer's memory, it can do all sorts of things, depending on its purpose. Some viruses attach themselves to the system in a “sleeping” format and lie dormant until certain circumstances foreseen by the hacker are met. And usually the range of actions is:

• infection of other applications and system files with damage (or without it)
• functions of transmitting itself further over the network

How does a computer virus work?

The malware toolkit here is extremely wide. Some live while the parent application is running, some just need to be on your computer, and they completely seize power over it, continuing to infect the network to which the computer is connected. Some are designed just to ruin the user's mood by overloading the processor and eventually simply turning off the computer. Thus, users often suffer from system failure due to a fake or infected system service svchost.

There are several phases of antivirus operation:

• Stage of infection. The virus duplicates itself, attaching itself to a certain executive file .exe systems. He does not have to change the program code (he often does not know how to do this - why such difficulties?). The task is to gain a foothold at the entry point, so that the next time the program is launched, first the virus will start, and then the program itself:

• Attack phase. Either:

1. User activation (program launch)
2. Triggering of a preset trigger (for example, a certain date or time)
3. Reproduction and the beginning of active activity (files are deleted and the system slows down in the current session - this happens if the virus has completed the programmed task)

How does a computer virus spread?

Through mail, through programs and utilities downloaded online. This is especially true for illegal content of all forms and types. Hence the first piece of advice: do not open unfamiliar emails, do not download illegal content. Today there are many psychological forms of hiding viruses: Easy So don’t be surprised if your friend denies the infected letter that you allegedly received yesterday from her.

Who needs this?

This trivial question can be answered with a list of goals that a computer virus pursues:

• computer vandalism and simple hooliganism
• computer jokes
• field testing by a hacker
• black methods of fighting competitors
• cyber terrorism
• use as an instrument of financial gain

How do I know if I have contracted a computer virus?

The surest signs of a virus in the system are:

• The computer runs slower than usual; It is Explorer that slows down a lot
• The computer “freezes” or turns off (you simply can’t touch the processor cooling radiator and the cooling system has nothing to do with it)
• Applications work “somehow wrong”, especially noticeably when launching a specific program; the hard drive is constantly loaded with something - and the LED for accessing the hard drive continuously signals this
• Unable to access hard and removable drives
• The printer does not work
• Strange errors that interfere with work
• Changed appearance of dialog boxes
• Your antivirus freezes or does not work properly
• An attempt to install an antivirus fails; portable versions of antiviruses give a startup error
• Unfamiliar icons and shortcuts appeared on the desktop
• Some of the programs disappeared altogether

Next time we’ll talk about how to properly build system protection and take a closer look at viruses.

Defining a computer virus is a historically problematic issue, since it is quite difficult to give a clear definition of a virus, while outlining properties that are unique to viruses and do not apply to other software systems. On the contrary, giving a strict definition of a virus as a program that has certain properties, one can almost immediately find an example of a virus that does not have such properties.

Another problem associated with the definition of a computer virus lies in the fact that today a virus most often means not a “traditional” virus, but almost any malicious program. This leads to confusion in terminology, further complicated by the fact that almost all modern antiviruses are capable of detecting these types of malware, so the “malware-virus” association is becoming more and more stable.

Classification

Currently, there is no unified system for classifying and naming viruses, however, in various sources you can find different classifications, here are some of them:

Classification of viruses by method of infection

Resident

Such viruses, having gained control, one way or another remain in memory and search for victims continuously until the environment in which it is executed is shut down. With the transition to Windows, the problem of remaining in memory ceased to be relevant: almost all viruses executed in the Windows environment, as well as in the Microsoft Office application environment, are resident viruses. Accordingly, the resident attribute is applicable only to file DOS viruses. The existence of non-Windows resident viruses is possible, but in practice they are a rare exception.

Non-resident

Having received control, such a virus performs a one-time search for victims, after which it transfers control to the object associated with it (the infected object). This type of virus includes script viruses.

Classification of viruses by degree of impact

Harmless

Viruses that do not affect the operation of the computer in any way (except for reducing the free memory on the disk as a result of their spread);

Non-hazardous

Viruses that do not interfere with the operation of the computer, but reduce the amount of free RAM and disk memory; the actions of such viruses are manifested in some graphic or sound effects;

Dangerous

Viruses that can lead to various problems with your computer;

Very dangerous

Viruses, the impact of which can lead to the loss of programs, the destruction of data, and the erasure of information in system areas of the disk.

Classification of viruses by camouflage method

When creating copies for camouflage, the following technologies can be used:

Encryption- the virus consists of two functional parts: the virus itself and the encoder. Each copy of the virus consists of an encryptor, a random key, and the virus itself, encrypted with this key.

Metamorphism- creating different copies of the virus by replacing blocks of commands with equivalent ones, swapping pieces of code, inserting “junk” commands between significant pieces of code that do practically nothing.

Encrypted virus

This is a virus that uses simple random key encryption and an immutable encryptor. Such viruses are easily detected by the encryption signature.

Ransomware virus

In most cases, the ransomware virus arrives via email as an attachment from a person unfamiliar to the user, and possibly on behalf of a well-known bank or operating large organization. Letters come with headings like: “Reconciliation report...”, “Your debt to the bank...”, “Verification of registration data”, “Resume”, “Blocking of current account” and so on. The letter contains an attachment with documents purporting to confirm the fact stated in the header or body of the letter. When you open this attachment, a ransomware virus is instantly launched, which will quietly and instantly encrypt all documents. The user will detect the infection by seeing that all files that previously had familiar icons will now be displayed with icons of an unknown type. The criminal will demand money for decryption. But often, even after paying the attacker, the chances of recovering data are negligible.

Malicious email attachments are most often found in .zip, .rar, .7z archives. And if the function of displaying file extensions is disabled in the computer system settings, then the user (recipient of the letter) will only see files like “Document.doc”, “Act.xls” and the like. In other words, the files will seem completely harmless. But if you enable the display of file extensions, you will immediately see that these are not documents, but executable programs or scripts; the file names will take on a different form, for example, “Document.doc.exe” or “Act.xls.js”. When opening such files, it is not the document that is opened, but a ransomware virus that is launched. Here is just a short list of the most popular “dangerous” file extensions: .exe, .com, .js, .wbs, .hta, .bat, .cmd. Therefore, if the user does not know what was sent to him in the attachment, or the sender is not familiar, then most likely the letter contains an encrypting virus.

In practice, there are cases of receiving an ordinary Word file (with the .doc extension) by email, inside of which, in addition to text, there is an image, a hyperlink (to an unknown site on the Internet) or an embedded OLE object. When you click on such an object, an immediate infection occurs.

Ransomware viruses have become increasingly popular since 2013. In June 2013, the well-known company McAfee released data showing that they collected 250,000 unique examples of ransomware viruses in the first quarter of 2013, which is more than double the number of viruses detected in the first quarter of 2012.

In 2016, these viruses reached a new level, changing the principle of operation. In April 2016, information appeared on the Internet about a new type of ransomware virus, which, instead of encrypting individual files, encrypts the MFT table of the file system, which leads to the fact that the operating system cannot detect files on the disk and the entire disk is in fact encrypted.

Polymorphic virus

A virus that uses a metamorphic encryptor to encrypt the main body of the virus with a random key. In this case, part of the information used to obtain new copies of the encryptor can also be encrypted. For example, a virus can implement several encryption algorithms and, when creating a new copy, change not only the encoder commands, but also the algorithm itself.

Classification of viruses by habitat

The “habitat” refers to the system areas of the computer, operating systems or applications into the components (files) of which the virus code is embedded. Based on their habitat, viruses can be divided into:

• boot;
• file
• macro viruses;
• script viruses.

During the era of DOS viruses, hybrid file-boot viruses were common. After the massive transition to operating systems of the Windows family, both boot viruses themselves and the mentioned hybrids practically disappeared. Separately, it is worth noting the fact that viruses designed to work in the environment of a specific OS or application turn out to be ineffective in the environment of other OSes and applications. Therefore, the environment in which it is capable of executing is identified as a separate attribute of the virus. For file viruses, these are DOS, Windows, Linux, MacOS, OS/2. For macro viruses - Word, Excel, PowerPoint, Office. Sometimes a virus requires a specific version of the OS or application to work correctly, then the attribute is specified more narrowly: Win9x, Excel97.

File viruses

File viruses, when they reproduce in one way or another, use the file system of any (or any) OS. They:

• are embedded in executable files in various ways (the most common type of virus);
• create duplicate files (companion viruses);
• create copies of themselves in various directories;
• use peculiarities of the file system organization (link viruses).

Everything that is connected to the Internet needs anti-virus protection: 82% of detected viruses were “hidden” in files with the extension PHP, HTML and EXE.

The number of malware is growing steadily and may soon reach epidemic proportions. The spread of viruses in the digital world has no boundaries, and even with all the available opportunities, it is no longer possible to neutralize the activities of the criminal cyber community today. It is becoming increasingly difficult to fight hackers and virus writers who are constantly improving their skills. Thus, attackers have learned to successfully hide digital channels for spreading threats, which makes it much more difficult to track and analyze their online movements. The distribution routes are also changing; if previously cybercriminals preferred email to spread viruses, today real-time attacks take the leading position. There has also been a rise in malicious web applications, which have proven to be more than suitable for attack by cybercriminals. According to Govind Rammurthy, CEO and Managing Director of eScan MicroWorld, today's hackers have learned to successfully evade detection by traditional antivirus signatures, which for a number of reasons are doomed to fail when it comes to detecting web threats. Based on samples examined by eScan, web threats dominate the malware category. 82% of detected malware are files with the extension PHP, HTML and EXE, and MP3, CSS and PNG - less than 1%.

This clearly suggests that hackers' choice is the Internet rather than attacks using software vulnerabilities. Threats are polymorphic in nature, meaning that malware can be effectively recoded remotely, making it difficult to detect. Therefore, a high probability of infection is associated, among other things, with visiting websites. According to eScan MicroWorld, the number of redirect links and hidden downloads (drive-by-downloads) on hacked resources has increased by more than 20% over the past two months. Social networks also greatly expand the ability to deliver threats.

Take, for example, a banner circulating on Facebook that asked the user to change the color of the page to red, blue, yellow, etc. The enticing banner contained a link that directed the user to a fraudulent site. There, confidential information fell into the hands of attackers, which was used or sold to obtain illegal profits to various Internet organizations. Thus, antiviruses based on traditional signatures are ineffective today, since they cannot reliably protect against web threats in real time. An antivirus that is based on cloud technologies and receives information about threats from the cloud can handle these tasks.

Boot viruses

Boot viruses write themselves either to the boot sector of the disk (boot sector), or to the sector containing the system boot loader of the hard drive (Master Boot Record), or change the pointer to the active boot sector. This type of virus was quite common in the 1990s, but practically disappeared with the transition to 32-bit operating systems and the abandonment of the use of floppy disks as the main method of exchanging information. Theoretically, it is possible that boot viruses could appear that infect CDs and USB flash drives, but to date no such viruses have been detected.

Macro viruses

Many spreadsheet and graphic editors, design systems, and word processors have their own macro languages ​​for automating repetitive actions. These macro languages ​​often have a complex structure and a rich set of commands. Macro viruses are programs in macro languages ​​built into such data processing systems. To reproduce, viruses of this class use the capabilities of macro languages ​​and, with their help, transfer themselves from one infected file (document or table) to others.

Script viruses

Script viruses, like macro viruses, are a subgroup of file viruses. These viruses are written in various script languages ​​(VBS, JS, BAT, PHP, etc.). They either infect other script programs (MS Windows or Linux command and service files) or are parts of multicomponent viruses. Also, these viruses can infect files of other formats (for example, HTML), if scripts can be executed in them.

Classification of viruses according to the method of infecting files

Overwriting

This infection method is the simplest: the virus writes its own code instead of the code of the infected file, destroying its contents. Naturally, in this case the file stops working and is not restored. Such viruses reveal themselves very quickly, since the operating system and applications stop working quite quickly.

Injecting a virus at the beginning of a file

Thus, when an infected file is launched, the virus code is the first to receive control. In this case, viruses, in order to preserve the functionality of the program, either disinfect the infected file, re-run it, wait for its completion and write again to its beginning (sometimes a temporary file is used for this, in which the neutralized file is written), or restore the program code in the computer memory and configure the necessary addresses in its body (i.e., duplicate the operation of the OS).

Injecting a virus at the end of a file

The most common way to introduce a virus into a file is to append the virus to the end of it. In this case, the virus changes the beginning of the file in such a way that the first commands of the program contained in the file to be executed are the virus commands. In order to gain control when the file starts, the virus adjusts the start address of the program (entry point address). To do this, the virus makes the necessary changes to the file header.

Injecting a virus into the middle of a file

There are several methods for introducing a virus into the middle of a file. In the simplest of them, the virus moves part of the file to the end or “spreads” the file and writes its code into the free space. This method is largely similar to the methods listed above. Some viruses compress the transferred file block so that the length of the file does not change during infection.

The second is the “cavity” method, in which the virus is written to obviously unused areas of the file. The virus can be copied into unused areas of the header of an EXE file, into “holes” between sections of EXE files, or into the text message area of ​​popular compilers. There are viruses that infect only those files that contain blocks filled with some kind of constant byte, and the virus writes its code instead of such a block.

In addition, copying a virus into the middle of a file may occur as a result of a virus error, in which case the file may be irreversibly damaged.

Viruses without an entry point

Separately, it should be noted that there is a rather small group of viruses that do not have an “entry point” (EPO viruses - Entry Point Obscuring viruses). These include viruses that do not change the starting point address in the header of EXE files. Such viruses write a command to transfer their code to some place in the middle of the file and receive control not directly when the infected file is launched, but when calling a procedure containing code for transferring control to the virus body. Moreover, this procedure can be performed extremely rarely (for example, when a message about a specific error is displayed). As a result, a virus can “sleep” inside a file for many years and emerge free only under certain limited conditions.

Before writing a command to switch to its code in the middle of the file, the virus must select the “correct” address in the file - otherwise the infected file may be corrupted. There are several known ways in which viruses determine such addresses inside files, for example, searching a file for a sequence of standard code of programming language procedure headers (C/Pascal), disassembling the file code, or replacing the addresses of imported functions.

Companion viruses

The category of companion viruses includes viruses that do not change the infected files. The operating algorithm of these viruses is that a duplicate file is created for the infected file, and when the infected file is launched, it is this duplicate, i.e., the virus, that receives control.

Viruses of this type include those that, when infected, rename a file to some other name, remember it (for subsequent launch of the host file) and write their code to disk under the name of the infected file. For example, the file NOTEPAD.EXE is renamed NOTEPAD.EXD, and the virus is recorded under the name NOTEPAD.EXE. On startup, control receives a virus code, which then launches the original NOTEPAD.

There may be other types of companion viruses that use other original ideas or features of other operating systems. For example, PATH companions that place copies of themselves in the main Windows directory, taking advantage of the fact that this directory is the first in the PATH list, and Windows will first look for startup files in it. Many computer worms and Trojan programs also use this self-launch method.

Link viruses

Link viruses do not change the physical contents of files, but when an infected file is launched, they “force” the OS to execute its code. They achieve this goal by modifying the necessary fields of the file system.

File worms

File worms do not in any way associate their presence with any executable file. When they reproduce, they simply copy their code to some disk directories in the hope that these new copies will someday be launched by the user. Sometimes these viruses give their copies “special” names to encourage the user to run their copy - for example, INSTALL.EXE or WINSTART.BAT.

Some file worms can write copies of themselves into archives (ARJ, ZIP, RAR). Others write the command to run the infected file in BAT files.

OBJ-, LIB-viruses and viruses in source texts

Viruses that infect compiler libraries, object modules, and program source codes are quite exotic and practically uncommon. There are about a dozen of them in total. Viruses that infect OBJ and LIB files write their code in them in the format of an object module or library. The infected file is therefore not executable and is unable to further spread the virus in its current state. The carrier of the “live” virus is a COM or EXE file obtained during the process of linking an infected OBJ/LIB file with other object modules and libraries. Thus, the virus spreads in two stages: in the first stage, OBJ/LIB files are infected, in the second stage (linking) a working virus is obtained.

Infecting program source codes is a logical continuation of the previous propagation method. In this case, the virus adds its source code to the source texts (in this case, the virus must contain it in its body) or its hexadecimal dump (which is technically easier). An infected file is capable of further spreading the virus only after compilation and linking.

Spreading

Unlike worms (network worms), viruses do not use network services to penetrate other computers. A copy of the virus reaches remote computers only if the infected object, for some reason beyond the functionality of the virus, is activated on another computer, for example:

• when infecting accessible disks, the virus penetrated into files located on a network resource;
• the virus has copied itself to removable media or infected files on it;
• the user sent an email with an infected attachment.

Kaspersky Lab specialists prepared in the summer of 2012 a list of the 15 most notable malware programs that have left their mark on history:

• 1986 Brian – the first computer virus; it spread by writing its own code to the boot sector of floppy disks.
• 1988 The Morris worm infected approximately 10% of computers connected to the Internet (that is, about 600 computers).
• 1992 Michelangelo is the first virus to attract media attention.
• 1995 Concept - the first macro virus.
• 1999 Melissa ushered in the era of mass malware distributions leading to global epidemics.
• On April 26, 1999, the first global computer disaster occurred. The programmers, perhaps, did not scare their children with the Chernobyl or CIH virus. According to various sources, about half a million computers around the world were affected, and never before have the consequences of virus epidemics been so widespread and accompanied by such serious losses
• 2003 Slammer – a fileless worm that caused a widespread epidemic throughout the world.
• 2004 Cabir – the first experimental virus for Symbian; distributed via Bluetooth.
• 2006 Leap is the first virus for the Mac OSX platform.
• 2007 Storm Worm - for the first time used distributed command and control servers to manage infected computers.
• 2008 Koobface is the first virus to deliberately attack users of the social network Facebook.
• 2008 Conficker is a computer worm that caused one of the largest epidemics in history, as a result of which the computers of companies, home users and government organizations in more than 200 countries were infected.
• 2010 FakePlayer – SMS Trojan for Android smartphones.
• 2010 Stuxnet is a worm that was used to carry out a targeted attack on SCADA (Supervisory Control And Data Acquisition) systems, marking the beginning of the era of cyber warfare.
• 2011 Duqu is a complex Trojan program that collects information from industrial facilities.
• 2012 Flame is a complex malware that is actively used in a number of countries as a cyber weapon. The complexity and functionality of the malware exceeds all previously known types of threats.

Panda Security: Virus Ranking 2010

• Evil Mac lover: This is the name given to the remote access program with the frightening name Hellraiser.A (HellRaiser.A). It only affects Mac systems and requires user permission to install on the computer. If the victim installs it, the program will gain full remote access to the computer and will be able to perform a number of functions... right down to opening the drive!
• Good Samaritan: Surely some have already guessed what we are talking about... This is the file Bredolab.Y. It's disguised as a Microsoft support message telling you that you urgently need to install a new security patch for Outlook... But be careful! If you download the proposed file, a fake Security Tool will be automatically installed on your computer, which will warn you that the system is infected and the need to purchase a particular security solution to combat the virus. If you pay for the program offered, you will, of course, never receive it, it will not solve your problem, and you will not get your money back.
• Linguist of the Year: Without a doubt, times are difficult... And hackers are increasingly forced to adapt to new trends and do everything possible to catch their next victim. The lengths they are willing to go to to deceive users knows no bounds! To do this, they are even ready to learn foreign languages. Therefore, we decided to award the award in the “Linguist of the Year” category to a virus called MSNWorm.IE. This virus, which is nothing special in itself, spreads through messaging programs, inviting users to look at a photo... in 18 languages! Although the smiley at the end remains the universal “:D”...

So, if you want to know how to say “Look at the photo” in another language, this list will save you time:

• The bravest: In 2010, Stuxnet.A received this award. If there was a soundtrack to go with this threat, it would be something like "Mission: Impossible" or "Saint." This malicious code was developed to attack supervisory control and data collection systems, i.e. on critical infrastructures. The worm exploits a flaw in Microsoft USB security to gain access to the very core of nuclear power plants... Sounds like the plot of a Hollywood movie!
• The most annoying: Remember what viruses used to be like? After infecting your computer once, they constantly ask: “Are you sure you want to quit the program? - Not really?". Regardless of your answer, the same question appeared again and again: “Are you sure you want to quit the program?”, capable of pissing off even a saint... This is exactly how the most annoying worm of 2010, Oscarbot.YQ, works. Once you install it, you can start praying, meditating or sitting in a yoga pose, because it will drive you crazy. Every time you try to close the program, you will see a window with another question, and another, and another... The most annoying thing is that this is inevitable.
• The safest worm: Clippo.A. This name may remind some users of the name Clippy - the nickname for the Microsoft Office assistant in the form of a paper clip. This is the safest of all existing worms. Once installed on your computer, it protects all documents with a password. This way, when the user tries to open the document again, they won't be able to do so without the password. Why does the virus do this? The most interesting thing is that it’s just like that! No one is offering to buy a password or buy an antivirus. This is just to annoy you. However, for those users who were infected, it is not funny at all, because... there are no visible symptoms of infection.
• Victim of the crisis: Ramsom.AB. The economic crisis has affected many people around the world, including cyber criminals. A few years ago, so-called “ransomware” (viruses that lock your computer and ask for ransom) demanded more than $300 to unlock it. Now, due to the crisis, recession and competition among cyber scammers, victims are offered to buy back their computer for only $12. Hard times have come... I almost feel sorry for the hackers.
• The most economical: in 2010, the winner in this category was SecurityEssentials2010 (of course, a fake, not the official MS antivirus). This malicious code acts like any other fake antivirus. It informs the user that his computer has been attacked by viruses and can only be saved by purchasing this antivirus. The design of the fake antivirus is very convincing: messages and windows look very believable. So be careful! And don't take my word for it.

Computer virus- a type of malicious software capable of injecting itself into the code of other programs, system memory areas, boot sectors, and distributing copies of itself through various communication channels.

The main purpose of a virus is to spread it. In addition, its often accompanying function is to disrupt the operation of software and hardware systems - deleting files and even deleting the operating system, rendering data storage structures unusable, blocking the work of users, etc. Even if the author of the virus has not programmed harmful effects, the virus can cause to computer failures due to errors, unaccounted for subtleties of interaction with the operating system and other programs. In addition, viruses, as a rule, take up space on storage devices and consume system resources.

In everyday life, all malicious software is called “viruses,” although in fact this is only one type of it.

Story

The foundations of the theory of self-replicating mechanisms were laid by an American of Hungarian origin, John von Neumann, who in 1951 proposed a method for creating such mechanisms. Working examples of such programs have been known since 1961.

The first known viruses are Virus 1,2,3 and Elk Cloner for the Apple II PC, which appeared in 1981. In the winter of 1984, the first antivirus utilities appeared - CHK4BOMB and BOMBSQAD by Andy Hopkins. In early 1985, Gee Wong wrote the DPROTECT program, the first resident antivirus.

The first virus epidemics date back to -1989: Brain (spread in the boot sectors of floppy disks, causing the largest epidemic), Jerusalem(appeared on Friday May 13, 1988, destroying programs when they were launched), the Morris worm (over 6,200 computers, most networks were out of order for up to five days), DATACRIME (about 100 thousand infected PCs in the Netherlands alone).

At the same time, the main classes of binary viruses took shape: network worms (Morris worm, 1987), “Trojan horses” (AIDS, 1989), polymorphic viruses (Chameleon, 1990), stealth viruses (Frodo, Whale, 2nd half of 1990).

At the same time, organized movements of both pro- and anti-virus orientation were taking shape: in 1990, a specialized BBS Virus Exchange, “The Little Black Book of Computer Viruses” by Mark Ludwig, and the first commercial antivirus Symantec Norton AntiVirus appeared.

In addition, monolithic viruses are largely giving way to complex malware with separation of roles and auxiliary tools (Trojans, downloaders/droppers, phishing sites, spambots and spiders). Social technologies - spam and phishing - are also flourishing as a means of infection that bypasses software security mechanisms.

At first, based on Trojan programs, and with the development of p2p network technologies - and independently - the most modern type of viruses - botnet worms - is gaining momentum (Rustock, 2006, about 150 thousand bots; Conficker, 2008-2009, more than 7 million bots ; Kraken, 2009, approx. 500 thousand bots). Viruses, among other malware, are finally being formalized as a means of cybercrime.

Etymology of the name

A computer virus was named by analogy with biological viruses due to a similar mechanism of spread. Apparently, the word “virus” was first used in relation to a program by Gregory Benford in the science fiction story “The Scarred Man,” published in Venture magazine in May 1970.

The term “computer virus” was subsequently “discovered” and rediscovered more than once. Thus, the variable in the PERVADE() subroutine, the value of which determined whether the ANIMAL program would be distributed across the disk, was called VIRUS. Joe Dellinger also called his programs a virus, and this was probably what was first correctly labeled as a virus.

Formal definition

There is no generally accepted definition of a virus. In an academic environment, the term was used by Fred Cohen in his work “Experiments with Computer Viruses,” where he himself attributes the authorship of the term to Leonard Adleman.

Formally, the virus is defined by Fred Cohen with reference to the Turing machine as follows:

M: (S M , I M , O M: S M x I M > I M , N M: S M x I M > S M , D M: S M x I M > d)

with a given set of states S M, a set of input symbols I M and mappings (O M, N M, D M), which based on its current state s ∈ S M and input character i ∈ I M, read from a semi-infinite tape, determines: the output symbol o ∈ I M to write to tape, the next state of the machine s" ∈ S M and movements along the tape d ∈ (-1,0,1).

For this machine M character sequence v: v i ∈ I M can be considered a virus if and only if the sequence is processed v at a point in time t entails that at one of the following moments in time t subsequence v′(not intersecting with v) exists on the tape, and this sequence v′ was recorded M at the point t′, lying between t And t″:

∀ C M ∀ t ∀ j: S M (t) = S M 0 ∧ P M (t) = j ∧ ( C M (t, j) … C M (t, j + |v| - 1)) = v ⇒ ∃ v" ∃ j" ∃ t" ∃ t": t< t" < t" ∧ {j" … j" +|v"|} ∩ {j … j + |v|} = ∅ ∧ { C M (t", j") … C M (t", j" + |v"| - 1)} = v" ∧ P M (t") ∈ { j" … j" + |v"| - 1 }

• t ∈ N number of basic “movement” operations performed by the machine
• P M ∈ N position number on the machine belt at a time t
• S M 0 initial state of the machine
• C M (t, c) cell contents c at a point in time t

This definition was given in the context of the viral set VS = (M, V)- a pair consisting of a Turing machine M and many character sequences V: v, v" ∈ V. From this definition it follows that the concept of a virus is inextricably linked with its interpretation in a given context or environment.

It was shown by Fred Cohen that "any self-replicating sequence of symbols: singleton VS, according to which there are an infinite number VS, and not- VS, for which there are machines for which all sequences of characters are a virus, and machines for which no sequence of characters is a virus, makes it possible to understand when any finite sequence of characters is a virus for some machine.” He also provides evidence that in general the question of whether a given pair is (M, X) : X i ∈ I M virus, is unsolvable (that is, there is no algorithm that could reliably identify all viruses) by the same means that prove the unsolvability of the stopping problem.

Other researchers have proven that there are types of viruses (viruses containing a copy of a program that catches viruses) that cannot be accurately identified by any algorithm.

Classification

Nowadays, there are many varieties of viruses, differing in their main method of distribution and functionality. If initially viruses spread on floppy disks and other media, now viruses spreading through local and global (Internet) networks dominate. The functionality of viruses, which they adopt from other types of programs, is also growing.

Via the Internet, local networks and removable media.

Mechanism

Viruses spread by copying their body and ensuring its subsequent execution: introducing themselves into the executable code of other programs, replacing other programs, registering themselves in autorun through the registry, and more. A virus or its carrier can be not only programs containing machine code, but also any information containing automatically executed commands, for example, batch files and Microsoft Word and Excel documents containing macros. In addition, to penetrate a computer, a virus can use vulnerabilities in popular software (for example, Adobe Flash, Internet Explorer, Outlook), for which distributors inject it into ordinary data (pictures, texts, etc.) together with an exploit that uses vulnerability.

Once a virus has successfully infiltrated a program, file, or document, it will remain dormant until circumstances force the computer or device to execute its code. For a virus to infect your computer, you must run the infected program, which in turn will lead to the execution of the virus code. This means that the virus can remain dormant on the computer without any symptoms of infection. However, once the virus takes effect, it can infect other files and computers on the same network. Depending on the goals of the virus programmer, viruses either cause minor harm or have a destructive effect, such as deleting data or stealing confidential information.

Channels

• Floppy disks. The most common channel of infection in the 1980-1990s. Now practically absent due to the emergence of more common and efficient channels and the lack of floppy drives on many modern computers.
• Flash drives (“flash drives”). Currently, USB drives are replacing floppy disks and repeating their fate - a large number of viruses are spread through removable drives, including digital cameras, digital video cameras, portable digital players, and since the 2000s, mobile phones, especially smartphones, have played an increasingly important role (mobile phones have appeared viruses). The use of this channel was previously primarily due to the ability to create a special file on the drive, autorun.inf, in which you can specify the program that Windows Explorer will launch when opening such a drive. In Windows 7, the ability to autorun files from portable media was disabled.
• Email . Typically, viruses in emails are disguised as harmless attachments: pictures, documents, music, links to websites. Some letters may actually only contain links, that is, the letters themselves may not contain malicious code, but if you open such a link, you can get to a specially created website containing virus code. Many email viruses, having landed on a user's computer, then use the address book from installed email clients such as Outlook to send themselves further.
• Instant messaging systems. It is also common here to send links to supposedly photos, music or programs that are actually viruses via ICQ and other instant messaging programs.
• Web pages. Infection through Internet pages is also possible due to the presence of various “active” content on World Wide Web pages: scripts, ActiveX components. In this case, vulnerabilities in the software installed on the user’s computer or vulnerabilities in the site owner’s software are used (which is more dangerous, since respectable sites with a large flow of visitors are exposed to infection), and unsuspecting users who visit such a site risk infecting their computer .
• Internet and local networks (worms). Worms are a type of virus that penetrates a victim computer without user intervention. Worms use so-called “holes” (vulnerabilities) in operating system software to penetrate a computer. Vulnerabilities are errors and flaws in software that allow machine code to be remotely downloaded and executed, as a result of which a worm virus enters the operating system and, as a rule, begins infecting other computers via a local network or the Internet. Attackers use infected user computers to send spam or carry out DDoS attacks.

Anti-detection

Prevention and treatment

Currently, there are many antivirus programs used to prevent viruses from entering the PC. However, there is no guarantee that they will be able to cope with the latest developments. Therefore, some precautions should be taken, in particular:

1. Do not work under privileged accounts unless absolutely necessary (administrator account in Windows).
2. Do not run unfamiliar programs from dubious sources.
3. Try to block the possibility of unauthorized changes to system files.
4. Disable potentially dangerous system functionality (for example, autorun media in MS Windows, hiding files, their extensions, etc.).
5. Do not go to suspicious sites, pay attention to the address in the address bar of the browser.
6. Use only trusted distributions.
7. Constantly make backup copies of important data, preferably onto media that cannot be erased (for example, BD-R) and have a system image with all the settings for quick deployment.
8. Perform regular updates to frequently used programs, especially those that ensure system security.

Economy

Also called millions and even billions of damages from the actions of viruses and worms. Such statements and estimates should be treated with caution: the amount of damage estimated by different analysts differs (sometimes by three to four orders of magnitude), and calculation methods are not provided.

Criminalization

To the creator of the virus Scores, who caused damage to Macintosh computer users in 1988, was not charged because his actions did not fall under the law available in the United States at that time Computer Fraud and Abuse Act or other laws. This incident led to the development of one of the first laws related to computer viruses: Computer Virus Eradication Act(1988) Similarly, the creator of the most destructive virus, ILOVEYOU, escaped punishment in 2000 due to the lack of appropriate laws in the Philippines.

The creation and distribution of malicious programs (including viruses) is prosecuted in some countries as a separate type of offense: in Russia according to the Criminal Code of the Russian Federation (), in the USA according to Computer Fraud and Abuse Act, in Japan

Computer viruses– special programs that are created by attackers to obtain some benefit. The principle of their operation can be different: they either steal information or encourage the user to perform some actions for the benefit of the attackers, for example, top up an account or send money.
Today there are many different viruses. The main ones will be discussed in this article.

Worm– a malicious program whose purpose is to fill the computer with all sorts of garbage so that it becomes slow and clumsy. The worm is capable of self-replication, but cannot be part of a program. Most often, infection with this virus occurs through emails.

Trojan program (Trojan, Trojan horse)– this program fully lives up to its name. It penetrates other programs and hides there until the host program is launched. Until the host program is launched, the virus cannot cause harm. Most often, a Trojan horse is used to delete, change or steal data. The Trojan cannot reproduce on its own.

Spy programs– these Stirlitz are engaged in collecting information about the user and his actions. Most often, they steal confidential information: passwords, addresses, card/account numbers, etc.
Zombies - malware received this name because it actually turns a computer into a “weak-willed” machine that obeys attackers. Simply put, bad people can control someone's computer through these malware. Most often, the user does not even know that his computer is no longer his only.

Blocker program (banner)– these programs block access to the operating system. When turning on the computer, the user sees a pop-up window that usually accuses him of something: violating copyrights or downloading pirated software. Next comes the threat of completely deleting all information from the computer. In order to avoid this, the user must top up a specific phone account or send an SMS. Only now, even if the user performs all these operations, the threat banner will not go away.

Boot viruses– affects the boot sector of the hard drive (hard drive). Their goal is to significantly slow down the operating system boot process. After prolonged exposure to these viruses on the computer, there is a high probability that the operating system will not load at all.

Exploit- These are special programs that are used by attackers to penetrate the operating system through its vulnerable, unprotected areas. They are used to infiltrate programs that steal information necessary to obtain access rights to the computer.

Phishing– this is the name for actions when an attacker sends emails to his victims. The letters usually contain a request to confirm personal data: full name, passwords, PIN codes, etc. Thus, a hacker can impersonate another person and, for example, withdraw all the money from his account.

Spyware– programs that send user data to third parties without his knowledge. Spies study the user's behavior and his favorite places on the Internet, and then show advertisements that will definitely be of interest to him.

Rootkit– software tools that allow an attacker to easily penetrate the victim’s software and then completely hide all traces of his presence.
Polymorphic viruses are viruses that disguise themselves and transform. They can change their own code as they work. And therefore they are very difficult to detect.

Software virus– a program that attaches itself to other programs and disrupts their operation. Unlike a Trojan, a computer virus can multiply and, unlike a worm, to work successfully it needs a program to which it can “stick.”
Thus, we can say that a malicious program (Malware) is any program that was created to provide access to a computer and the information stored in it without the permission of the owner of that computer. The purpose of such actions is to cause harm or steal any information. The term “malware” is a general term for all existing viruses. It is worth remembering that a program that has been infected with a virus will no longer work correctly. Therefore, it needs to be removed and then installed again.

Good afternoon friends. We return again to the topic of computer viruses. As you know, a virus is a pest program that can do quite a lot of damage to a computer.

We can say that this is the nightmare of a modern person. At the same time, this nightmare has been present in our world for about seventy years. During this time, quite a lot of viruses appeared.

It can be said that a whole series of books could be written about computer pests. But, let's return to our topic, how, and, most importantly, when did the first one appear?

When did the computer virus appear? Computer pests on the Internet first began to appear with the emergence of the Internet itself. The premise of the first virus was laid by programmer John von Neumann in 1949. This scientist created a theory about programs that can reproduce themselves.

In 1969, the American company AT&T Bell Laboratories created a multi-level operating system - UNIX. At the same time, another company, Research Projects Agency, is creating an operating system - ARPANET. Since these operating systems are multitasking, it became possible to use them to create more complex programs, and, consequently, viruses.

First computer virus

In 1979, programmers from the Xerox Palo Alto Research Center created a program that, in fact, was the first computer worm. By modern standards, the program is quite simple and elementary. Its essence was to search for computers on the Internet.

A little later, in 1983, a scientist at the University of California created the very concept of a computer virus. This concept describes a program, the essence of which is to influence other programs and introduce changes into their code, thanks to which it can reproduce itself without effort.

Creator of the first computer virus

In 1986, the first malware came out of Pakistan. It was called – The Brain. This “Brain” caused the first destruction on the network in 1988. It primarily affected computers on the ARPANET network.

A certain Robert Morris invented a pest that infected about 6,000 PCs around the world. Robert was only 23 years old at this time. After this, a gigantic scandal took place all over the world. Three years after this incident, Symantec developed the first antivirus, Norton Anti-Virus software.

In 1998, approximately five hundred US government and military departments were infected. Iraq was blamed for this hacker attack. However, it was revealed that a couple of Californian teenagers were involved in this infection of systems.

In 1999, the pest Melissa appeared. This virus was able to infect several thousand computers very quickly, causing damage of approximately $80,000,000. At the same time, antiviruses broke sales records. In the same year, a certain Robot Melissa infected office documents, mainly Word programs. The infection occurred through the Outlook mailing list.

Note! Text files have been infected! What I mean is that many users believe that text files cannot contain a virus!

I think you've heard about the virus: - “I love you.” At one time, he managed to become famous. This pest appeared in 2000. If I can say so, this is a successful virus. In just one day, it infected several million computers.

This malware sent various passwords, ciphers, and confidential data about the computer owner to its creator. Anna Kournikova stated in 2001 that the pest was created using tools. It is noteworthy that using this toolkit, even an inexperienced programmer can create a similar virus.

Viruses even threaten the White House government website. For example, the Code Red virus infected several tens of thousands of PCs in 2001. The damage amounted to more than $200,000,000. Infected computers at a certain point produced the White House.

The virus was defeated in time. In the same year, 2001, the Nimda virus appeared. It is considered a particularly sophisticated virus. In 2003, the Slammer pest managed to infect several hundred thousand computers within three hours.

This is a unique virus; it could delay the flight of almost any plane in the world. It also spread very quickly.

In 2004, the MyDoom malware claimed to be the fastest-spreading email virus. But, it did little damage. I described the history of computer sabotage until 2004.

After that, there were no such large-scale damages, with the exception of isolated cases. Mainly due to improvements in antivirus programs and firewalls!

Video virus “I love you”

P.S. It's now the end of 2018, and it's been two years since I purchased ESET Antivirus. On the official website there are various versions of this antivirus, for home, business, phone, etc.