The shot heard around the world
Posted by: Brent York
on Dec 07, 2009
Viruses and vaccines seem to be all the hot topic lately ;)... Since I'm not a virologist, or a vaccinologist, I'm not overly qualified to discuss them except to say that I and my family have been vaccinated and we're fine. Instead of talking about the subject of viruses in the human body, for which I'm not at all qualified, I instead decided I'd segue into something more my style.
For the next few posts I'm going to examine with you the world of computer viruses, worms, and trojan horses. Hopefully after this we'll get into some malware analysis. I'll get back to the security series after this series.
The posts that I'll be writing will go into some insight into how viruses, worms and trojans work, what they do, how to disassemble and examine them safely, how scanners find "virus like" activity, and techniques for analyzing malware.
This will hopefully give you some insight into how to protect yourself, your network, and your systems. It should also give you some insight into how to design a strategy for anti-virus/malware, and infection response, and how to recognize and investigate strange behavior that may be malware related, even if your scanner doesn't quite find it.
This being the first post in the series I guess I should start with the basics.
What is a computer virus?
A computer virus is any self-replicating program that attaches itself to a host program, and uses the transportation of that host program to infect other executables. These two distinctions are important. If it makes copies of itself and those copies don't require a host, then it's not a virus. If it doesn't make copies of itself, but instead just does really bad things when you run it, it's not a virus either.
The self-replicating infection mechanism of a virus seems fairly benign. Truthfully it is, so long as it works and doesn't break the infected host, or replace some of its program code in such a way as to render the infected host unusable. If that portion of the virus is all that exists for the virus then the virus pretty much just swells up program files. Not that this is desired behavior by any means, but it's certainly not system threatening.
The infection mechanism however is interesting because the code written for infection and finding potential hosts defines exactly how aggressive the virus is when spreading. Thus, the algorithm for infection plays a role in determining infection rate and thus in determining the severity level of the virus.
The other problem with computer viruses is that they generally carry a payload. That payload is like a bomb which is set to go off under certain conditions that the author of the virus has defined. This, coupled with that infection mechanism is what makes the things so insidious, and indeed in many cases difficult to get rid of.
What is a worm then?
Well a worm, like a computer virus, spreads by infecting other machines. However the mechanism for propagation is drastically different. The worm's host is an infected machine, not an infected program. Worms tend to spread not by transference of infected binaries but instead by exploiting known vulnerabilities in systems to which they can connect. A worm's propagation mechanism, like a virus's infection mechanism, determines how aggressive the worm is when spreading, and thus plays a role in determining the severity level of the worm.
However, it's interesting to note that if a worm is particularly aggressive regarding propagation, it's more likely to trip some alarm that will make a good security auditor, systems administrator, or even an automated system take notice. Viruses have this problem too, but in many cases to a lesser extent, as generally they don't perform network activities, and for the most part file sizes aren't that meaningful a metric when doing a casual scan for viral activity.
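To make that last point concrete, here's a small added example (my own illustration for this post, not code from any scanner): a file-integrity check that snapshots the size and SHA-256 of each file under a directory and then compares a later snapshot against the baseline. The constructed scenario plants three fake "executables", lets one grow (the way a file infector swells a host), patches one in place without changing its size, and drops a new file. Comparing sizes alone only catches the first case; comparing hashes catches all of them. Directory names and file contents are made up for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: (size_in_bytes, sha256_hex)} for every regular file under root."""
    root = Path(root)
    snap = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            snap[path.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def compare(baseline, current):
    """Classify each file as 'added', 'removed', 'size_changed' or 'content_changed'.

    Unchanged files (same hash) are omitted. 'content_changed' is the case a
    size-only check would miss: the bytes differ but the length does not.
    """
    findings = {}
    for name in set(baseline) | set(current):
        if name not in baseline:
            findings[name] = "added"
        elif name not in current:
            findings[name] = "removed"
        else:
            old_size, old_hash = baseline[name]
            new_size, new_hash = current[name]
            if old_hash == new_hash:
                continue
            findings[name] = "size_changed" if old_size != new_size else "content_changed"
    return findings


def size_only_compare(baseline, current):
    """The weaker check: report only files whose size differs (what a casual glance would see)."""
    return sorted(
        name for name in baseline
        if name in current and baseline[name][0] != current[name][0]
    )


def demo():
    """Constructed scenario: three fake executables, then three kinds of tampering."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root) / "bin"
        bin_dir.mkdir()
        # Fake 100-byte "binaries" (constructed sample data, not real programs)
        (bin_dir / "app.exe").write_bytes(b"MZ" + b"\x00" * 98)
        (bin_dir / "tool.exe").write_bytes(b"MZ" + b"\x90" * 98)
        (bin_dir / "util.exe").write_bytes(b"MZ" + b"A" * 98)

        baseline = snapshot(root)

        # 1) app.exe grows by 20 bytes: the classic "swollen" host
        with open(bin_dir / "app.exe", "ab") as f:
            f.write(b"X" * 20)
        # 2) tool.exe is patched in place: same length, different bytes
        with open(bin_dir / "tool.exe", "r+b") as f:
            f.seek(50)
            f.write(b"\xcc" * 10)
        # 3) a brand new file appears; util.exe is left untouched
        (bin_dir / "new.exe").write_bytes(b"MZ" + b"B" * 98)

        current = snapshot(root)
        return compare(baseline, current), size_only_compare(baseline, current)


if __name__ == "__main__":
    hash_findings, size_findings = demo()
    for name, verdict in sorted(hash_findings.items()):
        print(f"{verdict:16} {name}")
    print("size-only check would flag:", size_findings)
```

In practice the baseline would be taken from a known-clean image and stored somewhere the monitored host can't rewrite; the point here is just that the hash comparison surfaces the in-place modification that the size comparison silently passes.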
OK, and a Trojan?
A trojan is a malicious program that doesn't self-replicate. Instead it appears to do something the user might like to have done for them, but in the background it performs some nefarious task the author has defined. It is like a virus without the replication mechanism, but with the bomb, and a pretty front end that looks useful to the unsuspecting user. The terminology comes from Greek mythos, specifically that of the Trojan horse used by the Greeks to infiltrate the city of Troy.
Why make the distinction?
It's important to make the distinction between a virus, a worm, a trojan horse, and just general malware because, with regards to security, the general attack vectors vary widely. To come up with a comprehensive strategy for blocking these types of attacks against your systems and networks you have to understand what targets and vulnerabilities these bits of evil software are gunning for. Furthermore, to come up with a comprehensive strategy for preventing the spread of malicious software you have to understand the general infection vectors being used.
In addition, the activity patterns of these pieces of malicious software are different. They might appear similar, and in some respects they are (as computing resources are computing resources after all), but the way they go about things is different. For example you won't see any signs of replication with a trojan horse, while you are likely to see telltale signs of replication with a worm.
Plans for this series: In the next few blogs I will start covering the internals of virus structure in detail. I'll show some ways that a scanner would look for known viruses and how heuristics work to detect virus like behavior. I'll take apart a common virus and show you how they work inside, show you how they're initially deployed, and give you some strategies that might help you combat viral infection. After that, the series of blogs will continue to do the same for worms, and then for trojan horses. Finally we'll settle on general malware, and how to rip that apart and see how it works inside as well. We will come up with some useful strategies for combating and preventing malware issues on your systems and networks.
Stay tuned, it's going to be a wild, in depth, and fun ride! :)
Social media:
We've come out with this social media presence as a company. Part of that is using Twitter, and part of it I suspect will be doing video blogging on YouTube, as well as our regular blogs here.
For now, I have a Twitter account and you can follow me by clicking this:
See what I'm saying on a daily basis and feel free to have conversations with me :). I'm looking forward to your input!