Computer virus
Computer Viruses: Self-Replication and Stealth in the Digital Underground
Welcome to a deep dive into one of the most fundamental concepts in the world of digital security – and insecurity: the computer virus. Often misunderstood and frequently conflated with other digital threats, the true computer virus represents a specific, sophisticated, and historically significant class of malicious software. In the context of "The Forbidden Code," understanding viruses isn't about learning to create them, but about dissecting their inner workings, their history, and the ingenious (and often clandestine) techniques used for replication, stealth, and impact. These are the mechanics that security professionals counter daily, and knowing them is key to truly grasping digital defense.
What is a Computer Virus?
At its core, a computer virus is defined by a single, specific behavior: self-replication by modifying other executable code.
Computer Virus: A type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected."
This is a crucial distinction. Unlike a computer worm, which is an independent program that replicates on its own, a virus relies on a "host" program. It embeds its code within the host, so that when the host program is run, the virus code executes first, seeking to infect other programs.
Malware: A broad term encompassing various forms of malicious software, including viruses, worms, ransomware, spyware, adware, Trojan horses, keyloggers, rootkits, and more.
The term "virus" itself is a metaphor borrowed from biology, highlighting its ability to "infect" healthy hosts and replicate within them, spreading the infection.
Motivations for creating viruses vary widely, from financial gain (like ransomware) and political messages to demonstrating vulnerabilities, personal amusement, sabotage, or simply exploring complex cybersecurity concepts, artificial life, and evolutionary algorithms. Regardless of motive, their impact can be severe, causing billions in economic damage annually and driving the multi-billion dollar antivirus industry.
The Anatomy of a Virus: Core Components and Life Cycle
To understand how a virus operates, we must dissect its fundamental structure and trace its typical path through a system.
Core Components
A computer virus generally comprises three main parts, each serving a distinct purpose in its malicious lifecycle:
Infection Mechanism (Infection Vector):
Infection Mechanism (or Infection Vector): The part of the virus that locates and modifies new programs or system areas to insert its own code, enabling replication.
This is how the virus spreads. It might scan the disk for specific file types (.exe, .com), or it might infect programs specifically as they are executed by the user or the system. The mechanism dictates where and how the virus finds its next host.
Trigger:
Trigger (or Logic Bomb): The component that defines the condition(s) under which the virus's payload will be activated and executed.
Viruses don't always execute their damaging payload immediately upon infection. The trigger acts as a fuse. Conditions can be diverse: a specific date or time, the presence or absence of a particular file or program, reaching a certain number of infections, exceeding a disk size threshold, or simply the nth execution of the infected program. This delay can make tracing the initial infection difficult.
Payload:
Payload: The malicious code or activity that the virus is designed to perform once the trigger condition is met.
This is the "action" part of the virus. Payloads range from the relatively benign (displaying messages) to the highly destructive (deleting files, corrupting data, crashing the system) or covert (stealing information, spying, installing other malware, logging keystrokes). Sometimes, payloads are non-destructive, aiming primarily to spread a message or make a political statement, sometimes even resulting in virus hoaxes, though the act of unauthorized modification and replication is inherently undesirable.
The Virus Life Cycle
Drawing an analogy to biology, computer viruses can be described as having a life cycle, typically divided into four phases:
Dormant Phase: The virus exists on the system but is inactive. It has successfully infected a program or system area but is waiting for its trigger condition to be met. Not all viruses have this phase; some become active immediately. This phase helps the virus evade immediate detection.
Propagation Phase: Once the trigger for propagation is met (often simply the execution of the infected host program), the virus begins to replicate. It uses its infection mechanism to find new targets (programs or system areas) and insert copies of its code. These copies may be slightly modified ("morphed") in an attempt to evade detection by security software. Each newly infected host then contains a copy of the virus, capable of entering its own propagation phase.
Triggering Phase: This phase occurs when the trigger condition for the payload is met. The virus, which has been dormant or propagating, now prepares to execute its primary malicious function. This phase transitions directly into the execution phase.
Execution Phase: The virus's payload is released and performs its intended actions. This is the phase where the virus's effects become apparent, whether it's deleting files, displaying a message, encrypting data for ransom, or stealing information.
How Viruses Operate: Targets and Replication
Viruses target specific areas and types of files where they can embed their code and ensure execution. Understanding these targets helps illuminate common infection vectors.
Viruses can infect:
- Binary Executables: Programs with extensions like .EXE, .COM, .DLL (Windows) or executable files in Linux/Unix systems. The virus modifies the executable code, often at the entry point, to ensure its own code runs first.
- Data Files: Documents, spreadsheets, or presentations that support embedded macro programming languages (e.g., Microsoft Word .doc, .docx, Excel .xls, .xlsx).
- Boot Sectors: Special areas on storage devices (hard drives, SSDs, floppy disks, USB drives) that contain the necessary code to start the operating system.
Based on where they reside and how they behave, viruses can be classified:
Residence in Memory
Memory-Resident Viruses:
Memory-Resident Virus: A virus that, upon execution, installs itself into the computer's RAM (Random Access Memory) and remains active from boot-up until shut-down. It typically hooks into operating system functions or interrupt handlers to intercept calls and infect files as they are accessed.
These viruses are potent because they don't need to wait for an infected program to run again to spread or act. They are constantly active in the background, waiting for opportunities to infect or trigger their payload by intercepting system calls.
Non-Memory-Resident Viruses:
Non-Memory-Resident Virus: A virus that scans the system for potential targets, infects them, and then exits from memory. It does not remain active in RAM after its initial execution cycle.
These viruses are simpler; they execute, perform their infection routine, and terminate. Their continued spread relies on the execution of the newly infected programs they created.
Specific Target Types
Macro Viruses:
Macro Virus: A virus written in a macro language (like VBA for Microsoft Office) that is embedded within documents or spreadsheets. When the document is opened (and macros are enabled), the virus code executes.
These became prevalent due to the widespread use of applications supporting macros, particularly Microsoft Office. They exploited the feature that allows small programs to be embedded in documents, often designed to run automatically. This highlights why opening unexpected attachments, even seemingly harmless documents, can be dangerous, especially if the virus uses social engineering to appear to come from a trusted source.
Boot Sector Viruses:
Boot Sector Virus: A virus that specifically targets the boot sector and/or the Master Boot Record (MBR) of a storage device.
These viruses infect the critical code that runs when a computer starts up. By modifying the boot sector, the virus ensures it is loaded into memory before the operating system, giving it significant control. They historically spread effectively via physical media like floppy disks, as systems were often configured to attempt booting from a floppy first if present.
Email Viruses:
Email Virus: A virus designed to spread specifically using email systems. They often harvest email addresses and automatically send copies of themselves as attachments or links to contacts.
While any virus might be sent via email as an attachment, an email virus is aware of email functions (like address books) and actively uses them to propagate. They frequently rely on social engineering (making the email look legitimate or urgent) to trick recipients into opening infected attachments or clicking malicious links.
Viruses can also spread via network file systems, infecting files shared across a network, and historically relied heavily on the exchange of software on platforms like Bulletin Board Systems (BBSs).
The Forbidden Arts: Stealth and Evasion
One of the most sophisticated aspects of virus writing lies in evading detection by security software and users. The "underground" development of viruses has historically pushed the boundaries of self-modification and stealth techniques.
Early viruses used simple tricks like preserving the original file's "last modified" timestamp or infecting unused sections of executable files ("cavity viruses") so the file size didn't change. These methods are now easily thwarted by modern antivirus software which uses more robust checks like cyclic redundancy checks (CRCs) or file hashes.
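As an added example (not from the original article), the following Python integrity checker shows why a size-and-timestamp check is not enough and a content hash is: it baselines a constructed sample file, overwrites bytes inside its zero padding without changing the length, restores the original modification time, and then reports what each check sees. File names and contents are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_of(path):
    """Hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(paths):
    """Record the known-good state of each file: size, mtime and SHA-256."""
    rec = {}
    for p in paths:
        st = os.stat(p)
        rec[p] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
                  "sha256": sha256_of(p)}
    return rec

def check(base):
    """Re-examine each baselined file with a weak check (size + timestamp,
    both of which an infector can preserve) and a strong check (content hash)."""
    out = {}
    for p, rec in base.items():
        st = os.stat(p)
        weak = st.st_size != rec["size"] or st.st_mtime_ns != rec["mtime_ns"]
        strong = sha256_of(p) != rec["sha256"]
        out[p] = {"weak_changed": weak, "hash_changed": strong}
    return out

def demo():
    """Simulate a cavity-style, same-size overwrite that also puts the original
    timestamp back, and report what each check notices."""
    d = tempfile.mkdtemp()
    try:
        p = os.path.join(d, "app.bin")
        # Constructed sample 'executable': header, 64 zero bytes of padding
        # (the unused cavity), trailer.
        with open(p, "wb") as f:
            f.write(b"HDR" + b"\x00" * 64 + b"END")
        base = baseline([p])
        st = os.stat(p)
        # Overwrite 16 bytes inside the padding in place: the size is unchanged.
        with open(p, "r+b") as f:
            f.seek(3)
            f.write(b"X" * 16)
        # Restore the original access and modification timestamps.
        os.utime(p, ns=(st.st_atime_ns, st.st_mtime_ns))
        return check(base)[p]
    finally:
        shutil.rmtree(d, ignore_errors=True)
```

The weak check reports no change while the hash check flags the file, which is the gap the CRC and hash checks mentioned above close.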
More advanced techniques directly target the detection process itself:
Attacking Antivirus Software: Some viruses attempt to identify and terminate antivirus processes running in the background before they can perform scans or updates (e.g., Conficker).
Rootkits:
Rootkit: A collection of software tools used by malicious actors to gain and maintain persistent access to a computer, often while hiding their presence from legitimate users and security software.
Viruses can use rootkit techniques to hide their files, processes, or registry entries, making it appear as if they are not on the system or are part of a legitimate process.
Intercepting System Calls: On operating systems like Windows, viruses can inject code into core system files or kernel structures. This allows them to intercept requests that security software makes to read or examine files. When the antivirus asks to read an infected file, the virus intercepts the request, serves up an uninfected copy of the file from memory or another location, and the antivirus is fooled into thinking the file is clean. Countering this often requires booting the system from a known clean medium (like a live CD or clean USB) to examine the dormant system files without the virus being active and able to intercept requests.
Evading Signature Scanning
The primary method antivirus software uses for detection is signature scanning.
Virus Signature: A specific pattern of bytes or code unique to a known virus. Antivirus software scans files and memory for these patterns to identify infections.
This method works well for known viruses. However, virus writers developed techniques to change their code with each infection, making static signatures useless.
Simple Encryption: The virus body is encrypted using a simple algorithm and a key. Only a small decrypting module and the key are left in cleartext. The virus code decrypts itself in memory before executing. If the key changes with each infection, only the decrypting module remains constant across infected files. A signature can still be written for that module, but it forces antivirus vendors to target the decryptor rather than the virus body itself. The presence of self-modifying/decrypting code is also highly suspicious and often flagged heuristically.
Polymorphic Code:
Polymorphic Virus: A virus that encrypts its body and uses a "polymorphic engine" or "mutation engine" to modify and obfuscate the decrypting module with each new infection. This makes both the virus body (being encrypted) and the decrypting module (changing) difficult to detect with static signatures.
This was a significant leap in virus design. The decrypting module itself changes its appearance every time it replicates. This means there's no fixed byte sequence (signature) for either the encrypted virus or the code that decrypts it. Antivirus software must use more complex methods like emulation (running the suspicious code in a safe virtual environment to see if it decrypts into known malicious code) or statistical analysis.
Metamorphic Code:
Metamorphic Virus: An even more advanced type of virus that does not use encryption. Instead, it completely rewrites its entire code structure with each new infection using a "metamorphic engine," while retaining the original functionality.
Metamorphic viruses achieve variation by translating their code into a temporary representation, applying transformations (like instruction reordering, code substitution, inserting junk instructions, changing registers), and then generating new, functionally identical but structurally different code. Because they don't use encryption and decryption, they bypass emulation techniques targeting decryption. These viruses are typically very large and complex due to the sophisticated metamorphic engine required (as seen with examples like W32/Simile).
Some viruses use "slow polymorphism," mutating only slightly or only under specific rare conditions. This makes it harder for researchers to collect enough distinct samples to analyze the full range of mutations and create reliable detection.
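As an added example (not from the original article), the following Python scanner runs over constructed samples to show the situations described in this section: a static signature for the body matches only the cleartext sample; a signature for the constant decryptor stub still matches the simply-encrypted copies, which differ only in key; and an emulation-style check that undoes a one-byte XOR for every possible key exposes the body regardless of key. The byte patterns, stub and XOR scheme are constructed stand-ins for the demonstration, not real virus code.

```python
# Constructed stand-ins for the byte patterns a scanner would look for;
# these are not real virus bytes.
BODY_SIGNATURE = b"<<sample-body-signature>>"   # pattern inside the virus body
STUB_SIGNATURE = b"[sample-decrypt-stub]"       # the constant decryptor module

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the 'simple algorithm' of the text; XOR is its own inverse."""
    return bytes(b ^ key for b in data)

def build_plain_sample() -> bytes:
    """Constructed infected file whose body is stored in cleartext."""
    return b"host-code..." + BODY_SIGNATURE + b"...host-code"

def build_encrypted_sample(key: int) -> bytes:
    """Constructed infected file whose body is XOR-encrypted with a
    per-infection key: only the stub and the key byte are visible."""
    body = b"body-start" + BODY_SIGNATURE + b"body-end"
    return b"host-code..." + STUB_SIGNATURE + bytes([key]) + xor_bytes(body, key)

def static_scan(data: bytes, signatures: dict) -> list:
    """Signature-based detection: names of the patterns present verbatim."""
    return [name for name, sig in signatures.items() if sig in data]

def decrypt_scan(data: bytes, signature: bytes):
    """Emulation-style detection for a one-byte XOR decryptor: undo every
    possible key and look for the body signature in the decrypted view.
    Returns the key that exposes the body (0 means cleartext), or None."""
    for key in range(256):
        if signature in xor_bytes(data, key):
            return key
    return None

def demo() -> dict:
    """Run both detectors over a cleartext sample and two encrypted copies of
    the same body that differ only in their key."""
    sigs = {"body": BODY_SIGNATURE, "stub": STUB_SIGNATURE}
    samples = {"plain": build_plain_sample(),
               "enc_5a": build_encrypted_sample(0x5A),
               "enc_c3": build_encrypted_sample(0xC3)}
    return {name: {"static": static_scan(s, sigs),
                   "decrypt_key": decrypt_scan(s, BODY_SIGNATURE)}
            for name, s in samples.items()}
```

A polymorphic engine would also vary the stub, defeating the second check and leaving only the emulation or statistical approaches the text describes.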
How Viruses Get In: Infection Vectors
Understanding the "how" behind initial system compromise is critical. Viruses exploit various pathways to gain execution privileges and find hosts.
- Exploiting Security Bugs: Software often has vulnerabilities – flaws that can be exploited. Viruses can leverage these bugs to bypass security restrictions, execute their code without authorization, and gain necessary write permissions to infect other files or system areas. Poor software development practices that leave many bugs increase the attack surface for viruses and other malware.
- Attaching to Executables (Code Injection): The classic method. The virus modifies a legitimate program (.exe, .com) to ensure its code runs when the user launches the program.
- Hiding File Extensions: In operating systems where file extensions determine the program type (like Windows), attackers can use social engineering by naming a malicious executable something like "picture.png.exe". If extensions are hidden by default, the user sees "picture.png" and assumes it's a harmless image file, unknowingly running the virus when they open it.
- Removable Media: Flash drives, external hard drives, or historically, floppy disks, are potent vectors. A drive infected with a boot sector virus or an infected executable can compromise a system when inserted, especially if the system is configured to auto-run from removable media or if the user clicks on a malicious file. The tactic of leaving infected drives in public places relies purely on human curiosity.
- Network File Systems: Infecting files stored on network shares allows a virus to spread rapidly to other computers that access those shares.
- Macro and Email Vectors (Revisited): As discussed earlier, macro viruses use document applications, and email viruses use email systems, often combining technical execution with social engineering to spread.
- Web-Based Vectors: While less common for true viruses (which modify local executables), web vulnerabilities like Cross-Site Scripting (XSS) have been used to spread malware, often worms or other types, sometimes incorrectly referred to as viruses in this context.
The prevalence of viruses targeting Microsoft Windows systems historically stemmed from its large market share and, importantly, its less restrictive default user permissions in older versions compared to Linux/Unix. Unix-like systems generally require administrator ("root") privileges to modify system files or install software system-wide. Since typical users operate with limited privileges, a virus run by a standard user can usually only infect files that user owns or has permission to modify, greatly limiting its system-wide spread. Early Linux viruses like "Bliss" failed to become widespread precisely because they required explicit user execution and couldn't gain root privileges easily on well-configured systems.
The Impact: Effects of Infection
Beyond just replication and stealth, viruses often aim to cause harm. The effects can be varied and costly:
- System Failure/Crash: Viruses can corrupt system files, drivers, or the operating system itself, leading to instability, crashes, or rendering the system unbootable.
- Data Corruption/Loss: Deleting, encrypting (ransomware), or corrupting user files and system data.
- Wasting Resources: Consuming excessive CPU time, memory, disk space, or network bandwidth through replication or malicious activity, slowing the system to a crawl.
- Increased Maintenance Costs: The time and effort required to detect, remove, and recover from infections.
- Information Theft: Stealing sensitive data like passwords, credit card numbers, personal information, or confidential documents.
- Displaying Messages: From humorous to political or threatening messages displayed on the screen.
- Rendering the Computer Useless: Severe corruption or locking mechanisms (like ransomware) can make the system unusable.
A specialized type is the Power Virus:
Power Virus: A computer program designed to execute specific machine code sequences intended to push the CPU to its maximum power dissipation (thermal output). This can cause overheating and potentially permanent physical damage if the system's cooling or protective thermal throttling is insufficient or bypassed.
Unlike general malware, a power virus is not always deployed maliciously: the same kind of code is used as a stress-testing tool in hardware development or overclocking, but in those cases it is run under controlled conditions.
Fighting Back: Countermeasures and Recovery
Understanding how viruses work is the first step in defense. Countering viruses involves a multi-layered approach of prevention, detection, and recovery.
Prevention
- Antivirus Software: The most common defense. Antivirus programs scan files and memory for known virus signatures and behavioral patterns. Crucially, antivirus software must be kept up-to-date with the latest virus definitions (signatures) to recognize new threats and with software updates to improve its detection engines and patch vulnerabilities within the AV software itself.
- Operating System and Software Updates: Keeping the OS and all installed software patched regularly is vital. Updates often fix security vulnerabilities that viruses and other malware exploit to gain access and propagate. Using tools that automate this process (like Secunia PSI historically, or built-in OS updaters) is recommended.
- Careful Browsing and Downloads: Avoiding suspicious websites, being cautious about clicking links in emails or messages from unknown sources, and downloading software only from trusted sources reduces exposure.
- Using Non-Administrator Accounts: On systems like Windows, performing daily tasks under a standard user account with limited privileges (rather than an administrator account) can significantly restrict a virus's ability to infect system files and spread.
- Firewalls: While not directly stopping viruses on infected files, firewalls can prevent unauthorized network connections initiated by a virus attempting to spread or communicate with a command-and-control server.
Ransomware: A type of malware (often delivered via a Trojan or worm, though sometimes associated with viruses) that encrypts a user's files or locks their system, demanding a ransom payment for decryption or access restoration.
Phishing: A social engineering technique where attackers impersonate trustworthy entities (like banks, companies, or even friends) via email, messages, or fake websites to trick individuals into revealing sensitive information like passwords or credit card details, or clicking malicious links/attachments.
Detection Methods (Revisited)
Antivirus software uses two main approaches:
- Signature-Based Detection: Comparing scanned files/memory against a database of known virus signatures.
- Pro: Highly accurate for known viruses.
- Con: Useless against new ("zero-day") viruses or viruses employing strong polymorphic/metamorphic techniques before their signatures are added to the database.
- Heuristic-Based Detection: Analyzing code for suspicious behaviors, structures, or patterns commonly found in malware, even if the specific signature isn't known.
- Pro: Can potentially detect new or modified viruses.
- Con: Higher chance of "false positives" (flagging legitimate software as malicious), which can cause disruption.
Recovery Strategies
If a system becomes infected, recovery focuses on removing the virus and restoring data/system integrity.
- Backups: The most reliable defense against data loss. Regular backups of important data (and ideally, the entire system) on media that is stored offline, is read-only (like a finalized CD/DVD), or uses different file systems inaccessible to the virus, are crucial. If infected, data can be restored from a recent, clean backup.
- Using Clean Media for Scanning/Recovery: Booting the infected computer from a known clean source (e.g., a bootable antivirus CD, a live Linux USB) allows scanning and cleaning the main hard drive while the virus is dormant and unable to interfere or hide.
- Antivirus Scanning (often in Safe Mode): Running a full scan with up-to-date antivirus software. Sometimes, running in Windows Safe Mode can prevent the virus from fully loading and interfering with the cleaning process. Tools like Microsoft's Malicious Software Removal Tool or third-party online scanners (use cautiously and from reputable sources) can help.
- System Restore/File Checker: Windows System Restore (if not disabled by the virus) can roll back system files and the registry to a previous state. System File Checker can verify and repair corrupted core Windows files. However, these may not remove the virus if it has infected restore points or hides effectively.
- Reimaging or Reinstallation: For severe or persistent infections, restoring the entire operating system partition from a clean image or performing a complete reinstallation of the OS and applications from trusted original media is often the most reliable way to ensure the virus is gone. Data can often be recovered first by booting from clean media or connecting the drive to another clean computer (with care not to execute anything from the infected drive).
A Glimpse into History
The concept of self-replicating programs predates actual computer viruses.
- Theoretical Foundations: John von Neumann laid the theoretical groundwork in 1949 with his work on self-reproducing automata, considered the "father" of theoretical computer virology. Later work by Veith Risak (1972) and Jürgen Kraus (1980) further explored self-reproduction in code.
- Early Examples:
- Creeper (Early 1970s): An experimental self-replicating program on the ARPANET (precursor to the Internet). It was more of a worm than a virus by modern definition, displaying a message as it spread.
- Elk Cloner (1982): The first known personal computer virus "in the wild," infecting Apple DOS 3.3 via floppy disks. It displayed a poem on its 50th execution.
- Brain (1986/1987): The first IBM PC compatible virus in the wild, a boot sector virus targeting unauthorized software copying.
- The Term "Virus": Coined by Fred Cohen in his 1984 paper "Computer Viruses – Theory and Experiments," based on a suggestion from his mentor Leonard Adleman. Cohen also famously demonstrated the theoretical impossibility of creating a perfect virus detector.
- Platform Evolution: Viruses evolved to target new platforms as they gained popularity: Amiga (SCA virus, 1987), Windows 3.0 (WinVir, 1992), Windows 95 (Bizatch, 1996), Windows NT (Win32.Cabanas, 1997). Macro viruses became prominent in the mid-1990s with the rise of Microsoft Office.
The history shows a constant arms race between those developing methods of infection and stealth and those creating detection and prevention techniques.
Understanding Malware Beyond Viruses
It's important to reiterate that the term "virus" is often used incorrectly to describe any kind of malicious software. While computer viruses are a specific type of malware, many prevalent threats today are not true viruses by definition.
The majority of active threats might be:
- Worms: Self-replicating programs that spread independently, often exploiting network vulnerabilities, without needing to modify host programs.
- Trojan Horses: Programs that appear legitimate but contain hidden malicious functionality (e.g., providing backdoor access, installing other malware). They don't self-replicate.
- Ransomware: (As defined above) Primarily focused on holding data hostage.
- Spyware/Adware: Designed to steal information or display unwanted advertisements.
- Keyloggers: Record keystrokes to capture passwords and other sensitive input.
- Rootkits/Bootkits: Focus on maintaining hidden persistence on a system.
While viruses are a fundamental and historically significant class of malware, understanding the full spectrum of digital threats requires recognizing these other categories and their distinct behaviors. The defining trait of the classic computer virus remains its method of self-replication: infecting and modifying other executable code.
Understanding computer viruses – their design, propagation, stealth techniques, and impact – provides essential insights into the foundational challenges of digital security. While the age of widespread, classic file-infecting viruses may have been overshadowed by worms, ransomware, and Trojans exploiting different vectors, the techniques developed in the "underground" world of virus writing, particularly in areas like polymorphism and metamorphism, continue to influence and challenge security measures today. Studying these "forbidden" techniques is crucial not for malicious intent, but for building effective defenses in the complex digital landscape.