Read the original article here.

---

The Forbidden Code: Understanding Computer Viruses

Delving into the mechanics of computer viruses is akin to studying the blueprints of sophisticated digital parasites. While ethically fraught and legally prohibited for malicious creation, understanding how they function is crucial knowledge – both for defense and for appreciating the complex, sometimes ingenious, programming techniques they employ. This resource explores the core concepts behind computer viruses, revealing the "forbidden code" that allows them to replicate and persist.

What is a Computer Virus? The Core Concept

At its heart, a computer virus is defined by a single, critical characteristic: self-replication.

Definition: Computer Virus A type of malicious software (malware) that, when executed, replicates itself by modifying other computer programs and inserting its own code. When the modified program is run, the virus code is also executed, allowing it to further replicate and potentially carry out malicious actions. It requires a "host" program to spread.

Think of it like a biological virus: it injects its genetic code into a host cell (a program or system area), hijacking the host's machinery to create more copies of itself. These copies then go on to infect other hosts. Unlike independent programs, viruses must attach to or embed themselves within existing code structures to spread.

A Glimpse into History: The Genesis of Digital Parasites

The idea of self-replicating programs wasn't born malicious. Early concepts explored the theoretical possibilities of self-reproducing automata, notably by pioneering mathematician John von Neumann in the 1940s. These were abstract ideas about complex systems that could build copies of themselves.

The first practical (though largely harmless) examples appeared much later:

• Creeper (early 1970s): An experimental self-replicating program that merely displayed the message "I'M THE CREEPER : CATCH ME IF YOU CAN." It traversed the ARPANET but didn't infect files. More of a "worm" precursor by modern definitions.
• Elk Cloner (1982): Considered one of the first widely spreading computer viruses in the wild. Written for Apple II systems, it infected the boot sectors of floppy disks. When an infected disk was used to boot a computer, the virus loaded into memory and would then infect any non-infected floppy disk inserted. Its "payload" was relatively benign: displaying a short poem about itself on every 50th boot. This demonstrated the fundamental boot sector infection technique.

These early examples were proof-of-concept, exploring the technical feasibility of self-replication before the malicious potential was fully exploited.

The Anatomy of a Virus: Deconstructing the Code

Despite variations, most viruses share fundamental components that allow them to function:

1. Replication Mechanism: The core code responsible for finding new targets (files, boot sectors, scripts) and copying the virus code into them. This often involves searching directories or system structures.
2. Targeting/Infection Strategy: The specific method used to insert the virus code into a host. This might involve:
   • Overwriting: Replacing the host code entirely (destructive, easy to detect).
   • Prepending: Adding the virus code to the beginning of the host file.
   • Appending: Adding the virus code to the end of the host file.
   • Inserting/Injecting: Placing the virus code somewhere in the middle of the host file, often modifying the host's entry point (where execution begins) to jump to the virus code first.
   • Modifying Pointers: For formats like boot sectors, changing pointers to load the virus code instead of the legitimate operating system loader.
3. Payload (Optional): The code that performs malicious or unwanted actions other than replication. This code is typically executed after the virus has replicated successfully or after certain conditions are met (e.g., a specific date, number of infections). Payloads are what cause the visible damage or undesirable effects associated with viruses.
4. Trigger/Activation Mechanism: The condition that causes the virus to replicate or the payload to execute. This is often simply the execution of the infected host file, but can also be time-based, event-based (e.g., opening a specific document), or count-based (e.g., after infecting 10 files).

How Viruses Spread: Infection Vectors

Viruses don't magically appear; they need a way to get onto a system and a way to find new hosts. Common infection vectors and spread methods include:

• Executable Files: Infecting .exe, .com, .bat, .vbs, or other executable formats. When a user runs the infected program, the virus runs too.
• Document Files with Macros: Infecting documents (like Microsoft Word's .docm or Excel's .xlsm) that support scripting languages (like VBA - Visual Basic for Applications). If macros are enabled, the virus code in the macro can execute when the document is opened.
• Boot Sectors: Infecting the initial section of a hard drive or floppy disk that loads the operating system. The virus loads into memory before the OS, giving it low-level control and the ability to infect other disks.
• Script Files: Embedding in web pages (less common now due to browser security), email attachments, or standalone scripts.
• Removable Media: Spreading via USB drives, external hard drives, or (historically) floppy disks when they are accessed on different computers.
• Network Shares: Infecting executable files located on network drives that are accessed by multiple users.

Virus Classification: Techniques of the Digital Parasite

Viruses are often categorized by how they infect and how they attempt to evade detection. Understanding these techniques reveals the programming challenges faced by their creators.

By Target/Infection Area:

• Boot Sector Viruses: Infect the Master Boot Record (MBR) or Volume Boot Record (VBR) of storage devices. They execute before the operating system loads, making them difficult to remove while the OS is running. (Historical significance, less common now).
• File Infector Viruses: The most common type. They attach themselves to or modify executable files (.exe, .com, etc.).
• Macro Viruses: Written in scripting languages supported by applications (like VBA in Microsoft Office). They infect documents (.docm, .xlsm, etc.) and run when the document is opened and macros are enabled.
• Multipartite Viruses: These viruses are sophisticated as they attack both boot sectors and executable files, potentially using different infection mechanisms for each, making them harder to fully eradicate.

By Evasion Technique:

These categories highlight advanced programming methods designed to fool security software.

• Polymorphic Viruses:

  Definition: Polymorphic Virus A virus that mutates its code each time it replicates, while maintaining its original functionality. This is typically achieved by encrypting the virus body and attaching a varying decryption routine. Since the encrypted body and the decryptor code change with each infection, the virus presents a different signature to antivirus software.

  • How it Works (Simplified): The core malicious code remains constant, but it is encrypted. Attached to this encrypted blob is a small piece of code – the "decryptor" – which is responsible for decrypting the main virus body in memory so it can execute. To achieve polymorphism, the decryptor itself is mutated or generated differently for each infection. The encrypted virus body might also change slightly (e.g., using a different encryption key). Antivirus software relying on simple signatures (specific patterns of bytes) of the virus body struggles because that pattern is always encrypted and the decryptor pattern keeps changing. Creating a working polymorphic engine is a significant programming challenge involving complex code generation and encryption routines.

• Metamorphic Viruses:

  Definition: Metamorphic Virus A virus that rewrites its entire code body on each iteration before infecting a new executable. Unlike polymorphic viruses which encrypt their core and change the decryptor, metamorphic viruses actually change their underlying instructions and appearance, while preserving the original malicious logic.

  • How it Works (Simplified): This is a much more advanced technique than polymorphism. Instead of just encrypting and changing the decryptor, the metamorphic engine analyzes its own code, rewrites sections, adds junk instructions, changes the order of operations (while preserving logical flow), swaps instruction sets for equivalent ones, and generally transforms its entire structure. There is no static encrypted body or separate decryptor. Every new copy looks fundamentally different at the code level. This makes signature detection extremely difficult and requires heuristic or behavioral analysis techniques from antivirus software. Developing a functional metamorphic engine requires a deep understanding of assembly language, code parsing, and dynamic code generation.

• Stealth Viruses:

  Definition: Stealth Virus A virus that attempts to hide its presence by intercepting operating system calls. When security software or the operating system tries to read the infected file or boot sector, the virus redirects the call to a clean, original version of the file or boot sector, or it modifies the data being read to make it appear uninfected.

  • How it Works (Simplified): Stealth viruses hook or patch functions within the operating system's kernel (like those for reading files or checking file sizes). For example, if antivirus software asks the OS "What is the size of file X?", a stealth virus might intercept this request, calculate what the size would be if the virus wasn't there, and return that false value. Similarly, if asked to read the contents of an infected file, the virus might provide the original, uninfected contents stored elsewhere, or reconstruct them on the fly. This requires low-level systems programming knowledge and the ability to manipulate OS internals.

Payloads: The Malicious Act

While replication is the definition of a virus, the payload is usually the reason they are created maliciously. Payloads can range from annoying pranks to devastating attacks:

• Data Destruction: Deleting files, formatting drives, corrupting data.
• System Corruption: Modifying system files, changing configuration settings, causing crashes.
• Data Theft: Searching for and transmitting sensitive information (passwords, financial data, personal files) to an attacker.
• Backdoor Creation: Installing code that allows remote access and control over the infected system.
• Spam Relay: Using the infected computer to send spam emails.
• Denial of Service (DoS): Making the infected computer participate in coordinated attacks against websites or services.
• Ransomware: Encrypting user data and demanding payment for the decryption key (often delivered via Trojan horses, but the encryption payload itself is a technique).
• Display Messages/Pranks: Displaying images, text, or playing sounds (common in older, less malicious viruses).

Detection and Defense: Countering the Forbidden Code

Understanding virus techniques is essential for developing defenses. Countermeasures rely on analyzing the virus's code and behavior:

• Signature Detection: Scanning files for known byte patterns (signatures) associated with specific viruses. Effective against simple viruses, easily defeated by polymorphic and metamorphic ones.
• Heuristic Analysis: Analyzing code for suspicious instructions or patterns commonly found in viruses (e.g., code that modifies executable files, attempts to hook OS functions). Can detect unknown or modified viruses, but prone to false positives.
• Behavioral Monitoring: Observing the actions of a program as it runs in a controlled environment (like a sandbox). Detecting suspicious behaviors such as attempting to write to executable files, modify the boot sector, or communicate with unknown external servers. This is more effective against sophisticated, evasive viruses.
• Integrity Checking: Calculating checksums or hashes of legitimate files and comparing them later to detect unauthorized modifications.
• Sandboxing: Running potentially infected files in an isolated virtual environment to observe their behavior without risking the actual system.

Not Quite Viruses: Worms and Trojans

It's important to distinguish viruses from other types of malware often confused with them:

Definition: Computer Worm A standalone malware program that replicates itself to spread to other computers, often using a computer network. Unlike viruses, worms do not require a host program to spread, nor do they require user interaction to replicate (though they may use social engineering to get initial access). They exploit network vulnerabilities or use social engineering.

Definition: Trojan Horse (Trojan) A type of malware that is disguised as legitimate software. Trojans do not self-replicate like viruses or worms. They rely on deception to trick users into executing them. Once running, a Trojan performs malicious actions hidden from the user, such as installing backdoors, stealing data, or downloading other malware.

While viruses, worms, and Trojans often work together (e.g., a worm spreads a Trojan, a virus payload installs a backdoor), the core definition of a virus rests on its self-replication by infecting other files or system areas.

Conclusion: The Programmer's Insight

Studying computer viruses from a technical standpoint reveals sophisticated programming challenges: self-modification, code injection, low-level system interaction, encryption, and evasion techniques. The creation of polymorphic or metamorphic engines represents a deep dive into the complexities of code generation and analysis. While the application of these techniques for malicious purposes is harmful and illegal, understanding the underlying principles is invaluable for comprehending digital security, analyzing threats, and building resilient systems. Knowing the "forbidden code" isn't about embracing malice, but about gaining the knowledge required to defend against it.