The Code behind the Malware: The Digital DNA of a Computer Virus

February 28th, 2020

When programmers decide to ‘go bad’ and write malicious code, they typically start by answering a few basic questions about the malware they intend to build: which operating system it will target, and which vulnerability or weakness it will use to get in. If those questions are answered well, there is a good chance the result will be a functional computer virus capable of inflicting a great deal of damage. Because viruses cause so much harm to individuals and organizations alike, it is worth deconstructing their ‘DNA’, so to speak, so that defenders can reverse engineer how they work and improve antivirus software and detection.

The ‘Biology’ of a Computer Virus

  • Method of Infection

A virus is made up of three parts. The first is its method of infection, which is concerned with how the virus propagates. A computer virus does this by modifying the code of the software it infects so that a copy of the virus is embedded inside the host program; this is what distinguishes a virus from a worm, which spreads as a standalone program without a host file. The specific route by which the virus reaches a new machine is called a ‘vector’. There are many vectors a virus can use, such as network protocol vulnerabilities, infected PDFs, Windows file sharing, or buffer overflows (a buffer overflow in the Windows RPC service is how the infamous ‘Blaster’ worm spread in 2003).

  • Trigger

The next part is the trigger: the set of conditions under which the virus decides whether or not to deliver its payload. Some viruses begin infecting programs as soon as they are executed on a device. Others act only when a specific trigger condition is met, which could be a particular date, a user logging in, a certain operating system version, an update being applied, or some other event on the computer. Because it is hard to know in advance when the virus will ‘go off’, it may lie dormant on a device for a long time before the payload runs.

  • Payload

Lastly, a computer virus carries a payload. Strictly speaking, a virus does not need a payload to be a virus; there have been many examples of viruses that simply spread without damaging their hosts. Unfortunately, that is the exception. The payload is the part of the virus that performs the harmful activity on the host device, and the more capable the payload, the more damage it tends to do. One difficulty faced by virus writers is making sure the infection routine does not re-infect code that already carries the virus; otherwise infected files would grow with every pass and the virus would quickly give itself away. This is a structural weakness, because it means the virus must be able to recognise itself, typically through an infection marker or a fixed byte pattern. Anything the virus can use to recognise itself, antivirus software can use as a signature to detect it.

The diagram below outlines the code structure of a typical computer virus. In it, the select_target function encodes the conditions a program must meet to be chosen as a host, and infect_code is the function that carries out the infection by injecting the viral code into the host’s code (the replication step, which is distinct from the payload and its trigger check).

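The three parts described above (method of infection, trigger, payload) as an added, runnable example; this is not the page’s diagram and not code from any real virus. The names select_target and infect_code follow the text; the in-memory table of “host programs”, the marker string, the date trigger and the harmless payload are assumptions made for illustration. The point to watch is that the same marker the virus needs in order to avoid re-infecting a host is exactly what a scanner can search for.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example: virus structure simulated over in-memory "host programs".
 * The marker string, host table, trigger day and payload are assumptions. */

#define HOST_COUNT 3
#define CODE_SIZE  64
#define MARKER     "VX!"       /* infection marker: "this host is already infected" */
#define VIRAL_CODE "[viral]"   /* stands in for the replicated virus body */

struct host { char name[16]; char code[CODE_SIZE]; };

static struct host hosts[HOST_COUNT];
static int g_payload_hits;     /* how many hosts the last payload run reached */

/* Constructed sample: three clean host programs. Returns the host count. */
int reset_hosts(void)
{
    const char *names[HOST_COUNT] = { "calc", "notepad", "solitaire" };
    for (int i = 0; i < HOST_COUNT; i++) {
        strcpy(hosts[i].name, names[i]);
        strcpy(hosts[i].code, "<clean code>");
    }
    g_payload_hits = 0;
    return HOST_COUNT;
}

/* The virus must recognise hosts it already infected, or it would re-infect
 * them on every pass. A signature scanner performs exactly the same check. */
int is_infected(const struct host *h) { return strstr(h->code, MARKER) != NULL; }

/* select_target: the first host meeting the conditions (clean, with room). */
int select_target(void)
{
    for (int i = 0; i < HOST_COUNT; i++) {
        if (is_infected(&hosts[i]))
            continue;
        if (strlen(hosts[i].code) + sizeof VIRAL_CODE + sizeof MARKER > CODE_SIZE)
            continue;
        return i;
    }
    return -1;  /* nothing left to infect */
}

/* infect_code: the method of infection, appending viral code plus the marker. */
void infect_code(struct host *h)
{
    strcat(h->code, VIRAL_CODE);
    strcat(h->code, MARKER);
}

/* Trigger: a date trigger that fires on one day of the month. */
int trigger_fires(int day_of_month, int trigger_day) { return day_of_month == trigger_day; }

int day_of_month_today(void)
{
    time_t now = time(NULL);
    return localtime(&now)->tm_mday;
}

/* Payload: deliberately harmless; it only reports which hosts it reached. */
int run_payload(void)
{
    int hits = 0;
    for (int i = 0; i < HOST_COUNT; i++)
        if (is_infected(&hosts[i])) {
            printf("payload ran inside %s\n", hosts[i].name);
            hits++;
        }
    return hits;
}

/* What an antivirus does with the same marker: scan every host for it. */
int scan_for_marker(void)
{
    int flagged = 0;
    for (int i = 0; i < HOST_COUNT; i++)
        flagged += is_infected(&hosts[i]);
    return flagged;
}

/* Copies of the marker inside one host; more than one would mean re-infection. */
int marker_count(int i)
{
    int n = 0;
    for (const char *p = hosts[i].code; (p = strstr(p, MARKER)) != NULL; p += strlen(MARKER))
        n++;
    return n;
}

int payload_hits(void) { return g_payload_hits; }

/* One execution of the virus: infect at most one new host, then deliver the
 * payload only if the trigger holds. Returns the number of infected hosts. */
int virus_run(int day_of_month, int trigger_day)
{
    int target = select_target();
    if (target >= 0)
        infect_code(&hosts[target]);
    g_payload_hits = trigger_fires(day_of_month, trigger_day) ? run_payload() : 0;
    return scan_for_marker();
}

int main(void)
{
    reset_hosts();
    for (int run = 1; run <= 4; run++) {
        int infected = virus_run(day_of_month_today(), 26);
        printf("run %d: %d host(s) infected, payload reached %d\n", run, infected, payload_hits());
    }
    printf("scanner flags %d host(s) by marker\n", scan_for_marker());
    return 0;
}
```

The fourth run infects nothing because select_target finds no clean host, and each host ends up with exactly one marker; that self-recognition check is what keeps the virus from bloating its hosts, and it is also why scan_for_marker can flag every infected host with a three-byte signature.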
Exploiting Weaknesses

The design of each virus is different. A major difference lies in the specific weakness of a system that the virus was built to target. Because computer systems have many different weaknesses, individual viruses are written to capitalise on specific vulnerabilities. Hardware-related vulnerabilities exist, but software-related weaknesses are far more common. These are usually grouped into technological, configuration and security policy weaknesses. Technological weaknesses cover a wide range, including buffer overflows, protocols such as HTTP, FTP and ICMP that are inherently insecure because they carry data in cleartext or without authentication, holes in firewall rules, and routers, firewalls and switches left without password protection.

  • Buffer Overflows and Shellcodes

A buffer overflow is a code weakness that is exploited when a fixed-length buffer receives more data than it was sized for and the excess is written past its end. The usual result of an accidental overflow is a crash. For an attacker, however, it is an opportunity: if the input is crafted carefully, the bytes written past the buffer overwrite control data such as the function’s saved return address on the stack, and the virus can ‘fit’ its own code into the buffer and redirect execution to it. The code placed there is called shellcode, because its traditional purpose is to start a shell, a command-line interpreter through which the intruder gains interactive access to the operating system. Shellcode is extremely useful to an attacker because the new shell runs with the privileges of the process that was exploited: if the vulnerable program was a service running as root or SYSTEM, so is the shell.

Diagram outlining the ‘Stack Smashing’ method of a Buffer Overflow Attack.
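The stack frame from the ‘stack smashing’ diagram rendered as code, as an added example that is not part of the original page. The layout (a 16-byte buffer followed directly by the saved return address) and the placeholder address ORIGINAL_RET are assumptions chosen to mirror a typical frame; real compilers may pad, reorder locals or add a stack canary. The unsafe copy is modelled with a memcpy bounded to the frame so that the demonstration itself stays defined behaviour, while still showing attacker bytes landing on the return address; the hardened form beside it refuses oversized input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: the frame layout and ORIGINAL_RET are assumptions. */
#define ORIGINAL_RET 0x08048000u  /* hypothetical legitimate return address */

struct frame {
    char     buf[16];     /* fixed-length buffer the vulnerable function fills */
    uint32_t saved_ret;   /* address the CPU jumps to when the function returns */
};

/* Vulnerable pattern: copies the whole input with no check against the buffer
 * size. Bounded to the frame here so the demo is defined behaviour; a real
 * strcpy() would keep writing past the frame entirely. */
void copy_unsafe(struct frame *f, const char *input, size_t len)
{
    size_t n = len < sizeof *f ? len : sizeof *f;
    f->saved_ret = ORIGINAL_RET;
    memcpy(f, input, n);  /* bytes 16..19 of the input land on saved_ret */
}

/* Hardened form: reject input that does not fit and keep the buffer terminated. */
int copy_safe(struct frame *f, const char *input, size_t len)
{
    f->saved_ret = ORIGINAL_RET;
    if (len >= sizeof f->buf)
        return -1;        /* too long: refuse instead of overflowing */
    memcpy(f->buf, input, len);
    f->buf[len] = '\0';
    return 0;
}

/* Saved return address after the unsafe copy: attacker bytes or the original? */
uint32_t ret_after_unsafe(const char *input, size_t len)
{
    struct frame f;
    copy_unsafe(&f, input, len);
    return f.saved_ret;
}

/* Saved return address after the hardened copy: always the original. */
uint32_t ret_after_safe(const char *input, size_t len)
{
    struct frame f;
    copy_safe(&f, input, len);
    return f.saved_ret;
}

/* Return code of the hardened copy: 0 when the input fits, -1 when rejected. */
int safe_copy_result(const char *input, size_t len)
{
    struct frame f;
    return copy_safe(&f, input, len);
}

int main(void)
{
    /* Constructed input: 16 'A's fill the buffer, the four 'B's (0x42) overwrite
     * saved_ret; in a real attack they would instead point at the shellcode. */
    const char attack[] = "AAAAAAAAAAAAAAAABBBB";
    size_t len = sizeof attack - 1;

    printf("unsafe copy: saved return address = 0x%08x\n",
           (unsigned)ret_after_unsafe(attack, len));
    printf("safe copy:   rc = %d, saved return address = 0x%08x\n",
           safe_copy_result(attack, len), (unsigned)ret_after_safe(attack, len));
    return 0;
}
```

With the 20-byte input the unsafe copy leaves 0x42424242 where the return address belongs, which is the moment the attacker controls where execution goes next; the safe copy returns -1 and leaves the return address untouched. On a modern toolchain the same bug is harder to turn into a working shell, because stack canaries, non-executable stacks and address randomisation each break a step of the classic attack, which is why those mitigations should stay switched on even in code that has been reviewed.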

Conclusion

Overall, the main goal in understanding how viruses work is to gain the insight needed to stop them. No one wants their data stolen or their privacy exposed. The first step in preventing these crimes is therefore to understand the inner mechanisms of malware, so that defenders can predict where and how malicious software will attack, and respond by fixing the many vulnerabilities that exist, shipping patches, and improving antivirus software.

Services offered by Logique Digital Indonesia

To improve your company’s website security and application systems, Logique Digital Indonesia is offering penetration testing services. We have an IT security team to help ensure that your website and applications don’t have security holes. Please contact us in order to improve your application or website’s cybersecurity.
