How did your computer get a virus

This is how viruses and worms get onto the PC

Thorsten Eggeling

New malware pops up every day. The manufacturers of security software react as promptly as possible to the threats and almost always provide an update for the virus scanner on the day of discovery. For this reason there are also updates every minute on some days. For most users, this means comprehensive protection. However, if you downloaded the malware before the update, your PC is infected and the virus scanner may be deactivated by the malware. Even if only a few thousand PCs are victimized every day, it is obviously worth it for the criminals. The fight of security companies against malware is an eternal game of rabbits and hedgehogs. The malware always gets to its destination first. The next day, new pests are released and the game starts all over again.

Viruses, worms and Trojans - what's the difference?

The difference between viruses, worms and Trojans is how they spread. A virus requires - similar to biology - a host for its transport. A program file, a program library, a script file or a document with macros can serve as the host. The PC user has to copy an infected file to his computer himself and start it. The malicious code it contains then infects other files and spreads it on its own, for example via the network.

In contrast, uses a worm Vulnerabilities on the target system. He actively tries to get to the PC, for example through errors in network services, insecure access or removable media. The ultimate goal of a worm is to keep spreading. To do this, he tries to attack network services on other PCs or he copies himself to removable media in order to infect other PCs from there, for example via the autorun function. A worm can also email itself. Here, however, the demarcation from the virus becomes blurred because the e-mail recipient has to open the received file himself. Many known worms aimed to paralyze the IT infrastructure. A prominent example is the Blaster worm, which attacked in 2003. Current worms often set up back doors on the attacking PCs, through which you can reload further malware.

Also a trojan the user must first allow entry himself. It disguises itself as useful software or an email attachment, for example. Most of the time, the Trojan works as a "dropper" for unwanted software. It can place viruses on the computer, display advertisements on websites or spy on personal data. In contrast to viruses or worms, the Trojan does not spread automatically. But it can contain viruses that do that.

EnlargeThe Zeus / Zbot Trojan collects data and uploads it to the servers marked in the map.

Analysis of a virus

Before you can fight viruses - or create them yourself - you should look at historical models. Take the Jerusalem virus - also known as Friday the 13th virus or PLO virus - as an example. The virus had the goal of deleting all COM and EXE files on floppy disks or the hard drive of a PC every Friday the 13th from 1988 onwards. On other days, he reduced the speed of the infected PCs for 30 minutes when infected. When the first computer viruses appeared in the 1980s, they had one goal above all else: They wanted to harm the user by destroying data. Current viruses, on the other hand, usually want to spy on data, for example to gain access to the victim's bank access data.

The original author of the Jerusalem Virus is unknown and his intentions can only be speculated. It owes its name to the discovery in Jerusalem, where infections were detected in the Israeli armed forces in 1988. What makes this virus so interesting are the principles on which it is based and according to which viruses still arise today.

This is how the Jerusalem virus is structured: The Jerusalem virus consists of several building blocks that probably originated as early as 1987 or earlier. The first and oldest part, named sURIV 1 (the text “sUriv” appears in the code), infects COM files. It activates on April 1st and outputs the text “APRIL 1ST HA HA HA YOU HAVE A VIRUS.”. The second part, sURIV 2, can infect EXE files, while sURIV 3 infected both types of executable files. The virus, programmed in assembler, was easy to analyze and modify. That is why it was particularly suitable as a template for new malware. Figure 2 shows an excerpt from the disassembled code of the virus with comments (in green) by the author of this article. Other virus authors only had to change the date values ​​here in order to use the code for their purposes.

The Jerusalem virus was arguably the most successful file-infecting virus ever, and it probably had more variants than any other virus. However, their damaging function sometimes gave rise to a smile. The Frère virus, for example, played the song Frère Jacques every Friday the 13th.

Some bugs in the original Jerusalem virus code favored its discovery. EXE files were infected again and again and grew in size as a result. In the case of certain EXE files, the infection did not work and the program was then unusable. If it hadn't been for these programming errors, the Jerusalem virus would probably still be in circulation today undetected - at least if the DOS operating system as its host hadn't nearly died out. Some of the virus copyists fixed the bugs, others added new ones. One variant wanted to activate itself on Sundays, i.e. on the seventh day of the week. Unfortunately or fortunately, the author did not consider that the week for computers starts on Sunday with day zero and ends on Saturday with the sixth day. So this virus never activated.

Again and again, programming errors in viruses and worms lead to their early detection. A prominent example of this is the blaster worm, also known under the names W32.Blaster, W32-Lovsan or MSBlast. It spread through a bug in the Windows Remote Procedure Call (RPC) interface. It should only become active on August 16, 2003 and start a distributed denial of service (DDoS) attack on the Microsoft update server. However, the worm did not test whether it had already infected a computer. It crashed the PCs if they were already infected. This made it easy to spot. In addition, he did not achieve his actual goal because the crashed computers failed for the DDoS attack.

EnlargeThe picture shows an excerpt from the code of the Jerusalem virus.

Where does the malware come from?

What started with the Jerusalem virus continues today. However, today - unlike in the 1980s - there are hardly any hackers who simply bring a few viruses into the world for the fun of being happy or causing damage. Business-minded criminals create virus or Trojan horse kits that they sell or license for dearly money. The hacker's customers can use it to continuously produce new variants and only have to ensure that the pest is not discovered immediately. To do this, the virus manufacturer simply uploads the malware to Virustotal and has it checked with all common virus scanners. Should one strike, the virus will be modified in the kit until there is no more warning.

However, a virus or Trojan horse alone is not enough. The malware also has to find its way onto the victim's computer. The following methods are available for this:

Scareware: The visitor to a website is led to believe that his computer is infected. He is put into fear ("scare") and asked to download a supposed anti-virus software (fake anti-virus) that is supposed to solve the problem. The actual infection only occurs when this program is started.

Email and Social Engineering: An email promises insights into the life of a celebrity, accuses the recipient of illegal downloads or informs about a lottery win. If you let yourself be lured by this and open the e-mail attachment, you will transport a Trojan onto your computer.

Drive-by exploits / drive-by downloads: When visiting a website, the PC becomes infected. The victim accessed the website either via a search engine or a link in an email. The web server does not have to belong to the criminals. They can also be the victim of a cyber attack themselves and spread malware without the knowledge of the owner or forward them to URLs with malware.

Attacks via infected web servers

Drive-by exploits and drive-by downloads in particular are now widespread. According to a report by Sophos, these methods were responsible for 67 percent of all attacks in 2011. Exploit toolkits are used to check the operating system, browser and browser plugins for vulnerabilities. The most widely used exploit toolkit currently is Blackhole. It consists of some PHP scripts that are called up when websites are called and usually display content from other infected servers in an iFrame. The scripts are encrypted and not easy to discover by the server operator. If Blackhole has found an exploitable vulnerability, for example in Java, Adobe Reader or Adobe Flash Player, the malicious code is delivered to the PC. In order to smuggle in the malware, buffer overflows or other vulnerabilities are usually exploited.

In principle, every conceivable infection is possible. Most recently, Blackhole has been used primarily for delivering the Zeus banking Trojan.

Blackhole is very flexible and is constantly being expanded for new vulnerabilities. The infected servers can be rented for certain periods of time and used during this time to spread the desired malware.

EnlargeThe Backhole Exploit Kit can be conveniently controlled and customized.