AppleInsider Forums


Old 10-29-2002, 10:17 PM   #1
ast3r3x
Hated Member
 
Join Date: Jun 2002
Location: PA
Posts: 4,984
Virus' Explain

Someone explain how a virus works, to me I always thought it was a program that ran, but I don't understand how if it's attached to a file that it has the privilege, or execution code to actually do what it wants to do.

Let's say it's an mp3...if iTunes is looking for mp3 information wouldn't it gather mp3 information, not try to run the mp3 like a program?

Can I have a link to some in-depth detail or an explanation...couldn't really find anything that explained it in hard core deep computer terms... it's all more vague stuff

[ 10-29-2002: Message edited by: ast3r3x ]


Old 10-29-2002, 10:23 PM   #2
Cake
Registered User
 
Join Date: Nov 2001
Location: Los Angeles
Posts: 1,006
Basic virus info: http://www.howstuffworks.com/virus.htm

[quote]For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs, too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc.[/quote]


Old 10-29-2002, 11:06 PM   #3
alcimedes
 
Join Date: Nov 2001
Location: Midwest
Posts: 5,481
i don't have any links to hard core explanations, but you're basically right.

what it comes down to often times are the rights that a program gives a file type, and the rights that the filetype has by definition. some file types can't be infected, as the programs that open them aren't made to execute anything.

usually most viruses exploit holes in programs to grab more rights than they're supposed to have, then go to town on your system.

of course, if you're running OSX you don't have to worry as of yet, not a single OSX virus exists.
Old 10-29-2002, 11:32 PM   #4
Amorph
Moderator Emeritus
 
Join Date: Nov 2001
Location: Iowa City
Posts: 6,811
There are basically three approaches:

1) Get a bona fide executable onto the system by piggy-backing on an installer, an auto-run facility (like QuickTime Autostart) or another application.

2) Get a script to run in a context with access to the system - Word macros and VBScript are fine examples. Again, auto-run functionality is especially desirable.

3) This is a particularly tricky one: Embed an executable in a document of whatever description aimed at an application that handles memory carelessly, so that when loaded, the executable ends up looking like a separate executable to the kernel, which cheerfully runs it. This is how the infamous Internet Worm worked: Older UNIXen used gets() to collect login and password information. gets() reads information from standard input into a preallocated buffer - but it doesn't bother to see whether the information is too big to fit in the buffer! So the Worm was prefixed with enough junk data to fill the buffer, and from its no-man's-land in memory it was able to get scheduled as a process (running as root, IIRC, because of the permissions level of the login process) and infect the server.

That's a high-level explanation. I've never really understood the exact mechanism by which worms (a type of virus) of type 3 actually worked - I've never really been interested. But I know they exploit sloppy memory allocation and/or bounds checking.


"...within intervention's distance of the embassy." - CvB

Original music:
The Mayflies - Black earth Americana. Now on iTMS!
Becca Sutlive - Iowa Fried Rock 'n Roll - now on iTMS!
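
Added example, not part of Amorph's post: the unchecked copy the post attributes to gets(), next to a bounded read, using a constructed struct so the spill into adjacent data can be observed without undefined behaviour. The struct layout and all function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: input buffer with other data directly after it. */
struct frame {
    char name[16];
    char neighbour[8];
};

/* Copies the way gets() does: stops at newline, never at the end of name[].
 * Capped at the end of the struct so the demo spills into neighbour[] only. */
size_t read_like_gets(struct frame *f, const char *input)
{
    char *dst = (char *)f;                 /* byte view of the whole struct */
    size_t n = strcspn(input, "\n");
    if (n > sizeof *f - 1)
        n = sizeof *f - 1;
    memcpy(dst, input, n);
    dst[n] = '\0';
    return n;                              /* bytes stored before the NUL */
}

/* Bounded read, the limit fgets(buf, sizeof buf, stdin) enforces: at most
 * sizeof name - 1 bytes are stored and the excess is dropped. */
size_t read_bounded(struct frame *f, const char *input)
{
    size_t n = strcspn(input, "\n");
    if (n > sizeof f->name - 1)
        n = sizeof f->name - 1;
    memcpy(f->name, input, n);
    f->name[n] = '\0';
    return n;
}

/* 1 if neighbour[] still holds its initial value "STATE-1". */
int neighbour_intact(const struct frame *f)
{
    return memcmp(f->neighbour, "STATE-1", sizeof f->neighbour) == 0;
}

int main(void)
{
    struct frame a = {"", "STATE-1"}, b = {"", "STATE-1"};
    const char *line = "AAAAAAAAAAAAAAAAAAAA\n";   /* constructed: 20 bytes */
    read_like_gets(&a, line);
    read_bounded(&b, line);
    printf("gets-style: %d, bounded: %d\n", neighbour_intact(&a), neighbour_intact(&b));
    return 0;
}
```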
Old 10-30-2002, 06:34 AM   #5
ast3r3x
Hated Member
 
Join Date: Jun 2002
Location: PA
Posts: 4,984
but how does norton antivirus work then, doesn't it just check every file and program for that stuff?

how does it know what the original file was like and how can it be sure it was a virus...also the speed in which it takes to check a single file makes me wonder why programs couldn't just check themselves when you open a data document (.mp3/.txt/.jpg...etc.) would that be hard to program?

just curious...and glad to see OS X is virus free


Old 10-30-2002, 02:56 PM   #6
Overhope
I am Electro
 
Join Date: Jul 2002
Location: the Overhope organisation
Posts: 1,123
Virus checkers tend to either look for specific bits of viral code that's programmed into their libraries (those big downloads of virus updates), sort of like DNA fingerprinting. If you've got something like Norton Realtime Protection running (like I have on the POS Win 95 laptop I have to use at work), it keeps an eye out for virus-like system calls, and denies them.

Thing is, this all comes at a cost to speed, since you have to be continually running all system calls for anything suspicious.

As for every application checking for viral content, you'd either need to program a virus-checker and associated libraries into every application (eating memory, launch-speed and hard-drives) or have an anti-virus framework in the system. Preferable, but you'd still take a speed hit.

In any event, a bit of basic informational hygiene when it comes to introducing files from elsewhere to your machine and not running security-hole ridden software from certain large corporations should keep your system clean.

In eight years of Mac use, I have never had a virus, but I still keep some medicine around just in case.


Whatever it is, it ain't rocket science
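
Added example, not part of Overhope's post: a minimal byte-signature scan of the "DNA fingerprinting" kind described above, run over constructed sample files. The signature names, byte patterns and file contents are made up for this illustration and match no real malware or product.

```c
#include <stddef.h>
#include <string.h>

/* One library entry; names and patterns are constructed for this example. */
struct signature {
    const char *name;
    const unsigned char *pattern;
    size_t len;
};

static const unsigned char SIG_A[] = {0xDE, 0xAD, 0xBE, 0xEF, 0x13, 0x37};
static const unsigned char SIG_B[] = {'D', 'E', 'M', 'O', '-', 'S', 'I', 'G'};
static const struct signature LIBRARY[] = {
    {"Demo.SampleA", SIG_A, sizeof SIG_A},
    {"Demo.SampleB", SIG_B, sizeof SIG_B},
};

/* Constructed sample files: clean, carrying SIG_A, and a variant of SIG_A
 * with its last byte changed (not in the library, so it goes unnoticed). */
const unsigned char CLEAN_FILE[] = "ID3 plain audio data, nothing else";
const unsigned char INFECTED_FILE[] =
    {'h', 'd', 'r', 0xDE, 0xAD, 0xBE, 0xEF, 0x13, 0x37, 'e', 'n', 'd'};
const unsigned char VARIANT_FILE[] =
    {'h', 'd', 'r', 0xDE, 0xAD, 0xBE, 0xEF, 0x13, 0x38, 'e', 'n', 'd'};

/* Offset of pat inside data, or -1 when it does not occur. */
static long find_bytes(const unsigned char *data, size_t data_len,
                       const unsigned char *pat, size_t pat_len)
{
    if (pat_len == 0 || pat_len > data_len)
        return -1;
    for (size_t i = 0; i + pat_len <= data_len; i++)
        if (memcmp(data + i, pat, pat_len) == 0)
            return (long)i;
    return -1;
}

/* Name of the first matching signature (offset in *where), or NULL. */
const char *scan_buffer(const unsigned char *data, size_t len, long *where)
{
    for (size_t s = 0; s < sizeof LIBRARY / sizeof LIBRARY[0]; s++) {
        long off = find_bytes(data, len, LIBRARY[s].pattern, LIBRARY[s].len);
        if (off >= 0) {
            *where = off;
            return LIBRARY[s].name;
        }
    }
    return NULL;
}
```

The scanner needs no copy of the original file, only the known pattern; the variant with one changed byte passes as clean until the library is updated.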
Old 11-02-2002, 07:58 PM   #7
ThinkingDifferent
Registered User
 
Join Date: Nov 2001
Posts: 1,591
Check this site out:
Virus Info: http://online.securityfocus.com/virus

=========================================

Apollo 13 was rocket science.