See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/26445696

Analysis of Virus Algorithms

Article  in  Journal of Computer Science · October 2006

DOI: 10.3844/jcssp.2006.785.788 · Source: DOAJ

CITATION READS
1 784

4 authors, including:

Karanjeet Singh Kahlon

Guru Nanak Dev University
40 PUBLICATIONS   225 CITATIONS   

SEE PROFILE

All content following this page was uploaded by Karanjeet Singh Kahlon on 15 February 2017.

The user has requested enhancement of the downloaded file.

Journal of Computer Science 2 (10): 785-788, 2006
ISSN 1549-3636
© 2006 Science Publications

Analysis of Virus Algorithms

1
Jyoti Kalyani, 2Karanjit Singh Kahlon, 3Harpal Singh and. 4Anu Kalyani
1
CBM Department, GNDU Amritsar, Punjab, India
2
Department of Computer Science and Engineering, GNDU, Amritsar, Punjab, India
3
Department of Computer Science, LIM, Jalandhar, Punjab, India
4
Departement of Computer Science, Punjab Technical University, Jalandhar, Punjab, India

Abstract: Security of wired and wireless networks is the most challengeable in today’s computer
world. The aim of this study was to give brief introduction about viruses and worms, their creators and
characteristics of algorithms used by viruses. Here wired and wireless network viruses are elaborated.
Also viruses are compared with human immune system. On the basis of this comparison four
guidelines are given to detect viruses so that more secure systems are made. While concluding this
study it is found that the security is most challengeable, thus it is required to make more secure models
which automatically detect viruses and prevent the system from its affect.

Key words: TSR, viruses, worms, malware

INTRODUCTION code to harm several computers and networks. After

some time this group becomes most dangerous section
Virus programs use the most basic computer of the computer underground[3]. After creating
functions and operations like copying, deleting and destructible softwares and hardwares, their main aim is
automatic operations like decision making. It should to spread their creations and to ensure whether their
also be clear that no additional functions are necessary creations are spreading, they use social engineering.
for the operation of viral programs. Because of these
characteristics it is difficult to differentiate between Stage III: Actually virus writers are programmers who
virus program and valid program. Without running the feel themselves as researchers but this research is
program, or simulating its operation, there is no way to illegal. They use their ability to harm the community.
say that this program is viral and that one is valid. It Their motive behind writing these infected programs is
will focus on understanding how virus writers operate, fair because they do it for their research purpose only
how they perceive their world and the world around not for money[4]. They do not spread their creations like
them and how they think. Broadly virus writers can be viruses but they do discuss innovations on the internet.
categorized according to three stages: Still there are researchers who are actually working to
detect and remove viruses. They create different
Stage I: In early times, viruses were written by young patches and anti viruses to detect and prevent viruses.
programmers who had just learned programming. They
try to use their skills[1]. But viruses created by such FEATURES OF VARIOUS VIRUS ALGORITHMS
writers do not spread because of disk reformation or
system up gradation. Viruses written by these writers Remember virus is a program. Therefore each virus has
are not written for some specific purpose but only to different code and algorithm. These virus algorithms
show their talent. They were still at their learning stage, can be differentiated according to their features as each
but had already made a conscious decision to devote algorithm is designed for some specific task.
their skills to virus writing. They were people who had Features of operating algorithms:
chosen to disrupt the computing community by * Ability of virus to cover traces
committing acts of cyber hooliganism and cyber * Use of Self encryption
vandalism[2]. Viruses written by members of this group * Polymorphic capability
were usually extremely primitive and the code * Metamorphic code Algorithm
contained a large number of errors. They learn new * Terminate and Stay Resident capability
techniques and share their views with professional virus * Use of non-standard techniques
writers through chat rooms or emails. Ability of virus to cover its traces with the help
of Stealth algorithm viruses can completely or partially
Stage II: And then these young programmers grew up. cover their traces inside the Operating System. A
Not all of them grew up, but rest of them becomes Stealth virus gets its name because it is very difficult to
professional virus writers who have the ability to create find and it uses various complex techniques for
Corresponding Author: Jyoti Kalyani, CBM Department, GNDU Amritsar, Punjab, India, E-mail: [email protected]
785
 J. Computer Sci. 2 (10): 785-788, 2006

avoiding detection. The virus has the ability to redirect them. These resident viruses stay in memory and are
system pointers and information in order to infect a file used to be operative until power down or until
without actually changing the infected program file. operating system reboot. But nonresident viruses not at
Another Stealth technique is to conceal an increase in all infect computer memory and are active for a limited
file size by displaying the original uninfected file time only. Some nonresident viruses leave their small
size[5]. The most common Stealth algorithm is resident parts in RAM which do not spread the virus
interception of OS read/write calls to infected objects. still such viruses are called nonresident[11]. Some other
In such cases Stealth viruses either temporarily cure viruses like macro viruses can also be considered
them or substitute themselves with uninfected pieces of residents because they reside in computer memory
information. In case of macro viruses the most popular during all the run time of the infected editor program.
technique is to disable the View Macro menu(s). Frodo Here the editor plays the role of operating system and
is one of the first file Stealth virus, Brain is the first system reboot means the editor program termination. In
boot Stealth virus[6]. multitasking operating systems, the lifetime of a
Use of self encryption algorithm This is more resident DOS virus can also be limited by the moment
advanced method in which virus uses simple encryption of closing of the infected DOS window, the activity of
algorithm to encipher itself. Here, the virus consists of a boot viruses in some operating systems is limited to the
small decrypting module and an encrypted copy of moment of installation of OS disk drivers.
virus code. For each infected file virus is encrypted Nonstandard techniques Viruses uses many
with different key but decrypting module remain the nonstandard techniques to avoid detection in OS kernel
same. Therefore, a virus scanner cannot directly detect to protect its residents copy from being detected and
the virus using signatures but it can still detect the make curing more difficult.
decrypting module which still makes indirect detection
of virus possible[7]. Mostly, the decrypting techniques PROPOSED GUIDELINES FOR CONTROLLING
that these viruses use are very simple and can be done VIRUSES ON THE BASIS OF HUMAN IMMUNE
by just xoring each byte with randomized key that was SYSTEM
saved by parent virus. The advantage of using xor-
operations is that the encryption and decryption Human immune system is itself a network which
routines are same. consists of human webs, sexual webs, food webs etc. So
Polymorphic code was the virus algorithm that these are the transmission mediums for spreading
posed a serious threat to virus scanners[8]. Just like self viruses but in computer system technological networks
encrypted viruses, a polymorphic virus infects files with exist such as internet, email which transports computer
an encrypted copy of itself, which is decoded by a viruses. Humans are self-regulating against viruses,
decryption module. But in the case of polymorphic while computers are not. That is why strong immune
viruses however, this decryption module is also system is required for virus control. Biological viruses
modified on each infection[9]. Therefore, polymorphic and computer viruses both have different level of
virus has no parts that stay the same on each infection, sophistication like biological viruses are autonomous,
making it impossible to detect directly using signature. evolving and sequential whereas computer viruses are
Metamorphic code Algorithm This virus has highly regulated and static. In general, biological
distinguished characteristic i.e. every time it changes its viruses are less connected than computer viruses. There
code completely to infect any executable file. Viruses are various analogies between biological and computer
that use this algorithm are called metamorphic viruses. viruses. Based on principles extracted from mapping
It require metamorphic engine to enable between computer system and immune system, some
metamorphism. These virus programs used to be very guidelines are proposed for computer security which is
large and complex e.g. W32/Smile is metamorphic given as follows:
virus consist of 14,000 lines out which 905 code is part
of metamorphic engine. Data protection: Computer viruses are the programs
TSR stands for terminate but stay resident This which infect programs or boot sectors by inserting
virus will remain resident in your computer's memory instructions into program files stored on disk.
after it executes. There are number of viruses, According to this definition of viruses, the protection
particularly boot sector viruses, which remain resident problem is essentially the same as that of protecting any
in memory so that they can spread to other disks and kind of stored data. Many change-detection algorithms
programs much faster and more transparently[10]. It is have been devised to address this problem including
very difficult to find the virus if it has become the some inspired by biology. Immunization exists here
memory resident because it can monitor every action also; they are patches, alerts, virus scanning and OS
taken by your computer and cover its traces updates etc. Here an antibody counter measure
accordingly. When TSR virus infect any system it corresponds to virus scanner, which acts like antibody
leaves its resident part in RAM which then intercepts cells for the protection of data.
system calls to target objects and incorporates into
786
 J. Computer Sci. 2 (10): 785-788, 2006

Single host protection (active processes): Suppose possibly replicating and circulating itself to find similar
every active process in computer is cell as similar as problems on other hosts.
adaptive human immune system which is made up of This guideline is similar to the previous one,
cells which monitor and interact with other cells. Then difference is mobile detector processes or mobile agents
it can be said that a computer runs multiple processes as are added here. Now it is able to detect the same class
a multicellular organism and network of such of anomalies. With the help of mobile agents anomalies
computers can be considered as a population of such detected on one computer could also be quickly
organisms. Different security mechanisms, such as eliminated from other computers in the network. It has
passwords, groups and file permissions etc. would similar requirements as before, except that it also
protect the computer analogous to that of a computer’s depends upon a robust mobile agent framework.
skin and innate immune system[12]. With the help of
lymphocyte an adaptive immune system layer can be Network protection of mutually trusting disposable
created which could check other processes that whether computers: Now regard each computer as a cell, with a
processes are running properly[13]. If the process is not network of mutually-trusting computers being the
running properly that means process is under attack and individual. By default the normal defense the cell has is
to cure the damaged process kernel which is performing host-based security.. For computer the innate immune
the functions of lymphocyte can kill, suspend or restart system consists of the network’s defenses, such as
that process just as in human immune system. As each Kerberos and firewalls. By creating a set of lymphocyte
lymphocyte process could have a randomly-generated machines adaptive immune system layer can be
detector or set of detectors, living for a limited amount implemented. Now the purpose of these machines is to
of time, after which it would be replaced by another monitor the state of other machines on the network. If
lymphocyte. Therefore, it is impossible to attack the any machine found infected, the problematic machine
protection system because there would be no predefined could be isolated perhaps by reconfiguring hubs and/or
location or control thread. If some lymphocytes are routers, rebooted, or shut down. But if the problematic
performing well and are useful for the system e.g. machine were outside the network, a lymphocyte could
detecting new anomalies then the life span of these stand in for the victimized machine, doing battle with
lymphocytes can be increased. Additionally, the malicious host, potentially sacrificing itself for the
autoimmune responses e.g., false alarms could be good of the network.
prevented through a censoring process analogous to These guidelines could address problems regarding
clonal deletion in the thymus. compromised hosts, network flooding, denial-of-service
System using lymphocytes has the ability to adapt attacks and even hardware failures[16]. However, this
to changes in user behavior and system software by guideline is significantly more required than the
changing lymphocytes. Different security levels could previous two. An implementation of this guideline
be adopted by increasing the life span of lymphocytes requires an MHC/peptide analog at the host level and
and number of detectors in the lymphocytes. should be based on a machine’s network traffic, or
For implementation of these guidelines, an analog based on the behavior of its kernel. To allow
for peptide/MHC binding and a technique for lymphocyte machines to isolate a given host a
eliminating self-reactive detectors is required[14]. dynamically configurable network topology would be
necessary. As used previous guideline, a thymus-type
Network protection of mutually trusting computers: mechanism would be needed to prevent autoimmune
Next guideline is to think of each computer as responses[17]. An implementation would require that
corresponding to an organ in an animal. Consider each hosts must be somewhat interchangeable-otherwise the
process as a cell, but now a human being is a network network could not afford the loss of any hosts.
of mutually trusting computers. Here the innate immune
system is composed of host-based security mechanisms, CONCLUSION
combined with network security mechanisms and
firewalls[15]. Kernel-assisted lymphocyte processes Present world is the era of information technology
implement the adaptive immune system layer, with the which has made the sharing of information a click
one more characteristic that these lymphocytes could away. But this technology has generated adverse effects
migrate between computers, making them mobile also one of which is virus i.e. with the generation of
agents. Now one computer or a set of computers could new technologies new viruses are also coming up every
then be reserved as a thymus for the network, which day. There are new anti-virus programs and techniques
will select and propagate lymphocytes, each of which developed too. It is good to be aware of viruses and
searches for a specific pattern of abnormal behavior. other malware and it is cheaper to protect your
Centralized system is not required to coordinate environment from them using latest antivirus software
response to security breach if these lymphocyte rather than being sorry. If your system starts behaving
processes use negative detection. The detecting differently it means your system has been infected. This
lymphocyte can take whatever action is necessary,
787
 J. Computer Sci. 2 (10): 785-788, 2006

infection can harm your computer in different ways like 4. Fred, C., 1987. Computer viruses. Computers &
it may restrict some functions, delete files, format your Security, 6: 22-35.
disk and automatically shutdown your system. It is 5. Blakley, R., 1997. The emperor’s old armor. Proc.
required to be little conscious of spyware and adware New Security Paradigms’96. ACM Press.
when you surf in the Internet and download files. 6. Forrest, S., A. Somayaji and D.H. Ackley, 1997.
Malware might be hidden in the files which looks Building diverse computer systems. Sixth
interesting. A computer virus is a program that Workshop on Hot Topics in Operating Systems.
replicates itself and its motive is to spread out. 7. Computer Virus Classification. http://www.avp.ch
Therefore by following above four guidelines which are 8. Kephart, J.O., A biologically inspired immune
based upon human immune system can be used to make system for computers. R.A. Brooks and P. Maes,
more secure system from viruses. Not all viruses are Eds. Artificial Life IV: Proc Fourth Intl. Workshop
harmful but some viruses might cause random damage on the Synthesis and Simulation.
to data files. There are many viruses which behave 9. Hanshisals, M., Computer Viruses, Department of
differently from general concepts regarding viruses e.g. Computer Science, Helsinki University of
Trojan horse virus and Macros. A Trojan horse is not a Tecnology.
virus because it doesn't reproduce. The Trojan horses 10. Tonegawa, S., 1983. Somatic generation of
are usually masked so that they look interesting. These antibody diversity. Nature, 302: 575-581.
viruses that steal passwords and format hard disks. 11. Inman, J.K., 1978. The antibody combining region:
Macro viruses spread from applications which use Speculations on the hypothesis of general
macros. These viruses spreads fast through internet multispecificity. In G.I. Bell, A.S. Perelson and
because people share so much data, email documents Jr.G.H. Pimbley, Eds., Theoretical Immunology,
and use the Internet to get documents. Macros are also pp: 243-278. M. Dekker, NY.
very easy to write. Some people want to experiment 12. Forrest, S., A.S. Perelson, L. Allen and R.
how to write viruses and test their programming talent. Cherukuri, 1994. Self-nonself discrimination in a
But they do not understand about the results for other computer. Proc. IEEE Symp. Research in Security
people or they simply do not bother. The mission of and Privacy, Los Alamos, CA, 1994. IEEE
viruses is to move from one program to other and this Computer Society Press.
can happen via floppy disks, Internet FTP sites, 13. Inman, J.K., 1978. The antibody combining region:
newsgroups and via email attachments. Viruses are Speculations on the hypothesis of general
mostly written for PC-computers and DOS multispecificity. In G.I. Bell, A.S. Perelson and
environments. Today every user has to deal with Jr.G.H. Pimbley, Eds., Theoretical Immunology,
viruses. pp: 243-278. M. Dekker, NY.
For good security appropriate passwords, proper 14. Somayaji, A., S. Forrest and S. Hofmeyr,
access controls and careful design are still needed. Principles of a Computer Immune System.
These protection measures act as similar as the body’s Department of Computer Science, University of
skin and innate immune system, which are responsible New Mexico, Albuquerque.
for preventing most infections. This paper has focused 15. Neuman, B.C. and T. Ts’o, 1994. Kerberos: An
on the human immune system’s adaptive responses, authentication service for computer networks.
because these are the types of mechanisms current IEEE Commun. Mag., 32: 33-38.
computer systems do not have. By removing these 16. Forrest, S., S. Hofmeyr, A. Somayaji and T.
shortcomings, it is possible to make computer systems Longstaff, 1996. A sense of self for UNIX
much more secure. processes. Proc. IEEE Symposium on Computer
Security and Privacy. IEEE Press.
REFERENCES 17. Forrest, S., S. Hofmeyr, A. Somayaji and T.
Longstaff, 1996. A sense of self for UNIX
1. Wulf, W.A., C. Wang and D. Kienzle, 1995. A new processes. Proc. IEEE Symp. Computer Security
model of security for distributed systems.Technical and Privacy, IEEE Press
Report CS-95-34, University of Virginia.
2. Who writes malicious programs and why?
http://www.viruslist.com/
3. Forrest, S., A. S. Perelson, L. Allen and R.
Cherukuri, 1994. Self-nonself discrimination in a
computer. In Proceedings of the 1994 IEEE
Symposium on Research in Security and Privacy,
Los Alamos, CA, 1994. IEEE Computer Society
Press.

788

View publication stats