Malware 101: Viruses and how they propagate

While worms utilize networks to spread to multiple devices, viruses instead focus on spreading to other parts of the same device — essentially copying the same code to infect files on the device, much like biological viruses replicate themselves within a host and attach to cells within that host.

Viruses can still spread to other devices by infecting removable media, but unlike worms this process is not completely automatic because it relies in a user plugging the media into additional devices. Also like worms, viruses started out more as experiments rather than intentionally malicious software.

A short history of viruses

The first virus was Elk Cloner, a boot sector virus written in 1982 that was intended as a prank. When an infected disk was loaded into memory, it would copy itself to any other disks that were inserted. It mainly targeted games for Apple II, and on the 50th time the game was booted it would simply display a poem rather than booting the game. It also would mark disks that were already infected to prevent the boot sector from being rewritten.

Again targeting the boot sector of floppy disks, Brain was a virus written in 1986 that was the first to target IBM PCs. Brain also would display a message to the user, but rather than a prank, the motivation behind Brain was to combat piracy of the medical software written by the virus's authors. The message even included contact information for the authors with instructions to contact them for "vaccination."

This motive was again used by Sony BMG when two virus/rootkits were included on 22 million CDs in 2005 with the intention of preventing CD copying. This resulted in scandal not only for the shady tactics and introduction of rootkits on customer systems — a type of malware notoriously difficult to detect and remove — but also because both pieces of malware created vulnerabilities on the user's system that were exploited by other malware. Plus, one of the pieces of malware would send back the users' private listening habits regardless of whether they accepted this behavior via the end user license agreement (EULA).

When viruses act as time bombs

Perhaps even more so than worms, it is also possible for viruses to maintain a degree of stealth. The Michelangelo virus — written in 1986 — was the first to employ a common stealth tactic among viruses, which is to remain dormant until a specific condition is met — in this case, the birthday of the Renaissance artist that is its namesake.

On March 6, if a computer infected with Michelangelo was running it would overwrite the first 100 sectors of the hard disk with nulls, essentially rendering it unreadable without data recovery techniques. Unlike most wipers, however, the majority of the users' data was still left intact and simply inaccessible by conventional means. The technique of only executing a malicious payload under specific conditions is referred to as a “time bomb.” Michelangelo was also a boot sector virus as it infected the boot sector of floppy disks and the master boot record of hard disks.

How viruses avoid detection

Less sophisticated viruses are far from stealthy, and in fact a noticeable reduction of computer performance is one of the warning signs of a virus infection. Because viruses seek to infect other files, this process done indiscriminately can significantly impact computer performance as well as give away which files have been infected when unexpected software is suddenly running on the system.

As a result, more stealthy viruses will aim to infect software that is meant to be running all the time, especially processes that run as part of the operating system, or boot sectors of disks as mentioned in the previous examples. Boot sectors are less accessible to users, and every disk has one. They are limited to the bootup time to actually run the virus, though, which is why some viruses will target (or additionally target) long-running system processes.

Boot sectors do provide the best means for viruses to infect additional systems, which is one advantage worms certainly have over viruses from an attacker perspective. Much like worms, the term virus simply describes a propagation method — a method by which malware can replicate itself automatically — and the actual payload(s) attached to these propagation methods may vary and fall under other malware terminology (as with the Sony BMG rootkit example above).