System Architecture Design Notes (87): Computer Viruses and Prevention

The rapid development of computer and network technology has brought great convenience to people's work, study and life, and the computer has become an indispensable modern tool. However, the emergence of computer viruses has also brought unease and anxiety, and poses a real challenge.

1 Overview of computer viruses

The concept of the computer virus was first proposed by Dr. F. Cohen, an American computer virus researcher. Different countries and different experts define the computer virus from different angles. Article 28 of the Regulations of the People's Republic of China on the Protection of Computer Information Systems states: "A computer virus refers to a set of computer instructions or program code that is compiled, or inserted into a computer program, that destroys computer functions or data, affects the use of the computer, and can replicate itself." This definition has legal force and authority in China.

Like biological viruses, computer viruses can replicate, which lets them spread quickly and makes them hard to eradicate. They attach themselves to a host system or file, and when the system runs or the file is transferred from one user to another, they spread along with it.

A virus generally goes through four stages in its life cycle: the incubation stage, the infection stage, the trigger stage and the attack stage. Most viruses work in a specific way and therefore depend on a specific operating system or hardware platform; attackers accordingly exploit the details and weaknesses of a particular system when designing virus programs.

1.1 Characteristics of computer viruses

There are many kinds of computer viruses, but they share four common characteristics: infectivity, unauthorized execution, latency and destructiveness. Infectivity refers to the ability of a virus to replicate itself to other hosts, such as systems or files; this is the basic feature of a virus.

Unauthorized execution means that the virus program runs without the user's consent and without the user's knowledge. Latency is a necessary condition for the virus's survival: the virus lurks in the system without being noticed. Destructiveness means that the virus can be triggered automatically under certain conditions and then damages the computer. The unauthorized and latent nature of a virus makes its behavior unpredictable and makes detection harder. The more trigger conditions a virus has for infection and destruction, the stronger its contagion, but its latency decreases at the same time. A virus must be infectious, but it does not necessarily possess the other attributes.

1.2 Classification of computer viruses

There are many different classifications of computer viruses according to different classification standards:

According to the target operating system, viruses can be divided into viruses that attack DOS systems, Windows systems, Unix/Linux systems, OS/2 systems and Macintosh systems, viruses that attack mobile phones, and viruses on other operating systems.

According to the linking method, computer viruses can be divided into source code viruses, embedded viruses, shell viruses, macro viruses, script viruses and operating system viruses.

According to the damage they cause, computer viruses can be divided into benign viruses and malignant viruses.

According to the transmission media, computer viruses can be divided into stand-alone viruses and network viruses.

1.3 The composition of computer viruses

A virus program is generally composed of an infection module, a trigger module, a destruction module and a main control module, which carry out the infection, triggering and destruction tasks respectively. A few viruses do not have all of these modules.

(1) Infection module

The infection module is the part of the virus that spreads: it is responsible for propagating the virus from one system or file to more systems or files. Every virus carries a self-identifying mark, called the infection mark or virus signature. When a virus infects a system or file, it writes this mark into a specific area of the system or file (such as the host program, the registry or a physical disk track) to record that the target has already been infected; this prevents repeated infection and improves the virus's concealment. The main functions of the infection module are: finding a system or file that can be infected; checking whether the infection mark is present, and so judging whether the target has already been infected; and, if the mark is absent, carrying out the infection by implanting the virus code into the host system or file.

(2) Trigger module

The trigger module checks whether a predetermined trigger condition is met and, if so, calls the infection or destruction module to carry out the corresponding action. Trigger conditions take many forms: a date or time, a keystroke, finding a specific program, finding a network connection, finding a system vulnerability, the number of infections, the number of calls to a specific interrupt, and so on. By choosing trigger conditions, the virus author controls how often infection and destruction occur, so that the virus can act while staying hidden.

(3) Destruction module

The destruction module implements the virus's destructive actions. These may damage programs and data, reduce system performance, interfere with system operation, and in some cases even damage computer hardware. A few viruses have destruction modules with no obvious malicious damage behavior that only produce specific visible effects on the infected system; such a module is sometimes called the manifestation module.

(4) Main control module

The main control module controls the overall operation of the virus program. When an infected program runs, the virus's main control module runs first.

2 New trends in virus development under the network environment

While the Internet has brought convenience to people's work and life, it has also brought "convenience" to the creation and spread of many new viruses. Today, with the Internet highly developed, the number of computer viruses has increased sharply, their transmission channels have become more diverse, and infection has become faster.

In addition to the older methods of copying files between machines and cross-infection between systems, today's viruses spread more automatically over the network through web pages, e-mail, local area network shares and system vulnerabilities. Some epidemic viruses spread across a country and the world within two or three days with the help of the Internet.

For example, the e-mail virus is currently one of the most popular types of Internet virus. It adds a dangerous executable virus program as an e-mail attachment and uses tempting text in the body of the message to induce the recipient to run the attachment, thereby activating the virus. At present, most of these viruses target Microsoft Outlook and Outlook Express and spread by sending virus e-mails to the contacts in the Windows address book. They not only harm individuals but can also cause Internet mail servers to consume large amounts of network resources sending and receiving virus-laden mail, until the server crashes. In addition, because Internet instant messaging is so widely used, spreading viruses through MSN, QQ, OICQ and similar software has become a trend of virus epidemics in recent years; viruses can automatically transmit harmful content through these programs and so propagate on their own.

Many viruses currently spread through local area network shares. In the widely used Windows system, administrative shares, special ports and the like are enabled by default, and on some versions of the system the shares even grant write permission. A virus can therefore search the shared resources of the local network and directly infect the files in the corresponding folder of the target computer, or write itself into the target system, so as to gain the opportunity to execute there. For this reason, many viruses cause widespread infection throughout a local area network after infecting one computer, and it is difficult to remove them without disconnecting the network.

In the current network environment the most common malicious programs are Trojan horses, also known as backdoor programs. Most of them use a system vulnerability or an unused port to install the Trojan on the system and then use special software to monitor the host over the Internet, thereby obtaining access to the host's files and collecting host information such as the user's personal details, bank account numbers and passwords, online game accounts and so on. Because network transmission is very fast, infection in the network environment is also very fast: the once sensational "Shockwave", "Sasser" and similar viruses all spread across the world within a few days of the corresponding system vulnerabilities being discovered. It can be said that the variety and speed of spread of computer viruses today are greater than ever before.

3 Detection and removal of computer viruses

3.1 Signature detection

The so-called signature (feature code) detection method extracts a signature from a virus sample once the sample has been obtained (for example, the signature of the Yankee virus is the hexadecimal sequence "F47A2C00", and the "Happy Hour" virus contains the string "Fun Time"), and then scans the target file or memory for that signature. If the signature is found, the target is infected with that virus, and the virus can then be removed in a targeted manner.

Signature technology was the first virus detection method adopted by many anti-virus products. Signature detection is simple, accurate and fast; it can identify the virus by name and has a low false alarm rate. However, it can only diagnose known viruses, its response always lags behind the appearance of new viruses, and it cannot detect unknown or mutated viruses or deal with stealth viruses.

As computer viruses have developed, new viruses keep appearing, and some even mutate automatically (for example the "stuck neck" viruses); anti-virus software that relies on traditional signature search often finds these mutated viruses hard to handle. For this reason, broad-spectrum signature filtering technology was proposed, which compensates for the above shortcomings to a certain extent.
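Signature scanning as described above, with both an exact signature and a broad-spectrum (wildcard) pattern, written as an added Python example; it is not code from the original notes. The "F47A2C00" and "Fun Time" values come from the text; the wildcard form "F4??2C00", the sample buffers and the database layout are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed signature database (hypothetical entries for illustration).
# Values are hex byte patterns; "??" matches any single byte, which is the
# kind of broad-spectrum pattern the notes describe for catching variants.
SIGNATURES: Dict[str, str] = {
    "Yankee (exact)":    "F47A2C00",                 # value quoted in the notes
    "Yankee (broad)":    "F4??2C00",                 # constructed wildcard form
    "Fun Time (string)": "Fun Time".encode().hex(),  # string quoted in the notes
}


def pattern_to_regex(hex_pattern: str) -> re.Pattern:
    """Turn 'F4??2C00' into a bytes regex matching F4 <any byte> 2C 00."""
    parts = []
    for i in range(0, len(hex_pattern), 2):
        token = hex_pattern[i:i + 2]
        if token == "??":
            parts.append(b".")                       # wildcard byte
        else:
            parts.append(re.escape(bytes.fromhex(token)))
    return re.compile(b"".join(parts), re.DOTALL)    # DOTALL: "." matches 0x0A too


COMPILED = {name: pattern_to_regex(p) for name, p in SIGNATURES.items()}


def scan(data: bytes) -> List[str]:
    """Return the names of every signature found anywhere in the buffer."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


# Constructed samples: filler bytes with (or without) an embedded signature.
CLEAN_FILE = b"\x90" * 16 + b"hello world" + b"\x90" * 16
INFECTED = b"\x90" * 16 + bytes.fromhex("F47A2C00") + b"\x90" * 16
# A variant with one byte changed inside the signature (7A -> 7B): the exact
# signature misses it, the broad-spectrum pattern still catches it.
VARIANT = b"\x90" * 16 + bytes.fromhex("F47B2C00") + b"\x90" * 16
FUNTIME_FILE = b"\x00" * 8 + b"Fun Time" + b"\x00" * 8

if __name__ == "__main__":
    for label, buf in [("clean", CLEAN_FILE), ("infected", INFECTED),
                       ("variant", VARIANT), ("funtime", FUNTIME_FILE)]:
        print(f"{label:9s} -> {scan(buf)}")
```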

3.2 Checksum detection

First, calculate a checksum of the normal content of each file and of the normal system sector data, and store the checksums in a database. During detection, compare the checksum of the file's current content with the stored checksum; a mismatch shows that the file or sector has been changed, possibly by infection. This method is called checksum detection.

The advantages of checksum detection are that the method is simple, it can find unknown viruses, and it detects even subtle changes in the checked files. However, it cannot identify the type of virus. Moreover, because virus infection is not the only cause of file content changes (a legitimate program may also change a file), checksum detection is subject to various restrictions, and it also slows down file execution. In addition, checksums cannot judge new files, such as files transferred from the network, files copied from disks and CDs, or files inside backups and compressed archives.
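Checksum detection as an added example (not from the original notes): a baseline database is built from known-clean content, a later snapshot is compared against it, and the verdicts show the two limitations just mentioned, namely that a legitimate update is flagged the same way as an infection and that a file absent from the baseline cannot be judged at all. The file names and contents are constructed, and SHA-256 is an assumed choice of checksum.

```python
import hashlib
from typing import Dict


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a checksum for every known-clean file (the stored database)."""
    return {path: sha256_of(data) for path, data in files.items()}


def check(files: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, str]:
    """Classify each current file against the baseline.

    'unchanged' / 'modified' are decided purely by checksum comparison, so
    the method cannot say *what* changed a file. 'unknown' marks files with
    no baseline entry: checksum detection has nothing to compare them to.
    """
    verdicts = {}
    for path, data in files.items():
        if path not in baseline:
            verdicts[path] = "unknown"
        elif sha256_of(data) == baseline[path]:
            verdicts[path] = "unchanged"
        else:
            verdicts[path] = "modified"
    return verdicts


# Constructed "file system": path -> content. A real tool would read files
# and boot-sector data from disk; the dict keeps the example offline.
CLEAN = {
    "C:/prog/editor.exe": b"MZ" + b"\x00" * 30 + b"editor code",
    "C:/prog/calc.exe": b"MZ" + b"\x00" * 30 + b"calc code",
    "boot-sector": b"\xeb\x3c\x90" + b"\x00" * 20,
}
BASELINE = build_baseline(CLEAN)

# Later snapshot (constructed): bytes appended to editor.exe, a legitimate
# update of calc.exe, an untouched boot sector, and a newly downloaded file.
LATER = {
    "C:/prog/editor.exe": CLEAN["C:/prog/editor.exe"] + b"<appended bytes>",
    "C:/prog/calc.exe": b"MZ" + b"\x00" * 30 + b"calc code v2",
    "boot-sector": CLEAN["boot-sector"],
    "C:/downloads/new.exe": b"MZ" + b"\x00" * 30 + b"never seen before",
}

if __name__ == "__main__":
    for path, verdict in check(LATER, BASELINE).items():
        print(f"{verdict:9s} {path}")
```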

3.3 Behavior monitoring

With the continuing escalation of the struggle between viruses and anti-virus software in recent years, and the increasing speed at which new viruses appear, traditional anti-virus technology lags behind and is increasingly unable to meet protection needs; generic anti-virus technology is needed to protect computer security. The generic virus detection technologies widely studied and adopted at this stage include virus behavior monitoring, heuristic scanning and virtual machine technology.

Research shows that no matter how cleverly a virus is disguised, it always exhibits some behaviors that differ from normal programs, and these behaviors are very rare in normal applications. These are the behavioral characteristics of viruses.

Common virus behavioral characteristics include: writing to executable files, writing to the boot area of the disk, switching between the virus program and the host program, relocating the program's own code, and obtaining API function addresses by searching the function index table.

Using these characteristics, the virus can be monitored and an alarm raised when the virus program becomes active. This behavioral detection method can detect not only known viruses but also new, unknown viruses, regardless of the virus type and whether it has mutated. However, behavior monitoring may also produce false alarms and cannot identify the virus by name.

3.4 Heuristic scanning

Building on signature scanning, analysis of virus code yields statistical and static heuristic knowledge that can be used in static heuristic scanning. Heuristic scanning mainly analyzes the sequence of instructions in a file and, based on this statistical knowledge, judges whether the file is likely to be infected, so that unknown viruses may be found. Heuristic scanning is therefore a probabilistic method that follows the laws of probability theory.

Early heuristic scanners used code decompilation as their basis. Such software stores tens of thousands of entries in internal tables of virus behavior code, each entry corresponding to the code sequence needed for one type of virus behavior, such as the code a virus uses to format a disk. The scanner decompiles the code of the file under examination and then, with the support of these tables, applies methods such as static code analysis and code similarity comparison to detect variants of known viruses and to judge whether the file contains an unknown virus.

Because virus code varies endlessly, the concrete implementation of heuristic scanning is quite complicated. Generally, such software must be able to recognize many suspicious instruction sequences, such as formatting a disk, searching for and locating executable programs, installing itself as memory-resident, stack operations consisting only of subroutine calls, and long-distance jumps toward the head of the file (for example, spanning more than two-thirds of the file length). In general, a single suspicious operation is not enough to trigger a virus alarm, but if several suspicious operations occur together, the target program is very likely a virus.
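An added example (not the notes' own code) of the scoring rule just described, which also covers the behavioral-characteristic idea of 3.3: suspicious operations are counted over a constructed stand-in for a decompiled program, the long backward jump spanning more than two-thirds of the file is checked explicitly, and an alarm is raised only when several indicators coincide. The operation tags, the threshold of two indicators and the samples are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DecodedFile:
    """Constructed stand-in for a decompiled program: decoded operations
    (tag, byte offset) plus the file length needed for the long-jump rule."""
    name: str
    length: int
    ops: List[Tuple[str, int]]


# Suspicious operations named in the notes, keyed by constructed tags. A real
# scanner would recognise these from decompiled instruction sequences.
SUSPICIOUS = {
    "format_disk": "formats a disk",
    "find_exe": "searches for executable programs",
    "stay_resident": "installs itself memory-resident",
}


def long_jump_to_head(f: DecodedFile, threshold: float = 2 / 3) -> bool:
    """A backward jump spanning more than `threshold` of the file length,
    typical of an appended body jumping back to the original entry point."""
    for tag, offset in f.ops:
        if tag.startswith("jmp:"):
            target = int(tag.split(":", 1)[1])
            if target < offset and (offset - target) > threshold * f.length:
                return True
    return False


def suspicious_operations(f: DecodedFile) -> List[str]:
    found = sorted({SUSPICIOUS[t] for t, _ in f.ops if t in SUSPICIOUS})
    if long_jump_to_head(f):
        found.append("long jump toward file head")
    return found


def verdict(f: DecodedFile, min_hits: int = 2) -> str:
    """One suspicious operation alone is not an alarm; several together are."""
    hits = suspicious_operations(f)
    if len(hits) >= min_hits:
        return "likely virus"
    return "suspicious" if hits else "clean"


# Constructed samples: a legitimate disk tool (one indicator only), a program
# with an appended body (three indicators), and a plain editor (none).
DISK_TOOL = DecodedFile("disk tool", 4000,
                        [("open_file", 10), ("format_disk", 200), ("exit", 300)])
APPENDED = DecodedFile("appended sample", 9000,
                       [("find_exe", 8100), ("stay_resident", 8300),
                        ("jmp:16", 8500)])
EDITOR = DecodedFile("editor", 5000, [("open_file", 10), ("write_file", 50)])

if __name__ == "__main__":
    for f in (DISK_TOOL, APPENDED, EDITOR):
        print(f"{f.name:16s} {verdict(f):13s} {suspicious_operations(f)}")
```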

3.5 Virtual Machine

A self-mutating virus is also known as a polymorphic or metamorphic virus. It automatically changes its own program code and signature each time it infects a host. Representative examples of this type include the "Ghost" viruses.

Generally, a self-mutating virus uses the following operations to keep changing itself: replacing the original code with equivalent code; reordering instructions whose order does not affect execution; inserting many junk instructions; and compressing or encrypting the original virus code. Because the virus keeps changing its code and uses a different key for each infection, comparing the virus code of infected files with each other yields no stable signature that could serve as a virus characteristic, so traditional detection methods cannot detect such viruses. However, self-mutating viruses share one rule: no matter how the virus changes, it must restore itself to its original form when it executes.

To detect self-mutating viruses, a new detection method, virtual machine technology, has emerged. It uses software to simulate part of the system's instructions and function calls in a virtual environment, interpreting and executing the virus code there. The simulated execution has no actual effect on the real system, yet the results of running the program can be observed, and analysis of that run then determines whether a virus is present.

No matter what encryption, stealth or other camouflage a virus uses, once it runs in the virtual environment created by the virtual machine, the virus sheds its disguise as execution proceeds (in fact it is dynamically restored by the virtual machine). Based on this design principle, the virtual machine has strong advantages in handling encrypted, transformed and mutating viruses. The virtual machine detection method uses software to simulate the process of manual decompilation, intelligent dynamic tracing and analysis of running code, which is more efficient and more accurate. Anti-virus has thereby moved from purely static analysis into a new era combining dynamic and static analysis, greatly improving the detection of known and unknown viruses. Virtual machine technology will see great development for a long time to come.
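The restore-then-scan principle described above, as an added Python example that is not part of the original notes: a toy bytecode (constructed, not a real instruction set) consists of a small decryptor stub followed by a body XORed with a per-sample key, so the stored bytes differ for every key and a static signature scan finds nothing; an emulator interprets the stub in an isolated memory copy, and the signature appears in the restored memory. The opcodes, the sample body, the keys and the step limit are assumptions; the "F47A2C00" signature is the value quoted in section 3.1.

```python
import struct

SIGNATURE = bytes.fromhex("F47A2C00")              # value quoted in the notes
BODY = b"\x90" * 6 + SIGNATURE + b"sample body (constructed)"

OP_LOADKEY, OP_XORLOOP, OP_JMP = 0x01, 0x02, 0x03  # constructed toy opcodes
STUB_LEN = 2 + 5 + 3                               # LOADKEY k | XORLOOP s,n | JMP s


def build_sample(key: int) -> bytes:
    """Constructed mutating-style sample: decryptor stub + body XORed with a
    per-sample key, so two samples with different keys share no stable bytes."""
    stub = (bytes([OP_LOADKEY, key])
            + bytes([OP_XORLOOP]) + struct.pack("<HH", STUB_LEN, len(BODY))
            + bytes([OP_JMP]) + struct.pack("<H", STUB_LEN))
    return stub + bytes(b ^ key for b in BODY)


def emulate(image: bytes, max_steps: int = 1000) -> bytes:
    """Interpret the stub on a private memory copy (nothing touches the real
    system) and return memory as it looks when control reaches the body.
    The step limit bounds the emulation so a looping sample cannot hang us."""
    mem = bytearray(image)
    pc, key = 0, 0
    for _ in range(max_steps):
        op = mem[pc]
        if op == OP_LOADKEY:
            key = mem[pc + 1]
            pc += 2
        elif op == OP_XORLOOP:
            start, length = struct.unpack_from("<HH", mem, pc + 1)
            for i in range(start, start + length):
                mem[i] ^= key                      # the sample restores itself
            pc += 5
        elif op == OP_JMP:
            return bytes(mem)                      # decrypted body reached
        else:
            raise ValueError(f"unknown opcode {op:#x} at offset {pc}")
    raise RuntimeError("emulation step limit reached")


def static_scan(image: bytes) -> bool:
    """Plain signature scan of the stored bytes (what section 3.1 does)."""
    return SIGNATURE in image


def emulated_scan(image: bytes) -> bool:
    """Signature scan of memory after emulation (the virtual machine method)."""
    return SIGNATURE in emulate(image)


# Three constructed infections of the same body with different keys.
SAMPLES = {key: build_sample(key) for key in (0x5A, 0xC3, 0x17)}

if __name__ == "__main__":
    for key, image in SAMPLES.items():
        print(f"key={key:#04x} static={static_scan(image)} "
              f"emulated={emulated_scan(image)}")
```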

3.6 Removal of viruses

Removing the virus code from the host and restoring a system or program that can run normally is called virus removal. In most cases, anti-virus software or manual processing can restore infected files or systems, but not all infected files can be disinfected and not all infected hosts can be effectively restored.

Depending on the type of virus and its destructive behavior: after infection, if the host data has not been deleted, it can usually be restored; if the host data has been deleted or overwritten by the virus, or the logical relationships within the host data have been destroyed, it usually cannot be restored.

4 Prevention of computer viruses

"Prevention is better than cure" applies to computer viruses as well. Doing preventive work during daily computer use can avoid virus infection to a large extent and reduce unnecessary loss of material and data.

The best way to prevent computer viruses would be never to exchange files with the outside world, but this is impossible: in their work, people constantly exchange data with the outside, and exchanging large amounts of information creates the conditions for viruses to infect and spread. To protect your computer from virus damage, you must at least:

(1) Anti-virus software must be installed on the computer.

(2) Do not use software of unknown origin or unverified software, and be very careful with programs and documents downloaded from the Internet. Check files for viruses before executing them and documents before opening them; check media obtained from outside and the files on it before use; and decompress compressed files and check their contents for viruses.

(3) Check e-mail attachments for viruses before opening them, and check for viruses before sending e-mail; do not run e-mail attachments from unknown sources, especially attachments that the body of the message urges you to run with enticing text.

(4) Use anti-virus software to scan the system regularly.

(5) Ensure that the scan engine and virus database of the anti-virus software are up to date, because an old scan engine and database will not detect new viruses.

(6) To guard against boot-sector viruses damaging the system, make an emergency boot disk immediately after installing the system, so that if the hard disk partition table is damaged you can boot from the emergency disk and restore the backed-up boot sector, partition table and so on directly.

(7) Some important files should be backed up regularly so that they can be restored from the backup in case the system is damaged by a virus.

(8) Use a security scanning tool to scan the system and host regularly; if vulnerabilities are found, apply fixes promptly to reduce the chance of infection by viruses and worms.

(9) When using anti-virus software, it is best to scan first and decide whether to disinfect only after an infected file is found. Scanning is not a dangerous operation: it may produce false positives, but it never damages the system, whereas disinfection is a dangerous operation, and some of its steps may destroy files.

(10) Establish a computer virus prevention and control management system for the organization, and provide anti-virus training for computer users.


Source: blog.csdn.net/deniro_li/article/details/108900791