An Attacker’s Day into Human Virology 4: Which World Wins the Race?

Ruchna Nigam proceeds with the analysis of self-preservation techniques, attack hallmarks, and individual advantages of the viruses from both worlds concerned.

Attacking the Defenses

Some viruses attack the defenses proper

Some viruses attack the defenses proper

Something really smart that you can see in human viruses is that instead of trying to penetrate the defenses of the body, some viruses actually directly attack the defense. This can be seen in viruses like HIV and Flavivirus. What it does is it attacks your defense system, so there is nothing that can protect you from these viruses.

Something similar can be seen in viruses like Sality, where it dominates all the antiviruses running on your PC, so, again, you are exposed. And what it also does is it adds itself to the authorized applications on your machine, so it’s basically granting itself elevated privileges, and basically you are then defenseless to the virus.

Targeting a System’s Specific Components

Selective targeting strategy

Selective targeting strategy

In the world of human virology, you see there are some viruses that attack specific parts or specific components of the system. You have the Rotavirus that attacks the small intestine, or Poliovirus that attacks motor neurons. Similarly, in the computer world we have viruses that attack a particular component of the system. There are viruses that attack particular applications, like FileZilla or Internet Explorer, or a virus that attacks the Windows Protected Storage (see left-hand image).

A very good example of this is the Eeki virus for iPhone. What it would do is it would attack jailbroken iPhones and it would verify if the password on the phone is actually the default password, and if it is a match then basically your phone is completely in control of the attacker.

Incubation and Other Time-Based Constraints

Time-based patterns for virus propagation

Time-based patterns for virus propagation

Another phenomenon that is in common is something called Incubation. Incubation is the time period between the point where you get infected by a virus and the point where the symptoms of the virus become evident. For example, you might have the flu but it takes about two-three days for the symptoms to be apparent and for you to know that you have the flu.

The same strategy is used in some viruses that are called Time Bombs. They are designed to go off at a particular point of time. For example, the Michelangelo virus back in 1991 was designed to go off on the birthday of Michelangelo. Then you have the CodeRed virus which only spreads itself from the 1st to the 19th of each month and it’s dormant for the rest of the month. This is, again, another idea which has been taken from the biological world.

Sticking with the Target

Stayin' alive, virus-wise

Stayin’ alive, virus-wise

How these viruses ensure that the system stays infected is also similar between the two worlds. For example, what the HIV virus does is it infects the memory T cells. As Guillaume explained before, memory cells help your body cope better every time you are attacked by a virus. If you are attacked by a particular virus at one point of time, the memory T cells will register that and basically they will help you cope with the same virus better the next time you are infected with it again. What HIV does is it directly attacks these cells, so, that means your body will have no memory of being attacked by HIV.

This is somewhat similar to what we saw in a rootkit called TDL4 which would infect directly the master boot record on a machine. That meant your machine would stay infected even if you reinstalled the OS on it. The ZeuS botnet also makes sure machines stay infected by sending frequent updates, making sure all of its bots have the latest version of the virus.

And the Winner Is…

Human virology gets the prize

Human virology gets the prize

Until now, we’ve seen that, for the most part of it, God won (see left-hand image). The computer attackers didn’t really come up with very brilliant ideas. Their ideas are mostly already seen in human virology. However, the one area where the attackers did manage to beat God is something called anti-debugging tricks. The essence of this is that the attackers anticipate how the virus might be analyzed or detected by an antivirus company, and they put in measures to prevent this or to make this process somewhat more complicated.

Where Computer Viruses Outperform Their Biological Counterparts

What are computer viruses better at?

What are computer viruses better at?

Some of the means of doing this is something called URL redirection. For example, you have this virus called DNSChanger, and if your infected machine would try and connect to an AV website, you would automatically be redirected to another website, which basically prevents you from knowing your machine is infected at all.

Other techniques are detection of some tools such as reverse engineering tools, debuggers, virtual machines, which basically makes the job of AV analysts more difficult. Because if I am trying to run a sample of the virus, and if the virus knows the kind of tools I’m using and what to look for, it might not run or it can hide itself form these tools, making analysis more difficult.

The reason this is possible in computer viruses and fortunately not possible in the biological world is because the code for computer viruses is a lot more complex, it is much bigger in size as compared to biological viruses. For example, if we consider the code for the common flu, it’s about 22 KB, which is merely a fraction of most of the viruses we see.

Read previous: An Attacker’s Day into Human Virology 3: Common Properties of Human and Computer Viruses

Read next: An Attacker’s Day into Human Virology 5: Thoughts on Designed Biological Viruses and Darwinian Computer Viruses

Like This Article? Let Others Know!
Related Articles:

Leave a comment:

Your email address will not be published. Required fields are marked *

Comment via Facebook: