Computer viruses: origin, real threat and methods of protection. Definition, classification and types


Boot sector viruses. Programs that are written to the tail of the boot program on drive C:, or replace it, performing both its functions and their own from the moment of infection. These viruses enter the machine when booting from an infected floppy disk. When the boot program is read and executed, the virus is loaded into memory and infects whatever it is designed to infect.

Master boot record viruses. Infect the master boot record (MBR) on hard drives and the boot sector on floppy disks. This type of virus takes control of the system at the lowest level, intercepting instructions between the computer's hardware and the operating system.

  • Macro viruses: Some computer programs use macro languages to automate frequently performed procedures. As computers have become more powerful, the problems they solve have become more complex. Some macro languages provide the ability to write files in formats other than the original document. This feature can be used by virus authors to create macros that infect documents. Macro viruses are usually spread through Microsoft Word and Excel files.
  • Combination viruses: viruses that exhibit a combination of the properties listed above. They can infect files, boot sectors and master boot records.
  • File viruses: now let's look at how a simple file virus works. Unlike boot viruses, which are almost always resident, file viruses are not necessarily resident. Let's consider the functioning scheme of a non-resident file virus. Say we have an infected executable file. When such a file is launched, the virus gains control, performs some actions and transfers control to the "host".

What actions does the virus perform? It looks for a new object to infect: a file of a suitable type that has not yet been infected. By infecting a file, the virus injects itself into its code in order to gain control when the file is executed. In addition to its main function, reproduction, the virus may well do something more intricate (say, ask a question or play a tune); this depends on the imagination of the virus author. If the file virus is resident, it installs itself in memory and is able to infect files and exhibit its other abilities not only while the infected file is running. When infecting an executable file, a virus always changes its code; therefore, infection of an executable file can always be detected. But while changing the file's code, the virus does not necessarily make other changes:

  • it need not change the file length;
  • it may write itself into unused sections of code;
  • it need not change the beginning of the file.

Finally, the file virus category often also includes viruses that "have some relation to files" but do not have to be embedded in their code.

Thus, when any file is launched, the virus gains control (the operating system launches it itself), installs itself resident in memory and transfers control to the called file.

  • Boot-file viruses: we will not consider the boot-file virus model, because you would not learn anything new from it. But this is an opportune moment to briefly discuss the OneHalf boot-file virus, which has been extremely "popular" lately. It infects the master boot record (MBR) and executable files. Its main destructive effect is the encryption of hard drive sectors. Each time the virus is launched, it encrypts another portion of sectors, and, having encrypted half of the hard drive, happily reports this. The main problem in treating this virus is that it is not enough to simply remove the virus from the MBR and files; you must also decrypt the information it has encrypted.
  • Polymorphic viruses: Most questions are related to the term "polymorphic virus". This type of computer virus seems to be the most dangerous today. Let us explain what it is.

Polymorphic viruses are viruses that modify their code in infected programs in such a way that two copies of the same virus may not match in a single bit.

Such viruses not only encrypt their code using different encryption methods, but also contain code that generates the encryptor and decryptor. This distinguishes them from ordinary encrypting viruses, which can also encrypt sections of their code but have a constant encryptor and decryptor.

Polymorphic viruses are viruses with self-modifying decryptors. The purpose of such encryption: even if you have both the infected and the original file, you still cannot analyze the virus code with a regular disassembler. The code is encrypted and appears as a meaningless set of commands. Decryption is performed by the virus itself during execution. Several variants are possible: it can decrypt itself all at once, perform the decryption "on the fly", or re-encrypt sections that have already been used. All this is done to make analysis of the virus code difficult.

  • Stealth viruses: During a computer scan, antivirus programs read data (files and system areas) from hard drives and floppy disks using the operating system and the basic input/output system (BIOS). A number of viruses leave special modules in the computer's RAM that intercept programs accessing the disk subsystem. If such a module detects that a program is trying to read an infected file or system area of the disk, it replaces the data being read on the fly, as if there were no virus on the disk.

Stealth viruses trick antivirus programs and, as a result, remain undetected. However, there is a simple way to disable the camouflage mechanism of stealth viruses. It is enough to boot the computer from a non-infected system floppy disk and immediately, without launching other programs from the computer disk (which may also be infected), scan the computer with an anti-virus program.

When booted from a system floppy disk, the virus cannot gain control and install a resident module in RAM that implements the stealth mechanism. An antivirus program will be able to read the information actually written on the disk and will easily detect the virus.

  • Trojan horses, software bookmarks and network worms: A Trojan horse (see Appendix 2, Fig. 2) is a program that contains some destructive function that is activated when a certain trigger condition occurs. Usually such programs are disguised as some kind of useful utility. Viruses can carry Trojan horses or "Trojanize" other programs, i.e. introduce destructive functions into them.

“Trojan horses” are programs that, in addition to the functions described in the documentation, also implement some other functions associated with security violations and destructive actions. There have been cases of such programs being created to facilitate the spread of viruses. Lists of such programs are widely published in the foreign press. They are usually disguised as gaming or entertainment programs and cause harm accompanied by beautiful pictures or music.

  • Software bookmarks also contain some function that is harmful to the computing system, but this function, on the contrary, tries to be as inconspicuous as possible, because the longer the program does not arouse suspicion, the longer the bookmark can work.

If viruses and Trojan horses cause damage through avalanche-like self-propagation or outright destruction, then the main function of worm-type viruses operating in computer networks is to break into the attacked system, i.e. to overcome its protection in order to compromise security and integrity.

In more than 80% of computer crimes investigated by the FBI, "crackers" penetrate the attacked system through the Internet. When such an attempt succeeds, the future of a company that took years to build can be jeopardized in a matter of seconds.

This process can be automated using a virus called a network worm.

  • Worms are viruses that spread across global networks, infecting entire systems rather than individual programs. This is the most dangerous type of virus, since in this case the objects of attack are information systems on a national scale. With the advent of the global Internet, this type of security breach poses the greatest threat, since any of the 40 million computers connected to this network can be exposed to it at any time.

COMPUTER VIRUSES, THEIR CLASSIFICATION. ANTI-VIRUS SOFTWARE

A computer virus is a special program capable of spontaneously attaching itself to other programs and, when the latter are launched, performing various unwanted actions: corrupting files and directories, distorting calculation results, clogging or erasing memory, and interfering with computer operation. The presence of viruses manifests itself in different ways.

  1. Some programs stop working or start working incorrectly.
  2. Extraneous messages, signals and other effects are displayed on the screen.
  3. The computer slows down significantly.
  4. The structure of some files turns out to be corrupted.

There are several signs of classification of existing viruses:

  • by habitat;
  • according to the affected area;
  • according to the features of the algorithm;
  • by method of infection;
  • according to destructive possibilities.

Based on their habitat, they distinguish between file, boot, macro and network viruses.

File viruses are the most common type of virus. These viruses are embedded in executable files, create companion files (companion viruses), or exploit features of the file system's organization (link viruses).

Boot viruses write themselves to the boot sector of a floppy disk or to the boot sector of the hard disk. They start working when the computer boots and usually become resident.

Macro viruses infect files of commonly used data processing packages. These viruses are programs written in the programming languages built into these packages. The most widespread are macro viruses for Microsoft Office applications.

Network viruses use protocols or commands of computer networks and email to spread. The main operating principle of a network virus is the ability to independently transfer its code to a remote server or workstation. Full-fledged computer viruses have the ability to launch their code for execution on a remote computer.

In practice, there are various combinations of viruses - for example, file-boot viruses that infect both files and boot sectors of disks, or network macro viruses that infect edited documents and send copies of themselves by e-mail.

As a rule, each virus infects files of one or more operating systems. Many boot viruses are also tied to specific layouts of system data in the boot sectors of disks. Based on the characteristics of the algorithm, resident viruses, stealth viruses, polymorphic viruses, etc. are distinguished. Resident viruses are capable of leaving copies of themselves in the operating system, intercepting event processing (for example, access to files or disks) and invoking procedures that infect objects (files or sectors). These viruses are active in memory not only while the infected program is running, but also afterwards. Resident copies of such viruses remain viable until the OS is rebooted, even if all infected files on the disk are destroyed. If a resident virus is also a boot virus and is activated when the OS boots, then even formatting the disk while this virus is present in memory will not remove it.

Macro viruses should also be classified as a type of resident viruses, since they are constantly present in the computer’s memory while the infected editor is running.

Stealth algorithms allow viruses to completely or partially hide their presence. The most common stealth algorithm is to intercept OS requests to read/write infected objects. Stealth viruses either temporarily cure these objects or substitute uninfected pieces of information in their place. Partially, stealth viruses include a small group of macro viruses that store their main code not in macros, but in other areas of the document - in its variables or in Auto-text.

Polymorphism (self-encryption) is used to complicate the virus detection procedure. Polymorphic viruses are viruses that are difficult to detect and have no constant section of code. In general, two samples of the same virus do not match. This is achieved by encrypting the main body of the virus and modifying the decryption program.

When creating viruses, non-standard techniques are often used. Their use should make it as difficult as possible to detect and remove the virus.

Based on the method of infection, a distinction is made between Trojan programs, hidden administration utilities, "intended" viruses, etc.

Trojan horses get their name by analogy with the Trojan horse of legend. The purpose of these programs is to imitate some useful program, a new version of a popular utility or an add-on to it. When the user copies them to his computer, the Trojan programs are activated and perform unwanted actions.

Hidden administration utilities are a type of Trojan program. In their functionality and interface, they are in many ways reminiscent of the network administration systems developed and distributed by various software vendors. During installation, these utilities covertly install a hidden remote-control system on the computer. As a result, it becomes possible to control this computer covertly. Following their built-in algorithms, the utilities, without the user's knowledge, receive, launch or send files, destroy information, reboot the computer, etc. These utilities can be used to capture and transmit passwords and other confidential information, launch viruses, and destroy data.

Intended viruses include programs that are unable to reproduce due to errors existing in them. This class also includes viruses that reproduce only once. Having infected a file, they lose the ability to further reproduce through it.

According to their destructive capabilities, viruses are divided into:

  1. non-hazardous, the impact of which is limited by a decrease in free disk memory, slowdown of the computer, graphic and sound effects;
  2. dangerous, which could potentially lead to irregularities in the file structure and computer malfunctions;
  3. very dangerous, the algorithm of which specifically includes data destruction procedures and the ability to ensure rapid wear of moving parts of mechanisms by introducing into resonance and destroying the read/write heads of some HDDs.

To combat viruses, there are programs that can be divided into the following main groups: monitors, detectors, doctors, auditors and vaccines.

Monitor programs (filter programs) reside in the computer's operating system, intercept OS calls that viruses use to reproduce and cause damage, and inform the user about them. The user can allow or deny the execution of these calls. The advantage of such programs is the ability to detect unknown viruses. Using filter programs allows you to detect viruses at an early stage of infection. Their disadvantages are the inability to track viruses that access the BIOS directly, or boot viruses that are activated before the antivirus starts when DOS loads, and the frequent prompts asking whether to permit an operation.

Detector programs check whether files and disks contain a combination of bytes specific to a given virus. If it is detected, a corresponding message is displayed. The disadvantage is that it can only protect against known viruses.

Doctor programs restore infected programs by removing the virus body from them. Typically, these programs are designed for specific types of viruses and are based on comparing the sequence of codes contained in the body of the virus with the codes of the programs being scanned. Doctor programs must be periodically updated to obtain new versions that detect new types of viruses.

Auditor programs analyze changes in the state of files and system areas of the disk. They check the state of the boot sector and the FAT; the length, attributes and creation time of files; and checksums. The user is notified if any discrepancies are detected.
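A minimal auditor of the kind described above, and a demonstration of the earlier point that an infected executable can always be detected even when its length and timestamp are unchanged. This is example code written for this page, not the code of any antivirus product; the boot sector is assumed to come from a caller-supplied reader (reading a real sector is platform-specific), and demo() feeds it a constructed 512-byte image.

```python
"""Simplified 'auditor' (integrity checker), written for this page as an
illustration. It records length, permission bits, modification time and a
SHA-256 digest of every file under a directory, plus one extra object standing
in for the boot sector, and reports what appeared, disappeared or changed."""
import hashlib
import os
import stat
import tempfile
from typing import Callable, Dict, Optional

Record = Dict[str, object]
BOOT_KEY = "<boot sector>"          # pseudo-path for the boot sector object
FIELDS = ("size", "mode", "mtime", "sha256")


def fingerprint_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fingerprint_file(path: str) -> Record:
    """Length, attributes, timestamp and checksum, as an auditor stores them."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = fingerprint_bytes(fh.read())
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "mtime": int(st.st_mtime), "sha256": digest}


def take_snapshot(root: str,
                  sector_reader: Optional[Callable[[], bytes]] = None) -> Dict[str, Record]:
    """Snapshot every regular file under root (keyed by relative path)."""
    snap: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = fingerprint_file(full)
    if sector_reader is not None:       # assumption: caller knows how to read it
        data = sector_reader()
        snap[BOOT_KEY] = {"size": len(data), "mode": None, "mtime": None,
                          "sha256": fingerprint_bytes(data)}
    return snap


def compare(baseline: Dict[str, Record],
            current: Dict[str, Record]) -> Dict[str, list]:
    """Report added/removed objects and, for survivors, which fields differ.
    A sha256-only change is code patched in place with length and timestamp
    preserved: the case the text says an auditor still catches."""
    report: Dict[str, list] = {"added": [], "removed": [], "changed": []}
    for key in sorted(set(baseline) | set(current)):
        if key not in baseline:
            report["added"].append(key)
        elif key not in current:
            report["removed"].append(key)
        else:
            diffs = [f for f in FIELDS if baseline[key][f] != current[key][f]]
            if diffs:
                report["changed"].append((key, diffs))
    return report


def demo() -> Dict[str, list]:
    """Constructed scenario: take a baseline, then (1) patch two bytes inside a
    host file without changing its length and restore its timestamp, (2) drop a
    companion .COM beside it and (3) alter the boot sector image."""
    with tempfile.TemporaryDirectory() as root:
        host = os.path.join(root, "XCOPY.EXE")
        with open(host, "wb") as fh:
            fh.write(b"MZ" + b"\x90" * 62)           # constructed stand-in executable
        with open(os.path.join(root, "README.TXT"), "wb") as fh:
            fh.write(b"constructed text file, never modified\n")
        sector = bytearray(b"\x00" * 510 + b"\x55\xaa")  # constructed boot sector
        baseline = take_snapshot(root, lambda: bytes(sector))

        st = os.stat(host)
        with open(host, "r+b") as fh:
            fh.seek(32)
            fh.write(b"\xeb\x10")                    # in-place change, same length
        os.utime(host, (st.st_atime, st.st_mtime))   # timestamp put back
        with open(os.path.join(root, "XCOPY.COM"), "wb") as fh:
            fh.write(b"\xcd\x20")                    # new file beside the host
        sector[0:2] = b"\xeb\x3c"                    # boot sector modified
        current = take_snapshot(root, lambda: bytes(sector))
        return compare(baseline, current)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```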

Vaccine programs modify programs and disks in a way that does not affect their operation, but the virus against which the vaccination is carried out considers the programs or disks already infected. Existing antivirus programs mostly belong to hybrid classes (detector-doctors, doctor-auditors, etc.).

In Russia, the most widely used antivirus programs are those of Kaspersky Lab (AntiViral Toolkit Pro) and DialogueScience (Adinf, Dr.Web). The AntiViral Toolkit Pro (AVP) package includes AVP Scanner, the resident guard AVP Monitor, the AVP Control Center (an administration program for the installed components) and a number of others. AVP Scanner, in addition to traditional scanning of executable files and documents, processes email databases. The scanner can detect viruses in packed and archived files (those not protected by passwords). It detects and removes macro viruses, polymorphic, stealth and Trojan viruses, and previously unknown viruses. The latter is achieved, for example, through the use of heuristic analyzers. Such analyzers simulate the operation of the processor and analyze the actions of the file being examined. Depending on these actions, a decision is made about the presence of a virus.

The monitor monitors typical virus penetration paths, such as file and sector access operations.

AVP Control Center is a service shell for setting the scanner start time, automatic updating of package components, etc.

If your computer is infected or is suspected of being infected with a virus, you must:

  1. assess the situation and not take actions that lead to loss of information;
  2. restart the computer OS. In this case, use a special, pre-created and write-protected system floppy disk. As a result, the activation of boot and resident viruses from the computer’s hard drive will be prevented;
  3. run the available antivirus programs until all viruses are detected and removed. If a virus cannot be removed and the file contains valuable information, archive the file and wait for a new version of the antivirus to be released. When finished, restart the computer.

E. KASPERSKY and D. ZENKIN

The "LoveLetter" computer virus epidemic that broke out in May of this year once again confirmed the danger that such "computer fauna" poses. Having penetrated hundreds of thousands of computers around the world, the virus destroyed a huge amount of important information, literally paralyzing the work of the largest commercial and government organizations.

This is what “love letters” look like, sent by the “LoveLetter” virus via email. To launch the virus, just click on the icon.

This picture is displayed by the "Tentacle" virus when you try to view any file with a GIF extension on an infected computer. The inscription on the picture reads: "I am the Tentacle virus."

The "Marburg" virus shows these lovely crosses and... deletes files from disks.

The script virus "Monopoly" mocked Microsoft head Bill Gates. In addition to displaying a funny picture, the virus quietly sends confidential information from the computer.

Unfortunately, the phenomenon of a “computer virus” still evokes superstitious awe rather than a desire to soberly understand the situation and take safety measures. What are these viruses? How dangerous are they? What antivirus protection methods exist today and how effective are they? Experts from the leading Russian manufacturer of antivirus programs, Kaspersky Lab, discuss these and other topics.

WHAT IS A COMPUTER VIRUS?

A clear answer to this seemingly simple question has not yet been found. In the specialized literature you can find hundreds of definitions of the concept "computer virus", many of them differing almost diametrically. Domestic "virology" usually adheres to the following definition: a computer virus is a program that, without the user's knowledge, infiltrates computers and performs various unauthorized actions there. This definition would be incomplete if we did not mention one more property that is mandatory for a computer virus: its ability to "multiply", that is, to create duplicates of itself and introduce them into computer networks and/or files, system areas of the computer and other executable objects. Moreover, the duplicates of the virus need not coincide with the original.

The ability of viruses to “reproduce” makes some people want to compare them with a “special form of life” and even endow these programs with some kind of “evil intelligence” that forces them to commit vile tricks in order to achieve their goal. However, this is nothing more than fiction and a game of fantasy. This perception of events is reminiscent of medieval ideas about evil spirits and witches, whom no one saw, but everyone was afraid of. The “reproduction” of viruses is no different from, for example, a program copying files from one directory to another. The only difference is that these actions are performed without the user’s knowledge, that is, no messages appear on the screen. In all other respects, a virus is a very ordinary program that uses certain computer commands.

Computer viruses are one of the subtypes of a large class of programs called malicious codes. Today these concepts are often identified, however, from a scientific point of view this is not true. The group of malicious codes also includes so-called “worms” and “Trojan horses”. Their main difference from viruses is that they cannot “multiply”.

The worm spreads across computer networks (local or global) without resorting to "reproduction". Instead, it automatically, without the user's knowledge, sends out its original, for example, by email.

Trojan programs are generally devoid of any built-in distribution functions: they get onto computers exclusively with the help of their authors or persons who illegally use them. Let's remember Homer's Iliad. After many unsuccessful attempts to take Troy by storm, the Greeks resorted to cunning. They built a statue of a horse and left it to the Trojans, pretending to retreat. However, the horse was empty inside and hid a detachment of Greek soldiers. The Trojans, who worshiped the deity in the form of a horse, themselves dragged the statue into the city gates. "Trojan" programs use a similar method of introduction: they get into computers under the guise of useful, funny and, often, very profitable programs. For example, the user receives an email with an offer to run the sent file, which contains, say, a million rubles. After running this file, a program silently enters the computer and performs various unwanted actions. For example, it can spy on the owner of an infected computer (monitor what sites he visits, what passwords he uses to access the Internet, etc.) and then send the received data to its author.

Recently, cases of the appearance of so-called “mutants”, that is, malicious codes that combine the features of several classes at once, have become more frequent. A typical example is the Melissa macrovirus, which caused a major epidemic in March last year. It spread across networks like a classic Internet worm. "LoveLetter" is also a cross between a network worm and a virus. In more complex cases malware may contain characteristics of all three types (for example, the “BABYLONIA” virus).

ORIGIN OF COMPUTER VIRUSES

Oddly enough, the idea of ​​computer viruses arose long before the advent of personal computers. In 1959, the American scientist L. S. Penrose published an article in the journal Scientific American on self-replicating mechanical structures. This article described the simplest model of two-dimensional structures capable of activation, reproduction, mutation, and capture. Soon, US researcher F. G. Stahl implemented this model using machine code on an IBM 650.

In those days, computers were huge, complex to operate and extremely expensive machines, so only large companies or government computing and research centers could own them. But on April 20, 1977, the first "people's" personal computer, the Apple II, was released. Its price, reliability, simplicity and ease of use predetermined its wide distribution around the world. The total sales volume of computers in this series amounted to more than three million units (excluding its numerous clones, such as Pravets 8M/S, Agat, etc.), which was an order of magnitude higher than the number of all other computers available at that time. Thus, millions of people of various professions, social classes and mentalities gained access to computers. It is not surprising that it was then that the first prototypes of modern computer viruses appeared, because two of the most important conditions for their development were met: the expansion of "living space" and the emergence of means of distribution.

Subsequently, conditions became more and more favorable for viruses. The range of personal computers available to the average user expanded; in addition to flexible 5-inch magnetic disks, hard disks appeared, and local networks, as well as technologies for transmitting information using regular dial-up telephone lines. The first network data banks BBS (Bulletin Board System), or “bulletin boards,” arose, greatly facilitating the exchange of programs between users. Later, many of them grew into large online help systems (CompuServe, AOL, etc.). All this contributed to the fulfillment of the third most important condition for the development and spread of viruses - individuals and groups of people involved in their creation began to appear.

Who writes virus programs and why? This question (with a request to provide an address and telephone number) especially concerns those who have already been subjected to a virus attack and have lost the results of many years of painstaking work. Today, the portrait of the average "virus writer" looks like this: male, 23 years old, employee of a bank or financial organization, responsible for information security or network administration. However, according to our data, his age is somewhat lower (14-20 years old), and he is a student or has no occupation at all. The main thing that unites all virus creators is the desire to stand out and prove themselves, even in the "heroic" field. In everyday life, such people often look like touchingly quiet people who wouldn't hurt a fly. All their vital energy, hatred of the world and selfishness find an outlet in the creation of small "computer scoundrels". They shake with pleasure when they learn that their "brainchild" has caused a real epidemic in the computer world. However, this is already the area of competence of psychiatrists.

The 90s, marked by the rise of the global Internet, turned out to be the most fertile time for computer viruses. Hundreds of millions of people around the world have become “users” willy-nilly, and computer literacy has become almost as necessary as the ability to read and write. If earlier computer viruses developed mainly extensively (that is, their number grew, but not their quality characteristics), today, thanks to the improvement of data transmission technologies, we can say the opposite. The “primitive ancestors” are being replaced by increasingly “smart” and “cunning” viruses, much better adapted to new living conditions. Today, virus programs are no longer limited to corrupting files, boot sectors, or playing harmless tunes. Some of them are capable of destroying data on motherboard chips. At the same time, technologies for masking, encryption and spreading viruses sometimes surprise even the most experienced specialists.

WHAT ARE VIRUSES?

To date, about 55 thousand computer viruses have been registered. Their number is constantly growing, and completely new, previously unknown types are appearing. Classifying viruses is becoming more difficult every year. In general, they can be divided into groups according to the following main characteristics: habitat, operating system, features of the operating algorithm. According to these three classifications, the well-known Chernobyl virus, for example, can be classified as a file-resident non-polymorphic Windows virus. Let us explain in more detail what this means.

1. Habitat

Depending on their habitat, file, boot and macro viruses are distinguished.

At first, the most common form of computer “infection” was file viruses, “living” in files and folders of the computer’s operating system. These include, for example, “overwriting” viruses (from the English “to write over”). Once they get into the computer, they write their code instead of the code of the infected file, destroying its contents. Naturally, in this case the file stops working and is not restored. However, these are rather primitive viruses: they, as a rule, reveal themselves very quickly and cannot cause an epidemic.

“Companion” viruses behave even more “cunningly” (from the English “buddy”, “companion”). They do not change the file itself, but create a duplicate file for it in such a way that when the infected file is launched, it is this duplicate, that is, the virus, that receives control. For example, “companion” viruses running under DOS use the feature of this operating system to first execute files with the COM extension, and then with the EXE extension. Such viruses create duplicates for EXE files that have the same name, but with the COM extension. The virus is written to the COM file and does not change the EXE file in any way. When you run an infected file, DOS will first detect and execute the COM file, that is, the virus, and only then the virus will launch the file with the EXE extension.

Sometimes "companion" viruses simply rename the file they are infecting and write their own code to disk under the old name. For example, the file XCOPY.EXE is renamed to XCOPY.EXD, and the virus is recorded under the name XCOPY.EXE. When the file is launched, the virus code takes control and then launches the original XCOPY, stored under the name XCOPY.EXD. Viruses of this type have been found in many operating systems, not only in DOS, but also in Windows and OS/2.

There are other ways to create duplicate files. For example, "path-companion" viruses "play" on the features of the DOS PATH, a hierarchical record of where the DOS system looks for files. The virus copies its code under the name of the infected file, but places it not in the same directory, but one level higher. In this case, DOS will detect and launch the virus file first.
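A detection aid for the three companion arrangements just described (a .COM beside a .EXE of the same name, a .EXD left beside a .EXE, and the same command name in more than one PATH directory, of which the "one level higher" placement is one instance). This is example code written for this page, not code from any antivirus product; it works on a plain list of file paths, so it can be run over a listing taken from a suspect disk, and the listing and PATH below are constructed sample data.

```python
"""Triage for 'companion' viruses as described above, written for this page as
an illustration. It flags same-directory COM/EXE pairs, EXD leftovers (renamed
originals) and command names that exist in more than one PATH directory,
reporting which file DOS would run first and which it shadows."""
import os
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# DOS tries a bare command name as .COM first, then .EXE.
SEARCH_ORDER = (".COM", ".EXE")

SAMPLE_LISTING = [            # constructed directory listing
    "C:/DOS/XCOPY.EXE", "C:/DOS/XCOPY.COM", "C:/DOS/FORMAT.COM",
    "C:/UTIL/PKZIP.EXE", "C:/UTIL/PKZIP.EXD",
    "C:/BIN/PKZIP.EXE",
    "C:/WORK/REPORT.TXT",
]
SAMPLE_PATH = ["C:/BIN", "C:/DOS", "C:/UTIL"]   # constructed PATH, in search order


def split_name(path: str) -> Tuple[str, str, str]:
    """(directory, STEM, .EXT) with DOS-style case folding."""
    directory, filename = os.path.split(path)
    stem, ext = os.path.splitext(filename)
    return os.path.normpath(directory), stem.upper(), ext.upper()


def find_local_companions(paths: Iterable[str]) -> List[Dict[str, object]]:
    """Same-directory pairs: a COM shadowing an EXE, or an EXD renamed original."""
    by_key: Dict[Tuple[str, str], Dict[str, str]] = defaultdict(dict)
    for p in paths:
        directory, stem, ext = split_name(p)
        if ext in (".COM", ".EXE", ".EXD"):
            by_key[(directory, stem)][ext] = p
    findings: List[Dict[str, object]] = []
    for _key, exts in sorted(by_key.items()):
        if ".COM" in exts and ".EXE" in exts:
            findings.append({"kind": "com-shadows-exe",
                             "runs_first": exts[".COM"], "shadowed": [exts[".EXE"]]})
        if ".EXD" in exts and ".EXE" in exts:
            findings.append({"kind": "renamed-original",
                             "runs_first": exts[".EXE"], "shadowed": [exts[".EXD"]]})
    return findings


def find_path_companions(paths: Iterable[str],
                         search_path: List[str]) -> List[Dict[str, object]]:
    """Same command name in two or more PATH directories; the earlier one wins."""
    norm_path = [os.path.normpath(d) for d in search_path]
    by_stem: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        directory, stem, ext = split_name(p)
        if ext in SEARCH_ORDER and directory in norm_path:
            by_stem[stem].append(p)

    def rank(p: str) -> Tuple[int, int]:
        directory, _stem, ext = split_name(p)
        return norm_path.index(directory), SEARCH_ORDER.index(ext)

    findings: List[Dict[str, object]] = []
    for _stem, candidates in sorted(by_stem.items()):
        if len({split_name(p)[0] for p in candidates}) < 2:
            continue                    # one directory only: not a path companion
        ordered = sorted(candidates, key=rank)
        findings.append({"kind": "path-shadowing",
                         "runs_first": ordered[0], "shadowed": ordered[1:]})
    return findings


def audit(paths: Iterable[str], search_path: List[str]) -> List[Dict[str, object]]:
    paths = list(paths)
    return find_local_companions(paths) + find_path_companions(paths, search_path)


if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING, SAMPLE_PATH):
        print(f["kind"], "->", f["runs_first"], "shadows", f["shadowed"])
```

A finding is a lead for the auditor described in the antivirus section, not proof of infection: legitimate COM/EXE pairs exist, so each flagged pair still needs a look at the file that runs first.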

The operating principle of boot viruses is based on the operating system's startup algorithms. These viruses infect the boot sector of a floppy disk or hard drive, a special area of the disk containing the computer's boot program. If the contents of the boot sector are changed, you may not even be able to start the computer.

Macro viruses are a type of computer virus created using the macro languages built into popular office applications such as Word, Excel, Access, PowerPoint, Project, Corel Draw, etc. (see "Science and Life" No. 6, 2000). Macro languages are used to write special programs (macros) that improve the efficiency of office applications. For example, you can create a macro in Word that automates the process of filling out and sending faxes. Then the user only needs to enter data into the form fields and click a button; the macro does the rest. The trouble is that, in addition to useful ones, malicious macros can also get onto the computer, which can create copies of themselves and perform certain actions without the user's knowledge, for example, changing the contents of documents or erasing files or directories. These are macro viruses.

The wider the capabilities of a particular macrolanguage, the more cunning, sophisticated and dangerous macro viruses written in it can be. The most common macro language today is Visual Basic for Applications (VBA). Its capabilities are rapidly increasing with each new version. Thus, the more advanced office applications are, the more dangerous it will be to work in them. Therefore, macro viruses pose a real threat to computer users today. According to our forecasts, every year they will become more elusive and dangerous, and the speed of their spread will soon reach unprecedented levels.

2. Operating system used.

Each file or network virus infects files of one or more operating systems: DOS, Windows, OS/2, Linux, MacOS, etc. This is the basis for the second method of classifying viruses. For example, the "BOZA" virus, which works only in Windows and nowhere else, is classified as a Windows virus, the "BLISS" virus as a Linux virus, and so on.

3. Algorithms of work.

Viruses can also be distinguished by the operating algorithms they use, that is, various software tricks that make them so dangerous and elusive.

Firstly, all viruses can be divided into resident and non-resident. A resident virus is like a spy constantly working in a foreign country: once it enters the computer's RAM during boot, it remains there until the computer is turned off or rebooted, and it is from there that it performs all its destructive actions. Non-resident viruses do not infect the computer's memory and are able to "multiply" only when they are launched.

All macro viruses can also be classified as resident: they are present in the computer's memory for the entire time the application they have infected is running.

Secondly, there are visible and invisible viruses. For the layman, the invisibility of a virus is perhaps its most mysterious property, but there is nothing demonic about it. "Invisibility" means that the virus, through software tricks, prevents the user or an anti-virus program from noticing the changes it has made to the infected file. Constantly present in the computer's memory, a stealth virus intercepts the operating system's requests to read and write such files; having intercepted a request, it substitutes the original, uncorrupted version for the infected file. Thus the user always sees only "clean" programs, while the virus quietly carries out its "dirty deed". One of the first file stealth viruses was "Frodo", and the first boot stealth virus was the "Brain" virus.

To camouflage themselves from anti-virus programs as much as possible, almost all viruses use self-encryption or polymorphism, that is, they encrypt and modify themselves. By changing their appearance (program code), viruses fully retain the ability to perform their malicious actions. Previously, anti-virus programs could detect viruses only "by sight", that is, by their unique program code, so the appearance of polymorphic viruses several years ago caused a real revolution in computer virology. Now there are universal methods of combating such viruses.

METHODS OF COMBATING COMPUTER VIRUSES

It is necessary to remember the main condition in the fight against computer viruses: do not panic. Thousands of highly qualified anti-virus specialists guard computer security around the clock, and their professionalism far exceeds the combined potential of all computer hooligans, the hackers. In Russia, anti-virus research is carried out by two computer companies: Kaspersky Lab (www.avp.ru) and SalD (www.drweb.ru).

In order to successfully resist attempts by viruses to penetrate your computer, you must fulfill two simple conditions: follow the basic rules of “computer hygiene” and use anti-virus programs.

Since the anti-virus industry came into being, many ways of counteracting computer viruses have been invented, and the variety of protection systems offered today is truly amazing. Let's try to figure out what the advantages and disadvantages of the various methods of protection are and how effective they are against the various types of viruses.

Today, there are five main approaches to ensuring anti-virus security.

1. Antivirus scanners.

The pioneer of the anti-virus movement is the scanner program, which was born almost simultaneously with computer viruses themselves. A scanner works by examining all files, boot sectors and memory in search of virus signatures, that is, the unique program code of each virus.

The main disadvantage of the scanner is its inability to track the various modifications of a virus. For example, there are several dozen variants of the Melissa virus, and for almost each of them anti-virus companies had to release a separate anti-virus database update.

This leads to the second problem: in the time between the appearance of a new modification of a virus and the release of the corresponding anti-virus update, the user remains practically unprotected. True, experts later devised and built into scanners an original algorithm for detecting unknown viruses, a heuristic analyzer that checks program code for signs that a computer virus may be present. However, this method has a high rate of false positives, is not reliable enough and, moreover, does not remove the viruses it detects.

And finally, the third drawback of an anti-virus scanner is that it scans files only when you "ask" it to, that is, when you run the program. Meanwhile, users very often forget to check dubious files downloaded, for example, from the Internet, and as a result infect their computers with their own hands. The scanner can establish the fact of infection only after the virus has already appeared in the system.
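To make the signature-scanner idea and its first drawback concrete, here is a toy scanner added as an example (it is not code from the article or from any anti-virus product). The signature names and the sample byte strings are constructed and harmless; the `??` wildcard stands in for the mechanism real scanners use to absorb small variants.

```python
"""Toy signature scanner: exact byte patterns plus '??' one-byte wildcards."""
import re

# Constructed "signature database": name -> hex pattern ('??' = any one byte)
SIGNATURES = {
    "Demo.A": "de ad be ef 10 20 30",   # exact pattern, no tolerance for change
    "Demo.B": "ca fe ?? ?? 42 42",      # two variable bytes absorbed by wildcards
}


def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn 'de ad ?? ef' into a compiled regex over bytes."""
    parts = []
    for tok in hex_pattern.split():
        if tok == "??":
            parts.append(b".")                        # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)     # DOTALL: '.' matches 0x0a too


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of all signatures found in data (empty list = 'clean')."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def scan_file(path: str) -> list[str]:
    """Scan one file from disk: the 'on request' mode the text describes."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


# Constructed samples: a fake program header followed by the signature bytes
ORIGINAL = b"MZ\x90\x00" + bytes.fromhex("deadbeef102030") + b"...rest of program..."
# The same sample with one byte changed (0x10 -> 0x11): the exact signature misses it,
# which is why every new variant of a virus needed its own database update
VARIANT = b"MZ\x90\x00" + bytes.fromhex("deadbeef112030") + b"...rest of program..."
# Two members of a family whose middle bytes differ; one wildcard signature catches both
POLY_1 = b"\x00" + bytes.fromhex("cafe01024242")
POLY_2 = b"\x00" + bytes.fromhex("cafe99984242")

if __name__ == "__main__":
    for label, sample in [("ORIGINAL", ORIGINAL), ("VARIANT", VARIANT),
                          ("POLY_1", POLY_1), ("POLY_2", POLY_2)]:
        print(f"{label:9s} -> {scan_bytes(sample) or 'clean'}")
```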

2. Anti-virus monitors.

At their core, anti-virus monitors are a type of scanner. But unlike the latter, they are constantly in the computer's memory and scan files, boot sectors and memory in the background, in real time. To enable anti-virus protection, the user only needs to load the monitor when the operating system starts; every launched file will then be scanned for viruses automatically.

3. Change auditors.

The work of this type of anti-virus program is based on taking original "fingerprints" (CRC sums) of files and system sectors. These "fingerprints" are stored in a database. At the next start, the auditor compares the current "fingerprints" with the stored originals and informs the user about any changes that have occurred.

Change auditors also have disadvantages. Firstly, they are not able to catch a virus at the moment it appears in the system; they do so only some time later, after the virus has spread throughout the computer. Secondly, they cannot detect a virus in new files (e-mail, floppy disks, files restored from a backup copy or unpacked from an archive), since there is no information about these files in the auditor's database. Some viruses take advantage of this, infecting only newly created files and thus remaining invisible to auditors. Thirdly, auditors need to be run regularly: the more often this is done, the more reliable the control over viral activity will be.
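A minimal change auditor, added as an example (not the article's code or any product's): it fingerprints every file under a directory with SHA-256 (the article's CRC sums do the same job, less robustly), stores the baseline as JSON, and on a later run reports what changed. Files absent from the baseline are listed as "unknown", which is exactly the blind spot described above: the auditor has nothing to compare them against. The directory contents are constructed inside `demo()`.

```python
"""Change auditor: fingerprint a tree, store the baseline, report differences."""
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict[str, str]:
    """Map relative path -> fingerprint for every regular file under root."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(db: dict[str, str], db_path: Path) -> None:
    db_path.write_text(json.dumps(db, indent=1, sort_keys=True))


def load_baseline(db_path: Path) -> dict[str, str]:
    return json.loads(db_path.read_text())


def audit(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the directory's current state with a stored baseline."""
    current = take_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unknown": sorted(p for p in current if p not in baseline),  # never fingerprinted
    }


def demo() -> dict[str, list[str]]:
    """Run the auditor on a constructed directory and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        system = Path(tmp) / "system"
        (system / "bin").mkdir(parents=True)
        (system / "bin" / "app.exe").write_bytes(b"MZ original program body")
        (system / "readme.txt").write_bytes(b"documentation")
        db_path = Path(tmp) / "baseline.json"      # kept outside the audited tree
        save_baseline(take_baseline(system), db_path)

        # Simulate what a file virus does: append code to an executable
        with open(system / "bin" / "app.exe", "ab") as f:
            f.write(b"<appended body>")
        # A newly created file the auditor has no record of
        (system / "bin" / "dropped.exe").write_bytes(b"MZ new program")
        # A file that disappeared since the baseline was taken
        (system / "readme.txt").unlink()

        return audit(system, load_baseline(db_path))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9s}: {files}")
```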

4. Immunizers.

Antivirus immunizer programs are divided into two types: immunizers that report infection, and immunizers that block infection by any type of virus.

The first are usually written to the end of files (on the same principle as a file virus) and check the file for changes each time it is launched. Such immunizers have only one drawback, but it is fundamental: they are absolutely incapable of detecting invisible viruses that cleverly hide their presence in an infected file.

The second type of immunizer protects the system from damage by a specific virus. To do this, files are modified in such a way that the virus perceives them as already infected. For example, to prevent a COM file from being infected by the "Jerusalem" virus, it is enough to add the line "MsDos" to it. And to protect against a resident virus, a program that simulates a copy of the virus is loaded into the computer's memory. When launched, the virus encounters it, believes that the system is already infected and does not bother with it.

Of course, it is impossible to immunize files against all known viruses: each of them has its own methods for determining infection. That is why immunizers have not become widespread and are currently practically not used.

5. Behavioral blockers.

All the types of anti-virus listed above do not solve the main problem: protection against unknown viruses. Thus, computer systems are defenseless against them until anti-virus manufacturers develop antidotes. Sometimes this takes several weeks, and during this time you can lose all your important information.

A clear answer to the question "what to do about unknown viruses?" will be found only in the coming millennium. However, we can already make some predictions today. In our opinion, the most promising area of anti-virus protection is the creation of so-called behavioral blockers; they alone are able to withstand attacks by new viruses with an almost one hundred percent guarantee.

What is a behavioral blocker? This is a program that is constantly located in the computer’s RAM and “intercepts” various events in the system. If it detects “suspicious” actions (which could be performed by a virus or other malicious program), the blocker prohibits this action or requests permission from the user. In other words, the blocker does not look for the virus code, but monitors and prevents its actions.

Theoretically, a blocker can prevent the spread of any virus, both known and unknown (written after the blocker). But the problem is that "virus-like" actions can also be performed by the operating system itself and by useful programs. A behavioral blocker (here we mean a "classic" blocker used to combat file viruses) cannot independently determine who exactly is performing a suspicious action, a virus, the operating system or some program, and is therefore forced to ask the user for confirmation. Thus the person making the final decision must have enough knowledge and experience to give the correct answer, and there are few such people. This is why blockers have not yet become popular, although the idea of creating them appeared quite a long time ago. The advantages of these anti-virus programs often became their disadvantages: they seemed too intrusive, bothering the user with constant requests, and users simply uninstalled them. Unfortunately, this situation can only be corrected by the use of artificial intelligence that would independently understand the reasons for a given suspicious action.

However, today behavioral blockers can be successfully used to combat macro viruses. In programs written in the VBA macro language, malicious actions can be distinguished from useful ones with a very high degree of probability. At the end of 1999, Kaspersky Lab developed a unique macro virus protection system for the MS Office package (versions 97 and 2000), based on new approaches to the principles of a behavioral blocker: AVP Office Guard. By analyzing the behavior of macro viruses, the most common sequences of their actions were determined. This made it possible to build into the blocker a new, highly intelligent system for filtering macro actions that identifies almost exactly those that pose a real danger. Thanks to this, the AVP Office Guard blocker, on the one hand, asks the user far fewer questions and is not as "intrusive" as its file counterparts, and on the other hand, it protects the computer almost 100% from macro viruses, both known and not yet written.
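The two paragraphs above describe a blocker that judges actions rather than code, and reduces prompts by recognising characteristic action sequences. The sketch below is an added illustration of that idea; it is not AVP Office Guard's code, and its action vocabulary and rules are constructed for the demo. Common actions pass silently, known malicious sequences are blocked without asking, and other sensitive actions fall back to asking the user.

```python
"""Behavioral blocker sketch: verdicts on a stream of macro actions."""
from typing import Callable

# Actions that legitimate macros perform all the time (constructed vocabulary)
BENIGN = {"read_cell", "write_cell", "format_text", "show_dialog", "save_doc"}
# Actions that need a second look when they occur on their own
SENSITIVE = {"write_vba_project", "modify_normal_template", "disable_macro_security",
             "read_address_book", "send_mail", "run_shell", "delete_file"}
# Sequences (benign noise ignored) that, taken together, characterise a self-replicating macro
BLOCK_SEQUENCES = [
    ("write_vba_project", "modify_normal_template"),  # copying itself into the global template
    ("read_address_book", "send_mail"),               # mailing itself to every contact
    ("disable_macro_security",),                      # switching off the protection itself
]


class Blocker:
    def __init__(self, ask_user: Callable[[str], bool]):
        self.ask_user = ask_user         # returns True if the user permits the action
        self.allowed: list[str] = []     # actions that were actually let through
        self.log: list[tuple[str, str]] = []

    def on_action(self, action: str) -> str:
        """Decide 'allow' or 'block' for one intercepted action."""
        tail = [a for a in self.allowed if a not in BENIGN] + [action]
        if action in BENIGN:
            verdict = "allow"
        elif any(tuple(tail[-len(seq):]) == seq for seq in BLOCK_SEQUENCES):
            verdict = "block"                         # recognised sequence: no question asked
        elif action in SENSITIVE:
            verdict = "allow" if self.ask_user(action) else "block"
        else:
            verdict = "block"                         # unknown action: fail closed
        if verdict == "allow":
            self.allowed.append(action)
        self.log.append((action, verdict))
        return verdict


def run_trace(trace: list[str], user_says_yes: bool = True) -> tuple[list[str], int]:
    """Feed a recorded action trace through a fresh blocker.
    Returns the verdict per action and how many times the user was asked."""
    prompts = 0

    def ask(action: str) -> bool:
        nonlocal prompts
        prompts += 1
        return user_says_yes

    blocker = Blocker(ask)
    return [blocker.on_action(a) for a in trace], prompts


# Constructed traces
LEGIT_MACRO = ["read_cell", "write_cell", "format_text", "save_doc"]
MASS_MAILER = ["show_dialog", "read_address_book", "send_mail"]
TEMPLATE_INFECTOR = ["format_text", "write_vba_project", "modify_normal_template"]

if __name__ == "__main__":
    for name, trace in [("legit", LEGIT_MACRO), ("mailer", MASS_MAILER),
                        ("infector", TEMPLATE_INFECTOR)]:
        print(name, run_trace(trace))
```

Note that the mass mailer is stopped at `send_mail` even when the user approved reading the address book: the sequence, not the single action, is what the rule recognises.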

AVP Office Guard intercepts and blocks the execution of even multi-platform macro viruses, that is, viruses that can run in several applications at once. In addition, AVP Office Guard controls the interaction of macros with external applications, including mail programs. This eliminates the possibility of macro viruses spreading through email. But it was precisely in this way that the LoveLetter virus infected tens of thousands of computers around the world in May of this year.

The effectiveness of the blocker would be zero if macro viruses could simply disable it. (This is one of the shortcomings of the anti-virus protection built into MS Office applications.) AVP Office Guard has a new mechanism for countering macro virus attacks aimed at disabling it and removing it from the system; only the user himself can do this. Thus, using AVP Office Guard will save you from the eternal headache of downloading and installing anti-virus database updates to protect against new macro viruses. Once installed, this program will reliably protect your computer from macro viruses until a new version of the VBA programming language is released with new functions that can be used to write viruses.

Although the behavioral blocker solves the problem of detecting and preventing the spread of macro viruses, it is not intended to remove them. Therefore, it must be used in conjunction with an anti-virus scanner that can successfully destroy the detected virus. The blocker will allow you to safely wait out the period between the discovery of a new virus and the release of an update to the anti-virus database for the scanner, without interrupting the operation of computer systems for fear of permanently losing valuable data or seriously damaging the computer hardware.

RULES OF "COMPUTER HYGIENE"

  • Under no circumstances open files sent by e-mail from people unknown to you. Even if the sender is known to you, be careful: your friends and partners may not even suspect that their computer has a virus that quietly sends copies of itself to addresses from their address book.
  • Be sure to scan all floppy disks, CDs and other removable media, as well as files received from the Internet and other public resources (BBS, electronic conferences, etc.), with an anti-virus scanner at the maximum scanning level.
  • Conduct a full anti-virus scan of your computer after receiving it back from a repair service. Repairers use the same floppy disks to check all computers and can very easily introduce an "infection" from another machine!
  • Install patches from the manufacturers of the operating systems and programs you use in a timely manner.
  • Be careful when allowing other users access to your computer.
  • To increase the safety of your data, periodically back up information to independent media.

System viruses penetrate system modules and peripheral device drivers and infect interpreter programs.

In the computer world there is a special group of viruses designed to cause the operating system to fail. The symptoms vary: reboots, freezes, incorrect operation of applications and more.

To understand how to remove a system virus, remember that the most common failure is a fatal error. While the system does not allow outside intervention, it is impossible to determine the cause of the failure.

So the removal of a system virus is preceded by determining the cause of the fatal error produced by the virus. There are several possible reasons for the error:

  • First: the virus's author made a mistake in its program code.
  • Second: the virus is incompatible with the system or with third-party software installed on the PC.
  • Third: a deliberate crash, planned in order to disable the PC.

In the last case, the virus program is deliberately written to paralyze the computer system completely. Because of this, removing the system virus will most likely go hand in hand with a complete reinstallation of the operating system.

At the moment, for the Windows family of operating systems, there is a whole group of viruses that automatically register themselves in startup. It is not so easy to recognize a specific virus among the files launched by the system: the malicious object's name is a double of a real file's name.

Manual removal of virus files

1. Not every user can recognize a dangerous application among running files, even with anti-virus software on the computer. Why is this? Almost every day new versions of viruses are released, and they try to get as close as possible to the system files on your hard drive. All they do is create a file with a similar name and place the malicious application there. Sometimes this application is added to startup, and after that the user is faced with various kinds of problems.

2. How can you tell that a system virus is present? Some programs will not run for you, you will be automatically "kicked out" of your profiles on social networks, etc. Therefore, first of all, you need to check the startup list. To do this, press the Win + R key combination, enter the msconfig command in the window that opens and press Enter.

3. Go to the Startup tab and look through all the files that are loaded from system folders such as Windows. Quite often a file called sv*chost.exe appears in this list, where "*" stands for any letter (or no letter at all). Thus users confuse the original system file svchost.exe with its malicious copies. The most depressing thing is the attitude of most anti-virus applications: when they find such a file, they count it as a system file and skip it.

4. Uncheck this file's entry, then click the "Apply" and "Reboot Now" buttons. On the next boot this file will no longer be loaded, but you should still check it for infection. Open your browser and go to http://www.virustotal.com/index.html. Click the "Browse" button, specify the location of the infected file, then click the Send button. After some time you will see a list of scan results for this file from popular anti-virus programs.

5. If the results include red lines, a virus has been detected. Delete the file from your hard drive, bypassing the Recycle Bin, by pressing Shift + Enter. It is also recommended to have special boot disks available that can be used to scan infected objects.
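Step 3 is easy to get wrong by eye, so here is a small triage helper added as an example (not code from the article). Given startup entries as full paths, the way msconfig or a registry dump lists them, it flags names that merely look like core Windows binaries and genuine names that live outside their expected directory. The list of system binaries is a short illustrative subset, the startup entries are constructed, and `ntpath` is used so the check runs on any OS.

```python
"""Startup-list triage: lookalike names and system binaries in the wrong place."""
import difflib
import ntpath

# A few core Windows binaries and the directory the genuine copy lives in
SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def triage(path: str) -> tuple[str, str]:
    """Classify one startup entry. Returns (status, explanation)."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower().rstrip("\\")
    if name in SYSTEM_BINARIES:
        expected = SYSTEM_BINARIES[name]
        if directory == expected:
            return "ok", f"{name} in its expected location"
        return "wrong_location", f"{name} lives in {directory}, not {expected}"
    # Names within a character or two of a system binary: sv*chost.exe and friends
    close = difflib.get_close_matches(name, SYSTEM_BINARIES, n=1, cutoff=0.8)
    if close:
        return "lookalike", f"{name} resembles {close[0]}"
    return "unknown", f"{name}: not a known system binary, review manually"


def triage_all(paths: list[str]) -> dict[str, str]:
    """Map each path to its status, convenient for a whole startup list."""
    return {p: triage(p)[0] for p in paths}


# Constructed startup list: one genuine entry, three that warrant a look
STARTUP = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\ivan\AppData\Roaming\svchost.exe",
    r"C:\Windows\svhost.exe",
    r"C:\Program Files\SomeVendor\updater.exe",
]

if __name__ == "__main__":
    for p in STARTUP:
        print(triage(p))
```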

Almost every computer owner, even one not yet acquainted with viruses, has certainly heard various tales and stories about them, most of which, of course, are exaggerated by other novice users.

So what is a virus?

A virus is a self-replicating program. Many viruses do nothing destructive to your PC at all; some just do a little mischief: display a picture on the screen, launch unnecessary services, open adult web pages, etc. But there are also those that can make your computer fail, format the disk or corrupt the motherboard BIOS.

To begin with, it’s probably worth understanding the most popular myths about viruses floating around the Internet.

1. Antivirus - protection against all viruses

Unfortunately, it is not. Even if you have a sophisticated antivirus with the latest database, you are not immune from a virus attack. However, you will be more or less protected from known viruses; only new ones, unknown to the anti-virus database, will pose a threat.

2. Viruses spread with any files

This is wrong. Viruses do not spread with music, videos or pictures, for example. But it often happens that a virus disguises itself as such a file, tricking an inexperienced user into launching a malicious program.

3. If you become infected with a virus, your PC is under serious threat

This is also not true. Most viruses do not do anything at all; it is enough for them simply to infect programs. But in any case it's worth paying attention: at the very least, check the entire computer with an anti-virus with the latest database. If the computer was infected by one virus, why couldn't it be infected by a second?

4. Do not use mail - a guarantee of safety

I'm afraid this won't help. It happens that you receive letters by mail from unfamiliar addresses. It's best simply not to open them: delete them and empty the trash immediately. Usually the virus comes in a letter as an attachment, and if you launch it, your PC will be infected. It's quite easy to protect yourself: don't open letters from strangers... It's also a good idea to set up anti-spam filters.

5. If you copied an infected file, you are infected

In general, until you run the executable file, the virus, like a regular file, will simply lie on your disk and will not do anything bad to you.

Types of computer viruses

The very first viruses (history)

This story began around the 1960s-70s in some laboratories in the USA. On a computer, in addition to regular programs, there were also programs that ran on their own, controlled by no one. And everything would have been fine if they didn't heavily load the computer and waste its resources.

Some ten years later, by the 80s, there were already several hundred such programs. In 1984, the term “computer virus” itself appeared.

Such viruses usually did not hide their presence from the user in any way; most often they interfered with his work by showing him messages.

In 1985, the first dangerous (and most importantly quickly spreading) computer virus, Brain, appeared. Although, it was written with good intentions - to punish pirates who illegally copy programs. The virus only worked on illegal copies of software.

The heirs of the Brain virus existed for about another ten years, and then their numbers began to decline sharply. They did not act cleverly: they simply wrote their body into a program file, thereby increasing its size. Anti-viruses quickly learned to check the size and find infected files.

Software viruses

Following the viruses that attached themselves to the body of a program, new types began to appear, in the form of a separate program. But the main difficulty: how to force the user to run such a malicious program? It turns out to be very simple! It is enough to name it as a crack for some program and put it on the network. Many people will simply download it and, despite all the anti-virus warnings (if there is one), launch it anyway...

In 1998-1999 the world was shaken by the most dangerous virus, Win95.CIH. It corrupted the motherboard BIOS, and thousands of computers around the world were disabled.

Viruses spread through email attachments

In 2003, the SoBig virus managed to infect hundreds of thousands of computers because it attached itself to letters sent by the user.

The main defenses against such viruses: regularly update the Windows OS and install an anti-virus. Also refuse to run any programs obtained from dubious sources.

Macro viruses

Many users probably do not even suspect that, in addition to executable exe or com files, ordinary Microsoft Word or Excel files can also be infected. How is this possible? The VBA programming language was built into these editors at one time so that macros could be added to documents as an extension. Thus, if a document's macros are replaced with the virus author's own, the document may well turn out to be a virus...

Today almost all versions of office programs, before running a document from an unfamiliar source, will ask you again whether you really want to run macros from this document; if you click the "no" button, nothing will happen, even if the document contained a virus. The paradox is that most users click the "yes" button themselves...

One of the most famous macro viruses is Melissa, which peaked in 1999. The virus infected documents and, through Outlook mail, sent your contacts a letter with an infected attachment. Thus, in a short time, tens of thousands of computers around the world were infected with it!

Script viruses

Macro viruses, as a specific type, belong to the group of script viruses. The point is that it is not only Microsoft Office that uses scripts in its products; other software packages contain them too, for example Media Player and Internet Explorer.

Most of these viruses spread as attachments to letters, via email. Often the attachments are disguised as some newfangled picture or piece of music. In any case, do not launch, or better yet do not even open, attachments from unfamiliar addresses.

Users are often misled by file extensions... After all, it has long been known that pictures are safe, so why can't you open a picture that was sent by mail? By default, Explorer does not show file extensions, and if you see a picture name like "interesnoe.jpg", this does not mean the file actually has that extension.

To see extensions, enable the following option.

We'll show this on the example of Windows 7. If you go to any folder and click "Organize / Folder and search options", you get to the "View" tab. There is our treasured check box.

Uncheck the option "Hide extensions for registered file types", and also enable "Show hidden files and folders".

Now, if you look at the picture that was sent to you, it may well turn out that “interesnoe.jpg” suddenly became “interesnoe.jpg.vbs”. That's the whole trick. Many novice users have fallen for this trap more than once, and will continue to fall for it...
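The trick above can be checked mechanically. Here is a hidden-extension check added as an example (not code from the article): it computes the name Explorer would display with extensions hidden, the real extension, and flags a script or executable sitting behind a harmless-looking one. The extension sets are a short constructed list, not Windows' full registry of file types.

```python
"""Reveal the real extension of a file name and flag the double-extension trick."""
import ntpath

# Extensions Windows will execute or run as a script (short, illustrative list)
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
# Extensions users think of as "just data"
DATA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".txt", ".doc", ".pdf", ".mp3", ".avi"}


def classify(filename: str) -> tuple[str, str, str]:
    """Return (verdict, name as Explorer shows it with extensions hidden, real extension)."""
    base = ntpath.basename(filename)
    shown, real_ext = ntpath.splitext(base)       # only the LAST extension counts
    real_ext = real_ext.lower()
    # What the user believes the type to be, taken from the visible part of the name
    visible_ext = ntpath.splitext(shown)[1].strip().lower()
    if real_ext in EXECUTABLE_EXTS and visible_ext in DATA_EXTS:
        return "disguised_executable", shown, real_ext
    if real_ext in EXECUTABLE_EXTS:
        return "executable", shown, real_ext
    return "data", shown, real_ext


def suspicious(filename: str) -> bool:
    """True when an executable or script type hides behind a data-looking name."""
    return classify(filename)[0] == "disguised_executable"


if __name__ == "__main__":
    for f in ["interesnoe.jpg.vbs", "interesnoe.jpg", "setup.exe", "photo.JPG.scr"]:
        print(f, "->", classify(f))
```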

The main protection against script viruses is to update the OS and anti-virus in good time, and to refuse to view suspicious letters, especially those containing strange files... By the way, it wouldn't hurt to back up important data regularly; then you will be 99.99% protected from any threats.

Trojans

Although this type is classed as a virus, it is not strictly one. Its way of penetrating your PC is in many ways similar to a virus, only its tasks are different. If a virus's goal is to infect as many computers as possible and perform actions such as deleting files or opening windows, a Trojan program as a rule has one goal: to copy your passwords from various services and find out some information. It often happens that a Trojan program can be controlled over the network and, on its owner's orders, can instantly reboot your PC or, even worse, delete some files.

It is also worth noting one more feature. While viruses often infect other executable files, Trojans do not do this; this is a self-sufficient separate program, which works by itself. It is often disguised as some kind of system process, making it difficult for a novice user to catch it.

To avoid becoming a victim of Trojans, firstly, do not download files such as "cracks" for Internet access or for various programs. Secondly, in addition to the anti-virus you will also need a special program, for example The Cleaner, Trojan Remover, AntiViral Toolkit Pro, etc. Thirdly, it would not be superfluous to install a firewall (a program that controls other applications' access to the Internet) in manual mode, so that all suspicious and unknown processes are blocked by you. If the Trojan program does not get access to the network, half the work is already done; at least your passwords won't go anywhere...

To summarize, I would like to say that all the measures and recommendations listed will be useless if the user himself, out of curiosity, launches files, disables anti-virus programs, etc. The paradox is that in 90% of cases virus infection happens through the fault of the PC owner. Well, in order not to become a victim of the remaining 10%, it's enough to make backups from time to time. Then you can be almost 100% sure that everything will be OK!


