To analyse any malware, we need to understand its theory, how malware are built and where do they get executed. In this chapter, we’ll take a look at different environments that a malware can get executed or spread to different systems.
With this kind of map, you can better understand the real impact that a malware can do and how large the environment containing the malware can be and it’s also important to note that each layer can create different vulnerabilities for malicious code.
Computer architecture dependency
Most computer viruses do spread in executable, binary form. For instance, a boot virus will replicate itself as a single or couple sectors of code and takes advantage of the computer’s boot sequence.
Although the boot sequences of two computers as well as the structures of these viruses show similarities, viruses are highly dependent on the particularities of the architecture itself and on the exact load procedure and memory layout. Thus, binary viruses typically depend on the computer architecture.
While it’s more difficult and time consuming writing different malware each time for different architectures, malware creators will adapt the same malware to behave differently based on the computer architecture type, executing the correct malware for that architecture.
This type of dependency affects binary computer viruses. The source code of programs is compiled to object code, which is linked in a binary format such as an EXE format. For instance, the instruction NOP has a different opcode on CPU A than on CPU B, causing the malware to not run correctly since some opcode might be wrong and cause gibberish code.
The main concept here is this: malware coded for a specific CPU architecture will only work on that architecture.
Operating system dependency
Most computer viruses can operate only on a single operating system (except cross compatibilities between for example different Windows versions). As a result, having a different operative system could prevent you getting that specific malware, might make you invulnerable to some operating system dependent malwares.
However, so-called multipartite viruses are able to infect several different file formats or system areas, enabling them to jump from one operating environment to another.
File system dependency
For most viruses, it does not matter wheteher the targeted files reside on a FAT, NTFS or remote file system shared across network connections. As long as they are compatible with the operating environment’s high-level file system interface, they will work, infecting the file or store new files on the disk without paying attention to th actual storage format.
File format dependency
Viruses can be classified according to the file objects they can infect, such as COM viruses, EXE viruses, NE viruses, PE viruses, ELF viruses and so on.
Interpreted environment dependency
Several viruses classes depend on some sort of interpreted environment. Almost every major application supports users with programmability, like for example macros in Microsoft programs.
Not too much to say, viruses can only infect a new host if the system can be exploited via a known vulnerability. If the system is patched and thus not vulnerable, the virus won’t infect that host.
Date and time dependency
Same here, some viruses might replicate only within a certain time frame of the day or a certain date, making the virus a little bit more difficult to spot.
New viral environments are discovered each year, making more sophisticated malwares and making life look like hell to most of the analyst working on them.