In this chapter you’ll learn about common memory residency strategies that computer viruses use to infect other objects on a system or across multiple systems. Depending on the in-memory residency strategy alone, some viruses can become much more virulent than others.

Direct action viruses

Direct-action viruses load with the host program into computer memory. Upon getting control, they look for new objects to infect by searching for new files. This is exactly why one of the most common kinds of computer virus is the direct-action infector and it can be crafted with relative ease by the attacker on a variety of platforms.

They only infect a couple of files upon execution, but some viruses infect everything at once by enumerating all directories for victims. In other cases, direct-action viruses simply copy themselves betweent the diskettes and the hard disk without waiting for the user to copy an infected file to the diskette.

Depending on the location of the actual host, the virus might become luckier in network environments.

Memory resident viruses

A much more efficient class of computer viruses remains in memory after the initialization of the virus code. Such viruses typically follow these steps:

  1. The virus gets control of the system.
  2. It allocates a block of memory for its own code.
  3. It relocates its code to the allocated block of memory.
  4. It activates itself in the allocated memory block.
  5. It hooks the execution of the code flow to itself.
  6. It infects new files and/or system areas.

This is the most typical pattern but several other methods exist that do not require all the preceding steps.

Stealth viruses

This kind of viruses always intercept a single function or set of functions in such a way that the caller of the function will receive manipulated data from the hook routine of the virus. Therefore, computer virus researchers only call a virus stealth if the virus is active in memory and manipulates the data being returned.

Semi stealth viruses

A virus is a semi stealth virus if it hides the change of file size but the changed content of the infected objects remains visible via regular file access. This technique requires the following basic attack strategy:

  1. Virus code is installed somewhere in memory.
  2. The virus intercepts file functions such as FindFirstFile or FindNextFile.
  3. It infects files of a constant size.
  4. It marks infected files with a flag.
  5. When an already infected file is intercepted, the virus reduces the file size in the returned data.

Because such viruses need to determine quickly if a file is already infected, the easiest approach is to set a special marker on the file timestamp. Because FindFirstFile and FindNextFile return this information in a data structure, the infection marker is readily available when the hook routine of a stealth virus calls the original function to get proper data about the file. The data structure is manipulated for the file size and the false data with reduced file size is returned.

Disk cache and system buffer infection

A very interesting attack strategy infection of files in the operating system’s buffers or file system cache organized by the cache manager. Such viruses are both anti-behaviour blocking and anti-heuristic. Behaviour blockers typically get invoked in system events, such as opening an existing executable file to write and blocking the event to prevent virus infections. This is based on the idea that viruses write to files to replicate to them, so it seems logical that blocking write events to existing binaries would reduce the likelihood of virus infections.

Temporary memory-resident viruses

A slightly more exotic type of computer virus is not always resident in the computer’s memory. Instead, the virus remains in memory for a short period of time or until a particular event occurs. Such an event might be triggered after a certain number of successful infections.

Such viruses tent to be much less successful at becoming in the wild. First of all, direct-action viruses are much easier to spot because they increase the disk activity considerably, though this problem could be mitigated by the attacker. Permanent resident viruses, howerver, are usually more infectious and spread much more rapidly than temporary memory-resident viruses.

Swapping viruses

This technique relies on loading a small piece of virus code actively into memory all the time. This small piece of code might be a hook event that, whenever it gets triggered, the virus loads a segment of viral code from the disk and infects a new object. After that, the virus again clears the loaded segment from memory and waits for the next hook.

Viruses in processes

On modern, multitasking operating systems, viruses need to use slightly different strategies. The virus does not have to become “resident” in the traditional sense. It is usually enough if the virus runs itself as a part of the process. An attacker has several options:

  1. The virus loads with the infected process, gets control using one of the techniques listed in this chapter, creates a thread (or a set of threads) in the running process itself in user mode, and infects files using regular direct-action techniques.
  2. Alternatively, the virus loads before the original host program; it does not create any threads but infects files before the execution of its host. Usually the host is created as a temporary file on the disk and executed in its own process by passing command-line parameters of the original program. This is a very primitive but fairly common approach.
  3. The virus also can run as its own process in user mode.
  4. Furthermore, the virus can use the Service Control Manager to load as a service process.
  5. Per-process resident viruses also hook APIs in the user-mode process and are able to replicate whenever the host process executes the hooked API.
  6. The virus uses a DLL injection technique. The easiest approach is to load a DLL via the modification of one of many Registry keys. When the host is executed, the viral DLL is loaded into the host process. User-mode rootkits usually combine this technique with per- process API hooking.
  1. The Art of Computer Virus Research and Defense, Chapter 5