A Website Dedicated to Computer Professionals...and some not so Professional

Are Viruses Working Together?
by Doug Chick 

Today's viruses have become more than just a geek trying to find self-identity; they have become organized units that call on other viruses for support. Does this sound too absurd to believe? You had better believe it, because they are already out there, eating away at your bandwidth and looking for their next targets. If you look at the viruses that you are removing from your networks, you will see that each one seems to perform a specific task. One virus may do nothing but e-mail out to a few specific IP addresses. Another may collect e-mail addresses from an address book and send itself to your friends and contacts, while another may stay on your system and do nothing but port scan other networks and report its findings back to its designer. A network analyzer, or sniffer, is always a good way to detect and plot the activities of these types of viruses. I use a relatively inexpensive packet analyzer named CommView. (The reason that I like it is because you can monitor traffic live and see what ports are being accessed.)

A few weeks ago, while running my packet analyzer program, I saw a computer on my network running port scans against several ranges of addresses. I realized immediately that this was the work of a virus, and instead of unplugging it from the switch I decided to keep it on and monitor its activity. What I found was actually three programs (viruses) performing separate tasks and reporting their results to the same e-mail addresses. Other computers also had some or all of these viruses. This particular computer would later be responsible for re-infecting the same set of computers. That is when we found an additional virus that lay almost dormant. That's when I realized that it would be very likely for there to be a series of viruses that would actually be capable of working together for the common goal of their master, or masters.
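One way to turn the observation above into an automated check, as an added example that is not from the original article: it flags a host that touches many distinct address/port pairs in a short window with mostly unanswered connections, and a workstation that completes SMTP connections itself instead of going through a mail relay. The record format, thresholds, relay list and addresses are all assumptions constructed for illustration; this is not CommView's export format.

```python
from collections import defaultdict

MAIL_RELAYS = {"10.0.0.5"}  # assumption: the only hosts allowed to speak SMTP outbound
WINDOW, MIN_TARGETS, MIN_UNANSWERED = 60, 20, 0.8  # assumed thresholds, tune per network

def parse(lines):
    """Yield (ts, src, dst, dport, state) from 'ts src dst dport state' records."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit() or not parts[3].isdigit():
            continue  # skip malformed records instead of crashing
        yield int(parts[0]), parts[1], parts[2], int(parts[3]), parts[4]

def detect(lines):
    """Return {src: set_of_findings} for scan-like fan-out and direct SMTP."""
    findings = defaultdict(set)
    by_src = defaultdict(list)
    for ts, src, dst, dport, state in parse(lines):
        by_src[src].append((ts, dst, dport, state))
        if dport == 25 and state == "EST" and src not in MAIL_RELAYS:
            findings[src].add("direct-smtp")
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1  # slide the window forward in time
            window = events[start:end + 1]
            targets = {(d, p) for _, d, p, _ in window}
            unanswered = sum(s == "SYN" for *_, s in window) / len(window)
            if len(targets) >= MIN_TARGETS and unanswered >= MIN_UNANSWERED:
                findings[src].add("port-scan")
                break
    return dict(findings)

def sample():
    """Constructed records: .23 sweeps a /24 on port 445 and mails out; .40 just browses."""
    rows = [f"{100 + i} 10.0.0.23 192.0.2.{i + 1} 445 SYN" for i in range(30)]
    rows += ["140 10.0.0.23 198.51.100.7 25 EST", "141 10.0.0.5 198.51.100.7 25 EST"]
    rows += [f"{100 + i * 5} 10.0.0.40 203.0.113.9 443 EST" for i in range(10)]
    rows += ["garbage line"]
    return rows

if __name__ == "__main__":
    for host, what in sorted(detect(sample()).items()):
        print(host, sorted(what))
```

A scan spread out so that fewer than `MIN_TARGETS` targets fall inside any one window is not flagged, so the window and threshold need tuning against normal traffic on the network being watched.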

Trojan or Penetrating Viruses: 

I believe that it is likely that there are viruses that do nothing but penetrate a computer, open a back door and message back to another virus lying in wait that the coast is clear. These types of virus may open the door for many other viruses to join it. There are 4 very distinct ways that these viruses travel in e-mail:

Buffer overflows that allow a virus to march right in.
Intruders write scripts to take advantage of a buffer overflow and often reprogram an application to run a different program. For example, an intruder can open a back door and start a new program that sends private files (checkbooks, password files, and the IP address of the open computer) to the intruder using e-mail.

Using the e-mail addresses in the computer's address book to send itself.
Another method is to use the user's address book and send itself to his or her friends or contacts. And since most viruses have to be initialized before they become active, one sent by a familiar name would be more likely to be opened.

By using the missionary method.
(Despite its name, the missionary method doesn't have anything to do with where your partner is positioned during the course of virus penetration.) I'll just rephrase that one later too. **

Another method might be an executable script embedded inside an HTML e-mail that would be executed if someone had the mail program set to preview e-mail. In other words, you are likely to find viruses embedded in spam.

Once a portal into a computer has been successfully opened, it may launch a secondary program, sitting dormant until the computer's clock or an event triggers it awake again, or sending for reinforcements.

Work Horse Viruses:

Work Horse Viruses may be designed to carry out specific tasks. One might do nothing but scan a random or predetermined range of IP addresses looking for open ports, while another might do nothing but scan for known vulnerabilities. And believe me, there are a lot of them out there, with new ones being discovered every day. Looking for server security patches should be the chore of any Network Administrator. Once this type of virus compiles a list of IP addresses with open ports and vulnerabilities, it sends its product either back to its creator or to another program that impregnates these servers with another program that allows them access to important data. These viruses may be working on a million computers doing nothing but scanning, reporting, impregnating and quickly going dormant. There's a joke about men in here somewhere.

Breeding Viruses:

One of the most frequently asked questions that I get is where do viruses come from and who makes them? There was a time when the obvious answer would have been teenagers who are not successful in pair bonding (geek term for dating), but these days I'm not so sure. Today's viruses are written to perform a specific task for their creator, or creators. Gaining access and retrieving data seems to be more on the mind of a modern virus maker than mindless vandalizing to impress their peers. I suspect that some countries are very organized and house a battalion of people that do nothing but filter through results looking for information that would be invaluable to the growth of their country's export market. A small program can easily scan through a computer looking for a specific bit pattern that might be a spreadsheet, Word or text document and e-mail the results of its findings back to whomever. In the course of a day a virus can impregnate, not thousands, but millions of computers. And these are only the ones that we catch. Well-written viruses may never be detected.

** Missionary Viruses Explained:

A missionary virus is a virus that depends on others to spread it, either for reasons of irony or because the maker wanted to keep the program small and simple. A missionary virus may be a virus embedded into a cute holiday picture or an e-mail of spiritual inspiration, or, in the most common form, a warning that there is a dangerous virus out that will destroy your computer: "Please forward this to all of your friends." And of course the unsuspecting victim sends this virus to everyone he or she knows. Most of these types of viruses are hoaxes, but there are some out there that are back door Trojans. The reason I call them Missionary Viruses is simply because missionaries were infamous for traveling to remote locations, such as the Hawaiian Islands or, say, South America, spreading the word of God. What they spread faster than God's words were plagues and diseases that killed over half of these peoples' populations.



E-mail your comments to dougchick@thenetworkadministrator.com
All rights reserved  TheNetworkAdministrator.com

Disclaimer: The opinions shared on TheNetworkAdministrator.com are contributed by its readers and do not necessarily express the opinion of the creators of this publication.