What, exactly, IS a computer virus?

camelCase

The Case of the Mysterious Camel.
Reaction score
362
I know I could just Google it and get a wealth of information. Anyway, I was bored today and decided I'd try making a little virus in C#. Not particularly sophisticated at all and anyone smart enough would notice it's a virus program and not open it.

I have zero knowledge about what viruses really are except for some guesses that they're programs that were created for malicious intent. Armed with that lame piece of knowledge, I started work.

So, after a few hours, I was done and my virus would do this:
Upon opening, it will copy itself and .dlls into the user's Startup folder (to run on startup).
It will, then, access the computer's webcam (if any).
Every 30 secs, it will snap a photo and use smtp to email it to a dummy email account that I created for this purpose.
All the while, nothing shows up and it runs in the background.

This program is obviously malicious and invades a person's privacy. I tested it on myself and it works like a charm (my unglamorous photos are proof).

Then, I decided to scan it with AVG (not the best but w/e) and it detected nothing. I sent it to a bunch of friends and told them to scan and delete immediately (DO NOT OPEN!) and tell me the results. They all reported that zero threats were found. Which I found really weird. They also said the same thing to me, "If I had opened it, would my computer have crashed?" (Apparently, that's what they think all viruses do.)

This got me thinking, "What exactly do virus scanners look for when scanning?" Do they look for certain binary patterns typical of a virus or what? o.0
 

13lade619

is now a game developer :)
Reaction score
399
Virus scanners don't just check the code inside your little program on-the-fly.

They check the program against a virus database.
If it isn't in the database, it isn't reported.

They mostly check for the file sizes, file names and exact matches in the binary.
 

Accname

2D-Graphics enthusiast
Reaction score
1,462
A virus is usually not an executable which you "accidentally" click. They are attached to other kinds of files or activate themselves once downloaded.

Checking raw code for a virus is a task which is basically impossible for a computer.
 

s3rius

Linux is only free if your time is worthless.
Reaction score
130
A few things:

Every scanner worth its salt uses so-called heuristic analysis to figure out whether a program might contain an unknown virus. That's why virus scanners sometimes report false-positives. Check the link for more.

In addition to the heuristic approach we have the signature scanning. This is where the scanner actually checks against a database to find viruses in files.
They don't put much value into filesize or filenames because these things are too volatile to be useful. They check for partial binary matches to find viruses embedded in larger files, however.

But polymorphic viruses make that a difficult task.

There are many other functions a scanner can perform, such as active memory scanning (e.g. you'll most likely get a warning from your AV when you try to hook into memory of another process), rootkit detection (like modification of boot sector or OS code), and I'm sure there are many others that I don't know.

The problem is: many malware programs basically do the same things as your installed programs. It's very hard to determine whether your screenshot process is actually the result of unwanted infection of your system or if it's actually supposed to be there.
If your program doesn't trigger the heuristics or seriously messes with OS resources then there's a good chance it won't be detected.

I don't really know how good protection is against malware in general, but AV programs mainly protect you from infectious common viruses that lurk in the interwebz, not from homemade singularities such as yours.

Maybe you could try to set your scanner to maximum security level if there's an option like that. I know my Avira runs on moderate settings because the highest setting absolutely slaughters disk read/write performance.
But I kinda doubt it'll find it then.
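Added example (not code from anyone in this thread): a toy signature scanner of the kind s3rius describes above. Signatures are byte patterns with wildcards, matched anywhere inside a larger file (partial binary match), and the file is scanned in chunks with an overlap so a pattern straddling a chunk boundary is not missed. The signature names, patterns and sample blobs are all constructed for this example; a variant whose marker bytes differ shows why an unknown or altered binary simply isn't in the database.

```python
import io
import re

# Constructed signature database (names and byte patterns are made up).
# Each entry is a regex over raw bytes, so a signature can describe a partial
# binary match: some fixed bytes plus wildcards for parts that vary.
SIGNATURES = {
    "Demo.Dropper.A": re.compile(rb"\x55\x8b\xec.{2,8}DEMO-PAYLOAD-MARKER", re.DOTALL),
    "Demo.Stealer.B": re.compile(rb"copy-self-to-startup\x00.{0,16}smtp://", re.DOTALL),
}

def scan_bytes(data: bytes) -> list:
    """Return the names of all signatures found anywhere in `data`."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(data)]

def scan_stream(stream, chunk_size: int = 1 << 16, overlap: int = 64) -> list:
    """Scan a file-like object chunk by chunk. The last `overlap` bytes of the
    previous chunk are prepended to the next one, so a signature that straddles
    a chunk boundary is still seen whole (overlap must exceed the longest match)."""
    found, tail = set(), b""
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        found.update(scan_bytes(tail + block))
        tail = (tail + block)[-overlap:]
    return sorted(found)

def scan_blob_chunked(data: bytes, chunk_size: int) -> list:
    """Convenience wrapper: scan an in-memory blob as if it were a file."""
    return scan_stream(io.BytesIO(data), chunk_size)

# Constructed samples (not real malware): a benign blob, the same blob with a
# matching fragment embedded in the middle, and a variant whose marker bytes
# were altered, so the same signature no longer matches it.
CLEAN = b"MZ" + b"\x00" * 300 + b"Hello from a harmless program" + b"\x90" * 200
INFECTED = CLEAN[:150] + b"\x55\x8b\xec\x01\x02\x03DEMO-PAYLOAD-MARKER" + CLEAN[150:]
VARIANT = INFECTED.replace(b"DEMO-PAYLOAD-MARKER", b"DEMO-PAYL0AD-MARKER")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("infected", INFECTED), ("variant", VARIANT)):
        print(f"{label:9s} -> {scan_blob_chunked(blob, 100) or 'no match'}")
```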
 

KaerfNomekop

Swim, fishies. Swim through the veil of steel.
Reaction score
613
They check the program against a virus database.
If it isn't in the database, it isn't reported.
I don't really know how good protection is against malware in general, but AV programs mainly protect you from infectious common viruses that lurk in the interwebz, not from homemade singularities such as yours.

Does this mean that any random person could spread a virus over a large network and damage/destroy systems before being caught?
 

Accname

2D-Graphics enthusiast
Reaction score
1,462
How would you "spread" a virus?

Of course, if you give a malicious executable to a worker inside a company, and this person runs the program on a company computer, then you can spread a virus.
But the initial problem is to get somebody in the company to run it.

AV software will not let your program run itself without permission, because it is unknown, but if it is run by a user then the AV software will not be able to fully analyze the code of the software to find out whether it's malicious or not.
 

s3rius

Linux is only free if your time is worthless.
Reaction score
130
Does this mean that any random person could spread a virus over a large network and damage/destroy systems before being caught?

That is one reason why computers in larger company networks are protected so much (locked administrator account, paranoid firewall) and why it's discouraged - sometimes forbidden - to "just" surf the net from your workspace.
I think some (many?) companies don't even allow you to insert your datastick/DVDs from home.

I could imagine that some companies have security specialists that monitor network traffic to find out when something unknown spreads over the network.

I've read about the hacker who leaked HL2 pre-release. He did so by sneaking into the company network via a security flaw. IIRC he said he was probing their network for weeks, being very careful not to access too many files at once, or files too deep within the system, as to not show any suspicious activities that could be found.

And professional AV software is probably better than the ones you buy for private use.

So I'd venture to say that it's not all that easy.

And if you want to distribute the virus through the entire internet, it'll be found and forwarded to the AV companies eventually.


Daymn that makes me wanna play Uplink.
 

camelCase

The Case of the Mysterious Camel.
Reaction score
362
Thanks for all the info, s3rius!
Also, from the wiki link of Heuristic Analysis:
Most antivirus programs that utilize heuristic analysis perform this function by executing the programming commands of a questionable program or script within a specialized virtual machine, thereby allowing the anti-virus program to internally simulate what would happen if the suspicious file were to be executed while keeping the suspicious code isolated from the real-world machine. It then analyzes the commands as they are performed, monitoring for common viral activities such as replication, file overwrites, and attempts to hide the existence of the suspicious file. If one or more virus-like actions are detected, the suspicious file is flagged as a potential virus, and the user alerted.
Damn, sounds both cool and complex to code for at the same time.
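Added example (not from the wiki or anyone in this thread): the behaviour-scoring half of the heuristic analysis quoted above, run over a constructed sandbox trace. The event names, paths and weights are invented for this example; the point is that the three viral activities the quote lists (replication, file overwrites, hiding the file) are scored and summed against a threshold, so a benign installer that merely writes files stays below it.

```python
# Constructed sandbox trace: (action, target, detail) events, standing in for
# what the emulator would observe. Event names and paths are made up.
SELF_PATH = r"C:\Users\demo\Downloads\totally_not_a_virus.exe"
STARTUP_DIR = r"C:\Users\demo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

SUSPECT_TRACE = [
    ("file_copy", SELF_PATH, STARTUP_DIR + r"\totally_not_a_virus.exe"),
    ("file_write", STARTUP_DIR + r"\helper.dll", "new"),
    ("set_attribute", STARTUP_DIR + r"\totally_not_a_virus.exe", "hidden"),
    ("file_write", r"C:\Users\demo\Documents\report.docx", "overwrite"),
    ("net_connect", "smtp.example.invalid:587", None),
]

# A benign updater also writes files and even overwrites one of its own,
# but it never copies itself or hides anything.
INSTALLER_PATH = r"C:\Users\demo\Downloads\setup.exe"
BENIGN_TRACE = [
    ("file_write", r"C:\Program Files\App\app.exe", "new"),
    ("file_write", r"C:\Program Files\App\config.ini", "overwrite"),
    ("net_connect", "updates.example.invalid:443", None),
]

def classify_event(event, self_path):
    """Map one observed event to a (finding, weight) pair, or None if benign.
    The three rules correspond to the viral activities named in the quote."""
    action, target, detail = event
    if action == "file_copy" and target == self_path:
        return ("replication: copies itself elsewhere", 3)
    if action == "file_write" and detail == "overwrite":
        return ("overwrites an existing file", 2)
    if action == "set_attribute" and detail == "hidden":
        return ("hides a file it created", 2)
    return None

def analyze(trace, self_path, threshold=4):
    """Sum the weights of suspicious events; flag the sample at or above threshold."""
    findings, score = [], 0
    for event in trace:
        hit = classify_event(event, self_path)
        if hit:
            findings.append(hit[0])
            score += hit[1]
    return {"score": score, "flagged": score >= threshold, "findings": findings}

if __name__ == "__main__":
    print("suspect:", analyze(SUSPECT_TRACE, SELF_PATH))
    print("benign: ", analyze(BENIGN_TRACE, INSTALLER_PATH))
```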
 