What Is a Virus?

So now that we’ve talked about malware a little bit, we’re going to talk about specifically what a virus is. So a virus is a type of malicious code or programming to alter the way a computer operates and is designed to spread from one computer to another. A virus operates by inserting or attaching itself to a legitimate program. Now it’s important to understand here that in order for a virus to either operate or replicate– so that’s that spread from one computer to another– it requires user interaction. This means that let’s say you’re going to go and you download a movie from some sort of torrent website, some sort of file-sharing website. That movie has had a virus patched into it.

So somewhere in the binary of the movie– or not the binary– somewhere inside the code of the movie is this virus. When you download it, you still have to watch that movie. You have to click Watch and Play for that virus to execute. And then what happens is you’ll share that. “Hey friend, do you want to watch this movie?” And you give them the movie. That’s kind of the replication. It’s a manual replication. It’s user initiated. That friend will take the movie. They’ll watch the movie, it’ll execute the virus, and so on. And this was exactly how this stuff was spreading back in the days of LimeWire and Pirate Bay and all that kind of stuff.

This was a big issue that you were having then. So what we’re going to do now is we’re going to– We talked about getting hashes for viruses and pieces of malware. We’re going to go out to VirusTotal, and we’re going to show you what that looks like. OK. So what I’ve gone ahead and done here is I’ve created what is known as an Eicar file.

And if we go ahead and cat that out, that string in there is just actually a DOS mand, a DOS program that is a running DOS program. And all it does is it cats out Eicar standard antivirus test file, that little bit of exit we can read there. And what this is used for is this is kind of used for antivirus tools to benchmark their capabilities. This is if you were an organisation and you want to make sure that you’ve got basic level antivirus protection in place, you would have someone try and maybe download an Eicar file, and it should 10 out of 10 times, 100% of the time, get detected. So that’s the idea here.

I have got this on a system. We’ve got an eicar.txt file, which for all intents and purposes is a known piece of malware. And then what we’re going to do is we’re going to go ahead and get the hash for the Eicar file. And in this case we’re using PowerShell, so we’re going to use a command lit get file hash. With Eicar, we’re going to pass the file eicar.txt and we’re going to tell it the algorithm that we want it to get, so that hash value that we want it to get is an MD5 hash.

So we can see we get this string here of characters. We’re going to copy and paste that, and we’re going to go out to VirusTotal and see what VirusTotal will tell us. Here we are at VirusTotal. This is the landing page when you see it. Actually, you’ll land on File. So if you had something that you thought was a malicious file you could upload it there. If you had something you thought was a malicious URL, you could type it in there. And then in this case, we’re just going to, because we have a hash, we’re going to put it in the search. We take that hash that we got from our Eicar file. We dump it into a search bar.

We hit Enter. And we can see that 63 out of 65 antivirus engines detected this as a virus, which is good. And I wouldn’t be surprised if the other two didn’t detect it because it’s just, it’s a known quantity. So on the left here you can see the antivirus engine name– Ad-Aware, Avast, Baidu– and then on the right you can kind of see what that antivirus engine will alert as or what it will register this as. Something that’s interesting to point out is there are a lot of antivirus providers out there, but there’s actually so many antivirus analysis engines, so a lot of them are kind of running the same secret recipe under the hood.

And you can tell here if you look at this, Avast and AVG the alert is the same. And you can see that in a few other places. BitDefenderTheta and ArcaBit, the alert’s the same. So there’s a good chance that they would, they’re probably running a similar, if not the exact same, antivirus engine under the hood. So in addition to showing us that it’s been detected on so many things, it shows us the hash. We can go ahead and find more information out about it. This is just an Eicar file, so there’s not too much interesting stuff. We can see some of the other hashes for it.

We can show you the SHA 256, which is actually the hash that is up top there; the history of when it was first submitted; most recent submission; similar names that we’ve seen it as. If this was something that had domains, you would see domains that it’s called out to. We don’t have that here. If it was running processes on the system, you would see some of the processes that it spawns. You can go to Community. Community will show you what other people have found out about it, some of the research they’ve done. They’ll link to the reports, so you can go ahead and read through some of that.

Again, because this is an Eicar file, none of it’s going to be too interesting, but this kind of gives you a good idea. And we’ll come back to this VirusTotal a couple more times as we move through with actual more malicious malware. Let’s go ahead and hop back to the slides. So we talked about what a virus was. We talked about what malware is. We talked about how to use VirusTotal or Google or something like that to show you how to find out what it is that you’re looking at. Some of the highlights here. So just remember malware is defined by its intents and capabilities, and we’ll go through that further. It’ll keep coming up. Malicious intent makes something malware.

Its capabilities define what class it is. And a virus requires user interaction to activate, and it also requires user action to spread. Again, just because you download it, you need to run it. That’s the interaction. Malware is always changing, which makes it difficult to track. We talked about hashes, heuristical data, things like that. The problem with hash-based or signature-based file detection is that all it takes for me to change a hash is to change one character within that file. So we looked at the Eicar file.

If I had just put an extra exclamation point somewhere in that file, the hash would be totally different, and that would mean that VirusTotal would probably not have a hash for it showing it that it was an Eicar file. So because of this it’s very easy for attackers to use obfuscation techniques where they will change their variable names or change their function names to random strings of stuff, and that will change the hashes. And that makes signature-based detection hard to do, which means that a lot of times we have to rely on behavioural based detection, which is just a lot more sophisticated and takes a lot more resources. There’s also lots of great free resources for identifying malware.

We talked about VirusTotal. We’ll talk about a few more. And you’ve always got Google. So just remember that the next section we’re going to start talking about worms and their ability to replicate themselves.