I think it would be amusing if this virus, a brain-infecting pathogen, is actually the origin of higher brain functions in humans. That in its high-jacking of our dna it has made us essentially what we are today. Even better if it is the source of symbol-based language. That might just be the Burroughsian in me talking though.

PARIS (AFP) – Humans carry in their genome the relics of an animal virus that infected their forerunners at least 40 million years ago, according to research published Wednesday by the British science journal Nature.

The invader is called bornavirus, a brain-infecting pathogen that was first identified in 1970s.

Scientists led by Keizo Tomonaga of Japan’s Osaka University compared the DNA of a range of mammals, including humans, apes, elephants, marsupials and rodents, to look for tell-tale signatures of bornavirus code.

In the human genome, the team found several bornavirus fragments but also in the form of two genes that may be functional, although what they do is unclear.

Until now, the only viruses known to have been handed on in vertebrates were retroviruses, which work by hijacking cellular machinery in order to reproduce.

Retroviruses are effective in infiltrating the germline — the DNA of reproductive cells, which means their sequence, or part of it, is handed on to ensuing generations.

By some estimates, retroviruses account for as much as eight percent of the human code for life.

Bornavirus has a different stealth tactic, replicating in the nucleus of infected cells.

The disease owes its name to the German town of Borna, where a regiment of cavalry horses was wiped out in 1885 by a mysterious “heated head” disease.

Later research also found the disease among sheep, llamas, ostriches, cats and cattle, although how it spreads is poorly understood.

The impact of bornavirus on the human genetic odyssey is likely to trigger fierce debate.

The big questions are whether it provided a potential cause of genetic mutation or innovation in our species, or whether it provided a source for inherited illness — or, conversely, protection.

Bornavirus has not been clearly linked to diseases in humans, although some researchers speculate there could be a link with schizophrenia and other mental disorders.

Viral phenomenon: Ancient microbe invaded human DNA – Yahoo! News.

< via >

Viruses send embarrassing messages to friends on Networking sites(The Time s of India – Dec 15, 2009)

Hackers could evade most existing antivirus protection by hiding malicious code within ordinary text, according to security researchers.

One of the most common ways of hijacking other people’s computers is to use “code-injection” attacks, in which malicious computer code is delivered to and then run on victims’ machines. Current security measures work on the assumption that the code used has a different structure to plain text such as English prose.

Now a team of researchers has highlighted a potential future theatre in the virus-security arms race by working out how to hide malware within English-language sentences.

Though this is a hard exploit to pull off because of all the groundwork that needs to go into it, it is a novel approach for say, a nation state actor such as China to try huh? Of course they would have to work a bit harder at using English properly and not go for the pidgin English that they are known for now in coding sites and malware at times. Imagine just getting infected from a grammatically correct http page on the internet eh?

This exploit would be classic steganography though. Lets see if this exploit shows up somewhere in the future….

“English Shell Code”

Swine Flu May Be Human Error; WHO Investigates Claim

By Jason Gale and Simeon Bennett

May 13 (Bloomberg) — The World Health Organization is investigating a claim by an Australian researcher that the swine flu virus circling the globe may have been created as a result of human error.

Adrian Gibbs, 75, who collaborated on research that led to the development of Roche Holding AG’s Tamiflu drug, said in an interview that he intends to publish a report suggesting the new strain may have accidentally evolved in eggs scientists use to grow viruses and drugmakers use to make vaccines. Gibbs said he came to his conclusion as part of an effort to trace the virus’s origins by analyzing its genetic blueprint.

“One of the simplest explanations is that it’s a laboratory escape,” Gibbs said in an interview with Bloomberg Television today. “But there are lots of others.”

The World Health Organization received the study last weekend and is reviewing it, Keiji Fukuda, the agency’s assistant director-general of health security and environment, said in an interview May 11. Gibbs, who has studied germ evolution for four decades, is one of the first scientists to analyze the genetic makeup of the virus that was identified three weeks ago in Mexico and threatens to touch off the first flu pandemic since 1968.

A virus that resulted from lab experimentation or vaccine production may indicate a greater need for security, Fukuda said. By pinpointing the source of the virus, scientists also may better understand the microbe’s potential for spreading and causing illness, Gibbs said.

Possible Mistake

“The sooner we get to grips with where it’s come from, the safer things might become,” Gibbs said by phone from Canberra yesterday. “It could be a mistake” that occurred at a vaccine production facility or the virus could have jumped from a pig to another mammal or a bird before reaching humans, he said.

Gibbs and two colleagues analyzed the publicly available sequences of hundreds of amino acids coded by each of the flu virus’s eight genes. He said he aims to submit his three-page paper today for publication in a medical journal.

“You really want a very sober assessment” of the science behind the claim, Fukuda said May 11 at the WHO’s Geneva headquarters.

The U.S. Centers for Disease Control and Prevention in Atlanta has received the report and has decided there is no evidence to support Gibbs’s conclusion, said Nancy Cox, director of the agency’s influenza division. She said since researchers don’t have samples of swine flu viruses from South America and Africa, where the new strain may have evolved, those regions can’t be ruled out as natural sources for the new flu.

“This is how science progresses,” he said. “Somebody comes up with a wild idea, and then they all pounce on it and kick you to death, and then you start off on another silly idea.”

Well, this has not really made it to the “main stream” news but Bloomberg is close. Now, this story does answer some possible questions on the oddness of this disease. After all, it has traits of three different bugs within its code not just one particular type.

What’s even more interesting that this theory and paper by Gibbs has been accepted for review by WHO! So, we will see what they say as to the potential validity of this theory. Personally, I think it highly possible that this would be the way something like this would escape the labs out there where folks have been tinkering with the DNA of virus’

“Don’t fear the reaper….”

Remember “The Stand” ? Yeah….

Anyway, I am looking to procure the actual paper by Gibbs.. So once I locate that I will post it. Until then, think about this… Could this indeed have been an accidental release of a bug as byproduct of Tamiflu?

Maybe something more directed? Oh, there I go all Fringe on it….

When the world needs saving who do you call? The Watchmen of the Justice Avengers is the RPGBN’s own Superhero Group.  This stalwart band of heroes is ready to defeat your villain, fight the injustice, protect the innocent, but more importantly spice up your hero campaign.

The WJA’s headquarters are located in Ayuhwa on the RPGBN Shared world project.  However with dimensional hopping abilities, the WJA are ready to help in your own campaign.  This project is not closed.  Leave me a link and I’ll add your hero to the roster.

Founding Membership in alphabetical order:
Ambrose – Home Base: The Nameless Kingdom
The Dungeon Master- Home Base: Vulcan Stev’s Database
Elder Lehman – Home Base: Unclebear
The Grey Wulf - Home Base: Greywulf’s Lair
Mad Brew – Home Base: Mad Brew Labs
Ravyn – Home Base: Exchange of Realities
Virii – Home Base: The Bard of Valiant

Founding Roster is now closed.  Your Hero can still be a member.  Just leave me a link.

In my view, the Conficker worm provides a microcosm of the complexity of IT security and the pressing need for security best practices. Here are a few examples:

1. Conficker reinforces the link between IT security and operations. Organizations with strong asset, configuration, and patch management processes were probably able to patch vulnerable systems before Conficker first appeared in November 2008.
2. Conficker demonstrates the need for device authentication and port blocking. Conficker uses USB flash drives as a means for propagation. This should serve as a wake-up call to security professionals that USB drives can act as a modern-day “sneakernet” for spreading malicious code or stealing confidential data. Addressing these threats means limiting USB access to authorized drives (through means like the IEEE 1667 standard) while filtering all traffic that flows to or from USB drives.
3. Conficker contains a password-cracking program that can break simple passwords like “1234″ or “password.” This demonstrates the need for strong password enforcement, password management, and even multifactor authentication.
4. Finally, Conficker is an extremely aggressive worm that looks for open file shares on the network to create yet another propagation method. Detecting this activity demands network traffic analysis and an understanding of normal versus anomalous behavior.

The rest HERE

This guy hit it right on the head! The poor security practices of many a company out there will be their undoing should Conficker actually do anything of merit. Why is it so many places do so little to really secure their environments? Why, when they are told how to secure and why they need to, do they do nothing or just a half assed job at “Due Diligence” Well, lets see what tomorrow brings.. Well nothing likely tomorrow, but give it a few days….

“Today the majority of malware cannot be detected by signature-based security solutions and other traditional security methods. While these solutions play a role in a company’s defense-in-depth security strategy, malware now is more sophisticated and can easily go around these solutions,” said Greg Hoglund, CEO and founder of HBGary. “Our Digital DNA technology detects malware that is polymorphic, using advanced techniques or currently unknown that these solutions can’t find.” HBGary Digital DNA: How it Works Digital DNA is a patent-pending technology to detect advanced computer security threats within computer memory without relying on information provided by the computer’s operating system. All software modules residing in memory are identified and ranked by level of severity. The Digital DNA sequence appears as a series of trait codes when concatenated together describe the behaviors of each software module. For an example of a Digital DNA sequence, pleases use this link http://www.hbgary.com. Observed behavioral traits are then matched against HBGary’s new Global Threat Genome database to classify digital objects as good, bad or neutral. The database currently contains more than 2500 codified behavior traits.

Full Article HERE

I recently had a discussion about the DNA traits that could be programmed digitally into malware/virus’ I am interested to see a RNA version too that would mutate with connection to other malware/virus’ so they could trade and create new variants on their own.

With the advent of Conficker, I think this is getting closer to a reality. It is conceiveable to create code that could mesh in a random mutation and thus generate new and intersting modus operandi.

On the other end of this I am sure that the presented methodology by HB Gary will be all the rage in future attempts to detect and thwart all those pesky nasties.

Conclusion

We present an analysis of Conficker Variant C, which emerged on the Internet at roughly 6 p.m. (PST) on 4 March 2009.  This variant incorporates significant new functionality, including a new domain generation algorithm and a new peer-to-peer file sharing service.   Absent from our discussion has been any reference to the well-known attack propagation vectors (RCP buffer overflow, USB, and NetBios Scans) that have allowed C’s predecessors to saturate so much of the Internet.  Although not present in C, these attack propagation services are but one peer upload away from any C infected host, and may appear at any time.   C is, in fact, a robust and secure distribution utility for distributing malicious content and binaries to millions of computers across the Internet.   This utility incorporates a potent arsenal of methods to defend itself from security products, updates, and diagnosis tools.  It further demonstrates the rapid development pace at which Conficker’s authors are maintaining their current foothold on a large number of Internet-connected hosts.  Further, if organized into a coordinated offensive weapon, this multimillion-node botnet poses a serious and dire threat to the Internet.

Full report HERE

So, what does it all mean? What is the master plan for Conficker? The Cabal has not yet been able to find out who wrote it (but my guess is that they are Ukrainian) to track them down. Everything just looms over us as April 1 approaches and its activation day comes.

What’s missing here is the actual commands that the code is supposed to enact on April 1 though. I am sure they have decoded the bug and know, so why not let us all know? Perhaps the game is afoot and they plan on stopping a mass attack. Who knows…

What I find really interesting about the Conficker updates is that they seem to have thought this out very well. With the random DNS calls, the random sleep times, and other methods to obfuscate its presence, this bug would seem to have the ability to propagate itself, attack the internet, and possibly pass data to the herders at an incredible rate. All the while it would be unable to be stopped by common IDS/Friewalls etc.

April 1 will be interesting to say the least…

Usually it’s difficult for me to make a correlation between the two primary subjects that I studied in college–computer science and philosophy. The first few things that pop into mind when attempting to relate the two are typically artificial intelligence and ethics. Lately, intuition has caused me to ponder over a direct link between modern philosophy and effective digital security.

More precisely, I’ve been applying the Hegelian dialectic to the contemporary signature-based approach to anti-virus while pontificating with my peers on immediate results; the extended repercussions of this application are even more fascinating. Some of my thoughts on this subject were inspired by assertions of Andrew Jacquith and Dr. Daniel Geer at the Source Boston 2008 security conference. Mr. Geer painted a beautiful analogy between the direction of digital security systems and the natural evolution of biological autoimmune systems during his keynote speech. Mr. Jacquith stated the current functional downfalls of major anti-virus offerings. These two notions became the catalysts for the theoretical reasoning and practical applications I’m about to describe.

Hegel’s dialectic is an explicit formulation of a pattern that tends to occur in progressive ideas. Now bear with me here–In essence, it states that for a given action, an inverse reaction will occur and subsequently the favorable traits of both the action and reaction will be combined; then the process starts over. A shorter way to put it is: thesis, antithesis, synthesis. Note that an antithesis can follow a synthesis and this is what creates the loop. This dialectic is a logical characterization of why great artists are eventually considered revolutionary despite  initial ridicule for rebelling against the norm. When this dialectic is applied to anti-virus, we have: blacklist, whitelist, hybrid mixed-mode. Anti-virus signature databases are a form of blacklisting. Projects such as AFOSI md5deep, NIST NSRL,  and Security Objectives Pass The Hash are all whitelisting technologies.

A successful hybrid application of these remains to be seen since the antithesis (whitelisting) is still a relatively new security technology that isn’t utilized as often as it should be. A black/white-list combo that utilizes chunking for both is the next logical step for future security software. When I say hybrid mixed-mode, I don’t mean running a whitelisting anti-malware tool and traditional anti-virus in tandem although that is an attractive option. A true synthesis would involve an entirely new solution that inherited the best of each parent approach, similar to a mule’s strength and size. The drawbacks of blacklists and whitelists are insecurity and inconvenience, respectively. These and other disadvantages are destined for mitigation with a hybridizing synthesis.

The real problem with mainstream anti-virus software is that it’s not stopping all of the structural variations in malware. PC’s continue to contract virii even when they’re loaded with all the latest anti-virus signatures. This is analogous to a biological virus that becomes resistant to a vaccine through mutation. Signature-based matching was effective for many years but now the total set of malicious code far outweighs legitimate code. To compensate, contemporary anti-virus has been going against Ockham’s Razor by becoming too complex and compounding the problem as a result. It’s time for the security industry to make a long overdue about-face. Keep in mind that I’m not suggesting that there be a defection of current anti-virus software. It does serve a purpose and will become part of the synthesization I show above.

The fundamental change in motivation for digital offensive maneuvers from hobbyist to monetary and geopolitical warrants a paradigm shift in defensive countermeasure implementation. For what it’s worth, I am convinced that the aforementioned technique of whitelisting chunked hashes will be an invaluable force for securing the cloud. It will allow tailored information, metrics and visualizations to be targeted towards various domain-specific applications and veriticals. For example: finance, energy, government, or law enforcement, as well as the associated software inventory and asset management tasks of each. Our Clone Wars presentation featuring Pass The Hash (PTH) at Source Boston and CanSecWest will elaborate on our past few blog posts and much more.. See you there!

Durante os ultimos meses passei a me interessar por debuging e ASM afim de entender melhor metodologias de detecção utilizadas por sistemas de Antivirus modernos e desenvolver desta forma metodologias de evadir de sua detecção.

Em algumas das pesquisas descobri o site HX Heavens que é um fantastico repositório de vírus e algoritmos desde worms simples aos mais completos e complexos algoritmos de polimorfismo viral e engines para Shellcode mutate.

Quem deseja estudar esta ramificação de virology recomendo visitar este site e obter muitos exemplos e arquivos interessantes.

Abaixo o Foreword do site:

“Welcome to VX Heavens! This site is dedicated to providing information about computer viruses (or virii, as some would prefer) to anyone who is interested in this topic.

This site contains a massive, continuously updated collection of magazines, virus samples, virus sources, polymorphic engines, virus generators, virus writing tutorials, articles, books, news archives etc. We also offer free hosting for virus authors and groups.

Some of you might reasonably say that it is illegal to offer such content on the net. Or that this information can be misused by “malicious people”. I only want to ask that person: “Is ignorance a defence?”".

No site existe também um Antivir checker que permite que você faça upload de arquivos para verificar se a engine de antivirus utilizada pelo HX Heaven detecta.

Link: http://vx.netlux.org/

Good Hacking 4 All.

Having just caught up on some of the conference “Source Boston”, I can’t help but call out some of the musings of Andrew Jaquith. Something of a more technical abstract can be read at the code project’s article by Jeffrey Walton (pay special attention to Robin Hood and Friar Tuck). If anybody doubt’s the current trend of sophistication in malware, I’m sure it is somebody who is currently penetrated. I’ve had the opportunity to devote specific analysis on occasion over the years to MAL code and its impact on the enterprise. I know FOR SURE the level of sophistication is on the rise. One thing I had to deal with recently, the extent of capability afforded by most desktop OS’s being so advanced, the majority of functionality desired by MAL code is pre-deployed. Unfortunately paving the way for configuration viruses and their ability to remain undetected in that all they are is an elaborate set of configuration settings. You can imagine, a configuration virus has the entire ability of your OS at its disposal, any VPN/IPSEC, self-(UN) healing, remote administration, etc… The issue is then, how do you determine if that configuration is of MAL intent, it’s surely there for a reason and valid in many deployments. The harm is only when connected to a larger entity/botnet that harm begins to affect a host. Some random points to add hard learned through experience;

• Use a native execution environment
  • VMWare, prevents the load or typical operation of many MAL code variants
    • I guess VM vendors have a big win here for a while, until the majority of targets are VM hosts.
• Have an easily duplicated disk strategy
  • MAC systems are great for forensics, target disk mode and ubiquitous fire-wire allows for live memory dumps and ease of off-line disk analysis (without a drive carrier).
  • I’m planning a hash-tree based system to provision arbitrarily sized block checksums of clean/good files, useful of diff’ing out the noise for arbitrary medium (memory, disk, flash).
• Install a Chinese translator locally
  • As you browse Chinese hack sites, (I think all Russian site’s are so quiet these days due to the fact that they are financially driven, while Chinese are currently motivated by nationalistic motivators), you need to translate locally. Using a .com translation service is detected and false content is rendered, translate locally to avoid that problem.
    • Also, keep notes on lingo.. there are no translation-hack dictionaries yet. (I guess code pigeon is referring to a homing pigeon, naturally horse/wood code is a Trojan).

Unfortunately part of the attacker advantage is the relatively un-coordinated fashion defenders operate, not being able to trust or vet your allies to compare notes can be a real pain. One interesting aspect of a MAL system recently analyzed was the fact that that it had no persistent signature. It’s net force mobility so complete, that the totality of its functionality could shift boot-to-boot, so long as it compromised a boot-up driver it would rise again. The exalted C. Brown put it best, “Good grief!” http://www.codeproject.com/KB/cpp/VirusProtect.aspx http://www.sourceboston.com/blog/?p=25

Ik was een Symantec adept. Zeker heeft Norton zijn sporen verdiend, maar de laatste tijd begon dit uitstekende programma om je te beveiligen tegen virussen, malware en hacks tekenen van verval te vertonen. Het is een zwaar programma dat veel van je PC eist. Het was zo erg dat het op den duur zelf voor onstabiliteit zorgde. Dat is nou het gene dat ik niet wens. Daarom ben ik overgeschakeld naar deze gratis (voor particulieren) anti-virus software. Downloaden, installeren en registreren en je bent voor een jaar goed. Deze software ondersteunt zelfs Vista.  Volg deze link.

Joanna Rutkowska, specjalistka ds. zabezpieczeń, zaprezentowała kilka różnych metod, za pomocą których wyspecjalizowane rootkity mogą oszukać nawet najlepsze dostępne obecnie mechanizmy obronne.

Rutkowska zaprezentowała wyniki swoich badań podczas poświęconej komputerowemu bezpieczeństwu konferencji Black Hat w Arlington, w stanie Virginia. Z jej prezentacji wynika, iż jeśli rootkit jest wystarczająco zaawansowany, aktualnie nie ma całkowicie skutecznej metody jego wykrycia w systemie.

Niektóre sprzętowe mechanizmy obrony przed rootkitami (m.in. takie produkty jak Tribble, CoPilot i RAM Capture Tool) działają w ten sposób, że wykonują “obraz” pamięci RAM (jest to najpewniejszy sposób na wykrycie obecności pewnych rodzajów rootkitów).

Rutkowska pokazała jednak trzy rodzaje ataków, skutecznie radzących sobie z tego typu zabezpieczeniami. Jeden z nich prowadził do zawieszenia komputera w momencie, gdy mechanizm zabezpieczający próbował uzyskać dostęp do stanu pamięci RAM, inny polegał na udostępnieniu do wglądu jedynie pewnej części pamięci. Ostatni typ ataku polegał na całkowitym maskowaniu rzeczywistego stanu pamięci fizycznej podczas jej skanowania. Druga z wymienionych technik w niektórych przypadkach pozwalałaby na odnalezienie śladów działania złośliwego oprogramowania w systemie, ale bez możliwości jego identyfikacji, zaś dzięki trzeciej oprogramowanie typu malware mogłoby nigdy nie zostać odnalezione.

Rutkowska twierdzi: “Żyjemy w XXI wieku, ale najwyraźniej nie potrafimy miarodajnie odczytać stanu pamięci naszych komputerów. Może powinniśmy pomyśleć o zmianie architektury systemów tak, aby można je było w pewien sposób zweryfikować”.

Źródło: PC World Komputer

Self replicating, insidious, attacking firewalls, computers and users, the computer virus is the modern equivalent of the biological virus. It has spawned a whole industry of anti-virus programs, updated daily with new definitions in order to protect the user from the effects of the virii.

From Wikipedia’s entry on computer virii.

In computer security, a computer virus is a self-replicating computer program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of a virus into the program is termed as an “infection”, and the infected file, or executable code that is not part of a file, is called a “host”. Viruses are one of the several types of malicious software or malware. In common parlance, the term virus is often extended to refer to worms, trojan horses and other sorts of malware; viruses in the narrow sense of the word are less common than they used to be, compared to other forms of malware.

While viruses can be intentionally destructive, for example, by destroying data, many other viruses are fairly benign or merely annoying. Some viruses have a delayed payload, which is sometimes called a bomb. For example, a virus might display a message on a specific day or wait until it has infected a certain number of hosts. A time bomb occurs during a particular date or time, and a logic bomb occurs when the user of a computer takes an action that triggers the bomb. The predominant negative effect of viruses is their uncontrolled self-reproduction, which wastes or overwhelms computer resources.

Today, viruses are somewhat less common than network-borne worms, due to the popularity of the Internet. Anti-virus software, originally designed to protect computers from viruses, has in turn expanded to cover worms and other threats such as spyware, identity theft and adware.

Included in the many types of viruses are:

Trojan horses

A Trojan horse is just a computer program. The program pretends to do one thing (like claim to be a picture) but actually does damage when one starts it (it can completely erase one’s files). Trojan horses cannot replicate automatically.

Worms

A worm is a piece of software that uses computer networks and security flaws to create copies of itself. A copy of the worm will scan the network for any other machine that has a specific security flaw. It replicates itself to the new machine using the security flaw, and then starts replicating.

E-mail viruses

An e-mail virus will use an e-mail message as a mode of transport, and usually will copy itself by automatically mailing itself to hundreds of people in the victim’s address book.

Computer viruses are called viruses because they share some traits of types of biological viruses.

A computer virus will pass from one computer to another like a real life biological virus passes from person to person. For example, it is estimated by experts that the Mydoom worm infected a quarter-million computers in a single day in January of 2004. In March of 1999, the Melissa virus spread so rapidly that it forced Microsoft and a number of other very large companies to completely turn off their e-mail systems until the virus could be dealt with. Another example is the ILOVEYOU virus which occurred in 2000 had a similarly disastrous effect.

Use of the word “virus”

The word virus is often claimed to be the acronym of Vital Information Resources Under Siege, although this is obviously a backronym. The word is derived from and is used the same sense as the biological equivalent. The term “virus” is often used in common parlance to describe all kinds of malware (malicious software), including those that are more properly classified as worms or trojans. Most popular anti-virus software packages defend against all of these types of attack. In some technical communities, the term “virus” is also extended to include the authors of malware, in an insulting sense.

The English plural of “virus” is “viruses”. Some people use “virii” or “viri” as a plural, although computer professionals seldom use these words. For a discussion about whether “viri” and “virii” are correct alternatives for “viruses”, see plural of virus.

History

A program called “Elk Cloner” is credited with being the first computer virus to appear “in the wild” — that is, outside the single computer or lab where it was created. Written in 1982 by Rich Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk.

The first PC virus was a boot sector virus called (c)Brain, created in 1986 by two brothers, Basit and Amjad Farooq Alvi, operating out of Lahore, Pakistan. The brothers reportedly created the virus to deter pirated copies of software they had written. However, analysts have claimed that the Ashar virus, a variant of Brain, possibly predated it based on code within the virus.

Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early days of personal computers, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted the computer from the disk.

Traditional computer viruses were mostly first seen at the last half of the 1980s, and they came about because of a few reasons. “The first reason was the spread of personal computers. Prior to the 1980s, home computers were nearly non-existent or they were toys. Real computers were rare, and they were locked away for use by “experts.” During the 1980s, real computers started to spread to businesses and homes because of popularity. By the late 1980s, PCs were widespread in businesses, homes and college campuses.

The second reason was the use of bulletin boards on the computer. People could dial up a bulletin board with a modem and download all sorts of different programs. Most popular were games, and then simple word processors, spreadsheets, etc. Bulletin boards led to what is now known as the virus called a Trojan horse. The third reason that led to the creation of viruses was most definitely the floppy disk. At the end of the 1980s, programs were very small, and one could fit the operating system, a word processor and many documents onto a single floppy disk. Most computers didn’t have hard disks, so one would turn on one’s computer and it would load the operating system and everything else straight from the floppy disk. Viruses took advantage of these three facts to create the first self-replicating programs.

As bulletin board systems and online software exchange became popular in the late 1980s and early 1990s, more viruses were written to infect popularly traded software. Shareware and bootleg software were equally common vectors for viruses on BBSes. Within the “pirate scene” of hobbyists trading illicit copies of commercial software, traders in a hurry to obtain the latest applications and games were easy targets for viruses.

Since the mid-1990s, macro viruses have become common. Most of these viruses are written in the scripting languages for Microsoft programs such as Word and Excel. These viruses spread in Microsoft Office by infecting documents and spreadsheets. Since Word and Excel were also available for Mac OS, most of these viruses were able to spread on Macintosh computers as well. Numerically, most of these viruses did not have the ability to send infected e-mail. The ones that did usually worked by accessing the Microsoft Outlook COM interface.

Macro viruses pose unique problems for detection software. For example, some versions of Microsoft Word caused macros to replicate themselves with additional blank lines. The virus behaved identically but would be misidentified as a new virus. In another example, if two macro viruses simultaneously infect a document, the combination of the two, if also self-replicating, can appear as a “mating” of the two and would likely be detected as a virus unique from the “parents”.

A computer virus may also be transmitted through instant messaging. A virus may send a web address link as an instant message to all the contacts on an infected machine. If the recipient, thinking the link is from a friend (a trusted source) and follows the link to the website, the virus hosted at the site may be able to infect this new computer and continue propagating.

Why people create computer viruses

Unlike biological viruses, computer viruses do not simply evolve by themselves. Computer viruses cannot come into existence spontaneously, nor can they be created by bugs in regular programs. They are deliberately created by programmers, or by people who use virus creation software. It is possible that copying errors and recombination may lead to the actual evolution of a computer virus; however, the possibility of this type of ‘digital evolution’ is extremely remote.

Virus writers can have various reasons for creating and spreading malware. Viruses have been written as research projects, pranks, vandalism, to attack the products of specific companies, to distribute political messages, and financial gain from identity theft, spyware, and cryptoviral extortion. Some virus writers consider their creations to be works of art, and see virus writing as a creative hobby. Additionally, many virus writers oppose deliberately destructive payload routines. Some viruses were intended as “good viruses”. They spread improvements to the programs they infect, or delete other viruses. These viruses are, however, quite rare, still consume system resources, may accidentally damage systems they infect, and, on occasion, have become infected and acted as vectors for malicious viruses. A poorly-written “good virus” can also inadvertently become a virus in and of itself (for example, such a ‘good virus’ may misidentify its target file and delete an innocent system file by mistake). Moreover, they normally operate without asking for permission of the owner of the computer. Since self-replicating code causes many complications, it is questionable if a well-intentioned virus can ever solve a problem in a way which is superior to a regular program that does not replicate itself.

Releasing computer viruses (as well as worms) is a crime in most jurisdictions.

See also the BBC News article.

Replication strategies

In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user tries to start an infected program, the virus’ code may be executed first. Viruses can be divided into two types, on the basis of their behavior when they get executed. Nonresident viruses immediately search for other hosts that can be infected, infect these targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.

Nonresident viruses

Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.

For simple viruses the replicator’s task is to:

1. Open the new file
2. Check if the executable file has already been infected (if it is, return to the finder module)
3. Append the virus code to the executable file
4. Save the executable’s starting point
5. Change the executable’s starting point so that it points to the start location of the newly copied virus code
6. Save the old start location to the virus in a way so that the virus branches to that location right after its execution.
7. Save the changes to the executable file
8. Close the infected file
9. Return to the finder so that it can find new files for the replicator to infect.

Resident viruses

Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation. For example, the replication module can get called each time the operating system executes a file. In this case, the virus infects every suitable program that is executed on the computer.

Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible. For instance, a fast infector can infect every potential host file that is accessed. This poses a special problem to anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can “piggy-back” on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently. For instance, some slow infectors only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably, and will at most infrequently trigger anti-virus software that detects suspicious behavior by programs. The slow infector approach doesn’t seem very successful however. Virus that are common in the wild are mostly relatively fast to extremely fast infectors.

Host types

Viruses have targeted various types of hosts. This is a non-exhaustive list:

• Binary executable files (such as COM-files and EXE-files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux)
• Volume boot records of floppy disks and hard disk partitions
• The master boot record of a harddisk
• General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms).
• Application-specific script files (such as Telix-scripts)
• Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database files)

Companion viruses

A few older viruses called companion viruses do not have host files per se, but exploit MS-DOS. A companion virus creates new files (typically .COM but can also use other extensions such as “.EXD”) that have the same file names as legitimate .EXE files. When a user types in the name of a desired program, if he does not type in “.EXE” but instead does not specify a file extension, DOS will assume he meant the file with the extension that comes first in alphabetical order and run the virus. For instance, if a user had “(filename).COM” (the virus) and “(filename).EXE” and the user typed “filename”, he will run “(filename).COM” and run the virus. The virus will spread and do other tasks before redirecting to the legitimate file, which operates normally. Some companion viruses are known to run under Windows 95 and on DOS emulators on Windows NT systems. Path companion viruses create files that have the same name as the legitimate file and place new virus copies earlier in the directory paths. These viruses have become increasingly rare with the introduction of Windows XP, which does not use the MS-DOS command prompt per se.

Methods to avoid detection

In order to avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the MS-DOS platform, make sure that the “last modified” date of a host file stays the same when the file is infected by the virus. This approach does not fool anti-virus software, however.

Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example the CIH virus, or Chernobyl Virus, infects Portable Executable files. Because those files had many empty gaps, the virus, which was 1 KiB in length, did not add to the size of the file.

Recent viruses avoid any kind of detection attempt by attempting to forcefully kill the tasks associated with the virus scanner before it can detect them.

As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced.

Avoiding bait files and other undesirable hosts

A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many anti-virus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. For this reason, some viruses are programmed not to infect programs that are known to be part of anti-virus software. Another type of hosts that viruses sometimes avoid is bait files. Bait files (or goat files) are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus. These files can be created for various reasons, all of which are related to the detection of the virus:

• Anti-virus professionals can use bait files to take a sample of a virus (i.e. a copy of a program file that is infected by the virus). It is more practical to store and exchange a small infected bait file, than to exchange a large application program that has been infected by the virus.
• Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods. This is especially useful when the virus is polymorphic. In this case, the virus can be made to infect a large number of bait files. The infected files can be used to test whether a virus scanner detects all versions of the virus.
• Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system.

Since bait files are used to detect the virus, or to make detection possible, a virus can benefit from not infecting them. Viruses typically do this by avoiding suspicious programs, such as small program files or programs that contain certain patterns of ‘garbage instructions’.

A related strategy to make baiting difficult is sparse infection. Sometimes, sparse infectors do not infect a host file that would be a suitable candidate for infection in other circumstances. For example, a virus can decide on a random basis whether to infect a file or not, or a virus can only infect host files on particular days of the week.

Stealth

Some viruses try to trick anti-virus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the anti-virus software’s request to read the file and passing the request to the virus, instead of the OS. The virus can then return an uninfected version of the file to the anti-virus software, so that it seems that the file is “clean”. Modern anti-virus software employs various techniques to counter stealth mechanisms of viruses. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.

Self-modification

Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for so-called virus signatures. A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in a file, it notifies the user that the file is infected. The user can then delete, or (in some cases) “clean” or “heal” the infected file. Some viruses employ techniques that make detection by means of signatures difficult or impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.

Simple self-modifications

In the past, some viruses modified themselves only in fairly simple ways. For example, they regularly exchanged subroutines in their code. This poses no problems to a somewhat advanced virus scanner.

Encryption with a variable key

A more advanced method is the use of simple encryption to encipher the virus. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible.

Mostly, the decryption techniques that these viruses employ are fairly simple and mostly done by just xoring each byte with a randomized key that was saved by the parent virus. The use of XOR-operations has the additional advantage that the encryption and decryption routine are the same (a xor b = c, c xor b = a.)

Polymorphic code

Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts that stay the same on each infection, making it impossible to detect directly using signatures. Anti-virus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body. See Polymorphic code for technical detail on how such engines operate.

Some viruses employ polymorphic code in a way which constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for anti-virus professionals to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. This will make it more likely that the detection by the virus scanner will be unreliable, and that, as a result of this, some instances of the virus may be able to avoid detection.

Metamorphic code

To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that use this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of Assembly language code, 90% of it part of the metamorphic engine.

Viruses and legitimate software

The vulnerability of operating systems to viruses

Another analogy to biological viruses: just as genetic diversity in a population decreases the chance of a single disease wiping out a population, the diversity of software systems on a network similarly limits the destructive potential of viruses.

This became a particular concern in the 1990s, when Microsoft gained market dominance in desktop operating systems and office suites. Users who use Microsoft software (especially networking software such as Microsoft Outlook and Internet Explorer) are especially vulnerable to the spread of viruses. Microsoft software is targeted by virus writers due to their desktop dominance, and is often criticized for including many errors and holes for virus writers to exploit. Integrated applications, applications with scripting languages with access to the file system (for example Visual Basic Script (VBS), and applications with networking features) are also particularly vulnerable.

Although Windows is by far the most popular operating system for virus writers, some viruses also exist on other platforms. Any operating system that allows third-party programs to run can theoretically run viruses. Some operating systems are less secure than others. Unix-based OSes (and NTFS-aware applications on Windows NT based platforms) only allow their users to run executables within their protected space in their own directories.

Windows and Unix have similar scripting abilities, but while Unix natively blocks normal users from having access to make changes to the operating system environment, Windows does not. In 1997, when a virus for Linux was released – known as “Bliss” – leading antivirus vendors issued warnings that Unix-like systems could fall prey to viruses just like Windows. The Bliss virus may be considered characteristic of viruses – as opposed to worms – on Unix systems. Bliss requires that the user run it explicitly, and it can only infect programs that the user has the access to modify. Unlike Windows users, most Unix users do not log in as the administrator user except to install or configure software; as a result, even if a user ran the virus, it could not harm their operating system. The Bliss virus never became widespread, and remains chiefly a research curiosity. Its creator later posted the source code to Usenet, allowing researchers to see how it worked.

The role of software development

Because software is often designed with security features to prevent unauthorized use of system resources, many viruses must exploit software bugs in a system or application to spread. Software development strategies which produce large numbers of bugs will generally also produce potential exploits.

Closed-source software development, as practiced by Microsoft and other proprietary software companies, is seen by many as a security weakness. Open source software such as Linux, for example, allows all users to look for and fix security problems without relying on a single vendor. Some advocate that proprietary software makers practice vulnerability disclosure to improve this weakness.

On the other hand, some claim that open source development exposes potential security problems to virus writers, hence increases in the prevalence of exploits. They counter claims that popular closed source systems such as Windows are often exploited by claiming that these systems are only commonly exploited due to their popularity and the potential widespread effect such an exploit will have.

Anti-virus software and other countermeasures

Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads or runs the executable. They work by examining the contents of the computer’s memory (its RAM, and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus “signatures”. Some anti-virus programs are able to scan opened files in addition to sent and received emails ‘on the fly’ in a similar manner. This practice is known as “on-access scanning.” Anti-virus software does not change the underlying capability of host software to transmit viruses. There have been attempts to do this but adoption of such anti-virus solutions can void the warranty for the host software. Users must therefore update their software regularly to patch security holes. Anti-virus software also needs to be regularly updated in order to gain knowledge about the latest threats and hoaxes.

Virus extensions

@mm is an extension commonly appended to the end of a mass mailing computer virus. This model is used by security firm Symantec, and follows any variant letter. Examples include:

• W32.MyDoom@mm
• Mac.Simpsons@mm
• W32.MyParty@mm
• W32.Nimda.A@mm

Other similar extensions or prefixes are applied to computer viruses, however the decision to do so and indeed the ‘name’ of the virus is determined by the will of individual security firms.

Ever since the Hot Zone by Richard Preston, Ebola Zaire has always had a strange fascination. Let’s examine the origin of the modern computer virus, the biological virus.

From Wikipedia’s entry on Virus.

A virus (Latin, poison) is a submicroscopic particle that can infect the cells of a biological organism. At the most basic level viruses consist of genetic material contained within a protective protein shell called a capsid, which distinguishes them from other virus-like particles such as prions and viroids. The study of viruses is known as virology, and those who study viruses are called virologists.

Viruses are similar to obligate intracellular parasites as they lack the means for self-reproduction outside a host cell, but unlike parasites, which are living organisms, viruses are not truly alive. They infect a wide variety of organisms, both eukaryotes (such as animals and plants) and prokaryotes (such as bacteria). A virus infecting bacteria is known as a bacteriophage, which is used mainly in its shortened form phage.

It has been argued extensively whether viruses are living organisms. They are considered non-living by the majority of virologists as they do not meet all the criteria of the generally accepted definition of life. Among other factors, viruses do not possess a cell membrane or metabolise on their own. A definitive answer is still elusive due to the fact that some organisms considered to be living exhibit characteristics of both living and non-living particles, as viruses do.

Discovery

Viral diseases such as rabies have affected humans for many centuries, but it wasn’t until relatively recently that the cause of these diseases was discovered. In the early 18th century, the wife of an English ambassador to Turkey observed the native women innoculating their children against smallpox, who subsequently became immune to the disease. In the late 18th century, Edward Jenner observed and studied a milkmaid who had caught cowpox previously and subsequently became immune to smallpox, a similar virus.

Charles Chamberland developed a porcelain filter in the late 19th century which was used to indirectly study the first documented virus, tobacco mosaic virus. Shortly afterwards, Dmitri Ivanowski published his experiments showing that crushed leaf extracts of infected tobacco plants were still infectious even after filtering any bacteria. At about the same time, several others documented filterable disease-causing agents, with several independent experiments showing that viruses were different to bacteria and caused disease in living organisms.

In the early 20th century, Frederick Twort discovered that even bacteria could be attacked by viruses. Felix d’Herelle, working independently, showed that a preparation of viruses caused areas of cellular death on thin cell cultures spread on agar. Counting these degraded areas allowed him to estimate the original number of viruses in the suspension. Finally, in 1935 Wendell Stanley crystallised the tobacco mosaic virus and found it to be mostly protein, and a short time later the virus was separated into both protein and a nucleic acid parts.

Origins

The origins of modern viruses are not entirely clear, and there may not be a single mechanism of origin that can account for all viruses. As viruses do not fossilise well, molecular techniques have been the most useful means of hypothesising how they arose. Research in microfossil identification and molecular biology may yet discern fossil evidence dating to the Archean or Proterozoic eons. Two main hypotheses currently exist:

• Small viruses with only a few genes may be runaway stretches of nucleic acid originating from the genome of a living organism. Their genetic material could have been derived from transferable genetic elements such as plasmids or transposons, which are prone to moving around, exiting, and entering genomes.

• Viruses with larger genomes, such as poxviruses, may have once been small cells which parasitised larger host cells. Over time, genes not required by their parasitic lifestyle would have been lost in a streamlining process known as retrograde- or reverse-evolution. Both the bacteria Rickettsia and Chlamydia are living cells which, like viruses, can only reproduce inside host cells. They lend credence to this hypothesis, as they are likely to have lost genes which enabled them to survive outside a host cell in favour of their parasitic lifestyle.

Other infectious particles which are even simpler in structure than viruses include viroids, satellites, and prions.

Classification

An artificially coloured electron micrograph of a bacteriophage

For more details on this topic, see Virus classification.

In taxonomy, the classification of viruses has proved to be rather difficult due to the lack of fossil record and dispute over whether they are living or non-living. They do not fit easily into any of the domains of biological classification and therefore classification begins at the family rank. However, the domain name of Acytota has been suggested. This would place viruses on a par with the other domains of Eubacteria, Archaea, and Eukarya. It should be noted that not all families are currently classified into orders, nor all genera classified into families.

As an example of viral classification, the chicken pox virus belongs to family Herpesviridae, subfamily Alphaherpesvirinae and genus Varicellovirus. It remains unranked in terms of order. The general structure is as follows.

Order (-virales)

Family (-viridae)

Subfamily (-virinae)

Genus (-virus)

Species (-virus)

The International Committee on Taxonomy of Viruses (ICTV) developed the current classification system and put in place guidelines that put a greater weighting on certain virus properties in order to maintain family uniformity. In determining order, taxonomists should consider the type of nucleic acid present, whether the nucleic acid is single- or double-stranded, and the presence or absence of an envelope. After these three main properties, other characteristics can be considered: the type of host, the capsid shape, immunological properties and the type of disease it causes.

In addition to this classification system, the Nobel Prize-winning biologist David Baltimore devised the Baltimore classification system. This places a virus into one of seven Groups, which separate viruses based on their mode of replication and genome type. The ICTV classification system is used in conjunction with the Baltimore classification system in modern virus classification.

Structure

A complete virus particle, known as a virion, is little more than a gene transporter, consisting at the most basic level of nucleic acid surrounded by a protective coat of protein called a capsid. A capsid is composed of proteins encoded by the viral genome and its shape serves as the basis for morphological distinction. Virally coded protein units called protomers will self-assemble to form the capsid, requiring no input from the virus genome – however, a few viruses code for proteins which assist the construction of their capsid. Proteins associated with nucleic acid are more technically known as nucleoproteins, and the association of viral capsid proteins with viral nucleic acid is called a nucleocapsid.

In general, four main morphological virus types can be identified:

	Helical viruses
Diagram of a helical capsid	Helical capsids are composed of a single type of protomer stacked around a central circumference to form an enclosed tube resembling a spiral staircase. This arrangement results in rod-shaped virions which can be short and rigid, or long and flexible. Long helical particles must be flexible in order to prevent forces snapping the structure. The genetic material is housed on the inside of the tube, protected from the outside. Overall, the length of a helical capsid is related to the length of the nucleic acid contained within it, while the diameter is dependent on the overall length and arrangement of protomers. The well-studied tobacco mosaic virus is a helical virus.
	Icosahedral viruses
Electron micrograph of icosahedral virions	Icosahedral capsid symmetry results in a spherical appearance of viruses at low magnification but actually consists of capsomers arranged in a regular geometrical pattern, similar to a soccer ball, hence they are not truly “spherical”. Capsomers are ring shaped structures constructed from five to six copies of protomers. These associate via non-covalent bonding to enclose the viral nucleic acid, though generally less intimately than helical capsids, and may involve one type of protomer or more.Icosahedral architecture was employed by R. Buckminster-Fuller in his geodesic dome, and is the most efficient way of creating an enclosed robust structure from multiple copies of a single protein. The number of proteins required to form a spherical virus capsid is denoted by the T-number[2], where 60×t proteins are necessary. In the case of the hepatitis B virus the T-number is 4, therefore 240 proteins assemble to form the capsid.
	Enveloped viruses
Diagram of enveloped HIV	In addition to a capsid some viruses are able to hijack a modified form of the cell membrane surrounding an infected host cell, thus gaining an outer lipid layer known as a viral envelope. This extra membrane is studded with proteins coded for by the viral genome and host genome, however the lipid membrane itself and any carbohydrates present are entirely host-coded.The viral envelope can give a virion a few distinct advantages over other “naked” virions, such as protection from enzymes and chemicals. The proteins studded upon it can include glycoproteins functioning as receptor molecules, allowing healthy cells to recognise virions as “friendly” and resulting in the possible uptake of the virion into the cell. It should be noted however that some viruses are so dependent upon their viral envelope that they fail to function if it is removed.
	Complex viruses
Diagram of a bacteriophage	These viruses possess a capsid which is neither purely helical, nor purely icosahedral, and which may possess extra structures such as protein tails or a complex outer wall. Some bacteriophages have a complex structure consisting of an icosahedral head bound to a helical tail, the latter of which may have a hexagonal base plate with many protruding protein tail fibres.The poxviruses are large, complex viruses which possess unusual morphology. The viral genome is associated with proteins within a central disk structure known as a nucleoid. The nucleoid is surrounded by a membrane and two lateral bodies of unknown function. Covering the virus is an outer envelope with a thick layer of protein studded on its surface. The whole particle is slightly pleiomorphic, ranging from ovoid to brick shape.

Size

The majority of viruses which have been studied have a capsid diameter between 10 and 300 nanometres. To put viral size into perspective, a medium sized virion next to a flea is roughly equivalent to a human next to a mountain twice the size of Mount Everest. It should be noted that some filoviruses have a total length that can reach up to 1400 nm, however their capsid diametres are only about 80 nm. While most viruses are unable to be seen with a light microscope, some are larger than the smallest bacteria and can be seen under high magification. Both scanning and transmission electron microscopes are commonly employed to visualise virus particles.

A notable exception to the normal viral size range is the recently discovered mimivirus, with a diameter of 400 nm. They also hold the record for the largest viral genome size, possessing about 1000 genes (some bacteria only possess 400) on a genome approximately 1.2 megabases in length. Their large genome also contains many genes which are conserved in both prokaryotic and eukaryotic genes. The discovery of the virus has led many scientists to reconsider the controversial boundary between living organisms and viruses, which are currently considered as mere mobile genetic elements.

Genetic material

Both DNA and RNA are found in viral species, but generally a species will have either one or the other—not both. One exception is the human cytomegalovirus, which contains both a DNA core and mRNA. The nucleic acid can be either single-stranded or double-stranded, depending on the species. Therefore viruses as a group contain all four possible types of nucleic acids: double-stranded DNA, single-stranded DNA, double-stranded RNA and single-stranded RNA. Animal virus species have been observed to possess all combinations, whereas plant viruses tend to have single-stranded RNA. Bacteriophages tend to have double-stranded DNA. Also, the nucleic acids can be either linear or a closed loop.

An electron micrograph of multiple polyomavirus virions

Genome size in terms of the weight of nucleotides varies quite substantially between species. The smallest genomes code for only four proteins and weigh about 10⁶ daltons, while the largest weigh about 10⁸ daltons and code for over one hundred proteins. Some virus species possess abnormal nucleotides, such as hydroxymethylcytosine instead of cytosine, as a normal part of their genome.

For viruses with RNA as their nucleic acid, the strands are said to be either positive-sense (also called plus-strand) or negative-sense (also called minus-strand) depending on whether it is complementary to viral mRNA. Positive-sense viral RNA is identical to viral mRNA and thus can be immediately translated by the host cell. Negative-sense viral RNA is complementary to mRNA and thus must be converted to positive-sense RNA by an RNA polymerase before translation.

All double-stranded RNA genomes and some single-stranded RNA genomes are said to be segmented, or divided into separate parts. Each segment may code for one protein, and they are usually found together in one capsid. Not all segments are required to be in the same virion for the overall virus to be infectious, as can be seen in the brome mosaic virus.

Replication

Viral populations do not grow through cell division, because they are acellular; instead, they use utilize the machinery and metabolism of a host cell to produce multiple copies of themselves. They may have a lytic or a lysogenic cycle, with some viruses are capable of carrying out both. A virus can still cause degenerative effects within a cell without causing its death; collectively these are termed cytopathic effects. Released virions can be passed between hosts through either direct contact, often via body fluids, or through a vector. In aqueous environments, viruses float free in the water.

In the lytic cycle, characteristic of virulent phages such as the T4 phage, host cells will be induced by the virus to begin manufacturing the proteins necessary for virus reproduction. As well as proteins, the virus must also direct the replication of new genomes, the technique used for this varies greatly between virus species but depends heavily on the genome type. The final viral product is assembled spontaneously, though it may be aided by molecular chaperones. After the genome has been replicated and the new capsid assembled, the virus causes the cell to be broken open (lysed) to release the virus particles. Some viruses do not lyse the cell but instead exit the cell via the cell membrane in a process known as exocytosis, taking a small portion of the membrane with them as a viral envelope. As soon as the cell is destroyed the viruses will have to find new host.

In contrast, the lysogenic cycle does not result in immediate lysing of the host cell, instead the viral genome integrates into the host DNA and replicates along with it. The virus remains dormant but after the host cell has replicated several times, or if environmental conditions permit it, the virus will become active and enter the lytic phase. The lysogenic cycle allows the host cell to continue to survive and reproduce, therefore the virus is passed on to all of the cell’s offspring.

A falsely coloured electron micrograph of multiple bacteriophages

Bacteriophages infect specific bacteria by binding to surface receptor molecules and entering the cell. Within a short amount of time, sometimes just minutes, bacterial polymerase starts translating viral mRNA into protein. These proteins go on to become either new virions within the cell, helper proteins which help assembly of new virions, or proteins involved in cell lysis. Viral enzymes aid in the breakdown of the cell membrane, and in the case of the T4 phage, in just over twenty minutes after injection over three hundred phages will be released.

Animal DNA viruses, such as herpesviruses, enter the host via endocytosis, the process by which cells take in material from the external environment. This frequently occurs after chance collision with an appropriate surface receptor on a cell. After penetrating the cell, the viral genome is released from the capsid and host polymerases begin transcribing viral mRNA. New virions are assembled and released either by cell lysis or by budding off the cell membrane.

Animal RNA viruses can be placed into about four different groups depending on their mode of replication. The polarity of the RNA largely determines the replicative mechanism, as well as whether the genetic material is single-stranded or double-stranded. Some RNA viruses are actually DNA based but use a RNA-intermediate to replicate. RNA viruses are heavily dependent upon virally encoded RNA replicase to create copies of their genomes.

A reverse transcribing virus is any virus which replicates using reverse transcription, the formation of DNA from an RNA template. Those viruses containing RNA genomes use a DNA intermediate to replicate, whereas those containing DNA genomes use an RNA intermediate during genome replication. Both types of reverse transcribing viruses use the enzyme reverse transcriptase to carry out the nucleic acid conversion.

Lifeform debate

Multiple rotavirus virions

Argument continues over whether viruses are truly alive or not. According to the United States Code, they are considered to be micro-organisms in the sense of biological weaponry and malicious use. Scientists however are more divided. They have no trouble classifying a horse as living and can see evolutionary relationships between it and other animals, but things become complicated as they look at the more simple viruses, viroids and prions. In the case of viruses, they resemble life in that they possess nucleic acid and can respond to their environment in a limited fashion. They can also reproduce by creating multiple copies of themselves through simple self-assembly.

However, unlike all other forms of established lifeforms, they do not possess a cell structure, regarded as the basic unit of life. Viruses are also absent in the fossil record, making phylogenic relationships difficult to infer. Additionally, although they reproduce they do not metabolise on their own and therefore require a host cell to replicate and synthesise new products. However, confounding this previous statement is the fact that bacterial species such as Rickettsia and Chlamydia, while living organisms, are also unable to reproduce outside of a host cell.

A powerful argument can be made that all accepted forms of life divide at the cell level via cell division to reproduce, whereas all viruses simply assemble spontaneously within cells. What then prevents the comparison to be drawn that viral self-assembly is no different than the autonomous growth of non-living crystals? Virus self-assembly within host cells also has implications for the study of the origin of life, as it lends credence to the hypothesis that life could have started as self-assembling organic molecules.

Other questions involve the classification of viruses within the Tree of Life and its implications – if viruses are considered alive, then the criteria specifying life will have been permanently changed, leading scientists to question what the basic prerequisite of life is. If they are considered living then the prospect of creating artificial life is enhanced, or at least the standards required to call something artificially alive are reduced. Whether or not other infectious particles, such as viroids and prions, would next be considered forms of life could follow if viruses are said to be alive.

Viruses and disease

For more examples of diseases caused by viruses see List of infectious diseases

Examples of common human diseases caused by viruses include the common cold, the flu, chickenpox and cold sores. Serious diseases such as Ebola, AIDS, bird flu and SARS are all also caused by viruses. The relative ability of viruses to cause disease is described in terms of virulence. Other diseases are under investigation as to whether they too have a virus as the causative agent, such as the possible connection between Human Herpesvirus Six (HHV6) and neurological diseases such as multiple sclerosis and chronic fatigue syndrome. Recently it was also shown that cervical cancer is partially caused by papillomavirus, representing evidence in humans of a link existing between cancer and an infective agent. There is current controversy over whether the borna virus, previously thought of as causing neurological disease in horses, could be responsible for psychiatric illness in humans.

Viruses have many different mechanisms by which they produce disease in an organism, which largely depends on the species. Mechanisms at the cellular level primarily include cell lysis, the breaking open and subsequent death of the cell. In multicellular organisms, if enough cells die the whole organism will start to suffer the carry-on effects. Although many viruses result in the disruption of healthy homeostasis, resulting in disease, they may reside relatively harmlessly within an organism. An example would include the ability of the herpes simplex virus, which cause coldsores, to remain in a dormant state within the human body.

Epidemics

For more details on this topic, see List of epidemics.

The helical Ebola virus

A number of highly lethal viral pathogens are members of the Filoviridae. Filoviruses are filament-like viruses that cause viral hemorrhagic fever, and include the Ebola and Marburg viruses. The Marburg virus attracted widespread press attention in April 2005 for an outbreak in Angola. Beginning in October 2004 and continuing into 2005, the outbreak was the world’s worst epidemic of any kind of viral hemorrhagic fever.

Native American populations were devastated by contagious diseases, particularly smallpox, brought to the Americas by European colonists. It is unclear how many Native Americans were killed by foreign diseases after the arrival of Columbus in the Americas, but the numbers have been estimated to be close to 70% of the indigenous population. The damage done by this disease may have significantly aided European attempts to displace or conquer the native population.

The Marburg virus

Detection, purification and diagnosis

In the laboratory, several techniques for growing and detecting viruses exist. Purification of viral particles can be achieved using differential centrifugation, isopycnic centrifugation, precipitation with ammonium sulphate or ethylene glycol, and removal of cell components from a homogenised cell mixture using organic solvents or enzymes to leave the virus particles in solution.

Assays to detect and quantify viruses include:.

A viral plaque assay

• Hemagglutination assays, which quantitatively measure how many virus particles are in a solution of red blood cells by the amount of agglutination the viruses cause between them. This occurs as many viruses are able to bind to the surface of one or more red blood cells.
• Direct counts using an electron microscope. A dilute mixture of virus particles and beads of known size are sprayed onto a special sheet and examined under high magnification. The virions are counted and the number extrapolated to estimate the number of virions in the undiluted mixture.
• Plaque assays involve growing a thin layer of bacterial cells onto a culture dish and adding a dilute mixture of virions onto it. The virions will infect and kill the cells they land on, producing holes in the cell layer known as plaques. The number of plaques can be counted and the number of virions estimated from it.

Detection and subsequent isolation of new viruses from patients is a specialised laboratory subject. Normally it requires the use of large facilities, expensive equipment, and trained specialists such as technicians, molecular biologists, and virologists. Often, this effort is undertaken by state and national governments and shared internationally through organizations like the World Health Organization.

Prevention and treatment

Because viruses use the machinery of a host cell to reproduce and also reside within them, they are difficult to eliminate without killing the host cell. The most effective medical approaches to viral diseases so far are vaccinations to provide resistance to infection, and drugs which treat the symptoms of viral infections. Patients often ask for, and physicians often prescribe, antibiotics. These are useless against viruses, and their misuse against viral infections is one of the causes of antibiotic resistance in bacteria. However, in life-threatening situations the prudent course of action is to begin a course of antibiotic treatment while waiting for test results to determine whether the patient’s symptoms are caused by a virus or a bacterial infection.

Applications

The polio virus

Life sciences

Viruses are important to the study of molecular and cellular biology as they provide simple systems that can be used to manipulate and investigate the functions of cells. The study and use of viruses have provided valuable information about many aspects of cell biology. For example, viruses have simplified the study of genetics and helped human understanding of the basic mechanisms of molecular genetics, such as DNA replication, transcription, RNA processing, translation, protein transport, and immunology.

Geneticists regularly use viruses as vectors to introduce genes into cells that they are studying. This is useful for making the cell produce a foreign substance, or to study the effect of introducing a new gene into the genome. In similar fashion, virotherapy uses viruses as vectors to treat various diseases, as they can specifically target cells and DNA. It shows promising use in the treatment of cancer and in gene therapy.

Materials science and nanotechnology

In April 2006 scientists at the Massachusetts Institute of Technology (MIT) created nanoscale metallic wires using a genetically-modified virus. The MIT team was able to use the virus to create a working battery with an energy density up to three times more than current materials. The potential exists for this technology to be used in liquid crystals, solar cells, fuel cells, and other electronics in the future.

The reconstructed 1918 influenza virus

Weapons

For more details on this topic, see Biological warfare.

The ability of viruses to cause devastating epidemics in human societies has led to the concern that viruses could be weaponized for biological warfare. Further concern was raised by the successful recreation of the infamous 1918 influenza virus in a laboratory. The smallpox virus devastated numerous societies throughout history before its eradication. It currently exists in several secure laboratories in the world and fears that it may be stolen and used as a weapon are not totally unfounded. The modern global human population has almost no established resistance to smallpox; if it were to be released, a massive loss of life could be sustained before the virus was brought under control.