written by: Lee Clemmer•edited by: Bill Bunter•updated: 5/5/2010
Computer viruses seem to appear all the time. But where do they come from? How do people make them? In this article we'll examine how computer viruses are made, and why they continue to be a problem. This is not a how-to guide--instead we look at the big picture of virus creation.
Make A Virus?
This is not going to be a step-by-step programming guide to creating a virus. If you want that, learn to program in C and assembly language and study how modern operating systems work; then you will know everything you need. Computer viruses are made by programming: writing code that takes advantage of weaknesses in other programs, in the operating system, or in the behavior of computer users.
How-To Depends on Type
There are many different kinds of viruses, and the language used depends on the kind. Boot sector viruses, and polymorphic and metamorphic viruses, are usually written in assembly language or directly in machine code, because the author needs exact control over the bytes produced and often has very little room to work in. A macro virus or script virus is by definition written in a macro or scripting language; there are numerous such languages, usually tied to a particular platform and application (the macro language of an office suite, for example). Worms and trojans can be written in almost any language. Many viruses are written in C or C++, the same languages used to write major programs and operating systems, with portions rewritten in assembly language where size or exact control over the generated code matters. This allows for very small, precise viruses that infect otherwise difficult targets. Often the author of a virus simply writes in the language he or she knows best.
Generally a virus gets its start in one of two ways. Either the author relies on the absence of anti-virus software, or of a signature for the new virus, coupled with enough user privilege or system access to infect files and spread; or the author analyzes a flaw (a vulnerability) in a program or in part of the operating system and develops an exploit for it. An exploit is code that takes advantage of such a flaw, and a researcher who finds a vulnerability often demonstrates it with proof-of-concept code or a script. It may seem reckless for security researchers to publish exploits, since they are likely to be picked up by malicious hackers and turned into viruses or worms. Publishing them, however, demonstrates that the problem is real and pushes the software vendor to fix the software and issue a patch. It also alerts users and administrators that there may be a problem, possibly before a virus using the flaw is ever written. Virus authors would find the weaknesses eventually anyway.
Once a virus is identified "in the wild", anti-virus vendors select one or more ways to recognize it when it is present on a protected system or is trying to infect one. Usually a part of the virus code that does not change from copy to copy (called a signature) is used as the identifier; when that byte pattern is found on the hard drive or loaded in memory, the anti-virus software quarantines or deletes it. Some viruses change their code each time they copy themselves, typically by encrypting the virus body with a different key for each copy and placing a small decryption routine in front of it. These are called polymorphic viruses, and they are harder to identify, but it is usually still possible: the decryption routine itself, or the body once the scanner has emulated that routine and recovered the original bytes, can still be matched. Someone making a virus also usually considers what techniques anti-virus vendors use, and often designs the virus to disable or bypass the anti-virus software if possible. Unfortunately this is an ongoing race: to use a computer at all is to risk running a virus, and as anti-virus techniques improve, so do the viruses.
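The following is an added example, not code from the original article, showing the signature-versus-polymorphism race described above in working form. It uses constructed, harmless placeholder bytes in place of real virus code; the "decryptor stub" and one-byte XOR encoding are assumptions chosen to keep the model small. The three strategies it compares (a signature on the virus body, a signature on the unchanging decryptor stub, and decoding the body before scanning) are models of what real scanners do, not any vendor's implementation.

```python
"""Added example (not from the original article): why a fixed byte signature
catches a static virus body but not a polymorphic copy, and two ways a
scanner can still catch the polymorphic copies. All bytes here are
constructed, harmless placeholders standing in for code, not real malware."""

# Constructed stand-in for an unchanging virus body (assumption: in a real
# sample this would be the infection routine's machine code).
VIRUS_BODY = b"\x90\x90\x90\x90INFECT:open/write/close\x90\x90PAYLOAD:hello"

# A body signature is a chunk of the body that never changes between copies.
SIGNATURE = b"INFECT:open/write/close"

# Constructed decryptor stub prefix: the part of a polymorphic copy that has
# to run unencoded before anything else, so it stays recognisable.
STUB_MAGIC = b"DECRYPT:"


def scan(data: bytes, signature: bytes) -> int:
    """Plain signature scan: offset of `signature` in `data`, or -1."""
    return data.find(signature)


def polymorphic_copy(body: bytes, key: int) -> bytes:
    """Simulate one polymorphic copy: a constant decryptor stub carrying a
    one-byte XOR key, followed by the body XOR-encoded with that key.
    Copies made with different keys have different encoded bodies."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the body in clear)")
    encoded = bytes(b ^ key for b in body)
    return STUB_MAGIC + bytes([key]) + encoded


def emulate_and_scan(sample: bytes, signature: bytes) -> int:
    """Model of how a scanner handles polymorphic code: recognise the stub,
    perform its decode step, then apply the body signature to the decoded
    bytes. Returns the offset within the decoded body, or -1."""
    if not sample.startswith(STUB_MAGIC):
        return scan(sample, signature)  # not encoded: ordinary scan
    key = sample[len(STUB_MAGIC)]
    decoded = bytes(b ^ key for b in sample[len(STUB_MAGIC) + 1:])
    return scan(decoded, signature)


def detection_report(keys=(0x21, 0x5A, 0xC3)) -> dict:
    """Run the three strategies over a plain copy and several polymorphic
    copies (constructed here) and return which copies each one catches."""
    samples = {"plain": VIRUS_BODY}
    samples.update({f"poly_{k:02x}": polymorphic_copy(VIRUS_BODY, k) for k in keys})
    return {
        "body_signature": [n for n, s in samples.items() if scan(s, SIGNATURE) >= 0],
        "stub_signature": [n for n, s in samples.items() if scan(s, STUB_MAGIC) >= 0],
        "emulate_then_signature": [n for n, s in samples.items()
                                   if emulate_and_scan(s, SIGNATURE) >= 0],
    }


if __name__ == "__main__":
    for strategy, caught in detection_report().items():
        print(f"{strategy:24s} catches {caught}")
```

Running it shows the body signature catching only the plain copy, the stub signature catching only the encoded copies, and decode-then-scan catching all of them. The practical lesson is the one the article states: the part of the virus that cannot change (here the decryptor) is what the scanner ends up keying on, and the virus author's next move is to make that part vary too, which is what metamorphic code does.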