Analogy between biology and IT Security: life cycle of viruses




Leonore Lovis, Executive Assistant at _cyel

Viruses, whether considered from a biological or an IT perspective, play an important role in our daily lives. They share many characteristics, among them their life cycle.

In a biological context, viruses are entities composed of a genome in a protein shell (capsid) surrounded, in some types of viruses, by a membrane. They need to penetrate a living cell (the host cell) to be able to replicate. Computer viruses, like other types of malware, need to insert their own code into other computer programs in order to replicate and execute.

As we can already see here, neither type of virus can replicate autonomously. Therefore, the first challenge for a virus is to reach its host organism or host IT system. Hence, a successful infection mechanism is key to its success.

Comparisons with computer viruses can be extended to other types of malicious software.

Entry phase

The capsid of biological viruses protects them against unfavorable conditions (low or high temperature, lack of or excessive humidity) and allows them to survive until they can penetrate a host. Once in the host, the virus needs to find and penetrate a suitable host cell. Attachment of the virus to the host cell surface is a prerequisite for invading it. Then, the genetic material of the virus is released inside the host cell. Once inside the cell, the virus tries to take full control of it.

Similarly, computer viruses first need to access the target user’s hardware or software. Initial system infection is usually achieved through social engineering and security vulnerabilities, frequently using commercially available exploit kits that target long-known vulnerabilities. Once an exploit kit or virus is able to infect a host system, a second stage begins, which loads a payload (the data that will perform the malicious activity) from a website or runs an embedded payload. The malware then tries to persist in the host system and locates files or processes that are good targets.

Dormant phase

When inside the host cell, the virus can remain dormant (latent) or start to replicate immediately. Similarly, computer viruses as well as other types of malware can remain idle following infection or start to replicate themselves and propagate to infect other hosts or networks.

Replication and Propagation phases

In biology, replication allows the virus to produce numerous copies of its genome and to pack these new copies into capsids. In the host cell, the virus manufactures the elements needed for its replication using the host cell machinery. This way, the infected host cell works for the benefit of the virus. Once mature, the new viruses are released outside the host cell and subsequently invade other cells for a new replication cycle.

In comparison, computer viruses place a copy of themselves into other software, or make themselves persist in the operating system or in other areas of the disk or memory. This way, each host has a copy of the malware, which will itself replicate and propagate further, infecting an increasing number of computers.

Triggering and Execution phases

These two phases are specific to computer viruses. The trigger is a specific event that leads to the execution of the malware, such as a date, the presence of another program or file, or a specific action of the user. Once activated by the trigger, the computer virus performs the function for which it is intended: the execution phase starts and the payload is executed. The payload can be destructive, such as deleting or corrupting files on disk, or it can spy on the user through keyloggers and screen grabbers, or exfiltrate data. Malware often connects back to its command and control server and waits for instructions from there.

Many other comparisons between biological and computer viruses could be drawn, such as the ways they evade the host immune system and anti-virus software, or the way they take control of the system hosting them. In any case, viruses, whether biological or computer ones, are a cause of immeasurable losses and damage, but also a driving force for research and innovation.