简单判断病毒文件

Today, my girlfriend asked a question. She asked me how to test a software as a suspicious software in linux operating system.I had thought much about it.

With the development of computer, many suspicious software or virus enter into computer world. There is no an accurate concept to describe this software. Maybe they can destroy your operating system or they did nothing.

Now, there are some features to describe them.

    1. Execution. It must be a executable file. No matter what they are, their first action is find a way to make themselves execute with a external motivation. 

    2. Infectiousness. Once your system attacked by them, probably them coped them one hundred copies or more. Then, they can send themselves to the Internet and infect other system.

    3. Hidden. This sort of software is running underground, but they are destructive.

And what our computer seems like after infected by virus ?

    1. The CPU rate always used almost 100%.

    2. The memory totally used by only one process.

    3. Your file deleted and created without yourself.

    4.  There are also other performs like getting your private file and so on.

In fact, many virus are very very hidden which you can't discover them without a anti-virus software. 

Recently, my girlfriend's team developed a code testing system to test the code from student then run the program and get the result returning to the students. Bit there is seriously security problem, which is how should we do if the code itself is a virus code. Once we compiled and run, our system will be attacked.

They develop environment is linux plus gcc.

We all know that linux operating system is very well because of it's micro kernel and good security. The linux's permission is managed very well. The system provides three groups to manage the files. Each group has it's own permission to operate the files.The files can't be executed by other users and groups.

This is a classic example of permission management.

"-rwxrwxrwx", the first three characters "rwx" represent the file owner's permission and the second three character represent the owner's group's permission, then the last three characters represent the other's permission.

This mechanism is very tight! But our program has "x" permission to execute.

We have to describe a mechanism which shows that only root user can execute every commands. That to say that if any software want to execute commands that they can't execute is probably virus.

The other methods to test the program are testing the CPU's used rate and the memory room the program used. If the rate is almost 100%, now that it is not virus, we also must stop it.

We conclude that if a test code try to execute commands it can't executed is probably virus. This is a simply conclude to test the program if it is a virus.

I should continue to explore what a virus is and how defend the virus.