Viruses that attach themselves to executables belong mostly to the past, when viruses were simple and easy to detect.
Today's viruses are themselves harmful executables, DLLs, BHOs, Java applets or JavaScript scripts. The aim is to trick you into executing these at least once (which is one too many), whereupon they take control of your computer.
They hide in various places, even in the BIOS, which means that even the old and trusted method of reformatting the hard disk may not get rid of them.
One virus is even a complete operating system by itself, so that it takes over the computer and runs your own O/S as a virtual machine. It corrupts the MBR to boot the virus, rather than your system. That means that no tools at your disposal can find even the smallest hint of its presence, and its use of the network card is invisible to your own O/S.
Today's viruses are the product of organized crime. We no longer have to deal with script kiddies, but rather with organized teams whose budgets may exceed those of law-enforcement agencies. Some estimates put the average loss banks suffer from fraud at 5% of their yearly income. Just try to imagine the enormous sums that are involved and the percentage of this "crime-tax" on the world economy!
Sources for any of this? I've seen white papers saying BIOS infections are possible, but I've never heard of one in the wild. As for an undetectable virus that virtualizes your OS, I believe you're referring to Blue Pill, which is very detectable. The creator wouldn't even put it up against rootkit detectors at Black Hat 3 years ago. Also, the use of the NIC is certainly not invisible. Traffic has to go out of the physical NIC whether it's being encapsulated by a virtual one first or not. Also, there are a lot of commercial viruses, but I think you seriously overestimate their budget – MDMarra – 2009-10-25T13:55:48.300
@MarkM: Do you know that experts seeing the daily mutations of Conficker have concluded that there were at least 20 programmers in the team behind it? – harrymc – 2009-10-25T15:14:50.893
Yeah, 20 programmers hardly exceed the budget of an average law enforcement agency. You have some decent points, but there is a lot of sensationalism in the answer. I don't want to edit your answer for you even though it's a CW, but I feel strongly that you need to turn down some of the extreme examples you've listed, as they're either theory only or borderline exaggerated. – MDMarra – 2009-10-25T16:09:47.380
@MarkM: Hard to believe, isn't it? I've collected these facts from many articles I've read and several security magazines. Some articles were really scary. Anyway, based on Blue Pill a virus was actually developed as an open-source project, duping hundreds of innocents as collaborators. I believe it was discovered early and neutered. There's more money to gain in computer fraud than in drug dealing, and much less risk, as organized crime is fully aware of. – harrymc – 2009-10-25T17:36:16.147
Blue Pill was a lot of FUD. Since some x86 instructions cannot be virtualized, a proper rootkit scanner will identify it immediately. It is an open source project and was never in the wild, as it was never able to be delivered remotely. It was demoed at Black Hat and then died promptly. As for firmware infections - sure, it's possible, but pretty much anything is possible in theory. There are no known exploits that will allow a virus to infect firmware. All of these worst-case scenarios that you've listed are only a threat if the attacker has physical access. This makes them no threat at all. – MDMarra – 2009-10-25T17:52:18.920
Physical access is what the name of the game is: trying to dupe people into executing malware. It's possible, even probable, that some of the articles I've read were journalistically pumped up. However, I'm also quite sure that there are currently teams of brilliant programmers at work trying to bring them into reality or fixing their shortcomings. My answer above was intended to motivate people to take some necessary precautions and be aware of the shortcomings of antivirus products. – harrymc – 2009-10-25T18:05:05.573
@harrymc - I meant a highly interactive process, not tricking a novice end user into running a single executable. Regardless, the claim that Blue Pill is undetectable is wrong, and the line where you say .exe based viruses are dead is also very, very wrong. Part of my job (which is in networking) is managing three McAfee EPO servers. I get all of the Avert bulletins and deal with the control of outbreaks when a serious threat pops up. Believe me when I say it's important to educate users about the possible threats, but almost everything in your post is blown way out of proportion. – MDMarra – 2009-10-25T18:33:13.940
I didn't say .exe viruses are dead, just that they are no longer the mainstream effort of virus writers. The mainstream is finding new infection vectors and hidey-holes. And, yes, I blew things a bit out of proportion, as I always do when it's time to frighten new network administrators. – harrymc – 2009-10-25T18:40:02.337
Haha, well, good luck with that practice. I prefer to give people new to the field accurate information when they are learning. To each his own. – MDMarra – 2009-10-25T18:43:46.633
I started doing that after one told me that after 6 years there can be no more security weaknesses left in Server 2003 ... Fear of the unknown is healthy. – harrymc – 2009-10-25T20:05:53.020
Being cautious of the unknown is always good. The details of the exploits mentioned in your answer are known, though... – MDMarra – 2009-10-25T20:14:12.550