Stealth_techniques Computer_virus




1 Stealth techniques

1.1 Read request intercepts
1.2 Self-modification

1.2.1 Encrypted viruses
1.2.2 Polymorphic code
1.2.3 Metamorphic code







Stealth techniques

In order to avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the MS-DOS platform, make sure that the last modified date of a host file stays the same when the file is infected by the virus. This approach does not fool antivirus software, however, especially those that maintain and date cyclic redundancy checks on file changes. Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example, the CIH virus, or Chernobyl virus, infects Portable Executable files. Because those files have many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file. Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them (for example, Conficker). In the 2010s, as computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. Defending a computer against viruses may demand that a file system migrate towards detailed and explicit permission for every kind of file access.


Read request intercepts

While some kinds of antivirus software employ various techniques to counter stealth mechanisms, once the infection occurs any recourse to clean the system is unreliable. In Microsoft Windows operating systems, the NTFS file system is proprietary. This leaves antivirus software little alternative but to send a read request to the Windows OS files that handle such requests. Some viruses trick antivirus software by intercepting its requests to the operating system (OS). A virus can hide by intercepting the request to read the infected file, handling the request itself, and returning an uninfected version of the file to the antivirus software. The interception can occur by code injection of the actual operating system files that would handle the read request. Thus, antivirus software attempting to detect the virus will either not be given permission to read the infected file, or the read request will be served with the uninfected version of the same file.


The reliable method to avoid stealth viruses is to reboot from a medium that is known to be "clear". Security software can then be used to check the dormant operating system files. Most security software relies on virus signatures, or it employs heuristics. Security software may also use a database of file hashes for Windows OS files, so that the security software can identify altered files and request Windows installation media to replace them with authentic versions. In older versions of Windows, the cryptographic hashes of Windows OS files stored in Windows (to allow file integrity and authenticity to be checked) could be overwritten so that the System File Checker would report that altered system files are authentic, so using file hashes to scan for altered files would not always guarantee finding an infection.
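The hash-database check described above, as an added example that is not part of the original page or of any Windows tool: a baseline of SHA-256 hashes is authenticated with an HMAC, so a baseline rewritten on the scanned host is rejected instead of trusted. The file name, the key and the sample bytes are constructed, and the key is assumed to be stored off the host (for instance on the clean boot medium).

```python
import hashlib, hmac, json, os, tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root, key):
    """Hash every file under root; return (manifest bytes, HMAC tag)."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            entries[os.path.relpath(path, root)] = sha256_file(path)
    body = json.dumps(entries, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def verify(root, body, tag, key):
    """Compare files under root with a baseline whose tag must authenticate."""
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), tag):
        raise ValueError("baseline failed authentication; hashes untrusted")
    old = json.loads(body)
    new = json.loads(build_manifest(root, key)[0])
    return {
        "altered": sorted(p for p in old if p in new and new[p] != old[p]),
        "missing": sorted(p for p in old if p not in new),
        "unexpected": sorted(p for p in new if p not in old),
    }

def demo():
    key = b"constructed-demo-key"  # assumption: the real key is kept off the host
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "driver.sys")  # constructed sample file
        with open(target, "wb") as f:
            f.write(b"MZ" + b"\x00" * 510)  # header followed by empty padding
        body, tag = build_manifest(root, key)
        before = os.stat(target)
        with open(target, "r+b") as f:  # alter padding; the size stays the same
            f.seek(128)
            f.write(b"\xcc" * 64)
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        after = os.stat(target)
        same_meta = (before.st_size, before.st_mtime_ns) == (after.st_size, after.st_mtime_ns)
        report = verify(root, body, tag, key)
        forged = json.dumps({"driver.sys": sha256_file(target)}).encode()
        try:  # a baseline rewritten to match the altered file must not verify
            verify(root, forged, tag, key)
            forged_accepted = True
        except ValueError:
            forged_accepted = False
    return same_meta, report, forged_accepted
```

`demo()` shows that the altered file keeps its size and last-modified time yet is still reported, and that the rewritten baseline fails authentication.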


Self-modification

Most modern antivirus programs try to find virus patterns inside ordinary programs by scanning them for so-called virus signatures. Unfortunately, the term is misleading, in that viruses do not possess unique signatures in the way that human beings do. Such a virus signature is merely a sequence of bytes that an antivirus program looks for because it is known to be part of the virus. A better term would be "search strings". Different antivirus programs will employ different search strings, and indeed different search methods, when identifying viruses. If a virus scanner finds such a pattern in a file, it will perform other checks to make sure that it has found the virus, and not merely a coincidental sequence in an innocent file, before it notifies the user that the file is infected. The user can then delete, or (in some cases) clean or heal, the infected file. Some viruses employ techniques that make detection by means of signatures difficult but not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.


Encrypted viruses

One method of evading signature detection is to use simple encryption to encipher (encode) the body of the virus, leaving only the encryption module and a static cryptographic key in cleartext, which does not change from one infection to the next. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Since these would be symmetric keys, stored on the infected host, it is entirely possible to decrypt the final virus, but this is not required, since self-modifying code is such a rarity that it may be reason for virus scanners to at least flag the file as suspicious.

An old, compact way is the use of an arithmetic operation such as addition or subtraction and the use of logical conditions such as XORing, where each byte in the virus is XORed with a constant, so that the exclusive-or operation only had to be repeated for decryption. It is suspicious for code to modify itself, so the code that does the encryption/decryption may be part of the signature in many virus definitions. A simpler, older approach did not use a key: the encryption consisted only of operations with no parameters, such as incrementing and decrementing, bitwise rotation, arithmetic negation, and logical NOT.

Some viruses employ a means of encryption inside an executable in which the virus is encrypted under certain events, such as the virus scanner being disabled for updates or the computer being rebooted. This is called cryptovirology. At said times, the executable will decrypt the virus and execute its hidden runtimes, infecting the computer and disabling the antivirus software.
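A scanner-side illustration of the search-string passage in the previous section and of the constant-key XOR and addition encodings described above, as an added example that is not from the original page. It goes slightly beyond the text by matching on the differences between neighbouring bytes, which a constant key leaves unchanged, so one pass finds plain and encoded copies and recovers the key. The search string, the keys and the sample buffer are constructed and benign.

```python
SEARCH = b"CONSTRUCTED-SEARCH-STRING-0001"  # constructed, benign search string

# name -> (delta between neighbouring bytes, decode one byte c with key k)
OPS = {
    "xor": (lambda a, b: a ^ b, lambda c, k: c ^ k),
    "add": (lambda a, b: (b - a) & 0xFF, lambda c, k: (c - k) & 0xFF),
}

def deltas(data, op):
    """Neighbour-to-neighbour differences; a constant key cancels out."""
    return bytes(op(a, b) for a, b in zip(data, data[1:]))

def find_all(hay, needle):
    i = hay.find(needle)
    while i != -1:
        yield i
        i = hay.find(needle, i + 1)

def scan(blob, needle=SEARCH):
    """Return sorted (offset, encoding, key) hits for plain or encoded copies."""
    hits = set()
    for name, (delta, decode) in OPS.items():
        for off in find_all(deltas(blob, delta), deltas(needle, delta)):
            # Applying the inverse operation to (cipher byte, plain byte) gives the key.
            key = decode(blob[off], needle[0])
            region = bytes(decode(c, key) for c in blob[off:off + len(needle)])
            if region == needle:  # secondary check: confirm by decoding
                hits.add((off, "plain" if key == 0 else name, key))
    return sorted(hits)

def sample_blob():
    """Constructed input: one plain copy, one XOR 0x5A copy, one ADD 0x21 copy."""
    xored = bytes(b ^ 0x5A for b in SEARCH)
    added = bytes((b + 0x21) & 0xFF for b in SEARCH)
    return b"." * 10 + SEARCH + b"." * 7 + xored + b"." * 5 + added + b"." * 3
```

A direct byte search of `sample_blob()` finds only the plain copy, while `scan()` reports all three along with the key used for each.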


Polymorphic code

Polymorphic code was the first technique that posed a serious threat to virus scanners. Like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts that remain identical between infections, making it difficult to detect directly using signatures. Antivirus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine) somewhere in its encrypted body. See polymorphic code for technical detail on how such engines operate.


Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for antivirus professionals and investigators to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. This makes it more likely that detection by the virus scanner will be unreliable, and that some instances of the virus may be able to avoid detection.


Metamorphic code

To avoid being detected by emulation, some viruses rewrite themselves each time they infect new executables. Viruses that utilize this technique are said to be in metamorphic code. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is large and complex. For example, W32/Simile consisted of over 14,000 lines of assembly language code, 90% of which is part of the metamorphic engine.







