Like retro viruses in biological science, the objective of a computer retro virus is to attack its attacker. A PC retro virus seeks out antivirus programs and attempts to delete critical files without which the antivirus program can neither detect the virus nor properly function.
For instance, many antivirus programs include a data file in which virus signatures are stored. A retro virus intent on disabling the enemy might delete the virus definition data file, thereby reducing the scanner's ability to detect viruses.
Several retro viruses use a more clever strategy that targets a different antivirus-generated database. Some antivirus products use an approach known as integrity checking to protect files. To do so, the antivirus program stores a database of integrity information, specifying key characteristics of each uninfected file. The antivirus program then verifies a file's integrity by comparing a changed file against the information stored for the original file in the database. The clever retro virus seeks out this database and deletes it.
This file database exists only if a user configures the antivirus program to create and maintain it. Furthermore, users could delete the database in an effort to free up disk space. The antivirus program, then, has no way of knowing that the database was in fact deleted by a virus. If the unsuspecting antivirus program is configured to use the integrity-checking technique, upon finding that no database exists, it might simply create a new one. Upon doing so, the antivirus program unwittingly uses the integrity information from the recently infected program.
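The following is an added example, not code from the book, showing why the silently rebuilt database is the weak point. It models an integrity checker over two constructed byte strings standing in for a program file before and after infection. `naive_check` behaves as the text describes (a missing database is recreated from whatever is on disk), while `hardened_check` treats a missing database as an alarm and additionally keeps an HMAC over the entries under a key (`DB_KEY`, a constructed placeholder assumed to be stored outside the database) so that an entry rewritten to match the infected file is also noticed. All names and values are assumptions for this illustration.

```python
import hashlib
import hmac
import json

# Constructed sample "program files": byte strings standing in for executables on disk.
CLEAN_PROGRAM = b"MZ\x90\x00 hello.exe original code"
INFECTED_PROGRAM = CLEAN_PROGRAM + b" [bytes standing in for an appended virus body]"

# Constructed secret assumed to live outside the database (e.g. on read-only media);
# it lets the checker recognise a database it did not write itself.
DB_KEY = b"constructed-demo-key"


def fingerprint(data: bytes) -> dict:
    """Key characteristics stored per uninfected file: size and SHA-256 digest."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def _mac(entries: dict) -> str:
    """Keyed digest over the whole entry table (canonical JSON so it is reproducible)."""
    blob = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(DB_KEY, blob, "sha256").hexdigest()


def build_database(files: dict) -> dict:
    """Record integrity information for every file exactly as it is right now."""
    entries = {name: fingerprint(data) for name, data in files.items()}
    return {"entries": entries, "mac": _mac(entries)}


def database_is_authentic(database: dict) -> bool:
    """True if the database was produced by this checker and not altered since."""
    return hmac.compare_digest(_mac(database["entries"]), database.get("mac", ""))


def compare(database: dict, files: dict) -> dict:
    """Verdict per file: 'ok', 'changed', or 'new' (no stored baseline)."""
    verdicts = {}
    for name, data in files.items():
        stored = database["entries"].get(name)
        if stored is None:
            verdicts[name] = "new"
        elif stored == fingerprint(data):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "changed"
    return verdicts


def naive_check(database, files: dict) -> dict:
    """The behaviour the text describes: a missing database is silently rebuilt from
    the current files, so whatever is on disk right now becomes the trusted baseline."""
    if database is None:
        database = build_database(files)
    return compare(database, files)


def hardened_check(database, files: dict):
    """Treat a missing or unauthenticated database as an alarm instead of rebuilding it.
    Returns (status, verdicts); verdicts is empty unless status is 'ok'."""
    if database is None:
        return "database-missing", {}
    if not database_is_authentic(database):
        return "database-tampered", {}
    return "ok", compare(database, files)


if __name__ == "__main__":
    baseline = build_database({"hello.exe": CLEAN_PROGRAM})
    print(naive_check(baseline, {"hello.exe": INFECTED_PROGRAM}))  # {'hello.exe': 'changed'}
    print(naive_check(None, {"hello.exe": INFECTED_PROGRAM}))      # {'hello.exe': 'ok'}: infection became the baseline
    print(hardened_check(None, {"hello.exe": INFECTED_PROGRAM}))   # ('database-missing', {})
```

The second `naive_check` call is the scenario in the text: once the database is gone, the infected file is fingerprinted as if it were clean and every later scan reports it as unchanged. A checker that refuses to rebuild silently turns the deletion itself into a detectable event, and the keyed digest means that replacing the database with one computed over infected files, without the key, is also reported rather than trusted.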
Multipartite viruses infect both boot records and program files, and use both mechanisms to spread. For example, when you run an application infected with a multipartite virus, the virus activates and infects the hard disk's Master Boot Record. Then, the next time you boot the workstation, the virus activates again and starts infecting every program you run.
The One-half virus is an example of a multipartite breed that also exhibits both stealth and polymorphic behavior.
The more effective antivirus products include a number of complementary antivirus technologies. This section reviews how these major technologies work, as well as their strengths and weaknesses.
Different antivirus technologies can be rated in seven different categories:
A virus scanner is a program that searches for viruses in files and boot records. To make the virus scanner detect new viruses, the antivirus engineer specifically programs the scanner to detect each new virus. The virus scanner can detect only viruses of which it is aware; it is of little help, then, in preventing new or unknown virus infections. Most antivirus programs provide some sort of virus scanner in their suite of antivirus products.
The first antivirus scanners used simple brute force string scanning algorithms. These scanners searched through each and every byte of program files and boot records looking for sequences of bytes known to reside in viruses. If the scanner detected the appropriate sequence of bytes, it would report that the file was infected by a virus.
These original scanners were fairly slow by today's standards; even a well-written brute force string scanner must spend a significant amount of time checking each and every byte of files and boot records. In addition, the original virus scanners only had to search for a handful of viruses. Today, with increasing numbers of complex viruses to search for, virus scanners must use more intelligent algorithms.
The early computer viruses were quite simple and replicated identical copies of themselves from file to file, or from boot record to boot record. Therefore, this simple string scanning algorithm worked well. Unfortunately, newer generations of viruses became increasingly complex. These viruses would encrypt the bulk of their virus body using simple encryption schemes. Such encrypted viruses were more difficult to detect because the majority of the virus body was encrypted and therefore different in each infected file.
Antivirus researchers soon improved their techniques and came up with a faster and more robust virus scanner technology. The researchers realized that most viral infection takes place near the start or the end of executable files; most viruses like to prepend or append themselves to host files. Therefore, rather than searching every byte of each file, the antivirus scanner could concentrate on the first few and last few kilobytes of each executable file.
The researchers also improved their string scanners by adding wild-card capabilities. An original signature, consisting of a series of bytes extracted from the virus, could contain only a fixed sequence of bytes such as the following:
The new wild-card signature could ignore certain bytes:
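The following added example (not the book's code, and not any real product's signature format) puts the three scanner improvements described above into one small Python scanner: brute-force string matching over a region, restricting the search to the first and last few kilobytes of a file, and wild-card bytes in signatures. The signature syntax (space-separated hex bytes with `??` standing for "any byte"), the marker sequences, the 4096-byte window and the sample files are all constructed for this illustration.

```python
from typing import List, Optional


def parse_signature(text: str) -> List[Optional[int]]:
    """Constructed syntax: space-separated hex bytes; '??' is a wild card (matches any byte)."""
    return [None if token == "??" else int(token, 16) for token in text.split()]


def match_at(data: bytes, pos: int, sig: List[Optional[int]]) -> bool:
    """True if the signature matches data starting at pos; None entries match any byte."""
    if pos + len(sig) > len(data):
        return False
    return all(want is None or data[pos + i] == want for i, want in enumerate(sig))


def find_signature(data: bytes, sig: List[Optional[int]]) -> Optional[int]:
    """Brute-force string scan: try the signature at every offset in the region."""
    for pos in range(len(data) - len(sig) + 1):
        if match_at(data, pos, sig):
            return pos
    return None


def scan_file(data: bytes, signatures: dict, window: int = 4096) -> List[str]:
    """Return the names of all signatures found in the file.
    Files up to 2*window bytes are scanned whole; larger files only in their first
    and last `window` bytes, where prepending and appending viruses place their code."""
    if len(data) <= 2 * window:
        regions = [data]
    else:
        regions = [data[:window], data[-window:]]
    hits = []
    for name, sig in signatures.items():
        if any(find_signature(region, sig) is not None for region in regions):
            hits.append(name)
    return hits


# Constructed signatures: "fixed" is a plain byte string, "wild" ignores two bytes.
SIGNATURES = {
    "fixed": parse_signature("DE AD BE EF 01 02"),
    "wild": parse_signature("DE AD ?? ?? 01 02"),
}

# Constructed sample files: a stub header, zero padding, and a marker sequence appended at the end.
VARIANT_1 = bytes([0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02])
VARIANT_2 = bytes([0xDE, 0xAD, 0x13, 0x37, 0x01, 0x02])  # two bytes differ, as with a changing key
CLEAN_FILE = b"MZ" + b"\x00" * 100
INFECTED_A = CLEAN_FILE + VARIANT_1
INFECTED_B = CLEAN_FILE + VARIANT_2
LARGE_APPENDED = b"MZ" + b"\x00" * 10000 + VARIANT_1               # marker inside the tail window
LARGE_MIDDLE = b"MZ" + b"\x00" * 5000 + VARIANT_1 + b"\x00" * 5000  # marker outside both windows


if __name__ == "__main__":
    print(scan_file(INFECTED_A, SIGNATURES))      # ['fixed', 'wild']
    print(scan_file(INFECTED_B, SIGNATURES))      # ['wild']: the fixed string misses the variant
    print(scan_file(CLEAN_FILE, SIGNATURES))      # []
    print(scan_file(LARGE_APPENDED, SIGNATURES))  # ['fixed', 'wild']
    print(scan_file(LARGE_MIDDLE, SIGNATURES))    # []: head/tail scanning trades coverage for speed
```

`INFECTED_B` shows the problem the text raises with encrypted virus bodies: two bytes change from file to file, so the fixed signature misses it while the wild-card signature still matches. `LARGE_MIDDLE` shows the cost of the head-and-tail shortcut: a sequence that lands in the middle of a large file is never examined, which is why this optimisation only suits viruses that prepend or append themselves.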