Internet Security Professional Reference:Viruses

Retro Viruses

Like retroviruses in biology, a computer retro virus is designed to attack its attacker. A PC retro virus seeks out antivirus programs and attempts to delete critical files without which the antivirus program can neither detect the virus nor function properly.

For instance, many antivirus programs store their virus signatures in a data file. A retro virus intent on disabling the enemy might delete this virus definition file, thereby reducing the scanner’s ability to detect viruses.

Several retro viruses use a cleverer strategy that targets a different antivirus-generated database. Some antivirus products protect files with an approach known as integrity checking: the antivirus program stores a database of integrity information that records key characteristics of each uninfected file, and later verifies a file’s integrity by comparing the file’s current characteristics against the stored information for the original, uninfected file. The clever retro virus seeks out this database and deletes it.

This database exists only if the user configures the antivirus program to create and maintain it, and users sometimes delete it themselves to free up disk space. The antivirus program therefore has no way of knowing that the database was in fact deleted by a virus. If an antivirus program configured for integrity checking finds that no database exists, it might simply create a new one. In doing so, it unwittingly records the characteristics of the recently infected program as if they were the clean baseline.
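An added example, not from the book, showing the failure mode just described in code: an integrity checker that silently rebuilds a missing database accepts an already-infected file as clean, while one that treats a missing database as a finding does not. File contents, names and the SHA-256 fingerprint are constructed for the demonstration (tools of the period used simpler checksums).

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Baseline = Dict[str, Dict[str, object]]


def fingerprint(data: bytes) -> Dict[str, object]:
    # Key characteristics stored per file. SHA-256 is an assumption standing
    # in for whatever checksum a given product actually recorded.
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(files: Dict[str, bytes]) -> Baseline:
    # Only ever called when the user explicitly asks for a new database.
    return {name: fingerprint(data) for name, data in files.items()}


def changed_files(files: Dict[str, bytes], baseline: Baseline) -> List[str]:
    return sorted(n for n, d in files.items() if n in baseline and baseline[n] != fingerprint(d))


def naive_check(files: Dict[str, bytes], baseline: Optional[Baseline]) -> Tuple[str, List[str]]:
    # The behaviour the text warns about: a missing database is rebuilt from
    # whatever is on disk right now, infected programs included.
    if baseline is None:
        baseline = build_baseline(files)
    changed = changed_files(files, baseline)
    return ("CHANGED" if changed else "OK", changed)


def fail_closed_check(files: Dict[str, bytes], baseline: Optional[Baseline]) -> Tuple[str, List[str]]:
    # A missing database is reported, never repaired automatically, so every
    # file is treated as unverified until the user deliberately re-baselines.
    if baseline is None:
        return ("BASELINE_MISSING", sorted(files))
    changed = changed_files(files, baseline)
    return ("CHANGED" if changed else "OK", changed)


# Constructed demo data: a clean host program, then the same program with a
# virus body appended (the retro virus also deletes the database: baseline=None).
CLEAN = {"HOST.EXE": b"MZ" + b"\x90" * 32}
INFECTED = {"HOST.EXE": CLEAN["HOST.EXE"] + b"<constructed virus body>"}

if __name__ == "__main__":
    base = build_baseline(CLEAN)
    print(fail_closed_check(INFECTED, base))   # database intact: infection seen
    print(naive_check(INFECTED, None))         # database deleted: silently "OK"
    print(fail_closed_check(INFECTED, None))   # database deleted: reported
```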

Multipartite Viruses

Multipartite viruses infect both boot records and program files, and use both mechanisms to spread. For example, when you run an application infected with a multipartite virus, the virus activates and infects the hard disk’s Master Boot Record. Then, the next time you boot the workstation, the virus activates again and starts infecting every program you run.

The One-half virus is an example of a multipartite breed that also exhibits both stealth and polymorphic behavior.

How Antivirus Programs Work

The more effective antivirus products include a number of complementary antivirus technologies. This section reviews how these major technologies work, as well as their strengths and weaknesses.

Different antivirus technologies can be rated in seven different categories:

  The amount of work it takes the antivirus producer to detect new viruses.
  The types of viruses that can or can’t be detected by the technology.
  Whether the technology is prone to false positives (reporting an uninfected program or boot record as infected).
  Whether the technology is prone to false negatives (failing to report an infected program or boot record as infected).
  How imposing the technology is on the user. This relates to how often the user must suspend work to accommodate the needs of the antivirus program.
  How often the product needs to be updated. Because new viruses are written each month, some antivirus components require frequent updates.
  Whether the technology prevents the virus from infecting the computer, or detects the virus after a file on the computer is infected.

Virus Scanners

A virus scanner is a program that searches files and boot records for viruses. For the scanner to detect a new virus, the antivirus engineer must specifically program it to recognize that virus; a scanner can detect only viruses it already knows about, so it is of little help against new or unknown infections. Most antivirus products include some sort of scanner in their suite.

The first antivirus scanners used simple brute-force string-scanning algorithms. These scanners searched through every byte of program files and boot records looking for sequences of bytes known to reside in viruses. If the scanner found the appropriate sequence of bytes, it reported that the file was infected by a virus.

These original scanners were fairly slow by today’s standards; even a well-written brute-force string scanner must spend a significant amount of time checking every byte of every file and boot record. In addition, the original scanners had to search for only a handful of viruses. Today, with an increasing number of complex viruses to search for, scanners must use more intelligent algorithms.

The early computer viruses were quite simple and replicated identical copies of themselves from file to file or from boot record to boot record, so this simple string-scanning algorithm worked well. Unfortunately, newer generations of viruses grew increasingly complex. These viruses encrypted the bulk of their body using simple encryption schemes, which made them harder to detect because most of the virus was encrypted and therefore different in each infected file.

Antivirus researchers soon improved their techniques and came up with a faster and more robust virus scanner technology. The researchers realized that most viral infection takes place near the start or the end of executable files; most viruses like to prepend or append themselves to host files. Therefore, rather than searching every byte of each file, the antivirus scanner could concentrate on the first few and last few kilobytes of each executable file.

The researchers also improved their string scanners by adding wild-card capabilities. An original signature, consisting of a series of bytes extracted from the virus, could contain only a fixed sequence of bytes such as the following:

Signature: B8 00 30 CD 21 3D 03 00

The new wild-card signature could ignore certain bytes:

Signature: B8 SKIP 30 CD 21 3D SKIP 00
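An added example, not from the book, that implements both signature forms above in a small scanner and also the head/tail strategy described earlier (scanning only the first and last few kilobytes). The SKIP token is read as a wildcard byte; the sample buffers, including the "variant" whose two immediate bytes differ, are constructed for the demonstration.

```python
from typing import List, Optional

SKIP = None  # wildcard position: matches any single byte
Pattern = List[Optional[int]]


def parse_signature(text: str) -> Pattern:
    # Accepts the page's notation: space-separated hex bytes, with SKIP as a wildcard.
    return [SKIP if tok.upper() == "SKIP" else int(tok, 16) for tok in text.split()]


def matches_at(data: bytes, pos: int, pattern: Pattern) -> bool:
    if pos + len(pattern) > len(data):
        return False
    return all(p is SKIP or data[pos + i] == p for i, p in enumerate(pattern))


def find_signature(data: bytes, pattern: Pattern, window: Optional[int] = None) -> Optional[int]:
    # window=None is the original brute-force scan of every byte. With a window,
    # only the first and last `window` bytes are examined, on the observation
    # that most viruses prepend or append themselves to the host file.
    if window is None or len(data) <= 2 * window:
        ranges = [(0, len(data))]
    else:
        ranges = [(0, window), (len(data) - window, len(data))]
    for start, end in ranges:
        for pos in range(start, end):
            if matches_at(data, pos, pattern):
                return pos
    return None


FIXED = parse_signature("B8 00 30 CD 21 3D 03 00")
WILDCARD = parse_signature("B8 SKIP 30 CD 21 3D SKIP 00")

# Constructed samples: NOP padding around the signature bytes. VARIANT changes
# exactly the two bytes the wildcard signature is meant to ignore.
ORIGINAL = b"\x90" * 16 + bytes.fromhex("B80030CD213D0300") + b"\x90" * 8
VARIANT = b"\x90" * 16 + bytes.fromhex("B80230CD213D0500") + b"\x90" * 8
CLEAN = b"\x90" * 40

if __name__ == "__main__":
    print(find_signature(ORIGINAL, FIXED))    # 16: fixed signature hits the original
    print(find_signature(VARIANT, FIXED))     # None: two changed bytes defeat it
    print(find_signature(VARIANT, WILDCARD))  # 16: wildcard signature still hits
```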
