Internet Security Professional Reference: Viruses


This was a useful improvement. Most simple encrypting viruses employed rudimentary decryption routines that did not vary significantly from one infection to another. Only the encryption routine key value would change in each infection. For example, the bytes shown in table 15.1 might be found in several files infected with the same encrypted virus. These bytes represent the machine-language decryption routine of the virus.

Table 15.1 Virus Decryption Bytes

Infected File    Virus Decryption Bytes (in hexadecimal)
SAMPLE1.COM      B9 00 10 BE 0C 01 80 34 52 46 E2 FA
SAMPLE2.COM      B9 00 10 BE 0C 01 80 34 78 46 E2 FA
SAMPLE3.COM      B9 00 10 BE 0C 01 80 34 05 46 E2 FA

Except for the ninth byte of each sequence, each decryption routine in the preceding three infected programs uses the same set of bytes. An antivirus researcher, therefore, could construct a simple wild-card signature to detect this virus:

Signature: B9 00 10 BE 0C 01 80 34 SKIP 46 E2 FA

This signature would match every other byte in the virus decryption routine exactly, while ignoring the changing ninth byte. Without using wild-card capabilities, this same virus would require 256 different signatures, because the changing byte can take any of 256 different values.
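As an added example (not code from the book), a small Python matcher that parses the wild-card signature above, using the book's SKIP token, and applies it to the three byte sequences from table 15.1. The filler bytes, the extra clean sample, and the function names are constructed for this example. It also counts how many of the 256 possible key values the single wild-card signature covers, compared with a signature fixed to one key.

```python
from typing import Dict, List, Optional

# Signature from the text: SKIP is the wild-card that matches any one byte.
SIGNATURE = "B9 00 10 BE 0C 01 80 34 SKIP 46 E2 FA"
# The same signature without the wild-card, i.e. fixed to SAMPLE1.COM's key.
EXACT_SIGNATURE = "B9 00 10 BE 0C 01 80 34 52 46 E2 FA"

# Constructed sample buffers: 32 filler bytes followed by the 12-byte
# decryption routine listed for each file in table 15.1.
FILLER = bytes(range(32))
SAMPLES = {
    "SAMPLE1.COM": FILLER + bytes.fromhex("B9 00 10 BE 0C 01 80 34 52 46 E2 FA"),
    "SAMPLE2.COM": FILLER + bytes.fromhex("B9 00 10 BE 0C 01 80 34 78 46 E2 FA"),
    "SAMPLE3.COM": FILLER + bytes.fromhex("B9 00 10 BE 0C 01 80 34 05 46 E2 FA"),
    # Constructed clean file: same shape of routine but a different LOOP displacement.
    "CLEAN.COM":   FILLER + bytes.fromhex("B9 00 10 BE 0C 01 80 34 52 46 E2 F0"),
}


def parse_signature(sig: str) -> List[Optional[int]]:
    """Turn 'B9 00 SKIP ...' into a list where None stands for the wild-card."""
    pattern: List[Optional[int]] = []
    for tok in sig.split():
        pattern.append(None if tok.upper() == "SKIP" else int(tok, 16))
    return pattern


def find_signature(data: bytes, pattern: List[Optional[int]]) -> Optional[int]:
    """Return the first offset at which the pattern matches, or None.
    A None entry accepts any byte; every other entry must match exactly."""
    n = len(pattern)
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
            return off
    return None


def count_matching_keys(pattern: List[Optional[int]]) -> int:
    """How many of the 256 possible key bytes (the ninth byte of the routine)
    the pattern detects: 256 for the wild-card form, 1 for the exact form."""
    head = bytes.fromhex("B9 00 10 BE 0C 01 80 34")
    tail = bytes.fromhex("46 E2 FA")
    return sum(
        1 for key in range(256)
        if find_signature(head + bytes([key]) + tail, pattern) is not None
    )


def scan_all(signature: str = SIGNATURE) -> Dict[str, Optional[int]]:
    """Apply one signature to every sample; the value is the match offset or None."""
    pattern = parse_signature(signature)
    return {name: find_signature(data, pattern) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, off in scan_all().items():
        verdict = f"infected, routine at offset {off:#x}" if off is not None else "clean"
        print(f"{name}: {verdict}")
    print("keys covered by wild-card signature:", count_matching_keys(parse_signature(SIGNATURE)))
    print("keys covered by exact signature:    ", count_matching_keys(parse_signature(EXACT_SIGNATURE)))
```

The matcher is deliberately the naive byte-by-byte search a string scanner of the period would use; the point is that one SKIP entry collapses 256 exact signatures into one, while a signature fixed to key 52h only finds SAMPLE1.COM.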

The string scanner has achieved great success in the antivirus world. This technique still is used today in many products. Usually, however, it cannot detect even simple polymorphic viruses, which change considerably from infection to infection. In recent years, therefore, antivirus producers have used the string scanner in conjunction with other new technologies.

The advent of the polymorphic virus mandated improvements in virus scanner technology. The existing wild-card string scanners simply could not reliably detect these viruses. In addition to the polymorphic virus problem, the number of viruses has continued to grow exponentially. The older scanning algorithms became increasingly slower as the number of viruses quickly increased. Imagine having to search through 8,000 bytes of a program for 4,000 different viruses, all in well under a tenth of a second!

To combat the onslaught of new polymorphic viruses and the overall increase in file viruses, antivirus companies began to employ more clever scanning algorithms, such as the algorithmic entry point scanner. This scheme assumes that in an infected file, the program’s entry point either points directly to the virus or to some machine code that transfers control to the virus.

In an infected COM file, for instance, the file’s entry point points directly to any virus that prepends or overwrites the host file. For appending viruses and all other cases, it points to the machine code that transfers control to the virus. In infected EXE files, the file entry point almost always points directly to the viral code.

The entry point scanner employs a limited machine code simulator that can trace through a target program and follow simple machine-language jump (transfer of control) instructions. The scanner examines the machine code at the target program entry point. If this code transfers control to another program area using a recognized method, the built-in simulator attempts to locate the destination of this transfer. This destination is then treated as the new entry point of the program. The scanner repeats the process until the machine code no longer transfers control to other program parts (see fig. 15.35).


Figure 15.35  The entry point scanner operating on an infected COM file.

After this “calm” point is reached and there are no further transfers of control in the executable file, the scanner assumes that it has located the most likely location of the start of a virus. The scanner can then search the limited region following this calm point for viruses.

If several different files are infected with the same virus, and the virus uses a consistent technique to transfer control from the primary entry point of the program to the virus body, the final point that is reached by the entry point scanner always converges on the same calm point in the virus. Rather than searching many kilobytes of the target file, a region limited to 20 or 30 bytes can be searched with equal effectiveness. This dramatically improves the virus scanner’s efficiency!
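As an added example (not code from the book), a Python sketch of the entry point scanner described above. It starts at the COM entry point (file offset 0, address 100h), follows JMP short (EB rel8) and JMP near (E9 rel16) instructions, and reports the calm point and the small window after it. To show the convergence the text describes, it builds two constructed test images with the appending layout from the chapter (hosts of different sizes, different key bytes in the table 15.1 routine). The images, the helper names and the 16-hop limit are assumptions of the example.

```python
COM_LOAD_OFFSET = 0x100  # a COM image loads at offset 100h; file offset 0 is the entry point


def follow_transfers(image: bytes, max_hops: int = 16) -> int:
    """Return the file offset of the 'calm point'.  Starting at the COM entry
    point, follow JMP short (EB rel8) and JMP near (E9 rel16) instructions
    until the current instruction is not one of these transfers.  max_hops
    is an assumed bound so a jump-to-self cannot hang the scanner."""
    off = 0
    for _ in range(max_hops):
        opcode = image[off] if off < len(image) else None
        if opcode == 0xEB and off + 2 <= len(image):
            rel = int.from_bytes(image[off + 1:off + 2], "little", signed=True)
            ip_after = COM_LOAD_OFFSET + off + 2
        elif opcode == 0xE9 and off + 3 <= len(image):
            rel = int.from_bytes(image[off + 1:off + 3], "little", signed=True)
            ip_after = COM_LOAD_OFFSET + off + 3
        else:
            return off                      # not a recognised transfer: calm point
        target = ((ip_after + rel) & 0xFFFF) - COM_LOAD_OFFSET
        if not 0 <= target < len(image):
            return off                      # jump leaves the file image; stop here
        off = target
    return off


def calm_window(image: bytes, size: int = 30) -> bytes:
    """The limited region (20 to 30 bytes in the text) a scanner would search."""
    calm = follow_transfers(image)
    return image[calm:calm + size]


def build_infected_image(host: bytes, key: int) -> bytes:
    """Constructed test image (an in-memory fixture for the scanner): the
    appending layout the text describes.  The host's first three bytes become
    a near JMP to code appended at the end; that code opens with a short jump
    over two data bytes and then the 12-byte decryption loop from table 15.1,
    with `key` as its varying ninth byte."""
    if len(host) < 3:
        raise ValueError("host too short to patch")
    appended_at = len(host)
    rel16 = (appended_at - 3) & 0xFFFF          # target address minus address after the JMP
    patched = bytes([0xE9]) + rel16.to_bytes(2, "little") + host[3:]
    appended = bytes([0xEB, 0x02, 0x00, 0x00])  # JMP short +2, then two data bytes
    appended += bytes.fromhex("B9 00 10 BE 0C 01 80 34") + bytes([key]) + bytes.fromhex("46 E2 FA")
    return patched + appended


# Constructed hosts: MOV AH,4Ch / INT 21h (exit) padded with NOPs to different sizes.
HOST_SMALL = bytes.fromhex("B4 4C CD 21") + b"\x90" * 20
HOST_LARGE = bytes.fromhex("B4 4C CD 21") + b"\x90" * 100


if __name__ == "__main__":
    cases = (
        ("small host, key 52h", build_infected_image(HOST_SMALL, 0x52)),
        ("large host, key 78h", build_infected_image(HOST_LARGE, 0x78)),
        ("clean small host", HOST_SMALL),
    )
    for label, img in cases:
        print(f"{label}: calm point at file offset {follow_transfers(img)}, "
              f"window {calm_window(img, 12).hex()}")
```

Although the two images differ in size by 80 bytes, the walk ends at the same structural place in both, the first byte of the decryption loop, and the 12-byte windows there differ only in the ninth (key) byte. That is the property a wild-card signature anchored at the calm point relies on. For the clean host the first instruction is not a transfer, so the calm point is the entry point itself.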

The entry point scanning technique is most often used in conjunction with a technique known as algorithmic scanning. The algorithmic scanner can use simple wild-card virus signatures like the original string scanners. It can also use more complex virus signatures to detect simple and intermediate polymorphic viruses, however.

When the antivirus engineer updates the algorithmic scanner to detect a new virus, he or she can write a simple detection program using a limited script language supported by the scanner. This script-based program is interpreted by the virus scanner and is applied to each scanned file. It can use complex operations built into the script language to detect more complex viruses.

These algorithmic, entry point signatures are capable of detecting a wide variety of simple, encrypted, and even polymorphic viruses. They are fast, because they are applied to a limited region of each scanned file. They also allow the antivirus engineer to write simple script-based programs to detect polymorphic viruses that were impossible to detect using earlier scanner technology. Finally, even if a virus employs a nonstandard infection technique and places itself somewhere in the middle of the host file, it may still be detected. As long as the entry point of the program contains simple code that transfers control to the virus, the entry point scanner can locate the relevant viral code and scan it.

All current antivirus products use some form of algorithmic scanning, usually in conjunction with the entry point scanning technique. This combination achieves fast scanning speeds and robust virus detection. However, over the past several years, virus writers have been working on new and highly complex polymorphic viruses. Such a polymorphic virus uses a varying decryption routine in each new infection. These decryption routines can be so large, varied, and complex that for many polymorphic viruses, the aforementioned scanner techniques are powerless.

