HOW VIRUSES AVOID DETECTION

Viruses can survive only if they remain undetected long enough to give them time to spread to other computers. To increase a virus's chance of surviving, virus programmers have used a variety of tactics.

Infection methods

Antivirus programs can spot a virus in one of two ways. First, the antivirus program may recognize a particular virus's signature, which is nothing more than the specific instructions embedded in the virus that tell it how to behave and act. A virus's signature is like a criminal's fingerprint—each one is unique and distinct.

A second way antivirus programs can detect a virus is through its behavior. Antivirus programs can often detect the presence of a previously unknown virus by catching a virus as it tries to infect another file or disk.

To sneak past an antivirus program, many viruses use a variety of methods to spread:

  • Direct infection

  • Fast infection

  • Slow infection

  • Sparse infection

  • RAM-resident infection

Direct infection means that the virus infects a disk, or one or more files, each time you run the infected program or open the infected document. If you don't do either, the virus can't spread at all. Direct infection is the simplest but also the most noticeable way of infecting a computer and can often be detected by antivirus programs fairly easily.

Fast infection means that the virus infects any file accessed by an infected program. For example, if a virus infects your antivirus program, watch out! Each time an infected antivirus program examines a file, it can actually infect that file immediately after certifying that the file is virus-free.

Slow infection means that the virus only infects newly created files or files modified by a legitimate program. By doing this, viruses attempt to further mask their presence from antivirus programs.

Sparse infection means that the virus takes its time infecting files. Sometimes it infects a file, and sometimes it doesn't. By infecting a computer slowly, viruses reduce their chance of being detected.

RAM-resident infection means that the virus buries itself in your computer's memory, and each time you run a program or insert a floppy disk, the virus infects that program or disk. RAM-resident infection is the only way that boot viruses can spread. Boot viruses can never spread across a network or the Internet since they can only spread by physically inserting an infected floppy disk into a computer, although they can still infect individual computers attached to a network.

Stealth

Viruses normally reveal their presence during infection. For example, a file-infecting virus typically changes the size, time, and date stamp of the file that it infects. However, file-infecting viruses that use stealth techniques may infect a program without modifying the program's size, time, or date, thus remaining hidden.

Boot viruses always use stealth techniques. When the computer reads a disk's boot sector, the boot virus quickly loads the real boot sector (which it has safely stashed away in another location on the disk) and hides behind it. This is like having your parents call you at home to make sure you're behaving yourself, but you really answer the phone at the neighborhood pool hall by using call forwarding. As far as your parents are concerned, they called your home number and you answered. But in reality, their call got routed from your home phone to the pool hall phone. Such misdirection is how boot viruses use stealth techniques to hide their presence from the computer.

In most cases, stealth techniques mask the virus's presence from users but cannot always fool an antivirus program. For further protection against an antivirus program, viruses may use polymorphism.

Polymorphism

To keep from infecting the same file or boot sector over and over again (and revealing itself), viruses must first check to see whether they have already infected a particular file or boot sector. To do so, viruses look for their own signature—the set of instructions that make up that particular virus. Of course, antivirus programs can also find viruses by looking for these signatures, as long as the virus has been caught and examined—if that hasn't happened, an antivirus program will never know the virus's signature.

If convicted criminals could modify their fingerprints each time they committed a crime, they would be harder to catch. That's the idea behind polymorphism.

Theoretically, a polymorphic virus changes its signature each time it infects a file, which means that an antivirus program can never find it. However, because polymorphic viruses need to make sure they don't infect the same file over and over again, polymorphic viruses still leave a small distinct signature that they (and an antivirus program) can still find.

Retaliators

The best defense is a good offense. Rather than passively hiding from an antivirus program, many viruses actively search out and attack them. When you use your favorite antivirus program, these retaliating viruses either modify the antivirus program so that it can't detect the virus, or they infect the antivirus program so that the antivirus program actually helps spread the virus. In both cases, the attacked antivirus program cheerfully displays a "Your computer is virus-free" message while the virus is happily spreading throughout your computer.



Steal This Computer Book 3(c) What They Won't Tell You About the Internet
Steal This Computer Book 3: What They Wont Tell You about the Internet
ISBN: 1593270003
EAN: 2147483647
Year: 2003
Pages: 215
Authors: Wallace Wang

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net