Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 2.  DOS Computer Viruses

2.5 Virus Defense Mechanisms

When viruses began to gain popularity, so did antivirus programs. The first holistic program to fight MMC was Flushot by Ross Greenberg in 1987. It attempted to prevent viruses and Trojans from making unwarranted changes to files and the disk. While hopelessly outdated today, it offered hope in the early battle against computer viruses and Trojans. There were a few programs that would search for and eradicate a particular type of MMC. But it was not until 1989, when John McAfee released his VirusScan™ program, which could detect and repair several viruses at once, that the antivirus scanner became popular. Initially scanners minimized the potential threat of MMC, and some AV researchers thought the threat of computer viruses would be over.

The typical life cycle of a DOS computer virus went something like this:

  1. A virus gets created and released.

  2. The virus infects a few PCs and gets sent to an antivirus company.

  3. The antivirus company records a signature (covered in Chapter 14) from the virus.

  4. The company includes the new signature in its database.

  5. Its scanner now detects the virus, and the threat of the virus is lessened.

If you're a DOS virus writer, your creation can't spread all over the world if it's being detected and cleaned within a few weeks of its release.

Virus writers started fighting back with more sophisticated virus defense mechanisms to go undetected longer. Thus, the war of the virus writers against the antivirus vendors began. In a sense, the antivirus industry created more, faster, and smarter viruses. It is a war that couldn't be avoided or stopped. Virus writers try their best to make their viruses harder to detect, remove, or prevent. Many virus writers spend more time on their virus's defenses than on writing the infecting code. Virus defenses include encryption, polymorphism, stealth, and armoring.

2.5.1 Encryption

Virus writers saw that the best way to stop or slow down antivirus scanners was to make sure there was no constant string of bytes that could become an antivirus signature. For our purposes, encryption is the process of a virus rearranging its code so that it no longer looks like its former self, in order to defeat antivirus scanners (see Figure 2-12). The virus executes, decrypts itself, does its thing, then rescrambles its bytes before saving itself back to the disk. Virus authors at the forefront of technology started to research and utilize professional encryption techniques. In order to be able to use encryption, a virus must be able to decrypt the encrypted code (called decryption) and encrypt itself "on the fly."

Figure 2-12. Encrypted virus example (image not reproduced)

Some virus encryption routines are simple. A common cipher routine among early virus writers was to simply multiply each byte by a randomly generated number and later decrypt by dividing by the same number. The random number is generated "on the fly" and uniquely calculated every time the host file is executed. The randomly generated number is stored by the encryption subroutine for later deciphering. Every run of the virus would result in a uniquely encrypted file. How could a virus scanner locate a good signature if the program changed on every execution?

The solution involved searching for the decryption routine (sometimes called a decryptor) that had to be located at the start of every encrypted virus. The decryption engine became the signature. Decryption routines can't be scrambled because they must remain as plain code to execute and start the unscrambling process. To fight back, virus writers started writing smaller and smaller decryption routines. Smaller decryption signatures increase the chance that an antivirus scanner will produce a false positive. Still, even with ever-smaller decryption routines, most antivirus companies were able to detect encrypted viruses reliably.

Although most viruses use encryption to hide, other viruses use encryption as a means to make the removal process more difficult for antivirus programs. They encrypt the boot area or files when they first infect. After infection, they decipher the encoded host file or boot sector when it is needed. If you remove the virus or boot with a clean diskette, the file or boot area remains encrypted and inaccessible. In a few cases where clients of mine have prematurely removed these types of viruses before getting their data, I've told them to reinfect the PC, copy the data off the PC, and then remove the virus.

The better antivirus programs (covered in Chapter 14) are able to decrypt viruses that have simple encryption routines. They can decrypt the data, remove the virus, and allow the original PC to be cleaned while preserving the integrity of the data. Some virus encryption routines are so strong that antivirus companies cannot easily decrypt the virus and clean the PC, so they recommend backup restoration instead. Virus writers were successful in using encryption to slow down the scanning process and added extra considerations when removing a virus.

2.5.2 Polymorphism

Polymorphism is virus encryption done better. Some bright virus writers decided that the only way to defeat antivirus companies was by randomly changing the encryption/decryption portion of the virus. Each time the virus starts, it might change the random number generation routine used, the length of the number used (called the key), the number of bytes encrypted, and the place the encryption subroutine is located in every file. This is called polymorphism. How can antivirus scanners find a signature when everything, including the encrypting subroutine, randomly changes? Potentially, there are billions of combinations that scanners would have to try against each host file.

The first polymorphic engine, Dark Avenger's Mutation Engine (MtE or DAME), was released in 1991. MtE allowed the static, unchanging bytes of a virus to be less than a handful. With a static signature so small, the risk of false positives by antivirus scanners suddenly became unacceptably high. MtE and the other polymorphic engines that followed were highly successful at keeping antivirus companies at the workbench. Polymorphic engines were one of the first malicious implementations to seriously challenge the professional debugging teams of the antivirus industry. A lot of the smaller antivirus companies couldn't keep up and stopped producing products. While the world was full of news stories of the infamous Michelangelo boot virus in 1992, antivirus researchers were desperately searching for a way to consistently detect the new polymorphic viruses. It was a highly guarded secret at the time that antivirus companies couldn't break these types of bugs overnight.

Encryption engines are sets of cipher routines that can be added to any virus and are not infectious code by themselves.

It turns out that although polymorphic encrypting viruses looked different each time, there is no true randomness in the computer world, and a reliable signature can be calculated even in random-looking code. It just takes more digging. Some antivirus products included signatures for each resulting infected file copy. But since one virus could create billions of different copies, this method was quickly rejected by most companies as a workable solution. Researchers started getting a quicker detection rate by learning how the encryption engines worked and decoding each scanned file by reverse-engineering the encryption engine's steps. This took time and meant that scanning engines would potentially have to check each file against a large number of encryption routines.

The most successful scanners use an emulation engine that temporarily loads scanned files into a protected area in RAM that simulates the computer's operating environment. The virus thinks it is running, even though it is unable to access any part of the computer outside the emulated area, and decrypts itself. The decoded virus code is then scanned by the antivirus program. Best of all, it only takes one signature to recognize the billions of different copies of the same virus. Today, there are dozens of polymorphic encryption engines available to virus writers, but good scanners can detect all their variants. When a new engine comes out, it's only a matter of a few hours of work on the antivirus researcher's PC, thereby deflating the potentially damaging encryption routine that took the virus writer weeks or months to write.
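An added illustration (not code from the book) of two points made above: a signature on the encrypted body fails because every copy carries a different key, while the plain decryptor stub stays constant and can serve as the signature, and an emulation-style scanner that runs the decryptor's logic in memory needs only one body signature for every copy. It uses the chapter's multiply-by-a-random-number cipher, done modulo 256 with an odd key so the "division" step is a modular inverse; the stub layout, the sample body and all names are constructed for this example.

```python
import secrets

# Constructed stand-in for the infectious code that gets scrambled on every
# run. It is plain text, not real virus code.
BODY = b"CONSTRUCTED-SAMPLE-BODY: infect-host; run-payload; rescramble"
# Constructed decryptor stub: the one part that must stay in plain, constant
# bytes so it can execute and unscramble the rest.
STUB_MAGIC = b"DECRYPTOR-STUB:"


def encrypt_copy(body: bytes, key: int) -> bytes:
    """Build one infected-file image: constant stub + 1-byte key + scrambled body.
    Each body byte is multiplied by the key modulo 256; the key must be odd so
    that a modular inverse exists for the decryption step."""
    if key % 2 == 0 or not 0 < key < 256:
        raise ValueError("key must be an odd byte")
    scrambled = bytes((b * key) % 256 for b in body)
    return STUB_MAGIC + bytes([key]) + scrambled


def random_copy() -> bytes:
    """Fresh copy with a key picked 'on the fly' (odd, 3..255, never 1)."""
    return encrypt_copy(BODY, secrets.randbelow(127) * 2 + 3)


def static_scan(image: bytes, signature: bytes) -> bool:
    """Plain byte-string signature match, as an early scanner would do."""
    return signature in image


def emulated_scan(image: bytes, signature: bytes) -> bool:
    """Mimic an emulation engine: recognize the stub, apply its decryption
    (multiply by the modular inverse of the key) in memory, then scan the
    decoded body instead of the file as stored on disk."""
    if not image.startswith(STUB_MAGIC):
        return False
    key = image[len(STUB_MAGIC)]
    inv = pow(key, -1, 256)                     # "divide by the same number"
    decoded = bytes((b * inv) % 256 for b in image[len(STUB_MAGIC) + 1:])
    return signature in decoded


def demo(n: int = 20) -> dict:
    """Scan n freshly generated copies three ways and count detections."""
    copies = [random_copy() for _ in range(n)]
    body_sig = BODY[:12]
    return {
        "body_sig_hits": sum(static_scan(c, body_sig) for c in copies),
        "stub_sig_hits": sum(static_scan(c, STUB_MAGIC) for c in copies),
        "emulated_hits": sum(emulated_scan(c, body_sig) for c in copies),
    }
```

With the sample body the body-signature count stays at zero across copies, the stub signature matches every copy, and the emulated scan matches every copy with a single body signature.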

2.5.3 Entry Point Changers

Although a virus's code can be located anywhere in a file, antivirus scanners need only briefly follow the host file's starting instructions to find the virus's entry point. After all, the virus has to get control, and it usually does so at the start of the program. But some viruses do not modify the starting instruction of the host program, and instead use additional calculations to place the virus entry point instruction later on in the program's execution. This was an effective defense and caused antivirus vendors concern, as they would have to scan all areas of a potential file. Luckily, these types of viruses are hard to make, and most attempts corrupted their hosts.

2.5.4 Random Execution

Antivirus scanners work by following a program's instructions from start to finish, jumping from one byte to wherever it leads next. Rarely does a program start with the first instruction and sequentially hit every byte, one after another, till it reaches the end. Programming instructions in most programs jump here and there. Scanners don't scan every byte because it would be too time-consuming, and since the virus must eventually get control to operate, following the program's own logic will eventually lead the scanner to the virus.

Unfortunately, this is not true in every case. Some viruses insert instructions into a program that only point to the virus code at random intervals. When an infected program is run, the virus is not launched unless the correct random sequence is generated. These types of viruses spread more slowly, but it also means that scanners will miss some of them, too. Most scanners will not find the virus code unless the random generation sequence just happens to point to the virus's body while the scanner is searching. Otherwise the scanner will bypass the infectious code and consider it inactive. What happens is that scanners catch some copies of the virus but miss others. The person who ran the scanner is confused later when the same virus keeps reappearing on his machine, though nothing new has been added. This type of defense technique requires that antivirus scanners search the whole file every time.

2.5.5 Stealth

Viruses that contain special coding to elude antivirus researchers and tools are considered stealth viruses. The first PC virus, Brain, included stealth code, and redirected requests to view the infected boot sector to the original boot sector code now placed at the end of the diskette. Stealth viruses can use hundreds of different routines to hide from prying eyes. One of the most common routines is for a virus to remove itself from a file when a virus scanner is being run. Stealth is one more reason you should always boot from a clean, write-protected boot diskette prior to running a DOS virus scan.

If the virus is in memory, it can hide. Viruses often hide increases in infected file size by modifying what DOS returns to the user. It does this by monitoring the DOS interrupts that return memory and file information. For example, if a user types in the DIR command while the virus is in memory, the virus code will pass along the request to DOS. DOS collects the requested information and tries to return it to the user. The virus steps in and does the necessary calculations so that the telltale signs of its infection are hidden.

2.5.6 Armor

An armored virus contains special programming routines meant to discourage antivirus researchers from tracing, disassembling, and analyzing it. Some rogue programs do this by checking to see if any debugging is going on and then locking out the keyboard, or playing some other trick. Other times, specific code is inserted into the malicious program to make code debuggers get stuck in endless loops.

2.5.7 A Good Defense Is a Bad Offense

Many viruses employ techniques to lessen an antivirus program's effectiveness. There are hundreds of viruses that search out a particular brand of antivirus program and delete its vital files. Such viruses delete the data files and configuration files, and delete the antivirus program itself. These viruses aren't widespread because they have to get past the antivirus scanner's defenses in the first place to do their work. Some Trojans have even been named and masqueraded as the next "official" release of a vendor's scanner program in the hope that unsuspecting users will download and use it. When the user scans her system for computer viruses, the Trojan program infects or deletes every file searched.

2.5.8 Trouble on the Horizon

New, complex viruses are being developed today that are testing the limits of antivirus scanners. Although simple polymorphic viruses are considered somewhat easy to detect today by most major antivirus vendors, virus defense technologies are getting smarter and more of them are being used at once. These new types of viruses are able to appear more and more random, and if they don't defeat the scanner altogether, they will at least slow it down.

Some viruses throw in random garbage instructions to lead antivirus tools on a false chase. Other viruses randomly change their polymorphic decryption routine and are called oligomorphic. Some viruses use a polymorphic routine to rename their programming variables and subroutines. The resulting virus has the exact same format, but contains completely different-looking text. Some of the more successful viruses will use polymorphism to change not only their programming variable names, but also the location in a program in which a particular subroutine appears. This body polymorphism is called metamorphic. There are even viruses that search the host machine for a compiler program and compile themselves on the fly, making each resulting variant different from the original. Other viruses decompile the host file, inject themselves, and recompile. Others are using random number generating routines considered unpredictable.

Scanner vendors have heard many times before how their products would be rendered useless by such and such virus defenses, yet they've adapted and survived. The only difference this time is that the naysayers are the scanning vendors themselves. Fortunately, this book assumes that antivirus scanners don't work 100 percent of the time anyway and recommends the steps you can take now to prevent current and future MMC infections.


Malicious Mobile Code: Virus Protection for Windows (OReilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176