
Sunday, January 6, 2008

How Viruses Infect (1)

Polymorphic Viruses

To confound virus scanning programs, virus writers created polymorphic viruses. These viruses are more difficult to detect by scanning because each copy of the virus looks different from the other copies. One virus author even created a tool kit called the "Dark Avenger's Mutation Engine" (also known as MTE or DAME) for other virus writers to use. This allows someone who has a normal virus to use the mutation engine with their virus code. If they use the mutation engine, each file infected by their virus will have what appears to be totally different virus code attached to it. Fortunately, the code isn't totally different, and now anyone foolish enough to use the mutation engine with their virus will be creating a virus that will be immediately detected by most of the existing scanners.
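The reason mutation-engine output is "not totally different" is that the decryptor loop has to keep working, so some bytes stay fixed while keys, counters and junk change. The added example below (not from the original article) shows the wildcard-signature matching scanners use to catch exactly that; the signature bytes and the sample "variants" are constructed for illustration and are not a real engine's signature.

```python
import re

# Constructed wildcard signature for a hypothetical polymorphic decryptor loop
# (made-up bytes for this example, not a real MtE signature). "??" matches any
# one byte and "{n-m}" matches n to m arbitrary bytes, which is how scanner
# signature languages express the junk a mutation engine sprinkles between
# the instructions that must stay the same for the decryptor to work.
DECRYPTOR_SIG = "b9 ?? ?? 8b f5 {0-4} 80 34 ?? ?? 46 e2 ??"

def compile_signature(sig: str) -> re.Pattern:
    """Translate the wildcard hex signature into a regex over raw bytes."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("{") and tok.endswith("}"):
            lo, hi = tok[1:-1].split("-")
            parts.append(b".{%s,%s}" % (lo.encode(), hi.encode()))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    # DOTALL so a wildcard also matches 0x0a, which "." would otherwise skip
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data: bytes, pattern: re.Pattern):
    """Offset of the first signature hit, or None when the data is clean."""
    m = pattern.search(data)
    return m.start() if m else None

# Constructed samples: two "variants" sharing the decryptor skeleton but with
# different keys, counters and junk padding, plus an unrelated clean file.
VARIANT_A = bytes.fromhex("9090 b91000 8bf5 8034 1eaa 46 e2f9 cc")
VARIANT_B = bytes.fromhex("e80000 b94001 8bf5 909090 8034 1e5c 46 e2f9")
CLEAN = bytes.fromhex("558bec83ec10c3000a0d")

def scan_samples(sig: str = DECRYPTOR_SIG) -> dict:
    """Run the compiled signature over every sample; None means no hit."""
    pat = compile_signature(sig)
    return {name: scan(data, pat)
            for name, data in (("variant_a", VARIANT_A),
                               ("variant_b", VARIANT_B), ("clean", CLEAN))}

if __name__ == "__main__":
    print(scan_samples())
```

Both variants are reported at the offset where the invariant part of the decryptor begins, even though their raw bytes differ; the clean sample gets no hit.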

Virus Tool Kits

Besides the mutation engine, there are also now several tool kits available to help people create viruses. Several of these programs allow someone who has no knowledge of viruses to create their own "brand new" virus. One of these tool kits even has a very slick user interface with pull-down menus and on-line help. You just pick your choices from the various menus and in a flash you've created your very own virus. While this sounds like a pretty ominous development for scanning technology, it's not as bad as it sounds. All the existing tool kits (such as VCS, VCL and MPC) create viruses that can be detected easily with existing scanner technology. The danger with these tool kits lies in the fact that it's possible to create such a tool kit that could create viruses that really are unique. Fortunately, this hasn't been done yet, but it's only a matter of time before such a tool kit will be created. The conflict between virus writers and anti-virus researchers continues.

Summary

• Polymorphic viruses change with each infection. They do this in an attempt to defeat scanners.
• Virus writing tool kits have been created to "simplify" creation of new viruses.

Stealth Viruses and Rootkits

A virus, by its nature, has to modify something in order to become active. This might be a file, the boot sector, or partition sector (Master Boot Record); whatever it is, it has to change. Unless the virus takes over portions of the system in order to manage accesses to the changes it made, these changes will become visible and the virus will be exposed.
A stealth virus hides the modifications it makes. It does this by taking over the system functions which read files or system sectors and, when some other program requests information from portions of the disk the virus has changed, the virus reports back the correct (unchanged) information instead of what's really there (the virus). Of course, the virus must be resident in memory and active to do this.
Use of stealth is the major reason why most anti-virus programs operate best when the system is started (booted) from a known-clean floppy disk or CD. When this happens, the virus does not gain control over the system and the changes and virus are immediately available to be seen and dealt with.
Important Note: Some viruses, when they infect, encrypt and hide the original information in the sector they infect. If you are infected, some people may advise you to use generic DOS commands (e.g., SYS and/or FDISK /MBR) to correct the problem. If you do this you run the risk of making matters much worse. Monkey, for example, encrypts the partition information and moves it. If you overwrite the virus with FDISK /MBR then you will no longer be able to see your hard disk as DOS/Windows will not recognize what's in the partition table and can't access the encrypted version without Monkey helping (anti-virus software knows how to get around this problem).

Rootkits

Under Windows, installing a rootkit is a new way of creating a form of stealth virus or other malware. Rootkits are usually installed via a Trojan but once installed can hide almost any type of malware.
Rootkits are programs that typically replace kernel programs and DLL files with malware. Since it's a system file that has been replaced it's much easier to mask and hide the malware process from anti-virus software. Indeed, some anti-virus and anti-spyware/adware software has taken on some of the characteristics of a rootkit in order to find other rootkits that might be running. This, itself, can create problems (see the acronym ADVEIS: Anti-Virus Dependent Vulnerabilities in E-mail Infrastructure Security).
Rootkits can also establish themselves in alternate data streams. The spambot Mailbot is one example of a rootkit that establishes itself in an alternate data stream associated with a system directory (yes, alternate data streams can attach to a directory as well as a file).
Probably the most famous rootkit incident in 2005 was the Sony CD incident where Sony installed a rootkit onto music CD-ROMs. When the music CDs were played on a computer, the rootkit installed in order to provide digital rights management for the music on the CD. The problem was that the rootkit itself was not secure and it allowed other malware to piggyback onto it and also install onto a user's computer. An embarrassed Sony recalled a large number of music CDs and reissued them without the digital rights rootkit.

Summary

• In order to infect, a virus must change something.
• A stealth virus takes over portions of the system to effectively hide the virus from casual (and not so casual) examination.
• To better find stealth viruses, be certain to cold boot from a known-clean (write-protected) floppy disk or CD and avoid using generic DOS commands to try to fix them. Use anti-virus software to handle these viruses.

Fast and Slow Infectors

The term fast or slow when dealing with viruses pertains to how often and under what circumstances they spread the infection.
Typically, a virus will load itself into memory when an infected program is run. It sits there and waits for other programs to be run and infects them at that time.
A fast infector infects programs not just when they are run, but also when they are simply accessed. The purpose of this type of infection is to ride on the back of anti-virus software to infect files as they are being checked. By its nature, anti-virus software (a scanner, in particular) opens each file on a disk being checked in order to determine if a virus is present. A fast infector that has not been found in memory before the scanning starts will spread itself quickly throughout the disk.
A slow infector does just the opposite. A slow infector will only infect files when they are created or modified. Its purpose is to attempt to defeat integrity checking software by piggybacking on top of the process which legitimately changes a file. Because the user knows the file is being changed, they will be less likely to suspect the changes also represent an infection. By its nature (and because executable code is not usually changed) a slow infector does not spread rapidly and if the integrity checker has a scanning component it will likely be caught. Also, an integrity checker that is run on a computer booted from a known-clean floppy disk will be able to defeat a slow infector.
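The integrity checker the fast/slow infector discussion relies on is easy to sketch. The added example below (not from the original article) snapshots size and SHA-256 per file from a known-clean boot and then compares the live tree; because executable code is not normally changed, it reports any changed or newly created executable as SUSPECT, which is exactly the case a slow infector hides in, while a user's edit to a data file is merely MODIFIED. The directory tree and the "appended executable" are constructed in a temp directory for the demonstration.

```python
import hashlib
import os
import tempfile

EXECUTABLE_EXTS = {".exe", ".com", ".dll", ".sys"}

def file_record(path):
    """(size, sha256) of a file: what an integrity checker stores per file."""
    with open(path, "rb") as f:
        data = f.read()
    return len(data), hashlib.sha256(data).hexdigest()

def baseline(root):
    """Snapshot every file under root; take this from a known-clean boot."""
    recs = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            recs[os.path.relpath(p, root)] = file_record(p)
    return recs

def verify(root, base):
    """Compare the live tree against the baseline. Executables normally never
    change, so a changed or new executable is SUSPECT (scan it before updating
    the baseline); data files a user edits are only MODIFIED."""
    report, current = {}, baseline(root)
    for rel, rec in current.items():
        is_exe = os.path.splitext(rel)[1].lower() in EXECUTABLE_EXTS
        if rel not in base:
            report[rel] = "SUSPECT" if is_exe else "NEW"
        elif rec != base[rel]:
            report[rel] = "SUSPECT" if is_exe else "MODIFIED"
    for rel in base:
        if rel not in current:
            report[rel] = "MISSING"
    return report

def demo():
    """Constructed run: build a small tree, baseline it, then change it."""
    root = tempfile.mkdtemp()
    for rel, data in {"bin/tool.exe": b"MZ" + bytes(64), "docs/notes.txt": b"hello"}.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    base = baseline(root)
    # A legitimate edit of a data file, an executable that grew (the trace an
    # appending infector leaves) and a brand-new executable, all constructed.
    for rel, data in [("docs/notes.txt", b" world"), ("bin/tool.exe", bytes(16)), ("bin/new.com", b"\xc3")]:
        with open(os.path.join(root, rel), "ab") as f:
            f.write(data)
    return verify(root, base)
```

A checker like this is only as good as its baseline, which is why the text insists it be built and run from a clean boot; a fast infector that is already resident would infect every file the checker opens.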

Summary

• A fast infector infects programs when they are accessed, not just when run. This type of virus is designed to ride on the back of anti-virus scanners and can quickly infect an entire disk if not found before the scan is performed.
• A slow infector infects programs only when they are created or modified. This type of virus is designed to defeat integrity checkers but can usually be found if the checker has a scanner component or is started properly.

Sparse Infectors

In order to spread widely, a virus must attempt to avoid detection. To minimize the probability of its being discovered a virus could use any number of different techniques. It might, for example, only infect every 20th time a file is executed; it might only infect files whose lengths are within narrowly defined ranges or whose names begin with letters in a certain range of the alphabet. There are many other possibilities.
A virus which uses such techniques is termed a sparse infector.

Summary

• A wide variety of techniques can be used to help a virus avoid detection of its activity.

Armored Virus

Armored is a class that overlaps other classes of viruses, possibly multiple times.
Basically, an armored virus uses special "tricks" designed to foil anti-virus researchers. Any anti-virus researcher who wants to find out how a virus works must follow the instruction codes in the virus. By using a variety of methods, virus writers can make this disassembly task quite a bit more difficult. This usually makes the virus larger as well.
Such a virus can be said to be armored.
An early virus, Whale, made extensive use of these techniques but, at the same time, was a very large virus.

Summary

• An armored virus attempts to make disassembly difficult.
