Detection avoidance
FUNGENA.CVP 911202
Detection avoidance
Viral programs have almost no defence at all against
disinfection. 99% of viri are almost trivially simple to get
rid of, simply by replacing the "infected" file (or boot sector)
with an original copy. (Some more recent boot sector and system
viri require slightly more knowledge in order to perform
effective disinfection: none require drastic measures.) Far
from their image as the predators of the computer world, viral
programs behave much more like prey. Their survival is
dependant upon two primary factors: reproductive ability and
avoidance of detection.
Using the standard system calls to modify a file leaves very
definite traces. The change in a file "creation" or "last
modified" date is probably more noticeable than a growth in file
size. File size is rather meaningless, whereas dates and times
do have significance for users. Changing the date back to its
original value, however, is not a significant programming
challenge.
Adding code while avoiding a change in file size is more
difficult, but not impossible. Overwriting existing code and
adding code to "unused" portions of the file or disk are some
possible means. (The fictional rogue program P1, in Thomas
Ryan's "The Adolesence of P1", avoided problems of detection by
analyzing and rewriting existing code in such a manner that the
programs were more compact and ran more efficiently. Such
activity has not yet, alas, been discovered in any existing
virus.)
Some viral programs, or rather, virus authors, rely on
psychological factors. There are a number of examples of viri
which will not infect program files under a certain minimum
size, knowing that an additional 2K is much more noticeable on a
5K utility than on a 300K spreadsheet.
In a sense these are all "stealth" technologies, but this term
is most often used for programs which attempt to avoid detection
by trapping calls to read the disk and "lying" to the
interrogating program. By so doing, they avoid any kind of
detection which relies upon perusal of the disk. The disk gives
back only that information regarding file dates, sizes and
makeup which were appropriate to the original situation. (This
also relies upon the virus being "active" at the time of
checking.) Although this method avoids any kind of "disk"
detection, including checksumming and signature scanning, it
leaves traces in the computer's memory which can be detected.
(Some viral programs also try to "cover their tracks" by
watching for any analysis of the area they occupy in memory and
crashing the system, but this tends to be noticeable behaviour
... )
copyright Robert M. Slade, 1991 FUNGENA.CVP 911202
Detection avoidance
Viral programs have almost no defence at all against
disinfection. 99% of viri are almost trivially simple to get
rid of, simply by replacing the "infected" file (or boot sector)
with an original copy. (Some more recent boot sector and system
viri require slightly more knowledge in order to perform
effective disinfection: none require drastic measures.) Far
from their image as the predators of the computer world, viral
programs behave much more like prey. Their survival is
dependant upon two primary factors: reproductive ability and
avoidance of detection.
Using the standard system calls to modify a file leaves very
definite traces. The change in a file "creation" or "last
modified" date is probably more noticeable than a growth in file
size. File size is rather meaningless, whereas dates and times
do have significance for users. Changing the date back to its
original value, however, is not a significant programming
challenge.
Adding code while avoiding a change in file size is more
difficult, but not impossible. Overwriting existing code and
adding code to "unused" portions of the file or disk are some
possible means. (The fictional rogue program P1, in Thomas
Ryan's "The Adolesence of P1", avoided problems of detection by
analyzing and rewriting existing code in such a manner that the
programs were more compact and ran more efficiently. Such
activity has not yet, alas, been discovered in any existing
virus.)
Some viral programs, or rather, virus authors, rely on
psychological factors. There are a number of examples of viri
which will not infect program files under a certain minimum
size, knowing that an additional 2K is much more noticeable on a
5K utility than on a 300K spreadsheet.
In a sense these are all "stealth" technologies, but this term
is most often used for programs which attempt to avoid detection
by trapping calls to read the disk and "lying" to the
interrogating program. By so doing, they avoid any kind of
detection which relies upon perusal of the disk. The disk gives
back only that information regarding file dates, sizes and
makeup which were appropriate to the original situation. (This
also relies upon the virus being "active" at the time of
checking.) Although this method avoids any kind of "disk"
detection, including checksumming and signature scanning, it
leaves traces in the computer's memory which can be detected.
(Some viral programs also try to "cover their tracks" by
watching for any analysis of the area they occupy in memory and
crashing the system, but this tends to be noticeable behaviour
... )
copyright Robert M. Slade, 1991 FUNGENA.CVP 911202
Comments
Post a Comment