Tuesday, April 8, 2008

Viruses: Life and Death

There are several things that count as the bane of a computer user's life. Computers crashing, screens freezing, realising you meant to save your work two seconds before a power cut are some, and viruses are another. There are thousands of viruses out in the cyber world, in various guises, old and new, virulent and defunct, all written with the same malicious intent: to cause damage. You have to be a special kind of evil to release something like a Trojan horse into the world, knowing that it will infect millions of anonymous, innocent people and do untold damage. Cyber-terrorists don't need bombs, they don't need guns, they don't need actual violence and death, but the destruction they cause can be just as great as the traditional kind.
Viruses are not only virulent and destructive, they can also be sneaky, and many use techniques to avoid detection by anti-virus software. For example, some are able to infect files without increasing their size or breaking them. These are called cavity viruses, and they achieve this by overwriting unused areas (padding) inside executable files, so a check on file size alone will not reveal them. Others terminate the anti-virus software's own processes so that its detection routines never run. As technology is constantly updated and computers and operating systems grow in complexity, the need for viruses to improve their deception techniques grows with it.
A bait file (also called a goat file) is a file created specifically to be infected by a virus. The reasons for doing this are varied. Bait files can be used to take a sample of the virus: storing and exchanging a small, infected bait file is more practical than exchanging a large programme that has been infected. They can also be used to study the behaviour of viruses and to evaluate detection methods. This is particularly helpful when a virus is polymorphic: it can be allowed to infect a large number of bait files, which are then used to test whether a scanner detects every variant. Some anti-virus software keeps bait files that are accessed on a regular basis, and when one of them is modified the software alerts the user that a virus is active on the system.
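The last idea above, a watcher that plants bait files and raises an alert when one changes, as an added example that is not part of the original post. Everything in it is my own construction: the bait file names and contents are made up, the "infection" is only a harmless in-place overwrite of zero bytes that the example itself plants, and the comparison is on a SHA-256 hash rather than on file size because a cavity virus, as described earlier on the page, leaves the size unchanged.

```python
import hashlib
import os
import tempfile

# Constructed bait ("goat") files for this example. The names and contents are
# my own choices: a tiny stub and a padded file with plenty of zero-filled
# slack space, the kind of unused area a cavity virus would overwrite.
BAIT_FILES = {
    "bait_small.com": b"\xc3" * 64,                              # just RET opcodes
    "bait_padded.exe": b"MZ" + b"\x90" * 200 + b"\x00" * 4096,   # zero-filled slack
}


def fingerprint(path):
    """Return (size, sha256 hex digest) of a file."""
    with open(path, "rb") as f:
        data = f.read()
    return len(data), hashlib.sha256(data).hexdigest()


def create_bait_files(directory):
    """Write the bait files and return the baseline {name: (size, digest)}."""
    baseline = {}
    for name, content in BAIT_FILES.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(content)
        baseline[name] = fingerprint(path)
    return baseline


def check_bait_files(directory, baseline):
    """Return [(name, size_unchanged)] for every bait file whose content changed.

    The comparison is on the hash, not only the size: a cavity virus writes into
    padding inside the file, so its size does not change and a size check alone
    would miss it.
    """
    changed = []
    for name, (size, digest) in baseline.items():
        cur_size, cur_digest = fingerprint(os.path.join(directory, name))
        if cur_digest != digest:
            changed.append((name, cur_size == size))
    return changed


def simulate_cavity_overwrite(path, marker=b"TOY-MARKER"):
    """Stand-in for a cavity infection: overwrite a run of zero bytes in place.

    This is only a simulation that writes a harmless marker into the slack space
    of a file this example created; the file size stays exactly the same.
    """
    with open(path, "r+b") as f:
        data = f.read()
        index = data.find(b"\x00" * len(marker))
        if index < 0:
            raise ValueError("no slack space large enough to overwrite")
        f.seek(index)
        f.write(marker)


def demo():
    """Plant the bait, confirm it is untouched, simulate a cavity overwrite, re-check."""
    directory = tempfile.mkdtemp()
    baseline = create_bait_files(directory)
    before = check_bait_files(directory, baseline)
    simulate_cavity_overwrite(os.path.join(directory, "bait_padded.exe"))
    after = check_bait_files(directory, baseline)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives an empty list before the overwrite and `[("bait_padded.exe", True)]` after it; the `True` records that the size did not change, which is exactly why the hash comparison is needed. A real monitor would keep the baseline somewhere the virus cannot reach (or sign it) and re-check on a schedule or on file-access events.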
Many viruses are written to avoid suspicious programmes, particularly very small programme files or programmes that contain patterns of garbage instructions, since these are likely to be bait. Another avoidance strategy that makes baiting difficult is sparse infection: the virus declines to infect a file that would otherwise be an ideal host. For instance, a random process may decide whether or not to infect a given file, or the virus may only infect host files on particular days of the week.
Another way that viruses deceive anti-virus software is by intercepting the scanner's requests to the operating system to read a file. The virus handles the request itself and returns an uninfected version of the file, so the file appears to be clean. Because this only works while the virus is resident in memory, booting from a medium that you know to be absolutely clean, and scanning from there, is one reliable way to defeat this stealth.
An advanced method of avoidance is fairly simple in theory: the virus encrypts itself, so that an infected file contains a decrypting module and an encrypted copy of the virus code. A different encryption key may be used for each infected file, so that the only constant is the decrypting module. A scanner cannot detect the virus body by its signature, but it can still detect the decrypting module, which is an indirect method of detection, and the file would then be flagged as suspicious. Polymorphic viruses go a step further and also vary the code of the decrypting module from one infection to the next, leaving no fixed byte sequence to match.
Some viruses take sneaky tricks to a whole new level and completely rewrite themselves on each infection in order to avoid detection. These are metamorphic viruses, and they need a metamorphic engine to carry out the rewriting. They are large and complex, and most of their code is that engine.
When it comes to preventing viruses, there are two common methods of detection. The first is to use a list of virus signature definitions: the computer's memory and the files on fixed and removable drives are examined and compared against a database of byte patterns taken from known viruses. The downside is that you are only protected up to the date of your last update; if something new has been released and you haven't updated, you are vulnerable to it. The second method is to use a heuristic algorithm that identifies viruses by common behaviours or characteristics rather than exact patterns. This can catch viruses that the security firms have not yet written signatures for, at the cost of occasionally flagging legitimate software as suspicious. It is important to update your anti-virus software on a regular basis so that you can prevent the latest and most virulent threats from attacking your computer and destroying your data.
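The two points above, that the encrypted body of a self-encrypting virus defeats a signature on the body while the constant decryptor still gives the scanner something to match, and that a heuristic can flag what a signature cannot, put together as an added example that is not part of the original post. Everything here is constructed: the "virus body" is plain text, the decryptor stub is a made-up byte string standing in for a real decryption loop, the per-file key drives a SHA-256 counter-mode keystream (my choice of toy cipher, not anything a real virus is known to use), and the heuristic is a simple byte-entropy threshold.

```python
import hashlib
import math
from collections import Counter

# Constructed toy "virus body" and decryptor stub. Neither is real malware: the
# body is plain text and the stub bytes are invented for this example.
PAYLOAD = (b"TOY VIRUS BODY: this text stands in for the code a signature "
           b"scanner would normally match. ") * 4
DECRYPTOR_STUB = b"\xde\xc0\xde\x01\x02\x03\x04\x05\xfe\xed\xfa\xce"  # constant across files
KEY_LEN = 4

BODY_SIGNATURES = {"toy-virus-body": PAYLOAD[:32]}        # signature on the virus body
STUB_SIGNATURES = {"toy-decryptor-stub": DECRYPTOR_STUB}   # signature on the decryptor


def keystream(key, length):
    """Deterministic per-key keystream: SHA-256 in counter mode (example construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(data, key):
    """XOR data with the keystream derived from key; encryption and decryption are the same."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def package(payload, key):
    """Build what an encrypted virus leaves in a host: stub + key + encrypted body."""
    assert len(key) == KEY_LEN
    return DECRYPTOR_STUB + key + xor_bytes(payload, key)


def unpack(sample):
    """What the decryptor stub does at run time: read the key and decrypt the body."""
    start = len(DECRYPTOR_STUB)
    key = sample[start:start + KEY_LEN]
    return xor_bytes(sample[start + KEY_LEN:], key)


def signature_scan(data, signatures):
    """Return the names of all signatures whose byte pattern occurs in data."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def shannon_entropy(data):
    """Bits per byte: plain text sits around 4 to 5, encrypted data approaches 8."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(sample, signatures, entropy_threshold=6.0):
    """Signature match first; otherwise a simple heuristic on byte entropy."""
    hits = signature_scan(sample, signatures)
    if hits:
        return "infected:" + ",".join(hits)
    if shannon_entropy(sample) > entropy_threshold:
        return "suspicious:high-entropy"
    return "clean"


# Two "infected files" of the same toy virus, each with its own key.
SAMPLE_A = package(PAYLOAD, b"\x01\x02\x03\x04")
SAMPLE_B = package(PAYLOAD, b"\xaa\xbb\xcc\xdd")

if __name__ == "__main__":
    for name, sample in (("plain", PAYLOAD), ("file A", SAMPLE_A), ("file B", SAMPLE_B)):
        print(name, classify(sample, BODY_SIGNATURES), classify(sample, STUB_SIGNATURES))
```

With a signature taken from the body, the plain copy is caught but both encrypted files only reach the entropy heuristic and come back as "suspicious"; with a signature taken from the decryptor stub, both encrypted files are identified outright even though their body bytes differ. The heuristic verdict is deliberately "suspicious" rather than "infected": compressed archives and legitimately encrypted files also have high byte entropy, which is the false-positive cost of heuristics mentioned above.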
Recommended site: http://en.wikipedia.org/wiki/Computer_virus


