McAfee AVDCDE-BA-CA User Guide - Page 11
Particularly clever viruses can even subvert attempts to clear them from memory by trapping the CTRL+ALT+DEL keyboard sequence for a warm reboot, then faking a restart. Sometimes the only outward indication that anything on your system is amiss, before any payload detonates, might be a small change in the file size of infected legitimate software.

Stealth, mutation, encryption, and polymorphic techniques

Unobtrusive as they might be, changes in file size and other scant evidence of a virus infection usually give anti-virus software enough of a scent to locate and remove the offending code. One of the virus writer's principal challenges, therefore, is to find ways to hide his or her handiwork.

The earliest disguises were a mixture of innovative programming and obvious giveaways. The Brain virus, for instance, saved a copy of the original boot sector elsewhere on the disk and intercepted requests to read the boot sector, redirecting them away from the infected sector to that saved copy. This "stealth" capability enabled Brain and other viruses to hide from conventional search techniques that trusted what the disk reported.

Because viruses needed to avoid continuously reinfecting host systems (doing so would quickly balloon an infected file's size to easily detectable proportions, or would consume enough system resources to point to an obvious culprit), their authors also needed to tell them to leave already-infected files alone. They addressed this problem by having the virus write a characteristic byte sequence into each file it infected or, on 32-bit Windows operating systems, create a particular registry key, flagging infected files with the software equivalent of a "do not disturb" sign. Although that kept the virus from giving itself away immediately, it opened the way for anti-virus software to use the "do not disturb" sequence itself, along with other characteristic patterns that the virus wrote into the files it infected, as the virus's "code signature."
Most anti-virus vendors now compile and regularly update a database of virus "definitions" that their products use to recognize those code signatures in the files they scan. In response, virus writers found ways to conceal the code signatures. Some viruses would "mutate," transforming their code signatures with each new infection. Others encrypted themselves, and with them their code signatures, leaving only a short decryption routine and its key in the clear. The most sophisticated new viruses combined stealth, mutation, and encryption to appear in an almost undetectable variety of new forms. Finding these "polymorphic" viruses required software engineers to develop very elaborate programming techniques for anti-virus software.
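Added example, not code from the McAfee guide: a Python toy that walks through the three generations the preceding paragraphs describe. A scanner matches byte "definitions" (including the "do not disturb" infection marker) against a plain infection; an XOR-encrypted infection hides the body and leaves only a stub and key in the clear, so only the stub and marker signatures still hit; a polymorphic infection varies the key, filler and loop encoding per generation, so even the stub signature becomes unreliable while the marker still gives it away. Every byte string here (VIRUS_BODY, MARKER, the stub opcodes, the filler) and every function name is constructed for illustration and corresponds to no real virus; scan_decrypted is a deliberately simplified stand-in for the decrypt-then-match techniques the passage alludes to, not McAfee's implementation.

```python
"""Signature scanning versus encrypted and polymorphic code, on constructed
byte strings. Nothing here is real malware; the "virus" is a toy payload."""
import random

# --- Constructed sample data (all hypothetical) ------------------------------
VIRUS_BODY = b"\xE8\x00\x00\x00\x00\x5B" + b"TOY-VIRUS-BODY" + b"\x90" * 6
MARKER = b"DND!"                      # "do not disturb" infection marker
CLEAN_HOST = b"MZ" + b"\x00" * 14 + b"hello, world"
KEYLOAD = b"\xB0"                     # stub opcode that precedes the one-byte key
LOOPS = [b"\x30\x07\xE2\xFC", b"\x32\x07\xE2\xFC"]   # two equivalent decrypt loops
JUNK = [b"\x90", b"\x87\xC0", b"\x8B\xC0"]            # do-nothing filler bytes

# --- Scanner: "definitions" are byte signatures ------------------------------
SIGNATURES = {
    "toy.body": VIRUS_BODY[6:20],     # slice of the plaintext body
    "toy.stub": LOOPS[0],             # the first-generation decryptor loop
    "toy.marker": MARKER,             # the infection marker itself
}

def scan(data, signatures=SIGNATURES):
    """Static scan: names of every signature that occurs verbatim in data."""
    return [name for name, sig in signatures.items() if sig in data]

def xor(data, key):
    return bytes(b ^ key for b in data)

def scan_decrypted(data):
    """Simplified decrypt-then-match: read the key the stub loads, XOR the
    tail of the file with it, then look for the plaintext body signature."""
    i = data.find(KEYLOAD)
    if i < 0 or i + 1 >= len(data):
        return []
    key = data[i + 1]
    hit = SIGNATURES["toy.body"] in xor(data[i + 2:], key)
    return ["toy.body(decrypted)"] if hit else []

def detect(data):
    """Static signatures first, then the decrypting pass."""
    return scan(data) + scan_decrypted(data)

# --- Three generations of infector -------------------------------------------
def infect_plain(host):
    """Append the body and mark the host; marked hosts are left alone."""
    if host.endswith(MARKER):
        return host
    return host + VIRUS_BODY + MARKER

def infect_encrypted(host, key):
    """Body XORed with key; a constant stub and the key stay in the clear."""
    if host.endswith(MARKER):
        return host
    return host + KEYLOAD + bytes([key]) + LOOPS[0] + xor(VIRUS_BODY, key) + MARKER

def infect_polymorphic(host, key, variant):
    """Same behaviour, different bytes: key, filler and loop encoding vary."""
    if host.endswith(MARKER):
        return host
    stub = (JUNK[variant % 3] + KEYLOAD + bytes([key])
            + JUNK[(variant // 3) % 3] + LOOPS[variant % 2])
    return host + stub + xor(VIRUS_BODY, key) + MARKER

if __name__ == "__main__":
    print("plain      :", detect(infect_plain(CLEAN_HOST)))
    print("encrypted  :", detect(infect_encrypted(CLEAN_HOST, 0x5A)))
    rng = random.Random(7)
    for _ in range(3):
        sample = infect_polymorphic(CLEAN_HOST, rng.randrange(1, 256), rng.randrange(18))
        print("polymorphic:", detect(sample))
```

Run it and the plain sample trips both the body and marker signatures, the encrypted sample trips only the stub and marker statically but is caught once the tail is XORed back, and the polymorphic samples trip the stub signature only when the first loop encoding happens to be chosen. The marker hits every time, which is exactly the giveaway the passage describes. A second infection of an already-marked host returns it unchanged, so file size does not keep growing.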