FUNGENA.CVP 911202

Detection avoidance

Viral programs have almost no defence at all against disinfection. 99% of viri are almost trivially simple to get rid of, simply by replacing the "infected" file (or boot sector) with an original copy. (Some more recent boot sector and system viri require slightly more knowledge in order to perform effective disinfection: none require drastic measures.) Far from their image as the predators of the computer world, viral programs behave much more like prey. Their survival is dependent upon two primary factors: reproductive ability and avoidance of detection.

Using the standard system calls to modify a file leaves very definite traces. The change in a file "creation" or "last modified" date is probably more noticeable than a growth in file size. File size is rather meaningless, whereas dates and times do have significance for users. Changing the date back to its original value, however, is not a significant programming challenge.

Adding code while avoiding a change in file size is more difficult, but not impossible. Overwriting existing code and adding code to "unused" portions of the file or disk are some possible means. (The fictional rogue program P1, in Thomas Ryan's "The Adolescence of P1", avoided problems of detection by analyzing and rewriting existing code in such a manner that the programs were more compact and ran more efficiently. Such activity has not yet, alas, been discovered in any existing virus.)

Some viral programs, or rather, virus authors, rely on psychological factors. There are a number of examples of viri which will not infect program files under a certain minimum size, knowing that an additional 2K is much more noticeable on a 5K utility than on a 300K spreadsheet.

In a sense these are all "stealth" technologies, but this term is most often used for programs which attempt to avoid detection by trapping calls to read the disk and "lying" to the interrogating program. By so doing, they avoid any kind of detection which relies upon perusal of the disk. The disk gives back only that information regarding file dates, sizes and makeup which was appropriate to the original situation. (This also relies upon the virus being "active" at the time of checking.) Although this method avoids any kind of "disk" detection, including checksumming and signature scanning, it leaves traces in the computer's memory which can be detected. (Some viral programs also try to "cover their tracks" by watching for any analysis of the area they occupy in memory and crashing the system, but this tends to be noticeable behaviour ... )

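As an added example (not part of Slade's text), the following Python integrity checker records the three traces the paragraphs above name, file size, modification date and a checksum of the file's bytes, and applies them to a constructed stand-in file: restoring the date hides only the date, and a size-preserving overwrite still changes the checksum. It assumes a POSIX filesystem, and, as the stealth paragraph warns, its reads are only trustworthy while no resident program is intercepting them.

```python
import hashlib
import os
import tempfile

ORIGINAL = b"\x90" * 32  # constructed stand-in for a small, unmodified utility


def fingerprint(path):
    """Record what an integrity checker can observe about a file on disk."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "atime_ns": st.st_atime_ns, "sha256": digest}


def changed_fields(baseline, current):
    """Names of the observable fields that differ from the baseline."""
    return [k for k in ("size", "mtime_ns", "sha256") if baseline[k] != current[k]]


def restore_dates(path, baseline):
    """Put the original timestamps back, the cheap trick the text describes.
    (utime cannot touch a Unix ctime; DOS files had no such field.)"""
    os.utime(path, ns=(baseline["atime_ns"], baseline["mtime_ns"]))


def simulate_modifications():
    """Apply the two modification styles from the text; report what still shows."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "UTIL.COM")
        # Case 1: append code, then restore the timestamps.
        with open(path, "wb") as f:
            f.write(ORIGINAL)
        base = fingerprint(path)
        with open(path, "ab") as f:
            f.write(b"\xcc" * 8)
        restore_dates(path, base)
        results["append_restore_dates"] = changed_fields(base, fingerprint(path))
        # Case 2: overwrite bytes in place (size unchanged), then restore timestamps.
        with open(path, "wb") as f:
            f.write(ORIGINAL)
        base = fingerprint(path)
        with open(path, "r+b") as f:
            f.write(b"\xcc" * 8)
        restore_dates(path, base)
        results["overwrite_restore_dates"] = changed_fields(base, fingerprint(path))
    return results


if __name__ == "__main__":
    for case, fields in simulate_modifications().items():
        print(f"{case}: checker sees change in {fields or 'nothing'}")
```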
copyright Robert M. Slade, 1991 FUNGENA.CVP 911202