The billion (actually multi-billion) dollar question that dogs the anti-virus industry day-to-day is: “How are viruses hiding themselves on compromised machines and how can we find them?” This is complicated by both technology and market forces that often put the antivirus industry at odds with the software companies in need of detection and protection.
With this article, we will begin a 5-part series that catalogues and describes 5 major ways viruses hide themselves and avoid detection once they are on your machine. We’ll be digging a bit deeper on a technical level – so be forewarned. But, if you stay with us, you’ll end up with a solid foundation that will help you understand a fundamental area of computer security and make good decisions that help you keep yourself and your business safe.
First, let’s start with a little history. In the beginning, in the MS-DOS world, viruses and anti-virus software were crude and simple. One of the most common ways of hiding was for the virus to avoid modifying the ‘last updated’ date of the Windows hosts file. This approach worked for a short while and was then beaten by the anti-virus industry through such measures as executing regular, cyclical checks on file changes – not just the date. Techniques such as comparing the data’s string structure and comparing file sizes for changes were used.
File size comparison was soon easily beaten too: virus creators discovered that many executable files have empty gaps in them – gaps that could be identified and filled without changing the overall file size. At the time, a virus wouldn’t be much larger than 1K, so it fit comfortably inside such a gap. This technique is still in use today.
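To make the detection side of this history concrete, here is an added example (not code from the original article) showing why a date-only or size-only check is weak and a content hash is not. It builds a constructed dummy file with a zero-filled gap, simulates an in-place write into that gap that also restores the original timestamp, and then runs the three checks described above: date, size and content. The file layout, the marker string and the helper names are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """What an integrity checker records about a file the first time it sees it."""
    mtime_ns: int   # 'last updated' timestamp (the only thing early scanners compared)
    size: int       # file size in bytes
    sha256: str     # content digest


def take_baseline(path: str) -> Baseline:
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return Baseline(st.st_mtime_ns, st.st_size, digest)


def check(path: str, baseline: Baseline) -> dict:
    """Run the three historical checks and report which ones flag a change."""
    current = take_baseline(path)
    return {
        "date": current.mtime_ns != baseline.mtime_ns,
        "size": current.size != baseline.size,
        "content": current.sha256 != baseline.sha256,
    }


def simulate_gap_fill(path: str) -> None:
    """Constructed simulation of the 'fill the empty gap' trick on a dummy file:
    overwrite bytes inside a zero-filled region (size unchanged) and then put the
    original modification time back (date unchanged). Only the bytes differ."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        data = f.read()
        gap = data.find(b"\x00" * 64)        # locate a zero-filled gap
        assert gap != -1, "constructed file should contain a gap"
        f.seek(gap)
        f.write(b"CONSTRUCTED-MARKER")       # same length stays inside the gap
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))   # restore timestamp


def demo() -> dict:
    """Build the constructed file, baseline it, simulate the gap write, re-check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        # Constructed layout: a header, some filler, a 256-byte zero gap, a trailer.
        with open(path, "wb") as f:
            f.write(b"HEADER" + b"\x90" * 100 + b"\x00" * 256 + b"TRAILER")
        baseline = take_baseline(path)
        simulate_gap_fill(path)
        return check(path, baseline)


if __name__ == "__main__":
    # Expected: date and size checks are silent, only the content hash fires.
    print(demo())
```

The date and size checks both come back clean because neither attribute moved, while the SHA-256 comparison catches the change. On POSIX systems the inode change time (`st_ctime_ns`) is also worth recording: unlike the modification time, an unprivileged process cannot set it back, and both the write and the `utime()` call advance it.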
Another older, common hiding technique is to kill or intercept the task requested by the anti-virus software before it can detect the virus. This is done by injecting new logic into weaknesses in the Windows operating system.
Those are the basics. In the coming series we will look at 5 more advanced ways viruses hide themselves. They are:
- Read/request intercepts
- Through self-modification
- By encrypting the virus itself
- Through the use of polymorphic code
- Through the use of metamorphic code