Ever wonder how viruses hide themselves from anti-virus programs? Here are five ways.
Read Request Intercepts
Read request intercepts take advantage of the fact that no program, anti-virus software included, reads a file straight off the disk. Every read goes through the Windows OS: the anti-virus program sends the OS a read request for the file it wants to examine, and it trusts whatever the OS hands back. It goes a little like this:
AV program: “Hey Windows! I want to examine file name 22450d384281.dll to see if there’s a virus hiding in there. Can you please let me read it?”
Windows OS: “OK, I recognize you as one of the good guys. I’ll let you read the file and look. One sec. OK, you have access.”
AV Program: “Thanks Windows.”
Windows OS: “NP.”
What does a virus trying to hide itself in this situation do? It impersonates the Windows OS to the anti-virus software. In other words, it intercepts the AV program’s request and either denies it or hands back a fake, clean version of the requested file. The interception is made possible by hooking the code path that services the read: patching the OS’s system service table or a file-system API in memory, or sitting in the I/O stack as a filter driver. This is classic rootkit behaviour.
Finding and preventing this is very hard. Security software companies use several techniques. They might examine what’s known as the virus signature, comparing a sample against known samples of one or more viruses (what does its code profile look like?), or compare the file to a working database of Windows OS files known to be clean. Neither helps much when the hook serves a genuinely clean file in place of the infected one. The check that actually catches a read hook is a cross-view comparison: read the same file through the normal API and again straight off the disk, and flag any disagreement.
It’s a hit or miss process that extends the working life of a virus until the hook is identified and a detection or patch is written. Then those updates have to work their way to the consumer.
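The exchange above and the cross-view check, as an added example that is not from the original article: a Python model in which file reads go through a dispatch table (standing in for the OS’s system service table), a hook that swaps a clean decoy in for one file, and a detector that compares the API view with a raw-disk read. The paths, file contents, the EVIL_PAYLOAD_v1 marker and the known-good hash database are constructed for the demonstration.

```python
import hashlib

# Constructed "volume": what is really on disk. Paths and contents are
# hypothetical stand-ins; the marker string plays the role of a signature.
RAW_DISK = {
    r"C:\Windows\System32\kernel32.dll": b"MZ\x90\x00...clean library code...",
    r"C:\Windows\System32\22450d384281.dll": b"MZ\x90\x00...EVIL_PAYLOAD_v1...",
}
CLEAN = r"C:\Windows\System32\kernel32.dll"
INFECTED = r"C:\Windows\System32\22450d384281.dll"
DECOY = b"MZ\x90\x00...clean library code..."   # what the hook serves instead

SIGNATURES = [b"EVIL_PAYLOAD_v1"]
KNOWN_GOOD_HASHES = {hashlib.sha256(DECOY).hexdigest()}  # "clean OS files" database


def raw_read(path: str) -> bytes:
    """Read the file's bytes straight off the volume, bypassing the OS service."""
    return RAW_DISK[path]


# Every caller reaches file I/O through this dispatch table; it is what a
# kernel hook (patched service table, inline hook, filter driver) rewrites.
SERVICE_TABLE = {"read": raw_read}


def os_read(path: str) -> bytes:
    """The read request an AV program sends to the OS."""
    return SERVICE_TABLE["read"](path)


def install_read_hook(hidden_path: str, decoy: bytes) -> None:
    """Rootkit side: wrap the real service so one path returns a clean decoy."""
    original = SERVICE_TABLE["read"]

    def hooked_read(path: str) -> bytes:
        if path == hidden_path:
            return decoy            # lie to whoever asked
        return original(path)       # pass everything else through untouched

    SERVICE_TABLE["read"] = hooked_read


def remove_read_hook() -> None:
    SERVICE_TABLE["read"] = raw_read


def signature_scan(data: bytes) -> bool:
    return any(sig in data for sig in SIGNATURES)


def known_good(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in KNOWN_GOOD_HASHES


def cross_view_check(path: str) -> bool:
    """Detector side: True when the API view and the raw-disk view disagree."""
    return os_read(path) != raw_read(path)


def demonstrate() -> dict:
    """Scan the infected file before and after the hook, then cross-view it."""
    remove_read_hook()
    before = signature_scan(os_read(INFECTED))
    install_read_hook(INFECTED, DECOY)
    result = {
        "detected_before_hook": before,                                # True
        "detected_after_hook": signature_scan(os_read(INFECTED)),      # False
        "decoy_passes_known_good_db": known_good(os_read(INFECTED)),   # True
        "cross_view_flags_infected": cross_view_check(INFECTED),       # True
        "cross_view_flags_clean": cross_view_check(CLEAN),             # False
    }
    remove_read_hook()
    return result


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The known-good database passes the decoy precisely because the decoy is a real clean file; only the raw read, which does not go through the hooked table, exposes the lie.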
This is a great example of how a system protected by a current anti-virus/anti-malware program can still be insecure.
Self Modification
Viruses, like Woody Allen in ‘Zelig’, have the ability to change their identity and look and feel. One method of doing this is called ‘self-modification’.
Understanding self-modification requires understanding how anti-virus programs scan for virus signatures. Basically, they scan the files on your computer, extract byte sequences from them and compare those against a database of known virus snippets. It’s not unlike taking a section of one’s DNA and comparing it to the same section of the same DNA: you would see a perfect match.
That’s how it works in theory, but in practice it is not failsafe. To do it with certainty the anti-virus software would have to compare every complete virus against every file on the computer it’s protecting, which is far too slow. Instead, anti-virus companies use short snippets of each virus, more like search strings, and the shorter the string, the easier it is to alter.
Here’s where self-modification enters the picture. Some classes of viruses hide themselves by tracking the code snippets anti-virus programs use to identify them and then altering that snippet every time the virus is injected into a new machine, for example by changing the constants in a loop. They change their signature so that it is unique on every infected machine. The anti-virus program is then duped: it gets no positive matches and believes no virus is present. The vendors’ answer is to write signatures that wildcard the bytes that vary and match only on the instruction bytes the virus cannot change without changing what it does.
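Signature matching and the per-infection tweak it has to survive, as an added example not from the original article: the decryptor loop is assembled from real x86 encodings with assumed values for the loop count, body address and key, the first signature is a byte-for-byte copy of the captured sample, and the second wildcards the immediates. The function and signature names are my own.

```python
import re
from typing import Dict, List


def build_decryptor(count: int, body_addr: int, key: int) -> bytes:
    """Assemble a minimal x86 XOR-decryptor loop (real encodings, assumed values).

        b9 imm32        mov  ecx, count
        be imm32        mov  esi, body_addr
        80 36 ib        xor  byte [esi], key
        46              inc  esi
        e2 fa           loop -6  (back to the xor)
    """
    return (b"\xb9" + count.to_bytes(4, "little")
            + b"\xbe" + body_addr.to_bytes(4, "little")
            + b"\x80\x36" + bytes([key])
            + b"\x46" + b"\xe2\xfa")


def compile_signature(sig: str) -> re.Pattern:
    """Turn 'b9 ?? ?? ?? ?? be' into a bytes regex; '??' matches any one byte."""
    parts = sig.split()
    pattern = b"".join(b"." if p == "??" else b"\\x%02x" % int(p, 16) for p in parts)
    return re.compile(pattern, re.DOTALL)


# The virus as first captured: hypothetical body address and key.
FIRST_SAMPLE = build_decryptor(0x10, 0x401040, 0x5A)

SIGNATURES: Dict[str, str] = {
    # Naive signature: every byte of the captured decryptor, immediates included.
    "exact": " ".join(f"{b:02x}" for b in FIRST_SAMPLE),
    # Robust signature: opcodes fixed, the per-infection immediates wildcarded.
    "wildcard": "b9 ?? ?? ?? ?? be ?? ?? ?? ?? 80 36 ?? 46 e2 fa",
}
COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def scan(data: bytes) -> List[str]:
    """Names of the signatures found in data."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def self_modified_copy(body_addr: int, key: int) -> bytes:
    """The virus on a new host: same loop, different immediates."""
    return build_decryptor(0x10, body_addr, key)


if __name__ == "__main__":
    print("first sample:", scan(FIRST_SAMPLE))                          # ['exact', 'wildcard']
    print("modified copy:", scan(self_modified_copy(0x402000, 0x37)))   # ['wildcard']
```

The exact signature dies with the first copy that picks a new key or lands at a new address; the wildcarded one keeps matching because the opcode bytes are the part the virus has to keep.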
Self-Encryption
Viruses use encryption to avoid signature detection in three common ways.
The first is an older, very small-footprint type of encryption that uses the XOR cipher.
An XOR cipher is a simple form of encoding that XORs each byte of the input with a key to produce the output. XOR is its own inverse, so it doesn’t need a separate algorithm to decipher it: running the same operation again gives back the original. A virus maker XORs each byte of the virus with a constant value and prepends a few instructions that XOR it back at run time. In this way the virus body remains hidden from a plain string scanner but can be unpacked and used easily. The catch is that the decryptor loop itself is not encrypted and barely changes, so that is what the scanner ends up signing, and a one-byte key gives only 256 possibilities, so a scanner can simply try them all before matching.
The second way is a bit of a blunt instrument: the virus encrypts its entire body with a proper cipher, leaving only the encrypted blob, a decryptor and the key it needs. This would not trigger a signature scanner on the body, because the scanner couldn’t identify the encrypted module as anything, but the AV program might recognize the decryptor and the embedded key. Nowadays, when anti-virus software encounters a large chunk of high-entropy data inside an executable, the entropy itself is a heuristic indicator, and the product will typically emulate or sandbox the sample rather than pass it. Used on its own, this method is rare today.
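The first two encryption methods side by side, as an added example that is not part of the original article: a single-byte XOR body with its decryptor stub, a scanner that brute-forces the 256 keys, a wildcard match on the stub, and a Shannon entropy measure that shows why a one-byte XOR does not raise the entropy flag that a properly encrypted body does. The virus body, the INFECT_ROUTINE_V1 signature, the stub bytes and the SHA-256 counter-mode keystream (a stand-in for a real cipher, not one to deploy) are constructed for the demonstration.

```python
import hashlib
import math
import re
from collections import Counter
from typing import Optional

# Constructed virus body: a few code bytes plus a string a scanner would key on.
BODY = (b"\x55\x89\xe5\x83\xec\x10"
        + b"INFECT_ROUTINE_V1: open host, append body, patch entry point\x00") * 24
SIGNATURE = b"INFECT_ROUTINE_V1"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def infect_xor(body: bytes, key: int) -> bytes:
    """Hypothetical decryptor stub (carries the key) followed by the XORed body."""
    stub = b"\x80\x36" + bytes([key]) + b"\x46\xe2\xfa"   # xor byte [esi],key ; inc esi ; loop
    return stub + xor_bytes(body, key)


def naive_scan(sample: bytes) -> bool:
    return SIGNATURE in sample


def xor_bruteforce_scan(sample: bytes) -> Optional[int]:
    """Try every one-byte key; return the key that reveals the signature, else None."""
    for key in range(256):
        if SIGNATURE in xor_bytes(sample, key):
            return key
    return None


STUB_PATTERN = re.compile(rb"\x80\x36.\x46\xe2\xfa", re.DOTALL)


def stub_scan(sample: bytes) -> bool:
    """The decryptor itself is never encrypted: sign it with the key byte wildcarded."""
    return STUB_PATTERN.search(sample) is not None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) up to 8.0 (uniformly random)."""
    counts, n = Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def keystream_encrypt(data: bytes, key: bytes) -> bytes:
    """Counter-mode keystream derived from SHA-256: a stand-in for a real cipher."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(4, "little")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def demonstrate() -> dict:
    sample = infect_xor(BODY, 0x5A)
    strong = keystream_encrypt(BODY, b"constructed-32-byte-key-example!")
    return {
        "naive_scan_on_xor_sample": naive_scan(sample),          # False
        "bruteforce_recovers_key": xor_bruteforce_scan(sample),   # 0x5a
        "stub_signature_hits": stub_scan(sample),                 # True
        "entropy_plain": shannon_entropy(BODY),
        "entropy_xor": shannon_entropy(xor_bytes(BODY, 0x5A)),    # identical to plain
        "entropy_strong": shannon_entropy(strong),                # close to 8
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

A single-byte XOR only permutes the byte values, so the histogram, and with it the entropy, is unchanged; a real cipher pushes the body to nearly 8 bits per byte, which is what the entropy heuristic keys on.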
The third way a virus uses encryption to avoid detection is as a dormant payload: the virus sits encrypted inside an executable file, waiting for a defined set of conditions before it decrypts itself and executes. This is sometimes called cryptovirology, but strictly that term (from Young and Yung) refers to malware that uses cryptography against the victim, as ransomware does; a payload that waits for a trigger is a logic bomb. The most common scenario of this type is having the latent virus wait until the computer’s anti-virus software is disabled, either manually or during an update. The encrypted virus identifies that situation and then acts: it decrypts itself and infects the machine. As an added insult, a virus like this will often also try to keep the anti-virus software disabled.
Polymorphic Viruses
The advent of polymorphic viruses threw down a new gauntlet at the feet of anti-virus software makers. Polymorphic viruses make signature-based detection far harder than any previous virus-hiding technique.
A polymorphic virus contains what is known as a polymorphic, or mutation, engine. On every infection, or when certain criteria are met, this engine re-generates key parts of the virus, classically the decryptor loop that unpacks the encrypted body, so that they accomplish the same function via different code: swapping equivalent instructions, renaming registers, splitting constants, inserting junk instructions and picking a fresh encryption key. This makes them far harder to identify with a fixed signature.
A perfectly written polymorphic virus would share no byte sequence with the same virus on a different machine. This is theoretically possible, and such a virus would be unbeatable by static signature matching alone. What it cannot hide is behaviour: the decryptor has to produce the same body on every machine, so scanners run the suspect code in an emulator until the body is decrypted in emulated memory and scan that instead.
The rate at which polymorphic viruses change varies, and for different reasons. A virus writer might not want the virus to change as fast as possible; it might change only upon certain actions. The benefit is that the virus doesn’t give anti-virus researchers many samples of its variants to reverse engineer, so it goes unidentified for longer and does more damage.
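A polymorphic engine and the emulator that defeats it, as an added example not from the original article. It runs on a tiny register machine of my own (four 8-bit registers, 3-byte instructions, data memory separate from code) rather than on x86, so that it fits here and can be run safely: mutate() renames registers, splits or masks constants, swaps ADDI/SUBI for their mod-256 equivalents and inserts junk that only touches the free register; infect() draws a fresh key and a fresh decryptor variant on every infection; recover() is the scanner side, running the variant in emulate() and reading the decrypted body back out of memory. Every name in it is an assumption of this example.

```python
import random
from typing import Tuple

NREG = 4
OPCODES = {"LOADI": 1, "XORM": 2, "ADDI": 3, "SUBI": 4,
           "JNZ": 5, "NOP": 6, "XORR": 7, "HALT": 8}
START = 0x80          # where the encrypted body sits in the 256-byte data memory


def assemble(prog: list) -> bytes:
    """Encode a labelled instruction list as fixed 3-byte words [opcode, a, b]."""
    labels, n = {}, 0
    for ins in prog:                      # first pass: resolve labels
        if ins[0] == "LABEL":
            labels[ins[1]] = n
        else:
            n += 1
    out = bytearray()
    for ins in prog:                      # second pass: emit words
        if ins[0] == "LABEL":
            continue
        a = ins[1] if len(ins) > 1 else 0
        b = ins[2] if len(ins) > 2 else 0
        if ins[0] == "JNZ":
            b = labels[b]                 # absolute instruction index
        out += bytes([OPCODES[ins[0]], a, b])
    return bytes(out)


def emulate(code: bytes, mem: bytearray, max_steps: int = 20000) -> bytearray:
    """Scanner-side virtual CPU: run the stub against data memory, return memory."""
    r, pc = [0] * NREG, 0
    for _ in range(max_steps):
        op, a, b = code[pc * 3:pc * 3 + 3]
        pc += 1
        if op == 1: r[a] = b                                    # LOADI r, imm
        elif op == 2: mem[r[a]] ^= r[b]                         # XORM: mem[ra] ^= rb
        elif op == 3: r[a] = (r[a] + b) & 0xFF                  # ADDI r, imm
        elif op == 4: r[a] = (r[a] - b) & 0xFF                  # SUBI r, imm
        elif op == 5: pc = b if r[a] else pc                    # JNZ r, target
        elif op == 7: r[a] ^= r[b]                              # XORR ra, rb
        elif op == 8: return mem                                # HALT
        elif op != 6: raise ValueError(f"bad opcode {op}")      # 6 is NOP
    raise RuntimeError("step limit hit")


def decryptor(key: int, start: int, length: int) -> list:
    """The plain decryptor: R0 = key, R1 = pointer, R2 = counter, R3 unused."""
    return [("LOADI", 0, key), ("LOADI", 1, start), ("LOADI", 2, length),
            ("LABEL", "loop"),
            ("XORM", 1, 0), ("ADDI", 1, 1), ("SUBI", 2, 1), ("JNZ", 2, "loop"),
            ("HALT",)]


def mutate(prog: list, rng: random.Random) -> list:
    """Polymorphic engine: rename registers, rewrite constants, swap equivalent
    instructions and insert junk that only touches the free register."""
    perm = list(range(NREG))
    rng.shuffle(perm)
    scratch = perm[3]
    out = []
    for ins in prog:
        op = ins[0]
        if op == "LABEL":
            out.append(ins)
            continue
        for _ in range(rng.randint(0, 2)):        # junk: no effect on R0..R2 or memory
            out.append(rng.choice([("NOP",), ("ADDI", scratch, rng.randrange(256)),
                                   ("XORR", scratch, scratch)]))
        if op == "LOADI":
            r, imm = perm[ins[1]], ins[2]
            if rng.random() < 0.5:                # LOADI r, imm-d ; ADDI r, d
                d = rng.randint(1, 255)
                out += [("LOADI", r, (imm - d) & 0xFF), ("ADDI", r, d)]
            else:                                 # LOADI s, m ; LOADI r, imm^m ; XORR r, s
                m = rng.randrange(256)
                out += [("LOADI", scratch, m), ("LOADI", r, imm ^ m), ("XORR", r, scratch)]
        elif op in ("ADDI", "SUBI") and rng.random() < 0.5:   # r+k == r-(256-k) mod 256
            out.append(("SUBI" if op == "ADDI" else "ADDI", perm[ins[1]], (-ins[2]) & 0xFF))
        elif op in ("ADDI", "SUBI", "JNZ"):
            out.append((op, perm[ins[1]], ins[2]))
        elif op == "XORM":
            out.append((op, perm[ins[1]], perm[ins[2]]))
        else:
            out.append(ins)                       # HALT
    return out


def infect(body: bytes, rng: random.Random) -> Tuple[bytes, bytes]:
    """One infection: fresh key, fresh decryptor variant, body re-encrypted."""
    key = rng.randint(1, 255)
    stub = assemble(mutate(decryptor(key, START, len(body)), rng))
    return stub, bytes(b ^ key for b in body)


def recover(stub: bytes, encrypted: bytes) -> bytes:
    """What an emulating scanner sees after letting the decryptor run."""
    mem = bytearray(256)
    mem[START:START + len(encrypted)] = encrypted
    emulate(stub, mem)
    return bytes(mem[START:START + len(encrypted)])


def demonstrate(seed: int, n: int, body: bytes = b"INFECT_ROUTINE_V1") -> Tuple[bool, int, bool]:
    """(every variant emulates back to body, number of distinct stubs,
    whether body ever appeared in plain in an infected image)."""
    rng = random.Random(seed)
    stubs, all_ok, body_visible = set(), True, False
    for _ in range(n):
        stub, enc = infect(body, rng)
        all_ok = all_ok and recover(stub, enc) == body
        body_visible = body_visible or body in stub + enc
        stubs.add(stub)
    return all_ok, len(stubs), body_visible
```

Every variant has different bytes, so a fixed signature on the stub fails, and the body is never on disk in plain; yet every variant decrypts the same body, which is exactly what the emulator harvests for the scanner. The same substitutions applied to the whole program, rather than just the decryptor, are what a metamorphic engine does.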
Metamorphic Viruses
Metamorphic viruses represent the end of the road in present-day virus detection and avoidance. Think of a metamorphic virus as a polymorphic virus on steroids. Instead of changing parts of itself for each new infection or under certain defined criteria, a metamorphic virus COMPLETELY rewrites itself each time it infects a new target, with no encrypted body underneath for an emulator to recover.
This requires a metamorphic engine. The difference between poly- and metamorphic is one of scale and code base. Because it carries the code to rewrite itself, a metamorphic virus is usually quite large in file size, often too large to be practical as a consumer-targeted virus. One such metamorphic virus, W32/Simile, contained more than 14,000 lines of assembly code, the vast majority of which was the engine.
But faster processors and larger disk drives are making metamorphic viruses more feasible in more situations. The only ways an anti-virus product can try to identify metamorphic viruses are through emulation, running the sample and recognizing what it does rather than how it is written, or through statistical pattern analysis of the virus body, such as comparing opcode-frequency profiles against those of known families. Neither technique offers the confidence of a signature match, which, as we know, has its own issues.