How Antivirus Software Works & Different Types of Viruses

04-01-2013, 05:02 PM
I tried my best to make it look clean, but if I missed anything please let me know via PM.

Table of Contents:

Pattern Matching
Detecting Injections
Deeper Threats
Protection/Virtual Machines
More Information
Closing Statement

While there are many different styles of viruses and attacks, a lot of antivirus software deployed relies on currently known threats or vulnerabilities. It is hard to defend against an unknown vector of attack (I use virus here generically), but some basic attacks/detections are as follows:

An easy way to detect if a file has been altered is the size of the file. Some viruses like to tack on their malicious code at the end of the file, and that is a dead giveaway when an antivirus scanner scans it. It compares the before and after sizes, and if there has been no modification by the user, it suspects some malicious activity. This used to be the case a very long time ago, but it hasn't been a reliable vector for a long time. Documents, for example, change size even when you open and close them without saving in some applications (as they'll save metadata when you close the document). For system files there's also the problem of software updates, which are much more prevalent than they used to be. These days cryptographic hashing is relied upon far more than size, and only in limited circumstances. AV products that do automatic inspection of files on write tend to use hooks or file notification signals (but usually hooks, so they get it before it's written). Interestingly, a lot of modern malware also hooks the same routines to infect files or bypass detection.

Pattern Matching
Viruses often have a telltale signature that they use to infect your computer. It could be a couple of lines of assembly code that overwrite the stack pointer and then jump to a new line of code, it could be a certain series of commands that throw an error in a common application, or it could be using an unchecked overflow or memory leak to grab an exception thrown. Regardless, a lot of infectious software uses a reproducible exploit that is found on the target operating system or application, and those telltale signs (because they have been spotted before) go into a huge database of known exploits and vulnerabilities. When your antivirus scans through, it checks your programs for these malicious activities.

There are two types of pattern matching (some AV vendors would say the latter doesn't fall into pattern matching, although watching the way many of the AV products I've seen work, I would sometimes disagree) - signatures and heuristics. Signatures are downloaded periodically in the form of a database file and contain strings and patterns to check for. This is where the bulk of a typical AV's detection comes from and is failing, so heuristics (a term used incorrectly in AV marketing for techniques that check for anything from fuzzy logic patterns to a series of 'indicators of compromise' or suspicious activity) are used to bolster this. Most of the products I've looked at don't use heuristics in the traditional (computer science) sense of the term. In fact if you check the link you'll see 'heuristic signatures' referenced.

A common example of this is when an AV has certain hooks into events on Windows that might suggest suspicious activity.
"An application has connected to the internet for the first time" would be an example heuristic - your integrated suite might ask you whether or not you want to permit this but would typically record on a permitted/banned list.
"A known non-Internet using application (such as calc.exe) has connected to the Internet" - This might be more of an indicator of compromise or 'heuristic signature' that points to highly suspicious activity.
"A process has created a thread in a different process and injected code into it" - you'd be surprised how often this happens in Windows systems, but it's also a sign that something suspicious might be going on. If the target process was lsass.exe for example, it would be highly suspicious.

Detecting Injections
Since viruses like to use these known exploits, malware writers sometimes like to inject code into pre-existing programs, like when you 'accidentally' installed that malicious program. These kinds of attacks typically inject code into dead regions of documents or files, and use a jump to go to the malicious code. To explain further, since blocks of memory are allocated to files, sometimes the very end of the memory block does not get used up, or in some cases, there are certain exploits within certain types of files that have legacy sections that are no longer used. This legacy section is a perfect spot to hide malicious code, since it does not increase the size of your program or file. An injection attack uses the initial startup code to 'jump' to the malicious code, and then 'jump' back, making it seem like nothing was ever wrong, and your program boots up perfectly. There are many, many variations of this attack, but an antivirus program typically looks for those strange 'jumps' and code that looks like it doesn't belong in certain sections.

This is known as the classic stack-based buffer overflow which now no longer results in execution of arbitrary code on modern Windows platforms (without a lot of extra fussing around that may or may not work) due to architectural changes at the software and hardware level.

The OS tends to pick this up. AV sometimes has some protective measures that would spot things like this but typically hasn't needed it to a great extent since Windows XP SP2 (due to changes there). AV should never mess with the OS memory management as this can have unintended and violent consequences for your computer.

Some antivirus programs analyze the programs/files byte for byte, and literally compute the SHA-1 hash of the item they are inspecting. They store every single hash for everything on your system, and if the program has been modified it will not compute the same hash (that is the whole point of a hash, it changes drastically if only a tiny bit of the program/file changes). This detection is flawed, because if the virus discovers where all the hashes are stored or the algorithm used, it can overwrite the 'secure' hash with the malicious one and the antivirus will never know.

Deeper Threats
Whenever you start your computer, or plug an external device into it (hard drive, CD, USB), there are core drivers or 'code' that run to set up the connections from your computer to the external device. Some viruses exploit this when the connection is being established, and could either execute arbitrary code (instead of the connection code) or can become a man in the middle, where everything acts fine but the virus is actually the one creating the connection, as well as inserting its own code wherever it feels like. Since these threats can work themselves deep within the operating system and core functions, these are extremely hard to detect. If the deeper OS calls are not compromised, like the antivirus calls to the OS, then these attacks can be detected. If the whole system is compromised, then the virus is embedded so deep that you sometimes have no choice but to wipe it and hopefully do a fresh install. If the code that starts up your operating system is compromised, you have even bigger problems because wiping will not get rid of it.

A good way to protect yourself is with the use of Virtual Machines.

Virtual Machines
There are ways to strip some basic encryptions, though the easy method to detect encrypted viruses is to let the virus do the work for you. This may be done by allowing the virus to run in a safe, emulated environment to decrypt itself. When it does so, it can be scanned for signatures. This is especially useful for oligomorphic and polymorphic viruses whose encryption changes from generation to generation.

Metamorphic viruses, or viruses that can change their form, are a bit more difficult to detect as they basically rewrite their code. Even if they are not encrypted, their signature can change. To detect these kinds of viruses other methods are necessary. Hashing and size measurements can be useful in narrowing down suspect files, but ultimately different techniques may be needed.

Such techniques may involve trying to strip junk instructions from the virus to attempt to get a leaner representation that may be able to be matched to a signature. It may attempt to track the suspect file's behavior to see if it acts like a specific virus. It may opt to see if the file contains information that would discount it as a virus (a negative signature if you will).

More information
If you are really interested in how virus detection works I would recommend "The Art of Computer Research and Defence" by Peter Szor. I found it to be an enjoyable and easy to understand read on the subject, though a large portion of the book is just the collection of various papers he has published (and you can most likely find those for free).
A computer virus is a harmful software program written intentionally to enter a computer without the user's permission or knowledge. It has the ability to replicate itself, thus continuing to spread. Some viruses do little but replicate, while others can cause severe harm or adversely affect the program and performance of the system. A virus should never be assumed harmless and left on a system.

There are different types of viruses which can be classified according to their origin, techniques, types of files they infect, where they hide, the kind of damage they cause, the type of operating system, or platform they attack. Let us have a look at few of them.

Memory Resident Virus
These viruses fix themselves in the computer memory, get activated whenever the OS runs, and infect all the files that are then opened.
Hideout: This type of virus hides in the RAM and stays there even after the malicious code is executed. It gets control over the system memory and allocates memory blocks through which it runs its own code, and executes the code when any function is executed.
Target: It can corrupt files and programs that are opened, closed, copied, renamed, etc.
Examples: Randex, CMJ, Meve, and MrKlunky
Protection: Install an antivirus program.

Direct Action Viruses
The main purpose of this virus is to replicate and take action when it is executed. When a specific condition is met, the virus will go into action and infect files in the directory or folder that are specified in the AUTOEXEC.BAT file path. This batch file is always located in the root directory of the hard disk and carries out certain operations when the computer is booted.

FindFirst/FindNext technique is used where the code selects a few files as its victims. It also infects the external devices like pen drives or hard disks by copying itself on them.
Hideout: The viruses keep changing their location into new files whenever the code is executed, but are generally found in the hard disk's root directory.
Target: It can corrupt files. Basically, it is a file-infecter virus.
Examples: Vienna virus
Protection: Install an antivirus scanner. However, this type of virus has minimal effect on the computer's performance.

Overwrite Viruses
A virus of this kind is characterized by the fact that it deletes the information contained in the files that it infects, rendering them partially or totally useless once they have been infected.
Hideout: The virus replaces the file content. However, it does not change the file size.
Examples: Way, Trj.Reboot, Trivial.88.D
Protection: The only way to clean a file infected by an overwrite virus is to delete the file completely, thus losing the original content.

However, it is very easy to detect this type of virus, as the original program becomes useless.

Boot Sector Virus
This type of virus affects the boot sector of a hard disk. This is a crucial part of the disk, in which information of the disk itself is stored along with a program that makes it possible to boot (start) the computer from the disk. This type of virus is also called Master Boot Sector Virus or Master Boot Record Virus.
Hideout: It hides in the memory until DOS accesses the floppy disk, and whichever boot data is accessed, the virus infects it.
Examples: Polyboot.B, AntiEXE
Protection: The best way of avoiding boot sector viruses is to ensure that floppy disks are write-protected. Also, never start your computer with an unknown floppy disk in the disk drive.

Macro Virus
Macro viruses infect files that are created using certain applications or programs that contain macros, like .doc, .xls, .pps, .mdb, etc. These mini-programs make it possible to automate series of operations so that they are performed as a single action, thereby saving the user from having to carry them out one by one. These viruses automatically infect the file that contains macros, and also infect the templates and documents that the file contains. It is referred to as a type of e-mail virus.
Hideout: These hide in documents that are shared via e-mail or networks.
Examples: Relax, Melissa.A, Bablas, O97M/Y2K
Protection: The best protection technique is to avoid opening e-mails from unknown senders. Also, disabling macros can help to protect your useful data.

Directory Virus
Directory viruses (also called Cluster Virus/File System Virus) infect the directory of your computer by changing the path that indicates the location of a file. When you execute a program file with an extension .EXE or .COM that has been infected by a virus, you are unknowingly running the virus program, while the original file and program have previously been moved by the virus. Once infected, it becomes impossible to locate the original files.
Hideout: It is usually located in only one location of the disk, but infects the entire program in the directory.
Examples: Dir-2 virus
Protection: All you can do is reinstall all the files that are infected from the backup after formatting the disk.

Polymorphic Virus
Polymorphic viruses encrypt or encode themselves in a different way (using different algorithms and encryption keys) every time they infect a system. This makes it impossible for antivirus software to find them using string or signature searches (because they are different in each encryption). The virus then goes on to create a large number of copies.
Examples: Elkern, Marburg, Satan Bug and Tuareg
Protection: Install a high-end antivirus as the normal ones are incapable of detecting this type of virus.

Companion Viruses
Companion viruses can be considered as a type of file infector virus, like resident or direct action types. They are known as companion viruses because once they get into the system they 'accompany' the other files that already exist. In other words, to carry out their infection routines, companion viruses can wait in memory until a program is run (resident virus), or act immediately by making copies of themselves (direct action virus).
Hideout: These generally use the same filename and create a different extension of it. For example: If there is a file "Me.exe", the virus creates another file named "Me.com" and hides in the new file. When the system calls the filename "Me", the ".com" file gets executed (as ".com" has higher priority than ".exe"), thus infecting the system.
Examples: Stator, Asimov.1539 and Terrax.1069
Protection: Install an antivirus scanner and also download a firewall.

FAT Virus
The file allocation table (FAT) is the part of a disk used to store all the information about the location of files, available space, unusable space, etc.
Hideout: FAT virus attacks the FAT section and may damage crucial information. It can be especially dangerous as it prevents access to certain sections of the disk where important files are stored. Damage caused can result in loss of information from individual files or even entire directories.
Examples: Link Virus
Protection: Before the virus attacks all the files on the computer, locate all the files that are actually needed on the hard drive, and then delete the ones that are not needed. They may be files created by viruses.

Multipartite Virus
These viruses spread in multiple possible ways. They may vary in their action depending upon the operating system installed and the presence of certain files.
Hideout: In the initial phase, these viruses tend to hide in the memory as the resident viruses do; then they infect the hard disk.
Examples: Invader, Flip and Tequila
Protection: You need to clean the boot sector and also the disk to get rid of the virus, and then reload all the data in it. However, ensure that the data is clean.

Web Scripting Virus
Many web pages include complex code in order to create interesting and interactive content. This code is often exploited to bring about certain undesirable actions.
Hideout: The main sources of web scripting viruses are the web browsers or infected web pages.
Examples: JS.Fortnight is a virus that spreads through malicious e-mails.
Protection: Install the Microsoft tool application that is a default feature in Windows 2000, Windows 7 and Vista. Scan the computer with this application.

A worm is a program very similar to a virus; it has the ability to self-replicate and can lead to negative effects on your system. But worms can be detected and eliminated by antivirus software.
Hideout: These generally spread through e-mails and networks. They do not infect files or damage them, but they replicate so fast that the entire network may collapse.
Examples: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, Mapson
Protection: Install an updated version of antivirus.

Another unsavory breed of malicious code is Trojans or Trojan horses, which unlike viruses, do not reproduce by infecting other files, nor do they self-replicate like worms. In fact, a Trojan is a program which disguises itself as a useful program or application.

▶ Beware of the fact that these viruses copy files in your computer (when their carrier program is executed) that can damage your data, and even delete it. The attacker can also program the trojans in such a manner that the information in your computer is accessible to them.

As always, it is recommended to use a virtual machine to protect yourself from getting infected. There are some good sandboxes out there, such as:

Sandboxie: http://www.sandboxie.com/
Comodo Internet Security Sandbox: http://www.comodo.com/products/comodo-products.php
Avast Antivirus Sandbox: http://www.avast.com/en-us/index

Closing Statement
I hope that this helped in some way.
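The post above notes that a stored-hash check fails once the hash store itself can be rewritten. The following is an added example, not part of the original post: it keeps size and hash per file and seals the store with an HMAC, so a rewritten entry is caught. It uses SHA-256 rather than the SHA-1 the post mentions, and the key, file names and file contents are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def seal(entries, key):
    """HMAC over the canonical JSON of the store; cannot be recomputed without the key."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_baseline(paths, key):
    entries = {p: {"size": os.path.getsize(p), "sha256": file_digest(p)} for p in paths}
    return {"entries": entries, "tag": seal(entries, key)}

def verify(baseline, key):
    """Check the store first, then each file. Raises ValueError on an altered store."""
    if not hmac.compare_digest(seal(baseline["entries"], key), baseline["tag"]):
        raise ValueError("baseline store was modified")
    report = {}
    for path, rec in baseline["entries"].items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif file_digest(path) == rec["sha256"]:
            report[path] = "ok"
        elif os.path.getsize(path) == rec["size"]:
            report[path] = "modified, size unchanged"
        else:
            report[path] = "modified, size changed"
    return report

def demo():
    key = b"constructed-demo-key"  # assumption: the real key is kept off the scanned host
    with tempfile.TemporaryDirectory() as d:
        f1, f2 = Path(d, "one.bin"), Path(d, "two.bin")
        f1.write_bytes(b"A" * 64)
        f2.write_bytes(b"B" * 64)
        base = build_baseline([str(f1), str(f2)], key)
        f1.write_bytes(b"X" * 64)            # same length, different content
        f2.write_bytes(b"B" * 64 + b"tail")  # bytes appended to the end
        report = verify(base, key)
        statuses = [report[str(f1)], report[str(f2)]]
        base["entries"][str(f1)]["sha256"] = file_digest(f1)  # entry rewritten, tag is not
        try:
            verify(base, key)
            store_trusted = True
        except ValueError:
            store_trusted = False
        return statuses, store_trusted
```

The first file shows why size alone misses a same-length overwrite, and the final check shows the rewritten entry being rejected because the tag no longer matches.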
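The three "heuristic" indicators quoted in the Pattern Matching part of the post can be written as rules over a stream of process events. This is an added example, not code from the post or from any AV product; the event format, the policy lists and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed policy lists for the example; a real product ships and updates its own.
NON_NETWORK_APPS = {"calc.exe"}
SENSITIVE_TARGETS = {"lsass.exe"}


@dataclass
class Event:
    kind: str            # "net_connect" or "remote_thread"
    process: str         # image name of the process that acted
    target: str = ""     # for remote_thread: process that received the thread


def evaluate(events, permitted=()):
    """Return (process, indicator, severity) tuples for a stream of events."""
    seen = {p.lower() for p in permitted}   # apps already allowed to use the network
    findings = []
    for ev in events:
        proc = ev.process.lower()
        if ev.kind == "net_connect":
            if proc in NON_NETWORK_APPS:
                findings.append((proc, "non-network app connected", "high"))
            elif proc not in seen:
                findings.append((proc, "first network connection", "prompt"))
                seen.add(proc)       # recorded so the next connection is quiet
        elif ev.kind == "remote_thread":
            target = ev.target.lower()
            if target and target != proc:
                severity = "high" if target in SENSITIVE_TARGETS else "medium"
                findings.append((proc, "thread created in " + target, severity))
    return findings


# Constructed sample events, not taken from a real system.
SAMPLE_EVENTS = [
    Event("net_connect", "browser.exe"),
    Event("net_connect", "updater.exe"),
    Event("net_connect", "updater.exe"),
    Event("net_connect", "CALC.EXE"),
    Event("remote_thread", "helper.exe", "explorer.exe"),
    Event("remote_thread", "unknown.exe", "lsass.exe"),
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS, permitted=["browser.exe"]):
        print(finding)
```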

04-01-2013, 07:28 PM
I just looked through all of "your" tutorials. If you're going to copy and paste, give credits to the people who actually took the time to type these out.

04-02-2013, 02:31 AM
Whose tutorial is this?

04-02-2013, 06:28 AM
Whose tutorial is this?

This is not a tutorial, this shows what different viruses there are on the internet

04-02-2013, 07:57 AM
Want it sticky?
1-Give Credits
2-Request For Sticky By Adding "/Req Stick".

04-02-2013, 04:48 PM
Whose tutorial is this?
Just copied and pasted the first few lines of his "tutorial" into Google and I got word-for-word matches. I've seen the way luca types. He's from Italy and his English isn't that great. Which is how I know this (and all of the rest of them) aren't "his". I have no problem with him posting the stuff because I'm sure people are finding them useful, but he's not giving credits...

04-04-2013, 06:28 PM
I actually read this!
I'm getting smarter every hour at this forum!