Viruses 101

Anti-Virus Software

The Role of CERT

Legal Implications

Social Impact

The Future

How Anti-Virus Software Works

[Detection]  [Improvements]  [Defeating]  [Virus Removal]  [Problems]  [Sources]

Anti-virus software today is fairly sophisticated, but virus writers are often a step ahead of the software, and new viruses are constantly being released that current anti-virus software cannot recognize. The key to anti-virus software is detection. Once an infected file has been detected, it can sometimes be repaired. If not, the file can at least be quarantined so that the viral code will not be executed. The difficulty here is that generic virus detection is inadequate for current and new viruses, and so anti-virus software must be constantly updated with new lists of viruses. Currently, when a new virus is discovered (unfortunately only through execution,) samples are sent to virus analysis centers. These centers analyze the virus, and extract a unique string from the virus that will identify it. This and other information about the virus is added into a database that users can then download. However, should generic virus detection ever become 100% effective, then the other steps (removal/repair) should be greatly simplified.

Virus Detection Methods
There are four major methods of virus detection in use today: scanning, integrity checking, interception, and heuristic detection. Of these, scanning and interception are very common, with the other two only common in less widely-used anti-virus packages. Unfortunately, while scanning is very effective against known viruses, it is completely incapable of dealing with new viruses, forcing anti-virus analysis centers into a reactive stance.

Definition: A scanner will search all files in memory, in the boot sector (the sector on disk that specifies where boot information is,) and on disk for code snippets that will uniquely identify a file as a virus. Obviously, this requires a list of unique signatures that will be found in viruses and not in benign programs. To prevent false alarms, most scanners also will check the code of a suspected file against either the virus code itself or a checksum of it. (A checksum is a method frequently used to determine if data has been changed, and involves summing all of the bits in a file.) This is the most common method of virus detection available, and is implemented in all major anti-virus software packages. There are two types of scanning: on-access and on-demand. On-access scanning scans files when they are loaded into memory prior to execution. On-demand scanning scans all of main memory, the boot sector, and disk memory as well, and is started by a user when he/she wishes. On-access scanning has become more aggressive recently, with virus scans occurring even if files are selected, but not loaded.
Advantages: Scanners can find viruses that haven't executed yet - this is critical for e-mail worms, which can spread themselves rapidly if not stopped. Also, false alarms have become extremely rare with the software available today. Finally, scanners are also very good at detecting viruses that they have the signatures for.
Disadvantages: There are two major disadvantages to scanning-based techniques. First, if the software is using a signature string to detect the virus, all a virus writer would have to do is modify the signature string to develop a new virus. This is seen in polymorphic viruses. The second, and far greater disadvantage is the limitation that a scanner can only scan for something it has the signature of. The Maltese Amoeba virus was a very destructive virus that activated on November 11, 1991, and was able to spread rapidly before its activation without being detected. According to the 1991 Virus Bulletin: "Prior to November 2nd, 1991, no commercial or shareware scanner (of which VB has copies) detected the Maltese Amoeba virus. Tests showed that not ONE of the major commercial scanners in use ... detected this virus." Although virus updates occur more frequently today because of the Internet, viruses still cannot be detected until one has executed.

Integrity Checking
Definition: An integrity checker records integrity information about important files on disk, usually by checksumming. Should a file change due to virus activity or corruption, the file will no longer match the recorded integrity information. The user is prompted, and can usually be given an option to restore the file to its pre-corrupted/infected state. This is an extensive process, and few virus checkers today utilize it. Norman Virus Control, however, is one.
Advantages: Integrity checking is the only way to determine whether a virus has damaged a file, and it's fairly foolproof. Most integrity checkers today also have the benefit of detecting other damage to data, such as corruption, and can restore that as well.
Disadvantages: The major problem with integrity checking is that not enough companies offer comprehensive integrity checking software. Most anti-virus suites that do offer it don't protect enough files, and those that they do may not be damaged at all with newer viruses. Simpler integrity checkers won't be able to differentiate between damage done via corruption and damage done via a virus, thus giving the user unclear information as to what's going on. Finally, this process is simply rather cumbersome - in today's computers, many important files are changed by as little as booting up and shutting down, so integrity checkers need to be coupled with scanners for maximum efficacy in detecting viruses.

Heuristic Virus Checking
Definition: This is a generic method of virus detection. Anti-virus software makers develop a set of rules to distinguish viruses from non-viruses. Should a program or code segment follow these rules, then it is marked a virus and dealt with accordingly. This allows detection of any virus, and theoretically, should be sufficient to deal with any new virus attacks. F-secure virus software uses this method in addition to scanning, although not very many software packages available today utilize heuristic virus checking.
Advantages: Generic virus protection would make all other virus scanners obsolete and would be sufficient to stop any virus. The user doesn't need to download weekly virus updates anymore, because the software can detect all viruses.
Disadvantages: Although these are huge benefits to heuristic virus checking, the technology today is not sufficient. Virus writers can easily write viruses that don't obey the rules, making the current set of virus detection rules obsolete. Changes to these rules must be downloaded, and thus these virus checkers must be updated and won't stop many new viruses, which gives them similar characteristics to scanners. In addition, the potential for false alarms and not detecting a known virus is greater with heuristic checkers than with scanners.

Definition: Interception software detects virus-like behavior and warns the user about it. How to detect virus-like behavior? Use heuristics again. Many viruses will perform some suspicious action, like relocating themselves in memory and installing themselves as resident programs. Many software packages have this as an option, although most people usually disable it.
Advantages: Interception is a good generic method to stop logic bombs and Trojan horses. Logic bombs will trigger a (usually destructive) sequence given an event, such as the date being set to a certain date. When not detected by scanners, interception software will usually detect the destructive and unusual sequences of events caused by logic bombs and Trojan horses.
Disadvantages: Unfortunately, interceptors aren't very good at detecting anything else. Interceptors also have all the drawbacks of heuristic systems - difficulty differentiating virus from non-virus, and easy to program around. Also, most interceptors are very easy to disable, and so many viruses frequently disable them before launching. Due to the nature of an interceptor, this software is unable to detect viruses before they launch, and a lot of damage could already have been done. Lastly, interceptors are a nuisance and frequently prompt the user to allow/disallow activity during software installations and system upgrades, making the above very tedious. Combined with their limited usefulness, most software packages disable or strongly limit interception by default.

Upcoming Improvements to Software
Symantec has recently released something called the "Digital Immune System" with the Norton AntiVirus Corporate Edition. Currently only available to corporations, this system automates much of the virus detection/vaccine process. A sample is automatically uploaded to an analysis center when the system detects virus-like activity. If the virus matches a known virus, then a vaccine is downloaded to the infected computer and the software cleans it out. If this is a new virus, the sample is sent to analysts to develop a vaccine. This greatly speeds up the time it takes to clean a virus off of a computer, thus greatly decreasing the ability the virus has to infect other computers. Unfortunately, virus activity is detected using heuristics, which, as mentioned above, are not totally accurate. Network Associates has a similar process in its VirusScan software. Unfortunately, not many other improvements to virus software are foreseen, and improvements in this area rely wholly on improved AI to detect viruses.

Ways to Defeat Anti-virus Software
Because the same anti-virus software methods are in use all over the world, virus writers have attempted to defeat the software in their viruses, either by disabling the software or getting around the detection algorithms. This section will briefly examine the techniques that virus writers use to get around the software and how effective they are in doing so.
Polymorphic viruses attempt to neutralize virus-scanning techniques by changing the code every time the virus infects a new computer. Even if the virus signature remains unchanged, the checksum of the virus will, ensuring that anti-virus software won't pick it up. However, all of the viruses today that use such a technique are fairly ineffective, because the code that is generated is too similar to the original virus. "Toolkits" have been developed by virus writers - some with excellent user interfaces and even help files - to generate polymorphic viruses, but even so, the similarities between the viruses generated by these toolkits makes it easy for anti-virus software to detect the virus. Nevertheless, the possibility exists that a polymorphic virus will be developed that can evade virus scanners; such a virus would be extremely difficult to contain.
Tunneling viruses attempt to get around anti-virus software by loading themselves underneath the scanner, closer to the hardware. Such viruses aim to gain access to interrupt handlers and thus have direct access to the operating system. Most anti-virus software can detect this. When detected, the anti-virus software installs itself underneath the virus. Smarter viruses then try to install themselves underneath the anti-virus software, leading to a battle over the interrupt handlers and system problems as no one is allowed access to the interrupt handlers.
Stealth viruses rely on being loaded before the anti-virus software, which could occur should the virus infect the boot sector or a system file that is loaded before anti-virus software is. These viruses then disguise the changes that they make, and thus get around any virus detection schemes. Cleaning such viruses off isn't that difficult - booting with a clean diskette will prevent the virus from being loaded into memory, and a scanner should be able to clean it off then.
Fast infecting viruses work similarly to stealth viruses - they rely on being invisible to the virus scanner to infect computers. These viruses usually piggyback on anti-virus scanners, and infect files whenever they are accessed. If not found before the virus scanner begins scanning files, the virus will quickly infect every file on disk. Because of on-access scanning, this type of virus will spread even without an on-demand scan. However, the virus still needs to infect its first file, and most scanners will block the virus before it can latch onto the virus scanner.
Other methods: Many viruses being developed today use a combination of the above techniques and add a few more of their own. For example, the MTX worm loads itself into memory before anti-virus software and prevents the software from functioning correctly. In addition to that, the virus uses a technique that's becoming more and more common - blocking access to anti-virus vendor websites. The MTX virus blocks access to Symantec, McAfee, and several other companies that provide virus scanner updates so that the user is prevented from retrieving an update. Other viruses will attack the software more directly, damaging and corrupting library or code files that a virus scanner needs to function properly. Finally, many viruses will download updates and plugins, allowing the virus writer to stay one step ahead of the anti-virus software writers.

Virus recovery & removal
Once a virus is detected, how do anti-virus programs undo the damage that the virus has done? Anti-virus programs are fairly bad at restoring data - viruses that attempt to damage files instead of merely infecting them will succeed unless those files have been backed up. Virus scanners repair files by deleting the virus code from the file, which in most cases restores the file to its pre-infected state. However, for viruses that damage system files (e.g. viruses that block access to anti-virus software vendors irreparably changes a network library,) the anti-virus program is incapable of repairing all the damage. The only foolproof method of restoring damage done by a virus is to clean all infected files and restore everything else from backups.

Problems with anti-virus software
Anti-virus software suffers from more problems than not being able to detect cutting edge viruses. Many copies of anti-virus software are unable to detect even old viruses, because end users frequently forget or simply don't update their virus scanner's virus databases until it's too late. On-demand scans are rarely performed because they're slow and hog resources while running, so dormant viruses tend to have a rather long life. On-access scanners aren't free of troubles, either - some consume too many resources, so many users are tempted to disable them if they're on a slower machine.
Finally, while anti-virus software may become extremely good at sensing virus activity, there are always new security holes to exploit in operating system and networking software that would give viruses another entry point that bypasses the anti-virus software. Finding a security hole and getting reported on one of these sites is considered to be an honor among the virus writing community. An example of one of these sites is SANS, which has bulletins about hacker and virus attacks.

The bottom line? Anti-virus software in use today is fairly effective - but only if it's kept updated and the user takes precautions (such as not opening unfamiliar documents or programs.) Despite all this, anti-virus software cannot protect against brand new viruses, and few users take the necessary precautions. A survey was done of corporate computer users, finding that many users still get infected even if they are required to take all the necessary precautions. (Source: ICSA Labs Computer Virus Prevalence Survey 2000.)With the Internet daily growing larger, it is unlikely that anti-virus software will be able to protect all of the users connected; however, with proper care and attention, people should be able to deal with all but the most unusual viruses.

http://www.cknow.com/vtutor/vtprotect.htm Computer Knowledge Virus Tutorial, Computer Knowledge.com

http://www.time.com/time/digital/feature/0,2955,49120,00.html "The New Hot Zone," Time Digital. July 2000

Rutrell Yasin, Management & Security: Viruses Get Quarantined. , InternetWeek, 05-17-1999, pp 25.

http://www.infoworld.com/articles/op/xml/00/09/18/000918opswatch.xml "Do you think that updating your anti-virus software is good enough? Think again." InfoWorld.com Friday, Sep. 15, 2000 1:01 pm PT

http://www.tml.hut.fi/Opinnot/Tik-110.501/1997/viruses.html Hanhisalo, Markus. Helsinki University of Technology.

http://www.icsalabs.com/html/communities/antivirus/index.shtml ICSA Labs, AntiVirus Product Developers Consortium.