Virus vs. Antivirus – Combat on Fire
Posted: Monday, May 08, 2006
by Muhammad Irfan Basharat
Researcher/Analyst
Abstract
The aim of this paper is to present the right and accurate facts about viruses and antivirus software. It sketches and concisely reveals various potential ways that virus programmers use to exploit any antivirus product, and it will certainly eliminate misconceptions about malicious code.
1. Introduction
Any malicious code can be a danger or a source of danger, but many computer users are not aware of this. They usually think that installing and configuring the best antivirus software is a risk-free task, or that it will give them full protection. An antivirus product can help you protect your personal computers and networks, but it expects some common sense, awareness and vigilance from you as well. Just close your eyes and think for a while: what if an antivirus is already corrupted? What if some unintentional, innocent piece of code acts like a virus? What about the cute baby virus born today? Today I would like to share a story with you which will certainly help you to understand the subject.
“Once I met an infant virus; he looked at me and smiled. I told him that you are not secure here, antiviruses are looking to hunt you down and they are present everywhere. You will lose your life in your starting age, maybe on the first highway. He smiled again and replied, don’t worry! I know how to deal with these innocent antiviruses. Antiviruses are and will always be on the defensive position, and we respectable offenders are attackers. After a long time, today I met him again; he was quite young and experienced too. He looked at me, passed a strange smile and winged toward satellites and mobiles.”
Antivirus programs are meant to minimize security risks rather than to dissect all problems and provide infallible security. AV engines are designed to give the maximum level of security, but they are vulnerable to special techniques, i.e. binders and packers, code obfuscation, etc., which are used to hide the presence of a code. We usually accept these malicious codes by our own consent.
2. The intruder – virus
A virus is a piece of code that infects either executable (EXE) files or object (COM) files. It attaches itself to a program in a computer and then replicates itself in such a way that whenever a corrupted file executes, the virus executes too. It can erase files or lock up a system.
The simplest virus which any programmer can develop creates copies of itself until the system crashes. A virus can spread across networks by dodging security measures. The Internet can be the best, the biggest and the worst source of spoiling personal systems or a network. Viruses usually spread by deceiving the innocent customer through application installations, e-mail attachments, or by gaining illegal access to the system. Visiting illegal stuff over the Internet like sex, hacks and cracks can also bless you with a virus. Instant messaging clients like Yahoo Messenger, MSN Messenger and any other can be used for casting the threat.
2.1. Virus types
Viruses are classified into five major categories.
- Boot virus
- File Infector Virus
- Macro Virus
- Polymorph Virus
- Stealth Virus
2.1.1. Boot Virus
It infects the boot sector and stays resident in memory. It executes itself whenever the system boots, which gives it full control of the system.
2.1.2. File Infector Virus
These viruses usually attack executable (*.exe) or object (*.com) files. Whenever the infected program executes, the virus runs and hunts for the next file to infect.
2.1.3. Macro Viruses
Macro viruses replicate through any program that they attach themselves to. Not every macro virus can link to all sorts of programs; each targets a specific program like MS Word or MS Excel. These viruses basically exploit two features of these programs.
The Auto Open Macros feature can help a macro virus execute without your consent, and you won't even know what’s happening.
A good programmer can exploit the Global Macro feature to give viruses a new look, i.e. when you open Word or Excel you could be executing harmful code.
2.1.4. Polymorph Virus
It is capable of encrypting each infected program and producing a unique decryption routine for it, in such a way that no two encryptions will be the same. Every time they infect, they change their size.
2.1.5. Stealth Virus
It can be a file infector or a boot sector virus. It provides a forged report to the antivirus solution about the infected file.
2.2. Helpless against Virus?
There are many reasons for feeling helpless against these threats; some are given below.
- Antivirus software is not installed on the system.
- Antivirus is working but it is ill-configured.
- Virus definitions are not up to date.
- Your computer is connected to a network and you are sharing files with anyone without having a firewall.
- The firewall is configured improperly.
- Many viruses take advantage of vulnerabilities in operating systems, so update your OS by keeping the critical update feature on.
2.3. Misconceptions about virus
There are a variety of misconceptions about viruses. These myths are sometimes responsible for havoc. Some are given below.
- A connection to an infected FTP site or website will infect my system.
- A virus is a mysterious program that is capable of hiding itself in a data file.
- Viruses do not infect compressed files.
- All sorts of file damage are caused by viruses.
- All systems are equally vulnerable.
- All e-mail attachments are threats.
- There is no problem with attachments, except for some dangerous ones.
- Anti-virus software will protect me.
- Viruses are written by a lone, isolated sick person rather than a group.
- I am a security professional; viruses can never damage me.
- I am working behind a personal firewall or a corporate firewall.
- We are safe due to IDS.
3. Antivirus – An Eye on Intruder
Everyone desires to be protected from viruses, and antivirus vendors always claim to provide the best software, which will protect you completely.
“To me these claims sound as if these vendors have close ties with cosmetics companies.”
An antivirus is a program that hunts for any known or potential viruses in primary or secondary memory. Some popular antivirus programs are as follows.
- Norton Antivirus
- AVG Antivirus
- Panda Antivirus Platinum
- McAfee Antivirus
- Sophos Antivirus
- Avast Antivirus
3.1. Discover and Defence
Various methodologies were deployed in the past to help protection, and these evolving methods are still used by antivirus vendors to discover and defend against the threat. Popular techniques are given below.
String Scanning, Wildcards, Mismatches, Generic Detection, Hashing, Bookmarks, Top-and-Tail Scanning, Entry-Point and Fixed-Point Scanning, Hyperfast Disk Access, Smart Scanning, Skeleton Detection, Nearly Exact Identification, Exact Identification, Filtering, Static Decryptor Detection, The X-RAY Method, Encrypted and Polymorphic Virus Detection, Dynamic Decryptor Detection, Geometric Detection, Disassembling, Emulators for Tracing, Code Execution Start in the Last Section, Suspicious Section Characteristics, Virtual Size Is Incorrect in PE Header, Possible "Gap" Between Sections, Suspicious Code Redirection, Suspicious Code Section Name, Possible Header Infection, Multiple PE Headers, Suspicious Imports from KERNEL32.DLL by Ordinal, Import Address Table Is Patched, Suspicious Relocations, Multiple Windows Headers and Suspicious KERNEL32.DLL Imports, Kernel Look-Up, Kernel Inconsistency, Loading a Section into the VMM Address Space, Incorrect Size of Code in Header, Suspicious Flag Combinations, Standard Disinfection, Generic Decryptors, Integrity Checking False Positives, Inoculation, Heuristic Analysis Using Neural Networks, Access Control Systems, Behavior Blocking and Sand-Boxing.
3.2. Anti-Virus Evasion Techniques
There are several techniques used to fool antivirus software. Some are given below.
3.2.1. Use of binders and packers
Binders are capable of attaching two or more applications together in such a way that the entire binary changes and the antivirus cannot detect these sorts of tricks, because the original signature of the malicious code has been displaced. These binders are easily available for download from the Internet.
3.2.2. Packers (Compressors)
Packers usually compress the malicious binary and then embed it into the packer’s own binary. This dodging practice is fairly successful due to the change of signature.
3.2.3. Code Obfuscation
Code obfuscation occurs when malicious code is encrypted and a small decryption routine is embedded alongside it. After implementing the scheme, it is fairly impossible to detect the virus due to the change of the binary’s signature.
3.2.4. Code conversion from EXE to client side scripts
The virus writer creates a virus and converts the executable file to the desired extension like PIF, SR or VBS etc. by using special programs like exe2vbs or any other. On execution of the forged file, the hidden EXE just runs. Ahhhhh, I have nothing more to say.
3.2.5. Fake File Type Extension
This fairly simple method works by producing a fake file extension. Usually the extensions are sex oriented.
3.3. Manual Virus Identification Method
Searching the header of any file is a fairly easy task, because a unique file extension means unique header information. Searching the first twenty-seven bytes will reveal the hidden truth of any executable application; this group of memory (27 bytes) contains the complete header information. Right-click the file and open it in Notepad, or drag and drop the executable file onto Notepad or any document-reading program. If you find ‘MZ’ in the first two bytes and the file extension is other than exe, it means the file is suspicious. Changing the file extension never alters the header properties.
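As an added example (not code from the original article), the following Python script automates the manual check above and also covers the fake-extension trick of 3.2.5: it reads the leading bytes of a file, looks for the ‘MZ’ DOS header and, if present, follows the e_lfanew pointer at offset 0x3C to confirm a ‘PE\0\0’ signature, then flags any such file whose extension is not one normally used for Windows executables. The sample header bytes are constructed inline, and the extension set is an assumption you can extend.

```python
import os
import struct

# Extensions under which an MZ/PE header is expected (assumed list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".sys", ".cpl", ".ocx", ".pif"}


def inspect_header(data: bytes, filename: str) -> dict:
    """Classify a file from its leading bytes and its claimed extension."""
    ext = os.path.splitext(filename)[1].lower()
    has_mz = data[:2] == b"MZ"
    has_pe = False
    if has_mz and len(data) >= 0x40:
        # e_lfanew (offset 0x3C) points at the PE signature in a Win32 executable.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        has_pe = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    # The article's rule: an MZ header behind a non-executable extension is suspicious.
    suspicious = has_mz and ext not in EXECUTABLE_EXTS
    return {"ext": ext, "mz": has_mz, "pe": has_pe, "suspicious": suspicious}


def scan_tree(root: str, head: int = 0x200) -> list:
    """Walk a directory and return paths whose header contradicts their extension."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(head)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if inspect_header(data, name)["suspicious"]:
                hits.append(path)
    return hits


def build_sample_pe() -> bytes:
    """Constructed minimal MZ+PE header stub (not a real program) for testing."""
    stub = bytearray(b"MZ" + b"\0" * 0x3A)   # DOS header up to offset 0x3C
    stub += struct.pack("<I", 0x40)           # e_lfanew -> PE signature at 0x40
    stub += b"PE\0\0" + b"\0" * 0x14          # PE signature plus padding
    return bytes(stub)


if __name__ == "__main__":
    print(inspect_header(build_sample_pe(), "holiday.jpg"))  # flagged
    print(inspect_header(build_sample_pe(), "setup.exe"))    # not flagged
```

Run scan_tree() over a download or mail-attachment folder to list every file that carries an executable header under a harmless-looking extension.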
3.4. Will any Antivirus detect all possible computer virus in the future?
Fred Cohen demonstrated that there is no algorithm that can detect the set of all possible computer viruses. This straightforward demonstration showed that every ELSE in the program will be able to provide a loophole to a smart coder. For the technical aspects of the demonstration one can search and find the details on the Internet.
CODE START HERE
{
    IF (code is malicious or suspicious)
        Set Alarm
        Message “There is a malicious activity”
        FUNCTION (Terminate that application)
        FUNCTION (Kill that threat)
    ELSE
        Allow running that code
}
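The argument behind that pseudocode, modelled in Python as an added educator's example (not code from the article): any claimed perfect detector can be handed a program that asks the detector about itself and then does the opposite, so the detector's verdict on that program is always wrong. A "program" here is just a function returning True when it would replicate; nothing is executed or copied, and the two candidate detectors are constructed for illustration.

```python
from typing import Callable

# A "program" is a zero-argument callable returning True if it would replicate
# (virus behaviour) and False if it stays benign. A "detector" inspects a
# program object and returns True when it flags it as a virus.
Program = Callable[[], bool]
Detector = Callable[[Program], bool]


def make_contrary(detector: Detector) -> Program:
    """Build the diagonal program: replicate exactly when the detector says 'clean'."""
    def contrary() -> bool:
        return not detector(contrary)  # consult the detector about itself, then invert
    return contrary


def detector_is_wrong(detector: Detector) -> bool:
    """True when the detector's verdict on the contrary program mismatches its behaviour."""
    program = make_contrary(detector)
    flagged = detector(program)   # the IF/ELSE decision in the article's pseudocode
    replicates = program()        # what the program actually does
    return flagged != replicates


# Two naive candidate detectors, constructed for illustration.
def flag_everything(_: Program) -> bool:
    return True


def flag_nothing(_: Program) -> bool:
    return False


if __name__ == "__main__":
    for name, det in [("flag_everything", flag_everything), ("flag_nothing", flag_nothing)]:
        print(name, "is fooled:", detector_is_wrong(det))  # both print True
```

Whatever rule the detector applies, the contrary program lands in the wrong branch, which is the loophole the article attributes to every ELSE.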
Conclusion
Expert security professionals use security applications to form a security layer that defends against the threat, not to eliminate the possibility of future threats; this enables the enterprise to achieve a true defense-in-depth security architecture.
Top-level comments on this article: (6 total)
- Well done. Good work.
- Nice to see quality stuff here, Muhammad, we welcome you here and of course you are doing a good job. The analogy of the infant virus is very nice.
- Manual virus identification method and future concerns is very cool. Full article grades A.
- Thanks Imran for your support.
- Good researched work on topic. Why are we capitalizing our efforts on making antivirus, when it is already useless as you said?
- Good work ......... Keep it up.