Wednesday, January 5, 2011

Virus Identification Techniques

Since ‘Elk Cloner’, the first computer virus, was written in 1981, computers have been subject to a steady stream of threats: not only viruses, but malware of every kind (trojans, worms, rootkits, spyware) and direct hacking attacks. That is where antivirus programs come in. Antivirus software is used to prevent, detect and remove computer viruses, worms and trojan horses, and it may also block adware, spyware and other forms of malware.

Currently there are hundreds of antivirus products available. Each is implemented with a different strategy, and they behave and perform at different levels. In this post I explain some of the generic methods antivirus software uses to detect and remove malicious software.

Signature Based Detection
This is the most widely used technique. The antivirus software compares the contents of a file against a dictionary of virus signatures. A signature is usually a string of bytes that is found in the virus but not in other programs. The method only works once a sample of the malware has been obtained and a signature has been created from it, so it cannot defend us against a newly written virus until the vendor has seen a sample and shipped a signature update.

Viruses usually embed themselves in existing files, so the entire file has to be searched. The following are some methods used to identify viruses by examining files:
  • String scanning: searches for a sequence of bytes (a string) that is typical of a specific virus but unlikely to be found in other programs.
  • Wildcards: the search string may skip individual bytes or byte ranges, so that bytes a virus writer is likely to retune (a key, a counter, an address) do not break the match.
  • Mismatches: allows any given number of bytes in the string to have an arbitrary value, regardless of their position.
  • Generic detection: uses one common string to detect several or all known variants of a family of viruses.
  • Bookmarks: records the distance between the start of the virus body and the detection string, so that a hit on the string also locates the whole virus body, which is what disinfection needs.
  • Smart scanning: skips junk instructions inserted into the host file and does not store them in the virus signature. To improve the chance of detecting related variants, the signature is taken from an area of the virus body that has no references to data or to other subroutines.
  • Skeleton detection: the scanner parses the statements of the virus line by line and drops all nonessential statements. What is left is the skeleton of the body, containing only the essential code that is common to the macro virus family.
  • Virus-specific detection: there are cases where the standard algorithm of the virus scanner cannot deal with a virus. New detection code must then be introduced to implement a virus-specific detection algorithm.

Heuristic Based Detection
Heuristic detection works similarly to the signature method, but it uses a more generic signature. Viruses often multiply and produce new, slightly different versions of themselves, whether through mutation or through refinements made by other attackers. These new variants do not carry the exact signature of the original, but their signatures are very similar.

A heuristic signature therefore describes a family rather than one particular virus, which lets the antivirus program detect new variants of existing viruses without waiting for a new signature; the delay between a variant appearing and its detection is minimal. The price is a higher false-positive rate: the looser the pattern, the more likely it is to match legitimate code as well.
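The following Python scanner is an added example (not code from the original post) that ties together the file-scanning methods listed above and the family detection described in the heuristic section. The virus body, its variants and the host file are all constructed for the demonstration: the body is a typical delta-offset trick (`call $+5` / `pop ebx`) followed by a small XOR decryption loop, and the "variants" change the loop count and the XOR key, the bytes a variant author is most likely to retune. An exact string matches only the original sample; a family signature that starts after the shared prologue (the smart-scanning idea of avoiding code that other programs share), wildcards the two volatile bytes and tolerates one mismatch catches the variants too, while a bookmark of 6 lets the scanner recover where the virus body begins.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Signature:
    name: str
    pattern: List[Optional[int]]   # None is a wildcard byte ("??" in the text form)
    max_mismatches: int = 0        # mismatches method: this many fixed bytes may differ
    bookmark: int = 0              # bookmarks method: distance from virus body start to the string


def parse_pattern(text: str) -> List[Optional[int]]:
    """Turn 'B9 ?? 00 00' into [0xB9, None, 0x00, 0x00]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def matches_at(data: bytes, offset: int, sig: Signature) -> bool:
    """Compare the pattern against data[offset:], honouring wildcards and the mismatch budget."""
    if offset + len(sig.pattern) > len(data):
        return False
    seen = 0
    for i, want in enumerate(sig.pattern):
        if want is None:                      # wildcard: skip this byte
            continue
        if data[offset + i] != want:
            seen += 1
            if seen > sig.max_mismatches:
                return False
    return True


def scan(data: bytes, sigs: List[Signature]) -> Dict[str, int]:
    """String-scan the whole file. Returns {signature name: offset of the virus body start}."""
    hits: Dict[str, int] = {}
    for sig in sigs:
        for off in range(len(data) - len(sig.pattern) + 1):
            if matches_at(data, off, sig):
                hits[sig.name] = off - sig.bookmark   # bookmark turns a string hit into a body offset
                break
    return hits


# Constructed virus body (24 bytes). Index 13 is the loop count, index 20 the XOR key.
ORIGINAL_BODY = bytes.fromhex(
    "E800000000"      # call $+5
    "5B"              # pop ebx
    "81EB05000000"    # sub ebx, 5
    "B910000000"      # mov ecx, 0x10        (loop count)
    "80340BAA"        # xor byte [ebx+ecx], 0xAA   (key)
    "43"              # inc ebx
    "E2F9"            # loop
)


def variant(changes: Dict[int, int]) -> bytes:
    """Constructed variant: the original body with a few bytes replaced."""
    body = bytearray(ORIGINAL_BODY)
    for index, value in changes.items():
        body[index] = value
    return bytes(body)


VARIANT_A = variant({13: 0x20, 20: 0x5C})                 # new count and key only
VARIANT_B = variant({13: 0x20, 20: 0x5C, 21: 0x41})       # plus one more changed byte
VARIANT_C = variant({13: 0x20, 20: 0x5C, 21: 0x41, 23: 0xF8})  # too many changes

SIGNATURES = [
    # Exact string of the whole original body: matches only the sample it was taken from.
    Signature("VirusX.A", parse_pattern(ORIGINAL_BODY.hex(" "))),
    # Family signature: skips the shared call/pop prologue (bookmark 6), wildcards the
    # count and key bytes, and tolerates one further mismatch anywhere.
    Signature("VirusX.gen",
              parse_pattern("81 EB 05 00 00 00 B9 ?? 00 00 00 80 34 0B ?? 43 E2 F9"),
              max_mismatches=1, bookmark=6),
]

HOST_PREFIX = b"MZ" + b"\x90" * 254   # constructed 256-byte stand-in for a host program


def infect(body: bytes) -> bytes:
    """Constructed infected file: host followed by the virus body at offset 256."""
    return HOST_PREFIX + body


if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL_BODY), ("variant A", VARIANT_A),
                          ("variant B", VARIANT_B), ("variant C", VARIANT_C)]:
        print(label, scan(infect(sample), SIGNATURES))
```

Run as a script it prints, for each constructed sample, which signatures hit and where the virus body starts; the exact signature stops matching as soon as one byte changes, while the family signature keeps matching until the changes exceed its wildcard and mismatch budget.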

File Emulation
File emulation is another approach to identifying malicious software. The program is executed in a virtual environment (an emulated CPU and operating system) rather than on the real machine, and its behavior, such as the files it opens and writes, the settings it changes and the network connections it makes, is logged. From those logs the antivirus software decides whether the program is malicious and takes the necessary action. Because nothing runs on the real system, even a destructive payload does no harm during analysis; malware authors counter this by detecting the emulator or by stalling until its time budget runs out, so emulation is always bounded and its verdict is combined with the other methods.
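The following Python sandbox is an added example (not code from the original post) of the emulation idea in miniature. Instead of a real CPU it interprets a tiny constructed instruction set (OPEN, WRITE, CLOSE, EXEC, CONNECT, JMP, EXIT) against a fake filesystem and network, records every OS-level action instead of performing it, and then classifies the program from the recorded log. The three sample programs, the file names and the verdict rules are all constructed for the demonstration; the step budget shows how a stalling loop is handled, since the verdict is reached from the actions logged before the budget ran out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Instr = Tuple[str, Optional[str]]   # (opcode, argument)


@dataclass
class Sandbox:
    """Toy emulator: runs a program against fake state and logs what it tries to do."""
    max_steps: int = 200                       # budget so a stalling loop cannot hang the scanner
    fs: Dict[str, str] = field(default_factory=lambda: {
        "C:/app/notepad.exe": "PE",            # constructed pre-existing files
        "C:/docs/report.txt": "TEXT",
    })
    log: List[Tuple] = field(default_factory=list)
    steps: int = 0
    open_path: Optional[str] = None

    def run(self, program: List[Instr]) -> None:
        pc = 0
        while pc < len(program) and self.steps < self.max_steps:
            op, arg = program[pc]
            self.steps += 1
            pc += 1
            if op == "OPEN":
                self.open_path = arg
                self.log.append(("OPEN", arg, arg in self.fs))   # third field: did it exist?
            elif op == "WRITE" and self.open_path is not None:
                self.fs[self.open_path] = arg                    # arg is a tag for the content
                self.log.append(("WRITE", self.open_path, arg))
            elif op == "CLOSE":
                self.open_path = None
            elif op == "EXEC":
                self.log.append(("EXEC", arg))                   # logged, never really executed
            elif op == "CONNECT":
                self.log.append(("CONNECT", arg))                # logged, no real socket
            elif op == "JMP":
                pc = int(arg)
            elif op == "EXIT":
                break


def classify(log: List[Tuple]) -> str:
    """Constructed verdict rules applied to the recorded behavior."""
    existing_exes = set()
    fetched_files = set()
    connected = False
    for ev in log:
        if ev[0] == "OPEN" and ev[2] and ev[1].lower().endswith(".exe"):
            existing_exes.add(ev[1])
        elif ev[0] == "WRITE" and ev[2] == "SELF" and ev[1] in existing_exes:
            return "infector"       # wrote its own image into an existing executable
        elif ev[0] == "CONNECT":
            connected = True
        elif ev[0] == "WRITE" and ev[2] == "NET" and connected:
            fetched_files.add(ev[1])
        elif ev[0] == "EXEC" and ev[1] in fetched_files:
            return "downloader"     # fetched a file over the network and ran it
    return "clean"


def analyze(program: List[Instr]) -> Dict[str, object]:
    sandbox = Sandbox()
    sandbox.run(program)
    return {"verdict": classify(sandbox.log), "steps": sandbox.steps, "log": sandbox.log}


# Constructed sample programs.
INFECTOR = [("OPEN", "C:/app/notepad.exe"), ("WRITE", "SELF"), ("CLOSE", None), ("EXIT", None)]
DOWNLOADER = [("CONNECT", "evil.example"), ("OPEN", "C:/temp/upd.exe"), ("WRITE", "NET"),
              ("CLOSE", None), ("EXEC", "C:/temp/upd.exe"),
              ("JMP", "5")]        # jumps to itself forever: an anti-emulation stall
BENIGN = [("OPEN", "C:/docs/report.txt"), ("WRITE", "TEXT"), ("CLOSE", None), ("EXIT", None)]

if __name__ == "__main__":
    for name, prog in [("infector", INFECTOR), ("downloader", DOWNLOADER), ("benign", BENIGN)]:
        result = analyze(prog)
        print(name, result["verdict"], "after", result["steps"], "steps")
```

The downloader sample never terminates on its own; the sandbox stops it at the step budget and still classifies it correctly from the connect, write and exec it had already logged, which is exactly why a real emulator caps execution time and judges on the partial trace.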

Rootkit Detection
Rootkits gain administrative (kernel-level) privileges on the system and change the settings and functionality of the operating system itself, hiding their own files, processes and settings from any program that asks the operating system about them. That makes them particularly difficult to detect and even harder to remove. Worse, they can tamper with the signature database the antivirus software relies on, or prevent the antivirus software from running at all.

There is a rootkit-specific technique known as “behavioral-based detection”. In the form described here it reads the CPU usage of the system and compares it with the usage expected from a normal computer, since rootkit-infected computers often show unexplained high CPU usage. Detection therefore depends on how much CPU the rootkit consumes, so the accuracy is very poor and there can be many false positives: any heavy but legitimate workload looks the same to this check.

1 comment:

  1. Please, I need a code that will insert data into the database.


Had to enable word verification due to number of spam comments received. Sorry for the inconvenience caused.