seminar report on antivirus
TRANSCRIPT
Seminar Report Anti-virus
1.INTRODUCTION
Dangers loom everywhere on the internet, and when surfing the net,
It is always better to be safe than sorry. Even though you may not
Intentionally visit suspicious websites, one wrong click to a
seemingly innocent site can still leave your computer infected with a
malicious computer virus or malware. Once on your computer, these
harmful programs can steal your sensitive information and destroy
your files. Often, infected machines need to have their hard drives
wiped completely clean in order to truly eradicate the virus. This
results in the loss of
files, photos and other
vital data.
Hackers and other
miscreants are constantly
churning out new viruses
and malware that is
designed to steal financial
information, website passwords
and other sensitive informatio
from innocent victims. Millions
of new viruses pop up each
year and new threats are discovered every day. In this constantly changing
environment, it is impossible to completely avoid the threat of
viruses, but using trustworthy antivirus software can minimize your
risk for infection and the damage done.
1 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
2. ANTIVIRUS
2.1 THE BASICS OF ANTIVIRUS PROGRAM
An antivirus program is designed to protect our computer from possible
virus infection. Since most viruses are designed to run in the
background, most users do not know when their computer is infected.Virus
protection programs serve to search for, detect, and remove these viruses.
Antivirus programs must be kept up-to-date in order for them to able to
Detect new viruses.
Antivirus: What exactly is a Antivirus?
Antivirus software is a computer program that identify and remove
computer virus and other malicious software like worms and Trojans from
an infected computer.Not only this,an antivirus software also protects the
computer from further virus attacks.Anti-virus system detects viruses
from system like svchost.exe,servicemgr.exe,lsass.exe,storevirus
generated by autorun.inf,.Generally Antivirus first check the size &
according to it if match the size with it’s data base then it find out the
pattern from that file if so then it will delete it.
2.2 FEATURES OF ANTIVIRUS
1.Antivirus system is a dedicated,system i-specific.
2.It provides full protection against the standard pc types of virus for files
and programs used to store on the system.
2 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
3.In antivirus there is automatic virus signature update via the internet.
4.Proactive virus signature updates via the network for internet isolated
servers.
5.Antivirus can scan the entire libraries.
6.Antivirus support definition of automatic,pre-schelduled periodic scans
2.3 CLASSIFICATION OF ANTIVIRUS PROGRAM
Computer antivirus programs can be classified by their behaviour (Helenius
1994c, pp. 25-26). The definition has been extended from Kauranen's (1990,
pp. 25) definition. Antivirus programs are often designed to identify a
virus,inwhich case the program detects a virus known to the program.
Moreover, aprogram may be designed to find a virus based on the general
behaviour ofviruses. In this latter case the virus is not known to the program
and such products do not identify the virus by name although the program
can give some information based on the behaviour of the virus. Another
aspect is that a product can detect a virus after infection has occurred or
before the infection to new objects occurs. From the identification and
prevention mechanisms we can construct two dimensional table.However it
is important to note that antivirus product typically contain several types of
different program and the program are often integrated
3 | SUBHADIP BHADRA(1070097) MCA 4th Semester
construct a two-dimensional table (Table 1). However, it is important to note
Seminar Report Anti-virus
Table 1:Two-dimensional classification antivirus program
.
3. HOW ANTIVIRUS WORKS
An anti-virus software program is a cprogram that can be used to scan files
to identify and eliminate computer viruses and other malicious software
(malware).Anti-virus software typically uses two different techniques to
accomplish this:
Examining files to look for known viruses by means of a viru
dictionary
Identifying suspicious behavior from anycomputer program
which might indicate infection
3.1Virus dictionary approach:
In the virus dictionary approach, when the anti-virus software examines a
4 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
file, it refers to a dictionary of known viruses that have been identified by
the author of the anti-virus software. If a piece of code in the file matches
any virus identified in the dictionary, then the anti-virus software can then
either delete the file, quarantine it so that the file is inaccessible to other
programs and its virus is unable to spread, or attempt to repair the file by
removing the virus itself from the file.
To be successful in the medium and long term, the virus dictionary
approach requires periodic online downloads of updated virus dictionary
entries. As new viruses are identified "in the wild", civically minded and
technically inclined users can send their infected files to the authors of anti-
virus software, who then include information about the new viruses in their
dictionaries.
Dictionary-based anti-virus software typically examines files when the
computer's operating system creates, opens, and closes them; and when the
files are e-mailed. In this way, a known virus can be detected immediately
upon receipt. The software can also typically be scheduled to examine all
files on the user's hard disk on a regular basis.
Although the dictionary approach is considered effective, virus authors have
tried to stay a step ahead of such software by writing "polymorphic viruses",
which encrypt parts of themselves or otherwise modify themselves as a
method of disguise, so as to not match the virus's signature in the dictionary.
3.2 Suspicious behavior approach:
The suspicious behavior approach, by contrast, doesn't attempt to identify
known viruses, but instead monitors the behavior of all programs. If one
program tries to write data to an executable program, for example, this is
flagged as suspicious behavior and the user is alerted to this, and asked what
5 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
to do.
Unlike the dictionary approach, the suspicious behavior approach therefore
provides protection against brand-new viruses that do not yet exist in any
virus dictionaries. However, it also sounds a large number of false positives,
and users probably become desensitized to all the warnings. If the user clicks
"Accept" on every such warning, then the anti-virus software is obviously
useless to that user. This problem has especially been made worse over the
past 7 years, since many more nonmalicious program designs chose to
modify other .exes without regards to this false positive issue.Thus,most
modern anti virus software uses this technique less and less.
Other ways to detect viruses:
Some antivirus-software will try to emulate the beginning of the code of
each new executable that is being executed before transferring control to the
executable. If the program seems to be using self-modifying code or
otherwise appears as a virus (it immeadeatly tries to find other executables),
one could assume that the executable has been infected with a virus.
However, this method results in a lot of false positives.
Yet another detection method is using a sandbox. A sandbox emulates the
operating system and runs the executable in this simulation. After the
program has terminated, the sandbox is analysed for changes which might
indicate a virus. Because of performance issues this type of detection is
normally only performed during on-demand scans.
The dictionary approach to detecting virus is often insufficient due to the
continual creation of new viruses,yet the suspicious behaviour approach is
ineffective due to detect false positive alarm;hence,the current understanding
of anti-virus software will never conquer computer virus.
6 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
4.ANTIVIRUS PRODUCT VIRUS DETECTION
ANALYSIS
Each product type requires different analysis approaches.A virus test bed
can be used for evaluating products which will detect or prevent known
viruses.A virus test bed can be utilised for products which will detect or
prevent unknown viruses,but vulnerability analysis is also required.If the
virus test bed are divide into different categories,this can be utilised while
analysing antivirus products.The different virus categories of the test bed
are examples and the classification can be differerent depending on the
analysis method and products evaluated .If the test bed is divided into
different categories ,this will help analysis of product.
Antivirus product catego Current antivirus product
7 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
represent the category
Detecting known virus: known virus scanner
Preventing known virus: memory resident known virus
scanner
Detecting unknown virus: checksum calculation
programs and heuristic scanner
Preventing unknown virus: memory resident heuristic
Sacnners,behaviour blockers
and memory resident checksum
calculation programs
Current Antivirus Product
4.1 Detecting known viruses
A well maintained virus test bed,which contains viruses known to computer
antivirus researches can be used for evaluating products which will detect
known viruses.The virus detection analysis can be carried out by scanning
the contents of the test bed and concluding results from the scanning
reports.Unfortunately,some product may crash during the scanning and in
such files causing crashes need to be traced and files resulting in crashes
should be treated as unidentified by the product.
4.2 Preventing Known virus
8 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
A well maintained virus test bed containing viruses known to computer
antivirus researches can be used for evaluating products preventing known
viruses.The diffrence between is that the product is working in the
background and this requires more complicated evaluation methods,but the
same virus test bed can be used with products,which will prevent known
viruses.
4.3 Detecting Unknown viruses
A virus test bed can also be used as a basis for the analysis for product,
which detect unknown viruses.Often products detecting unknown viruses are
combined with products which will detect known viruses.If possible,the
products known virus detection capability should be disabled.Known virus
detection may be detached by removing virus databse files,by using old
database files or by using specific operation mode of a product.Unfortunate-
ly,the known virus detection may be an inseparable part of a product and in
this case test bed should be limited to viruses not known to the product and
a vulnerability analysis may be necessary.
4.4 Preventing Unknown viruses
A virus test bed can be also used for evaluating products which will prevent
unknown viruses.The diffrence is that the product is working in the
background and this requires special evaluation methods,but the same virus
test bed can be used with product which will prevent unknown viruses.
This is demonstrated in Virus Research Unit’s behaviour blocker analysis.
With products preventing unknown viruses,virus attack emulation and
Vulnerability analysis are also required.
9 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
4.5 Different virus types in the test bed
4.5.1 File viruses
Some programs are viruses in disguise, when executed they load the virus in
the memory along with the program and perform the predefined steps and
infect the system. They infect program files like files with extensions like
.EXE, .COM, .BIN, .DRV and .SYS. Some file viruses just replicate while
others destroy the program being used at that time. Such viruses start
replicated as soon as they are loaded into the memory. As the file viruses also
destroy the program currently being used, after removing the virus or
disinfecting the system, the program that got corrupted due to the file virus,
too, has to be repaired or reinstalled.
4.5.2 Boot sector viruses
The boot sector virus can be the simplest or the most sophisticated of all
computer viruses. Since the boot sector is the first code to gain control after
the ROM startup code, it is very difficult to stop before it loads. If one writes a
boot sector virus with sufficiently sophisticated anti-detection routines, it can
also be very difficult to detect after it loads, making the virus nearly
invincible.
Specifically, let’s look at a virus which will carefully hide itself on both floppy
disks and hard disks, and will infect new disks very efficiently, rather than just
at boot time. Such a virus will require more than one sector of code, so we will
be faced with hiding multiple sectors on disk and loading them at boot time.
Additionally, if the virus is to infect other disks after boot-up, it must leave at
least a portion of itself memory-resident. The mechanism for making the virus
10 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
memory resident cannot take advantage of the DOS Keep function (Function
31H) like typical TSR programs.
4.5.3 Macro viruses
In essence, a macro is an executable program embedded in a word
processing document or other type of file. Typically users employ macros to
automate repetitive tasks and there by save key strokes. The macro language is
some type of basic programming language. A user might define a sequence of
key strokes in a macro and set it up so that a macro is invoked when a function
key is invoked. Common auto executing events are opening a file, closing
file etc. Once a macro is running it can copy itself to other documents, deleting
files etc.
How does a Macro Virus strike?
1. The user gets an infected Office Document by email or by any other
medium.
2. The infected document is opened by the user.
3. The evil Macro code looks for the event to occur which is set as the event
handler at which the Virus is set off or starts infecting other files.
Macro viruses include “Concept,” “Melissa,” and “Have a Nice Day.”
4.5.4 Script viruses
Script viruses should be replicated by using the environment needed for
Replication.For example, viruses using MS-DOS batch language should be
Replicated using batch files as goat files and viruses using Visual Basic
Scripting should be replicated using Windows Scripting Host.
4.5.5 Multipartition viruses
11 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
Multipartite viruses are the hybrid variety; they can be best described as a
cross between both Boot Viruses and File viruses. They not only infect files
but also infect the boot sector. They are more destructive and more difficult to
remove. First of all, they infect program files and when the infected program
is launched or run, the multipartite viruses start infecting the boot sector too.
Now the interesting thing about these viruses is the fact that they do not stop,
once the boot sector is infected. Now after the boot sector is infected, when the
system is booted, they load into the memory and start infecting other program
files. Some popular examples would be Invader and Flip etc.
4.5.6 Polymorphic viruses
They are the most difficult viruses to detect. They have the ability to mutate
this means that they change the viral code known as the signature each time it
spreads or infects. Thus Antiviruses which look for specific virus codes are
not able to detect such viruses. Now what exactly is a Viral Signature?
Basically the Signature can be defined as the specific fingerprint of a
particular virus which is a string of bytes taken from the code of the virus.
Antiviral softwares maintain a database of known virus signatures and look for
a match each time they scan for viruses. As we see a new virus almost
everyday, this database of Virus Signatures has to be kept updated. This is the
reason why the Antivirus vendors provide updates.
How does a Polymorphic Virus Strike?
1. The User copies an infected file to the disk.
2. When the infected file is run, it loads the Virus into the memory or the
RAM.
3. The new virus looks for a host and starts infecting other files on the disk.
4. The virus makes copies of itself on the disk.
5. The mutation engines on the new viruses generate a new unique encryptic
code which is developed due to a new unique algorithm.
12 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
Thus it avoids detecting from Check summers.
4.4.7 Companion viruses
Companion viruses sustaining known executable appearance do not pose
much difficulty for scanners, because they can be simply detected by
normally scanning executable files.Companion viruses,however, may
mislead non identifying products,like integrity checkers,if the possibility of a
companion virus type of attack has not been taken into account while
implementing the product.
4.4.8 Stealth viruses
They viruses are stealth in nature and use various methods to hide
themselves and to avoid detection. They sometimes remove themselves from
the memory temporarily to avoid detection and hiding from virus scanners.
Some can also redirect the disk head to read another sector instead of the
sector in which they reside. Some stealth viruses like the Whale conceal the
increase in the length of the infected file and display the original length by
reducing the size by the same amount as that of the increase, so as to avoid
detection from scanners. For example, the whale virus adds 9216 bytes to an
infected file and then the virus subtracts the same number of bytes i.e. 9216
from the size given in the directory. They are somewhat difficult to detect.
4.4.9 Linking viruses
Linking viruses may require that the system is first infected with the virus in
Order to construct the linkage.However,sacnners typically detect the virus
even when the linkage does not exist and this can be utilised in virus
detection analysis..Furthermore,a linkage virus may be capable of
replicating even without establishing the linkage,but if this is not the
13 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
case,then the linkage should be created before analysis.Otherwise we are
not analysing true working viruses,because the virus is not capable of
replicating without the linkage.
4.4.10 Memory resident viruses
As demonstrated with the definition of stealth viruses,memory resident
Viruses may be able to deceive antivirus products,if the memory scanning
does not work correctly for some reason and the virus active in the central
memory is not found.In such a case it is possible that a antivirus scanner is
actually repplicating a virus,because the virus may infect each file the
scanner opens for reading.Therefore one phase of antivirus product
evaluation could be evaluating products’ capabilities to detect viruses in
central memory.
4.4.11 Self-distributing viruses
Self-distributing viruses have at least one special replication channel from a
local system to a remote system.The replication should be performed by
using the replication channels.However,the replication environvent should be
an isolated environment in order to prevent the virus accidently spreading to
external systems.Preventing antivirus products should be analysed based on
the prevention mechasnism.This may require that the repliction channel is
used or that the virus is activated while the antivitus product is actively
preventing virus
5. IDENTIFICATION METHOD OF ANTIVIRUS
There are several methods which antivirus software can use to identify
malware.
14 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
Signature based detection is the most common method. To identify viruses
and other malware, antivirus software compares the contents of a file to a
dictionary of virus signatures. Because viruses can embed themselves in
existing files, the entire file is searched, not just as a whole, but also in pieces.
Heuristic-based detection, like malicious activity detection, can be used to
identify unknown viruses.
File emulation is another heuristic approach. File emulation involves
executing a program in a virtual environment and logging what actions the
program performs. Depending on the actions logged, the antivirus software
can determine if the program is malicious or not and then carry
Signature-based detection
Traditionally, antivirus software heavily relied upon signatures to identify
malware. This can be very effective, but cannot defend against malware unless
samples have already been obtained and signatures created. Because of this,
signature-based approaches are not effective against new, unknown viruses.
As new viruses are being created each day, the signature-based detection
approach requires frequent updates of the virus signature dictionary. To assist
the antivirus software companies, the software may allow the user to upload
new viruses or variants to the company, allowing the virus to be analyzed and
the signature added to the dictionary.Signatures are obtained by human experts
using reverse engineering.[citation needed] An example of software used in
reversed engineering is Interactive Disassembler. Such a software does not
implement antivirus protection, but facilitates human analysis.
Although the signature-based approach can effectively contain virus
outbreaks, virus authors have tried to stay a step ahead of such software by
writing "oligomorphic", "polymorphic" and, more recently, "metamorphic"
viruses, which encrypt parts of themselves or otherwise modify themselves as
a method of disguise, so as to not match virus signatures in the dictionary.
Heuristics
Some more sophisticated antivirus software uses heuristic analysis to identify
new malware or variants of known malware.
15 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
Many viruses start as a single infection and through either mutation or
refinements by other attackers, can grow into dozens of slightly different
strains, called variants. Generic detection refers to the detection and removal
of multiple threats using a single virus definition.
For example, the Vundo trojan has several family members, depending on the
antivirus vendor's classification. Symantec classifies members of the Vundo
family into two distinct categories, Trojan.Vundo and Trojan.Vundo.B.
While it may be advantageous to identify a specific virus, it can be quicker to
detect a virus family through a generic signature or through an inexact match
to an existing signature. Virus researchers find common areas that all viruses
in a family share uniquely and can thus create a single generic signature.
These signatures often contain non-contiguous code, using wildcard characters
where differences lie. These wildcards allow the scanner to detect viruses even
if they are padded with extra, meaningless code. A detection that uses this
method is said to be "heuristic detection."
Variants of viruses are referred to with terminology such as: "oligomorphic",
"polymorphic" and "metamorphic", where the differences between specific
variants of the same virus are significantly high.In such cases, there are
dedicated statistical analysis-based algorithms, implemented in the "real time"
protection, which analyses software behaviour. This approach is not absolutely
exact and results in higher resource usage on the computer. Since
"oligomorphic", "polymorphic" and "metamorphic" engine development is
difficult and the resulting computer code has a (relatively) high dimension
(although such cases are very rare), this approach can be used with a relatively
high success rate.This approach may imply human ingeniousness for the
design of the algorithm.
If the antivirus software employs heuristic detection, success depends on
achieving the right balance between false positives and false negatives. Due to
the existence of the possibility of false positives and false negatives, the
identification process is subject to human assistance which may include user
decisions, but also analysis from an expert of the antivirus software company.
16 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
6. ANTIVIRUS APPROACHES
The ideal solution to the threat of viruses is prevention. Do not allow
a virus is get into the system in first place. This goal is in general
difficult to achieve, although prevention can reduce the no: of
successful viral attacks. The next best approach is to be able to do the
following.
Detection: Once the infection has occurred, determine that it has occurred
and locate the virus.
Identification: Once detection has been achieved, identify the specific virus
has infected a program.
Removal: Once the specific virus has been identified, remove all traces of the
virus from the infected program and restore it to its original state.
Advances in viruses and antivirus technology go hand in hand.
As the virus arms race has evolved, both viruses and antivirus software have
grown more complex and sophisticated. There are three main kinds of anti-
virus programs [McAfee]. Essentially these are scanners, monitors and
integrity checkers.
6.1 SCANNERS
Scanners are programs that scan the executable objects (files and boot
sectors) for the presence of code sequences that are present in the known
viruses. Currently, these are the most popular and the most widely used kind
of anti-virus programs. There are some variations of the scanning technique,
17 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
like virus removal programs (programs that can "repair" the infected objects
by removing the virus from them), resident scanners (programs that are
constantly active in memory and scan every file before it is executed), virus
identifiers (programs that can recognize the particular virus variant exactly by
keeping some kind of map of the non-modifiable parts of the virus body and
their checksums), heuristic analyzers (programs that scan for particular
sequences of instructions that perform some virus-like functions), and so on.
The reason that this kind of anti-virus program is so widely used nowadays is
that they are relatively easy to maintain. This is especially true for the
programs which just report the infection by a known virus variant, without
attempting exact identification or removal. They consist mainly of a searching
engine and a database of code sequences (often called virus signatures or scan
strings) that are present in the known viruses. When a new virus appears, the
author of the scanner needs just to pick a good signature (which is present in
each copy of the virus and in the same time is unlikely to be found in any
legitimate program) and to add it to the scanner's database. Often this can be
done very quickly and without a detailed disassembly and understanding of
the particular virus.
Furthermore, scanning of any new software is the only way to detect viruses
before they have the chance to get executed. Having in mind that in most
operating systems for personal computers the program being executed has the
full rights to access and/or modify any memory location (including the
operating system itself), it is preferable that the infected programs do not get
any chance to be executed.
At last, even if the computer is protected by another (not virus-specific)
defense, a scanner will still be needed. The reason is that when the non virus-
specific defense detects a virus-like behavior, the user usually wants to
identify the particular virus, which is attacking the system - for instance, to
18 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
figure out the possible side-effects or intentional damage, or at least to identify
all infected objects.
Unfortunately, the scanners have several very serious drawbacks. The main
one is that they must be constantly kept up-to-date. Since they can detect only
the known viruses, any new virus presents a danger, because it can bypass a
scanner-only based protection. In fact, an old scanner is worse than no
protection at all - since it provides a false sense of security.
Simultaneously, it is very difficult to keep a scanner up-to-date. In order to
produce an update, which can detect a particular new virus, the author of the
scanner must obtain a sample of the virus, disassemble it, understand it, pick a
good scan string that is characteristic for this virus and is unlikely to cause a
false positive alert, incorporate this string in the scanner, and ship the update
to the users. This can take quite a lot of time. And new viruses are created
every day - with a current rate of up to 100 per month. Very few anti-virus
producers are able to keep up-to-date with such a production rate. One can
even argue that the scanners are somehow responsible for the existence of so
many virus variants. Indeed, since it is so easy to modify a virus in order to
avoid a particular scanner, lots of "wannabe" virus writers are doing it.
However, the fact that the scanners are obsolete as a single line of defense
against the computer viruses became obvious only with the appearance of the
polymorphic viruses. These are viruses, which use a variable encryption
scheme to encode their body and which even modify the small decryption
routine, so that the virus looks differently in each infected file. It is impossible
to pick a simple sequence of bytes that will be present in all infected files and
use it as a scan string. Such sequence simply does not exist. Some
polymorphic viruses can be detected using a wildcard scan string, but more
and more viruses appear today, which cannot be detected even if the scan
string is allowed to contain wildcard bytes.
19 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
The only possible way to detect such viruses is to understand their mutation
engine in detail. Then one has to construct an algorithmic "scanning engine"
specific to the particular virus. However, this is a very time-consuming and
effort-expensive task, so many of the existing scanners have problems with the
polymorphic viruses. And we are going to see more such viruses in the future.
The Bulgarian virus writer known under the handle Dark Avenger has even
released a "mutating engine" - a tool for building extremely polymorphic
viruses... Very few scanners are able to detect the viruses, which are using it,
with 100 reliability.
One last drawback of the scanners is that scanning for lots of viruses can be
very time-consuming. The number of currently existing viruses is about 1,600
and is expected to reach 3,000 at the end of 1992. Indeed, some scanners use
clever scanning methods like fixed-point scanning, top-and-tail scanning,
hashing and so on. The detailed description of these methods is outside the
scope of this paper, but as has been proved in [Cohen90], scanning is not cost-
effective in the long run, despite the scanning method used.
6.2 MONITORS
The monitoring programs are memory resident programs, which constantly
monitor some functions of the operating system. Those are the functions that
are considered to be dangerous and indicative for virus-like behavior. Such
functions include modifying an executable file, direct access of the disk
bypassing the operating system, and so on. When a program tries to use such a
function, the monitoring program intercepts it and either denies it completely
or asks the user for confirmation.
Unlike the scanners, the monitors are not virus-specific and therefore need not
to be constantly updated. Unfortunately, they have other very serious
20 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
drawbacks - drawbacks that make them even weaker than the scanners as an
anti-virus defense and almost unusable today.
The most serious drawback of the monitors is that they can be easily bypassed
by the so-called tunneling viruses. The reason for this is the total lack of
memory protection in most operating systems for personal computers. Any
program that is being executed (including the virus) has full access to read
and/or modify any area of the computer's memory - including the parts of the
operating system. Therefore, any monitoring program can be disabled because
the virus could simply patch it in the memory. There are other clever
techniques as interrupt tracing, DOS scanning, and so on, which allow the
viruses to find the original handlers of any operating system function.
Afterwards, this function can be called directly, thus bypassing any monitoring
programs, which watch for it.
Another drawback of the monitoring programs is that they try to detect a virus
by its behavior. This is essentially impossible in the general case, as proven in
[Cohen84]. Therefore, they cause many false alarms - since the functions that
are expected to be used by the computer viruses usually have pretty legitimate
use by the normal programs. And if the user gets used to the false alerts, s/he
will be likely to oversee a real one.
The monitoring programs are also completely useless against the slow viruses,
described later in this paper.
6.3 INTEGRITY CHECKING PROGRAMS.
Therefore, in order to be a virus, a program must be able to infect. And, in
order to infect, the program must cause modifications to the programs that are
infected. Therefore, a program, which can detect that the other executable
21 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
objects have been modified, will be able to detect the infection. Such programs
are usually called integrity checkers.
The integrity checkers compute some kind of checksum of the executable code
in a computer system and store it in a database. The checksums are re-
computed periodically and compared with the stored originals. Several authors
point out that in order to avoid forging attempts from the part of the virus, the
checksums must be cryptographically strong. This can be achieved by using
some kind of trap-door one-way function, which is algorithmically difficult to
be inverted. Such functions include DES, MD4, MD5, and so on. But, as has
been shown by [Radai], this is not mandatory. A simple CRC is sufficient, if
implemented correctly.
There are several kinds of integrity checkers. The most widely used ones are
the off-line integrity checkers, which are run to check the integrity of all the
executable code on a computer system. Another kind is the integrity modules,
which can be attached (with the help of a special program) to the executable
files, so that when the latter started will check their own integrity.
Unfortunately, this is not a good idea, since not all executable objects can be
"immunized" this way. Additionally, the "immunization" itself can be easily
bypassed by stealth viruses, as described later in this paper. The third kind of
integrity software is the integrity shells. They are resident programs, similar to
the resident scanners, which check the integrity of an object only at the
moment when this object is about to be executed. These are the least
widespread anti-virus programs today, but the specialists predict them a bright
future [Cohen90].
The integrity checking programs are not virus-specific and therefore do not
need constant updating like the scanners. They do not try to block virus
replication attempts like the monitoring programs and therefore cannot be
bypassed by the tunneling viruses. In fact, as demonstrated by [Cohen90], they
22 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
are currently the most cost-effective and sound line of defense against the
computer viruses.
They also have some drawbacks. For instance, they cannot prevent an
infection - they are able only to detect and report it after the fact. Second, they
must be installed on a virus-free system; otherwise they will compute and
store the checksums of already infected objects. Therefore, they must be used
in a combination with a scanner at least before installation. This is needed, in
order to ensure that the system they are being installed on is virus-free. Third,
they are prone to false positive alerts. Since they detect changes, not viruses,
any change in the programs (like updating the software with a new version), is
likely to trigger the alert. Sometimes this can be avoided or at least reduced by
using some intelligent heuristics and educating the users. Fourth, while the
integrity checkers are able to detect the virus spread and identify the newly
infected objects, they usually cannot determine the initially infected object,
i.e., the source of the infection.
Despite the drawbacks mentioned, the integrity checking programs are the
currently most powerful line of defense against computer viruses and are
likely to be used more widely in the future. Therefore, we should expect that
new viruses will appear which will target the integrity programs in the same
way as the polymorphic viruses are targeting the scanners and the tunneling
viruses are targeting the monitors. Let's see what kinds of attacks are possible
against the integrity checking programs and how these programs can be
improved to avoid them.
23 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
24 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
25 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
.
26 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
27 | SUBHADIP BHADRA(1070097) MCA 4th Semester
Seminar Report Anti-virus
28 | SUBHADIP BHADRA(1070097) MCA 4th Semester