AV Software - Anatomy?
Results 1 to 10 of 10

Thread: AV Software - Anatomy?

  1. #1
    Banned
    Join Date
    Sep 2002
    Posts
    34

    AV Software - Anatomy?

    I was just wondering exactly how anti-virus software works... I have just a brief knowledge about programming (C++ and VB6) and by looking from the code i do know, it just seems strange. What does it look for?
    Hypetheically speaking, if I wrote a virus from my own computer and did not release it to the public, or give it any particular name, would it be detectable by virus software?

  2. #2
    Member
    Join Date
    Oct 2002
    Posts
    64
    Common antivirus software works by searching files on your computer looking for common pieces of code that are known to the virus company as being "signatures" of a virus. As soon as these signatures are discovered, the update is released to the subscribers. This works fairly well but is by nature reactive. Mutations or viruses made from virus creation kits are still detected with the same signature because they share the same virus engine.

    This is the most common form of detection. There are other methods that are more proactive but they have a tendency to generate false positives which can cause panic for the end user.

    The book "Viruses Revealed" does a great job in explaining scanning mechanisms.

    Hope this helped a little.

    -Xe

  3. #3
    Senior Member
    Join Date
    Jul 2002
    Posts
    225
    These proactive methods are commonly known as heuristics. The concept of this was initially realized, as I understand it, after a big CARO sponsored AV conference. They had a presenter show small scraps of disassembled code to the AV programmers present and asked them to raise their hands if they thought the code was viral. They slides they showed were from all kinds of software, viral and otherwise. The success rate, including the speed of indentification, was staggeringly high. So all thse guys came away with the idea:
    How did we do that? And furthermore can we develop AI that can do the same thing?
    The answer is in short : Sort of.
    Personally I would call heuristics an art still in developement, but that's just me....
    \"Now it\'s time to erase the story of our bogus fate. Our history as it\'s portrayed is just a recipe for hate!\"
    -Bad Religion

  4. #4
    Senior Member
    Join Date
    Aug 2001
    Posts
    485
    Originally posted here by doktorf00bar
    These proactive methods are commonly known as heuristics. The concept of this was initially realized, as I understand it, after a big CARO sponsored AV conference. They had a presenter show small scraps of disassembled code to the AV programmers present and asked them to raise their hands if they thought the code was viral. They slides they showed were from all kinds of software, viral and otherwise. The success rate, including the speed of indentification, was staggeringly high. So all thse guys came away with the idea:
    How did we do that? And furthermore can we develop AI that can do the same thing?
    The answer is in short : Sort of.
    Personally I would call heuristics an art still in developement, but that's just me....
    You hit the nail on the head. What heuristic scanning mainly relies on is looking for suspicious bits of code. Usually the virus is written in one of the common high level programming languages (C, C++, VBS etc.), and uses a well known exploit.
    So when the code is compiled you always get the same set of machine instructions. Of course you can try to confuse matters by inserting extra bits of code which are innocuous into the virus program.
    So to take a completely hypothetical simple example, you might see x'0F546C34' (no this doesn't mean anything!) as a suspect sequence of instructions. And if you saw x'0F54????6C34', you would still be suspicious, depending on what the ???? was.
    In real life, the suspect bits of code are far longer than this.
    So basically you are looking for specific patterns in the raw machine code - the problem is where to draw the line when alerting the user - how likely is this to be a virus?

  5. #5
    Member
    Join Date
    Jul 2001
    Posts
    32
    Another point are boot sector viruses and their detection: the anti virus software makes a picture of the actual boot sectors (at the moment of installation). Whenever the boot sector has changed the software alerts and asks the user if he wants to accept these changes or restore the old sector. This method is independently of the signature of the virus. However, the possibility of false positives is given due to the fact that if one installs another OS for example which writes information in the boot sector. In this case it is for no good to restore the boot sector, believe me :-)

  6. #6
    Senior Member
    Join Date
    Dec 2001
    Posts
    321
    heuristic algorithm are based on adaptive alg, that can evaluate and teach themselves about their efficiency. These alg are found everywhere. (for example in your fixed phone ....that is how old that science is ...)
    the challenge now is that the longuer bits of informations to identify can come into several forms. the pay load of any virus/trojan/worm can be compiled directly in assembly can be almost hidden so an alg will not only have to learn ways of recognizing the data he is looking for but also the different ways that the data can be hidden:
    here is a link for some assembly variable transfer in different manners:
    http://www.mil.ufl.edu/eel4744/

    so in resume, heuristic research will take a long time but it will nessecite a lot of horsepower to compute all the possible combinations of hidding ill intended code.
    assembly.... digital dna ?

  7. #7
    Senior Member
    Join Date
    Aug 2001
    Posts
    485
    Originally posted here by nabylbt
    heuristic algorithm are based on adaptive alg, that can evaluate and teach themselves about their efficiency. These alg are found everywhere. (for example in your fixed phone ....that is how old that science is ...)
    the challenge now is that the longuer bits of informations to identify can come into several forms. the pay load of any virus/trojan/worm can be compiled directly in assembly can be almost hidden so an alg will not only have to learn ways of recognizing the data he is looking for but also the different ways that the data can be hidden:
    here is a link for some assembly variable transfer in different manners:
    http://www.mil.ufl.edu/eel4744/

    so in resume, heuristic research will take a long time but it will nessecite a lot of horsepower to compute all the possible combinations of hidding ill intended code.
    This is true, but it is easier to solve than you might think. I remember 15 years ago in a job inteview being asked ten different ways in assembler how you could zero a register in 1-2 instructions (IBM mainframe as it happens). What this did was to prove that you understood the underlying instruction set of the CPU. The same thing applies to todays Intel & AMD chips.
    If you provide the algorithm with the right information to start off with (and keep feeding it with new developments), then it can work.

  8. #8
    Senior Member
    Join Date
    Dec 2001
    Posts
    321
    Well the thing is that the longuer the code gets then the more calculations the soft has to do to identify the code ....
    it's like trying to minimise the risk of using unsecure code with an unknown number of variables .... too many computation now even in finance they are content to get a local minimun and not the overall minimum.
    the heuristic problem is equivalent as finding extremums in non linear function with huge amoutns of variables same problem in number theory when the amount of total computation exceeds what you can do , u try something else....
    that's why right now AV soft are very good at scanning known pieces of code but they cannot infer from that all other malicious code.
    assembly.... digital dna ?

  9. #9
    Banned
    Join Date
    Sep 2002
    Posts
    34
    Thanks guys..
    but would it be possible for a programmer to create a virus that replaces the vital files a system needs by adding malacious code to it? and thus the AV software could not quarantee it without resulting in some system failures? or is my imagination too far fetched..

  10. #10
    Member
    Join Date
    Oct 2002
    Posts
    64
    Many viruses infect vital system files. That is the reason so many viruses cause systems to crash.

    The current fad, BugBear deletes common security program executables, creates a remote backdoor, and propogates using (what else!) Outlook. That is one nasty worm.

    ~Xe

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •