Avoiding detection when writing viral software.


8/7/2019 Avoiding detection when writing viral software.

http://slidepdf.com/reader/full/avoiding-detection-when-writing-viral-software 1/2

Detection avoidance

(c) James E. Fletcher 2003 <[email protected]>

[ NOTE: I wrote this a _LONG_ time ago and a lot of concepts are now largely defunct. I would advise to research further into the issues discussed before assuming the following information still stands correct today. ] - James Fletcher - Feb 2011.

Viral programs have almost no defence at all against disinfection. 99% of viri are almost trivially simple to get rid of, simply by replacing the "infected" file (or boot sector) with an original copy. (Some more recent boot sector and system viri require slightly more knowledge in order to perform effective disinfection: none require drastic measures.) Far from their image as the predators of the computer world, viral programs behave much more like prey. Their survival is dependent upon two primary factors: reproductive ability and avoidance of detection.

Using the standard system calls to modify a file leaves very definite traces. The change in a file "creation" or "last modified" date is probably more noticeable than a growth in file size. File size is rather meaningless, whereas dates and times do have significance for users. Changing the date back to its original value, however, is not a significant programming challenge.

Adding code while avoiding a change in file size is more difficult, but not impossible. Overwriting existing code and adding code to "unused" portions of the file or disk are some possible means. (The fictional rogue program P1, in Thomas Ryan's "The Adolescence of P1", avoided problems of detection by analyzing and rewriting existing code in such a manner that the programs were more compact and ran more efficiently. Such activity has not yet, alas, been discovered in any existing virus.)
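The two preceding paragraphs make a detection point that is easy to demonstrate: a restored timestamp hides a change in date, and an in-place overwrite hides a change in size, but neither hides a change in content. The following is an added example (not part of the original text, and not the author's code): a small baseline-and-compare integrity checker that records size, modification time and SHA-256 for every file under a directory, then reports which of the three indicators changed. The `demo()` function constructs its own sample files in a temporary directory and applies two simulated modifications, one that restores the timestamp and one that keeps the size constant; the file names and sizes (echoing the 5K utility and 300K spreadsheet mentioned below) are assumptions for illustration only.

```python
"""Baseline-and-compare file integrity check (added example, not from the original text).

Shows why file size and modification time are weak indicators on their own:
only the content hash flags both simulated modifications in demo().
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Record:
    size: int
    mtime_ns: int
    sha256: str


def fingerprint(path: Path) -> Record:
    """Record the three indicators for one file: size, mtime, content hash."""
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return Record(st.st_size, st.st_mtime_ns, digest)


def baseline(root: Path) -> dict[str, Record]:
    """Fingerprint every regular file under root, keyed by relative path."""
    return {
        str(p.relative_to(root)): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(before: dict[str, Record], after: dict[str, Record]) -> dict[str, list[str]]:
    """Return, per changed file, which indicators differ: 'size', 'mtime', 'hash'."""
    findings: dict[str, list[str]] = {}
    for name, old in before.items():
        new = after.get(name)
        if new is None:
            findings[name] = ["missing"]
            continue
        changed = []
        if new.size != old.size:
            changed.append("size")
        if new.mtime_ns != old.mtime_ns:
            changed.append("mtime")
        if new.sha256 != old.sha256:
            changed.append("hash")
        if changed:
            findings[name] = changed
    for name in after.keys() - before.keys():
        findings[name] = ["new"]
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed scenario: two files are modified after the baseline is taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        util = root / "util.com"          # assumed name: small 5K utility
        sheet = root / "sheet.exe"        # assumed name: large 300K program
        untouched = root / "readme.txt"   # control file, never modified
        util.write_bytes(b"\x90" * 5_000)
        sheet.write_bytes(b"\xcc" * 300_000)
        untouched.write_bytes(b"unchanged\n")
        before = baseline(root)

        # Simulated change 1: append 2K, then put the original timestamps back.
        # Size grows, mtime looks untouched, hash differs.
        st = util.stat()
        with util.open("ab") as f:
            f.write(b"\x41" * 2_048)
        os.utime(util, ns=(st.st_atime_ns, st.st_mtime_ns))

        # Simulated change 2: overwrite 2K in place and restore timestamps.
        # Size and mtime both look untouched; only the hash differs.
        st = sheet.stat()
        with sheet.open("r+b") as f:
            f.seek(1_000)
            f.write(b"\x42" * 2_048)
        os.utime(sheet, ns=(st.st_atime_ns, st.st_mtime_ns))

        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for name, indicators in demo().items():
        print(f"{name}: changed {', '.join(indicators)}")
```

The baseline has to be stored somewhere the checked system cannot rewrite, and, as the stealth discussion below notes, the comparison is only trustworthy when run from a known-clean environment, since an active resident program that intercepts disk reads can hand the checker the original bytes.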

Some viral programs, or rather, virus authors, rely on psychological factors. There are a number of examples of viri which will not infect program files under a certain minimum size, knowing that an additional 2K is much more noticeable on a 5K utility than on a 300K spreadsheet.

In a sense these are all "stealth" technologies, but this term is most often used for programs which attempt to avoid detection by trapping calls to read the disk and "lying" to the interrogating program. By so doing, they avoid any kind of detection which relies upon perusal of the disk. The disk gives back only that information regarding file dates, sizes and makeup which were appropriate to the original situation. (This also relies upon the virus being "active" at the time of checking.) Although this method avoids any kind of "disk" detection, including checksumming and signature scanning, it leaves traces in the computer's memory which can be detected. (Some viral programs also try to "cover their tracks" by watching for any analysis of the area they occupy in memory and crashing the system, but this tends to be noticeable behaviour... )