Who Goes There? An Introduction to On-Access Virus Scanning, Part Two

    Date: 17 Sep 2002
    Posted by: Anthony Pell
    By now, most savvy computer users have anti-virus software (AV) installed on their machines and use it as part of their regular computing routine. However, most average users do not know how anti-virus software works. This article is the second in a two-part series that will offer a brief overview of a particular type of anti-virus technique known as on-access scanning.

    The first article of this series looked at on-access AV scanners, including some of the basic concepts behind these mechanisms. This article will explore some of the strategies that virus writers have adopted to circumvent on-access scanners and the ways that anti-virus developers are in turn reacting to those changes.

    Virus writers developed several countermeasures in response to improvements in on-access scanning methods. They began to obscure the malicious nature of the code by encrypting it, by placing it where virus scanners were unlikely to find it, and by hiding the location in the infected program where the virus takes control. For instance, many simple Windows Portable Executable (PE) viruses append their viral code to the end of a program with a jump instruction at the front of the program to cause the virus code to be executed.

    A virus scanner can quickly look for changes in executable code by examining the length of the program. If the size of the file has been changed during execution, it is a good indicator that a virus has infected the program. To counter this check, cavity viruses hide their code in empty spaces within the program file, thus keeping the file size the same. The cavity virus has been around since the MS-DOS days, beginning with the Lehigh virus. Its use in virus design increased greatly when Microsoft developed the Windows PE format to allow Windows programs to be transported between Windows operating systems. In order to speed the loading of PE format programs, Windows program compilers created empty spaces throughout the program. Recent viruses, such as W2K/Lamchi, make use of these open spaces to hide viral code.
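    As an added illustration of the length check described above (example code written for this page, not part of the original article or of any AV product), the following Python reads a PE's section table, reports any bytes appended past the last declared section, and says which section the entry point falls in. The `build_pe` helper and every section name, address and size it is called with are constructed test values, not taken from a real binary.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def pe_layout(data: bytes) -> dict:
    """Read the entry-point RVA and the section table from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect, opt_size = (struct.unpack_from("<H", data, coff + o)[0] for o in (2, 16))
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsect):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + i * 40)
        sections.append({"name": f[0].rstrip(b"\0").decode(errors="replace"),
                         "vsize": f[1], "vaddr": f[2], "rawsize": f[3], "rawptr": f[4]})
    return {"entry_rva": entry_rva, "sections": sections}

def appended_code_check(data: bytes) -> dict:
    """Length check from the article: bytes past the last declared section, and where the entry point lands."""
    pe = pe_layout(data)
    declared_end = max((s["rawptr"] + s["rawsize"] for s in pe["sections"]), default=0)
    ep = pe["entry_rva"]
    hit = [s["name"] for s in pe["sections"]
           if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"])]
    return {"overlay_bytes": max(len(data) - declared_end, 0),
            "entry_section": hit[0] if hit else None}

def build_pe(sections, entry_rva, overlay=b"") -> bytes:
    """Construct a minimal PE32 test sample (not a real binary); sections = [(name, vaddr, size)]."""
    e_lfanew, opt_size, hdr_size = 0x40, 0xE0, 0x200
    hdr = bytearray(hdr_size)
    hdr[:2], hdr[e_lfanew:e_lfanew + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x14C, len(sections))   # Machine, NumberOfSections
    struct.pack_into("<H", hdr, e_lfanew + 20, opt_size)                # SizeOfOptionalHeader
    opt = e_lfanew + 24
    struct.pack_into("<HBBIIII", hdr, opt, 0x10B, 0, 0, 0, 0, 0, entry_rva)  # PE32 magic ... AddressOfEntryPoint
    body, rawptr = bytearray(), hdr_size
    for i, (name, vaddr, size) in enumerate(sections):
        struct.pack_into(SECTION_FMT, hdr, opt + opt_size + i * 40,
                         name, size, vaddr, size, rawptr, 0, 0, 0, 0, 0x60000020)
        body += b"\x90" * size   # placeholder section content
        rawptr += size
    return bytes(hdr) + bytes(body) + overlay
```

    A cavity infection leaves both measures unchanged, which is exactly why the article says it defeats the length check.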
