User Guide
Preface
Particularly clever viruses can even subvert attempts to clear them from
memory by trapping the CTRL+ALT+DEL keyboard sequence for a warm
reboot, then faking a restart. Sometimes the only outward indication that
anything on your system is amiss—before any payload detonates, that
is—might be a small change in the file size of infected legitimate software.
Stealth, mutation, encryption, and polymorphic techniques
Unobtrusive as they might be, changes in file size and other scant evidence of a virus infection usually give most anti-virus software enough of a scent to locate and remove the offending code. One of the virus writer’s principal challenges, therefore, is to find ways to hide his or her handiwork. The earliest disguises were a mixture of innovative programming and obvious giveaways. The Brain virus, for instance, intercepted requests to read a disk’s boot sector and redirected them away from the infected sector to the place where it had moved the original boot code, so that a program inspecting the disk saw clean boot code rather than the virus. This “stealth” capability enabled this and other viruses to hide from conventional search techniques.
Because viruses needed to avoid continuously reinfecting host systems—doing so would quickly balloon an infected file’s size to easily detectable proportions or would consume enough system resources to point to an obvious culprit—their authors also needed to tell them to leave files they had already infected alone. They addressed this problem by having the virus write a characteristic byte sequence into each infected file or, in 32-bit Windows operating systems, create a particular registry key, as the software equivalent of a “do not disturb” sign. Although that kept the virus from giving itself away immediately, it opened the way for anti-virus software to use the “do not disturb” sequence itself, along with other characteristic patterns that the virus wrote into files it infected, to spot its “code signature.” Most anti-virus vendors now compile and regularly update a database of virus “definitions” that their products use to recognize those code signatures in the files they scan.
In response, virus writers found ways to conceal the code signatures. Some viruses would “mutate” or transform their code signatures with each new infection. Others encrypted their own code and, as a result, their code signatures, changing the encryption key from one infection to the next and leaving only a short decryption routine and its key in plain view. The most sophisticated new viruses combined stealth, mutation, and encryption to appear in an almost undetectable variety of new forms, varying even the decryption routine itself so that no fixed sequence of bytes survived from one copy to the next. Finding these “polymorphic” viruses required software engineers to develop very elaborate programming techniques for anti-virus software.
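As an added example, not taken from this guide or from any anti-virus product, the following Python script builds constructed toy file contents and runs a fixed byte-signature scan over them to illustrate the preceding two paragraphs: the virus’s own “do not disturb” marker and body become the scanner’s signatures; re-encrypting the body with a fresh key on each infection hides the body signature while the unchanged decryptor stub still matches; and a mutated (polymorphic) stub defeats plain byte matching, so the scanner has to do more work, here by trying every single-byte XOR key on the file tail. Every byte string (marker, body, stub, host file) is constructed toy data, and single-byte XOR stands in for whatever cipher a real virus would use.

```python
"""Added example: a toy signature scanner versus a toy infection marker,
per-infection encryption and a mutated decryptor stub. All byte strings
below are constructed toy data, not real malware or real definitions."""

# Constructed marker a toy virus writes into hosts so it skips them next time
INFECTION_MARKER = b"\x4D\x5A\xDE\xAD\xBE\xEF"
# Constructed toy viral body: the bytes a virus definition would match on
VIRAL_BODY = b"TOY-VIRUS-BODY-NOT-EXECUTABLE-0123456789"
# Constructed stand-in for a decryptor stub, which must stay in cleartext
DECRYPTOR_STUB = b"\xEB\x0E\x5E\x31\xC9\xB1"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the toy virus's 'encryption' and 'decryption'."""
    return bytes(b ^ key for b in data)


def infect_plain(host: bytes) -> bytes:
    """Non-encrypting infection; honours the marker so the file is not regrown."""
    if INFECTION_MARKER in host:
        return host
    return host + INFECTION_MARKER + VIRAL_BODY


def infect_encrypted(host: bytes, key: int) -> bytes:
    """Encrypting infection: fixed stub, one key byte, body XOR'd with that key."""
    if INFECTION_MARKER in host:
        return host
    return host + INFECTION_MARKER + DECRYPTOR_STUB + bytes([key]) + xor_bytes(VIRAL_BODY, key)


def infect_polymorphic(host: bytes, key: int, filler: bytes) -> bytes:
    """Polymorphic infection: the stub itself changes per infection (here by
    splitting it around constructed do-nothing filler bytes), so no fixed
    stub signature exists; the body is still XOR'd with a per-infection key."""
    if INFECTION_MARKER in host:
        return host
    mutated_stub = DECRYPTOR_STUB[:3] + filler + DECRYPTOR_STUB[3:]
    return host + INFECTION_MARKER + mutated_stub + bytes([key]) + xor_bytes(VIRAL_BODY, key)


# Constructed stand-in for a vendor's definition database
DEFINITIONS = {"marker": INFECTION_MARKER, "body": VIRAL_BODY, "stub": DECRYPTOR_STUB}


def scan(data: bytes) -> list[str]:
    """Plain definition scan: names of every signature that appears in data."""
    return [name for name, sig in DEFINITIONS.items() if sig in data]


def scan_with_xor_keys(data: bytes) -> list[int]:
    """Generic decryption: XOR the file tail with each of the 256 possible keys
    and report every key under which the body signature reappears."""
    tail = data[-len(VIRAL_BODY):]
    return [k for k in range(256) if xor_bytes(tail, k) == VIRAL_BODY]


HOST = b"MZ" + b"\x00" * 64 + b"legitimate program text"  # constructed host file


def demo() -> dict:
    """Run each infection style against the constructed host and scan the result."""
    plain = infect_plain(HOST)
    enc_a = infect_encrypted(HOST, 0x5A)
    enc_b = infect_encrypted(HOST, 0xA7)
    poly = infect_polymorphic(HOST, 0x3C, b"\x90\x90")
    return {
        "clean": scan(HOST),
        "plain": scan(plain),
        "reinfection_grows_file": len(infect_plain(plain)) != len(plain),
        "encrypted_a": scan(enc_a),
        "encrypted_b": scan(enc_b),
        "encrypted_tails_differ": enc_a[len(HOST):] != enc_b[len(HOST):],
        "polymorphic": scan(poly),
        "polymorphic_keys_found": scan_with_xor_keys(poly),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the progression the text describes: the plain infection is caught on both the marker and the body; the two encrypted copies have different tails but both still match on the unchanged stub; the polymorphic copy matches on nothing but the marker, and only the brute-force decryption pass recovers the body signature (under key 0x3C). The marker also keeps a second infection from changing the file size, which is exactly why scanners learned to look for the marker itself.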