One can give the simplest answer: "Know your enemy!" However, it is not so simple.
Well, I have taken control of one of our big tours aimed at antiviruses, so
I have to answer. Who else can?
How can you write a virus without understanding antiviruses? With very poor
efficiency. The bad but common attribute of virus writers is that they do not
know how avirs work. Most writers call themselves researchers, but
in many cases they are not researching anything, just writing some virii
similar to one another. Think a bit - it slightly simplifies the work for the
antivirus guys. They need no additional effort to cover new viruses. It is,
in other words, schematic. New viruses can be covered within minutes
(or even seconds! it depends on how wise they are and on the tools they wrote to do so) -
it of course depends on when they get to it, and it may take them up to days
or month(s) if they are overloaded with new samples. But there is no extra work
to catch all the samples in the In-the-Wild set and get Virus Bulletin's 100%
award. And I think you will not be happy to be caught so easily.
This tour is oriented to explain to you how antiviruses work, list the basic principles and theory of scanning (and cleaning as well) methods, and partially point out how some of the best antiviruses work (with some of our comments on their hit-rates). We will also try to include some valid tests we made on real samples to show you these theories. We are not going to tell you exact methods of how to fool each antivirus, but to show you which way you must think, and how to find newer and newer methods of fooling them. Because if we list ten methods, for example, once all of them have been used there is no other method available. Of course, we will try to show some basic directions, but you have to think! Writing virii is not for lamers. Not any more. Only the best can survive. Think as if it is YOU, for a while.
A virus is as good as long as it can survive. Some virus writers are writing
their work for "research reasons", just putting it into some collections,
spreading it between avers, but no more. Well, one may guess it is ethical.
First I have to say - the most unethical thing associated with viruses
is destruction. Never do that. You don't have any reason
to do so. What else is left is the virii principle itself - to spread
and be spread. There is nothing in between.
I can illustrate it on the Uruguay virus family.
Don't you know 'em? They are pretty well known: originally, the whole family (as
far as I know the latest is number 11) was written as a kind of research virus
to illustrate technologies. Polymorphic technologies, of course. Their
author, named Brueiurere, didn't (as far as is known) intend them
for real spreading - only for avers, and to complicate their life a bit.
Samples were available to av-researchers, later on only to some selected
avers - they obtained the samples with an important note not to spread them.
As the avers are the biggest virus-exchangers in the world, soon most of them had
those samples. One of them even put uruguay#6 into a real environment and this
virus (only avers had it!) was detected in the wild. This is a classic example
that avers can spread viruses too - even if they say they are the good
guys. But the world is never black and white. Later on, Uruguay's author was
producing some newer versions: up to version #8 almost every aver has. Versions
#10 and #11 were given to only two people in the world, Ilja Gulfakov (dr.web)
and xaefer (avp?). Are Uruguays ethical? I don't think so - they are the same
viruses as the other ones, but it complicates life for avers and they don't want
to spread them as they can hardly detect them.
I return to the original idea - how long a virus can survive. Sooner or
later any virus can be detected (and removed as well) unless we can change
the current virii principle - but that is another long discussion. For avers,
an easily detectable virus that fits their scanning schemes makes no problem
to detect and remove if it appears in the wild. It only depends on how
soon the (up to that time) unknown virus infects the computer of someone who can find
out there is a virus, can see some changes and sends a sample to some av
company. The usual way (just think) is to put it into some directory to analyze
it. It depends on how many people familiar with viruses they have to process
all the samples they get. Many times there is a lot of rubbish in such
incoming files: damaged files, and viruses of course.
Some minutes, hours or days later the virus is roughly checked (usually not analyzed,
as complex analysis takes lots of time) and a scan-string (or whatever they
use) is selected. If it is as easy as mentioned, it doesn't take lots of time.
The more complicated it is, the more work it takes. If it takes too much work,
or they do not understand it at first look, one puts it into some group
for later processing (if they ever have some free time, which they usually have
not if there are too many new viruses). If it is more important - for example
it was reported in the wild, or a customer has this virus - it must be processed
immediately (or sooner, let's say).
I will show another example here - the well-known Slovak virus One_Half (it has
several variants, but forget about them for now): it appeared in Slovakia
and local anti-viruses had to fight it, even though it was a bit complicated
(better to say non-standard) to detect. But there was no need
for big foreign companies (like Dr.Solomon's Toolkit) to add this virus
to their scanning, and as it was non-standard - it was not so easy to add it - they
didn't. Even though Dr.Solomon's was sold in Slovakia, it wasn't able to detect
One_Half for months (only some selected samples that were in virus
collections, but no others ;-). When this virus got out of Slovakia and
infected other countries, it became a problem for av companies and they
had to solve it - standard or not - because customers were requesting it.
It took up to weeks or months for some to do so (also because One_Half appeared
in the In-the-Wild test set of VB). This ignorance helped One_Half to spread
a lot until they were able to detect it successfully.
Was One_Half so amazing and great? In fact, it wasn't. It has only two
unusual things that made it famous - the rest of it is rather simple and
uninteresting. The first one (more important for
detection) is something I call a distributed decryptor. It is rather
easy, but it beats the principle of scanners - that's why it was too hard
for them to detect: the decryptor consists of 10 instructions (all fixed),
but they are not in the same place (or chunk). Each instruction, surrounded
by a couple of rubbish instructions (chosen from 10 one-byte instructions
like clc, stc, sti and some other simplest ones) and followed by a jump, is placed at
a random place in the host file. The jumps connect them in order to keep the execution loop.
Very simple, isn't it? One can very easily detect this virus. But avers
weren't able to. As it doesn't fit their scanning schemes, they weren't able
to detect it without writing special additional routines. And they are busy
and lazy, of course (as everyone is).
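To see why a plain scan-string misses this layout while a scanner that follows the chain does not, here is an added example (mine, not the author's and not One_Half's real code). It assumes a 16-bit host code buffer with a known entry point; FIXED and SAMPLE are constructed placeholders, with four pieces instead of ten:

```python
from struct import unpack
# Real one-byte 8086 opcodes of the rubbish kind: nop, cmc, clc, stc, cli, sti, cld, std.
JUNK = {0x90, 0xF5, 0xF8, 0xF9, 0xFA, 0xFB, 0xFC, 0xFD}

# Constructed placeholder for "the fixed instructions, in execution order":
# four real 16-bit encodings, NOT One_Half's actual decryptor bytes.
FIXED = [b"\xbe\x00\x01",   # mov si,0x100
         b"\xb9\x10\x00",   # mov cx,0x10
         b"\x31\x04",       # xor [si],ax
         b"\xe2\xf0"]       # loop ...

# Constructed host code: the pieces sit in four chunks, each padded with junk
# and linked by jmp short (EB rel8) / jmp near (E9 rel16); 0xCC = host bytes.
SAMPLE = (b"\x90\xf8" + b"\xbe\x00\x01" + b"\xf9" + b"\xeb\x18"   # 0x00: piece 1, jmp 0x20
          + b"\xcc" * 8
          + b"\xfc" + b"\x31\x04" + b"\x90" + b"\xeb\x1a"           # 0x10: piece 3, jmp 0x30
          + b"\xcc" * 10
          + b"\xfb" + b"\xb9\x10\x00" + b"\xfa" + b"\xe9\xe8\xff"   # 0x20: piece 2, jmp 0x10
          + b"\xcc" * 8
          + b"\xf5" + b"\xe2\xf0"                                   # 0x30: piece 4
          + b"\xcc" * 13)

def linear_match(code: bytes, fixed=FIXED) -> bool:
    """What a plain scan-string does: look for the pieces back to back."""
    return b"".join(fixed) in code

def trace_match(code: bytes, entry: int, fixed=FIXED, max_steps=200):
    """Walk the chain from entry: skip junk, take jumps, expect the pieces in
    order. Returns each piece's offset, or None if the chain breaks/mismatches."""
    ip, found = entry, []
    for _ in range(max_steps):
        if not 0 <= ip < len(code):
            return None
        op = code[ip]
        if op in JUNK:
            ip += 1
        elif op == 0xEB and ip + 2 <= len(code):        # jmp short rel8
            ip += 2 + unpack("<b", code[ip + 1:ip + 2])[0]
        elif op == 0xE9 and ip + 3 <= len(code):        # jmp near rel16
            ip += 3 + unpack("<h", code[ip + 1:ip + 3])[0]
        else:
            want = fixed[len(found)]
            if code[ip:ip + len(want)] != want:
                return None                             # not the next piece
            found.append(ip)
            ip += len(want)
            if len(found) == len(fixed):
                return found
    return None                                         # chain too long
```

The step limit matters: a chain of jumps in a hostile file can loop forever, so the tracer gives up rather than hang.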
Another unusual thing in One_Half was the slow encryption of the disk. Each time
you reboot, it encrypts two tracks of the hard disk starting from the end (don't
think of some strong encryption! it is the simplest xor with a constant word
value), but as long as you have the virus you can't notice anything, because it
(the same as if you have stealth) encrypts and decrypts data in the encrypted
area on the fly. But if one removes the virus, there is no more on-the-fly decrypting,
part of the disk is left encrypted (xored, in other words) and the user can't
access files, etc. This was also untraditional, and simple removal leads
to reinstalling the disk - so avers had to prepare special routines that
decrypt the disk as well (some of them haven't even up to now, but One_Half
is over these days). But this is not what I want to point out, as it
indirectly leads to destruction.
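An added example of the cleaning side of this (my code, not the author's and not any real av tool's), modelling the disk as a byte array with toy 64-byte sectors: a read through the resident virus looks fine, a plain removal leaves the tail xored, and a recovery routine gets the key back and decrypts. The key recovery assumes a zero-filled sector inside the encrypted area, and the number of encrypted sectors is taken as already known; neither is necessarily how real tools did it:

```python
SECTOR = 64   # constructed toy sector size; real disks use 512-byte sectors

def xor_word(data: bytes, key: int) -> bytes:
    """XOR every little-endian 16-bit word with one constant key word
    (the 'simplest xor with a constant word value'); it is its own inverse."""
    k = key.to_bytes(2, "little")
    return bytes(b ^ k[i & 1] for i, b in enumerate(data))

def make_disk(n_sectors: int) -> bytearray:
    """Constructed sample disk: sector i holds the byte ramp i, i+1, ...;
    sector 13 is zero-filled, standing in for unused space."""
    disk = bytearray()
    for i in range(n_sectors):
        disk += bytes(SECTOR) if i == 13 else bytes((i + j) & 0xFF for j in range(SECTOR))
    return disk

def encrypt_from_end(disk: bytearray, n_done: int, key: int) -> None:
    """The slow encryption: the last n_done sectors are XORed in place
    (two more tracks' worth at every reboot, per the text)."""
    start = len(disk) - n_done * SECTOR
    disk[start:] = xor_word(bytes(disk[start:]), key)

def stealth_read(disk: bytearray, sector: int, n_done: int, key: int) -> bytes:
    """A read while the virus is resident: sectors inside the encrypted
    area are decrypted on the fly, so the user sees nothing wrong."""
    raw = bytes(disk[sector * SECTOR:(sector + 1) * SECTOR])
    return xor_word(raw, key) if sector >= len(disk) // SECTOR - n_done else raw

def plain_read(disk: bytearray, sector: int) -> bytes:
    """A read after the virus was simply removed: no on-the-fly decryption."""
    return bytes(disk[sector * SECTOR:(sector + 1) * SECTOR])

def recover_key(disk: bytearray, n_done: int):
    """Assumption for this example: some zero-filled sector lies inside the
    encrypted area, so its ciphertext is just the key word repeated."""
    total = len(disk) // SECTOR
    for s in range(total - n_done, total):
        sec = plain_read(disk, s)
        if sec == sec[:2] * (SECTOR // 2) and sec[:2] != b"\x00\x00":
            return int.from_bytes(sec[:2], "little")
    return None

def repair(disk: bytearray, n_done: int, key: int) -> bytearray:
    """The extra cleaning routine: decrypt the area instead of leaving it xored."""
    fixed = bytearray(disk)
    encrypt_from_end(fixed, n_done, key)   # XOR again undoes it
    return fixed
```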
What should you take from this story? No matter how complicated
or bombastic your virus is, it is only valuable if it can complicate life for avers. That's it.
flush