Other issues in this category (24)
A stealth one but not a bomber
Climb Mount Fuji
But slowly, slowly!”
Once upon a time, there existed stealth viruses . It was a long time ago, back in the DOS era. Stealth viruses and their descendants lived violent lives filled with events that often brought them to the attention of the entire world. However, eventually they were overrun by hordes of consumer malware. Let’s recall all of them!
Before going any further, let's take a look under an operating system's “hood”.
We open files by clicking on their desktop icons, but what do the files really look like? Essentially, they are sets of bits (and blank fragments—if part of a file contains no data, it may be empty) that have been recorded on some media. This definition is somewhat incomplete, but for our intents and purposes, it will do.
This set of bits—usually ones and zeros—is scattered all over the hard drive (or sometimes all over the Internet).
As one clicks on an icon, the operating system handles this event, determines the file name, translates it into the format it understands and sends a lower level query. After receiving a set of bits (sometimes it can also be converted) in response, an application usually doesn't output them on the screen but converts them into a user-friendly format. It’s very unlikely that anyone could mentally convert a set of bits into an image of a kitty cat!
This means that the programs we use don’t access the hard drive directly (except for some system utilities, but those don’t use the media often and just go several levels down). And at each stage, a filter can be set up.
That's what anti-viruses do—they intercept attempts to access files and verify them before the operations are performed. But malicious programs can do that, too.
For example, if an advanced user gets suspicious and wants to view the list of processes or contents of a folder, he or she will most likely use a system utility. The utility will request information about the contents of the folder; the operating system will send a query to the hard drive. Meanwhile, malware will purge the list of files that the user receives, so that the latter believes that the folder is free of any suspicious files.
That's why an anti-virus's driver must operate on the lowest level possible to prevent malware from altering information so that the anti-virus won't be able to detect its presence.
Stealth viruses are malicious programs that take certain actions to conceal their activity in order to hide their presence in an infected system.
To hide their presence, stealth viruses can do the following:
- Make it more difficult to detect viruses in RAM;
- Make it more difficult to trace or disassemble a virus;
- Conceal an infection process;
- Make it more difficult to detect malware in a compromised application or boot sector.
Stealth virus — a virus that partially or completely hides its presence in a system by intercepting read and write requests to the operating system as well as queries directed at acquiring additional information about infected objects (boot sectors, file system, memory , etc.)
How can we deal with this scourge?
Polyphage anti-viruses are effective against all known viruses, i.e., those viruses whose behaviour patterns are already known to anti-virus developers and registered in the application's database. If a virus is unknown, it will remain undetected.
You do remember what polyphage anti-viruses are, right? :-)
To detect and delete viruses and protect computers from malware, several types of special programs have been developed that allow viruses to be detected and eliminated. These programs are called anti-viruses. The following types of anti-virus software exist:
- Doctors or phages;
- Vaccines or immunisers.
Detectors look for a piece of code (signature) that is typical of a certain virus in RAM and in files. If a virus is detected, they display a corresponding message. The problem is that these programs can only detect those viruses that are known to their developers.
Doctor and phage programs, as well as vaccines, not only detect infected files but also cure them, i.e., they remove malicious code from the file and restore it to its original state. When a phage program is launched, it first looks for viruses in RAM, eliminates them and only then starts curing files. Phages include polyphages, i.e., doctor applications that detect and neutralise a large number of viruses. Aidstest, Scan, Norton AntiVirus, and Doctor Web are the most common polyphages.
It turns out that the well-known Dr.Web anti-virus is a polyphage AND a detector!
But let's go back in time to when there were many types of anti-viruses and few people realised the direction in which they would all evolve. Stealth viruses belonged to that era. They could be divided into three categories:
- Boot sector viruses avoided being detected by utilities that featured low-level access to media and could read data directly from disk sectors. Viruses of this kind often displayed the disk contents that existed prior to an infection.
- File viruses intercepted file operation requests in order to conceal changes in files on disks and in the memory.
- Macro viruses.
Shall we take a quick glance at the news archive?
RCE-04096 was made in Israel in late 1989. It contained a boot sector code even though its body was never written into any boot sector. If the code got written into a floppy disk's boot sector and one tried to boot up from it,
the text FRODO LIVES was displayed in large letters. September 22 is the birthday of Bilbo and Frodo Baggins (Lord of the Rings characters).
The authors of all the publications that described this virus agreed that it was written by a very competent programmer who understood operating systems inside and out and how anti-viruses operate.
In Israel, the virus was discovered in October 1989. In the USSR, D. Lozinsky found it in 1990.
To be on the road to success, one must get on it at its starting point.
First, decide what you need to do. Then implement your idea step by step: search, try, make mistakes and correct them—and never stop moving!