
The struggle against stealthiness


Thursday, June 1, 2017

Do you know how malware programs are able to lull anti-viruses and users into a false sense of security? They have many ways to do this, but they usually rely on just two:

  1. By launching a virus so that it gains control over the operating system and the user's actions. The malware intercepts user and program requests to access certain resources on the fly and returns the data in an edited form.

    Frodo (also known as RCE-04096) is considered to be the first stealth virus; it was created in Israel in 1989. At the moment of infection, this virus stores the boot sector and when the user requests it, it shows a clean boot sector instead of an infected one.

  2. By concealing a malicious file and its data in a separate area of the hard disk, in service areas or in specially created files. For example, at the moment of infection, the Trojan creates a file and lays it out in a special way, creating a database or even a special file system inside it (yes, a file system can be created in a file: broadly speaking, as far as utilities are concerned, laying out a file is no different from laying out a disk, since both are a sequence of areas for writing data). A password, encryption, or specific operating systems are used to prevent the anti-virus from accessing the file, disk partition or special areas. Bolik, a self-propagating, polymorphic banking virus, is an example of one such Trojan.

    But hiding the malware is only half the mission: attackers need to run it. They can do that with the help of completely legitimate programs—for example, by writing a task in the registry (of course, with a login and a password) to have a file retrieved from the storage.

    The virus transfers the data of the clean file instead of the real information. It follows that the anti-virus program is not able to detect any changes in the file.

    Virologist guide. Author

Of course, this is not exactly the case. If an anti-virus were a standard program, it certainly could not detect the substitution.

To avoid being deceived, anti-viruses embed themselves into the operating system and install their own driver so that no malicious programs can filter data before it hits the driver.
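The difference between the two read paths can be shown with a small simulation. This is an added example, not code from the original article or from Dr.Web; `RawDisk`, `FilteredView`, `cross_view_diff`, `scan_through_os` and the sample sectors are all constructed for illustration.

```python
import hashlib

SECTOR_SIZE = 512

class RawDisk:
    """Constructed stand-in for the lowest-level view (what a driver reads)."""
    def __init__(self, sectors):
        self.sectors = dict(sectors)  # sector number -> bytes
    def read(self, n):
        return self.sectors[n]

class FilteredView:
    """Constructed stand-in for a read path with a stealth filter in it:
    sectors listed in saved_clean are answered with the saved clean copy."""
    def __init__(self, disk, saved_clean):
        self.disk = disk
        self.saved_clean = saved_clean
    def read(self, n):
        return self.saved_clean.get(n, self.disk.read(n))

def digest(data):
    return hashlib.sha256(data).hexdigest()

def cross_view_diff(high_level, low_level, sector_numbers):
    """Return the sectors whose content differs between the two views."""
    return [n for n in sector_numbers
            if digest(high_level.read(n)) != digest(low_level.read(n))]

# Constructed sample data: sector 0 was altered on disk, sector 1 was not.
clean_boot = b"CLEAN-BOOT".ljust(SECTOR_SIZE, b"\x00")
modified_boot = b"MODIFIED".ljust(SECTOR_SIZE, b"\x00")
data_sector = b"user data".ljust(SECTOR_SIZE, b"\x00")

raw = RawDisk({0: modified_boot, 1: data_sector})
os_view = FilteredView(raw, saved_clean={0: clean_boot})

def scan_through_os(known_good):
    """Integrity check that reads only through the filtered path."""
    return [n for n, h in known_good.items() if digest(os_view.read(n)) != h]

if __name__ == "__main__":
    baseline = {0: digest(clean_boot), 1: digest(data_sector)}
    print("filtered-path scan flags:", scan_through_os(baseline))
    print("cross-view diff flags:  ", cross_view_diff(os_view, raw, [0, 1]))
```

The scan that reads through the filtered path reports nothing, while comparing it with the raw view flags sector 0. The comparison only works if the "raw" reader really sits below the filter, which is why the anti-virus needs its own driver.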

But everything comes at a price: driver updates require a system reboot. This is the price you pay so that your anti-virus can acquire new knowledge. Our users often criticise us for this and even send us emails threatening to stop using Dr.Web because of this. ☹

Theoretically, a well-crafted stealth virus cannot be detected, and to neutralise it (if, of course, it’s been detected by way of indirect identifiers), the user must at a minimum reinstall the operating system, and more often than not, must change the memory.

But relax—you don't need to change anything.

An anti-virus is able to clear malicious files from memory; this is exactly what the anti-rootkit API in the anti-virus is designed to do.

#virus #anti-virus #security_updates

The Anti-virus Times recommends

  1. Since new malicious files remain unknown to the anti-virus until they are analysed by virus analysts, it’s quite feasible that they could penetrate your computer. That's why we recommend that you update and reboot your system as soon as it finishes receiving updates if the anti-virus asks you to do that. You may never suspect that your system is compromised until an update is complete.
  2. Do not react placidly to the unexpected appearance of new programs, files, processes, etc. on your computer. Of course, the Dr.Web anti-rootkit can clear processes of any running malicious programs, but, for example, its job does not include removing partitions created by malware. It just does not know when and by whom a partition was created.
