Vous êtes sur la page 1sur 27

Seminar Report Anti-virus

1.INTRODUCTION
Dangers loom everywhere on the internet, and when surfing the net, It is always better to be safe than sorry. Even though you may not Intentionally visit suspicious websites, one wrong click to a seemingly innocent site can still leave your computer infected with a malicious computer virus or malware. Once on your computer, these harmful programs can steal your sensitive information and destroy your files. Often, infected machines need to have their hard drives wiped completely clean in order to truly eradicate the virus. This results in the loss of files, photos and other vital data. Hackers and other miscreants are constantly churning out new viruses and malware that is designed to steal financial information, website passwords and other sensitive informatio from innocent victims. Millions of new viruses pop up each year and new threats are discovered every day. In this constantly changing environment, it is impossible to completely avoid the threat of viruses, but using trustworthy antivirus software can minimize your risk for infection and the damage done.

| SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus

2. ANTIVIRUS
2.1 THE BASICS OF ANTIVIRUS PROGRAM

An antivirus program is designed to protect our computer from possible virus infection. Since most viruses are designed to run in the background, most users do not know when their computer is infected.Virus protection programs serve to search for, detect, and remove these viruses. Antivirus programs must be kept up-to-date in order for them to able to Detect new viruses.

Antivirus: What exactly is a Antivirus?


Antivirus software is a computer program that identify and remove computer virus and other malicious software like worms and Trojans from an infected computer.Not only this,an antivirus software also protects the computer from further virus attacks.Anti-virus system detects viruses from system like svchost.exe,servicemgr.exe,lsass.exe,storevirus generated by autorun.inf,.Generally Antivirus first check the size & according to it if match the size with its data base then it find out the pattern from that file if so then it will delete it. 2.2 FEATURES OF ANTIVIRUS

1.Antivirus system is a dedicated,system i-specific.


2.It provides full protection against the standard pc types of virus for files and programs used to store on the system. 3.In antivirus there is automatic virus signature update via the internet. 4.Proactive virus signature updates via the network for internet isolated servers. 2 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


5.Antivirus can scan the entire libraries. 6.Antivirus support definition of automatic,pre-schelduled periodic scans 2.3 CLASSIFICATION OF ANTIVIRUS PROGRAM Computer antivirus programs can be classified by their behaviour (Helenius 1994c, pp. 25-26). The definition has been extended from Kauranen's (1990, pp. 25) definition. Antivirus programs are often designed to identify a virus,inwhich case the program detects a virus known to the program. Moreover, aprogram may be designed to find a virus based on the general behaviour ofviruses. In this latter case the virus is not known to the program and such products do not identify the virus by name although the program can give some information based on the behaviour of the virus. Another aspect is that a product can detect a virus after infection has occurred or before the infection to new objects occurs. From the identification and prevention mechanisms we can construct two dimensional table.However it is important to note that antivirus product typically contain several types of construct a two-dimensional table (Table 1). However, it is important to note different program and the program are often integrated

| SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


.

3. HOW ANTIVIRUS WORKS


An anti-virus software program is a cprogram that can be used to scan files to identify and eliminate computer viruses and other malicious software (malware).Anti-virus software typically uses two different techniques to accomplish this: Examining files to look for known viruses by means of a viru dictionary Identifying suspicious behavior from anycomputer program which might indicate infection

3.1Virus dictionary approach:


In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the dictionary, then the anti-virus software can then either delete the file, quarantine it so that the file is inaccessible to other programs and its virus is unable to spread, or attempt to repair the file by removing the virus itself from the file. To be successful in the medium and long term, the virus dictionary approach requires periodic online downloads of updated virus dictionary entries. As new viruses are identified "in the wild", civically minded and technically inclined users can send their infected files to the authors of antivirus software, who then include information about the new viruses in their dictionaries. Dictionary-based anti-virus software typically examines files when the 4 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


computer's operating system creates, opens, and closes them; and when the files are e-mailed. In this way, a known virus can be detected immediately upon receipt. The software can also typically be scheduled to examine all files on the user's hard disk on a regular basis. Although the dictionary approach is considered effective, virus authors have tried to stay a step ahead of such software by writing "polymorphic viruses", which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match the virus's signature in the dictionary. 3.2 Suspicious behavior approach: The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior and the user is alerted to this, and asked what to do. Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it also sounds a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the anti-virus software is obviously useless to that user. This problem has especially been made worse over the past 7 years, since many more nonmalicious program designs chose to modify other .exes without regards to this false positive issue.Thus,most modern anti virus software uses this technique less and less. Other ways to detect viruses: Some antivirus-software will try to emulate the beginning of the code of each new executable that is being executed before transferring control to the 5 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


executable. If the program seems to be using self-modifying code or otherwise appears as a virus (it immeadeatly tries to find other executables), one could assume that the executable has been infected with a virus. However, this method results in a lot of false positives. Yet another detection method is using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, the sandbox is analysed for changes which might indicate a virus. Because of performance issues this type of detection is normally only performed during on-demand scans. The dictionary approach to detecting virus is often insufficient due to the continual creation of new viruses,yet the suspicious behaviour approach is ineffective due to detect false positive alarm;hence,the current understanding of anti-virus software will never conquer computer virus.

4.ANTIVIRUS PRODUCT VIRUS DETECTION ANALYSIS

| SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus

Each product type requires different analysis approaches.A virus test bed can be used for evaluating products which will detect or prevent known viruses.A virus test bed can be utilised for products which will detect or prevent unknown viruses,but vulnerability analysis is also required.If the virus test bed are divide into different categories,this can be utilised while analysing antivirus products.The different virus categories of the test bed are examples and the classification can be differerent depending on the analysis method and products evaluated .If the test bed is divided into different categories ,this will help analysis of product.

Antivirus product catego

Current antivirus product represent the category

Detecting known virus: 7

known virus scanner

| SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


Preventing known virus: memory resident known virus scanner

Detecting unknown virus:

checksum calculation programs and heuristic scanner

Preventing unknown virus:

memory resident heuristic Sacnners,behaviour blockers and memory resident checksum calculation programs

Current Antivirus Product

4.1 Detecting known viruses


A well maintained virus test bed,which contains viruses known to computer antivirus researches can be used for evaluating products which will detect known viruses.The virus detection analysis can be carried out by scanning the contents of the test bed and concluding results from the scanning reports.Unfortunately,some product may crash during the scanning and in such files causing crashes need to be traced and files resulting in crashes should be treated as unidentified by the product.

4.2 Preventing Known virus


A well maintained virus test bed containing viruses known to computer antivirus researches can be used for evaluating products preventing known viruses.The diffrence between is that the product is working in the 8 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


background and this requires more complicated evaluation methods,but the same virus test bed can be used with products,which will prevent known viruses.

4.3 Detecting Unknown viruses


A virus test bed can also be used as a basis for the analysis for product, which detect unknown viruses.Often products detecting unknown viruses are combined with products which will detect known viruses.If possible,the products known virus detection capability should be disabled.Known virus detection may be detached by removing virus databse files,by using old database files or by using specific operation mode of a product.Unfortunately,the known virus detection may be an inseparable part of a product and in this case test bed should be limited to viruses not known to the product and a vulnerability analysis may be necessary.

4.4 Preventing Unknown viruses


A virus test bed can be also used for evaluating products which will prevent unknown viruses.The diffrence is that the product is working in the background and this requires special evaluation methods,but the same virus test bed can be used with product which will prevent unknown viruses. This is demonstrated in Virus Research Units behaviour blocker analysis. With products preventing unknown viruses,virus attack emulation and Vulnerability analysis are also required.

4.5 Different virus types in the test bed


4.5.1 File viruses
Some programs are viruses in disguise, when executed they load the virus in 9 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


the memory along with the program and perform the predefined steps and infect the system. They infect program files like files with extensions like .EXE, .COM, .BIN, .DRV and .SYS. Some file viruses just replicate while others destroy the program being used at that time. Such viruses start replicated as soon as they are loaded into the memory. As the file viruses also destroy the program currently being used, after removing the virus or disinfecting the system, the program that got corrupted due to the file virus, too, has to be repaired or reinstalled.

4.5.2 Boot sector viruses


The boot sector virus can be the simplest or the most sophisticated of all computer viruses. Since the boot sector is the first code to gain control after the ROM startup code, it is very difficult to stop before it loads. If one writes a boot sector virus with sufficiently sophisticated anti-detection routines, it can also be very difficult to detect after it loads, making the virus nearly invincible. Specifically, lets look at a virus which will carefully hide itself on both floppy disks and hard disks, and will infect new disks very efficiently, rather than just at boot time. Such a virus will require more than one sector of code, so we will be faced with hiding multiple sectors on disk and loading them at boot time. Additionally, if the virus is to infect other disks after boot-up, it must leave at least a portion of itself memory-resident. The mechanism for making the virus memory resident cannot take advantage of the DOS Keep function (Function 31H) like typical TSR programs.

4.5.3 Macro viruses


In essence, a macro is an executable program embedded in a word processing document or other type of file. Typically users employ macros to automate repetitive tasks and there by save key strokes. The macro language is some type 10 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


of basic programming language. A user might define a sequence of key strokes in a macro and set it up so that a macro is invoked when a function key is invoked. Common auto executing events are opening a file, closing file etc. Once a macro is running it can copy itself to other documents, deleting files etc. How does a Macro Virus strike? 1. The user gets an infected Office Document by email or by any other medium. 2. The infected document is opened by the user. 3. The evil Macro code looks for the event to occur which is set as the event handler at which the Virus is set off or starts infecting other files. Macro viruses include Concept, Melissa, and Have a Nice Day.

4.5.4 Script viruses


Script viruses should be replicated by using the environment needed for Replication.For example, viruses using MS-DOS batch language should be Replicated using batch files as goat files and viruses using Visual Basic Scripting should be replicated using Windows Scripting Host.

4.5.5 Multipartition viruses


Multipartite viruses are the hybrid variety; they can be best described as a cross between both Boot Viruses and File viruses. They not only infect files but also infect the boot sector. They are more destructive and more difficult to remove. First of all, they infect program files and when the infected program is launched or run, the multipartite viruses start infecting the boot sector too. Now the interesting thing about these viruses is the fact that they do not stop, once the boot sector is infected. Now after the boot sector is infected, when the system is booted, they load into the memory and start infecting other program files. Some popular examples would be Invader and Flip etc. 11 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus 4.5.6 Polymorphic viruses


They are the most difficult viruses to detect. They have the ability to mutate this means that they change the viral code known as the signature each time it spreads or infects. Thus Antiviruses which look for specific virus codes are not able to detect such viruses. Now what exactly is a Viral Signature? Basically the Signature can be defined as the specific fingerprint of a particular virus which is a string of bytes taken from the code of the virus. Antiviral softwares maintain a database of known virus signatures and look for a match each time they scan for viruses. As we see a new virus almost everyday, this database of Virus Signatures has to be kept updated. This is the reason why the Antivirus vendors provide updates. How does a Polymorphic Virus Strike? 1. The User copies an infected file to the disk. 2. When the infected file is run, it loads the Virus into the memory or RAM. 3. The new virus looks for a host and starts infecting other files on the disk. 4. The virus makes copies of itself on the disk. 5. The mutation engines on the new viruses generate a new unique encryptic code which is developed due to a new unique algorithm. Thus it avoids detecting from Check summers. the

4.4.7 Companion viruses


Companion viruses sustaining known executable appearance do not pose much difficulty for scanners, because they can be simply detected by normally scanning executable files.Companion viruses,however, may mislead non identifying products,like integrity checkers,if the possibility of a companion virus type of attack has not been taken into account while implementing the product. 12 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus 4.4.8 Stealth viruses


They viruses are stealth in nature and use various methods to hide themselves and to avoid detection. They sometimes remove themselves from the memory temporarily to avoid detection and hiding from virus scanners. Some can also redirect the disk head to read another sector instead of the sector in which they reside. Some stealth viruses like the Whale conceal the increase in the length of the infected file and display the original length by reducing the size by the same amount as that of the increase, so as to avoid detection from scanners. For example, the whale virus adds 9216 bytes to an infected file and then the virus subtracts the same number of bytes i.e. 9216 from the size given in the directory. They are somewhat difficult to detect.

4.4.9 Linking viruses


Linking viruses may require that the system is first infected with the virus in Order to construct the linkage.However,sacnners typically detect the virus even when the linkage does not exist and this can be utilised in virus detection analysis..Furthermore,a linkage virus may be capable of replicating even without establishing the linkage,but if this is not the case,then the linkage should be created before analysis.Otherwise we are not analysing true working viruses,because the virus is not capable of replicating without the linkage.

4.4.10 Memory resident viruses


As demonstrated with the definition of stealth viruses,memory resident Viruses may be able to deceive antivirus products,if the memory scanning does not work correctly for some reason and the virus active in the central memory is not found.In such a case it is possible that a antivirus scanner is actually repplicating a virus,because the virus may infect each file the 13 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


scanner opens for reading.Therefore one phase of antivirus product evaluation could be evaluating products capabilities to detect viruses in central memory.

4.4.11 Self-distributing viruses


Self-distributing viruses have at least one special replication channel from a local system to a remote system.The replication should be performed by using the replication channels.However,the replication environvent should be an isolated environment in order to prevent the virus accidently spreading to external systems.Preventing antivirus products should be analysed based on the prevention mechasnism.This may require that the repliction channel is used or that the virus is activated while the antivitus product is actively preventing virus

5. IDENTIFICATION METHOD OF ANTIVIRUS


There are several methods which antivirus software can use to identify malware. Signature based detection is the most common method. To identify viruses and other malware, antivirus software compares the contents of a file to a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole, but also in pieces. Heuristic-based detection, like malicious activity detection, can be used to identify unknown viruses. File emulation is another heuristic approach. File emulation involves executing a program in a virtual environment and logging what actions the program performs. Depending on the actions logged, the antivirus software can determine if the program is malicious or not and then carry Signature-based detection

14

| SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be very effective, but cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses. As new viruses are being created each day, the signature-based detection approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company, allowing the virus to be analyzed and the signature added to the dictionary.Signatures are obtained by human experts using reverse engineering.[citation needed] An example of software used in reversed engineering is Interactive Disassembler. Such a software does not implement antivirus protection, but facilitates human analysis. Although the signature-based approach can effectively contain virus outbreaks, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match virus signatures in the dictionary. Heuristics Some more sophisticated antivirus software uses heuristic analysis to identify new malware or variants of known malware. Many viruses start as a single infection and through either mutation or refinements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition. For example, the Vundo trojan has several family members, depending on the antivirus vendor's classification. Symantec classifies members of the Vundo family into two distinct categories, Trojan.Vundo and Trojan.Vundo.B. While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find common areas that all viruses in a family share uniquely and can thus create a single generic signature. These signatures often contain non-contiguous code, using wildcard characters where 15 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code. A detection that uses this method is said to be "heuristic detection." Variants of viruses are referred to with terminology such as: "oligomorphic", "polymorphic" and "metamorphic", where the differences between specific variants of the same virus are significantly high.In such cases, there are dedicated statistical analysis-based algorithms, implemented in the "real time" protection, which analyses software behaviour. This approach is not absolutely exact and results in higher resource usage on the computer. Since "oligomorphic", "polymorphic" and "metamorphic" engine development is difficult and the resulting computer code has a (relatively) high dimension (although such cases are very rare), this approach can be used with a relatively high success rate.This approach may imply human ingeniousness for the design of the algorithm. If the antivirus software employs heuristic detection, success depends on achieving the right balance between false positives and false negatives. Due to the existence of the possibility of false positives and false negatives, the identification process is subject to human assistance which may include user decisions, but also analysis from an expert of the antivirus software company.

6. ANTIVIRUS APPROACHES
The ideal solution to the threat of viruses is prevention. Do not allow a virus is get into the system in first place. This goal is in general difficult to achieve, although prevention can reduce the no: of successful viral attacks. The next best approach is to be able to do the following. Detection: Once the infection has occurred, determine that it has occurred and locate the virus. Identification: Once detection has been achieved, identify the specific virus 16 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


has infected a program. Removal: Once the specific virus has been identified, remove all traces of the virus from the infected program and restore it to its original state. Advances in viruses and antivirus technology go hand in hand. As the virus arms race has evolved, both viruses and antivirus software have grown more complex and sophisticated. There are three main kinds of antivirus programs [McAfee]. Essentially these are scanners, monitors and integrity checkers.

6.1 SCANNERS
Scanners are programs that scan the executable objects (files and boot sectors) for the presence of code sequences that are present in the known viruses. Currently, these are the most popular and the most widely used kind of anti-virus programs. There are some variations of the scanning technique, like virus removal programs (programs that can "repair" the infected objects by removing the virus from them), resident scanners (programs that are constantly active in memory and scan every file before it is executed), virus identifiers (programs that can recognize the particular virus variant exactly by keeping some kind of map of the non-modifiable parts of the virus body and their checksums), heuristic analyzers (programs that scan for particular sequences of instructions that perform some virus-like functions), and so on. The reason that this kind of anti-virus program is so widely used nowadays is that they are relatively easy to maintain. This is especially true for the programs which just report the infection by a known virus variant, without attempting exact identification or removal. They consist mainly of a searching engine and a database of code sequences (often called virus signatures or scan strings) that 17 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


are present in the known viruses. When a new virus appears, the author of the scanner needs just to pick a good signature (which is present in each copy of the virus and in the same time is unlikely to be found in any legitimate program) and to add it to the scanner's database. Often this can be done very quickly and without a detailed disassembly and understanding of the particular virus. Furthermore, scanning of any new software is the only way to detect viruses before they have the chance to get executed. Having in mind that in most operating systems for personal computers the program being executed has the full rights to access and/or modify any memory location (including the operating system itself), it is preferable that the infected programs do not get any chance to be executed. At last, even if the computer is protected by another (not virus-specific) defense, a scanner will still be needed. The reason is that when the non virus-specific defense detects a virus-like behavior, the user usually wants to identify the particular virus, which is attacking the system - for instance, to figure out the possible side-effects or intentional damage, or at least to identify all infected objects. Unfortunately, the scanners have several very serious drawbacks. The main one is that they must be constantly kept up-to-date. Since they can detect only the known viruses, any new virus presents a danger, because it can bypass a scanner-only based protection. In fact, an old scanner is worse than no protection at all - since it provides a false sense of security. Simultaneously, it is very difficult to keep a scanner up-to-date. In order to produce an update, which can detect a particular new virus, the author of the scanner must obtain a sample of the virus, disassemble it, understand it, pick a good scan string that is characteristic for this virus and is unlikely to cause a false positive alert, incorporate this string in the scanner, and ship the update to the users. This can take quite a lot of time. And new viruses are created every 18 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


day - with a current rate of up to 100 per month. Very few anti-virus producers are able to keep up-to-date with such a production rate. One can even argue that the scanners are somehow responsible for the existence of so many virus variants. Indeed, since it is so easy to modify a virus in order to avoid a particular scanner, lots of "wannabe" virus writers are doing it. However, the fact that the scanners are obsolete as a single line of defense against the computer viruses became obvious only with the appearance of the polymorphic viruses. These are viruses, which use a variable encryption scheme to encode their body and which even modify the small decryption routine, so that the virus looks differently in each infected file. It is impossible to pick a simple sequence of bytes that will be present in all infected files and use it as a scan string. Such sequence simply does not exist. Some polymorphic viruses can be detected using a wildcard scan string, but more and more viruses appear today, which cannot be detected even if the scan string is allowed to contain wildcard bytes. The only possible way to detect such viruses is to understand their mutation engine in detail. Then one has to construct an algorithmic "scanning engine" specific to the particular virus. However, this is a very time-consuming and effort-expensive task, so many of the existing scanners have problems with the polymorphic viruses. And we are going to see more such viruses in the future. The Bulgarian virus writer known under the handle Dark Avenger has even released a "mutating engine" - a tool for building extremely polymorphic viruses... Very few scanners are able to detect the viruses, which are using it, with 100 reliability. One last drawback of the scanners is that scanning for lots of viruses can be very time-consuming. The number of currently existing viruses is about 1,600 and is expected to reach 3,000 at the end of 1992. Indeed, some scanners use clever scanning methods like fixed-point scanning, top-and-tail scanning, hashing and so on. The detailed description of these methods is outside the 19 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


scope of this paper, but as has been proved in [Cohen90], scanning is not costeffective in the long run, despite the scanning method used.

6.2 MONITORS
The monitoring programs are memory resident programs, which constantly monitor some functions of the operating system. Those are the functions that are considered to be dangerous and indicative for virus-like behavior. Such functions include modifying an executable file, direct access of the disk bypassing the operating system, and so on. When a program tries to use such a function, the monitoring program intercepts it and either denies it completely or asks the user for confirmation. Unlike the scanners, the monitors are not virus-specific and therefore need not to be constantly updated. Unfortunately, they have other very serious drawbacks - drawbacks that make them even weaker than the scanners as an anti-virus defense and almost unusable today. The most serious drawback of the monitors is that they can be easily bypassed by the so-called tunneling viruses. The reason for this is the total lack of memory protection in most operating systems for personal computers. Any program that is being executed (including the virus) has full access to read and/or modify any area of the computer's memory - including the parts of the operating system. Therefore, any monitoring program can be disabled because the virus could simply patch it in the memory. There are other clever techniques as interrupt tracing, DOS scanning, and so on, which allow the viruses to find the original handlers of any operating system function. Afterwards, this function can be called directly, thus bypassing any monitoring programs, which watch for it. Another drawback of the monitoring programs is that they try to detect a virus by its behavior. This is essentially impossible in the general case, as proven in 20 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


[Cohen84]. Therefore, they cause many false alarms - since the functions that are expected to be used by the computer viruses usually have pretty legitimate use by the normal programs. And if the user gets used to the false alerts, s/he will be likely to oversee a real one. The monitoring programs are also completely useless against the slow viruses, described later in this paper.

6.3 INTEGRITY CHECKING PROGRAMS.


Therefore, in order to be a virus, a program must be able to infect. And, in order to infect, the program must cause modifications to the programs that are infected. Therefore, a program, which can detect that the other executable objects have been modified, will be able to detect the infection. Such programs are usually called integrity checkers. The integrity checkers compute some kind of checksum of the executable code in a computer system and store it in a database. The checksums are re-computed periodically and compared with the stored originals. Several authors point out that in order to avoid forging attempts from the part of the virus, the checksums must be cryptographically strong. This can be achieved by using some kind of trap-door one-way function, which is algorithmically difficult to be inverted. Such functions include DES, MD4, MD5, and so on. But, as has been shown by [Radai], this is not mandatory. A simple CRC is sufficient, if implemented correctly. There are several kinds of integrity checkers. The most widely used ones are the off-line integrity checkers, which are run to check the integrity of all the executable code on a computer system. Another kind is the integrity modules, which can be attached (with the help of a special program) to the executable files, so that when the latter started will check their own integrity. Unfortunately, this is not a good idea, since not all executable objects can be 21 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


"immunized" this way. Additionally, the "immunization" itself can be easily bypassed by stealth viruses, as described later in this paper. The third kind of integrity software is the integrity shells. They are resident programs, similar to the resident scanners, which check the integrity of an object only at the moment when this object is about to be executed. These are the least widespread antivirus programs today, but the specialists predict them a bright future [Cohen90]. The integrity checking programs are not virus-specific and therefore do not need constant updating like the scanners. They do not try to block virus replication attempts like the monitoring programs and therefore cannot be bypassed by the tunneling viruses. In fact, as demonstrated by [Cohen90], they are currently the most cost-effective and sound line of defense against the computer viruses. They also have some drawbacks. For instance, they cannot prevent an infection - they are able only to detect and report it after the fact. Second, they must be installed on a virus-free system; otherwise they will compute and store the checksums of already infected objects. Therefore, they must be used in a combination with a scanner at least before installation. This is needed, in order to ensure that the system they are being installed on is virus-free. Third, they are prone to false positive alerts. Since they detect changes, not viruses, any change in the programs (like updating the software with a new version), is likely to trigger the alert. Sometimes this can be avoided or at least reduced by using some intelligent heuristics and educating the users. Fourth, while the integrity checkers are able to detect the virus spread and identify the newly infected objects, they usually cannot determine the initially infected object, i.e., the source of the infection. Despite the drawbacks mentioned, the integrity checking programs are the currently most powerful line of defense against computer viruses and are likely to be used more widely in the future. Therefore, we should expect that new viruses will appear which will target the integrity programs in the same way as the polymorphic viruses are targeting the scanners and the tunneling viruses are 22 | SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus


targeting the monitors. Let's see what kinds of attacks are possible against the integrity checking programs and how these programs can be improved to avoid them.

23

| SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus

24

| SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus

25

| SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus

26

| SUBHADIP BHADRA(1070097) MCA 4th Semester

Seminar Report Anti-virus

27

| SUBHADIP BHADRA(1070097) MCA 4th Semester