Techniques used by viruses


In order to avoid being detected by security software, virus writers have developed a series of specialized and complex techniques. Security solutions have had to adapt to these techniques in order to detect increasingly complex and refined viruses.


The following are some of the most common techniques used by viruses:


Overwriting / Overwrite viruses: This technique acts on the files a virus infects. The virus overwrites all or part of the information the file contains; the overwritten information is lost and cannot be recovered. An overwrite virus can also use any of the techniques described below.


Stealth: This technique is typical of resident file viruses. To infect a file, the virus has to modify the original file, and those modifications make it possible to see that the file has been tampered with. To hide this, the resident virus monitors and intercepts every operation that reads information about the file, and returns the file's data as it was before infection. This way, the infection goes undetected.


Tunneling: Viruses and antivirus programs use similar techniques. A virus intercepts the operating system's file operations in order to infect the files being accessed. An antivirus's automatic (on-access) protection also intercepts file operations, in order to monitor which files are being accessed and to check that they are not infected. Using the tunneling technique, a virus locates the original services that the automatic protection has intercepted and calls them directly, so the automatic protection never sees the operation. However, there are alternative antivirus techniques that allow viruses performing this kind of operation to be detected.


Self-encryption / Encrypted viruses: The main goal of a virus is to replicate. Antiviruses detect infections by searching for a particular byte string (also called a signature) that is identical in every copy of a virus. To evade this search mechanism (the most common type of detection), some viruses encrypt themselves with a different key each time they infect a file. This way, no two copies of the virus are byte-for-byte identical, and the traditional signature-based method fails. However, the encryption (and decryption) routine itself is always the same, and antiviruses can therefore use it as the signature to detect this type of virus.


Polymorphism / Polymorphic viruses: In this case, the virus not only encrypts itself differently on each infection but also changes the encryption routine itself. This way, there are no identical copies of the virus, as all of its parts differ. To detect this type of virus, decryption simulation techniques are used: the suspected code is run in an emulator until it decrypts itself, which forces the virus to reveal its constant body.
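The two paragraphs above (self-encryption and decryption simulation) can be illustrated with a toy scanner. This is an added example, not code from Panda Software: the "samples" are constructed byte strings made of a fixed stand-in decryptor stub (`STUB_MAGIC`), a one-byte XOR key and a XOR-encrypted body, and all names here are assumptions chosen for the illustration.

```python
# Added example, not from the original page. Constructed sample layout:
#   STUB_MAGIC + 1-byte XOR key + XOR-encrypted body
# It shows why a signature taken from the body misses every encrypted copy,
# why the invariant decryptor stub still matches, and how a toy "decryption
# simulation" (apply the stub's own decryption, then scan) recovers the body.

STUB_MAGIC = b"\xEB\x05DECR"    # constructed stand-in for the unchanging decryptor routine
BODY_SIGNATURE = b"PAYLOAD_SIG"  # constructed signature found only in the decrypted body


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_variant(body: bytes, key: int) -> bytes:
    """Build one constructed sample: same stub, different key, body encrypted with that key."""
    return STUB_MAGIC + bytes([key]) + xor_bytes(body, key)


def scan_raw(sample: bytes, signature: bytes) -> bool:
    """Traditional scan: look for the signature as-is in the raw bytes."""
    return signature in sample


def scan_stub(sample: bytes) -> bool:
    """Match the invariant decryption routine instead of the changing body."""
    return STUB_MAGIC in sample


def scan_decrypted(sample: bytes, signature: bytes) -> bool:
    """Toy decryption simulation: if the stub is present, apply the decryption it
    describes (read its key byte, XOR the rest) and scan the recovered plaintext."""
    idx = sample.find(STUB_MAGIC)
    key_pos = idx + len(STUB_MAGIC)
    if idx < 0 or key_pos >= len(sample):
        return False
    key = sample[key_pos]
    return signature in xor_bytes(sample[key_pos + 1:], key)


def demo():
    """Return (raw hits, stub hits, decrypted hits) over three constructed variants,
    plus both stub and decrypted verdicts for a clean file."""
    body = b"...hello " + BODY_SIGNATURE + b" world..."
    variants = [make_variant(body, k) for k in (0x21, 0x5A, 0xC3)]
    clean = b"just an ordinary file"
    return (sum(scan_raw(v, BODY_SIGNATURE) for v in variants),
            sum(scan_stub(v) for v in variants),
            sum(scan_decrypted(v, BODY_SIGNATURE) for v in variants),
            scan_stub(clean), scan_decrypted(clean, BODY_SIGNATURE))
```

Running `demo()` gives `(0, 3, 3, False, False)`: the body signature never matches the encrypted copies, while the stub signature and the decrypt-then-scan approach catch all three without flagging the clean file.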


Multipartite viruses: This type of virus can carry out several infections, using a different technique for each one. Their ability to combine different infection techniques makes these viruses particularly dangerous.


For more information about viruses, consult the Virus Encyclopedia on the Panda Software website (www.pandasoftware.com/virus_info/encyclopedia).