A Guide to Encrypted Viruses
The basic foundation of encrypted viruses and their operation
There is some confusion between polymorphism and the encryption process. The level of escalation determines how much damage an encrypted virus can inflict on a given system. Virus writers encrypt the code so that it cannot easily be inspected, which means you may not even notice that your system is under attack. Early programs meant to detect Trojans could not produce concrete proof of such an attack. One of them, written by Andy Hopkins in 1984 and named CHK4BOMB, essentially alerted the user to disk formatting and direct disk writes. Unfortunately the encrypted viruses found a way round this.
The mechanisms that make encrypted viruses successful
It is very difficult to resolve a computer problem if you are not even aware of its existence, and this is the power of encryption. The dilemma for the virus writer is that encrypted code is not executable as it stands. The virus therefore includes an element that decrypts the code at strategic points. In most cases this decryptor is the only part of the file that is not hidden. If you can find a way of targeting it, the rest of the malware is rendered useless, and many protective programs use exactly this technique.
The techniques used by encrypted viruses
At the most basic level you will have a combination of incrementing and decrementing. Alternatively the virus might work by rotating each byte of the code. Some bytes may be negated, or inverted with a logical NOT. A key is not necessarily required for these actions. It is also possible to transform the code by adding, subtracting or XORing. If a key is used then there are three types to choose from. A static key does not change while the viral element is in operation. For example the virus might add 128 to each byte or rotate each byte three places in either direction. Alternatively each word may be XORed with 0F8F8h.
The hidden challenges of working against encrypted viruses
Predictable results can be produced both by the static methods and by those which keep changing the keys. When the virus replicates, the original keys remain known to its programmer, who can therefore keep an eye on how the infection is progressing. The antivirus industry then targets all of these variants using similar strategies. The assumption is that a single point of resistance will work against all the parent and child versions of the malware.
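The static transformations listed above (add 128 to each byte, rotate each byte three places, XOR each word with 0F8F8h) and the scanner-side consequence of a static key, as an added example that is not part of the original article: because the key never changes, a scanner can simply try every candidate key and look for a known plaintext signature. The sample body, signature and the helper names are constructed for illustration.

```python
# Added example (not from the article): the static byte transformations the
# article lists and a defender-side "x-ray" check that recovers the static
# key by trying every candidate and looking for a known plaintext signature.
# The sample body and signature below are constructed for illustration.

def rol8(b: int, n: int) -> int:
    """Rotate one byte left by n bits (n = 0..7)."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF

def add_bytes(data: bytes, k: int) -> bytes:
    """Add a constant to every byte, e.g. k=128 as in the article."""
    return bytes((b + k) & 0xFF for b in data)

def rotate_bytes(data: bytes, n: int) -> bytes:
    """Rotate every byte left by n places; rotating by 8-n undoes it."""
    return bytes(rol8(b, n) for b in data)

def xor_words(data: bytes, k: int) -> bytes:
    """XOR every little-endian 16-bit word with k, e.g. 0F8F8h; self-inverse."""
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        w = (out[i] | (out[i + 1] << 8)) ^ k
        out[i], out[i + 1] = w & 0xFF, w >> 8
    return bytes(out)

def xray(suspect: bytes, signature: bytes):
    """Brute-force the static key: return (method, key) whose inverse exposes
    `signature` inside `suspect`, or None if no candidate matches.  A static
    key makes this cheap, which is why scanners could target such viruses."""
    for k in range(1, 256):                 # undo add-by-k with add-by-(-k)
        if signature in add_bytes(suspect, (-k) & 0xFF):
            return ("add", k)
    for n in range(1, 8):                   # undo rol-by-n with rol-by-(8-n)
        if signature in rotate_bytes(suspect, 8 - n):
            return ("rol", n)
    for k in range(1, 0x10000):             # XOR undoes itself
        if signature in xor_words(suspect, k):
            return ("xor16", k)
    return None

# Constructed stand-in for a virus body and the signature a scanner knows.
BODY = b"CONSTRUCTED SAMPLE: this stands in for the encrypted virus body!"
SIG = b"encrypted virus body"

if __name__ == "__main__":
    for name, enc in [("add 128", add_bytes(BODY, 128)),
                      ("rol 3", rotate_bytes(BODY, 3)),
                      ("xor 0F8F8h", xor_words(BODY, 0xF8F8))]:
        print(f"{name:>11} -> recovered {xray(enc, SIG)}")
```

A key that changes between generations defeats this direct lookup, which is why the article's next point, that the decryptor itself stays visible, matters for detection.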