Remove Antivirus 360. Description and removal instructions
Antivirus 360 is a brand new fake spyware remover, program with evil intent. Parasite, as many of its kind, tries to push user into purchasing of a licensed version with falsified threats. The name Antivirus 360 sounds very similar to respected security tool Norton 360 by Symantec. Application makes its own way into user’s computer via trojan Zlob or by manual download. After installation, parasite, flood user with numerous pop-ups with imaginary virus infections and system risks. After these notifications Antivirus360 advertises as an effective program that is able to fix all these problems, and of course it is paid one. Program is very dangerous, it mark windows files as an infections or serious threats. The main purpose of it is to show pop-ups and suck money. About fixing of infections you can forget it wasn’t created for that. As a parasite, Antivirus360 can do many serious problems for users, slowdown computer, limit connection of internet, increase loses of personal data and even brake your machine. We recommend you scan your system with reputable spyware remover programs to avoid problems.
Antivirus 360 properties:
• Changes browser settings
• Shows commercial adverts
• Connects itself to the internet
• Hides from the user
• Stays resident in background
Killing malicious processes and removing harmful files
Processes
Each program is a collection of files. To start the program you launch an executable file that runs the entire program or some of its components.
When you launch an executable, part of its code is being loaded into computer’s memory. This code is the process. It allows the system to run the corresponding program. In simple phrase, every running program is represented by its main process (or task). If such process doesn’t exist, the application doesn’t run at the moment.
Parasites are programs and also have processes. However, unlike regular software, their processes run without user knoledge. You cannot terminate a parasite like a common application by simply closing its window. That’s why you have to learn how to kill malicious processes.
Files
Each program consists of files. Even spyware, a virus or a different parasite - all have their own files. Removing a parasite often means deleting all its files. However, some files cannot be easily erased. You cannot delete the file while it’s used by an active application. Furthermore, some files are "invisible".
Imagine the situation: your anti-spyware program keeps detecting a parasite, and you know where its files reside. You open the corresponding folder, but see nothing in there! The parasite continues performing malicious actions and its files remain in that "empty" directory. You wonder how this happens?
Files can really be "invisible". However, it’s not their exceptional feature - the operating system simply hides them from you. Such OS behavior can be a result of recent malware activity. Fortunately, there are several ways to make your system display such files, and thus allow you to delete them.
In this guide manual process termination methods are described. These methods can be applied to all modern Windows operating system versions. The following instructions also explain how to find a file, make it visible (in case it’s hidden) and completely remove it from the system. This information is also fully applicable to folders (directories)
. Start Windows Task Manager
Use the following key combination: press CTRL+ALT+DEL or CTRL+SHIFT+ESC. This will open the Windows Task Manager.
If that didn’t work, try another way. Press the Start button and click on the Run… option. This will start the Run tool. Type in taskmgr and press OK. This should start the Windows Task Manager.
Find and terminate the process
Within the Windows Task Manager click on the Processes tab (it is in the red box). This will bring the complete list of all active tasks. Find the process by name. Names are in the first column from the left. Click on the Image Name button (it is designated by the blue box) to sort tasks in alphabetical order. Then scroll the list to find required process. Select it with your mouse or keyboard and click on the End Process button (in the green box). This will kill the process.
Cogen Antivirus
Friday, September 11, 2009
Tuesday, September 1, 2009
Anti-Virus Strategy Systems
Where do our anti-virus strategy systems fit in this picture? We hope to explore some answers to that question by first examining the components of our model system. Keep in mind, however, that the goal of this paper is not to provide you with answers, but rather to stimulate new ways of thinking about the problems we face daily.
Components
Each of the components in Diagram 1 contributes to the overall health of the system. Conversely, each can contribute to the illness of the system. For instance, our computer can contribute to the health of the system by functioning properly. If the hard drive crashes, a disharmonic condition is introduced. Our managers contribute to the overall well-being of the system, as long as they perform correctly. However, if one of them intentionally or unintentionally infects a computer with a virus, he or she contributes to the illness of the system. Our software contributes to the wellness by keeping employees reassured, and by keeping viruses out. If it is disabled by an employee desirous of more speed upon boot, or if it does not do its job in virus detection, it contributes to the illness or chaos in the system. There are other factors not shown, as the anti-virus strategy system model does not stop at the boundary of the company. The model includes your Internet service provider, virus writers, makers of electronic mail front-ends, anti-virus product tech support people and more. For the purposes of this paper, we must draw an artificial boundary. We mention the rest to give you food for thought, and to illustrate that boundaries are not static.
Anti-virus Strategy System - The Environment
Programs Policy and Procedures
(Selection, Implementation and Maintenance)
Where do we begin in examining the interaction of our chosen system elements? Let's start with the software selection. Anti-virus software is selected based on a wide number of criteria (8). While some of these criteria are beneficial, several are counterproductive at best (9). We need to be aware of exactly how our company's software is being chosen, and not leave this vital aspect of software selection up to people who do not have the experience or expertise to make a selection that will maximize your organisation's protection against viruses.
Does your anti-virus software detect all of the viruses which are a real threat to your organisation? Before you glibly answer yes, you should recognise that all products are far from created equal, and that even the best products will not achieve this goal if not properly maintained. Consider the following:
When asked what happens to two blocks of copper initially at different temperatures left alone together in an insulated container, students will reply that the blocks will come to the same temperature. Of course, if asked how they know, they usually say "Because it is a law of nature"...the opposite is true...it is a law of nature because it happens.[10]
Apply this to your anti-virus software. Does it catch viruses because it is anti-virus software? If so, you can depend on it, as its name defines what it is. But, if you even loosely apply this concept, you will see that it is anti-virus software because it catches viruses - and if it does not, then what does that make it?
Remember the following quote:
'If you call a tail a leg, how many legs has a dog?''Five?''No, Four. Calling a tail a leg doesn't make it a leg' [11]
Maintenance of your software is another critical issue. Maintenance refers not to the upgrade, but to the maintaining of the software on a daily basis. What does it require to run? Are you supplying what it needs to live? Or is it merely surviving? Does it have adequate memory, power, disk space to run optimally and lessen the chance your employees will disable it? Is it in an environment free from other programs which may hinder its performance? If you cannot answer yes to these questions, you are not providing an environment for this element of your strategy system which will allow it to remain viable. It will not survive. Like living systems, the anti-virus strategy system requires a favorable environment, else the system will adapt. Unfortunately, in the case of this system, adaptation can mean software becoming disabled by the user component of the system, or overridden by a competing software component. All this, and we have not even added viruses which by design cause a problem to the system by the introduction of instability.
Even if you have the best anti-virus software, and are running it optimally, there can still be problems. Software is just one part of the strategy system. Policies and procedures play an important role in the overall strategy. Even the viruses we mentioned earlier play a part in this system. Then there are the least predictable aspects of the system, the human beings. How complex is this system? How much should we expect the people involved to understand?
Ackoff defines an abstract system as one in which all of the elements are concepts, whereas a concrete system is one in which at least two of the elements are objects [12]. As you can see, our system is concrete. It is also by design an open system, one into which new components may be introduced. Some of these components are by nature 'unknown' (i.e. actions of people, how software may react, viruses which may appear).
When these components are introduced, we have to consider first how they behave on their own. Next, we have to consider how they would behave in combination with any and/or all of the other elements. Finally, we have to consider how 'things' in general will be if neither of the objects are present. In its most simple form, a two-part system would require four equations, but of course, you can see that as the number of elements increases, the number of interactive equations grows by leaps and bounds
Tuesday, August 18, 2009
Antivirus kernel
The antivirus kernel of avast! for Linux is identical to the kernel for Windows systems.
The latest version of the avast! antivirus kernel features outstanding detection abilities, together with high performance. You can expect 100% detection of In-the-Wild viruses (viruses already spreading between users) and excellent detection of Trojan horses with minimum false positives.
The kernel is certified by ICSA Labs; it frequently takes part in the tests of Virus Bulletin magazine, often yielding the VB100 award.
Like avast! for Windows, the avast! engine for Linux also features outstanding unpacking support. It can scan inside almost the same number of archives as under Windows, with the exception of MAPI, CAB, ACE, CHM, 7ZIP and NTFS streams. The following archives can be scanned: ARJ, ZIP, MIME (+ all associated formats), DBX (Outlook Express archives), RAR, TAR, GZIP, BZIP2, ZOO, ARC, LHA/LHX, TNEF (winmail.dat), CPIO, RPM, ISO, and SIS. It also supports a number of executable packers (such as PKLite, Diet, UPX, ASPack, FSG, MEW, etc.).
User interface
The Simple User Interface is used to start on-demand scanning, to work with the results and to change the various scan options.
The user interface requires GTK+ 2.x libraries. If you do not have these libraries installed on your system, the libraries from the installation package will be used.
Command line scanner
Experienced users will appreciate the classic on-demand scanner, controlled from the command line. It enables files to be scanned in specified directories and both on local and remote volumes. Of course, the command line scanner also works on volumes mounted over a network.
The program is very flexible and has many additional arguments and switches. It is able to generate extensive report files that can be used for analysis.
The scanner is able to run in STDIN/STDOUT mode as a pipe filter. This mode is intended to be used in shell scripts.
Automatic updates
Updates of the virus database are another key need in virus protection. Avast! is usually updated at least 3 times a week (even more frequently during virus outbreaks), providing you with the most up-to-date definitions to efficiently protect your system against the latest threats.
Virus chest
The Linux version also has a chest directory where suspicious files are stored. These files can be deleted, or it is possible to work with them later. It is also possible to submit the files to our virus lab for further analysis.
Internationalization
Currently, avast! for Linux is available in the following languages: English, Czech, Portuguese (Brazil), Bulgarian, Finnish, French
The antivirus kernel of avast! for Linux is identical to the kernel for Windows systems.
The latest version of the avast! antivirus kernel features outstanding detection abilities, together with high performance. You can expect 100% detection of In-the-Wild viruses (viruses already spreading between users) and excellent detection of Trojan horses with minimum false positives.
The kernel is certified by ICSA Labs; it frequently takes part in the tests of Virus Bulletin magazine, often yielding the VB100 award.
Like avast! for Windows, the avast! engine for Linux also features outstanding unpacking support. It can scan inside almost the same number of archives as under Windows, with the exception of MAPI, CAB, ACE, CHM, 7ZIP and NTFS streams. The following archives can be scanned: ARJ, ZIP, MIME (+ all associated formats), DBX (Outlook Express archives), RAR, TAR, GZIP, BZIP2, ZOO, ARC, LHA/LHX, TNEF (winmail.dat), CPIO, RPM, ISO, and SIS. It also supports a number of executable packers (such as PKLite, Diet, UPX, ASPack, FSG, MEW, etc.).
User interface
The Simple User Interface is used to start on-demand scanning, to work with the results and to change the various scan options.
The user interface requires GTK+ 2.x libraries. If you do not have these libraries installed on your system, the libraries from the installation package will be used.
Command line scanner
Experienced users will appreciate the classic on-demand scanner, controlled from the command line. It enables files to be scanned in specified directories and both on local and remote volumes. Of course, the command line scanner also works on volumes mounted over a network.
The program is very flexible and has many additional arguments and switches. It is able to generate extensive report files that can be used for analysis.
The scanner is able to run in STDIN/STDOUT mode as a pipe filter. This mode is intended to be used in shell scripts.
Automatic updates
Updates of the virus database are another key need in virus protection. Avast! is usually updated at least 3 times a week (even more frequently during virus outbreaks), providing you with the most up-to-date definitions to efficiently protect your system against the latest threats.
Virus chest
The Linux version also has a chest directory where suspicious files are stored. These files can be deleted, or it is possible to work with them later. It is also possible to submit the files to our virus lab for further analysis.
Internationalization
Currently, avast! for Linux is available in the following languages: English, Czech, Portuguese (Brazil), Bulgarian, Finnish, French
Free virus protection for your home PC
New viruses are being found "in the wild" all the time. Further, the speed at which these new viruses spread is increasing all the time. A key problem is not that antivirus programs do not detect such viruses, but the fact that most users do not use any antivirus program at all or, perhaps worse, the antivirus software and / or virus definitions database is out of date.
ALWIL Software, the producer of avast!, decided in June 2001 to help to solve this situation by offering avast! Home Edition free of charge for home users who do not use their computer for profit. To get industry leading antivirus protection for your home PC, download the software, and then register it.
The whole process is very simple: you need to download the program from the avast! 4 Home Download page, selecting the appropriate language. Then you need to install it, which is a mostly an automatic process. Initially, if you don't register straight away, you'll install the trial version, which is fully functional for sixty days. During this period, you can register yourself on the avast! 4 Home Free Registration page, and you will receive your license key by E-mail within 24 hours. Insert this key into the avast! 4 Home product, and you will receive the non-restricted version of avast! 4 Home Edition, including access to the update service (the incremental update of the virus database), for one year. After this period you can reregister to obtain a new free license key.
avast! 4 Home Edition can only be used by home users that do NOT use their computer for profit. If you do not meet both conditions, you should download avast! 4 Professional Edition instead, which may also be trialed for up to 60 days before you will need to purchase a valid license key.
avast! 4 Home Edition is a complete antivirus solution, fully able to find computer viruses, to create and check the integrity of programs installed, to test executed programs and opened documents, to test and check email and other functions. Scanning is also available in the shell extension and screen server.
You can read about avast! 4 Home Edition here. You can get avast! 4 Home Edition on our download page. You can later register it on a special avast! 4 Home Edition Free Registration page, where you can also request a renewal registration. You can also access our frequently asked questions section in case you are having difficulties with your product, or visit the forums where many questions have been or can be answered about the product.
New viruses are being found "in the wild" all the time. Further, the speed at which these new viruses spread is increasing all the time. A key problem is not that antivirus programs do not detect such viruses, but the fact that most users do not use any antivirus program at all or, perhaps worse, the antivirus software and / or virus definitions database is out of date.
ALWIL Software, the producer of avast!, decided in June 2001 to help to solve this situation by offering avast! Home Edition free of charge for home users who do not use their computer for profit. To get industry leading antivirus protection for your home PC, download the software, and then register it.
The whole process is very simple: you need to download the program from the avast! 4 Home Download page, selecting the appropriate language. Then you need to install it, which is a mostly an automatic process. Initially, if you don't register straight away, you'll install the trial version, which is fully functional for sixty days. During this period, you can register yourself on the avast! 4 Home Free Registration page, and you will receive your license key by E-mail within 24 hours. Insert this key into the avast! 4 Home product, and you will receive the non-restricted version of avast! 4 Home Edition, including access to the update service (the incremental update of the virus database), for one year. After this period you can reregister to obtain a new free license key.
avast! 4 Home Edition can only be used by home users that do NOT use their computer for profit. If you do not meet both conditions, you should download avast! 4 Professional Edition instead, which may also be trialed for up to 60 days before you will need to purchase a valid license key.
avast! 4 Home Edition is a complete antivirus solution, fully able to find computer viruses, to create and check the integrity of programs installed, to test executed programs and opened documents, to test and check email and other functions. Scanning is also available in the shell extension and screen server.
You can read about avast! 4 Home Edition here. You can get avast! 4 Home Edition on our download page. You can later register it on a special avast! 4 Home Edition Free Registration page, where you can also request a renewal registration. You can also access our frequently asked questions section in case you are having difficulties with your product, or visit the forums where many questions have been or can be answered about the product.
Sunday, July 26, 2009
Help prevent computer viruses
Nothing can guarantee the security of your computer 100 percent.
You can continue to improve your computer's security and decrease the possibility of infection by using a firewall, keeping your system up-to-date, maintaining a current antivirus software subscription, and following a few best practices.
Tip: Because no security method is guaranteed, it's important to back up critical files on a regular basis before you encounter a virus or other problems.
Steps to help avoid viruses:
Use an Internet firewall.Note: Windows Vista and Windows XP with SP2 has a firewall already built-in and turned on by default.
Visit Microsoft Update to verify your settings and check for updates.Note: If you've installed the most recent version of Microsoft Office, Microsoft Update will also update your Office programs. If you have an earlier version of Office, use Office Update.
Subscribe to antivirus software and keep it current.
Nothing can guarantee the security of your computer 100 percent.
You can continue to improve your computer's security and decrease the possibility of infection by using a firewall, keeping your system up-to-date, maintaining a current antivirus software subscription, and following a few best practices.
Tip: Because no security method is guaranteed, it's important to back up critical files on a regular basis before you encounter a virus or other problems.
Steps to help avoid viruses:
Use an Internet firewall.Note: Windows Vista and Windows XP with SP2 has a firewall already built-in and turned on by default.
Visit Microsoft Update to verify your settings and check for updates.Note: If you've installed the most recent version of Microsoft Office, Microsoft Update will also update your Office programs. If you have an earlier version of Office, use Office Update.
Subscribe to antivirus software and keep it current.
Never open an e-mail attachment from someone you don't know.
Avoid opening an e-mail attachment from someone you know, unless you know exactly what the attachment is. The sender may be unaware that it contains a virus.
Use a standard user account unless you need to use an Administrator Account. For more information, see Why use a standard user account instead of an administrator account.
What about spyware?
Although spyware programs are different from viruses, some can behave like viruses and pose similar and other risks. To help protect against spyware, use antispyware software such as Windows Defender. Windows Defender comes with Windows Vista. If you use Windows XP SP2, you can download Windows Defender for no charge.
Sunday, July 12, 2009
COMPUTER VIRUS
A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the owner. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability. A true virus can only spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer.
Infection strategies
In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user attempts to launch an infected program, the virus' code may be executed simultaneously. Viruses can be divided into two types based on their behavior when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect those targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.
Nonresident viruses
Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.
Resident viruses
Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. This module, however, is not called by a finder module. The virus loads the replication module into memory when it is executed instead and ensures that this module is executed each time the operating system is called to perform a certain operation. the replication module can be called, for example, each time the operating system executes a file. In this case the virus infects every suitable program that is executed on the computer.
Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible. A fast infector, for instance, can infect every potential host file that is accessed. This poses a special problem when using anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently. Some slow infectors, for instance, only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably and will, at most, infrequently trigger anti-virus software that detects suspicious behavior by programs. The slow infector approach, however, does not seem very successful.
Methods to avoid detection
In order to avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool anti-virus software, however, especially those which maintain and date Cyclic redundancy checks on file changes.
Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example the CIH virus, or Chernobyl Virus, infects Portable Executable files. Because those files have many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file.
Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them.
As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. Defending a computer against viruses may demand that a file system migrate towards detailed and explicit permission for every kind of file access.
Avoiding bait files and other undesirable hosts
A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many anti-virus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. For this reason, some viruses are programmed not to infect programs that are known to be part of anti-virus software. Another type of host that viruses sometimes avoid is bait files. Bait files (or goat files) are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus. These files can be created for various reasons, all of which are related to the detection of the virus:
Anti-virus professionals can use bait files to take a sample of a virus (i.e. a copy of a program file that is infected by the virus). It is more practical to store and exchange a small, infected bait file, than to exchange a large application program that has been infected by the virus.
Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods. This is especially useful when the virus is polymorphic. In this case, the virus can be made to infect a large number of bait files. The infected files can be used to test whether a virus scanner detects all versions of the virus.
Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system.
Since bait files are used to detect the virus, or to make detection possible, a virus can benefit from not infecting them. Viruses typically do this by avoiding suspicious programs, such as small program files or programs that contain certain patterns of 'garbage instructions'.
A related strategy to make baiting difficult is sparse infection. Sometimes, sparse infectors do not infect a host file that would be a suitable candidate for infection in other circumstances. For example, a virus can decide on a random basis whether to infect a file or not, or a virus can only infect host files on particular days of the week.
Stealth
Some viruses try to trick anti-virus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the anti-virus software’s request to read the file and passing the request to the virus, instead of the OS. The virus can then return an uninfected version of the file to the anti-virus software, so that it seems that the file is "clean". Modern anti-virus software employs various techniques to counter stealth mechanisms of viruses. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.
Self-modification
Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for so-called virus signatures. A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in a file, it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult but probably not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.
Encryption with a variable key
A more advanced method is the use of simple encryption to encipher the virus. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Since these would be symmetric keys, stored on the infected host, it is in fact entirely possible to decrypt the final virus, but this is probably not required, since self-modifying code is such a rarity that it may be reason for virus scanners to at least flag the file as suspicious.
An old, but compact, encryption involves XORing each byte in a virus with a constant, so that the exclusive-or operation had only to be repeated for decryption. It is suspicious code that modifies itself, so the code to do the encryption/decryption may be part of the signature in many virus definitions.
Polymorphic code
Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect directly using signatures. Anti-virus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body. See Polymorphic code for technical detail on how such engines operate.
Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for anti-virus professionals to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. This will make it more likely that the detection by the virus scanner will be unreliable, and that some instances of the virus may be able to avoid detection.
Metamorphic code
To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that use this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of Assembly language code, 90% of which is part of the metamorphic engine.
A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the owner. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability. A true virus can only spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer.
Infection strategies
In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user attempts to launch an infected program, the virus' code may be executed simultaneously. Viruses can be divided into two types based on their behavior when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect those targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.
Nonresident viruses
Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.
Resident viruses
Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. This module, however, is not called by a finder module. The virus loads the replication module into memory when it is executed instead and ensures that this module is executed each time the operating system is called to perform a certain operation. the replication module can be called, for example, each time the operating system executes a file. In this case the virus infects every suitable program that is executed on the computer.
Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible. A fast infector, for instance, can infect every potential host file that is accessed. This poses a special problem when using anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently. Some slow infectors, for instance, only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably and will, at most, infrequently trigger anti-virus software that detects suspicious behavior by programs. The slow infector approach, however, does not seem very successful.
Methods to avoid detection
In order to avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool anti-virus software, however, especially those which maintain and date Cyclic redundancy checks on file changes.
Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example the CIH virus, or Chernobyl Virus, infects Portable Executable files. Because those files have many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file.
Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them.
As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. Defending a computer against viruses may demand that a file system migrate towards detailed and explicit permission for every kind of file access.
Avoiding bait files and other undesirable hosts
A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many anti-virus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. For this reason, some viruses are programmed not to infect programs that are known to be part of anti-virus software. Another type of host that viruses sometimes avoid is bait files. Bait files (or goat files) are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus. These files can be created for various reasons, all of which are related to the detection of the virus:
Anti-virus professionals can use bait files to take a sample of a virus (i.e. a copy of a program file that is infected by the virus). It is more practical to store and exchange a small, infected bait file, than to exchange a large application program that has been infected by the virus.
Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods. This is especially useful when the virus is polymorphic. In this case, the virus can be made to infect a large number of bait files. The infected files can be used to test whether a virus scanner detects all versions of the virus.
Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system.
Since bait files are used to detect the virus, or to make detection possible, a virus can benefit from not infecting them. Viruses typically do this by avoiding suspicious programs, such as small program files or programs that contain certain patterns of 'garbage instructions'.
A related strategy to make baiting difficult is sparse infection. Sometimes, sparse infectors do not infect a host file that would be a suitable candidate for infection in other circumstances. For example, a virus can decide on a random basis whether to infect a file or not, or a virus can only infect host files on particular days of the week.
Stealth
Some viruses try to trick anti-virus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the anti-virus software’s request to read the file and passing the request to the virus, instead of the OS. The virus can then return an uninfected version of the file to the anti-virus software, so that it seems that the file is "clean". Modern anti-virus software employs various techniques to counter stealth mechanisms of viruses. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.
Self-modification
Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for so-called virus signatures. A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in a file, it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult but probably not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.
Encryption with a variable key
A more advanced method is the use of simple encryption to encipher the virus. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Since these would be symmetric keys, stored on the infected host, it is in fact entirely possible to decrypt the final virus, but this is probably not required, since self-modifying code is such a rarity that it may be reason for virus scanners to at least flag the file as suspicious.
An old, but compact, encryption involves XORing each byte in a virus with a constant, so that the exclusive-or operation had only to be repeated for decryption. It is suspicious code that modifies itself, so the code to do the encryption/decryption may be part of the signature in many virus definitions.
Polymorphic code
Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect directly using signatures. Anti-virus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body. See Polymorphic code for technical detail on how such engines operate.
Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for anti-virus professionals to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. This will make it more likely that the detection by the virus scanner will be unreliable, and that some instances of the virus may be able to avoid detection.
Metamorphic code
To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that use this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of Assembly language code, 90% of which is part of the metamorphic engine.
Monday, June 8, 2009
Traditional antivirus isn't enough!
"Traditional" viruses and spyware keep on growing - every day we see tens of thousands of new examples in our labs. And online criminals are getting smarter– they keep inventing types of threat that have never been seen before, usually aimed at stealing your bank account, credit card details or other personal information, so we’ve developed an extra layer of identity theft protection that sits on top of traditional antivirus and antispyware software. It looks for changes in your PC's behavior that are caused by new threats – and then stops them in their tracks.
Threats can be here today, gone tomorrow!
Cybercriminals are also setting up their own web sites – or poisoning legitimate websites – to distribute all sorts of malware over the internet. These web “exploits” are often around for less than a day, shutting up shop once they’ve infected enough people for that day. So to counter this, we’ve developed real-time software protection that gives you safety ratings for web pages and stops you opening the bad ones at the only time that matters – when you’re about to click the link.
"Traditional" viruses and spyware keep on growing - every day we see tens of thousands of new examples in our labs. And online criminals are getting smarter– they keep inventing types of threat that have never been seen before, usually aimed at stealing your bank account, credit card details or other personal information, so we’ve developed an extra layer of identity theft protection that sits on top of traditional antivirus and antispyware software. It looks for changes in your PC's behavior that are caused by new threats – and then stops them in their tracks.
Threats can be here today, gone tomorrow!
Cybercriminals are also setting up their own web sites – or poisoning legitimate websites – to distribute all sorts of malware over the internet. These web “exploits” are often around for less than a day, shutting up shop once they’ve infected enough people for that day. So to counter this, we’ve developed real-time software protection that gives you safety ratings for web pages and stops you opening the bad ones at the only time that matters – when you’re about to click the link.
Subscribe to:
Posts (Atom)