A question about viruses

This topic is 4593 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

I've been doing some research on the internet about viruses and how they work, what kind of people write them, what the most famous ones are, so on and so forth. In my research, I've found that one of the signs of a cleverly coded and thereby "intelligent" virus is its ability to avoid detection. Some viruses do this by simply changing their file extensions, others jump from program to program, but they are all trying to avoid the AV software. This got me thinking: what would happen if a virus were coded with some kind of advanced AI? Perhaps a neural net or something like that. Now I know that neural network AI is still in its infancy, but for the sake of argument, think along those lines. What would happen to the AV industry? How would it affect home computing, knowing that there might be a virus that could potentially go undetected and deliver large amounts of damage? Keep in mind that I am fully aware of root directory viruses and that they work along the same lines, but they have no AI in them whatsoever. Would something like an AI virus screw up secure computing? Just something I thought I'd put out there. Thanks, Alex Ruiz

When that happens we are definitely in the matrix...

I've often wondered that myself. Some virus that uses some sort of AI. It could both be a boon or a bane for the computer world.

I can see it now: a virus/worm that infects a machine, turns it into a zombie, connects to a botnet, and then reads up on the latest exploits for Windows and has at it. A spybot infecting from a malicious site quickly looks through your email and documents, looks for credit cards, names, addresses, your pr0n folder, uploads it to a harvester, then quietly watches your actions and waits for you to load up a music file before screaming at you for copyright infringement, alerting your local authorities and burning a hole in your CPU.

In a word, no.

If a machine is infected, it's over. No amount of cleaning will ever fix it. No matter the payload of the virus, it could've been something to overwrite the bootloader, or re-write passwords... It's over, and you lost. No virus is going to do any more damage by sticking around on the machine.

Any sys-admin actually earning their wages knows this. AV companies don't look to clean machines anymore. Though they still [mostly] use dumb as dirt signature engines, most of the AV work is done at the network borders these days. They don't look for virus signatures across the hard drive, they look for exploits going across their wire.

No AI can change the bug the virus uses to exploit the machine. That bug will have a pattern detectable by AV software. Usually by signatures. Sometimes though, the systems will just look for generic buffer overflow patterns or things that don't abide by protocol rules. Things like that have existed for 5+ years.

From what I understand, Virus writers try to keep their virii small - taking as few bytes as possible. Lean and mean all the way. An AI might work against that.

Yes, that would be the difficulty, unless a bootstrap virus was noted, which hopefully would be caught beforehand (install a trojan and download a larger virus). That bootstrapper of course should be able to be detected rather promptly using standard means. Now this is starting to shrink with the advent of faster internet, and I see a 50-100 KB virus as VERY probable, which is definitely enough for an AI of some sort.

It's not that hard to make a virus that avoids AV. All you have to do is specify in the executable (of your virus) where you can add harmless redundant code. And thus every time the virus wants to make a distinct copy of itself it randomly adds some redundant code, thus changing its own hash every time and avoiding AV.

It is much easier to write effective viruses than it is to write effective AV.

Any virus attempting to learn how to do things would create too much suspicious activity, thereby giving it away. It would have to be hard-coded with specific exploit instructions. Unless of course you treat the whole network of computers as some gene pool, whereby some copy of the virus might strike it lucky, and thus it acts like a genetic algorithm.
I think that it's far too inefficient to try and create such a virus however. We're also talking Megabytes, not Kilobytes in size, I'd say. Even with a bootloader it would be too slow to spread.

This "going undetected" bit is just nonsense though. All transmitted data can be observed. All attempts to connect to a port can be logged etc.
I believe that it is possible to have a 100% secure operating system (ignoring user programs). You can bet that it'll never be one made by MS though.

Quote:
Original post by snisarenko
It's not that hard to make a virus that avoids AV. All you have to do is specify in the executable (of your virus) where you can add harmless redundant code. And thus every time the virus wants to make a distinct copy of itself it randomly adds some redundant code, thus changing its own hash every time and avoiding AV.

It is much easier to write effective viruses than it is to write effective AV.


These types of virii are called polymorphic viruses; they change themselves slightly to fool AV software.

AFAIK (from a friend at Trend Micro) AV scanners do not work by comparing the hash of the virus, since the AV does not know how large the virus is. Virii always have a constant part that is responsible for adding the random instructions and the damage/payload. AV scanners look for these byte patterns.

edit: also, virii typically check if a target file is already infected and then stop, so they don't infect it twice. AV can search for the known "infected" tags of viruses. A few years back some AV inoculated programs by putting the infected tags on the file to fool the virus into thinking the file was already infected and skip it.

[Edited by - yapposai on May 16, 2005 2:42:11 AM]
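An added example, not code from this thread or from any AV product, that shows the scanner-side view of the two posts above (snisarenko's point that padding changes the file hash, and yapposai's point that scanners match the constant byte pattern and can use a family's "already infected" marker for inoculation). The byte strings, the `INFX` marker, and the signature are all constructed for this illustration and stand in for no real family:

```python
import hashlib
import random
import re

# Constructed byte strings standing in for a toy "family": an invariant part and a
# payload part. They are arbitrary bytes made up for this example, not real malware.
INVARIANT = b"\x55\x89\xe5\x83\xec\x10\xe8\x00\x00\x00\x00\x5b"
PAYLOAD = b"\xc7\x45\xfc\x2a\x00\x00\x00\xc9\xc3"
MARKER = b"INFX"  # constructed "already infected" tag the toy family leaves on files


def make_variants(n, seed=1):
    """Build n constructed samples that share INVARIANT and PAYLOAD but differ in the
    amount of harmless filler, so every sample has a different file hash."""
    rng = random.Random(seed)
    lengths = rng.sample(range(1, 65), n)  # distinct filler lengths, distinct hashes
    return [MARKER + b"\x90" * k + INVARIANT + b"\x90" * (k // 2) + PAYLOAD
            for k in lengths]


def file_hashes(samples):
    """Whole-file SHA-256 per sample: a blocklist of these never matches the next variant."""
    return {hashlib.sha256(s).hexdigest() for s in samples}


# Signature over the constant part: invariant bytes, then up to 64 bytes of anything
# (the filler the family inserts), then the payload bytes.
SIGNATURE = re.compile(re.escape(INVARIANT) + b".{0,64}?" + re.escape(PAYLOAD), re.DOTALL)


def signature_matches(data):
    """Pattern match against the constant bytes, independent of file hash or size."""
    return SIGNATURE.search(data) is not None


def is_marked(data):
    """Does the file carry the family's infection marker?"""
    return data.startswith(MARKER)


def inoculate(data):
    """Put the family's marker on a clean file so the toy family skips it (the trick
    yapposai describes). Idempotent: an already-marked file is returned unchanged."""
    return data if is_marked(data) else MARKER + data


if __name__ == "__main__":
    variants = make_variants(5)
    print("distinct hashes:", len(file_hashes(variants)))            # 5: hashing fails
    print("signature hits:", sum(map(signature_matches, variants)))  # 5: pattern holds
    print("marker hits:", sum(map(is_marked, variants)))             # 5: marker scan
```

The regex's bounded wildcard is the important design choice: an unbounded `.*` between the two constant pieces would match across unrelated files and cost quadratic scan time, while a fixed offset would break on the first variant with a different filler length. The marker check is cheap but easy to defeat by a family that drops or rotates its tag, which is why it complements the byte-pattern signature rather than replacing it.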

I used to write programs that verified themselves to ensure that they had not been tampered with. No virus is going to be smart enough to counter that.

What would be really scary would be a virus that modified the compiler installed on your PC, such that all compiled programs contain a copy of the virus.

Perhaps this thread should be moved to the lounge btw.
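An added example, not code from this thread or from iMalc's programs, of the kind of tamper check the post above describes. It uses a keyed tag (HMAC-SHA-256) rather than a plain hash, because a plain hash stored next to the file can be rewritten by whoever rewrote the file, and it places the check in a loader that runs before the image executes. The key, the file name `prog.py`, and the image bytes are constructed for the demo:

```python
import hashlib
import hmac
import os
import tempfile
from typing import Optional


def make_tag(data: bytes, key: bytes) -> bytes:
    """Keyed integrity tag over a program image. The key lives with the verifier
    (loader, updater, build server), never inside the image it protects."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_tag(data: bytes, tag: bytes, key: bytes) -> bool:
    """Constant-time comparison so a tamperer learns nothing from timing."""
    return hmac.compare_digest(make_tag(data, key), tag)


def load_verified(path: str, tag: bytes, key: bytes) -> Optional[bytes]:
    """Read a file and hand back its bytes only if the tag verifies.
    The check runs here, before anything in the file gets a chance to execute."""
    with open(path, "rb") as f:
        data = f.read()
    return data if verify_tag(data, tag, key) else None


def demo() -> tuple:
    """Constructed walk-through: a verified load succeeds, then the file is modified
    on disk and the same loader refuses it. Returns (loaded_before, loaded_after)."""
    key = os.urandom(32)  # constructed: a real deployment keeps this with the verifier
    image = b"print('hello from a constructed program image')\n"
    tag = make_tag(image, key)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "prog.py")
        with open(path, "wb") as f:
            f.write(image)
        loaded_before = load_verified(path, tag, key) is not None
        with open(path, "ab") as f:
            f.write(b"# appended after signing\n")  # simulated tampering
        loaded_after = load_verified(path, tag, key) is not None
    return loaded_before, loaded_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A program can also recompute such a tag over itself after start-up, but by then its code is already running; putting the check in the loader is what makes a failed verification worth something.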

Viruses that mutate their code and hide inside .exe files (without increasing their size) have been around for decades. Also viruses that decrypt their code right before execution and then encrypt it again (heck, I even wrote some license code that did that on the A500: decrypted a few instructions, executed them, encrypted them again and so on). Modern AV software uses "AI" itself; it doesn't look for a specific set of instructions that a certain virus executes. It rather looks for suspicious behavior of a program. This way modern AV can detect viruses that the AV constructor didn't know about.
If suspicious activity is detected, the program performing it would be inspected up close, using code analysis etc.
Some suspicious behaviours could be things like:
A program that searches the hard drive.
A program that opens .exe files.
Programs that open files that weren't installed at the same time.
And so on...

I do however agree that it's easier to write viruses than to detect them.
All you can do is hope that your computers aren't the first ones attacked and keep updating your AV software, creating McAfee millionaires in the process :)
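An added example, not code from this thread or from any AV product, that turns the three behaviours listed above into a scoring rule over a constructed process-event log. The log format (`<pid> <image> <action> <path>`), the sample events, the install-batch table and the weights are all made up for the illustration:

```python
import re
from collections import defaultdict

# Constructed sample event log, one "<pid> <image> <action> <path>" per line.
# Not a real product's log format; every entry is made up for this example.
SAMPLE_LOG = """\
101 setup.exe open C:\\Program Files\\Foo\\foo.exe
101 setup.exe write C:\\Program Files\\Foo\\foo.exe
202 notes.exe open C:\\Users\\alex\\docs\\todo.txt
303 shady.exe enumerate C:\\
303 shady.exe enumerate C:\\Users
303 shady.exe enumerate C:\\Users\\alex
303 shady.exe open C:\\Program Files\\Foo\\foo.exe
303 shady.exe write C:\\Program Files\\Foo\\foo.exe
"""

# Constructed table of which install job put each image or file on disk
# (None = user data that belongs to no install). Stands in for install metadata.
INSTALL_BATCH = {
    "setup.exe": "foo-install",
    "C:\\Program Files\\Foo\\foo.exe": "foo-install",
    "notes.exe": "notes-install",
    "C:\\Users\\alex\\docs\\todo.txt": None,
    "shady.exe": "download-2005-05-16",
}

LINE_RE = re.compile(r"^(?P<pid>\d+) (?P<image>\S+) (?P<action>\w+) (?P<path>.+)$")


def parse_events(text):
    """Parse the constructed log into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def score_process(events, install_batch):
    """Apply the three heuristics from the post to one process's events.
    Returns (score, reasons); weights are illustrative, not a product's."""
    score, reasons = 0, []
    enumerations = sum(1 for e in events if e["action"] == "enumerate")
    if enumerations >= 3:  # 1: searches the hard drive
        score += 2
        reasons.append(f"directory search ({enumerations} enumerate calls)")
    exe_targets = sorted({e["path"] for e in events
                          if e["action"] in ("open", "write")
                          and e["path"].lower().endswith(".exe")})
    if exe_targets:  # 2: opens .exe files
        score += 2
        reasons.append("touches executables: " + ", ".join(exe_targets))
    for e in events:  # 3: opens files that were not installed with it
        if e["action"] in ("open", "write"):
            own = install_batch.get(e["image"])
            target = install_batch.get(e["path"])
            if target is not None and own != target:
                score += 3
                reasons.append(f"crosses install boundary: {e['path']}")
                break  # count this once per process
    return score, reasons


def scan(text, install_batch=INSTALL_BATCH, threshold=5):
    """Group events per process and report which ones cross the threshold."""
    by_proc = defaultdict(list)
    for e in parse_events(text):
        by_proc[(e["pid"], e["image"])].append(e)
    report = {}
    for (pid, image), evs in by_proc.items():
        score, reasons = score_process(evs, install_batch)
        report[image] = {"pid": pid, "score": score, "reasons": reasons,
                         "suspicious": score >= threshold}
    return report


if __name__ == "__main__":
    for image, r in scan(SAMPLE_LOG).items():
        print(image, r["score"], "SUSPICIOUS" if r["suspicious"] else "ok", r["reasons"])
```

Note that `setup.exe` also writes an executable and picks up two points for it; the install-batch rule is what keeps a legitimate installer below the threshold while a process that arrived separately and then rewrites someone else's binary goes over it. That partial credit is the false-positive tension the post alludes to, and it is why a flagged process gets "inspected up close" rather than blocked outright on the score alone.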

Guest Anonymous Poster
Quote:
Original post by iMalc
I used to write programs that verified themselves to ensure that they had not been tampered with. No virus is going to be smart enough to counter that.


The moment your executable is loaded in memory and starts checking itself, it's already too late. It'll be able to find that it has been tampered with and to exit, but the virus will have had time to jump to another binary. Or did I misunderstand you?


Quote:
What would be really scary would be a virus that modified the compiler installed on your PC, such that all compiled programs contain a copy of the virus.



That was done a long while ago by Ken Thompson, sort of (from http://www.albion.com/security/intro-18.html):

Quote:
In a famous speech, Ken Thompson, one of the creators of UNIX, told of a frightening pair of bugs he was able to code. He planted a Trojan Horse in the source of a C compiler that would find and miscompile the UNIX login command in such a way that it would accept either the correct password or one known to him. Once installed in binary, this C compiler would create a login command that enabled him to log into the system as any user. That's a security hole! Now, Thompson knew that another programmer looking at the source would likely see this gaping hole. So he created a second Trojan Horse aimed at the C compiler. He compiled the Trojaned source with the regular C compiler to produce a Trojaned binary and made this the official C compiler. Voila, Thompson could then remove the bugs from the source, knowing that the new (Trojaned compiler) binary would reinsert the bugs whenever it was compiled. Thus, the login command was Trojaned with no trace in the source code. Thompson pointed out the clear moral of the story: "You can't trust code that you did not totally create yourself." On the other hand, not many of us are Ken Thompson, with resume items like "Invented UNIX operating system." Perhaps a better moral would be: "Trust no one completely."


Granted, it wouldn't "infect" all binaries, but the idea is there, and it's much more subtle than infecting everything.


Hope this helps.
