A question about viruses

10 comments, last by GameDev.net 18 years, 11 months ago
I've been doing some research on the internet about viruses and how they work, what kind of people write them, what the most famous ones are, so on and so forth. In my research, I've found that one of the signs of a cleverly coded and thereby "intelligent" virus is its ability to avoid detection. Some viruses do this by simply changing their file extensions, others jump from program to program, but they are all trying to avoid the AV software. This got me thinking: What would happen if a virus were coded with some kind of advanced AI? Perhaps a neural net or something like that. Now I know that neural network AI is still in its infancy, but for the sake of argument, think along those lines. What would happen to the AV industry? How would it affect home computing, knowing that there might be a virus that could potentially go undetected and deliver large amounts of damage? Keep in mind that I am fully aware of root directory viruses and that they work along the same lines, but they have no AI in them whatsoever. Would something like an AI virus screw up secure computing? Just something I thought I'd put out there. Thanks, Alex Ruiz
When that happens we are definitely in the matrix...

I've often wondered that myself. Some virus that uses some sort of AI. It could be either a boon or a bane for the computer world.

I can see it now: A virus/worm that infects a machine, turns it into a zombie, connects to a botnet, and then reads up on the latest exploits for Windows and has at it. A spybot infecting from a malicious site quickly looks through your email and documents, looks for credit cards, names, addresses, your pr0n folder, uploads it to a harvester, then quietly watches your actions and waits for you to load up a music file before screaming at you for copyright infringement, alerting your local authorities and burning a hole in your CPU.
~phate----For My next trick I need a lesbian and a burlap sack!
In a word, no.

If a machine is infected, it's over. No amount of cleaning will ever fix it. No matter the payload of the virus, it could've been something to overwrite the bootloader, or re-write passwords... It's over, and you lost. No virus is going to do any more damage by sticking around on the machine.

Any sys-admin actually earning their wages knows this. AV companies don't look to clean machines anymore. Though they still [mostly] use dumb as dirt signature engines, most of the AV work is done at the network borders these days. They don't look for virus signatures across the hard drive, they look for exploits going across their wire.

No AI can change the bug the virus uses to exploit the machine. That bug will have a pattern detectable by AV software. Usually by signatures. Sometimes though, the systems will just look for generic buffer overflow patterns or things that don't abide by protocol rules. Things like that have existed for 5+ years.
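The border-side detection described in the post above (generic buffer-overflow patterns and protocol-rule violations rather than per-virus signatures), as an added example that is not part of the original thread. The sample payloads are constructed, the request-line grammar is a simplified HTTP/1.x rule, and the sled threshold of 32 bytes and URL bound of 2048 bytes are assumed policy values:

```python
import re

# Constructed sample payloads (not real captures): one well-formed HTTP request,
# one carrying a classic x86 NOP sled (0x90 bytes) ahead of a dummy stub, and one
# with an absurdly long URL of the kind a stack smash against a parser would use.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
SLED = b"GET /" + b"\x90" * 200 + b"\xcc\xcc\xcc\xcc" + b" HTTP/1.1\r\n\r\n"
OVERLONG = b"GET /" + b"A" * 4096 + b" HTTP/1.1\r\n\r\n"

# Protocol rule for an HTTP/1.x request line: method, printable target of bounded
# length, version.  The bound (2048) is an assumed policy value, not a standard one.
REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} /[\x21-\x7e]{0,2048} HTTP/1\.[01]\r\n")

NOP = 0x90
SLED_MIN_RUN = 32  # assumed threshold: legitimate text rarely repeats one byte this often


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of consecutive bytes equal to `value`."""
    best = run = 0
    for b in data:
        run = run + 1 if b == value else 0
        if run > best:
            best = run
    return best


def classify(payload: bytes) -> list:
    """Return the generic (signature-free) alerts raised for one request payload."""
    alerts = []
    if longest_run(payload, NOP) >= SLED_MIN_RUN:
        alerts.append("nop-sled")
    if REQUEST_LINE.match(payload) is None:
        alerts.append("protocol-violation")
    return alerts


if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("sled", SLED), ("overlong", OVERLONG)):
        print(name, classify(pkt))
```

Neither check knows anything about a particular virus; the sled check keys on what an exploit needs to land reliably, and the grammar check keys on what the protocol permits, which is why an exploit can be caught on the wire before any payload runs.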
From what I understand, Virus writers try to keep their virii small - taking as few bytes as possible. Lean and mean all the way. An AI might work against that.
"I thought what I'd do was, I'd pretend I was one of those deaf-mutes." - the Laughing Man
Yes, that would be the difficulty, unless a bootstrap virus was noted, which hopefully would be caught beforehand (install a trojan and download a larger virus). That bootstrapper of course should be able to be detected rather promptly using standard means. Now this is starting to shrink with the advent of faster internet, and I see a 50k-100kb virus as VERY probable, which is definitely enough for an AI of some sort.
It's not that hard to make a virus to avoid AV. All you have to do is specify in the executable (of your virus) where you can add harmless redundant code. And thus every time the virus wants to make a distinct copy of itself it randomly adds some redundant code, thus changing its own hash every time and avoiding AV.

It is much easier to write effective viruses than it is to write effective AV.
Any virus attempting to learn how to do things would create too much suspicious activity, thereby giving it away. It would have to be hard-coded with specific exploit instructions. Unless of course you treat the whole network of computers as some gene pool, whereby some copy of the virus might strike it lucky, and thus it acts like a genetic algorithm.
I think that it's far too inefficient to try and create such a virus however. We're also talking Megabytes, not Kilobytes in size, I'd say. Even with a bootloader it would be too slow to spread.

This "going undetected" bit is just nonsense though. All transmitted data can be observed. All attempts to connect to a port can be logged etc.
I believe that it is possible to have a 100% secure operating system (ignoring user programs). You can bet that it'll never be one made by MS though.
"In order to understand recursion, you must first understand recursion."
My website dedicated to sorting algorithms
I agree with above posts. Besides the AI taking more memory, either way, the addition to any exe file can and will be detected by Anti-virus programs. AI won't really help, rather hinder that virus.


Quote: Original post by snisarenko
It's not that hard to make a virus to avoid AV. All you have to do is specify in the executable (of your virus) where you can add harmless redundant code. And thus every time the virus wants to make a distinct copy of itself it randomly adds some redundant code, thus changing its own hash every time and avoiding AV.

It is much easier to write effective viruses than it is to write effective AV.


These types of virii are called polymorphic viruses: they change themselves slightly to fool AV software.

AFAIK (from a friend in Trend Micro) AV scanners do not work by comparing the hash of the virus, since the AV does not know how large the virus is. Virii always have a constant part that is responsible for adding the random instructions and the damage/payload. AV scanners look for these byte patterns.

edit: also virii typically check if a target file is already infected, then stop infecting it twice. AV can search for known "infected" tags of viruses. A few years back some AV inoculated programs by putting the infected tags on the file to fool the virus into thinking the file was already infected and skip it.

[Edited by - yapposai on May 16, 2005 2:42:11 AM]
---------------Magic is real, unless declared integer.- the collected sayings of Wiz Zumwalt
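The two scanning strategies argued about in snisarenko's post and yapposai's reply (a whole-file hash lookup versus a byte-pattern signature on the constant part), as one added example that is not part of the original thread. The toy infector, its three constant fragments, the junk opcodes and the 32-byte wildcard bound are all constructed for illustration:

```python
import hashlib
import random
import re

# Constructed toy infector (not a real sample): three fixed fragments every copy
# keeps (the part that does the copying and the payload), with junk allowed only
# at the gaps between them.  The opcodes are illustrative x86 bytes.
CONSTANT_PARTS = [b"\x55\x89\xe5", b"\xe8\x00\x00\x00\x00\x5b", b"\x31\xc0\xc3"]
# Harmless filler the mutation engine may sprinkle in: nop, xchg eax,eax,
# mov eax,eax, and inc eax / dec eax.
JUNK_OPS = [b"\x90", b"\x87\xc0", b"\x89\xc0", b"\x40\x48"]


def mutate(rng: random.Random) -> bytes:
    """Produce one copy: constant parts in order, 0-6 junk ops after each."""
    out = b""
    for part in CONSTANT_PARTS:
        out += part
        for _ in range(rng.randint(0, 6)):
            out += rng.choice(JUNK_OPS)
    return out


def hash_scanner(known_hashes: set, sample: bytes) -> bool:
    """Whole-file hash lookup: only an exact copy of a known sample matches."""
    return hashlib.sha256(sample).hexdigest() in known_hashes


# Byte-pattern signature: the constant fragments in order, each gap a bounded
# wildcard (up to 32 bytes, comfortably above the 12 bytes of junk mutate() allows).
SIGNATURE = re.compile(b".{0,32}?".join(re.escape(p) for p in CONSTANT_PARTS), re.DOTALL)


def signature_scanner(sample: bytes) -> bool:
    """Match the constant part regardless of the junk between the fragments."""
    return SIGNATURE.search(sample) is not None


def demo(variants: int = 20, seed: int = 1) -> dict:
    """Scan `variants` fresh copies with both scanners, knowing only the first copy's hash."""
    rng = random.Random(seed)
    first = mutate(rng)
    known = {hashlib.sha256(first).hexdigest()}
    copies = [mutate(rng) for _ in range(variants)]
    return {
        "variants": variants,
        "hash_hits": sum(hash_scanner(known, c) for c in copies),
        "signature_hits": sum(signature_scanner(c) for c in copies),
        "benign_flagged": signature_scanner(b"GET /index.html HTTP/1.1\r\n\r\n"),
    }


if __name__ == "__main__":
    print(demo())
```

The hash scanner catches a copy only if it happens to be byte-for-byte identical to the one sample it was trained on, while the wildcard signature catches every copy because the fragments the mutation engine cannot touch are exactly what it keys on. Real engines also bound the gap, because an unbounded wildcard makes the match expensive and prone to false positives.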
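The "already infected" tag and the inoculation trick from the edit in the post above, as an added example that is not part of the original thread. The marker bytes, the appended body and the in-memory "files" are constructed; a real infector might use an odd timestamp or a header flag instead of a trailer:

```python
# Constructed toy infector and the matching inoculation (not real malware and not
# the poster's code).  MARKER is an assumed 5-byte trailer; VIRUS_BODY is illustrative.
MARKER = b"INF\x01\x02"
VIRUS_BODY = b"\x55\x89\xe5\x31\xc0\xc3"


def is_marked(host: bytes) -> bool:
    """The infector's own 'already done this one' test."""
    return host.endswith(MARKER)


def infect(host: bytes) -> bytes:
    """Append the body and the tag; skip hosts that already carry the tag."""
    if is_marked(host):
        return host
    return host + VIRUS_BODY + MARKER


def inoculate(host: bytes) -> bytes:
    """AV-side immunisation: plant only the tag so the infector believes it is done."""
    if is_marked(host):
        return host
    return host + MARKER


def carries_body(host: bytes) -> bool:
    """Detection keyed on the constant body rather than on the tag."""
    return VIRUS_BODY in host


def demo() -> dict:
    clean = b"MZ pretend this is a clean executable"
    infected = infect(clean)
    immune = inoculate(clean)
    return {
        "infected_once": infected != clean,
        "reinfection_blocked": infect(infected) == infected,
        "inoculated_untouched": infect(immune) == immune,
        "inoculated_has_body": carries_body(immune),
        "tag_scan_flags_inoculated": is_marked(immune),
        "body_scan_flags_infected": carries_body(infected),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things fall out of running it: a scanner that keys on the tag alone cannot tell an inoculated file from an infected one, so the scanner has to look for the body, and the immunisation only holds for as long as the virus author keeps the same marker.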
I used to write programs that verified themselves to ensure that they had not been tampered with. No virus is going to be smart enough to counter that.

What would be really scary would be a virus that modified the compiler installed on your PC, such that all compiled programs contain a copy of the virus.

Perhaps this thread should be moved to the lounge btw.
"In order to understand recursion, you must first understand recursion."
My website dedicated to sorting algorithms
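The self-verifying program described in the post above, as an added example that is not part of the original thread. The program text, the placement of the expected digest on its own `EXPECTED_DIGEST` line, and the stamp/verify split are all assumptions of this example; in a deployed program `verify` would read the running file's own bytes:

```python
import hashlib
import re

# Constructed example of a self-verifying program (not the poster's code).  The
# program text carries its own expected SHA-256 on one line; that line is reset
# to a placeholder before hashing so the real value can be stamped in at build time.
PLACEHOLDER = "0" * 64
DIGEST_LINE = re.compile(rb'^EXPECTED_DIGEST = "([0-9a-f]{64})"$', re.M)


def _with_digest(source: bytes, value: str) -> bytes:
    """Rewrite the digest line to hold `value`."""
    return DIGEST_LINE.sub(b'EXPECTED_DIGEST = "' + value.encode() + b'"', source, count=1)


def digest_of(source: bytes) -> str:
    """Hash of the program with the digest line reset to the placeholder."""
    return hashlib.sha256(_with_digest(source, PLACEHOLDER)).hexdigest()


def stamp(source: bytes) -> bytes:
    """Build step: write the real digest into the program text."""
    return _with_digest(source, digest_of(source))


def stored_digest(source: bytes):
    """The value the program claims for itself, or None if the line is missing."""
    m = DIGEST_LINE.search(source)
    return m.group(1).decode() if m else None


def verify(source: bytes) -> bool:
    """Run-time self-check: recompute and compare with the stored value."""
    return stored_digest(source) == digest_of(source)


# Constructed program text; a real program would pass open(__file__, "rb").read().
SAMPLE = (
    b'EXPECTED_DIGEST = "' + PLACEHOLDER.encode() + b'"\n'
    b'def main():\n'
    b'    print("hello")\n'
)


def demo() -> dict:
    shipped = stamp(SAMPLE)
    tampered = shipped.replace(b'"hello"', b'"pwned"')
    return {
        "shipped_ok": verify(shipped),
        "tampered_detected": not verify(tampered),
        "restamped_passes": verify(stamp(tampered)),
    }


if __name__ == "__main__":
    print(demo())
```

The last entry in `demo()` shows the limit of the scheme: it catches any change made by something that does not know the layout, but an attacker who also rewrites the stored digest passes the check. Tying the stored value to something the attacker cannot regenerate (a signature whose key is not in the file) is what turns the check from tamper evidence into tamper resistance.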

