

ID: 3683700 • Letter: L

Question

List all techniques and briefly describe each technique that is used by virus writers to protect their code from detection. Also say what type of counter techniques can be used. Please use the following table to summarize your analysis (one example provided):

| Technique | Property of the Infection | How to detect |
|---|---|---|
| Reside in an unused portion of the hard drive | Cannot be detected by antiviruses that only scan “used” areas of the hard drive. | Low-level scan of the hard drive or disk cleaning programs. |


Explanation / Answer

A virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. In order to avoid detection by users, some viruses employ different kinds of deception, such as the following strategies:

| Technique | Property of the Infection | How to detect |
|---|---|---|
| Reside in an unused portion of the hard drive | Cannot be detected by antiviruses that only scan “used” areas of the hard drive. | Low-level scan of the hard drive or disk cleaning programs. |
| Overwriting Virus | This type of virus overwrites files with its own copy. Of course, this is a very primitive technique, but it is certainly the easiest approach of all. Overwriting viruses cannot be disinfected from a system. | Infected files must be deleted from the disk. |
| Companion Infection | The approach to becoming a companion to an EXE file is to give the virus the same base name as the targeted program, but use a .COM extension instead of .EXE. This technique was employed by the Globe virus, first detected in 1992. When the victim attempts to launch an EXE program, he or she usually types its name without the extension. In such cases, Windows gives priority to a file with the .COM extension over a file with the same base name but with the .EXE extension. | Opening an executable with both read and write permission. |
| Appending Virus | A jump (JMP) instruction is inserted at the front of the host to point to the end of the original host. A typical example of this virus is Vienna. The appender technique can be implemented for any other type of executable file, such as EXE, NE, PE, and ELF formats, and so on. Such files have a header section that stores the address of the main entry point, which, in most cases, will be replaced with a new entry point to the start of the virus code appended to the end of the file. | |
| Prepending Virus | This virus inserts its code at the front of host programs. This is a simple kind of infection, and it is often very successful. Virus writers have implemented it on various operating systems, causing major virus outbreaks in many. An example of a COM prepender virus is the Hungarian virus Polimer.512.A, which prepends itself, 512 bytes long, at the front of the executable and shifts the original program content to follow itself. | |
| Cavity or space-filler Virus | The virus attempts to install itself in this empty space while not damaging the actual program itself. An advantage of this is that the virus then does not increase the length of the program and can avoid the need for some stealth techniques. The Lehigh virus was an early example of a cavity virus. Because of the difficulty of writing this type of virus and the limited number of possible hosts, cavity viruses are rare. | |
| Compressing Virus | This virus infection technique uses the approach of compressing the content of the host program. Sometimes this technique is used to hide the host program's size increase after the infection by packing the host program sufficiently with a binary packing algorithm. | |
| Boot Sector Virus | The virus takes advantage of the executable nature of the master boot record (MBR) and partition boot sector (PBS). A PC infected with a boot sector virus will execute the virus's code when the machine boots up. The Michelangelo virus is an example of a boot sector virus. | |
| Macro virus | Infects a Microsoft Word or similar application and causes a sequence of actions to be performed automatically when the application is started or something else triggers it. | |
| Malicious mobile code | Mobile code is a lightweight program that is downloaded from a remote system and executed locally with minimal or no user intervention. Java applets, JavaScript scripts, Visual Basic Scripts (VBScripts), and ActiveX controls are some of the most popular examples of mobile code that you may encounter while browsing the Web or reading HTML-formatted e-mail. | |

Computer virus writers use many strategies to evade detection, such as space filling, compressing and encryption; on the other hand, antivirus software tries to detect the viruses by using various static and dynamic methods. However, all the existing methods are not adequate. To develop new reliable antivirus software, some problems must be fixed.

Here I am giving some static and dynamic counter techniques or detection methods to be used.

With static analysis, a virus is detected by examining the files or records for the occurrences of virus patterns without actually running any code. Static methods include the following methods.

A dynamic detection method decides whether or not code is infected by running the code and observing its behavior. The program monitors known methods of virus activity, including attempts to infect and evade detection. This may also include attempts to write to boot sectors, modify interrupt vectors, write to system files, etc. For example, most virus activity eventually needs to call some system functionality, like I/O operations; only these actions have to be considered. No matter how obfuscated the I/O calls are statically, the calls will appear clearly when the code runs. Software monitors work best when the normal usage characteristics of the system are vastly different from the activity profile of an infected system. A virus might exhibit a dynamic signature like

A behavior blocker is antivirus software which monitors a running program's behavior in real time, watching for suspicious activity. If such activity is seen, the behavior blocker can prevent the suspect operations from succeeding, can terminate the program, or can ask the user for the appropriate action to perform. Behavior blocking allows code to run on the real machine. In contrast, antivirus techniques using emulation let the code being analyzed run in an emulated environment. The hope is that, under emulation, a virus will reveal itself. Because any virus found wouldn't be running on the real computer, no harm is done.

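The appending technique in the table above works by rewriting the host header's entry point so that execution starts in code placed after the original host. The following Python script is an added example written for this page, not code from the answer or from the sources it draws on; it is the static counterpart to the empty "How to detect" cell for appenders. It parses an ELF64 header and its program headers and flags an image whose entry point does not fall inside the first executable PT_LOAD segment. Both sample images (`CLEAN` and `APPENDED`) are constructed inline with `struct`, contain only zero-filled segment bodies, and use segment layouts and entry addresses chosen for the demonstration; the heuristic itself is a simplification and real scanners combine it with other checks.

```python
"""Static entry-point check for appended code in ELF64 images.

Added example for this page (not the answer's own code). Only the ELF header
and program headers are inspected. The two sample images are constructed here
with struct and are not real programs.
"""
import struct

ELF_HEADER = "<16sHHIQQQIHHHHHH"   # 64-byte ELF64 file header
PROG_HEADER = "<IIQQQQQQ"          # 56-byte ELF64 program header
PT_LOAD, PF_X = 1, 0x1


def build_elf(segments, entry):
    """Constructed ELF64 image: header + program headers + zero-filled segment bodies.

    segments: list of (file_offset, vaddr, filesz, flags); the first one must start
    at offset 0 and be large enough to cover the headers.
    """
    ehsize = struct.calcsize(ELF_HEADER)
    phentsize = struct.calcsize(PROG_HEADER)
    size = max(off + sz for off, _, sz, _ in segments)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, v1
    hdr = struct.pack(ELF_HEADER, ident, 2, 0x3E, 1, entry, ehsize, 0, 0,
                      ehsize, phentsize, len(segments), 0, 0, 0)
    phdrs = b"".join(
        struct.pack(PROG_HEADER, PT_LOAD, flags, off, vaddr, vaddr, sz, sz, 0x1000)
        for off, vaddr, sz, flags in segments)
    image = bytearray(size)
    image[:len(hdr) + len(phdrs)] = hdr + phdrs
    return bytes(image)


def parse_elf(data):
    """Return (entry, [PT_LOAD dicts with offset/vaddr/filesz/flags]) for an ELF64 image."""
    fields = struct.unpack_from(ELF_HEADER, data, 0)
    ident, entry, phoff, phentsize, phnum = fields[0], fields[4], fields[5], fields[9], fields[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2:
        raise ValueError("not an ELF64 image")
    loads = []
    for i in range(phnum):
        p_type, p_flags, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PROG_HEADER, data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append({"offset": p_off, "vaddr": p_vaddr, "filesz": p_filesz, "flags": p_flags})
    return entry, loads


def check_entry_point(data):
    """Return (suspicious, reason).

    Heuristic: the entry point should lie in the executable PT_LOAD segment with the
    lowest file offset (the primary code segment). An appender's entry points past it.
    """
    entry, loads = parse_elf(data)
    exec_segs = sorted((s for s in loads if s["flags"] & PF_X), key=lambda s: s["offset"])
    if not exec_segs:
        return True, "no executable segment"
    primary = exec_segs[0]
    holder = next((s for s in loads if s["vaddr"] <= entry < s["vaddr"] + s["filesz"]), None)
    if holder is None:
        return True, f"entry point {entry:#x} lies outside every loadable segment"
    if holder is not primary:
        return True, (f"entry point {entry:#x} is in the segment at file offset "
                      f"{holder['offset']:#x}, not in the primary code segment at "
                      f"{primary['offset']:#x}")
    return False, "entry point is inside the primary code segment"


# Constructed samples (assumed layouts): a normal text+data image, and the same image
# with an extra executable segment appended at the end and the entry moved into it.
CLEAN = build_elf([(0, 0x400000, 0x1000, 0x5), (0x1000, 0x601000, 0x200, 0x6)],
                  entry=0x400100)
APPENDED = build_elf([(0, 0x400000, 0x1000, 0x5), (0x1000, 0x601000, 0x200, 0x6),
                      (0x1200, 0x602000, 0x300, 0x5)], entry=0x602010)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN), ("appended", APPENDED)):
        print(name, check_entry_point(image))
```

Run the script directly to see the verdict for both constructed images; to check a real file, pass the result of `open(path, "rb").read()` to `check_entry_point`. Linked binaries normally place the entry point in the first executable segment, so a hit is worth a closer look but is not proof of infection on its own.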

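The dynamic-detection and behavior-blocker paragraphs above describe watching a running program for writes to boot sectors, system files and other executables. As an added example, not part of the original answer, here is a small behavior-blocker rule engine in Python run over a constructed event log. The one-record-per-line `key=value` event format, the process ids and paths in `SAMPLE_LOG`, and the scoring thresholds are all assumptions made for this demonstration; a real blocker would hook the operations at the kernel or API level rather than read a text log.

```python
"""Behavior-blocker rule engine over a file-operation event stream.

Added example for this page (not the answer's own code). The event format, the
sample processes and the scoring thresholds are assumptions. Rules mirror the
dynamic signatures the answer names: boot-sector writes, system-file
modification, and one process writing into several other executables.
"""
import re
from collections import defaultdict

RAW_DISK = re.compile(r"^\\\\\.\\(PhysicalDrive|Harddisk)\d", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\", re.IGNORECASE)
EXECUTABLE = re.compile(r"\.(exe|com|dll|sys)$", re.IGNORECASE)
BLOCK_AT, ALERT_AT = 5, 3   # assumed score thresholds

# Constructed sample log; not captured from a real system.
SAMPLE_LOG = r"""
pid=101 proc=C:\Users\ann\word.exe op=write target=C:\Users\ann\report.docx
pid=202 proc=C:\Temp\setup.exe op=write target=\\.\PhysicalDrive0 offset=0
pid=303 proc=C:\Temp\game.exe op=write target=C:\Games\a.exe
pid=303 proc=C:\Temp\game.exe op=write target=C:\Games\b.exe
pid=303 proc=C:\Temp\game.exe op=write target=C:\Tools\c.com
pid=404 proc=C:\Temp\patch.exe op=write target=C:\Windows\System32\kernel32.dll
pid=505 proc=C:\Temp\viewer.exe op=read target=C:\Games\a.exe
"""


def parse_event(line):
    """'pid=1 proc=x op=write target=y' -> dict (values contain no spaces by assumption)."""
    return dict(tok.split("=", 1) for tok in line.split())


def analyze_log(text):
    """Score every writing process in the log; return {pid: {score, reasons, verdict}}."""
    state = defaultdict(lambda: {"score": 0, "reasons": [], "touched": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("op") != "write":          # only modifications are scored here
            continue
        s, proc, target = state[ev["pid"]], ev["proc"], ev["target"]
        if RAW_DISK.match(target) and ev.get("offset", "0") == "0":
            s["score"] += 5
            s["reasons"].append("write to sector 0 of a raw disk device (boot sector)")
        elif SYSTEM_DIR.match(target) and EXECUTABLE.search(target):
            s["score"] += 4
            s["reasons"].append(f"modified system file {target}")
        elif EXECUTABLE.search(target) and target.lower() != proc.lower():
            s["touched"].add(target.lower())
            if len(s["touched"]) == 3:       # fire once, on the third foreign executable
                s["score"] += 5
                s["reasons"].append("wrote into three or more other executables (replication pattern)")
    report = {}
    for pid, s in state.items():
        verdict = ("block" if s["score"] >= BLOCK_AT
                   else "alert" if s["score"] >= ALERT_AT else "allow")
        report[pid] = {"score": s["score"], "reasons": s["reasons"], "verdict": verdict}
    return report


if __name__ == "__main__":
    for pid, r in analyze_log(SAMPLE_LOG).items():
        print(pid, r["verdict"], r["score"], "; ".join(r["reasons"]))
```

On the sample log the setup process that writes sector 0 and the game process that writes into three other executables are blocked, the process that modifies a system DLL is raised as an alert, and the document editor is allowed. The "third foreign executable" rule is the part that distinguishes a replication pattern from a legitimate installer touching one file; in practice that threshold, and an allow-list for known installers, is where most tuning effort goes.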