Virus vs Anti-virus: An Arms Race By: Faheem ul haq Roll no: 63
Definition of a Computer Virus Computer viruses vary greatly from one another, but all of them are computer code. Not every virus carries a destructive payload, but most "infect" a system by attaching to or overwriting software in order to spread and compromise the machine. Viruses have been written for many carriers: executable programs, boot sectors, macro-enabled document files, HTML and Java code, hidden applets, and others. In short, a computer virus is a program that is able to attach itself to disks or other files and replicate itself repeatedly, usually without the user's knowledge. Although most viruses damage a system, damage is not part of the definition: replication is.
Background <ul><li>There are an estimated 30,000 computer viruses in existence (figure as given in the original presentation). </li></ul><ul><li>Over 300 new ones are created each month. </li></ul><ul><li>The first virus was created to demonstrate loopholes in software, not to cause damage. </li></ul>
Symptoms of a Virus Attack <ul><li>Computer runs slower than usual </li></ul><ul><li>Computer no longer boots </li></ul><ul><li>Screen sometimes flickers </li></ul><ul><li>PC speaker beeps periodically </li></ul><ul><li>System crashes for no apparent reason </li></ul><ul><li>Files or directories disappear </li></ul><ul><li>Denial of Service (DoS): the machine or its network connection becomes unusable </li></ul>None of these is specific to a virus; a failing disk or a bad driver produces the same symptoms, so they are a reason to scan, not a diagnosis.
Types of Virus
<ul><li>Anti-anti-virus: a virus that attacks, disables or infects specific anti-virus software. </li></ul>
<ul><li>Fast infector: when active in memory, infects not only programs that are executed but also programs that are merely opened. Running an application that opens many programs without executing them, such as an on-demand anti-virus scanner, can therefore result in every program it touches becoming infected. </li></ul>
<ul><li>Macro virus: a malicious macro. A macro is a series of instructions, written in a macro programming language, designed to simplify repetitive tasks within a program; a macro virus is attached to a document file (such as a Word or Excel file). When a document or template containing it is opened in the target application, the virus runs, does its damage and copies itself into other documents. Continued use of the application spreads the virus. </li></ul>
<ul><li>Mutating (polymorphic) virus: a virus that changes its own code from one infection to the next, so that no fixed byte sequence is common to every copy and simple signature matching fails. </li></ul>
<ul><li>Resident virus: loads into memory and remains inactive until a trigger event. When the event occurs the virus activates, either infecting a file or disk or causing other consequences. All boot viruses are resident viruses, and so are the most common file viruses. </li></ul>
<ul><li>Trojan horse program: a malicious program that pretends to be a benign application and purposefully does something the user does not expect. Trojans are not viruses, since they do not replicate, but they can be just as destructive. </li></ul>
<ul><li>Worm: a self-contained program that replicates but, unlike a virus, does not attach itself to other files. Worms can create copies on the same computer or send copies to other computers over a network. </li></ul>
<ul><li>Zoo virus: a virus that exists only in the collections of researchers and has never infected a real-world computer system. </li></ul>
Virus detection problems The following detection problems are undecidable (these results are due to Fred Cohen): <ul><li>Detection of a virus by its appearance </li></ul><ul><li>Detection of a virus by its behaviour </li></ul><ul><li>Detection of an evolution of a known virus </li></ul><ul><li>Detection of an evolution of a known triggering mechanism </li></ul><ul><li>Detection of an evolution of a known viral detector </li></ul>The argument is the same in each case: given any proposed detector, one can write a program that first asks the detector whether it is a virus and then does the opposite (replicating if the detector says clean, staying benign if it says infected), so the detector is wrong on that program. Every practical scanner is therefore an approximation, and the arms race consists of narrowing the gap rather than closing it.
ANTIVIRUS SOFTWARE <ul><li>Antivirus software is software that attempts to identify, neutralize or eliminate malicious software. The term "antivirus" is used because the earliest examples were designed exclusively to combat computer viruses; most modern antivirus software is designed to combat a wider range of threats, including worms, phishing attacks, rootkits and Trojans, often described collectively as malware. </li></ul><ul><li>Antivirus scanning software, or a virus scanner, is a program that examines all files in specified locations, the contents of memory, the operating system, the registry, unexpected program behaviour, and anywhere else relevant, with the intention of identifying and removing any malware. </li></ul>
DICTIONARY <ul><li>In the virus dictionary approach, when the antivirus software looks at a file it refers to a dictionary of known viruses that the authors of the antivirus software have identified. If a piece of code in the file matches any entry in the dictionary, the antivirus software can take one of the following actions: </li></ul><ul><li>attempt to repair the file by removing the virus code from it, </li></ul><ul><li>quarantine the file (so that it is inaccessible to other programs and the virus can no longer spread), or </li></ul><ul><li>delete the infected file. </li></ul>The approach only works for viruses already in the dictionary, so the dictionary must be updated continually, and a copy whose bytes differ from the recorded pattern is missed.
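The following is an added example, not code from the presentation: a minimal dictionary scanner in Python with the three actions described above. The signatures, the "host program" and the "virus" bytes are constructed for the demonstration and are not real malware. It also goes a step beyond the text by showing why dictionaries carry wildcard ("masked") entries: an exact entry misses a copy whose key bytes changed, the masked entry still catches it, and a copy whose body has been re-encoded evades both until a new entry is written.

```python
"""Dictionary (signature) scanning, as an added example.

All signatures and "files" below are constructed for the demonstration;
nothing here is real malware.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # regular expression over raw bytes; '.' matches any one byte


# Constructed virus dictionary. The first entry is an exact byte string; the
# second is a "masked" version that tolerates a 4-byte variable field, the way
# real dictionaries use wildcards to cover minor variants of one virus.
DICTIONARY = [
    Signature("Demo.Exact", re.escape(b"INFECT:key=AAAA;jmp_host")),
    Signature("Demo.Masked", rb"INFECT:key=....;jmp_host"),
]

# Constructed sample files: a clean host program and three copies with an
# appended "virus" body (an appending virus attaches itself after the host).
HOST = b"MZ\x90\x00 hello-world program body "
VIRUS = b"INFECT:key=AAAA;jmp_host"
SAMPLES: Dict[str, bytes] = {
    "clean.exe": HOST,
    "infected.exe": HOST + VIRUS,
    "variant.exe": HOST + b"INFECT:key=Q7z2;jmp_host",        # only the key changed
    "encoded.exe": HOST + bytes(b ^ 0x5A for b in VIRUS),   # whole body XOR-encoded
}


def scan(data: bytes) -> List[Tuple[str, int, int]]:
    """Return (signature name, start, end) for every dictionary hit in data."""
    hits = []
    for sig in DICTIONARY:
        for m in re.finditer(sig.pattern, data, re.DOTALL):
            hits.append((sig.name, m.start(), m.end()))
    return hits


def disinfect(data: bytes, hits: List[Tuple[str, int, int]]) -> bytes:
    """'Repair' for an appending virus: cut out every byte covered by a hit.
    Overlapping hits (two signatures on the same bytes) are merged first."""
    cut = bytearray(len(data))
    for _, start, end in hits:
        for i in range(start, end):
            cut[i] = 1
    return bytes(b for b, c in zip(data, cut) if not c)


class Scanner:
    """Applies one of the three actions the dictionary approach allows."""

    def __init__(self, policy: str = "repair"):
        assert policy in ("repair", "quarantine", "delete")
        self.policy = policy
        self.quarantine: Dict[str, bytes] = {}  # held where other programs cannot run it

    def handle(self, name: str, data: bytes) -> Tuple[str, Optional[bytes]]:
        hits = scan(data)
        if not hits:
            return "clean", data
        if self.policy == "repair":
            return "repaired", disinfect(data, hits)
        if self.policy == "quarantine":
            self.quarantine[name] = data
            return "quarantined", None
        return "deleted", None


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, [h[0] for h in scan(data)] or "no match")
    # encoded.exe matches nothing until someone adds a new entry: that is the
    # update treadmill the dictionary approach imposes on vendors and users.
```

Repair here simply cuts the matched bytes out of the file, which is only correct for a virus that appends itself without altering the host; real disinfectors need per-family logic, which is why quarantine is the safer default when repair is uncertain.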
SUSPICIOUS BEHAVIOUR The suspicious behaviour approach, by contrast, does not attempt to identify known viruses but instead monitors the behaviour of all programs. If a program tries to write data into an executable file, for example, the antivirus software can flag this as suspicious, alert the user and ask what to do. Unlike the dictionary approach, the suspicious behaviour approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionary. However, it also raises a large number of false positives, and users become desensitised to the warnings. If the user clicks "Accept" on every such warning, the antivirus software gives that user no benefit at all. This problem has worsened since 1997, because many legitimate programs (installers, updaters, compilers) began modifying other executable files without regard to this false-positive issue. Most modern antivirus software therefore uses this technique less and less on its own, and combines it with allowlists of known-good programs.
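An added example (not from the presentation) of the behaviour rule above, run over a constructed event trace rather than real telemetry. It shows the three outcomes the text describes: the naive "writes to an executable" rule catches the one program behaving like a file infector but also flags an installer and a compiler; an allowlist of trusted image names removes those false positives; and a user who accepts every prompt gets no protection. The process names and paths are invented for the demonstration.

```python
"""Behaviour monitoring, as an added example.

The event trace is constructed for the demonstration; it is not real telemetry.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Event:
    process: str  # image name of the acting process
    op: str       # "open", "write", "exec" or "net"
    target: str   # file (or address) acted upon


EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".com", ".scr")

# Constructed trace. photo.scr is the one program behaving like a file
# infector; setup.exe and cl.exe write executables for legitimate reasons.
TRACE: List[Event] = [
    Event("notepad.exe", "write", r"C:\Users\a\notes.txt"),
    Event("calc.exe", "open", r"C:\Windows\System32\kernel32.dll"),
    Event("photo.scr", "write", r"C:\Windows\System32\calc.exe"),
    Event("photo.scr", "write", r"C:\Program Files\Tools\viewer.exe"),
    Event("setup.exe", "write", r"C:\Program Files\Tools\tool.exe"),  # installer
    Event("cl.exe", "write", r"C:\build\app.exe"),                    # compiler
]


def suspicious(ev: Event) -> bool:
    """The rule from the text: a program writing into an executable file."""
    return ev.op == "write" and ev.target.lower().endswith(EXECUTABLE_EXT)


def enforce(
    trace: List[Event],
    trusted: FrozenSet[str] = frozenset(),
    user_allows: Callable[[Event], bool] = lambda ev: False,
) -> Tuple[List[Event], int]:
    """Run the monitor over a trace.

    trusted:     image names whose executable writes are accepted without a
                 prompt (the usual way vendors cut false positives).
    user_allows: the user's answer when prompted; True means "Accept".
    Returns (blocked events, number of prompts the user saw).
    """
    blocked, prompted = [], 0
    for ev in trace:
        if not suspicious(ev) or ev.process.lower() in trusted:
            continue
        prompted += 1
        if not user_allows(ev):
            blocked.append(ev)
    return blocked, prompted


def false_positives(blocked: List[Event], benign: FrozenSet[str]) -> List[Event]:
    """Blocked events whose process is known (for this demo) to be benign."""
    return [ev for ev in blocked if ev.process.lower() in benign]


if __name__ == "__main__":
    benign = frozenset({"setup.exe", "cl.exe"})
    naive, n = enforce(TRACE)
    print(f"naive rule: {len(naive)} blocked, {n} prompts, "
          f"{len(false_positives(naive, benign))} false positives")
    tuned, n = enforce(TRACE, trusted=benign)
    print(f"with allowlist: {len(tuned)} blocked, {n} prompts")
    accepted, n = enforce(TRACE, user_allows=lambda ev: True)
    print(f"user accepts everything: {len(accepted)} blocked, {n} prompts")
```

The allowlist is keyed on the image name only, which is exactly what a virus would imitate by calling itself setup.exe; a production monitor ties trust to a code signature or file hash, not a name, and that is one reason the behavioural approach never became a complete answer on its own.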
ISSUES OF CONCERN <ul><li>The regular appearance of new malware is certainly in the financial interest of vendors of commercial antivirus software, but there is no evidence of collusion. </li></ul><ul><li>Some antivirus software can considerably reduce performance. Users may disable the protection to recover that performance, which increases the risk of infection. For maximum protection the antivirus software needs to be enabled all the time, often at the cost of slower performance. </li></ul><ul><li>One should not have more than one memory-resident antivirus product installed on a single computer at any given time. Two resident scanners intercept the same file operations and can treat each other's activity as suspicious, which can leave the computer crippled. </li></ul>
(cont.) <ul><li>It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or graphics card drivers, since active antivirus protection may partially or completely block the installation. The protection should be re-enabled as soon as the installation completes. </li></ul><ul><li>When purchasing antivirus software, the agreement may include a clause that the subscription will be automatically renewed, and the purchaser's credit card automatically billed, at renewal time without explicit approval. </li></ul><ul><li>Some commercial antivirus programs contain adware. </li></ul><ul><li>Even the most widely used antivirus programs often fail to detect newly created viruses until a signature for them has been issued. </li></ul><ul><li>Antivirus manufacturers have been criticised for fear-mongering by exaggerating the risk that viruses pose to consumers. </li></ul>