Tech Tip: Advanced viruses may elude detection
Jonathan Yarden
Many IT pros feel helpless in the battle against the constant barrage of worms and viruses. When using antivirus software, the general rule is to update automatically or download the latest virus definitions at regular intervals. But the problem with antivirus software is that it only offers protection for known viruses; therefore, the software is only effective when it can detect specific patterns in viruses and worms. But someday this may not be possible.
The people who find and categorize malicious code rely on their ability to understand it and locate a "signature" that identifies it. That signature then goes into a list of other signatures used to identify malicious code. This is how most antivirus software works, and the key to its success is whether a "signature" can be located at all. For example, last year's discovery of the Datom.A worm suggested that "signature" methods for detecting, and subsequently protecting computers from, certain kinds of malicious code are becoming less effective.
There are two basic classes of malicious code: scripts and native executable code. It's easier to protect against scripted worms, such as the VBScript worms that circulate regularly, because it's usually possible to run an application script that will control or disable it.
This isn't the case when dealing with native executable or compiled viruses and worms. Many of these are written in C or in an assembly language and compiled to machine code, the native instructions of the microprocessor, and people who can write malicious code at that level are extremely competent programmers.
That's also why antivirus companies employ people who can reverse-engineer or "disassemble" malicious code and know how to identify it. There has always been an "arms race" of sorts going on between the virus authors and the antivirus companies. It's become a game of one-upmanship with the virus and worm authors using advanced methods to avoid detection.
The troubling part is when worms use data encryption to protect themselves. Malicious code using data encryption makes it more difficult to understand the "purpose" of the virus or worm.
Virus writers will continue to use more advanced programming techniques in the future. Techniques such as self-modifying executable code (often referred to as polymorphism) coupled with data encryption will make it virtually impossible for antivirus software to detect any malicious code.
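To make the signature method and its limit concrete, here is a small added example (not code from the article): a scanner whose signatures are hex patterns with `??` wildcard bytes, in the style of common scanner signature formats. It shows a fixed signature catching only the one sample it was written for, a wildcard signature still catching copies whose middle bytes vary, and nothing catching a copy in which no invariant bytes remain. Every signature and sample below is constructed for illustration.

```python
"""Minimal byte-signature scanner: '??' in a hex pattern matches any one byte,
so a signature can pin down the invariant part of a sample while ignoring
bytes that differ between copies. All signatures and samples are constructed."""
from __future__ import annotations
import re

# Constructed signature list: name -> hex pattern ("??" = any single byte).
SIGNATURES = {
    "fixed-sample-a": "4d5a9000dead01beef",     # every byte fixed
    "variant-family": "4d5a9000??????beef",     # invariant head and tail only
}

def compile_signature(hex_pattern: str) -> re.Pattern[bytes]:
    """Turn 'de??ad' into a bytes regex: fixed bytes are escaped, '??' becomes '.'."""
    tokens = re.findall(r"\?\?|[0-9a-fA-F]{2}", hex_pattern)
    if "".join(tokens) != hex_pattern:
        raise ValueError(f"bad signature: {hex_pattern!r}")
    parts = [b"." if t == "??" else re.escape(bytes.fromhex(t)) for t in tokens]
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: '.' matches 0x0a too

COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

def scan(sample: bytes) -> list[str]:
    """Return the names of every signature that matches anywhere in the sample."""
    return [name for name, rx in COMPILED.items() if rx.search(sample)]

# Constructed samples. ORIGINAL is the copy the fixed signature was written from;
# VARIANT_1/2 keep the same head and tail but differ in the middle bytes, which is
# how a polymorphic copy looks to a byte-level scanner; NO_INVARIANT shares nothing.
HEAD, TAIL = bytes.fromhex("4d5a9000"), bytes.fromhex("beef")
ORIGINAL = HEAD + bytes.fromhex("dead01") + TAIL
VARIANT_1 = HEAD + bytes.fromhex("010203") + TAIL
VARIANT_2 = HEAD + bytes.fromhex("a1b2c3") + TAIL
NO_INVARIANT = bytes.fromhex("90909090") + bytes.fromhex("dead01") + bytes.fromhex("cafe")

if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL), ("variant 1", VARIANT_1),
                          ("variant 2", VARIANT_2), ("no invariant", NO_INVARIANT)]:
        print(f"{label:13s} -> {scan(sample) or 'no match'}")
```

The last sample is the situation the article warns about: once a variant leaves no stable byte sequence to match on, a signature list has nothing to hold, and detection has to move to behaviour or to the platform itself.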
While no one can predict what the next big worm, virus, or Trojan horse is going to look like--given that malicious code authors are always one step ahead of the antivirus researchers--it's a sure bet that virus authors working with advanced viruses and other malicious code will use methods such as data encryption and polymorphism to elude detection.
In the future, we can expect that the ability to protect computers against viruses will need to address the design of the operating system and microprocessors. And while keeping antivirus software up to date is our best defense now, something will come along to prove that method wrong. Honestly, it's just a matter of time.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.