This is the text of the lecture presented in Boston (USA)
on 21st September 1995 at the 5th International Conference VB-95
(Virus Bulletin - 95), 20-22 September 1995
------------------------------------------------------------


           MODERN METHODS OF DETECTING AND ERADICATING
                    KNOWN AND UNKNOWN VIRUSES

                       Dr. Dmitry Mostovoy

DialogueScience, Inc.
Computing Center of the Russian Academy of Sciences,
40 Vavilova Street, Moscow, 117967, Russia
E-mail: dmost@dials.msk.su


                            Abstract

    Viruses are growing in number from day to day, so it is obvious
    that soon anti-virus programs like NAV or MSAV will not be quite
    efficacious.  Therefore, we started designing a program that would
    annihilate not individual infectors but viruses in general,
    regardless of whether a virus is known or not, or whether it is
    old or new.

    The first outcome of our efforts in this direction, ADinf
    (Advanced Diskinfoscope), is a forecasting center which alerts
    the user in advance, with great reliability, to the intrusion of
    viruses, even hitherto unknown infectors.  As distinct from all
    other data integrity checkers, ADinf inspects a disk by scanning
    the sectors one by one via direct addressing of the BIOS, without
    the assistance of the operating system, and takes all vital parts
    of the hard disk under check.  Evading such a detection tactic is
    almost impossible.

    ADinf alerts the user in time about virus intrusion and restores
    infected boot sectors.  How can infected files be restored
    automatically?  Our next step was to produce a curing companion
    to ADinf.  The new tool, ADinf Cure Module, deploys a novel
    strategy.  Paradoxically, ninety-seven percent of the viruses in
    our collection fall into a few standard groups by the type of
    infection method.  New viruses are, as a rule, designed on one of
    these common infection principles, and therefore ADinf Cure
    Module will also be about 97% efficient in its performance in the
    future.

    ADinf and ADinf Cure Module are parts of the DialogueScience
    anti-virus kit, the most popular anti-virus in Russia.



                       INTEGRITY CHECKING

  The basic classes of anti-virus programs are well known: they are
scanners/removers, monitors, and vaccines.  I would like to discuss the
development of programs to which, in my opinion, anti-virus designers
pay undeservedly little attention.  This class of anti-virus programs is
known as "integrity checkers", though the name does not fully
characterize the policy of these programs, which we describe below.
This is the only class of purely software means of anti-virus
protection which permits the detection of known and unknown viruses
with reliability approaching 100% and the eradication of up to 97% of
file infectors, even new, hitherto unknown viruses.

  The operation of integrity checkers is based on a simple fact: even
though it is impossible to know all information about a potentially
infinite number of viruses, it is quite possible to store a finite
volume of information about each logical drive on the disk and to
detect virus infection from the changes that have taken place in files
and system areas of the disk.  As already mentioned, the name "integrity
checker" does not fully reflect the essence of these programs.
Infection techniques are not restricted to a simple modification of the
program code.  Other paths for infection either already exist or are
also possible; for example, companion viruses [1].  A disk can be
corrupted by restructuring the directory tree, say, by renaming the
directories and creating new directories, and by other such
manipulations.  Consequently, to provide reliable protection, integrity
checkers must take care of far more parameters than the mere changes in
the size and CRC of files, as is done by most programs of this class.
Thus, the master boot record (MBR) and the boot sectors of logical
drives, the list of bad clusters, the directory tree structure, the
free memory size, the CRC of the Int 13h handler in the BIOS and even
the Hard Disk Parameter Tables must all be under the control of
integrity checkers.  Changes in the size and CRC of files, creation of
new files and directories, and removal of old files and directories are
obviously objects for strict control.  A designer of an integrity
checker must be one step ahead of virus designers and block every
possible loophole for parasite intrusion.

  Despite the large amount of controlled information, an integrity
checker must nonetheless be user-friendly, simple in usage, and quick in
checking disks.  It must at the same time be user-customizable as regards
the level of messages displayed about the changes that have occurred on
the disk, and be capable of conducting a preliminary analysis of the
changes, particularly of suspicious modifications such as

  - changes in the size and CRC of files without any change in the
    datestamp,

  - illegal values of hours, minutes or seconds in the datestamp of
    infected files (for example, 62 seconds),

  - a year greater than the current year (certain viruses mark infected
    files by increasing the year of creation by 100 years, which cannot be
    detected visually because the "dir" command only displays the last
    two figures of the year),

  - any changes in files specified in the "stable" list,

  - a change in the master boot record or a boot sector,

  - the appearance of new bad clusters on the disk, and others.
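The preliminary analysis of changes listed above, as an added example that is not ADinf's own code. It works on per-file records of the kind an integrity checker keeps (size, CRC and DOS-packed time and date); the record layout, the function names and the sample records are assumptions made here.

```python
import zlib

# Added example, not ADinf's own code: the preliminary analysis of changes
# described above, run over per-file records of the kind an integrity checker
# keeps. DOS packs a time as 5 bits hours, 6 bits minutes, 5 bits seconds/2,
# and a date as 7 bits year-1980, 4 bits month, 5 bits day. The record
# layout and function names are assumptions made for this example.

def decode_dos_time(t):
    return (t >> 11) & 0x1F, (t >> 5) & 0x3F, (t & 0x1F) * 2

def decode_dos_date(d):
    return 1980 + ((d >> 9) & 0x7F), (d >> 5) & 0x0F, d & 0x1F

def record(name, data, time, date):
    """What the checker stores for one file at installation or on its last run."""
    return {"name": name, "size": len(data), "crc": zlib.crc32(data),
            "time": time, "date": date}

def analyse_change(stored, current, stable, current_year):
    """Return the suspicious findings for one file. stable: the set of names on
    the user's 'stable' list, which must never change."""
    findings = []
    changed = (stored["size"], stored["crc"]) != (current["size"], current["crc"])
    same_stamp = (stored["time"], stored["date"]) == (current["time"], current["date"])
    if changed and same_stamp:
        findings.append("size/CRC changed without any change in datestamp")
    h, m, s = decode_dos_time(current["time"])
    if h > 23 or m > 59 or s > 59:           # e.g. 62 seconds
        findings.append("illegal time in datestamp: %02d:%02d:%02d" % (h, m, s))
    year = decode_dos_date(current["date"])[0]
    if year > current_year:                   # e.g. year of creation + 100
        findings.append("datestamp year %d is greater than the current year" % year)
    if changed and current["name"] in stable:
        findings.append("file on the stable list has changed")
    return findings

# Constructed records: COMMAND.COM grew by 1536 bytes. One infector kept the
# datestamp; another marked the file with 62 seconds and a year 100 ahead.
CLEAN = record("COMMAND.COM", b"\xe9\x00\x01" + bytes(1000), 0x6000, 0x1F35)   # 12:00:00, 1995-09-21
SAME_STAMP = record("COMMAND.COM", b"\xe9\x00\x07" + bytes(2536), 0x6000, 0x1F35)
MARKED = record("COMMAND.COM", b"\xe9\x00\x07" + bytes(2536), 0x601F, 0xE735)  # 12:00:62, 2095-09-21
```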

  Let us now discuss the main problems faced by designers of integrity
checkers.  The first is the dodging ability of viruses based on a
stealth mechanism.  Integrity checkers that rely on operating system
tools for their scanning are absolutely helpless against this class of
viruses.  They have stimulated the development of an integrity checker
that checks disks by reading the sectors via direct addressing through
the BIOS.  Under such a scanning technique a stealth virus cannot hide
the change in an infected file's size; on the contrary, the stealth
mechanism betrays the presence of known and hitherto unknown stealth
viruses through the discrepancy between the information given out by
DOS and the information obtained by reading via the BIOS.  Such
algorithms have been created and successfully detect the appearance of
stealth viruses.
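The DOS-versus-BIOS comparison described above, as an added example that is not ADinf's own code. On the original hardware the directory sector would be read through INT 13h; here it is a constructed byte string holding standard 32-byte FAT directory entries, and the "DOS view" dictionary stands in for what the DOS directory calls return. Function names and sample values are assumptions made for this example.

```python
import struct

# Added example, not ADinf's own code: catch an active stealth virus by
# comparing what DOS reports for a file with what the directory sector
# itself contains when read directly (constructed here, via INT 13h on a
# real machine). A FAT directory entry is 32 bytes, little-endian:
# name(8) ext(3) attr(1) reserved(10) time(2) date(2) first cluster(2) size(4).
DIR_ENTRY = struct.Struct("<8s3sB10sHHHI")

def parse_directory_sector(sector):
    """Yield (name, time, date, size) for every live file entry in a raw sector."""
    for off in range(0, len(sector) - DIR_ENTRY.size + 1, DIR_ENTRY.size):
        name, ext, attr, _, time, date, _, size = DIR_ENTRY.unpack_from(sector, off)
        if name[0] == 0x00:                   # 0x00 marks the end of the directory
            break
        if name[0] == 0xE5 or attr & 0x18:    # deleted entry, volume label or directory
            continue
        full = name.decode("ascii").rstrip()
        if ext.strip():
            full += "." + ext.decode("ascii").rstrip()
        yield full, time, date, size

def find_stealth_discrepancies(dos_view, sector):
    """dos_view: {name: (time, date, size)} as handed out by DOS directory calls.
    Returns the files whose BIOS-read entry disagrees with what DOS shows."""
    suspicious = {}
    for name, time, date, size in parse_directory_sector(sector):
        dos = dos_view.get(name)
        if dos is None:
            suspicious[name] = "present in the directory sector, hidden from DOS"
        elif dos != (time, date, size):
            suspicious[name] = "DOS reports %r, directory sector holds %r" % (dos, (time, date, size))
    return suspicious

def entry(name, ext, attr, time, date, cluster, size):
    """Build one raw directory entry (constructed sample data)."""
    return DIR_ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(), attr,
                          bytes(10), time, date, cluster, size)

# Constructed directory sector: COMMAND.COM grew by 1536 bytes on disk while an
# active stealth virus still hands DOS the original size and datestamp.
SECTOR = (entry("COMMAND", "COM", 0x20, 0x6000, 0x1F35, 2, 54645 + 1536)
          + entry("AUTOEXEC", "BAT", 0x20, 0x6000, 0x1F35, 9, 120)
          + bytes(512 - 2 * DIR_ENTRY.size))
DOS_VIEW = {"COMMAND.COM": (0x6000, 0x1F35, 54645), "AUTOEXEC.BAT": (0x6000, 0x1F35, 120)}
```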

  Scanning a disk by reading the sectors via direct addressing of the
BIOS has one more important merit which is often overlooked.  If a
computer is infected by a so-called "fast infector" [1], i.e., a virus
that infects files not only when they are started but also when they are
opened, such an integrity checker will not spread the infection to all
files on the disk, because it does not address the operating system at
all when reading a disk by sectors and uses an independent file-opening
mechanism, so the virus never gets control.

  Finally, an integrity checker utilizing direct reading of sectors
checks a disk twice as fast as any other program that relies on the
operating system tools, because a disk scan algorithm can be created
that reads each sector only once and optimizes the head movements.

  Disk handling via the BIOS has its own hurdles.  The foremost problem
is compatibility with the innumerable diversity of hardware and
software, including disk compactors (Stacker, DoubleSpace), specialized
drivers for accessing large disks (Disk Manager), SCSI disk drivers,
etc.  Furthermore, there are many MS-DOS compatible operating systems
that have imperceptible but quite important peculiarities in
partitioning logical drives.  Integrity checkers must pay due attention
to these fine points.


                    VIRUS REMOVAL TECHNIQUES

    Modern integrity checkers are useful not only in detecting
infection but are also capable of removing viruses immediately, with
the help of the information they retrieve from an uninfected machine at
the time of installation.  An integrity checker can kill known viruses
as well as viruses which were unknown at the time the integrity checker
was created.

  How is this done?  The methods for removing viruses from the master
boot record and boot sectors are obvious.  The integrity checker stores
images of the uninfected boot sectors in its tables and in case of
damage can instantly restore them.  The only restrictions are that the
restoration must also be effected via direct addressing of the BIOS,
and that after restoration the system must be rebooted immediately, in
order to prevent the active virus from reinjecting the infection while
the disk is accessed via INT 13h.

  Removal of file viruses is based on a surprising fact, namely that
despite the vast number of diverse viruses, there are only a few
techniques by which a virus is injected into a file.  Here we only
briefly outline the file restoration strategy.  Figure 1 shows a
schematic diagram of a usual EXE file.

  For each file the integrity checker keeps the header (area 1), the
relocation table (area 2) and the code at the entry point (area 4).
Strings (area 3 and area 5) are vital because they are the keys to
identifying the mutual locations of the various areas in an infected
file when a virus writes its tail not at the end of the file but at its
beginning or in the file body (after the relocation table or at the
entry point).  In an infected file, after determining the area that
coincides with the imaged areas in the table, the displacement of a
block (for example, the block for area 3 begins at the end of area 2
and ends at the beginning of area 4) can be identified by the position
of string 3, and the block can thus be moved back to its original
location.

               +-------------------------------+
               |          EXE-header           |  1
               +-------------------------------+
               |       Relocation table        |  2
               +-------------------------------+
               |                               |  3
               |             Code              |
               |- - - - - - - - - - - - - - - -|
               |  Entry point ---------------> |  4
               |- - - - - - - - - - - - - - - -|
               |                               |  5
               +-------------------------------+
               |   Debug information or        |  6
               |   overlays                    |
               +-------------------------------+

                            Fig.1


  The image of area 6 takes about 3-4 Kb and is essential in recovering
a file corrupted by viruses which damage the debug information and
overlays in the course of a defective infection.

  Thus, a file is recovered by reinstating its original state: the image
of its structure stored in the integrity checker's tables is written
over the infected file.  Consequently, knowledge of which virus infected
the file is not mandatory.

  The tables containing the information necessary for recovering files
take about 200-450 Kb for one logical drive.  The table size can be cut
down to 90 Kb if the user decides not to save the relocation
information, and in most cases this will have no perceptible influence
on the quality of recovery.
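The file restoration strategy of Fig. 1 and the surrounding paragraphs (imaged areas 1, 2, 4 and 6, key strings for areas 3 and 5, blocks moved back by their displacement), as an added example that is not ADinf Cure Module's own code. The table format, area names, the constructed EXE-like sample file and the infection that inserts a body after the relocation table are all assumptions made here.

```python
import zlib

# Added example, not ADinf's own code: a simplified model of the EXE restoration
# strategy described above. The table stores images of the header (area 1),
# relocation table (area 2) and entry-point code (area 4), the leading bytes of
# areas 3 and 5 as key strings, up to 4 Kb of area 6, and the clean layout.
# Area names, the table format and the sample file are constructed here.
KEY_LEN = 16

def build_table(clean, layout):
    """layout: {area: (offset, length)} of the clean file, areas 1..6 in order."""
    img = {a: clean[layout[a][0]:layout[a][0] + layout[a][1]] for a in ("header", "reloc", "entry")}
    off, ln = layout["overlay"]
    img["overlay"] = clean[off:off + min(ln, 4096)]              # "about 3-4 Kb"
    key = {a: clean[layout[a][0]:layout[a][0] + KEY_LEN] for a in ("code", "tail")}
    return {"layout": layout, "size": len(clean), "crc": zlib.crc32(clean), "image": img, "key": key}

def restore(infected, table):
    """Rebuild the original file; which virus infected it need not be known."""
    lay, out = table["layout"], bytearray(table["size"])
    for a, image in table["image"].items():                # areas imaged in the table
        out[lay[a][0]:lay[a][0] + len(image)] = image
    cursor = lay["reloc"][0] + lay["reloc"][1]             # displaced blocks lie after area 2
    for a in ("code", "tail"):                             # areas found by their key string
        off, ln = lay[a]
        pos = infected.find(table["key"][a], cursor)
        if pos < 0:
            raise ValueError("key string of area %r not found; cannot restore" % a)
        out[off:off + ln] = infected[pos:pos + ln]         # move the block back
        cursor = pos + ln
    off, ln = lay["overlay"]                               # rest of area 6 follows the tail
    done = len(table["image"]["overlay"])
    out[off + done:off + ln] = infected[cursor + done:cursor + ln]
    if zlib.crc32(out) != table["crc"]:
        raise ValueError("restored file does not match the stored CRC")
    return bytes(out)

def lay_out(parts):
    """Concatenate (area, bytes) pairs into a file and record each area's place."""
    layout, off = {}, 0
    for a, b in parts:
        layout[a], off = (off, len(b)), off + len(b)
    return b"".join(b for _, b in parts), layout

# Constructed clean EXE-like file; the infection writes a 64-byte body right after
# the relocation table and patches the header so that body runs first.
CLEAN, LAYOUT = lay_out([("header", b"MZ" + bytes(range(30))), ("reloc", bytes(range(64))),
                         ("code", b"area-3 code block: main routine" * 2),
                         ("entry", b"area-4 entry point code"), ("tail", b"area-5 code after entry"),
                         ("overlay", b"area-6 debug information or overlays")])
TABLE = build_table(CLEAN, LAYOUT)
END2 = LAYOUT["reloc"][0] + LAYOUT["reloc"][1]
INFECTED = b"MZ" + b"\xff" * 30 + CLEAN[32:END2] + b"\x90" * 64 + CLEAN[END2:]
```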


                           CONCLUSION

  Integrity checkers undoubtedly do not provide a panacea against
computer viruses.  Unfortunately, there is no such panacea, nor can
there be one.  But they are quite reliable protection utilities which
must be used jointly with other classes of anti-virus tools.  The
highlights of integrity checkers described above are all implemented in
the ADinf program, the most popular integrity checker in Russia.  It is
also known in Germany, where it is distributed on CD-ROM as a component
of the DialogueScience Anti-Virus Kit.  It checks a disk by reading its
sectors one by one, directly addressing the BIOS, and easily traps
active stealth viruses by comparing the information obtained through
the BIOS and through DOS.  It instantly restores up to 97% of files
corrupted by known and unknown viruses.


                           REFERENCES

  1. Vesselin Bontchev, "Possible Virus Attacks Against Integrity
     Programs And How To Prevent Them", Proc. 2nd Int. Virus Bulletin
     Conf., September 1992, pp. 131-141.

  2. D. Yu. Mostovoy, "A Method of Detecting and Eradicating Known and
     Unknown Viruses", IFIP Transactions, A-43, Security & Control of
     Information Technology in Society, February 1994, pp. 109-111.

