October 13, 2008 / technocrawl

How Anti-Virus Programs Work

Here is a simple example that demonstrates how an anti-virus program works.

Basically, an anti-virus program is at its simplest a search tool: it scans files for patterns (signatures) that its virus definitions associate with known malware. A signature can be as small as a distinctive string, for example a function name or variable name used in a known malicious program. If the scanner finds a match it flags the file as that malware and then blocks, deletes or quarantines it; exactly what happens next differs between anti-virus products.

For this I will take the “WindowBomb” source code and explain how anti-virus software hunts for it.

Here is the source code for WindowBomb. (WindowBomb is not a particularly harmful program and does not replicate itself, so strictly speaking it does not fall into the category of virus.)


Just type it into a Notepad file, save it as a .htm or .html file and then scan it with an anti-virus program: it will be detected as malware (I am not sure whether all anti-virus programs detect it). Kaspersky Internet Security 2009 detects this file as a Trojan, because it finds the string “WindowBomb”, which is already in its virus definitions.
Here is the POC, where KIS detected WindowBomb as a Trojan.

WindowBomb POC

What can I do to make my virus undetected by anti-virus?

In this scenario the word “WindowBomb” is the key term that the anti-virus (KIS) uses to detect this malware, so you can make the file undetectable by that signature simply by editing the function name from “WindowBomb” to some other name such as “func”.
Likewise you can use a hex editor to modify the bytes of any malicious file so that an exact-match signature no longer matches. Note that this only defeats a signature that happens to cover the bytes you changed; a signature taken from another part of the file, or a rule that looks at what the code does rather than what it is called, will still catch it.

Do all anti-virus programs hunt for malware just by searching for terms?
Well, this is the case with all AV products, since signature matching is the prime technique they implement, but on the other hand an AV also has other techniques that can inspect the box for malware.
“Anomaly-based hunting” (heuristic detection) is another technique an AV uses to hunt for malware.
The AV suspects a file of being a virus based upon anomalies in it, and the rules describing those anomalies are included in the AV's definitions as well.
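The following is an added example, not code from the original post and not a copy of any real anti-virus engine. It is a toy scanner in Python that does what the post describes: a signature check that keys on the string “WindowBomb” (the detection name, the heuristic verdict name and the heuristic rule are all assumptions made for illustration), run against constructed placeholder files: the original name, the renamed function from the post, a single-byte hex-editor change, and a harmless page that merely mentions the name. It shows that renaming or byte-patching defeats the signature, that a behaviour rule (an unbounded loop calling window.open) survives both, and that a one-word signature also produces a false positive.

```python
"""Toy scanner contrasting signature matching with a heuristic rule.

Added example, not code from the original post and not how any real AV
product is built. The sample "files" below are constructed placeholders
that carry only the function name WindowBomb and a window.open() loop; the
signature name, the heuristic verdict name and the rule itself are
assumptions made for illustration.
"""
import re

# Constructed definition database: pattern -> detection name. A real product
# stores byte sequences; an identifier such as a function name is just a
# short byte sequence, which is what the KIS detection in the post keyed on.
SIGNATURES = {
    b"WindowBomb": "HTML.WindowBomb",  # detection name is assumed
}

# Heuristic rule (assumed): window.open() inside a loop with no exit
# condition. It keys on behaviour, so renaming the function does not evade it.
UNBOUNDED_OPEN_LOOP = re.compile(
    rb"while\s*\(\s*(?:true|1)\s*\)\s*\{[^}]*window\.open\s*\(", re.S
)


def signature_scan(data: bytes):
    """Return the detection name of the first signature found in data, else None."""
    for pattern, name in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def heuristic_scan(data: bytes):
    """Return a heuristic verdict if data contains an unbounded window.open loop."""
    if UNBOUNDED_OPEN_LOOP.search(data):
        return "Heur.WindowFlood"  # verdict name is assumed
    return None


def scan(data: bytes):
    """Signature match first, heuristic second; None means the file is clean."""
    return signature_scan(data) or heuristic_scan(data)


# Constructed placeholder standing in for the file the post scanned.
ORIGINAL = b"""<html><script>
function WindowBomb() {
  while (true) { window.open("about:blank"); }
}
WindowBomb();
</script></html>"""

# The evasion from the post: rename the function.
RENAMED = ORIGINAL.replace(b"WindowBomb", b"func")

# A hex-editor style edit: one byte changed inside the identifier.
HEX_EDITED = ORIGINAL.replace(b"WindowBomb", b"WindovBomb")

# A harmless page that merely mentions the name; the one-word signature
# still fires, which is the false-positive cost of such a short signature.
BENIGN = b"<html><p>Notes on the WindowBomb detection</p></html>"

if __name__ == "__main__":
    samples = [("original", ORIGINAL), ("renamed", RENAMED),
               ("hex-edited", HEX_EDITED), ("benign", BENIGN)]
    for label, sample in samples:
        print(f"{label:10s} signature={signature_scan(sample)!s:16s} "
              f"heuristic={heuristic_scan(sample)!s:16s} verdict={scan(sample)}")
```

Running the script prints one line per sample. The renamed and hex-edited files pass the signature check but are still caught by the behaviour rule, and the benign page is flagged by the signature alone, which is why real products pair signatures with heuristics rather than relying on a single string.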
