A light-hearted look at anti-virus and virus technologies

Author: xyzreg [E.S. T]
Source: evil baboons China

How can anti-virus software become more complete? How will virus technology develop in the future, and what breakthroughs will anti-virus technology make? These questions concern many people.
To answer them, it helps to briefly review the history and current state of viruses and anti-virus. Strictly speaking, what is commonly called a "virus" is known in academic circles as "malware" (malicious software), a term that covers viruses, Trojans, backdoors and worms. To follow common usage, this article uses "virus" to mean "malicious program", that is, virus in the broad sense.
Viruses were already rampant in the DOS era. Anti-virus at that time relied on signature (pattern) technology, the most basic anti-virus technique and still a standard method in anti-virus software. Anti-virus researchers analyze virus samples, extract representative code from them, and write it into the anti-virus software's virus database as a signature. When the scanner finds that code in a target file matches a signature in the database, it treats the file as infected and disinfects it. Later, guided by the idea that "things are generally interconnected", researchers created broad-spectrum signatures: because some viruses share common characteristics and are related to one another, analyzing the common features of one family yields a broad-spectrum signature string that detects and removes the whole family effectively and concisely.
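The two kinds of signature described above, as an added example that is not part of the original article: a scanner that compiles plain signatures and broad-spectrum signatures (with `??` standing for "any byte") into regular expressions over bytes and runs them over sample files. The signature strings, the signature names and the sample byte sequences are all constructed for this illustration and do not come from any real virus database.

```python
import re

# Constructed signatures (not from any real virus database).
# A plain signature is a fixed byte sequence; a broad-spectrum signature
# is a byte pattern in which "??" stands for any single byte, so one entry
# covers a whole family whose members differ only in those positions.
SIGNATURES = {
    "Demo.Exact": "b8 00 4c cd 21 90 90",
    "Demo.Family": "b8 ?? 4c cd 21 ?? ?? e8",
}


def compile_signature(pattern):
    """Turn a hex pattern with ?? wildcards into a compiled bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")  # wildcard: any one byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan(data):
    """Return the sorted names of every signature that occurs in data."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))


# Constructed sample files (DOS-style byte sequences, not real samples).
SAMPLE_A = bytes.fromhex("e9 00 00 b8 00 4c cd 21 90 90 e8 12 34")  # matches both
SAMPLE_B = bytes.fromhex("b8 01 4c cd 21 33 c0 e8 ab cd")           # family only
CLEAN = bytes.fromhex("55 8b ec 33 c0 5d c3")                       # no match


def scan_all():
    """Scan the constructed samples and return a name -> matches table."""
    return {
        "sample_a": scan(SAMPLE_A),
        "sample_b": scan(SAMPLE_B),
        "clean": scan(CLEAN),
    }


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name}: {hits or 'clean'}")
```

The broad-spectrum entry matches `SAMPLE_B` even though the exact signature does not, which is the whole point of extracting a family signature rather than one per variant.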
To improve their survivability and make it harder for anti-virus staff to analyze their code, virus writers next applied junk instructions (the "flower instructions" of the original text) to virus writing. What are junk instructions? They are code inserted into a virus that appears meaningless but does not prevent the program from running normally. When anti-virus researchers statically disassemble and analyze a virus, junk instructions can cause the virus's own code to be disassembled incorrectly, which makes it harder to analyze and kill. Ha, but anti-virus staff are no pushovers either! Junk instructions are no great obstacle: researchers only need to trace the virus dynamically to analyze it and find a way to kill it.
The struggle continued, and virus and anti-virus technologies kept developing. Next, viruses adopted polymorphism and metamorphism ("deformation") techniques. Polymorphism means that each time the virus infects another file it encrypts itself with a different key, so the code of every sample differs, and ordinary anti-virus software that relies only on signatures can do nothing but stare helplessly at the virus! The advance in virus technology in turn drove anti-virus technology forward: researchers developed the virtual machine method, also called emulation, which lets the software run the suspect program and analyze it in a virtual environment. Although files infected by a polymorphic virus show different patterns on disk, the encrypted code is decrypted in memory at run time and restored to its original, fixed form, so combining virtual machine technology with signature technology is enough to detect and kill the virus. No sooner had that wave subsided than virus technology advanced again and metamorphism appeared. Metamorphism is the highest level of virus encryption and goes well beyond polymorphism: with a metamorphic virus, even the code decrypted in memory at run time differs from sample to sample, achieving true transformation. This makes it hard for anti-virus staff to extract a signature, and therefore hard for anti-virus software to detect and kill such viruses.
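Why a signature scanner fails on polymorphic samples and how the "virtual machine" step recovers the invariant body, as an added example that is not part of the original article. The instruction set is a tiny constructed bytecode (three opcodes: set key, XOR a range, halt), the "virus body" is a constructed byte string, and the signature is a fixed sequence inside that body; none of this models any real virus or any real anti-virus engine.

```python
# Constructed invariant "virus body" and a signature taken from inside it.
BODY = b"\xb8\x00\x4c\xcd\x21\x90\x90"
SIGNATURE = b"\xcd\x21\x90\x90"

# Constructed toy bytecode used by the decryptor stub:
#   0x01 k        -> key = k
#   0x02 off n    -> mem[off .. off+n) ^= key   (self-modifying decrypt loop)
#   0x03          -> halt
STUB_LEN = 6  # the stub below is always six bytes, so the body starts at 6


def polymorphic_sample(key):
    """Model of one infection: a decryptor stub carrying key, then body XOR key.

    Every infection uses a different key, so the on-disk bytes differ each time.
    """
    stub = bytes([0x01, key, 0x02, STUB_LEN, len(BODY), 0x03])
    return stub + bytes(b ^ key for b in BODY)


def static_scan(data):
    """First-generation check: does the fixed signature appear in the file?"""
    return SIGNATURE in data


def emulate(data, max_steps=1000):
    """Model of the anti-virus 'virtual machine': execute the sample's own
    decryptor in a sandboxed memory image and return the resulting memory."""
    mem = bytearray(data)
    pc, key = 0, 0
    for _ in range(max_steps):
        if pc >= len(mem):
            break
        op = mem[pc]
        if op == 0x01:
            key = mem[pc + 1]
            pc += 2
        elif op == 0x02:
            off, n = mem[pc + 1], mem[pc + 2]
            for i in range(n):
                if off + i < len(mem):
                    mem[off + i] ^= key
            pc += 3
        else:
            break  # 0x03 halt, or an unknown opcode: stop emulating
    return bytes(mem)


def emulated_scan(data):
    """Third-generation check: emulate first, then apply the signature."""
    return static_scan(emulate(data))


if __name__ == "__main__":
    for key in (0x5A, 0xA7):
        s = polymorphic_sample(key)
        print(f"key {key:02x}: static={static_scan(s)} emulated={emulated_scan(s)}")
```

Two samples built with different keys share no signature bytes on disk, so `static_scan` misses both, while `emulated_scan` lets each sample's own stub undo the encryption and then finds the same invariant body. A metamorphic virus, as the paragraph above notes, would change `BODY` itself on every infection, and this trick would no longer be enough.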
With the spread of the network, Trojans and backdoors surged, and the techniques they use grew ever more powerful: "bounce port" (reverse connection), "HTTP tunnel" and "ICMP tunnel". When the bounce-port technique appeared it slipped past most firewalls; network firewalls then responded by restricting which applications may connect out from the local machine, which took much of the edge off the technique. Of course, clever Trojan writers now use the "DLL thread insertion" technique described below to get around such firewalls. Trojans using "ICMP tunnel" and "HTTP tunnel" techniques are more concealed and penetrate most firewalls. The "ICMP tunnel" technique carries the Trojan's traffic in ICMP_ECHO and ICMP_ECHOREPLY packets, so the Trojan needs no open port, which enhances its concealment. The "HTTP tunnel" technique exchanges data between the Trojan and its controller over the HTTP protocol, and because firewalls generally let HTTP traffic through, it can penetrate the firewall! To further enhance concealment, viruses adopt DLL thread insertion to run inside other processes, which greatly increases their stealth and makes them harder to detect and kill. Trojans combining "DLL thread insertion", "bounce port", "HTTP tunnel" and "ICMP tunnel" are therefore comparatively dangerous.
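A defender's-side heuristic for the ICMP tunnel described above, as an added example that is not part of the original article: a normal echo request carries a small, low-entropy payload, whereas a tunnel has to carry real data, which tends to be larger and higher-entropy. The code scores constructed echo payloads on size and Shannon entropy and reports sources that exceed the thresholds repeatedly. The packet list, the IP addresses and the thresholds are all constructed for the illustration, and real tunnels can of course pad or shape their payloads to look ordinary, so this is a first filter rather than a proof.

```python
import math
from collections import defaultdict


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_echo(payload, max_len=64, max_entropy=5.0):
    """Return the list of reasons an ICMP echo payload looks like a tunnel.

    Thresholds are illustrative (assumption): a plain ping payload is short
    and made of a repeating pattern, so it stays below both limits.
    """
    reasons = []
    if len(payload) > max_len:
        reasons.append("oversized payload")
    if shannon_entropy(payload) > max_entropy:
        reasons.append("high-entropy payload")
    return reasons


def flag_sources(packets, min_hits=3):
    """Count suspicious echoes per source and return sources at/above min_hits."""
    hits = defaultdict(int)
    for src, payload in packets:
        if classify_echo(payload):
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}


# Constructed payloads. The first mimics the 32-byte "abcdefghijklmnopqrstuvwabcdefghi"
# pattern a stock Windows ping sends; the second stands in for tunneled data.
NORMAL_PAYLOAD = bytes(range(0x61, 0x61 + 23)) + bytes(range(0x61, 0x61 + 9))
TUNNEL_PAYLOAD = bytes(range(128))

# Constructed capture: (source address, echo payload) pairs.
PACKETS = (
    [("10.0.0.5", NORMAL_PAYLOAD)] * 3
    + [("10.0.0.7", TUNNEL_PAYLOAD)] * 4
    + [("10.0.0.9", TUNNEL_PAYLOAD)]  # one oddity only: below min_hits
)


if __name__ == "__main__":
    print("normal:", classify_echo(NORMAL_PAYLOAD) or "ok")
    print("tunnel:", classify_echo(TUNNEL_PAYLOAD))
    print("flagged sources:", flag_sources(PACKETS))
```

Requiring several hits per source before reporting is what keeps a single unusual ping from producing an alert; the same trade-off between sensitivity and false positives reappears in the behaviour-detection discussion later in the article.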
With the public disclosure of Windows operating system vulnerabilities, worm technology also developed and innovated. Worms exploit vulnerabilities such as remote buffer overflows, which greatly enhances their ability to spread and their destructiveness. Well-known examples are the "Shockwave" (Blaster) and "Sasser" worms, both rendered as "shock wave" in the original translation.
It is also worth mentioning that viruses have innovated in how they are delivered: through web pages, e-mail, QQ/MSN and other instant-messaging tools. These are the web-page Trojans, e-mail Trojans and QQ/MSN "tail" worms that everyone is becoming familiar with. Viruses will diversify further in the future; the appearance of mobile-phone viruses proves this.
Virus technology changes with each passing day. Faced with this, anti-virus staff have to find effective methods for killing unknown viruses. Formal models of computer viruses were proposed as early as the beginning of the 1980s, proving that in current computer systems the question "is this program a virus?" is "undecidable". How, then, can anti-virus software kill as many unknown viruses as possible? Anti-virus researchers developed behaviour detection and heuristic scanning. Because damage is always done through behaviour, no matter how clever a virus is, some of its behaviour always differs from that of normal programs: a Trojan that steals passwords generally has to call certain fixed API functions, and a boot-sector virus inevitably hooks INT 13H. Anti-virus software only needs to monitor each program in real time to detect both known and unknown viruses. The advantage of behaviour detection is that it can catch viruses in advance; its disadvantage is a high false-positive rate. Heuristic scanning, on the other hand, disassembles the target program in a specific way, recognizes particular instruction sequences, analyzes their intent and decides whether the program is a virus. This technology is what makes anti-virus software "intelligent".
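The behaviour-detection idea and its false-positive problem, as an added example that is not part of the original article: a scorer that weighs the API calls seen in a process trace (for instance the keyboard-hook and remote-thread calls a password stealer or injector typically needs), adds a bonus for a suspicious combination, and flags a trace above a threshold. The Win32 API names are real, but the trace format, the weights, the threshold and the four traces are constructed for the illustration; a benign hotkey tool that also installs a keyboard hook shows how lowering the threshold buys sensitivity at the price of false positives.

```python
# Constructed indicator weights keyed by "API" or "API:argument" as they would
# appear in a simplified call trace. Weights are illustrative assumptions.
INDICATORS = {
    "SetWindowsHookEx:WH_KEYBOARD_LL": 3,  # low-level keyboard hook
    "GetAsyncKeyState": 3,                 # polling key state
    "WriteProcessMemory": 2,               # writing into another process
    "CreateRemoteThread": 3,               # starting code in another process
    "RegSetValueEx:Run": 2,                # Run-key persistence
    "send": 1,                             # network send
}

# Pairs that are far more telling together than apart (constructed bonus).
COMBOS = {
    frozenset({"WriteProcessMemory", "CreateRemoteThread"}): 3,
}

# Constructed per-process call traces (not captured from real software).
TRACES = {
    "keylogger_like": ["CreateFile", "SetWindowsHookEx:WH_KEYBOARD_LL",
                       "GetAsyncKeyState", "WriteFile", "send"],
    "injector_like": ["OpenProcess", "VirtualAllocEx",
                      "WriteProcessMemory", "CreateRemoteThread"],
    "hotkey_tool": ["SetWindowsHookEx:WH_KEYBOARD_LL", "WriteFile"],
    "updater": ["RegSetValueEx:Run", "send", "WriteFile"],
}


def score_trace(trace):
    """Sum indicator weights present in the trace, plus any combination bonus."""
    calls = set(trace)
    score = sum(w for api, w in INDICATORS.items() if api in calls)
    score += sum(bonus for combo, bonus in COMBOS.items() if combo <= calls)
    return score


def evaluate(traces, threshold=6):
    """Map each process name to (score, flagged) at the given threshold."""
    return {name: (score_trace(t), score_trace(t) >= threshold)
            for name, t in traces.items()}


def flagged(traces, threshold=6):
    """Sorted names of processes whose score reaches the threshold."""
    return sorted(n for n, (_, hit) in evaluate(traces, threshold).items() if hit)


if __name__ == "__main__":
    for thr in (6, 3):
        print(f"threshold {thr}: flagged {flagged(TRACES, thr)}")
```

At threshold 6 only the two suspicious traces are flagged; at threshold 3 the hotkey tool and the updater are flagged too, which is exactly the false-positive rate the paragraph above warns about.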
So far, anti-virus software has gone through four generations:
The first generation used pure signature detection to remove viruses from infected files. This method is accurate and reliable, but once viruses adopted encryption techniques such as polymorphism and metamorphism, simple static scanning was no longer sufficient. Typical products: kill, kv100, kv200, kv300, rising, early vrv and early avxx.
The second generation combined general heuristic scanning, signature detection and behaviour monitoring, and added a "virus firewall" for real-time dynamic monitoring of viruses. Typical products: the vrv anti-virus suite, the killxx editions and the kv3000 preview edition.
The third generation added virtual machine technology on top of the second, merging virus detection and removal into one. It has the capabilities needed for complete anti-virus, namely detection and removal of infected files, and, resident in memory, it effectively blocks virus intrusion.
Anti-virus software has now essentially entered its fourth generation. Building on the third generation and combining it with artificial-intelligence techniques, fourth-generation software implements heuristic, dynamic and intelligent detection and removal. It uses advanced technologies such as CRC checksum and scanning mechanisms, a heuristic intelligent code-analysis module, a dynamic data-restoration module (which can, to a degree, detect and kill packed viruses after unpacking), a memory anti-virus module and a self-immunity module (which prevents the software from exposing itself and from being forcibly disabled by a virus), effectively overcoming the weaknesses of earlier generations.
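The CRC checksum mechanism mentioned above in its simplest form, as an added example that is not part of the original article or of any product named there: record a CRC32 baseline of every file under a directory, then compare a later snapshot to report modified, added and missing files. The directory and its files are constructed in a temporary folder so the example runs offline; the file names and contents are placeholders.

```python
import os
import tempfile
import zlib


def crc32_file(path, chunk_size=65536):
    """CRC32 of a file, computed in chunks so large files are not read at once."""
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def baseline(root):
    """Map each file's path relative to root to its CRC32."""
    table = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            table[os.path.relpath(full, root)] = crc32_file(full)
    return table


def compare(root, table):
    """Compare the current state of root against a stored baseline table."""
    now = baseline(root)
    return {
        "modified": sorted(k for k in table if k in now and now[k] != table[k]),
        "added": sorted(set(now) - set(table)),
        "missing": sorted(set(table) - set(now)),
    }


def demo():
    """Build a constructed directory, baseline it, change it, and report."""
    with tempfile.TemporaryDirectory() as root:
        files = {"app.exe": b"MZ-placeholder-program",
                 "lib.dll": b"MZ-placeholder-library",
                 "readme.txt": b"hello"}
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        table = baseline(root)
        # Simulate an infection appending code to app.exe, a dropped file,
        # and a deleted file; all constructed.
        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b"-appended-bytes")
        with open(os.path.join(root, "dropped.dll"), "wb") as f:
            f.write(b"new")
        os.remove(os.path.join(root, "readme.txt"))
        return compare(root, table)


if __name__ == "__main__":
    print(demo())
```

CRC32 detects accidental and unsophisticated changes cheaply, which is what these modules used it for; it is not collision-resistant, so a current integrity checker would store a cryptographic hash (SHA-256) and keep the baseline where the checked system cannot rewrite it.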
In the future, anti-virus software will further develop and refine existing techniques such as heuristic scanning and virtual machines to strengthen them. It will combine further with AI-based virus analysis to achieve accurate detection and removal of unknown viruses (the research behind NAV's Bloodhound technology is one example); improve behaviour monitoring to reduce the false-positive rate; build more comprehensive, multi-layered monitoring and protection modules; integrate more tightly with the operating system and with system recovery and protection; strengthen the detection and removal of increasingly diverse viruses; and make the software easier to use, so that the general public can operate it without any information-security knowledge. Of course, many immature technologies are still under research, such as "fighting virus with virus" and "virus immunity", inspired by the way biological viruses are fought. Anti-virus experts may bring these to maturity in the future.
Virus technology changes with each passing day, and new viruses and techniques keep appearing, while anti-virus technology lags behind to some degree. Anti-virus manufacturers should therefore concentrate on researching anti-virus technology rather than on advertising gimmicks and exaggerated feature claims that mislead consumers.
Anti-virus vendors have a long way to go, and so does anti-virus technology. We sincerely hope they will use their technology to truly protect the information security of the majority of users!
