Diagnostic principle of the comparative method:
The comparison method compares the original (or known-normal) file with the file under examination.
The comparison may be made by length, by content, by memory image, by interrupt vectors, or by other properties.
Diagnostic principle of the checksum method:
A checksum is computed over the contents of a known-clean file and saved, either written into the file itself or written to a separate file. Later, at regular intervals or before each use of the file, the checksum of the file's current contents is recomputed and compared with the saved value; a mismatch shows that the file has been modified and may be infected. This is called the checksum method. Because it does not depend on signatures, it can detect both known and unknown viruses.
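The checksum method as an added example (not code from the original text), covering both storage variants named above together with the length comparison of the comparative method; the use of CRC-32 and the "CHK1" trailer layout are assumptions made for this example.

```python
import struct
import zlib

TRAILER_MAGIC = b"CHK1"   # constructed marker for a checksum record appended to the file

def crc32(data: bytes) -> int:
    """Checksum of the file contents; CRC-32 stands in for any stable checksum."""
    return zlib.crc32(data) & 0xFFFFFFFF

def seal(program: bytes) -> bytes:
    """Variant 1: write the checksum into the file itself (magic + 4-byte CRC trailer)."""
    return program + TRAILER_MAGIC + struct.pack("<I", crc32(program))

def verify_sealed(image: bytes) -> bool:
    """Recompute the checksum of everything before the trailer and compare it."""
    if len(image) < 8 or image[-8:-4] != TRAILER_MAGIC:
        return False                     # no usable record: cannot vouch for the file
    body, saved = image[:-8], struct.unpack("<I", image[-4:])[0]
    return crc32(body) == saved

def build_table(files: dict) -> dict:
    """Variant 2: a separate checksum file, recording length and CRC per program."""
    return {name: (len(data), crc32(data)) for name, data in files.items()}

def check_table(files: dict, table: dict) -> list:
    """Return the names whose current length or checksum differs from the baseline
    (or that have no baseline entry at all)."""
    return [name for name, data in files.items()
            if table.get(name) != (len(data), crc32(data))]

if __name__ == "__main__":
    # Constructed stand-in for a COM program: mov ax,4C00h / int 21h / padding
    com = b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 11
    sealed = seal(com)
    print(verify_sealed(sealed))                      # True: untouched
    print(verify_sealed(sealed + b"\xCD\x13" * 4))    # False: code appended after the trailer
    table = build_table({"HOST.COM": com})
    print(check_table({"HOST.COM": b"\xE9" + com[1:]}, table))   # ['HOST.COM']: same length, first byte patched
```

Storing the record inside the file is the weaker variant, since a virus that knows the trailer layout can recompute it; the separate checksum file is the one to prefer.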
Scanning method:
The scanning method searches the object under examination for specific strings taken from each virus body. If such a string is found inside the object, the virus represented by that string is considered found.
The scanning method includes the feature code scanning method and the feature word scanning method.
Feature code scanning method:
Virus scanning software consists of two parts: a virus code base, holding code strings specially selected from a variety of computer viruses, and a scanning program that searches for those strings using the code base. The number of viruses a scanner can recognize depends entirely on which viruses are represented in the virus code base.
Advantages:
1. The software is easy to operate; even people who know little about viruses can use it to discover them.
2. No special software is required.
3. It can identify the virus by name.
4. The false-positive rate is low.
5. Based on the detection result, disinfection can be carried out.
Disadvantages:
1. When files are large, scanning can take a very long time.
2. It is not easy to select a suitable feature string.
3. A new virus cannot be identified until its signature string has been added to the virus database.
4. When a virus mutates, the original feature string changes and the variant can no longer be identified.
5. It can still generate false positives.
6. Viruses built with a mutation engine are hard to identify.
7. Collecting the feature codes of known viruses is very expensive.
8. It is inefficient when used over a network.
Feature word scanning method:
This method is faster and produces fewer false positives, but it still shares some of the drawbacks of feature code scanning. Feature word scanning extracts only a few key feature words from the virus body to form a feature word set. Because far fewer bytes are processed and no string matching is needed, recognition is faster; and because it pays more attention to the "program activity" of the virus, the chance of false positives is reduced.
Both feature code and feature word scanning require constant expansion of the virus database. Maintaining and updating the virus code base requires considerable knowledge of viruses, DOS and the PC.
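Feature code versus feature word scanning as an added example, not code from the original text; the signature database and sample bytes are constructed for illustration and are not real virus signatures. Feature codes are searched as strings anywhere in the object, while feature words are compared byte-for-byte at fixed offsets from the entry point, following a leading near JMP the way an appending COM infector patches one.

```python
import struct

# Constructed signature database for illustration (not real virus signatures).
# Feature code: one contiguous byte string, searched anywhere in the object.
FEATURE_CODES = {
    "Sample.Alpha": bytes.fromhex("b4 4e cd 21 72 0b"),   # find-first file, jc on failure
    "Sample.Beta":  bytes.fromhex("b8 01 3d cd 21 93"),   # open file, keep the handle
}
# Feature word: a few short words at fixed offsets from the virus entry point,
# compared directly instead of searched, so far fewer bytes are touched.
FEATURE_WORDS = {
    "Sample.Alpha": [(0, bytes.fromhex("e8")), (6, bytes.fromhex("b4 4e"))],
    "Sample.Gamma": [(0, bytes.fromhex("fa")), (2, bytes.fromhex("cd 13"))],
}

def entry_offset(obj: bytes) -> int:
    """An appending COM infector patches a near JMP (E9 rel16) at the start of the
    host; follow it so feature words are checked where the virus body begins."""
    if len(obj) >= 3 and obj[0] == 0xE9:
        target = (3 + struct.unpack("<h", obj[1:3])[0]) & 0xFFFF
        if target < len(obj):
            return target
    return 0

def scan_feature_code(obj: bytes, db=FEATURE_CODES) -> list:
    """Return (name, offset) for every feature code found in the object."""
    hits = []
    for name, code in db.items():
        pos = obj.find(code)
        if pos != -1:
            hits.append((name, pos))
    return hits

def scan_feature_words(obj: bytes, db=FEATURE_WORDS) -> list:
    """Return the names whose feature words all match at their offsets from the entry."""
    base = entry_offset(obj)
    return [name for name, words in db.items()
            if all(obj[base + off:base + off + len(w)] == w for off, w in words)]

if __name__ == "__main__":
    host = b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 5               # constructed clean COM program
    body = b"\xE8\x00\x00\x00\x00\x00" + bytes.fromhex("b4 4e cd 21 72 0b")
    infected = b"\xE9\x07\x00" + host[3:] + body                # JMP to the appended body
    print(scan_feature_code(host), scan_feature_words(host))   # [] []
    print(scan_feature_code(infected), scan_feature_words(infected))
```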
Behavior detection method:
Detecting a virus by means of the peculiar behavioral characteristics of viruses is called the behavior detection method.
1. Occupying INT 13H: All boot-type viruses attack the boot sector or the master boot sector. When the system starts, the boot sector or master boot sector is executed before the rest of the system has been set up, so the only system service available to a boot virus at that point is INT 13H; other system functions are not yet installed and cannot be used. A typical boot virus therefore takes over INT 13H and places the code it needs there.
2. Modifying the total memory figure in the DOS system data area: after the virus becomes memory-resident, it must reduce the recorded total amount of memory so that DOS does not overwrite it.
3. Write operations to COM and EXE files.
4. Switching between the virus program and the host program: when an infected program runs, the virus code runs first and then passes control to the host program. This hand-over shows many characteristic behaviors.
Advantages: Unknown viruses can be found.
Disadvantages: False positives are possible, the name of the virus is not identified, and implementation is somewhat difficult.
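The INT 13H and memory-size checks from items 1 and 2 above, as an added example that is not part of the original text: it compares two constructed snapshots of the first 0x500 bytes of PC memory (interrupt vector table plus BIOS data area) taken before and after a suspect program has run. The memory-size word at linear address 0x413 is the conventional PC location; the F000:EC59 vector and 9F80:0000 handler address are constructed sample values.

```python
import struct

BDA_MEMSIZE = 0x413          # BIOS data area 0040:0013: total conventional memory in KB

def read_vector(mem: bytes, intno: int):
    """Interrupt vector table entry: 4 bytes per interrupt, offset then segment."""
    off, seg = struct.unpack_from("<HH", mem, intno * 4)
    return seg, off

def read_memsize_kb(mem: bytes) -> int:
    return struct.unpack_from("<H", mem, BDA_MEMSIZE)[0]

def behavior_check(before: bytes, after: bytes) -> list:
    """Compare snapshots of the first 0x500 bytes of memory (IVT plus BDA) taken
    before and after running a suspect program; return the behavior rules hit."""
    findings = []
    old, new = read_vector(before, 0x13), read_vector(after, 0x13)
    if new != old:
        findings.append("INT 13H vector moved from %04X:%04X to %04X:%04X" % (old + new))
    kb_old, kb_new = read_memsize_kb(before), read_memsize_kb(after)
    if kb_new < kb_old:
        findings.append("total memory reduced from %d KB to %d KB" % (kb_old, kb_new))
        # Does the new INT 13H handler sit inside the block that was just hidden?
        linear = new[0] * 16 + new[1]
        if kb_new * 1024 <= linear < kb_old * 1024:
            findings.append("new INT 13H handler resides in the hidden memory block")
    return findings

def make_snapshot(int13=(0xF000, 0xEC59), memsize_kb=640) -> bytes:
    """Constructed snapshot: only the INT 13H vector and the memory-size word are set."""
    mem = bytearray(0x500)
    struct.pack_into("<HH", mem, 0x13 * 4, int13[1], int13[0])   # offset, then segment
    struct.pack_into("<H", mem, BDA_MEMSIZE, memsize_kb)
    return bytes(mem)

if __name__ == "__main__":
    clean = make_snapshot()
    # Simulated resident boot virus: hides 2 KB at the top of memory and points INT 13H there
    suspect = make_snapshot(int13=(0x9F80, 0x0000), memsize_kb=638)
    for line in behavior_check(clean, suspect):
        print(line)
```

A legitimate resident driver can trip the same rules, which is the false-positive risk the text notes; the third rule (handler inside the hidden block) is the stronger indicator of the two.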
Infection test method:
The infection experiment is a simple and practical method of detecting viruses. Because detection tools lag behind the development of viruses, there are times when a detection tool cannot detect a virus; without the infection test method one would be helpless. With an infection test, new viruses that the detection tool does not recognize can be found, removing the dependence on detection tools and allowing suspected new viruses to be detected independently.
The principle of this approach is to exploit the most important basic characteristic of viruses: that they infect.
If the system shows abnormal behavior but the latest version of the detection tool finds no virus, an infection experiment can be performed: run the suspect program on the system, then run several normal programs that are known to be clean, and observe the length and checksum of those normal programs. If some of them have grown, or their checksums have changed, the system is infected.
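The infection experiment as an added example, not code from the original text: three constructed stand-ins for the suspect program's behavior (harmless, appending infector, overwriting infector; none is real virus code) are run against bait programs whose length and checksum were recorded first. The report separates growth from same-length modification, which is why the text asks for both length and checksum.

```python
import zlib

def fingerprint(data: bytes):
    """Length and CRC-32 of a bait program; both are recorded before the test."""
    return len(data), zlib.crc32(data) & 0xFFFFFFFF

def infection_experiment(baits: dict, run_suspect) -> dict:
    """Record each bait's fingerprint, run the suspect program with access to the
    baits, then report per bait: grew, changed (same length) or clean."""
    before = {name: fingerprint(b) for name, b in baits.items()}
    after_files = run_suspect(dict(baits))
    report = {}
    for name, (n0, c0) in before.items():
        n1, c1 = fingerprint(after_files.get(name, b""))
        if n1 > n0:
            report[name] = "grew by %d bytes" % (n1 - n0)
        elif c1 != c0:
            report[name] = "changed (length unchanged)"
        else:
            report[name] = "clean"
    return report

# Constructed suspect behaviours used to drive the experiment (not real virus code).
BODY = b"\xCD\x13" * 8                       # 16-byte stand-in for a virus body

def harmless_program(files):
    return files

def appending_infector(files):
    """Appends BODY to every COM file and patches a JMP to it at the entry point."""
    out = {}
    for name, data in files.items():
        if name.upper().endswith(".COM") and len(data) >= 3:
            rel = len(data) - 3              # JMP target = 3 + rel = old end of file
            out[name] = b"\xE9" + rel.to_bytes(2, "little") + data[3:] + BODY
        else:
            out[name] = data
    return out

def overwriting_infector(files):
    """Overwrites the first bytes of every file; the length does not change."""
    return {n: BODY[:len(d)] + d[len(BODY):] for n, d in files.items()}

if __name__ == "__main__":
    baits = {"BAIT1.COM": b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 11,
             "BAIT2.EXE": b"MZ" + b"\x00" * 30}
    for suspect in (harmless_program, appending_infector, overwriting_infector):
        print(suspect.__name__, infection_experiment(baits, suspect))
```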
Software simulation method:
A polymorphic virus changes its virus code on every infection, so the feature code method fails against it. Because the code of a polymorphic virus is encoded with a different key each time, comparing the virus code found in different infected files reveals no stable common code that could serve as a feature. Although the behavior detection method can detect a polymorphic virus, it cannot disinfect after detection, because the type of virus is not known and disinfection is therefore difficult.
Software simulation method: this is a software analyzer that uses software to simulate and analyze the execution of a program. Newer detection tools include a software simulation module. When the tool starts, it uses the feature code method to detect viruses; if a suspected stealth or polymorphic virus is found, it launches the software simulation module, which monitors the execution of the virus until the virus has decoded its own body, and then applies the feature code method to identify the type of virus.
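The software simulation step as an added example, not code from the original text: the polymorphic wrapper (a running-key XOR loop behind a constructed "POLY" header) and the feature code are invented for illustration. The feature code fails on the raw samples, the sample's own decryptor loop is simulated to recover the body, and the feature code is then applied again to identify it.

```python
import struct

FEATURE_CODE = bytes.fromhex("b4 4e cd 21 72 0b")   # constructed feature of the decoded body
HDR = struct.Struct("<4sBBH")                       # magic, key, key delta, body length

def encode(body: bytes, key: int, delta: int) -> bytes:
    """Constructed polymorphic wrapper: running-key XOR with a per-sample key."""
    out, k = bytearray(), key
    for b in body:
        out.append(b ^ k)
        k = (k + delta) & 0xFF
    return HDR.pack(b"POLY", key, delta, len(body)) + bytes(out)

def emulate_decryptor(sample: bytes, max_steps: int = 1 << 12):
    """Simulate the sample's decryptor loop step by step, as the software simulation
    module does, and return the body it produces (None if there is no such loop)."""
    if len(sample) < HDR.size or sample[:4] != b"POLY":
        return None
    _, k, delta, n = HDR.unpack_from(sample)
    if n > len(sample) - HDR.size or n > max_steps:
        return None                     # malformed or runaway loop: stop simulating
    out = bytearray()
    for b in sample[HDR.size:HDR.size + n]:
        out.append(b ^ k)
        k = (k + delta) & 0xFF
    return bytes(out)

def detect(sample: bytes) -> str:
    """Feature code on the raw object first; on a suspected polymorphic sample,
    emulate and then apply the feature code to the decoded body."""
    if FEATURE_CODE in sample:
        return "known (direct feature code match)"
    body = emulate_decryptor(sample)
    if body is not None and FEATURE_CODE in body:
        return "known (feature code matched after emulation)"
    return "no match"

if __name__ == "__main__":
    body = b"\x90" * 4 + FEATURE_CODE + b"\xC3"
    # Two infections of the same virus, each wrapped with a different key
    for sample in (encode(body, 0x5A, 0x03), encode(body, 0x17, 0x21)):
        print(sample.hex(), "->", detect(sample))
```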
Analytical method (professional):
Objectives:
1. Confirm whether the disk boot area or program under observation contains a virus.
2. Confirm the type and kind of virus and determine whether it is a new virus.
3. Work out the approximate structure of the virus and extract the strings or feature words used for recognition, to be added to the virus code base used by scanning and identification programs.
4. Analyze the virus code in detail in order to develop appropriate anti-virus measures and specify the disinfection program.
Virus analysis is an important technology in anti-virus work; no anti-virus system of excellent performance can be developed without detailed and careful analysis of the various viruses by specialists.
The steps of analysis are divided into two types: dynamic and static.
Static analysis means using a disassembler such as DEBUG to print the virus code as a disassembly listing for analysis.
Dynamic analysis means using a debugging tool such as DEBUG, with the virus present in memory, to trace the virus dynamically and observe its specific actions, in order to build on the static analysis and further understand how the virus works.
Summary:
1. The method of comparing an original backup with the program under examination is suitable when no special software is available; it can reveal abnormal situations and is a simple, basic virus detection method.
2. The methods of scanning for feature strings and distinguishing feature words are suitable for building anti-virus software for PC users; they are convenient and fast, but new viruses will be missed, so they need to be combined with analysis and comparison.
3. The virus analysis method is used mainly by professionals to identify viruses and to develop anti-virus systems; it requires more expertise and is an indispensable method in anti-virus research.
Principles of virus Diagnosis technology