Thursday, May 17, 2012

How Does Antivirus Software Work and Detect Viruses

Hello friends, today I will explain to you all how antivirus software works and detects viruses. Most of you already know what an antivirus is, but have you ever tried to understand how it works and why it requires regular updates? How does an antivirus search for viruses, detect the virus inside a file, and then eliminate it or heal the file? The working of an antivirus involves two basic technologies, namely:

1. Dictionary based continuous and fragmented string search

2. Suspicious activity detection (process manipulation)


So friends, let's start learning how an antivirus works, detects viruses, and then eliminates and heals them.

Dictionary-based continuous and fragmented string search:

As the technique's name suggests, "dictionary" signifies the virus definitions database, which is updated regularly as soon as a new virus is found (found by the second technique). In the dictionary-based search technique, the antivirus software searches for a string by comparing the file against the strings existing in its virus definitions database.
Now consider a hypothetical example for better understanding. Suppose you have a file whose code is something like below:


Now when a virus infects a file, it manipulates the original file and adds some extra code or functionality to it so that the behaviour of the file changes, meaning that it differs from its normal functioning. So after the virus infection the file becomes something like this:


where 012345 is the string that the virus has attached to the file after infection.
What the antivirus database contains is that 012345 string. The antivirus matches the strings in its database against the strings in the program or code, and if one matches it identifies the file as a virus.
Note: All this processing is done on the binary form of the code, and sometimes on the executable.
Now if you manipulate the virus string 012345 and add some dead code in between, something like below:
0a1a2a3a4a5a, what we have done is added an 'a' between the characters of the virus string, but attached it in such a way that the 'a' does not affect the processing of the string (the virus). That means we have made a new virus: this string is not in the antivirus database, so it is not detected by the antivirus.
How can you add dead code? Consider this string 0a1a2a3a4a5a: read the characters one by one, and whenever the character 'a' is found just skip it; otherwise concatenate the character onto a string held in a new variable, and use that variable in the further processing of the code. This is how any virus is made undetectable.
Note: But the suspicious activity technique might still detect this, as the functionality of the virus string is the same.

That's the main reason why an antivirus needs regular updates. Antivirus companies add newly detected strings to their database daily so that users can remain secure.
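To make the dictionary search concrete, here is a small signature scanner written for this article (it is an added example, not code from the original post or from any antivirus product). It takes a constructed definitions database, does the plain dictionary match first, and then a second pass that tolerates a bounded number of filler bytes between consecutive signature bytes. That second pass is one way to read the "fragmented" half of this section's name, and it is exactly what catches the 0a1a2a3a4a5a variant above. The sample file contents, the signature name Demo.Test, and the max_gap parameter are all assumptions made up for the example.

```python
import re

# Constructed virus-definition "database" for this example: name -> signature bytes.
# In a real product each entry is a byte pattern extracted from a known sample.
SIGNATURES = {
    "Demo.Test": b"012345",
}


def scan_exact(data: bytes, signatures=SIGNATURES):
    """Plain dictionary search: report every signature that occurs verbatim."""
    return [name for name, sig in signatures.items() if sig in data]


def _fragmented_regex(sig: bytes, max_gap: int):
    """Turn a signature into a regex that tolerates up to max_gap filler bytes
    between consecutive signature bytes (the 'fragmented' search)."""
    pieces = [re.escape(bytes([b])) for b in sig]
    filler = b".{0,%d}" % max_gap          # any byte, repeated 0..max_gap times
    return re.compile(filler.join(pieces), re.DOTALL)


def scan_fragmented(data: bytes, max_gap: int = 2, signatures=SIGNATURES):
    """Fragmented search: report (name, offset, matched bytes) for each hit."""
    hits = []
    for name, sig in signatures.items():
        m = _fragmented_regex(sig, max_gap).search(data)
        if m:
            hits.append((name, m.start(), m.group(0)))
    return hits


def scan(data: bytes, max_gap: int = 2, signatures=SIGNATURES):
    """Combined verdict as the article describes it: exact match first,
    fragmented match second, clean otherwise."""
    exact = scan_exact(data, signatures)
    if exact:
        return {"verdict": "infected", "how": "exact", "names": exact}
    frag = scan_fragmented(data, max_gap, signatures)
    if frag:
        return {"verdict": "infected", "how": "fragmented", "names": [h[0] for h in frag]}
    return {"verdict": "clean", "how": None, "names": []}


# Constructed sample files standing in for the article's code pictures.
CLEAN_FILE = b"MZ\x90\x00program body that does ordinary work"
INFECTED_FILE = CLEAN_FILE + b"\n012345"        # the virus string appended verbatim
PADDED_FILE = CLEAN_FILE + b"\n0a1a2a3a4a5a"    # same string with filler 'a' bytes

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_FILE), ("infected", INFECTED_FILE), ("padded", PADDED_FILE)]:
        print(label, scan(blob))
```

Keep max_gap small: every extra byte of tolerated filler widens the pattern and raises the false-positive rate on ordinary files, which is why real engines pair this kind of loose matching with the behaviour checks described in the next section rather than relying on it alone.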

We can also bypass this using crypters, but as we are elite hackers and not script kiddies, I prefer to do it by manual editing rather than with tools, because if you do it using tools you will never come to know how it is happening. And the day the crypter becomes detectable, your virus also becomes detectable. So friends, I recommend that you never depend on tools for hacking, for two reasons:
1. You will never come to know the real scenario of what is happening in real time, which means no knowledge. When the tool becomes detectable, you are a noob again.
2. Most tools available are already infected with keyloggers and spy trojans that inspect your system and send your personal credentials to the hackers who created them.

Suspicious activity detection:

This is the most effective method to detect any malfunctioning in your system, as it is not based on any search technique; rather it depends on the behaviour of programs and files, that is, how they act while they are executed or running. In this technique the antivirus identifies the normal behaviour of the file or program, what it should do when it is run without infection. Now if any file or program does any illegal processing, like manipulating the integrity and protection of Windows files, then the antivirus identifies that file as a virus and terminates the program and the processes related to it. That's the only reason why it detects patches and key-gens as viruses, as they try to manipulate files by breaking their integrity.
The main drawback of this technique is that it is quite annoying, as it sometimes detects normal files as viruses too, but if you want to keep your PC safe then you need to do what your antivirus suggests.
Also note one more thing: 99% of the patches and key-gens that you use to crack software are already infected with trojans, which are identity-theft programs that steal your personal information and send it to hackers. Some patches also contain backdoors that leave your system open to attack, similar to the way you would leave your house's main gate open for thieves at night... :P But it's the truth...
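The behaviour check in this section can be shown with a toy monitor written for this article (an added example, not the post's own code and not how any real antivirus product is built). It reads a constructed event log in which a hypothetical monitor driver reports one line per action as pid|process|action|target, compares each write against a per-program baseline of what the program normally touches, and raises an alert when an unbaselined program modifies a protected system location. The event lines, the baseline table, the protected prefixes and the process names are all made up for the example; the updater.exe entry is there on purpose to reproduce the false-positive drawback the paragraph above describes.

```python
from dataclasses import dataclass

# Constructed event log: "pid|process|action|target", one action per line.
# These are invented lines, not real Windows telemetry.
EVENTS = """\
101|notepad.exe|file_write|C:\\Users\\bob\\notes.txt
102|game.exe|file_read|C:\\Games\\game\\level1.dat
102|game.exe|file_write|C:\\Windows\\System32\\kernel32.dll
103|updater.exe|file_write|C:\\Windows\\System32\\drivers\\foo.sys
104|keygen.exe|process_write|C:\\Program Files\\Tool\\tool.exe
"""

# Locations whose integrity the monitor treats as protected (assumed list).
PROTECTED_PREFIXES = ("C:\\Windows\\", "C:\\Program Files\\")
# Actions that can change a file or a running program; reads are ignored.
SUSPICIOUS_ACTIONS = {"file_write", "file_delete", "process_write"}

# Baseline: path prefixes a program is expected to modify when behaving normally.
# A program with no entry gets an empty baseline, so any protected write is suspicious.
BASELINE = {
    "notepad.exe": ["C:\\Users\\"],
    "game.exe": ["C:\\Games\\"],
}


@dataclass
class Alert:
    pid: int
    process: str
    action: str
    target: str
    reason: str


def parse_events(text):
    """Parse the pipe-separated log into (pid, process, action, target) tuples."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, proc, action, target = line.split("|", 3)
        out.append((int(pid), proc, action, target))
    return out


def is_protected(path):
    """True when the target sits under one of the protected prefixes."""
    return path.lower().startswith(tuple(p.lower() for p in PROTECTED_PREFIXES))


def check(events, baseline=BASELINE):
    """Behaviour check: flag modifications of protected locations that fall
    outside the program's baseline."""
    alerts = []
    for pid, proc, action, target in events:
        if action not in SUSPICIOUS_ACTIONS:
            continue
        allowed = baseline.get(proc, [])
        if any(target.lower().startswith(a.lower()) for a in allowed):
            continue                      # expected behaviour for this program
        if is_protected(target):
            alerts.append(Alert(pid, proc, action, target,
                                "modifies protected system files outside its baseline"))
    return alerts


def respond(alerts):
    """Decide which PIDs to terminate (the 'terminate that program' step)."""
    return sorted({a.pid for a in alerts})


if __name__ == "__main__":
    found = check(parse_events(EVENTS))
    for a in found:
        print(f"ALERT pid={a.pid} {a.process} {a.action} {a.target}: {a.reason}")
    print("terminate:", respond(found))
```

Running it flags game.exe writing into System32 and keygen.exe patching a program under Program Files, but it also flags updater.exe, a legitimate installer that was never given a baseline. That third alert is the cost the paragraph above warns about: behaviour rules catch variants that no signature knows, and in exchange they sometimes stop a normal file until a human (or a better baseline) tells the antivirus otherwise.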

So what is the lesson you have got from this article? Stop using pirated software and cracks to patch it, otherwise you can be in great trouble. The solution is simple: use trusted freeware as an alternative to paid tools rather than using their cracked versions...

I hope you all have liked it..


