Hello friends, today I will explain how antivirus software works and how it detects viruses. Most of you already know what an antivirus is, but have you ever tried to understand how it works and why it needs updates so regularly? How does it search a file for a virus, detect the infection, and then remove it or heal the file? The working of an antivirus involves two basic technologies:
1. Dictionary based continuous and fragmented string search
2. Suspicious activity detection (monitoring what running processes do)
So friends, let's start learning how an antivirus works: how it detects a virus and then removes it or heals the infected file.
Dictionary based continuous and fragmented string search:
As the technique's name suggests, the "dictionary" is the virus definitions database, which is updated as soon as a new virus is found (usually found by the second technique). In a dictionary based search, the antivirus compares the contents of a file against the strings (signatures) stored in its virus definitions database. A continuous search requires the signature to appear as one unbroken string; a fragmented search looks for its pieces in order and tolerates other bytes in between.
Now consider a hypothetical example for better understanding. Suppose you have a file whose code is something like this:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
When a virus infects a file, it manipulates the original file and adds some extra code or functionality to it, so that the behaviour of the file changes and differs from its normal functioning. After infection the file becomes something like this:
ABCDEFGHIJKLMNOPQRSTUVWXYZ012345
where 012345 is the string the virus attached to the file during infection.
What the antivirus database contains is exactly that string, 012345. The scanner matches each string in its database against the program's contents, and if one matches it identifies the file as infected.
Note: all this processing is done on the binary contents of the file (the compiled executable), not on readable source code.
Now if you manipulate the virus string 012345 by inserting some dead code between its characters, something like this:
0a1a2a3a4a5a
you have inserted an 'a' between the characters of the virus string, attached in such a way that the 'a' does not affect the processing of the string (the virus). This new string is not in the antivirus database, so a plain string search no longer detects it; in effect you have a new variant of the virus.
How can you add dead code? Take the string 0a1a2a3a4a5a and read it one character at a time: whenever the character 'a' is found, skip it; otherwise append the character to a new variable, and use that variable in the rest of the code. This is how a virus is made undetectable to an exact string match.
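To make the two kinds of string search concrete, here is an added Python example (my own code, not from the original post or any antivirus product). It scans the toy file contents from the text with an exact (continuous) signature match, then with a fragmented match that tolerates inserted filler bytes, and it also implements the skip-the-'a' decoder described above so you can see the original string being recovered. The one-entry definition database, the detection name Toy.Appender and the maximum gap of 4 bytes are assumptions made for illustration.

```python
import re

# Constructed sample "files" mirroring the toy example in the text (not real malware).
CLEAN_FILE = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
INFECTED_FILE = CLEAN_FILE + b"012345"        # virus appended its string
PADDED_FILE = CLEAN_FILE + b"0a1a2a3a4a5a"    # same string with filler 'a' interleaved

# Hypothetical definition database: detection name -> byte string to look for.
SIGNATURES = {
    "Toy.Appender": b"012345",
}


def scan_exact(data: bytes, signatures=SIGNATURES) -> list:
    """Continuous string search: flag signatures that occur verbatim in data."""
    return [name for name, sig in signatures.items() if sig in data]


def fragmented_pattern(sig: bytes, max_gap: int = 4):
    """Build a regex matching sig's bytes in order, allowing up to max_gap
    arbitrary bytes between consecutive signature bytes (an assumed gap size)."""
    gap = b".{0,%d}" % max_gap
    return re.compile(gap.join(re.escape(bytes([b])) for b in sig), re.DOTALL)


def scan_fragmented(data: bytes, signatures=SIGNATURES, max_gap: int = 4) -> list:
    """Fragmented string search: flag signatures even if filler bytes were inserted."""
    return [name for name, sig in signatures.items()
            if fragmented_pattern(sig, max_gap).search(data)]


def strip_filler(encoded: bytes, filler: int = ord("a")) -> bytes:
    """The decoder the text describes: read one character at a time, skip the
    filler, concatenate everything else. The padded variant would run this on
    its own string before using it, so its behaviour is unchanged."""
    return bytes(c for c in encoded if c != filler)


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_FILE), ("infected", INFECTED_FILE), ("padded", PADDED_FILE)):
        print(f"{label:9} exact={scan_exact(blob)} fragmented={scan_fragmented(blob)}")
    print("decoded padded string:", strip_filler(b"0a1a2a3a4a5a"))
```

The exact search catches the infected file but misses the padded variant, while the fragmented search (the second half of the technique's name) still catches it. The cost is visible in the pattern: a six-character signature with gaps would also match benign data that happens to contain the digits 0 to 5 close together in order, which is why real signatures are much longer and taken from the virus's code rather than a handful of characters.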
Note: the suspicious activity technique may still detect it this way, because the functionality of the virus string is unchanged.
That's the main reason antivirus software needs regular updates. Antivirus companies add newly detected strings to their databases every day so that users stay protected.
We can also bypass this using crypters, but as we are elite hackers and not script kiddies, I prefer to do it by manual editing rather than with a tool. If you do it with a tool you will never come to know how it actually happens, and the day the crypter becomes detectable, your virus becomes detectable too. So friends, I recommend that you never depend on tools for hacking, for two reasons:
1. You will never come to know what is really happening in real time, which means no knowledge; when the tool becomes detectable, you are a noob again.
2. Many of the tools in circulation are themselves infected with keyloggers and spy trojans that inspect your system and send your personal credentials to the hackers who created them.
Suspicious activity detection:
This is the most effective method of detecting anything malfunctioning on your system, because it is not based on any search technique; instead it depends on the behaviour of programs and files, that is, how they act while they are executing. In this technique the antivirus first identifies the normal behaviour of a file or program, what it should do when run without infection. If a file or program then does any illegitimate processing, such as tampering with the integrity or protection of Windows system files, the antivirus identifies it as a virus and terminates the program and the processes related to it. That is the reason it also flags patches and key-gens as viruses: they modify other programs' executable files, breaking their integrity.
The main drawback of this technique is that it's quite annoying: sometimes it flags normal files as viruses too (false positives). But if you want to keep your PC safe, you need to do what your antivirus suggests.
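An added Python example (my own, not the post's or any antivirus vendor's code) of the suspicious activity approach described above, including its false-positive drawback: a small rule engine scores a constructed process event log and decides whether to terminate each process. The log lines, the process and file names (dropper.exe, evil.sys, SomeApp, setup.exe), the rules, their weights and the threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed event log for illustration (not captured from a real system).
# One event per line: "<pid> <process> <action> <target>"; targets may contain spaces.
# Process and file names (dropper.exe, evil.sys, SomeApp, setup.exe) are hypothetical.
EVENTS = r"""
101 notepad.exe write C:\Users\bob\notes.txt
202 patch.exe open C:\Program Files\SomeApp\app.exe
202 patch.exe write C:\Program Files\SomeApp\app.exe
303 svchost.exe read C:\Windows\System32\kernel32.dll
404 dropper.exe write C:\Windows\System32\drivers\evil.sys
404 dropper.exe regset HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\evil
505 setup.exe write C:\Program Files\SomeApp\app.exe
"""

# Targets are compared lower-cased because Windows paths and registry keys are case-insensitive.
PROTECTED_DIRS = ("c:\\windows\\",)
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")
AUTORUN_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\run\\"

# Behaviour rules: (description, weight, predicate over (action, target)).
# Weights and the threshold are illustrative choices, not values from any product.
RULES = [
    ("writes into a protected Windows directory", 3,
     lambda action, target: action == "write" and target.startswith(PROTECTED_DIRS)),
    ("modifies an executable file", 2,
     lambda action, target: action == "write" and target.endswith(EXECUTABLE_SUFFIXES)),
    ("registers itself to run at startup", 3,
     lambda action, target: action == "regset" and target.startswith(AUTORUN_KEY)),
]
THRESHOLD = 2


def parse_events(text):
    """Yield (pid, process, action, target) tuples from the log, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, process, action, target = line.split(" ", 3)
        yield int(pid), process, action, target.lower()


def score_processes(text):
    """Accumulate a suspicion score per pid from the rules each of its events trips."""
    scores = defaultdict(lambda: {"name": None, "score": 0, "reasons": []})
    for pid, process, action, target in parse_events(text):
        entry = scores[pid]
        entry["name"] = process
        for description, weight, matches in RULES:
            if matches(action, target):
                entry["score"] += weight
                entry["reasons"].append(description)
    return dict(scores)


def verdicts(text, threshold=THRESHOLD):
    """Map pid -> (process name, 'terminate' or 'allow') by comparing the score to the threshold."""
    return {pid: (entry["name"], "terminate" if entry["score"] >= threshold else "allow")
            for pid, entry in score_processes(text).items()}


if __name__ == "__main__":
    decisions = verdicts(EVENTS)
    for pid, entry in score_processes(EVENTS).items():
        print(f"pid {pid} {entry['name']:12} score={entry['score']} -> {decisions[pid][1]}; "
              + "; ".join(entry["reasons"]))
```

dropper.exe trips all three rules and patch.exe is terminated for overwriting another program's executable, which is exactly why patches and key-gens get flagged. Note that setup.exe, a legitimate installer updating the same app.exe, is terminated on the same rule: that is the false positive the text warns about, and real products add context such as code-signing and publisher reputation to reduce it.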
Also note one more thing: the vast majority of patches and key-gens that people use to crack software are themselves infected with trojans, identity theft programs that steal your personal information and send it to hackers. Some patches also contain backdoors that leave your system open to attack, similar to leaving your house's main gate open for thieves at night....:P but it's the truth...
So what is the lesson from this article? Stop using pirated software and the cracks used to patch it, otherwise you can land in great trouble. The solution is simple: use trusted freeware as an alternative to paid tools rather than using their cracked versions...
I hope you all liked it..