the new infections. Typically such a virus carries a small fixed set of decryptors and picks one of them for each new infection, so a signature written for a single fixed byte pattern in the decryptor loop misses the copies that use the other decryptors. The set is still finite, though, so a scanner can write one signature per decryptor and cover every variant.
Polymorphism
As said above, many anti-virus programs use signatures to detect infections by known viruses. Once a virus sample has been analysed, researchers extract a unique byte sequence from it, called the signature of that virus. When a computer is later scanned, every file is searched for that byte sequence, and a match identifies the file as infected by that virus.
In polymorphism, the virus writer arranges for instructions to change from one generation to the next so that signature matching fails on the new infections. The virus body is kept encrypted, and the code around it is rewritten so that each copy looks different: every time the virus replicates, its mutation engine picks a fresh key and builds a different decryptor for the next infection, varying register choices, instruction order and inserted junk instructions while keeping the decryptor's behaviour the same.
The main difference between oligomorphism and polymorphism is that a polymorphic virus can generate a practically unlimited number of new decryptors instead of choosing from a small fixed set, and each decryptor may layer several encryption methods over the main virus body. As a result, polymorphic viruses are much more difficult to detect: no fixed byte pattern in the decryptor can be relied on, and the scanner usually has to emulate the decryptor until the constant body appears in memory and then match a signature against that.
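To make the difference concrete, here is an added illustration that is not code from the original article and is not taken from any real virus: a toy engine in Python that encrypts a constructed stand-in body and produces decryptors either from a fixed menu (oligomorphic) or at random (polymorphic). The cipher steps, key values, sample body and signature are all assumptions made up for the example.

```python
import random

# Constructed stand-in for a virus body: plain text, no real malware.
BODY = b"MARK: replicate(); payload(); exit()"
# The constant bytes a researcher would extract from BODY as its signature.
SIGNATURE = b"replicate(); payload()"


def apply_ops(ops, data):
    """Run a decryptor: every step is applied, in order, to each byte.
    ("nop", 0) is junk: it changes the decryptor's bytes, not its effect."""
    out = bytearray()
    for b in data:
        for op, arg in ops:
            if op == "xor":
                b ^= arg
            elif op == "add":
                b = (b + arg) & 0xFF
            elif op == "rol":
                b = ((b << arg) | (b >> (8 - arg))) & 0xFF
        out.append(b)
    return bytes(out)


def inverse(ops):
    """Steps that undo `ops`; the engine encrypts with these at infection time."""
    inv = []
    for op, arg in reversed(ops):
        if op == "add":
            inv.append(("add", (-arg) & 0xFF))
        elif op == "rol":
            inv.append(("rol", (8 - arg) % 8))
        else:                      # xor is its own inverse, nop stays nop
            inv.append((op, arg))
    return inv


def encode(ops):
    """Byte image of a decryptor: what a fixed signature would have to match."""
    return ";".join(f"{op} {arg:02x}" for op, arg in ops).encode()


# Oligomorphic engine: a small fixed menu of decryptors (toy values).
FIXED_DECRYPTORS = [
    [("xor", 0x5A)],
    [("add", 0x33)],
    [("rol", 3)],
    [("xor", 0x5A), ("add", 0x33)],
]


def oligomorphic_decryptor(rng):
    return rng.choice(FIXED_DECRYPTORS)


def polymorphic_decryptor(rng):
    """Polymorphic engine: random keys, a random number and order of layers,
    and junk steps sprinkled between the real ones."""
    ops = []
    for _ in range(rng.randint(1, 3)):
        kind = rng.choice(["xor", "add", "rol"])
        arg = rng.randint(1, 7) if kind == "rol" else rng.randint(1, 255)
        ops.append((kind, arg))
        if rng.random() < 0.5:
            ops.append(("nop", 0))
    return ops


def infect(make_decryptor, rng):
    """One new generation: (decryptor, encrypted body)."""
    while True:
        dec = make_decryptor(rng)
        blob = apply_ops(inverse(dec), BODY)
        # Weak-key check: layered steps can cancel out on some inputs (xor 0x80
        # followed by add 0x80 is the identity on every ASCII byte), which would
        # leave the plaintext body, and its signature, visible in the file.
        if all(x != y for x, y in zip(blob, BODY)):
            return dec, blob


def samples(make_decryptor, n, seed=0):
    rng = random.Random(seed)
    return [infect(make_decryptor, rng) for _ in range(n)]


def distinct_decryptors(make_decryptor, n, seed=0):
    """How many different decryptor byte images n infections produce."""
    return len({encode(dec) for dec, _ in samples(make_decryptor, n, seed)})


if __name__ == "__main__":
    for name, gen in (("oligomorphic", oligomorphic_decryptor),
                      ("polymorphic", polymorphic_decryptor)):
        print(name, "distinct decryptors in 200 infections:",
              distinct_decryptors(gen, 200))
```

Running it shows the point of the section: over 200 infections the oligomorphic engine never produces more than four decryptor images, so four signatures cover it, while the polymorphic engine yields a different decryptor almost every time and the encrypted body never contains the signature. The re-roll in `infect` is a check a real engine needs too, since a layered cipher can collapse to the identity on the bytes that matter.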
Metamorphism
In metamorphism, the virus rewrites its own body for each new generation, replacing instructions with different-looking sequences that do the same thing: an instruction that zeroes a register is swapped for another with the same effect, independent instructions are reordered, and junk instructions are inserted. As a result, the body has no constant byte sequence across infections and signature-based anti-virus programs have difficulty detecting it. These viruses are usually not encrypted; the rewriting itself is the disguise, so there is no constant body waiting to be revealed by decryption.
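The rewriting described above, as an added example that is not code from the original article and models no real virus: a tiny register machine in Python whose programs are mutated by swapping instructions for equivalent forms and inserting junk. The instruction set, the rewrite rules, the sample program and the signature are all assumptions made for the example.

```python
import random

# Tiny register machine standing in for real code; nothing here is malware.
# Instruction: ("mov"|"add"|"sub"|"xor", dst_register, src) or ("nop",),
# where src is an int immediate or a register name.
ORIGINAL = [
    ("mov", "a", 0), ("add", "a", 7), ("add", "a", 5),
    ("mov", "b", 0), ("add", "b", 3), ("sub", "a", "b"),
]                                       # leaves a = 7 + 5 - 3 = 9


def run(prog):
    """Execute a program and return register a (the 'payload' result)."""
    regs = {"a": 0, "b": 0}
    val = lambda x: regs[x] if isinstance(x, str) else x
    for ins in prog:
        if ins[0] == "nop":
            continue
        op, dst, src = ins
        if op == "mov":
            regs[dst] = val(src)
        elif op == "add":
            regs[dst] += val(src)
        elif op == "sub":
            regs[dst] -= val(src)
        elif op == "xor":
            regs[dst] ^= val(src)
    return regs["a"]


def encode(prog):
    """Byte image of a program: what a fixed signature would have to match."""
    return "; ".join(" ".join(map(str, ins)) for ins in prog).encode()


SIGNATURE = encode(ORIGINAL[:2])        # b"mov a 0; add a 7"

# Junk that changes the bytes but not the registers the program relies on.
JUNK = [("nop",), ("add", "b", 0), ("mov", "b", "b")]


def equivalents(ins, rng):
    """Alternative encodings with the same effect. Toy rewrite rules: a real
    engine must also preserve CPU flags, which this machine does not model."""
    op, *rest = ins
    if (op == "mov" and rest[1] == 0) or (op in ("xor", "sub") and rest[0] == rest[1]):
        r = rest[0]                         # three ways to zero a register
        return [[("mov", r, 0)], [("xor", r, r)], [("sub", r, r)]]
    if op in ("add", "sub") and isinstance(rest[1], int):
        r, n = rest                         # add n == sub -n == add (n-k), add k
        other = "sub" if op == "add" else "add"
        k = rng.randint(1, 9)
        return [[(op, r, n)], [(other, r, -n)], [(op, r, n - k), (op, r, k)]]
    return [[ins]]


def mutate(prog, rng):
    """One metamorphic generation: every instruction that has an equivalent
    form is swapped for a different one, and junk is inserted at random."""
    out = []
    for ins in prog:
        forms = [f for f in equivalents(ins, rng) if f != [ins]] or [[ins]]
        out.extend(rng.choice(forms))
        if rng.random() < 0.3:
            out.append(rng.choice(JUNK))
    return out


def generations(n, seed=0):
    """n successive generations, each produced by mutating the previous one."""
    rng = random.Random(seed)
    gens, prog = [], ORIGINAL
    for _ in range(n):
        prog = mutate(prog, rng)
        gens.append(prog)
    return gens


if __name__ == "__main__":
    for i, g in enumerate(generations(3), 1):
        print(f"gen {i}: a={run(g)} signature_hit={SIGNATURE in encode(g)}")
        print("   ", encode(g).decode())
```

Every generation still computes the same result, yet the first generation already no longer contains the signature taken from the original, and each generation differs from the one before it. This is why a scanner cannot rely on the body's bytes here and has to reason about what the code does rather than how it is spelled.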
Virus Detection Techniques
Virus detection techniques evolved in step, and security researchers applied new methods to detect such viruses. Some of the most popular detection techniques are described below:
String Scanning
In this method, the scanner searches a file for the signature string, with special conditions applied during the byte comparison: wildcards that stand for any byte, a permitted number of mismatching bytes, and similar generic matching rules, so that one signature can cover several variants of a virus.
Bookmarks
This technique reduces false positives in virus detection. A bookmark is an extra check tied to a signature hit; for example, the distance between the start of the virus body and the signature is a good bookmark, as is the requirement that the infected file's entry point lands on the start of the virus body. A file that merely contains the signature bytes but fails the bookmark check is not reported.
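The two techniques above, string scanning with wildcards followed by a bookmark check, as an added example in Python that is not code from the original article: the container format, the virus body bytes, the signature and the sample files are all constructed for the example and do not correspond to any real file format or virus.

```python
import re
import struct

# Constructed toy container (not a real file format): 4-byte magic, 2-byte
# little-endian entry point (offset from file start), then code.
MAGIC = b"TOYX"


def build_file(code, entry):
    return MAGIC + struct.pack("<H", entry) + code


def entry_point(data):
    if data[:4] != MAGIC:
        raise ValueError("not a TOYX file")
    return struct.unpack("<H", data[4:6])[0]


# Constructed virus body: 2-byte prologue, a 4-byte field that differs per
# infection (e.g. a host-specific delta), then a stable tail that itself
# carries 2 variable bytes in the middle.
def virus_body(delta4, var2):
    return b"\xE8\x00" + delta4 + b"\x5D\x81\xED" + var2 + b"\x00\x00\xC3"


HOST = b"\xB8\x01\x00\x00\x00\xC3"          # constructed clean host code

SIGNATURE = {
    "name": "Toy.Virus.A",
    # Hex pattern over the stable tail; ?? is a wildcard byte.
    "pattern": "5D 81 ED ?? ?? 00 00 C3",
    # Bookmark: the pattern begins 6 bytes after the start of the virus body.
    "bookmark": 6,
}


def compile_pattern(pattern):
    """Turn 'E8 ?? 5D' style text into a bytes regex."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16)
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def string_scan(data, sig):
    """Plain string scanning: every offset where the pattern occurs."""
    return [m.start() for m in compile_pattern(sig["pattern"]).finditer(data)]


def bookmark_check(data, sig, hit):
    """The virus body must start `bookmark` bytes before the hit, and the
    file's entry point must land on that body start."""
    return hit - sig["bookmark"] == entry_point(data)


def detect(data, sig):
    return [hit for hit in string_scan(data, sig) if bookmark_check(data, sig, hit)]


# Constructed samples.
def infected_sample(delta4, var2):
    body_start = len(MAGIC) + 2 + len(HOST)          # body appended at offset 12
    return build_file(HOST + virus_body(delta4, var2), body_start)


def benign_lookalike():
    """Carries the virus bytes as inert data (think of a signature database),
    but its entry point is the host code, so the bookmark does not line up."""
    return build_file(HOST + virus_body(b"\0\0\0\0", b"\0\0"), len(MAGIC) + 2)


def clean_sample():
    return build_file(HOST, len(MAGIC) + 2)


if __name__ == "__main__":
    for name, f in (("infected", infected_sample(b"\x11\x22\x33\x44", b"\xAA\xBB")),
                    ("lookalike", benign_lookalike()), ("clean", clean_sample())):
        print(name, "string hits:", string_scan(f, SIGNATURE),
              "detections:", detect(f, SIGNATURE))
```

Two infections with different per-infection bytes are both caught because the wildcards cover the bytes that vary; the benign file that embeds the same bytes as data produces a string-scan hit but fails the bookmark check, which is exactly the false positive the bookmark is there to remove.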
Smart Scanning
Virus writers often pad their code with dummy instructions such as NOP. In smart scanning, such junk is removed from the scanned code before the signature is matched, so padding inserted between the real instructions does not break the match. The technique is mainly used for macro viruses stored as text, where the normalisation also strips comments, whitespace and case differences that do not change what the macro does.
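An added example of smart scanning for text macros, not code from the original article: the macro text is a constructed, inert sample in a VBA-like syntax, and the normalisation rules and signature are assumptions made for the example. The normaliser tracks string literals so that an apostrophe or colon inside quotes is not mistaken for a comment or statement separator.

```python
import re

# Constructed macro samples (toy VBA-like text, no working payload).
SAMPLE_ORIGINAL = '''Sub AutoOpen()
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(ActiveDocument.FullName)
End Sub
'''

# Same statements, padded with comments, junk statements and odd spacing.
SAMPLE_MUTATED = '''Sub AutoOpen()
    ' harmless-looking comment inserted by the mutation
    Dim x As Integer : x = 0
    Set   fso  =  CreateObject ( "Scripting.FileSystemObject" )   ' padding
    REM another comment line
    x = x + 0
    Set f = FSO.OpenTextFile( ActiveDocument.FullName )
End Sub
'''

SAMPLE_CLEAN = '''Sub AutoOpen()
    MsgBox "It's " & "done"   ' apostrophe inside a string is not a comment
End Sub
'''

# Raw text signature, as a naive string scanner would store it.
RAW_SIGNATURE = 'Set fso = CreateObject("Scripting.FileSystemObject")'

# Normalised signature: the two statements that matter, in order.
SMART_SIGNATURE = [
    'set fso=createobject("scripting.filesystemobject")',
    'set f=fso.opentextfile(activedocument.fullname)',
]


def split_code(line):
    """Drop the comment part of a line and split it on ':' separators,
    tracking string literals so quotes and colons inside "..." are kept."""
    stmts, cur, in_str = [], [], False
    for ch in line:
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            break
        elif ch == ":" and not in_str:
            stmts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    stmts.append("".join(cur))
    out = []
    for s in stmts:
        if re.match(r"\s*rem(\s|$)", s, re.I):
            break                       # a Rem comment runs to end of line
        out.append(s)
    return out


def normalize(src):
    """Smart-scanning normalisation: strip comments, split statements,
    collapse whitespace, lowercase, drop spaces around = ( ) . and commas."""
    stmts = []
    for line in src.splitlines():
        for stmt in split_code(line):
            stmt = re.sub(r"\s+", " ", stmt).strip().lower()
            stmt = re.sub(r"\s*([=().,])\s*", r"\1", stmt)
            if stmt:
                stmts.append(stmt)
    return stmts


def in_order(stmts, needles):
    """True if every signature statement appears, in order, with any number
    of junk statements allowed in between."""
    i = 0
    for s in stmts:
        if i < len(needles) and s == needles[i]:
            i += 1
    return i == len(needles)


def raw_scan(src):
    return RAW_SIGNATURE in src


def smart_scan(src):
    return in_order(normalize(src), SMART_SIGNATURE)


if __name__ == "__main__":
    for name, src in (("original", SAMPLE_ORIGINAL), ("mutated", SAMPLE_MUTATED),
                      ("clean", SAMPLE_CLEAN)):
        print(f"{name}: raw={raw_scan(src)} smart={smart_scan(src)}")
```

The raw string scan catches only the untouched sample; after normalisation both the original and the padded copy match the same two-statement signature, and the clean macro, whose string literal contains an apostrophe, is neither flagged nor mangled by the comment stripper.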
Skeleton Detection
This technique was invented by the Russian virus researcher Eugene Kaspersky, who also founded Kaspersky Anti-Virus.
This method works by removing a set of instructions from a file that does not probably belong to the …