Upload
jash
View
1
Download
0
Embed Size (px)
DESCRIPTION
Encrypted Virus
Citation preview
One method of evading signature detection is to use simple encryption to encipher the body of the
virus, leaving only the encryption module and a cryptographic key in cleartext.[42] In this case, the
virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is
encrypted with a different key for each infected file, the only part of the virus that remains constant is
the decrypting module, which would (for example) be appended to the end. In this case, a virus
scanner cannot directly detect the virus using signatures, but it can still detect the decrypting
module, which still makes indirect detection of the virus possible. Since these would be symmetric
keys, stored on the infected host, it is in fact entirely possible to decrypt the final virus, but this is
probably not required, since self-modifying code is such a rarity that it may be reason for virus
scanners to at least flag the file as suspicious.[citation needed]
An old, but compact, encryption involves XORing each byte in a virus with a constant, so that the
exclusive-or operation had only to be repeated for decryption. It is suspicious for a code to modify
itself, so the code to do the encryption/decryption may be part of the signature in many virus
definitions.[citation needed]
Some viruses will employ a means of encryption inside an executable in which the virus is encrypted
under certain events, such as the virus scanner being disabled for updates or the computer being
rebooted. This is called Cryptovirology. At said times, the executable will decrypt the virus and
execute its hidden runtimes infecting the computer and sometimes disabling the antivirus software.