Next Generic Detection of Viruses
Previous Computer viruses and worms
Up Background

Virus detection, removal and analysis

Anti-virus software seeks to detect all viral infections on a given computer system and to restore each infected program to its original uninfected state, if possible.

There are a variety of complementary anti-virus techniques in common usage; taxonomies are given in [Spafford1991, Kephart et al. 1993]. Activity monitors alert users to system activity that is commonly associated with viruses, but only rarely associated with the behavior of normal, legitimate programs. Integrity management systems warn the user of suspicious changes that have been made to files. These two methods are quite general, and can be used to detect the presence of hitherto unknown viruses in the system. However, they are not often able to pinpoint the nature or even the location of the infecting agent, and they can sometimes flag or prevent legitimate activity, disrupting normal work or leading the user to ignore their warnings altogether.
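The following is an added illustration of the integrity-management approach just described; it is not code from the paper. It keeps a SHA-256 baseline of a constructed, in-memory "disk" (the paths and file contents are made up) and reports every file whose digest no longer matches. Run it and note what the report does not contain: an appending virus and a legitimate patch produce the same kind of entry, and nothing says which bytes changed.

```python
import hashlib
from typing import Dict, List

# Constructed stand-in for a small disk (path -> contents). Names and bytes
# are made up for this example; nothing here is a real program or virus.
BASELINE_FS: Dict[str, bytes] = {
    "C:/DOS/COMMAND.COM": b"MZ" + b"\x00" * 16 + b"shell code",
    "C:/APPS/EDIT.EXE": b"MZ" + b"editor code" * 4,
    "C:/APPS/CALC.EXE": b"MZ" + b"calculator code" * 3,
}

# Constructed stand-in for a virus body that an appending virus tacks onto a host.
TOY_VIRUS_BODY = b"\xe9\x00\x00" + b"V" * 24


def build_baseline(fs: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 digest of every monitored file.

    The baseline is the trust anchor: it must be kept where code running with
    the user's privileges cannot rewrite it (offline media, or signed),
    otherwise the check reduces to trusting the possibly infected machine.
    """
    return {path: hashlib.sha256(data).hexdigest() for path, data in fs.items()}


def check_integrity(baseline: Dict[str, str], fs: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the current files with the baseline.

    Returns the paths that were modified, added or removed, and nothing more:
    a changed digest gives no hint of what changed, where in the file, or
    whether a virus or a legitimate update caused it.
    """
    current = build_baseline(fs)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def append_to_file(fs: Dict[str, bytes], path: str, payload: bytes) -> Dict[str, bytes]:
    """Return a copy of fs with payload appended to one file. An appending
    virus and a legitimate patch look identical to the integrity checker."""
    updated = dict(fs)
    updated[path] = fs[path] + payload
    return updated


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FS)
    disk = append_to_file(BASELINE_FS, "C:/APPS/EDIT.EXE", TOY_VIRUS_BODY)  # infection
    disk = append_to_file(disk, "C:/APPS/CALC.EXE", b"bugfix patch")        # legitimate update
    disk["C:/APPS/NEW.EXE"] = b"MZ" + b"freshly installed"                  # new program
    for kind, paths in check_integrity(baseline, disk).items():
        print(f"{kind}: {paths}")
```

The two modified entries are indistinguishable in the report; deciding which one is an infection is exactly the job the scanner and verifier described next take over.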

Virus scanners search files, boot records, memory, and other locations where executable code can be stored for characteristic byte patterns (called "signatures") that occur in one or more known viruses. Providing much more specific detection than activity monitors and integrity management systems, scanners are essential for establishing the identity and location of a virus. Armed with this very specific knowledge, disinfectors, which restore infected programs to their original uninfected state, can be brought into play. The drawback of scanning and repair mechanisms is that they can be applied only to known viruses, or variants of them. Furthermore, each individual virus strain must be analyzed in order to extract both a signature and information that permits a disinfector to remove the virus. Scanners and disinfectors require frequent updates as new viruses are discovered, and the analysis can entail a significant amount of effort on the part of human virus experts.

Whenever a new virus is discovered, it is quickly distributed among an informal, international group of anti-virus experts. Upon obtaining a sample, a human expert disassembles the virus and then analyzes the assembler code to determine the virus's behavior and the method that it uses to attach itself to host programs. Then, the expert selects a "signature" (a sequence of perhaps 16 to 32 bytes) that represents a sequence of instructions that is guaranteed to be found in each instance of the virus, and which (in the expert's estimation) is unlikely to be found in legitimate programs. This signature can then be encoded into the scanner. The attachment method and a description of the machine code of the virus can be encoded into a verifier, which verifies the identity of a virus that has been found by the scanner. Finally, a reversal of the attachment method can be encoded into a disinfector.
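The scanner, verifier and disinfector pipeline of the last two paragraphs, as an added worked example (not code from the paper or from any real anti-virus product). It assumes a toy attachment method: a COM-style host with no header, loaded at offset 0x100, whose first three bytes are overwritten with a 3-byte near jump (E9 plus a 16-bit displacement) to a body appended at the end of the file, the body holding the virus code followed by the host's saved three bytes. The virus code, the host and the "known clean" programs are constructed filler bytes; they do nothing and are not real programs. The signature selection step is the expert's check from the text made mechanical for the toy: take the first 16-byte window of the virus code that occurs in no known-clean program.

```python
import struct
from typing import List, Optional, Tuple

# Constructed stand-in for a virus's machine code: 24 opaque filler bytes,
# not a working program of any kind.
VIRUS_CODE = bytes.fromhex("60e800005e83ee06b440b91b00cd218a841800880461c390")

SIG_LEN = 16   # the paper's "16 to 32 bytes"; 16 here
JMP_LEN = 3    # E9 disp16: a 3-byte near jump overwrites the host's first 3 bytes
SAVED_LEN = JMP_LEN

# Constructed known-clean programs. The second deliberately shares the first
# 16 bytes of VIRUS_CODE (think of a common library routine), so a naively
# chosen signature would false-positive on it.
CLEAN_CORPUS: List[bytes] = [
    b"MZ" + b"editor code" * 4,
    b"\x90" * 8 + VIRUS_CODE[:16] + b"\xc3",
]
# Constructed COM-style host (21 bytes of filler standing in for a program).
HOST = b"\xb4\x09\xba\x08\x01\xcd\x21\xc3Hello, world$"


def infect(host: bytes) -> bytes:
    """Toy attachment: append [VIRUS_CODE][host's original first 3 bytes] and
    overwrite the first 3 bytes with a jump to the body. A COM image loads at
    0x100, so a jump at its start with displacement body_offset - 3 (relative
    to the end of the 3-byte jump) lands exactly on the appended body."""
    if len(host) < JMP_LEN or len(host) - JMP_LEN > 0xFFFF:
        raise ValueError("host too small or too large for this toy attachment")
    body_offset = len(host)
    stub = b"\xe9" + struct.pack("<H", body_offset - JMP_LEN)
    return stub + host[JMP_LEN:] + VIRUS_CODE + host[:JMP_LEN]


def choose_signature(virus_code: bytes, clean_corpus: List[bytes],
                     length: int = SIG_LEN) -> Optional[Tuple[bytes, int]]:
    """Pick the first `length`-byte window of the virus code that appears in
    no known-clean program. Returns (signature, offset of it within the body)."""
    for i in range(len(virus_code) - length + 1):
        cand = virus_code[i:i + length]
        if not any(cand in prog for prog in clean_corpus):
            return cand, i
    return None


def scan(data: bytes, signature: bytes) -> int:
    """Scanner: plain byte-pattern search. Offset of the first hit, or -1."""
    return data.find(signature)


def verify(data: bytes, sig_offset: int, sig_offset_in_body: int) -> Optional[int]:
    """Verifier: confirm a scanner hit is a real instance of this attachment
    (jump stub present, displacement points at the body, body matches, file
    length consistent). Returns the body offset, or None for a false positive."""
    body = sig_offset - sig_offset_in_body
    if body < JMP_LEN or len(data) != body + len(VIRUS_CODE) + SAVED_LEN:
        return None
    if data[0] != 0xE9 or struct.unpack("<H", data[1:JMP_LEN])[0] != body - JMP_LEN:
        return None
    if data[body:body + len(VIRUS_CODE)] != VIRUS_CODE:
        return None
    return body


def disinfect(data: bytes, body: int) -> bytes:
    """Disinfector: reverse the attachment. Only safe after verify() succeeded,
    since it trusts the saved bytes and the body offset."""
    saved = data[body + len(VIRUS_CODE): body + len(VIRUS_CODE) + SAVED_LEN]
    return saved + data[JMP_LEN:body]


if __name__ == "__main__":
    sig, off = choose_signature(VIRUS_CODE, CLEAN_CORPUS)
    infected = infect(HOST)
    hit = scan(infected, sig)
    body = verify(infected, hit, off)
    print(f"signature {sig.hex()} (body offset {off}); scanner hit at {hit}, body at {body}")
    print("disinfected == original host:", disinfect(infected, body) == HOST)
    naive = VIRUS_CODE[:16]
    naive_hit = scan(CLEAN_CORPUS[1], naive)
    print(f"naive signature hits a clean program at {naive_hit};",
          "verifier says", verify(CLEAN_CORPUS[1], naive_hit, 0))
```

The split of roles is the point: the scanner is cheap and approximate, the verifier carries the knowledge of the attachment method and rejects hits that do not fit it, and the disinfector is only ever run on a verified offset. Real file formats and real attachment methods are far messier than this toy, which is why the text describes the analysis as hours or days of expert work.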

Virus analysis is tedious and time-consuming, sometimes taking several hours or days, and even the best experts have been known to select poor signatures -- ones that cause the scanner to report false positives on legitimate programs. Alleviation of this burden is by itself enough to warrant a serious attempt to automate virus analysis. The anticipated speed with which viruses of the future may spread is an even stronger argument in favor of endowing anti-virus software with the ability to deal with new viruses on its own. The rest of this paper describes two techniques for achieving this goal.

