In 1990 I found some computer viruses on the school computers (Datalock
and StarDot 801). So I copied them and tried to look at how they work
(I used a hex editor, a debugger and a disassembler to reach this point).
Then I was able to obtain about 30 viruses of various types: boot viruses,
COM-EXE infectors, MBR and TSR viruses, encrypted viruses, stealth viruses. With this
collection of viruses I gained good virus knowledge, so I decided to build a new
kind of antivirus program.
In that period, the scanner type of antivirus was the most used for finding a program infected by a virus. The method is simple: check whether the file being tested contains a virus pattern previously extracted from the virus. If the pattern is significant (specific enough to that virus), we are able to find the virus without false alerts.
On the other side, there was the heuristic technique that had been developed for antivirus. A heuristic is a method that tries to "execute" the program under test to find whether it uses operations typical of a virus. The "execution" of the program may happen in a simulated environment, or may be only an on-the-fly disassembly of the program looking for those virus operations.
The best advantage of heuristic antivirus is that it can find unknown viruses, but the disadvantage is that it can produce many false detections, and finally it is difficult to build this kind of antivirus.
Scan antivirus is, instead, very simple to program, but it must be updated frequently, because it is not capable of finding unknown viruses.
When I chose what kind of antivirus to develop, I followed these points:
In fact, all viruses infect other programs, but they must not become visible to the users, so one program should not be infected more than one time. Otherwise the user may become suspicious: if you use an (infected) program of 100 Kbyte every day, and a virus of 1 Kbyte reinfects that program at every execution, then the program may grow up to 500 Kbyte, so the user may notice a drop in system performance.
So all viruses use some technique to avoid a double infection of an already
infected program (or at least, I think, the majority of them, because there are
some viruses that don't use these).
Some techniques are very sophisticated, others are very simple and similar to the scan
technique (the virus searches for part of its body in the program to infect, but
it searches at a given position, so this is better than what a scanner does).
The same argument is valid for Terminate and Stay Resident (TSR) viruses. A TSR virus takes control of the machine, so when you launch a program, it may infect that program; but if the program being executed is already infected, that program would install another copy of the virus in memory, and so on. So when a virus is executed, it checks whether it is already in memory, and otherwise it installs itself in memory.
So this was my idea: why not reproduce this virus self-check code to find the virus?
With these concepts I built the SVDL (Step Virus Detect Language) and (planned) the MVDL (Memory Virus Detect Language)...
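The following is an added illustration of the "step detect" idea, not the page's own SVDL code: a rule is a short list of position-specific checks that mirrors how an infector recognises an already-infected host, and the same constructed file is run through a plain pattern scanner to show why the positional check raises fewer false alerts. All byte patterns, the marker tag and the file images are constructed placeholders, not real virus signatures.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Step:
    """One check, in the spirit of an infector's own 'am I already here?' test."""
    where: str     # "start" or "end": the edge the offset is measured from
    offset: int    # byte offset from that edge
    expect: bytes  # bytes the self-check would expect to find there


def step_detect(image: bytes, steps: List[Step]) -> bool:
    """Apply the steps in order; flag the file only if every step holds."""
    for s in steps:
        pos = s.offset if s.where == "start" else len(image) - s.offset
        if pos < 0 or pos + len(s.expect) > len(image):
            return False          # file too short for this check: not infected
        if image[pos:pos + len(s.expect)] != s.expect:
            return False
    return True


def pattern_scan(image: bytes, pattern: bytes) -> bool:
    """Classic scanner: flag if the pattern appears anywhere in the file."""
    return pattern in image


# Constructed rule for a hypothetical COM appender: it overwrites the first byte
# with a near JMP (0xE9) into its body and keeps an ID tag as the last 4 bytes.
MARKER = b"TAG!"                       # constructed placeholder tag
RULE = [Step("start", 0, b"\xE9"), Step("end", 4, MARKER)]


def make_infected(host: bytes) -> bytes:
    """Build a constructed 'infected' image: JMP + rest of host + body + tag."""
    body = b"\x90" * 16                # placeholder virus body
    return b"\xE9\x10\x00" + host[3:] + body + MARKER   # displacement is a placeholder


# Constructed sample files.
CLEAN_HOST = b"\xB8\x00\x4C\xCD\x21" + b"\x00" * 20
# A clean program whose data happens to contain the tag text, in the wrong place.
CLEAN_WITH_TAG = b"\xB8" + b"Hello TAG! world" + b"\xCD\x21"
```

On these inputs the plain scanner flags CLEAN_WITH_TAG because the tag occurs somewhere in the file, while the step rule does not, since neither the leading JMP nor the tag at the expected end position is present.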
Tognon Stefano programs