This page contains unstructured notes I wrote a long time ago. They are in need of organization…
2010
Timeline of widespread computer viruses: all the viruses on this page (except for three) that appeared after the release of Windows XP Service Pack 2 (August 2004) were spread not by a vulnerability in Windows but by social engineering: users are fooled into executing the virus, which poses as something beneficial (a trojan horse). The three exceptions are Bifrost, Conficker, and Stuxnet.
Since 2006 I have been convinced that HIPS (Host Intrusion Prevention System) is the answer. I have mainly used standalone HIPS programs. Mainstream security is coming out as “security suites”, which include HIPS integrated with a network firewall.
“Code injection” can be used to infect operating system files, rendering all antivirus software that runs on the infected operating system unable to detect the virus. The file hashes stored in Windows to identify altered Windows files can also be overwritten, so that the “System File Checker” reports that the system files are originals.
2012
Read request intercepts
While some antivirus software employs various techniques to counter stealth mechanisms, once the infection has occurred any attempt to clean the system is unreliable. In Microsoft Windows operating systems the NTFS file system is proprietary, and direct access to files without going through the Windows OS is undocumented. This leaves antivirus software little alternative but to send a read request to the Windows OS files that handle such requests. Some viruses trick antivirus software by intercepting its requests to the OS. A virus can hide itself by intercepting the request to read the infected file, handling the request itself, and returning an uninfected version of the file to the antivirus software. The interception can be achieved by code injection into the actual operating system files that would handle the read request. Thus antivirus software attempting to detect the virus will either not be given permission to read the infected file, or the read request will be served with the uninfected version of the same file.
The file hashes stored in Windows to identify altered Windows files can likewise be overwritten, so that the System File Checker reports that the system files are originals.
The only reliable method to avoid stealth is to boot from a medium that is known to be clean. Security software can then check the dormant operating system files without the infected OS mediating the reads. One shortcoming of most security software is that it relies on virus signatures or employs heuristics, instead of also using a database of file hashes for every Windows OS file ever shipped. Scanning for altered files by hash would guarantee that code injection into Windows files is found: the security software can identify the altered files and request the Windows installation media to replace them with authentic versions.
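The hash-based check described above, as an added example that is not the author's tool: it walks a dormant OS volume (assumed mounted read-only from a clean boot medium, so the read-request interception above cannot serve it clean copies) and compares every file against a manifest of known-good SHA-256 values, reporting altered, missing and unknown files. The manifest, the `System32` paths and the file contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large OS binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_volume(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file under `root` (the dormant OS volume) against a manifest
    of relative POSIX path -> SHA-256 hex digest obtained from a trusted source.
    Returns files whose hash differs (altered), manifest entries with no file
    on disk (missing), and files on disk the manifest knows nothing about (unknown)."""
    report: dict[str, list[str]] = {"altered": [], "missing": [], "unknown": []}
    seen: set[str] = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            report["unknown"].append(rel)
        elif sha256_file(path) != expected:
            report["altered"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed sample volume: one intact file, one file with bytes appended
    (simulating an injected OS file), one dropped file the manifest does not list,
    and one manifest entry whose file has been deleted from the volume."""
    root = Path(tempfile.mkdtemp())
    (root / "System32").mkdir()
    good = {
        "System32/kernel.sys": b"original kernel code",
        "System32/ntfs.sys": b"original ntfs code",
        "System32/deleted.dll": b"was here once",
    }
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in good.items()}
    (root / "System32" / "kernel.sys").write_bytes(good["System32/kernel.sys"])
    (root / "System32" / "ntfs.sys").write_bytes(good["System32/ntfs.sys"] + b"<injected>")
    (root / "System32" / "extra.dll").write_bytes(b"dropped file")
    return verify_volume(root, manifest)
```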
https://www.huffpost.com/entry/flame-malware-middle-east_n_1552981 “Stuxnet, Duqu and Flame are all examples of cases where we – the antivirus industry – have failed,” Hypponen said in a blog post. “All of these cases were spreading undetected for extended periods of time.”
I tried one of my tools, along with a file I know to be malware, on a website that tests a file for malware using dozens of security products. A harmless key generator from Core gets a false positive from 36/47 antivirus products. An annoying, commercial, behind-your-back adware downloader only got a positive from 6/47 antivirus products. Unbelievable!