The present invention relates generally to the field of computer virus detection and prevention software, and more particularly to emulator-based antivirus software in which a file is executed in a simulated computer in order to reveal possible damaging effects. The simulated computer described herein may also be used for other kinds of software testing.
Computer viruses typically work by making copies of themselves and in some manner attaching the copies to other executable programs. The copies can be identical to the original, they can be encrypted with a small, static decryptor that unpacks the virus at runtime, or they can be polymorphic. Polymorphic viruses are either encrypted with a decryptor that changes from copy to copy, or they are truly polymorphic in the sense that the code of the virus body itself is rearranged from copy to copy.
Computer worms also make copies of themselves, but they do not attach to other programs. Instead they attempt to spread, primarily by network connections, to other computers.
A trojan horse program does not make copies of itself, but instead attempts to perform some action of which the user on the particular machine would not approve. This can range from deleting files to disclosing sensitive information like passwords and user documents.
In the field of detecting computer viruses and other malicious software a limited number of techniques have historically been used, including for example string-scanning, checksum mapping, integrity checking, behavior blocking and heuristic analysis.
String-scanning:
Perhaps the most well known detection technique is string-scanning, where the detecting program (hereafter called the antivirus program) searches inside a possibly infected executable program (hereafter called Ptest) for a sequence of bytes known to exist in a virus.
Ex:
Clean DOS COM program: E8 06 00 B4 4C CD 21 CD 20 B4 09 . . .
Infected DOS COM program: 91 B4 4E BA 38 01 CD 21 73 01 C3 B8 02 3D 99 B2 . . .
In this case, it would be sufficient to look for a byte sequence taken from the infected program shown above to be able to determine that Ptest was actually overwritten with a variant of the Trivial virus. This technique has proven very useful over the years and is still in use.
Checksum Mapping:
A variation on this technique is not to look for a specific sequence of bytes, but instead to compute a checksum (typically a CRC) over selected bytes of Ptest and check whether the resulting checksum, or system of checksums, matches the checksums recorded for a known virus. The benefit of this approach is that the search time can be significantly reduced, since the algorithms involved are typically table lookups instead of sequential compare operations.
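The two pattern-matching techniques above, string-scanning and checksum mapping, as an added example (this is illustrative code written for this page, not code from the patent or from any antivirus product). The two COM byte sequences are the ones shown in the example above; the signature pattern and CRC region chosen from them are this example's own hypothetical database entries, not a published Trivial signature, and the padded "file" is a constructed sample.

```python
import zlib

# Byte sequences reproduced from the page's example; the page truncates both with ". . .".
CLEAN_COM = bytes.fromhex("E8 06 00 B4 4C CD 21 CD 20 B4 09")
INFECTED_COM = bytes.fromhex("91 B4 4E BA 38 01 CD 21 73 01 C3 B8 02 3D 99 B2")

# Hypothetical string-scanning database: name -> byte sequence known to occur in the virus.
# The pattern is lifted from the infected sample above purely for illustration.
STRING_SIGNATURES = {
    "Trivial.variant (illustrative)": bytes.fromhex("B4 4E BA 38 01 CD 21 73 01 C3 B8 02 3D"),
}

# Hypothetical checksum-mapping database: (offset, length) region -> {crc32: name}.
# The scanner computes one CRC per region and does a dictionary lookup instead of
# comparing byte sequences one by one.
def crc_region(data, offset, length):
    chunk = data[offset:offset + length]
    return zlib.crc32(chunk) if len(chunk) == length else None

CRC_SIGNATURES = {
    (1, 12): {crc_region(INFECTED_COM, 1, 12): "Trivial.variant (illustrative)"},
}

def string_scan(ptest, signatures=STRING_SIGNATURES):
    """Sequential search: names of every signature whose bytes occur anywhere in ptest."""
    return [name for name, pattern in signatures.items() if pattern in ptest]

def checksum_scan(ptest, table=CRC_SIGNATURES):
    """Table lookup: one CRC per configured region, then a dictionary lookup."""
    hits = []
    for (offset, length), crcs in table.items():
        name = crcs.get(crc_region(ptest, offset, length))
        if name is not None:
            hits.append(name)
    return hits

def scan_file(ptest):
    """Run both detectors over one file image and report what each one found."""
    return {"string": string_scan(ptest), "checksum": checksum_scan(ptest)}

def constructed_com_file(code, size=64):
    """Constructed sample: the given code followed by zero padding, standing in for a real COM file."""
    return code + b"\x00" * (size - len(code))
```

Note the trade-off the two methods make visible: a checksum signature is bound to a fixed region, so `checksum_scan(b"\x90" + INFECTED_COM)` misses a sample whose code is shifted by a single byte, while `string_scan` still finds it; the string scan, in return, costs a full sequential search per signature.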
The two previous methods are pattern-matching methods that detect viruses which are already known, i.e. the antivirus program knows in advance what to look for in a file. A great challenge today, however, is to detect unknown viruses, worms and trojans. A few methods have been developed for this purpose as well:
Integrity Checking:
Integrity checking systems detect modification of files and systems after the modifications have taken place. This technique will detect possible detrimental effects, but not stop them.
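An integrity checker of the kind just described, as an added example written for this page (not code from the patent): a baseline of per-file hashes is recorded while the system is believed clean, and a later pass reports files that were modified, added or removed since then. The file names and contents are constructed samples (the COM byte sequences are the ones from the page's example, with the clean program overwritten by the infected one to model an overwriting infector); the HMAC over the baseline is this example's own addition, so that an attacker who can rewrite files cannot also silently rewrite the baseline.

```python
import hashlib
import hmac
import json

def build_baseline(files, key):
    """files: {path: bytes}. Returns a hash manifest plus an HMAC over it, keyed with `key`
    (the key must be kept somewhere the scanned system cannot modify)."""
    entries = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}

def baseline_is_trusted(baseline, key):
    """True only if the manifest still carries a valid HMAC under `key`."""
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, baseline["mac"])

def verify(baseline, files, key):
    """Compare the current file set against the baseline. This only ever reports
    changes after the fact; it cannot prevent them."""
    if not baseline_is_trusted(baseline, key):
        raise ValueError("baseline manifest failed authentication")
    entries = baseline["entries"]
    return {
        "modified": sorted(p for p in files if p in entries
                           and hashlib.sha256(files[p]).hexdigest() != entries[p]),
        "added": sorted(p for p in files if p not in entries),
        "removed": sorted(p for p in entries if p not in files),
    }

# Constructed sample: a clean snapshot, then the same system after an overwriting
# infector replaced HELLO.COM and dropped a new file.
CLEAN_COM = bytes.fromhex("E8 06 00 B4 4C CD 21 CD 20 B4 09")
INFECTED_COM = bytes.fromhex("91 B4 4E BA 38 01 CD 21 73 01 C3 B8 02 3D 99 B2")
SNAPSHOT_BEFORE = {"HELLO.COM": CLEAN_COM, "UTIL.COM": b"\xC3" * 16}
SNAPSHOT_AFTER = {"HELLO.COM": INFECTED_COM, "UTIL.COM": b"\xC3" * 16, "DROP.COM": INFECTED_COM}
BASELINE_KEY = b"constructed-example-key"   # hypothetical; real keys come from a protected store

def demo_report():
    baseline = build_baseline(SNAPSHOT_BEFORE, BASELINE_KEY)
    return verify(baseline, SNAPSHOT_AFTER, BASELINE_KEY)

def demo_tampered_baseline():
    """Model an attacker updating the manifest to hide the infection: the HMAC no longer verifies."""
    baseline = build_baseline(SNAPSHOT_BEFORE, BASELINE_KEY)
    baseline["entries"]["HELLO.COM"] = hashlib.sha256(INFECTED_COM).hexdigest()
    return baseline_is_trusted(baseline, BASELINE_KEY)
```

The report from `demo_report()` lists HELLO.COM as modified and DROP.COM as added, which is exactly the limitation the text names: by the time the checker runs, the overwrite has already happened.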
Behavior Blocking:
Behavior blocking systems monitor attempts to change files and systems at runtime. This method may stop damaging actions, but requires the target to actually be run, i.e. that the instructions in Ptest are executed on the real CPU. Whenever Ptest is run on the real system there is always a possibility that something goes wrong before the damaging action is blocked.
Heuristics:
A heuristic analysis-type antivirus program examines Ptest for indications that an unknown computer virus may be present. The antivirus program can do this by using the classical pattern-matching algorithms to detect virus fragments or code that is often found in viruses (passive heuristics), or it can attempt to emulate Ptest and examine whether Ptest performs, or may perform, actions that can be damaging (active heuristics). The present invention in certain aspects is an extension to the latter category, active heuristics.
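A passive heuristic of the first kind, as an added example written for this page (not code from the patent or from any product): rather than matching a signature of one known virus, it looks for the code pattern a DOS file infector almost always contains, a chain of INT 21h calls that find files, open them and write to them. The function numbers are the documented DOS INT 21h services (AH=4Eh find first, 4Fh find next, 3Ch create, 3Dh open, 40h write, 43h attributes, 57h file date/time); the weights, the threshold and the lookback window are this example's own choices, not a published heuristic. The clean and infected byte sequences are the page's; the longer "infector" buffer is a constructed sample modelled on the infected fragment so that the full chain is visible.

```python
# x86 16-bit encodings used: B4 ib = mov ah,imm8 ; B8 iw = mov ax,imm16 (little-endian) ; CD 21 = int 21h
INT21 = b"\xCD\x21"

# DOS INT 21h services (selected by AH) that file infectors chain together.
# Weights and threshold are illustrative choices for this example only.
INFECTOR_FUNCS = {
    0x4E: ("find first file", 1),
    0x4F: ("find next file", 1),
    0x3C: ("create file", 1),
    0x3D: ("open file", 1),
    0x40: ("write to file", 2),
    0x43: ("get/set file attributes", 1),
    0x57: ("get/set file date/time", 1),
}
FLAG_THRESHOLD = 3

def int21_functions(code, window=8):
    """Yield (offset, ah) for every INT 21h, taking AH from the closest preceding
    mov ah,imm8 or mov ax,imm16 within `window` bytes. This byte-level lookback is a
    crude stand-in for real disassembly and can misread immediates as opcodes."""
    pos = code.find(INT21)
    while pos != -1:
        ah = None
        for i in range(pos - 1, max(0, pos - window) - 1, -1):
            if code[i] == 0xB4 and i + 1 < pos:       # mov ah, imm8
                ah = code[i + 1]
                break
            if code[i] == 0xB8 and i + 2 < pos:       # mov ax, imm16 -> AH is the high byte
                ah = code[i + 2]
                break
        yield pos, ah
        pos = code.find(INT21, pos + 2)

def heuristic_score(code):
    """Total weight of distinct infector-like DOS calls, plus the evidence behind it."""
    found = {}
    for offset, ah in int21_functions(code):
        if ah in INFECTOR_FUNCS and ah not in found:   # count each service once
            name, weight = INFECTOR_FUNCS[ah]
            found[ah] = (offset, name, weight)
    evidence = sorted(found.values())
    return sum(w for _, _, w in evidence), evidence

def is_suspicious(code):
    return heuristic_score(code)[0] >= FLAG_THRESHOLD

# Samples. The first two are the page's byte sequences (truncated there, so the infected
# fragment shows only the find-first call). The third is constructed: find first *.COM,
# open it read/write, write the virus body over it, close it.
CLEAN_COM = bytes.fromhex("E8 06 00 B4 4C CD 21 CD 20 B4 09")
INFECTED_FRAGMENT = bytes.fromhex("91 B4 4E BA 38 01 CD 21 73 01 C3 B8 02 3D 99 B2")
CONSTRUCTED_INFECTOR = bytes.fromhex(
    "B4 4E BA 38 01 CD 21 73 01 C3"      # mov ah,4Eh ; mov dx,0138h ; int 21h ; jnc ; ret
    "B8 02 3D BA 9E 00 CD 21 93"         # mov ax,3D02h ; mov dx,009Eh ; int 21h ; xchg ax,bx
    "B4 40 B9 2A 00 BA 00 01 CD 21"      # mov ah,40h ; mov cx,2Ah ; mov dx,0100h ; int 21h
    "B4 3E CD 21"                        # mov ah,3Eh ; int 21h
)
```

Run over the page's clean program the score is 0 (its only INT 21h is AH=4Ch, terminate), the truncated infected fragment scores 1 (find first), and the constructed full chain scores 4 and is flagged. The two caveats a practitioner should keep in mind are both visible here: a fragment too short to show the chain is not flagged even though it is malicious, and any legitimate utility that finds, opens and writes files will score the same way, which is why passive heuristics are a hint to be confirmed (for instance by the emulation-based active heuristics the text turns to next) rather than a verdict.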