Monday, June 6, 2011

How antivirus software works and detects viruses

Hello friends, today I will explain how anti-virus software works and how it detects viruses. Most of you already know what an anti-virus is, but have you ever tried to understand how it works and why it needs updates so regularly? How does it search a file for a virus, recognise it, and then remove it or heal the file? Anti-virus work rests on two basic techniques:
1. Dictionary-based continuous and fragmented string search (signature matching)
2. Suspicious activity detection (watching what a process does while it runs)

How does anti-virus software work

So friends, let's start learning how an anti-virus works: how it detects a virus and then removes it or heals the infected file.

Dictionary-based continuous and fragmented string search:

As the technique's name suggests, the dictionary is the virus definition database, which is updated as soon as a new virus is found (usually caught first by the second technique, or submitted by users). In a dictionary-based search the anti-virus compares the bytes of a file against the strings (signatures) stored in the definition database. A continuous signature must appear in the file as one unbroken run of bytes; a fragmented signature is several shorter pieces that must appear in order, with a bounded gap of arbitrary bytes allowed between them.
Now consider a hypothetical example for better understanding. Suppose you have a file whose code is something like this:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
When a virus infects a file, it manipulates the original file and adds some extra code or functionality to it, so that the behaviour of the file changes and differs from its normal functioning. After infection the file becomes something like this:
ABCDEFGHIJKLMNOPQRSTUVWXYZ012345
where 012345 is the string the virus has attached to the file.
What the anti-virus database contains is that string, 012345. The scanner matches the strings in the database against the contents of the program, and if one matches it identifies the file as infected.
Note: all of this matching is done on the binary contents of the file, typically an executable, not on readable source text.
Now suppose you manipulate the virus string 012345 and insert some dead code between its characters, something like this:
0a1a2a3a4a5a. What we have done is add the character 'a' between the parts of the virus string, attached in such a way that the 'a' does not affect the processing of the virus itself. We have effectively made a new virus: this byte sequence is not in the anti-virus database, so a continuous signature no longer matches it.
How can you add dead code? Consider the string 0a1a2a3a4a5a: the virus reads it one character at a time, and whenever the character 'a' is found it skips it; otherwise it appends the character to a new variable, which is then used for the rest of the processing. This is how a virus is made undetectable by a continuous signature. Two caveats: a fragmented signature that allows a small gap between the pieces 0, 1, 2, 3, 4, 5 still matches, and the decoder loop itself is a fixed piece of code that can be signatured in turn.
Note: the suspicious activity technique may also still detect it, because the functionality of the virus string is unchanged.
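The following is an added example (not code from the original post) of the two signature styles described above, run over the post's hypothetical ABC.../012345 files. The sample files, the signature names and the dead-byte decoder are all constructed for illustration. The continuous signature misses the obfuscated file, the fragmented one catches it, and the last function is the decoder loop that the obfuscated virus itself has to carry.

```python
"""Minimal dictionary-based scanner: continuous vs. fragmented signatures.

Added example; the "files", signature names and payload bytes are constructed
to follow the blog post's hypothetical illustration, not real malware.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Signature:
    name: str
    fragments: list = field(default_factory=list)  # one element == continuous signature
    max_gap: int = 0  # how many arbitrary bytes may sit between two fragments

    def pattern(self) -> re.Pattern:
        # Each fragment is matched literally; between fragments we allow
        # up to max_gap junk bytes. With a single fragment this is a plain
        # substring search, i.e. a continuous signature.
        parts = [re.escape(f) for f in self.fragments]
        gap = b".{0,%d}" % self.max_gap
        return re.compile(gap.join(parts), re.DOTALL)


def scan(data: bytes, signatures) -> list:
    """Return the names of every signature that matches the file bytes."""
    return [s.name for s in signatures if s.pattern().search(data)]


def strip_dead_bytes(data: bytes, dead: int = ord("a")) -> bytes:
    """The decoder the obfuscated virus must carry: read byte by byte and
    skip every dead byte, keeping the rest. Its loop is itself a constant
    that a scanner can signature."""
    return bytes(b for b in data if b != dead)


# Constructed sample "files" following the post's example.
CLEAN = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
INFECTED = CLEAN + b"012345"            # virus string appended unchanged
OBFUSCATED = CLEAN + b"0a1a2a3a4a5a"    # same virus with dead byte 'a' interleaved

# Constructed signature database (names are hypothetical).
SIGNATURES = [
    Signature("Dummy.A (continuous)", [b"012345"]),
    Signature("Dummy.A (fragmented)",
              [b"0", b"1", b"2", b"3", b"4", b"5"], max_gap=1),
]

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("infected", INFECTED),
                        ("obfuscated", OBFUSCATED)):
        print(f"{label:11s} -> {scan(blob, SIGNATURES)}")
    print("decoded payload:", strip_dead_bytes(b"0a1a2a3a4a5a"))
```

One-byte fragments with a one-byte gap are far too loose for a real database (they would match a lot of innocent files); real fragmented signatures pin longer runs and restrict the gap, which is exactly the trade-off between catching small edits like this one and raising false positives.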

That is the main reason why an anti-virus needs regular updates: the vendors add newly detected strings to their database every day so that users stay protected.

We can also bypass signature matching using crypters, but as we want to learn this properly rather than act as script kiddies, I prefer to do it by manual editing rather than with tools. If you do it with a tool you will never find out how it actually happens, and the day the crypter becomes detectable your virus becomes detectable along with it. So friends, I recommend that you never depend on tools for hacking, for two reasons:
1. You will never learn what is really happening, which means no knowledge. When the tool becomes detectable you are a noob again.
2. Many of the tools available online are themselves infected with key-loggers and spy Trojans that inspect your system and send your personal credentials to the people who built them.

Suspicious activity detection:


This is the most effective way to detect misbehaviour on your system, because it is not based on searching for strings at all; it depends on how programs and files behave while they are executed. The anti-virus has a model of what a normal program should do when it runs uninfected, and it watches each process as it executes. If a program does something it should not, such as writing into other programs' executables, tampering with protected Windows files, or installing itself to run at start-up, the anti-virus identifies it as a virus and terminates the program and the processes related to it. That is also why patches and key-gens are so often flagged: a patch (or a key-gen that patches the target) writes into another application's executable on disk, which is the same action a file-infecting virus performs.
The main drawback of this technique is that it can be annoying: sometimes it flags legitimate files as viruses too (false positives). But if you want to keep your PC safe, you should do what your anti-virus suggests.
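To make the behaviour-based idea concrete, here is an added example (not the post's own code, and not any vendor's engine) of a toy monitor that scores a stream of process events against a few rules of the kind described above. The event log, process names, paths and weights are all constructed for illustration; the threshold is a hypothetical choice.

```python
"""Toy suspicious-activity detector: score process events against rules.

Added example with constructed data. The rules mirror the behaviours the post
names (writing into another program's executable, touching protected Windows
files, persisting at start-up); the weights and threshold are made up.
"""
from collections import defaultdict

# Constructed event log: (pid, process name, action, target).
# These lines are invented for the example, not captured from a real host.
EVENTS = [
    (101, "notepad.exe", "file_write", "C:\\Users\\me\\notes.txt"),
    (202, "patch.exe",   "file_write", "C:\\Program Files\\Tool\\tool.exe"),
    (303, "dropper.exe", "file_write", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
    (303, "dropper.exe", "reg_set",
     "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
    (303, "dropper.exe", "net_connect", "203.0.113.5:4444"),
]

PROTECTED_PREFIXES = ("c:\\windows\\",)
AUTORUN_KEYS = (
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
)
THRESHOLD = 2  # hypothetical: at or above this score a process is flagged


def score_event(action: str, target: str):
    """Return (points, reason) for one event, or (0, None) if it looks benign."""
    t = target.lower()
    if action == "file_write" and t.startswith(PROTECTED_PREFIXES):
        return 3, "writes a protected Windows file"
    if action == "file_write" and t.endswith((".exe", ".dll")):
        # Writing into an executable is what a file-infecting virus does,
        # and also what a crack/patch does, hence the false positives.
        return 2, "modifies an executable on disk"
    if action == "reg_set" and t.startswith(AUTORUN_KEYS):
        return 3, "installs an autorun (start-up) entry"
    if action == "net_connect":
        return 1, "opens an outbound network connection"
    return 0, None


def evaluate(events):
    """Aggregate scores per process: name -> (total score, list of reasons)."""
    totals = defaultdict(lambda: [0, []])
    for _pid, name, action, target in events:
        points, reason = score_event(action, target)
        totals[name][0] += points
        if reason:
            totals[name][1].append(reason)
    return {name: (score, reasons) for name, (score, reasons) in totals.items()}


def flagged(events, threshold: int = THRESHOLD):
    """Names of processes whose behaviour score reaches the threshold."""
    return [name for name, (score, _) in evaluate(events).items()
            if score >= threshold]


if __name__ == "__main__":
    for name, (score, reasons) in evaluate(EVENTS).items():
        verdict = "FLAGGED" if score >= THRESHOLD else "ok"
        print(f"{name:12s} score={score} {verdict} {reasons}")
```

Note that the rules never look at the bytes of patch.exe or dropper.exe, so the dead-byte trick from the previous section does nothing against them; the price is that patch.exe is flagged for doing exactly what the user asked it to do.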
Also note one more thing: many of the patches and key-gens used to crack software are themselves infected with Trojans, identity-theft programs that steal your personal information and send it to the attacker. Some patches also contain back-doors that leave your system open to attack, much like leaving the main gate of your house open for thieves at night... :P but it's the truth...

So the lesson of this article: stop using pirated software and the cracks that patch it, or you can land in serious trouble. The solution is simple: use trusted freeware alternatives to paid tools rather than their cracked versions...

6 comments:

  1. Interesting sharing...
    Keep it up
  2. Thanks buddy.
    For around 1 week I was thinking of making an antivirus; you gave me a start.
    Sorry for the trouble, I need a database of some viruses.
    Also, how do a trojan and salinity work?
  3. Ohhhhhhh, now I understand how it really works...

    Thanks for this info and keep posting all these nice articles, bro...

    http://dark-hackerz.blogspot.com/
  4. Good one, Adnan, you're rocking, yaar
  5. Sir, I want to know: I'm using a lot of pirated hacking software, so it may be possible that my system is also hacked!!
    Can you tell me what I can do now?