The virus developers know that the secret to remaining active is to hide as much as possible. In this video, you’ll learn how virus programmers use obfuscation to create armored viruses.
<< Previous Video: Polymorphic MalwareNext: Man-in-the-Middle Attacks >>
The malware authors and the anti-malware authors are in a race with each other. The malware authors want to get their software distributive on as many systems as possible without being infected, and the anti-malware authors want to be able to create protections so that they’re able to stop this malware as quickly as possible. One thing that the malware authors do is try to obfuscate or make their code a little bit harder to understand by creating an armour around they’re malware.
One of the first things anti-virus and anti-malware authors do is they tell their code inside of their executable to jump other places should something start scanning. In this way, they’re able to take the anti-virus scanners and have them go elsewhere rather than looking at the actual code of their virus. Ultimately, the anti-virus researcher is going to identify this executable as something that is malicious and they’re going to deconstruct this code. They effectively disassemble it so they can view the actual machine code used by this virus and they start examining exactly how it works. The virus author knows this is going to happen. So they’ve added obfuscation or they’ve made the code more confusing by adding unnecessary code or nonsense code. And the researcher still has to go through all of this nonsense code to try to determine where the real virus is and where all the obfuscate code might be.
This is where the race really happens because as long as a signature is not created for this virus or this malware it can continue to be installed on everybody’s computer. The anti-virus researcher of course wants to create a signature and get that out to everybody who’s running their anti-virus software. The longer it takes for that anti-virus researcher to find the code and create a signature, the longer that virus is going to be active out in the wild.