Techniques used by viruses

To avoid detection by antiviruses, virus creators have developed a series of specialized and complex techniques. Antiviruses have had to adapt to these techniques in order to detect increasingly complex and refined viruses.

The following are some of the most common techniques used by viruses:

Stealth: this is a technique used by permanent (memory-resident) file viruses. Infecting a file necessarily modifies the original file, so the manipulation can in principle be noticed. To avoid this, a resident virus can monitor every operation that would reveal the infection (for example, reading the file's size or contents), intercept it, and return the pre-infection data in place of the information that would betray the virus. This way, the infection goes undetected.

Tunneling: viruses and antiviruses work using similar techniques. Viruses intercept all operating system operations involving files in order to infect every file accessed. Permanent (on-access) antivirus protection also intercepts file operations, in order to verify that the files being accessed are not infected. Using the tunneling technique, a virus is able to locate the original services that the permanent protection has intercepted and call them directly, so the permanent protection never sees the operation.

Self-encryption: the main goal of a virus is to replicate. Antiviruses detect infections by searching for a particular string (the signature) that is identical in every copy of a virus. To avoid detection by this search mechanism (the most common type), some viruses encrypt themselves with a different key each time they infect a file. This way, no two copies of the virus are byte-for-byte identical, and the traditional detection method fails. However, the encryption routine (the decryption code that each copy must carry in order to run) is always the same, so antiviruses can use that routine as the signature for this type of virus.

Polymorphism: in this case, not only do viruses encrypt themselves differently for each infection, but they also change the encryption routine itself. This way, there are no identical copies of the virus, as all of its parts differ from copy to copy. To detect this type of virus, decryption simulation techniques are used, which run the virus's own decryption routine in a controlled way and force the virus to "show itself".
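The contrast between the self-encryption and polymorphism entries above, as an added example that is not part of the original page: a toy decryptor "instruction set", a constructed stand-in for a virus body, and a scanner that tries the three approaches the text describes (body signature, decryptor signature, and signature matching after simulated decryption). Every byte here is constructed for the demonstration; nothing is real malware code.

```python
import random

# Constructed stand-in for a virus body (not real malware). The scanner's
# signature is taken from it, as the page describes for signature scanning.
BODY = b"CONSTRUCTED-SAMPLE-BODY"
BODY_SIGNATURE = BODY[:8]

# Toy decryptor "instruction set": one opcode byte followed by one operand byte.
OP_NOP, OP_XOR, OP_SUB, OP_END = 0x90, 0x31, 0x2B, 0xC3
# The self-encrypting variant always starts its decryptor with this fixed prologue;
# that constant part is what an antivirus can use as a signature instead of the body.
FIXED_PROLOGUE = [(OP_NOP, 0x11), (OP_NOP, 0x22)]
STUB_SIGNATURE = b"\x90\x11\x90\x22"

def encrypt_body(body, ops):
    """Undo each decryptor op in reverse order so that running the ops restores body."""
    data = body
    for op, arg in reversed(ops):
        if op == OP_XOR:
            data = bytes(b ^ arg for b in data)
        elif op == OP_SUB:
            data = bytes((b + arg) & 0xFF for b in data)
    return data

def build_sample(rng, polymorphic):
    """One 'infection': decryptor stub + encrypted body. A self-encrypting copy changes
    only the key; a polymorphic copy also changes the decryptor's layout and operation."""
    key = rng.randrange(1, 256)
    if polymorphic:
        filler = [(OP_NOP, rng.randrange(256)) for _ in range(rng.randrange(1, 4))]
        ops = filler + [(rng.choice([OP_XOR, OP_SUB]), key)]
    else:
        ops = FIXED_PROLOGUE + [(OP_XOR, key)]
    stub = b"".join(bytes([op, arg]) for op, arg in ops) + bytes([OP_END, 0])
    return stub + encrypt_body(BODY, ops)

def emulate_decryptor(sample):
    """Decryption simulation: interpret the stub up to OP_END, then apply it to the payload."""
    ops, i = [], 0
    while sample[i] != OP_END:
        ops.append((sample[i], sample[i + 1]))
        i += 2
    data = sample[i + 2:]
    for op, arg in ops:
        if op == OP_XOR:
            data = bytes(b ^ arg for b in data)
        elif op == OP_SUB:
            data = bytes((b - arg) & 0xFF for b in data)
    return data

def scan(sample):
    """The three detection approaches from the page, applied to one sample."""
    return {"body_signature": BODY_SIGNATURE in sample,
            "stub_signature": STUB_SIGNATURE in sample,
            "after_emulation": BODY_SIGNATURE in emulate_decryptor(sample)}

def demo(seed=0):
    """Build and scan one copy of each variant from a seeded RNG."""
    rng = random.Random(seed)
    return {"self_encrypting": scan(build_sample(rng, False)),
            "polymorphic": scan(build_sample(rng, True))}
```

Across many seeds the body signature never matches either variant, the decryptor signature catches the self-encrypting copies only, and emulation catches both.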