
Polymorphic viruses - what are they and how to deal with them?

We have all heard about the dangers of malicious software, especially on the network. Dedicated protection programs against various threats cost good money, but do these costs make sense? Consider the most common ways storage media become infected, and in particular the most dangerous of them: polymorphic viruses.

The meaning of infection

By analogy with medicine, computer systems are treated as separate "organisms" that can pick up an "infection" while interacting with the surrounding digital environment: from the Internet or through the use of unchecked removable media. Hence the name of most malicious programs: viruses. When they first appeared, polymorphic viruses served as entertainment for specialists, a way of testing their own abilities as well as the protection systems of particular computer systems and network resources. Hackers have since moved from mischief to openly criminal activity, driven by the globalization of digital banking systems, which opened access to electronic wallets from virtually anywhere in the world. The information that virus authors now hunt has become more accessible, and its value has increased tens and hundreds of times compared to pre-digital times.

Description and history of occurrence

Polymorphic viruses, as the name suggests, are able to modify their own code when creating a copy of themselves. As a result, the copies cannot be detected by antivirus tools using a single mask, nor found in full within one simple scan cycle. The first virus with the technology of changing its own code was released back in 1990 under the name Chameleon. Virus-writing technology developed seriously a little later with the advent of polymorphic code generators, one of which, the Trident Polymorphic Engine, was distributed with detailed instructions through BBS archives. Over time, the technology of polymorphism has not changed substantially, but other ways of hiding malicious actions have appeared.

The spread of viruses

In addition to mail systems, which are popular with spammers and virus writers, mutant viruses can reach a computer along with downloaded files or through special links to infected Internet resources. Infected duplicates of well-known sites can also be used for infection. Removable storage media, usually rewritable ones, can also become a source of infection, since they may contain infected files that the user runs himself. Any request by an installer to temporarily disable the anti-virus software should be a signal to the user to, at the very least, scan the files being launched thoroughly. Automatic distribution of viruses is possible when attackers discover shortcomings in protection systems; such software is usually aimed at particular types of networks and operating systems. The popularity of office software has also attracted the attention of intruders, resulting in specially infected macros. Such virus programs have a serious drawback: they are "tied" to the file type, so macro viruses from Word files cannot interact with Excel tables.

Types of polymorphism

Polymorphic viruses are divided into several groups according to the complexity of the algorithms they use. Oligomorphic viruses, the simplest ones, use constants to encrypt their own code, so even a lightweight antivirus can work them out and neutralize them. Next come viruses whose encryption uses several instructions together with "empty" code; to detect such viruses, security programs must be able to filter out garbage commands.
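The following is an added example, not part of the original article, showing from the scanner's side why a single fixed mask misses copies encoded with a constant key and why that oligomorphic case is still easy to detect. It assumes a single-byte XOR constant; the marker string, the file layout and all function names are constructed for illustration.

```python
# Added example: all data below is constructed; the marker is a harmless string.
SIGNATURE = b"HARMLESS-TEST-BODY-MARKER"   # stands in for a known virus body
CLEAN_FILE = b"ordinary document contents " * 4


def infected_copy(key: int) -> bytes:
    """Model one oligomorphic copy: same body, XOR-encoded with a constant key."""
    body = bytes(b ^ key for b in SIGNATURE)
    return b"MZ" + b"\x00" * 14 + body + b"\x00" * 8


def naive_scan(data: bytes) -> bool:
    """Fixed-mask scan: only finds the body if it is stored unencoded."""
    return SIGNATURE in data


def xor_delta(buf: bytes) -> bytes:
    """XOR of each byte with its neighbour; a constant XOR key cancels out."""
    return bytes(a ^ b for a, b in zip(buf, buf[1:]))


def xray_scan(data: bytes):
    """Key-independent scan. Returns (key, offset) of the encoded body, or None."""
    offset = xor_delta(data).find(xor_delta(SIGNATURE))
    if offset == -1:
        return None
    # Every byte of the match differs from the signature by the same constant.
    return data[offset] ^ SIGNATURE[0], offset


if __name__ == "__main__":
    for key in (0x00, 0x5A, 0xC3):
        sample = infected_copy(key)
        print(hex(key), "naive:", naive_scan(sample), "x-ray:", xray_scan(sample))
    print("clean:", naive_scan(CLEAN_FILE), xray_scan(CLEAN_FILE))
```

Because the neighbour-XOR transform removes any constant key, one pass covers all 256 possible constants; junk instructions inserted between body bytes would break this match, which is why the next group requires filtering out garbage commands first.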

Viruses that change their own structure without losing functionality, and that also implement other, lower-level cryptographic techniques, already present a serious challenge for antivirus detection. Incomplete polymorphic viruses, which consist of program blocks, can write parts of their code into different places of the infected file. Such viruses do not need "empty" code of their own, because the executable code of the infected file serves that purpose. Fortunately for users and developers of antivirus software, writing such viruses requires serious knowledge of assembly language and is within reach only of very highly skilled programmers.

Goals, objectives and the principle of action

Virus code inside a network worm can be a big threat because, in addition to the speed of distribution, it adds a malicious effect on data and infection of system files. A polymorphic virus at the head of a worm, or at the basis of its code, makes it easier to bypass a computer's protective measures. The goals of viruses vary widely, from simple theft to complete destruction of data recorded on permanent media, as well as disruption of operating systems and their complete destabilization. Some virus programs can hand control of the computer to intruders so that they can openly or covertly launch other programs, connect to paid network resources, or simply transfer files. Others are able to quietly "settle" in RAM and monitor running applications in search of suitable files to infect or in order to interfere with the user's work.

Methods of protection

Installing an antivirus is mandatory for any computer connected to the network, because operating systems are not able to protect themselves against malicious programs, except for the simplest ones. Timely updating of databases and systematic checks of files, in addition to constant monitoring of the system, will also help to recognize an infection in time and eliminate its source. If you are using an outdated or weak computer, you can install a lightweight antivirus that uses cloud storage of virus databases. The choice of such programs is very wide, all of them are effective to varying degrees, and the price of anti-virus software does not always indicate high reliability. The undoubted advantage of paid programs is active user support and frequent updates of virus databases; however, some free alternatives also respond in time to the emergence of new virus signatures on the network.


Copyright © 2018 en.unansea.com. Theme powered by WordPress.