Friday, May 26, 2006

How to analyze a virus or my virus autobiography

Virus analysis is something I find interesting even though I have no idea of how this exactly takes place. Virus analysis is to me a mysterious thing. This idea started to become interesting a couple of months ago, but I absolutely did not have the slightest idea about how to start something like this. Virus analysis is a riddle.

Two years ago, viruses were a complete mystery to me. For a long time I wondered what viruses actually are and could not imagine their essence. I thought they were a magical enemy of the computer. Then one day I discovered that viruses are nothing else but a single file! Yes! Viruses are normal files which are dangerous when executed (= run or double-clicked).

This was one of the greatest shocks of my life. The magical and invisible viruses suddenly became visible and lost their strength in front of my eyes. Viruses are like programs and can even be seen through the Task Manager, a Windows program that shows the active processes and applications running in Windows. Viruses are usually also very small files in size.

The second shock I had was when I found out that viruses need to be executed in order to infect a PC. In the past I thought that as soon as you download a virus you are infected! But that is not the case. The virus has got to be executed to run, just like any other program on the PC. These are things I learned while hanging around the Antivir forum for 2 years. I remember how proud I was when I had my first virus on my PC without being infected. I started to like handling viruses gently through my folder system without double-clicking on them. Viruses became so small and insignificant, just like their number of bytes, in front of this great new knowledge I had gained!

Time passed and I started to dwell more on what types of viruses there are and ways of removal. I discovered that almost all my friends had infected computers and I liked to clean them. Unfortunately I have had to fight only with spyware, trojans, backdoors and dialers. All other kinds of viruses, like worms and real viruses that infect exe files, are unknown to me and I had no experience with them. I have started to think that they don't write these anymore! If I found a suspicious file online I would send it to an antivirus company for analysis and they would reply whether the file contains a virus or not. Kaspersky has been the fastest to respond so far, although I have only sent viruses to Kaspersky and Antivir. This was something I admired. How can that Russian guy know whether that file is a virus within an hour? What do they do with those files? How do they analyse them? Those were questions that started to slowly form within my mind. It has only been a few weeks since I typed in Google "how to analyze a virus". Unfortunately I did not get any results with instructions for beginners. It seemed that virus analysis needs programming knowledge which I do not have. It is all so very technical. Disappointed, I gave it up.

Today I read in the F-Secure weblog about the "T2'06 Reverse Engineering Challenge". It's like a competition that challenges people to analyse a program. I imagined that it takes the same skills needed for virus analysis. The magical words "reverse engineering" produced great results in Google and this might be a good time to start researching this. It might take me a few years to learn how to do this, but unfortunately only the first person who solves the riddle gets a prize!

4 comments:

Indeterminacy said...

My PC has a dust virus. It keeps collecting dust in the vents. None of the antivirus programs has been able to help me. I just remove the cover and vacuum away the dust. But it always comes back.

admin said...

:)) ROFL

You just discovered a market hole and a new virus. I think I have samples hanging around here too. I can't bewitch these viruses away either..

admin said...

Hi! I saw your comment in the adventure game post and replied there!

admin said...

And another comment here.