First published: 1st November 1994
By Allan G. Dyer M.Sc.(tech) B.Sc. AIDPM MIAP MHKCS, Head of F-PROT Technical Support, Yui Kee Co. Ltd.
Whenever a virus infects a computer, it changes things. If it is a boot sector virus, it replaces the boot sector of a disk with its own code. A file virus changes the contents of a file and might change its size, and the operating system will usually update the record of the date and time the file was last modified. Many viruses are memory-resident, so the amount of free memory will be less when they are present, and the extra blocks of memory they have reserved can be seen in a memory map. Any of these changes can be a clue that a virus is present. A stealth virus tries to avoid detection by hiding these changes, making it more difficult for the user or anti-virus software to notice them.
Stealth techniques have been used in PC viruses from the earliest times. The Brain virus, appearing in 1987 (and mentioned in my first article), was the first boot sector virus to use stealth. If this virus is resident in memory, it traps attempts to read the boot sector of infected diskettes and instead reads the copy of the original boot sector that it stored when it infected the diskette. The program that was trying to read the boot sector is given the uninfected boot sector and, if it is an anti-virus program, it sees nothing wrong. Development of stealth techniques in file viruses was slower, but in early 1990 the 4K virus showed many methods combined: it hid the changes it had made to the file length, file contents and file date, and made use of a number of undocumented DOS calls.
How do stealth viruses hide themselves? Computer hardware is continually being improved, but older programs often need to be run. The Operating System (OS) (such as DOS, OS/2 or the Mac Finder) insulates the application programmer from the hardware by providing a set of standard services, such as Find File, Open File and Read from File, that the programmer can use instead of fiddling with the hardware directly. In DOS, these services are provided via defined interrupt calls: the address of each OS service is held in an area of memory reserved for interrupt vectors, and stealth viruses redirect these vectors to their own code (fig. 1). In fact, it is not unusual to redirect these services; it is intended to be a convenient way to extend the operating system. The manufacturer of a new piece of hardware can include a small program, referred to as a device driver, that redirects the interrupts it requires so that all applications running on the machine can use the new hardware. Once a stealth virus has installed itself in memory and redirected the interrupts, it can detect OS calls that would reveal its presence and report the "normal" results. In the case of Brain, it would wait for a diskette sector read of track 0, side 0, sector 1 (the boot sector) and instead read the sector containing the original boot sector.
Some anti-virus programs try to detect the insertion of extra routines in OS calls by a technique known as tunneling. This involves tracing through the (possibly multiple) levels of redirection and identifying the original entry point to the OS routine. The anti-virus program can then check the unmodified information for signs of the virus. Virus writers have also made use of tunneling techniques in some viruses, in an attempt to hide from certain anti-virus programs.
All stealth viruses are memory-resident; they have to be, so that they can continually monitor for OS calls that might reveal their presence. DOS keeps a record of which programs are using which memory areas so that it can safely load new programs, and the command MEM (available in MS-DOS 5.0 and above) displays this list (fig. 2), showing the TSRs that are present. A memory-resident virus could be revealed in this display (fig. 2b). In this example, the program EDIT, which is not normally a TSR, is infected and the virus part has stayed resident (DOS, not knowing that this is a virus, refers to it by the name of the program it infected). An observant user could realise that, because EDIT is not a TSR, something very suspicious is happening. A stealth virus could hide this clue by modifying the DOS record of memory areas so that the virus is listed as part of another TSR (fig. 2c). This is far less likely to be noticed by the user; people do not generally memorise the installed size of all their TSRs.
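The memory-map comparison described above, as an added example that is not part of the original article: a small Python script that parses MEM /C-style listings and compares one taken from a known-clean boot against the current one, so that neither the new name of case (b) nor the changed size of case (c) has to be remembered by the user. The three listings are constructed for this example in the general layout of the MS-DOS 5 MEM /C report; the program names, sizes, the 4096-byte resident length and the exact column format are all assumptions, not captures from a real machine. In practice the clean listing would be captured with MEM /C redirected to a file kept on the clean boot diskette.

```python
import re
from typing import Dict, List

# Constructed sample listings in the style of the MS-DOS 5 "MEM /C" report.
# None of these are real captures; names, sizes and the 4096-byte resident
# length are illustrative values chosen for this example.
CLEAN_LISTING = """\
Conventional Memory :

  Name                 Size in Decimal        Size in Hex
-------------------   ---------------------   -------------
  MSDOS                 14240   (  13.9K)       37A0
  HIMEM                  1168   (   1.1K)        490
  COMMAND                2624   (   2.6K)        A40
  MOUSE                 17184   (  16.8K)       4320
  FREE                 619760   ( 605.2K)      974F0
"""

# Case (b) in the article: EDIT was run while infected and the virus part
# stayed resident, so DOS lists the block under the name of the program.
VISIBLE_LISTING = """\
Conventional Memory :

  Name                 Size in Decimal        Size in Hex
-------------------   ---------------------   -------------
  MSDOS                 14240   (  13.9K)       37A0
  HIMEM                  1168   (   1.1K)        490
  COMMAND                2624   (   2.6K)        A40
  MOUSE                 17184   (  16.8K)       4320
  EDIT                   4096   (   4.0K)       1000
  FREE                 615664   ( 601.2K)      964F0
"""

# Case (c): the same resident code, but the DOS memory record has been
# altered so that the 4096 bytes appear to belong to the MOUSE driver.
HIDDEN_LISTING = """\
Conventional Memory :

  Name                 Size in Decimal        Size in Hex
-------------------   ---------------------   -------------
  MSDOS                 14240   (  13.9K)       37A0
  HIMEM                  1168   (   1.1K)        490
  COMMAND                2624   (   2.6K)        A40
  MOUSE                 21280   (  20.8K)       5320
  FREE                 615664   ( 601.2K)      964F0
"""

# One resident-program line: leading spaces, an upper-case name, a decimal
# size, then the bracketed K figure. Header and separator lines do not match.
ENTRY_RE = re.compile(r"^\s+([A-Z0-9_$]+)\s+(\d+)\s+\(")


def parse_mem_listing(listing: str) -> Dict[str, int]:
    """Return {program name: total bytes resident}, excluding free memory.

    A program can own several memory blocks and so appear more than once;
    sizes are summed per name so that the comparison is by program.
    """
    resident: Dict[str, int] = {}
    for line in listing.splitlines():
        match = ENTRY_RE.match(line)
        if not match or match.group(1) == "FREE":
            continue
        name, size = match.group(1), int(match.group(2))
        resident[name] = resident.get(name, 0) + size
    return resident


def free_memory(listing: str) -> int:
    """Total bytes reported as FREE, the figure a resident virus reduces."""
    total = 0
    for line in listing.splitlines():
        match = ENTRY_RE.match(line)
        if match and match.group(1) == "FREE":
            total += int(match.group(2))
    return total


def audit_memory_map(baseline: str, current: str) -> List[str]:
    """Compare a known-clean listing with the current one and report differences.

    New names catch case (b); per-program size changes catch case (c); the
    drop in free memory is reported in either case as corroborating evidence.
    """
    before, after = parse_mem_listing(baseline), parse_mem_listing(current)
    findings: List[str] = []
    for name, size in after.items():
        if name not in before:
            findings.append(f"NEW resident program {name}: {size} bytes")
        elif size != before[name]:
            findings.append(f"SIZE CHANGE {name}: {before[name]} -> {size} bytes "
                            f"({size - before[name]:+d})")
    for name in before:
        if name not in after:
            findings.append(f"MISSING resident program {name}")
    delta = free_memory(current) - free_memory(baseline)
    if delta:
        findings.append(f"FREE memory changed by {delta:+d} bytes")
    return findings


if __name__ == "__main__":
    for label, listing in (("visible", VISIBLE_LISTING), ("hidden", HIDDEN_LISTING)):
        print(f"--- {label} ---")
        for finding in audit_memory_map(CLEAN_LISTING, listing):
            print(finding)
```

Against the first listing the script reports a new resident program, EDIT; against the second it reports MOUSE growing by 4096 bytes, which is the clue the article says a user is unlikely to spot by eye. In both cases the 4096-byte drop in free memory corroborates the finding. The comparison can only be as honest as the listing it is given, which is the article's reason for taking the baseline, and the check, from a clean boot.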
If a stealth virus is in memory, all kinds of anti-virus protection become ineffective: checksumming programs see the unmodified files, so they report nothing; likewise, scanners do not see the virus code, so they report nothing. Of course, good anti-virus software tries to detect and penetrate these deceptions, but the fact remains that if a virus gets control first, it has the power to interfere with potentially any anti-virus software. This is why it is so important to boot from a clean diskette when doing any secure virus check or clean-up. By doing this, the anti-virus software gets control first and has the advantage over the virus.
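The checksumming approach mentioned above, as an added example that is not part of the original article: a minimal integrity checker in Python that records, for each executable, the three things a file virus typically alters (size, last-modified time and a SHA-256 digest of the contents), stores that baseline, and later reports any file whose record no longer matches. The directory, the file names and the 4096 bytes appended to one file in the demonstration are all constructed for the example; nothing here is a real program or a real infection.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

Record = Dict[str, object]

# Only executables are fingerprinted; the suffix list is an assumption for
# a DOS-style disk and can be extended as needed.
EXECUTABLE_SUFFIXES = (".com", ".exe", ".sys")


def fingerprint(path: Path) -> Record:
    """Size, modification time and SHA-256 digest: the three clues a file
    virus leaves and a stealth virus tries to hide."""
    stat = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"size": stat.st_size, "mtime_ns": stat.st_mtime_ns, "sha256": digest}


def build_baseline(root: Path) -> Dict[str, Record]:
    """Fingerprint every executable under root, keyed by relative path.
    This must be run from a clean boot, or the records describe what a
    resident virus chose to show rather than what is on the disk."""
    return {
        str(p.relative_to(root)): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def check_against_baseline(root: Path, baseline: Dict[str, Record]) -> List[str]:
    """Re-fingerprint the tree and report every difference from the baseline."""
    current = build_baseline(root)
    findings: List[str] = []
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            findings.append(f"MISSING {name}")
            continue
        changed = [key for key in ("size", "mtime_ns", "sha256") if old[key] != new[key]]
        if changed:
            findings.append(f"CHANGED {name}: {', '.join(changed)}")
    for name in current:
        if name not in baseline:
            findings.append(f"NEW {name}")
    return findings


def demo() -> List[str]:
    """Build a constructed directory, baseline it, alter one file and re-check.
    Returns the findings so they can be inspected or tested."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for executables; the bytes are arbitrary.
        (root / "EDIT.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21")
        (root / "MOUSE.COM").write_bytes(b"\xcd\x20")
        (root / "README.TXT").write_bytes(b"not an executable, so not checked")

        baseline = build_baseline(root)
        # In real use the baseline file belongs on the clean boot diskette,
        # out of reach of anything resident on the hard disk.
        store = root / "baseline.json"
        store.write_text(json.dumps(baseline))

        # Constructed change: 4096 bytes appended to EDIT.COM, the kind of
        # growth a file virus causes (here it is just padding).
        with (root / "EDIT.COM").open("ab") as handle:
            handle.write(b"\x90" * 4096)

        return check_against_baseline(root, json.loads(store.read_text()))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The demonstration reports EDIT.COM as changed in size and contents (and in date, when the file system records the new modification time), while MOUSE.COM passes and README.TXT is never examined. The checker reads files through the operating system, so it shows exactly the weakness the paragraph describes: if a stealth virus is already resident and answering those reads with the original contents, every record matches and nothing is reported. The baseline and the check are only trustworthy when both are made after booting from the clean diskette.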
Everyone should make sure they have a clean boot diskette prepared for their computer, containing the basic operating system, any device drivers necessary for their hardware and some good anti-virus software. This disk can also save a lot of time and trouble in other emergency situations, such as disk corruption.