Michal Krejdl

8 January 2010

File infectors - part 2


Hello in 2010. I would like to wish you all the best in this year and I hope that our upcoming v5 will be your good fella starting from this January. Let me follow up on the previous article "Buggy file infectors" - as the release date for v5 is getting closer and closer, I think it would be good to inform you what to expect regarding file infector cleaning. Version 4.x was sometimes criticised for its limited ability to cure the most recent file infector families (more on this later in this text). Good news for you - v5 will perform better.

Ok, it's time to get deeper into the topic (but not so deep that we get stuck in technical details). First - we should clarify the situation around v4.x - version 4 already has a cleaning engine. This engine is able to clean certain virus families - mostly the families that were quite successful in spreading (high ITW rank) and some families that were very dangerous and created a high risk for victim computers. You may have noticed that infections are getting more complex as time goes on. Recent virus families need advanced technologies to get rid of them, and here's the first limitation of the v4 cleaner - it's not available within the boot-time scan (nor in the Linux version). There's also a need to emulate very tricky code to be able to walk through the virus bodies, and the minimalistic emulator engine in v4 was not able to cover all these aspects. But - this doesn't mean that v4 is completely toothless - it is able to clean e.g. Win32:Parite (which is an evergreen among virus families). Your question probably is - what will v5 do better?

Version 5 contains a new emulation engine (in fact, it contains two new emulation engines - one is faster, one is more handy and compatible). This emulation engine is the core of the new cleaning engine, which is also available in the boot-time scan. It also has the ability to walk through the polymorphic code of modern file infectors. Now we know that v5 has new weapons. But how are they used? Avast is now strong at cleaning Win32:Alman, Win32:Cekar, Win32:DunDun, Win32:Expiro and other ITW threats. Sounds promising, right? But there's always some threshold beyond which infections remain effectively incurable. It's necessary to simply accept that fact. Some virus families have such a big impact on your system that there's no way back. Especially when we talk about Win32:Virut (Win32:Vitro) and Win32:Sality - they are very destructive (many wrongly infected files can't be cured, and the system would be left in a corrupted state). You should always keep in mind that once you have been attacked by these virus families, your computer is seriously compromised and can't be trusted anymore (even after curing with various arbitrary tools). There's no guarantee of fully disinfecting such complex viruses, and even when you're able to cure all the files, the trust level is significantly decreased. Why?

There are basically two ways of signing files. System files are usually signed through catalogues; third-party files are usually signed with Authenticode certificates (in-place certificates issued by VeriSign etc.). Most file infectors invalidate these signatures, and the cleaning routine can't do any better once the signed content is corrupted (cleaned files can't match their signatures anymore, because we can't return them to their original state). Are you sure that you can trust the unsigned binaries after the system disinfection? Not fully, right? The only way to be certain is to reinstall your system, but do you want to hear such advice? I don't think so, and that's the reason why we always try to keep the trust level at some reasonable value. When we're able to get rid of the infection - we do so (some examples were mentioned above). In case we're not able to fully disinfect the system (e.g. in the case of Virut and Sality), we advise you to periodically back up your system and recover the data when needed.
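The signature check the paragraph above implies, as an added example that is neither Avast's code nor part of the original post: this PowerShell script inventories the signature state of binaries under a directory after a disinfection, so that files whose bytes no longer match their (catalogue or Authenticode) signature can be replaced from known-good media instead of being trusted. The root path is an assumption.

```powershell
# Added example (not Avast code): after cleaning, list which executables still
# carry a signature that verifies, which have a signature that no longer matches
# the file contents, and which are unsigned. Assumes Windows PowerShell 3.0+.
param(
    [string]$Root = 'C:\Program Files'   # hypothetical starting directory
)

$results = Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-AuthenticodeSignature checks both embedded (Authenticode) and
        # catalogue signatures; SignatureType tells which one applied.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            Status        = $sig.Status          # Valid, HashMismatch, NotSigned, NotTrusted, ...
            SignatureType = $sig.SignatureType   # Authenticode, Catalog or None
            IsOSBinary    = $sig.IsOSBinary
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# HashMismatch is the interesting bucket after cleaning: a signature is present,
# but the bytes no longer match it, which is exactly what a cured-but-not-restored
# file looks like. Such files should be replaced from installation media or a
# trusted backup rather than trusted as-is.
$valid      = @($results | Where-Object { $_.Status -eq 'Valid' })
$mismatched = @($results | Where-Object { $_.Status -eq 'HashMismatch' })
$unsigned   = @($results | Where-Object { $_.Status -eq 'NotSigned' })

'{0} files checked, {1} valid, {2} hash mismatch, {3} unsigned' -f @($results).Count, $valid.Count, $mismatched.Count, $unsigned.Count

# Show the files that need attention first: broken signatures, then unsigned ones.
$mismatched | Sort-Object Path | Format-Table Path, SignatureType, IsOSBinary, Signer -AutoSize
$unsigned   | Sort-Object Path | Format-Table Path -AutoSize
```

A NotSigned result is only meaningful for files that were signed to begin with, so compare against a clean reference installation where one is available.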

You can see some tools claiming they're able to clean even the most complex infections, but believe me, there's no guarantee of restoring the system to its original state. A cleaned file (in my opinion) means a file that has no malicious functionality and does not contain any (even inactive) traces of the infection. My daily practice shows me many files cleaned of the Virut infection with some third-party tools that still contain significant parts of the infection and are thus detected by our engine. Cleaned files should not be detected by any engine. Second, the problem with wrongly infected files was already mentioned; that's a sufficient reason to ignore Win32:Mabezat in my opinion (its corruption ratio is soooo high).

So, what to expect from v5 after reading these concerns? It will always try to fully disinfect your system, and it offers a wider variety of disinfection methods than v4. Always remember that no AV is the Holy Grail and some infections need special care. Feel free to visit our forums when you're facing an infection but you're not sure what to do or how.
