DEFGENB.CVP   930908
 
                              Stealth
 
A virus usually contains some kind of distinctive string or code
that can be used to identify it.  Even if the virus is new or
polymorphic, it still adds its code to the infected program, thus
adding to the size.  Even if the virus overwrites original code so
that it does not add to the length of the file, and even if the
virus tries to match a "checksum" calculated on the code
overwritten, a sophisticated CRC (cyclic redundancy check) or other
signature will still find a change.  So how to hide from all of
these detection mechanisms?
 
Lie.
 
Or, rather, get the computer to lie for you.
 
"Stealth" technology, as applied to computer viral programs, most
broadly refers to all the various means that viral programs use to
hide themselves.  Specifically, however, it refers to trapping
mechanisms that viral programs use to circumvent detection.  These
mechanisms are only effective once the virus is active in the
computer (referred to as being "active in memory").  The virus will
"trap" calls to read the data on the disk, and present back only the
information of the original, uninfected, program.
 
The virus is able to do this because very few programs bother to
read or write directly to the disk hardware.  Because of possible
differences in hardware, and also because these functions are
generally fairly standard, manipulation of the disk is left to the
operating system and underlying software and hardware.  The
operating system provides, at standard addresses, the "system
calls" and "hooks" through which the required functions are reached.
When a program wishes to read data from the disk, it asks the
operating system to do it by "calling" the function from a standard,
known address.
 
However, since the address is known, virus writers can know it as
well.  Code can be inserted at the standard address which redirects
the "call" to code provided by the virus.  This stealth code may
indeed use the original programming provided by the operating
system, but it filters the data returned to the calling program.  If
an infected file is being read, the "infection" simply does not
appear in the information that the "calling" program receives.  Thus
no trace of the virus infection can be found--at least not on disk.
 
Stealth is a technology, not a virus per se.  There is no one
"stealth" virus:  there are a lot of viral programs which implement
stealth in one form or another.  Stealth is not, in fact, limited to
viral programs.  Antiviral software, and even utilities, use similar
means to avoid compatibility problems with the wide range of
computers and programs now operating.
 
One ironic aspect of stealth, in viral programs, is "self-cleaning".
When copies are made of infected programs, the copy program runs the
data through the stealth filter as well.  This means that copies of
an infected program, made while the virus is active, are clean.  At
least initially ...
 
copyright Robert M. Slade, 1993   DEFGENB.CVP   930908
 
============= 
Vancouver      ROBERTS@decus.ca         | Life is
Institute for  Robert_Slade@sfu.ca      | unpredictable:
Research into  rslade@cue.bc.ca         | eat dessert
User           p1@CyberStore.ca         | first.
Security       Canada V7K 2G6           |