An “armored” virus is a type of malware designed to make its detection and analysis as difficult as possible, including by increasing the amount of code (the “armor”). At the same time, the malicious functionality of such a virus may be primitive. The armored variety is a kind of polymorphic virus.
The main efforts of the creator of an armored virus go into making it difficult for antivirus software to analyze, so that the virus code does not end up in signature databases. Most modern armored viruses use several armoring techniques. The basic set includes:
- obfuscation, or code obfuscation: creating redundant but working code, often not written in any high-level language, that makes analysis difficult;
- stealth technology: the virus hides its presence in the OS by intercepting system messages;
- polymorphism: the ability of the virus to change the code of each “descendant” with every new infection, using encryption.
Obfuscation is the main feature of an armored virus and implies, among other things, an increase in the size of the program. For example, Whale, one of the first such viruses, which appeared in 1990, “weighed” more than 9 kB. For that time, it was one of the most complex viruses.
One variety of armored virus is the metamorphic virus. Like a polymorphic virus, it modifies its code, but without the help of encryption. Modifications may take the form of inserting “garbage” fragments into the code, changing basic instructions (operation codes), or replacing entire blocks of code. Metamorphs can also mix their code with the code of the infected program; this is called “splicing”.
Sources of infection: email attachments and infected websites.