Camouflage Virus

You don't hear much about this type of virus. Fortunately it is rare and, because of the way anti-virus programs have evolved, is unlikely to occur in the future.

When anti-virus scanners were based completely on signatures there was always the possibility of a false alarm when the signature was found in some uninfected file (a statistical possibility). Further, with several scanners circulating, each had their own signature database and when scanned by another product may indicate infection where there was none simply because of the inclusion of the virus identification string. If this happened often, the public would get understandably annoyed (and frightened). In response, a scanner might therefore implement logic that, under the right circumstances, would ignore a virus signature and not issue an alarm.

While this "skip it" logic would stop the false alarms, it opened a door for virus writers to attempt to camouflage their viruses so that they included the specific characteristics the anti-virus programs were checking for and thus have the anti-virus program ignore that particular virus. Fortunately, this never became a serious threat; but the possibility existed.

Today's scanners do much more than simply look for a virus signature string. In order to identify the specific virus variant they also check the virus code and even checksum the virus code to identify it. With these cross-checks it would be extremely difficult for a virus to camouflage itself and spoof a scanner.

However, it should be understood that even with these precautions, false alarms continue to now and again occur. The anti-virus fixes when this happens, however, are such that a virus should not be able to piggyback onto the false alarm fix.

Summary

• In the past it was possible for a virus to spoof a scanner by camouflaging itself to look like something the scanner was programmed to ignore.
• Because of scanner technology evolution this type of virus would be very difficult to write today.