wms:s:,;. L ’
`
`3&3
`
`rm Aim
`
`way,A.3a«J§sbm3a mm, M19 ism,
`
`Te;
`
`12% 31mg -- Fa;&+4«% 12% mwig»
`
`gr&a;a@"u§W£%&:::auL€
`
`
`
`
`
`Ja111¥%’éF3’ .1 995; time
`$6-zgxfy
`
`i7mrm;V
`
`is
`
`flaw
`
`am
`
`esfvh-asses: was
`
`By
`
`£1133 T L .
`
`5 xx -1: T’ Eawm
`V 7
`
`léifii :1: ‘
`5;
`"
`i af
`iflamfi by the
`as fixagglut and it.dQes wuew pV:*imaasme»=af:;LtiA»ax»iz::amfiwmm
`
`1:
`
`"
`
`ta
`
`{Em
`
`this
`
`mtaamfirs: are
`
`frmjaanfiraf
`
`gmxfiawhzxa
`
`IE2
`
`m
`
`aéef $E m
`
`ta
`
`
`V 9:: mt‘
`H
`film, 2% the I1nn?r3:n§:
`firm
`
`ta fimzi Q: -m ’ if ‘ ts:
`
`
`T -
`
`3;
`
`&‘:amw‘Wla§§;hVsz-an
`as
`
`a
`
`i3
`
`
`
`
`
`a
`wiiisrit aw.-: x>fLmk§§ E Emmi
`;
`—
`%
`I
`J ,V:; .1 at iwafa
`
`mt
`
`‘"i‘.£:w+ swat
`
`
`L
`V. K .
`>,.
`
`minim E‘:
`
`ghlt
`
`at
`
`
`3:136».
`
`am
`we.
`
`
`>7
`ymgra-21:1 V
`V
`mFEm«gma§gmad1te$m‘a.‘- -
`$@sIn¢=gp“::ac&2a1,he{u:isti<:rsarfi ’ ' 1 vs: = ~
`_ T‘.
`am:21:
`mumia 3$1§FE:l‘3i we11—k:;1 ,
`V
`V sfimam
`
`-émplfizyizaxg
`‘ V V
`N. . mVa»tha
`‘ ma ma
`W
`
`am
`
`
`V 1 _
`L *
`
`am
`
`V fin?mfwws; a11fi~vims
`
`_ V.
`v
`
`
`}
`23 sari‘
`§*mwm& mainly
`rm
`are mt
`vimges»~={E:mt
`~€1fl14EI' mamas affigtitizzg
`is mi. firm.
`
`
`was
`
`yzmxamgwfimmmmzgxmvmnmmxmu
`»
`_A
`_
`‘
`K
`_
`V
`“FEEL
`9?‘
`my
`vziflamui
`wa km M xvi?‘ @£ &
`
`% ~ ~
`'—A4>fiL
`_
`mssafi %a a
`in
`
`SYMANTEC
`(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:54)(cid:60)(cid:48)(cid:36)(cid:49)(cid:55)(cid:40)(cid:38)
`
`Exhibit 1032 Page 1
`(cid:3)(cid:3)(cid:40)(cid:91)(cid:75)(cid:76)(cid:69)(cid:76)(cid:87)(cid:3)(cid:20)(cid:19)(cid:22)(cid:21)(cid:3)(cid:3)(cid:51)(cid:68)(cid:74)(cid:72)(cid:3)(cid:20)
`
`

`
`226 - GRYAZNOV: SCANNERS OF THE YEAR 2000: HEURISTICS
`
`as popular or as well known as scanners; and anti-virus packages based on non-scanner technology do not
`sell well. Sometimes people who are trying to promote non—scanner based anti-virus software even come to
`the conclusion that there must be some kind of an international plot ofpopular anti-virus scanner producers.
`Why is this? Let us briefly discuss existing types ofanti-virus software. Those interested in more detailed
`discussion and comparison of different types of anti-virus sofiware can find it in [Bontchevl], for example.
`
`1.1
`
`SCANNERS
`
`So, what is a scanner? Simply put, a scanner is a program which searches files and disk sectors for byte
`sequences specific to this or that known virus. Those byte sequences are often called virus signatures. There
`are many different ways to implement a scanning technique; from the so-called ‘dumb’ or ‘grunt’ scanning
`of the whole file, to sophisticated virus-specific methods of deciding which particular part of the file should
`be compared to a virus signature. Nevertheless, one thing is common to all scanners: they detect only known
`viruses. That is, viruses which were disassembled or analysed and from which virus signatures unique to a
`specific virus were selected. In most cases, a scanner cannot detect a brand new virus until the virus is
`passed to the scanner developer, who then extracts an appropriate virus signature and updates the scanner.
`This all takes time — and new viruses appear virtually every day. This means that scanners have to be
`updated frequently to provide adequate anti-virus protection. A version of a scanner which was very good
`six months ago might be no good today ifyou have been hit by just one of the several thousand new viruses
`which have appeared since that version was released.
`
`So, are there any other ways to detect viruses? Are there any other anti-virus programs which do not depend
`so heavily on certain virus signatures and thus might be able to detect even new viruses? The answer is yes,
`there are: integrity checkers and behaviour blockers (monitors). These types of anti-virus software are
`almost as old as scanners, and have been known to specialists for ages. Why then are they not used as
`widely as scanners?
`
`1.2
`
`BEHAVIOUR BLOCKERS
`
`A behaviour blocker (or a monitor) is a memory-resident (TSR) program which monitors system activity
`and looks for virus-like behaviour. In order to replicate, a virus needs to create a copy of itself. Most often,
`viruses modify existing executable files to achieve this. So, in most cases, behaviour blockers try to
`intercept system requests which lead to modifying executable files. When such a suspicious request is
`intercepted, a behaviour blocker, typically, alerts a user and, based on the user’s decision, can prohibit such
`a request from being executed. This way, a behaviour blocker does not depend on detailed analysis of a
`particular virus. Unlike a scanner, a behaviour blocker does not need to know what a new virus looks like to
`catch it.
`
`Unfortunately, it is not that easy to block all the virus activity. Some viruses use very effective and
`sophisticated techniques, such as tunnelling, to bypass behaviour blockers. Even worse, some legitimate
`programs use virus-like methods which could trigger a behaviour blocker. For example, an install or setup
`utility is often modifying executable files. So, when a behaviour blocker is triggered by such a utility, it’s up
`to the user to decide whether it is a virus or not — and this is often a tough choice: you would not assume that
`all users are anti-virus experts, would you?
`
`But even an ideal behaviour blocker (there is no such thing in our real world, mind you!), which never
`triggers on a legitimate program and never misses a real virus, still has a major flaw. To enable a behaviour
`blocker to detect a virus, the virus must be run on a computer. Not to mention the fact that virtually any user
`would reject the very idea of running a virus on his/her computer, by the time a behaviour blocker catches
`the virus attempting to modify executable files, the virus could have triggered and destroyed some ofyour
`valuable data files, for example.
`
`i
`
`~
`
`~’
`
`VIRUS BULLETINCONFERENCE ©1995 Virus Bulletin Ltd,21 TheQuadrant, Abingdon, Oxfordshire, 0X143YS, England.
`Tel. +44 (0)1235 555139. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form
`without the prior written permission of the publishers.
`
`SYMANTEC
`(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:54)(cid:60)(cid:48)(cid:36)(cid:49)(cid:55)(cid:40)(cid:38)
`
`Exhibit 1032 Page 2
`(cid:3)(cid:3)(cid:40)(cid:91)(cid:75)(cid:76)(cid:69)(cid:76)(cid:87)(cid:3)(cid:20)(cid:19)(cid:22)(cid:21)(cid:3)(cid:3)(cid:51)(cid:68)(cid:74)(cid:72)(cid:3)(cid:21)
`
`

`
`VIRUS BUl_LETlN CONFERENCE, SEPTEMBER l *?95 ° 22?
`
`
`1.3
`
`INTEGRITY CHECKERS
`
`An integrity checker is a program which should be run periodically (say, once a day} to detect all the
`changes made to your files and disks. This means that, when an integrity checker is first installed on your
`system, you need to run it to create a database ofall the files on your system. During subsequent runs, the
`integrity checker compares files on your system to the data stored in the database, and detects any changes
`made to the files. Since all viruses modify either files or system areas ofdisks in order to replicate, a good
`integrity checker shoulo be able to spot such changes and alert the user. Unlike a behaviour blocker, it is
`much more difficult for a virus to bypass an integrity checker, provided you run your integrity checker in a
`virus clean environment ~~ e.g. having booted your PC from a known virus-fi‘ee system diskette.
`
`But again, as in the case of behaviour blockers, there are many possible situations when the user's expertise
`is necessary to decide whether changes detected are the result ofvirus activity. Again, ifyou run an install
`or setup utility, this normally results in modifications to your files which can trigger an integrity checker.
`That is, every time you install new software on your system, you have to tell your integrity checker to
`register these new files in its database.
`
`Also, there is a special type of virus, aimed specifically at integrity checkers - so-called slaw infizctmr. A
`slow in factor only infects obj ects which are about to be modified anyway; eg. as a new file being created by
`a compiler. An integrity checker will add this new file to its database to watch its further changes. But in the
`case ofa slow infector, the file added to the database is infected already.‘
`
`Even if integrity checkers were free ofthe above drawbacks, there still would be 3 major flaw. That is, an
`integrity checker can alert you only after a virus has run and modified your files. As in the example given
`while discussing behaviour blockers, this might be well too late. ..
`
`l.4
`
`THAT’S WHY SCANNERSI
`
`So, the main drawbacks ofboth behaviour blockers and integrity checkers, which prevent them from being
`widely used by an average user, are:
`
`1. Both behaviour blockers and integrity checkers, by their very nature, can detect a virus only after you
`have run an infected program on your computer, and the virus has started its replication routine. By
`this time it might be too late ~ many viruses can trigger and switch. to destructive mode before they
`make any attempts to replicate. lt’s somewhat like deciding to find out whether these beautiful yet
`usnlcnown berries are poisonous by eating them and watching the results. Gosh! You would be lucky to
`get away with just dyspepsia!
`
`2. Often enough, the burden to decide whether it is a virus or not is transferred to the user. lt’s as if
`your doctor leaves you to decide whether your dyspepsia is simply because the berries were not ripe
`enough, or it is the first sign of deadly poisoning, and you’ll be dcari in few hours if you don’t take
`an antidote immediately. Tough choice!
`
`On the contrary, a scanner can and should be used to detect viruses before an infected program has a chance
`to be executed. That is, by scanning the incoming software prior to installing it on your system, a scanner
`tells you wlienier it is safe to proceed with the installation. Continuing our berries analogy, it’s like having 2
`portable automated poisonous plants detector, which quickly checks the berries against its database of known
`plants, and tells you wltether or not it is safe to eat the berries.
`
`But what if the berries are not in the database of your portable detector? What if it is a brand new species‘?
`What ifs software package you are about to install is infected with a new, very dangerous virus unknown to
`your summer? Relying on your scanner only, you rnight find yourselfin big trouble. This is where behaviour
`blockers and integrity checkers might be helpful. lt’s still better to detect the virus while it’s txying to infect
`
`V}2i?.'€x'.‘Z B£iZi.§'F2’NC(}.lJPY;“RE~3s.’CE©1995 Virus Bulletin Ltd, 21 The Quadlrant, Abingdon, Oxfordshire, OX14 3Y8, England.
`Tel. +44 (0)1235 555139. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form
`vvithout the prior written permission of the publishers.
`
`SYMANTEC
`(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:54)(cid:60)(cid:48)(cid:36)(cid:49)(cid:55)(cid:40)(cid:38)
`
`Exhibit 1032 Page 3
`(cid:3)(cid:3)(cid:40)(cid:91)(cid:75)(cid:76)(cid:69)(cid:76)(cid:87)(cid:3)(cid:20)(cid:19)(cid:22)(cid:21)(cid:3)(cid:3)(cid:51)(cid:68)(cid:74)(cid:72)(cid:3)(cid:22)
`
`

`
`228 0 GRYAZNOV: SCANNERS OF THE YEAR 2000: HEURISTICS
`
`
`your system, or even after it has infected but before it destroys your valuable data. So, the best anti-virus
`strategy would include all three types ofanti-virus software:
`
`o
`
`a scanner to ensure the new software is free of at least known viruses before you run the software
`
`o a behaviour blocker to catch the virus while it is trying to infect your system
`
`0
`
`an integrity checker to detect infected files after the virus has propagated to your system but not yet
`triggered.
`
`As you can see, the scanners are the first and the most simply implemented line of anti-virus defence.
`Moreover, most people have scanners as the only line of defence.
`
`2
`
`WHY HEURISTICS?
`
`2.1 GLUT PROBLEM
`
`As mentioned above, the main drawback of scanners is that they can detect only known computer viruses.
`Six or seven years ago, this was not a big deal. New viruses appeared rarely. Anti-virus researchers were
`literally hunting for new viruses, spending weeks and months tracking down rumours and random reports
`about a new virus to include its detection in their scanners. It was probably during these times that a most
`nasty computer virus-related myth was born that anti-virus people develop viruses themselves to force users
`to buy their products and profit this way. Some people believe this myth even today. Whenever I hear it, I
`can’t help laughing hysterically. Nowadays with two to three hundred new viruses arriving monthly, it
`would be total waste of time and money for anti-virus manufacturers to develop viruses. Why should they
`bother if new viruses arrive in dozens virtually daily, completely free ofcharge? There were about 3 ,OOO
`known DOS viruses at the beginning of 1994. A year later, in January 1995, the number ofviruses was
`estimated at least 5,000. Another six months later, in July 1995, the number exceeded 7,000. Many anti-
`virus experts expect the number of known DOS viruses to reach the 10,000 mark by the end of 1995. With
`this tremendous and still fast-growing number ofviruses to fight, traditional virus signature scanning
`software is pushed to its limits [Skulason. B0nz‘chev2]. While several years ago a scannerwas often
`developed, updated and supported by a single person, today a team of a dozen skilled employers is only
`barely sufficient. With the increasing number ofviruses, R&D and Quality Control time and resource
`requirements grow. Even monthly scarmer updates are often late, by one month at least! Many formerly
`successful anti-virus vendors are giving up and leaving the anti-virus battleground and market. The fast-
`growing number of viruses heavily affects scanners themselves. They become bigger, and sometimes
`slower. Just few years ago a 360Kb floppy diskette would be enough to hold half a dozen popular scanners,
`leaving plenty ofroom for system files to make the diskette bootable. Today, an average good signature-
`based scanner alone would occupy at least a 720Kb floppy, leaving virtually no room for anything else.
`
`So, are we losing the war? I would say: not yet — but ifwe get stuck with just virus signature scanning, _we
`will lose it sooner or later. Having realised this some time ago, anti-virus researchers started to look for
`more generic scanning techniques, known as heuristics.
`
`2.1 WHAT ARE HEURISTICS?
`
`In the anti-virus area, heuristics are a set of rules which should be applied to a program to decide whether
`the program is likely to contain a virus or not. From the very beginning of the history of computer
`viruses different people started looking for an ultimate generic solution to the problem. Really, how does
`an anti-virus expert know that a program is a virus? It usually involves some kind ofreverse engineering
`(most often disassembly) and reconstructing and understanding the virus’ algorithm: what it does and how it
`does it. Having analysed hundreds and hundreds of computer viruses, it takes just few seconds for an
`experienced anti-virus researcher to recognise a virus, even it is a new one, and never seen before. It is
`
`r
`
`a
`
`g
`
`VIRUS BULLETINCONFERENCE @1995 Virus Bulletin Ltd, 21 The Quadrant, Abingdon, Oxfordshire, OXl43YS, England.
`Tel. +44 (0)1235 555139. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form
`without the prior written permission of the publishers.
`
`SYMANTEC
`(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:54)(cid:60)(cid:48)(cid:36)(cid:49)(cid:55)(cid:40)(cid:38)
`
`Exhibit 1032 Page 4
`(cid:3)(cid:3)(cid:40)(cid:91)(cid:75)(cid:76)(cid:69)(cid:76)(cid:87)(cid:3)(cid:20)(cid:19)(cid:22)(cid:21)(cid:3)(cid:3)(cid:51)(cid:68)(cid:74)(cid:72)(cid:3)(cid:23)
`
`

`
`VIRUS BULLETIN CONFERENCE, SEPTEMBER 1 995 - 22 9
`
`
`almost a subconscious, automated process. Automated? Wait a minute! If it is an automated process, let’s
`make a program to do it!
`
`Unfortunately (or rather, fortunately) the analytic capabilities of the human brain are far beyond those of a
`computer. As was proven by Fred Cohen [Cohen], it is impossible to construct an algorithm (e. g. a
`program’) to distinguish a virus from a non—virus with 100 per cent reliability. Fortunately, this does not
`rule out a possibility of 90 or even 99 per cent reliability. The remaining one per cent, we hope to be able to
`solve using our traditional virus signatures scanning technique. Anyway, it’s worth trying.
`
`2.2
`
`SIMPLE HEURISTICS
`
`So, how do they do it? How does an anti-virus expert recognise a virus? Let us consider the simplest case: a
`parasitic non-resident appending COM file infector. Something like Vienna, but even more primitive. Such a
`virus appends its code to the end of an infected program, stores a few (usually just three) first bytes ofthe
`victim file in the virus body and replaces those bytes with a code to pass control to the virus code. When the
`infected program is executed, the virus takes control. First, it restores the original victim’s bytes in its
`memory image. It then starts looking for other COM files. When found, the file is opened in
`Read_and_Write mode; then the virus reads the first few bytes of the file and writes itself to the end of the
`file. So, a primitive set of heuristical rules for a virus ofthis kind would be:
`
`1. The program immediately passes control close to the end of itself
`
`2.
`
`It modifies some bytes at the beginning of its copy in memory
`
`3. Then it starts looking for executable files on a disk
`
`4. When found, a file is opened
`
`5. Some data is read from the file
`
`6. Some data is written to the end of the file.
`
`Each ofthe above rules has a corresponding sequence in binary machine code or assembler language. In
`general, ifyou look at such a virus under DEBUG, the favourite tool of anti-virus researchers, it is usually
`represented in a code similar to this:
`
`START:
`
`JMP VIRUSCODE
`
`; Start of the infected program
`; Rule 1:
`the control is passed
`;
`to the virus body
`
`<Victim’ s code>
`
`VIRUS:
`
`SAVED:
`
`; Virus body starts here
`
`; Saved original bytes of the
`victim's code
`
`MASK:
`
`DB ‘*.COM’ , 0
`
`; Search mask
`
`VIRUSCODE:
`
`; Start of the virus code
`
`MOV DLOFFSET START
`MOV SLOFFSET SAVED
`
`the virus restores
`; Rule 2:
`; victim's code
`
`MOVSW
`MOVSB
`
`in memory
`
`;
`;
`
`MOV DX,OFFSET MASK
`
`; Rule 3:
`
`the virus
`
`
`
`I/YR US 8ULLETZNCONFERENCE ©1 995 Virus Bulletin Ltd, 21 The Quadrant, Abingdon, Oxfordshine, OXI4 3YS, England.
`Tel +44 (0)1235 555139. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form
`without the prior written permission of the publishers.
`
`SYMANTEC
`(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:54)(cid:60)(cid:48)(cid:36)(cid:49)(cid:55)(cid:40)(cid:38)
`
`Exhibit 1032 Page 5
`(cid:3)(cid:3)(cid:40)(cid:91)(cid:75)(cid:76)(cid:69)(cid:76)(cid:87)(cid:3)(cid:20)(cid:19)(cid:22)(cid:21)(cid:3)(cid:3)(cid:51)(cid:68)(cid:74)(cid:72)(cid:3)(cid:24)
`
`

`
`230 ° GRYAZNOV: SCANNERS OF THE YEAR 2000: HEURISTICS
`
`
`MOV AH,4EH
`
`INT 21H
`
`MOV AX,3DO2H
`INT 21H ;
`
`;
`
`looks for other
`
`; programs to infect
`
`; Rule 4:
`
`the virus opens a file
`
`MOV DX,OFFSET SAVED
`MOV AH,3FH
`
`; Rule 5: first bytes of a file
`; are read to the virus
`
`INT 21H
`
`; body
`
`MOV DX,OFFSET VIRUS
`MOV AH,4OH
`INT 21H
`
`the virus writes itself
`; Rule 6:
`;
`to the file
`;
`
`Figure 1. A sample virus code
`
`When an anti—virus expert sees such code, it is immediately obvious that this is a virus. So, our heuristical
`program should be able to disassemble a binary machine-language code in a similar manner to DEBUG, and
`to analyse it, looking for particular code patterns in a similar manner to an anti-virus expert. In the simplest
`cases, such as the one above, a set of simple wildcard signature string matching would do for the analysis.
`In this case, the analysis itself is simply checking whether the program in question satisfies rules 1 through
`6; in other words, whether the program contains pieces ofcode corresponding to each ofthe rules.
`
`In a more general case, there are many different ways to represent one and the same algorithm in machine
`code. Polymorphic viruses, for example, do this all the time. So, a heuristic scanner must use many clever
`methods, rather than simple pattern-matching techniques. Those methods may involve statistical code
`analysis, partial code interpretation, and even CPU emulation, especially to decrypt self—encrypted viruses:
`but you would be surprised to know how many real life viruses would be detected by the above six simple
`heuristics alone! Unfortunately, some non-virus programs would be ‘detected’ too.
`
`2.3
`
`FALSE ALARMS PROBLEM
`
`Strictly speaking, heuristics do not detect viruses. As behaviour blockers, heuristics are looking for virus-
`like behaviour. Moreover, unlike the behaviour blockers, heuristics can detect not the behaviour itself, but
`justpotential rzbilizjv to perform this or that action. Indeed, the fact that a program contains a certain piece of
`code does not necessarily mean that this piece ofcode is ever executed. The problem ofdiscovering whether
`this or that code in a program ever gets control is known in the theory of algorithms as the Halting Problem,
`and is in general unsolvable. This issue was the basis of Fred Cohen’s proof of the impossibility of writing
`a perfect virus detector. For example, some scanners contain pieces ofvirus code as the signatures for which
`to scan. Those pieces might correspond to each and every one of the above six rules. But they are never
`executed — the scanner uses them just as its static data. Since, in general, there is no way for heuristics to
`decide whether these code pieces are ever executed or not, this can (and sometimes does) causefalse alarms.
`
`A false alarm is when an anti-virus product reports a virus in a program, which in fact does notcontain any
`viruses at all. Different types of false alarms, as well as most widespread causes of false alarms, are
`described in [Solomon] for example. A false alarm might be even more costly than an actual virus infection.
`We all keep saying to users: ‘The main thing to remember when you think you ’ve got a virus - do not
`panic!’ Unfortunately, this does not work well. The average user will panic. And the user panics even more
`if the anti—virus software is unsure itselfwhether it is a virus or not. In the case, say, where a scanner
`definitely detects a virus, the scanner is usually able to detect all infected programs, and to remove the virus.
`At this point, the panic is usually over; but if it is a false alarm, the scanner will not be able to remove the
`virus, and most likely will report something like: ‘This file seems to have a virus’, naming just a single file
`as infected. This is when the user really starts to panic. ‘It must be a new virus!’ — the user thinks. ‘What do
`
`-
`
`«
`
`-
`
`VIRUS BULLEYEWCONFERENCE©1 995 Virus Bulletin Ltd, 21 The Quadrant, Abingdon, Oxfordshinc, OX 14 3 YS, England.
`Tel. +44 (0)1235 555139. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form
`without the prior written permission of the publishers.
`
`SYMANTEC
`(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:3)(cid:54)(cid:60)(cid:48)(cid:36)(cid:49)(cid:55)(cid:40)(cid:38)
`
`Exhibit 1032 Page 6
`(cid:3)(cid:3)(cid:40)(cid:91)(cid:75)(cid:76)(cid:69)(cid:76)(cid:87)(cid:3)(cid:20)(cid:19)(cid:22)(cid:21)(cid:3)(cid:3)(cid:51)(cid:68)(cid:74)(cid:72)(cid:3)(cid:25)
`
`

`
`WRUS FJJiLl£li.?‘~i COPli5Eé‘lEl‘éCE, S£?T£fvlfi§§l {W5 * 23!
`
`
`l dc???’ as a result, the LIS€fI' Wall niiglat fcmiai li.is/lien‘ hard disk, caiuiiiig liirriselfa iiaii w::«1?s;e disaster than 3:;
`vials wulrl. ilcnnaiiiiig that hard ilisk la an uniieaesssaiy and um-iusiiiled 21:: t, by this way; €fV€?l1
`ztiriom $0 is
`there are many VlI'Ll§5€S wliixzli wsulal siirvive this act, uniika legitizrnaie softwam arid ilaia Slilifitl on ihe diglc.
`
`Aiimlizsi gzrailbsleiii a 1931.33 slam: can‘: {and slid? gauge: is nesgzitlvéi impact an :1 Si3lll‘W3I'€ manufacturing mmparzyi
`If an am“i»virus software falssly éeiecis a ‘virus in ta mw sofiwam paakagg, the users will step lmylng the
`pa(:l<:«ige anal Ilia: Silfiwiifii dewsrlopsr will sulfa“ iicrt only pmfii losisesg but alsu 3 lass iifrspuiaiion. Evan if it
`was liaim“ maids: l<.n<;>wii {ham ii was 3. lfilfié alzmn, loo many peuple ‘v\"{}uli§ll1llll3l<.Z ‘Tliére my SUIl0l{€ wiiliciut
`£1122’, and imixlil mat the SC%ftW.’:1I‘fi will: suspicimi. Tliis affecté; the asiiiwimis veziciair as well» “lliiaris lizizs
`already been 21. CE;iS§ wliaiar an an triaviriia vcxmlor was-3 salad by 3 giafiware COIll§}am}; Wl3i3i1€? anti-viras pmtectioii
`fl”1l$i£ll!C€l3ly iepmtsd 22. vims.
`
`‘Wll:i‘.l’\ a vlms is i'ep0ri:zl by aiiiiwiiizs saflware, wli::tli:‘::i* it is a fziléss zilaim 43:‘
`hi 3. wiizarairs €:l‘NlrC>l1iTl€1‘I'i,
`1101. Elm mimizil flew cf i}[3€1”E£ll0il
`i.~;~: inieriuptad. ll :a.l<s:s at best sswial lioiirs iu ccantact the aii:.i=~vii°i,i$
`icrclrinisal support and is msurf: it was 3 false 2:llzl1CIl’l beiibre mrirmal. Gperaiiam is msiiiiied ~ and. as we all
`kiioiiz, time is money. In ills cazta all a bi caiiipany, iiim is: big mciiiey.
`
`Sci, it 1:5 ml at all surprising izliat, when asked what level (if falsg alarms is acceptable { lil per must‘? l per
`cent‘! {ii par i?<—tni‘?§~, cisriperaie susmmers alyzswxar: ‘Zero par éiifllil W5: (la n<:im'2i1imiiy false alarms! ’
`
`As pI‘$'Vl:3lL3Sl§/‘ sxplammi, lay its very iiaiiira ll€ll1”lSll‘l£i aiialysis is l'l'i<L)I‘rt? prone 19:: iiilsiae alarms tlian lffifillllilllal
`scaiiniiig metlioilg. lniiegszll mat only virusss but Iriaiiy scanners 213 we ll WC:-il.l(l satisfy the six rules we iisad. 33
`ziii eraariiple: 3 scaiiner does leak ibr execuiable files, &2?{3El1S iliem, rsadé: same data zmtl evmi writes
`Sfimfitlllllg laaclc Wll-iii} i’fiiYlOVln§; a vims from 2:: file. Cari any’sh.img lT>€ alarm: 20 Eivillfl ziiggaring 3 false posiiiva
`m a manner‘? Lvsfg again mm to the expsrience (if 3. liiiman €§.I~ZlIl!-’i«’ll‘11.lS axpan. Ilaw dess zine knew ili at tliis
`is 3 gcaiiiiszi‘, and incl 3 viiiis‘? W&li, iliis £3 i‘llC!f€3 complicatad
`this Ell?/-‘(We fixfilfilplfl if a. l3l"ll’IT1ltl¥§i ‘vims.
`Still, iliere alt’: Smile g«~;'i'1:::ral rules :00. F01‘ siiariiplsr, if a pI'«C‘:gl’.'21IT1i€*llt?S:"1€aVlly
`on its paiamietasrs 01“ lnV{).l‘v‘ eg
`an z‘3}§t€ilSl‘.~’:3 dialogue with a laser, it is highly unlikely that the program is 2: vimsh This leads us :0 the iii-sa
`c>i’szeg:ii‘z'm §E€?.2?I‘lSli:2‘Sl, that iii, a sat ofmles wliicli are mist far a l1{}l’l-‘fli'llS pifograiii. "l‘lien, wliile. analyssiiig a
`piugiam, our lieiiristics slmiilcl éstiriiaie the pi‘0lD3;l'3ill.l}’ Qfiihe g:)mgra:11‘io be a viiiis using lzmli pasitive
`liei.m':‘~;iics;, ssucli as the al2=£?f%!€ six mlea
`negatiw; lieuiisii-::s,, iypical fer nc:»ri«vii:'us pragrams and rarely
`usaatl by real viruses, if 2: prograiii Séitisllti-Zfi all our six poaiiive rules, but also ezxpacta Sfllllif; mmnianilwlins:
`paramsiers and lime an. exieiisive user iziialztigus as well, we wciiilcl nélt call it 21 virus“
`
`So far so gciedt. Leaks Ilka We fcsiiiizi 3 SG*llll‘l()n to the ‘%."lll'll§3 glut probiém, right? N03: iezillyl Unfoiiulnateiy,
`not all virus wriiars are stupid» Siifllfi §i