Myths about anti-viruses

Virtually every user at one point or another has had to deal with the consequences of a virus attack or has at least read or heard about them. Yet, at the same time, people believe that anti-virus developers create malware; that macOS and Linux are virus-free; and that a virus can only be installed on Android through user stupidity.

Is that really the case?

Believing in myths and failing to face facts give rise to dangerous misconceptions.

Misconceptions compromise decision making which in turn can result in dire consequences.

This project will help you learn more about anti-virus myths, and how they appear and affect the anti-virus security of every computer.

Is it really true that viruses don’t exist?

Viruses do exist, but compared with Trojan horses, their number is small.

For reference:

Viruses are programs capable of self-replication. This means that they can create copies of themselves and inject their code into other files.

Currently, Trojans constitute the vast majority of malware (over 90%). They can't replicate themselves and, therefore, are not viruses.

On average, how many new malicious programs, most of which are Trojans, appear each month?

Even some IT professionals believe that the number of malicious programs appearing on a daily basis is somewhere in the region of 100. However, in real life the anti-virus laboratory receives up to 25 million potentially dangerous samples per month.

[Graph] The growing number of malware samples received by the Doctor Web anti-virus laboratory in 2014

Some of the files received aren't malware. And, of course, some samples are duplicates. However, they must all be processed by our security researchers.

It’s not feasible to process several million samples per month manually.

Most of the samples are processed using special automated routines. Virus analysts examine only complex samples that can't be analysed automatically. The Dr.Web virus database grows hourly.

[Chart] Growth in the number of malware definitions in the Dr.Web virus database

Do anti-virus companies develop malware?

Many users believe that it is the anti-virus developers themselves who make malicious programs because it’s lucrative for them—after all, if there are no viruses or Trojans, users won't be buying anti-viruses.

This is our favourite myth!!!:))

And, it is the most persistent of all anti-virus myths. Not a month passes without someone telling us this in their feedback.

This myth is based on the false premises that the number of malicious programs released daily is rather small; that a few programmers can easily write such programs; and that, of course, those programmers work at anti-virus companies.

  • The number of malicious programs crafted by criminals is so great that three shifts of security researchers are kept busy seven days a week. Anti-virus companies have a hard enough time dealing with the constant incoming barrage of malicious programs, so it makes absolutely no sense to believe that they would develop malware themselves.
  • Any IT security expert who writes a malicious program is engaging in a pointless exercise. If the program's signature gets added to the database of the anti-virus he/she helped to create, user computers will immediately be protected from the malware, and shortly thereafter, the Trojan will be added into the databases of other anti-viruses. Why waste one’s time?
  • Engaging in the development of malicious programs is a criminal offence. Those found to be involved in this sort of activity run the risk of getting put behind bars. And they will be exposed given the fact that malware researchers have a sufficient number of foes.
  • Anti-virus developers do not design viruses, and, moreover, they don’t even circulate known malicious files for testing—something customers deploying new software and journalists wanting to compare anti-viruses ask us to do regularly. If a company is ever found to be involved in the development or distribution of malicious software, its business will be doomed.
  • Many anti-virus companies—Doctor Web included—never employ individuals who have somehow been involved in illegal activities related to hacking. Anyone who has ever engaged in malware development has low moral standards.

Who actually writes malware?

At the dawn of the computer era, malicious programs were indeed created for experimentation and self-expression. Nowadays lone programmers sometimes write malicious programs in a quest for fame, but these individuals do not represent a major threat.

Today's malware is developed by professional virus writers. Moreover, their work is part of a well-organised illicit business. Virus-making gangs include:

  • Managers — people who organise and oversee the development and distribution of malware.
  • Malware developers.
  • Malware testers.
  • Researchers — people who search for vulnerabilities in operating systems and applications in order to exploit them.
  • Malware distributors.
  • System administrators — people who control botnets and ensure that the distribution environment within the criminal community is secure.
  • Webmasters — people who create sites involved in the distribution of malware.
  • Salesmen who seek buyers for the developed malicious programs (some Trojans are designed to be sold or rented).
  • People who orchestrate DDoS attacks.
  • Unscrupulous web advertisement entrepreneurs who make money by advertising Trojans.

The streamlined workflow within criminal groups of this kind makes them extremely productive. This has led to explosive growth in the number of malicious programs created by criminals and a corresponding increase in the number of signature records being added daily to the virus database.

The number of programs produced by a single group can reach hundreds of samples per day.

And the anti-virus software being used on the target machines won't be able to detect any of them for some time after their release. Further along we will explain why this happens.

Why do people write malicious programs?

There should be no illusions (myths) here:
Malware is created with the sole goal of making a profit.

People involved in the development, distribution and maintenance of Trojans designed to steal something are criminals.

Modern Trojans steal money and other digital assets belonging to individuals and organisations. For whatever they steal, there is always a buyer:

  • Logins and passwords used for online banking and electronic payment systems, social networking sites, etc.
  • Electronic money (such as bitcoins)
  • Emails and contact information
  • Pictures — these can be used to blackmail users or damage their reputation by publishing them on the Internet
  • Any kind of technical information about compromised PCs
  • Game accounts and virtual game items

Even if there is nothing to steal on a machine, it can still be utilised as a botnet zombie.
Caution! In some countries, the owners of computers that have been incorporated into a botnet to mount attacks on other machines can be held criminally liable even if they were unaware of what was going on with their computer.

What percentage of malware should be detected by an anti-virus at the moment of intrusion?

The myth that anti-viruses neutralise all malicious programs as soon as they try to get into a computer has amazing staying power. But that is simply not possible, just as it is impossible to invent a cure for all diseases. Although people have been dreaming of that for centuries, there is no panacea, and we should accept that.

The myth exists because most users do not know how the virus-writing business is organised.

Testing a Trojan against the majority of popular anti-viruses is one of the keys to developing a “good” (hard-to-detect) Trojan.

Only Trojans that can't be detected are set loose into the wild or delivered to target PCs.

That's why a time gap exists between the time criminals release a Trojan and the moment when virus laboratories get hold of a sample of that Trojan and design a cure. However, this applies only to really complex and "successful" Trojans. The most common malicious programs are detected by their signature or using the heuristic and other non-signature technologies of the Dr.Web anti-virus engine.

Can you always tell when a system has been infected?

This is one of the most dangerous myths!

It is rooted in the time when the first viruses appeared. Most of them bore a destructive payload (designed to destroy all the data on a PC) or manifested their existence on a machine by unleashing a firestorm of activity—e.g., sending bulk email messages containing copies of themselves, which noticeably slowed overall system performance.

However, today’s criminals are after your money and your information. To be more proficient at stealing, malware needs to be discreet.

Note!

  1. Certain malicious programs close vulnerabilities in infected systems to prevent other malicious programs from getting in and clean machines of competitor Trojans that previously infected the system.
  2. Some Trojans end anti-virus processes in the system and put the anti-virus icon in the system tray, giving the user the impression that the anti-virus is still running and the system is protected. Malicious programs of this kind are equipped with the icons of all the popular anti-viruses, and an intelligent Trojan will pick the image that matches the anti-virus installed on the target PC. Of course, clicking on such an icon does nothing, and it will appear as if the anti-virus has frozen. In truth the system becomes unprotected. Dr.Web has a special system to protect itself from such attacks.

So don't be fooled—virus writers have long realized that the best Trojans are inconspicuous.

But this myth, more than any other, lives on.
And believing it can have the direst consequences. People who hold onto this myth have either never used an anti-virus or don't follow basic security rules for using an anti-virus such as performing regular scans.

By the way, when was the last time you scanned your computer with an anti-virus?

Do anti-viruses detect malicious programs only by their signatures?

This myth has been around since the early years of anti-viruses. Back then, more than 20 years ago, this really was the case.

Pure signature-based anti-viruses—i.e., those that detect malware only by the definitions in their virus databases—died out in the 1990s, when ever-changing polymorphic viruses that could not be detected by their signatures appeared (by the way, this led to the emergence of the Dr.Web anti-virus).

If anti-viruses today were able to recognize new viruses only according to the entries in their virus databases, these databases would be so large that no computer’s memory could accommodate them, scanning would take a long time, and the PC's performance would be handicapped severely.

Today's anti-viruses feature heuristic, behavioural and preventive non-signature detection technologies which, combined with the signatures in virus databases, ensure that your computer is protected from actual threats.

If the database lacks a definition for a particular malware program, does the anti-virus have to detect it using heuristic technologies?

This myth is based on the misconception that an anti-virus must detect 100% of the malicious programs active today and is supported by the existence of anti-virus testing that uses heuristic analysis.

In fact, heuristic analysis helps detect modifications of malicious programs that have already been analysed and whose behaviour is known to the anti-virus.

When a malware definition is added into an anti-virus database, criminals are reluctant to re-design their program all over again. Instead, they merely compress the program with a different packer or encrypt its code.

What should an anti-virus do in this case? Well, its developers can add the definition of each slightly altered sample into the virus database (some of them do exactly this) or use a versatile unpacking technology like FLY-CODE and structural entropy analysis, which is what Dr.Web does. The former facilitates the scanning of packed objects by emulating the execution of compressed executables, while the latter exposes threats according to the specific code structure in encrypted objects.
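The following is an added example, not code from Doctor Web and not a description of its FLY-CODE or structural entropy technology. It illustrates the point of the last two sections in runnable form: a database of exact signatures misses a sample as soon as it is repacked, while a non-signature heuristic (here, Shannon entropy measured per fixed-size block of the file) still flags the object as packed or encrypted. The hash-based "signature database", the toy XOR "packer" and its key, the sample bytes, the 1 KiB block size and the 7.5 bits-per-byte threshold are all constructed or assumed for this illustration; the general per-block approach goes a little beyond the page, which only names the technique.

```python
# Added illustration (not Dr.Web code): why a pure signature match misses a
# repacked sample while a per-block entropy heuristic still flags it.
# The hash "signature", the XOR "packer" and the sample bytes are constructed
# stand-ins; the block size and entropy threshold are assumed values.
import hashlib
import math
from typing import List

# Constructed stand-in for the code section of an already-analysed Trojan.
KNOWN_SAMPLE = b"This is a constructed stand-in for a known Trojan's code section. " * 60


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Stand-in for a virus database: whole-file hashes of analysed samples.
SIGNATURE_DB = {sha256_hex(KNOWN_SAMPLE)}


def signature_match(data: bytes) -> bool:
    """Pure signature detection: only an exact, already-seen file is caught."""
    return sha256_hex(data) in SIGNATURE_DB


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic pseudo-random stream (SHA-256 in counter mode) for the toy
    packer below; a real packer or crypter changes the bytes just as thoroughly."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_pack(data: bytes, key: bytes) -> bytes:
    """Constructed 'packer': a short plaintext stub followed by the XOR-encrypted
    body. The program's behaviour is unchanged, but its bytes (and hash) are new."""
    body = bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))
    return b"UNPACK-STUB\x00" + body


def shannon_entropy(chunk: bytes) -> float:
    """Entropy in bits per byte: roughly 4-5 for code or text, close to 8 for
    encrypted or compressed data."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = 1024) -> List[float]:
    """Structural view: entropy per fixed-size block rather than one number per file."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def looks_packed(data: bytes, threshold: float = 7.5, min_fraction: float = 0.5) -> bool:
    """Heuristic: if most blocks are near-random, the object is likely packed or encrypted."""
    ents = chunk_entropies(data)
    if not ents:
        return False
    high = sum(1 for e in ents if e >= threshold)
    return high / len(ents) >= min_fraction


def classify(data: bytes) -> str:
    """Signature lookup first; fall back to the non-signature heuristic."""
    if signature_match(data):
        return "known-signature"
    if looks_packed(data):
        return "suspicious-packed"
    return "clean"


if __name__ == "__main__":
    repacked = toy_pack(KNOWN_SAMPLE, b"new-key-v2")
    print("original :", classify(KNOWN_SAMPLE))   # known-signature
    print("repacked :", classify(repacked))       # suspicious-packed
    print("entropy per 1 KiB block of the repacked sample:",
          [round(e, 2) for e in chunk_entropies(repacked)])
```

A high-entropy verdict is an indicator, not proof: legitimate installers and games also ship compressed or encrypted sections, which is why the text pairs the heuristic with signatures and with an unpacker that can look at the real code underneath. Lowering `threshold` or `min_fraction` makes the check more sensitive at the cost of more such false positives.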

What is an anti-virus’s main task?

An anti-virus prevents infection and neutralises malware that has managed to get into the system.

Sadly, an anti-virus can't detect all the programs that attempt to infect a computer. Therefore, additional preventive measures, such as restricting the launch of unknown applications and behavioural control, are used.

However, only an anti-virus can cure a system of malware that has invaded and is resistant to removal.

No other software except for an anti-virus can cure a machine of malware. Curing is a feature that is unique to anti-viruses.

What additional software products should be used to help an anti-virus protect a computer against malware?

Both answers to this question are wrong.

Modern anti-virus software can detect spyware and rootkits; it does not require any assistance. Also, some anti-viruses incorporate firewalls to protect computers against unauthorised network access.

Anti-viruses detect and remove all types of malicious programs. They don't need help from any other applications.

Caution! Apart from real anti-viruses, programs also exist that are disguised as anti-viruses or other security software. In many cases, they are not only useless—they infect machines with other malware.

What could be an excuse for not installing an anti-virus?

Both answers to this question are wrong.

Software vulnerabilities, social engineering techniques, and phishing tricks only increase the risk of infection no matter how careful users are.

For example, it was precisely vulnerabilities that played the major role in the first-ever outbreak of the malicious program BackDoor.Flashback.39 for macOS. To spread this malware, attackers exploited several Java vulnerabilities, and as a result:

650,000 Macs were infected with BackDoor.Flashback all over the world.

If a user doesn't visit bogus sites or open links in emails from unknown senders, do they still need an anti-virus?

People who believe that an anti-virus is unnecessary and that it only hinders system performance also think that the only way for their system to become infected is for them to install a Trojan themselves, e.g., by downloading one using a link found in an email. But we’re all too smart for that and would never do such a thing :)

However, experience shows that in most cases users download and install Trojans on their machines without even knowing they’ve done so.

There are also attack scenarios in which users don’t need to take any action to launch a Trojan. In the blink of an eye, a Trojan will be covertly installed onto your PC.

Does a computer need an anti-virus if it’s only used for gaming?

Modern video gaming is a highly competitive, billion-dollar market. And gamers are not safe from Internet threats.

In order to build a character, players search for various game items, some of which can be purchased for real money—and this is where Trojans can step in. For example, Trojan.SteamBurglar.1 can steal game items for criminals so that they can sell them.

In addition to Trojans, numerous schemes exist to get players to part with valuable items or even their account, and to draw their computers into a botnet involved in DDoS attacks, etc.

Encryption ransomware completes the picture: it targets online gaming assets or Steam accounts and encrypts files in order to demand a ransom for their decryption.

An anti-virus will keep your computer from becoming infected with programs of this kind, while the HTTP monitor SpIDer Gate will prevent you from ending up on a bogus website.

Thank you for taking the time to read through this text.