One of the most common ways that anti-virus finds and stops viruses, malware, and ransomware is by using what’s called “signature-based” detection. Signature-based detection is exactly what it sounds like – the anti-virus vendors create signatures for new viruses, and the software then scans your computer for those signatures.
There are two problems with this type of threat detection. The first is that these signatures usually look for something very specific in the virus: this could be some code they know will be in the virus, or a specific file that is placed on the system when the virus runs. While these signatures can get very complicated, they are also easily broken by many tactics.
So let’s look at what a very simplistic signature would be. Say you have a virus, and once it’s installed it runs the following code: “printf("hello world")”. Now this is a very simplistic line of code, and the likelihood of it being in any virus is low. However, for this demonstration, let’s pretend our virus runs that. The anti-virus application will be looking for that particular piece of code running on your system.
As a malware author, all I have to do is add some random characters to that line of code to break the anti-virus signature. So if I change that line to “printf(\x90 "hello world")”, I have effectively defeated the anti-virus signature.
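To make the brittleness concrete, here is a small scanner that runs three common signature forms over constructed sample "files". This is an added illustration, not code from the original post or from any anti-virus product; the SAMPLES byte strings are made up, and the whole-file hash and wildcard-pattern forms are included as an assumption about how signatures are typically written, not something the post itself describes.

```python
import hashlib
import re

# Constructed stand-ins for files on disk (not real malware): the byte content
# of the "virus" described in the post, the same content with one filler byte
# inserted, and an unrelated program that should never match.
SAMPLES = {
    "original": b'\x00\x01HEADER printf("hello world") TRAILER',
    "modified": b'\x00\x01HEADER printf(\x90"hello world") TRAILER',
    "clean":    b'\x00\x01HEADER printf("goodbye") TRAILER',
}

# Signature form 1 (assumed, common practice): a whole-file hash.
# Any single changed byte anywhere in the file breaks the match.
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLES["original"]).hexdigest()}

def scan_hash(data: bytes) -> bool:
    """True if the file's SHA-256 is on the known-bad list."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES

# Signature form 2: the exact byte pattern, i.e. the post's simplistic signature.
EXACT_PATTERN = b'printf("hello world")'

def scan_exact(data: bytes) -> bool:
    """True if the exact signature bytes appear verbatim in the file."""
    return EXACT_PATTERN in data

# Signature form 3 (assumed, common practice): a pattern with a wildcard gap,
# tolerating up to four arbitrary bytes between the opening parenthesis and
# the string argument. Real engines have richer wildcard syntax; this regex
# is only an illustration of the idea.
WILDCARD_PATTERN = re.compile(rb'printf\(.{0,4}"hello world"\)', re.DOTALL)

def scan_wildcard(data: bytes) -> bool:
    """True if the wildcard pattern matches somewhere in the file."""
    return WILDCARD_PATTERN.search(data) is not None

def scan_all(samples=SAMPLES) -> dict:
    """Run every signature form over every sample; True means 'detected'."""
    return {
        name: {
            "hash": scan_hash(data),
            "exact": scan_exact(data),
            "wildcard": scan_wildcard(data),
        }
        for name, data in samples.items()
    }

if __name__ == "__main__":
    for name, verdicts in scan_all().items():
        print(f"{name:9s}", " ".join(f"{k}={v}" for k, v in verdicts.items()))
```

Running it shows the "original" sample caught by all three forms, the "clean" sample caught by none, and the "modified" sample slipping past both the hash and the exact pattern while the wildcard pattern still fires. That gap is why vendors invest in tolerant, structural signatures rather than exact strings, and also why those signatures are harder to write without false positives, which is the trade-off the next paragraph alludes to.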
As a seasoned professional in the industry, I will be the first to say it’s not as easy as I just made it out to be. The anti-virus vendors are very good at creating signatures. However, virus authors have been largely successful at getting past anti-virus applications thus far, so we can’t rely on anti-virus as our only means of protection.