Armored virus

An “armored” virus is a type of malware designed to make its detection as difficult as possible, including by increasing the amount of code (i.e. “armor”). The malicious functionality of such a virus may be primitive. One variety of armored software is the polymorphic virus.

The main effort of the armored virus creator is to make it difficult for antivirus software to analyze it so that the virus code is not included in signature databases. Most modern armored viruses use several armoring technologies. The basic set includes:

Obfuscation is the main feature of an armored virus, which implies, among other things, increasing the size of the program. For example, one of the first such viruses, Whale, which appeared in 1990, was more than 9 kB in size. For that time, it was one of the heaviest viruses.

One variety of armored virus is the metamorphic virus. Like a polymorphic virus, this type modifies its own code, but without encryption. The modifications can take the form of inserting “junk” fragments into the source code, changing basic instructions (operation codes), or replacing entire code blocks. Metamorphic viruses can also mix their code with the code of an infected program; this is called “splicing”.
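The following added example (not part of the original page) shows the defender's side of the junk-insertion and instruction-substitution changes described above: an exact-match signature breaks on a modified variant, while a signature taken after normalization still matches. The instruction listings, the normalization rules and all function names are constructed for illustration, and the rules are simplified (CPU flag effects are ignored).

```python
import hashlib
import re

# Constructed toy listings (text mnemonics, not real samples): same logic,
# the variant padded with junk and one instruction swapped for an equivalent.
ORIGINAL = ["mov eax, 0", "add eax, 5", "push eax", "call target"]
VARIANT = ["nop", "xor eax, eax", "push ebx", "pop ebx", "add eax, 5",
           "mov ecx, ecx", "push eax", "nop", "call target"]
UNRELATED = ["mov eax, 1", "nop", "push eax", "call target"]

SELF_MOV = re.compile(r"^mov (\w+), \1$")        # mov r, r does nothing
ZEROING = re.compile(r"^(?:xor|sub) (\w+), \1$")  # both leave r == 0


def normalize(listing):
    """Reduce a listing to a canonical form (simplified: CPU flags ignored)."""
    out = []
    for ins in listing:
        ins = " ".join(ins.lower().split())
        if ins == "nop" or SELF_MOV.match(ins):
            continue
        zero = ZEROING.match(ins)
        if zero:
            ins = f"mov {zero.group(1)}, 0"
        # "push r" directly followed by "pop r" has no net effect: drop both.
        if ins.startswith("pop ") and out and out[-1] == "push " + ins[4:]:
            out.pop()
            continue
        out.append(ins)
    return out


def raw_signature(listing):
    """Hash of the listing exactly as seen (classic exact-match signature)."""
    return hashlib.sha256("\n".join(listing).encode()).hexdigest()


def normalized_signature(listing):
    """Hash of the canonical form, stable across the rewrites handled above."""
    return raw_signature(normalize(listing))


if __name__ == "__main__":
    for name, sample in (("variant", VARIANT), ("unrelated", UNRELATED)):
        print(name,
              "raw match:", raw_signature(sample) == raw_signature(ORIGINAL),
              "normalized match:",
              normalized_signature(sample) == normalized_signature(ORIGINAL))
```

Normalization only recovers the rewrites it has rules for, which is why signature matching on metamorphic code is usually combined with behavioral analysis.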

Sources of infection: e-mail attachments and infected websites.