Earlier in the year, we discussed the different types of malware, and one of the most prevalent is the virus. To recap, a virus infects a legitimate program or file, such as a Microsoft Word document, in order to spread and replicate itself and ultimately perform some nefarious act such as deleting files or sending out spam email.
But how does one detect a virus? The simplest and most common way is to produce a “virus signature” and then search a computer for that signature. If the signature is found, the infected file or program is “cleaned”: in other words, the offending code is removed. Most people will be familiar with this procedure because it is exactly how anti-virus software from McAfee, Sophos, Norton and others works.
A virus signature is best thought of as a sort of “fingerprint” of the virus: a set of unique data, or bits of code, that allows it to be identified. The challenge, of course, is to identify these signatures before the virus can do too much damage. Anti-virus companies must devote considerable research resources to keeping up with (or at least not falling too far behind) the malware developers. They use a variety of techniques to find signatures, including honeypots, which we have discussed in the past.
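To make the “fingerprint” idea concrete, here is a small signature scanner written for this post; it is an added example, not code from any anti-virus product, and every signature and sample file in it is constructed for the demonstration rather than taken from real malware. It shows the two simplest kinds of signature (a whole-file hash and a distinctive byte pattern), a scanner that reads a file in chunks without missing a pattern that straddles a chunk boundary, and the naive “cleaning” step of cutting the matched bytes out of the file.

```python
import hashlib
import io

# Constructed demonstration signatures; none of these byte strings is a real
# malware signature. A byte-pattern signature is a short, distinctive run of
# bytes taken from the body of a known sample.
BYTE_SIGNATURES = {
    "Demo.Marker.A": b"DEMO-MARKER-A\x90\x90\xcc",
    "Demo.Marker.B": b"payload=demo-b",
}

# Constructed sample files: one host file carrying a marker, one clean one.
INFECTED_FILE = (b"Legit document text... "
                 + BYTE_SIGNATURES["Demo.Marker.A"]
                 + b" ...more text")
CLEAN_FILE = b"Legit document text... nothing unusual here"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A whole-file hash is the crudest signature: it matches only a byte-identical
# copy of the sample it was taken from, so any change anywhere defeats it.
HASH_SIGNATURES = {sha256_hex(INFECTED_FILE): "Demo.Marker.A"}


def hash_lookup(data: bytes, signatures=HASH_SIGNATURES):
    """Return the signature name whose hash matches the whole file, or None."""
    return signatures.get(sha256_hex(data))


def scan_bytes(data: bytes, signatures=BYTE_SIGNATURES):
    """Return sorted (offset, name) pairs for every signature occurrence in data."""
    hits = set()
    for name, pattern in signatures.items():
        start = 0
        while True:
            off = data.find(pattern, start)
            if off == -1:
                break
            hits.add((off, name))
            start = off + 1
    return sorted(hits)


def scan_stream(stream, signatures=BYTE_SIGNATURES, chunk_size=4096):
    """Scan a file-like object chunk by chunk.

    The last (longest signature - 1) bytes of each chunk are carried into the
    next one, so a pattern split across a chunk boundary is still found; the
    set removes the duplicate hits that the overlap region produces.
    """
    overlap = max(len(p) for p in signatures.values()) - 1
    hits = set()
    carry = b""
    base = 0  # absolute file offset of carry[0]
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        buf = carry + block
        for off, name in scan_bytes(buf, signatures):
            hits.add((base + off, name))
        if len(buf) > overlap:
            base += len(buf) - overlap
            carry = buf[-overlap:] if overlap else b""
        else:
            carry = buf
    return sorted(hits)


def clean_bytes(data: bytes, signatures=BYTE_SIGNATURES) -> bytes:
    """Naive 'cleaning': cut every matched signature out of the file."""
    for pattern in signatures.values():
        data = data.replace(pattern, b"")
    return data


if __name__ == "__main__":
    print("hash lookup:", hash_lookup(INFECTED_FILE))
    print("pattern scan:", scan_stream(io.BytesIO(INFECTED_FILE), chunk_size=5))
    print("after cleaning:", scan_bytes(clean_bytes(INFECTED_FILE)))
    # One changed byte anywhere defeats the hash; one changed byte inside the
    # pattern defeats the byte signature. This is why signature databases need
    # constant updating and why vendors combine them with other techniques.
    print("hash after one-byte change:", hash_lookup(INFECTED_FILE + b" "))
```

Running the script with `chunk_size=5` forces the 16-byte marker to span several chunks, which is the case a naive chunked scanner gets wrong; the carry-over logic reports it at its true offset exactly once.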