Triggered by a session I attended on “Dynamic Analysis of Android Malware” I googled for a name from the past “Thunderbyte”. Back in the pre-internet era this was a Dutch Anti-Virus software product created by Frans Veldman from Essas. I remember visiting him in their Nijmegen Office in the early 90s. The ThunderByte scanner, TbScan, was the fastest scanner ever, one of the first with heuristic detection capabilities, and in those days it was among the top 3 of the available anti-virus products.
I googled some more and found a few articles about the early ThunderByte days and about the takeover by Norman Data Defense Systems back in 1998. It was nice to do the walk down memory lane, but it wasn’t just that. I found the text of a lecture from Frans Veldman from the year 1998 that intrigued me. It was fascinating to read about the race between virus authors and those trying to detect the viruses by writing the anti-virus software.
Yes, this is still a virtualization blog, so I will get to the point that triggered you to read this blog. In the computer middle ages, around 1993, virus writers were getting the upper hand, their Polymorphic Encrypted Viruses were very hard to detect by the Anti-Virus Software. Something needed to change or the authors of the Anti-Virus software would lose the battle for ever.
They needed something new, something Generic that could decrypt all these encrypted viruses and scan them for malicious code. They managed to develop “Emulators”. These emulators were used to trick a virus, making it believe it was executed in a real PC, when it decrypted itself it was easy to scan for the malicious code and disarm the virus.
The following description of the emulators is taken from the article by Veldman;
An emulator is a routine which understands every instruction, and it is therefore able to keep track of what would happen if a piece of code would be really executed. If all instructions are applied to a memory buffer, the end result will be a copy of the decrypted virus, just like it would appear when it has decrypted itself in a non-emulated environment.
Basically, a generic decryptor consists of four modules:
- A processor emulator
- A memory emulator
- A system emulator
- A decision mechanism
It doesn’t take much imagination to see a virtual machine in the above description of the generic decryptor. The Generic Decryptors were developed by the anti-virus authors because they were, very much, pushed to the limits by the many authors of Polymorphic viruses. When the going gets tough….
The below link takes you to the complete text of the lecture from Frans Veldman back in 1998, I really recommend reading it. It is fun to read how the authors of the viruses were in the dark for a long time, they simply did not know about the emulators. Once they did they started to work around the emulators by trying to detect if they were run in an emulated environment. The modern day viruses, the so-called “VM-aware” viruses, still do the same to prevent being detected when run in a virtual machine.
The link at the end of this line takes you to an article, written by Frans Veldman, describing the history of ThunderByte. I remember installing their TBAV software and also their ThunderByte anti-virus hardware. Yes, you read it well “Anti-Virus hardware”, for further details on this piece of “Dutch pride from the past”, read the ThunderByte story.