Change detection programs generally use an executable as the input to a mathematical function, producing a checksum. The change detection program is executed once on the (theoretically) clean system to provide a baseline for testing. During subsequent executions, the program compares the computed checksum with the baseline checksum. A change in the checksum indicates a modification of the executable.
Change detection tools are reactive virus detection tools. They can be used to detect any virus, since they look for modifications in executables. This is a requirement for any virus to replicate. As long as the change detector reviews every executable in its entirety on the system and is used in a proper manner, a virus cannot escape detection.
Change detection tools employ two basic mathematical techniques: Cyclic Redundancy Checks (CRC) and cryptographic checksums.
CRC-Codings
CRC checksums are commonly used to verify integrity of packets in networks and other types of communications between computers. They are fairly efficient and well understood. CRC-based checksums are not extremely secure; they are based on a known set of algorithms. Therefore they can be broken (the particular algorithm can be guessed) by a program if it can find the checksum for a file.
CRC checksum tools, like all change detection tools, can only detect that a virus has replicated. Additionally, the executable must be appear in the baseline.
Cryptographic Checksums
Cryptographic checksums are obtained by applying cryptographic algorithms to the data. Both public and private key algorithms can be used. In general, private key algorithms are used for efficiency. These techniques are sometimes used in conjunction with two other procedures to decrease system overhead. These techniques are message digesting and hashing.
In Message Digesting, hashing is used in conjunction with cryptographic checksums. The hash function, which is very fast, is applied directly to the executable. The result is much smaller than the original data. The checksum is computed by applying the cryptographic function to the hash result. The final result approaches the cryptographic checksum for security, but is much more efficient.