Change detection programs generally use an executable as the input to a
mathematical function, producing a checksum. The change detection program
is executed once on the (theoretically) clean system to provide a
baseline
for testing. During subsequent executions, the program compares the computed
checksum with the baseline checksum. A change in the checksum indicates a
modification of the executable.
Change detection tools are reactive virus detection tools. They can be used to detect any virus, since they look for modifications to executables, and modifying an executable is a requirement for any virus to replicate. As long as the change detector reviews every executable on the system in its entirety and is used properly, a virus cannot escape detection.
Change detection tools employ two basic mathematical techniques: Cyclic
Redundancy Checks (CRC) and cryptographic checksums.
CRC-Codings
CRC checksums are commonly used to verify integrity of packets in networks and
other types of communications between computers. They are fairly efficient
and well understood. CRC-based checksums are not very secure, however, because they
are drawn from a small, publicly known set of algorithms. A program that can obtain
the checksum for a file can therefore guess which algorithm is in use and defeat it.
CRC checksum tools, like all change detection tools, can only detect that a virus has replicated. Additionally, the executable must appear in the baseline; a file that was never recorded cannot be checked.
Cryptographic Checksums
Cryptographic checksums are obtained by applying
cryptographic algorithms to the data. Both public and private key algorithms
can be used; in general, private key algorithms are used
for efficiency. Two further procedures, message digesting and hashing, are
sometimes used together with these checksums to decrease system overhead.
In message digesting, hashing is used in conjunction with cryptographic
checksums. The hash function, which is very fast, is applied directly to the
executable, and its result is much smaller than the original data. The checksum is
then computed by applying the cryptographic function to the hash result. The final
result approaches the security of a full cryptographic checksum, but is much more
efficient because the slow cryptographic step runs only over the short hash.
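The following is an added example, not part of the original text, of the baseline-and-compare procedure described above. It records a plain CRC-32 and a message-digest-style keyed checksum (SHA-256 of the file, then HMAC over the digest) for each executable, and on a later run reports modified, missing and never-recorded files. The file contents and key are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample "executables": byte strings standing in for program files.
CLEAN_FILES = {
    "editor.exe": b"MZ\x90\x00clean editor image",
    "shell.exe": b"MZ\x90\x00clean shell image",
}


def crc_checksum(data: bytes) -> str:
    """Plain CRC-32: fast, but unkeyed, so anyone who knows the algorithm
    can recompute it for arbitrary data."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def crypto_checksum(data: bytes, key: bytes) -> str:
    """Message digesting: hash the whole executable first (cheap), then apply
    the keyed cryptographic function only to the short digest."""
    digest = hashlib.sha256(data).digest()
    return hmac.new(key, digest, hashlib.sha256).hexdigest()


def build_baseline(files: dict, key: bytes) -> dict:
    """First run on the (theoretically) clean system: record both checksums."""
    return {name: (crc_checksum(data), crypto_checksum(data, key))
            for name, data in files.items()}


def check_against_baseline(files: dict, baseline: dict, key: bytes) -> dict:
    """Subsequent run: compare recomputed checksums with the recorded ones."""
    findings = {}
    for name, data in files.items():
        if name not in baseline:
            findings[name] = "not in baseline"   # never recorded, cannot be judged
        elif (crc_checksum(data), crypto_checksum(data, key)) != baseline[name]:
            findings[name] = "modified"
    for name in baseline:
        if name not in files:
            findings[name] = "missing"
    return findings


if __name__ == "__main__":
    key = b"constructed-demo-key"   # assumption: kept off the scanned system
    baseline = build_baseline(CLEAN_FILES, key)
    later = dict(CLEAN_FILES)
    later["shell.exe"] += b"\x00appended bytes"   # a modification to be detected
    later["new.exe"] = b"MZ\x90\x00never baselined"
    print(check_against_baseline(later, baseline, key))
```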