Viruses encrypt themselves to avoid signature detection in 3 common ways.
The first is an older and very small footprint type of encryption that uses the XOR cipher.
A XOR cipher is a simple form of encoding that encrypts the input by a using a simple key that is XORed against the input to create an output. It’s a simple and fast way of encoding that doesn’t require its own, separate algorithm to decipher it. A virus maker might XOR each byte in a virus with some sort of constant value so that it only has to be repeated to decrypt the virus. In this way the virus remains hidden but can be unpacked and used simply.
A second way is a bit of a blunt instrument – where the virus maker encrypts the entire body of the virus leaving only the encrypted virus and a cryptographic key to decrypt it. This type of encryption would not trigger a virus signature scanner because the scanner couldn’t identify encrypted module as anything. But, it might recognize the presence of the encryption key. Nowadays with most antivirus software this triggers an alarm within the antivirus system causing it to quarantine the entire chunk of code, just to be safe. This method is rarely used today.
A third way a virus uses encryption to avoid detection is within an executable file. Here, the virus has been encrypted and is hiding within an executable file waiting for a defined set of actions to decrypt itself and execute. This is known as cryptovirology. The most commonly-used scenario of this type of virus encryption is having the latent virus wait until the computer has disabled its anti-virus software – either manually or during an update. The encrypted virus identifies those situations, decrypts and infects the machine. As an added insult, a virus like this will also disable the anti-virus software permanently.
Next up: Polymorphic Code