Spacefiller (Cavity) Viruses

A spacefiller (cavity) virus attempts to install itself inside of the file it is infecting. This is difficult but has become easier with new file formats designed to make executable files load and run faster.

Many viruses take the easy way out when infecting files; they simply attach themselves to the end of the file and then change the program's entry point so that execution first runs the virus code and then the actual program code. Many viruses that do this also implement some stealth techniques so you don't see the increase in file length when the virus is active in memory.

A spacefiller (cavity) virus, on the other hand, attempts to be clever. Some program files, for a variety of reasons, have empty space inside of them. This empty space can be used to house virus code. A spacefiller virus attempts to install itself in this empty space while not damaging the actual program itself. An advantage of this is that the virus then does not increase the length of the program and can avoid the need for some stealth techniques. The Lehigh virus was an early example of a spacefiller virus.

Because of the difficulty of writing this type of virus and the limited number of possible hosts, cavity viruses are rare. However, a new Windows file format known as Portable Executable (PE) is designed to make loading and running programs faster. While a great goal, the implementation has the effect of leaving potentially large gaps in the program file. A cavity (spacefiller) virus can find these gaps and insert itself into them. The CIH virus family takes advantage of this new file format. There will likely be more.
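As an added, defender-side example (not from the original page): a small Python checker that parses a PE section table and reports sections whose alignment slack, the zero-filled bytes between VirtualSize and SizeOfRawData, contains non-zero bytes, which is the kind of gap the paragraph above describes. The PE images it scans are constructed inline, and `build_pe` is a helper written only for this example.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PtrToRelocs, PtrToLinenums, NumRelocs, NumLinenums, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

def section_headers(pe):
    """Yield (name, VirtualSize, SizeOfRawData, PointerToRawData) for each section."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(n_sections):
        name, vsize, _va, rsize, rptr, *_ = SECTION_HDR.unpack_from(pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, rptr

def find_filled_cavities(pe):
    """Return [(section, slack_bytes, nonzero_bytes)] for sections whose slack between
    VirtualSize and SizeOfRawData (zero-filled by the linker) holds non-zero bytes."""
    hits = []
    for name, vsize, rsize, rptr in section_headers(pe):
        if vsize >= rsize:  # no slack: exact fit, or VirtualSize > raw (.bss-style)
            continue
        slack = pe[rptr + vsize:rptr + rsize]
        nonzero = sum(1 for b in slack if b)
        if nonzero:
            hits.append((name, rsize - vsize, nonzero))
    return hits

def build_pe(sections, file_align=0x200):
    """Construct a minimal PE image for testing (constructed data, not a real binary).
    sections: (name, content, extra); `extra` is written into the section's slack."""
    n = len(sections)
    first = -(-(0x40 + 24 + 40 * n) // file_align) * file_align  # round up to alignment
    raw_ptr, table, body = first, b"", b""
    for name, content, extra in sections:
        rsize = -(-len(content) // file_align) * file_align
        assert len(content) + len(extra) <= rsize, "extra bytes must fit in the slack"
        table += SECTION_HDR.pack(name.ljust(8, b"\0"), len(content), raw_ptr, rsize,
                                  raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += (content + extra).ljust(rsize, b"\0")
        raw_ptr += rsize
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x102)  # no optional header
    return (dos + b"PE\0\0" + coff + table).ljust(first, b"\0") + body

# Constructed samples: a clean image, and one with foreign bytes in .text's slack.
CLEAN = build_pe([(b".text", b"\x90" * 300, b""), (b".data", b"\x01" * 100, b"")])
FILLED = build_pe([(b".text", b"\x90" * 300, b"X" * 40), (b".data", b"\x01" * 100, b"")])
```

Non-zero padding is a heuristic, not proof of infection, so any hit should be compared against a known-good copy of the file.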


Summary

  • A spacefiller (cavity) virus attempts to install itself inside of the file it is infecting.
  • In the past this was difficult to do properly, but new file formats make it easier.