A cavity virus is a relatively uncommon type of virus that copies itself into unused spaces in files, thus spreading without affecting the file size of whatever it is infecting. They are sometimes also called “space filler” viruses. Many files have empty spaces that are normally ignored when it comes to executing the file they’re part of. The presence of these spaces isn’t a problem – unless they are infected by a virus, of course.
Since no change is made to the file size, it’s impossible to know whether a file has been altered purely by checking its properties – instead, you would have to compare it to a previous, uninfected version to be sure. Space fillers have been around since 1998 and are reasonably difficult to spot. There were several very successful virus waves around the Windows 95/98 days.
How does it work?
In order to infect files, a space filler first needs to find a file that has empty space in it. So, it needs to scan for empty spaces. When it finds empty space in a file somewhere, it will copy itself in, filling the space without making the file larger. That makes it difficult to detect by anti-virus programs.
As long as the virus keeps finding spaces big enough to copy itself into, it will continue to do so – if it finds nowhere or it’s already infected all possible options, then it may sit idle until triggered or simply continue its scanning until a new file suitable for it appears. As such, it will consume processing power in the background which can slow down other things.
This technique relies on primitive antivirus techniques that almost exclusively look for signatures of known viruses. By infecting an existing file, the resulting infected signature is unique to the combination of file and virus.
A real example
In 1998 a virus called CIH, demonstrated this functionality. It was nicknamed Chernobyl because its payload was incidentally set to trigger on the date of the Chernobyl disaster more than a decade earlier. The virus specifically targeted gaps in Portable Execution or PE files. It split its code to fit neatly in those gaps and inserted a table at the top of the file to track the locations of its code so it could run properly.
CIH would then, on the trigger date, overwrite the first megabyte of storage with zeroes. This generally destroyed the partition table or master boot record. Losing that makes it appear as if the entire drive has been wiped. The data, however, was recoverable. The virus would also attempt to wipe the BIOS chip. This was only successful on some devices and not others. On devices with a wiped BIOS chip, either the chip needed reprogramming or replacing. The other alternative was to get a new computer.
All told the CIH virus was estimated to have caused US$1 billion in damages and to have infected 60 million computers around the world. The virus was written by Chén Yíngháo, a student at Tatung University in Taiwan. Chén claimed that the virus was written as a challenge against the overly bold efficiency claims made by antivirus developers. It was then released by classmates, though it’s unclear if this was deliberate or accidental. Chén apologised to the university and published an antivirus for CIH. No charges were ever brought because at the time, Taiwan lacked computer crime legislation and no victims came forward with a lawsuit.
Prevention
Preventing cavity or spacefiller viruses is best done by minimising your exposure risk. One good step is to make sure that all programs and files you download or install are from an official, trustworthy source. Antivirus programs historically tended to have difficulty detecting cavity viruses. Modern antivirus techniques are much more advanced, though. It’s still important to keep your antivirus up to date and updated with the latest virus signatures to make it easier to detect and remove known viruses.
This type of virus is not really seen anymore. Antivirus techniques have advanced considerably making it much easier to detect this sort of thing. Additionally, virus creators have also adopted even more creative methods of avoiding antivirus software.
Conclusion
A cavity virus, also known as a space filler virus, is a type of malware that hides itself in gaps in other files. This technique makes it really hard to detect with basic file signature checks. It also avoids adjusting the infected file’s size, making it even harder to detect. The most well-known example, CIH, used this technique to great effect. It split its code across as many gaps as it needed and inserted a table at the top of the file to track the location of its code. Modern antivirus techniques are capable of identifying this sort of virus, so it is not commonly used.
