They are sometimes also called space filler viruses.
Many files have empty spaces that are normally ignored when it comes to executing the file they're part of.
The presence of these spaces isn't a problem unless they are infected by a virus, of course.
Space fillers have been around since 1998 and are reasonably difficult to spot.
There were several very successful virus waves around the Windows 95/98 days.
How does it work?
To infect files, a space filler first needs to find a file that has empty space in it.
So, it needs to scan for empty spaces.
That makes it difficult for anti-virus programs to detect.
As such, it will consume processing power in the background, which can slow down other things.
This technique relies on primitive antivirus techniques that almost exclusively look for signatures of known viruses.
By infecting an existing file, the resulting infected signature is unique to the combination of file and virus.
A real example
In 1998, a virus called CIH demonstrated this functionality.
The virus specifically targeted gaps in Portable Executable (PE) files.
CIH would then, on the trigger date, overwrite the first megabyte of storage with zeroes.
This generally destroyed the partition table or master boot record.
Losing that makes it appear as if the entire drive has been wiped.
The data, however, was recoverable.
The virus would also attempt to wipe the BIOS chip.
This was only successful on some devices and not others.
On devices with a wiped BIOS chip, either the chip needed reprogramming or replacing.
The other alternative was to get a new computer.
The virus was written by Chen Yinghao, a student at Tatung University in Taiwan.
It was then released by classmates, though it's unclear if this was deliberate or accidental.
Chen apologised to the university and published an antivirus for CIH.
Prevention
Preventing cavity or space filler viruses is best done by minimising your exposure risk.
Antivirus programs historically tended to have difficulty detecting cavity viruses.
Modern antivirus techniques are much more advanced, though.
This type of virus is not really seen anymore.
Antivirus techniques have advanced considerably, making it much easier to detect this sort of thing.
Additionally, virus creators have also adopted even more creative methods of avoiding antivirus software.
This technique makes it really hard to detect with basic file signature checks.
It also avoids adjusting the infected file's size, making it even harder to detect.
The most well-known example, CIH, used this technique to great effect.
Modern antivirus techniques are capable of identifying this sort of virus, so it is not commonly used.
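A structural check of the kind that catches what a size comparison misses, written as an added example and not code from the original article or from any antivirus product.
It walks the section table of a PE file and reports section padding (raw bytes past the section's declared virtual size) that holds non-zero data; the function names and the minimal PE-like sample image are constructed for illustration.

```python
import struct

def nonzero_slack(pe: bytes):
    """Return [(section, file_offset, nonzero_bytes)] for padding that holds data."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)      # offset of the PE header
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (nsections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size                      # first section header
    findings = []
    for i in range(nsections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        if raw_ptr == 0 or vsize >= raw_size:
            continue                                      # no file-backed padding
        slack = pe[raw_ptr + vsize:raw_ptr + raw_size]
        used = len(slack) - slack.count(0)
        if used:
            label = name.rstrip(b"\0").decode("ascii", "replace")
            findings.append((label, raw_ptr + vsize, used))
    return findings

def build_sample(slack_fill: bytes = b"") -> bytes:
    """Constructed sample: one .text section, 0x200 raw bytes, 0x40 of them used."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0, 0x102)
    struct.pack_into("<8sIIII", img, 0x58, b".text", 0x40, 0x1000, 0x200, 0x200)
    img[0x200:0x240] = b"\xAA" * 0x40                     # stand-in section content
    img[0x240:0x240 + len(slack_fill)] = slack_fill       # bytes placed in the padding
    return bytes(img)

if __name__ == "__main__":
    clean, modified = build_sample(), build_sample(b"\xAA" * 16)
    print(len(clean) == len(modified))                    # size check sees no change
    print(nonzero_slack(clean), nonzero_slack(modified))
```

A hit is a heuristic, not a verdict: some toolchains and packers leave non-zero padding, so compare a flagged file against a known-good copy or its recorded hash.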