CSCD 303 Essential Computer Security Fall 2018


Lecture 10 - Malware Evasion, Prevention, Detection, Removal
Reading: Chapter 6 CompTIA Book, Links

Overview
- Malware
- Techniques for Evasion
- Detection/Removal
- Antivirus/Antitrojan

Malware So Far
- So far, have looked at malware examples: viruses, worms, trojans, combinations
- Have not covered:
  - Rootkits (good project topic)
  - Botnets (good project topic)

Consider Purpose of Malware
- Goal for older viruses and worms
  - Proof of concept, trying to highlight security flaws
  - Sometimes purely malicious: damage computers, delete files
  - Written by amateurs, students
- Goal for modern malware
  - Generate income: steal information, ransom income, hijack computers for botnets
  - Written by professionals

Malware and Detection: Two Main Questions
- How does malware hide itself?
- How do detection programs work?

Stealth Virus Techniques

Stealth Techniques: Metamorphic Malware
- Rewritten with each iteration so that each succeeding version of the code is different from the preceding one
- The code changes make it hard for signature-based antivirus to recognize that the different iterations are the same malicious program

Metamorphic Viruses
- Apparition: an early Win32 metamorphic virus
  - Carries its source code, which contains useless junk
  - Looks for a compiler on the infected machine
  - Changes the junk in its source and recompiles itself
  - New binary copy looks different! Does this each time it infects

Obfuscation and Anti-Debugging
- Common in all kinds of malware
- Goal: prevent code analysis and signature-based detection, foil reverse-engineering
- Code obfuscation and mutation
  - Packed binaries, hard-to-analyze code structures
  - Packing is compressing an executable file and combining both the compressed code and the decompression code into a single executable
  - Different code in each copy of the virus
  - The effect of code execution is the same, but this is difficult to detect by passive/static analysis

Mutation Techniques
- Malware writers have created obfuscation engines: Real Permutating Engine/RPME, ADMutate, etc.
- Large arsenal of obfuscation techniques
  - Instructions reordered, branch conditions reversed, different register names, different subroutine order
  - Jumps and NOPs inserted in random places
  - Garbage opcodes inserted in code areas
  - Instruction sequences replaced with other instructions that have the same effect, but different opcodes
    - Mutate SUB EAX, EAX into XOR EAX, EAX, or MOV EBP, ESP into PUSH ESP; POP EBP
- There is no constant, recognizable virus body

Mutations in Action

Example: In x86 Assembly Code
- If the scanner were looking for the instructions
    mov ax, 2513H
    mov dx, 1307H
    int 21H
- One might modify the virus to instead execute this operation code
    mov ax, 2513H
    mov dx, 1307H
    xchg ax, dx
    int 21H
- The scanner can no longer see it, and the virus can go undetected.

Some More Transformations
- Original:
    #make_bin#
    MOV AX, 5
    MOV BX, 10
    ADD AX, BX
    SUB AX, 1
    HLT
    MOV AX, 1
    MOV AX, 2
- Insert jmps and add redundant labels:
    #make_bin#
    MOV AX, 5
    MOV BX, 10
    ADD AX, BX
    jmp proc_sub
    proc_sub: SUB AX, 1
    HLT
    x1: MOV AX, 1
    x2: MOV AX, 2
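The defender's answer to these mutations is to normalize code before matching it. The added example below (not from the lecture) is a small normalizer for Intel-syntax assembly text: it drops NOPs and labels, removes a jmp that lands on the very next instruction, and folds the slide's substitutions (SUB EAX, EAX; PUSH ESP / POP EBP) back to one canonical form, so a signature written against the canonical form still matches the mutated copy. The substitution table is built only from the slide's examples and is an assumption of the example.

```python
import re

# Canonical forms for the substitutions listed on the slide; keys are what an
# obfuscation engine emits, values are what we normalize back to.
PAIR_SUBST = {("push esp", "pop ebp"): "mov ebp, esp"}   # same effect as MOV EBP, ESP
SINGLE_SUBST = {"sub eax, eax": "xor eax, eax"}          # both zero EAX
JUNK = {"nop"}                                           # filler inserted at random

def tokenize(asm):
    """Yield (label, instruction) per line, lower-cased, with '#...#' assembler
    directives and ';' comments dropped and spacing around commas canonicalized."""
    for raw in asm.splitlines():
        line = raw.split(";", 1)[0].strip().lower()
        if not line or line.startswith("#"):
            continue
        label, instr = None, line
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            label, instr = m.group(1), m.group(2).strip()
        instr = re.sub(r"\s*,\s*", ", ", re.sub(r"\s+", " ", instr)) or None
        yield label, instr

def normalize(asm):
    """Canonical instruction list: junk removed, labels folded away, jumps to the
    very next instruction removed, substituted idioms mapped back to one form."""
    items, pending = [], set()              # pending: labels waiting for an instruction
    for label, instr in tokenize(asm):
        if label:
            pending.add(label)
        if instr and instr not in JUNK:     # a junk instruction passes its labels on
            items.append((pending, instr))
            pending = set()
    seq = []
    for i, (labels, instr) in enumerate(items):
        m = re.match(r"^jmp (\w+)$", instr)
        if m and i + 1 < len(items) and m.group(1) in items[i + 1][0]:
            continue                        # 'jmp X' straight into 'X:' is a no-op
        seq.append(instr)
    out, i = [], 0
    while i < len(seq):
        if tuple(seq[i:i + 2]) in PAIR_SUBST:
            out.append(PAIR_SUBST[tuple(seq[i:i + 2])]); i += 2
        else:
            out.append(SINGLE_SUBST.get(seq[i], seq[i])); i += 1
    return out

def matches(asm, signature):
    """True when the canonical signature occurs contiguously in normalize(asm)."""
    seq, n = normalize(asm), len(signature)
    return any(seq[i:i + n] == list(signature) for i in range(len(seq) - n + 1))
```

Real engines normalize at the opcode level after disassembly and also undo register renaming and reordering, which this text-level version does not attempt.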

Another Example - Transformations

Metamorphic Virus Question

Polymorphic Viruses
- Polymorphic means "change the appearance of"
- Encrypted viruses: decryptor followed by the encrypted virus body
- Polymorphic viruses: each copy creates a new random encryption of the same virus body
  - Early: the decryptor code was constant and could be detected; once decrypted, the virus body could be detected via signature
  - Later: decryptors used metamorphic techniques to hide, changing the instructions

Examples of Polymorphic and Metamorphic Malware
- CryptoWall Ransomware
  - CryptoWall is polymorphic ransomware that encrypts files on the victim's computer and demands a ransom payment for their decryption
- Storm Worm Email
  - Email sent in 2007 with the subject "230 dead as storm batters Europe" was, at one point, responsible for as much as 8% of all global malware infections
  - When the message's attachment is opened, the malware installs the wincom32 service and a trojan onto the recipient's computer, transforming it into a bot
  - One of the reasons the Storm worm was so hard to detect with traditional antivirus software was that the malicious code it used morphed every 30 minutes!!!

More Polymorphic Facts
- According to security experts at Barkly, https://blog.barkly.com/what-is-polymorphic-malware
  - "Polymorphism has become so popular that 97 percent of malware infections now employ polymorphic techniques, making them exceptionally hard to detect by traditional AV means", i.e. signature detection

Another Example: Virlock
- Virlock ransomware stands out in multiple ways
- First, it's parasitic, meaning that in addition to encrypting files, it actually infects them so that each time a user attempts to open one of them, the infection process starts back up all over again
- Second, it uses an "on-demand polymorphic algorithm"
  - When Virlock arrives, its payload is encrypted to avoid detection
  - As part of its infection process, it only decrypts the specific pieces of code that it needs at a time, then encrypts them back using a different encryption key

Anti-Virus / Anti-Malware Detection

Anti-virus
- Anti-virus will identify infections: viruses, trojans, worms
- Not always able to exactly identify what got you
- First step: detect that something is wrong
- Try to identify it (key)
- Next step: try to remove it and restore the files if possible

Static vs. Dynamic Analysis
- Static Analysis: code is not executed; autopsy or dissection of dead code
- Dynamic Analysis: observing and controlling running ("live") code
- The fastest path to the best answers will usually involve a combination of both


Modern Antivirus Software
- 1st Generation: Simple scanners
  - Require signatures to detect behavior of known viruses
  - Look at program length and alert administrators if anything has changed
  - Signatures for system binaries
  - Signatures for known viruses
  - Not so good for zero-day attacks

Signature File Monitoring
- File integrity monitoring (FIM) is an internal control or process that validates operating system and application software files
- Uses a verification method between the current file state and a known, good baseline
- This comparison method often involves calculating a known cryptographic checksum of the file's original baseline and comparing it to the calculated checksum of the current state of the file
- Tripwire is one example of this type of file monitoring software: https://www.tripwire.com/products/tripwire-file-integrity-manager/
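A minimal file integrity monitor of the kind the slide describes, added here as an example and not Tripwire's own code: it records size and SHA-256 for every file under a directory as the known-good baseline, then reports files that were added, removed, or whose checksum changed. The directory layout and file contents in demo() are constructed for the example.

```python
import hashlib
import json
import os
import tempfile

def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries are not held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Known-good state: size and SHA-256 of every regular file under root,
    keyed by the path relative to root ('/'-separated)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full), "sha256": hash_file(full)}
    return baseline

def compare(baseline, current):
    """A FIM report: new files, missing files, and files whose checksum changed."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p]["sha256"] != current[p]["sha256"]),
    }

def save_baseline(baseline, path):
    """Persist the baseline. Keep this file (or its hash) off the monitored host,
    otherwise an intruder who replaces a binary can re-baseline it too."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def demo():
    """Constructed scenario: baseline two fake binaries, then trojan one,
    delete one and drop a new one; returns the resulting FIM report."""
    root, store = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    def put(rel, content):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    put("bin/ls", b"original ls binary")
    put("bin/ps", b"original ps binary")
    save_baseline(build_baseline(root), os.path.join(store, "baseline.json"))
    put("bin/ls", b"original ls binary" + b" + injected code")  # modified in place
    os.remove(os.path.join(root, "bin/ps"))                       # removed
    put("bin/backdoor", b"unexpected new file")                   # added
    return compare(load_baseline(os.path.join(store, "baseline.json")), build_baseline(root))
```

Production tools also record ownership, permissions and timestamps, since a permission change on a system binary is as interesting as a content change.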

Tripwire
[Figure: Tripwire diagram, http://original.jamesthornton.com/redhat/linux/9/reference-Guide/figs/tripwire/tripwire.png]

Signatures for Malware
- Malware signatures: first-generation anti-malware programs
- Use hashes of the entire file or of fragments of known malware
- Store in a database, use for suspected malware identification

Hashes
- MD5 or SHA-1
- Condenses a file of any size down to a fixed-length fingerprint
- Uniquely identifies a file well in practice
- There are MD5 collisions but they are not common
  - Collision: two different files with the same hash

HashCalc

Malware Hash Uses
- Label malware file
- Use in signature-based malware programs
- Share hash with other analysts to identify malware
- Search hash online to see if someone else has already identified the file
- Problems with the malware signature-based approach?

Example of Virus Signature Hashes
Abraxas-1200= cd21b43c33c9ba9e00cd21b74093ba0001b9b004cd21c3b4
Abraxas-1214= cd21b43c33c9ba9e00cd21b74093ba0001b9be04cd21c3b4
Abraxas-15xx= b90200b44ebaa80190cd21b8023c33c9ba9e00cd21b74093
Acid #2= 99cd212d0300c606ae02e9a3af02b440b9a20299cd21b800422bc9cd21b440b91a00baae02cd21b8
Acid-670= e800005d81ed0300b8ffa02bdbcd210681fbffa07458b82135cd21899e9e028c86a0028cd8488ec026803e00005a757c26832e03002e26832e12002e26a11200
Ada #2= 480200740f80fc41741b80fc1374163d004b74069d2eff2e
Ada #3= 8c4f0cb8004bbab012cd21b402b207cd

Identifying Abraxas-1214 Virus Signature in File
The Abraxas-1214 signature bytes appear in the middle of this hex dump of the infected file:
737461727475705c77696e7269702e626174220d0a40646972202f73202f62202f6c20633a5c77696e7a697033322e657865207c2073657420777a3d0d0a40464f52202f4620222f73202f62202f6c20633a5c2a2e7a6970276804010000600204000a5a5a5acd21b43c33c9ba9e00cd21b74093ba0001b9be04cd21c3b431010000ebef68d8244000683f000f006a0068102040006802000080e8320100000bc075266a
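The two signature styles from the last few slides (a whole-file hash, and a byte fragment such as the Abraxas entries) can be checked with a few lines of code. This added example is not the lecture's or any product's scanner; it parses the slide's "Name= hex" signature lines, searches a file image for each fragment, and also looks up the file's hash in a known-bad table. The three Abraxas entries and the hex dump are copied from the slides (with the line-wrap spaces removed); the known-bad table in the usage is constructed.

```python
import hashlib

# Signature list in the slide's "Name= hex" format (three entries copied from the slide).
SIGNATURE_DB = """
Abraxas-1200= cd21b43c33c9ba9e00cd21b74093ba0001b9b004cd21c3b4
Abraxas-1214= cd21b43c33c9ba9e00cd21b74093ba0001b9be04cd21c3b4
Abraxas-15xx= b90200b44ebaa80190cd21b8023c33c9ba9e00cd21b74093
"""

# Hex dump of the infected file from the slide, line-wrap spaces removed (164 bytes).
INFECTED_HEX = (
    "737461727475705c77696e7269702e626174220d0a40646972202f73202f62202f6c20633a5c77696e"
    "7a697033322e657865207c2073657420777a3d0d0a40464f52202f4620222f73202f62202f6c20633a"
    "5c2a2e7a6970276804010000600204000a5a5a5acd21b43c33c9ba9e00cd21b74093ba0001b9be04cd"
    "21c3b431010000ebef68d8244000683f000f006a0068102040006802000080e8320100000bc075266a"
)

def parse_signatures(text):
    """Turn 'Name= hexbytes' lines into {name: bytes}; whitespace inside the hex is ignored."""
    sigs = {}
    for line in text.splitlines():
        if "=" in line:
            name, hexstr = line.split("=", 1)
            sigs[name.strip()] = bytes.fromhex("".join(hexstr.split()))
    return sigs

def fingerprint(data):
    """Whole-file hashes an analyst would share or look up: MD5 and SHA-1 as on
    the slide, plus SHA-256, which has no known collisions."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}

def scan_fragments(data, sigs):
    """Return every (name, offset) at which a fragment signature occurs in data."""
    hits = []
    for name, sig in sigs.items():
        pos = data.find(sig)
        while pos != -1:
            hits.append((name, pos))
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: (h[1], h[0]))

def scan(data, sigs, known_bad):
    """First-generation detection: exact match against known-bad whole-file hashes
    first, then the fragment search. known_bad maps a SHA-256 hex digest to a name."""
    fp = fingerprint(data)
    if fp["sha256"] in known_bad:
        return [(known_bad[fp["sha256"]], 0)]
    return scan_fragments(data, sigs)

if __name__ == "__main__":
    print(scan(bytes.fromhex(INFECTED_HEX), parse_signatures(SIGNATURE_DB), {}))
```

The fragment search finds Abraxas-1214 at byte offset 102 of the dump, while the whole-file hash would miss any copy that differs by a single byte, which is exactly the weakness the mutation slides exploit.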

Updating the Signatures
- Anti-virus companies must release new signatures each time a new virus is discovered
- A virus's spread is unimpeded for a while
- According to Andreas Marx of AV-Test.org, it took Symantec 25 hours to release an updated signature file in response to the W32/Sober.C worm attack

Modern Antivirus Software
- 2nd Generation: Heuristic scanners
  - Don't rely on signatures as much, but use rules of recognition
  - Look for odd behavior, or code fragments that are often associated with viruses, but don't have specific signatures for every virus they can handle
  - The next slide shows possible behaviors that signal malware

Static Heuristics Detection: Possible Heuristics
- Junk code
- Decryption loops
- Self-modifying code
- Use of undocumented API
- Manipulation of interrupt vectors
- Unusual instructions, especially those not normally emitted by a compiler
- Strings containing obscenities or "virus"
- Difference between entry point and end of file
- Spectral analysis: frequency analysis of instructions

Ex. Heuristic Detection of Pykeylogger
- Uses the SetWindowsHookEx API in Win32
  - Specifically the WH_KEYBOARD and WH_KEYBOARD_LL hooks
- Commonly used APIs, but not in the background
- Simple heuristic rule: in general, don't allow keyboard strokes to be captured in the background

Modern Antivirus Software
- 3rd Generation: Activity traps/emulation
  - More like the anomaly detection scheme, where the program just combs memory and looks for actions that are a threat to security rather than structures in the program code in memory
  - This has the distinct advantage of being able to prevent actions proactively rather than responding retroactively
  - Also uses emulation or sandboxing to analyze malware
- 4th Generation: full-featured scanners
  - All of these tools combined and used simultaneously

Sandboxing
- The antivirus program will take suspicious code and run it in a virtual machine to see the purpose of the code and how the code works
- After the program is terminated, the software analyzes the sandbox for any changes, which might indicate a virus

Virus: Antivirus Techniques, Dynamic Methods
- Emulation: analyze code before letting it run
- Emulation uses dynamic heuristics, similar to static heuristics, looking for patterns of behavior
- The emulator can also run signature searches some time into the run-time of the emulated code
- Since it's not actually running on the real machine, it can take more time to figure out the code's true purpose

Modern Antivirus Software
- The differences:
  - Older software scanned once a day, etc. Now they are working constantly to prevent infection
  - Norton, McAfee: all had original versions that did scheduled scans or on-boot scans based on signatures
- Commercial examples
  - Norton 2006 (13.0) introduced Internet Explorer and host file protection
  - Panda Antivirus is an award-winning modern anti-virus: detects all strange behavior, very good anomaly detection
  - Balance between good and annoying

Anti-virus: Treat Infection
- Two main ways: quarantine, disinfect

Anti Virus Software: Quarantine
- Only temporary until the user decides how to handle it; the user is asked to make a decision

Anti Virus Software: Why do Anti-Virus Programs Quarantine?
- Virus detection was generic; can't determine how to clean it off the system
- Wants the user, you, to make a decision
- Quarantine actions
  - Copy infected file to quarantine directory
  - Remove original infected file
  - Disable file permissions so the user can't accidentally transfer it out of the directory

Anti Virus Software: Disinfect Files
a. Disinfection by Specific Virus
- Multiple ways to disinfect files; depends on the type of virus
- From the virus DB, get the file executable start address
- Run a generic clean-up routine with the start address
- Can derive this information by running the virus in a test lab, recording information from the infected file
- Store this information for the specific virus

b. Disinfect by Virus Behavior
- Disinfect based on assumptions from virus behavior
- Prepended or appended viruses
  - Restore the original program header
  - Move original byte contents back to their original location
- Can store in advance, for each executable file on an uninfected system: program header, file length, checksum of the executable file contents (a computed check of the file contents)
- Compute various checksums until you get the exact checksum of the file; can be tricky, need to figure out which part of the file is original, look for a checksum match
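The behavior-based disinfection on this slide, worked through as an added example (not the lecture's code): a record of header bytes, length and checksum is stored for the clean executable in advance; for an appended virus the stored header is put back and the file cut at the original length, for a prepended virus the original is searched for at every offset where the stored header reappears, and in both cases the result is accepted only if its checksum equals the stored one. The "executable" and both infected variants are constructed byte strings, and the 16-byte header length is an assumption of the example.

```python
import hashlib

def checksum(data):
    return hashlib.sha256(data).hexdigest()

def record_clean(clean, header_len=16):
    """What the slide says to store in advance for each executable on an
    uninfected system: program header bytes, file length, content checksum."""
    return {"header": clean[:header_len], "length": len(clean), "sha256": checksum(clean)}

def disinfect_appended(infected, rec):
    """Appended virus: body is after the original and the header was patched so
    the virus runs first. Restore the stored header, cut at the original length,
    and accept the result only if its checksum matches."""
    if len(infected) < rec["length"]:
        return None
    candidate = rec["header"] + infected[len(rec["header"]):rec["length"]]
    return candidate if checksum(candidate) == rec["sha256"] else None

def disinfect_prepended(infected, rec):
    """Prepended virus: the original sits intact after the virus body, at an
    offset we do not know. Try each offset where the stored header reappears and
    checksum that window ('compute checksums until you get the exact one')."""
    n, start = rec["length"], 0
    while True:
        k = infected.find(rec["header"], start)
        if k < 0 or k + n > len(infected):
            return None
        if checksum(infected[k:k + n]) == rec["sha256"]:
            return infected[k:k + n]
        start = k + 1

def disinfect(infected, rec):
    """Return the restored original, or None when neither assumption reproduces
    the recorded checksum (then the file must come back from a backup instead)."""
    return disinfect_appended(infected, rec) or disinfect_prepended(infected, rec)

# Constructed sample: a fake 'clean executable' and two infected variants of it.
CLEAN = b"MZ\x90\x00" + bytes(range(200))
REC = record_clean(CLEAN)
APPENDED = b"MZ\xe9\xc8" + CLEAN[4:] + b"<virus body appended>"   # header patched, body at end
PREPENDED = b"<virus body prepended>" + CLEAN                     # original intact after body
```

The checksum check is what keeps this safe: a wrong guess about the infection layout yields None rather than a silently corrupted program.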

Best Recommended Free Antivirus Programs 2017
- A number of recommended programs are free to help keep your computer malware free
  - Bitdefender Antivirus Free
  - Avira Antivirus
  - Avast Free Antivirus
  - AVG Free Antivirus
  - Kaspersky Lab Internet Security 2017
  - Sophos Home Free Antivirus
- https://fossbytes.com/10-best-free-antivirus-software-list-2017/

Best Recommended Antivirus Programs 2017
- These recommended programs are not free but highly recommended
  - Bitdefender Antivirus Plus
  - Kaspersky Internet Security
  - Kaspersky Total Security
  - Norton
  - Avast
  - McAfee
  - ESET
- https://antivirusprotection.reviews/best-antivirus/

Test Your Virus Scanner
- Good to test your anti-virus software to see how well it does
- There is a test file you can use to test your anti-virus software: the Anti-Virus or Anti-Malware test file from the European Expert Group for IT Security, www.eicar.org
- Run this file against your virus scanner to determine its effectiveness
- http://www.eicar.org/anti_virus_test_file.htm

Summary
- Malware and anti-malware arms race
- Who is winning? Let you decide.
The end