Virus Analysis. Introduction to Malware. Common Forms of Malware

Similar documents
DETECTING UNDETECTABLE COMPUTER VIRUSES

Lecture 12 Malware Defenses. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422

CSCD 303 Essential Computer Security Fall 2017

CSCD 303 Essential Computer Security Fall 2018

Undetectable Metamorphic Viruses. COMP 116 Amit Patel

ANTIVIRUS SITE PROTECTION (by SiteGuarding.com)

Cracked BitDefender Security for File Servers 2 Years 55 PCs pc repair software for free ]

Simple Substitution Distance and Metamorphic Detection

Stack Shape Analysis to Detect Obfuscated calls in Binaries

An Introduction to Virus Scanners

ANTIVIRUS SITE PROTECTION (by SiteGuarding.com)

Get BitDefender Security for File Servers 2 Years 5 PCs computer new software download ]

Intruders. significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders:

Malware. Advanced Internet Security. Adrian Dabrowski Aljosha Judmayer Christian Kudera Georg Merzdovnik

Agenda. Motivation Generic unpacking Typical problems Results

Get BitDefender Client Security 2 Years 30 PCs software suite ]

Free Download BitDefender Client Security 1 Year 50 PCs softwares download ]

Small Office Security 2. Mail Anti-Virus

T Jarkko Turkulainen, F-Secure Corporation

Comparison Of File Infection On The Windows And Linux lclee_vx / F-13 Labs, lychan25/f-13 Labs

HUNTING FOR METAMORPHIC ENGINES

Random Code Variation Compilation Automated software diversity s performance penalties

Cracked BitDefender Client Security 2 Years 20 PCs lowest price software ]

Internet Security Mail Anti-Virus

Get Max Internet Security where to buy software for students ]

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations

EXECUTIVE REPORT 20 / 12 / 2006

Zillya Internet Security User Guide

Metamorphic Code Generator based on bytecode of LLVM IR

Unit 5. System Security

User Guide. This user guide explains how to use and update Max Secure Anti Virus Enterprise Client.

, STANDARDIZER,v ANNOTATOR US 7,739,737 B2 Jun.15, NO MATCH SYNONYMS MALICIOUS CODE PATTERN DETECTOR

Virus Analysis. Analysis Environment & Tools. Anti-Virus Lab. Key Requirements

Anti-Virus. Anti-Virus Scanning Overview. This chapter contains the following sections:

Chapter 10: Security. 2. What are the two types of general threats to computer security? Give examples of each.

Unit 2 Assignment 2. Software Utilities?

Network Security Fundamentals

Artificial Intelligence Methods invirus Detection & Recognition

Antivirus Technology

Quick Heal AntiVirus Pro Advanced. Protects your computer from viruses, malware, and Internet threats.

Malware, , Database Security

AV is Dead! Is AV Dead? AV is Dead! Is AV Dead?

Abstract Stack Graph as a Representation to Detect Obfuscated Calls in Binaries. A Thesis. Presented to the. Graduate Faculty of the

Protection Against Malware. Alan German Ottawa PC Users Group

Quick Heal AntiVirus Pro. Tough on malware, light on your PC.

IDS: Signature Detection

How To Remove A Virus Manually Windows 7 Without Antivirus Security Pro

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Detecting Metamorphic Computer Viruses using Supercompilation

IA-32 Architecture. CS 4440/7440 Malware Analysis and Defense

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

anti-anti-virus (continued)

CODE OBFUSCATION AND VIRUS DETECTION

Metamorphic Viruses with Built-In Buffer Overflow

Improved Signature-Based Antivirus System

MIS Week 6. Operating System Security. Windows Antivirus

Kaspersky PURE 2.0. Mail Anti-Virus: security levels

Eigenviruses for metamorphic virus recognition

CERT-In. Indian Computer Emergency Response Team ANTI VIRUS POLICY & BEST PRACTICES

Quick Heal Total Security for Mac. Simple, fast and seamless protection for Mac.

Product Line Guide Corporate Antimalware PLUS Network Visibility PLUS Systems Management

Management Information Systems (MMBA 6110-SP) Research Paper: Internet Security. Michael S. Pallos April 3, 2002

Practical Detection of Metamorphic Computer Viruses

How To Remove Virus From Computer Without Using Antivirus In Windows Xp

Herd Intelligence: true protection from targeted attacks. Ryan Sherstobitoff, Chief Corporate Evangelist

Malware Analysis and Antivirus Technologies: Antivirus Engine Basics

NHS South Commissioning Support Unit

Symantec vs. Trend Micro Comparative Aug. 2009

Seqrite Antivirus for Server

StandGuard Anti-Virus Technical Packet

Module 20: Security. The Security Problem Authentication Program Threats System Threats Threat Monitoring Encryption. Operating System Concepts 20.

2 ZyWALL UTM Application Note

McAfee Internet Security Suite Quick-Start Guide

INDEX. browser-hijacking adware programs, 29 brute-force spam, business, impact of spam, business issues, C

How to Configure Virus Scanning in the Firewall for FTP Traffic

Quick Heal Total Security Multi-Device (Mac) Simple, fast and seamless protection for Mac.

CUHK CSE ADAM: An Automatic & Extensible Platform Stress Test Android Anti-Virus Systems John Spark Patrick C.S. Lui ZHENG Min P.C.

Symantec Endpoint Protection 14

Typical Installation Guide. Installation Guide. Typical installation only. Standard version 2.5

APPROXIMATE DISASSEMBLY USING DYNAMIC PROGRAMMING

Guardian Total Security User Guide

CS System Security Mid-Semester Review

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Quick Heal Total Security for Mac. Simple, fast and seamless protection for Mac.

anti-virus and anti-anti-virus

Activation Screen Virus

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Intel Security Advanced Threat Defense Threat Detection Testing

Overcoming limitations of Signature scanning - Applying TRIZ to Improve Anti-Virus Programs

How To Remove Personal Antivirus Security Pro Virus Manually

KASPERSKY LAB. Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition ADMINISTRATOR S GUIDE

Resolution based computer metamorphic virus detection using redundancy control strategy

Guardian NetSecure User Guide

How To Uninstall Mcafee Antivirus File System Filter Driver Windows 8

Focus on the ESET NOD32 antivirus system

Antivirus Engines. T Helsinki University of Technology Mika Ståhlberg, F-Secure Corporation

Viruses and Malicious Code: A Community Defense Perspective

EECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution

Computer Security. Solutions

Transcription:

Virus Analysis Techniques, Tools, and Research Issues Part I: Introduction Michael Venable Arun Lakhotia, USA Introduction to Malware Common Forms of Malware Detection Techniques Anti-Detection Techniques Common Forms of Malware Virus Needs a vector for propagation Worm No vector needed Can spread by: network shares, email, security holes Trojan horse Performs unstated and undesirable function Spyware, adware, logic bomb, backdoors, rootkits

Detection Technologies Integrity Checking Static Anti-Virus (AV) Scanners Signature-based Strings Regular expressions Static behavior analyzer Dynamic AV Scanners Behavior Monitors AV Detection Process ANALYSIS LAB Sample Malicious: yes/no Removal Instructions DESKTOP Disinfector Clean File Signature Infected File File/Message Scanner Malicious: yes/no Integrity Checking Compute cryptographic checksums of files Periodically compare checksum with current checksum If mismatch, file has been modified

AV Scanners: Static Analysis Static Analysis Analyze behavior of program without execution Detects Properties true for all executions of a program Examples Approximation of values Analyze patterns of system calls AV Scanners: Signature-based Extract byte sequences from malware Search for byte sequence within files If found, file is infected Byte sequences may contain wildcards Signature-Based Scanning Hex strings from virus variants 67 33 74 20 73 38 6D 35 20 76 37 61 67 36 74 20 73 32 6D 37 20 76 38 61 67 39 74 20 73 37 6D 33 20 76 36 61 Hex string for detecting virus 67?? 74 20 73?? 6D?? 20 76?? 61?? = wildcard

AV Scanners: Dynamic Analysis Monitor a running program to detect malicious behavior Examples Intercepting system calls Analyzing audit trails Looking at patterns of system calls Allows examination of only selected testcases Anti-Detection Techniques Attacking Integrity Checkers Attacking Signature-Based Scanners Polymorphism Metamorphism Attacking Static Behavior Analyzer Obfuscating Calls Attacking Behavior Monitors Non-Deterministic behavior Change behavior when being monitored Attacking Integrity Checkers Intercept open() system call Open a non-infected backup of the file instead Restore system to original state after attack Infect system before checksums are computed

Attacking Signature Scanners: Polymorphism Virus body is encrypted Decryptor is propagated with virus Use different encryption keys Morph decryptor code Swap registers Insert garbage instructions Replace instruction with equivalents Reorder subroutines Polymorphism Detecting polymorphic viruses Run suspect program in an emulator Wait until it decrypts Decrypted code will be identical for various copies Use signature scanning on decrypted virus body Challenges Determining when decryption is complete Decryptor can determine whether its running in an emulator Polymorphic Virus W32.Bugbear.B Released in June 2003 Encrypted body with polymorphic decryptor Spreads via email & shared network drives Disarms popular anti-virus and firewall applications Installs key-logger Installs backdoor for remote access

Attacking Signature Scanners: Metamorphism Does not have a decryptor Morph code of the entire virus body No constant body signature scanning will not work Metamorphism Detecting metamorphic viruses Run suspect program in an emulator Analyze behavior while running Look for changes in file structure Some viruses modify files in a consistent way Disassemble and look for virus-like instructions Metamorphic Virus Win32.Evol The Win32.Evol virus appeared in early July, 2000 Polymorphic operations: Swaps instructions with equivalents Inserts junk code between essential instructions

Metamorphic Virus [Szor, 2001] An early generation c7060f000055 mov dword ptr [esi], 550000Fh c746048bbc5151 mov dword ptr [esi+0004], 5151BCBBh A later generation BF0F000055 mov edi, 550000Fh 893E mov [esi], edi 5F pop edi 52 push edx B640 mov dh, 40 BA8BEC5151 mov edx, 5151EC8Bh 53 push ebx 8BDA mov ebx, ebx 895E04 mov [esi+0004], ebx Attacking Behavior Monitors Bypass higher-level system calls AKA tunneling Act benign if running in emulator Summary Types of malware Virus, worms, Trojans, adware, spyware, etc. AV Technologies Integrity checkers AV Scanners Static Dynamic AV Process Analyze and extract signatures in lab Distribute signatures to desktops Analyze files/messages on desktops All AV technologies can be attacked

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback