Antivirus Software - PowerPoint PPT Presentation

1
Antivirus Software
  • By Eng. Ammar J.Mahmood
  • Supervised by Dr. Loai Tawalbeh
  • New York Institute of Technology (NYIT), Jordan
    campus

2
Introduction
  • Antivirus software consists of computer programs
    that attempt to identify, thwart and eliminate
    computer viruses and other malicious software
    (malware).
  • Malware or Malicious Software is software
    designed to infiltrate or damage a computer
    system without the owner's informed consent.
  • Types of malware include spyware, adware, Trojan
    horses, worms, and viruses.

3
Malware
  • Know your enemy

4
The Virus
  • A computer virus is a self-replicating computer
    program written to alter the way a computer
    operates, without the permission or knowledge of
    the user
  • Why do people create computer viruses?
  • Some virus writers consider their creations to be
    works of art, and see virus writing as a creative
    hobby.
  • Viruses have been written as research projects,
    as pranks, as vandalism, and to attack the
    products of specific companies.

5
The Virus
  • Why do people create computer viruses?
  • Some viruses were intended as "good viruses":
    they spread improvements to the programs they
    infect, or delete other viruses. Such viruses
    are, however, quite rare; they still consume
    system resources and may accidentally damage the
    systems they infect.

6
The Virus
  • Viruses can be subdivided into a number of types,
    the main ones being:
  • Boot sector viruses
  • A boot sector virus alters or hides in the boot
    sector, usually the first sector, of a bootable
    disk or hard drive.
  • The boot sector contains bootstrap code (which
    usually, but not necessarily, starts an operating
    system).
  • Boot sector infector viruses replace the
    bootstrap code in the boot sectors (of floppy
    disks, hard disks, or both) with viral code.
  • The BIOS on IBM PC compatible machines is
    ignorant of whether a disk has in fact been
    high-level formatted and had an operating system
    installed on it.
  • This results in a security vulnerability. A user
    who sees the error message may not be aware that
    the code in the boot sector of the disk has
    already been run by that point, and that if the
    disk was infected by a boot-sector computer virus

7
The Virus
  • Companion viruses create new files (typically
    .COM, but they can also use other extensions such
    as ".EXD") that have the same file names as
    legitimate .EXE files. When a user types in the
    name of a desired program without specifying a
    file extension, DOS assumes the file with the
    extension that comes first in alphabetical order
    was meant, and runs the virus.
  • An email virus is a virus which uses e-mail
    messages as a mode of transport. These viruses
    often copy themselves by automatically mailing
    copies to hundreds of people in the victim's
    address book.

8
The Virus
  • Logic bombs and time bombs employ code that lies
    inert until specific conditions (e.g. having
    infected a certain number of hosts) are met.
    Satisfying the conditions triggers a certain
    function (such as printing a message to the user
    and/or deleting files).
  • Macro viruses, often written in the scripting
    languages for Microsoft programs such as Word and
    Excel, spread in Microsoft Office by infecting
    documents and spreadsheets.
  • A cross-site scripting virus is a type of virus
    that uses cross-site scripting vulnerabilities
    to replicate.

9
The Virus
  • Methods to avoid detection
  • Avoiding bait files and other undesirable hosts:
    a virus needs to infect hosts in order to spread
    further. In some cases, it might be a bad idea to
    infect a host program. For example, many
    anti-virus programs perform an integrity check of
    their own code. Infecting such programs will
    therefore increase the likelihood that the virus
    is detected.
  • Bait files (or goat files) are files that are
    specially created by anti-virus software.
  • Anti-virus professionals can use bait files to
    take a sample of a virus
  • Anti-virus professionals can use bait files to
    study the behavior of a virus and evaluate
    detection methods.
  • Some anti-virus software employs bait files that
    are accessed regularly. When these files are
    modified, the anti-virus software warns the user
    that a virus is probably active on the system.
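The bait-file idea above, as an added example (not code from the presentation): plant small files that no legitimate program should touch, record their size and hash, and re-check them periodically. Any change, including a size change from an appending infector or a deletion, is the warning the slide describes. The directory, file names and bait contents are all assumptions chosen here.

```python
"""Bait-file (goat-file) monitor: plants files with a known baseline and
reports any later modification. Added example, not the presentation's code."""
import hashlib
from pathlib import Path

# Constructed bait content: a tiny executable-looking header so that an
# infector looking for program files finds the bait attractive.
BAIT_CONTENT = b"MZ" + b"\x00" * 62 + b"BAIT-FILE DO NOT EXECUTE\r\n"


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_bait(directory, names=("GOAT.COM", "GOAT.EXE")) -> dict:
    """Create the bait files and return a baseline {path: (size, sha256)}."""
    baseline = {}
    d = Path(directory)
    d.mkdir(parents=True, exist_ok=True)
    for name in names:
        p = d / name
        p.write_bytes(BAIT_CONTENT)
        baseline[str(p)] = (p.stat().st_size, _sha256(p))
    return baseline


def check_bait(baseline: dict) -> list:
    """Compare the bait files against the baseline and return alerts.
    An empty list means nothing has touched the bait."""
    alerts = []
    for path, (size, digest) in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append(f"{path}: bait file deleted")
            continue
        new_size = p.stat().st_size
        if new_size != size:
            # Appending infectors grow the host; report the delta.
            alerts.append(f"{path}: size changed {size} -> {new_size}")
        elif _sha256(p) != digest:
            # Same size but different bytes: an overwriting/cavity infector.
            alerts.append(f"{path}: contents changed, same size")
    return alerts


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        base = plant_bait(tmp)
        print("clean:", check_bait(base))
        # Simulate an appending infector touching the first bait file.
        with open(next(iter(base)), "ab") as f:
            f.write(b"\x90" * 16)
        print("after modification:", check_bait(base))
```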

10
The Virus
  • Stealth / Rootkit
  • A virus can hide itself by intercepting the
    anti-virus software's request to read the file
    and handling the request itself, instead of
    passing it to the OS.
  • The virus can then return an uninfected version
    of the file to the anti-virus software, so that
    it seems that the file is "clean".
  • Modern anti-virus software employs various
    techniques to counter the stealth mechanisms of
    viruses.

11
The Virus
  • A rootkit is a set of software tools intended to
    conceal running processes, files or system data
    from the operating system.
  • Rootkit types
  • Virtualised: these rootkits work by modifying the
    boot sequence of the machine to load themselves
    instead of the original operating system. Once
    loaded into memory, a virtualised rootkit then
    loads the original operating system as a virtual
    machine, thereby enabling the rootkit to intercept
    all hardware calls made by the guest OS.
  • Kernel level: kernel-level rootkits add
    additional code and/or replace a portion of kernel
    code with modified code to help hide a backdoor on
    a computer system.

12
The Virus
  • Rootkit types
  • Library level: these rootkits commonly patch,
    hook, or replace system calls with versions that
    hide information about the attacker.
  • Application level: these rootkits may replace
    regular application binaries with trojanized
    fakes, or they may modify the behavior of existing
    applications using hooks, patches, injected code,
    or other means.
  • The only completely reliable method to avoid
    stealth is to boot from a medium that is known to
    be clean.
  • This is done by shutting down the computer
    suspected of infection and checking its storage
    by booting from alternative media (e.g. a rescue
    CD-ROM or USB flash drive). A non-running rootkit
    cannot hide its presence, and most established
    antivirus programs will identify rootkits that
    arm themselves via standard OS calls.

13
The Virus
  • Self-modification
  • Some viruses employ techniques that make
    detection by means of signatures difficult or
    impossible.
  • These viruses modify their code on each
    infection. That is, each infected file contains a
    different variant of the virus.
  • Simple self-modifications: some viruses modify
    themselves only in simple ways. For example, they
    regularly exchange subroutines in their code for
    others that perform the same action; for
    example, 2+2 could be swapped for 1+3. This poses
    no problem to a somewhat advanced virus scanner.

14
The Virus
  • Encryption with a variable key
  • A more advanced method is the use of simple
    encryption to encipher the virus.
  • The virus consists of a small decrypting module
    and an encrypted copy of the virus code.
  • Because the virus is encrypted with a different
    key for each infected file, the only part of the
    virus that remains constant is the decrypting
    module.
  • A virus scanner cannot directly detect the virus
    body using signatures, but it can still detect
    the decrypting module, which makes indirect
    detection of the virus possible.
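The scanner's side of this slide, as an added example (not the presentation's code): the stub, the body and the rolling-XOR cipher are constructed placeholders standing in for a real decrypting module, virus code and "simple encryption". It shows why a dictionary signature on the body misses every copy while a signature on the constant stub still hits, why the enciphered body stands out statistically, and what the emulator step on the next slide achieves once the stub has been located.

```python
"""Signature scan vs. a per-infection encryption key. Added example."""
import math
from collections import Counter

# Constructed placeholders: STUB stands for the small, constant decrypting
# module; BODY stands for the virus code that is enciphered per infection.
STUB = b"DECRYPT-LOOP:\x8a\x07\x32\xc2\x88\x07\x47\xe2\xf8"
BODY = b"CONSTRUCTED-VIRUS-BODY " * 8


def xor_rolling(data: bytes, key: int) -> bytes:
    """Simple cipher: XOR each byte with a keystream that starts at `key`
    and steps by one per byte. Applying it twice with the same key restores
    the input, so the same routine also serves as the decryptor."""
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(data))


def make_infection(key: int) -> bytes:
    """Layout of one infected copy: constant stub, one key byte, enciphered
    body. A real virus picks a fresh key for every file it infects."""
    return STUB + bytes([key]) + xor_rolling(BODY, key)


def scan(sample: bytes, signatures: dict) -> list:
    """Dictionary scan: names of every signature whose bytes occur in sample."""
    return [name for name, sig in signatures.items() if sig in sample]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte. Code and text sit well below 8;
    enciphered data approaches it, which is what statistical pattern
    analysis of the encrypted body looks for."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def recover_body(sample: bytes) -> bytes:
    """What an emulator achieves: find the stub, run its decryption over the
    rest of the sample, and hand the plaintext body back to the scanner."""
    i = sample.find(STUB)
    if i < 0:
        return b""
    i += len(STUB)
    return xor_rolling(sample[i + 1:], sample[i])


SIGNATURES = {"body-sig": BODY[:24], "stub-sig": STUB}

if __name__ == "__main__":
    for key in (0x5A, 0xC3):
        s = make_infection(key)
        body = s[len(STUB) + 1:]
        print(f"key={key:#04x} hits={scan(s, SIGNATURES)} "
              f"body entropy {entropy(body):.2f} vs plaintext {entropy(BODY):.2f} "
              f"recovered={'yes' if recover_body(s) == BODY else 'no'}")
```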

15
The Virus
  • Polymorphic code
  • Polymorphic code was the first technique that
    posed a serious threat to virus scanners.
  • It is the same as an encrypted virus, except that
    the decryption module is also modified on each
    infection.
  • To enable polymorphic code, the virus has to have
    a polymorphic engine (also called a mutating
    engine or mutation engine) somewhere in its
    encrypted body.
  • Anti-virus software can detect it by decrypting
    the virus using an emulator, or by statistical
    pattern analysis of the encrypted virus body.

16
The Virus
  • Metamorphic code
  • To avoid being detected by emulation, some
    viruses rewrite themselves completely each time
    they are to infect new executables.
  • A virus does this by translating its own code
    into a temporary representation, and then back to
    normal code again.
  • Metamorphic code is more effective than
    polymorphic code. This is because most anti-virus
    software will try to search for known virus code
    even during the execution of the code.
  • A metamorphic virus is usually very large and
    complex. For example, W32/Simile consisted of
    over 14000 lines of assembly language code, 90%
    of it part of the metamorphic engine.

17
The Virus
  • Replication strategies
  • In order to replicate itself, a virus must be
    permitted to execute code and write to memory.
    For this reason, many viruses attach themselves
    to executable files that may be part of
    legitimate programs.
  • Viruses can be divided into two types on the
    basis of their behavior when they are executed:

18
The Virus
  • Nonresident viruses
  • Nonresident viruses immediately search for other
    hosts that can be infected, infect these targets,
    and finally transfer control to the application
    program they infected.
  • Nonresident viruses can be thought of as
    consisting of a finder module and a replication
    module.
  • The finder module is responsible for finding new
    files to infect. For each new executable file the
    finder module encounters, it calls the
    replication module to infect that file.

19
The Virus
  • Resident viruses
  • Resident viruses do not search for hosts when
    they are started. Instead, a resident virus loads
    itself into memory on execution and transfers
    control to the host program.
  • The virus stays active in the background and
    infects new hosts when those files are accessed
    by other programs or the operating system itself.
  • Resident viruses contain a replication module
    that is similar to the one that is employed by
    nonresident viruses. However, this module is not
    called by a finder module. Instead, the virus
    loads the replication module into memory when it
    is executed and ensures that this module is
    executed each time the operating system is called
    to perform a certain operation.

20
The Virus
  • Resident viruses are sometimes subdivided into
    two categories:
  • Fast infectors are designed to infect as many
    files as possible. A fast infector can infect
    every potential host file that is accessed.
  • This poses a special problem to anti-virus
    software, since a virus scanner will access every
    potential host file on a computer when it
    performs a system-wide scan. If the virus scanner
    fails to notice that such a virus is present in
    memory, the virus can "piggy-back" on the virus
    scanner and in this way infect all files that are
    scanned.
  • The disadvantage of this method is that infecting
    many files may make detection more likely,
    because the virus may slow down a computer or
    perform many suspicious actions that can be
    noticed by anti-virus software.

21
The Virus
  • 2nd category: Slow infectors
  • Slow infectors are designed to infect hosts
    infrequently. For instance, some slow infectors
    only infect files when they are copied.
  • Slow infectors are designed to avoid detection by
    limiting their actions: they are less likely to
    slow down a computer noticeably, and will at most
    infrequently trigger anti-virus software that
    detects suspicious behavior by programs.
  • The slow infector approach does not seem very
    successful, however.

22
The Virus
  • Host types
  • Binary executable files (such as COM files and
    EXE files in MS-DOS, Portable Executable files in
    Microsoft Windows, and ELF files in Linux)
  • Volume Boot Records of floppy disks and hard disk
    partitions
  • The master boot record (MBR) of a hard disk
  • General-purpose script files (such as batch files
    in MS-DOS and Microsoft Windows, VBScript files,
    and shell script files on Unix-like platforms).
  • Application-specific script files (such as
    Telix-scripts)
  • Documents that can contain macros (such as
    Microsoft Word documents, Microsoft Excel
    spreadsheets, AmiPro documents, and Microsoft
    Access database files)

23
The Worm
  • A computer worm is a self-replicating computer
    program. It uses a network to send copies of
    itself to other nodes (computer terminals on the
    network) and it may do so without any user
    intervention.
  • Unlike a virus, it does not need to attach itself
    to an existing program.
  • Worms always harm the network (if only by
    consuming bandwidth), whereas viruses always
    infect or corrupt files on a targeted computer.

24
The Worm
  • Types of computer worms
  • Email worms: spread via email messages. Typically
    the worm will arrive as email, where the message
    body or attachment contains the worm code, but it
    may also link to code on an external website.
  • Instant messaging worms: these spread via instant
    messaging applications by sending links to
    infected websites to everyone on the local
    contact list.
  • IRC worms: chat channels are the main target, and
    the same infection/spreading method is used as
    above.

25
The Worm
  • Types of computer worms
  • File-sharing network worms: the worm copies
    itself into a shared folder, most likely located
    on the local machine, under a harmless name. Now
    the worm is ready for download via the P2P
    network, and spreading of the infected file will
    continue.
  • Internet worms
  • These target low-level TCP/IP ports directly,
    rather than going via higher-level protocols such
    as email or IRC.
  • A classic example is "Blaster", which exploited a
    vulnerability in Microsoft's Remote Procedure
    Call (RPC) service. An infected machine
    aggressively scans random computers on both its
    local network and the public Internet, attempting
    an exploit against port 135 which, if successful,
    spreads the worm to that machine.

26
The Worm
  • Payloads
  • Many worms have been created which are only
    designed to spread, and don't attempt to alter
    the systems they pass through.
  • A "payload" is code designed to do more than
    spread the worm - it might delete files on a host
    system (e.g. the ExploreZip worm), encrypt files
    in a cryptoviral extortion attack, or send
    documents via e-mail.
  • A very common payload for worms is to install a
    backdoor in the infected computer to allow the
    creation of a "zombie" under the control of the
    worm author.

27
Antivirus SW
28
Antivirus
  • Antivirus software typically uses two different
    techniques to accomplish its mission:
  • Examining (scanning) files to look for known
    viruses matching definitions in a virus
    dictionary.
  • Identifying suspicious behavior from any computer
    program which might indicate infection. Such
    analysis may include data captures, port
    monitoring and other methods.

29
Antivirus modes
  • Anti-virus programs have two basic modes:
  • Static file scanning is useful when you have to
    scan a file or a volume to check whether any of
    the files are currently infected with malware.
  • Real-time dynamic scanning is what is really
    needed to prevent the computer from getting
    infected in the first place. In this mode, all
    files that the operating system opens or uses are
    scanned before they are fully opened.

30
Approaches
  • Dictionary
  • A signature is a characteristic byte pattern that
    is part of a certain virus or family of viruses.
  • In the virus dictionary approach, when the
    antivirus software examines a file, it refers to
    a dictionary of known viruses that the authors of
    the antivirus software have identified. If a
    piece of code in the file matches any virus
    identified in the dictionary, then the antivirus
    software can take one of the following actions:
  • attempt to repair the file by removing the virus
    itself from the file
  • quarantine the file (such that the file remains
    inaccessible to other programs and its virus can
    no longer spread)
  • delete the infected file

31
Approaches
  • Dictionary
  • The virus dictionary approach requires periodic
    (generally online) downloads of updated virus
    dictionary entries.
  • When users identify new viruses "in the wild",
    they can send their infected files to the authors
    of antivirus software, who then include
    information about the new viruses in their
    dictionaries.
  • Dictionary-based antivirus software typically
    examines files when the computer's operating
    system creates, opens, closes or e-mails them. In
    this way it can detect a known virus immediately
    upon receipt.

32
Approaches
  • Dictionary
  • A system administrator can typically schedule the
    antivirus software to examine (scan) all files on
    the user's hard disk on a regular basis.
  • Although the dictionary approach can effectively
    contain virus outbreaks in the right
    circumstances.

33
Approaches
  • Dictionary
  • Virus techniques for evading the dictionary
    approach are:
  • Metamorphic code
  • Polymorphic code
  • Oligomorphic engine: generally used by a
    computer virus to generate a decryptor for itself
    in a way comparable to a simple polymorphic
    engine.

34
Approaches
  • Dictionary
  • The weaknesses of the previous techniques are:
  • Polymorphism
  • A small portion of the virus is left unencrypted
    and used to jump-start the encrypted software.
    Anti-virus software targets this small
    unencrypted portion of code.
  • Anti-virus software can detect it by decrypting
    the virus using an emulator, or by statistical
    pattern analysis of the encrypted virus body.
  • Most oligomorphic viruses aren't able to generate
    more than just a few hundred different
    decryptors, so detecting them with simple
    signatures is still possible.

35
Approaches
  • Suspicious behavior
  • The suspicious behavior approach doesn't attempt
    to identify known viruses, but instead monitors
    the behavior of all programs.
  • If one program tries to write data to an
    executable program, for example, the antivirus
    software can flag this suspicious behavior, alert
    a user and ask what to do.

36
Approaches
  • Suspicious behavior
  • The suspicious behavior approach therefore
    provides protection against brand-new viruses
    that do not yet exist in any virus dictionary.
  • However, it can also sound a large number of
    false positives, and users will probably become
    desensitized to all the warnings.
  • If the user clicks "Accept" on every such
    warning, then the antivirus software obviously
    gives no benefit to that user.
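The rule from the previous slide ("a program writes data to an executable") applied to a stream of file-operation events, as an added example (not the presentation's code). It also shows the allow-list that the false-positive problem on this slide forces on such a monitor: without it the installer is flagged alongside the infector. The event lines, process names, field layout and allow-list policy are all constructed assumptions.

```python
"""Minimal behaviour monitor for writes to executable files. Added example."""
from collections import defaultdict

EXECUTABLE_EXT = (".exe", ".com", ".dll", ".sys")

# Constructed events, one per line: timestamp,pid,process,op,target.
# setup.exe is a legitimate installer; photo.scr behaves like a fast infector.
SAMPLE_EVENTS = """\
10:00:01,412,setup.exe,write,C:\\Program Files\\App\\app.exe
10:00:02,412,setup.exe,write,C:\\Program Files\\App\\helper.dll
10:00:05,777,notepad.exe,write,C:\\Users\\a\\notes.txt
10:00:07,901,photo.scr,write,C:\\Windows\\calc.exe
10:00:07,901,photo.scr,write,C:\\Windows\\notepad.exe
10:00:08,901,photo.scr,write,C:\\Windows\\write.exe
10:00:08,901,photo.scr,write,C:\\Windows\\mspaint.exe
10:00:09,901,photo.scr,read,C:\\Windows\\explorer.exe
"""

# Assumed policy: installers/updaters that legitimately write executables.
ALLOWED_WRITERS = {"setup.exe", "msiexec.exe"}
# Distinct executables one process may write before it is escalated.
FAST_INFECTOR_THRESHOLD = 3


def parse_events(text: str):
    for line in text.splitlines():
        ts, pid, proc, op, target = line.split(",", 4)
        yield {"ts": ts, "pid": int(pid), "proc": proc, "op": op, "target": target}


def analyse(events, allowed=ALLOWED_WRITERS, threshold=FAST_INFECTOR_THRESHOLD):
    """Return alert strings. Each write to an executable by a process that is
    not allow-listed is flagged; a process that writes `threshold` or more
    distinct executables is escalated once as a fast infector."""
    alerts = []
    written = defaultdict(set)   # (pid, proc) -> executables it wrote
    escalated = set()
    for e in events:
        if e["op"] != "write" or not e["target"].lower().endswith(EXECUTABLE_EXT):
            continue
        if e["proc"].lower() in allowed:
            continue  # the accepted false-positive source: installers
        key = (e["pid"], e["proc"])
        written[key].add(e["target"])
        alerts.append(f'{e["ts"]} suspicious: {e["proc"]} (pid {e["pid"]}) '
                      f'wrote executable {e["target"]}')
        if len(written[key]) >= threshold and key not in escalated:
            escalated.add(key)
            alerts.append(f'{e["ts"]} FAST INFECTOR: {e["proc"]} (pid {e["pid"]}) '
                          f'modified {len(written[key])} executables')
    return alerts


if __name__ == "__main__":
    for a in analyse(parse_events(SAMPLE_EVENTS)):
        print(a)
    print("--- without an allow-list the installer is flagged too:")
    for a in analyse(parse_events(SAMPLE_EVENTS), allowed=set()):
        print(a)
```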

37
Approaches
  • Suspicious behavior weakness
  • The fact that much legitimate software behaves
    like malicious software makes the job of the
    antivirus harder.
  • Example: there are commercial software protectors
    that have many features such as dynamic code
    encryption/decryption, code replacement, a
    metamorphic engine, API export, anti-debug/dump/
    trace and more. They are used to protect software
    programs from illegal use (cracking and reverse
    engineering).

38
Approaches
  • Heuristic analysis
  • Heuristic scanners try to emulate the beginning
    of the code of each new executable that the
    system invokes before transferring control to
    that executable.
  • If the program seems to use self-modifying code
    or otherwise appears as a virus (if it
    immediately tries to find other executables, for
    example), one could assume that a virus has
    infected the executable.
  • Heuristic scanners have a higher rate of false
    positives than do signature scanners but they
    have the significant advantage of being able to
    detect unknown viruses.

39
Approaches
  • Sandbox
  • A sandbox is a security mechanism for safely
    running programs. It is often used to execute
    untested code, or programs from unverified
    third parties, suppliers and untrusted users.
  • The sandbox emulates the operating system and
    runs the executable in this simulation. After the
    program has terminated, software analyzes the
    sandbox for any changes which might indicate a
    virus.
  • Because of performance issues, this type of
    detection normally only takes place during
    on-demand scans.

40
Approaches
  • Sandbox
  • This method may also fail, as a virus can be
    nondeterministic and take different actions, or
    no action at all, each time it is run, so it will
    be impossible to detect it from one run.
  • The sandbox typically provides a tightly
    controlled set of resources for guest programs to
    run in.

41
Weaknesses of antivirus SW
  • Many security professionals agree that the
    current approach of defending against malicious
    software with antivirus is not good enough, but
    it is the best solution that we have right now.
  • Here is a brief summary of the main shortcomings
    of antivirus software:

42
Weaknesses of antivirus SW
  • 1. Reactive approach: your antivirus is only as
    good as your definition files. If you have not
    updated them, the antivirus program will not be
    able to detect new malware. The most critical
    problems for antivirus software in detecting
    malicious code are:
  • new or modified malicious code
  • rootkit programs
  • software misuse
  • 2. Inability to protect themselves: with
    sufficient system permissions, malware can change
    antivirus settings and configuration.

43
Weaknesses of antivirus SW
  • 3. Inability to revert the results of the malware
    infection process.
  • Too often, the installation process of malware
    includes copying files, changing the registry and
    system configuration files, and changing other
    software's configuration. Some of these changes
    are still present in the infected system even
    after an antivirus program deletes or disinfects
    the malware files.
  • For almost every severe virus/worm, antivirus
    vendors issue a Removal Tool.
  • This means that the antivirus vendors are saying
    to their customers: our antivirus isn't good
    enough to clean your system, please use this
    tool.

44
Retro Viruses
  • Retro viruses are viruses that attack security
    programs.
  • Attack is the best defense strategy.
  • Instead of hiding from detection by security
    software, the malware targets that software as
    (part of) its malicious action.
  • We will discuss in the next slides some of the
    techniques used by retro viruses.

45
The Black Antivirus
  • A (white) antivirus is used for good purposes,
    while a Black Antivirus is the same antivirus,
    but used for bad purposes.
  • An unexpected problem
  • The virus definition database has definitions
    for the security tools used today in the computer
    security world to defend and protect computer
    systems.
  • Malware could include an antivirus engine and
    signature definition files for security tools.
  • To protect our tools we need to evade the
    antivirus detection! Therefore, our security
    tools need to be polymorphic or even
    metamorphic.

46
The Black Intrusion Detection System
  • Malware can use an IDS system to shut down
    security systems at the network level.
  • Such malware will primarily target internal
    corporate LANs and could carry an IDS engine
    itself or change the existing one with new rules
    (if possible).
  • The malware carries the engine itself and uses
    MAC and ARP poisoning to sniff in a switched
    network.
  • Any communication that passes over a wire where
    the malware was able to see it is subject to
    this attack.
  • The solution for this problem may be the use of
    covert channels.

47
Practical Examples
48
Virus Example
  • Win32/Simile
  • Win32/Simile is a metamorphic computer virus
    written in assembly language for Microsoft
    Windows (the most recent version dates from early
    March 2002).
  • It was written by the virus writer Mental Driller.
  • When the virus is first executed, it checks the
    current date. If the host file (the file that is
    infected with the virus) imports the file
    User32.dll, then on the 17th of March, June,
    September, or December, a message is displayed.
  • Depending on the version of the virus the case of
    each letter in the text is altered randomly. On
    May 14, a message saying "Free Palestine!" will
    be displayed if the system locale is set to
    Hebrew.

49
Virus Example
  • The virus then rebuilds itself. This metamorphic
    process is very complex and accounts for around
    90% of the virus' code.
  • After the rebuild, the virus searches for
    executable files in folders on all fixed and
    remote drives.
  • The virus contains checks to avoid infecting
    "goat" or "bait" files.
  • The infection process uses the structure of the
    host, as well as random factors, to control the
    placement of the virus body and the decryptor.
  • The virus contains no destructive payload.

50
SQL slammer worm
  • The SQL Slammer worm is a computer worm that
    caused a denial of service on some Internet hosts
    and dramatically slowed down general Internet
    traffic.
  • It spread rapidly, infecting most of its 75,000
    victims within ten minutes.
  • It exploited two buffer overflow bugs in
    Microsoft's flagship SQL Server and Desktop
    Engine database products.
  • The worm is a small (376 bytes) piece of code
    that does little other than generate random IP
    addresses and send itself out to those addresses.

51
SQL slammer worm
  • If a selected address happens to belong to a host
    that is running an unpatched copy of the Microsoft
    SQL Server Resolution Service / MSDE, the host
    immediately becomes infected and begins spraying
    the Internet with more copies of the worm
    program.
  • The worm is so small that it does not contain
    code to write itself to disk, so it only stays in
    memory, and it is easy to remove.
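Both worm examples on this page, Blaster scanning random hosts on port 135 and Slammer spraying random addresses, leave the same trace on the network: one source reaching many distinct destinations on a single port within seconds. The detector below is an added example (not the presentation's code) that flags that pattern over constructed flow records; the record format is an assumption, 135/tcp is the Blaster port the slide names, and 1434/udp is the SQL Server Resolution Service port Slammer used.

```python
"""Sliding-window detector for worm-style address spraying. Added example."""
from collections import defaultdict

# Constructed flow log, one per line: epoch_seconds,src,dst,proto,dport.
# 10.0.0.5 sprays random hosts on 135/tcp, 10.0.0.9 on 1434/udp, and
# 10.0.0.7 is ordinary browsing to a single web server.
SAMPLE_FLOWS = """\
1000,10.0.0.7,93.184.216.34,tcp,443
1000,10.0.0.5,203.0.113.10,tcp,135
1000,10.0.0.5,198.51.100.77,tcp,135
1001,10.0.0.5,192.0.2.200,tcp,135
1001,10.0.0.5,203.0.113.99,tcp,135
1002,10.0.0.5,198.51.100.3,tcp,135
1002,10.0.0.7,93.184.216.34,tcp,443
1003,10.0.0.9,192.0.2.10,udp,1434
1003,10.0.0.9,192.0.2.11,udp,1434
1003,10.0.0.9,192.0.2.12,udp,1434
1004,10.0.0.9,192.0.2.13,udp,1434
1004,10.0.0.9,192.0.2.14,udp,1434
1020,10.0.0.5,203.0.113.50,tcp,135
"""


def parse_flows(text: str):
    for line in text.splitlines():
        ts, src, dst, proto, dport = line.split(",")
        yield int(ts), src, dst, proto, int(dport)


def detect_sprayers(flows, window=10, threshold=5):
    """Return {(src, proto, dport): peak_distinct_destinations} for every
    source that reached at least `threshold` distinct destinations on one
    port within `window` seconds. The sliding window keeps a slow, legitimate
    trickle of connections below the threshold; a worm's burst crosses it."""
    recent = defaultdict(list)   # key -> [(ts, dst)] in arrival order
    alerts = {}
    for ts, src, dst, proto, dport in flows:
        key = (src, proto, dport)
        bucket = recent[key]
        bucket.append((ts, dst))
        # Expire records that fell out of the window.
        while bucket and bucket[0][0] < ts - window:
            bucket.pop(0)
        distinct = {d for _, d in bucket}
        if len(distinct) >= threshold:
            alerts[key] = max(len(distinct), alerts.get(key, 0))
    return alerts


if __name__ == "__main__":
    for (src, proto, dport), n in detect_sprayers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} reached {n} distinct hosts on {dport}/{proto} within 10s: "
              f"worm-like scanning")
```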

52
Antivirus Example
  • One of the most popular full-featured freeware
    anti-virus applications for Microsoft Windows
    users.
  • Official website: http://www.avast.com/

53
Antivirus Example
  • Features
  • Standard Shield: real-time protection
  • IM Shield: instant messenger protection
  • P2P Shield: P2P protection
  • Internet Mail: e-mail protection
  • Outlook/Exchange: Microsoft Outlook/Exchange
    protection
  • Web Shield: HTTP protection (local transparent
    proxy)
  • Script Blocker: script checker
  • Network Shield: basic protection against
    well-known network worms. Acts as a lightweight
    intrusion detection system.
  • Audible alarms: vocal warnings such as "Caution,
    a virus has been detected!"
  • Boot-time scan: through the program interface, a
    user can schedule a boot-time scan to remove
    viruses that load during Windows startup and are
    therefore difficult to remove.

54
Resources
  • http://www.securityelf.org/files/Andrey_Bayora_software_misuse.pdf
  • http://en.wikipedia.org/wiki/Antivirus
  • http://www.research.ibm.com/antivirus/SciPapers/Gordon/Strategy.html
  • http://www.sans.org/reading_room/whitepapers/malicious/68.php
  • http://en.wikipedia.org/wiki/Software_virus
  • http://www.symantec.com/security_response/writeup.jsp?docid=2002-030617-5423-99
  • http://en.wikipedia.org/wiki/Computer_virus

55
Thank you