V. A. Memos and K. E. Psannis*

Presentation transcript:

A New Methodology based on Cloud Computing for Efficient Virus Detection
V. A. Memos and K. E. Psannis*
Department of Technology Management, * Department of Applied Informatics
University of Macedonia, Greece
http://users.uom.gr/~kpsannis/
http://www.mobility2net.eu/
CISSE Online e-Conference (TeNe), December 12-14, 2013

Research Purposes
- Understanding the way that antivirus programs work
- Understanding the weaknesses of the current antivirus techniques for data protection
- Proposing a new security model which can offer better security and efficient virus detection

Problem Definition
- Thousands of new malware samples are discovered daily and spread on the internet
- Virus programmers use many advanced techniques, such as code mutation and encryption methods (e.g. crypters), to make their viruses undetectable, so they are usually one step ahead of the antivirus programs
- Antivirus software uses various static and dynamic techniques to detect malware
- The most basic technique it uses is "signature scanning", which is considered outdated
- In addition, some of the newer techniques, such as heuristic detection methods, have many weaknesses

Virus signature method
- Signatures are byte sequences (strings) which are part of the virus code
- Each antivirus product chooses and uses a specific part of the byte sequence of a virus's code to identify it
- E.g. 55 8B EC 6A FF 68 90 70 41 00 68 B0 64 41 00 64
- This signature-based detection model has many advantages, but it inevitably has many weaknesses too

Advantages:
- Scan speed (lots of files are analyzed per second)
- Uses less memory and fewer system resources
Disadvantages:
- A signature is unlikely to be unique (given the huge number of files in existence, it is almost impossible for the same byte sequence not to occur in non-malicious files too)
- False positive problems
- It is easy for a skilled author to change it
- The virus database needs to be constantly updated
- This method is unable to detect polymorphic viruses (whose code is self-replicating and self-concealing) and new, unknown malware

Other detection methods (such as "heuristics")
- They are used in addition to signatures by many antivirus programs
- They are based on looking for suspicious instruction sequences that may indicate the presence of malware
- Better detection capabilities
- However, they produce a lot of false positives when they are tuned for the maximum detection rate
- In addition, such behavior-based detection methods take up many system resources, so they slow down the computer's operation and overload networks

Experiments
A. Finding the virus signature
B. The problem of false positives
C. Virus concealment

A. Finding the virus signature
Tools we use:
- the "s" file, 238KB in size, which looks like a picture but is actually an executable malicious file (a trojan horse) that is spread via social networks
- Avira antivirus (as an on-demand scanner)
- DSplit file splitter
- Windows command line
- HxD hex editor

dsplit.exe 0 max 10000 s.exe

The above command creates 25 new smaller files, each one 10,000 bytes larger than the previous file and 10,000 bytes smaller than the next.

Scan with Avira antivirus: the virus signature TR/Offend.kdv.49932 is found in the last 16 files

The virus signature TR/Offend.kdv.49932 is detected in the last 16 files, from the 100KB file to the final one. This means that some of the bytes added to the 90KB file make the 100KB one detectable as malware. So we delete all the created files except these two and continue with the next command:

dsplit.exe 90000 100000 1000 s.exe
This creates new files between the 90KB and 100KB ones, each 1,000 bytes larger than the previous one and 1,000 bytes smaller than the next.

Scanning these files again with Avira antivirus, we observe that 9 of the 11 files are detected as a trojan horse, from the 92KB file onwards. This means that there is something in the 92KB file that is not in the previous 91KB one.

The process is a routine: as before, we delete all the other files, keep these two, and type the next command, which is now:
dsplit.exe 91000 92000 100 s.exe
Repeating the above steps, the following commands are needed too:
dsplit.exe 91000 91100 10 s.exe
dsplit.exe 91040 91050 1 s.exe

Thus we end up with files that differ from each other by only 1 byte.

Scanning these files, we observe that only the 91050B file is detected as a trojan. So the single byte added to the 91049B file makes the next one detectable.

Open both files in the hex editor and compare their contents

The byte that is added and triggers the trojan detection is hexadecimal 41, the character "A". So we have found the end of the string signature that Avira antivirus uses to identify this trojan horse.
To find the start of the signature we need a clean, non-malicious file. We use the taskmgr.exe system file.
We open taskmgr.exe with HxD as well and copy some of the last bytes of the 91050B file into it. Then we scan it with Avira antivirus.
This is again a routine of adding bytes one by one from the detected file into the clean one, until we manage to make the clean file detectable as a trojan too.

Through repeated tests we find that Avira uses a 123-byte signature to detect the s.exe file as "TR/Offend.kdv.49932", consisting of the following bytes:
55 8B EC 6A FF 68 90 70 41 00 68 B0 64 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 30 70 41 00 59 83 0D C4 89 41 00 FF 83 0D C8 89 41 00 FF FF 15 34 70 41 00 8B 0D C0 89 41 00 89 08 FF 15 38 70 41 00 8B 0D BC 89 41 00 89 08 A1 5C 70 41 00 8B 00 A3 CC 89 41 00 E8 11 01 00 00 39 1D 90 89 41 00 75 0C 68 AC 64 41

B. The problem of false positives
The 123 bytes added to the original code of taskmgr.exe are no more than useless code: they neither affect the operation of the task manager nor make it malicious.

Result on the VirusTotal site: only Avira flags this file as malware...

C. Virus concealment
By changing a letter in a string of the malicious s.exe file, for example "U" to "u" (55 to 75 in hexadecimal), the signature changes, but the file's destructive function does not.

As a result, Avira antivirus is no longer able to detect the malware!

Proposed Approach
A hybrid security model which merges:
- System-Changes based signatures (a new proposed technique for creating virus signatures)
- the Sandboxing method
- Cloud technology

System-Changes based signatures
- This new method is not based on specific byte sequences, but on specific sequences of system changes
- A malicious file is identified by the sequence of changes it tries to cause on the computer system
- Each malicious behavior has its own distinct and unique signature

Sandboxing Method
- An isolated environment which provides an additional level of protection
- All files run inside the sandbox first, until the antivirus program verifies their function (malicious or not?)
- If the user runs a file that is malicious, the changes it causes to the system are not permanent
- In this case, the installed antivirus program blocks the file's malicious process and the system is reset to its previous state
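The two slides above describe identifying a file by the ordered sequence of system changes it attempts in the sandbox rather than by its bytes. The following is an added illustration of that idea, not the authors' code; the event vocabulary, the signature and the sample sandbox traces are all constructed for the example.

```python
"""System-changes based signature matching, as a sketch of the proposed technique.
A behaviour is identified by the ordered sequence of changes a file attempts on
the host while it runs in the sandbox, so the verdict does not depend on the
bytes of the file itself.  Event names and traces are constructed for this example."""

# A signature is an ordered tuple of (change type, target prefix) steps.
# Hypothetical vocabulary; the presentation does not define one.
SIGNATURES = {
    "startup-persistence": (
        ("file_write", "C:/Users/"),
        ("registry_set", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/"),
        ("process_start", "C:/Users/"),
    ),
}

def matches(trace, signature):
    """True if the signature's steps occur in the trace in that order;
    unrelated changes may be interleaved between them."""
    step = 0
    for change, target in trace:
        want_change, want_prefix = signature[step]
        if change == want_change and target.startswith(want_prefix):
            step += 1
            if step == len(signature):
                return True
    return False

def sandbox_verdict(trace):
    """Return ("block", [signature names]) or ("allow", []).  On "block" the
    antivirus would stop the process and discard the sandboxed changes."""
    hits = sorted(name for name, sig in SIGNATURES.items() if matches(trace, sig))
    return ("block", hits) if hits else ("allow", hits)

# Constructed sandbox traces: what each file did while running in isolation.
TROJAN = [
    ("file_write", "C:/Users/bob/AppData/Roaming/s.exe"),
    ("registry_set", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/s"),
    ("network_connect", "203.0.113.7:443"),
    ("process_start", "C:/Users/bob/AppData/Roaming/s.exe"),
]
# Same behaviour with different bytes and a different file name (as after the
# "U" -> "u" edit): the sequence of system changes is identical, so it still hits.
TROJAN_VARIANT = [(c, t.replace("s.exe", "svc_u.exe")) for c, t in TROJAN]
# A benign installer writes to the profile and starts a process but never touches
# the Run key, so the ordered sequence is never completed.
INSTALLER = [
    ("file_write", "C:/Users/bob/AppData/Local/app/app.exe"),
    ("process_start", "C:/Users/bob/AppData/Local/app/app.exe"),
]
```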

Cloud Technology
An architecture based on communication between servers located somewhere on the internet (the "cloud") and the computers connected to that "cloud". The connected computers have a small program installed, in our case the antivirus program, which acts as a client. Most of the program's processing takes place on the connected server, through a web service running in the cloud. So the computer does not need to process and store large amounts of data, in our case virus signatures. This means low memory and system resource consumption, without overloading the computer, even if it does not meet the minimum requirements of most current computers.

Proposed Model
- m cloud virtual sub-servers that constitute the Home Cloud Server
- n terminals connected to the m cloud virtual sub-servers
- i sandboxes contained in the n terminals
- k files inserted into the n terminals
- l virus signatures collected and stored in the Home Cloud Server's Virus Database
- l virus signatures transmitted from the Home Cloud Server's Virus Database to the m cloud virtual sub-servers' Virus Databases
where: i=1,2,..., n=1,2,..., m=1,2,..., k=1,2,..., l=1,2,..., and i=n.

Model Architecture

Conclusions and Future Work
- The current virus detection methods present many security problems
- Our proposed model merges System-Changes-based Virus Signatures, Cloud Computing and Sandboxing technologies and can offer maximally efficient protection against known and unknown internet threats
- Future work will include a deeper study and analysis of how well the new proposed security model can be adopted in practice

Questions?
V. A. Memos and K. E. Psannis*
University of Macedonia, Greece
http://users.uom.gr/~kpsannis/
http://www.mobility2net.eu/
Emails: tm0844@uom.gr, kpsannis@uom.gr