Techniques, Tools, and Research Issues

Slides:



Advertisements
Similar presentations
Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.
Advertisements

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
Chapter 3 (Part 1) Network Security
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
1 Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004.
Beyond Anti-Virus by Dan Keller Fred Cohen- Computer Scientist “there is no algorithm that can perfectly detect all possible computer viruses”
Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2011.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 7 – Malicious Software.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Malware  Viruses  Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.
CIS3360: Security in Computing Chapter 4.2 : Viruses Cliff Zou Spring 2012.
Network Security Introduction Some of these slides have been modified from slides of Michael I. Shamos COPYRIGHT © 2003 MICHAEL I. SHAMOS.
Spyware and Viruses Group 6 Magen Price, Candice Fitzgerald, & Brittnee Breze.
 a crime committed on a computer network, esp. the Internet.
Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.
HUNTING FOR METAMORPHIC HUNTING FOR METAMORPHIC Péter Ször and Peter Ferrie Symantec Corporation VIRUS BULLETIN CONFERENCE ©2001 Presented by Stephen Karg.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly, but erroneously.
Chapter 10 Malicious software. Viruses and ” Malicious Programs Computer “ Viruses ” and related programs have the ability to replicate themselves on.
CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2015.
Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.
Return to the PC Security web page Lesson 5: Dealing with Malware.
Normalizing Metamorphic Malware Using Term Rewriting A. Walenstein, R. Mathur, M. R. Chouchane, and A. Lakhotia Software Research Laboratory The University.
CISC Machine Learning for Solving Systems Problems Presented by: Sandeep Dept of Computer & Information Sciences University of Delaware Detection.
Malicious Logic and Defenses. Malicious Logic Trojan Horse – A Trojan horse is a program with an overt (documented or known) effect and covert (undocumented.
Using Engine Signature to Detect Metamorphic Malware Mohamed R. Chouchane and Arun Lakhotia Software Research Laboratory The University of Louisiana at.
Malicious Software.
n Just as a human virus is passed from person from person, a computer virus is passed from computer to computer. n A virus can be attached to any file.
Chapter 19 – Malicious Software What is the concept of defense: The parrying of a blow. What is its characteristic feature: Awaiting the blow. —On War,
METAMORPHIC VIRUS NGUYEN LE VAN.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
ANTIVIRUS ANTIVIRUS Author: Somnath G. Kavalase Junior Software developer at PBWebvsion PVT.LTD.
Antivirus Software Technology By Mitchell Zell. Intro  Computers are vulnerable to attack  Most common type of attack is Malware  Short for malicious.
Protecting Computers From Viruses and Similarly Programmed Threats Ryan Gray COSC 316.
Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.
VIRUSES & ANTI- VIRU-SES. WHAT IS A COMPUTER VIRUS? A computer virus is a small software program that spreads from one computer to another computer and.
CompTIA Security+ Study Guide (SY0-401) Chapter 9: Malware, Vulnerabilities, and Threats.
MALWARE.
Bringing VX back to life!
King Fahd University of Petroleum & Minerals
Techniques, Tools, and Research Issues
Techniques, Tools, and Research Issues
V. A. Memos and K. E. Psannis*
Techniques, Tools, and Research Issues
Techniques, Tools, and Research Issues
Outline Introduction Viruses Trojan horses Trap doors Logic bombs
Lecture 8. Cyber Security, Ethics and Trust
Techniques, Tools, and Research Issues
Acknowledgement This lecture uses some contents from the lecture notes from: Dr. Vitaly Shmatikov CS Network Security and Privacy Introduction to.
Fix AOL Desktop Error Code 212 Call for Help
Rootkit A rootkit is a set of tools which take the ability to access a computer or computer network at administrator level. Generally, hackers install.
CSCD 303 Essential Computer Security Fall 2017
WHAT IS A VIRUS? A Computer Virus is a computer program that can copy itself and infect a computer A Computer Virus is a computer program that can copy.
Part 1: Basic Analysis Chapter 1: Basic Static Techniques
Computer Viruses.
Semantics-Aware Malware Detection
12: Security The Security Problem Authentication Program Threats
Chap 10 Malicious Software.
Executive Director and Endowed Chair
Executive Director and Endowed Chair
CSC 382/582: Computer Security
Malicious Software Network security Master:Mr jangjou
Chap 10 Malicious Software.
Operating System Concepts
Normalizing Metamorphic Malware Using Term Rewriting
Malicious Program and Protection
Introduction to Internet Worm
Presentation transcript:

Techniques, Tools, and Research Issues Virus Analysis Techniques, Tools, and Research Issues Part I: Introduction Michael Venable Arun Lakhotia University of Louisiana at Lafayette, USA

Introduction to Malware Common Forms of Malware Detection Techniques Anti-Detection Techniques

Common Forms of Malware Virus Needs a vector for propagation Worm No vector needed Can spread by: network shares, email, security holes Trojan horse Performs unstated and undesirable function Spyware, adware, logic bomb, backdoors, rootkits

Detection Technologies Integrity Checking Static Anti-Virus (AV) Scanners Signature-based Strings Regular expressions Static behavior analyzer Dynamic AV Scanners Behavior Monitors

AV Detection Process ANALYSIS LAB Sample Malicious: yes/no Removal Instructions DESKTOP Clean File Disinfector Signature Infected File File/Message Malicious: yes/no Scanner

Integrity Checking Compute cryptographic checksums of files Periodically compare checksum with current checksum If mismatch, file has been modified

AV Scanners: Static Analysis Analyze behavior of program without execution Detects Properties true for all executions of a program Examples Approximation of values Analyze patterns of system calls

AV Scanners: Signature-based Extract byte sequences from malware Search for byte sequence within files If found, file is infected Byte sequences may contain wildcards

Signature-Based Scanning Hex strings from virus variants 67 33 74 20 73 38 6D 35 20 76 37 61 67 36 74 20 73 32 6D 37 20 76 38 61 67 39 74 20 73 37 6D 33 20 76 36 61 Hex string for detecting virus 67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61 ?? = wildcard

AV Scanners: Dynamic Analysis Monitor a running program to detect malicious behavior Examples Intercepting system calls Analyzing audit trails Looking at patterns of system calls Allows examination of only selected testcases

Anti-Detection Techniques Attacking Integrity Checkers Attacking Signature-Based Scanners Polymorphism Metamorphism Attacking Static Behavior Analyzer Obfuscating Calls Attacking Behavior Monitors Non-Deterministic behavior Change behavior when being monitored

Attacking Integrity Checkers Intercept open() system call Open a non-infected backup of the file instead Restore system to original state after attack Infect system before checksums are computed

Attacking Signature Scanners: Polymorphism Virus body is encrypted Decryptor is propagated with virus Use different encryption keys Morph decryptor code Swap registers Insert garbage instructions Replace instruction with equivalents Reorder subroutines

Polymorphism Detecting polymorphic viruses Challenges Run suspect program in an emulator Wait until it decrypts Decrypted code will be identical for various copies Use signature scanning on decrypted virus body Challenges Determining when decryption is complete Decryptor can determine whether its running in an emulator

Polymorphic Virus W32.Bugbear.B Released in June 2003 Encrypted body with polymorphic decryptor Spreads via email & shared network drives Disarms popular anti-virus and firewall applications Installs key-logger Installs backdoor for remote access

Attacking Signature Scanners: Metamorphism Does not have a decryptor Morph code of the entire virus body No constant body signature scanning will not work

Metamorphism Detecting metamorphic viruses Run suspect program in an emulator Analyze behavior while running Look for changes in file structure Some viruses modify files in a consistent way Disassemble and look for virus-like instructions

Metamorphic Virus Win32.Evol The Win32.Evol virus appeared in early July, 2000 Polymorphic operations: Swaps instructions with equivalents Inserts junk code between essential instructions

Metamorphic Virus [Szor, 2001] An early generation c7060F000055 mov dword ptr [esi], 550000Fh c746048BBC5151 mov dword ptr [esi+0004], 5151BCBBh A later generation BF0F000055 mov edi, 550000Fh 893E mov [esi], edi 5F pop edi 52 push edx B640 mov dh, 40 BA8BEC5151 mov edx, 5151EC8Bh 53 push ebx 8BDA mov ebx, ebx 895E04 mov [esi+0004], ebx

Attacking Behavior Monitors Bypass higher-level system calls AKA tunneling Act benign if running in emulator

Summary Types of malware AV Technologies AV Process Virus, worms, Trojans, adware, spyware, etc. AV Technologies Integrity checkers AV Scanners – Static Dynamic AV Process Analyze and extract signatures in lab Distribute signatures to desktops Analyze files/messages on desktops All AV technologies can be attacked

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.