Dr. Richard Ford. Szor 11 – Virus Scanners: how they work, why they matter, how to write one…

- Look for "known" viruses
- Basically, used to look for hex strings in files
- Virus writers tried to make this more difficult… (as we saw last week)

- Generic/specific
- On-demand, on-access

- Look for an extracted sequence of bytes
- Skill required to select a signature which won't cause false positives!

- Exact identification…
- How about boot sector virus detection?
- Sometimes we have data in the string… so we have to use a wildcard: 0400 B E 07BB ??02 %3 33C9
- Can be Boyer-Moore… (the Boyer–Moore string search algorithm)
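As an added example (not from the slides), a small matcher for this wildcard notation; it assumes "??" matches any single byte and "%N" lets up to N arbitrary bytes be skipped before the next fixed bytes. The signature and buffer are constructed, and the search is a naive scan at every offset rather than Boyer–Moore.

```python
# Added example: matcher for the "??" / "%N" wildcard signature notation.
# Assumptions: "??" matches any one byte, "%N" skips 0..N bytes before the
# next token. Naive scan at every offset (Boyer-Moore would only speed this up).
from typing import List, Optional, Tuple, Union

ANY = "??"
Token = Union[int, str, Tuple[str, int]]


def parse_signature(sig: str) -> List[Token]:
    """'E800 005D %4 B44E' -> [0xE8, 0x00, 0x00, 0x5D, ('skip', 4), 0xB4, 0x4E]."""
    tokens: List[Token] = []
    for word in sig.split():
        if word.startswith("%"):
            tokens.append(("skip", int(word[1:])))
            continue
        if len(word) % 2:
            raise ValueError(f"odd-length hex word: {word}")
        for i in range(0, len(word), 2):
            pair = word[i:i + 2]
            tokens.append(ANY if pair == "??" else int(pair, 16))
    return tokens


def _match_at(buf: bytes, pos: int, tokens: List[Token], ti: int) -> bool:
    """True if tokens[ti:] match buf starting at pos; '%N' tries every gap 0..N."""
    if ti == len(tokens):
        return True
    tok = tokens[ti]
    if isinstance(tok, tuple):
        return any(_match_at(buf, pos + gap, tokens, ti + 1)
                   for gap in range(tok[1] + 1))
    if pos >= len(buf) or (tok != ANY and buf[pos] != tok):
        return False
    return _match_at(buf, pos + 1, tokens, ti + 1)


def find_signature(buf: bytes, sig: str) -> Optional[int]:
    """Offset of the first match of sig in buf, or None."""
    tokens = parse_signature(sig)
    return next((s for s in range(len(buf)) if _match_at(buf, s, tokens, 0)), None)


# Constructed sample: a "CALL next; POP BP; SUB BP,..." delta-offset prologue
# followed, after a short gap, by an INT 21h call.
SAMPLE = (b"\x90" * 3 + bytes.fromhex("E800005D81ED0301")
          + b"\x01\x02\x03" + bytes.fromhex("B44ECD21") + b"\x00" * 4)
SIG = "E800 005D 81ED ???? %4 B44E CD21"
```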

- Try to pick a string which handles all variants of a virus…
- Ideally, can detect variants we don't know about
- (but of course, the bad guys have scanners too…)

- Store the relative offset of the string
- Helps with identification
- Can also "bookmark" the location in a sector

- Most viruses only really modify the start/end of a host
- So, you can speed up a string scanner by only scanning the "top and tail" of the file
- Problem is…

- Use the COM entry/jmp point to work out where to scan
- Use offsets in the EXE header
- Use "fixed point" scanning (take an entry point of M, and scan at M+X for a string…)
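As an added example (not from the slides), fixed-point scanning for DOS images: the entry point M is taken from a leading COM JMP or from the MZ header's CS:IP, and a signature is checked only at M+X. The sample COM and EXE images and the marker bytes are constructed.

```python
# Added example: locate the entry point of a DOS COM or MZ EXE image and
# test for a signature at a fixed distance X from it (M + X).
# Layouts assumed: COM execution starts at its first byte; MZ entry offset is
# e_cparhdr*16 + e_cs*16 + e_ip (header fields at 0x08, 0x16 and 0x14).
import struct
from typing import Optional


def entry_point_offset(data: bytes) -> int:
    """File offset of the first instruction that will execute."""
    if data[:2] in (b"MZ", b"ZM"):
        (e_cparhdr,) = struct.unpack_from("<H", data, 0x08)
        e_ip, e_cs = struct.unpack_from("<HH", data, 0x14)
        return e_cparhdr * 16 + e_cs * 16 + e_ip
    # COM: an appending virus usually patches in a JMP to its body, so follow it.
    if data[:1] == b"\xe9":                      # JMP rel16
        (rel,) = struct.unpack_from("<h", data, 1)
        return 3 + rel
    if data[:1] == b"\xeb":                      # JMP rel8
        (rel,) = struct.unpack_from("<b", data, 1)
        return 2 + rel
    return 0


def fixed_point_match(data: bytes, signature: bytes, x: int) -> Optional[int]:
    """Return M + X if the signature sits exactly there, else None (no full scan)."""
    pos = entry_point_offset(data) + x
    if pos < 0 or pos + len(signature) > len(data):
        return None
    return pos if data[pos:pos + len(signature)] == signature else None


SIG = bytes.fromhex("B44ECD21")      # constructed marker bytes

# Constructed COM: JMP +0x10 over 16 host bytes, a 4-byte "prologue", then SIG.
COM = b"\xe9\x10\x00" + b"\xcc" * 16 + b"\x5d\x81\xed\x03" + SIG + b"\xc3"

# Constructed MZ: 64-byte header (e_cparhdr = 4) whose CS:IP is 0000:0010.
_hdr = bytearray(64)
_hdr[:2] = b"MZ"
struct.pack_into("<H", _hdr, 0x08, 4)
struct.pack_into("<HH", _hdr, 0x14, 0x10, 0)
EXE = bytes(_hdr) + b"\xcc" * 16 + b"\x5d\x81\xed\x03" + SIG + b"\xc3"
```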

- Don't have to use DOS to access the disk
- Can use the BIOS and skip past the DOS niceties
- Also bypasses stealth on Int 21h

- Smart scanning (ignore NOPs in a signature)
- Leads to the idea of skeleton detection (get rid of whitespace/dead space)

- How?

- Not a very good name
- Means "virus-specific detection algorithm"
- Hard-coded detection methods released with the scan engine
- Led to a "virus scanning language"
- Ultimately, Java-like (!) p-code

- As algorithmic scanning is expensive, it needs a good pre-filter
- Rule: be fast on clean files!
- "Quick and dirty" rule-out: number of 0's at the file end; look for the types on certain segments; check file characteristics
- Why? Zmist requires 2 million p-code-based iterations!

- Most viruses have very simple encryption – say, a constant XOR
- Can "decrypt" the top and tail of files for all possible keys and use a simple signature on the remainder…
- Gives access to the unencrypted virus, allowing for repair
- Side benefit… detects "broken" decryption loops
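As an added example (not from the slides), this X-RAY style scan tries every one-byte XOR key over the head and tail of a file, looks for a plain signature in the result, and uses the recovered key to decrypt the body. The window size, host bytes and viral body are constructed for the demo.

```python
# Added example: X-RAY scanning for a constant one-byte XOR key. The head and
# tail of the file are "decrypted" under every key and a plain signature is
# searched in the result; a hit yields the key, so the body can be decrypted
# for repair. Window size and all sample bytes are constructed.
from typing import Dict, Optional

WINDOW = 512


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def xray_scan(data: bytes, signature: bytes,
              window: int = WINDOW) -> Optional[Dict[str, int]]:
    """Try every key over the top and tail; report region, key and file offset."""
    regions = {"head": (0, data[:window]),
               "tail": (max(len(data) - window, 0), data[-window:])}
    for name, (base, region) in regions.items():
        for key in range(256):
            idx = xor_bytes(region, key).find(signature)
            if idx != -1:
                return {"region": name, "key": key, "offset": base + idx}
    return None


def recover_body(data: bytes, hit: Dict[str, int], length: int) -> bytes:
    """Decrypt `length` bytes from the match offset with the recovered key."""
    start = hit["offset"]
    return xor_bytes(data[start:start + length], hit["key"])


# Constructed sample: a 64-byte host, then a viral body XORed with key 0x5A.
SIG = bytes.fromhex("B44ECD21")
PLAIN_BODY = SIG + b"VIRUSBODY" + b"\xc3"
HOST = b"\xcc" * 64
INFECTED = HOST + xor_bytes(PLAIN_BODY, 0x5A)
```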

- Implement an emulator for instructions!
- Code optimization?

- Hard!
- Geometric detection
- Focus on "interesting" instructions
- Negative and positive features
- Emulator-based heuristics
- Long list of Win32 heuristics
- Neural networks…

- Some revision and recap time to prepare for our midterm!