Published by Nicholas Stevens. Modified over 8 years ago.
Cosc 4765: Antivirus Approaches
In a Perfect World
The best solution to viruses and worms is to prevent them from infecting the system.
– Generally considered impossible to achieve, but we can prevent a large number of them.
Next Best Thing
If we can't prevent all of them:
– Detection: determine whether an infection has occurred.
– Identification: once detected, identify the virus that has infected a system or program.
– Removal: be able to remove all traces of the infection and restore the program or system to its original state.
  – Non-trivial; think about MyDoom and others.
4 Generations of AV
First generation: simple scanners
– Required a virus signature to identify a virus.
– Limited to detecting a set of known viruses.
– Another variant of 1st-generation scanners kept a record of the length of programs and scanned for changes.
  – Lots of problems with this method as well.
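As an added example (not from the slides), the two first-generation methods side by side in Python: a literal signature scan over constructed, made-up signatures, and the record-the-length check beside a hash-based integrity baseline. It shows one of the problems with the length method: an in-place modification that keeps the file the same size is missed by the length check but caught by the hash, while a variant with no known signature is missed by the signature scan entirely.

```python
import hashlib

# Constructed signatures: literal byte patterns a first-generation scanner
# matches. They are made up for this example, not real malware signatures.
SIGNATURES = {
    "demo.virus.a": b"\x90\x90DEMO-A-INFECT",
    "demo.virus.b": b"DEMO-B\xcc\xcc\xcc",
}

def signature_scan(data: bytes) -> list:
    """Return the names of all known signatures found in the program bytes."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def length_baseline(programs: dict) -> dict:
    """The early 'record the length' approach: remember each program's size."""
    return {name: len(body) for name, body in programs.items()}

def hash_baseline(programs: dict) -> dict:
    """Stronger integrity check: remember a SHA-256 digest of each program."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in programs.items()}

def changed_programs(baseline: dict, programs: dict, measure) -> list:
    """Report programs whose current measurement differs from the baseline."""
    return sorted(name for name, body in programs.items()
                  if baseline.get(name) != measure(body))

def demo() -> dict:
    # Constructed "clean" programs, as they looked when the baseline was taken.
    clean = {"editor.exe": b"CLEAN-EDITOR" + b"\x00" * 20,
             "calc.exe": b"CLEAN-CALC" + b"\x00" * 20}
    # Later state: editor.exe has a known virus appended (length changes);
    # calc.exe has its padding overwritten in place (length preserved) by a
    # constructed variant that the signature database does not know about.
    now = {"editor.exe": clean["editor.exe"] + SIGNATURES["demo.virus.a"],
           "calc.exe": b"CLEAN-CALC" + b"DEMO-C-UNKNOWN-VARIANT"[:20]}
    lengths, hashes = length_baseline(clean), hash_baseline(clean)
    return {
        "signature_hits": {n: signature_scan(b) for n, b in now.items()},
        "length_check": changed_programs(lengths, now, len),
        "hash_check": changed_programs(hashes, now,
                                       lambda b: hashlib.sha256(b).hexdigest()),
    }
```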
4 Generations of AV (2)
Second generation: heuristic scanners
– Doesn't rely on just signatures.
– Looked for probable virus infections: code fragments often associated with viruses.
– Look for the beginning of an encryption loop used by polymorphic viruses, then "discover" the encryption key so the virus can be identified.
4 Generations of AV (3)
Third generation: activity traps
– Memory-resident program that identifies a virus by its actions rather than its structure.
– Advantages: you don't have to develop a signature for every virus. Instead, look for a smaller set of actions that would indicate an infection attempt, and then intervene to stop it.
4 Generations of AV (4)
Fourth generation: full-featured protection
– Use several techniques in conjunction: scanning and activity traps.
– Access control capability, to limit penetration and to limit a virus's ability to infect more files.
AV becomes more advanced, but so do the viruses and worms.
Advanced Techniques
Generic Decryption (GD)
– In order for a polymorphic virus to execute, it must decrypt itself first.
– So GD provides the following to scan for the viruses:
  – CPU emulator: instructions are executed by the emulator, so the underlying system is not affected.
  – Virus signature scanner: scans the code looking for known viruses.
  – Emulation control module: controls the execution of the target code.
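As an added example (not part of the slides), a toy version of the three GD components in Python: a CPU emulator for a made-up four-instruction machine, an emulation control module in the form of a step budget, and a signature scanner run over the emulated memory rather than the bytes on disk. The sample layout, opcodes and signature are all constructed for this example; the XOR "encryption" stands in for a polymorphic virus's decryption loop, and each key produces a variant that a plain signature scan cannot match.

```python
SIGNATURE = b"DEMO-POLY-BODY"   # constructed signature of the decrypted body

# Toy instruction set for the emulator (constructed for this example):
#   01 kk     SETI kk   idx = kk
#   02 kk     XORM kk   mem[idx] ^= kk        (one step of the decryption loop)
#   03        INC       idx += 1
#   04 ee tt  JLT       if idx < ee: pc = tt  (loop back until the body is done)
#   FF        HALT
SETI, XORM, INC, JLT, HALT = 0x01, 0x02, 0x03, 0x04, 0xFF

def make_sample(key: int) -> bytes:
    """Build a constructed 'polymorphic' sample: the same decryptor stub in
    front of a body XOR-encrypted with a per-variant key."""
    body = b"junk" + SIGNATURE + b"junk"
    start, end = 9, 9 + len(body)            # body sits right after the 9-byte stub
    stub = bytes([SETI, start, XORM, key, INC, JLT, end, 2, HALT])
    return stub + bytes(b ^ key for b in body)

def emulate(sample: bytes, max_steps: int = 10_000) -> bytearray:
    """CPU emulator plus emulation control: run the sample's own code on a
    private copy of memory, bounded by a step budget, and return that memory.
    The host is never affected because only the copy is modified."""
    mem, pc, idx = bytearray(sample), 0, 0
    for _ in range(max_steps):                # emulation control: bounded run
        try:
            op = mem[pc]
            if op == SETI:
                idx, pc = mem[pc + 1], pc + 2
            elif op == XORM:
                mem[idx] ^= mem[pc + 1]
                pc += 2
            elif op == INC:
                idx, pc = idx + 1, pc + 1
            elif op == JLT:
                pc = mem[pc + 2] if idx < mem[pc + 1] else pc + 3
            else:
                break                         # HALT or unknown opcode: stop, then scan
        except IndexError:
            break                             # ran off the end of the sample's memory
    return mem

def static_scan(sample: bytes) -> bool:
    """Plain signature scan of the bytes as stored on disk."""
    return SIGNATURE in sample

def generic_decryption_scan(sample: bytes) -> bool:
    """Signature scan of memory after the emulator let the sample decrypt itself."""
    return SIGNATURE in emulate(sample)
```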
Advanced Techniques (2)
Digital Immune System, developed by IBM
– Still in the prototype stage, but these are the steps:
  1. A monitoring program uses heuristics based on behavior, suspicious changes, or family signatures to infer that a virus MAY be present.
  2. An administrative machine encrypts the sample and sends it to a central virus analysis machine (CVAM).
  3. The CVAM runs the program in a safe environment. It then produces a signature and a method to remove the virus, if it is a virus.
  4. The result is sent back to the administrative machine,
  5. which forwards it to the "infected" machine and all the others in the system.
– Updates are produced very quickly, possibly within minutes instead of hours or days.
Advanced Techniques (3)
Behavior-blocking software
– Instead of heuristics and signatures, behavior blocking integrates into the O/S and monitors programs in real time for malicious actions.
– It blocks potentially malicious changes to the system.
– So not just viruses, but possibly even spyware.
Behaviors can be:
– Attempts to open, view, delete, and/or modify files
– Formatting disks or other unrecoverable disk operations
– Modifications to files and scripts, system settings and startup settings
– Scripts in e-mail and IM that send executable content
– Initiation of network communications
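Serving both the activity-trap slide above and this one, an added Python example (not from the slides or from any product): a decision function that is consulted for each intercepted action before it takes effect and blocks the behaviors listed here. It keeps per-program state, so a program whose earlier action was blocked is treated as suspect when it later tries to initiate network communication, and a trusted updater is allowed to touch system locations. Action names, paths and the event stream are constructed.

```python
from dataclasses import dataclass, field

# The blockable behaviors listed above, mapped to this example's action names.
PROTECTED = ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
             "C:\\Windows\\System32\\")

@dataclass
class Event:
    program: str
    action: str                  # modify, format_disk, net_connect, send_message
    target: str = ""
    executable_attached: bool = False

@dataclass
class BehaviorBlocker:
    trusted: set = field(default_factory=set)   # e.g. the OS's own update service
    suspects: set = field(default_factory=set)  # programs with a blocked attempt

    def decide(self, ev: Event) -> str:
        """Return 'allow' or 'block: <reason>' before the action takes effect."""
        if ev.program in self.trusted:
            return "allow"
        reason = None
        if ev.action == "format_disk":
            reason = "unrecoverable disk operation"
        elif ev.action == "modify" and ev.target.startswith(PROTECTED):
            reason = "modification of system or startup settings"
        elif ev.action == "send_message" and ev.executable_attached:
            reason = "executable content sent over e-mail/IM"
        elif ev.action == "net_connect" and ev.program in self.suspects:
            reason = "network initiation by a program with earlier blocked actions"
        if reason is None:
            return "allow"
        self.suspects.add(ev.program)   # remember the program, not just the action
        return "block: " + reason

def run_monitor(events, trusted=()) -> list:
    blocker = BehaviorBlocker(trusted=set(trusted))
    return [blocker.decide(ev) for ev in events]   # one decision per action, in order

# Constructed stream: an editor, a trusted updater, and a worm-like dropper.
SAMPLE_EVENTS = [
    Event("notepad.exe", "modify", "C:\\Users\\bob\\notes.txt"),
    Event("update.exe", "modify", "C:\\Windows\\System32\\newdll.dll"),
    Event("greeting.exe", "modify", PROTECTED[0] + "\\greet"),
    Event("greeting.exe", "net_connect", "irc.example.net:6667"),
    Event("greeting.exe", "send_message", "alice@example.com", executable_attached=True),
    Event("greeting.exe", "format_disk", "D:"),
]
```

Run with `run_monitor(SAMPLE_EVENTS, trusted={"update.exe"})`; the editor's write and the updater's system write are allowed, and the dropper's four actions are all blocked, the network connection only because of its earlier blocked attempt.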
Final Word
The idea is to get away from having just signature-based detection.
– There are literally trillions of different ways to obfuscate and rearrange the code of a virus or worm.
– New security vulnerabilities.
We need software that can react very fast to new viruses or worms.
– Human intervention is just too slow; we can only clean up the mess created, rarely prevent it.
New Types of Virus/Worm/Malware
In 2007 there were around 200,000 virus variants.
AV is on average about 2 months behind in tracking malware, and may only find 30% of it.
– Malware is what most viruses are now installing on computers.
Viruses/worms are now coming in low-volume, high-variant waves.
– By the time AV releases a signature, a new variant has already been launched.
Storm Virus
A server-side polymorphic virus that contained a large number of distinct, short-lived variants.
– Each variant required a new signature.
– It's estimated there were 40,000 distinct variants.
– Each had a short time to infect as many computers as possible before it was replaced.
Two others were Stration/Warezov and the Happy New Year virus.
And Malware
Compromised websites have been found using the same techniques:
– Self-mutating trojan programs. For every download, the program mutates, giving each computer a different version of the same program.
– Each version contained different random junk code.
– This makes them hard to detect and may require a different signature for each version!
And Malware (2)
Swizzor, a trojan downloader program
– Discovered in 2006
– Used a "packer" tool to encrypt the code
– Repacked itself once per minute
– Recompiled itself once every hour
– Able to get around virus defenses
Split/Parasite/Co-dependent Malware
The malware is split up into several parts. Each part keeps track of the other parts; if one is deleted/removed, the other parts can regenerate the missing piece.
The system is very difficult to clean, because the parts regenerate while being cleaned.
– The only good way to "clean" a system is to not boot the primary O/S. Instead, use a live CD with cleaning software.
References
– Numerous web pages
– Digital Immune System, IBM [KEPH97a, KEPH97b]
– RSA: New threats could make traditional antivirus tools ineffective
– Network Security Essentials, Stallings, Prentice Hall, 2002
Q & A