Presentation is loading. Please wait.

Presentation is loading. Please wait.

Techniques, Tools, and Research Issues

Published byLizbeth King Modified over 6 years ago

Similar presentations

Presentation on theme: "Techniques, Tools, and Research Issues"— Presentation transcript:

1 Techniques, Tools, and Research Issues
Virus Analysis Techniques, Tools, and Research Issues Part I: Introduction Michael Venable Arun Lakhotia University of Louisiana at Lafayette, USA

2 Introduction to Malware
Common Forms of Malware Detection Techniques Anti-Detection Techniques

3 Common Forms of Malware
Virus Needs a vector for propagation Worm No vector needed Can spread by: network shares, , security holes Trojan horse Performs unstated and undesirable function Spyware, adware, logic bomb, backdoors, rootkits

4 Detection Technologies
Integrity Checking Static Anti-Virus (AV) Scanners Signature-based Strings Regular expressions Static behavior analyzer Dynamic AV Scanners Behavior Monitors

5 AV Detection Process ANALYSIS LAB Sample Malicious: yes/no
Removal Instructions DESKTOP Clean File Disinfector Signature Infected File File/Message Malicious: yes/no Scanner

6 Integrity Checking Compute cryptographic checksums of files
Periodically compare checksum with current checksum If mismatch, file has been modified

7 AV Scanners: Static Analysis
Analyze behavior of program without execution Detects Properties true for all executions of a program Examples Approximation of values Analyze patterns of system calls

8 AV Scanners: Signature-based
Extract byte sequences from malware Search for byte sequence within files If found, file is infected Byte sequences may contain wildcards

9 Signature-Based Scanning
Hex strings from virus variants D D D Hex string for detecting virus 67 ?? ?? 6D ?? ?? 61 ?? = wildcard

10 AV Scanners: Dynamic Analysis
Monitor a running program to detect malicious behavior Examples Intercepting system calls Analyzing audit trails Looking at patterns of system calls Allows examination of only selected testcases

11 Anti-Detection Techniques
Attacking Integrity Checkers Attacking Signature-Based Scanners Polymorphism Metamorphism Attacking Static Behavior Analyzer Obfuscating Calls Attacking Behavior Monitors Non-Deterministic behavior Change behavior when being monitored

12 Attacking Integrity Checkers
Intercept open() system call Open a non-infected backup of the file instead Restore system to original state after attack Infect system before checksums are computed

13 Attacking Signature Scanners: Polymorphism
Virus body is encrypted Decryptor is propagated with virus Use different encryption keys Morph decryptor code Swap registers Insert garbage instructions Replace instruction with equivalents Reorder subroutines

14 Polymorphism Detecting polymorphic viruses Challenges
Run suspect program in an emulator Wait until it decrypts Decrypted code will be identical for various copies Use signature scanning on decrypted virus body Challenges Determining when decryption is complete Decryptor can determine whether its running in an emulator

15 Polymorphic Virus W32.Bugbear.B Released in June 2003
Encrypted body with polymorphic decryptor Spreads via & shared network drives Disarms popular anti-virus and firewall applications Installs key-logger Installs backdoor for remote access

16 Attacking Signature Scanners: Metamorphism
Does not have a decryptor Morph code of the entire virus body No constant body signature scanning will not work

17 Metamorphism Detecting metamorphic viruses
Run suspect program in an emulator Analyze behavior while running Look for changes in file structure Some viruses modify files in a consistent way Disassemble and look for virus-like instructions

18 Metamorphic Virus Win32.Evol
The Win32.Evol virus appeared in early July, 2000 Polymorphic operations: Swaps instructions with equivalents Inserts junk code between essential instructions

19 Metamorphic Virus [Szor, 2001]
An early generation c7060F mov dword ptr [esi], Fh c746048BBC5151 mov dword ptr [esi+0004], 5151BCBBh A later generation BF0F mov edi, Fh 893E mov [esi], edi 5F pop edi 52 push edx B640 mov dh, 40 BA8BEC5151 mov edx, 5151EC8Bh 53 push ebx 8BDA mov ebx, ebx 895E04 mov [esi+0004], ebx

20 Attacking Behavior Monitors
Bypass higher-level system calls AKA tunneling Act benign if running in emulator

21 Summary Types of malware AV Technologies AV Process
Virus, worms, Trojans, adware, spyware, etc. AV Technologies Integrity checkers AV Scanners – Static Dynamic AV Process Analyze and extract signatures in lab Distribute signatures to desktops Analyze files/messages on desktops All AV technologies can be attacked

Download ppt "Techniques, Tools, and Research Issues"

Similar presentations

Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.

Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
Chapter 3 (Part 1) Network Security

Chapter 3 (Part 1) Network Security
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
1 Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004.

1 Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004.
Beyond Anti-Virus by Dan Keller 1987- Fred Cohen- Computer Scientist “there is no algorithm that can perfectly detect all possible computer viruses”

Beyond Anti-Virus by Dan Keller Fred Cohen- Computer Scientist “there is no algorithm that can perfectly detect all possible computer viruses”
Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.

Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2011.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 7 – Malicious Software.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 7 – Malicious Software.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Malware  Viruses  E-mail Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.

Malware  Viruses  Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.
CIS3360: Security in Computing Chapter 4.2 : Viruses Cliff Zou Spring 2012.

CIS3360: Security in Computing Chapter 4.2 : Viruses Cliff Zou Spring 2012.
Network Security Introduction Some of these slides have been modified from slides of Michael I. Shamos COPYRIGHT © 2003 MICHAEL I. SHAMOS.

Network Security Introduction Some of these slides have been modified from slides of Michael I. Shamos COPYRIGHT © 2003 MICHAEL I. SHAMOS.
Spyware and Viruses Group 6 Magen Price, Candice Fitzgerald, & Brittnee Breze.

Spyware and Viruses Group 6 Magen Price, Candice Fitzgerald, & Brittnee Breze.
 a crime committed on a computer network, esp. the Internet.

 a crime committed on a computer network, esp. the Internet.
Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.

Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.
HUNTING FOR METAMORPHIC HUNTING FOR METAMORPHIC Péter Ször and Peter Ferrie Symantec Corporation VIRUS BULLETIN CONFERENCE ©2001 Presented by Stephen Karg.

HUNTING FOR METAMORPHIC HUNTING FOR METAMORPHIC Péter Ször and Peter Ferrie Symantec Corporation VIRUS BULLETIN CONFERENCE ©2001 Presented by Stephen Karg.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

Similar presentations

Ads by Google