Antivirus Software - PowerPoint PPT Presentation

About This Presentation
Title:

Antivirus Software

Description:

However, this module is not called by a finder module. ... Typically the worm will arrive as email, where the message body or attachment ... – PowerPoint PPT presentation

Number of Views:6111
Avg rating:3.0/5.0
Slides: 56
Provided by: amm4
Category:

less

Transcript and Presenter's Notes

Title: Antivirus Software


1
Antivirus Software
  • By Eng. Ammar J.Mahmood
  • Supervised by Dr. Loai Tawalbeh
  • New York Institute of Technology (NYIT)-Jordans
    campus

2
Introduction
  • Antivirus software consists of computer programs
    that attempt to identify, thwart and eliminate
    computer viruses and other malicious software
    (malware).
  • Malware or Malicious Software is software
    designed to infiltrate or damage a computer
    system without the owner's informed consent.
  • Types of malware include spyware, adware, Trojan
    horses, Worms, and viruses.

3
Malware
  • Know your enemy

4
The Virus
  • A computer virus is a self-replicating computer
    program written to alter the way a computer
    operates, without the permission or knowledge of
    the user
  • Why people create computer viruses?
  • Some virus writers consider their creations to be
    works of art, and see virus writing as a creative
    hobby
  • Viruses have been written as research projects,
    pranks, vandalism, to attack the products of
    specific companies

5
The Virus
  • Why people create computer viruses?
  • Some viruses were intended as "good viruses".
    They spread improvements to the programs they
    infect, or delete other viruses. These viruses
    are, however, quite rare, still consume system
    resources, may accidentally damage systems they
    infect.

6
The Virus
  • Viruses can be subdivided into a number of types,
    the main ones being
  • Boot sector viruses
  • alters or hides in the boot sector, usually the
    1st sector, of a bootable disk or hard drive.
  • contains code for bootstrapping programs (usually
    activates, but not necessarily, operating
    systems)
  • Boot sector infector viruses replace the
    bootstrap code in the boot sectors (of floppy
    disks, hard disks, or both) with viral code.
  • the BIOS on IBM PC compatible machines is
    ignorant of whether a disk has in fact been
    high-level formatted and had an operating system
    installed in it
  • This results in a security vulnerability. A user
    who sees the error message may not be aware that
    the code in the boot sector of the disk has
    already been run by that point, and that if the
    disk was infected by a boot-sector computer virus

7
The Virus
  • Companion viruses creates new files (typically
    .COM but can also use other extensions such as
    ".EXD") that have the same file names as
    legitimate .EXE files. When a user types in the
    name of a desired program, if a user does not
    type in ".EXE" but instead does not specify a
    file extension, DOS will assume he meant the file
    with the extension that comes first in
    alphabetical order and run the virus.
  • Email viruses is a virus which uses e-mail
    messages as a mode of transport. These viruses
    often copy themselves by automatically mailing
    copies to hundreds of people in the victim's
    address book.

8
The Virus
  • Logic bombs and time bombs employs code that
    lies inert until specific conditions
    (e.g.infected a certain number of hosts ) are
    met. The resolution of the conditions will
    trigger a certain function (such as printing a
    message to the user and/or deleting files).
  • Macro viruses often written in the scripting
    languages for Microsoft programs such as Word and
    Excel, is spread in Microsoft Office by infecting
    documents and spreadsheets.
  • Cross-site scripting virus is a type of virus
    that utilizes cross-site scripting
    vulnerabilities to replicate.

9
The Virus
  • Methods to avoid detection
  • Avoiding bait files and other undesirable hosts
    A virus needs to infect hosts in order to spread
    further. In some cases, it might be a bad idea to
    infect a host program. For example, many
    anti-virus programs perform an integrity check of
    their own code. Infecting such programs will
    therefore increase the likelihood that the virus
    is detected.
  • Bait files (or goat files) are files that are
    specially created by anti-virus software
  • Anti-virus professionals can use bait files to
    take a sample of a virus
  • Anti-virus professionals can use bait files to
    study the behavior of a virus and evaluate
    detection methods.
  • Some anti-virus software employs bait files that
    are accessed regularly. When these files are
    modified, the anti-virus software warns the user
    that a virus is probably active on the system.

10
The Virus
  • Stealth\Rootkit
  • A virus can hide itself by intercepting the
    anti-virus softwares request to read the file
    and passing the request to the virus, instead of
    the OS.
  • The virus can then return an uninfected version
    of the file to the anti-virus software, so that
    it seems that the file is "clean.
  • Modern anti-virus software employs various
    techniques to counter stealth mechanisms of
    viruses.

11
The Virus
  • A rootkit is a set of software tools intended to
    conceal running processes, files or system data
    from the operating system
  • Rootkit types
  • Virtualised These rootkits work by modifying the
    boot sequence of the machine to load themselves
    instead of the original operating system. Once
    loaded into memory a virtualised rootkit then
    loads the original operating system as a Virtual
    Machine thereby enabling the rootkit to intercept
    all hardware calls made by the guest OS
  • Kernel levelKernel level rootkits add additional
    code and/or replace a portion of kernel code with
    modified code to help hide a backdoor on a
    computer system

12
The Virus
  • Rootkit types
  • Library level commonly patch, hook, or replace
    system calls with versions that hide information
    about the attacker.
  • Application level rootkits may replace regular
    application binaries with trojanized fakes, or
    they may modify the behavior of existing
    applications using hooks, patches, injected code,
    or other means.
  • The only completely reliable method to avoid
    stealth is to boot from a medium that is known to
    be clean.
  • Done byshut down the computer suspected of
    infection and check its storage by booting from
    an alternative media (e.g. rescue CD-ROM or USB
    flash drive). A non-running rootkit cannot hide
    its presence and most established antivirus
    programs will identify rootkits armed via
    standard OS calls

13
The Virus
  • Self-modification
  • Some viruses employ techniques that make
    detection by means of signatures difficult or
    impossible.
  • These viruses modify their code on each
    infection. That is, each infected file contains a
    different variant of the virus.
  • Simple self-modifications some viruses modified
    themselves only in simple ways. For example, they
    regularly exchanged subroutines in their code for
    others that would perform the same action - for
    example, 22 could be swapped for 13. This poses
    no problems to a somewhat advanced virus scanner.

14
The Virus
  • Encryption with a variable key
  • A more advanced method is the use of simple
    encryption to encipher the virus.
  • the virus consists of a small decrypting module
    and an encrypted copy of the virus code
  • the virus is encrypted with a different key for
    each infected file, the only part of the virus
    that remains constant is the decrypting module.
  • a virus scanner cannot directly detect the virus
    using signatures, but it can still detect the
    decrypting module, which still makes indirect
    detection of the virus possible.

15
The Virus
  • Polymorphic code
  • Polymorphic code was the first technique that
    posed a serious threat to virus scanners.
  • Same as encrypted viruses except that decryption
    module is also modified on each infection.
  • To enable polymorphic code, the virus has to have
    a polymorphic engine (also called mutating engine
    or mutation engine) somewhere in its encrypted
    body
  • Anti-virus software can detect it by decrypting
    the viruses using an emulator, or by statistical
    pattern analysis of the encrypted virus body.

16
The Virus
  • Metamorphic code
  • To avoid being detected by emulation, some
    viruses rewrite themselves completely each time
    they are to infect new executables.
  • it does this by translating its own code into a
    temporary representation, and then back to normal
    code again
  • Metamorphic code is more effective than
    polymorphic code. This is because most anti-virus
    software will try to search for known virus-code
    even during the execution of the code
  • A metamorphic virus is usually very large and
    complex. For example, W32/Simile consisted of
    over 14000 lines of Assembly language code, 90
    of it part of the metamorphic engine.

17
The Virus
  • Replication strategies
  • In order to replicate itself, a virus must be
    permitted to execute code and write to memory.
    For this reason, many viruses attach themselves
    to executable files that may be part of
    legitimate programs
  • Viruses can be divided into two types, on the
    basis of their behavior when they are executed

18
The Virus
  • Nonresident viruses
  • immediately search for other hosts that can be
    infected, infect these targets, and finally
    transfer control to the application program they
    infected
  • Nonresident viruses can be thought of as
    consisting of a finder module and a replication
    module
  • The finder module is responsible for finding new
    files to infect. For each new executable file the
    finder module encounters, it calls the
    replication module to infect that file.

19
The Virus
  • Resident viruses
  • Resident viruses do not search for hosts when
    they are started. Instead, a resident virus loads
    itself into memory on execution and transfers
    control to the host program.
  • The virus stays active in the background and
    infects new hosts when those files are accessed
    by other programs or the operating system itself.
  • Resident viruses contain a replication module
    that is similar to the one that is employed by
    nonresident viruses. However, this module is not
    called by a finder module. Instead, the virus
    loads the replication module into memory when it
    is executed and ensures that this module is
    executed each time the operating system is called
    to perform a certain operation

20
The Virus
  • Resident viruses are sometimes subdivided into a
    category
  • Fast infectors are designed to infect as many
    files as possible. It can infect every potential
    host file that is accessed.
  • This poses a special problem to anti-virus
    software, since a virus scanner will access every
    potential host file on a computer when it
    performs a system-wide scan. If the virus scanner
    fails to notice that such a virus is present in
    memory, the virus can "piggy-back" on the virus
    scanner and in this way infect all files that are
    scanned.
  • The disadvantage of this method is that infecting
    many files may make detection more likely,
    because the virus may slow down a computer or
    perform many suspicious actions that can be
    noticed by anti-virus software.

21
The Virus
  • 2nd category Slow infectors
  • are designed to infect hosts infrequently. For
    instance, some slow infectors only infect files
    when they are copied.
  • Slow infectors are designed to avoid detection by
    limiting their actions they are less likely to
    slow down a computer noticeably, and will at most
    infrequently trigger anti-virus software that
    detects suspicious behavior by programs.
  • The slow infector approach does not seem very
    successful however.

22
The Virus
  • Host types
  • Binary executable files (such as COM files and
    EXE files in MS-DOS, Portable Executable files in
    Microsoft Windows, and ELF files in Linux)
  • Volume Boot Records of floppy disks and hard disk
    partitions
  • The master boot record (MBR) of a hard disk
  • General-purpose script files (such as batch files
    in MS-DOS and Microsoft Windows, VBScript files,
    and shell script files on Unix-like platforms).
  • Application-specific script files (such as
    Telix-scripts)
  • Documents that can contain macros (such as
    Microsoft Word documents, Microsoft Excel
    spreadsheets, AmiPro documents, and Microsoft
    Access database files)

23
The Worm
  • A computer worm is a self-replicating computer
    program. It uses a network to send copies of
    itself to other nodes (computer terminals on the
    network) and it may do so without any user
    intervention.
  • Unlike a virus, it does not need to attach itself
    to an existing program.
  • Worms always harm the network (if only by
    consuming bandwidth), whereas viruses always
    infect or corrupt files on a targeted computer.

24
The Worm
  • Types of computer worms
  • Email Worms Spread via email messages. Typically
    the worm will arrive as email, where the message
    body or attachment contains the worm code, but it
    may also link to code on an external website.
  • Instant messaging worms The spreading used is via
    instant messaging applications by sending links
    to infected websites to everyone on the local
    contact list
  • IRC worms Chat channels are the main target and
    the same infection/spreading method is used as
    above

25
The Worm
  • Types of computer worms
  • File-sharing networks worms Copies itself into a
    shared folder, most likely located on the local
    machine. The worm will place a copy of itself in
    a shared folder under a harmless name. Now the
    worm is ready for download via the P2P network
    and spreading of the infected file will continue.
  • Internet worms
  • Those which target low level TCP/IP ports
    directly, rather than going via higher level
    protocols such as email or IRC.
  • A classic example is "Blaster" which exploited a
    vulnerability in Microsoft's Remote procedure
    call (RPC). An infected machine aggressively
    scans random computers on both its local network
    and the public Internet attempting an exploit
    against port 135 which, if successful, spreads
    the worm to that machine.

26
The Worm
  • Payloads
  • Many worms have been created which are only
    designed to spread, and don't attempt to alter
    the systems they pass through.
  • A "payload" is code designed to do more than
    spread the worm - it might delete files on a host
    system (e.g. the ExploreZip worm), encrypt files
    in a cryptoviral extortion attack, or send
    documents via e-mail.
  • A very common payload for worms is to install a
    backdoor in the infected computer to allow the
    creation of a "zombie" under control of the worm
    author

27
Antivirus SW
28
Antivirus
  • Antivirus software typically uses two different
    techniques to accomplish his mission
  • Examining (scanning) files to look for known
    viruses matching definitions in a virus
    dictionary
  • Identifying suspicious behavior from any computer
    program which might indicate infection. Such
    analysis may include data captures, port
    monitoring and other methods.

29
Antivirus modes
  • Anti-virus programs have two basic modes
  • static file scanning useful for when you have
    to scan a file or a volume to check to see if any
    of the files are currently infected with malware
  • real-time dynamic scanning is really what is
    needed to prevent the computer from getting
    infected in the first place. In this mode, all
    files that the operating system opens or uses are
    scanned first before they are fully opened.

30
Approaches
  • Dictionary
  • A signature is a characteristic byte-pattern that
    is part of a certain virus or family of viruses
  • In the virus dictionary approach, when the
    antivirus software examines a file, it refers to
    a dictionary of known viruses that the authors of
    the antivirus software have identified. If a
    piece of code in the file matches any virus
    identified in the dictionary, then the antivirus
    software can take one of the following actions
  • attempt to repair the file by removing the virus
    itself from the file
  • quarantine the file (such that the file remains
    inaccessible to other programs and its virus can
    no longer spread)
  • delete the infected file

31
Approaches
  • Dictionary
  • the virus dictionary approach requires periodic
    (generally online) downloads of updated virus
    dictionary entries.
  • users identify new viruses "in the wild", they
    can send their infected files to the authors of
    antivirus software, who then include information
    about the new viruses in their dictionaries.
  • Dictionary-based antivirus software typically
    examines files when the computer's operating
    system creates, opens, closes or e-mails them. In
    this way it can detect a known virus immediately
    upon receipt

32
Approaches
  • Dictionary
  • System Administrator can typically schedule the
    antivirus software to examine (scan) all files on
    the user's hard disk on a regular basis.
  • Although the dictionary approach can effectively
    contain virus outbreaks in the right
    circumstances.

33
Approaches
  • Dictionary
  • Viruss Technology to avoid the Dictionary
    Approach is
  • Metamorphic code
  • Polymorphic code
  • Oligomorphic engine is generally used by a
    computer virus to generate a decryptor for itself
    in a way comparable to a simple polymorphic
    engine

34
Approaches
  • Dictionary
  • Previous technology weakness are
  • Polymorphism
  • A small portion of it is left unencrypted and
    used to jumpstart the encrypted software.
    Anti-virus software targets this small
    unencrypted portion of code.
  • Anti-virus software can detect it by decrypting
    the viruses using an emulator, or by statistical
    pattern analysis of the encrypted virus body.
  • most oligomorphic viruses aren't able to generate
    more than just a few hundred different
    decryptors, so detecting them with simple
    signatures is still possible

35
Approaches
  • Suspicious behavior
  • The suspicious behavior approach doesn't attempt
    to identify known viruses, but instead monitors
    the behavior of all programs.
  • If one program tries to write data to an
    executable program, for example, the antivirus
    software can flag this suspicious behavior, alert
    a user and ask what to do.

36
Approaches
  • Suspicious behavior
  • the suspicious behavior approach therefore
    provides protection against brand-new viruses
    that do not yet exist in any virus dictionaries.
  • However, it can also sound a large number of
    false positives, and users probably become
    desensitized to all the warnings.
  • If the user clicks "Accept" on every such
    warning, then the antivirus software obviously
    gives no benefit to that user

37
Approaches
  • Suspicious behavior weakness
  • The fact the many legal SW behave like malicious
    SW make the job of antivirus harder
  • ExThere are commercial software that have many
    features as dynamic code encryption/decryption,
    code replace, metamorphic engine, API export,
    anti debug/dump/trace and more. They are used to
    protect software programs from illegal
    use(cracking and reverse engineering)

38
Approaches
  • Heuristic analysis
  • try to emulate the beginning of the code of each
    new executable that the system invokes before
    transferring control to that executable.
  • If the program seems to use self-modifying code
    or otherwise appears as a virus (if it
    immediately tries to find other executables, for
    example), one could assume that a virus has
    infected the executable.
  • Heuristic scanners have a higher rate of false
    positives than do signature scanners but they
    have the significant advantage of being able to
    detect unknown viruses.

39
Approaches
  • Sandbox
  • sandbox is a security mechanism for safely
    running programs. It is often used to execute
    untested code, or programs from unverified
    third-parties, suppliers and untrusted users.
  • emulates the operating system and runs the
    executable in this simulation. After the program
    has terminated, software analyzes the sandbox for
    any changes which might indicate a virus.
  • Because of performance issues, this type of
    detection normally only takes place during
    on-demand scans

40
Approaches
  • Sandbox
  • Also this method may fail as virus can be
    nondeterministic and result in different actions
    or no actions at all done then run - so it will
    be impossible to detect it from one run.
  • The sandbox typically provides a
    tightly-controlled set of resources for guest
    programs to run in

41
Weaknesses of antivirus SW
  • Many security professionals agree that the
    current approach to defend against malicious
    software with antivirus is not good enough, but
    it is best solution that we have right now.
  • Here is the brief summary of the main
    shortcomings in the antivirus software

42
Weaknesses of antivirus SW
  • 1. Reactive approach Your antivirus as good as
    your definition files. If you did not update
    them, the antivirus program will not be able to
    detect a new malware. The most critical problems
    for the antivirus software to detect malicious
    code are
  • new or modified malicious code
  • rootkit programs
  • Software Misuse
  • 2. Inability to protect themselves With
    sufficient system permissions, malware can change
    antivirus settings and configuration.

43
Weaknesses of antivirus SW
  • 3. Inability to revert the results of malware
    infection process.
  • Too often, installation process of malware
    includes copying files, changing registry and
    system configuration files, changing other
    software configuration. Some of these changes
    still present in the infected system, even after
    an antivirus program delete or disinfect malware
    files.
  • Almost for every severe virus/worm, antivirus
    vendors issues Removal Tool.
  • this is means that the antivirus vendors saying
    to their customers our antivirus isnt good
    enough to clean your system please use this
    tool

44
Retro Viruses
  • retro viruses are the viruses that attack
    security programs
  • Attack is the best defense strategy
  • The malware instead of hiding from detection by
    security SW it target these SW as its (part of)
    malicious action
  • We will discuss in the next slides some of the
    technique used by the Retro viruses

45
The Black Antivirus
  • a(white) antivirus used for the good purposes
    while Black Antivirus is the same antivirus, but
    used for the bad purposes.
  • An unexpected problem
  • virus definition database has the definitions
    for security tools used today in the computer
    security world to defend and protect computer
    systems.
  • Malware could includes antivirus engine and
    signature definition files for security tools.
  • To protect our tools we need to evade the
    Antivirus detection! Therefore, our security
    tools need to be a polymorphic or even
    metamorphic.

46
The Black Intrusion Detection System
  • Malware can use IDS system to shut down
    security systems at the network level.
  • Such malware will primary target internal
    corporate LAN and could carry itself an IDS
    engine or change the existing one with new rules
    (if possible).
  • malware carry engine itselfand use MAC and ARP
    poisoning to sniff in a switched network.
  • Any communication that passes the wire were the
    malware was able to see it, is a subject for
    this attack.
  • The solution for this problem may be the use of
    covert channels

47
Practical Examples
48
Virus Example
  • Win32/Simile
  • is a metamorphic computer virus written in
    assembly language for Microsoft Windows (most
    recent version in early March 2002)
  • It was written by the virus writer Mental Driller
  • When the virus is first executed, it checks the
    current date. If the host file (the file that is
    infected with the virus) imports the file
    User32.dll, then on the 17th of March, June,
    September, or December, a message is displayed.
  • Depending on the version of the virus the case of
    each letter in the text is altered randomly. On
    May 14, a message saying "Free Palestine!" will
    be displayed if the system locale is set to
    Hebrew.

49
Virus Example
  • The virus then rebuilds itself. This metamorphic
    process is very complex and accounts for around
    90 of the virus' code
  • After the rebuild, the virus searches for
    executable files in folders on all fixed and
    remote drives.
  • The virus contains checks to avoid infecting
    "goat" or "bait" files
  • The infection process uses the structure of the
    host, as well as random factors, to control the
    placement of the virus body and the decryptor.
  • The virus contains no destructive payload

50
SQL slammer worm
  • The SQL slammer worm is a computer worm that
    caused a denial of service on some Internet hosts
    and dramatically slowed down general Internet
    traffic
  • It spread rapidly, infecting most of its 75,000
    victims within ten minutes.
  • it exploited two buffer overflow bugs in
    Microsoft's flagship SQL Server and Desktop
    Engine database products
  • The worm is a small (376 bytes) piece of code
    that does little other than generate random IP
    addresses and send itself out to those addresses.

51
SQL slammer worm
  • If a selected address happens to belong to a host
    that is running an unpatched copy of Microsoft
    SQL Server Resolution MSDE Service, the host
    immediately becomes infected and begins spraying
    the Internet with more copies of the worm
    program.
  • The worm is so small that it does not contain
    code to write itself to disk, so it only stays in
    memory, and it is easy to remove.

52
Antivirus Example
  • one of the most popular full-featured freeware
    anti-virus applications for Microsoft Windows
    users.
  • Official website http//www.avast.com/

53
Antivirus Example
  • Features
  • Standard Shield Real-time protection
  • IM shield Instant Messenger protection
  • P2P shield P2P protection
  • Internet Mail E-mail protection
  • Outlook/Exchange Microsoft Outlook/Exchange
    protection
  • Web Shield HTTP protection (local transparent
    proxy)
  • Script blocker script checker
  • Network Shield basic protection against
    well-known network worms. Acts as a lightweight
    Intrusion Detection System
  • Audible alarms vocal warnings such as "Caution,
    a virus has been detected!"
  • boot-time scan through the program interface, a
    user can schedule a boot-time scan to remove
    viruses that load during Windows startup and
    therefore difficult to remove.

54
Resources
  • http//www.securityelf.org/files/Andrey_Bayora_sof
    tware_misuse.pdf
  • http//en.wikipedia.org/wiki/Antivirus
  • http//www.research.ibm.com/antivirus/SciPapers/Go
    rdon/Strategy.html
  • http//www.sans.org/reading_room/whitepapers/malic
    ious/68.php
  • http//en.wikipedia.org/wiki/Software_virus
  • http//www.symantec.com/security_response/writeup.
    jsp?docid2002-030617-5423-99
  • http//en.wikipedia.org/wiki/Computer_virus

55
Thank you
Write a Comment
User Comments (0)
About PowerShow.com