1 / 55

Antivirus Software

Antivirus Software. By: Eng. Ammar J.Mahmood Supervised by: Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT)-Jordan’s campus. Introduction.

jamesljohnson
Download Presentation

Antivirus Software

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Antivirus Software By: Eng. Ammar J.Mahmood Supervised by: Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT)-Jordan’s campus Eng. Ammar Mahmood

  2. Introduction • Antivirus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware). • Malware or Malicious Software is software designed to infiltrate or damage a computer system without the owner's informed consent. • Types of malware include spyware, adware, Trojan horses, Worms, and viruses. Eng. Ammar Mahmood

  3. Malware “Know your enemy” Eng. Ammar Mahmood

  4. The Virus • A computer virus is a self-replicating computer program written to alter the way a computer operates, without the permission or knowledge of the user • Why people create computer viruses? • Some virus writers consider their creations to be works of art, and see virus writing as a creative hobby • Viruses have been written as research projects, pranks, vandalism, to attack the products of specific companies Eng. Ammar Mahmood

  5. The Virus • Why people create computer viruses? • Some viruses were intended as "good viruses". They spread improvements to the programs they infect, or delete other viruses. These viruses are, however, quite rare, still consume system resources, may accidentally damage systems they infect. Eng. Ammar Mahmood

  6. The Virus • Viruses can be subdivided into a number of types, the main ones being: • Boot sector viruses: • alters or hides in the boot sector, usually the 1st sector, of a bootable disk or hard drive. • contains code for bootstrapping programs (usually activates, but not necessarily, operating systems) • Boot sector infector viruses replace the bootstrap code in the boot sectors (of floppy disks, hard disks, or both) with viral code. • the BIOS on IBM PC compatible machines is ignorant of whether a disk has in fact been high-level formatted and had an operating system installed in it • This results in a security vulnerability. A user who sees the error message may not be aware that the code in the boot sector of the disk has already been run by that point, and that if the disk was infected by a boot-sector computer virus Eng. Ammar Mahmood

  7. The Virus • Companion viruses: creates new files (typically .COM but can also use other extensions such as ".EXD") that have the same file names as legitimate .EXE files. When a user types in the name of a desired program, if a user does not type in ".EXE" but instead does not specify a file extension, DOS will assume he meant the file with the extension that comes first in alphabetical order and run the virus. • Email viruses: is a virus which uses e-mail messages as a mode of transport. These viruses often copy themselves by automatically mailing copies to hundreds of people in the victim's address book. Eng. Ammar Mahmood

  8. The Virus • Logic bombs and time bombs: employs code that lies inert until specific conditions (e.g.infected a certain number of hosts ) are met. The resolution of the conditions will trigger a certain function (such as printing a message to the user and/or deleting files). • Macro viruses: often written in the scripting languages for Microsoft programs such as Word and Excel, is spread in Microsoft Office by infecting documents and spreadsheets. • Cross-site scripting virus: is a type of virus that utilizes cross-site scripting vulnerabilities to replicate. Eng. Ammar Mahmood

  9. The Virus • Methods to avoid detection • Avoiding bait files and other undesirable hosts: A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many anti-virus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. • Bait files (or goat files) are files that are specially created by anti-virus software • Anti-virus professionals can use bait files to take a sample of a virus • Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods. • Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system. Eng. Ammar Mahmood

  10. The Virus • Stealth\Rootkit: • A virus can hide itself by intercepting the anti-virus software’s request to read the file and passing the request to the virus, instead of the OS. • The virus can then return an uninfected version of the file to the anti-virus software, so that it seems that the file is "clean“. • Modern anti-virus software employs various techniques to counter stealth mechanisms of viruses. Eng. Ammar Mahmood

  11. The Virus • A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system • Rootkit types: • Virtualised: These rootkits work by modifying the boot sequence of the machine to load themselves instead of the original operating system. Once loaded into memory a virtualised rootkit then loads the original operating system as a Virtual Machine thereby enabling the rootkit to intercept all hardware calls made by the guest OS • Kernel level:Kernel level rootkits add additional code and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system Eng. Ammar Mahmood

  12. The Virus • Rootkit types • Library level :commonly patch, hook, or replace system calls with versions that hide information about the attacker. • Application level rootkits may replace regular application binaries with trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means. • The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean. • Done byshut down the computer suspected of infection and check its storage by booting from an alternative media (e.g. rescue CD-ROM or USB flash drive). A non-running rootkit cannot hide its presence and most established antivirus programs will identify rootkits armed via standard OS calls Eng. Ammar Mahmood

  13. The Virus • Self-modification: • Some viruses employ techniques that make detection by means of signatures difficult or impossible. • These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus. • Simple self-modifications: some viruses modified themselves only in simple ways. For example, they regularly exchanged subroutines in their code for others that would perform the same action - for example, 2+2 could be swapped for 1+3. This poses no problems to a somewhat advanced virus scanner. Eng. Ammar Mahmood

  14. The Virus • Encryption with a variable key: • A more advanced method is the use of simple encryption to encipher the virus. • the virus consists of a small decrypting module and an encrypted copy of the virus code • the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module. • a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Eng. Ammar Mahmood

  15. The Virus • Polymorphic code: • Polymorphic code was the first technique that posed a serious threat to virus scanners. • Same as encrypted viruses except that decryption module is also modified on each infection. • To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body • Anti-virus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. Eng. Ammar Mahmood

  16. The Virus • Metamorphic code: • To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. • it does this by translating its own code into a temporary representation, and then back to normal code again • Metamorphic code is more effective than polymorphic code. This is because most anti-virus software will try to search for known virus-code even during the execution of the code • A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of Assembly language code, 90% of it part of the metamorphic engine. Eng. Ammar Mahmood

  17. The Virus • Replication strategies • In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs • Viruses can be divided into two types, on the basis of their behavior when they are executed Eng. Ammar Mahmood

  18. The Virus • Nonresident viruses: • immediately search for other hosts that can be infected, infect these targets, and finally transfer control to the application program they infected • Nonresident viruses can be thought of as consisting of a finder module and a replication module • The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file. Eng. Ammar Mahmood

  19. The Virus • Resident viruses • Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. • The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself. • Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation Eng. Ammar Mahmood

  20. The Virus • Resident viruses are sometimes subdivided into a category: • Fast infectors: are designed to infect as many files as possible. It can infect every potential host file that is accessed. • This poses a special problem to anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. • The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Eng. Ammar Mahmood

  21. The Virus • 2ndcategory Slow infectors: • are designed to infect hosts infrequently. For instance, some slow infectors only infect files when they are copied. • Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably, and will at most infrequently trigger anti-virus software that detects suspicious behavior by programs. • The slow infector approach does not seem very successful however. Eng. Ammar Mahmood

  22. The Virus • Host types: • Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux) • Volume Boot Records of floppy disks and hard disk partitions • The master boot record (MBR) of a hard disk • General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms). • Application-specific script files (such as Telix-scripts) • Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database files) Eng. Ammar Mahmood

  23. The Worm • A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. • Unlike a virus, it does not need to attach itself to an existing program. • Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer. Eng. Ammar Mahmood

  24. The Worm • Types of computer worms: • Email Worms Spread via email messages. Typically the worm will arrive as email, where the message body or attachment contains the worm code, but it may also link to code on an external website. • Instant messaging worms The spreading used is via instant messaging applications by sending links to infected websites to everyone on the local contact list • IRC worms Chat channels are the main target and the same infection/spreading method is used as above Eng. Ammar Mahmood

  25. The Worm • Types of computer worms: • File-sharing networks worms Copies itself into a shared folder, most likely located on the local machine. The worm will place a copy of itself in a shared folder under a harmless name. Now the worm is ready for download via the P2P network and spreading of the infected file will continue. • Internet worms • Those which target low level TCP/IP ports directly, rather than going via higher level protocols such as email or IRC. • A classic example is "Blaster" which exploited a vulnerability in Microsoft's Remote procedure call (RPC). An infected machine aggressively scans random computers on both its local network and the public Internet attempting an exploit against port 135 which, if successful, spreads the worm to that machine. Eng. Ammar Mahmood

  26. The Worm • Payloads: • Many worms have been created which are only designed to spread, and don't attempt to alter the systems they pass through. • A "payload" is code designed to do more than spread the worm - it might delete files on a host system (e.g. the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail. • A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a "zombie" under control of the worm author Eng. Ammar Mahmood

  27. Antivirus SW Eng. Ammar Mahmood

  28. Antivirus • Antivirus software typically uses two different techniques to accomplish his mission: • Examining (scanning) files to look for known viruses matching definitions in a virus dictionary • Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods. Eng. Ammar Mahmood

  29. Antivirus modes • Anti-virus programs have two basic modes: • “static” file scanning: useful for when you have to scan a file or a volume to check to see if any of the files are currently infected with malware • real-time “dynamic” scanning: is really what is needed to prevent the computer from getting infected in the first place. In this mode, all files that the operating system opens or uses are scanned first before they are fully opened. Eng. Ammar Mahmood

  30. Approaches • Dictionary • A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses • In the virus dictionary approach, when the antivirus software examines a file, it refers to a dictionary of known viruses that the authors of the antivirus software have identified. If a piece of code in the file matches any virus identified in the dictionary, then the antivirus software can take one of the following actions: • attempt to repair the file by removing the virus itself from the file • quarantine the file (such that the file remains inaccessible to other programs and its virus can no longer spread) • delete the infected file Eng. Ammar Mahmood

  31. Approaches • Dictionary • the virus dictionary approach requires periodic (generally online) downloads of updated virus dictionary entries. • users identify new viruses "in the wild", they can send their infected files to the authors of antivirus software, who then include information about the new viruses in their dictionaries. • Dictionary-based antivirus software typically examines files when the computer's operating system creates, opens, closes or e-mails them. In this way it can detect a known virus immediately upon receipt Eng. Ammar Mahmood

  32. Approaches • Dictionary • System Administrator can typically schedule the antivirus software to examine (scan) all files on the user's hard disk on a regular basis. • Although the dictionary approach can effectively contain virus outbreaks in the right circumstances. Eng. Ammar Mahmood

  33. Approaches • Dictionary • Virus’s Technology to avoid the Dictionary Approach is: • Metamorphic code • Polymorphic code • Oligomorphic engine is generally used by a computer virus to generate a decryptor for itself in a way comparable to a simple polymorphic engine Eng. Ammar Mahmood

  34. Approaches • Dictionary • Previous technology weakness are: • Polymorphism: • A small portion of it is left unencrypted and used to jumpstart the encrypted software. Anti-virus software targets this small unencrypted portion of code. • Anti-virus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. • most oligomorphic viruses aren't able to generate more than just a few hundred different decryptors, so detecting them with simple signatures is still possible Eng. Ammar Mahmood

  35. Approaches • Suspicious behavior: • The suspicious behavior approach doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. • If one program tries to write data to an executable program, for example, the antivirus software can flag this suspicious behavior, alert a user and ask what to do. Eng. Ammar Mahmood

  36. Approaches • Suspicious behavior • the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. • However, it can also sound a large number of false positives, and users probably become desensitized to all the warnings. • If the user clicks "Accept" on every such warning, then the antivirus software obviously gives no benefit to that user Eng. Ammar Mahmood

  37. Approaches • Suspicious behavior weakness • The fact the many legal SW behave like malicious SW make the job of antivirus harder • Ex:There are commercial software that have many features as dynamic code encryption/decryption, code replace, metamorphic engine, API export, anti debug/dump/trace and more. They are used to protect software programs from illegal use(cracking and reverse engineering) Eng. Ammar Mahmood

  38. Approaches • Heuristic analysis: • try to emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable. • If the program seems to use self-modifying code or otherwise appears as a virus (if it immediately tries to find other executables, for example), one could assume that a virus has infected the executable. • Heuristic scanners have a higher rate of false positives than do signature scanners but they have the significant advantage of being able to detect unknown viruses. Eng. Ammar Mahmood

  39. Approaches • Sandbox: • sandbox is a security mechanism for safely running programs. It is often used to execute untested code, or programs from unverified third-parties, suppliers and untrusted users. • emulates the operating system and runs the executable in this simulation. After the program has terminated, software analyzes the sandbox for any changes which might indicate a virus. • Because of performance issues, this type of detection normally only takes place during on-demand scans Eng. Ammar Mahmood

  40. Approaches • Sandbox: • Also this method may fail as virus can be nondeterministic and result in different actions or no actions at all done then run - so it will be impossible to detect it from one run. • The sandbox typically provides a tightly-controlled set of resources for guest programs to run in Eng. Ammar Mahmood

  41. Weaknesses of antivirus SW • Many security professionals agree that the current approach to defend against malicious software with antivirus is not good enough, but it is best solution that we have right now. • Here is the brief summary of the main shortcomings in the antivirus software: Eng. Ammar Mahmood

  42. Weaknesses of antivirus SW 1. Reactive approach: Your antivirus as good as your definition files. If you did not update them, the antivirus program will not be able to detect a new malware. The most critical problems for the antivirus software to detect malicious code are: • new or modified malicious code • rootkit programs • Software Misuse 2. Inability to protect themselves: With sufficient system permissions, malware can change antivirus settings and configuration. Eng. Ammar Mahmood

  43. Weaknesses of antivirus SW 3. Inability to revert the results of malware infection process. • Too often, “installation process” of malware includes copying files, changing registry and system configuration files, changing other software configuration. Some of these changes still present in the infected system, even after an antivirus program delete or disinfect malware files. • Almost for every severe virus/worm, antivirus vendors issues “Removal Tool”. • this is means that the antivirus vendors saying to their customers: “our antivirus isn’t good enough to clean your system – please use this tool” Eng. Ammar Mahmood

  44. Retro Viruses • retro viruses are the viruses that attack security programs • “Attack is the best defense strategy” • The malware instead of hiding from detection by security SW it target these SW as its (part of) malicious action • We will discuss in the next slides some of the technique used by the Retro viruses Eng. Ammar Mahmood

  45. The Black Antivirus • a(white) antivirus used for the good purposes while Black Antivirus is the same antivirus, but used for the “bad” purposes. • An unexpected problem: • “virus definition database” has the definitions for security tools used today in the computer security world to defend and protect computer systems. • Malware could includes antivirus engine and signature definition files for security tools. • To protect our tools we need to evade the Antivirus detection! Therefore, our security tools need to be a polymorphic or even metamorphic. Eng. Ammar Mahmood

  46. Malware can use IDS system to “shut down” security systems at the network level. Such malware will primary target internal corporate LAN and could carry itself an IDS engine or change the existing one with new rules (if possible). malware carry engine itselfand use MAC and ARP poisoning to sniff in a switched network. Any communication that passes the wire were the malware was able to “see” it, is a subject for this attack. The solution for this problem may be the use of covert channels The Black Intrusion Detection System: Eng. Ammar Mahmood

  47. Practical Examples Eng. Ammar Mahmood

  48. Virus Example • Win32/Simile: • is a metamorphic computer virus written in assembly language for Microsoft Windows (most recent version in early March 2002) • It was written by the virus writer Mental Driller • When the virus is first executed, it checks the current date. If the host file (the file that is infected with the virus) imports the file User32.dll, then on the 17th of March, June, September, or December, a message is displayed. • Depending on the version of the virus the case of each letter in the text is altered randomly. On May 14, a message saying "Free Palestine!" will be displayed if the system locale is set to Hebrew. Eng. Ammar Mahmood

  49. Virus Example • The virus then rebuilds itself. This metamorphic process is very complex and accounts for around 90% of the virus' code • After the rebuild, the virus searches for executable files in folders on all fixed and remote drives. • The virus contains checks to avoid infecting "goat" or "bait" files • The infection process uses the structure of the host, as well as random factors, to control the placement of the virus body and the decryptor. • The virus contains no destructive payload Eng. Ammar Mahmood

  50. SQL slammer worm • The SQL slammer worm is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic • It spread rapidly, infecting most of its 75,000 victims within ten minutes. • it exploited two buffer overflow bugs in Microsoft's flagship SQL Server and Desktop Engine database products • The worm is a small (376 bytes) piece of code that does little other than generate random IP addresses and send itself out to those addresses. Eng. Ammar Mahmood

More Related