AV is Dead! Is AV Dead?

“There is no algorithm that can perfectly detect all possible computer viruses.”
Fred Cohen, 1987, pioneer of computer virus technology and defense

Virus
• A virus is an executable or piece of code that has the capability to replicate and attach itself onto a target file
Malware
• A term used to denote malicious software, including but not limited to worms, Trojans, ransomware and viruses
• Often referred to, by some people, as “virus”

Main questions to be answered
WHO: Who are the ones that are saying AV is dead?
WHY: Why are they saying that AV is dead?
WHAT: What should we learn from all of this?

Agenda
• Historic Malware Facts: A Never Ending War
• Proactive Development Of New Weapons
• Being Opinionated on Data
• Derivation

AV - Anti-Virus
• Software originally designed to detect and remove computer viruses
• Initially based on signature detection and blacklisting techniques, which use the scan-detect-protect-clean paradigm
• Although developed during the 80s, non-IT people are still used to the term AV (antivirus) to refer to the software they use to protect against malware

A Never Ending War
[Timeline figure: 1980-1990, 1990-2000, 2000-2005, 2005-2010, 2010-2014, 2014-2016]

Malware (virus, worms, Trojans; rootkits, exploits; hijackers, adware, spyware; rogue AV; ransomware, APT)
• Encryption, polymorphism, metamorphism
• Packing, armouring, protectors
• Anti-emulation, anti-debugging
• Botnet
• Vulnerability exploitation
• Dormancy
• Stealth
• EULA
• Lawsuits, greyware
• Social engineering
• Stolen digital signatures
• Fast flux
• Rapid variant generation
• More laser-focused targeted attacks

Security
• Signature-based detection
• Hashing
• Heuristics
• Emulation
• Intelligent scanning
• Generic unpacking
• Behavioural analysis
• Virtualized environments
• Gateway solutions
• Cloud
• Anti-rootkits
• Memory protection (PatchGuard)
• Machine learning
• Data mining
• Anomaly-based detection
• NEXT GEN

A Never Ending War
Exact-match signature detection (pseudocode):
    PE32 GoEntryPoint()
    Sig = Match Exact Hexa [0x60 0xe8 0x00 0x00 0x5d 0x81 0xed 0x0b …]
    If (Sig)
        return Infected

A Never Ending War
Using heuristic-based signature detections, emulation and intelligent scanning, AV engines can now remove garbage code and produce the actual malicious code.
And again, malware authors responded with anti-emulation techniques such as near-infinite loops and timing-based techniques that count the difference in processor cycles between two points.

Heuristic-based detections are the signature detections that we use nowadays. They are called 1-to-many detection patterns.
The usual heuristic sig can detect from hundreds to thousands of samples per sig.
I know of a couple which can catch a million samples with one heuristic-based signature.
But those are few and rare, as it is very hard to find a common pattern across different variants, families and generations of malware.

A Never Ending War
Am I running on a REAL machine???
GOTCHA!!!!

A Never Ending War
Windows 7 64-bit
- Code Integrity Policy prevents unsigned kernel-mode drivers from loading
- Windows PatchGuard protects against modification of:
  - SSDT (System Service Dispatch Table)
  - IDT (Interrupt Descriptor Table)
  - GDT (Global Descriptor Table)
  - Patching of code in the kernel

“The Master Boot Record (MBR) is the first 512 bytes of a data storage device that contains code for bootstrapping an operating system. It houses the table of primary partitions using the IBM partition table scheme. Its primary purpose is to load the boot sector and pass control to it (volume boot record)”

A Never Ending War
Normal Windows boot sequence:
- Load MBR
- Load VBR
- Load Bootmgr
- Load winload.exe or winresume.exe
- Load kernel and other drivers

MBR (Master Boot Record): loads the VBR
VBR (Volume Boot Record): loads the Bootmgr
Bootmgr: reads the BCD (Boot Configuration Data); loads either winload.exe or winresume.exe (restores the state of a hibernating system)
Winload.exe: initializes the code integrity policy; loads the kernel and its dependencies hal.dll, bootvid.dll, kdcom.dll
Kernel initialization: calls KdDebuggerInitialize1 from kdcom.dll to initialize the debugging facilities of the system

A Never Ending War
TDL4 boot sequence:
- Load infected MBR: contains malicious code for loading TDL4
- Load LDR16 from its file system: replaces a key BCD value to initiate WinPE mode
- Hook INT 13h and restore the original MBR: the INT 13h hook waits for kdcom.dll to be loaded, then replaces its image in memory with LDR32 or LDR64 (platform dependent)
- Load VBR
- Load Bootmgr
- Load Winload.exe (WinPE mode): since the value in the BCD registry hive was replaced, WinPE mode is activated and Code Integrity is disabled
- Load kernel dependencies ntoskrnl.exe, hal.dll and kdcom.dll: when the hook finds kdcom.dll in memory, it replaces the image with LDR32 or LDR64
- Call KdDebuggerInitialize1
- Initialize kernel

Why kdcom.dll? It contains a function that is called by the system to initialize system debuggers.
LDR32/64 contains the same functions as the original kdcom.dll, but only one of them works: KdDebuggerInitialize1. All others are dummies and return 0, so the kernel debugger is disabled.
DRV32 or DRV64 (the rootkit’s main component for hooking) will be loaded, and the boot continues as if nothing happened.

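The MBR layout quoted earlier and the infected-MBR step of the TDL4 chain, as an added example that is not part of the slides or of any product: a parser for the 512-byte MBR that checks the 0x55AA boot signature, decodes the four primary partition entries, and compares a hash of the boot-code region with a known-good baseline, which is the check a responder runs to tell a replaced boot sector from a legitimate partition change. The two MBR images are constructed, not taken from a real disk.

```python
# Added example, not part of the slides: decode a 512-byte MBR (IBM partition scheme),
# verify the 0x55AA signature, list primary partitions and compare a hash of the boot code
# with a known-good baseline; a replaced boot sector changes the hash, the table does not.
import hashlib
import struct

BOOT_CODE_LEN = 440      # boot code; bytes 440-445 hold the disk signature and a reserved word
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"   # bytes 510-511
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors

def parse_partitions(mbr):
    """Return the used primary partition entries; raise on a malformed sector."""
    if len(mbr) != 512 or mbr[510:512] != BOOT_SIG:
        raise ValueError("not a 512-byte MBR with a 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype:    # type 0 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts

def boot_code_hash(mbr):
    """SHA-256 over the boot code only, so partition edits do not trip the check."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()

def make_mbr(boot_code, entries):
    """Assemble a constructed MBR image from boot code and raw partition entries."""
    img = bytearray(512)
    img[:len(boot_code)] = boot_code
    for i, entry in enumerate(entries):
        img[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)] = entry
    img[510:512] = BOOT_SIG
    return bytes(img)

# Constructed images: a clean MBR and a copy whose first boot-code bytes were overwritten.
CLEAN_BOOT = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 5)   # cli; xor ax,ax; mov ss,ax; nops
NTFS_ENTRY = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 204800)          # bootable NTFS, 100 MiB at LBA 2048
CLEAN_MBR = make_mbr(CLEAN_BOOT, [NTFS_ENTRY])
BASELINE_HASH = boot_code_hash(CLEAN_MBR)                              # recorded on a known-good system
INFECTED_MBR = make_mbr(b"\xeb\xfe" + CLEAN_BOOT[2:], [NTFS_ENTRY])    # jmp $ stub replaces the real code

def boot_code_modified(mbr, baseline=BASELINE_HASH):
    """The responder's check: same partition layout, different boot code."""
    return boot_code_hash(mbr) != baseline

if __name__ == "__main__":
    print(parse_partitions(CLEAN_MBR))
    print("clean modified:", boot_code_modified(CLEAN_MBR))        # False
    print("infected modified:", boot_code_modified(INFECTED_MBR))  # True
```

On a live system the baseline would be taken from a trusted image of the same disk, and the comparison should be done from outside the booted OS, since a loaded bootkit can hide its own sector through the INT 13h hook described above.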
A Never Ending War
“We are essentially going in circles. We improve only after our adversaries defeat our defenses. Most software is still riddled with vulnerabilities, but the vendors typically make no move to fix one until it becomes publicly disclosed.”
David Hoelzer, Director of Research, Enclave Forensics

WHO?
• People who have limited knowledge about the subject
• Irate victims of malware attacks
• People who have other intent
  • Financial gain
  • Ego
  • Marketing a new technology (NextGen)
• 2008, 2014: big AV companies were quoted saying, in essence, that AV is not sufficient anymore

Proactive Development Of New Weapons
[Diagram: NextGen Software X pipeline] Sample → Pre-filtering (whitelisting & metadata confidence) → Behavioural analysis (almost similar to a sandbox) → Bad. Parallel pipe: memory space, continuous check for anomalous behaviour → Bad.

How malware authors respond:
• Avoid known names or Microsoft system file names
• Use anti-sandbox techniques to defeat the behavioural analysis
• Stay dormant, but don’t use techniques that will trigger the sandbox traps
• Use trial and error to escape the anomalous behaviour checks

Being Opinionated On Data
2016 Verizon Data Breach Investigations Report

Being Opinionated On Data
2015 Microsoft Security Intelligence Report: Infection Rates For Protected and Unprotected Computers
Recent releases of the MSRT collect and report details about the state of real-time antimalware software on a computer, if the computer’s administrator has chosen to opt in to providing data to Microsoft. This telemetry data makes it possible to analyze security software usage patterns around the world and correlate them with infection rates.
This graph tells us that computers that were unprotected were between 2.7 and 5.6 times as likely to be infected with malware as computers that were protected.

Being Opinionated On Data
“Antivirus won't protect you from the ever-increasing percentage of malware that's specifically designed to bypass antivirus software, but it will protect you from all the random unsophisticated attacks out there: the "background radiation" of the Internet.”
https://www.schneier.com/blog/archives/2014/05/is_antivirus_de_1.html

“In an era where anti-malware labs process hundreds of thousands of samples a day, failure to realize the significance of a vanishingly small set of stealthy, low-prevalence samples – however great their subsequent impact – while hardly describable as a success, is hardly a spectacular failure in statistical terms.” [1]

Derivation
• To react to the evolving threats, “AV” or AM has evolved too
• It does not SOLELY use the simple signature-based detection as it did 20 years ago
• Hash (blacklist), whitelisting, smart patterns or heuristics are the BASIC functionalities we’re using for “AV” these days
• Even 20% protection is better than none (worst-case scenario from AUSCERT)

Derivation
GOOD SECURITY
• Does not rely on a single technology for protection
• Multi-layered security is the right approach
• Good endpoint security (AV/AM)
• Good network-based security
• Backups
• Updates and patches
• Secure your channels
• Don’t overdo it

Extra: Getting Opinionated Again
“Consider whether you want to base your security strategy (at home or at work) on a PR exercise based on statistical misrepresentation and misunderstanding. Don’t be too optimistic about finding The One True (probably generic) Solution: look for combinations of solutions that give you the best coverage at a price you can afford. The principle applies to home users too: the right free antivirus is a lot better than no protection” [1]

[1] www.welivesecurity.com/wp-content/uploads/.../avar-2013-paper.pdf

Q?