Viruses: Classification and Prevention Mike Morain.

Date post: 15-Dec-2015

Viruses: Classification

and Prevention

Mike Morain

Basic Lecture Structure

• History of malware
• Nature and operation of malware
• Discuss means of identification, removal, and prevention
• Virtualization in malware

A Brief History

• John Von Neumann
o 1949 - Developed the first “self-replicating automata”
• Veith Risak
o 1972 - Wrote the first self-reproducing program for a SIEMENS 4004/35 computer
• 1980 - Jürgen Kraus
o Wrote a paper which put forward the idea that computer programs could act and behave like biological viruses
• 1984 - Fred Cohen
o Coined the term “virus” in his paper “Computer Viruses – Theory and Experiments”

Creeper

• First controlled virus
• Developed by Bob Thomas, released on ARPANET in 1971 for the TENEX OS
• Behaved more like a modern worm
o Would replicate itself onto machines around the NET, and display the message “I’m the creeper, catch me if you can!”
o Would begin to print a file, pause, find a network system, and transfer
o Relatively harmless. More a proof-of-concept than anything. Actually removed itself if it found another copy, then moved on.

The Elk Cloner

• First virus to be released outside a single lab. First “uncontrolled” computer virus. (Skrenta, ‘81)
• Practical joke: spread via a floppy disk game, infected the host’s boot sector
• The target OS: Apple DOS 3.3
• Relatively benign
o Would print a poem on the target computer’s screen
• From a recent NBC interview:
o "I guess if you had to pick between being known for this and not being known for anything, I'd rather be known for this. But it's an odd placeholder for (all that) I've done."

Malware Today

• Not so benign
• Motivations:
o Creating zombie machines for botnets (DDoS attacks, etc.)
o Identity theft and impersonation
o Monetary gains (credit card fraud, bank fraud, etc.)
o Many other nefarious goals

Types of Viruses

• Boot Sector
• File
• Macro
• Encrypted
• Stealth
• Polymorphic
• Metamorphic
• Worms

A Structural Breakdown

• Infection Mechanism
• Trigger
• Payload
• Phases
o Dormant Phase
o Propagation Phase
o Triggering Phase
o Executing Phase

Example: MyDoom Worm

• Infection Mechanism
o E-mail attachment executable disguised as an image, document, etc.
• Trigger
o Opening the email attachment
• Payload
o 1. TCP Backdoor on port 3127 by overwriting local DLLs and running as a child process of Windows Explorer
o 2. Launched a DDoS attack against Caldera International (software company) on 1st of February, 2004

Infection Mechanism

• The means by which a virus spreads
• Early on, this was done via floppy drives, etc., but now the Internet makes this far easier.
• Attach to common downloads, music, videos, software, screensavers etc.
• Spread through emails as attachments
• Spread on thumb drives (Pentagon example)
• Infection vectors vary, payloads stay relatively constant
• There are many other infection mechanisms: PDF files, infected image files, visiting infected web pages, office macros, etc.

Trigger

• The mechanism by which the payload is activated.
• For simply malicious viruses, this is often the simple act of opening the infected file
• For more devious or surreptitious viruses, like trojan horses, backdoors, or botnet infections, the trigger usually has to do with the intended purpose:
o DDoS: Triggered by the time/date to attack on, or by the controllers directly
o Credit/Bank fraud: Activated when the user visits a bank site, etc.
• The trigger is almost always related to the infection mechanism; the code needs to be executed somehow.

Payload

• This is the intended action of the virus
• Goals relatively constant
• Malicious code (format hard drive, delete important files – old school)
• Botnets
o DDoS, hosting phishing sites, etc.
• Trojans
o Back doors, keyloggers
o Searching for personal or financial information

Ex: MS “Removal” Tool

MS Removal Tool (cont.)

• Infection Mechanism
o ActiveX Remote installation
o ActiveX Data Objects tied to Windows APIs
• Trigger
o Begins execution on install
• Payload
o Hijacks various OS process calls
o Changes web proxy

Combatting Malware

• Prevention
o Ideal solution
o This requires detection during the propagation phase.
• Detection, Identification, and Removal
o Theoretically, much harder than prevention
• The Malware may have spread already, so many files/machines will have to be checked and cleaned.
• Removal requires knowing what it is, how it spread etc.
• What do we do today?

Modern Antivirus Software

• 1st Generation: simple scanners
o Require signatures to detect the behavior of known viruses
o Often look at program length and alert the administrators if anything has changed
o Not so good for zero-day attacks

Tripwire

(slide image: http://original.jamesthornton.com/redhat/linux/9/Reference-Guide/figs/tripwire/tripwire.png)

Modern Antivirus Software

• 2nd Generation: heuristics scanners
o Don’t really rely on the signatures as much, but use “rules of recognition”
o They look for odd behavior, or code fragments that are often associated with viruses, but again, they don’t have specific signatures for every virus they can handle
o Example of behavior: PyKeyLogger

Pykeylogger

• Uses the SetWindowsHookEx API in Win32
o Specifically the WH_KEYBOARD and WH_KEYBOARD_LL hooks
• Commonly used APIs, but not in the background.
• Simple heuristic rule:
o In general, don’t allow keyboard strokes to be captured in the background
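Added example (not from the slides, and not PyKeyLogger’s own code): the heuristic rule above applied to a constructed API-call trace. The trace format and its `has_window` field are assumptions; only the hook names and `dwThreadId` semantics come from the Win32 API.

```python
import re

# Constructed API-call trace (field names are assumptions for this example,
# not the output of PyKeyLogger or any real monitor).
TRACE = """\
pid=1204 proc=editor.exe api=SetWindowsHookEx idHook=WH_KEYBOARD dwThreadId=1208 has_window=1
pid=3388 proc=svchelper.exe api=SetWindowsHookEx idHook=WH_KEYBOARD_LL dwThreadId=0 has_window=0
pid=3388 proc=svchelper.exe api=CreateFileW path=C:\\Users\\Public\\keys.log
pid=2210 proc=ime.exe api=SetWindowsHookEx idHook=WH_KEYBOARD_LL dwThreadId=0 has_window=1
pid=2210 proc=ime.exe api=SetWindowsHookEx idHook=WH_MOUSE_LL dwThreadId=0 has_window=1
pid=4402 proc=updater.exe api=SetWindowsHookEx idHook=WH_KEYBOARD dwThreadId=5000 has_window=0
"""

KEYBOARD_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one 'key=value ...' trace line into a dict."""
    return dict(FIELD_RE.findall(line))

def find_background_keyboard_hooks(trace):
    """Slide rule: keyboard strokes must not be captured in the background.
    Flag SetWindowsHookEx calls installing WH_KEYBOARD / WH_KEYBOARD_LL from a
    process with no window of its own. dwThreadId=0 means the hook is global
    (all threads on the desktop); that is recorded as the hook's scope."""
    hits = []
    for line in trace.splitlines():
        ev = parse_event(line)
        if ev.get("api") != "SetWindowsHookEx" or ev.get("idHook") not in KEYBOARD_HOOKS:
            continue
        if ev.get("has_window") == "0":
            scope = "global" if ev.get("dwThreadId") == "0" else "thread"
            hits.append((ev["pid"], ev["proc"], ev["idHook"], scope))
    return hits

def print_report(trace):
    for pid, proc, hook, scope in find_background_keyboard_hooks(trace):
        print(f"ALERT pid={pid} {proc}: {scope} {hook} hook from a windowless process")

if __name__ == "__main__":
    print_report(TRACE)
```

The windowed editor and the input-method process pass the rule even though they use the same API; only the windowless processes are flagged.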

Modern Antivirus Software (cont.)

• 3rd Generation: activity traps
o More like the anomaly detection scheme, where the program just combs memory and looks for actions that are a threat to security rather than structures in the program code in memory
o This has the distinct advantage of being able to prevent actions proactively rather than responding retroactively.
• 4th Generation: full-featured scanners
o All of these tools combined and used simultaneously

Modern Antivirus Software (cont.)

• The differences:
o Older software scanned once a day, etc. Now they are working constantly to prevent infection
o Norton, McAfee: all had original versions that did scheduled scans or on-boot scans based on signatures
o Progress adds features as malware authors find exploits
• Commercial Examples
o Norton 2006 (13.0) introduced Internet Explorer and host file protection
o Panda Antivirus is award winning
• Detects all strange behavior, very good anomaly detection
• Balance between good and annoying

Case Study: Microsoft Security Essentials

• Microsoft has never really been known for security prowess
• They’ve had some of the most embarrassing mishaps when it comes to security:
o A few years ago, they released a “Malicious Software Removal Tool.”
o It actually got pretty good reviews, and the methodology used was good
o Unfortunately for MS, it worked so well it removed Internet Explorer as a potential security threat.

MSE Example (cont.)

• Today’s solution is Microsoft Security Essentials, which is being lauded as a very well developed antivirus tool.
• It uses a combination of signature and anomaly detection to fight infection.
• Advances in hardware and speed allow constant protection to be done without extremely noticeable overhead.

MSE Example (cont.)

• It has (as do many other tools):
o Integration with the computer’s API calls
• For instance, when you open a folder with an infected file, MSE does a quick analysis on those files, and will alert you if it’s obviously infected, and does so without consuming too many resources
• Also has the ability to scan every file for every known virus signature.
• Sandboxes programs that are behaving suspiciously and alerts the user

Further Advances in AV

• The advancement of viruses and antiviruses is inseparably linked.
• Once the current threats are dealt with, it’s hard to predict what virus makers will do next, so it’s a tango back and forth.
• A huge flaw in even 4th Generation anti-virus software is the inability to track and detect polymorphic viruses

Digital Immune Systems

• 1. A monitoring program on each PC uses anomaly detection to analyze behavior, and sends the suspicious activity to the admin machine.
• 2. The admin machine encrypts the sample and sends it to a “central virus analysis (CVA).”
• 3. The CVA creates a VM for running the infected program, analyzes the behavior, and produces a fix which is sent out to clients.
• 4. Subscribers world-wide receive the new signatures and patches.


Generic Decryption

• Solves the polymorphic-virus problem by running code through a fast “generic decryption” scanner that:
o Has a CPU emulator that the suspicious code is allowed to be executed on.
o Looks for any commonly known encryption/decryption behavior, since this is often how polymorphic viruses change themselves.
o Also includes the signature scanner from other generations.
o Halts the code if it’s determined to be malicious, and “quarantines” the original executable.
o Works a lot like TaintCheck
• The problem with this is that it requires a lot of overhead.
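Added example, not code from the slides or from any real scanner: a toy generic-decryption scanner. The instruction set, the sample, its key and the signature are all invented for illustration; the point is that the static scan misses the XOR-encoded body, while scanning memory after emulation finds it, and the step budget is where the overhead the slide mentions shows up.

```python
SIGNATURE = b"WIPE_DISK"   # constructed signature, not a real indicator

def build_sample(key=0x5A):
    """Constructed sample: decryptor loop + key-XORed body (not real malware)."""
    body = bytes(b ^ key for b in b"noise " + SIGNATURE + b" more noise")
    decryptor = [
        ("LOADK", "r0", 0),          # r0 = offset into body
        ("LOADK", "r1", len(body)),  # r1 = bytes left to decode
        ("LOADK", "r2", key),        # r2 = key
        ("XORM", "r0", "r2"),        # pc 3: mem[r0] ^= r2
        ("INC", "r0"),
        ("DEC", "r1"),
        ("JNZ", "r1", 3),            # loop back until r1 == 0
        ("HALT",),
    ]
    return decryptor, bytearray(body)

def emulate(program, mem, step_budget=10_000):
    """Toy CPU emulator (invented instruction set): runs the suspect code on a
    private memory copy, counts XOR writes, stops at HALT or when the budget ends."""
    regs = {"r0": 0, "r1": 0, "r2": 0}
    pc = xor_writes = steps = 0
    while pc < len(program) and steps < step_budget:
        steps += 1
        ins = program[pc]
        if ins[0] == "LOADK":
            regs[ins[1]] = ins[2]
        elif ins[0] == "XORM":
            mem[regs[ins[1]]] ^= regs[ins[2]]
            xor_writes += 1
        elif ins[0] == "INC":
            regs[ins[1]] += 1
        elif ins[0] == "DEC":
            regs[ins[1]] -= 1
        elif ins[0] == "JNZ" and regs[ins[1]] != 0:
            pc = ins[2] - 1          # the +1 below lands on the loop target
        elif ins[0] == "HALT":
            return mem, xor_writes, True
        pc += 1
    return mem, xor_writes, False   # budget exhausted: undecided, not "clean"

def generic_decryption_scan(program, mem, signatures=(SIGNATURE,), loop_min=8):
    """Signature scan of the raw file, then of memory after emulation."""
    static_hit = any(s in mem for s in signatures)
    decoded, xor_writes, _ = emulate(program, bytearray(mem))
    emulated_hit = any(s in decoded for s in signatures)
    return {"static_hit": static_hit, "decryption_loop": xor_writes >= loop_min,
            "emulated_hit": emulated_hit,
            "verdict": "quarantine" if emulated_hit else "clean"}
```

Re-keying the sample (a different `key`) changes every byte of the file, which is why the raw signature scan fails for every variant while the emulated scan still matches.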

Virtualization in Anti-virus

• Hardware advances – mainly speed of processors, multiple cores, and more memory – allow virtualization to be used
• Example: Sunbelt Software’s Vipre Enterprise Malware Client
o Maintains a minimized, mimicked copy of the host system in a sandbox of memory and allows suspect files to run free.
o Implementation utilizing the advancement of processor virtualization and multi-core assignment minimizes the overhead.
o The virtualization, alongside a proprietary “dynamic translation” re-compiler, is how this works so quickly and well

Sunbelt Vipre

http://www.sunbeltsoftware.com/developer/VIPRE-Desktop-SDK/

Conclusions

• Digital immune systems are the way of the future
• Virtualization allows them to be implemented locally on a small scale
• Still benefit from honeypots that security companies run to catch all the viruses going around.
• OS integration is key

