Antivirus Software By Eng Ammar J Mahmood Supervised
Antivirus Software By: Eng. Ammar J. Mahmood Supervised by: Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT)Jordan’s campus 11/1/2020 Eng. Ammar Mahmood 1
Introduction n Antivirus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware). Malware or Malicious Software is software designed to infiltrate or damage a computer system without the owner's informed consent. Types of malware include spyware, adware, Trojan horses, Worms, and viruses. 11/1/2020 Eng. Ammar Mahmood 2
Malware “Know your enemy” 11/1/2020 Eng. Ammar Mahmood 3
The Virus n n A computer virus is a self-replicating computer program written to alter the way a computer operates, without the permission or knowledge of the user Why people create computer viruses? ¨ Some virus writers consider their creations to be works of art, and see virus writing as a creative hobby ¨ Viruses have been written as research projects, pranks, vandalism, to attack the products of specific companies 11/1/2020 Eng. Ammar Mahmood 4
The Virus n Why people create computer viruses? ¨ Some viruses were intended as "good viruses". They spread improvements to the programs they infect, or delete other viruses. These viruses are, however, quite rare, still consume system resources, may accidentally damage systems they infect. 11/1/2020 Eng. Ammar Mahmood 5
The Virus n Viruses can be subdivided into a number of types, the main ones being: ¨ Boot sector viruses: n n n 11/1/2020 alters or hides in the boot sector, usually the 1 st sector, of a bootable disk or hard drive. contains code for bootstrapping programs (usually activates, but not necessarily, operating systems) Boot sector infector viruses replace the bootstrap code in the boot sectors (of floppy disks, hard disks, or both) with viral code. the BIOS on IBM PC compatible machines is ignorant of whether a disk has in fact been high-level formatted and had an operating system installed in it This results in a security vulnerability. A user who sees the error message may not be aware that the code in the boot sector of the disk has already been run by that point, and that if the disk was infected by a boot-sector computer virus Eng. Ammar Mahmood 6
The Virus ¨ Companion viruses: creates new files (typically. COM but can also use other extensions such as ". EXD") that have the same file names as legitimate. EXE files. When a user types in the name of a desired program, if a user does not type in ". EXE" but instead does not specify a file extension, DOS will assume he meant the file with the extension that comes first in alphabetical order and run the virus. ¨ Email viruses: is a virus which uses e-mail messages as a mode of transport. These viruses often copy themselves by automatically mailing copies to hundreds of people in the victim's address book. 11/1/2020 Eng. Ammar Mahmood 7
The Virus ¨ Logic bombs and time bombs: employs code that lies inert until specific conditions (e. g. infected a certain number of hosts ) are met. The resolution of the conditions will trigger a certain function (such as printing a message to the user and/or deleting files). ¨ Macro viruses: often written in the scripting languages for Microsoft programs such as Word and Excel, is spread in Microsoft Office by infecting documents and spreadsheets. ¨ Cross-site scripting virus: is a type of virus that utilizes cross-site scripting vulnerabilities to replicate. 11/1/2020 Eng. Ammar Mahmood 8
The Virus n Methods to avoid detection Avoiding bait files and other undesirable hosts: A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many anti-virus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. ¨ Bait files (or goat files) are files that are specially created by antivirus software ¨ n n n 11/1/2020 Anti-virus professionals can use bait files to take a sample of a virus Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods. Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system. Eng. Ammar Mahmood 9
The Virus ¨ StealthRootkit: A virus can hide itself by intercepting the anti-virus software’s request to read the file and passing the request to the virus, instead of the OS. n The virus can then return an uninfected version of the file to the anti-virus software, so that it seems that the file is "clean“. n Modern anti-virus software employs various techniques to counter stealth mechanisms of viruses. n 11/1/2020 Eng. Ammar Mahmood 10
The Virus A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system n Rootkit types: n Virtualised: These rootkits work by modifying the boot sequence of the machine to load themselves instead of the original operating system. Once loaded into memory a virtualised rootkit then loads the original operating system as a Virtual Machine thereby enabling the rootkit to intercept all hardware calls made by the guest OS ¨ Kernel level: Kernel level rootkits additional code and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system ¨ 11/1/2020 Eng. Ammar Mahmood 11
The Virus n Rootkit types ¨ ¨ n n 11/1/2020 Library level : commonly patch, hook, or replace system calls with versions that hide information about the attacker. Application level rootkits may replace regular application binaries with trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean. Done byshut down the computer suspected of infection and check its storage by booting from an alternative media (e. g. rescue CD-ROM or USB flash drive). A non-running rootkit cannot hide its presence and most established antivirus programs will identify rootkits armed via standard OS calls Eng. Ammar Mahmood 12
The Virus ¨ Self-modification: n n n 11/1/2020 Some viruses employ techniques that make detection by means of signatures difficult or impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus. Simple self-modifications: some viruses modified themselves only in simple ways. For example, they regularly exchanged subroutines in their code for others that would perform the same action - for example, 2+2 could be swapped for 1+3. This poses no problems to a somewhat advanced virus scanner. Eng. Ammar Mahmood 13
The Virus ¨ Encryption n n 11/1/2020 with a variable key: A more advanced method is the use of simple encryption to encipher the virus consists of a small decrypting module and an encrypted copy of the virus code the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module. a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Eng. Ammar Mahmood 14
The Virus ¨ Polymorphic n n 11/1/2020 code: Polymorphic code was the first technique that posed a serious threat to virus scanners. Same as encrypted viruses except that decryption module is also modified on each infection. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body Anti-virus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. Eng. Ammar Mahmood 15
The Virus n Metamorphic code: To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. ¨ it does this by translating its own code into a temporary representation, and then back to normal code again ¨ Metamorphic code is more effective than polymorphic code. This is because most anti-virus software will try to search for known virus-code even during the execution of the code ¨ A metamorphic virus is usually very large and complex. For example, W 32/Simile consisted of over 14000 lines of Assembly language code, 90% of it part of the metamorphic engine. ¨ 11/1/2020 Eng. Ammar Mahmood 16
The Virus n Replication strategies ¨ In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs ¨ Viruses can be divided into two types, on the basis of their behavior when they are executed 11/1/2020 Eng. Ammar Mahmood 17
The Virus ¨ Nonresident viruses: n immediately search for other hosts that can be infected, infect these targets, and finally transfer control to the application program they infected n Nonresident viruses can be thought of as consisting of a finder module and a replication module n The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file. 11/1/2020 Eng. Ammar Mahmood 18
The Virus n Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. ¨ The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself. ¨ Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation ¨ 11/1/2020 Eng. Ammar Mahmood 19
The Virus ¨ Resident viruses are sometimes subdivided into a category: n Fast infectors: are designed to infect as many files as possible. It can infect every potential host file that is accessed. ¨ ¨ 11/1/2020 This poses a special problem to anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Eng. Ammar Mahmood 20
The Virus ¨ 2 nd category Slow infectors: n are designed to infect hosts infrequently. For instance, some slow infectors only infect files when they are copied. n Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably, and will at most infrequently trigger anti-virus software that detects suspicious behavior by programs. n The slow infector approach does not seem very successful however. 11/1/2020 Eng. Ammar Mahmood 21
The Virus n Host types: ¨ ¨ ¨ 11/1/2020 Binary executable files (such as COM files and EXE files in MSDOS, Portable Executable files in Microsoft Windows, and ELF files in Linux) Volume Boot Records of floppy disks and hard disk partitions The master boot record (MBR) of a hard disk General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unixlike platforms). Application-specific script files (such as Telix-scripts) Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, Ami. Pro documents, and Microsoft Access database files) Eng. Ammar Mahmood 22
The Worm n n n A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer. 11/1/2020 Eng. Ammar Mahmood 23
The Worm n Types of computer worms: ¨ Email Worms Spread via email messages. Typically the worm will arrive as email, where the message body or attachment contains the worm code, but it may also link to code on an external website. ¨ Instant messaging worms The spreading used is via instant messaging applications by sending links to infected websites to everyone on the local contact list ¨ IRC worms Chat channels are the main target and the same infection/spreading method is used as above 11/1/2020 Eng. Ammar Mahmood 24
The Worm n Types of computer worms: ¨ File-sharing networks worms Copies itself into a shared folder, most likely located on the local machine. The worm will place a copy of itself in a shared folder under a harmless name. Now the worm is ready for download via the P 2 P network and spreading of the infected file will continue. ¨ Internet worms n n 11/1/2020 Those which target low level TCP/IP ports directly, rather than going via higher level protocols such as email or IRC. A classic example is "Blaster" which exploited a vulnerability in Microsoft's Remote procedure call (RPC). An infected machine aggressively scans random computers on both its local network and the public Internet attempting an exploit against port 135 which, if successful, spreads the worm to that machine. Eng. Ammar Mahmood 25
The Worm n Payloads: ¨ Many worms have been created which are only designed to spread, and don't attempt to alter the systems they pass through. ¨ A "payload" is code designed to do more than spread the worm - it might delete files on a host system (e. g. the Explore. Zip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail. ¨ A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a "zombie" under control of the worm author 11/1/2020 Eng. Ammar Mahmood 26
Antivirus SW 11/1/2020 Eng. Ammar Mahmood 27
Antivirus n Antivirus software typically uses two different techniques to accomplish his mission: ¨ Examining (scanning) files to look for known viruses matching definitions in a virus dictionary ¨ Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods. 11/1/2020 Eng. Ammar Mahmood 28
Antivirus modes n Anti-virus programs have two basic modes: ¨ “static” file scanning: useful for when you have to scan a file or a volume to check to see if any of the files are currently infected with malware ¨ real-time “dynamic” scanning: is really what is needed to prevent the computer from getting infected in the first place. In this mode, all files that the operating system opens or uses are scanned first before they are fully opened. 11/1/2020 Eng. Ammar Mahmood 29
Approaches n Dictionary ¨ ¨ 1. 2. 3. 11/1/2020 A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses In the virus dictionary approach, when the antivirus software examines a file, it refers to a dictionary of known viruses that the authors of the antivirus software have identified. If a piece of code in the file matches any virus identified in the dictionary, then the antivirus software can take one of the following actions: attempt to repair the file by removing the virus itself from the file quarantine the file (such that the file remains inaccessible to other programs and its virus can no longer spread) delete the infected file Eng. Ammar Mahmood 30
Approaches n Dictionary ¨ the virus dictionary approach requires periodic (generally online) downloads of updated virus dictionary entries. ¨ users identify new viruses "in the wild", they can send their infected files to the authors of antivirus software, who then include information about the new viruses in their dictionaries. ¨ Dictionary-based antivirus software typically examines files when the computer's operating system creates, opens, closes or e-mails them. In this way it can detect a known virus immediately upon receipt 11/1/2020 Eng. Ammar Mahmood 31
Approaches n Dictionary ¨ System Administrator can typically schedule the antivirus software to examine (scan) all files on the user's hard disk on a regular basis. ¨ Although the dictionary approach can effectively contain virus outbreaks in the right circumstances. 11/1/2020 Eng. Ammar Mahmood 32
Approaches n Dictionary ¨ Virus’s Technology to avoid the Dictionary Approach is: Metamorphic code n Polymorphic code n Oligomorphic engine is generally used by a computer virus to generate a decryptor for itself in a way comparable to a simple polymorphic engine n 11/1/2020 Eng. Ammar Mahmood 33
Approaches n Dictionary ¨ Previous technology n Polymorphism: ¨ ¨ n 11/1/2020 weakness are: A small portion of it is left unencrypted and used to jumpstart the encrypted software. Anti-virus software targets this small unencrypted portion of code. Anti-virus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. most oligomorphic viruses aren't able to generate more than just a few hundred different decryptors, so detecting them with simple signatures is still possible Eng. Ammar Mahmood 34
Approaches n Suspicious behavior: ¨ The suspicious behavior approach doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. ¨ If one program tries to write data to an executable program, for example, the antivirus software can flag this suspicious behavior, alert a user and ask what to do. 11/1/2020 Eng. Ammar Mahmood 35
Approaches n Suspicious behavior ¨ the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. ¨ However, it can also sound a large number of false positives, and users probably become desensitized to all the warnings. ¨ If the user clicks "Accept" on every such warning, then the antivirus software obviously gives no benefit to that user 11/1/2020 Eng. Ammar Mahmood 36
Approaches n Suspicious behavior weakness ¨ The fact the many legal SW behave like malicious SW make the job of antivirus harder ¨ Ex: There are commercial software that have many features as dynamic code encryption/decryption, code replace, metamorphic engine, API export, anti debug/dump/trace and more. They are used to protect software programs from illegal use(cracking and reverse engineering) 11/1/2020 Eng. Ammar Mahmood 37
Approaches n Heuristic analysis: ¨ try to emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable. ¨ If the program seems to use self-modifying code or otherwise appears as a virus (if it immediately tries to find other executables, for example), one could assume that a virus has infected the executable. ¨ Heuristic scanners have a higher rate of false positives than do signature scanners but they have the significant advantage of being able to detect unknown viruses. 11/1/2020 Eng. Ammar Mahmood 38
Approaches n Sandbox: ¨ sandbox is a security mechanism for safely running programs. It is often used to execute untested code, or programs from unverified third-parties, suppliers and untrusted users. ¨ emulates the operating system and runs the executable in this simulation. After the program has terminated, software analyzes the sandbox for any changes which might indicate a virus. ¨ Because of performance issues, this type of detection normally only takes place during on-demand scans 11/1/2020 Eng. Ammar Mahmood 39
Approaches n Sandbox: ¨ Also this method may fail as virus can be nondeterministic and result in different actions or no actions at all done then run - so it will be impossible to detect it from one run. ¨ The sandbox typically provides a tightlycontrolled set of resources for guest programs to run in 11/1/2020 Eng. Ammar Mahmood 40
Weaknesses of antivirus SW Many security professionals agree that the current approach to defend against malicious software with antivirus is not good enough, but it is best solution that we have right now. n Here is the brief summary of the main shortcomings in the antivirus software: n 11/1/2020 Eng. Ammar Mahmood 41
Weaknesses of antivirus SW 1. Reactive approach: Your antivirus as good as your definition files. If you did not update them, the antivirus program will not be able to detect a new malware. The most critical problems for the antivirus software to detect malicious code are: new or modified malicious code ¨ rootkit programs ¨ Software Misuse ¨ 2. Inability to protect themselves: With sufficient system permissions, malware can change antivirus settings and configuration. 11/1/2020 Eng. Ammar Mahmood 42
Weaknesses of antivirus SW 3. Inability to revert the results of malware infection process. Too often, “installation process” of malware includes copying files, changing registry and system configuration files, changing other software configuration. Some of these changes still present in the infected system, even after an antivirus program delete or disinfect malware files. ¨ Almost for every severe virus/worm, antivirus vendors issues “Removal Tool”. ¨ this is means that the antivirus vendors saying to their customers: “our antivirus isn’t good enough to clean your system – please use this tool” ¨ 11/1/2020 Eng. Ammar Mahmood 43
Retro Viruses n n retro viruses are the viruses that attack security programs “Attack is the best defense strategy” The malware instead of hiding from detection by security SW it target these SW as its (part of) malicious action We will discuss in the next slides some of the technique used by the Retro viruses 11/1/2020 Eng. Ammar Mahmood 44
The Black Antivirus n n a(white) antivirus used for the good purposes while Black Antivirus is the same antivirus, but used for the “bad” purposes. An unexpected problem: “virus definition database” has the definitions for security tools used today in the computer security world to defend and protect computer systems. ¨ Malware could includes antivirus engine and signature definition files for security tools. ¨ n To protect our tools we need to evade the Antivirus detection! Therefore, our security tools need to be a polymorphic or even metamorphic. 11/1/2020 Eng. Ammar Mahmood 45
The Black Intrusion Detection System: ¨ Malware can use IDS system to “shut down” security systems at the network level. ¨ Such malware will primary target internal corporate LAN and could carry itself an IDS engine or change the existing one with new rules (if possible). ¨ malware carry engine itselfand use MAC and ARP poisoning to sniff in a switched network. ¨ Any communication that passes the wire were the malware was able to “see” it, is a subject for this attack. ¨ The solution for this problem may be the use of covert channels 11/1/2020 Eng. Ammar Mahmood 46
Practical Examples 11/1/2020 Eng. Ammar Mahmood 47
Virus Example n Win 32/Simile: is a metamorphic computer virus written in assembly language for Microsoft Windows (most recent version in early March 2002) ¨ It was written by the virus writer Mental Driller ¨ When the virus is first executed, it checks the current date. If the host file (the file that is infected with the virus) imports the file User 32. dll, then on the 17 th of March, June, September, or December, a message is displayed. ¨ Depending on the version of the virus the case of each letter in the text is altered randomly. On May 14, a message saying "Free Palestine!" will be displayed if the system locale is set to Hebrew. ¨ 11/1/2020 Eng. Ammar Mahmood 48
Virus Example n n n The virus then rebuilds itself. This metamorphic process is very complex and accounts for around 90% of the virus' code After the rebuild, the virus searches for executable files in folders on all fixed and remote drives. The virus contains checks to avoid infecting "goat" or "bait" files The infection process uses the structure of the host, as well as random factors, to control the placement of the virus body and the decryptor. The virus contains no destructive payload 11/1/2020 Eng. Ammar Mahmood 49
SQL slammer worm n n The SQL slammer worm is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic It spread rapidly, infecting most of its 75, 000 victims within ten minutes. it exploited two buffer overflow bugs in Microsoft's flagship SQL Server and Desktop Engine database products The worm is a small (376 bytes) piece of code that does little other than generate random IP addresses and send itself out to those addresses. 11/1/2020 Eng. Ammar Mahmood 50
SQL slammer worm n n If a selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server Resolution MSDE Service, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program. The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove. 11/1/2020 Eng. Ammar Mahmood 51
Antivirus Example one of the most popular full-featured freeware anti-virus applications for Microsoft Windows users. n Official website: http: //www. avast. com/ n 11/1/2020 Eng. Ammar Mahmood 52
Antivirus Example n Features : Standard Shield — Real-time protection IM shield — Instant Messenger protection P 2 P shield — P 2 P protection Internet Mail — E-mail protection Outlook/Exchange — Microsoft Outlook/Exchange protection Web Shield — HTTP protection (local transparent proxy) Script blocker — script checker Network Shield — basic protection against well-known network worms. Acts as a lightweight Intrusion Detection System ¨ Audible alarms — vocal warnings such as "Caution, a virus has been detected!" ¨ boot-time scan — through the program interface, a user can schedule a boot-time scan to remove viruses that load during Windows startup and therefore difficult to remove. ¨ ¨ ¨ ¨ 11/1/2020 Eng. Ammar Mahmood 53
Resources n n n n http: //www. securityelf. org/files/Andrey_Bayora_software _misuse. pdf http: //en. wikipedia. org/wiki/Antivirus http: //www. research. ibm. com/antivirus/Sci. Papers/Gordo n/Strategy. html http: //www. sans. org/reading_room/whitepapers/maliciou s/68. php http: //en. wikipedia. org/wiki/Software_virus http: //www. symantec. com/security_response/writeup. jsp ? docid=2002 -030617 -5423 -99 http: //en. wikipedia. org/wiki/Computer_virus 11/1/2020 Eng. Ammar Mahmood 54
11/1/2020 Eng. Ammar Mahmood 55
- Slides: 55