Malware and Anti-malware seminar by Benny Czarny
Post on 28-Jan-2015
Malware and Anti-malware
Benny Czarny, CEO and Founder, benny@opswat.com
23 October 2013
Agenda: Malware
What is malware?
Why do malware writers write malware?
Malware infection methods
Challenges detecting malware
Malware detection techniques
Real life examples of malware detection systems
Current trends in the industry
What is malware
What is the origin of the name "malware"? Malicious software.
What is the definition of malware? Software that is intended to damage or disable computers and computer systems.
Any kind of unwanted software that is installed without your adequate consent. Viruses, worms, and Trojan horses are examples of malicious software that are often grouped together and referred to as malware.
What is malware: Many types of malware
Worm
Trojan horse/Trojan
Virus
Rogues / Scareware
Ransomware
Others
What is malware: Worms
Activity: Make copies of themselves again and again on:
local drive
network shares
USB drives
Purpose: reproduce
(*) Does not need to attach itself to an existing program
What is malware: ILOVEYOU worm
Opening the attachment activated the Visual Basic script. The worm did damage on the local machine, overwriting image files, and sent a copy of itself to the first 50 addresses in the Windows Address Book.
What is malware: Morris worm
What is malware: Trojan horse
What is malware: Trojan
Activity
Appears to perform a desirable function but instead drops a malicious payload, often including a backdoor allowing unauthorized access
Purpose:
Gains privileged access to the operating system
(*) Does not need to attach itself to an existing program.
What is malware: Trojan
Install a game: NetBus -> backdoor
Redirect to bogus web sites
Install a browser plugin
Flashback
What is malware: Virus
Activity
When executed (usually by a human), replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected."
Purpose:
Replicate
Harm computers
What is malware: Rogue antivirus / scareware
Appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions.
What is malware: Ransomware
Restricts access to the computer system that it infects
Encrypts files or locks the system; displays messages intended to coax the user into paying
Demands a ransom in order for the restriction to be removed
What is malware: Ransomware
What is malware: Quantity of malware
What is malware: Growth in quantity of known malware
Why do malware writers write malware? What are the reasons behind malware writers?
Economical
Personal
Political / cyber weapons
Others
Why do malware writers write malware? Economical
Stealing sensitive information which is then sold on the black market.
Ransomware
Industrial espionage
Sell bots
Take down networks
Host phishing attacks
Send spam
Others
Why do malware writers write malware? Economical
Why do malware writers write malware? Personal
Revenge
Vandalism
Experimental / research
Hobby / art
Why do malware writers write malware? Political / cyber weapons
Sabotage: infrastructure, service availability
Spy tools: domestic, foreign
Political messages
Malware propagation methods: Samples
Exploiting unpatched security holes or vulnerabilities in older versions of popular software such as Adobe, Java, Windows
Torrent, peer-to-peer (P2P) and file sharing programs
Emails
USB Flash drive
Rogue security programs
Others
Malware propagation methods: Sample USB virus
autorun.inf
[autorun]
open=file.bat
shell\option1=Open
shell\option1\command=file.bat

file.bat
@echo off
copy autorun.inf C:\ > NUL
copy file.bat C:\ > NUL
copy autorun.inf D:\ > NUL
copy file.bat D:\ > NUL
explorer .
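A defender-side check for the sample above, added here and not part of the slides: it parses an autorun.inf (the slide's sample, embedded as a constructed string) and flags every key that would make AutoRun launch a program from the drive. The key list and the extension list are assumptions chosen for this example.

```python
import configparser
from pathlib import PureWindowsPath

# The autorun.inf from the slide, embedded as a constructed sample string.
SAMPLE_AUTORUN = r"""[autorun]
open=file.bat
shell\option1=Open
shell\option1\command=file.bat
"""

# Keys that launch something directly when AutoRun is enabled (assumed list).
LAUNCH_KEYS = ("open", "shellexecute")
# File types that run as code rather than open as data (assumed list).
LAUNCH_EXTENSIONS = {".bat", ".cmd", ".exe", ".com", ".vbs", ".scr", ".pif"}


def launch_commands(autorun_text):
    """Return {key: command} for every autorun key that launches a program."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(autorun_text)
    if not cp.has_section("autorun"):
        return {}
    found = {}
    for key, value in cp.items("autorun"):
        # open= / shellexecute= run at insert time; shell\<verb>\command= runs
        # when the user picks that verb from the drive's context menu.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found[key] = value.strip()
    return found


def is_suspicious(autorun_text):
    """True when any launch entry points at an executable or script on the drive."""
    for cmd in launch_commands(autorun_text).values():
        target = cmd.split()[0].strip('"') if cmd else ""
        if PureWindowsPath(target).suffix.lower() in LAUNCH_EXTENSIONS:
            return True
    return False


if __name__ == "__main__":
    print(launch_commands(SAMPLE_AUTORUN))
    print("suspicious:", is_suspicious(SAMPLE_AUTORUN))
```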
Malware propagation methods
Appending Virus
Prepending Virus
Cavity Virus
Compressing Virus
Packers
Malware propagation methods: Appending
A virus that inserts a copy of its malicious code at the end of the file. The goal of an appending virus is not to harm the host program, but to modify it to hold the virus code and then be able to run itself.
Diagram: Host File (New Header, Data, Virus Code)
Malware propagation methods: Prepending
A virus that inserts a copy of its malicious code at the beginning of the file.
Diagram: Host File (New Header, Virus Code, Data)
Malware propagation methods: Cavity
Diagram: Host File (New Header, Data with Virus Code placed in a cavity)
Copies itself to one of the cavities present in the executable. It modifies the header so that the control jumps to its location and once the execution of virus code is over, the control is passed back.
Malware propagation methods: Compressing
Compresses the host program and attaches itself. It copies itself to the start of the data segment and includes a decompressing algorithm that is used to decompress the host program and execute it.
Diagram: New Header, Virus Code + Decompressor, Compressed Host File Data
Malware propagation methods: Packer functionality
Compress
Encrypt
Randomize (polymorphism)
Anti-debug technique (fake jmp)
Add junk
Anti-VM
Diagram: Malware-infected host executable = Packer + Payload
Challenges in detecting malware: Packer functionality
Fred Cohen (1984): It is not possible to build a perfect malware detector
http://web.eecs.umich.edu/~aprakash/eecs588/handouts/cohen-viruses.html
Diagonal argument:
P is a perfect detection program
V is a virus
V can call P
if P(V) = true -> halt
if P(V) = false -> spread
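A worked rendering of the diagonal argument above, added here as an illustration and not taken from the slides or from Cohen's paper: for any candidate detector P, the V built from P does the opposite of P's verdict, so P is wrong on V. The two toy detectors at the end are assumptions for the example.

```python
def make_v(p):
    """Build V: a program that asks detector P about itself and inverts the verdict."""
    def v():
        if p(v):           # P says "V is a virus" ...
            return "halt"  # ... so V does nothing: P gave a false positive.
        return "spread"    # P says "V is clean" ... so V spreads: P gave a false negative.
    return v


def judge(p):
    """Return the kind of mistake detector P makes on the V constructed from it."""
    v = make_v(p)
    verdict = p(v)       # what P claims about V
    behaviour = v()      # what V actually does
    if verdict and behaviour == "halt":
        return "false positive"
    if not verdict and behaviour == "spread":
        return "false negative"
    return "correct"     # unreachable: V is built to contradict P


# Two concrete detectors (assumed for the example): one flags everything, one
# flags nothing. Any cleverer P still returns True or False for v, so it lands
# in one of the same two branches.
def paranoid(program):
    return True


def trusting(program):
    return False


if __name__ == "__main__":
    print("paranoid:", judge(paranoid))
    print("trusting:", judge(trusting))
```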
Challenges detecting malware: Static vs. Dynamic
Known malware: in the wild; malware exchange programs, e.g. Metascan Online, AMTSO real-time threat list
Unknown malware: targeted attacks, outbreaks
Malware detection techniques: Static vs. Dynamic
Static: Inspect the code before it is executed
Dynamic: Inspect the execution of the code
Malware detection techniques: Static code analysis
PE Headers
Digital signatures
Text searches
Hash checks
Dependency check
Check for packers
Heuristic checks
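An added example, not code from the slides or from any OPSWAT product, that runs four of the static checks listed above (PE header magic, hash check, text search, packer check via byte entropy) over two constructed byte blobs. The deny-list hash, the suspicious-string list and the entropy threshold are assumptions chosen for the example.

```python
import hashlib
import math
from collections import Counter

# Constructed samples, not real malware: a compressible "plain" executable-like
# blob and a high-entropy blob standing in for a packed or encrypted payload.
PLAIN_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 40
PACKED_SAMPLE = b"MZ" + bytes((i * 73 + 31) % 256 for i in range(2048))

# Constructed deny list: the hash of a sample we choose to treat as known-bad.
KNOWN_BAD_SHA256 = {hashlib.sha256(PACKED_SAMPLE).hexdigest()}
# Strings a text search would flag (assumed list for the example).
SUSPICIOUS_STRINGS = (b"autorun.inf", b"cmd.exe /c", b"IsDebuggerPresent")


def shannon_entropy(data):
    """Bits per byte: text sits around 4-5, packed or encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def static_checks(data, entropy_threshold=7.0):
    """Run the cheap checks from the slide and return a list of findings."""
    findings = []
    if data[:2] != b"MZ":                                      # PE header check
        findings.append("not a PE executable header")
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:   # hash check
        findings.append("hash matches known-bad list")
    for s in SUSPICIOUS_STRINGS:                               # text search
        if s in data:
            findings.append("suspicious string: " + s.decode())
    if shannon_entropy(data) > entropy_threshold:              # packer check
        findings.append("high entropy: likely packed or encrypted")
    return findings


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, round(shannon_entropy(blob), 2), static_checks(blob))
```

The entropy heuristic is what makes "check for packers" cheap; it is also why a packed benign installer produces the same finding, so it is a triage signal and not a verdict on its own.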
Malware detection techniques: Challenges of static code analysis
Many signatures: quality assurance of 100M signatures; big data; performance (scan in a timely manner)
Many signature updates: challenges to update; build a scalable update mechanism
Easy to obfuscate the code
Malware detection techniques: Challenges of static code analysis
Malware detection techniques: Dynamic code analysis
Execute on: target host, virtual machine, physical machine, custom hardware
Monitor the behavior of the host: from the host, outside the host
Malware detection techniques: Dynamic code analysis
Monitor
Processes
Files
Registry key changes
System scheduling
Services / Daemons
Network traffic: type, destination
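An added example of the monitoring step above, not taken from the slides or from any sandbox product: a small scorer that reads a constructed stream of sandbox events (process, file, registry, scheduling, service, network) and maps them to the behaviours a dynamic-analysis verdict is built on. The event format and the rule set are assumptions made for this example.

```python
import json

# Constructed sandbox event stream (not from a real sandbox), one JSON event per
# line, in the categories the slide lists. 203.0.113.7 is a documentation address.
SAMPLE_EVENTS = r"""
{"type": "process", "action": "create", "image": "C:\\Users\\u\\invoice.pdf.exe"}
{"type": "file", "action": "write", "path": "C:\\Users\\u\\AppData\\Roaming\\svchost.exe"}
{"type": "registry", "action": "set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"}
{"type": "schedule", "action": "create", "task": "Updater"}
{"type": "network", "action": "connect", "proto": "tcp", "dest": "203.0.113.7:4444"}
{"type": "file", "action": "write", "path": "C:\\Users\\u\\Documents\\report.docx.locked"}
{"type": "file", "action": "write", "path": "C:\\Users\\u\\Documents\\budget.xlsx.locked"}
"""


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events):
    """Turn raw monitored events into the behaviours a verdict is built on."""
    findings, locked = set(), 0
    for ev in events:
        kind, action = ev["type"], ev["action"]
        if kind == "process" and action == "create":
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name.endswith(".exe") and name.count(".") >= 2:   # invoice.pdf.exe
                findings.add("process: double-extension executable")
        elif kind == "file" and action == "write":
            path = ev["path"].lower()
            if "\\appdata\\" in path and path.endswith(".exe"):
                findings.add("file: executable dropped in user profile")
            if path.endswith(".locked"):
                locked += 1
        elif kind == "registry" and action == "set":
            if "\\currentversion\\run\\" in ev["key"].lower():
                findings.add("registry: Run-key persistence")
        elif kind in ("schedule", "service") and action == "create":
            findings.add(f"{kind}: persistence via new {kind} entry")
        elif kind == "network" and action == "connect":
            if int(ev["dest"].rsplit(":", 1)[-1]) not in (80, 443):
                findings.add("network: outbound connection on non-web port")
    if locked >= 2:   # many renamed documents in one run: ransomware-like
        findings.add("file: mass rename to .locked (ransomware-like)")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(analyze(parse_events(SAMPLE_EVENTS))))
```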
Malware detection techniques: Challenges of dynamic code analysis
Anti-virtualization techniques
Sleep / loops to wait out detection
Randomization
Polymorphism
Consume resources
Real life examples of malware detection systems
Malware detection for new outbreaks Source: Metascan Online
Real life examples of malware detection systems
Malware detection for new outbreaks Source: Metascan Online
Real life examples of malware detection systems
Static vs. Dynamic
Tested 30 known malware files (disguised as documents or embedded within documents)
Fewest number of engines was 10 (out of 43)
Highest number of engines was 30 (out of 43)
Real life examples of malware detection systems
Static vs. Dynamic
Tested 30 known malware files (disguised as documents or embedded within documents)
Lowest number of threats detected was 3
Highest number of threats detected was 23
Real life examples of malware detection systems
Chart: Measuring detection coverage (axis up to 100%)
Sandboxing: protection level X1%
Multi-scanning: protection level X2%
Current trends in the industry
Secure transactions to cloud applications
Mobile security and BYOD
Cloud malware scanning
Big data performance
Sandbox / cloud sandbox
Protect digital wallets