malware & anti-malware
Post on 15-Apr-2017
MALWARE & Anti-malware
By: Arpit Mittal
CONTENTS
  MALWARE
  PURPOSE OF MALWARE
  TYPES OF MALWARE
  VIRUSES, WORMS, TROJANS
  HOW MALWARE SPREADS
What is Malware?
  A program or code.
  Made up of two words: Malicious + Software.
  'Malware' is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including viruses, worms, trojan horses, spyware, adware etc.
The purpose of Malware
  To subject the user to advertising
  To launch DDoS on another service
  To spread spam
  To commit fraud, such as identity theft
  For kicks (vandalism), and to spread FUD (fear, uncertainty, doubt)
  . . . and perhaps other reasons
Types of Malware
  There are many kinds of malware, but we will be discussing:
  Worms
  Viruses
  Trojan horses
What exactly is a Virus?
  A virus propagates by infecting other programs.
  It attaches itself to other programs or files.
  To propagate, a human has to run an infected program.
  The term is mistakenly applied to trojans and worms.
  Self-propagating viruses are often called worms.
Many propagation methods
  Insert a copy into every executable (.COM, .EXE)
  Insert a copy into boot sectors of disks
  Infect common OS routines, stay in memory
First Virus: Creeper
  Written in 1971
  Infected DEC PDP-10 machines running the TENEX OS
  Jumped from machine to machine over ARPANET: copied its state over, then tried to delete the old copy
  Payload: displayed the message "I'm the creeper, catch me if you can!"
  Later, Reaper was written to hunt down Creeper
Types of Viruses
  Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.
  Memory-resident Virus - lodges in main memory as part of the resident operating system.
  Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).
  Stealth Virus - explicitly designed to hide from virus scanning programs.
  Polymorphic Virus - mutates with every new host to prevent signature detection.
Virus Phases
  Dormant - waits for a trigger to start replicating.
  Propagation - copies itself into other programs of the same type on a computer. Spreads when the user shares a file with another computer. Usually searches a file for its own signature before infecting it, so the same file is not infected twice.
  Triggering - starts delivering the payload. Sometimes triggered on a certain date, or a certain time after infection.
  Execution - the payload function is done. Perhaps it put a funny message on the screen, or wiped the hard disk clean. It may then start the first phase over again.
Okay, So Then What's a Worm?
  Similar to a virus, but propagates itself without human interaction.
Six Components of Worms
  Reconnaissance
  Specific Attacks
  Command Interface
  Communication Mechanisms
  Intelligence Capabilities
  Unused and Non-attack Capabilities
Reconnaissance: target identification
  Active methods: scanning
  Passive methods: OS fingerprinting, traffic analysis

Specific Attacks: exploits
  Buffer overflows, cgi-bin, etc.
  Trojan horse injections
  Limited in targets
  Two components: local, remote

Command Interface: interface to the compromised system
  Administrative shell
  Network client
  Accepts instructions from a person or from another worm node

Communication Mechanisms: information transfer
  Protocols
  Stealth concerns

Intelligence Capabilities: knowledge of other nodes
  Concrete vs. abstract
  Complete vs. incomplete
Back-Chaining Propagation
  The Cheese worm is an example of this type of propagation, where the attacking computer initiates a file transfer to the victim computer. After initiation, the attacking computer can send files and any payload over to the victim without intervention. The victim then becomes the attacking computer in the next cycle, with a new victim. This method of propagation is more reliable than central source propagation, because a central source can be cut off.
Central Source Propagation
  This type of propagation involves a central location. After a computer is infected, it contacts that central source to fetch the code to copy onto the compromised computer; once the current computer is fully infected, it finds the next computer and the cycle starts over again. An example of this kind of worm is the 1i0n worm.
Autonomous Propagation
  Autonomous worms attack the victim computer and insert the attack instructions directly into the processing space of the victim computer, so the next attack cycle starts without any additional file transfer. Code Red is an example of this type of worm. The original Morris worm of 1988 was of this nature as well.
Yeah, but what's a Trojan?
  A small program that is designed to appear desirable but is in fact malicious.
  Must be run by the user.
  Does not replicate itself.
  Used to take over a computer, or to steal/delete data.
  A well-made Trojan will not:
    alert the user
    alter the way their computer works
Trojan horses can install backdoors, perform malicious scanning, monitor system logins and carry out other malicious activities.
  The majority of modern trojan horses are backdoor utilities, for example:
    Sub Seven
    Netbus
    Back Orifice
  The feature set usually includes remote control, desktop viewing, HTTP/FTP server, file sharing, password collecting and port redirection.
  Some of these trojan horses can be used as legitimate remote administration tools.
  Other trojans are mostly programs that steal/delete data or can drop viruses.
HOW MALWARE SPREADS
  Just by visiting a seemingly harmless website (DRIVE-BY DOWNLOAD).
  By mail: attachments, links.
  By physical media.
  Through software vulnerabilities or bugs.
ANTI-MALWARE
  Software developed to combat all types of malware.
  Are they different from anti-viruses?
  Viruses were extremely popular in the 90s, which is when the term "antivirus" became common, but today viruses are the minority when it comes to malware.
  So, nearly all anti-virus products provide protection from most malware.
So the difference
  ANTI-VIRUS
    usually deals with the older, more established threats, such as Trojans, viruses, and worms
    protects users from lingering, predictable-yet-still-dangerous malware
    best at crushing malware you might contract from a traditional source, like a USB or an email attachment
  ANTI-MALWARE
    typically focuses on newer stuff, such as polymorphic malware and malware delivered by zero-day exploits
    protects users from the latest, currently in the wild, and even more dangerous threats
    updates its rules faster than antivirus, meaning that it's the best protection against new malware you might encounter while surfing the net
Effective Anti-Malware Strategy
  Core product
  Research team
  Update infrastructure
Anti-Malware Engine
  Scanning - monitors and examines various locations on the computer, like the hard disk and registry. If a change has been made to a critical component, it could be a sign of infection.
  Detection - matching against the definition list, and classifying the find as the appropriate type, such as virus, spyware or Trojan.
  Removal
Common challenges
  Rootkits - programs that can hide files, registry entries, network traffic, or other information. A kernel-mode rootkit can tamper with the operating system at the lowest level.
  Blended threats - combine characteristics of viruses, worms and spyware.
  Performance - maintaining a high level of performance on the machine is critical.
  Classification - understanding the nature of a threat. The wide variety of natures and contexts makes threats difficult to manage.
Two Approaches of Scanning
  Specific Scanning (signature detection)
    The application scans files looking for known viruses matching definitions in a dictionary.
    After recognizing the malicious software, the antivirus software can take one of the following actions:
      attempt to repair the file by removing the virus itself from the file;
      quarantine the file;
      or delete the file completely.
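An added example, not code from these slides: a dictionary-style signature scanner that applies the three actions just listed (repair, quarantine, delete). The definition names, signature byte patterns and in-memory sample files are all constructed; repair is modelled for the appending parasite case, where cutting the file at the signature restores the original host bytes.

```python
# definition name -> (byte pattern, whether the infection can be cut out)
DEFINITIONS = {
    "Sample.Appender": (b"<<SAMPLE-APPENDER-SIG>>", True),
    "Sample.Dropper": (b"<<SAMPLE-DROPPER-SIG>>", False),
}

def match_definition(content):
    """Return the name of the first definition whose signature appears in content."""
    for name, (signature, _) in DEFINITIONS.items():
        if signature in content:
            return name
    return None

def repair(content, signature):
    """Appending parasites hang their body off the end of the host program;
    cutting from the signature onward restores the original host bytes."""
    return content[:content.index(signature)]

def handle_file(content, allow_delete=False):
    """Scan one file; return (action, resulting content) where action is
    'clean', 'repaired', 'quarantined' or 'deleted'."""
    name = match_definition(content)
    if name is None:
        return "clean", content
    signature, repairable = DEFINITIONS[name]
    if repairable:
        return "repaired", repair(content, signature)
    if allow_delete:
        return "deleted", None
    # held aside in a non-executable store pending analysis
    return "quarantined", content

def scan_all(files, allow_delete=False):
    """Scan an in-memory 'disk' (path -> bytes); return path -> action."""
    return {path: handle_file(data, allow_delete)[0] for path, data in files.items()}

SAMPLE_FILES = {  # constructed sample files
    "notes.txt": b"meeting at 10",
    "editor.exe": b"HOST-CODE" + b"<<SAMPLE-APPENDER-SIG>>" + b"VIRUS-BODY",
    "setup.exe": b"<<SAMPLE-DROPPER-SIG>>" + b"PAYLOAD",
}

if __name__ == "__main__":
    for path, data in SAMPLE_FILES.items():
        print(path, handle_file(data))
```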
  Generic Scanning
    Generic scanning is also referred to as the suspicious behavior approach.
    Used when new malware appears. In this method the software does not look for a specific signature but instead monitors the behavior of all applications.
    If anything questionable is found by the software, the application is quarantined and a warning is broadcast to the user about what the program may be trying to do.
    If the software is found to be a virus, the user can send it to a virus vendor; researchers examine it, determine its signature, name and catalogue it, and release antivirus updates to stop its spread.
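An added example, not code from these slides: behaviour-based (generic) scanning run over a constructed per-process event stream. The process names, events, rules and thresholds are made up for illustration; a real monitor would receive such events from kernel hooks and would tune thresholds against real false-positive rates.

```python
from collections import defaultdict

# Constructed event stream: (process, action, target).
EVENTS = [
    ("editor.exe", "file_write", "C:/docs/report.txt"),
    ("editor.exe", "net_connect", "update.vendor.example"),
    ("invoice.exe", "file_write", "C:/Windows/app1.exe"),
    ("invoice.exe", "file_write", "C:/Windows/app2.exe"),
    ("invoice.exe", "file_write", "C:/Windows/app3.exe"),
    ("invoice.exe", "reg_set", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/inv"),
    ("invoice.exe", "net_connect", "10.0.0.5"),
    ("invoice.exe", "net_connect", "10.0.0.6"),
    ("invoice.exe", "net_connect", "10.0.0.7"),
]

def describe(events):
    """Turn one process's events into plain-language statements of what the
    program may be trying to do; an empty list means nothing questionable.
    Thresholds are illustrative, not tuned values."""
    exe_targets = {t for _, a, t in events
                   if a == "file_write" and t.lower().endswith(".exe")}
    hosts = {t for _, a, t in events if a == "net_connect"}
    autorun = any(a == "reg_set" and "/currentversion/run/" in t.lower()
                  for _, a, t in events)
    findings = []
    if len(exe_targets) >= 3:
        findings.append(f"modifies {len(exe_targets)} executables (possible parasitic infection)")
    if autorun:
        findings.append("registers itself to start automatically")
    if len(hosts) >= 3:
        findings.append(f"contacts {len(hosts)} different hosts (possible worm-style spreading)")
    return findings

def monitor(events):
    """Group events per process; return process -> (verdict, warning text).
    A questionable process is quarantined and the user is warned."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev[0]].append(ev)
    report = {}
    for proc, evs in by_proc.items():
        findings = describe(evs)
        if findings:
            report[proc] = ("quarantined", f"WARNING: {proc} " + "; ".join(findings))
        else:
            report[proc] = ("allowed", "")
    return report

if __name__ == "__main__":
    for proc, (verdict, warning) in monitor(EVENTS).items():
        print(proc, verdict, warning)
```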
Two Other Approaches
  Heuristic analysis (another form of generic scanning)
  The sandbox method
Heuristic Analysis
  The software tries to emulate the beginning of the code of each new executable that the system invokes, before transferring control to that executable.
  If the program attempts to use self-modifying code or otherwise appears to be a virus, it's assumed the virus has infected the executable.
  There are many false positives in this approach.
Sandboxing
  In this approach an antivirus program takes suspicious code and runs it in a virtual machine to see the purpose of the code and exactly how it works.
  After the program terminates, the software analyzes the sandbox for any changes, which might indicate a virus.
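An added example serving both the heuristic-analysis and the sandboxing slides; it is not code from the slides. A made-up toy instruction set is emulated in two modes: the heuristic mode emulates only the first few instructions and flags any write into the program's own code region (self-modifying code), while the sandbox mode runs the program to completion against a private copy of a constructed "disk" and diffs the files afterwards. The programs CLEAN and SUSPECT and the file contents are constructed.

```python
# Made-up instruction set: ("set", cell, v), ("add", cell, v),
# ("write", filename, data), ("patch", index, instruction), ("halt",).
# The program's own instruction list is its code region; "patch" rewrites
# one entry of it, which is what self-modifying code looks like here.
CLEAN = [("set", 0, 1), ("add", 0, 2), ("write", "report.txt", "done"), ("halt",)]
# Rewrites its own third instruction at run time so that a harmless "set"
# becomes a write into an executable.
SUSPECT = [("set", 0, 1), ("patch", 2, ("write", "system.exe", "bad")),
           ("set", 1, 0), ("halt",)]
FILES = {"system.exe": "original", "report.txt": ""}  # constructed "disk"

def step(state, instr):
    """Execute one instruction; return False on halt."""
    op = instr[0]
    if op == "set":
        state["mem"][instr[1]] = instr[2]
    elif op == "add":
        state["mem"][instr[1]] = state["mem"].get(instr[1], 0) + instr[2]
    elif op == "write":
        state["files"][instr[1]] = instr[2]
    elif op == "patch":
        state["code"][instr[1]] = instr[2]
        state["self_modified"] = True
    elif op == "halt":
        return False
    return True

def run(program, files, max_steps=None):
    """Emulate against private copies of the code and files, so nothing the
    program does touches the real system."""
    state = {"code": list(program), "mem": {}, "files": dict(files),
             "self_modified": False}
    pc = steps = 0
    while pc < len(state["code"]) and (max_steps is None or steps < max_steps):
        if not step(state, state["code"][pc]):
            break
        pc += 1
        steps += 1
    return state

def heuristic_check(program, prefix=2):
    """Heuristic analysis: emulate only the first few instructions and flag
    any attempt to modify the code region."""
    return run(program, {}, max_steps=prefix)["self_modified"]

def sandbox_check(program, files):
    """Sandboxing: run to completion in isolation, then list changed files."""
    after = run(program, files)["files"]
    return sorted(k for k in set(files) | set(after) if files.get(k) != after.get(k))
```

Note that the heuristic fires on any self-patching program, including a legitimate one, which is the false-positive problem the slide mentions; the sandbox diff shows what the code actually changed, at the cost of running it to completion.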