Benny Czarny presented an introduction to malware and anti-malware to computer science students at San Francisco State University. The presentation introduced the concept of malware, types of malware, and methods for detecting malware. Benny provided examples of historical malware and illustrations of the difficulties that security vendors face in detecting threats.

1. Malware and Anti-malware
Benny Czarny
CEO and Founder
benny@opswat.com
23 October 2013

2. Agenda
Malware
 What is malware ?
 Why do malware writers write malware ?
 Malware infection methods
 Challenges detecting malware
 Malware detection techniques
 Real life examples of malware detection systems
 Current trends in the industry

3. What is malware
 What is the origin of the name “malware?”
 malicious software
 What is the definition of malware ?
 Software that is intended to damage or disable computers and
computer systems
 Any kind of unwanted software that is installed without your
adequate consent. Viruses, worms, and Trojan horses are
examples of malicious software that are often grouped together
and referred to as malware.

4. What is malware
Many types of malware
 Worm
 Trojan horse/Trojan
 Virus
 Rogues / Scareware
 Ransomware
 Others

5. What is malware
Worms
 Activity
 Make copies of themselves again and again on:

local drive

network shares

USB drives
 Purpose:
 reproduce
(*)Does not need to attach itself to an existing program

6. What is malware
I love you worm
Opening the attachment activated the Visual Basic
script. The worm did damage on the local machine,
overwriting image files, and sent a copy of itself to the
first 50 addresses in the Windows Address.

7. What is malware
Morris worm

8. What is malware
Trojan horse

9. What is malware
Trojan
 Activity
 Appears to perform a desirable function but instead drops a
malicious payload, often including a backdoor allowing
unauthorized access
 Purpose:
 Gains privileged access to the operating system
(*)Does not need to attach itself to an existing program.

10. What is malware
Trojan
Install a game
NetBus ->backdoor
Install a browser plugin
Flashback
Redirect to bogus web sites

11. What is malware
Virus
Activity
 When executed – usually by a human, replicates by inserting
copies of itself (possibly modified) into other computer programs,
data files, or the boot sector of the hard drive; when this
replication succeeds, the affected areas are then said to be
"infected.“
Purpose:
 Replicate
 Harm computers

12. What is malware
Rogue antivirus / scareware
Appears to be beneficial from a security perspective but provides
limited or no security, generates erroneous or misleading alerts,
or attempts to lure users into participating in fraudulent
transactions.

13. What is malware
Ransomware
 Restricts access to the computer system that it infects
 Encrypt files lock system
 Displays messages intended to coax the user into paying
 Demands a ransom in order for the restriction to be removed

14. What is malware
Ransomware

15. What is malware
Quantity of malware

16. What is malware
Growth in quantity of known malware

17. Why do malware writers write malware ?
What are the reasons behind malware writers
 Economical
 Personal
 Political / cyber weapons
 Others

18. Why do malware writers write malware ?
Economical
 Stealing sensitive information which is then sold on the
black market.
 Ransomware
 Industrial espionage
 Sell bots




Take down networks
Host phishing attacks
Send spam
Others

19. Why do malware writers write malware ?
Economical

20. Why do malware writers write malware ?
Personal
 Revenge
 Vandalism
 Experimental / research
 Hobby / art

21. Why do malware writers write malware ?
Political / cyber weapons
 Sabotage
 Infrastructure
 Service availability
 Spy tools
 Domestic
 Foreign
 Political messages

22. Malware propagation methods
Samples
 Exploiting unpatched security holes or vulnerabilities in
older versions of popular software such as Adobe, Java,
Windows
 Torrent, peer-to-peer (P2P) and file sharing program
 Emails
 USB Flash drive
 Rogue security programs
 Others

23. Malware propagation methods
Sample USB virus
autorun.inf
[autorun]
open=file.bat
shelloption1=Open
shelloption1command=file.bat
file.bat
@echo off
copy autorun.inf C: > NUL
copy file.bat C: > NUL
copy autorun.inf D: > NUL
copy file.bat D: > NUL
explorer .

24. Malware propagation methods
 Appending Virus
 Prepending Virus
 Cavity Virus
 Compressing Virus
 Packers

25. Malware propagation methods
Appending
New Header
Host
File
Data
Virus Code
A virus that inserts a copy of
its malicious code at the end
of the file. The goal of an
appending virus is not to
harm the host program, but
to modify it to hold the virus
code and then be able to
run itself.

26. Malware propagation methods
Prepending
New Header
Virus Code
Host
File
Data
A virus that inserts a copy of
its malicious code at the
beginning of the file.

27. Malware propagation methods
Cavity
New Header
Virus
Cod
e
Host
File
Data
Copies itself to one of the
cavities present in the
executable. It modifies the
header so that the control
jumps to its location and
once the execution of
virus code is over, the
control is passed back.

28. Malware propagation methods
Compressing
New Header
Virus Code
+
Decompressor
Compressed
Host File
Data
Compresses the host
program and attaches
itself. It copies itself to the
start of the data segment
and includes a
decompressing algorithm
that is used to
decompress the host
program and execute it.

29. Malware propagation methods
Packer functionality






Compress
Encrypt
Randomize (polymorphism)
Anti-debug technique (fake jmp)
Add-junk
Anti-VM
Payload
Packer
Malware
Infected Host
Executable

30. Challenges in detecting malware
Packer functionality
 Fred Cohen
 It is not possible to build a perfect malware detector ( 1984)
 http://web.eecs.umich.edu/~aprakash/eecs588/handouts/cohe
n-viruses.html
 Diagonal argument
P is a perfect detection program
V is a virus
V can call P
if P(V) = true -> halt
if P(V) = false -> spread

31. Challenges detecting malware
Static vs. Dynamic
 Known malware
 In the wild
 Malware exchange programs e.g metascan-online
 AMTSO real time threat list
 Unknown malware
 Targeted attacks
 Outbreaks

32. Malware detection techniques
Static vs. Dynamic
 Static
 Inspect the code before it is executed
 Dynamic
 Inspect the exaction of the code

33. Malware detection techniques
Static code analysis
 PE Headers
 Digital signatures
 Txt searches
 Hash checks
 Dependency check
 Check for packers
 Heuristic checks

34. Malware detection techniques
Challenges of static code analysis
 Many signatures
 Quality assurance of 100M signatures
 Big data
 Performance – scan in a timely manner
 Many signature updates
 Challenges to update - build a scalable update mechanism
 Easy to obfuscate the code

35. Malware detection techniques
Challenges of static code analysis

36. Malware detection techniques
Dynamic code analysis
 Execute on




Target host
Virtual machine
Physical machine
Custom hardware
 Monitor the behavior of the host
 From the host
 Outside the host

37. Malware detection techniques
Dynamic code analysis
Monitor






Processes
Files
Registry key changes
System scheduling
Services / Daemon
Network traffic
 Type
 Destination

38. Malware detection techniques
Challenges of dynamic code analysis





Anti virtualization techniques
Sleep / loops to wait for detection
Randomization
Polymorphism
Consume Resources

39. Real life examples of malware detection systems
Malware detection for new outbreaks Source: Metascan Online

40. Real life examples of malware detection systems
Malware detection for new outbreaks Source: Metascan Online

41. Real life examples of malware detection systems
Static vs. Dynamic
 Tested 30 known malware files (disguised as documents
or embedded within documents)
 Fewest number of engines was 10 (out of 43)
 Highest number of engines was 30 (out of 43)

42. Real life examples of malware detection systems
Static vs. Dynamic
 Tested 30 known malware files (disguised as documents
or embedded within documents)
 Lowest number of threats detected was 3
 Highest number of threats detected was 23

43. Real life examples of malware detection systems
Measuring detection coverage
100%
Sandboxing
X1%
Protection level :
Multi-scanning
X2%
Protection
level:

44. Current trends in the industry
 Secure transaction to cloud applications
 Mobile Security and BYOD
 Cloud malware scanning
 Big Data
 Performance
 Sandbox
 Cloud
 Sandbox
 Protect digital wallets