Benny Czarny presented an introduction to malware and anti-malware to computer science students at San Francisco State University. The presentation introduced the concept of malware, types of malware, and methods for detecting malware. Benny provided examples of historical malware and illustrations of the difficulties that security vendors face in detecting threats.
2. Agenda
Malware
What is malware?
Why do malware writers write malware?
Malware infection methods
Challenges detecting malware
Malware detection techniques
Real life examples of malware detection systems
Current trends in the industry
3. What is malware
What is the origin of the name "malware"?
Malicious software
What is the definition of malware?
Software that is intended to damage or disable computers and
computer systems
Any kind of unwanted software that is installed without your
adequate consent. Viruses, worms, and Trojan horses are
examples of malicious software that are often grouped together
and referred to as malware.
4. What is malware
Many types of malware
Worm
Trojan horse/Trojan
Virus
Rogues / Scareware
Ransomware
Others
5. What is malware
Worms
Activity
Make copies of themselves again and again on:
local drive
network shares
USB drives
Purpose:
reproduce
(*) Does not need to attach itself to an existing program
6. What is malware
ILOVEYOU worm
Opening the attachment activated the Visual Basic
script. The worm did damage on the local machine,
overwriting image files, and sent a copy of itself to the
first 50 addresses in the Windows Address.
9. What is malware
Trojan
Activity
Appears to perform a desirable function but instead drops a
malicious payload, often including a backdoor allowing
unauthorized access
Purpose:
Gains privileged access to the operating system
(*) Does not need to attach itself to an existing program.
11. What is malware
Virus
Activity
When executed – usually by a human, replicates by inserting
copies of itself (possibly modified) into other computer programs,
data files, or the boot sector of the hard drive; when this
replication succeeds, the affected areas are then said to be
"infected."
Purpose:
Replicate
Harm computers
12. What is malware
Rogue antivirus / scareware
Appears to be beneficial from a security perspective but provides
limited or no security, generates erroneous or misleading alerts,
or attempts to lure users into participating in fraudulent
transactions.
13. What is malware
Ransomware
Restricts access to the computer system that it infects
Encrypts files / locks the system
Displays messages intended to coax the user into paying
Demands a ransom in order for the restriction to be removed
17. Why do malware writers write malware?
What are the reasons behind malware writers
Economic
Personal
Political / cyber weapons
Others
18. Why do malware writers write malware?
Economic
Stealing sensitive information which is then sold on the
black market.
Ransomware
Industrial espionage
Sell bots
Take down networks
Host phishing attacks
Send spam
Others
20. Why do malware writers write malware?
Personal
Revenge
Vandalism
Experimental / research
Hobby / art
21. Why do malware writers write malware?
Political / cyber weapons
Sabotage
Infrastructure
Service availability
Spy tools
Domestic
Foreign
Political messages
22. Malware propagation methods
Examples
Exploiting unpatched security holes or vulnerabilities in
older versions of popular software such as Adobe, Java,
Windows
Torrent, peer-to-peer (P2P) and file-sharing programs
Emails
USB Flash drive
Rogue security programs
Others
25. Malware propagation methods
Appending
[Diagram: New Header | Host File Data | Virus Code]
A virus that inserts a copy of its malicious code at the end of the file. The goal of an appending virus is not to harm the host program, but to modify it to hold the virus code and then be able to run itself.
27. Malware propagation methods
Cavity
[Diagram: New Header | Virus Code | Host File Data]
Copies itself to one of the cavities present in the executable. It modifies the header so that control jumps to its location, and once the execution of the virus code is over, control is passed back.
28. Malware propagation methods
Compressing
[Diagram: New Header | Virus Code + Decompressor | Compressed Host File Data]
Compresses the host program and attaches itself. It copies itself to the start of the data segment and includes a decompressing algorithm that is used to decompress the host program and execute it.
30. Challenges in detecting malware
Packer functionality
Fred Cohen
It is not possible to build a perfect malware detector (1984)
http://web.eecs.umich.edu/~aprakash/eecs588/handouts/cohen-viruses.html
Diagonal argument
P is a perfect detection program
V is a virus
V can call P
if P(V) = true -> halt
if P(V) = false -> spread
Either way P misclassifies V, so no such P can exist.
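The diagonal argument above, worked through as an added Python illustration (not code from the presentation). Programs are modelled as Python callables and a candidate "perfect detector" is any function that takes a program and returns True for "virus" or False for "clean"; the three detectors at the bottom are constructed for the illustration. The contrary program V consults the detector about itself and does the opposite, so a detector that answers is wrong and a detector that tries to run V to find out never finishes.

```python
"""Fred Cohen's diagonal argument, modelled with Python callables.

Added example, not part of the slides. A "program" is a zero-argument
callable that returns "halt" or "spread"; a "detector" is a function that
takes a program and returns True (virus) or False (clean).
"""


def make_contrary(detector):
    """Construct the program V from the slide: V calls the detector on
    itself and does the opposite of whatever the detector predicts."""
    def v():
        if detector(v):      # P(V) = true  -> halt (behave benignly)
            return "halt"
        return "spread"      # P(V) = false -> spread (behave like a virus)
    return v


def evaluate(detector):
    """Classify the detector's performance on its own contrary program.

    Returns "wrong" if the detector's verdict contradicts what V actually
    does, "undecided" if the detector never finishes deciding, and
    "correct" if the verdict matches (which the argument says cannot happen).
    """
    v = make_contrary(detector)
    try:
        predicted_virus = detector(v)
    except RecursionError:          # detector(v) -> v() -> detector(v) -> ...
        return "undecided"
    actually_spreads = v() == "spread"
    return "correct" if predicted_virus == actually_spreads else "wrong"


# Three candidate "perfect" detectors, constructed for the illustration.
def says_virus(prog):
    """Static-style detector that flags everything."""
    return True


def says_clean(prog):
    """Static-style detector that flags nothing."""
    return False


def runs_it(prog):
    """Dynamic-style detector: execute the program and watch what it does."""
    return prog() == "spread"


if __name__ == "__main__":
    for name, det in (("says_virus", says_virus), ("says_clean", says_clean), ("runs_it", runs_it)):
        print(f"{name:10s} -> {evaluate(det)}")
```

Any detector that returns a verdict for V is contradicted by V's behaviour, and the one that runs V to find out recurses forever; that is the whole content of Cohen's result, and it is why the rest of the deck treats detection as a question of coverage and heuristics rather than of a single decisive test.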
31. Challenges detecting malware
Static vs. Dynamic
Known malware
In the wild
Malware exchange programs, e.g. metascan-online
AMTSO real time threat list
Unknown malware
Targeted attacks
Outbreaks
32. Malware detection techniques
Static vs. Dynamic
Static
Inspect the code before it is executed
Dynamic
Inspect the execution of the code
33. Malware detection techniques
Static code analysis
PE Headers
Digital signatures
Text searches
Hash checks
Dependency check
Check for packers
Heuristic checks
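The checks listed above, and the appending, cavity and compressing infection methods from the propagation slides, can be exercised together by a small static inspector. The following is an added example, not the presenter's or Metascan's code: it assembles two constructed PE32 files in memory (no real samples) and runs header sanity, a section-entropy packer heuristic, an entry-point location check, an overlay check and a SHA-256 hash over them. The 7.0 bits/byte entropy threshold and the section names are assumptions chosen for the illustration.

```python
"""Minimal static PE inspector for the checks on the slide (added example).

Builds constructed PE32 images and reports: header sanity, high-entropy
sections (packer heuristic), whether the entry point lies inside a section
(a modified header, as in the cavity case, often moves it), bytes appended
after the last section (what an appending infector leaves), and a hash.
"""
import hashlib
import math
import random
import struct

ALIGN = 0x200  # file alignment used by the constructed samples


def build_pe(sections, entry_rva):
    """Assemble a minimal PE32 image from (name, rva, raw_bytes) tuples.
    Only the header fields the inspector reads are populated."""
    opt = bytearray(224)                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)           # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)      # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))     # e_lfanew -> "PE\0\0"
    headers, bodies, raw_ptr = b"", b"", ALIGN
    for name, rva, data in sections:
        size = -(-len(data) // ALIGN) * ALIGN       # round raw size up to alignment
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(data), rva, size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += data.ljust(size, b"\0")
        raw_ptr += size
    head = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers).ljust(ALIGN, b"\0")
    return head + bodies


def entropy(data):
    """Shannon entropy in bits per byte (8.0 means uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_pe(blob, entropy_threshold=7.0):
    """Run the static checks and return a report dict."""
    report = {"valid": False, "findings": [], "sha256": hashlib.sha256(blob).hexdigest()}
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        report["findings"].append("not a DOS/PE file: missing MZ header")
        return report
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        report["findings"].append("missing PE signature")
        return report
    num_sections = struct.unpack_from("<H", blob, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]
    opt_off = pe_off + 24
    entry = struct.unpack_from("<I", blob, opt_off + 16)[0]
    sec_off = opt_off + opt_size
    report.update(valid=True, entry_rva=entry, entry_section=None, sections=[])
    last_raw_end = 0
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, sec_off + 40 * i)
        name = name.rstrip(b"\0").decode(errors="replace")
        ent = round(entropy(blob[raw_ptr:raw_ptr + raw_size]), 2)
        report["sections"].append({"name": name, "va": va, "entropy": ent})
        if va <= entry < va + max(vsize, raw_size):
            report["entry_section"] = name
        if ent > entropy_threshold:
            report["findings"].append(f"high-entropy section {name} ({ent} bits/byte): possible packer")
        last_raw_end = max(last_raw_end, raw_ptr + raw_size)
    if report["entry_section"] is None:
        report["findings"].append(f"entry point 0x{entry:x} lies outside every section")
    report["overlay_bytes"] = len(blob) - last_raw_end
    if report["overlay_bytes"] > 0:
        report["findings"].append(f"{report['overlay_bytes']} bytes appended after the last section")
    return report


def sample_clean():
    """Constructed benign-looking file: low-entropy code, entry in .text, no overlay."""
    return build_pe([(".text", 0x1000, b"\x90" * 0x100 + b"\xC3"),
                     (".data", 0x2000, b"hello world\0")], entry_rva=0x1000)


def sample_suspicious():
    """Constructed file with the traits the slides describe: a random-looking
    (packed-like) section, an entry point outside all sections, and data
    appended after the image. The filler is seeded noise, not real code."""
    rnd = random.Random(7)
    packed = bytes(rnd.getrandbits(8) for _ in range(0x400))
    image = build_pe([(".text", 0x1000, b"\0" * 16), (".packed", 0x2000, packed)], entry_rva=0x9000)
    return image + b"APPENDED-DATA-" * 20


if __name__ == "__main__":
    for label, blob in (("clean", sample_clean()), ("suspicious", sample_suspicious())):
        rep = inspect_pe(blob)
        print(label, rep["sha256"][:16], "entry in", rep["entry_section"])
        for finding in rep["findings"]:
            print("  -", finding)
```

Each finding here is a heuristic, not a verdict: legitimate installers carry overlays and legitimately packed software has high-entropy sections, which is exactly the "easy to obfuscate" and "quality assurance of signatures" tension the next slide raises.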
34. Malware detection techniques
Challenges of static code analysis
Many signatures
Quality assurance of 100M signatures
Big data
Performance – scan in a timely manner
Many signature updates
Challenges to update - build a scalable update mechanism
Easy to obfuscate the code
38. Malware detection techniques
Challenges of dynamic code analysis
Anti-virtualization techniques
Sleep calls / loops to wait out the analysis
Randomization
Polymorphism
Resource consumption
39. Real life examples of malware detection systems
Malware detection for new outbreaks Source: Metascan Online
41. Real life examples of malware detection systems
Static vs. Dynamic
Tested 30 known malware files (disguised as documents
or embedded within documents)
Fewest number of engines was 10 (out of 43)
Highest number of engines was 30 (out of 43)
42. Real life examples of malware detection systems
Static vs. Dynamic
Tested 30 known malware files (disguised as documents
or embedded within documents)
Lowest number of threats detected was 3
Highest number of threats detected was 23
43. Real life examples of malware detection systems
Measuring detection coverage
[Figure: protection level of sandboxing (X1%) and of multi-scanning (X2%), shown against 100% of threats]
44. Current trends in the industry
Secure transaction to cloud applications
Mobile Security and BYOD
Cloud malware scanning
Big Data
Performance
Sandbox
Cloud sandbox
Protect digital wallets
Editor's notes
1 min
<why multiscanning>
Growth of malware
More engines are better than one
Outbreaks
Vulnerabilities in engines
<technology overview of Metascan>
What is Metascan
Why use Metascan
Current feature set
<different implementations of Metascan>
Out-of-box solution: MDTA
Demo of metascanonline.com (local box with wireless access point)
Endpoint client (MD4SA)
Demo of MD4SA
<Managing Metascan>
Introduction to the management station
The assumption is that the detections of different antivirus engines are events that are not mutually exclusive. So, given the global set of threats an antivirus can detect, we should expect: threats detected only by Antivirus A; threats detected only by Antivirus B; threats detected by both Antivirus A and Antivirus B.
The conclusion is obvious: when you do not know what you are up against, and when you can't really measure the quality of the tools you are working with, multiscanning is a trivial choice.
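The overlap arithmetic in the notes above, and the "fewest / highest number of engines" figures from the test-result slides, can be computed from a detection matrix. The following is an added example, not the presenter's or Metascan's code, and the eight-sample, five-engine matrix is constructed for the illustration (it is not Metascan Online data). It goes slightly beyond the notes by also ranking engines greedily by the coverage each one adds on top of those already chosen.

```python
"""Multi-scanning coverage arithmetic (added example, not from the deck).

Detection results are modelled as a dict: sample id -> set of engine names
that flagged it. RESULTS is a constructed matrix, not real scan output.
"""

# Constructed results: 8 samples scanned by 5 engines (A..E).
RESULTS = {
    "s1": {"A", "B", "C", "D", "E"},
    "s2": {"A", "B"},
    "s3": {"B", "C"},
    "s4": {"A"},
    "s5": {"C", "D"},
    "s6": set(),            # missed by every engine
    "s7": {"A", "B", "C"},
    "s8": {"E"},
}


def engine_hits(results):
    """Number of engines flagging each sample (the 'x out of 43' figures)."""
    return {sample: len(engines) for sample, engines in results.items()}


def coverage(results, engines):
    """Fraction of samples caught by at least one of the given engines."""
    engines = set(engines)
    caught = sum(1 for detected in results.values() if detected & engines)
    return caught / len(results)


def overlap(results, a, b):
    """The three buckets from the notes: only A, only B, both A and B."""
    only_a = sum(1 for d in results.values() if a in d and b not in d)
    only_b = sum(1 for d in results.values() if b in d and a not in d)
    both = sum(1 for d in results.values() if a in d and b in d)
    return {"only_a": only_a, "only_b": only_b, "both": both}


def greedy_order(results, engines):
    """Pick engines one at a time by the coverage each adds to the set so
    far (ties broken by name); stop when no engine adds anything."""
    remaining = sorted(engines)
    chosen, covered = [], set()
    while remaining:
        gains = {e: {s for s, d in results.items() if e in d} - covered for e in remaining}
        best = max(remaining, key=lambda e: len(gains[e]))   # first maximum in sorted order
        if not gains[best]:
            break
        chosen.append(best)
        covered |= gains[best]
        remaining.remove(best)
    return chosen, len(covered) / len(results)


if __name__ == "__main__":
    hits = engine_hits(RESULTS)
    print("engines per sample: min", min(hits.values()), "max", max(hits.values()))
    print("A alone:", coverage(RESULTS, "A"), " A+B:", coverage(RESULTS, "AB"),
          " all:", coverage(RESULTS, "ABCDE"))
    print("A vs B buckets:", overlap(RESULTS, "A", "B"))
    print("greedy order:", greedy_order(RESULTS, "ABCDE"))
```

The greedy ranking is the practical counterpart of the "more engines are better than one" note: engines are worth adding in proportion to what they catch that the current set misses, which is why two strong engines with near-identical coverage add less than a weaker engine with a different blind spot.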