MALWARE & ANTI-MALWARE BY: ARPIT MITTAL

Upload: arpit982

Post on 15-Apr-2017


TRANSCRIPT

Page 1: Malware & Anti-Malware

MALWARE & ANTI-MALWARE

BY: ARPIT MITTAL

Page 2: Malware & Anti-Malware

CONTENTS

• Malware
• Purpose of malware
• Types of malware
• Viruses, worms, trojans
• How malware spreads

Page 3: Malware & Anti-Malware

What is Malware?

• Program or code.
• Made up of two words: “Malicious” + “Software”.
• 'Malware' is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including viruses, worms, trojan horses, spyware, adware etc.

Page 4: Malware & Anti-Malware

The purpose of Malware

• To subject the user to advertising

Page 5: Malware & Anti-Malware

The purpose of Malware

• To launch DDoS on another service

Page 6: Malware & Anti-Malware

The purpose of Malware

• To spread spam.
• To commit fraud, such as identity theft.
• For kicks (vandalism), and to spread FUD (fear, uncertainty, doubt).
• . . . and perhaps other reasons.

Page 7: Malware & Anti-Malware

Types of Malware

Page 8: Malware & Anti-Malware

But we will be discussing…

MALWARE
• Worms
• Viruses
• Trojan horses

Page 9: Malware & Anti-Malware

What exactly is a Virus?

• A virus propagates by infecting other programs.
• It attaches itself to other programs or files.
• But to propagate, a human has to run an infected program.
• The term is mistakenly applied to trojans and worms.
• Self-propagating viruses are often called worms.

Page 10: Malware & Anti-Malware

• Many propagation methods:
• Insert a copy into every executable (.COM, .EXE).
• Insert a copy into boot sectors of disks.
• Infect common OS routines, stay in memory.

Page 11: Malware & Anti-Malware

First Virus: Creeper

• Written in 1971.
• Infected DEC PDP-10 machines running TENEX OS.
• Jumped from machine to machine over ARPANET: copied its state over, tried to delete the old copy.
• Payload: displayed a message “I’m the creeper, catch me if you can!”
• Later, Reaper was written to hunt down Creeper.

Page 12: Malware & Anti-Malware

Types of Viruses

• Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.
• Memory-resident Virus - lodges in main memory as part of the resident operating system.
• Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).
• Stealth Virus - explicitly designed to hide from virus scanning programs.
• Polymorphic Virus - mutates with every new host to prevent signature detection.

Page 13: Malware & Anti-Malware

Virus Phases

• Dormant - waits for a trigger to start replicating.
• Propagation - copies itself into other programs of the same type on a computer. Spreads when the user shares a file with another computer. Usually searches a file for its own signature before infecting.
• Triggering - starts delivering the payload. Sometimes triggered on a certain date, or a certain time after infection.
• Execution - the payload function is done. Perhaps it put a funny message on the screen, or wiped the hard disk clean. It may then start the first phase over again.

Page 14: Malware & Anti-Malware

Okay, So Then What’s a Worm?

Similar to a virus, but propagates itself without human interaction.

Page 15: Malware & Anti-Malware

Six Components of Worms

1) Reconnaissance
2) Specific Attacks
3) Command Interface
4) Communication Mechanisms
5) Intelligence Capabilities
6) Unused and Non-attack Capabilities

Page 16: Malware & Anti-Malware

Reconnaissance

• Target identification
• Active methods
  • scanning
• Passive methods
  • OS fingerprinting
  • traffic analysis

Page 17: Malware & Anti-Malware

Specific Attacks

• Exploits
  • buffer overflows, cgi-bin, etc.
  • Trojan horse injections
• Limited in targets
• Two components
  • local, remote

Page 18: Malware & Anti-Malware

Command Interface

• Interface to compromised system
  • administrative shell
  • network client
• Accepts instructions
  • person
  • other worm node

Page 19: Malware & Anti-Malware

Communications

• Information transfer
• Protocols
• Stealth concerns

Page 20: Malware & Anti-Malware

Intelligence Database

• Knowledge of other nodes
• Concrete vs. abstract
• Complete vs. incomplete

Page 21: Malware & Anti-Malware

Worm Propagation

Back-Chaining Propagation: The Cheese worm is an example of this type of propagation, where the attacking computer initiates a file transfer to the victim computer. After initiation, the attacking computer can then send files and any payload over to the victim without intervention. Then the victim becomes the attacking computer in the next cycle, with a new victim. This method of propagation is more reliable than central source propagation, because the central source can be cut off.

Page 22: Malware & Anti-Malware

Worm Propagation

Central Source Propagation: This type of propagation involves a central location. After a computer is infected, it locates a source from which it can fetch code to copy into the compromised computer; once the current computer is infected, it finds the next computer and everything starts over again. An example of this kind of worm is the 1i0n worm.

Page 23: Malware & Anti-Malware

Worm Propagation

Autonomous Propagation: Autonomous worms attack the victim computer and insert the attack instructions directly into the processing space of the victim computer, so that the next attack cycle starts without any additional file transfer. Code Red is an example of this type of worm. The original Morris worm of 1988 was of this nature as well.

Page 24: Malware & Anti-Malware

Yeah, but what’s a Trojan?

• A small program that is designed to appear desirable but is in fact malicious.
• Must be run by the user.
• Do not replicate themselves.
• Used to take over a computer, or steal/delete data.
• Good Trojans will not:
  • alert the user
  • alter the way their computer works

Page 25: Malware & Anti-Malware

TROJANS

• Trojan horses can install backdoors, perform malicious scanning, monitor system logins and other malicious activities.
• The majority of modern trojan horses are backdoor utilities: Sub Seven, Netbus, Back Orifice.
• The feature set usually includes remote control, desktop viewing, http/ftp server, file sharing, password collecting, port redirection.
• Some of these trojan horses can be used as legitimate remote administration tools.
• Other trojans are mostly programs that steal/delete data or can drop viruses.

Page 26: Malware & Anti-Malware

HOW MALWARE SPREADS…

• Just by visiting a seemingly harmless website: DRIVE BY DOWNLOAD.
• By mails, attachments, links.
• By physical media.
• Software vulnerabilities or bugs.

Page 27: Malware & Anti-Malware

Anti-MALWARE

Page 28: Malware & Anti-Malware

ANTI-MALWARE

Software developed to combat all types of malware. Is it different from anti-virus?

Viruses were extremely “popular” in the ‘90s, which is when the term “Antivirus” became common, but today viruses are the minority when it comes to malware.

So, nearly all anti-virus products provide protection from most malware.

Page 29: Malware & Anti-Malware

So the difference…

ANTI-VIRUS
• usually deals with the older, more established threats, such as Trojans, viruses, and worms
• protects users from lingering, predictable-yet-still-dangerous malware
• best at crushing malware you might contract from a traditional source, like a USB or an email attachment

ANTI-MALWARE
• typically focuses on newer stuff, such as polymorphic malware and malware delivered by zero-day exploits
• protects users from the latest, currently in the wild, and even more dangerous threats
• updates its rules faster than antivirus, meaning that it's the best protection against new malware you might encounter while surfing the net

Page 30: Malware & Anti-Malware

Effective Anti-Malware Strategy

• Core product
• Research team
• Update infrastructure

Page 31: Malware & Anti-Malware

Anti-Malware Engine

Scanning
• Monitors and examines various locations on the computer, like the hard disk and registry.
• If a change has been made to a critical component, it could be a sign of infection.

Detection
• Matching with the definition list.
• Classifying as the appropriate type, such as virus, spyware or Trojan.

Removal

Page 33: Malware & Anti-Malware

Common challenges…

RootKits
• Program that can hide files, registry entries, network traffic, or other information.
• A kernel-mode rootkit could tamper with the operating system at the lowest level.

Blended Threats
• Combine characteristics of viruses, worms and spyware.

Performance
• Maintaining a high level of performance on the machine is critical.

Classification
• Understand the nature of the threat.
• The wide variety of natures and contexts makes it difficult to manage.

Page 34: Malware & Anti-Malware

Two Approaches of Scanning

1. Specific Scanning
• signature detection
• the application scans files to look for known viruses matching definitions in a “dictionary”.
• after recognizing the malicious software, the antivirus software can take one of the following actions:
  1. attempt to repair the file by removing the virus itself from the file.
  2. quarantine the file.
  3. or delete the file completely.
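A minimal dictionary-based scanner that performs the three actions above, added here as an illustration and not taken from the slides. The signature "dictionary", the marker bytes and the sample files are all constructed for the demo (they are not real malware definitions), and the scanning root, vault path and threat names are assumptions.

```python
import hashlib, shutil, tempfile
from pathlib import Path

# The definition "dictionary": threat name -> byte pattern. The markers are constructed
# for this demo, not real signatures (real ones add offsets, wildcards and hashes).
SIGNATURES = {"Demo.Virus.A": b"DEMO-VIRUS-MARKER-A", "Demo.Trojan.B": b"DEMO-TROJAN-MARKER-B"}

def match_signatures(data):
    """Return the names of every definition whose pattern occurs in the data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def repair(path, pattern):
    """Action 1: strip the matched bytes out of the file. Only sound when the
    definition guarantees the pattern is the whole appended payload."""
    path.write_bytes(path.read_bytes().replace(pattern, b""))

def quarantine(path, vault):
    """Action 2: move the file into a vault, renamed by its SHA-256 so same-named files cannot collide."""
    vault.mkdir(parents=True, exist_ok=True)
    target = vault / (hashlib.sha256(path.read_bytes()).hexdigest() + ".quarantined")
    shutil.move(str(path), str(target))
    return target

def scan_directory(root, vault, action="quarantine"):
    """Scan every file under root, apply one of the slide's three actions
    ('repair', 'quarantine', 'delete') and return {relative path: matched names}."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):  # list first, then mutate
        matches = match_signatures(path.read_bytes())
        if not matches:
            continue
        report[str(path.relative_to(root))] = matches
        if action == "repair":
            for name in matches:
                repair(path, SIGNATURES[name])
        elif action == "quarantine":
            quarantine(path, vault)
        elif action == "delete":
            path.unlink()
    return report

def run_demo(action="quarantine"):
    """Constructed sample tree (one clean file, two carrying demo markers) in a temp dir; returns (report, files left)."""
    base = Path(tempfile.mkdtemp(prefix="sigscan-"))
    files = base / "files"; files.mkdir()
    (files / "clean.txt").write_bytes(b"just a document")
    (files / "infected.bin").write_bytes(b"host program bytes" + SIGNATURES["Demo.Virus.A"])
    (files / "dropper.exe").write_bytes(SIGNATURES["Demo.Trojan.B"] + b"\x00" * 16)
    report = scan_directory(files, base / "quarantine", action)
    return report, sorted(p.name for p in files.iterdir())
```

Calling `run_demo("quarantine")` leaves only `clean.txt` behind, while `run_demo("repair")` keeps all three files but strips the markers from the two flagged ones.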

Page 35: Malware & Anti-Malware

Generic Scanning

Generic scanning is also referred to as the suspicious behavior approach.

Used when new malware appears. In this method the software does not look for a specific signature but instead monitors the behavior of all applications.

If anything questionable is found by the software, the application is quarantined and a warning is broadcast to the user about what the program may be trying to do.

Page 36: Malware & Anti-Malware

Generic Scanning

If the software is found to be a virus, the user can send it to an antivirus vendor. Researchers examine it, determine its signature, name and catalogue it, and release antivirus software to stop its spread.

Page 37: Malware & Anti-Malware

Two Other Approaches

• Heuristic analysis: another form of generic scanning
• The sandbox method

Page 38: Malware & Anti-Malware

Heuristic Analysis

The software tries to emulate the beginning of the code of each new executable that the system invokes, before transferring control to that executable.

If the program attempts to use self-modifying code or otherwise appears to be a virus, it is assumed that a virus has infected the executable.

There are many false positives in this approach.

Page 39: Malware & Anti-Malware

Sandboxing

In this approach an antivirus program takes suspicious code and runs it in a “virtual machine” to see the purpose of the code and exactly how the code works.

After the program terminates, the software analyzes the sandbox for any changes, which might indicate a virus.
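The "analyze the sandbox for changes" step here and the "a change to a critical component could be a sign of infection" rule from the Anti-Malware Engine slide are the same mechanism: hash a baseline, let the suspect run, hash again, and diff. The example below, which is added here and not from the slides, implements that diff over a directory tree; the directory names treated as critical (`system/`, `startup/`) and the simulated effects of the suspect program are constructed for the demo, and no suspect code is actually executed.

```python
import hashlib, tempfile
from pathlib import Path

def snapshot(root):
    """Baseline: {relative path: sha256} for every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(before, after):
    """Classify every change between two snapshots as added, removed or modified."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }

def assess(changes, critical_prefixes=("system/", "startup/")):
    """The slide's rule: a change to a critical component is a sign of infection.
    Returns human-readable findings; empty when nothing critical changed.
    The critical prefixes are constructed placeholders for real OS/autostart locations."""
    findings = []
    for kind, paths in changes.items():
        for p in paths:
            if p.startswith(critical_prefixes):
                findings.append(f"{kind}: {p}")
    return findings

def run_demo():
    """Constructed sandbox run: baseline, simulated suspect activity, diff, assess."""
    box = Path(tempfile.mkdtemp(prefix="sandbox-"))
    for d in ("system", "startup", "user"):
        (box / d).mkdir()
    (box / "system" / "kernel32.bin").write_bytes(b"pristine library")
    (box / "user" / "notes.txt").write_bytes(b"my notes")
    before = snapshot(box)
    # Simulated effects of the suspect program (constructed; nothing is executed here):
    (box / "system" / "kernel32.bin").write_bytes(b"pristine library" + b"\x90" * 8)  # patches a system file
    (box / "startup" / "updater.exe").write_bytes(b"persist at boot")  # adds an autostart entry
    (box / "user" / "notes.txt").unlink()  # deletes user data (not a critical location)
    after = snapshot(box)
    changes = diff_snapshots(before, after)
    return changes, assess(changes)
```

The same `snapshot`/`diff_snapshots` pair doubles as the on-disk integrity check from the engine slide when the baseline is taken on a known-clean system and compared against later scans.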
