Antivirus Software By: Eng. Ammar J.Mahmood Supervised by: Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT)Jordan’s campus 7/26/2016 Eng. Ammar Mahmood 1 Introduction Antivirus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware). Malware or Malicious Software is software designed to infiltrate or damage a computer system without the owner's informed consent. Types of malware include spyware, adware, Trojan horses, Worms, and viruses. 7/26/2016 Eng. Ammar Mahmood 2 Malware “Know your enemy” 7/26/2016 Eng. Ammar Mahmood 3 The Virus A computer virus is a self-replicating computer program written to alter the way a computer operates, without the permission or knowledge of the user Why people create computer viruses? Some virus writers consider their creations to be works of art, and see virus writing as a creative hobby Viruses have been written as research projects, pranks, vandalism, to attack the products of specific companies 7/26/2016 Eng. Ammar Mahmood 4 The Virus Why people create computer viruses? Some viruses were intended as "good viruses". They spread improvements to the programs they infect, or delete other viruses. These viruses are, however, quite rare, still consume system resources, may accidentally damage systems they infect. 7/26/2016 Eng. Ammar Mahmood 5 The Virus Viruses can be subdivided into a number of types, the main ones being: Boot sector viruses: 7/26/2016 alters or hides in the boot sector, usually the 1st sector, of a bootable disk or hard drive. contains code for bootstrapping programs (usually activates, but not necessarily, operating systems) Boot sector infector viruses replace the bootstrap code in the boot sectors (of floppy disks, hard disks, or both) with viral code. the BIOS on IBM PC compatible machines is ignorant of whether a disk has in fact been high-level formatted and had an operating system installed in it This results in a security vulnerability. A user who sees the error message may not be aware that the code in the boot sector of the disk has already been run by that point, and that if the disk was infected by a boot-sector computer virus Eng. Ammar Mahmood 6 The Virus Companion viruses: creates new files (typically .COM but can also use other extensions such as ".EXD") that have the same file names as legitimate .EXE files. When a user types in the name of a desired program, if a user does not type in ".EXE" but instead does not specify a file extension, DOS will assume he meant the file with the extension that comes first in alphabetical order and run the virus. Email viruses: is a virus which uses e-mail messages as a mode of transport. These viruses often copy themselves by automatically mailing copies to hundreds of people in the victim's address book. 7/26/2016 Eng. Ammar Mahmood 7 The Virus Logic bombs and time bombs: employs code that lies inert until specific conditions (e.g.infected a certain number of hosts ) are met. The resolution of the conditions will trigger a certain function (such as printing a message to the user and/or deleting files). Macro viruses: often written in the scripting languages for Microsoft programs such as Word and Excel, is spread in Microsoft Office by infecting documents and spreadsheets. Cross-site scripting virus: is a type of virus that utilizes cross-site scripting vulnerabilities to replicate. 7/26/2016 Eng. Ammar Mahmood 8 The Virus Methods to avoid detection Avoiding bait files and other undesirable hosts: A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many antivirus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. Bait files (or goat files) are files that are specially created by antivirus software 7/26/2016 Anti-virus professionals can use bait files to take a sample of a virus Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods. Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system. Eng. Ammar Mahmood 9 The Virus Stealth\Rootkit: A virus can hide itself by intercepting the anti-virus software’s request to read the file and passing the request to the virus, instead of the OS. The virus can then return an uninfected version of the file to the anti-virus software, so that it seems that the file is "clean“. Modern anti-virus software employs various techniques to counter stealth mechanisms of viruses. 7/26/2016 Eng. Ammar Mahmood 10 The Virus A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system Rootkit types: Virtualised: These rootkits work by modifying the boot sequence of the machine to load themselves instead of the original operating system. Once loaded into memory a virtualised rootkit then loads the original operating system as a Virtual Machine thereby enabling the rootkit to intercept all hardware calls made by the guest OS Kernel level:Kernel level rootkits add additional code and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system 7/26/2016 Eng. Ammar Mahmood 11 The Virus Rootkit types 7/26/2016 Library level :commonly patch, hook, or replace system calls with versions that hide information about the attacker. Application level rootkits may replace regular application binaries with trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean. Done byshut down the computer suspected of infection and check its storage by booting from an alternative media (e.g. rescue CD-ROM or USB flash drive). A non-running rootkit cannot hide its presence and most established antivirus programs will identify rootkits armed via standard OS calls Eng. Ammar Mahmood 12 The Virus Self-modification: 7/26/2016 Some viruses employ techniques that make detection by means of signatures difficult or impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus. Simple self-modifications: some viruses modified themselves only in simple ways. For example, they regularly exchanged subroutines in their code for others that would perform the same action - for example, 2+2 could be swapped for 1+3. This poses no problems to a somewhat advanced virus scanner. Eng. Ammar Mahmood 13 The Virus Encryption 7/26/2016 with a variable key: A more advanced method is the use of simple encryption to encipher the virus. the virus consists of a small decrypting module and an encrypted copy of the virus code the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module. a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Eng. Ammar Mahmood 14 The Virus Polymorphic 7/26/2016 code: Polymorphic code was the first technique that posed a serious threat to virus scanners. Same as encrypted viruses except that decryption module is also modified on each infection. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body Anti-virus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. Eng. Ammar Mahmood 15 The Virus Metamorphic code: 7/26/2016 To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. it does this by translating its own code into a temporary representation, and then back to normal code again Metamorphic code is more effective than polymorphic code. This is because most anti-virus software will try to search for known virus-code even during the execution of the code A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of Assembly language code, 90% of it part of the metamorphic engine. Eng. Ammar Mahmood 16 The Virus Replication strategies In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs Viruses can be divided into two types, on the basis of their behavior when they are executed 7/26/2016 Eng. Ammar Mahmood 17 The Virus Nonresident viruses: immediately search for other hosts that can be infected, infect these targets, and finally transfer control to the application program they infected Nonresident viruses can be thought of as consisting of a finder module and a replication module The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file. 7/26/2016 Eng. Ammar Mahmood 18 The Virus Resident viruses 7/26/2016 Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself. Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation Eng. Ammar Mahmood 19 The Virus Resident viruses are sometimes subdivided into a category: Fast infectors: are designed to infect as many files as possible. It can infect every potential host file that is accessed. 7/26/2016 This poses a special problem to anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Eng. Ammar Mahmood 20 The Virus 2nd category Slow infectors: are designed to infect hosts infrequently. For instance, some slow infectors only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably, and will at most infrequently trigger anti-virus software that detects suspicious behavior by programs. The slow infector approach does not seem very successful however. 7/26/2016 Eng. Ammar Mahmood 21 The Virus Host types: 7/26/2016 Binary executable files (such as COM files and EXE files in MSDOS, Portable Executable files in Microsoft Windows, and ELF files in Linux) Volume Boot Records of floppy disks and hard disk partitions The master boot record (MBR) of a hard disk General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unixlike platforms). Application-specific script files (such as Telix-scripts) Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database files) Eng. Ammar Mahmood 22 The Worm A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer. 7/26/2016 Eng. Ammar Mahmood 23 The Worm Types of computer worms: Email Worms Spread via email messages. Typically the worm will arrive as email, where the message body or attachment contains the worm code, but it may also link to code on an external website. Instant messaging worms The spreading used is via instant messaging applications by sending links to infected websites to everyone on the local contact list IRC worms Chat channels are the main target and the same infection/spreading method is used as above 7/26/2016 Eng. Ammar Mahmood 24 The Worm Types of computer worms: File-sharing networks worms Copies itself into a shared folder, most likely located on the local machine. The worm will place a copy of itself in a shared folder under a harmless name. Now the worm is ready for download via the P2P network and spreading of the infected file will continue. Internet worms 7/26/2016 Those which target low level TCP/IP ports directly, rather than going via higher level protocols such as email or IRC. A classic example is "Blaster" which exploited a vulnerability in Microsoft's Remote procedure call (RPC). An infected machine aggressively scans random computers on both its local network and the public Internet attempting an exploit against port 135 which, if successful, spreads the worm to that machine. Eng. Ammar Mahmood 25 The Worm Payloads: Many worms have been created which are only designed to spread, and don't attempt to alter the systems they pass through. A "payload" is code designed to do more than spread the worm - it might delete files on a host system (e.g. the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail. A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a "zombie" under control of the worm author 7/26/2016 Eng. Ammar Mahmood 26 Antivirus SW 7/26/2016 Eng. Ammar Mahmood 27 Antivirus Antivirus software typically uses two different techniques to accomplish his mission: Examining (scanning) files to look for known viruses matching definitions in a virus dictionary Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods. 7/26/2016 Eng. Ammar Mahmood 28 Antivirus modes Anti-virus programs have two basic modes: “static” file scanning: useful for when you have to scan a file or a volume to check to see if any of the files are currently infected with malware real-time “dynamic” scanning: is really what is needed to prevent the computer from getting infected in the first place. In this mode, all files that the operating system opens or uses are scanned first before they are fully opened. 7/26/2016 Eng. Ammar Mahmood 29 Approaches Dictionary 1. 2. 3. 7/26/2016 A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses In the virus dictionary approach, when the antivirus software examines a file, it refers to a dictionary of known viruses that the authors of the antivirus software have identified. If a piece of code in the file matches any virus identified in the dictionary, then the antivirus software can take one of the following actions: attempt to repair the file by removing the virus itself from the file quarantine the file (such that the file remains inaccessible to other programs and its virus can no longer spread) delete the infected file Eng. Ammar Mahmood 30 Approaches Dictionary the virus dictionary approach requires periodic (generally online) downloads of updated virus dictionary entries. users identify new viruses "in the wild", they can send their infected files to the authors of antivirus software, who then include information about the new viruses in their dictionaries. Dictionary-based antivirus software typically examines files when the computer's operating system creates, opens, closes or e-mails them. In this way it can detect a known virus immediately upon receipt 7/26/2016 Eng. Ammar Mahmood 31 Approaches Dictionary System Administrator can typically schedule the antivirus software to examine (scan) all files on the user's hard disk on a regular basis. Although the dictionary approach can effectively contain virus outbreaks in the right circumstances. 7/26/2016 Eng. Ammar Mahmood 32 Approaches Dictionary Virus’s Technology to avoid the Dictionary Approach is: Metamorphic code Polymorphic code Oligomorphic engine is generally used by a computer virus to generate a decryptor for itself in a way comparable to a simple polymorphic engine 7/26/2016 Eng. Ammar Mahmood 33 Approaches Dictionary Previous technology Polymorphism: 7/26/2016 weakness are: A small portion of it is left unencrypted and used to jumpstart the encrypted software. Anti-virus software targets this small unencrypted portion of code. Anti-virus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. most oligomorphic viruses aren't able to generate more than just a few hundred different decryptors, so detecting them with simple signatures is still possible Eng. Ammar Mahmood 34 Approaches Suspicious behavior: The suspicious behavior approach doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, the antivirus software can flag this suspicious behavior, alert a user and ask what to do. 7/26/2016 Eng. Ammar Mahmood 35 Approaches Suspicious behavior the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it can also sound a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the antivirus software obviously gives no benefit to that user 7/26/2016 Eng. Ammar Mahmood 36 Approaches Suspicious behavior weakness The fact the many legal SW behave like malicious SW make the job of antivirus harder Ex:There are commercial software that have many features as dynamic code encryption/decryption, code replace, metamorphic engine, API export, anti debug/dump/trace and more. They are used to protect software programs from illegal use(cracking and reverse engineering) 7/26/2016 Eng. Ammar Mahmood 37 Approaches Heuristic analysis: try to emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable. If the program seems to use self-modifying code or otherwise appears as a virus (if it immediately tries to find other executables, for example), one could assume that a virus has infected the executable. Heuristic scanners have a higher rate of false positives than do signature scanners but they have the significant advantage of being able to detect unknown viruses. 7/26/2016 Eng. Ammar Mahmood 38 Approaches Sandbox: sandbox is a security mechanism for safely running programs. It is often used to execute untested code, or programs from unverified third-parties, suppliers and untrusted users. emulates the operating system and runs the executable in this simulation. After the program has terminated, software analyzes the sandbox for any changes which might indicate a virus. Because of performance issues, this type of detection normally only takes place during on-demand scans 7/26/2016 Eng. Ammar Mahmood 39 Approaches Sandbox: Also this method may fail as virus can be nondeterministic and result in different actions or no actions at all done then run - so it will be impossible to detect it from one run. The sandbox typically provides a tightlycontrolled set of resources for guest programs to run in 7/26/2016 Eng. Ammar Mahmood 40 Weaknesses of antivirus SW Many security professionals agree that the current approach to defend against malicious software with antivirus is not good enough, but it is best solution that we have right now. Here is the brief summary of the main shortcomings in the antivirus software: 7/26/2016 Eng. Ammar Mahmood 41 Weaknesses of antivirus SW 1. Reactive approach: Your antivirus as good as your definition files. If you did not update them, the antivirus program will not be able to detect a new malware. The most critical problems for the antivirus software to detect malicious code are: new or modified malicious code rootkit programs Software Misuse 2. Inability to protect themselves: With sufficient system permissions, malware can change antivirus settings and configuration. 7/26/2016 Eng. Ammar Mahmood 42 Weaknesses of antivirus SW 3. Inability to revert the results of malware infection process. 7/26/2016 Too often, “installation process” of malware includes copying files, changing registry and system configuration files, changing other software configuration. Some of these changes still present in the infected system, even after an antivirus program delete or disinfect malware files. Almost for every severe virus/worm, antivirus vendors issues “Removal Tool”. this is means that the antivirus vendors saying to their customers: “our antivirus isn’t good enough to clean your system – please use this tool” Eng. Ammar Mahmood 43 Retro Viruses retro viruses are the viruses that attack security programs “Attack is the best defense strategy” The malware instead of hiding from detection by security SW it target these SW as its (part of) malicious action We will discuss in the next slides some of the technique used by the Retro viruses 7/26/2016 Eng. Ammar Mahmood 44 The Black Antivirus a(white) antivirus used for the good purposes while Black Antivirus is the same antivirus, but used for the “bad” purposes. An unexpected problem: “virus definition database” has the definitions for security tools used today in the computer security world to defend and protect computer systems. Malware could includes antivirus engine and signature definition files for security tools. To protect our tools we need to evade the Antivirus detection! Therefore, our security tools need to be a polymorphic or even metamorphic. 7/26/2016 Eng. Ammar Mahmood 45 The Black Intrusion Detection System: Malware can use IDS system to “shut down” security systems at the network level. Such malware will primary target internal corporate LAN and could carry itself an IDS engine or change the existing one with new rules (if possible). malware carry engine itselfand use MAC and ARP poisoning to sniff in a switched network. Any communication that passes the wire were the malware was able to “see” it, is a subject for this attack. The solution for this problem may be the use of covert channels 7/26/2016 Eng. Ammar Mahmood 46 Practical Examples 7/26/2016 Eng. Ammar Mahmood 47 Virus Example Win32/Simile: 7/26/2016 is a metamorphic computer virus written in assembly language for Microsoft Windows (most recent version in early March 2002) It was written by the virus writer Mental Driller When the virus is first executed, it checks the current date. If the host file (the file that is infected with the virus) imports the file User32.dll, then on the 17th of March, June, September, or December, a message is displayed. Depending on the version of the virus the case of each letter in the text is altered randomly. On May 14, a message saying "Free Palestine!" will be displayed if the system locale is set to Hebrew. Eng. Ammar Mahmood 48 Virus Example The virus then rebuilds itself. This metamorphic process is very complex and accounts for around 90% of the virus' code After the rebuild, the virus searches for executable files in folders on all fixed and remote drives. The virus contains checks to avoid infecting "goat" or "bait" files The infection process uses the structure of the host, as well as random factors, to control the placement of the virus body and the decryptor. The virus contains no destructive payload 7/26/2016 Eng. Ammar Mahmood 49 SQL slammer worm The SQL slammer worm is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic It spread rapidly, infecting most of its 75,000 victims within ten minutes. it exploited two buffer overflow bugs in Microsoft's flagship SQL Server and Desktop Engine database products The worm is a small (376 bytes) piece of code that does little other than generate random IP addresses and send itself out to those addresses. 7/26/2016 Eng. Ammar Mahmood 50 SQL slammer worm If a selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server Resolution MSDE Service, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program. The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove. 7/26/2016 Eng. Ammar Mahmood 51 Antivirus Example one of the most popular full-featured freeware anti-virus applications for Microsoft Windows users. Official website: http://www.avast.com/ 7/26/2016 Eng. Ammar Mahmood 52 Antivirus Example Features : 7/26/2016 Standard Shield — Real-time protection IM shield — Instant Messenger protection P2P shield — P2P protection Internet Mail — E-mail protection Outlook/Exchange — Microsoft Outlook/Exchange protection Web Shield — HTTP protection (local transparent proxy) Script blocker — script checker Network Shield — basic protection against well-known network worms. Acts as a lightweight Intrusion Detection System Audible alarms — vocal warnings such as "Caution, a virus has been detected!" boot-time scan — through the program interface, a user can schedule a boot-time scan to remove viruses that load during Windows startup and therefore difficult to remove. Eng. Ammar Mahmood 53 Resources http://www.securityelf.org/files/Andrey_Bayora_software_ misuse.pdf http://en.wikipedia.org/wiki/Antivirus http://www.research.ibm.com/antivirus/SciPapers/Gordo n/Strategy.html http://www.sans.org/reading_room/whitepapers/maliciou s/68.php http://en.wikipedia.org/wiki/Software_virus http://www.symantec.com/security_response/writeup.jsp ?docid=2002-030617-5423-99 http://en.wikipedia.org/wiki/Computer_virus 7/26/2016 Eng. Ammar Mahmood 54 7/26/2016 Eng. Ammar Mahmood 55