Antivirus Software
By: Eng. Ammar J.Mahmood
Supervised by: Dr. Lo’ai Tawalbeh
New York Institute of Technology (NYIT)Jordan’s campus
7/26/2016
Eng. Ammar Mahmood
1
Introduction



Antivirus software consists of computer
programs that attempt to identify, thwart and
eliminate computer viruses and other malicious
software (malware).
Malware or Malicious Software is software
designed to infiltrate or damage a computer
system without the owner's informed consent.
Types of malware include spyware, adware,
Trojan horses, Worms, and viruses.
7/26/2016
Eng. Ammar Mahmood
2
Malware
“Know your enemy”
7/26/2016
Eng. Ammar Mahmood
3
The Virus


A computer virus is a self-replicating computer
program written to alter the way a computer
operates, without the permission or knowledge
of the user
Why people create computer viruses?
 Some
virus writers consider their creations to be
works of art, and see virus writing as a creative hobby
 Viruses have been written as research projects,
pranks, vandalism, to attack the products of specific
companies
7/26/2016
Eng. Ammar Mahmood
4
The Virus

Why people create computer viruses?
 Some
viruses were intended as "good
viruses". They spread improvements to the
programs they infect, or delete other viruses.
These viruses are, however, quite rare, still
consume system resources, may accidentally
damage systems they infect.
7/26/2016
Eng. Ammar Mahmood
5
The Virus

Viruses can be subdivided into a number of types, the
main ones being:

Boot sector viruses:





7/26/2016
alters or hides in the boot sector, usually the 1st sector, of a
bootable disk or hard drive.
contains code for bootstrapping programs (usually activates, but not
necessarily, operating systems)
Boot sector infector viruses replace the bootstrap code in the boot
sectors (of floppy disks, hard disks, or both) with viral code.
the BIOS on IBM PC compatible machines is ignorant of whether a
disk has in fact been high-level formatted and had an operating
system installed in it
This results in a security vulnerability. A user who sees the error
message may not be aware that the code in the boot sector of the
disk has already been run by that point, and that if the disk was
infected by a boot-sector computer virus
Eng. Ammar Mahmood
6
The Virus
 Companion
viruses: creates new files (typically
.COM but can also use other extensions such as
".EXD") that have the same file names as legitimate
.EXE files. When a user types in the name of a
desired program, if a user does not type in ".EXE" but
instead does not specify a file extension, DOS will
assume he meant the file with the extension that
comes first in alphabetical order and run the virus.
 Email viruses: is a virus which uses e-mail
messages as a mode of transport. These viruses
often copy themselves by automatically mailing
copies to hundreds of people in the victim's address
book.
7/26/2016
Eng. Ammar Mahmood
7
The Virus
 Logic
bombs and time bombs: employs code that
lies inert until specific conditions (e.g.infected a
certain number of hosts ) are met. The resolution of
the conditions will trigger a certain function (such as
printing a message to the user and/or deleting files).
 Macro viruses: often written in the scripting
languages for Microsoft programs such as Word and
Excel, is spread in Microsoft Office by infecting
documents and spreadsheets.
 Cross-site scripting virus: is a type of virus that
utilizes cross-site scripting vulnerabilities to replicate.
7/26/2016
Eng. Ammar Mahmood
8
The Virus

Methods to avoid detection


Avoiding bait files and other undesirable hosts: A virus needs
to infect hosts in order to spread further. In some cases, it might
be a bad idea to infect a host program. For example, many antivirus programs perform an integrity check of their own code.
Infecting such programs will therefore increase the likelihood that
the virus is detected.
Bait files (or goat files) are files that are specially created by antivirus software



7/26/2016
Anti-virus professionals can use bait files to take a sample of a virus
Anti-virus professionals can use bait files to study the behavior of a
virus and evaluate detection methods.
Some anti-virus software employs bait files that are accessed
regularly. When these files are modified, the anti-virus software
warns the user that a virus is probably active on the system.
Eng. Ammar Mahmood
9
The Virus
 Stealth\Rootkit:
A virus can hide itself by intercepting the anti-virus
software’s request to read the file and passing the
request to the virus, instead of the OS.
 The virus can then return an uninfected version of
the file to the anti-virus software, so that it seems
that the file is "clean“.
 Modern anti-virus software employs various
techniques to counter stealth mechanisms of
viruses.

7/26/2016
Eng. Ammar Mahmood
10
The Virus
A rootkit is a set of software tools intended to
conceal running processes, files or system data
from the operating system
 Rootkit types:

Virtualised: These rootkits work by modifying the boot
sequence of the machine to load themselves instead of
the original operating system. Once loaded into memory
a virtualised rootkit then loads the original operating
system as a Virtual Machine thereby enabling the rootkit
to intercept all hardware calls made by the guest OS
 Kernel level:Kernel level rootkits add additional code
and/or replace a portion of kernel code with modified
code to help hide a backdoor on a computer system

7/26/2016
Eng. Ammar Mahmood
11
The Virus

Rootkit types




7/26/2016
Library level :commonly patch, hook, or replace system calls
with versions that hide information about the attacker.
Application level rootkits may replace regular application
binaries with trojanized fakes, or they may modify the behavior
of existing applications using hooks, patches, injected code, or
other means.
The only completely reliable method to avoid stealth is to
boot from a medium that is known to be clean.
Done byshut down the computer suspected of infection and
check its storage by booting from an alternative media (e.g.
rescue CD-ROM or USB flash drive). A non-running rootkit
cannot hide its presence and most established antivirus
programs will identify rootkits armed via standard OS calls
Eng. Ammar Mahmood
12
The Virus
 Self-modification:



7/26/2016
Some viruses employ techniques that make detection by
means of signatures difficult or impossible.
These viruses modify their code on each infection. That is,
each infected file contains a different variant of the virus.
Simple self-modifications: some viruses modified themselves
only in simple ways. For example, they regularly exchanged
subroutines in their code for others that would perform the
same action - for example, 2+2 could be swapped for 1+3.
This poses no problems to a somewhat advanced virus
scanner.
Eng. Ammar Mahmood
13
The Virus
 Encryption




7/26/2016
with a variable key:
A more advanced method is the use of simple encryption to
encipher the virus.
the virus consists of a small decrypting module and an
encrypted copy of the virus code
the virus is encrypted with a different key for each infected
file, the only part of the virus that remains constant is the
decrypting module.
a virus scanner cannot directly detect the virus using
signatures, but it can still detect the decrypting module, which
still makes indirect detection of the virus possible.
Eng. Ammar Mahmood
14
The Virus
 Polymorphic




7/26/2016
code:
Polymorphic code was the first technique that posed a
serious threat to virus scanners.
Same as encrypted viruses except that decryption module is
also modified on each infection.
To enable polymorphic code, the virus has to have a
polymorphic engine (also called mutating engine or mutation
engine) somewhere in its encrypted body
Anti-virus software can detect it by decrypting the viruses
using an emulator, or by statistical pattern analysis of the
encrypted virus body.
Eng. Ammar Mahmood
15
The Virus

Metamorphic code:




7/26/2016
To avoid being detected by emulation, some viruses rewrite
themselves completely each time they are to infect new
executables.
it does this by translating its own code into a temporary
representation, and then back to normal code again
Metamorphic code is more effective than polymorphic code. This
is because most anti-virus software will try to search for known
virus-code even during the execution of the code
A metamorphic virus is usually very large and complex. For
example, W32/Simile consisted of over 14000 lines of Assembly
language code, 90% of it part of the metamorphic engine.
Eng. Ammar Mahmood
16
The Virus

Replication strategies
 In
order to replicate itself, a virus must be
permitted to execute code and write to
memory. For this reason, many viruses attach
themselves to executable files that may be
part of legitimate programs
 Viruses can be divided into two types, on the
basis of their behavior when they are
executed
7/26/2016
Eng. Ammar Mahmood
17
The Virus
 Nonresident
viruses:
immediately search for other hosts that can be
infected, infect these targets, and finally transfer
control to the application program they infected
 Nonresident viruses can be thought of as
consisting of a finder module and a replication
module
 The finder module is responsible for finding new
files to infect. For each new executable file the
finder module encounters, it calls the replication
module to infect that file.

7/26/2016
Eng. Ammar Mahmood
18
The Virus

Resident viruses



7/26/2016
Resident viruses do not search for hosts when they are started.
Instead, a resident virus loads itself into memory on execution
and transfers control to the host program.
The virus stays active in the background and infects new hosts
when those files are accessed by other programs or the
operating system itself.
Resident viruses contain a replication module that is similar to
the one that is employed by nonresident viruses. However, this
module is not called by a finder module. Instead, the virus loads
the replication module into memory when it is executed and
ensures that this module is executed each time the operating
system is called to perform a certain operation
Eng. Ammar Mahmood
19
The Virus
 Resident
viruses are sometimes subdivided into a
category:

Fast infectors: are designed to infect as many files as
possible. It can infect every potential host file that is
accessed.


7/26/2016
This poses a special problem to anti-virus software, since a
virus scanner will access every potential host file on a computer
when it performs a system-wide scan. If the virus scanner fails
to notice that such a virus is present in memory, the virus can
"piggy-back" on the virus scanner and in this way infect all files
that are scanned.
The disadvantage of this method is that infecting many files
may make detection more likely, because the virus may slow
down a computer or perform many suspicious actions that can
be noticed by anti-virus software.
Eng. Ammar Mahmood
20
The Virus
 2nd
category Slow infectors:
are designed to infect hosts infrequently. For
instance, some slow infectors only infect files when
they are copied.
 Slow infectors are designed to avoid detection by
limiting their actions: they are less likely to slow
down a computer noticeably, and will at most
infrequently trigger anti-virus software that detects
suspicious behavior by programs.
 The slow infector approach does not seem very
successful however.

7/26/2016
Eng. Ammar Mahmood
21
The Virus

Host types:






7/26/2016
Binary executable files (such as COM files and EXE files in MSDOS, Portable Executable files in Microsoft Windows, and ELF
files in Linux)
Volume Boot Records of floppy disks and hard disk partitions
The master boot record (MBR) of a hard disk
General-purpose script files (such as batch files in MS-DOS and
Microsoft Windows, VBScript files, and shell script files on Unixlike platforms).
Application-specific script files (such as Telix-scripts)
Documents that can contain macros (such as Microsoft Word
documents, Microsoft Excel spreadsheets, AmiPro documents,
and Microsoft Access database files)
Eng. Ammar Mahmood
22
The Worm



A computer worm is a self-replicating computer
program. It uses a network to send copies of
itself to other nodes (computer terminals on the
network) and it may do so without any user
intervention.
Unlike a virus, it does not need to attach itself to
an existing program.
Worms always harm the network (if only by
consuming bandwidth), whereas viruses always
infect or corrupt files on a targeted computer.
7/26/2016
Eng. Ammar Mahmood
23
The Worm

Types of computer worms:
 Email
Worms Spread via email messages. Typically
the worm will arrive as email, where the message
body or attachment contains the worm code, but it
may also link to code on an external website.
 Instant messaging worms The spreading used is via
instant messaging applications by sending links to
infected websites to everyone on the local contact list
 IRC worms Chat channels are the main target and
the same infection/spreading method is used as
above
7/26/2016
Eng. Ammar Mahmood
24
The Worm

Types of computer worms:
 File-sharing
networks worms Copies itself into a
shared folder, most likely located on the local
machine. The worm will place a copy of itself in a
shared folder under a harmless name. Now the worm
is ready for download via the P2P network and
spreading of the infected file will continue.
 Internet worms


7/26/2016
Those which target low level TCP/IP ports directly, rather
than going via higher level protocols such as email or IRC.
A classic example is "Blaster" which exploited a vulnerability
in Microsoft's Remote procedure call (RPC). An infected
machine aggressively scans random computers on both its
local network and the public Internet attempting an exploit
against port 135 which, if successful, spreads the worm to
that machine.
Eng. Ammar Mahmood
25
The Worm

Payloads:
 Many
worms have been created which are only
designed to spread, and don't attempt to alter the
systems they pass through.
 A "payload" is code designed to do more than spread
the worm - it might delete files on a host system (e.g.
the ExploreZip worm), encrypt files in a cryptoviral
extortion attack, or send documents via e-mail.
 A very common payload for worms is to install a
backdoor in the infected computer to allow the
creation of a "zombie" under control of the worm
author
7/26/2016
Eng. Ammar Mahmood
26
Antivirus SW
7/26/2016
Eng. Ammar Mahmood
27
Antivirus

Antivirus software typically uses two different
techniques to accomplish his mission:
 Examining
(scanning) files to look for known viruses
matching definitions in a virus dictionary
 Identifying suspicious behavior from any computer
program which might indicate infection. Such analysis
may include data captures, port monitoring and other
methods.
7/26/2016
Eng. Ammar Mahmood
28
Antivirus modes

Anti-virus programs have two basic modes:
 “static”
file scanning: useful for when you have to
scan a file or a volume to check to see if any of the
files are currently infected with malware
 real-time “dynamic” scanning: is really what is needed
to prevent the computer from getting infected in the
first place. In this mode, all files that the operating
system opens or uses are scanned first before they
are fully opened.
7/26/2016
Eng. Ammar Mahmood
29
Approaches

Dictionary


1.
2.
3.
7/26/2016
A signature is a characteristic byte-pattern that is part of a
certain virus or family of viruses
In the virus dictionary approach, when the antivirus software
examines a file, it refers to a dictionary of known viruses that the
authors of the antivirus software have identified. If a piece of
code in the file matches any virus identified in the dictionary,
then the antivirus software can take one of the following actions:
attempt to repair the file by removing the virus itself from the file
quarantine the file (such that the file remains inaccessible to
other programs and its virus can no longer spread)
delete the infected file
Eng. Ammar Mahmood
30
Approaches

Dictionary
 the
virus dictionary approach requires periodic
(generally online) downloads of updated virus
dictionary entries.
 users identify new viruses "in the wild", they can send
their infected files to the authors of antivirus software,
who then include information about the new viruses in
their dictionaries.
 Dictionary-based antivirus software typically
examines files when the computer's operating system
creates, opens, closes or e-mails them. In this way it
can detect a known virus immediately upon receipt
7/26/2016
Eng. Ammar Mahmood
31
Approaches

Dictionary
 System Administrator
can typically schedule
the antivirus software to examine (scan) all
files on the user's hard disk on a regular
basis.
 Although the dictionary approach can
effectively contain virus outbreaks in the right
circumstances.
7/26/2016
Eng. Ammar Mahmood
32
Approaches

Dictionary
 Virus’s
Technology to avoid the Dictionary
Approach is:
Metamorphic code
 Polymorphic code
 Oligomorphic engine is generally used by a
computer virus to generate a decryptor for itself in
a way comparable to a simple polymorphic engine

7/26/2016
Eng. Ammar Mahmood
33
Approaches

Dictionary
 Previous technology
 Polymorphism:



7/26/2016
weakness are:
A small portion of it is left unencrypted and used to jumpstart
the encrypted software. Anti-virus software targets this small
unencrypted portion of code.
Anti-virus software can detect it by decrypting the viruses using
an emulator, or by statistical pattern analysis of the encrypted
virus body.
most oligomorphic viruses aren't able to generate more than
just a few hundred different decryptors, so detecting them
with simple signatures is still possible
Eng. Ammar Mahmood
34
Approaches

Suspicious behavior:
 The
suspicious behavior approach doesn't
attempt to identify known viruses, but instead
monitors the behavior of all programs.
 If one program tries to write data to an
executable program, for example, the
antivirus software can flag this suspicious
behavior, alert a user and ask what to do.
7/26/2016
Eng. Ammar Mahmood
35
Approaches

Suspicious behavior
 the
suspicious behavior approach therefore provides
protection against brand-new viruses that do not yet
exist in any virus dictionaries.
 However, it can also sound a large number of false
positives, and users probably become desensitized to
all the warnings.
 If the user clicks "Accept" on every such warning,
then the antivirus software obviously gives no benefit
to that user
7/26/2016
Eng. Ammar Mahmood
36
Approaches

Suspicious behavior weakness
 The
fact the many legal SW behave like malicious
SW make the job of antivirus harder
 Ex:There are commercial software that have many
features as dynamic code encryption/decryption, code
replace, metamorphic engine, API export, anti
debug/dump/trace and more. They are used to
protect software programs from illegal use(cracking
and reverse engineering)
7/26/2016
Eng. Ammar Mahmood
37
Approaches

Heuristic analysis:
 try
to emulate the beginning of the code of each new
executable that the system invokes before
transferring control to that executable.
 If the program seems to use self-modifying code or
otherwise appears as a virus (if it immediately tries to
find other executables, for example), one could
assume that a virus has infected the executable.
 Heuristic scanners have a higher rate of false
positives than do signature scanners but they have
the significant advantage of being able to detect
unknown viruses.
7/26/2016
Eng. Ammar Mahmood
38
Approaches

Sandbox:
 sandbox is a security mechanism for safely
running programs. It is often used to execute
untested code, or programs from unverified
third-parties, suppliers and untrusted users.
 emulates
the operating system and runs the
executable in this simulation. After the program has
terminated, software analyzes the sandbox for any
changes which might indicate a virus.
 Because of performance issues, this type of detection
normally only takes place during on-demand scans
7/26/2016
Eng. Ammar Mahmood
39
Approaches

Sandbox:
 Also
this method may fail as virus can be
nondeterministic and result in different actions
or no actions at all done then run - so it will be
impossible to detect it from one run.
 The sandbox typically provides a tightlycontrolled set of resources for guest programs
to run in
7/26/2016
Eng. Ammar Mahmood
40
Weaknesses of antivirus SW
Many security professionals agree that the
current approach to defend against
malicious software with antivirus is not
good enough, but it is best solution that we
have right now.
 Here is the brief summary of the main
shortcomings in the antivirus software:

7/26/2016
Eng. Ammar Mahmood
41
Weaknesses of antivirus SW
1. Reactive approach: Your antivirus as good as your
definition files. If you did not update them, the antivirus
program will not be able to detect a new malware. The
most critical problems for the antivirus software to detect
malicious code are:



new or modified malicious code
rootkit programs
Software Misuse
2. Inability to protect themselves: With sufficient system
permissions, malware can change antivirus settings and
configuration.
7/26/2016
Eng. Ammar Mahmood
42
Weaknesses of antivirus SW
3. Inability to revert the results of malware infection
process.



7/26/2016
Too often, “installation process” of malware includes copying
files, changing registry and system configuration files, changing
other software configuration. Some of these changes still present
in the infected system, even after an antivirus program delete or
disinfect malware files.
Almost for every severe virus/worm, antivirus vendors issues
“Removal Tool”.
this is means that the antivirus vendors saying to their
customers: “our antivirus isn’t good enough to clean your system
– please use this tool”
Eng. Ammar Mahmood
43
Retro Viruses




retro viruses are the viruses that attack security
programs
“Attack is the best defense strategy”
The malware instead of hiding from detection by
security SW it target these SW as its (part of)
malicious action
We will discuss in the next slides some of the
technique used by the Retro viruses
7/26/2016
Eng. Ammar Mahmood
44
The Black Antivirus


a(white) antivirus used for the good purposes while
Black Antivirus is the same antivirus, but used for the
“bad” purposes.
An unexpected problem:



“virus definition database” has the definitions for security tools
used today in the computer security world to defend and protect
computer systems.
Malware could includes antivirus engine and signature definition
files for security tools.
To protect our tools we need to evade the Antivirus
detection! Therefore, our security tools need to be a
polymorphic or even metamorphic.
7/26/2016
Eng. Ammar Mahmood
45
The Black Intrusion Detection
System:
 Malware
can use IDS system to “shut down” security
systems at the network level.
 Such malware will primary target internal corporate
LAN and could carry itself an IDS engine or change
the existing one with new rules (if possible).
 malware carry engine itselfand use MAC and ARP
poisoning to sniff in a switched network.
 Any communication that passes the wire were the
malware was able to “see” it, is a subject for this
attack.
 The solution for this problem may be the use of
covert channels
7/26/2016
Eng. Ammar Mahmood
46
Practical
Examples
7/26/2016
Eng. Ammar Mahmood
47
Virus Example

Win32/Simile:




7/26/2016
is a metamorphic computer virus written in assembly language
for Microsoft Windows (most recent version in early March 2002)
It was written by the virus writer Mental Driller
When the virus is first executed, it checks the current date. If the
host file (the file that is infected with the virus) imports the file
User32.dll, then on the 17th of March, June, September, or
December, a message is displayed.
Depending on the version of the virus the case of each letter in
the text is altered randomly. On May 14, a message saying "Free
Palestine!" will be displayed if the system locale is set to Hebrew.
Eng. Ammar Mahmood
48
Virus Example





The virus then rebuilds itself. This metamorphic process
is very complex and accounts for around 90% of the
virus' code
After the rebuild, the virus searches for executable files
in folders on all fixed and remote drives.
The virus contains checks to avoid infecting "goat" or
"bait" files
The infection process uses the structure of the host, as
well as random factors, to control the placement of the
virus body and the decryptor.
The virus contains no destructive payload
7/26/2016
Eng. Ammar Mahmood
49
SQL slammer worm




The SQL slammer worm is a computer worm that
caused a denial of service on some Internet hosts and
dramatically slowed down general Internet traffic
It spread rapidly, infecting most of its 75,000 victims
within ten minutes.
it exploited two buffer overflow bugs in Microsoft's
flagship SQL Server and Desktop Engine database
products
The worm is a small (376 bytes) piece of code that does
little other than generate random IP addresses and send
itself out to those addresses.
7/26/2016
Eng. Ammar Mahmood
50
SQL slammer worm


If a selected address happens to belong to a
host that is running an unpatched copy of
Microsoft SQL Server Resolution MSDE
Service, the host immediately becomes infected
and begins spraying the Internet with more
copies of the worm program.
The worm is so small that it does not contain
code to write itself to disk, so it only stays in
memory, and it is easy to remove.
7/26/2016
Eng. Ammar Mahmood
51
Antivirus Example
one of the most popular full-featured
freeware anti-virus applications for
Microsoft Windows users.
 Official website: http://www.avast.com/

7/26/2016
Eng. Ammar Mahmood
52
Antivirus Example

Features :










7/26/2016
Standard Shield — Real-time protection
IM shield — Instant Messenger protection
P2P shield — P2P protection
Internet Mail — E-mail protection
Outlook/Exchange — Microsoft Outlook/Exchange protection
Web Shield — HTTP protection (local transparent proxy)
Script blocker — script checker
Network Shield — basic protection against well-known network
worms. Acts as a lightweight Intrusion Detection System
Audible alarms — vocal warnings such as "Caution, a virus has
been detected!"
boot-time scan — through the program interface, a user can
schedule a boot-time scan to remove viruses that load during
Windows startup and therefore difficult to remove.
Eng. Ammar Mahmood
53
Resources







http://www.securityelf.org/files/Andrey_Bayora_software_
misuse.pdf
http://en.wikipedia.org/wiki/Antivirus
http://www.research.ibm.com/antivirus/SciPapers/Gordo
n/Strategy.html
http://www.sans.org/reading_room/whitepapers/maliciou
s/68.php
http://en.wikipedia.org/wiki/Software_virus
http://www.symantec.com/security_response/writeup.jsp
?docid=2002-030617-5423-99
http://en.wikipedia.org/wiki/Computer_virus
7/26/2016
Eng. Ammar Mahmood
54
7/26/2016
Eng. Ammar Mahmood
55