Malware Classification And Detection

Matt Banick

Broad Definition: “Let us take the easy one first. "Malware" is short for malicious software and is typically used as a catch-all term to refer to any software designed to cause damage to a single computer, server, or computer network, whether it's a virus, spyware, et al.” (1)

How to Classify Malware?
◦ Trojan, Virus, Worm, Spyware, etc.
◦ Level of compromise?

Security Classification?
◦ Degree of OS compromise
◦ Changes
◦ Security Compromise

“Stealth” Malware Taxonomy
◦ Joanna Rutkowska

Malware re-definition
◦ Changes in OS Kernel
◦ Security applications
◦ Other processes


Four types (0-3)
No true order

Type 0
◦ OS, security processes, other processes unaffected
◦ “Legal” use of APIs
◦ Still a threat!

Type 1
◦ Malware changes ‘constant’ data
◦ True ‘system compromise’

Type 2
◦ Malware changes ‘dynamic’ parts of system
◦ Similar to Type 1

Type 3
◦ Similar to Type 0... in a way
◦ Hypervisor control



Signature-based
Heuristic-based
Others?


Code-based ‘dictionary’ search
Targets static parts of Malware
For (Sig a : dictionary)..

Polymorphic Viruses
◦ Encryption + crafty = disaster

Code Obfuscation
◦ War which may never end

Metamorphic Viruses
◦ Polymorphic-Polymorphic virus!
eval('document.' + potato + '.style.color = "red"');
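The signature “dictionary” search from the previous slides, and the reason a polymorphic copy slips past it, as an added Python example that is not part of the original slides. The signature dictionary, the sample bytes, the XOR “encryption” layer and the key are all constructed for the example; the EICAR test string is used as the known-sample pattern because it is harmless.

```python
from typing import Dict, List

# Signature dictionary: name -> byte pattern taken from the static body of a
# known sample. EICAR is a harmless industry test string; the second entry is
# a constructed pattern for the example.
SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$",
    "Constructed-Beacon": b"GET /beacon HTTP/1.0",
}

def scan(data: bytes, dictionary: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """The slides' 'for (Sig a : dictionary)' loop: return the name of every
    signature whose bytes occur verbatim in the scanned data."""
    return [name for name, sig in dictionary.items() if sig in data]

def xor_encode(payload: bytes, key: bytes) -> bytes:
    """Stand-in for a polymorphic engine's per-copy encryption layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))

def scan_with_decryption(data: bytes, key: bytes) -> List[str]:
    """Emulate the decryptor (here: XOR with a recovered key) and scan the
    decoded body, which is how scanners still catch encrypted variants."""
    return scan(xor_encode(data, key))

# Constructed samples: a clean file, an infected file, and a re-keyed copy.
CLEAN = b"MZ\x90\x00 hello world, nothing to see here"
INFECTED = b"MZ\x90\x00 junk " + SIGNATURES["EICAR-Test-File"] + b" more junk"
KEY = b"\x5a\xa5"
POLYMORPHIC_VARIANT = xor_encode(INFECTED, KEY)

if __name__ == "__main__":
    print("clean:", scan(CLEAN))
    print("infected:", scan(INFECTED))
    print("variant (static scan):", scan(POLYMORPHIC_VARIANT))
    print("variant (emulated decrypt):", scan_with_decryption(POLYMORPHIC_VARIANT, KEY))
```

The static scan finds nothing in the re-keyed copy although its decoded body is byte-for-byte the known sample, which is why signature engines target the decryptor stub or scan after emulation.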

Can include different concepts
◦ Virus activity
◦ Instruction oddities
◦ File activity
◦ Network activity

Static
◦ Code review

Dynamic
◦ Watch and wait…

False-positives can be costly
◦ User indifference
◦ PR nightmare
◦ Slow

while (a < 5000)
    sleep(5);               // stall long enough for a time-limited "watch and wait" analysis to give up
// random code
some_malicious_code
// random code
some_more_malicious_code
// random code
... etc.
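The “watch and wait” dynamic heuristic above, and the delay loop that tries to wait it out, as an added Python example that is not part of the original slides. The Sandbox class, the heuristic rules and weights, the threshold of 600 seconds and both sample functions are constructed for the example; a real engine hooks OS APIs rather than a Python object.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class Sandbox:
    """Instrumented stand-in for the OS APIs a sample would call."""
    virtual_seconds: float = 0.0   # time the sample *asked* to sleep
    events: List[str] = field(default_factory=list)

    def sleep(self, seconds: float) -> None:
        # Advance a virtual clock instead of blocking the analysis.
        self.virtual_seconds += seconds

    def write_file(self, path: str) -> None:
        self.events.append(f"file:{path}")

    def connect(self, host: str, port: int) -> None:
        self.events.append(f"net:{host}:{port}")

# Constructed heuristic rules and weights; real engines carry hundreds.
def score(sb: Sandbox) -> Dict[str, int]:
    findings: Dict[str, int] = {}
    if sb.virtual_seconds > 600:      # >10 min of requested sleep: stalling
        findings["sandbox-stalling"] = 3
    if any(e.startswith("file:") and e.endswith(".exe") for e in sb.events):
        findings["drops-executable"] = 2
    if any(e.startswith("net:") for e in sb.events):
        findings["network-activity"] = 1
    return findings

def analyze(sample: Callable[[Sandbox], None]) -> Tuple[int, Dict[str, int]]:
    """Watch-and-wait under the virtual clock; return (total score, findings)."""
    sb = Sandbox()
    sample(sb)
    findings = score(sb)
    return sum(findings.values()), findings

# Constructed samples: they only talk to the Sandbox object.
def stalling_sample(sb: Sandbox) -> None:
    a = 0
    while a < 5000:          # the slides' delay loop: 5000 * 5 s, about 7 hours
        sb.sleep(5)
        a += 1
    sb.write_file(r"C:\Users\Public\update.exe")
    sb.connect("203.0.113.7", 443)

def benign_sample(sb: Sandbox) -> None:
    sb.sleep(1)
    sb.write_file(r"C:\Users\Public\report.txt")
```

Calling analyze(stalling_sample) returns a score of 6 with all three findings in well under a second of wall-clock time, while analyze(benign_sample) returns 0, so the excessive sleeping becomes an indicator instead of a way to outlast the analysis.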




What “Should” occur?
Emerging research
Math based (in a way…)
Problems
◦ Dynamic web pages
◦ Analysis is costly
◦ White-listing processes









References
(1) http://technet.microsoft.com/en-us/library/dd632948.aspx
Sony Rootkit: http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx
Polymorphic Viruses: http://www.symantec.com/avcenter/reference/striker.pdf
Obfuscation: http://delivery.acm.org/10.1145/1780000/1772720/p281cova.pdf?key1=1772720&key2=0800233031&coll=DL&dl=ACM&ip=129.244.189.101&CFID=17197576&CFTOKEN=85746334
Metamorphic Viruses: http://www.symantec.com/avcenter/reference/hunting.for.metamorphic.pdf
RDAE & Other info: http://docs.google.com/viewer?a=v&q=cache:p2XzCVP51GQJ:www.waset.org/journals/waset/v34/v3445.pdf+RDA+decryption+engines&hl=en&gl=us&pid=bl&srcid=ADGEESj7KEkEBTkeJ5ydlcAafATSGutwPlsjA8mzG6d_bsnAkUbeOoZSnfe6BIGNC4ffQZpacWFGzeKWhsH8JMn7LkYdfCwOd2q-VkDnyvrunTVfM4CSQOO1xui6uB3DUgEBc3mX_n3&sig=AHIEtbQu67h41KBkC3HjISYFceSrQFQZUQ
Samsung Issue: http://www.thetechherald.com/article.php/201113/6997/Samsung-keylogger-fears-based-on-false-positives
Heuristic Basics: http://vx.netlux.org/lib/static/vdat/epheurs1.htm
More Heuristics (Dynamic): http://service1.symantec.com/legal/publishedpatents.nsf/0/4b4a30633137923b88256df7005d6b5d/$FILE/United%20States%20Patent%206,357,008.htm
User-based detection: http://otc.rutgers.edu/pdf/Yao-09-046.pdf
User-based detection cont.: http://people.cs.vt.edu/danfeng/papers/paper106_icics2009.pdf
Blue Pill wrap: http://securitywatch.eweek.com/showdown_at_the_blue_pill_corral.html




