INTELLIGENT MALWARE DETECTION
Individual Paper – Michael Hite
Instructor: Yenumula V Reddy
Sponsor: Yangfeng Ye

Hite Page |1

Table of Contents

Introduction to Malware ..... 2
    Adware ..... 2
    Bot ..... 2
    Bug ..... 2
    Ransomware ..... 3
    Rootkit ..... 3
    Spyware ..... 3
    Virus ..... 3
    Worm ..... 3
    Trojan Horse ..... 4
History of Malware ..... 4
    Early Days of Malware ..... 4
    Recent Malware ..... 4
Needs ..... 5
Stakeholders ..... 6
Design ..... 6
Features ..... 6
Bibliography ..... 7

Introduction to Malware:

Malware is defined as software that is intended to damage or disable computers or computer systems, but this definition does not truly encompass everything that is considered malware. There are several different types of malware: Adware, Bots, Bugs, Ransomware, Rootkits, Spyware, Viruses, Worms, and the infamous Trojan Horse. This report briefly discusses what each type of malware does in order to give the reader a better understanding of what this project is trying to accomplish.

Adware:

Adware is short for advertising-supported software. This is the type of malware that delivers advertisements automatically when you enter certain web pages. Adware is more commonly known as "pop-ups", and although most adware is simply designed as a way to advertise, it is not uncommon to see spyware bundled with it.
Because of the capabilities of spyware, adware and spyware seen together are much more dangerous than adware alone.

Bot:

Bots are programs designed to perform a specific set of operations automatically. While there are bots that have been created for harmless and trivial purposes (such as video games, internet auctions, and online contests), there are also malicious bots. Malicious bots are generally used in botnets – collections of computers controlled by third parties – for Denial of Service attacks, as spambots, as web spiders, and for distributing malware. A Denial of Service attack is when a website receives more incoming requests than it is capable of handling, so the time it takes for requests to be processed increases or the requests cannot be processed at all. Spambots are a way of rendering advertisements on websites, and web spiders are a way of taking data from a server. Websites can guard against bots with relative ease by using a CAPTCHA test. These are simple tests that verify that the user is human.

Bug:

A bug is more of a flaw in the software than it is malware. Although bugs may not be malware, it is relevant to know that bugs can cause websites to freeze or crash, and that security bugs can allow unauthorized access to users who know how to exploit them.

Ransomware:

Ransomware essentially "steals" the computer from a user while demanding compensation for returning it. It "steals" the computer by encrypting files, locking down the system, or restricting access to the computer, while it displays messages intended to force the user to pay the creator of the malware to remove the restrictions and re-allow access to the computer. Ransomware typically spreads like a worm (described below).

Rootkit:

Rootkits are a very dangerous type of malware, as they are designed to remotely access a computer undetectably.
This allows the rootkit to alter system configurations and user settings (including malware detection settings), run programs, access files, install other malware, or be used as part of a botnet. Because of their stealthy behavior, rootkits can be extremely hard to detect and remove.

Spyware:

Spyware is a malware program that basically functions by spying on the user. Spyware can include activity monitoring, collecting keystrokes, data harvesting (login information, account information, financial data, etc.), and more. Spyware also attempts to modify security settings to interfere with software and network connections. Spyware spreads by exploiting security vulnerabilities and by attaching itself to other software or Trojans.

Virus:

A virus is a type of malware that can replicate itself and spread to other computers. Viruses often spread by attaching themselves to programs and executing their code when the user launches the infected program. They also spread through documents, vulnerabilities in web applications, and script files. Viruses are used to steal information, harm computers and networks, steal money, display advertisements, and create botnets.

Worm:

Computer worms are one of the most common types of malware. They spread by exploiting vulnerabilities in the operating system of computers. Worms are harmful in that they consume bandwidth and overload web servers. Worms can also contain pieces of code that perform actions other than just spreading the worm. These pieces of code are usually intended to steal data, create botnets, or delete files. Worms and viruses may sound very similar, but there are several ways to distinguish between the two. The biggest difference between a worm and a virus is that while a virus relies on human activity to replicate and spread, a worm does not. Worms often send mass emails with copies of themselves attached in order to spread.
Trojan Horse:

Commonly known as a Trojan, the Trojan Horse is malware that disguises itself as a normal file or program to entice users to download and install it. Trojans can give another party remote access to the infected computer. Once the attacker has access to the computer, they can steal information, monitor user activity, use the computer in botnets, modify files, install more malware, and practically do anything they want with the computer.

History of Malware:

Early Days of Malware:

Over the years malware has changed significantly. In 1971, the "Creeper Virus" was created. This was the first known virus, and while not malicious in intent, it did foreshadow the future of malicious attacks. Infected computers would simply display the message "capture the creeper". The "Reaper" was then created to find and "destroy" the Creeper Virus and is considered one of the first anti-virus programs. The first Trojan was released in 1978. Known as ANIMAL, the Trojan did not destroy systems, but was able to spread by copying itself over networks while the user was playing a game. In 1988, the Morris Worm was created and was the first worm to spread extensively through the internet.

Recent Malware:

In 2014, "Heartbleed" was discovered as malware that exploited the OpenSSL cryptography library, which is used in the TLS protocol. It allowed the theft of servers' private keys and of the cookies and passwords of users' sessions. Around the time of its discovery, it is believed that about 17% (approximately 500,000) of all secure web servers certified by trusted authorities were infected. The difference between Heartbleed and other malware is that Heartbleed exposed a vulnerability in SSL. SSL is the secure socket layer, which helps secure most internet transactions; therefore, this is not something normal internet users could avoid if they had information stored on an infected server.

In 2013, the Target Credit Card Breach was discovered.
Before Thanksgiving 2013, phishing software was installed on Target's security and payment systems. This software was designed to steal every credit card used at any of Target's 1,797 stores. This was the largest credit card breach in United States retail history until recently, when Home Depot was compromised. Approximately 40 million card accounts were stolen, and the personal data of 70 million customers was also stolen in the breach. As long as a year later, the effects of this breach are still being felt by Target as their stock value is consistently dropping. Ironically, Target had installed a new anti-malware system called FireEye (costing $1.6 million) months before the heist, but it had been turned off. If this software had been turned on, it would have easily caught the phishing software that caused this heist.

Stuxnet was discovered in 2010. Stuxnet was a Windows worm approximately 1000% larger than a typical worm. It infected a system and hid itself using a rootkit, while checking to see if the system was connected to a "Siemens Simatic factory system". Once the connection was found, the worm changed the commands sent from the Windows computer to the Programmable Logic Controller. This worm was designed to impair the ability of a centrifuge to enrich uranium; F-Secure Labs estimates it would take approximately ten man-years of work to fix the virus. This worm damaged Iran's centrifuges and delayed its uranium enrichment efforts.

CryptoLocker is a Trojan virus from 2013 that targeted computers running Microsoft Windows. It encrypted files on a user's hard drive and then prompted the user to pay for the decryption key. CryptoLocker is considered to be the first true ransomware.

The last malware discussed in recent history is SpyEye. SpyEye was a Trojan Horse virus that stole money from bank accounts while simultaneously creating falsified statements to show that the money was still there.
SpyEye was active between 2009 and 2011 and infected more than 1.4 million computers. The developer, a Russian named Aleksandr Andreevich Panin, is believed to have sold the virus to at least 150 cybercriminals who compromised more than 10,000 bank accounts. One of these clients is reported to have made $3.2 million in a six-month period.

Needs:

The needs for our system are very simple. We need the program to be reliable, be maintainable, use as few system resources as possible, be cost effective, and be easy to use. The most important of these needs is the reliability of the program. If the program is unreliable, it will be hard to market and will not help people protect their systems. Second is ease of use: if the program is difficult to use, people just will not use it, and again this will make it hard for us to help them protect their systems. Maintenance and cost come next, as an unmaintained product becomes useless and outdated quickly, and if people cannot afford the program or we cannot afford to make it, what good is the program? Last is the load on system resources; while we do not want a significant share of system resources tied up scanning files, we would rather the program get the job done than not do it at all.

Stakeholders:

The stakeholders involved with this software project would be anyone it is marketed to. Seeing as this software will be attempting to detect malware, and that malware exists on the internet, to which almost every modern-day computer will be connected at some point in its existence, this software can be marketed to anyone who uses a computer. Other stakeholders will include other companies that market malware detection software, because they will be competing with our product.

Design:

Our group has not yet determined the final design of our project, but we have developed a strategy for the development of our product.
Our goal is to determine which files on a computer are malicious by examining their API calls. To do this, we have to open the header of the PE files. PE files, or portable executables, are the files that begin and execute programs; this is where many viruses, Trojans, and worms wait for users to activate them. Many of these viruses have similar API calls, and this is one of the ways we plan to distinguish malicious from benign software. Another way we plan to detect malicious software is by looking at the signatures of the files being scanned and comparing them to the signatures of known malware.

Our plan with the API calls is to take every API call that has not been seen already and assign it an integer. After each API call has an integer value assigned to it, we plan to take every API call from each file and put it into an integer vector. Once we have all the API calls for all files in their integer vectors, this will help us identify which programs are malicious, because API calls are the most effective way to see exactly what a program is doing. By knowing what the programs are trying to do, we can sort out which programs are benign and which are malicious.

Features:

As stated earlier, we have not completed the final design of our program, and along the same lines we have not decided the features that will be in the final product. However, there are some features we have decided we would like to implement. One of the first features we would like to implement is a way to check an individual file for maliciousness. This will be essential in order to check whether the software is working. There are also several other features we plan to implement. They will be included as soon as possible.

Bibliography:

Sites:

"Blog." Veracode. N.p., n.d. Web. 22 Oct. 2014.
"Parse a PE (EXE, DLL, OCX Files) and New Dependency Walker." CodeProject. N.p., n.d. Web. 22 Oct. 2014.
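The API-call encoding and the signature comparison described in the Design section, as an added example that is not part of this paper or the group's project. It assumes the imported API names have already been read out of each PE file's import table (for instance with the pefile library, which the paper does not mention); the import lists, the file bytes, the known hash and the similarity threshold below are constructed assumptions, not data from the paper.

```python
# Added example: integer-encode each file's imported API names as the Design
# section describes, then compare the result to known-malicious vectors.
# Assumption: import names were already extracted from the PE import table
# (e.g. with the pefile library); all sample data below is constructed.
import hashlib


class ApiVocabulary:
    """Assigns every API name that has not been seen before the next integer."""

    def __init__(self):
        self.ids = {}

    def encode(self, api_names):
        """Return one file's import list as an integer vector (order kept)."""
        vec = []
        for name in api_names:
            if name not in self.ids:
                self.ids[name] = len(self.ids)
            vec.append(self.ids[name])
        return vec


def jaccard(vec_a, vec_b):
    """Overlap between the API sets behind two integer vectors, 0.0 .. 1.0."""
    a, b = set(vec_a), set(vec_b)
    return len(a & b) / len(a | b) if a | b else 0.0


def classify_by_api(vec, malicious_vecs, threshold=0.6):
    """Flag a file whose API set overlaps a known-malicious vector strongly."""
    score = max((jaccard(vec, m) for m in malicious_vecs), default=0.0)
    return score >= threshold, round(score, 3)


def signature_match(file_bytes, known_hashes):
    """Signature check: compare the file's SHA-256 with hashes of known malware."""
    return hashlib.sha256(file_bytes).hexdigest() in known_hashes


# Constructed sample data: an injection-style import list (malicious),
# an ordinary file-I/O import list (benign), and an unknown file to classify.
KNOWN_MALICIOUS_IMPORTS = ["VirtualAllocEx", "WriteProcessMemory",
                           "CreateRemoteThread", "LoadLibraryA", "GetProcAddress"]
KNOWN_BENIGN_IMPORTS = ["CreateFileW", "ReadFile", "WriteFile",
                        "CloseHandle", "MessageBoxW"]
UNKNOWN_IMPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAllocEx",
                   "WriteProcessMemory", "CreateRemoteThread", "CloseHandle"]
KNOWN_HASHES = {hashlib.sha256(b"constructed malware sample").hexdigest()}


def analyze_unknown():
    """Build the vocabulary from known files, then score the unknown file."""
    vocab = ApiVocabulary()
    malicious_vec = vocab.encode(KNOWN_MALICIOUS_IMPORTS)
    vocab.encode(KNOWN_BENIGN_IMPORTS)  # benign names still get integers
    unknown_vec = vocab.encode(UNKNOWN_IMPORTS)
    flagged, score = classify_by_api(unknown_vec, [malicious_vec])
    return unknown_vec, flagged, score  # ([3, 4, 0, 1, 2, 8], True, 0.833)
```

The unknown file shares five of its six imports with the malicious vector, so its Jaccard score of 5/6 clears the 0.6 threshold, while a benign file sharing only CloseHandle would score 0.1 and pass.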