Classification
and Prevention
Mike Morain
A Brief History
John Von Neumann
o 1949 - Developed the first self-replicating automata
Veith Risak
o 1972 - Wrote the first self-reproducing program for a
SIEMENS 4004/35 computer
Creeper
First controlled virus
Developed by Bob Thomas, released on ARPANET in 1971 for the TENEX OS
Behaved more like a modern worm
o Would replicate itself onto machines around the NET,
and display the message "I'm the creeper, catch me if
you can!"
o Would begin to print a file, pause, find a network system,
and transfer
o Relatively harmless. More a proof-of-concept than
anything. Actually removed itself if it found another
copy, then moved on.
Malware Today
Not so benign
Motivations:
o Creating zombie machines for botnets
(DDoS attacks, etc.)
o Identity theft and impersonation
o Monetary gains (credit card fraud, bank
fraud, etc.)
o Many other nefarious goals
Types of Viruses
Boot Sector
File
Macro
Encrypted
Stealth
Polymorphic
Metamorphic
Worms
A Structural Breakdown
Infection Mechanism
Trigger
Payload
Phases
o Dormant Phase
o Propagation Phase
o Triggering Phase
o Executing Phase
Trigger
o Opening the email attachment
Payload
o 1. TCP Backdoor on port 3127 by overwriting local DLLs
and running as a child process of Windows Explorer
o 2. Launched a DDoS attack against the Caldera
International (software company) on 1st of February,
2004
Infection Mechanism
The means by which a virus spreads
Early on, this was done via floppy drives, etc., but now
the Internet makes this far easier.
Attach to common downloads, music, videos,
software, screensavers etc.
Spread through emails as attachments
Spread on thumb drives (Pentagon example)
Infection vectors vary, payloads stay relatively
constant
There are many other infection mechanisms: PDF
files, infected image files, visiting infected web pages,
office macros, etc.
Trigger
The mechanism by which the payload is activated.
For simply malicious viruses, this is often the simple
act of opening the infected file
For more devious or surreptitious viruses, like trojan
horses, backdoors, or botnet infections, the trigger
usually has to do with the intended purpose:
o DDoS: Triggered by time/date to attack on, or by the controllers directly
o Credit/Bank fraud: Activated when the user visits a bank site, etc.
Payload
This is the intended action of the virus
Goals relatively constant
Malicious code (format hard drive,
delete important files; old school)
Botnets
o DDoS, hosting phishing sites, etc.
Trojans
o back doors, keyloggers
o Searching for personal or financial information
Trigger
o Begins execution on install
Payload
o Hijacks various OS process calls
o Changes web proxy
Combatting Malware
Prevention
o Ideal solution
o This requires detection during the propagation phase.
What do we do today?
Modern Antivirus
Software
1st Generation: simple scanners
o Require signatures to detect the behavior of
known viruses
o Often look at program length and alert the
administrators if anything has changed
o Not so good for zero-day attacks
Tripwire
http://original.jamesthornton.com/redhat/linux/9/ReferenceGuide/figs/tripwire/tripwire.png
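The first-generation approach described above, as an added example (not code from the slides or from Tripwire): a signature scan for byte patterns of known malware, plus a Tripwire-style baseline that records length and hash per file and alerts on any change. The file contents and the signature database are constructed for this example; the Creeper string is the one quoted earlier in the slides.

```python
"""First-generation detection: signature scan plus Tripwire-style integrity
baseline (length and hash per file).  Added example with a constructed
in-memory file set and constructed signatures."""
import hashlib

# Constructed signature database.  The Creeper string is the message the
# slides quote; the "demo-dropper" pattern is invented for this example.
SIGNATURES = {
    "creeper": b"I'm the creeper, catch me if you can!",
    "demo-dropper": b"\x4d\x5a\x90\x00DEMO-DROPPER",
}


def fingerprint(data: bytes) -> tuple:
    """Length and SHA-256: the facts a Tripwire-style baseline records."""
    return len(data), hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Snapshot a known-clean file set (path -> (length, hash))."""
    return {path: fingerprint(data) for path, data in files.items()}


def check_integrity(baseline: dict, files: dict) -> list:
    """Compare the current file set with the baseline.  Returns sorted
    (path, reason) alerts.  No signature knowledge is needed, so this still
    notices modifications made by code no signature describes yet."""
    alerts = []
    for path, old in baseline.items():
        if path not in files:
            alerts.append((path, "removed"))
            continue
        new = fingerprint(files[path])
        if new != old:
            # A length-only check (what the slides mention) misses a same-size
            # overwrite; the hash comparison catches it.
            reason = "length changed" if new[0] != old[0] else "content changed"
            alerts.append((path, reason))
    for path in files.keys() - baseline.keys():
        alerts.append((path, "new file"))
    return sorted(alerts)


def scan_signatures(files: dict, signatures: dict = SIGNATURES) -> list:
    """Flag every file containing a known pattern: sorted (path, name)."""
    return sorted((path, name)
                  for path, data in files.items()
                  for name, pattern in signatures.items()
                  if pattern in data)


# Constructed file sets: a clean baseline and the same system "after".
CLEAN = {
    "/usr/bin/ls": b"\x7fELF" + b"\x00" * 64,
    "/usr/bin/cat": b"\x7fELF" + b"\x01" * 64,
}
INFECTED = {
    # appending virus: grows the host and carries a known string
    "/usr/bin/ls": CLEAN["/usr/bin/ls"] + SIGNATURES["creeper"],
    # same-length overwrite by something no signature knows yet
    "/usr/bin/cat": b"\x7fELF" + b"\x02" * 64,
    # dropped file matching a signature
    "/tmp/dropper": SIGNATURES["demo-dropper"],
}

if __name__ == "__main__":
    baseline = build_baseline(CLEAN)
    print("integrity:", check_integrity(baseline, INFECTED))
    print("signatures:", scan_signatures(INFECTED))
```

Running it shows the two halves of the first generation side by side: the signature scan names the two files that carry known patterns but is silent on `/usr/bin/cat`, while the integrity check reports all three changes without knowing what caused them, which is the zero-day gap the slide refers to.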
Modern Antivirus
Software
2nd Generation: heuristics
scanners
o Don't really rely on the signatures as
much, but use rules of recognition
o They look for odd behavior, or code
fragments that are often associated with
viruses, but again, they don't have
specific signatures for every virus they can
handle
o Example of behavior: PyKeyLogger
Pykeylogger
Uses the SetWindowsHookEx API in
Win32
o Specifically the WH_KEYBOARD and WH_KEYBOARD_LL
Commercial Examples
o Norton 2006 (13.0) introduced Internet Explorer and
host file protection
o Panda Antivirus is award winning
Detects all strange behavior, very good anomaly
detection
Balance between good and annoying
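The second-generation idea above, and the "good versus annoying" balance, as an added example (not code from the slides or from any product): a rule-based scorer over the API names and constants a sample references, with a threshold instead of one signature per virus. The rules, weights, threshold and sample "import tables" are constructed; the SetWindowsHookEx / WH_KEYBOARD_LL pairing is the PyKeyLogger behaviour the slides name, and the other names are real Win32 imports used only as indicators.

```python
"""Second-generation (heuristic) detection: rules over the API names a
sample references, scored against a threshold.  Added example with
constructed rules, weights and samples."""
import re

# Rule = (indicators that must all be present, weight, description).
RULES = [
    ({"SetWindowsHookEx", "WH_KEYBOARD_LL"}, 40, "low-level keyboard hook"),
    ({"SetWindowsHookEx", "WH_KEYBOARD"}, 30, "keyboard hook"),
    ({"GetAsyncKeyState"}, 20, "keystroke polling"),
    ({"CreateFileA", "WriteFile"}, 10, "writes a local file"),
    ({"InternetOpenUrlA"}, 15, "outbound HTTP"),
    ({"WriteProcessMemory", "CreateRemoteThread"}, 35, "remote code injection"),
]
ALERT_THRESHOLD = 50  # constructed; tuning it is the "good vs annoying" trade-off


def extract_strings(data: bytes, min_len: int = 4) -> set:
    """Printable ASCII runs, the way the strings tool recovers import names."""
    return {m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)}


def score_sample(data: bytes) -> dict:
    """Tokenise the sample's strings and fire every rule whose indicators
    all appear.  Returns the total score, the reasons, and the verdict."""
    tokens = set()
    for s in extract_strings(data):
        tokens.update(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", s))
    score, reasons = 0, []
    for indicators, weight, description in RULES:
        if indicators <= tokens:
            score += weight
            reasons.append(description)
    return {"score": score, "reasons": reasons, "alert": score >= ALERT_THRESHOLD}


# Constructed "import tables": NUL-separated names, as a binary's strings
# would show them.  Neither blob is a real program.
KEYLOGGER_LIKE = (b"\x00SetWindowsHookEx\x00WH_KEYBOARD_LL\x00CreateFileA"
                  b"\x00WriteFile\x00InternetOpenUrlA\x00")
HOTKEY_UTILITY = (b"\x00SetWindowsHookEx\x00WH_KEYBOARD\x00CreateFileA"
                  b"\x00WriteFile\x00")

if __name__ == "__main__":
    for name, blob in [("keylogger-like", KEYLOGGER_LIKE),
                       ("hotkey utility", HOTKEY_UTILITY)]:
        print(name, score_sample(blob))
```

The point of the two samples is the balance the slide mentions: a keyboard hook on its own is also what a legitimate hotkey utility installs, so the hook rule alone stays under the threshold, and only the combination with a low-level hook, file writes and outbound HTTP pushes the first sample over it.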
Further Advances in AV
The advancement of viruses and
antiviruses is inseparably linked.
Once the current threats are dealt with, it's
hard to predict what virus makers will do
next, so it's a tango back and forth.
A huge flaw in even 4th Generation antivirus software is the inability to track and
detect polymorphic viruses
Generic Decryption
Solves this problem by running code
through a fast generic decryption
scanner that:
o Has a CPU emulator that the suspicious code is allowed to be
executed on.
o The system looks for any commonly known
encryption/decryption behavior, since this is often how
polymorphic viruses change themselves.
o Also includes the signature scanner from other generations.
o Halts the code if it's determined to be malicious, and
quarantines the original executable.
o Works a lot like TaintCheck
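Generic decryption in miniature, as an added example (not code from the slides or from any antivirus engine): a small CPU emulator runs a suspect program with a step budget, tracks every memory write, and treats a jump into bytes the program rewrote itself as the end of a decryption loop, at which point the ordinary signature scanner runs over the decrypted memory. The instruction set, the self-decrypting sample and the signature are all constructed for this example; the "jump into self-written bytes" check stands in for the decryption-behaviour recognition the slide describes.

```python
"""Generic decryption, in miniature: emulate a suspect program, watch for a
decryption loop rewriting the program's own image, then signature-scan the
decrypted memory.  Added example; ISA, sample and signature are constructed."""

# Toy ISA (constructed).  Each instruction is an opcode byte plus two operand
# bytes; register operands are indexes 0-3, immediates and addresses are one byte.
LOADI, LOAD, STORE, XOR, ADDI, JNZ, JMP, HALT = 1, 2, 3, 4, 5, 6, 7, 0xFF

SIGNATURES = {"toy-marker": b"PAYLOAD-MARKER"}   # constructed signature DB


def scan_signatures(data: bytes, signatures: dict = SIGNATURES) -> list:
    """The plain signature scanner reused from earlier generations."""
    return [name for name, pattern in signatures.items() if pattern in data]


def emulate(image: bytes, max_steps: int = 10_000) -> dict:
    """Execute the image under a step budget.  The moment the program jumps
    into bytes it wrote itself, decryption is presumed finished and the
    scanner runs over memory; it also runs on halt or budget exhaustion."""
    mem = bytearray(image) + bytearray(256)   # image plus scratch space
    regs = [0, 0, 0, 0]
    pc = 0
    written = set()                            # addresses the program overwrote

    def report(verdict, step):
        return {"verdict": verdict, "steps": step,
                "hits": scan_signatures(bytes(mem))}

    for step in range(max_steps):
        if pc in written:
            return report("self-decrypting code executed", step)
        if pc + 2 >= len(mem):
            return report("ran off the image", step)
        op, a, b = mem[pc], mem[pc + 1], mem[pc + 2]
        try:
            if op == LOADI:                    # r[a] = b
                regs[a] = b; pc += 3
            elif op == LOAD:                   # r[a] = mem[r[b]]
                regs[a] = mem[regs[b]]; pc += 3
            elif op == STORE:                  # mem[r[a]] = r[b]
                mem[regs[a]] = regs[b]; written.add(regs[a]); pc += 3
            elif op == XOR:                    # r[a] ^= r[b]
                regs[a] ^= regs[b]; pc += 3
            elif op == ADDI:                   # r[a] = (r[a] + b) mod 256
                regs[a] = (regs[a] + b) & 0xFF; pc += 3
            elif op == JNZ:                    # if r[a] != 0: pc = b
                pc = b if regs[a] else pc + 3
            elif op == JMP:                    # pc = a
                pc = a
            elif op == HALT:
                return report("halted", step)
            else:
                return report("invalid opcode", step)
        except IndexError:                     # register operand out of range
            return report("invalid operand", step)
    return report("step budget exhausted", max_steps)


def build_sample(key: int = 0x5A) -> bytes:
    """A constructed self-decrypting program: a decoder loop XORs the payload
    in place, then jumps to it.  A different key gives a different encrypted
    body (the polymorphic idea) but the same decrypted payload."""
    payload = bytes([HALT]) + SIGNATURES["toy-marker"]
    start = 29                                 # payload follows the decoder
    decoder = bytes([
        LOADI, 0, start,                       # r0 = payload pointer
        LOADI, 1, len(payload),                # r1 = bytes remaining
        LOADI, 2, key,                         # r2 = key
        LOAD, 3, 0,                            # loop: r3 = mem[r0]
        XOR, 3, 2,                             #       r3 ^= key
        STORE, 0, 3,                           #       mem[r0] = r3
        ADDI, 0, 1,                            #       r0 += 1
        ADDI, 1, 0xFF,                         #       r1 -= 1
        JNZ, 1, 9,                             #       loop while r1 != 0
        JMP, start,                            # run the decrypted payload
    ])
    assert len(decoder) == start
    return decoder + bytes(byte ^ key for byte in payload)


if __name__ == "__main__":
    sample = build_sample()
    print("static scan:", scan_signatures(sample))   # encrypted: nothing found
    print("emulated:", emulate(sample))              # decrypted: marker found
```

A static scan of the sample finds nothing because the marker is XORed, while the emulated run reports the signature hit after the decoder has rewritten its own payload region; the step budget is what keeps the technique fast enough to run on every executable.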
Virtualization in Antivirus
Hardware advances mainly speed of
processors, multiple cores, and more
memory allow virtualization to be used
Example: Sunbelt Software's Vipre
Enterprise Malware Client
o Maintains a minimized, mimicked copy of the host system in a
sandbox of memory and allows suspect files to run free.
o Implementation utilizing the advancement of processor
virtualization and multi-core assignment minimizes the
overhead.
o The virtualization, alongside a proprietary dynamic
translation re-compiler, is how this works so quickly and well
Sunbelt Vipre
http://www.sunbeltsoftware.com/developer/VIPRE-Desktop-SDK/
Conclusions
Digital immune systems are the way of the
future
Virtualization allows them to be
implemented locally on a small scale
Still benefit from honeypots that security
companies run to catch all the viruses
going around.
OS integration is key