Malware and Anti-malware

Benny Czarny
CEO and Founder
benny@opswat.com

23 October 2013
Benny Czarny presented an introduction to malware and anti-malware to computer science students at San Francisco State University. The presentation introduced the concept of malware, types of malware, and methods for detecting malware. Benny provided examples of historical malware and illustrations of the difficulties that security vendors face in detecting threats.

  • <why multiscanning> Growth of malware; more engines are better than 1; outbreaks; vulnerabilities in engines. <technology overview of Metascan> What is Metascan; why use Metascan; current feature set. <different implementations of Metascan> Out of box solution: MDTA; demo of metascanonline.com (local box with wireless access point); endpoint client (MD4SA); demo of MD4SA. <Managing Metascan> Introduction to the management station.
  • The assumption is that antivirus engines are events that are not mutually exclusive. So if we have the global amount of threats an antivirus can detect we should expect: threats detected only by Antivirus A; threats detected only by Antivirus B; threats detected by Antivirus A and Antivirus B.
  • The conclusion is obvious: when you do not know what you are up against, when you can't really measure the quality of the tools you are working with, multiscanning is a trivial choice.
  • Malware and Anti-Malware Seminar by Benny Czarny

    1. Malware and Anti-malware. Benny Czarny, CEO and Founder, benny@opswat.com, 23 October 2013
    2. Agenda: Malware
       • What is malware?
       • Why do malware writers write malware?
       • Malware infection methods
       • Challenges detecting malware
       • Malware detection techniques
       • Real life examples of malware detection systems
       • Current trends in the industry
    3. What is malware
       • What is the origin of the name "malware"? Malicious software.
       • What is the definition of malware? Software that is intended to damage or disable computers and computer systems. Any kind of unwanted software that is installed without your adequate consent. Viruses, worms, and Trojan horses are examples of malicious software that are often grouped together and referred to as malware.
    4. What is malware: Many types of malware
       • Worm
       • Trojan horse/Trojan
       • Virus
       • Rogues / Scareware
       • Ransomware
       • Others
    5. What is malware: Worms
       • Activity: make copies of themselves again and again on the local drive, network shares and USB drives
       • Purpose: reproduce
       • (*) Does not need to attach itself to an existing program
    6. What is malware: I love you worm. Opening the attachment activated the Visual Basic script. The worm did damage on the local machine, overwriting image files, and sent a copy of itself to the first 50 addresses in the Windows Address.
    7. What is malware: Morris worm
    8. What is malware: Trojan horse
    9. What is malware: Trojan
       • Activity: appears to perform a desirable function but instead drops a malicious payload, often including a backdoor allowing unauthorized access
       • Purpose: gains privileged access to the operating system
       • (*) Does not need to attach itself to an existing program
    10. What is malware: Trojan
       • Install a game: NetBus -> backdoor
       • Install a browser plugin: Flashback
       • Redirect to bogus web sites
    11. What is malware: Virus
       • Activity: when executed (usually by a human), replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected."
       • Purpose: replicate; harm computers
    12. What is malware: Rogue antivirus / scareware. Appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions.
    13. What is malware: Ransomware
       • Restricts access to the computer system that it infects
       • Encrypts files, locks the system
       • Displays messages intended to coax the user into paying
       • Demands a ransom in order for the restriction to be removed
    14. What is malware: Ransomware
    15. What is malware: Quantity of malware
    16. What is malware: Growth in quantity of known malware
    17. Why do malware writers write malware? What are the reasons behind malware writers?
       • Economical
       • Personal
       • Political / cyber weapons
       • Others
    18. Why do malware writers write malware? Economical
       • Stealing sensitive information which is then sold on the black market
       • Ransomware
       • Industrial espionage
       • Sell bots: take down networks, host phishing attacks, send spam, others
    19. Why do malware writers write malware? Economical
    20. Why do malware writers write malware? Personal
       • Revenge
       • Vandalism
       • Experimental / research
       • Hobby / art
    21. Why do malware writers write malware? Political / cyber weapons
       • Sabotage: infrastructure, service availability
       • Spy tools: domestic, foreign
       • Political messages
    22. Malware propagation methods: Samples
       • Exploiting unpatched security holes or vulnerabilities in older versions of popular software such as Adobe, Java, Windows
       • Torrent, peer-to-peer (P2P) and file sharing programs
       • Emails
       • USB flash drives
       • Rogue security programs
       • Others
    23. Malware propagation methods: Sample USB virus
       autorun.inf:
         [autorun]
         open=file.bat
         shelloption1=Open
         shelloption1command=file.bat
       file.bat:
         @echo off
         copy autorun.inf C: > NUL
         copy file.bat C: > NUL
         copy autorun.inf D: > NUL
         copy file.bat D: > NUL
         explorer .
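The defender's counterpart to slide 23 is triage of an autorun.inf found on removable media: parse it and flag any launch key that points at a script or executable stored on the drive. This is an added example, not code from the deck; the sample file is constructed and assumes the standard shell\verb\command key syntax.

```python
import re

# Constructed sample modelled on the deck's USB autorun.inf (standard
# shell\verb\command key syntax assumed; not the slide's own file).
SAMPLE_AUTORUN = """[autorun]
open=file.bat
shell\\option1=Open
shell\\option1\\command=file.bat
icon=drive.ico
"""

LAUNCH_KEYS = ("open", "shellexecute")
RISKY_EXT = (".bat", ".cmd", ".exe", ".com", ".scr", ".vbs", ".js", ".pif")
SHELL_CMD = re.compile(r"shell\\[^\\]+\\command")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section; keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Keys that run a program on insert (open/shellexecute) or from the
    drive's context menu (shell\\<verb>\\command)."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or SHELL_CMD.fullmatch(k)]


def assess_autorun(text):
    """Flag an autorun.inf whose launch keys point at a script or executable
    stored on the drive, the pattern the slide's sample worm relies on."""
    findings = []
    for key, value in launch_targets(parse_autorun(text)):
        program = value.split()[0].strip('"').lower() if value else ""
        if program.endswith(RISKY_EXT):
            findings.append(f"{key} launches {program}")
    return findings
```

Current Windows releases no longer honour autorun.inf on USB drives, so this is a triage check for drive contents rather than a prevention control.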
    24. Malware propagation methods
       • Appending virus
       • Prepending virus
       • Cavity virus
       • Compressing virus
       • Packers
    25. Malware propagation methods: Appending (diagram: new header, host file data, virus code). A virus that inserts a copy of its malicious code at the end of the file. The goal of an appending virus is not to harm the host program, but to modify it to hold the virus code and then be able to run itself.
    26. Malware propagation methods: Prepending (diagram: new header, virus code, host file data). A virus that inserts a copy of its malicious code at the beginning of the file.
    27. Malware propagation methods: Cavity (diagram: new header, virus code placed inside the host file data). Copies itself to one of the cavities present in the executable. It modifies the header so that control jumps to its location, and once the execution of the virus code is over, control is passed back.
    28. Malware propagation methods: Compressing (diagram: new header, virus code + decompressor, compressed host file data). Compresses the host program and attaches itself. It copies itself to the start of the data segment and includes a decompressing algorithm that is used to decompress the host program and execute it.
    29. Malware propagation methods: Packer functionality
       • Compress
       • Encrypt
       • Randomize (polymorphism)
       • Anti-debug technique (fake jmp)
       • Add junk
       • Anti-VM
       (diagram: payload -> packer -> malware -> infected host executable)
    30. Challenges in detecting malware: Packer functionality
       • Fred Cohen: it is not possible to build a perfect malware detector (1984). http://web.eecs.umich.edu/~aprakash/eecs588/handouts/cohen-viruses.html
       • Diagonal argument: P is a perfect detection program, V is a virus, and V can call P. If P(V) = true -> halt; if P(V) = false -> spread.
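The diagonal argument on slide 30 can be run as a small model: a detector P is any function from a program to a verdict, and the contrary program V calls P on itself and does the opposite, so every candidate P is wrong on V. This is an added illustration, not code from the deck; the Program class and the three candidate detectors are constructed for it.

```python
# Constructed model of the slide's diagonal argument (added here, not from the
# deck): a detector P is any function from a program to True/False, and the
# "contrary" virus V calls P on itself and does the opposite of P's verdict.

class Program:
    """A program is modelled by what it does when run; it may consult P."""
    def __init__(self, name, behaviour):
        self.name = name
        self.behaviour = behaviour   # behaviour(program, detector) -> "halt"|"spread"

    def run(self, detector):
        return self.behaviour(self, detector)


def contrary(program, detector):
    """V can call P: if P(V) = true -> halt; if P(V) = false -> spread."""
    return "halt" if detector(program) else "spread"


def benign(program, detector):
    return "halt"


def detector_is_right(detector, program):
    """P is right on a program iff it says True exactly when the program spreads."""
    return detector(program) == (program.run(detector) == "spread")


def find_counterexample(detector):
    """Return the program on which the detector is wrong, or None.
    For any detector whatsoever, the contrary V is such a program."""
    v = Program("V", contrary)
    return None if detector_is_right(detector, v) else v


# Three candidate "perfect" detectors; none survives V.
def flag_everything(program):
    return True

def flag_nothing(program):
    return False

def flag_by_name(program):
    return program.name == "V"
```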
    31. Challenges detecting malware: Static vs. Dynamic
       • Known malware: in the wild; malware exchange programs, e.g. metascan-online; AMTSO real-time threat list
       • Unknown malware: targeted attacks; outbreaks
    32. Malware detection techniques: Static vs. Dynamic
       • Static: inspect the code before it is executed
       • Dynamic: inspect the execution of the code
    33. Malware detection techniques: Static code analysis
       • PE headers
       • Digital signatures
       • Text searches
       • Hash checks
       • Dependency check
       • Check for packers
       • Heuristic checks
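Slide 29 lists compression and encryption as packer functions and slide 33 lists "check for packers" among the static checks; one common static heuristic ties the two together by measuring byte entropy, since compressed or encrypted bodies look close to random. This is an added example, not code from the deck; the two sample buffers are constructed, and the window size, threshold and fraction are assumptions to tune per file type.

```python
import hashlib
import math

def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, close to 8.0 for compressed,
    encrypted or random data (what packers produce)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def high_entropy_windows(data, window=1024, threshold=7.0):
    """(offset, entropy) for each fixed-size window above the threshold."""
    hits = []
    for off in range(0, len(data), window):
        ent = shannon_entropy(data[off:off + window])
        if ent >= threshold:
            hits.append((off, round(ent, 2)))
    return hits

def looks_packed(data, window=1024, threshold=7.0, min_fraction=0.5):
    """Heuristic: if most of the body is high-entropy, the code a static
    engine would want to inspect is not there in the clear."""
    total = max(1, math.ceil(len(data) / window))
    return len(high_entropy_windows(data, window, threshold)) / total >= min_fraction

def pseudo_random_bytes(n, seed=b"constructed"):
    """Deterministic stand-in for an encrypted or compressed section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

# Constructed samples: repetitive code-like text vs. an "encrypted" blob.
PLAIN_BODY = b"push ebp; mov ebp, esp; sub esp, 0x40; call printf; leave; ret\n" * 64
PACKED_BODY = pseudo_random_bytes(4096)
```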
    34. Malware detection techniques: Challenges of static code analysis
       • Many signatures: quality assurance of 100M signatures; big data; performance (scan in a timely manner)
       • Many signature updates: challenges to update; build a scalable update mechanism
       • Easy to obfuscate the code
    35. Malware detection techniques: Challenges of static code analysis
    36. Malware detection techniques: Dynamic code analysis
       • Execute on: target host, virtual machine, physical machine, custom hardware
       • Monitor the behavior of the host: from the host; outside the host
    37. Malware detection techniques: Dynamic code analysis. Monitor:
       • Processes
       • Files
       • Registry key changes
       • System scheduling
       • Services / daemons
       • Network traffic: type, destination
    38. Malware detection techniques: Challenges of dynamic code analysis
       • Anti-virtualization techniques
       • Sleep / loops to wait for detection
       • Randomization
       • Polymorphism
       • Consume resources
    39. Real life examples of malware detection systems: Malware detection for new outbreaks. Source: Metascan Online
    40. Real life examples of malware detection systems: Malware detection for new outbreaks. Source: Metascan Online
    41. Real life examples of malware detection systems: Static vs. Dynamic
       • Tested 30 known malware files (disguised as documents or embedded within documents)
       • Fewest number of engines was 10 (out of 43)
       • Highest number of engines was 30 (out of 43)
    42. Real life examples of malware detection systems: Static vs. Dynamic
       • Tested 30 known malware files (disguised as documents or embedded within documents)
       • Lowest number of threats detected was 3
       • Highest number of threats detected was 23
    43. Real life examples of malware detection systems: Measuring detection coverage (chart: 100%; Sandboxing: protection level X1%; Multi-scanning: protection level X2%)
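Slides 41 to 43 and the speaker notes compare single-engine protection levels with what multi-scanning reaches; the union of engine verdicts is the notes' "only A, only B, A and B" sum without double counting. This is an added example, not the deck's data or code: the engine names and verdicts are constructed for 30 sample files.

```python
# Constructed detection matrix (added example; the names and verdicts are
# made up, not Metascan Online data): 30 sample files, as in the deck's test,
# and which of three engines flagged each one.
SAMPLES = ["sample%02d" % i for i in range(1, 31)]
DETECTIONS = {
    "EngineA": set(SAMPLES[0:18]),                        # sample01..sample18
    "EngineB": set(SAMPLES[10:26]),                       # sample11..sample26
    "EngineC": set(SAMPLES[5:12]) | set(SAMPLES[27:30]),  # 06..12 and 28..30
}


def coverage_percent(detected, samples):
    return 100.0 * len(detected & set(samples)) / len(samples)


def single_engine_coverage(detections, samples):
    """Per-engine protection level, the X% of a single-engine deployment."""
    return {name: coverage_percent(hits, samples) for name, hits in detections.items()}


def multiscan_coverage(detections, samples, engines=None):
    """Multi-scanning verdict: a file is caught if any chosen engine flags it.
    The union counts 'only A', 'only B' and 'A and B' once each, which is the
    non-mutually-exclusive sum described in the speaker notes."""
    engines = engines or list(detections)
    union = set().union(*(detections[e] for e in engines))
    return coverage_percent(union, samples)


def engines_per_sample(detections, samples):
    """How many engines flagged each file (the slide's fewest/highest engines)."""
    return {s: sum(s in hits for hits in detections.values()) for s in samples}


def greedy_engine_order(detections, samples):
    """Order engines by how many not-yet-detected files each one adds."""
    pool, covered, order = dict(detections), set(), []
    while pool:
        best = max(pool, key=lambda e: len(pool[e] - covered))
        if not pool[best] - covered:
            break
        order.append(best)
        covered |= pool.pop(best)
    return order
```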
    44. Current trends in the industry
       • Secure transactions to cloud applications
       • Mobile security and BYOD
       • Cloud malware scanning
       • Big data
       • Performance
       • Sandbox: cloud sandbox
       • Protect digital wallets