Malware and Anti-Malware Seminar by Benny Czarny
Benny Czarny presented an introduction to malware and anti-malware to computer science students at San Francisco State University. The presentation introduced the concept of malware, types of malware, and methods for detecting malware. Benny provided examples of historical malware and illustrations of the difficulties that security vendors face in detecting threats.

  • Growth of malware; more engines are better than one; outbreaks; vulnerabilities in engines; what is Metascan; why use Metascan; current feature set; out-of-the-box solution: MDTA; demo of metascanonline.com (local box with wireless access point); endpoint client (MD4SA); demo of MD4SA; introduction to the management station
  • The assumption is that detections by antivirus engines are events that are not mutually exclusive. So, given the global set of threats that antivirus engines can detect, we should expect three regions: threats detected only by Antivirus A, threats detected only by Antivirus B, and threats detected by both Antivirus A and Antivirus B.
  • The conclusion is obvious: when you do not know what you are up against, and when you can't really measure the quality of the tools you are working with, multi-scanning is an easy choice.

Presentation Transcript

  • Malware and Anti-malware. Benny Czarny, CEO and Founder, benny@opswat.com. 23 October 2013
  • Agenda: Malware: what is malware? why do malware writers write malware? malware infection methods; challenges detecting malware; malware detection techniques; real-life examples of malware detection systems; current trends in the industry
  • What is malware: What is the origin of the name "malware"? Malicious software. What is the definition of malware? Software that is intended to damage or disable computers and computer systems; any kind of unwanted software that is installed without your adequate consent. Viruses, worms, and Trojan horses are examples of malicious software that are often grouped together and referred to as malware.
  • What is malware: Many types of malware: worm; Trojan horse/Trojan; virus; rogues / scareware; ransomware; others
  • What is malware: Worms. Activity: make copies of themselves again and again on local drives, network shares and USB drives. Purpose: reproduce. (*) Does not need to attach itself to an existing program.
  • What is malware: the "I love you" worm. Opening the attachment activated the Visual Basic script. The worm did damage on the local machine, overwriting image files, and sent a copy of itself to the first 50 addresses in the Windows Address Book.
  • What is malware Morris worm
  • What is malware Trojan horse
  • What is malware Trojan  Activity  Appears to perform a desirable function but instead drops a malicious payload, often including a backdoor allowing unauthorized access  Purpose:  Gains privileged access to the operating system (*)Does not need to attach itself to an existing program.
  • What is malware Trojan Install a game NetBus ->backdoor Install a browser plugin Flashback Redirect to bogus web sites
  • What is malware Virus Activity  When executed – usually by a human, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected.“ Purpose:  Replicate  Harm computers
  • What is malware Rogue antivirus / scareware Appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions.
  • What is malware Ransomware  Restricts access to the computer system that it infects  Encrypt files lock system  Displays messages intended to coax the user into paying  Demands a ransom in order for the restriction to be removed
  • What is malware Ransomware
  • What is malware Quantity of malware
  • What is malware Growth in quantity of known malware
  • Why do malware writers write malware? What are the reasons behind malware writers: economical; personal; political / cyber weapons; others
  • Why do malware writers write malware? Economical: stealing sensitive information which is then sold on the black market; ransomware; industrial espionage; sell bots (take down networks, host phishing attacks, send spam, others)
  • Why do malware writers write malware ? Economical
  • Why do malware writers write malware? Personal: revenge; vandalism; experimental / research; hobby / art
  • Why do malware writers write malware? Political / cyber weapons: sabotage (infrastructure, service availability); spy tools (domestic, foreign); political messages
  • Malware propagation methods: Samples: exploiting unpatched security holes or vulnerabilities in older versions of popular software such as Adobe, Java, Windows; torrent, peer-to-peer (P2P) and file-sharing programs; emails; USB flash drives; rogue security programs; others
  • Malware propagation methods: Sample USB virus
    autorun.inf:
    [autorun]
    open=file.bat
    shell\option1=Open
    shell\option1\command=file.bat
    file.bat:
    @echo off
    copy autorun.inf C:\ > NUL
    copy file.bat C:\ > NUL
    copy autorun.inf D:\ > NUL
    copy file.bat D:\ > NUL
    explorer .
  • Malware propagation methods: appending virus; prepending virus; cavity virus; compressing virus; packers
  • Malware propagation methods: Appending (layout: New Header | Host File Data | Virus Code). A virus that inserts a copy of its malicious code at the end of the file. The goal of an appending virus is not to harm the host program but to modify it to hold the virus code and then be able to run itself.
  • Malware propagation methods: Prepending (layout: New Header | Virus Code | Host File Data). A virus that inserts a copy of its malicious code at the beginning of the file.
  • Malware propagation methods: Cavity (layout: New Header | Virus Code | Host File Data). Copies itself into one of the cavities present in the executable. It modifies the header so that control jumps to its location and, once the execution of the virus code is over, control is passed back.
  • Malware propagation methods: Compressing (layout: New Header | Virus Code + Decompressor | Compressed Host File Data). Compresses the host program and attaches itself. It copies itself to the start of the data segment and includes a decompression algorithm that is used to decompress the host program and execute it.
  • Malware propagation methods: Packer functionality: compress; encrypt; randomize (polymorphism); anti-debug technique (fake jmp); add junk; anti-VM. (Diagram labels: Payload, Packer, Malware, Infected Host Executable.)
  • Challenges in detecting malware: Fred Cohen: it is not possible to build a perfect malware detector (1984). http://web.eecs.umich.edu/~aprakash/eecs588/handouts/cohen-viruses.html. Diagonal argument: P is a perfect detection program; V is a virus; V can call P: if P(V) = true -> halt; if P(V) = false -> spread.
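Cohen's diagonal argument from the slide above, carried out as an added example (this is not code from the slides): the detectors and programs are constructed toy functions, and "spread"/"halt" are labels standing for behaviour, nothing is executed.

```python
"""Fred Cohen's diagonal argument as an added worked example (not from the slides).
A program is a callable taking a detector P and returning what it does, "spread"
or "halt"; a detector maps a program to True ("virus") or False ("benign").
P is right exactly when its verdict matches the behaviour. Cohen's V asks P
about itself and does the opposite, so no P is right on V. Strings are labels only."""
from typing import Callable, Dict, List

Program = Callable[["Detector"], str]
Detector = Callable[[Program], bool]

def verdict_is_correct(P: Detector, prog: Program) -> bool:
    """True iff P says 'virus' exactly when the program would spread."""
    return P(prog) == (prog(P) == "spread")

def make_diagonal_program() -> Program:
    """Cohen's V: if P(V) = true -> halt; if P(V) = false -> spread."""
    def V(P: Detector) -> str:
        return "halt" if P(V) else "spread"
    return V

V = make_diagonal_program()

# Constructed reference programs any detector should get right.
def hello(P: Detector) -> str:       # benign: always halts
    return "halt"
def replicator(P: Detector) -> str:  # always spreads, whatever P says
    return "spread"

CORPUS: Dict[str, Program] = {"hello": hello, "replicator": replicator, "V": V}

# Constructed candidate "perfect" detectors, from crude to well-informed.
def paranoid(prog: Program) -> bool:              # flags everything
    return True
def naive(prog: Program) -> bool:                 # flags nothing
    return False
def signature_db(prog: Program) -> bool:          # blacklist of known samples
    return prog in {replicator}
def updated_signature_db(prog: Program) -> bool:  # blacklist that even knows V
    return prog in {replicator, V}

DETECTORS = (paranoid, naive, signature_db, updated_signature_db)

def misclassified(P: Detector) -> List[str]:
    """Names of corpus programs on which P's verdict is wrong."""
    return [n for n, prog in CORPUS.items() if not verdict_is_correct(P, prog)]

def wrong_for_every_detector() -> List[str]:
    """Programs every candidate gets wrong; Cohen's argument puts V here for any P."""
    return sorted(set.intersection(*(set(misclassified(P)) for P in DETECTORS)))
```

Adding V to the blacklist does not help: the updated detector flags V, so V halts and the verdict becomes a false positive instead of a false negative.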
  • Challenges detecting malware: Static vs. Dynamic: Known malware: in the wild; malware exchange programs, e.g. metascan-online; AMTSO real-time threat list. Unknown malware: targeted attacks; outbreaks
  • Malware detection techniques: Static vs. Dynamic: Static: inspect the code before it is executed. Dynamic: inspect the execution of the code.
  • Malware detection techniques: Static code analysis: PE headers; digital signatures; text searches; hash checks; dependency check; check for packers; heuristic checks
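An added example (not from the slides) of the "check for packers" step: a byte-entropy heuristic that locates the compressed or encrypted region of a file laid out like the compressing-virus slide above. The decompressor stub, host program and toy XOR keystream are constructed for the demo.

```python
"""Entropy heuristic for the 'check for packers' step, as an added example (not
from the slides). Compression and encryption, the first two packer functions
listed earlier, push byte entropy toward 8 bits/byte, so a static scanner can flag
high-entropy regions for closer (dynamic) inspection. All sample data is constructed."""
import math
import random
from collections import Counter
from typing import List, Tuple

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, close to 8.0 for random-looking data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, window: int = 1024) -> List[float]:
    """Entropy of each fixed-size window; a short final window is included as-is."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]

def packed_regions(data: bytes, window: int = 1024, threshold: float = 7.0) -> List[Tuple[int, int]]:
    """Byte ranges whose windows exceed the threshold, adjacent windows merged.
    High entropy is only a triage signal: embedded images or archives score high too."""
    regions: List[Tuple[int, int]] = []
    for idx, h in enumerate(entropy_profile(data, window)):
        if h < threshold:
            continue
        start, end = idx * window, min((idx + 1) * window, len(data))
        if regions and regions[-1][1] == start:
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((start, end))
    return regions

def xor_stream(data: bytes, seed: int) -> bytes:
    """Toy keystream cipher standing in for a packer's encryption layer (demo only)."""
    rng = random.Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in data)

# Constructed file in the 'compressing virus' layout from the slides: a plain
# decompressor stub in front, followed by the (here: encrypted) host program.
STUB = (b"; decompressor stub: restores and runs the host program\n" * 40)[:2048]
HOST = (b'int main(void) { puts("host program"); return 0; }\n' * 200)[:8192]
SAMPLE = STUB + xor_stream(HOST, seed=7)

def packed_offset() -> int:
    """Offset where the high-entropy (packed) region begins in SAMPLE, or -1."""
    regions = packed_regions(SAMPLE)
    return regions[0][0] if regions else -1
```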
  • Malware detection techniques Challenges of static code analysis  Many signatures  Quality assurance of 100M signatures  Big data  Performance – scan in a timely manner  Many signature updates  Challenges to update - build a scalable update mechanism  Easy to obfuscate the code
  • Malware detection techniques Challenges of static code analysis
  • Malware detection techniques Dynamic code analysis  Execute on     Target host Virtual machine Physical machine Custom hardware  Monitor the behavior of the host  From the host  Outside the host
  • Malware detection techniques Dynamic code analysis Monitor       Processes Files Registry key changes System scheduling Services / Daemon Network traffic  Type  Destination
  • Malware detection techniques Challenges of dynamic code analysis      Anti virtualization techniques Sleep / loops to wait for detection Randomization Polymorphism Consume Resources
  • Real life examples of malware detection systems Malware detection for new outbreaks Source: Metascan Online
  • Real life examples of malware detection systems Malware detection for new outbreaks Source: Metascan Online
  • Real life examples of malware detection systems Static vs. Dynamic  Tested 30 known malware files (disguised as documents or embedded within documents)  Fewest number of engines was 10 (out of 43)  Highest number of engines was 30 (out of 43)
  • Real life examples of malware detection systems Static vs. Dynamic  Tested 30 known malware files (disguised as documents or embedded within documents)  Lowest number of threats detected was 3  Highest number of threats detected was 23
  • Real life examples of malware detection systems Measuring detection coverage 100% Sandboxing X1% Protection level : Multi-scanning X2% Protection level:
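The set arithmetic behind the notes' three regions (only A, only B, both A and B) and the engines-per-sample figures on the slides above, as an added example with constructed scan results; this is not the slides' or OPSWAT's data or code.

```python
"""Detection-coverage arithmetic behind multi-scanning, as an added example with
constructed data (not the slides' or OPSWAT's figures). Each engine's detections
form a set of sample ids; engines are not mutually exclusive, so combined
coverage is the size of the union, not the sum of per-engine rates."""
from typing import Dict, List, Set, Tuple

# Constructed scan results: engine -> samples it flags. s7 and s8 evade every engine.
DETECTIONS: Dict[str, Set[str]] = {
    "A": {"s1", "s2", "s3", "s5"},
    "B": {"s2", "s3", "s4"},
    "C": {"s1", "s6"},
    "D": {"s2", "s3"},
}
SAMPLES: Set[str] = {f"s{i}" for i in range(1, 9)}

def venn(a: Set[str], b: Set[str]) -> Tuple[int, int, int]:
    """Sizes of the three regions from the notes: only A, only B, both A and B."""
    return len(a - b), len(b - a), len(a & b)

def union_by_inclusion_exclusion(a: Set[str], b: Set[str]) -> int:
    """|A u B| = |A| + |B| - |A n B|; the overlap must be subtracted, not ignored."""
    return len(a) + len(b) - len(a & b)

def combined_coverage(engines: List[str]) -> float:
    """Share of samples flagged by at least one of the given engines (the union)."""
    flagged = set().union(*(DETECTIONS[e] for e in engines))
    return len(flagged) / len(SAMPLES)

def engines_per_sample() -> Dict[str, int]:
    """Engines flagging each sample: the 'N out of 43 engines' figure on the slides."""
    return {s: sum(s in hits for hits in DETECTIONS.values()) for s in sorted(SAMPLES)}

def coverage_spread() -> Tuple[int, int]:
    """Fewest and most engines flagging any single sample (the slides' 10 and 30)."""
    counts = engines_per_sample().values()
    return min(counts), max(counts)

def greedy_engine_order() -> List[Tuple[str, float]]:
    """Add engines by marginal union gain; later picks add less, the last may add nothing."""
    chosen: List[str] = []
    order: List[Tuple[str, float]] = []
    remaining = set(DETECTIONS)
    while remaining:
        best = min(remaining, key=lambda e: (-combined_coverage(chosen + [e]), e))
        chosen.append(best)
        remaining.remove(best)
        order.append((best, combined_coverage(chosen)))
    return order
```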
  • Current trends in the industry: secure transactions to cloud applications; mobile security and BYOD; cloud malware scanning; big data; performance; sandbox: cloud sandbox; protect digital wallets