Antiy Labs SeakThe Evolution Theory of Malware and Our                Thought
WarnThe views as well as the visual effects          ofpictures   in   the     report   may   cause   somedispleasures, so...
Outline The evolution of Antivirus The virus ecology in the Evolution Theory Lamarck, Darwin, and AI Empire I am the n...
The evolutionary methods of AVFighting against directly    • Anti-virus    Adding functions         • Regmon and TDI monIn...
Outline The conclusive history of AV vs. VX The virus ecology in the Evolution Theory Lamarck, Darwin, and AI Empire I...
Darwin, as a naturalist, sailedwith HMS Beagle for 5 years.The picture is about theanchorage of HMS Beagle onJuly, 5th, 18...
The Evolution Theory of Malware: The status of Malware, Chapter ofthat of the living                     the similar to L...
Parasitism   The infection of files                Nasonia   and boot sectors• The most primitive skills of   viruses• Kee...
Reproduction                                      Self-reproducing with a large                                      numbe...
Avoiding PredatorsYankee                             Meerkat• Yankee was found by displaying  the songs of Yankee Doodle a...
Protective ColorationGrey pigeons               Grasshoppers                      中国安天实验室
MimicryRootkit        Stick insect           中国安天实验室
Allure                               The snail a kind of fluke hosts onSocial engineering means                           ...
Suspended Animation                                       A millipede in suspended animation    Rootkit.Baidu•   To interc...
The Evolution Theory of Malware:                       the Chapter of Death Trilobites, dinosaurs, saber-toothed tiger ha...
PredatorsSecurity Points          Living Cretures                       • Preying• Anti-virus                       • Enha...
Environment A variety of viruses have been eliminated due to the     upgrading of the operation systems. DOS 3.3 >DOS 5...
Propagation and Migration The exchanging methods of main data to Malware are     as important as the migrating ways to an...
VX: not the only one to be eliminated OLE2 Watershed The security mechanisms like DEP and PatchGuard enhanced by  Vista,...
The Evolution Theory of Malware:                   the Chapter of MutationThe core of the evolution is to architect the ac...
Variants of the Virus Family That the Jerusalem had three hundred and fifty-four variants  in DOS time seemed to be unbel...
A Typical Case to Revisit the Anti-immunity The modification and evolution of the  propagation.                     中国安天实验室
Disassembly and Code Evolution The wide propagation of DOS virus attributes to the  disclosure of disassembly results. T...
The Binary Evolution The evolution of password guessing worms  Worm.ronron.a      -> Worm.ronron.b  └Cloner ->STED -> ele...
Cross-platform Virus:             not the Product of Variation Do the double-state viruses PE and ELF belong to variation...
The Change of State Does Not                  Mean Self-variation No new features will not be invented in the process of ...
The Evolution Theory of Malware:            the Chapter of Anecdotes Interesting Phenomenon                       中国安天实验室
Wildlist VS ZooWildlist             Zoo
The Secret of Longevity Klez Parite wyx
Species in the Legend Overwhelming Rumors             Manufacturing Species• The e-mail virus• The IM information virus• T...
Outline The conclusive history of AV vs. VX The virus ecology in the Evolution Theory Lamarck, Darwin, and AI Empire I...
Darwin or Lamarck?     Lamarckism                               Darwinism• Evolution is the result of        • Evolution i...
Electing Darwin The malware has no tendency to evolve by itself. The result of natural selection is that some  malwares ...
The Confusion If we consider virus and anti-virus software as animals, the  people who work on them belong to environment...
Is it possible for malware to                evolve in a Lamarckian way? The uncertainty of malware evolution is the tran...
The Ideal Achievements of Self-study Picking up the unknown viruses with Neural  Networks
Distributed Nightmares Based on powerful computing ability. The computing ability of AI built with single point    will ...
Outline The conclusive history of AV vs. VX The virus ecology in the Evolution Theory Lamarck, Darwin, and AI Empire I...
Why the red pines began to releasesuch large amounts of carbondioxide?The pine beetles have destroyed 12.8square kilometer...
Protecting the Trees or                 Killing the Beetles? The purpose of AVER is to maintain the system running  norma...
Dvloder Dvloder is the most dangerous one of password guessing worms. Larger password files, faster scanning speeds. Mo...
Welchian The adoption of ARP repression and the manipulation     of unmanagable network                          中国安天实验室
中国安天实验室             The monitoring result of a             HIT mail server someday    Rank          Name         Times    ...
The Process of Downloader The identification of behaviors DEMO                       中国安天实验室
The Response to MS08-067 Min loading and scanning probe Class C, 11 severs                       中国安天实验室
Outline The conclusive history of AV vs. VX The virus ecology in the Evolution Theory Lamarck, Darwin, and AI Empire I...
Religious fanatics ridiculeDarwin because he believesapes   are    our   ancestors.Actually, Darwin just sayshuman beings ...
On AVER’s Defense AVER=Extortioner? AVER has determined the attributes of thousands of documents,  analyzed millions of ...
Thank you!Seakhttp://www.anity.comseak@antiy.net                     中国安天实验室
Upcoming SlideShare
Loading in …5
×

The Evolution Theory of Malware and Our Thought

704 views

Published on

Published in: Automotive
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
704
On SlideShare
0
From Embeds
0
Number of Embeds
22
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

The Evolution Theory of Malware and Our Thought

  1. 1. Antiy Labs SeakThe Evolution Theory of Malware and Our Thought
  2. 2. WarnThe views as well as the visual effects ofpictures in the report may cause somedispleasures, so it is not suitable to watchafter meals. 中国安天实验室
  3. 3. Outline The evolution of Antivirus The virus ecology in the Evolution Theory Lamarck, Darwin, and AI Empire I am the nature—thinking on the creating and struggling Meditating in front of Darwin’s portrait
  4. 4. The evolutionary methods of AVFighting against directly • Anti-virus Adding functions • Regmon and TDI monInduction to normalization • From AntiOOB to PFW Reflux • Immunity Conversion between • Unknown detection based on neural networkforeground and background and Decision Tree Introduction • UTM added AV Engine Hardware and software • Anti-virus card -〉anti-virus software ……
  5. 5. Outline The conclusive history of AV vs. VX The virus ecology in the Evolution Theory Lamarck, Darwin, and AI Empire I am the nature—thinking on the creating and struggling Meditating in front of Darwin’s portrait
  6. 6. Darwin, as a naturalist, sailedwith HMS Beagle for 5 years.The picture is about theanchorage of HMS Beagle onJuly, 5th, 1832.Form Stowe, K. (1995)"Exploring Ocean Science",2th ed. 中国安天实验室
  7. 7. The Evolution Theory of Malware: The status of Malware, Chapter ofthat of the living the similar to Living creatures, is the result of the comprehensive elimination and selection. Actually, it is the same with all the software programs. The living creatures developed the survival ability during the long-term antagonism, elimination and selection. Let’s come to the Chapter of Living
  8. 8. Parasitism The infection of files Nasonia and boot sectors• The most primitive skills of viruses• Keeping the infected objects the same as original ones until the viruses begin to attack 中国安天实验室
  9. 9. Reproduction Self-reproducing with a large number Self-replicating • There is an old saying that a male mouse and a female mouse can breed• SQL.Slammer worm two hundred and fifty babies in three years. has infected seventy- five thousand(75,000) computers in just ten minutes across the world. 中国安天实验室
  10. 10. Avoiding PredatorsYankee Meerkat• Yankee was found by displaying the songs of Yankee Doodle and became well-known.• Yankee is one of the earliest viruses which can avoid their predators. It will “run away” when finding the Debug module. 中国安天实验室
  11. 11. Protective ColorationGrey pigeons Grasshoppers 中国安天实验室
  12. 12. MimicryRootkit Stick insect 中国安天实验室
  13. 13. Allure The snail a kind of fluke hosts onSocial engineering means 中国安天实验室
  14. 14. Suspended Animation A millipede in suspended animation Rootkit.Baidu• To intercept the API operation of anti-virus software. When finding the Deletefile, it shows SUCCESS.• The anti-virus software can detect files circularly, so it changes the interception policy.
  15. 15. The Evolution Theory of Malware: the Chapter of Death Trilobites, dinosaurs, saber-toothed tiger have died out, and the South China tigers are about to die out. The dead ones left fossils and the dying ones are surviving in the zoos. The thinking tank of Pakistan and the Morris worm are no longer active. Some of Malwares are at the edge of the attacking field. The viruses, with no activities, are not harmful any more, and just the source codes or disassembly codes printed in textbooks. 中国安天实验室
  16. 16. PredatorsSecurity Points Living Cretures • Preying• Anti-virus • Enhancing immunity to avoid• Defense being hosted on
  17. 17. Environment A variety of viruses have been eliminated due to the upgrading of the operation systems. DOS 3.3 >DOS 5 MZ > PE Ring0 VxD->WDM
  18. 18. Propagation and Migration The exchanging methods of main data to Malware are as important as the migrating ways to animals. Disks E-mails Remote exploits Password cracking USB Flash Drive WEB injection 中国安天实验室
  19. 19. VX: not the only one to be eliminated OLE2 Watershed The security mechanisms like DEP and PatchGuard enhanced by Vista, stop the viruses outside the computers but interrupt the anti-virus vendors’ incapability test for a long time.
  20. 20. The Evolution Theory of Malware: the Chapter of MutationThe core of the evolution is to architect the academic systemwith the hard evidence of the Origin of Species and Evolutionrather than breeding and life-death. This kind of academicsystem can overthrow the fallacy that God created the world andthe species remained unchanged. 中国安天实验室
  21. 21. Variants of the Virus Family That the Jerusalem had three hundred and fifty-four variants in DOS time seemed to be unbelievable. At present, there are thousands of variants of virus families which do not include the variants matched out by general features. The number of the grey pigeon variants accounts for 17percent of the total backdoor variants in the world. 中国安天实验室
  22. 22. A Typical Case to Revisit the Anti-immunity The modification and evolution of the propagation. 中国安天实验室
  23. 23. Disassembly and Code Evolution The wide propagation of DOS virus attributes to the disclosure of disassembly results. The crazy increasing of backdoors disclosed on BO. The appearance of Rbot with most variants owing to the code disclosure. 中国安天实验室
  24. 24. The Binary Evolution The evolution of password guessing worms Worm.ronron.a -> Worm.ronron.b └Cloner ->STED -> eleet cals->olo Release Worm.Dvldr 中国安天实验室
  25. 25. Cross-platform Virus: not the Product of Variation Do the double-state viruses PE and ELF belong to variation? Do the double-state viruses Macro and DOS.com belong to variation? Regarding them as amphibians 中国安天实验室
  26. 26. The Change of State Does Not Mean Self-variation No new features will not be invented in the process of virus variation. we can call it chameleon. We can call it chameleon. 中国安天实验室
  27. 27. The Evolution Theory of Malware: the Chapter of Anecdotes Interesting Phenomenon 中国安天实验室
  28. 28. Wildlist VS ZooWildlist Zoo
  29. 29. The Secret of Longevity Klez Parite wyx
  30. 30. Species in the Legend Overwhelming Rumors Manufacturing Species• The e-mail virus• The IM information virus• The BIOS virus 中国安天实验室
  31. 31. Outline The conclusive history of AV vs. VX The virus ecology in the Evolution Theory Lamarck, Darwin, and AI Empire I am the nature—thinking on the creating and struggling Meditating in front of Darwin’s portrait
  32. 32. Darwin or Lamarck? Lamarckism Darwinism• Evolution is the result of • Evolution is the result of natural biological activity. selection. – Use and disuse – Inheritance with uncertainty – Inheritance of acquired – The uncertainty eliminated by characteristics environment 中国安天实验室
  33. 33. Electing Darwin The malware has no tendency to evolve by itself. The result of natural selection is that some malwares dying out and some malwares being active. 中国安天实验室
  34. 34. The Confusion If we consider virus and anti-virus software as animals, the people who work on them belong to environment or are the “creator”? Both VX and AV mutate owing to the experience and attempt of human beings. Living creatures breed and are bred in the process of mutating; codes copy and are copied in constance. The creators and the modificators are the parts of the inherited strand, which are the biggest difference from the Code Darwinism. 中国安天实验室
  35. 35. Is it possible for malware to evolve in a Lamarckian way? The uncertainty of malware evolution is the transformation of biological activity. Is it possible for malware to evolve in a Lamarckian way? 中国安天实验室
  36. 36. The Ideal Achievements of Self-study Picking up the unknown viruses with Neural Networks
  37. 37. Distributed Nightmares Based on powerful computing ability. The computing ability of AI built with single point will not reach the level of children after ten years. How is about the bot of hundreds of thousands of computers?
  38. 38. Outline The conclusive history of AV vs. VX The virus ecology in the Evolution Theory Lamarck, Darwin, and AI Empire I am the nature—thinking on the creating and struggling Meditating in front of Darwin’s portrait
  39. 39. Why the red pines began to releasesuch large amounts of carbondioxide?The pine beetles have destroyed 12.8square kilometers of forest inwestern Canada by the end of 2006.It is not the first time for the forestdestroyed at this level, but thedestruction is 10 times as serious asbefore.The beetles will release largeamounts of carbon dioxide after thetrees die?
  40. 40. Protecting the Trees or Killing the Beetles? The purpose of AVER is to maintain the system running normally. Recalling the key points in the “war” welchian Sobig.f Dvlodr downloader MS08-067 中国安天实验室
  41. 41. Dvloder Dvloder is the most dangerous one of password guessing worms. Larger password files, faster scanning speeds. More compact ways to combine together. Setting up VNC backdoor. HIT-Antiy CERT (built by HIT and Antiy) found it first, and located the earliest infected computer very fast. 中国安天实验室
  42. 42. Welchian The adoption of ARP repression and the manipulation of unmanagable network 中国安天实验室
  43. 43. 中国安天实验室 The monitoring result of a HIT mail server someday Rank Name Times Traffic1 I-Worm.sobig 39006 3.7G2 I-worm.klez.h 34664 5.6G3 I-Worm.Runonce 34206 3.0GAmount 12.3G
  44. 44. The Process of Downloader The identification of behaviors DEMO 中国安天实验室
  45. 45. The Response to MS08-067 Min loading and scanning probe Class C, 11 severs 中国安天实验室
  46. 46. Outline The conclusive history of AV vs. VX The virus ecology in the Evolution Theory Lamarck, Darwin, and AI Empire I am the nature—thinking on the creating and struggling Meditating in front of Darwin’s portrait
  47. 47. Religious fanatics ridiculeDarwin because he believesapes are our ancestors.Actually, Darwin just sayshuman beings and apes havethe same ancestors ratherthan to say that. 中国安天实验室
  48. 48. On AVER’s Defense AVER=Extortioner? AVER has determined the attributes of thousands of documents, analyzed millions of virus samples, extracted more than one million detection rules and named over 340 thousand viruses in past 20 years. Snort takes respected place in academia with less than 3 thousand (3,000) rules so far. 中国安天实验室
  49. 49. Thank you!Seakhttp://www.anity.comseak@antiy.net 中国安天实验室

×