SlideShare a Scribd company logo

Virus Detection Based on the Packet Flow

Antiy Labs
Antiy Labs
BusinessTechnology
1 of 29
Download to read offline
Antiy Labs Virus Detection Based on the Packet Flow Seak@antiy.net
Antiy Labs Foreword • Worms and other network viruses are more and more common and VXers have become more familiar with hacking techniques, as a result, network security technology and anti-virus technology are more and more integrated. • Developers hope to extend the anti-virus capabilities of firewalls, IDS and GAP products. Though they can be combined with the file-level detection of traditional anti- virus vendors, there are still some problems. • This presentation attempts to explore the integration point of network security technology and anti-virus technology - virus detection based on network packet flow. www.antiy.net
Antiy Labs 1. A Comparison of Two Detection Methods’ Granularity • We will take the extremely coarse anti-virus rules of snort as an example. • In the latest snort virus.rules, up to 24 rules are used to detect the worm named NewApt, which accounts for 28% of all VX rules www.antiy.net
Antiy Labs Coarse File Name Detection content: "filename="THEOBBQ.EXE""; content: "filename="GADGET.EXE""; content: "filename="COOLER3.EXE""; content: "filename="IRNGLANT.EXE""; content: "filename="PARTY.EXE""; content: "filename="CASPER.EXE""; content: "filename="HOG.EXE""; content: "filename="FBORFW.EXE""; content: "filename="GOAL1.EXE""; content: "filename="SADDAM.EXE""; content: "filename="PIRATE.EXE""; content: "filename="BBOY.EXE""; content: "filename="VIDEO.EXE""; content: "filename="MONICA.EXE""; content: "filename="BABY.EXE""; content: "filename="GOAL.EXE""; content: "filename="COOLER1.EXE""; content: "filename="PANTHER.EXE""; content: "filename="BOSS.EXE""; content: "filename="CHESTBURST.EXE""; content: "filename="G-ZILLA.EXE""; content: "filename="FARTER.EXE""; content: "filename="COYPER..EXE""; content: "filename="CUPID2.EXE""; www.antiy.net
Antiy Labs Low Detection Granularity After analysis, we found that there are 26 Worm.NewApt attachment files, not 24. Rules from C&D are correct. We hope to improve Code&Disassemblers besides Capture&Decode. www.antiy.net
Antiy Labs Flaws of Attachment File Name Detection • It can do nothing to worms that randomly choose attachment file names or extract local file names. • When a normal attachment file triggers a false alarm, users will panic. In addition, renaming the file name is the easiest way to modify worms. www.antiy.net
Antiy Labs High-Granularity Detection • From the perspective of file system-based virus analysis, I-worm.NewApt can be totally detected by the following signature string: | 680401000056FF152CC04000568B 75106884F7400056E8CC0800005903C650 E83B07000083C40C6880F7400056E8B50 800005903C650……| www.antiy.net
Antiy Labs Problem 1 Differences on Network Detection and File detection • Worms spread via network encoded with base64, not as binary files. The following is the corresponding base64 code of the virus signature code. GgEAQAAVv8VLMBAAFaLdRBohPdAAFboz AgAAFkDxlDoOwcAAIPEDGiA90AAVui1CAA AWQPGUOgkBwAAoeQBQQBZWUBQVuidC AAAWQPGUGjo90AA/9ej5AFBA…… • A new problem comes up: how to process |0d 0a|? www.antiy.net
Antiy Labs Problem 2 Requirements of the Signature Code It can’t be arbitrarily chosen. Instead, it should correctly detect without false positives. •Length requirement •Complexity requirement •Other requirements www.antiy.net
Antiy Labs Problem 3 How to Meet Multi-Layer Needs • IDS rules are the starting point of problem 3. • Can we prevent malware from entering the intranet? • Can we extend anti-virus capabilities to firewalls and Gap products? • Can we build a virus monitoring mechanism, or even directly cut off worm spread in backbone networks ? www.antiy.net
Antiy Labs Preparations for Independent Virus Analysis • It is a piece of cake for network security pros to analyze worms and extract signatures. But we should note that a series of tasks needs to be done: • Build a virus capture network, and get new virus samples as soon as possible • Build a complete sample database • Build a signature analysis mechanism, and avoid omission and false positives • Warning: For firewall or IDS development departments, it is far too wasteful to build a Virus CERT www.antiy.net
Antiy Labs 2. Combing File-Level Antivirus Technologies • Anti-virus technology requires experience, so there are certain thresholds. For this reason, combining the technologies of traditional antivirus vendors is a good choice. • Some b-grade antivirus vendors also turn to providing an AV SDK for other network security vendors and service providers. • On the other hand, more antivirus vendors are actively expanding their network security product line, in order to build a complete solution. www.antiy.net
Antiy Labs Description of Traditional Antivirus Technologies File Format Recognition Module Y Format Processing Format Processing Module Y Pre-Processing Pre-Processing Module Categorization Detection Engine www.antiy.net
Antiy Labs Integration with Traditional Antivirus Technologies • Traditional antivirus technologies are based on files. They are used to build a gateway server based file system or application-layer proxy. • Case-in-point: the antivirus system of hotmail • The antivirus gateway of Trend Micro www.antiy.net
Antiy Labs Advantages of Integration with traditional Antivirus Technologies • Good for integration with application-level gateways • Various known viruses can be detected • Support for compressed formats www.antiy.net
Antiy Labs Problems of Traditional Antivirus Network-Level Applications • They must restore specific files, leading to a series of problems: • High resource consumption and low efficiency • Can’t process Malware such as Stuxnet II and Code Red • Can’t respond to and process network-level situations in real-time • Protocols such as UDP can’t restore to files without high cost • Can we build a virus detection mechanism on the flow level or the packet level? www.antiy.net
Antiy Labs 3. Virus Detection Based on the Flow and Packet • Virus analysis technologies • Network transmission forms • We developed a usable Virus Catcher SDK www.antiy.net
Antiy Labs Detection on the Flow-Level and Packet-Level Virus Catcher Virus Catcher Virus Steam Packet Catcher File Binary Virus √ √ √ Detection Module Email Worm √ √ √ Detection Module URL Detection √ √ Module Script Detection √ √ Module www.antiy.net
Antiy Labs Comparison on Packet-Level and File-Level Detection Transmission of scan objects struct se_data { unsigned long src_ip,dst_ip; //source IP, target IP unsigned short src_port,dst_port; //source port, target port unsigned long protocol; //protocol type(used by response processing module) unsigned char * data; //data to be scanned unsigned long len; //length of data to be scanned }; www.antiy.net
Antiy Labs Comparison on Packet-Level and File-Level Detection Processing methods: int vise_response(unsigned long vi_id,//Virus code unsigned long src_ip, //source IP unsigned short src_port, //source port unsigned long dst_ip, //target IP unsigned short dst_port, //target port unsigned long protocol); //network protocol(specific protocol) www.antiy.net
Antiy Labs Not Simple Technology Mixing • Packet-level detection ≠ traditional virus database +high-speed matching algorithm • Why can’t current antivirus systems be used for packet-level detection? • Detection mechanism of file-level antivirus software: File formats, preprocessing, virtual machine, signature code |B3 03 B4 38 81 03 F3 B4 38 81 8C C8 B7 38 81 8C DB B5 38 81 39 C3 B4 38 81 74 11 B4 | ->|B303B4 ?1 03F3B4 ?1 8CC8B7 ?1 8CDBB5 ?1 39C3B4 ?1 7411B4| www.antiy.net
Antiy Labs Problems Solved • High-speed matching: 2Gbps • Signature codes are cut • High-speed pre-processing • High-quality signature codes • Transparent processing www.antiy.net
Antiy Labs Unsolved Problems • Complex metamorphic viruses • Encrypted Macro viruses • Compressed formats www.antiy.net
Antiy Labs Technical Conclusion • Reliable virus processing focuses on the system and the file level • Packet-level detection can’t solve all virus problems, so it can’t replace traditional antivirus products • Technologies are not always complete, but they can still be used to solve practical issues • Antivirus technologies will never be complete, but they sure can help us a lot www.antiy.net
Antiy Labs Technical Application • Antivirus modules in firewalls and GAP products • More reliable IDS Worm rule set • Independent backbone network anti-virus module www.antiy.net
Antiy Labs Examples Log Us er View Log (fro m Vi e w L og ) (f rom Ac tors ) Alert (fro m Al e rt) Log Setup Sys tem Sys tem Adm inis trator (fro m Se tup Syste m ) (f rom Ac tors ) System Adm in Scan Virus at Packet Level Network Sniffer (fro m Sca n Vi rus a t Pa cket L e ve l ) (f rom Ac tors ) Datab ase Cert User Maintain Virus Databas e (f rom Ac tors ) (fro m M ai n ta i n Vi ru s Datab a s ) e www.antiy.net
Antiy Labs Application Purposes • Used in packet detection and gateway/firewall antivirus systems to prevent malware from spreading. • Protect users who are not aware enough of malware damages • Virus monitoring on backbone networks www.antiy.net
Antiy Labs Related Download Sites • Nothing has been uploaded. If you are interested, you can leave me your email. www.antiy.net
Antiy Labs Contact Information • Email: Seak@antiy.net www.antiy.net

Recommended

B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseStephan Chenette
 
Embeddable Antivirus engine with high granularity
Embeddable Antivirus engine with high granularityEmbeddable Antivirus engine with high granularity
Embeddable Antivirus engine with high granularityAntiy Labs
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
Testbed For Ids
Testbed For IdsTestbed For Ids
Testbed For Idsamiable_indian
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Zerovm backgroud
Zerovm backgroudZerovm backgroud
Zerovm backgroudUT, San Antonio
 
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...GeekPwn Keen
 

Recommended

B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseStephan Chenette
 
Embeddable Antivirus engine with high granularity
Embeddable Antivirus engine with high granularityEmbeddable Antivirus engine with high granularity
Embeddable Antivirus engine with high granularityAntiy Labs
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
Testbed For Ids
Testbed For IdsTestbed For Ids
Testbed For Idsamiable_indian
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Zerovm backgroud
Zerovm backgroudZerovm backgroud
Zerovm backgroudUT, San Antonio
 
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...GeekPwn Keen
 
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKACODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKACODE BLUE
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious CodeSatria Ady Pradana
 
Container intrusions Do You Even IDS
Container intrusions Do You Even IDSContainer intrusions Do You Even IDS
Container intrusions Do You Even IDSAlfredo Hickman
 
Web Security Workshop : A Jumpstart
Web Security Workshop : A JumpstartWeb Security Workshop : A Jumpstart
Web Security Workshop : A JumpstartSatria Ady Pradana
 
SEC 572 Entire Course NEW
SEC 572 Entire Course NEWSEC 572 Entire Course NEW
SEC 572 Entire Course NEWshyamuopiv
 
Virus Detection System
Virus Detection SystemVirus Detection System
Virus Detection SystemAntiy Labs
 
Data Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network IdentityData Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network IdentityAntiy Labs
 
Malware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial ViewMalware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial ViewAntiy Labs
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsAntiy Labs
 
The Evolution Theory of Malware and Our Thought
The Evolution Theory of Malware and Our Thought The Evolution Theory of Malware and Our Thought
The Evolution Theory of Malware and Our Thought Antiy Labs
 
Virus detection system
Virus detection systemVirus detection system
Virus detection systemAkshay Surve
 
Virus detection and prevention
Virus detection and preventionVirus detection and prevention
Virus detection and preventionCholo Legisma
 
Artificial Intelligence in Virus Detection & Recognition
Artificial Intelligence in Virus Detection & RecognitionArtificial Intelligence in Virus Detection & Recognition
Artificial Intelligence in Virus Detection & Recognitionahmadali999
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & preventionKhaleel Assadi
 
Cloud computing ppt
Cloud computing pptCloud computing ppt
Cloud computing pptDatta Dharanikota
 
Cloud computing simple ppt
Cloud computing simple pptCloud computing simple ppt
Cloud computing simple pptAgarwaljay
 
Introduction of Cloud computing
Introduction of Cloud computingIntroduction of Cloud computing
Introduction of Cloud computingRkrishna Mishra
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionNeel Pathak
 
Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Quick Heal Technologies Ltd.
 
Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016rajeshnikam
 

More Related Content

What's hot

CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKACODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKACODE BLUE
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious CodeSatria Ady Pradana
 
Container intrusions Do You Even IDS
Container intrusions Do You Even IDSContainer intrusions Do You Even IDS
Container intrusions Do You Even IDSAlfredo Hickman
 
Web Security Workshop : A Jumpstart
Web Security Workshop : A JumpstartWeb Security Workshop : A Jumpstart
Web Security Workshop : A JumpstartSatria Ady Pradana
 
SEC 572 Entire Course NEW
SEC 572 Entire Course NEWSEC 572 Entire Course NEW
SEC 572 Entire Course NEWshyamuopiv
 

What's hot (7)

CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKACODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
 
Container intrusions Do You Even IDS
Container intrusions Do You Even IDSContainer intrusions Do You Even IDS
Container intrusions Do You Even IDS
 
Web Security Workshop : A Jumpstart
Web Security Workshop : A JumpstartWeb Security Workshop : A Jumpstart
Web Security Workshop : A Jumpstart
 
SEC 572 Entire Course NEW
SEC 572 Entire Course NEWSEC 572 Entire Course NEW
SEC 572 Entire Course NEW
 

Viewers also liked

Virus Detection System
Virus Detection SystemVirus Detection System
Virus Detection SystemAntiy Labs
 
Data Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network IdentityData Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network IdentityAntiy Labs
 
Malware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial ViewMalware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial ViewAntiy Labs
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsAntiy Labs
 
The Evolution Theory of Malware and Our Thought
The Evolution Theory of Malware and Our Thought The Evolution Theory of Malware and Our Thought
The Evolution Theory of Malware and Our Thought Antiy Labs
 
Virus detection system
Virus detection systemVirus detection system
Virus detection systemAkshay Surve
 
Virus detection and prevention
Virus detection and preventionVirus detection and prevention
Virus detection and preventionCholo Legisma
 
Artificial Intelligence in Virus Detection & Recognition
Artificial Intelligence in Virus Detection & RecognitionArtificial Intelligence in Virus Detection & Recognition
Artificial Intelligence in Virus Detection & Recognitionahmadali999
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & preventionKhaleel Assadi
 
Cloud computing simple ppt
Cloud computing simple pptCloud computing simple ppt
Cloud computing simple pptAgarwaljay
 
Introduction of Cloud computing
Introduction of Cloud computingIntroduction of Cloud computing
Introduction of Cloud computingRkrishna Mishra
 

Viewers also liked (12)

Virus Detection System
Virus Detection SystemVirus Detection System
Virus Detection System
 
Data Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network IdentityData Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network Identity
 
Malware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial ViewMalware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial View
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and Systems
 
The Evolution Theory of Malware and Our Thought
The Evolution Theory of Malware and Our Thought The Evolution Theory of Malware and Our Thought
The Evolution Theory of Malware and Our Thought
 
Virus detection system
Virus detection systemVirus detection system
Virus detection system
 
Virus detection and prevention
Virus detection and preventionVirus detection and prevention
Virus detection and prevention
 
Artificial Intelligence in Virus Detection & Recognition
Artificial Intelligence in Virus Detection & RecognitionArtificial Intelligence in Virus Detection & Recognition
Artificial Intelligence in Virus Detection & Recognition
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & prevention
 
Cloud computing ppt
Cloud computing pptCloud computing ppt
Cloud computing ppt
 
Cloud computing simple ppt
Cloud computing simple pptCloud computing simple ppt
Cloud computing simple ppt
 
Introduction of Cloud computing
Introduction of Cloud computingIntroduction of Cloud computing
Introduction of Cloud computing
 

Similar to Virus Detection Based on the Packet Flow

Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionNeel Pathak
 
Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016rajeshnikam
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
PE Trojan Detection Based on the Assessment of Static File Features
PE Trojan Detection Based on the Assessment of Static File FeaturesPE Trojan Detection Based on the Assessment of Static File Features
PE Trojan Detection Based on the Assessment of Static File FeaturesAntiy Labs
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Reverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical GuideReverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical Guideintertelinvestigations
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Toolscentralohioissa
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationTamas K Lengyel
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...SegInfo
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Securitysedukull
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself Alert Logic
 
[CB19] tknk_scanner v2:community-based integrated malware identification syst...
[CB19] tknk_scanner v2:community-based integrated malware identification syst...[CB19] tknk_scanner v2:community-based integrated malware identification syst...
[CB19] tknk_scanner v2:community-based integrated malware identification syst...CODE BLUE
 
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Alexey Dremin
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...AI Frontiers
 
Practical White Hat Hacker Training - Vulnerability Detection
Practical White Hat Hacker Training - Vulnerability DetectionPractical White Hat Hacker Training - Vulnerability Detection
Practical White Hat Hacker Training - Vulnerability DetectionPRISMA CSI
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
 
Donu’t Let Vulnerabilities Create a Hole in Your Organization
Donu’t Let Vulnerabilities Create a Hole in Your OrganizationDonu’t Let Vulnerabilities Create a Hole in Your Organization
Donu’t Let Vulnerabilities Create a Hole in Your OrganizationDevOps.com
 
Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!ichikaway
 
Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!VAddy
 

Similar to Virus Detection Based on the Packet Flow (20)

Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
 
Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action
 
Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
PE Trojan Detection Based on the Assessment of Static File Features
PE Trojan Detection Based on the Assessment of Static File FeaturesPE Trojan Detection Based on the Assessment of Static File Features
PE Trojan Detection Based on the Assessment of Static File Features
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Reverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical GuideReverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical Guide
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
[CB19] tknk_scanner v2:community-based integrated malware identification syst...
[CB19] tknk_scanner v2:community-based integrated malware identification syst...[CB19] tknk_scanner v2:community-based integrated malware identification syst...
[CB19] tknk_scanner v2:community-based integrated malware identification syst...
 
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
 
Practical White Hat Hacker Training - Vulnerability Detection
Practical White Hat Hacker Training - Vulnerability DetectionPractical White Hat Hacker Training - Vulnerability Detection
Practical White Hat Hacker Training - Vulnerability Detection
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
 
Donu’t Let Vulnerabilities Create a Hole in Your Organization
Donu’t Let Vulnerabilities Create a Hole in Your OrganizationDonu’t Let Vulnerabilities Create a Hole in Your Organization
Donu’t Let Vulnerabilities Create a Hole in Your Organization
 
Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!
 
Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!
 

Recently uploaded

Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold JewelryEffective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold JewelryWhittensFineJewelry1
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdfShaun Heinrichs
 
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdftrending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdfMintel Group
 
Go for Rakhi Bazaar and Pick the Latest Bhaiya Bhabhi Rakhi.pptx
Go for Rakhi Bazaar and Pick the Latest Bhaiya Bhabhi Rakhi.pptxGo for Rakhi Bazaar and Pick the Latest Bhaiya Bhabhi Rakhi.pptx
Go for Rakhi Bazaar and Pick the Latest Bhaiya Bhabhi Rakhi.pptxRakhi Bazaar
 
EUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersEUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersPeter Horsten
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environmentelijahj01012
 
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdfChris Skinner
 
Jewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreJewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreNZSG
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Americas Got Grants
 
WSMM Technology February.March Newsletter_vF.pdf
WSMM Technology February.March Newsletter_vF.pdfWSMM Technology February.March Newsletter_vF.pdf
WSMM Technology February.March Newsletter_vF.pdfJamesConcepcion7
 
BAILMENT & PLEDGE business law notes.pptx
BAILMENT & PLEDGE business law notes.pptxBAILMENT & PLEDGE business law notes.pptx
BAILMENT & PLEDGE business law notes.pptxran17april2001
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers referencessuser2c065e
 
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...ssuserf63bd7
 
Appkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxAppkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxappkodes
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03DallasHaselhorst
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Anamaria Contreras
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfShashank Mehta
 
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...Associazione Digital Days
 

Recently uploaded (20)

Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold JewelryEffective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf
 
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptxThe Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
 
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdftrending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
 
Go for Rakhi Bazaar and Pick the Latest Bhaiya Bhabhi Rakhi.pptx
Go for Rakhi Bazaar and Pick the Latest Bhaiya Bhabhi Rakhi.pptxGo for Rakhi Bazaar and Pick the Latest Bhaiya Bhabhi Rakhi.pptx
Go for Rakhi Bazaar and Pick the Latest Bhaiya Bhabhi Rakhi.pptx
 
EUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersEUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exporters
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environment
 
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
 
Jewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreJewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource Centre
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...
 
WSMM Technology February.March Newsletter_vF.pdf
WSMM Technology February.March Newsletter_vF.pdfWSMM Technology February.March Newsletter_vF.pdf
WSMM Technology February.March Newsletter_vF.pdf
 
BAILMENT & PLEDGE business law notes.pptx
BAILMENT & PLEDGE business law notes.pptxBAILMENT & PLEDGE business law notes.pptx
BAILMENT & PLEDGE business law notes.pptx
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers reference
 
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
 
Appkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxAppkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptx
 
WAM Corporate Presentation April 12 2024.pdf
WAM Corporate Presentation April 12 2024.pdfWAM Corporate Presentation April 12 2024.pdf
WAM Corporate Presentation April 12 2024.pdf
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdf
 
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
 

Virus Detection Based on the Packet Flow

  • 1. Antiy Labs Virus Detection Based on the Packet Flow Seak@antiy.net
  • 2. Antiy Labs Foreword • Worms and other network viruses are more and more common and VXers have become more familiar with hacking techniques, as a result, network security technology and anti-virus technology are more and more integrated. • Developers hope to extend the anti-virus capabilities of firewalls, IDS and GAP products. Though they can be combined with the file-level detection of traditional anti- virus vendors, there are still some problems. • This presentation attempts to explore the integration point of network security technology and anti-virus technology - virus detection based on network packet flow. www.antiy.net
  • 3. Antiy Labs 1. A Comparison of Two Detection Methods’ Granularity • We will take the extremely coarse anti-virus rules of snort as an example. • In the latest snort virus.rules, up to 24 rules are used to detect the worm named NewApt, which accounts for 28% of all VX rules www.antiy.net
  • 4. Antiy Labs Coarse File Name Detection content: "filename="THEOBBQ.EXE""; content: "filename="GADGET.EXE""; content: "filename="COOLER3.EXE""; content: "filename="IRNGLANT.EXE""; content: "filename="PARTY.EXE""; content: "filename="CASPER.EXE""; content: "filename="HOG.EXE""; content: "filename="FBORFW.EXE""; content: "filename="GOAL1.EXE""; content: "filename="SADDAM.EXE""; content: "filename="PIRATE.EXE""; content: "filename="BBOY.EXE""; content: "filename="VIDEO.EXE""; content: "filename="MONICA.EXE""; content: "filename="BABY.EXE""; content: "filename="GOAL.EXE""; content: "filename="COOLER1.EXE""; content: "filename="PANTHER.EXE""; content: "filename="BOSS.EXE""; content: "filename="CHESTBURST.EXE""; content: "filename="G-ZILLA.EXE""; content: "filename="FARTER.EXE""; content: "filename="COYPER..EXE""; content: "filename="CUPID2.EXE""; www.antiy.net
  • 5. Antiy Labs Low Detection Granularity After analysis, we found that there are 26 Worm.NewApt attachment files, not 24. Rules from C&D are correct. We hope to improve Code&Disassemblers besides Capture&Decode. www.antiy.net
  • 6. Antiy Labs Flaws of Attachment File Name Detection • It can do nothing to worms that randomly choose attachment file names or extract local file names. • When a normal attachment file triggers a false alarm, users will panic. In addition, renaming the file name is the easiest way to modify worms. www.antiy.net
  • 7. Antiy Labs High-Granularity Detection • From the perspective of file system-based virus analysis, I-worm.NewApt can be totally detected by the following signature string: | 680401000056FF152CC04000568B 75106884F7400056E8CC0800005903C650 E83B07000083C40C6880F7400056E8B50 800005903C650……| www.antiy.net
  • 8. Antiy Labs Problem 1 Differences on Network Detection and File detection • Worms spread via network encoded with base64, not as binary files. The following is the corresponding base64 code of the virus signature code. GgEAQAAVv8VLMBAAFaLdRBohPdAAFboz AgAAFkDxlDoOwcAAIPEDGiA90AAVui1CAA AWQPGUOgkBwAAoeQBQQBZWUBQVuidC AAAWQPGUGjo90AA/9ej5AFBA…… • A new problem comes up: how to process |0d 0a|? www.antiy.net
  • 9. Antiy Labs Problem 2 Requirements of the Signature Code It can’t be arbitrarily chosen. Instead, it should correctly detect without false positives. •Length requirement •Complexity requirement •Other requirements www.antiy.net
  • 10. Antiy Labs Problem 3 How to Meet Multi-Layer Needs • IDS rules are the starting point of problem 3. • Can we prevent malware from entering the intranet? • Can we extend anti-virus capabilities to firewalls and Gap products? • Can we build a virus monitoring mechanism, or even directly cut off worm spread in backbone networks ? www.antiy.net
  • 11. Antiy Labs Preparations for Independent Virus Analysis • It is a piece of cake for network security pros to analyze worms and extract signatures. But we should note that a series of tasks needs to be done: • Build a virus capture network, and get new virus samples as soon as possible • Build a complete sample database • Build a signature analysis mechanism, and avoid omission and false positives • Warning: For firewall or IDS development departments, it is far too wasteful to build a Virus CERT www.antiy.net
  • 12. Antiy Labs 2. Combing File-Level Antivirus Technologies • Anti-virus technology requires experience, so there are certain thresholds. For this reason, combining the technologies of traditional antivirus vendors is a good choice. • Some b-grade antivirus vendors also turn to providing an AV SDK for other network security vendors and service providers. • On the other hand, more antivirus vendors are actively expanding their network security product line, in order to build a complete solution. www.antiy.net
  • 13. Antiy Labs Description of Traditional Antivirus Technologies File Format Recognition Module Y Format Processing Format Processing Module Y Pre-Processing Pre-Processing Module Categorization Detection Engine www.antiy.net
  • 14. Antiy Labs Integration with Traditional Antivirus Technologies • Traditional antivirus technologies are based on files. They are used to build a gateway server based file system or application-layer proxy. • Case-in-point: the antivirus system of hotmail • The antivirus gateway of Trend Micro www.antiy.net
  • 15. Antiy Labs Advantages of Integration with traditional Antivirus Technologies • Good for integration with application-level gateways • Various known viruses can be detected • Support for compressed formats www.antiy.net
  • 16. Antiy Labs Problems of Traditional Antivirus Network-Level Applications • They must restore specific files, leading to a series of problems: • High resource consumption and low efficiency • Can’t process Malware such as Stuxnet II and Code Red • Can’t respond to and process network-level situations in real-time • Protocols such as UDP can’t restore to files without high cost • Can we build a virus detection mechanism on the flow level or the packet level? www.antiy.net
  • 17. Antiy Labs 3. Virus Detection Based on the Flow and Packet • Virus analysis technologies • Network transmission forms • We developed a usable Virus Catcher SDK www.antiy.net
  • 18. Antiy Labs Detection on the Flow-Level and Packet-Level Virus Catcher Virus Catcher Virus Steam Packet Catcher File Binary Virus √ √ √ Detection Module Email Worm √ √ √ Detection Module URL Detection √ √ Module Script Detection √ √ Module www.antiy.net
  • 19. Antiy Labs Comparison on Packet-Level and File-Level Detection Transmission of scan objects struct se_data { unsigned long src_ip,dst_ip; //source IP, target IP unsigned short src_port,dst_port; //source port, target port unsigned long protocol; //protocol type(used by response processing module) unsigned char * data; //data to be scanned unsigned long len; //length of data to be scanned }; www.antiy.net
  • 20. Antiy Labs Comparison on Packet-Level and File-Level Detection Processing methods: int vise_response(unsigned long vi_id,//Virus code unsigned long src_ip, //source IP unsigned short src_port, //source port unsigned long dst_ip, //target IP unsigned short dst_port, //target port unsigned long protocol); //network protocol(specific protocol) www.antiy.net
  • 21. Antiy Labs Not Simple Technology Mixing • Packet-level detection ≠ traditional virus database +high-speed matching algorithm • Why can’t current antivirus systems be used for packet-level detection? • Detection mechanism of file-level antivirus software: File formats, preprocessing, virtual machine, signature code |B3 03 B4 38 81 03 F3 B4 38 81 8C C8 B7 38 81 8C DB B5 38 81 39 C3 B4 38 81 74 11 B4 | ->|B303B4 ?1 03F3B4 ?1 8CC8B7 ?1 8CDBB5 ?1 39C3B4 ?1 7411B4| www.antiy.net
  • 22. Antiy Labs Problems Solved • High-speed matching: 2Gbps • Signature codes are cut • High-speed pre-processing • High-quality signature codes • Transparent processing www.antiy.net
  • 23. Antiy Labs Unsolved Problems • Complex metamorphic viruses • Encrypted Macro viruses • Compressed formats www.antiy.net
  • 24. Antiy Labs Technical Conclusion • Reliable virus processing focuses on the system and the file level • Packet-level detection can’t solve all virus problems, so it can’t replace traditional antivirus products • Technologies are not always complete, but they can still be used to solve practical issues • Antivirus technologies will never be complete, but they sure can help us a lot www.antiy.net
  • 25. Antiy Labs Technical Application • Antivirus modules in firewalls and GAP products • More reliable IDS Worm rule set • Independent backbone network anti-virus module www.antiy.net
  • 26. Antiy Labs Examples Log Us er View Log (fro m Vi e w L og ) (f rom Ac tors ) Alert (fro m Al e rt) Log Setup Sys tem Sys tem Adm inis trator (fro m Se tup Syste m ) (f rom Ac tors ) System Adm in Scan Virus at Packet Level Network Sniffer (fro m Sca n Vi rus a t Pa cket L e ve l ) (f rom Ac tors ) Datab ase Cert User Maintain Virus Databas e (f rom Ac tors ) (fro m M ai n ta i n Vi ru s Datab a s ) e www.antiy.net
  • 27. Antiy Labs Application Purposes • Used in packet detection and gateway/firewall antivirus systems to prevent malware from spreading. • Protect users who are not aware enough of malware damages • Virus monitoring on backbone networks www.antiy.net
  • 28. Antiy Labs Related Download Sites • Nothing has been uploaded. If you are interested, you can leave me your email. www.antiy.net
  • 29. Antiy Labs Contact Information • Email: Seak@antiy.net www.antiy.net