Study of Anti-Virus Software Detection Evasion Techniques
1. To Study Of Anti-Virus Software
Prepared By :
Pradeep K. Rajyaguru
115030693013
Ankit K. Solanki
115030693041
Guided By:
Prof. V.A. Gandhi
B.H.Gardi College Of Engg. & Tech. Department of M.C.A.
2. Topic to be covered
• Introduction
• Malware Threats
• Type of Viruses
• Other Malwares
• Types of Attacks
• Anti-virus
• Recent Trends in Malware
• Threat Model
• Code Hiding
• Building Blocks
• Design
• Prototype
• Conclusion and Research
3. Introduction
• The Internet is a collection of interconnected computers. People rely on the Internet
to communicate, share files, read news, and most importantly for financial
transactions.
• Recent studies and research show that a computer connected to the Internet
may experience an attack every 39 seconds, in part because of low awareness among
people regarding attacks.
• The war between virus creators and anti-virus developers has been going on since the
birth of the earliest viruses in the eighties.
• Any anti-virus software must perform three functions: detection, identification
and removal of malicious code. The goal of any virus writer is to design a
virus that can evade detection.
4. Continue...
• When virus writers realised that the anti-virus program was their biggest enemy, they
came up with the idea of attacking the anti-virus program itself and paralysing the
functions of the anti-virus system.
How Anti-virus works
5. Security in consumer computing
• Consumer computers are very attractive to intruders because it is fairly easy to gain
access to them using the many hacking resources available online.
• This enables the hacker to use the compromised machine to easily steal secret data
such as passwords to bank accounts, credit card numbers and social security
numbers.
• The compromised machines can also be made part of a huge botnet that can
be used to launch Denial of Service attacks on servers.
• Software such as anti-virus solutions and firewalls offer some protection to
users against attacks; however, they are not completely effective. The reason for
this is that anti-virus relies on virus definitions and known behavioural patterns
to identify malicious code.
6. Malware Threats
• Malware is short for "malicious software." Malware is any kind of unwanted
software that is installed without your adequate consent. Viruses, worms, and
Trojan horses are examples of malicious software that are often grouped
together and referred to as malware.
• In the early days they were designed to cause disruption, but nowadays they are
designed to steal secret information such as passwords, credit card numbers
and social security numbers, providing some sort of financial gain for their
developers.
7. Types of Virus
• Boot Virus: These types of viruses operate by infecting the Master Boot Record
(MBR) of a PC. Example: ‘POLYBOOT.B’.
• Parasitic viruses / File Infectors: This type of virus attaches itself to files or executables,
leaving the contents of the file unchanged.
• Date viruses / Logic Bombs / Time Bombs: These are types of viruses that reside in a machine
and get triggered by some event such as a particular date or a day of the week. Example: ‘Sunday’.
• Macro Virus: These are programs that take advantage of the macro utilities that are
built into programs like Excel and Word. Example: ‘Concept’ for Word 95.
8. Continue..
• Encrypted Virus: This is a type of virus whose body is encrypted. The virus itself contains
the key for decryption and a decryption engine. This method is
used to hide the virus from signature detection. Example: ‘Cascade’.
• Polymorphic Virus: It is the same as an Encrypted Virus, but in addition it also has a mutation
engine that creates new encryption schemes for every infection. Example: ‘1260’.
• Stealth Virus: This type of virus attempts to hide its presence by hooking some system
calls. A recent worm called ‘Lion’ installs a rootkit and then makes various
hooks and system modifications to prevent any scanner from capturing its
presence.
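As an added illustration (not code from the original presentation): a toy Python scanner showing why a plain signature scan over the bytes on disk misses an encrypted virus body, while a scanner that either matches the decryptor stub or emulates it and scans the decrypted body still detects it. The signature, the stub marker and the single-byte XOR scheme are all constructed stand-ins for illustration, not real definitions or malware.

```python
# Constructed toy: a fixed byte pattern stands in for an entry in a virus
# definition file. It is not a real signature.
SIGNATURE = b"VIRUS_BODY_MARKER"
STUB_MARKER = b"DECRYPT_STUB"  # constructed stand-in for a decryptor routine


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the toy 'encryption' used by the constructed sample."""
    return bytes(b ^ key for b in data)


def build_encrypted_sample(key: int) -> bytes:
    """Constructed file image: decryptor stub carrying its own key, then the
    XOR-encrypted body. Only the key (and therefore the body) changes per copy."""
    return STUB_MARKER + bytes([key]) + xor_bytes(SIGNATURE, key)


def scan_raw(image: bytes) -> bool:
    """Plain signature scan over the bytes as stored on disk."""
    return SIGNATURE in image


def scan_stub(image: bytes) -> bool:
    """Match the decryptor stub itself: constant for an encrypted virus, but a
    polymorphic mutation engine would rewrite it for every infection."""
    return STUB_MARKER in image


def scan_with_emulation(image: bytes) -> bool:
    """Emulate the stub: read the key it carries, decrypt the body into a
    buffer, then apply the signature to the decrypted bytes. Works for any key."""
    idx = image.find(STUB_MARKER)
    if idx < 0:
        return False
    key_pos = idx + len(STUB_MARKER)
    if key_pos >= len(image):
        return False
    key = image[key_pos]
    body = image[key_pos + 1:]
    return SIGNATURE in xor_bytes(body, key)


def scan_report(image: bytes) -> dict:
    """Run all three scanners on one image so the differences are visible."""
    return {"raw": scan_raw(image), "stub": scan_stub(image),
            "emulated": scan_with_emulation(image)}
```

Two copies built with different keys have different bodies, so the raw scan fails on both, while the stub match and the emulated scan succeed on both.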
9. Other Malware
• Trojan Horse: This is a program that enters a machine disguised as, or embedded inside,
legitimate software. The Trojan looks harmless or interesting to a
user, but is actually very harmful when executed.
• Worms: A computer worm is a standalone malware program that
replicates itself in order to spread to other computers. Worms almost always cause
at least some harm to the network.
• Rootkit: The term rootkit is derived from the UNIX term root. It is a malicious program that
obtains administrator privileges and manipulates other processes in the system. It was
designed to give administrator privileges to the attacker.
13. Literature Review
• Secret Data Protection
• Smart cards
Common Access Card
IBM's PCI Crypto Card
SET
• HD-DVD Encryption
• Distributed software for secret protection
• Software based approach for secret management
14. Code-Hiding
• Code Obfuscation
• Code hiding by malicious programs
• Shadow Walker
• SubVirt
• Blue Pill
• Code Injection
Before Infection
After Infection
15. Threat Model
• Internet Threat Mode
• Shortcomings of ITM
• Viral Threat Model
Internet Threat Model
Threat posed by malware
16. Building Blocks
• Injecting Code in Logon process
• Shortcomings
• Watch Processes
Watch Process to monitor anti-virus
• Shortcomings
• Install as a Different Process
• Shortcomings
Query results before camouflaging the anti-virus software
Query results after camouflaging the anti-virus software
17. Design
• Installing the Program
• Starting the Process
• Execution of the Process
• Watch Processes
• Shut Down Events
• Virus Definition Files
• Whitelists
• Storage of definition file
Storing image files
18. Prototype
• Placing start up information in Windows system process
• Code Injection
• Injecting Libraries
• Injecting Code
• Overhead and Performance
System Overhead
19. Conclusion and Future Research
• In this research, an approach was presented to improve the reliability of the
anti-virus process by hiding its presence from other processes on the machine,
because if malware infects any process of the system then no component of a
consumer computer can be trusted.
• To solve this problem, the approach changes the name of the file and the
registry entry by installing the process under a different name. This helps in
working around attacks that scan the registry entries and the file system to
identify the anti-virus program.
• After this, the process was continuously migrated to different address spaces to
avoid detection by any malware. By moving the code at regular intervals of
time, a snapshot of the system's processes would not be very useful in killing the
anti-virus process, as it would have migrated to another process space while the
results of the snapshot are calculated. After this, multiple watch processes were
installed to detect if the anti-virus program is shut down at any point of time.
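As an added example (not the prototype's own code), the watch-process idea from the design and conclusion in Python: a supervisor that detects that the supervised process has been shut down and restarts it in the next supervision cycle. The supervised program is a constructed stand-in (an idle Python child), and the shutdown is simulated in-process so the behaviour can be checked offline.

```python
import subprocess
import sys

# Constructed stand-in for the supervised anti-virus process: an idle Python
# child. Any long-running command would do.
SUPERVISED_CMD = [sys.executable, "-c", "import time; time.sleep(60)"]


class WatchProcess:
    """One watch process: checks that the supervised process is still running
    and restarts it when a shutdown is detected."""

    def __init__(self, cmd=SUPERVISED_CMD):
        self.cmd = cmd
        self.proc = subprocess.Popen(cmd)
        self.restarts = 0

    def is_alive(self) -> bool:
        # poll() returns None while the child is still running.
        return self.proc.poll() is None

    def check(self) -> bool:
        """One supervision cycle. Returns True if a restart was performed."""
        if self.is_alive():
            return False
        self.proc = subprocess.Popen(self.cmd)
        self.restarts += 1
        return True

    def stop(self) -> None:
        """Orderly teardown of the supervised child."""
        self.proc.kill()
        self.proc.wait()


def simulate_shutdown_event() -> dict:
    """Constructed scenario: the supervised process is shut down from outside,
    and the watch process notices and recovers it in a single cycle."""
    watcher = WatchProcess()
    try:
        old_pid = watcher.proc.pid
        healthy_cycle = watcher.check()          # running: nothing to do
        watcher.proc.kill()                      # the simulated shutdown event
        watcher.proc.wait()                      # reap so poll() reports exit
        restarted = watcher.check()              # cycle detects it and restarts
        return {"healthy_cycle": healthy_cycle, "restarted": restarted,
                "restarts": watcher.restarts,
                "pid_changed": watcher.proc.pid != old_pid,
                "alive_after": watcher.is_alive()}
    finally:
        watcher.stop()
```

In the design described above several such watch processes would supervise the anti-virus process and each other, so that shutting down any single one does not leave the others unmonitored.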