SlideShare a Scribd company logo

Virus vs Anti-Virus

Download as PPT, PDF
S
SamarAhmadKhan1

This is the presentation on Virus and Anti-Virus

Internet
1 of 44
Virus vs Anti-Virus: The Arms Race Samar Ahmad Khan # samarahmad5233@gmail.com
Outline  Viruses  Anti-Viruses  Discussion
Viruses  A virus is “a program that can ‘infect other programs by modifying them to include a possibly evolved copy of itself.” - Fred Cohen  Fred Cohen seems to have been the first to define the term virus, but the concept had been discussed earlier and there were some viruses out in the wild before he began his research.  Link to virus history
Example of a virus  In his 1984 Turing award acceptance speech to the ACM, Ken Thompson related the story of how he modified the C compiler to insert a backdoor into the UNIX login program and to insert his modifications into any C compiler compiled using his modified compiler.  Slick—no trace of the backdoor remains in any source code!
Viruses example  The WM.Nuclear Microsoft Word macro virus infects Word documents during opening, saving, and printing by adding a set of macros to them. On April 5th it attempts to overwrite critical system files, and it occaisonally adds the text "STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!" to the current document. (Information from Symantec’s security bulletin.)
Worms are not viruses  The VBS.SST@mm “Anna Kournikova” malware is a worm, not a virus, because it e- mails copies of itself but does not infect any other documents. (Information about VBS.SST@mm from Symantec’s security bulletin.)
Malware terminology  We found a web site listing 56 different terms related to viruses and malware, including:  backdoor  boot sector viruses  Encrypted virus  Hoax  Micro virus  …
Virus statistics  Here are some statistics from 2000 we found on the web:  Over 85% of all the known viruses are for Microsoft platforms (nearly all the self-propagating worms are as well)  Slightly less than 52,000 are viruses for DOS/Windows/NT platforms - about 6000 of these are Word macro viruses - about 150-200 of these are known to be widespread "in the wild" - in 1999, approximately 650 new viruses were reported each month (more than 20 a day)
Virus statistics  More statistics from the same site  A few hundred are for Javascript, Hypercard, Perl, and other scripting languages. Few of these can spread beyond a few machines without active support of the users  150 are for the Atari  31 are native to the Macintosh, and only two of them are known to exist anymore  2 or 3 are viruses native to OS/2
Virus statistics (cont’d)  More statistics from the same site  About 5 are for Linux/Unix/etc, but none have been found in quantity "in the wild", nor would they be likely to spread very far if they were "loose"  None are for BeOS, ErOS, or other small- population systems.  Question: can we reduce the risk of getting a virus infection by not using Microsoft products?
Example virus  Fred Cohen’s example virus: program virus := { 1234567; subroutine infect-executable := { loop:file = get-random-executable-file; if first-line-of-file = 1234567 then goto loop; prepend virus to file; } subroutine do-damage := { whatever damage is to be done } subroutine trigger-pulled := { return true if some condition holds } main-program := { infect-executable; if trigger-pulled then do-damage; goto next;} next: }
More about viruses  Viruses aren’t necessarily hard to write  Cohen reports that his first virus took only 8 hours for an experienced programmer to write.  Viruses aren’t necessarily big  Cohen reports on a UNIX shell script virus that was only 7 lines long
Viruses aren’t necessarily malware  Cohen describes a hypothetical virus that compresses executables to conserve disk space.
Viruses can be malicious in many ways  Virus payloads could:  Carry out a denial of service attack  Crash the machine  Randomly destroy data  Install a trojan horse program  Perform password cracking  … and basically any other nasty thing you can think of.
Making matters worse…  Virus payloads may not trigger immediately. If a virus has few detectable side effects, it could spread without notice and become widespread before the payload is triggered.  Question: is it possible that there are viruses in the wild today that have infected large numbers of systems but have gone unnoticed because they have few if any side effects and have not yet triggered their destructive payloads?
Isolation  One way to protect against infection is to isolate systems, users, and/or information to make it difficult or impossible for a virus to spread widely.  Total isolation is a sure cure.  Total isolation probably isn't practical for most users…  Imagine life without google … without BitTorrent … without Amazon.com …
Partitioning  If we can’t isolate systems and users from each other completely, maybe we can erect partitions to limit the spread of malware.  It was thought that the Bell-LaPadula model might help limit the spread of viruses, but Cohen reports that “viruses demonstrated the ability to cross users boundaries and move from a given security level to a higher security level.”
Partitioning (continued)  According to Cohen, the Biba and Bell- LaPadula models, if combined, would tend to create partitions.  Unfortunately: “When we mix the Biba and Bell- LaPadula models, we find that the resulting isolationism secures us from viruses, but doesn’t permit any user to write programs that can be used throughout the system.” – Cohen
Bad news about partitioning  Transitivity is a problem:  “If there is a path from user A to user B, and there is a path from user B to user C, then there is a path from user A to user C with the witting or unwitting cooperation of user B.” – Cohen  The military uses a category system in which users can only access information needed for their current duties. But, some users have simultaneous access to multiple categories…
More bad news…  According to Cohen “a precise system for integrity is NP-complete” and “any non-NP complete solution must tend toward isolationism.”  If a system restricts user’s actions unnecessarily, it will be unpopular…
And the hits just keep on coming…  Cohen notes that flow distance and flow list models may limit virus spread.  Flow distance restrictions limit how far information can travel.  Flow lists allow more arbitrary expressions for accessibility based on the list of users who have had an effect on an object.  BUT: “tracing exact information flow requires NP- complete time, and maintaining markings requires large amounts of space.”
Prevention by law  Couldn’t we just make it against the law? “By simply telling users not to launch attacks, little is accomplished; users who can be trusted will not launch attacks; but users who would do damage cannot be trusted, so only legitimate work is blocked.” - Cohen
Limited interpretation  If a given document is interpreted, and the interpreter lacks commands like “write file,” it may be impossible for it to have a virus  Graphics files are probably immune  Except AnnaKournikova.jpg.vbs   Documents that can hold scripts probably aren’t  Word documents can contain macro viruses such as WM.Nuclear
Detection  If we can’t limit the spread of a virus, maybe we can find it and quarantine infected files…  Unfortunately, no general algorithm for detecting virus behavior is possible.  Cohen argues this by proposing a virus that infects only when the detection algorithm thinks it isn’t a virus.  Anti-virus programs must make do with more limited solutions, such as scanning for a virus signature.
Virus detection problems  According to Cohen, the following are undecidable:  Detection of a virus by its appearance  Detection of a virus by its behavior  Detection of an evolution of a known virus  Detection of a triggering mechanism by its appearance  Detection of a triggering mechanism by its behavior  Detection of an evolution of a known triggering mechanism  Detection of a virus detector by its appearance  Detection of a virus detector by its behavior  Detection of an evolution of a known viral detector
Detection by signature  Rather than implement a general solution, virus scanners look for virus signatures.  These signatures could be as small as a few bytes or as large as the entire virus code.  If a virus scanner uses the whole virus code as a signature, it may not be able to find simple variants of a virus.  However, if a virus uses a very small signature, it may incorrectly infections that aren’t there.
Updated signatures  Anti-virus companies must release new signatures each time a new virus is discovered  A virus’s spread is unimpeded for a while…  According to Andreas Marx of AV-Test.org, it took Symantec 25h 5m to release an updated signature file in response to the W32/Sober.C worm attack.
The arms race  In order to make it hard for virus scanners to detect their vurises, virus writers can add morphing behavior to their creations:  “A polymorphic virus ‘morphs’ itself in order to evade detection. … Metamorphic viruses attempt to evade heuristic detection techniques by using more complex obfuscations.” – Christodorescu and Jha
More bad news…  Cohen argues that no general solution for proving the equivalence of two programs is possible.  His argument follows the same form as his argument against a general algorithm for virus detection: he proposes a virus in which two different infection instances will behave differently when a watching antivirus program believes they are the same.
Morphing  A virus may morph itself by:  Encrypting part of itself using a different key for each infection  Changing variable names (in a script virus)  Binary obfuscation techniques (more on this later)  Polymorphic virus examples:  Chameleon -- first polymorphic virus, 90’s  A partial list of the viruses that can be called 100 percent polymorphic (late 1993): Bootache, CivilWar (four versions), Crusher, Dudley, Fly, Freddy, Ginger, Grog, Haifa, Moctezuma (two versions), MVF, Necros, Nukehard, PcFly (three versions), Predator, Satanbug, Sandra, Shoker, Todor, Tremor, Trigger, Uruguay (eight versions). – at link Virus-Scan-Software
Arming the virus writers  If virus author knew what the anti-virus programs look for, he or she could design a virus that they wouldn’t find…  Example: in the early 90s there were a few MS-DOS 'stealth' viruses that could interrupt a virus-scanning program's attempt to read the boot record and show it a clean versions rather than what was really there.  See Symantec’s description of the Stealth_boot virus.  "Frodo.4096" virus, first Stealth virus  “Beast.512" Stealth virus, less than a year after Frodo.4096  More on this at Virus-Scan-Software
Extracting signatures  Christodorescu and Jha report on a technique for extracting the signature used by a given antivirus program.  Basically they obfuscate parts of the program and determine what has to remain unobfuscated for the antivirus program to find the virus.  FYI there is a typo in the paper: the conditions on the loop in the SignatureExtraction function cause it to never execute…  They say it “was successful in many cases.”
Binary obfuscation techniques  The goal of binary obfuscation is to make it difficult to obtain an assembly-language description of a program from its raw bytes  You need to turn raw bytes back into assembly code before you can decompile  You can obfuscate by:  Garbage insertion (more in a minute)  Variable renaming  Code reordering  Encapsulating/encrypting code or data  …
x86 binary obfuscation  If you create unused regions in the executable and fill them with garbage bytes, the variable-length nature of the x86 instruction set can cause disassemblers to think that the legitimate instructions following the garbage are in fact operands.  You can use a conditional branch instruction to do an unconditional jump—disassemblers assume no garbage bytes at the target address or following the branch instruction.
Better obfuscation  Linn and Debray describe obfuscation using a branch function  This function in turn branches to another target depending on where it is called from.  This makes determining which parts of the program are real by following the branch instructions difficult.  The function can return to an instruction one or more bytes after the usual return point, opening up a region to insert more garbage bytes into.
Advances in disassembly  Kruegel, Robertson, Valeur and Vigna describe a disassembler that is able to correctly disassemble most instructions from a program obfuscated by the obfuscator Linn and Debray describe.
Dissasembly in detail  Static analysis techniques  Linear sweep  GNU's objdump uses linear sweep  Gets confused by garbage bytes in unreachable areas  Recursive traversal following control flow  Drawback: indirect jumps  Doesn’t always “see” the whole binary  Speculative disassembly  Hybrid approach
Now for some good news  “This arms race is usually in favor of the de- obfuscator. The obfuscator has to devise techniques that transform the program without seriously impacting the run-time performance or increasing the binary's size or memory footprint while there are no such constraints for the de-obfuscator.” - Kruegel et al
AV tool resistance to obfuscation  Christodorescu and Jha claim “the state of the art for malware detectors is dismal!”  They propose a testing technique and then use it to show that the tested virus scanners were not generally able to identify the sampled viruses when they were obfuscated by code reordering or encapsulation.
AV tool resistance to obfuscation (cont’d)  This doesn’t mean that these products aren’t capable of detecting morphing viruses—the viruses in the sample set did not perform these morphs in the wild.  This does mean that in order to protect against a new virus that is just a simple modification of one of these existing viruses the AV companies would have to release a new signature file.
Known clean system  Some virus detection techniques require you to start from a clean system.  DOS users used clean boot disks to defeat stealth viruses…  But is it always possible to get to a known clean state?  What if every UNIX vendor had been infected with Ken Thompson’s C compiler virus? Even their “clean” distribution media would be infected…
Discussion  Obfuscation vs deobfuscation, who can win?
Discussion (cont’d)  Anti-virus can win in the future?
Questions? Thanks

Recommended

Fighting computer viruses
Fighting computer virusesFighting computer viruses
Fighting computer virusesNguyễn Anh
 
Virus
VirusVirus
Virusdddaou
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & preventionKhaleel Assadi
 
How computer works against thevirus or any threat
How computer works against thevirus or any threatHow computer works against thevirus or any threat
How computer works against thevirus or any threatSadaf Walliyani
 
A critical look at the regulation of computer viruses
A critical look at the regulation of computer virusesA critical look at the regulation of computer viruses
A critical look at the regulation of computer virusesUltraUploader
 
Computer viruses
Computer virusesComputer viruses
Computer virusesRaviteja Chowdary Adusumalli
 
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesBiologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesUltraUploader
 
A generic virus detection agent on the internet
A generic virus detection agent on the internetA generic virus detection agent on the internet
A generic virus detection agent on the internetUltraUploader
 

Recommended

Fighting computer viruses
Fighting computer virusesFighting computer viruses
Fighting computer virusesNguyễn Anh
 
Virus
VirusVirus
Virusdddaou
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & preventionKhaleel Assadi
 
How computer works against thevirus or any threat
How computer works against thevirus or any threatHow computer works against thevirus or any threat
How computer works against thevirus or any threatSadaf Walliyani
 
A critical look at the regulation of computer viruses
A critical look at the regulation of computer virusesA critical look at the regulation of computer viruses
A critical look at the regulation of computer virusesUltraUploader
 
Computer viruses
Computer virusesComputer viruses
Computer virusesRaviteja Chowdary Adusumalli
 
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesBiologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesUltraUploader
 
A generic virus detection agent on the internet
A generic virus detection agent on the internetA generic virus detection agent on the internet
A generic virus detection agent on the internetUltraUploader
 
A history of computer viruses three special viruses
A history of computer viruses three special virusesA history of computer viruses three special viruses
A history of computer viruses three special virusesUltraUploader
 
Dilsher idrees mustafa_6_a_vulnerabilities_study
Dilsher idrees mustafa_6_a_vulnerabilities_studyDilsher idrees mustafa_6_a_vulnerabilities_study
Dilsher idrees mustafa_6_a_vulnerabilities_studydilsherece
 
Computer Viruses- B S Kalyan Chakravarthy
Computer Viruses- B S Kalyan ChakravarthyComputer Viruses- B S Kalyan Chakravarthy
Computer Viruses- B S Kalyan ChakravarthyDipayan Sarkar
 
A failure to learn from the past
A failure to learn from the pastA failure to learn from the past
A failure to learn from the pastUltraUploader
 
Codigo Malicioso
Codigo MaliciosoCodigo Malicioso
Codigo MaliciosoJose Manuel Acosta
 
Search Diverse Models for Proactive Software Diversification
Search Diverse Models for Proactive Software DiversificationSearch Diverse Models for Proactive Software Diversification
Search Diverse Models for Proactive Software DiversificationFoCAS Initiative
 
Computer viruses 911 computer support
Computer viruses 911 computer supportComputer viruses 911 computer support
Computer viruses 911 computer supportbozzerapide
 
A history of computer viruses introduction
A history of computer viruses introductionA history of computer viruses introduction
A history of computer viruses introductionUltraUploader
 
14 household ways to protect your computer from viruses
14 household ways to protect your computer from viruses14 household ways to protect your computer from viruses
14 household ways to protect your computer from virusesar-rifke.com
 
Modeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsModeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsIOSR Journals
 
Viruses
VirusesViruses
Virusesprakhar vajpai
 
Virus
VirusVirus
Virusritu1606089
 
Virus and Anti virus
Virus and Anti virusVirus and Anti virus
Virus and Anti virusFaisal Hassan
 
20111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture0220111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture02Computer Science Club
 
A generic virus scanner in c++
A generic virus scanner in c++A generic virus scanner in c++
A generic virus scanner in c++UltraUploader
 
Automated worm fingerprinting
Automated worm fingerprintingAutomated worm fingerprinting
Automated worm fingerprintingUltraUploader
 
341 346
341 346341 346
341 346Editor IJARCET
 
A bit of viral protection is worth a megabyte of cure
A bit of viral protection is worth a megabyte of cureA bit of viral protection is worth a megabyte of cure
A bit of viral protection is worth a megabyte of cureUltraUploader
 
Eh34803812
Eh34803812Eh34803812
Eh34803812IJERA Editor
 
ANTIVIRUS AND VIRUS Powerpoint presentation
ANTIVIRUS AND VIRUS Powerpoint presentationANTIVIRUS AND VIRUS Powerpoint presentation
ANTIVIRUS AND VIRUS Powerpoint presentationabhijit chintamani
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & preventionKhaleel Assadi
 
computer vipin kumar ppt
computer vipin kumar pptcomputer vipin kumar ppt
computer vipin kumar pptvipinkumar940
 

More Related Content

What's hot

A history of computer viruses three special viruses
A history of computer viruses three special virusesA history of computer viruses three special viruses
A history of computer viruses three special virusesUltraUploader
 
Dilsher idrees mustafa_6_a_vulnerabilities_study
Dilsher idrees mustafa_6_a_vulnerabilities_studyDilsher idrees mustafa_6_a_vulnerabilities_study
Dilsher idrees mustafa_6_a_vulnerabilities_studydilsherece
 
Computer Viruses- B S Kalyan Chakravarthy
Computer Viruses- B S Kalyan ChakravarthyComputer Viruses- B S Kalyan Chakravarthy
Computer Viruses- B S Kalyan ChakravarthyDipayan Sarkar
 
A failure to learn from the past
A failure to learn from the pastA failure to learn from the past
A failure to learn from the pastUltraUploader
 
Search Diverse Models for Proactive Software Diversification
Search Diverse Models for Proactive Software DiversificationSearch Diverse Models for Proactive Software Diversification
Search Diverse Models for Proactive Software DiversificationFoCAS Initiative
 
Computer viruses 911 computer support
Computer viruses 911 computer supportComputer viruses 911 computer support
Computer viruses 911 computer supportbozzerapide
 
A history of computer viruses introduction
A history of computer viruses introductionA history of computer viruses introduction
A history of computer viruses introductionUltraUploader
 
14 household ways to protect your computer from viruses
14 household ways to protect your computer from viruses14 household ways to protect your computer from viruses
14 household ways to protect your computer from virusesar-rifke.com
 
Modeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsModeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsIOSR Journals
 
Virus and Anti virus
Virus and Anti virusVirus and Anti virus
Virus and Anti virusFaisal Hassan
 
20111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture0220111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture02Computer Science Club
 
A generic virus scanner in c++
A generic virus scanner in c++A generic virus scanner in c++
A generic virus scanner in c++UltraUploader
 
Automated worm fingerprinting
Automated worm fingerprintingAutomated worm fingerprinting
Automated worm fingerprintingUltraUploader
 
A bit of viral protection is worth a megabyte of cure
A bit of viral protection is worth a megabyte of cureA bit of viral protection is worth a megabyte of cure
A bit of viral protection is worth a megabyte of cureUltraUploader
 
ANTIVIRUS AND VIRUS Powerpoint presentation
ANTIVIRUS AND VIRUS Powerpoint presentationANTIVIRUS AND VIRUS Powerpoint presentation
ANTIVIRUS AND VIRUS Powerpoint presentationabhijit chintamani
 

What's hot (20)

A history of computer viruses three special viruses
A history of computer viruses three special virusesA history of computer viruses three special viruses
A history of computer viruses three special viruses
 
Dilsher idrees mustafa_6_a_vulnerabilities_study
Dilsher idrees mustafa_6_a_vulnerabilities_studyDilsher idrees mustafa_6_a_vulnerabilities_study
Dilsher idrees mustafa_6_a_vulnerabilities_study
 
Computer Viruses- B S Kalyan Chakravarthy
Computer Viruses- B S Kalyan ChakravarthyComputer Viruses- B S Kalyan Chakravarthy
Computer Viruses- B S Kalyan Chakravarthy
 
A failure to learn from the past
A failure to learn from the pastA failure to learn from the past
A failure to learn from the past
 
Codigo Malicioso
Codigo MaliciosoCodigo Malicioso
Codigo Malicioso
 
Search Diverse Models for Proactive Software Diversification
Search Diverse Models for Proactive Software DiversificationSearch Diverse Models for Proactive Software Diversification
Search Diverse Models for Proactive Software Diversification
 
Computer viruses 911 computer support
Computer viruses 911 computer supportComputer viruses 911 computer support
Computer viruses 911 computer support
 
A history of computer viruses introduction
A history of computer viruses introductionA history of computer viruses introduction
A history of computer viruses introduction
 
14 household ways to protect your computer from viruses
14 household ways to protect your computer from viruses14 household ways to protect your computer from viruses
14 household ways to protect your computer from viruses
 
Modeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsModeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning Worms
 
Viruses
VirusesViruses
Viruses
 
Virus
VirusVirus
Virus
 
Virus and Anti virus
Virus and Anti virusVirus and Anti virus
Virus and Anti virus
 
20111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture0220111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture02
 
A generic virus scanner in c++
A generic virus scanner in c++A generic virus scanner in c++
A generic virus scanner in c++
 
Automated worm fingerprinting
Automated worm fingerprintingAutomated worm fingerprinting
Automated worm fingerprinting
 
341 346
341 346341 346
341 346
 
A bit of viral protection is worth a megabyte of cure
A bit of viral protection is worth a megabyte of cureA bit of viral protection is worth a megabyte of cure
A bit of viral protection is worth a megabyte of cure
 
Eh34803812
Eh34803812Eh34803812
Eh34803812
 
ANTIVIRUS AND VIRUS Powerpoint presentation
ANTIVIRUS AND VIRUS Powerpoint presentationANTIVIRUS AND VIRUS Powerpoint presentation
ANTIVIRUS AND VIRUS Powerpoint presentation
 

Similar to Virus vs Anti-Virus

Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & preventionKhaleel Assadi
 
computer vipin kumar ppt
computer vipin kumar pptcomputer vipin kumar ppt
computer vipin kumar pptvipinkumar940
 
Computer Virus
Computer Virus Computer Virus
Computer Virus bebo
 
Computer virus (sarthak)
Computer virus (sarthak)Computer virus (sarthak)
Computer virus (sarthak)manveer gujar
 
Computer viruses
Computer virusesComputer viruses
Computer virusesSimiAttri
 
Computer Virus And Antivirus-Sumon Chakraborty
Computer Virus And Antivirus-Sumon ChakrabortyComputer Virus And Antivirus-Sumon Chakraborty
Computer Virus And Antivirus-Sumon Chakrabortysankhadeep
 
Firewall , Viruses and Antiviruses
Firewall , Viruses and AntivirusesFirewall , Viruses and Antiviruses
Firewall , Viruses and AntivirusesVikas Chandwani
 
Presentation24190
Presentation24190Presentation24190
Presentation24190KRT395
 
Computer viruses and anti viruses
Computer viruses and anti virusesComputer viruses and anti viruses
Computer viruses and anti virusesMohit Jaiswal
 
Virus, Worms And Antivirus
Virus, Worms And AntivirusVirus, Worms And Antivirus
Virus, Worms And AntivirusLokesh Kumar N
 
computer virus Report
computer virus Reportcomputer virus Report
computer virus Reportrawaabdullah
 
Web virus activity
Web virus activityWeb virus activity
Web virus activitySim_Dhillon
 

Similar to Virus vs Anti-Virus (20)

Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & prevention
 
computer vipin kumar ppt
computer vipin kumar pptcomputer vipin kumar ppt
computer vipin kumar ppt
 
Computer Virus
Computer Virus Computer Virus
Computer Virus
 
Computer virus
Computer virusComputer virus
Computer virus
 
Computer virus (sarthak)
Computer virus (sarthak)Computer virus (sarthak)
Computer virus (sarthak)
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Computer Virus And Antivirus-Sumon Chakraborty
Computer Virus And Antivirus-Sumon ChakrabortyComputer Virus And Antivirus-Sumon Chakraborty
Computer Virus And Antivirus-Sumon Chakraborty
 
εργασια
εργασιαεργασια
εργασια
 
Firewall , Viruses and Antiviruses
Firewall , Viruses and AntivirusesFirewall , Viruses and Antiviruses
Firewall , Viruses and Antiviruses
 
Virus and antivirus
Virus and antivirusVirus and antivirus
Virus and antivirus
 
Presentation24190
Presentation24190Presentation24190
Presentation24190
 
Computer viruses and anti viruses
Computer viruses and anti virusesComputer viruses and anti viruses
Computer viruses and anti viruses
 
Cybercrime: Virus and Defense
Cybercrime: Virus and DefenseCybercrime: Virus and Defense
Cybercrime: Virus and Defense
 
Computer Virus
Computer VirusComputer Virus
Computer Virus
 
Virus, Worms And Antivirus
Virus, Worms And AntivirusVirus, Worms And Antivirus
Virus, Worms And Antivirus
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Viruses worms
Viruses wormsViruses worms
Viruses worms
 
computer virus Report
computer virus Reportcomputer virus Report
computer virus Report
 
Web virus activity
Web virus activityWeb virus activity
Web virus activity
 
Computer virus
Computer virusComputer virus
Computer virus
 

Recently uploaded

Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一3sw2qly1
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 

Recently uploaded (20)

Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 

Virus vs Anti-Virus

  • 1. Virus vs Anti-Virus: The Arms Race Samar Ahmad Khan # samarahmad5233@gmail.com
  • 3. Viruses  A virus is “a program that can ‘infect other programs by modifying them to include a possibly evolved copy of itself.” - Fred Cohen  Fred Cohen seems to have been the first to define the term virus, but the concept had been discussed earlier and there were some viruses out in the wild before he began his research.  Link to virus history
  • 4. Example of a virus  In his 1984 Turing award acceptance speech to the ACM, Ken Thompson related the story of how he modified the C compiler to insert a backdoor into the UNIX login program and to insert his modifications into any C compiler compiled using his modified compiler.  Slick—no trace of the backdoor remains in any source code!
  • 5. Viruses example  The WM.Nuclear Microsoft Word macro virus infects Word documents during opening, saving, and printing by adding a set of macros to them. On April 5th it attempts to overwrite critical system files, and it occaisonally adds the text "STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!" to the current document. (Information from Symantec’s security bulletin.)
  • 6. Worms are not viruses  The VBS.SST@mm “Anna Kournikova” malware is a worm, not a virus, because it e- mails copies of itself but does not infect any other documents. (Information about VBS.SST@mm from Symantec’s security bulletin.)
  • 7. Malware terminology  We found a web site listing 56 different terms related to viruses and malware, including:  backdoor  boot sector viruses  Encrypted virus  Hoax  Micro virus  …
  • 8. Virus statistics  Here are some statistics from 2000 we found on the web:  Over 85% of all the known viruses are for Microsoft platforms (nearly all the self-propagating worms are as well)  Slightly less than 52,000 are viruses for DOS/Windows/NT platforms - about 6000 of these are Word macro viruses - about 150-200 of these are known to be widespread "in the wild" - in 1999, approximately 650 new viruses were reported each month (more than 20 a day)
  • 9. Virus statistics  More statistics from the same site  A few hundred are for Javascript, Hypercard, Perl, and other scripting languages. Few of these can spread beyond a few machines without active support of the users  150 are for the Atari  31 are native to the Macintosh, and only two of them are known to exist anymore  2 or 3 are viruses native to OS/2
  • 10. Virus statistics (cont’d)  More statistics from the same site  About 5 are for Linux/Unix/etc, but none have been found in quantity "in the wild", nor would they be likely to spread very far if they were "loose"  None are for BeOS, ErOS, or other small- population systems.  Question: can we reduce the risk of getting a virus infection by not using Microsoft products?
  • 11. Example virus  Fred Cohen’s example virus: program virus := { 1234567; subroutine infect-executable := { loop:file = get-random-executable-file; if first-line-of-file = 1234567 then goto loop; prepend virus to file; } subroutine do-damage := { whatever damage is to be done } subroutine trigger-pulled := { return true if some condition holds } main-program := { infect-executable; if trigger-pulled then do-damage; goto next;} next: }
  • 12. More about viruses  Viruses aren’t necessarily hard to write  Cohen reports that his first virus took only 8 hours for an experienced programmer to write.  Viruses aren’t necessarily big  Cohen reports on a UNIX shell script virus that was only 7 lines long
  • 13. Viruses aren’t necessarily malware  Cohen describes a hypothetical virus that compresses executables to conserve disk space.
  • 14. Viruses can be malicious in many ways  Virus payloads could:  Carry out a denial of service attack  Crash the machine  Randomly destroy data  Install a trojan horse program  Perform password cracking  … and basically any other nasty thing you can think of.
  • 15. Making matters worse…  Virus payloads may not trigger immediately. If a virus has few detectable side effects, it could spread without notice and become widespread before the payload is triggered.  Question: is it possible that there are viruses in the wild today that have infected large numbers of systems but have gone unnoticed because they have few if any side effects and have not yet triggered their destructive payloads?
  • 16. Isolation  One way to protect against infection is to isolate systems, users, and/or information to make it difficult or impossible for a virus to spread widely.  Total isolation is a sure cure.  Total isolation probably isn't practical for most users…  Imagine life without google … without BitTorrent … without Amazon.com …
  • 17. Partitioning  If we can’t isolate systems and users from each other completely, maybe we can erect partitions to limit the spread of malware.  It was thought that the Bell-LaPadula model might help limit the spread of viruses, but Cohen reports that “viruses demonstrated the ability to cross users boundaries and move from a given security level to a higher security level.”
  • 18. Partitioning (continued)  According to Cohen, the Biba and Bell- LaPadula models, if combined, would tend to create partitions.  Unfortunately: “When we mix the Biba and Bell- LaPadula models, we find that the resulting isolationism secures us from viruses, but doesn’t permit any user to write programs that can be used throughout the system.” – Cohen
  • 19. Bad news about partitioning  Transitivity is a problem:  “If there is a path from user A to user B, and there is a path from user B to user C, then there is a path from user A to user C with the witting or unwitting cooperation of user B.” – Cohen  The military uses a category system in which users can only access information needed for their current duties. But, some users have simultaneous access to multiple categories…
  • 20. More bad news…  According to Cohen “a precise system for integrity is NP-complete” and “any non-NP complete solution must tend toward isolationism.”  If a system restricts user’s actions unnecessarily, it will be unpopular…
  • 21. And the hits just keep on coming…  Cohen notes that flow distance and flow list models may limit virus spread.  Flow distance restrictions limit how far information can travel.  Flow lists allow more arbitrary expressions for accessibility based on the list of users who have had an effect on an object.  BUT: “tracing exact information flow requires NP- complete time, and maintaining markings requires large amounts of space.”
  • 22. Prevention by law  Couldn’t we just make it against the law? “By simply telling users not to launch attacks, little is accomplished; users who can be trusted will not launch attacks; but users who would do damage cannot be trusted, so only legitimate work is blocked.” - Cohen
  • 23. Limited interpretation  If a given document is interpreted, and the interpreter lacks commands like “write file,” it may be impossible for it to have a virus  Graphics files are probably immune  Except AnnaKournikova.jpg.vbs   Documents that can hold scripts probably aren’t  Word documents can contain macro viruses such as WM.Nuclear
  • 24. Detection  If we can’t limit the spread of a virus, maybe we can find it and quarantine infected files…  Unfortunately, no general algorithm for detecting virus behavior is possible.  Cohen argues this by proposing a virus that infects only when the detection algorithm thinks it isn’t a virus.  Anti-virus programs must make do with more limited solutions, such as scanning for a virus signature.
  • 25. Virus detection problems  According to Cohen, the following are undecidable:  Detection of a virus by its appearance  Detection of a virus by its behavior  Detection of an evolution of a known virus  Detection of a triggering mechanism by its appearance  Detection of a triggering mechanism by its behavior  Detection of an evolution of a known triggering mechanism  Detection of a virus detector by its appearance  Detection of a virus detector by its behavior  Detection of an evolution of a known viral detector
  • 26. Detection by signature  Rather than implement a general solution, virus scanners look for virus signatures.  These signatures could be as small as a few bytes or as large as the entire virus code.  If a virus scanner uses the whole virus code as a signature, it may not be able to find simple variants of a virus.  However, if a virus uses a very small signature, it may incorrectly infections that aren’t there.
  • 27. Updated signatures  Anti-virus companies must release new signatures each time a new virus is discovered  A virus’s spread is unimpeded for a while…  According to Andreas Marx of AV-Test.org, it took Symantec 25h 5m to release an updated signature file in response to the W32/Sober.C worm attack.
  • 28. The arms race  In order to make it hard for virus scanners to detect their vurises, virus writers can add morphing behavior to their creations:  “A polymorphic virus ‘morphs’ itself in order to evade detection. … Metamorphic viruses attempt to evade heuristic detection techniques by using more complex obfuscations.” – Christodorescu and Jha
  • 29. More bad news…  Cohen argues that no general solution for proving the equivalence of two programs is possible.  His argument follows the same form as his argument against a general algorithm for virus detection: he proposes a virus in which two different infection instances will behave differently when a watching antivirus program believes they are the same.
  • 30. Morphing  A virus may morph itself by:  Encrypting part of itself using a different key for each infection  Changing variable names (in a script virus)  Binary obfuscation techniques (more on this later)  Polymorphic virus examples:  Chameleon -- first polymorphic virus, 90’s  A partial list of the viruses that can be called 100 percent polymorphic (late 1993): Bootache, CivilWar (four versions), Crusher, Dudley, Fly, Freddy, Ginger, Grog, Haifa, Moctezuma (two versions), MVF, Necros, Nukehard, PcFly (three versions), Predator, Satanbug, Sandra, Shoker, Todor, Tremor, Trigger, Uruguay (eight versions). – at link Virus-Scan-Software
  • 31. Arming the virus writers  If virus author knew what the anti-virus programs look for, he or she could design a virus that they wouldn’t find…  Example: in the early 90s there were a few MS-DOS 'stealth' viruses that could interrupt a virus-scanning program's attempt to read the boot record and show it a clean versions rather than what was really there.  See Symantec’s description of the Stealth_boot virus.  "Frodo.4096" virus, first Stealth virus  “Beast.512" Stealth virus, less than a year after Frodo.4096  More on this at Virus-Scan-Software
  • 32. Extracting signatures  Christodorescu and Jha report on a technique for extracting the signature used by a given antivirus program.  Basically they obfuscate parts of the program and determine what has to remain unobfuscated for the antivirus program to find the virus.  FYI there is a typo in the paper: the conditions on the loop in the SignatureExtraction function cause it to never execute…  They say it “was successful in many cases.”
  • 33. Binary obfuscation techniques  The goal of binary obfuscation is to make it difficult to obtain an assembly-language description of a program from its raw bytes  You need to turn raw bytes back into assembly code before you can decompile  You can obfuscate by:  Garbage insertion (more in a minute)  Variable renaming  Code reordering  Encapsulating/encrypting code or data  …
  • 34. x86 binary obfuscation  If you create unused regions in the executable and fill them with garbage bytes, the variable-length nature of the x86 instruction set can cause disassemblers to think that the legitimate instructions following the garbage are in fact operands.  You can use a conditional branch instruction to do an unconditional jump—disassemblers assume no garbage bytes at the target address or following the branch instruction.
  • 35. Better obfuscation  Linn and Debray describe obfuscation using a branch function  This function in turn branches to another target depending on where it is called from.  This makes determining which parts of the program are real by following the branch instructions difficult.  The function can return to an instruction one or more bytes after the usual return point, opening up a region to insert more garbage bytes into.
  • 36. Advances in disassembly  Kruegel, Robertson, Valeur and Vigna describe a disassembler that is able to correctly disassemble most instructions from a program obfuscated by the obfuscator Linn and Debray describe.
  • 37. Dissasembly in detail  Static analysis techniques  Linear sweep  GNU's objdump uses linear sweep  Gets confused by garbage bytes in unreachable areas  Recursive traversal following control flow  Drawback: indirect jumps  Doesn’t always “see” the whole binary  Speculative disassembly  Hybrid approach
  • 38. Now for some good news  “This arms race is usually in favor of the de- obfuscator. The obfuscator has to devise techniques that transform the program without seriously impacting the run-time performance or increasing the binary's size or memory footprint while there are no such constraints for the de-obfuscator.” - Kruegel et al
  • 39. AV tool resistance to obfuscation  Christodorescu and Jha claim “the state of the art for malware detectors is dismal!”  They propose a testing technique and then use it to show that the tested virus scanners were not generally able to identify the sampled viruses when they were obfuscated by code reordering or encapsulation.
  • 40. AV tool resistance to obfuscation (cont’d)  This doesn’t mean that these products aren’t capable of detecting morphing viruses—the viruses in the sample set did not perform these morphs in the wild.  This does mean that in order to protect against a new virus that is just a simple modification of one of these existing viruses the AV companies would have to release a new signature file.
  • 41. Known clean system  Some virus detection techniques require you to start from a clean system.  DOS users used clean boot disks to defeat stealth viruses…  But is it always possible to get to a known clean state?  What if every UNIX vendor had been infected with Ken Thompson’s C compiler virus? Even their “clean” distribution media would be infected…
  • 42. Discussion  Obfuscation vs deobfuscation, who can win?
  • 43. Discussion (cont’d)  Anti-virus can win in the future?