Malware and Anti-Malware Seminar by Benny Czarny

Jan 28, 2015

OPSWAT

Benny Czarny presented an introduction to malware and anti-malware to computer science students at San Francisco State University. The presentation introduced the concept of malware, types of malware, and methods for detecting malware. Benny provided examples of historical malware and illustrations of the difficulties that security vendors face in detecting threats.
Transcript
Page 1: Malware and Anti-Malware Seminar by Benny Czarny

Malware and Anti-malware

Benny Czarny, CEO and Founder, [email protected]

23 October 2013

Page 2

Agenda

Malware

What is malware?

Why do malware writers write malware?

Malware infection methods

Challenges detecting malware

Malware detection techniques

Real life examples of malware detection systems

Current trends in the industry

Page 3

What is malware

What is the origin of the name "malware"? Malicious software.

What is the definition of malware? Software that is intended to damage or disable computers and computer systems.

Any kind of unwanted software that is installed without your adequate consent. Viruses, worms, and Trojan horses are examples of malicious software that are often grouped together and referred to as malware.

Page 4

What is malware: Many types of malware

Worm

Trojan horse/Trojan

Virus

Rogues / Scareware

Ransomware

Others

Page 5

What is malware: Worms

Activity: make copies of themselves again and again on:

local drive

network shares

USB drives

Purpose: reproduce

(*) Does not need to attach itself to an existing program

Page 6

What is malware: ILOVEYOU worm (2000)

Opening the attachment activated the Visual Basic script. The worm did damage on the local machine, overwriting image and script files, and sent a copy of itself to every address in the Windows Address Book.

Page 8

What is malware: Trojan horse

Page 9

What is malware: Trojan

Activity:

Appears to perform a desirable function but instead drops a malicious payload, often including a backdoor allowing unauthorized access

Purpose:

Gains privileged access to the operating system

(*) Does not need to attach itself to an existing program.

Page 10

What is malware: Trojan examples

Install a game: NetBus -> backdoor

Redirect to bogus web sites

Install a browser plugin: Flashback

Page 11

What is malware: Virus

Activity:

When executed, usually by a human, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected."

Purpose:

Replicate

Harm computers

Page 12

What is malware: Rogue antivirus / scareware

Appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions.

Page 13

What is malware: Ransomware

Restricts access to the computer system that it infects

Encrypts files / locks the system

Displays messages intended to coax the user into paying

Demands a ransom in order for the restriction to be removed

Page 14

What is malware: Ransomware

Page 15

What is malware: Quantity of malware

Page 16

What is malware: Growth in quantity of known malware

Page 17

Why do malware writers write malware? What are the motives of malware writers?

Economic

Personal

Political / cyber weapons

Others

Page 18

Why do malware writers write malware? Economic

Stealing sensitive information which is then sold on the black market

Ransomware

Industrial espionage

Selling bots

Taking down networks

Hosting phishing attacks

Sending spam

Others

Page 19

Why do malware writers write malware? Economic

Page 20

Why do malware writers write malware? Personal

Revenge

Vandalism

Experimental / research

Hobby / art

Page 21

Why do malware writers write malware? Political / cyber weapons

Sabotage: infrastructure, service availability

Spy tools: domestic, foreign

Political messages

Page 22

Malware propagation methods: Samples

Exploiting unpatched vulnerabilities in older versions of popular software such as Adobe products, Java, Windows

Torrent, peer-to-peer (P2P) and file sharing programs

Emails

USB Flash drive

Rogue security programs

Others

Page 23

Malware propagation methods: Sample USB virus

autorun.inf:

[autorun]
; run file.bat when the drive is inserted (AutoRun)
open=file.bat
; add a context-menu verb labelled "Open" that also runs file.bat
shell\option1=Open
shell\option1\command=file.bat

file.bat:

@echo off
rem copy the pair onto the local drive and the removable drive
copy autorun.inf C:\ > NUL
copy file.bat C:\ > NUL
copy autorun.inf D:\ > NUL
copy file.bat D:\ > NUL
rem open the drive in Explorer so the user sees what they expected
explorer .
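The defensive counterpart to the sample above is a scanner that reads autorun.inf from a mounted drive and reports every entry that would launch code, plus the context-menu trick the sample uses (a verb relabelled "Open" so that double-clicking the drive runs the payload). The Python below is an added example written for this page, not code from the talk or from OPSWAT; the two autorun.inf strings are constructed samples, the first reproducing the slide, and the list of executable extensions is an assumption. Note that since Microsoft's February 2011 AutoRun update Windows ignores autorun.inf on USB drives (it is still honored on CD/DVD media), so on a patched system this sample depends on the user running file.bat themselves.

```python
import os
import re

# The autorun.inf from the slide, reproduced here as a constructed sample string.
SAMPLE_AUTORUN = r"""[autorun]
open=file.bat
shell\option1=Open
shell\option1\command=file.bat
"""

# A benign autorun.inf of the kind shipped on installer CDs (constructed).
BENIGN_AUTORUN = r"""[autorun]
icon=setup.exe,0
label=Product Installer
"""

# Extensions the shell executes directly when named in an AutoRun entry (assumed list).
LAUNCH_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                     ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}


def parse_autorun(text):
    """Minimal INI parser for autorun.inf: {section: {key: value}} with section and key
    names lowercased; blank lines and ';' comments are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launched_commands(autorun):
    """(key, command) for every entry that makes the shell start a program:
    open=, shellexecute=, and shell\\<verb>\\command=."""
    return [(k, v) for k, v in autorun.items()
            if k in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", k)]


def analyze_autorun(text):
    """Findings for an autorun.inf: entries that launch executable content, and
    context-menu verbs relabelled 'Open' so that a double-click on the drive runs them."""
    autorun = parse_autorun(text).get("autorun", {})
    findings = []
    for key, cmd in launched_commands(autorun):
        parts = cmd.replace('"', "").split()
        target = parts[0] if parts else cmd
        ext = os.path.splitext(target)[1].lower()
        if ext in LAUNCH_EXTENSIONS:
            findings.append(f"{key}={cmd} launches executable content ({ext})")
    for key, label in autorun.items():
        verb = re.fullmatch(r"shell\\([^\\]+)", key)
        if not verb:
            continue
        command_key = key + "\\command"
        if label.lstrip("&").lower() == "open" and command_key in autorun:
            findings.append(f"verb '{verb.group(1)}' is labelled Open and bound to "
                            f"{autorun[command_key]}")
    return findings


if __name__ == "__main__":
    for name, text in (("slide sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, analyze_autorun(text) or ["nothing flagged"])
```

The scanner reports rather than blocks: an installer CD legitimately uses open=setup.exe, so the policy decision (removable media only, or any media) belongs to the caller.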

Page 24

Malware propagation methods

Appending Virus

Prepending Virus

Cavity Virus

Compressing Virus

Packers

Page 25

Malware propagation methods: Appending

A virus that inserts a copy of its malicious code at the end of the file. The goal of an appending virus is not to harm the host program, but to modify it to hold the virus code and then be able to run itself.

(Diagram: host file data, virus code appended at the end, and a new header whose entry point jumps to the virus code)

Page 26

Malware propagation methods: Prepending

A virus that inserts a copy of its malicious code at the beginning of the file, so that the virus runs first and then passes control to the original host code.

(Diagram: new header, virus code at the start, then the host file data)

Page 27

Malware propagation methods: Cavity

Copies itself into one of the cavities (unused, typically zero-filled gaps such as section padding) present in the executable. It modifies the header so that control jumps to its location, and once the virus code has finished, control is passed back to the host. Because nothing is appended, the file size does not change.

(Diagram: host file data with the virus code placed inside an existing cavity, and a new header)

Page 28

Malware propagation methods: Compressing

Compresses the host program and attaches itself. It copies itself to the start of the data segment and includes a decompression routine that decompresses the host program and executes it.

(Diagram: new header, virus code plus decompressor, followed by the compressed host file data)

Page 29

Malware propagation methods: Packer functionality

Compress

Encrypt

Randomize (polymorphism)

Anti-debug techniques (fake jmp)

Add junk

Anti-VM

(Diagram: malware-infected host executable = packer stub + payload)

Page 30

Challenges in detecting malware

Fred Cohen (1984): it is not possible to build a perfect malware detector
http://web.eecs.umich.edu/~aprakash/eecs588/handouts/cohen-viruses.html

Diagonal argument: let P be a perfect detection program and V a virus that can call P on itself.

if P(V) = true -> halt (V does not spread, so P was wrong)

if P(V) = false -> spread (V is a virus, so P was wrong)

Either way P misclassifies V, so no such P exists.

Page 31

Challenges detecting malware: Known vs. unknown malware

Known malware: in the wild; malware exchange programs (e.g. Metascan Online, AMTSO real-time threat list)

Unknown malware: targeted attacks, outbreaks

Page 32

Malware detection techniques: Static vs. Dynamic

Static: inspect the code before it is executed

Dynamic: inspect the execution of the code

Page 33

Malware detection techniques: Static code analysis

PE headers

Digital signatures

Text searches (strings)

Hash checks

Dependency checks (imported libraries)

Check for packers

Heuristic checks
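The file-infection layouts on pages 25 to 29 leave fingerprints in the PE headers that the static checks listed here look for: an entry point redirected into the last section (appending), a section that is both writable and executable, a high-entropy entry section (packed or encrypted code), and data hanging off the end of the last section. The Python below is an added example for this page, not code from the talk, from OPSWAT or from any scanner; it parses the PE headers itself with `struct` rather than a third-party library, and the two PE images it checks are constructed in-memory with the included `build_pe()` helper (they are not runnable binaries, only header layouts). The entropy threshold of 7.0 bits per byte is an assumed value.

```python
import math
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
HIGH_ENTROPY = 7.0           # assumed threshold (bits per byte)
HOST_CODE = b"\x55\x89\xe5\x31\xc0\x5d\xc3"   # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret


def build_pe(sections, entry_rva, overlay=b""):
    """Assemble a minimal PE32 image from (name, characteristics, raw_bytes) tuples.
    Constructed test input: no imports, so it cannot run, but the DOS stub, NT headers and
    section table are laid out the way a linker (or an infector) lays them out."""
    nsec = len(sections)
    headers_size = -(-(64 + 4 + 20 + 224 + 40 * nsec) // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, SECT_ALIGN, FILE_ALIGN)
    table, body, raw_ptr, va = bytearray(), bytearray(), headers_size, SECT_ALIGN
    for name, chars, raw in sections:
        raw_size = -(-len(raw) // FILE_ALIGN) * FILE_ALIGN
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-max(len(raw), 1) // SECT_ALIGN) * SECT_ALIGN
    struct.pack_into("<II", opt, 56, va, headers_size)             # SizeOfImage, SizeOfHeaders
    header = (dos + b"PE\0\0" + file_hdr + opt + table).ljust(headers_size, b"\0")
    return bytes(header + body + overlay)


def parse_pe(data):
    """Return (entry_rva, [section dicts]) read from the headers; raises on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize, "chars": chars})
    return entry, sections


def shannon_entropy(buf):
    """Bits per byte; 8.0 means every byte value is equally frequent (encrypted/compressed)."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_traits(data):
    """Header heuristics for the infection layouts on pages 25-29; empty list means clean."""
    entry, secs = parse_pe(data)
    findings = []
    ep = next((s for s in secs if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if ep is None:
        return ["entry point outside all sections"]
    if len(secs) > 1 and ep is secs[-1]:
        findings.append(f"entry point in last section {ep['name']} (appended code)")
    if ep["chars"] & IMAGE_SCN_MEM_WRITE and ep["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {ep['name']} is writable and executable")
    content = data[ep["raw_ptr"]:ep["raw_ptr"] + ep["raw_size"]][:ep["vsize"]]
    h = shannon_entropy(content)
    if h > HIGH_ENTROPY:
        findings.append(f"entry section {ep['name']} entropy {h:.2f} (packed/encrypted)")
    end = max(s["raw_ptr"] + s["raw_size"] for s in secs)
    if len(data) > end:
        findings.append(f"{len(data) - end} overlay bytes after last section")
    return findings


def sample_clean():
    """Constructed host: code in .text, data in .data, entry point in .text."""
    return build_pe([(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, HOST_CODE),
                     (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"hello\0")],
                    entry_rva=SECT_ALIGN)


def sample_infected():
    """Same host after an appending-style infection (constructed): a writable+executable
    section added at the end, entry point redirected into it, its bytes balanced so every
    value occurs twice (entropy exactly 8.0), and 16 trailing overlay bytes."""
    stub = bytes((i * 97 + 13) % 256 for i in range(512))
    rwx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    return build_pe([(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, HOST_CODE),
                     (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"hello\0"),
                     (".vir", rwx, stub)],
                    entry_rva=3 * SECT_ALIGN, overlay=b"\0" * 16)


if __name__ == "__main__":
    print("clean:", suspicious_traits(sample_clean()))
    print("infected:", suspicious_traits(sample_infected()))
```

Each finding is a heuristic, not a verdict: legitimate packers such as UPX also put the entry point in a high-entropy late section, which is exactly why the slide lists "check for packers" as its own step before the heuristics are weighed.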

Page 34

Malware detection techniques: Challenges of static code analysis

Many signatures: quality assurance of 100M signatures, big data, performance (scan in a timely manner)

Many signature updates: building a scalable update mechanism

Easy to obfuscate the code

Page 35

Malware detection techniques: Challenges of static code analysis

Page 36

Malware detection techniques: Dynamic code analysis

Execute on: target host, virtual machine, physical machine, custom hardware

Monitor the behavior of the host: from inside the host, from outside the host

Page 37

Malware detection techniques: Dynamic code analysis

Monitor:

Processes

Files

Registry key changes

System scheduling

Services / daemons

Network traffic (type, destination)

Page 38

Malware detection techniques: Challenges of dynamic code analysis

Anti-virtualization techniques

Sleep / loops to outlast the analysis time window

Randomization

Polymorphism

Consuming resources

Page 39

Real life examples of malware detection systems

Malware detection for new outbreaks (chart; source: Metascan Online)

Page 40

Real life examples of malware detection systems

Malware detection for new outbreaks (chart; source: Metascan Online)

Page 41

Real life examples of malware detection systems: Static vs. Dynamic

Tested 30 known malware files (disguised as documents or embedded within documents). Per file, the fewest engines that detected it was 10 (out of 43) and the most was 30 (out of 43).

Page 42

Real life examples of malware detection systems: Static vs. Dynamic

Same 30 files. Per engine, the fewest of the 30 threats detected was 3 and the most was 23.

Page 43

Real life examples of malware detection systems: Measuring detection coverage

(Chart: protection level of sandboxing, X1%, versus multi-scanning, X2%, against a 100% baseline)
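The numbers on pages 41 and 42 are two views of one engine-by-sample detection matrix (column sums give "engines per file", row sums give "files per engine"), and the coverage on this slide is the union of the rows. The Python below is an added example for this page, not code or data from the talk or from Metascan Online: it computes those three quantities from a small constructed matrix (six engines, eight samples, chosen so the arithmetic can be checked by hand) and also picks a minimal engine set greedily, which is the question a multi-scanning deployment actually has to answer.

```python
# Constructed detection matrix, not the slide's data: one character per sample,
# '1' if that engine flagged the sample. Six engines, eight samples.
DETECTIONS = {
    "A": "11110000",
    "B": "11001100",
    "C": "10101010",
    "D": "01110001",
    "E": "00000011",
    "F": "11000000",
}


def _n_samples(matrix):
    return len(next(iter(matrix.values())))


def per_sample_counts(matrix):
    """How many engines flagged each sample (the 'N out of 43' figures on page 41)."""
    return [sum(row[j] == "1" for row in matrix.values()) for j in range(_n_samples(matrix))]


def per_engine_counts(matrix):
    """How many of the samples each engine caught (the figures on page 42)."""
    return {name: row.count("1") for name, row in matrix.items()}


def union_coverage(matrix, engines=None):
    """Fraction of samples flagged by at least one of the chosen engines (multi-scanning)."""
    engines = list(matrix) if engines is None else engines
    n = _n_samples(matrix)
    covered = {j for e in engines for j in range(n) if matrix[e][j] == "1"}
    return len(covered) / n


def greedy_engine_set(matrix, target=1.0):
    """Choose engines one at a time, each adding the most still-uncovered samples, until
    coverage reaches target or no engine adds anything (greedy set cover)."""
    n = _n_samples(matrix)
    uncovered, chosen = set(range(n)), []
    while uncovered and 1 - len(uncovered) / n < target:
        best = max(matrix, key=lambda e: sum(matrix[e][j] == "1" for j in uncovered))
        gain = {j for j in uncovered if matrix[best][j] == "1"}
        if not gain:
            break
        chosen.append(best)
        uncovered -= gain
    return chosen


if __name__ == "__main__":
    counts = per_sample_counts(DETECTIONS)
    print("engines per sample:", counts, "min", min(counts), "max", max(counts))
    print("samples per engine:", per_engine_counts(DETECTIONS))
    best = max(per_engine_counts(DETECTIONS).values()) / _n_samples(DETECTIONS)
    print(f"best single engine {best:.0%}, all engines {union_coverage(DETECTIONS):.0%}")
    print("greedy set for full coverage:", greedy_engine_set(DETECTIONS))
```

On this constructed matrix the best single engine catches 50% and the union of all six catches 100%, but three engines already suffice; the gap between "best engine" and "union" is the multi-scanning argument the slide makes, and the greedy set is what bounds its cost.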

Page 44

Current trends in the industry

Secure transactions to cloud applications

Mobile security and BYOD

Cloud malware scanning

Big data performance

Sandboxing, cloud sandboxes

Protecting digital wallets