2/27/2023 Eng. Ammar Mahmood 1
Antivirus Software
By: Eng. Ammar J.Mahmood
Supervised by: Dr. Lo’ai Tawalbeh
New York Institute of Technology (NYIT), Jordan campus
Introduction
- Antivirus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware).
- Malware, or malicious software, is software designed to infiltrate or damage a computer system without the owner's informed consent.
- Types of malware include spyware, adware, Trojan horses, worms, and viruses.
Malware
“Know your enemy”
The Virus
- A computer virus is a self-replicating computer program written to alter the way a computer operates, without the permission or knowledge of the user.
- Why do people create computer viruses?
  - Some virus writers consider their creations to be works of art, and see virus writing as a creative hobby.
  - Viruses have been written as research projects, as pranks, as vandalism, or to attack the products of specific companies.
The Virus
- Why do people create computer viruses? (continued)
  - Some viruses were intended as "good viruses": they spread improvements to the programs they infect, or delete other viruses. Such viruses are quite rare; they still consume system resources, and they may accidentally damage the systems they infect.
The Virus
- Viruses can be subdivided into a number of types, the main ones being:
  - Boot sector viruses:
    - alter or hide in the boot sector, usually the first sector, of a bootable disk or hard drive.
    - The boot sector contains code for bootstrapping programs (usually, but not necessarily, an operating system).
    - Boot sector infector viruses replace the bootstrap code in the boot sectors (of floppy disks, hard disks, or both) with viral code.
    - The BIOS on IBM PC compatible machines does not know whether a disk has in fact been high-level formatted and had an operating system installed on it; it loads and runs the boot sector regardless.
    - This results in a security vulnerability: a user who sees the resulting error message may not be aware that the code in the boot sector of the disk has already been run by that point, and that, if the disk was infected by a boot-sector virus, the virus has already executed.
The Virus
- Companion viruses: create new files (typically .COM, but other extensions such as ".EXD" can also be used) that have the same file names as legitimate .EXE files. When a user types the name of a desired program without specifying a file extension, DOS assumes the file with the extension that comes first in alphabetical order was meant, and so runs the virus instead.
- Email viruses: a virus that uses e-mail messages as a mode of transport. These viruses often copy themselves by automatically mailing copies to hundreds of people in the victim's address book.
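A defender-side check for the companion technique described above, added here as an example and not part of the original slides: it lists a directory, groups file names by stem, and reports stems that exist under more than one executable extension. The directory contents, file names and the extension set are constructed for the example.

```python
import os
import tempfile
from collections import defaultdict

# Extensions DOS resolves when a bare program name is typed; a companion
# virus relies on its file being picked up instead of the real .EXE.
EXECUTABLE_EXTS = {".com", ".exe", ".bat"}


def find_companions(directory):
    """Return {stem: sorted executable extensions} for every file name stem
    that exists with more than one executable extension in `directory`."""
    by_stem = defaultdict(set)
    for name in os.listdir(directory):
        stem, ext = os.path.splitext(name)
        if ext.lower() in EXECUTABLE_EXTS:
            by_stem[stem.lower()].add(ext.lower())
    return {stem: sorted(exts) for stem, exts in by_stem.items() if len(exts) > 1}


def build_sample_dir():
    """Constructed directory: two normal programs, a text file, and a .COM
    twin of EDIT.EXE of the kind a companion virus would drop."""
    directory = tempfile.mkdtemp()
    for name, body in (("EDIT.EXE", b"MZ legit program"),
                       ("EDIT.COM", b"companion body"),
                       ("FORMAT.EXE", b"MZ legit program"),
                       ("README.TXT", b"plain text")):
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(body)
    return directory


if __name__ == "__main__":
    for stem, exts in find_companions(build_sample_dir()).items():
        print(f"possible companion file: {stem} exists as {exts}")
```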
The Virus
- Logic bombs and time bombs: employ code that lies inert until specific conditions (e.g. having infected a certain number of hosts) are met. Satisfying the conditions triggers a certain function (such as printing a message to the user and/or deleting files).
- Macro viruses: often written in the scripting languages of Microsoft programs such as Word and Excel, and spread within Microsoft Office by infecting documents and spreadsheets.
- Cross-site scripting virus: a type of virus that uses cross-site scripting vulnerabilities to replicate.
The Virus
- Methods to avoid detection
  - Avoiding bait files and other undesirable hosts: a virus needs to infect hosts in order to spread further. In some cases it is a bad idea to infect a particular host program. For example, many anti-virus programs perform an integrity check of their own code; infecting such programs will therefore increase the likelihood that the virus is detected.
  - Bait files (or goat files) are files that are specially created by anti-virus software.
  - Anti-virus professionals can use bait files to take a sample of a virus.
  - Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods.
  - Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system.
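The goat-file monitor described in the last bullet, added as an example and not code from the slides: it plants bait files with known content, records their size and SHA-256, and on each check reports files that were appended to, otherwise modified, or deleted. The bait content, file names and temp directory are constructed for the example.

```python
import hashlib
import os
import tempfile

# Constructed bait content: an executable-looking header followed by filler.
# The bytes are placeholders, not any real file format beyond the "MZ" mark.
BAIT_BODY = b"MZ" + b"\x00" * 62 + b"GOAT-FILE-FILLER" * 8


def _digest(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_bait(directory, names=("goat01.exe", "goat02.com")):
    """Write the bait files and return the baseline {path: (size, sha256)}."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(BAIT_BODY)
        baseline[path] = (os.path.getsize(path), _digest(path))
    return baseline


def check_bait(baseline):
    """Compare every bait file with its baseline. Returns a list of
    (path, verdict) with verdict 'deleted', 'appended' or 'modified'."""
    alerts = []
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "deleted"))
            continue
        if _digest(path) == digest:
            continue  # untouched
        # A file that grew while its original bytes stayed intact looks like
        # an appending infector; any other change is a generic modification.
        with open(path, "rb") as fh:
            head = fh.read(size)
        grown = os.path.getsize(path) > size
        alerts.append((path, "appended" if grown and head == BAIT_BODY else "modified"))
    return alerts


def demo():
    """Plant bait, tamper with it the way an infection would show up, and
    return (alerts before tampering, verdicts after tampering)."""
    bait_dir = tempfile.mkdtemp()
    baseline = plant_bait(bait_dir)
    clean = check_bait(baseline)
    with open(os.path.join(bait_dir, "goat01.exe"), "ab") as fh:
        fh.write(b"EXTRA-BYTES")  # constructed: data appended after the bait body
    os.remove(os.path.join(bait_dir, "goat02.com"))
    return clean, [verdict for _, verdict in check_bait(baseline)]


if __name__ == "__main__":
    print(demo())
```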
The Virus
- Stealth and rootkits:
  - A virus can hide itself by intercepting the anti-virus software's request to read the file and passing the request to the virus instead of to the OS.
  - The virus can then return an uninfected version of the file to the anti-virus software, so that the file seems "clean".
  - Modern anti-virus software employs various techniques to counter the stealth mechanisms of viruses.
The Virus
- A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system.
- Rootkit types:
  - Virtualised: these rootkits work by modifying the boot sequence of the machine to load themselves instead of the original operating system. Once loaded into memory, a virtualised rootkit then loads the original operating system as a virtual machine, thereby enabling the rootkit to intercept all hardware calls made by the guest OS.
  - Kernel level: kernel level rootkits add additional code and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system.
The Virus
- Rootkit types (continued)
  - Library level: commonly patch, hook, or replace system calls with versions that hide information about the attacker.
  - Application level: application level rootkits may replace regular application binaries with trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means.
- The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.
  - This is done by shutting down the computer suspected of infection and checking its storage by booting from alternative media (e.g. a rescue CD-ROM or USB flash drive). A non-running rootkit cannot hide its presence, and most established antivirus programs will identify rootkits armed via standard OS calls.
The Virus
- Self-modification:
  - Some viruses employ techniques that make detection by means of signatures difficult or impossible.
  - These viruses modify their code on each infection; that is, each infected file contains a different variant of the virus.
  - Simple self-modifications: some viruses modify themselves only in simple ways. For example, they regularly exchange subroutines in their code for others that perform the same action (for example, 2+2 could be swapped for 1+3). This poses no problem to a somewhat advanced virus scanner.
The Virus
- Encryption with a variable key:
  - A more advanced method is the use of simple encryption to encipher the virus.
  - The virus consists of a small decrypting module and an encrypted copy of the virus code.
  - The virus is encrypted with a different key for each infected file, so the only part of the virus that remains constant is the decrypting module.
  - A virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which makes indirect detection of the virus possible.
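The scanner's side of the variable-key case above, added as an example and not code from the slides: two samples are built from the same constant stub and the same low-entropy body enciphered under different keys, and the scanner shows that a body signature no longer matches while the stub signature still does, with the entropy of the bytes after the stub as the "statistical pattern analysis" hint mentioned later in the slides. The stub bytes, the body text and the key generation are placeholders chosen for the example, not material from any real sample.

```python
import math
import random
from collections import Counter

# Hypothetical signature for the constant decryptor loop (placeholder bytes
# chosen for the example; they do not come from any real sample).
STUB_SIGNATURE = bytes.fromhex("5e31c9b14080360f")
# Stand-in for the virus body: ordinary text, so its entropy is low.
PLAINTEXT_BODY = b"PLACEHOLDER BODY STANDING IN FOR THE VIRUS CODE. " * 5
ENTROPY_THRESHOLD = 6.0  # bits per byte; text sits near 4, ciphertext near 8


def shannon_entropy(data):
    """Bits per byte of `data`: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fresh_key(seed, length):
    """Deterministic stand-in for 'a different key for each infected file'."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_stream(data, key):
    """Repeating-key XOR, used only to build the constructed samples."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_sample(seed):
    """Constant stub followed by the body enciphered under a per-seed key."""
    return STUB_SIGNATURE + xor_stream(PLAINTEXT_BODY, fresh_key(seed, len(PLAINTEXT_BODY)))


def scan(buffer):
    """Scanner view of one buffer: a body signature (first 32 plaintext bytes),
    the stub signature, and the entropy of whatever follows the stub."""
    stub_at = buffer.find(STUB_SIGNATURE)
    body_hit = PLAINTEXT_BODY[:32] in buffer
    tail_entropy = shannon_entropy(buffer[stub_at + len(STUB_SIGNATURE):]) if stub_at >= 0 else 0.0
    return {
        "body_signature_hit": body_hit,
        "stub_found": stub_at >= 0,
        "tail_entropy": round(tail_entropy, 2),
        # stub plus a high-entropy tail is the indirect detection the slide describes
        "suspicious": stub_at >= 0 and tail_entropy >= ENTROPY_THRESHOLD,
    }


if __name__ == "__main__":
    for label, sample in (("unencrypted", STUB_SIGNATURE + PLAINTEXT_BODY),
                          ("key 1", make_sample(1)), ("key 2", make_sample(2))):
        print(label, scan(sample))
```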
The Virus
- Polymorphic code:
  - Polymorphic code was the first technique that posed a serious threat to virus scanners.
  - It works in the same way as encrypted viruses, except that the decryption module is also modified on each infection.
  - To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine) somewhere in its encrypted body.
  - Anti-virus software can detect it by decrypting the virus using an emulator, or by statistical pattern analysis of the encrypted virus body.
The Virus
- Metamorphic code:
  - To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables.
  - A virus does this by translating its own code into a temporary representation, and then back to normal code again.
  - Metamorphic code is more effective than polymorphic code, because most anti-virus software will try to search for known virus code even during the execution of the code.
  - A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of assembly language code, 90% of it part of the metamorphic engine.
The Virus
- Replication strategies
  - In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs.
  - Viruses can be divided into two types on the basis of their behavior when they are executed.
The Virus
- Nonresident viruses:
  - immediately search for other hosts that can be infected, infect these targets, and finally transfer control to the application program they infected.
  - Nonresident viruses can be thought of as consisting of a finder module and a replication module.
  - The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.
The Virus
- Resident viruses
  - Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program.
  - The virus stays active in the background and infects new hosts when those files are accessed by other programs or by the operating system itself.
  - Resident viruses contain a replication module that is similar to the one employed by nonresident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation.
The Virus
- Resident viruses are sometimes subdivided into two categories:
  - Fast infectors: are designed to infect as many files as possible. A fast infector can infect every potential host file that is accessed.
  - This poses a special problem to anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned.
  - The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software.
The Virus
- The second category, slow infectors:
  - are designed to infect hosts infrequently. For instance, some slow infectors only infect files when they are copied.
  - Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably, and will at most infrequently trigger anti-virus software that detects suspicious behavior by programs.
  - The slow infector approach does not seem very successful, however.
The Virus
- Host types:
  - Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux)
  - Volume Boot Records of floppy disks and hard disk partitions
  - The master boot record (MBR) of a hard disk
  - General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms)
  - Application-specific script files (such as Telix scripts)
  - Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database files)
The Worm
- A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network), and it may do so without any user intervention.
- Unlike a virus, it does not need to attach itself to an existing program.
- Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.
The Worm
- Types of computer worms:
  - Email worms: spread via email messages. Typically the worm will arrive as email, where the message body or attachment contains the worm code, but it may also link to code on an external website.
  - Instant messaging worms: spread via instant messaging applications by sending links to infected websites to everyone on the local contact list.
  - IRC worms: chat channels are the main target, and the same infection/spreading method is used as above.
The Worm
- Types of computer worms (continued):
  - File-sharing network worms: the worm copies itself into a shared folder, most likely located on the local machine, under a harmless name. The worm is then ready for download via the P2P network, and spreading of the infected file continues.
  - Internet worms:
    - Those which target low-level TCP/IP ports directly, rather than going via higher-level protocols such as email or IRC.
    - A classic example is "Blaster", which exploited a vulnerability in Microsoft's Remote Procedure Call (RPC) service. An infected machine aggressively scans random computers on both its local network and the public Internet, attempting an exploit against port 135 which, if successful, spreads the worm to that machine.
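A network-side detector for the Blaster-style scanning just described, added as an example and not code from the slides: it reads connection-log lines and flags a source that reaches many distinct hosts on port 135 with mostly failed attempts, which separates a scanning worm from a host that legitimately uses RPC with a few peers. The log format, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed connection log: epoch_seconds source destination dst_port action
SAMPLE_LOG = """\
1060000000 10.0.0.5 10.0.0.7 445 ACCEPT
1060000001 10.0.0.9 192.0.2.10 135 DROP
1060000001 10.0.0.9 198.51.100.4 135 DROP
1060000002 10.0.0.9 203.0.113.77 135 DROP
1060000002 10.0.0.9 10.0.0.3 135 ACCEPT
1060000003 10.0.0.9 192.0.2.200 135 DROP
1060000004 10.0.0.5 10.0.0.8 135 ACCEPT
1060000090 10.0.0.9 198.51.100.9 135 DROP
"""

SCAN_PORT = 135          # the RPC port the slide names
MIN_DISTINCT_DESTS = 4   # fan-out a legitimate RPC client rarely reaches
MIN_FAIL_RATIO = 0.5     # random targets mostly do not answer


def parse_log(text):
    """Turn the log text into (timestamp, src, dst, port, action) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, action = line.split()
        rows.append((int(ts), src, dst, int(port), action))
    return rows


def find_scanners(rows):
    """Return {src: (distinct destinations, failure ratio)} for sources whose
    port-135 traffic looks like worm scanning rather than normal RPC use."""
    stats = defaultdict(lambda: {"dests": set(), "attempts": 0, "failed": 0})
    for _ts, src, dst, port, action in rows:
        if port != SCAN_PORT:
            continue
        entry = stats[src]
        entry["dests"].add(dst)
        entry["attempts"] += 1
        if action == "DROP":
            entry["failed"] += 1
    flagged = {}
    for src, entry in stats.items():
        fan_out = len(entry["dests"])
        fail_ratio = entry["failed"] / entry["attempts"]
        if fan_out >= MIN_DISTINCT_DESTS and fail_ratio >= MIN_FAIL_RATIO:
            flagged[src] = (fan_out, round(fail_ratio, 2))
    return flagged


if __name__ == "__main__":
    for src, (fan_out, ratio) in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {fan_out} distinct port-{SCAN_PORT} targets, {ratio:.0%} failed")
```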
The Worm
- Payloads:
  - Many worms have been created which are only designed to spread, and don't attempt to alter the systems they pass through.
  - A "payload" is code designed to do more than spread the worm: it might delete files on a host system (e.g. the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail.
  - A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a "zombie" under the control of the worm author.
Antivirus SW
Antivirus
- Antivirus software typically uses two different techniques to accomplish its mission:
  - Examining (scanning) files to look for known viruses matching definitions in a virus dictionary.
  - Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.
Antivirus modes
- Anti-virus programs have two basic modes:
  - "Static" file scanning: useful when you have to scan a file or a volume to check whether any of the files are currently infected with malware.
  - Real-time "dynamic" scanning: this is really what is needed to prevent the computer from getting infected in the first place. In this mode, all files that the operating system opens or uses are scanned before they are fully opened.
Approaches
- Dictionary
  - A signature is a characteristic byte pattern that is part of a certain virus or family of viruses.
  - In the virus dictionary approach, when the antivirus software examines a file, it refers to a dictionary of known viruses that the authors of the antivirus software have identified. If a piece of code in the file matches any virus identified in the dictionary, then the antivirus software can take one of the following actions:
    1. attempt to repair the file by removing the virus itself from the file
    2. quarantine the file (such that the file remains inaccessible to other programs and its virus can no longer spread)
    3. delete the infected file
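The dictionary approach with all three response actions, added as an example and not code from the slides: a tiny signature dictionary is matched against files, repair is attempted only when the match is an appending pattern whose host bytes are still intact, and otherwise the file is quarantined (moved and stripped of permissions) or deleted. The signature names, byte patterns, file contents and quarantine layout are constructed for the example and are not real virus signatures.

```python
import os
import shutil
import tempfile

# Constructed dictionary: name -> (signature bytes, how the virus attaches).
# "append" means the virus body sits after the intact host, so truncating at
# the signature offset restores the host; "overwrite" means the host is gone.
SIGNATURES = {
    "Demo.Appender": (b"DEMO-APPENDER-VIRUS-BODY", "append"),
    "Demo.Overwriter": (b"DEMO-OVERWRITER-BODY", "overwrite"),
}


def lookup(data):
    """Return (name, offset) of the earliest dictionary signature in data, or None."""
    hits = [(data.find(sig), name) for name, (sig, _) in SIGNATURES.items() if sig in data]
    if not hits:
        return None
    offset, name = min(hits)
    return name, offset


def repair(path, name, offset):
    """Action 1: remove the virus from the file. Only an appender whose body
    starts at a non-zero offset can be cut off; returns True on success."""
    if SIGNATURES[name][1] != "append" or offset == 0:
        return False
    with open(path, "r+b") as fh:
        fh.truncate(offset)
    return True


def quarantine(path, qdir):
    """Action 2: move the file out of reach and strip every permission bit so
    other programs can neither read nor execute it."""
    os.makedirs(qdir, exist_ok=True)
    dest = os.path.join(qdir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    os.chmod(dest, 0)
    return dest


def handle(path, qdir, fallback="quarantine"):
    """Scan one file; repair when possible, otherwise quarantine or delete
    (action 3) depending on `fallback`. Returns a verdict string."""
    with open(path, "rb") as fh:
        data = fh.read()
    hit = lookup(data)
    if hit is None:
        return "clean"
    name, offset = hit
    if repair(path, name, offset):
        return "repaired:" + name
    if fallback == "delete":
        os.remove(path)
        return "deleted:" + name
    quarantine(path, qdir)
    return "quarantined:" + name


def demo():
    """Run the scanner over three constructed files and report what happened."""
    work = tempfile.mkdtemp()
    qdir = os.path.join(work, "quarantine")
    host = b"MZ" + b"\x90" * 30  # stand-in for a legitimate program
    files = {
        "clean.exe": host,
        "appended.exe": host + b"DEMO-APPENDER-VIRUS-BODY" + b"\xcc" * 16,
        "overwritten.exe": b"DEMO-OVERWRITER-BODY" + b"\xcc" * 16,
    }
    results = {}
    for name, body in files.items():
        path = os.path.join(work, name)
        with open(path, "wb") as fh:
            fh.write(body)
        results[name] = handle(path, qdir)
    with open(os.path.join(work, "appended.exe"), "rb") as fh:
        results["appended_restored"] = fh.read() == host
    results["overwritten_removed"] = not os.path.exists(os.path.join(work, "overwritten.exe"))
    return results


if __name__ == "__main__":
    print(demo())
```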
Approaches
- Dictionary (continued)
  - The virus dictionary approach requires periodic (generally online) downloads of updated virus dictionary entries.
  - As users identify new viruses "in the wild", they can send their infected files to the authors of antivirus software, who then include information about the new viruses in their dictionaries.
  - Dictionary-based antivirus software typically examines files when the computer's operating system creates, opens, closes or e-mails them. In this way it can detect a known virus immediately upon receipt.
Approaches
- Dictionary (continued)
  - A system administrator can typically schedule the antivirus software to examine (scan) all files on the user's hard disk on a regular basis.
  - Although the dictionary approach can effectively contain virus outbreaks in the right circumstances, virus writers have developed techniques to get around it (next slide).
Approaches
- Dictionary
  - Virus technologies for avoiding the dictionary approach are:
    - Metamorphic code
    - Polymorphic code
    - Oligomorphic code: an oligomorphic engine is generally used by a computer virus to generate a decryptor for itself in a way comparable to a simple polymorphic engine.
Approaches
- Dictionary
  - The weaknesses of the previous technologies are:
    - Polymorphism:
      - A small portion of the virus is left unencrypted and used to jump-start the encrypted code. Anti-virus software targets this small unencrypted portion of code.
      - Anti-virus software can also detect it by decrypting the virus using an emulator, or by statistical pattern analysis of the encrypted virus body.
    - Oligomorphism: most oligomorphic viruses aren't able to generate more than just a few hundred different decryptors, so detecting them with simple signatures is still possible.
Approaches
- Suspicious behavior:
  - The suspicious behavior approach doesn't attempt to identify known viruses, but instead monitors the behavior of all programs.
  - If one program tries to write data to an executable program, for example, the antivirus software can flag this suspicious behavior, alert the user and ask what to do.
Approaches
- Suspicious behavior (continued)
  - The suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionary.
  - However, it can also raise a large number of false positives, and users will probably become desensitized to all the warnings.
  - If the user clicks "Accept" on every such warning, then the antivirus software obviously gives no benefit to that user.
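The "program writes to an executable" rule from the suspicious-behavior slides, run over a constructed file-access log, added as an example and not code from the slides. It goes a little beyond the slide text in two ways: an allow-list of known installers keeps the false-positive rate down, and a second rule flags the fast-infector pattern from the resident-virus slides (many executable writes by one process within a short window). The log format, process names, paths and thresholds are invented for the example.

```python
from collections import defaultdict

# Constructed log: seconds pid process_image operation target_path
SAMPLE_EVENTS = """\
100.0 412 explorer.exe READ C:\\Windows\\notepad.exe
100.2 412 explorer.exe WRITE C:\\Users\\a\\Documents\\notes.txt
101.0 900 setup_update.exe WRITE C:\\Program Files\\App\\app.exe
103.5 777 scanner.exe READ C:\\Program Files\\App\\app.exe
103.6 777 scanner.exe READ C:\\Program Files\\App\\helper.dll
104.0 555 game.exe WRITE C:\\Games\\g1.exe
104.1 555 game.exe WRITE C:\\Games\\g2.exe
104.3 555 game.exe WRITE C:\\Games\\g3.exe
104.4 555 game.exe WRITE C:\\Tools\\t1.exe
104.6 555 game.exe WRITE C:\\Tools\\t2.exe
"""

EXECUTABLE_EXTS = (".exe", ".dll", ".com", ".sys")
# Processes expected to write executables (installers, updaters). A real
# product would key this on signed publisher or file hash, not on the name.
ALLOWED_WRITERS = {"setup_update.exe"}
FAST_INFECTOR_WRITES = 3    # this many executable writes ...
FAST_INFECTOR_WINDOW = 2.0  # ... within this many seconds


def parse_events(text):
    """Turn the log text into (timestamp, pid, process, op, path) tuples."""
    events = []
    for line in text.splitlines():
        ts, pid, proc, op, path = line.split(" ", 4)  # paths may contain spaces
        events.append((float(ts), int(pid), proc, op, path))
    return events


def _writes_executable(op, path):
    return op == "WRITE" and path.lower().endswith(EXECUTABLE_EXTS)


def executable_writes(events):
    """Rule 1: any program writing to an executable that is not an allow-listed writer."""
    return [(ts, proc, path) for ts, _pid, proc, op, path in events
            if _writes_executable(op, path) and proc not in ALLOWED_WRITERS]


def fast_infectors(events):
    """Rule 2: a process that writes at least FAST_INFECTOR_WRITES executables
    within FAST_INFECTOR_WINDOW seconds. Returns {(pid, proc): writes in its
    densest window}."""
    per_proc = defaultdict(list)
    for ts, pid, proc, op, path in events:
        if _writes_executable(op, path):
            per_proc[(pid, proc)].append(ts)
    flagged = {}
    for key, stamps in per_proc.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > FAST_INFECTOR_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= FAST_INFECTOR_WRITES:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for ts, proc, path in executable_writes(events):
        print(f"{ts}: {proc} wrote to executable {path}")
    for (pid, proc), count in fast_infectors(events).items():
        print(f"fast-infector pattern: {proc} (pid {pid}) wrote {count} executables in a short window")
```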
Approaches
- Suspicious behavior weakness
  - The fact that much legitimate software behaves like malicious software makes the job of the antivirus harder.
  - Example: there is commercial software with many features such as dynamic code encryption/decryption, code replacement, a metamorphic engine, API export, anti-debug/dump/trace and more. It is used to protect software programs from illegal use (cracking and reverse engineering).
Approaches
- Heuristic analysis:
  - Heuristic scanners try to emulate the beginning of the code of each new executable that the system invokes, before transferring control to that executable.
  - If the program seems to use self-modifying code or otherwise appears to be a virus (if it immediately tries to find other executables, for example), one could assume that a virus has infected the executable.
  - Heuristic scanners have a higher rate of false positives than signature scanners, but they have the significant advantage of being able to detect unknown viruses.
Approaches
- Sandbox:
  - A sandbox is a security mechanism for safely running programs. It is often used to execute untested code, or programs from unverified third parties, suppliers and untrusted users.
  - The sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, software analyzes the sandbox for any changes which might indicate a virus.
  - Because of performance issues, this type of detection normally only takes place during on-demand scans.
Approaches
- Sandbox (continued):
  - This method may also fail, as a virus can be nondeterministic and perform different actions, or no actions at all, when run, so it will be impossible to detect it from a single run.
  - The sandbox typically provides a tightly controlled set of resources for guest programs to run in.
Weaknesses of antivirus SW
- Many security professionals agree that the current approach of defending against malicious software with antivirus is not good enough, but it is the best solution that we have right now.
- Here is a brief summary of the main shortcomings of antivirus software:
Weaknesses of antivirus SW
1. Reactive approach: your antivirus is only as good as your definition files. If you do not update them, the antivirus program will not be able to detect new malware. The most critical problems for antivirus software in detecting malicious code are:
   - new or modified malicious code
   - rootkit programs
   - software misuse
2. Inability to protect themselves: with sufficient system permissions, malware can change antivirus settings and configuration.
Weaknesses of antivirus SW
3. Inability to revert the results of the malware infection process.
   - Too often, the "installation process" of malware includes copying files, changing the registry and system configuration files, and changing the configuration of other software. Some of these changes are still present in the infected system even after an antivirus program deletes or disinfects the malware files.
   - For almost every severe virus/worm, antivirus vendors issue a "Removal Tool".
   - This means that the antivirus vendors are saying to their customers: "our antivirus isn't good enough to clean your system, please use this tool".
Retro Viruses
- Retro viruses are viruses that attack security programs.
- "Attack is the best defense strategy"
- Instead of hiding from detection by security software, the malware targets that software as (part of) its malicious action.
- The next slides discuss some of the techniques used by retro viruses.
The Black Antivirus
- A (white) antivirus is used for good purposes, while a black antivirus is the same antivirus, but used for "bad" purposes.
- An unexpected problem:
  - The "virus definition database" contains definitions for the security tools used today in the computer security world to defend and protect computer systems.
  - Malware could include an antivirus engine and signature definition files for security tools.
- To protect our tools we need to evade antivirus detection! Therefore, our security tools need to be polymorphic or even metamorphic.
The Black Intrusion Detection System:
- Malware can use an IDS to "shut down" security systems at the network level.
- Such malware will primarily target the internal corporate LAN, and could carry an IDS engine itself or change the existing one with new rules (if possible).
- Malware that carries its own engine can use MAC and ARP poisoning to sniff in a switched network.
- Any communication that passes over a wire where the malware was able to "see" it is subject to this attack.
- The solution to this problem may be the use of covert channels.
Practical Examples
Virus Example
- Win32/Simile:
  - is a metamorphic computer virus written in assembly language for Microsoft Windows (most recent version in early March 2002).
  - It was written by the virus writer Mental Driller.
  - When the virus is first executed, it checks the current date. If the host file (the file that is infected with the virus) imports the file User32.dll, then on the 17th of March, June, September, or December, a message is displayed.
  - Depending on the version of the virus, the case of each letter in the text is altered randomly. On May 14, a message saying "Free Palestine!" will be displayed if the system locale is set to Hebrew.
Virus Example
- The virus then rebuilds itself. This metamorphic process is very complex and accounts for around 90% of the virus' code.
- After the rebuild, the virus searches for executable files in folders on all fixed and remote drives.
- The virus contains checks to avoid infecting "goat" or "bait" files.
- The infection process uses the structure of the host, as well as random factors, to control the placement of the virus body and the decryptor.
- The virus contains no destructive payload.
SQL Slammer worm
- The SQL Slammer worm is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic.
- It spread rapidly, infecting most of its 75,000 victims within ten minutes.
- It exploited two buffer overflow bugs in Microsoft's flagship SQL Server and Desktop Engine database products.
- The worm is a small (376 bytes) piece of code that does little other than generate random IP addresses and send itself out to those addresses.
SQL Slammer worm
- If a selected address happens to belong to a host that is running an unpatched copy of the Microsoft SQL Server Resolution Service (MSDE), the host immediately becomes infected and begins spraying the Internet with more copies of the worm program.
- The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove.
Antivirus Example
- Avast: one of the most popular full-featured freeware anti-virus applications for Microsoft Windows users.
- Official website: http://www.avast.com/
Antivirus Example
- Features:
  - Standard Shield: real-time protection
  - IM Shield: instant messenger protection
  - P2P Shield: P2P protection
  - Internet Mail: e-mail protection
  - Outlook/Exchange: Microsoft Outlook/Exchange protection
  - Web Shield: HTTP protection (local transparent proxy)
  - Script Blocker: script checker
  - Network Shield: basic protection against well-known network worms; acts as a lightweight intrusion detection system
  - Audible alarms: vocal warnings such as "Caution, a virus has been detected!"
  - Boot-time scan: through the program interface, a user can schedule a boot-time scan to remove viruses that load during Windows startup and are therefore difficult to remove.
Eng. Ammar Mahmood 55
2/27/2023

More Related Content

PPT
Network virus detection & prevention
PPT
Computer viruses
PPT
Malicious
DOCX
Antivirus
PPT
PPTX
Computer Introduction-Lecture04
PPTX
MALWARE AND ITS TYPES
PPT
Computer Virus And Antivirus-Sumon Chakraborty
Network virus detection & prevention
Computer viruses
Malicious
Antivirus
Computer Introduction-Lecture04
MALWARE AND ITS TYPES
Computer Virus And Antivirus-Sumon Chakraborty

Similar to Antiviruse.ppt (20)

PPT
Computer virus 18
PDF
Computer viruses
PPTX
viruses and its types in the computer system
PPTX
Chapter 11 Malicious Software - HCMUT.pptx
ODP
Virus and antivirus final ppt
PPSX
Computer viruses
PPT
Virus, Worms And Antivirus
PPTX
Firewall , Viruses and Antiviruses
PPSX
Computer viruses
PPTX
Program and System Threats
PPT
Presentation2
PDF
Malicious software
PPT
Computer viruses, types and preventions
PDF
An analysis of how antivirus methodologies are utilized in protecting compute...
PDF
Analysis of virus algorithms
PPT
Computer Virus
PPT
Computer Viruses and Classification lecture slides ppt
PPTX
Final malacious softwares
Computer virus 18
Computer viruses
viruses and its types in the computer system
Chapter 11 Malicious Software - HCMUT.pptx
Virus and antivirus final ppt
Computer viruses
Virus, Worms And Antivirus
Firewall , Viruses and Antiviruses
Computer viruses
Program and System Threats
Presentation2
Malicious software
Computer viruses, types and preventions
An analysis of how antivirus methodologies are utilized in protecting compute...
Analysis of virus algorithms
Computer Virus
Computer Viruses and Classification lecture slides ppt
Final malacious softwares
Ad

Recently uploaded (20)

PPTX
Microbial diseases, their pathogenesis and prophylaxis
PDF
Classroom Observation Tools for Teachers
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
PPTX
Final Presentation General Medicine 03-08-2024.pptx
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
PPTX
master seminar digital applications in india
PDF
Anesthesia in Laparoscopic Surgery in India
PDF
Supply Chain Operations Speaking Notes -ICLT Program
PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
PPTX
Presentation on HIE in infants and its manifestations
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
PDF
01-Introduction-to-Information-Management.pdf
PDF
Computing-Curriculum for Schools in Ghana
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
Microbial diseases, their pathogenesis and prophylaxis
Classroom Observation Tools for Teachers
FourierSeries-QuestionsWithAnswers(Part-A).pdf
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
Final Presentation General Medicine 03-08-2024.pptx
Abdominal Access Techniques with Prof. Dr. R K Mishra
master seminar digital applications in india
Anesthesia in Laparoscopic Surgery in India
Supply Chain Operations Speaking Notes -ICLT Program
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
Module 4: Burden of Disease Tutorial Slides S2 2025
102 student loan defaulters named and shamed – Is someone you know on the list?
human mycosis Human fungal infections are called human mycosis..pptx
Presentation on HIE in infants and its manifestations
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
01-Introduction-to-Information-Management.pdf
Computing-Curriculum for Schools in Ghana
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
Ad

Antiviruse.ppt

  • 1. Antivirus Software. By: Eng. Ammar J. Mahmood. Supervised by: Dr. Lo’ai Tawalbeh, New York Institute of Technology (NYIT), Jordan’s campus. 2/27/2023
  • 2. Introduction
    - Antivirus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware).
    - Malware (malicious software) is software designed to infiltrate or damage a computer system without the owner's informed consent.
    - Types of malware include spyware, adware, Trojan horses, worms and viruses.
  • 3. Malware: "Know your enemy"
  • 4. The Virus
    - A computer virus is a self-replicating computer program written to alter the way a computer operates, without the permission or knowledge of the user.
    - Why do people create computer viruses?
      - Some virus writers consider their creations works of art and see virus writing as a creative hobby.
      - Viruses have been written as research projects, as pranks, as vandalism, and to attack the products of specific companies.
  • 5. The Virus
    - Why do people create computer viruses? (continued)
      - Some viruses were intended as "good viruses": they spread improvements to the programs they infect, or delete other viruses. Such viruses are quite rare; they still consume system resources and may accidentally damage the systems they infect.
  • 6. The Virus
    - Viruses can be subdivided into a number of types, the main ones being:
    - Boot sector viruses:
      - alter or hide in the boot sector, usually the first sector, of a bootable floppy disk or hard drive.
      - The boot sector contains bootstrap code, which usually (but not necessarily) loads an operating system.
      - Boot sector infectors replace the bootstrap code in the boot sectors of floppy disks, hard disks, or both with viral code.
      - The BIOS on IBM PC compatible machines does not know whether a disk has actually been high-level formatted and had an operating system installed; it loads and runs whatever is in the boot sector of the disk it boots from.
      - This is a security weakness. A user who sees the resulting "non-system disk" error message may not realise that the code in the boot sector has already run by that point, whether or not the disk was infected by a boot-sector virus.
  • 7. The Virus
    - Companion viruses: create new files (typically .COM, but other extensions such as ".EXD" have been used) with the same base name as legitimate .EXE files. When a user types the name of a program without an extension, DOS looks for .COM before .EXE (and .EXE before .BAT), so the virus's .COM file runs instead of the real program.
    - Email viruses: viruses that use e-mail messages as their mode of transport. They often copy themselves by automatically mailing copies to hundreds of people in the victim's address book.
  • 8. The Virus
    - Logic bombs and time bombs: employ code that lies inert until specific conditions are met (e.g. a certain number of hosts has been infected, or a date arrives). Satisfying the condition triggers a function such as printing a message to the user and/or deleting files.
    - Macro viruses: often written in the scripting languages of Microsoft programs such as Word and Excel, and spread within Microsoft Office by infecting documents and spreadsheets.
    - Cross-site scripting virus: a virus that uses cross-site scripting vulnerabilities to replicate.
  • 9. The Virus
    - Methods to avoid detection
    - Avoiding bait files and other undesirable hosts: a virus needs to infect hosts in order to spread further, but infecting some hosts is a bad idea. For example, many anti-virus programs perform an integrity check of their own code; infecting such a program increases the likelihood that the virus is detected.
    - Bait files (or goat files) are files specially created by anti-virus software or anti-virus professionals.
      - Anti-virus professionals use bait files to take a sample of a virus.
      - They also use bait files to study the behaviour of a virus and evaluate detection methods.
      - Some anti-virus software employs bait files that are checked regularly. When these files are modified, the software warns the user that a virus is probably active on the system.
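As an added example (not code from the deck), here is a minimal goat-file monitor in Python of the kind the last bullet describes: it plants bait files, records a size and SHA-256 baseline for each, and later reports any bait whose contents changed. The bait names, the stub bytes and the appended "virus body" are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Names of the constructed goat files; nothing legitimate ever writes to these.
BAIT_NAMES = ("GOAT1.COM", "GOAT2.EXE", "GOAT3.COM")


def sha256_of(path):
    """Hash a file's full contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_bait(directory):
    """Create the bait files and record size and hash as the clean baseline."""
    baseline = {}
    for i, name in enumerate(BAIT_NAMES):
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            # A harmless stub: a RET opcode followed by padding, so a file
            # infector sees an ordinary small executable worth infecting.
            f.write(b"\xc3" + bytes([0x90 + i]) * 512)
        baseline[path] = (os.path.getsize(path), sha256_of(path))
    return baseline


def check_bait(baseline):
    """Return the bait files whose size or hash no longer matches the baseline.
    Any change means something wrote to a file only the monitor should touch:
    a prepender, an appender or an overwriting infector all alter the hash,
    even one that pads the file to keep its size unchanged."""
    tampered = []
    for path, (size, digest) in baseline.items():
        if (not os.path.exists(path)
                or os.path.getsize(path) != size
                or sha256_of(path) != digest):
            tampered.append(os.path.basename(path))
    return sorted(tampered)


def demo():
    """Plant bait, let a constructed appender 'infect' one goat, check again."""
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_bait(d)
        before = check_bait(baseline)          # [] on a clean system
        with open(os.path.join(d, "GOAT2.EXE"), "ab") as f:
            f.write(b"<constructed virus body appended here>")
        after = check_bait(baseline)           # ["GOAT2.EXE"]
        return before, after


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the baseline: the hashes must be stored where the infector cannot rewrite them, and a virus that recognises goat files (W32/Simile on slide 49 does exactly this) will skip them, which is why the files should look like ordinary executables rather than obviously synthetic ones.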
  • 10. The Virus: Stealth and rootkits
    - A virus can hide itself by intercepting the anti-virus software's request to read an infected file, so that the request is handled by the virus instead of by the OS.
    - The virus then returns an uninfected version of the file to the anti-virus software, so the file appears "clean".
    - Modern anti-virus software employs various techniques to counter the stealth mechanisms of viruses.
  • 11. The Virus
    - A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system.
    - Rootkit types:
      - Virtualised: these rootkits modify the boot sequence of the machine to load themselves instead of the original operating system. Once in memory, a virtualised rootkit loads the original operating system as a virtual machine, enabling the rootkit to intercept all hardware calls made by the guest OS.
      - Kernel level: kernel-level rootkits add code to, and/or replace a portion of, the kernel with modified code to help hide a backdoor on a computer system.
  • 12. The Virus
    - Rootkit types (continued):
      - Library level: commonly patch, hook, or replace system calls with versions that hide information about the attacker.
      - Application level: may replace regular application binaries with trojanised fakes, or modify the behaviour of existing applications using hooks, patches, injected code, or other means.
    - The only completely reliable way to defeat stealth is to boot from a medium that is known to be clean.
      - Shut down the computer suspected of infection and check its storage by booting from alternative media (e.g. a rescue CD-ROM or USB flash drive). A rootkit that is not running cannot hide its presence, and most established antivirus programs will then identify it using standard OS calls, which the dormant rootkit can no longer tamper with.
  • 13. The Virus
    - Self-modification:
      - Some viruses employ techniques that make detection by means of signatures difficult or impossible.
      - These viruses modify their code on each infection, so each infected file contains a different variant of the virus.
      - Simple self-modification: some viruses modify themselves only in simple ways, for example by regularly exchanging subroutines in their code for others that perform the same action (2+2 swapped for 1+3). This poses no problem for a somewhat advanced virus scanner.
  • 14. The Virus
    - Encryption with a variable key:
      - A more advanced method is the use of simple encryption to encipher the virus.
      - The virus consists of a small decrypting module and an encrypted copy of the virus code.
      - The virus is encrypted with a different key for each infected file, so the only part of the virus that remains constant is the decrypting module.
      - A virus scanner cannot directly detect the encrypted body using signatures, but it can still detect the decrypting module, which makes indirect detection of the virus possible.
  • 15. The Virus
    - Polymorphic code:
      - Polymorphic code was the first technique that posed a serious threat to virus scanners.
      - The same as an encrypted virus, except that the decryption module is also modified on each infection.
      - To produce polymorphic code, the virus has to carry a polymorphic engine (also called a mutating or mutation engine) somewhere in its encrypted body.
      - Anti-virus software can detect it by decrypting the virus in an emulator, or by statistical pattern analysis of the encrypted virus body.
  • 16. The Virus
    - Metamorphic code:
      - To avoid detection by emulation, some viruses rewrite themselves completely each time they infect a new executable.
      - They do this by translating their own code into a temporary representation and then back into normal code again.
      - Metamorphic code is more effective than polymorphic code. Most anti-virus software keeps searching for known virus code while it emulates a program, and that defeats a polymorphic virus because decryption exposes its constant body; a metamorphic virus has no constant body to expose.
      - A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14,000 lines of assembly language code, 90% of it part of the metamorphic engine.
  • 17. The Virus
    - Replication strategies: in order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs.
    - Viruses can be divided into two types on the basis of their behaviour when they are executed.
  • 18. The Virus
    - Nonresident viruses:
      - immediately search for other hosts that can be infected, infect those targets, and finally transfer control to the application program they infected.
      - Nonresident viruses can be thought of as consisting of a finder module and a replication module.
      - The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.
  • 19. The Virus
    - Resident viruses:
      - Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program.
      - The virus stays active in the background and infects new hosts when those files are accessed by other programs or by the operating system itself.
      - Resident viruses contain a replication module similar to the one employed by nonresident viruses, but it is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that the module runs each time the operating system is called to perform a certain operation (opening a file, for example).
  • 20. The Virus
    - Resident viruses are sometimes subdivided into two categories. The first:
      - Fast infectors are designed to infect as many files as possible; a fast infector can infect every potential host file that is accessed.
      - This poses a special problem for anti-virus software, since a virus scanner accesses every potential host file on the computer when it performs a system-wide scan. If the scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the scanner and infect every file that is scanned.
      - The disadvantage of this method is that infecting many files may make detection more likely: the virus may slow the computer down or perform many suspicious actions that anti-virus software can notice.
  • 21. The Virus
    - The second category, slow infectors:
      - are designed to infect hosts infrequently. For instance, some slow infectors only infect files when they are copied.
      - Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably, and will at most infrequently trigger anti-virus software that detects suspicious behaviour by programs.
      - The slow infector approach does not seem very successful, however.
  • 22. The Virus
    - Host types:
      - Binary executable files (such as COM and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux)
      - Volume boot records of floppy disks and hard disk partitions
      - The master boot record (MBR) of a hard disk
      - General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms)
      - Application-specific script files (such as Telix scripts)
      - Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database files)
  • 23. The Worm
    - A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention.
    - Unlike a virus, it does not need to attach itself to an existing program.
    - Worms almost always harm the network (if only by consuming bandwidth), whereas viruses infect or corrupt files on a targeted computer.
  • 24. The Worm
    - Types of computer worms:
      - Email worms spread via e-mail messages. Typically the worm arrives as an e-mail whose body or attachment contains the worm code, but it may also link to code on an external website.
      - Instant messaging worms spread via instant messaging applications by sending links to infected websites to everyone on the local contact list.
      - IRC worms target chat channels and use the same infection/spreading method as above.
  • 25. The Worm
    - Types of computer worms (continued):
      - File-sharing network worms copy themselves into a shared folder, most likely on the local machine, under a harmless-looking name. The worm is then ready for download via the P2P network, and the infected file keeps spreading.
      - Internet worms target low-level TCP/IP ports directly, rather than going via higher-level protocols such as e-mail or IRC.
      - A classic example is "Blaster", which exploited a vulnerability in Microsoft's Remote Procedure Call (RPC) service. An infected machine aggressively scans random computers on both its local network and the public Internet, attempting the exploit against TCP port 135; if it succeeds, the worm spreads to that machine.
  • 26. The Worm
    - Payloads:
      - Many worms are designed only to spread and do not attempt to alter the systems they pass through.
      - A "payload" is code designed to do more than spread the worm: it might delete files on a host system (e.g. the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail.
      - A very common worm payload installs a backdoor on the infected computer, turning it into a "zombie" under the control of the worm's author.
  • 27. Antivirus SW
  • 28. Antivirus
    - Antivirus software typically uses two different techniques to accomplish its mission:
      - Examining (scanning) files to look for known viruses matching definitions in a virus dictionary.
      - Identifying suspicious behaviour from any computer program, which might indicate infection. Such analysis may include data captures, port monitoring and other methods.
  • 29. Antivirus modes
    - Anti-virus programs have two basic modes:
      - "Static" (on-demand) file scanning: useful when you need to scan a file or a volume to check whether any of the files are currently infected with malware.
      - Real-time "dynamic" (on-access) scanning: what is actually needed to prevent the computer from getting infected in the first place. In this mode, every file the operating system opens or uses is scanned before it is fully opened.
  • 30. Approaches: Dictionary
    - A signature is a characteristic byte pattern that is part of a certain virus or family of viruses.
    - In the virus dictionary approach, when the antivirus software examines a file, it refers to a dictionary of known viruses that the authors of the antivirus software have identified. If a piece of code in the file matches any virus identified in the dictionary, the antivirus software can take one of the following actions:
      1. attempt to repair the file by removing the virus from it
      2. quarantine the file (so that it remains inaccessible to other programs and its virus can no longer spread)
      3. delete the infected file
  • 31. Approaches: Dictionary
    - The virus dictionary approach requires periodic (generally online) downloads of updated virus dictionary entries.
    - When users identify new viruses "in the wild", they can send infected files to the authors of the antivirus software, who then include information about the new viruses in their dictionaries.
    - Dictionary-based antivirus software typically examines files when the computer's operating system creates, opens, closes or e-mails them. In this way it can detect a known virus immediately upon receipt.
  • 32. Approaches: Dictionary
    - A system administrator can typically schedule the antivirus software to examine (scan) all files on the user's hard disk on a regular basis.
    - Although the dictionary approach can effectively contain virus outbreaks in the right circumstances, virus writers have tried to stay a step ahead of it with code that has no fixed signature.
  • 33. Approaches: Dictionary
    - Virus technologies that avoid the dictionary approach:
      - Metamorphic code
      - Polymorphic code
      - Oligomorphic code: an oligomorphic engine is used by a virus to generate a decryptor for itself in a way comparable to a simple polymorphic engine, but it can produce only a limited number of decryptor variants.
  • 34. Approaches: Dictionary
    - Weaknesses of those techniques:
      - Encryption and polymorphism: a small portion of the virus is left unencrypted and used to start the encrypted code. Anti-virus software targets this small unencrypted decryptor.
      - Anti-virus software can also detect it by decrypting the virus in an emulator, or by statistical pattern analysis of the encrypted virus body.
      - Most oligomorphic viruses cannot generate more than a few hundred different decryptors, so detecting them with simple signatures is still possible.
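An added example, not code from the deck, tying slides 14, 15, 30 and 34 together: a toy signature scanner run over constructed samples that use encryption with a variable key (fixed decryptor) and a polymorphic decryptor (shuffled instructions plus junk NOPs), and the emulation step that recovers the constant body in both cases. The decryptor "bytecode", the host layout, the signatures and the virus body are invented for the demonstration; nothing here is real malware.

```python
import random

# --- constructed sample data; nothing here is real malware ----------------------
# A toy "executable": 2-byte magic, 2-byte little-endian entry offset, then code.
# The clean host's entry point is an END opcode, i.e. it returns at once.
OP_KEY, OP_LEN, OP_RUN, OP_NOP, OP_END = 0x01, 0x02, 0x03, 0x90, 0xFF
HOST = b"MZ" + (4).to_bytes(2, "little") + bytes([OP_END]) + b"host program code " * 4
# The constant virus body every infection carries (kept as readable ASCII).
BODY = b"[VIRUS BODY: find next host, copy self, return to host]"

# Signature dictionary: a body fragment, and the constant tail of a fixed-layout
# decryptor (everything after the key operand, which changes per infection).
SIGNATURES = {
    "Toy.Body": BODY[:16],
    "Toy.Decryptor": bytes([OP_LEN, len(BODY) & 0xFF, len(BODY) >> 8, OP_RUN, OP_END]),
}


def xor(data, key):
    """Encrypt and decrypt are the same operation for a one-byte XOR key."""
    return bytes(b ^ key for b in data)


def fixed_stub(key, length, rng):
    """Encryption with a variable key: the decryptor layout never changes."""
    return bytes([OP_KEY, key, OP_LEN, length & 0xFF, length >> 8, OP_RUN, OP_END])


def polymorphic_stub(key, length, rng):
    """Same semantics as fixed_stub, but instruction order and junk NOPs vary per
    infection, so no contiguous byte string survives across samples."""
    instrs = [bytes([OP_KEY, key]), bytes([OP_LEN, length & 0xFF, length >> 8])]
    rng.shuffle(instrs)
    out = b""
    for ins in instrs:
        out += bytes([OP_NOP]) * rng.randint(1, 3) + ins
    return out + bytes([OP_NOP]) * rng.randint(1, 3) + bytes([OP_RUN, OP_END])


def infect(host, make_stub, rng):
    """Append stub + encrypted body and point the entry offset at the stub."""
    key = rng.randrange(1, 256)                      # never 0: that would be plaintext
    stub = make_stub(key, len(BODY), rng)
    return host[:2] + len(host).to_bytes(2, "little") + host[4:] + stub + xor(BODY, key)


def scan(data, signatures=SIGNATURES):
    """Dictionary approach: report every signature found as a plain substring."""
    return {name for name, pattern in signatures.items() if pattern in data}


def emulate(sample, max_steps=64):
    """Interpret the decryptor from the entry point and return the bytes it would
    hand control to. This is what a scanner's emulator does to recover the constant
    body of an encrypted or polymorphic virus; a clean host yields nothing."""
    pc = int.from_bytes(sample[2:4], "little")
    key = length = None
    for _ in range(max_steps):
        if pc >= len(sample):
            return b""
        op = sample[pc]
        if op == OP_KEY:
            key, pc = sample[pc + 1], pc + 2
        elif op == OP_LEN:
            length, pc = int.from_bytes(sample[pc + 1:pc + 3], "little"), pc + 3
        elif op == OP_NOP:
            pc += 1
        elif op == OP_RUN and key is not None and length is not None:
            start = pc + 2                               # RUN is always followed by END
            return xor(sample[start:start + length], key)
        else:
            return b""                                   # END or malformed: nothing to run
    return b""


def demo(seed=7, copies=5):
    """For each stub style, infect several hosts and compare what static signature
    scanning finds against what scanning the emulated (decrypted) code finds."""
    rng = random.Random(seed)
    results = {}
    for style, make_stub in (("encrypted", fixed_stub), ("polymorphic", polymorphic_stub)):
        samples = [infect(HOST, make_stub, rng) for _ in range(copies)]
        static = {name for s in samples for name in scan(s)}
        emulated = {name for s in samples for name in scan(emulate(s))}
        results[style] = (sorted(static), sorted(emulated))
    return results


if __name__ == "__main__":
    print(demo())
```

With the fixed stub, static scanning never sees the body (it is XORed with a different key in every copy) but always hits `Toy.Decryptor`, which is the "indirect detection" of slide 14. With the polymorphic stub the static scan finds nothing at all; only running the decryptor in the emulator and scanning its output recovers `Toy.Body`. A metamorphic virus (slide 16) would defeat this second step too, because there would be no constant body for the emulator to uncover.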
  • 35. Approaches: Suspicious behaviour
    - The suspicious behaviour approach does not attempt to identify known viruses; instead it monitors the behaviour of all programs. If one program tries to write data to an executable program, for example, the antivirus software can flag this suspicious behaviour, alert the user and ask what to do.
  • 36. Approaches: Suspicious behaviour
    - The suspicious behaviour approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionary.
    - However, it can also raise a large number of false positives, and users may become desensitised to the warnings.
    - If the user clicks "Accept" on every such warning, the antivirus software obviously gives no benefit to that user.
  • 37. Approaches: Suspicious behaviour weaknesses
    - The fact that much legitimate software behaves like malicious software makes the antivirus's job harder.
    - Example: there is commercial software-protection software with features such as dynamic code encryption/decryption, code replacement, a metamorphic engine, API export hiding, anti-debug/dump/trace and more. These are used to protect programs from illegal use (cracking and reverse engineering), yet to a behaviour monitor they look exactly like malware.
  • 38. Approaches: Heuristic analysis
    - Emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable.
    - If the program seems to use self-modifying code or otherwise behaves like a virus (if it immediately tries to find other executables, for example), one can assume that a virus has infected the executable.
    - Heuristic scanners have a higher rate of false positives than signature scanners, but they have the significant advantage of being able to detect unknown viruses.
  • 39. Approaches: Sandbox
    - A sandbox is a security mechanism for safely running programs. It is often used to execute untested code, or programs from unverified third parties, suppliers and untrusted users.
    - The scanner emulates the operating system and runs the executable in this simulation. After the program has terminated, software analyses the sandbox for any changes that might indicate a virus.
    - Because of the performance cost, this type of detection normally takes place only during on-demand scans.
  • 40. Approaches: Sandbox
    - This method may also fail because a virus can be nondeterministic, performing different actions (or none at all) on each run, so it may be impossible to detect it from a single run.
    - The sandbox typically provides a tightly controlled set of resources for guest programs to run in.
  • 41. Weaknesses of antivirus SW
    - Many security professionals agree that the current approach of defending against malicious software with antivirus is not good enough, but it is the best solution we have right now.
    - Here is a brief summary of the main shortcomings of antivirus software:
  • 42. Weaknesses of antivirus SW
    1. Reactive approach: your antivirus is only as good as its definition files. If you do not update them, the antivirus program will not be able to detect new malware. The most critical detection problems for antivirus software are:
      - new or modified malicious code
      - rootkit programs
      - software misuse
    2. Inability to protect themselves: with sufficient system permissions, malware can change antivirus settings and configuration.
  • 43. Weaknesses of antivirus SW
    3. Inability to revert the results of the malware infection process.
      - Too often, the "installation process" of malware includes copying files, changing the registry and system configuration files, and changing the configuration of other software. Some of these changes are still present in the infected system even after an antivirus program deletes or disinfects the malware files.
      - For almost every severe virus/worm, antivirus vendors issue a "removal tool".
      - This amounts to the antivirus vendors telling their customers: "our antivirus isn't good enough to clean your system – please use this tool".
  • 44. Retro viruses
    - Retro viruses are viruses that attack security programs.
    - "Attack is the best defence strategy."
    - Instead of hiding from detection by security software, the malware targets that software as (part of) its malicious action.
    - The next slides discuss some of the techniques used by retro viruses.
  • 45. The Black Antivirus
    - A (white) antivirus is used for good purposes, while a Black Antivirus is the same antivirus used for "bad" purposes.
    - An unexpected problem: the "virus definition database" contains definitions for the security tools used today in the computer security world to defend and protect computer systems.
    - Malware could therefore include an antivirus engine and signature definition files for those security tools, and use them to find and remove the defences on the machine.
    - To protect our tools we would need to evade this antivirus detection; our security tools would themselves have to be polymorphic or even metamorphic.
  • 46. The Black Intrusion Detection System
    - Malware can use an IDS to "shut down" security systems at the network level.
    - Such malware will primarily target the internal corporate LAN and could carry its own IDS engine, or change the existing one with new rules (if possible).
    - The malware carries the engine itself and uses MAC and ARP poisoning to sniff on a switched network.
    - Any communication that passes a wire where the malware is able to "see" it is subject to this attack.
    - A solution for this problem may be the use of covert channels between security tools.
  • 47. Practical Examples
  • 48. Virus Example: Win32/Simile
    - A metamorphic computer virus written in assembly language for Microsoft Windows (most recent version from early March 2002).
    - It was written by the virus writer "Mental Driller".
    - When the virus is first executed, it checks the current date. If the host file (the file infected with the virus) imports User32.dll, then on the 17th of March, June, September or December a message is displayed.
    - Depending on the version of the virus, the case of each letter in the text is altered randomly. On May 14 a message saying "Free Palestine!" is displayed if the system locale is set to Hebrew.
  • 49. Virus Example
    - The virus then rebuilds itself. This metamorphic process is very complex and accounts for around 90% of the virus's code.
    - After the rebuild, the virus searches for executable files in folders on all fixed and remote drives.
    - The virus contains checks to avoid infecting "goat" or "bait" files.
    - The infection process uses the structure of the host, as well as random factors, to control the placement of the virus body and the decryptor.
    - The virus contains no destructive payload.
  • 50. SQL Slammer worm
    - The SQL Slammer worm is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic.
    - It spread rapidly, infecting most of its 75,000 victims within ten minutes.
    - It exploited two buffer overflow bugs in Microsoft's flagship SQL Server and Desktop Engine (MSDE) database products.
    - The worm is a small (376-byte) piece of code that does little other than generate random IP addresses and send itself to those addresses.
  • 51. SQL Slammer worm
    - If a selected address happens to belong to a host running an unpatched copy of the Microsoft SQL Server Resolution Service (SQL Server 2000 or MSDE 2000, listening on UDP port 1434), the host immediately becomes infected and begins spraying the Internet with more copies of the worm.
    - The worm is so small that it contains no code to write itself to disk, so it stays only in memory and is easy to remove: a reboot clears it, but an unpatched host is reinfected as soon as the next copy arrives.
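An added example, not from the deck, of how an Internet worm like Blaster (slide 25) or Slammer (slides 50 and 51) shows up in network flow data: a detector that flags sources contacting many distinct destinations on a worm's propagation port within a short window. The flow log is constructed; the port numbers follow the slides (TCP 135 for Blaster, UDP 1434 for the SQL Server Resolution Service), and the 404-byte datagram size is Slammer's 376-byte payload plus the 8-byte UDP and 20-byte IPv4 headers, a known fact rather than something the slides state.

```python
from collections import defaultdict

# Worm propagation ports named on the slides: Blaster (RPC/DCOM over TCP 135) and
# Slammer (SQL Server Resolution Service over UDP 1434).
WORM_PORTS = {("tcp", 135): "Blaster-style RPC scan", ("udp", 1434): "Slammer-style SQL scan"}
WINDOW = 10      # seconds per bucket
THRESHOLD = 5    # distinct destinations per bucket before a source counts as scanning

# Constructed flow log, "epoch src dst proto dport bytes"; not captured traffic.
# 404-byte UDP datagrams are what Slammer's 376-byte payload looks like on the wire.
FLOW_LOG = """\
1000 10.0.0.5  10.0.0.1       tcp 135  180
1000 10.0.0.5  10.0.0.2       tcp 135  180
1000 10.0.0.5  10.0.0.9       tcp 445  1200
1000 10.0.0.20 203.0.113.4    udp 1434 60
1000 10.0.0.7  203.0.113.4    udp 1434 404
1000 10.0.0.7  198.51.100.77  udp 1434 404
1001 10.0.0.7  192.0.2.19     udp 1434 404
1001 10.0.0.7  10.0.0.200     udp 1434 404
1001 10.0.0.7  203.0.113.99   udp 1434 404
1002 10.0.0.7  198.51.100.8   udp 1434 404
1005 10.0.0.12 10.0.0.1       tcp 135  60
1005 10.0.0.12 10.0.0.2       tcp 135  60
1006 10.0.0.12 10.0.0.3       tcp 135  60
1006 10.0.0.12 10.0.0.4       tcp 135  60
1007 10.0.0.12 10.0.0.5       tcp 135  60
1007 10.0.0.12 192.0.2.50     tcp 135  60
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append((int(ts), src, dst, proto, int(dport), int(nbytes)))
    return flows


def find_scanners(flows, window=WINDOW, threshold=THRESHOLD):
    """Flag sources that contact many distinct destinations on a worm port within
    one time bucket. A client talks to one or two servers on these ports; a
    random-target worm sprays dozens per second, including addresses that do not
    exist, which is what makes it loud on the network."""
    buckets = defaultdict(set)
    for ts, src, dst, proto, dport, _ in flows:
        svc = (proto, dport)
        if svc in WORM_PORTS:
            buckets[(src, svc, ts // window)].add(dst)
    hits = {}
    for (src, svc, _), dsts in buckets.items():
        if len(dsts) >= threshold:
            _, best = hits.get(src, (None, 0))
            hits[src] = (WORM_PORTS[svc], max(best, len(dsts)))
    return hits


if __name__ == "__main__":
    for src, (label, n) in find_scanners(parse_flows(FLOW_LOG)).items():
        print(f"{src}: {label}, {n} distinct targets within {WINDOW}s")
```

Host 10.0.0.5 talks to two domain controllers on TCP 135 and is left alone; 10.0.0.7 and 10.0.0.12 each hit six distinct addresses on a worm port inside one window and are reported. This is the detection that still works for Slammer, which never writes itself to disk and so leaves nothing for a file scanner to find.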
  • 52. Antivirus Example: avast!
    - One of the most popular full-featured freeware anti-virus applications for Microsoft Windows users.
    - Official website: http://www.avast.com/
  • 53. Antivirus Example: features
    - Standard Shield: real-time protection
    - IM Shield: instant messenger protection
    - P2P Shield: P2P protection
    - Internet Mail: e-mail protection
    - Outlook/Exchange: Microsoft Outlook/Exchange protection
    - Web Shield: HTTP protection (local transparent proxy)
    - Script Blocker: script checker
    - Network Shield: basic protection against well-known network worms; acts as a lightweight intrusion detection system
    - Audible alarms: vocal warnings such as "Caution, a virus has been detected!"
    - Boot-time scan: through the program interface, a user can schedule a boot-time scan to remove viruses that load during Windows startup and are therefore difficult to remove
  • 54. Resources
    - http://www.securityelf.org/files/Andrey_Bayora_software_misuse.pdf
    - http://en.wikipedia.org/wiki/Antivirus
    - http://www.research.ibm.com/antivirus/SciPapers/Gordon/Strategy.html
    - http://www.sans.org/reading_room/whitepapers/malicious/68.php
    - http://en.wikipedia.org/wiki/Software_virus
    - http://www.symantec.com/security_response/writeup.jsp?docid=2002-030617-5423-99
    - http://en.wikipedia.org/wiki/Computer_virus