By: Tanvi Lotliker, TE Computer

Malware Defense. By: Tanvi Lotliker, TE Computer, 411128

Malware Defense: index • Antivirus Approaches • Generic Decryption • Digital Immune System • Behavior-Blocking Software • Worm Countermeasures • Bot Countermeasures • Rootkit Countermeasures

Antivirus Approaches (Stallings, p. 686). The ideal solution to the threat of viruses is prevention: do not allow a virus to get into the system at all. This goal is, in general, impossible to achieve, although prevention can reduce the number of successful viral attacks. The next best approach is to be able to do the following: • Detection: once the infection has occurred, determine that it has occurred and locate the virus. • Identification: once detection has been achieved, identify the specific virus that has infected a program. • Removal: once the specific virus has been identified, remove all traces of the virus from the infected program and restore it to its original state; remove the virus from all infected systems so that it cannot spread further.

Generic Decryption (GD) (Stallings, p. 686). GD is a technology that lets an antivirus program easily detect even the most complex polymorphic viruses while causing no damage to the computer, because the suspect code is never executed on the real processor. To detect such a polymorphic virus, executable files are run through a GD scanner, which contains the following elements: • CPU emulator • Virus signature scanner • Emulation control module

CPU emulator: a software-based virtual computer. Instructions in an executable file are interpreted by the emulator rather than executed on the underlying processor. The emulator includes software versions of all registers and other processor hardware, so the underlying processor is unaffected by programs interpreted on the emulator. Virus signature scanner: a module that scans the target code looking for known virus signatures.

Emulation control module: controls the execution of the target code. At the start of each simulation, the emulator begins interpreting instructions in the target code one at a time. Thus, if the code includes a decryption routine that decrypts and hence exposes the virus, that routine is interpreted and the decrypted body appears in the emulated memory, where the signature scanner can find it. In effect, the virus does the work for the antivirus program by exposing itself. During interpretation no damage is caused to the actual computer environment, because the code runs only inside the completely controlled emulator. The control module also has to decide how long to keep interpreting each file: too few instructions and the decryption loop never finishes, too many and scanning becomes slow.
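As an added example (not from the slides or from Stallings), the three elements above as a working toy GD scanner in Python. The instruction set, the file layout, the "virus" body and its signature are all invented for this example. build_sample produces a polymorphic instance whose only variation between copies is the XOR key, so a plain on-disk signature scan (static_scan) never matches, while gd_scan interprets the decryptor stub against emulated memory and catches the body once the stub has decrypted it.

```python
# Toy generic-decryption (GD) scanner: the three elements named in the
# slides (CPU emulator, virus signature scanner, emulation control module)
# built around an invented 8-bit instruction set. The "virus", its
# signature and the file layout are constructed for this example.

MOVI, LOAD, STORE, XOR, ADDI, JNZ, HALT = range(1, 8)   # toy opcodes

# Signature database: byte patterns that occur in the *decrypted* body.
SIGNATURES = {b"TOY-VIRUS-BODY": "Toy.Polymorph.A"}

PAYLOAD_ADDR = 32                          # where the encrypted body lives
PLAIN_PAYLOAD = b"xx TOY-VIRUS-BODY xx"    # 20 bytes, constructed


def build_sample(key):
    """One polymorphic instance: a decryptor stub followed by the body
    XOR-encrypted with a per-instance key in 1..255 (0 would leave it in
    the clear). Only the key byte differs between instances."""
    assert 1 <= key <= 255
    n = len(PLAIN_PAYLOAD)
    stub = bytes([
        MOVI, 0, PAYLOAD_ADDR,   # r0 = pointer into the encrypted body
        MOVI, 1, key,            # r1 = key
        MOVI, 2, n,              # r2 = bytes left to decrypt
        LOAD, 3, 0,              # loop (offset 9): r3 = mem[r0]
        XOR, 3, 1,               #   r3 ^= r1
        STORE, 0, 3,             #   mem[r0] = r3
        ADDI, 0, 1,              #   r0 += 1
        ADDI, 2, 0xFF,           #   r2 -= 1 (add 255 mod 256)
        JNZ, 2, 9,               #   if r2 != 0: goto loop
        HALT,
    ])
    body = bytes(b ^ key for b in PLAIN_PAYLOAD)
    return stub + bytes(PAYLOAD_ADDR - len(stub)) + body


def scan_for_signatures(buf):
    """Virus signature scanner: name of the first known signature in buf, else None."""
    for sig, name in SIGNATURES.items():
        if sig in buf:
            return name
    return None


def step(mem, regs, pc):
    """CPU emulator: interpret the instruction at pc using software-only
    registers and memory. Returns the next pc, or None to stop."""
    op = mem[pc]
    if op == HALT:
        return None
    a, b = mem[(pc + 1) & 0xFF], mem[(pc + 2) & 0xFF]
    if a > 3 or (op in (LOAD, STORE, XOR) and b > 3):
        return None                        # malformed register operand
    if op == MOVI:
        regs[a] = b
    elif op == LOAD:
        regs[a] = mem[regs[b]]
    elif op == STORE:
        mem[regs[a]] = regs[b]
    elif op == XOR:
        regs[a] ^= regs[b]
    elif op == ADDI:
        regs[a] = (regs[a] + b) & 0xFF
    elif op == JNZ:
        return b if regs[a] != 0 else (pc + 3) & 0xFF
    else:
        return None                        # unknown opcode
    return (pc + 3) & 0xFF


def gd_scan(sample, max_steps=1000):
    """Emulation control module: load the file into a 256-byte emulated
    memory, interpret one instruction at a time, and re-scan the emulated
    memory after every instruction so a body the sample decrypts for us is
    caught. max_steps is the run-length budget discussed above.
    Returns (virus name or None, instructions emulated)."""
    mem = bytearray(256)
    mem[:len(sample)] = sample
    regs = [0, 0, 0, 0]
    pc, steps = 0, 0
    while pc is not None and steps < max_steps:
        pc = step(mem, regs, pc)
        steps += 1
        hit = scan_for_signatures(bytes(mem))
        if hit:
            return hit, steps
    return None, steps


def static_scan(sample):
    """Plain on-disk signature scan, for comparison: misses every instance
    with a non-zero key because the body is never in the clear on disk."""
    return scan_for_signatures(sample)


if __name__ == "__main__":
    for key in (0x5A, 0xA7):
        s = build_sample(key)
        print(f"key={key:#04x} static={static_scan(s)} gd={gd_scan(s)}")
```

The step budget in gd_scan is the run-length trade-off from the slide: with max_steps=50 the same sample is missed, because the decryptor loop has not yet reached the bytes that form the signature.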

Digital Immune System (Stallings, p. 687). A common deficiency of current virus defense strategies is that most antivirus tools are not able to detect cutting-edge viruses. The digital immune system is an approach to virus protection developed by IBM and subsequently refined by Symantec. The motivation for this development has been the rising threat of Internet-based virus propagation. Traditionally, the virus threat was characterized by the relatively slow spread of new viruses and new mutations; antivirus software was typically updated on a monthly basis, and this was sufficient to control the problem.

Also traditionally, the Internet played a comparatively small role in the spread of viruses. But two major trends in Internet technology have had an increasing impact on the rate of virus propagation in recent years: • Integrated mail systems: systems such as Lotus Notes and Microsoft Outlook make it very simple to send anything to anyone and to work with objects that are received. • Mobile-program systems: capabilities such as Java and ActiveX allow programs to move on their own from one system to another.

[Figure: digital immune system operation (Stallings, p. 688)]

The figure illustrates the typical steps in digital immune system operation: 1. A monitoring program on each PC uses a variety of heuristics based on system behavior, suspicious changes to programs, or family signatures to infer that a virus may be present. The monitoring program forwards a copy of any program thought to be infected to an administrative machine within the organization. 2. The administrative machine encrypts the sample and sends it to a central virus analysis machine. 3. This machine creates an environment in which the infected program can be safely run for analysis; techniques used for this purpose include the creation of a protected environment within which the suspect program can be executed and monitored. The virus analysis machine then produces a prescription for identifying and removing the virus.

4. The resulting prescription is sent back to the administrative machine. 5. The administrative machine forwards the prescription to the infected client. 6. The prescription is also forwarded to other clients in the organization. 7. Subscribers around the world receive regular antivirus updates that protect them from the new virus.

Behavior-Blocking Software (Stallings, p. 688). Behavior-blocking software monitors program behavior in real time and blocks potentially malicious actions before they have a chance to affect the system. Monitored behaviors can include: • Attempts to open, view, delete, and/or modify files; • Attempts to format disk drives and other unrecoverable disk operations; • Modifications to the logic of executable files or macros; • Modification of critical system settings, such as start-up settings; • Scripting of e-mail and instant messaging clients to send executable content; • Initiation of network communications.

[Figure: operation of the behavior blocker]

Behavior-blocking software runs on server and desktop computers and is instructed, through policies set by the network administrator, to let benign actions take place but to intercede when unauthorized or suspicious actions occur. The blocker isolates the suspect code in a sandbox, which restricts its access to OS resources and applications, stops it from executing further, and sends an alert to the administrator. Behavior blocking alone has limitations: because the malicious code must run on the target machine before all its behaviors can be identified, it can cause harm before it is detected and blocked. On the other hand, because a behavior blocker can stop suspicious software in real time, it has an advantage over established antivirus detection techniques such as fingerprinting, which can only match code that is already known.

Worm Countermeasures (Stallings, p. 690). A countermeasure is an action taken to prevent or limit an attack on a system. The requirements for an effective worm countermeasure scheme are: • Generality: the approach taken should be able to handle a wide variety of worm attacks, including polymorphic worms. • Timeliness: the approach should respond quickly, so as to limit the number of infected systems and the number of transmissions generated by infected systems. • Resiliency: the approach should be resistant to evasion techniques employed by attackers to evade worm countermeasures. • Minimal denial-of-service costs: the approach should result in minimal reduction in capacity or service due to the actions of the countermeasure software; that is, in an attempt to contain worm propagation, the countermeasure should not significantly disrupt normal operation. • Transparency: the countermeasure software and devices should not require modification to existing (legacy) OSs, application software, and hardware. • Global and local coverage: the approach should be able to deal with attack sources both from outside and from inside the enterprise network.

Six classes of worm defense: A. Signature-based worm scan filtering: this approach generates a worm signature, which is then used to prevent worm scans from entering or leaving a network or host. Typically it involves identifying suspicious flows and generating a worm signature. It is vulnerable to polymorphic worms: either the detection software misses the worm or, if it is sophisticated enough to deal with polymorphism, the scheme may take a long time to react. B. Filter-based worm containment: similar to class A but focused on worm content rather than on a scan signature; the filter checks a message to determine whether it contains worm code. C. Payload-classification-based worm containment: these network-based techniques examine packets to see if they contain a worm. Various anomaly detection techniques can be used, but care is needed to avoid high levels of false positives or false negatives.

D. Threshold random walk (TRW) scan detection: TRW exploits the randomness in picking destinations to connect to as a way of detecting whether a scanner is in operation: a benign host's first-contact connection attempts mostly succeed, whereas a worm probing addresses at random fails far more often than it succeeds, and a sequential test on that run of outcomes flags the host after only a few attempts. It is effective against the common behavior seen in worm scans. E. Rate limiting: this class limits the rate of scan-like traffic from an infected host, for example by capping the number of new machines a host may contact in a window of time or the number of uncompleted connections it may have open. F. Rate halting: this approach immediately blocks outgoing traffic when a threshold is exceeded, either in outgoing connection rate or in diversity of connection attempts [JHI07]. It must include measures to quickly and transparently unblock mistakenly blocked hosts. Rate halting can integrate with a signature- or filter-based approach so that once a signature or filter is generated, every blocked host can be unblocked.
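An added example, not part of the slides or of Stallings, showing classes D and F above in working Python: a per-host TRW sequential test and a rate halter with the quick-unblock hook, replayed over a constructed connection log. The detector parameters (theta0 = 0.8, theta1 = 0.2, alpha = 0.01, beta = 0.99) are the usual textbook choices for TRW and are an assumption here, as are the window and thresholds of the rate halter and the addresses in the log.

```python
# Threshold random walk (class D) and rate halting (class F) over a
# constructed connection log. Added example; the detector parameters
# (theta0, theta1, alpha, beta) are the usual textbook choices, not
# values given on the slides, and the addresses are made up.
from collections import defaultdict, deque
from math import log


class TRWDetector:
    """Sequential hypothesis test per source host. H0: src is benign and a
    first-contact connection succeeds with probability theta0; H1: src is
    a scanner and succeeds with probability theta1 < theta0. Each outcome
    moves the log-likelihood ratio; crossing the upper threshold declares
    a scanner, crossing the lower one clears the host."""

    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
        self.upper = log(beta / alpha)                      # -> "scanner"
        self.lower = log((1 - beta) / (1 - alpha))          # -> "benign"
        self.on_success = log(theta1 / theta0)              # negative step
        self.on_failure = log((1 - theta1) / (1 - theta0))  # positive step
        self.llr = defaultdict(float)
        self.seen = defaultdict(set)      # src -> destinations already counted
        self.verdict = {}

    def observe(self, src, dst, succeeded):
        """Feed one connection attempt; only the first contact with each
        destination counts, which is what a random-scanning worm produces.
        Returns 'scanner', 'benign' or 'undecided' for src."""
        if src in self.verdict:
            return self.verdict[src]
        if dst in self.seen[src]:
            return "undecided"
        self.seen[src].add(dst)
        self.llr[src] += self.on_success if succeeded else self.on_failure
        if self.llr[src] >= self.upper:
            self.verdict[src] = "scanner"
        elif self.llr[src] <= self.lower:
            self.verdict[src] = "benign"
        return self.verdict.get(src, "undecided")


class RateHalter:
    """Block a host's outgoing traffic as soon as its new-connection rate or
    destination diversity within a sliding window exceeds a threshold, and
    unblock it once a signature or content filter covers the worm."""

    def __init__(self, window_s=1.0, max_rate=20, max_distinct=10):
        self.window_s = window_s
        self.max_rate, self.max_distinct = max_rate, max_distinct
        self.events = defaultdict(deque)  # src -> (time, dst) inside window
        self.blocked = set()

    def observe(self, t, src, dst):
        """Record an outgoing connection attempt at time t; True if src is blocked."""
        if src in self.blocked:
            return True
        q = self.events[src]
        q.append((t, dst))
        while t - q[0][0] > self.window_s:   # drop events outside the window
            q.popleft()
        if len(q) > self.max_rate or len({d for _, d in q}) > self.max_distinct:
            self.blocked.add(src)
            return True
        return False

    def unblock(self, src):
        """Called when a signature- or filter-based defense has taken over."""
        self.blocked.discard(src)
        self.events.pop(src, None)


# Constructed log: (time, src, dst, succeeded). 10.0.0.5 talks to four
# servers and succeeds; 10.0.0.7 sweeps 10.0.1.0/24 and mostly fails.
CONSTRUCTED_LOG = (
    [(0.05 * i, "10.0.0.5", f"10.0.2.{i % 4 + 1}", True) for i in range(6)]
    + [(0.01 * i, "10.0.0.7", f"10.0.1.{i + 1}", i % 7 == 3) for i in range(30)]
)


def run_demo(log=CONSTRUCTED_LOG):
    """Replay the log in time order; returns {src: (TRW verdict, blocked?)}."""
    trw, halter = TRWDetector(), RateHalter()
    result = {}
    for t, src, dst, ok in sorted(log):
        result[src] = (trw.observe(src, dst, ok), halter.observe(t, src, dst))
    return result


if __name__ == "__main__":
    for src, (verdict, blocked) in sorted(run_demo().items()):
        print(f"{src}: TRW={verdict} rate-halted={blocked}")
```

With these parameters the upper threshold is ln(99), and each failed first contact adds ln(4), so four straight failures are enough to flag a scanner while four straight successes clear a host; the sweeping host is flagged by TRW on its sixth attempt and halted by the rate halter on its eleventh distinct destination, while the workstation is cleared and never blocked.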

Bot Countermeasures (Stallings, p. 691). Several of the countermeasures described on the preceding slides also make sense against bots, including IDSs and digital immune systems: once bots are activated and an attack is underway, they can be used to detect the attack. The primary objective, however, is to detect and disable the botnet during its construction phase, before it is used.

Rootkit Countermeasures (Stallings, p. 691). Rootkits can be extraordinarily difficult to detect and neutralize, particularly kernel-level rootkits, because the administrative tools that would reveal them can themselves be subverted by the rootkit. Countering rootkits requires a variety of network- and computer-level security tools: network- and host-based IDSs can look for the code signatures of known rootkit attacks in incoming traffic, and host-based antivirus software can also be used to recognize the known signatures.

Questions: What is a digital immune system? (Nov/Dec 2009) Write a short note on GD.

Any questions?

Thank you