Copyright © 2006, Idea Group Inc.

Chapter IV: Malware and Antivirus Deployment for Enterprise Security
By: Raj Sharman, K. Pramod Krishna, H. Raghav Rao & Shambhu Upadhyaya
Presented by: Abdallah Rasheed, Spring 08
Outline

Types of malware.
Approach to antivirus S/W implementation.
Mechanism of virus/antivirus.
Malware

“Short for malicious software and is typically used as a catch-all term to refer to the class of software designed to cause damage to any device.”
Ex:
– a virus, a worm, a Trojan, spyware, or a backdoor.
Malware impact

Increases business risk.
Reduces productivity.
Loss of customer confidence.
Time consuming.
Cost of antivirus / firewalls.
Malware history

1986, “Pakistani Brain” virus.
1987, “Merry Christmas” worm.
1988, “Morris worm”.
1990s, more complex viruses:
– OS executable infectors.
– Network/protocol worms.
Antivirus Solution: The Layered Approach

– Layer 1: Gateway and content security
– Layer 2: Intranet servers
– Layer 3: Desktops and user community

Figure 1. Three-layer defense in enterprise network
Layer 1 — Gateway Security and Content Security

Deals with the Internet-visible servers and the demilitarized zone (DMZ).
– Gateway traffic: firewall filters.
– Content scanning: e-mail attachments; scans e-mails for text; spam e-mails.
Layer 2 — Intranet Servers

E-mail servers.
– Virtual Private Network (VPN).
– Remote Access Server (RAS).
Proxy servers.
File servers.
– Risk minimizing.
– Increasing storage space.
Layer 3 — Desktop and User Community

Sources of virus infection:
– The use of webmail.
– Instant messaging tools.
– Peer-to-peer file sharing.
– Downloads from the Internet.
Administrator privileges.
Automated scan.
Educating users.
Antispyware in Enterprise Network

Symptoms of spyware:
– unauthorized pop-up advertisements making Web browsing difficult;
– sudden change in the performance of the computer, slowing it down considerably;
– appearance of a new and unwanted toolbar on the browser without installation;
– increased crashing of operating systems and Web browsers.
Why Antispyware

Increased IT support costs.
Theft of intellectual property.
Privacy violations.
Information disclosure.
Loss of credibility and damage to the organization.
Antivirus detection techniques

Pattern Recognition
– Examines key suspect areas and uses the virus pattern file to compare and detect viruses.
Integrity Checking
– Initial record of the status of all files on the HDD.
– Checksumming programs to detect changes.
– A change indicates a possible virus;
– otherwise, a false alarm.
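As an added illustration of the two techniques on this slide (example code, not from the chapter or the presentation): an integrity baseline of SHA-256 checksums is taken, and only files that a later snapshot shows as new or changed are pattern-scanned, which also separates a confirmed hit from a checksum-only "false alarm". `DEMO_SIGNATURES` and the file contents in the test are constructed placeholders.

```python
import hashlib
import os

# Constructed demo pattern file: a real one maps virus names to bytes taken from
# each virus body. This marker is a placeholder, not a real malware signature.
DEMO_SIGNATURES = {"DEMO-VIRUS": b"DEMO_VIRUS_MARKER"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def snapshot(files: dict) -> dict:
    """Integrity baseline: {path: SHA-256} over an in-memory {path: bytes} map."""
    return {path: sha256(data) for path, data in files.items()}

def read_tree(root: str) -> dict:
    """Load every regular file under root into the {relative path: bytes} shape
    that snapshot() and triage() take, for use against a real directory."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files

def scan_patterns(data: bytes, signatures: dict) -> list:
    """Pattern recognition: names of every signature whose bytes occur in data."""
    return [name for name, pattern in signatures.items() if pattern in data]

def triage(baseline: dict, current_files: dict, signatures: dict = DEMO_SIGNATURES) -> dict:
    """Integrity check first, then pattern-scan only files that are new or changed.
    A changed file with no known pattern is 'review': a legitimate update (the false
    alarm the slide mentions) and an unknown virus look the same to a checksum."""
    current = snapshot(current_files)
    verdicts = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            verdicts[path] = "missing"
        elif path in baseline and baseline[path] == current[path]:
            verdicts[path] = "unchanged"
        else:
            status = "new" if path not in baseline else "changed"
            hits = scan_patterns(current_files[path], signatures)
            verdicts[path] = f"{status}: infected ({', '.join(hits)})" if hits else f"{status}: review"
    return verdicts
```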
Cont. Techniques

X-Raying
– Sees a picture of the virus body.
– Based on the encryption algorithm.
32-Bit Viruses and PE File Infectors
– Windows 95, which uses a 32-bit OS.
– PE file infectors run themselves each time the host file is executed.
Cont. Techniques

Entry Point Obscuring (EPO)
– Places a “jump-to-virus” instruction in the code.
– Inserts the viral code in unused space in the file.
– Detection is more complex.
Encrypted Virus
– Has a virus decryption routine and the encrypted body.
– Decryption of the virus body.
Cont. Techniques

Polymorphic Viruses
– A mutation engine generates randomized decryption routines each time the virus infects a new program.
– No fixed signature and no fixed decryption routine.
– Decryption routine is time consuming.
Polymorphic Detection

Generic decryption. “A scanner loads the file being scanned into a self-contained virtual container created in the RAM.”
– When an infected file is executed, the decryption routine executes.
– The virus decrypts itself, exposing the virus body to the scanner.
– The scanner identifies the virus signature.
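The mutation engine of the previous slide and the generic-decryption scanner of this one, as an added example rather than code from the chapter or the presentation: the bytecode, `mutate`, `emulate` and `scan` are a constructed toy machine (not x86), and the step budget in `emulate` is the assumed limit a real engine imposes, which is why a decryptor that stalls or runs too long goes undetected.

```python
import random
# Constructed toy bytecode for the "virtual container" (not x86):
#   0x00 NOP | 0x10 k: KEY=k | 0x11 lo hi: PTR=addr | 0x12 n: CNT=n
#   0x13: mem[PTR] ^= KEY; PTR += 1; CNT -= 1
#   0x14 off: if CNT > 0 jump back off bytes from this opcode, else skip it
#   0xFF HALT: control would now pass to the decrypted body
HALT = 0xFF
# Constructed sample "virus body" and the signature a pattern file would carry for it.
SAMPLE_BODY = b"VIRUS_BODY_CONSTRUCTED_SAMPLE"
SAMPLE_SIG = b"BODY_CONSTRUCTED"

def mutate(body: bytes, seed=None) -> bytes:
    """Mutation engine: fresh XOR key and random NOP padding per infection, so no fixed signature."""
    assert 0 < len(body) < 256
    rng = random.Random(seed)
    key = rng.randrange(1, 256)
    stub = bytearray(b"\x00" * rng.randrange(0, 8))
    body_at = len(stub) + 11  # the 11 decryptor bytes below follow the NOPs
    stub += bytes([0x10, key, 0x11, body_at & 0xFF, body_at >> 8, 0x12, len(body)])
    stub += bytes([0x13, 0x14, 1, HALT])  # XOR one byte, loop back to 0x13, halt
    return bytes(stub) + bytes(b ^ key for b in body)

def emulate(image: bytes, max_steps: int = 10_000) -> bytes:
    """Generic decryption: run the image in an isolated buffer; return memory at halt or budget exhaustion."""
    mem = bytearray(image)
    pc = key = ptr = cnt = 0
    for _ in range(max_steps):
        op = mem[pc]
        if op == HALT:
            break
        if op == 0x00:
            pc += 1
        elif op == 0x10:
            key, pc = mem[pc + 1], pc + 2
        elif op == 0x11:
            ptr, pc = mem[pc + 1] | (mem[pc + 2] << 8), pc + 3
        elif op == 0x12:
            cnt, pc = mem[pc + 1], pc + 2
        elif op == 0x13:
            mem[ptr] ^= key
            ptr, cnt, pc = ptr + 1, cnt - 1, pc + 1
        elif op == 0x14:
            pc = pc - mem[pc + 1] if cnt > 0 else pc + 2
        else:
            break  # unknown opcode: stop; a real engine would give up here too
    return bytes(mem)

def scan(image: bytes, signature: bytes, max_steps: int = 10_000) -> bool:
    """Match the signature against memory after emulation, not against the raw file bytes."""
    return signature in emulate(image, max_steps)
```

With `max_steps=5` the body is never exposed, which is the effect an anti-emulation decryptor aims for.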
Heuristic-Based Generic Decryption

– A generic set of rules that helps differentiate non-virus from virus behavior.
– Inconsistencies may indicate the presence of an infected file.
– Running for a long period exposes the virus body.
Anti-Emulation

Emulation allows the virus to run inside a virtual computer to decrypt itself and reveal its code.
Anti-emulation systems are incorporated into the decryptor of a virus so that it does not decrypt properly and hence will not reveal its code.
Retrovirus

Tries to bypass the antivirus by:
– modifying the code of an antivirus program file;
– stopping the execution of the program;
– using methods in the virus code that cause problems for the antivirus;
– exploiting a specific weakness or a backdoor in an antivirus.
Backdoor

“Trojan allows access to computer resources using a network connection.”
Hackers download scripts onto PCs, essentially hijacking them, and then use them to launch a denial-of-service attack. Those PCs become slave computers.
Virus Infection Cycle of W32/Gobi

PE virus, written in assembly.
Infects (.exe) files in the Windows directory.
Changes the registry.
– Once the registry hook is done, Gobi infects programs launched from Windows Explorer before letting them run.
Conclusions

Malicious code and Internet-based attacks keep increasing; some of the future forecasts regarding malware are:
– Spam mails and phishing will continue to be a major concern in usage.
– Social engineering is emerging as one of the biggest challenges, as there is no technical defense against the exploitation of human weaknesses.
– The time between vulnerability disclosure and release of malware exploiting the vulnerability continues to get shorter, requiring more proactive assessment tools.
References

Warkentin, M., & Vaughn, R. (Eds.). Enterprise Information Systems Assurance and System Security: Managerial and Technical Issues. Idea Group Inc.
Argaez, E. D. (2004). How to prevent the online invasion of spyware and adware. March 25, 2008.