Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dr. Richard Ford  Szor 11  Virus Scanners – how they work, why they matter, how to write one…

Published byAntonia Grant Modified over 8 years ago

Similar presentations

Presentation on theme: "Dr. Richard Ford  Szor 11  Virus Scanners – how they work, why they matter, how to write one…"— Presentation transcript:

1 Dr. Richard Ford rford@fit.edu

2  Szor 11  Virus Scanners – how they work, why they matter, how to write one…

3  Look for “known” viruses  Basically, used to look for hex strings in files  Virus writers tried to make this more difficult… (as we saw last week)

4  Generic/Specific  On-demand, on-access

5  Look for an extracted sequence of bytes  Skill required to select a signature which won’t cause false positives!

6  Exact identification…  How about boot sector virus detection?  Sometimes we have data in the string… so we have to use a wildcard  0400 B801 020E 07BB ??02 %3 33C9  Can be Boyer-Moore…  http://en.wikipedia.org/wiki/Boyer- Moore_string_search_algorithm http://en.wikipedia.org/wiki/Boyer- Moore_string_search_algorithm

7  Try and pick a string which handles all variants of a virus…  Ideally, can detect variants we don’t know about  (but of course, the badguys have scanners too…)

8  Store relative offset of the string  Helps with identification  Can also “bookmark” the location in a sector

9  Most viruses only really modify the start/end of a host  So, you can speed up a string scanner by only scanning the “top and tail” of the file  Problem is…

10  Use the COM entry/jmp point to work out where to scan  Use offsets in the EXE header  Use “fixed point” scanning (take an entry point of M, and scan at M+X for a string…)

11  Don’t have to use DOS to access the disk  Can use the BIOS and skip past the DOS niceties  Also bypasses stealth on Int 21h

12  Smart scanning (ignore NOPs in a signature)  Leads to the idea of Skeleton Detection (get rid of whitespace/deadspace)

13  How?

14  Not a very good name  Means “virus-specific detection algorithm”  Hard-coded detection methods released with the scan engine  Lead to “virus scanning language”  Ultimately, Java (!) like p-code

15  As algorithmic scanning is expensive, needs a good pre-filter  Rule: be fast on clean files!  “Quick and dirty” rule out  Number of 0’s at the file end  Look for the types on certain segments  Check file characteristics  Why? Zmist requires 2 million p-code-based iterations!

16  Most viruses have very simple encryption – say, constant XOR  Can “decrypt” top and tail of files for all possible keys and use a simple signature on the remainder…  Gives access to unencrypted virus, allowing for repair  Side benefit… detects “broken” decryption loops

17  Implement an emulator for instructions!  Code optimization?

18  Hard!  Geometric Detection  Focus on “interesting” instructions  Negative and Positive features  Emulator-based heuristics  Long list of Win32 Heuristics  Neural networks…

19  Some revision and recap time to prepare for our midterm!

Download ppt "Dr. Richard Ford  Szor 11  Virus Scanners – how they work, why they matter, how to write one…"

Similar presentations

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.
Picture It Very Basic Game Picture Pepper. Original Game import java.util.Scanner; public class Game { public static void main() { Scanner scan=new Scanner(System.in);

Picture It Very Basic Game Picture Pepper. Original Game import java.util.Scanner; public class Game { public static void main() { Scanner scan=new Scanner(System.in);
Announcements You survived midterm 2! No Class / No Office hours Friday.

Announcements You survived midterm 2! No Class / No Office hours Friday.
Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.

Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.
Recursion CS 367 – Introduction to Data Structures.

Recursion CS 367 – Introduction to Data Structures.
 RAID stands for Redundant Array of Independent Disks  A system of arranging multiple disks for redundancy (or performance)  Term first coined in 1987.

 RAID stands for Redundant Array of Independent Disks  A system of arranging multiple disks for redundancy (or performance)  Term first coined in 1987.
Dr. Richard Ford  Szor 7  Another way viruses try to evade scanners.

Dr. Richard Ford  Szor 7  Another way viruses try to evade scanners.
Tools for Text Review. Algorithms The heart of computer science Definition: A finite sequence of instructions with the properties that –Each instruction.

Tools for Text Review. Algorithms The heart of computer science Definition: A finite sequence of instructions with the properties that –Each instruction.
Polymorphic Viruses A brief survey Joseph Hamm Shirlan Johnson.

Polymorphic Viruses A brief survey Joseph Hamm Shirlan Johnson.
Cryptography and Network Security

Cryptography and Network Security
Software performance enhancement using multithreading and architectural considerations Prepared by: Andrey Sloutsman Evgeny Gokhfeld 06/2006.

Software performance enhancement using multithreading and architectural considerations Prepared by: Andrey Sloutsman Evgeny Gokhfeld 06/2006.
Who’s watching your network Deep Inside an AntiVirus Engine Network Associates, Inc. Jimmy Kuo Director, AV Research Deep Inside.

Who’s watching your network Deep Inside an AntiVirus Engine Network Associates, Inc. Jimmy Kuo Director, AV Research Deep Inside.
Virus Encyption CS 450 Joshua Bostic. topics Encryption as a deterent to virus scans. History of polymorphic viruses. Use of encryption by viruses.

Virus Encyption CS 450 Joshua Bostic. topics Encryption as a deterent to virus scans. History of polymorphic viruses. Use of encryption by viruses.
27-Jun-15 Profiling code, Timing Methods. Optimization Optimization is the process of making a program as fast (or as small) as possible Here’s what the.

27-Jun-15 Profiling code, Timing Methods. Optimization Optimization is the process of making a program as fast (or as small) as possible Here’s what the.
1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Project By Ben Woodard ISC 110 Professor: Dr. Elaine Wenderholm.

Project By Ben Woodard ISC 110 Professor: Dr. Elaine Wenderholm.
While Loops and Do Loops. Suppose you wanted to repeat the same code over and over again? System.out.println(“text”); System.out.println(“text”); System.out.println(“text”);

While Loops and Do Loops. Suppose you wanted to repeat the same code over and over again? System.out.println(“text”); System.out.println(“text”); System.out.println(“text”);
Client-Server collaborative scanning Dumitru Codreanu R&D, BitDefender.

Client-Server collaborative scanning Dumitru Codreanu R&D, BitDefender.
Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.

Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Similar presentations

Ads by Google