
Dr. Richard Ford. Szor 12. Virus Scanners: why they need to scan memory and what issues there are in this area.

Presentation transcript:

1. Dr. Richard Ford, rford@fit.edu

2. Szor 12
- Virus Scanners: why they need to scan memory and what issues there are in this area

3.
- Scanners look for "known" viruses
- But they also must scan memory for viruses... why?
- Why isn't just using an "on-access" scanner good enough?

4.
- Speed of spread: a memory-resident virus sees every file that is opened or executed, so it has far more infection opportunities
- Longevity of infection: active stealth
- Imagine an integrity checker or virus scanner operating with a virus in memory: the virus can intercept the scanner's own file reads and hand back clean-looking bytes

5.
- DOS uses the Intel processor in Real Mode!
- Which means what?
- DOS does not protect memory or separate one process's memory from another's: every program, and the scanner, sees the same flat physical memory
- No support for "virtual" memory

6.
- Can scan memory byte by byte
- Effective
- Not too slow (not much memory: under 1 MB of conventional memory)
- Direct access by the virus scanner (no OS involvement)
- Problem is the false positive rate: stale copies of scan strings in freed memory, or another scanner's own signature database, match just as well as a live virus. So scanners walk DOS's Memory Control Block (MCB) chain and scan only allocated blocks, reducing memory coverage
- Safe? A resident virus that controls the MCB chain also controls what the scanner looks at
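The MCB-guided scan from slide 6, as an added example in C (not code from the lecture or from Szor). The memory image, the three-block MCB layout and the eight-byte "signature" are constructed here; the header layout (tag byte 'M'/'Z', owner PSP segment, size in paragraphs) is the real DOS one. The example also shows the two caveats from the slide: a byte-by-byte scan matches a stale copy of the scan string in a free block, and a corrupted chain is reported rather than silently trusted.

```c
/* Added example (not from the lecture): walk a DOS-style Memory Control Block
 * chain so a scanner only looks inside allocated blocks.  The memory image,
 * the block layout and the "signature" bytes are all constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MEM_SIZE (64 * 1024)   /* constructed stand-in for conventional memory */
#define PARA     16            /* one DOS paragraph = 16 bytes */
static uint8_t mem[MEM_SIZE];

/* Constructed scan string; a real scanner carries thousands of these. */
static const uint8_t SIG[] = { 0xE8, 0x00, 0x00, 0x5E, 0x81, 0xEE, 0x03, 0x01 };

/* MCB header layout (first 5 of its 16 bytes): tag 'M' (more follow) or 'Z'
 * (last block), owner PSP segment (0 = free), size in paragraphs.  Block data
 * starts in the paragraph right after the header. */
static void write_mcb(uint16_t seg, uint8_t tag, uint16_t owner, uint16_t paras)
{
    uint8_t *h = mem + (size_t)seg * PARA;
    h[0] = tag;
    h[1] = (uint8_t)(owner & 0xFF); h[2] = (uint8_t)(owner >> 8);
    h[3] = (uint8_t)(paras & 0xFF); h[4] = (uint8_t)(paras >> 8);
}

/* Count occurrences of SIG in mem[off, off+len), clamped to the image;
 * linear offsets of the first max_hits matches go into hits[]. */
static size_t scan_range(size_t off, size_t len, size_t *hits, size_t max_hits)
{
    size_t n = 0;
    if (off >= MEM_SIZE) return 0;
    if (len > MEM_SIZE - off) len = MEM_SIZE - off;
    for (size_t i = 0; i + sizeof SIG <= len; i++) {
        if (memcmp(mem + off + i, SIG, sizeof SIG) == 0) {
            if (n < max_hits) hits[n] = off + i;
            n++;
        }
    }
    return n;
}

/* Byte-by-byte scan of the whole image: simple, but it also matches stale
 * copies of the scan string lying in free memory. */
size_t scan_all(size_t *hits, size_t max_hits)
{
    return scan_range(0, MEM_SIZE, hits, max_hits);
}

/* MCB-guided scan: follow the chain from first_mcb and scan only blocks that
 * have an owner.  Returns the hit count, or (size_t)-1 if the chain is
 * malformed; treat that as suspicious, since a resident virus that controls
 * the chain also controls what this routine sees. */
size_t scan_allocated(uint16_t first_mcb, size_t *hits, size_t max_hits)
{
    size_t total = 0;
    uint16_t seg = first_mcb;
    for (int guard = 0; guard < 1024; guard++) {          /* bound the walk */
        size_t h = (size_t)seg * PARA;
        if (h + PARA > MEM_SIZE) return (size_t)-1;        /* ran off the image */
        uint8_t  tag   = mem[h];
        uint16_t owner = (uint16_t)(mem[h + 1] | (mem[h + 2] << 8));
        uint16_t paras = (uint16_t)(mem[h + 3] | (mem[h + 4] << 8));
        if (tag != 'M' && tag != 'Z') return (size_t)-1;   /* broken chain */
        if (owner != 0) {
            size_t used = total < max_hits ? total : max_hits;
            total += scan_range(h + PARA, (size_t)paras * PARA,
                                hits + used, max_hits - used);
        }
        if (tag == 'Z') return total;
        seg = (uint16_t)(seg + 1 + paras);                 /* next header */
    }
    return (size_t)-1;                                     /* looped chain */
}

/* Constructed image: a DOS-owned block, a free block still holding a stale
 * copy of SIG from a program that already exited, and a live program block
 * (PSP at its first paragraph) that really contains SIG.  Returns the
 * segment of the first MCB. */
uint16_t build_image(void)
{
    memset(mem, 0, sizeof mem);
    write_mcb(0x0100, 'M', 0x0008, 0x0040);   /* DOS data, 1 KiB, data at 0x0101 */
    write_mcb(0x0141, 'M', 0x0000, 0x0080);   /* free, 2 KiB, data at 0x0142 */
    write_mcb(0x01C2, 'Z', 0x01C3, 0x0100);   /* program, 4 KiB, data at 0x01C3 */
    memcpy(mem + 0x0142 * PARA + 0x100, SIG, sizeof SIG);   /* stale copy */
    memcpy(mem + 0x01C3 * PARA + 0x200, SIG, sizeof SIG);   /* live copy */
    return 0x0100;
}

int main(void)
{
    size_t hits[8];
    uint16_t first = build_image();
    printf("byte-by-byte: %zu hit(s)\n", scan_all(hits, 8));          /* 2 */
    size_t n = scan_allocated(first, hits, 8);
    printf("MCB-guided:   %zu hit(s), first at 0x%zX\n", n, hits[0]); /* 1, 0x1E30 */
    mem[0x0141 * PARA] = 'X';                       /* corrupt the chain */
    printf("corrupt chain: %s\n",
           scan_allocated(first, hits, 8) == (size_t)-1 ? "refused" : "scanned");
    return 0;
}
```

The free block is exactly the kind of memory the slide's false positives come from; the MCB walk skips it, but only as long as the chain itself is honest, which is the "Safe?" question.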

7.
- Later versions of MS OSes changed things around a lot
- Virtual memory (a private address space per process, decoupled from physical memory and able to be larger than it) makes life much harder
- To understand why, need to understand how Windows NT and above manages memory

8.
- Virtual memory is not a requirement for an OS
- But...
- Allows an application to not worry about memory usage (i.e. makes overlays unnecessary)
- Provides process isolation
- Provides memory protection
- No memory limitation beyond the size of the address space
- Really needs dedicated CPU support (a paging MMU), and Intel provides it

9.
- In NT, memory is broken down into pages, each 4096 bytes in size on x86
- The operating system handles where these pages are stored (in RAM or paged out to disk) and translates virtual addresses into physical memory
- This means that two processes can access the "same" virtual address but two totally different physical pieces of memory
- Introduces the idea of a "page fault": touching a page that is not currently in physical memory traps to the OS, which brings it in before the access completes

10.
- If Process A is isolated from Process B, how can you scan memory globally?
- One solution: ReadProcessMemory()
- API used by debuggers; requires a "Handle" to a particular process, opened with read access
- How to list processes... non-trivial!
- Problem: requires us to basically give the user doing the scanning debug-level access to every process on the machine. That's foolish!
- Better to use kernel mode... but this is hard too!

11.
- A virus can hook itself into the OS in a few different ways
- User-mode and kernel-mode
- Infect a DLL that's used everywhere (like KERNEL32.DLL)

12.
- In order to scan memory from user mode, the OS will have to generate a page fault for every swapped-out page the scanner touches
- Slow!
- Tempting to enumerate processes and scan their disk images instead. Why is this not a good idea? (What is on disk need not be what is running: code injected or patched in memory has no disk image, and a stealth virus decides what a disk read returns)
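Slides 9, 10 and 12 together describe page-granular scanning of another process through a ReadProcessMemory()-style interface. The following is an added example in C, not code from the lecture; `read_page()` is a constructed stand-in for the real API (which needs a process handle opened with read access and fails on uncommitted or access-protected pages), and the target image, its page protections and the scan string are constructed. It shows the two things a per-page scanner gets wrong if written naively: a signature that straddles a page boundary, and a page the API refuses to read.

```c
/* Added example (not from the lecture): page-by-page scanning of another
 * process's address space through a ReadProcessMemory()-style reader.  The
 * target image, its page protections and the scan string are constructed;
 * read_page() stands in for the real API call. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 4096
#define NPAGES    8
static uint8_t target[NPAGES * PAGE_SIZE];   /* the "other process" */
static int     readable[NPAGES];             /* 0 = reserved/guard/no-access */

static const uint8_t SIG[] = { 0xE8, 0x00, 0x00, 0x5E, 0x81, 0xEE, 0x03, 0x01 };

/* Stand-in for ReadProcessMemory(): copy one page or fail, never partially. */
static int read_page(size_t page, uint8_t *out)
{
    if (page >= NPAGES || !readable[page]) return 0;
    memcpy(out, target + page * PAGE_SIZE, PAGE_SIZE);
    return 1;
}

/* Scan every readable page.  With carry_tail set, the last sizeof(SIG)-1
 * bytes of the previous page are kept in front of the current one so that a
 * signature straddling a page boundary is still matched.  An unreadable page
 * is skipped and the carry is dropped, because nothing can straddle a gap we
 * could not read.  Returns the hit count; hits[] receives the virtual
 * addresses (offsets into the target here); *skipped counts unreadable pages. */
size_t scan_pages(int carry_tail, size_t *hits, size_t max_hits, size_t *skipped)
{
    uint8_t buf[sizeof SIG - 1 + PAGE_SIZE];
    size_t carry = 0, n = 0;
    if (skipped) *skipped = 0;
    for (size_t p = 0; p < NPAGES; p++) {
        if (!read_page(p, buf + carry)) {
            if (skipped) (*skipped)++;
            carry = 0;
            continue;
        }
        size_t len  = carry + PAGE_SIZE;
        size_t base = p * PAGE_SIZE - carry;       /* address of buf[0] */
        for (size_t i = 0; i + sizeof SIG <= len; i++) {
            if (memcmp(buf + i, SIG, sizeof SIG) == 0) {
                if (n < max_hits) hits[n] = base + i;
                n++;
            }
        }
        if (carry_tail) {                          /* keep the tail for next page */
            carry = sizeof SIG - 1;
            memmove(buf, buf + len - carry, carry);
        }
    }
    return n;
}

/* Constructed target: one copy of SIG split across the page 2/3 boundary,
 * one wholly inside page 5, one inside page 4 which is not readable (think
 * PAGE_NOACCESS), and page 6 marked as a guard page with nothing in it. */
void build_target(void)
{
    memset(target, 0, sizeof target);
    for (size_t p = 0; p < NPAGES; p++) readable[p] = 1;
    readable[4] = 0;
    readable[6] = 0;
    memcpy(target + 3 * PAGE_SIZE - 3, SIG, sizeof SIG);   /* straddles 2|3 */
    memcpy(target + 4 * PAGE_SIZE + 100, SIG, sizeof SIG); /* unreadable page */
    memcpy(target + 5 * PAGE_SIZE + 16, SIG, sizeof SIG);  /* wholly in page 5 */
}

int main(void)
{
    size_t hits[8], skipped;
    build_target();
    size_t n = scan_pages(1, hits, 8, &skipped);
    printf("with carry: %zu hit(s), %zu page(s) skipped\n", n, skipped);  /* 2, 2 */
    for (size_t i = 0; i < n; i++) printf("  hit at 0x%zX\n", hits[i]);
    n = scan_pages(0, hits, 8, &skipped);
    printf("without carry: %zu hit(s)\n", n);                              /* 1 */
    return 0;
}
```

Every successful `read_page()` on a real system is a potential page fault if the page has been swapped out, which is the cost slide 12 warns about; the copy in the unreadable page is invisible to a user-mode scanner no matter how it is written, which is one reason the slides push toward kernel mode.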

13.
- How? Yeah, really... it's not easy at all
- Terminate the process that is infected
- Detect and terminate remote threads
- Patch "in memory" to deactivate (useful when the virus is loaded into every process)
- Think carefully about how memory protection on shared DLLs works: the pages of a shared DLL are mapped copy-on-write, so a patch made through one process's mapping gives that process a private copy of the page and changes nothing in the other processes

14.
- Let's think about a virus which is a File System Filter Driver
- Can't unhook safely: other filters are layered above and below it and I/O is in flight through it
- How to disinfect?

15.
- Memory can now be marked "Read Only", so a disinfector cannot simply write over the virus body
- How to disinfect?
- Can patch it from assembly within the kernel, but that requires us to be kernel-mode ourselves

16.
- Encryption! In-memory polymorphic code
- Metamorphic in-memory
- Code which "moves about" in memory (ouch)
- Inject into multiple processes at once
- In-memory stealth techniques

17.
- Many ways to detect malware "generically"
- Checksummers (integrity checkers)
- Behavioral analysis
- However, both have issues with false positives: a legitimate update changes a checksum just as an infection does, and legitimate software does "suspicious" things
- Can create a more "optimistic" set of rules
- Both of these detection techniques appeared VERY early in the game
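To tie slide 17's checksummer back to the stealth problem on slide 4, here is an added example in C (not code from the lecture). The "disk", its two files, the appended payload and both readers are constructed: `raw_read()` models a checker that reads the disk without going through the OS file API, and `stealth_read()` models a resident virus that hooks file I/O and serves the pre-infection bytes of any file it infected. The hash is FNV-1a, chosen for brevity; it detects change but is not a cryptographic hash.

```c
/* Added example (not from the lecture): a minimal checksummer (integrity
 * checker) and why a resident stealth virus defeats it.  The "disk", the
 * file contents, the payload and the two readers are all constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NFILES 2
#define CAP    128
typedef struct { const char *name; uint8_t data[CAP]; size_t len; } file_t;

static file_t disk[NFILES];        /* what is really on disk */
static file_t clean_copy[NFILES];  /* what the resident virus shows for infected files */
static int    infected[NFILES];

/* Constructed payload; a real one would be executable code. */
static const uint8_t PAYLOAD[] = "\xE9\x10\x00[constructed virus body]";

/* Reader abstraction: file index -> bytes.  Returns the length copied. */
typedef size_t (*reader_t)(size_t idx, uint8_t *out, size_t cap);

/* Reads that bypass the virus, e.g. a checker with its own disk driver. */
size_t raw_read(size_t idx, uint8_t *out, size_t cap)
{
    size_t n = disk[idx].len < cap ? disk[idx].len : cap;
    memcpy(out, disk[idx].data, n);
    return n;
}

/* Reads that go through the virus's file I/O hook: infected files are
 * shown as they were before infection (active stealth). */
size_t stealth_read(size_t idx, uint8_t *out, size_t cap)
{
    const file_t *f = infected[idx] ? &clean_copy[idx] : &disk[idx];
    size_t n = f->len < cap ? f->len : cap;
    memcpy(out, f->data, n);
    return n;
}

/* FNV-1a 64-bit: fine for change detection, not a cryptographic hash. */
static uint64_t fnv1a(const uint8_t *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Constructed disk with two clean program images. */
void init_disk(void)
{
    static const char *body[NFILES]  = { "MZ hello.exe image v1", "MZ editor.exe image v1" };
    static const char *names[NFILES] = { "HELLO.EXE", "EDITOR.EXE" };
    memset(infected, 0, sizeof infected);
    for (size_t i = 0; i < NFILES; i++) {
        disk[i].name = names[i];
        disk[i].len  = strlen(body[i]);
        memcpy(disk[i].data, body[i], disk[i].len);
    }
}

/* Append the payload and remember the clean bytes for the stealth hook. */
void infect(size_t idx)
{
    clean_copy[idx] = disk[idx];
    size_t room = CAP - disk[idx].len;
    size_t n = sizeof PAYLOAD - 1 < room ? sizeof PAYLOAD - 1 : room;
    memcpy(disk[idx].data + disk[idx].len, PAYLOAD, n);
    disk[idx].len += n;
    infected[idx] = 1;
}

/* A legitimate update: the vendor shipped a new version byte. */
void legit_update(size_t idx)
{
    disk[idx].data[disk[idx].len - 1] = '2';
}

void take_baseline(reader_t rd, uint64_t *base)
{
    uint8_t buf[CAP];
    for (size_t i = 0; i < NFILES; i++) base[i] = fnv1a(buf, rd(i, buf, CAP));
}

/* Number of files whose current checksum differs from the baseline. */
size_t verify(reader_t rd, const uint64_t *base)
{
    uint8_t buf[CAP];
    size_t changed = 0;
    for (size_t i = 0; i < NFILES; i++)
        if (fnv1a(buf, rd(i, buf, CAP)) != base[i]) {
            printf("changed: %s\n", disk[i].name);
            changed++;
        }
    return changed;
}

int main(void)
{
    uint64_t base[NFILES];
    init_disk();
    take_baseline(raw_read, base);
    infect(0);
    printf("raw read:     %zu changed\n", verify(raw_read, base));      /* 1 */
    printf("stealth read: %zu changed\n", verify(stealth_read, base));  /* 0 */
    legit_update(1);
    printf("after update: %zu changed\n", verify(raw_read, base));      /* 2 */
    return 0;
}
```

The second and third results are the two lessons of the slides: with the virus active in memory the checker reports a clean system, which is why memory must be scanned first; and once a legitimate update lands, the checker cannot tell it from an infection, which is the false-positive problem that drives the "optimistic" rule sets.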

18.
- Not confined to static analysis, but most common there
- Typically, we define a heuristic as a rule of thumb
- Heuristic analysis was also used pretty early on in the detection game
- If you think about it, a heuristic to detect our polymorphic "hello world" programs isn't a bad idea...

19. Botnets and other loose ends

