Virus Detection Mechanisms - International Institute of

Virus Detection Mechanisms
Final Year Project by Chaitanya Kumar CH and K.S. Karthik

Project details

Project Guide: Dr. V.Ch.Venkaiah

Description:
- Study various detection mechanisms
- Implement the mechanisms
Some important terms

- Backdoors/Trapdoors allow unauthorized access to the system.
- Logic bombs are programmed threats that lie dormant for an extended period of time until they are triggered.
Some important terms (Cont…)

- A Virus is a piece of code that inserts itself into a host [program] to propagate. The virus is executed along with the original program.
- Boot sector viruses insert themselves into the boot sector area and are activated when the system boots.
Some important terms (Cont…)

- Multipartite viruses are viruses that can use multiple means of infection, such as MBR, boot sector and parasitic (file) infection.
- Trojan horses are programs that appear to have one function but actually perform another function.
Some important terms (Cont…)

- A worm is a program that can run independently, will consume the resources of its host [machine] from within in order to maintain itself, and can propagate a complete working version of itself on to other machines.
Some important terms (Cont…)

- Payload refers to what the virus does (besides propagation) once executed:
  - Do nothing
  - Playing with your data
  - Malicious damage
Detection of Internet Worms

Traffic Analysis
- Growth in traffic volume
- Rise in number of scans and sweeps
- Change in traffic patterns for some hosts
- Predicting scans by analyzing the scan engine of the worm
Detection of Internet Worms

Honeypots
- Set up a seemingly vulnerable host on the network and log all the filesystem and network activity using low-level tools.
- A picture of what happens when a worm strikes a real host, along with network signatures and binaries, is obtained. This can be used to develop attack signatures.
Detection of Internet Worms

Worms don’t usually monitor DNS entries for new hosts. They simply scan.

Black hole monitoring
- Monitor the locally unused subnets within our address space.
- Monitor the globally unused address space, or dark IP space, and watch for any use of it: nothing legitimate should be talking to it.
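An added example (not part of the project's own code) showing the two network-side checks from the Traffic Analysis and Black hole monitoring slides over constructed flow records: a source that reaches many distinct destinations in a short window is reported as a scanner, and any source that contacts an unused subnet is reported as a black hole hit. The subnet, window and threshold are assumed values for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (source IP, destination IP, timestamp in seconds); not real traffic.
FLOWS = [
    ("10.0.1.5", "10.0.2.10", 100), ("10.0.1.5", "10.0.2.11", 101),
    ("10.0.1.5", "10.0.2.12", 101), ("10.0.1.5", "10.0.2.13", 102),
    ("10.0.1.5", "10.0.2.14", 103), ("10.0.1.5", "10.0.9.7", 104),
    ("10.0.1.8", "10.0.2.10", 100), ("10.0.1.8", "10.0.2.10", 150),
    ("10.0.1.9", "10.0.9.3", 120),
]
# Locally unused subnet we monitor as a black hole (assumed for the example).
DARK_SUBNETS = [ipaddress.ip_network("10.0.9.0/24")]
WINDOW = 10          # seconds
SCAN_THRESHOLD = 5   # distinct destinations within one window


def black_hole_hits(flows, dark=DARK_SUBNETS):
    """Sources that talk to unused address space; worms scan it, legitimate hosts do not."""
    hits = set()
    for src, dst, _ in flows:
        if any(ipaddress.ip_address(dst) in net for net in dark):
            hits.add(src)
    return sorted(hits)


def scan_sources(flows, window=WINDOW, threshold=SCAN_THRESHOLD):
    """Sources that reach >= threshold distinct destinations inside any sliding window."""
    by_src = defaultdict(list)
    for src, dst, ts in flows:
        by_src[src].append((ts, dst))
    scanners = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                scanners.append(src)
                break
    return sorted(scanners)
```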
Detection of Internet Worms

Signature-Based Detection
- Network signatures
- Log signatures from non-vulnerable servers
- Filesystem signatures (used by any typical antivirus software)
Defenses against worms

Host based
- Personal firewalls, antivirus software, privilege control

Firewall and Network Defenses
- Stop existing worms
- Implement inbound and outbound rules
- Reactive IDS
Defenses against worms

Proxy-Based Defenses (application level)
- Authentication
- Mail-server proxies (can scan the emails)
- Web-based proxies (content screening)

Attacking the Worm Network
- Shutdown messages (stop the worm processes or halt the host)
- “I am already infected”
- Poison updates
- These methods can be unprofessional if our counter-attack gets out of our control
Virus Scanners

- Compare code to a database of known malicious code
  - Identify viruses by their “signatures.”
  - Search for these patterns in executable files.
    - Just matching strings in the code
    - Reasonably useful in the days of floppies
- Watch for changes in files
  - Size, time of modification, etc.
- Monitor the system for malicious actions
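An added example (not the project's own implementation) of the two scanner approaches on this slide and the filesystem signatures of the Signature-Based Detection slide: a byte-pattern signature scan over a file, and a baseline of size, modification time and content hash to watch for changes. The signature patterns and file contents are constructed for the example; they are not real malware signatures.

```python
import hashlib
import os
import tempfile

# Constructed signatures: (name, byte pattern). Not real malware signatures.
SIGNATURES = [
    ("Demo.Prepender", b"DEMO-VIRUS-STUB-A"),
    ("Demo.Dropper", b"DEMO-DROPPER-B"),
]


def scan_file(path, signatures=SIGNATURES):
    """Signature scan: names of all patterns found anywhere in the file's bytes."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, pat in signatures if pat in data]


def baseline(paths):
    """Record size, mtime and a content hash per file (the 'watch for changes' approach)."""
    base = {}
    for p in paths:
        st = os.stat(p)
        with open(p, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        base[p] = (st.st_size, st.st_mtime_ns, digest)
    return base


def changed_files(base):
    """Files whose size, mtime or hash no longer matches the recorded baseline."""
    return [p for p in base if baseline([p])[p] != base[p]]


def demo():
    """Constructed scenario: two clean files, then a virus stub is prepended to one."""
    d = tempfile.mkdtemp()
    victim = os.path.join(d, "app.exe")
    other = os.path.join(d, "tool.exe")
    for p in (victim, other):
        with open(p, "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)   # stand-in for a clean executable
    base = baseline([victim, other])
    with open(victim, "rb") as f:
        body = f.read()
    with open(victim, "wb") as f:
        f.write(SIGNATURES[0][1] + body)   # prepending infection changes size and hash
    return scan_file(victim), scan_file(other), changed_files(base)
```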
Virus Scanners Internals

[Diagram: the read/write request and reply path. User mode: Win32 program and Kernel32.dll. Kernel mode: I/O Manager, file system driver and disk driver. Hardware below.]
Virus Scanners Internals

[Diagram: the virus scanner sits as a file system filter between the I/O Manager and the file system driver.]

- The file system filter scans a file whenever it is accessed.
- If the file is infected, it returns the original file after cleaning it.
- If it cannot be cleaned, it returns a failure message and performs an appropriate action such as quarantining or deleting the infected file.
Monitoring using compression enabled filesystem

- The virus can hide itself in other files by prepending itself to other executables.
- But this way there will be a change in the file size, which can be easily recognized.
Monitoring using compression enabled filesystem

- To avoid detection a virus compresses the original file and then prepends the virus to it.
- Since the compression is performed to reduce the file size by the size of the virus, there will be no apparent change in file size.
- When executed, the virus code decompresses the original code and then executes it.
Monitoring using compression enabled filesystem

[Diagram: file sizes before compression by the file system. The original file is shown next to the original file compressed by the virus with the virus code prepended; the virus compresses the file by the size of its own code.]

Monitoring using compression enabled filesystem

[Diagram: compression by the filesystem versus compression by the virus. Top: file sizes before compression by the file system (original file, and original file compressed by the virus). Bottom: file sizes on the disc after compression by the file system (original file, and original file compressed by the virus).]
Monitoring using compression enabled filesystem

- In a compression enabled filesystem the apparent file size differs from the compressed size stored on the disk.
- When a virus hides itself in another file by compressing it and prepending the virus code, the file's size on the disk may differ once the filesystem compresses it again, even though the apparent size is unchanged.
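An added example (not the project's own code) modelling the scheme described on these slides: the host is compressed and a stub prepended so that the apparent size stays the same, and zlib stands in for the compression enabled filesystem's codec. The host bytes and the stub are constructed; the detection rule flags a file whose apparent size is unchanged while its compressed on-disk size has moved.

```python
import zlib

# Constructed host program: repetitive bytes, so it compresses well (an assumption for
# the example; real executables compress less, but still noticeably).
ORIGINAL = b"MZ" + b"\x00" * 2000 + b"A" * 2000
# Constructed stand-in for the prepended virus code (512 bytes that barely compress).
VIRUS_STUB = bytes(range(256)) * 2


def apparent_size(data):
    """Size an application sees when it asks for the file length."""
    return len(data)


def on_disk_size(data):
    """Size a compression enabled filesystem would store; zlib stands in for the FS codec."""
    return len(zlib.compress(data, 9))


def infect(original, stub):
    """Scheme from the slides: compress the host, prepend the stub, keep the total size equal."""
    packed = zlib.compress(original, 9)
    body = stub + packed
    assert len(body) <= len(original), "host too small to hide the stub in"
    return body + b"\x00" * (len(original) - len(body))  # filler keeps apparent size equal


def unpack(infected, stub_len):
    """What the stub does at run time: decompress the host so it can be executed."""
    d = zlib.decompressobj()
    return d.decompress(infected[stub_len:])   # trailing filler lands in d.unused_data


def size_change_only_on_disk(before, after):
    """Detection rule: apparent size unchanged but the filesystem's compressed size differs."""
    return (apparent_size(before) == apparent_size(after)
            and on_disk_size(before) != on_disk_size(after))
```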