190 likes | 392 Views
Dr. Richard Ford rford@fit.edu. Virus Scanners. What are we going to talk about?. Szor 11 Virus Scanners – how they work, why they matter, how to write one…. Virus Scanners. Look for “known” viruses Basically, used to look for hex strings in files
E N D
Dr. Richard Ford rford@fit.edu Virus Scanners
What are we going to talk about? • Szor 11 • Virus Scanners – how they work, why they matter, how to write one…
Virus Scanners • Look for “known” viruses • Basically, used to look for hex strings in files • Virus writers tried to make this more difficult… (as we saw last week)
Types of Scanner • Generic/Specific • On-demand, on-access
First-Generation Scanners • Look for an extracted sequence of bytes • Skill required to select a signature which won’t cause false positives!
Problems with Strings… • Exact identification… • How about boot sector virus detection? • Sometimes we have data in the string… so we have to use a wildcard • 0400 B801 020E 07BB ??02 %3 33C9 • Can be Boyer-Moore… • http://en.wikipedia.org/wiki/Boyer-Moore_string_search_algorithm
“Generic” Strings • Try and pick a string which handles all variants of a virus… • Ideally, can detect variants we don’t know about • (but of course, the badguys have scanners too…)
Bookmarks • Store relative offset of the string • Helps with identification • Can also “bookmark” the location in a sector
“Top and Tail” Scanning • Most viruses only really modify the start/end of a host • So, you can speed up a string scanner by only scanning the “top and tail” of the file • Problem is…
Entry-Point Scanning • Use the COM entry/jmp point to work out where to scan • Use offsets in the EXE header • Use “fixed point” scanning (take an entry point of M, and scan at M+X for a string…)
Hyperfast Disk Access • Don’t have to use DOS to access the disk • Can use the BIOS and skip past the DOS niceties • Also bypasses stealth on Int 21h
Second-generation Scanners • Smart scanning (ignore NOPs in a signature) • Leads to the idea of Skeleton Detection (get rid of whitespace/deadspace)
Exact Identification • How?
Algorithmic Scanning • Not a very good name • Means “virus-specific detection algorithm” • Hard-coded detection methods released with the scan engine • Lead to “virus scanning language” • Ultimately, Java (!) like p-code
Filtering • As algorithmic scanning is expensive, needs a good pre-filter • Rule: be fast on clean files! • “Quick and dirty” rule out • Number of 0’s at the file end • Look for the types on certain segments • Check file characteristics • Why? Zmist requires 2 million p-code-based iterations!
X-Ray Scanning • Most viruses have very simple encryption – say, constant XOR • Can “decrypt” top and tail of files for all possible keys and use a simple signature on the remainder… • Gives access to unencrypted virus, allowing for repair • Side benefit… detects “broken” decryption loops
Code Emulation • Implement an emulator for instructions! • Code optimization?
Metamorphic Detection… • Hard! • Geometric Detection • Focus on “interesting” instructions • Negative and Positive features • Emulator-based heuristics • Long list of Win32 Heuristics • Neural networks…
Next… • Some revision and recap time to prepare for our midterm!