1 / 19

Virus Scanners

Dr. Richard Ford rford@fit.edu. Virus Scanners. What are we going to talk about?. Szor 11 Virus Scanners – how they work, why they matter, how to write one…. Virus Scanners. Look for “known” viruses Basically, used to look for hex strings in files

anne
Download Presentation

Virus Scanners

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Dr. Richard Ford rford@fit.edu Virus Scanners

  2. What are we going to talk about? • Szor 11 • Virus Scanners – how they work, why they matter, how to write one…

  3. Virus Scanners • Look for “known” viruses • Basically, used to look for hex strings in files • Virus writers tried to make this more difficult… (as we saw last week)

  4. Types of Scanner • Generic/Specific • On-demand, on-access

  5. First-Generation Scanners • Look for an extracted sequence of bytes • Skill required to select a signature which won’t cause false positives!

  6. Problems with Strings… • Exact identification… • How about boot sector virus detection? • Sometimes we have data in the string… so we have to use a wildcard • 0400 B801 020E 07BB ??02 %3 33C9 • Can be Boyer-Moore… • http://en.wikipedia.org/wiki/Boyer-Moore_string_search_algorithm

  7. “Generic” Strings • Try and pick a string which handles all variants of a virus… • Ideally, can detect variants we don’t know about • (but of course, the badguys have scanners too…)

  8. Bookmarks • Store relative offset of the string • Helps with identification • Can also “bookmark” the location in a sector

  9. “Top and Tail” Scanning • Most viruses only really modify the start/end of a host • So, you can speed up a string scanner by only scanning the “top and tail” of the file • Problem is…

  10. Entry-Point Scanning • Use the COM entry/jmp point to work out where to scan • Use offsets in the EXE header • Use “fixed point” scanning (take an entry point of M, and scan at M+X for a string…)

  11. Hyperfast Disk Access • Don’t have to use DOS to access the disk • Can use the BIOS and skip past the DOS niceties • Also bypasses stealth on Int 21h

  12. Second-generation Scanners • Smart scanning (ignore NOPs in a signature) • Leads to the idea of Skeleton Detection (get rid of whitespace/deadspace)

  13. Exact Identification • How?

  14. Algorithmic Scanning • Not a very good name • Means “virus-specific detection algorithm” • Hard-coded detection methods released with the scan engine • Lead to “virus scanning language” • Ultimately, Java (!) like p-code

  15. Filtering • As algorithmic scanning is expensive, needs a good pre-filter • Rule: be fast on clean files! • “Quick and dirty” rule out • Number of 0’s at the file end • Look for the types on certain segments • Check file characteristics • Why? Zmist requires 2 million p-code-based iterations!

  16. X-Ray Scanning • Most viruses have very simple encryption – say, constant XOR • Can “decrypt” top and tail of files for all possible keys and use a simple signature on the remainder… • Gives access to unencrypted virus, allowing for repair • Side benefit… detects “broken” decryption loops

  17. Code Emulation • Implement an emulator for instructions! • Code optimization?

  18. Metamorphic Detection… • Hard! • Geometric Detection • Focus on “interesting” instructions • Negative and Positive features • Emulator-based heuristics • Long list of Win32 Heuristics • Neural networks…

  19. Next… • Some revision and recap time to prepare for our midterm!

More Related