Malware Classification And Detection Matt Banick
Malware – A Brief Introduction • Broad Definition: “Let us take the easy one first. "Malware" is short for malicious software and is typically used as a catch-all term to refer to any software designed to cause damage to a single computer, server, or computer network, whether it's a virus, spyware, et al.” (1)
Classification • How to classify malware? • By kind: Trojan, virus, worm, spyware, etc. • By level of compromise? • By security classification? • This talk uses degree of OS compromise: what the malware changes in the running system, and which security property is compromised
Malware Classification Levels • "Stealth" Malware Taxonomy (Joanna Rutkowska) • Re-defines malware by what it modifies: the OS kernel, security applications, other processes • Four types (0-3) • The numbering is not a severity ranking: it describes what is modified, not how much damage is done
Type 0: Playing By The Rules • OS, security processes and other processes are left unmodified • Uses only documented ("legal") APIs, e.g. a user-mode program that simply does something malicious • Still a threat! Nothing in the system is changed, so integrity checks see nothing; only behaviour gives it away
Type 1: Constant No More • Malware changes data that should be constant after boot: kernel code, system call or interrupt tables, code sections of other processes • A true "system compromise" • Because the correct value is known in advance, the change can be detected by comparing the resource against a known-good baseline
Type 2: Data Compromise • Malware changes "dynamic" parts of the system: kernel data and function pointers that legitimately change at run time (e.g. unlinking its own process object from the kernel's process list) • Similar to Type 1 in effect, but there is no fixed baseline to compare against, so detection has to cross-check two views of the same data
Type 3: The End of Times? • Similar to Type 0.. in a way: nothing inside the OS is modified • Instead the malware takes control below the OS, in a hypervisor (Blue Pill) • Integrity checks run inside the guest see a clean system
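As an added example (not code from the slides or from Rutkowska's paper), the following toy model shows why Type 1 and Type 2 compromises need different detectors: a constant resource can be compared against a known-good hash, while a dynamic structure can only be cross-checked against a second view. The "kernel" is simulated with Python objects, and every name (SYSCALL_TABLE, Proc, hook_syscall, hide_process, detect_type1, detect_type2) is invented for this illustration.

```python
"""Added example, not code from the slides or Rutkowska's paper: a toy model
of the Type 1 / Type 2 distinction and the detector each one needs.

The 'kernel' is simulated with Python objects; all names are invented here.
"""
import hashlib

# Type 1 target: a resource that should be constant after boot.
SYSCALL_TABLE = {0: "sys_read", 1: "sys_write", 2: "sys_open", 59: "sys_execve"}


class Proc:
    """Type 2 target: a dynamic kernel object linked into the process list."""

    def __init__(self, pid, name):
        self.pid, self.name, self.next = pid, name, None


def build_process_pool(names):
    """Allocate Proc objects and link them; return every allocated object."""
    pool = [Proc(pid, name) for pid, name in enumerate(names, start=1)]
    for a, b in zip(pool, pool[1:]):
        a.next = b
    return pool


def walk_list(head):
    """What a process lister sees: follow next pointers from the list head."""
    pids, p = [], head
    while p is not None:
        pids.append(p.pid)
        p = p.next
    return pids


def table_digest(table):
    """Known-good fingerprint of a constant resource."""
    return hashlib.sha256(repr(sorted(table.items())).encode()).hexdigest()


# --- the two kinds of compromise -------------------------------------------
def hook_syscall(table, number, handler):
    """Type 1: overwrite an entry that is never supposed to change."""
    table[number] = handler


def hide_process(head, pid):
    """Type 2 (DKOM style): unlink an object from the list without freeing it."""
    prev, p = None, head
    while p is not None:
        if p.pid == pid and prev is not None:
            prev.next = p.next
            return True
        prev, p = p, p.next
    return False


# --- the two detectors -------------------------------------------------------
def detect_type1(table, baseline_digest):
    """Integrity check: compare a constant resource with its known-good hash."""
    return table_digest(table) != baseline_digest


def detect_type2(head, pool):
    """Cross-view check: objects present in the pool but absent from the list.
    Dynamic data has no baseline, so two views of it are compared instead."""
    linked = set(walk_list(head))
    return sorted(p.pid for p in pool if p.pid not in linked)


def demo():
    """Run both detectors before and after both attacks.
    Returns ((type1_before, hidden_before), (type1_after, hidden_after))."""
    table = dict(SYSCALL_TABLE)
    baseline = table_digest(table)
    pool = build_process_pool(["init", "sshd", "bash", "backdoor"])
    head = pool[0]
    before = (detect_type1(table, baseline), detect_type2(head, pool))
    hook_syscall(table, 2, "rootkit_open")   # Type 1: constant table altered
    hide_process(head, 4)                    # Type 2: 'backdoor' vanishes from the list
    after = (detect_type1(table, baseline), detect_type2(head, pool))
    # A Type 3 hypervisor rootkit changes neither table nor pool: neither
    # detector would fire, which is exactly the point of the taxonomy.
    return before, after


if __name__ == "__main__":
    print(demo())
```

The Type 1 detector is cheap and exact because the legitimate content is known up front; the Type 2 detector only works because the kernel happens to keep a second, independent view (the allocation pool) that the attacker did not also edit.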
Detection Methods • Signature-based • Heuristic-based • Others?
Signature Based • Dictionary search over the bytes of a file: compare against a list of known patterns ("signatures") • Targets the static parts of malware: constant strings and fixed code sequences • In pseudocode:
    for (Signature sig : dictionary)
        if (file.contains(sig.bytes)) report(file, sig.name);
Signature Detection Avoidance • Polymorphic viruses: the body is encrypted with a new key on every infection and only a small decryptor stays in the clear; encryption + a crafty, varying decryptor = disaster for static signatures • Code obfuscation: a war which may never end • Metamorphic viruses: a "polymorphic-polymorphic" virus that rewrites its own code each generation, so there is no constant body to decrypt and match • Obfuscation example from the slide (JavaScript): the property name is assembled at run time, so the literal never appears in the source and a string signature on it fails:
    eval('document.' + potato + '.style.color = "red"');
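As an added example covering the two preceding slides (not code from the slides), here is a minimal byte-signature scanner followed by a toy polymorphic "generation" step that defeats it, and the emulation step an engine uses to get the match back. The signature dictionary, the patterns in it, the decoder-stub format (`DECODE:key=xx;`) and the one-byte XOR cipher are all constructed for the illustration; real engines mutate the decryptor as well, which this toy does not.

```python
"""Added example, not code from the slides: a byte-signature scanner, a toy
polymorphic generation step that evades it, and emulate-then-scan.

SIGNATURES, the stub format and the XOR 'cipher' are constructed for this
illustration; the patterns are invented and are not real malware.
"""
import os

SIGNATURES = {
    "Demo.Dropper": b"cmd.exe /c echo pwned > dropped.txt",
    "Demo.Beacon": b"POST /gate.php HTTP/1.1",
}


def scan(data, signatures=SIGNATURES):
    """Signature-based detection: names of every pattern found in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def xor_encode(body, key):
    """Toy symmetric cipher: XOR every byte with a one-byte key."""
    return bytes(b ^ key for b in body)


def polymorphic_generation(body, key=None):
    """Emit a new specimen: decoder stub + body encrypted under a fresh key.

    Each generation has different bytes on disk, so a static pattern taken
    from the body never matches. (A real engine also mutates the stub.)"""
    if key is None:
        key = os.urandom(1)[0] or 0x5A   # key 0 would leave the body in the clear
    stub = b"DECODE:key=%02x;" % key       # stand-in for a real decryptor routine
    return stub + xor_encode(body, key)


def emulate_and_scan(specimen, signatures=SIGNATURES):
    """What an AV emulator does: run the decoder, then scan the decrypted body
    rather than the bytes that sit on disk."""
    header, _, encoded = specimen.partition(b";")
    key = int(header.split(b"=")[1], 16)
    return scan(xor_encode(encoded, key), signatures)


if __name__ == "__main__":
    payload = b"junk" + SIGNATURES["Demo.Dropper"] + b"more junk"
    specimen = polymorphic_generation(payload)
    print("plain:", scan(payload))
    print("on disk:", scan(specimen))
    print("after emulation:", emulate_and_scan(specimen))
```

Note what the emulator needs to know: where the stub ends and how it decodes. A polymorphic engine that also rewrites the stub on every generation takes that fixed anchor away, which is why the next defensive step is heuristic.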
Heuristic Based • Covers several different approaches • What to look for: virus-like activity, instruction oddities, file activity, network activity • Static: code review, i.e. inspect or disassemble the sample without running it • Dynamic: run the sample in an emulator or sandbox, then watch and wait...
Heuristic Troubles • False positives can be costly: user indifference (alerts get ignored), PR nightmare (e.g. the Samsung "keylogger" report that turned out to be a false positive) • Slow: dynamic analysis runs on a time budget, and malware exploits it by stalling before doing anything suspicious:
    for (a = 0; a < 5000; a++) sleep(5);   // stall until the sandbox gives up
    // random code
    some_malicious_code
    // random code
    some_more_malicious_code
    // random code
    ... etc.
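As an added example covering the two heuristic slides (not code from the slides), the following toy dynamic-heuristic engine replays a trace of API calls inside a time budget and scores it, then shows the stalling trick above defeating it and the usual countermeasure, sleep-skipping, restoring the detection. The rules, weights, threshold and both traces are constructed for the illustration and are not taken from any product.

```python
"""Added example, not code from the slides: a toy dynamic-heuristic engine,
the stalling evasion from the slide, and sleep-skipping as a countermeasure.

RULES, THRESHOLD and both traces are constructed; the weights are arbitrary.
"""
import re

# (pattern over "api argument", weight, reason)
RULES = [
    (re.compile(r"^RegSetValue .*\\CurrentVersion\\Run\\"), 3, "autorun persistence"),
    (re.compile(r"^WriteFile .*\.exe$"), 2, "drops an executable"),
    (re.compile(r"^OpenProcess lsass\.exe$"), 4, "opens lsass"),
    (re.compile(r"^connect .*:(4444|6667)$"), 3, "connects to a suspicious port"),
]
THRESHOLD = 5


def analyze(trace, budget_ms=30_000, skip_sleeps=False):
    """Score a trace of (api, argument) pairs; return (score, reasons, flagged).

    'Sleep' advances a virtual clock. Once the clock passes budget_ms the
    sandbox gives up and later events are never observed. skip_sleeps=True
    models sleep-skipping: the sandbox fast-forwards instead of waiting."""
    clock, score, reasons = 0, 0, []
    for api, arg in trace:
        if api == "Sleep":
            clock += 0 if skip_sleeps else int(arg)
            continue
        if clock > budget_ms:
            break                     # budget exhausted: the rest is invisible
        line = f"{api} {arg}"
        for pattern, weight, reason in RULES:
            if pattern.search(line):
                score += weight
                reasons.append(reason)
    return score, reasons, score >= THRESHOLD


# Constructed trace of a legitimate installer: one weak hit, under the threshold.
BENIGN_INSTALLER = [
    ("CreateFile", r"C:\Program Files\App\app.exe"),
    ("WriteFile", r"C:\Program Files\App\app.exe"),
    ("connect", "updates.example.com:443"),
]

# Constructed trace of the slide's evasion: stall, then misbehave after the
# sandbox has given up (ten 5-second sleeps against a 30-second budget).
STALLING_SAMPLE = [("Sleep", "5000")] * 10 + [
    ("WriteFile", r"C:\Users\u\AppData\Roaming\svc.exe"),
    ("RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ("connect", "198.51.100.7:4444"),
]


if __name__ == "__main__":
    print("installer:", analyze(BENIGN_INSTALLER))
    print("staller, naive sandbox:", analyze(STALLING_SAMPLE))
    print("staller, sleep-skipping:", analyze(STALLING_SAMPLE, skip_sleeps=True))
```

The installer scores 2 for writing an executable, which is normal for an installer; had it also registered a Run key it would have reached 5 and been flagged, which is exactly how the false positives on the slide arise. The staller scores 0 under a naive budget because every interesting call happens after the sandbox stopped looking; with sleeps skipped it scores 8.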
User Based • Ask what "should" occur: does an observed action (e.g. an outbound connection) follow from something the user actually did? • Emerging research • Math based (in a way...): correlate system or network events with preceding user input • Problems: dynamic web pages generate traffic with no user action; the analysis is costly; legitimate background processes have to be white-listed, and every white-list entry is a blind spot
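As an added example (not code from the slides or from the cited papers), the following correlates outbound connections with preceding user input: a connection is treated as user-intended if it follows keyboard or mouse activity within a short window or comes from a white-listed process, and is flagged otherwise. The event log, the window, the white-list and the optional "host already visited" rule that absorbs dynamic-page polling are all constructed here; the last rule illustrates the trade-off the slide mentions rather than any specific published scheme.

```python
"""Added example, not code from the slides or the cited papers: flag outbound
connections that no user action explains.

EVENTS, WINDOW_S, WHITELIST and the 'remember_hosts' rule are constructed
for this illustration.
"""

WINDOW_S = 2.0                                   # user input must precede within 2 s
WHITELIST = {"svchost.exe", "update_agent.exe"}  # background processes we trust

# Constructed event log: (time_s, kind, detail).
# kind 'input' -> detail is the input type; kind 'connect' -> (process, host:port).
EVENTS = [
    (0.0, "input", "click"),
    (0.4, "connect", ("firefox.exe", "news.example.com:443")),
    (1.0, "input", "key"),
    (1.3, "connect", ("firefox.exe", "cdn.example.com:443")),
    (15.0, "connect", ("update_agent.exe", "updates.example.com:443")),
    (31.0, "connect", ("firefox.exe", "news.example.com:443")),       # page polls itself
    (40.0, "connect", ("winlogon_helper.exe", "198.51.100.7:6667")),  # unattended beacon
]


def classify(events, window_s=WINDOW_S, whitelist=WHITELIST, remember_hosts=False):
    """Split outbound connections into user-intended and suspicious.

    Returns (intended, suspicious): intended entries are (t, proc, dst, why),
    suspicious entries are (t, proc, dst). With remember_hosts=True a host
    the user already reached intentionally stays allowed for the session,
    which tolerates AJAX polling at the cost of missing abuse of that host."""
    last_input, intended_hosts = None, set()
    intended, suspicious = [], []
    for t, kind, detail in sorted(events, key=lambda e: e[0]):
        if kind == "input":
            last_input = t
            continue
        proc, dst = detail
        host = dst.rsplit(":", 1)[0]
        if proc in whitelist:
            intended.append((t, proc, dst, "whitelisted process"))
        elif last_input is not None and 0 <= t - last_input <= window_s:
            intended.append((t, proc, dst, "follows user input"))
            intended_hosts.add(host)
        elif remember_hosts and host in intended_hosts:
            intended.append((t, proc, dst, "host already visited by the user"))
        else:
            suspicious.append((t, proc, dst))
    return intended, suspicious


if __name__ == "__main__":
    for remember in (False, True):
        _, flagged = classify(EVENTS, remember_hosts=remember)
        print(f"remember_hosts={remember}:", flagged)
```

Without the host memory the page's own polling at t=31 is a false positive, the "dynamic web pages" problem from the slide; with it the poll is absorbed but the IRC-port beacon from the unattended helper is still caught, because neither user input nor a previously visited host explains it.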
References
• (1) Microsoft TechNet, malware definition: http://technet.microsoft.com/en-us/library/dd632948.aspx
• Sony Rootkit: http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx
• Polymorphic Viruses: http://www.symantec.com/avcenter/reference/striker.pdf
• Obfuscation: http://delivery.acm.org/10.1145/1780000/1772720/p281-cova.pdf?key1=1772720&key2=0800233031&coll=DL&dl=ACM&ip=129.244.189.101&CFID=17197576&CFTOKEN=85746334
• Metamorphic Viruses: http://www.symantec.com/avcenter/reference/hunting.for.metamorphic.pdf
• RDA decryption engines and other info: http://docs.google.com/viewer?a=v&q=cache:p2XzCVP51GQJ:www.waset.org/journals/waset/v34/v34-45.pdf+RDA+decryption+engines&hl=en&gl=us&pid=bl&srcid=ADGEESj7KEkEBTkeJ5ydlcAafATSGutwPlsjA8mzG6d_bsnAkUbeOoZSnfe6BIGNC4ffQZpacWFGzeKWhsH8JMn7LkYdfCwOd2q-VkDn-yvrunTVfM4CSQOO1xui6uB3DUgEBc3mX_n3&sig=AHIEtbQu67h41KBkC3HjISYFceSrQFQZUQ
• Samsung Issue: http://www.thetechherald.com/article.php/201113/6997/Samsung-keylogger-fears-based-on-false-positives
• Heuristic Basics: http://vx.netlux.org/lib/static/vdat/epheurs1.htm
• More Heuristics (Dynamic): http://service1.symantec.com/legal/publishedpatents.nsf/0/4b4a30633137923b88256df7005d6b5d/$FILE/United%20States%20Patent%206,357,008.htm
• User-based detection: http://otc.rutgers.edu/pdf/Yao-09-046.pdf
• User-based detection (cont.): http://people.cs.vt.edu/danfeng/papers/paper106_icics2009.pdf
• Blue Pill wrap-up: http://securitywatch.eweek.com/showdown_at_the_blue_pill_corral.html