introduction to software security malwaresecuresw.dankook.ac.kr › iss19-1 ›...

Seong-je Cho

Spring 2019

Computer Security & Operating Systems Lab, DKU

Introduction to Software Security

Malware(Chapter 11)

- 2 -

Sources / References

Textbook

N. Vlajic, CSE 3482: Introduction to Computer Security, Yorku

Nicholas Weaver, Computer Science 161: Computer Security, Berkeley

Myrto Arapinis, Computer Security: INFRA10067, University of Edinburgh

UFL_EDU 2015, Ch04-Malware: “Malware: Malicious Software”

Please do not duplicate and distribute

Computer Security & OS Lab, DKU

- 3 -

Contents

Malware

Malicious Software = Malicious Code

Types of Malware

Virus

Worm

Malware Detection

Signature/Change/Anomaly based Detection

New Trends of Malware

Do You Trust Software?

Smartphone app, Anti-malware software, DBMS, Compiler, OS/Kernel, Boot loader…


- 4 -

Malicious Software

Malware

any software program designed to cause harm to a computer system or designed to frustrate the user experience.

Fred Cohen’s initial virus work in 1980’s Used viruses to break the MLS (multi-level security) systems of the time

Types of malware (lots of overlap) Virus passive propagation

Worm active propagation

Trojan horse unexpected functionality

Trapdoor/backdoor unauthorized access

Rabbit exhaust system resources can implemented by virus, warm …


- 5 -

Viruses, Worms, Trojans, Rootkits

Malware can be classified into several categories, depending on

propagation and concealment

Propagation

Virus: human-assisted propagation (e.g., open email attachment)

Modifies existing file, program, library, boot block, etc.

Worm: automatic propagation without human assistance

Stand-alone program

Concealment

Rootkit: modifies operating system to hide its existence

Trojan: provides desirable functionality but hides malicious operation

Various types of payloads, ranging from annoyance to crime


- 6 -

Malware Timeline

In 1982, high-school student Rich Skrenta wrote first virus released in the wild: Elk Cloner, a boot sector virus

First academic use of term virus by PhD student Fred Cohen in 1984, who credits advisor Len Adleman with coining it

(c)Brain, by Basit and Amjood Farooq Alvi in 1986, credited with being the first virus to infect PCs Brain virus

Morris worm (1988)

Code Red worm (2001)

SQL Slammer worm (2004)

Future of malware?


- 7 -

Computer Viruses

• A virus is an obligate parasite

• A computer virus is computer code that can replicate itself by modifying other files or programs to insert code that is capable of further replication.

• Self-replication into existing files/programs is what distinguishes computer viruses from other kinds of malware, such as logic bombs.

• Another distinguishing property of a virus is that replication requires some type of user assistance, such as clicking on an email attachment or sharing a USB drive – the infected file is opened.


- 8 -

Brain Virus

First appeared in 1986 More annoying than harmful

Brain did nothing malicious Not much reaction by users

A prototype for later viruses

What it did1. Placed itself in boot sector (and other places)2. Screened disk calls to avoid detection3. Each disk read, checked boot sector to see if boot sector

infected; if not, goto 1

Screen: = check (적절한지)확인하다[거르다], 가려내다. I use my answerphone to screen my phone calls.


- 9 -

Virus Phases

• Dormant phase. During this phase, the virus just exists—the virus is laying low and avoiding detection.

• Propagation phase. During this phase, the virus is replicating itself, infecting new files on new systems.

• Triggering phase. In this phase, some logical condition causes the virus to move from a dormant or propagation phase to perform its intended action.

• Action phase. In this phase, the virus performs the malicious action that it was designed to perform, called payload. – This action could include something seemingly innocent, like displaying a

silly picture on a computer’s screen, or something quite malicious, such as deleting all essential files on the hard drive.


- 10 -

Where do Viruses live?

Boot sector Take control before anything else

Memory resident Stays in memory – Rebooting system can remove the virus out

Applications, macros, data, etc.

Library routines

Compilers, debuggers, virus checker, etc. These are particularly nasty!


- 11 -

Virus Infection Types

• Overwriting

– Destroys original code

• Pre-pending

– Keeps original code, possibly

compressed

• Infection of libraries

– Allows virus to be memory

resident

– E.g., kernel32.dll

• Macro viruses

– Infects MS Office documents

– Often installs in main document

template


original code

virus

compressedvirus

virus

original code

- 12 -

Degrees of Complication• Viruses have various degrees of complication in how they can insert

themselves in computer code.


- 13 -

Concealment

• Encrypted virus

– Decryption engine + encrypted body

– Randomly generate encryption key

– Detection looks for decryption engine

• Polymorphic virus (다형성)

– Encrypted virus with random variations of the decryption engine (e.g.,

padding code)

– Detection using CPU emulator

• Metamorphic virus (변성)

– Different virus bodies

– Approaches include code permutation and instruction replacement

– Challenging to detect


- 14 -

Polymorphic Malware

The first responses of virus writers to avoid signature detection

Polymorphism loosely means: “change the appearance of”

Polymorphic malware is (usually) encrypted Data appending / Data pre-pending can be used too

New key is used each time malware propagates

The purpose of encryption is for masking

The encryption is weak (repeated XOR)

Malware body has no fixed signature

Malware must include code to decrypt itself

Signature detection searches for decrypt code

Detectable by signature-based method

Though more challenging than non-polymorphic…

That is, there are limitations:

The decrypted code is essentially the same in each case, thus memory based signature detection is possible


- 15 -

Metamorphic Malware

“automatically recodes itself each time it propagates or is distributed”

Simple techniques include:

Adding varying lengths of NOP instructions

Permuting use registers

Adding useless instructions and loops within the code segments

Advanced techniques include:

Function reordering

Program flow modification

Static data structure modification

Reordering structures

Inserting unused data types


- 16 -

Metamorphic Malware

Limitations

Identification of Morphing Engine

Code semantics

Behavior

Automated code identification and analysis of memory snapshots or analysis of swap space remnants


Morphing Engine ComponentsMetamorphic Structure

Insider Attacks, Backdoors, Logic Bombs


- 18 -

Insider Attacks & Backdoors

Insider Attacks

An insider attack is a security breach that is caused or facilitated by someone who is a part of the very organization that controls or builds the asset that should be protected.

In the case of malware, an insider attack refers to a security hole that is created in a software system by one of its programmers.

Backdoors, Logic bombs, …

Backdoors

A backdoor, which is also sometimes called a trapdoor, is a hidden feature or command in a program that allows a user to perform actions he or she would not normally be allowed to do.

But if the hidden feature is activated, the program does something unexpected, often in violation of security policies, such as performing a privilege escalation.

Benign example: Easter Eggs in DVDs and software


- 19 -

Logic Bombs

• A logic bomb is a program that performs a malicious action as a result of a certain logic condition.

• The classic example of a logic bomb is a programmer coding up the software for the payroll system who puts in code that makes the program crash should it ever process two consecutive payrolls without paying him.

• Another classic example combines a logic bomb with a backdoor, where a programmer puts in a logic bomb that will crash the program on a certain date (i.e., a time bomb).


- 20 -

The Omega Engineering Logic Bomb

• An example of a logic bomb that was actually triggered and caused damage is one that programmer Tim Lloyd was convicted of using on his former employer, Omega Engineering Corporation.

• On July 31, 1996, a logic bomb was triggered on the server for Omega Engineering’s manufacturing operations, which ultimately cost the company millions of dollars in damages and led to it laying off many of its employees.

The Omega Bomb Code

The Logic Behind the Omega Engineering Time Bomb included the following strings:

• 7/30/96 - Event that triggered the bomb

• F: - Focused attention to volume F, which had critical files

• F:\LOGIN\LOGIN 12345 - Login a fictitious user, 12345 (the back door)

• CD \PUBLIC - Moves to the public folder of programs

• FIX.EXE /Y F:\*.* - Run a program, called FIX, which actually deletes everything

• PURGE F:\/ALL - Prevent recovery of the deleted files


- 21 -

Logic Bomb / Time Bomb

In 1986 Donald Gene Burleson told employer to stop withholding taxes from his paycheck

His company refused

He planned to sue his company He used company computer to prepare legal docs

Company found out and fired him

Burleson had been working on a malware…

After being fired, his software “time bomb” deleted important company data

Company was reluctant to pursue the case

So Burleson sued company for back pay!

Then company finally sued Burleson

In 1988 Burleson fined $11,800

Took years to prosecute

Cost thousands of dollars to prosecute

Resulted in a slap on the wrist

One of the first computer crime cases

Many cases since follow a similar pattern

Companies often reluctant to prosecute


http://www.internetwright.com/drp/RiskAssess.htm

- 22 -

Defenses against Insider Attacks

• Avoid single points of failure.

• Use code walk-throughs.

• Use archiving and reporting tools.

• Limit authority and permissions.

• Physically secure critical systems.

• Monitor employee behavior.

• Control software installations.


Computer Worms


- 24 -

Computer Worms• A computer worm is a malware program that spreads copies of itself without

the need to inject itself in other programs, and usually without human interaction.

• Thus, computer worms are technically not computer viruses (since they don’t infect other programs), but some people nevertheless confuse the terms, since both spread by self-replication.

• In most cases, a computer worm will carry a malicious payload, such as deleting files or installing a backdoor.

• Early History

• First worms built in the labs of John Shock and Jon Hupp at Xerox PARC in the early 80s

• The first internet worm was the Morris Worm, written by Cornell student Robert Tappan Morris and released on November 2, 1988


- 25 -

Worm Development


• Identify vulnerability still unpatched

• Write code for

– Exploit of vulnerability

– Generation of target list

• Random hosts on the internet

• Hosts on LAN

• Divide-and-conquer

– Installation and execution of payload

– Querying/reporting if a host is infected

• Initial deployment on botnet

• Worm template

– Generate target list

– For each host on target list

• Check if infected

• Check if vulnerable

• Infect

• Recur

• Distributed graph search

algorithm

– Forward edges: infection

– Back edges: already infected or

not vulnerable

- 26 -

Morris Worm – 1/4

• Robert Morris – Cornell U. grad student (escape 1988.11.02)

• Find target hosts

– /etc/hosts file

– .rhost

– hosts.equiv

• at random, Gain access to machine using

– symmetry of trust (.rhost, hosts.equiv)

– common user accounts/passwords

– password guessing/cracking

– fingerd buffer overflow

– sendmail misconfiguration (DEGUG mode)

• In debug mode, the worm can send a command string, in place of dest address

• The Worm

- Led to resource exhaustion

- Adverse effect was like a so-called rabbit


- 27 -

Morris Worm – 2/4

The worm (consists of two parts)

a 99-line bootstrap loader written in the C language, plus

a large relocatable object file that comes in VAX and Sun-3 flavors

Launch Grappling Hook (bootstrap loader)

99 lines of C code transferred and compiled on target (victim)

could run on many kinds of hosts

given one-time password used to authenticate itself to source machine

Victim even authenticated the sender!

fetch rest of worm from source machine to target -

remove traces if any errors

compile, link, load and execute

Could only run on DEC Vax/4BSD and Sun-3 machines


- 28 -

Morris Worm – 3/4

Hide (How to remain undetected?)

use of one-time password for grappling hook

encrypt memory-resident copy

Code was encrypted when downloaded

delete all files once in memory

If transmission of the worm was interrupted, all code was deleted

Downloaded code was deleted after decrypting and compiling

change name of program periodically

change PID periodically

When running, the worm regularly changed its name and process identifier (PID)

exit before running for too long

(note: this make cracking attempts limited per worm)


- 29 -

Morris Worm – 4/4

Essentially shut down many university computing facilities (Vax and Sun-3s) (“estimate” of 6000), cost estimation by GAO of $100,000 - $10,000,000

Ad hoc response teams formed (CMU, Purdue, etc)

First prosecution under 1986 Computer Fraud and Abuse Act

Lead to formation of CERT (Computer Emergency Response Team)

Failures of Morris Worm

Re-infected same host multiple times

Clogged up process table and network

Failures of Internet admins and users

Admins did not patch fingerd

Sendmail configuration interface was horrible

No secure login capabilities available

User passwords were pretty weak

No mechanisms in place for coordination, etc.


- 30 -

Worm Propagation

Worms propagate by finding and infecting vulnerable hosts.

They need a way to tell if a host is vulnerable

They need a way to tell if a host is already infected.


initial infection

- 31 -

Code Red Worm

Appeared in July 2001

Infected more than 250,000 systems in about 10 ~ 15 hours

In total, infected 750,000 out of 6,000,000 susceptible systems

To gain access to a system, exploited buffer overflow in Microsoft IIS server software

Then monitored traffic on port 80 looking for other susceptible servers

What it did

Day 1 to 19 of month: tried to spread infection

Day 20 to 27: distributed denial of service (DDOS) attack on www.whitehouse.gov

Later versions (several variants)

Included trapdoor for remote access to infected system

Rebooted to flush worm, leaving only trapdoor

Has been claimed that Code Red may have been “beta test for information warfare”


- 32 -

SQL Slammer Worm

Infected 250,000 systems in 10 minutes!

Code Red took 15 hours to do what Slammer did in 10 minutes

At its peak, Slammer infections doubled every 8.5 seconds

Slammer spread too fast

“Burned out” available bandwidth


Why was Slammer so successful?

Worm fit in one 376 byte UDP packet

Firewalls often let small packet thru, assuming it could do no harm by itself

Then firewall monitors the connection

Expectation was that much more data would be required for an attack

Slammer defied assumptions of “experts”

Y 축: 트래픽, 초당 1백만패킷

Other Malware


- 34 -

Trojan Horses – 1/3

A Trojan horse (or Trojan) is a malware program that appears to perform some useful task, but which also does something with negative consequences (e.g., launches a keylogger).

Trojan horses can be installed as part of the payload of other malware but are often installed by a user or administrator, either deliberately or accidentally.


- 35 -


A Trojan has unexpected function

Prototype of Trojan for the Mac

Example

File icon for freeMusic.mp3:

For a real mp3, double click on icon

iTunes opens

Music in mp3 file plays

But for freeMusic.mp3, unexpected results…

Double click on freeMusic.mp3

iTunes opens (expected)

“Wild Laugh” (probably not expected)

Message box (unexpected)

A wolf in sheep’s clothing


- 36 -


How does freeMusic.mp3 trojan work?

This “mp3” is an application, not data!

This Trojan is harmless,

but… Trojan could have done anything user can do delete files, download files, launch apps, etc.


- 37 -

Definitions of Terms in 2003

[source] Separating Trojan Horses, Viruses, and Worms - A Proposed Taxonomy of Software Weapons, Martin Karresand

Virus:

A self-replicating program.

Some definitions also add the constraint that it has to attach itself to a host program to be able to replicate

Worm:

Also a self-replication program, which does not need another program to be able to replicate but instead is a stand alone program.

The difference between a worm and a virus is often said to be the way they replicate, worms replicate over network connections, while viruses replicate on the host computer.

Trojan horse:

A program performing for the user unknown and unwanted actions, while at the same time posing as a legitimate program.


- 38 -

Definitions of Terms in 2003

[source] Separating Trojan Horses, Viruses, and Worms - A Proposed Taxonomy of Software Weapons, Martin Karresand


- 39 -

Rootkits

• A rootkit modifies the operating system to hide its existence

– E.g., modifies file system exploration utilities

– Hard to detect using software that relies on the OS itself

• RootkitRevealer

– By Bryce Cogswell and Mark Russinovich (Sysinternals)

– Two scans of file system

– High-level scan using the Windows API

– Raw scan using disk access methods

– Discrepancy reveals presence of rootkit

– Could be defeated by rootkit that intercepts and modifies results of raw scan

operations


- 40 -

Malware Zombies Malware can turn a computer in to a zombie, which is a machine that is

controlled externally to perform malicious attacks, usually as a part of a botnet.


Botnet Controller (Attacker)

Victim

Botnet:

Attack Commands

Attack Actions

- 41 -

Professional Malware

Growth in professional cybercrime

and online fraud has led to demand

for professionally developed

malware

New malware is often a custom-

designed variations of known

exploits, so the malware designer

can sell different “products” to

his/her customers.

Like every product, professional

malware is subject to the laws of

supply and demand.

Recent studies put the price of a

software keystroke logger at $23 and

a botnet use at $225.Computer Security & OS Lab, DKU

Image by User:SilverStar from http://commons.wikimedia.org/wiki/File:Supply-demand-equilibrium.svg used by permission under the Creative Commons Attribution ShareAlike 3.0 License

- 42 -

Adware


Adware software payload

Adware engine infects a user’s computer

Computer user

Adware agent

Adware engine requests advertisementsfrom adware agent

Advertisers

Advertisers contract withadware agent for content

Adware agent deliversad content to user

- 43 -

Spyware


Spyware software payload

1. Spyware engine infects a user’s computer.

Computer user

Spyware data collection agent

2. Spyware process collectskeystrokes, passwords, and screen captures.

3. Spyware processperiodically sendscollected data tospyware data collectionagent.

Malware Detection

Malware Countermeasures


- 45 -

Malware Detection

Three common methods

Signature detection 흔적탐지 (패턴매칭)

Change detection 변경탐지

Anomaly detection 비정상탐지 (이상탐지)

For signature detection & change detection, cryptographic hash functions can be used

We’ll briefly discuss each of these

And consider advantages and disadvantages of each


- 46 -

Signatures: A Malware Countermeasure

• Scan compare the analyzed object with a database of signatures

• A signature is a string of bits found in software (or could be a hash value)

• A signature is a virus (etc.) fingerprint

– E.g., a string with a sequence of instructions specific for each virus (etc.)

– Different from a digital signature

• A file is infected if there is a signature inside its code

– Fast pattern matching techniques to search for signatures

• All the signatures together create the malware database that usually is proprietary

Suppose that a virus has signature 0x23956a58bd910345

We can search for this signature in all files


- 47 -

Malware Signature

Brain Virus

The virus marks the six disk sectors as faulty, so that OS may not use them.

Signature: in 5th and 6th bytes of the file, it stores 1234 ( HEX ).

Action : with every disk read, it examines the file for its signature.

If it is not there, it infects the file.

Signature of another malware


- 48 -

Malware Signature

Example of simple code obfuscation


- 49 -

Signatures Database

• Common Malware Enumeration (CME)

– aims to provide unique, common identifiers to new virus threats

– Hosted by MITRE

– http://cme.mitre.org/data/list.html

• Digital Immune System (DIS)

– Automatically create new signatures


http://cme.mitre.org/data/list.html

- 50 -

Signature Detection

If we find the signature, are we sure we’ve found the virus?

No, same signature could appear in other files

But at random, chance is very small: 1/264

Software is not random, so probability is higher

Advantages Effective on “traditional” malware

Minimal burden for users/administrators

Disadvantages Signature file can be large (10,000’s)…

…making scanning slow

Signature files must be kept up to date

Cannot detect unknown viruses

Cannot detect some new types of malware

By far the most popular detection method!


- 51 -

Hash Values Comparison Example


Source:

Check against contamination of critical information

http://i.cs.hku.hk/cisc/projects/va/contam_index.html

http://i.cs.hku.hk/cisc/projects/va/contam_index.html

- 52 -

Change Detection

Viruses must live somewhere on system

If we detect that a file has changed, it may be infected

How to detect changes? Hash files and (securely) store hash values

Re-compute hashes and compare

If hash value changes, file might be infected

Advantages

Virtually no false negatives

Can even detect previously unknown malware

Disadvantages

Many files change and often

Many false alarms (false positives)

Heavy burden on users/administrators

If suspicious change detected, then what?

Might still need signature-based system


- 53 -

Tripwire Maintain database of cryptographic hashes for

Operating system files

Popular applications

Known infected files

Compute hash of each file

Look up into database

Need to protect the integrity of the database


- 54 -

Anomaly Detection – 1/3

Monitor system for anything “unusual” or “virus-like” or potentially malicious

What is unusual?

Files change in some unusual way

System misbehaves in some way

Unusual network activity

Unusual file access, etc.

But must first define “normal”

And normal can change!


- 55 -


Steps

• Feature selection – what to

measure

• Feature reduction – space too big

• Training – what is “normal”?

• Training – what is known bad?

• Classification – separate bad from

good

• Anomaly detection – NOT known

to be good


Issues

• Feature space is too big

• Getting clean training sets

• What is normal changes over time

• False positive rate

Behavior ofknown attacks

Normalobserved

Behavior space

unobserved

- 56 -


Advantages Chance of detecting unknown malware

Disadvantages Unproven in practice

Attacker can make anomaly look normal

Must be combined with another method (such as signature detection)

Also popular in intrusion detection (IDS)

A difficult unsolved (unsolvable?) problem! As difficult as AI?


- 57 -

Quiz

What are the similarities and differences between virus and worm?

What kinds of executable file formats are there?

MS Windows: ?, Linux: ?, Android: ?, iOS: ?

What is malware analysis?

What is static analysis technique for malware detection?

What is dynamic analysis technique for malware detection?

What are the main differences between static analysis and dynamic analysis?

How do you create a unique signature for malware detection?

Is it OK to run a malicious code on bare machine?

What are the common evasive techniques used by malware to avoid anti-malware detection?

What do you do to be a malware analyst?Computer Security & OS Lab, DKU

- 58 -

Heuristic Analysis

• Useful to identify new and “zero day” malware

• Code analysis

– Based on the instructions, the antivirus can determine whether or not the program is

malicious, i.e., program contains instruction to delete system files,

• Execution emulation

– Run code in isolated emulation environment

– Monitor actions that target file takes

– If the actions are harmful, mark as virus

• Heuristic methods can trigger false alarms


- 59 -

Static vs. Dynamic Analysis


Static Analysis

• Checks the code without trying to execute it

• Quick scan in white list

• Filtering: scan with different antivirus and check if they return same result with different name

• Weeding: remove the correct part of files as junk to better identify the virus

• Code analysis: check binary code to understand if it is an executable, e.g., PE (www.heaventools.com)

• Disassembling: check if the byte code shows something unusual

Dynamic Analysis

• Check the execution of codes inside a

virtual sandbox

• Monitor

– File changes

– Registry changes

– Processes and threads

– Networks ports

http://www.heaventools.com/

Anti-Malware SW

Anti-Virus SW (AV SW):

V3, ALYac, ViRobot, Kaspersky, Norton, …


- 61 -

Anti-malware

What is anti-malware?

How does anti-malware work?

Why should we know types of malware?

Why should anti-virus program distinguish the unique types of malware from each other?

Why is malware family classification important?


- 62 -

Shield vs. On-demand


• Shield– Background process

(service/daemon)

– Scans each time a file is touched (open, copy, execute, etc.)

On-demand• Scan on explicit user request

or according to regular schedule

• On a suspicious file, directory, drive, etc.

Performance test of scan techniqueso Comparative: check the number of already known viruses that are

found and the time to perform the scan

o Retrospective: test the proactive detection of the scanner for unknown

viruses, to verify which vendor uses better heuristics

Anti-viruses are ranked using both parameters:http://www.av-comparatives.org/

http://www.av-comparatives.org/

- 63 -

Online vs Offline Anti Virus Software


Online

• Free browser plug-in

• Authentication through third

party certificate (i.e. VeriSign)

• No shielding

• Software and signatures update

at each scan

• Poorly configurable

• Scan needs internet connection

• Report collected by the company

that offers the service

Offline

• Paid annual subscription

• Installed on the OS

• Software distributed securely by

the vendor online or a retailer

• System shielding

• Scheduled software and

signatures updates

• Easily configurable

• Scan without internet connection

• Report collected locally and may

be sent to vendor

- 64 -

Machine Learning for Malware Detection (Kaspersky)


- 65 -

The Best Antivirus Protection of 2018- https://www.pcmag.com/article2/0,2817,2372364,00.asp


https://www.pcmag.com/article2/0,2817,2372364,00.asp

- 66 -

Detection Performance


Source: https://www.pcmag.com/article2/0,2817,2481367,00.asphttps://en.wikipedia.org/wiki/F1_score

https://www.pcmag.com/article2/0,2817,2481367,00.asp

https://en.wikipedia.org/wiki/F1_score

- 67 -

Open-Source Antivirus / Free Antivirus

ClamAV

OpenAV

Armadito AV


The Best Free Antivirus Protection of 2018 by PC magazine

VirusTotal Analyze suspicious files and URL to detect types of malware

https://www.virustotal.com/#/home/upload

YARA The pattern matching swiss knife for malware researchers

https://virustotal.github.io/yara/

YaraRules Project: http://yararules.com/

https://www.virustotal.com/#/home/upload

http://yararules.com/

Summary

• Numerous attacks involve software

• Can you ever trust software?


- 69 -

Trusting Software

Can you ever trust software? See Reflections on Trusting Trust

Consider the following thought experiment

Suppose C compiler has a virus When compiling login program, virus creates backdoor (account with known

password)

When recompiling the C compiler, virus incorporates itself into new C compiler

Difficult to get rid of this virus!

Suppose you notice something is wrong

So you start over from scratch

First, you recompile the C compiler

Then you recompile the OS Including login program…

You have not gotten rid of the problem!

In the real world Attackers try to hide viruses in virus scanner

Imagine damage that would be done by attack on virus signature updates


- 70 -

Summary, Q & A

Malware

Malware family classification

Malware Detection

Signature/Anomaly-based Detection

Anti-malware software, Vaccine = Anti virus,

Most Common Evasive Techniques used by Malware

Antivirus evasion technique,

50 Open Source Tools to Replace Popular Security Software https://www.datamation.com/osrc/article.php/3882711/50-Open-Source-Tools-To-Replace-Popular-Security-Software.htm


• What types of threat are related to this lecture?

‒ Consider the STRIDE model !

https://www.datamation.com/osrc/article.php/3882711/50-Open-Source-Tools-To-Replace-Popular-Security-Software.htm

introduction to software security malwaresecuresw.dankook.ac.kr › iss19-1 ›...

Documents