Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik

Post on 31-Dec-2015

Virus Detection Mechanisms

Final Year Project by

Chaitanya kumar CH

K.S. Karthik

Project details

Project Guide: Dr. V.Ch.Venkaiah

Description:
- Study various detection mechanisms
- Implement the mechanisms

Some important terms

Backdoors/Trapdoors allow unauthorized access to the system.

Logic bombs are programmed threats that lie dormant for an extended period of time until they are triggered.

Some important terms (Cont…)

A Virus is a piece of code that inserts itself into a host [program] to propagate. The virus is executed along with the original program.

Boot sector viruses insert themselves into the boot sector area and are activated when the system boots.

Some important terms (Cont…)

Multi-partite viruses are viruses that can use multiple means of infection, such as the MBR, the boot sector and parasitic file infection.

Trojan horses are programs that appear to have one function but actually perform another function.

Some important terms (Cont…)

A worm is a program that can run independently, will consume the resources of its host [machine] from within in order to maintain itself and can propagate a complete working version of itself on to other machines.

Some important terms (Cont…)

Payload refers to what the virus does (besides propagation) once executed:
- Do nothing
- Playing with your data
- Malicious damage

Detection of Internet Worms

Traffic Analysis
- Growth in traffic volume
- Rise in number of scans and sweeps
- Change in traffic patterns for some hosts
- Predicting scans by analyzing the scan engine of the worm

Detection of Internet Worms

Honeypots
- Set up a seemingly vulnerable host on the network and log all the filesystem and network activity using low-level tools
- A picture of what happens when a worm strikes a real host, along with network signatures and binaries, is obtained. This can be used to develop attack signatures.

Detection of Internet Worms

Worms don’t usually monitor DNS entries for new hosts. They simply scan.

Black hole monitoring
- Monitor the locally unused subnets within our address space.
- Monitor the globally unused address space, or dark IP space, and monitor its usage.
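The two heuristics above, a rise in scans and sweeps and traffic into unused address space, can both be checked from flow records. The following is an added example and is not code from the slides or the project; every address, subnet, timestamp and threshold in it is constructed for the demo, and the flow records are plain tuples rather than the output of any real collector.

```python
"""Added example, not from the original slides: two of the worm-detection
heuristics described above, run over constructed flow records.

1. Traffic analysis: a host that contacts an unusually large number of
   distinct destinations inside a short window is behaving like a
   scanning worm (rise in scans and sweeps).
2. Black hole monitoring: traffic addressed to a subnet known to be unused
   is suspicious, because legitimate clients have no reason to talk to
   addresses that were never allocated.

Every address, subnet, timestamp and threshold here is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed: subnets inside our address space with no hosts assigned.
DARK_SUBNETS = [ipaddress.ip_network("10.9.0.0/16"),
                ipaddress.ip_network("192.0.2.0/24")]


def build_sample_flows():
    """Constructed flow records: (time_seconds, src_ip, dst_ip, dst_port)."""
    flows = []
    # A worm-like host sweeping a /24 on TCP 445, one new target per second.
    for i in range(1, 41):
        flows.append((i, "10.1.1.5", f"10.1.2.{i}", 445))
    # The same host also probes addresses in a subnet we never allocated.
    for i in range(3):
        flows.append((41 + i, "10.1.1.5", f"10.9.3.{10 + i}", 445))
    # An ordinary workstation talking to a few servers over a minute.
    for t, dst in [(5, "10.1.1.20"), (17, "10.1.1.21"),
                   (40, "10.1.1.20"), (55, "10.1.1.22")]:
        flows.append((t, "10.1.1.7", dst, 80))
    return sorted(flows)


def peak_fanout(flows, window=60):
    """For each source, the largest number of distinct destinations it
    contacted within any window of `window` seconds."""
    by_src = defaultdict(list)
    for t, src, dst, _port in flows:
        by_src[src].append((t, dst))
    peaks = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            # Window opens at this event; count distinct targets until it closes.
            seen = {dst for t, dst in events[i:] if t - t0 <= window}
            best = max(best, len(seen))
        peaks[src] = best
    return peaks


def scan_suspects(flows, window=60, threshold=20):
    """Sources whose peak fan-out reaches the threshold (scan/sweep behaviour)."""
    return {src: n for src, n in peak_fanout(flows, window).items()
            if n >= threshold}


def dark_space_hits(flows, dark_subnets=DARK_SUBNETS):
    """Flow records whose destination lies in a subnet we know is unused."""
    return [rec for rec in flows
            if any(ipaddress.ip_address(rec[2]) in net for net in dark_subnets)]


if __name__ == "__main__":
    sample = build_sample_flows()
    print("scan suspects:", scan_suspects(sample))
    print("dark-space hits:", dark_space_hits(sample))
```

The fan-out check needs a threshold tuned to the network (mail relays and monitoring hosts legitimately contact many peers), whereas a single packet into dark address space is already worth an alert, since nothing should be there to answer.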

Detection of Internet Worms

Signature-Based Detection
- Network signatures
- Log signatures from non-vulnerable servers
- Filesystem signatures (used by any typical antivirus software)

Defenses against worms

Host based: personal firewalls, antivirus software, privilege control

Firewall and Network Defenses
- Stop existing worms
- Implement inbound and outbound rules
- Reactive IDS

Defenses against worms

Proxy-Based Defenses (application level)
- Authentication
- Mail-server proxies (can scan the emails)
- Web-based proxies (content screening)

Attacking the Worm Network

- Shutdown messages (stop the worm processes or halt the host)
- “I am already infected”
- Poison updates

These methods can be unprofessional if our attacker gets out of our control.

Virus Scanners

- Compare code to a database of known malicious code
  - Just matching strings in the code
  - Reasonably useful in the days of floppies
- Identify viruses by their “signatures.” Search for these patterns in executable files.
- Watch for changes in files: size, time of modification, etc.
- Monitor the system for malicious actions
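The first two techniques in the list, pattern matching against a signature database and watching files for changes, are simple enough to show end to end. The following is an added example and not the project's scanner; the signature database, the file contents and the temporary directory are all constructed for the demo, and the marker bytes mean nothing outside it. It also shows why size and modification time alone are a weak change check: the demo modifies a file while keeping both identical, and only the content hash notices.

```python
"""Added example, not from the original slides: signature matching (search
files for known byte patterns) and change monitoring (size, mtime and a
hash recorded in a baseline) on constructed files. The signature database
and file contents are made up for the demo.
"""
import hashlib
import os
import tempfile

# Constructed signature database: detection name -> byte pattern.
SIGNATURES = {
    "Demo.Marker.A": b"DEMO-SIGNATURE-A",
    "Demo.Marker.B": b"\x90\x90\xcc\xcc\xeb\xfe",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Names of every signature whose pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_file(path, signatures=SIGNATURES, chunk=1 << 20):
    """Chunked scan so large files are not read at once. The tail of the
    previous chunk is kept so a pattern straddling two chunks is still seen."""
    overlap = max(len(p) for p in signatures.values()) - 1
    found, tail = set(), b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            found.update(scan_bytes(tail + block, signatures))
            tail = block[-overlap:] if overlap > 0 else b""
    return sorted(found)


def fingerprint(path):
    """What the monitor records per file: size, mtime and a content hash."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "sha256": h.hexdigest()}


def build_baseline(paths):
    return {p: fingerprint(p) for p in paths}


def changed_files(baseline):
    """Files whose current fingerprint no longer matches the baseline. Size and
    mtime can be preserved by whatever modified the file; the hash cannot."""
    return [p for p, old in baseline.items()
            if not os.path.exists(p) or fingerprint(p) != old]


def demo():
    """Constructed scenario: baseline a clean file, then modify it in place
    while keeping size and mtime identical, and see what each check reports."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "sample.exe")
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x00" * 1022)  # constructed, not a real PE image
        baseline = build_baseline([exe])
        old = baseline[exe]
        # Overwrite bytes in place (same size) and restore the old timestamp.
        with open(exe, "r+b") as f:
            f.seek(512)
            f.write(SIGNATURES["Demo.Marker.A"])
        os.utime(exe, ns=(old["mtime_ns"], old["mtime_ns"]))
        now = fingerprint(exe)
        return {
            "signatures": scan_file(exe),
            "changed": [os.path.basename(p) for p in changed_files(baseline)],
            "size_same": now["size"] == old["size"],
            "mtime_same": now["mtime_ns"] == old["mtime_ns"],
        }


if __name__ == "__main__":
    print(demo())
```

The substring search is the "just matching strings" approach the slide mentions; a real engine adds wildcards, offsets and hashes of code sections, but the chunk-overlap detail already matters here, because a signature split across two read buffers would otherwise be missed.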

Virus Scanners Internals

Diagram: a Win32 program calls Kernel32.dll (user mode); the read/write request passes to the I/O Manager, then to the file system driver and the disk driver (kernel mode), down to the hardware, and the reply travels back the same way.

Virus Scanners Internals

Diagram: the virus scanner is a file system filter that sits between the I/O Manager and the file system driver.

The file system filter scans a file whenever it is accessed. If the file is infected, it returns the original file after cleaning it. If it cannot be cleaned, it returns a failure message and performs an appropriate action such as quarantining or deleting the infected file.

Monitoring using compression enabled filesystem

The virus can hide itself in other files by prepending itself to another executable.

But this way there is a change in the file size, which is easily recognized.

Monitoring using compression enabled filesystem

To avoid detection, a virus compresses the original file and then prepends itself to it.

Since the compression reduces the file size by exactly the size of the virus, there is no apparent change in the file size.

When executed, the virus code decompresses the original code and then executes it.

Monitoring using compression enabled filesystem

Figure: file sizes before compression by the file system. The original file is shown beside the original file compressed by the virus with the virus prepended; the virus compresses the file by the size of its own code.

Figure: file sizes on the disk after compression by the file system, contrasting compression by the file system with compression by the virus.

Monitoring using compression enabled filesystem

In a compression-enabled filesystem the file size seen by applications differs from the size on the disk, where the file is stored compressed.

When a virus hides itself in another file by compressing it and prepending the virus code, the file's on-disk size may differ when it is compressed again by the filesystem.
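The argument above can be made concrete: a file that was already compressed before the filesystem stored it cannot be compressed again, so its on-disk size grows even though its logical size is unchanged. The following is an added example, not the project's code; zlib stands in for the filesystem's compressor, the "program image" is constructed bytes, and the prepended portion is a hash-derived filler that merely has the right size, not code of any kind. The check flags a file whose logical size matches the baseline while its on-disk size has grown past a threshold, which is precisely the case a plain size comparison cannot see.

```python
"""Added example, not from the original slides: a model of the detection
idea above. On a compression-enabled filesystem each file has two sizes,
the logical size an application sees and the size actually stored on disk.
If the logical size is unchanged but the on-disk size has jumped, the
contents were replaced with data the filesystem can no longer compress,
which is what happens when the host was compressed before being stored.
zlib stands in for the filesystem's compressor; contents are constructed.
"""
import hashlib
import zlib


def filesystem_store(data):
    """Simulated compressing filesystem: (logical_size, on_disk_size)."""
    return len(data), len(zlib.compress(data, 6))


def incompressible_filler(n):
    """Constructed, deterministic filler that does not compress (hash output),
    standing in for the bytes prepended to the compressed host."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def size_preserving_rewrite(original):
    """Lay the file out as the slides describe: the host compressed, with
    prepended bytes sized so the logical size equals the original's."""
    packed = zlib.compress(original, 9)
    room = len(original) - len(packed)
    return incompressible_filler(room) + packed


def record_baseline(files):
    """Per-file (logical, on-disk) sizes as the filesystem first stored them."""
    return {name: filesystem_store(data) for name, data in files.items()}


def suspicious_files(baseline, files, growth=1.5):
    """Files whose logical size matches the baseline but whose on-disk size
    grew by more than `growth` times. A plain size check would pass them."""
    flagged = []
    for name, data in files.items():
        logical, on_disk = filesystem_store(data)
        old_logical, old_on_disk = baseline[name]
        if logical == old_logical and on_disk > growth * old_on_disk:
            flagged.append(name)
    return flagged


def demo():
    # Constructed "program image": repetitive, so the filesystem compresses it well.
    original = b"MZ" + b"This is an ordinary program image. " * 120
    files = {"app.exe": original, "readme.txt": b"hello " * 200}
    baseline = record_baseline(files)
    after = dict(files)
    after["app.exe"] = size_preserving_rewrite(original)
    return baseline, after, suspicious_files(baseline, after)


if __name__ == "__main__":
    baseline, after, flagged = demo()
    for name in after:
        print(name, "baseline:", baseline[name],
              "now:", filesystem_store(after[name]))
    print("flagged:", flagged)
```

The growth factor is a heuristic: a legitimate update that replaces a file with already-compressed data would trip it too, but such updates normally change the logical size as well, and the "logical size unchanged" condition keeps the check focused on the size-preserving trick the slides describe.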