Malware Classification And Detection

Matt Banick


Malware Classification And Detection. Matt Banick. Malware – A Brief Introduction. - PowerPoint PPT Presentation

Transcript of Malware Classification And Detection

Page 1: Malware Classification And Detection

Matt Banick

Page 2: Malware Classification And Detection

Broad Definition: “Let us take the easy one first. "Malware" is short for malicious software and is typically used as a catch-all term to refer to any software designed to cause damage to a single computer, server, or computer network, whether it's a virus, spyware, et al.” (1)

Page 3: Malware Classification And Detection

How to Classify Malware?
◦ Trojan, Virus, Worm, Spyware, etc.
◦ Level of compromise?

Security Classification?
◦ Degree of OS compromise
◦ Changes
◦ Security compromise

Page 4: Malware Classification And Detection

“Stealth” Malware Taxonomy
◦ Joanna Rutkowska

Malware re-definition
◦ Changes in OS kernel
◦ Security applications
◦ Other processes

Four types (0-3)
No true order

Page 5: Malware Classification And Detection

Type 0: OS, security processes, other processes unaffected
“Legal” use of APIs
Still a threat!

Page 6: Malware Classification And Detection

Type I: Malware changes ‘constant’ data
True ‘system compromise’

Page 7: Malware Classification And Detection

Type II: Malware changes ‘dynamic’ parts of the system
Similar to Type I
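The difference between changing ‘constant’ data and ‘dynamic’ data is what decides which detector works. An integrity check that hashes the constant resources at boot catches a Type I change, but it cannot see a Type II change, which only touches data that legitimately varies; that case needs a semantic check, such as comparing two views of the same dynamic state. The following Python is an added example, not part of the original slides: the kernel model, the process names and the syscall names are constructed stand-ins, not real memory layouts.

```python
import hashlib
from dataclasses import dataclass, field


# Constructed toy model of a running kernel; nothing here is a real memory layout.
@dataclass
class Kernel:
    text: bytes                 # 'constant' resource: kernel code, fixed after boot
    syscall_table: tuple        # 'constant' resource: handler names, fixed after boot
    process_list: list = field(default_factory=list)    # 'dynamic' resource
    scheduler_view: list = field(default_factory=list)  # second dynamic view of the same truth


def constant_hash(k: Kernel) -> str:
    """Hash only the constant resources; an integrity checker records this once at boot."""
    h = hashlib.sha256()
    h.update(k.text)
    h.update("|".join(k.syscall_table).encode())
    return h.hexdigest()


def integrity_ok(k: Kernel, expected: str) -> bool:
    """Type I detection: constant resources must still hash to the boot-time value."""
    return constant_hash(k) == expected


def cross_view_ok(k: Kernel) -> bool:
    """Type II detection: two dynamic views that describe the same processes must agree."""
    return sorted(k.process_list) == sorted(k.scheduler_view)


def fresh_kernel() -> Kernel:
    procs = ["init", "sshd", "backup"]                 # constructed process names
    return Kernel(
        text=b"\x55\x48\x89\xe5\x48\x83\xec\x10",       # constructed stand-in for kernel code
        syscall_table=("sys_read", "sys_write", "sys_open"),
        process_list=list(procs),
        scheduler_view=list(procs),
    )


def apply_type1(k: Kernel) -> None:
    """Type I: a constant resource is modified (a syscall handler is replaced)."""
    k.syscall_table = ("sys_read", "sys_write", "hooked_open")


def apply_type2(k: Kernel) -> None:
    """Type II: only dynamic data is modified (one entry vanishes from the process
    list while the scheduler still knows the process); constants are untouched."""
    k.process_list.remove("backup")


def apply_legit_change(k: Kernel) -> None:
    """Normal activity: a new process appears in both dynamic views; no compromise."""
    k.process_list.append("cron")
    k.scheduler_view.append("cron")


def run_checks(mutate=None) -> dict:
    """Boot a fresh kernel, record the baseline, apply an optional change, run both checks."""
    k = fresh_kernel()
    expected = constant_hash(k)
    if mutate is not None:
        mutate(k)
    return {"integrity_ok": integrity_ok(k, expected), "cross_view_ok": cross_view_ok(k)}


if __name__ == "__main__":
    for label, change in (("clean", None), ("type I", apply_type1),
                          ("type II", apply_type2), ("legit change", apply_legit_change)):
        print(f"{label:12s} {run_checks(change)}")
```

Running it shows the Type I change failing the integrity check while the Type II change passes it and is only exposed by the cross-view comparison; the legitimate change passes both, which is why the integrity checker deliberately ignores dynamic data.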

Page 8: Malware Classification And Detection

Type III: Similar to Type 0... in a way
Hypervisor control

Page 9: Malware Classification And Detection

Signature-based
Heuristic-based
Others?

Page 10: Malware Classification And Detection

Code-based ‘dictionary’ search
Targets static parts of malware

For (Sig a : dictionary)..

Page 11: Malware Classification And Detection

Polymorphic Viruses
◦ Encryption + crafty = disaster

Code Obfuscation
◦ War which may never end

Metamorphic Viruses
◦ Polymorphic-Polymorphic virus!

eval('document.'+potato+'.style.color= "red"');
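The slides above cover both halves of the signature story: the dictionary loop on Page 10 and the reason it breaks on Page 11. The Python below is an added example, not code from the original slides. It implements the `For (Sig a : dictionary)` scan over a constructed signature dictionary, then shows that a single-byte XOR of the same body (the simplest stand-in for a polymorphic virus's encryption layer) defeats the static scan, and that an emulated-decryption scan that tries every key before matching recovers the detection. The signature names, patterns and sample bytes are all constructed for the example.

```python
# Signature dictionary: constructed demo patterns, not real AV signatures.
SIGNATURES = {
    "Demo.Dropper": b"DROP_AND_RUN",
    "Demo.Stealer": b"SEND_KEYS_TO",
}

# Constructed sample body that carries one of the demo patterns in the clear.
SAMPLE = b"header bytes ... DROP_AND_RUN ... trailer"


def signature_scan(data: bytes, dictionary=SIGNATURES) -> list:
    """The slide's 'For (Sig a : dictionary)' loop: report every pattern present in data."""
    return [name for name, sig in dictionary.items() if sig in data]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, standing in for the simplest polymorphic packer's 'encryption'.
    Applying it twice with the same key restores the original bytes."""
    return bytes(b ^ key for b in data)


def scan_with_decryption(data: bytes, dictionary=SIGNATURES) -> list:
    """Emulated-decryption scan: the body is never plaintext on disk, so decode with
    every possible key and scan each result. Key 0 covers the unencrypted case."""
    hits = set()
    for key in range(256):
        hits.update(signature_scan(xor_bytes(data, key), dictionary))
    return sorted(hits)


def demo() -> dict:
    """Compare the static scan and the decrypting scan on three encrypted variants."""
    variants = {key: xor_bytes(SAMPLE, key) for key in (0x21, 0x7A, 0xC3)}
    return {
        "plain_static": signature_scan(SAMPLE),
        "variants_static": {k: signature_scan(v) for k, v in variants.items()},
        "variants_decrypted": {k: scan_with_decryption(v) for k, v in variants.items()},
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The static scan finds the plain sample and misses every encrypted variant, while the decrypting scan finds all three. Real polymorphic engines vary the decryptor itself and use multi-byte keys, so the brute-force loop here scales badly and is why products emulate the decryptor instead of guessing keys; a metamorphic sample has no fixed plaintext body to recover at all, which is the case Page 11 calls the war that may never end and the reason the next slides turn to heuristics.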

Page 12: Malware Classification And Detection

Page 13: Malware Classification And Detection

Can include different concepts
◦ Virus activity
◦ Instruction oddities
◦ File activity
◦ Network activity

Static
◦ Code review

Dynamic
◦ Watch and wait…

Page 14: Malware Classification And Detection

False positives can be costly
◦ User indifference
◦ PR nightmare
◦ Slow

While (a < 5000) sleep(5);
//random code
Some_malicious_code
//random code
Some_more_malicious_code
//random code
… etc.
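Pages 13 and 14 describe dynamic heuristics as watching behaviour and scoring it, with the cost of false positives as the trade-off, and the stalling loop above (5000 sleeps of 5 seconds) as the evasion a dynamic analyser has to recognise. The Python below is an added example, not from the original slides: a small weighted-heuristic scorer run over two constructed event traces, one from a benign backup tool and one from a sample that stalls, persists and drops a file. The event kinds, weights, paths and threshold are all constructed for the example.

```python
from collections import Counter

# Heuristic weights: constructed for this example, not taken from any product.
WEIGHTS = {
    "autorun_persistence": 3,   # writes an autorun (Run) registry key
    "system_dir_write": 3,      # drops a file into the system directory
    "self_modifying_code": 4,   # 'instruction oddities': code rewrites itself
    "sleep_stalling": 3,        # long sleep loop: tries to wait out the analyser
    "mass_file_access": 2,      # touches very many files (backup tools do this too)
}
THRESHOLD = 5  # constructed; the lower it is, the more false positives

# Constructed 'watch and wait' traces: (event kind, detail) pairs, not real sandbox logs.
BENIGN_BACKUP = (
    [("file_read", f"/home/user/docs/{i}.txt") for i in range(150)]
    + [("file_write", f"/mnt/backup/{i}.txt") for i in range(150)]
    + [("net_connect", "backup.example.com:443")]
)
STALLING_SAMPLE = (
    [("sleep", 5)] * 5000  # the slide's 'While (a < 5000) sleep(5);' loop as events
    + [("reg_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
       ("file_write", "C:\\Windows\\System32\\updater.exe"),
       ("net_connect", "203.0.113.5:443")]
)


def fired_heuristics(trace) -> list:
    """Return the names of every heuristic the trace triggers, in WEIGHTS order."""
    kinds = Counter(kind for kind, _ in trace)
    fired = []
    if any(kind == "reg_write" and "\\Run" in detail for kind, detail in trace):
        fired.append("autorun_persistence")
    if any(kind == "file_write" and detail.lower().startswith("c:\\windows\\")
           for kind, detail in trace):
        fired.append("system_dir_write")
    if kinds["self_modify"] > 0:
        fired.append("self_modifying_code")
    total_sleep = sum(detail for kind, detail in trace if kind == "sleep")
    if total_sleep >= 60:  # seconds; a real analyser would also shorten or skip sleeps
        fired.append("sleep_stalling")
    if kinds["file_read"] + kinds["file_write"] > 100:
        fired.append("mass_file_access")
    return fired


def score(trace) -> int:
    return sum(WEIGHTS[h] for h in fired_heuristics(trace))


def verdict(trace, threshold: int = THRESHOLD) -> dict:
    """Score the trace and keep the reasons, so an analyst can see why it was flagged."""
    s = score(trace)
    return {"score": s, "malicious": s >= threshold, "reasons": fired_heuristics(trace)}


if __name__ == "__main__":
    print("backup tool, threshold 5:", verdict(BENIGN_BACKUP))
    print("backup tool, threshold 2:", verdict(BENIGN_BACKUP, threshold=2))
    print("stalling sample:         ", verdict(STALLING_SAMPLE))
```

With the default threshold the backup tool scores 2 on mass file access alone and is left alone, while the stalling sample scores 9 and is flagged with three reasons. Lowering the threshold to 2 turns the backup tool into a false positive, which is the Samsung-style outcome the slide warns about; keeping the reasons attached to every verdict is what lets a vendor explain or correct such a call instead of living with the PR problem.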

Page 15: Malware Classification And Detection

What “should” occur?
Emerging research
Math based (in a way…)
Problems
◦ Dynamic web pages
◦ Analysis is costly
◦ White-listing processes

Page 16: Malware Classification And Detection

(1) http://technet.microsoft.com/en-us/library/dd632948.aspx
Sony Rootkit: http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx
Polymorphic Viruses: http://www.symantec.com/avcenter/reference/striker.pdf
Obfuscation: http://delivery.acm.org/10.1145/1780000/1772720/p281-cova.pdf?key1=1772720&key2=0800233031&coll=DL&dl=ACM&ip=129.244.189.101&CFID=17197576&CFTOKEN=85746334
Metamorphic Viruses: http://www.symantec.com/avcenter/reference/hunting.for.metamorphic.pdf
RDAE & Other info: http://docs.google.com/viewer?a=v&q=cache:p2XzCVP51GQJ:www.waset.org/journals/waset/v34/v34-45.pdf+RDA+decryption+engines&hl=en&gl=us&pid=bl&srcid=ADGEESj7KEkEBTkeJ5ydlcAafATSGutwPlsjA8mzG6d_bsnAkUbeOoZSnfe6BIGNC4ffQZpacWFGzeKWhsH8JMn7LkYdfCwOd2q-VkDn-yvrunTVfM4CSQOO1xui6uB3DUgEBc3mX_n3&sig=AHIEtbQu67h41KBkC3HjISYFceSrQFQZUQ
Samsung Issue: http://www.thetechherald.com/article.php/201113/6997/Samsung-keylogger-fears-based-on-false-positives
Heuristic Basics: http://vx.netlux.org/lib/static/vdat/epheurs1.htm
More Heuristics (Dynamic): http://service1.symantec.com/legal/publishedpatents.nsf/0/4b4a30633137923b88256df7005d6b5d/$FILE/United%20States%20Patent%206,357,008.htm
User-based detection: http://otc.rutgers.edu/pdf/Yao-09-046.pdf
User-based detection cont.: http://people.cs.vt.edu/danfeng/papers/paper106_icics2009.pdf
Blue Pill wrap: http://securitywatch.eweek.com/showdown_at_the_blue_pill_corral.html
