Saturday, March 21, 2009

Virus vs. Antivirus – Combat on Fire

Abstract
This paper sets out the facts about viruses and antivirus software. It sketches, briefly, the main ways virus writers get past antivirus products, and it corrects some common misconceptions about malicious code.

1. Introduction
Any malicious code is a danger, or a source of danger, yet many computer users are not aware of this. They tend to believe that installing and configuring the best antivirus software makes them safe, or gives them complete protection. An antivirus product can help protect your personal computers and networks, but it expects some common sense, awareness and vigilance from you as well. Close your eyes and think for a moment: what if the antivirus itself is already compromised? What if an innocent, unintentional piece of code behaves like a virus? What about the virus that was born today and that no signature yet describes? Today I would like to share a story with you that will help you understand the subject.

"Once I met an infant virus; he looked at me and smiled. I told him, 'You are not safe here; antiviruses are looking to hunt you down and they are everywhere. You will lose your life at an early age, maybe on the first highway.' He smiled again and replied, 'Don't worry! I know how to deal with these innocent antiviruses. Antiviruses are, and always will be, in the defensive position, and we respectable offenders are the attackers.' After a long time, today I met him again; he was quite young and experienced too. He looked at me, gave a strange smile and winged toward satellites and mobiles."

Antivirus programs reduce security risk; they do not dissect every problem or provide infallible security. AV engines are designed to give the highest level of protection they can, but they are vulnerable to specific techniques, such as binders, packers and code obfuscation, which are used to hide the true nature of a piece of code. And we usually let such malicious code in with our own consent.

2. The intruder - virus
A virus is a piece of code that infects executable files, typically .EXE files (which carry a header) or .COM files (flat binaries with no header). It attaches itself to a program and replicates itself in such a way that whenever an infected file is executed, the virus executes as well. It may erase files or lock up a system.

The simplest virus a programmer can write merely creates copies of itself until the system crashes. Viruses spread across networks by dodging security measures, and the Internet is at once the best, the biggest and the worst source of infection for a personal system or a network. Viruses usually spread by deceiving an unsuspecting user: through application installers, e-mail attachments, or through unauthorised access to the system. Visiting illicit content on the Internet (pornography, "hacks" and "cracks") can also bless you with a virus, and instant messaging clients such as Yahoo Messenger, MSN Messenger and others can be used to carry the threat.

2.1. Virus types
Viruses fall into five major categories.

  1. Boot virus
  2. File Infector Virus
  3. Macro Virus
  4. Polymorphic Virus
  5. Stealth Virus

2.1.1. Boot Virus
It infects the boot sector of a disk (the master boot record or a partition boot sector) and goes resident in memory. It executes every time the system boots, before the operating system loads, which gives it full control of the system.

2.1.2. File Infector Virus
These viruses attack executable files, typically *.exe or *.com files. Whenever the infected program is executed, the virus runs and hunts for the next file to infect.

2.1.3. Macro Viruses

Macro viruses replicate through the documents of the application they attach themselves to. A macro virus cannot attach to every kind of program, only to a specific one, such as MS Word or MS Excel. These viruses exploit two features of those programs.

The auto-open macro feature (AutoOpen in Word, Auto_Open in Excel) lets a macro virus execute without your consent as soon as the document is opened, and you will not even know it is happening.

A capable programmer can exploit the global macro feature (the Normal.dot template in Word, or a workbook placed in Excel's startup folder) to give the virus persistence: every time you open Word or Excel, you could be executing harmful code.

2.1.4. Polymorphic Virus

A polymorphic virus encrypts its own body on every infection with a fresh key and generates a new decryption routine for each copy, so that no two infected files contain the same encrypted byte sequence. Because the key and the decryptor vary, the size and shape of the infected file can change from one infection to the next as well.

2.1.5. Stealth Virus
A stealth virus can be a file infector or a boot sector virus. It intercepts the system calls an antivirus uses to read files or disk sectors and returns the original, uninfected content, so that the scanner receives a forged picture of the infected file.

2.2. Helpless against viruses?
There are many reasons for feeling helpless against these threats; some are given below.

  1. No antivirus software is installed on the system.
  2. An antivirus is running, but it is badly configured.
  3. Virus definitions are out of date.
  4. The computer is connected to a network and shares files with anyone, without a firewall.
  5. The firewall is configured improperly.
  6. The operating system is unpatched; many viruses exploit vulnerabilities in the OS, so keep the critical update feature switched on.

2.3. Misconceptions about viruses
There are many misconceptions about viruses, and these myths are sometimes responsible for havoc. Some are given below.

  1. Merely connecting to an infected FTP server or website will infect my system.
  2. A virus is a mysterious program that can hide in a pure data file.
  3. Viruses do not infect compressed files.
  4. All file damage is caused by viruses.
  5. All systems are equally vulnerable.
  6. All e-mail attachments are threats.
  7. Attachments are harmless except for a few well-known dangerous types.
  8. Antivirus software will protect me.
  9. Viruses are written by a lone, isolated sick person rather than by a group.
  10. I am a security professional; viruses can never harm me.
  11. I am working behind a personal or corporate firewall, so I am safe.
  12. We are safe because we have an IDS.

3. Antivirus – An Eye on the Intruder
Everyone wants to be protected from viruses, and antivirus vendors always claim to provide the best software, one that will protect you completely.

"To me these claims sound as these vendors have close ties with cosmetics companies."

An antivirus is a program that hunts for known or potential viruses in memory and on disk. Some popular antivirus programs are:

  1. Norton Antivirus
  2. AVG Antivirus
  3. Panda Antivirus Platinum
  4. McAfee Antivirus
  5. Sophos Antivirus
  6. Avast Antivirus

3.1. Discover and Defence
Various detection and defence methods have been deployed over the years. The techniques below follow the survey in Peter Szor's The Art of Computer Virus Research and Defense (see the bibliography): entries 1 through 17 are scanning and analysis methods, entries 18 through 32 are heuristic flags raised on a suspicious PE executable, and the remainder cover disinfection, integrity checking, neural-network heuristics and behaviour control.

  1. String Scanning
  2. Wildcards
  3. Mismatches
  4. Generic Detection
  5. Hashing, Bookmarks
  6. Top-and-Tail Scanning
  7. Entry-Point and Fixed-Point Scanning
  8. Hyperfast Disk Access, Smart Scanning
  9. Skeleton Detection, Nearly Exact Identification
  10. Exact Identification
  11. Filtering
  12. Static Decryptor Detection
  13. The X-RAY Method
  14. Encrypted and Polymorphic Virus Detection
  15. Dynamic Decryptor Detection, Geometric Detection
  16. Disassembling
  17. Emulators for Tracing
  18. Code Execution Starts in the Last Section
  19. Suspicious Section Characteristics
  20. Virtual Size Is Incorrect in PE Header
  21. Possible "Gap" Between Sections
  22. Suspicious Code Redirection
  23. Suspicious Code Section Name
  24. Possible Header Infection
  25. Multiple PE Headers
  26. Suspicious Imports from KERNEL32.DLL by Ordinal
  27. Import Address Table Is Patched, Suspicious Relocations
  28. Multiple Windows Headers and Suspicious KERNEL32.DLL Imports
  29. Kernel Look-Up, Kernel Inconsistency
  30. Loading a Section into the VMM Address Space
  31. Incorrect Size of Code in Header
  32. Suspicious Flag Combinations
  33. Standard Disinfection
  34. Generic Decryptors
  35. Integrity Checking False Positives
  36. Inoculation
  37. Heuristic Analysis Using Neural Networks
  38. Access Control Systems, Behaviour Blocking and Sand-Boxing

These methods keep evolving and are still used by antivirus vendors to discover and defend against threats.

3.2. Anti-Virus Evasion Techniques
Several techniques are used to fool antivirus software. Some are given below.

3.2.1. Use of binders
Binders glue two or more executables into a single binary (a harmless carrier plus the malicious payload) so that the whole file changes; the original signature of the malicious code no longer sits where the scanner expects it, and a scanner that does not look inside the bundled file fails to detect it. Such binders are freely downloadable from the Internet.

3.2.2. Packers (Compressors)
Packers compress the malicious binary and wrap it in a small loader stub that unpacks it in memory at run time. This trick is fairly successful because compression changes the bytes on disk, and therefore the signature, unless the scanner unpacks or emulates the stub first.

3.2.3. Code Obfuscation
Code obfuscation, in this context, means encrypting the malicious code and prepending a small routine that decrypts it at run time. Once this is done, the virus is practically impossible to detect by plain signature matching, because the bytes of the binary have changed; only the small decryptor remains constant.
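The following is an added example, not code from the original post, that ties sections 2.1.4, 3.2.2 and 3.2.3 to entries 1, 2, 12 and 13 of the list in section 3.1. BODY is a constructed, inert byte string standing in for a virus body; the "DECRYPT:" and "PACKED:" stubs are this example's own toy formats, not any real packer or virus. It shows why the bytes on disk change while the decrypted body does not, and how X-ray style key search and unpacking get the signature back.

```python
"""Signature scanning against a polymorphic (encrypted) or packed body."""
import os
import re
import zlib

# Constructed stand-in for a virus body (repeated so a packer has
# something to compress). Nothing here executes.
BODY = b"\x55\x8b\xec" + b"INFECT-ROUTINE-v1;" * 8 + b"\x5d\xc3"

# Signature taken from the body, with the version digit left as a
# wildcard (entry 2, 'Wildcards', in the 3.1 list).
SIGNATURE = re.compile(rb"INFECT-ROUTINE-v.;", re.DOTALL)


def string_scan(sample):
    """Entry 1, string scanning: the signature must appear byte-for-byte."""
    return SIGNATURE.search(sample) is not None


def xor_bytes(data, key):
    """Single-byte XOR, the simplest cipher a polymorphic decryptor uses."""
    return bytes(b ^ key for b in data)


def polymorphic_copy(body):
    """Model of section 2.1.4: each copy picks a fresh key, so the
    encrypted body differs every time; only a small decryptor stub
    (here the toy text 'DECRYPT:<key>:') stays recognisable."""
    key = os.urandom(1)[0] or 1          # key 0 would leave the body in clear
    return b"DECRYPT:" + bytes([key]) + b":" + xor_bytes(body, key)


def packed_copy(body):
    """Model of section 3.2.2: compress the body behind a toy loader stub."""
    return b"PACKED:" + zlib.compress(body)


def xray_scan(sample):
    """Entry 13, the X-RAY method: assume a weak cipher and try every
    key, scanning each candidate plaintext for the signature."""
    return any(string_scan(xor_bytes(sample, k)) for k in range(256))


def unpack_then_scan(sample):
    """Generic unpacking before scanning: strip the stub, inflate, scan."""
    if not sample.startswith(b"PACKED:"):
        return string_scan(sample)
    try:
        return string_scan(zlib.decompress(sample[len(b"PACKED:"):]))
    except zlib.error:
        return False


def decryptor_key(sample):
    """Entry 12, static decryptor detection: locate the known stub and
    read the key it carries; one XOR then yields the original body."""
    if sample.startswith(b"DECRYPT:") and sample[9:10] == b":":
        return sample[8]
    return None


if __name__ == "__main__":
    copy = polymorphic_copy(BODY)
    print("plain body found by string scan:", string_scan(BODY))
    print("encrypted copy found by string scan:", string_scan(copy))
    print("encrypted copy found by X-ray scan:", xray_scan(copy))
    print("packed copy found after unpacking:", unpack_then_scan(packed_copy(BODY)))
```

Two things a practitioner should take from this: a plain string scan fails on both the encrypted and the packed copy, even though the body is unchanged, and recovering detection costs the scanner either a key search (cheap here for one XOR byte, expensive for a real cipher) or an unpacking step that has to recognise the stub. That is exactly the gap the evasion techniques above exploit.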

3.2.4. Code conversion from EXE to client-side scripts
Create a virus and convert the executable into a file with the extension of your choice, such as PIF, SCR or VBS, using a tool such as exe2vbs or similar. When the forged file is opened, the hidden executable simply runs. I have nothing more to say.

3.2.5. Fake File Type Extension
This simple method relies on a fake extension: the file is named, for example, "photo.jpg.exe", and because Windows hides known extensions by default, the user sees only "photo.jpg". The visible name is usually sex-oriented, to tempt the victim into opening it.

3.3. Manual Virus Identification Method
Checking the header of a file is a simple task, because each executable format carries its own distinctive header, whatever extension the file has been given. The first bytes of a Windows executable reveal the hidden truth: the fixed DOS header fields occupy the first 28 bytes (0x1C), the full IMAGE_DOS_HEADER used by PE files is 64 bytes, and its last field (at offset 0x3C) points to the "PE" signature. Right-click the file and open it in Notepad, or drag and drop the file onto Notepad or any other program that shows raw bytes. If you find 'MZ' in the first two bytes and the extension is anything other than .exe (or another executable type such as .dll, .scr or .pif), the file is suspicious. Renaming a file changes its extension but never its header.
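The same check, automated, as an added example that is not part of the original post: it covers the 'MZ' header test from this section, the double-extension lure from 3.2.5 and the PIF/SCR disguise from 3.2.4. The 'MZ' and 'PE\0\0' magic values and the 0x3C offset of e_lfanew are the real DOS/PE header facts; the sample file is constructed in memory and the extension sets are this example's own choice, not any standard list.

```python
"""Checking what a file really is: magic bytes versus extension."""
import struct

# Example's own choice of extension groups (not an exhaustive list).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".sys", ".cpl"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".hta"}
LURE_EXTS = {".jpg", ".jpeg", ".gif", ".txt", ".doc", ".pdf", ".mp3", ".avi"}


def extensions(name):
    """All dotted suffixes of a name, lowercased: 'a.jpg.exe' -> ['.jpg', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def has_mz_header(data):
    """First two bytes 'MZ': every DOS/Windows executable image starts this way."""
    return len(data) >= 2 and data[:2] == b"MZ"


def is_pe_image(data):
    """Full 64-byte IMAGE_DOS_HEADER whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 64 or not has_mz_header(data):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name, data):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    # Section 3.3: header says executable, name says something else.
    if has_mz_header(data) and last not in EXECUTABLE_EXTS:
        findings.append("MZ header but extension %r is not executable" % (last or "(none)"))
    # Section 3.2.5: 'holiday.jpg.exe' shows as 'holiday.jpg' when known
    # extensions are hidden; the real extension is the last one.
    if len(exts) >= 2 and exts[-2] in LURE_EXTS and last in EXECUTABLE_EXTS | SCRIPT_EXTS:
        findings.append("double extension %s%s: lure name in front of a runnable type" % (exts[-2], last))
    # Section 3.2.4: PIF and SCR files are run as programs despite their innocent roles.
    if last in {".pif", ".scr"} and is_pe_image(data):
        findings.append("%s file is a PE image and will be run as a program" % last)
    return findings


def constructed_pe_image():
    """A minimal, non-runnable PE header: MZ stub, e_lfanew = 64, then 'PE\\0\\0'."""
    header = bytearray(64)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 64)
    return bytes(header) + b"PE\x00\x00" + bytes(20)


if __name__ == "__main__":
    for name in ("holiday.jpg", "holiday.jpg.exe", "setup.exe", "clock.scr", "notes.txt"):
        print(name, classify(name, constructed_pe_image()))
```

Run it over a directory with `open(path, "rb").read(4096)` per file and the findings list does what the Notepad method does by hand, without the risk of double-clicking the wrong icon.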

3.4. Will any antivirus detect all possible computer viruses in the future?
Fred Cohen showed that no algorithm can decide, for every program, whether it is a virus: given any proposed detector, one can construct a program that asks the detector about itself and then does the opposite, so the detector is wrong on that program. Applied to the scanner skeleton below, the ELSE branch (whatever the decision logic does not flag) is the loophole a smart coder aims for. The technical details of the proof are easy to find on the Internet.

CODE START HERE
{
    IF (code is malicious or suspicious)
        Set Alarm
        Message "There is a malicious activity"
        FUNCTION (Terminate that application)
        FUNCTION (Kill that threat)
    ELSE
        Allow running that code
}
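Cohen's argument, modelled in Python as an added example that is not part of the original post. The "programs" are Python functions, "infecting" means appending a marker to a host list, and the three detectors are toy verdict functions chosen for illustration; whatever detector is plugged in, the constructed program lands in the wrong branch of the IF/ELSE above.

```python
"""Why no scanner can be right about every program: the diagonal program."""


def contrary(detector, host):
    """The diagonal program: ask the detector about *this* program,
    then behave so that the verdict is wrong either way."""
    if detector(contrary):
        return host                      # judged a virus: stay harmless
    host.append("copy of contrary")      # judged clean: replicate
    return host


def detector_is_wrong(detector):
    """True when the detector's verdict on `contrary` does not match
    what `contrary` actually does when run under that detector."""
    verdict = detector(contrary)
    replicated = len(contrary(detector, [])) > 0
    return verdict != replicated


# Three candidate "perfect detectors" (toy verdict functions).
def always_virus(program):
    return True


def always_clean(program):
    return False


def heuristic(program):
    """Flag any program whose bytecode references a method named 'append'."""
    return "append" in program.__code__.co_names


def all_defeated(detectors=(always_virus, always_clean, heuristic)):
    """Every detector in the list is wrong about `contrary`."""
    return all(detector_is_wrong(d) for d in detectors)


if __name__ == "__main__":
    for d in (always_virus, always_clean, heuristic):
        print(d.__name__, "wrong:", detector_is_wrong(d))
```

The heuristic is the interesting case: it does flag `contrary`, and that is precisely why `contrary` then stays harmless, making the flag a false positive. A real scanner cannot escape this by being cleverer, only by accepting that its verdicts are a risk reduction rather than a proof, which is the thesis of the conclusion below.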

Conclusion
Expert security professionals use security applications to build layers of defence against threats, not to eliminate every future possibility; it is this layering that lets an enterprise achieve true defence-in-depth.

Bibliography

  1. The Art of Computer Virus Research and Defense, by Peter Szor
  2. Malicious Mobile Code: Virus Protection for Windows, by Roger A. Grimes
  3. Symantec AntiVirus 8.0 Advanced Topics, by Symantec
  4. The Giant Black Book of Computer Viruses, by Mark Ludwig
  5. Dangerous Virus Misconceptions, by Stephen Canale
  6. Anti-Virus Evasion Techniques and Countermeasures, by Debasis Mohanty
  7. Testing Time for Antivirus Software, by Sarah Gordon
  8. ICSA Labs 7th Annual Computer Virus Prevalence Survey 2001, by Lawrence M. Bridwell and Peter Tippett
  9. Email Content Security Management, by Trend Micro
  10. Benefits and Considerations for a Single-Vendor Antivirus Strategy, by Natasha David and Jane Chesher
