Copyright © 2006, Idea Group Inc.
Chapter IV
Malware and Antivirus Deployment for Enterprise Security
By: Raj Sharman, K. Pramod Krishna, H. Raghav Rao & Shambhu Upadhyaya
Presented by: Abdallah Rasheed
Spring 08
Outline
Types of malware.
Approach to antivirus software implementation.
Mechanism of virus/antivirus.
Malware
“short for malicious software and is typically used as a catch-all term to refer to the class of software designed to cause damage to any device”.
Examples: a virus, a worm, a Trojan, spyware, or a backdoor.
Malware impact
Increases business risk.
Reduces productivity.
Loss of customer confidence.
Time consuming.
Cost of antivirus / firewalls.
Malware history
1986, “Pakistani Brain” virus.
1987, “Merry Christmas” worm.
1988, “Morris worm”.
1990s, more complex viruses:
– OS executable infectors.
– Network/protocol worms.
Antivirus Solution: The Layered Approach
– Layer 1: Gateway and content security
– Layer 2: Intranet servers
– Layer 3: Desktops and user community
Figure 1. Three-layer defense in enterprise network
Layer 1 — Gateway Security and Content Security
Deals with the Internet-visible servers and the demilitarized zone (DMZ).
– Gateway traffic: firewall filters.
– Content scanning: e-mail attachments; scanning e-mails for specific text; spam e-mails.
Layer 2 — Intranet Servers
E-mail servers
– Virtual Private Network (VPN)
– Remote Access Server (RAS)
Proxy servers.
File servers.
– Risk minimization.
– Increasing storage space.
Layer 3 — Desktop and User Community
Sources of virus infection:
– the use of Webmail;
– instant messaging tools;
– peer-to-peer file sharing;
– downloads from the Internet.
Administrator privileges.
Automated scans.
Educating users.
Antispyware in Enterprise Network
Symptoms of spyware:
– unauthorized pop-up advertisements making Web browsing difficult;
– a sudden change in the performance of the computer, slowing it down considerably;
– the appearance of a new and unwanted toolbar in the browser without installation;
– increased crashing of operating systems and Web browsers.
Why Antispyware
Increased IT support costs.
Theft of intellectual property.
Privacy violations.
Information disclosure.
Loss of credibility and damage to the organization.
Antivirus detection techniques
Pattern recognition
– Examines key suspect areas of a file and compares them against the virus pattern file to detect viruses.
Integrity checking
– An initial record of the status of all files on the hard disk.
– Checksumming programs detect changes.
– A change indicates a possible virus; otherwise it is a false alarm (a legitimate change).
Cont. Techniques
X-raying
– Sees the “picture” of a virus body.
– Based on the encryption algorithm.
32-bit viruses and PE file infectors
– Windows 95, which uses a 32-bit OS.
– A PE file infector runs itself each time the host file is executed.
Cont. Techniques
Entry Point Obscuring (EPO)
– Places a “jump-to-virus” instruction in the code.
– Inserts the viral code in unused space in the file.
– Detection is more complex.
Encrypted virus
– Has a virus decryption routine and the encrypted body.
– Decryption of the virus body.
Cont. Techniques
Polymorphic viruses
– A mutation engine generates randomized decryption techniques each time the virus infects a new program.
– No fixed signature and no fixed decryption routine.
– The decryption routine is time consuming.
Polymorphic Detection
Generic decryption. “A scanner loads the file being scanned into a self-contained virtual container created in the RAM.”
– When the infected file is executed, the decryption routine executes.
– The virus decrypts itself, exposing the virus body to the scanner.
– The scanner identifies the virus signature.
Heuristic-Based Generic Decryption
– A generic set of rules that helps differentiate non-virus from virus behavior.
– Inconsistencies may indicate the presence of an infected file.
– Running the code for a long enough period exposes the virus body.
Anti-Emulation
Emulation allows the virus to run inside a virtual computer so that it decrypts itself and reveals its code.
Anti-emulation systems are incorporated into the decryptor of a virus so that, under emulation, it does not decrypt properly and hence does not reveal its code.
Retrovirus
Tries to bypass the antivirus by:
– modifying the code of an antivirus program file;
– stopping the execution of the program;
– using methods in the virus code that cause problems for the antivirus;
– exploiting a specific weakness or a backdoor in an antivirus.
Backdoor
“A Trojan that allows access to computer resources using a network connection.”
Hackers download scripts onto PCs, essentially hijacking them, and then use them to launch a denial-of-service attack.
Those PCs become slave computers.
Virus Infection Cycle of W32/Gobi
PE virus, written in assembly.
Infects .exe files in the Windows directory.
Changes the registry.
– Once the registry hook is in place, Gobi infects programs launched from Windows Explorer before letting them run.
Conclusions
Malicious code and Internet-based attacks keep increasing; some of the forecasts regarding malware are:
– Spam mails and phishing will continue to be a major concern in e-mail usage.
– Social engineering is emerging as one of the biggest challenges, as there is no technical defense against the exploitation of human weaknesses.
– The time between vulnerability disclosure and the release of malware exploiting the vulnerability continues to get shorter, requiring more proactive assessment tools.
References
Warkentin, M., & Vaughn, R. (Eds.). Enterprise Information Systems Assurance and System Security: Managerial and Technical Issues. Idea Group Inc.
Argaez, E. D. (2004). How to prevent the online invasion of spyware and adware. Retrieved March 25, 2008, from <http://www.internetworldstats.com/articles/art053.htm>