Malware and Anti-malware

Benny Czarny
CEO and Founder
benny@opswat.com

23 October 2013
Agenda
- What is malware?
- Why do malware writers write malware?
- Malware infection methods
- Challenges in detecting malware
- Malware detection techniques
- Real-life examples of malware detection systems
- Current trends in the industry
What is malware
- What is the origin of the name "malware"?
  - Malicious software
- What is the definition of malware?
  - Software that is intended to damage or disable computers and computer systems
  - Any kind of unwanted software that is installed without your adequate consent. Viruses, worms, and Trojan horses are examples of malicious software that are often grouped together and referred to as malware.
What is malware
Many types of malware
- Worm
- Trojan horse/Trojan
- Virus
- Rogues / Scareware
- Ransomware
- Others
What is malware
Worms
- Activity
  - Make copies of themselves again and again on:
    - local drive
    - network shares
    - USB drives
- Purpose:
  - reproduce
(*) Does not need to attach itself to an existing program
What is malware
I love you worm

Opening the attachment activated the Visual Basic script. The worm did damage on the local machine, overwriting image files, and sent a copy of itself to the first 50 addresses in the Windows Address Book.
What is malware
Morris worm
What is malware
Trojan horse
What is malware
Trojan
- Activity
  - Appears to perform a desirable function but instead drops a malicious payload, often including a backdoor allowing unauthorized access
- Purpose:
  - Gains privileged access to the operating system
(*) Does not need to attach itself to an existing program.
What is malware
Trojan
- Install a game -> NetBus -> backdoor
- Install a browser plugin -> Flashback -> redirect to bogus web sites
What is malware
Virus
- Activity
  - When executed (usually by a human), replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected."
- Purpose:
  - Replicate
  - Harm computers
What is malware
Rogue antivirus / scareware

Appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions.
What is malware
Ransomware
- Restricts access to the computer system that it infects
  - Encrypts files or locks the system
- Displays messages intended to coax the user into paying
- Demands a ransom in order for the restriction to be removed
What is malware
Ransomware
What is malware
Quantity of malware
What is malware
Growth in quantity of known malware
Why do malware writers write malware?
What motivates malware writers?
- Economic
- Personal
- Political / cyber weapons
- Others
Why do malware writers write malware?
Economic
- Stealing sensitive information which is then sold on the black market
- Ransomware
- Industrial espionage
- Selling bots, which are used to:
  - Take down networks
  - Host phishing attacks
  - Send spam
  - Others
Why do malware writers write malware?
Economic
Why do malware writers write malware?
Personal
- Revenge
- Vandalism
- Experimental / research
- Hobby / art
Why do malware writers write malware?
Political / cyber weapons
- Sabotage
  - Infrastructure
  - Service availability
- Spy tools
  - Domestic
  - Foreign
- Political messages
Malware propagation methods
Samples
- Exploiting unpatched security holes or vulnerabilities in older versions of popular software such as Adobe products, Java and Windows
- Torrent, peer-to-peer (P2P) and file sharing programs
- Emails
- USB flash drives
- Rogue security programs
- Others
Malware propagation methods
Sample USB virus

autorun.inf:

    [autorun]
    open=file.bat
    shelloption1=Open
    shelloption1command=file.bat

file.bat:

    @echo off
    copy autorun.inf C: > NUL
    copy file.bat C: > NUL
    copy autorun.inf D: > NUL
    copy file.bat D: > NUL
    explorer .
Malware propagation methods
- Appending virus
- Prepending virus
- Cavity virus
- Compressing virus
- Packers
Malware propagation methods
Appending

Layout: New Header | Host File Data | Virus Code

A virus that inserts a copy of its malicious code at the end of the file. The goal of an appending virus is not to harm the host program, but to modify it to hold the virus code and then be able to run itself.
Malware propagation methods
Prepending

Layout: New Header | Virus Code | Host File Data

A virus that inserts a copy of its malicious code at the beginning of the file.
Malware propagation methods
Cavity

Layout: New Header | Virus Code (inside a cavity) | Host File Data

Copies itself to one of the cavities present in the executable. It modifies the header so that control jumps to its location, and once the execution of the virus code is over, control is passed back.
Malware propagation methods
Compressing

Layout: New Header | Virus Code + Decompressor | Compressed Host File Data

Compresses the host program and attaches itself. It copies itself to the start of the data segment and includes a decompressing algorithm that is used to decompress the host program and execute it.
Malware propagation methods
Packer functionality
- Compress
- Encrypt
- Randomize (polymorphism)
- Anti-debug technique (fake jmp)
- Add junk
- Anti-VM

Diagram: Payload -> Packer -> Malware -> Infected Host Executable
Challenges in detecting malware
- Fred Cohen
  - It is not possible to build a perfect malware detector (1984)
  - http://web.eecs.umich.edu/~aprakash/eecs588/handouts/cohen-viruses.html
- Diagonal argument
  - P is a perfect detection program
  - V is a virus
  - V can call P
  - if P(V) = true -> halt
  - if P(V) = false -> spread
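The diagonal argument, carried out as an added Python example (not from the slides): whatever detector `P` you hand in, the program `V` built below asks `P` about itself and does the opposite, so `P` is wrong about `V` either way. The three detectors are hypothetical stand-ins, and "spread" is only a returned label.

```python
"""Cohen's diagonal argument as runnable code (added example, not from the slides).

A "detector" is any function P(program) -> bool that claims to decide whether
`program` is a virus.  The contrary program V calls P on itself and does the
opposite of whatever P predicts, so no P can be right about every V.
"""
from typing import Callable

Detector = Callable[[Callable], bool]


def make_contrary_program(detector: Detector) -> Callable[[], str]:
    """Build V for a given P: V halts if P says 'virus', spreads if P says 'clean'."""

    def v() -> str:
        if detector(v):          # P(V) = true  -> V is harmless: it just halts
            return "halt"
        return "spread"          # P(V) = false -> V spreads (here: only a label)

    return v


def judge(detector: Detector) -> dict:
    """Run the diagonalization against one detector and report the contradiction."""
    v = make_contrary_program(detector)
    verdict = detector(v)        # what P claims about V
    behaviour = v()              # what V actually does
    return {
        "detector_says_virus": verdict,
        "actually_spreads": behaviour == "spread",
        "detector_correct": verdict == (behaviour == "spread"),
    }


# Three hypothetical "perfect" detectors; each is defeated by its own contrary program.
def paranoid(_program) -> bool:   # flags everything: false positive on V
    return True


def naive(_program) -> bool:      # flags nothing: false negative on V
    return False


def name_based(program) -> bool:  # a crude "signature" on the program's name
    return "spread" in getattr(program, "__name__", "")


if __name__ == "__main__":
    for p in (paranoid, naive, name_based):
        print(p.__name__, judge(p))
```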
Challenges detecting malware
Static vs. Dynamic
- Known malware
  - In the wild
  - Malware exchange programs, e.g. Metascan Online
  - AMTSO real-time threat list
- Unknown malware
  - Targeted attacks
  - Outbreaks
Malware detection techniques
Static vs. Dynamic
- Static
  - Inspect the code before it is executed
- Dynamic
  - Inspect the execution of the code
Malware detection techniques
Static code analysis
- PE headers
- Digital signatures
- Text searches
- Hash checks
- Dependency check
- Check for packers
- Heuristic checks
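A miniature static scanner as an added Python example (not code from the slides or from OPSWAT). It runs several of the checks listed above over in-memory byte strings: PE header parsing, a SHA-256 hash check against a block list, a packer check on UPX-style section names, one heuristic (a section with no raw data) and a text search for the strings from the USB sample shown earlier. The samples and the block list are constructed inside the block; signature and dependency checks are left out.

```python
"""Miniature static scanner (added example, not from the slides or OPSWAT)."""
import hashlib
import struct

PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}          # section names UPX leaves behind
SUSPICIOUS_TEXT = [b"[autorun]", b"autorun.inf"]    # strings from the slide's USB sample


def build_sample_pe(sections, body=b"") -> bytes:
    """Construct a minimal PE-shaped blob (headers only, not runnable) for testing.

    `sections` is a list of (name, size_of_raw_data) pairs.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine (i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b""
    for name, raw_size in sections:
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, reloc/linenumber fields (unused here), Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             0x1000, 0x1000, raw_size, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos_header + b"PE\0\0" + coff + table + body


def parse_pe(data: bytes) -> dict:
    """Read the DOS stub pointer, PE signature, COFF header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    offset = e_lfanew + 4 + 20 + opt_size        # section table follows the optional header
    sections = []
    for _ in range(nsections):
        name, vsize, _vaddr, raw_size = struct.unpack_from("<8sIII", data, offset)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size})
        offset += 40
    return {"machine": machine, "sections": sections}


def scan(data: bytes, known_bad_sha256: set) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in known_bad_sha256:
        findings.append(f"hash: sha256 {digest[:16]}... is on the block list")
    try:
        pe = parse_pe(data)
    except (ValueError, struct.error) as exc:
        findings.append(f"header: not a well-formed PE ({exc})")
        pe = None
    if pe is not None:
        for sec in pe["sections"]:
            if sec["name"] in PACKER_SECTIONS:
                findings.append(f"packer: section name {sec['name']!r}")
            if sec["raw_size"] == 0 and sec["virtual_size"] > 0:
                findings.append(f"heuristic: section {sec['name']!r} has no raw data, filled at runtime")
    for needle in SUSPICIOUS_TEXT:
        if needle in data:
            findings.append(f"text: contains {needle.decode()!r}")
    return findings


# Constructed samples: a plain file, a UPX-style packed file and an autorun dropper.
CLEAN_SAMPLE = build_sample_pe([(".text", 0x200)], b"hello")
PACKED_SAMPLE = build_sample_pe([("UPX0", 0), ("UPX1", 0x200)], b"stub")
DROPPER_SAMPLE = build_sample_pe([(".text", 0x200)],
                                 b"[autorun]\r\nopen=file.bat\r\ncopy autorun.inf D:")
BLOCK_LIST = {hashlib.sha256(DROPPER_SAMPLE).hexdigest()}   # constructed "known malware" entry

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE),
                        ("dropper", DROPPER_SAMPLE), ("not-a-pe", b"[autorun]")]:
        print(label, scan(blob, BLOCK_LIST))
```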
Malware detection techniques
Challenges of static code analysis
- Many signatures
  - Quality assurance of 100M signatures
  - Big data
  - Performance: scan in a timely manner
- Many signature updates
  - Challenge: build a scalable update mechanism
- Easy to obfuscate the code
Malware detection techniques
Challenges of static code analysis
Malware detection techniques
Dynamic code analysis
- Execute on
  - Target host
  - Virtual machine
  - Physical machine
  - Custom hardware
- Monitor the behavior of the host
  - From the host
  - Outside the host
Malware detection techniques
Dynamic code analysis
Monitor
- Processes
- Files
- Registry key changes
- System scheduling
- Services / Daemons
- Network traffic
  - Type
  - Destination
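Behaviour rules over the monitored event types above, as an added Python example (not code from the slides). The event log is constructed here in a hypothetical tab-separated format; the rules correlate file writes, Run-key and scheduled-task persistence, and network connections (type and destination) per process.

```python
"""Simple behaviour rules over constructed sandbox events (added example)."""
from collections import defaultdict

# Constructed sandbox event log: one event per line, tab-separated key=value fields.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts.
SAMPLE_EVENTS = """\
process_create\tpid=1204\timage=C:\\Users\\demo\\Downloads\\invoice.exe
file_write\tpid=1204\tpath=C:\\Users\\demo\\AppData\\Roaming\\svc.exe
registry_set\tpid=1204\tkey=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc\tvalue=C:\\Users\\demo\\AppData\\Roaming\\svc.exe
scheduled_task\tpid=1204\tname=Updater\tcommand=C:\\Users\\demo\\AppData\\Roaming\\svc.exe
network_connect\tpid=1204\tproto=tcp\tdst=198.51.100.23:4444
process_create\tpid=800\timage=C:\\Windows\\System32\\notepad.exe
file_write\tpid=800\tpath=C:\\Users\\demo\\Documents\\notes.txt
network_connect\tpid=800\tproto=tcp\tdst=203.0.113.5:443
"""

RUN_KEY_MARKER = "\\currentversion\\run\\"   # autostart location (matched case-insensitively)
COMMON_PORTS = {80, 443, 53}                  # anything else is reported as uncommon


def parse_event(line: str) -> dict:
    """Turn 'type<TAB>k=v<TAB>k=v' into a dict with a 'type' entry."""
    kind, *fields = line.split("\t")
    event = {"type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def analyse(log_text: str) -> dict:
    """Return {pid: [findings]} for every process that triggered at least one rule."""
    state = defaultdict(lambda: {"image": "?", "written": set(), "findings": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        proc = state[ev["pid"]]
        kind = ev["type"]
        if kind == "process_create":
            proc["image"] = ev["image"]
        elif kind == "file_write":
            proc["written"].add(ev["path"].lower())      # remember what this process dropped
        elif kind == "registry_set" and RUN_KEY_MARKER in ev["key"].lower():
            target = ev.get("value", "")
            origin = "its own dropped file" if target.lower() in proc["written"] else target
            proc["findings"].append(f"persistence: Run key {ev['key']} -> {origin}")
        elif kind == "scheduled_task":
            if ev.get("command", "").lower() in proc["written"]:
                proc["findings"].append(
                    f"persistence: scheduled task {ev['name']} runs its own dropped file")
        elif kind == "network_connect":
            host, _, port = ev["dst"].rpartition(":")
            if int(port) not in COMMON_PORTS:
                proc["findings"].append(
                    f"network: {ev['proto']} to {host} on uncommon port {port}")
    return {pid: p["findings"] for pid, p in state.items() if p["findings"]}


if __name__ == "__main__":
    for pid, findings in analyse(SAMPLE_EVENTS).items():
        print(pid)
        for f in findings:
            print("  ", f)
```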
Malware detection techniques
Challenges of dynamic code analysis
- Anti-virtualization techniques
- Sleep / loops to wait out the analysis
- Randomization
- Polymorphism
- Resource consumption
Real life examples of malware detection systems
Malware detection for new outbreaks (Source: Metascan Online)
Real life examples of malware detection systems
Static vs. Dynamic
- Tested 30 known malware files (disguised as documents or embedded within documents)
- Fewest engines detecting a file: 10 (out of 43)
- Most engines detecting a file: 30 (out of 43)
Real life examples of malware detection systems
Static vs. Dynamic
- Tested 30 known malware files (disguised as documents or embedded within documents)
- Lowest number of threats detected: 3
- Highest number of threats detected: 23
Real life examples of malware detection systems
Measuring detection coverage

Figure: detection coverage relative to 100%; sandboxing reaches protection level X1%, multi-scanning reaches protection level X2%.
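How the coverage figures above, and the per-file engine counts two slides earlier, come out of a detection matrix, as an added Python example (not from the slides or Metascan). Engines A to E and their detections are constructed; the block computes single-engine coverage, the union coverage of a multi-scanner, the only-A / only-B / both split, and a greedy choice of which engines to combine.

```python
"""Single-engine vs. multi-scanning coverage on a constructed detection matrix (added example)."""

SAMPLES = set(range(1, 11))   # ten constructed malware samples, numbered 1..10

# Constructed: which samples each hypothetical engine detects.
DETECTIONS = {
    "A": {1, 2, 3, 4, 5, 6},
    "B": {1, 2, 3, 7},
    "C": {4, 5, 8, 9},
    "D": {1, 2, 10},
    "E": {3, 6},
}


def coverage(detections: dict, samples: set, engine: str) -> float:
    """Fraction of samples one engine detects."""
    return len(detections[engine] & samples) / len(samples)


def union_coverage(detections: dict, samples: set, engines) -> float:
    """Fraction of samples detected by at least one engine in `engines`."""
    hit = set().union(*(detections[e] for e in engines))
    return len(hit & samples) / len(samples)


def partition(detections: dict, a: str, b: str) -> dict:
    """Split two engines' detections into only-A, only-B and both (non-exclusive events)."""
    return {
        "only_" + a: detections[a] - detections[b],
        "only_" + b: detections[b] - detections[a],
        "both": detections[a] & detections[b],
    }


def engines_per_sample(detections: dict, samples: set) -> tuple:
    """How many engines flag each sample: (fewest, most, per-sample counts)."""
    counts = {s: sum(s in found for found in detections.values()) for s in sorted(samples)}
    return min(counts.values()), max(counts.values()), counts


def greedy_select(detections: dict, samples: set, k: int) -> list:
    """Pick up to k engines, each time the one adding the most new detections.

    Returns [(engine, cumulative coverage), ...]; stops early when nothing is gained.
    """
    chosen, covered = [], set()
    remaining = list(detections)
    for _ in range(min(k, len(remaining))):
        best = max(remaining, key=lambda e: len((detections[e] & samples) - covered))
        if not (detections[best] & samples) - covered:
            break
        remaining.remove(best)
        covered |= detections[best] & samples
        chosen.append((best, len(covered) / len(samples)))
    return chosen


if __name__ == "__main__":
    for engine in DETECTIONS:
        print(engine, coverage(DETECTIONS, SAMPLES, engine))
    print("all engines:", union_coverage(DETECTIONS, SAMPLES, DETECTIONS))
    print("A vs B:", partition(DETECTIONS, "A", "B"))
    print("engines per sample (min, max):", engines_per_sample(DETECTIONS, SAMPLES)[:2])
    print("greedy top 3:", greedy_select(DETECTIONS, SAMPLES, 3))
```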
Current trends in the industry
- Secure transactions to cloud applications
- Mobile security and BYOD
- Cloud malware scanning
- Big data
- Performance
- Sandbox
- Cloud
- Sandbox
- Protect digital wallets


Speaker notes

1. 1 min
2. Outline:
   - Why multi-scanning: growth of malware; more engines are better than one; outbreaks; vulnerabilities in engines.
   - Technology overview of Metascan: what is Metascan; why use Metascan; current feature set.
   - Different implementations of Metascan: out-of-the-box solution (MDTA); demo of metascanonline.com (local box with wireless access point); endpoint client (MD4SA); demo of MD4SA.
   - Managing Metascan: introduction to the management station.
3. The assumption is that detections by different antivirus engines are events that are not mutually exclusive. So, given the global amount of threats an antivirus can detect, we should expect: threats detected only by antivirus A; threats detected only by antivirus B; threats detected by both antivirus A and antivirus B.
4. The conclusion is obvious: when you do not know what you are up against, and when you can't really measure the quality of the tools you are working with, multi-scanning is a trivial choice.