The document discusses the evolution of computer malware and anti-malware over three waves from 1986 to the present. The first wave involved simple computer viruses that replicated by adding themselves to new executable files. Antivirus solutions emerged that used virus "signatures" or fingerprints to detect known viruses. The second wave saw the rise of polymorphic viruses that used encryption and code mutation to avoid signature detection.

1. Compute Malware-AntiMalware Coevolution
Thirty Years of Battle
Himanshu Dubey

2. Wave #1 Problem – Simple Computer Viruses
Today1986
Wave #1: Simple Computer Viruses

3. Wave #1 Problem – Simple Computer Viruses

4. Wave #1 Problem – Simple Computer Viruses

5. Program Instructions:
1. Go to step #100
2. Print “Welcome to PACMan!”
3. Play music “pacman.wav”
4. Display maze on screen
5. ...
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
PACMAN.COM
Wave #1 Problem – Simple Computer Viruses
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
Go to step #100

6. Program Instructions:
1. Go to step #100
2. Print “Welcome to PACMan!”
3. Play music “pacman.wav”
4. Display maze on screen
5. ...
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
PACMAN.COM
Wave #1 Problem – Simple Computer Viruses
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
Go to step #100

7. Program Instructions:
1. Go to step #100
2. Print “Welcome to PACMan!”
3. Play music “pacman.wav”
4. Display maze on screen
5. ...
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
PACMAN.COM
Wave #1 Problem – Simple Computer Viruses
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
Go to step #100

8. Program Instructions:
1. Go to step #100
2. Print “Welcome to PACMan!”
3. Play music “pacman.wav”
4. Display maze on screen
5. ...
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
PACMAN.COM
Wave #1 Problem – Simple Computer Viruses
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
Go to step #100
Program Instructions:
1.
2.
3.
4.
5.
…
CALC.EXE
Print “Calculator version 1.1”
Print “Copyright 1990 by Joe Shmo”
Print “Enter your first number: “
Prompt the user for a number.
…

9. Program Instructions:
1. Go to step #100
2. Print “Welcome to PACMan!”
3. Play music “pacman.wav”
4. Display maze on screen
5. ...
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
PACMAN.COM
Wave #1 Problem – Simple Computer Viruses
CALC.EXE
Program Instructions:
1.
2.
3.
4.
5.
…
Print “Calculator version 1.1”
Print “Copyright 1990 by Joe Shmo”
Print “Enter your first number: “
Prompt the user for a number.
…
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
Go to step #100

10. Program Instructions:
1. Go to step #100
2. Print “Welcome to PACMan!”
3. Play music “pacman.wav”
4. Display maze on screen
5. ...
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
PACMAN.COM
Wave #1 Problem – Simple Computer Viruses
CALC.EXE
Program Instructions:
1.
2.
3.
4.
5.
…
Go to step #100
Print “Calculator version 1.1”
Print “Copyright 1990 by Joe Shmo”
Print “Enter your first number: “
Prompt the user for a number.
…
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
Go to step #100

11. Program Instructions:
1. Go to step #100
2. Print “Welcome to PACMan!”
3. Play music “pacman.wav”
4. Display maze on screen
5. ...
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
PACMAN.COM
Wave #1 Problem – Simple Computer Viruses
CALC.EXE
Program Instructions:
1.
2.
3.
4.
5.
…
Go to step #100
Print “Calculator version 1.1”
Print “Copyright 1990 by Joe Shmo”
Print “Enter your first number: “
Prompt the user for a number.
…
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
Go to step #100

12. Program Instructions:
1. Go to step #100
2. Print “Welcome to PACMan!”
3. Play music “pacman.wav”
4. Display maze on screen
5. ...
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
PACMAN.COM
Wave #1 Problem – Simple Computer Viruses
CALC.EXE
Program Instructions:
1.
2.
3.
4.
5.
…
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
Go to step #100
Print “Calculator version 1.1”
Print “Copyright 1990 by Joe Shmo”
Print “Enter your first number: “
Prompt the user for a number.
…
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
Go to step #100

13. Program Instructions:
1. Go to step #100
2. Print “Welcome to PACMan!”
3. Play music “pacman.wav”
4. Display maze on screen
5. ...
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
PACMAN.COM
Wave #1 Problem – Simple Computer Viruses
CALC.EXE
Program Instructions:
1.
2.
3.
4.
5.
…
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
Go to step #100
Print “Calculator version 1.1”
Print “Copyright 1990 by Joe Shmo”
Print “Enter your first number: “
Prompt the user for a number.
…
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
Go to step #100

14. Program Instructions:
1. Go to step #100
2. Print “Welcome to PACMan!”
3. Play music “pacman.wav”
4. Display maze on screen
5. ...
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
PACMAN.COM
Wave #1 Problem – Simple Computer Viruses
CALC.EXE
Program Instructions:
1.
2.
3.
4.
5.
…
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
Go to step #100
Print “Calculator version 1.1”
Print “Copyright 1990 by Joe Shmo”
Print “Enter your first number: “
Prompt the user for a number.
…
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
Go to step #100

15. Program Instructions:
1. Go to step #100
2. Print “Welcome to PACMan!”
3. Play music “pacman.wav”
4. Display maze on screen
5. ...
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
PACMAN.COM
Wave #1 Problem – Simple Computer Viruses
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2
Go to step #100

16. Wave #1 Solution – Antivirus Signatures

17. Wave #1 Solution – Antivirus Signatures

18. Wave #1 Solution – Antivirus Signatures

19. Wave #1 Solution – Antivirus Signatures

20. Wave #1 Solution – Antivirus Signatures

21. Wave #1 Solution – Antivirus SignaturesProgram Instructions:
1.
2.
3.
4.
5.
…
CALC.EXE
Print “Calculator version 1.1”
Print “Copyright 1990 by Joe Shmo”
Print “Enter your first number: “
Prompt the user for a number.
…
Go to step #100
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2

22. Wave #1 Solution – Antivirus SignaturesProgram Instructions:
1.
2.
3.
4.
5.
…
CALC.EXE
Print “Calculator version 1.1”
Print “Copyright 1990 by Joe Shmo”
Print “Enter your first number: “
Prompt the user for a number.
…
Go to step #100
100. Locate a new EXE file on disk
101. Insert “Go to step #100” at the
top of the new file.
102. Append lines 100 through 104
to the end of the new file.
103. If it’s Jan 1st, format hard drive!
104. Go back to step #2

23. Wave #1 Solution – Antivirus Signatures
Virus Fingerprint FileVirus Fingerprint File
Name Virus Fingerprint (aka signature)
Killer print “Killer wuz here!”
Loser If it’s Feb 28, delete files
Jerusalem Delete all files on june 6th
…
Hijack If it’s Jan 1st, format hard drive!

24. Wave #1 Solution – Antivirus Signatures

25. Wave #1 Solution – Antivirus Signatures

26. Wave #1 Solution – Antivirus Signatures

27. Wave #1 Solution – Antivirus Signatures

28. Wave #1 Solution – Antivirus Signatures
Today1986
Wave #1: Simple Computer Viruses Solution: Antivirus Signatures

29. Wave #2 Problem – Polymorphic Viruses
Today
Wave #2: Polymorphic Viruses
1990

30. Wave #2 Problem – Polymorphic Viruses
1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Remove every Q
Replace every M with an R
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za dbvphkt klpgwz %-@
5. Pkja wqr mzr pgayn pg wrq mvc zx htw plmk
6. Print “Welcome to PACMan!”
7. Play music “pacman.wav”
8. Display maze on screen
9. ...
PACMAN.COM
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za dbvphkt klpgwz %-@
5. Pkja wqr mzr pgayn pg wrq mvc zx htw plmk
1.
2.
3.
4.
…
30

31. Wave #2 Problem – Polymorphic Viruses
1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Remove every Q
Replace every M with an R
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za dbvphkt klpgwz %-@
5. Pkja wqr mzr pgayn pg wrq mvc zx htw plmk
6. Print “Welcome to PACMan!”
7. Play music “pacman.wav”
8. Display maze on screen
9. ...
PACMAN.COM
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za dbvphkt klpgwz %-@
5. Pkja wqr mzr pgayn pg wrq mvc zx htw plmk
1.
2.
3.
4.
…
31

32. Wave #2 Problem – Polymorphic Viruses
1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Remove every Q
Replace every M with an R
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za dbvphkt klpgwz %-@
5. Pkja wqr mzr pgayn pg wrq mvc zx htw plmk
6. Print “Welcome to PACMan!”
7. Play music “pacman.wav”
8. Display maze on screen
9. ...
PACMAN.COM
2. Locate a new EXE file to infect
3. Generate a new encryption scheme
4. Use the new scheme to encrypt lines 2-5
5. Copy the new strain to the top of the file
1.
2.
3.
4.
…
32

33. Wave #2 Problem – Polymorphic Viruses
1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Remove every Q
Replace every M with an R
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za dbvphkt klpgwz %-@
5. Pkja wqr mzr pgayn pg wrq mvc zx htw plmk
6. Print “Welcome to PACMan!”
7. Play music “pacman.wav”
8. Display maze on screen
9. ...
PACMAN.COM
2. Locate a new EXE file to infect
3. Generate a new encryption scheme
4. Use the new scheme to encrypt lines 2-5
5. Copy the new strain to the top of the file
1.
2.
3.
4.
…
33
CALC.EXE
Print “Calculator version 1.1”
Print “Copyright 1990 by Joe Shmo”
Print “Enter your first number: “
Prompt the user for a number.
…

34. Wave #2 Problem – Polymorphic Viruses
1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Remove every Q
Replace every M with an R
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za dbvphkt klpgwz %-@
5. Pkja wqr mzr pgayn pg wrq mvc zx htw plmk
6. Print “Welcome to PACMan!”
7. Play music “pacman.wav”
8. Display maze on screen
9. ...
PACMAN.COM
2. Locate a new EXE file to infect
3. Generate a new encryption scheme
4. Use the new scheme to encrypt lines 2-5
5. Copy the new strain to the top of the file
1.
2.
3.
4.
…
34
CALC.EXE
Print “Calculator version 1.1”
Print “Copyright 1990 by Joe Shmo”
Print “Enter your first number: “
Prompt the user for a number.
…
The virus generates a totally new
encryption scheme
for each new infection!
This is done using a built-in module
called a “mutation engine.”

35. Wave #2 Problem – Polymorphic Viruses
1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Remove every Q
Replace every M with an R
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za dbvphkt klpgwz %-@
5. Pkja wqr mzr pgayn pg wrq mvc zx htw plmk
6. Print “Welcome to PACMan!”
7. Play music “pacman.wav”
8. Display maze on screen
9. ...
PACMAN.COM
2. Locate a new EXE file to infect
3. Generate a new encryption scheme
4. Use the new scheme to encrypt lines 2-5
5. Copy the new strain to the top of the file
1.
2.
3.
4.
…
35
CALC.EXE
Print “Calculator version 1.1”
Print “Copyright 1990 by Joe Shmo”
Print “Enter your first number: “
Prompt the user for a number.
…

36. Wave #2 Problem – Polymorphic Viruses
1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Remove every Q
Replace every M with an R
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za dbvphkt klpgwz %-@
5. Pkja wqr mzr pgayn pg wrq mvc zx htw plmk
6. Print “Welcome to PACMan!”
7. Play music “pacman.wav”
8. Display maze on screen
9. ...
PACMAN.COM
2. Locate a new EXE file to infect
3. Generate a new encryption scheme
4. Use the new scheme to encrypt lines 2-5
5. Copy the new strain to the top of the file
1.
2.
3.
4.
…
36
CALC.EXE
Print “Calculator version 1.1”
Print “Copyright 1990 by Joe Shmo”
Print “Enter your first number: “
Prompt the user for a number.
…

37. Wave #2 Problem – Polymorphic Viruses
1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Remove every Q
Replace every M with an R
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za dbvphkt klpgwz %-@
5. Pkja wqr mzr pgayn pg wrq mvc zx htw plmk
6. Print “Welcome to PACMan!”
7. Play music “pacman.wav”
8. Display maze on screen
9. ...
PACMAN.COM
2. Locate a new EXE file to infect
3. Generate a new encryption scheme
4. Use the new scheme to encrypt lines 2-5
5. Copy the new strain to the top of the file
1.
2.
3.
4.
…
37
CALC.EXE
Print “Calculator version 1.1”
Print “Copyright 1990 by Joe Shmo”
Print “Enter your first number: “
Prompt the user for a number.
…
Jiwawn p oys PQZ nbhe dn penzec
Bzqhwugk t dwh xicyzhpenq lakwnz
Skv qmi lwm kbibrf ki iazouyt abzyt ^-#
Rzoi gha pqi gnaneh pn ode aqz iu loi zxvy

38. Wave #2 Problem – Polymorphic Viruses
1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Remove every Q
Replace every M with an R
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za dbvphkt klpgwz %-@
5. Pkja wqr mzr pgayn pg wrq mvc zx htw plmk
6. Print “Welcome to PACMan!”
7. Play music “pacman.wav”
8. Display maze on screen
9. ...
PACMAN.COM
2. Locate a new EXE file to infect
3. Generate a new encryption scheme
4. Use the new scheme to encrypt lines 2-5
5. Copy the new strain to the top of the file
1.
2.
3.
4.
…
38
CALC.EXE
Print “Calculator version 1.1”
Print “Copyright 1990 by Joe Shmo”
Print “Enter your first number: “
Prompt the user for a number.
…
Jiwawn p oys PQZ nbhe dn penzec
Bzqhwugk t dwh xicyzhpenq lakwnz
Skv qmi lwm kbibrf ki iazouyt abzyt ^-#
Rzoi gha pqi gnaneh pn ode aqz iu loi zxvy

39. Wave #2 Problem – Polymorphic Viruses
1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Remove every Q
Replace every M with an R
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za dbvphkt klpgwz %-@
5. Pkja wqr mzr pgayn pg wrq mvc zx htw plmk
6. Print “Welcome to PACMan!”
7. Play music “pacman.wav”
8. Display maze on screen
9. ...
PACMAN.COM
2. Locate a new EXE file to infect
3. Generate a new encryption scheme
4. Use the new scheme to encrypt lines 2-5
5. Copy the new strain to the top of the file
1.
2.
3.
4.
…
39
CALC.EXE
6. Print “Calculator version 1.1”
7. Print “Copyright 1990 by Joe Shmo”
8. Print “Enter your first number: “…
1. On lines 2-5 below:
Shift all letters back 7 slots
Replace every S with N
Replace every E with U
Shift all letters forward by 9 slots
Shift all letters back by 2 slots
Replace every W with a C
2. Jiwawn p oys PQZ nbhe dn penzec
3. Bzqhwugk t dwh xicyzhpenq lakwnz
4. Skv qmi lwm kbibrf ki iazouyt abzyt ^-#
5. Rzoi gha pqi gnaneh pn ode aqz iu loi zxvy

40. Wave #2 Problem – Polymorphic Viruses
1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Remove every Q
Replace every M with an R
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za dbvphkt klpgwz %-@
5. Pkja wqr mzr pgayn pg wrq mvc zx htw plmk
6. Print “Welcome to PACMan!”
7. Play music “pacman.wav”
8. Display maze on screen
9. ...
PACMAN.COM
2. Locate a new EXE file to infect
3. Generate a new encryption scheme
4. Use the new scheme to encrypt lines 2-5
5. Copy the new strain to the top of the file
1.
2.
3.
4.
…
40
CALC.EXE
6. Print “Calculator version 1.1”
7. Print “Copyright 1990 by Joe Shmo”
8. Print “Enter your first number: “…
1. On lines 2-5 below:
Shift all letters back 7 slots
Replace every S with N
Replace every E with U
Shift all letters forward by 9 slots
Shift all letters back by 2 slots
Replace every W with a C
2. Jiwawn p oys PQZ nbhe dn penzec
3. Bzqhwugk t dwh xicyzhpenq lakwnz
4. Skv qmi lwm kbibrf ki iazouyt abzyt ^-#
5. Rzoi gha pqi gnaneh pn ode aqz iu loi zxvy
The decryption
algorithms share
no instructions in
common…
… and every copy
of the virus body
is encrypted
differently!
… and every copy
of the virus body
is encrypted
differently!

41. Wave #2 Solution – The Universal Decoder?
Fix-O-Matic
Antivirus
“We fix it good”

42. Fix-O-Matic
Antivirus
“We fix it good”
Wave #2 Solution – The Universal Decoder?1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Replace every M with an R
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za lpgwz %-@
5. Pkja wqr mzr pgayn pg mvc zx htw plmk
6. ...
PACMAN.COM

43. Fix-O-Matic
Antivirus
“We fix it good”
Wave #2 Solution – The Universal Decoder?1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Replace every M with an R
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za lpgwz %-@
5. Pkja wqr mzr pgayn pg mvc zx htw plmk
6. ...
PACMAN.COM
1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Replace every M with an R
2. Locate a new EXE file to infect
3. Generate a new encryption scheme
4. Use the new scheme to encrypt lines 2-5
5. Copy the new strain to the top of the file
6. …
PACMAN.COM

44. Fix-O-Matic
Antivirus
“We fix it good”
Wave #2 Solution – The Universal Decoder?1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Replace every M with an R
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za lpgwz %-@
5. Pkja wqr mzr pgayn pg mvc zx htw plmk
6. ...
PACMAN.COM
1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Replace every M with an R
2. Locate a new EXE file to infect
3. Generate a new encryption scheme
4. Use the new scheme to encrypt lines 2-5
5. Copy the new strain to the top of the file
6. …
PACMAN.COM
Virus Definition FileVirus Definition File
Name Virus Fingerprint (aka signature)
Killer print “Killer wuz here!”
Loser If it’s Jan 1st, format hard drive!
…
Anthrax Generate a new encryption scheme

45. Fix-O-Matic
Antivirus
“We fix it good”
Wave #2 Solution – The Universal Decoder?1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Replace every M with an R
2. Xqrmzae t gwr PMP gorf xz splrzy
3. Pyzytyte t pmq kncqwyzanw pqaewe
4. Pne zge uye zhaea za lpgwz %-@
5. Pkja wqr mzr pgayn pg mvc zx htw plmk
6. ...
PACMAN.COM
1. On lines 2-5 below:
Replace every T with a Z
Shift all letters back 3 spots
Replace every M with an R
2. Locate a new EXE file to infect
3. Generate a new encryption scheme
4. Use the new scheme to encrypt lines 2-5
5. Copy the new strain to the top of the file
6. …
PACMAN.COM
Virus Definition FileVirus Definition File
Name Virus Fingerprint (aka signature)
Killer print “Killer wuz here!”
Loser If it’s Jan 1st, format hard drive!
…
Anthrax Generate a new encryption scheme
X

46. Wave #2 Solution – Emulation-based Scanning
Computer Virus-Antivirus Co-evolution Part 2
Today1986
Wave #1: Simple Computer Viruses Solution: Antivirus Signatures
Wave #2: Polymorphic Viruses
1990
Solution: Emulation-based Scanning

47. Wave #3 Problem – Macro Viruses
Virus Macro Virus?
Today1995
Wave #3: Macro Viruses

48. Wave #3 Problem – Macro Viruses
Computer Virus-Antivirus Co-evolution Part 2
The world’s first Document-based
“macro” virus, called Concept,
hit cyberspace in July of ‘95.

49. Wave #3 Problem – Macro Viruses
Computer Virus-Antivirus Co-evolution Part 2
The world’s first Document-based
“macro” virus, called Concept,
hit cyberspace in July of ‘95.

50. Wave #3 Problem – Macro Viruses
Computer Virus-Antivirus Co-evolution Part 2
The world’s first Document-based
“macro” virus, called Concept,
hit cyberspace in July of ‘95.

51. Computer Virus-Antivirus Co-evolution Part 2
Strategic Plan
Version 1.0
This document details our new strategic plan for FY’95. This document should
Payload
Macro
AutoExec
Macro
AutoOpen
Macro
Wave #3 Problem – Macro Viruses
AutoOpen
Macro
Payload
Macro

52. Computer Virus-Antivirus Co-evolution Part 2
Strategic Plan
Version 1.0
This document details our new strategic plan for FY’95. This document should
Payload
Macro
AutoExec
Macro
AutoOpen
Macro
Wave #3 Problem – Macro Viruses
AutoOpen
Macro
Payload
Macro
Run the following instructions
any time the user opens this
document in Word:
1. Pop up a window stating:
“This is a confidential
document. Do not copy.”
2. Disable cut and paste from
this document.
3. Flag document as read-only
to prevent modifications.

53. Computer Virus-Antivirus Co-evolution Part 2
Strategic Plan
Version 1.0
This document details our new strategic plan for FY’95. This document should
Payload
Macro
AutoExec
Macro
AutoOpen
Macro
Wave #3 Problem – Macro Viruses
AutoOpen
Macro
Payload
Macro
Run the following instructions
any time the user opens this
document in Word:
1. Enumerate all DOCS that are
currently open in Word and:
copy my AutoOpen and
Payload macros into them.
2. If the date is July 28th, run
the “Payload” macro.

54. Computer Virus-Antivirus Co-evolution Part 2
Strategic Plan
Version 1.0
This document details our new strategic plan for FY’95. This document should
Payload
Macro
AutoExec
Macro
AutoOpen
Macro
Wave #3 Problem – Macro Viruses
AutoOpen
Macro
Payload
Macro
Run the following instructions
only when instructed to do so
by another macro:
1. Pop up a window saying:
“Happy Birthday!”
2. Play “happybday.wav”

55. Wave #3 Solution: Coopetition

56. Wave #3 {Real} Solution:

57. Wave #3 (The Real) Solution – Microsoft Requires Digital Signatures

58. Wave #3: Macro Viruses
Today
Wave #1: Simple Computer Viruses Solution: Antivirus Signatures
Wave #2: Polymorphic Viruses Solution: Emulation-based Scanning
1990 19951986
Wave #3 (The Real) Solution – Microsoft Requires Digital Signatures
Solution: Microsoft requires digital signaturesWave #3: Macro Viruses

59. Today
Wave #4 Problem – Worms
Wave #4: Worms
1999
FILE1.
EXE
Virus
logic
JUMP
FILE2.
EXE
Virus
logic
JUMP
Traditional viruses spread from
file to file on a single computer.
Worms spread from computer to
computer over the network.
WORM.
EXE
WORM.
EXE
WORM.
EXE

60. Today
Wave #4 Problem – Worms
Wave #4: Worms
1999
In 1999 and 2000, computer worms
like Melissa and ILOVEYOU flooded
the Internet!

61. Wave #4 Problem – Worms
ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9. Go back to line 1

62. Wave #4 Problem – Worms
ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9. Go back to line 1
This line of code is
vulnerable to attack!
It expects the user to send
up to four lines of data!
But what if an attacker sends more?
There’s room here
for four lines of data!

63. Wave #4 Problem – Worms
ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9. Go back to line 1
<invalid command>
Pick a random target server
Connect to the target server
Send lines 5-9 to the server
Go back to line 6

64. Wave #4 Problem – Worms
ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9. Go back to line 1
<invalid command>
Pick a random target server
Connect to the target server
Send lines 5-9 to the server
Go back to line 6

65. Wave #4 Problem – Worms
ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9.
<invalid command>
Pick a random target server
Connect to the target server
Send lines 5-9 to the server
Go back to line 6

66. Wave #4 Problem – Worms
ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9.
<invalid command>
Pick a random target server
Connect to the target server
Send lines 5-9 to the server
Go back to line 6
Wait a second!
This line was altered by
the attacker!

67. Network worms spread from
machine to machine…
Wave #4 Problem – Worms
ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9. Go back to line 1
without human interaction…
by exploiting logic flaws
in software!
<invalid command>
Pick a random target server
Connect to the target server
Send lines 5-9 to the server
Let’s see how!
Go back to line 6

68. Network worms spread from
machine to machine…
Wave #4 Problem – Worms
ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9. Go back to line 1
without human interaction…
by exploiting logic flaws
in software!
<invalid command>
Pick a random target server
Connect to the target server
Send lines 5-9 to the server
Let’s see how!
Go back to line 6

69. Network worms spread from
machine to machine…
Wave #4 Problem – Worms
ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9. Go back to line 1
without human interaction…
by exploiting logic flaws
in software!
<invalid command>
Pick a random target server
Connect to the target server
Send lines 5-9 to the server
Let’s see how!
Go back to line 6
<invalid command>
Pick a random target server
Connect to the target server
Send lines 5-9 to the server
Go back to line 6

70. Network worms spread from
machine to machine…
Wave #4 Problem – Worms
ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9. Go back to line 1
without human interaction…
by exploiting logic flaws
in software!
<invalid command>
Pick a random target server
Connect to the target server
Send lines 5-9 to the server
Let’s see how!
Go back to line 6
<invalid command>
Pick a random target server
Connect to the target server
Send lines 5-9 to the server
Go back to line 6

71. Network worms spread from
machine to machine…
Wave #4 Problem – Worms
ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9. Go back to line 1
without human interaction…
by exploiting logic flaws
in software!
<invalid command>
Pick a random target server
Connect to the target server
Send lines 5-9 to the server
Let’s see how!
Go back to line 6
<invalid command>
Pick a random target server
Connect to the target server
Send lines 5-9 to the server
Go back to line 6

72. ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9. Go back to line 1
The solution: DON’T fingerprint each worm!
Wave #4 Solution – Vulnerability-centric Signatures
Instead, determine the minimal criteria
required to attack the vulnerability.
Then look for these criteria in a signature.

73. ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9. Go back to line 1
The solution: DON’T fingerprint each worm!
Wave #4 Solution – Vulnerability-centric Signatures
Instead, determine the minimal criteria
required to attack the vulnerability.
Then look for these criteria in a signature.
First, to attack this flaw, an attacker MUST
send a network packet to an ACME v1.5 server.
Sending the same data to a Google Server or
even an Acme v1.6 Server won’t have any effect!
So let’s add this as a requirement in our
signature!

74. ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9. Go back to line 1
The solution: DON’T fingerprint each worm!
Signature:
First, to attack this flaw, an attacker MUST
send a network packet to an ACME v1.5 server.
If a network packet is being sent
to an ACME v1.5 Server…
Wave #4 Solution – Vulnerability-centric Signatures
Instead, determine the minimal criteria
required to attack the vulnerability.
Then look for these criteria in a signature.
Sending the same data to a Google Server or
even an Acme v1.6 Server won’t have any effect!
So let’s add this as a requirement in our
signature!

75. ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9. Go back to line 1
The solution: DON’T fingerprint each worm!
Signature:
If a network packet is being sent
to an ACME v1.5 Server…
Wave #4 Solution – Vulnerability-centric Signatures
Instead, determine the minimal criteria
required to attack the vulnerability.
Then look for these criteria in a signature.
Second, for an attack to succeed, the packet
MUST have MORE than four lines of data…
The content of the lines doesn’t matter!
If the packet has more than four lines, it will
overwrite our server’s instructions/logic!
So let’s add this to our signature as well!

76. ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9. Go back to line 1
The solution: DON’T fingerprint each worm!
Signature:
If a network packet is being sent
to an ACME v1.5 Server…
Wave #4 Solution – Vulnerability-centric Signatures
Instead, determine the minimal criteria
required to attack the vulnerability.
Then look for these criteria in a signature.
Second, for an attack to succeed, the packet
MUST have MORE than four lines of data…
The content of the lines doesn’t matter!
If the packet has more than four lines, it will
overwrite our server’s instructions/logic!
So let’s add this to our signature as well!
and the packet has MORE than 4 lines…

77. ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9. Go back to line 1
The solution: DON’T fingerprint each worm!
Signature:
If a network packet is being sent
to an ACME v1.5 Server…
Wave #4 Solution – Vulnerability-centric Signatures
Instead, determine the minimal criteria
required to attack the vulnerability.
Then look for these criteria in a signature.
and the packet has MORE than 4 lines…
Now if we find a network packet that meets
both of these requirements…
It’s almost certainly an attack and we should
block the packet from reaching the server!

78. ACME 1.5 Server Logic
1. Wait for another computer to
connect over the ‘net to me
2. Accept data sent by the other
computer & save it on lines 5, 6, …
3. Process the data and return
a result to the other computer
4. Skip to line 9
5.
6.
7.
8.
9. Go back to line 1
The solution: DON’T fingerprint each worm!
Signature:
If a network packet is being sent
to an ACME v1.5 Server…
Wave #4 Solution – Vulnerability-centric Signatures
Instead, determine the minimal criteria
required to attack the vulnerability.
Then look for these criteria in a signature.
and the packet has MORE than 4 lines…
Now if we find a network packet that meets
both of these requirements…
It’s almost certainly an attack and we should
block the packet from reaching the server!
then BLOCK the packet!

79. Signature:
If a network packet is being sent
to an ACME v1.5 Server…
Wave #4 Solution – Vulnerability-centric Signatures
and the packet has MORE than 4 lines…
then BLOCK the packet!

80. Signature:
If a network packet is being sent
to an ACME v1.5 Server…
Wave #4 Solution – Vulnerability-centric Signatures
and the packet has MORE than 4 lines…
then BLOCK the packet!
Our new signature makes NO reference to the
content of the packet other than its length.
It’s worm-agnostic!
And we can write such a signature the moment
we learn about a new vulnerability!
Before the hacker can even create a worm!
Instead, it specifies the minimum criteria a
packet must meet to succeed in an attack.

81. Solution: Microsoft requires digital signatures
Wave #1: Simple Computer Viruses Solution: Antivirus Signatures
Wave #2: Polymorphic Viruses Solution: Emulation-based Scanning
Wave #3: Macro Viruses
Today1990 19951986
Wave #4: Worms
1999
Solution: Vulnerability-centric Signatures
Wave #4 Solution – Vulnerability-centric Signatures

82. Wave #5 Problem – Web-based Malware
Today
Wave #5: Web-based Malware
2004

83. Attacks:
The “Buffer Overflow” Hack
Wave #5 Problem – Web-based Malware
Using a New Kind of Attacker-side Polymorphism
Malware
Attack
File
Malware
Attack
File

84. Attacks:
The “Buffer Overflow” Hack
Wave #5 Problem – Web-based Malware
Using a New Kind of Attacker-side Polymorphism
Malware
Attack
File
Malware
Attack
File

85. Attacks:
The “Buffer Overflow” Hack
Wave #5 Problem – Web-based Malware
Using a New Kind of Attacker-side Polymorphism
Malware
Attack
File
Malware
Attack
File

86. Attacks:
The “Buffer Overflow” Hack
Wave #5 Problem – Web-based Malware
Using a New Kind of Attacker-side Polymorphism
Malware
Attack
File
Malware
Attack
File
Compressed
(obfuscated)
Malware
Unpacker
(e.g., LZW)

87. Attacks:
The “Buffer Overflow” Hack
Wave #5 Problem – Web-based Malware
Using a New Kind of Attacker-side Polymorphism
Compressed
(obfuscated)
Malware
Unpacker
(e.g., LZW)

88. Attacks:
The “Buffer Overflow” Hack
Wave #5 Problem – Web-based Malware
Using a New Kind of Attacker-side Polymorphism
Compressed
(obfuscated)
Malware
Unpacker
(e.g., LZW)

89. Attacks:
The “Buffer Overflow” Hack
Wave #5 Problem – Web-based Malware
Using a New Kind of Attacker-side Polymorphism
(original)
Malware
Attack
Logic

90. Attacks:
The “Buffer Overflow” Hack
Wave #5 Problem – Web-based Malware
Using a New Kind of Attacker-side Polymorphism
(original)
Malware
Attack
Logic
The attackers
can tightly control and
update their
polymorphism!

91. Wave #5 Solution – ????
These threats may have
looked different on the surface…

92. Wave #5 Solution – ????
These threats may have
looked different on the surface…
And their instructions may have
differed substantially… 00101110
00000111
11101010
11000010
00011001
01000011
11111011
11011101

93. Wave #5 Solution – ????
But their underlying behavioral
patterns were strikingly similar!
These threats may have
looked different on the surface…
And their instructions may have
differed substantially… 00101110
00000111
11101010
11000010
00011001
01000011
11111011
11011101
1. Lower security settings
2. Create a new file in the system folder
3. Modify the settings to auto-load this file
4. Do NOT display anything on the screen
1. Lower security settings
2. Create a new file in the system folder
3. Modify the settings to auto-load this file
4. Do NOT display anything on the screen
1. Lower security settings
2. Create a new file in the system folder
3. Modify the settings to auto-load this file
4. Do NOT display anything on the screen
1. Lower security settings
2. Create a new file in the system folder
3. Modify the settings to auto-load this file
4. Do NOT display anything on the screen
1. Lower security settings
2. Create a new file in the system folder
3. Modify the settings to auto-load this file
4. Do NOT display anything on the screen

94. But their underlying behavioral
patterns were strikingly similar!
These threats may have
looked different on the surface…
And their instructions may have
differed substantially… 00101110
00000111
11101010
11000010
00011001
01000011
11111011
11011101
1. Lower security settings
2. Create a new file in the system folder
3. Modify the settings to auto-load this file
4. Do NOT display anything on the screen
1. Lower security settings
2. Create a new file in the system folder
3. Modify the settings to auto-load this file
4. Do NOT display anything on the screen
1. Lower security settings
2. Create a new file in the system folder
3. Modify the settings to auto-load this file
4. Do NOT display anything on the screen
1. Lower security settings
2. Create a new file in the system folder
3. Modify the settings to auto-load this file
4. Do NOT display anything on the screen
1. Lower security settings
2. Create a new file in the system folder
3. Modify the settings to auto-load this file
4. Do NOT display anything on the screen
Idea:
Why not monitor all software as it runs…
and block programs with known patterns of malicious behavior?
Wave #5 Solution – Behavior Blocking

95. Question:
How do we identify malicious
patterns of behavior?

96. Question:
How do we identify malicious
patterns of behavior?
Answer:
We create a decision tree
based on an analysis of
millions of malware samples!

97. Question:
How do we identify malicious
patterns of behavior?
Creates
system
file?
Creates
autoload
setting?
92%
chance of
malware
NO YES
NO YES
NO YES
NO YES
NO YES
…Displays
data on
screen?
85%
chance of
malware
NO YES
…
Answer:
We create a decision tree
based on an analysis of
millions of malware samples!
NO YES
Deletes
password
database?
Lowers
security
settings?
Displays
data on
screen?
Creates
admin
account?
87% chance
it’s a normal
program
95% chance
it’s a normal
program
83% chance
it’s a normal
program
97% chance
it’s a normal
program

98. Today1990 1995 1999
Solution: Microsoft requires digital signatures
Wave #2: Polymorphic Viruses Solution: Emulation-based Scanning
Wave #3: Macro Viruses
Wave #4: Worms Solution: Vulnerability-centric Signatures
Wave #5: Web-based Malware
2004
Solution: Behavior Blocking
Wave #5 Solution – Behavior Blocking

99. In the mid-late 2000s, attackers shifted into high gear,
using automation to generate millions of unique malware strains,
each tailored to evade antivirus protection.
Wave #6 Problem – Auto-generated Malware Explosion
Today
Wave #6: Auto-generated Malware
2007

100. 00011001
01000011

101. 00011001
01000011
00011001
01000011
00011001
01000011

102. 00011001
01000011

103. 00011001
01000011
00011001
01000011
00011001
01000011

104. How could we possibly detect these millions of threats?
So we didn’t know about them…
No one reported them…
So we couldn’t fingerprint them…
They were all but invisible!
Wave #6 Problem – Auto-generated Malware Explosion
?

105. Wave #6 Solution – ?????

106. Wave #6 Solution – ?????
Could we somehow leverage
the wisdom of hundreds of millions of users
to compute a safety rating
for every single file, good or bad, on the Internet?

107. But then it hit us…
Some internet users are riskier than others…

108. BAD GOOD
Internet Hygiene
But then it hit us…
Some internet users are riskier than others…
Some are
infected frequently…

109. BAD GOOD
Internet Hygiene
But then it hit us…
Some internet users are riskier than others…
Some are
infected frequently…
Others are
really safe…
BAD GOOD
Internet Hygiene

110. What if we took each new file
which of our millions of users adopted it and which avoided it?
and looked at…
And all our users have to do is be themselves!

111. FILE
B
FILE
A
What if we took each new file
which of our millions of users adopted it and which avoided it?
and looked at…
And all our users have to do is be themselves!

112. Wave #6 Solution – A Fundamental Shift
Traditional approaches
detect malware based
on its instructions
or how it behaves.
Computer Virus-Antivirus Co-evolution Part 2

113. Wave #6 Solution – A Fundamental Shift
The Hygiene-based approach
is fundamentally different!
It classifies software based its
associations, not its content.
Traditional approaches
detect malware based
on its instructions
or how it behaves.
Computer Virus-Antivirus Co-evolution Part 2

114. Wave #6 Solution – Hygiene-based Reputation
Today1999 2004
Wave #4: Worms Solution: Vulnerability-centric Signatures
Wave #5: Web-based Malware
Wave #6: Auto-generated Malware
2007
Solution: Behavior Blocking
Solution: Hygiene-based Reputation

115. Wave #7 Problem – Targeted Attacks
115
Today
Wave #7: Targeted Attacks
????

116. How do you block a state-sponsored attacker
with nearly unlimited resources from
compromising your intellectual property?
Wave #7 Problem – Targeted Attacks

117. Wave #7 Solution – ???
? 50/50
“They modify [their malware] until we don't detect so it is almost
irrelevant what happens from a static scanning perspective.”
– Eric Chien, Distinguished Engineer, Symantec

118. Our proposal has three parts:
Wave #7 Solution – A big-data-driven Security Service
1. Security products must become collectors of
security-relevant data in addition to detecting obvious attacks.

119. Our proposal has three parts:
Wave #7 Solution – A big-data-driven Security Service
1. Security products must become collectors of
security-relevant data in addition to detecting obvious attacks.
2. This telemetry will be hosted in a secure, elastic,
multi-tenant big-data platform.

120. Our proposal has three parts:
Wave #7 Solution – A big-data-driven Security Service
1. Security products must become collectors of
security-relevant data in addition to detecting obvious attacks.
2. This telemetry will be hosted in a secure, elastic,
multi-tenant big-data platform.
3. We will then leverage a combination of manual and
automated, intra- and inter-enterprise mining to identify attacks.

121. Network connections
Anonymization Layer
Wave #7 Solution – A big-data-driven Security Service
Acme Corp Bravo Corp
…

122. Email metadata
Anonymization Layer
Wave #7 Solution – A big-data-driven Security Service
Acme Corp Bravo Corp
…

123. Anonymization Layer
Wave #7 Solution – A big-data-driven Security Service
Acme Corp Bravo Corp
…
Log file deletions

124. Anonymization Layer
Wave #7 Solution – A big-data-driven Security Service
Acme Corp Bravo Corp
…
Settings changes

125. Anonymization Layer
Wave #7 Solution – A big-data-driven Security Service
Acme Corp Bravo Corp
…
Files adopted

126. Anonymization Layer
Wave #7 Solution – A big-data-driven Security Service
Acme Corp Bravo Corp
…
Logins (incl. failed logins)

127. Anonymization Layer
Wave #7 Solution – A big-data-driven Security Service
Acme Corp Bravo Corp
…
Secure, Siloed Big-data Store
CONNECTION HISTORY
…
Source Destination File
ACME CO.
LOGINHISTORY
…
Source Destination File
EMAIL HISTORY
…
Source Destination File
CONNECTION HISTORY
…
Source Destination File
BRAVO CO.
LOGINHISTORY
…
Source Destination File
EMAIL HISTORY
…
Source Destination File

128. Anonymization Layer
Wave #7 Solution – A big-data-driven Security Service
Acme Corp Bravo Corp
…
Secure, Siloed Big-data Store
CONNECTION HISTORY
…
Source Destination File
ACME CO.
LOGINHISTORY
…
Source Destination File
EMAIL HISTORY
…
Source Destination File
CONNECTION HISTORY
…
Source Destination File
BRAVO CO.
LOGINHISTORY
…
Source Destination File
EMAIL HISTORY
…
Source Destination File

129. Anonymization Layer
Wave #7 Solution – A big-data-driven Security Service
Acme Corp Bravo Corp
…
Secure, Siloed Big-data Store
CONNECTION HISTORY
…
Source Destination File
ACME CO.
LOGINHISTORY
…
Source Destination File
EMAIL HISTORY
…
Source Destination File
CONNECTION HISTORY
…
Source Destination File
BRAVO CO.
LOGINHISTORY
…
Source Destination File
EMAIL HISTORY
…
Source Destination File
As security researchers discover
new indications of compromise…
They can mine the big-data store to
discover related in-progress attacks.
And the telemetry can then be used
for forensic purposes – to identify the
who/what/when/where/how of an intrusion.

130. Wave #7 Solution – Big Data driven Security Service
Today2004 2007
Wave #5: Web-based Malware Solution: Behavior Blocking
Wave #6: Auto-Generated Malware
Wave #7: Targeted Attacks
????
Solution: Hygiene-based Reputation
Solution: Big-Data driven Security Service

131. Wave #8 Problem – Crypto Ransomware
131
Today
Wave #8: Crypto Ransomware
2013

133. Ransomware on mobile

137. Wave #8 Solution – ???
Detect attempts to encrypt
Other Ideas?
Raise cyber security awareness

138. Credits
• Carey Nachenberg
• Original creator of this deck

139. Thank You