emerging new viruses can add up and affect their performance. Different AV vendors deal with them differently; some of them take into consideration the type of file being scanned, and that gives them a hint of what part of the code they should look at. As discussed in section 2, viruses are clever at changing their look by altering their source code. A good mutation engine will generate very different strains, and each strain will not carry the signature of the original virus. In the case of polymorphic and metamorphic viruses, it is not possible to have a unique signature for the virus family. This means that although the signatures of various strains are known, there is always a good chance that another strain will succeed in bypassing signature detection.

5.2 Checksum

A checksum is used to verify the integrity of any kind of file. It is normally used to check the correctness of TCP/IP packets, which are the main form of communication on the Internet. Software manufacturers use checksums to detect unauthorized modifications made to bypass their license checks. The concept of a checksum is also used in generating a message authentication code (MAC) to check the integrity of messages [6]. Today's viruses also use checksums to see whether their own code has been tampered with before they start infecting.

There are many checksum programs readily available for download. Since they are called only when a new program is accessed, they do not have a high performance impact. Executable files are not changed often, so a checksum can be used to verify their integrity. When an integrity check fails, there is a chance that a virus has modified the file, and this helps in detecting the malicious behavior. Checksumming is an example of the "detection by change" methodology, where malicious activity is detected when files are changed.
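An added example (not code from the paper) of the "detection by change" idea in section 5.2: a baseline of keyed digests kept apart from the scanned files, beside a checksum stored inside the file, which anything that rewrites the file can simply recompute. The file contents, key and names are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed stand-ins for executables on disk: name -> file contents.
PROGRAMS = {
    "editor.exe": b"MZ\x90\x00editor-code-v1",
    "viewer.exe": b"MZ\x90\x00viewer-code-v1",
}

# Assumption: this key is stored away from the scanned system (e.g. on
# write-protected media), so code that rewrites a file cannot recompute it.
BASELINE_KEY = b"out-of-band-baseline-key"

def keyed_digest(data: bytes, key: bytes = BASELINE_KEY) -> str:
    """MAC over the file contents (HMAC-SHA256), the MAC idea the text mentions."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_baseline(programs: dict) -> dict:
    """Record one keyed digest per file while the system is believed clean."""
    return {name: keyed_digest(data) for name, data in programs.items()}

def changed_files(baseline: dict, programs: dict) -> list:
    """Detection by change: files whose digest no longer matches the baseline."""
    return sorted(
        name for name, data in programs.items()
        if not hmac.compare_digest(baseline.get(name, ""), keyed_digest(data))
    )

def simple_checksum(data: bytes) -> int:
    """16-bit additive checksum of the kind a file may carry inside itself."""
    return sum(data) & 0xFFFF

def with_self_checksum(data: bytes) -> bytes:
    """Append the file's own checksum as a two-byte trailer."""
    return data + simple_checksum(data).to_bytes(2, "little")

def self_check_passes(blob: bytes) -> bool:
    """Verify the trailer against the body, as a self-checking file would."""
    return simple_checksum(blob[:-2]) == int.from_bytes(blob[-2:], "little")

def modify_and_refresh_checksum(blob: bytes, change: bytes) -> bytes:
    """Models the weakness the text notes: alter the body, then store a fresh
    checksum so the in-file self-check still passes; the keyed baseline does not."""
    return with_self_checksum(blob[:-2] + change)
```

The out-of-band baseline catches the change because the key is never available to whatever rewrote the file; the in-file trailer is only as trustworthy as the file itself.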
Checksumming is a traditional method of detecting unwanted changes; however, there are a few viruses, like the latest Hidan [17] from the Chiton family of W32 viruses, that calculate a new checksum after infection. The virus then replaces the existing checksum with the new value, thus escaping detection.

5.3 Hardware-based security

Next Generation Secure Computing Base (NGSCB) is a hardware-based security system that allows only "trusted" agents to access secrets on the system. These secrets can be memory, signatures and keys used by the user. Unlike other AV tools, such systems need not depend on a particular virus and have a common detection mechanism for all malware. However, an operating system needs to be configured in order to use this system. Apart from using NGSCB to sign documents, digital rights management [6] can be used to keep viruses at bay.

Access control lists (ACLs) are often used in an authorization process and are checked to see whether a user is allowed to perform an action. Viruses will never be given access to perform malicious activities if the ACLs for each application are maintained properly. In other words, proper authorization for applications is needed in a system where the privilege of each application is clearly defined. The operating system has to be configured to use this system. As it can also be programmed to identify whether an application is behaving oddly, this can be taken as an anti-virus technology. The efficiency of this system depends upon how frequently new applications are used. A home user might need to rebuild the complete access matrix every time new software is installed, and this imposes considerable overhead [16]. On the other hand, at an organizational level, where installed software does not change often, this would be a very good solution. An experienced system administrator would know which applications are allowed to do what.

The toughest problem in this system is how to measure the trustworthiness of an application.
To set the allowed operations of an application, definitions of what is not malicious need to be established, which again depends upon what existing malware has caused or might cause. There is always a possibility that viruses will modify or delete these access lists, but then again this is a common problem for all anti-virus products.

5.4 Heuristics Based Analysis

Heuristics are prominently used for discovering unknown viruses based on known virus behavior. Every new file is monitored and scored against a predefined set of indicators that are determined by analyzing known viruses. When the score of these indicators is high, the file is flagged as a virus. Although there are known to be false positives in this process, it is fairly effective in detecting unknown and new strains of viruses. Static heuristic analysis deals with inspecting code sequences for known virus-like code. A flagged malicious behavior in the static case triggers the dynamic heuristics. Dynamic heuristics emulate the program under consideration to explore it further. It looks for indicators like very big files, large debug sections, entry-point code redirection, suspicious kernel operations and many more. If the program fails the heuristics test, the user is warned; otherwise the heuristics scanner continues closely watching the program's system calls and interrupts [23].

The indicators used in the analysis sometimes number in the hundreds. Using too many indicators is disadvantageous, as it flags non-viruses, and tuning the right score threshold poses a considerable challenge in using heuristics. In the case of polymorphic viruses, the code is executed in an emulator until it is decrypted and a known signature is seen; this process needs to be continued in the case of multi-layered encryption. Metamorphic viruses do not have a signature, and their detection depends upon the indicators for any doubtful actions. But metamorphic viruses
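An added example (not from the paper) of the indicator scoring that section 5.4 describes, using the indicators the text names; the weights, size limits, sample attributes and file names are illustrative assumptions. The threshold sweep at the end shows the trade-off the text raises: a low threshold flags a clean debug-heavy build, a higher one does not.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    """Constructed static attributes of one program (not real scanner output)."""
    name: str
    size_bytes: int
    debug_section_bytes: int
    entry_point_in_last_section: bool
    suspicious_kernel_calls: bool
    self_modifying_code: bool

# Indicators named in the text; weights and limits are illustrative assumptions.
INDICATORS = [
    ("very large file", 1, lambda s: s.size_bytes > 50_000_000),
    ("large debug section", 2, lambda s: s.debug_section_bytes > 1_000_000),
    ("entry-point redirection", 4, lambda s: s.entry_point_in_last_section),
    ("suspicious kernel operation", 4, lambda s: s.suspicious_kernel_calls),
    ("self-modifying code", 3, lambda s: s.self_modifying_code),
]

def score(sample: Sample):
    """Sum the weights of the indicators that fire and report which ones did."""
    fired = [(desc, w) for desc, w, pred in INDICATORS if pred(sample)]
    return sum(w for _, w in fired), [desc for desc, _ in fired]

def is_flagged(sample: Sample, threshold: int) -> bool:
    """A file is reported as a virus when its score reaches the threshold."""
    return score(sample)[0] >= threshold

def sweep_thresholds(samples, labels, thresholds):
    """Per threshold: (known-bad samples detected, known-good samples flagged)."""
    result = {}
    for t in thresholds:
        detected = sum(is_flagged(s, t) for s, bad in zip(samples, labels) if bad)
        false_pos = sum(is_flagged(s, t) for s, bad in zip(samples, labels) if not bad)
        result[t] = (detected, false_pos)
    return result

# Constructed corpus: a debug-heavy but clean build, a small utility, and a
# sample exhibiting the entry-point and kernel indicators typical of infectors.
CORPUS = [
    Sample("debug-build.exe", 80_000_000, 5_000_000, False, False, False),
    Sample("calc.exe", 300_000, 0, False, False, False),
    Sample("infected.exe", 400_000, 0, True, True, True),
]
LABELS = [False, False, True]  # True = known virus sample
```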