This tutorial is only a summary; it does not cover sandbox analysis or other advanced methods. Sorry for my English.
METHODS OF MALWARE DETECTION
"Malware" is software used to damage a digital system.
The term "malware" covers all worms, Trojans, viruses and so on.
* Anti-worm/antivirus/anti-malware: an antivirus, unlike malware, is made to detect and eradicate malware.
To do so it periodically analyses RAM, storage devices (USB drives, hard disks) and incoming files (for example, files downloaded from the Internet).
I. Foreword
In the "war" against malware, it became necessary to invent methods for detecting and completely removing malware without human intervention, since a human can in no way spot a well-hidden virus alone. For that purpose the developers invented what we call "antiviruses" today. Everybody knows them; they are our best friend: when we buy a PC, the first thing we do is download our antivirus (free or paid, the difference is small). But do you know how this works? That is what we are going to see in this tutorial, which presents the 4 most used malware detection methods...
II. Summary:
1. Signature detection method
   A) Detection (and removal)
   B) Bypassing
2. Spectral analysis method
   A) Detection (and removal)
   B) Bypassing
3. Behavioural analysis method
   A) Detection (and removal)
   B) Bypassing
4. Heuristic method
   A) Detection (and removal)
   B) Bypassing
5. Links
1. Signature detection method
A) Detection (and removal)
This detection method, also called "scanning", is the most widespread among anti-malware developers, simply because it is very simple to implement. It is also the first check an anti-malware product performs, because it can detect the malware before it is executed in memory.
The antivirus "scans" the file looking for a piece of code that we call a "signature". Signatures are stored in the anti-malware's database (each one is unique: every piece of malware has its own signature) and the database is updated regularly.
The only drawback of this technique is that it NEEDS to be "maintained" ALL THE TIME: new malware appears every day, its signatures are not yet in the database, so the anti-malware cannot detect or eradicate it. This is why updates are ESSENTIAL for an anti-malware product (and it is on this point that paid and free anti-malware are compared).
B) Bypassing
Malware developers have had (for a long time now) techniques "to bypass" anti-malware. Against signature detection, the malware just has to be "polymorphic" (= take several forms).
The mechanism is simple: the malware carries an encryption routine and a decryption routine. At every replication it encrypts its body with a new key, so the bytes that formed the signature change from one copy to the next, and the copy escapes signature detection. Note that the decryption routine itself must also be rewritten at each generation (different registers, instruction order, junk instructions); if the stub stayed constant it would simply become the new signature.
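As an added example (not code from the tutorial), the following Python shows a minimal signature scanner and why re-encoding the body with a fresh key defeats it. The signature database, the sample, the one-byte XOR "engine" and its decryption stub are all constructed for the demo:

```python
"""Signature scanning, and why a polymorphic re-encoding of the body defeats it.

Added example, not code from the tutorial. The signature database, the
'malware' sample, the decryption stub and the XOR re-encoding are all
constructed for the demo; real engines match far richer patterns.
"""
import os
from typing import List, Optional

# Constructed signature database: detection name -> byte pattern.
SIGNATURES = {
    # pushad; call $+5; pop ebp; sub ebp,... (classic delta-offset prologue, truncated)
    "Demo.Worm.A": bytes.fromhex("60e8000000005d81ed"),
    "Demo.Trojan.B": b"cmd.exe /c del",
}

# Constructed x86 decryption stub: mov al,[esi]; xor al,[edi]; mov [esi],al;
# inc esi; loop. A naive engine emits it unchanged in every copy.
STUB = bytes.fromhex("8a063207880646e2f8")


def scan(blob: bytes) -> List[str]:
    """Return the detection names whose pattern occurs anywhere in blob."""
    return [name for name, sig in SIGNATURES.items() if sig in blob]


def polymorph(body: bytes, key: Optional[int] = None) -> bytes:
    """Re-encode body with a one-byte XOR key and prepend STUB plus the key.

    A fresh key on every replication changes every byte of the body, so a
    signature taken on the plaintext body no longer matches.
    """
    if key is None:
        key = os.urandom(1)[0] % 255 + 1  # 1..255: key 0 would leave the body in clear
    encoded = bytes(b ^ key for b in body)
    return STUB + bytes([key]) + encoded


def decode(blob: bytes) -> bytes:
    """What the stub does at run time: strip the header and undo the XOR."""
    key = blob[len(STUB)]
    return bytes(b ^ key for b in blob[len(STUB) + 1:])


# Constructed sample whose body carries the Demo.Worm.A pattern.
SAMPLE = b"MZ" + b"\x90" * 16 + SIGNATURES["Demo.Worm.A"] + b"\xcc" * 8

if __name__ == "__main__":
    mutated = polymorph(SAMPLE)
    print("plaintext sample  :", scan(SAMPLE))      # ['Demo.Worm.A']
    print("re-encoded sample :", scan(mutated))     # []
    print("stub still present:", STUB in mutated)   # True
    assert decode(mutated) == SAMPLE
```

Note the last print: because this toy engine never mutates its decryption stub, the stub is a fixed byte sequence and can itself be signatured. A real polymorphic engine rewrites the decryptor at every generation precisely to close that gap.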
2. Spectral analysis method
A) Detection (and removal)
Since signature analysis is vulnerable to polymorphic malware, the anti-malware laboratories developed a technique to detect polymorphism, called, as you guessed, "spectral analysis".
The anti-malware analyses the instructions in the suspicious file and, depending on the presence or absence of very particular instructions that are not normally used, or on the frequency (the distribution) of such instructions, decides whether or not to flag the file as a parasite. It starts from the principle that every compiled program is supposed to contain a trace of its compiler in its code (for example Microsoft Visual C++). Since (in theory) polymorphic code encrypts the body to hide the signature, it encrypts the compiler's trace along with it. Faced with an unusual sequence of instructions, the anti-malware flags the program as malware.
Example of a compiler signature (Microsoft Visual C++ 5.0):
PUSH EBP                          ; standard frame set-up
MOV EBP,ESP
PUSH -1                           ; SEH frame: initial try level
PUSH XXXXXXX.00000000             ; scope table address
PUSH XXXXXXX.00000000             ; exception handler address
MOV EAX,DWORD PTR FS:[0]          ; previous SEH record
PUSH EAX
MOV DWORD PTR FS:[0],ESP          ; install the new SEH record
ADD ESP,-58                       ; reserve space for locals
PUSH EBX                          ; save callee-saved registers
PUSH ESI
PUSH EDI
MOV DWORD PTR SS:[EBP-18],ESP     ; save the stack pointer
B) Bypassing
This is where the "war" between antiviruses and malware shows: the virus writers simply bypassed this method by injecting into the program a sequence of useless instructions (harmless filler that the detection engine has no reason to flag), so that the instruction distribution looks like that of a normally compiled program and the spectral analysis is deceived.
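Added example, not code from the tutorial: a toy spectral check in Python that combines the two criteria described above, a known compiler prologue at the entry point (the real x86 bytes for PUSH EBP; MOV EBP,ESP) and the byte distribution (entropy used as a proxy for instruction frequency). The samples, the threshold and the NOP-padding bypass are constructed for the demo:

```python
"""Spectral analysis: look for the compiler's trace and for an abnormal
byte distribution instead of a fixed signature.

Added example, not code from the tutorial. The prologue bytes are the
x86 encoding of 'push ebp; mov ebp,esp' (55 8B EC); the samples and the
7.0 bits/byte threshold are constructed for the demo.
"""
import math
from collections import Counter

# Entry-point fingerprints left by compilers (extend with other compilers).
COMPILER_PROLOGUES = {
    "MSVC": bytes.fromhex("558bec"),  # push ebp; mov ebp,esp
}
ENTROPY_THRESHOLD = 7.0  # ordinary compiled code sits well below; ciphertext is near 8.0


def has_compiler_prologue(code: bytes) -> bool:
    """True when the code starts with a known compiler prologue."""
    return any(code.startswith(p) for p in COMPILER_PROLOGUES.values())


def byte_entropy(code: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0..8.0)."""
    if not code:
        return 0.0
    n = len(code)
    return -sum(c / n * math.log2(c / n) for c in Counter(code).values())


def spectral_verdict(code: bytes) -> str:
    """'suspicious' when there is no compiler trace AND the bytes look like
    ciphertext (what an encrypted polymorphic body looks like); else 'clean'."""
    if not has_compiler_prologue(code) and byte_entropy(code) > ENTROPY_THRESHOLD:
        return "suspicious"
    return "clean"


# Constructed samples.
# Ordinary function: prologue, repeated 'sub esp,8', epilogue 'mov esp,ebp; pop ebp; ret'.
CLEAN = bytes.fromhex("558bec") + bytes.fromhex("83ec08") * 20 + bytes.fromhex("8be55dc3")
# Every byte value equally often: 8.0 bits/byte and no prologue, like an encrypted body.
ENCRYPTED = bytes(range(256)) * 4
# The bypass from the text: a fake prologue plus a filler of harmless NOPs (0x90)
# drags the distribution back into the 'normal' range.
PADDED = COMPILER_PROLOGUES["MSVC"] + ENCRYPTED + b"\x90" * 1024

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("encrypted", ENCRYPTED), ("padded", PADDED)):
        print(f"{name:10s} entropy={byte_entropy(blob):.2f} verdict={spectral_verdict(blob)}")
```

The padded sample passes on both criteria at once, which is exactly the weakness the bypass exploits: a distribution-based check can only ever say "this does not look like compiler output", and filler is cheap.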
3. Behavioural analysis method
A) Detection (and removal)
One of the things an antivirus does around the clock (normally, for a good AV) is behavioural analysis; as I said, this technique is always running, always active.
It is one of the most effective methods, because it detects malware without the malware being "known" in the database.
It works as follows:
- it watches any attempt to write into another program and/or to modify a system file (or any other hostile action) that would betray a virus, and warns the user of the system.
There is also a "hardware" monitor which, as its name says, is built into the hardware; it is the ultimate level of security, because it forbids any access at all to the sensitive files of the system.
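Added example (not code from the tutorial) of the behavioural logic described in this section, run in Python over a constructed monitor trace. The event format, the three rules, their weights and the alert threshold are assumptions for the demo:

```python
"""Behavioural analysis: judge a running process by what it does, not by what it is.

Added example, not code from the tutorial. The event records are a
constructed trace (the kind a file-system/registry monitor would deliver);
the three rules, their weights and the alert threshold are illustrative.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SYSTEM_DIRS = ("c:\\windows\\",)
PROGRAM_SUFFIXES = (".exe", ".dll", ".sys")
ALERT_THRESHOLD = 3  # one suspicious action alone is not enough (installers do them too)


def score_event(event: dict) -> Tuple[int, Optional[str]]:
    """Map one monitored action to a suspicion weight and a human-readable reason."""
    op, path, image = event["op"], event["path"].lower(), event["image"].lower()
    if op == "write" and path.startswith(SYSTEM_DIRS):
        return 2, "modifies a system file: " + event["path"]
    if op == "write" and path.endswith(PROGRAM_SUFFIXES) and path != image:
        return 3, "writes into another program: " + event["path"]
    if op == "registry_set" and "\\currentversion\\run\\" in path:
        return 1, "installs persistence via Run key: " + event["path"]
    return 0, None


def evaluate(events: List[dict], threshold: int = ALERT_THRESHOLD) -> Dict[int, dict]:
    """Accumulate suspicion per process; alert once the total crosses threshold."""
    report = defaultdict(lambda: {"score": 0, "reasons": [], "alert": False})
    for ev in events:
        weight, reason = score_event(ev)
        entry = report[ev["pid"]]
        entry["score"] += weight
        if reason:
            entry["reasons"].append(reason)
        entry["alert"] = entry["score"] >= threshold
    return dict(report)


# Constructed monitor trace: pid 200 behaves like a file infector that also persists.
EVENTS = [
    {"pid": 100, "image": "C:\\Program Files\\Editor\\editor.exe", "op": "write",
     "path": "C:\\Users\\bob\\notes.txt"},
    {"pid": 200, "image": "C:\\Users\\bob\\Downloads\\invoice.exe", "op": "write",
     "path": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"pid": 200, "image": "C:\\Users\\bob\\Downloads\\invoice.exe", "op": "write",
     "path": "C:\\Program Files\\Editor\\editor.exe"},
    {"pid": 200, "image": "C:\\Users\\bob\\Downloads\\invoice.exe", "op": "registry_set",
     "path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    {"pid": 300, "image": "C:\\Windows\\System32\\svchost.exe", "op": "read",
     "path": "C:\\Windows\\System32\\ntdll.dll"},
]

if __name__ == "__main__":
    for pid, entry in evaluate(EVENTS).items():
        state = "ALERT" if entry["alert"] else "ok"
        print(f"pid {pid}: {state} (score {entry['score']})")
        for reason in entry["reasons"]:
            print("   ", reason)
```

Nothing here needs a signature: the downloaded executable is flagged purely because of the sequence of actions it performs. The scoring, rather than an alert on the first hit, is what keeps a legitimate installer (which also writes executables) from being reported on a single event.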
B) Bypassing
Nothing found on this subject.
4. Heuristic method (heuristic algorithm)
A) Detection (and removal)
The heuristic method is by far the best method for detecting malware (because it detects polymorphic malware too). It is based on analysis of the machine code, looking for code that could be dangerous when executed, or suspicious (so-called viral code).
BUT beware: the heuristic method is said to be "passive" (like signature detection) because it does not execute the code, it only analyses it; for that, AVs using this technique come with a disassembler.
For example, a polymorphic virus can be detected by heuristic analysis: the antivirus walks through the code and, as soon as it reaches the decryption routine, it declares the file malicious, because the decryption routine walks through the program's own code in order to modify it (and that is a viral instruction sequence).
Of course, it does not declare a file malicious on seeing the first suspicious instruction; it takes a certain amount of evidence before it sounds the alert.
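Added example, not code from the tutorial: a static heuristic in Python that parses a constructed x86 disassembly listing (the kind the AV's disassembler would produce), looks for a loop that writes transformed bytes into the program's own code section (a decryption routine), and alerts only once enough indicators accumulate, as the text describes. The listings, the code-section range, the indicator weights and the threshold are assumptions for the demo:

```python
"""Static heuristic analysis: spot a decryption loop in a disassembly listing
without executing anything, and only alert once enough evidence adds up.

Added example, not code from the tutorial. The two listings are constructed
(instruction byte lengths match real x86 encodings); the code-section range,
indicator weights and alert threshold are illustrative.
"""
import re
from typing import Dict, List, Tuple

CODE_SECTION = (0x401000, 0x402000)  # constructed: where the sample's own code lives
ALERT_THRESHOLD = 3                  # a single suspect instruction never triggers
TRANSFORMS = {"xor", "add", "sub", "rol", "ror", "not"}
BACKWARD_JUMPS = {"loop", "jmp", "jnz", "jne", "jb", "jae", "jl", "jg"}

LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+([a-z]+)\s*(.*)$")
MEM_DEST_RE = re.compile(r"^(?:(?:byte|word|dword) ptr\s*)?\[\s*(e[a-z]{2})\s*\]")
REG_IMM_RE = re.compile(r"^(e[a-z]{2})\s*,\s*0x([0-9a-fA-F]+)$")
TARGET_RE = re.compile(r"^0x([0-9a-fA-F]+)$")


def parse(listing: str) -> List[Dict]:
    """Turn 'addr  mnemonic operands' lines into dicts; skip anything else."""
    insns = []
    for line in listing.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, mnem, ops = m.groups()
            insns.append({"addr": int(addr, 16), "mnem": mnem.lower(), "ops": ops.strip()})
    return insns


def heuristic_score(listing: str) -> Tuple[int, List[str]]:
    """Score the listing: memory writes inside a loop, arithmetic transforms on
    memory, and pointers aimed at the code section itself (self-modification)."""
    insns = parse(listing)
    score, reasons = 0, []
    # Registers loaded with an immediate that falls inside the code section.
    code_ptrs = set()
    for i in insns:
        m = REG_IMM_RE.match(i["ops"]) if i["mnem"] == "mov" else None
        if m and CODE_SECTION[0] <= int(m.group(2), 16) < CODE_SECTION[1]:
            code_ptrs.add(m.group(1))
    # Every backward jump delimits a loop body; inspect what that body does.
    for i in insns:
        t = TARGET_RE.match(i["ops"]) if i["mnem"] in BACKWARD_JUMPS else None
        if not t or int(t.group(1), 16) >= i["addr"]:
            continue
        target = int(t.group(1), 16)
        for b in insns:
            if not (target <= b["addr"] < i["addr"]):
                continue
            md = MEM_DEST_RE.match(b["ops"])
            if not md:
                continue
            score += 1
            reasons.append(f"{b['addr']:08x}: writes memory through {md.group(1)} inside a loop")
            if b["mnem"] in TRANSFORMS:
                score += 1
                reasons.append(f"{b['addr']:08x}: '{b['mnem']}' transforms the bytes it writes")
            if md.group(1) in code_ptrs:
                score += 2
                reasons.append(f"{b['addr']:08x}: {md.group(1)} points into the code section")
    return score, reasons


def is_viral(listing: str) -> bool:
    """The alert only fires once the accumulated evidence reaches the threshold."""
    return heuristic_score(listing)[0] >= ALERT_THRESHOLD


# Constructed polymorphic decryptor: XORs 0x40 bytes of its own code, then jumps there.
DECRYPTOR = """
00401000  mov esi, 0x401012
00401005  mov ecx, 0x40
0040100a  xor byte ptr [esi], 0x5a
0040100d  inc esi
0040100e  loop 0x40100a
00401010  jmp 0x401012
"""
# Constructed benign loop: zeroes a data buffer (memset-like), no transform, data pointer.
MEMSET = """
00401000  mov edi, 0x403000
00401005  mov ecx, 0x100
0040100a  mov byte ptr [edi], 0x00
0040100d  inc edi
0040100e  loop 0x40100a
00401010  ret
"""

if __name__ == "__main__":
    for name, lst in (("decryptor", DECRYPTOR), ("memset", MEMSET)):
        s, r = heuristic_score(lst)
        print(f"{name}: score={s} viral={is_viral(lst)}")
        for line in r:
            print("   ", line)
```

The memset-like loop also writes memory in a loop, which is why that indicator alone scores below the threshold: what tips the decryptor over is the combination of a transform and a pointer into the code section.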
B) Bypassing
We can imagine some kind of "anti-disassembly" technique (a supposition on my part) to bypass the analysis.
5. Links
Since I did not have the innate knowledge:
- http://vxheavens.com/lib/ama00.html
- http://antivirus-inf.blogspot.fr