Author Topic: METHODS OF DETECTION OF MALWARE [RESUME]


Kanade

  • Guest
METHODS OF DETECTION OF MALWARE [RESUME]
« on: November 25, 2013, 04:34:11 am »
This tutorial is just a summary; we do not talk about sandbox analysis or other advanced methods. Sorry for my English.

METHODS OF DETECTION OF MALWARE

Definitions:

* Malware:
"Malware" is software used to damage a digital system.
"Malware" covers all worms, Trojans, etc.



* Anti-worms/virus/malware:
An antivirus, unlike malware, is made to detect and eradicate malware.
To do so, it periodically analyzes the RAM, the storage peripherals (USB, hard disk) and incoming files (downloaded from the Internet, for example).

I. Foreword

In the "war" against malware, it was necessary to invent methods to detect and completely delete a malware without human interaction, since a human cannot, by any means, detect a well-hidden virus alone. For that purpose, developers invented what we call "antiviruses" today; everybody knows them, they are our best friend: when we buy a PC, the first thing we do is download our antivirus (free or paid, the difference is small). But do you know how it works? That is what we are going to see in this tutorial; it presents the 4 methods most used in malware detection...

II. Summary:

1. Signature detection method
[a) Detection (and removal)
b) Bypassing]
2. Spectrum analysis method
[a) Detection (and removal)
b) Bypassing]
3. Behavioral analysis method
[a) Detection (and removal)
b) Bypassing]
4. Heuristic method
[a) Detection (and removal)
b) Bypassing]
5. Links


1. Signature detection method
A) Detection (and removal)

This detection method, also called "scanning", is the most widespread among antimalware developers, simply because it is very simple to program. It is also the first technique applied by the antimalware, because it allows the malware to be detected before it executes in memory.
The antivirus will "scan" the file and try to find a piece of code which we shall call a "signature"; this signature is registered in the antimalware's database (and it is unique: every piece of software has its own signature, logically), and the database is regularly updated.
The only drawback of this technique is that it NEEDS to be "maintained" ALL THE TIME, because every day new malware appears whose signatures are not in the database, so that malware cannot be detected and eradicated by the system's antimalware. That is why updates are ESSENTIAL for an antimalware (and it is on this point that we compare paid and free antimalware).

B) Bypassing

Malware developers now have (well, for a long time already) new techniques to "bypass" an antimalware. For the signature detection method, the malware just has to be "polymorphic" (= take several forms).
The mechanism is very simple: the malware has a routine that encrypts and decrypts its signature, and these viruses change signature at every replication, which makes them 99% undetectable by the signature detection method.


2. Spectrum analysis method
A) Detection (and removal)

The signature analysis method being vulnerable to polymorphic malware, the antimalware laboratories developed a technique allowing polymorphism to be detected; this method is called, as you guessed, "spectrum analysis".
The antimalware actually analyzes the instructions in the suspicious file and, according to the presence or absence of very particular instructions which are not normally used, or according to the frequency (the distribution) of such instructions, decides whether or not to flag the file as a parasite. It starts from the principle that every compiled program is supposed to contain a trace of the compiler in the program's code (e.g. the Microsoft Visual C++ compiler). And since (in theory) polymorphic code is supposed to encrypt the signature, it encrypts the trace of the compiler's signature at the same time. The antimalware, being in the presence of an unusual sequence, will detect the program as malware.

Example of a compiler signature (Microsoft Visual C++ 5.0):

 PUSH EBP
 MOV EBP,ESP
 PUSH -1
 PUSH XXXXXXX.00000000
 PUSH XXXXXXX.00000000
 MOV EAX,DWORD PTR FS:[0]
 PUSH EAX
 MOV DWORD PTR FS:[0],ESP
 ADD ESP,-58
 PUSH EBX
 PUSH ESI
 PUSH EDI
 MOV DWORD PTR SS:[EBP-18],ESP


B) Bypassing

This is now the "war" between antiviruses and malware: the researchers simply bypassed this method by injecting into the program a series of useless instructions which its engine could not generate, in order to deceive the spectrum analysis.


3. Behavioral analysis method
A) Detection (and removal)

One of the actions that the antivirus performs 24/7 (normally, for a good AV) is behavioral analysis; this technique, as I said, is always running, always active.
It is one of the most effective methods because it allows malware to be detected without it being "known" in the database.
It works like this:
- it scrutinizes any attempt to write into a program and/or modify a system file (or any other hostile action) which would betray a virus, and thus warns the user of the system.
There is also a "hardware" monitor which, as its name indicates, is built into the hardware; it is the ultimate level of security, because it forbids any access to the system's sensitive files.

B) Bypassing

Nothing found on this subject.


4. Heuristic method (heuristic algorithm)
A) Detection (and removal)

The heuristic method is by far the best method to detect malware (because it allows polymorphic malware to be detected); it is based on analysis of the machine code, in search of code which could be dangerous when executed, or suspicious (called viral code).
BUT warning: the heuristic method is said to be "passive" (like the signature detection method) because it does not execute the code and only analyzes it; for that, AVs using this technique are provided with a disassembler.
For example, a polymorphic virus can be detected by heuristic analysis: the antivirus will browse the code, right into the decryption routine, and at THIS moment it will declare the file malicious, because the decryption routine browses the code to change it (= and that is a viral instruction).
It does not, of course, declare a file malicious on seeing the first suspicious instruction; it takes a certain amount of information to sound the alert.

B) Bypassing
We can imagine a kind of "anti-disassembly" (supposition) to bypass the analysis.

Links:

Because I did not have all this knowledge myself:
- http://vxheavens.com/lib/ama00.html
- http://antivirus-inf.blogspot.fr

Regards,
Kanade/ウルフ
« Last Edit: November 25, 2013, 06:51:06 pm by Kanade »
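The scanner below is an added example, not code from the original post or from any antivirus product. It strings together the three passive methods the post describes (signature scanning, a compiler-trace check standing in for "spectrum analysis", and a scoring heuristic) and runs them against a constructed sample and a toy polymorphic engine. The sample bytes, the "Toy.Example" signature, the rule weights and the threshold are all invented for the demo; the only thing taken from the post is the Visual C++ 5.0 prologue, encoded as the real x86 bytes of the listing above.

```python
"""Added example (not from the original post): a byte-signature scanner
(method 1), a toy polymorphic engine that defeats it (1.B), a compiler
fingerprint check in the spirit of "spectrum analysis" (method 2) and a
scoring heuristic that flags the decryption stub a polymorphic sample has
to keep in the clear (method 4).  Samples are constructed inline; the x86
encodings are real, the "malware" is not."""
import re

# The Visual C++ 5.0 prologue listed in the post, as bytes, with the two
# PUSH imm32 operands wildcarded (68 ?? ?? ?? ??).
VC5_PROLOGUE = re.compile(
    rb"\x55\x8b\xec\x6a\xff\x68....\x68...."    # push ebp; mov ebp,esp; push -1; push; push
    rb"\x64\xa1\x00\x00\x00\x00\x50"             # mov eax,fs:[0]; push eax
    rb"\x64\x89\x25\x00\x00\x00\x00"             # mov fs:[0],esp
    rb"\x83\xc4\xa8\x53\x56\x57\x89\x65\xe8",    # add esp,-58; push ebx/esi/edi; mov [ebp-18],esp
    re.DOTALL)

# Constructed benign program: the real prologue followed by harmless code.
BENIGN = (b"\x55\x8b\xec\x6a\xff\x68\x10\x20\x40\x00\x68\x30\x40\x40\x00"
          b"\x64\xa1\x00\x00\x00\x00\x50\x64\x89\x25\x00\x00\x00\x00"
          b"\x83\xc4\xa8\x53\x56\x57\x89\x65\xe8" + b"\x90" * 16 + b"\xc3")
# Constructed "malware": same prologue plus a body the database knows.
MALWARE = BENIGN + b"\x68cmd\x00" + b"EVIL-MARKER-1337" + b"\xcc" * 4
SIGNATURES = {"Toy.Example": b"EVIL-MARKER-1337"}   # the AV "database" (invented)

# Method 4 rules: (description, byte pattern, weight).  No single hit is
# enough on its own; the file is flagged once the score reaches THRESHOLD.
HEURISTIC_RULES = [
    ("xor byte ptr [esi], imm8 (code rewriting itself)", re.compile(rb"\x80\x36.", re.DOTALL), 3),
    ("loop rel8 backwards (tight loop)",                 re.compile(rb"\xe2[\x80-\xff]", re.DOTALL), 2),
    ("mov ecx, imm32 (loop counter setup)",              re.compile(rb"\xb9....", re.DOTALL), 1),
    ("inc esi (pointer walking forward)",                re.compile(rb"\x46", re.DOTALL), 1),
]
THRESHOLD = 6   # invented weight/threshold for the demo


def signature_scan(data, signatures=SIGNATURES):
    """Method 1: names of every database signature present as a substring."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def has_compiler_prologue(data):
    """Method 2, simplified: does the file still carry the compiler's trace?
    An encrypted polymorphic body no longer does, which is the tell."""
    return VC5_PROLOGUE.search(data) is not None


def heuristic_score(data):
    """Method 4: static scan for instruction patterns of a decryptor loop."""
    score, hits = 0, []
    for desc, pat, weight in HEURISTIC_RULES:
        if pat.search(data):
            score += weight
            hits.append(desc)
    return score, hits


def polymorph(sample, key):
    """1.B: XOR-encrypt the whole sample with `key` and prepend a decryptor.
    A fresh key per replication gives different bytes every time, so both
    the body signature and the compiler prologue vanish.  The stub is real
    32-bit x86; the body address is left as a placeholder (assumption)."""
    assert 1 <= key <= 255, "key 0 would leave the sample unchanged"
    body = bytes(b ^ key for b in sample)
    stub = (b"\xb9" + len(body).to_bytes(4, "little")  # mov ecx, len
            + b"\xbe\x00\x00\x00\x00"                   # mov esi, <body>  (placeholder)
            + b"\x80\x36" + bytes([key])                # L: xor byte ptr [esi], key
            + b"\x46"                                   #    inc esi
            + b"\xe2\xfa")                              #    loop L  (rel8 = -6)
    return stub + body


def unpolymorph(variant):
    """What an emulating scanner would do: read the key out of the stub
    (offset 12 = the xor immediate) and recover the original sample."""
    return bytes(b ^ variant[12] for b in variant[16:])


def verdict(data):
    """Apply the passive methods in the post's order and give one answer."""
    sigs = signature_scan(data)
    if sigs:
        return "signature:" + ",".join(sigs)
    score, _ = heuristic_score(data)
    if not has_compiler_prologue(data):
        score += 2      # spectrum-style clue: no compiler trace at all
    return "heuristic" if score >= THRESHOLD else "clean"


if __name__ == "__main__":
    variant = polymorph(MALWARE, 0x5A)
    for name, blob in [("benign", BENIGN), ("malware", MALWARE),
                       ("polymorphic variant", variant),
                       ("variant after decryption", unpolymorph(variant))]:
        print(f"{name:26s} -> {verdict(blob)}  heuristic={heuristic_score(blob)}")
```

Running it shows the chain the post describes: the plain sample is caught by its signature, the polymorphic variant carries neither the signature nor the compiler prologue, yet the decryptor it must keep in clear text (xor/inc/loop) pushes the heuristic score over the threshold; `unpolymorph` shows why real engines emulate that stub and then rescan the decrypted body. The prologue check is a presence test only; a genuine spectrum analysis compares opcode frequency distributions, which is exactly what the junk-instruction injection in 2.B is meant to skew.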
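Behavioral analysis (method 3) as an added example, not part of the original post: a small monitor that scores each process as its actions stream in and trips an alert only once a pattern of hostile actions (writing into system directories, modifying another program, adding a Run key, injecting into another process) accumulates. The event log format, the process names, the rules, their weights and the threshold are all constructed for the demo; a real monitor would receive these events from a kernel driver or API hooks, not from a string.

```python
"""Added example (not from the original post): a toy behavioral monitor
run over a constructed event log.  Nothing here is a real AV's rule set."""
import re

# Constructed event log, one "<pid> <process> <action> <target>" per line.
SAMPLE_LOG = """\
1001 notepad.exe      FILE_WRITE  C:\\Users\\bob\\notes.txt
1002 setup_app.exe    FILE_WRITE  C:\\Program Files\\App\\app.exe
1002 setup_app.exe    REG_WRITE   HKLM\\SOFTWARE\\App\\Version
1003 invoice.pdf.exe  FILE_WRITE  C:\\Windows\\System32\\drivers\\svc.sys
1003 invoice.pdf.exe  FILE_WRITE  C:\\Program Files\\App\\app.exe
1003 invoice.pdf.exe  REG_WRITE   HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc
1003 invoice.pdf.exe  PROC_INJECT explorer.exe
"""

# Behavioral rules: (description, action, target pattern, weight).
RULES = [
    ("write into a system directory", "FILE_WRITE",
     re.compile(r"^C:\\Windows\\", re.I), 3),
    ("modify another executable", "FILE_WRITE",
     re.compile(r"\.(exe|dll|sys|scr)$", re.I), 2),
    ("persist via a Run key", "REG_WRITE",
     re.compile(r"\\CurrentVersion\\Run\\", re.I), 3),
    ("inject into another process", "PROC_INJECT",
     re.compile(r"."), 4),
]
THRESHOLD = 6   # one rule alone never trips the alarm; a pattern of them does


def parse_log(text):
    """Turn the constructed log into (pid, process, action, target) tuples;
    maxsplit=3 keeps spaces inside the target path intact."""
    events = []
    for line in text.splitlines():
        if line.strip():
            pid, proc, action, target = line.split(None, 3)
            events.append((int(pid), proc, action, target))
    return events


def analyze(events, rules=RULES, threshold=THRESHOLD):
    """Score each process event by event.  Returns
    {pid: (process, score, [matched rule descriptions], index of the event
    that crossed the threshold, or None)}."""
    state = {}
    for idx, (pid, proc, action, target) in enumerate(events):
        name, score, hits, tripped = state.get(pid, (proc, 0, [], None))
        for desc, rule_action, pat, weight in rules:
            if action == rule_action and pat.search(target):
                score += weight
                hits.append(desc)
        if tripped is None and score >= threshold:
            tripped = idx       # a real AV would suspend or kill the process here
        state[pid] = (name, score, hits, tripped)
    return state


def flagged(events, **kw):
    """Names of the processes that crossed the threshold."""
    return sorted(proc for proc, _, _, tripped in analyze(events, **kw).values()
                  if tripped is not None)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for pid, (proc, score, hits, tripped) in sorted(analyze(evts).items()):
        status = f"ALERT at event {tripped}" if tripped is not None else "ok"
        print(f"{pid} {proc:16s} score={score:2d} {status}  {hits}")
```

Note the installer (`setup_app.exe`) also writes an `.exe`, which is why a single rule must not trip the alarm: the threshold is what separates one legitimate action from the chain of system-file write, program modification, persistence and injection that the post describes as betraying a virus.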

Offline Kulverstukas

  • Administrator
  • Zeus
  • Fascist dictator
Re: METHODS OF DETECTION OF MALWARE [RESUME]
« Reply #1 on: November 25, 2013, 07:39:08 am »
What can I say... I appreciate the contribution. This is a really good idea, however very poorly executed.
Since this is your first tutorial, I'll let this one slide. But you could have extended more on each field. The format is OK. The English is horrible and it looks like you used Google Translate or something. Really not cool.

About what you posted... well, the info seems legit to me... but the chart is misleading and wrong, not to mention Polish words in there.

+1 for the effort, though!
« Last Edit: November 25, 2013, 07:39:55 am by Kulverstukas »

Kanade

  • Guest
Re: METHODS OF DETECTION OF MALWARE [RESUME]
« Reply #2 on: November 25, 2013, 09:24:33 am »
Lol... What can i say...

I'm very sorry for my English; you know, Japanese and English are two very different languages.

Quote
But you could have extended more on each field.
Yeah, of course! This is just a "resume"/summary.

 
Quote
you used Google translate or something
Just a dictionary (JA - EN) and a little bit of Google Translate for expressions...
I promise you that I will do it tonight with the help of a qualified translator :)

I am deleting this tut. for a new version later.
« Last Edit: November 25, 2013, 09:44:37 am by Kanade »

Kanade

  • Guest
Re: METHODS OF DETECTION OF MALWARE [RESUME]
« Reply #3 on: November 25, 2013, 06:53:31 pm »
I have edited it; I hope this is a little bit understandable.

Offline 0poitr

  • Peasant
Re: METHODS OF DETECTION OF MALWARE [RESUME]
« Reply #4 on: November 25, 2013, 07:16:09 pm »
Quote
the antimalware laboratories
almost read it animalware :P
Imagination is the first step towards Creation.

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • Programmer, Malware Analyst
Re: METHODS OF DETECTION OF MALWARE [RESUME]
« Reply #5 on: November 25, 2013, 09:26:02 pm »
The English is still a bit weird (especially the use of "he" and "she", when it should be "it").
But I really like the contribution. +1 Cookie for you.

Kanade

  • Guest
Re: METHODS OF DETECTION OF MALWARE [RESUME]
« Reply #6 on: November 25, 2013, 10:04:43 pm »
Quote
The English is still a bit weird (especially the use of "he" and "she", when it should be "it").
But I really like the contribution. +1 Cookie for you.
Yeah, sorry!
But thank you, I really appreciate it.