Defending against malware and stealth techniques
- Patches: most worms exploit known vulnerabilities
- Signatures: must be developed automatically to keep up
- Intrusion and anomaly detection: notice suspicious activity
Antivirus and antimalware
The basic strategy is a signature-based detection: database of byte-level or instruction-level signatures that match known malware.
Other complementary strategies are used:
- Heuristics: check for signs of infection. For example: where code execution starts, header size, suspicious code section names, patched import address table, ...
- Behavioral detection: detect signs of known malware and common behaviors of malware.
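A small scanner that puts the two ideas above side by side: a byte-level signature pass (with single-byte wildcards, as real engines allow) and a heuristic pass over a simplified header view (entry point location, suspicious section names). This is an added example, not code from the notes; the signature database, the section-name list, and the sample bytes are all constructed for the demonstration, and the header fields are supplied by the caller rather than parsed from a real PE/ELF file.

```python
from __future__ import annotations
import re

# Constructed signature database for this example (not real AV signatures):
# name -> byte pattern. "??" wildcards one byte, so a single signature
# tolerates small per-sample variations such as a different immediate operand.
SIGNATURES = {
    "demo.dropper.a": "e8 ?? ?? ?? ?? 5d 81 ed",  # call rel32; pop ebp; sub ebp, imm32
    "demo.dropper.b": "4d 5a 90 00 03 00 00 00",  # fixed byte prefix of a constructed sample
}

# Section names that packers and infectors commonly leave behind (constructed list).
SUSPICIOUS_SECTION_NAMES = {b"UPX0", b"UPX1", b".packed", b".evil"}


def compile_signature(pattern: str) -> re.Pattern[bytes]:
    """Translate 'e8 ?? 5d' into a bytes regex: literal bytes escaped, ?? becomes '.'."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '.' also matches 0x0a


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan_signatures(data: bytes) -> list[tuple[str, int]]:
    """Signature pass: return (name, offset) for every match anywhere in the buffer."""
    hits = [(name, m.start()) for name, rx in COMPILED.items() for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: h[1])


def heuristic_flags(entry_point: int, sections: list[tuple[bytes, int, int]]) -> list[str]:
    """Heuristic pass over a simplified header view: entry point address plus
    (name, start, size) per section. A real scanner reads these from the
    executable's headers; here the caller supplies them (assumption)."""
    flags = [f"suspicious section name {name!r}" for name, _, _ in sections
             if name in SUSPICIOUS_SECTION_NAMES]
    containing = [name for name, start, size in sections if start <= entry_point < start + size]
    if not containing:
        flags.append("entry point outside every section")
    elif containing[0] != sections[0][0]:
        # Clean compiled binaries start in the first (code) section; an entry point
        # in a later or appended section is a classic sign of infection or packing.
        flags.append(f"entry point in non-first section {containing[0]!r}")
    return flags


def verdict(data: bytes, entry_point: int, sections: list[tuple[bytes, int, int]]) -> str:
    """Combine both passes: a signature hit is definitive, heuristics only raise suspicion."""
    if scan_signatures(data):
        return "malicious"
    return "suspicious" if heuristic_flags(entry_point, sections) else "clean"


if __name__ == "__main__":
    # Constructed sample: padding, then bytes that signature a matches, then NOPs.
    infected = b"\x00" * 16 + bytes.fromhex("e8 12 34 56 78 5d 81 ed") + b"\x90" * 8
    print(scan_signatures(infected))  # [('demo.dropper.a', 16)]
    print(heuristic_flags(0x4100, [(b".text", 0x1000, 0x2000), (b"UPX1", 0x4000, 0x1000)]))
```

The wildcard is what keeps a signature useful across trivially re-linked builds; the heuristic pass is what catches a sample the database has never seen, at the price of false positives (legitimately packed software trips the same section-name check), which is why the verdict only reports it as suspicious.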
Stealth techniques
General stealth techniques
- Dormant period during which no malicious behavior is exhibited
- Event-triggered payload
Anti-virtualization techniques: modern malware detect execution environment to complicate analysis
- virtual machines
- hardware-supported virtual machines
- emulators
- Encryption / Packing: encrypt the malicious content using a small routine, changing the key at each execution
Rootkit techniques: after becoming root on a machine, plant a kit to remain root. The kit could, for example, make files, processes and directories disappear to hide the attacker. Can be:
- userland (backdoored login, trojanized utilities to hide, ...)
- kernel-space (system call table, interrupt descriptor table, ...)
- in BIOS
- on firmware
- in virtualization systems
Virus stealth techniques
Virus scanners quickly discover viruses by searching around the entry point.
Entry point obfuscation
- Multicavity viruses
- Hijack control later (after the program is launched), for example by overwriting import table addresses or function call instructions
Virus and Worm stealth techniques
- Polymorphism: change layout (shape) with each infection. The same payload is encrypted with different keys.
- Metamorphism: create different versions of code that look different but have the same semantics (do the same thing). Examples of ways to do metamorphism are dead code insertion and instruction reordering.
Malware analysis
It is an ex-post workflow after the malware has been identified:
- reported by someone
- automatically analyzed
- manually analyzed
- antivirus signature developed
Two main types of analysis are carried out:
- Static analysis: parse the executable code. High code coverage and works on dormant code, but suffers from obfuscation.
- Dynamic analysis: observe the runtime behavior of the executable. Low code coverage and does not work with dormant code, but it does not suffer from obfuscation.
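A worked illustration of two passages at once: the encryption/polymorphism technique described earlier (same payload, different key per copy) and the static-versus-dynamic trade-off just listed. This is an added example, not code from the notes; the "payload" is a constructed marker string, the "decryptor" is a toy single-byte XOR routine modelled as a fixed tag plus key byte (an assumption standing in for a real unpacking stub), and the `triggered` flag models an event-triggered sample whose decryptor never runs during the observation window.

```python
from __future__ import annotations

# Constructed payload bytes we want to detect; a marker string, not malware.
PAYLOAD = b"DEMO-PAYLOAD: write marker file, then exit"
PAYLOAD_SIGNATURE = PAYLOAD[:8]  # what a byte-level signature would key on

# The part of a polymorphic sample the generator copies unchanged: a tiny
# "decryptor", modelled here (assumption) as a 2-byte tag followed by the key byte.
DECRYPTOR_TAG = b"\xde\xc0"


def make_variant(key: int) -> bytes:
    """Build one polymorphic variant: identical payload, different key, hence
    different bytes on disk. Toy model of the 'small routine changing the key
    at each execution' from the notes; single-byte XOR stands in for real crypto."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    body = bytes(b ^ key for b in PAYLOAD)
    return DECRYPTOR_TAG + bytes([key]) + body


def static_scan(sample: bytes) -> dict[str, bool]:
    """Static analysis: inspect the bytes as stored. Covers the whole file, but
    the encrypted body defeats the payload signature; only the invariant
    decryptor stub remains matchable, which is what a defender signatures instead."""
    return {
        "payload_signature": PAYLOAD_SIGNATURE in sample,
        "decryptor_signature": sample.startswith(DECRYPTOR_TAG),
    }


def emulate_and_scan(sample: bytes, triggered: bool = True) -> bool:
    """Dynamic analysis: let the decryptor run (here, the XOR loop) and apply the
    payload signature to what the sample actually produces. Obfuscation no longer
    hides the payload, but only code that executes is observed: if the trigger
    event never fires during observation, the dormant body is never seen."""
    if not triggered or len(sample) < 4 or not sample.startswith(DECRYPTOR_TAG):
        return False
    key = sample[2]
    unpacked = bytes(b ^ key for b in sample[3:])
    return PAYLOAD_SIGNATURE in unpacked


if __name__ == "__main__":
    for key in (0x41, 0x7F):
        v = make_variant(key)
        print(hex(key), static_scan(v), emulate_and_scan(v), emulate_and_scan(v, triggered=False))
```

Two variants differ byte for byte, so a signature on the payload misses both statically, while the same signature matches both once the decryptor has been run; conversely, the dormant case shows why the dynamic pass alone is not enough and why scanners keep a static signature on the stub as well.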