3. PE Portable Executable: a Look

3. PE Portable Executable: a Look

1. Introduction Anti-virus software has in true sense evolved a lot in these years. Time has gone where there were anti-virus software which used to detect the malwares or viruses based on scanning the executable hex`s dump and finding an appropriate string (also called as String based detection). Nowadays, more and more advanced technologies are been incorporated in detecting malwares for example, advanced heuristics, signature and its variants based, sandboxing, behavioral based approach etc. Now many AV not only offers deep scan option which scans almost all files stored in secondary memory but also scans offsets in the memory (also called as opcodes). But, if we look at the real-time statistics by Bit Defender AV[1] , we can come to know that each hour there are new malwares and viruses reported. This is shown in the figure below. Figure [1] Real-time virus reporting (Dated: 29/09/13) From the stats above one may have a question rising in their mind that nowadays the AVs scans each and every files even that present in the opcodes of the memory then why there is drastic spread of malwares as compared to last decade? The answer to these is that very smart people whom we call Crackers/Hackers have found the way to bypass these AVs. Page 1 They know the very detail about how the AV works and which AV have which type of detection capabilities for example if it scans based on string detection or if it scans based on sandboxing approach. We sometimes fail to remember that they (Crackers and Hackers) too have AV scanners from which they may scan their newly developed malware and viruses and can easily spread via plethora of medium, mostly the Internet. Below is the snapshot of a Virus scanning portal[2] which has almost 45 scan engines to detect if the file consists of executable code. Figure [2] Online file scanner having almost 45 different scan engines Crackers and Hackers also have easy access to various debuggers and dissemblers in which they may change their developed code to bypass some specific targeted AV. This report throws light on the way the AVs work along with their different detection techniques, the structure of windows executable (also called as PE structure) along with the brief details of where the signature of any file is stored (signature which anti-virus looks for) and finally the techniques for bypassing AVs. Page 2 2. Anti-Virus: How they work According to Wikipedia.org Antivirus or anti-virus software is software used to prevent, detect and remove malware (of all descriptions), such as: computer viruses, malicious BHOs, hijackers, ransomware, keyloggers, backdoors, rootkits, trojan horses, worms, malicious LSPs, dialers, fraudtools, adware and spyware. Computer security, including protection from social engineering techniques, is commonly offered in products and services of antivirus software companies.This page discusses the software used for the prevention and removal of malware threats, rather than computer security implemented by software methods. To prevent the viruses to enter into our machine, there are only two ways[3]: To isolate the system i.e. disconnecting it from the network, neither using any CDs/DVDs nor USB drives for data transfer. To use an AV software. Sometimes we wonder that how an AV scans the files present on our machine and flags it as malicious depending on the code containing that file. AV nowadays scans our system on real-time basis, scans the file and if found it safe for the windows file loader[4] to load then it let the file to be copied on the hard-disk (HDD) but if the AV finds the file malicious for the windows file loader to load then it flags it malicious(or suspicious) and waits for the user action. Snapshot below gives its high level view. Figure [3] High level view of AV working mechanism We can say that an AV software is no more than program that is used for analyzing information and then, if it finds that something is infected, it either disinfects it or waits for the user action. Information is analyzed based on the origin of the information i.e. the source of information. AV will operate differently when it is monitoring CDs/DVDs data transfer operation than when monitoring internet traffic or data transfers over LAN network. The principal of operation is all the same but there are subtle differences. The information which is in the “source system” must reach to its “destination system”. Page 3 The information interpretation also varies depending on whether it is implemented in some sort of operating systems or on some kind of application. This interpretation mechanism must be specific to each operating system or the component in which the AV is going to be implemented. For example if we are implementing the AV software for some firewall then it is the firewall that will provide the information to the AV to scan it. Once the information is passed to AV, the information is scanned and one of the two possibilities takes place, they are: The cleaned information is returned to the interpretation mechanism, which in turn will return it to the system so that it can continue towards its final destination. A warning is sent to the user interface. This user interface can vary greatly. In an AV for workstations, a message can be displayed in the form of pop up message on screen, but in server side the alert is send to the administrator`s email, an internal network message or is sent via SMS. Snapshot below explains whole process. Source System Destination System Interpretation of Information Scanning of Information Disinfection Alert Figure [4] Complete AV working process Page 4 2.1 Anti-virus: Virus Detection techniques (Scan Engines) Regardless of how the information to be scanned is obtained, the most important function of the antivirus now comes into play: the virus scan engine. This engine scans the information it has intercepted for viruses, and if viruses are detected, it disinfects them. As of the methods known till now, the information is scanned as one of the five known methods, they are as follows: 1. Signature based detection 2. Heuristic based detection 3. Sensing threat technology 4. Behavioral based detection(also called as artificial intelligence based detection) 5. Protective defense based detection 6. And Sandbox based detection 2.1.1 SIGNATURE BASED DETECTION Signature-based detection[5]: also referred as “scan string-based technologies” works by scanning the contents of computer files and cross-referencing their contents with the “code signatures” belonging to known viruses. A library of known code signatures is updated and refreshed constantly by the anti-virus software vendor. If a viral signature is detected, the software acts to protect the user’s system from damage. Suspected files are typically quarantined and/or encrypted in order to render them inoperable and useless. Clearly there will always be new and emerging viruses with their own unique code signatures. So once again, the anti-virus software vendor works constantly to assess and assimilate new signature-based detection data as it becomes available, often in real time so that updates can be pushed out to users immediately and zero-day vulnerabilities can be avoided. AV program searches within given files for the presence of certain strings (also only in certain regions).If these predefined strings are found, then antivirus report A Threat has been detected. Next-generation signature-based detection: New variants of computer virus are of course developed every day and security companies now work to also protect users from malware that attempts to disguise itself from traditional signature-based detection. Virus authors have tried to avoid their malicious code being detected by writing “oligomorphic“, “polymorphic” and more recently “metamorphic” viruses with signatures that are either disguised or changed from those that might be held in a signature directory. Page 5 2.1.2 HEURISTIC BASED DETECTION Heuristic based detection[6]: It is used to detect new, unknown viruses in your system that has not yet been identified. Only some antiviruses can do this type of scan, the majority are only able to detect known viruses. Virus detection is based on recognition of a signature or string of code which identifies a certain virus. Similar to how investigators use characteristics to identify criminals; antiviruses look for ‘digital footprints’ in order to recognize a virus. Nevertheless, to detect an unknown virus, a particular signature or recognized code does not yet exist. For this reason a heuristic scan is used. Heuristic methods are based on the piece- by-piece examination of a virus, looking for a sequence or sequences of instructions that differentiate the virus from ‘normal’ programs. The first heuristic engines were introduced to detect DOS viruses in 1989.Heuristic (hyu-'ris- tik) is an adjective for methods that help in problem solving. These program searches instructions or commands within a file that are not found in typical good application programs. As a result, a heuristic engine is able to detect potentially malicious files and report them as a virus. Such AV might also emulate running the file to see what it would do if executed, attempting to do this without noticeably slowing down the system. A single suspicious attribute might not be enough to flag the file as malicious. However, several such characteristics might exceed the expected risk threshold, leading the AV to classify the file as malware. The biggest downside of heuristics is it can inadvertently flag legitimate files as malicious. 2.1.3 SENSING THREAT TECHNOLOGY Threat sense technology: In past when a virus was released it was detected by antivirus experts after 15-30 days.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    32 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us