Copyright © 2006, Idea Group Inc.

Chapter IV

Malware and Antivirus Deployment for Enterprise Security

By: Raj Sharman,K. Pramod Krishna, H. Raghov Rao & Shambhu Upadhyaya

Presented by: Abdallah Rasheed

Spring 08


Outline

- Types of malware.
- Approach to antivirus software implementation.
- Mechanism of virus/antivirus.


Malware

“Short for malicious software and is typically used as a catch-all term to refer to the class of software designed to cause damage to any device.”

Examples: a virus, a worm, a Trojan, spyware, or a backdoor.


Malware impact

- Increases business risk.
- Reduces productivity.
- Loss of customer confidence.
- Time consuming.
- Cost of antivirus/firewalls.


Malware history

- 1986, “Pakistani Brain” virus.
- 1987, “Merry Christmas” worm.
- 1988, “Morris worm”.
- 1990s, more complex viruses:
  – OS executable viruses.
  – Network/protocol worms.


Antivirus Solution

The Layered Approach:
  – Layer 1: Gateway and content security
  – Layer 2: Intranet servers
  – Layer 3: Desktops and user community

Figure 1. Three-layer defense in enterprise network


Layer 1 — Gateway Security and Content Security

Deals with the Internet-visible servers and the demilitarized zone (DMZ).
  – Gateway traffic: firewall filters.
  – Content scanning: email attachments; scanning emails for specific text; spam emails.
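Content scanning at the gateway (the attachment part of the point above) is easiest to see as a small policy engine over a parsed message. The following is an added example, not code from the chapter or the presentation: it parses a constructed email with Python's standard `email` package, and for every attachment checks the extension against a constructed block list, flags double extensions such as `invoice.pdf.exe`, and compares the first bytes of the payload with the `MZ` magic of a Windows PE executable so that an executable renamed to `.txt` is still caught. The block list, the sample addresses and the attachment contents are all assumptions made for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed gateway policy for this example (not from the chapter):
# extensions that are rejected outright, and the two-byte magic of a
# Windows PE executable, which should never appear inside a "document".
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".js", ".bat", ".cmd"}
PE_MAGIC = b"MZ"


def classify_attachment(filename, payload):
    """Return the list of policy findings for one attachment (empty = allowed)."""
    findings = []
    name = (filename or "").lower()
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"blocked extension {ext}")
    if name.count(".") >= 2:
        # "invoice.pdf.exe" style names rely on hidden extensions to look harmless
        findings.append("double extension")
    if payload[:2] == PE_MAGIC and ext not in BLOCKED_EXTENSIONS:
        # content says "executable", the name says otherwise: a disguised binary
        findings.append(f"PE executable disguised as {ext or '(no extension)'}")
    return findings


def scan_message(raw_bytes):
    """Parse an RFC 5322 message and classify every attachment by filename."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        report[part.get_filename()] = classify_attachment(part.get_filename(), payload)
    return report


def build_sample_message():
    """Constructed test message with one clean and two suspicious attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 constructed pdf bytes", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed fake executable", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00 constructed fake executable", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample_message()).items():
        print(f"{name}: {'allowed' if not findings else '; '.join(findings)}")
```

The content check matters more than the name check: a block list only stops what it names, whereas the magic-byte comparison catches the renamed binary regardless of what the sender called it. A production gateway would extend the same loop with archive unpacking and a signature scan of each payload.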


Layer 2 — Intranet Servers

- Email servers
  – Virtual Private Network (VPN)
  – Remote Access Server (RAS)
- Proxy servers.
- File servers:
  – Risk minimizing.
  – Increasing storage space.


Layer 3 — Desktop and User Community

Sources of virus infection:
  – The use of webmail.
  – Instant messaging tools.
  – Peer-to-peer file sharing.
  – Downloads from the Internet.

- Administrator privileges.
- Automated scans.
- Educating users.


Antispyware in Enterprise Network

Symptoms of spyware:
  – Unauthorized pop-up advertisements making web browsing difficult.
  – Sudden change in the performance of the computer, slowing it down considerably.
  – Appearance of a new and unwanted toolbar on the browser without installation.
  – Increased crashing of operating systems and web browsers.


Why Antispyware

- Increased IT support costs.
- Theft of intellectual property.
- Privacy violations.
- Information disclosure.
- Loss of credibility and damage to the organization.


Antivirus detection techniques

Pattern recognition
  – Examines key suspect areas and uses the virus pattern file to compare and detect viruses.

Integrity checking
  – Initial record of the status of all files on the HDD.
  – Checksumming programs to detect changes.
  – A detected change indicates a possible virus; otherwise it is a false alarm.
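The two techniques on this slide combine naturally: an integrity check tells you which files changed since the baseline, and a pattern scan of only those files tells you whether a known signature is present. The following is an added example, not code from the chapter: it records a SHA-256 baseline of a directory, detects changed, added and removed files on a later pass, and pattern-scans the changed ones against a constructed pattern file. A changed file with no signature hit is reported for manual verification rather than as an infection, which is the false-alarm case the slide mentions (a legitimate update looks identical to an infection from the checksum alone). The directory contents, the pattern file and the signature names are all constructed for the example.

```python
import hashlib
import os
import tempfile

# Constructed "pattern file": signature name -> byte pattern. A real
# antivirus pattern file holds a huge number of such entries; these are
# placeholders chosen for the example only.
PATTERN_FILE = {
    "Constructed.TestPattern.A": b"CONSTRUCTED-MALICIOUS-PATTERN-A",
    "Constructed.TestPattern.B": b"CONSTRUCTED-MALICIOUS-PATTERN-B",
}


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Initial record of every file under root: relative path -> SHA-256."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            baseline[os.path.relpath(p, root)] = file_digest(p)
    return baseline


def check_integrity(root, baseline):
    """Compare the current tree with the baseline; return (changed, added, removed)."""
    current = build_baseline(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return changed, added, removed


def pattern_scan(path, patterns=PATTERN_FILE):
    """Names of every pattern-file entry found in the file's bytes."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted(name for name, pat in patterns.items() if pat in data)


def triage(root, baseline):
    """Integrity check first, then pattern-scan only what changed or appeared.
    A changed file with no pattern hit is not declared infected: it may be a
    legitimate update, which is exactly the false-alarm case of checksumming."""
    changed, added, _ = check_integrity(root, baseline)
    verdicts = {}
    for rel in changed + added:
        hits = pattern_scan(os.path.join(root, rel))
        if hits:
            verdicts[rel] = "infected: " + ", ".join(hits)
        else:
            verdicts[rel] = "changed, no signature (verify: update or false alarm)"
    return verdicts


def demo():
    """Run the whole cycle on a constructed directory; returns the triage verdicts."""
    with tempfile.TemporaryDirectory() as root:
        files = {"app.exe": b"MZ clean program", "readme.txt": b"hello", "tool.exe": b"MZ tool"}
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)
        # Simulated later changes: one legitimate edit and one file that now
        # carries a pattern-file entry (appended marker bytes, nothing executable).
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"hello, updated")
        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b"CONSTRUCTED-MALICIOUS-PATTERN-A")
        return triage(root, baseline)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path}: {verdict}")
```

The baseline must itself be protected (stored read-only or off the host), since a checksum database the malware can rewrite detects nothing; that is the same concern the retrovirus slide later raises about antivirus program files.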


Cont. Techniques

X-raying
  – Looks at the picture of a virus body.
  – Based on the encryption algorithm.

32-bit viruses and PE file infectors
  – Windows 95, which uses a 32-bit OS.
  – PE file infectors run themselves each time the host file is executed.


Cont. Techniques

Entry point obscuring (EPO)
  – Places a “jump-to-virus” instruction in the code.
  – Inserts the viral code in unused space in the file.
  – Detection is more complex.

Encrypted virus
  – Consists of a virus decryption routine and the encrypted virus body.
  – The routine decrypts the virus body.


Cont. Techniques

Polymorphic viruses
  – A mutation engine generates randomized decryption techniques each time the virus infects a new program.
  – No fixed signature and no fixed decryption routine.
  – The decryption routine is time consuming.


Polymorphic Detection

Generic decryption: “A scanner loads the file being scanned into a self-contained virtual container created in the RAM.”
  – When an infected file is executed, the decryption routine executes.
  – The virus decrypts itself, exposing the virus body to the scanner.
  – The scanner identifies the virus signature.


Heuristic-Based Generic Decryption

  – A generic set of rules that helps differentiate non-virus from virus behavior.
  – Inconsistencies may indicate the presence of an infected file.
  – Running for a long period exposes the virus body.
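The three slides on polymorphic viruses, generic decryption and heuristic generic decryption describe one detection loop, and the added example below walks through it end to end; it is written for this page and is not code from the chapter. A toy mutation engine produces variants of a constructed, benign marker string that differ in key and in decryptor operation (XOR, add or subtract), so no fixed byte signature exists in the stored form. `static_scan` then fails on every variant, while `emulate_and_scan` runs the variant's decryptor inside a private buffer (the "virtual container"), checking for the signature as each byte is revealed. The step budget models the heuristic caveat: a decryptor that is still running when the budget is exhausted yields "inconclusive" rather than "clean". The sample format, the marker string and the signature are assumptions made for the example.

```python
import random

# Constructed, harmless stand-in for a virus body, and the signature the
# scanner looks for inside it. Both are inventions for this example.
VIRUS_BODY = b"CONSTRUCTED-VIRUS-BODY-MARKER"
SIGNATURE = b"VIRUS-BODY-MARKER"

# Decryptor operations the toy mutation engine can choose from.
# Sample layout (constructed): [op][key][length, 2 bytes big-endian][encrypted body]
OPS = {0: "xor", 1: "add", 2: "sub"}


def decrypt_step(op, key, b):
    """Decrypt one body byte with the chosen operation."""
    if op == 0:
        return b ^ key
    if op == 1:
        return (b + key) & 0xFF
    return (b - key) & 0xFF


def encrypt_for(op, key, body):
    """Inverse of decrypt_step, used only by the toy mutation engine."""
    if op == 0:
        return bytes(b ^ key for b in body)
    if op == 1:
        return bytes((b - key) & 0xFF for b in body)
    return bytes((b + key) & 0xFF for b in body)


def make_variant(rng, body=VIRUS_BODY):
    """Toy mutation engine: each instance gets a fresh key and decryptor
    operation, so the stored bytes differ from infection to infection."""
    op = rng.choice(list(OPS))
    key = rng.randrange(1, 256)          # key 0 would leave the body in the clear
    return bytes([op, key]) + len(body).to_bytes(2, "big") + encrypt_for(op, key, body)


def static_scan(sample, sig=SIGNATURE):
    """Plain pattern matching on the stored bytes: defeated by encryption."""
    return sig in sample


def emulate_and_scan(sample, sig=SIGNATURE, step_budget=10_000):
    """Generic decryption: execute the sample's decryptor inside a private
    buffer and watch for the signature as the body is revealed.
    Returns 'detected', 'clean', 'inconclusive' (budget exhausted) or 'malformed'."""
    if len(sample) < 4:
        return "malformed"
    op, key = sample[0], sample[1]
    length = int.from_bytes(sample[2:4], "big")
    if op not in OPS or length > len(sample) - 4:
        return "malformed"
    buf = bytearray(sample[4:4 + length])   # the virtual container's copy
    for i in range(length):
        if i >= step_budget:
            # Heuristic caveat from the slides: a decryptor that keeps running
            # past the budget cannot be called clean, only unresolved.
            return "inconclusive"
        buf[i] = decrypt_step(op, key, buf[i])
        if sig in buf:
            return "detected"
    return "clean"


if __name__ == "__main__":
    rng = random.Random(1234)              # fixed seed: repeatable variants
    for n in range(3):
        v = make_variant(rng)
        print(f"variant {n}: op={OPS[v[0]]} key={v[1]} "
              f"static={static_scan(v)} emulated={emulate_and_scan(v)}")
```

Checking the buffer after every step, rather than only once the decryptor finishes, is what lets the scanner stop early when the body surfaces; with a long-running decryptor, the budget is the only thing that bounds scan time, and the "inconclusive" result should be routed to a slower analysis path instead of being treated as a pass.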


Anti-Emulation

Emulation allows the virus to run inside a virtual computer to decrypt itself and reveal its code.

Anti-emulation systems are incorporated into the decryptor of a virus so that it does not decrypt properly and hence will not reveal its code.


Retrovirus

Tries to bypass the antivirus by:
  – Modifying the code of an antivirus program file.
  – Stopping the execution of the program.
  – Using methods in the virus code that cause problems for the antivirus.
  – Exploiting a specific weakness or a backdoor in an antivirus.


Backdoor

“Trojan allows access to computer resources using network connection”

Hackers download scripts onto PCs, essentially hijacking them, and then use them to launch a denial-of-service attack. Those PCs become slave computers.


Virus Infection Cycle of W32/Gobi

- PE virus, written in assembly.
- Infects .exe files in the Windows directory.
- Changes the registry.
  – Once the registry hook is done, Gobi infects programs launched from Windows Explorer before letting them run.


Conclusions

Malicious code and Internet-based attacks keep increasing; some of the future forecasts regarding malware are:

– Spam mails, phishing will continue to be a major concern in e-mail usage.

– Social engineering is emerging as one of the biggest challenges, as there is no technical defense against the exploitation of human weaknesses.

– The time between vulnerability disclosure and release of malware exploiting the vulnerability continues to get shorter, requiring more proactive assessment tools.


References

Warkentin, M., & Vaughn, R. Enterprise Information Systems Assurance and System Security: Managerial and Technical Issues. Idea Group Inc.

Argaez, E. D. (2004). How to prevent the online invasion of spyware and adware. Retrieved March 25, 2008, from <http://www.internetworldstats.com/articles/art053.htm>