There is an ongoing contest between virus writers and anti-virus experts, and it grows more complicated every day. Virus writers keep trying new tactics to infect systems, and security experts keep finding ways to counter them. And so the battle continues.
Computer viruses have evolved a great deal since they were first developed, and their concealment tactics have evolved with them. As a result, traditional anti-virus programs gradually became less effective. Next Generation Anti-Virus, or NGAV, is a technology that uses dynamic analysis instead of static analysis to overcome the shortcomings of traditional anti-virus programs.
Computer Viruses and their concealment techniques
Computer viruses use a variety of techniques to conceal themselves so that they remain undetected by anti-virus programs. A number of such strategies are given below:
Encryption
Encryption is the most primitive approach taken by virus writers to evade detection. An encrypted virus consists of two main parts: a decryptor and the virus body. The actual code of the virus is stored encrypted in the virus body, and the job of the decryptor is to decrypt the virus body and transfer control of execution to it.
The main purpose of the encryption, as said, is to avoid detection by anti-virus programs. Many anti-virus programs use static analysis of the virus code to detect a virus. If the main body of the virus is encrypted, it becomes difficult for security experts to analyze and detect the virus.
Sometimes encryption is also used in viruses to prevent unintentional tampering with the virus code.
Oligomorphism
Though encryption makes virus detection more difficult, it did not prove good enough to avoid detection. Anti-virus programs often analyze known viruses and find unique signatures, or patterns, in the virus code, which are then used to detect that particular virus. So, once an encrypted virus has been analyzed and a signature obtained, anti-virus programs can use that signature to detect new infections. If the decryptor of the virus stays the same across new infections, the virus is easy to detect.
Oligomorphism is a technique in which the decryptor loop changes between new infections. Normally, a fixed set of decryptors is used interchangeably in new infections, so that signature matching based on a fixed pattern in the decryptor loop becomes difficult.
Polymorphism
As said above, many anti-virus programs use signatures to detect infections by known viruses. When a virus is successfully analyzed, security experts find a unique bit pattern in the virus, called the signature of the virus. Later, when a computer is scanned for viruses, the signature is matched against files to detect new instances of the virus.
In polymorphism, the virus writers keep changing some instructions in each new generation, so that signature matching fails on the new infections. The virus modifies some pieces of its body to look dissimilar in each new infection, and in each new generation it constructs a different decryptor for the next infection.
The main difference between oligomorphism and polymorphism is that polymorphic viruses are capable of creating an infinite number of new decryptors, and each new decryptor may use several encryption techniques to encrypt the main virus body. As a result, polymorphic viruses are much more difficult to detect.
Metamorphism
In metamorphism, the virus writers mutate the virus body with different-looking but functionally equivalent instructions. As a result, the virus body looks different in each new infection and it becomes difficult for anti-virus programs to detect it. These viruses are usually not encrypted.
Virus Detection Techniques
Techniques of virus detection also evolved a great deal, and security experts started applying new techniques to detect viruses. Some of the most popular virus detection techniques are mentioned below:
String Scanning
In this method, a signature string is searched for in the suspect file using some special conditions in the byte comparison process. It uses wildcards, generic degree, etc. to match the signature.
Bookmarks
This technique is used to reduce false positives in detecting viruses. Several properties can be used as bookmarks; for example, the offset of the virus signature from the beginning of the virus code may be a good bookmark.
Smart Scanning
Virus writers often conceal their code with a set of dummy instructions like NOP. In smart scanning, junk instructions like NOP, or addresses of data and subroutines etc., are first removed from the virus body, and then the virus is scanned for signature matches. This technique is mainly used to detect macro viruses written in text format.
Skeleton Detection
This technique was invented by the Russian virus researcher Eugene Kaspersky, who is also the founder of Kaspersky Anti-Virus.
This method works by removing from a file the sets of instructions that probably do not belong to the virus code before the scanning process starts. It parses statements one by one, removing unimportant statements and blank gaps, to obtain the skeleton of the code. The skeleton is then searched for virus signatures.
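As an added example (not code from the original article or from any anti-virus product), the following Python applies the idea behind smart scanning and skeleton detection to macro source text: comment lines, blank lines, runs of whitespace and letter case are stripped before the signature is matched, so two constructed generations of the same harmless macro that differ only in padding produce the same skeleton. The macro text, the comment syntax handled and the signature are constructed for illustration.

```python
import re

COMMENT_LINE = re.compile(r"^\s*('|Rem\b)", re.IGNORECASE)   # VBA-style comment lines (assumed syntax)

def skeleton(source: str) -> str:
    """Reduce macro source to its skeleton: drop comment lines and blank
    lines, collapse runs of whitespace and normalise case, so that junk
    inserted between generations does not change the result."""
    kept = []
    for line in source.splitlines():
        if not line.strip() or COMMENT_LINE.match(line):
            continue
        kept.append(re.sub(r"\s+", " ", line).strip().lower())
    return "\n".join(kept)

def matches(source: str, signature: str) -> bool:
    """Signature scan on the skeleton rather than on the raw text."""
    return signature in skeleton(source)

# Constructed, harmless macro text in two 'generations' that differ only in
# padding (comments, blank lines, indentation, letter case).
GEN_A = """Sub Greeting()
    ' generation A: indented, with a comment
    Dim msg As String
    msg   =  "hello"
    MsgBox   msg
End Sub
"""
GEN_B = """Sub Greeting()
Rem generation B: junk Rem lines and blank lines instead
Rem more junk

DIM MSG AS STRING
msg = "hello"

MsgBox msg
End Sub
"""
# Constructed skeleton signature: the normalised statements expected in order.
SIGNATURE = 'dim msg as string\nmsg = "hello"\nmsgbox msg'
```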
Exact Identification
In this method, more than one set of constant bytes in the virus code is searched for during scanning. As a result, the number of false positives in virus detection is reduced considerably.
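The following added example (written for this page, not taken from the article or from any anti-virus product) ties together string scanning, bookmarks and exact identification in Python: a hex signature with single-byte and variable-length wildcards is compiled to a regex, the bookmark locates the start of the virus code from the match offset, and the constant byte ranges are checked before the file is declared infected. The detection record, the offsets and the byte buffers are constructed for illustration.

```python
import re

def compile_signature(sig: str):
    """Compile an AV-style hex signature into a bytes regex.

    'A5' matches one exact byte, '??' matches any single byte and '[n-m]'
    matches between n and m arbitrary bytes (a variable-length wildcard
    for jumps or padding of unknown size)."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("["):
            lo, hi = tok.strip("[]").split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

# Hypothetical detection record (constructed, not a real virus definition):
# the wildcard signature, its bookmark (distance of the signature from the
# start of the virus code) and exact-identification ranges given as
# (offset from virus start, expected constant bytes).
RECORD = {
    "name": "Example.Constructed.A",
    "signature": "B9 ?? ?? 00 00 80 34 0E [1-2] E2 F9",
    "bookmark": 6,
    "exact": [(0x00, bytes.fromhex("60 E8 00 00 00 00")), (0x11, b"\xC3")],
}

def scan(data: bytes, rec: dict = RECORD):
    """Return (verdict, virus_start): string scanning first, then the
    bookmark check, then exact identification over the constant ranges."""
    m = compile_signature(rec["signature"]).search(data)
    if not m:
        return "clean", None
    start = m.start() - rec["bookmark"]
    if start < 0:
        return "suspicious: bookmark points before file start", None
    for off, const in rec["exact"]:
        if data[start + off:start + off + len(const)] != const:
            return "suspicious: signature only", start
    return "infected: " + rec["name"], start

# Constructed buffers: a fake host program with and without the sample body.
HOST = b"MZ" + b"\0" * 30
VIRUS = bytes.fromhex("60 E8 00 00 00 00 B9 10 00 00 00 80 34 0E 55 E2 F9 C3")
INFECTED = HOST + VIRUS + b"\0" * 16
CLEAN = HOST + b"\x90" * 32
LOOKALIKE = HOST + b"\x55\x8B\xEC" + VIRUS[6:] + b"\0" * 16   # same loop, other prologue
```

The LOOKALIKE buffer shows the point of the extra stages: the wildcard signature alone fires on it, but the bookmark-relative constant bytes do not match, so it is reported as suspicious rather than identified.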
Heuristics Analysis
In this method, a number of heuristics are used to detect virus infections. Some commonly used heuristic flags are:
- Possible gap between sections
- Suspicious section characteristics
- Suspicious code section name
- Multiple or suspicious PE Headers
- Suspicious imports from kernel
- Suspicious code redirection
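As an added example (not from the article), this Python evaluates several of the heuristic flags listed above on a PE32 header by walking the DOS header, COFF header, optional header and section table with struct: a gap between sections, a section that is both writable and executable, an uncommon section name, more than one PE header in the file, and an entry point that lies outside any code section. The sample images are constructed in memory and the set of "common" section names is an assumption.

```python
import struct

SCN_CODE, SCN_EXEC, SCN_WRITE = 0x20, 0x20000000, 0x80000000   # IMAGE_SCN_* bits
COMMON_NAMES = {b".text", b".data", b".rdata", b".rsrc", b".reloc", b".idata", b".bss"}  # assumption

def parse_pe(data: bytes):
    """Return (entry_rva, section_alignment, [(name, rva, vsize, flags), ...]) from a PE32 buffer."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    align = struct.unpack_from("<I", data, opt + 32)[0] or 0x1000
    secs = []
    for i in range(nsec):
        name, vsize, rva, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0"), rva, vsize, flags))
    return entry, align, secs

def heuristic_flags(data: bytes):
    """Apply the heuristics; an empty list means nothing looked odd."""
    entry, align, secs = parse_pe(data)
    flags = []
    if data.count(b"PE\0\0") > 1:                        # crude check for a second PE header in the file
        flags.append("multiple PE headers")
    for i, (name, rva, vsize, ch) in enumerate(secs):
        if name not in COMMON_NAMES:
            flags.append(f"suspicious section name {name!r}")
        if ch & SCN_WRITE and ch & SCN_EXEC:
            flags.append(f"section {name!r} is writable and executable")
        if i + 1 < len(secs):
            end = -(-(rva + vsize) // align) * align     # section end rounded up to SectionAlignment
            if secs[i + 1][1] > end:
                flags.append(f"gap after section {name!r}")
    if not any(rva <= entry < rva + vsize and ch & SCN_CODE for _, rva, vsize, ch in secs):
        flags.append("entry point outside any code section")
    return flags

def build_pe(sections, entry: int, align: int = 0x1000) -> bytes:
    """Build a minimal PE32 header set from (name, rva, vsize, flags) tuples (constructed test data)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(14) + struct.pack("<I", entry) + bytes(12) + struct.pack("<I", align) + bytes(0xE0 - 36)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, rva, vs, 0, 0, 0, 0, 0, ch)
                     for n, rva, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed samples: a plausible benign layout, and one with a gap, an odd W+X section and the entry point in it.
BENIGN = build_pe([(b".text", 0x1000, 0x800, SCN_CODE | SCN_EXEC), (b".data", 0x2000, 0x200, 0xC0000040)], entry=0x1010)
ODD = build_pe([(b".text", 0x1000, 0x800, SCN_CODE | SCN_EXEC), (b".xyz", 0x5000, 0x400, SCN_EXEC | SCN_WRITE | 0x40)], entry=0x5000)
```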
Static Decryptor Detection
This method is used to detect encrypted viruses. String scanning specific to the particular virus is used to detect the decryptor of the virus.
X-RAY Scanning
When an encrypted virus is first detected, the plaintext body of that particular virus is obtained. Then a number of encryption techniques commonly used by virus writers are applied to specific parts of the code, like the top and tail of the file, the entry point etc., and the results are used to scan an unknown file for the signature of the virus.
This technique is normally used against polymorphic viruses. The problem with this method is that it is very time consuming.
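The following Python is an added example (not the article's code) of X-RAY scanning against the two simplest byte-wise ciphers: every key of each cipher is tried over the top and the tail of the file, and the result is searched for the known plaintext body. The plaintext body, the two ciphers tried and the window size are constructed assumptions; the three nested loops also make the cost that the text mentions visible.

```python
# Candidate ciphers: each entry decrypts `buf` under a one-byte `key` (assumed set).
CIPHERS = {
    "xor": lambda buf, key: bytes(b ^ key for b in buf),
    "add": lambda buf, key: bytes((b - key) & 0xFF for b in buf),   # inverse of byte-wise ADD
}

def xray_scan(data: bytes, plaintext: bytes, window: int = 64):
    """Try every cipher/key over the top and tail of `data` and report the
    first combination that reveals the known plaintext body.
    Returns (region, cipher, key, absolute_offset) or None."""
    n = window + len(plaintext)
    regions = {"top": (0, data[:n]), "tail": (max(len(data) - n, 0), data[-n:])}
    for where, (base, region) in regions.items():
        for name, decrypt in CIPHERS.items():
            for key in range(256):                  # 2 regions x 2 ciphers x 256 keys per file
                pos = decrypt(region, key).find(plaintext)
                if pos != -1:
                    return where, name, key, base + pos
    return None

# Constructed samples: the plaintext body is made up; stub and filler are zero bytes.
PLAIN = b"CONSTRUCTED-PLAINTEXT-VIRUS-BODY"

def encrypt_add(buf: bytes, key: int) -> bytes:
    return bytes((b + key) & 0xFF for b in buf)

TOP_SAMPLE = bytes(12) + encrypt_add(PLAIN, 0x21) + bytes(200)    # body near the top, ADD key 0x21
TAIL_SAMPLE = bytes(200) + CIPHERS["xor"](PLAIN, 0x5A)            # body at the tail, XOR key 0x5A
```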
Code Emulation
This technique is widely used to detect viruses. In this method, a virtual environment simulates the CPU, memory, storage resources and some necessary functions of an operating system, and the virus code is made to run in that environment. As the code runs, its behavior is observed and analyzed, and that information is used to detect new infections of the virus.
Disadvantages of traditional anti-virus techniques
Though the techniques of virus detection improved a lot over time, they have their own disadvantages, which eventually made traditional anti-virus programs ineffective. A number of them are mentioned below:
- The signature scanning method maintains a database of signatures of known viruses, against which unknown files are scanned. But as the number of viruses started increasing drastically over time, it became quite impractical to maintain such databases of virus signatures.
- The signature database does not contain signatures of newly found viruses until they have been analyzed successfully and added to the database. This makes traditional anti-virus programs quite ineffective at detecting new viruses.
- Traditional techniques of detecting viruses are ineffective against zero-day threats.
- Attackers often use techniques like crypters, server-side polymorphism etc., which make it much more difficult for traditional anti-virus programs to detect them.
The Next Generation Anti-Virus or NGAV
Next Generation Anti-Virus, or NGAV, is a technique that relies on machine learning to dissect new viruses in an automated way. It uses dynamic analysis approaches to detect viruses, instead of relying on analysis of previously captured virus samples. As a result, NGAV products are much more effective at detecting new viruses and zero-day threats than traditional anti-virus programs.
An NGAV may use several techniques to detect viruses. Some of them are mentioned below:
Automated Static Analysis
In this method, the suspicious binary file is divided into parts and each part is analyzed based on features visible in the binary code. If behavior or characteristics known to be malicious are seen, the binary file is flagged as infected. This technique is applied in an automated way.
Dynamic Analysis through Emulation
The suspicious binary is encapsulated within an optimized emulated environment and its behavior is analyzed. If any malicious characteristics are found, the binary is flagged as infected.
Dynamic Analysis through Virtualization
In this technique, the suspicious binary is analyzed in a virtual environment instead of an emulated one to detect malicious characteristics.
Dynamic Analysis through Bare-metal
In this case, the suspicious binary is analyzed in an environment that most accurately replicates that of a real, vulnerable device, and its characteristics are observed. Many times, when malware can detect that it is being run in a virtual environment, it changes its behavior to avoid being analyzed. This method is quite effective for analyzing such malware.
So, to summarize:
- NGAV does not rely on prior knowledge of a malicious binary to detect its infections.
- It dynamically analyzes suspicious binaries to detect malicious behaviors.
- It does not require manual intervention to detect newly found viruses.
NGAV uses machine learning to detect newly found viruses in an automated fashion. It applies the above-mentioned methods to detect malicious behaviors and then extracts the corresponding features of a malicious binary. It then trains the software on those features, so that when those features are observed in a suspicious new binary, it can flag it as infected.
This article gives a brief overview of the techniques used in virus detection and Next Generation Anti-Virus. Hope you liked it.
I love how antivirus technology works, the way it traces heuristics and behavior of the malware. But some AV software detects software as malware even if it's not malware. The only AV software that hasn't made a mistake since I've used it is ESET Antivirus.
Yes, ESET is bug free and does the job. Great software.