Antivirus Software

By: Eng. Ammar J.Mahmood

Supervised by: Dr. Lo’ai Tawalbeh
New York Institute of Technology (NYIT)-
Jordan’s campus
12/20/21 Eng. Ammar Mahmood 1
Introduction
 Antivirus software consists of computer
programs that attempt to identify, thwart and
eliminate computer viruses and other malicious
software (malware).
 Malware or Malicious Software is software
designed to infiltrate or damage a computer
system without the owner's informed consent.
 Types of malware include spyware, adware,
Trojan horses, Worms, and viruses.

12/20/21 Eng. Ammar Mahmood 2

 Malware

“Know your enemy”

12/20/21 Eng. Ammar Mahmood 3

The Virus
 A computer virus is a self-replicating computer
program written to alter the way a computer
operates, without the permission or knowledge
of the user
 Why people create computer viruses?
 Some virus writers consider their creations to be
works of art, and see virus writing as a creative hobby
 Viruses have been written as research projects,
pranks, vandalism, to attack the products of specific
companies

12/20/21 Eng. Ammar Mahmood 4

The Virus
 Why people create computer viruses?
 Some viruses were intended as "good
viruses". They spread improvements to the
programs they infect, or delete other viruses.
These viruses are, however, quite rare, still
consume system resources, may accidentally
damage systems they infect.

12/20/21 Eng. Ammar Mahmood 5

The Virus
 Viruses can be subdivided into a number of types, the
main ones being:
 Boot sector viruses:
 alters or hides in the boot sector, usually the 1st sector, of a
bootable disk or hard drive.
 contains code for bootstrapping programs (usually activates, but not
necessarily, operating systems)
 Boot sector infector viruses replace the bootstrap code in the boot
sectors (of floppy disks, hard disks, or both) with viral code.
 the BIOS on IBM PC compatible machines is ignorant of whether a
disk has in fact been high-level formatted and had an operating
system installed in it
 This results in a security vulnerability. A user who sees the error
message may not be aware that the code in the boot sector of the
disk has already been run by that point, and that if the disk was
infected by a boot-sector computer virus

12/20/21 Eng. Ammar Mahmood 6

The Virus
 Companion viruses: creates new files (typically
.COM but can also use other extensions such as
".EXD") that have the same file names as
legitimate .EXE files. When a user types in the name
of a desired program, if a user does not type in ".EXE"
but instead does not specify a file extension, DOS will
assume he meant the file with the extension that
comes first in alphabetical order and run the virus.
 Email viruses: is a virus which uses e-mail
messages as a mode of transport. These viruses
often copy themselves by automatically mailing
copies to hundreds of people in the victim's address
book.

12/20/21 Eng. Ammar Mahmood 7

The Virus
 Logic bombs and time bombs: employs code that
lies inert until specific conditions (e.g.infected a
certain number of hosts ) are met. The resolution of
the conditions will trigger a certain function (such as
printing a message to the user and/or deleting files).
 Macro viruses: often written in the scripting
languages for Microsoft programs such as Word and
Excel, is spread in Microsoft Office by infecting
documents and spreadsheets.
 Cross-site scripting virus: is a type of virus that
utilizes cross-site scripting vulnerabilities to replicate.

12/20/21 Eng. Ammar Mahmood 8

The Virus
 Methods to avoid detection
 Avoiding bait files and other undesirable hosts: A virus
needs to infect hosts in order to spread further. In some cases, it
might be a bad idea to infect a host program. For example, many
anti-virus programs perform an integrity check of their own code.
Infecting such programs will therefore increase the likelihood
that the virus is detected.
 Bait files (or goat files) are files that are specially created by anti-
virus software
 Anti-virus professionals can use bait files to take a sample of a virus
 Anti-virus professionals can use bait files to study the behavior of a
virus and evaluate detection methods.
 Some anti-virus software employs bait files that are accessed
regularly. When these files are modified, the anti-virus software
warns the user that a virus is probably active on the system.

12/20/21 Eng. Ammar Mahmood 9

The Virus
 Stealth\Rootkit:
 A virus can hide itself by intercepting the anti-virus
software’s request to read the file and passing the
request to the virus, instead of the OS.
 The virus can then return an uninfected version of

the file to the anti-virus software, so that it seems

that the file is "clean“.
 Modern anti-virus software employs various

techniques to counter stealth mechanisms of

viruses.

12/20/21 Eng. Ammar Mahmood 10

The Virus
 A rootkit is a set of software tools intended to
conceal running processes, files or system data
from the operating system
 Rootkit types:
 Virtualised: These rootkits work by modifying the boot
sequence of the machine to load themselves instead of
the original operating system. Once loaded into memory
a virtualised rootkit then loads the original operating
system as a Virtual Machine thereby enabling the rootkit
to intercept all hardware calls made by the guest OS
 Kernel level:Kernel level rootkits add additional code
and/or replace a portion of kernel code with modified
code to help hide a backdoor on a computer system

12/20/21 Eng. Ammar Mahmood 11

The Virus
 Rootkit types
 Library level :commonly patch, hook, or replace system calls
with versions that hide information about the attacker.
 Application level rootkits may replace regular application
binaries with trojanized fakes, or they may modify the behavior
of existing applications using hooks, patches, injected code, or
other means.
 The only completely reliable method to avoid stealth is to
boot from a medium that is known to be clean.
 Done byshut down the computer suspected of infection and
check its storage by booting from an alternative media (e.g.
rescue CD-ROM or USB flash drive). A non-running rootkit
cannot hide its presence and most established antivirus
programs will identify rootkits armed via standard OS calls

12/20/21 Eng. Ammar Mahmood 12

The Virus
 Self-modification:
 Some viruses employ techniques that make detection by
means of signatures difficult or impossible.
 These viruses modify their code on each infection. That is,
each infected file contains a different variant of the virus.
 Simple self-modifications: some viruses modified themselves
only in simple ways. For example, they regularly exchanged
subroutines in their code for others that would perform the
same action - for example, 2+2 could be swapped for 1+3.
This poses no problems to a somewhat advanced virus
scanner.

12/20/21 Eng. Ammar Mahmood 13

The Virus
 Encryption with a variable key:
 A more advanced method is the use of simple encryption to
encipher the virus.
 the virus consists of a small decrypting module and an
encrypted copy of the virus code
 the virus is encrypted with a different key for each infected
file, the only part of the virus that remains constant is the
decrypting module.
 a virus scanner cannot directly detect the virus using
signatures, but it can still detect the decrypting module,
which still makes indirect detection of the virus possible.

12/20/21 Eng. Ammar Mahmood 14

The Virus
 Polymorphic code:
 Polymorphic code was the first technique that posed a
serious threat to virus scanners.
 Same as encrypted viruses except that decryption module is
also modified on each infection.
 To enable polymorphic code, the virus has to have a
polymorphic engine (also called mutating engine or mutation
engine) somewhere in its encrypted body
 Anti-virus software can detect it by decrypting the viruses
using an emulator, or by statistical pattern analysis of the
encrypted virus body.

12/20/21 Eng. Ammar Mahmood 15

The Virus
 Metamorphic code:
 To avoid being detected by emulation, some viruses rewrite
themselves completely each time they are to infect new
executables.
 it does this by translating its own code into a temporary
representation, and then back to normal code again
 Metamorphic code is more effective than polymorphic code. This
is because most anti-virus software will try to search for known
virus-code even during the execution of the code
 A metamorphic virus is usually very large and complex. For
example, W32/Simile consisted of over 14000 lines of Assembly
language code, 90% of it part of the metamorphic engine.

12/20/21 Eng. Ammar Mahmood 16

The Virus
 Replication strategies
 In order to replicate itself, a virus must be
permitted to execute code and write to
memory. For this reason, many viruses attach
themselves to executable files that may be
part of legitimate programs
 Viruses can be divided into two types, on the
basis of their behavior when they are
executed

12/20/21 Eng. Ammar Mahmood 17

The Virus
 Nonresident viruses:
 immediately search for other hosts that can be
infected, infect these targets, and finally transfer
control to the application program they infected
 Nonresident viruses can be thought of as
consisting of a finder module and a replication
module
 The finder module is responsible for finding new
files to infect. For each new executable file the
finder module encounters, it calls the replication
module to infect that file.

12/20/21 Eng. Ammar Mahmood 18

The Virus
 Resident viruses
 Resident viruses do not search for hosts when they are started.
Instead, a resident virus loads itself into memory on execution
and transfers control to the host program.
 The virus stays active in the background and infects new hosts
when those files are accessed by other programs or the
operating system itself.
 Resident viruses contain a replication module that is similar to
the one that is employed by nonresident viruses. However, this
module is not called by a finder module. Instead, the virus loads
the replication module into memory when it is executed and
ensures that this module is executed each time the operating
system is called to perform a certain operation

12/20/21 Eng. Ammar Mahmood 19

The Virus
 Resident viruses are sometimes subdivided into a
category:
 Fast infectors: are designed to infect as many files as
possible. It can infect every potential host file that is
accessed.
 This poses a special problem to anti-virus software, since a
virus scanner will access every potential host file on a computer
when it performs a system-wide scan. If the virus scanner fails
to notice that such a virus is present in memory, the virus can
"piggy-back" on the virus scanner and in this way infect all files
that are scanned.
 The disadvantage of this method is that infecting many files
may make detection more likely, because the virus may slow
down a computer or perform many suspicious actions that can
be noticed by anti-virus software.
12/20/21 Eng. Ammar Mahmood 20
The Virus
 2nd category Slow infectors:
 are designed to infect hosts infrequently. For
instance, some slow infectors only infect files when
they are copied.
 Slow infectors are designed to avoid detection by
limiting their actions: they are less likely to slow
down a computer noticeably, and will at most
infrequently trigger anti-virus software that detects
suspicious behavior by programs.
 The slow infector approach does not seem very
successful however.

12/20/21 Eng. Ammar Mahmood 21

The Virus
 Host types:
 Binary executable files (such as COM files and EXE files in MS-
DOS, Portable Executable files in Microsoft Windows, and ELF
files in Linux)
 Volume Boot Records of floppy disks and hard disk partitions
 The master boot record (MBR) of a hard disk
 General-purpose script files (such as batch files in MS-DOS and
Microsoft Windows, VBScript files, and shell script files on Unix-
like platforms).
 Application-specific script files (such as Telix-scripts)
 Documents that can contain macros (such as Microsoft Word
documents, Microsoft Excel spreadsheets, AmiPro documents,
and Microsoft Access database files)

12/20/21 Eng. Ammar Mahmood 22

The Worm
 A computer worm is a self-replicating computer
program. It uses a network to send copies of
itself to other nodes (computer terminals on the
network) and it may do so without any user
intervention.
 Unlike a virus, it does not need to attach itself to
an existing program.
 Worms always harm the network (if only by
consuming bandwidth), whereas viruses always
infect or corrupt files on a targeted computer.

12/20/21 Eng. Ammar Mahmood 23

The Worm
 Types of computer worms:
 Email Worms Spread via email messages. Typically
the worm will arrive as email, where the message
body or attachment contains the worm code, but it
may also link to code on an external website.
 Instant messaging worms The spreading used is via
instant messaging applications by sending links to
infected websites to everyone on the local contact list
 IRC worms Chat channels are the main target and
the same infection/spreading method is used as
above

12/20/21 Eng. Ammar Mahmood 24

The Worm
 Types of computer worms:
 File-sharing networks worms Copies itself into a
shared folder, most likely located on the local
machine. The worm will place a copy of itself in a
shared folder under a harmless name. Now the worm
is ready for download via the P2P network and
spreading of the infected file will continue.
 Internet worms
 Those which target low level TCP/IP ports directly, rather
than going via higher level protocols such as email or IRC.
 A classic example is "Blaster" which exploited a vulnerability
in Microsoft's Remote procedure call (RPC). An infected
machine aggressively scans random computers on both its
local network and the public Internet attempting an exploit
against port 135 which, if successful, spreads the worm to
that machine.
12/20/21 Eng. Ammar Mahmood 25
The Worm
 Payloads:
 Many worms have been created which are only
designed to spread, and don't attempt to alter the
systems they pass through.
 A "payload" is code designed to do more than spread
the worm - it might delete files on a host system (e.g.
the ExploreZip worm), encrypt files in a cryptoviral
extortion attack, or send documents via e-mail.
 A very common payload for worms is to install a
backdoor in the infected computer to allow the
creation of a "zombie" under control of the worm
author

12/20/21 Eng. Ammar Mahmood 26

 Antivirus SW

12/20/21 Eng. Ammar Mahmood 27

Antivirus
 Antivirus software typically uses two different
techniques to accomplish his mission:
 Examining (scanning) files to look for known viruses
matching definitions in a virus dictionary
 Identifying suspicious behavior from any computer
program which might indicate infection. Such analysis
may include data captures, port monitoring and other
methods.

12/20/21 Eng. Ammar Mahmood 28

Antivirus modes
 Anti-virus programs have two basic modes:
 “static” file scanning: useful for when you have to
scan a file or a volume to check to see if any of the
files are currently infected with malware
 real-time “dynamic” scanning: is really what is needed
to prevent the computer from getting infected in the
first place. In this mode, all files that the operating
system opens or uses are scanned first before they
are fully opened.

12/20/21 Eng. Ammar Mahmood 29

Approaches
 Dictionary
 A signature is a characteristic byte-pattern that is part of a
certain virus or family of viruses
 In the virus dictionary approach, when the antivirus software
examines a file, it refers to a dictionary of known viruses that
the authors of the antivirus software have identified. If a piece of
code in the file matches any virus identified in the dictionary,
then the antivirus software can take one of the following
actions:
1. attempt to repair the file by removing the virus itself from the file
2. quarantine the file (such that the file remains inaccessible to
other programs and its virus can no longer spread)
3. delete the infected file

12/20/21 Eng. Ammar Mahmood 30

Approaches
 Dictionary
 the virus dictionary approach requires periodic
(generally online) downloads of updated virus
dictionary entries.
 users identify new viruses "in the wild", they can send
their infected files to the authors of antivirus software,
who then include information about the new viruses in
their dictionaries.
 Dictionary-based antivirus software typically examines
files when the computer's operating system creates,
opens, closes or e-mails them. In this way it can
detect a known virus immediately upon receipt

12/20/21 Eng. Ammar Mahmood 31

Approaches
 Dictionary
 System Administrator can typically schedule
the antivirus software to examine (scan) all
files on the user's hard disk on a regular
basis.
 Although the dictionary approach can
effectively contain virus outbreaks in the right
circumstances.

12/20/21 Eng. Ammar Mahmood 32

Approaches
 Dictionary
 Virus’sTechnology to avoid the Dictionary
Approach is:
 Metamorphic code
 Polymorphic code

 Oligomorphic engine is generally used by a

computer virus to generate a decryptor for itself in a

way comparable to a simple polymorphic engine

12/20/21 Eng. Ammar Mahmood 33

Approaches
 Dictionary
 Previous technology weakness are:
 Polymorphism:
 A small portion of it is left unencrypted and used to jumpstart
the encrypted software. Anti-virus software targets this small
unencrypted portion of code.
 Anti-virus software can detect it by decrypting the viruses using
an emulator, or by statistical pattern analysis of the encrypted
virus body.
 most oligomorphic viruses aren't able to generate more than
just a few hundred different decryptors, so detecting them
with simple signatures is still possible

12/20/21 Eng. Ammar Mahmood 34

Approaches
 Suspicious behavior:
 The suspicious behavior approach doesn't
attempt to identify known viruses, but instead
monitors the behavior of all programs.
 If one program tries to write data to an
executable program, for example, the
antivirus software can flag this suspicious
behavior, alert a user and ask what to do.

12/20/21 Eng. Ammar Mahmood 35

Approaches
 Suspicious behavior
 the suspicious behavior approach therefore provides
protection against brand-new viruses that do not yet
exist in any virus dictionaries.
 However, it can also sound a large number of false
positives, and users probably become desensitized to
all the warnings.
 If the user clicks "Accept" on every such warning,
then the antivirus software obviously gives no benefit
to that user

12/20/21 Eng. Ammar Mahmood 36

Approaches
 Suspicious behavior weakness
 The fact the many legal SW behave like malicious SW
make the job of antivirus harder
 Ex:There are commercial software that have many
features as dynamic code encryption/decryption, code
replace, metamorphic engine, API export, anti
debug/dump/trace and more. They are used to
protect software programs from illegal use(cracking
and reverse engineering)

12/20/21 Eng. Ammar Mahmood 37

Approaches
 Heuristic analysis:
 try to emulate the beginning of the code of each new
executable that the system invokes before
transferring control to that executable.
 If the program seems to use self-modifying code or
otherwise appears as a virus (if it immediately tries to
find other executables, for example), one could
assume that a virus has infected the executable.
 Heuristic scanners have a higher rate of false
positives than do signature scanners but they have
the significant advantage of being able to detect
unknown viruses.

12/20/21 Eng. Ammar Mahmood 38

Approaches
 Sandbox:
 sandbox is a security mechanism for safely
running programs. It is often used to execute
untested code, or programs from unverified
third-parties, suppliers and untrusted users.
 emulates the operating system and runs the
executable in this simulation. After the program has
terminated, software analyzes the sandbox for any
changes which might indicate a virus.
 Because of performance issues, this type of detection
normally only takes place during on-demand scans
12/20/21 Eng. Ammar Mahmood 39
Approaches
 Sandbox:
 Also this method may fail as virus can be
nondeterministic and result in different actions
or no actions at all done then run - so it will be
impossible to detect it from one run.
 The sandbox typically provides a tightly-
controlled set of resources for guest programs
to run in

12/20/21 Eng. Ammar Mahmood 40

Weaknesses of antivirus SW
 Many security professionals agree that the
current approach to defend against
malicious software with antivirus is not
good enough, but it is best solution that we
have right now.
 Here is the brief summary of the main
shortcomings in the antivirus software:

12/20/21 Eng. Ammar Mahmood 41

Weaknesses of antivirus SW
1. Reactive approach: Your antivirus as good as your
definition files. If you did not update them, the antivirus
program will not be able to detect a new malware. The
most critical problems for the antivirus software to detect
malicious code are:
 new or modified malicious code
 rootkit programs
 Software Misuse
2. Inability to protect themselves: With sufficient system
permissions, malware can change antivirus settings and
configuration.

12/20/21 Eng. Ammar Mahmood 42

Weaknesses of antivirus SW
3. Inability to revert the results of malware infection
process.
 Too often, “installation process” of malware includes copying
files, changing registry and system configuration files, changing
other software configuration. Some of these changes still
present in the infected system, even after an antivirus program
delete or disinfect malware files.
 Almost for every severe virus/worm, antivirus vendors issues
“Removal Tool”.
 this is means that the antivirus vendors saying to their
customers: “our antivirus isn’t good enough to clean your system
– please use this tool”

12/20/21 Eng. Ammar Mahmood 43

Retro Viruses
 retro viruses are the viruses that attack security
programs
 “Attack is the best defense strategy”
 The malware instead of hiding from detection by
security SW it target these SW as its (part of)
malicious action
 We will discuss in the next slides some of the
technique used by the Retro viruses

12/20/21 Eng. Ammar Mahmood 44

The Black Antivirus
 a(white) antivirus used for the good purposes while Black
Antivirus is the same antivirus, but used for the “bad”
purposes.
 An unexpected problem:
 “virus definition database” has the definitions for security tools
used today in the computer security world to defend and protect
computer systems.
 Malware could includes antivirus engine and signature definition
files for security tools.
 To protect our tools we need to evade the Antivirus
detection! Therefore, our security tools need to be a
polymorphic or even metamorphic.

12/20/21 Eng. Ammar Mahmood 45

The Black Intrusion Detection
System:
 Malware can use IDS system to “shut down” security
systems at the network level.
 Such malware will primary target internal corporate
LAN and could carry itself an IDS engine or change
the existing one with new rules (if possible).
 malware carry engine itselfand use MAC and ARP
poisoning to sniff in a switched network.
 Any communication that passes the wire were the
malware was able to “see” it, is a subject for this
attack.
 The solution for this problem may be the use of covert
channels

12/20/21 Eng. Ammar Mahmood 46

 Practical
Examples

12/20/21 Eng. Ammar Mahmood 47

Virus Example
 Win32/Simile:
 is a metamorphic computer virus written in assembly language
for Microsoft Windows (most recent version in early March 2002)
 It was written by the virus writer Mental Driller
 When the virus is first executed, it checks the current date. If the
host file (the file that is infected with the virus) imports the file
User32.dll, then on the 17th of March, June, September, or
December, a message is displayed.
 Depending on the version of the virus the case of each letter in
the text is altered randomly. On May 14, a message saying
"Free Palestine!" will be displayed if the system locale is set to
Hebrew.

12/20/21 Eng. Ammar Mahmood 48

Virus Example
 The virus then rebuilds itself. This metamorphic process
is very complex and accounts for around 90% of the
virus' code
 After the rebuild, the virus searches for executable files
in folders on all fixed and remote drives.
 The virus contains checks to avoid infecting "goat" or
"bait" files
 The infection process uses the structure of the host, as
well as random factors, to control the placement of the
virus body and the decryptor.
 The virus contains no destructive payload

12/20/21 Eng. Ammar Mahmood 49

SQL slammer worm
 The SQL slammer worm is a computer worm that
caused a denial of service on some Internet hosts and
dramatically slowed down general Internet traffic
 It spread rapidly, infecting most of its 75,000 victims
within ten minutes.
 it exploited two buffer overflow bugs in Microsoft's
flagship SQL Server and Desktop Engine database
products
 The worm is a small (376 bytes) piece of code that does
little other than generate random IP addresses and send
itself out to those addresses.

12/20/21 Eng. Ammar Mahmood 50

SQL slammer worm
 If a selected address happens to belong to a
host that is running an unpatched copy of
Microsoft SQL Server Resolution MSDE
Service, the host immediately becomes infected
and begins spraying the Internet with more
copies of the worm program.
 The worm is so small that it does not contain
code to write itself to disk, so it only stays in
memory, and it is easy to remove.

12/20/21 Eng. Ammar Mahmood 51

Antivirus Example
 one of the most popular full-featured
freeware anti-virus applications for
Microsoft Windows users.
 Official website: http://www.avast.com/

12/20/21 Eng. Ammar Mahmood 52

Antivirus Example
 Features :
 Standard Shield — Real-time protection
 IM shield — Instant Messenger protection
 P2P shield — P2P protection
 Internet Mail — E-mail protection
 Outlook/Exchange — Microsoft Outlook/Exchange protection
 Web Shield — HTTP protection (local transparent proxy)
 Script blocker — script checker
 Network Shield — basic protection against well-known network
worms. Acts as a lightweight Intrusion Detection System
 Audible alarms — vocal warnings such as "Caution, a virus has
been detected!"
 boot-time scan — through the program interface, a user can
schedule a boot-time scan to remove viruses that load during
Windows startup and therefore difficult to remove.

12/20/21 Eng. Ammar Mahmood 53

Resources
 http://www.securityelf.org/files/Andrey_Bayora_software_
misuse.pdf
 http://en.wikipedia.org/wiki/Antivirus
 http://www.research.ibm.com/antivirus/SciPapers/Gordo
n/Strategy.html
 http://www.sans.org/reading_room/whitepapers/maliciou
s/68.php
 http://en.wikipedia.org/wiki/Software_virus
 http://www.symantec.com/security_response/writeup.jsp
?docid=2002-030617-5423-99
 http://en.wikipedia.org/wiki/Computer_virus

12/20/21 Eng. Ammar Mahmood 54

12/20/21 Eng. Ammar Mahmood 55