Brother
The debate about whether antivirus software is needed at all, or whether it is completely useless, has not died down since the first antivirus applications appeared. The arms race between malware authors and security vendors has gone on for about as long: one side keeps inventing new detection algorithms, the other keeps trying to bypass them at any cost.
How do modern antivirus programs work, and what methods do cybercriminals use to defeat them? That is what this article is about.
How do anti-virus companies update their databases?
As far as modern antivirus technology is concerned, the very word "antivirus" is more a tribute to tradition than a term that accurately describes what the product does. Classic file viruses, that is, malicious programs that infect executable files or dynamic libraries and spread without user intervention, are rare today. The overwhelming majority of malware encountered in the wild is Trojans, which neither infect file objects nor replicate themselves. Worms reach analysts somewhat less often: they copy themselves to removable media or network shares and spread over the network or by e-mail, but do not infect files. All other traditional categories of malware differ from each other only in their basic set of functions,

How Do Malware Samples Get Into Virus Labs?

Antivirus companies traditionally have several channels for receiving new samples. The first is online services such as VirusTotal: servers where any anonymous user can check an arbitrary file against dozens of popular antivirus engines at once. Every uploaded sample, whatever the scan result, is automatically forwarded to the vendors for closer study.
Obviously, a huge stream of junk arrives at virus labs from such services, including completely harmless text files and images, so the input is filtered by automated triage systems before anything moves further along the pipeline. The same services are also used by small companies that want to save on running their own virus lab: they simply copy other vendors' verdicts into their databases. That is why they regularly suffer spectacular failures when some vendor, as a joke or by mistake, flags a component of such an antivirus as infected: the product disables itself, to the annoyance of its users and the amusement of competitors.
The second channel is unsolicited submissions: suspicious files that users send to the virus lab through the vendor's website, at the request of technical support, or that are uploaded from quarantine. The third channel is honeypots, deliberately exposed virtual servers with open ports and credentials such as root/root, onto which bots happily upload their payloads, no doubt marvelling at the administrators' incompetence. Finally, the fourth channel is sample exchange between the vendors themselves, although in recent years, with competition intensifying and the market shrinking, cooperation between antivirus companies has all but disappeared.
Once a sample reaches the virus lab, it is sorted by file type and run through automated analysis tools that can issue a verdict on formal or technical grounds, for instance the packer it was protected with. Only if the automation cannot see through the malware is it passed to analysts for instrumented or manual analysis.
Anatomy of an antivirus
Antivirus products from different vendors contain different numbers of components, and a single vendor may ship several editions of its antivirus with different sets of modules aimed at different market segments. For example, some antiviruses include a parental-control component that restricts underage users' access to certain categories of websites or limits their time on the computer, and some do not. One way or another, a modern antivirus application usually has the following functional modules:
- antivirus scanner - a utility that searches disks and memory for malware on demand or on a schedule;
- resident monitor (on-access scanner) - a component that watches the system in real time and blocks attempts to download or launch malicious programs on the protected computer;
- firewall - a component that monitors network connections, inspecting incoming and outgoing traffic and checking the source and destination addresses of every packet leaving or arriving at the computer; data arriving from outside without a prior request from the protected host is tracked and filtered. Functionally the firewall is a filter on the information flow between the local computer and the Internet, a barrier between the computer and the rest of the network;
- web antivirus - a component that blocks access to dangerous resources (malware distribution, phishing and fraudulent sites) using a URL database or a reputation rating system;
- mail antivirus - a component that checks e-mail attachments and/or links sent by e-mail;
- anti-rootkit module - a module for fighting rootkits (malicious programs able to hide their presence on an infected system);
- preventive protection module - a component that protects the integrity of data vital to the system's health and prevents dangerous actions by programs;
- update module - a component that keeps the other antivirus modules and the virus databases up to date;
- quarantine - a centralised protected store where suspicious (and in some cases definitely infected) files and applications are held until a final verdict is reached.
Depending on the edition and purpose of the antivirus, it may include other functional modules, for example components for centralised administration and remote management.
Signature detection
Modern antivirus programs use several malware detection methods in various combinations. The main one is signature-based detection.

This method relies on so-called signatures: unique identifiers derived from the contents of the file under examination, typically a particular sequence of bytes. A signature is in effect a "fingerprint" of the file: it can be used to identify a specific file or application. File hashes such as SHA-1 or SHA-256 work on a similar principle: hashing transforms the file's contents with a one-way mathematical function (a cryptographic hash algorithm) into a fixed-length digest, conventionally written as a string of hexadecimal characters. The function is called one-way because computing the hash of a file is easy, while recovering the original file from its hash is computationally infeasible. A virus signature is somewhat more complicated: in addition to the hash,
Signatures are collected into a data block called the virus database. The virus databases of antivirus programs are updated periodically to add signatures of new threats investigated since the last update.
The antivirus examines files stored on disk (or downloaded from the Internet) and compares the results with the signatures in its database. If there is a match, the file is considered malicious. The technique has an inherent weakness: an attacker need only change a few bytes of the file (any byte at all, for a whole-file hash; a byte inside the matched region, for a byte-pattern signature) and the signature no longer matches. Until a new sample of the malware reaches the virus lab and its signature is added to the database, the antivirus cannot recognise or remove the threat.
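As an added example, not part of the original article, here is a Python illustration of the difference between a whole-file hash and a byte-pattern signature, and what a single changed byte does to each. The sample (a fake PE-like blob containing a suspicious command string), the pattern and the one-entry hash database are constructed for this example and are not taken from any real malware or vendor database.

```python
"""Added example (not from the original article): whole-file hash versus
byte-pattern signature, and the effect of changing a single byte.

The sample, hash database and pattern are constructed for illustration."""
import hashlib
import re

# Constructed sample: a fake PE-like header, padding, a suspicious command, padding.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 32
          + b"cmd.exe /c del C:\\boot.ini" + b"\x00" * 32)

# Signature type 1: a whole-file hash, as a simple blocklist would store.
HASH_DB = {hashlib.sha256(SAMPLE).hexdigest()}

# Signature type 2: a byte pattern with a wildcard for the file name,
# as classic pattern databases use. Any non-NUL run of 1..32 bytes is accepted.
PATTERN_DB = [re.compile(rb"cmd\.exe /c del [^\x00]{1,32}\.ini", re.DOTALL)]


def match_hash(data: bytes) -> bool:
    """Hash lookup: changing any byte anywhere breaks the match."""
    return hashlib.sha256(data).hexdigest() in HASH_DB


def match_pattern(data: bytes) -> bool:
    """Pattern scan: only a change inside the matched, non-wildcard bytes breaks it."""
    return any(p.search(data) is not None for p in PATTERN_DB)


def scan(data: bytes) -> dict:
    """Verdict of each signature type for the given file contents."""
    return {"hash": match_hash(data), "pattern": match_pattern(data)}


def flip_byte(data: bytes, offset: int) -> bytes:
    """Invert one byte at `offset`: the cheapest possible 'repack'."""
    buf = bytearray(data)
    buf[offset] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    print("unmodified:            ", scan(SAMPLE))
    print("padding byte changed:  ", scan(flip_byte(SAMPLE, 10)))
    print("file-name byte changed:", scan(flip_byte(SAMPLE, SAMPLE.index(b"boot"))))
    print("command byte changed:  ", scan(flip_byte(SAMPLE, SAMPLE.index(b"del"))))
```

Run as a script it prints four verdicts: the unmodified sample matches both signatures; a change in the padding or in the wildcarded file name evades the hash but not the pattern; a change inside the fixed part of the pattern evades both. This is why real databases carry several signatures per family and, as the later sections explain, scan the unpacked image rather than the file as stored.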
Behavioral Analysis
In addition to signature detection, most modern antivirus programs use some form of behavioural analysis. Behavioural analysis can be classed as a kind of probabilistic analysis: as the name implies, the antivirus watches the behaviour of applications and, if it looks suspicious, blocks the potentially dangerous program.

One safe way to study an application's behaviour is to run it in a so-called sandbox: an isolated virtual container in which the application's access to OS components and the file system is virtualised and monitored, so that it cannot harm the real system. If the program's behaviour looks suspicious to the antivirus, for example if it injects code into other processes, modifies the boot record, or alters the structure of executable files, it can be flagged as potentially dangerous or malicious.
Heuristic analysis
Heuristic analysis is a kind of probabilistic analysis of malware based on logical rules that identify and neutralise a potentially dangerous application. It comes to the user's aid when a threat cannot be detected by signatures.

Simplifying, the basic principle of heuristic analysis is this. Each operation a program can perform in the operating system is assigned a conditional "hazard rating". Some actions are considered less dangerous, others more so. If the total for all the actions an application performs exceeds a conditional "safety threshold", the application is deemed potentially malicious.
For example, if a program runs in the background without a graphical interface, polls remote servers one after another, then tries to download an application from them and launch it, it is very likely a downloader Trojan. Or the Google Chrome update utility. This is the obvious Achilles' heel of the heuristic method: a high rate of false positives.
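To make the hazard-rating idea concrete, here is a small Python scorer added for this article; it is not the article's own code and the weights are not those of any real product (the weights, threshold, event names and both traces are constructed). It scores a constructed downloader trace and a constructed updater trace, reproduces the false positive described above, and shows one common way of suppressing it: letting trust evidence, such as a valid signature from a known publisher (assumed here, not verified), count against the score.

```python
"""Added example (not from the original article): a toy heuristic scorer.

Every observed action carries a hazard weight; a sample whose total crosses the
threshold is flagged. Weights, threshold, action names and traces are constructed."""

HAZARD = {
    "no_gui": 1,
    "runs_in_background": 1,
    "polls_remote_host": 2,
    "downloads_executable": 3,
    "executes_downloaded_file": 4,
    "writes_autorun_key": 4,
    "injects_into_process": 5,
    "modifies_boot_record": 6,
}
THRESHOLD = 10

# Evidence that lowers the score. A real engine would verify the signature;
# here it is an assumed label on the trace.
TRUST = {"signed_by_known_publisher": -6}


def hazard_score(actions) -> int:
    """Sum the weight of every distinct action the sample performed."""
    return sum(HAZARD.get(a, 0) for a in set(actions))


def verdict(actions, threshold: int = THRESHOLD) -> str:
    """Pure hazard-rating verdict, no trust evidence."""
    return "suspicious" if hazard_score(actions) >= threshold else "clean"


def verdict_with_trust(actions, evidence, threshold: int = THRESHOLD) -> str:
    """Same verdict, but trust evidence is subtracted from the score first."""
    score = hazard_score(actions) + sum(TRUST.get(e, 0) for e in evidence)
    return "suspicious" if score >= threshold else "clean"


# Constructed trace of a downloader Trojan (repeated polling counted once).
DOWNLOADER = ["no_gui", "runs_in_background", "polls_remote_host",
              "polls_remote_host", "downloads_executable",
              "executes_downloaded_file", "writes_autorun_key"]

# Constructed trace of a legitimate auto-updater: the same first five actions.
UPDATER = ["no_gui", "runs_in_background", "polls_remote_host",
           "downloads_executable", "executes_downloaded_file"]

if __name__ == "__main__":
    print("downloader:", hazard_score(DOWNLOADER), verdict(DOWNLOADER))
    print("updater:   ", hazard_score(UPDATER), verdict(UPDATER))
    print("updater, signed:", verdict_with_trust(UPDATER, ["signed_by_known_publisher"]))
```

The downloader scores 15 and the updater 11, so both cross the threshold of 10: the false positive of the paragraph above. Counting the (assumed) publisher signature brings the updater down to 5 while the unsigned downloader stays at 15, which is the general shape of how products tame heuristics: the hazard score is weighed against reputation and trust signals, not used alone.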
Another form of heuristic analysis is emulation of program execution. The antivirus loads the suspicious application into its own buffer, decodes the code into instructions and executes them one by one in an emulator, inspecting the results.
Heuristic analysis is used to identify and neutralise threats still unknown to the antivirus, that is, those whose signatures are not yet in the virus database. This leads logically to another drawback of heuristic algorithms: even when a previously unknown threat is detected, it is not always possible to disinfect it immediately. In many cases the user has to wait for the next database update, which contains removal routines specific to that malicious program.
Proactive Defense (HIPS)
Proactive antivirus protection (HIPS, Host-based Intrusion Prevention System) can also be classed as protection based on behavioural analysis. The antivirus monitors running applications and notifies the user of particular actions a program attempts. It is up to the user to allow or deny the action. That is the classic HIPS implementation. There is also the so-called expert mode, in which the antivirus blocks the actions of particular applications on its own, based on a built-in set of rules and permissions. If necessary, the user can add any program to the exclusion list, permitting it to perform all or only selected actions on the protected system.

Anti-virus countermeasures
Unfortunately, the contest between virus writers and antivirus vendors never ends: the former keep inventing new ways to bypass antivirus protection, the latter keep improving their algorithms for finding and detecting malware. Let us list the main techniques virus writers use.

Repackaging
The most widespread method, actively used by virus writers to evade signature detection. As noted above, a signature is something like a fingerprint for a specific file, unique to that file object. Accordingly, if even minor changes are made to the file, the antivirus can no longer "recognise" it by signature, and the file goes undetected until it reaches the research lab.

The easiest way to change a file's structure without changing its functionality is to wrap it in a software packer. Packers compress the contents of the application file and prepend code that unpacks and runs the program. Some also include encryption features that make such an application harder to analyse. This is what cybercriminals take advantage of.
Each time the file is repacked, its signature changes and it becomes "invisible" to signature-based detection. To make a virus or Trojan harder to study, some virus writers pack and encrypt their creations in several layers: under one packer lies another compressed and encrypted object, under that another, and the whole structure ends up like a nesting doll whose "core" is very hard to reach.
Sometimes cybercriminals use another method: a special script is installed on the server from which the malware is distributed to victims. When the script is triggered (for example, when a user follows a link), it takes the malware binary from a directory on the server, packs it on the fly and only then serves it to the user. Thus every victim receives their own unique copy of the malicious program, guaranteed not to be detected by signature.
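The following Python example, added for this article and not taken from it, models the server-side script just described. A toy packer (zlib compression plus XOR with a fresh 16-byte random key per request, which stands in for a real packer and is far weaker than one) produces a different file on every download, so neither a hash nor a byte-pattern signature on the stored file matches, while the unpacked payload is identical every time; a `layers` argument stacks several packings like the nesting doll above. It also shows the analyst-side answer: a scanner that knows the packer strips the layers and scans the real code. The payload, the signature and the hash database are constructed.

```python
"""Added example (not from the original article): per-victim repacking and
why it defeats signatures on the stored file. The packer is a toy (zlib + XOR
with a per-request key kept in a 16-byte header); payload and signature are
constructed, not real malware or a real vendor signature."""
import hashlib
import os
import zlib

PAYLOAD = (b"MZ\x90\x00" + b"\x00" * 16
           + b"cmd.exe /c del C:\\boot.ini" + b"\x00" * 16)
SIGNATURE = b"cmd.exe /c del"                      # byte pattern an AV might hold
KNOWN_HASHES = {hashlib.sha256(PAYLOAD).hexdigest()}  # hash of the unpacked file
KEY_LEN = 16


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; trivially reversible, which is all a packer needs."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, layers: int = 1) -> bytes:
    """One layer = compress, then XOR with a random key stored in a header.
    Every call draws a new key, so every output is a different file."""
    blob = payload
    for _ in range(layers):
        key = os.urandom(KEY_LEN)
        blob = key + xor(zlib.compress(blob), key)
    return blob


def unpack(blob: bytes, layers: int = 1) -> bytes:
    """What the packer's stub does at run time: peel the layers back off."""
    for _ in range(layers):
        key, body = blob[:KEY_LEN], blob[KEY_LEN:]
        blob = zlib.decompress(xor(body, key))
    return blob


def scan_file(data: bytes) -> bool:
    """Naive scanner: hash lookup plus byte-pattern search on the file as stored."""
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES or SIGNATURE in data


def scan_unpacked(data: bytes, layers: int = 1) -> bool:
    """Scanner that knows this packer: strip the layers, then scan the real code.
    A file that is not in this format simply does not match."""
    try:
        return scan_file(unpack(data, layers))
    except zlib.error:
        return False


def serve_download(layers: int = 1) -> bytes:
    """Stand-in for the server-side script: a fresh packing per request."""
    return pack(PAYLOAD, layers)


if __name__ == "__main__":
    a, b = serve_download(), serve_download()
    print("two downloads identical:", a == b)
    print("stored file detected:   ", scan_file(a), scan_file(b))
    print("unpacked and detected:  ", scan_unpacked(a), scan_unpacked(b))
```

Two consecutive downloads differ in every byte after the header, and the naive scanner sees neither the known hash nor the pattern in them; once the layers are stripped the same payload, with the same hash, is back. Real engines get the same effect by identifying the packer and running its stub in an emulator, or by scanning the process image in memory after it has unpacked itself.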
Obfuscation
Obfuscation (from the English obfuscate, "to confuse", "to muddle") is the deliberate tangling and complication of a malicious program's code, preserving its functionality, so as to hinder its study and analysis. For obfuscation, virus writers sometimes add junk code, unnecessary instructions, multiple jumps and multiple calls to various functions to an application. There are dedicated utilities for obfuscating application code, called obfuscators.

Obfuscation complicates reverse engineering, that is, decompiling a malicious program and studying its functionality at code level, but it also makes it harder for the virus writers themselves to debug the application, and in some cases increases its size and slows it down.
Anti-debugging
Much modern malware is equipped with powerful anti-debugging mechanisms that hinder investigation. A number of viruses and Trojans check at startup whether they are being run in an isolated environment ("sandbox"), under a debugger, or in a virtual machine. This is implemented in different ways: for example, the malware retrieves the names of running processes (and compares them with a built-in list), or looks for characteristic strings in the titles of open windows. If a malicious application detects that it is running in a virtual environment or under a debugger, it terminates.

Similarly, much malware searches the installed or running programs for popular antivirus applications and tries to terminate them, and if that fails, exits. There are more interesting variants too: for example, the Trojan known as Trojan.VkBase.73 changed the Windows boot parameters and installed a special service that, when the system was rebooted in safe mode, removed the antiviruses installed on the computer. The Trojan then placed in the taskbar notification area the icon of the antivirus application it had just uninstalled, so the user did not even know that the computer no longer had antivirus protection. After the antivirus was successfully removed, a message appeared on screen in Russian or English (depending on the antivirus version and OS locale) with the following text: "Attention! Antivirus [name of antivirus] is operating in enhanced protection mode. This is a temporary measure necessary for an immediate response to threats from virus programs. No action is required from you." The message is shown so that the user is not alarmed on finding that the antivirus icon in the notification area no longer responds to mouse clicks.
To bypass the sandbox, some viruses and Trojans have special "stalling" mechanisms that delay the malicious functionality or "put it to sleep" for a period, activating the destructive functions only after a certain time. This lulls the security program, which runs the application in the sandbox, satisfies itself that it is safe, and gives it the green light. For example, one modern Trojan uses this mechanism to evade automated analysis systems: it creates a file in a temporary folder, writes one byte to it a million times, then reads one byte from it a million times. Because of these harmless, long-running cyclic actions, the behavioural analysis finishes before the Trojan starts its real payload.
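As an added example (not from the original article), the Python below simulates the stalling trick against a sandbox with a fixed event budget, and one analyst-side counter: counting only distinct events against the budget and treating a single call repeated hundreds of thousands of times as a stalling indicator rather than as proof of harmlessness. The event traces are constructed strings; the code executes nothing on the real system, and the event names, budget and alarm threshold are assumptions.

```python
"""Added example (not from the original article): a stalling sample against a
budget-limited sandbox, and a sandbox that collapses repeated events.

Traces are constructed Python generators of event-name strings; nothing here
opens files, processes or the network."""
from itertools import repeat

# Events the (toy) sandbox treats as proof of malicious intent.
MALICIOUS_EVENTS = {"CreateRemoteThread", "WriteProcessMemory", "RegSetValue:Run"}


def stalling_sample(loops: int = 1_000_000):
    """Stand-in for the Trojan: a million one-byte writes, a million one-byte
    reads, and only then the real payload (injection into explorer.exe)."""
    yield "CreateFile:%TEMP%\\stall.tmp"
    yield from repeat("WriteFile:1", loops)
    yield from repeat("ReadFile:1", loops)
    yield "OpenProcess:explorer.exe"
    yield "WriteProcessMemory"
    yield "CreateRemoteThread"


def benign_sample():
    """Constructed trace of an ordinary program."""
    yield "CreateFile:%APPDATA%\\settings.ini"
    yield "WriteFile:512"
    yield "Connect:update.example.invalid:443"
    yield "ExitProcess"


def sleeper_sample(loops: int = 200_000):
    """Constructed trace that stalls and then exits without doing anything."""
    yield from repeat("Sleep:1", loops)
    yield "ExitProcess"


def naive_sandbox(events, budget: int = 200_000) -> str:
    """Watches at most `budget` events and judges only what it saw."""
    seen = set()
    for i, ev in enumerate(events):
        if i >= budget:
            break
        seen.add(ev)
    return "malicious" if seen & MALICIOUS_EVENTS else "clean"


def dedup_sandbox(events, budget: int = 200_000, loop_alarm: int = 100_000) -> str:
    """Spends the budget on *distinct* events only, so a tight loop cannot
    exhaust it, and reports a sample that repeats one call more than
    `loop_alarm` times as stalling if it never does anything else."""
    counts = {}
    stalling = False
    for ev in events:
        n = counts.get(ev, 0) + 1
        counts[ev] = n
        if n == 1 and len(counts) > budget:
            break                      # budget of new behaviour used up
        if n > loop_alarm:
            stalling = True            # keep watching; the payload is still ahead
    if set(counts) & MALICIOUS_EVENTS:
        return "malicious"
    return "stalling" if stalling else "clean"


if __name__ == "__main__":
    print("naive sandbox, stalling Trojan:", naive_sandbox(stalling_sample()))
    print("dedup sandbox, stalling Trojan:", dedup_sandbox(stalling_sample()))
    print("dedup sandbox, sleeper:        ", dedup_sandbox(sleeper_sample()))
    print("dedup sandbox, benign:         ", dedup_sandbox(benign_sample()))
```

The naive sandbox uses its whole budget on the write loop and reports the Trojan clean; the deduplicating sandbox sees only six distinct events, reaches the injection, and flags it. A sample that stalls and then exits gets a "stalling" verdict, which in practice means a longer run, a patched sleep or an accelerated clock rather than a clean bill of health.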
