How antivirus programs work

Lord777

Discussions about whether antiviruses are necessary or completely useless have not subsided since the advent of the antivirus applications themselves. Approximately the same amount of time is spent in the ongoing struggle between virus makers and security software manufacturers: some are constantly inventing new detection algorithms, while others are trying to circumvent them at all costs.
How do modern antivirus programs work, and what methods do attackers use to fight them? That is the subject of today's article.

How do antivirus companies fill up their databases?
As applied to modern antivirus technologies, the very concept of "antivirus" is more a fashion statement than a term that correctly reflects the essence of things. Classic file viruses, i.e. malicious programs that can infect executable files or dynamic libraries and spread without user intervention, are very rare today. The vast majority of malware currently found in the "wild" are Trojans that can neither infect file objects nor self-replicate. A little less often, analysts get worms: these programs can create copies of themselves on removable media or network drives, "crawl" over the network or email channels, but they can't infect files. All other traditional categories of malware differ from each other only in a basic set of functions, but their architecture can be reduced to these three groups.

How do malware samples get into virus labs?
Antivirus companies traditionally have several channels for receiving new samples. First of all, these are online services like VirusTotal, that is, servers where any anonymous user can check the detection of an arbitrary file by a dozen of the most popular antivirus engines at once. Each uploaded sample, regardless of the verification results, is automatically sent to vendors for more detailed research. Obviously, a huge stream of garbage arrives at virus laboratories from such resources, including completely harmless text files and images, so it is filtered at the entrance by specially trained robots and only then passed further along the pipeline. These services are also successfully used by small companies that want to save money on maintaining their own virus laboratories. They simply copy other people's detections into their databases, which is why they regularly suffer epic fails when some vendor, as a joke or by mistake, flags one of the components of such an antivirus as infected, after which it cheerfully moves its own library to quarantine and crashes, causing panic among users and hysterical laughter from competitors.
The second channel is "samotek" (walk-in submissions): suspicious files that users send to the virus lab through the antivirus company's website, at the request of the support service, or upload from quarantine.
The third channel is honeypots, special lures for virus makers in the form of virtual servers with ports open to the outside and logins and passwords like root/root, where some bot owners happily drop their creations, marveling at the carelessness of the admins. Finally, the fourth way is the exchange of databases between the vendors themselves, but in recent years, due to increased competition in the market and a shrinking feed base, cooperation between antivirus companies has practically come to naught. Once a sample gets into the virus lab, it is sorted by file type and examined by automatic analysis tools that can reach a verdict based on formal or technical criteria, for example by the packer. Only if the robots fail to detect the malware is it passed to virus analysts for instrumental or manual analysis.

Anatomy of an antivirus program
Antivirus programs from different manufacturers include a different number of components; moreover, the same company may release several versions of its antivirus software, each with its own set of modules and aimed at different market segments. For example, some antivirus programs have a parental control component that restricts underage users' access to sites of certain categories or limits the time they may spend on the system, and some do not. In any case, modern antivirus applications usually have the following set of functional modules:
Antivirus scanner - a utility that searches for malware on the device's disks and in memory at the user's request or on a schedule.
Resident monitor - a component that monitors the system state in real time and blocks attempts to download or run malware on the protected computer.
Firewall - a component that monitors current connections, analyzes incoming and outgoing traffic, and checks the source and destination addresses of every packet sent or received by the computer; data arriving at the firewall-protected computer from outside without a prior request is tracked and filtered. Functionally, the firewall acts as a filter that controls the flow of information between the local computer and the Internet, a protective barrier between the computer and the rest of the information space.
Web antivirus - a component that blocks user access to dangerous resources that distribute malware, as well as phishing and fraudulent sites, using a special address database or rating system.
Mail antivirus - an application that checks the safety of e-mail attachments and (or) links sent by e-mail.
Anti-rootkit module - a module designed to combat rootkits (malicious programs able to hide their presence in an infected system).
Preventive protection module - a component that ensures the integrity of data vital to system operation and prevents dangerous actions by programs.
Update module - a component that provides timely updates of the other antivirus modules and the virus databases.
Quarantine - a centralized, secure repository for suspicious (in some cases definitely infected) files and applications until a final verdict is made on them.
Depending on the version and purpose of the antivirus program, it may also include other functional modules, such as components for centralized administration or remote management.

Signature detection
Modern antivirus programs use several methods of detecting malicious programs in various combinations. The main one is signature detection of threats. This method is based on the creation of so-called signatures: unique digital file identifiers, a special set of bytes derived from the contents of the file under study. In fact, a signature is a kind of "fingerprint" of a file: using the signature, you can uniquely identify a particular file or application.
File hashes, such as SHA-1 or SHA-256, are arranged in a similar way. In this case, hashing means converting the file contents using a one-way mathematical function (a cryptographic hashing algorithm), which results in a unique set of hexadecimal characters. The function is called one-way because it is very easy to get a hash from a file, but it is not possible to restore the original file from the hash. A virus signature is somewhat more complicated: in addition to the hash, it also contains a number of unique features of the file. Signatures are collected in blocks of data called virus databases. The virus databases of antivirus programs are periodically updated to include signatures of new threats that have been investigated since the last update. The antivirus program examines files stored on disks (or downloaded from the Internet) and compares the results of the examination with the signatures recorded in the antivirus database.
If there is a match, this file is considered malicious. This technique itself has a significant flaw: an attacker only needs to change the file structure by a few bytes, and its signature will change. Until a new malware sample gets into the virus lab and its signature is added to the databases, the antivirus will not be able to recognize and eliminate this threat.
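The following Python snippet, added here as an illustration and not taken from the original article or from any antivirus vendor's code, shows the difference between a pure hash "signature" and a byte-pattern signature with wildcards. The sample "files", the family name and the hash database are constructed for the example. A single flipped bit in the padding defeats the SHA-256 lookup while the pattern still fires, which is exactly the weakness the paragraph describes and one reason real engines combine both kinds of signature.

```python
import hashlib
import re

# Constructed stand-ins for two executables: the original sample and a copy
# with one bit flipped in the padding after the header (not real malware).
ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"EVIL_MARKER_v1"            # constructed "unique feature" of this family
    + b"\x00" * 8
)
MODIFIED = bytearray(ORIGINAL)
MODIFIED[4] ^= 0x01                # flip one bit far away from the marker
MODIFIED = bytes(MODIFIED)


def sha256_hex(data: bytes) -> str:
    """One-way digest of the whole file: cheap to compute, impossible to invert."""
    return hashlib.sha256(data).hexdigest()


# Hash "signatures": exact match only. Constructed for the example.
HASH_DB = {sha256_hex(ORIGINAL): "Test.Marker.A"}

# Byte-pattern signatures in the common "hex bytes with ?? wildcards" notation.
# This one matches "EVIL_M?RKER" and therefore survives small edits elsewhere.
PATTERN_DB = {"Test.Marker.A": "45 56 49 4C 5F 4D ?? 52 4B 45 52"}


def compile_pattern(hex_sig: str) -> re.Pattern:
    """Turn 'AA BB ?? CC' into a byte regex where ?? matches any single byte."""
    pieces = []
    for token in hex_sig.split():
        pieces.append(b"." if token == "??" else re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(pieces), re.DOTALL)


COMPILED_PATTERNS = [(name, compile_pattern(sig)) for name, sig in PATTERN_DB.items()]


def match_hash(data: bytes, hash_db=HASH_DB):
    """Return the family name if the file's digest is in the database, else None."""
    return hash_db.get(sha256_hex(data))


def match_patterns(data: bytes, patterns=COMPILED_PATTERNS):
    """Return the names of every byte-pattern signature found anywhere in the file."""
    return [name for name, rx in patterns if rx.search(data)]


def scan(data: bytes):
    """Combine both detectors; the list is empty for a clean file."""
    hits = []
    family = match_hash(data)
    if family:
        hits.append("hash:" + family)
    hits.extend("pattern:" + name for name in match_patterns(data))
    return hits


if __name__ == "__main__":
    print("original:", scan(ORIGINAL))   # both detectors fire
    print("modified:", scan(MODIFIED))   # only the pattern survives the one-bit change
    print("clean:   ", scan(b"just some text"))
```

The hash database is the fastest check and never produces a false positive, but it only ever catches the exact sample the lab has seen; the pattern signature tolerates changes outside the matched region, at the cost of having to be written by an analyst who has found a stable feature of the family.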

Behavioral analysis
In addition to signature detection, most modern antivirus programs use some form of behavioral analysis. Behavioral analysis can be classed as a type of probabilistic analysis: as the name of the method suggests, the antivirus program monitors the behavior of applications and, if it looks suspicious, blocks the operation of the potentially dangerous program.
One of the safe ways to investigate the behavior of an application is to run it in a so-called sandbox: a secure, isolated virtual container from which the application cannot reach the OS components and the file system. If the behavior of a program makes the antivirus suspicious, for example if it performs an injection, modifies the boot record, or changes the structure of an executable file, it may be considered potentially dangerous or malicious.

Heuristic analysis
Heuristic analysis is a type of probabilistic malware analysis based on logical algorithms that allow you to identify and disable a potentially dangerous application. Heuristic analysis helps users when a threat cannot be detected using signature detection. To simplify, the basic principle of heuristic analysis can be described as follows. Each function that a program can implement in the operating system is assigned a certain conditional "hazard rating". Some app actions may be considered less dangerous, while others may be considered more dangerous.
If the aggregate of actions performed by the application exceeds a certain conditional "security threshold", it is recognized as potentially malicious. For example, if a program runs in the background, has no graphical interface, regularly polls remote servers, and then tries to download an application from them and run it on the system, it is highly likely to be a Trojan downloader. Or the Google Chrome browser update utility. This, obviously, is the main Achilles heel of the heuristic method of analyzing viral threats: a high probability of a false positive, that is, of flagging a harmless program.
Another heuristic method is emulation of program execution. The antivirus loads the suspicious application into its own buffer memory, parses the code into instructions, and executes them one at a time, checking the result. Heuristic analysis is used to identify and neutralize threats that are still unknown to the antivirus software, that is, those whose signatures are not yet in the virus databases. This logically implies another drawback of heuristic algorithms: even if a previously unknown threat can be detected, it is not always possible to "cure" it immediately. In many cases, the user has to wait for the next update of the virus databases, which contains treatment algorithms specifically for this malware.
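Here is a small Python model of the "hazard rating" idea, added as an illustration rather than quoted from the article or from any product. The action names, weights and threshold are the example's own assumptions, as is the negative weight for a trusted code signature, which is one way an engine can avoid flagging a legitimate updater that shows the same download-and-run behavior as a Trojan downloader.

```python
# Conditional "hazard ratings" per observed action. All names and weights are
# assumptions made for this example, not any vendor's real scoring table.
HAZARD_RATING = {
    "runs_in_background": 1,
    "no_gui": 1,
    "polls_remote_server": 2,
    "downloads_executable": 3,
    "executes_downloaded_file": 4,
    "injects_into_other_process": 4,
    "modifies_boot_record": 5,
    # Mitigating evidence: a valid signature from a trusted publisher lowers the
    # score. Assumed here as the mechanism that keeps a browser updater clean.
    "signed_by_trusted_publisher": -4,
}

# The conditional "security threshold" at which a program is flagged.
THRESHOLD = 8


def hazard_score(observed_actions):
    """Sum the ratings of all observed actions; unknown actions are ignored."""
    return sum(HAZARD_RATING.get(action, 0) for action in observed_actions)


def score_breakdown(observed_actions):
    """Per-action contribution, useful for explaining a verdict to an analyst."""
    return {a: HAZARD_RATING[a] for a in observed_actions if a in HAZARD_RATING}


def heuristic_verdict(observed_actions, threshold=THRESHOLD):
    """'potentially malicious' once the aggregate reaches the threshold, else 'clean'."""
    return "potentially malicious" if hazard_score(observed_actions) >= threshold else "clean"


# Constructed behavior profiles. The first is the article's Trojan-downloader
# pattern; the second is the same behavior from a legitimately signed updater.
TROJAN_DOWNLOADER = [
    "runs_in_background", "no_gui", "polls_remote_server",
    "downloads_executable", "executes_downloaded_file",
]
SIGNED_UPDATER = TROJAN_DOWNLOADER + ["signed_by_trusted_publisher"]

if __name__ == "__main__":
    for name, actions in (("downloader", TROJAN_DOWNLOADER), ("updater", SIGNED_UPDATER)):
        print(name, hazard_score(actions), heuristic_verdict(actions), score_breakdown(actions))
```

Without the signature weight both profiles score 11 and both are flagged, which is precisely the false-positive problem the paragraph describes; the per-action breakdown is what lets an analyst see which weight to tune when a legitimate program is caught.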

Proactive Protection (HIPS)
Proactive antivirus protection (HIPS, Host-based Intrusion Prevention System) can also be classed as a type of antivirus protection based on behavioral analysis. The antivirus program monitors running applications and informs the user about certain actions of a program. It is up to the user to decide whether or not to allow the program to perform the action. This is the classic version of a HIPS implementation.
There is also the so-called expert option, in which the antivirus independently blocks the actions of certain applications based on a set of rules and permissions embedded in it. If necessary, the user can add a program to the list of exceptions, allowing it to perform any or only selected actions on the protected system.

Methods of countering antivirus programs
Unfortunately, the struggle between virus writers and antivirus software manufacturers is permanent: the former constantly invent new ways to bypass antivirus protection, while the latter keep improving their malware search and detection algorithms. Let's list the main methods used by virus makers.

Repackaging
The most common and popular method actively used by virus writers to bypass the signature detector. As I said before, a signature can be called a kind of analog of fingerprints of each specific file, and it is unique for the file object. Accordingly, if even minor changes are made to the file, the antivirus will not be able to "identify" it using the signature, and such a file will not be detected by the antivirus until it gets to the research laboratory.
The easiest way to change the structure of a file without changing its functionality is to "cover" it with a software packager. Software packagers compress the contents of an application file and append the code necessary for unpacking and executing the program. Some of them also include various encryption functions that make it difficult to analyze and study such an application. This is what intruders use. Each time a file is repackaged, its signature changes, and it becomes "invisible" to the antivirus signature detection system.
Some virus writers, in order to make it harder to study a virus or Trojan, pack and encrypt their creations in "several layers": another compressed and encrypted object is hidden under one packer, and yet another under that, so the whole construction eventually resembles a kind of logical matryoshka doll whose "core" can be very difficult to reach.
Sometimes hackers also use a different method: a special script is installed on the server from which malware is distributed to victims. When this script is activated (for example, when a user clicks on a link), it extracts the malware binary file from the corresponding server directory, packages it on the fly, and only then "gives" it to the user. In this way, each victim receives its own unique instance of malware that is guaranteed not to be detected by the signature.

Obfuscation
Obfuscation (from the English "obfuscate": to muddle, to confuse) is the deliberate complication of a malicious program's code while preserving its functionality, in order to make its research and analysis harder. For obfuscation purposes, virus writers sometimes add "junk" code, unnecessary instructions, multiple jumps, and multiple calls to various functions to the application. There are special utilities designed to obfuscate application code: obfuscators. Obfuscation makes reverse engineering difficult, i.e. decompiling the malware and studying its functionality at the code level, but at the same time it makes it harder for the virus writers themselves to debug the application, and in some cases it increases its size and reduces performance.

Anti-debugging
Most modern malware programs are equipped with powerful anti-debugging mechanisms that hinder their investigation. When they start, a number of viruses and Trojans check whether they are being run in an isolated environment ("sandbox"), under a debugger, or in a virtual machine. This is implemented in various ways: for example, the malware obtains the names of running processes (and compares them with a given list) or searches for characteristic strings in the titles of open windows. If a malicious application detects an attempt to run it in a virtual environment or under a debugger, it exits. Similarly, many malicious programs look for popular antivirus products among installed or running programs and try to terminate them; if that fails, they exit themselves. There are also more interesting options: for example, the Trojan known as Trojan.VkBase.73 changed the Windows boot parameters and installed a special service in the system that deleted the antivirus programs installed on the computer when the system was rebooted in safe mode. The Trojan then placed the icon of the antivirus application it had just deleted in the notification area of the taskbar, so the user did not even realize that their computer no longer had antivirus protection. After the antivirus had been removed, a message in Russian or English (depending on the version of the antivirus software and the OS locale) was displayed with the following content: "Attention! Antivirus [name of antivirus] works in enhanced protection mode. This is a temporary measure that is necessary for immediate response to threats from virus programs. No action is required of you." This message was displayed so that the user would not worry on finding that the antivirus icon in the notification area of the Windows taskbar no longer responded to mouse clicks.
To bypass the sandbox, some viruses or Trojans have special "deceleration mechanisms" that "slow down" the malicious functionality of the application or "put it to sleep" for a certain period, activating the destructive functions only after that time has passed. This lulls the vigilance of the security program, which, after launching the application in the sandbox and satisfying itself that it is safe, gives it a "green light". For example, one modern Trojan uses such a mechanism to bypass automated analysis systems: it creates a file in a temporary folder, writes one byte to it a million times, and then reads one byte from it a million times. As a result of these harmless, long-running cyclical actions, the behavioral analysis procedure finishes before the Trojan begins to carry out its main functions.
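From the sandbox's side, the "write one byte a million times" trick leaves a very recognizable trace. The Python below, added here as an illustration and not part of the original text, run-length encodes a constructed API-call trace and flags long runs of tiny I/O calls and long sleeps, so an automated analysis system can extend its time budget or treat the sample as suspicious instead of finishing early. The API names, the trace format (api name, byte count or milliseconds) and the thresholds are assumptions of the example.

```python
from itertools import chain, groupby, repeat

# Trace format (assumed for this example): (api_name, size) where size is bytes
# for I/O calls and milliseconds for Sleep. Traces are iterables, so they can
# be millions of entries long without being held in memory.
TINY_IO_APIS = {"ReadFile", "WriteFile"}


def stalling_trace():
    """Constructed trace mimicking the stalling loop described in the article."""
    return chain(
        [("CreateFile", 0)],
        repeat(("WriteFile", 1), 1_000_000),   # one byte, a million times
        repeat(("ReadFile", 1), 1_000_000),    # then read it back the same way
        [("Sleep", 300_000), ("CreateProcess", 0)],
    )


def benign_copy_trace():
    """Constructed trace of an ordinary file copy in 64 KiB chunks."""
    return chain(
        [("CreateFile", 0)],
        repeat(("ReadFile", 65_536), 200),
        repeat(("WriteFile", 65_536), 200),
        [("Sleep", 100), ("CloseHandle", 0)],
    )


def run_length(trace):
    """Collapse consecutive calls to the same API into (api, count, total_size)."""
    for api, calls in groupby(trace, key=lambda call: call[0]):
        count = total = 0
        for _, size in calls:
            count += 1
            total += size
        yield api, count, total


def find_stalling(trace, min_calls=100_000, max_avg_bytes=4, max_sleep_ms=60_000):
    """Return findings for runs that look like time-wasting rather than real work."""
    findings = []
    for api, count, total in run_length(trace):
        if api in TINY_IO_APIS and count >= min_calls and total / count <= max_avg_bytes:
            findings.append(("tiny_io_loop", api, count))
        elif api == "Sleep" and total >= max_sleep_ms:
            findings.append(("long_sleep", api, total))
    return findings


if __name__ == "__main__":
    print("stalling sample:", find_stalling(stalling_trace()))
    print("file copy:      ", find_stalling(benign_copy_trace()))
```

The file copy, which moves far more data in far fewer calls, produces no findings; the stalling sample produces one finding per time-wasting run, which is the signal a sandbox can use to keep watching rather than declaring the sample clean.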

Afterword
Malware detection algorithms, as well as the methods for countering antivirus software, are being improved every day. However, genuinely new algorithms for bypassing antivirus protection appear extremely rarely; as a rule, virus makers use standard, long-proven methods. Security software developers who know all these techniques well often find themselves half a step ahead of virus writers. That is why antivirus protection is still a fairly effective means of combating malicious and potentially dangerous programs, especially for inexperienced users.
 
A way to bypass a large number of antivirus programs
As they say, everything new is well-forgotten old. This method is not new, but it works against most antivirus programs. Of course, the popular antivirus programs can't be circumvented so easily.

Antivirus programs that can't be circumvented in this way:
Antiy-AVL
Avast
DrWeb
ESET-NOD32
Ikarus
Invincea
Jiangmin
Kaspersky
Rising

But in addition to these antiviruses, there are still quite a few antiviruses that are also no less common and popular among users and especially on RDP, so let's get started.
We will need a program: WinHex (you can easily find it in Google with a keygen). Those who have no idea about it, what it is and how it works, head to YouTube, nothing complicated.
Now let's get started.
Open your file in it, look for English letters and put a large one instead of a small English one, and vice versa. We changed a certain number of letters, saved our result, tried to run it - if it starts, then everything is OK, if not, then we screwed up somewhere (we changed a non-English letter or something that should not have been changed). Then we fill in our new file for the test and see how many antivirus programs are firing now. Thus, we continue to change the letters until we achieve the maximum result.

P.S. You can also add zero bytes to the end (it doesn't always work) and this will immediately clean the file from many antivirus programs.
P.P.S. It is still possible where there are a lot of zero bytes to change the part (which is in the middle between zero zero) of them to points.
 