Saturday, February 18, 2012

Malware Detection Techniques


Techniques used for malware detection are classified into two categories:
1) Anomaly based detection
An anomaly based detection technique uses knowledge of what is considered normal to find out what is actually malicious. A special type of anomaly based detection is specification based detection.
Specification based detection makes use of a rule set describing what is considered normal; a program that violates the predefined rule set is considered malicious. The program under inspection is judged by whether its behaviour stays within that specification.
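As an added illustration of specification based detection (this is example code written for this post, not from any product or paper), the rule set below describes what a hypothetical document viewer is allowed to do: a set of permitted API calls and a few call sequences that are never normal for it. An observed API trace is flagged as malicious as soon as it violates the rule set. The API names and traces are constructed assumptions.

```python
# Added example: a toy specification-based detector.
# The "specification" is a rule set describing normal behaviour; any trace
# that violates a rule is flagged. All API names and traces are constructed.
from dataclasses import dataclass, field

# Rule set for a hypothetical document viewer (constructed assumptions):
# the APIs it is expected to use, and ordered sequences that are never normal.
ALLOWED_APIS = {"OpenFile", "ReadFile", "CloseFile", "CreateWindow", "DrawText"}
FORBIDDEN_SEQUENCES = [
    ("ReadFile", "Connect", "Send"),   # read a document, then send it over the network
    ("WriteFile", "SetAutorunKey"),    # drop a file, then make it start automatically
]


@dataclass
class Verdict:
    malicious: bool
    violations: list = field(default_factory=list)


def _contains_subsequence(trace, pattern):
    """True if `pattern` occurs in `trace` in order (not necessarily adjacent)."""
    i = 0
    for api in trace:
        if api == pattern[i]:
            i += 1
            if i == len(pattern):
                return True
    return False


def check_trace(trace):
    """Apply the rule set to an observed API trace.

    Anything outside the specification counts as a violation: an API the
    program is not expected to call, or a forbidden ordered sequence.
    """
    violations = []
    for api in trace:
        if api not in ALLOWED_APIS:
            violations.append(f"API not in specification: {api}")
    for seq in FORBIDDEN_SEQUENCES:
        if _contains_subsequence(trace, seq):
            violations.append("forbidden sequence: " + " -> ".join(seq))
    return Verdict(malicious=bool(violations), violations=violations)


# Constructed traces: one within the specification, one that violates it.
NORMAL_TRACE = ["OpenFile", "ReadFile", "CloseFile", "CreateWindow", "DrawText"]
SUSPECT_TRACE = ["OpenFile", "ReadFile", "CloseFile", "Connect", "Send"]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_TRACE), ("suspect", SUSPECT_TRACE)):
        verdict = check_trace(trace)
        print(name, "malicious" if verdict.malicious else "benign", verdict.violations)
```

Because the detector needs no signature of the malicious code itself, it can flag a sample it has never seen; the price is that any legitimate behaviour missing from the specification (a new but benign API call, for instance) is reported as a violation too, so the rule set has to be maintained carefully to keep false positives down.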

2) Signature based detection
Commercial antivirus scanners look for a signature, typically a sequence of bytes within the malware code, to declare that the scanned program is malicious.
Basically there are three types of malware: basic, polymorphic and metamorphic.
  a) Basic malware
In basic malware the program entry is changed so that control is transferred to the malicious payload.
Detection is relatively straightforward if a signature can be found for the viral code.
                                Entry ---------> Original code ---------> Malicious code


  b) Polymorphic malware
Polymorphic viruses mutate while keeping the original code intact. A polymorphic malware consists of encrypted malicious code along with a decryption module. To enable the polymorphism, the virus carries a polymorphic engine somewhere in its body. The polymorphic engine generates a new mutant each time it is executed. Strong static analysis based on API sequencing is used for polymorphic virus detection.

          Entry --------> Original code --------> Decrypt code --------> Virus code
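The following added example (written for this post, not taken from any scanner) shows the byte-signature scanning described under signature based detection and why the polymorphic layout above defeats it. The byte strings stand in for code and are constructed; the "encryption" is a single-byte XOR used only as a toy cipher. A signature taken from the clear-text payload matches the basic sample but none of the polymorphic mutants, while a signature taken from the constant decryptor stub still matches every mutant, which is why scanners target the decryptor or use deeper static analysis rather than the encrypted body.

```python
# Added example: a toy byte-signature scanner versus a polymorphic sample.
# All byte strings are constructed stand-ins for code, not real malware.

# Constructed "malicious payload" and a constant "decryptor stub".
PAYLOAD = b"\x90\x90MALICIOUS_PAYLOAD\xcc\xcc"
STUB = b"DECRYPT_LOOP:"


def xor_bytes(data, key):
    """Single-byte XOR, the toy cipher for the encrypted virus body.
    A nonzero key changes every byte, so no clear-text signature survives."""
    return bytes(b ^ key for b in data)


def build_basic_sample():
    """Entry -> original code -> malicious code: the payload is in the clear."""
    return b"ORIGINAL_CODE" + PAYLOAD


def build_polymorphic_sample(key):
    """Entry -> original code -> decrypt code -> encrypted virus code.
    The decryptor stub is constant; only the encrypted body changes with the key."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a nonzero byte, otherwise the body stays in clear text")
    return b"ORIGINAL_CODE" + STUB + bytes([key]) + xor_bytes(PAYLOAD, key)


def scan(sample, signatures):
    """Return the names of all signatures whose byte sequence occurs in the sample."""
    return [name for name, sig in signatures.items() if sig in sample]


# Two signatures: one cut from the clear-text payload, one from the decryptor.
SIGNATURES = {
    "payload-bytes": PAYLOAD[2:12],   # b"MALICIOUS_"
    "decryptor-stub": STUB,
}


def compare_samples(key1=0x5A, key2=0xA7):
    """Scan a basic sample and two polymorphic mutants built with different keys."""
    return {
        "basic": scan(build_basic_sample(), SIGNATURES),
        "poly1": scan(build_polymorphic_sample(key1), SIGNATURES),
        "poly2": scan(build_polymorphic_sample(key2), SIGNATURES),
    }


if __name__ == "__main__":
    for name, hits in compare_samples().items():
        print(f"{name}: {hits or 'no signature matched'}")
```

Each mutant has a different encrypted body, so a database of payload signatures would need one entry per key; the constant stub is the part that stays signaturable.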


  c) Metamorphic malware
This malware can reprogram itself using certain obfuscation techniques so that the children never look like the parents. Such malware evades detection by the malware detector since each new variant generated has a different signature; hence it is impossible to store the signatures of all variants of the same malware sample. In order to thwart detection, a metamorphic engine has to be implemented with some sort of disassembler in order to parse the input code. After disassembly, the engine transforms the program code and produces new code that retains its functionality but looks different from the original code.

                   Virus A        Form B         Form C         Form D
                     |              |              |              |
                     |              |              |              |
                   (S1)           (S2)           (S3)           (S4)