Tuesday, January 7, 2020

The Antivirus Hackers

Introduction to Antivirus Software 
Antivirus software is designed to prevent computer infections by detecting malicious software, commonly called malware, on your computer and, when appropriate, removing the malware and disinfecting the computer.

What is Antivirus software?
Antivirus software is specialized security software that aims to give better protection than that offered by the underlying operating system (such as Windows or Mac OS X). AV software uses various techniques to identify malicious software, which often self-protects and hides deep in the operating system.

Typical Misconceptions

  • Discovering known malicious patterns and bad behaviors in programs
  • Discovering known malicious patterns in documents and web pages
  • Discovering known malicious patterns in network packets

Features of Antivirus 

The following are common features found in AV products:
  • The capability to scan compressed files and packed executables
  • Tools for performing on-demand or real-time file or directory scanning
  • A self-protection driver to guard against malware attacking the AV itself
  • Firewall and network inspection functionality
  • Command-line and graphical interface tools
  • A daemon or service
  • A management console

Advanced Features
The following are some of the most common advanced features supported by AV products:

  • Packet Filters and Firewalls
  • Self-Protection
  • Anti-Exploiting

Update System

Antivirus software is updated more often than most other types of software on your computer. All modern antivirus software implements some sort of auto-updating feature. The components that are updated include the core kernel files, signature files, GUI, tools, libraries, or other product files. These update rules are not set in stone, because sometimes when an update is performed, the entire set of signatures and plug-in files is changed.

Understanding the Update Protocols 
There are some commonalities between all the update protocols:

They use HTTP or HTTPS (or both) for downloading signatures—In some rare cases, FTP has been observed (mainly in obsolete or old products).

They include catalog files—The list of downloadable files and remote relative URIs or full URLs is available in one or more catalog files. Such catalog files may contain information about the supported platforms and different product versions.

They verify the downloaded files—The downloaded update files are usually verified before the old files are replaced. Although each antivirus product goes through a verification process, they do so in very different ways, from simple CRC checks (Cyclic Redundancy Checks) to RSA (a public-key cryptosystem) signatures.

Understanding Antivirus Signatures
Signatures are a key part of any antivirus engine. The signatures are typically hashes or byte-streams that are used to determine whether a file or buffer contains a malicious payload.

Typical Signatures
The following sections cover the most notable kinds of signatures.

  • Byte-Streams
The simplest form of an antivirus signature is a byte-stream that is specific to a malware file and that does not normally appear in non-malicious files. An antivirus engine may simply search for this entire string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

  • Custom Checksums
Most antivirus engines create their own set of CRC-like signatures. 
The interesting point is that such custom checksums do not offer any benefit to antivirus developers (other than using a hashing function that is unknown, which forces a reverse-engineer analyzing the targeted AV engine to discover where that function is, analyze it, and, likely, implement it). 

  • Checksums
The most typical signature-matching algorithm is used by almost all existing AV engines and is based on calculating CRCs. 

MODIFIED CRC ALGORITHMS

All the antivirus engines that have been analyzed so far use the CRC32 algorithm. However, in some cases, the original CRC32 algorithm is not used but is replaced by a modified version. For example, the tables of constants used by the original algorithm may be changed, or the number of rounds may be changed. This is something that you must consider when analyzing the signatures of the antivirus product being targeted: its CRC32 hashes can differ from those of the original CRC32 algorithm and may cause you some headaches.
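As an added example (not code from the book or the post), the following Python implements table-driven CRC32 signature matching over a fixed window of a file, the way the checksum signatures above work, and derives a second CRC32 from a different polynomial to stand in for the vendor-altered tables the sidebar warns about. The EICAR string is the sample quoted above; the signature database layout and the choice of the CRC-32C polynomial as the "modified" variant are assumptions for illustration.

```python
# Added example (not code from the book or the post): table-driven CRC32
# signature matching over a file window, plus a "modified" CRC32 built from a
# different polynomial to show why a reverse-engineered engine's checksums
# may not match the standard algorithm.
import zlib

STANDARD_POLY = 0xEDB88320  # reflected polynomial used by zlib/PKZIP CRC32
MODIFIED_POLY = 0x82F63B78  # Castagnoli (CRC-32C) polynomial, standing in for a vendor-altered table

def make_table(poly):
    """Build the 256-entry lookup table of a reflected CRC32 for the given polynomial."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table

def crc32(data, table):
    """Reflected CRC32 with init 0xFFFFFFFF and final XOR, driven by the supplied table."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

STD_TABLE = make_table(STANDARD_POLY)
MOD_TABLE = make_table(MODIFIED_POLY)

def matches_zlib(data):
    """Sanity check: the standard table must reproduce zlib's CRC32 exactly."""
    return crc32(data, STD_TABLE) == zlib.crc32(data)

# Constructed signature database: (offset, length, expected CRC32, name).
# The EICAR test string is the same 68-byte sample quoted in the post.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = [(0, len(EICAR), crc32(EICAR, STD_TABLE), "EICAR-Test-File")]

def scan(buf, sigs=SIGNATURES, table=STD_TABLE):
    """Names of signatures whose CRC over buf[offset:offset+length] matches."""
    hits = []
    for offset, length, expected, name in sigs:
        window = buf[offset:offset + length]
        # A short window means the file is truncated; never hash a partial window.
        if len(window) == length and crc32(window, table) == expected:
            hits.append(name)
    return hits
```

Scanning the EICAR sample with the modified table yields no hit even though the bytes are identical, which is exactly the mismatch an analyst sees when an engine's CRC constants have been changed.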


  • Cryptographic Hashes
A cryptographic hash function generates a "signature" that uniquely identifies one buffer and only that buffer, which thus reduces the odds of producing a false positive. The antivirus industry adopted such hash functions because they do not produce false positives.

  • Fuzzy Hashing

A fuzzy hash signature is the result of a hash function that aims to detect groups of files instead of just a single file, as cryptographic hash functions do. A fuzzy hash algorithm is not bound by the same rules as a cryptographic hash; instead it has the following properties:

Minimal or no diffusion at all—A minimal change in the input should minimally affect the generated output and only to the corresponding block of output, if it affects it at all. In a good cryptographic hash, a minimal change in the input must change the complete hash.

No confusion at all—The relationship between the input and the generated fuzzy hash is easy to identify, corresponding one to one. For example, a tiny change in the first block should change only the first generated output byte (if at all).

A good collision rate—The collision rate must be defined by the actual application. For example, a high collision rate may be acceptable for spam detection, but it may not be suitable for malware detection (because of the high number of false positives it generates). Running a cryptographic hash (md5sum) and a fuzzy hash (ssdeep) over the ls binary gives the following output:

$ md5sum ls
fa97c59cc414e42d4e0e853ddf5b4745  ls
$ ssdeep ls
ssdeep,1.1--blocksize:hash:hash,filename
1536:MW9/IqY+yF00SZJVWCy62Rnm1lPdOHRXSoyZ03uawcfXN4qMlkW:MW9/ZL/T6ilPdotHaqMlkW,"ls"
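As an added example (not the book's or the post's code, and not ssdeep itself), this Python implements a stripped-down piecewise fuzzy hash to show the minimal-diffusion and no-confusion properties listed above side by side with SHA-256's full diffusion. The fixed 16-byte block size and the 256-byte sample file are constructed assumptions, and the rolling-hash block triggering that real ssdeep uses to survive insertions is deliberately left out.

```python
# Added example (not code from the book or the post): a minimal piecewise
# fuzzy hash showing the "minimal diffusion" property described above.
# Simplification: blocks are fixed-size here; real ssdeep chooses block
# boundaries with a rolling hash so that an insertion does not shift every
# later block.
import hashlib

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def fnv1a32(chunk):
    """32-bit FNV-1a over one chunk; ssdeep likewise folds each chunk with an FNV-style hash."""
    h = 0x811C9DC5
    for b in chunk:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h

def fuzzy_hash(data, block_size=16):
    """Return 'block_size:signature' with one base64 character per input block."""
    chars = [B64[fnv1a32(data[i:i + block_size]) & 0x3F]
             for i in range(0, len(data), block_size)]
    return f"{block_size}:{''.join(chars)}"

def changed_blocks(h1, h2):
    """Indices of signature characters that differ between two fuzzy hashes."""
    s1, s2 = h1.split(":", 1)[1], h2.split(":", 1)[1]
    return [i for i, (a, b) in enumerate(zip(s1, s2)) if a != b]

def similarity(h1, h2):
    """Percentage of matching signature characters (ssdeep also reports a 0-100 score)."""
    s1, s2 = h1.split(":", 1)[1], h2.split(":", 1)[1]
    matches = sum(a == b for a, b in zip(s1, s2))
    return round(100 * matches / max(len(s1), len(s2)))

def sha256_hex_diff(a, b):
    """Number of differing hex digits between the SHA-256 digests of two buffers."""
    ha, hb = hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()
    return sum(x != y for x, y in zip(ha, hb))

# Constructed sample: a 256-byte "file" and a copy with one byte patched at offset 100,
# which falls in block 6 (100 // 16) of the fuzzy signature.
ORIGINAL = bytes(range(256))
PATCHED = ORIGINAL[:100] + b"\xff" + ORIGINAL[101:]

if __name__ == "__main__":
    print(fuzzy_hash(ORIGINAL))
    print(fuzzy_hash(PATCHED))
    print("changed blocks:", changed_blocks(fuzzy_hash(ORIGINAL), fuzzy_hash(PATCHED)))
    print("similarity:", similarity(fuzzy_hash(ORIGINAL), fuzzy_hash(PATCHED)))
    print("sha256 hex digits changed:", sha256_hex_diff(ORIGINAL, PATCHED))
```

Only block 6 of the fuzzy signature can change for the one-byte patch, while roughly 60 of the 64 SHA-256 hex digits do, which is the contrast between a grouping signature and a single-file signature.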

Graph-Based Hashes for Executable Files

Some advanced antivirus products contain signatures for program graphs. A software program can be divided into two different kinds of graphs:

Call graph—A directed graph showing the relationships between all the functions in a program (that is, a graph displaying all callers and callees of each function in the program).

Flow graph—A directed graph showing the relationships between basic blocks (a portion of code with only one entry point and only one exit point) of some specific function.
