There is a constant contest between virus writers and anti-virus researchers, and it grows more complicated every day. Virus writers keep trying new tactics to infect systems, and security experts keep finding ways to counter them. And so the battle continues.
Computer viruses have evolved a lot since they were first written, and their concealment tactics have evolved with them. As a result, traditional anti-virus programs gradually became less effective. Next Generation Anti-Virus, or NGAV, is a technology that relies on dynamic analysis rather than static analysis alone to overcome the shortcomings of traditional anti-virus programs.
Computer Viruses and their concealment techniques
Computer viruses use different techniques to conceal themselves so that they remain undetected by anti-virus programs. A number of such strategies are given below:
Encryption is the most primitive approach taken by virus writers to evade detection. An encrypted virus consists of two main parts: a decryptor and the virus body. The actual code of the virus is stored encrypted in the virus body, and the decryptor's job is to decrypt the body and transfer control of execution to it.
The main purpose of the encryption, as said, is to avoid detection by anti-virus programs. Many anti-virus programs use static analysis of the virus code to detect a virus. If the main body of the virus is encrypted, it becomes difficult for security experts to analyze the code and derive a detection for it.
Sometimes encryption is also used to protect the virus code from unintentional tampering.
Though encryption makes virus detection more difficult, it did not prove good enough to avoid detection. Anti-virus programs analyze known viruses and extract unique signatures, or byte patterns, from the virus code, and use them to detect that particular virus. So, once an encrypted virus has been analyzed and a signature obtained, anti-virus programs can use it to detect new infections. If the decryptor of the virus stays the same from one infection to the next, the decryptor itself can be signatured, and the virus becomes easy to detect.
Oligomorphism is a technique in which the decryptor loop changes between infections. Normally a fixed set of decryptors is used interchangeably in new infections, so that signature matching based on a fixed pattern in the decryptor loop becomes difficult.
As said above, many anti-virus programs use signatures to detect infections by known viruses. When a virus is successfully analyzed, security experts find a unique bit pattern in the virus, called the signature of the virus. Later, when a computer is scanned, its files are matched against that signature to detect the virus.
In Polymorphism, the virus changes some of its instructions in each new generation, so that signature matching fails on the new infections. The virus modifies pieces of its body to look dissimilar in each new infection, and in each new generation it constructs a different decryptor for the next infection.
The main difference between Oligomorphism and Polymorphism is that polymorphic viruses are capable of creating a practically infinite number of new decryptors. And, each new decryptor may use several encryption techniques to encrypt the main virus body. As a result, polymorphic viruses are much more difficult to detect.
In Metamorphism, the virus mutates its body by replacing instructions with different-looking but functionally equivalent ones. As a result, the virus body looks different in each new infection, and it becomes difficult for anti-virus programs to detect it. These viruses are usually not encrypted.
Virus Detection Techniques
Techniques of virus detection have also evolved considerably, and security experts keep applying new techniques to detect viruses. Some of the most popular virus detection techniques are mentioned below:
In the first method, the signature string is searched for in the scanned file using relaxed rules in the byte-comparison process: individual bytes of the signature may be wildcards, a certain degree of genericity is allowed, and so on.
Bookmarks are used to reduce false positives in virus detection. Several kinds of values can serve as bookmarks; for example, the offset of the virus signature from the beginning of the virus code may be a good bookmark.
Virus writers often pad their code with dummy instructions such as NOP. In Smart Scanning, junk instructions such as NOPs, and data or subroutine addresses, are first removed from the scanned code, and the result is then searched for the signature. This technique is mainly used to detect macro viruses written in text format.
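The three scanning refinements just described, as an added example that is not code from the original article: a small Python scanner that matches a hex signature containing `??` wildcards, optionally requires the match at a bookmark offset, and can strip NOP bytes (smart scanning) before matching. The signature and the sample buffers are constructed for illustration.

```python
# Added example (not from the original article): a toy signature scanner
# showing wildcard byte matching, a bookmark check and "smart scanning",
# i.e. stripping junk bytes such as NOP (0x90) before matching.
# Every signature and sample buffer below is constructed for illustration.
from typing import List, Optional

NOP = 0x90  # x86 single-byte NOP, the junk instruction smart scanning removes


def parse_signature(text: str) -> List[Optional[int]]:
    """Turn 'B8 ?? ?? 00 00 E8' into a list: int = literal byte, None = wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_signature(data: bytes, sig: List[Optional[int]]) -> Optional[int]:
    """Offset of the first match of sig in data, honouring wildcards, or None."""
    n = len(sig)
    for i in range(len(data) - n + 1):
        if all(s is None or data[i + j] == s for j, s in enumerate(sig)):
            return i
    return None


def smart_strip(data: bytes, junk=frozenset({NOP})) -> bytes:
    """Smart scanning pre-pass: drop junk bytes so padded variants line up again."""
    return bytes(b for b in data if b not in junk)


def scan(data: bytes, sig_text: str, bookmark: Optional[int] = None,
         smart: bool = False) -> bool:
    """True when the signature is found; with a bookmark, only when it is found
    at exactly that offset from the start of the (optionally stripped) buffer."""
    buf = smart_strip(data) if smart else data
    off = find_signature(buf, parse_signature(sig_text))
    if off is None:
        return False
    return bookmark is None or off == bookmark


# Constructed signature: mov eax, imm32 (low two immediate bytes wildcarded) ; call
SIG = "B8 ?? ?? 00 00 E8"
# Constructed sample with the pattern at offset 4.
SAMPLE_A = bytes.fromhex("55 89 e5 83 b8 10 20 00 00 e8 00 00 00 00 c3")
# Same code with NOPs inserted inside the pattern: plain scanning misses it.
SAMPLE_B = bytes.fromhex("55 89 e5 83 b8 90 10 90 20 90 00 00 e8 00 00 00 00 c3")
# Benign-looking buffer holding the same pattern at a different offset (8).
SAMPLE_C = bytes.fromhex("00 00 00 00 00 00 00 00 b8 01 02 00 00 e8 00 00 00 00 c3")

if __name__ == "__main__":
    print("A plain:", scan(SAMPLE_A, SIG))                   # True
    print("B plain:", scan(SAMPLE_B, SIG))                   # False
    print("B smart:", scan(SAMPLE_B, SIG, smart=True))       # True
    print("C bookmark 4:", scan(SAMPLE_C, SIG, bookmark=4))  # False
```

Note the trade-off smart scanning makes: stripping every 0x90 byte also removes legitimate data bytes of that value, so the signature has to be chosen on the stripped form of the code. The bookmark check shows why bookmarks cut false positives: SAMPLE_C contains the pattern, but not where the real virus carries it.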
The next technique was invented by Russian virus researcher Eugene Kaspersky, who is also the founder of Kaspersky Anti-Virus. It works by first removing from a file the statements that probably do not belong to the virus code, and only then starting the scan. It parses the statements one by one, removing unimportant statements and blank gaps, and obtains the skeleton of the code. The skeleton is then searched for virus signatures.
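The skeleton-based matching described above, as an added example that is not from the original article: a Python routine that strips comment lines, trailing comments, blank lines and (as this toy's own choice of "unimportant statements") declaration statements from a text-format macro, normalises what remains and hashes it, so that a variant padded with junk still matches the stored hash. The macro texts are constructed.

```python
# Added example (not from the original article): skeleton-based matching for
# a text-format macro. Blank lines, comment lines, trailing comments and
# declarations that carry no logic are stripped; what remains (the skeleton)
# is normalised and hashed, so a padded or re-commented variant of a known
# macro still matches. All macro text below is constructed for illustration.
import hashlib
import re

# Statement prefixes this toy treats as unimportant (an assumption of the toy).
UNIMPORTANT_PREFIXES = ("dim ", "option ", "rem ")


def strip_trailing_comment(line: str) -> str:
    """Cut a trailing ' comment, ignoring apostrophes inside string literals."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def skeleton(source: str) -> str:
    """Return the skeleton of a macro: only logic-carrying lines, normalised."""
    kept = []
    for raw in source.splitlines():
        line = strip_trailing_comment(raw).strip()
        if not line:                                # blank or comment-only line
            continue
        low = re.sub(r"\s+", " ", line).lower()     # collapse spacing, ignore case
        if low.startswith(UNIMPORTANT_PREFIXES) or low == "rem":
            continue                                # junk statement
        kept.append(low)
    return "\n".join(kept)


def skeleton_hash(source: str) -> str:
    return hashlib.sha256(skeleton(source).encode("utf-8")).hexdigest()


# Constructed "known" macro whose skeleton hash is stored by the scanner.
KNOWN_SAMPLE = """Sub Main()
    Dim n As Integer
    n = 1
    Call Report(n)
End Sub
"""
# A padded variant: extra comments, blank lines, junk declarations, odd spacing and case.
VARIANT = """' padded copy of the same macro
Sub   Main()

    Dim n As Integer
    Dim unused1 As String   ' junk declaration
    REM another junk comment
    N = 1   ' trailing comment
    Dim unused2 As Long
    Call Report(n)
End   Sub
"""
# A different macro that must not match.
BENIGN = """Sub Main()
    n = 2
    Call Report(n)
End Sub
"""

KNOWN_HASHES = {skeleton_hash(KNOWN_SAMPLE)}   # the scanner's tiny "signature database"


def matches_known(source: str) -> bool:
    return skeleton_hash(source) in KNOWN_HASHES


if __name__ == "__main__":
    print(skeleton(VARIANT))
    print("variant matches:", matches_known(VARIANT))   # True
    print("benign matches:", matches_known(BENIGN))     # False
```

The hash of the skeleton plays the role of the signature here; a byte-exact signature over the original text would have been defeated by the very first inserted comment.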
In another method, more than one run of constant bytes from the virus code is searched for during scanning, rather than a single string. As a result, the number of false positives in virus detection drops considerably.
In heuristic analysis, a number of heuristics are used to detect virus infections. Some commonly used heuristic flags are:
- Possible gap between sections
- Suspicious section characteristics
- Suspicious code section name
- Multiple or suspicious PE Headers
- Suspicious imports from kernel
- Suspicious code redirection
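A few of the heuristic flags listed above, as an added example that is not from the original article: a Python script that builds a minimal PE32 image from constructed section tables and then checks it for a gap between sections, writable-and-executable sections, an unusual code-section name, more than one PE header and an entry point that does not sit in the first code section. The import table is not parsed, so the "suspicious imports from kernel" flag is not covered; the list of usual code-section names and the exact definition of "code redirection" used here are this toy's assumptions.

```python
# Added example (not from the original article): a few of the header
# heuristics listed above, computed over a minimal PE32 image that this
# script constructs itself. Imports are not parsed, so "suspicious imports
# from kernel" is not covered. The accepted code-section names and the
# definition of "code redirection" are assumptions of this toy.
import struct
from typing import List, Tuple

# Section characteristic bits from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names this toy accepts for an executable section (assumption of the toy).
USUAL_CODE_NAMES = {b".text", b"CODE", b".code"}

# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
Section = Tuple[bytes, int, int, int, int, int]


def align_up(value: int, align: int) -> int:
    return (value + align - 1) // align * align


def build_pe(sections: List[Section], entry_point: int,
             section_align: int = 0x1000, file_align: int = 0x200) -> bytes:
    """Construct a minimal PE32 image: DOS header, PE signature, COFF header,
    96-byte optional header (no data directories) and the section table.
    Section contents are irrelevant to header heuristics and are omitted."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96, 0x0102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_point,
                      0, 0, 0x400000, section_align, file_align)
    opt += b"\0" * (96 - len(opt))
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table


def parse_pe(pe: bytes):
    """Return (entry_point, section_align, sections) read from a PE image."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (nsec,) = struct.unpack_from("<H", pe, e_lfanew + 6)          # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)     # SizeOfOptionalHeader
    (entry,) = struct.unpack_from("<I", pe, e_lfanew + 40)        # AddressOfEntryPoint
    (section_align,) = struct.unpack_from("<I", pe, e_lfanew + 56)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        n, vs, va, rs, rp, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append((n.rstrip(b"\0"), vs, va, rs, rp, ch))
    return entry, section_align, sections


def heuristic_flags(pe: bytes) -> List[str]:
    """Return the heuristic flags raised by the image's headers, sorted."""
    entry, section_align, sections = parse_pe(pe)
    flags = set()
    for i, (name, vsize, va, _, _, chars) in enumerate(sections):
        if i > 0:
            _, pvsize, pva, _, _, _ = sections[i - 1]
            if va > align_up(pva + pvsize, section_align):
                flags.add("Possible gap between sections")
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            flags.add("Suspicious section characteristics")
        if chars & IMAGE_SCN_MEM_EXECUTE and name not in USUAL_CODE_NAMES:
            flags.add("Suspicious code section name")
    if pe.count(b"PE\0\0") > 1:
        flags.add("Multiple or suspicious PE headers")
    # Code redirection (toy definition): entry point outside every executable
    # section, or inside the last section of a multi-section image.
    holder = next((i for i, (_, vs, va, _, _, _) in enumerate(sections)
                   if va <= entry < va + align_up(vs, section_align)), None)
    if (holder is None or not sections[holder][5] & IMAGE_SCN_MEM_EXECUTE
            or (len(sections) > 1 and holder == len(sections) - 1)):
        flags.add("Suspicious code redirection")
    return sorted(flags)


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed clean layout: contiguous sections, entry point inside .text.
CLEAN_PE = build_pe([(b".text", 0x1000, 0x1000, 0x1000, 0x400, CODE),
                     (b".data", 0x200, 0x2000, 0x200, 0x1400, DATA)], entry_point=0x1100)
# Constructed suspicious layout: a gap before a writable+executable, oddly named
# last section holding the entry point, plus a second PE signature appended.
SUSPICIOUS_PE = build_pe([(b".text", 0x1000, 0x1000, 0x1000, 0x400, CODE),
                          (b".data", 0x200, 0x2000, 0x200, 0x1400, DATA),
                          (b".xyz0", 0x800, 0x4000, 0x800, 0x1600, CODE | IMAGE_SCN_MEM_WRITE)],
                         entry_point=0x4010) + b"\0" * 16 + b"PE\0\0"

if __name__ == "__main__":
    print("clean:", heuristic_flags(CLEAN_PE))
    print("suspicious:", heuristic_flags(SUSPICIOUS_PE))
```

Each flag on its own is weak evidence (legitimate packers and linkers trip some of them), which is why heuristic scanners score several flags together rather than acting on one.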
Static Decryptor Detection
This method is used to detect encrypted viruses. String scanning specific to the particular virus is used to detect its decryptor.
In a related method, when an encrypted virus is first detected, the plaintext body of that virus is obtained. Then, on specific parts of a scanned file, such as its top and tail and its entry points, a number of encryption techniques commonly used by virus writers are applied in reverse, and the result is searched for the signature of the plaintext body. This way the signature can be found in an unknown sample even though the body is encrypted.
This technique is normally used against polymorphic viruses, but the problem with it is that it is very time consuming.
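The decryption-based scan described above, as an added example that is not from the original article: starting from the plaintext signature of a virus body, the Python scanner applies the inverse of single-byte XOR and single-byte ADD (this toy's assumption about the "commonly used" schemes) with every possible key to the top and tail of a file and looks for the signature in the result. The signature and the sample files are constructed; the nested loops over methods, keys and regions also show why the technique is expensive.

```python
# Added example (not from the original article): a toy decryption-based scan.
# The plaintext signature of a virus body is known; the scanner undoes a few
# simple encryption schemes (single-byte XOR and single-byte ADD, the toy's
# assumption) with every possible key on the top and tail of the file and
# searches the result for the signature. All bytes below are constructed.
from typing import List, Optional, Tuple

METHODS = ("xor", "add")


def transform(data: bytes, method: str, key: int, decrypt: bool) -> bytes:
    """Apply (decrypt=False) or undo (decrypt=True) a single-byte XOR or ADD."""
    if method == "xor":
        return bytes(b ^ key for b in data)
    if method == "add":
        return bytes(((b - key) if decrypt else (b + key)) & 0xFF for b in data)
    raise ValueError(method)


def regions_of(data: bytes, window: int = 64,
               entry: Optional[int] = None) -> List[Tuple[int, int]]:
    """Top and tail of the file, plus a window after the entry point if given."""
    regs = [(0, min(window, len(data))), (max(0, len(data) - window), len(data))]
    if entry is not None:
        regs.append((entry, min(entry + window, len(data))))
    return regs


def xray_scan(data: bytes, signature: bytes,
              entry: Optional[int] = None) -> Optional[Tuple[str, int, int]]:
    """Return (method, key, absolute_offset) of the first decrypted hit, or None.
    Cost is regions x methods x 255 keys x one search each, hence 'time consuming'."""
    for start, end in regions_of(data, entry=entry):
        chunk = data[start:end]
        for method in METHODS:
            for key in range(1, 256):
                idx = transform(chunk, method, key, decrypt=True).find(signature)
                if idx != -1:
                    return method, key, start + idx
    return None


# Constructed plaintext signature of the (hypothetical) virus body.
SIGNATURE = bytes.fromhex("9c 3e 51 a7 0b e2 64 d8")
PLAIN_BODY = bytes.fromhex("55 89 e5") + SIGNATURE + b"\xc3"
HEADER = b"MZ" + b"\0" * 30      # constructed 32-byte header
TAIL = b"\0" * 20
# Two constructed samples whose body was hidden with different schemes and keys.
SAMPLE_XOR = HEADER + transform(PLAIN_BODY, "xor", 0x5A, decrypt=False) + TAIL
SAMPLE_ADD = HEADER + transform(PLAIN_BODY, "add", 0x21, decrypt=False) + TAIL

if __name__ == "__main__":
    print("plain signature visible:", SIGNATURE in SAMPLE_XOR)   # False
    print("xor sample:", xray_scan(SAMPLE_XOR, SIGNATURE))        # ('xor', 90, 35)
    print("add sample:", xray_scan(SAMPLE_ADD, SIGNATURE))        # ('add', 33, 35)
```

Restricting the search to the top, tail and entry-point regions is what keeps the approach affordable at all; a real scanner also limits the set of schemes tried per virus family rather than brute-forcing every scheme on every file.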
Another widely used technique is emulation. A virtual environment simulates the CPU, memory, storage and the necessary functions of an operating system, and the virus code is run inside it. As the code runs, its behavior is observed and analyzed, and that information is used to detect new infections of the virus.
Disadvantages of traditional anti-virus techniques
Though the techniques of virus detection have improved a lot over time, they have their own disadvantages, which eventually made traditional anti-virus programs less effective. A number of them are mentioned below:
- Signature scanning maintains a database of signatures of known viruses, against which files are scanned. But as the number of viruses grew drastically over time, it became quite impractical to maintain such signature databases.
- A signature database does not contain signatures of newly found viruses until they have been analyzed successfully and added to the database. This makes traditional anti-virus programs quite ineffective at detecting new viruses.
- Traditional virus detection techniques are ineffective against zero-day threats.
- Attackers often use techniques such as crypters and server-side polymorphism, which make it much more difficult for traditional anti-virus programs to detect their malware.
The Next Generation of Anti-Virus or NGAV
Next Generation Anti-Virus, or NGAV, relies on machine learning to dissect new viruses in an automated way. It uses dynamic analysis to detect viruses, instead of relying on analysis of previously captured virus samples. As a result, it is much more effective than traditional anti-virus programs at detecting new viruses and zero-day threats.
An NGAV may use several techniques to detect viruses. Some of them are mentioned below:
Automated Static Analysis
In this method, the suspicious binary is divided into parts, and each part is analyzed on the basis of features visible in the binary code. If it finds characteristics known to be malicious, it flags the binary as infected. The whole process runs automatically.
Dynamic Analysis through Emulation
The suspicious binary is run inside an optimized emulated environment and its behavior is analyzed. If any malicious characteristics are found, the binary is flagged as infected.
Dynamic Analysis through Virtualization
In this technique, the suspicious binary is analyzed in a virtualized environment instead of an emulated one to detect malicious characteristics.
Dynamic Analysis through Bare-metal
In this case, the suspicious binary is analyzed in an environment that most closely replicates a real, vulnerable device, and its characteristics are observed. Often, when malware detects that it is running in a virtual environment, it changes its behavior to avoid being analyzed. This method is quite effective for analyzing such malware.
So, to summarize:
- NGAV does not rely on prior knowledge of a malicious binary to detect its infections.
- It dynamically analyzes suspicious binaries to detect malicious behavior.
- It does not require manual intervention to detect newly found viruses.
NGAV uses machine learning to detect newly found viruses in an automated fashion. It applies the methods mentioned above to observe malicious behavior, extracts the corresponding features of the malicious binary, and trains a model on those features, so that when those features are observed in a new suspicious binary, it can be flagged as infected.