Wednesday, May 6, 2020

A Survey on Malware and Malware Detection Systems

Question: Describe A Survey on Malware and Malware Detection Systems.

Answer:

Introduction

Malicious software, or malware, is software used either to gather sensitive information or to gain access to private operations; it is also used to disrupt computer operations. Malware is notorious because it is malicious and can harm a computer user's files or programs. Malware includes viruses, worms, Trojan horses and spyware (Saeed and Abuagoub, 2013). A malware program gathers information about a computer user without permission. Badware is a term that covers both true malware and software that causes harm unintentionally. Malware is best understood as any variety of hostile, intrusive or annoying software or program code that is designed to access a computer system secretly, without the owner's knowledge and consent (Alatabbi, 2013). The development of malware is therefore tied to the development of software engineering: the design and building of software was formally put forward for the first time in 1968, at the NATO Software Engineering Conference. By now, malware has been recognized as a worldwide problem affecting every part of the globe, as stated in the 2009 Microsoft Security Intelligence Report (Anti-spyware Anti-adware Anti-Malware, 2015). Malware is no longer regarded merely as software used to intrude into, break or damage computer networks; today it exists mainly because it is a profit-making tool for criminals.
Instead of developing a completely new kind of malware from scratch, malware authors look for a one-time piece of code that generates new variants from malware that already exists. This lets a variant of existing malware be developed quickly and easily, so that it can enter the market quickly (Bao, 2012). The statistical analysis in the Microsoft Security Intelligence Report [BWM06] states that of the 97,924 variants collected during 2006, the first seven families accounted for 50% of all variants found, while the next 25 families accounted for 75% of all variants found. It can therefore be assumed that, with this method, new malicious programs are largely variations of methods that were previously in the wild.

Definition of Malware

Software designed either to damage a computer or to perform unwanted actions on it is known as malicious software, or malware (Barabas et al. 2013). The Spanish word mal means bad, and so malware is also referred to as badware. People have tried to define the term malware by describing its characteristic features. Fred Cohen, in 1986, tried to define the computer virus in his Ph.D. thesis in a rigorous mathematical way [Coh85] (blog.sucuri.net, 2015). According to him, a virus can be described by a sequence of symbols which is able, when interpreted in a suitable environment (a machine), to modify other sequences of symbols in that environment by including a, possibly evolved, duplicate of itself. The thesis, however, focuses on the virus and does not consider the more general issues that are part of malware. He made a firm distinction when he coined the term malware (Blythe, Dietrich and Camp, 2012).
The computer virus was born on 10 November 1983 at Lehigh University, when Cohen presented a program on a VAX 11/750. It was not an ordinary program but one that behaved like a virus: it was able to install itself and at the same time infect other computer systems. Along with the development of the internet and the computer, the definition of malware has changed. Whether software is considered malicious rarely depends on the particular features of the software; rather, it depends on the perceived intent of its author (Chen and Zeng, 2012). The following view is widely accepted from an empirical standpoint: malware is software that compromises or infiltrates a computer system without either the knowledge or the consent of the owner. The word malware itself is a combination of two words, malicious and software. White-collar computer workers define it differently: for them it is an umbrella term for every variety of annoying or intrusive software program, as well as for hostile program code.

History of Malware

Practical study of malware is only possible if its history is studied as well (Dro.deakin.edu.au, 2015). The study of malware would be insignificant without the study of its history, because the history helps in understanding the references provided by the experts. Before internet communication became widely available, network communication was limited to local networks and stations, so malware had only a limited presence (Flegel and Robertson, 2013). The nature of the threat evolved with the evolution of the internet; there is therefore a direct relation between the evolution of the internet and that of malware.
McAfee [McA05] states that Brain, introduced in 1986, was one of the earliest viruses. Brain infected the boot sector of floppy disks, which were one of the major means of transferring data from one computer to another (Dro.deakin.edu.au, 2015). In July 1995 the first major alteration of the virus took place, with the spread of the first macro virus. Brain differs from other boot-sector viruses mainly because it was written in a readable format (Jiang and Zhou, 2013).

Types of Malware

Worms and viruses: Worms and viruses are the earliest and best-known types of malicious software. A program that propagates with malicious intent through the internet or through a LAN is called a worm. Worms penetrate a remote machine, launch copies of themselves on the victim machine, and then spread to other machines (Grimes, 2015). LAN and WAN, file sharing (P2P), instant messaging and IRC are the networking channels that help worms propagate. According to Hole (2015), a live worm can spread through email attachments, through ICQ, through P2P networks and through IRC-accessible and messaging files. Packet worms, which are fewer in number, penetrate the victim's computer directly and execute their code there. There are various ways for a worm to penetrate the victim's computer and execute code: emails with attachments, poorly configured networks, networks open to outside access, and vulnerabilities in applications and operating systems (Jang et al. 2015).
There is a difference between a virus and a worm: a worm needs user intervention to spread, whereas with a virus the spreading takes place automatically. Thus an infection transferred by email or by a Microsoft Word document, where the system is infected when the receiver opens the file or the email, is, according to Jiang and Zhou (2013), an act of a virus and not of a worm.

Trojans: This kind of program takes its name, Trojan horse or Trojan for short, from the Greek myth of the Trojan War. A Trojan is a private program that runs commands secretly in order to accomplish its goal, and while it does so the user or administrator running it does not know it is there, so it is neither shut down nor removed (Kapse and Gupta, 2015). The appearance of a Trojan is completely opposite to its actual behaviour, and at times it may not be malicious at all. Trojans are notorious today because they have been used to install backdoor programs (Kim and Chung, 2013). A dropper is a Trojan used to inject worms into the networks of local users. In short, a Trojan is a program that users are invited to run while the fact that it carries a malicious and damaging payload is concealed from them (Kotenko and Skormin, 2012). The payload may take effect at once, which can lead to many undesirable effects, including deleting the user's files or installing further malicious or otherwise unwanted software.

Rootkits: A rootkit is a program, or a combination of several programs, designed to take central control of a computer system (root access in UNIX terms, Administrator access in Windows terms) without the authorization of the system's legitimate owner (Lu et al. 2013).
Access to the hardware, or resetting a switch, is seldom required, because the rootkit deliberately seizes control of the operating system on which the equipment runs. A rootkit's actions are directed towards hiding its existence on the system, which it achieves by subverting and avoiding the standard operating-system security mechanisms. At times there are Trojans as well, which convince users that they are safe to run on their systems (Mowbray and Shimonski, 2014). Concealing running processes, or hiding files or system data, are the techniques used to accomplish this. Rootkits emerged as regular, and at times emergency, computer applications; in recent years, however, rootkits have been developed as malware that helps the intruder avoid detection. Rootkits exist for various operating systems, including Microsoft Windows, Linux, Solaris and Mac OS X (Malware Forensics Field Guide for Windows Systems, 2013). Depending on the internal details of the operating system, rootkits can either modify the existing operating system or install themselves as new drivers or kernel modules.

Backdoors: A method of bypassing the normal authentication procedures is known as a backdoor. Installing one or more backdoors on a computer makes it easy to access the system again in the future (Pinto et al., 2014). Backdoors can be installed on a computer before any malicious software enters it. It has often been suggested that computer manufacturers pre-install backdoors in order to support their customers, although this has never been verified (Provataki and Katos, 2013).
Crackers also install backdoors on computers, because backdoors give them secure access to the remote computer and at the same time help them hide from casual inspection. Trojan horses and worms are among the ways in which crackers install backdoors.

Spyware and adware: Software installed on a computer system without the knowledge of its owner is known as spyware. Spyware collects information and sends it back to the person carrying out the attack. The stolen information is used to learn and to steal things like passwords or credit card numbers; the attacker could also change the settings of your browser or add objectionable browser toolbars (searchenterprisedesktop.techtarget.com, 2015). The most common way of spreading and distributing spyware is through a Trojan horse: most of the time it is bundled with desirable software that users download, so that the spyware is installed at the same time as the software. When spyware authors attempt to act legally, they may include an end-user license that states the terms and conditions in very loose terms, and there is a good chance that users will not read it.

Bots

A different kind of malware is the robot, or bot for short: an automated process that interacts with other network services (seclab.cs.ucsb.edu, 2015). Bots gather information, as web crawlers do, and interact automatically with services such as instant messaging (IM), Internet Relay Chat (IRC) and other web interfaces.
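From the defender's side, the bot behaviour just described (an automated process that repeatedly contacts services such as IRC) leaves a recognisable trace in connection logs. The following Python is an added example, not code from the page or from any project it cites; the log lines, their key=value format, the documentation-range addresses and the detection thresholds are all constructed for illustration. It parses the lines, groups outbound connections per host and destination, and flags flows that use the standard IRC ports or that recur at a near-constant interval, which is what an automated check-in looks like as opposed to a person's browsing.

```python
"""Added example (not from the page): spot bot-like check-ins in connection logs."""
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall-style log lines (invented key=value format, RFC 5737 addresses).
LOG_LINES = [
    "2015-12-18T10:00:00 src=10.0.0.5 dst=203.0.113.10 dport=6667 proto=tcp",
    "2015-12-18T10:01:13 src=10.0.0.7 dst=198.51.100.20 dport=443 proto=tcp",
    "2015-12-18T10:02:00 src=10.0.0.9 dst=192.0.2.50 dport=8080 proto=tcp",
    "2015-12-18T10:03:00 src=10.0.0.9 dst=192.0.2.50 dport=8080 proto=tcp",
    "2015-12-18T10:03:40 src=10.0.0.7 dst=198.51.100.20 dport=443 proto=tcp",
    "2015-12-18T10:04:00 src=10.0.0.9 dst=192.0.2.50 dport=8080 proto=tcp",
    "2015-12-18T10:05:00 src=10.0.0.5 dst=203.0.113.10 dport=6667 proto=tcp",
    "2015-12-18T10:05:00 src=10.0.0.9 dst=192.0.2.50 dport=8080 proto=tcp",
    "2015-12-18T10:06:30 DHCPACK on 10.0.0.7",          # unrelated line, must be skipped
    "2015-12-18T10:10:00 src=10.0.0.5 dst=203.0.113.10 dport=6667 proto=tcp",
    "2015-12-18T10:11:02 src=10.0.0.7 dst=198.51.100.20 dport=443 proto=tcp",
    "2015-12-18T10:12:15 src=10.0.0.7 dst=198.51.100.20 dport=443 proto=tcp",
    "2015-12-18T10:15:00 src=10.0.0.5 dst=203.0.113.10 dport=6667 proto=tcp",
    "2015-12-18T10:20:00 src=10.0.0.5 dst=203.0.113.10 dport=6667 proto=tcp",
]

IRC_PORTS = {6667, 6697}   # standard IRC ports (plain and TLS)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=\S+$"
)


def parse_line(line):
    """Return a dict for a connection line, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def detect_bot_checkins(lines, min_connections=4, max_cv=0.1):
    """Flag (src, dst, port) flows that use IRC ports or recur at a near-constant interval.

    max_cv is the largest allowed coefficient of variation (stdev / mean) of the gaps
    between connections; human browsing has irregular gaps, automated check-ins do not.
    """
    flows = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        flows.setdefault((rec["src"], rec["dst"], rec["dport"]), []).append(rec["ts"])

    findings = []
    for (src, dst, dport), stamps in flows.items():
        reasons = []
        if dport in IRC_PORTS:
            reasons.append("irc_port")
        stamps.sort()
        if len(stamps) >= min_connections:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_cv:
                reasons.append("periodic")
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "connections": len(stamps), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_bot_checkins(LOG_LINES):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} "
              f"({f['connections']} connections): {', '.join(f['reasons'])}")
```

On the constructed lines, the host talking to port 6667 every five minutes is flagged for both reasons, the host polling port 8080 once a minute is flagged as periodic only, and the host with irregularly spaced HTTPS connections is not flagged. Both thresholds are deliberately simple; a real deployment would also whitelist known update servers and look at the volume and direction of data.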
Bot software is what makes it possible to control compromised hosts remotely and to group them into what is known as a botnet or zombie army [BCJ+09, CJM05] (Sikorski and Honig, 2012). Attackers who want to hide their real identity, or who want to amplify their attacks, can use the bots (or zombies) as anonymous proxies. A botnet, in short, is a large pool of compromised computer hosts spread across the Internet. Attackers can use a botnet to launch a remotely controlled, broad-based flood-type attack. The bots currently found in the wild are generally hybrids of earlier threats (Siron and Syrewicze, 2014): they can hide from detection like viruses, propagate like worms, and attack like stand-alone tools, integrating both command and control. A botnet can take control of networks by exploiting the backdoors that are generally opened by worms and viruses. Bots hide themselves so that they can infect networks without attracting immediate notice.

Hacker Utilities and Programs Considered Malicious

The utilities and malicious programs used by hackers include the following: construction kits for creating worms, Trojans and viruses; program libraries developed for creating malware; encryption of infected files so that hackers can hide them from antivirus software; and joke programs that interfere with normal computer functions.
There are also programs that deliberately give users wrong information about the actions carried out on the computer system, and programs designed to infect networked or local machines, either directly or indirectly.

The Significant Benefit of Effective and Automatic Malware Detection and Classification

Determining whether a piece of malware is a new malware or a variant of a known family can be done quickly, provided the malware is found in the wild. If the malware is a variant of a known family, the anti-virus analyst can predict the damage it can cause and accordingly provide the measures needed to remove it (Song and Touili, 2013). Moreover, given a few sets of malware samples belonging to various families, implementing a removal procedure, generalizing a signature or creating mitigation strategies for a whole class of programs becomes significantly easier [BCH+09]. There is a certain amount of similarity between old, known malware and new malware, which provides valuable information for further analysis. Analysts should focus on analysing new malware rather than going through a gruelling analysis of variants that belong to a known family.

The research described here is a section of a larger project, Analysis and Classification of Malicious Code, supported by ARC grant number LP0776260 under the auspices of the Australian Research Council and by the research partner CA Technologies. My supervisors were Prof. Lynn Batten and Dr. Rafiqul Islam from Deakin University, and Dr. Steve Versteeg from CA Technologies helped me a lot with this project.
Initially I had to use the CA Zoo for unpacking the malicious software, and I was responsible for setting up a database so that I could collect data from the malware (Tibetangeeks.com, 2015). I also customized ida2sql so that it produced the format we wished to use in the project and so that the data in it could be managed properly. I performed a preliminary test, based on the gathered data, to determine which features of the extracted malware might be useful for classification. The discovery I made helped me distinguish between software whose features are based on function length. This discovery is discussed in Chapter 4, on the function length test. Further, I took more samples of malware and used string features, which form the basis of that test, and compared the results with those of the function length test. After conducting these two tests, I started considering the dynamic information I received from the malware; I wanted to compare the results of this test with those of a static feature. According to www.computerweekly.com (2015), when the extended team became interested in malware detection rather than classification, cleanware was included in the test. Earlier, the cleanware test was considered a test of just another family, but at the time I was developing the research with the dynamic features, I tested the malicious software against the cleanware. The test is important because a large amount of cleanware, including auto-updating cleanware, uses the APIs that are most often exploited by malware; hence a naive approach to these tests will often result in cleanware being incorrectly identified as malware (www.fortinet.com, 2015).
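The feature tests described above (function length, strings and dynamic API calls) and the fixed-size vector that integrates them can be illustrated with a small classifier. The following Python is an added example written for this page; it is not the thesis's code, and every sample, vocabulary, bucket boundary and similarity threshold in it is constructed. It builds one vector of a common size from all three feature sources, trains a centroid per class (one malware family and cleanware), and shows the naive API-only test misidentifying an auto-updater as malware while the combined vector places it with cleanware; a sample that resembles nothing in the training set is reported as unknown rather than forced into a family.

```python
"""Added example (not the thesis's code): fixed-size static+dynamic feature vectors
and nearest-centroid classification of malware families versus cleanware."""
import math

# Fixed vocabularies so every sample maps to a vector of the same length (constructed).
STRING_VOCAB = ["http://", "cmd.exe", "regsvr32", "autorun.inf", "update", "version"]
API_VOCAB = ["CreateFileW", "WriteFile", "InternetOpenA", "CreateProcessW",
             "RegSetValueExW", "WriteProcessMemory"]
FUNC_BIN_EDGES = [16, 64, 256, 1024, 4096]   # function-length buckets (bytes)
SIMILARITY_THRESHOLD = 0.6                    # below this no known class is claimed

# Constructed training samples: function lengths and strings are static features,
# the API list is what a run-time trace recorded.
TRAINING = [
    {"label": "FamilyA", "func_lengths": [8, 30, 50, 900, 2000],
     "strings": ["http://", "cmd.exe", "regsvr32"],
     "apis": ["InternetOpenA", "CreateProcessW", "RegSetValueExW", "WriteProcessMemory"]},
    {"label": "FamilyA", "func_lengths": [10, 35, 60, 800, 3000],
     "strings": ["http://", "regsvr32"],
     "apis": ["InternetOpenA", "CreateProcessW", "RegSetValueExW"]},
    {"label": "Cleanware", "func_lengths": [20, 100, 150, 500, 5000, 9000],
     "strings": ["http://", "update", "version"],
     "apis": ["CreateFileW", "WriteFile", "InternetOpenA", "CreateProcessW"]},
    {"label": "Cleanware", "func_lengths": [25, 120, 400, 6000],
     "strings": ["update", "version"],
     "apis": ["CreateFileW", "WriteFile", "InternetOpenA"]},
]
# Constructed unlabelled samples to classify.
VARIANT_OF_A = {"func_lengths": [9, 32, 55, 950, 2500],
                "strings": ["http://", "cmd.exe", "regsvr32"],
                "apis": ["InternetOpenA", "CreateProcessW", "RegSetValueExW", "WriteProcessMemory"]}
AUTO_UPDATER = {"func_lengths": [22, 110, 160, 520, 7000],        # legitimate updater that
                "strings": ["http://", "update", "version"],      # downloads, writes a file,
                "apis": ["InternetOpenA", "CreateProcessW",        # sets a registry value and
                         "RegSetValueExW", "WriteFile"]}           # launches the installer
NEW_SAMPLE = {"func_lengths": [5000, 8000, 12000], "strings": [], "apis": ["WriteProcessMemory"]}


def func_length_hist(lengths):
    """Normalised histogram of function lengths over the fixed buckets."""
    hist = [0.0] * (len(FUNC_BIN_EDGES) + 1)
    for n in lengths:
        hist[sum(1 for edge in FUNC_BIN_EDGES if n >= edge)] += 1.0
    total = float(len(lengths)) or 1.0
    return [h / total for h in hist]


def string_vec(strings):
    """Presence (0/1) of each vocabulary token among the sample's strings."""
    present = set(strings)
    return [1.0 if tok in present else 0.0 for tok in STRING_VOCAB]


def api_vec(apis):
    """Relative frequency of each vocabulary API in the dynamic trace."""
    total = float(len(apis)) or 1.0
    return [apis.count(a) / total for a in API_VOCAB]


def feature_vector(sample, parts=("func", "str", "api")):
    """Concatenate the selected feature groups into one vector of common size."""
    vec = []
    if "func" in parts:
        vec += func_length_hist(sample["func_lengths"])
    if "str" in parts:
        vec += string_vec(sample["strings"])
    if "api" in parts:
        vec += api_vec(sample["apis"])
    return vec


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


def train(samples, parts=("func", "str", "api")):
    """One centroid (mean vector) per class label."""
    by_label = {}
    for s in samples:
        by_label.setdefault(s["label"], []).append(feature_vector(s, parts))
    return {label: [sum(v[i] for v in vecs) / len(vecs) for i in range(len(vecs[0]))]
            for label, vecs in by_label.items()}


def classify(sample, model, parts=("func", "str", "api"), threshold=SIMILARITY_THRESHOLD):
    """Nearest centroid by cosine similarity; 'unknown' when nothing is close enough."""
    vec = feature_vector(sample, parts)
    label, score = max(((l, cosine(vec, c)) for l, c in model.items()), key=lambda t: t[1])
    return (label if score >= threshold else "unknown", round(score, 3))


def classify_combined(sample):
    return classify(sample, train(TRAINING))[0]


def classify_api_only(sample):
    return classify(sample, train(TRAINING, ("api",)), ("api",))[0]


if __name__ == "__main__":
    for name, s in [("variant", VARIANT_OF_A), ("updater", AUTO_UPDATER), ("new", NEW_SAMPLE)]:
        print(name, "api-only:", classify_api_only(s), "combined:", classify_combined(s))
```

The updater is the case the text warns about: its API trace alone looks like the malware family, and only the static features (string tokens and the function-length profile) pull it back to the cleanware centroid. The threshold on the best similarity is what stops a genuinely new sample from being silently filed under the nearest existing family.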
Finally, my team wished to have a test that integrates both dynamic and static features. Setting this up was only possible once the data set had been determined, for which usable log inputs that could serve both tests were required. Carrying it out therefore required me to unpack more and more malware, to find more cleanware, and to return to the tests that had previously been conducted. My decision therefore centred on deriving a vector of a common size that can incorporate all the features that need to be included. Chapter 8 shows the result of the integrated dynamic test; a target of 97% accuracy has been reached with this test.

Flaws and Vulnerabilities

The question now is why malware is so prevalent. It is easy to blame the flood of malware on software bugs, but perfectly operating software can be open to many attacks as well (Zhao and Wang, 2012). For instance, lax default configuration can open up or exacerbate vulnerabilities, as happened when Windows 2000 Server shipped with IIS turned on by default, which allowed the Code Red worm of 2000 to infect it massively. Security holes in software often open up in new features added in Microsoft's zeal for innovation, especially in the case of Internet Explorer (www.symantec.com, 2015). Microsoft, however, cannot be blamed solely for the rise of malicious software: a notable number of the worst threats require user interaction.

The Future of Malware

Malware was originally characterized as harmless viruses or as irritating adware. Today things have changed for the worse, and malware is used to conduct activities that are unlawful.
Malware has increased unlawful activity to such an extent that today it is also referred to as crimeware. Ransomware tries to hold the user's computer files hostage. Today the mass-mailing virus no longer accounts for the hacker's greatest success; instead there has been an increase in malware writers creating subversive software (Yuan and Lu, 2013). Quietly gaining private user information, or enslaving user machines, are among the aims malware writers have in mind. Malware writers create crimeware not only because they have evil in mind but also because they want financial gain.

Summary

Malicious software normally propagates to users and computers through files attached to email or by hiding within legitimate traffic. Attackers have also taken advantage of social media to distribute malware. While most malicious code is concealed in small files, which makes it easier to spread over the Internet, malware can be embedded in files of any size. This paper offers some insight into how malware scanning performance is related to the size of malware-infected files and how different scanning systems can help strike a balance between performance and security. Malware can come in files of nearly any size. To make their code spread easily through the Internet, malware creators usually keep the files small; malware is typically found within files that are less than one megabyte (MB) in size. The small size of the malware file allows malicious content to be transferred easily over applications such as email, peer-to-peer download, IM and chat, and to execute quickly.

References

Saeed, I. A., Selamat, A. and Abuagoub, A. M. A. (2013). A Survey on Malware and Malware Detection Systems. International Journal of Computer Applications, 67(16), pp.25-31.
Alatabbi, A. (2013). Malware Detection using Computational Biology Tools. IJET, pp.315-319.
Anti-spyware Anti-adware Anti-Malware (2015). Anti-spyware Anti-adware Anti-Malware, 6 Dec 2015. [online] Available at: https://destroyadware.com/articles/removal/malware-removal-summary/ [Accessed 18 Dec. 2015].
Bao, Z. (2012). Web-Age Information Management. Berlin: Springer.
Barabas, M., Homoliak, I., Drozd, M. and Hanacek, P. (2013). Automated Malware Detection Based on Novel Network Behavioral Signatures. IJET, pp.249-253.
blog.sucuri.net (2015). Bijay Swain, Jul 2009, Virus Spyware and cookies, 6 Dec 2015. [online] Available at: https://blog.sucuri.net/2013/03/2012-web-malware-trend-report-summary.html [Accessed 18 Dec. 2015].
Blythe, J., Dietrich, S. and Camp, L. (2012). Financial cryptography and data security. Heidelberg: Springer.
Chen, C., Cheng, S. and Zeng, R. (2012). A proactive approach to intrusion detection and malware collection. Security and Communication Networks, 6(7), pp.844-853.
Dro.deakin.edu.au (2015). DRO. Kevin Beaver, Malware Detection for IT, 6 Dec 2015. [online] Available at: https://dro.deakin.edu.au/eserv/DU:30043244/Tian-thesis-2011.pdf [Accessed 18 Dec. 2015].
Flegel, U., Markatos, E. and Robertson, W. (2013). Detection of intrusions and malware, and vulnerability assessment. Berlin: Springer.
Grimes, R. (2015). How do I know if my computer is infected with malware? [online] InfoWorld. Available at: https://www.infoworld.com/article/2883958/antimalware/how-to-detect-malware-infection-in-9-easy-steps.html [Accessed 18 Dec. 2015].
Hole, K. (2015). Toward Anti-fragility: A Malware-Halting Technique. IEEE Security & Privacy, 13(4), pp.40-46.
Jang, J., Kang, H., Woo, J., Mohaisen, A. and Kim, H. (2015). Andro-AutoPsy: Anti-malware system based on similarity matching of malware and malware creator-centric information. Digital Investigation, 14, pp.17-35.
Jiang, X. and Zhou, Y. (2013). Android Malware. Dordrecht: Springer.
Kapse, G. and Gupta, A. (2015). Testing Android Anti-Malware against Malware Obfuscations. International Journal of Computer Applications, 111(17), pp.6-9.
Kim, K. and Chung, K. (2013). IT convergence and security 2012. Dordrecht: Springer.
Kong, D. and Yan, G. (2013). Discriminant malware distance learning on structural information for automated malware classification. ACM SIGMETRICS Performance Evaluation Review, 41(1), p.347.
Kotenko, I. and Skormin, V. (2012). Computer network security. Heidelberg: Springer.
Lu, H., Wang, X., Zhao, B., Wang, F. and Su, J. (2013). ENDMal: An anti-obfuscation and collaborative malware detection system using syscall sequences. Mathematical and Computer Modelling, 58(5-6), pp.1140-1154.
Malware Forensics Field Guide for Windows Systems. (2013). Network Security, 2013(12), p.4.
Mobile malware tops one million, but Google says problem exaggerated. (2013). Network Security, 2013(10), p.2.
Mowbray, T. and Shimonski, R. (2014). Cybersecurity. Indianapolis, Ind.: John Wiley & Sons.
Pinto, M., Adair, S., Hartstein, B., Richard, M., Stuttard, D. and Hale Ligh, M. (2014). Attack and Defend Computer Security Set. Hoboken: Wiley.
Provataki, A. and Katos, V. (2013). Differential malware forensics. Digital Investigation, 10(4), pp.311-322.
seclab.cs.ucsb.edu (2015). Roger A. Grimes, Jun 2007, Security Adviser, 6 Dec 2015. [online] Available at: https://seclab.cs.ucsb.edu/academic/projects/topics/malware-detection/ [Accessed 18 Dec. 2015].
Sikorski, M. and Honig, A. (2012). Practical malware analysis. San Francisco: No Starch Press.
Siron, E. and Syrewicze, A. (2014). Hyper-V Security. Birmingham: Packt Publishing.
Song, F. and Touili, T. (2013). On pushdown systems model checking. [S.l.]: [s.n.].
Tibetangeeks.com (2015). Malware Summary. [online] Available at: https://www.tibetangeeks.com/using_tech/security-on_your_computer/malware-summary.html [Accessed 18 Dec. 2015].
www.computerweekly.com (2015). Malware Summary, 2 July 2007, 6 Dec 2015. [online] Available at: https://www.computerweekly.com/news/2240080549/Malware-overview-the-full-details [Accessed 18 Dec. 2015].
www.fortinet.com (2015). Daniel Cid, March 2007, Web Malware Trend Report summary, 6 Dec 2015. [online] Available at: https://www.fortinet.com/sites/default/files/whitepapers/MalwareFileSize.pdf [Accessed 18 Dec. 2015].
www.symantec.com (2015). Malware Overview, 6 Dec 2015. [online] Available at: https://www.symantec.com/connect/articles/what-are-malware-viruses-spyware-and-cookies-and-what-differentiates-them [Accessed 18 Dec. 2015].
Xu, D. and Yu, C. (2013). Automatic Discovery of Malware Signature for Anti-Virus Cloud Computing. AMR, 846-847, pp.1640-1643.
Yuan, Y., Wu, X. and Lu, Y. (2013). Trustworthy computing and services. Berlin: Springer.
Zhao, Z., Wang, J. and Wang, C. (2012). An unknown malware detection scheme based on the features of graph. Security and Communication Networks, 6(2), pp.239-246.

Bibliography

Mahawer, D. and Nagaraju, A. (2013). Metamorphic malware detection using base malware identification approach. Security and Communication Networks, 7(11), pp.1719-1733.
Mohd Shaid, S. and Maarof, M. (2014). Malware Behaviour Visualization. Jurnal Teknologi, 70(5).
Rastogi, V., Chen, Y. and Jiang, X. (2014). Catch Me If You Can: Evaluating Android Anti-Malware Against Transformation Attacks. IEEE Transactions on Information Forensics and Security, 9(1), pp.99-108.
searchenterprisedesktop.techtarget.com (2015). Malware Analysis and Detection, 6 Dec 2015. [online] Available at: https://searchenterprisedesktop.techtarget.com/opinion/Malware-detection-questions-for-IT-to-answer-for-desktop-security [Accessed 18 Dec. 2015].
