
Investigating Dynamic Malware Analysis Tool - Research Proposal Example

Summary
The paper "Investigating Dynamic Malware Analysis Tool" discusses that Symantec has released “Digital Immune System” incorporated in Norton corporate antivirus edition. After the system suspects virus-like activity, a sample is instantly uploaded and submitted to the center of analysis…

Extract of sample "Investigating Dynamic Malware Analysis Tool"

Malware Detection

Task 1 Research Limitation

Malware has evolved into a more lethal threat by using multiple vectors to launch attacks and exploit both known and unknown computer vulnerabilities, and it can infest pre-scanned files and folders with lightning speed. It will be expedient to equip scanners for the detection of evolved or mutated (metamorphic) and variant or obfuscated (polymorphic) malware versions (Mukkamala, Sulaiman, Chavez, & Sung, 2007). However, the current malware detection scanning techniques have serious limitations. Simple obfuscation of software, a common technique used to protect software against reverse engineering, can circumvent the empirical antivirus tools used for malware detection. Signature-based detection is susceptible to evasion. Since the pattern or signature is obtained from a familiar malware sample, this detection technique is easily evaded by obfuscating a program, for example through junk insertion and packing (Mishra, 2010). Even simple obfuscation such as code re-ordering and inserting no-ops can create a variant of malware able to evade signature-based detectors. This technique is also unable to detect unknown malware. The signatures are built from close observation of known malware; hence signature-based detection is only able to detect “known malware.” At times, signature-based detection fails to pick up a variant of an already known malware. In this respect, signature-based detection offers minimal zero-day protection (Venugopal & Hu, 2008). In addition, the signature database grows exponentially, since the detector uses a specific signature for every variant of malware.
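As an added illustration (not from the paper) of the no-op insertion problem described above, the following Python compares an exact byte signature with two defender-side mitigations: normalising away NOP bytes before matching, and a wildcard ("generic") signature. The samples and the signature are constructed placeholder byte strings, not real malware.

```python
"""Added example: exact signature vs. a NOP-padded variant, and two mitigations.
All byte strings below are constructed placeholders for illustration only."""
import re

X86_NOP = b"\x90"  # single-byte x86 NOP, the classic junk byte scattered into code

# Constructed "known sample" and the exact signature extracted from it.
KNOWN_SAMPLE = b"\x55\x8b\xec\x68PLACEHOLDER\xe8\x01\x02\x03\x04\xc3"
EXACT_SIGNATURE = b"\x68PLACEHOLDER\xe8"

# Constructed variant: same bytes, with NOPs inserted between the original ones.
VARIANT_SAMPLE = b"\x55\x90\x8b\xec\x90\x90\x68PLACE\x90HOLDER\xe8\x01\x02\x03\x04\xc3"


def exact_match(sample, signature):
    """Classic signature scan: the signature must appear as a contiguous run."""
    return signature in sample


def normalised_match(sample, signature):
    """Strip NOP bytes from both sample and signature before matching.
    Cheap normalisation that defeats plain NOP insertion; it does not help
    against code re-ordering or packing, which need other normalisations."""
    return signature.replace(X86_NOP, b"") in sample.replace(X86_NOP, b"")


def generic_match(sample, signature, max_gap=4):
    """Wildcard ("generic") signature: allow up to max_gap arbitrary bytes
    between consecutive signature bytes so one rule covers a whole family.
    Trade-off: a larger max_gap raises false positives, and a variant whose
    gaps exceed max_gap falls outside the wildcard's scope and is missed."""
    gap = b".{0,%d}" % max_gap
    regex = gap.join(re.escape(bytes([b])) for b in signature)
    return re.search(regex, sample, re.DOTALL) is not None


def scan(sample, signature):
    """Run all three detectors and return their verdicts side by side."""
    return {
        "exact": exact_match(sample, signature),
        "normalised": normalised_match(sample, signature),
        "generic": generic_match(sample, signature),
    }
```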
Task 2 Research Alternate Methods, Advantages and Disadvantages

Heuristic analysis
Heuristic scanning bears a close resemblance to signature scanning, with the only difference being that, instead of checking for particular signatures, heuristic scanning checks for certain commands or instructions within a program which are not typically found in application programs (Aycock, 2006). The heuristic engine is ultimately better placed to sense potentially malicious executions in previously unexamined and new malicious behavior, such as a virus replication mechanism, the payload of a Trojan, or a worm distribution routine.

Advantages: Generic virus protection renders all other malware scanners obsolete and offers sufficient protection to stop any malware. The user is saved from weekly software updates since the software is able to detect all malware.

Disadvantages: Although heuristic malware checking offers tremendous benefits, today this technology is not adequate. Virus writers are able to come up with viruses that disregard the rules and thus render the set virus detection rules incapable. Any changes to the set rules call for a download; hence, they require updating, and even then they are not able to block many new malware samples (Konstantinou & Wolthusen, 2008). This property makes them similar to scanners. In addition, the potential for failing to detect known malware and for false alarms is higher in the heuristic technique than in scanners.

Generic signature detection
This technique is specifically fashioned to identify variations of viruses. A number of viruses are re-made and rename themselves to various names but essentially stem from the same classification (or family). The generic technique consults previous virus definitions and uses them to locate the identical “cousins” even when they have evolved unusual characters with slightly different names (Liao, Richard Lin, Lin, & Tung, 2013).

Advantages: Generic scanning is not dependent on individual virus behaviors or signatures. Hence, it is handy in detecting unknown and new viruses and viruses of unknown and new behaviors. Generic detection does not need periodic database updates.

Disadvantages: Scanning for multiple viruses of the same family uses wildcard signatures. Failure can be anticipated in such an arrangement because new viruses belonging to the same family may fall outside the scope of the wildcard. When this happens, a new virus gets a loophole to pass the virus check.

Behavior blocking
This method of detection attempts to detect virus-like activity, such as trying to format a disk, which is not generally an action of most common programs (Kirda, Kruegel, Banks, Vigna, & Kemmerer, 2006). In other instances, the program may attempt to move a file into the operating system folders. These behaviors are instantly flagged by behavior blocking techniques.

Advantages: A behavior blocker blocks the virus from infecting the computer, thereby eliminating the necessity for virus removal except in the already infected original folder. Behavior blockers also endure longer compared to several other techniques. Since the method does not check for specific viruses but for behavior, it eliminates the need for an upgrade with each new virus detection.

Disadvantages: Behavior blocking calls for the malicious code to be executed on the target machine before all of its behavior can be identified. This can be catastrophic before the behavior has been identified and blocked.

Task 3 Research Existing Tools

Norman sandbox
The Norman sandbox executes a sample in a strictly monitored virtual environment which resembles the Windows operating system. The environment is ideal since it simulates the host computer, a local area connection and, to a degree, internet connectivity. The simulation thus provides support for relevant operating system mechanisms such as multi-threading support and memory protection (Shukla, 2007). Norman sandbox pays particular attention to the detection of worms that spread via P2P networks and email, and of viruses that attempt to replicate to network shares.

JoeBox
JoeBox creates a log containing highly detailed information about the actions that have been performed regarding the registry, system activities and the file system. JoeBox is designed to run on actual hardware, not relying on any emulation or virtualization techniques (Shukla, 2007). The system’s architecture is a client-server model. A single controller instance is able to control multiple clients, which are responsible for executing the analysis. The parent machine gathers the analysis data.

Task 4 Types of Malware Sandbox
ThreatAnalyzer is a customizable sandbox. Users are able to recreate their entire environment and are therefore able to tell how the malware will affect the network infrastructure and tethered computers. ThreatAnalyzer is then tuned to check for suspicious network activity and data exfiltration, and for anomalous access to sensitive systems and applications (Colajanni, Gozzi, & Marchetti, 2008). The Nuage sandbox also comes in handy. It can be used for ad hoc feature testing, as an environment for demonstration, or for quick code validation.

Task 5 Deploying Malware Sandbox
Before deploying a sandbox, a few things are worth considering. Among them are the kinds of files intended for analysis, the volume of analysis, the platform on which the analysis will run, and the information one intends to retrieve from a file. Creating a virtual environment is a critical part of sandbox deployment (Colajanni et al., 2008). A design plan defining the operating system and the software to install should be in place before starting on virtualization. Consider that automated analysis of malware is not deterministic, with its success depending on numerous factors. Create a system as realistic as you can and able to manage all the requirements.

Task 6 Evaluating Malware
Recently, Symantec has released the “Digital Immune System” incorporated in the Norton corporate antivirus edition. After the system suspects virus-like activity, a sample is instantly uploaded and submitted to the analysis center. If the virus resembles a known virus, the vaccine is automatically downloaded to the affected computer, enabling the software to clean it (van der Made, 2006). This significantly reduces the time the computer takes to clean a virus, thereby reducing the chances of infecting other computers.

References
Aycock, J. (2006). Computer viruses and malware (Vol. 22). Springer.
Colajanni, M., Gozzi, D., & Marchetti, M. (2008). Collaborative architecture for malware detection and analysis. In Proceedings of the IFIP TC 11 23rd International Information Security Conference (pp. 79–93). Springer.
Kirda, E., Kruegel, C., Banks, G., Vigna, G., & Kemmerer, R. (2006). Behavior-based spyware detection. In USENIX Security (Vol. 6).
Konstantinou, E., & Wolthusen, S. (2008). Metamorphic virus: Analysis and detection. Royal Holloway University of London, 15.
Liao, H.-J., Richard Lin, C.-H., Lin, Y.-C., & Tung, K.-Y. (2013). Intrusion detection system: A comprehensive review. Journal of Network and Computer Applications, 36(1), 16–24.
Mishra, U. (2010). Methods of virus detection and their limitations. SSRN eJournal.
Mukkamala, S., Sulaiman, A., Chavez, P., & Sung, A. H. (2007). Limitations of current anti-virus scanning technologies. Advances in Enterprise Information Technology Security.
Shukla, J. (2007). Application sandbox to detect, remove, and prevent malware. Google Patents.
Van der Made, P. A. (2006). Computer immune system and method for detecting unwanted code in a computer system. Google Patents.
Venugopal, D., & Hu, G. (2008). Efficient signature based malware detection on mobile devices. Mobile Information Systems, 4(1), 33–49.
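The behavior-blocking rules of Task 2 (formatting a disk, moving a file into the operating system folders) applied to a JoeBox-style activity log of the kind described in Task 3, as an added example that is not part of the paper. The log format and every log line are constructed for illustration; no real sandbox emits exactly this.

```python
"""Added example: behavior rules evaluated over a constructed sandbox activity log.
The "<pid> <action> <target>" format and all lines below are invented placeholders."""
from collections import namedtuple

Event = namedtuple("Event", "pid action target")

# Constructed log: one recorded action per line (registry, system, file system).
SAMPLE_LOG = """\
1204 file_create C:\\Users\\lab\\Downloads\\invoice.exe
1204 registry_set HKCU\\Software\\Constructed\\Setting
1204 file_move C:\\Windows\\helper.exe
1204 device_ioctl \\\\.\\PhysicalDrive0:FORMAT
3310 file_create C:\\Users\\lab\\Documents\\notes.txt
this line is malformed
"""

OS_FOLDERS = ("c:\\windows\\",)  # "moving a file into the operating system folders"


def parse_log(text):
    """Turn the raw log into Event records, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip rather than abort: a bad line must not hide the rest
        pid, action, target = parts
        events.append(Event(int(pid), action, target))
    return events


def rule_os_folder_write(ev):
    """Program writes or moves a file into an OS folder."""
    return ev.action in ("file_move", "file_create") and ev.target.lower().startswith(OS_FOLDERS)


def rule_disk_format(ev):
    """Program issues a format request against a physical drive."""
    return ev.action == "device_ioctl" and ev.target.upper().endswith(":FORMAT")


RULES = {"moves file into OS folder": rule_os_folder_write,
         "attempts to format a disk": rule_disk_format}


def flagged_pids(events):
    """Return {pid: [rule names]} for processes whose recorded behavior hit a rule.
    Note the paper's caveat: these actions are seen only after they executed, so
    the log must come from an isolated analysis machine, not a production host."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(ev.pid, []).append(name)
    return hits
```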
Investigating Dynamic Malware Analysis tool Research Proposal. Retrieved from https://studentshare.org/information-technology/1656875-investigating-dynamic-malware-analysis-tool