- (pdf) computer virus and protection methods using lab analysis
- 2021: microsoft security essentials is recognized one of the worst antiviruses
- 2021: two thirds of antiviruses for android were useless
- Analysis of checksums
- Behavioural analysis
- Classification of antiviruses
- Classification of antiviruses by an operation mode
- Heuristic analysis
- How antivirus software works
- Rules of prevention of infection of computers
- Technologies of the probabilistic analysis
- Technologies of the signature analysis
- Technologies of virus detection
- Virus vs. antivirus – презентация, доклад, проект
- Why traditional antiviruses do not cope
(pdf) computer virus and protection methods using lab analysis
them from different viruses the hidden Trojan software uses
different methods and it is still not enough to say that they are fully
protected.
C.Anti-Virus Programs
There are number of anti-virus programs that detect, block and
delete any malicious programs that are running in the systems.
There are four mechanism and techniques that are being used by
anti-virus softwares which are: (i) Signature based detection (ii)
Heuristic-based detection (iii) Behavioral based detection and (iv)
Cloud-based detection.
1)Signature based detection: Signature based detection is an
essential technique of the anti-virus programs. This method
operates on matching of fingerprints to the file with the
signature of the virus; signature is a series of bytes in the file.
Although this technique has drawbacks like it cannot flag the
malicious file if the signature of the new virus is not created
yet, it is still more promising than other ones in the market.
2)Heuristic-based detection:In this technique anti-virus
programs operate by examining the static file for any
suspicious characteristics without an exact signature match.
This technique may also flag a legitimate file as malicious.
3)Behavioural-based detection:Behavioural-base detection
works by observing suspicious behaviours of the file. This
method operates by executing and unpacking the malcode and
it listens to the keystrokes etc., this technique give anti-virus
program the ability to detect any malicious program in the
computer system [6].
4)Cloud-based detection:Cloud-based techniques identify
malwares by collecting data from different protected
computers and analyzes all the data on the provider’s systems
and sends results to the clients’ system. The decision is made
on the clients’ local system by analyzing the characteristics
and behavioristics of the client [6].
II.MATERIALS &METHOD
For this research a pragmatic approach was used to get
the required results, and techniques like qualitative method is
used to extract informationabout the computer viruses and
their source codes to analyze and know, how a basic
computer virus works and the basic components of virus
operate [7]. This will lead the research from the very basic
mechanism of the computer virus to the one of the advanced
and sophisticated virus codes which can trick an anti-virus
and disable its functionalities [8]. This also shows what tools
a hacker can use to extract interesting data from the victim’s
machine. After getting the required information it was
applied to those codes to compile it as a working computer
virus. A test computer virus was created to study the working
of a virus where it demonstrates destructive and non-
destructive behaviours. This paper has also studied the
possible defend mechanisms and techniques to prevent such
infection to our computer systems.
Test environment
In our test environment we used virtual machines to
perform our testing, weused different software’s to create
viruses that gave us options to select the type of virus and
payloads we want to use, in our scenario, and we used the
following software tools,
Virus construction tools(i) Virus maker, (ii) JPS virus making
tool, (iii) Internet worm maker thing
In this testing, we created a virus by choosing the specific
payloads and functions and saved iton the test computer, which
was ready to invade computers by just sending them to the target
machine. The purpose of these tests is to observe the operations of
different anti-virus programs to assess if they are able to detect and
block such threat and if yes, then what will be the ratio ofthis
success.
Virus payload Trigger mechanism:
Viruses can use different trigger mechanisms to launch their
attacks on the system or perform any task, if there are a number of
triggering mechanisms, such as, (i) The counter trigger (ii)
Keystroke counter, (iii) Time trigger, and (iv) The system parameter
trigger. There are number of other logics that are used in the
viruses to perform any required task, few of the logical payloads are
1) Date, 2) Time, 3) Disk, 4) space, 5) Country, 6) Video mode, 7)
BIOS, 8) ROM version, 9) Keyboard status, 10) Anti-Virus search,
11) Processor check, 12) Null trigger, 13) Logic bomb, 14) Brute
force attack, 15) Halt the machine, 16) Start making noises, 17)
Fool the video display, 18) Disk Attacker, 19) Damaging hardware,
20) Disk Failure, 21) CMOS battery failure, 22) Monitor Failure, 23)
Keyboard Failure, 24) Stealth Attack, 25) Indirect Attack.
To analyze the virus, we used IDA and ollyDbg software which
provide the result in order to study the ability and structure of a
computer virus.
Creation of computer virus
To create a virus to test these environment JPS virus maker 3.0
was used, which providesthe number options to select the
payloads. In this scenario the most basic payload was selected like
to mute the computer sound. Other payloads were also tested on the
system.
Analysing Virus
Analyzing computer virus is always a bigger task and it requires
some expertise [9]. Here IDA and ollyDbg were used for analyzing
our virus.
Figure 8. JPS Virus Maker GUI for designing our test virus.
884
§
2021: microsoft security essentials is recognized one of the worst antiviruses
In October, 2021 the German anti-virus laboratory AV-Test published results of complex testing of antiviruses. According to a research, honor the corporate software of Microsoft intended for protection against harmful activity most worse copes with the duties.
Based on the tests which are carried out in July-August, 2021, experts of AV-Test called the best antivirus for Windows 7the solution Kaspersky Internet Security which got 18 points at assessment of level of protection, performance and convenience of using.
Top three included the Trend Micro Internet Security and Bitdefender Internet Security programs which earned 17.5 points. It is possible to learn about provision of products of other anti-virus companies which got to a research from illustrations below:
Specialists awarded Microsoft Security Essentials only 13.5 points. It is more only, than at Comodo Internet Security. The product of Microsoft had the smallest an indicator regarding convenience of work and one of the lowest according to protection level.
Comodo got only 1.5 points for performance, so the product has a serious impact on high-speed performance of a system and considerably slows down work of Windows 7.
2021: two thirds of antiviruses for android were useless
In March, 2021 the Austrian laboratory AV-Comparatives specializing in testing of anti-virus software published results of a research which showed uselessness the majority of similar programs for Android.
Only 23 antiviruses, placed in the official Google Play Store directory, precisely will recognize malware in 100% of cases. Other software or does not react to mobile threats, or adopts for them absolutely safe annexes.
Specialists studied 250 antiviruses and reported that only 80% from them can reveal more than 30% of malwares. Thus, 170 applications failed the test. The number of products which coped with tests included generally solutions of large producers, including Avast, Bitdefender, ESET, F-Secure, G-Data, Kaspersky Lab, McAfee, Sophos, Symantec, Tencent, Trend Micro and Trustwave.
Within the experiment researchers installed each anti-virus application on the separate device (without emulator) and automated devices on start of the browser, loading and the subsequent installation of the malware. Each device was tested on the example of 2 thousand by Android viruses most distributed in 2021.
According to AV-Comparatives calculations, the majority of anti-virus solutions for Android are counterfeits. Tens of appendices are had almost identical interface, and their creators are interested in advertizing demonstration obviously more, than in writing of the working virus scanner.
Some antiviruses “see” threat in any application which is not entered in their “white list”. Because of it they, in a row absolutely incredible things, gave the alarm because of own files as developers forgot to mention them in “white list”.[1]
Analysis of checksums
The analysis of checksums is a method of change tracking in objects of a computer system. On the basis of the analysis of nature of changes – simultaneity, mass character, identical changes of lengths of files – it is possible to draw a conclusion about system infection.
Analyzers of checksums (the name auditors of changes is also used) as well as behavioural analyzers do not use additional objects in work and issue a verdict about presence of a virus in a system only by method of expert evaluation. Similar technologies are applied in scanners at access – at the first check from the file checksum is withdrawn and is located in a cache, before the following verification of the same file the sum is withdrawn once again, compared, and in case of lack of changes the file is considered not infected.
Behavioural analysis
The behavioural analysis – technology in which the decision on the nature of the checked object is made on the basis of the analysis of the transactions executed by it. We will very narrowly put the behavioural analysis into practice as the majority of the actions characteristic of viruses, can be executed also by normal applications.
Classification of antiviruses
Now there is no single system of classification of an anti-virus software.
Classification of antiviruses by an operation mode
The Kaspersky Lab classifies antiviruses by an operation mode:
Check in real time
Heuristic analysis
The heuristic analysis – the technology based on probabilistic algorithms of which work identification of suspicious objects is result. In the course of the heuristic analysis the structure of the file, its compliance to virus templates is checked. The most popular heuristic technology is check of contents of the file regarding existence of modifications of already known signatures of viruses and their combinations. It helps to define hybrids and new versions of earlier known viruses without additional updating of anti-virus base.
The heuristic analysis is applied to detection of unknown viruses, and, as a result, does not assume treatment. This technology is not capable of 100% to define a virus before it or not and as any probabilistic algorithm sins with false operations.
How antivirus software works
Antivirus software typically runs as a background process, scanning computers, servers or mobile devices to detect and restrict the spread of malware. Many antivirus software programs include real-time threat detection and protection to guard against potential vulnerabilities as they happen, as well as system scans that monitor device and system files looking for possible risks.
Antivirus software usually performs these basic functions:
In order to scan systems comprehensively, antivirus software must generally be given privileged access to the entire system. This makes antivirus software itself a common target for attackers, and researchers have discovered remote code execution and other serious vulnerabilities in antivirus software products in recent years.
Rules of prevention of infection of computers
- Never to open investments in letters from strangers or the organizations.
- In the operating system to include display of expansions of files.
- It is obligatory to check expansions of the attached files even if the letter came from the famous sender. If the name of the attached file comes to an end on “dangerous” expansions – at all not to open them. Ask the sender to send files in other format.
- To timely set updates of the operating system and application programs.
- Install a license anti-virus software on the computer and monitor that bases of signatures of viruses were regularly updated.
Technologies of the probabilistic analysis
Technologies of the probabilistic analysis are in turn subdivided into three categories:
- Heuristic analysis
- Behavioural analysis
- Analysis of checksums
Technologies of the signature analysis
The signature analysis – the virus detection method consisting in verification of presence in files of signatures of viruses.
The signature analysis is the most known method of virus detection and is used practically in all modern antiviruses. A set of virus signatures which is stored in anti-virus base is necessary for an antivirus for conducting check.
In view of the fact that the signature analysis assumes verification of files on existence of signatures of viruses, the anti-virus base needs periodic updating for maintenance of relevance of an antivirus. The principle of work of the signature analysis also defines limits of its functionality – an opportunity to detect only already known viruses – against new viruses the signature scanner is powerless.
On the other hand, existence of signatures of viruses assumes a possibility of treatment of the infected files detected by means of the signature analysis. However, treatment is admissible not for all viruses – trojans and the majority of worms do not respond to treatment on the design features as are the integral modules created for causing damage.
Competent implementation of a virus signature allows to detect the known viruses with absolute probability.
Technologies of virus detection
The technologies applied in antiviruses can be broken into two groups:
- Technologies of the signature analysis
- Technologies of the probabilistic analysis
Virus vs. antivirus – презентация, доклад, проект
Why traditional antiviruses do not cope
The modern malicious code can:
- Target creation under the company
- Polymorphism
- Unknown yet to anybody the code – is not present a signature
It is difficult to be protected