polimd/Computer Security/lesson_19.md

Computer Security - lesson 19

Stefano Zanero

23 June 2016

Antivirus and Anti-malware

Commercial products for antivirus employ signature based detection or heuristics but they never apply behavioral detection that is limited to the research field. This is basically because commercial products are focused on detecting malware and not analyzing its behaviour.

Viruses and Worm stealth techniques.

• Polimorphism is when the virus changes its shape with every infection, for example encrypting the malicious payload every time with a different key. The problem in this case for analyzers is that often signatures recognize the dectyptor code and not the malicious code, so one signature mathes 100s viruses.

• Packing is used by malware to encrypt the code but also used my DRM software.

Rootkits

The word rootkit originally meant the set of software to gain root access and maintain it on a machine.

Userland rootkits would require trojanize lots of utilities that otherwise could be used to detect the attack, like ls, du, netstat...

It is much simpler but more difficult to have a kernel exploit.

For computers it is a very important issue the supply chain, or the fact that you cannot ensure that the vendors of all the components of your computer or the oem vendor haven't compromised your device.