Intrusion Detection - Malware, Virus, Antivirus, Antivirus Technology

Table of contents

1. What is Malware? 

2. What are the characteristics of malware? 

3. What types can malware be divided into?

3.1.1 Classified according to the mode of transmission:

3.1.2 Classified by function:

4. What anti-virus techniques are available for malware?

5. What are the anti-virus technologies? 

5.1 Stand-alone anti-virus

5.2 Gateway Anti-Virus

6. What is the working principle of the anti-virus gateway? 

7. What is the working process of the anti-virus gateway? 

8. What is the configuration process of the anti-virus gateway?


1. What is Malware? 

Malware (malicious software) refers to software designed to carry out malicious activities against computer systems, networks or individual users. It exists in many forms, including viruses, worms, Trojan horses, spyware, adware, ransomware and more, and can damage a system by destroying data, stealing personal information, taking control of the computer, encrypting files and so on. Malware usually spreads through email attachments, downloaded files, infected links and similar channels. To protect computers and personal information, users should keep anti-virus software up to date, avoid opening unexpected email attachments, avoid downloading files from unknown sources, and apply the latest patches for operating systems and applications.

2. What are the characteristics of malware? 

After a virus infects a system it modifies and damages the system in various ways. Sometimes the infected system shows abnormal symptoms such as web pages popping up, high CPU usage, windows opening or closing by themselves, and certain processes being terminated automatically.

(1) Download feature

Many Trojan horses, backdoors and spyware programs automatically connect to a website on the Internet to download other virus files, or updated versions and other variants of themselves.

(2) Backdoor features

  • Backdoor programs, and many Trojan horses, worms and spyware, open and listen on a port in the infected system, allowing remote malicious users to control the system;

  • In some cases the virus automatically connects to a channel on an IRC server, so that specific malicious users in that channel can remotely access the infected computer.

(3) Information collection characteristics

  • QQ password and chat history

  • Online game account password

  • Online banking account password

  • User web browsing records and surfing habits

(4) Self-hidden features

Most viruses set the attributes of their own files to "hidden", "system" and "read-only", which makes them harder to notice and find.

(5) File infection characteristics

  • Viruses insert malicious code into normal executable files in the system, either damaging those files so they can no longer run, or turning them into carriers of the virus body;

  • Some file viruses infect other types of files on the system.

  • WannaCry is a typical file-type virus. It consists of two parts: a worm part, which uses the "Eternal Blue" vulnerability in Windows to spread over the network, and a ransomware part. When a computer is infected with WannaCry, the ransomware part is installed automatically and encrypts many types of files on the computer, including audio, images and documents, and at the same time pops up a ransom note demanding payment.

(6) Characteristics of network attacks

  • Trojan horses and worms can modify a computer's network settings so that it can no longer access the network;

  • Trojan horses and worms can also attack other computers on the network, sending large numbers of packets to congest the network, and can even deceive other computers by broadcasting packets with a false gateway address, paralyzing the entire network.

  • The Lovebug virus is a worm that spreads through the Windows Outlook mail system. It disguises itself as a love letter and sets the mail subject to "I LOVE YOU" to lure victims into opening it, hence the name. Once running, it quickly finds 50 contacts in the mailbox address book and sends itself to them.

3. What types can malware be divided into?

3.1.1 Classified according to the mode of transmission:

(1) Viruses:

A virus is a program that depends on the hardware and operating system and has the ability to infect and destroy; both abilities follow from the structure of the virus program. The host program attacked by the virus is the virus's habitat, the destination of its transmission, and the starting point of the next infection.

The general process of computer virus infection is as follows: when the computer runs the infected host program, the virus seizes control, finds an opening for infection, and embeds the virus program into the target. This is very similar to how a biological virus spreads: the virus parasitizes the host program, enters the computer, and relies on the operating system and the host program running to replicate itself in large numbers.

Virus infection targets include the hard disk system allocation table sector (the master boot sector; chosen because it is very well hidden), the hard disk boot sector, the floppy disk boot sector, executable files (.exe), command files (.com), overlay files (.ovl), and the COMMAND, IBMBIO and IBMDOS files.

Main mode of transmission: infection file transmission

Virus = normal file + malicious code

Example: "Panda Burning Incense" is a virus that spreads automatically, infects hard disks and has powerful destructive capabilities. It can infect exe, com, pif, src, html, asp and other files in the system, and it can also stop a large number of anti-virus software processes and delete files with the extension gho.

(2) Worms:

Worms are malicious code that replicates, spreads and runs across different devices, mainly through the network: a program that infects a computer and copies itself to other computers.

Principle:

Address range: generally intranet addresses

Propagation method: sending attack packets through the network

Note: the name "worm virus" dates from the DOS era: when the virus broke out, a worm-like shape would appear on the screen, randomly swallowing the letters on the screen and rearranging them.

Example: Eternal Blue: on the evening of April 14, 2017, the hacker group Shadow Brokers released a large number of network attack tools, including the "Eternal Blue" tool, which exploits an SMB vulnerability in the Windows system and can obtain the highest privileges on the system.

(3) Trojan horse:

Trojans are installed by attackers through deception, without the user's knowledge. A Trojan horse system generally consists of three parts: the Trojan configuration program, the control program, and the Trojan program itself (the server program).

Principle:

Propagation process:

The hacker uses the Trojan configuration tool to generate a Trojan server program; installs it on the end user's terminal through spam, phishing, worms and other means; uses social engineering or other technical means to get the Trojan to run; the Trojan then steals the user's private information and sends it to the hacker, while also allowing the hacker to control the terminal.

Mode of transmission: bundling with other software, and via web pages

The function of the code embedded in a web page is to open another web page at the same time as the page is opened. That second page may contain a large number of Trojan horses, or it may exist only to defraud traffic.

3.1.2 Classified by function:

(1) Backdoor

Malicious code with full operating rights on the infected device:

  • Typical functions: file management, screen monitoring, keyboard monitoring, video monitoring, command execution, etc.

  • Typical families: Gray Pigeon, PcShare

(2) Ransomware

Extorts a ransom from users by encrypting their files

  • Encryption features:

    • Mainly uses asymmetric encryption

    • Encrypts documents, emails, databases, source code, images and compressed files

  • Typical families: WannaCry, GandCrab, GlobeImposter

  • Other features:

    • Payment via Bitcoin or other virtual currencies

    • Spreads via email and by brute-forcing RDP passwords

(3) Mining

Malicious code that implants mining tools on the infected device and consumes its computing resources to mine for digital currency revenue.

Features:

  • No damage to the data or system of the infected device

  • Possible hardware damage to the device due to heavy consumption of its resources

4. What anti-virus techniques are available for malware?

(1) The principle of file-level evasion:

The ultimate goal of hackers researching Trojan horse protection is to modify a file that would otherwise be detected and removed so that it is no longer detected, while preserving the file's original functionality.

There are many ways to achieve this; the most direct are to stop the anti-virus software, or to make the virus or Trojan "look like" a normal file.

Turning a virus or Trojan horse into a normal file is actually a hard problem for hackers, but once the principle behind one anti-virus product's detection is understood, other anti-virus programs can be bypassed in the same way.

(2) The principle of changing the signature to evade detection:

A signature can be understood as the anti-virus software's blacklist. Hackers obviously cannot remove the Trojan horse from the anti-virus software's blacklist, so they have to change the virus instead. For example, if a Trojan horse called "Gray Pigeon" is on the blacklist, the hackers change it to "White Pigeon" instead! Of course, this is just an illustration; in reality anti-virus software cannot be fooled simply by changing a name.

As far as current anti-virus technology is concerned, changing the signature to evade detection involves two ideas.

The first idea is to change the signature itself, which was the earliest evasion method. For example, if a file contains a string such as "Gray Pigeon went online successfully!" at a certain address, that identifies it as a Trojan horse. Changing the string at that address to something else is enough, and if the string is irrelevant to the program it can simply be deleted.

The second idea targets current checksum-based detection. Its principle is still a signature, but it has moved away from a signature in the pure sense. In fact, the checksum is also calculated over distinctive blocks in the virus file: if the checksum of a certain region of a file matches an entry in the virus database, the anti-virus software raises an alarm. Therefore, to stop the anti-virus software from alarming, it is enough to make some changes to that specific region of the virus so that its checksum changes, which deceives the anti-virus software, as shown in the figure. This is also why locating a signature twice can sometimes give different results.

(3) Junk instructions to evade detection:

A junk instruction (also called a "flower instruction" or garbage instruction) is a meaningless instruction. Whether it is present has no effect on the program's execution result, so its only purpose is to hinder disassembly, or to set obstacles for the disassembler.

This obstacle is also fatal for anti-virus software: if hackers add clever junk instructions, the Trojan horse can easily escape detection.

But why does it affect the judgment of anti-virus software? As seen in the previous discussion, most anti-virus software decides whether a file is malicious by signature. To improve accuracy, current signatures are tied to a certain offset range; otherwise the anti-virus software's efficiency would suffer seriously. However, once hackers add junk instructions to a program, part of the program's offsets change. If the anti-virus software cannot recognize the junk instructions, the offset of the signature it is looking for is shifted as a whole, and the Trojan can no longer be detected normally.

Of course, this only defeats first-generation scanning technology, but even when anti-virus software uses virtual machine analysis, checksum scanning or heuristic analysis, junk instructions still play a role. Different junk instructions have different functions, but the fundamental idea is to disrupt the program's running order and set traps for the analyst (the anti-virus personnel). If junk instructions can keep the software's real code from being disassembled easily, then what the anti-virus software detects is naturally not the real content of the Trojan horse file.

(4) Packing to evade detection:

Simply put, software packing can also be called software encryption (or software compression), but the method and purpose of the encryption (or compression) are different.

Ordinary encryption is meant to stop strangers from accessing our data at will. Packing is different: its purpose is to reduce the size of the packed application, or to prevent the program from being tampered with and abused by criminals, as with the most common shareware. If such software is not protected it will be cracked easily, and nobody will buy a registration code from the author.

Since packed software can still run normally, which parts of the software do these shells actually encrypt? We can start from the word "packing" itself: why is it not called encryption, anti-theft or something else, but packing?

Think of unpacked software as delicious food that too many people want to feast on. So the owner of the food preserves it in a hard case that only he can open, so that nobody else can get at it. When his guests arrive, he can easily open this hard shell for the guests to taste...

The shell above is the protection we add. It does not destroy the program inside: when we run the packed program, the system first runs the program's "shell", the shell gradually restores the encrypted program into memory, and finally the program runs. In this way, from our point of view the packed program seems hardly changed, yet the purpose of encryption has been achieved. That is the role of the shell.

Now look back at the anti-virus software. If it cannot restore the packed file, it naturally cannot understand it: the structure of the encrypted file has changed beyond recognition and the original signature has long since disappeared, so the anti-virus software naturally treats it as a normal file.

From the above three methods we can see that file-level evasion essentially destroys the characteristics of the original program. Whether the signature is modified directly, junk instructions are added, or the file is packed, there is only one final purpose: to scramble or encrypt the data inside the executable file.

(5) Memory-level evasion:

Once file-level evasion methods spread in hacker circles, anti-virus companies moved this game to another level: memory.

Memory has always been a battleground in computer security. From information interception and software cracking to kernel hooks, kernel modification and buffer overflows, the main battlefield is memory, which shows what a complex and unpredictable place it is. Memory is complex because it is generally the last controllable physical storage before data enters the CPU. Here the data is usually in a form the CPU can execute directly, and the packing-based evasion principle mentioned earlier may no longer hold.

The CPU cannot be specially designed for one particular packer, so the packed executable code cannot be read by the CPU as it is. Therefore, when the shell code executes, it must first decrypt the original software, place it in memory, and then hand it to the CPU for execution.

If so, then in theory any encrypted executable data must be decrypted before the CPU executes it, otherwise the CPU cannot execute it. Precisely because of this, anti-virus companies set up a checkpoint here, which catches most viruses and Trojan horses that have been processed with the file-level evasion techniques described above.

In fact, beyond the reason above, anti-virus companies choose to scan memory more for strategic reasons.

A program that is about to be executed is definitely more threatening than a program that is not executed. No matter how powerful a virus or Trojan horse is, as long as it can be guaranteed never to execute, it is at most a junk file on the user's computer and poses no threat to the user or the network.

But how do hackers fight memory scanning? The approach is the same as for file scanning, because the memory scanning principle of anti-virus software is the same as scanning files on the hard disk: both compare signatures. Memory scanning and file scanning do not use the same set of signatures, however, so a virus or Trojan has two sets of signatures at once, and both must be destroyed to escape the anti-virus software.

Therefore, apart from packing, hackers' basic approach against anti-virus software has not changed. As for packing, as long as a "violent" shell that confuses the program's original code is added, the anti-virus software can still be evaded.

(6) Behavior-level evasion:

When file scanning and memory scanning failed one after another, anti-virus vendors proposed the concept of behavioral scanning. From the earliest "file firewall" and the later "active defense" to today's "cloud scanning", behavioral detection technology has been applied throughout.

How do hackers defeat behavioral detection? We all know that the reason an application is called a virus or Trojan horse is that its behavior after execution differs from that of normal software.

Therefore, since behavioral scanning was adopted by most anti-virus companies in 2007, the bar for hacker evasion technology has been raised to the highest level.

Anti-virus companies have taken this game to the deepest level of the software field, the bottom layer of the system, which has led to explosive growth in the high-tech knowledge hackers need to master and has kept many of them out.

However, when behavioral detection first emerged, the active defense modules of many anti-virus products were not tightly controlled and the technology applied was not advanced, which led to the appearance of a large number of kernel-level virus Trojans. As the technology gradually matured, the offensive and defensive sides finally became evenly matched, and anti-virus companies benefited from the first-mover advantage that holds in the computer field, putting hackers on the defensive from then on.

As a result, hacker evasion technology has developed to the present with a trend of moving closer to the field of penetration and intrusion. Hackers call methods of evading active defense "0 day", and more and more Trojans choose to use local buffer overflows and other attack methods to break through active defense.

But anti-virus enthusiasts should not be complacent. Any technology in the hacking field has always walked on the two legs of ideas and technique, and anti-virus technology is no exception. Beginners in hacking techniques still come up with many methods that effectively break through current active defense and cloud scanning.

5. What are the anti-virus technologies? 

5.1 Stand-alone anti-virus

Anti-virus software detects and removes viruses mainly through engine technologies such as the following mainstream ones:

  • Signature technology

    • Anti-virus software has a virus signature library containing the signatures of many viruses. A signature is a distinctive code fragment extracted from virus samples that differs from normal programs. The scanned data is compared with the signature library, and if it matches an entry the scanned data is considered a virus.

  • Behavior scanning technology

    • When a virus runs it shows characteristic behaviors, such as adding files with special suffixes to the system or monitoring user behavior. When the scanned program is found to exhibit these characteristic behaviors, it is considered a virus.

5.2 Gateway Anti-Virus

In the following situations, anti-virus features are usually used to ensure network security:

  • Intranet users can access the Internet and often need to download files from it.

  • Servers deployed on the intranet often receive files uploaded by users on the external network.

As a gateway device, the FW isolates the internal and external networks, and the internal network includes user PCs and servers. Intranet users can download files from the extranet, and extranet users can upload files to the intranet server. To ensure the security of files received by intranet users and servers, you need to configure the antivirus function on the FW.

6. What is the working principle of the anti-virus gateway? 

  • First-packet detection technology

    • The gateway judges whether a file is a virus by extracting the header characteristics of PE files (Portable Executable, the executable format on Windows, including exe, dll, sys, etc.). It extracts the PE header data, which usually contains some special operations, uses a hash algorithm to generate a signature of the file header, and compares it with the anti-virus first-packet rule signatures; if they match, the file is judged to be a virus.

  • Heuristic detection technology

    • Heuristic detection means that during anti-virus detection of a transferred file, the file's program is found to carry potential risks and is very likely to be a virus. For example, file packing (such as encryption to change the signature data and evade scanning): when such behaviors inconsistent with normal files reach a certain threshold, the file is considered a virus.

    • Heuristics rely on "self-learning ability", using experience to judge a file with abnormal behavior as a virus, much as a programmer would.

    • The response action of heuristic detection is the same as that of virus detection for the corresponding protocol. Heuristic detection improves the security of the network environment and eliminates security risks, but it reduces virus detection performance and carries a risk of false positives, so the system disables it by default.

    • Enable the virus heuristic detection function: heuristic-detect enable.

  • File reputation detection technology

    • File reputation detection calculates the MD5 of the whole file and matches the MD5 value against the file reputation signature database. The file reputation signature library contains the MD5 values of a large number of well-known virus files. For file reputation detection, Huawei relies mainly on static updates of the file reputation library and on a dynamic cache learned through linkage with the sandbox.

    • File reputation detection depends on sandbox linkage or the file reputation library.
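As an added illustration (not from the original post and not Huawei's product code), the following Python models the three detection stages above on constructed PE-shaped byte strings: hashing the PE header region for the first-packet rule, matching the whole-file MD5 against a reputation set, and an entropy-based packing heuristic that is off by default, as the page says. The 64-byte header length, the SHA-256 header hash, the 7.0 entropy threshold and all sample bytes are assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

HEADER_LEN = 64          # assumed size of the header region hashed for the first-packet rule
ENTROPY_THRESHOLD = 7.0  # assumed heuristic threshold: uniform bytes score close to 8.0


def build_sample_pe(payload: bytes, pe_offset: int = 0x40) -> bytes:
    """Build a constructed PE-shaped blob: DOS header starting with 'MZ', the
    e_lfanew field at offset 0x3C pointing at the 'PE\\0\\0' signature, then payload."""
    dos = bytearray(b"MZ" + b"\x00" * (pe_offset - 2))
    dos[0x3C:0x40] = struct.pack("<I", pe_offset)
    return bytes(dos) + b"PE\0\0" + payload


# Constructed samples (no real malware): a benign file, a known-bad file, a variant
# of it that shares the header but has a different body, a file known only by its
# full-file MD5, and a "packed" file whose body has a uniform byte distribution.
CLEAN = build_sample_pe(b"\x90" * 32 + b"constructed-benign-stub".ljust(32, b"\x00"))
KNOWN_BAD = build_sample_pe(b"\x90" * 32 + b"constructed-malicious-stub".ljust(32, b"\x00"))
BAD_VARIANT = KNOWN_BAD + b"constructed-appended-tail"
REPUTATION_ONLY = build_sample_pe(b"\xcc" * 32 + b"constructed-second-sample".ljust(32, b"\x00"))
PACKED = build_sample_pe(bytes(range(256)) * 4)


def pe_header_bytes(data: bytes, header_len: int = HEADER_LEN):
    """Return the header region used by first-packet detection, or None if the
    data does not look like a PE file (no 'MZ' or no 'PE\\0\\0' at e_lfanew)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return data[e_lfanew:e_lfanew + header_len]


def first_packet_signature(data: bytes):
    """Hash of the PE header region; compared against the first-packet rule set."""
    hdr = pe_header_bytes(data)
    return None if hdr is None else hashlib.sha256(hdr).hexdigest()


def file_md5(data: bytes) -> str:
    """Full-file MD5 used for the file reputation lookup."""
    return hashlib.md5(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted bodies approach 8.0, plain code is far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed "signature databases": one first-packet rule and one reputation entry.
FIRST_PACKET_RULES = {first_packet_signature(KNOWN_BAD)}
REPUTATION_DB = {file_md5(REPUTATION_ONLY)}


def detect(data: bytes, first_packet_rules=FIRST_PACKET_RULES,
           reputation_db=REPUTATION_DB, heuristic_enabled=False):
    """Run the three stages in order and return (verdict, stage that fired).
    heuristic_enabled defaults to False, mirroring 'heuristic-detect enable'."""
    sig = first_packet_signature(data)
    if sig is not None and sig in first_packet_rules:
        return "virus", "first-packet"
    if file_md5(data) in reputation_db:
        return "virus", "file-reputation"
    if heuristic_enabled and shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "virus", "heuristic"
    return "clean", None


if __name__ == "__main__":
    for name, blob in [("clean", CLEAN), ("variant", BAD_VARIANT),
                       ("reputation-only", REPUTATION_ONLY), ("packed", PACKED)]:
        print(name, detect(blob), detect(blob, heuristic_enabled=True))
```

The variant shows why the header hash is checked first: appending bytes changes the full-file MD5 but not the first-packet signature.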

7. What is the working process of the anti-virus gateway? 

  1. After network traffic enters the intelligent awareness engine, the engine first conducts an in-depth analysis of the traffic to identify the protocol type and file transfer direction of the traffic.
  2. Determine whether the protocol used for the file transfer and the transfer direction support virus detection
    1. The NGFW supports virus detection for files transferred using the following protocols:
      1. FTP (File Transfer Protocol)
      2. HTTP (Hypertext Transfer Protocol)
      3. POP3 (Post Office Protocol - Version 3)
      4. SMTP (Simple Mail Transfer Protocol)
      5. IMAP (Internet Message Access Protocol)
      6. NFS (Network File System)
      7. SMB (Server Message Block): file sharing protocol
    2. The NGFW supports virus detection for files in both transfer directions
      1. Upload: the client sends a file to the server.
      2. Download: the server sends a file to the client.
  3. Determine whether the file hits the whitelist; if it does, the FW does not perform virus detection on it
    1. The whitelist consists of whitelist rules. Administrators can configure whitelist rules for trusted domain names, URLs, IP addresses or IP address segments to improve anti-virus detection efficiency. A whitelist rule is effective only within its own anti-virus configuration file; each anti-virus configuration file has its own whitelist
  4. For domain names and URLs, whitelist rules support the following four matching methods:
    1. Prefix matching: the domain name or URL matches the rule when it begins with the configured host-text or url-text (for example, "example").
    2. Suffix matching: the domain name or URL matches the rule when it ends with the configured host-text or url-text (for example, "example").
    3. Keyword matching: the domain name or URL matches the rule when it contains the configured host-text or url-text (for example, "example").
    4. Exact matching: the domain name or URL must be identical to the host-text or url-text to match the rule
  5. Virus detection
    1. The intelligent awareness engine extracts the features of files eligible for virus detection and matches them against the virus signature database. If there is a match, the file is considered a virus file and is processed according to the response action in the configuration file; if there is no match, the file is allowed through. When the linkage detection function is enabled, files that do not match the virus signature database can also be sent to the sandbox for in-depth detection. If the sandbox finds the file malicious, it sends the file's feature to the FW, which saves it in the linkage detection cache; the next time the malicious file is seen, it is processed according to the response action in the configuration file.
    2. The virus signature database is built by Huawei by analyzing the characteristics of common viruses. The signature library defines the signatures of common viruses and assigns a unique virus ID to each one. After the device loads the virus signature database, it can identify the viruses defined in it. To identify the latest viruses in a timely manner, the virus signature database on the device needs to be updated continuously from the security center platform (sec.huawei.com).
  6. When the NGFW detects that a transferred file is a virus file, it performs the following processing:
    1. It checks whether the virus file hits a virus exception. If it does, the file is allowed through.
    2. Virus exceptions are the virus whitelist. To avoid file transfer failures caused by system false positives and similar reasons, when the user believes a detected virus is a false positive, the corresponding virus ID can be added to the virus exceptions to disable that virus rule. If the detection result hits a virus exception, the response action for the file is release.
    3. If it is not a virus exception, it checks whether the virus file hits an application exception. If it does, the file is processed according to the application exception's response action (release, alarm or block).
    4. Application exceptions allow different response actions to be configured for applications than for protocols. Applications are carried on protocols, and multiple applications can be carried on the same protocol.
    5. Because of this relationship between applications and protocols, the following rules apply when configuring response actions:
      • If only the protocol's response action is configured, all applications carried on the protocol inherit the protocol's response action.
      • If both the protocol and the application have response actions configured, the application's response action prevails.
    6. If the virus file hits neither a virus exception nor an application exception, it is processed according to the response action configured for the protocol and transfer direction.
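As an added example (not from the original post and not Huawei's product code), this Python models the decision flow of steps 1 to 6 above: the protocol and direction check, the four whitelist matching methods, the signature lookup with a sandbox linkage cache, and then virus exception, application exception and protocol action with the inheritance rule. The class names, the constructed MD5 strings and virus IDs, and the "alert" fallback when no protocol action is configured are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Protocols and directions the gateway inspects (from the list above).
SUPPORTED_PROTOCOLS = {"FTP", "HTTP", "POP3", "SMTP", "IMAP", "NFS", "SMB"}
DIRECTIONS = {"upload", "download"}
DEFAULT_ACTION = "alert"  # assumed fallback when no action is configured for a protocol/direction


@dataclass
class WhitelistRule:
    kind: str  # "host" for domain names, "url" for URLs
    mode: str  # "prefix", "suffix", "keyword" or "exact"
    text: str  # the configured host-text / url-text

    def matches(self, value: str) -> bool:
        value, text = value.lower(), self.text.lower()
        if self.mode == "prefix":
            return value.startswith(text)
        if self.mode == "suffix":
            return value.endswith(text)
        if self.mode == "keyword":
            return text in value
        if self.mode == "exact":
            return value == text
        raise ValueError(f"unknown match mode {self.mode!r}")


@dataclass
class FileTransfer:
    protocol: str
    direction: str
    application: str   # application carried on the protocol
    host: str = ""
    url: str = ""
    md5: str = ""      # full-file MD5 (constructed strings in the samples below)


@dataclass
class AvProfile:
    """One anti-virus configuration file: its own whitelist, exceptions and actions."""
    whitelist: List[WhitelistRule] = field(default_factory=list)
    virus_exceptions: Set[int] = field(default_factory=set)               # virus IDs -> release
    application_exceptions: Dict[str, str] = field(default_factory=dict)  # app -> action
    protocol_actions: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (proto, dir) -> action
    linkage_cache: Dict[str, int] = field(default_factory=dict)  # md5 -> virus ID learned from sandbox

    def whitelisted(self, t: FileTransfer) -> bool:
        for rule in self.whitelist:
            value = t.host if rule.kind == "host" else t.url
            if value and rule.matches(value):
                return True
        return False

    def response_action(self, t: FileTransfer, virus_id: int) -> Tuple[str, str]:
        """Step 6: virus exception, then application exception, then protocol action.
        Applications with no exception inherit the protocol/direction action."""
        if virus_id in self.virus_exceptions:
            return "virus-exception", "allow"
        if t.application in self.application_exceptions:
            return "application-exception", self.application_exceptions[t.application]
        return "protocol-action", self.protocol_actions.get((t.protocol, t.direction), DEFAULT_ACTION)


def inspect(profile: AvProfile, t: FileTransfer, signature_db: Dict[str, int],
            sandbox: Optional[Callable[[str], Optional[int]]] = None) -> Tuple[str, str]:
    """Steps 1-6 for one transferred file. Returns (reason, action)."""
    if t.protocol not in SUPPORTED_PROTOCOLS or t.direction not in DIRECTIONS:
        return "not-inspected", "allow"          # step 2
    if profile.whitelisted(t):
        return "whitelisted", "allow"            # steps 3 and 4
    virus_id = signature_db.get(t.md5)           # step 5: signature database ...
    if virus_id is None:
        virus_id = profile.linkage_cache.get(t.md5)   # ... or features learned from the sandbox
    if virus_id is None:
        if sandbox is not None:                  # linkage: unknown file goes to the sandbox
            verdict = sandbox(t.md5)
            if verdict is not None:              # cache it; the next sighting is actioned
                profile.linkage_cache[t.md5] = verdict
        return "clean", "allow"
    return profile.response_action(t, virus_id)


# Constructed data: fake MD5 strings and virus IDs, and a sandbox stub.
SIGNATURE_DB = {"md5-constructed-sample-a": 1001, "md5-constructed-sample-b": 2002}
PROFILE = AvProfile(
    whitelist=[WhitelistRule("host", "suffix", ".example.com"),
               WhitelistRule("url", "keyword", "/trusted-updates/")],
    virus_exceptions={2002},                               # sample-b is treated as a false positive
    application_exceptions={"constructed-webmail": "alert"},
    protocol_actions={("HTTP", "download"): "block", ("SMB", "upload"): "block"},
)


def fake_sandbox(md5: str) -> Optional[int]:
    """Stand-in for sandbox linkage: flags one constructed hash as virus ID 3003."""
    return 3003 if md5 == "md5-constructed-unknown" else None
```

Note the linkage edge case: the first sighting of an unknown file is released while the sandbox runs, and only the cached verdict makes the next sighting hit the protocol action.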

8. What is the configuration process of the anti-virus gateway?

8.1 First, on the firewall, configure an IP address for interface GigabitEthernet 0/0/0 and permit all management services:

[USG6000V1]int gi 0/0/0
[USG6000V1-GigabitEthernet0/0/0]ip add 192.168.159.100 24
[USG6000V1-GigabitEthernet0/0/0]service-manage all permit 

8.2 Enter the IP address in a browser to open the firewall's web management interface

Configure the anti-virus profile:

8.3 Add the anti-virus profile when establishing the routing policy:

Origin blog.csdn.net/qq_68163788/article/details/131989456