Malware Detection Techniques Description

ONT209
Thread author
Feb 2, 2013
Malware Detection Techniques


Signature Based or Pattern Matching or String or Mask or Fingerprinting Technique

A signature is an algorithm or hash (a number derived from a string of text) that uniquely identifies a specific virus. Depending
on the type of scanner being used, it may be a static hash which, in its simplest form, is a calculated numerical value of a snippet
of code unique to the virus. Or, less commonly, the algorithm may be behavior-based. A single signature may be consistent
among a large number of viruses. A virus signature is the viral code. To identify viruses and other malware, antivirus software
compares the contents of a file to a dictionary of virus signatures.

Heuristic Analysis or Pro-Active Defense

Heuristic scanning is similar to signature scanning, except that instead of looking for specific signatures, heuristic scanning
looks for certain instructions or commands within a program that are not found in typical application programs. As a result, a
heuristic engine is able to detect potentially malicious functionality in new, previously unexamined code, such as the
replication mechanism of a virus, the distribution routine of a worm or the payload of a Trojan.

Here are a few of the common heuristic scanning techniques:

File Emulation or Sandbox or Dynamic:

Also known as “sandbox testing” or dynamic scanning, file emulation allows the file to run in a controlled virtual system (or
“sandbox”) to see what it does. If the file acts like a virus, it’s deemed a virus.

File Analysis or Rule Based:

File analysis involves the software taking an in-depth look at the file and trying to determine its intent, destination, and purpose.
Perhaps the file has instructions to delete certain files, and should be considered a virus.

Weight Based

A weight-based heuristic engine, a rather old-fashioned approach, rates each functionality it detects with a certain weight
according to the degree of danger it may pose. If the sum of those weights reaches a certain threshold, an alarm can be
triggered.

Rule Based

Nearly all heuristic approaches in use today implement rule-based systems. This means that the component of the heuristic
engine that conducts the analysis (the analyzer) extracts certain rules from a file, and these rules are compared against a set of
rules for malicious code. If a rule matches, an alarm can be triggered.

Generic Signature Detection

This technique is particularly designed to locate variations of viruses. Several viruses are re-created and make themselves known
by a variety of names, but essentially come from the same family (or classification). Generic detection uses previous antivirus
definitions to locate these similar “cousins” even if they use a slightly different name or include some unusual characters. The
best way to illustrate this idea is with identical twins: they may have slightly different fingerprints, but their DNA is identical.

Heuristic detection is an effective way to locate unknown threats for the most up-to-date real-time protection, but there are
downsides. Obviously this sort of scanning and analysis can take some time, which may slow down system performance.
The main concern with heuristic detection is that it often increases false positives. A false positive is when the antivirus
software determines a file is malicious (and quarantines or deletes it) when in reality it is perfectly fine and/or desired. Because
some files may look like viruses but really aren’t, they are restricted and stopped from working on your computer.

Behavioral Blocking

The suspicious behavior approach, by contrast, does not attempt to identify known viruses, but instead monitors the behavior
of all programs. It involves behavior-based heuristics and generic detections. If one program tries to write data to an
executable program, for example, the antivirus software can flag this suspicious behavior, alert the user, and ask what to do.
Unlike the signature-based approach, the suspicious behavior approach therefore provides protection against brand-new viruses
that do not yet exist in any virus dictionary. However, it can also sound a large number of false positives.

In recent years, however, sophisticated behavior analysis has emerged, which analyzes processes and calls to the kernel in
context before making a decision, which gives it a lower false positive rate than rule-based behavior monitoring.

Unlike heuristics or fingerprint-based scanners, behavior blocking software integrates with the operating system of the host
computer and monitors program behavior in real time for malicious actions. The behavior blocking software then blocks
potentially malicious actions before they have a chance to affect the system. Monitored behaviors can include:

1) Attempts to open, view, delete, and/or modify files;
2) Attempts to format disk drives and other unrecoverable disk operations;
3) Modifications to the logic of executable files, scripts or macros;
4) Modification of critical system settings, such as start-up settings;
5) Scripting of e-mail and instant messaging clients to send executable content; and,
6) Initiation of network communications.

If the behavior blocker detects that a program is initiating would-be malicious behaviors as it runs, it can block these behaviors
in real time and/or terminate the offending software. This gives it a fundamental advantage over established anti-virus
detection techniques such as fingerprinting or heuristics. While there are literally trillions of different ways to obfuscate and
rearrange the instructions of a virus or worm, many of which will evade detection by a fingerprint scanner or heuristic,
eventually malicious code must make a well-defined request to the operating system. Given that the behavior blocker can
intercept all such requests, it can identify and block malicious actions regardless of how obfuscated the program logic appears
to be.

Kindly rectify me, if I am wrong.
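The three static techniques described in the post (an exact hash signature, a family pattern or mask that also catches renamed "cousins", and a weight-based rule engine with a threshold) as one small scanner. This is an added example, not code from the original post or from any product; the "files" are constructed byte strings and the API names stand in for what a real scanner would find in a binary's import table.

```python
import hashlib
import re

# Everything below is constructed for illustration: the "file" is a byte
# string, and the API names stand in for what a real scanner would find
# in a binary's import table or disassembly.
KNOWN_SAMPLE = b"MZ\x90\x00 EVIL_PAYLOAD_V1 DeleteFile CreateRemoteThread"

# 1) Static hash signature: identifies exactly one known file.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Demo.Virus.A"}

# 2) Pattern (mask) signature shared by a whole family, so a renamed or
#    lightly modified "cousin" is still caught (generic detection).
PATTERN_SIGNATURES = [(re.compile(rb"EVIL_PAYLOAD_V\d"), "Demo.Virus.Family")]

# 3) Weight-based heuristic: each dangerous capability is a rule with a
#    weight; the file is flagged only when the summed weight reaches the threshold.
HEURISTIC_RULES = [
    (re.compile(rb"DeleteFile"), 2, "deletes files"),
    (re.compile(rb"WriteProcessMemory"), 3, "writes into another process"),
    (re.compile(rb"CreateRemoteThread"), 3, "starts a thread in another process"),
    (re.compile(rb"HKLM\\.*\\Run"), 2, "modifies a start-up setting"),
]
HEURISTIC_THRESHOLD = 5


def scan(data: bytes) -> dict:
    """Try exact hash, then family pattern, then weighted heuristics."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return {"verdict": "malicious", "method": "hash", "name": HASH_SIGNATURES[digest]}
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(data):
            return {"verdict": "malicious", "method": "pattern", "name": name}
    score, reasons = 0, []
    for pattern, weight, reason in HEURISTIC_RULES:
        if pattern.search(data):
            score += weight
            reasons.append(reason)
    if score >= HEURISTIC_THRESHOLD:
        return {"verdict": "suspicious", "method": "heuristic",
                "score": score, "reasons": reasons}
    # Below the threshold: a file may show one risky capability and still pass,
    # which is how a weighted scheme keeps false positives down.
    return {"verdict": "clean", "method": None, "score": score, "reasons": reasons}
```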
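The behavior blocking section above, as an added example (not code from the post or from any product): a monitor that intercepts a constructed stream of operating-system requests, blocks the ones matching the listed behaviors, uses process context (an assumed set of trusted executable writers) to avoid the linker-writes-an-exe false positive, and terminates a repeat offender.

```python
from dataclasses import dataclass

# Constructed event stream: the requests a behavior blocker sees when it
# intercepts a program's calls into the operating system.
@dataclass
class Event:
    process: str
    action: str      # "write", "format", "wipe_mbr", "set_autorun", "net_connect", ...
    target: str = ""

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".bat", ".vbs")
# Context that a plain rule-based monitor would lack: processes whose job is
# to write executables (linker, installer), assumed trusted for this example.
TRUSTED_WRITERS = {"link.exe", "setup.exe"}

# Each rule returns a reason when the request is one the blocker stops.
def rule_write_to_executable(e):
    if (e.action == "write" and e.target.lower().endswith(EXECUTABLE_SUFFIXES)
            and e.process not in TRUSTED_WRITERS):
        return "writes data to an executable program"

def rule_unrecoverable_disk_op(e):
    if e.action in ("format", "wipe_mbr"):
        return "unrecoverable disk operation"

def rule_startup_modification(e):
    if e.action == "set_autorun":
        return "modifies start-up settings"

RULES = [rule_write_to_executable, rule_unrecoverable_disk_op, rule_startup_modification]


def run_blocker(events, terminate_after=2):
    """Block each matching request; terminate a process after N blocked requests."""
    blocks, terminated, decisions = {}, set(), []
    for e in events:
        if e.process in terminated:
            decisions.append((e.process, e.action, "terminated"))
            continue
        reasons = [r for r in (rule(e) for rule in RULES) if r]
        if not reasons:
            decisions.append((e.process, e.action, "allowed"))
            continue
        blocks[e.process] = blocks.get(e.process, 0) + 1
        verdict = "blocked: " + "; ".join(reasons)
        if blocks[e.process] >= terminate_after:
            terminated.add(e.process)   # repeat offender: stop the program itself
            verdict = "terminated after " + verdict
        decisions.append((e.process, e.action, verdict))
    return decisions
```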