Detecting undetectable computer viruses
Reply needed 1 Malware detection techniques are ways that help in identifying and detecting malware for effective countermeasures to be taken against them. These techniques are essential for the safety of computer systems from loss of data. The signature-based technique is one of the methods used to detect malware in a computer system.
Every object in a computer system, including programs, documents, images and others, has attributes that make it unique. These create unique digital fingerprints known as signatures. When algorithms are used, they can go through an object to identify its signature. The signature-based technique is one way in which malware can be identified in a computer system for countermeasures to be taken to prevent loss of data and damage.
When malware is written into a program, document, or image, the signature gets embedded in its code (Cloonan, 2019). The signature-based method then identifies it as malware and the family to which it belongs, but it is mostly used with antivirus programs. In this case, the antivirus program disassembles the code of the infected file. It then searches for a pattern resembling any malware family. This technique can be static, dynamic or hybrid. Its main strength is that it is well known and understood, making it an easy malware detection method.
Reference
Cloonan, J. (2019). Advanced Malware Detection – Signatures vs. Behavior Analysis. Cyber Defense Magazine. Retrieved 1 April 2020, from https://www.cyberdefensemagazine.com/advanced-malware-detection/
Reply needed 2 Signature-based detection is one of the malware detection methods out there. Each file is analyzed, assigned a signature or hash (a unique alphanumeric way to identify malware), and then added to the signature database, where it’s used for comparison in subsequent malware incidents. When a suspicious file is found on a computer running the antivirus (AV) software, the program looks for patterns that may match a known malware family. If a match is made with a known variant, it’s blocked.
Although signature-based IDS can easily detect known attacks, it is difficult to detect new attacks, for which no pattern is available.
Reference:
Axelsson, S. (2000). Intrusion Detection Systems: A Survey and Taxonomy. Retrieved 21 May 2018.
Reply needed 3 While most organizations use an anti-virus and firewall to protect their sensitive information, it is in their best interest to also invest in an Intrusion Detection System (IDS) to detect pre-existing malware. Once malware reaches the network level, an IDS can better prepare the organization to handle the intrusion. For example, an anomaly-based IDS can help establish a baseline of normal traffic. After the baseline is established, the IDS will detect and report any suspicious traffic, such as malware, more quickly. In particular, SNORT can detect port scanning, which is often an indicator of an incoming malware attack (“How SNORT network intrusion detection system can successfully counter malware,” 2018). This same functionality can also be used to prevent a device from becoming a DDoS zombie, as a dedicated port needs to be available before taking over your device (“How SNORT network intrusion detection system can successfully counter malware,” 2018).
A signature-based IDS can also be used. A signature IDS has a library of information about pre-existing malware functions, and if it detects activity similar to a known malware variant, it will send an alert (“How SNORT network intrusion detection system can successfully counter malware,” 2018). An IDS like SNORT can detect malware more efficiently than an antivirus, since signatures for Snort tend to be created more quickly compared to anti-virus companies (“How SNORT network intrusion detection system can successfully counter malware,” 2018). New rulesets typically come out once a week or once a month from providers, while certain providers can even produce new malware signatures daily (“How SNORT network intrusion detection system can successfully counter malware,” 2018). Of course, keeping an IDS updated daily would require a dedicated security team, but it would help detect and possibly delay a devastating attack.
Another option other than SNORT is Sagan. Sagan is an open-source network-based IDS that can run on any *nix operating system such as Linux, FreeBSD, and OpenBSD (“What is Sagan,” n.d.). It is commonly described as “high performance” with the ability to log real-time event analysis by using a multithreaded architecture (“What is Sagan,” n.d.). Additionally, Sagan’s reported strengths include supporting script execution during event detection, log normalization, automatic firewall support through “Snortsam,” and GeoIP alerting and detection (“What is Sagan,” n.d.).
References:
How Snort network intrusion detection system can successfully counter, block, and detect malware. (2018). Retrieved from https://tacticalflex.zendesk.com/hc/en-us/articles/360010598474-How-Snort-Network-Intrusion-Detection-System-Can-Successfully-Counter-Block-and-Detect-Malware
What is Sagan. (n.d.). Retrieved from https://quadrantsec.com/sagan_log_analysis_engine/
Reply 4 needed There are many methods for detecting malware on a computer system; anomaly-based detection is a novel approach. Much virus detection currently works on signature detection, which provides no security against viruses that do not have defined signatures (Venhatachalam, 2010). In anomaly-based detection, different metrics are used to detect odd or abnormal behavior as the indication of a virus (Venhatachalam, 2010). Different metrics can be used to feed anomaly detection, such as network behavior, where things such as traffic volume, protocol, and interaction are examined (Venhatachalam, 2010). For example, if one user on a computer normally works from 0900-1700 on workdays only but traffic is detected from that IP address over the weekend using protocols not usually seen from that user, this would likely trigger network-based anomaly detection. Another benefit of anomaly detection is that no specific behavior has to be blocked; for example, a system administrator would very often use lots of data in off hours on a business network, but if this falls within normal patterns it would not trigger anomaly-based rules, and there is no need to block after-hours data on a network for all users to try to stop viruses.
Two weaknesses of anomaly-based detection are the amount of time required to establish an accurate baseline, and a higher likelihood of false positives (Venhatachalam, 2010). To compare activities to a system’s normal, the normal must be established, and any major change to that normal will trigger anomaly-based detection. For example, with COVID making most employees work from home, any network anomaly-based detection would likely show many false positives as a standard pattern is disrupted. Also, any virus that could slowly change the system may escape detection by only performing activities below the level of anomaly detection.
Looking into different methods of virus detection will show potential benefits for all of them; given the potential benefits of anomaly-based detection, it should not be ignored.
Matt
References:
Morville, P. (2006). Anomaly detection is the best way to prevent virus, worm attacks. Retrieved from https://www.networkworld.com/article/2309450/anomaly-detection-is-the-best-way-to-prevent-virus–worm-attacks.html
Venhatachalam, S. (2010). Detecting undetectable computer viruses. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.167.1002&rep=rep1&type=pdf
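The weekday/working-hours/protocol scenario from the post above, as an added example that is not part of the original post or the cited paper: a per-host baseline is learned from constructed flow records, and an observation window is checked against it. The log format, the IP addresses and the alert reasons are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed training flows "timestamp,src_ip,protocol": one host, weekdays 09:00-17:00
BASELINE_LOG = """\
2020-03-02T09:15:00,10.0.0.5,HTTPS
2020-03-03T14:05:00,10.0.0.5,SMB
2020-03-04T16:30:00,10.0.0.5,HTTPS
2020-03-06T10:10:00,10.0.0.5,HTTPS
"""
# Constructed observation window: a weekend IRC flow, a normal Monday flow, an unknown host
OBSERVED_LOG = """\
2020-03-07T22:30:00,10.0.0.5,IRC
2020-03-09T13:00:00,10.0.0.5,HTTPS
2020-03-09T13:00:00,10.0.0.9,HTTPS
"""

def parse_flows(log):
    for line in log.strip().splitlines():
        ts, ip, proto = line.split(",")
        yield datetime.fromisoformat(ts), ip, proto

def build_baseline(log):
    """Per source IP: weekdays seen, [earliest, latest] hour, protocols seen."""
    base = defaultdict(lambda: {"days": set(), "hours": [24, -1], "protos": set()})
    for ts, ip, proto in parse_flows(log):
        prof = base[ip]
        prof["days"].add(ts.weekday())
        prof["hours"] = [min(prof["hours"][0], ts.hour), max(prof["hours"][1], ts.hour)]
        prof["protos"].add(proto)
    return dict(base)

def detect_anomalies(baseline, log):
    """Return [(timestamp, ip, reasons)] for flows that fall outside the host's baseline."""
    alerts = []
    for ts, ip, proto in parse_flows(log):
        reasons, prof = [], baseline.get(ip)
        if prof is None:
            reasons.append("host not in baseline")
        else:
            lo, hi = prof["hours"]
            if ts.weekday() not in prof["days"]:
                reasons.append("unexpected weekday")
            if not lo <= ts.hour <= hi:
                reasons.append("outside usual hours")
            if proto not in prof["protos"]:
                reasons.append("unseen protocol")
        if reasons:  # a flow inside the baseline produces no alert, so nothing is blocked
            alerts.append((ts.isoformat(), ip, reasons))
    return alerts
```

The Monday 13:00 HTTPS flow produces no alert even though that exact hour never appeared in training, which is the point the post makes about not having to block normal after-hours or unusual-but-baseline activity.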
Reply 5 needed The information starts from the top with the email address that the message was sent to. There are also details about when the email was sent, the IP address (74.6.130.122) of the sending server, and when the recipient received the message.
X-Apparently-To: marcellinekameni@yahoo.fr; Sat, 07 Mar 2020 21:12:54 +0000
Return-Path: augustpide@yahoo.com
Authentication-Results: mta1028.mail.ir2.yahoo.com;
dkim=pass (ok) header.i=@yahoo.com header.s=s2048;
spf=pass smtp.mailfrom=@yahoo.com;
dmarc=pass(p=reject sp=NULL dis=none) header.from=yahoo.com;
Received-SPF: pass (domain of yahoo.com designates 74.6.130.122 as permitted sender)
-X-Apparently-To: This shows to whom the message was addressed. The message was received by the recipient_mail_exchanger from sender_mail_server.
-Sat, 07 Mar 2020 21:12:54 +0000: Delivery-Date
Return-Path: The email address which should be used for bounces. The email address for return mail. This is the same as “Reply-To:”
The mail server will send a message to the specified email address if the message cannot be delivered.
-Authentication-Results: Three ways used to authenticate: DKIM, SPF, and DMARC.
-dkim=pass: DKIM is a method to associate a domain name to an email. Furthermore, it allows an organization to check the (cryptographic) signature to ensure untampered transit of the message. Here it ensures the ownership of the message (pass).
-spf=pass: Sender Policy Framework (SPF) is a framework to prevent sender address forgery. SPF is used to describe what mail server is allowed to send messages for a domain.
-dmarc=pass: DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. DMARC is a standard that allows email senders and receivers to determine whether or not a given message is legitimately from the sender, and what to do if it is not. This makes it easier to identify spam and phishing messages, and keep them out of people’s inboxes. This information helps senders improve the mail authentication infrastructure so that all their mail can be authenticated. Here the result is “pass”.
-Received-SPF: It is used to avoid fake email addresses (as sender email address). The system can detect if the mail server, which wants to send a message to the recipient mail-exchanger, is valid for the sender’s email address (domain). The result (Received-SPF) here is “pass”. The validation result is ‘pass’ since the sender_server_domain_name IP address (74.6.130.122) sends emails for the ‘yahoo.com’ domain. If the validation result is ‘fail’, then it is highly likely that someone tried to spoof the sender’s email address and/or content.
The header lines beginning with “Received:” provide a trace of the email from its origin to your mail server. They show the origin along with the list of servers that processed this email before reaching your mailbox. The ‘Received:’ parameter of your email gives you many valuable clues to identify the legitimacy of the source.
(3) The message was sent from the sender’s computer with the IP address (74.6.130.122) to the mail server of the sender.
X-Originating-IP: [74.6.130.122]
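The Authentication-Results and Received-SPF lines walked through above, as an added example that is not part of the original post: a small parser unfolds the header, pulls out the DKIM, SPF and DMARC verdicts and the sender's published DMARC policy, and compares the quoted header against a constructed failing one (the mx.example.net relay, the 203.0.113.7 documentation address and the verdict names are assumptions).

```python
import re
# Header excerpt from the post above, continuation lines indented as RFC 5322 folding requires
HEADERS_FROM_POST = """\
Return-Path: augustpide@yahoo.com
Authentication-Results: mta1028.mail.ir2.yahoo.com;
 dkim=pass (ok) header.i=@yahoo.com header.s=s2048;
 spf=pass smtp.mailfrom=@yahoo.com;
 dmarc=pass(p=reject sp=NULL dis=none) header.from=yahoo.com;
Received-SPF: pass (domain of yahoo.com designates 74.6.130.122 as permitted sender)
"""
# Constructed counter-example: same sender domain, relayed from a host yahoo.com never authorised
HEADERS_SPOOFED = """\
Authentication-Results: mx.example.net;
 dkim=none;
 spf=fail smtp.mailfrom=@yahoo.com;
 dmarc=fail(p=reject sp=NULL dis=reject) header.from=yahoo.com;
Received-SPF: fail (domain of yahoo.com does not designate 203.0.113.7 as permitted sender)
"""
AUTH_RE = re.compile(r"\b(dkim|spf|dmarc)=(\w+)")
SPF_RE = re.compile(r"^(\w+)\b.*?(\d{1,3}(?:\.\d{1,3}){3})")
POLICY_RE = re.compile(r"\bp=(\w+)")

def unfold_headers(raw):
    """Join folded continuation lines; return {lower-case name: value}."""
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            name = name.strip().lower()
            headers[name] = value.strip()
    return headers

def assess(raw):
    """Summarise DKIM/SPF/DMARC results and apply the sender's published DMARC policy."""
    h = unfold_headers(raw)
    auth_field = h.get("authentication-results", "")
    auth = dict(AUTH_RE.findall(auth_field))
    policy = next(iter(POLICY_RE.findall(auth_field)), None)  # p= tag of the DMARC record
    m = SPF_RE.search(h.get("received-spf", ""))
    spf_result, spf_ip = m.groups() if m else ("none", None)
    findings = [f"{k}={auth.get(k, 'missing')}" for k in ("dkim", "spf", "dmarc") if auth.get(k) != "pass"]
    if spf_result != "pass":
        findings.append(f"received-spf={spf_result}")
    if auth.get("dmarc") != "pass" and policy == "reject":  # owner asks receivers to reject
        verdict = "reject"
    else:
        verdict = "review" if findings else "accept"
    return {"verdict": verdict, "findings": findings, "spf_ip": spf_ip, "policy": policy}
```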