THIS IS A BETA VERSION OF THE ARTICLE
Malware & Anti-Virus Architecture
By Cecilia McGuire - MS InfoSec
What you will learn
- DIY Basic Anti-Virus – Visual Basic
- Introduction to Malware Architecture
- Different types of Malware
- Detecting Malware
- Other Countermeasures
What you should know
- Basic Visual Basic Programming
- Basic principles of malware
This Do-it-Yourself guide is a beginner’s “how-to” on malware and antivirus technologies. The scope of malware is vast and dynamic, covering an array of malicious programs such as viruses, Trojan horses, rootkits, spyware, browser hijackers and worms, to name a few. As a consequence, the scope here is limited to some of the fundamental principles of malware and antivirus technologies; where possible, links are provided for readers wishing to learn more. A guide to developing a basic antivirus using Visual Basic 2013 is included to give readers the building blocks they need to create a more advanced, personalised antivirus utility.
Malware (malicious software) is a program designed to interrupt or disrupt a target computer system, steal its data or gain access to it. Common types of malware include viruses, Trojan horses, rootkits, spyware, browser hijackers and worms, among many others. The number of new forms of malware being released continues to grow rapidly, and each malicious program has its own characteristics, designed with the intent to interrupt, fabricate, modify or intercept elements of hardware, software and data. When these programs drop their payload they attack the availability, integrity, authenticity and confidentiality of computers, networks, mobile technologies, servers, etc. (Pfleeger, 2003, p15).
Malware can be composed of up to six main elements (Harris, 2012), although a given program need not contain all of them. The six elements are:
- Insertion: Mechanism which enables it to install itself on the target system
- Avoidance: Mechanisms in place to avoid detection
- Eradication: Removes itself after the payload has been executed
- Replication: The ability to create copies of itself and to propagate to other machines (e.g. Worm)
- Trigger: A trigger event that initiates its payload (e.g. Time and date, mouse click, etc.)
- Payload: Carries out its function (e.g. formats a hard drive, installs a back door, exploits a vulnerability, etc.)
The remainder of this article limits its scope to viruses, as malware as a whole is simply too large a subject to cover here. For more information on malware, see http://www.kaspersky.com/au/internet-security-center/threats/malware-classifications
A virus is malicious code designed to target vulnerable hosts and infect them. Its main objective is to deliver its payload and replicate itself. Viruses form their own category within malware and come in many different designs; what unites them is the ability to self-propagate (Harris, 2012). Stealth viruses, polymorphic viruses, multipartite viruses, script viruses, meme viruses and self-garbling viruses are just a few of the types, far too many to cover in any detail here. To learn more about the architecture of viruses, the link below leads to a glossary covering the different categories of viruses: http://www.virusbtn.com/resources/glossary/metamorphic_virus.xml
Antivirus software detects malicious code using two common methodologies: signature-based detection and heuristic-based detection. Signature-based detection is an effective way to detect known malicious software. The signature is usually based on part of the code extracted from the virus itself. The antivirus software scans files, email messages and other data using specific protocols and compares this data against the signatures stored in its database. When the data matches a signature, the antivirus software carries out a range of actions (depending on its configuration and rules) such as quarantining the file, removing the infected file and logging or warning that the event has occurred. The main challenge with signature-based detection is that it depends on the signature database being current: there is a delay between a new threat appearing and its signature being added to the database. Heuristic detection, by contrast, analyses the assembly of the code, examining its instructions and logic in order to identify whether the software is designed to execute malicious activities. Heuristic detection has the advantage of being able to identify unknown malware, addressing the dependence of signature-based detection on regular database updates.
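To make the distinction concrete, the following is a toy heuristic detector written in Python. It is an added example, not code from the article (whose DIY uses Visual Basic). Instead of looking for a stored signature, it scores a file's raw bytes on static indicators: Shannon entropy, which is high for packed or encrypted payloads, and the presence of strings a benign document rarely contains. The indicator list, weights, thresholds and the sample files built in demo() are all constructed assumptions for illustration.

```python
"""Toy heuristic detector: an added example in Python, not the article's
Visual Basic code. It scores raw file bytes on static indicators rather
than matching a stored signature. Indicator strings, weights, thresholds
and the sample files in demo() are all constructed for this example."""
import math
import random
from collections import Counter

# Strings a benign document rarely contains, with constructed weights.
INDICATORS = {
    b"CreateRemoteThread": 3,  # API pair commonly seen in process injection
    b"WriteProcessMemory": 3,
    b"VirtualAllocEx": 2,
    b"IsDebuggerPresent": 2,   # anti-analysis check
    b"cmd.exe /c": 1,
}
ENTROPY_THRESHOLD = 7.2  # bits per byte; uniformly random data approaches 8.0
ENTROPY_WEIGHT = 3       # packed or encrypted payloads have high entropy
SUSPICIOUS_SCORE = 5     # a sample scoring at or above this is flagged


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_score(data: bytes) -> tuple[int, list[str]]:
    """Return (score, reasons) for a byte string; reasons explain each point."""
    score, reasons = 0, []
    ent = shannon_entropy(data)
    if ent >= ENTROPY_THRESHOLD:
        score += ENTROPY_WEIGHT
        reasons.append(f"high entropy ({ent:.2f} bits/byte)")
    for needle, weight in INDICATORS.items():
        if needle in data:
            score += weight
            reasons.append(f"contains {needle.decode('ascii')!r}")
    return score, reasons


def classify(data: bytes) -> str:
    """'suspicious' when the combined score reaches SUSPICIOUS_SCORE."""
    score, _ = heuristic_score(data)
    return "suspicious" if score >= SUSPICIOUS_SCORE else "clean"


def demo() -> dict[str, str]:
    """Classify four constructed samples (fixed seed, so the result is stable)."""
    rng = random.Random(2014)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for packed data
    samples = {
        "report.txt": b"Quarterly report: revenue grew 4%, headcount steady.\n" * 20,
        "archive.zip": noise,                                  # high entropy only: not flagged
        "dropper.bin": noise + b"\x00IsDebuggerPresent\x00VirtualAllocEx\x00",
        "loader.txt": b"loader using CreateRemoteThread and WriteProcessMemory",
    }
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The constructed samples show the trade-off a heuristic makes: high entropy alone (a legitimate compressed archive) stays below the threshold and is reported clean, while entropy combined with an anti-analysis string crosses it. Lowering the threshold catches more unknown samples at the cost of false positives, which is why heuristic rules are tuned against a corpus of known-good software before deployment.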
Building your own Antivirus
There are many different ways to build your own antivirus application. Now that you have a fundamental understanding of malware and antivirus architecture, this section gives you the basics you need to develop a simple antivirus application and strengthen that knowledge. Production antivirus programs operate at low levels of the operating system and network protocol stacks, and for such work C/C++ is recommended instead.
As explained earlier, antivirus programs detect viruses via signature-based detection and heuristic-based detection. For the purposes of this DIY, we will create an antivirus using signature-based detection, where a simple text file containing virus signatures is compared against the files in a selected directory.
To learn more and to download test virus signature files, go to: http://www.eicar.org/
The Visual Basic code used to develop the antivirus was written to provide basic GUI functionality that can be improved upon over time; the focus is the malware architecture and the ability to plug the GUI into more advanced virus libraries, thereby providing a comprehensive, up-to-date picture of the malware in circulation today.
Scope: the instructions for this Do-It-Yourself antivirus create a very basic GUI, as the goal of the exercise is to develop a better understanding of malware architecture, not to master GUI development.
Again, a full antivirus solution would require extensive development work, far beyond the scope of this DIY. This example provides the basic VB code to create your own basic antivirus application.
First we will start with setting up the basics of the GUI, composed of the basic building blocks of:
- Scan, stop & delete buttons
- Combo box to select directories to be scanned
- List box containing files and results
- Progress Bar
Once you have built your GUI using the components mentioned above, you should have a GUI similar to:
Screenshot – Example Antivirus GUI
The next step is to add your test virus database, preferably a simple text file containing virus signatures (one can also be downloaded from the link provided earlier). Simply drag and drop this file into the Resources in your Solution Explorer view.
Next, develop the code so that your GUI can execute tasks. A template of the code you require for the antivirus program is provided below and needs to be entered into the code view of your VB 2013 form. Copy the code below and paste it into your form, ensuring that your GUI object names and design match the code:
Now all you have to do is click “Start Scan”.
As you can see in the screenshot captured, the antivirus utility you have developed scans the selected files against the list of viruses in the virus library you included.
The challenge with antivirus software is that it only detects viruses already residing within your systems; it is designed to react to identified malicious threats. For this reason it is important to include additional preventative measures in your architecture, such as firewalls, spyware protection and intrusion prevention technologies where necessary, so that a defence-in-depth strategy protects your systems.
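The scan the GUI performs can be expressed without any form code. What follows is an added example in Python, not the article's Visual Basic code, that does the same signature-based scan from the command line: it loads signatures from a plain text file, walks a directory and reports every file matching a signature. The signature file format (NAME|TYPE|VALUE lines, where TYPE is either a byte string that must appear in the file or a SHA-256 hash of the whole file), the directory layout and the hash-matched sample are constructed for this example; the EICAR string is the standard harmless antivirus test file from eicar.org mentioned earlier.

```python
"""Signature-based file scanner: an added example in Python rather than
the article's Visual Basic. Signatures are read from text, one per line,
as NAME|TYPE|VALUE where TYPE is 'string' (a byte sequence that must
appear in the file) or 'sha256' (hash of the whole file). The signature
format, sample files and directory layout are constructed for this example."""
import hashlib
import io
import os
import tempfile
from dataclasses import dataclass

# Standard EICAR test string (eicar.org): harmless, detected by AV products.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass(frozen=True)
class Signature:
    name: str
    kind: str     # 'string' or 'sha256'
    value: bytes  # raw pattern, or lowercase hex digest as ASCII bytes


def load_signatures(text: str) -> list[Signature]:
    """Parse NAME|TYPE|VALUE lines; blank lines and '#' comments are ignored."""
    sigs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 2)
        if len(parts) != 3:
            raise ValueError(f"signature line {lineno} malformed: {raw!r}")
        name, kind, value = parts
        if kind == "string":
            sigs.append(Signature(name, kind, value.encode("latin-1")))
        elif kind == "sha256":
            sigs.append(Signature(name, kind, value.lower().encode("ascii")))
        else:
            raise ValueError(f"unknown signature type {kind!r} on line {lineno}")
    return sigs


def scan_stream(fh, sigs: list[Signature], chunk: int = 1 << 20) -> list[str]:
    """Scan a binary stream in chunks. Hash signatures see the whole stream;
    string signatures are searched in each chunk plus a carry-over of
    (longest pattern - 1) bytes so a match straddling two chunks is found."""
    digest = hashlib.sha256()
    longest = max((len(s.value) for s in sigs if s.kind == "string"), default=0)
    tail = b""
    string_hits = set()
    while True:
        block = fh.read(chunk)
        if not block:
            break
        digest.update(block)
        window = tail + block
        for s in sigs:
            if s.kind == "string" and s.value in window:
                string_hits.add(s.name)
        tail = window[-(longest - 1):] if longest > 1 else b""
    hexdigest = digest.hexdigest().encode("ascii")
    hits = [s.name for s in sigs if s.kind == "sha256" and s.value == hexdigest]
    hits.extend(sorted(string_hits))
    return hits


def scan_bytes(data: bytes, sigs: list[Signature], chunk: int = 1 << 20) -> list[str]:
    """Convenience wrapper: scan an in-memory byte string."""
    return scan_stream(io.BytesIO(data), sigs, chunk)


def scan_directory(root: str, sigs: list[Signature]) -> dict[str, list[str]]:
    """Walk `root`; return {relative path: matched signature names} for hits only."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as fh:
                    hits = scan_stream(fh, sigs)
            except OSError:
                continue  # unreadable file; a real scanner would log this
            if hits:
                results[os.path.relpath(full, root)] = hits
    return results


def demo() -> dict[str, list[str]]:
    """Build a throwaway directory with an EICAR file, a clean file and a file
    matched only by hash, then scan it. All contents are constructed."""
    hashed = b"constructed sample payload, matched by sha256 only\n"
    sig_text = "\n".join([
        "# name|type|value",
        "EICAR-Test-File|string|" + EICAR.decode("latin-1"),
        "Sample-By-Hash|sha256|" + hashlib.sha256(hashed).hexdigest(),
    ])
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        for rel, content in [("eicar.com", EICAR), (os.path.join("sub", "sample.bin"), hashed),
                             ("notes.txt", b"nothing to see here\n")]:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        return scan_directory(root, load_signatures(sig_text))


if __name__ == "__main__":
    for path, names in demo().items():
        print(f"{path}: {', '.join(names)}")
```

Two details matter beyond the toy: the file is read in chunks with a carry-over so a pattern straddling a chunk boundary is still found, and a hash signature matches only a byte-identical file, so a single-byte change to the sample defeats it. That fragility is the currency problem with signature databases described earlier, and it is why real products combine both signature kinds with heuristics.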
References
- Berger-Sabbatel, G., Korczynski, M. & Duda, A. (n.d.). Architecture of a Platform for Malware Analysis and Confinement. Retrieved 10 March 2014 from: http://www.kt.agh.edu.pl/~korczynski/plateforme-indect-paper.pdf
- Harris, S. (2012). CISSP All-in-One Exam Guide, 6th Edition. McGraw-Hill, U.S.A.
- Pfleeger, C. & Pfleeger, S. (2003). Security in Computing, Third Edition. Pearson Education Inc.
- SANS (2007). Malware Analysis: Environment Design and Architecture. Retrieved 10 March 2014 from: http://www.sans.org/reading-room/whitepapers/threats/malware-analysis-environment-design-artitecture-1841
- Schneier, B. (2000). Secrets and Lies: Digital Security in a Networked World. New York; Chichester: John Wiley.
About the Author
MSc Information Security & 10+ years of international experience in IT Security with Government/Blue Chip/Fortune 100 companies. Through this experience I have gained valuable insight into international security requirements and upcoming trends. I maintain expertise in: Smart Cards, Identity Management, Wireless & Mobile Technologies; Vulnerability Assessment, Ethical Pen-Testing, cryptography, Network Forensics, as well as Business Continuity and Risk Management. Experienced in compliance standards including PCI DSS, ISO27001, ISO13001, ISO7816, ISO9001 and others. Since 2012 I have worked for Gemalto as a Technical Consultant.
Outside of work, I enjoy travelling, learning about different cultures, philosophising and quality night-life. I like connecting with people; my public profile is available at: https://www.linkedin.com/pub/cecilia-mcguire/4/528/955
Cecilia McGuire ©2014. The author assigns eForensics Magazine a non-exclusive license to use this document for personal use provided that the article is used in full and this copyright statement is reproduced. Such documents may be published on the World Wide Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. The authors also grant a non-exclusive license to eForensics Magazine to publish this document in full in the Conference Proceedings. Any other usage is prohibited without the express permission of the author.