Kaspersky Lab core detection technologies - Comprehensive protection from threats of today and tomorrow
Whitepaper
CONTENTS

1 Introduction ..... 4
2 Good & bad anti-virus engines ..... 5
3 Key features of the Kaspersky® anti-virus engine ..... 6
   3.1 Signature analysis ..... 6
   3.2 Checksumming ..... 7
   3.3 Techniques for detecting polymorphic viruses ..... 7
       Reduced masks ..... 8
       Known plaintext cryptanalysis ..... 8
       Statistical analysis ..... 9
       Emulation ..... 9
       Polymorphic viruses: summary ..... 9
   3.4 Processing complex objects ..... 10
   3.5 Heuristic analysis ..... 11
       Static heuristic analysis ..... 11
       Dynamic heuristic analysis ..... 12
   3.6 Generic detection ..... 12
   3.7 Detection of malicious content ..... 13
   3.8 Detection of rootkits ..... 13
   3.9 Detection of mobile threats ..... 15
   3.10 Detection of spyware ..... 16
       Adware ..... 18
       Pornware ..... 18
       Riskware ..... 18
   3.11 Updating virus signatures ..... 18
4 Other core detection technologies ..... 19
   4.1 Proactive Defense Module ..... 19
       Worm.Generic ..... 20
       Worm.P2P.Generic ..... 20
       Trojan.Generic ..... 20
       Buffer overrun ..... 20
       Data Execution ..... 20
       Root shell ..... 20
       Internet Browser Launchers ..... 20
       Invaders ..... 21
       Hidden Objects (Rootkits) ..... 21
       Suspicious values in registry ..... 21
       Strange system behavior ..... 21
       Hidden installers ..... 21
       Keyloggers ..... 21
       Trojan Cryptors ..... 21
       Hidden data sending ..... 21
       Private data and password access ..... 21
       Application Integrity Control ..... 22
       Registry Guard ..... 22
       Office Guard ..... 22
   4.2 Performance optimization ..... 22
       iChecker™ and iSwift™ ..... 22
       Suspension of scanning when the system is under load ..... 23
       iCure™ ..... 23
   4.3 Combating active threats ..... 23
       Active threat disinfection ..... 23
       Rescue Disk ..... 24
5 Conclusion ..... 24
6 Appendix 1. Today's threat landscape: from cyber vandalism to cyber crime ..... 25
7 Appendix 2. Evaluating anti-virus products ..... 28
       Magazine reviews ..... 28
       Tests and certifications based on the WildList ..... 29
       Comprehensive anti-virus detection tests ..... 29
       Summary ..... 30
1 Introduction

It is clear that the nature of the threat to PC users has changed significantly over the years. Today's threats are more complex than ever before. Much of today's malware (short for malicious software), which includes Trojans, backdoors and spammers' proxy servers as well as viruses and worms, is purpose-built to hijack users' machines, and a single Trojan can easily be found on many thousands of infected PCs. Malicious code may be embedded in e-mail, injected into fake software packs, or placed on 'grey-zone' web pages for download by a Trojan already installed on an infected machine. There has also been a growth in spyware, adware, dialers and other 'unwanted' but non-viral programs. The scale of the problem, in terms of numbers alone, has also continued to increase.[1]

At the same time, the anti-virus market is saturated with products. This raises the question of how to choose the best product. Which ones guarantee maximum protection? Which ones offer the most efficient combination of technologies capable of comprehensively protecting your computer and network from all types of malware and potentially unwanted programs?

The core of any anti-virus product is the anti-virus engine, a software module purpose-built to find and remove malicious code. The engine is developed independently of any specific product implementation, so it plugs equally well into personal products, such as on-demand scanners or real-time monitors, and into solutions for servers: mail scanners, file servers, firewalls and proxy servers. The reliability of malicious code detection, and hence the security level provided by the engine, ultimately depends on the engine's structure, its detection methods and the heuristic technologies implemented in it.

This document outlines the key elements of the Kaspersky® anti-virus engine and other core technologies. This includes scanning features that are common to many anti-virus products, but also unique technologies that make the Kaspersky® anti-virus engine so effective at finding and removing malicious code.

[1] Kaspersky Lab anti-virus databases now contain more than 250,000 records.
2 Good & bad anti-virus engines

Anti-virus vendors tend to conceal the details of their engines from the public, and with good reason: they have no wish to publish information that hackers or virus writers could use to circumvent particular techniques used in the engine. However, there are indirect ways to determine whether a particular engine is good or bad, i.e. whether it is more or less effective at finding and removing malicious code. Below is a list of the main criteria for selecting an anti-virus engine.

• Quality of detection indicates the effectiveness with which the anti-virus program detects viruses, worms, Trojans and potentially undesirable programs (including spyware). The best way to assess a vendor's detection capability is to check its track record in a range of independent tests.[2]

• Level of proactive detection indicates a program's ability to find new, unknown threats. Proactive detection has become increasingly important given the speed at which today's threats spread. Unfortunately, it is very difficult to assess a product's capability in this area without access to a virus collection, although a number of independent test organizations have begun to include this in their test methodologies. The number of false alarms is also indicative of the quality of an engine's heuristic analyzer: high proactive detection levels are only useful if they do not come with a high false positive rate.

• Number of false alarms is an important measure of an engine's quality. If an anti-virus program reports an infection in a clean file, this is called a false alarm, or false positive. Frequent false alarms not only undermine a user's confidence in the program's heuristic analyzer; they can also prevent a user from recognizing a new virus, because a program that wrongly flags legitimate software often enough stops being trusted.

• Detection of malicious code inside compressed, archived and packed formats is critical, because virus writers frequently compress their code with different compression utilities to produce several distinct executables that are all copies of the same virus. An engine that supports all (or almost all) popular compression utilities will detect every copy of the virus and identify it by name. Other anti-virus programs will require a virus definition update for each copy (and may also need additional analysis time from one of their virus researchers).

• Update size and frequency are also indicative of the quality of an anti-virus engine (and of the vendor's research team). While the engine itself is designed to be updated infrequently, frequent updates to the anti-virus databases ensure that a user is constantly protected from the latest threats. The size of each database update (as well as the number of threats it adds) shows the quality of the anti-virus databases and, to some degree, of the engine itself.

• Engine-only updating, without the need to update the entire anti-virus program, indicates the efficiency of the engine technology. In some cases, in order to detect a virus, a user must update not only the anti-virus database but also the engine. If it is not easy for the customer to update the engine, the user's computer or network may become infected with a new virus. In addition, engine-only updating allows a vendor to quickly troubleshoot and improve the engine, or extend its functionality.

[2] See Appendix 2, Evaluating anti-virus products, for further information.

3 Key features of the Kaspersky® anti-virus engine

The appearance of the first computer viruses forced programmers to react quickly, and this led to the creation of the first anti-virus programs. Since then, anti-virus software has changed dramatically in response to the changing threat posed by each successive generation of malware. Today's anti-virus programs differ as much from the old solutions as an up-to-date PC differs from, say, a calculator.

The Kaspersky® anti-virus engine is integrated into all Kaspersky® anti-virus products and delivers a unique combination of technologies necessary for the successful detection of malicious code. The engine is designed on the basis of a powerful and flexible logical subsystem that employs all the latest methods to find and remove malware. Its key features are outlined below.

3.1 Signature analysis

A signature is a unique sequence of bytes that is specific to a piece of malicious code.
Signature analysis, or some modification of it, was one of the first methods used in anti-virus engines to detect viruses and other malware, and it remains in use. Obvious advantages of this method are its high speed (especially with the use of special search algorithms) and the fact that several threats can be detected using just one signature. On the other hand, a serious disadvantage is that for reliable detection the signature must be fairly long, at least 22-40 bytes (anti-virus producers usually use longer signatures, of up to 64 bytes, to ensure detection), so the size of the anti-virus database grows accordingly.

Another challenge for this method is that much contemporary malware is written in high-level languages such as C++, Delphi or Visual Basic. Programs built with these compilers contain fragments of code that never change (the so-called run-time library), and a signature taken from such a fragment matches every program built with the same compiler, leading to false alarms, where a clean file is reported as infected. The false alarm problem can be solved by using extremely large signatures, or by restricting detection to certain data areas like relocation tables or text strings, both of which are undesirable.

3.2 Checksumming

Checksumming is a method based on calculating CRC (Cyclic Redundancy Check) checksums, and is a modification of signature analysis. It was developed to overcome the main disadvantages of the signature method: large databases and frequent false alarms. A checksum record holds not just the search string (or, to be more precise, a checksum of the string) but also the location of that string in the body of the malicious program; during scanning, the location determines which bytes of the file are checksummed, so the string does not have to be searched for throughout the file. Thus, instead of a 10-12 byte search string (the minimum size), the checksum takes four bytes and the location data another four bytes. However, checksumming is more time consuming than signature analysis.

3.3 Techniques for detecting polymorphic viruses

Self-encryption and polymorphism are used in most types of virus in order to make them more difficult to detect. Polymorphic viruses are extremely hard to detect because they have no signatures, i.e. there is no constant fragment of virus-specific code.
In most cases, two samples of the same polymorphic virus will not have a single coinciding fragment. There are many kinds of polymorphic virus, from boot and DOS file viruses to Windows viruses, macro and script viruses. Polymorphic 'envelopes' are also used to hide Trojan programs.
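Before looking at how polymorphism defeats fixed signatures, the following Python example (added here; it is not Kaspersky code and does not reflect the engine's internal database format) shows the plain signature search of section 3.1 beside the location-bound CRC record of section 3.2. The byte strings standing in for a virus, a clean program and a shared run-time library fragment are constructed for the example, and the record layout (a 4-byte offset plus the CRC32 of a fixed-length chunk at that offset) is an assumption.

```python
import zlib

# Constructed samples (not real malware). RUNTIME_LIB stands in for the
# run-time library fragment that every program built with one compiler
# carries; it appears in both the "virus" and the clean program.
RUNTIME_LIB = bytes.fromhex("5589e583ec10c745fc00000000e8")
VIRUS_CODE = bytes.fromhex("b44ecd2172f8b8023dcd21")
VIRUS = b"\x90" * 8 + RUNTIME_LIB + VIRUS_CODE + b"\xcc" * 16
CLEAN = b"\x90" * 3 + RUNTIME_LIB + bytes.fromhex("b409cd21b44ccd21") + b"\x00" * 20

# 3.1: a signature is a byte string searched for anywhere in the object.
BAD_SIGNATURES = {"Virus.Test": RUNTIME_LIB[:8]}   # taken from the library: false alarms
GOOD_SIGNATURES = {"Virus.Test": VIRUS_CODE}        # taken from virus-specific code

def signature_scan(data, signatures):
    """Return the names of all signatures found anywhere in data."""
    return [name for name, sig in signatures.items() if sig in data]

# 3.2: a checksum record fixes *where* the bytes must be.  Instead of the
# search string itself, the database stores its offset (4 bytes) and the
# CRC32 (4 bytes) of CHUNK_LEN bytes at that offset.  Offsets here are from
# the start of the object; for a file infector they would be taken relative
# to the entry point, since the virus body lands at a different file offset
# in every host.
CHUNK_LEN = 16

def make_checksum_record(sample, offset):
    chunk = sample[offset:offset + CHUNK_LEN]
    assert len(chunk) == CHUNK_LEN, "record must cover a full chunk"
    return offset, zlib.crc32(chunk) & 0xFFFFFFFF

CHECKSUM_RECORDS = {"Virus.Test": make_checksum_record(VIRUS, VIRUS.index(VIRUS_CODE))}

def checksum_scan(data, records):
    """Checksum only the bytes at each record's offset; no searching."""
    hits = []
    for name, (offset, crc) in records.items():
        chunk = data[offset:offset + CHUNK_LEN]
        if len(chunk) == CHUNK_LEN and zlib.crc32(chunk) & 0xFFFFFFFF == crc:
            hits.append(name)
    return hits

def database_bytes(signatures, records):
    """Rough database cost of each approach, in bytes: (signature, checksum)."""
    return sum(len(s) for s in signatures.values()), 8 * len(records)

if __name__ == "__main__":
    print("bad signature on clean file:", signature_scan(CLEAN, BAD_SIGNATURES))  # false alarm
    print("good signature:", signature_scan(VIRUS, GOOD_SIGNATURES), signature_scan(CLEAN, GOOD_SIGNATURES))
    print("checksum:", checksum_scan(VIRUS, CHECKSUM_RECORDS), checksum_scan(CLEAN, CHECKSUM_RECORDS))
    print("database bytes:", database_bytes(GOOD_SIGNATURES, CHECKSUM_RECORDS))
```

The checksum record is smaller than the signature it replaces and cannot fire on the shared library fragment, because the match is tied to a position; the price, as the text notes, is that the CRC must be recomputed at every record's offset rather than found by one fast multi-pattern search.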
Viruses are called polymorphic if their body changes with each replication so that no constant search string is present. Polymorphic viruses cannot be detected (or can be detected only with great difficulty) using so-called virus signatures or masks, i.e. sequences of unchanging virus-specific code. Polymorphism is usually achieved by encrypting the main code of the virus with non-constant keys and a randomly generated set of decryption instructions, or by mutating the executable virus code itself. There are also other, rather exotic, examples of polymorphism: the DOS virus Bomber is not encrypted, but the sequence of instructions that passes control to the body of the virus is completely polymorphic.

It is problematic to use signatures (sometimes called search strings), as outlined above, to detect polymorphic viruses. Since the code changes with each infection, it becomes impossible to select a correct signature. Even a very large signature cannot identify an encrypted virus uniquely without giving false alarms. It is not difficult to see why: the polymorphic virus encrypts its body, turning the virus code into variable data, and variable code cannot be used as a signature. So additional techniques are needed to detect polymorphic viruses.

Reduced masks

If the encryption algorithm used by the virus is not sufficiently sophisticated, it is possible to combine elements within the encrypted body of the virus in a way that takes the encryption key out of the equation and yields static code. The signature, or mask, can then be taken from the resulting static code.

Known plaintext cryptanalysis

Known plaintext cryptanalysis is another method for dealing with polymorphic viruses. From the known original virus code and the known encrypted code (or suspicious code that looks like an encrypted virus body), the engine reconstructs the keys and the algorithm of the decryptor. It then decodes the encrypted virus body by applying this algorithm to the encoded fragment. Using a system of equations to decode an encrypted virus body is similar to the classical cryptographic problem of recovering a text without knowing the key. However, there are two key differences. First, most of the data required for the solution is known. Second, the solution must be reached using the available RAM and within a limited period of time. In general, this method is less time consuming and uses less memory than emulating the virus instructions (see below). However, it requires constructing a system of equations, which can become rather complicated; the main problem is the mathematical analysis of the equation or system of equations constructed.
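The two ideas above in code, as an added example (not Kaspersky code): a constructed virus body is encrypted with a constant-key XOR (scheme 1) and with a per-byte stepping XOR key (scheme 2). For scheme 1 the XOR of adjacent ciphertext bytes cancels the key, giving a key-independent reduced mask. For scheme 2 a reduced mask no longer works, but two known plaintext bytes give two equations in the two unknowns (initial key and step), and the remaining known bytes verify the solution before the body is decrypted and compared. Both cipher schemes and the body are assumptions made for the example; real polymorphic decryptors are far more varied.

```python
# Constructed static virus body: the plaintext every infected copy decrypts to.
BODY = bytes.fromhex("b44ecd2172f8b8023dcd2193b440b90001cd21b43ecd21")

def encrypt_constant_key(body, key):
    """Scheme 1 (weak): c[i] = p[i] XOR key, one key byte per infection."""
    return bytes(b ^ key for b in body)

def encrypt_stepping_key(body, key0, step):
    """Scheme 2: c[i] = p[i] XOR (key0 + i*step) mod 256.  XOR is its own
    inverse, so the same function decrypts once key0 and step are known."""
    return bytes(b ^ ((key0 + i * step) & 0xFF) for i, b in enumerate(body))

# --- Reduced mask -------------------------------------------------------
# c[i] ^ c[i+1] == p[i] ^ p[i+1] whenever both bytes use the same key, so the
# differences form a search mask that does not depend on the key at all.
def reduced(data):
    return bytes(a ^ b for a, b in zip(data, data[1:]))

REDUCED_MASK = reduced(BODY)[:8]

def matches_reduced_mask(sample):
    return REDUCED_MASK in reduced(sample)

# --- Known plaintext cryptanalysis ---------------------------------------
def recover_stepping_key(cipher, known_plaintext):
    """Solve k_i = c[i] ^ p[i] for the decryptor model k_i = key0 + i*step.
    Two equations fix the two unknowns; every further known byte must agree,
    otherwise the sample does not follow this model (or is not the virus)."""
    if len(known_plaintext) < 3 or len(cipher) < len(known_plaintext):
        return None
    ks = [c ^ p for c, p in zip(cipher, known_plaintext)]
    key0, step = ks[0], (ks[1] - ks[0]) & 0xFF
    for i, k in enumerate(ks):
        if k != (key0 + i * step) & 0xFF:
            return None
    return key0, step

def detect_by_known_plaintext(sample, known_plaintext=BODY[:4]):
    """Recover the key from the known prefix, decrypt, then compare the
    decrypted buffer with the static body (the 'standard method' step)."""
    key = recover_stepping_key(sample, known_plaintext)
    if key is None:
        return False
    return encrypt_stepping_key(sample, *key) == BODY

if __name__ == "__main__":
    weak = encrypt_constant_key(BODY, 0x5A)
    strong = encrypt_stepping_key(BODY, 0x31, 7)
    print("reduced mask:", matches_reduced_mask(weak), matches_reduced_mask(strong))
    print("known plaintext:", recover_stepping_key(strong, BODY[:4]),
          detect_by_known_plaintext(strong))
```

The constant-key scheme is also a special case of the stepping scheme (step 0), so the cryptanalytic route handles both; the reduced mask is simply cheaper where it applies, which is the trade-off the summary below describes.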
Statistical analysis

Statistical analysis is another method used to detect polymorphic viruses. The engine analyzes the frequency of the processor instructions used and uses this information to decide whether the file is infected. This method is quite effective against polymorphic viruses whose decryptors use a limited set of opcodes, compared to clean files, which use other opcodes with different frequencies. For example, many complex polymorphic viruses rarely use the DOS interrupt 21h (opcode CDh 21h) in their decryptors, while most legitimate DOS programs use it frequently. The main disadvantage of this method is that there is a family of complex polymorphic viruses that uses virtually the whole instruction set of the processor, with the set of instructions changing dramatically from infection to infection, which makes it impossible to detect such viruses using a frequency table.

Emulation

The increase in the number of polymorphic viruses in the early 1990s, and in particular the first appearance of polymorphic viruses in the wild, led to the development of a method of emulating program code (also known as sandboxing). Using this method, program execution (of both infected and clean programs) is emulated in a virtual environment, called a sandbox or virtual machine. After emulation, if the program is a polymorphic virus, the buffer contains a decrypted virus body ready to be detected using standard methods (signature analysis or CRC checksumming). Current systems emulate not only processor opcodes but also operating system calls. It is quite difficult to write a decent emulator. In addition, when an emulator is used, the effect of every instruction must be checked constantly, so that the destructive instructions present in most known viruses never take effect outside the sandbox.
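An added example (not Kaspersky's emulator) of the emulation approach: a small 8086 emulator for just the handful of instructions that a constructed polymorphic decryptor uses (MOV SI/CX/AL, XOR [SI],AL, INC SI, ADD SI,imm8, LOOP, NOP), together with a generator that produces a differently shaped decryptor and key on every 'infection'. The decryptor shape, the virus body and the 0x100 load address (a DOS COM-style image) are assumptions for the example. Emulation runs in a private memory buffer and stops at the first instruction outside the modelled subset (an INT, for instance), so nothing the sample does can touch the host; once the loop has run, the body is in the clear and an ordinary signature search finds it.

```python
import random

LOAD = 0x100                        # COM-style load address of the image
BODY = bytes.fromhex("b44ecd2172f8b8023dcd2193b440b90001cd21b43ecd21")  # constructed body
SIGNATURE = BODY[:8]                # ordinary signature of the decrypted body

def build_sample(rng, body=BODY):
    """Constructed polymorphic generator: random key, random NOP padding and
    two ways to step SI, so no two outputs share a useful byte string."""
    key = rng.randrange(1, 256)
    junk = lambda: b"\x90" * rng.randrange(0, 4)           # NOP padding
    step_si = rng.choice([b"\x46", b"\x83\xC6\x01"])        # INC SI / ADD SI,1
    loop_body = b"\x30\x04" + junk() + step_si              # XOR [SI],AL ...
    rel = (-(len(loop_body) + 2)) & 0xFF                    # LOOP back to the XOR
    tail = loop_body + b"\xE2" + bytes([rel])
    j1 = junk()
    header = bytearray(j1 + b"\xBE\x00\x00" + junk()                         # MOV SI,body
                       + b"\xB9" + len(body).to_bytes(2, "little") + junk()  # MOV CX,len
                       + b"\xB0" + bytes([key]) + junk())                    # MOV AL,key
    body_addr = LOAD + len(header) + len(tail)
    header[len(j1) + 1:len(j1) + 3] = body_addr.to_bytes(2, "little")        # patch MOV SI
    return bytes(header) + tail + bytes(b ^ key for b in body)

def emulate(image, max_steps=10_000):
    """Run the image in a private 64 KiB buffer and return the image region
    afterwards.  Unknown opcodes (including INT) stop emulation: the sandbox
    never carries out a real system call or anything else destructive."""
    mem = bytearray(0x10000)
    mem[LOAD:LOAD + len(image)] = image
    ip, si, cx, al = LOAD, 0, 0, 0
    for _ in range(max_steps):
        op = mem[ip]
        if op == 0x90:                                   # NOP
            ip += 1
        elif op == 0xBE:                                 # MOV SI, imm16
            si, ip = int.from_bytes(mem[ip + 1:ip + 3], "little"), ip + 3
        elif op == 0xB9:                                 # MOV CX, imm16
            cx, ip = int.from_bytes(mem[ip + 1:ip + 3], "little"), ip + 3
        elif op == 0xB0:                                 # MOV AL, imm8
            al, ip = mem[ip + 1], ip + 2
        elif op == 0x30 and mem[ip + 1] == 0x04:         # XOR [SI], AL
            mem[si] ^= al
            ip += 2
        elif op == 0x46:                                 # INC SI
            si, ip = (si + 1) & 0xFFFF, ip + 1
        elif op == 0x83 and mem[ip + 1] == 0xC6:         # ADD SI, imm8
            si, ip = (si + mem[ip + 2]) & 0xFFFF, ip + 3
        elif op == 0xE2:                                 # LOOP rel8
            cx = (cx - 1) & 0xFFFF
            rel = mem[ip + 1] - 256 if mem[ip + 1] > 127 else mem[ip + 1]
            ip += 2
            if cx:
                ip += rel
        else:
            break                                        # outside the modelled subset
    return bytes(mem[LOAD:LOAD + len(image)])

def detect(sample):
    """(static signature hit, signature hit after emulation)."""
    return SIGNATURE in sample, SIGNATURE in emulate(sample)

def samples(n):
    """n reproducible 'infections' from seeded generators."""
    return [build_sample(random.Random(seed)) for seed in range(n)]

if __name__ == "__main__":
    for sample in samples(3):
        print(sample[:16].hex(), detect(sample))
```

The static search fails on every sample because the body is encrypted and the stub keeps changing; after emulation the same signature hits every time. A clean program whose first instruction is an INT 21h is left untouched, since the emulator stops before it.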
It is also important to stress that the engine emulates the execution of the virus instructions rather than tracing them on the real processor, because tracing (single-stepping the actual code) increases the risk of executing destructive instructions or the code responsible for activating the virus itself.

Polymorphic viruses: summary

In practice, choosing among the above methods for detecting polymorphic viruses (reduced masks, cryptanalysis, statistical analysis and emulation) comes down to finding an optimal balance that offers maximum speed and minimum memory usage. The code of most self-encrypting viruses can easily be decoded using emulation. If emulation is not the optimal solution, the virus code can be decoded using a subprogram that applies cryptanalysis to it. To detect viruses that cannot be decoded or emulated, the engine uses the method of reduced masks. In complex cases, the Kaspersky® anti-virus engine uses a combination of the above methods: a fragment of the decryptor code is emulated to identify the instructions that implement the decryption algorithm, and then, based on the information obtained, the engine constructs and solves a system of equations to decrypt and detect the virus code. The methods are also combined in the case of multiple encoding, where a virus encrypts its body several times using various encryption algorithms.

Plain emulation of the decryptor code, rather than mathematical analysis of it, is often used in the engine because every new virus must be analyzed and integrated into the anti-virus database in the shortest possible time, which is not always achievable with mathematical analysis. As a result, the more laborious but more general detection method is used, and the mathematical methods are reserved for the decryption algorithms that can be analyzed.

3.4 Processing complex objects

In recent years anti-virus engines have changed dramatically. For the first anti-virus programs it was enough to check system memory, executable files and boot sectors. After several years, due to the increased popularity of special compression utilities, anti-virus developers encountered the problem of how to unpack a compressed file before scanning it. Then a new problem appeared when viruses started infecting archives (and users often sent each other infected archives): anti-virus programs had to learn how to process archived files. There were other related problems too. The first macro virus to infect Microsoft® Word documents appeared in 1995. Word documents are stored in a closed, complex format, and some anti-virus producers are still unable to process such files effectively. Contemporary anti-virus engines must also be able to scan e-mail databases and e-mail messages. It is critical for anti-virus programs to be able to scan such complex objects, because a threat could be hidden within any one of them.

The Kaspersky® anti-virus engine currently supports over 300 distinct run-time packers, with more than 2,800 versions, and over 80 archiving utilities, with more than 500 versions.
Thus the total number of formats supported is around 3,300.[3] The engine supports a wide range of utilities for compressing executable files, as well as encryption (protection) systems. These include the following: Diet, AVPACK, COMPACK, Epack, ExeLock, ExePack, Expert, HackStop, Jam, LzExe, LzCom, PaquetBuilder, PGMPAK, PkLite, PackWin, Pksmart, Protect, ProtEXE, RelPack, Rerp, Rjcrush, Rucc, Scramb, SCRNCH, Shrink, Six-2-Four, Syspack, Trap, UCEXE, Univac, UPD, UPX, WWPACK, ASPack, ASProtect, Astrum, BitArts, BJFnt, Cexe, Cheaters, Dialect, DXPack, Gleam, CodeSafe, ELFCrypt, JDPack, JDProtect, INFTool, Krypton, Neolite, NFO, NoodleCrypt, OptLink, PCPEC, PEBundle, PECompact, PCShrink, PE-Crypt, PE-Diminisher, PELock, PEncrypt, PE-Pack, PE-Protect, PE-Shield, Petite, Pex, PKLite32, SuperCede, TeLock, VBox, WWPack32, XLok and Yoda.

The engine also supports a wide range of archivers and installers. This reduces the time taken to analyze new viruses, thus accelerating the response to new threats and providing the highest level of detection of known viruses. Archivers and installers supported include the following: CAB, ARJ, ZIP, GZIP, Tar, AIN, HA, LHA, RAR, ACE, BZIP2, WiseSFX, CreateInstall, Inno Installer, StarDust Installer, MS Expand, GKWare Setup, SetupFactory, SetupSpecialist, NSIS, Astrum, PCInstall and Effect Office.

Support for all these archivers, and modifications of them, is particularly important when scanning e-mail traffic, because a great number of viruses are sent via e-mail as archives. Objects are extracted regardless of the archive nesting depth. For example, if an infected file is compressed with the UPX utility, then archived in a ZIP file, which in turn is archived in a CAB file, the Kaspersky® engine will still extract the original file and detect the virus. The engine uses a smart algorithm that avoids extracting so-called archive bombs: highly compressed, and therefore seemingly small, archives that expand into huge files or many identical files. Such archives would take a very long time to scan, but the Kaspersky® anti-virus engine can instantly recognize such bombs among normal archives.

[3] As of March 2007. The full list of supported formats is available from Kaspersky Lab.

3.5 Heuristic analysis

In the early 1990s, as the number of viruses grew to several hundred, anti-virus experts investigated the possibility of detecting viruses that were as yet unknown and for which there was no signature. As a result, the so-called heuristic analyzers were created. A heuristic analyzer is a set of subprograms that analyze the code of executable files, macros and scripts, in memory, files or boot sectors, in order to detect various types of malware.
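Returning to the nested-archive and archive-bomb handling of section 3.4: an added Python example (not the engine's own unpacker, which covers the formats listed above; this one handles only ZIP-in-ZIP nesting) that recurses through nested archives up to a depth limit, refuses members whose declared compression ratio or size looks like a bomb before inflating them, and hard-caps the bytes actually read in case the headers lie. The nesting limit, the ratio and size thresholds, and the test marker standing in for a signature are assumptions for the example; the archives are built in memory.

```python
import io
import zipfile

MARKER = b"CONSTRUCTED-TEST-MARKER"   # stands in for a real signature
MAX_DEPTH = 8                         # nesting levels we are willing to unpack
MAX_RATIO = 200                       # declared size / compressed size
MAX_MEMBER = 16 * 1024 * 1024         # hard cap on one unpacked member
MAX_TOTAL = 64 * 1024 * 1024          # unpack budget per top-level object

def make_zip(members):
    """Build a ZIP in memory from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def scan(data, path="object", depth=0, budget=None):
    """Return [(path, verdict)] for each member that needs attention, where
    verdict is 'Detected', 'ArchiveBomb' or 'TooDeep'.  Clean members and
    clean archives contribute nothing."""
    if budget is None:
        budget = {"left": MAX_TOTAL}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [(path, "Detected")] if MARKER in data else []
    if depth >= MAX_DEPTH:
        return [(path, "TooDeep")]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member_path = f"{path}/{info.filename}"
            # Sizes from the central directory are attacker controlled, so
            # they are only used to refuse work early, never to approve it.
            declared, packed = info.file_size, max(info.compress_size, 1)
            if declared > MAX_MEMBER or declared > budget["left"] or (
                    declared > 1 << 20 and declared / packed > MAX_RATIO):
                findings.append((member_path, "ArchiveBomb"))
                continue
            with zf.open(info) as f:
                member = f.read(MAX_MEMBER + 1)          # cap even if the header lied
            if len(member) > MAX_MEMBER:
                findings.append((member_path, "ArchiveBomb"))
                continue
            budget["left"] -= len(member)
            findings.extend(scan(member, member_path, depth + 1, budget))
    return findings

def nested_sample():
    """Infected file packed three archives deep, next to a clean file."""
    inner = make_zip({"payload.bin": b"header " + MARKER + b" trailer"})
    middle = make_zip({"inner.zip": inner})
    return make_zip({"readme.txt": b"clean text", "middle.zip": middle})

def bomb_sample():
    """8 MiB of zeros deflates to a few KiB: a small file that expands a lot."""
    return make_zip({"zeros.bin": bytes(8 << 20)})

def deep_sample(levels=MAX_DEPTH + 2):
    data = b"plain"
    for i in range(levels):
        data = make_zip({f"level{i}.zip": data})
    return data

if __name__ == "__main__":
    print(scan(nested_sample(), "mail-attachment"))
    print(scan(bomb_sample(), "bomb"))
    print(scan(deep_sample(), "deep"))
```

The path of each finding records the full nesting chain, which is what an administrator needs to see in a log; the budget dictionary is shared across the recursion so that many medium-sized members cannot add up to more than one top-level object is allowed to expand to.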
The two main principles used in heuristic analyzers are static and dynamic analysis.

Static heuristic analysis

This involves searching for short, general signatures typical of most viruses (so-called suspicious commands). For example, many viruses search for files using the *.EXE mask, open the file found and write their code into it. The task of the heuristic analyzer is to find code fragments that are indicative of these activities. The analyzer then weighs the fragments found and, if enough suspicious commands are present, decides that the file is infected. This method is easy to implement and delivers high scanning speed. However, its level of detection of new malicious programs is rather low.

Dynamic heuristic analysis

This was developed together with the introduction of code emulators into anti-virus programs (see above). The dynamic method emulates the program's execution and logs all suspicious actions. This log is then used to decide whether or not the program is infected. The dynamic method requires more resources than the static one, but provides a higher level of detection.

The heuristic analyzer integrated into the Kaspersky® anti-virus engine uses both cryptanalysis and statistical analysis. It was designed from the outset as an extensible module, unlike many first-generation heuristic analyzers that were designed to detect malicious code only in executable files. At present, the Kaspersky® heuristic analyzer successfully detects malicious code in executable files, disk sectors and computer memory. It also effectively reveals new script viruses and malware for Microsoft® Office (and other programs that use VBA), as well as code written in high-level languages like Microsoft® Visual Basic. Due to its flexible architecture and combination of various methods, the Kaspersky® heuristic analyzer detects new malware very efficiently while keeping the number of false alarms to a minimum.

3.6 Generic detection

Generic detection refers to the detection and removal of multiple threats using a single virus signature. The starting point for generic detection is that successful threats are often copied by others, or further refined by the original author(s). The result is a spate of viruses, worms or Trojans, each one distinct but belonging to the same family. In many cases, the number of variants can run into tens, or even hundreds. Generic detection involves creating a signature that is able to identify all threats belonging to the same family.
So when NewVirus appears, the definition created to detect it will also identify NewVirus.b, NewVirus.c, NewVirus.d, etc. if and when they are created. Such techniques also extend to detection of exploit code that may be used by a virus or worm. Of course, generic detection is not guaranteed to find all variants in a family. However, it has proved effective in detecting many new threats without the need for an updated signature, and where it is feasible, detection of multiple variants using a single definition is also more efficient.
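As an added example (not Kaspersky code) covering both the static heuristic analysis of section 3.5 and the generic detection of section 3.6: the same byte-mask matcher, with '??' wildcards for bytes that vary, serves first as the 'suspicious command' patterns of a static heuristic analyzer (weighted and summed against a threshold, so that a clean program that merely opens and writes a file does not trip it) and then as a single family mask that matches every variant of a constructed NewVirus decryptor whose variants differ only in their immediates. The DOS INT 21h function numbers and the instruction encodings are real; the rule weights, the threshold, the samples and the virus family are constructed for the example.

```python
import re

def mask_to_regex(mask):
    """'B4 4E CD 21' with '??' wildcards -> compiled regex over bytes."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in mask.split()]
    return re.compile(b"".join(parts), re.DOTALL)

# (1) Static heuristics: the classic DOS file-infector sequence the text
# describes, as (mask, weight, meaning).  Each pattern alone is harmless;
# the combination is what is suspicious.
HEURISTIC_RULES = [
    ("2A 2E 45 58 45 00",  3, "'*.EXE' search mask"),
    ("B4 4E CD 21",        2, "INT 21h AH=4Eh: find first file"),
    ("B4 4F CD 21",        1, "INT 21h AH=4Fh: find next file"),
    ("B8 ?? 3D CD 21",     2, "INT 21h AH=3Dh: open file (access mode varies)"),
    ("B4 40 CD 21",        2, "INT 21h AH=40h: write to file"),
]
THRESHOLD = 6

def heuristic_score(sample):
    """Sum the weights of all suspicious commands found; return (score, reasons)."""
    score, reasons = 0, []
    for mask, weight, meaning in HEURISTIC_RULES:
        if mask_to_regex(mask).search(sample):
            score += weight
            reasons.append(meaning)
    return score, reasons

def heuristic_verdict(sample):
    return heuristic_score(sample)[0] >= THRESHOLD

# Constructed samples.  INFECTOR: find *.EXE, open it read/write, write to it.
INFECTOR = (b"*.EXE\x00" + b"\xB4\x4E\xCD\x21" + b"\x72\x10"
            + b"\xB8\x02\x3D\xCD\x21" + b"\x93" + b"\xB4\x40\xCD\x21")
# EDITOR: a clean program that opens its own document, writes it back, closes it.
EDITOR = (b"\xB8\x02\x3D\xCD\x21" + b"\x93" + b"\xB4\x40\xCD\x21"
          + b"\xB4\x3E\xCD\x21")

# (2) Generic detection: one mask for the whole family.  Address, count and
# key differ between NewVirus.a, .b, .c; the instruction skeleton does not.
FAMILY_MASK = "BE ?? ?? B9 ?? ?? B0 ?? 30 04 46 E2 FB"

def newvirus_stub(addr, count, key):
    """Constructed decryptor of a NewVirus variant (MOV SI/CX/AL, XOR [SI],AL,
    INC SI, LOOP): only the immediates change from variant to variant."""
    return (b"\xBE" + addr.to_bytes(2, "little") + b"\xB9" + count.to_bytes(2, "little")
            + b"\xB0" + bytes([key]) + b"\x30\x04\x46\xE2\xFB")

def generic_detect(sample):
    return mask_to_regex(FAMILY_MASK).search(sample) is not None

if __name__ == "__main__":
    print(heuristic_score(INFECTOR), heuristic_verdict(INFECTOR))
    print(heuristic_score(EDITOR), heuristic_verdict(EDITOR))
    variants = [newvirus_stub(0x10D, 0x200, 0x5A), newvirus_stub(0x120, 0x17F, 0x03)]
    print([generic_detect(v) for v in variants])
    # A variant that changes the skeleton (a NOP before INC SI, which also
    # changes the LOOP displacement) escapes the mask: generic detection is
    # not guaranteed to catch every variant.
    print(generic_detect(variants[0].replace(b"\x46\xE2\xFB", b"\x90\x46\xE2\xFA")))
```

The weights and threshold are where the false-alarm trade-off from section 2 lives: lowering the threshold to 4 would catch more unknown infectors but would also flag the editor, which is exactly the kind of over-eager heuristic that makes users stop trusting the scanner.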
3.7 Detection of malicious content

Malicious code today takes many forms. Traditional threats like classic viruses and worms are still circulating, but have declined in number in relative terms. Today’s ‘weapon of choice’ for malware authors is the Trojan. This class of malware includes a wide array of programs, each tailored to a specific purpose: Backdoor Trojans, PSW Trojans, Trojan Droppers, Trojan Downloaders and Trojan Proxies. There is also an increasing number of potentially undesirable non-viral programs.

Historically, malware authors have focused on e-mail as their main attack vector; and, until recently, the e-mail worm was the main threat facing enterprises. E-mail remains a key means of delivering malicious code: today it often takes the form of direct spamming to a target population of PCs, rather than mass-mailing using e-mail addresses harvested from infected machines.

However, SMTP is not the only attack vector today. Web browsers provide employees with a doorway to the Internet, and the browser is how they are exposed to content on the web, including malicious content. HTTP and FTP can also be used to deliver malicious code to a computer. The specific methods can vary. Malicious code may be embedded in HTML e-mail messages, in the form of VBS (Visual Basic Script) or JavaScript, or within web pages (using ActiveX). Or malicious code may be injected directly into fake software packs or placed on ‘grey-zone’ web pages for download by a Trojan already installed on a victim machine.

The use of exploits to deliver malicious code has now become commonplace. The term exploit describes a program, piece of code or even some data written by a hacker or virus writer that is designed to take advantage of a bug or vulnerability in an application or operating system. Using the exploit, an attacker gains unauthorized access to, or use of, the application or operating system.
The use of exploits by hackers and virus writers has increased during the last few years. Typically, exploit code is used to gain access to confidential data or to put the victim machine to further unauthorized use.

The various means by which code may be delivered to a victim computer are sometimes referred to as ‘active content’ or ‘content’. Kaspersky Lab provides protection from malicious or potentially undesirable code, regardless of the means used to deliver it to the computer.

3.8 Detection of rootkits

The term rootkit is borrowed from the Unix world, where it was used to describe tools used to maintain ‘root’ access while remaining invisible to the system administrator. Today it refers to stealth techniques employed by malware authors
to hide the changes they have made to a victim machine. Typically, the malware author obtains access to the system by cracking a password or exploiting a vulnerability and then uses this to gain other system information until he achieves administrator access to the machine.

Rootkits are often used to hide the presence of a Trojan, by concealing registry edits, the Trojan’s process(es) and other system activity. This is done either by replacing legitimate system files or libraries, or by installing a kernel module on the system. The aim is to intercept system information and so prevent the user from seeing what’s really going on, namely a range of malicious activity. It could be the theft of banking data through the use of a keylogger, the hijacking of a victim machine for widespread distribution of spam e-mail, or the collective (mis)use of victim machines in a DDoS (Distributed Denial of Service) attack designed to extort money from a specific organization.

However, rootkits are not only used to increase the life expectancy of out-and-out malicious code such as viruses, worms and Trojans. They are being used increasingly by adware programs, quasi-legal applications used to advertise goods or services, to prevent their removal from the system on which they’re installed.

The first step in installing the rootkit is for a hacker to gain user-level access. This is then used to gain root, or administrator, access to the system. Of course, the fact that most users simply use the administrator's account, rather than creating a separate user account, makes it much easier for a hacker to install a rootkit on the victim machine: and this is a major factor that has contributed to the increased use of rootkits. Once the rootkit is installed and running, it is able to conceal network activity, registry data, processes running on the system and anything else that might alert the user to its activity. There are user-mode and kernel-mode rootkits.
Kernel-mode rootkits, as the name suggests, operate at a low level within the operating system and are able to hide themselves more effectively than user-mode rootkits.

It’s clear that the threat landscape has changed markedly in recent years. The transition to cyber crime means that more is at stake and malware authors have more reason than ever to conceal their actions on victim machines. For this reason, rootkits are likely to remain a key weapon in the arsenal of malware authors. Of course, the low-level nature of rootkits, and the way they hook into the system, makes them difficult to detect and even more difficult to remove. Effective detection and removal of rootkits has become essential; and this requires an anti-virus engine that implements advanced detection and cleaning techniques.[3]

[3] The Proactive Defense Module [PDM], integrated into Kaspersky® Anti-Virus 6.0, Kaspersky® Internet Security 6.0 and Kaspersky® Anti-Virus 6.0 for Windows Workstations, is able to detect new, unknown rootkits, block them and roll back any changes they have made to the system. For more details on the PDM, see the section below on Other core detection technologies.
3.9 Detection of mobile threats

The use of increasingly sophisticated mobile devices within the corporate world continues to grow, and with it the use of wireless technologies of one sort or another. Today, there’s little you can do with a laptop that you can’t do with a handheld computer. Enterprises operate today in an ‘open space’, with employees connected, and therefore open to attack, wherever they work: in the work place, at home, or on the road. Mobile devices operate beyond the reach of traditional network security; and as they start to carry more and more valuable corporate data, they become a more attractive target for the writers of malicious code.

The first worm for mobile phones, Cabir, appeared in June 2004. Since then Cabir has spread to more than 40 countries across the globe. Cabir spreads using Bluetooth. This is the most common method for wireless transmission of data, so it’s no surprise that it has become the chosen means of infection for many virus writers. Research[4] carried out by Kaspersky Lab’s Alexander Gostev shows clearly that significant numbers of Bluetooth-enabled devices are left in discoverable mode: open to infection and open to hackers.

In a very short period of time, we have seen viruses, worms and Trojans for mobile devices; that is, the array of threats that took twenty years to develop on PCs! Currently, we see around ten new mobile threats per week. Many are fairly basic, but it’s clear that malware authors are aware of the long-term potential for using mobile devices for making money illegally. In April 2006, we saw the first Trojan Spy for Symbian OS. Flexispy is a commercial Trojan that takes over control of smartphones and sends call information and SMS data to the author or ‘master’ of the Trojan. Evidence showed that its author was selling his creation for $50. And we’ve seen similar malware for Windows Mobile, currently the second most popular operating system for mobile devices.
Since most mobile threats we’ve seen so far require user interaction (accept the file transfer, then agree to run it), it might seem surprising how well they spread. That is, until you consider the success of PC-based worms that require similar user action. The key is social engineering, used by writers of viruses and worms as a way of beguiling unsuspecting users into running malicious code: often using the lure of free pornographic pictures, movie downloads, free services or make-money-fast schemes. It’s no different on mobile phones. For example, the Comwar worm uses MMS (Multimedia Messaging Service) to send itself to contacts found in a phone’s address book, at a cost of around €0.35 per message. Research[5] conducted by Kaspersky Lab’s Konstantin Sapronov found that 25% of users with devices in discoverable mode accepted files transmitted to their devices using Bluetooth: this figure rose significantly where the filename contained the word ‘sex’.

[4] See http://www.viruslist.com/en/analysis?pubid=188833782
[5] http://www.viruslist.com/en/analysis?pubid=181198286

The payload of mobile threats varies. The phone may become unusable while the worm remains installed: the Skuller Trojan, distributed via download from a variety of mobile sites, replaces system icons with a skull icon, and the services related to the icons no longer work. The Mosquit Trojan sends SMS (Short Messaging Service) messages to premium rate numbers. Crimeware programs like Brador, Flexispy or one of the other mobile Trojans allow the malware author or ‘master’ to steal confidential data stored on a mobile device. It’s worth noting in this context that users seldom encrypt the data they store on their device, and many don’t even use a power-on password.

While virus writers are still experimenting with mobile technology, we’ve already seen some interesting developments. These include Lasco, a hybrid virus/worm combination; Cxover, which infects files on mobile devices and PCs; and RedBrowser, a Trojan that targets phones running Java (J2ME), i.e. non-smartphones.

Although it’s clear that mobile devices are far from immune to attack, it’s hard to predict when the proof-of-concept trickle will turn into a flood. This will depend largely on usage. Once the number of smartphones, and their use for conducting online business, reaches critical mass, the criminal underground will target them, just as they target any commonly used system. Today criminals use the data stored on desktops and laptops to make money illegally. Tomorrow they will seek to harvest data from mobile devices for the same purpose.

Detection of mobile threats is integrated into the Kaspersky® anti-virus engine. Kaspersky Lab adds detection for new mobile threats as they appear, to ensure that users are well protected from this growing threat.
3.10 Detection of spyware[6]

As outlined above, the Kaspersky® anti-virus engine delivers a unique combination of technologies necessary to successfully find and remove all kinds of malware. However, there are other ways for hackers, spammers and other cyber criminals to harm users. During the last few years there has been a growth in the number of non-viral, but potentially hostile, programs that can be used by criminals to attack users or hijack their machines for malicious purposes. This includes adware and the malware-related applications classified by Kaspersky Lab as riskware and pornware. Such programs cannot be defined as malware per se. In fact, they may be legitimate applications. But their potential for misuse by hackers and other cyber criminals means that users increasingly see them as undesirable applications and need the means to identify them.

[6] For more information on spyware programs, see the Kaspersky Lab white paper Detecting spyware and other potentially hostile non-viral programs.

Kaspersky Lab has a long history in detecting and removing Trojan spyware programs. This goes back to 1996, when Kaspersky Lab included detection and removal for the first AOL password-stealing Trojans. Today, Kaspersky Lab has a consistent track record in independent tests for detection of Trojans and other malware. Kaspersky Lab also delivers exceptional protection from potentially hostile programs, so-called spyware.

Detection of potentially hostile programs is especially important for enterprises, since such applications can bring significant security and legal risks, including:

• Financial losses that result from theft of confidential corporate information.
• Reduced computer performance and lower employee productivity.
• Increased risk of legal liability.
• Increased remote access costs.

Spyware is something of a grey area, so there’s no clear definition. However, as the name suggests, it’s often loosely defined as software designed to harvest data from a computer and forward it to a third party without the knowledge or consent of the computer’s owner. This includes monitoring keystrokes, collecting confidential information (passwords, credit card numbers, PIN numbers, etc.), harvesting e-mail addresses or tracking browsing habits. There’s a further by-product, of course: such activities inevitably affect network performance, slowing down the system and consequently affecting the whole business process.

The lack of a hard-and-fast definition stems from the fact that spyware is really just a catch-all term for a wide assortment of malware-related programs. To illustrate this point, consider the definition of spyware created by the Anti-Spyware Coalition (ASC) in August 2005.
The ASC defines ‘spyware and other potentially unwanted technologies’ as those that ‘impair users' control over material changes that affect their user experience, privacy, or system security; use of their system resources, including what programs are installed on their computers; or collection, use, and distribution of their personal or otherwise sensitive information.’

Clearly, this definition, like others, covers a whole range of malware and malware-related programs, including Backdoor Trojans, Trojan Proxies and PSW Trojans. Although such programs are not new, their use for malicious purposes has increased in recent years and they have received much greater attention, both from the media and from vendors who have developed (or bought) stand-alone anti-spyware products.

Detection and removal of spyware applications is integrated into the Kaspersky® anti-virus engine and anti-virus databases.[7] Other types of program often referred to as spyware are presented below.

[7] KL placed FIRST in the Computer Bild spyware test, July 2005. KL placed FIRST in the Computer Bild spyware test, March 2006. KL won SC Magazine ‘Best Anti-spyware’ award in 2006. KL holds West Coast Labs Checkmark ‘Anti-Spyware’ certification.
Adware

Adware programs are designed to launch advertisements, often pop-up banners, on infected machines and/or to re-direct search engine results to promotional web sites. They are often built into freeware or shareware programs: the price the user pays for the free program is the installation of an adware program. Sometimes adware programs are downloaded surreptitiously from a web site and installed on a user’s machine. Hacker tools, often referred to as Browser Hijackers (because they subvert the web browser to install a program without the user’s knowledge), download adware programs via a web browser vulnerability. Browser Hijackers may change browser settings, re-direct incorrect or incomplete URLs, or change the default homepage. They may also re-direct searches to ‘pay-to-view’ (often pornographic) web sites.

Typically, adware programs do not show themselves in the system in any way: there is no listing under Start | Programs, no icons in the system tray and nothing in the task list. In addition, adware programs seldom come with a de-installation procedure, and attempts to remove them manually may cause the original carrier program to malfunction.

Pornware

Pornware is the generic term used by Kaspersky Lab to describe malware-related programs that either use the computer’s modem to connect to pornographic pay-to-view services, or download pornographic content from the web, without the consent of the user.

Riskware

Riskware is the generic term used by Kaspersky Lab to describe programs that are legitimate in themselves, but that have the potential for misuse by cyber criminals: for example, remote administration utilities. Such programs have always had the potential to be misused, but they now have a higher profile. During the last few years, virus writing and hacker techniques have started to merge. In the changing climate, such riskware programs have come into their own as a means of controlling machines for malicious purposes.
3.11 Updating virus signatures

The anti-virus databases are an inseparable part of an anti-virus engine. As already observed, a well-designed engine is not updated frequently, whereas the databases must be constantly updated because they store signatures, checksums and special modules for detecting new malware.

It’s well known that new threats appear every day.[8] So it’s important to update the anti-virus database as frequently as possible. In the early days of PC viruses, quarterly updates were enough for most customers. Later, monthly updates became standard. Even five years ago, it was normal to update the anti-virus database weekly.

[8] As of March 2007 more than 200 new records are added to the Kaspersky® anti-virus databases every day.
Now it’s better to update more frequently. Home users should update their databases every day. Enterprises, with thousands of PCs to protect, have a higher risk of infection because of the number of possible victims, so protection is more critical. It’s advisable for enterprises to update several times a day (at least every three to six hours). ISPs should check for new updates even more frequently: and this applies equally to corporate e-mail servers and other perimeter anti-virus defenses.[9]

The elements included in the anti-virus databases are also significant, since the databases may contain not only virus signatures, but also other program procedures. Such procedures offer a way of updating the engine through the normal database update.

The Kaspersky® anti-virus databases are updated hourly. Owing to the smart architecture of the Kaspersky® anti-virus engine, these updates are incremental, adding detection just for new threats rather than replacing the entire database each time the user does an update. The average size of an update is 20KB, although sometimes Kaspersky Lab releases updates containing specific enhancements (to scan within a new unpacker, for example), in which case an update may be up to 300KB.

Approximately 70% of the anti-virus engine functionality is integrated into the databases. In this way, for example, support for a new archiver or compression utility can be added to the anti-virus databases at any time. Thus, regular daily updates provide not only enhanced detection for malware, but also updated engine functionality. This feature ensures a very quick response to any given situation and maximum protection against viruses.

4 Other core detection technologies

Kaspersky Lab continually develops new technologies designed to ensure that the company remains in the vanguard for detection and removal of malicious code and potentially hostile programs, and to ensure that Kaspersky Lab solutions deliver optimal performance.
[9] One ISP that partners with Kaspersky Lab checks for new updates every 10 minutes.

4.1 Proactive Defense Module

Proactive detection refers to an anti-virus solution’s ability to find new, unknown threats before they appear and without the need for a specific signature. Analyzing new varieties of malicious code, and releasing updates to deal with them, takes time, however efficient the processes employed by a virus analyst team. Unless an anti-virus solution includes proactive detection methods, customers will remain unprotected from new threats until a signature update is available. In fact, anti-virus programs have never relied exclusively on signature analysis. However, today’s threats are more numerous, faster spreading and more dangerous than ever before, and proactive detection is a vital element in any comprehensive defence strategy.

The Kaspersky Lab Proactive Defense Module (PDM)[10] blends a range of proactive technologies to give a high level of protection from new threats. The PDM provides real-time analysis of processes in the system. If a dangerous, suspicious or hidden process is launched, the PDM blocks the process, alerts the user and rolls back any changes made to the file system and registry, undoing any changes made by the suspicious process.

The PDM monitors application behavior for the following types of suspicious activity.

Worm.Generic
These programs try to re-distribute their code across networks, using local shared folders or e-mail.

Worm.P2P.Generic
These programs try to use local folders to spread automatically across peer-to-peer networks, or use e-mail to spread across the Internet.

Trojan.Generic
These programs cause damage to a computer, impair its functioning or threaten the integrity of data stored on it.

Buffer overrun
A buffer overrun is a programming error that allows malicious code to ‘piggyback’ a legitimate process by writing its own code beyond the boundaries of a memory buffer. The PDM detects processes that try to exploit a buffer overrun in order to launch themselves as a separate process in memory.

Data Execution
These programs try to evade activity analyzers by allocating themselves non-executable memory and planting their code there.

Root shell
These programs are used by cyber criminals to gain remote shell access to a victim machine.
Internet Browser Launchers
These programs try to launch a user’s default browser with specific parameters, to transmit data to an executable program or script residing on a remote server.

[10] The PDM is included in Kaspersky® Anti-Virus 6.0, Kaspersky® Internet Security 6.0 and Kaspersky® Anti-Virus 6.0 for Windows Workstations.
Invaders
These programs inject their code into a user’s address space and then pass the execution flow to this code, giving them the same rights as the user.

Hidden Objects (Rootkits)
These programs conceal their presence on a system, hiding installed files, registry changes and running processes. As well as concealing themselves, they cannot be terminated in Task Manager.

Suspicious values in registry
These programs create their own registry keys, accessible only to this program: they cannot be opened using a registry editor.

Strange system behavior
This includes several types of suspicious activity.
• Programs that try to access physical memory directly.
• Programs that try to make changes to the R0-R3 gateway handler (as part of rootkit installation, for example), the subroutine responsible for allowing applications to call kernel functions.
• Programs that add suspicious values to the registry.

Hidden installers
These programs, including Trojan-Droppers and Trojan-Downloaders, surreptitiously install their components into the system.

Keyloggers
Keyloggers and keyboard spy programs record information about keys pressed by the user, usually without his/her knowledge or consent. The methods can vary, but include polling the keyboard and the use of keyboard filter drivers. Their purpose is to obtain confidential data, including passwords and PINs. Typically this data is copied to the hard disk and then secretly transferred to the author or ‘master’ of the keylogger using e-mail or some other method.

Trojan Cryptors
These programs, including ‘ransomware’ programs like GpCode and Krotten, encrypt document files. The PDM checks for such changes and is able to roll back any changes (i.e. encryption) made by the Trojan Cryptor.

Hidden data sending
This includes programs that use a special Internet Explorer mechanism to send data on behalf of the browser.
This enables them to evade detection by a personal firewall, since personal firewalls are normally configured to allow Internet Explorer to send data.

Private data and password access
These are Trojan-PSW programs that try to collect personal data such as ICQ and other passwords.

The PDM includes three additional subsystems designed to block malicious code.
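As an added example (not the PDM's own code, and not from this whitepaper), the following Python sketch shows the shape of a behaviour monitor in the spirit of the categories above: it journals each process's file changes, raises a verdict when a process crosses a rule threshold (documents rewritten, copies dropped on network shares, a keyboard filter added), and rolls that process's changes back. The event stream, rule names, thresholds and the abbreviated registry path are all constructed for this illustration.

```python
"""Added example (not Kaspersky Lab's PDM code): a rule-based behaviour
monitor with per-process rollback. Events, thresholds, the registry path
and the file-system contents are constructed for illustration."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

DOC_EXT = (".doc", ".xls", ".pdf")
# Abbreviated stand-in for the keyboard class UpperFilters value (assumed).
KBD_FILTER_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B}\UpperFilters"

class Monitor:
    def __init__(self, fs: Dict[str, bytes]):
        self.fs = fs                      # simulated file system: path -> content
        self.journal: Dict[int, List[Tuple[str, Optional[bytes]]]] = defaultdict(list)
        self.counters = defaultdict(lambda: defaultdict(set))  # pid -> rule -> evidence
        self.verdicts: Dict[int, str] = {}

    def handle(self, ev: dict) -> Optional[str]:
        """Apply one event and return a verdict name if a rule fires."""
        pid, action, target = ev["pid"], ev["action"], ev["target"]
        if pid in self.verdicts:          # process already blocked: drop the event
            return self.verdicts[pid]
        c = self.counters[pid]
        if action == "write_file":
            # Journal the before-image (None if the file is new) so we can undo it.
            self.journal[pid].append((target, self.fs.get(target)))
            self.fs[target] = ev["data"]
            if target.startswith("\\\\"):          # copy dropped on a network share
                c["share_writes"].add(target)
            if target.lower().endswith(DOC_EXT):   # user document rewritten
                c["doc_rewrites"].add(target)
        elif action == "reg_write" and target == KBD_FILTER_KEY:
            c["kbd_filter"].add(ev["data"])        # keyboard filter driver added
        elif action == "inject" and target.lower() == "iexplore.exe":
            c["browser_inject"].add(target)        # code pushed into the browser
        return self._evaluate(pid, c)

    def _evaluate(self, pid: int, c) -> Optional[str]:
        verdict = None
        if len(c["share_writes"]) >= 2:
            verdict = "Worm.Generic"
        elif len(c["doc_rewrites"]) >= 3:
            verdict = "Trojan Cryptor"
        elif c["kbd_filter"]:
            verdict = "Keylogger"
        elif c["browser_inject"]:
            verdict = "Hidden data sending"
        if verdict:
            self.verdicts[pid] = verdict
            self.rollback(pid)            # block and undo, as the PDM is described to do
        return verdict

    def rollback(self, pid: int) -> int:
        """Undo this process's journaled file changes, newest first."""
        undone = 0
        while self.journal[pid]:
            path, before = self.journal[pid].pop()
            if before is None:
                self.fs.pop(path, None)   # file did not exist before: delete it
            else:
                self.fs[path] = before    # restore the original content
            undone += 1
        return undone

def run(events: List[dict], fs: Dict[str, bytes]):
    """Replay an event stream; return (verdicts by pid, resulting file system)."""
    mon = Monitor(dict(fs))
    for ev in events:
        mon.handle(ev)
    return mon.verdicts, mon.fs

FS0 = {r"C:\Docs\q1.xls": b"sales", r"C:\Docs\memo.doc": b"memo", r"C:\Docs\plan.pdf": b"plan"}
EVENTS = [  # constructed: 101 encrypts documents, 202 spreads to shares, 303 hooks the keyboard
    {"pid": 101, "action": "write_file", "target": r"C:\Docs\q1.xls", "data": b"\x9f\x11"},
    {"pid": 101, "action": "write_file", "target": r"C:\Docs\memo.doc", "data": b"\x02\xe4"},
    {"pid": 101, "action": "write_file", "target": r"C:\Docs\plan.pdf", "data": b"\x7a\x00"},
    {"pid": 202, "action": "write_file", "target": r"\\fileserv\public\setup.exe", "data": b"MZ"},
    {"pid": 202, "action": "write_file", "target": r"\\hr\shared\setup.exe", "data": b"MZ"},
    {"pid": 303, "action": "reg_write", "target": KBD_FILTER_KEY, "data": "kbdspy"},
    {"pid": 404, "action": "write_file", "target": r"C:\Docs\notes.txt", "data": b"ok"},  # benign
]

if __name__ == "__main__":
    verdicts, fs = run(EVENTS, FS0)
    print(verdicts)   # {101: 'Trojan Cryptor', 202: 'Worm.Generic', 303: 'Keylogger'}
    print(sorted(fs))  # shares removed, documents restored, benign notes.txt kept
```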