Host Organization
Wayang Golek
Supporting Organizations
Solution Graphics

<<< Back

Behavior-Based Detection for file infectors

Rajesh Nikam
Lead Research Engineer Quick Heal Technologies Pvt Ltd

Infectors also known as viruses were the first category of malware to appear. Over the years many more categories were added to the threat landscape like Backdoor, Trojan, Adware, Spyware, Rogue anti-viruses to name few. However infectors till today contribute to significant part to the most prevalent malware families. There are changes in the infection mechanisms; however the core infector behavior has remained the same. This common behavior includes enumeration of local, network and USB drives to hunt possible target executable files and patching these files by inserting malicious code by various techniques like cavity, appending, pre-pending viruses or entry point obfuscation. Some of the infectors use complex, polymorphic, multi-level encryption mechanism which pose challenges for writing detection and repair for such infectors. It is observed that most of the commercial Security Products have reactive approach to deal with infector outbreaks. Interestingly Security Products miss behavior-based detection approach for detection of such infectors.

This paper presents a novel technique for infector detection that is based on the infector behavior. This implementation is based on file system monitoring coupled with heuristics to observe Portable Executable (PE) file modifications done by any applications on the computer. If application is found to modify PE file header and insert code in similar pattern, this could be triggered as possible infector behavior. Such application could be blocked from further PE file write access. The presentation includes findings with behavior-based detection implementations and the challenges with prevalent infectors seen in last six-months. Such behavior-based detection approach would help to mitigate infector outbreak in enterprise networks and possible damage to the systems. This approach could be augmented to collect undetected infectors from the user machine which could process in traditional way.