computer virus advancement · john lynch division of science and mathematics university of...
TRANSCRIPT
Computer Virus Advancement
John Lynch
Division of Science and MathematicsUniversity of Minnesota, Morris
Morris, Minnesota, USA
November 12, 2016Morris, Minnesota
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 1 / 29
Overview Abstract
Abstract
Why would we make a virus?
We work at some company that we know isn’tthe greatest.
Long hours, little pay, and Karen keeps takingyour meals out of the fridge.
It’s time for payback with corporate sabotage.
Please don’t actually do this. This is anexample with comedy.
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 2 / 29
Overview Outline
Outline
1 Introductions
2 Applications
3 Security
4 Conclusions
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 3 / 29
Overview Definitions
Background
Malware: Software that is created formalicious purposes against computersystems.Computer Virus: One form of malwarethat self-replicates in a systemGenetic Algorithms: A method for solvingoptimization by mimicking biologicalevolution.Anti-Malware: Software developed tocombat malicious software.
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 4 / 29
Introductions
Outline
1 IntroductionsGenetic AlgorithmsComputer viruses
2 Applications
3 Security
4 Conclusions
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 5 / 29
Introductions Genetic Algorithms
What it looks like
start
generate initial population
evaluate individual fitness,rank individual fitness
time tostop
generate new population
stopyes
no
method of evolution presented by Thomas Back
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 6 / 29
Introductions Computer viruses
Basic virus structure
partstriggerpayloadinfection mechanism
phasesdormant phasepropagation phasetrigger phaseexecution phase
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 7 / 29
Introductions Computer viruses
Our Virus
supahVirus.bat:swarmMeth:mechMethgoal
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 8 / 29
Applications to Viruses
Outline
1 Introductions
2 ApplicationsHiding in plain sightFaster from training
3 Security
4 Conclusions
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 9 / 29
Applications to Viruses Hiding in plain sight
How :swarmMeth works
This is used during propagation phase.Return the copy of the virus.In Batch this would be creating a newterminal with the same function.
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 10 / 29
Applications to Viruses Hiding in plain sight
Simple :swarmMeth
swarmMeth ( ) {i n i t i a l i z e ( t h i s V i r u s ) ;wh i le t r ue do {
r e t u r n copy ( t h i s V i r u s ) ;}
}
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 11 / 29
Applications to Viruses Hiding in plain sight
Improving :swarmMeth
swarmMeth ( ) {i n i t i a l i z e ( t h i s V i r u s ) ;wh i le t r ue do {
mutatedVirus = mutate ( t h i s V i r u s ) ;i f mutatedVirus . name != t h i s V i r u s . name{
i n i t i a l i z e ( mutatedVirus ) ;}
}}
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 12 / 29
Applications to Viruses Hiding in plain sight
Names to change
Supahvirus.bat
Superbvirus.bat
youGetTheIdea.bat
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 13 / 29
Applications to Viruses Faster from training
Heuristic search
Where do we want to search first?What folders are more likely to have what we’re looking for?We need to sort out priorities.
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 14 / 29
Applications to Viruses Faster from training
Training our search
Begin training in offline search environments.Randomly create folders that simulate company computer filestructures.Keep track of folder structures that consistently appear, use thosecommon occurrences.
method of training presented by Sadia Noreen et. al. of next generation intelligent network research
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 15 / 29
Applications to Viruses Faster from training
How :mechMeth works
This is the infection mechanism.We move each new copy that we make with:swarmMeth
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 16 / 29
Applications to Viruses Faster from training
Simple :mechMeth
mechMeth ( ) {wh i le t r ue do {
f o r each f o l d e r f i n f o l d e r s {i f ( f o l d e r . name == " secre tFo lder " ) {
copyAndTransfer ( f ) ;} e lse {
i n t o ( swarmMeth , f ) ;}
}}
}
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 17 / 29
Applications to Viruses Faster from training
Improving :mechMeth
mechMeth ( ) {f o l d e r s = new pr i o r i t yMap [ h e u r i s t i c ]wh i le t r ue do {
f o r each f o l d e r f i n f o l d e r s {i f ( f o l d e r . name == " secre tFo lder " ) {
copyAndTransfer ( f )} e lse {
swarmMeth ( )i n t o ( swarmMeth . mutatedVirus , f )i n i t i a l i z e ( mutatedVirus )
}}
}}
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 18 / 29
Applications to Viruses Faster from training
What we can genetically modify
Names, each character that is put into thename of the virus.Payload, different pictures or modifications tofiles.Variations of methods, changing what themethods do and how they do it.
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 19 / 29
Security
Outline
1 Introductions
2 Applications
3 SecurityDetecting machine generated malwareDifferent bases of defense
4 Conclusions
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 20 / 29
Security Detecting machine generated malware
Basic anti-malware
Does it have a bad name?Why do these programs have the samename in process and action?Where did the processing power go?If you see something, say something. McGruff the crime dog. all rights reserved.
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 21 / 29
Security Detecting machine generated malware
Anti-malware based on signatures
What programs running are doing the same thing?Are the processes using similar power?Are there similar code structures that reappear?Where did all these processes come from?Different name, but we know it’s the same game.
Signature detection based on research by Kandissounon and Chouchane of Columbus University
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 22 / 29
Security Different bases of defense
Defenses
User diligenceCan the user see when andwhere there is a maliciousprocess?How long until a user can takeaction?Does a user have the power tooverride ongoing processes?
Anti-malware diligenceWhen does the anti-malwarenotice something is amiss?Does the anti-malware throttleprocesses that seemmalicious?Can the anti-malware defendagainst its own destruction?Can the anti-malware alert theuser?
Defenses presented by Yang Wang and Chenxi Wang, Carnegie Melon University
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 23 / 29
Conclusions
Outline
1 Introductions
2 Applications
3 Security
4 ConclusionsResultsWhat we’ve learned
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 24 / 29
Conclusions Results
Results
Several studies have been conducted on evolving malware andanti-malware. Both malware and anti-malware are improvable by theseprocesses.
A study introduced evolving malware with basic and signature-basedanti-malware. Evolution based programs significantly improved theefficiency of both malware and anti-malware.
See references for more details on exactness of studies. Sadia Noreenet. al.
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 25 / 29
Conclusions What we’ve learned
What we’ve learned
Evolutionary computation may be the cornerstone of improvement tomalware and anti-malware as we make advances in computer science.
Each new generation of viruses and anti-malware will only becomestronger in their efforts to accomplish whatever goals they set.
As a virus is constructed to spread they gain strength by more thanone utility at their disposal.
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 26 / 29
Conclusions What we’ve learned
Thanks!
Thank you for your time and don’t do what I just talked about. I mayhave made several watch-lists. Special thanks to Elena Machkasova,Kristin Lamberty, Nic Mcphee, and my reviewer for putting up with me.
Contact:
Questions?
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 27 / 29
References
References
Sadia Noreen, et. al. Evolvable Malware, GECCO ’09 Proceedingsof the 11th Annual conference on Genetic and evolutionarycomputation Pages 1569-1576, Canada
Yang Wang, Chenxi Wang, Modeling the Effects of TimingParameters on Virus Propagation, WORM ’03 Proceedings of the2003 ACM workshop on Rapid malcode Pages 61-66,Washington, DC
Andrea Cani, et. al. Towards Automated Malware Creation: CodeGeneration and Code Integration, SAC ’14 Proceedings of the 29thAnnual ACM Symposium on Applied Computing Pages 157-160,Torino, Italy
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 28 / 29
References
References
Kandissounon, Chouchane, A Method for DetectingMachine-generated Malware, ACM-SE ’11 Proceedings of the 49thAnnual Southeast Regional Conference, Kennesaw, Georgia
Thomas Back, Evolution strategies: basic introduction, GECCO’13 Companion Proceedings of the 15th annual conferencecompanion on Genetic and evolutionary computation Pages265-292, New York, NY
See my senior seminar paper for additional references.
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 29 / 29