What is Anti-Malware?

August 3, 2020

In May 2017 the world was devastated by a worldwide cyber attack that affected more than 200,000 computers across 150 countries. Users and companies alike were infected by the rapidly spreading computer virus that attacked critical agency providers like the National Health Service. According to Cyber risk modeling firm Cyence, the hack caused hundreds of millions of dollars in damages that could have been avoided with proper software security updates and vulnerability transparency by governmental agencies like the NSA. Many still remember the historic cyber attack as the infamous WannaCry attack.

Surviving the tech Wild West

Wild_west Image source

With cyber attacks posing real threats to peoples’ livelihoods, it’s not hard to see why protecting yourself from such attacks can be vitally important to governments, businesses and individuals.

It Starts With You

The first line of defense often starts with you, the user, to be situationally aware of your actions on the world wide web. That entails sifting through phishing scams and suspicious websites, links or attachments. More often than not, good internet common sense can save you a lot of trouble; an ounce of prevention is worth a pound of a cure.

Call In The Calvary

In addition to common good internet practices, the second best thing to invest in is anti-malware/antivirus software. Anti-malware’s main objective is to stop any malicious threats from infecting your computer; those include a platitude of threats ranging from computer viruses to internet worms.

Not having antivirus (AV) technology can lead to malware breaches. Currently, malware breaches of all sizes are costing industries $350 billion a year! That is why cyber-breaches incentivize companies and governments to heavily invest in cyber-security.

Anti-malware software is thus an incredibly useful tool to help identify and eliminate many malware threats.

In this article, I will go over the reason why anti-malware is important and what types of malware are out there. Furthermore, I will go over in-depth the certain techniques used to do malware analysis and investigations. Lastly, there will a reading list to give you a review of some great anti-malware software out there.

Team Red: Malicious Rogue Bandits

Bandits and Roguges Image source

What bandits and gangs were to the Wild West, hackers and scammers are in the 21st century. Only difference — they use malware instead of guns to attack and exfiltrate personal data.

Overview: What exactly is Malware?

According to Malwarebytes Labs, Malware, or “malicious software,” is an umbrella term that refers to any malicious program or code that is harmful to systems.

Malware is usually intentionally designed to either destroy data, install additional programs or exfiltrate (steal) data. For instance, malware can break computer systems or even be part of a larger agenda in the case of WannaCry. In summary, malware compromises the confidentiality, integrity, and availability (CIA for short) of a victim’s data.

It is important to understand why malware is a huge concern. Companies large and small are constant targets for malware attacks.

Furthermore, individuals who aren’t likely end-targets can still become potentially impacted as an intermediary; that is, they can be used, for example, as bots in a much larger botnet to enact major attacks like DDoS(distributed denial of service) attacks, etc. These attacks typically result in loss of data, intellectual property, competitive advantage, and loss of overall consumer confidence.

Malware Arsenal

bandit_arsenal Image source

Now, let’s look at some of the major forms of malware.

Viruses

Computer viruses can run on any operating system, be it Windows or Mac. Computer viruses are actually, contrary to common belief, a type of malware. Viruses are defined as follows:

  1. A computer virus requires a host program.
  2. A computer virus requires user action to transmit from one system to another.
  3. A computer virus attaches bits of its own malicious code to other files or replaces files outright with copies of itself.

Worms

In contrast to computer viruses, worms are capable of spreading and executing itself from one system to another without user interaction. Afterward, worms can do various malicious tasks such as dropping a payload, affecting the file system and consuming computer resources.

There are two main types of worms: Network Service Worms, Mass Mailing Worms.

Trojan Horse Programs

Next, we have the Trojan horse programs. According to Greek mythology, the Greeks built a wooden horse to subterfuge the city of Troy. Much like the Greek Trojan, the computer Trojan horse aims to infect your computer using deception by tricking users into running seemingly benign computer programs.

Ransomware

Finally we have ransomware. Ransomware “is malicious software that blocks access to the victim’s data until a ransom is paid.” — David Koff. It usually involves encrypting one’s files to render it unreadable to the victims. This incentivizes victims to pay up, usually using cryptocurrencies such as Bitcoin.

Team Blue: The Marshal and Deputy

marshal_badge Image source

In the Wild West the marshal and deputy were there to protect the simple town folk from bandits and gangs. That is now the job of Anti-Malware.

Overview: What exactly is Anti-Malware?

Anti-malware is software that protects the user from infrastructure destruction, financial ruin, loss of data or loss of consumer confidence, etc. through sophisticated malware techniques in detection, containment and prevention.

Anti-malware usually contains various techniques for malware protection and can provide different protection strategies and tools for different malware attacks such as anti-phishing or anti-ransomware protection.

virus_prtection Image source

Malware Protection

There are roughly four areas that comprise malware protection:

  • Recovery
  • Identification/Analysis
  • Containment
  • Eradication/Mitigation

In this article we are more interested in the identification part. Identification and forensics can be split up into two main parts: static malware analysis and dynamic malware analysis. There are many other forms of analysis such as memory and resource use forensics, web and network analysis and specific sandboxing techniques. However, that is beyond the scope of this blog post.

Malware Analysis

This is nowhere near a comprehensive list of Malware Analysis but more of an overview. There will be a reading list for those who are more interested in the nitty-gritty details.

Static Malware Analysis

Static malware analysis is a way of examining code without executing it on your device. There are many techniques and tools, both paid and open-source that help carry out forensic investigation. The following tools and techniques are:

Disassemble

Malware is sometimes reversed-engineered/dissembled using tools called disassemblers. “A disassembler is a computer program that translates machine language into assembly language” — wiki. Now for those of you who don’t speak tech-speak, this means AV is looking into the low-level program instructions to find out if the program will execute malicious code without executing it. Cool!

File Fingerprinting

File fingerprinting is a unique bit string identifier for large data items. Just as a fingerprint can be used to identify the person a file fingerprint can identify the original file. AV software has a database of fingerprints of malware so that they can quickly identify the bad apples from the good ones.

Packer Detection

Hackers are not dumb so more often times than not they add a level of armor to their code called a packer. Packers compress or encrypt executable files so that it’s harder to find out the true contents of a file. Lucky for us, AV also have a few tricks themselves to identify packers and retrieve their content.

They look at something called the portable executable (PE) header which contains information about the file format in Windows similar to ELF for Linux and Mach-O for MacOS.

Dynamic Malware Analysis

Virtualization/Sandboxing

In the aim to provide a safe space to analyze code, highly controlled environments called sandboxes are frequently used to test and run unverified programs which may contain malicious code.

Virtualization and/or sandboxing allows a host to determine what and how much resources a program can have or use at a given time. All without worrying of infecting the computer!

Debugger

Debuggers such as GDB or WinDBG are programs that allow you to look at how programs behave during runtime as well as what effects it has on the host’s system. Debuggers give a wide variety of insights about how code is executed instruction by instruction.

Elect Your Town Sheriff

town_sheriff

Image source

Now that you know about the good guys and the bad guys, how are you going to protect yourself? I recommend anyone to take a look at What is Malware? And How to Protect Yourself Against It; it will give you a brief review on possible good anti-malware software.

In Summary

We covered four main areas in this article; we covered an overview of malware and its major forms; we went in depth on several major types of malware. We also talked about the what anti-malware does and its main objective. Lastly, we gave a general malware analysis overview usually done by anti-software.

I hope you enjoyed this brief overview of anti-malware!


About the author

Earl Potters

Earl is a Junior at CU Boulder pursuing a degree in Computer Science. Earl’s passions are robotics and rugby. He is the founder of RoboBoat at CU Boulder, a robotics club that focus on designing and building ASV(Autonomous Surface Vehicles) for the annual Roboboat International Competition.

This article was contributed by a student member of Section's Engineering Education Program. Please report any errors or innaccuracies to enged@section.io.