

| Title | File | Date |
|---|---|---|
| Behaviors of malicious codes and Detection technique. | -- | 08/20/09 |

Written by Sang-Myung Choi - HAURI Virus Lab
The rapid growth of PCs and the internet has given us many conveniences, but it has also produced a large amount of malicious code.
Every year the number of malicious codes grows remarkably. AV-Test.org, an AV research firm in Germany, recently announced an interesting report, summarized below.
It is based on statistics of unique malicious samples, which increase rapidly every year.
The number of accumulated samples as of May 2009 is about 22 million, and it has been doubling every year for the past few years.
Now I want to share how AV companies detect these malicious codes and repair infected samples.
1. General behaviors of malicious codes
(1) Initial infection
- An initial file is created through a vulnerability (more than 80%)
For a PC to be infected by a malicious code, some preceding event has to happen, such as clicking an attachment in an email, connecting a USB device to the PC, or downloading a specific file from the internet.
Most infections can be prevented by a security patch.
(2) File creation
- Self-copy, Download, Drop
When a PC is initially infected by a malicious code, the code copies itself somewhere in the system, usually into the system folder. It also tries to download other malicious codes from the internet, or drops other malicious codes carried inside itself.
- APIs that create files
CreateFile
ReadFile
WriteFile
CopyFile
GetSystemDirectory
GetWindowsDirectory 
- APIs that try to download
URLDownloadToFileA 
- APIs that try to drop
FindResourceA, LoadResource
(3) Register to be executed (when booting)
- Registry, Service, BHO
A malicious code tries to stay alive in the system as long as it can, so it always needs some mechanism that runs it whenever the system starts.
To do this, the malicious code registers the path of its file in the registry or as a service. It may also register itself as a BHO (Browser Helper Object).
The registry paths most commonly used by malicious codes are listed below.
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- HKLM\SYSTEM\CurrentControlSet\Services
To perform this kind of behavior, the malicious code uses the following APIs (related to the registry and services).
- RegCreateKey
- RegOpenKeyEx
- RegSetValueEx
- RegQueryValueEx
- CreateServiceA
- OpenServiceA
- StartServiceA

(4) Process run
- Process, Thread, DLL injection, Service
A malicious code usually runs independently or as a thread injected into another normal process. It may also be injected as a DLL, or search for the processes of security programs in order to terminate them.
The APIs below support these behaviors; in particular, CreateRemoteThread is used to inject DLL-type malicious codes into other processes.
- CreateProcess
- FindProcess
- TerminateProcess
- CreateThread
- CreateRemoteThread
- WriteProcessMemory
- ShellExecute
- StartServiceA

(5) Network activity
- Port open, Specific domain/port connection, IRC connection
The most active behaviors of malicious codes appear as network activity, because network activity is necessary to transfer the PC user's information to the creator of the malicious code.
The list below shows APIs related to network activity.
- WSAStartup
- WSASend
- socket
- send
- recv
- listen
- accept
- gethostbyname
- InternetGetConnectedState
(6) Malicious behaviors
- Disabling security software, online game account stealing, DDoS, spam mail delivery.
2. Malicious code detection technique
(1) Signature base
Signature-based detection is used to recognize a specific malicious code. A signature is a specific piece of data used to identify a unique file when the AV program scans files; it is also called a pattern.
Most AV products include a database of signatures for all the malicious codes they know of. This database is regularly updated with signatures written by virus analysts. When the AV program scans a new file, it checks whether the file matches any signature in the database.
The following is part of a signature for YARA, an open source tool. It defines a specific string as a signature, and if the string matches in a file, the file is recognized and detected as the malicious code.
[Malicious code signature of YARA]
To design and create a signature, we first need to identify the operating system and file type on which the malicious code runs. Because most systems in use run Windows, most malicious codes are designed for Windows as well.
To be executable on Windows, a file must be in the PE (Portable Executable) format, the executable file format of Windows. Thus, most malicious codes are in PE format, and signatures are written against the PE format.
[PE Architecture]
This method does not cause many false positives, but it cannot detect variants of a malicious code. Some AV products still rely on this approach alone.
Basically, signature-based detection provides very accurate and fast detection, but if the malicious code is changed even a little, it is not detected at all. So this method is not useful for variants.
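To make the signature mechanism and its limitation concrete, here is an added Python example (not code from the article or from HAURI, and not YARA itself): a small scanner that evaluates YARA-like rules, with exact text strings and hex strings that may contain `??` wildcards, against a constructed byte blob. The sample data, rule names and strings are all invented for the example. The second run shows what the text above means about variants: a one-byte change to the URL defeats the exact rule, while a rule written with a wildcard still matches.

```python
import re

# Constructed sample: a fake executable-like blob containing a distinctive
# string. Entirely made up for this example; it is not real malware.
SAMPLE = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 16
          + b"http://evil.example/drop.exe" + b"\x00" * 8)

def compile_hex_pattern(pattern):
    """Compile a YARA-style hex string such as '{ 64 72 6F 70 ?? }' to a regex.
    '??' matches any single byte; every other token is a literal byte."""
    tokens = pattern.strip().strip("{}").split()
    parts = []
    for tok in tokens:
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

# Two hypothetical rules in the spirit of the YARA snippet the article shows.
# Text strings are given as bytes, hex strings as '{ ... }' text.
RULES = {
    "Dropper_Exact": {
        "strings": [
            ("$url", b"evil.example/drop.exe"),   # exact text string
            ("$pe", "{ 50 45 00 00 }"),            # hex string: 'PE\0\0'
        ],
        "condition": "all",
    },
    "Dropper_Loose": {
        "strings": [
            ("$url_wild", "{ 64 72 6F 70 2E 65 78 ?? }"),  # 'drop.ex' + any byte
        ],
        "condition": "any",
    },
}

def scan(data, rules=RULES):
    """Return the names of all rules whose condition is satisfied by data."""
    hits = []
    for name, rule in rules.items():
        matched = []
        for ident, s in rule["strings"]:
            pat = compile_hex_pattern(s) if isinstance(s, str) else re.compile(re.escape(s))
            if pat.search(data):
                matched.append(ident)
        want_all = rule["condition"] == "all"
        if (want_all and len(matched) == len(rule["strings"])) or (not want_all and matched):
            hits.append(name)
    return hits

def variant(data):
    """Constructed 'variant': the same blob with a single byte of the URL changed,
    which is all it takes to defeat an exact string signature."""
    return data.replace(b"drop.exe", b"drop.exf")

if __name__ == "__main__":
    print("original:", scan(SAMPLE))          # ['Dropper_Exact', 'Dropper_Loose']
    print("variant: ", scan(variant(SAMPLE)))  # ['Dropper_Loose']
```

Wildcards and other generalized patterns are the usual way to stretch a signature over a family, but every byte left unspecified widens the set of clean files that can match, which is the false-positive side of the same trade-off.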
(2) Heuristic base detection technique
Heuristic-based detection uses system rules and patterns to detect unknown malicious codes.
Most AV products use some heuristic techniques alongside signature-based detection so that detection can be improved.
Generic detection is one well-known heuristic technique; it can detect variants and suspicious malicious codes.
For a malicious code in the Windows PE format, some PE characteristics are doubtful, as listed below, and they are used for heuristic detection.
- Code execution starts in the final section.
- The section has suspicious characteristics.
- Control moves to another section from a suspicious entry point.
- Suspicious section name.
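As an added example (not from the article or from HAURI's engine), the following Python builds two constructed PE32 header layouts in memory and runs three of the four checks above against them: entry point in the final section, suspicious characteristics of the entry section (writable and executable at once), and a suspicious section name. The fourth check, following control flow out of the entry point into another section, needs a disassembler and is left out. The `SUSPICIOUS_NAMES` set and the threshold in `is_suspicious` are assumptions chosen for the example; the flag constants are the standard PE section characteristics.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names this example treats as suspicious. Illustrative only: UPX0/UPX1
# are the names the UPX packer emits, and a real engine keeps a far larger,
# vendor-specific list.
SUSPICIOUS_NAMES = {b"UPX0", b"UPX1", b".packed"}

def build_pe(sections, entry_point_rva):
    """Build a minimal in-memory PE32 header set (constructed for this example;
    it is not a runnable program). sections: [(name, rva, size, characteristics)]."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                               # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)               # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_point_rva)    # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), size, rva, size, 0, 0, 0, 0, 0, chars)
        for name, rva, size, chars in sections)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + table

def parse_sections(data):
    """Return (entry_point_rva, [(name, rva, size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        name, size, rva, chars = fields[0].rstrip(b"\x00"), fields[1], fields[2], fields[9]
        sections.append((name, rva, size, chars))
    return entry, sections

def heuristic_findings(data):
    """Apply the PE heuristics from the list above and return the rules that fired."""
    entry, sections = parse_sections(data)
    findings = []
    ep_section = None
    for i, (name, rva, size, chars) in enumerate(sections):
        if rva <= entry < rva + size:
            ep_section = i
    if ep_section is None:
        findings.append("entry point outside every section")
    else:
        name, rva, size, chars = sections[ep_section]
        if len(sections) > 1 and ep_section == len(sections) - 1:
            findings.append("code execution starts in the final section")
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry section is both writable and executable")
    for name, rva, size, chars in sections:
        if name in SUSPICIOUS_NAMES:
            findings.append("suspicious section name: " + name.decode())
    return findings

def is_suspicious(data, threshold=2):
    """Heuristic verdict: flag when at least `threshold` rules fire (threshold is a tuning knob)."""
    return len(heuristic_findings(data)) >= threshold

# Two constructed images: a plain compiler-style layout and a packer-style layout.
NORMAL = build_pe([
    (b".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x3000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
], entry_point_rva=0x1200)

PACKED = build_pe([
    (b"UPX0", 0x1000, 0x5000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
    (b"UPX1", 0x6000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
], entry_point_rva=0x6100)

if __name__ == "__main__":
    for label, img in (("normal", NORMAL), ("packed", PACKED)):
        print(label, is_suspicious(img), heuristic_findings(img))
```

Running it shows the compiler-style layout firing nothing and the packer-style layout firing all four rules. A legitimately packed installer has the same layout, which is exactly the false-positive cost the article attributes to heuristics; the threshold and the relative weight of each rule are where an engine tunes that trade-off.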
To define the rule set, a heuristic detection technique needs much more research, analysis and testing than signature-based detection.
Most AV products relied on signature-based detection in the past, but nowadays research into heuristics and their practical use are increasing in order to detect malicious codes more effectively.
The heuristic detection method has improved detection rates and effectiveness. On the other hand, it has some disadvantages: detection response time is slower and the possibility of false positives is higher.
From now on, how these disadvantages are overcome will determine the technique of AV companies.
