www.syngress.com
Botnet Detection: Tools and Techniques • Chapter 5
163
rather than resolving it. IDS signatures and AV signatures (or search strings, or identities, or .DATs, or patterns, or definitions …) are similar in concept in that both are “attack signatures”: they are a way of identifying a particular attack or range of attacks, and in some instances they identify the same attacks. However, the actual implementation can be very different. Partly this is because AV search strings have to be compact and tightly integrated for operational reasons; it wouldn’t be practical for a scanner to interpret every one of hundreds of thousands of verbose, standalone rules every time a file was opened, closed, written, or read, even on the fastest multiprocessor systems. Digital signatures and Tripwire signatures are not really attack signatures at all: they are a way of fingerprinting an object (a file, a package, a message) so that any later modification of it can be detected. They describe the protected object, not the attack.
■
It has a specific (though by no means universally used) technical application in antivirus technology, where it refers to a simple, static search string. In fact, AV scanning technology had to move far beyond that many years ago. One reason was the rise of polymorphic viruses, some of which introduce so many variations in shape between different instances of the same virus that no usable static string exists that could serve as a signature. Another was the need for faster search techniques as systems increased in size and complexity.
■
The term is often misunderstood as meaning that each virus has a single unique identifier, like a fingerprint, used by all antivirus software. If people think about what a signature looks like, they probably picture a text string. In fact, the range of sophisticated search techniques used today means that any two scanner products are likely to use very different code to identify a given malicious program.
AV scanners use a wide range of search types, from UNIX-like regular expressions to complex decryption algorithms and sophisticated search algorithms. These techniques increase code size and complexity, with inevitable increases in scanning overhead. However, in combination with other analytical tools such as code emulation and sandboxing, they do help increase the application’s ability to detect unknown malware or variants, using heuristic analysis, generic drivers/signatures, and so on.
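The distinction drawn in the first item above, between an attack signature and the object fingerprint that a digital signature or a Tripwire database records, as an added example (it is not code from the book, nor from Tripwire): a baseline of SHA-256 digests is built over a known-good set of files and a later snapshot is checked against it. The file paths and contents are constructed for the example.

```python
import hashlib
import hmac
import json


def fingerprint(data: bytes) -> str:
    """Integrity fingerprint of one object: the SHA-256 digest of its bytes."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(tree: dict) -> dict:
    """Record a fingerprint for every object in a known-good tree
    (a mapping of path -> file contents)."""
    return {path: fingerprint(data) for path, data in sorted(tree.items())}


def verify(baseline: dict, tree: dict) -> dict:
    """Compare the current tree against the baseline. The check knows nothing
    about attacks: any byte-level change is reported, whether benign or not."""
    report = {"modified": [], "added": [], "removed": []}
    for path, expected in baseline.items():
        if path not in tree:
            report["removed"].append(path)
        elif not hmac.compare_digest(expected, fingerprint(tree[path])):
            report["modified"].append(path)
    report["added"] = [p for p in tree if p not in baseline]
    for key in report:
        report[key].sort()
    return report


# Constructed sample "filesystem" for the example: not real binaries.
KNOWN_GOOD = {
    "/bin/ls": b"ELF-ls-v1:list directory entries",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/usr/sbin/sshd": b"ELF-sshd-v1:secure shell daemon",
}


def demo() -> dict:
    baseline = build_baseline(KNOWN_GOOD)
    # A later snapshot (constructed): ls replaced by a copy that differs in one
    # byte, sshd legitimately upgraded, passwd gone and a new hidden file dropped.
    later = dict(KNOWN_GOOD)
    later["/bin/ls"] = b"ELF-ls-v1:list directory entrieZ"
    later["/usr/sbin/sshd"] = b"ELF-sshd-v2:secure shell daemon"
    later["/tmp/.bot"] = b"constructed dropped file"
    del later["/etc/passwd"]
    return verify(baseline, later)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The checker reports the upgraded sshd exactly as it reports the altered ls: it has no notion of an attack, only of the object's bytes, which is what makes it a fingerprint rather than an attack signature. It also only helps if the baseline is kept where the attacker cannot rewrite it (offline, or itself digitally signed), since anyone able to replace /bin/ls could otherwise update its digest too.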
To this end, modern malware is distributed inconspicuously, spammed out in short runs or via backdoor channels, with the core code obscured by repeated rerelease and wrapped and rewrapped using runtime packers, to make detection by signature more difficult. These technical difficulties are compounded by the botherder’s ability to update or replace the initial intrusive program.
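Why a simple static search string stops working once each copy of the same code is re-encoded, and what a decryption-driven signature adds, as a constructed example (added here; it is not the book's code and not any AV product's engine): the same body is XOR-encoded under a per-instance key behind a toy decoder stub whose filler length and preceding junk also vary, standing in for the polymorphic engine or runtime packer described above, and three scanner tiers are run over each instance. The stub layout, its marker bytes, the body text and the sample set are all assumptions of the example; the stub is not real machine code.

```python
import re

# Constructed sample data for the example: a toy body and the static search
# string a first-generation scanner would carry for it. Not real malware.
PAYLOAD = b"CONTROL-CHANNEL: connect to the herder and await commands"
STATIC_SIGNATURE = b"CONTROL-CHANNEL: connect to the herder"

# Toy decoder-stub layout (an assumption of this example, not machine code):
#   STUB_HEAD, 0-8 filler bytes, one key byte, STUB_TAIL, then the body
#   XOR-encoded with that key. A polymorphic engine varies the filler length,
#   the key and any junk in front, so the bytes on disk differ per instance.
STUB_HEAD = b"\xd3\xc0"
STUB_TAIL = b"\xc3\x5a"
FILLER = b"\x90"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_variant(key: int, filler_len: int, junk: bytes = b"") -> bytes:
    """Emit one instance of the polymorphic sample."""
    if not 1 <= key <= 255 or not 0 <= filler_len <= 8:
        raise ValueError("key must be 1..255 and filler_len 0..8")
    stub = STUB_HEAD + FILLER * filler_len + bytes([key]) + STUB_TAIL
    return junk + stub + xor_bytes(PAYLOAD, key)


# Tier 1: the "signature" of popular misconception, a fixed byte string.
def static_scan(sample: bytes) -> bool:
    return STATIC_SIGNATURE in sample


# Tier 2: a wildcard (regex) signature for the decoder stub. It survives any
# key and filler length, but it identifies the stub, not the body, so anything
# else carrying the same stub is reported too (a false positive).
STUB_RE = re.compile(
    re.escape(STUB_HEAD) + rb"\x90{0,8}(.)" + re.escape(STUB_TAIL), re.DOTALL)


def wildcard_scan(sample: bytes) -> bool:
    return STUB_RE.search(sample) is not None


# Tier 3: a decryption-driven signature. Recover the key from the stub, decode
# the body and match the static string against the decoded bytes. If no stub
# is recognised, fall back to trying every single-byte key (key 0 covers the
# plain, unencoded case). The extra work is the scanning overhead the text
# refers to: up to 256 passes over the object instead of one.
def decrypt_scan(sample: bytes) -> bool:
    m = STUB_RE.search(sample)
    if m and STATIC_SIGNATURE in xor_bytes(sample[m.end():], m.group(1)[0]):
        return True
    return any(STATIC_SIGNATURE in xor_bytes(sample, k) for k in range(256))


def scan_all(sample: bytes) -> dict:
    return {"static": static_scan(sample),
            "wildcard": wildcard_scan(sample),
            "decrypt": decrypt_scan(sample)}


# Constructed test set: the original body, two polymorphic instances, a benign
# object that happens to contain the stub bytes, and an instance whose stub
# was mutated beyond what the wildcard signature allows for.
SAMPLES = {
    "plain": PAYLOAD,
    "variant_a": make_variant(0x41, 3, junk=b"\x00\x01\x02"),
    "variant_b": make_variant(0x7f, 0),
    "benign_with_stub": STUB_HEAD + FILLER * 2 + b"\x41" + STUB_TAIL
                        + b"nothing to see here",
    "mutated_stub": b"\xde\xad" + xor_bytes(PAYLOAD, 0x23),
}


def demo() -> dict:
    return {name: scan_all(sample) for name, sample in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The wildcard tier is the cheapest one that survives the variation, but it fires on the benign object as well, because it identifies the decoder rather than what it decodes; a stub shared between unrelated programs is exactly the kind of pattern that produces false positives in practice. The decryption tier sees through the mutated stub too, at the cost of the extra passes over the object, and it still only handles this one trivial encoder; a real packer's unpacking code has to be emulated or run in a sandbox, which is where the other analytical tools mentioned above come in.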
Tools & Traps…