Table of Contents
Abstract
The developing threat
Don Quixote in the floppy disk era: 1986–1994
Macro viruses reign supreme: 1995–1998
Viruses affect the bottom line: 1998 and the new millennium
McAfee® next generation scanning technology
Battle-tested engine technology
Versatile language base
· Efficient virus variant detection
· Accurate virus detection
· Faster “find and fix” solutions
· ActiveDAT
· Update stability
· Cleaning
Encrypted virus detection
· Polymorphic virus detection
· Generic decryption of polymorphic viruses
Advanced heuristic analysis
· Negative heuristics
· False alarm elimination
· Macro heuristics
· Win32 PE heuristics
· Virus scanning sensitivity tools
Internet virus code scanning
· Java applets
· ActiveX controls
· Scripting viruses
Packers and archives
· Trojans and their use of Win32 compression utilities
Recursive decompression scanning
· ZIP file virus detection
Summary
Advanced Virus Detection Scan Engine and DATs EXECUTIVE WHITE PAPER
Abstract
Businesses worldwide have lost a total of US$7.6 billion in the first two quarters of 1999 at
the hands of Melissa, the Explore.Zip worm and other viruses. This is a conservative
number in that not everyone tracks cost, and most companies tend to undercount and
underreport.
—Michael Erbschloe, Computer Economics Inc., June 18, 1999
The war against viruses continues to escalate, with losses in the billions of dollars. While virus defense systems of the
past kept pace with the then adolescent stage of virus patterns, scanners for the new millennium have evolved
greatly. Their in-depth inspection techniques and statistical behavior pattern matching reflect the equally evolved
nature of today’s threats.
No longer is such code isolated to floppy disks or a particular make of computer. In an interconnected web of
networks, today's viruses have erased borders and have emerged as complex security threats. Fighting the war has
forced security providers to effect the same level of change. The end result is advanced engine designs and next-
generation scanning technology unlike anything the industry has ever seen.
The particulars of these evolutionary virus scanning changes, a clear description of their impact, and an
outline of new virus warfare weaponry for businesses are discussed in this white paper.
As a result of such a limited virus environment, anti-virus protection such as McAfee’s first anti-virus scanner was
simplistic in nature. Using hypotheses of what future threats could occur, the defense was based more on remote
threats than on real-world crises. Virus samples had to be collected haphazardly, from a small circle of
acquaintances, in unsecured environments. Designed with John McAfee’s “friend vs. foe” expertise, developed
through his years in the defense industry, McAfee’s early scanners used pattern matching techniques. These
scanners had to fully identify a known virus, then match a fix against it. “Friendly” code, or code that could not be
fully matched to known threats, was allowed through, with the hope that no new virus was embedded in the file.
At around the same time, in the UK, Dr. Alan Solomon began his investigations into the emergent virus threat. His
expertise in the field of data recovery drew him into the field of virus detection. Dr. Solomon was asked to
examine a suspect floppy disk with the volume label “© Brain.” His analysis confirmed that the boot sector
contained executable code designed to install itself in memory and copy itself to other floppy disks. This was
Brain, the first PC virus. Unlike today, when more than 200 new viruses appear every month, it was still possible
in 1986 for some “experts” to even question the existence of viruses. However, this became increasingly difficult
in the years that followed. The development of detection and cleaning routines for these early viruses formed the
first building blocks of the Dr Solomon's scanning engine, which today, in its fourth generation, lies at the heart of
McAfee's security solutions.
By the early 1990s, well-known viruses like Stoned, Jerusalem, and Cascade began to circulate around the PC-
user community. Most file-transfers took place using floppy disks and many of these early viruses were boot
sector infectors, spreading only via floppy disks. Scanners remained localized, reading floppy disks upon access,
and matching suspicious code to known viruses only. John McAfee, Alan Solomon, and other anti-virus
researchers around the world could spend days analyzing a sample, since an outbreak was unlikely unless many
diskettes with the infection were passed around. Few viruses, or virus incidents, drew serious media attention
before March 1992, when the world’s media focused on Michelangelo virus and its potential threat to data. One of
the by-products of the Michelangelo incident was that corporations found other viruses lurking in their systems
and began to take the virus threat seriously.
The early 1990s saw a growing sophistication in the development of viruses. More and more viruses started to
incorporate stealth techniques, designed to prevent PC-users from noticing changes made by the virus (an
increase in file-size, for example). Some virus writers began to variably-encrypt their code, to prevent anti-virus
programs from using a simple search “string” to identify the virus. These polymorphic viruses forced anti-virus
vendors to develop more advanced techniques for analyzing disks and files.
Scanners, as a result, were stretched to the limits. Advanced algorithms had to be designed and implemented, to
detect and remove macro viruses. While infected floppy disks could be isolated and quarantined for later
cleaning, macro viruses afforded scanners no such luxury. New virus definitions had to be delivered within hours,
to prevent rapid proliferation. And cleaning now became essential.
Viruses affect the bottom line: 1998 and the new millennium
Today it’s no longer simply a virus threat. Internet worms, Trojans, and backdoors are now a significant—and
growing—threat, alongside EXE infectors and macro viruses. Increasingly, the term “malware” is used to
encompass all threats. Macro viruses are no longer the dominant force they were. Internet worms account for
over 70% of all threats. Many of today’s viruses and worms are “mailers” and “mass-mailers”. They infect by
“hijacking” the email system, using it to spread automatically. They affect vast numbers of computers in locations
throughout the world. The connectivity provided by the Internet means that viruses and worms only have to hit
once to strike deep. Lightning-fast connections make time-consuming grunt-scans obsolete, and the sheer
number of viruses, over 60,000, makes pure pattern matching impossible. Together with the dramatic increase
of viruses per month, the advanced nature of virus attacks has had a marked effect on the nature of scanning
technology.
· Mature technology
· Versatile language base
· Advanced heuristic analysis
· Expanded scanning capabilities
· Generic detection and cleaning
Besides using history to their advantage, researchers at McAfee have taken advantage of other phenomena.
Documented software industry trends reveal that first generation technologies inevitably contain technical
inefficiencies that are difficult to measure in a laboratory setting prior to product integration. It’s only real-world testing
across multiple platforms, in large-scale environments, that allows scanning techniques to be benchmarked. Once
measured in the real world, scanning technology can then be further honed and re-engineered to suit specific
customer requirements. Later scan engine implementations incorporate all the previously learned techniques and are
battle-tested for use in mission-critical applications.
The McAfee scan engine is in its fourth generation. The engine has a strong pedigree, battle-tested prior to 1998
through several versions of Dr Solomon's Anti-Virus Toolkit. With superior levels of detection and cleaning achieved
over many years of research and refinement, the scan engine was also optimized for use in a variety of point products
across the network. Late in 1998, this technology was integrated into the entire McAfee product line, from desktop
and server products to the demanding environments of email servers and Internet gateways. Moreover, a large
number of application and managed service providers use the scan engine SDK (Software Developers Kit) to
integrate McAfee’s advanced scanning technology directly into their own solutions, allowing them to deliver the
protection their customers demand.
Virtran works by enabling the scanner to locate the specific point in a file, boot sector or MBR (Master Boot
Record) containing the virus code. The scanner does not need to “grunt-scan,” or scan from one end of a file or
sector to the other, checking for virus code. McAfee AVERT (Anti-Virus Emergency Response Team) researchers
can determine where in the file the virus code is located and then program the engine to look in this specific
location. This knowledge, built into the virus definition file (DAT), allows the scanner simply to search for the virus
in a specific location within the file. If the specific sequence of bytes sought for (sometimes called a signature or
virus definition) is not there, the file is reported to be clean.
The huge experience of the McAfee AVERT team, with its many combined years in analyzing viruses, worms and
other malicious code, means that McAfee researchers have become expert in recognizing which parts of a virus
are likely to appear in any new variants of a virus. So detection algorithms use as few “static” strings as possible,
making detection of a virus and its variants more and more “future-proof”. This technology makes it possible to
find and remove many viruses of the same family with a single definition—while some anti-virus products are
forced to create detection routines for each one individually. This technology, developed over several years, has
brought enormous benefit to McAfee customers, who get proactive detection against viruses that don’t yet exist.
[Figure: two diagrams of a file and the engine, contrasting “grunt-scanning” (the engine reads the whole file) with Virtran single-point scanning (the engine reads only the location named in the definition)]
Single-point virus scanning enabled by McAfee’s use of the Virtran language provides faster and more
accurate virus detection.
While other anti-virus vendors are only now moving towards a “generic” detection approach, McAfee has been
using this methodology for several years. These years of experience mean that McAfee is also able to clean
these viruses—something that is incredibly difficult to achieve. This technology has protected McAfee customers
against threats from major virus outbreaks, including AnnaKournikova, Homepage, Badtrans.b, Fbound.c, Klez.h,
Frethem, and many other viruses and worms, long before they appeared in public.
[Figure: the McAfee scan engine with its library of Virtran verbs; new fixes for Code Red.a, Code Red.b and Code Red.c are built from existing verbs]
The efficient architecture of the McAfee scan engine, using Virtran, enables virus researchers to draw
quickly on the library of existing engine verbs to develop new language structures that detect entire
families of viruses. These updates are normally released weekly as part of the DAT update, although
more frequently in outbreak scenarios. Inferior designs avoid integration and simply add code upon code
until the product becomes bloated.
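The following Python program is an added illustration and is not part of the white paper, nor McAfee’s Virtran or DAT format. It shows single-point scanning driven by definition records (each naming a location in the file and a byte pattern with wildcards) next to the grunt-scan it replaces, with a single record detecting two constructed variants of an appending file infector. The record layout, sample bytes, virus length and detection name are all assumptions made for the example.

```python
"""Single-point, definition-driven scanning versus grunt-scanning (added example).

A definition record says where in the file the virus body sits and which byte
pattern must be found there; wildcard bytes let one record cover a whole family
of variants.  Record format, sample files and names are constructed for this
illustration; they are not McAfee's Virtran or DAT format.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WILD = None  # a don't-care byte inside a pattern


@dataclass(frozen=True)
class Definition:
    name: str
    anchor: str       # "start": offset from beginning of file; "end": offset back from EOF
    offset: int
    pattern: tuple    # ints, or WILD where variants differ


def parse_pattern(text: str) -> tuple:
    """'E8 ?? 5E' -> (0xE8, WILD, 0x5E)"""
    return tuple(WILD if tok == "??" else int(tok, 16) for tok in text.split())


def match_at(data: bytes, pos: int, pattern: tuple) -> bool:
    if pos < 0 or pos + len(pattern) > len(data):
        return False
    return all(p is WILD or data[pos + i] == p for i, p in enumerate(pattern))


def single_point_scan(data: bytes, defs: List[Definition]) -> Tuple[Optional[str], int]:
    """Probe each definition at its declared location only.
    Returns (detection name or None, number of positions probed)."""
    probes = 0
    for d in defs:
        pos = d.offset if d.anchor == "start" else len(data) - d.offset
        probes += 1
        if match_at(data, pos, d.pattern):
            return d.name, probes
    return None, probes


def grunt_scan(data: bytes, defs: List[Definition]) -> Tuple[Optional[str], int]:
    """Slide every definition over every offset: the approach single-point scanning replaces."""
    probes = 0
    for d in defs:
        for pos in range(len(data) - len(d.pattern) + 1):
            probes += 1
            if match_at(data, pos, d.pattern):
                return d.name, probes
    return None, probes


# Constructed sample family: a 40-byte appending infector whose prologue is
# CALL $+5 / POP SI / SUB SI, imm16; only the imm16 changes between variants.
VIRUS_LEN = 40


def make_infected(host: bytes, delta: int) -> bytes:
    body = bytes([0xE8, 0, 0, 0, 0, 0x5E, 0x81, 0xEE]) + delta.to_bytes(2, "little")
    body += b"\x00\x00\xB4\x4E"          # MOV AH, 4Eh (find-first) would follow in a real infector
    return host + body + b"\x90" * (VIRUS_LEN - len(body))


DEFS = [Definition("Example.Appender.gen", "end", VIRUS_LEN,
                   parse_pattern("E8 00 00 00 00 5E 81 EE ?? ?? 00 00 B4 4E"))]
CLEAN = b"MZ" + bytes(200)               # constructed "clean" host file
VARIANT_A = make_infected(CLEAN, 0x0103)
VARIANT_B = make_infected(CLEAN, 0x0241)

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("variant A", VARIANT_A), ("variant B", VARIANT_B)]:
        print(label, "single-point:", single_point_scan(sample, DEFS),
              "grunt:", grunt_scan(sample, DEFS))
```

The probe counts make the point of the figure measurable: the single-point scanner touches one position per definition regardless of file size, while the grunt scanner touches nearly every offset of a clean file before it can report the file clean.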
[1] Virus writers occasionally release viruses in security vendor environments in the hope that the virus will attack a commercial product and exploit a vulnerability. In this
case, it is unclear why the virus writer chose to expose the large private collection to a commercial vendor. Rather than cause damage, the submitted collection actually
helped McAfee speed its research into new strains of viruses by providing virus samples for which we could produce fixes before the viruses went public.
· ActiveDAT
Even greater flexibility has been built into the McAfee scan engine with the inclusion of ActiveDAT technology.
ActiveDAT supplements the already powerful Virtran verbs with MicroC instructions. This means that scan engine
functionality can be extended “on the fly” - to deal with new attack mechanisms - simply by including a new DAT
file. ActiveDAT technology was added in March 2000 and has since allowed McAfee to provide seamless
detection for a number of new threats, including Jini.a [1] and ZMist.
· Update stability
The original McAfee scan engines that updated virus defense systems by adding code, or by expanding pattern
matching capabilities, are primitive compared to today’s scanning technology. Virtran’s integration into the scan
engine stabilizes the defense system and ensures there are no detection misses and that virus cleaning is
effective.
This design feature also eases the task of developing virus cleaners, a prime benefit in the event of a virus
outbreak. While “grunt-scanning” methods waste time in detecting viruses, the McAfee scan engine helps
developers spend less time figuring out detection routines and more time getting fixes out to customers quickly,
before virus infiltration is widespread. Yesterday’s method of building code upon code cannot adequately protect
against current virus threats.
· Cleaning
Cleaning is essential. If an anti-virus scanner simply flags an infection, the user or system administrator must
replace the file—either from an original master disk or CD (EXE files) or from a backup (documents,
spreadsheets, etc.). However, if the scanner is able to clean the infected file, business continuity is maintained,
down-time is minimized, and costs are reduced. The difference between cleaning and not cleaning files is whether
your anti-virus program is able to restore your hard work or not. In the second case, it will display a
pop-up message telling you that the file is infected and should be deleted and replaced with a clean backup. In
this event, there are two things to consider. 1) You will lose all incremental work carried out since your last
backup. 2) You do have a backup, don’t you?
[Figure: the same five bytes, a to e, appearing in a different order in each of several infections]
Polymorphic viruses are one of the more difficult virus types for scanners to detect because of their dynamic
nature. Such viruses change their sequence of bytes with each infection. The McAfee scan engine includes
the Generic Decryption Engine (GDE) for specialized polymorphic virus detection.
· Generic decryption of polymorphic viruses
The McAfee scan engine includes a module called the Generic Decryption Engine (GDE) that provides excellent
capabilities to detect and remove polymorphic viruses. The GDE analyzes the algorithm used in the decryptor-
loader of the polymorphic virus—that is, the code segment that the virus uses to decrypt its own code before
executing. The GDE then applies the algorithm to the encrypted code, using it to “see through” the encryption
used by the virus. Once the virus code has been decrypted in this manner, a standard sequence may be used to
identify the virus positively. This enables the engine to find all the instances of a polymorphic virus. In addition, it
does not produce false alarms and enables the engine to clean the infected file or disk sector. Use of the GDE
also shortens the time needed to understand and recognize new strains of a polymorphic virus, even as they
change. For corporate enterprises, this rapid polymorphic detection rate helps prevent further spread or virus damage.
[Figure: the decryptor-loader rewrites the virus body differently in each infection (shown as XYZ21, YZX23, 13ZXY); the GDE applies the same routine in reverse to recover a constant sequence]
The Generic Decryption Engine (GDE), exclusive to the McAfee scan engine, analyzes polymorphic viruses to
determine a sequenced encryption routine. Once the GDE determines the sequence, it then applies the
encryption routine to the next appearance of the same polymorphic virus to detect it, even in its changed
form.
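An added example, not taken from the white paper and not the GDE itself, of generic decryption in Python. A constructed mini instruction set stands in for the decryptor-loader: a mutation engine emits a fresh stub for each infection (new key, key step, XOR or SUB method, random NOP padding) in front of the encrypted body; the scanner decodes and emulates that stub under a step budget, and only then applies a plain signature to the decrypted body, which a search of the raw sample can never match. The instruction set, mutation engine, body, signature and names are all assumptions made for the example.

```python
"""Generic decryption of a polymorphic sample by emulating its decryptor (added example).

Constructed mini instruction set, mutation engine, body and signature: none of
this is McAfee's GDE or a real virus.
"""
import random
from typing import Optional, Tuple

# opcode -> instruction length (opcode plus operands)
OPLEN = {0x00: 1,   # NOP
         0x01: 2,   # KEY  imm8   key = imm8
         0x02: 2,   # LEN  imm8   length = imm8
         0x08: 1,   # LOOP        remember loop start
         0x03: 1,   # XOR         body[i] ^= key
         0x07: 1,   # SUB         body[i] -= key
         0x04: 2,   # STEP imm8   key += imm8
         0x05: 1,   # NEXT        i += 1; if i < length: goto LOOP
         0x06: 1}   # RUN         jump to decrypted body (stub ends here)


def decode_stub(sample: bytes) -> int:
    """Linear-sweep decode of the stub; returns the offset where the body starts."""
    pc = 0
    while pc < len(sample):
        op = sample[pc]
        if op not in OPLEN:
            raise ValueError("not a decryptor stub")
        if op == 0x06:
            return pc + 1
        pc += OPLEN[op]
    raise ValueError("stub never jumps to its body")


def generic_decrypt(sample: bytes, max_steps: int = 50_000) -> bytes:
    """Emulate the stub and return the body it would hand control to."""
    body = bytearray(sample[decode_stub(sample):])
    key = length = i = pc = 0
    loop: Optional[int] = None
    for _ in range(max_steps):                  # step budget: runaway stubs are abandoned
        op = sample[pc]
        if op in (0x03, 0x07) and i >= len(body):
            raise ValueError("decryptor runs past the body")
        if op == 0x01:
            key = sample[pc + 1]
        elif op == 0x02:
            length = sample[pc + 1]
        elif op == 0x08:
            loop = pc + 1
        elif op == 0x03:
            body[i] ^= key
        elif op == 0x07:
            body[i] = (body[i] - key) & 0xFF
        elif op == 0x04:
            key = (key + sample[pc + 1]) & 0xFF
        elif op == 0x05:
            i += 1
            if i < length and loop is not None:
                pc = loop
                continue
        elif op == 0x06:
            return bytes(body[:length])
        pc += OPLEN[op]
    raise TimeoutError("step budget exhausted")


BODY = b"\xB4\x4E\xCD\x21" + b"PolyDemo"    # constructed, inert "virus body"
SIGNATURE = b"\xCD\x21PolyDemo"              # static pattern, valid only after decryption


def make_sample(plain: bytes, key: int, step: int, use_sub: bool, rng: random.Random) -> bytes:
    """Constructed mutation engine: new key, step, method and NOP padding per infection."""
    enc, k = bytearray(), key
    for b in plain:
        enc.append((b + k) & 0xFF if use_sub else b ^ k)
        k = (k + step) & 0xFF
    instrs = [(0x01, key), (0x02, len(plain)), (0x08,), (0x07 if use_sub else 0x03,),
              (0x04, step), (0x05,), (0x06,)]
    stub = bytearray()
    for ins in instrs:
        stub += bytes(rng.randint(0, 3))        # 0-3 NOPs (0x00) before each instruction
        stub += bytes(ins)
    return bytes(stub) + bytes(enc)


def demo_samples() -> Tuple[bytes, bytes]:
    """Two infections of the same constructed virus with different stubs and keys."""
    return (make_sample(BODY, 0x5A, 1, False, random.Random(1)),
            make_sample(BODY, 0x13, 7, True, random.Random(2)))


def scan_polymorphic(data: bytes) -> Optional[str]:
    try:
        decrypted = generic_decrypt(data)
    except (ValueError, TimeoutError, IndexError):
        return None                              # not a decryptor stub, or it misbehaved
    return "Example.Poly" if SIGNATURE in decrypted else None


if __name__ == "__main__":
    for s in demo_samples():
        print(s.hex(), "raw match:", SIGNATURE in s, "after GDE:", scan_polymorphic(s))
```

The step budget and the bounds check on the body are the two safeguards a real emulator needs: a stub that never terminates, or that writes outside the data it carries, must be abandoned rather than allowed to consume the scanner.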
Advanced heuristic analysis
Perhaps the most exciting development in today’s new levels of virus detection and cleaning is the approach towards
intelligently estimating whether or not something is a virus. Most major anti-virus approaches today use some form of
heuristic analysis, to detect new viruses that have not been seen before. This involves searching through the code in
a file to determine whether that code takes actions that appear to be actions typical of a virus. The more virus-like
code that is found, the more likely that a virus is present. Once the level of virus-like code is found to reach a pre-
determined threshold, the scanner reports a possible infection. While virus scanners of the past could rely just on
tables of signatures to match against known viruses, the significant rise in the number of new viruses prompted
McAfee to find newer ways to catch unknown viruses. Catching them before they became widespread and caused
damage became a priority, as companies hooked up to the Internet, leaving their corporate assets vulnerable to
outsiders.
· Negative heuristics
While most organizations seek tight control over security, CIOs understand that there is a trade-off that could
result in an inability of the business to perform basic functions. If security technologies shut down functions at the
user’s every turn, security just becomes an obstacle. With anti-virus scanners in particular, the danger is a high
level of false positives. Weaker scanning technologies generate many false alarms because of the inefficiencies
of their detection routines.
The McAfee scan engine uses not only traditional heuristic analysis techniques, but also performs a sophisticated
“non-virus” identification approach called "negative heuristic" analysis. While the scanning engine is searching
through code to determine whether it contains any virus-like commands, it also searches for code that is distinctly
not like a virus. The combination of “positive” and “negative” heuristics enables a simultaneous, bi-directional
virus analysis. It is an approach that reflects the changed nature of viruses, and the realization that to be a virus
defense expert, one must think like the virus writers and try and second-guess their hiding places.
· Macro heuristics
To deal with the large numbers of macro viruses, McAfee’s advanced heuristic scanning includes macro
heuristics. The threat from macro viruses is much reduced compared to previous years. Nevertheless, macro
viruses still represent a threat to corporate systems. They infect Microsoft Office files through their macros and,
as a payload, often insert unwanted words or phrases. The combined scanning method of positive and negative heuristics in the McAfee engine
significantly improves macro virus detection rates.
· Win32 PE heuristics
One of the major reasons for updating your anti-virus scanner is to ensure that you get the best possible detection
and cleaning from your product. The McAfee scan engine is updated regularly with new and enhanced
capabilities. The 4160 engine includes improved Win32 heuristics, to allow detection of even more new viruses
targeting 32-bit Windows files (programs that run under Windows 9x, Windows NT4, Windows 2000, Windows
ME, and Windows XP) even before they have appeared. This advanced protection reduces the risk of McAfee
customers being hit by a new virus before they have an opportunity to update their protection.
Although such Internet code is, in fact, more reminiscent of a security breach than of a virus, viruses are
increasingly using multiple forms to carry out attacks. The extensible and efficient McAfee scan engine includes
defense capability against both Java and ActiveX.
· Java applets
“Java applets” refers to executable code written in Java, a Sun Microsystems technology, that is frequently found
on Web sites in the form of animation such as a rotating stock ticker. Java is also used increasingly in corporate
applications such as Lotus Notes, and in intranet tools. Java applets are automatically and transparently run
through a Java Virtual Machine that is part of commonly used Internet browsers like Netscape Navigator. The
extensible and efficient McAfee engine includes defense against malicious Java applets that break Java Virtual
Machine sandbox restrictions or perform otherwise potentially hazardous actions.
· ActiveX controls
“ActiveX controls” refers to executable code written in ActiveX, a Microsoft technology, also found frequently
throughout the World Wide Web. ActiveX controls automatically and transparently run through Web-based
browsers such as Internet Explorer. The extensible and efficient McAfee scan engine includes defense against
malicious ActiveX controls, particularly important due to the lack of an advanced security model for ActiveX code.
· Scripting viruses
Visual Basic Script (VBScript) is scanned through a heuristic method similar to that used by the macro heuristic engine.
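An added example, not part of the white paper and not McAfee’s rule set, that combines the positive and negative heuristics described under “Advanced heuristic analysis” and “Negative heuristics”, applied to macro source as in “Macro heuristics” and to VBScript as in “Scripting viruses”. The rules, weights, threshold and the three inert source fragments are constructed for the illustration; the legitimate macro shows how the negative rules keep an auto-executing but harmless macro below the threshold that the positive rules alone would cross.

```python
"""Positive and negative heuristics over VBA macro and VBScript source (added example).

Rules, weights, threshold and samples are constructed; the samples are inert
fragments that merely name the APIs the rules look for, not working malware.
"""
import re
from typing import List, Tuple

Rule = Tuple[str, int, str]   # (regex, weight, description)

POSITIVE: List[Rule] = [      # behaviour typical of self-replicating macro/script code
    (r"\b(AutoOpen|AutoClose|AutoExec|Document_Open|Document_Close|Workbook_Open)\b", 2, "auto-executing macro"),
    (r"\bVBProject\b.*\bVBComponents\b", 4, "reads or writes its own macro code"),
    (r"\bNormalTemplate\b", 3, "touches the global template"),
    (r"\bOptions\.(VirusProtection|ConfirmConversions|SaveNormalPrompt)\b", 3, "disables an Office safeguard"),
    (r"\bShell\b", 2, "runs an external command"),
    (r"Scripting\.FileSystemObject", 1, "filesystem access"),
    (r"\bScriptFullName\b", 3, "refers to its own script file"),
    (r"Outlook\.Application|\bMAPI\b", 3, "drives the email client"),
    (r"\bAddress(Lists|Entries)\b", 3, "enumerates the address book"),
]
NEGATIVE: List[Rule] = [      # code that is distinctly not virus-like
    (r"\b(MsgBox|InputBox|UserForm)\b", -1, "interacts with the user"),
    (r"'[^\n]*\b(Copyright|Licensed|All rights reserved)\b", -1, "carries a license header"),
    (r"\bOption Explicit\b", -1, "declares variables explicitly"),
]
THRESHOLD = 5                 # constructed; a real engine tunes this against false-alarm rates


def score(source: str, use_negative: bool = True) -> Tuple[int, List[str]]:
    """Return (total score, matched rule descriptions); each rule counts at most once."""
    total, reasons = 0, []
    for pattern, weight, why in POSITIVE + (NEGATIVE if use_negative else []):
        if re.search(pattern, source, re.IGNORECASE):
            total += weight
            reasons.append(f"{weight:+d} {why}")
    return total, reasons


def is_suspicious(source: str, use_negative: bool = True) -> bool:
    return score(source, use_negative)[0] >= THRESHOLD


MACRO_SAMPLE = """\
Sub AutoOpen()
    ' constructed fragment: names the APIs a macro virus uses to copy itself
    Options.VirusProtection = False
    Set src = ActiveDocument.VBProject.VBComponents(1).CodeModule
    Set dst = NormalTemplate.VBProject.VBComponents(1).CodeModule
End Sub
"""

LEGIT_SAMPLE = """\
' Copyright 2002 Example Corp. Marks the document reviewed and opens the guide.
Option Explicit
Sub Document_Open()
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    If fso.FileExists("C:\\guide\\guide.chm") Then
        Selection.Range.Text = "Reviewed"
        MsgBox "Document marked as reviewed"
        Shell "hh.exe C:\\guide\\guide.chm", vbNormalFocus
    End If
End Sub
"""

SCRIPT_SAMPLE = """\
Set fso = CreateObject("Scripting.FileSystemObject")
fso.CopyFile WScript.ScriptFullName, "C:\\demo\\copy.vbs"
Set ol = CreateObject("Outlook.Application")
For Each entry In ol.GetNameSpace("MAPI").AddressLists(1).AddressEntries
    ' constructed fragment: no message is built or sent
Next
"""

if __name__ == "__main__":
    for label, src in [("macro", MACRO_SAMPLE), ("legit", LEGIT_SAMPLE), ("script", SCRIPT_SAMPLE)]:
        total, reasons = score(src)
        print(label, total, is_suspicious(src), reasons)
        print(label, "positive rules only:", score(src, use_negative=False)[0])
```

With only the positive rules the legitimate macro scores exactly the threshold (an auto-execute trigger, a filesystem object and a Shell call) and would be reported; the negative rules pull it back to 2, which is the false-alarm reduction the text attributes to bi-directional analysis.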
First, Windows applications can be “packed”—this is a technique used to make the program physically smaller,
while still allowing the program to run as it did before. These “packers” are quite often used legitimately—which
some anti-virus vendors conveniently ignore, classifying any file that has been “packed” as being a potential
threat! This causes huge amounts of work for the IT department, ensuring that users are not worried
unnecessarily about these innocent files.
However, the problem with packers is that they change the sequence of code within the file in the same way as a
polymorphic virus does. The McAfee scan engine deals with packers in the same way as it deals with
polymorphic viruses. It is able to decrypt hundreds of different variants of these packers—thereby enabling Trojan
horse identification to proceed even when the author decides to re-package the Trojan in a different physical
form. Those anti-virus vendors that do not support these packers have to write additional detection routines for
each different packed variant—and they can’t do this proactively.
Second, the McAfee AVERT team has developed a major breakthrough in detection of Trojans—a technique that
is independent of the packers used to “hide” the Trojan. Using this method, a single driver can be used to identify
the Trojan whether it has been packed with WWPack, Petite, Neolite, or any of the hundreds of variants of
packers available.
When a file is compressed, the bytes within the file are re-arranged as part of the space-saving process. If the file is
infected, the bytes belonging to the virus are also re-arranged and the characteristic “string” that an anti-virus program
looks for may no longer exist. There could be a “hidden threat” lurking within any compressed or archive file. For this
reason, it’s essential for anti-virus programs to understand different compression formats and to be able to scan these
files for viruses.
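An added Python example, not the white paper’s code and not McAfee’s engine, of recursive decompression scanning that serves both the packer discussion above and this section on compressed files: the scanner unpacks a constructed toy packer and opens ZIP archives to any nesting depth before applying the signature, while depth, per-member and total-output limits guard against hostile archives. The packer format, signature string, sample names and limit values are assumptions made for the example.

```python
"""Recursive decompression scanning with resource limits (added example).

Signatures cannot be matched inside compressed or packed data, so containers
are peeled before matching.  The toy packer, signature, names and limits are
constructed for this illustration.
"""
import io
import zipfile
from typing import List, Tuple

SIGNATURE = b"X-CONSTRUCTED-TROJAN-MARKER"     # stands in for a real detection string
TOYPACK_MAGIC = b"TOYPK"                        # constructed packer: magic, key byte, XORed payload
Finding = Tuple[str, str]                       # (path inside the scanned object, verdict)


def toy_pack(payload: bytes, key: int) -> bytes:
    return TOYPACK_MAGIC + bytes([key]) + bytes(b ^ key for b in payload)


def toy_unpack(blob: bytes) -> bytes:
    key = blob[len(TOYPACK_MAGIC)]
    return bytes(b ^ key for b in blob[len(TOYPACK_MAGIC) + 1:])


class RecursiveScanner:
    def __init__(self, max_depth: int = 8, max_member: int = 4 << 20, max_total: int = 32 << 20):
        self.max_depth, self.max_member, self.max_total = max_depth, max_member, max_total
        self.total_out = 0                      # bytes produced by all unpacking so far

    def scan(self, blob: bytes, path: str = "<root>", depth: int = 0) -> List[Finding]:
        if depth > self.max_depth:
            return [(path, "nesting-limit-exceeded")]
        if blob.startswith(TOYPACK_MAGIC) and len(blob) > len(TOYPACK_MAGIC):
            return self.scan(toy_unpack(blob), path + "!toypk", depth + 1)
        if blob.startswith(b"PK\x03\x04"):
            return self._scan_zip(blob, path, depth)
        return [(path, "Example.Trojan")] if SIGNATURE in blob else []

    def _scan_zip(self, blob: bytes, path: str, depth: int) -> List[Finding]:
        findings: List[Finding] = []
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = f"{path}/{info.filename}"
                    with zf.open(info) as fh:                 # read at most max_member+1 bytes,
                        data = fh.read(self.max_member + 1)   # whatever the header claims
                    if len(data) > self.max_member:
                        findings.append((member, "member-too-large"))
                        continue
                    self.total_out += len(data)
                    if self.total_out > self.max_total:
                        findings.append((member, "total-output-limit-exceeded"))
                        break
                    findings.extend(self.scan(data, member, depth + 1))
        except zipfile.BadZipFile:
            findings.append((path, "corrupt-archive"))
        return findings


def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def nest_zip(blob: bytes, levels: int) -> bytes:
    for _ in range(levels):
        blob = make_zip({"x": blob})
    return blob


def build_sample() -> bytes:
    """Outer zip -> inner zip -> packed 'tool.exe' carrying the marker (constructed)."""
    payload = b"A" * 2000 + SIGNATURE + b"B" * 2000   # compressible, so deflate re-codes it
    inner = make_zip({"tool.exe": toy_pack(payload, 0x5A)})
    return make_zip({"readme.txt": b"nothing to see", "inner.zip": inner})


if __name__ == "__main__":
    sample = build_sample()
    print("raw archive bytes contain the marker:", SIGNATURE in sample)
    print(RecursiveScanner().scan(sample))
```

Reading each member through a bounded read, rather than trusting the size recorded in the ZIP header, is what makes the per-member limit hold against an archive whose headers lie; the depth limit and running output total close the remaining ways a nested archive can outgrow the scanner.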
Summary
Virus defense was once a localized, simple process that involved matching known threats against a list, with no
delivery deadlines or virus fix timetables. In the networked world of the Internet, such weapons are almost obsolete,
and the demands of virus defense users have changed. Today’s scanning technology requires updated capabilities
against new world threats, as well as new techniques to speed the development of virus definitions. In addition, the
McAfee scan engine has evolved significantly in order to catch viruses that have never before been seen. McAfee
scanning technology, tested in real-world scenarios, versatile in its infrastructure, efficient and broad in its scanning
abilities and advanced in several key technical areas of virus defense engine design, offers an unprecedented
approach in the continuing war against viruses, worms, and other malicious code. Its flexible design and novel
architecture also allows McAfee to respond quickly as new threats appear. These attributes have made the McAfee
scan engine the industry’s leading virus defense weapon—for corporations, for military and government organizations
fighting multi-national virus attacks and for providers of application and managed services.
McAfee, the global leader in Internet security solutions and services, provides solutions for today's demanding e-
business environments and stands ready for the threats of tomorrow.
Network Associates, McAfee, AVERT, and PrimeSupport are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in
the US and/or other countries. Sniffer® brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks
in this document are the sole property of their respective owners. ©2002 Networks Associates Technology, Inc. All Rights Reserved.
6-AVD-AVP-002/1102