Abstract
Malware continues to be a significant problem facing computer users in today's world. Historically, anti-virus software has employed static signatures to detect instances of known malware. Signature-based detection has fallen out of favor with many, and detection techniques based on identifying malicious program behavior are now part of the anti-virus toolkit. However, static approaches to malware detection have been heavily researched and can employ modern fingerprints that significantly improve on the simple string signatures used in the past. Instance-based learning can allow the detection of an entire family of malware variants based on a single signature of static features, and statistical machine learning can turn the extracted features into a predictive anti-virus system able to detect novel and previously unseen malware samples. This paper surveys the approaches and techniques used in static malware detection.
CHAPTER ONE INTRODUCTION
1.1 BACKGROUND OF STUDY
Malware is a generic term used to describe all kinds of malicious software (e.g., viruses, worms, or Trojan horses). Malicious software not only poses a major threat to the security and privacy of computer users and their data, but is also responsible for a significant amount of financial loss. Unfortunately, the problem of malicious code is likely to continue to grow in the future, as malware writing is quickly turning into a profitable business.
Malware authors often sell their creations to miscreants, who then use the malicious code to compromise large numbers of machines that are linked together in so-called botnets. These botnets are then abused as platforms to launch denial-of-service attacks or as spam relays. Malware programs frequently contain checks that determine whether certain files or directories exist on a machine and only run parts of their code when they do. Others require that a connection to the Internet is established or that a specific mutex object does not exist. In case these conditions are not met, the malware may terminate immediately. This is similar to malicious code that checks for indications of a virtual machine environment, modifying its behavior if such indications are present in order to make its analysis in a virtual environment more difficult. Other functionality that is not invoked on every run includes malware routines that are only executed at or until a certain date or time of day. For example, some variants of the Bagle worm included a check that would deactivate the worm completely after a certain date. Another example is the Michelangelo virus, which remains dormant most of the time, delivering its payload only on March 6 (which is Michelangelo's birthday). Of course, functionality can also be triggered by other conditions, such as the name of the user or the IP address of the local network interface. Finally, some malware listens for certain commands that must be sent over a control channel before an activity is started. For example, bots that automatically log into IRC servers often monitor the channel for a list of key words that trigger certain payload routines. When the behavior of a program is determined from a single run, as in current industrial analysis systems, it is possible that many of the previously mentioned actions cannot be observed. This might lead a human analyst to draw incorrect conclusions about the risk of a certain sample.
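As an added illustration (not code from this paper) of the abstract's point that one static-feature fingerprint can cover a whole family of variants where an exact hash cannot, and that features read from the file bytes are not hidden by the date, mutex or virtual-machine checks described above because nothing is executed: the sample bytes, the string-based feature extractor and the 0.5 similarity threshold are all constructed for this example.

```python
import hashlib
import re

# Constructed byte strings standing in for three builds of one malware family
# and one unrelated program (invented stand-ins, not real samples).
SAMPLES = {
    "family_v1": (b"MZ\x90\x00CreateMutexA\x00InternetOpenA\x00GetTickCount\x00"
                  b"WriteProcessMemory\x00Global\\bot_mtx\x00"),
    "family_v2": (b"MZ\x90\x00CreateMutexA\x00InternetOpenA\x00GetTickCount\x00"
                  b"WriteProcessMemory\x00Global\\bot_mtx2\x00build 2.0\x00"),
    "family_v3": (b"MZ\x90\x00CreateMutexA\x00InternetOpenA\x00"
                  b"WriteProcessMemory\x00Global\\bot_mtx\x00padding!!\x00"),
    "benign":    (b"MZ\x90\x00InternetOpenA\x00GetTickCount\x00ReadFile\x00"
                  b"Hello World!\x00Notepad Clone\x00"),
}

def static_strings(data: bytes, min_len: int = 5) -> frozenset:
    """Static feature extractor: runs of printable ASCII, as the `strings` tool
    reports them. The sample is never executed, so trigger conditions inside
    it cannot hide these features the way they hide single-run behaviour."""
    return frozenset(re.findall(rb"[ -~]{%d,}" % min_len, data))

def jaccard(a: frozenset, b: frozenset) -> float:
    """Set similarity in [0, 1]; 1.0 means identical feature sets."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def exact_signature(data: bytes) -> str:
    """The classic whole-file signature: a SHA-256 over the bytes."""
    return hashlib.sha256(data).hexdigest()

def classify(reference: bytes, unknown: bytes, threshold: float = 0.5) -> dict:
    """Compare an unknown sample against one reference by both methods.
    threshold is a constructed value; a real system tunes it on labelled data."""
    sim = jaccard(static_strings(reference), static_strings(unknown))
    return {
        "hash_match": exact_signature(reference) == exact_signature(unknown),
        "similarity": round(sim, 3),
        "fingerprint_match": sim >= threshold,
    }

def detect_all(reference: str = "family_v1", threshold: float = 0.5) -> dict:
    """Run every sample against the single reference signature (instance-based:
    one stored instance of the family decides for all of its variants)."""
    ref = SAMPLES[reference]
    return {name: classify(ref, data, threshold) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in detect_all().items():
        print(f"{name:10s} {verdict}")
```

Only family_v1 matches the hash, while all three family builds clear the feature threshold and the benign program does not.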
1.2 STATEMENT OF MALWARE PROBLEM
A network problem at an online advertising provider prompted malicious-software warnings across many popular news websites, including bangordailynews.com. Trojans are increasingly a problem for Mac users. In the 1990s hackers enjoyed a virtual wild west of unpatched, exploitable software, but as the new decade rolled around companies like Microsoft Corp. (MSFT) responded, and as a result it has become harder for malware to install on Windows computers without the user's approval. Some hackers have circumvented this by creating programs that trick the user into approving the installation, exploiting trust. The approach has become tremendously successful, and today Trojan-type malware is responsible for a large percentage of the Windows botnets.
1.3 AIM AND OBJECTIVE OF THE STUDY
The aim of this study is to give a detailed perspective on the various systems involved and to handle the malware threat efficiently, reducing its impact on business. In response to the emergence of spyware, a small industry has sprung up dealing in anti-spyware software. Some of the malware capabilities that crowd source has include the ability:
- To detect debugger-based reversing
- To encrypt and decrypt data
- To provide remote desktop capability
- To steal or modify cookies
- To mine or steal bitcoins
- To communicate with a database
- To take screenshots
- To access the webcam
- To download and upload files
- To log keystrokes
- To communicate via the SOCKS protocol
The main objectives of dealing with malware are discussed below:
- To know which programs detect malware
- To carry out a full scan of your computer; another principal objective is to use every possible means available to your computer system
- To provide a forum for discussions related to the testing of anti-malware and related products
- To develop and publicize objective standards and best practices for the testing of anti-malware and related products
- To promote education and awareness of issues related to the testing of anti-malware and related products
- To provide tools and resources to aid standards-based testing methodologies
1.4 SCOPE OF THE STUDY
The scope of this research study is to develop an anti-virus for a computer system that is infected with malicious viruses that damage files and documents and cause loss of files on the computer system.
1.5 LIMITATION OF THE STUDY
This research study (project) is restricted to dealing with malware, the malicious software that affects the computer system. The factors that limited this research project work are as follows:
- Time factor: the time duration for the research project is not enough to carry out proper research work.
- Financial factor: inadequate finance for searching the internet for materials is a problem for the student.
- Power failure: irregular power supply (electricity), which is needed for the operation of most business centres that provide access to materials on the internet.
- The period for which the project was held before approval and registration of the project topic is a factor.
- The student is not given access to the library to source materials at the right time.
The above factors worked against and delayed this project.
1.6 PURPOSE OF THE STUDY
The purpose of studying malware is to know a program's behavior and verify whether it has malicious functionality or behavior. Today malware is used primarily to steal sensitive information of personal, financial or business importance by black-hat hackers with harmful intentions. Malware is sometimes used broadly against government or corporate websites to gather guarded information or to disrupt their operation in general; however, malware is often used against individuals to gain personal information such as social security numbers, bank or credit card numbers, and so on. Left unguarded, personal and networked computers can be at considerable risk from these threats, which are most frequently counteracted by various types of firewall and anti-virus software. Since the rise of widespread broadband internet access, malicious software has more frequently been designed for profit; since 2003 the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation.
1.7 DEFINITION OF TERMS USED
Bot: derived from the word "robot," and used in a variety of Internet contexts; in the context of this paper, it refers to a program that runs in the background on the personal computer of an unsuspecting user, having been installed by malware.
Botnet: a collection of bots that receive instructions from the same "master" program.
Data Host: company that maintains servers on the Internet that process data for customers using a standard technology such as web or email servers.
Exfiltration: method by which malware exports data from an infected host; typically refers to an unauthorized process of acquiring data from a computer system through network channels or unauthorized portable media.
Footprint: with reference to a software component, used to indicate the physical characteristics of a file such as its size and file name, as well as the operating system's resource utilization. These characteristics help to uniquely identify the various software components encountered during the investigative process.
Jabber: a communications protocol used for instant messaging
Kernel: operating system component that serves as a bridge between software applications and system services provided by hardware, and typically designed to facilitate a trusted channel between the OS user and system-level functionality
Malware: malicious software, any and all software that is deployed with malicious intent
Operating System: software that directly manages and controls interaction with hardware devices that combine to compose a computer, provides common services to applications, and makes resources available to users.
Phishing: email-borne malware propagation systems.
Rootkit: enables privileged access to a system and the ability to hide that access by subverting the provided authentication, authorization, and audit functions.
SOCKS: a protocol that allows multiple network connections to route network traffic through a single network-enabled device.
Zero-Day: modifier for the word threat or attack, meaning that the vulnerability that is used by the threat agent is not known to potential victims.