
Malware Detection and Prevention Using Set Theory

THESIS
SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENT FOR THE AWARD OF THE DEGREE OF

MASTER OF TECHNOLOGY (Computer Science & Engineering)

Submitted by
SUCHITRA CHOUDHARY
Department of Computer Science & Engineering
June 2013

SUBHARTI INSTITUTE OF TECHNOLOGY AND ENGINEERING SWAMI VIVEKANAND SUBHARTI UNIVERSITY MEERUT, INDIA-250005

Page | 1

Department of Computer science &Engineering Subharti Institute of Technology and Engineering

Certificate
This is to certify that this thesis entitled "Malware Detection and Prevention Using Set Theory" by SUCHITRA CHOUDHARY (Roll No. 1101210010), submitted in partial fulfillment of the requirements for the degree of Master of Technology in Computer Science & Engineering of the Swami Vivekananda Subharti University, Meerut, during the academic year 2012-13, is a bona fide record of work carried out under our guidance and supervision. The results embodied in this report have not been submitted to any other University or Institution for the award of any degree or diploma.

(Guide)

(External Examiner)

(Head of Department)

Dr. Khaleel Ahmad CS/IT Department



CANDIDATE'S DECLARATION
I hereby certify that the work which is being presented in the thesis entitled "Malware Detection and Prevention Using Set Theory" by SUCHITRA CHOUDHARY in partial fulfillment of the requirements for the award of the degree of M.Tech. (Computer Science & Engineering), submitted in the Department of Computer Science & Engineering at SUBHARTI INSTITUTE OF TECHNOLOGY & ENGINEERING, SWAMI VIVEKANAND SUBHARTI UNIVERSITY, is an authentic record of my own work carried out during the period from 2012 to 2013 under the supervision of Dr. Khaleel Ahmad. The matter presented in this thesis has not been submitted by me to any other University / Institute for the award of an M.Tech. degree.

Signature of the Student
SUCHITRA CHOUDHARY
ROLL NO. 1101210010



ACKNOWLEDGEMENT
I would like to place on record my deep sense of gratitude to Dr. Khaleel Ahmad, Dept. of Computer Science & Engineering, S.I.T.E, Meerut, India, for his generous guidance, help and useful suggestions. I express my sincere gratitude to Prof. (Dr.) Jayant Shekhar, Technical Director, S.I.T.E, S.V.S.U Meerut, India, for his stimulating guidance, continuous encouragement and supervision throughout the course of the present work. I also wish to extend my thanks to my colleagues for their great support and for their insightful comments and constructive suggestions to improve the quality of this research work.

SUCHITRA CHOUDHARY


Abstract: As dependence on electronic devices (such as computers, laptops and mobiles) increases, an ever larger amount of data and information is stored on them. These devices, interconnected in local, national and international networks, use and share a large number of software programs. Individuals, corporations, hospitals, communication networks and authorities, among others, depend entirely on the accessibility of the stored data and information. Malware has different objectives and applies different techniques; through malware an attacker can obtain a user's personal information. In this thesis we propose a novel model for malware detection and prevention. The proposed models detect malware software and protect electronic devices from malware that can destroy or delete their data. We propose an algorithm for the detection model and one for the prevention model, using set theory for both the detection and the prevention of malware software. We have made our best effort to implement the proposed models and algorithms for detecting malware and protecting electronic devices from it, and to provide a better and more effective result to the user. This model will provide a better result than other malware detection models or approaches.


Contents ... Page
Certificate ... 1
Candidate's Declaration ... 2
Acknowledgement ... 3
Abstract ... 4

Chapter 1: Introduction
1. Introduction ... 10
1.1 Trojan Horse ... 12
1.1.1 Purpose and Use of Trojan Horse ... 13
1.2 Worms ... 14
1.3 Virus ... 14
1.3.1 File infectors ... 15
1.3.2 System or boot-record infectors ... 15
1.3.3 Macro viruses ... 15
1.4 Key loggers ... 16
1.4.1 Software-based key loggers ... 16
1.4.2 Hardware-based key loggers ... 17
1.5 Rootkit ... 19
1.5.1 User mode rootkit ... 19
1.5.2 Kernel mode rootkit ... 20
1.6 Wabbit ... 21
1.7 Spyware ... 21
1.7.1 Routes of infection ... 21
1.7.2 Effects and behaviors ... 22
1.8 Adware ... 23
1.9 Bot ... 23
1.10 Bug ... 23
1.11 Ransomware ... 24
2. Type of Malware ... 24
2.1 Host need program ... 25
2.2 No need host program ... 25

Chapter 2: Related Work
2. Related work ... 26

Chapter 3: Proposed Work
3. Proposed work ... 28
3.1 Malware detection model ... 29
3.2 Algorithm for Malware detection model ... 30
3.3 Malware prevention model ... 31
3.4 Algorithm for Malware prevention model ... 32

Chapter 4: Implementation
4.1 Startup Page ... 33
4.2 Page for Browse ... 34
4.3 Modules for scanning ... 35
4.4 Process for scanning ... 36
4.4.1 Detected Malware software for Set A ... 37
4.4.2 Detecting Malware software for Set C ... 38
4.4.3 Detecting Malware software for Set B ... 39
4.5 Complete Scanning stage ... 40
4.6 Provide Malware Information ... 41
4.7 Delete Process for Malware Set A ... 42
4.7.1 Deleting Malware Software Set A ... 43
4.7.2 Provide Delete Information for Malware Set A ... 44
4.8 Delete Process for Malware Set B ... 45
4.8.1 Deleting Malware Software Set B ... 46
4.8.2 Provide Delete Information for Malware Set B ... 47
4.9 Delete Process for Malware Set C ... 48
4.9.1 Deleting Malware Software Set C ... 49
4.10 Abort Scanning Process ... 50

Chapter 5: Conclusion
5.1 Conclusion ... 51
5.2 Future Work ... 51

Page | 8

List of Figures
1.1 Beast Control Program ... 13
1.2 A log file from a software-based key logger ... 16
1.3 A hardware-based key logger ... 17
1.4 A connected hardware-based key logger ... 18
1.5 Computer security rings ... 19
1.6 Malicious websites attempt to install spyware on readers' computers ... 21
2.1 Type of Malware ... 24
3.1 Malware Detection Process ... 29
3.2 Malware Prevention Process ... 31
4.1 Startup page ... 33
4.2 Browse page ... 34
4.3 Scan Modules ... 35
4.4 Scanning Process ... 36
4.5 Detected Malware (Set A) ... 37
4.6 Detected Malware (Set C) ... 38
4.7 Detected Malware (Set B) ... 39
4.8 Complete Stage ... 40
4.9 Malware Information ... 41
4.10 Delete Malware (Set A) ... 42
4.11 Deleting Process (Set A) ... 43
4.12 Deleted Malware (Set A) ... 44
4.13 Delete Malware (Set B) ... 45
4.14 Deleting Process (Set B) ... 46
4.15 Deleted Malware (Set B) ... 47
4.16 Delete Malware (Set C) ... 48
4.17 Deleting Process (Set C) ... 49
4.18 Abort Scanning Process ... 50


CHAPTER: 1 Introduction
1. Introduction:
Web applications in the 21st century don't exist in a silo and need a plethora of external input to provide or augment core functionality [1]. Most of the web applications that we have developed have some form of integration with an enterprise application through web services or some legacy APIs. Where these programs already exist, the process is sometimes realized by using middleware, either packaged by a vendor or written on a custom basis [2]. Over the years, as we have gained experience in integrating applications, a substantial body of knowledge on best practices has emerged. The first step in the application integration process is selecting an integration broker. Too often, an enterprise focuses on a subset of criteria [3]. These might include a strategic relationship with the vendor, the cost of the product, and demonstrations by well-practiced sales support engineers. A serious amount of energy is spent in this step to select the right integration broker [4]. Application integration is unlike application development. Instead of developing and assembling a set of components to create an application, application integration assembles independent applications to create a system. As a consequence, the specifications required are more extensive than those used in a typical software development project [5]. Having the right IS organization is more important than having the right technology [6]. Most successful integration projects during the next five years will involve a new IS function: the central integration competency center [7]. This unit is responsible for bringing consistency to interface development, deployment and maintenance within an enterprise. At MSC we work very closely with the IS organization to bring the necessary resources to accomplish the integration [8]. The security of a web application is a complex of relations constituting the protection of the users' interests; i.e. the factual status of how these relations are protected, including the admissible amount of threats [9].


Security solutions encrypt data to prevent it from being stolen [10]. However, a malicious program or a hacker may corrupt the data in order to make it unrecoverable, making the system unusable.

Data Protection is a rogue anti-spyware program from the same family as Digital Protection. This rogue is installed through the use of Trojans that pretend to be software updates or codecs required to view online videos. When the Trojan is run, it installs Data Protection on the computer without the user's knowledge or consent. The rogue is then configured to start automatically when Windows starts. When installed, the installer will also attempt to remove various anti-virus and anti-malware programs that are installed on the computer in order to protect itself from being removed. When Data Protection is run it automatically scans the computer and lists a variety of infections, but will not allow any of them to be removed until the program is first purchased. The files it reports as infections, though, either do not exist or are legitimate Microsoft files that are required for the proper operation of Windows. Therefore, none of the files it reports as infections should be deleted manually, as doing so may cause problems with the computer [11].

Data consistency and multistep process integration focus on creating a system of applications. Composite application integration creates an application whose architecture contains components whose functionality may be part of independent applications.

Forensic science is the technique used to identify a criminal involved in illegal action in an organization. Forensic science is a very broad term. It covers any aspect of science which may be of use in a court room [12]. It is the application of a broad spectrum of sciences to answer questions of interest to the legal system. Malware detection and prevention is also a part of forensic science.
Malware (malicious programs or rogue code) are software programs capable of reproducing themselves and usually capable of carrying hidden, unintended logic which often leads to great harm to files or other programs on the system and network. Malware, or malicious software, is software designed to damage a computer system without the owner's informed consent. Malware is software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software. Malware includes computer viruses, worms, Trojan horses, key logger software and other malicious programs; the majority of active malware threats are usually worms or Trojans rather than viruses. In law, malware is sometimes known as a computer contaminant, as in the legal codes of several U.S. states [13]. However, some malware is disguised as genuine software, and may come from an official company website in the form of a useful or attractive program which has the harmful malware embedded in it along with additional tracking software that gathers marketing statistics.

1.1 Trojan horse:
A Trojan horse is a non-self-replicating type of malware which gains privileged access to the operating system while appearing to perform a desirable function. Trojans do not attempt to inject themselves into other files like a computer virus. Trojan horses may steal information, or harm their host computer systems. Trojans may use drive-by downloads or install via online games or internet-driven applications in order to reach target computers [14]. The term comes from Greek mythology about the Trojan War, as told in the Aeneid by Virgil and mentioned in the Odyssey by Homer. According to legend, the Greeks presented the citizens of Troy with a large wooden horse in which they had secretly hidden their warriors. During the night, the warriors emerged from the wooden horse and overran the city.


Figure: 1.1 Beast Control Program.

Beast is a Windows-based Trojan horse that sits invisibly in an infected computer and gives full control of that computer to the attacker [15].

1.1.1 Purpose and uses of Trojan Horse:
A Trojan may give a hacker remote access to a targeted computer system. Operations that could be performed by a hacker on a targeted computer system may include [16]:
- Use of the machine as part of a botnet
- Blue screen of death
- Electronic money theft and disabling all internet traffic on the host
- Data theft (e.g. retrieving passwords or credit card information)
- Installation of software, including third-party malware
- Downloading or uploading of files on the user's computer
- Modification or deletion of files
- Keystroke logging
- Watching the user's screen
- Viewing the user's webcam
- Controlling the computer system remotely
- Anonymizing remote third-party internet viewing

Trojan horses in this way may require interaction with a hacker to fulfill their purpose, though the hacker does not have to be the individual responsible for distributing the Trojan horse, which the hacker can then use to control the target computer.

1.2 Worms:
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer [17]. The most common type of worm is the email worm. True to their type, email worms do not infect other files as viruses do; they simply make copies of themselves over and over again. Again true to their type, email worms do this via email, by sending themselves to email addresses found on the infected user's system. Email worms can spread globally within moments by using this simple tactic. Consider one person who becomes infected but happens to have twenty email addresses found on his system. All twenty of those addresses will be sent a copy of the worm. If any of the recipients become infected, they will also unwittingly spread copies of the worm to all their friends, colleagues, and business associates whose email addresses happen to be on their system.

1.3 Virus:
A computer virus is a computer program that can replicate itself and spread from one computer to another. Malware such as Trojan horses and worms is sometimes confused with viruses, which are technically different: a worm can exploit security vulnerabilities to spread itself automatically to other computers through networks, while a Trojan horse is a program that appears harmless but hides malicious functions [18]. Worms and Trojan horses, like viruses, may harm a computer system's data or performance. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious or simply do nothing to call attention to themselves. Some viruses do nothing beyond reproducing themselves. Generally, there are three main classes of viruses:

1.3.1 File infectors. Some file infector viruses attach themselves to program files, usually selected .COM or .EXE files. Some can infect any program for which execution is requested, including .SYS, .OVL, .PRG, and .MNU files. When the program is loaded, the virus is loaded as well. Other file infector viruses arrive as wholly-contained programs or scripts sent as an attachment to an e-mail note.

1.3.2 System or boot-record infectors. These viruses infect executable code found in certain system areas on a disk. They attach to the DOS boot sector on diskettes or the Master Boot Record on hard disks. A typical scenario (familiar to the author) is to receive a diskette from an innocent source that contains a boot disk virus. When your operating system is running, files on the diskette can be read without triggering the boot disk virus. However, if you leave the diskette in the drive, and then turn the computer off or reload the operating system, the computer will look first in your A drive, find the diskette with its boot disk virus, load it, and make it temporarily impossible to use your hard disk. (Allow several days for recovery.) This is why you should make sure you have a bootable floppy.

1.3.3 Macro viruses. These are among the most common viruses, and they tend to do the least damage. Macro viruses infect your Microsoft Word application and typically insert unwanted words or phrases.
The best protection against a virus is to know the origin of each program or file you load into your computer or open from your e-mail program. From time to time, you may get an e-mail message warning of a new virus. Unless the warning is from a source you recognize, chances are good that the warning is a virus hoax [19].


1.4 Key loggers:
Key loggers are malware that can be implemented in hardware or in software. A key logger attacks the target system and sends the information it captures to the attacker. There are two types of key logger: software-based key loggers and hardware-based key loggers [20].

1.4.1 Software-based key loggers:

Figure 1.2 A Log File From a Software-Based Key Logger.

These are software programs designed to work on the target computer's operating system. From a technical perspective, there are five categories of software-based key logger:

Hypervisor-based: The key logger can theoretically reside in a malware hypervisor running underneath the operating system, which remains untouched. It effectively becomes a virtual machine. Blue Pill is a conceptual example.

Kernel-based: This method is difficult both to write and to combat. Such key loggers reside at the kernel level and are thus difficult to detect, especially for user-mode applications. They are frequently implemented as rootkits that subvert the operating system kernel and gain unauthorized access to the hardware, making them very powerful. A key logger using this method can act as a keyboard device driver, for example, and thus gain access to any information typed on the keyboard as it goes to the operating system.

API-based: These key loggers hook keyboard APIs; the operating system then notifies the key logger each time a key is pressed and the key logger simply records it. Windows APIs such as GetAsyncKeyState(), GetForegroundWindow(), etc. are used to poll the state of the keyboard or to subscribe to keyboard events. These types of key loggers are the easiest to write, but where constant polling of each key is required, they can cause a noticeable increase in CPU usage, and can also miss the occasional key [21]. A more recent example simply polls the BIOS for pre-boot authentication PINs that have not been cleared from memory.

Form grabbing based: Form grabbing-based key loggers log web form submissions by recording the web browser's on-submit event functions. This records form data before it is passed over the Internet and bypasses HTTPS encryption.

Memory injection based: Memory injection-based key loggers alter memory tables associated with the browser and other system functions to perform their logging functions. By patching the memory tables or injecting directly into memory, this technique can be used by malware authors who are looking to bypass Windows User Account Control. The Zeus and SpyEye Trojans use this method exclusively [22].

1.4.2 Hardware-based key loggers:

Figure 1.3 A Hardware-Based Key Logger.


Figure 1.4 A Connected Hardware-Based Key Logger.

Hardware-based key loggers do not depend upon any software being installed, as they exist at the hardware level of the computer system. Hardware key loggers are used for keystroke logging by means of a hardware circuit that is attached somewhere in between the computer keyboard and the computer, typically in line with the keyboard's cable connector [23]. More stealthy implementations can be installed or built into standard keyboards, so that no device is visible on the external cable. Both types log all keyboard activity to their internal memory, which can be subsequently accessed, for example, by typing in a secret key sequence. A hardware key logger has an advantage over a software solution: it is not dependent on being installed on the target computer's operating system and therefore will not interfere with any program running on the target machine or be detected by any software. However, its physical presence may be detected if, for example, it is installed outside the case as an inline device between the computer and the keyboard. Some of these implementations have the ability to be controlled and monitored remotely by means of a wireless communication standard.


1.5 Rootkit:
A rootkit is a stealthy type of software, often malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware. Rootkit installation can be automated, or an attacker can install it once they have obtained root or Administrator access. Obtaining this access is a result of direct attack on a system. Once installed, it becomes possible to hide the intrusion as well as to maintain privileged access. The key is the root/Administrator access. Full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent it. Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. There are the following types of rootkit.

1.5.1 User mode rootkit:

Figure 1.5 Computer Security Rings


User-mode rootkits run in Ring 3, along with other applications as user, rather than low-level system processes. They have a number of possible installation vectors to intercept and modify the standard behavior of application programming interfaces. Some inject a dynamically linked library into other processes, and are thereby able to execute inside any target process to spoof it; others with sufficient privileges simply overwrite the memory of a target application. Injection mechanisms include:
- Use of vendor-supplied application extensions. For example, Windows Explorer has public interfaces that allow third parties to extend its functionality.
- Interception of messages.
- Debuggers.
- Exploitation of security vulnerabilities.
- Function hooking or patching of commonly used APIs, for example, to mask a running process or file that resides on a file system.
Since user mode applications all run in their own memory space, the rootkit needs to perform this patching in the memory space of every running application. In addition, the rootkit needs to monitor the system for any new applications that execute and patch those programs' memory space before they fully execute.

1.5.2 Kernel mode rootkit:
Kernel-mode rootkits run with the highest operating system privileges (Ring 0) by adding code or replacing portions of the core operating system, including both the kernel and associated device drivers. Most operating systems support kernel-mode device drivers, which execute with the same privileges as the operating system itself. As such, many kernel-mode rootkits are developed as device drivers or loadable modules, such as loadable kernel modules in Linux or device drivers in Microsoft Windows. This class of rootkit has unrestricted security access, but is more difficult to write. The complexity makes bugs common, and any bugs in code operating at the kernel level may seriously impact system stability, leading to discovery of the rootkit. One of the first widely known kernel rootkits was developed for Windows NT 4.0 and released in Phrack magazine in 1999 by Greg Hoglund [24].


Kernel rootkits can be especially difficult to detect and remove because they operate at the same security level as the operating system itself, and are thus able to intercept or subvert the most trusted operating system operations. Any software, such as antivirus software, running on the compromised system is equally vulnerable. In this situation, no part of the system can be trusted.

1.6 Wabbit:
A wabbit is a type of self-replicating computer program. Unlike viruses, wabbits do not infect host programs or documents. Unlike worms, wabbits do not use the network capabilities of the computer to spread. Instead, a wabbit [25].

1.7 Spyware:
Spyware is software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge [26].

1.7.1 Routes of infection:

Figure 1.6 Malicious Websites Attempt to Install Spyware on Readers' Computers.

Spyware does not necessarily spread in the same way as a virus or worm, because infected systems generally do not attempt to transmit or copy the software to other computers. Instead, spyware installs itself on a system by deceiving the user [27]. Most spyware is installed without the user's knowledge, or by using deceptive tactics. Spyware may try to deceive users by bundling itself with desirable software. Another common tactic is to use a Trojan horse. Some spyware authors infect a system through security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware. The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have made it a frequent target. Its deep integration with the Windows environment makes it susceptible to attacks that reach into the Windows operating system [28]. Internet Explorer also serves as a point of attachment for spyware in the form of Browser Helper Objects, which modify the browser's behavior to add toolbars or to redirect traffic.

1.7.2 Effects and behaviors:
A spyware program is rarely alone on a computer: an affected machine usually has multiple infections. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic [29]. Stability issues, such as applications freezing, failure to boot, and system-wide crashes, are also common. Spyware which interferes with networking software commonly causes difficulty connecting to the Internet. In some infections, the spyware is not even evident. Users assume in those situations that the performance issues relate to faulty hardware, Windows installation problems, or another infection. Some owners of badly infected systems resort to contacting technical support experts, or even buying a new computer because the existing system "has become too slow". Badly infected systems may require a clean reinstallation of all their software in order to return to full functionality.


1.8 Adware:
Adware (short for advertising-supported software) is a type of malware that automatically delivers advertisements. Common examples of adware include pop-up ads on websites and advertisements that are displayed by software. Often, software and applications offer free versions that come bundled with adware. Most adware is sponsored or authored by advertisers and serves as a revenue-generating tool [30]. While some adware is solely designed to deliver advertisements, it is not uncommon for adware to come bundled with spyware that is capable of tracking user activity and stealing information.

1.9 Bot:
Bots are software programs created to automatically perform specific operations. While some bots are created for relatively harmless purposes (video gaming, internet auctions, online contests, etc.), it is becoming increasingly common to see bots being used maliciously. Bots can be used in botnets (collections of computers controlled by third parties) for DDoS attacks, as spambots that render advertisements on websites, as web spiders that scrape server data, and for distributing malware disguised as popular search items on download sites [31]. Websites can guard against bots with CAPTCHA tests that verify users as human.

1.10 Bug:
A bug is a flaw that produces an undesired outcome. These flaws are usually the result of human error and typically exist in the source code or compilers of a program. Minor bugs only slightly affect a program's behavior and as a result can go for long periods of time before being discovered. More significant bugs can cause crashing or freezing [32]. Security bugs are the most severe type of bug and can allow attackers to bypass user authentication, override access privileges, or steal data. Bugs can be prevented with developer education, quality control, and code analysis tools.


1.11 Ransomware:
Ransomware is a form of malware that essentially holds a computer system captive while demanding a ransom. The malware restricts user access to the computer either by encrypting files on the hard drive or by locking down the system and displaying messages that are intended to force the user to pay the malware creator to remove the restrictions and regain access to their computer. Ransomware typically spreads like a normal computer worm, ending up on a computer via a downloaded file or through some other vulnerability in a network service [33].

2: Type of malware program:

[Figure 2.1: tree diagram with "Malware program" at the root and two branches, "Host need program" and "No need host program"]

Figure: 2.1 Type of Malware Program

There are two types of malware program. Figure 2.1 shows the types of malware program. These are host need programs and no need host programs.


2.1: Host need program:
Programs that require a host program. These programs cannot exist by themselves; they need some application, utility or other program to run in [34].

2.2: No need host program:
Programs that do not require a host program. These programs can exist independently [34].


CHAPTER: 2 Related Work


2.1 Related Work: As dependency on internet and electronic device such as computer, laptop and mobile extended. There are many disadvantages such as lack of security, User ID theft, Leakage of information, etc.There are many person who are performing their work in this field such as Gursimran Kaur, Bharti Nagpal research the topic Malware Analysis & its Application to Digital Forensic they purposed the following field. First, they study the about how to analyze the malware on the system for digital investigation. Second they introduce malware analysis tools. Finally, they also described malware analysis for digital forensic Investigation [35]. Gollmann defines computer security as the prevention and detection of unauthorized actions performed by users of a computer system. In general, three key objectives or security services are pointed out: confidentiality, integrity and availability. In order to protect assets in computer systems with respect to security services, several mechanisms have beeninvented, including encryption, authentication and access control. Whenimplementing computer security in systems one must consider important designparameters, including within which layers security mechanisms shouldbe implemented [36]. According to Spett, the field of computer security has evolved overtime. When the only means of compromising data was by infecting a personalcomputer with a virus contained on a floppy disk, desktop securitywas applied. In parallel with the expansion of the Internet corporations Developed internal and external networks, resulting in a need for networksecurity. As corporations intensified the offering of services through applications,computer security reached its current age, also concerning theapplication layer of systems: application security [37]. 
Security professionals and corporations have, according to Levine, OWASP and Spett, traditionally spent a major part of their security efforts and resources on operating system and network security. Assessment services heavily relied on automated tools to find holes in those layers. Conventional security measures typically included network monitoring and logging, authentication protocols, firewalls, intrusion detection systems and encryption techniques. Furthermore, special security measures, e.g. access control mechanisms, have been integrated in Database Management Systems (DBMS) to ensure database security. As a result, network-inherent components such as routers and web servers, as well as operating systems and DBMSs, are in general easy to protect. Attack methods aimed at these components have been known for some time, and standardized countermeasures have been developed and implemented to prevent and detect such threats effectively [38]. According to Craig Valli and Murray Brand, the ability to forensically analyze malicious software (malware) is becoming an increasingly important discipline in the field of Digital Forensics. This is because malware is becoming stealthier, targeted, profit-driven, managed by criminal organizations, harder to detect and much harder to analyze. Malware analysis requires a considerable skill set to delve deep into malware internals when it is designed specifically to detect and hinder such attempts [39].


CHAPTER: 3 Proposed Work


3: Proposed Work: In this thesis we propose a model for malware detection and a model for malware prevention. With these models the system first detects the malware and then protects itself from it. In this thesis we use set theory for both malware detection and malware prevention. The models find the malware but do not delete it at once: first, each detected malware program is sent to a Set according to its category; only after all the malware has been detected do the models delete the malware by selecting a Set. In this way the deletion of the malware takes less time.


3.1: Malware Detection Model:

Start
  Malware purpose?
    N -> This code is not malware
    Y -> Self replicated code?
           N -> This is a Trojan horse, go to Set A
           Y -> Infects a carrier to replicate code?
                  Y -> This code is a virus, go to Set C
                  N -> This is a worm, go to Set B
  Undetected file -> go to Set D
End

Figure: 3.1 Malware Detection Process


3.2: Algorithm for Malware Detection Model:
1: Start
2: IF Malware Purpose
3: Then IF Self Replicated Code
4: Then IF Infects a carrier to replicate
5: Then This code is virus GOTO Step-10
6: ELSE This code is worm GOTO Step-10
7: ELSE This code is Trojan GOTO Step-10
8: ELSE There is no malware code GOTO Step-10
9: IF Undetected File GOTO Step-10
10: END

When the malware detection code executes, it checks whether the file has a malware purpose or not, as shown in figure 3.1. If the file has no malware purpose, it reports that there is no malware code. If the file has a malware purpose, it checks whether the code is self-replicating or not. As figure 3.1 describes, if the code is not self-replicating then it is a Trojan and is sent to Set A. If the code is self-replicating, it checks whether the code infects a carrier in order to replicate. If the code does not infect a carrier to replicate, it is a worm and is sent to Set B. If the code does infect a carrier to replicate, it is a virus and is sent to Set C. If the file is not detected, the file is sent to Set D, as described in figure 3.1.


3.3: Malware Prevention Model:

Start
  Is Set A? Y -> Delete Set A
  Is Set B? Y -> Delete Set B
  Is Set C? Y -> Delete Set C
  Is Set D? Y -> Delete Set D
            N -> There is no malware code
End

Figure: 3.2 Malware Prevention Process


3.4: Algorithm for Malware Prevention Model:
1: Start
2: IF Set A
3: Then Delete Set A
4: Else IF Set B
5: Then Delete Set B
6: Else IF Set C
7: Then Delete Set C
8: Else IF Set D
9: Then Delete Set D
10: Else There is no Malware Code
11: End

After the malware detection model has run, the malware prevention model works as shown in figure 3.2. The model checks whether there is a Set A; if so, it deletes Set A, otherwise it moves on to the next step. If the model finds Set B, it deletes Set B and then checks for Set C; if it finds Set C, it deletes Set C and then checks for Set D; if Set D exists, Set D is deleted. Otherwise the model gives the message that there is no malware code, as shown in figure 3.2.
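The detection tree of Section 3.2 and the prevention pass of Section 3.4 written out in Python, as an added example that is not the thesis's own program (Chapter 4 shows that program only through screenshots). The ELSE-IF chain of the prevention algorithm is read as the sequential check the explanatory text describes (A, then B, then C, then D); the file paths and their yes/no properties are constructed, and deletion is passed in as a callback so the pass can be exercised without touching the filesystem.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed input: the yes/no answers the detection flowchart (figure 3.1) asks,
# plus a flag for files that could not be detected at all.
@dataclass
class FileRecord:
    path: str
    malware_purpose: bool = False
    self_replicating: bool = False
    infects_carrier: bool = False
    undetected: bool = False

SET_NAMES = {"A": "Trojan horse", "B": "worm", "C": "virus", "D": "undetected file"}

def classify(rec: FileRecord) -> Optional[str]:
    """Steps 2-9 of the detection algorithm: the Set letter, or None for no malware."""
    if rec.undetected:              # step 9: undetected file -> Set D
        return "D"
    if not rec.malware_purpose:     # step 8: there is no malware code
        return None
    if not rec.self_replicating:    # step 7: not self-replicating -> Trojan, Set A
        return "A"
    if rec.infects_carrier:         # step 5: replicates through a carrier -> virus, Set C
        return "C"
    return "B"                      # step 6: self-replicating, no carrier -> worm, Set B

def detect(records: List[FileRecord]) -> Dict[str, List[str]]:
    """Detection model: sort every file into its Set; nothing is deleted yet."""
    sets: Dict[str, List[str]] = {letter: [] for letter in SET_NAMES}
    for rec in records:
        letter = classify(rec)
        if letter is not None:
            sets[letter].append(rec.path)
    return sets

def prevent(sets: Dict[str, List[str]], delete: Callable[[str], None]) -> List[str]:
    """Prevention model (figure 3.2): visit Sets A, B, C, D in order and delete each
    non-empty Set as a whole. Returns the letters deleted; [] means no malware code."""
    deleted: List[str] = []
    for letter in "ABCD":
        if sets[letter]:
            for path in sets[letter]:
                delete(path)        # a real scanner would call os.remove here
            sets[letter] = []
            deleted.append(letter)
    return deleted

def sample_records() -> List[FileRecord]:
    """Constructed files, one per outcome of the decision tree (hypothetical paths)."""
    return [
        FileRecord("C:/scan/notes.txt"),
        FileRecord("C:/scan/invoice.exe", malware_purpose=True),
        FileRecord("C:/scan/netspread.exe", malware_purpose=True, self_replicating=True),
        FileRecord("C:/scan/report.docm", malware_purpose=True, self_replicating=True, infects_carrier=True),
        FileRecord("C:/scan/locked.tmp", undetected=True),
    ]

if __name__ == "__main__":
    found = detect(sample_records())
    removed: List[str] = []
    print(found, prevent(found, removed.append) or "there is no malware code")
```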


CHAPTER: 4 Implementation
4.1 Startup Page: In this thesis we have tried our best to implement these models. The figures show how the models work and how they produce their results. Figure 4.1 shows the startup page, from which we can scan the system and protect it from malware. This is the first step, or basic window, for selecting the particular partition on which malware detection is to proceed.

Figure: 4.1 Startup page


4.2 Page for Browse:

Figure: 4.2 Browser Page

Figure 4.2 shows the browser page, on which we select the path, folder or drive we want to scan. Through the browser we can select the whole system for scanning, to protect it from malware. We can select the path or cancel through the message box displayed on the screen. The user can select the particular directory or folder on which to perform the scanning process.


4.3 Modules for scanning:

Figure: 4.3 Scan Modules

After selecting the path from the browser page, the user selects the scan button on the startup page to start scanning. If the user does not select the scan button, the virus scanner cannot scan the system. After the scan button is selected, the virus scanner starts scanning the path the user selected.


4.4 Process for scanning:

Figure: 4.4 Scanning Process

After the scan button is selected, the virus scanner starts scanning. During the scan only the cancel button works; the other buttons do not. Whenever we want to stop the scan, we can do so with the cancel button. Whenever the virus scanner finds a virus in the given path, it shows in the tab which malware it found.


4.4.1 Detected Malware software for Set A:

Figure: 4.5 Detected Malware(Set A)

Figure 4.5 shows that the scanner found malware belonging to Set A and shows the count 1, meaning that the scanner found one malware program belonging to the Trojan category. As the scanner finds further malware, the count increases.


4.4.2 Detecting Malware software for Set C:

Figure: 4.6 Detected Malware (Set C)

Figure 4.6 shows that the scanner found malware belonging to Set C; the count increases as further malware belonging to Set C is found. Set C shows the worm malware software.


4.4.3 Detecting Malware software for Set B:

Figure: 4.7 Detected Malware (Set B)

Figure 4.7 shows that the scanner found malware belonging to Set B; the count increases as further malware belonging to Set B is found. Set B shows the worm malware software.


4.5 Complete Scanning stage:

Figure: 4.8 Complete Stage

Figure 4.8 shows that the scan has completed; the virus scanner shows which malware it found and how many malware programs it found. The message box shows that the scan is complete. After selecting the OK button, the user has to give the command for which malware is to be deleted first.


4.6 Provide Malware Information:

Figure: 4.9 Malware Information

Figure 4.9 shows that the virus scanner asks for a command specifying which malware the user wants to delete first. After the command is selected, the virus scanner deletes that malware. The selected Set is deleted first; without a selection the virus scanner does not proceed.


4.7 Delete Process for Malware Set A:

Figure:4.10 Delete Malware(Set A)

Figure 4.10 shows Set A selected first for deleting its malware. After deleting Set A, the virus scanner again asks for a command for deleting malware. The virus scanner deletes the whole set and shows in the deleted files tab which malware files were deleted.


4.7.1 Deleting Malware Software Set A:

Figure: 4.11 Deleting Process (Set A)

Figure 4.11 shows that the virus scanner presents a message box to the user for deleting Set A. If the user selects the OK button, the virus scanner deletes Set A; otherwise it does not delete the malware belonging to Set A.


4.7.2 Provide Delete Information for Malware Set A:

Figure: 4.12 Deleted Malware Information

Figure 4.12 shows that the virus scanner waits for the next command selecting the Set the user wants to delete. The figure also shows, in the deleted files tab, which malware the virus scanner deleted. After a command is selected, the virus scanner works until it is finished and then waits for the next query.


4.8 Delete Process for Malware Set B:

Figure: 4.13 Delete Malware (Set B)

Figure 4.13 shows Set B selected next for deleting its malware. After deleting Set B, the virus scanner again asks for a command for deleting malware. The virus scanner deletes the whole set and shows in the deleted files tab which malware files were deleted.


4.8.1 Deleting Malware Software Set B:

Figure: 4.14 Deleting Process( Set B)

Figure 4.14 shows that the virus scanner presents a message box to the user for deleting Set B. If the user selects the OK button, the virus scanner deletes Set B; otherwise it does not delete the malware belonging to Set B.


4.8.2 Provide Delete Information for Malware Set B:

Figure: 4.15 Deleted Malware Information

Figure 4.15 shows that the virus scanner waits for the next command selecting the Set the user wants to delete. The figure also shows, in the deleted files tab, which malware the virus scanner deleted. After a command is selected, the virus scanner works until it is finished and then waits for the next query.


4.9 Delete Process for Malware Set C:

Figure: 4.16 Delete Malware (Set C)

Figure 4.16 shows Set C selected next for deleting its malware. After deleting Set C, the virus scanner again asks for a command for deleting malware. The virus scanner deletes the whole set and shows in the deleted files tab which malware files were deleted.


4.9.1 Deleting Malware Software Set C:

Figure: 4.17 Deleting Process (Set C)

Figure 4.17 shows that the virus scanner presents a message box to the user for deleting Set C. If the user selects the OK button, the virus scanner deletes Set C; otherwise it does not delete the malware belonging to Set C.


4.10 Abort Scanning Process:

Figure: 4.18 Abort Scanning Process

After all the malware has been deleted, when the user wants to stop scanning or close the startup page, the virus scanner presents a message box asking whether to stop the scan. If the user selects the Yes button, the scanner stops scanning; otherwise it waits for another query.


CHAPTER: 5 Conclusion
5.1 Conclusion: In this thesis we have analyzed how dependence on electronic devices (such as computers, laptops, mobiles etc.) is currently increasing in various fields, such as the corporate field, individual use etc. As this demand increases, the possibility of malware attacks also increases. So in this thesis we designed a malware detection model and a malware prevention model for security purposes. We use Set Theory for malware detection and prevention.

5.2 Future Work: In this thesis we worked on three kinds of malware: Trojan, worm and virus. In future we will work on other kinds of malware, which will be applied to detect malware and secure the software.


References:
1. Aycock, J. (2006). Computer Viruses and Malware. New York: Springer.
2. Erdélyi, G. (2008). IDA Python.
3. Falliere, N. (2007). Windows Anti-Debug Reference. Retrieved October 1, 2007 from http://www.securityfocus.com/infocus/1893
5. Ferrie, P. (2008). Anti-Unpacker Tricks. Retrieved October 8, 2008 from http://www.datasecurityevent.com/uploads/unpackers.pdf
7. Hex-Rays. (2008). IDA Pro.
8. Kessler, G. (2007). Anti-Forensics and the Digital Investigator. Retrieved May 04, 2008, from http://scissec.scis.ecu.edu.au/conference_proceedings/2007/forensics/01_Kessler_Anti-Forensics.pdf
9. Larsson, L. (2007). Meeting the Swedish Bank Hacker. Retrieved April 14, 2007 from http://computersweden.idg.se/2.2683/1.93344
11. Masood, S. G. (2004). Malware Analysis for Administrators. Retrieved 17 March, 2007 from http://www.securityfocus.com/infocus/1780
12. Metasploit LLC. (2008). Metasploit.
13. Microsoft. (2007). Virtual PC.
14. Python Software Foundation. (2008). Python.
15. Rogers, M. (2006). Panel session at CERIAS 2006 Information Security Symposium. Retrieved October 8, 2008, from http://www.cerias.purdue.edu/symposium/2006/materials/pdfs/antiforensics.pdf
16. Smith, S., & Quist, D. (2006). Hacking Malware: Offense is the new Defense. Retrieved July 24, 2007 from http://www.offensivecomputing.net/dc14/valsmith__dquist_hacking_malware_us06.pdf
17. Symantec. (2008). Symantec Global Internet Security Threat Report. Trends for July-December 07. Retrieved October 8, 2008 from http://www.symantec.com/en/uk/business/theme.jsp?themeid=threatreport
19. Yason, M. (2007). The Art of Unpacking. Retrieved Feb 12, 2008 from https://www.blackhat.com/presentations/bh-usa-07/Yason/Whitepaper/bh-usa-07yason-WP.pdf
20. VMware. (2008). VMware.
21. Zeltser, L. (2007). Reverse Engineering Malware: Tools and Techniques Hands-On. Bethesda: SANS Institute.
22. S. L. Garfinkel, Digital forensics research: The next 10 years, in Proceedings of the Digital Forensics Research Conference (DFRWS), 2010.
23. M. Christiansen, Bypassing Malware Defenses, SANS Institute InfoSec Reading Room, pp. 3-4, May 7, 2010.
24. Farid Daryabar, Ali Dehghantanha, Hoorang Ghasem Broujerdi, "Investigation of Malware Defence and Detection Techniques", International Journal of Digital Information and Wireless Communications (IJDIWC) 1(3): 682-687, The Society of Digital Information and Wireless Communications, 2012.
25. Computer Economics. 2007 Malware Report: Annual Worldwide Economic Damages from Malware Exceed $13 Billion, June 2007. http://www.computereconomics.com/page.cfm?name=Malware%20Report Accessed 25/01/2012.
26. Smith, S., & Quist, D. Hacking Malware: Offense is the new Defense, 2006. http://www.offensivecomputing.net/dc14/valsmith__dquist_hacking_malware_us06.pdf Accessed 02/01/2012.
27. D. Bem, Virtual Machine for Computer Forensics - the Open Source Perspective, Open Source Software for Digital Forensics, Springer, 2010; R. Meadows, Cisco Router and Switch Forensics: Investigating and Analyzing Malicious Network Activity, Elsevier Science, 2009.
28. Casey, E.: Digital Evidence and Computer Crime, 2nd Edition, Elsevier Academic Press, 2004.
29. http://www.askoxford.com/concise_oed/forensic?view=uk : forensic, accessed on 7 June 2011.
30. Kruse, W. G. & Heiser, J. G. 2001. Computer Forensics. Incident Response Essentials. Addison-Wesley.
31. J. Aviv and A. Haeberlen. Challenges in experimenting with botnet detection systems. In USENIX 4th CSET Workshop, San Francisco, CA, August 2011.
32. M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian, and J. Nazario. Automated Classification and Analysis of Internet Malware. In 10th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2007.
33. D. Balzarotti, M. Cova, C. Karlberger, C. Kruegel, E. Kirda, and G. Vigna. Efficient Detection of Split Personalities in Malware. In 17th Annual Network and Distributed Systems Security Symposium (NDSS), San Diego, CA, February 2010.
34. P. Barford and M. Blodgett. Toward Botnet Mesocosms. In USENIX 1st Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, MA, April 2007.
35. U. Bayer, P. M. Comparetti, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, Behavior-Based Malware Clustering. In 16th Annual Network & Distributed System Security Symposium (NDSS), San Diego, CA, February 2009.
36. U. Bayer, I. Habibi, D. Balzarotti, E. Kirda, and C. Kruegel. A View on Current Malware Behaviors. In 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), Boston, MA, April 2009.
37. U. Bayer, E. Kirda, and C. Kruegel. Improving the Efficiency of Dynamic Malware Analysis. In 25th ACM Symposium On Applied Computing (SAC), Sierre, Switzerland, March 2010.
38. U. Bayer, C. Kruegel, and E. Kirda. TTAnalyze: A Tool for Analyzing Malware. In 16th Annual EICAR Conference, Hamburg, Germany, April 2006.
