INVESTIGATION OF MALWARE DEFENCE AND DETECTION TECHNIQUES

Malware is considered a major threat vector that can potentially cause huge damage to both network infrastructure and network applications. In this paper, different techniques such as repacking, reverse engineering and hex editing for bypassing host-based Anti-Virus (AV) signatures are illustrated, and the different channels and methods by which malware might reach a host from outside the network are described and compared. After that, bypassing HTTP/SSL and SMTP malware defences as channels is discussed. Finally, a new malware detection technique based on honeynet systems is discussed and its strengths and weaknesses are highlighted.

best way for detection and prevention by defences, we survey a detection system based on honeynets for organizations to detect unknown malware before it reaches their private networks.

II. REVIEW OF RELATED WORKS

Many companies' employees use unknown sources on the Internet and download executable files, which might be malicious. The reason security administrators in companies prevent these activities is given, and it is shown how new malware, or existing malware that has been changed, might pass AV engines [4]. The ability of AVs to detect some malware is indicated, and it is tested to determine how often the malware is recognized by standard AVs. All the malware mentioned in this part has been scanned in VirusTotal [4]. It is a free service from Hispasec Sistemas; the VirusTotal site scans all uploaded files using 41 AVs based on the signature detection method, and each AV has been updated with the newest malware signatures [4]. The detection result differs between stored and executed malware, which respectively show malicious behavior and signature; therefore, detection cannot always be deduced from stored files alone [5]. The example is malware with a known signature whose code has been changed.

But when the malware runs, the malicious signature may re-emerge based on the packet's nature [5]. There are two different situations in which malware can be detected or can bypass detection: first, bypassing host-based AVs, and second, bypassing AV gateways [5], which protect a network. The different ways in which malware might bypass host-based defenders are given below:
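The stored-versus-executed distinction above can be shown with a small static scanner (an added example, not the paper's or VirusTotal's code; the signature strings and samples are constructed): an exact-pattern signature check of the kind the signature-based AV engines use, plus an entropy heuristic so a repacked file that no longer contains the pattern is flagged for runtime analysis rather than reported clean.

```python
import math
import random

# Constructed signatures standing in for an AV database (not real malware signatures).
SIGNATURES = {
    "Demo.Downloader": b"GET /stage2.bin HTTP/1.1",
    "Demo.Dropper": b"DEMO-DROPPER-MARKER",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text and code sit around 4-6, packed or
    encrypted sections approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def signature_hits(data: bytes) -> list:
    """Exact byte-pattern matching, as a signature-only engine does."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def scan(data: bytes, entropy_threshold: float = 7.2) -> dict:
    """Signature check first; if nothing matches, fall back to a packing
    heuristic so a repacked file is flagged for deeper (runtime) analysis
    instead of being reported clean."""
    hits = signature_hits(data)
    entropy = shannon_entropy(data)
    if hits:
        verdict = "signature-match"
    elif entropy >= entropy_threshold:
        verdict = "suspicious-packed"
    else:
        verdict = "clean"
    return {"hits": hits, "entropy": round(entropy, 2), "verdict": verdict}

# Constructed samples (no real binaries): a stored file carrying a known
# pattern, a benign text file, and a seeded high-entropy blob standing in for
# a repacked file whose original bytes only reappear when it runs.
PLAIN_TEXT = b"Constructed benign text section for the example. " * 40
STORED_SAMPLE = PLAIN_TEXT + SIGNATURES["Demo.Downloader"] + PLAIN_TEXT
CLEAN_SAMPLE = PLAIN_TEXT
PACKED_SAMPLE = random.Random(1).randbytes(4096)

if __name__ == "__main__":
    for label, blob in [("stored", STORED_SAMPLE), ("clean", CLEAN_SAMPLE),
                        ("packed", PACKED_SAMPLE)]:
        print(label, scan(blob))
```

The packed sample gets no signature hit, which is exactly the stored-file blind spot the paper describes; the entropy verdict is what routes it to behavioural observation (sandbox or honeynet) instead of a clean report.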

[1] Somesh Jha, et al. Testing malware detectors, 2004, ISSTA '04.

[2] Nen-Fu Huang, et al. Apply data mining to defense-in-depth network security system, 2005, 19th International Conference on Advanced Information Networking and Applications (AINA'05) Volume 1 (AINA papers).

[3] Michal Szczepanik, et al. Detecting New and Unknown Malwares Using Honeynet, 2010, MISSI.