1

I'm a newbie to software security. I'm designing a network and I was wondering whether it is possible to detect if a program upgrade being downloaded on the network is malicious just by analyzing the structure of the downloaded executable?

I tried some literature search but couldn't find much. Any help is highly appreciated. Thank you!

  • On Linux, the command `rm -rf /` will wipe your computer. `rm` is a binary somewhere, and works by accessing the "delete file" API. Malware that wipes your entire drive would _also_ use the "delete file" API. Does `rm` count as malicious? – Clockwork-Muse Feb 12 '20 at 04:22

4 Answers

3

No, you can't, not reliably all the time. Detecting viruses simply by static analysis would likely contradict Rice's Theorem, which says that such a problem is undecidable.

Lie Ryan
1

Both: Yes/No

Sticking with the question, it seems this is not a mission-critical project.

So one solution might be to detect malicious programs based on signatures, or in one word, signature-based detection.

But creating and maintaining a huge database of signatures is another job, which antivirus/antimalware products are good at.

So using a good anti-malware product would solve the issue; also, uploading to VirusTotal would work if programs are not classified.

  • Imagine if it were a simple PD controller that you needed to update. Then you could have a way of analyzing if you are updating the right thing. Doesn't that work? – user1690356 Feb 12 '20 at 15:44
  • From my understanding, for a simpler device, the problem is that they are too simple. Modern antivirus detects signatures of complex machine programs because they are profitable. It is like getting a reverse shell using telnet (GTFOBins), legal but unethical, whereas on a PC, programs are complex enough to be detected. – Kumar Aman Feb 12 '20 at 16:11
0

In general, no it is not possible. You might be able to get some benefit from a network intrusion detection system (ex: snort) or some anti-virus software. But nothing will guarantee safety. For the most critical of infrastructure, you should verify the hashes that have been cryptographically-signed by the software vendors. Short of that, at least make sure that you download from trusted HTTPS sites that publish SHA hash keys, and compare the SHA with the file you download.

All that being said, if the software vendor is malicious there isn't anything you can do to detect it. Rely on your government's legal system, and only work with software vendors which are subject to their laws.

Jake Feasel
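The "compare the SHA with the file you download" step from the answer above, as an added Python example that is not from the answer or any vendor tool: it parses a SHA256SUMS-style manifest (the `<hex digest>  <filename>` lines that `sha256sum` prints), hashes the download in chunks, and refuses the update when the file has no published digest or the digest does not match. The update bytes and the manifest are constructed here; the function names are this example's own.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample: the bytes of the update we "downloaded" and a vendor-style
# SHA256SUMS manifest ("<hex digest>  <filename>" per line, as sha256sum prints it).
UPDATE_NAME = "update-v1.2.3.bin"
UPDATE_BYTES = b"update-v1.2.3 (constructed sample payload)\n"
PUBLISHED_MANIFEST = (
    f"{hashlib.sha256(UPDATE_BYTES).hexdigest()}  {UPDATE_NAME}\n"
)

def parse_manifest(text):
    """Map filename -> expected hex digest; lines not shaped '<64 hex>  <name>' are ignored."""
    expected = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) == 2 and len(parts[0]) == 64 and all(c in "0123456789abcdef" for c in parts[0].lower()):
            expected[parts[1].lstrip("*")] = parts[0].lower()  # leading '*' = binary-mode marker
    return expected

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large update never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, name, manifest_text):
    """Return (ok, reason); the manifest must itself arrive over a trusted channel (vendor HTTPS, or better, vendor-signed)."""
    expected = parse_manifest(manifest_text)
    if name not in expected:
        return False, "no published digest for this file; refuse to install"
    actual = sha256_of_file(path)
    # Constant-time compare; a mismatch means corruption or tampering, both fatal.
    if not hmac.compare_digest(actual, expected[name]):
        return False, f"digest mismatch: expected {expected[name]}, got {actual}"
    return True, "digest matches published value"

def demo(payload=UPDATE_BYTES, name=UPDATE_NAME):  # write payload to a temp file and verify it
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(payload)
        path = f.name
    try:
        return verify_download(path, name, PUBLISHED_MANIFEST)
    finally:
        os.unlink(path)
```

A single appended byte is enough to make `demo(UPDATE_BYTES + b"\x00")` report a mismatch, which is the point: the check catches any change to the file, but only if the manifest itself was obtained from a source the attacker could not also alter.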
0

There are solutions available that provide real-time sandboxing* for files and applications. They are extensively used in mail filtering and malware analysis. Cuckoo is one of them, which is free and can be integrated in various solutions. Consider this, because most product titles that come to my mind right now cost K's :$

*Sandboxing is a technique which uses real time virtual environments to run and test a file for malicious behaviour.

Chris Tsiakoulas