
JORDAN HOOK

SOFTWARE DEVELOPER

Berzerk Anti-Malware

Category: Desktop Application (C#)


The Berzerk Anti-Malware program started off as a small study I began after a few of my family members suffered from ransomware, a type of virus that encrypts a host system's files and holds them for ransom until you pay to have them unlocked. The project began as just a few open source tools I made to quickly analyze a couple of files and catalog my findings; however, due to an extreme interest in the topics I was researching, I decided to develop my tools further so that they could possibly benefit others as well. Thus, the Berzerk Anti-Malware project was born.

Currently the project is only accessible to a select few people who are assisting me with testing the software in order to prevent bugs and false positives from harming your computers. When the project is ready for release this notice will be changed. If you are interested in assisting with the project (development, testing or otherwise) please contact me via my email: me@jordanhook.com and I will follow up with you.

Feel free to take a look at the public analytics board in the meantime via this link: Berzerk Community Watch

Throughout this project posting I will attempt to explain how some of the components work within the project, as well as provide images and supporting video documentation of the software.

Before continuing I thought now might be a good time to explain the reasoning behind the name, Berzerk. Berzerk, sometimes spelled Berserk, is described as being out of control with anger or excitement. It can also refer to a Berserker: in summary, a Norse champion warrior who would fight with a trance-like fury and enter battle without armour. I know what you're thinking: that doesn't sound so secure? Well, the idea behind Berzerk Anti-Malware is that it protects you the way a Berserker would enter combat: fast, accurate, efficient and reliable. Although this may sound resource heavy, I would like to assure you that the project's main purpose is to work efficiently and cooperatively with any current security solution you are running.

Components

There are currently 4 components that Berzerk utilizes in order to help protect your system.

Pattern Scanning Engine

This is a very standard component for most anti-malware or anti-virus solutions, as it provides an accurate assessment of known malware types. It works by analyzing a file and its information and matching it against a database of known viruses, looking for similarities. This is traditionally done by matching one or more strings. The issue with this method is that dynamic viruses or malware that can change themselves through encryption and other forms of evasion can typically avoid a definition-based detection; however, it is not impossible that a pattern is still found. Because of this, and because of how frequently malware is updated and changes, new definitions should be added on a day-to-day basis. Berzerk should receive an update to the database version every one or two days. You are able to see the current DB version and check for updates through the software's user interface on the settings tab.
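To make the two points above concrete, here is a small signature scanner written for this posting (illustrative Python, not Berzerk's C# code). The signature names, hex patterns and the sample bytes are all constructed; the second scan shows how a trivially encoded copy of the same bytes slips past a static definition.

```python
import re

# Constructed signature database: name -> hex pattern, "??" is a one-byte wildcard.
# These are made-up patterns for illustration, not real malware signatures.
SIGNATURES = {
    "Demo.Dropper.A": "4D 5A ?? ?? 44 52 4F 50",   # "MZ", two wildcard bytes, "DROP"
    "Demo.Ransom.B":  "52 41 4E 53 4F 4D 21",      # ASCII "RANSOM!"
}

def compile_signature(hex_pattern):
    """Turn a space-separated hex pattern with ?? wildcards into a bytes regex."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

def scan_bytes(data):
    """Return a sorted list of (signature name, offset) for every match in data."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((name, m.start()))
    return sorted(hits)

def scan_file(path):
    """Scan a file on disk with the same signature set."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())

def xor_encode(data, key):
    """Single-byte XOR: the kind of trivial transformation that defeats a static pattern."""
    return bytes(b ^ key for b in data)

# Constructed sample: an "MZ" stub followed by the two marker strings.
SAMPLE = b"MZ\x90\x00DROP" + b"\x00" * 16 + b"RANSOM!"

if __name__ == "__main__":
    print(scan_bytes(SAMPLE))                     # both signatures hit
    print(scan_bytes(xor_encode(SAMPLE, 0x5A)))   # empty: the encoded copy evades
```

A real engine would add the decoded or in-memory form of the file to what it scans, which is exactly the gap the heuristic and injection engines below are meant to cover.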

As per the screenshot, the current database version is 1.82, which means there have been 182 updates to the database released. This does not reflect how many signatures are currently in the database; however, it does provide a rough representation of how often I update the database. DB 0.1 was released on October 12, 2016; today is March 31st, 2017, which is 170 days since the database was started. This means I update the database an average of 1.10 times a day. This is really dependent on my time, as analyzing malware and creating signatures does take time. Some days you may receive more than one update, some days you may not receive any at all (if this is the case, expect a large update the next time). The signature definition database is also limited to the amount of malware that I am able to obtain; I currently pull from around 6 different sources on a daily basis and try to analyze anything Berzerk does not already detect. Once those automated malware sources are depleted I move on to searching the web for various malicious attacks and potentially harmful websites in order to obtain newer, fresher samples. If you would like to contribute to the database or submit a sample that Berzerk does not detect, please email me via me@jordanhook.com (NOTE: DO NOT PROVIDE MALWARE SAMPLES IN EMAIL; I WILL PROVIDE YOU WITH A LINK WHERE YOU CAN UPLOAD THEM).

Heuristic Detection Engine

Those of you who know a little bit about malware analysis should understand that pattern scanning alone just won't cut it. Too many new kinds of malware are created and released on a daily basis for pattern matching to provide any relevant protection. Ten years ago, maybe even fifteen, pattern matching would have been enough; however, malware devs are getting smarter, but don't worry, so are we. Heuristic analysis of malware is the ability to analyze the behaviour of a piece of malware and flag files based on how they are acting on your system. In other words, instead of searching for a specific pattern of bytes in a file, we are analyzing the type of file, where it's located, what files it's touching, where it is running, etc. Based on this information we are actually able to flag certain files as malicious. For example, a very common flow for a trojan or trojan dropper to take on your computer is to copy itself into hidden folders on your system and then add itself so that it starts with your computer. Though this is a little too vague to simply flag a program doing this as malware, it should provide you with some understanding of how a heuristic detection may work. The downside of heuristic detection engines is that they tend to produce a lot of false positives. For example, with the rules specified above, the software may be tempted to flag Google Chrome as malicious, as it copies itself onto your computer and adds itself to startup; though this is a legitimate program, it could be seen as malicious if the rules of the system are too vague. However, the pros do outweigh the cons, as heuristic scanning is typically extremely fast and provides the ability to detect unknown threats (threats that aren't in the pattern database yet).
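The rule-and-score approach described above, written up for this posting as illustrative Python (not Berzerk's own engine). The rule weights, the threshold, the two file observations and the trusted-signer allowlist are all constructed; the signer check is an assumed extra input, added to show one way of cutting the Chrome-style false positive without dropping the rules.

```python
from dataclasses import dataclass

@dataclass
class FileObservation:
    """What a scanner can learn about a file without executing it (constructed fields)."""
    path: str
    in_hidden_dir: bool = False
    adds_startup_entry: bool = False
    copies_self: bool = False
    has_valid_signature: bool = False   # assumed code-signing check, not on the page
    signer: str = ""

# Each rule: (name, predicate, weight). Weights are illustrative, not Berzerk's.
RULES = [
    ("hidden-location",     lambda o: o.in_hidden_dir,      30),
    ("startup-persistence", lambda o: o.adds_startup_entry, 35),
    ("self-copy",           lambda o: o.copies_self,        30),
]
TRUSTED_SIGNERS = {"Google LLC", "Mozilla Corporation"}   # constructed allowlist
THRESHOLD = 60

def score(obs, use_signer_check=True):
    """Sum the weights of fired rules; halve the score for a validly signed, trusted file."""
    fired = [name for name, pred, _ in RULES if pred(obs)]
    total = sum(w for name, _, w in RULES if name in fired)
    if use_signer_check and obs.has_valid_signature and obs.signer in TRUSTED_SIGNERS:
        total //= 2   # self-copy plus startup entry is expected from a trusted updater
    return total, fired

def classify(obs, use_signer_check=True):
    """Return (verdict, score, fired rule names) for one observation."""
    total, fired = score(obs, use_signer_check)
    return ("suspicious" if total >= THRESHOLD else "clean", total, fired)

# Constructed observations: a dropper-like file and a Chrome-like signed updater.
DROPPER = FileObservation("C:/Users/x/AppData/.cache/svc.exe",
                          in_hidden_dir=True, adds_startup_entry=True, copies_self=True)
CHROME = FileObservation("C:/Program Files/Google/Chrome/chrome.exe",
                         adds_startup_entry=True, copies_self=True,
                         has_valid_signature=True, signer="Google LLC")

if __name__ == "__main__":
    print(classify(DROPPER))                         # suspicious, 95
    print(classify(CHROME, use_signer_check=False))  # suspicious, 65: the false positive
    print(classify(CHROME))                          # clean, 32
```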

Injection Detection Engine

Recently I have integrated an additional layer of security into the Berzerk system. It's sort of a combination of both the Pattern Scanning and Heuristics engines, as it analyzes running processes by behaviour and some of their contents in order to verify whether another program has modified their running environment. Typically malware droppers or installers like to store their payload as encrypted data within themselves to help prevent pattern-based detections. When the dropper is run it will decrypt the payload and inject it into an already running program on the computer; in other words it will take the encrypted virus and hide it inside your Firefox, Google Chrome or another program running on your computer. Though this feature is still very early in development, here is an example of it in action.

Network Activity Monitor

This last component has not yet been introduced to the software in any release; however, the idea behind it is to monitor your network activity from afar and look out for specific behaviours and/or patterns of data being sent that are known to be used by malware. For example, a specific handshake a trojan may use before transmitting your data to its command and control centre.

Additional Images


More information coming soon.