Inspiration
Every 40 seconds, a business server becomes a victim of ransomware. Each year, ransomware costs $11.5 billion. Ransomware is very hard for antivirus software to detect because it behaves more like normal software than like a virus. We want to protect servers from ransomware, so we built a piece of software called Aegis to do this.
What it does
Aegis protects servers from ransomware by preventing the ransomware from running. Any software, including ransomware, has to request resources from the system core before it can run. When Aegis starts, it logs the fingerprints of all normal programs into a whitelist. It then monitors all requests and detects those coming from ransomware by checking whether the new program requesting resources has a fingerprint in the whitelist. Once Aegis detects ransomware, it stops the system from allocating any resources to it, so the ransomware is unable to run. Aegis protects servers from any malware such as ransomware, Trojans, spyware and viruses, as well as from any unauthorized software, and reports to the administrator via SMS and phone calls.
How we built it
We used Visual C++ to access the system core, first to create a whitelist of trustworthy programs and then to monitor new resource requests for new processes. Once a request comes from a program whose fingerprint is not in the whitelist, we label it malware/virus/ransomware and do not allow it to execute. We also used the Nexmo service to send messages to the administrator when unauthorized software attempts to execute on the server.
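The whitelist decision described above, as an added example (a user-mode C model, not the Aegis driver's code): it assumes an FNV-1a hash of the image bytes as the "fingerprint" and leaves out the kernel-side process-creation callback that would actually refuse the launch. The two-phase logic (record everything while learning, then allow only recorded fingerprints) is the part worth seeing.

```c
/* Added example, not Aegis's own code. Fingerprint = FNV-1a 64-bit hash of the
 * executable image (an assumption; the page does not say which hash Aegis uses).
 * In the real driver this decision runs inside the process-creation callback. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define MAX_ALLOW 64
typedef struct {
    uint64_t fp[MAX_ALLOW];
    size_t count;
    int enforcing; /* 0 = learning phase (record every image), 1 = enforce */
} allowlist_t;
/* Fingerprint of an executable image: FNV-1a 64-bit over its contents. */
uint64_t fingerprint(const uint8_t *image, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= image[i]; h *= 1099511628211ULL; }
    return h;
}
/* Called for every new process. Returns 1 = allow, 0 = block.
 * Learning phase: unseen images are recorded as "normal" and allowed.
 * Enforcement phase: only recorded fingerprints may run; anything else is
 * blocked and reported (this is where Aegis sends its SMS). */
int on_process_create(allowlist_t *al, const uint8_t *image, size_t len) {
    uint64_t fp = fingerprint(image, len);
    for (size_t i = 0; i < al->count; i++)
        if (al->fp[i] == fp) return 1;
    if (!al->enforcing) {
        if (al->count < MAX_ALLOW) al->fp[al->count++] = fp;
        return 1;
    }
    fprintf(stderr, "ALERT: blocked unknown image, fingerprint %016llx\n",
            (unsigned long long)fp);
    return 0;
}
/* Constructed run: baseline one trusted image, switch to enforcement, then
 * launch the trusted image again and an unknown one. Returns a 3-bit result:
 * bit2 = baseline allowed, bit1 = known allowed, bit0 = unknown blocked. */
int scenario(void) {
    static const uint8_t svc[] = "MZ\x90 constructed trusted service image";
    static const uint8_t mal[] = "MZ\x90 constructed unknown dropper image";
    allowlist_t al = {{0}, 0, 0};
    int baseline_ok = on_process_create(&al, svc, sizeof svc);
    al.enforcing = 1;
    int known_ok = on_process_create(&al, svc, sizeof svc);
    int unknown_blocked = !on_process_create(&al, mal, sizeof mal);
    return (baseline_ok << 2) | (known_ok << 1) | unknown_blocked;
}
```

A practical caveat the model makes visible: any program first seen during the learning phase, trustworthy or not, lands in the whitelist, so the baseline must be taken on a known-clean server.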
Challenges we ran into
The most challenging part was how to monitor all processes and intercept unauthorized ones in their initialization step. After doing research, we realized that we had to develop a Windows kernel driver to do this work, but another problem was that we also had to sign the driver with a digital certificate. Thankfully, Microsoft offers plenty of examples that guided us in developing a kernel driver, as well as in bypassing the validation by using a test certificate. Another problem was how to use Visual C++ to communicate with the Nexmo SMS and Voice API, since Nexmo does not offer code examples for C. To overcome this, we set up a proxy server that converts the C++ request into a Python one, which finally solved it.
Accomplishments that we're proud of
The final outcome of the project is pretty good. We were aiming to stop ransomware, but the result is that Aegis is able to stop all malware, including ransomware, Trojans, spyware, viruses, etc.
What we learned
- The detailed procedure when executing software: requesting resources from the system core, then running the process, then its threads.
- How to access the system core of Windows.
- How to detect and compare software fingerprints.
What's next for Aegis
The next step for Aegis is to enable it to protect not only servers but also normal PCs. Anti-malware for a server is easier because servers only run certain processes, so we can easily log all programs' fingerprints. On PCs, however, users constantly install and run new programs. Our idea is to derive a characteristic behavior pattern for ransomware. For requests coming from new software, we decide whether it is ransomware: if it is, we stop it; otherwise, we add it to the whitelist.
Built With
- alibaba-cloud
- visual-c
- visual-c++