next virus generation

8/8/2019 Next Virus Generation

1/30

HITB 2007HITB 2007 -- DubaiDubai

April, 2007April, 2007

Next Virus Generation: an OverviewNext Virus Generation: an Overview

Angelo P. E. Rosiello

e-mail:[email protected]

rosiello.org


2/30

Something About Me!Something About Me!

I am Italian and I took a degree cum laude in ComputerScience Engineering at Politecnico di Milano in 2006.

In the security field I collaborate with Prof. ChristopherKruegel and Prof. Engin Kirda from the TechnicalUniversity of Vienna on new ICT security solutions.

http://www.seclab.tuwien.ac.at/people/angelo/

I was speaker at: SyScan 06, NocoNName 06,ITUnderground Warsaw 06, Net&System 06 (Best PaperAward), ITUnderground Prague 07 (accepted),

Confidence 07 (accepted).I wrote some articles for: IEEE, HackerJournal, Hakin9,InfoSecWriters (Best Paper Award).


3/30

OutlineOutline

Introduction

Viruses: some Definitions

Antivirus Programs

Antivirus in Action

Armoured Computer Virus

Armouring Techniques

Once Upon a Time...The Whale Virus

The MyDoom Virus

Armouring Techniques: an Overview

Why Viruses didn't Represent a SeriousMenace for Antivirus Companies?

CryptoVirus

Environmental Key

The Bradley Virus

Inside The Bradley

The Bradley: Key Management

The Environmental key Protocol

S

ome RemarksCryptovirAnalysis

Catching the Binaries

Analysis of the Binaries

Cracking the Key

Conclusions

Q&A


4/30

IntroductionIntroduction

As speaking antiviruses work thanks the capability toanalyze viral codes and to upgrade viral databases.

In this way people can download the latest virussignatures and upgrades to stay safe.

We are going to describe here a new generation ofviruses that is undetectable because of the antiviralanalysis complexity


5/30

Viruses: some DefinitionsViruses: some Definitions

Viruses are programs that self-replicate recursively,meaning that infected systems spread the virus to

other systems, which then propagate the virus

further. While many viruses contain a destructive

payload, it's quite common for viruses to do nothingmore than spread from one system to another.(McAfee)

A virus is a succession of instructions which, once

interpreted in the right environment, changes otherssuccessions of instructions so that a new copy

(optionally different) of itself is created in this

environment. (Fred Cohen)


6/30

Antivirus ProgramsAntivirus Programs

Software that searches for known viruses. Also knownas a "virus scanner." As new viruses are discovered bythe antivirus vendor, their binary patterns are addedto a signature database that is downloadedperiodically to the user's antivirus program viaInternet.


7/30

Antivirus in ActionAntivirus in Action

Antiviruses typically work in two ways:They scan files against all known viruses, eachtime a file is opened.

They compute the signatures of each file and

put them in a database. When a file is going tobe opened the signature is compared with theone in the database. If the check is successfulthe file is executed else the file was probably

corrupted by some virus.Other techniques not cited here could be used.


8/30

Armoured Computer VirusArmoured Computer Virus

DefinitionAn armoured code is a program which contains

instructions whose goal is to delay, complicate orforbid its own analysis during either its execution or

through its disassembly.


9/30

Armouring TechniquesArmouring Techniques

During the last years some virus writers introduceddifferent techniques to fight antiviral detectionalgorithms:

Code Obfuscation;

Polymorphism;Encryption routines;

Etc.

We all remember some instances of this kind ofviruses: Whale, MyDoom, etc.


10/30

Once Upon a Time...The Whale VirusOnce Upon a Time...The Whale Virus

The Whale virus appeared in september 1990, old butsmart!

Many techniques were applicated to make hard itsanalysis, such as:

Dynamic decryption and encryption;Code obfuscation;

Code nesting;

Polymorphism (30 different random variants);

etc.When the virus is running it tries to detect if adebugger is in execution, freezing the keyboard.


11/30

The MyDoom VirusThe MyDoom Virus

MyDoom was one of the first modern viruses usingencryption techniques to make antiviral analysis amore difficult task, however it didn't represent aserious menace for analysts.

It was considered the fastest and most devastatingmalware ever, has caused $43.9 billion in economicdamage in 215 countries, according to a report bymi2g Intelligence Unit, a digital risk firm.


12/30

Armouring Techniques: anArmouring Techniques: anOverview (1/3)Overview (1/3)

Polymorphism: nowadays this technique is widely usedalso in shellcodes coding. The aim here is to changethe code in the syntax, or the ordering of theinstructions but always preserving the semantic. Inorder to identify the virus, analysts must study its

mutation engine. Fortunately no polymorphic coderepresented a NP problem, yet. Many methodologieslet identify mutations, such as the extraction andanalysis of CDFGs.


13/30

Armouring Techniques: an Overview (2/3)Armouring Techniques: an Overview (2/3)

Code Obfuscation: even when a language is compiledto an executable file, it's possible to run a decompiler(e.g. gdb) which converts these files back intohuman-readable form, simplifying analysis.Obfuscation serves to increase the difficulty ofdecompilation. Three types of transformation areusually used:

Lexical: changing the name of variables;

Control Flow: making the control more complex(loops nesting, etc.)

Data Flow: changing the flow of data (e.g.Order of data).


14/30

Armouring Techniques: anArmouring Techniques: anOverviewOverview

Encryption: encrypting the payload of a virus means(potentially) making analysis a complex task, ifextracting the key is not trivial. Encryption alsoimplies polymorphysm, in fact, the code automaticallywill change using different keys.


15/30

Why Viruses didn't Represent a Serious Menace forWhy Viruses didn't Represent a Serious Menace forAntivirus Companies?Antivirus Companies?

Since the main purpose of a virus is to spread as soonas possible, it's easy to get a copy of the code and then

to begin the analysis.Analysis itself is not a complex task because armouringtechniques, used in the past, imply to solve a problemof polynomial complexity.


16/30

Cryptography as a MenaceCryptography as a Menace

Cryptography is the science of keeping data secure.In this contest the payload of the virus is thecryptographic subject, and virus writers want to keepit secure!

The combination of virus science and cryptographycreated cryptovirology. The aim of cryptovirology is toimprove resistance of viruses to analysis. In this casewe can also speak of cryptoviranalysis.


17/30

CryptoVirusCryptoVirus

The main limitation while designing a cryptovirus iswhere to locate the cryptographic key.

The virus must run, thus, the key must be somewherein the body of the host, to enable the decryption ofthe payload.

If the key is into the host, it can also be discovered byanalysts, and this is bad (...for a cryptovirus writer!)

Key Exposure: a mobile agent evolving in a hostileenvironment cannot embed keys because if it is

captured, key recovery is immediate and so is itsanalysis.


18/30

CryptoVirus: Environmental KeyCryptoVirus: Environmental Key

Filiol (May 2005) proposed, in his article, the use ofenvironmental key as the virus cryptographic keyand realized the Bradley Virus.

Environmental Key: key cannot be embedded in theagent because it would exposed, therefore it mustdepend on the environment where the agent residesand it must be dynamic.

The notion of environmental keys was first introducedby Riordan and Schneier in 1998.


19/30

The Bradley VirusThe Bradley Virus

The Bradley Virus is avirus family of the nextgeneration and thecomplexity of its analysisis not polynomial!

Let's have a look at thestructure of the codes.

DecipheringEngine

EVP1

EVP2

EVP3

D

CPV1

CPV2

CPV3


20/30


21/30

The Bradley: Key ManagementThe Bradley: Key Management

We said that D collects and tests activation data, butwhere are these data?

the local DNS address.

- a particular data that is in the target system.

- the current system time (mm/dd). the hash of external data, under the control of thevirus and attacker. (e.g. a particular value inside awebpage).


22/30

The Environmental key ProtocolThe Environmental key Protocol

D computes a digest of 160-bits (using SHA-1) by thefollowing function:

H(H( ) )

where is the first 512 bits of EVP1 and indicates thebinary XOR operator).

If V=M, where M is the activation code (it's in the codeof the virus and it is the hash of the key not the key

itself!) then K1= H( ) else stop executionand disinfect the host from the viral code.


23/30

The Environmental key ProtocolThe Environmental key Protocol

If V=M then D deciphers EVP1, i.e. VP1=DK1(EVP1) and

executes it. The anti-antiviral code is now running!

Now D must compute K2, i.e. K2=H(K1 2), where2 is the 512 last bits of VP1.

D deciphers EVP2, i.e. VP2=DK2(EVP2) and executes it.

The infection code is now running!To launch the last segment K3 must be computed,thus, K3=H(K1 K2 3), where 3 is the 512 last bitsof VP2.

D deciphers EVP3, i.e. VP3=DK3(EVP3) and executes it.The optional code is now running!


24/30

Some RemarksSome Remarks

The environmental data must change every time, andit must be under the virus owner control (it's enoughto control ) .

While infecting, the code of the virus changed everytime since the environmental key changed!

Some optimizations:

the viral code can be compressed.

K1, K2 and K3 can be made indipendent using somemore environmental variable.


25/30

CryptovirAnalysisCryptovirAnalysis

The Bradley Virus' designer suggests us that only twocases can be considered in cryptoviranalysis:

The analyst has got the code of the virus.

The analyst didn't get the code.


26/30

Catching the BinariesCatching the Binaries

The probability that an analyst can obtain a copy ofthe virus' binaries is very low, because the virus wasdesigned to execute dedicated attacks and ifenvironmental data fails it disinfects the host.

To have a consistent probability to catch a copy of thevirus, a very large number of honeypots should beused, and this isn't feasible.


27/30

Analysis of the BinariesAnalysis of the Binaries

The l sis f c e r tectedb theenvir nment l key ener ti n r t c l defined in

the Br dleyis a problem which has exponentialcomplexity. (Fili l)

It is ssible t nalyze the viral c de ifand nly if

K1 is known.

K1 is thehashofa combinationofenvironmental data

and it's not nder the control of theanalyst.

is thehashof the keyand is resent in vir s'

binaries, b t sincea strong cryptographic hashf nctionwas sed(i.e. SH -1), we knowverywell

that is not reversible!


28/30

Cracking the KeyCracking the Key

In order to obtain the key there are two ways:Collision attacks

Dictionary attacks

Both have got exponential complexity.


29/30

ConclusionsConclusions

In this presentation we described a new generation ofviruses that are undetectable by existing antivirusesand their analysis corresponds to solve a problem ofexponential complexity.

Integrity checkers may detect a running infection (ifthey are not corrupted by the virus!) but the problemto analyze the viral code still remains.

It seems quite obvious that antivirus companies must

adopt teams of skilled analysts to face such ageneration of viruses.


30/30

Q&AQ&A

Thanks for your attention....

Angelo P. E. Rosiello

[email protected]

next virus generation

Documents