viruses and anti-viruses
Plan of talk
• Kinds of malware
• Anti-Virus Technologies
• Anti-Anti-Virus Techniques
• Example: the Timid virus
• Code explanation
Kinds of malware: worms, spyware, Trojan horses, adware
Worms
A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses infect or corrupt files on the targeted computer.
Worm Propagation (figure): leverages network connectivity
Spyware
Spyware is computer software that collects personal information about users without their informed consent. The term spyware is often used interchangeably with adware and malware.
Personal information is recorded covertly by a variety of techniques, including logging keystrokes, recording web browsing history and scanning documents on the computer's hard disk. The impact ranges from theft of passwords and financial details down to the merely annoying recording of search history for targeted advertising. Spyware may collect different types of information: some variants track the websites a user visits and send this information to an advertising agency, while more malicious variants intercept passwords or credit card numbers as the user enters them into a web form or other application.
Trojan horses
A Trojan horse is a program that, unlike a virus, does not replicate itself: it contains or installs a malicious program (sometimes called the payload, or simply the 'trojan'). The term is derived from the classical myth of the Trojan Horse. Trojan horses may appear to be useful or interesting programs (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.
The famous usage in hacking.
Trojan propagation (figure): leverages gullible users
Adware
Adware, or advertising-supported software, is any software package which automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used.
The functional logic of a virus
• Search for a file to infect.
• Open the file to see if it is already infected.
• If infected, search for another file; else, infect the file.
• Return control to the host program.
Virus (figure): a virus needs a host
Virus Propagation (figure): leverages user connectivity
Detection Technologies
• Static Anti-Virus (AV) scanners: signature-based (strings, regular expressions); static behavior analyzers
• Dynamic AV scanners: behavior monitors
Virus (Malware) Identification
Antivirus scanners use extracted patterns, or “signatures”, to identify known malware (figure: the anti-virus signature is matched against Virus Form A).
Static Signature
Hex strings from three virus variants:
67 33 74 20 73 38 6D 35 20 76 37 61
67 36 74 20 73 32 6D 37 20 76 38 61
67 39 74 20 73 37 6D 33 20 76 36 61
Hex string for detecting the virus (?? = wildcard, matching any one byte):
67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61
Static Signature example:
8BEF 33C0 BF?? ???? ??03 FDB9 ??0A 0000 8A85 ???? ???? 3007 47E2 FBEB
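As an added example (not code from the slides), the following Python matcher compiles hex signatures of the kind shown above, with ?? wildcards, into byte regexes and runs them over a buffer. The two signature strings and the three variant strings are the ones printed on the slides; the decryptor-loop buffer and the clean text are constructed test inputs, not real samples. Nibble wildcards such as ?3 are an addition beyond the slide's ?? form.

```python
import re

HEX = "0123456789abcdef"

# Signatures copied from the slides above: hex bytes, "??" = any one byte.
SIGNATURES = {
    # covers the three variants listed on the Static Signature slide
    "variant-family": "67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61",
    # the longer Static Signature example; its fixed bytes read as a small
    # decryption loop (xor [edi],al / inc edi / loop) with wildcarded operands
    "decryptor-loop": "8BEF 33C0 BF?? ???? ??03 FDB9 ??0A 0000 8A85 ???? ???? 3007 47E2 FBEB",
}


def _byte_class(tok):
    """One two-character token -> regex fragment.

    "??" matches any byte; "?3" / "7?" (nibble wildcards, an addition to the
    slide's notation) expand to a character class of the 16 possible bytes.
    """
    if tok == "??":
        return b"."
    choices = [int(h + l, 16)
               for h in (HEX if tok[0] == "?" else tok[0])
               for l in (HEX if tok[1] == "?" else tok[1])]
    if len(choices) == 1:
        return b"\\x%02x" % choices[0]
    return b"[" + b"".join(b"\\x%02x" % c for c in choices) + b"]"


def compile_signature(hex_sig):
    """Turn a hex string with wildcards into a compiled bytes regex."""
    clean = re.sub(r"\s+", "", hex_sig).lower()
    if len(clean) % 2 or not re.fullmatch(r"[0-9a-f?]*", clean):
        raise ValueError(f"malformed signature: {hex_sig!r}")
    pattern = b"".join(_byte_class(clean[i:i + 2]) for i in range(0, len(clean), 2))
    return re.compile(pattern, re.DOTALL)   # DOTALL: "." must also match 0x0A


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def scan(data, signatures=None):
    """Return [(signature name, offset), ...] for every match in data, ordered by offset."""
    signatures = signatures or COMPILED
    hits = [(name, m.start())
            for name, pat in signatures.items()
            for m in pat.finditer(data)]
    return sorted(hits, key=lambda h: h[1])


# The three variant strings from the slide.
VARIANTS = [bytes.fromhex(s) for s in (
    "67 33 74 20 73 38 6D 35 20 76 37 61",
    "67 36 74 20 73 32 6D 37 20 76 38 61",
    "67 39 74 20 73 37 6D 33 20 76 36 61",
)]
# Constructed buffers (not real samples): filler, then bytes that fit the second
# signature; and a text buffer that should not match anything.
DECRYPTOR_SAMPLE = b"\x90" * 16 + bytes.fromhex(
    "8BEF33C0BF0010000003FDB9340A00008A8578563412300747E2FBEB10")
CLEAN_SAMPLE = b"MZ harmless text, no such bytes here"

if __name__ == "__main__":
    for label, buf in [("variant 1", VARIANTS[0]), ("variant 2", VARIANTS[1]),
                       ("variant 3", VARIANTS[2]), ("decryptor", DECRYPTOR_SAMPLE),
                       ("clean", CLEAN_SAMPLE)]:
        print(f"{label:10} -> {scan(buf)}")
```

One wildcard string covers all three variants because the bytes that differ between them sit exactly where the signature author placed the wildcards; the trade-off is that every wildcard widens the pattern and raises the false-positive rate, which is why the fixed bytes of a good signature are chosen from code the author cannot easily vary (the decryptor loop in the second signature).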
Dynamic Signature
Monitor a running program to detect malicious behavior. For example, if an application opens another executable for write access, the behavior blocker might display a warning asking for the user's permission to grant the write access. The virus-side countermeasure to this kind of blocker (slow infectors) is discussed below.
Attacking Integrity Checkers
• Intercept the open() system call and open a non-infected backup of the file instead
• Restore the system to its original state after the attack
• Infect the system before the checksums are computed
Attacking static signature: Metamorphism
(figure: Virus Form A, Form B and Form C, each produced from the previous by the metamorphic transformation M)
• Metamorphic malware changes as it propagates
• Creates multiple variants of itself
Metamorphism Example
Original instruction:
mov [ebp - 3], eax
Variant 1:
push ecx
mov ecx,ebp
add ecx,33
push esi
mov esi,ecx
sub esi,34
mov [esi-2],eax
pop esi
pop ecx
Variant 2:
push ecx
mov ecx, ebp
push eax
mov eax, 33
add ecx, eax
pop eax
push esi
mov esi, ecx
push edx
mov edx, 34
sub esi, edx
pop edx
mov [esi - 2], eax
pop esi
pop ecx
Variant 3:
push ecx
mov ecx, [ebp + 10]
mov ecx, ebp
push eax
add eax, 2342
mov eax, 33
add ecx, eax
pop eax
mov eax, esi
push eax
mov esi, ecx
push edx
xor edx, 778f
mov edx, 34
sub esi, edx
pop edx
mov [esi-2], eax
pop esi
pop ecx
Variant 4:
push ecx
mov ecx,ebp
add ecx,33
mov [ecx-36],eax
pop ecx
Attacking static signature: Metamorphism
(figure: one anti-virus signature against Virus Form A, Form B and Form C, related by the metamorphic transformation M)
Too many signatures challenge the AV scanner: keeping a different signature for most variants cannot scale.
Attacking Behavior Monitors
Some viruses can wait patiently until write access to the object is granted. These viruses are called slow infectors. Such a virus typically waits until the user makes a copy of an executable object; the virus (which is already loaded in memory) is then able to infect the target in the file cache before the file is written to disk. Slow infectors attack behavior blockers effectively, because the write the blocker sees is the user's own copy operation, which the user will allow.
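The blocker rule from the Dynamic Signature slide, and the reason a slow infector slips past it, as an added Python example (not code from the slides). The trace lines are constructed in a simple key=value form, the paths and process names are made up, and the user's "allow" answer for a copy they started themselves is modelled as a trusted-image exemption for COMMAND.COM.

```python
# Constructed trace of file operations (NOT real logs): a direct infector
# writing to another .COM, then the user copying that file with COMMAND.COM.
TRACE = """\
pid=40 image=C:\\GAMES\\TETRIS.COM op=open path=C:\\GAMES\\TETRIS.COM mode=r
pid=40 image=C:\\GAMES\\TETRIS.COM op=open path=C:\\UTIL\\LIST.COM mode=w
pid=40 image=C:\\GAMES\\TETRIS.COM op=write path=C:\\UTIL\\LIST.COM bytes=306
pid=40 image=C:\\GAMES\\TETRIS.COM op=open path=C:\\DATA\\SCORES.DAT mode=w
pid=7 image=C:\\COMMAND.COM op=open path=C:\\UTIL\\LIST.COM mode=r
pid=7 image=C:\\COMMAND.COM op=open path=A:\\LIST.COM mode=w
pid=7 image=C:\\COMMAND.COM op=write path=A:\\LIST.COM bytes=306
"""

EXECUTABLE_SUFFIXES = (".com", ".exe")
# Images whose writes the user is assumed to approve when prompted (assumption).
TRUSTED_IMAGES = {"c:\\command.com"}


def parse_trace(text):
    """Each non-empty line is a space-separated list of key=value tokens."""
    return [dict(tok.split("=", 1) for tok in line.split())
            for line in text.splitlines() if line.strip()]


def behavior_monitor(text, trusted=TRUSTED_IMAGES):
    """Alert once for every untrusted process that opens an executable for writing.

    This is the rule on the slide: "an application opens another executable for
    write access". Data files and read-only opens are ignored.
    """
    alerts = []
    for ev in parse_trace(text):
        if ev["op"] != "open" or "w" not in ev["mode"]:
            continue
        if not ev["path"].lower().endswith(EXECUTABLE_SUFFIXES):
            continue
        if ev["image"].lower() in trusted:
            # The slow infector hides behind exactly this exemption: the bytes it
            # planted in the file cache are written to A:\LIST.COM by COMMAND.COM,
            # i.e. by the user's own COPY, so nothing here looks wrong.
            continue
        alerts.append(f"pid {ev['pid']} {ev['image']} opened {ev['path']} for write")
    return alerts


if __name__ == "__main__":
    print("with the copy exemption:", behavior_monitor(TRACE))
    print("without it:             ", behavior_monitor(TRACE, trusted=set()))
```

Removing the exemption makes the monitor alert on the copy as well, which is the other failure mode of behavior blockers: either the user is asked to approve every legitimate copy of an executable, or the slow infector's write passes unquestioned.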
“Undo” Metamorphism
The same original instruction and four variant sequences as on the Metamorphism Example slide; the aim is to transform each variant back into the original form.
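An added example (not code from the slides) of the “undo” step: a small Python normalizer that tracks each register symbolically as an initial register value plus a constant, folds push/pop and add/sub, and reports every memory store in canonical form. The instruction sequences are the original and the four variants from the Metamorphism Example slide above, in the order shown there, with immediates read as decimal as printed. Variants 1, 2 and 4 reduce to the original mov [ebp-3], eax; variant 3 as printed executes mov eax, esi before its store, and the normalizer reports that rather than hiding it.

```python
import re

REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")
MEM_RE = re.compile(r"\[\s*(\w+)\s*(?:([+-])\s*(\w+))?\s*\]")

# The original instruction and the four variants from the slide, one
# instruction per ';'. Immediates are taken as decimal, as printed.
ORIGINAL = "mov [ebp - 3], eax"
VARIANTS = [
    "push ecx; mov ecx,ebp; add ecx,33; push esi; mov esi,ecx; sub esi,34; "
    "mov [esi-2],eax; pop esi; pop ecx",
    "push ecx; mov ecx, ebp; push eax; mov eax, 33; add ecx, eax; pop eax; push esi; "
    "mov esi, ecx; push edx; mov edx, 34; sub esi, edx; pop edx; mov [esi - 2], eax; "
    "pop esi; pop ecx",
    "push ecx; mov ecx, [ebp + 10]; mov ecx, ebp; push eax; add eax, 2342; mov eax, 33; "
    "add ecx, eax; pop eax; mov eax, esi; push eax; mov esi, ecx; push edx; "
    "xor edx, 778f; mov edx, 34; sub esi, edx; pop edx; mov [esi-2], eax; pop esi; pop ecx",
    "push ecx; mov ecx,ebp; add ecx,33; mov [ecx-36],eax; pop ecx",
]


def imm(tok):
    """Immediates on the slide carry no radix: try decimal, then hex."""
    tok = tok.lower().rstrip("h")
    try:
        return int(tok, 10)
    except ValueError:
        return int(tok, 16)


class Normalizer:
    """Every value is (symbolic base, constant offset); base None means a constant."""

    def __init__(self):
        self.regs = {r: (r, 0) for r in REGS}   # each register starts as "its initial value"
        self.stack, self.stores, self.fresh_count = [], [], 0

    def fresh(self, why):
        self.fresh_count += 1
        return (f"{why}#{self.fresh_count}", 0)  # opaque value we cannot fold

    def value(self, tok):
        tok = tok.strip().lower()
        return self.regs[tok] if tok in REGS else (None, imm(tok))

    def address(self, tok):
        base, sign, disp = MEM_RE.fullmatch(tok.strip().lower()).groups()
        b, off = self.regs[base]
        if disp:
            off += imm(disp) if sign == "+" else -imm(disp)
        return (b, off)

    def step(self, line):
        op, _, rest = line.strip().partition(" ")
        op, ops = op.lower(), [o.strip() for o in rest.split(",")]
        if op == "push":
            self.stack.append(self.value(ops[0]))
        elif op == "pop":
            self.regs[ops[0].lower()] = self.stack.pop()
        elif op == "mov":
            dst, src = ops
            if dst.startswith("["):
                self.stores.append((self.address(dst), self.value(src)))
            elif src.startswith("["):
                self.regs[dst.lower()] = self.fresh("load")  # memory contents unknown
            else:
                self.regs[dst.lower()] = self.value(src)
        elif op in ("add", "sub"):
            dst = ops[0].lower()
            db, doff = self.regs[dst]
            sb, soff = self.value(ops[1])
            if sb is None:                       # reg +/- constant: fold into the offset
                self.regs[dst] = (db, doff + soff if op == "add" else doff - soff)
            elif db is None and op == "add":     # constant + reg
                self.regs[dst] = (sb, doff + soff)
            else:                                # reg +/- reg: beyond this model
                self.regs[dst] = self.fresh(op)
        else:                                    # xor, and, ...: result treated as opaque
            self.regs[ops[0].lower()] = self.fresh(op)


def render(expr):
    base, off = expr
    if base is None:
        return str(off)
    return base if off == 0 else f"{base}{off:+d}"


def normalize(asm):
    """Return (canonical stores, registers whose final value differs from their initial one)."""
    n = Normalizer()
    for line in re.split(r"[;\n]", asm):
        if line.strip():
            n.step(line)
    stores = [f"mov [{render(a)}], {render(v)}" for a, v in n.stores]
    changed = {r: render(v) for r, v in n.regs.items() if v != (r, 0)}
    return stores, changed


if __name__ == "__main__":
    for name, code in [("original", ORIGINAL)] + [(f"variant {i + 1}", v) for i, v in enumerate(VARIANTS)]:
        print(f"{name:10} -> {normalize(code)}")
```

The canonical form is what the signature is then matched against, so the scanner needs one signature for the whole family instead of one per variant; the `changed` dictionary is the check that the normalization was semantics-preserving, which is how the clobbered eax in the third sequence shows up.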
Detecting Metamorphism
• Behavior monitors: run the suspect program in an emulator (code emulation) and analyze its behavior while it runs
• Look for changes in file structure: some viruses modify files in a consistent way
• Disassemble and look for virus-like instructions
Code Emulation
Code emulation is an extremely powerful virus detection technique. A virtual machine is implemented to simulate the CPU and the memory management system and so mimic code execution. Malicious code is thus run inside the scanner's virtual machine, and no actual virus code is executed by the real processor.
Virus Phylogeny (figure: family trees for the Beagle/Bagle, Klez and NetSky families, labelled with the Symantec and McAfee names of the same samples)
Symantec names: W32.Beagle.A@mm, W32.Beagle.J@mm, W32.Beagle.U@mm, W32.Beagle.AO@mm, W32.Klez.F@mm, W32.Klez.I@mm, W32.NetSky.A, W32.NetSky.B, W32.NetSky.D
McAfee names: W32/Bagle.a@mm, W32/Bagle.j@mm, W32/Bagle.u@mm, W32/Bagle.ao@mm (W32/Bagle.aq@mm on the second slide), W32/Klez.e@MM, W32/Klez.f@MM, W32/Klez.i@MM, W32/NetSky.A, W32/NetSky.B, W32/Bugbear.17916intd
Deobfuscator of Calls
NORMAL CALL
L0: call L5
L1: …
L2: …
L3: …
L4: …
L5: <proc>
L6: …
OBFUSCATED CALL
L0a: push L1
L0b: push L5
L0c: ret
L1: …
L2: …
L3: …
L4: …
L5: <proc>
L6: …
Call obfuscations of this kind (push the return address, push the target, ret) hide the call from static analysis: the disassembly contains no call instruction, yet control reaches L5 and returns to L1.
DOC: Deobfuscator of Calls
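The DOC idea on the toy listing above, as an added Python example (not the slide's tool): rewrite push RET; push TARGET; ret back into call TARGET whenever the pushed return address is the label of the instruction that follows the ret. The listing strings are the ones shown above; the push X; ret into jmp X rule is an addition beyond the slide.

```python
import re

# The two listings from the slide as "label: instruction" lines. "..." stands
# for instructions the slide does not show and <proc> for the callee's body.
NORMAL = """\
L0: call L5
L1: ...
L2: ...
L3: ...
L4: ...
L5: <proc>
L6: ...
"""
OBFUSCATED = """\
L0a: push L1
L0b: push L5
L0c: ret
L1: ...
L2: ...
L3: ...
L4: ...
L5: <proc>
L6: ...
"""
LINE_RE = re.compile(r"^\s*(\w+):\s*(.*?)\s*$")


def parse_listing(text):
    """-> [(label, instruction), ...]; every line in this toy format carries a label."""
    return [LINE_RE.match(line).groups() for line in text.splitlines() if line.strip()]


def deobfuscate_calls(text):
    """Rewrite 'push RET; push TARGET; ret' as 'call TARGET' when RET labels the
    instruction right after the ret, i.e. when control really returns there.
    'push X; ret' with no second push is folded into 'jmp X' (an added rule).
    Anything else, including a push/push/ret whose return address is not the
    fall-through label, is left untouched for the analyst to look at."""
    lines = parse_listing(text)
    out, i = [], 0
    while i < len(lines):
        label, ins = lines[i]
        window = [entry[1].split() for entry in lines[i:i + 3]]
        is_push = [len(w) == 2 and w[0] == "push" for w in window]
        if (len(window) == 3 and is_push[0] and is_push[1] and window[2] == ["ret"]
                and i + 3 < len(lines) and lines[i + 3][0] == window[0][1]):
            out.append(f"{label}: call {window[1][1]}")
            i += 3          # the labels of the two absorbed lines are dropped
        elif len(window) >= 2 and is_push[0] and window[1] == ["ret"]:
            out.append(f"{label}: jmp {window[0][1]}")
            i += 2
        else:
            out.append(f"{label}: {ins}")
            i += 1
    return out


if __name__ == "__main__":
    print("\n".join(deobfuscate_calls(OBFUSCATED)))
```

On real code the same check is done on addresses rather than labels: the first pushed immediate must equal the address of the byte after the ret. A push/push/ret whose return address points elsewhere is not a call and should be reported, not rewritten.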
Timid: our example of malware
What the Timid virus does
Timid is a file-infecting virus. It does not become memory resident. It infects .COM files, including COMMAND.COM. Timid appears to be an escaped research virus and is now found in the public domain.
Each time a file infected with Timid is executed, the virus infects the first uninfected .COM file in the current directory. If no uninfected .COM file exists in the current directory, the system hangs.
The string "VI" is located in the fourth and fifth bytes of infected files. Together with the jump (E9h) instruction at the beginning of the infected file, it forms the infection marker the virus uses to determine whether a file was previously infected.
Overwriting Viruses (figure slides)
Difference Between .COM and .EXE files
A .COM file is a direct image of how the program will look in main memory. A .COM file is limited to 64K for all of its code, data and stack combined (one segment, including the 256-byte PSP, so the program itself starts at offset 100H), whereas an .EXE file can have as many segments as your linker will handle and be as large as RAM allows.
The actual file extension doesn't matter: DOS decides by looking for the MZ header, not by the extension.
In an .EXE program we create the stack segment ourselves, but for a .COM program the stack is created automatically.
How to Write a .COM program
Program size:
• maximum 64K (including the 256-byte PSP)
• data, stack and code all in one 64K segment
• the stack segment in a COM program is generated automatically
Initialization for a COM program:
• all four segment registers are initialized with the PSP address
• addressing begins at offset 100H, so after the .CODE directive the program needs the directive ORG 100H
How to assemble it
Example of .COM code
MAIN SEGMENT BYTE
    ASSUME CS:MAIN,DS:MAIN,SS:NOTHING
    ORG 100H            ; code starts right after the 256-byte PSP
START:
FINISH:
    mov ah,4CH          ; DOS function 4Ch: terminate program
    mov al,0            ; exit code 0
    int 21H
MAIN ENDS
END START
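An added Python example (not from the slides) of a scanner for the Timid infection marker described above, applied to .COM images of the layout just discussed. The clean sample is the slide's minimal .COM program hand-assembled (mov ah,4Ch = B4 4C, mov al,0 = B0 00, int 21h = CD 21); the infected sample is a constructed stand-in that only reproduces the header layout, not a real Timid body. The in-file jump check is my addition and rests on the assumption that the virus body lives inside the infected file, which the slide does not state.

```python
from pathlib import Path

COM_LOAD_OFFSET = 0x100   # a .COM image is loaded right after the 256-byte PSP

# Hand-assembled image of the slide's minimal .COM program.
CLEAN_COM = bytes.fromhex("B4 4C B0 00 CD 21")


def is_timid_marked(data):
    """Marker from the slide: E9 (JMP rel16) at offset 0 and "VI" at offsets 3-4."""
    return len(data) >= 5 and data[0] == 0xE9 and data[3:5] == b"VI"


def jmp_target(data):
    """File offset the initial JMP lands on: the IP after the 3-byte JMP plus rel16.

    Add COM_LOAD_OFFSET to get the address in memory (ORG 100H)."""
    rel = int.from_bytes(data[1:3], "little", signed=True)
    return 3 + rel


def classify(data):
    """Return 'infected', 'suspicious' or 'clean' for one file image."""
    if not is_timid_marked(data):
        return "clean"
    # Added sanity check (assumption, not from the slide): a file infector has to
    # keep its body inside the file, so the JMP must land within the image. A
    # clean program that merely starts with a JMP and happens to carry "VI" at
    # offset 3 is reported as suspicious rather than infected.
    if 0 <= jmp_target(data) < len(data):
        return "infected"
    return "suspicious"


def build_infected_sample(host):
    """Constructed stand-in for an infected host (NOT real virus code): JMP to an
    appended stub, the "VI" marker, a copy of the host, then the stub."""
    stub = b"\x90" * 16 + b"\xB4\x4C\xCD\x21"   # placeholder body: NOPs, then DOS exit
    target = 5 + len(host)                      # stub follows the 5-byte header and the host
    rel = (target - 3).to_bytes(2, "little", signed=True)
    return b"\xE9" + rel + b"VI" + host + stub


INFECTED_SAMPLE = build_infected_sample(CLEAN_COM)


def scan_directory(directory):
    """Return {file name: verdict} for every *.COM file in one directory."""
    return {p.name: classify(p.read_bytes())
            for p in sorted(Path(directory).glob("*.[cC][oO][mM]"))}


if __name__ == "__main__":
    print("clean sample   :", classify(CLEAN_COM))
    print("infected sample:", classify(INFECTED_SAMPLE), "jmp ->", hex(COM_LOAD_OFFSET + jmp_target(INFECTED_SAMPLE)))
    print("current dir    :", scan_directory("."))
```

A two-byte marker plus an opcode is a weak identifier on its own, which is why the example also requires the jump to land inside the file; a production scanner would go further and match a signature over the bytes at the jump target.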
A .BAT file
A .BAT file is a file that contains a sequence, or batch, of commands. Batch files are useful for storing sets of commands that are always executed together, because you can simply enter the name of the batch file instead of entering each command individually.
TIMID: the host of our virus
Labels
Summary
• Malware kinds: viruses, worms, Trojans, adware, spyware, etc.
• Anti-Virus technologies: static and dynamic scanners; the AV process
• Anti-AV techniques: transform, hide
• Research results: undo transformation, detect obfuscation, create phylogeny
• Code explanation