
Dr. Richard Ford

rford@fit.edu

Polymorphic Viruses


What are we going to talk about?

  • Szor 7

  • Another way viruses try to evade scanners


Virus Scanners

  • Look for “known” viruses

  • Basically, used to look for hex strings in files

  • Virus writers tried to make this more difficult…


“Encrypted” viruses

  • First virus: Cascade

  • Benefit: Forces the vendor to choose a hex string from a small part of the virus code

  • Increases chances of a false positive


Cascade

        LEA si, Start      ; si -> start of the encrypted body
        MOV sp, 0682       ; byte count, doubling as the second key
    Decrypt:
        XOR [si], si       ; first key: the pointer itself
        XOR [si], sp       ; second key: the remaining count
        INC si
        DEC sp
        JNZ Decrypt        ; loop until sp reaches zero
    Start:                 ; encrypted virus body follows


Similarly…

        MOV EDI, 00403045h   ; unrelocated address of Start
        ADD EDI, EBP         ; add the load delta to get the real address
        MOV ECX, 0A6Bh       ; length of the encrypted body
        MOV AL, [key]        ; one-byte key, stored in the body
    Decrypt:
        XOR [EDI], AL
        INC EDI
        LOOP Decrypt         ; ECX counts down to zero
        JMP Start
    DB key 86                ; the (variable) key byte
    Start:                   ; encrypted virus body follows


Nesting and other complications

  • Virus writer can implement multiple layers of “encryption”

    • Why do I keep putting “encryption” in quotes?

  • Use multiple keys

  • Start of loop can be obfuscated

  • Can “not” store the decryption key in the body

  • Can use strong Crypto (but…)


Weakness?

  • Well, in these examples, the decryption routine is static

  • Can detect on the decryption routine if not the virus body… can the attacker do better?


Oligomorphic Viruses

  • What?

    • Having or passing through few changes of form.

  • Example: Whale virus carried multiple decryptors with it

  • Of course, such viruses require painstaking analysis…


Polymorphic

  • Next level: millions of possible decryption routines, dynamically generated

  • First known: 1260

  • Technique used: insert “junk” instructions into the decryption loop


Example

        INC DI
        NOP
        CLC
        INC AX
        LOOP Decrypt


Detection?

  • One possibility: code optimization

  • Well-known from other parts of CS…

  • But was attacked directly by MTE
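The Detection slide's “code optimization” idea, together with the Weakness slide's point that a static decryptor can be matched even when the body cannot, worked through in an added example (not code from the slides): a strong-liveness pass drops every instruction whose result no needed instruction ever consumes, then renames registers by order of first use and masks immediates so the surviving loop can be compared with a stored pattern. The parser, the instruction model, the junk-laden sample loop and the stored pattern are all constructed for this example. The pass reasons from data flow rather than from the mnemonic: INC AX is junk in the sample only because nothing reads AX, whereas in a loop that uses AX as a running key the same instruction is kept, and Cascade's INC si / DEC sp survive because JNZ consumes the flag that DEC sp sets.

```python
"""Decryptor normalisation by dead-code elimination.

Added example, not code from the slides: strong liveness strips junk from a
decryption loop (the Detection slide's "code optimisation"), then registers are
renamed and immediates masked so the remainder can be matched against a stored
pattern (the static-decryptor weakness).  Sample loop and pattern are constructed.
"""
import re

REGS = {"AX", "BX", "CX", "DX", "SI", "DI", "BP", "SP"}
ALIAS = {"AL": "AX", "AH": "AX", "BL": "BX", "BH": "BX",   # 8-bit halves fold
         "CL": "CX", "CH": "CX", "DL": "DX", "DH": "DX"}   # onto their parent
JUMPS = {"LOOP": {"CX"}, "JNZ": {"ZF"}, "JZ": {"ZF"}, "JC": {"CF"}, "JNC": {"CF"}}
TOKEN, IMM = re.compile(r"\b[A-Za-z]{2}\b"), re.compile(r"\b\d[0-9A-Fa-f]*h?\b")

def parse(listing):
    """'Label: MNEM op1, op2' text (labels may sit alone) -> (label, mnem, ops)."""
    insns, label = [], None
    for line in listing.splitlines():
        line = line.split(";")[0].strip()
        if ":" in line:
            label, line = (s.strip() for s in line.split(":", 1))
        if line:
            mnem, _, rest = line.partition(" ")
            insns.append((label, mnem.upper(), [o.strip() for o in rest.split(",") if o.strip()]))
            label = None
    return insns

def regs_in(op):                                 # registers named, and is-memory flag
    return {ALIAS.get(t.upper(), t.upper()) for t in TOKEN.findall(op)} & REGS, op.startswith("[")

def effects(mnem, ops):
    """(reads, writes, side_effect); flags ZF and CF are pseudo-registers."""
    if mnem in JUMPS:                            # control flow; LOOP also writes CX
        return set(JUMPS[mnem]), JUMPS[mnem] & {"CX"}, True
    if mnem in ("NOP", "CLC", "STC"):
        return set(), set() if mnem == "NOP" else {"CF"}, False
    dst, dst_mem = regs_in(ops[0])
    src = regs_in(ops[1])[0] if len(ops) > 1 else set()
    reads = src | (dst if dst_mem or mnem not in ("MOV", "LEA") else set())
    writes = set() if dst_mem else set(dst)      # a memory write is a side effect
    if mnem in ("INC", "DEC"):
        writes.add("ZF")                         # INC/DEC leave CF untouched
    elif mnem not in ("MOV", "LEA"):
        writes |= {"ZF", "CF"}
    return reads, writes, dst_mem

def strip_junk(insns):
    """Strong liveness: an instruction is needed if it has a side effect or
    writes something a needed instruction later reads.  Nothing is treated as
    live after the loop exits, since only the loop's memory effect matters."""
    labels = {lab: i for i, (lab, _, _) in enumerate(insns) if lab}
    n, live_in = len(insns), [set() for _ in insns]
    def live_out(i):
        out = set(live_in[i + 1]) if i + 1 < n else set()
        if insns[i][1] in JUMPS:                 # back edge to the loop header
            out |= live_in[labels[insns[i][2][0]]]
        return out
    def needed(i):
        _, writes, side = effects(*insns[i][1:])
        return side or bool(writes & live_out(i))
    changed = True
    while changed:                               # iterate to a fixpoint
        changed = False
        for i in range(n - 1, -1, -1):
            reads, writes, _ = effects(*insns[i][1:])
            new = (reads if needed(i) else set()) | (live_out(i) - writes)
            if new != live_in[i]:
                live_in[i], changed = new, True
    return [ins for i, ins in enumerate(insns) if needed(i)]

def canonical(insns):
    """Loop body only, registers renamed by first use, immediates/target masked."""
    labels, names = {lab: i for i, (lab, _, _) in enumerate(insns) if lab}, {}
    end = next(i for i, (_, m, _) in enumerate(insns) if m in JUMPS)
    def rename(m):
        t = m.group(0).upper()
        if ALIAS.get(t, t) not in REGS:
            return m.group(0)
        idx = names.setdefault(ALIAS.get(t, t), len(names))
        return "r%d%s" % (idx, "" if t in REGS else t[1].lower())
    return "; ".join(mnem + " " + ", ".join(["@"] if mnem in JUMPS else
                     [IMM.sub("imm", TOKEN.sub(rename, o)) for o in ops])
                     for _, mnem, ops in insns[labels[insns[end][2][0]]:end + 1])

KNOWN = {"byte XOR loop with LOOP counter": "XOR [r0], r1l; INC r0; LOOP @"}
SAMPLE = """        ; constructed junk-laden decryptor, not a real virus
    MOV DI, 0120h   ; start of encrypted body
    MOV CX, 0200h   ; length
    MOV BL, 55h     ; key
Decrypt:
    XOR [DI], BL
    INC DI
    NOP             ; junk
    CLC             ; junk: nothing reads CF
    INC AX          ; junk: nothing reads AX, and LOOP ignores ZF
    LOOP Decrypt"""

def classify(listing):
    """Name of the stored pattern the normalised loop equals, else None."""
    sig = canonical(strip_junk(parse(listing)))
    return next((name for name, pat in KNOWN.items() if pat == sig), None)
```

Run on SAMPLE, strip_junk() keeps the three MOVs, the XOR, INC DI and LOOP; canonical() then reports XOR [r0], r1l; INC r0; LOOP @, which classify() matches. The pass is deliberately narrow: straight-line loops with a single back edge, only the mnemonics modelled, no sub-register precision, and nothing assumed live after the loop; junk that branches around itself, which the next generation of engines added, is outside what this model handles.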


Mutation Engine

  • Module for providing polymorphism

  • Called a function passing:

    • Work segment

    • Pointer to code to encrypt

    • Length of the virus body

    • Base of the decryptor

    • Entry-point of the host

    • Target location of the encrypted code

    • Size of decryptor (tiny, small, medium, large)

    • Bit field of registers not to use

  • Returns: a buffer containing the encrypted virus plus a decryption routine


MTE: Sample

        MOV BP, A16C
        MOV CL, 03
        ROR BP, CL
        MOV CX, BP
        MOV BP, 856E
        OR BP, 740F
        MOV SI, BP
        MOV BP, 3B92
        ADD BP, SI
        XOR BP, CX
        SUB BP, B10C       ; sets final value of BP…


Cont’d…

    Decrypt:
        MOV BX, [BP+0D2B]  ; fetch one word of the encrypted body
        ADD BX, 9D64       ; decrypt it with an additive key
        XCHG [BP+0D2B], BX ; write it back
        MOV BX, 8F31       ; the next four instructions amount to
        SUB BX, BP         ;   BP = BP + 2
        MOV BP, 8F33
        SUB BP, BX         ; ZF set once BP wraps to zero
        JNZ Decrypt
    START:
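The register shuffling in the preamble is what defeats a fixed hex string: the start address and iteration count of the loop exist only as the result of running it. As an added example (not code from the slides), a minimal 16-bit interpreter for just the instructions in the MTE listing emulates the preamble and the loop and reports what a scanner learns from the run: the final BP, the first and last word written, the stride, and the size of the region decrypted. Memory is a constructed, zero-filled, flat 64 KiB buffer (no segments, so the addresses are offsets); only the instruction text comes from the slide.

```python
"""Emulating the MTE sample to recover what it decrypts.

Added example, not code from the slides: a tiny 16-bit interpreter for just
the instructions in the MTE listing.  Running the preamble yields the final
BP; running the loop yields the start, stride and length of the region being
decrypted, which an emulating scanner needs and a hex string over the
shuffled preamble cannot give.  Memory is a constructed zero-filled flat
buffer (no segments); only the instruction text comes from the slide.
"""
MASK = 0xFFFF
REGS = ("AX", "BX", "CX", "DX", "SI", "DI", "BP", "SP")

PREAMBLE = ["MOV BP, A16C", "MOV CL, 03", "ROR BP, CL", "MOV CX, BP",
            "MOV BP, 856E", "OR BP, 740F", "MOV SI, BP", "MOV BP, 3B92",
            "ADD BP, SI", "XOR BP, CX", "SUB BP, B10C"]
LOOP_BODY = ["MOV BX, [BP+0D2B]", "ADD BX, 9D64", "XCHG [BP+0D2B], BX",
             "MOV BX, 8F31", "SUB BX, BP", "MOV BP, 8F33", "SUB BP, BX"]
# ...followed by JNZ Decrypt, which run() models by testing ZF.

class Cpu16:
    """Eight 16-bit registers, ZF, and a flat 64 KiB memory; no stack."""
    def __init__(self):
        self.r = dict.fromkeys(REGS, 0)
        self.zf = False
        self.mem = bytearray(0x10000)
        self.writes = []                       # addresses written, in order

    def addr(self, op):                        # "[BP+0D2B]" -> effective address
        base, _, disp = op.strip("[]").partition("+")
        return (self.r[base] + int(disp or "0", 16)) & MASK

    def read16(self, a):                       # little-endian word
        return self.mem[a] | (self.mem[(a + 1) & MASK] << 8)

    def write16(self, a, v):
        self.mem[a], self.mem[(a + 1) & MASK] = v & 0xFF, v >> 8
        self.writes.append(a)

    def get(self, op):
        if op in self.r:
            return self.r[op]
        if op == "CL":
            return self.r["CX"] & 0xFF
        if op.startswith("["):
            return self.read16(self.addr(op))
        return int(op, 16)                     # hex immediate, as on the slide

    def set(self, op, v):
        if op in self.r:
            self.r[op] = v & MASK
        elif op == "CL":
            self.r["CX"] = (self.r["CX"] & 0xFF00) | (v & 0xFF)
        else:
            self.write16(self.addr(op), v & MASK)

    def step(self, text):
        """Execute one two-operand instruction from the listing."""
        mnem, _, rest = text.partition(" ")
        dst, src = (o.strip() for o in rest.split(","))
        a, b = self.get(dst), self.get(src)
        if mnem == "MOV":
            self.set(dst, b)
        elif mnem == "XCHG":
            self.set(dst, b)
            self.set(src, a)
        elif mnem == "ROR":                    # rotate leaves ZF alone
            n = b % 16
            self.set(dst, ((a >> n) | (a << (16 - n))) & MASK)
        else:                                  # ADD/SUB/OR/XOR set ZF
            v = {"ADD": a + b, "SUB": a - b, "OR": a | b, "XOR": a ^ b}[mnem] & MASK
            self.set(dst, v)
            self.zf = v == 0

def run(cpu, max_iter=1 << 16):
    """Emulate the preamble, then the loop until JNZ falls through (ZF set),
    and summarise what the scanner learns from the run."""
    for ins in PREAMBLE:
        cpu.step(ins)
    bp = cpu.r["BP"]
    iterations = 0
    while iterations < max_iter:               # bound protects against bad input
        for ins in LOOP_BODY:
            cpu.step(ins)
        iterations += 1
        if cpu.zf:
            break
    return {"bp_after_preamble": bp, "iterations": iterations,
            "first_write": cpu.writes[0], "last_write": cpu.writes[-1],
            "stride": cpu.writes[1] - cpu.writes[0],
            "bytes_decrypted": 2 * len(cpu.writes)}

if __name__ == "__main__":
    print({k: hex(v) for k, v in run(Cpu16()).items()})
```

With zeroed memory the run reports BP = F420h after the preamble, 5F0h (1520) iterations, writes from 014Bh to 0D29h in steps of two, i.e. 0BE0h bytes, and every word in that range now holds the additive key 9D64h. The four instructions after the XCHG are MTE's way of saying BP = BP + 2; the emulator recovers that without having to recognise the idiom, which is the attraction of emulation over pattern matching on a generated decryptor.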


How to Detect?

  • Let’s talk about it…


Other Techniques

  • Carry your source and look for a compiler

  • Why is this so very horrible?

    • And then there’s System.Reflection.Emit to worry about…


Metamorphic Viruses

  • Muttik: “metamorphics are body-polymorphic”

  • Example: ZPerm

    • Uses JMPs to reorder its own code


Assignment

  • Due: 2 weeks from today, before class

  • Write a METAMORPHIC “Hello World” generator that:

    • Creates 10 COM files

    • Creates different files each time it is run

    • Must be written in C/C++

  • Turn in the solution via SVN, with JUST THE FILES I NEED to check out and compile it without any trouble

