chapter 3 viruses n.
Skip this Video
Loading SlideShow in 5 Seconds..
Chapter 3 Viruses PowerPoint Presentation
Download Presentation
Chapter 3 Viruses

Loading in 2 Seconds...

play fullscreen
1 / 60

Chapter 3 Viruses - PowerPoint PPT Presentation

  • Uploaded on

Chapter 3 Viruses. Virus Definition. Recall definition from Chapter 2… Self-replicating: yes Population growth: positive Parasitic: yes  When executed, tries to replicate itself into other executable code So, it relies in some way on other code Does not propagate via a network. Virus.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Chapter 3 Viruses

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
virus definition
Virus Definition
  • Recall definition from Chapter 2…
  • Self-replicating: yes
  • Population growth: positive
  • Parasitic: yes 
  • When executed, tries to replicate itself into other executable code
    • So, it relies in some way on other code
  • Does not propagate via a network
  • 3 parts to a virus
  • Infection mechanism --- how it spreads
    • Multipartite virus uses multiple means
  • Trigger --- decides when/how to deliver payload
  • Payload --- what it does other than spread
    • Either intentional or accidental
virus pseudocode
Virus Pseudocode
  • Without infection mechanism…
    • It’s not a virus, it’s a logic bomb
  • But trigger and payload are optional
  • Generic virus pseudocode

def virus():


if trigger() is true:


infection pseudocode
Infection Pseudocode
  • Targets must be “local”
  • Don’t select already infected targets
    • Can be a double edged sword

def infect():

repeat k times:

target = select_target()

if no target:



virus classification
Virus Classification
  • Possible to classify in many ways
  • Here, we classify in 2 ways:
  • Target
    • What/where does the virus infect?
  • Concealment strategy
    • What does it do to remain undetected?
classification by target
Classification by Target
  • Briefly consider 3 cases
  • Boot-sector infectors
  • Executable file infectors
  • Data file infectors
    • Macro viruses
boot sequence
Boot Sequence
  • Generic boot sequence
  • Power on
  • ROM-based instructions run
    • Self-test, device detection, initialization
    • Boot device IDed, boot block read from it
    • Control transferred to the loaded code --- this step known as primary boot
boot sequence continued
Boot Sequence Continued
  • Code loaded in primary boot step loads larger, fancier program
    • This is secondary boot
  • Secondary boot loads/runs OS kernel
boot sector infector
Boot Sector Infector
  • Why infect boot sector?
  • A boot-sector infector (BSI)
    • Infects by copying itself to boot block
  • May copy boot block elsewhere
    • Could be tricky, require lots of code
    • So a fixed “safe” location chosen
    • Different viruses may use same “safe” location (e.g., Stoned and Michelangelo)
boot sector infector1
Boot Sector Infector
  • BSI once popular, not so much now
  • Why?
    • Machines don’t reboot so often
    • Much harder to infect, due to better defenses
file infectors
File Infectors
  • OS views some files as executable
    • Like “exe” and similar
  • Files that can be run by a command-line "shell" also considered executable
    • Batch files, shell scripts, …
  • File infector --- infects executable file
    • Exe, shell code, consider executable
    • Binary executable is most common target
file infectors1
File Infectors
  • Two main issues…
    • Where to put the virus within file?
    • How to execute the virus when infected file is run?
  • Consider these two (interrelated) questions in next few slides
beginning of file
Beginning of File
  • Older exe formats (e.g., .COM) treat entire file as chunk of code and data
    • Entire file loaded into memory
    • Execution starts by jumping to the beginning of the loaded file
  • Can put virus at start of such a file
    • That is, prepend the virus code
end of file
End of File
  • Append a virus (even easier?)
  • Then how does virus get executed?
  • Some possibilities…
  • Replace first line(s) with a jump to viral code --- save overwritten code
  • Later, transfer control back to code
    • How to do this?
end of file1
End of File
  • How to transfer control back to code?
    • Run saved instructions in saved location
    • Restore the infected code back to its original state and run it
  • Many exe file formats specify start location in file header
    • If so, virus can change start location to point to its own code and jump to the original start location when done
overwritten into file
Overwritten into File
  • Virus places itself atop original code
  • Can avoid changes in file size
  • Easy for virus to get control
  • But… overwriting code will break the original code
    • Making virus easier to discover
  • Is it possible to overwrite without breaking the code?
overwritten into file1
Overwritten into File
  • Smart ways to overwrite?
  • Overwrite repeated data
    • May be trickier to execute virus
  • Save overwritten data (like BSI)
  • Use over-allocated space in a file
  • Compress code to make space
  • For these to work, virus must be small
merged with file
Merged with File
  • Could try to merge virus with target
  • I.e., intermixing virus/target code
  • Difficult
    • So, it’s “rarely seen”
  • But, supposedly, Zmist does this
    • So, apparently it is possible
    • That’s impressive…
not in file
Not in File
  • Companion virus --- separate from, but naturally executed before target
  • No modification to infected code
  • May take advantage of process used by OS or shell to search for exe files
  • Like a Trojan horse but it’s a virus…
    • …since it’s self-replicating
companion virus
Companion Virus
  • Virus is earlier in the search path
    • Same name as the target file, almost…
  • E.g., MS-DOS searches for “foo” by
    • Look for
    • Look for foo.exe
    • Look for foo.bat
  • If the target file is a foo.exe, companion virus is in file
companion virus1
Companion Virus
  • Windows registry associates file types with applications
  • Can modify registry so that companion virus runs instead of exe
    • Then companion can transfer control to the corresponding exe
  • In effect, all exes infected at once!
companion virus2
Companion Virus
  • ELF file format used on recent Unix’s
  • Has "interpreter" specified in each exe file header
    • Points to run-time linker
  • Companion virus can replace the run-time linker
    • As above, effect is that all exe files infected at once
companion virus3
Companion Virus
  • Companion viruses possible in GUI
  • App’s icon can be overwritten with the icon for the companion virus
  • When a user clicks on “app” icon…
    • Companion virus runs instead
macro virus
Macro Virus
  • Some apps allow data files to have macros embedded in them
  • Macros are short snippets of “code” interpreted by the application
  • Such a languages often provide enough functionality to write a virus
macro virus1
Macro Virus
  • Macros often run automatically when file is loaded
    • Easy to write compared to low-level code
  • First proof of concept in 1989
  • Hit “mainstream” in 1995
    • Virus known as Concept
    • Targeted Microsoft Word (of course)
    • Installed in “global macros”
    • Infected all edited documents
macro virus concept
Macro Virus: Concept
  • Targeted Word Docs
  • AutoOpen macro --- runs automatically when file opened
    • How you get the virus from infected file
  • FileSaveAs --- when “file  save as” selected from menu
    • So the virus can infect other docs
classification by concealment strategy
Classification by Concealment Strategy
  • Most viruses try to hide
    • Why?
  • So, how do they hide?
    • Encryption
    • Polymorphism
    • Etc., etc.
  • Yet another way to classify viruses..
no concealment
No Concealment
  • Do nothing to hide
  • This is easiest for virus writer…
    • …but also easiest to detect, analyze
  • Why encrypt?
  • Virus body is “hidden” from view
    • In particular, the signature is hidden
  • Distinguish between strong encryption and obfuscation
  • Viruses usually only obfuscated
    • Very weak encryption
  • How to encrypt?
    • Let me count the ways…
  • Simple encryption
    • Rotate, increment, negate, etc.
  • Static encryption key
    • E.g., XOR fixed byte to all bytes
  • Variable encryption key
    • Like static, but key changes
encryption continued
Encryption (Continued)
  • Substitution cipher
    • Permute the bytes
    • Could be via lookup table
    • Could even have multiple ciphertexts decrypt to same plaintext
  • Strong encryption
    • DES, AES, RC4, etc.
    • Might use crypto libraries
  • Tries to hide the infection
    • Not just hide the virus signature
  • Examples of stealth techniques
    • Change timestamp and/or other file info to pre-infection values
    • Intercept I/O calls to hide presence (in MS-DOS user-accessible interrupts)
    • Hijack secondary boot loader
  • Stealth viruses “overlap” rootkits
  • Rootkit --- installed on compromised machine so attacker can use it
    • Stealth is critical to rootkit success
  • Some malware use rootkits
    • For example, Ryknos Trojan hid itself using a rootkit designed for DRM
reverse stealth virus
Reverse Stealth Virus
  • What is “reverse stealth”?
  • Make everything look infected!
  • Why is this malicious?
    • Damage may be done by AV software trying to disinfect
  • Oligomorphic or semi-polymorphic
  • Code is encrypted
  • Decryptor code is morphed
    • But not too many different decryptors
  • For example
    • Whale had 30 different decryptors
    • Memorial had 96 decryptors
  • How to detect?
  • Like oligomorphic, but lots more decryptors
  • Essentially, an infinite number
  • For example
    • Tremor has almost 6 billion decryptors
  • So, AV software cannot have a signature for each decryptor
  • 2 problems for polymorphic writer…
  • How to generate decryptors?
    • Use a mutation engine
    • Engine is part of encrypted virus
  • How to detect previous infections?
    • Data “hiding”: timestamp, file size, file system features, external storage, …
    • “Inoculate” system by faking infection?
mutation engine
Mutation Engine
  • Equivalent instruction substitution
    • One or more instructions
  • Instruction reordering
  • Register swap
  • Reorder data
  • Spaghetti code
  • Insert junk code
  • Run-time code modification/generation
mutation engine1
Mutation Engine
  • Subroutine permutation
  • DIY virtual machine
  • Concurrency --- threads 
  • Inlining/outlining
  • “Threaded” code --- not threads

Jump directly from one subroutine to another, without returning

  • Subroutine interleaving
mutation engine2
Mutation Engine
  • Many, many other possibilities
  • Possible overlap with optimizing compilers?
    • Seems more like de-optimizing…
equivalent instructions
Equivalent Instructions
  • All of these lines set register r1 to 0

clear r1

xor r1,r1

and 0,r1

move 0,r1

concurrency example
Concurrency Example

r1 = 12 start thread T

r2 = 34 => r1 = 12

r3 = rl + r2 wait for signal

r3 = r1 + r2



r2 = 34

send signal

exit thread T

  • Aside: Concurrency may be very effective anti-reversing technique
    • Use multiple threads
    • Intentional deadlock
    • “Junk” threads
  • Described in masters project:
  • Improved software activation using multithreading
  • Mutation also can be used for good
  • Makes reverse engineering attacks more difficult
  • Make software more “diverse”
  • Apply polymorphism to virus body
    • Aka, “body polymorphic”
  • No encryption/decryption needed
  • Body must change a lot
    • Goal is to have no common signature
  • Mutation code must be mutated too!
    • Otherwise, a signature will exist
    • Different from polymorphic (why?)
  • Two types of metamorphic generators
    • Both types difficult to produce
  • Standalone
    • Apply generator offline
    • Easy to make old malware into “new”
  • Malware “carries its own generator”
    • Necessary if self-propagating
    • A much more difficult problem
metamorphism apparition
Metamorphism: Apparition
  • Apparition --- metamorphic virus
  • Delivered in source code (Pascal)
  • If compiler is present…
    • Insert junk code and compile
  • A very lame approach
  • Real metamorphism must be done in assembly or (better yet) machine code
metamorphism simile
Metamorphism: Simile
  • Simile --- metamorphic virus
  • Simile’s metamorphic generator
    • 12,000 lines of assembly
    • Translate Simile to intermediate form
    • Then remove all old transformations
    • Obtains a base form of virus
    • Apply new set of transformations
    • Generate new (morphed) machine code
metamorphism metaphor
  • Metamorphic PermutatingHigh-Obfuscating Reassembler
    • That is,MetaPHOR
  • Described in How I Made Metaphor and What I’ve Learnt by The Mental Driller
  • Complex expander/shrinker strategy
  • Almost impossible to analyze
metamorphism mwor
  • Metamorphic Worm, i.e., MWOR
  • Experimental metamorphic malware designed by former masters student
  • Modeled on MetaPHOR, but…
    • Easier to understand
    • Better for experiments and testing
    • A useful research tool
  • How to detect?
  • The bottom line…
  • Metamorphics difficult to detect
    • Machine learning works well on hacker malware, but can be defeated
  • Metamorphics also difficult to write
    • Most “metamorphic” generators aren’t
  • Current state of the art?
    • “Undetectable” metamorphic viruses
strong encryption
Strong Encryption
  • What is strong encryption?
  • Use a real cipher
  • For this to be useful, must not store key with code
    • Why not?
  • But must decrypt the virus
  • How to get the key to the code?
strong encryption key
Strong Encryption: Key
  • Store key on the web
    • Then must go fetch the key
    • But then how to get the key?
  • Binary virus --- 2 parts
    • Low probability that both parts arrive
  • “Environmental” key generation
    • Key based on machine-specific info
    • Key derived at runtime
    • Harder to analyze
  • Other???
virus kits
Virus Kits
  • Many malware construction kits
    • See VX Heavens
  • Many kits claim to be metamorphic
    • Or polymorphic, or encrypted, or …
    • You should be very skeptical of claims
    • Some have nice GUI interface
  • Success is failure?
    • The more successful, the more likely it has been studied and can be detected