Post on 17-Dec-2015
Chapter 5
Anti-Anti-Virus
Anti-Anti-Virus All viruses self-replicate Anti-anti-virus means it’s “openly
hostile” to AV Anti-anti-virus techniques?
o Aggressively attack AV softwareo Make analysis of virus difficulto Try to avoid being detected using
knowledge of how AV works
Anti-Virus Virus? Anti-anti-virus versus “anti-virus
virus”o What the … ?
This chapter is about anti-anti virus Aside: What is an anti-virus virus?
o Virus attacks other viruses, oro AV software that propagates virally, oro Software that drops a virus, then offers
to remove it for a fee
Retroviruses Also known as “anti-antivirus
viruses” Virus with active defense What techniques are used? Kill AV (and related) processes
o Virus lists active processeso Kills things like Avgw.exe, Scan32.exe,
Navw32.exe, Regedit.exe, Zonealarm.exe
o Might also do this for processes run at startup
Retroviruses
Example: Ganda virus Kills running AV-like processes Examines processes run at startup
o If it appears to be AV-related…o …replace 1st instruction with “return”
Stealthier?o Starve AV software by lowering priorityo Prevent AV software from connecting to
company database, etc.
Entry Point Obfuscation Viruses often hijack usual entry
pointo But this is fairly obvious
Set entry point at random location?o Probably not a good idea --- why?
Find calls to ExitProcess API?o Used by Simile and Ganda
Look for known code sequences?o Compilers produce stereotypical code
Anti-Emulation Recall that emulation is used for AV How can virus defeat emulation?
1. Outlast2. Outsmart3. Overextend
AV solution to 2 & 3 is better emulatoro Of course, this comes at a price…
Anti-Emulation: Outlast How to “outlast” an emulator?1. Lots of (disguised) do-nothing
code2. Only be malicious, say, 1/10th of
timeo Then AV might mark code as safeo Subsequently, virus has a free hand
3. Entry point obfuscationo Emulator might assume virus will
appear early in execution of infected code
Anti-Emulation: Outsmart Try to counter dynamic heuristics Example: In some cases,
decryption is a good dynamic heuristic
To counter this, virus could…o Spread decryption throughout code,
not all in one loopo Then emulator might never reach its
“decryption” threshold
Anti-Emulation: Overextend
How to push emulator to the limit?1. Use undocumented instructions
o If not handled correctly, it’s emulated
2. Bugs in CPUo If handled correctly, it’s emulated
3. Exhaust or abuse memory4. Check for differences between
system calls, e.g., check “time” twiceo Emulator might return fixed value
Anti-Emulation: Overextend
How to push emulator to the limit?5. Import obscure libraries6. Use external resources, e.g., web
pageo Almost impossible to emulate external
stuff
7. Emulator-specific checkso E.g., a known interface to outside
Armoring “Armor” virus --- make analysis
more difficult Two types of techniques used:1. Anti-debugging
o Examples?
2. Anti-disassemblyo Examples?
Anti-Debugging Look for inserted breakpoints
o Like error detection/correction Look for single-stepping
o Interrupt pushed onto stack after every instruction… so push then immediately pop, or
o Time the execution, oro Dynamically modify next instruction,
since processors usually pre-fetch Last 2 also anti-emulation
techniques
Anti-Debugging If all else fails, ask:
o IsDebuggerPresent() In Linux, request to trace a process
more than once failso How can virus take advantage of this?
Anti-Debugging Speaking of threads… Interlocking and deadlocking threads
o Only small part of code appearso Different parts each time
Fairly strong for anti-debuggingo Improved software activation using multithread
ing
Could be even more effective if combined with encrypted codeo Project, anyone?
Anti-Disassembly Anti-disassemblymentarianism? Goals
1. Disassembly cannot be automated2. Code not available until it executes
For 1, one idea is to mix code and datao Once mixed, separating is unsolvable
Anti-Disassembly Mixing code and data can result in
false disassembly
Disassemblers not so easily confused…
Anti-Disassembly How to make code unavailable for
static analysis?1. Dynamically generate code at
runtime2. Self-modifying code
o A red flag for heuristic analysis
3. Use the environment to “construct” code at runtimeo How’s that?
Anti-Disassembly Constructed code? Hash stuff and extract “code”
bits…o Perhaps combine with buffer overflow?o Project, anyone?
Anti-Disassembly Encrypted code
o Decrypt in parts as neededo Flush plaintext when doneo Combine with anti-debuggingo Watch for MiM type of attacks
My startup company did all of this Might do similar things with
threadso Intentionally “delicate” timing
Tunneling Virus traces system functions it
useso To be sure they “go to” the right placeo If not, code is being monitored
How to trace code?o Static heuristic or emulationo Just like the AV stuff…
Can’t tunnel into kernel on modern OSo But still might be useful technique
Tunneling AV software can hide from
tunneling if it’s installed in the kernelo Unless virus is in the kernel too…
But, virus in kernel would be bad for lots and lots of other reasons
Integrity Checker Attacks How to avoid integrity check?
o Integrity check can detect any change Stealth virus might hide
o But only from weak integrity check Infect when legitimate change to
file In one infamous case…
o Delete integrity check database and all checksums recomputed
Avoidance Hide in places not searched Possibilities include
o USB keyo Some types of fileso New type of packero Etc.
Pretty lame?