Design and Implementation of The FiltroMatic™
Presented By:
Lord Viper Scorpion
D4 C0rrupt0r
The Dark Stallion of Chaos
Master of Terror
Why Worry About Macro Viruses?
There are a lot of maladjusted individuals with no better way to deal with their frustration with society
Microsoft allows macros way too many privileges, and this is really easy to exploit
Macro viruses cause a lot of damage
– $12.1B in 1999, according to Computer Economics
– Melissa alone caused $80 million in damage
Why are Current Methods Ineffective and How can we Improve Them?
Commercial anti-virus programs only check for fingerprints of known viruses
We propose a generalized macro filter that looks for viruses based on the content of the code
How does one determine if code is “bad” or not?
VBA Background
What is VBA and how is it used?
– General purpose scripting language for Office applications
– Used to automate repetitive tasks, format documents…
Where does it derive its functionality?
– From Application object libraries
– From the Windows API, .DLLs on the host system
So what’s the problem?
– A VBA macro has the same privileges on the host as a native executable
Dealing with Microsoft’s Lack of Foresight
How can we compensate for the security vulnerabilities introduced by VBA?
– By scanning macros for code that is clearly malicious
– By alerting the user of possible misuse of code that could go either way
– By trying to identify malicious macros without flagging legitimate ones
Designing a Macro Filter
Background Research
– Learned VBA mechanisms
– Reviewed known malicious macros
– Compiled a list of VBA functions common to macro viruses
– Reviewed legitimate macros to determine where “gray” areas exist
Example of VBA Malcode
From the “Friends” macro virus:
    Open "C:\autoexec.bat" For Append As #1
    Print #1, "@echo off"
    Print #1, "c:\dos\fast.com"
    Close #1
Another Example of VBA Malcode
From the “Galicia Kalidade” macro virus:
    If EdicinBuscarEncontrado() <> 0 Then
        FijarAtributos "C:\IO.SYS", 0
        FijarAtributos "C:\MSDOS.SYS", 0
        Kill "C:\IO.SYS"
        Kill "C:\MSDOS.SYS"
Yet Another VBA Malcode Example
From the “Atom” macro virus (the transcript misplaced a parenthesis in the Month() test; corrected here):
    Sub MAIN
        On Error Goto KillError
        If Day(Now()) = 13 And Month(Now()) = 12 Then
            Kill "*.*"
        End If
    KillError:
    End Sub
Yes, You Guessed It … Another VBA Virus Example
From the “Retro” macro virus (each transcript line held two statements; split onto separate lines):
    If Not Y Then
        F$ = WindowName$()
        S$ = F$ + ":Puritan"
        MacroCopy S$, "Global:Puritan"
        S$ = F$ + ":Rtr"
        MacroCopy S$, "Global:Retro"
        S$ = F$ + ":FSAB"
        MacroCopy S$, "Global:FileSaveAs"
        S$ = F$ + ":FSAB"
        MacroCopy S$, "Global:FSAB"
        S$ = F$ + ":AOB"
        MacroCopy S$, "Global:AOB"
    End If
Implementation of our Filter
We chose to implement it as a Java library that developers could integrate into their applications.
Implementation consists of MacroScanner, MalCodeItem, MalCodeList, Report, and ReportItem.
Tailored scanner to minimize false positives. What weaknesses does our method have?
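The slides describe the filter only by its class names and its two-tier policy (flag code that is clearly malicious, alert on code that could go either way, leave legitimate macros alone). The following is an added example, not the FiltroMatic Java library: it reuses the slide's class names (MacroScanner, MalCodeItem, MalCodeList, Report, ReportItem) but is written in Python so it runs stand-alone, and its pattern list, severities and sample macros are constructed from the virus excerpts quoted earlier on the page. Pattern order matters: the most specific (clearly malicious) item is tried first, so a line is counted once.

```python
import re
from dataclasses import dataclass, field

# Two tiers, mirroring the slide: clearly malicious vs. "could go either way".
MALICIOUS = "malicious"
SUSPICIOUS = "suspicious"


@dataclass(frozen=True)
class MalCodeItem:
    """One pattern the scanner looks for (assumed structure, not the project's)."""
    name: str
    pattern: re.Pattern
    severity: str
    reason: str


# Constructed MalCodeList. The malicious entries are the mechanisms shown in the
# page's excerpts: wildcard Kill, Kill of DOS system files, appending to
# autoexec.bat, and MacroCopy into the global template. The suspicious entries
# are the same primitives used in a way a legitimate macro might also use them.
MAL_CODE_LIST = [
    MalCodeItem("kill-wildcard", re.compile(r'\bKill\s+"[^"]*\*'), MALICIOUS,
                "deletes files by wildcard"),
    MalCodeItem("kill-system-file", re.compile(r'\bKill\s+"C:\\(IO|MSDOS)\.SYS"', re.I),
                MALICIOUS, "deletes a DOS system file"),
    MalCodeItem("autoexec-write",
                re.compile(r'\bOpen\s+"C:\\autoexec\.bat"\s+For\s+(Append|Output)', re.I),
                MALICIOUS, "rewrites autoexec.bat"),
    MalCodeItem("macrocopy-global", re.compile(r'\bMacroCopy\b.*"Global:', re.I),
                MALICIOUS, "copies a macro into the global template"),
    MalCodeItem("kill-any", re.compile(r'\bKill\s'), SUSPICIOUS, "deletes a file"),
    MalCodeItem("shell", re.compile(r'\bShell\b'), SUSPICIOUS, "launches an external program"),
    MalCodeItem("file-write", re.compile(r'\bOpen\s+.*\bFor\s+(Append|Output)\b', re.I),
                SUSPICIOUS, "writes to a file"),
]


@dataclass
class ReportItem:
    line_no: int
    source: str
    item: MalCodeItem


@dataclass
class Report:
    items: list = field(default_factory=list)

    @property
    def warnings(self) -> int:
        return len(self.items)

    def count(self, severity: str) -> int:
        return sum(1 for r in self.items if r.item.severity == severity)


class MacroScanner:
    def __init__(self, mal_code_list=MAL_CODE_LIST):
        self.mal_code_list = mal_code_list

    def scan(self, vba_source: str) -> Report:
        report = Report()
        for no, line in enumerate(vba_source.splitlines(), 1):
            code = line.strip()
            # Skip blank lines and whole-line comments (' or Rem).
            if not code or code.startswith("'") or code.lower().startswith("rem "):
                continue
            for item in self.mal_code_list:  # first (most specific) match wins
                if item.pattern.search(code):
                    report.items.append(ReportItem(no, code, item))
                    break
        return report


# Constructed sample: the fragments the page quotes from Friends, Galicia
# Kalidade, Atom and Retro, concatenated into one macro body.
MALICIOUS_MACRO = r'''
Open "C:\autoexec.bat" For Append As #1
Print #1, "@echo off"
Close #1
Kill "C:\IO.SYS"
Kill "C:\MSDOS.SYS"
If Day(Now()) = 13 And Month(Now()) = 12 Then
    Kill "*.*"
End If
MacroCopy S$, "Global:Puritan"
'''

# Constructed gray-area macro: a single Kill of a temp file, which a clean-up
# macro might legitimately do, so it only merits a user alert.
GRAY_MACRO = r'''
Sub CleanupTemp()
    Kill "C:\TEMP\report.bak"
End Sub
'''

# Constructed legitimate macro: pure document formatting, no warnings expected.
LEGIT_MACRO = '''
Sub FormatHeadings()
    ' Bold every Heading 1 paragraph
    Dim p As Paragraph
    For Each p In ActiveDocument.Paragraphs
        If p.Style = "Heading 1" Then p.Range.Font.Bold = True
    Next p
End Sub
'''

if __name__ == "__main__":
    for name, src in [("malicious", MALICIOUS_MACRO), ("gray", GRAY_MACRO), ("legit", LEGIT_MACRO)]:
        rep = MacroScanner().scan(src)
        print(f"{name}: {rep.warnings} warnings "
              f"({rep.count(MALICIOUS)} malicious, {rep.count(SUSPICIOUS)} suspicious)")
        for r in rep.items:
            print(f"  line {r.line_no}: [{r.item.severity}] {r.item.reason}: {r.source}")
```

Running the block prints 5 warnings (all malicious) for the concatenated virus fragments, 1 suspicious warning for the clean-up macro, and 0 for the formatting macro, which is the shape of the two result tables that follow. The obvious weakness, which the slide's own question about weaknesses points at, is that a line-oriented regex scanner is defeated by string concatenation, Chr() obfuscation, or splitting a call across lines; a real filter needs at least a tokenizer over VBA rather than raw lines.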
Sample of Scanning Results for Malicious Macros
Virus     Number of Warnings
Melissa   11
WordSavr  2
Vengine   2
Polyssa   12
Magnum    17
Hassle    27
Sample of Scanning Results for Legitimate Macros
Macro     Number of Warnings
Good-1    0
Good-2    0
Good-3    0
Good-4    0
Good-5    0
Good-6    0
Conclusions
Macro viruses tend to use the same mechanisms to spread and attack
Our filter takes advantage of these similarities to detect known and unknown macro viruses