Encrypted Oli Go Morphic
-
Upload
waldemarvillamayor-venialbo -
Category
Documents
-
view
218 -
download
0
Transcript of Encrypted Oli Go Morphic
-
7/28/2019 Encrypted Oli Go Morphic
1/13
1
Spring, 2008
Encrypted and OliogomorphicViruses
Spring, 2008
CS 351 Defense Against the Dark Arts
2
Encrypted Viruses
Virus encryption is both an anti-disassembly technique and an obstacle
to virus detection using code patterns
Encryption takes many formsThe most advanced, difficult to defeatviruses use encryption techniques
We will devote several lectures tounderstanding, detecting, anddisinfecting various encrypted viruses
-
7/28/2019 Encrypted Oli Go Morphic
2/13
2
Spring, 2008
CS 351 Defense Against the Dark Arts
3
Simple EncryptionThe earliest viruses to use encryption used avery simple decryption algorithm, such asXORing code with its own address
The point was not to use advancedalgorithms that were hard to analyze; just toslow down analysis and defeat pattern-basedvirus detection
Because the decryptor code is always presentin unencrypted form, there is not much point
in choosing complex encryption/decryptionmethods
The DOS virus Cascade was the firstencrypted virus
Spring, 2008
CS 351 Defense Against the Dark Arts
4
Example: Cascade VirusThe simple decryptor of Cascade, circa1990:lea si,Start ; start of encrypted code (computed by
virus)
mov sp,0682h ; length of encrypted code (1666 bytes)
Decrypt:
xor [si],si ; xor code with its address
xor [si],sp ; xor code with its inverse index
inc si ; increment address pointer
dec sp ; decrement byte counter
jnz Decrypt ; loop if more bytes to decrypt
Start: ; virus code body
-
7/28/2019 Encrypted Oli Go Morphic
3/13
3
Spring, 2008
CS 351 Defense Against the Dark Arts
5
Cascade Virus WalkthroughSetting up the indices:lea si,Start ; start of encrypted code (computed by
virus)
The virus does not have a Start labelwhose address is determined by acompiler
Instead, it computes the address atinfection time, depending on thelocation in the file being infected
Virus uses hex offsets; we show Startto make it more readable
Spring, 2008
CS 351 Defense Against the Dark Arts
6
Cascade Virus WalkthroughStack pointer used as countermov sp,0682h ; length of encrypted code (1666 bytes)
Virus knows its own length before itinfects a new file
Using the stack pointer is an anti-debugger technique
Cascade is therefore an armored virusHowever, this line of code is adistinctive pattern (signature) for thisvirus
-
7/28/2019 Encrypted Oli Go Morphic
4/13
4
Spring, 2008
CS 351 Defense Against the Dark Arts
7
Cascade Virus Walkthrough
The XOR encryption lines:xor [si],si ; xor code with its address
xor [si],sp ; xor code with its inverse index
The XOR operation is reversible:0f237h XOR 0682h = 0f4b5h
0f4b5h XOR 0682h = 0f237h
Very fast to encrypt and decrypt, yetsufficient to prevent detection by
patternsIMPORTANT: Even the hex patterns are file-
dependent, because they depend on addresses
Spring, 2008
CS 351 Defense Against the Dark Arts
8
Cascade Virus WalkthroughIncrement counters/indices and loop:inc si ; increment address pointer
dec sp ; decrement byte counter
jnz Decrypt ; loop if more bytes to decrypt
With pattern-based detection impededby encryption, an anti-virus researcher
would like to step through thedecryptor in a debugger and see the
decrypted code
However, use of stack pointer inhibitsmost debugger use
-
7/28/2019 Encrypted Oli Go Morphic
5/13
5
Spring, 2008
CS 351 Defense Against the Dark Arts
9
Analyzing Cascade
Prevention in the OS: dont allowwriting to the executable code segment
Virus writer can work around this by decryptinginto a buffer, rather than decrypting code in its
place
The best attack upon a simpleencrypted virus is to detect the code
patterns of the decryptor, e.g.mov sp,0682h ; length of encrypted code (1666 bytes)
Spring, 2008
CS 351 Defense Against the Dark Arts
10
Difficult Decryptors
One decryptor loop might traverse the virusbody, applying a decryptor function (e.g.XOR or something more complex), thenanother decryptor loop can traverse the viruscode in reverse order applying a differentdecryption function, etc.
The unencrypted decryptor code coulddecrypt a piece of code that is a morecomplex decryptor, which then decryptsanother decryptor, which decrypts the virus
Static analysis of the patterns of the first decryptor wouldbe irrelevant; that decryptor could be common to manyviruses and also to commercial software
-
7/28/2019 Encrypted Oli Go Morphic
6/13
6
Spring, 2008
CS 351 Defense Against the Dark Arts
11
Detecting Decryptors
The main loop of the decryptor (a tight loop withXORs) looks like it would be a good subject forpattern-based detection
But, many different viruses can use the samedecryptor algorithm and have totally differentpayloads and behaviors
A virus could pad itself out so that it has the samelength as other, unrelated viruses
Even worse is the fact that some commercialsoftware is obfuscated by an anti-debug wrapper,
which looks just like the decryptor code for Cascade,in order to prevent reverse engineering of theirproduct
Can produce false positives
Spring, 2008
CS 351 Defense Against the Dark Arts
12
Detecting Decryptors cont.
Memory allocation within thedecryptor can produce a good codepattern to match
Decryptor has three locations inwhich it can decrypt the virus code:
1. In place; OS can disallow this2. In heap; allocation code is
unencrypted and makes pattern-based detection easier
3. On the stack; stealthiest choice
-
7/28/2019 Encrypted Oli Go Morphic
7/13
7
Spring, 2008
CS 351 Defense Against the Dark Arts
13
Detecting Decryptors cont.
How can an encrypted virus bedetected if it uses stack allocation,makes itself look like a commercialanti-debug wrapper, makes itself the
same length as unrelated viruses,etc.?
Emulation and dynamic analysis arecommon approaches
Expensive Proprietary
Spring, 2008
CS 351 Defense Against the Dark Arts
14
Alternatives: Phoenix and SDT
A Phoenix Instrumentation Tool couldbe generated to dump the code afterthe decryption has occurred
Still need to black-box or sandbox theapplication to prevent damage
SDT (software dynamic translation, orrun-time compilation) decodes aprogram into a buffer as it runs
Can examine decrypted code in the translationcache/buffer
-
7/28/2019 Encrypted Oli Go Morphic
8/13
8
Spring, 2008
CS 351 Defense Against the Dark Arts
15
Virus Code Evolution
Simile is one example of a virus thatevolves in order to frustrate pattern-baseddetection
Each time it replicates, it generates adifferent memory allocation code sequencein the decryptor
Can be done with simple obfuscations, code re-orderings,etc.
No single pattern matches the allocator More common is mutating the decryptorcode itself and using stack allocation
Spring, 2008
CS 351 Defense Against the Dark Arts
16
Decryptor Mutation
Viruses that can evolve by mutating as theyreplicate can be classified in three categories,based on the degree of variety they produce:
1. Oligomorphic viruses can produce a few dozendecryptors; they select one at random whenreplicating
2. Polymorphic viruses dynamically generate coderearrangements and randomly insert junkinstructions to produce millions of variants
3. Metamorphic viruses apply polymorphictechniques to the entire virus body rather than
just to a decryptor, so that one generation differsgreatly from the previous generation; noencryption is even necessary to be classified asmetamorphic
-
7/28/2019 Encrypted Oli Go Morphic
9/13
9
Spring, 2008
CS 351 Defense Against the Dark Arts
17
Oligomorphic Viruses Detecting encrypted viruses that have
distinctive decryptors was too easy (in theopinion of virus writers!)
Whale was the first oligomorphic virus It carried several dozen decryptors in its
body as data; when replicating, it selectedone at random, encrypted the virus bodywith it, and deposited the body and the
decryptor in the target file
Spring, 2008
CS 351 Defense Against the Dark Arts
18
Oligomorphic Viruses cont.
Carrying the decryptors as data is a burdento the virus, making it larger
Memorial was a Windows 95 oligomorphicvirus that generated96 differentdecryptors, choosing one at replicationtime
Detecting 96 different patterns is an impractical solutionfor virus scanners that must deal with thousands of
viruses; pattern database size explosion would result
It inserted junk instructions at variouspoints in the decryptor code
-
7/28/2019 Encrypted Oli Go Morphic
10/13
10
Spring, 2008
CS 351 Defense Against the Dark Arts
19
Junk Instructions
A junk instruction can be a no-op or do-nothinginstruction, but it can also be an instruction thatuses registers or memory locations that areunused in the decryptor
Given the following decryptor loop for theMemorial oligomorphic virus:
Decrypt:
xor [esi],al ; decrypt a byte with key in AL
inc esi ; go to next byte
inc al ; slide the key up
dec ecx ; decrement the byte counter
jnz Decrypt ; loop back if more to decrypt
Spring, 2008
CS 351 Defense Against the Dark Arts
20
Junk Instructions cont.
Code patterns can be obfuscated with junkinstructions:
Decrypt:
add ebx,edx ; junk
xor [esi],al ; decrypt a byte with key in AL
dec edx ; junk
inc esi ; go to next byte
mov [whocares],edx ; junk
inc al ; slide the key up
dec ecx ; decrement the byte counter
jnz Decrypt ; loop back if more to decrypt
-
7/28/2019 Encrypted Oli Go Morphic
11/13
11
Spring, 2008
CS 351 Defense Against the Dark Arts
21
Junk Instructions cont.
A different variant puts different junk instructionsat different offsets:
Decrypt:
add bh,4 ; junk
xor edx,edx ; junk
xor [esi],al ; decrypt a byte with key in AL
inc esi ; go to next byte
xchg ebx,edx ; junk
inc al ; slide the key up
cmp ebx,edx ; junk
dec ecx ; decrement the byte counter
jnz Decrypt ; loop back if more to decrypt
Spring, 2008
CS 351 Defense Against the Dark Arts
22
Junk Instructions cont.
The index increment instructions are order-independent, creating more variants:
Decrypt:
add bh,4 ; junk
xor edx,edx ; junk
xor [esi],al ; decrypt a byte with key in AL
inc al ; slide the key up
xchg ebx,edx ; junk
inc esi ; go to next byte
cmp ebx,edx ; junk
dec ecx ; decrement the byte counter
jnz Decrypt ; loop back if more to decrypt
-
7/28/2019 Encrypted Oli Go Morphic
12/13
-
7/28/2019 Encrypted Oli Go Morphic
13/13
13
Spring, 2008
CS 351 Defense Against the Dark Arts
25
Detecting Oligomorphic Viruses
Clearly, it is easy to produce numerousvariants of a decryptor
Filtering out no-ops and do-nothings doesnot remove the obfuscation
Emulation, debugging, or proprietarydynamic analyses are needed to producethe decrypted virus for analysis
A Phoenix Instrumentation of the binary, orSDT capture of the decrypted virus, couldbe good alternatives
Spring, 2008
CS 351 Defense Against the Dark Arts
26
Assignment
Read Szor, Chapter 7 through section 7.5(already assigned previously)