Encrypted Oli Go Morphic

7/28/2019 Encrypted Oli Go Morphic

1/13

1

Spring, 2008

Encrypted and OliogomorphicViruses

Spring, 2008

CS 351 Defense Against the Dark Arts

2

Encrypted Viruses

Virus encryption is both an anti-disassembly technique and an obstacle

to virus detection using code patterns

Encryption takes many formsThe most advanced, difficult to defeatviruses use encryption techniques

We will devote several lectures tounderstanding, detecting, anddisinfecting various encrypted viruses


2/13

2

Spring, 2008


3

Simple EncryptionThe earliest viruses to use encryption used avery simple decryption algorithm, such asXORing code with its own address

The point was not to use advancedalgorithms that were hard to analyze; just toslow down analysis and defeat pattern-basedvirus detection

Because the decryptor code is always presentin unencrypted form, there is not much point

in choosing complex encryption/decryptionmethods

The DOS virus Cascade was the firstencrypted virus

Spring, 2008


4

Example: Cascade VirusThe simple decryptor of Cascade, circa1990:lea si,Start ; start of encrypted code (computed by

virus)

mov sp,0682h ; length of encrypted code (1666 bytes)

Decrypt:

xor [si],si ; xor code with its address

xor [si],sp ; xor code with its inverse index

inc si ; increment address pointer

dec sp ; decrement byte counter

jnz Decrypt ; loop if more bytes to decrypt

Start: ; virus code body


3/13

3

Spring, 2008


5

Cascade Virus WalkthroughSetting up the indices:lea si,Start ; start of encrypted code (computed by

virus)

The virus does not have a Start labelwhose address is determined by acompiler

Instead, it computes the address atinfection time, depending on thelocation in the file being infected

Virus uses hex offsets; we show Startto make it more readable

Spring, 2008


6

Cascade Virus WalkthroughStack pointer used as countermov sp,0682h ; length of encrypted code (1666 bytes)

Virus knows its own length before itinfects a new file

Using the stack pointer is an anti-debugger technique

Cascade is therefore an armored virusHowever, this line of code is adistinctive pattern (signature) for thisvirus


4/13

4

Spring, 2008


7

Cascade Virus Walkthrough

The XOR encryption lines:xor [si],si ; xor code with its address

xor [si],sp ; xor code with its inverse index

The XOR operation is reversible:0f237h XOR 0682h = 0f4b5h

0f4b5h XOR 0682h = 0f237h

Very fast to encrypt and decrypt, yetsufficient to prevent detection by

patternsIMPORTANT: Even the hex patterns are file-

dependent, because they depend on addresses

Spring, 2008


8

Cascade Virus WalkthroughIncrement counters/indices and loop:inc si ; increment address pointer

dec sp ; decrement byte counter

jnz Decrypt ; loop if more bytes to decrypt

With pattern-based detection impededby encryption, an anti-virus researcher

would like to step through thedecryptor in a debugger and see the

decrypted code

However, use of stack pointer inhibitsmost debugger use


5/13

5

Spring, 2008


9

Analyzing Cascade

Prevention in the OS: dont allowwriting to the executable code segment

Virus writer can work around this by decryptinginto a buffer, rather than decrypting code in its

place

The best attack upon a simpleencrypted virus is to detect the code

patterns of the decryptor, e.g.mov sp,0682h ; length of encrypted code (1666 bytes)

Spring, 2008


10

Difficult Decryptors

One decryptor loop might traverse the virusbody, applying a decryptor function (e.g.XOR or something more complex), thenanother decryptor loop can traverse the viruscode in reverse order applying a differentdecryption function, etc.

The unencrypted decryptor code coulddecrypt a piece of code that is a morecomplex decryptor, which then decryptsanother decryptor, which decrypts the virus

Static analysis of the patterns of the first decryptor wouldbe irrelevant; that decryptor could be common to manyviruses and also to commercial software


6/13

6

Spring, 2008


11

Detecting Decryptors

The main loop of the decryptor (a tight loop withXORs) looks like it would be a good subject forpattern-based detection

But, many different viruses can use the samedecryptor algorithm and have totally differentpayloads and behaviors

A virus could pad itself out so that it has the samelength as other, unrelated viruses

Even worse is the fact that some commercialsoftware is obfuscated by an anti-debug wrapper,

which looks just like the decryptor code for Cascade,in order to prevent reverse engineering of theirproduct

Can produce false positives

Spring, 2008


12

Detecting Decryptors cont.

Memory allocation within thedecryptor can produce a good codepattern to match

Decryptor has three locations inwhich it can decrypt the virus code:

1. In place; OS can disallow this2. In heap; allocation code is

unencrypted and makes pattern-based detection easier

3. On the stack; stealthiest choice


7/13

7

Spring, 2008


13

Detecting Decryptors cont.

How can an encrypted virus bedetected if it uses stack allocation,makes itself look like a commercialanti-debug wrapper, makes itself the

same length as unrelated viruses,etc.?

Emulation and dynamic analysis arecommon approaches

Expensive Proprietary

Spring, 2008


14

Alternatives: Phoenix and SDT

A Phoenix Instrumentation Tool couldbe generated to dump the code afterthe decryption has occurred

Still need to black-box or sandbox theapplication to prevent damage

SDT (software dynamic translation, orrun-time compilation) decodes aprogram into a buffer as it runs

Can examine decrypted code in the translationcache/buffer


8/13

8

Spring, 2008


15

Virus Code Evolution

Simile is one example of a virus thatevolves in order to frustrate pattern-baseddetection

Each time it replicates, it generates adifferent memory allocation code sequencein the decryptor

Can be done with simple obfuscations, code re-orderings,etc.

No single pattern matches the allocator More common is mutating the decryptorcode itself and using stack allocation

Spring, 2008


16

Decryptor Mutation

Viruses that can evolve by mutating as theyreplicate can be classified in three categories,based on the degree of variety they produce:

1. Oligomorphic viruses can produce a few dozendecryptors; they select one at random whenreplicating

2. Polymorphic viruses dynamically generate coderearrangements and randomly insert junkinstructions to produce millions of variants

3. Metamorphic viruses apply polymorphictechniques to the entire virus body rather than

just to a decryptor, so that one generation differsgreatly from the previous generation; noencryption is even necessary to be classified asmetamorphic


9/13

9

Spring, 2008


17

Oligomorphic Viruses Detecting encrypted viruses that have

distinctive decryptors was too easy (in theopinion of virus writers!)

Whale was the first oligomorphic virus It carried several dozen decryptors in its

body as data; when replicating, it selectedone at random, encrypted the virus bodywith it, and deposited the body and the

decryptor in the target file

Spring, 2008


18

Oligomorphic Viruses cont.

Carrying the decryptors as data is a burdento the virus, making it larger

Memorial was a Windows 95 oligomorphicvirus that generated96 differentdecryptors, choosing one at replicationtime

Detecting 96 different patterns is an impractical solutionfor virus scanners that must deal with thousands of

viruses; pattern database size explosion would result

It inserted junk instructions at variouspoints in the decryptor code


10/13

10

Spring, 2008


19

Junk Instructions

A junk instruction can be a no-op or do-nothinginstruction, but it can also be an instruction thatuses registers or memory locations that areunused in the decryptor

Given the following decryptor loop for theMemorial oligomorphic virus:

Decrypt:

xor [esi],al ; decrypt a byte with key in AL

inc esi ; go to next byte

inc al ; slide the key up

dec ecx ; decrement the byte counter

jnz Decrypt ; loop back if more to decrypt

Spring, 2008


20

Junk Instructions cont.

Code patterns can be obfuscated with junkinstructions:

Decrypt:

add ebx,edx ; junk


dec edx ; junk


mov [whocares],edx ; junk





11/13

11

Spring, 2008


21


A different variant puts different junk instructionsat different offsets:

Decrypt:

add bh,4 ; junk

xor edx,edx ; junk



xchg ebx,edx ; junk


cmp ebx,edx ; junk



Spring, 2008


22


The index increment instructions are order-independent, creating more variants:

Decrypt:

add bh,4 ; junk

xor edx,edx ; junk



xchg ebx,edx ; junk


cmp ebx,edx ; junk




12/13


13/13

13

Spring, 2008


25

Detecting Oligomorphic Viruses

Clearly, it is easy to produce numerousvariants of a decryptor

Filtering out no-ops and do-nothings doesnot remove the obfuscation

Emulation, debugging, or proprietarydynamic analyses are needed to producethe decrypted virus for analysis

A Phoenix Instrumentation of the binary, orSDT capture of the decrypted virus, couldbe good alternatives

Spring, 2008


26

Assignment

Read Szor, Chapter 7 through section 7.5(already assigned previously)

Encrypted Oli Go Morphic

Documents

Transcript of Encrypted Oli Go Morphic