Polymorphic Viruses: A brief survey (Joseph Hamm, Shirlan Johnson)
11-Sep-2002 CS 6265 Fall 2002
Contents
- Prologue
- Introduction
- The Evolution of Polymorphic Viruses
- Polymorphism
- Detection
- Epilogue
Prologue
- 1941: first theories of self-replicating programs
- 1980s:
  - ©Brain (Pakistan) and Stoned (New Zealand) attack floppy boot sectors
  - Jerusalem (Israel): first virus to infect files other than .COM and .EXE
  - Den Zuk (Indonesia): first "antivirus" virus; removes and inoculates against ©Brain
Prologue (1990s)
- First virus exchange (VX) BBS (Bulgaria) goes online
- AT&T attack (first successful critical-infrastructure attack?)
- Dark Avenger releases the first polymorph engine (PME), MtE, which enables other viruses to morph into over 4,000,000,000 different forms
- First polymorphic virus appears: Tequila (Switzerland)
- Nowhere Man releases Nowhere Utilities, which include the Virus Creation Lab (VCL) with a "Borland interface"
Polymorph Engine - 1
What is a Polymorph Engine?
A program able to encrypt (or jumble up) another program or data and supply a unique decryptor for it, doing so in such a way that no two encryptions of the same program or data look alike.
Polymorph Engine - 2
A PME typically consists of:
- the random number generator
- the junk code generator
- the decryptor generator
Polymorphism Levels
- Level 1: viruses having a set of decryptors with constant code, choosing one while infecting.
- Level 2: the virus decryptor contains one or several constant instructions; the rest of it is changeable.
- Level 3: the decryptor contains unused functions ("junk") such as NOP, CLI, STI, etc.
- Level 4: the decryptor uses interchangeable instructions and changes their order (instruction mixing); the decryption algorithm remains unchanged.
Polymorphism Levels (cont'd)
- Level 5: levels 1-4 are used, the decryption algorithm is changeable, and repeated encryption of the virus code and even partial encryption of the decryptor code are possible.
- Level 6: permutating viruses. The main code of the virus is subject to change: it is divided into blocks which are positioned in random order while infecting.
- Level 7: levels 1-6 plus heuristic, goat and emulator countermeasures.
Sample Polymorphic Virus Code
(Fragment as shown on the slide; the remainder of the decryptor is not included in the transcript.)

```asm
        MOV  DX,10            ; real part of the decryptor!
        MOV  SI,1234          ; junk
        AND  AX,[SI+1234]     ; junk
        CLD                   ; junk
        MOV  DI,jumbled_data  ; real part of the decryptor!
        TEST [SI+1234],BL     ; junk
        OR   AL,CL            ; junk
main_loop:
        ADD  SI,SI            ; junk instruction, real loop!
        XOR  AX,1234          ; junk
```
Polymorphic Behavior - 1 to 4
(Diagram-only slides; the figures are not included in the transcript.)
AV Polymorphic Response - 1
- Scan strings: work by searching for a pattern of bytes in FIXED positions and a FIXED sequence.
- Variable scan strings: work by searching for a pattern of bytes in VARIABLE positions but in a FIXED sequence.
- Cryptanalysis: works by finding part of the VIRUS BODY, performing some very basic cryptanalysis on it and then decrypting it (if possible).
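The two signature styles above can be made concrete with a small matcher. The following Python is an added example for this survey, not code from the authors or from any AV product; the byte strings SAMPLE_A and SAMPLE_B are constructed for the demonstration and the function names are chosen here. A fixed scan string expects exact bytes at an exact offset, so the same decryptor shifted by one byte or given fresh operands escapes it; a variable scan string keeps the opcode sequence, wildcards the operand bytes the engine varies, and searches at any offset.

```python
import re

# Constructed sample images (illustrative bytes, not taken from any real
# virus): the same three-instruction decryptor prologue appears in both,
# but at different offsets and with different immediate operands.
SAMPLE_A = bytes.fromhex("90 90 BA 10 00 BE 34 12 BF 00 20 33 C0")
SAMPLE_B = bytes.fromhex("CC BA 10 00 BE 78 56 BF 00 30 33 C0 90 90 90")


def scan_string_match(image: bytes, pattern: bytes, offset: int) -> bool:
    """Classic scan string: a fixed byte sequence expected at a fixed offset."""
    return image[offset:offset + len(pattern)] == pattern


def compile_variable_scan_string(spec: str) -> "re.Pattern[bytes]":
    """Turn a spec such as 'BA ?? ?? BE ?? ?? BF' into a bytes regex.

    Each hex token must match exactly; '??' matches any single byte.  The
    sequence is fixed, but its position in the image is not, and the
    wildcards absorb the operands the engine changes between infections.
    """
    parts = []
    for token in spec.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def variable_scan_string_find(image: bytes, spec: str) -> int:
    """Return the offset of the first match of the variable scan string, or -1."""
    match = compile_variable_scan_string(spec).search(image)
    return match.start() if match else -1


def classify(image: bytes) -> dict:
    """Apply both detection styles to one image and report what each saw."""
    fixed_pattern = bytes.fromhex("BA 10 00 BE 34 12")   # opcodes plus operands
    variable_spec = "BA ?? ?? BE ?? ?? BF ?? ??"          # opcodes only
    return {
        "fixed_scan_string": scan_string_match(image, fixed_pattern, 2),
        "variable_scan_string_offset": variable_scan_string_find(image, variable_spec),
    }


if __name__ == "__main__":
    for name, image in (("SAMPLE_A", SAMPLE_A), ("SAMPLE_B", SAMPLE_B)):
        print(name, classify(image))
```

On SAMPLE_B the fixed scan string misses because the sequence starts one byte earlier and carries different operands, while the variable scan string still reports a hit; that gap is exactly what the engine's junk insertion and operand randomization are designed to exploit.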
AV Polymorphic Response - 2
- Generic decryptor (emulator): works by emulating the instructions in the polymorphic decryptor in order to make the virus decrypt itself; the virus is then detected by a standard scan string.
- Heuristics: searches for inconsistencies between the code being analyzed and the normal everyday code found in programs.
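A toy version of the generic-decryptor approach, added here as an illustration and not taken from the slides or from any real emulator. It assumes a constructed instruction set (mov/xorm/inc/dec/jnz/junk/ret, not x86) and a constructed body containing the signature PAYLOAD_MARKER_0001; build_sample, emulate and generic_decrypt_scan are names invented for this example. The point is the defender's workflow: scan the raw image (no hit), let the sample's own decryptor run inside the emulator, then scan the result (hit), regardless of which key or how much junk that particular copy carries. The step budget in emulate is the practitioner's caveat: an emulator must bound execution, or a decryptor that never reaches its exit keeps the scanner busy forever.

```python
# Constructed mini instruction set for the emulator (NOT x86; an assumption
# made for this example).  The decryptor is a list of tuples kept apart from
# the data memory it decrypts:
#   ("mov", reg, imm)        reg <- imm
#   ("xorm", ptr, keyreg)    mem[regs[ptr]] ^= regs[keyreg] & 0xFF
#   ("inc", reg)             reg <- reg + 1
#   ("dec", reg)             reg <- reg - 1
#   ("jnz", reg, target)     if regs[reg] != 0: pc <- target
#   ("junk", ...)            no effect on registers or memory
#   ("ret",)                 stop
SIGNATURE = b"PAYLOAD_MARKER_0001"      # constructed scan string for the body
BODY = b"constructed sample body " + SIGNATURE + b" end of sample"


def build_sample(key: int, body_offset: int, junk: int) -> tuple:
    """Construct one 'infection': XOR-encrypted BODY placed in memory plus a
    matching decryptor whose key, body offset and junk padding differ per call."""
    memory = bytearray(b"\x90" * body_offset)
    memory += bytes(b ^ key for b in BODY)
    memory += b"\x90" * 8
    program = [("mov", "si", body_offset), ("mov", "cx", len(BODY)), ("mov", "bl", key)]
    program += [("junk", i) for i in range(junk)]
    loop_top = len(program)
    program += [("xorm", "si", "bl"), ("junk", "x"), ("inc", "si"), ("dec", "cx"),
                ("jnz", "cx", loop_top), ("ret",)]
    return program, memory


def emulate(program, memory: bytearray, max_steps: int = 10_000) -> tuple:
    """Run the decryptor against memory.  Returns (memory, steps, halted);
    halted is False when the program never reached 'ret' within the budget."""
    regs = {}
    pc = 0
    for step in range(1, max_steps + 1):
        if not 0 <= pc < len(program):      # ran off the program: not a clean exit
            return memory, step - 1, False
        op = program[pc]
        pc += 1
        if op[0] == "mov":
            regs[op[1]] = op[2]
        elif op[0] == "xorm":
            memory[regs[op[1]]] ^= regs[op[2]] & 0xFF
        elif op[0] == "inc":
            regs[op[1]] = regs.get(op[1], 0) + 1
        elif op[0] == "dec":
            regs[op[1]] = regs.get(op[1], 0) - 1
        elif op[0] == "jnz":
            if regs.get(op[1], 0) != 0:
                pc = op[2]
        elif op[0] == "ret":
            return memory, step, True
        # "junk" and anything unrecognised: no effect
    return memory, max_steps, False         # budget exhausted


def generic_decrypt_scan(program, memory: bytes, signature: bytes = SIGNATURE) -> dict:
    """The generic-decryptor idea: scan the raw image, emulate, scan again."""
    raw_hit = signature in memory
    decrypted, steps, halted = emulate(program, bytearray(memory))
    return {"raw_hit": raw_hit, "post_emulation_hit": signature in decrypted,
            "steps": steps, "halted": halted}


if __name__ == "__main__":
    for key, offset, junk in ((0x5A, 16, 3), (0xC3, 40, 7)):   # two constructed copies
        program, memory = build_sample(key, offset, junk)
        print(generic_decrypt_scan(program, bytes(memory)))
```

The two copies produced by build_sample share no encrypted bytes and have decryptors of different lengths, yet the same single scan string catches both after emulation; the standard scan string never has to know the key. Real emulators also have to decide when to stop emulating a program that is not a decryptor at all, which is the cost side of this method.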
AV Strategy - 1 to 5; Heuristic AV Strategy
(Diagram-only slides; the figures are not included in the transcript.)
VX Response to AV Tactics - 1
- Anti scan string methods: avoid the use of code common to every decryptor. Note: make enough alternatives that multiple variable scan strings are not an option for AV either.
- Anti-cryptanalysis: simply add multiple encryption. A loop using a single XOR with a byte/word key is very easy to cryptanalyze, but a loop combining XOR b/w, ADD b/w, SUB b/w and ROL b/w is VERY hard to cryptanalyze.
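To make the cryptanalysis bullet on the earlier "AV Polymorphic Response - 1" slide and the "very easy to cryptanalyze" claim above concrete, here is an added Python example (not from the slides) of the known-plaintext attack on a single-XOR loop: BODY, KNOWN_FRAGMENT and the keys are constructed, and xor_with_key and recover_xor_key are names chosen for the example. If the analyst knows any fragment of the decrypted body at least as long as the key, one XOR per byte yields the key, and the whole body decrypts; the same code handles the byte and the word variant of the loop.

```python
# Constructed sample: a plaintext "body" and a short fragment of it that an
# analyst is assumed to know (for instance a string carried by every copy).
BODY = (b"constructed sample body; not a real virus. "
        b"Known-fragment: CONSTANT_TEXT_IN_EVERY_COPY. remaining bytes...")
KNOWN_FRAGMENT = b"CONSTANT_TEXT_IN_EVERY_COPY"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: a 1-byte key is the 'byte' loop, a 2-byte key the
    'word' loop.  XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(cipher: bytes, known: bytes, key_len: int):
    """Known-plaintext attack on a repeating XOR loop.

    Slide the known fragment over the ciphertext; at each offset derive a
    candidate key from the first key_len bytes and keep it only if it explains
    every byte of the fragment.  Returns (offset, key) or None.
    """
    if len(known) < key_len:
        return None
    for offset in range(len(cipher) - len(known) + 1):
        window = cipher[offset:offset + len(known)]
        candidate = bytes(window[i] ^ known[i] for i in range(key_len))
        if xor_with_key(window, candidate) != known:
            continue
        # The key stream is phased from the start of the body, not from the
        # fragment, so rotate the candidate back to its phase at offset 0.
        shift = offset % key_len
        key = candidate[-shift:] + candidate[:-shift] if shift else candidate
        return offset, key
    return None


def decrypt_with_known_fragment(cipher: bytes, known: bytes, key_len: int):
    """Full analyst step: recover the key, then decrypt the whole image."""
    found = recover_xor_key(cipher, known, key_len)
    if found is None:
        return None
    offset, key = found
    return key, xor_with_key(cipher, key)


if __name__ == "__main__":
    for key in (bytes([0x7E]), bytes([0x13, 0xC7])):      # constructed byte and word keys
        cipher = xor_with_key(BODY, key)
        print(len(key), decrypt_with_known_fragment(cipher, KNOWN_FRAGMENT, len(key)))
```

The attack hinges on the loop applying one self-inverse operation with a short key, so that a single known byte pins down a key byte. Once the loop chains several operations the analyst must also recover the operation sequence and its order, which is why the emulator approach, which simply runs whatever decryptor is present, does not depend on how the loop is written.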
VX Advice to Next Gen
If you are going to make a good engine, remember the following points:
- It must not have fixed bytes in fixed positions.
- It must not have fixed bytes in variable positions.
- It must not be decryptable by the generic decryption engines in AV software.
- It helps if the code is heuristically "clean", but that is not the "be all and end all" of an engine.
- Make sure it is very difficult for AV to analyze.
- Make sure it is next to impossible to remove if it does get caught.
Epilogue
Polymorphic viruses represent yet another escalatory step in the conflict between those who seek to compromise (VX community) and those who defend (AV community) computer systems. As the techniques and strategies improve, one can expect the threat of polymorphic viruses to only increase.
References - 1
- AVP Virus Encyclopaedia: http://www.kav.ch/avpve/
- History of Computer Viruses by Robert M. Slade: http://www.bocklabs.wisc.edu/~janda/sladehis.html
- Understanding & Managing Polymorphic Viruses: http://www.symantec.com/avcenter/whitepapers.html
- Virus Timeline & Scientific Papers: http://researchweb.watson.ibm.com/antivirus/index.htm and http://www.cknow.com/vtutor/vthistory.htm
References - 2
- VX Papers & Articles: http://vx.netlux.org/lib_diff.shtml
  - Guide to Improving Polymorphic Engines by Rogue Warrior
  - A General Description of the Methods Behind a Polymorph Engine by The Black Baron
- Viruses Revealed by David Harley et al.
Questions?