Stealth Virus

description

Explore the world of stealth viruses and the mechanisms they use to conceal themselves in our systems.

Transcript of Stealth Virus

Page 1: Stealth Virus

Stealth Virus

Page 2: Stealth Virus
Page 3: Stealth Virus

Would you believe me if I said this is not entirely true?

Page 4: Stealth Virus

So let's explore the world of stealth viruses and the mechanisms they use to conceal themselves in our systems.

Page 5: Stealth Virus

What is a virus?

• A virus is a computer program that was written to purposely damage computer systems.

• Initially it was a hobby, later research, now a profession.

• Frederick Cohen coined the term 'Virus'.

• Cohen's definition of virus: "A virus is a program that is able to infect other programs by modifying them to include a possibly evolved copy of itself.”

• For a piece of code to be called a virus, it should be able to replicate itself. Along with this, it may damage the computer.

Page 6: Stealth Virus

Generic Structure of a Virus

• The Replicator: controls the spread of the virus to other files.

• The Concealer: keeps the virus from being detected.

• The Bomb: executes when the activation conditions are satisfied. Often called the Payload. It is optional.

Page 7: Stealth Virus

How does a virus replicate?

(Diagram: an uninfected file made of parts P1 and P2, a virus made of parts V1 and V2, and the resulting infected file in which the virus parts V1 and V2 have been inserted among the host parts P1 and P2.)

Page 8: Stealth Virus

Pre-stealth

• Tunneling Viruses

• Armored Viruses

• Aggressive Retroviruses

Page 9: Stealth Virus

Tunneling Viruses

• Tunneling viruses attempt to be the first on a call chain of interrupts, installing themselves in front of other resident applications.

• In this way, control gets to the virus first, and the virus proceeds to execute the original handler to bypass antivirus monitoring programs.

• A virus examines these system entry points (tunnels). It can tunnel, or trace back, along the program associated with a system call.

• E.g.: Eddie virus

Page 10: Stealth Virus

Armored Viruses

• Authors of armored viruses want to be sure that the virus code is even more difficult for scanners to detect, even if the scanners use techniques such as heuristics that can pinpoint previously unknown computer viruses.

• Furthermore, if a virus sample is obtained by any means, its author wants to make the analysis of the virus code as difficult as possible to further delay rapid response to the virus attack.

• The primary goal is to confuse the analyzer. Commonly used techniques are encrypted data and obfuscated code.

• E.g.: W32/Blaster worm.

Page 11: Stealth Virus

Aggressive Retroviruses

• A retrovirus is a computer virus that specifically tries to bypass or hinder the operation of an antivirus, personal firewall, or other security programs.

• There are many possible ways for an attacker to achieve this, because most Windows users run their computers as a user with administrative privileges.

• This gives computer viruses the potential to kill the processes and files that belong to antivirus software or to disable the antivirus programs.

• E.g.: Disabling AutoProtect.

Page 12: Stealth Virus

Size Stealth

• Most viruses are detected because of the increase in the host's file size.

• In a size stealth virus the size of the file remains the same even after infection.

• Size stealth is a method that hides a file's true size.

(Diagram: uninfected file, 1000 bytes + virus, 100 bytes = infected file, still reported as 1000 bytes.)

How is it possible?

Page 13: Stealth Virus

Method 1

• The DOS operating system has two methods for searching files: one via FCB (functions 11h/12h) and the other via file handles (functions 4Eh/4Fh).

• So we have to hide the files from both FCB and file-handle searches. E.g.: Respect!

• Respect hides by installing a handler on INT 21h that traps the following functions:

– 4Bh : For executing the infected or virus file

– 11h, 12h : Search files using FCB

– 4Eh, 4Fh : Search Files via File Handles

– 57h : Get or set file date and time

Page 14: Stealth Virus

How do we know that a file is infected?

• A virus could "mark" the file in some way, e.g. the 4th byte equals xx. But this costs both virus size and speed, and such a mark cannot be hidden.

• A file's date in the 90's looked like 04-28-96: 04 is the month, 28 the day of the month and (19)96 the year. The virus added 100 to the year so that the stored date became (20)06, while the user still saw 04-28-96. E.g.: Respect!

• The seconds field of the time stamp would be set to a particular value.

• The virus alters dates on the fly. If a program requests function 57h, the virus handler traps the request first and checks whether the specified file is infected with our virus. If yes, it subtracts 100 years and puts the new value in memory. So the virus has started hiding.
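The date markers above can be checked for from the defender's side without the virus being resident: decode the packed DOS date/time fields and look for values that should not occur. The following is an added example, not code from the slides; the DOS packed formats (year since 1980, month, day; hour, minute, seconds/2) are the real ones, while the file names, packed values and the reference year 1996 are constructed for illustration.

```python
# Added example, not from the slides: decode packed DOS date/time fields and
# flag the marker tricks described above. Sample entries are constructed.
from __future__ import annotations

DOS_EPOCH = 1980

def unpack_date(packed: int) -> tuple[int, int, int]:
    """Packed DOS date: bits 15-9 = year - 1980, bits 8-5 = month, bits 4-0 = day."""
    return DOS_EPOCH + (packed >> 9), (packed >> 5) & 0x0F, packed & 0x1F

def unpack_time(packed: int) -> tuple[int, int, int]:
    """Packed DOS time: bits 15-11 = hour, bits 10-5 = minute, bits 4-0 = seconds / 2."""
    return packed >> 11, (packed >> 5) & 0x3F, (packed & 0x1F) * 2

def dos_display(packed_date: int) -> str:
    """What DIR showed in the 90s: MM-DD-YY, only two digits of the year."""
    year, month, day = unpack_date(packed_date)
    return f"{month:02d}-{day:02d}-{year % 100:02d}"

def timestamp_anomalies(packed_time: int, packed_date: int, reference_year: int) -> list[str]:
    """Reasons this timestamp looks like an infection marker; empty when it looks normal."""
    reasons = []
    year, month, day = unpack_date(packed_date)
    hour, minute, second = unpack_time(packed_time)
    if year > reference_year:
        reasons.append(f"year {year} is in the future but displays as {dos_display(packed_date)}")
    if second > 58:  # the 5-bit field can encode up to 62 s, but only 0..58 is valid
        reasons.append(f"seconds value {second} is impossible")
    if not (1 <= month <= 12 and 1 <= day <= 31):
        reasons.append("month or day out of range")
    if hour > 23 or minute > 59:
        reasons.append("hour or minute out of range")
    return reasons

def scan(entries: list[tuple[str, int, int]], reference_year: int = 1996) -> dict[str, list[str]]:
    """entries are (name, packed_time, packed_date); returns only the suspicious ones."""
    return {name: r for name, t, d in entries if (r := timestamp_anomalies(t, d, reference_year))}

# Constructed listing: a clean file dated 04-28-96 10:30:00, the same date with
# 100 added to the year field (DIR still shows 04-28-96), and a file whose
# seconds field was set to 31, i.e. 62 seconds.
SAMPLE_ENTRIES = [
    ("CLEAN.COM",   0x53C0, 0x209C),  # 10:30:00, 04-28-1996
    ("MARKED1.EXE", 0x53C0, 0xE89C),  # 10:30:00, 04-28-2096 (year field + 100)
    ("MARKED2.COM", 0x53DF, 0x209C),  # 10:30:62, 04-28-1996
]
if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```

Because the year field is stored relative to 1980 and DIR printed only two digits, a future-dated file looks normal on screen; the check has to be made on the decoded value, and it is only meaningful when run from a clean boot, since a resident stealth virus would trap function 57h and undo the marker before the scanner sees it.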

Page 15: Stealth Virus

Method 2

• A virus might intercept system calls which examine the contents or attributes of infected files.

• The results of these calls must be altered to correspond to the file's original state.

• For example, a stealth virus might remove the virus code from an executable when it is read (rather than executed) so that an anti-virus software package will examine the original, uninfected host program.

• E.g.: Skywalker

Page 16: Stealth Virus
Page 17: Stealth Virus

Skywalker infects

• Important offsets:

– Offset 0Dh: File time (packed). Used to check if the file is infected by the virus.

– Offset 11h: File size. Subtract the size of the virus from this value.

– Offset 20h: File name. Used to see if the file being opened is a COM or EXE file.

• Steps followed by Skywalker to infect:

1. Intercept the open calls (3Dh and 6Ch). Fake an INT 21h to get the file handle.

2. Check the file's time (offset 0Dh) to see if the file is infected (marked) by the virus.

3. If the file is infected, subtract the size of our virus from offset 11h (file size).

Page 18: Stealth Virus

Full Stealth

• The full stealth on disk method consists of disinfecting on open and reinfecting on close.

• To achieve full stealth, virus writers intercept the open and the close functions.

• So, when the AV software or the user tries to open the file to view its content, the virus disinfects the file or, to put it simply, removes itself from the file.

• This way the file will be clean and no one will suspect that our virus is active in memory.

• And then, when the file gets closed, it is reinfected.

• E.g.: Paranoid

Page 19: Stealth Virus

Disinfect on Open

• Fake an INT 21h call to intercept the 3Dh and 6Ch functions

• Check if the file being opened is a COM or EXE

• Open the file for reading and writing

• Check whether the file is infected or not

• If not infected, exit

• Save the file's time and date

• Read the original bytes into memory

• Write the original code

• Restore the file size

• Subtract the length of our virus

• Restore the original year

• Truncate the file

• Close the file

Page 20: Stealth Virus

Reinfect on close

• Fake an INT 21h call to intercept the 3Eh function

• Check if infected

• If the file is infected, close the file

• Save file time, date and size

• Write the virus to the host

• Set the old file time/date

• Mark the file for stealth

Page 21: Stealth Virus

Redirection Stealth

• Also known as "true full stealth" or as "full stealth in memory", this technique is one of the best file related stealth methods ever known.

• To redirect something means to change its direction.

• In short, this technique redirects all reads of infected bytes to the uninfected ones.

• Hence the name "redirection stealth".

Page 22: Stealth Virus

Encrypted Viruses

• One of the easiest ways to hide the functionality of the virus code was encryption. The first known virus that implemented encryption was Cascade on DOS.

How to make life difficult:

• Multiple layers of encryption are used.

• The start of decryptor is obfuscated.

• The attacker can decide not to store the key for encryption anywhere in the virus. Instead, the virus uses brute force to decrypt itself.

• The direction of the loop can change.

• There is only one decryption loop, but it uses multiple keys to decrypt each encrypted piece of information on the top of the others.

Page 23: Stealth Virus

The Decryptor of the Cascade Virus

lea si, Start     ; position to decrypt (dynamically set)
mov sp, 0682      ; length of encrypted body (1666 bytes)
Decrypt:
xor [si], si      ; decryption key/counter 1 (XOR the word at [si] with SI)
xor [si], sp      ; decryption key/counter 2 (XOR the word at [si] with SP)
inc si            ; increment one counter
dec sp            ; decrement the other
jnz Decrypt       ; loop until all bytes are decrypted
Start:            ; Encrypted/Decrypted Virus Body
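The loop above can be reproduced outside the virus, which is what a scanner's emulator does to recover the plaintext body before matching it. The following is an added example, not code from the slides: a Python emulation of the Cascade loop in which each iteration XORs the 16-bit word at [SI] with SI and then with SP, so every byte is masked by address-dependent values and the result depends on the offset of Start. The body bytes and the load offset 0x01A3 are constructed for illustration.

```python
# Added example, not from the slides: a Python emulation of the Cascade
# decryptor loop, as a scanner's emulator would run it to recover the body.
BODY_LEN = 0x0682  # 1666: the value loaded into SP, one iteration per byte

def cascade_xor(body: bytes, start_offset: int, length: int = BODY_LEN) -> bytes:
    """Run the loop over `body` as if it sat at `start_offset` (the LEA SI, Start value).

    Word writes at [SI] overlap the next byte, so `body` must carry one byte past
    `length` (whatever followed the body in memory).
    """
    if len(body) < length + 1:
        raise ValueError("body must be at least length + 1 bytes")
    buf = bytearray(body[: length + 1])
    for i in range(length):
        si = (start_offset + i) & 0xFFFF   # SI after i increments
        sp = length - i                    # SP counts down from length to 1
        word = buf[i] | (buf[i + 1] << 8)  # little-endian word at [SI]
        word ^= si                         # xor [si], si
        word ^= sp                         # xor [si], sp
        buf[i], buf[i + 1] = word & 0xFF, word >> 8
    return bytes(buf)

def demo() -> tuple[bytes, bytes, bytes, bytes]:
    """Encrypt a constructed body, then emulate at the right and at a wrong offset."""
    plain = (b"CONSTRUCTED SAMPLE BODY " * 80)[:BODY_LEN] + b"\x00"
    load_offset = 0x01A3  # hypothetical offset of Start: inside an infected host
    encrypted = cascade_xor(plain, load_offset)
    # The mask applied to each byte is fixed for a given offset, so running the
    # same loop at the same offset is its own inverse.
    recovered = cascade_xor(encrypted, load_offset)
    # An emulator that guesses the wrong load offset applies different masks.
    garbage = cascade_xor(encrypted, load_offset + 1)
    return plain, encrypted, recovered, garbage

if __name__ == "__main__":
    plain, _, recovered, garbage = demo()
    print("recovered at right offset:", recovered == plain)
    print("recovered at wrong offset:", garbage == plain)
```

Because the key is nothing but the current SI and SP values, the decryptor itself is the only constant part of the virus, which is why scanners matched on the loop rather than on the body, and why the oligomorphic and polymorphic techniques on the following pages target exactly that loop.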

Page 24: Stealth Virus

Oligomorphic Viruses

• A virus is said to be oligomorphic if it is capable of mutating its decryptor only slightly.

• They change their decryptors in new generations. The simplest technique to change the decryptors is to use a set of decryptors instead of a single one.

• The first known virus to use this technique was Whale.

• W95/Memorial had the ability to build 96 different decryptor patterns. Thus detecting the virus based on the decryptor's code was an impractical solution.

Page 25: Stealth Virus

Polymorphic Viruses

• Polymorphic viruses can mutate their decryptors to a high number of different instances that can take millions of different forms.

• The first known polymorphic virus, 1260, was written in the U.S. by Mark Washburn in 1990.

• 1260 is an effective polymorphic engine that generates a high variety of decryptors.

Page 26: Stealth Virus

The Dark Avenger Mutation Engine

• For novice virus writers, it was difficult to write a polymorphic virus.

• However, more advanced virus writers came to their rescue.

• The MtE engine was released as an object that could be linked to any simple virus.

• The first version of MtE was released during the summer of 1991, followed by another version in early 1992.

Page 27: Stealth Virus

The parameters to the engine include the following:

• A work segment

• A pointer to the code to encrypt

• Length of the virus body

• Base of the decryptor

• Entry-point address of the host

• Target location of the encrypted code

• Size of the decryptor (tiny, small, medium, or large)

• Bit field of registers not to use

• MtE's impact on antivirus software was clear. Most AV engines had to go through a painful rearchitecting to introduce a virtual machine for the use of the scanning engine.

Page 28: Stealth Virus

Metamorphic Viruses

• Metamorphic viruses do not have a decryptor or a constant virus body but are able to create new generations that look different.

• They do not use a data area filled with string constants but have a single code body that carries data as code.

• Metamorphic computer viruses have the ability to change their shape by themselves from one form to another, but they usually avoid generating instances that are very close to their parent shape.

• Metamorphic viruses can be very detrimental on operating systems like Linux, since a compiler is available by default.

• Universities face a greater threat from metamorphic viruses than industry does.

Page 29: Stealth Virus

Conclusion

• The virus of tomorrow is not just a binary threat that is held in check by antivirus software. Viruses are going to explore new concealment strategies. There may well be viruses sitting in servers for years, doing nasty things and going unnoticed.

• They will pose bigger and tougher challenges to antivirus researchers, keeping them awake for nights analyzing strains of virus or even exploring where these strains are hidden.

Page 30: Stealth Virus

Questions ?

Page 31: Stealth Virus

Thank You!