Telecommunications Networking II Lecture 41f Viruses and Worms.


Transcript of Telecommunications Networking II Lecture 41f Viruses and Worms.

Page 1:

Telecommunications Networking II

Lecture 41f

Viruses and Worms

Page 2:

Viruses (and Worms) references:

William Stallings, Cryptography and Network Security, Chapter 15.2

Page 3:

Viruses and Worms

• Virus: “A program that can ‘infect’ other programs by modifying them; the modification includes a copy of the virus program, which can then go on to infect other programs” (ref: Stallings p. 504)

• Worm: “Network worm programs use network connections to pass from system to system” (ref: Stallings p. 504)

Page 4:

Viruses and Worms

• Virus: extraneous executable code that attaches itself to a file or an application, and that can reproduce itself to infect other files or applications

• Worm: a stand-alone executable program that can replicate itself, and that can utilize system resources to spread to multiple systems

Page 5:

Simple Virus Structure (ref: Stallings p. 506)

program V :=
{goto main;
 1234567;

 subroutine infect-executable :=
   {loop:
    file := get-random-executable-file;
    if (first-line-of-file = 1234567)
      then goto loop
      else prepend V to file;}

 main: main-program :=
   {infect-executable;
    goto next;}

next:
}

Page 6:

Viruses and Worms

• The simple virus (prior slide) postpends or prepends a fixed executable set of instructions to a file or application

• Changes the size of the file

Page 7:

Viruses and Worms

• If we know how long a file is supposed to be, then we can detect the infection by noting the mismatch between the length of the infected file and the length of an un-infected file.

• However, it is relatively easy to defeat the above detection method, e.g., by compressing the original file so that the infected file ends up with the same length as the original

Page 8:

Compression Virus (Stallings p. 507)

1. Compress next victim file

2. Prepend virus code to compressed victim file

…

3. Execute virus code (infect new files, etc.)

4. Decompress current victim file

5. Run the decompressed file

Page 9:

Viruses and Worms

• Parasite virus: Attaches itself to an executable file; replicates and infects another file when the executable file is executed

• Memory-resident virus: lodges in main memory and infects every program that executes

• Boot sector virus:

Page 10:

Viruses and Worms

• Polymorphic virus: transforms (morphs) itself every time it replicates, to avoid detection of its signature

• Macro virus: infects documents (non-executable files plus macros) that are opened using Microsoft Word or other Office applications; the infected documents can in turn infect other documents, delete files, etc.

Page 11:

Polymorphic Viruses

• Polymorphic viruses attempt to hide themselves from virus signature detection by changing (morphing) themselves every time they replicate

Page 12:

Polymorphic Viruses

• Change with each new infection

• Are (for example) comprised of two parts:
  – A decryptor
  – An encrypted virus file

• Both the decryptor and the encrypted file change each time the virus replicates, so that neither one has a fixed signature

Page 13:

Infected application

[Diagram: an infected application is drawn as three blocks in order: Decryptor, Encrypted virus file, App. 1]

Page 14:

How does it work? (1)

[Diagram: the infected app. (Decryptor, Encrypted virus file, App. 1) is executing; after step 1 it consists of Decryptor, Mutator Engine / Virus version xyz, and App. 1]

1. The decryptor executable will decrypt the encrypted virus file

Page 15:

How does it work? (2)

[Diagram: Virus version xyz (Decryptor, Mutator Engine) running in App. 1 produces Virus version xyz+1 (New Decryptor, Encrypted virus file); the new Decryptor and Encrypted virus file are prepended to App. 2. Steps 2, 3 and 4 are marked.]

2. Virus 1 finds the victim (App. 2)

3. The Mutator Engine creates a new Decryptor and a new virus file, and encrypts the new virus file

4. Virus 2 is prepended to App. 2

Page 16:

“The Black Baron’s” Tutorial (http://www.pins.co.uk/upages/probertm/vx_poly.htm)

    MOV SI,jumbled_data    ; Point to the jumbled data
    MOV CX,10              ; Ten bytes to decrypt
main_loop:
    XOR BYTE PTR [SI],55   ; (unscramble) a byte
    INC SI                 ; Next byte
    LOOP main_loop         ; Loop for the 9 remaining bytes

In other words: encrypt by XOR’ing 55 with each byte of the virus file; and decrypt by XOR’ing 55 again

ultra-simple decryptor

Page 17:

“The Black Baron’s” Tutorial

    MOV CX,10
    MOV SI,jumbled_data
main_loop:
    XOR BYTE PTR [SI],55
    INC SI
    LOOP main_loop

Permuted ultra-simple decryptor

Page 18:

“The Black Baron’s” Tutorial

    MOV CX,10
    NOP
    NOP
    MOV SI,jumbled_data
    NOP
main_loop:
    NOP
    NOP
    XOR BYTE PTR [SI],55
    NOP
    INC SI
    NOP
    NOP
    NOP
    NOP
    LOOP main_loop

NOPs added to Decryptor

Page 19:

“The Black Baron’s” Tutorial

    MOV DX,10              ;Real part of the decryptor!
    MOV SI,1234            ;junk
    AND AX,[SI+1234]       ;junk
    CLD                    ;junk
    MOV DI,jumbled_data    ;Real part of the decryptor!
    TEST [SI+1234],BL      ;junk
    OR AL,CL               ;junk
main_loop:
    ADD SI,SI              ;junk instruction, real loop!
    XOR AX,1234            ;junk
    XOR BYTE PTR [DI],55   ;Real part of the decryptor!
    SUB SI,123             ;junk
    INC DI                 ;Real part of the decryptor!
    TEST DX,1234           ;junk
    AND AL,[BP+1234]       ;junk
    DEC DX                 ;Real part of the decryptor!
    NOP                    ;junk
    XOR AX,DX              ;junk
    SBB AX,[SI+1234]       ;junk
    AND DX,DX              ;Real part of the decryptor!
    JNZ main_loop          ;Real part of the decryptor!

Junk added to Decryptor

Page 20:

Detecting Viruses (ref: Stallings pp. 510-514)

• Look for a known virus signature

• Heuristic methods: look for structures in a file that look like they may be associated with a virus (e.g., a decryption loop)

• Checksums (easily defeated using compression and de-compression techniques or by changing the checksum)

• Digital signatures
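The length test from the earlier slides, the "Checksums" bullet and the "Digital signatures" bullet differ in what an attacker who can rewrite the file can also fake. The following Python example is added here and is not part of the lecture or of Stallings' text: it records a baseline of a constructed executable image (size, an unkeyed SHA-256 checksum, and an HMAC-SHA256 used as a keyed stand-in for a digital signature), then simulates only the byte-level size effect of the compression virus (compress, prepend a constructed marker, pad back to the original length; no executable behaviour) and shows which checks survive. The file contents, marker and key are all constructed for the example.

```python
"""Integrity checks against file modification (added example): the lecture's
length test, an unkeyed stored checksum, and a keyed MAC standing in for a
digital signature. The 'infected' image is simulated at the byte level only."""
import hashlib
import hmac
import zlib

# Constructed stand-in for a clean executable image (2048 bytes, compresses well)
CLEAN = bytes(range(256)) * 8
# Constructed stand-in for prepended code: a marker string with no behaviour
MARKER = b"[constructed prepended bytes]"
# Constructed secret: the verifier holds it, whoever rewrites the file does not
KEY = b"constructed-integrity-key"


def compression_style_modification(original):
    """Mimic only the size effect of the lecture's compression virus: compress the
    original, prepend the marker, and pad so the total length is unchanged."""
    body = MARKER + zlib.compress(original, 9)
    if len(body) > len(original):
        raise ValueError("original does not compress enough to hide the size change")
    return body + b"\0" * (len(original) - len(body))


def stored_checksum(data):
    """Unkeyed digest: anyone who can rewrite the file can recompute this too."""
    return hashlib.sha256(data).hexdigest()


def keyed_mac(key, data):
    """HMAC-SHA256: recomputing it requires the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_baseline(data, key):
    """Record everything the three checks will later compare against."""
    return {"size": len(data), "checksum": stored_checksum(data), "mac": keyed_mac(key, data)}


def verify(baseline, data, key):
    """Report which of the three checks still pass for `data` against the baseline."""
    return {
        "size": len(data) == baseline["size"],
        "checksum": hmac.compare_digest(stored_checksum(data), baseline["checksum"]),
        "mac": hmac.compare_digest(keyed_mac(key, data), baseline["mac"]),
    }


BASELINE = make_baseline(CLEAN, KEY)
MODIFIED = compression_style_modification(CLEAN)
# A writer who can also edit the baseline record can refresh the unkeyed checksum,
# but cannot produce a matching MAC without KEY.
TAMPERED_BASELINE = dict(BASELINE, checksum=stored_checksum(MODIFIED))

if __name__ == "__main__":
    print("modified vs baseline:        ", verify(BASELINE, MODIFIED, KEY))
    print("modified vs tampered baseline:", verify(TAMPERED_BASELINE, MODIFIED, KEY))
```

The size check passes for the modified image, which is the slide's point about compression; the unkeyed checksum catches it only until the stored checksum is rewritten as well; the keyed MAC fails in both cases because the key is not available to whoever rewrote the file, which is the property a digital signature provides with a private key instead of a shared secret.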

Page 21:

Virus Signature Detection

Example:

20,000 files to check
× 30,000 virus signatures to test against
= 600,000,000 tests to perform

@ 1 test per microsecond => 10 minutes to perform the virus check
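The 600,000,000 figure assumes every file is tested against every signature separately. The Python example below is added here (it is not from the lecture) and shows both the lecture's cost model and the usual way scanners avoid it: index all signatures by their first few bytes, then make one pass over each file, looking up each window in the index and verifying the full signature only on a prefix hit. The signatures and file contents are constructed byte strings, not real malware signatures.

```python
"""Signature scanning (added example): the lecture's cost model, and a single-pass
multi-signature scanner whose cost grows with file bytes, not with file x signature."""


def naive_test_count(num_files, num_signatures):
    """The lecture's model: every file is tested against every signature."""
    return num_files * num_signatures


def naive_scan_minutes(num_files, num_signatures, microseconds_per_test=1.0):
    """Wall-clock estimate for the naive model at a fixed cost per test."""
    return naive_test_count(num_files, num_signatures) * microseconds_per_test / 1e6 / 60


PREFIX = 4  # bytes of each signature used as the single-pass lookup key


def build_index(signatures):
    """Map each signature's first PREFIX bytes to every (name, signature) sharing
    that prefix, so one window lookup replaces one test per signature."""
    index = {}
    for name, sig in signatures.items():
        if len(sig) < PREFIX:
            raise ValueError(f"{name}: signatures must be at least {PREFIX} bytes")
        index.setdefault(sig[:PREFIX], []).append((name, sig))
    return index


def scan_file(data, index):
    """One pass over `data`; returns the names of all signatures found in it."""
    hits = set()
    for i in range(len(data) - PREFIX + 1):
        for name, sig in index.get(data[i:i + PREFIX], ()):
            if data.startswith(sig, i):      # confirm the whole signature, not just the prefix
                hits.add(name)
    return hits


def scan_all(files, signatures):
    """Scan a mapping of path -> bytes against all signatures."""
    index = build_index(signatures)
    return {path: scan_file(data, index) for path, data in files.items()}


# Constructed signatures (arbitrary bytes). SIG-A and SIG-A2 share a prefix on purpose.
SIGNATURES = {
    "SIG-A": b"\x90\x90\xeb\x05\x33\xc0",
    "SIG-A2": b"\x90\x90\xeb\x05\xff\xff",
    "SIG-B": b"CONSTRUCTED-SIG-B",
}

_CLEAN = bytes(range(256)) * 4   # constructed clean content; contains no signature
# Constructed sample "files"
FILES = {
    "clean.bin": _CLEAN,
    "suspect1.bin": b"header" + SIGNATURES["SIG-A"] + b"trailer",
    "suspect2.bin": _CLEAN[:100] + SIGNATURES["SIG-B"] + _CLEAN[100:],
    "near-miss.bin": b"\x90\x90\xeb\x05\x00\x00\x00\x00",   # prefix hit, full signature absent
}

if __name__ == "__main__":
    print(f"naive: {naive_test_count(20_000, 30_000):,} tests, "
          f"{naive_scan_minutes(20_000, 30_000):.1f} minutes")
    for path, found in scan_all(FILES, SIGNATURES).items():
        print(path, sorted(found) or "-")
```

With the index, the number of signatures affects only the size of the lookup table, so the work per file is roughly proportional to its length; production engines take the same idea further with multi-pattern automata such as Aho-Corasick. The near-miss file shows why the full-signature confirmation step is needed after a prefix hit.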

Page 22:

Heuristic

Intuitive: e.g., seems like it might work

Plausible: seems to make sense

Not proven: but, then again, it’s hard to say how effective it will be

Example: Stock analysts present heuristic arguments to support their predictions

Page 23:

Detecting Viruses (ref: Stallings pp. 510-514)

• Identify viruses by the actions they cause

• Pre-execute all programs in an emulator (i.e., interpret the instructions one at a time, under control of the virus detection engine) to observe such things as decryption processes and the signatures of decrypted viruses
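The emulation bullet above, the "decryption loop" heuristic on the earlier Detecting Viruses slide, and the Black Baron decryptor listings fit together in one worked example. The Python below is added here and is not from the lecture or from the tutorial it cites: it is a toy interpreter for just the instructions used by the ultra-simple and NOP-padded decryptors (MOV, XOR BYTE PTR, INC, LOOP, NOP), run under the detection engine's control over a private memory image. The engine counts loop iterations and XOR writes to memory as its heuristic, then hashes the decrypted bytes and compares them against a stored signature, which a scan of the jumbled on-disk bytes would never match. The "virus body" is a constructed 10-byte string with no behaviour, the XOR immediate is the slide's literal 55 taken as written, and the memory layout is assumed for the example.

```python
"""Toy emulation-based detection (added example): run a suspect's decryptor in a
tiny interpreter, watch for a decryption-loop pattern, then signature-match the
decrypted bytes. Nothing here executes real code; it interprets tuples."""
import hashlib

KEY = 55                 # the immediate in "XOR BYTE PTR [SI],55", taken as written
DATA_BASE = 0x100        # assumed address of the jumbled data in emulated memory

# Constructed stand-in for a virus body: 10 bytes the scanner knows how to recognise
PLAIN_BODY = b"TOYBODY-01"
BODY_SIGNATURE = hashlib.sha256(PLAIN_BODY).hexdigest()   # what the scanner stores
JUMBLED = bytes(b ^ KEY for b in PLAIN_BODY)               # what sits in the file

# The slide's decryptors as (opcode, operands...) tuples; "jumbled_data" is a label
ULTRA_SIMPLE = [
    ("MOV", "SI", "jumbled_data"),
    ("MOV", "CX", 10),
    ("LABEL", "main_loop"),
    ("XORB", "SI", KEY),          # XOR BYTE PTR [SI],55
    ("INC", "SI"),
    ("LOOP", "main_loop"),
]
NOP_PADDED = [
    ("MOV", "CX", 10), ("NOP",), ("NOP",), ("MOV", "SI", "jumbled_data"), ("NOP",),
    ("LABEL", "main_loop"), ("NOP",), ("NOP",), ("XORB", "SI", KEY), ("NOP",),
    ("INC", "SI"), ("NOP",), ("NOP",), ("NOP",), ("NOP",), ("LOOP", "main_loop"),
]


def emulate(program, jumbled, max_steps=10_000):
    """Interpret `program` one instruction at a time over a private memory image.
    Returns the memory afterwards plus the counters the heuristic looks at."""
    mem = bytearray(0x200)
    mem[DATA_BASE:DATA_BASE + len(jumbled)] = jumbled
    regs = {"SI": 0, "CX": 0}
    labels = {ins[1]: i for i, ins in enumerate(program) if ins[0] == "LABEL"}
    pc, steps, back_edges, xor_writes = 0, 0, 0, 0
    while pc < len(program) and steps < max_steps:   # step cap: never run forever
        ins, op = program[pc], program[pc][0]
        steps += 1
        if op in ("LABEL", "NOP"):
            pass
        elif op == "MOV":
            regs[ins[1]] = DATA_BASE if ins[2] == "jumbled_data" else ins[2]
        elif op == "XORB":                   # XOR one memory byte with an immediate
            mem[regs[ins[1]]] ^= ins[2]
            xor_writes += 1
        elif op == "INC":
            regs[ins[1]] = (regs[ins[1]] + 1) & 0xFFFF
        elif op == "LOOP":                   # CX -= 1; jump while CX != 0
            regs["CX"] = (regs["CX"] - 1) & 0xFFFF
            if regs["CX"]:
                if labels[ins[1]] < pc:
                    back_edges += 1          # a backward jump = one loop iteration
                pc = labels[ins[1]]
                continue
        else:
            raise ValueError(f"unsupported instruction {op}")
        pc += 1
    return mem, {"steps": steps, "back_edges": back_edges, "xor_writes": xor_writes}


def looks_like_decryption_loop(stats, min_iterations=4):
    """Heuristic: a loop that ran several times and XOR-modified memory each time."""
    return stats["back_edges"] >= min_iterations and stats["xor_writes"] >= stats["back_edges"]


def signature_matches(buf):
    """Signature test on a byte buffer (here: a digest of the first 10 bytes)."""
    return hashlib.sha256(bytes(buf[:len(PLAIN_BODY)])).hexdigest() == BODY_SIGNATURE


def detect(program, jumbled):
    """Static scan of the stored bytes, then emulation followed by a scan of memory."""
    mem, stats = emulate(program, jumbled)
    decrypted = mem[DATA_BASE:DATA_BASE + len(jumbled)]
    return {
        "static_signature": signature_matches(jumbled),
        "heuristic": looks_like_decryption_loop(stats),
        "signature_after_emulation": signature_matches(decrypted),
    }


if __name__ == "__main__":
    for name, prog in (("ultra-simple", ULTRA_SIMPLE), ("NOP-padded", NOP_PADDED)):
        print(name, detect(prog, JUMBLED))
```

Both decryptor layouts give the same verdict even though their byte sequences differ, which is why the emulator sees through the permutation and NOP-padding slides: the static signature never matches the jumbled bytes, the loop heuristic fires on the nine backward jumps, and the signature of the decrypted body matches only after emulation. The step cap is the kind of safeguard a real engine needs so that a suspect program cannot stall the scanner.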