
Stealth


Presentation Transcript


  1. Stealth
     Dr. Richard Ford, rford@fit.edu

  2. What are we going to talk about?
     • Szor 5.2.5
     • A.k.a. Stealth Viruses
     • “How viruses hide”

  3. What is Stealth?
     • Loosely, it’s trying to hide from your attacker
     • In the same way as we use in “normal” language
     • http://www.youtube.com/watch?v=Do6hTwZ6Un8

  4. Passive v. Active
     • Passive stealth might be not changing external attributes
     • Active stealth requires the virus to take an “active” role in the process

  5. Steganography…
     • Hiding in plain sight
     • Basically, Windows has so many different places to hide code, sometimes you don’t need to hide it, just bury it

  6. Directory-level Stealth
     • Semi-stealth: just hide the changes to the file length
     • Quite easy – look at the power of the DOS and Windows API
     • Requires a virus to be memory-resident

  7. More Stealth… IAT
     • Can use code like Detours to hook the IAT
     • Very flexible technique, which can be used completely transparently!

  8. Read Stealth
     • Return the “real” body of the file on reads/seeks
     • Requires the virus to intercept calls to reads and can cause problems on writes
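Slides 6 and 8 describe two levels of the same trick: semi-stealth only corrects the file length the directory API reports, while read stealth also returns the pre-infection body on reads. The defensive consequence is worth seeing in code. Because the hook is memory-resident, it can only lie through the API it intercepts, so a scanner either looks for an internal inconsistency in that one view (reported size versus bytes actually returned by a read, which catches semi-stealth) or compares the API view against an unmediated "raw" view of the same bytes, such as a clean-boot or offline read (which also catches full read stealth). The following is an added example, not code from the lecture or from Szor's book; the "disk", the file names, the appended-region placeholder and the hook model are all constructed for the simulation, and `RawView`, `HookedApiView`, `cross_view_diff` and `single_view_inconsistent` are hypothetical names.

```python
"""Cross-view differencing against directory-level (size) and read stealth.

Constructed simulation for an added example: the 'hook' below is a few lines
that model what a resident stealth routine presents through the OS API, and
the 'raw' view models an unmediated read of the same bytes (clean boot or
offline scan). Nothing here touches a real file system.
"""
import hashlib
from typing import Dict, List

# Constructed sample files. APPENDED stands in for whatever an appending
# infector adds to a host; it is a labelled placeholder, not code.
HOST_CLEAN = b"MZ" + b"\x90" * 30 + b"original program body"
APPENDED = b"[constructed appended-region placeholder]"
HOST_ON_DISK = HOST_CLEAN + APPENDED
OTHER_FILE = b"unrelated data file"

DISK: Dict[str, bytes] = {"HOST.COM": HOST_ON_DISK, "NOTES.TXT": OTHER_FILE}


class RawView:
    """Trusted view: the bytes as they really are on the medium."""

    def __init__(self, disk: Dict[str, bytes]) -> None:
        self.disk = disk

    def size(self, name: str) -> int:
        return len(self.disk[name])

    def read(self, name: str) -> bytes:
        return self.disk[name]


class HookedApiView(RawView):
    """Untrusted view: what a resident stealth hook presents through the API.

    Semi-stealth (slide 6) subtracts the appended length from the reported
    size; read stealth (slide 8) additionally truncates what reads return.
    'hidden' maps a file name to the number of trailing bytes concealed.
    """

    def __init__(self, disk: Dict[str, bytes], hidden: Dict[str, int],
                 hide_reads: bool) -> None:
        super().__init__(disk)
        self.hidden = hidden
        self.hide_reads = hide_reads

    def size(self, name: str) -> int:
        return super().size(name) - self.hidden.get(name, 0)

    def read(self, name: str) -> bytes:
        data = super().read(name)
        if self.hide_reads and name in self.hidden:
            return data[: len(data) - self.hidden[name]]
        return data


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def single_view_inconsistent(api: RawView, name: str) -> bool:
    """Semi-stealth check needing only the API view: does a read return a
    different number of bytes than the directory entry claims?"""
    return len(api.read(name)) != api.size(name)


def cross_view_diff(api: RawView, raw: RawView) -> List[dict]:
    """Report every file whose API size or content disagrees with the raw view."""
    findings = []
    for name in sorted(raw.disk):
        api_size, raw_size = api.size(name), raw.size(name)
        api_data, raw_data = api.read(name), raw.read(name)
        if api_size != raw_size or api_data != raw_data:
            findings.append({
                "name": name,
                "api_size": api_size,
                "raw_size": raw_size,
                "hidden_bytes": raw_size - api_size,
                "content_differs": sha256(api_data) != sha256(raw_data),
            })
    return findings


def scan(hide_reads: bool) -> List[dict]:
    """Run the cross-view check with a hook hiding HOST.COM's appended region."""
    hidden = {"HOST.COM": len(APPENDED)}
    return cross_view_diff(HookedApiView(DISK, hidden, hide_reads), RawView(DISK))


if __name__ == "__main__":
    for label, hide_reads in (("semi-stealth (size only)", False),
                              ("read stealth (size + content)", True)):
        print(label)
        for finding in scan(hide_reads):
            print("  ", finding)
```

Run stand-alone it prints one finding for HOST.COM under each hook model and none for NOTES.TXT. The design point is which view you trust: with size-only semi-stealth the API contradicts itself (the read returns more bytes than the reported size), whereas full read stealth keeps the API view self-consistent and is only exposed by the raw comparison. That is why the slide's "requires a virus to be memory-resident" matters to a defender: a scan taken from a medium the resident code never mediated is the reference view.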

  9. Full Stealth
     • FRODO
     • Problem: if the stealth is perfect…
     • Can even go to Cluster and Sector-level stealth

  10. Hardware-level stealth
     • Drawback of hooking Int 13h?
     • Right!
     • So… can hook Int 76h instead. Sneaky, eh?
     • Also, could play with microcode

  11. Next Lesson
     • Polymorphism
