
Polymorphic Viruses


Presentation Transcript


  1. Dr. Richard Ford rford@fit.edu Polymorphic Viruses

  2. What are we going to talk about? • Szor 7 • Another way viruses try to evade scanners

  3. Virus Scanners • Look for “known” viruses • Basically, used to look for hex strings in files • Virus writers tried to make this more difficult…

  4. “Encrypted” viruses • First virus: Cascade • Benefit: Forces the vendor to choose a hex string from a small part of the virus code • Increases chances of a false positive

  5. Cascade
       LEA si, Start
       MOV sp, 0682
     Decrypt:
       XOR [si], si
       XOR [si], sp
       INC si
       DEC sp
       JNZ Decrypt
     Start:

  6. Similarly…
       MOV EDI, 00403045h
       ADD EDI, EBP
       MOV ECX, 0A6Bh
       MOV AL, [key]
     Decrypt:
       XOR [EDI], AL
       INC EDI
       LOOP Decrypt
       JMP Start
     key DB 86          ; one-byte key stored in the body
     Start:

  7. Nesting and other complications • Virus writer can implement multiple layers of “encryption” • Why do I keep putting “encryption” in quotes? • Use multiple keys • Start of loop can be obfuscated • Can “not” store the decryption key in the body • Can use strong crypto (but…)

  8. Weakness? • Well, in these examples, the decryption routine is static • Can detect on the decryption routine if not the virus body… can the attacker do better?
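Worked illustration of slides 5 and 8, added here and not part of the lecture: because Cascade's decryption loop never changes, a scanner that recognizes the loop can replay it over the file image (code emulation) and then run its ordinary signature check on the recovered body. The function names, the 0x120 start offset, the body text and the signature bytes are all constructed for the demo; `cascade_encrypt` exists only to build the sample and does so by applying the loop's steps in reverse order, since each 16-bit XOR step is its own inverse but neighbouring steps overlap by one byte.

```python
# Added example (not from the lecture): replaying Cascade's fixed decryption
# loop the way a scanner with a code emulator would, so that the recovered
# body can be checked against a signature.  Offsets, body text and the
# signature below are constructed for the demo.

PLAIN_BODY = b"constructed virus body ... CONSTRUCTED-BODY-SIGNATURE ... end"
SIGNATURE = b"CONSTRUCTED-BODY-SIGNATURE"


def cascade_decrypt(image, start, count):
    """Replay  XOR [si],si / XOR [si],sp / INC si / DEC sp / JNZ Decrypt.

    SI starts at the body (label Start) and SP holds the byte count.  Both
    XORs are 16-bit, so every step rewrites the little-endian word at [SI],
    and consecutive steps overlap by one byte.
    """
    if not 0 < count < 0x10000:
        raise ValueError("count must fit the 16-bit SP register")
    img = bytearray(image)
    si, sp = start, count
    while True:
        word = img[si] | (img[si + 1] << 8)
        word ^= (si ^ sp) & 0xFFFF
        img[si], img[si + 1] = word & 0xFF, word >> 8
        si += 1
        sp -= 1
        if sp == 0:            # JNZ falls through once SP reaches zero
            break
    return img


def cascade_encrypt(image, start, count):
    """Inverse of cascade_decrypt, used only to build the constructed sample.

    Each loop step is an involution (a word XOR), but the steps overlap, so
    the inverse of the whole loop is the same steps applied in reverse order.
    """
    img = bytearray(image)
    for k in range(count - 1, -1, -1):
        si, sp = start + k, count - k      # register values at step k
        word = img[si] | (img[si + 1] << 8)
        word ^= (si ^ sp) & 0xFFFF
        img[si], img[si + 1] = word & 0xFF, word >> 8
    return img


def build_sample(start=0x120):
    """Constructed infected image: a dummy stub of `start` bytes, then the encrypted body."""
    count = len(PLAIN_BODY)
    # Two bytes of padding: the last 16-bit step also touches the byte after the body.
    image = bytearray(b"\x90" * start) + bytearray(PLAIN_BODY) + bytearray(2)
    return cascade_encrypt(image, start, count), start, count


def scan(image, start, count, signature=SIGNATURE):
    """Signature check on the raw file versus on the emulated decryption result."""
    return {
        "raw_match": signature in bytes(image),
        "emulated_match": signature in bytes(cascade_decrypt(image, start, count)),
    }


if __name__ == "__main__":
    img, start, count = build_sample()
    print(scan(img, start, count))   # {'raw_match': False, 'emulated_match': True}
```

The raw file never contains the signature, so a plain hex-string scanner would have to match on the decryptor itself (the weakness the slide points out); after replaying the loop the body signature is found. Real engines generalize this into emulating an unknown decryptor for a bounded number of instructions before scanning.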

  9. Oligomorphic Viruses • What? • Having or passing through few changes of form. • Example: Whale virus carried multiple decryptors with it • Of course, such viruses require painstaking analysis…

  10. Polymorphic • Next level: millions of possible decryption routines, dynamically generated • First known: 1260 • Technique used: insert “junk” instructions into the decryption loop

  11. Example
       INC DI
       NOP
       CLC
       INC AX
       LOOP Decrypt

  12. Detection? • One possibility: code optimization • Well-known from other parts of CS… • But was attacked directly by MTE
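A toy version of the "code optimization" idea on slide 12, added here and not part of the lecture: junk that only sets unread flags or writes registers nobody reads is stripped from a decryption loop until a fixpoint, so padded variants collapse to one canonical form that can be compared with a known decryptor. Register families are tracked (AX, AH and AL all map to EAX) so that an instruction touching the key register is not mistaken for junk; that is why `INC AX` survives in the second variant below. The mnemonic tables, the two sample loops and the `normalize`/`matches_known` names are assumptions for the demo.

```python
# Added example (not from the lecture): a toy "code optimization" pass that
# strips junk from a decryption loop so that variants of the same decryptor
# collapse to one canonical form.  Register-family aliasing is tracked so a
# write to AX is recognized as touching the key held in AL.  Mnemonic tables,
# sample loops and function names are assumptions for the demo.
import re

_FAMILIES = [("EAX", "AX", "AH", "AL"), ("EBX", "BX", "BH", "BL"),
             ("ECX", "CX", "CH", "CL"), ("EDX", "DX", "DH", "DL"),
             ("ESI", "SI"), ("EDI", "DI"), ("EBP", "BP"), ("ESP", "SP")]
FAMILY = {reg: fam[0] for fam in _FAMILIES for reg in fam}

# No register or memory effect; the loops here never test the flags they set.
PURE_JUNK = {"NOP", "CLC", "STC", "CMC"}
# Flags aside, these only rewrite their first operand.
REG_WRITERS = {"INC", "DEC", "NEG", "NOT", "MOV", "ADD", "SUB",
               "XOR", "OR", "AND", "ROL", "ROR"}
IMPLICIT = {"LOOP": ({"ECX"}, {"ECX"})}      # (reads, writes) hidden in the mnemonic
_WORD = re.compile(r"[A-Za-z]+")

# Clean decryptor loop from slide 6 plus two constructed junk-padded variants.
KNOWN_LOOP = ["XOR [EDI], AL", "INC EDI", "LOOP Decrypt"]
VARIANT_A = ["Decrypt:", "XOR [EDI], AL", "INC SI", "NOP", "MOV BX, 1234h",
             "CLC", "INC EDI", "ADD DX, BX", "LOOP Decrypt"]
VARIANT_B = ["Decrypt:", "XOR [EDI], AL", "INC AX", "NOP", "INC EDI", "LOOP Decrypt"]


def _regs(operand):
    """Register families named in an operand, e.g. '[BP+0D2B]' -> {'EBP'}."""
    return {FAMILY[t.upper()] for t in _WORD.findall(operand) if t.upper() in FAMILY}


def parse(line):
    mnemonic, _, rest = line.strip().partition(" ")
    operands = [o.strip() for o in rest.split(",")] if rest.strip() else []
    return mnemonic.upper(), operands


def effects(line):
    """(reads, writes) of one instruction as sets of register families."""
    op, ops = parse(line)
    reads, writes = set(), set()
    if op in IMPLICIT:
        reads |= IMPLICIT[op][0]
        writes |= IMPLICIT[op][1]
    elif op in REG_WRITERS and ops:
        dest, srcs = ops[0], ops[1:]
        for src in srcs:
            reads |= _regs(src)
        if dest.startswith("["):        # memory destination: address registers are read
            reads |= _regs(dest)
        else:
            writes |= _regs(dest)
            if op != "MOV":              # read-modify-write
                reads |= _regs(dest)
    else:                                # unknown mnemonic: assume it reads what it names
        for o in ops:
            reads |= _regs(o)
    return reads, writes


def normalize(loop_body):
    """Remove junk until a fixpoint; return the canonical instruction tuple."""
    insns = [l.strip() for l in loop_body if l.strip() and not l.strip().endswith(":")]
    changed = True
    while changed:
        changed = False
        kept = []
        for i, line in enumerate(insns):
            op, _ = parse(line)
            if op in PURE_JUNK:
                changed = True
                continue
            writes = effects(line)[1]
            if op in REG_WRITERS and writes:
                read_elsewhere = set().union(*(effects(o)[0] for j, o in enumerate(insns) if j != i))
                if not writes & read_elsewhere:   # nobody consumes the result: dead store
                    changed = True
                    continue
            kept.append(line)
        insns = kept
    return tuple(" ".join(l.upper().replace(",", ", ").split()) for l in insns)


def matches_known(loop_body, known=KNOWN_LOOP):
    return normalize(loop_body) == normalize(known)


if __name__ == "__main__":
    print(normalize(VARIANT_A), matches_known(VARIANT_A))   # clean core, True
    print(normalize(VARIANT_B), matches_known(VARIANT_B))   # INC AX kept (key in AL), False
```

The fixpoint matters for chained junk: `ADD DX, BX` is removed first because nothing reads DX, and only then does `MOV BX, 1234h` become dead. The pass is deliberately simple; it cannot undo the kind of arithmetic reshuffling of live registers that the MTE sample on slides 14 and 15 performs, which is the limitation the slide alludes to.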

  13. Mutation Engine • Module for providing polymorphism • Called a function passing: • Work segment • Pointer to code to encrypt • Length of the virus body • Base of the decryptor • Entry-point of the host • Target location of the encrypted code • Size of decryptor (tiny, small, medium, large) • Bit field of registers not to use • Returns: a buffer containing the encrypted virus plus a decryption routine

  14. MTE: Sample
       MOV BP, A16C
       MOV CL, 03
       ROR BP, CL
       MOV CX, BP
       MOV BP, 856E
       OR BP, 740F
       MOV SI, BP
       MOV BP, 3B92
       ADD BP, SI
       XOR BP, CX
       SUB BP, B10C        ; sets final value of BP…

  15. Cntd…
     Decrypt:
       MOV BX, [BP+0D2B]
       ADD BX, 9D64
       XCHG [BP+0D2B], BX
       MOV BX, 8F31
       SUB BX, BP
       MOV BP, 8F33
       SUB BP, BX
       JNZ Decrypt
     START:

  16. How to Detect? • Let’s talk about it…

  17. Other Techniques • Carry your source and look for a compiler • Why is this so very horrible? • And then there’s System.Reflection.Emit to worry about…

  18. Metamorphic Viruses • Muttik: “metamorphics are body-polymorphic” • Example: ZPerm • Uses JMPs to reorder its own code

  19. Assignment • Due: 2 weeks from today, before class • Write a METAMORPHIC “Hello World” generator that: • Creates 10 COM files • Creates different files each time you run it • Must use C/C++ • Turn in the solution in SVN with JUST THE FILES I NEED to check out and compile with no challenges
