Stealth
Dr. Richard Ford, rford@fit.edu
What are we going to talk about?
• Szor 5.2.5
• A.k.a. Stealth Viruses
• “How viruses hide”
What is Stealth?
• Loosely, it’s trying to hide from your attacker
• In the same way as we use in “normal” language
• http://www.youtube.com/watch?v=Do6hTwZ6Un8
Passive v. Active
• Passive stealth might be not changing external attributes
• Active stealth requires the virus to take an “active” role in the process
Steganography…
• Hiding in plain sight
• Basically, Windows has so many different places to hide code that sometimes you don’t need to hide it, just bury it
Directory-level Stealth
• Semi-stealth: just hide the changes to the file length
• Quite easy – look at the power of the DOS and Windows API
• Requires a virus to be memory-resident
More Stealth… IAT
• Can use code like Detours to hook the IAT
• Very flexible technique, which can be used completely transparently!
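A defender-side check that follows from the slide above, as an added example that is not from the lecture, Szor, or Detours: every IAT slot for a function imported from DLL X should resolve to an address inside X’s mapped image, so slots that land in another module or in unmapped memory are candidates for a hook. The module map and IAT snapshot are constructed sample data, not taken from a real process.

```python
"""Cross-check an import address table (IAT) against the loaded-module map.

An IAT hook overwrites the resolved address of an imported function so
calls detour through foreign code first. Sanity check: the slot for a
function imported from DLL X must point inside X's mapped image range.
All addresses and module names below are constructed sample values.
"""

# Constructed module map: name -> (base address, image size)
MODULES = {
    "kernel32.dll": (0x7FF800000000, 0xC0000),
    "ntdll.dll":    (0x7FF810000000, 0x1F0000),
    "hook.dll":     (0x7FF900000000, 0x20000),   # an unexpected extra module
}

# Constructed IAT snapshot: (imported function, exporting DLL, resolved address)
IAT = [
    ("CreateFileW", "kernel32.dll", 0x7FF800012340),   # inside kernel32: fine
    ("ReadFile",    "kernel32.dll", 0x7FF900001000),   # resolves into hook.dll
    ("NtClose",     "ntdll.dll",    0x0000000ABCD00),  # resolves to unmapped memory
]


def owner_of(addr, modules):
    """Return the name of the module whose image range contains addr, else None."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def find_iat_anomalies(iat, modules):
    """Return [(function, expected_dll, actual_owner)] for every suspicious slot.

    actual_owner is None when the address lies outside every known module.
    """
    anomalies = []
    for func, dll, addr in iat:
        owner = owner_of(addr, modules)
        if owner != dll.lower():
            anomalies.append((func, dll, owner))
    return anomalies


if __name__ == "__main__":
    for func, dll, owner in find_iat_anomalies(IAT, MODULES):
        print(f"{func}: expected {dll}, resolves into {owner or 'unmapped memory'}")
```

Forwarded exports (one DLL legitimately forwarding a function to another) will also trip this check, so an out-of-range slot is a lead to examine, not proof of a hook.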
Read Stealth
• Return the “real” body of the file on reads/seeks
• Requires the virus to intercept calls to reads and can cause problems on writes
Full Stealth
• FRODO
• Problem: if the stealth is perfect…
• Can even go to Cluster and Sector-level stealth
Hardware-level stealth
• Drawback of hooking Int 13h?
• Right!
• So… can hook Int 76h instead. Sneaky, eh?
• Also, could play with microcode
Next Lesson
• Polymorphism