Goals
Viruses and Worms o Introduction to malware taxonomy o Appreciating the evolution of viruses Encryption, polymorphism, metamorphism o General Anti-Virus (AV) detection techniques
Thrursday, November 20, 2014 o Understanding the arms race between virus writers Sources: see final slide and anti-virus detectors. o Appreciate that: if you take your time, use a few patterns, and use many levels of indirection, you are very hard to beat CS342 Computer Security
Department of Computer Science Wellesley College
Viruses and Worms 22-2
TypeMalware TaxonomyCharacteristics Malware (MALicious softWARE) Virus Self-replicating code that infects a host file. Usually requires human interaction to spread. Sometimes used as generic term for all malware. o A generic term increasingly being used to describe any form of Worm Self-replicating code that spreads across a network. malicious software like: Usually does not require human interaction to spread. Rabbit Virus or worm that multiplies without bound viruses, worms, Trojan horses, rootkits, spyware, Trojan Horse Disguises itself as a useful program while masking malicious mobile code, backdoors, dialers, ransomware hidden malicious purpose. o Combinations are common Backdoor/Trapdoor Bypasses normal security controls to give attacker access User-level Rootkit Replaces or modifies executable programs used by system administrators and Some malware are actually combinations of more basic malware users (e.g., a rootkit can be viewed as Trojan horse backdoor tool) Kernel-level Rootkit Manipulates the OS kernel to hide and create backdoors o Broadly classified according to: Spyware Monitors user interaction and collects information (e.g., via keylogger) • Infection technique: how does it propagate? Logic Bomb Dormant malicious code triggered by date or event. • Impact on target: what does it do? Easter Egg Cute but harmless behavior triggered by special input. Malicious Mobile Code Small programs downloaded and executed locally with minimal user intervention. • Type of exploited vulnerability: How (by violating which Typically written in Javascript, VBScript, Java, or ActiveX assumption) did it get in? Combination Malware Combines techniques to increase effectiveness
Viruses and Worms 22-3 Viruses and Worms 22-4 Malware evolution Virus Basics Themes: o Frederick B. Cohen s definition: o Increasing complexity/sophistication o Acceleration of rate of A virus is a program that can infect other programs by tool/technique release o Movement from viruses -> worms modifying them to include a, possibly evolved, version of itself. -> kernel level exploits o Virus = code that attaches itself to host programs and runs when host program executes. Running the host program usually requires user intervention.
o Self-replication: when the virus runs, it copies (a possibly mutated version of) itself to other host programs.
• Self-replicating mutating code is a cornerstone of artificial life research.
o A virus needs a target location method to find other hosts.
Figure from Skoudis Malware, p.16. o A running virus may also execute a payload = mischievous or malicious action.
Viruses and Worms 22-5 Viruses and Worms 22-6
Highly Destructive Malicious Viruses How do Viruses Spread?
o Delete all/many files. Infected program Uninfected program owned by user 1 owned by user 2 Michelangelo virus deleted a partition on Michelangelo s birthday. o Consume resources (processor, memory, bandwidth …) virus v ⇒ denial of service.
o Such viruses can have trouble spreading. Why is Ebola relatively uncommon in apes/humans (at least until User 2 simply executes user 1 s infected program. 2014 …) Unlike buffer overflow, setuid not necessary!
Infected program Infected program owned by user 1 owned by user 2
virus v virus v
Viruses and Worms 22-7 Viruses and Worms 22-8 Somewhat Destructive Malicious Viruses Nondestructive Viruses
o Install backdoors for botnots, other attacks. Many viruses spread without doing damage, but can still be o Data-diddling: modify one bit of randomly selected file, swap digits annoying or do accidental damage. in phone numbers, spreadsheets, etc. (hard to track to virus). o Elk Cloner: first microcomputer virus (Apple II) displayed poem: o Wazzu virus: randomly scramble words and insert wazzu ELK CLONER: o Typo virus: introduce typing errors for fast typists. o Random deletion: delete randomly chosen file not recently THE PROGRAM WITH A PERSONALITY
accessed. IT WILL GET ON ALL YOUR DISKS o Protection changing: change ownership and protection bits on files. IT WILL INFILTRATE YOUR CHIPS YES IT S CLONER o Executive error virus: underling installs virus that makes IT WILL STICK TO YOU LIKE GLUE supervisor incompetent. IT WILL MODIFY RAM TOO SEND IN THE CLONER o Covert channel virus: in confidentiality lattice, unclassified user introduces virus to copy secret information through covert o Marburg virus: drew random icons on desktop. channel. o Spanska virus: displayed animations o Ken Thompson, Reflections on Trusting Trust: insert login Trojan into C compiler object code that can t be detected in source! o Haiku virus displayed randomly generated haiku.
Viruses and Worms 22-9 Viruses and Worms 22-10
Benevolent Viruses Viruses Infection Techniques o Overwriting The payload of a virus can do good as well as bad. E.g. • Overwrite host program, changing behavior (easy to discover) o Antivirus virus: good virus that deletes bad viruses. • Typically overwrite beginning, but can overwrite later (in which case virus may not be executed). o Compression virus: automatically compress files to save space (but there s a time/space tradeoff). o Appending • Add virus code to end of program, and jump to virus. o Maintenance virus: install system updates, clean up undeleted temporary files, reset incorrect protection bits, defragment disk, • Typically virus jumps back to program to evade detection. etc. o Prepending o Distributed database virus: make copies of information across • Add virus code to front of host program. multiple machines and modify old copies to be consistent with • Parastic virus: variant that overwrites start of program, but moves recent changes. starting code later. Ethical questions: o Cavity Virus • Squirreled away in holes in program o Is it OK to distributed good viruses? • doesn t change program size o What if good virus goes has unexpected bad consequences – e.g., o Compressing Virus accidentally consumes lots of resources. o Compresses program and inserts self so as not to change program size. Viruses and Worms 22-11 Viruses and Worms 22-12
Viruses Propagation Methods Virus Propagation Vectors
o Insert a copy into every executable (.COM, .EXE) o Removable storage
o Insert a copy into boot sectors of disks • Floppies, writable CDs/DVDs, USB flash drives
• Stoned virus infected PCs booted from infected floppies, o Email Attachments stayed in memory and infected every floppy inserted into PC • Can contain executable parts
o Infect TSR (terminate-and-stay-resident) routines o Downloads
• By infecting a common OS routine, a virus can always stay in o Shared Directories memory and infect all disks, executables, etc. Multi-user systems, networked file system (e.g., puma), o Infect macros in documents/spreadsheets, etc. peer-to-peer (P2P) networks • A virus in MS Word Normal.dot file can infect all documents.
o Infect shell scripts and other source code.
Viruses and Worms 22-13 Viruses and Worms 22-14
Basic Anti-Virus (AV) Techniques Signature-Based Scanning o Signature-based detection • signature = pattern/fingerprint matching virus • AV engine checks files against database of signatures to (1) identify o Hex strings from virus variants and (2) disinfect file containing virus, • 67 33 74 20 73 38 6D 35 20 76 37 61 • On-demand scanning (user explicitly requests) vs. on-access scanning (done every time a file is opened, modified, and/or closed). • 67 36 74 20 73 32 6D 37 20 76 38 61 • Need to update signature database frequently • 67 39 74 20 73 37 6D 33 20 76 36 61 o Heuristic detection • Check program for virus-like behavior (access boot sector, find all o Hex string for detecting virus files in current directory, write to .EXE file, delete files) • Emulate behavior before executing or execute in sandbox. • 67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61 • o Integrity checking ?? = wildcard • Record file fingerprints (sizes, checksums, hashes) in pristine system and check later (e.g. Tripwire). • Used by some AV scanners to avoid more detailed scanning • Must store fingerprints carefully! Viruses and Worms 22-15 Viruses and Worms 22-16 Anti-Virus Problems Arms Race between Virus Writers/Detectors o False Positives: one version of McAfee flagged Excel! o Encrypted virus: virus consists of a constant decryptor, a key (that o False Negatives: fail to detect malware changes between copies), and the encrypted virus body.
o Long detection times slows down machines • Detector finds decryptor and key & uses it to decrypt/identify virus o Oligomorphic virus: mutate decryptor slightly by using o Developing signatures/keeping databases current: > 100K new viruses/week! several decryptors or build decryptors out of simple patterns.
o What to do when virus detected: Delete vs. quarantine o Polymorphic virus: mutate decryptors into millions of forms via obfuscation techniques (reordering and junk instructions), but keep o Vendors focus on big clients, not individual users (unencrypted) body same o Bad guys can disable/intercept AV scans o Metamorphic virus: mutate virus bodies via obfuscation techniques, • turn off AV scans but keep functionality • make infected file appear normal to AV detector o shuffle registers • block access to AV websites/downloads/updates o reorder instructions o Arms race o insert junk instructions • Bad guys test new viruses against AV o change source code and recompile • Stealth techniques for hiding/changing viruses Viruses and Worms 22-17 Viruses and Worms 22-18
Benign Code Can be Encrypted/Obfuscated Detecting Oligomorphic/Polymorphic Viruses
Q: Why not just flag all encrypted/obfuscated code as viruses? 1. Run suspect program in an emulator A: Because these techniques are commonly used in benign code to 2. Wait until it decrypts protect intellectual property by complicating reverse engineering. 3. Decrypted code will be identical for various copies Especially used in cases where code otherwise easy to inspect: 4. Use signature scanning on decrypted virus body • machine code
• virtual machine code (e.g., JVM, .NET)
• HTML
• Javascript
• Source code of interpreted languages (Python, PERL, shell scripts, etc.)
Viruses and Worms 22-19 Viruses and Worms 22-20 Virus Detection by Emulation Detecting Polymorphic Viruses: Challenges
o Determining when decryption is complete. Randomly generates a new key Decrypt and execute and corresponding decryptor code o Doesn t work very well against viruses not located near beginning Mutation A of infected executable.
Virus body o Some viruses use random code block insertion or insert millions of NOPs at the entry point prior to the main virus body.
Mutation B • Emulator executes code for a while, does not see virus body and decides the code is benign. When main virus body is finally executed, virus propagates
Mutation C o Decryptor may be able to determine whether it’s running in an emulator and behave differently in this case.
To detect an unknown mutation of a known virus , emulate CPU execution of until the current sequence of instruction opcodes matches the known sequence for virus body
Viruses and Worms 22-21 Viruses and Worms 22-22
Metamorphic Viruses Metamorphic Virus [Szor, 2001]
o Obvious next step: mutate the virus body, too!
o Virus can carry its source code (which deliberately contains some o An early generation useless junk) and recompile itself c7060F000055 mov dword ptr [esi], 550000Fh • Apparition virus (Win32) c746048BBC5151 mov dword ptr [esi+0004], 5151BCBBh • Virus first looks for an installed compiler (Unix machines have C compilers installed by default) o A later generation • Virus changes junk in its source and recompiles itself • New binary mutation looks completely different! BF0F000055 mov edi, 550000Fh 893E mov [esi], edi o Many macro and script viruses evolve and mutate their code 5F pop edi 52 push edx • Macros/scripts are usually interpreted, not compiled B640 mov dh, 40 BA8BEC5151 mov edx, 5151EC8Bh 53 push ebx 8BDA mov ebx, ebx 895E04 mov [esi+0004], ebx
Viruses and Worms 22-23 Viruses and Worms 22-24 Metamorphic Mutation Techniques Example of Zperm Mutation
o Same code, different register names
• Regswap (Win32)
o Same code, different subroutine order
• BadBoy (DOS), Ghost (Win32)
• If n subroutines, then n! possible mutations
o Decrypt virus body instruction by instruction, push instructions Hunting for Metamorphic at www.symantec.com/avcenter/reference/ on stack, insert and remove jumps, rebuild body on stack hunting.for.metamorphic.pdf • Zmorph (Win95) o Body makeup not constant • Can be detected by emulation because the rebuilt body has a o Detect by running suspect program in an emulator and analyze constant instruction sequence behaviour while running o Can also disassemble and look for virus-like instructions ! Hard problem!
Viruses and Worms 22-25 Viruses and Worms 22-26
Mutation Engines Virus-Specific Detection
o Real Permutating Engine/RPME (introduced in Zperm virus), o Many viruses can t be detected by simple scanning. Instead, need ADMutate, many others more complex analysis and/or emulation.
o Employ a large set of obfuscating techniques o AV software includes programs written in virus detection languages • Instructions are reordered, branch conditions reversed for detecting specific viruses. • Jumps and NOPs inserted in random places o Special-case detection is time-consuming, so rely on filtering to • Garbage opcodes inserted in unreachable code areas identify cases where it s likely to be productive. • Instruction sequences replaced with other instructions that have the same effect, but different opcodes • SUB EAX, EAX ⇒ XOR EAX, EAX • PUSH EBP; MOV EBP, ESP ⇒ PUSH EBP; PUSH ESP; POP EBP
o There is no constant, recognizable virus body!
Viruses and Worms 22-27 Viruses and Worms 22-28 How Hard Is It to Write a Virus? Worms vs. Viruses
o Can be challenging to write a virus from scratch o Both are self-replicating programs (just ask Audrey Kao & Era Vuksani from CS342 Fall ‘10!) o Worms are (usually) self-contained; viruses attach to a host o In practice, study and modify existing viruses. program
o Many virus construction kits available. o Worms are (usually) self-activating; viruses require human intervention to spread. • AV vendors familiar with such kits and defend against the kinds of viruses they create. o Worms spread via networks; viruses can, too, but can also spread via other means.
o Worms offer a scale of propagation (in terms of speed, number of hosts infected, potential for damage) not easily achieved by other mechanisms. They are the tool of choice for recruiting zombie