Malware 1: Viruses
Tuesday, December 2, 2008 Sources: see final slide
CS342 Computer Security
Department of Computer Science Wellesley College
Today’s class goals o Introducti on to malware taxonomy o Appreciating the evolution of viruses o Polymorphism/Metamorphism o General Anti-Virus (AV) detection techniques o Understanding the arms race between virus writers and anti-virus detectors. o Appreciate ag ain that: if y ou take y our tim e, have few patterns and use many levels of indirection, you are very hard to beat
Malware: Viruses and Worms 24-2
1 Malware (MALicious softWARE)
o A gggygeneric term increasingly being used to describe any form of malicious software like o viruses, worms, trojan horses, rootkits, spyware, malicious mobile code, backdoors, dialers, ransomware o Combinations are common o Some malware are actually combinations of more basic malware (e.g., a rootkit can be viewed as Trojan horse backdoor tool) o Broadly classified according to o Infection technique: “how does it propagate?” o Impact on target: “what does it do?” o Type of exploited vulnerability: “ How (by violating which assumption) did it get in?”
Malware: Viruses and Worms 24-3
Malware Taxonomy Type Characteristics
Virus Self-replicating code that infects a host file. Usually requires human interaction to spread. Sometimes used as generic term for all malware. Worm Self-replicating code that spreads across a network. Usually does not require human interaction to spread. Rabbit Virus or worm that multiplies without bound
Trojan Horse Disguises itself as a useful program while masking hidden malicious purpose. Backdoor/Trapdoor Bypasses normal security controls to give attacker access
User-level Rootkit Replaces or modifies executable programs used by system administrators and users Kernel-level Rootkit Manipulates the OS kernel to hide and create backdoors
Spyware Monitors user interaction and collects information (e.g ., via keylogger)
Logic Bomb Dormant malicious code triggered by date or event.
Easter Egg Cute but harmless behavior triggered by special input.
Malicious Mobile Code Small programs downloaded and executed locally with minimal user intervention. Typically written in Javascript, VBScript, Java, or ActiveX Combination Malware Combines techniques to increase effectiveness
Malware: Viruses and Worms 24-4
2 Malware evolution
Themes: o Increasing complexity/sophistication o Acceleration of rate of tool/technique release o Movement from viruses -> worms -> kernel level exploits
Figure from Skoudis Malware, p.16.
Malware: Viruses and Worms 13-5
Virus Basics o Virus = code that attaches itself to host programs and runs when host program executes. Running the host ppgrogram usually req uires user intervention. o Self-replication: when the virus runs, it copies (a possibly mutated version of) itself to other host programs. It needs a method to find other hosts. o A running virus may also execute a payload = mischievous or malicious action. o Note: self-replicating mutating code is a cornerstone of artificial life research.
Malware: Viruses and Worms 13-6
3 Viruses Infection Techniques
o Overwriting o Overwrite host program, changing behavior (easy to discover) o Typically overwrite beg inning , but can overwrite later (in which case virus may not be executed. o Appending o Add virus code to end of program, and jump to virus. o Typically virus jumps back to program to evade detection. o Prepending o Add virus code to front of host program. o Parastic virus: variant that overwrites start of program, but moves starting code later. o Cavity Virus o Squirreled away in “holes” in program o doesn’t change program size Malware: Viruses and Worms 13-7
Viruses Propagation Methods
o Insert a copy into every executable (.COM, .EXE) o Insert a copy into boot sectors of disks o “Stoned” virus infected PCs bootbooteded from infected floppies, stayed in memory and infected every floppy inserted into PC o Infect TSR (terminate-and-stay-resident) routines o By infecting a common OS routine, a virus can always stay in memory and infect all disks, executables, etc. o Infect macros in documents/spreadsheets, etc. o A virus in MS Word Normal.dot file can infect all documents. o Infect shell scripts and other source code.
Malware: Viruses and Worms 13-8
4 Viruses Propagation Vectors
o Removable storage o Floppies, writable CDs/DVDs, USB flash drives o Email Attachments o Downloads o Shared Directories
Malware: Viruses and Worms 13-9
Anti-Virus (AV) Techniques o Signature-based detection o signature = pattern/fingerprint matching virus o AV engine checks files against database of signatures o On-demand scanning vs. on-access scanning o Need to update signature database frequently o Heuristic detection o Check program for virus-like behavior (access boot sector, find all files in current directory, write to .EXE file, delete files) o Emulate behavior before executing or execute in sandbox. o Integrity checking o Record file fingerprints (sizes, checksums, hashes) in pristine system and check later (e.g. Tripwire). o Used by some AV scanners to avoid more detailed scanning o Must store fingerprints carefully!
Malware: Viruses and Worms 13-10
5 Signature-Based Scanning
o Hex strings from virus variants o 67 33 74 20 73 38 6D 35 20 76 37 61 o 67 36 74 20 73 32 6D 37 20 76 38 61 o 67 39 74 20 73 37 6D 33 20 76 36 61
o Hex string for detecting virus o 67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61 o ?? = wildcard
Malware: Viruses and Worms 13-11
Anti-Virus Problems o False Positives o McAfee flagged Excel! o False Negatives o Fail to detect malware o Long detection times slows down machines o Developing signatures/keeping databases current o 100K new viruses/week! o What to do when virus detected o Delete vs. quarantine o Vendors focus on big clients, not individual users o Bad guys can disable/intercept AV scans o Arms race o Bad guys test new viruses against AV o Stealth techniques for hiding/changing viruses
Malware: Viruses and Worms 13-12
6 Defeating Signature-based Scanning
o Signatures are really just patterns of code The antidote to patterns is RANDOMNESS
o Encrypted viruses: virus consists of a constant decryptor, followed by the encrypted virus body
o Polymorphic viruses o Viruses that mutate and/or encrypt parts of their code with a randomly generated key, but keep same functionality
o Metamorphic viruses o Viruses whose (possibly decrypted) body changes from variant to variant
Malware: Viruses and Worms 13-13
Evolution of Polymorphic Viruses
o Polymorphic viruses: constantly create new random encryptions of the same virus body o Marburg (Win95), HPS (Win95), Coke (Win32) o Virus must contain a polymorphic engine for creating new keys and new encryptions of its body o Rather than use an explicit decryptor in each mutation, Crypto virus (Win32) decrypts its body by brute-force key search o Oligomorphic viruses: different versions of virus have differen t encryptions of the same bdbody o Small number of decryptors (96 for Memorial viruses); to detect, must understand how they are generated
Malware: Viruses and Worms 13-14
7 Detecting Polymorphic Viruses
1. Run suspect program in an emulator 2. Wait until it decrypts 3. Decrypted code will be identical for various copies 4. Use signature scanning on decrypted virus body
Malware: Viruses and Worms 13-15
Virus Detection by Emulation
Randomly generates a new key Decrypt and execute and corresponding decryptor code MttiMutation A
Virus body
Mutation B
Mutation C
To detect an unknown mutation of a known virus , emulate CPU execution of until the current sequence of instruction opcodes matches the known sequence for virus body Malware: Viruses and Worms 13-16
8 Detecting Polymorphic Viruses: Challenges o Determining when decryption is complete o Doesn’t work veryyg well against metamorp hic viruses and viruses not located near beginning of infected executable o Decryptor may be able to determine whether its running in an emulator.
Malware: Viruses and Worms 13-17
Defeating Anti-Virus Emulators
o To detect polymorphic viruses, emulators execute suspppect code for a little bit and look for opcode sequences of known virus bodies o Some viruses use random code block insertion or insert millions of NOPs at the entry point prior to the main virus body o Emulator executes code for a while, does not see virus body and decides the code is benign… when main virus body is finally executed, virus propagates
Malware: Viruses and Worms 13-18
9 Metamorphic Viruses
o Obvious next step: mutate the virus body, too! o Virus can carry its source code (which deliberately contains some useless junk) and recompile itself o Apparition virus (Win32) o Virus first looks for an installed compiler (Unix machines have C compilers installed by default) o Virus changes junk in its source and recompiles itself o New binary mutation looks completely different! o Many macro and script viruses evolve and mutate their code o Macros/scripts are usually interpreted, not compiled
Malware: Viruses and Worms 13-19
Metamorphic Virus [Szor, 2001]
o An early generation c7060F000055 mov dword ptr [esi], 550000Fh c746048BBC5151 mov dword ptr [esi+0004], 5151BCBBh o A later generation BF0F000055 mov edi, 550000Fh 893E mov [esi], edi 5F pop edi 52 push edx B640 mov dh, 40 BA8BEC5151 mov edx, 5151EC8Bh 53 push ebx 8BDA mov ebx, ebx 895E04 mov [esi+0004], ebx
Malware: Viruses and Worms 13-20
10 Metamorphic Mutation Techniques
o Same code, different register names o Regswap (Win32) o Same code, dffdifferent subroutine order o BadBoy (DOS), Ghost (Win32) o If n subroutines, then n! possible mutations o Decrypt virus body instruction by instruction, push instructions on stack, insert and remove jumps, rebildbuild bdbody on stktack o Zmorph (Win95) o Can be detected by emulation because the rebuilt body has a constant instruction sequence
Malware: Viruses and Worms 13-21
Example of Zperm Mutation
“Hunting for Metamorphic” at www.symantec.com/avcenter/reference/hunting.for.metamorphic.pdf
o Body makeup not constant o Detect by running suspect program in an emulator and analyze behaviour while running o Can also disassemble and look for virus-like instructions Hard problem!
Malware: Viruses and Worms 13-22
11 Mutation Engines o Real Permutating Engine/RPME (introduced in Zperm virus), ADMutate, many others o Employ a large set of obfuscating techniques o Instructions are reordered, branch conditions reversed o Jumps and NOPs inserted in random places o Garbage opcodes inserted in unreachable code areas o Instruction sequences replaced with other instructions that have the same effect, but different opcodes o Mutate SUB EAX, EAX into XOR EAX, EAX or PUSH EBP; MOV EBP, ESP into PUSH EBP; PUSH ESP; POP EBP o There is no constant, recognizable virus body!
Malware: Viruses and Worms 13-23
How Hard Is It to Write a Virus?
o 498 matches for “virus creation tool” in Spyware Encyclopedia o IldiIncluding dozens o f poly- and metamorp hic eng ines o OverWriting Virus Construction Toolkit o "The perfect choice for beginners“ o Biological Warfare Virus Creation Kit o Note: all viruses will be detected by Norton Anti- Virus o Vbs Worm Generator (for Visual Basic worms) o Used to create the Anna Kournikova worm o Many others
Malware: Viruses and Worms 13-24
12 Resources o Daniel Bilar, Intro To Malware, CS342 slides, Oct. 6, 2006 o Ed Skoudis, Malware: Fighting Malicious Code, Prentice Hall, 2004 o Sean Smith and John Marchesini, The Craft of System Security, Chapter 6: Implementation Security. o Peter Szor, The Art of Computer Virus Research and Defense, Addison Wesley, 2005. o John Viega,”Why Anti-Virus Sucks, and How to Fix It”, Talk to Harvard’s Center for Research on Computation and Society (CRCS), Wed. Oct. 8, 2008 (see video of talk at http://crcs.seas.harvard.edu/2008/09/24/wednesday-october-8- 2008-john-viega-on-tbd/
Malware: Viruses and Worms 24-25
13