Viruses, Worms, and Polymorphic Code Oh My - PowerPoint PPT Presentation

1
Viruses, Worms, and Polymorphic Code Oh My!
  • Todd Jackson
  • EE 579 Seminar
  • 13 February 2006

2
Outline
  • Viruses
      • Elk Cloner, Dark Avenger, Concept
  • Worms
      • Brief history
      • Prevention
  • Polymorphic code
      • Basics
      • Decryption engines
      • Applications to viruses and worms

3
Viruses
  • Small programs that make copies of themselves,
    usually without the user's knowledge
  • Cannot spread to other computers on their own
  • Name comes from Fred Cohen's 1984 paper
  • Created for a variety of purposes
  • Slowly going extinct with the advent of worms

4
16-bit viruses
  • Mostly annoying
      • Elk Cloner (1982)
  • Destructive viruses
      • Jerusalem (1986)
  • Boot sector viruses
      • Stoned (1987)
  • File (COM/EXE/SYS/OVL) infectors
      • Dark Avenger (1989)

5
Elk Cloner (1982)
  • First virus to appear in the wild
  • Written by a 15-year-old
  • Infected Apple II systems as an annoyance
  • Non-destructive and mostly non-intrusive
  • Spread to non-infected floppy disks

6
Elk Cloner (1982)
  • After 50 boots with an infected disk, the
    following message appears:
        Elk Cloner: The program with a personality
        It will get on all your disks
        It will infiltrate your chips
        Yes it's Cloner!
        It will stick to you like glue
        It will modify ram too
        Send in the Cloner!
  • Also spread using the CATALOG command
  • Stored boot counts in unused space on the disk

7
Dark Avenger (1989)
  • Memory-resident EXE, COM, and OVL file infector,
    including COMMAND.COM
  • Can infect an executable as it is copied
      • Both source and destination are infected
      • Backups are easily infected
  • Every 16 file infections caused a random sector
    on the hard drive to be destroyed

8
32-bit viruses
  • Appear after Windows 95 is released
      • Win95/Boza (1995), Win32/Cabanas (1997)
  • Macro viruses appear, easy to write
      • Win32/Concept (1995)
  • More destructive viruses appear
      • Win95/CIH (1998), aka Chernobyl
  • New targets
      • Win32/Kriz (1999) attacks kernel32.dll

9
Concept (1995)
  • First Word macro virus found in the wild
  • Used an AutoOpen macro to launch, and a
    FileSaveAs macro to replicate into a template
  • Displays the message "That's enough to prove my
    point"
  • Many variants appear, based on the original
    Concept code

10
Virus Capabilities
  • Viruses try to hide their presence
      • Brain (1986) redirected requests for the boot
        sector to the original
  • Polymorphic viruses try to evade signature
    detection by changing their code
  • Multipartite viruses have multiple components
      • Flip.2153.A (1993), Ghostball (1989)
  • Metamorphic viruses completely rewrite themselves
      • Win32.Simile.A (2002)

11
Other Operating Systems
  • Bliss (1996)
      • Infected UNIX/Linux PCs
      • Nice virus with some worm-like features
      • Required the user to run the program
  • ANTI (1989)
      • Effective on Mac System 6
      • Irreparably damages applications
  • OS emulators can give unpredictable results

12
Worms
  • Can reproduce and attempt to infect other
    computers without user intervention
  • Completely self-contained
  • Rely heavily on network and Internet availability
    or social engineering
  • Wide range of effects on infected hosts
  • Worms usually exploit well-known security issues;
    those who have not patched are affected
  • Inherit a lot of features, payloads and
    developments from viruses

13
Notable Worms
  • Morris worm (1988)
      • Used a buffer overflow exploit in finger
  • Melissa (1999), multipartite worm
      • Spread using either Word 97/2000 or by mass
        mailing using Outlook 97/98
  • VBS/Loveletter (2000)
      • Caused 10 billion in damage
      • First to exploit VBScript prominently

14
2001: Worms Armageddon
  • Ramen worm affects Red Hat 6.2 and 7
  • Anna Kournikova worm appears
  • Sircam spreads through unprotected network shares
    and email
  • Code Red and Code Red II attack IIS
  • Nimda appears, using back doors opened by Code
    Red II and Sadmind and other vulnerabilities
  • Klez exploits buggy email clients; variants try
    to kill Nimda and Code Red, drop an EXE virus
    and corrupt others

15
Win32/Nimda
  • Four vectors of infection
      • Email, EXE file infector, WWW search, network
        shares
  • First virus to modify web servers to offer
    infected files for download
  • First virus to use workstations to search for
    web servers
      • Allows it to find internal web servers
  • Does not infect Word documents but places itself
    in directories where documents are located to
    increase exposure

16
2003: Worms Armageddon Reloaded
  • SQL Slammer affects routers worldwide; its
    infection rate doubles every 8.5 seconds
  • Blaster and Sobig.F released within a week of
    each other
  • Welchia attempts to remove Blaster and patch
    systems, but is more destructive
  • Sober begins to disable security software

17
Prevention
  • The majority of worm outbreaks could have been
    prevented
      • Firewalls, anti-virus software
      • Patching
      • Good security policies
      • User education
  • Discussions on other techniques
      • Deterrence due to jail sentences/fines
      • Removal of incentives to write viruses and worms

18
Disclosure
  • Full disclosure: immediate public disclosure
      • Pro: provides an incentive for software companies
        to release patches quickly, especially to save face
      • Con: virus/worm writers can get started writing
        exploits before patches are released
  • Others say to wait until the patch is released,
    or another time that the vendor prefers
      • Pro: virus/worm writers who don't know can't
        become aware; patching is quick
      • Con: if virus/worm writers are already exploiting
        the hole, users are left in the dark
  • Witty worm: released 48 hours after the patch

19
Polymorphic Code
  • Popularized by Dark Avenger in 1992
  • Perform an operation on the code of a program and
    generate a different inverse operation each time
  • Attempt to defeat signature-based intrusion
    detection systems and virus scanners

20
Basics of Polymorphism
  • This shellcode executes /bin/bash:
        push byte 0x68
        push dword 0x7361622f
        push dword 0x6e69622f
        mov ebx,esp
        xor edx,edx
        push edx
        push ebx
        mov ecx,esp
        push byte 11
        pop eax
        int 80h
  • Assembled, it is the byte string
        \x6A\x68\x68\x2F\x62\x61\x73\x68\x2F\x62\x69\x6E
        \x89\xE3\x31\xD2\x52\x53\x89\xE1\x6A\x0B\x58\xCD\x80
  • It is easily detected!

21
Basics of Polymorphism
  • Take code C (e.g. the previous shellcode) and
    encrypt it into K
        CCCCCC -> KKKKKK
  • The resulting string K is not executable, so add a
    decryption engine D in front of K
        KKKKKK -> DDDDKKKKKK
  • D can be detected, so D has to change each time

22
Basics of Polymorphism
  • Buffer overflow exploit layout:
        | NOP | shellcode | bytes to cram | return address |
  • Polymorphic buffer overflow exploit layout:
        | NOP | decipher code | shellcode | cram bytes | return address |
  • Signatures can look for NOPs, so NOPs can be
    replaced with legal but garbage instructions
  • Simple INCR/DECR, ADD/SUB combinations can be
    detected by security software which emulates code
  • Random one-byte instructions recommended

23
Decipher Routines
  • Two common methods of generating a decipher
    routine
      • Keep the same algorithm, but generate different
        code
      • Generate a new algorithm each time
  • Can insert dummy instructions in the decipher
    code as well
  • Can use different registers in each version
  • XOR operations are very simple algorithms
  • Cipher key management and length is an issue
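Added illustration of slides 21 to 23 from the scanner's side (example code written for this page, not from the slides or the Phrack engine they reference): a byte-signature scan of the slide-20 shellcode, the way a single-byte XOR mask (C -> K) slips past that signature, and the "X-ray" countermeasure a scanner applies to such a simple cipher by trying every possible key and re-scanning. The two signatures are constructed for the demo; the shellcode bytes are the ones on slide 20.

```python
# Added example, not from the slides. Shows why a fixed byte signature fails
# against XOR-masked code, and why a fixed, one-byte XOR decipher algorithm is
# still easy to defeat: the scanner can simply try all 255 keys ("X-raying").

# The 25 bytes quoted on slide 20 (push "/bin/bash"; execve via int 80h).
SHELLCODE = bytes.fromhex(
    "6a68682f62617368682f62696e89e331d2525389e16a0b58cd80"
)

# Constructed signatures: the register setup before the syscall, and the
# "push 11; pop eax; int 80h" tail. Real scanners use longer, curated patterns.
SIGNATURES = {
    "execve-setup": bytes.fromhex("89e331d2525389e1"),
    "syscall-11": bytes.fromhex("6a0b58cd80"),
}


def scan(buf: bytes, signatures=SIGNATURES) -> list:
    """Return the names of all signatures that occur verbatim in buf."""
    return [name for name, sig in signatures.items() if sig in buf]


def xor_mask(data: bytes, key: int) -> bytes:
    """Single-byte XOR transform. Applying it twice with the same key restores
    the input, so it is both the C -> K step and the decipher step of the
    simplest polymorphic scheme on slides 21 and 23."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be one byte")
    return bytes(b ^ key for b in data)


def xray_scan(buf: bytes, signatures=SIGNATURES) -> list:
    """Scanner-side countermeasure: a one-byte XOR has only 255 non-trivial
    keys, so unmask with each candidate key and re-scan the result.
    Returns (signature name, key) pairs that matched."""
    hits = []
    for key in range(1, 256):
        for name in scan(xor_mask(buf, key), signatures):
            hits.append((name, key))
    return hits


if __name__ == "__main__":
    print("plain   :", scan(SHELLCODE))            # both signatures match
    for key in (0x41, 0x9C):                        # two "generations" of K
        masked = xor_mask(SHELLCODE, key)           # plain scan finds nothing
        print(f"key {key:#04x}:", scan(masked), "-> x-ray:", xray_scan(masked))
```

Every generation of K is caught by the X-ray pass regardless of key, which is the slide's point that key length and a varying decipher algorithm matter more than the key value itself.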

24
Polymorphism, Viruses and Worms
  • 1260 (1990) is said to be the first polymorphic
    virus, designed to prove that signature detection
    is not perfect
  • Descendants had improvements, but were detected
    as 1260 infections
  • Dark Avenger's Mutation Engine (MtE) could be
    applied to any virus to make it polymorphic
  • Other polymorphic engines have since been created
  • Polymorphic worms include the Bagle family

25
Conclusion
  • Viruses are small programs that use other things
    (files, disks) as carriers to spread, but are
    slowly going extinct
  • Worms are self-contained programs that are
    spreading much more rapidly due to easy
    connectivity
  • Polymorphism is an attempt at obfuscation, and
    has been implemented in both viruses and worms

26
Questions?