Development of high-level language viruses under Windows - PowerPoint PPT Presentation

1
Development of high-level language viruses under
Windows
µCon security conference 2008
  • Breno Dario Ulisses Rocha

2
File Infection
  • File infection overview
  • Overwriting
  • Prepending
  • PE Infection
  • Source File Infection

3
File Infection
  • Prepend-like
  • The virus body is written in front of the host executable; the infected file runs the virus first, which then drops and runs the original host
  • Most used technique for file infection in HLL viruses
  • Just reading/writing operations
  • Deals with .exe files as opaque byte blobs instead of parsing the PE structure
  • Can be implemented in almost all languages

4
File Infection
  • Prepend-like (dirty side)
  • Infected files grow by the size of the virus body, so the user (or a simple size check) may notice
  • Tiny executables should be avoided for stealth reasons: the growth is most obvious on them
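An added example (not from the presentation) of the check a defender runs against the size-growth point above: a prepend-like infection leaves two PE images in one file, the infector's own at offset 0 and the original host somewhere after it. The scanner below walks every MZ header whose e_lfanew points at a valid PE signature; the sample files are constructed PE-shaped stubs, not real executables.

```python
"""Scan a file for a second embedded PE image, the footprint of a prepend-like infector."""
import struct
from typing import List

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def find_pe_headers(data: bytes) -> List[int]:
    """Return the offset of every MZ header whose e_lfanew points at a valid PE signature.

    A clean executable yields one offset; a prepended file yields two (the infector at 0
    and the original host after it). e_lfanew below 0x40 is rejected as a heuristic,
    since the DOS header itself occupies the first 0x40 bytes.
    """
    offsets = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):
            # e_lfanew lives at offset 0x3C of the DOS header
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < len(data) - pos and data[pe_off:pe_off + 4] == PE_SIG:
                offsets.append(pos)
        pos = data.find(MZ, pos + 1)
    return offsets


def looks_prepended(data: bytes) -> bool:
    """True when more than one embedded PE image is present."""
    return len(find_pe_headers(data)) > 1


def make_stub_pe(body: bytes) -> bytes:
    """Build a minimal, non-executable PE-shaped blob (constructed test data only)."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)    # e_lfanew -> PE signature at 0x40
    return bytes(header) + PE_SIG + body


# Constructed sample: a "virus" image with the original host written right after it.
HOST = make_stub_pe(b"original host program " * 4)
VIRUS = make_stub_pe(b"virus stub, runs first then drops host " * 3)
INFECTED = VIRUS + HOST

if __name__ == "__main__":
    print("clean   :", find_pe_headers(HOST), looks_prepended(HOST))
    print("infected:", find_pe_headers(INFECTED), looks_prepended(INFECTED))
```

Installers, self-extracting archives and programs with an appended overlay legitimately carry more than one PE image, so a second header is a lead to inspect, not a verdict on its own.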

5
File Infection
  • Alternate Data Streams (ADS)
  • Requires at least one volume formatted with the NT file system (NTFS), and luckily most systems have one these days
  • The feature exists for compatibility with the Macintosh Hierarchical File System (HFS)
  • Files stored on HFS consist of two parts, known as forks: a data fork and a resource fork
  • Windows systems using NTFS store Macintosh resource forks in a hidden NTFS stream
  • Data stored in such a stream does not alter the original file in any way (e.g. last modified date or reported file size)

6
File Infection
  • Prepend + ADS for stealth
  • Hide the virus body in an alternate stream of the infected file
  • Infect the file with a tiny loader instead of the entire virus, so the size growth stays small
  • Travelling problems: alternate streams only survive on NTFS, so the loader loses its body when the file is copied to FAT, zipped or sent as an e-mail attachment
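Because a stream adds nothing to the size shown by a plain `dir`, the practical check on the defender's side is `dir /r`, which lists every named `$DATA` stream under its file. The parser below is an added example and not part of the presentation; it runs over a constructed `dir /r` listing and flags streams large enough to hold a program body, skipping the benign `Zone.Identifier` mark-of-the-web stream. The file names, sizes and the stream name `body` are made up for the example.

```python
"""Find alternate data streams in `dir /r` output (plain `dir` does not show them)."""
import re
from typing import Dict, List, Tuple

# `dir /r` prints each named stream on its own line beneath its file, with no date column:
#     <size> <filename>:<stream name>:$DATA
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")

# Streams that show up on ordinary files and are not worth an alert.
BENIGN_STREAMS = {"Zone.Identifier"}   # mark-of-the-web written by browsers and mail clients


def parse_streams(dir_output: str) -> Dict[str, List[Tuple[str, int]]]:
    """Map file name -> [(stream name, size in bytes), ...] for every named stream listed."""
    found: Dict[str, List[Tuple[str, int]]] = {}
    for line in dir_output.splitlines():
        m = STREAM_RE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        found.setdefault(m.group(2), []).append((m.group(3), size))
    return found


def suspicious_streams(dir_output: str, min_size: int = 4096) -> List[Tuple[str, str, int]]:
    """Return (file, stream, size) for streams big enough to hold a program body,
    ignoring the well-known benign ones."""
    hits = []
    for fname, streams in parse_streams(dir_output).items():
        for sname, size in streams:
            if sname not in BENIGN_STREAMS and size >= min_size:
                hits.append((fname, sname, size))
    return hits


# Constructed sample of `dir /r` output (not captured from a real machine).
SAMPLE = """\
 Directory of C:\\lab

10/10/2008  09:05 AM            73,216 notepad.exe
                                   26 notepad.exe:Zone.Identifier:$DATA
10/10/2008  09:07 AM             3,072 calc.exe
                               45,568 calc.exe:body:$DATA
10/10/2008  09:08 AM             1,024 readme.txt
               3 File(s)         77,312 bytes
"""

if __name__ == "__main__":
    for fname, sname, size in suspicious_streams(SAMPLE):
        print("%s carries stream %s (%d bytes)" % (fname, sname, size))
```

Note the pattern the slide describes: `calc.exe` is a 3 KB loader while its `body` stream is 45 KB, and nothing in the plain `dir` columns hints at it.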

7
  • Spreading

8
Spreading
  • Search Mechanism
  • In-Memory Strategies
  • Direct Action
  • Memory-Resident
  • Temporary Memory-Resident
  • How to spread (most common mechanisms)
  • E-mail
  • Shared Folders
  • P2P Folders
  • USB Watcher

9
Spreading
  • Registry Shell Spawning
  • Temporary Memory-Resident
  • Relies on the operating system
  • How do you know which are the EXE targets?
  • The Windows registry
  • HKEY_CLASSES_ROOT\exefile\shell\open\command
  • "%1" %*
  • What does that mean?
  • %1 will be replaced by the EXE's filename (with full path)
  • %* will be replaced by its parameters

10
Spreading
  • Example
  • File name: test.exe
  • Path: C:\windows\
  • Command line:
  • "C:\windows\test.exe" -arg1 -arg2
  • Using that feature
  • Change the registry entry to
  • "C:\Windows\System32\virus.exe" "%1" %*
  • The command line becomes:
  • "C:\windows\system32\virus.exe" "C:\windows\test.exe" -arg1 -arg2
  • "Our virus will be executed EVERY TIME an EXE file is started."
  • Caveat: this only covers launches that go through the shell (Explorer, ShellExecute); a direct CreateProcess with a full path never consults the registry. The virus must also hand the original target and its arguments on to CreateProcess, otherwise every program on the machine appears broken
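An added example (not from the presentation) of checking the value above for exactly this kind of hijack: the stock value is `"%1" %*`, and anything placed in front of `%1` runs before the real target and receives it as an argument. Reading the live value uses the standard `winreg` module and is skipped on other platforms; the hijacked value is the one from the slide, constructed here as test data.

```python
"""Check the exefile shell-open command for a hijacked handler (registry shell spawning)."""
import re
import sys
from typing import Optional

KEY_PATH = r"exefile\shell\open\command"
# The stock value: the EXE path in quotes, then the rest of the command line.
EXPECTED = '"%1" %*'


def classify_exefile_command(value: Optional[str]) -> str:
    """Return 'default', 'missing', or 'hijacked:<what runs before the real target>'."""
    if value is None:
        return "missing"
    norm = re.sub(r"\s+", " ", value.strip())
    if norm == EXPECTED:
        return "default"
    # Whatever sits before "%1" is launched first and gets the real EXE as an argument.
    idx = norm.find('"%1"')
    prefix = norm[:idx].strip() if idx > 0 else norm
    return "hijacked:" + prefix


def effective_command_line(command_value: str, exe_path: str, args: str) -> str:
    """Expand %1 and %* the way the shell does, so the resulting launch can be inspected."""
    return command_value.replace("%1", exe_path).replace("%*", args)


def read_live_value() -> Optional[str]:
    """Read the live default value on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows only
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, KEY_PATH) as key:
        return winreg.QueryValueEx(key, "")[0]


# Constructed values: the default and the hijacked entry from the slide.
DEFAULT_VALUE = '"%1" %*'
HIJACKED_VALUE = r'"C:\Windows\System32\virus.exe" "%1" %*'

if __name__ == "__main__":
    live = read_live_value()
    if live is not None:
        print("live value:", classify_exefile_command(live))
    for v in (DEFAULT_VALUE, HIJACKED_VALUE):
        print(classify_exefile_command(v), "->",
              effective_command_line(v, r"C:\windows\test.exe", "-arg1 -arg2"))
```

The same check applies to the other shell-spawn targets a practitioner would audit (`batfile`, `comfile`, `piffile`, `scrfile`), since each has its own `shell\open\command` value with the same `"%1" %*` default.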

11
Registry Shell Spawning
12
  • Self Protection

13
Process Hiding
  • API Hooking (fashionable way)
  • Intercepts calls made by the hooked process
  • Task Manager retrieves the list of running processes by calling NtQuerySystemInformation in ntdll (SystemProcessInformation class), which returns a chain of process entries linked by NextEntryOffset
  • The goal is to intercept the NtQuerySystemInformation calls made by Task Manager and unlink our evil process's entry before the result reaches Task Manager's own code
  • Sometimes avoided because of its complexity
  • For this technique we need to inject a DLL into the target process's memory space
  • So the virus must carry a DLL as part of its payload

14
Process Hiding
  • Naming to svchost (dirty way)
  • All we need to do is name our evil executable file svchost.exe
  • There is always more than one svchost process running, so our virus will stay unnoticed by the user
  • Some say it is a lame technique, but the truth is that it is very effective
  • It is widely used because no implementation is needed
  • The giveaway: every genuine svchost.exe runs from %SystemRoot%\System32 (or SysWOW64) and is started by services.exe, so an impostor stands out by image path or parent process
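An added example, not part of the presentation, of the cross-check that exposes this trick: a genuine svchost.exe is always loaded from the System32 (or SysWOW64) directory of the Windows installation and always has services.exe as its parent. The process records are constructed, and the code assumes Windows lives in C:\Windows; adjust `GENUINE_DIRS` for other installations.

```python
"""Flag processes that borrow the svchost.exe name but do not look like the real service host."""
import ntpath
from dataclasses import dataclass
from typing import List

# Where the genuine binary lives (assumes Windows on C:); SysWOW64 covers 32-bit instances.
GENUINE_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
GENUINE_PARENT = "services.exe"   # every real svchost is started by the Service Control Manager


@dataclass
class Proc:
    pid: int
    name: str
    image_path: str
    parent_name: str


def is_svchost_impostor(p: Proc) -> bool:
    """True for an svchost.exe whose image path or parent does not match the real one."""
    if p.name.lower() != "svchost.exe":
        return False
    # ntpath handles Windows separators regardless of the platform this runs on
    directory = ntpath.dirname(p.image_path).lower().rstrip("\\")
    if directory not in GENUINE_DIRS:
        return True
    return p.parent_name.lower() != GENUINE_PARENT


def find_impostors(procs: List[Proc]) -> List[int]:
    """PIDs of every svchost.exe that fails the path or parent check."""
    return [p.pid for p in procs if is_svchost_impostor(p)]


# Constructed process list (not taken from a real system).
SAMPLE_PROCS = [
    Proc(812, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    Proc(916, "svchost.exe", r"C:\Windows\SysWOW64\svchost.exe", "services.exe"),
    Proc(2044, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "explorer.exe"),
    Proc(2100, "SVCHOST.EXE", r"C:\Windows\System32\svchost.exe", "cmd.exe"),
    Proc(3000, "notepad.exe", r"C:\Windows\System32\notepad.exe", "explorer.exe"),
]

if __name__ == "__main__":
    print("impostor PIDs:", find_impostors(SAMPLE_PROCS))
```

Keep in mind that the previous slide's hooking technique tampers with the very process list this check reads, so the records should come from a source the suspect cannot hook (a kernel driver, or a second, non-Task-Manager view) rather than from a single user-mode enumeration.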

15
Fucking AVs
  • AV Killer
  • The AV Killer does the dirty job of taking AVs out of orbit
  • The first thing we need to implement an AV Killer is a list of AV process names
  • The virus loops through the list of running processes looking for those names and kills them
  • The technique can be dangerous if misused

16
  • Advanced Code Evolution Techniques

17
Evolution of Code
  • Encrypted Viruses
  • Oligomorphic Viruses
  • Polymorphic Viruses
  • Metamorphic Viruses

18
Evolution of Code
  • Evolution baby evolution!!!
  • Antivirus defense techniques
  • Signature verification
  • Heuristic Analysis

19
Evolution of Code
  • Encrypted
  • The first method implemented: the virus body is stored encrypted and a small constant decryptor restores it at run time, so only the decryptor is visible to a static scanner

20
Evolution of Code
  • Encrypted Perl Virus

21
Evolution of Code
  • Oligomorphic
  • Evolved form of encrypted viruses
  • Semi-polymorphic
  • Multiple decryption patterns: a small set of different decryptors, one chosen at random per generation
  • Hides in a random way, so one signature no longer matches every sample

22
Evolution of Code
  • Oligomorphic Perl Virus

23
Evolution of Code
  • Polymorphic
  • Next step in the evolution of oligomorphic techniques
  • Oligomorphic vs. polymorphic: a fixed handful of decryptors vs. a generator that produces a practically unlimited number of them
  • Techniques
  • Junk instructions
  • Permutation
  • Entry point obfuscation
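An added toy model, not from the presentation, covering the encrypted, oligomorphic and polymorphic slides at once: the decryptors are strings in a made-up assembly and the payload is a harmless byte string, but the scanner-side logic is real. A static signature is taken from the plain encrypted virus's decryptor with the key wildcarded; an emulating scanner instead runs the decryptor (here: reads the key out of the xor instruction), decrypts, and hashes the constant body that appears. The templates, junk instructions and seeds are all constructed for the example.

```python
"""Toy model of encrypted, oligomorphic and polymorphic decryptors and what a scanner sees.
The "instructions" are strings in a made-up assembly; nothing here executes a payload."""
import hashlib
import random
import re
from typing import List, Tuple

BODY = b"constant virus body: the part that never changes between generations"  # constructed


def xor_crypt(data: bytes, key: int) -> bytes:
    """XOR with a one-byte key; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


# Each template is (order-independent setup instructions, decryption loop).
TEMPLATES = [
    (["mov ecx, LEN", "mov esi, BODY"], ["xor [esi], KEY", "inc esi", "loop back"]),
    (["mov edx, LEN", "lea edi, BODY"], ["xor byte [edi], KEY", "add edi, 1", "dec edx", "jnz back"]),
    (["mov ebx, LEN", "mov eax, BODY"], ["xor [eax], KEY", "inc eax", "dec ebx", "jnz back"]),
]
JUNK = ["nop", "mov eax, eax", "push ebx", "pop ebx", "xchg ecx, ecx"]


def _fill(ins: List[str], key: int) -> List[str]:
    return [i.replace("KEY", "0x%02x" % key) for i in ins]


def encrypted_decryptor(key: int, rng: random.Random) -> List[str]:
    setup, loop = TEMPLATES[0]              # always the same decryptor, only the key changes
    return _fill(setup + loop, key)


def oligomorphic_decryptor(key: int, rng: random.Random) -> List[str]:
    setup, loop = rng.choice(TEMPLATES)     # one of a few fixed decryptors
    return _fill(setup + loop, key)


def polymorphic_decryptor(key: int, rng: random.Random) -> List[str]:
    setup, loop = rng.choice(TEMPLATES)
    setup = rng.sample(setup, len(setup))   # permutation of the independent setup instructions
    out: List[str] = []
    for ins in _fill(setup + loop, key):
        out.append(ins)
        out.extend(rng.sample(JUNK, rng.randint(1, 2)))   # junk after every instruction
    return out


BUILDERS = {"encrypted": encrypted_decryptor,
            "oligomorphic": oligomorphic_decryptor,
            "polymorphic": polymorphic_decryptor}


def generate(kind: str, seed: int) -> Tuple[List[str], bytes]:
    """One generation of the virus: (decryptor, encrypted body)."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)
    return BUILDERS[kind](key, rng), xor_crypt(BODY, key)


# Static signature taken from the plain encrypted virus: its decryptor with the key wildcarded.
SIGNATURE = re.compile(
    re.escape(";".join(TEMPLATES[0][0] + TEMPLATES[0][1])).replace("KEY", r"0x[0-9a-f]{2}"))


def static_match(decryptor: List[str]) -> bool:
    return SIGNATURE.search(";".join(decryptor)) is not None


def emulate_and_hash(decryptor: List[str], blob: bytes) -> str:
    """What an emulating scanner does: run the decryptor (here: pull the key out of the
    xor instruction), decrypt, and hash the constant body that appears."""
    for ins in decryptor:
        m = re.match(r"xor .*?, (0x[0-9a-f]{2})$", ins)
        if m:
            return hashlib.sha256(xor_crypt(blob, int(m.group(1), 16))).hexdigest()
    raise ValueError("no xor instruction found")


BODY_HASH = hashlib.sha256(BODY).hexdigest()


def static_hits(kind: str, n: int = 20) -> int:
    """How many of n generations the static signature catches."""
    return sum(static_match(generate(kind, s)[0]) for s in range(n))


def emulation_hits(kind: str, n: int = 20) -> int:
    """How many of n generations the emulate-then-hash approach catches."""
    return sum(emulate_and_hash(*generate(kind, s)) == BODY_HASH for s in range(n))


if __name__ == "__main__":
    for kind in BUILDERS:
        print("%-12s static signature: %2d/20   after emulation: %2d/20"
              % (kind, static_hits(kind), emulation_hits(kind)))
```

The static signature catches every encrypted generation, only the oligomorphic generations that happen to pick the first template, and no polymorphic generation at all, because the junk instructions break the contiguous pattern. Emulation catches all three because the decrypted body never changes; that constant body is exactly what the metamorphic technique on the next slide removes.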

24
Evolution of Code
  • Metamorphic
  • Natural evolution of polymorphics
  • Polymorphic vs. metamorphic: a polymorphic virus still carries a constant body under the encryption, while a metamorphic virus rewrites its whole code each generation and has no constant body to decrypt
  • Black Box
