Malicious Software and Security Programming Lecture 6 - PowerPoint PPT Presentation
Provided by: Lesley106
Slides: 26

Transcript and Presenter's Notes

1
Malicious Software and Security Programming
Lecture 6
  • In this lecture we will examine a number of
    anti-anti-virus techniques:
  • Stealth
  • Polymorphism and encryption
  • Retroviruses
  • Anti-emulation
  • Armoured viruses

2
Stealth
  • Stealth is simply a set of techniques viruses can
    use in order to conceal themselves from
    anti-virus software
  • Principally it consists of manipulating the OS
    environment so that the state of the system
    appears identical to the state it had before the
    virus reproduced itself into some elements of the
    system, even though those elements have actually
    been changed

3
  • Stealth normally requires that the virus make
    itself memory resident (similar to the behaviour
    checker anti-virus program)
  • The simplest form of stealth involves the virus
    intercepting software interrupts, just as the
    behaviour checker does
  • So it will hook interrupts, processing any
    requests that concern a file it has infected and
    presenting to the program using the software
    interrupt the information that would have been
    returned if the file had not been infected.

4
  • So it would intercept requests for file size or
    date of last modification and return the
    pre-infection values
  • In response to a file read request it can also
    make sure that only the pre-infection file
    contents are returned, e.g. in a file-appending
    virus, reading the entry point at the start of
    the code makes the virus return the host code
    with the original host bytes swapped back into
    their correct position, and an attempt to read
    beyond the original end of the host gets an EOF
    value returned

5
  • One virus deletes itself from all copies of the
    infected file that someone else makes, so anyone
    wanting to examine the file on an isolated system
    that does not have the virus running memory
    resident will actually get a clean copy of the
    file and all would appear well
  • Since there are usually many different ways of
    getting at the same information, the stealth
    virus must try to subvert all of them

6
  • Anti-virus software must therefore check all
    known ways of getting at this information in
    order to detect possible inconsistencies which
    would highlight something strange going on
  • Alternatively, anti-virus software may bypass the
    interrupt mechanism entirely: interrupt tunnelling

7
  • This means locating the actual ISR code and going
    straight to it in order to bypass any
    re-direction via an intercepted vector in the
    vector table, i.e. it bypasses the vector table.
    This would defeat simple stealth viruses.
  • Of course the same mechanism is available to the
    virus to defeat behaviour checkers that intercept
    software interrupts: it can tunnel past the
    interrupt hook to the ISR

8
  • The virus can also modify the ISR code itself to
    call the virus's code first, which has the same
    effect as hooking an interrupt; this defeats any
    interrupt tunnelling that anti-virus software
    might do
  • The only option left for the anti-virus software
    is to attempt direct hardware access, with all the
    hardware-dependent problems that result
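The cross-check described on slides 6 to 8, as an added example constructed for this page rather than code from the lecture or any real scanner: a hooked metadata call keeps reporting a file's pre-infection size, while the scanner obtains the size by an independent route (reading to EOF, the effect interrupt tunnelling aims for) and flags any disagreement. The class and function names, the sample host bytes and the appended bytes are all constructed.

```python
"""Constructed model of the stealth cross-check: a resident hook reports
pre-infection sizes; the scanner compares that with an independent route."""
import os
import tempfile

ORIGINAL_HOST = b"MZ original host program\n"  # constructed sample host
APPENDED = b"<appended code>" * 4            # constructed appended bytes

class HookedFileApi:
    """Models the hooked interrupt: keeps reporting the old size of any
    file it has appended to (the stealth behaviour from slide 4)."""
    def __init__(self):
        self.pre_infection = {}  # path -> size before modification

    def infect(self, path, extra):
        self.pre_infection[path] = os.stat(path).st_size
        with open(path, "ab") as f:
            f.write(extra)

    def stat_size(self, path):
        # Stealth: hand back the old value for files the hook 'owns'.
        if path in self.pre_infection:
            return self.pre_infection[path]
        return os.stat(path).st_size

def direct_size(path):
    # Independent route: count bytes by reading to EOF with raw os.read
    # instead of trusting a metadata call that a hook could answer.
    fd = os.open(path, os.O_RDONLY)
    total = 0
    try:
        while chunk := os.read(fd, 4096):
            total += len(chunk)
    finally:
        os.close(fd)
    return total

def inconsistent(api, path):
    # Scanner check: the two routes must agree, otherwise flag the file.
    return api.stat_size(path) != direct_size(path)

def demo():
    """One clean file, one appended-to file; returns the check results."""
    with tempfile.TemporaryDirectory() as d:
        clean, host = os.path.join(d, "clean.exe"), os.path.join(d, "host.exe")
        for p in (clean, host):
            with open(p, "wb") as f:
                f.write(ORIGINAL_HOST)
        api = HookedFileApi()
        api.infect(host, APPENDED)
        return {"clean": inconsistent(api, clean), "host": inconsistent(api, host)}
```

As slide 8 notes, the check only helps while the second route really is independent of the hook; a virus that patches the ISR itself removes that independence.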

9
Polymorphism
  • Scanners work on the basis of finding some
    invariants in the virus code which they can use
    as a signature
  • Polymorphism and encryption are mechanisms that
    attempt to eliminate such invariants
  • Typically some form of encryption is used to hide
    the main body of the virus, with a different key
    used for each copy of the virus

10
  • The decryption component then uses polymorphic
    techniques to ensure that there is no reasonable
    invariant that can be used in the decryption part
    of the code
  • The encryption/decryption technique is usually
    something simple; after all, it needs to be quick
    and it is not attempting to defeat a cryptanalyst,
    just scanner technology, so it only needs to give
    a different set of bytes for each file it infects

11
  • So it could be something as simple as XORing the
    virus code with some of the bytes of the genuine
    host code and with a 32-bit key value, or one of
    many other variants on a similar idea
  • The decryption code can have its code structure
    mutated from each copy to the next by
    interleaving code that has no real effect into
    the code that does the decryption

12
  • One very simple but effective technique would be
    to push some registers whose values the decryptor
    is using onto the stack, execute code that does
    something to those registers (and even changes a
    data area set up for this purpose), then pop the
    original values back; do 2 or 3 decryption
    instructions; then push some registers again, do
    something (modify the dummy data area), pop the
    values back, and so on

13
  • This is very difficult for a heuristic analyser
    to see, as pushing registers, doing something and
    popping the original values back is absolutely
    standard assembly language and compiler code
    generation practice; all normal code does this
    sort of thing all the time, and by having a dummy
    data area it even looks like real work is being
    done by the process
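One scanner-side answer to the push/junk/pop interleaving on slides 10 to 13 is to normalise the decryptor before matching it. This toy normaliser over a textual instruction list is an added example constructed for this page, not code from the lecture or any real scanner; the SCRATCH name, the instruction strings, the two VARIANT lists and the CORE pattern are all constructed.

```python
"""Toy normaliser for the decryptor structure on slides 10-13: strip
'push r ; junk writing only r or the dummy area ; pop r' groups, then
look for the constant decryption core. Constructed for this page."""
SCRATCH = "[dummy]"  # the dummy data area the slides mention

def is_junk(reg, instr):
    # Harmless filler: no control flow, writes only the pushed reg or SCRATCH.
    if instr == "nop":
        return True
    if instr.startswith(("j", "call", "push", "pop", "ret")) or " " not in instr:
        return False
    dest = instr.split(None, 1)[1].split(",")[0].strip()  # first operand
    return dest in (reg, SCRATCH)

def strip_junk(code):
    # Delete side-effect-free push/pop groups; rescan from the start after
    # each removal because a removal may expose an enclosing group.
    code, i = list(code), 0
    while i < len(code):
        pop = "pop " + code[i][5:] if code[i].startswith("push ") else None
        j = code.index(pop, i) if pop in code[i:] else None
        if j is not None and all(is_junk(code[i][5:], x) for x in code[i + 1:j]):
            del code[i:j + 1]
            i = 0
        else:
            i += 1
    return code

def instr_matches(instr, pattern):
    # Token-wise compare; '?' in the pattern matches any single operand.
    a, b = instr.replace(",", " ").split(), pattern.replace(",", " ").split()
    return len(a) == len(b) and all(p in ("?", t) for t, p in zip(a, b))

def contains_core(code, core):
    # True if the core appears as a contiguous run somewhere in code.
    n = len(core)
    return any(all(instr_matches(code[i + k], core[k]) for k in range(n))
               for i in range(len(code) - n + 1))

# Constant core (count and key vary per copy, hence '?') and two constructed
# copies of the same decryptor carrying different junk and different keys.
CORE = ["mov esi, body", "mov ecx, ?", "xor byte [esi], ?", "inc esi", "loop decrypt"]
VARIANT_A = ["mov esi, body", "push eax", "inc eax", "mov [dummy], eax", "pop eax",
             "mov ecx, 0x80", "xor byte [esi], 0x5a", "push ebx", "xor ebx, 0x1234",
             "add [dummy], ebx", "pop ebx", "inc esi", "loop decrypt"]
VARIANT_B = ["push edx", "nop", "sub edx, 7", "pop edx", "mov esi, body",
             "mov ecx, 0x40", "push ecx", "mov [dummy], ecx", "pop ecx",
             "xor byte [esi], 0xc3", "inc esi", "loop decrypt"]

def detect(code):
    return contains_core(strip_junk(code), CORE)
```

The raw variants share no contiguous signature, but both reduce to the same core once the filler is removed; real scanners do this on bytes, usually by emulating the decryptor rather than pattern-matching its text.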

14
  • Many other techniques exist, e.g. the virus can
    dynamically construct the real virus code in a
    data area and then jump to that area for
    execution, i.e. treat the machine code of the
    virus as data that is put together in a data
    area, so the virus code that is scanned does not
    appear to do anything inappropriate

15
Retroviruses
  • The name is applied to viruses that in some way or
    other target anti-virus software
  • It should be noted that anti-virus software has
    signatures just as viruses do, so a virus can scan
    memory to find memory resident anti-virus
    software and, having found it, modify part of its
    code so as to render it harmless to the virus
  • The Windows registry gives a virus a lot of
    information about what is installed on the system
    and where it is to be found in the file system

16
  • Hence it can modify the scanner software or the
    virus signature database
  • Of course anti-virus software knows this and will
    have an integrity checking mechanism built in,
    e.g. a hash function over its code which is
    checked as soon as the scanner is invoked.

17
  • Of course the virus writer may know what hash
    function is used, and even if there is a key used
    as a parameter to the hash function, that key
    must be stored somewhere on the system (and this
    location must be recorded in some fashion in the
    anti-virus software code)
  • So the virus may know where the key is stored, in
    which case it can modify the anti-virus software,
    recompute the hash function with the correct key
    and put in the new hash value so all looks OK
  • As I said yesterday, if you can infect the virus
    scanner you have the perfect host to permit the
    virus to infect any and all files on the system

18
Anti-emulation viruses
  • As the name suggests, these viruses attempt to
    defeat code emulators
  • 3 standard techniques:
  • 1. Outlast the emulator, i.e. delay obvious virus
    activity until after the first 2000 or so
    instructions have executed
  • 2. Overextend: essentially try to make the
    emulator fall over, e.g. by using undocumented
    CPU instructions which the emulator may not be
    designed to emulate, among many other tricks

19
  • 3. Outsmart: essentially having code that looks
    innocuous enough under heuristic-type analysis or
    behaviour checking, e.g. the emulator may be
    looking for activity that is typical of decrypting
    a virus body, such as sequentially stepping
    through some area of memory changing the bytes at
    those locations in some consistent manner, so the
    decryptor could decrypt in multiple passes or in
    segments rather than all at once

20
Armoured viruses
  • These are essentially viruses that have been
    designed to be difficult for anti-virus
    companies to analyse
  • 2 types
  • Anti-debugging
  • Anti-disassembly
  • Selective reproducing

21
Anti-debugging
  • Analysts may try to understand virus code
    activity by running it in a debugging environment
  • The virus may have code that checks to see if it
    is being run by a debugger, e.g. it could
    occasionally scan its own code looking for
    breakpoints; if it finds one then it is being
    debugged and it can then take appropriate action,
    e.g. locate and modify the debugger code.

22
Anti-disassembly
  • Makes making sense of the code extremely difficult
  • Classically by mixing data and code together,
    e.g. on some occasions using a memory location as
    data and on other occasions executing it as code
  • Also the dynamic code construction techniques
    discussed earlier

23
Selective reproduction
  • When a file is first identified as potentially
    being infected by a new virus, someone sends the
    file to the anti-virus software developers
  • They are inundated with such files and do not
    have the manpower to individually examine each
    one

24
  • So they might test to determine whether a virus
    is present by putting the potentially infected
    file in a controlled environment with other
    executables, allowing it to run and then
    checking to see if other candidate files have
    been infected; if so then you have a virus and
    you then investigate it carefully

25
  • However the controlled environments used by such
    companies tend to be predictable and relatively
    clean or sterile, not at all like the messy
    environment of a typical real system, so the virus
    can check the environment it is running in and, if
    it appears suspiciously clean, it can elect not to
    reproduce itself and go dormant; the result is
    that the anti-virus software guys think it is a
    false alarm, as the supposedly infected file did
    not infect any other files and so clearly does not
    contain a virus