Malicious Software and Security Programming Lecture 6

1
Malicious Software and Security Programming
Lecture 6

• In this lecture we will examine a number of
  anti-anti-virus techniques
• Stealth
• Polymorphism encryption
• Retroviruses
• Anti-emulation
• Armoured

2
Stealth

• Stealth is simply a set of techniques viruses can
  use in order to conceal themselves from
  anti-virus software
• Principally it consists in manipulating the OS
  environment in such a way as to make it appear
  that the state of the system is identical to that
  which it had prior to the virus having reproduced
  itself into some elements of the system thereby
  actually changing them

3

• Stealth normally requires that the virus make
  itself memory resident (similar to the behaviour
  checker anti-virus program)
• The simplest form of stealth involves the virus
  in intercepting software interrupts as the
  behaviour checker does
• So it will hook interrupts, processing any
  requests that concern a file that it has infected
  and present information to the program using the
  software interrupt which would be the case if the
  file had not been infected.

4

• So it would intercept requests for file size or
  date of last modification and return the
  pre-infected values
• It can also in response to a file read request
  make sure that the virus only returns the
  pre-infected file contents e.g. in a file
  appending virus, reading the entry point at the
  start of the code would make the virus return the
  host code with the original host code from the
  start of the program swapped back into its
  correct position, attempt to read beyond the end
  of the host gets an EOF value returned

5

• One virus deletes itself from all copies of the
  infected file that someone else makes so anyone
  wanting to examine the file on an isolated system
  that does not have the virus running as memory
  resident will actually get a clean copy of the
  file all would appear well
• Since they are usually many different ways of
  getting at the same information, the stealth
  virus must try and subvert all of them

6

• Anti-virus software must therefore check all
  known ways of getting at this information in
  order to detect possible inconsistencies which
  would highlight something strange going on
• anti-virus software may bypass the interrupt
  mechanism entirely interrupt tunnelling

7

• This means locating the actual ISR code and going
  straight to it in order to bypass any
  re-direction via an intercepted vector in the
  vector table i.e. it bypasses the vector table.
  This would defeat simple stealth viruses.
• Of course the same mechanism is available to
  virus to defeat behaviour checkers that intercept
  software interrupts it can tunnel past the
  interrupt to the ISR

8

• The virus can also modify the ISR code to call
  the viruses code first so it has the same
  effect as hooking an interrupt this would
  defeat interrupt tunnelling that an anti-virus
  software might do
• The only option left for the anti-virus software
  is to attempt direct hardware access with all the
  hardware dependent problems that results

9
Polymorphism

• Scanners work on the basis of finding some
  invariants in the virus code which it can se as a
  signature
• Polymorphism and encryption are mechanisms that
  attempt to eliminate such invariants
• Typically some form of encryption is used to hide
  the main body of the virus with different keys
  used for each copy of the virus

10

• The decryption component then uses polymorphic
  techniques to ensure that there is no reasonable
  invariant that can be used in the decryption part
  of the code
• Encryption/decryption technique is usually
  something simple after all it needs to be quick
  and it is not attempting to defeat a cryptanalyst
  just scanner technology so it just needs
  something that will give it a different set of
  bytes each file it infects

11

• So could be something as simple as XORing virus
  code with some of the bytes of the genuine host
  code and with a 32 bit key value and many other
  variants on similar idea
• The decryption code can have its code structure
  mutated from each copy to the next by
  interleaving code that has no real effect into
  code that does the decryption

12

• One very simple but effective technique would be
  to push some registers that have values the
  decryptor is suing on the stack execute code to
  do something to those registers and even change a
  data area set up for this purpose and then pop
  the original values back do 2 or 3 decryption
  instructions and then push some registers, do
  some thing (modify the dummy data area) and pop
  the values back, etc.

13

• This is very difficult for a heuristic analyser
  to see as pushing registers doing something and
  popping the original values back is absolute
  standard assembly language and compiler code
  generation practice all normal code does this
  sort of thing all the time by having a dummy
  data area it even looks like real work is being
  done by the process

14

• Many techniques e.g. can dynamically construct
  the real virus code in a data area and then jump
  to that area for execution i.e. treat machine
  code of virus as data that is put together in
  data area so virus code that is scanned does
  not do anything inappropriate

15
Retroviruses

• Name is applied to viruses that in some way or
  other target anti-virus software
• It should be noted that anti-virus software have
  signatures just as viruses do, so virus can scan
  memory to find memory resident anti-virus
  software and having found it modify part of its
  code so as to render it harmless to the virus
• Windows registry give virus a lot of information
  about what is installed on the system and where
  it is to be fond in the file system

16

• Hence can modify scanner software or virus
  signature database
• Of course anti-virus software knows this and will
  have an integrity checking mechanism built in
  hash function on its code which is checked as
  soon as the scanner is invoked.

17

• Of course virus writer may know what the hash
  function is that is used and even if there is an
  key used as a parameter to hash function that
  key must be stored somewhere on system (and this
  location must be recorded in some fashion in
  anti-virus software code)
• so virus may know where key is stored in which
  case it can modify anti-virus software and
  recompute hash function with correct key and put
  in new hash function so all looks OK
• As I said yesterday if you can infect virus
  scanner you have the perfect host to permit virus
  to infect all and any files on the system

18
Anti-emulation viruses

• As name suggests these viruses attempt to defeat
  code emulators
• 3 standard techniques
• 1. Outlast emulator i.e. delay obvious virus
  activity until after the first 2000 or so
  instructions have occurred
• 2. Overextend essentially try and make emulator
  fall over e.g. undocumented CPU instructions
  which the emulator may not be designed to emulate
  many others

19

• 3. Outsmart essentially having code that looks
  innocuous enough under heuristic type analysis or
  behaviour checking so emulator may be looking
  for activity that is typical of decrypting a
  virus body e.g. sequentially stepping through
  some area of memory changing bytes at those
  locations in some consistent manner so
  decryptor could decrypt in multiple passes or in
  segments rather than all at once

20
Armoured viruses

• These are essentially viruses that have been
  designed to make them difficult for anti-virus
  companies to analyse
• 2 types
• Anti-debugging
• Anti-disassembly
• Selective reproducing

21
Anti-debugging

• May try and understand virus code activity by
  running it in a debugging environment
• Virus may have code that checks to see if it
  being run by a debugger e.g. it could
  occasionally scan its own code looking for creak
  points if it finds one then it is being
  debugged and it can then take appropriate action
  e.g. locate and modify debugger code.

22
Anti-disassembly

• Make making sense of code extremely difficult
• Classically by mixing data and code together
  e.g. on some occasions using a memory location as
  data and other occasions executing it as code
• Dynamic code construction techniques discussed
  earlier

23
Selective reproduction

• When a file is first identified as potentially
  being infected by a new virus some one sends the
  file to the anti-virus software developers
• They are inundated with such files and do not
  have the manpower to individually examine each
  one

24

• So they might test to determine whether a virus
  is present by putting the potentially infected
  file in a controlled environment with other
  executables and allowing it to run and then
  checking to see it other candidate files have
  been infected if so then you have a virus and
  you then investigate it carefully

25

• However the controlled environments used by such
  companies tend to be predictable and relatively
  clean or sterile not at all like the messy
  environment of a typical real system so virus
  can check the environment it is running in and if
  it appears suspiciously clean it can elect not
  reproduce it self and go dormant result the
  anti-virus software guys think it is a false
  alarm as the supposed infected file did not
  infect any other files and so clearly does not
  contain a virus