Viruses and Anti-Viruses

50

Transcript of Viruses and Anti-Viruses

Page 1: Viruses and Anti-Viruses
Page 2: Viruses and Anti-Viruses

Plan of talk

• Kinds of malware
• Anti-Virus Technologies
• Anti-Anti-Virus Techniques
• Example: Timid Virus
• Code Explanation


Page 3: Viruses and Anti-Viruses

Kinds of malware

• Worms
• Spyware
• Trojan horses
• Adware

Page 4: Viruses and Anti-Viruses

Worms

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always harm the network (if only by consuming bandwidth), whereas viruses infect or corrupt files on a targeted computer.

Page 5: Viruses and Anti-Viruses

Worm Propagation (figure): leverages network connectivity

Page 6: Viruses and Anti-Viruses

Spyware

Spyware is computer software that collects personal information about users without their informed consent. The term spyware is often used interchangeably with adware and malware.

Personal information is secretly recorded with a variety of techniques, including logging keystrokes, recording Internet web browsing history, and scanning documents on the computer's hard disk. The effects range from theft of passwords and financial details to the merely annoying recording of Internet search history for targeted advertising. Spyware may collect different types of information: some variants attempt to track the websites a user visits and then send this information to an advertising agency, while more malicious variants attempt to intercept passwords or credit card numbers as a user enters them into a web form or other application.

Page 7: Viruses and Anti-Viruses

Trojan horses

A Trojan horse is a program that, unlike a virus, does not replicate itself; it contains or installs a malicious program (sometimes called the payload or 'trojan'). The term is derived from the classical myth of the Trojan Horse. Trojan horses may appear to be useful or interesting programs (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.

Trojan horses are a well-known vehicle in hacking.

Page 8: Viruses and Anti-Viruses

Trojan (figure): leverages gullible users

Page 9: Viruses and Anti-Viruses

Adware

Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used.

Page 10: Viruses and Anti-Viruses

The functional logic of a virus

• Search for a file to infect.
• Open the file to see if it is already infected.
• If it is infected, search for another file.
• Otherwise, infect the file.
• Return control to the host program.

Page 11: Viruses and Anti-Viruses

Virus (figure): a virus needs a host

Page 12: Viruses and Anti-Viruses

Virus Propagation (figure): leverages user connectivity

Page 13: Viruses and Anti-Viruses


Page 14: Viruses and Anti-Viruses

Detection Technologies

Static Anti-Virus (AV) Scanners
• Signature-based: strings, regular expressions
• Static behavior analyzer

Dynamic AV Scanners
• Behavior monitors

Page 15: Viruses and Anti-Viruses

Virus (Malware) Identification (figure: the anti-virus scanner matches a signature against virus form A)

Antivirus scanners use extracted patterns, or "signatures", to identify known malware.

Page 16: Viruses and Anti-Viruses

Static Signature

Hex strings from three variants of the same virus:

67 33 74 20 73 38 6D 35 20 76 37 61
67 36 74 20 73 32 6D 37 20 76 38 61
67 39 74 20 73 37 6D 33 20 76 36 61

Hex string for detecting the virus (?? = one-byte wildcard):

67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61

Page 17: Viruses and Anti-Viruses

Static Signature example:

8BEF 33C0 BF?? ???? ??03 FDB9 ??0A 0000 8A85 ???? ???? 3007 47E2 FBEB
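An added worked example, not from the slides: a small Python signature matcher that derives the page-16 detection string from the three variant strings and compiles wildcard signatures into a bytes regular expression. The three variant strings and both signatures are copied from pages 16 and 17; the buffer SAMPLE_PAGE17 is constructed here (the page-17 pattern with arbitrary bytes in the wildcard slots, padded with NOPs) and is not real virus code.

```python
import re

# Signatures copied from the slides (pages 16 and 17). '??' is a one-byte wildcard.
SIG_PAGE16 = "67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61"
SIG_PAGE17 = "8BEF 33C0 BF?? ???? ??03 FDB9 ??0A 0000 8A85 ???? ???? 3007 47E2 FBEB"

# The three variant byte strings from page 16 (the same 12-byte region in three variants).
VARIANTS_PAGE16 = [
    bytes.fromhex("67 33 74 20 73 38 6D 35 20 76 37 61"),
    bytes.fromhex("67 36 74 20 73 32 6D 37 20 76 38 61"),
    bytes.fromhex("67 39 74 20 73 37 6D 33 20 76 36 61"),
]

# Constructed sample (not a real virus): the page-17 pattern with arbitrary bytes
# in the wildcard slots, embedded at offset 8 between NOP padding.
SAMPLE_PAGE17 = (
    b"\x90" * 8
    + bytes.fromhex("8BEF 33C0 BF AABBCCDD 03 FDB9 EE0A0000 8A85 11223344 3007 47E2 FBEB")
    + b"\x90" * 4
)


def derive_signature(variants):
    """Build a wildcard signature from aligned samples of several variants:
    a byte position identical in every sample is kept, a position that differs
    becomes '??' (the page-16 step from three hex strings to one detection string)."""
    length = min(len(v) for v in variants)
    tokens = []
    for i in range(length):
        column = {v[i] for v in variants}
        tokens.append("??" if len(column) > 1 else "%02X" % column.pop())
    return " ".join(tokens)


def compile_signature(sig):
    """Compile a hex signature with '??' wildcards into a bytes regex.
    Whitespace is ignored, so the spaced form of page 16 and the grouped
    form of page 17 are both accepted."""
    compact = re.sub(r"\s+", "", sig)
    if len(compact) % 2:
        raise ValueError("odd number of hex digits in signature")
    parts = []
    for i in range(0, len(compact), 2):
        token = compact[i:i + 2]
        parts.append(b"." if token == "??" else re.escape(bytes([int(token, 16)])))
    # DOTALL so that a wildcard also matches the byte 0x0A (newline).
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data, signatures):
    """Return (name, offset) for every occurrence of every signature in data."""
    hits = []
    for name, sig in signatures.items():
        for m in compile_signature(sig).finditer(data):
            hits.append((name, m.start()))
    return hits
```

derive_signature automates the page-16 step; compile_signature and scan are the scanner side. The page-17 signature is a small decryptor loop (mov ebp,edi; xor eax,eax; mov edi,imm32; add edi,ebp; mov ecx,imm32; then mov al,[ebp+disp32]; xor [edi],al; inc edi; loop; jmp), and the wildcarded bytes are exactly its immediates and displacement, which differ from variant to variant; that is why a fixed string would not cover the family.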

Page 18: Viruses and Anti-Viruses

Dynamic Signature

Monitor a running program to detect malicious behavior.

For example, if an application opens another executable for write access, the behavior blocker might display a warning asking for the user's permission before granting the write access. The counter-technique against such blockers (slow infectors) is discussed later.

Page 19: Viruses and Anti-Viruses


Page 20: Viruses and Anti-Viruses

Attacking Integrity Checkers

• Intercept the open() system call and open a non-infected backup of the file instead
• Restore the system to its original state after the attack
• Infect the system before the checksums are computed

The last attack works because a checksum database is only as trustworthy as the system state at the time it was built.

Page 21: Viruses and Anti-Viruses

Attacking static signatures: Metamorphism

(figure: Virus Form A --M--> Virus Form B --M--> Virus Form C, where M is the metamorphic engine)

• Metamorphic malware changes as it propagates
• It creates multiple variants of itself

Page 22: Viruses and Anti-Viruses

Metamorphism Example

Original instruction:

mov [ebp - 3], eax

Equivalent sequences produced by the metamorphic engine (register renaming, instruction substitution, junk insertion):

push ecx
mov ecx, ebp
add ecx, 33
push esi
mov esi, ecx
sub esi, 34
mov [esi - 2], eax
pop esi
pop ecx

push ecx
mov ecx, ebp
push eax
mov eax, 33
add ecx, eax
pop eax
push esi
mov esi, ecx
push edx
mov edx, 34
sub esi, edx
pop edx
mov [esi - 2], eax
pop esi
pop ecx

push ecx
mov ecx, [ebp + 10]
mov ecx, ebp
push eax
add eax, 2342
mov eax, 33
add ecx, eax
pop eax
mov eax, esi
push eax
mov esi, ecx
push edx
xor edx, 778f
mov edx, 34
sub esi, edx
pop edx
mov [esi - 2], eax
pop esi
pop ecx

push ecx
mov ecx, ebp
add ecx, 33
mov [ecx - 36], eax
pop ecx

Page 23: Viruses and Anti-Viruses

Attacking static signatures: Metamorphism

(figure: the anti-virus scanner holds one signature, but the virus appears as Form A, Form B and Form C, each produced from the previous one by the metamorphic engine M)

Too many signatures challenge the AV scanner: keeping a different signature for each variant cannot scale.

Page 24: Viruses and Anti-Viruses

Attacking Behavior Monitors

Some viruses can wait patiently until write access to the object is granted. These viruses are called slow infectors. Such a virus typically waits until the user makes a copy of an executable object; the virus (which is already loaded in memory) can then infect the target in the file cache before the file is written to disk, so the blocker sees only the user's own legitimate write. Slow infectors attack behavior blockers effectively.

Page 25: Viruses and Anti-Viruses


Page 26: Viruses and Anti-Viruses

“Undo” Metamorphism

Every sequence on the Metamorphism Example slide (page 22) is presented as a rewriting of the single instruction

mov [ebp - 3], eax

Undoing the transformations (removing the push/pop pairs, folding the constant arithmetic, dropping dead instructions) normalizes each variant back to that instruction, so one signature can again cover the whole family.

Page 27: Viruses and Anti-Viruses

Detecting Metamorphism

• Behavior monitors: run the suspect program in an emulator (code emulation) and analyze its behavior while running
• Look for changes in file structure: some viruses modify files in a consistent way
• Disassemble and look for virus-like instructions

Page 28: Viruses and Anti-Viruses

Code Emulation

Code emulation is an extremely powerful virus detection technique. A virtual machine is implemented to simulate the CPU and memory management systems and mimic the code execution. Malicious code is thus simulated in the scanner's virtual machine, and no actual virus code is executed by the real processor.
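An added example, not from the slides: a Python emulator for the handful of x86 instructions the Metamorphism Example (page 22) uses. It runs each sequence from the same starting state and compares the observable effect (data stores and final registers), which is what a code-emulation engine does to undo metamorphism: instead of matching bytes it checks what the code does. The starting register values are arbitrary test values chosen here, immediates are read as decimal as written on the slide (hex only where the token is not all digits, as in 778f), and the stack is modelled separately from data memory. Note that the junk-padded variant exactly as transcribed contains mov eax, esi before the store, so it stores the old esi value and leaves eax clobbered; the emulator reports it as not equivalent, which is the kind of check a normalizer must make rather than trusting the pattern.

```python
import re

MASK = 0xFFFFFFFF
REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")

# Sequences from the "Metamorphism Example" slide, instructions separated by ';'.
ORIGINAL = "mov [ebp - 3], eax"
VARIANT_A = ("push ecx; mov ecx, ebp; add ecx, 33; push esi; mov esi, ecx; "
             "sub esi, 34; mov [esi - 2], eax; pop esi; pop ecx")
VARIANT_B = ("push ecx; mov ecx, ebp; push eax; mov eax, 33; add ecx, eax; pop eax; "
             "push esi; mov esi, ecx; push edx; mov edx, 34; sub esi, edx; pop edx; "
             "mov [esi - 2], eax; pop esi; pop ecx")
VARIANT_C = "push ecx; mov ecx, ebp; add ecx, 33; mov [ecx - 36], eax; pop ecx"
# The junk-padded variant exactly as transcribed on the slide.
VARIANT_JUNK = ("push ecx; mov ecx, [ebp + 10]; mov ecx, ebp; push eax; add eax, 2342; "
                "mov eax, 33; add ecx, eax; pop eax; mov eax, esi; push eax; mov esi, ecx; "
                "push edx; xor edx, 778f; mov edx, 34; sub esi, edx; pop edx; "
                "mov [esi - 2], eax; pop esi; pop ecx")
# Arbitrary starting state for the comparison (an assumption of this example).
INITIAL = {"eax": 0x11223344, "ebp": 0x1000, "ecx": 1, "edx": 2, "esi": 3}


def parse_imm(tok):
    # The slide gives no radix: all-digit tokens are decimal, others (778f) hex.
    return int(tok, 10) if tok.isdigit() else int(tok, 16)


def parse_operand(tok):
    """-> ('reg', name) | ('imm', value) | ('mem', base_reg, displacement)."""
    tok = tok.strip()
    m = re.fullmatch(r"\[\s*([a-z]+)\s*(?:([+-])\s*(\w+))?\s*\]", tok)
    if m:
        disp = parse_imm(m.group(3)) if m.group(3) else 0
        return ("mem", m.group(1), -disp if m.group(2) == "-" else disp)
    return ("reg", tok) if tok in REGS else ("imm", parse_imm(tok))


class Machine:
    """Concrete emulator for the mov/add/sub/xor/push/pop subset on the slide.
    Data memory is a sparse address -> 32-bit word map; the stack is kept apart
    (esp is not modelled) so that `stores` lists data stores only."""

    def __init__(self, regs):
        self.regs = {r: 0 for r in REGS}
        self.regs.update(regs)
        self.mem, self.stack, self.stores = {}, [], []

    def read(self, op):
        kind, *rest = op
        if kind == "imm":
            return rest[0]
        if kind == "reg":
            return self.regs[rest[0]]
        return self.mem.get((self.regs[rest[0]] + rest[1]) & MASK, 0)

    def write(self, op, val):
        kind, *rest = op
        val &= MASK
        if kind == "reg":
            self.regs[rest[0]] = val
        elif kind == "mem":
            addr = (self.regs[rest[0]] + rest[1]) & MASK
            self.mem[addr] = val
            self.stores.append((addr, val))
        else:
            raise ValueError("cannot write to an immediate")

    def run(self, asm):
        for line in re.split(r"[;\n]", asm):
            line = line.strip()
            if not line:
                continue
            mnem, _, rest = line.partition(" ")
            ops = [parse_operand(t) for t in rest.split(",")] if rest else []
            if mnem == "mov":
                self.write(ops[0], self.read(ops[1]))
            elif mnem == "add":
                self.write(ops[0], self.read(ops[0]) + self.read(ops[1]))
            elif mnem == "sub":
                self.write(ops[0], self.read(ops[0]) - self.read(ops[1]))
            elif mnem == "xor":
                self.write(ops[0], self.read(ops[0]) ^ self.read(ops[1]))
            elif mnem == "push":
                self.stack.append(self.read(ops[0]))
            elif mnem == "pop":
                self.write(ops[0], self.stack.pop())
            else:
                raise ValueError("unsupported instruction: " + line)
        return self


def effect(asm, regs=INITIAL):
    """Observable effect: (data stores, final registers, stack balanced)."""
    m = Machine(regs).run(asm)
    return (tuple(m.stores), tuple(sorted(m.regs.items())), not m.stack)


def equivalent(a, b, regs=INITIAL):
    """True when both sequences have the same observable effect from `regs`."""
    return effect(a, regs) == effect(b, regs)
```

Comparing effects on one concrete state is a necessary condition, not a proof of equivalence; a production normalizer would run several states or reason symbolically. It is still enough to collapse the three well-formed variants to the original store and to flag the junk variant, whose mov eax, esi changes both the stored value and eax.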

Page 29: Viruses and Anti-Viruses

Virus Phylogeny (figure: a tree relating variants of the Beagle/Bagle, Klez and NetSky families; unlabelled nodes are shown as ??)

Symantec names: W32.Beagle.A@mm, W32.Beagle.J@mm, W32.Beagle.U@mm, W32.Beagle.AO@mm, W32.Klez.F@mm, W32.Klez.I@mm, W32.NetSky.A, W32.NetSky.B, W32.NetSky.D

McAfee names: W32/Bagle.a@mm, W32/Bagle.j@mm, W32/Bagle.u@mm, W32/Bagle.ao@mm, W32/Klez.e@MM, W32/Klez.f@MM, W32/Klez.i@MM, W32/NetSky.A, W32/NetSky.B, W32/Bugbear.17916intd

Page 30: Viruses and Anti-Viruses

Virus Phylogeny (figure repeated with the Symantec and McAfee names of the same variants placed side by side in two columns; unlabelled nodes shown as ??)

Page 31: Viruses and Anti-Viruses

Deobfuscator of Calls

NORMAL CALL

L0: call L5
L1: …
L2: …
L3: …
L4: …
L5: <proc>
L6: …

OBFUSCATED CALL

L0a: push L1
L0b: push L5
L0c: ret
L1: …
L2: …
L3: …
L4: …
L5: <proc>
L6: …

Call obfuscations like this one (push the return address, push the target, ret) prevent static analysis: the disassembler sees no call instruction, so the call graph is missing the edge to the procedure.
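An added example, not the DOC tool's own algorithm: a pattern-based Python pass that rewrites the push/push/ret idiom above back into a call (and push/ret into a jmp) over a small instruction list constructed here, with the "…" slots filled by nop. DOC reasons about the stack more generally; the rewrite below only recognizes the literal adjacent pattern, and it refuses to absorb an instruction whose label is a branch target elsewhere, since removing it would leave that branch dangling.

```python
# Constructed listings in the style of page 31 (the '...' slots are nops here).
NORMAL = """
L0: call L5
L1: nop
L2: nop
L3: nop
L4: nop
L5: proc
L6: nop
"""
OBFUSCATED = """
L0a: push L1
L0b: push L5
L0c: ret
L1: nop
L2: nop
L3: nop
L4: nop
L5: proc
L6: nop
"""


def parse(text):
    """'LABEL: mnemonic [operand]' per line -> list of (label, mnemonic, operand)."""
    prog = []
    for line in text.strip().splitlines():
        label, _, rest = line.partition(":")
        mnem, _, operand = rest.strip().partition(" ")
        prog.append((label.strip(), mnem, operand.strip() or None))
    return prog


def unparse(prog):
    return "\n".join(f"{l}: {m}" + (f" {o}" if o else "") for l, m, o in prog)


def _rewrite(prog, second_mnem, matches, new_mnem, new_operand):
    """Merge adjacent 'push X' + <second_mnem> pairs into one instruction when
    `matches` approves and the absorbed instruction's label is not a branch
    target anywhere in the listing (removing it would break that branch)."""
    referenced = {op for _, _, op in prog if op}
    out, i = [], 0
    while i < len(prog):
        if (i + 1 < len(prog) and prog[i][1] == "push" and prog[i + 1][1] == second_mnem
                and prog[i + 1][0] not in referenced and matches(prog, i)):
            out.append((prog[i][0], new_mnem, new_operand(prog, i)))
            i += 2
        else:
            out.append(prog[i])
            i += 1
    return out


def deobfuscate_calls(prog):
    """Pass 1: push X; ret -> jmp X (ret pops exactly what push pushed).
    Pass 2: push R; jmp X -> call X when R is the label of the instruction that
    follows, because that is the return address a real call would push."""
    prog = _rewrite(prog, "ret", lambda p, i: True, "jmp", lambda p, i: p[i][2])
    return _rewrite(prog, "jmp",
                    lambda p, i: i + 2 < len(p) and p[i][2] == p[i + 2][0],
                    "call", lambda p, i: p[i + 1][2])
```

When the pushed return address is not the fall-through label, pass 2 leaves push R; jmp X in place: that is a jump with a fake return address, not a call, and folding it into one would misstate the control flow.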

Page 32: Viruses and Anti-Viruses

DOC: Deobfuscator of Calls


Page 33: Viruses and Anti-Viruses


Page 34: Viruses and Anti-Viruses

Timid

Our example of malware


Page 35: Viruses and Anti-Viruses

What the Timid virus does

Timid is a file-infecting virus. It does not become memory resident. It infects .COM files, including COMMAND.COM. Timid appears to be an escaped research virus and is now found in the public domain.

Each time a file infected with Timid is executed, the virus infects the first uninfected .COM file in the current directory. If no uninfected .COM file exists in the current directory, the system hangs.

The string "VI" is located in the fourth and fifth bytes (offsets 3 and 4) of infected files. Together with the jump instruction (E9h) at the beginning of the infected file, it forms the infection marker the virus uses to determine whether a file has already been infected.

Page 36: Viruses and Anti-Viruses

Overwriting Viruses (figure sequence, pages 36 to 39)

Page 40: Viruses and Anti-Viruses

Difference Between .COM and .EXE files

A .COM file is a direct image of how the program will look in main memory. A .COM program is limited to one 64K segment for code, data and stack combined (the first 100H bytes of which are the PSP), whereas an .EXE file can have as many segments as the linker will handle and be as large as RAM allows.

The actual file extension does not matter: DOS recognizes an .EXE image by the "MZ" signature at the start of the file and loads anything else as a .COM image.

In an .EXE program the programmer defines the stack segment; for a .COM program DOS sets up the stack automatically (SS is the PSP segment and SP points at the top of the 64K segment).
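An added example (not Timid's code and not from the slides): a Python scanner that applies the marker check from page 35 and the search loop from page 10 to the files in a directory, stopping short of the infection step. The samples are constructed here: MINIMAL_COM is the page-44 program assembled (B4 4C B0 00 CD 21), MARKED_COM is a dummy image that carries only the E9/VI marker, and MZ_IMAGE is a bare MZ header, included to show that a file named .COM can still be an .EXE image, which DOS decides by the header rather than the extension.

```python
import os
import tempfile

# Constructed samples (none of this is Timid's code).
# MINIMAL_COM: the page-44 program assembled (mov ah,4Ch; mov al,0; int 21h).
MINIMAL_COM = bytes.fromhex("B4 4C B0 00 CD 21")
# MARKED_COM: a dummy image carrying only the page-35 infection marker, a near
# jump (E9 rel16) at offset 0 and "VI" at offsets 3 and 4.
MARKED_COM = b"\xE9\x10\x00VI" + b"\x90" * 20
# MZ_IMAGE: a bare EXE header; DOS loads by this signature, not by the extension.
MZ_IMAGE = b"MZ" + bytes(62)


def is_mz_executable(head):
    return head[:2] in (b"MZ", b"ZM")


def has_timid_marker(head):
    """Timid's own infected-file test: E9h at byte 0 and 'VI' at bytes 3-4."""
    return len(head) >= 5 and head[0] == 0xE9 and head[3:5] == b"VI"


def classify(head):
    if is_mz_executable(head):
        return "exe"          # EXE layout: Timid's .COM logic does not apply
    if has_timid_marker(head):
        return "infected"
    return "clean"


def scan_directory(directory):
    """Classify every file named *.COM in `directory` from its first 5 bytes."""
    result = {}
    for name in sorted(os.listdir(directory)):      # sorted stands in for DOS order
        if name.upper().endswith(".COM"):
            with open(os.path.join(directory, name), "rb") as f:
                result[name] = classify(f.read(5))
    return result


def first_uninfected_com(directory):
    """The page-10 search loop without the infection step: the first .COM file
    that does not carry the marker, or None, which is the case in which Timid
    hangs instead of returning control to its host."""
    for name, kind in scan_directory(directory).items():
        if kind == "clean":
            return name
    return None


def demo(include_clean=True):
    """Write the constructed samples to a throw-away directory and scan it."""
    files = [("A.COM", MARKED_COM), ("B.COM", MINIMAL_COM),
             ("C.COM", MZ_IMAGE), ("D.EXE", MINIMAL_COM)]
    if not include_clean:
        files = [f for f in files if f[0] != "B.COM"]
    with tempfile.TemporaryDirectory() as d:
        for name, data in files:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return scan_directory(d), first_uninfected_com(d)
```

demo(include_clean=False) reproduces the page-35 failure mode: every .COM file already carries the marker (or is really an EXE image), the search finds nothing, and first_uninfected_com returns None where the real virus hangs.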

Page 41: Viruses and Anti-Viruses

Difference Between .COM and .EXE files

Page 42: Viruses and Anti-Viruses

How to Write a .COM program

Program size
• maximum 64K (including the 256-byte PSP)
• data, stack, and code in one 64K segment
• the stack segment in a COM program is generated automatically

Initialization for a COM program
• all four segment registers (CS, DS, ES, SS) are automatically initialized with the PSP address
• addressing begins at offset 100H, so after the .CODE directive the program needs the directive:

ORG 100H

Page 43: Viruses and Anti-Viruses

How to assemble it

Page 44: Viruses and Anti-Viruses

Example of .COM code

MAIN SEGMENT BYTE
ASSUME CS:MAIN,DS:MAIN,SS:NOTHING
ORG 100H
START:
FINISH:
mov ah,4CH
mov al,0
int 21H
MAIN ENDS
END START

Page 45: Viruses and Anti-Viruses

A .BAT file

A .BAT file is a file that contains a sequence, or batch, of commands. Batch files are useful for storing sets of commands that are always executed together, because you can simply enter the name of the batch file instead of entering each command individually.

Page 46: Viruses and Anti-Viruses
Page 47: Viruses and Anti-Viruses

TIMID: the host of our virus

Page 48: Viruses and Anti-Viruses

labels

Page 49: Viruses and Anti-Viruses


Page 50: Viruses and Anti-Viruses

Summary

• Malware kinds: virus, worms, Trojans, adware, spyware, etc.
• Anti-Virus Technologies: static and dynamic scanners; the AV process
• Anti-AV Techniques: transform, hide
• Research Results: undo transformation, detect obfuscation, create phylogeny
• Code explanation