Viruses & Antiviral Programs Seminar Malware Bonn-Aachen International Center for Information...

Viruses & Antiviral Programs

Seminar MalwareBonn-Aachen International Center for Information Technology Computer Security GroupDaniel LoebenbergerShahram Faridani19.November 2007

19.11.2007 Seminar Malware - bit 1

Overview

• Brief history of CIH• Propagation• Technical specifications• Removal and security measures• Variations of CIH• Coping with malicious software• Halting problem• Virus identification and obfuscation• Virus string & pattern matching• Countermeasure to scanners• Polymorphic & metamorphic viruses• Smart virus scanner


Overview

• Heuristic virus detection• Interrupt patching• Actual state of affairs• Summery• References


A Brief History Of CIH

• CIH Virus also known as Chernobyl or Spacefiller.– Originally CIH, the name Chernobyl was coined because of the

complete coincidence of the payload trigger date in some variants

of the virus, actually the virus writer's birthday and the Chernobyl

accident, which happened in Ukraine on April 26, 1986


A Brief History Of CIH

• author of the CIH virus:– Chen Ing Hau of Taiwan is also one of the more interesting

examples of legal battles involving virus writers.

• one of the most harmful widely circulated viruses.

• A Hardware destructive virus (very similar to Aragon Virus).– first discovered in 1992.

– It infects boot records and has the payload of resetting the BIOS.

– On computers running outdated BIOSes, this can result in hardware damage (the CIH virus being famous for this).


Propagation Of CIH

• It has been among the ten most common viruses for several months.

• It seems that at least four underground pirate software groups got infected with the CIH virus during summer 1998.

– They inadvertently spread the virus globally in new pirated softwares they released through their own channels.

• Some new games which will spread world-wide very quickly.

• Persistent rumor about a 'PWA-cracked copy' of Windows 98 which would be infected by the CIH virus.

• Later on, CIH was available by accident from several commercial sources, such as:


Propagation Of CIH

• Origin Systems website where a download related to the popular Wing Commander game was infected.

• At least three European PC gaming magazines shipped magazines where the cover CD-ROM was infected

– One of them even included a note inside advising users to disinfect their machines after using the CD-ROM.

• Yamaha shipped an infected version of a firmware update software for their CD-R400 drives.

• A widely spread demo version of the Activision game SiN was

infected as well.

• IBM shipped a batch of new Aptiva PCs with the CIH virus pre-installed during March 1999, just a month before the virus activates destructively.


Removal & Security Measures

• Most scanners detect CIH, however complete removal is almost impossible.

• Due to its infection mechanism, most antivirus software can deactivate the virus but cannot completely clean infected files.

• Ramifications: 1. infected files cannot be restored to their original state, and will therefore produce different

hashes or checksums than the original file, which could cause the file to fail integrity checks2. because the virus signature is still present within the file, the antivirus software will continue

to flag infected files, usually as "CIH (inactive)“.

• The only way to get completely rid of CIH is to replace the affected files with copies of untouched originals. For systems that were thoroughly infected, this likely entails a complete reinstallation of the operating system and software.


Removal & Security Measures

Some hardware manufacturers

for instance , Gigabyte went for

the Dual BIOS. This feature was

implemented at the time of the

CIH virus that could potentially

destroy the motherboard if it was

flashed into the BIOS, so

Gigabyte came out with this Dual

BIOS. It‘s a backup mechanism

that if one BIOS fails, the

backup BIOS will automatically

activate and the user will suffer no

downtime at all and it gives the

user peace of mind while flashing

the BIOS.


Modification History

• V1.0 (04/26/1998):

1. Create the virus program.

2. The virus modification IDT to get Ring0 privilege.

3. Virus code doesn’t reload into system.

4. Call IFSMgr_InstallFileSystemApiHook to hook file system.

5. Modifies entry point of IFSMgr_InstallFileApiHook.

6. When system opens existing PE file, the file will be infected, and the file doesn’t need to be reinfected.

7. It is also infected, even the file is READ-ONLY.

8. When the file is infected, the modification date and time of the file also don’t be changed.

9. When my virus uses IFSMgr_Ring0_FileI0, it will not call previous FileSystemApiHook, it will call the function that the IFS manager would normally call to implement this particular I/O request.

10. The virus size is only 656 bytes.


Ring0

• Hierarchical protection domains, often called protection rings, are a mechanism to protect data and functionality from faults and malicious behavior

• Ring0 is the level with the most privileges and interact most

directly with the physical memory

and CPU.


Privilege rings for the x86, along with their common uses


• V1.0 (04/26/1998):

1. Create the virus program.

2. The virus modification IDT to get Ring0 privilege.

3. Virus code doesn’t reload into system.

4. Call IFSMgr_InstallFileSystemApiHook to hook file system.

5. Modifies entry point of IFSMgr_InstallFileApiHook.

6. When system opens existing PE file, the file will be infected, and the file doesn’t need to be reinfected.

7. It is also infected, even the file is READ-ONLY.

8. When the file is infected, the modification date and time of the file also don’t be changed.

9. When my virus uses IFSMgr_Ring0_FileI0, it will not call previous FileSystemApiHook, it will call the function that the IFS manager would normally call to implement this particular I/O request.

10. The virus size is only 656 bytes.



• V1.1(05/15/1998):

1. Especially, the file that be infected will increase it’s size.

2. Hook and modify structured exception handing.

when exception error occurs, our OS should be in Windows NT. So the virus will not continue to run, it will jump to original application to run.

3. Use better algorithm, reduce virus code size.

4. The virus basic size is only 796 bytes

• V1.2(05/21/1998):

1. Kill all hard disk, and BIOS

2. Modify the bug of v1.1

3. The virus basic size is 1003 bytes.



• V1.3(05/24/1998):

1. Modify the bug that WinZip self-extractor occurs error. So when open WinZip self-extractor => doesn’t infect it.


• V1.4(05/31/1998):

1. Full modify the bug: WinZip self-extractor occurs error.

2. Change the date of killing computers.

3. Modify virus version copyright.



Other Variations

• CIH.110664– This is a minor, fairly recent variation.

• CIH.110007– The CIH got a new look.

– Scanning the security holes in host OS.

– The version caused:• Ip conflicts.• Font removal• System Netbios Conflicts

• According to astalavista group – the virus can infect network systems because many anti-virus software are unaware of this

type of virus.

– it actually does not harm a system, but prompt conflicts on port 139 of the windows systems


Coping With Malicious Software

• Undecidability Of Virus Detection:– Fact is a number of real-world problems that would be nice to be able to solve are not

solvable.

• Halting Problem(Alan Turing – 1963): – The halting problem is a decision problem about properties of computer programs on a fixed

Turing-complete model of computation.

– The answer in form “yes” or “no”.

– It can be represented as a set: k := { (i,x) | program i will eventually halt if run with input x}.

– Difficulty: lies in the requirement that the decision procedure must work for all programs and inputs.

– Obviously it can not be!


Halting Problem:

• Three examples:– While(true)

{ x = x+1};

// doesn’t halt, it goes on forever in an infinite loop.

Printf(“hallo world”);

// halts very quick, and regardless of its input.

function findTwinPrimeAbove(int N)

int p = N

loop

if p is prime and p + 2 is prime then

return

else p = p + 1

// in depending on N it can halt or doesn’t (matter of time and capacity).


Halting Problem:

• Question: relation between halting problem & virus detection?– Unfortunate consequence in the theory of secure computing :

The same applies to testing whether or not an arbitrary program is infected with an arbitrary virus.

– Adleman (Leonard Max Adleman , 1945) proved:

If an algorithm exists that can prove the presence of viruses in general case -> exists an algorithm that solves the halting problem

(Reductio ad absurdum - proof by contradiction)

• Regardless of this fundamental limitation to virus detection, methods are needed to identify viruses since hackers continue to write and release new viruses.


Virus Identification & Obfuscation

• Several challenges surrounding the design of robust computer viruses and designing algorithms to detect viruses.

• String matching: – Is used by antivirus programs to identify virus strains.

– Also a method that is use by viruses to identify themselves. Viral self-identification is necessary to prevent overpopulation and to prevent

A host being infected several of times. Development of string matching antiviral programs lead to the development of

polymorphic viruses.

– Polymorphic viruses: viruses, which are specifically designed to foil string matching programs.


Virus String Matching

• By definition, a virus spreads by copying a possibly altered version of itself to other programs.

• An unavoidable problem in designing such viruses: possibility of multiple infection. Problem: infecting the same program so many times end up that the user notice a

suspicious loss in disk space.

• How does a virus know if it already infected a given program?– Implies that viruses need an algorithm for identifying whether or not a given executable is

already infected.

– The same decision problem that antiviral software faces while analyzing the same executable.


Virus String Matching

• First method: A viral detection algorithm is therefore a mixed blessing for both parties:

1. Virus writer: prevents the virus from multiple infecting, minimizes the chances of being discovered. But, it gives a detection algorithm to antiviral analyst, when the virus is found.

2. Antiviral analyst: lowers the chance that a user will find the virus due to unexplained loss of disk space. But once found it has the benefit of identifying in the wild.

• Maybe primitive but very dangerous– Viruses that are indiscriminate about the executables they infect are very dangerous since

they have the potential to bring down host systems by their replication alone.

• Second method: slow the rate of infection– Prevents a virus from being discovered right away, without including a self-detection

mechanism.


Pattern Matching

• Idea: take a string of bytes from the virus that does not change from generation to generation and use it to find other instances of the virus.

• Why does it work?– Simplest viruses copy themselves to host applications without significantly altering

themselves.

• Antiviral programs called scanners perform this scanning process.

• The approach is not flawless– This method sometimes produces false positive results.– For instance by a complicated copy-protection operations that contain a large

amount of binary data.– New patches for programs.


Countermeasure to Scanners

• Design the virus so that it dose not contain any of the strings contained in the database.

• Very effective, the scanner is not capable to find the virus, if the needed search string is included in the list of search strings.

• Consequently, scanners are not very proactive in identifying viruses.

• Only proactive, when a new virus reuses the code of other virus, or a trivial modification of it.

• A practical alternative: find a way to modify its own code sequence.– Polymorphic viruses or evolutionary viruses.


Obfuscation


Program VirusProgram

Polymorphic Viruses

• Numerous polymorphic viruses in the wild.

• For example the tremor hat almost 6,000,000,000 forms.

• A polymorphic virus consists of two parts:– Header– Body

• When dormant, body remains in encrypted form.– when activated, header is the first section of code to receive control from the operating

system.

• Functionality: – the header decrypts the body in memory .Once the body is decrypted the header transfers

control to the body. The body performs the normal viral operations. When the body is finished sends control to the host program.


Polymorphic Viruses


Main body of virus in encrypted form

Decryption header

4 3

2

1

Host program Decrypts body

Control sent to host program

Control flows naturally to body after decryption

Control sent to virus

Typical polymorphic virus

Obfuscation

• Encrypted virus body + morphed decryption routine.

the decrypted body performs the viral operation

=> Detection: heuristic detection


Infected Program

**********************************

Metamorphic Virus

• Metamorphic: reprogramming or infecting executable of different OS.

• can reprogram itself:– do it by translating its own code into a temporary representation, edit the temporary

representation of itself, and then write itself back to normal code again.– Metamorphic engine undergoes the changes.

• used by some viruses when they are about to infect new files, as the result is that the “children” will never look like their “parents”.

• Pattern recognition can be avoided again.

• Metamorphic code is more effective than polymorphic code. – This is because most anti-virus software will try to search for known virus-code even during the

execution of the code.


Obfuscation

• Metamorphic viruses– Morph the whole virus body.

=> Detection method

?


Infected Program

Virus

Example


Virus Code(from Chernobyl CIH 1.4)

Morphed virus Code(from Chernobyl CIH 1.4)

Metamorphic Virus

• Metamorphic code can also mean that a virus is capable of infecting executables from two or more different operating systems.

– Windows and GNU/Linux or even different computer architectures.

• Often, the virus does this by carrying several viruses with itself.– The beginning of the virus is then coded so that it translates to correct machine-code for all

of the platforms that it is supposed to execute in.

• It is possible in theory for a metamorphic virus to rewrite the temporary representation of itself into another set of instructions, intended for another computer architecture.

– The API would also have to be changed.

• API (application programming interface):– source code interface that an operating system or library provides to support

requests for services to be made of it by computer programs.


Smart Virus Scanner

• Better virus detection tool– Analyze the program structure ( instead of signature matching).– Check for irrelevant instructions.

• What are irrelevant instructions?– NOPs– Control flow instructions that do not change the control flow.

• E.g. jump/branches to the next instructions.

– Instruction that modify dead (are not in use) register.– Sequence of instructions which do not modify the architectural state

• E.g. add ebx, 1 sub ebx, 1

• Check whether viral properties are present in a program– E.g. program writes a executable.– E.g. program monitors as executables are loaded into memory and changes them.– E.g. program behaves just like virus xyz.

• Check if the program exhibits those properties.– If yes => is infected


Heuristic Virus Detection

• Abnormal program behavior

• Viruses perform actions that are not typical of normal programs.– Result: there are several heuristics that can be used to detect them.

• Virus replicates by definition.– Word processors, web browsers and e-mail program does not replicate.

• Exception: patches– Patches are programs that add or overwrite code to a program on the machine.

• Check for code abnormalities.– Unusual program entry points and unusual program behavior as self-replicating code.


Detecting Abnormal Program Behavior• PEAT (portable executable analysis toolkit):

– Designed to detect malware that has been added to programs, after they have been compiled.

• Interrupts:– Application programs access operating system routines using software

interrupts.– E.g. keystroke from the keyboard.– The program places various parameters in CPU registers and then execute a

software interrupt instruction (interrupt handler).– CPU (temporarily) suspends the operation and look up the address of the

operating system routine for that interrupt in the interrupt vector table.


Interrupts


…

ROM OS handler

OS handler

Operating system software interrupt handling

Interrupt table

Interrupt Patching


…

ROM OS handler

OS handler

heuristic activity monitor

Interrupt patching

• Two advantages: 1. can monitor the activities.

2. Know the data flow, so I can control the interrupt.


Interrupt Patching

• Implementation in MIPS:– EPC

• 32- bit register• Contains the address of corresponding instruction

– Cause• 32-bit register • Contains the result of the exception.

– Undefined instruction:0– Arithmetic overflow: 1

– Control signals• EPSWrite• Cause Write• IntCause: 1-bit control signal for the content of the lowest bit.• Exception address: (c 000 0000)hex address of exception handler.

• To patch interrupt, an interrupt handler is loaded into memory in a persistent and non-relocatable block (register).

• When the handler finishes executing it sends control to the address that was originally contained in the interrupt table.


Actual State of Affairs

• Visualizing executable viruses using self-organizing maps.– Each virus has it’s own character and can’t hide it through SOMs.

– Like DNA , it’s an unique generic code.

• SOMs can figure out the family without knowing it’s signature.

• Aim:– design the SOM in a way that neurons will flag the presence of peculiar patterns in Windows

executable files

– and that the position of the active neurons will reflect the position of potentially malicious

content in the file.

• Expectation:– files infected by viruses of the same family => similar pattern in files.


Actual State of Affairs


Summary

• Originally CIH, Chernobyl because of the payload trigger date.• One of the most widely circulated viruses.• Only for DOS-base operating systems.• Hardware destructive (similar to Aragon).• Propagation through different software within a short time.• Most scanner can detect it but cannot completely clean infected

files.• Only way to get rid of CIH is to replace infected files with copes of

untouched originals.• Dual BIOS a security measures, the back up BIOS activates

automatically.


Summary

• There different variations of the virus still in the wild.• Undecidability of virus detection, halting problem.• Methods needed to identify viruses

– String/pattern matching– Polymorphic viruses– Metamorphic viruses

• Smart virus scanner– Check for irrelevant instructions.

– Check whether viral properties are present in a program.

– Detecting abnormal program behavior.

• Interrupt patching, monitoring activities.

– Visualizing viruses using self-organizing maps.


References

[1] . Malicious cryptography exposing cryptovirology, Dr. Moti Yung, ISBN: 0-7645-4975-8

Published by wiley publishing, Inc., Indianapolis, Indiana.

[2]. www.f-secure.com, F-Secure Corporation

[3]. Virus Scanning as Model Checking, Mihai Christodorescu, University of Wisconsin, Madison

[4]. Computer organization & design, the hardware/software interface. David A. Patterson and John L. Hennessy. Second edition, Morgan Kaufmann Publishers.

ISBN: L-55860-428-b.

[5]. Visualizing Windows Executable Viruses Using Self-Organizing Maps, InSeon Yoo, Telecommunications, Networks and Security Research Group, Department of Informatics, University of Fribourg.

[6]. www.geot.com.

[7]. http://www.mirrors.wiretapped.net/security/info/textfiles/DOJ/DoJ5-08.txt


Viruses & Antiviral Programs Seminar Malware Bonn-Aachen International Center for Information...

Documents

Transcript of Viruses & Antiviral Programs Seminar Malware Bonn-Aachen International Center for Information...