Dr. Richard Ford. Szor 7. Another way viruses try to evade scanners.

- Look for "known" viruses
- Basically, scanners used to look for hex strings in files
- Virus writers tried to make this more difficult…

- First such virus: Cascade
- Benefit to the virus writer: forces the vendor to choose a hex string from a small part of the virus code
- Increases the chances of a false positive

    LEA  SI, Start       ; SI = address of the encrypted body (varies with the host)
    MOV  SP, 0682        ; SP = length of the body (0682h = 1666 bytes), counter and second key
Decrypt:
    XOR  [SI], SI        ; key/counter 1
    XOR  [SI], SP        ; key/counter 2
    INC  SI
    DEC  SP
    JNZ  Decrypt         ; until every byte is decrypted
Start:                   ; encrypted virus body follows
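As an added example (not from the slides or from Cascade), the Python below emulates the loop above so that a scanner can recover and match the body, and shows why the body itself is no use as a hex string: the same plaintext loaded at two different Start addresses gives two different ciphertexts while the decryptor bytes stay fixed. The names cascade_step, make_sample_image and scan_with_emulation are mine, and the body text used as input is constructed.

```python
# Added example (not from the slides or from Cascade): a scanner-side emulation of
# the decryptor above. One pass XORs the 16-bit word at SI with SI and then with
# SP; SI counts up by one and SP down by one, so successive words overlap by a
# byte and every output byte depends on the address the body was loaded at.

def cascade_step(mem, si, sp):
    word = mem[si] | (mem[si + 1] << 8)       # XOR [SI],SI ; XOR [SI],SP (little-endian word)
    word ^= (si ^ sp) & 0xFFFF
    mem[si], mem[si + 1] = word & 0xFF, word >> 8

def cascade_decrypt(mem, start, length):
    si, sp = start, length                    # LEA SI,Start ; MOV SP,length
    while sp != 0:                            # DEC SP sets ZF once the last byte is done
        cascade_step(mem, si, sp)
        si, sp = si + 1, sp - 1               # INC SI ; DEC SP
    return mem

def make_sample_image(body, start):
    """Constructed test input: `body` stored at offset `start`, with the steps
    applied in reverse order (each step is its own inverse) so the loop undoes them."""
    mem = bytearray(start + len(body) + 1)    # the last pass touches one byte past the body
    mem[start:start + len(body)] = body
    for i in range(len(body) - 1, -1, -1):
        cascade_step(mem, start + i, len(body) - i)
    return bytes(mem)

def scan_with_emulation(image, start, length, signature):
    """Scanner side: run the loop over a copy of the image, then match the body."""
    plain = cascade_decrypt(bytearray(image), start, length)
    return signature in bytes(plain[start:start + length])
```

Running make_sample_image with the same body at 0x100 and at 0x200 gives ciphertexts that differ in every body byte, which is the whole reason a hex string can only be taken from the decryptor.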

    MOV  EDI, h          ; immediate operand is missing from the transcript; offset of the encrypted body
    ADD  EDI, EBP        ; relocate by the value in EBP
    MOV  ECX, 0A6Bh      ; body length in bytes
    MOV  AL, [key]       ; single-byte key stored inside the decryptor
Decrypt:
    XOR  [EDI], AL
    INC  EDI
    LOOP Decrypt
    JMP  Start
key DB 86
Start:

- The virus writer can implement multiple layers of "encryption"
- Why do I keep putting "encryption" in quotes?
- Use multiple keys
- The start of the loop can be obfuscated
- Can choose "not" to store the decryption key in the body
- Can use strong crypto (but…)

- Well, in these examples the decryption routine is static
- The scanner can detect on the decryption routine if not on the virus body… can the attacker do better?

- What does "oligomorphic" mean? Having or passing through few changes of form.
- Example: the Whale virus carried multiple decryptors with it
- Of course, such viruses require painstaking analysis…

- Next level: millions of possible decryption routines, dynamically generated
- First known example: 1260
- Technique used: insert "junk" instructions into the decryption loop

    INC  DI              ; junk
    NOP                  ; junk
    CLC                  ; junk
    INC  AX              ; junk
    LOOP Decrypt

- One possibility: code optimization
- Well known from other parts of CS…
- But this approach was attacked directly by MTE (the Mutation Engine)

- Module for providing polymorphism
- Called as a function, passing:
  - Work segment
  - Pointer to code to encrypt
  - Length of the virus body
  - Base of the decryptor
  - Entry point of the host
  - Target location of the encrypted code
  - Size of decryptor (tiny, small, medium, large)
  - Bit field of registers not to use
- Returns: a buffer containing the encrypted virus plus a decryption routine

    MOV  BP, A16C        ; this block computes the initial value of BP
    MOV  CL, 03          ; (BP is the obfuscated delta offset into the encrypted body)
    ROR  BP, CL
    MOV  CX, BP
    MOV  BP, 856E
    OR   BP, 740F
    MOV  SI, BP
    MOV  BP, 3B92
    ADD  BP, SI
    XOR  BP, CX
    SUB  BP, B10C        ; sets final value of BP…

Decrypt:
    MOV  BX, [BP+0D2B]   ; fetch the next word of the encrypted body
    ADD  BX, 9D64        ; decrypt it
    XCHG [BP+0D2B], BX   ; store it back
    MOV  BX, 8F31        ; this block adds 2 to BP:
    SUB  BX, BP          ;   BX = 8F31 - BP
    MOV  BP, 8F33        ;   BP = 8F33 - BX = BP + 2
    SUB  BP, BX
    JNZ  Decrypt         ; loop until BP wraps to zero
START:                   ; decrypted body starts here
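As an added example (not from the slides or from MTE), the Python below emulates the 16-bit subset used by the two MTE listings above on a constructed image. It does by execution what the "code optimization" slide suggests: the eleven instructions that build BP fold to one constant (0F420h, so [BP+0D2B] resolves to 014Bh), and each loop pass folds to "add 9D64h to the word at [BP+0D2B], then BP += 2", ending when BP wraps to zero. Cpu16, folded_bp, build_image and emulate_and_scan are my names; the body text is constructed.

```python
# Added example (not from the slides or from MTE): a scanner-side emulator for the
# register/memory subset the MTE decryptor uses, run over a constructed image.
MTE = ("mov bp,A16C; mov cl,03; ror bp,cl; mov cx,bp; mov bp,856E; or bp,740F;"
       " mov si,bp; mov bp,3B92; add bp,si; xor bp,cx; sub bp,B10C; Decrypt:;"
       " mov bx,[bp+0D2B]; add bx,9D64; xchg [bp+0D2B],bx; mov bx,8F31;"
       " sub bx,bp; mov bp,8F33; sub bp,bx; jnz Decrypt")
SETUP = MTE.split("Decrypt:")[0]              # the eleven instructions that build BP

class Cpu16:
    def __init__(self, mem):
        self.r, self.mem, self.zf = {"bp": 0, "bx": 0, "cx": 0, "si": 0}, mem, False
    def ea(self, op):                         # "[bp+0D2B]" -> 16-bit effective address
        return (self.r["bp"] + int(op[4:-1], 16)) & 0xFFFF
    def get(self, op):                        # operand -> value (memory is little-endian)
        if op[0] == "[": a = self.ea(op); return self.mem[a] | (self.mem[a + 1] << 8)
        if op == "cl": return self.r["cx"] & 0xFF
        return self.r[op] if op in self.r else int(op, 16)
    def put(self, op, v):
        v &= 0xFFFF
        if op[0] == "[": a = self.ea(op); self.mem[a], self.mem[a + 1] = v & 0xFF, v >> 8
        elif op == "cl": self.r["cx"] = (self.r["cx"] & 0xFF00) | (v & 0xFF)
        else: self.r[op] = v
    def run(self, listing):
        ins = [i.strip() for i in listing.split(";") if i.strip()]
        labels = {i[:-1]: n for n, i in enumerate(ins) if i.endswith(":")}
        pc = 0
        while pc < len(ins):
            op, args = (ins[pc].split(" ", 1) + [""])[:2]; pc += 1
            if op.endswith(":"): continue
            if op == "jnz":                   # taken until SUB BP,BX leaves BP == 0
                if not self.zf: pc = labels[args]
                continue
            d, s = args.split(","); a, b = self.get(d), self.get(s)
            if op == "mov": self.put(d, b)
            elif op == "xchg": self.put(d, b); self.put(s, a)
            elif op == "ror": self.put(d, (a >> (b & 15)) | (a << (16 - (b & 15))))
            else:                             # add/sub/or/xor set ZF like the real CPU
                v = {"add": a + b, "sub": a - b, "or": a | b, "xor": a ^ b}[op] & 0xFFFF
                self.put(d, v); self.zf = v == 0
        return self
def folded_bp():                              # the constant an optimizer would fold BP to
    return Cpu16(bytearray(0x10000)).run(SETUP).r["bp"]
def build_image(body, base):                  # constructed image: body stored word-wise
    mem = bytearray(0x10000)                  # with the inverse of ADD BX,9D64 applied
    for k in range(0, len(body), 2):
        w = ((body[k] | (body[k + 1] << 8)) - 0x9D64) & 0xFFFF
        mem[base + k], mem[base + k + 1] = w & 0xFF, w >> 8
    return mem
def emulate_and_scan(image, signature):       # scanner side: run the loop, then match
    return signature in bytes(Cpu16(bytearray(image)).run(MTE).mem)
```

The loop runs 0x5F0 passes (from BP = 0F420h up to the wrap), so it covers 3040 bytes starting at 014Bh; a body placed there by build_image is only matchable after the emulation.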

- Let's talk about it…

- Carry your source and look for a compiler
- Why is this so very horrible?
- And then there's System.Reflection.Emit to worry about…

- Muttik: "metamorphics are body-polymorphic"
- Example: ZPerm
- Uses JMPs to reorder its own code

- Due: two weeks from today, before class
- Write a METAMORPHIC "Hello World" generator that:
  - Creates 10 COM files
  - Creates different files each time it is run
- Must use C/C++
- Turn in the solution in SVN with JUST THE FILES I NEED to check out and compile with no challenges