Slide 1 Vitaly Shmatikov CS 378 Trojans and Viruses.

Slides:

Advertisements

Similar presentations

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.

Advertisements

Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.

 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.

Dr. Richard Ford  Szor 7  Another way viruses try to evade scanners.

1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.

Chapter 3 (Part 1) Network Security

CS526: Information Security Chris Clifton November 25, 2003 Malicious Code.

Unit 18 Data Security 1.

Malware Ge Zhang Karlstad Univeristy. Focus What malware are Types of malware How do they propagate How do they hide How to detect them.

Slide 1 Adapted from Vitaly Shmatikov, UT Austin Trojans and Viruses.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 19: Malicious Logic What is malicious logic Types of malicious logic.

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

HUNTING FOR METAMORPHIC ENGINES Mark Stamp & Wing Wong August 5, 2006.

1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004.

Created by Dragon Lee May Computer Virus What is computer virus? Computer virus refers to a program which damages computer systems and/or destroys.

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

SCSC 455 Computer Security 2011 Spring Chapter 5 Malware.

CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2011.

1 Ola Flygt Växjö University, Sweden Malicious Software.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Computer Viruses Preetha Annamalai Niranjan Potnis.

The Utility Programs: The system programs which perform the general system support and maintenance tasks are known as utility programs. Tasks performed.

Understanding and Troubleshooting Your PC. Chapter 12: Maintenance and Troubleshooting Fundamentals2 Chapter Objectives  In this chapter, you will learn:

CIS3360: Security in Computing Chapter 4.2 : Viruses Cliff Zou Spring 2012.

D. Beecroft Fremont High School VIRUSES.

Virus and Antivirus Team members: - Muzaffar Malik - Kiran Karki.

Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.

VIRUSES - Janhavi Naik. Overview Structure Classification Categories.

HUNTING FOR METAMORPHIC HUNTING FOR METAMORPHIC Péter Ször and Peter Ferrie Symantec Corporation VIRUS BULLETIN CONFERENCE ©2001 Presented by Stephen Karg.

Structure Classifications &

1 Chapter 19: Malicious Software Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal, U of Kentucky)

CHAPTER 14 Viruses, Trojan Horses and Worms. INTRODUCTION Viruses, Trojan Horses and worm are malicious programs that can cause damage to information.

1 Higher Computing Topic 8: Supporting Software Updated

1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik.

Administrative: Objective: –Tutorial on Risks –Phoenix recovery Outline for today.

Malicious Code By Diana Peng. What is Malicious Code? Unanticipated or undesired effects in programs/program parts, caused by an agent with damaging intentions.

Chapter 10 Malicious software. Viruses and ” Malicious Programs Computer “ Viruses ” and related programs have the ability to replicate themselves on.

CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2015.

What is computer virus? Computer virus refers to a program which damages computer systems and/or destroys or erases data files.

For any query mail to or BITS Pilani Lecture # 1.

Telecommunications Networking II Lecture 41f Viruses and Worms.

Copyright © 2007 Heathkit Company, Inc. All Rights Reserved PC Fundamentals Presentation 25 – Virus Detection and Prevention.

RIVERSIDE RESEARCH INSTITUTE Deobfuscator: An Automated Approach to the Identification and Removal of Code Obfuscation Eric Laspe, Reverse Engineer Jason.

Malicious Logic and Defenses. Malicious Logic Trojan Horse – A Trojan horse is a program with an overt (documented or known) effect and covert (undocumented.

Malicious Software.

n Just as a human virus is passed from person from person, a computer virus is passed from computer to computer. n A virus can be attached to any file.

Chapter 19 – Malicious Software What is the concept of defense: The parrying of a blow. What is its characteristic feature: Awaiting the blow. —On War,

Computer Systems Viruses. Virus A virus is a program which can destroy or cause damage to data stored on a computer. It’s a program that must be run in.

METAMORPHIC VIRUS NGUYEN LE VAN.

Computer virus Speaker : 蔡尚倫.  Introduction  Infection target  Infection techniques Outline.

Computer Security Threats CLICKTECHSOLUTION.COM. Computer Security Confidentiality –Data confidentiality –Privacy Integrity –Data integrity –System integrity.

NETWORK SECURITY Definitions and Preventions Toby Wilson.

MALICIOUS SOFTWARE Rishu sihotra TE Computer

Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,

Malicious Programs (1) Viruses have the ability to replicate themselves Other Malicious programs may be installed by hand on a single machine. They may.

Week-14 (Lecture-1) Malicious software and antivirus: 1. Malware A user can be tricked or forced into downloading malware comes in many forms, Ex. viruses,

Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.

Computer Viruses Author: Alyse Allen.

Acknowledgement This lecture uses some contents from the lecture notes from: Dr. Vitaly Shmatikov CS Network Security and Privacy Introduction to.

Techniques, Tools, and Research Issues

Computer Technology Notes 5

Chap 10 Malicious Software.

Chap 10 Malicious Software.

Malicious Program and Protection

Presentation transcript:

slide 1 Vitaly Shmatikov CS 378 Trojans and Viruses

slide 2 Malware uMalicious code often masquerades as good software or attaches itself to good software uSome malicious programs need host programs Trojan horses, logic bombs, viruses uOthers can exist and propagate independently Worms, automated viruses uThere are many infection vectors and propagation mechanisms

slide 3 Trojan Horses uA trojan horse is malicious code hidden in an apparently useful host program uWhen the host program is executed, trojan does something harmful or unwanted User must be tricked into executing the host program In 1995, a program distributed as PKZ300B.EXE looked like a new version of PKZIP… When executed, it formatted your hard drive. uTrojans do not replicate This is the main difference from worms and viruses

slide 4 “Reflections on Trusting Trust” uKen Thompson’s 1983 Turing Award lecture –Linked from the course website (reference section) 1.Added a backdoor-opening Trojan to login program 2.Anyone looking at source code would see this, so changed the compiler to add backdoor at compile-time 3.Anyone looking at compiler source code would see this, so changed the compiler to recognize when it’s compiling a new compiler and to insert Trojan into it u“The moral is obvious. You can’t trust code you did not totally create yourself. (Especially code from companies that employ people like me).”

slide 5 Viruses uVirus propagates by infecting other programs Automatically creates copies of itself, but to propagate, a human has to run an infected program –Self-propagating malicious programs are usually called worms uViruses employ many propagation methods Insert a copy into every executable (.COM,.EXE) Insert a copy into boot sectors of disks –“Stoned” virus infected PCs booted from infected floppies, stayed in memory and infected every floppy inserted into PC Infect TSR (terminate-and-stay-resident) routines –By infecting a common OS routine, a virus can always stay in memory and infect all disks, executables, etc.

slide 6 Virus Techniques uStealth viruses Infect OS so that infected files appear normal to user uMacro viruses A macro is an executable program embedded in a word processing document (MS Word) or spreadsheet (Excel) When infected document is opened, virus copies itself into global macro file and makes itself auto-executing (e.g., gets invoked whenever any document is opened) uPolymorphic viruses Viruses that mutate and/or encrypt parts of their code with a randomly generated key

slide 7 Evolution of Polymorphic Viruses (1) uAnti-virus scanners detect viruses by looking for signatures (snippets of known virus code) Virus writers constantly try to foil scanners uEncrypted viruses: virus consists of a constant decryptor, followed by the encrypted virus body Cascade (DOS), Mad (Win95), Zombie (Win95) Relatively easy to detect because decryptor is constant uOligomorphic viruses: different versions of virus have different encryptions of the same body Small number of decryptors (96 for Memorial viruses); to detect, must understand how they are generated

slide 8 Evolution of Polymorphic Viruses (2) uPolymorphic viruses: constantly create new random encryptions of the same virus body Marburg (Win95), HPS (Win95), Coke (Win32) Virus must contain a polymorphic engine for creating new keys and new encryptions of its body –Rather than use an explicit decryptor in each mutation, Crypto virus (Win32) decrypts its body by brute-force key search uPolymorphic viruses can be detected by emulation When analyzing an executable, scanner emulates CPU for a bit. Virus will eventually decrypt and try to execute its body, which will be recognized by scanner. This only works because virus body is constant!

slide 9 Virus Detection by Emulation Virus body Randomly generates a new key and corresponding decryptor code Mutation A Decrypt and execute Mutation C Mutation B To detect an unknown mutation of a known virus, emulate CPU execution of until the current sequence of instruction opcodes matches the known sequence for virus body

slide 10 Metamorphic Viruses uObvious next step: mutate the virus body, too! uVirus can carry its source code (which deliberately contains some useless junk) and recompile itself Apparition virus (Win32) Virus first looks for an installed compiler –Unix machines have C compilers installed by default Virus changes junk in its source and recompiles itself –New binary mutation looks completely different! uMany macro and script viruses evolve and mutate their code Macros/scripts are usually interpreted, not compiled

slide 11 Metamorphic Mutation Techniques uSame code, different register names Regswap (Win32) uSame code, different subroutine order BadBoy (DOS), Ghost (Win32) If n subroutines, then n! possible mutations uDecrypt virus body instruction by instruction, push instructions on stack, insert and remove jumps, rebuild body on stack Zmorph (Win95) Can be detected by emulation because the rebuilt body has a constant instruction sequence

slide 12 Real Permutating Engine (RPME) uIntroduced in Zperm virus (Win95) in 2000 uAvailable to all virus writers, employs entire bag of metamorphic and anti-emulation techniques Instructions are reordered, branch conditions reversed Jumps and NOPs inserted in random places Garbage opcodes inserted in unreachable code areas Instruction sequences replaced with other instructions that have the same effect, but different opcodes –Mutate SUB EAX, EAX into XOR EAX, EAX or PUSH EBP; MOV EBP, ESP into PUSH EBP; PUSH ESP; POP EBP uThere is no constant, recognizable virus body!

slide 13 Example of Zperm Mutation uFrom Szor and Ferrie, “Hunting for Metamorphic” Linked from the course website (reference section)

slide 14 Defeating Anti-Virus Emulators uRecall: to detect polymorphic viruses, emulators execute suspect code for a little bit and look for opcode sequences of known virus bodies uSome viruses use random code block insertion engines to defeat emulation Routine inserts a code block containing millions of NOPs at the entry point prior to the main virus body Emulator executes code for a while, does not see virus body and decides the code is benign… when main virus body is finally executed, virus propagates Bistro (Win95) used this in combination with RPME

slide 15 Putting It All Together: Zmist uZmist was designed in 2001 by Russian virus writer Z0mbie of “Total Zombification” fame uNew technique: code integration Virus merges itself into the instruction flow of its host “Islands” of code are integrated into random locations in the host program and linked by jumps When/if virus code is run, it infects every available portable executable –Randomly inserted virus entry point may not be reached in a particular execution

slide 16 MISTFALL Disassembly Engine uTo integrate itself into host ’s instruction flow, virus must disassemble and rebuild host binary See overview at uThis is very tricky Addresses are based on offsets, which must be recomputed when new instructions are inserted Virus must perform complete instruction-by-instruction disassembly and re-generation of the host binary –This is an iterative process: rebuild with new addresses, see if branch destinations changed, then rebuild again –This requires 32MB of RAM and explicit section names (DATA, CODE, etc.) in the host binary – doesn’t work with every file

slide 17 Simplified Zmist Infection Process Pick a Portable Executable binary < 448Kb in size Disassemble, insert space for new code blocks, generate new binary Insert mutated virus body Split into jump-linked “islands” Mutate opcodes (XOR  SUB, OR  TEST) Swap register moves and PUSH/POP, etc. Encrypt virus body by XOR (ADD, SUB) with a randomly generated key, insert mutated decryptor Insert random garbage instructions using Executable Trash Generator Decryptor must restore host’s registers to preserve host’s functionality Randomly insert indirect call OR jump to decryptor’s entry point OR rely on instruction flow to reach it

slide 18 How Hard Is It to Write a Virus? u498 matches for “virus creation tool” in Spyware Encyclopedia Including dozens of poly- and metamorphic engines uOverWritting Virus Construction Toolkit "The perfect choice for beginners“ uBiological Warfare Virus Creation Kit Note: all viruses will be detected by Norton Anti-Virus uVbs Worm Generator (for Visual Basic worms) Used to create the Anna Kournikova worm uMany others

slide 19 Reading Assignment uStallings 10.1 uOptional: “Hunting for Metamorphic” by Szor and Ferrie Linked from the course website (reference section)