Polymorphic Viruses A brief survey Joseph Hamm Shirlan Johnson

11-Sep-2002CS 6265 Fall 2002 Contents  Prologue  Introduction  The Evolution of Polymorphic Viruses  Polymorphism  Detection  Epilogue

11-Sep-2002CS 6265 Fall 2002 Prologue  1941 –First theories for self-replicating programs  1980s –©Brain (Pakistan) and Stoned (New Zealand) attacks floppy boot sectors – Jerusalem(Israel) – first virus to infect other than.COM &.EXE –Den Zuk (Indonesia) – first “antivirus” virus – removes & inoculates against ©Brain

11-Sep-2002CS 6265 Fall 2002 Prologue  1990s –1 st virus exchange (VX) BBS (Bulgaria) goes online –AT&T (1 st successful critical infrastructure?) attack –Dark Avenger releases 1 st PME – MtE - enables other viruses to morph in over 4,000,000,000 different forms –1 st polymorphic virus appear – Tequila (Switzerland) –Nowhere Man releases Nowhere Utilities which include the Virus Creation Lab (VCL) w/ “Borland interface”

11-Sep-2002CS 6265 Fall 2002 Polymorph Engine - 1  What is a Polymorph Engine?  A program with the abilities to encrypt (or jumble up) another program or data and provide a unique decryptor for it and do this in such a way that no two encryptions of the same program or data will look alike.

11-Sep-2002CS 6265 Fall 2002 Polymorph Engine - 2 A PME typically consists of:  The random number generator.  The junk code generator.  The decryptor generator.

11-Sep-2002CS 6265 Fall 2002 Polymorphism Levels  Level 1 –Viruses having a set of decryptors with constant code, choosing one while infecting.  Level 2 –Virus decryptor contains one or several constant instructions, the rest of it is changeable.  Level 3 –Decryptor contains unused functions- "junk" like NOP, CLI, STI etc.  Level 4 –Decryptor uses interchangeable instructions and changes their order (instructions mixing). –Decryption algorithm remains unchanged.

11-Sep-2002CS 6265 Fall 2002 Polymorphism Levels – Cont’d.  Level 5 –Levels are used, decryption algorithm is changeable, repeated encryption of virus code and even partial encryption of the decryptor code is possible.  Level 6 –Permutating viruses. The main code of the virus is subject to change. It is divided into blocks which are positioned in random order while infecting.  Level 7 –Levels 1 – 6 plus Heuristic, Goat & Emulator counter- measures

11-Sep-2002CS 6265 Fall 2002 Sample Polymorphic Virus Code Sample Polymorphic Virus Code  MOV DX,10 ;Real part of the decryptor!  MOV SI,1234 ;junk  AND AX,[SI+1234] ;junk  CLD ;junk  MOV DI,jumbled_data ;Real part of the decryptor!  TEST [SI+1234],BL ;junk  OR AL,CL ;junk  main_loop: ADD SI,SI ;junk instruction, real loop!  XOR AX,1234 ;junk

11-Sep-2002CS 6265 Fall 2002 Polymorphic Behavior - 1

11-Sep-2002CS 6265 Fall 2002 Polymorphic Behavior - 2

11-Sep-2002CS 6265 Fall 2002 Polymorphic Behavior - 3

11-Sep-2002CS 6265 Fall 2002 Polymorphic Behavior - 4

11-Sep-2002CS 6265 Fall 2002 AV Polymorphic Response - 1  Scan Strings –Work by searching for a pattern of bytes in FIXED positions and a FIXED sequence.  Variable Scan Strings –Work by searching for a pattern of bytes in VARIABLE positions but in a FIXED sequence.  Cryptanalysis –Works by finding part of the VIRUS BODY and then performing some very basic cryptanalysis on it and then decrypting it (if possible).

11-Sep-2002CS 6265 Fall 2002 AV Polymorphic Response - 2  Generic Decryptor (Emulator) –Works by emulating instructions in the polymorphic decryptor in order to make the virus decrypt itself and then it detects the virus by a standard scan string.  Heuristics –Searches for inconsistencies between the code being analyzed and normal everyday code found in programs.

11-Sep-2002CS 6265 Fall 2002 AV Strategy - 1

11-Sep-2002CS 6265 Fall 2002 AV Strategy - 2

11-Sep-2002CS 6265 Fall 2002 AV Strategy - 3

11-Sep-2002CS 6265 Fall 2002 AV Strategy - 4

11-Sep-2002CS 6265 Fall 2002 AV Strategy - 5

11-Sep-2002CS 6265 Fall 2002 Heuristic AV Strategy

11-Sep-2002CS 6265 Fall 2002 VX Response to AV Tactics - 1  Anti Scan String methods –Avoid the use of code common to every decryptor. NOTE: Make enough alternatives so that it makes multiple variable scan strings not an option to AV!  Anti - Cryptanalysis –Simply add multiple encryption –A loop using a single XOR with byte/word is very easy to crypt-analyze but a loop using XOR b/w, ADD b/w, SUB b/w, ROL b/w in one loop is VERY hard to crypt-analyze.

11-Sep-2002CS 6265 Fall 2002 VX Advice to Next Gen  If you are going to make a good engine remember the following points: - It must not have fixed bytes in fixed positions. - It must not have fixed bytes in variable positions. - It must not be able to be decrypted by generic decryption engines in AV software. - It helps if the code is heuristically "clean" but it is not the “be all and end all” of an engine to be this way. - Make sure it is very difficult to analyze by AV. - Make sure next to impossible to remove if it does get caught.

11-Sep-2002CS 6265 Fall 2002 Epilogue  Polymorphic viruses represent yet another escalatory step in the conflict between those who seek to compromise (VX community) and those who defend (AV community) computer systems. As the techniques and strategies improve, one can expect the threat of polymorphic viruses to only increase.

11-Sep-2002CS 6265 Fall 2002 References -1  AVP Virus Encyclopaedia –  History of Computer Viruses by Robert M. Slade –  Understanding & Managing Polymorphic Viruses –  Virus Timeline & Scientific Papers – –

11-Sep-2002CS 6265 Fall 2002 References -2  VX Papers & Articles – –Guide to improving Polymorphic Engines by Rogue Warrior –A General Description of the Methods Behind a Polymorph Engine by The Black Baron  Viruses Revealed by David Harley, etc.

Questions?