Deep Inside an AntiVirus Engine. Jimmy Kuo, Director, AV Research, Network Associates, Inc.


Who’s watching your network

Deep Inside an AntiVirus Engine
Network Associates, Inc.
Jimmy Kuo, Director, AV Research
Stanford, 16MAR99

Agenda
Short description of viruses
Environments
Purposes of an antivirus engine
Detection technologies
Virus removal technologies
Wrap-up

Viruses Replicate!

Virus Types
File viruses: COM, EXE (DLL, VxD), BAT, SYS, mIRC, HTML
Boot viruses: boot sector, Master Boot Record
Macro viruses: Word, Excel, PowerPoint, Access
Multipartite

Virus growth through the years [chart not reproduced in the transcript]
*Dr Solomon’s count of viruses and trojans

Environment Determination
PC
OLE2 files
Compressed files
Self-extracting files
.BAT files, mIRC script, VB Script
UNIX filesystems

Protocols
FTP, HTTP, SNMP, SMTP, NNTP
TCP/IP
MIME, uuencode, SSL, PGP

Purpose
We deal with users with problems on their computer, problems they do not know how to handle.
1. Relieve the panic.
2. Understand the problem.
3. Resolve what the user understands to be the problem.

McAfee (NAI) Mantra
1. Detect all viruses.
2. The program is running on a clean machine.
3. Don’t give them a reason not to use your product.

The Technology

Signature Search
Data organization
– In memory
– On disk
Only things essential to detection are stored in memory. Names, repair information and virus information are all stored on disk.

Signature Organization, Case 0
All strings kept in memory, all strings of the same type.
The method died out when the number of viruses neared [figure not in transcript].

Signature Organization, Case 1
Split into virus types: boot viruses, file viruses (algorithmic detection, CRC detection), macro viruses.
Boot virus strings swapped to disk; pulled in only if the target looks like a boot image (the 55AA signature in the last two bytes of the sector).
CRCs used for those viruses that don’t change. Keep the verification information on disk.

Signature Organization, Case 2
All detection strings kept in memory, sorted into separate bins. Only the particular bin that could contain the virus string is stored in low memory; all else is stored in EMS or XMS.
Virus removal information and names stored on disk.

Signature Organization, Case 3
All detection strings stored in memory. Some are classed as “not necessary for the average user” and not used unless specifically requested.
All verification information stored on disk (or EMS or XMS if available).
Strings sorted into groups which share common start characteristics.

Signature Search Algorithms
Needs to be “front end fast.” If there is a virus, the scan can take longer; but most things are not viruses, so deciding that the virus is not there should be as quick as possible.
No time allowed for front-end setup, so quick and simple wins out.
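The organisation described in Cases 1 to 3 and the “front end fast” requirement, as an added example that is not part of the presentation: a boot bin that is only consulted when the target carries the 55AA signature, file strings bucketed by their first byte so one table lookup per position rejects almost everything, and CRC verification for a virus that never changes. Every name and byte string here is constructed for the example; none is a real virus signature.

```python
import zlib

# Added example, not from the slides: a toy signature database organised the way the
# Signature Organization cases describe, searched "front end fast". Every name and byte
# string below is constructed for this example; none is a real virus signature.
BOOT_STRINGS = [("Demo.Boot.A", bytes.fromhex("fa33c08ed0bc007cfb"))]
FILE_STRINGS = [
    ("Demo.File.A", bytes.fromhex("b44cb80001cd21")),
    ("Demo.File.B", bytes.fromhex("b8004ccd21")),
    ("Demo.File.C", bytes.fromhex("e80000005d81ed")),
]
# A virus that never changes is identified by a CRC over a fixed range instead of a
# string; the verification record is (name, start, length, crc32). STABLE_BODY is the
# constructed reference body, so the stored CRC is real for this example.
STABLE_BODY = bytes.fromhex("0e1f0e07bf0001be8001b91000f3a4c3")
CRC_ENTRIES = [("Demo.File.Stable", 0, 16, zlib.crc32(STABLE_BODY[:16]))]

def looks_like_boot_image(data):
    """Case 1 gate: a 512-byte sector ending in the 55AA boot signature."""
    return len(data) == 512 and data[510:512] == b"\x55\xaa"

def build_index(strings):
    """Case 3: group strings by their first byte so that one table lookup per file
    position selects the only strings that could possibly match there."""
    index = {}
    for name, sig in strings:
        index.setdefault(sig[0], []).append((name, sig))
    return index

FILE_INDEX = build_index(FILE_STRINGS)
_boot_index = None  # the boot bin stays "on disk" until a boot image actually shows up

def boot_index():
    global _boot_index
    if _boot_index is None:
        _boot_index = build_index(BOOT_STRINGS)
    return _boot_index

def search_strings(data, index):
    """At each offset a single dict lookup rejects almost everything; the byte compare
    runs only for the few strings that share that first byte."""
    for i in range(len(data)):
        for name, sig in index.get(data[i], ()):
            if data[i:i + len(sig)] == sig:
                return name, i
    return None

def check_crcs(data, entries):
    for name, start, length, crc in entries:
        chunk = data[start:start + length]
        if len(chunk) == length and zlib.crc32(chunk) == crc:
            return name, start
    return None

def scan(data):
    """Decide which bin the target can belong to first, then search only that bin."""
    if looks_like_boot_image(data):
        return search_strings(data, boot_index())
    return search_strings(data, FILE_INDEX) or check_crcs(data, CRC_ENTRIES)
```

The clean path does one dictionary probe per byte and nothing else; a 511-byte file that happens to start with a boot-virus string is never compared against the boot bin because the gate fails.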

Code Tracers
Simplified emulation, but faster: static emulation. You only have to know instruction lengths and the flow-transfer instructions.

Code Tracing, Case 1
Given a target COM file, for specific cases of known flow transfers (jmp, call, push/ret, minor variations of such), get to a fixed location and start searching for viruses there.
Problem cases: polymorphic entry code.

Code Tracing, Case 2
Given a target COM file, trace the code path through all available paths until out of buffer. Remember the opcodes; use them in opcode string matching. The first time out of buffer, trace again and remember the opcodes again.
Problem cases: an appending virus appended to a small host.

Code Tracing, Case 3
Given a target COM file, organize the virus database according to the different types of entry code, and search only against those viruses that use that type of entry code.
This is the technique currently in use.

Emulators
Intel 80x86, primarily.
Now also needed: Portable. Apple emulation.

Emulator Problems
Prefetch queue length (self-modifying code that depends on instructions the CPU has already fetched).
How much of the environment do you include in the emulation? The “perfect” emulator takes too much time and memory.
Result: emulate the situations required for known viruses. Needs upgrading to match reality.

Code Matrix
Matrix of opcode digraphs. Map the set of opcodes gathered from the code trace onto the opcode digraphs of known viruses: if it does not match, it cannot be that virus.
Add digraph matrices together to save memory space.
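Code Tracing Cases 1 and 2 and the Code Matrix, as an added example that is not part of the presentation: a static tracer for 16-bit .COM images that follows only the flow transfers named on the slides (jmp, call, push/ret, plus jz/jnz so a trace can fork), collects the opcodes it passes, and a digraph filter built from those opcodes. The handful of instruction lengths it knows, the “virus” body and the host programs are all constructed for this example; nothing here is real malware.

```python
# Added example (not from the slides): a minimal static code tracer for 16-bit .COM
# images in the spirit of Code Tracing Cases 1 and 2, plus the opcode-digraph filter
# from the Code Matrix slide. Opcode coverage and all sample bytes are assumptions of
# this example; the sample "virus" is constructed and harmless.

COM_BASE = 0x100  # a .COM image is loaded at CS:0100h; file offset = address - COM_BASE

# Total lengths of the non-flow instructions the tracer steps over.
SIMPLE_LENGTHS = {0x90: 1, 0xFA: 1, 0xFB: 1, 0xFC: 1}           # nop, cli, sti, cld
SIMPLE_LENGTHS.update({op: 1 for op in range(0x50, 0x60)})     # push/pop r16
SIMPLE_LENGTHS.update({op: 2 for op in range(0xB0, 0xB8)})     # mov r8, imm8
SIMPLE_LENGTHS.update({op: 3 for op in range(0xB8, 0xC0)})     # mov r16, imm16
FLOW = {0xEB, 0xE9, 0xE8, 0x68, 0xC3}                          # unconditional transfers

def _rel8(code, ip):
    return int.from_bytes(code[ip + 1:ip + 2], "little", signed=True)

def _rel16(code, ip):
    return int.from_bytes(code[ip + 1:ip + 3], "little", signed=True)

def step(code, ip, stack):
    """Decode one instruction at file offset ip. Returns (opcode, next_ips); next_ips is
    None when the path ends. stack holds absolute addresses pushed by call/push."""
    op, left = code[ip], len(code) - ip
    if op == 0xEB and left >= 2:                      # jmp short rel8
        return op, [ip + 2 + _rel8(code, ip)]
    if op == 0xE9 and left >= 3:                      # jmp near rel16
        return op, [ip + 3 + _rel16(code, ip)]
    if op == 0xE8 and left >= 3:                      # call near rel16: remember return address
        stack.append(ip + 3 + COM_BASE)
        return op, [ip + 3 + _rel16(code, ip)]
    if op == 0x68 and left >= 3:                      # push imm16 (an absolute address)
        stack.append(int.from_bytes(code[ip + 1:ip + 3], "little"))
        return op, [ip + 3]
    if op == 0xC3:                                    # ret: continue at whatever was pushed
        return op, [stack.pop() - COM_BASE] if stack else None
    if op in (0x74, 0x75) and left >= 2:              # jz/jnz: both outcomes are possible
        return op, [ip + 2, ip + 2 + _rel8(code, ip)]
    if op == 0xCD and left >= 2:                      # int imm8; int 20h ends the program
        return op, None if code[ip + 1] == 0x20 else [ip + 2]
    if op in SIMPLE_LENGTHS:
        return op, [ip + SIMPLE_LENGTHS[op]]
    return op, None                                   # unknown opcode: give up on this path

def entry_location(code):
    """Case 1: follow unconditional transfers from the entry point and return the offset
    where straight-line code starts, i.e. where string search should begin. None on a
    loop, on leaving the buffer, or on a ret with nothing pushed."""
    ip, stack, seen = 0, [], set()
    while 0 <= ip < len(code) and ip not in seen:
        seen.add(ip)
        op, nxt = step(code, ip, stack)
        if op not in FLOW:
            return ip
        if nxt is None:
            return None
        ip = nxt[0]
    return None

def trace_opcodes(code, max_steps=4096):
    """Case 2: trace every reachable path, forking at conditional jumps, until each path
    leaves the buffer, loops, terminates or hits an unknown opcode. Returns the opcodes
    in the order they were first reached."""
    opcodes, seen, work = [], set(), [(0, [])]
    while work and len(opcodes) < max_steps:
        ip, stack = work.pop()
        while 0 <= ip < len(code) and ip not in seen:
            seen.add(ip)
            op, nxt = step(code, ip, stack)
            opcodes.append(op)
            if not nxt:
                break
            for alt in nxt[1:]:                       # queue the other branch of jz/jnz
                work.append((alt, list(stack)))
            ip = nxt[0]
    return opcodes

def digraph_matrix(opcodes):
    """Code Matrix: 256 rows of 256-bit masks; bit b of row a is set when opcode a was
    followed by opcode b in the trace."""
    rows = [0] * 256
    for a, b in zip(opcodes, opcodes[1:]):
        rows[a] |= 1 << b
    return rows

def merge_matrices(*matrices):
    """OR several viruses' matrices together to save memory; the merged matrix still
    rejects a target that none of those viruses could have produced."""
    merged = [0] * 256
    for m in matrices:
        for a, row in enumerate(m):
            merged[a] |= row
    return merged

def could_be(opcodes, matrix):
    """False: the trace contains an opcode pair this virus (or group) never executes, so
    it cannot be that virus. True only means the expensive checks still have to run."""
    return all((matrix[a] >> b) & 1 for a, b in zip(opcodes, opcodes[1:]))

# Constructed samples. The "virus" body is call $+3; pop bp; jz +2; mov al,1; cld, then a
# jmp back to host offset 0 followed by the three host bytes its entry jmp overwrote.
BODY_CODE = bytes.fromhex("e800005d7402b001fc")

def infect(host):
    body_at = len(host)
    back = (-(body_at + len(BODY_CODE) + 3)) & 0xFFFF
    body = BODY_CODE + b"\xe9" + back.to_bytes(2, "little") + host[:3]
    return b"\xe9" + (body_at - 3).to_bytes(2, "little") + host[3:] + body

GOAT = bytes.fromhex("b409ba0901cd21cd20") + b"Hi$"   # mov ah,9; mov dx,109h; int 21h; int 20h
HOST2 = bytes.fromhex("b8004ccd21") + b"Hi$"          # mov ax,4C00h; int 21h

# In the lab the matrix is built from a goat file infected by the virus under study.
VIRUS_MATRIX = digraph_matrix(trace_opcodes(infect(GOAT)))
```

Tracing a different infected host yields the same opcode sequence, so the filter passes it on to the string search; the clean hosts produce a pair such as (mov ah, mov dx) that the virus never executes and are rejected after a few byte reads, which is the “front end fast” property the earlier slide asks for.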

Special Case Code
Loop detection
– Likely to need decrypting (emulate).
Probability distribution (a particular virus uses rotates much too often).
Polymorphic viruses are too difficult to handle otherwise.

OLE2 Files (Macro Viruses)
An OLE2 file is a filesystem in a file. It’s a proprietary format belonging to Microsoft. Cracking the OLE2 format was easy.
Next come the Word document stream, the Excel spreadsheet stream, WordBasic, Visual Basic, ...

Other Macro Virus Issues
Word6 macro encryption/protection is a single-byte XOR; the key is available in the document.
Office97 macro protection is GUI only; the actual code is not encrypted at all.
Excel95 password protection is almost trivial: a 16-byte XOR key with minor on-the-fly calculations.

Other Macro Virus Issues...
Office97 password protection against Open uses MD5. [Yuk!]
PowerPoint97 streams are stored as GZIP-compressed data streams.
WordBasic is a tokenized language. Visual Basic is p-code, but there’s a separate compressed code body for “Edit.”

Still More Macro Virus Issues
VisualBasic5 is now supported across other applications! Soon we’ll have to crack other file formats, not just OLE2.
VisualBasic6 is coming out in the next few months.
Things can up-convert; some can down-convert.
Emulators for all these languages!

Virus Removal
Must have “sufficient” variant determination:
– Bytes to cut.
– Where from.
– Where to retrieve the original information.
– Where did the virus replace/take that original info from?
The virus removal database does not need to stay in memory.

Variant Determination
– Different sizes.
– Different CRC values over different ranges.
– String found at a different position.
– The specific variant does something unique.
Need to know this for user information.
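Variant determination feeding repair, as an added example that is not part of the presentation: a constructed appending .COM infector with two variants that differ in body size and in where they keep the host’s first three bytes. The removal record carries exactly the items the slide lists (bytes to cut, where from, where the original bytes are), and repair refuses to run when the variant cannot be pinned down. Family and variant names, code bytes and the host program are all constructed; nothing here is a real virus.

```python
import zlib

# Added example (not from the slides): variant determination driving repair for a
# constructed appending .COM infector, "Demo.Appender" .A and .B. Nothing here is a real
# virus. The two variants differ in body size and in where they keep the host's first
# three bytes, which is what the removal record has to know: bytes to cut, where from,
# and where to retrieve the original information.

SIGNATURE = bytes.fromhex("e800005d7402")          # detection string shared by both variants
CODE_A = bytes.fromhex("e800005d7402b001fc")
CODE_B = CODE_A + bytes.fromhex("fb909090")         # .B carries four extra bytes

def _record(code):
    # Body layout: fixed code, a 3-byte jmp back to the host (host-dependent, so kept
    # outside the CRC range), then the 3 saved host bytes. CRC over the code pins the variant.
    return dict(body_len=len(code) + 6, crc_len=len(code),
                crc=zlib.crc32(code), saved_at=len(code) + 3)

VARIANTS = {"Demo.Appender.A": _record(CODE_A), "Demo.Appender.B": _record(CODE_B)}

def infect(host, code):
    """Constructed infection: overwrite the host's first 3 bytes with jmp body, append body."""
    body_at = len(host)
    back = (-(body_at + len(code) + 3)) & 0xFFFF
    body = code + b"\xe9" + back.to_bytes(2, "little") + host[:3]
    return b"\xe9" + (body_at - 3).to_bytes(2, "little") + host[3:] + body

def detect(data):
    """Return (name, body_offset) or None. The entry jmp says where the body is, the
    string there says which family, size plus CRC say which variant. An unidentified
    variant is reported by family only, so that repair can refuse it."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    body_at = 3 + int.from_bytes(data[1:3], "little", signed=True)
    if not 3 <= body_at < len(data) or not data[body_at:].startswith(SIGNATURE):
        return None
    body = data[body_at:]
    for name, v in VARIANTS.items():
        if len(body) == v["body_len"] and zlib.crc32(body[:v["crc_len"]]) == v["crc"]:
            return name, body_at
    return "Demo.Appender.unknown", body_at

def repair(data):
    """Restore the host, or return None when variant determination is insufficient."""
    hit = detect(data)
    if hit is None or hit[0] not in VARIANTS:
        return None
    name, body_at = hit
    v = VARIANTS[name]
    saved = data[body_at + v["saved_at"]:body_at + v["saved_at"] + 3]
    return saved + data[3:body_at]   # put the original 3 bytes back, cut the body off

HOST = bytes.fromhex("b409ba0901cd21cd20") + b"Hi$"   # constructed clean host program
```

A body that carries the family string but matches neither size/CRC record is reported as the family with an unknown variant and left untouched: guessing the saved-bytes offset of an unknown variant would corrupt the host, which is the failure the “sufficient variant determination” requirement exists to prevent.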

Side Effect Removal
Virus payloads affect:
– Registry.
– Added instructions in files (AUTOEXEC.BAT).
– Additional files dropped.
– Things added to WIN.INI.
– “Bad sector” repair.
– Anything software can do.

Speed Issues
Memory management: memory, hard disk, floppy.
640K conventional memory, XMS, EMS, 32-bit memory, memory swapping.
Clean machine.

Final Thought
Compare what was covered in this presentation against an access control package.
Project: the following files are allowed to be executed by this set of people, AND NOTHING ELSE!

Questions & Answers

Your Partner Against the Virus Problem