HUNTING FOR METAMORPHIC HUNTING FOR METAMORPHIC Péter Ször and Peter Ferrie Symantec Corporation VIRUS BULLETIN CONFERENCE ©2001 Presented by Stephen Karg November 8, 2005 CS510 – Advanced Security Portland State University

Overview Win32 Virus Evolution Polymorphism to Metamorphism Detection Techniques Counter-Measures, Counter-Counter-Measures, …ad nauseum. Potential “future” virus (worm) developments.

Virus Scanners Dominant market solution to the virus problem, focus of this paper. Other defenses exist however (integrity checking, behavior blocking). Typically scan files for a virus signature (strings from known malware). Main challenge: virus code obfuscation. (randomize, randomize, randomize!)

Virus Evolution Encrypted Viruses Easiest way to hide functionality. Send (plain-text) decryptor along with virus. Counter-Measure: AV’s just start looking at decryptor signatures. Counter-Counter-Measure: randomized decryptors.

Polymorphic Viruses Permutate decryptors using different methods (XOR, multiple layers of encryption, etc.) Polymorphism is about changing appearance, but decrypted virus is the same. When the virus eventually reveals itself, even in a brief window, this snapshot of the core virus code is very useful to AV.

Metamorphic Viruses Metamorphism is about altering the virus code body itself. Behavior and functionality change, so much harder to profile. Win32/Apparition Virus First evolving virus to not rely polymorphic decryptors. Virus carries source code and recompiles on host (if compiler installed). Randomly inserts and removes junk code.

Polymorphic vs. Metamorphic

Simple Metamorphism May, 2000 – Win32/Ghost Modular reordering used to alter global signature. m ! permutations (10 modules ~3.6 million possible signatures). Counter-Measure: String-Detection. Finer-grained subset analysis, more resilient to change.

Simple Metamorphism December, 1998 – Win95/Regswap 5A pop edx BF mov edi,0004h 8BF5 mov esi,ebp B80C mov eax,000Ch 81C add edx,0088h 8B1A mov ebx,[edx] 899C mov [esi+eax* ],ebx 58 pop eax BB mov ebx,0004h 8BD5 mov edx,ebp BF0C mov edi,000Ch 81C add eax,0088h 8B30 mov esi,[eax] 89B4BA mov [edx+edi* ],esi Unchanged code underlined, so wildcard-string detection should still spot (e.g. 81**** B**… ).

Complex Metamorphism July, Win32/Evol Implements metamorphic engine that uses machine code instruction equivalences. Also inserts garbage. a. An early generation: C7060F mov dword ptr [esi], Fh C746048BEC5151 mov dword ptr [esi+0004],5151EC8Bh b. And one of its later generations: BF0F mov edi, Fh 893E mov [esi],edi 5F pop edi 52 push edx B640 mov dh,40 BA8BEC5151 mov edx,5151EC8Bh 53 push ebx 8BDA mov ebx,edx 895E04 mov [esi+0004],ebx Magic DWORDS (e.g Fh) changed also, so wild- card string detection fails after 3 rd generation.

Complex Metamorphism September, 2000 – Win95/Zperm Also inserts garbage instructions. Replaces single instructions with equivalent ones. (e.g. xor eax, eax  sub eax, eax ) Reorders jump instructions, so search string detection will not work. Permutations are n! where n = number of core virus code instructions.

Zperm example

Host Mutation Bistro, Smorph, Zmist Virus not only mutates itself but the host application. This randomizes the point-of-entry. Metamorphism extended to virus behavior, not just signature. Harder to repair infected file, and far less predictable. Detection must be algorithmic (emulator or VM analysis).

Advanced Metamorphic Engines Zmist Most complex binary virus encountered to date (of paper). Little bit of everything discussed so far. Does not simply append virus code segment but actually integrates itself into the host code. Moves code blocks, inserts instructions, changes branches and regenerates all surrounding code, data references, even checksum. Random entry point means virus may never receive control (branch not taken). 3 different types of infection, each with its own probabilistic behavior.

Detection Techniques Geometric Detection Uses ‘shape heuristics’ Analyzes changes made to the file structure. e.g. suspicious memory block allocations. Prone to false positives. Used in conjunction with virus infection markers, can reduce number of false positives.

Detection Techniques Disassembly Can be useful for avoiding false-positives: …66 3D 4D 5A… *common red-flag (exe?) but is it CMP AX, ‘ZM’ or MOV EDI, 5A4D3D66 ? Combined with state machine can try to isolate “interesting” instructions from garbage, nop’s, jumps, etc. Could thwart viruses that insert lots of garbage but keep core instructions in same order.

Detection Techniques Interactive AV Scanning Engines Key to ant goog anti-metamorphic AV software. CPU emulator allows virus to execute in a virtual sandbox. Trap and test for specific behaviors known a priori. e.g. when ACG virus reaches instruction i, registers a&b have values x&y. Can also do stack analysis (Evol).

Detection Techniques Emulator-Based Heuristics Zero-day exploits. Heuristic analysis of suspicious behavior (if it walks like a virus and talks like virus..) VM’s allow deeper level of analysis than CPU emulator, and fewer false-positives. Limitations: 1. Hard to virtualize everything. 2. Performance issues. 3. Easy counter-measures for emulator evasion: No active internet connection? Do nothing. Random behavior: infect on Sundays only. Insert lots of benign behavior before payload (Zperm).

Future Developments Concepts seen here extended to distributed worm behavior. Self-updating viruses (they can patch too). More cooperative behavior among worm instantiations: Information exchange. Exporting/Importing code. Have seen this sort of thing already Code Red DDOS, Slapper (P2P). Nimbda checking backdoors left by Code Red II and Sadmind/IIS worms. Reproductive cross-mutations (hostA x virusB = ?) - Darwinism meets computer security.

Questions? Thanks.