Telecommunications Networking II Lecture 41f Viruses and Worms
Viruses (and Worms) references: William Stallings, Cryptography and Network Security, Chapter 15.2
Viruses and Worms
Virus: “A program that can ‘infect’ other programs by modifying them; the modification includes a copy of the virus program, which can then go on to infect other programs” (ref: Stallings p. 504)
Worm: “Network worm programs use network connections to pass from system to system” (ref: Stallings p. 504)
Viruses and Worms
Virus: extraneous executable code that attaches itself to a file or an application, and that can reproduce itself to infect other files or applications
Worm: a stand-alone executable program that can replicate itself, and that can use system resources to spread to multiple systems
Simple Virus Structure (ref: Stallings p. 506)
    program V :=
    {goto main;
     VIRUS-MARKER;                     (marker value omitted on the slide)
     subroutine infect-executable :=
       {loop:
        file := get random executable file;
        if (first-line-of-file = VIRUS-MARKER) then goto loop
        else prepend V to file;}
     main: main-program :=
       {infect-executable;
        goto next;}
     next:
    }
The marker on the second line of V lets the virus recognise a file it has already infected, so it keeps looking for a fresh victim instead of infecting the same file twice.
Viruses and Worms
The simple virus (prior slide) prepends (or appends) a fixed set of executable instructions to a file or application, which changes the size of the file.
Viruses and Worms
If we know how long a file is supposed to be, then we can detect the infection by noting the mismatch between the length of the infected file and the length of an uninfected file.
However, it is relatively easy to defeat the above detection method, e.g., by compressing the original file.
Compression Virus (ref: Stallings p. 507)
1. Compress the next victim file
2. Prepend the virus code to the compressed victim file
3. Execute the virus code (infect new files, etc.)
4. Decompress the current victim file
5. Run the decompressed file
Viruses and Worms
Parasite virus: attaches itself to an executable file; replicates and infects another file when the executable file is executed
Memory-resident virus: lodges in main memory and infects every program that executes
Boot sector virus:
Viruses and Worms
Polymorphic virus: transforms (morphs) itself every time it replicates, to avoid detection of its signature
Macro virus: infects documents (non-executable content plus macros) that are opened with Microsoft Word or other Office applications; the macros can, iteratively, infect other documents, delete files, etc.
Polymorphic Viruses
Polymorphic viruses attempt to hide themselves from virus signature detection by changing (morphing) themselves every time they replicate.
Polymorphic Viruses
Change with each new infection
Are (for example) comprised of two parts:
–A decryptor
–An encrypted virus file
Both the decryptor and the encrypted file change each time the virus replicates, so that neither one has a fixed signature.
Infected application
[Diagram: an infected application consists of the Decryptor, the Encrypted virus file and the original App. 1]
How does it work?
1. The decryptor executable decrypts the encrypted virus file (virus version xyz is now executing)
2. Virus 1 finds the victim (App. 2)
3. The mutator engine creates a new decryptor and a new virus file, and encrypts the new virus file (virus version xyz+1)
4. Virus 2 (the new decryptor plus the newly encrypted virus file) is prepended to App. 2
“The Black Baron’s” Tutorial: ultra-simple decryptor
        MOV SI,jumbled_data      ; Point to the jumbled data
        MOV CX,10                ; Ten bytes to decrypt
    main_loop:
        XOR BYTE PTR [SI],55     ; (unscramble) a byte
        INC SI                   ; Next byte
        LOOP main_loop           ; Loop for the 9 remaining bytes
In other words: encrypt by XOR’ing 55 with each byte of the virus file, and decrypt by XOR’ing 55 again.
“The Black Baron’s” Tutorial: permuted ultra-simple decryptor
        MOV CX,10
        MOV SI,jumbled_data
    main_loop:
        XOR BYTE PTR [SI],55
        INC SI
        LOOP main_loop
“The Black Baron’s” Tutorial: NOPs added to the decryptor
        MOV CX,10
        NOP
        MOV SI,jumbled_data
        NOP
    main_loop:
        NOP
        NOP
        XOR BYTE PTR [SI],55
        NOP
        INC SI
        NOP
        LOOP main_loop
“The Black Baron’s” Tutorial: junk added to the decryptor
        MOV DX,10                ; Real part of the decryptor!
        MOV SI,1234              ; junk
        AND AX,[SI+1234]         ; junk
        CLD                      ; junk
        MOV DI,jumbled_data      ; Real part of the decryptor!
        TEST [SI+1234],BL        ; junk
        OR AL,CL                 ; junk
    main_loop:
        ADD SI,SI                ; junk instruction, real loop!
        XOR AX,1234              ; junk
        XOR BYTE PTR [DI],55     ; Real part of the decryptor!
        SUB SI,123               ; junk
        INC DI                   ; Real part of the decryptor!
        TEST DX,1234             ; junk
        AND AL,[BP+1234]         ; junk
        DEC DX                   ; Real part of the decryptor!
        NOP                      ; junk
        XOR AX,DX                ; junk
        SBB AX,[SI+1234]         ; junk
        AND DX,DX                ; Real part of the decryptor!
        JNZ main_loop            ; Real part of the decryptor!
Detecting Viruses (ref: Stallings)
Look for a known virus signature
Heuristic methods: look for structures in a file that look like they may be associated with a virus (e.g., a decryption loop)
Checksums (easily defeated by compression and decompression techniques, or by changing the stored checksum)
Digital signatures
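The length check from the earlier slide and the checksum and digital-signature bullets above can be tried out together. The following is an added example (not from the lecture or from Stallings): the "files" are constructed in-memory byte strings standing in for executables, the "compression" is a constructed size-preserving overwrite rather than a real compressor, and the HMAC key is a constructed stand-in for the signing key that a digitally signed baseline would use.

```python
"""Integrity checking: file length alone versus a cryptographic hash.

Added example (not from the lecture slides or from Stallings). The "files"
are constructed in-memory byte strings standing in for executables on disk,
and the HMAC key is a constructed stand-in for a signing key.
"""
import hashlib
import hmac

# Constructed sample executables: a 2-byte header, 30 bytes of padding, a body.
CLEAN_FILES = {
    "editor.exe": b"MZ" + b"\x90" * 30 + b"editor-original-code",
    "viewer.exe": b"MZ" + b"\x90" * 30 + b"viewer-original-code",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_baseline(files: dict) -> dict:
    """Record the expected length and SHA-256 of every known-clean file."""
    return {name: {"length": len(data), "sha256": sha256_hex(data)}
            for name, data in files.items()}


def check_lengths(files: dict, baseline: dict) -> list:
    """The length check from the slides: flag files whose size has changed."""
    return sorted(name for name, data in files.items()
                  if len(data) != baseline[name]["length"])


def check_hashes(files: dict, baseline: dict) -> list:
    """Hash check: flag any byte-level change, whether or not the size changed."""
    return sorted(name for name, data in files.items()
                  if sha256_hex(data) != baseline[name]["sha256"])


def simulate_prepend(data: bytes, block: bytes) -> bytes:
    """Simple-virus layout from the slides: a fixed block is prepended, so the file grows."""
    return block + data


def simulate_size_preserving(data: bytes, block: bytes) -> bytes:
    """Stand-in for the compression virus: the original is shrunk by the size of the
    prepended block so the total length is unchanged. Here the 'compression' is a
    constructed overwrite of the padding region after the header, not a real compressor."""
    return data[:2] + block + data[2 + len(block):]


def sign_baseline(baseline: dict, key: bytes) -> str:
    """Keyed MAC over a canonical rendering of the baseline, so stored lengths and
    hashes cannot be quietly rewritten to match a modified file (stands in for the
    digital signature listed on the slide)."""
    canonical = "\n".join(f"{name}:{v['length']}:{v['sha256']}"
                          for name, v in sorted(baseline.items())).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_baseline(baseline: dict, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


def demo() -> dict:
    baseline = record_baseline(CLEAN_FILES)
    key = b"constructed-demo-key"
    tag = sign_baseline(baseline, key)
    block = b"CONSTRUCTED-BLOCK".ljust(30, b"-")   # 30 bytes, same as the padding

    grown = dict(CLEAN_FILES)
    grown["editor.exe"] = simulate_prepend(CLEAN_FILES["editor.exe"], block)
    same_size = dict(CLEAN_FILES)
    same_size["viewer.exe"] = simulate_size_preserving(CLEAN_FILES["viewer.exe"], block)

    # Rewriting the stored checksums to match the modified file (the other defeat on
    # the slide) yields a baseline that no longer verifies against the original tag.
    forged = record_baseline(same_size)

    return {
        "prepend_by_length": check_lengths(grown, baseline),
        "prepend_by_hash": check_hashes(grown, baseline),
        "same_size_by_length": check_lengths(same_size, baseline),
        "same_size_by_hash": check_hashes(same_size, baseline),
        "forged_baseline_accepted": verify_baseline(forged, key, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The size-preserving modification passes the length check and is caught only by the hash; the rewritten baseline is rejected because the MAC tag was computed over the original lengths and hashes. The baseline and its tag (or signature) therefore have to be stored where the infected program cannot rewrite them, which is the point of the digital-signature bullet.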
Virus Signature Detection
Example: 20,000 files to check × 30,000 virus signatures to test against = 600,000,000 tests; at 1 test per microsecond that is 600 seconds, i.e., 10 minutes to perform the virus check.
Heuristic
Intuitive: e.g., seems like it might work
Plausible: seems to make sense
Not proven: but, then again, it's hard to say how effective it will be
Example: stock analysts present heuristic arguments to support their predictions
Detecting Viruses (ref: Stallings)
Identify viruses by the actions they cause
Pre-execute all programs in an emulator (i.e., interpret the instructions one at a time, under control of the virus detection engine) to observe such things as decryption processes and the signatures of the decrypted viruses
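Why signature scanning fails against the Black Baron decryptor scheme, and why scanning after the decryption step succeeds, can be shown with a few lines of Python. This is an added example, not from the lecture, from Stallings or from the tutorial: VIRUS_BODY, the signature and the file layout are constructed marker strings, the decryptor is a placeholder token rather than executable code, and the emulator is replaced by the shortcut that AV engines call X-raying (trying all 256 one-byte XOR keys, which is the only thing the tutorial's loop varies).

```python
"""Signature scanning against a one-byte-XOR-encrypted body: static bytes versus
bytes after the decryption step has been carried out.

Added example, not from the lecture, from Stallings or from the Black Baron
tutorial. VIRUS_BODY, the signature and the file layout are constructed marker
strings; no executable decryptor is emitted and the signature is not a real one.
"""

# Constructed plaintext body and the byte pattern a scanner would look for in it.
VIRUS_BODY = b"CONSTRUCTED-SAMPLE-BODY: find victim; infect; return to host"
SIGNATURES = {"constructed-sample": b"CONSTRUCTED-SAMPLE-BODY"}

DECRYPTOR_STUB = b"[decryptor-stub]"   # placeholder for the tutorial's decryptor loop


def xor_bytes(data: bytes, key: int) -> bytes:
    """The tutorial's scheme: XOR every byte with one key byte; the same call decrypts."""
    return bytes(b ^ key for b in data)


def construct_sample(app: bytes, key: int) -> bytes:
    """Constructed file layout mirroring the slides: [decryptor][encrypted body][original app].
    Each generation uses a different key, so the encrypted bytes differ each time."""
    return DECRYPTOR_STUB + xor_bytes(VIRUS_BODY, key) + app


def scan_static(data: bytes, signatures: dict) -> list:
    """Plain signature scan over the bytes exactly as they sit in the file."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def scan_after_decryption(data: bytes, signatures: dict) -> list:
    """Stand-in for the emulator on the slide. Rather than interpreting x86, it uses
    what the tutorial's loop actually does (XOR with one constant) and tries all 256
    keys, scanning each result; AV engines call this X-raying. A real emulator would
    instead step through the decryptor and scan memory once the loop has finished."""
    hits = set()
    for key in range(256):
        hits.update(scan_static(xor_bytes(data, key), signatures))
    return sorted(hits)


def demo() -> dict:
    app = b"MZ-constructed-host-application"
    gen1 = construct_sample(app, 0x55)   # the tutorial's key
    gen2 = construct_sample(app, 0x3C)   # next generation: the mutator picked a new key
    return {
        "generations_differ": gen1 != gen2,
        "static_gen1": scan_static(gen1, SIGNATURES),
        "static_gen2": scan_static(gen2, SIGNATURES),
        "decrypted_gen1": scan_after_decryption(gen1, SIGNATURES),
        "decrypted_gen2": scan_after_decryption(gen2, SIGNATURES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two generations have different encrypted bytes and neither contains the signature as stored, yet both are found once the XOR has been undone. The cost is the catch: trying every key multiplies the 600,000,000 tests of the earlier slide by 256, which is why an engine first uses the heuristic from the previous slide (locate something that looks like a decryption loop) or emulates the program until the loop has run, and only then applies the signature scan to the decrypted bytes.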