
Dr. Richard Ford: Szor 7, Another way viruses try to evade scanners (presentation transcript)


Slide 1
Dr. Richard Ford, rford@fit.edu

Slide 2
- Szor 7
- Another way viruses try to evade scanners

Slide 3
- Look for "known" viruses
- Basically, used to look for hex strings in files
- Virus writers tried to make this more difficult...

Slide 4
- First virus: Cascade
- Benefit: forces the vendor to choose a hex string from a small part of the virus code
- Increases chances of a false positive

Slide 5 (the Cascade decryptor)

            LEA  SI, Start
            MOV  SP, 0682
    Decrypt:
            XOR  [SI], SI
            XOR  [SI], SP
            INC  SI
            DEC  SP
            JNZ  Decrypt
    Start:

Slide 6 (a 32-bit decryptor)

            MOV  EDI, 00403045h
            ADD  EDI, EBP
            MOV  ECX, 0A6Bh
            MOV  AL, [key]
    Decrypt:
            XOR  [EDI], AL
            INC  EDI
            LOOP Decrypt
            JMP  Start
    key     DB   86
    Start:

Slide 7
- Virus writer can implement multiple layers of "encryption"
- Why do I keep using quotation marks?
- Use multiple keys
- Start of loop can be obfuscated
- Can "not" store the decryption key in the body
- Can use strong crypto (but...)

Slide 8
- Well, in these examples, the decryption routine is static
- Can detect on the decryption routine if not the virus body... can the attacker do better?

Slide 9
- What? Having or passing through few changes of form.
- Example: Whale virus carried multiple decryptors with it
- Of course, such viruses require painstaking analysis...

Slide 10
- Next level: millions of possible decryption routines, dynamically generated
- First known: 1260
- Technique used: insert "junk" instructions into the decryption loop

Slide 11 (junk instructions padding the loop)

            INC  DI
            NOP
            CLC
            INC  AX
            LOOP Decrypt

Slide 12
- One possibility: code optimization
- Well-known from other parts of CS...
- But was attacked directly by MtE
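The "code optimization" idea from slide 12, as an added example that is not part of the lecture: a toy Python normaliser that strips slide 11 style junk from a decryption loop (flag-only instructions, and writes to registers nothing else in the loop reads), then matches what remains against the operand shape of the Cascade decryptor from slide 5 instead of against exact bytes. The listing it runs on, the mnemonic table and the signature are all constructed for this example.

```python
import re
# Added example, not lecture code. Listings are constructed text (16-bit mnemonics).
JUNK = {"NOP", "CLC", "STC", "CLD", "STD", "CMC"}          # no effect on the loop's work
REGS = {"AX", "BX", "CX", "DX", "SI", "DI", "BP", "SP", "AL", "CL"}
RW = {"MOV": ([1], [0]), "LEA": ([1], [0]), "INC": ([0], [0]), "DEC": ([0], [0]),  # (reads, writes)
      "XOR": ([0, 1], [0]), "ADD": ([0, 1], [0]), "SUB": ([0, 1], [0]), "XCHG": ([0, 1], [0, 1])}
def parse(text):  # "label: MNEM op, op ; comment" lines -> [(MNEM, [OPS])], labels dropped
    out = []
    for line in text.splitlines():
        line = line.split(";")[0].split(":")[-1].split(None, 1)
        if line:
            out.append((line[0].upper(),
                        [o.strip().upper() for o in line[1].split(",")] if len(line) > 1 else []))
    return out
def regs_in(op):  # register names inside an operand such as "[BP+0D2B]" or "SI"
    return {t for t in re.split(r"[\[\]+\s]+", op) if t in REGS}
def reads(ins):  # registers read, including the base register of a memory destination
    rd, wr = RW.get(ins[0], ([], []))
    used = [ins[1][i] for i in rd] + [ins[1][i] for i in wr if ins[1][i][0] == "["]
    return {"CX"} if ins[0] == "LOOP" else set().union(*map(regs_in, used))
def removable(ins, live):  # no effect, or only writes a register nobody else reads
    if ins[0] not in RW:  # jumps, LOOP and unknown opcodes are kept conservatively
        return ins[0] in JUNK
    return all(d[0] != "[" and d not in live for d in (ins[1][i] for i in RW[ins[0]][1]))
def strip_junk(ins):  # remove to a fixpoint: one removal can expose the next
    live = list(ins)
    while True:
        for idx, cur in enumerate(live):
            rest = live[:idx] + live[idx + 1:]
            if removable(cur, set().union(*map(reads, rest))):
                del live[idx]
                break
        else:
            return live
def shape(ins):  # abstract away concrete keys and addresses: operand kinds only
    return ins[0] + " " + ",".join("MEM" if o[0] == "[" else "REG" if o in REGS else "IMM" for o in ins[1])
CASCADE = ["XOR MEM,REG", "XOR MEM,REG", "INC REG", "DEC REG", "JNZ IMM"]  # constructed signature
def matches(text, sig=CASCADE):  # True if the junk-stripped loop contains sig as a contiguous run
    s = [shape(i) for i in strip_junk(parse(text))]
    return any(s[i:i + len(sig)] == sig for i in range(len(s) - len(sig) + 1))
SAMPLE = """; constructed: the slide 5 loop padded with slide 11 style junk
Decrypt: XOR [SI], SI
        NOP
        XOR [SI], SP
        INC DI           ; junk: DI is never read
        INC AX           ; junk: AX is never read
        INC SI
        DEC SP
        JNZ Decrypt"""
```

The register-juggling prologue on slide 14 shows the limit of this pass: every instruction there feeds BP, which the loop reads, so nothing is removed and the loop on slide 15 does not match the Cascade shape either. That is the sense in which MtE attacked the optimization idea directly.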

Slide 13
- Module for providing polymorphism
- Called as a function, passing:
  - Work segment
  - Pointer to code to encrypt
  - Length of the virus body
  - Base of the decryptor
  - Entry point of the host
  - Target location of the encrypted code
  - Size of decryptor (tiny, small, medium, large)
  - Bit field of registers not to use
- Returns: a buffer containing the encrypted virus plus a decryption routine

Slide 14 (MtE register juggling before the loop)

            MOV  BP, A16C
            MOV  CL, 03
            ROR  BP, CL
            MOV  CX, BP
            MOV  BP, 856E
            OR   BP, 740F
            MOV  SI, BP
            MOV  BP, 3B92
            ADD  BP, SI
            XOR  BP, CX
            SUB  BP, B10C      ; sets final value of BP...

Slide 15 (MtE decryption loop)

    Decrypt:
            MOV  BX, [BP+0D2B]
            ADD  BX, 9D64
            XCHG [BP+0D2B], BX
            MOV  BX, 8F31
            SUB  BX, BP
            MOV  BP, 8F33
            SUB  BP, BX
            JNZ  Decrypt
    START:

Slide 16
- Let's talk about it...

Slide 17
- Carry your source and look for a compiler
- Why is this so very horrible?
- And then there's System.Reflection.Emit to worry about...

Slide 18
- Muttik: "metamorphics are body-polymorphic"
- Example: ZPerm
- Uses JMPs to reorder its own code

Slide 19
- Due: 2 weeks from today, before class
- Write a METAMORPHIC "Hello World" generator that:
  - Creates 10 COM files
  - Each time you run it, it should create different files
  - Must use C/C++
- Turn in the solution in SVN with JUST THE FILES I NEED to check out and compile with no challenges

