
1 Polymorphic Viruses: A brief survey. Joseph Hamm, Shirlan Johnson

2 11-Sep-2002 CS 6265 Fall 2002
Contents
- Prologue
- Introduction
- The Evolution of Polymorphic Viruses
- Polymorphism
- Detection
- Epilogue

3 Prologue
- 1941
  – First theories for self-replicating programs
- 1980s
  – ©Brain (Pakistan) and Stoned (New Zealand) attack floppy boot sectors
  – Jerusalem (Israel): first virus to infect files other than .COM and .EXE
  – Den Zuk (Indonesia): first "antivirus" virus; removes ©Brain and inoculates against it

4 Prologue
- 1990s
  – 1st virus exchange (VX) BBS (Bulgaria) goes online
  – AT&T attack (1st successful critical-infrastructure attack?)
  – Dark Avenger releases the 1st PME, MtE, which enables other viruses to morph into over 4,000,000,000 different forms
  – 1st polymorphic virus appears: Tequila (Switzerland)
  – Nowhere Man releases Nowhere Utilities, which include the Virus Creation Lab (VCL) with a "Borland interface"

5 Polymorph Engine - 1
- What is a Polymorph Engine?
- A program that can encrypt (or jumble up) another program or data, supply a unique decryptor for it, and do so in such a way that no two encryptions of the same program or data look alike.

6 Polymorph Engine - 2
A PME typically consists of:
- The random number generator.
- The junk code generator.
- The decryptor generator.

7 Polymorphism Levels
- Level 1
  – Viruses having a set of decryptors with constant code, choosing one while infecting.
- Level 2
  – The virus decryptor contains one or several constant instructions; the rest of it is changeable.
- Level 3
  – The decryptor contains unused functions ("junk") such as NOP, CLI, STI etc.
- Level 4
  – The decryptor uses interchangeable instructions and changes their order (instruction mixing).
  – The decryption algorithm remains unchanged.

8 Polymorphism Levels – Cont'd.
- Level 5
  – Levels 1-4 are used, the decryption algorithm is changeable, and repeated encryption of the virus code and even partial encryption of the decryptor code are possible.
- Level 6
  – Permutating viruses. The main code of the virus is subject to change: it is divided into blocks which are positioned in random order while infecting.
- Level 7
  – Levels 1-6 plus heuristic, goat and emulator counter-measures.

9 Sample Polymorphic Virus Code

    MOV  DX,10             ; real part of the decryptor!
    MOV  SI,1234           ; junk
    AND  AX,[SI+1234]      ; junk
    CLD                    ; junk
    MOV  DI,jumbled_data   ; real part of the decryptor!
    TEST [SI+1234],BL      ; junk
    OR   AL,CL             ; junk
main_loop:
    ADD  SI,SI             ; junk instruction, real loop!
    XOR  AX,1234           ; junk

10 Polymorphic Behavior - 1 (diagram slide; no transcript text)

11 Polymorphic Behavior - 2 (diagram slide; no transcript text)

12 Polymorphic Behavior - 3 (diagram slide; no transcript text)

13 Polymorphic Behavior - 4 (diagram slide; no transcript text)

14 AV Polymorphic Response - 1
- Scan Strings
  – Work by searching for a pattern of bytes in FIXED positions and a FIXED sequence.
- Variable Scan Strings
  – Work by searching for a pattern of bytes in VARIABLE positions but in a FIXED sequence.
- Cryptanalysis
  – Works by finding part of the VIRUS BODY, performing some very basic cryptanalysis on it and then decrypting it (if possible).

15 AV Polymorphic Response - 2
- Generic Decryptor (Emulator)
  – Works by emulating the instructions of the polymorphic decryptor so that the virus decrypts itself, then detects the virus with a standard scan string.
- Heuristics
  – Searches for inconsistencies between the code being analyzed and the normal, everyday code found in programs.
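The generic decryptor of slide 15 in miniature, as an added example that is not part of the original slides and is not real AV or virus code. The register machine, the "VIRUS BODY" bytes, the scan string and the two constructed samples (same body, different XOR key, junk instructions interleaved the way slide 9 shows) are all assumptions made for the demonstration. The point it shows: a scan string fails on the raw image because the body is stored encrypted under a per-copy key, but after the sample's own decryptor loop has been run inside the emulator the same scan string matches every copy, whatever the key and junk layout.

```python
"""Generic decryption by emulation (added example; constructed toy ISA)."""
from typing import Dict, List, Sequence, Tuple

Instr = Tuple[object, ...]

BODY = b"VIRUS BODY: constructed payload"   # constructed plaintext body
SCAN_STRING = b"VIRUS BODY"                  # constructed scan string for it


def make_sample(key: int, junk_positions: Sequence[int]) -> Tuple[List[Instr], bytearray]:
    """Build a constructed infected image: a decryptor program plus the body
    XOR-encrypted under `key` in memory.  NOP junk is inserted at the given
    program indices, so two samples share neither key nor byte layout."""
    memory = bytearray(b ^ key for b in BODY)
    program: List[Instr] = [
        ("MOV", "SI", 0),              # SI -> start of the body
        ("MOV", "CX", len(BODY)),      # CX  = bytes left to decrypt
        ("MOV", "KEY", key),
        ("LABEL", "loop"),
        ("XOR_MEM", "SI", "KEY"),      # mem[SI] ^= KEY   (the real work)
        ("INC", "SI"),
        ("DEC", "CX"),
        ("JNZ", "CX", "loop"),
        ("HALT",),
    ]
    for pos in sorted(junk_positions, reverse=True):   # highest index first
        program.insert(pos, ("NOP",))  # junk: changes layout, not behaviour
    return program, memory


def emulate(program: Sequence[Instr], memory: bytearray, max_steps: int = 10_000) -> int:
    """Run `program` against `memory` and return the number of instructions
    executed.  Stops at HALT, at the end of the program, or when the step
    budget is spent, so a looping sample cannot hang the scanner.  Writes
    outside the image are ignored."""
    labels: Dict[str, int] = {ins[1]: i for i, ins in enumerate(program) if ins[0] == "LABEL"}
    regs: Dict[str, int] = {"SI": 0, "CX": 0, "KEY": 0}
    pc = 0
    steps = 0
    while pc < len(program) and steps < max_steps:
        ins = program[pc]
        steps += 1
        op = ins[0]
        if op == "HALT":
            break
        if op == "MOV":
            regs[ins[1]] = ins[2]
        elif op == "XOR_MEM":
            addr = regs[ins[1]]
            if 0 <= addr < len(memory):
                memory[addr] ^= regs[ins[2]] & 0xFF
        elif op == "INC":
            regs[ins[1]] += 1
        elif op == "DEC":
            regs[ins[1]] -= 1
        elif op == "JNZ" and regs[ins[1]] != 0:
            pc = labels[ins[2]]
            continue
        # LABEL, NOP and a not-taken JNZ simply fall through
        pc += 1
    return steps


def generic_decrypt_and_scan(program: Sequence[Instr], memory: bytearray) -> Tuple[bool, bool]:
    """Scan the image before and after emulation.
    Returns (matched_on_raw_image, matched_after_emulation)."""
    matched_raw = SCAN_STRING in memory
    emulate(program, memory)
    return matched_raw, SCAN_STRING in memory


if __name__ == "__main__":
    for key, junk in ((0x5A, [1, 4, 6]), (0xC3, [2, 7, 9])):
        prog, mem = make_sample(key, junk)
        print(hex(key), generic_decrypt_and_scan(prog, mem))   # (False, True) for both
```

The step budget is the part a practitioner should notice: slide 23's "must not be able to be decrypted by generic decryption engines" is usually attempted by making the decryptor loop far longer than an emulator is willing to run, so the budget, not the instruction decoder, is what limits this approach.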

16 AV Strategy - 1 (diagram slide; no transcript text)

17 AV Strategy - 2 (diagram slide; no transcript text)

18 AV Strategy - 3 (diagram slide; no transcript text)

19 AV Strategy - 4 (diagram slide; no transcript text)

20 AV Strategy - 5 (diagram slide; no transcript text)

21 Heuristic AV Strategy (diagram slide; no transcript text)

22 VX Response to AV Tactics - 1
- Anti Scan String methods
  – Avoid the use of code common to every decryptor. NOTE: make enough alternatives that multiple variable scan strings are not an option for AV!
- Anti-Cryptanalysis
  – Simply add multiple encryption.
  – A loop using a single XOR with a byte/word is very easy to crypt-analyze, but a loop using XOR b/w, ADD b/w, SUB b/w and ROL b/w in one loop is VERY hard to crypt-analyze.
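An added example, not part of the original slides, covering the scan-string and cryptanalysis responses of slide 14 and the VX counters to them on slide 22. Everything in it is constructed: the CORE byte tokens stand in for decryptor instructions (they are not x86 encodings), the three variants show junk insertion and an alternative core instruction, and the "VIRUS BODY" plaintext and keys are invented. It shows that a fixed scan string needs identical bytes in identical positions, a variable scan string survives junk between fixed fragments but not an alternative encoding of a core step, and known-plaintext cryptanalysis recovers a single XOR key instantly, while a loop that stacks XOR, ADD, SUB and ROL pushes the per-byte key space past what a brute-force search budget allows.

```python
"""Scan strings, variable scan strings and decrypt-loop cryptanalysis
(added example; all byte values constructed)."""
import re
from itertools import product
from typing import Callable, Dict, Optional, Sequence, Tuple

# Constructed decryptor "instructions".  Only the CORE fragments do the
# decryption; everything between them is junk.  ALT_CORE2 is an
# alternative encoding of the second core step (slide 22's advice).
CORE1, CORE2, CORE3 = b"\xA1\x10", b"\xB7\x34\x12", b"\xC9\xF6"
ALT_CORE2 = b"\xB8\x34\x12"

VARIANT_A = CORE1 + CORE2 + CORE3                                # no junk
VARIANT_B = CORE1 + b"\x90\x90" + CORE2 + b"\x33\x44" + CORE3   # junk inserted
VARIANT_C = CORE1 + b"\x90" + ALT_CORE2 + CORE3                 # alternative core


def fixed_scan(data: bytes, pattern: bytes) -> bool:
    """Scan string: same bytes, same relative positions, same order."""
    return pattern in data


def variable_scan(data: bytes, fragments: Sequence[bytes], max_gap: int) -> bool:
    """Variable scan string: the fragments must occur in this order, each
    separated by 0..max_gap bytes of anything (junk).  Built as a bytes regex."""
    gap = b".{0,%d}" % max_gap
    pattern = gap.join(re.escape(f) for f in fragments)
    return re.search(pattern, data, re.DOTALL) is not None


# --- cryptanalysis of the decrypt loop -------------------------------------
def rol(b: int, k: int) -> int:
    k %= 8
    return ((b << k) | (b >> (8 - k))) & 0xFF


def ror(b: int, k: int) -> int:
    return rol(b, (8 - k % 8) % 8)


# op name -> (forward step used when the body was encrypted, inverse step)
OPS: Dict[str, Tuple[Callable[[int, int], int], Callable[[int, int], int]]] = {
    "xor": (lambda b, k: b ^ k,            lambda b, k: b ^ k),
    "add": (lambda b, k: (b + k) & 0xFF,   lambda b, k: (b - k) & 0xFF),
    "sub": (lambda b, k: (b - k) & 0xFF,   lambda b, k: (b + k) & 0xFF),
    "rol": (rol,                           ror),
}
KEY_RANGE = {"xor": 256, "add": 256, "sub": 256, "rol": 8}   # byte-wide keys

BODY = b"VIRUS BODY: constructed payload"   # constructed plaintext body


def encrypt(body: bytes, ops: Sequence[str], keys: Sequence[int]) -> bytes:
    """Apply the loop's operations, in order, to every byte (builds a sample)."""
    out = bytearray()
    for b in body:
        for op, k in zip(ops, keys):
            b = OPS[op][0](b, k)
        out.append(b)
    return bytes(out)


def decrypt(data: bytes, ops: Sequence[str], keys: Sequence[int]) -> bytes:
    """Undo the loop: inverse operations in reverse order."""
    out = bytearray()
    for b in data:
        for op, k in reversed(list(zip(ops, keys))):
            b = OPS[op][1](b, k)
        out.append(b)
    return bytes(out)


def keyspace(ops: Sequence[str]) -> int:
    """Number of key tuples a brute-force cryptanalysis has to consider."""
    n = 1
    for op in ops:
        n *= KEY_RANGE[op]
    return n


def recover_keys(cipher_prefix: bytes, known_prefix: bytes, ops: Sequence[str],
                 max_candidates: int = 1 << 20) -> Optional[Tuple[int, ...]]:
    """Known-plaintext cryptanalysis: given the loop's operation sequence and a
    fragment of the body the scanner expects, try every key tuple until the
    prefix decrypts to it.  Returns None when the key space exceeds the budget
    the scanner is willing to spend (the slide 22 'multiple encryption' case)."""
    if keyspace(ops) > max_candidates:
        return None
    for keys in product(*(range(KEY_RANGE[op]) for op in ops)):
        if decrypt(cipher_prefix, ops, keys) == known_prefix:
            return keys
    return None


if __name__ == "__main__":
    sample = encrypt(BODY, ("xor",), (0x5A,))
    print("single XOR key:", recover_keys(sample[:6], BODY[:6], ("xor",)))
    print("XOR+ADD+SUB+ROL key space:", keyspace(("xor", "add", "sub", "rol")))
```

Note that for a two-step loop such as XOR then ADD the recovered key pair need not be the one used (XOR with k1^0x80 followed by ADD k2+0x80 produces the same bytes), which is why the check is whether the whole body decrypts, not whether the keys match.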

23 VX Advice to Next Gen
- If you are going to make a good engine remember the following points:
  – It must not have fixed bytes in fixed positions.
  – It must not have fixed bytes in variable positions.
  – It must not be able to be decrypted by generic decryption engines in AV software.
  – It helps if the code is heuristically "clean", but it is not the "be all and end all" of an engine to be this way.
  – Make sure it is very difficult to analyze by AV.
  – Make sure it is next to impossible to remove if it does get caught.

24 Epilogue
- Polymorphic viruses represent yet another escalatory step in the conflict between those who seek to compromise computer systems (the VX community) and those who defend them (the AV community). As the techniques and strategies improve, one can expect the threat of polymorphic viruses to only increase.

25 References - 1
- AVP Virus Encyclopaedia
  – http://www.kav.ch/avpve/
- History of Computer Viruses by Robert M. Slade
  – http://www.bocklabs.wisc.edu/~janda/sladehis.html
- Understanding & Managing Polymorphic Viruses
  – http://www.symantec.com/avcenter/whitepapers.html
- Virus Timeline & Scientific Papers
  – http://researchweb.watson.ibm.com/antivirus/index.htm
  – http://www.cknow.com/vtutor/vthistory.htm

26 References - 2
- VX Papers & Articles
  – http://vx.netlux.org/lib_diff.shtml
  – Guide to improving Polymorphic Engines by Rogue Warrior
  – A General Description of the Methods Behind a Polymorph Engine by The Black Baron
- Viruses Revealed by David Harley et al.

27 Questions?
