Computer and Information Security - PowerPoint PPT Presentation

1 / 38

About This Presentation

Title:

Computer and Information Security

Description:

... source code (which deliberately contains some useless junk) and recompile itself ... Virus changes junk in its source and recompiles itself ... – PowerPoint PPT presentation

Number of Views:68

Avg rating:3.0/5.0

Slides: 39

Provided by: sja8

Learn more at: http://faculty.sjcny.edu

Category:

more less

Transcript and Presenter's Notes

Title: Computer and Information Security

1
Computer and Information Security

Chapter 10
Malicious Software

2
Overview

Viruses and Related Threats
Malicious Programs
The Nature of Viruses
Antivirus Approaches
Advanced Antivirus Techniques

3
Malicious Logic

Malicious logic is a set of instructions that
cause a sites security policy to be violated.
Trojan horses
viruses
worms

4
Viruses and Malicious Programs

Computer Viruses and related programs have the
ability to replicate themselves on an ever
increasing number of computers. They originally
spread by people sharing floppy disks. Now they
spread primarily over the Internet (a Worm).
Other Malicious Programs may be installed by
hand on a single machine. They may also be built
into widely distributed commercial software
packages. These are very hard to detect before
the payload activates (Trojan Horses, Trap Doors,
and Logic Bombs).

5
Taxonomy of Malicious Programs
Malicious Programs
Need Host Program
Independent
Trapdoors
Logic Bombs
Trojan Horses
Viruses
Bacteria
Worms
6
Definitions

Virus - code that copies itself into other
programs
A Bacteria replicates until it fills all disk
space, or CPU cycles
Payload - harmful things the malicious program
does, after it has had time to spread
Worm - a program that replicates itself across
the network (usually riding on email messages or
attached documents (e.g., macro viruses)
Macro - virus composed of sequence of
instructions that are interpreted rather than
executed directly

7
Definitions

Boot Sector is used to bootstrap a system or
mount a disk- executed when the system sees the
disk for the first time
Boot sector infector - virus that inserts itself
into the boot sector of a disk

8
Definitions

TSR - terminate and stay resident virus - stays
active in memory after the application has
terminated
Stealth viruses - conceal the infection of files
Polymorphic - viruses that change form each time
it inserts itself into a program

9
Definitions

Trojan Horse - instructions in an otherwise good
program that cause bad things to happen (sending
your data or password to an attacker over the
net).
Logic Bomb - malicious code that activates on an
event (e.g., date).
Trap Door (or Back Door) - undocumented entry
point written into code for debugging that can
allow unwanted users.
Easter Egg - extraneous code that does something
cool. A way for programmers to show that they
control the product.

10
Virus Phases

Dormant phase - the virus is idle
Propagation phase - the virus places an identical
copy of itself into other programs
Triggering phase the virus is activated to
perform the function for which it was intended
Execution phase the function is performed

11
Virus Protection
Have a well-known virus protection program,
configured to
scan disks and downloads automatically for known
viruses.
Do not execute programs (or "macro's") from
unknown
sources (e.g., PS files, Hypercard files, MS
Office documents,
Avoid the most common operating systems and email
programs, if possible.
12
Virus Structure
13
Virus Techniques

Stealth viruses
Infect OS so that infected files appear normal to
user
Macro viruses
A macro is an executable program embedded in a
word processing document (MS Word) or spreadsheet
(Excel)
When infected document is opened, virus copies
itself into global macro file and makes itself
auto-executing (e.g., gets invoked whenever any
document is opened)
Polymorphic viruses
Viruses that mutate and/or encrypt parts of their
code with a randomly generated key

14
Types of Viruses

Parasitic Virus - attaches itself to executable
files as part of their code. Runs whenever the
host program runs.
Memory-resident Virus - Lodges in main memory as
part of the residual operating system.
Boot Sector Virus - infects the boot sector of a
disk, and spreads when the operating system boots
up (original DOS viruses).
Stealth Virus - explicitly designed to hide from
Virus Scanning programs.
Polymorphic Virus - mutates with every new host
to prevent signature detection.

15
Macro Viruses

Microsoft Office applications allow macros to
be part of the document. The macro could run
whenever the document is opened, or when a
certain command is selected (Save File).
Platform independent.
Infect documents, delete files, generate email
and edit letters.

16
Antivirus Approaches

1st Generation, Scanners searched files for any
of a library of known virus signatures. Checked
executable files for length changes.
2nd Generation, Heuristic Scanners looks for
more general signs than specific signatures (code
segments common to many viruses). Checked files
for checksum or hash changes.
3rd Generation, Activity Traps stay resident in
memory and look for certain patterns of software
behavior (e.g., scanning files).
4th Generation, Full Featured combine the best
of the techniques above.

17
Advanced Antivirus Techniques

Generic Decryption (GD)
CPU Emulator
Virus Signature Scanner
Emulation Control Module
For how long should a GD scanner run each
interpretation?

18
Advanced Antivirus Techniques
19
A Compression Virus
20
Trojans and Viruses
21
Malware

Malicious code often masquerades as good software
or attaches itself to good software
Some malicious programs need host programs
Trojan horses, logic bombs, viruses
Others can exist and propagate independently
Worms, automated viruses
There are many infection vectors and propagation
mechanisms

22
Trojan Horses

A trojan horse is malicious code hidden in an
apparently useful host program
When the host program is executed, trojan does
something harmful or unwanted
User must be tricked into executing the host
program
In 1995, a program distributed as PKZ300B.EXE
looked like a new version of PKZIP When
executed, it formatted your hard drive.
Trojans do not replicate
This is the main difference between worms and
viruses

23
Reflections on Trusting Trust

Ken Thompsons 1983 Turing Award lecture
Linked from the course website (reference
section)
Added a backdoor-opening Trojan to login program
Anyone looking at source code would see this, so
changed the compiler to add backdoor at
compile-time
Anyone looking at compiler source code would see
this, so changed the compiler to recognize when
its compiling a new compiler and to insert
Trojan into it
The moral is obvious. You cant trust code you
did not totally create yourself. (Especially code
from companies that employ people like me).

24
Viruses

Virus propagates by infecting other programs
Automatically creates copies of itself, but to
propagate, a human has to run an infected program
Self-propagating malicious programs are usually
called worms
Viruses employ many propagation methods
Insert a copy into every executable (.COM, .EXE)
Insert a copy into boot sectors of disks
Stoned virus infected PCs booted from infected
floppies, stayed in memory and infected every
floppy inserted into PC
Infect TSR (terminate-and-stay-resident) routines
By infecting a common OS routine, a virus can
always stay in memory and infect all disks,
executables, etc.

25
Evolution of Polymorphic Viruses (1)

Anti-virus scanners detect viruses by looking for
signatures (snippets of known virus code)
Virus writers constantly try to foil scanners
Encrypted viruses virus consists of a constant
decryptor, followed by the encrypted virus body
Cascade (DOS), Mad (Win95), Zombie (Win95)
Relatively easy to detect because decryptor is
constant
Oligomorphic viruses different versions of virus
have different encryptions of the same body
Small number of decryptors (96 for Memorial
viruses) to detect, must understand how they are
generated

26
Evolution of Polymorphic Viruses (2)

Polymorphic viruses constantly create new random
encryptions of the same virus body
Marburg (Win95), HPS (Win95), Coke (Win32)
Virus must contain a polymorphic engine for
creating new keys and new encryptions of its body
Rather than use an explicit decryptor in each
mutation, Crypto virus (Win32) decrypts its body
by brute-force key search
Polymorphic viruses can be detected by emulation
When analyzing an executable, scanner emulates
CPU for a bit. Virus will eventually decrypt and
try to execute its body, which will be recognized
by scanner.
This only works because virus body is constant!

27
Virus Detection by Emulation
28
Metamorphic Viruses

Obvious next step mutate the virus body, too!
Virus can carry its source code (which
deliberately contains some useless junk) and
recompile itself
Apparition virus (Win32)
Virus first looks for an installed compiler
Unix machines have C compilers installed by
default
Virus changes junk in its source and recompiles
itself
New binary mutation looks completely different!
Many macro and script viruses evolve and mutate
their code
Macros/scripts are usually interpreted, not
compiled

29
Metamorphic Mutation Techniques

Same code, different register names
Regswap (Win32)
Same code, different subroutine order
BadBoy (DOS), Ghost (Win32)
If n subroutines, then n! possible mutations
Decrypt virus body instruction by instruction,
push instructions on stack, insert and remove
jumps, rebuild body on stack
Zmorph (Win95)
Can be detected by emulation because the rebuilt
body has a constant instruction sequence

30
Real Permutating Engine (RPME)

Introduced in Zperm virus (Win95) in 2000
Available to all virus writers, employs entire
bag of metamorphic and anti-emulation techniques
Instructions are reordered, branch conditions
reversed
Jumps and NOPs inserted in random places
Garbage opcodes inserted in unreachable code
areas
Instruction sequences replaced with other
instructions that have the same effect, but
different opcodes
Mutate SUB EAX, EAX into XOR EAX, EAX or
PUSH EBP MOV EBP, ESP into PUSH EBP PUSH
ESP POP EBP
There is no constant, recognizable virus body!

31
Example of Zperm Mutation

From Szor and Ferrie, Hunting for Metamorphic
Linked from the course website (reference section)

32
Defeating Anti-Virus Emulators

Recall to detect polymorphic viruses, emulators
execute suspect code for a little bit and look
for opcode sequences of known virus bodies
Some viruses use random code block insertion
engines to defeat emulation
Routine inserts a code block containing millions
of NOPs at the entry point prior to the main
virus body
Emulator executes code for a while, does not see
virus body and decides the code is benign when
main virus body is finally executed, virus
propagates
Bistro (Win95) used this in combination with RPME

33
Putting It All Together Zmist

Zmist was designed in 2001 by Russian virus
writer Z0mbie of Total Zombification fame
New technique code integration
Virus merges itself into the instruction flow of
its host
Islands of code are integrated
into random locations in the host
program and linked by jumps
When/if virus code is run, it infects
every available portable executable
Randomly inserted virus entry point
may not be reached in a particular execution

34
MISTFALL Disassembly Engine

To integrate itself into host s instruction
flow, virus must disassemble and rebuild host
binary
See overview at http//vx.netlux.org/lib/vzo21.ht
ml
This is very tricky
Addresses are based on offsets, which must be
recomputed when new instructions are inserted
Virus must perform complete instruction-by-instruc
tion disassembly and re-generation of the host
binary
This is an iterative process rebuild with new
addresses, see if branch destinations changed,
then rebuild again
This requires 32MB of RAM and explicit section
names (DATA, CODE, etc.) in the host binary
doesnt work with every file

35
Simplified Zmist Infection Process
Pick a Portable Executable binary Decryptor must restore hosts registers to
preserve hosts functionality
36
How Hard Is It to Write a Virus?