Title: Computer and Information Security
1. Computer and Information Security
- Chapter 10
- Malicious Software
2. Overview
- Viruses and Related Threats
- Malicious Programs
- The Nature of Viruses
- Antivirus Approaches
- Advanced Antivirus Techniques
3. Malicious Logic
- Malicious logic is a set of instructions that cause a site's security policy to be violated.
- Trojan horses
- Viruses
- Worms
4. Viruses and Malicious Programs
- Computer viruses and related programs have the ability to replicate themselves on an ever-increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a worm).
- Other malicious programs may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan horses, trap doors, and logic bombs).
5. Taxonomy of Malicious Programs
- Malicious Programs
  - Need Host Program
    - Trapdoors
    - Logic Bombs
    - Trojan Horses
    - Viruses
  - Independent
    - Bacteria
    - Worms
6. Definitions
- Virus - code that copies itself into other programs
- Bacteria - a program that replicates until it fills all disk space or CPU cycles
- Payload - the harmful things the malicious program does, after it has had time to spread
- Worm - a program that replicates itself across the network (usually riding on email messages or attached documents, e.g., macro viruses)
- Macro - a virus composed of a sequence of instructions that are interpreted rather than executed directly
7. Definitions
- Boot Sector - used to bootstrap a system or mount a disk; executed when the system sees the disk for the first time
- Boot sector infector - a virus that inserts itself into the boot sector of a disk
8. Definitions
- TSR - terminate-and-stay-resident virus - stays active in memory after the application has terminated
- Stealth viruses - conceal the infection of files
- Polymorphic - viruses that change form each time they insert themselves into a program
9. Definitions
- Trojan Horse - instructions in an otherwise good program that cause bad things to happen (e.g., sending your data or password to an attacker over the net).
- Logic Bomb - malicious code that activates on an event (e.g., a date).
- Trap Door (or Back Door) - an undocumented entry point written into code for debugging that can allow unwanted users in.
- Easter Egg - extraneous code that does something cool. A way for programmers to show that they control the product.
10. Virus Phases
- Dormant phase - the virus is idle
- Propagation phase - the virus places an identical copy of itself into other programs
- Triggering phase - the virus is activated to perform the function for which it was intended
- Execution phase - the function is performed
11. Virus Protection
- Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses.
- Do not execute programs (or macros) from unknown sources (e.g., PS files, HyperCard files, MS Office documents).
- Avoid the most common operating systems and email programs, if possible.
12. Virus Structure
13. Virus Techniques
- Stealth viruses
  - Infect the OS so that infected files appear normal to the user
- Macro viruses
  - A macro is an executable program embedded in a word processing document (MS Word) or spreadsheet (Excel)
  - When an infected document is opened, the virus copies itself into the global macro file and makes itself auto-executing (e.g., gets invoked whenever any document is opened)
- Polymorphic viruses
  - Viruses that mutate and/or encrypt parts of their code with a randomly generated key
14. Types of Viruses
- Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.
- Memory-resident Virus - lodges in main memory as part of the resident operating system.
- Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).
- Stealth Virus - explicitly designed to hide from virus scanning programs.
- Polymorphic Virus - mutates with every new host to prevent signature detection.
15. Macro Viruses
- Microsoft Office applications allow macros to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File).
- Platform independent.
- Infect documents, delete files, generate email and edit letters.
16. Antivirus Approaches
- 1st Generation, Scanners: searched files for any of a library of known virus signatures. Checked executable files for length changes.
- 2nd Generation, Heuristic Scanners: look for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes.
- 3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).
- 4th Generation, Full Featured: combine the best of the techniques above.
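As an added example (not from the slides or any real antivirus product), a toy Python scanner that combines the 1st- and 2nd-generation checks: signature matching on file contents plus a length and SHA-256 baseline that flags executables whose size or hash changed since they were recorded clean. The signatures, file contents and baseline are constructed sample data.

```python
# Added example: toy 1st/2nd-generation scanner. All signatures and
# "executable" contents below are constructed for illustration only.
from __future__ import annotations
import hashlib

# Constructed signatures: name -> byte pattern a known sample always carries.
SIGNATURES = {
    "toy.cascade": b"\xeb\x1d\xad\x8b\x56\x0e",
    "toy.stoned": b"Your PC is now Stoned!",
}

def scan_signatures(data: bytes) -> list[str]:
    """1st generation: report every known signature found in the data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def fingerprint(data: bytes) -> tuple[int, str]:
    """Length plus SHA-256 digest, recorded while the file is known clean."""
    return len(data), hashlib.sha256(data).hexdigest()

def check_integrity(data: bytes, baseline: tuple[int, str]) -> list[str]:
    """2nd generation: report what changed relative to the clean baseline."""
    length, digest = fingerprint(data)
    findings = []
    if length != baseline[0]:
        findings.append(f"length changed {baseline[0]} -> {length}")
    if digest != baseline[1]:
        findings.append("hash changed")
    return findings

def assess(data: bytes, baseline: tuple[int, str] | None) -> dict:
    """Combine both checks. A hash change with no known signature is still
    flagged, which is exactly the gap a signature-only scanner leaves."""
    hits = scan_signatures(data)
    changes = check_integrity(data, baseline) if baseline else []
    return {"signatures": hits, "changes": changes,
            "suspicious": bool(hits or changes)}

# Constructed samples: a clean "executable", a copy with a known body appended,
# and a copy modified by something no signature exists for yet.
CLEAN = b"MZ\x90\x00" + b"\x00" * 60 + b"legit code"
BASELINE = fingerprint(CLEAN)
INFECTED = CLEAN + b"\x00" * 4 + SIGNATURES["toy.cascade"]
UNKNOWN = CLEAN + b"\xcc" * 8

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("infected", INFECTED), ("unknown", UNKNOWN)]:
        print(label, assess(sample, BASELINE))
```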
17. Advanced Antivirus Techniques
- Generic Decryption (GD)
  - CPU Emulator
  - Virus Signature Scanner
  - Emulation Control Module
- For how long should a GD scanner run each interpretation?
18. Advanced Antivirus Techniques
19. A Compression Virus
20. Trojans and Viruses
21. Malware
- Malicious code often masquerades as good software or attaches itself to good software
- Some malicious programs need host programs
  - Trojan horses, logic bombs, viruses
- Others can exist and propagate independently
  - Worms, automated viruses
- There are many infection vectors and propagation mechanisms
22. Trojan Horses
- A trojan horse is malicious code hidden in an apparently useful host program
- When the host program is executed, the trojan does something harmful or unwanted
- The user must be tricked into executing the host program
- In 1995, a program distributed as PKZ300B.EXE looked like a new version of PKZIP. When executed, it formatted your hard drive.
- Trojans do not replicate
  - This is the main difference between trojans and worms/viruses
23. Reflections on Trusting Trust
- Ken Thompson's 1983 Turing Award lecture
  - Linked from the course website (reference section)
- Added a backdoor-opening Trojan to the login program
- Anyone looking at the source code would see this, so changed the compiler to add the backdoor at compile-time
- Anyone looking at the compiler source code would see this, so changed the compiler to recognize when it's compiling a new compiler and to insert the Trojan into it
- The moral is obvious. You can't trust code you did not totally create yourself. (Especially code from companies that employ people like me.)
24. Viruses
- A virus propagates by infecting other programs
- Automatically creates copies of itself, but to propagate, a human has to run an infected program
  - Self-propagating malicious programs are usually called worms
- Viruses employ many propagation methods
  - Insert a copy into every executable (.COM, .EXE)
  - Insert a copy into boot sectors of disks
    - Stoned virus infected PCs booted from infected floppies, stayed in memory and infected every floppy inserted into the PC
  - Infect TSR (terminate-and-stay-resident) routines
    - By infecting a common OS routine, a virus can always stay in memory and infect all disks, executables, etc.
25. Evolution of Polymorphic Viruses (1)
- Anti-virus scanners detect viruses by looking for signatures (snippets of known virus code)
  - Virus writers constantly try to foil scanners
- Encrypted viruses: the virus consists of a constant decryptor, followed by the encrypted virus body
  - Cascade (DOS), Mad (Win95), Zombie (Win95)
  - Relatively easy to detect because the decryptor is constant
- Oligomorphic viruses: different versions of the virus have different encryptions of the same body
  - Small number of decryptors (96 for the Memorial virus); to detect, must understand how they are generated
26. Evolution of Polymorphic Viruses (2)
- Polymorphic viruses constantly create new random encryptions of the same virus body
  - Marburg (Win95), HPS (Win95), Coke (Win32)
  - The virus must contain a polymorphic engine for creating new keys and new encryptions of its body
  - Rather than use an explicit decryptor in each mutation, Crypto virus (Win32) decrypts its body by brute-force key search
- Polymorphic viruses can be detected by emulation
  - When analyzing an executable, the scanner emulates the CPU for a bit. The virus will eventually decrypt and try to execute its body, which will be recognized by the scanner.
  - This only works because the virus body is constant!
27. Virus Detection by Emulation
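As an added example (not from the slides or any real scanner), a Python model of detection by emulation on a constructed toy instruction format: two encryptions of the same body with different keys look different on disk and defeat a static signature scan, but emulating the decryptor exposes the constant plaintext body. It also shows why the emulation budget ("how long should a GD scanner run") matters: a long run of no-ops in front of the decryptor exhausts a small budget, the anti-emulation trick described later in the deck. The stub layout, body and signature are all constructed.

```python
# Added example: detection by emulation on a constructed toy format.
#   0xD1 <key> <len, 2 bytes big-endian> <body XOR key>   decrypt, then run body
#   0x90                                                  one-byte no-op
# Nothing here is a real executable format; it only models the slide's argument.
STUB, NOP = 0xD1, 0x90
BODY_SIG = b"SELF-REPLICATE"        # signature of the constant (plaintext) body

def encrypt_with_key(body: bytes, key: int) -> bytes:
    """One 'mutation' of the same body: different key, different bytes on disk."""
    assert 1 <= key <= 255
    return bytes([STUB, key]) + len(body).to_bytes(2, "big") + bytes(b ^ key for b in body)

def static_scan(sample: bytes) -> bool:
    """1st-generation approach: look for the signature in the bytes on disk."""
    return BODY_SIG in sample

def emulate_and_scan(sample: bytes, max_steps: int = 10_000) -> bool:
    """Generic decryption: emulate up to max_steps instructions, scanning the
    emulated memory after each one. True once the plaintext body appears."""
    memory = bytearray(sample)
    pc = 0
    for _ in range(max_steps):
        if pc >= len(memory):
            return False                      # ran off the end, nothing found
        if memory[pc] == STUB:
            key = memory[pc + 1]
            length = int.from_bytes(memory[pc + 2:pc + 4], "big")
            start = pc + 4
            for i in range(start, min(start + length, len(memory))):
                memory[i] ^= key              # the decryptor loop, emulated
            pc = start                        # control falls into the body
        else:
            pc += 1                           # treat any other byte as a no-op
        if BODY_SIG in memory:                # scanner sees the decrypted body
            return True
    return False   # budget exhausted: the "how long to run" problem

# Constructed samples: two encryptions of one body, and one with a NOP flood
# in front of the decryptor (the random-code-insertion anti-emulation trick).
BODY = b"\x55\x89\xe5" + BODY_SIG + b"\xc3"
VARIANT_A = encrypt_with_key(BODY, 0x5A)
VARIANT_B = encrypt_with_key(BODY, 0xC3)
FLOODED = bytes([NOP]) * 20_000 + VARIANT_A

if __name__ == "__main__":
    print("static:", static_scan(VARIANT_A), static_scan(VARIANT_B))
    print("emulated:", emulate_and_scan(VARIANT_A), emulate_and_scan(VARIANT_B))
    print("flooded 10k/30k steps:", emulate_and_scan(FLOODED), emulate_and_scan(FLOODED, 30_000))
```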
28. Metamorphic Viruses
- Obvious next step: mutate the virus body, too!
- The virus can carry its source code (which deliberately contains some useless junk) and recompile itself
  - Apparition virus (Win32)
  - The virus first looks for an installed compiler
    - Unix machines have C compilers installed by default
  - The virus changes junk in its source and recompiles itself
  - The new binary mutation looks completely different!
- Many macro and script viruses evolve and mutate their code
  - Macros/scripts are usually interpreted, not compiled
29. Metamorphic Mutation Techniques
- Same code, different register names
  - Regswap (Win32)
- Same code, different subroutine order
  - BadBoy (DOS), Ghost (Win32)
  - If n subroutines, then n! possible mutations
- Decrypt the virus body instruction by instruction, push instructions on the stack, insert and remove jumps, rebuild the body on the stack
  - Zmorph (Win95)
  - Can be detected by emulation because the rebuilt body has a constant instruction sequence
30. Real Permutating Engine (RPME)
- Introduced in the Zperm virus (Win95) in 2000
- Available to all virus writers; employs the entire bag of metamorphic and anti-emulation techniques
  - Instructions are reordered, branch conditions reversed
  - Jumps and NOPs inserted in random places
  - Garbage opcodes inserted in unreachable code areas
  - Instruction sequences replaced with other instructions that have the same effect, but different opcodes
    - Mutate SUB EAX, EAX into XOR EAX, EAX, or
    - PUSH EBP / MOV EBP, ESP into PUSH EBP / PUSH ESP / POP EBP
- There is no constant, recognizable virus body!
31. Example of Zperm Mutation
- From Szor and Ferrie, "Hunting for Metamorphic"
  - Linked from the course website (reference section)
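As an added example (not from the slides, the Szor and Ferrie paper, or any real engine), a toy Python instruction normaliser of the kind used against the Regswap and RPME tricks listed on the two previous slides: it strips inserted NOPs and jumps, folds the equivalent instruction substitutions (SUB r,r to XOR r,r; PUSH EBP / PUSH ESP / POP EBP to PUSH EBP / MOV EBP, ESP) back to one canonical form, and renames registers by order of first use, so a mutated variant compares equal to the known body even though the raw text does not. The assembly samples are constructed; the junk-removal rule is deliberately simplistic and is labelled as such in the code.

```python
# Added example: toy normaliser for metamorphic mutations. Constructed samples only.
from __future__ import annotations

REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp")   # esp is kept fixed

def parse(asm: str) -> list[tuple[str, ...]]:
    """'MOV EBP, ESP' -> ('mov', 'ebp', 'esp'); comments, labels and blanks dropped."""
    out = []
    for line in asm.lower().splitlines():
        line = line.split(";")[0].strip()
        if line and not line.endswith(":"):
            op, _, rest = line.partition(" ")
            out.append((op, *[a.strip() for a in rest.split(",") if a.strip()]))
    return out

def normalise(asm: str) -> tuple[tuple[str, ...], ...]:
    """Undo the mutation tricks so every variant maps to one canonical form."""
    # Toy junk rule: every nop and unconditional jmp counts as inserted padding
    # (a real engine follows control flow instead of dropping jmps blindly).
    ins = [i for i in parse(asm) if i[0] not in ("nop", "jmp")]
    out, i = [], 0
    while i < len(ins):
        op, *args = ins[i]
        if op == "push" and ins[i + 1:i + 3] == [("push", "esp"), ("pop", args[0])]:
            out += [("push", args[0]), ("mov", args[0], "esp")]  # canonical prologue
            i += 3
            continue
        if op == "sub" and len(args) == 2 and args[0] == args[1]:
            op = "xor"                                      # both just zero the register
        out.append((op, *args))
        i += 1
    # Regswap: registers are renamed r0, r1, ... in order of first use.
    names: dict[str, str] = {}
    return tuple((op, *[names.setdefault(a, f"r{len(names)}") if a in REGS else a
                        for a in args]) for op, *args in out)

# Constructed samples: a known body, an RPME/Regswap-style mutation of it, and
# an unrelated benign routine that must not match.
KNOWN = "push ebp\nmov ebp, esp\nsub eax, eax\nmov ecx, 8\ntop:\nadd eax, ecx\ndec ecx\njnz top\npop ebp\nret"
MUTATED = ("push ebp\npush esp\npop ebp\nnop\nxor ebx, ebx\njmp skip\nskip:\nmov edx, 8\n"
           "top:\nnop\nadd ebx, edx\ndec edx\njnz top\npop ebp\nret")
BENIGN = "push ebp\nmov ebp, esp\nxor eax, eax\npop ebp\nret"
SIGNATURE = normalise(KNOWN)

def matches(asm: str) -> bool:
    """Signature match on normalised instructions instead of raw text/bytes."""
    return normalise(asm) == SIGNATURE

if __name__ == "__main__":
    print("raw text equal:", KNOWN == MUTATED)        # False: a plain scan misses it
    print("mutated matches:", matches(MUTATED), "benign matches:", matches(BENIGN))
```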
32. Defeating Anti-Virus Emulators
- Recall: to detect polymorphic viruses, emulators execute suspect code for a little bit and look for opcode sequences of known virus bodies
- Some viruses use random code block insertion engines to defeat emulation
  - The routine inserts a code block containing millions of NOPs at the entry point prior to the main virus body
  - The emulator executes code for a while, does not see the virus body and decides the code is benign; when the main virus body is finally executed, the virus propagates
  - Bistro (Win95) used this in combination with RPME
33. Putting It All Together: Zmist
- Zmist was designed in 2001 by Russian virus writer Z0mbie of Total Zombification fame
- New technique: code integration
  - The virus merges itself into the instruction flow of its host
  - Islands of code are integrated into random locations in the host program and linked by jumps
  - When/if virus code is run, it infects every available portable executable
  - The randomly inserted virus entry point may not be reached in a particular execution
34. MISTFALL Disassembly Engine
- To integrate itself into the host's instruction flow, the virus must disassemble and rebuild the host binary
  - See overview at http://vx.netlux.org/lib/vzo21.html
- This is very tricky
  - Addresses are based on offsets, which must be recomputed when new instructions are inserted
  - The virus must perform complete instruction-by-instruction disassembly and re-generation of the host binary
  - This is an iterative process: rebuild with new addresses, see if branch destinations changed, then rebuild again
  - This requires 32MB of RAM and explicit section names (DATA, CODE, etc.) in the host binary; doesn't work with every file
35. Simplified Zmist Infection Process
- Pick a Portable Executable binary
- The decryptor must restore the host's registers to preserve the host's functionality
36. How Hard Is It to Write a Virus?
- 498 matches for "virus creation tool" in Spyware Encyclopedia
  - Including dozens of poly- and metamorphic engines
- OverWriting Virus Construction Toolkit
  - "The perfect choice for beginners"
- Biological Warfare Virus Creation Kit
  - Note: all viruses will be detected by Norton Anti-Virus
- Vbs Worm Generator (for Visual Basic worms)
  - Used to create the Anna Kournikova worm
- Many others
37. Reading Assignment
- Stallings 10.1
- Optional: "Hunting for Metamorphic" by Szor and Ferrie
  - Linked from the course website (reference section)
38. Recommended Reading and Web Sites
- Denning, P. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990
- CERT Coordination Center (web site)
- AntiVirus Online (IBM's site)