Viruses, Worms, and Polymorphic Code Oh My

1
Viruses, Worms, and Polymorphic Code Oh My!

• Todd Jackson
• EE 579 Seminar
• 13 February 2006

2
Outline

• Viruses
• Elk Cloner, Dark Avenger, Concept
• Worms
• Brief history
• Prevention
• Polymorphic code
• Basics
• Decryption Engines
• Applications to viruses and worms

3
Viruses

• Small programs that make copies of themselves,
  usually without the users knowledge
• Cannot spread to other computers on their own
• Name comes from Fred Cohen(1984) paper
• Created for a variety of purposes
• Slowly going extinct with the advent of worms

4
16 bit viruses

• Mostly annoying
• Elk Cloner (1982)
• Destructive viruses
• Jerusalem (1986)
• Boot sector viruses
• Stoned (1987)
• File (COM/EXE/SYS/OVL) infectors
• Dark Avenger (1989)

5
Elk Cloner (1982)

• First virus to appear in the wild
• Written by a 15-year-old
• Infected Apple-II systems as an annoyance
• Non-destructive and mostly non-intrusive
• Spread to non-infected floppy disks

6
Elk Cloner (1982)

• After 50 boots with an infected disk, the
  following message appears
• Elk Cloner The program with a personality
• It will get on all your disks
• It will infiltrate your chips
• Yes it's Cloner!
• It will stick to you like glue
• It will modify ram too
• Send in the Cloner!
• Also spread using CATALOG command
• Stored boot counts in unused spaces on disk

7
Dark Avenger (1989)

• Memory resident EXE, COM, and OVL file infector,
  including COMMAND.COM
• Can infect an executable as it is copied
• Both source and destination are infected
• Backups are easily infected
• Every 16 file infections caused a random sector
  on the hard drive to be destroyed

8
32 bit viruses

• Appear after Windows 95 released
• Win95/Boza (1995),Win32/Cabanas (1997)
• Macro viruses appear, easy to write
• Win32/Concept (1995)
• More destructive viruses appear
• Win95/CIH (1998) aka. Chernobyl
• New targets
• Win32/Kriz (1999) attacks kernel32.dll

9
Concept (1995)

• First Word macro virus found in the wild
• Used an AutoOpen macro to launch, and a
  FileSaveAs macro to replicate into a template
• Displays a message Thats enough to prove my
  point
• Many variants appear, based on original Concept
  code

10
Virus Capabilities

• Viruses try to hide their presence
• Brain (1986) redirected requests for the boot
  sector to the original
• Polymorphic viruses try to evade signature
  detection by changing their code
• Multipartite viruses have multiple components
• Flip.2153.A (1993), Ghostball (1989)
• Metamorphic viruses completely rewrite themselves
• Win32.Simile.A (2002)

11
Other Operating Systems

• Bliss (1996)
• Infected UNIX/Linux PCs
• Nice virus with some worm-like features
• Required the user to run the program
• ANTI (1989)
• Effective on Mac System 6
• Irreparably damages applications
• OS emulators can give unpredictable results

12
Worms

• Can reproduce and attempt to infect other
  computers without user intervention
• Completely self-contained
• Rely heavily on network and Internet availability
  or social engineering
• Wide range of effects on infected hosts
• Worms usually exploit well known security issues
  those who have not patched are affected
• Inherit a lot of features, payloads and
  developments from viruses

13
Notable Worms

• Morris worm (1988)
• Used a buffer overflow exploit in finger
• Melissa (1999) Multipartite worm
• Spread using either Word 97/2000 or by mass
  mailing using Outlook 97/98
• VBS/Loveletter (2000)
• Caused 10 billion in damage
• First to exploit VBScript prominently

14
2001 Worms Armageddon

• Ramen worm affects Red Hat 6.2 and 7
• Anna Kournikova worm appears
• Sircam spreads through unprotected network shares
  and email
• Code Red and Code Red II attack IIS
• Nimda appears, using back doors opened by Code
  Red II and Sadmind and other vulnerabilities
• Klez exploits buggy email clients, variants try
  to kill Nimda and Code Red, drops an EXE virus
  and corrupts others

15
Win32/Nimda

• Four vectors of infection
• Email, EXE file infector, WWW search, Network
  shares
• First virus to modify web servers to offer
  infected files for download
• First virus to use workstations to search for
  webservers
• Allows it to find internal web servers
• Does not infect Word documents but places itself
  in directories where documents are located to
  increase exposure

16
2003 Worms Armageddon Reloaded

• SQL Slammer affects routers world wide, infection
  rate doubles every 8.5 seconds
• Blaster and Sobig.F released within a week of
  each other
• Welchia attempts to remove Blaster and patch
  systems, but is more destructive
• Sober begins to disable security software

17
Prevention

• The majority of worm outbreaks could have been
  prevented
• Firewalls, Anti-virus software
• Patching
• Good security policies
• User education
• Discussions on other techniques
• Deterrence due to jail sentences/fines
• Removal of incentives to write viruses and worms

18
Disclosure

• Full Disclosure Immediate public disclosure
• Pro Provides incentive for software companies to
  release patches quickly, especially to save face
• Con Virus/Worm writers can get started writing
  exploits before patches are released
• Others say to wait until the patch is released,
  or another time that the vendor prefers
• Pro Virus/worm writers who dont know cant
  become aware, patching is quick
• ConIf virus/worm writers are already exploiting
  the hole, users are left in the dark
• Witty worm Released 48 hours after patch

19
Polymorphic Code

• Popularized by Dark Avenger in 1992
• Perform an operation on the code of a program and
  generate a different inverse operation each time
• Attempt to defeat signature based intrusion
  detection systems and virus scanners

20
Basics of Polymorphism

• This shellcode executes /bin/bash
• push byte 0x68
• push dword 0x7361622f
• push dword 0x6e69622f
• mov ebx,esp
• xor edx,edx
• push edx
• push ebx
• mov ecx,esp
• push byte 11
• pop eax
• int 80h
• This string gets encoded as
• \x6A\x68\x68\x2F\x62\x61\x73\x68\x2F\x62\x69\x6
  E\x89\xE3\x31\xD2 \x52\x53\x89\xE1\x6A\x0B\x58\xCD
  \x80
• It is easily detected!

21
Basics of Polymorphism

• Take code C (eg. the previous shellcode) and
  encrypt it into K
• CCCCCC - KKKKKK
• The resulting string K is not executable, add a
  decryption engine D in front of K
• KKKKKK - DDDDKKKKKK
• D can be detected, so D has to change each time

22
Basics of Polymorphism

• Buffer overflow exploit
• -------------------------------------------------
  ---
• NOP shellcode bytes to cram return
  address
• -------------------------------------------------
  ---
• Polymorphic buffer overflow exploit
• -----------------------------------------------
  ------------------
• NOP Decipher code shellcode cram bytes
  return address
• -----------------------------------------------
  ------------------
• Signatures can look for NOPs, so NOPs can be
  filled with legal, but garbage instructions
• Simple INCR/DECR, ADD/SUB combinations can be
  detected by security software which emulates code
• Random one-byte instructions recommended

23
Decipher Routines

• Two common methods of generating a decipher
  routine
• Keep the same algorithm, but generate different
  code
• Generate a new algorithm each time
• Can insert dummy instructions in the decipher
  code as well
• Can use different registers in each version
• XOR operations are very simple algorithms
• Cipher key management and length is an issue

24
Polymorphism, Viruses and Worms

• 1260 (1990) is said to be the first polymorphic
  virus, designed to prove that signature detection
  is not perfect
• Descendants had improvements, but were detected
  as 1260 infections
• Dark Avengers Mutation Engine (MtE) could be
  applied to any virus to become polymorphic
• Other polymorphic engines have since been created
• Polymorphic worms include the Bagle family

25
Conclusion

• Viruses are small programs that use other things
  (files, disks) as carriers to spread, but are
  slowly going extinct
• Worms are self contained programs that are
  spreading much more rapidly due to easy
  connectivity
• Polymorphism is an attempt at obfuscation, and
  has been implemented in both viruses and worms

26
Questions?
27
References

• Viruses and Spam (http//www.sophos.com/sophos/doc
  s/eng/comviru/viru_ben.pdf)
• VX Heavens (http//vx.netlux.org)
• IBM Research (http//research.ibm.com/antivirus)
• Polymorphic Shellcode Engine Using Spectrum
  Analysis (http//www.phrack.org/phrack/61/p61-0x0
  9_Polymorphic_Shellcode_Engine.txt)
• Douglas Schweitzer. Securing the Network from
  Malicious Code