Presentation is loading. Please wait.

Presentation is loading. Please wait.

Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.

Published byMakena Vize Modified over 9 years ago

Similar presentations

Presentation on theme: "Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003."— Presentation transcript:

1 Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003

2 Smita Thaker2 Agenda History of Viruses Polymorphic Viruses Metamorphic Viruses Summary and Conclusion

3 Smita Thaker 3 History Encrypted viruses - To avoid detection, virus writers encrypted the main portion of the program. Viruses now had 2 parts –Decrypted code –Encrypted Virus Code Polymorphic Viruses – take different forms/shapes Metamorphic Viruses

4 Smita Thaker4 Encryption/Decryption DECRYPT: mov si, OFFSET START mov di, OFFSET START mov cx, VIR_SIZE ELP: lodsb ; al := ds:si xor al, 093H stosb loop ELP START: (Body of virus goes here)

5 Smita Thaker5 POLYMORPHIC VIRUSES Definition Example How it works Detecting polymorphic Viruses –Generic Decryption (GD) Technology

6 Smita Thaker6 Polymorphic Viruses – What are polymorphic Viruses If a virus is programmed to look different each time it replicated, there would be no fixed string for anti-virus to latch onto detect it. Such a virus is known as polymorphic virus. Polymorphic viruses have specially designed mutation engines. They(M.E.) generate a new decryption routine each time, by switching the order of instructions.

7 Smita Thaker7 Example: If the scanner were looking for the instructions mov ax, 2513H mov dx, 1307H int 21H One might modify the virus to instead execute this operation code mov ax, 2513H mov dx, 1307H xchg ax, dx int 21H The scanner can no longer see it, and the virus can go undetected.

8 Smita Thaker8 How it works Polymorphic viruses typically encrypt the body of the virus and front-end it with a variable decryption routine. Thus, the body cannot be scanned because its encrypted, and the mutation engine is capable of generating too many different decryption routines to make search-string scanning viable.

9 Smita Thaker9 Polymorphic Virus Detection Entry point algorithms – special virus detection programs which examine the machine code at the entry-point of each file. Generic Decryption (GD) Technology – Run the file on a protected virtual computer –Can analyze virus body when decrypted. –GD scanner comprises of : CPU Emulator Virus Signature Scanner Emulation Control Module (ECM) –Problem: How long to run each program?

10 Smita Thaker10 Metamorphic Viruses Definition Example How it works –Some Transformations Metamorphic Virus Detection Techniques

11 Smita Thaker11 METAMORPHIC VIRUSES Are body-polymorphic viruses. i.e., viruses where the body of the virus itself changes from instance to instance Polymorphic viruses, on the other hand have a constant virus body, being encrypted with a different decryptor each instance.

12 Smita Thaker12

13 Smita Thaker13 Example:

14 Smita Thaker14 How it works When the virus spreads, it first undoes its current metamorphism to yield a base version of the virus, and then produces a different metamorphed version of the base code. Techniques : Disassembler –Depermutator –Shrinker Expander Permutator Assembler Other transformations

15 Smita Thaker15 Loop: pop ecx nop jecxz SFModMark xor ebx, ebx beqz N1 N1: mov esi, ecx nop mov eax, 0d601h pop edx pop ecx nop call edi xor ebx, ebx beqz N2 N2: jmp Loop Loop: pop ecx jecxz SFModMark mov esi, ecx mov eax, 0d601h pop edx pop ecx call edi jmp Loop Loop: pop ecx nop jecxz SFModMark xor ebx, ebx beqz N1 N1: mov esi, ecx nop mov eax, 0d601h pop edx pop ecx nop call edi xor ebx, ebx beqz N2 N2: jmp Loop Disassemble Expand, Permutate, Assemble A new morphed variant of the virus

16 Smita Thaker16 Some Transformations Insert jmps #make_BIN# MOV AX, 5 MOV BX, 10 ADD AX, BX SUB AX, 1 HLT #make_BIN# MOV AX, 5 MOV BX, 10 ADD AX, BX jmp proc_sub proc_sub: SUB AX, 1 HLT Add redundant labels MOV AX, 1 MOV AX, 2 x1: MOV AX, 1 x2: MOV AX, 2

17 Smita Thaker17 Can insert some NOPs, XOR, ORs anywhere in the program. It doesn't affect any register values. NOP ;do nothing. XOR AL, 0 OR BL, 0

18 Smita Thaker18 Metamorphic Virus Detection Techniques Geometric Detection - based on alterations that a virus has made to the file structure. Use of Emulators for Tracing

19 Smita Thaker19 Summary & Conclusion Evolution of metamorphic viruses is one of the great challenges of this decade

20 Smita Thaker20 References: American Eagle Publication http://www.ameaglepubs.com/freebooks.html Carey Nachenberg, Computer Virus-Coevolution, ACM Digital Library, Vol 40, Issue1, Jan 1997. Christodorescu, M., Detecting Malicious Patterns in Executables via Model Checking (WISA Project), Christodorescu, M., General Purpose Binary Rewriting (WISA Project). Stamp, M. DEFCON 11 Trip Report Szor, P., Ferrie, P., Hunting for Metamorphic, Virus Bulletin Conference, September 2001

Download ppt "Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003."

Similar presentations

Assembly Language for x86 Processors 6th Edition Chapter 5: Procedures (c) Pearson Education, 2010. All rights reserved. You may modify and copy this slide.

Assembly Language for x86 Processors 6th Edition Chapter 5: Procedures (c) Pearson Education, All rights reserved. You may modify and copy this slide.
There are two types of addressing schemes:

There are two types of addressing schemes:
COMP 2003: Assembly Language and Digital Logic

COMP 2003: Assembly Language and Digital Logic
SMT Solvers for Malware Unpacking 8 July 2013. Authors and thanks 2 Ian Blumenfeld Roberta Faux Paul Li Work overseen by Mark Raugas – Director CyberPoint.

SMT Solvers for Malware Unpacking 8 July Authors and thanks 2 Ian Blumenfeld Roberta Faux Paul Li Work overseen by Mark Raugas – Director CyberPoint.
Mutating The Mutators Sean O'Toole. What is Borrowed From Metamorphism Metamorphic Shrinker\Expander Modules: Expander: An expander creates a “direct.

Mutating The Mutators Sean O'Toole. What is Borrowed From Metamorphism Metamorphic Shrinker\Expander Modules: Expander: An expander creates a “direct.
Dr. Richard Ford  Szor 7  Another way viruses try to evade scanners.

Dr. Richard Ford  Szor 7  Another way viruses try to evade scanners.
Introduction to Assembly Here we have a brief introduction to IBM PC Assembly Language –CISC instruction set –Special purpose register set –8 and 16 bit.

Introduction to Assembly Here we have a brief introduction to IBM PC Assembly Language –CISC instruction set –Special purpose register set –8 and 16 bit.
Polymorphic Viruses A brief survey Joseph Hamm Shirlan Johnson.

Polymorphic Viruses A brief survey Joseph Hamm Shirlan Johnson.
Assembly Language for Intel-Based Computers, 4 th Edition Chapter 6: Conditional Processing (c) Pearson Education, 2002. All rights reserved. You may modify.

Assembly Language for Intel-Based Computers, 4 th Edition Chapter 6: Conditional Processing (c) Pearson Education, All rights reserved. You may modify.
Assembly Language for Intel-Based Computers Chapter 5: Procedures Kip R. Irvine.

Assembly Language for Intel-Based Computers Chapter 5: Procedures Kip R. Irvine.
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.

1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
Assembly Language Advantages 1. It reveals the secret of your computer’s hardware and software. 2. Speed. 3. Some special applications and occasions. Disadvantages.

Assembly Language Advantages 1. It reveals the secret of your computer’s hardware and software. 2. Speed. 3. Some special applications and occasions. Disadvantages.
Polymorphism in Computer Viruses CS265 Security Engineering Term Project Puneet Mishra.

Polymorphism in Computer Viruses CS265 Security Engineering Term Project Puneet Mishra.
HUNTING FOR METAMORPHIC ENGINES Mark Stamp & Wing Wong August 5, 2006.

HUNTING FOR METAMORPHIC ENGINES Mark Stamp & Wing Wong August 5, 2006.
Administrative Overview 6 Projects Design Review: Monday before 6:30pm Lab Friend Center 010 (“Fishbowl”)

Administrative Overview 6 Projects Design Review: Monday before 6:30pm Lab Friend Center 010 (“Fishbowl”)
Dr. Richard Ford  Szor 11  Virus Scanners – how they work, why they matter, how to write one…

Dr. Richard Ford  Szor 11  Virus Scanners – how they work, why they matter, how to write one…
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Computer Viruses Preetha Annamalai Niranjan Potnis.

Computer Viruses Preetha Annamalai Niranjan Potnis.

Similar presentations

Ads by Google