Presentation on theme: "Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003."— Presentation transcript:
Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003
Smita Thaker2 Agenda History of Viruses Polymorphic Viruses Metamorphic Viruses Summary and Conclusion
Smita Thaker 3 History Encrypted viruses - To avoid detection, virus writers encrypted the main portion of the program. Viruses now had 2 parts –Decrypted code –Encrypted Virus Code Polymorphic Viruses – take different forms/shapes Metamorphic Viruses
Smita Thaker5 POLYMORPHIC VIRUSES Definition Example How it works Detecting polymorphic Viruses –Generic Decryption (GD) Technology
Smita Thaker6 Polymorphic Viruses – What are polymorphic Viruses If a virus is programmed to look different each time it replicated, there would be no fixed string for anti-virus to latch onto detect it. Such a virus is known as polymorphic virus. Polymorphic viruses have specially designed mutation engines. They(M.E.) generate a new decryption routine each time, by switching the order of instructions.
Smita Thaker7 Example: If the scanner were looking for the instructions mov ax, 2513H mov dx, 1307H int 21H One might modify the virus to instead execute this operation code mov ax, 2513H mov dx, 1307H xchg ax, dx int 21H The scanner can no longer see it, and the virus can go undetected.
Smita Thaker8 How it works Polymorphic viruses typically encrypt the body of the virus and front-end it with a variable decryption routine. Thus, the body cannot be scanned because its encrypted, and the mutation engine is capable of generating too many different decryption routines to make search-string scanning viable.
Smita Thaker9 Polymorphic Virus Detection Entry point algorithms – special virus detection programs which examine the machine code at the entry-point of each file. Generic Decryption (GD) Technology – Run the file on a protected virtual computer –Can analyze virus body when decrypted. –GD scanner comprises of : CPU Emulator Virus Signature Scanner Emulation Control Module (ECM) –Problem: How long to run each program?
Smita Thaker10 Metamorphic Viruses Definition Example How it works –Some Transformations Metamorphic Virus Detection Techniques
Smita Thaker11 METAMORPHIC VIRUSES Are body-polymorphic viruses. i.e., viruses where the body of the virus itself changes from instance to instance Polymorphic viruses, on the other hand have a constant virus body, being encrypted with a different decryptor each instance.
Smita Thaker13 Example:
Smita Thaker14 How it works When the virus spreads, it first undoes its current metamorphism to yield a base version of the virus, and then produces a different metamorphed version of the base code. Techniques : Disassembler –Depermutator –Shrinker Expander Permutator Assembler Other transformations
Smita Thaker15 Loop: pop ecx nop jecxz SFModMark xor ebx, ebx beqz N1 N1: mov esi, ecx nop mov eax, 0d601h pop edx pop ecx nop call edi xor ebx, ebx beqz N2 N2: jmp Loop Loop: pop ecx jecxz SFModMark mov esi, ecx mov eax, 0d601h pop edx pop ecx call edi jmp Loop Loop: pop ecx nop jecxz SFModMark xor ebx, ebx beqz N1 N1: mov esi, ecx nop mov eax, 0d601h pop edx pop ecx nop call edi xor ebx, ebx beqz N2 N2: jmp Loop Disassemble Expand, Permutate, Assemble A new morphed variant of the virus
Smita Thaker17 Can insert some NOPs, XOR, ORs anywhere in the program. It doesn't affect any register values. NOP ;do nothing. XOR AL, 0 OR BL, 0
Smita Thaker18 Metamorphic Virus Detection Techniques Geometric Detection - based on alterations that a virus has made to the file structure. Use of Emulators for Tracing
Smita Thaker19 Summary & Conclusion Evolution of metamorphic viruses is one of the great challenges of this decade
Smita Thaker20 References: American Eagle Publication Carey Nachenberg, Computer Virus-Coevolution, ACM Digital Library, Vol 40, Issue1, Jan Christodorescu, M., Detecting Malicious Patterns in Executables via Model Checking (WISA Project), Christodorescu, M., General Purpose Binary Rewriting (WISA Project). Stamp, M. DEFCON 11 Trip Report Szor, P., Ferrie, P., Hunting for Metamorphic, Virus Bulletin Conference, September 2001