Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 Vitaly Shmatikov CS 378 Trojans and Viruses.

Published byShanon Lee Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1 Vitaly Shmatikov CS 378 Trojans and Viruses."— Presentation transcript:

1 slide 1 Vitaly Shmatikov CS 378 Trojans and Viruses

2 slide 2 Malware uMalicious code often masquerades as good software or attaches itself to good software uSome malicious programs need host programs Trojan horses, logic bombs, viruses uOthers can exist and propagate independently Worms, automated viruses uThere are many infection vectors and propagation mechanisms

3 slide 3 Trojan Horses uA trojan horse is malicious code hidden in an apparently useful host program uWhen the host program is executed, trojan does something harmful or unwanted User must be tricked into executing the host program In 1995, a program distributed as PKZ300B.EXE looked like a new version of PKZIP… When executed, it formatted your hard drive. uTrojans do not replicate This is the main difference from worms and viruses

4 slide 4 “Reflections on Trusting Trust” uKen Thompson’s 1983 Turing Award lecture –Linked from the course website (reference section) 1.Added a backdoor-opening Trojan to login program 2.Anyone looking at source code would see this, so changed the compiler to add backdoor at compile-time 3.Anyone looking at compiler source code would see this, so changed the compiler to recognize when it’s compiling a new compiler and to insert Trojan into it u“The moral is obvious. You can’t trust code you did not totally create yourself. (Especially code from companies that employ people like me).”

5 slide 5 Viruses uVirus propagates by infecting other programs Automatically creates copies of itself, but to propagate, a human has to run an infected program –Self-propagating malicious programs are usually called worms uViruses employ many propagation methods Insert a copy into every executable (.COM,.EXE) Insert a copy into boot sectors of disks –“Stoned” virus infected PCs booted from infected floppies, stayed in memory and infected every floppy inserted into PC Infect TSR (terminate-and-stay-resident) routines –By infecting a common OS routine, a virus can always stay in memory and infect all disks, executables, etc.

6 slide 6 Virus Techniques uStealth viruses Infect OS so that infected files appear normal to user uMacro viruses A macro is an executable program embedded in a word processing document (MS Word) or spreadsheet (Excel) When infected document is opened, virus copies itself into global macro file and makes itself auto-executing (e.g., gets invoked whenever any document is opened) uPolymorphic viruses Viruses that mutate and/or encrypt parts of their code with a randomly generated key

7 slide 7 Evolution of Polymorphic Viruses (1) uAnti-virus scanners detect viruses by looking for signatures (snippets of known virus code) Virus writers constantly try to foil scanners uEncrypted viruses: virus consists of a constant decryptor, followed by the encrypted virus body Cascade (DOS), Mad (Win95), Zombie (Win95) Relatively easy to detect because decryptor is constant uOligomorphic viruses: different versions of virus have different encryptions of the same body Small number of decryptors (96 for Memorial viruses); to detect, must understand how they are generated

8 slide 8 Evolution of Polymorphic Viruses (2) uPolymorphic viruses: constantly create new random encryptions of the same virus body Marburg (Win95), HPS (Win95), Coke (Win32) Virus must contain a polymorphic engine for creating new keys and new encryptions of its body –Rather than use an explicit decryptor in each mutation, Crypto virus (Win32) decrypts its body by brute-force key search uPolymorphic viruses can be detected by emulation When analyzing an executable, scanner emulates CPU for a bit. Virus will eventually decrypt and try to execute its body, which will be recognized by scanner. This only works because virus body is constant!

9 slide 9 Virus Detection by Emulation Virus body Randomly generates a new key and corresponding decryptor code Mutation A Decrypt and execute Mutation C Mutation B To detect an unknown mutation of a known virus, emulate CPU execution of until the current sequence of instruction opcodes matches the known sequence for virus body

10 slide 10 Metamorphic Viruses uObvious next step: mutate the virus body, too! uVirus can carry its source code (which deliberately contains some useless junk) and recompile itself Apparition virus (Win32) Virus first looks for an installed compiler –Unix machines have C compilers installed by default Virus changes junk in its source and recompiles itself –New binary mutation looks completely different! uMany macro and script viruses evolve and mutate their code Macros/scripts are usually interpreted, not compiled

11 slide 11 Metamorphic Mutation Techniques uSame code, different register names Regswap (Win32) uSame code, different subroutine order BadBoy (DOS), Ghost (Win32) If n subroutines, then n! possible mutations uDecrypt virus body instruction by instruction, push instructions on stack, insert and remove jumps, rebuild body on stack Zmorph (Win95) Can be detected by emulation because the rebuilt body has a constant instruction sequence

12 slide 12 Real Permutating Engine (RPME) uIntroduced in Zperm virus (Win95) in 2000 uAvailable to all virus writers, employs entire bag of metamorphic and anti-emulation techniques Instructions are reordered, branch conditions reversed Jumps and NOPs inserted in random places Garbage opcodes inserted in unreachable code areas Instruction sequences replaced with other instructions that have the same effect, but different opcodes –Mutate SUB EAX, EAX into XOR EAX, EAX or PUSH EBP; MOV EBP, ESP into PUSH EBP; PUSH ESP; POP EBP uThere is no constant, recognizable virus body!

13 slide 13 Example of Zperm Mutation uFrom Szor and Ferrie, “Hunting for Metamorphic” Linked from the course website (reference section)

14 slide 14 Defeating Anti-Virus Emulators uRecall: to detect polymorphic viruses, emulators execute suspect code for a little bit and look for opcode sequences of known virus bodies uSome viruses use random code block insertion engines to defeat emulation Routine inserts a code block containing millions of NOPs at the entry point prior to the main virus body Emulator executes code for a while, does not see virus body and decides the code is benign… when main virus body is finally executed, virus propagates Bistro (Win95) used this in combination with RPME

15 slide 15 Putting It All Together: Zmist uZmist was designed in 2001 by Russian virus writer Z0mbie of “Total Zombification” fame uNew technique: code integration Virus merges itself into the instruction flow of its host “Islands” of code are integrated into random locations in the host program and linked by jumps When/if virus code is run, it infects every available portable executable –Randomly inserted virus entry point may not be reached in a particular execution

16 slide 16 MISTFALL Disassembly Engine uTo integrate itself into host ’s instruction flow, virus must disassemble and rebuild host binary See overview at http://vx.netlux.org/lib/vzo21.htmlhttp://vx.netlux.org/lib/vzo21.html uThis is very tricky Addresses are based on offsets, which must be recomputed when new instructions are inserted Virus must perform complete instruction-by-instruction disassembly and re-generation of the host binary –This is an iterative process: rebuild with new addresses, see if branch destinations changed, then rebuild again –This requires 32MB of RAM and explicit section names (DATA, CODE, etc.) in the host binary – doesn’t work with every file

17 slide 17 Simplified Zmist Infection Process Pick a Portable Executable binary < 448Kb in size Disassemble, insert space for new code blocks, generate new binary Insert mutated virus body Split into jump-linked “islands” Mutate opcodes (XOR  SUB, OR  TEST) Swap register moves and PUSH/POP, etc. Encrypt virus body by XOR (ADD, SUB) with a randomly generated key, insert mutated decryptor Insert random garbage instructions using Executable Trash Generator Decryptor must restore host’s registers to preserve host’s functionality Randomly insert indirect call OR jump to decryptor’s entry point OR rely on instruction flow to reach it

18 slide 18 How Hard Is It to Write a Virus? u498 matches for “virus creation tool” in Spyware Encyclopedia Including dozens of poly- and metamorphic engines uOverWritting Virus Construction Toolkit "The perfect choice for beginners“ uBiological Warfare Virus Creation Kit Note: all viruses will be detected by Norton Anti-Virus uVbs Worm Generator (for Visual Basic worms) Used to create the Anna Kournikova worm uMany others

19 slide 19 Reading Assignment uStallings 10.1 uOptional: “Hunting for Metamorphic” by Szor and Ferrie Linked from the course website (reference section)

Download ppt "Slide 1 Vitaly Shmatikov CS 378 Trojans and Viruses."

Similar presentations

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.
Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.

Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.
 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.

 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.
Dr. Richard Ford  Szor 7  Another way viruses try to evade scanners.

Dr. Richard Ford  Szor 7  Another way viruses try to evade scanners.
1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.

1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.
Chapter 3 (Part 1) Network Security

Chapter 3 (Part 1) Network Security
CS526: Information Security Chris Clifton November 25, 2003 Malicious Code.

CS526: Information Security Chris Clifton November 25, 2003 Malicious Code.
Unit 18 Data Security 1.

Unit 18 Data Security 1.
Malware Ge Zhang Karlstad Univeristy. Focus What malware are Types of malware How do they propagate How do they hide How to detect them.

Malware Ge Zhang Karlstad Univeristy. Focus What malware are Types of malware How do they propagate How do they hide How to detect them.
Slide 1 Adapted from Vitaly Shmatikov, UT Austin Trojans and Viruses.

Slide 1 Adapted from Vitaly Shmatikov, UT Austin Trojans and Viruses.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 19: Malicious Logic What is malicious logic Types of malicious logic.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 19: Malicious Logic What is malicious logic Types of malicious logic.
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
HUNTING FOR METAMORPHIC ENGINES Mark Stamp & Wing Wong August 5, 2006.

HUNTING FOR METAMORPHIC ENGINES Mark Stamp & Wing Wong August 5, 2006.
1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
1 Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004.

1 Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004.
Created by Dragon Lee May-2003. Computer Virus What is computer virus? Computer virus refers to a program which damages computer systems and/or destroys.

Created by Dragon Lee May Computer Virus What is computer virus? Computer virus refers to a program which damages computer systems and/or destroys.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
SCSC 455 Computer Security 2011 Spring Chapter 5 Malware.

SCSC 455 Computer Security 2011 Spring Chapter 5 Malware.
CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2011.

Similar presentations

Ads by Google