Challenges in Building and Detecting Portable Source Code Morphers


Challenges in Building and Detecting Portable Source Code Morphers
By: Rodrigo Sardinas, TSYS School of Computer Science, Columbus State University
Research supervisor: Radhouane Chouchane

Why does this matter?
- Metamorphic malware is the most sophisticated form of malware.
- It is rewritten on each iteration: each succeeding version of the code differs from the preceding one.
(Figure: the original malware and its successive morphed generations; an AV signature written for one generation does not match the next, and a signature updated for the previous version still does not match the current one.)
Portable Source Code Morphers / Rodrigo Sardinas, 1/3/2019

Why does this matter?
- On Nov. 3, 1983, Fred Cohen ran an experimental virus to test security policies [1]. It was the first program called a virus (the term was coined by Len Adleman).
- In the experiment, the virus was granted total system rights in under 5 minutes.
- After seeing the results, the administrators were afraid to continue the experiments and implemented stricter security policies.

Our Experiment
- A similar case is Win32/Apparition, which carries its own C source, inserts or removes garbage code, and recompiles itself; it is simpler to change the code in source form than in binary form [2].
- Our research: a C++ program alters the source of another program, then makes and compiles the new version of the source.
- Our goal: better understand the process in order to aid in detecting other metamorphic code.

Making Metamorphic Malware
- Which platform?
- Which language?
- Finding suitable compilers
- Peter Szor's Win32 example [2]
- Which techniques you will use

Techniques Commonly Used in Metamorphic Malware [3][5]
- NOP instructions
- Switching registers
- Function reordering
- Program flow modification
- Garbage insertion
- Variable substitution

String Example
We will be changing this code:

```cpp
void test(){
    string a = "A";
    string b = "B";
    string c = "C";
    for(int i = 0;i<5;i++){
        cout<<a;
    }
}
```

into this code (the variable `a` is renamed, and the for loop is rewritten as an equivalent while loop):

```cpp
void test(){
    string newString = "A";
    string b = "B";
    string c = "C";
    int i = 0;
    while( i < 5){
        cout<<newString;
        i++;
    }
}
```

Changing the Code
- Finding what needs to be changed: be specific.
- Search methods
- Markers
- The morphed program has to keep its functionality. (This is also one way to "detect" metamorphic viruses: every variant must still behave the same.)
- Example: variables

Changing the Code: be specific
We want to change a variable inside this method, so we begin by searching for the method. The words `void test(){` may appear more than once in the code; how does the program know which occurrence you mean? First we check for the presence of the string; if it is absent, we keep searching. Next we check for the presence of a quotation mark on the same line. This distinguishes the string literal "void test(){" from the actual method we are looking for:

```cpp
string toChange = "void test(){";
string quot = "\"";
size_t pos = line.find(toChange);   // method header present on this line?
size_t pPos = line.find(quot);      // quotation mark present on this line?
if(pos!=string::npos){
    if(pPos==string::npos){
        found = true;   // the real method, not a string literal containing its text
    }
}
```

Changing the Code: keep functionality
Change the variable everywhere it is used, at its declaration and at every use. Here `changeVar` holds the declaration to look for (`string a = "A"`) and `changeUse` the use (`cout<<a;`); searching for the bare name `a` would also match the `a` inside other identifiers, which is why the search strings carry their surrounding context:

```cpp
//Change Variable
posVar = line.find(changeVar);
if(posVar!=string::npos) {
    line.replace( line.find(changeVar),          // find the item you're changing
                  changeVar.length(),            // length of the item you're replacing
                  "string newString = \"A\"");   // item you will be replacing it with
}
//Change variable where it is used to new one
posVar2 = line.find(changeUse);
if(posVar2!=string::npos) {
    line.replace( line.find(changeUse), changeUse.length(), "cout<<newString;");
}
```

Changing the Code: search methods / methods to alter the file
- Search character by character
- Scan line by line and search for a string
- Save the file (line by line) into an array of strings

Example of Marker Code
Note the markers here; in our case they are just comments in the source. We will be changing this:

```cpp
void malware(){ //Change this
    //B
    int i;
    string a = "A";
    string b = "B";
    string c = "C";
    for(i=0;i<5;i++){
        cout<<a;
    }
}
```

to this:

```cpp
void malware(){ //Change this
    //B
    int i;
    string newString = "A";
    string b = "B";
    string c = "C";
    for(i=0;i<5;i++){
        cout<<newString;
    }
}
```

Markers
- What could be markers? Strings, hashes, calculations.
- Finding the markers vs. finding the specific thing to change in the source
- Pros / cons of using markers
- What makes a good marker? Stealth.
- Morphing the markers themselves introduces more complexity, but allows for more powerful morphing and is harder to detect.

Code Content Distribution
- The majority of the code is devoted to transforming the code: some metamorphic viruses devote up to 90% of their code to their metamorphic engine [4].
(Figure: pie chart of code content, with slices for "Malicious Code/Decryptors" and "Metamorphic Engine".)

Limitations & Directions for Further Work
- Learning which C++ I/O methods work best, e.g. for the problem of matching markers
- Assembly: it is possible to write assembly from C++, which would make more techniques available
- Markers: stealthy markers, hashes
- Code transformation: garbage insertion
- Portability issues: network, permissions on the host computer
- Script viruses

Conclusion
- Creating a morpher allows you to see the common factors.
- Understanding the difficulties gives insight into the malware's weaknesses.
- This is fairly new; expect to see more of it.
- "The networked enterprise allows metamorphic binary worms to cause major problems. As a result, we will not be able to turn a blind eye to them and say 'we do not need to handle them since they are not causing problems to our users.' They will." [2] (Peter Szor, Security Architect for Symantec Security Response)
- People are already working on this very thing, e.g. Malfunction [6].

References
[1] Fred Cohen, Experiments with Computer Viruses, http://all.net/books/virus/part5.html
[2] Peter Szor, Hunting for Metamorphic, http://www.symantec.com/avcenter/reference/hunting.for.metamorphic.pdf
[3] Chet Hosmer, Polymorphic & Metamorphic Malware, http://www.blackhat.com/presentations/bh-usa-08/Hosmer/BH_US_08_Hosmer_Polymorphic_Malware.pdf
[4] Philippe Beaucamps, Advanced Metamorphic Techniques in Computer Viruses, http://vx.netlux.org/lib/pdf/Advanced%20Metamorphic%20Techniques%20in%20Computer%20Viruses.pdf
[5] Jean-Marie Borello, Code Obfuscation Techniques for Metamorphic Viruses, http://vx.netlux.org/lib/pdf/Code%20obfuscation%20techniques%20for%20metamorphic%20viruses.pdf
[6] Malfunction, http://vx.netlux.org/malfunction/engine.html