Polymorphic & Metamorphic Viruses. Presented by: Smita Thaker. Dated: Nov 18, 2003.

Agenda
- History of Viruses
- Polymorphic Viruses
- Metamorphic Viruses
- Summary and Conclusion

History
Encrypted viruses: to avoid detection, virus writers encrypted the main portion of the program. Such a virus has two parts:
- the decryptor (plaintext code that runs first and decrypts the rest)
- the encrypted virus body
Because the decryptor itself is the same in every copy, a scanner can still match a search string against it; this is what pushed virus writers towards:
- Polymorphic viruses: take a different form/shape on each infection (a new decryptor each time)
- Metamorphic viruses: the body itself is rewritten on each infection

Encryption/Decryption (16-bit x86, MASM-style syntax; assumes DS = ES so that lodsb and stosb address the same buffer):

    DECRYPT:
        mov si, OFFSET START    ; source pointer: start of the encrypted body
        mov di, OFFSET START    ; destination pointer: decrypt in place
        mov cx, VIR_SIZE        ; number of bytes to process
    ELP:
        lodsb                   ; al := ds:[si], si := si + 1
        xor al, 093H            ; XOR with the one-byte key
        stosb                   ; es:[di] := al, di := di + 1
        loop ELP                ; cx := cx - 1, repeat while cx != 0
    START:
        ; (Body of virus goes here)

XOR is its own inverse, so the same loop both encrypts the body when the virus writes a new copy and decrypts it when the copy runs.

POLYMORPHIC VIRUSES
- Definition
- Example
- How it works
- Detecting polymorphic viruses
  - Generic Decryption (GD) Technology

Polymorphic Viruses: what are they?
If a virus is programmed to look different each time it replicates, there is no fixed string for an anti-virus scanner to latch onto in order to detect it. Such a virus is known as a polymorphic virus. Polymorphic viruses carry specially designed mutation engines. The mutation engine (M.E.) generates a new decryption routine for every copy, for example by switching the order of independent instructions, choosing different registers, using a different key and inserting instructions that do nothing.

Example: if the scanner were looking for the instructions

    mov ax, 2513H
    mov dx, 1307H
    int 21H

one might modify the virus to instead execute the equivalent sequence

    mov ax, 1307H
    mov dx, 2513H
    xchg ax, dx
    int 21H

(The immediates are swapped so that the xchg restores AX = 2513H and DX = 1307H; as transcribed, the slide left the immediates unchanged, which would have altered the values passed to int 21H.) The register values at the int 21H are identical, but the byte sequence is different, so the scanner's search string no longer matches and the virus goes undetected.

How it works
Polymorphic viruses typically encrypt the body of the virus and front-end it with a variable decryption routine. Thus the body cannot be scanned because it is encrypted, and the mutation engine is capable of generating too many different decryption routines for search-string scanning to remain viable.

Polymorphic Virus Detection
- Entry-point algorithms: special virus detection routines which examine the machine code at the entry point of each file, where the decryptor must sit.
- Generic Decryption (GD) Technology: run the file on a protected virtual computer (an emulator), so the virus decrypts itself in emulated memory and the body can then be scanned with ordinary signatures. A GD scanner comprises:
  - a CPU emulator
  - a virus signature scanner
  - an Emulation Control Module (ECM), which decides how many instructions to emulate and when to stop and scan
- Problem: how long to run each program? Stop too early and the body is still encrypted when it is scanned; run too long and scanning clean files becomes too slow, which virus writers exploit by delaying the decryption.
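The following Python model, added here as an illustration rather than code from the original slides, ties together the Encryption/Decryption loop, the mutation-engine idea from the polymorphic slides and the Generic Decryption scanner above. It uses an invented toy instruction set instead of x86 (the opcode values, the four-register file, the constructed virus body and the signature string are all assumptions). The mutation engine emits a fresh decryptor for every sample by varying the key, renaming registers, reordering the independent setup instructions and inserting do-nothing junk; a search-string scanner then fails on every sample, while a GD scanner that emulates the decryptor before scanning recovers the body. With polymorphism switched off, only the key byte changes and the rest of the decryptor is a usable search string. The budget argument shows the ECM problem: emulating too few instructions leaves the body encrypted.

```python
import random

# Toy instruction set used to model a polymorphic decryptor. The byte
# encodings are invented for this example and are NOT x86 opcodes.
OPC = {"mov": 0x01, "xorm": 0x02, "inc": 0x03, "dec": 0x04,
       "jnz": 0x05, "or0": 0x06, "nop": 0x90, "hlt": 0xFF}
BODY_BASE = 0x100                      # encrypted body lives here in the image
# Constructed stand-in for a virus body and for the string a scanner looks for.
BODY = b"<constructed virus body> mov ax,2513h; mov dx,1307h; int 21h <end>"
SIGNATURE = b"mov ax,2513h; mov dx,1307h; int 21h"

def assemble(ops):
    """Encode a list of (mnemonic, operands...) tuples as toy machine code."""
    out = bytearray()
    for name, *args in ops:
        out.append(OPC[name])
        if name == "mov":                       # mov reg, imm16 (little endian)
            out += bytes([args[0], args[1] & 0xFF, args[1] >> 8])
        elif name == "jnz":                     # jnz reg, rel8 (two's complement)
            out += bytes([args[0], args[1] & 0xFF])
        else:                                   # xorm/inc/dec/or0 carry reg bytes
            out += bytes(args)
    return bytes(out)

def make_sample(seed, polymorphic=True):
    """Build one infected image: decryptor at 0, XOR-encrypted body at BODY_BASE."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)                 # a different key for every copy
    if polymorphic:
        ptr, cnt, kr = rng.sample(range(4), 3)  # register renaming
    else:
        ptr, cnt, kr = 0, 1, 2                  # fixed decryptor, only the key varies
    setup = [("mov", ptr, BODY_BASE), ("mov", cnt, len(BODY)), ("mov", kr, key)]
    if polymorphic:
        rng.shuffle(setup)                      # independent instructions reordered
    ops = []
    for ins in setup:
        ops.append(ins)
        if polymorphic:                         # junk that changes no register
            ops += [rng.choice([("nop",), ("or0", rng.randrange(4))])
                    for _ in range(rng.randrange(3))]
    loop = [("xorm", ptr, kr), ("inc", ptr), ("dec", cnt)]
    ops += loop + [("jnz", cnt, -(len(assemble(loop)) + 3)), ("hlt",)]
    image = bytearray(0x200)
    dec = assemble(ops)
    image[:len(dec)] = dec
    image[BODY_BASE:BODY_BASE + len(BODY)] = bytes(b ^ key for b in BODY)
    return image

def emulate(image, budget):
    """Run the toy CPU over the image in place; return (steps, halted_cleanly)."""
    regs, pc = [0, 0, 0, 0], 0
    for steps in range(1, budget + 1):
        op = image[pc]
        if op == 0x01: regs[image[pc+1]] = image[pc+2] | (image[pc+3] << 8); pc += 4
        elif op == 0x02: image[regs[image[pc+1]]] ^= regs[image[pc+2]] & 0xFF; pc += 3
        elif op == 0x03: regs[image[pc+1]] = (regs[image[pc+1]] + 1) & 0xFFFF; pc += 2
        elif op == 0x04: regs[image[pc+1]] = (regs[image[pc+1]] - 1) & 0xFFFF; pc += 2
        elif op == 0x05:
            rel = image[pc+2] - 256 if image[pc+2] > 127 else image[pc+2]
            pc += 3
            if regs[image[pc-2]]: pc += rel
        elif op == 0x06: pc += 2                  # or reg, 0: no effect
        elif op == 0x90: pc += 1                  # nop
        elif op == 0xFF: return steps, True
        else: return steps, False                 # undefined opcode: stop emulating
    return budget, False                          # emulation budget exhausted

def static_scan(image):
    """Plain search-string scanning of the file as stored on disk."""
    return SIGNATURE in bytes(image)

def gd_scan(image, budget=10_000):
    """Generic decryption: emulate a copy of the image, then scan its memory."""
    mem = bytearray(image)                        # never run the sample for real
    emulate(mem, budget)
    return SIGNATURE in bytes(mem)

if __name__ == "__main__":
    for seed in range(5):
        img = make_sample(seed)
        print(seed, img[:16].hex(), static_scan(img), gd_scan(img), gd_scan(img, budget=20))
```

Running the block prints, per sample, the first decryptor bytes (different every time), the static-scan verdict (always a miss), the GD verdict with a generous budget (a hit) and the GD verdict with a budget of 20 instructions (a miss, because the loop has barely started).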

Metamorphic Viruses
- Definition
- Example
- How it works
  - Some transformations
- Metamorphic virus detection techniques

METAMORPHIC VIRUSES
Metamorphic viruses are body-polymorphic viruses, i.e. viruses where the body of the virus itself changes from instance to instance. Polymorphic viruses, on the other hand, have a constant virus body that is encrypted with a different decryptor in each instance; once decrypted, that body is the same in every copy.

How it works
When the virus spreads, it first undoes its current metamorphism to yield a base version of the virus, and then produces a different metamorphed version of the base code. Modules of a metamorphic engine:
- Disassembler: turns the current copy back into instructions
- Depermutator: restores the original order of the code blocks
- Shrinker: removes the junk and redundant constructs added last time
- Expander: inserts new junk, jumps and labels
- Permutator: reorders the code blocks, linking them with jumps
- Assembler: produces the new machine code
- Other transformations

Current copy of the virus (with junk instructions; the slide uses the mnemonic beqz, which is not an x86 mnemonic, for a jump-if-zero to the next label; xor ebx, ebx followed by such a jump does nothing):

    Loop:
        pop ecx
        nop
        jecxz SFModMark
        xor ebx, ebx
        beqz N1
    N1: mov esi, ecx
        nop
        mov eax, 0d601h
        pop edx
        pop ecx
        nop
        call edi
        xor ebx, ebx
        beqz N2
    N2: jmp Loop

Disassemble and shrink to the base form:

    Loop:
        pop ecx
        jecxz SFModMark
        mov esi, ecx
        mov eax, 0d601h
        pop edx
        pop ecx
        call edi
        jmp Loop

Expand, permutate, assemble: a new morphed variant of the virus with different junk and ordering.

Some Transformations
Insert jmps:

    #make_BIN#
    MOV AX, 5
    MOV BX, 10
    ADD AX, BX
    SUB AX, 1
    HLT

becomes

    #make_BIN#
    MOV AX, 5
    MOV BX, 10
    ADD AX, BX
    jmp proc_sub
    proc_sub:
    SUB AX, 1
    HLT

Add redundant labels:

    MOV AX, 1
    MOV AX, 2

becomes

    x1: MOV AX, 1
    x2: MOV AX, 2

Junk instructions can be inserted almost anywhere in the program, since they change no register value:

    NOP         ; do nothing
    XOR AL, 0   ; AL unchanged
    OR BL, 0    ; BL unchanged

Caveat: XOR and OR with 0 still update the flags register (ZF, SF, PF are set from the result; CF and OF are cleared), so they must not be placed between a compare and the conditional jump that reads its flags; NOP is safe everywhere.
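The engine described in "How it works" and the transformations above, as an added Python model that is not code from the original slides. It works on the slide's own MOV/ADD/SUB/HLT dialect as a list of text lines; the label prefix "m_", the junk list and the probabilities are assumptions. The expander inserts junk, splits the code with a jmp to a fresh label and adds labels nothing jumps to; the permutator shuffles the resulting blocks (control flow is preserved by the jmps); the shrinker walks the jmps and drops junk and engine labels, which is how the virus recovers its base form before the next generation. A small interpreter checks that every variant computes the same AX as the base, and, because the shrinker is a normalizer, a scanner can run the same shrink step and match a signature against the base form that the raw variants hide.

```python
import random

# Constructed example: a metamorphic engine for a tiny straight-line assembly
# dialect (MOV/ADD/SUB/JMP/HLT on AX and BX). The label prefix and junk list
# are assumptions; the base program has no junk, no jmps and no labels.
JUNK = ["NOP", "XOR AL, 0", "OR BL, 0"]   # change no register value
PFX = "m_"                               # labels this engine inserts

def expand(base, rng):
    """Expander: insert junk, split code with jmp+label, add redundant labels."""
    out, n = [], 0
    for ins in base:
        if rng.random() < 0.5:
            out.append(rng.choice(JUNK))
        r = rng.random()
        if r < 0.4:                      # jmp to a fresh label: new basic block
            n += 1
            out += [f"JMP {PFX}{n}", f"{PFX}{n}:"]
        elif r < 0.6:                    # label nothing jumps to
            n += 1
            out.append(f"{PFX}{n}:")
        out.append(ins)
    return out

def permute(lines, rng):
    """Permutator: reorder the basic blocks; the jmps keep the control flow."""
    blocks, cur = [], []
    for line in lines:
        cur.append(line)
        if line.startswith("JMP " + PFX):
            blocks.append(cur)
            cur = []
    if cur:
        blocks.append(cur)
    rest = blocks[1:]
    rng.shuffle(rest)                    # the entry block must stay first
    return [ln for blk in [blocks[0]] + rest for ln in blk]

def shrink(lines):
    """Shrinker/depermutator: follow the engine's jmps in execution order and
    drop junk and engine labels, recovering the base form (a scanner can use
    the same routine as a normalizer before matching a signature)."""
    labels = {ln[:-1]: i for i, ln in enumerate(lines) if ln.endswith(":")}
    out, pc, seen = [], 0, set()
    while pc < len(lines) and pc not in seen:
        seen.add(pc)
        line = lines[pc]
        if line.endswith(":"):
            if not line.startswith(PFX):
                out.append(line)
            pc += 1
        elif line in JUNK:
            pc += 1
        elif line.startswith("JMP " + PFX):
            pc = labels[line[4:]]
        else:
            out.append(line)
            if line == "HLT":
                break
            pc += 1
    return out

def run(lines, budget=1000):
    """Interpreter used to check that a variant behaves like its base."""
    labels = {ln[:-1]: i for i, ln in enumerate(lines) if ln.endswith(":")}
    regs, pc = {"AX": 0, "BX": 0}, 0
    for _ in range(budget):
        line = lines[pc]
        if line.endswith(":") or line in JUNK:
            pc += 1
            continue
        op, _, args = line.partition(" ")
        if op == "HLT":
            return regs
        if op == "JMP":
            pc = labels[args]
            continue
        dst, src = [a.strip() for a in args.split(",")]
        val = regs[src] if src in regs else int(src)
        if op == "MOV":
            regs[dst] = val
        elif op == "ADD":
            regs[dst] = (regs[dst] + val) & 0xFFFF
        elif op == "SUB":
            regs[dst] = (regs[dst] - val) & 0xFFFF
        pc += 1
    raise RuntimeError("budget exhausted")

def morph(code, seed):
    """One generation: shrink to the base form, then expand and permute."""
    rng = random.Random(seed)
    return permute(expand(shrink(code), rng), rng)

BASE = ["MOV AX, 5", "MOV BX, 10", "ADD AX, BX", "SUB AX, 1", "HLT"]

if __name__ == "__main__":
    variant = morph(BASE, 1)
    print("\n".join(variant))
    print(run(variant), shrink(variant) == BASE)
```

Feeding a variant back into morph() with a new seed models the next infection: the shrinker strips the previous generation's junk and jumps first, so the engine never accumulates garbage, and shrink() of any generation yields the same base form.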

Metamorphic Virus Detection Techniques
- Geometric detection: based on the alterations a virus makes to the structure of the infected file (the sizes and layout of its parts) rather than on its code, which changes from copy to copy.
- Use of emulators for tracing: run the code in an emulator and recognise the virus by what it does rather than by what it looks like.

Summary & Conclusion
The evolution of metamorphic viruses is one of the great challenges of this decade: with no constant decryptor and no constant body, neither search strings nor generic decryption alone is sufficient.
