METAMORPHIC VIRUS NGUYEN LE VAN.


OUTLINE Introduction Metamorphic techniques Metamorphic virus detection Conclusions Bibliography

INTRODUCTION Virus: “A program that can infect other programs by modifying them to include a possibly evolved copy of itself” - Fred Cohen (1987). Typical structure of a computer virus: Infect-executable, Do-damage (payload), Trigger-pulled.
In 1987, Fred Cohen, the pioneer researcher in computer viruses, defined a computer virus to be: “A program that can infect other programs by modifying them to include a possibly evolved copy of itself”. The typical structure of a computer virus contains three subroutines. The first subroutine, infect-executable, is responsible for finding available executable files and infecting them by copying the virus code into them. The subroutine do-damage, also known as the payload of the virus, is the code responsible for delivering the malicious part of the virus. The last subroutine, trigger-pulled, checks whether the desired conditions are met in order to deliver the payload. Examples of conditions are the day of the week, the number of infections, or the current date. Nowadays there are so many different kinds of computer viruses that it is difficult to provide a precise definition.

INTRODUCTION Types of computer viruses: Boot sector virus, File infecting virus, Memory resident virus, Macro virus, Basic virus, Polymorphic virus, Metamorphic virus.
Boot sector viruses infect the Master Boot Sector of hard drives or floppy drives and infect other machines only when a machine boots from an infected floppy disk. Boot sector viruses were the first successful viruses created and can infect a machine regardless of which operating system runs on it. Today they are rarely found because floppy disks are no longer common. Program (file infecting) viruses infect executable programs, such as EXE or COM files, by attaching themselves to them. The virus executes and infects other executables when its host file is executed. To infect an EXE file, a virus has to modify the EXE header and the relocation pointer table, and add its own code to the load module. This can be done in many ways. Memory resident viruses remain in memory after the virus code has been initialized. They take control of the system and allocate a block of memory for their own code. They remain in memory while other programs run and infect them. File infecting viruses can be memory resident as well. Macro viruses are written in macro languages and infect files that make use of the particular language. A macro is a series of steps that could otherwise be typed, selected, or configured, but are stored in a single location so they can be automated. Macro languages allow more sophisticated macro development and environment control, such as manipulating and creating files, changing menu settings, and much more. In basic viruses, the entry point code is modified to give execution control to the virus code; detection is trivial using search strings. Polymorphic viruses apply encryption to their body to prevent detection using search strings. Some advanced metamorphic viruses re-program themselves with little pieces of viral code scattered throughout the host and with garbage code in between.
Metamorphic viruses have neither a decryptor nor a constant virus body, as polymorphic viruses do. Nevertheless, they are able to create new generations that look different. They do not use a data area filled with string constants but have one single code body that carries data as code.

INTRODUCTION Replication Basic virus Polymorphic virus Metamorphic virus

INTRODUCTION Metamorphic viruses transform their code as they propagate. The main goal of metamorphism is to change the appearance of the virus while keeping its functionality. To achieve this, metamorphic viruses use several metamorphic transformations, such as register usage exchange, code permutation, code expansion, code shrinking, and garbage code insertion.

METAMORPHIC TECHNIQUES (BASIC) Garbage code insertion Register usage exchange Permutation techniques Insertion of jump instructions Instruction replacement Host code mutation Code integration

GARBAGE CODE INSERTION The Win32/Evol virus – July 2000 Win95/Bistro virus – October 2000

REGISTER USAGE EXCHANGE Win95/Regswap virus – Vecna - 1998

PERMUTATION TECHNIQUES Dividing the code into frames, then positioning the frames randomly and connecting them with branch instructions to maintain the process flow. The Win32/Ghost virus – May 2000

INSERTION OF JUMP INSTRUCTIONS The virus creates new generations by inserting jump instructions within its code. Win95/Zperm virus – June 2000

INSTRUCTION REPLACEMENT Metamorphic viruses replace some of their instructions with other, equivalent instructions. The types of instruction replacement include: reversing of branch conditions; register moves replaced by push/pop sequences; alternative opcode encoding; xor/sub and or/test interchanging. Other techniques: Host code mutation, Code integration

METAMORPHIC VIRUS DETECTION Geometric detection; Wildcard string and half-byte scanning; Code disassembling; Using emulators; Code transformation detection; Subroutine depermutation; Using regular expressions and DFAs

GEOMETRIC DETECTION Geometric detection is based on the modifications that a virus makes to the file structure. For example, if the data section of a file grows by at least 32KB when it is infected by an encrypted version of the virus, the file might be reported as infected whenever the virtual size of its data section is at least 32KB larger than its physical size.
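The 32KB rule above, written out as an added example (not code from the presentation or from any antivirus product): it reads the PE section table and flags a `.data` section whose VirtualSize exceeds SizeOfRawData by at least the threshold. The PE image it scans is a constructed minimal header-only file, and the `.data` name and 32KB threshold are the assumptions taken from the slide.

```python
import struct

DATA_SECTION_THRESHOLD = 32 * 1024  # the 32KB bound from the slide

def build_minimal_pe(sections):
    """Constructed test data: a PE image holding only the DOS header,
    PE signature, COFF header (no optional header) and section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    table = b""
    for name, vsize, rawsize in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize,
                             0x1000, rawsize, 0x400, 0, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff + table

def parse_sections(image):
    """Return (name, virtual_size, raw_size) for every section header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    pos = coff + 20 + opt_size          # section table follows the optional header
    out = []
    for _ in range(nsections):
        name, vsize, _va, rawsize = struct.unpack_from("<8sIII", image, pos)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize))
        pos += 40
    return out

def geometric_suspects(image, threshold=DATA_SECTION_THRESHOLD):
    """Names of data sections whose in-memory size outgrows the on-disk size
    by at least the threshold, the geometric heuristic from the slide."""
    return [name for name, vsize, raw in parse_sections(image)
            if name == ".data" and vsize - raw >= threshold]

# Constructed samples: a clean file and one whose .data grew by 32KB in memory only.
CLEAN = build_minimal_pe([(b".text", 0x2000, 0x2000), (b".data", 0x800, 0x800)])
SUSPECT = build_minimal_pe([(b".text", 0x2000, 0x2000),
                            (b".data", 0x800 + 32 * 1024, 0x800)])
```

A virtual size larger than the raw size is also what a legitimately large uninitialised data area looks like, so this check is a heuristic that needs corroboration from the other methods on the page.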

WILDCARD STRING & HALF BYTE SCANNING It is obvious that many common opcodes remain constant across all generations of the Regswap virus. This makes it possible to extract usable search strings with wildcards.
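An added example of half-byte scanning (my own code, not the presentation's): a signature is written in hex nibbles with `?` as a wildcard nibble, so the constant high nibble of one-byte register opcodes such as push (50+r), pop (58+r) and mov r32,imm32 (B8+r) survives a register swap while the register nibble is ignored. The two "generations" are constructed byte strings that differ only in register choice, as Regswap would produce.

```python
import re

def compile_half_byte_signature(signature):
    """Turn a nibble signature ('?' = any nibble, '??' = any byte) into a
    regex over the hex dump of a buffer."""
    nibbles = signature.replace(" ", "").lower()
    if len(nibbles) % 2:
        raise ValueError("signature must cover whole bytes")
    return re.compile("".join("." if n == "?" else re.escape(n) for n in nibbles))

def scan(data, signature):
    """Byte offsets at which the signature matches; only even hex positions
    are byte boundaries, so we never match starting mid-byte."""
    pattern = compile_half_byte_signature(signature)
    hexdump = data.hex()
    return [off // 2 for off in range(0, len(hexdump), 2)
            if pattern.match(hexdump, off)]

# Constructed generation A: push eax / mov eax,0x1234 / xor ecx,ecx / pop eax
GEN_A = bytes.fromhex("50 b8 34 12 00 00 33 c9 58")
# Constructed generation B, registers exchanged: push ebx / mov ebx,0x1234 / xor edx,edx / pop ebx
GEN_B = bytes.fromhex("53 bb 34 12 00 00 33 d2 5b")
# Constructed near miss: same shape, different immediate
OTHER = bytes.fromhex("50 b8 78 56 00 00 33 c9 58")

# Register nibble of push/mov/pop wildcarded; the xor ModRM byte carries the
# register in both nibbles, so it is wildcarded whole; the immediate stays fixed.
SIGNATURE = "5? B? 34 12 00 00 33 ?? 5?"

def matches_both_generations():
    """True if one half-byte signature catches both constructed generations."""
    return scan(GEN_A, SIGNATURE) == [0] and scan(GEN_B, SIGNATURE) == [0]
```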

USING EMULATORS Code emulation implements a virtual machine to simulate the CPU and memory management system and executes malicious code inside the virtual machine. Antivirus scanners can run code inside an emulator and examine it periodically or when interesting instructions are executed.

CODE TRANSFORMATIONS Code transformation is a method for undoing the transformations previously applied by the virus. It converts mutated instructions into their simplest form, where combinations of instructions are transformed into an equivalent but simpler form. After the transformation, the common code exhibited by the virus can be identified.
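An added example of the normalisation step described above (my own code, not from the presentation or from any scanner). It works on a textual x86 listing and undoes the substitutions listed under INSTRUCTION REPLACEMENT (push/pop back to mov, sub/or back to xor/test), drops garbage instructions, and renames registers in order of first use so that register exchange no longer changes the result; the two generations are constructed listings and the instruction set handled is only what the slides name.

```python
import re

# Garbage a metamorphic engine inserts; none of it changes register contents (flags ignored).
GARBAGE = [re.compile(p) for p in (
    r"^nop$", r"^mov (\w+), \1$", r"^xchg (\w+), \1$", r"^(add|sub|xor|or) \w+, 0$")]
REGS = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi)\b")

def normalize(listing):
    """Canonical form of a listing: drop garbage, undo equivalent-instruction
    substitutions, then rename registers r0, r1, ... in order of first use."""
    lines = [re.sub(r"\s+", " ", l.strip().lower())
             for l in listing.splitlines() if l.strip()]
    lines = [l for l in lines if not any(g.match(l) for g in GARBAGE)]
    out, i = [], 0
    while i < len(lines):
        cur = lines[i]
        push = re.match(r"^push (\w+)$", cur)
        pop = re.match(r"^pop (\w+)$", lines[i + 1]) if push and i + 1 < len(lines) else None
        if push and pop:                                        # push A / pop B -> mov B, A
            out.append(f"mov {pop.group(1)}, {push.group(1)}")
            i += 2
            continue
        cur = re.sub(r"^sub (\w+), \1$", r"xor \1, \1", cur)    # both zero the register
        cur = re.sub(r"^or (\w+), \1$", r"test \1, \1", cur)    # both only set flags from it
        out.append(cur)
        i += 1
    names = {}
    def canon(m):
        return names.setdefault(m.group(1), f"r{len(names)}")
    return [REGS.sub(canon, l) for l in out]

# Two constructed generations of one routine: B has exchanged registers,
# a push/pop pair instead of mov, sub/or instead of xor/test, and garbage.
GEN_A = """
xor eax, eax
mov ebx, 0x1234
mov ecx, ebx
test ecx, ecx
jne done
"""
GEN_B = """
nop
sub edx, edx
mov esi, 0x1234
add esi, 0
push esi
pop edi
or edi, edi
jne done
"""
```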

CONCLUSIONS

BIBLIOGRAPHY
[1] F. Cohen. Computer viruses: theory and experiments. Comput. Secur., 6(1):22–35, 1987.
[2] Peter Szor. The Art of Computer Virus Research and Defense. Addison Wesley Professional, 1st edition, February 2005.
[3] Rodelio G. Finones and Richard T. Fernandez. Solving the metamorphic puzzle. Virus Bulletin, pages 14–19, March 2006.
[Video] 10 Devastating Computer Viruses

THANK YOU!