Bringing VX back to life!

Presentation on theme: "Bringing VX back to life!"— Presentation transcript:

1 Bringing VX back to life!
projectCANCER

2 About the Author
Senior Security Researcher at NSS Labs
Around 10 years of Reverse Engineering experience
Regular speaker at different SecCons

3 Outline
Definition
Abstract Virus
Types of Viruses
Detection Methods
Why Metamorphism?
Why Virtualization?
Metamorphism in the Past
New Theory
Architecture of PoC
Conclusions

4 Virus Definition
Peter Szor: “A computer virus is a program that recursively and explicitly copies a possibly evolved version of itself.”
Viruses infect other files or system areas with the intent to multiply themselves and form new generations.
With a few exceptions, viruses do not exist as stand-alone files or programs but require a host file.
Viruses require user interaction to spread.

5 Abstract Virus

PROC Infect {
    file := RandomExecutable()
    if (Marker == “VX”) {
        // host already carries the infection marker: skip it
    } else {
        PrependVirus()
    }
}

PROC Payload {
    DoSomethingEvilOrNot()
}

PROC GetPayloadTrigger {
    if (Date.Month == 10 && Date.Day == 29) {
        return true
    }
    return false
}

PROC Main {
    Infect()
    if (GetPayloadTrigger()) {
        Payload()
    }
}

6 Types of Viruses
Boot Sector
File Infectors
Memory Resident
Macro
Worms
Trojan Horses
Remote Administration Tools (RAT)
Backdoor Trojan
Network Redirection Trojan
Distributed Attacks Trojan
Spyware
Rootkits

7 Types of Viruses
Encrypted Viruses
Oligomorphic Viruses
Polymorphic Viruses
What these techniques are for:
Prevent static code analysis
Prolong the process of analysis
Prevent tampering
Evade detection

8 1st Gen Detection Methods
String Scanning
Wildcards
Mismatches
Generic Detection
Bookmarks
Top and Tail
EntryPoint/FixedPoint
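The first-generation methods on this slide are all variations of one loop: compare a byte signature at candidate offsets, allow wildcard bytes, tolerate a bounded number of mismatches, and restrict where in the file you look (top and tail, or a window after the entry point). The Python below is an added example written for this page, not code from the presentation; the signature (an x86 “delta offset” prologue), the buffers and the offsets are constructed for illustration.

```python
# Added example (not from the presentation): a first-generation string scanner
# with wildcard bytes, a mismatch budget, and the "top and tail" / entry-point
# scan windows from the slide.  Signatures and buffers here are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Signature:
    name: str
    pattern: List[Optional[int]]   # None stands for a wildcard byte ("??")
    max_mismatches: int = 0        # how many concrete bytes may differ


def parse_pattern(text: str) -> List[Optional[int]]:
    """'E8 ?? ?? 00 00 5D' -> [0xE8, None, None, 0x00, 0x00, 0x5D]"""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def match_at(buf: bytes, off: int, sig: Signature) -> bool:
    """True if sig matches buf at offset off within its mismatch budget."""
    if off < 0 or off + len(sig.pattern) > len(buf):
        return False
    misses = 0
    for i, want in enumerate(sig.pattern):
        if want is None or buf[off + i] == want:
            continue
        misses += 1
        if misses > sig.max_mismatches:
            return False
    return True


def scan(buf: bytes, sig: Signature, offsets=None) -> List[int]:
    """Offsets where sig matches; `offsets` restricts the scan window."""
    if offsets is None:
        offsets = range(len(buf))
    return [off for off in offsets if match_at(buf, off, sig)]


def scan_top_and_tail(buf: bytes, sig: Signature, n: int) -> List[int]:
    """Look only at the first and last n bytes: cheap, and where prepending
    and appending file infectors put their code."""
    head = range(0, min(n, len(buf)))
    tail = range(max(len(buf) - n, 0), len(buf))
    return sorted(set(scan(buf, sig, head) + scan(buf, sig, tail)))


def scan_at_entry(buf: bytes, sig: Signature, entry: int, n: int) -> List[int]:
    """Entry-point scanning: only the n bytes following the entry point."""
    return scan(buf, sig, range(entry, min(entry + n, len(buf))))


# Constructed sample: an x86 delta-offset prologue (call $+5 / pop ebp /
# sub ebp, imm32) placed at offset 64 of a 128-byte buffer of zeros.
DELTA_SIG = Signature("delta-offset", parse_pattern("E8 00 00 00 00 5D 81 ED ?? ?? ?? ??"))
DELTA_SIG_FUZZY = Signature("delta-offset/1", DELTA_SIG.pattern, max_mismatches=1)
_PROLOGUE = bytes.fromhex("E8 00 00 00 00 5D 81 ED 05 10 40 00")
SAMPLE = bytes(64) + _PROLOGUE + bytes(128 - 64 - len(_PROLOGUE))
# Same prologue with one byte altered (pop ebp -> pop esi): the exact
# signature misses it, the one with a mismatch budget of 1 still hits.
SAMPLE_VARIANT = SAMPLE[:69] + b"\x5E" + SAMPLE[70:]

if __name__ == "__main__":
    print("exact        :", scan(SAMPLE, DELTA_SIG))
    print("variant/exact:", scan(SAMPLE_VARIANT, DELTA_SIG))
    print("variant/fuzzy:", scan(SAMPLE_VARIANT, DELTA_SIG_FUZZY))
    print("entry window :", scan_at_entry(SAMPLE, DELTA_SIG, 64, 32))
```

The mismatch budget is what lets one signature survive small variants, and it is also why such signatures need enough fixed bytes: a short pattern with a budget of one or two quickly matches innocent code, so the windowed variants (top and tail, entry point) exist as much to cut false positives as to save scan time.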

9 2nd Gen Detection Methods
Smart Skeleton
Nearly Exact Identification
Exact Identification
Heuristic Analysis

10 Algorithmic Scanning
Filtering
Static Decryptor Detection
X-RAY Scanning
Code Emulation
Dynamic Decryptor Detection
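X-RAY scanning is the cheap answer to the encrypted and oligomorphic viruses of slide 7: rather than emulating the decryptor, the scanner assumes the virus body sits under a simple byte-wise cipher with an unknown key, derives the key from a known plaintext signature, and checks whether that one key decrypts the whole signature. The Python below is an added example for this page, not code from the presentation; the plaintext signature, the two cipher families (XOR and ADD with a single-byte key) and the encrypted images are constructed.

```python
# Added example (not from the presentation): X-RAY scanning.  Assume the body
# is encrypted byte-wise with an unknown single-byte key under a simple cipher
# (XOR or ADD), derive the key from the first byte of a known plaintext
# signature, and verify the rest.  Signature, body and keys are constructed.
from typing import Callable, Dict, List, Tuple

# decrypt(cipher_byte, key) -> plain_byte, per cipher family we try
DECRYPT: Dict[str, Callable[[int, int], int]] = {
    "xor": lambda c, k: c ^ k,
    "add": lambda c, k: (c - k) & 0xFF,      # body was encrypted by adding k
}
# the only key consistent with cipher byte c and expected plain byte p
KEY_FROM: Dict[str, Callable[[int, int], int]] = {
    "xor": lambda c, p: c ^ p,
    "add": lambda c, p: (c - p) & 0xFF,
}


def xray(buf: bytes, plain: bytes) -> List[Tuple[int, str, int]]:
    """Return (offset, cipher, key) wherever decrypting buf with one derived
    key yields the known plaintext `plain`."""
    hits = []
    for off in range(len(buf) - len(plain) + 1):
        for cipher, dec in DECRYPT.items():
            key = KEY_FROM[cipher](buf[off], plain[0])
            if all(dec(buf[off + i], key) == plain[i] for i in range(len(plain))):
                hits.append((off, cipher, key))
    return hits


def xor_encrypt(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def add_encrypt(data: bytes, key: int) -> bytes:
    return bytes((b + key) & 0xFF for b in data)


# Constructed plaintext signature: pushad / call $+5 / pop ebp, then NOP padding.
SIG = bytes.fromhex("60 E8 00 00 00 00 5D")
BODY = SIG + b"\x90" * 8
# Two constructed "infected" images: the body encrypted with XOR 0x5A or with
# ADD 0x21, each placed at offset 32 between runs of zero bytes.
IMAGE_XOR = bytes(32) + xor_encrypt(BODY, 0x5A) + bytes(32)
IMAGE_ADD = bytes(32) + add_encrypt(BODY, 0x21) + bytes(32)

if __name__ == "__main__":
    for name, img in (("xor", IMAGE_XOR), ("add", IMAGE_ADD)):
        print(name, xray(img, SIG))
```

Two practical notes: the known plaintext must contain varied bytes, since a signature of repeated values is consistent with many keys and will false-match; and the trick only covers key-independent, position-independent ciphers. A decryptor that rolls the key per byte or uses a different operation per generation is where the slide's Code Emulation and Dynamic Decryptor Detection take over.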

11 Why Metamorphism?
Undetectability
Evolution of the virus
Introduce complexity
Create job opportunities for more people in the AV industry

12 Why Virtualization?
Obfuscation alone is not enough to thwart reverse engineering
Non-virtualizing protections assume the protected program reverts to its original, unprotected state at some point during execution; at that point it can simply be dumped
Breaking/cracking virtualized code needs skills
Time consuming

13 Metamorphism in the Past
The old model, engineered by the pioneers of the concept (The Mental Driller, Vecna, Z0MBIE, Benny), follows this design:
Disassembler
Shrinker
Permutator
Expander
Assembler

14 Disassembler
Core part of the engine.
The disassembler should be able to decode every instruction of the targeted platform.
It must be able to decode the instructions that affect IP (Jcc/CALL/…).

15 Shrinker
Sometimes referred to as the Compressor.
Some metamorphic viruses lack this part.
Optimizes and reduces the generated disassembly.
Eliminates the exponential growth of size over generations (n-gen/size).
Depends on the design of the metamorphic engine.
Works in a way similar to code emulators.

16 Permutator
Not considered core metamorphism per se.
Basic part of the polymorphic engine.
Substitutes instructions with one or more equivalent variations:
xor eax, eax -> sub eax, eax
mov eax, 10 ->
    xor eax, eax
    add eax, 10

17 Expander
This part only makes sense when a Shrinker exists; some viruses nevertheless had an Expander without one, and their n-th generations grew vastly and uncontrollably.
It reverts what the Shrinker did, not necessarily exactly, but in the same manner:
mov eax, 5 ->
    xor eax, eax
    add eax, 10
    sub eax, 5

18 New Theory
Stop being random
Build engines based on rules and theories
Math can help A LOT!

19 Architecture of PoC
Pipeline: Loader (x86, x64, ARM, MIPS) -> Scanner -> Rewriter -> Data Flow Analysis
Loader:
Load the executable in memory
Determine the kind of executable to be disassembled
Determine the processor format from the executable
Decompress if necessary
Extract pointer/segment relocations

20 Architecture of PoC
Scanner:
A typical executable has one or more entry points.
Disassemble and trace every entry point, looking specifically for branch, call and return instructions.
Discover and mark all individual procedures.
Build a Control-Flow Graph (CFG) whose edges represent calls between procedures.

21 Architecture of PoC
Rewriter:
Rewrite machine-specific instructions into low-level, machine-independent instructions, better known as an Intermediate Representation (IR).
Idiomatic instruction sequences are rewritten to expressions.
From this point on, all code transformation/mutation/virtualization is processor independent.

22 Architecture of PoC
Data Flow Analysis:
Perform an interprocedural definition analysis.
Determine for each PROC the preserved registers, the modified registers, and the registers modified after a CALL to a PROC.
Interprocedural liveness analysis, to determine which registers are used as parameters and which registers carry the return values of a PROC.
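The Scanner and Data Flow Analysis stages (slides 20 and 22) are the same groundwork an analyst's tooling does when taking a binary apart, so they are worth seeing concretely. The Python below is an added example written for this page, not code from the presentation or from projectCANCER: it traces a constructed toy program from its entry point following branches, calls and returns, discovers the PROCs, builds the call graph, and then runs an interprocedural fixpoint to find which registers each PROC modifies (directly, or through the PROCs it calls) and which it preserves. The instruction set, the register set and the program listing are assumptions; addresses are symbolic and the successor of an instruction is simply the next listed address.

```python
# Added example (not from the presentation): Scanner + Data Flow Analysis on a
# constructed toy instruction set.  Traces entry points, discovers PROCs,
# builds the call graph and computes modified/preserved registers per PROC.
from typing import Dict, List, Set, Tuple

Ins = Tuple[str, List[str]]
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi"}
WRITING = {"mov", "add", "sub", "xor", "inc", "dec"}   # first operand is written

# Constructed toy program: address -> instruction.  The fall-through successor
# of an instruction is the next listed address.
PROGRAM: Dict[int, Ins] = {
    0x1000: ("mov", ["eax", "1"]),
    0x1001: ("call", ["0x2000"]),
    0x1002: ("jmp", ["0x1010"]),
    0x1010: ("add", ["ebx", "eax"]),
    0x1011: ("ret", []),
    0x2000: ("mov", ["ecx", "5"]),
    0x2001: ("jz", ["0x2003"]),
    0x2002: ("call", ["0x3000"]),
    0x2003: ("ret", []),
    0x3000: ("xor", ["edx", "edx"]),
    0x3001: ("ret", []),
}


def fallthrough(program: Dict[int, Ins], addr: int):
    keys = sorted(program)
    i = keys.index(addr)
    return keys[i + 1] if i + 1 < len(keys) else None


def trace_procedure(program: Dict[int, Ins], start: int) -> Tuple[Set[int], Set[int]]:
    """Follow control flow from `start` until every path reaches RET.
    Returns (addresses in the PROC body, set of CALL targets)."""
    body: Set[int] = set()
    calls: Set[int] = set()
    work = [start]
    while work:
        addr = work.pop()
        if addr in body or addr not in program:
            continue
        body.add(addr)
        mnem, ops = program[addr]
        if mnem == "ret":
            continue                                   # path ends here
        if mnem == "call":
            calls.add(int(ops[0], 16))                 # callee is its own PROC
            nxt = [fallthrough(program, addr)]
        elif mnem == "jmp":
            nxt = [int(ops[0], 16)]
        elif mnem.startswith("j"):                     # conditional: both edges
            nxt = [int(ops[0], 16), fallthrough(program, addr)]
        else:
            nxt = [fallthrough(program, addr)]
        work.extend(n for n in nxt if n is not None)
    return body, calls


def discover_procs(program: Dict[int, Ins], entries: List[int]):
    """Every entry point and every CALL target becomes a PROC."""
    procs: Dict[int, Tuple[Set[int], Set[int]]] = {}
    work = list(entries)
    while work:
        start = work.pop()
        if start in procs:
            continue
        procs[start] = trace_procedure(program, start)
        work.extend(procs[start][1])
    return procs


def call_graph(procs) -> Dict[int, List[int]]:
    return {s: sorted(calls) for s, (_, calls) in procs.items()}


def direct_writes(program: Dict[int, Ins], body: Set[int]) -> Set[str]:
    return {program[a][1][0] for a in body
            if program[a][0] in WRITING and program[a][1][0] in REGS}


def modified_registers(program: Dict[int, Ins], procs) -> Dict[int, Set[str]]:
    """Fixpoint: a PROC modifies what it writes itself plus whatever its
    callees modify (the registers clobbered after a CALL to that PROC)."""
    mod = {s: direct_writes(program, body) for s, (body, _) in procs.items()}
    changed = True
    while changed:
        changed = False
        for s, (_, calls) in procs.items():
            merged = set(mod[s]).union(*(mod.get(c, set()) for c in calls))
            if merged != mod[s]:
                mod[s], changed = merged, True
    return mod


def preserved_registers(program: Dict[int, Ins], procs) -> Dict[int, Set[str]]:
    return {s: REGS - m for s, m in modified_registers(program, procs).items()}


if __name__ == "__main__":
    procs = discover_procs(PROGRAM, [0x1000])
    print({hex(k): [hex(c) for c in v] for k, v in call_graph(procs).items()})
    print({hex(k): sorted(v) for k, v in modified_registers(PROGRAM, procs).items()})
```

The fixpoint loop is what makes the analysis interprocedural: the PROC at 0x1000 never touches ecx or edx itself, but it calls 0x2000, which calls 0x3000, so both registers end up in its modified set and only esi/edi are reported as preserved. The same loop handles recursion, since it iterates until no set changes rather than recursing into callees.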

23 Architecture of PoC: Infection
Pipeline: Infection -> Code Blocks Fusion -> Code Blocks DeFusion -> Code Blocks Randomizer -> Smart Trash Generator -> Virtualization -> PE Rebuilder
Set up the logic paths for the current host file
Determine the restrictions that need to be met by the host file prior to infection

24 Architecture of PoC: Code Blocks Fusion
Code that was not identified as the target of a PROC CALL gets a PROC generated for it, with fixups added for the references to it along the code.

25 Architecture of PoC: Code Blocks DeFusion
A random PROC is chosen and stripped off. Two decisions can be made at this point:
If the PROC's code is relatively small, the CALL is replaced with the PROC's code
If the code is big, a JMP is used instead

26 Architecture of PoC: Code Blocks Randomizer
The order of the PROCs is randomized.

27 Architecture of PoC: Smart Trash Generator
Trash instructions should be generated with some logic behind them.
Never use uncommon instructions unless they are found in the host.
Example trash sequence:
    xor edi, edi
    xor ebx, ebx
    add edi, ebx
    inc ebx
    add edi, ebx
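The Permutator and Expander substitutions (slides 16 and 17) and the trash sequence on this slide are all semantics-preserving rewrites, and that is exactly what a detection engine can exploit: normalize the code back to a canonical form before matching, instead of chasing every variant. The Python below is an added example written for this page, not code from the presentation or from projectCANCER. It folds constant-valued register writes back into a single mov r, imm and then drops every write that no later instruction observes. It models only a small x86 subset (mov/add/sub/xor/inc/dec on 32-bit registers and immediates, no memory operands or flags), and it takes the set of live-out registers as a caller-supplied assumption, because what counts as trash depends on which results are used afterwards; the input sequences are the slides' own examples.

```python
# Added example (not from the presentation): a defender-side normalizer that
# undoes Permutator/Expander substitutions and strips "smart trash".  Only a
# tiny x86 subset is modelled (mov/add/sub/xor/inc/dec, registers and
# immediates); the live-out register set is an assumption supplied by the caller.
from typing import Dict, List, Optional, Set, Tuple

Ins = Tuple[str, List[str]]                       # ("add", ["edi", "ebx"])
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
MASK = 0xFFFFFFFF


def parse(lines: List[str]) -> List[Ins]:
    code: List[Ins] = []
    for line in lines:
        text = line.split(";")[0].strip()          # drop comments and blanks
        if not text:
            continue
        mnem, _, rest = text.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest.strip() else []
        code.append((mnem.lower(), ops))
    return code


def fmt(ins: Ins) -> str:
    mnem, ops = ins
    return mnem + (" " + ", ".join(ops) if ops else "")


def is_imm(op: str) -> bool:
    return op not in REGS


def imm(op: str) -> int:
    return int(op, 0) & MASK                       # accepts "10" or "0x10"


def fold_constants(code: List[Ins]) -> List[Ins]:
    """Forward pass: an instruction whose destination becomes a known constant
    is rewritten as `mov dst, const`; xor r,r / sub r,r always yield 0."""
    known: Dict[str, int] = {}
    out: List[Ins] = []
    for mnem, ops in code:
        dst = ops[0] if ops else None
        val: Optional[int] = None
        if mnem in ("xor", "sub") and len(ops) == 2 and ops[0] == ops[1]:
            val = 0
        elif mnem == "mov" and len(ops) == 2:
            val = imm(ops[1]) if is_imm(ops[1]) else known.get(ops[1])
        elif mnem in ("add", "sub", "xor") and dst in known:
            src = imm(ops[1]) if is_imm(ops[1]) else known.get(ops[1])
            if src is not None:
                a = known[dst]
                val = {"add": a + src, "sub": a - src, "xor": a ^ src}[mnem] & MASK
        elif mnem in ("inc", "dec") and dst in known:
            val = (known[dst] + (1 if mnem == "inc" else -1)) & MASK
        if val is not None:
            known[dst] = val
            out.append(("mov", [dst, str(val)]))
        else:
            if dst in REGS:
                known.pop(dst, None)               # destination is now unknown
            out.append((mnem, ops))
    return out


def reads(ins: Ins) -> Set[str]:
    mnem, ops = ins
    regs = {o for o in ops if o in REGS}
    if mnem == "mov":
        regs.discard(ops[0])                       # destination is only written
    elif mnem in ("xor", "sub") and len(ops) == 2 and ops[0] == ops[1]:
        regs.clear()                               # result independent of r
    return regs


def writes(ins: Ins) -> Set[str]:
    mnem, ops = ins
    return {ops[0]} if ops and ops[0] in REGS else set()


def eliminate_dead(code: List[Ins], live_out: Set[str]) -> List[Ins]:
    """Backward liveness pass: a register write that nobody reads before the
    next write to it (and that is not live-out) is trash and is dropped."""
    live = set(live_out)
    kept: List[Ins] = []
    for ins in reversed(code):
        w = writes(ins)
        if w and not (w & live):
            continue
        live = (live - w) | reads(ins)
        kept.append(ins)
    kept.reverse()
    return kept


def normalize(lines: List[str], live_out=("eax",)) -> List[str]:
    return [fmt(i) for i in eliminate_dead(fold_constants(parse(lines)), set(live_out))]


# The slides' own sequences, as constructed inputs.
PERMUTED = ["xor eax, eax", "add eax, 10"]                   # Permutator form of mov eax, 10
EXPANDED = ["xor eax, eax", "add eax, 10", "sub eax, 5"]     # Expander form of mov eax, 5
TRASH = ["xor edi, edi", "xor ebx, ebx", "add edi, ebx", "inc ebx", "add edi, ebx"]

if __name__ == "__main__":
    for seq in (PERMUTED, EXPANDED, TRASH + ["mov eax, 10"]):
        print(seq, "->", normalize(seq))
```

With eax as the only live-out register, the slide's five-instruction trash block disappears entirely, and both the permuted and the expanded forms collapse to the single mov they stand for. Run the same trash with edi live-out and the normalizer instead reports mov edi, 1, which is what the sequence actually computes; that is the point of doing liveness rather than pattern-matching junk idioms one by one.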

28 Architecture of PoC: Virtualization
Virtualize the final code, after it first passes some tests for opcode frequency.
The VM consists of 17 DWORD registers.
Mostly 4 groups of instructions:
2-operand arithmetic instructions
1-operand arithmetic and general instructions
1-operand control-flow instructions
Memory instructions

29 Architecture of PoC: PE Rebuilder
Save a copy of the old PE image
Create the new PE image and do the fixups

30 Conclusion
The current state of malware is simplistic
Rarely is any innovation, creativity or challenge found in analyzing it
AV vendors claim an APT for any major sample they failed to catch over a long period of time
Malware ITW is more or less the same
The VX scene is pretty much dead
Respect for the old VXers and notorious groups

