Presentation is loading. Please wait.

Presentation is loading. Please wait.

Acknowledgement This lecture uses some contents from the lecture notes from: Dr. Vitaly Shmatikov CS Network Security and Privacy Introduction to.

Published byPhillip Dean Modified over 5 years ago

Similar presentations

Presentation on theme: "Acknowledgement This lecture uses some contents from the lecture notes from: Dr. Vitaly Shmatikov CS Network Security and Privacy Introduction to."— Presentation transcript:

1 CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2012

2 Acknowledgement This lecture uses some contents from the lecture notes from: Dr. Vitaly Shmatikov CS Network Security and Privacy Introduction to Computer Security, M.T. goodrich & R. Tamassia, 2011.

3 Viruses Virus propagates by infecting other programs
Automatically creates copies of itself, but to propagate, a human has to run an infected program Self-propagating malicious programs are usually called worms Many propagation methods Insert a copy into every executable (.COM, .EXE) Insert a copy into boot sectors of disks “Stoned” virus infected PCs booted from infected floppies, stayed in memory and infected every floppy inserted into PC Infect TSR (terminate-and-stay-resident) routines By infecting a common OS routine, a virus can always stay in memory and infect all disks, executables, etc.

4 Virus Phases Dormant phase. During this phase, the virus just exists—the virus is laying low and avoiding detection. Propagation phase. During this phase, the virus is replicating itself, infecting new files on new systems. Triggering phase. In this phase, some logical condition causes the virus to move from a dormant or propagation phase to perform its intended action. Action phase. In this phase, the virus performs the malicious action that it was designed to perform, called payload. This action could include something seemingly innocent, like displaying a silly picture on a computer’s screen, or something quite malicious, such as deleting all essential files on the hard drive.

5 Virus Techniques Macro viruses Stealth techniques
A macro is an executable program embedded in a word processing document (MS Word) or spreadsheet (Excel) When infected document is opened, virus copies itself into global macro file and makes itself auto-executing (e.g., gets invoked whenever any document is opened) Stealth techniques Infect OS so that infected files appear normal Used by rootkits (we’ll look at them later) Mutate, encrypt parts of code with random key

6 Viruses in P2P Networks Millions of users willingly download files
[Shin, Jung, Balakrishnan] Millions of users willingly download files KaZaA: 2.5 million users in May 2006 Easy to insert an infected file into the network Pretend to be an executable of a popular application “Adobe Photoshop 10 full.exe”, “WinZip 8.1.exe”, … ICQ and Trillian seem to be the most popular names Infected MP3 files are rare Malware can open backdoor, steal confidential information, spread spam 70% of infected hosts already on DNS spam blacklists

7 Prevalence of Viruses in KaZaA
[Shin, Jung, Balakrishnan] 2006 study of 500,000 KaZaA files Look for 364 patterns associated with 71 viruses Up to 22% of all KaZaA files infected 52 different viruses and Trojans Another study found that 44% of all executable files on KaZaA contain malicious code When searching for “ICQ” or “Trillian”, chances of hitting an infected file are over 70% Some infected hosts are active for a long time 5% of infected hosts seen in February 2006 were still active in May 2006

8 Dangerous KaZaA Queries
[Shin, Jung, Balakrishnan]

9 Stealth Techniques Mutation: virus has multiple binary variants
[Shin, Jung, Balakrishnan] Mutation: virus has multiple binary variants Defeats naïve signature-based detection Used by the most successful (i.e., widespread) viruses Tanked: 62 variants, SdDrop: 14 variants Aliasing: virus places its copies under different names into the infected host’s sharing folder “ICQ Lite .exe”, “ICQ Pro 2003b.exe”, “MSN Messenger 5.2.exe”

10 Propagation via Websites
[Moshchuk et al.] Websites with popular content Games: 60% of websites contain executable content, one-third contain at least one malicious executable Celebrities, adult content, everything except news Most popular sites with malicious content (Oct 2005) Large variety of malware But most of the observed programs are variants of the same few adware applications (e.g., WhenU)

11 Malicious Functionality
[Moshchuk et al.] Adware Display unwanted pop-up ads Browser hijackers Modify home page, search tools, redirect URLs Trojan downloaders Download and install additional malware Dialer (expensive toll numbers) Keylogging

12 Drive-By Downloads Website “pushes” malicious executable to user’s browser with inline Javascript or pop-up window Naïve user may click “Yes” in the dialog box Can also install malicious software automatically by exploiting bugs in the user’s browser 1.5% of URLs crawled in the Moshchuk et al. study Constant change Many infectious sites exist only for a short time or change substantially from month to month Many sites behave non-deterministically

13 Concealment Encrypted virus Polymorphic virus Metamorphic virus
Decryption engine + encrypted body Randomly generate encryption key +brute force decryption Detection looks for decryption engine Polymorphic virus Encrypted virus with random variations of the decryption engine (e.g., padding code) Detection using CPU emulator Metamorphic virus Different virus bodies Approaches include code permutation and instruction replacement Challenging to detect

14 Polymorphic Viruses Encrypted viruses: virus consists of a constant decryptor, followed by the encrypted virus body Relatively easy to detect because decryptor is constant Polymorphic viruses: constantly create new random encryptions of the same virus body Marburg (Win95), HPS (Win95), Coke (Win32) Virus includes an engine for creating new keys and new encryptions of the virus body Crypto (Win32) decrypts its body by brute-force key search to avoid explicit decryptor code Decryptor can start with millions of NOPs to defeat emulation

15 Anti-Virus Technologies
Simple anti-virus scanners Look for signatures (fragments of known virus code) Heuristics for recognizing code associated with viruses Polymorphic viruses often use decryption loops Integrity checking to find modified files Record file sizes, checksums, MACs (keyed hashes of contents) Often used for rootkit detection (we’ll see TripWire later) Generic decryption and emulation Emulate CPU execution for a few hundred instructions, virus will eventually decrypt, can recognize known body Does not work very well against mutating viruses and viruses not located near beginning of infected executable

16 Virus Detection by Emulation
Randomly generates a new key and corresponding decryptor code Decrypt and execute Mutation A Virus body Mutation B Mutation C To detect an unknown mutation of a known virus , emulate CPU execution of until the current sequence of instruction opcodes matches the known sequence for virus body

17 Metamorphic Viruses Obvious next step: mutate the virus body, too!
Virus can carry its source code (which deliberately contains some useless junk) and recompile itself Apparition virus (Win32) Virus first looks for an installed compiler Unix machines have C compilers installed by default Virus changes junk in its source and recompiles itself New binary mutation looks completely different! Mutation is common in macro and script viruses Macros/scripts are usually interpreted, not compiled

18 Obfuscation and Anti-Debugging
Common in worms, viruses, bots Goal: prevent analysis of code and signature-based detection; foil reverse-engineering Insert garbage opcodes and change control structure Different code in each instance Effect of code execution is the same, but difficult to detect by passive analysis Packed binaries Detect debuggers and virtual machines, terminate execution

19 Mutation / Obfuscation Techniques
Same code, different register names Regswap (Win32) Same code, different subroutine order BadBoy (DOS), Ghost (Win32) If n subroutines, then n! possible mutations Decrypt virus body instruction by instruction, push instructions on stack, insert and remove jumps, rebuild body on stack Zmorph (Win95) Can be detected by emulation because the rebuilt body has a constant instruction sequence

20 Mutation Engines Real Permutating Engine/RPME, ADMutate, etc.
Large set of obfuscating techniques Instructions are reordered, branch conditions reversed Jumps and NOPs inserted in random places Garbage opcodes inserted in unreachable code areas Instruction sequences replaced with other instructions that have the same effect, but different opcodes Mutate SUB EAX, EAX into XOR EAX, EAX or PUSH EBP; MOV EBP, ESP into PUSH EBP; PUSH ESP; POP EBP There is no constant, recognizable virus body!

21 Example of Zperm Mutation
From Szor and Ferrie, “Hunting for Metamorphic”

Download ppt "Acknowledgement This lecture uses some contents from the lecture notes from: Dr. Vitaly Shmatikov CS Network Security and Privacy Introduction to."

Similar presentations

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.

Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.
Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.

Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.
Slide 1 Adapted from Vitaly Shmatikov, UT Austin Trojans and Viruses.

Slide 1 Adapted from Vitaly Shmatikov, UT Austin Trojans and Viruses.
Slide 1 Vitaly Shmatikov CS 378 Trojans and Viruses.

Slide 1 Vitaly Shmatikov CS 378 Trojans and Viruses.
________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]

________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Copyright © 1995-2009 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
1 Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004.

1 Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004.
Chapter Nine Maintaining a Computer Part III: Malware.

Chapter Nine Maintaining a Computer Part III: Malware.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
SCSC 455 Computer Security 2011 Spring Chapter 5 Malware.

SCSC 455 Computer Security 2011 Spring Chapter 5 Malware.
CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2011.
1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 Malicious Software.

1 Ola Flygt Växjö University, Sweden Malicious Software.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
CIS3360: Security in Computing Chapter 4.2 : Viruses Cliff Zou Spring 2012.

CIS3360: Security in Computing Chapter 4.2 : Viruses Cliff Zou Spring 2012.

Similar presentations

Ads by Google