
Challenges in Building and Detecting Portable Source Code Morphers



Presentation on theme: "Challenges in Building and Detecting Portable Source Code Morphers"— Presentation transcript:

1 Challenges in Building and Detecting Portable Source Code Morphers
By: Rodrigo Sardinas
TSYS School of Computer Science, Columbus State University
Research Supervisor: Radhouane Chouchane

2 Portable Source Code Morphers / Rodrigo Sardinas
Why does this matter?
Metamorphic malware
  Most sophisticated form of malware
  Re-written each iteration: each succeeding version of the code differs from the preceding one
Diagram: the same malware across successive versions versus AV signatures. A signature updated for the previous version still won't match the next version, so it won't work now.
1/3/2019 Portable Source Code Morphers / Rodrigo Sardinas

3 Why does this matter?
On Nov. 3, 1983: experimental virus to test security policies [1]
  The first virus (the term "virus" was first thought of by Len Adleman)
  Total system rights granted in under 5 minutes
  After the results: afraid to continue; more security policies implemented

4 Our Experiment
Win32/Apparition (similar)
  C
  Insert / remove garbage
  Recompile
  Simpler to change the code in source format [2]
Our research
  C++
  Alter code
  Make and compile new version of source
Our goal
  Better understand the process to aid in detecting other metamorphic code

5 Making Metamorphic Malware
Which platform
Which language
Finding suitable compilers (Peter Szor Win32 example)
Which techniques you will use

6 Techniques Commonly Used in Metamorphic Malware [3][5]
NOP instructions
Switching registers
Function reordering
Program flow modification
Garbage insertion
Variable substitution

7 String Example
We will be changing this code:

    void test(){
        string a = "A";
        string b = "B";
        string c = "C";
        for(int i = 0; i < 5; i++){
            cout<<a;
        }
    }

Into this code:

    void test(){
        string newString = "A";
        string b = "B";
        string c = "C";
        int i = 0;
        while( i < 5){
            cout<<newString;
            i++;
        }
    }

8 Changing the Code
Finding what needs to be changed
  Be specific
  Search methods
  Markers
Has to keep functionality (this is one way to "detect" metamorphic viruses)
Example: variables

9 Changing the Code
We want to change a variable inside this method, so we begin by searching for the method.
Be specific: these words appear more than once in the code. How does the computer know which one you're referring to?

    string toChange = "void test(){";
    string quot = "\"";
    // line is the current line of the source file (see the next slide)
    size_t pos = line.find(toChange);   // is the method header on this line?
    size_t pPos = line.find(quot);      // is there a quotation mark on this line?
    if(pos!=string::npos){
        if(pPos==string::npos){
            // the real method, not the string literal "void test(){"
        }
    }

First we check for the presence of the string. If it is absent, we keep searching. Next we check for the presence of a quotation mark. This distinguishes the string "void test(){" from the actual method that we are looking for.

10 Changing the Code
Has to keep functionality: change variables everywhere they are used.

    //Change Variable
    posVar = line.find(changeVar);
    if(posVar!=string::npos) {
        line.replace( line.find(changeVar),        // find the item you're changing
                      changeVar.length(),          // length of the item you're replacing
                      "string newString = \"A\""); // item you will be replacing it with
    }
    //Change variable where it is used to new one
    posVar2 = line.find(changeUse);
    if(posVar2!=string::npos)
        line.replace( line.find(changeUse), changeUse.length(), "cout<<newString;");

11 Changing the Code
Search methods / methods to alter the file
  Search char
  Scan line & search string
  Save file (line by line) into an array of strings

12 Example of Marker code
Note the markers here. In our case just string comments.
We will be changing this:

    void malware(){ //Change this //B
        int i;
        string a = "A";
        string b = "B";
        string c = "C";
        for(i=0;i<5;i++){
            cout<<a;
        }
    }

To this:

    void malware(){ //Change this //B
        int i;
        string newString = "A";
        string b = "B";
        string c = "C";
        for(i=0;i<5;i++){
            cout<<newString;
        }
    }

13 Markers
What could be markers? Strings, hash, calculation
Finding the markers vs. finding the specific thing to change in the source
Pros / cons to using markers
What makes a good marker? Stealth
Morphing markers
  Introduces more complexity, but allows for more powerful morphing
  Harder to detect
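An added analyst-side example, not code from the presentation: a small Python normalizer that undoes the variable substitution shown on slides 7 and 12 by renaming identifiers canonically and dropping comments, so the "before" and "after" versions of malware() hash to the same fingerprint, and that flags the "//Change this" marker comments from slide 12. The sample sources, the KEYWORDS set and the marker pattern are my own constructions; the for-to-while rewrite from slide 7 is included to show that this lexical normalization does not match a control-flow change.

```python
import hashlib
import re

# Constructed samples reproducing the slide 12 "before"/"after" functions and the
# slide 7 for->while rewrite (closing braces added); not taken from any real sample.
BEFORE = '''void malware(){ //Change this //B
int i; string a = "A"; string b = "B"; string c = "C";
for(i=0;i<5;i++){ cout<<a; } }'''
AFTER = '''void malware(){ //Change this //B
int i; string newString = "A"; string b = "B"; string c = "C";
for(i=0;i<5;i++){ cout<<newString; } }'''
LOOP_REWRITE = '''void test(){ string newString = "A"; string b = "B"; string c = "C";
int i = 0; while( i < 5){ cout<<newString; i++; } }'''

# Names that belong to the language/library rather than being author-chosen (assumed list).
KEYWORDS = {"void", "int", "string", "for", "while", "if", "else", "return", "cout"}
# Comments, string literals, identifiers, numbers, then any single punctuation char.
TOKEN = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\])*"|[A-Za-z_]\w*|\d+|\S', re.S)

def normalize(src):
    """Canonical token stream: comments (markers) dropped, whitespace collapsed,
    author-chosen identifiers renamed v0, v1, ... in order of first appearance."""
    names, out = {}, []
    for tok in TOKEN.findall(src):
        if tok.startswith(("//", "/*")):
            continue
        if re.fullmatch(r"[A-Za-z_]\w*", tok) and tok not in KEYWORDS:
            tok = names.setdefault(tok, f"v{len(names)}")
        out.append(tok)
    return " ".join(out)

def fingerprint(src):
    """Hash of the normalized stream: unchanged by variable substitution."""
    return hashlib.sha256(normalize(src).encode()).hexdigest()

def find_markers(src, pattern=r"//\s*Change this\b.*"):
    """Report lines carrying the morpher's own anchor comments ('//Change this //B')."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = re.search(pattern, line)
        if m:
            hits.append((lineno, m.group(0)))
    return hits

if __name__ == "__main__":
    print("rename matched:      ", fingerprint(BEFORE) == fingerprint(AFTER))
    print("loop rewrite matched:", fingerprint(BEFORE) == fingerprint(LOOP_REWRITE))
    print("markers in AFTER:    ", find_markers(AFTER))
```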

14 Code Content Distribution
Majority of code devoted to transforming the code: some metamorphic viruses devote up to 90% of their code to their metamorphic engine [4]
(Chart: Malicious Code/Decryptors vs. Metamorphic Engine)

15 Limitations & Directions for Further Work
Learning C++ I/O methods (best)
  Ex: matching markers problem
Assembly
  Possible to write assembly from C++
  Make more techniques available
Markers
  Stealthy markers
  Hashes
Code transformation
  Garbage insertion
Portability issues
  Network
  Permissions on host computer
Script viruses

16 Conclusion
Creating allows you to see common factors
Understanding difficulties gives insight into malware weaknesses
Fairly new, expect to see more
"The networked enterprise allows metamorphic binary worms to cause major problems. As a result, we will not be able to turn a blind eye to them and say 'we do not need to handle them since they are not causing problems to our users.' They will." [2] Peter Szor (Security Architect for Symantec Security Response)
People already working on this very thing [6]
Malfunction

17 References
[1] Fred Cohen, Experiments with Computer
[2] Peter Szor, Hunting for
[3] Chet Hosmer, Polymorphic & Metamorphic Malware
[4] Phillipe Beaucamps, Advanced Metamorphic Techniques in Computer
[5] Jean-Marie Borello, Code Obfuscation Techniques for Metamorphic

