1 HUNTING FOR METAMORPHIC
Péter Ször and Peter Ferrie, Symantec Corporation
VIRUS BULLETIN CONFERENCE ©2001
Presented by Stephen Karg, November 8, 2005
CS510 – Advanced Security, Portland State University

2 Overview
- Win32 virus evolution
- Polymorphism to metamorphism
- Detection techniques
- Counter-measures, counter-counter-measures, … ad nauseam
- Potential “future” virus (worm) developments

3 Virus Scanners
- The dominant market solution to the virus problem, and the focus of this paper.
- Other defenses exist, however (integrity checking, behavior blocking).
- Scanners typically search files for a virus signature (byte strings taken from known malware).
- Main challenge: virus code obfuscation (randomize, randomize, randomize!).

4 Virus Evolution: Encrypted Viruses
- The easiest way to hide functionality: send a (plain-text) decryptor along with the encrypted virus body.
- Counter-measure: AV products simply start looking for decryptor signatures.
- Counter-counter-measure: randomized decryptors.

5 Polymorphic Viruses
- Permute the decryptor using different methods (XOR, multiple layers of encryption, etc.).
- Polymorphism is about changing appearance; the decrypted virus body is the same every time.
- When the virus eventually reveals itself, even in a brief window, this snapshot of the core virus code is very useful to AV.

6 Metamorphic Viruses
- Metamorphism is about altering the virus code body itself.
- Behavior and functionality change, so the virus is much harder to profile.
- Win32/Apparition: the first evolving virus that does not rely on polymorphic decryptors.
- The virus carries its own source code and recompiles itself on the host (if a compiler is installed).
- Randomly inserts and removes junk code.

7 Polymorphic vs. Metamorphic (diagram slide; image not in transcript)

8 Simple Metamorphism: Win32/Ghost (May 2000)
- Module reordering is used to alter the global signature.
- m! permutations (10 modules gives about 3.6 million possible signatures).
- Counter-measure: string detection on a finer-grained subset of the code, which is more resilient to change.

9 Simple Metamorphism: Win95/Regswap (December 1998)
- Two generations of the same code:

  Generation A:
  5A              pop edx
  BF04000000      mov edi,0004h
  8BF5            mov esi,ebp
  B80C000000      mov eax,000Ch
  81C288000000    add edx,0088h
  8B1A            mov ebx,[edx]
  899C8618110000  mov [esi+eax*4+00001118],ebx

  Generation B:
  58              pop eax
  BB04000000      mov ebx,0004h
  8BD5            mov edx,ebp
  BF0C000000      mov edi,000Ch
  81C088000000    add eax,0088h
  8B30            mov esi,[eax]
  89B4BA18110000  mov [edx+edi*4+00001118],esi

- Unchanged bytes were underlined on the slide (the underlining is lost in this transcript), so wildcard-string detection should still spot the virus (e.g. 81****181100008B**…).

10 Complex Metamorphism: Win32/Evol (July 2000)
- Implements a metamorphic engine that uses machine-code instruction equivalences. Also inserts garbage.

  a. An early generation:
  C7060F000055    mov dword ptr [esi],5500000Fh
  C746048BEC5151  mov dword ptr [esi+0004],5151EC8Bh

  b. And one of its later generations:
  BF0F000055      mov edi,5500000Fh
  893E            mov [esi],edi
  5F              pop edi
  52              push edx
  B640            mov dh,40
  BA8BEC5151      mov edx,5151EC8Bh
  53              push ebx
  8BDA            mov ebx,edx
  895E04          mov [esi+0004],ebx

- The magic DWORDs (e.g. 5500000Fh) change as well, so wildcard-string detection fails after the 3rd generation.
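The wildcard-string scanning that slides 9 and 10 talk about, as an added example (this is not code from the paper or from Symantec). The byte listings are transcribed from the two slides; the wildcard patterns, the signature table and the helper names (compile_pattern, find_pattern, scan) are this example's own construction. It shows why a masked string survives Regswap's register swap but a plain string does not, and why neither survives Evol's re-encoding of the same instructions.

```python
"""Wildcard byte-string scanning, the AV technique slides 9 and 10 discuss.

Added example, not code from the paper or from Symantec. The byte listings
are transcribed from the slides (two Win95/Regswap generations, two Win32/Evol
generations); the wildcard patterns and the signature table are this
example's own construction.
"""
from typing import Dict, List, Optional

WILD = None  # marker for a "don't care" byte in a compiled pattern


def compile_pattern(text: str) -> List[Optional[int]]:
    """'81 ?? 88' -> [0x81, None, 0x88]; '??' is a one-byte wildcard."""
    return [WILD if tok == "??" else int(tok, 16) for tok in text.split()]


def find_pattern(data: bytes, pattern: List[Optional[int]]) -> Optional[int]:
    """Offset of the first occurrence of pattern in data, or None."""
    for off in range(len(data) - len(pattern) + 1):
        if all(want is WILD or data[off + i] == want
               for i, want in enumerate(pattern)):
            return off
    return None


def scan(data: bytes, signatures: Dict[str, str]) -> List[str]:
    """Names of all signatures that occur in data, sorted."""
    return sorted(name for name, pat in signatures.items()
                  if find_pattern(data, compile_pattern(pat)) is not None)


# Win95/Regswap, the two generations from slide 9 (same code, registers swapped).
REGSWAP_GEN_A = bytes.fromhex(
    "5A" "BF04000000" "8BF5" "B80C000000" "81C288000000" "8B1A" "899C8618110000")
REGSWAP_GEN_B = bytes.fromhex(
    "58" "BB04000000" "8BD5" "BF0C000000" "81C088000000" "8B30" "89B4BA18110000")

# Constructed pattern: keep the opcode bytes and the 0088h / 00001118h
# displacements, wildcard the ModRM/SIB bytes that encode the swapped registers.
REGSWAP_WILDCARD = "81 ?? 88 00 00 00 8B ?? 89 ?? ?? 18 11 00 00"
# A plain (non-wildcard) string taken from generation A, for comparison.
REGSWAP_EXACT_A = "81 C2 88 00 00 00 8B 1A 89 9C 86 18 11 00 00"

# Win32/Evol, the early and later generation from slide 10.
EVOL_EARLY = bytes.fromhex("C7060F000055" "C746048BEC5151")
EVOL_LATER = bytes.fromhex(
    "BF0F000055" "893E" "5F" "52" "B640" "BA8BEC5151" "53" "8BDA" "895E04")
EVOL_EXACT_EARLY = "C7 06 0F 00 00 55 C7 46 04 8B EC 51 51"
EVOL_MAGIC_DWORD = "0F 00 00 55"   # 5500000Fh, little-endian

SIGNATURES = {"Win95/Regswap": REGSWAP_WILDCARD,
              "Win32/Evol (early gen)": EVOL_EXACT_EARLY}


if __name__ == "__main__":
    for label, blob in [("Regswap A", REGSWAP_GEN_A), ("Regswap B", REGSWAP_GEN_B),
                        ("Evol early", EVOL_EARLY), ("Evol later", EVOL_LATER)]:
        print(f"{label:11s} -> {scan(blob, SIGNATURES)}")
```

The wildcard pattern hits both Regswap generations at offset 13, while the exact string from generation A misses generation B. For Evol, the early-generation string misses the later generation because the instructions themselves were re-encoded; a pattern on the magic DWORD alone still hits both listed generations, but the slide notes that those constants change too after the third generation, so even that last anchor goes away.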

11 Complex Metamorphism: Win95/Zperm (September 2000)
- Also inserts garbage instructions.
- Replaces single instructions with equivalent ones (e.g. xor eax,eax → sub eax,eax).
- Reorders code using jump instructions, so search-string detection will not work.
- Permutations are n!, where n = number of core virus code instructions.

12 Zperm example (diagram slide; image not in transcript)

13 Host Mutation: Bistro, Smorph, Zmist
- The virus mutates not only itself but the host application; this randomizes the point of entry.
- Metamorphism is extended to virus behavior, not just its signature.
- Infected files are harder to repair, and far less predictable.
- Detection must be algorithmic (emulator or VM analysis).

14 Advanced Metamorphic Engines: Zmist
- The most complex binary virus encountered to date (as of the paper).
- A little bit of everything discussed so far.
- Does not simply append a virus code segment but actually integrates itself into the host code.
- Moves code blocks, inserts instructions, changes branches and regenerates all surrounding code, data references, even the checksum.
- A random entry point means the virus may never receive control (branch not taken).
- 3 different types of infection, each with its own probabilistic behavior.

15 Detection Techniques: Geometric Detection
- Uses ‘shape heuristics’: analyzes changes made to the file structure, e.g. suspicious memory block allocations.
- Prone to false positives.
- Used in conjunction with virus infection markers, it can reduce the number of false positives.

16 Detection Techniques: Disassembly
- Can be useful for avoiding false positives: the byte sequence …66 3D 4D 5A… is a common red flag (an EXE header check?), but is it CMP AX,‘ZM’ or the immediate of MOV EDI,5A4D3D66h? Only decoding from the correct instruction boundary tells them apart.
- Combined with a state machine, the scanner can try to isolate “interesting” instructions from garbage, NOPs, jumps, etc.
- Could thwart viruses that insert lots of garbage but keep the core instructions in the same order.
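The disassembly-plus-state-machine idea of slide 16, applied to the three Zperm tricks of slide 11 (garbage insertion, equivalent-instruction substitution, jump-based reordering) and to Regswap's register swap, as an added example that is not code from the paper. It works over a textual disassembly rather than raw bytes, so it assumes the listing format shown in the constructed samples (one instruction per line, optional labels ending in a colon, comments after a semicolon); the function names, the "zero" pseudo-op and the r0/r1 register naming are this example's own.

```python
"""Normalizing a disassembly before matching, as slides 11 and 16 describe.

Added example, not code from the paper. A toy state machine over a textual
disassembly: it follows unconditional jmps so jump-based reordering (Zperm
style) is linearized, drops NOPs and adjacent push X / pop X garbage pairs,
folds equivalences such as xor r,r == sub r,r == mov r,0, and renames
registers in order of first use so a register swap (Regswap style) does not
change the result. The listings below are constructed, not real virus code.
A real scanner would feed this from an x86 decoder and would need a flag
model (xor sets flags, mov does not), which this toy deliberately ignores.
"""
import re
from typing import Dict, List, Tuple

Instr = Tuple[str, List[str]]
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p)\b")


def parse(listing: str) -> Tuple[List[Instr], Dict[str, int]]:
    """(op, args) tuples plus a map from label name to instruction index."""
    instrs, labels = [], {}
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()            # drop comments
        if not line:
            continue
        if line.endswith(":"):                         # label -> next instruction
            labels[line[:-1]] = len(instrs)
            continue
        op, _, rest = line.partition(" ")
        instrs.append((op.lower(), [a.strip() for a in rest.split(",")] if rest else []))
    return instrs, labels

def linearize(instrs: List[Instr], labels: Dict[str, int]) -> List[Instr]:
    """Walk from the entry following jmps; stop at ret, end of code, or a loop."""
    out, pc, seen = [], 0, set()
    while pc < len(instrs) and pc not in seen:
        seen.add(pc)
        op, args = instrs[pc]
        if op == "jmp":
            pc = labels[args[0]]
            continue
        out.append((op, args))
        if op == "ret":
            break
        pc += 1
    return out

def strip_garbage(seq: List[Instr]) -> List[Instr]:
    """Remove NOPs and a push X immediately followed by pop X (a no-op pair)."""
    out: List[Instr] = []
    for op, args in seq:
        if op == "nop":
            continue
        if op == "pop" and out and out[-1] == ("push", args):
            out.pop()
            continue
        out.append((op, args))
    return out

def fold_equivalences(seq: List[Instr]) -> List[Instr]:
    """Map known-equivalent forms onto one canonical pseudo-op (flags ignored)."""
    out: List[Instr] = []
    for op, args in seq:
        if op in ("xor", "sub") and len(args) == 2 and args[0] == args[1]:
            out.append(("zero", [args[0]]))            # xor r,r / sub r,r
        elif op == "mov" and len(args) == 2 and args[1] in ("0", "0h"):
            out.append(("zero", [args[0]]))            # mov r,0
        else:
            out.append((op, args))
    return out

def rename_registers(seq: List[Instr]) -> List[Instr]:
    """Replace eax, ebx, ... by r0, r1, ... in order of first appearance."""
    names: Dict[str, str] = {}

    def canon(m: "re.Match") -> str:
        return names.setdefault(m.group(0), f"r{len(names)}")

    return [(op, [REG_RE.sub(canon, a) for a in args]) for op, args in seq]

def normalize(listing: str) -> str:
    """Canonical text of the reachable instruction stream; compare as a signature."""
    instrs, labels = parse(listing)
    seq = rename_registers(fold_equivalences(strip_garbage(linearize(instrs, labels))))
    return "\n".join(f"{op} {', '.join(args)}".rstrip() for op, args in seq)

# Constructed samples. MUTATED is ORIGINAL after Zperm-style mutation: blocks
# reordered via jmps, a push/pop pair and a nop inserted, xor r,r rewritten
# as sub r,r, and registers swapped.
ORIGINAL = """
    xor eax, eax
    mov ebx, [esi+0Ch]
    add ebx, eax
    mov [edi], ebx
    ret
"""
MUTATED = """
    jmp part2
part3:
    push ecx            ; garbage pair
    pop ecx
    add edx, ecx
    nop
    jmp part4
part2:
    sub ecx, ecx        ; same as xor ecx, ecx
    mov edx, [ebx+0Ch]
    jmp part3
part4:
    mov [esi], edx
    ret
"""
```

normalize(MUTATED) == normalize(ORIGINAL) holds, so a signature taken over the normalized stream ("zero r0", "mov r1, [r2+0Ch]", ...) matches both, which a search string over the raw listing never would. Note the limits this toy shares with the slide's approach: it only undoes the rewrites it knows about, and the push/pop rule only catches adjacent pairs, so garbage that interleaves with real work (as in the Evol listing on slide 10) passes through untouched.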

17 Detection Techniques: Interactive AV Scanning Engines
- Key to any good anti-metamorphic AV software.
- A CPU emulator allows the virus to execute in a virtual sandbox.
- Trap and test for specific behaviors known a priori, e.g. when the ACG virus reaches instruction i, registers a and b have values x and y.
- Can also do stack analysis (Evol).

18 Detection Techniques: Emulator-Based Heuristics
- Zero-day exploits: heuristic analysis of suspicious behavior (if it walks like a virus and talks like a virus…).
- VMs allow a deeper level of analysis than a CPU emulator, with fewer false positives.
- Limitations:
  1. Hard to virtualize everything.
  2. Performance issues.
  3. Easy counter-measures for emulator evasion: no active internet connection? Do nothing. Random behavior: infect on Sundays only. Insert lots of benign behavior before the payload (Zperm).
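The emulator-with-traps idea of slide 17 and the step-budget limitation of slide 18, as an added example that is not code from the paper. It assumes a toy register machine (mov, add, xor, dec, jmp, jnz, ret, plus a memory-xor step) instead of real x86, and its programs, trap names and budgets are constructed; the value 5500000Fh is the Win32/Evol immediate from slide 10, reused here purely as a sample decryption key.

```python
"""Behavioral traps in a CPU emulator, the idea behind slides 17 and 18.

Added example, not code from the paper. A toy 32-bit register machine runs a
sample in a sandbox; a trap is a predicate checked each time a given opcode is
about to execute ("when the code reaches instruction i, register r holds x").
A step budget models the performance limit, and the STALLING sample shows the
evasion the slide mentions (lots of benign work before the payload). Programs,
traps and budgets are constructed; 5500000Fh is the Win32/Evol immediate from
slide 10, reused here only as a sample decryption key.
"""
from typing import Callable, Dict, List, Sequence, Tuple

MASK = 0xFFFFFFFF
Regs = Dict[str, int]
Trap = Tuple[str, str, Callable[[List[str], Regs], bool]]   # (name, opcode, predicate)


def _val(tok: str, regs: Regs) -> int:
    """Operand value: a register name or a hex immediate."""
    return regs[tok] if tok in regs else int(tok, 16)


def emulate(program: Sequence[Tuple[str, ...]], traps: Sequence[Trap],
            max_steps: int = 10_000) -> str:
    """Run program; return 'match:<trap>', 'clean' (ret or fall off), or 'undecided'."""
    regs: Regs = {r: 0 for r in ("eax", "ebx", "ecx", "edx", "esi", "edi")}
    pc = 0
    for _ in range(max_steps):
        if pc >= len(program):
            return "clean"
        op, *args = program[pc]
        for name, trap_op, pred in traps:          # test traps before executing
            if op == trap_op and pred(args, regs):
                return f"match:{name}"
        if op == "mov":
            regs[args[0]] = _val(args[1], regs)
        elif op == "add":
            regs[args[0]] = (regs[args[0]] + _val(args[1], regs)) & MASK
        elif op == "xor":
            regs[args[0]] ^= _val(args[1], regs)
        elif op == "dec":
            regs[args[0]] = (regs[args[0]] - 1) & MASK
        elif op == "xor_mem":                      # xor [args[0]], args[1]; memory not modeled
            pass
        elif op == "jmp":                          # jump targets are decimal indexes
            pc = int(args[0])
            continue
        elif op == "jnz":                          # toy form: jnz reg, target
            if regs[args[0]] != 0:
                pc = int(args[1])
                continue
        elif op == "ret":
            return "clean"
        else:
            raise ValueError(f"unknown op {op}")
        pc += 1
    return "undecided"                              # budget exhausted (limitation 2)


KEY = 0x5500000F
# Trap: a memory xor whose source register holds the known decryption key.
TRAPS: List[Trap] = [
    ("evol-like decryptor", "xor_mem", lambda args, regs: regs[args[1]] == KEY),
]

# Constructed samples. GEN_A and GEN_B are the same decrypt loop with the key
# built differently and registers swapped; STALLING prepends a long benign loop
# (the slide 18 evasion); BENIGN never touches the key.
GEN_A = [("mov", "eax", "0x5500000F"), ("mov", "edi", "0x401000"), ("mov", "ecx", "0x10"),
         ("xor_mem", "edi", "eax"), ("add", "edi", "4"), ("dec", "ecx"),
         ("jnz", "ecx", "3"), ("ret",)]
GEN_B = [("mov", "ebx", "0x55000000"), ("add", "ebx", "0xF"), ("mov", "esi", "0x401000"),
         ("mov", "edx", "0x10"), ("xor_mem", "esi", "ebx"), ("add", "esi", "4"),
         ("dec", "edx"), ("jnz", "edx", "4"), ("ret",)]
STALLING = [("mov", "ecx", "0x10000"), ("dec", "ecx"), ("jnz", "ecx", "1"),
            ("mov", "eax", "0x5500000F"), ("mov", "edi", "0x401000"), ("mov", "ecx", "0x10"),
            ("xor_mem", "edi", "eax"), ("add", "edi", "4"), ("dec", "ecx"),
            ("jnz", "ecx", "6"), ("ret",)]
BENIGN = [("mov", "eax", "1"), ("add", "eax", "2"), ("ret",)]

if __name__ == "__main__":
    for label, prog in [("GEN_A", GEN_A), ("GEN_B", GEN_B), ("BENIGN", BENIGN),
                        ("STALLING", STALLING)]:
        print(f"{label:9s} budget 10000 -> {emulate(prog, TRAPS)}")
    print(f"STALLING  budget 200000 -> {emulate(STALLING, TRAPS, max_steps=200_000)}")
```

Both decryptor generations trip the same trap even though no byte string is shared between them, because the trap is on state rather than on encoding. The stalling sample returns "undecided" under the default budget and "match" only when the budget is raised, which is exactly the trade-off slide 18 lists: a larger budget buys detection at the cost of scan time, and a scanner must decide how to treat samples that run out the clock.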

19 Future Developments
- Concepts seen here extended to distributed worm behavior.
- Self-updating viruses (they can patch too).
- More cooperative behavior among worm instances: information exchange, exporting/importing code.
- We have seen this sort of thing already: Code Red DDoS, Slapper (P2P), Nimda checking for backdoors left by the Code Red II and Sadmind/IIS worms.
- Reproductive cross-mutations (host A x virus B = ?): Darwinism meets computer security.

20 Questions? Thanks.

