Presentation is loading. Please wait.

Presentation is loading. Please wait.

METAMORPHIC VIRUS NGUYEN LE VAN.

Published byAmbrose Walters Modified over 8 years ago

Similar presentations

Presentation on theme: "METAMORPHIC VIRUS NGUYEN LE VAN."— Presentation transcript:

1 METAMORPHIC VIRUS NGUYEN LE VAN

2 OUTLINE Introduction Metamorphic techniques
Metamorphic virus detection Conclusions Bibliography

3 INTRODUCTION Virus “A program that can infect other programs by modifying them to include a possibly evolved copy of itself” - Fred Cohen(1987) Typical structure of computer virus Infect-executable Do-damage (payload) Trigger-pulled In 1987, Fred Cohen, the pioneer researcher in computer viruses, defined a computer virus to be: “A program that can infect other programs by modifying them to include a possibly evolved copy of itself”. This is a typical structure of a computer virus which contains three subroutines. The first subroutine, infect-executable, is responsible for finding available executable files and infecting them by copying its code into them. The subroutine do-damage, also known as the payload of the virus, is the code responsible for delivering the malicious part of the virus. The last subroutine, trigger-pulled checks if the desired conditions are met in order to deliver its payload. Examples of conditions could be the day of the week, the number of infections, or the current date. Nowadays, there are so many different kinds of computer viruses that it is difficult to provide a precise definition.

4 INTRODUCTION Types of computer viruses Boot sector virus
File infecting virus Memory resident virus Macro virus Basic virus Polymorphic virus Metamorphic virus Boot sector viruses infect the Master Boot Sector of hard drives or floppy drives and infect other machines only when the machine boots up from an infected floppy disk. Boot Sector viruses were the first successful viruses created and can infect a machine regardless of what Operating Systems runs on it . Today they are rarely found because floppy disks are not so common any more. Program viruses infect executable programs, such as EXE or COM, by attaching themselves to them. The virus executes and infects other executables when its host file is executed. To infect an EXE file, a virus has to modify the EXE Header and the Relocation Pointer Table2, and add its own code to the Load Module. This can be done in many ways. Memory resident viruses remain in memory after the initialization of virus code. They take control of the system and allocate a block of memory for their own code. They remain in memory while other programs run and infect them. File infecting viruses could be memory resident as well. These viruses are written in macro languages and infect files that make use of the particular language. A macro is a series of steps that could otherwise be typed, selected, or configured, but are stored in a single location so they can be automated. Macro languages are used to allow more sophisticated macro development and environment control, like manipulating and creating files, changing menu settings, and much more. In basic viruses, the entry point code is modified to give execution control to the virus code. Detection is trivial using search strings. Polymorphic viruses apply encryption to their body to prevent detection using search strings. Some advanced metamorphic viruses re-program themselves with little pieces of viral code scattered and with garbage code in between. Metamorphic viruses, do not have a decryptor, neither a constant virus body like polymorphic viruses do. However, they are able to create new generation that look different. They do not use a data area filled with string constants but have one single-code body that carries data as code.

5 INTRODUCTION Replication Basic virus Polymorphic virus
Metamorphic virus

6 INTRODUCTION Metamorphic viruses transform their code as they propagate The main goal of metamorphism is to change the appearance of the virus while keeping its functionality. To achieve this, metamorphic viruses use several metamorphic transformations, such as register usage exchange, code permutation, code expansion, code shrinking, and garbage code insertion Metamorphic viruses transform their code as they propagate The main goal of metamorphism is to change the appearance of the virus while keeping its functionality. To achieve this, metamorphic viruses use several metamorphic transformations, such as register usage exchange, code permutation, code expansion, code shrinking, and garbage code insertion

7 METAMORPHIC TECHNIQUES (BASIC)
Garbage code insertion Register usage exchange Permutation techniques Insertion of jump instructions Instruction replacement Host code mutation Code integration

8 GARBAGE CODE INSERTION
The Win32/Evol virus – July 2000 Win95/Bistro virus – October 2000

9 REGISTER USAGE EXCHANGE
Win95/Regswap virus – Vecna

10 PERMUTATION TECHNIQUES
Dividing the code into frames, and then position the frames randomly and connect them by branch instructions to maintain the process flow The Win32/Ghost virus – May 2000

11 INSERTION OF JUMP INSTRUCTION
Create new generations is inserting jump instructions within its code Win95/Zperm virus – June 2000

12 INSTRUCTION REPLACEMENT
Replace some of their instructions with other equivalent instructions. The types of instruction replacement include: reversing of branch conditions register moves replaced by push/pop sequences alternative opcode encoding xor/sub and or/test interchanging Other techniques: Host code mutation Code integration

13 METAMORPHIC VIRUS DETECTION
Geometric detection Wildcard string and haft-byte scanning Code disassembling Using emulators Code transformation detection Subroutine depermutation Using regular expression and DFA

14 GEOMETRIC DETECTION Geometric detection is based on modifications that a virus has made to the file structure. The data section of a file is increased by at least 32KB when it is infected by an encrypted version of the virus, the file might be reported as being infected if the virtual size of its data section is at least 32KB larger than its physical size.

15 WILDCARD STRING & HALF BYTE SCANNING
It is obvious that there exist many common opcodes that are constant to all generations of the Regswap virus. This makes the extraction of usable search strings using wildcards possible.

16 USING EMULATORS Code emulation implements a virtual machine to simulate the CPU and memory management system and executes malicious code inside the virtual machine. Antivirus scanners can run code inside an emulator and examine it periodically or when interesting instructions are executed.

17 CODE TRANFORMATIONS Code transformation is a method for undoing the previous transformations done by the virus. Code transformation is used to convert mutated instructions into their simplest form, where the combinations of instructions are transformed to an equivalent but simple form. After the transformation common code exhibited by the virus can be identified.

18 CONCLUSIONS

19 BIBLIOGRAPHY [1] F. Cohen. Computer viruses: theory and experiments. Comput. Secur., 6(1):22–35, 1987. [2] Peter Szor. The Art of Computer Virus Research and Defense. Addison Wesley Professional, 1 edition, February 2005. [3] Rodelio G. Finones and Richard t. Fernandez. Solving the metamorphic puzzle. Virus Bulletin, pages 14–19, March 2006. [Video] 10 Devastating Computer Viruses

20 THANK YOU!

Download ppt "METAMORPHIC VIRUS NGUYEN LE VAN."

Similar presentations

Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.

Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.
Mutating The Mutators Sean O'Toole. What is Borrowed From Metamorphism Metamorphic Shrinker\Expander Modules: Expander: An expander creates a “direct.

Mutating The Mutators Sean O'Toole. What is Borrowed From Metamorphism Metamorphic Shrinker\Expander Modules: Expander: An expander creates a “direct.
Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-20111 Module 5 Program Security  MModified by :Ahmad Al Ghoul  PPhiladelphia University.

Network Security Philadelphia UniversitylAhmad Al-Ghoul Module 5 Program Security  MModified by :Ahmad Al Ghoul  PPhiladelphia University.
CS526: Information Security Chris Clifton November 25, 2003 Malicious Code.

CS526: Information Security Chris Clifton November 25, 2003 Malicious Code.
Slide 1 Adapted from Vitaly Shmatikov, UT Austin Trojans and Viruses.

Slide 1 Adapted from Vitaly Shmatikov, UT Austin Trojans and Viruses.
Slide 1 Vitaly Shmatikov CS 378 Trojans and Viruses.

Slide 1 Vitaly Shmatikov CS 378 Trojans and Viruses.
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Polymorphism in Computer Viruses CS265 Security Engineering Term Project Puneet Mishra.

Polymorphism in Computer Viruses CS265 Security Engineering Term Project Puneet Mishra.
Virus Encyption CS 450 Joshua Bostic. topics Encryption as a deterent to virus scans. History of polymorphic viruses. Use of encryption by viruses.

Virus Encyption CS 450 Joshua Bostic. topics Encryption as a deterent to virus scans. History of polymorphic viruses. Use of encryption by viruses.
HUNTING FOR METAMORPHIC ENGINES Mark Stamp & Wing Wong August 5, 2006.

HUNTING FOR METAMORPHIC ENGINES Mark Stamp & Wing Wong August 5, 2006.
Metamorphic Viruses Pat Walpole. Introduction What are metamorphic viruses Why they are dangerous Defenses against them.

Metamorphic Viruses Pat Walpole. Introduction What are metamorphic viruses Why they are dangerous Defenses against them.
Copyright © 1995-2009 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
Intro to Java The Java Virtual Machine. What is the JVM  a software emulation of a hypothetical computing machine that runs Java bytecodes (Java compiler.

Intro to Java The Java Virtual Machine. What is the JVM  a software emulation of a hypothetical computing machine that runs Java bytecodes (Java compiler.
Automated malware classification based on network behavior

Automated malware classification based on network behavior
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
Video Following is a video of what can happen if you don’t update your security settings! security.

Video Following is a video of what can happen if you don’t update your security settings! security.
CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2011.
1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 Malicious Software.

1 Ola Flygt Växjö University, Sweden Malicious Software.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

Similar presentations

Ads by Google