Berkeley COMPSCI 161 - Malware: Viruses

Malware: Viruses
CS 161 - Computer Security
Profs. Vern Paxson & David Wagner
TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger
http://inst.eecs.berkeley.edu/~cs161/
April 12, 2010

The Problem of Viruses
• Virus = code that replicates
  – Instances opportunistically create new additional instances
  – Goal of replication: install code on additional systems
• Opportunistic = code will eventually execute
  – Generally due to user action
    • Running an app, booting their system, opening an attachment
• Separate notions for a virus: how it propagates vs. what else it does when executed (payload)
• General infection strategy: find some code lying around, alter it to include the virus
• Have been around for decades …
  – … resulting arms race has heavily influenced evolution of modern malware

[Diagram: three ways of injecting a virus into a program. (1) The virus is placed at the entry point, ahead of the original program instructions. (2), (3) A JMP at the entry point transfers control to virus code inserted elsewhere in the program.]

Original program instructions can be:
• Application the user runs
• Run-time library / routines resident in memory
• Disk blocks used to boot OS
• Autorun file on USB device
• …
Many variants are possible, and of course can combine techniques

Propagation
• When virus runs, it looks for an opportunity to infect additional systems
• One approach: look for USB-attached thumb drive, alter any executables it holds to include the virus
  – Strategy: if drive later attached to another system & altered executable runs, it locates and infects executables on new system’s hard drive
• Or: when user sends email with attachment, virus alters attachment to add a copy of itself
  – Works for attachment types that include programmability
  – E.g., Word documents (macros), PDFs (JavaScript)
  – Virus can also send out such email proactively, using user’s address book + enticing subject (“I Love You”)

Payload
• Besides propagating, what else can the virus do when executing?
  – Pretty much anything
• Payload is decoupled from propagation
• Only subject to permissions under which it runs
• Examples:
  – Brag or exhort (pop up a message)
  – Trash files (just to be nasty)
  – Damage hardware (!)
  – Keylogging
  – Encrypt files
    • “Ransomware”
• Possibly delayed until condition occurs
  – “time bomb” / “logic bomb”

Detecting Viruses
• Signature-based detection
  – Look for bytes corresponding to injected virus code
  – High utility due to replicating nature
    • If you capture a virus V on one system, by its nature the virus will be trying to infect many other systems
    • Can protect those other systems by installing recognizer for V
• Drove development of multi-billion $$ AV industry (AV = “antivirus”)
  – So many endemic viruses that detecting well-known ones becomes a “checklist” item for security audits
• Using signature-based detection also has de facto utility for (glib) marketing
  – Companies compete on number of signatures …
    • … rather than their quality (harder for customer to assess)

Virus Writer / AV Arms Race
• If you are a virus writer and your beautiful new creations don’t get very far because each time you write one, the AV companies quickly push out a signature for it ….
  – …. What are you going to do?
• Need to keep changing your viruses …
  – … or at least changing their appearance!
• Writing new viruses by hand takes a lot of effort
• How can you mechanize the creation of new instances of your viruses …
  – … such that whenever your virus propagates, what it injects as a copy of itself looks different?

Polymorphic Code
• We’ve already seen technology for creating a representation of some data that appears completely unrelated to the original data: encryption!
• Idea: every time your virus propagates, it inserts a newly encrypted copy of itself
  – Clearly, encryption needs to vary
    • Either by using a different key each time
    • Or by including some random initial padding (like an IV)
  – Note: weak (but simple/fast) crypto algorithm works fine
    • No need for truly strong encryption, just obfuscation
• When injected code runs, it decrypts itself to obtain the original functionality

[Diagram: instead of injecting the main virus code directly ahead of the original program instructions, the virus has this initial structure: decryptor + key + encrypted glob of bits, followed by the original program instructions. When executed, the decryptor applies the key to decrypt the glob, and jumps to the decrypted code once it is stored in memory.]

[Diagram, Polymorphic Propagation: once running, the virus uses an encryptor with a new key (Key2) to propagate, emitting decryptor + Key2 + a different encrypted glob of bits. The new virus instance bears little resemblance to the original.]

Arms Race: Polymorphic Code
• Given polymorphism, how might we then detect viruses?
• Idea #1: use narrow signature that targets decryptor
  – Issues?
    • Less code to match against ⇒ more false positives
    • Virus writer spreads decryptor across existing code
• Idea #2: execute (or statically analyze) suspect code to see if it decrypts!
  – Issues?
    • Legitimate “packers” perform similar operations (decompression)
    • How long do you let the new code execute?
      – If decryptor only acts after lengthy legit execution, difficult to spot
    • Virus-writer countermeasures?

Metamorphic Code
• Idea: every time the virus propagates, generate semantically different version of it!
  – Different semantics only at immediate level of execution; higher-level semantics remain same
• How could you do this?
• Include with the virus a code rewriter:
  – Inspects its own code, generates random variant, e.g.:
    • Renumber registers
    • Change order of conditional code
    • Reorder operations not dependent on one another
    • Replace one low-level algorithm with another
    • Remove some do-nothing padding and replace with different do-nothing padding
  – Can be very complex, legit code … if it’s never called!

Polymorphic Code In Action
[Figure from “Hunting for Metamorphic”, Szor & Ferrie, Symantec Corp., Virus Bulletin Conference, 2001]

Metamorphic Code In Action
[Figure from “Hunting for Metamorphic”, Szor & Ferrie, Symantec Corp., Virus Bulletin Conference, 2001]

Detecting Metamorphic Viruses?
• Need to analyze execution behavior
  – Shift from syntax (appearance of instructions) to semantics (effect of instructions)
• Two stages: (1) AV company analyzes new virus to find execution signature, (2) AV software on end system analyzes suspect code to test for match to signature
• What countermeasures will the virus writer take?
  – Delay analysis by taking a long
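The signature-based detection, polymorphic code and "Arms Race: Polymorphic Code" slides, as an added worked example that is not part of the lecture: a toy decryptor bytecode (invented here, not any real instruction set) and a harmless placeholder string standing in for the virus body. It builds several polymorphic instances with different XOR keys and shows that a byte signature on the plaintext body matches none of them, that a narrow wildcarded signature on the decryptor stub (Idea #1) matches all of them, and that running the stub in a small sandbox with a step budget (Idea #2) recovers the body. The opcode names, stub layout and sample body are all assumptions of this example.

```python
"""Toy polymorphic virus instance vs. two detection strategies (constructed example)."""
from typing import List, Optional

# Toy bytecode for the decryptor stub; an invented instruction set, not a real ISA.
OP_KEY, OP_LEN, OP_PTR, OP_XORB, OP_JNZ, OP_JMP = range(1, 7)
STUB_LEN = 11  # the encrypted glob of bits starts right after the 11-byte stub

# Harmless placeholder standing in for the plaintext "main virus code".
BODY = b"VIRUS: read address book; mail copy of self; trash files"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Weak, fast 'encryption': single-byte XOR is all the obfuscation a virus needs."""
    return bytes(b ^ key for b in data)


def make_instance(body: bytes, key: int) -> bytes:
    """What the virus injects when it propagates: decryptor stub + key + encrypted body.

    Stub layout (offsets): 0 KEY k | 2 LEN n | 4 PTR 11 | 6 XORB | 7 JNZ 6 | 9 JMP 11
    The loop at 6..8 XORs n bytes starting at offset 11 with k, then JMP enters them.
    """
    assert 1 <= key <= 255 and len(body) <= 255
    stub = bytes([OP_KEY, key, OP_LEN, len(body), OP_PTR, STUB_LEN,
                  OP_XORB, OP_JNZ, 6, OP_JMP, STUB_LEN])
    assert len(stub) == STUB_LEN
    return stub + xor_bytes(body, key)


def find_signature(data: bytes, pattern: List[Optional[int]]) -> int:
    """Byte-signature scan; None entries are wildcards. Returns match offset or -1."""
    for i in range(len(data) - len(pattern) + 1):
        if all(p is None or p == data[i + j] for j, p in enumerate(pattern)):
            return i
    return -1


# Signature on the plaintext body: works against a non-polymorphic virus only.
BODY_SIG: List[Optional[int]] = list(b"mail copy of self")
# Idea #1: narrow signature on the decryptor, wildcarding the per-instance key/len/ptr bytes.
DECRYPTOR_SIG: List[Optional[int]] = [OP_KEY, None, OP_LEN, None, OP_PTR, None,
                                      OP_XORB, OP_JNZ, 6, OP_JMP, None]


def emulate(image: bytes, max_steps: int = 2000) -> Optional[bytes]:
    """Idea #2: run suspect code in a sandbox and return whatever it jumps into after
    decrypting in place. None: not our decryptor, or the step budget ran out first."""
    mem = bytearray(image)
    pc = key = n = ptr = 0
    for _ in range(max_steps):
        if pc + 1 >= len(mem):  # every opcode here is followed by at least one more byte
            return None
        op = mem[pc]
        if op == OP_KEY:
            key, pc = mem[pc + 1], pc + 2
        elif op == OP_LEN:
            n, pc = mem[pc + 1], pc + 2
        elif op == OP_PTR:
            ptr, pc = mem[pc + 1], pc + 2
        elif op == OP_XORB:
            if n == 0 or ptr >= len(mem):
                return None
            mem[ptr] ^= key
            ptr, n, pc = ptr + 1, n - 1, pc + 1
        elif op == OP_JNZ:
            pc = mem[pc + 1] if n else pc + 2
        elif op == OP_JMP:
            return bytes(mem[mem[pc + 1]:])
        else:
            return None  # not our bytecode: a legitimate program, or a different decryptor
    return None  # step budget exhausted before any decryption was observed


def scan(image: bytes) -> dict:
    """Verdict of each strategy on one suspect image."""
    decrypted = emulate(image)
    return {
        "body_sig": find_signature(image, BODY_SIG) >= 0,
        "decryptor_sig": find_signature(image, DECRYPTOR_SIG) >= 0,
        "emulated": decrypted is not None and find_signature(decrypted, BODY_SIG) >= 0,
    }


def demo(keys=(0x5A, 0xC3, 0x17)) -> List[dict]:
    """Three propagations with fresh keys: the globs all differ, the stub skeleton does not."""
    instances = [make_instance(BODY, k) for k in keys]
    assert len({inst[STUB_LEN:] for inst in instances}) == len(keys)
    return [scan(inst) for inst in instances]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
    print(scan(b"plain legitimate program bytes"))
```

The wildcard positions in DECRYPTOR_SIG are exactly the bytes that change per instance; this is the "narrow signature" of Idea #1, and it only works while the stub stays contiguous, which is why a virus writer spreads the decryptor across existing code. The max_steps budget is the knob behind "how long do you let the new code execute?": a virus that runs a long legitimate prologue before its decryptor loop simply exhausts it, and a legitimate packer that decompresses itself looks the same to this sandbox as a virus that decrypts itself.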
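The "Metamorphic Code" and "Detecting Metamorphic Viruses?" slides, as an added example that is not taken from the lecture: a toy straight-line instruction set (invented for this example) with a rewriter that renumbers registers, inserts do-nothing padding and reorders independent operations, and an execution signature that records the effect of the code (the sequence of "sys" calls and their arguments) rather than its appearance. The instruction format, register names and the sample program are assumptions of this example.

```python
"""Toy metamorphic rewriter and an execution (behavioural) signature (constructed example)."""
import random
from typing import List, Tuple

# Straight-line toy instruction set, invented for this example:
#   ("mov", rd, imm)   ("add", rd, rs)   ("nop",)   ("sys", name, rs)  <- observable side effect
Instr = Tuple
REGS = ["r0", "r1", "r2", "r3", "r4", "r5"]

# Harmless stand-in for a virus body: compute a value, then act on it through two "syscalls".
ORIGINAL: List[Instr] = [
    ("mov", "r0", 40),
    ("mov", "r1", 2),
    ("add", "r0", "r1"),
    ("sys", "open", "r0"),
    ("sys", "send", "r1"),
]


def regs_used(prog: List[Instr]) -> set:
    return {x for ins in prog for x in ins[1:] if isinstance(x, str) and x in REGS}


def defs(ins: Instr) -> set:
    return {ins[1]} if ins[0] in ("mov", "add") else set()


def uses(ins: Instr) -> set:
    return {ins[2]} if ins[0] in ("add", "sys") else set()


def independent(a: Instr, b: Instr) -> bool:
    """Safe to swap: no register dependence, and neither has a visible side effect."""
    if a[0] == "sys" or b[0] == "sys":
        return False
    return not (defs(a) & (defs(b) | uses(b))) and not (defs(b) & uses(a))


# --- the rewriter the virus carries along with itself ------------------------------------
def rename_registers(prog: List[Instr], rng: random.Random) -> List[Instr]:
    """Renumber registers consistently throughout the program."""
    used = sorted(regs_used(prog))
    mapping = dict(zip(used, rng.sample(REGS, len(used))))
    return [tuple(mapping.get(x, x) if isinstance(x, str) else x for x in ins) for ins in prog]


def insert_junk(prog: List[Instr], rng: random.Random, count: int = 3) -> List[Instr]:
    """Add do-nothing padding: nops, or writes to a register the program never reads."""
    dead = [r for r in REGS if r not in regs_used(prog)]
    out = list(prog)
    for _ in range(count):
        if dead and rng.random() < 0.5:
            junk = ("mov", rng.choice(dead), rng.randrange(256))
        else:
            junk = ("nop",)
        out.insert(rng.randrange(len(out) + 1), junk)
    return out


def reorder_independent(prog: List[Instr], rng: random.Random) -> List[Instr]:
    """Swap adjacent operations that do not depend on one another."""
    out = list(prog)
    i = 0
    while i < len(out) - 1:
        if independent(out[i], out[i + 1]) and rng.random() < 0.5:
            out[i], out[i + 1] = out[i + 1], out[i]
            i += 2
        else:
            i += 1
    return out


def mutate(prog: List[Instr], seed: int) -> List[Instr]:
    """One propagation: a fresh random variant of the same program."""
    rng = random.Random(seed)
    return reorder_independent(insert_junk(rename_registers(prog, rng), rng), rng)


# --- the AV side: judge effect, not appearance -------------------------------------------
def run(prog: List[Instr]) -> List[Tuple[str, int]]:
    """Interpret the program; the trace of sys calls and their arguments is its behaviour."""
    regs = {r: 0 for r in REGS}
    trace: List[Tuple[str, int]] = []
    for ins in prog:
        if ins[0] == "mov":
            regs[ins[1]] = ins[2]
        elif ins[0] == "add":
            regs[ins[1]] += regs[ins[2]]
        elif ins[0] == "sys":
            trace.append((ins[1], regs[ins[2]]))
        elif ins[0] != "nop":
            raise ValueError(f"unknown op {ins[0]}")
    return trace


def execution_signature(prog: List[Instr]) -> tuple:
    return tuple(run(prog))


def demo(seeds=range(5)) -> List[dict]:
    """Every variant differs from the original in syntax but has the same execution signature."""
    sig = execution_signature(ORIGINAL)
    out = []
    for s in seeds:
        variant = mutate(ORIGINAL, s)
        out.append({"seed": s,
                    "same_syntax": variant == ORIGINAL,
                    "same_behaviour": execution_signature(variant) == sig})
    return out


if __name__ == "__main__":
    print(mutate(ORIGINAL, 0))
    for row in demo():
        print(row)
```

A signature on the original instruction sequence fails on every variant, while the execution signature stays fixed because the rewriter only touches what does not change the observable effect (which is what the slide means by higher-level semantics remaining the same). The caveats from the slides still apply: run() is straight-line here, so it always terminates, but a real emulator has to budget steps, and a virus that delays its real behaviour past that budget, or keeps it in a path that is never called during analysis, is not observed.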

