Viruses & Worms
CS 161: Computer Security
Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin
http://inst.eecs.berkeley.edu/cs161
April 19, 2011

Announcements
- Matthias out for at least this coming week. Note: his sections are still being held.
- HKN reviewing this Thursday, 12:15PM.
- Project 2 out today, due 11:59PM Thu May 5.
- Course Summary lecture: comprehensive overview of the material we've covered. For sure works best if you take advantage of the opportunity to ask questions, including sending them in advance.

Malware That Propagates
- Virus = code that propagates (replicates) across systems by arranging to have itself eventually executed
  - Generally infects by altering stored code
- Worm = code that self-propagates (replicates) across systems by arranging to have itself immediately executed
  - Generally infects by altering running code
  - No user intervention required

The Problem of Viruses
- Virus = code that replicates
  - Instances opportunistically create new, addl. instances
  - Goal of replication: install code on additional systems
- Opportunistic = code will eventually execute
  - Generally due to user action: running an app, booting their system, opening an attachment
- Separate notions for a virus: how it propagates vs. what else it does when executed (payload)
- General infection strategy: find some code lying around, alter it to include the virus
- Have been around for decades; the resulting arms race has heavily influenced the evolution of modern malware

Propagation
- When the virus runs, it looks for an opportunity to infect additional systems
- One approach: look for a USB-attached thumb drive, alter any executables it holds to include the virus
  - Strategy: if the drive is later attached to another system & the altered executable runs, it locates and infects executables on the new system's hard drive ("autorun" is handy here)
- Or: when the user sends email w/ an attachment, the virus alters the attachment to add a copy of itself
  - Works for attachment types that include programmability
  - E.g. Word documents (macros), PDFs (Javascript)
- Virus can also send out such email
  proactively, using the user's address book & an enticing subject ("I Love You")

[Figure: where a virus inserts itself. The original program instructions can be: an application the user runs; disk blocks used to boot the OS; an autorun file on a USB device; or run-time library routines resident in memory. Layouts shown: (1) the virus placed at the entry point ahead of the original program instructions; (2) the entry point left in place with a JMP to the virus, which JMPs back to the original program instructions; (3) a JMP inserted further into the original instructions. Many variants are possible, and of course can combine techniques.]

Payload
- Besides propagating, what else can the virus do when executing?
- Pretty much anything
  - Payload is decoupled from propagation
  - Only subject to the permissions under which it runs
- Examples:
  - Brag or exhort (pop up a message)
  - Trash files (just to be nasty)
  - Damage hardware
  - Keylogging
  - Encrypt files (ransomware)
- Possibly delayed until a condition occurs ("time bomb", "logic bomb")

Detecting Viruses
- Signature-based detection: look for bytes corresponding to injected virus code
- High utility due to replicating nature
  - If you capture a virus V on one system, by its nature the virus will be trying to infect many other systems
  - Can protect those other systems by installing a recognizer for V
- Drove development of the multi-billion-dollar AV industry (AV = antivirus)
  - So many endemic viruses that detecting well-known ones becomes a checklist item for security audits
- Using signature-based detection also has de facto utility for glib marketing
  - Companies compete on number of signatures rather than their quality (harder for the customer to assess)

Virus Writer / AV Arms Race
- If you are a virus writer and your beautiful new creations don't get very far because each time you write one the AV companies quickly push out a signature for it, what are you going to do?
- Need to keep changing your viruses, or at least changing their appearance
- Writing new viruses by hand takes a lot of effort
- How can you mechanize the creation of new instances of your viruses, such that whenever your virus propagates, what it injects as a copy of itself looks different?

Polymorphic Code
- We've already seen technology for
  creating a representation of some data that appears completely unrelated to the original data: encryption
- Idea: every time your virus propagates, it inserts a newly encrypted copy of itself
  - Clearly the encryption needs to vary: either by using a different key each time, or by including some random initial padding (like an IV)
  - Note: a weak (but simple/fast) crypto algorithm works fine; no need for truly strong encryption, just obfuscation
- When the injected code runs, it decrypts itself to obtain the original functionality

[Figure: instead of "Original Program Instructions | Virus", the virus has this initial structure: "Key | Decryptor | Encrypted Glob of Bits". When executed, the decryptor applies the key to decrypt the glob, yielding "Key | Decryptor | Main Virus Code", and jumps to the decrypted code once it is stored in memory.]

Polymorphic Propagation
[Figure: "Key | Decryptor | Encrypted Glob of Bits" is decrypted and jumped to, giving "Key | Decryptor | Main Virus Code" plus an Encryptor. Once running, the virus uses the encryptor with a new key to propagate, producing "Key2 | Decryptor | Different Encrypted Glob of Bits". The new virus instance bears little resemblance to the original.]

Arms Race: Polymorphic Code
- Given polymorphism, how might we then detect viruses?
- Idea #1: use a narrow sig that targets the decryptor
  - Issues? Less code to match against, so more false positives; the virus writer spreads the decryptor across existing code
- Idea #2: execute (or statically analyze) suspect code to see if it decrypts
  - Issues? Legitimate "packers" perform similar operations (decompression); how long do you let the new code execute? If the decryptor only acts after lengthy legit execution, it is difficult to spot
- Virus writer countermeasures?

Metamorphic Code
- Idea: every time the virus propagates, generate a semantically different version of it
  - Different semantics only at the immediate level of execution; higher-level semantics remain the same
- How could you do this?
  - Include with the virus a code rewriter that inspects its own code and generates a random variant, e.g.:
    - Renumber registers
    - Change order of conditional code
    - Reorder operations not dependent on one another
    - Replace
      one low-level algorithm with another
    - Remove some do-nothing padding and replace it with different do-nothing padding (can be very complex, legit code if it's never called)

Polymorphic Code In Action
[Figure: from "Hunting for Metamorphic", Szor & Ferrie, Symantec Corp., Virus Bulletin Conference 2001]

Metamorphic Code In Action
[Figure: from "Hunting for Metamorphic", Szor & Ferrie, Symantec Corp., Virus Bulletin Conference 2001]

Detecting Metamorphic Viruses
- Need to analyze execution behavior
  - Shift from syntax (appearance of instructions) to semantics (effect of
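The following is an added example, not code from the lecture slides, that plays out the "Detecting Viruses" and "Arms Race: Polymorphic Code" material from a scanner's point of view. It builds constructed byte blobs standing in for the slide boxes (host program, decryptor, key, encrypted glob), then shows that a signature on the virus body catches the plain copy but not re-encrypted copies, that a narrow signature on the decryptor stub catches every copy but also a benign packed program (Idea #1's false-positive issue), and that emulating the decryptor before scanning (Idea #2) separates the two. The byte strings, the XOR scheme, the 3-byte key placed right after the stub, and all function names are assumptions made for this example.

```python
"""Signature scanning against polymorphic (re-encrypted) copies.

Added teaching example for the "Detecting Viruses", "Polymorphic Code" and
"Arms Race: Polymorphic Code" slides; it is not code from the lecture.
Every byte string is a constructed stand-in for the slides' boxes (host
program, decryptor, key, encrypted glob): there is no real machine code here.
"""
from __future__ import annotations

# Constructed stand-ins (assumption: opaque labels, not executable bytes)
HOST_PROGRAM = b"HOST:" + bytes(range(0x20, 0x60)) * 3
VIRUS_BODY = b"<main-virus-code: look for drive; append self; payload>"
DECRYPTOR_STUB = b"<decrypt-loop>"   # the one part that stays constant
KEY_LEN = 3                           # assumption: key stored right after stub


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Weak but fast reversible obfuscation, as the slides describe."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_plain_instance() -> bytes:
    """Host program with an unobfuscated copy of the body appended."""
    return HOST_PROGRAM + VIRUS_BODY


def make_polymorphic_instance(key: bytes) -> bytes:
    """Host program + [Key | Decryptor | Encrypted Glob], per the slide figure.

    A fresh key on each propagation makes the glob differ every time, while
    the decryptor stub is the same in every instance.
    """
    assert len(key) == KEY_LEN
    return HOST_PROGRAM + DECRYPTOR_STUB + key + xor_with_key(VIRUS_BODY, key)


def scan(blob: bytes, signatures: dict[str, bytes]) -> list[str]:
    """Signature-based detection: names of all signatures found in *blob*."""
    return [name for name, sig in signatures.items() if sig in blob]


SIGNATURES = {
    "body-sig": VIRUS_BODY[:16],   # bytes taken from the captured main body
    "stub-sig": DECRYPTOR_STUB,    # Idea #1: narrow signature on the decryptor
}

# Constructed benign sample: a packed executable whose unpacking loop happens
# to contain the same bytes as the decryptor (the slides' "packers" issue).
BENIGN_PACKED = HOST_PROGRAM + b"<packer>" + DECRYPTOR_STUB + b"<compressed-data>"


def emulate_decryptor(blob: bytes) -> bytes | None:
    """Idea #2: instead of matching bytes, 'run' the decryptor.

    Locates the stub, reads the key that follows it and decrypts the rest,
    returning what would sit in memory when the stub jumps to it.
    """
    at = blob.find(DECRYPTOR_STUB)
    if at < 0:
        return None
    start = at + len(DECRYPTOR_STUB)
    key = blob[start:start + KEY_LEN]
    return xor_with_key(blob[start + KEY_LEN:], key)


def scan_after_emulation(blob: bytes) -> list[str]:
    """Apply only the body signature, but to the decrypted image."""
    decrypted = emulate_decryptor(blob)
    if decrypted is None:
        return []
    return scan(decrypted, {"body-sig": SIGNATURES["body-sig"]})


def demo() -> dict[str, list[str]]:
    """Static scan results for each constructed sample."""
    return {
        "plain": scan(make_plain_instance(), SIGNATURES),
        "poly-k1": scan(make_polymorphic_instance(b"k1!"), SIGNATURES),
        "poly-k2": scan(make_polymorphic_instance(b"zq9"), SIGNATURES),
        "benign-packed": scan(BENIGN_PACKED, SIGNATURES),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:14s} static: {hits}")
    print("emulated poly-k1:", scan_after_emulation(make_polymorphic_instance(b"k1!")))
    print("emulated benign :", scan_after_emulation(BENIGN_PACKED))
```

Running the block prints that only the plain copy matches the body signature, that both re-encrypted copies and the benign packed sample match the stub signature, and that after emulating the decryptor the body signature fires on the re-encrypted copies but not on the packed sample. The slides' remaining objection to Idea #2 still applies: this emulator assumes it knows where the stub and key sit and that decryption happens immediately; a decryptor that only acts after lengthy legitimate execution would need a much larger execution budget to reach.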
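As a second added example, again not code from the lecture, here is the "Metamorphic Code" and "Detecting Metamorphic Viruses" material in Python: a tiny interpreter for a constructed register machine runs two constructed programs that are metamorphic rewrites of each other (registers renumbered, independent operations reordered, one low-level operation swapped for another, do-nothing padding inserted) plus a benign look-alike, and compares them first by syntax (instruction text, which is what a byte signature sees) and then by semantics (their outputs on a fixed set of probe inputs). The instruction set, the programs, the probe inputs, the 32-bit word size and the step budget are all assumptions made for this example.

```python
"""Behavior-based matching of metamorphic variants.

Added teaching example for the "Detecting Metamorphic Viruses" slide, not
code from the lecture. The instruction set, the three programs and the probe
inputs are constructed for this example; nothing here is real machine code.
"""
from __future__ import annotations

WORD_MASK = 0xFFFFFFFF          # assumption: 32-bit registers
NUM_REGS = 4
IN_ADDR, OUT_ADDR = 0, 1        # programs read mem[0] and write mem[1]
PROBE_INPUTS = (0, 1, 7, 200, 0xFFFFFFFF)

# Constructed "original" variant: out = 2 * (in + 3)
ORIGINAL = [
    "ld r0, [0]",
    "mov r1, 3",
    "add r0, r1",
    "add r0, r0",
    "st [1], r0",
]

# Constructed metamorphic rewrite of ORIGINAL: registers renumbered,
# independent operations reordered, "add r,r" replaced by "shl r,1", and
# do-nothing padding inserted. Same effect, different instruction bytes.
VARIANT = [
    "mov r2, 3",
    "nop",
    "ld r3, [0]",
    "xor r1, r1",   # do-nothing padding: r1 is never read afterwards
    "add r3, r2",
    "shl r3, 1",
    "nop",
    "st [1], r3",
]

# Constructed benign program that merely looks similar: out = in + 5
BENIGN = [
    "ld r0, [0]",
    "mov r1, 5",
    "add r0, r1",
    "st [1], r0",
]


def _operand(tok: str) -> tuple[str, int]:
    """Classify one operand as ('reg', n), ('mem', addr) or ('imm', value)."""
    if tok.startswith("r"):
        return ("reg", int(tok[1:]))
    if tok.startswith("[") and tok.endswith("]"):
        return ("mem", int(tok[1:-1]))
    return ("imm", int(tok, 0))


def run(program: list[str], input_value: int, max_steps: int = 1000) -> int:
    """Execute *program* from a fresh state with mem[IN_ADDR] = input_value.

    Returns mem[OUT_ADDR]. max_steps bounds the analysis cost, which is the
    slides' "how long do you let the new code execute?" question.
    """
    regs = [0] * NUM_REGS
    mem = {IN_ADDR: input_value & WORD_MASK}
    for step, line in enumerate(program):
        if step >= max_steps:
            raise RuntimeError("step budget exhausted")
        text = line.split(";", 1)[0].strip()   # allow ';' comments
        if not text:
            continue
        op, *args = text.replace(",", " ").split()
        if op == "nop":
            continue
        ops = [_operand(a) for a in args]
        _, dst = ops[0]
        if op == "st":                          # st [addr], rX
            mem[dst] = regs[ops[1][1]]
            continue
        skind, src = ops[1]                     # every other op: dst <- f(dst, src)
        if skind == "reg":
            value = regs[src]
        elif skind == "mem":
            value = mem.get(src, 0)
        else:
            value = src & WORD_MASK
        if op in ("mov", "ld"):
            regs[dst] = value
        elif op == "add":
            regs[dst] = (regs[dst] + value) & WORD_MASK
        elif op == "sub":
            regs[dst] = (regs[dst] - value) & WORD_MASK
        elif op == "xor":
            regs[dst] ^= value
        elif op == "shl":
            regs[dst] = (regs[dst] << value) & WORD_MASK
        else:
            raise ValueError(f"unknown op {op!r}")
    return mem.get(OUT_ADDR, 0)


def syntactic_signature(program: list[str]) -> tuple[str, ...]:
    """What a byte-signature scanner sees: the exact instruction text."""
    return tuple(" ".join(line.split(";", 1)[0].split()) for line in program)


def behavioral_fingerprint(program: list[str]) -> tuple[int, ...]:
    """What an emulator sees: the outputs for a fixed set of probe inputs."""
    return tuple(run(program, x) for x in PROBE_INPUTS)


def same_behavior(a: list[str], b: list[str]) -> bool:
    """Semantic match: identical effect on every probe input."""
    return behavioral_fingerprint(a) == behavioral_fingerprint(b)


if __name__ == "__main__":
    print("syntax equal:   ", syntactic_signature(ORIGINAL) == syntactic_signature(VARIANT))
    print("behavior equal: ", same_behavior(ORIGINAL, VARIANT))
    print("benign matches: ", same_behavior(ORIGINAL, BENIGN))
```

The syntactic signatures of ORIGINAL and VARIANT share not a single instruction, so a scanner keyed on instruction bytes treats them as unrelated, while the behavioral fingerprints are identical and the benign program's is not. The probe-input approach has the limits the slides point at: it only observes behavior the probes actually trigger, so a variant whose effect differs only under some untested condition (a logic bomb) would fingerprint the same, and the step budget has to be large enough to reach the code that matters.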