Chapter 3 Viruses

Upload: haamid

Post on 06-Jan-2016


TRANSCRIPT

Page 1: Chapter 3 Viruses

Chapter 3

Viruses

Page 2: Chapter 3 Viruses

Virus Definition
- Recall definition from Chapter 2…
  o Self-replicating: yes
  o Population growth: positive
  o Parasitic: yes
- When executed, tries to replicate itself into other executable code
  o So, it relies in some way on other code
- Does not propagate via a network

Page 3: Chapter 3 Viruses

Virus
- 3 parts to a virus
- Infection mechanism --- how it spreads
  o Multipartite virus uses multiple means
- Trigger --- decides when/how to deliver payload
- Payload --- what it does other than spread
  o Either intentional or accidental

Page 4: Chapter 3 Viruses

Virus Pseudocode
- Without infection mechanism…
  o It's not a virus, it's a logic bomb
- But trigger and payload are optional
- Generic virus pseudocode

    def virus():
        infect()
        if trigger() is true:
            payload()

Page 5: Chapter 3 Viruses

Infection Pseudocode
- Targets must be "local"
- Don't select already infected targets
  o Can be a double-edged sword

    def infect():
        repeat k times:
            target = select_target()
            if no target:
                return
            infect_code(target)

Page 6: Chapter 3 Viruses

Virus Classification
- Possible to classify in many ways
- Here, we classify in 2 ways:
- Target
  o What/where does the virus infect?
- Concealment strategy
  o What does it do to remain undetected?

Page 7: Chapter 3 Viruses

Classification by Target
- Briefly consider 3 cases
- Boot-sector infectors
- Executable file infectors
- Data file infectors
  o Macro viruses

Page 8: Chapter 3 Viruses

Boot Sequence
- Generic boot sequence
1. Power on
2. ROM-based instructions run
  o Self-test, device detection, initialization
  o Boot device IDed, boot block read from it
  o Control transferred to the loaded code --- this step known as primary boot

Page 9: Chapter 3 Viruses

Boot Sequence Continued

3. Code loaded in primary boot step loads larger, fancier program
  o This is secondary boot
4. Secondary boot loads/runs OS kernel

Page 10: Chapter 3 Viruses

Boot Sector Infector
- Why infect boot sector?
- A boot-sector infector (BSI)
  o Infects by copying itself to boot block
- May copy boot block elsewhere
  o Could be tricky, require lots of code
  o So a fixed "safe" location chosen
  o Different viruses may use same "safe" location (e.g., Stoned and Michelangelo)

Page 11: Chapter 3 Viruses

Boot Sector Infector
- BSI once popular, not so much now
- Why?
  o Machines don't reboot so often
  o Much harder to infect, due to better defenses

Page 12: Chapter 3 Viruses

Multiple Infections

Page 13: Chapter 3 Viruses

File Infectors
- OS views some files as executable
  o Like "exe" and similar
- Files that can be run by a command-line "shell" also considered executable
  o Batch files, shell scripts, …
- File infector --- infects executable file
  o Exe, shell code, consider executable
  o Binary executable is most common target

Page 14: Chapter 3 Viruses

File Infectors
- Two main issues…
1. Where to put the virus within file?
2. How to execute the virus when infected file is run?
- Consider these two (interrelated) questions in next few slides

Page 15: Chapter 3 Viruses

Beginning of File
- Older exe formats (e.g., .COM) treat entire file as chunk of code and data
  o Entire file loaded into memory
  o Execution starts by jumping to the beginning of the loaded file
- Can put virus at start of such a file
  o That is, prepend the virus code

Page 16: Chapter 3 Viruses

Prepended Virus

Page 17: Chapter 3 Viruses

End of File
- Append a virus (even easier?)
- Then how does virus get executed?
- Some possibilities…
- Replace first line(s) with a jump to viral code --- save overwritten code
- Later, transfer control back to code
  o How to do this?

Page 18: Chapter 3 Viruses

End of File
- How to transfer control back to code?
  o Run saved instructions in saved location
  o Restore the infected code back to its original state and run it
- Many exe file formats specify start location in file header
  o If so, virus can change start location to point to its own code and jump to the original start location when done

Page 19: Chapter 3 Viruses

Appended Virus

Page 20: Chapter 3 Viruses

Overwritten into File
- Virus places itself atop original code
- Can avoid changes in file size
- Easy for virus to get control
- But… overwriting code will break the original code
  o Making virus easier to discover
- Is it possible to overwrite without breaking the code?

Page 21: Chapter 3 Viruses

Overwritten into File
- Smart ways to overwrite?
- Overwrite repeated data
  o May be trickier to execute virus
- Save overwritten data (like BSI)
- Use over-allocated space in a file
- Compress code to make space
- For these to work, virus must be small

Page 22: Chapter 3 Viruses

Merged with File
- Could try to merge virus with target
- I.e., intermixing virus/target code
- Difficult
  o So, it's "rarely seen"
- But, supposedly, Zmist does this
  o So, apparently it is possible
  o That's impressive…

Page 23: Chapter 3 Viruses

Not in File
- Companion virus --- separate from, but naturally executed before target
- No modification to infected code
- May take advantage of process used by OS or shell to search for exe files
- Like a Trojan horse but it's a virus…
  o …since it's self-replicating

Page 24: Chapter 3 Viruses

Companion Virus
- Virus is earlier in the search path
  o Same name as the target file, almost…
- E.g., MS-DOS searches for "foo" by
1. Look for foo.com
2. Look for foo.exe
3. Look for foo.bat
- If the target file is a foo.exe, companion virus is in file foo.com
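The search-order trick on this slide is also the basis of a simple audit check. The Python below is an added example (not from the slides): it models the MS-DOS resolution order given above, resolves a bare name the way the shell would, and reports every executable that is never reached because a same-stem file earlier in the lookup wins. That winning slot is exactly where a companion would sit, so each reported pair deserves a look. The directory layout and file names are constructed for the demonstration.

```python
import os
import tempfile

# Resolution order MS-DOS uses for a bare name "foo", taken from the slide:
# foo.com, then foo.exe, then foo.bat.
DOS_SEARCH_ORDER = (".com", ".exe", ".bat")


def resolve(name, directories):
    """Return the path a DOS-style lookup of the bare command `name` would run:
    each directory in search-path order, each extension in DOS_SEARCH_ORDER."""
    for directory in directories:
        for ext in DOS_SEARCH_ORDER:
            candidate = os.path.join(directory, name + ext)
            if os.path.isfile(candidate):
                return candidate
    return None


def find_companion_shadows(directories):
    """List (winner, shadowed) path pairs: every executable that is never reached
    because a same-stem file earlier in the lookup wins. The winner slot is the
    one a companion virus would occupy, so each pair is worth inspecting."""
    stems = set()
    for directory in directories:
        for entry in os.listdir(directory):
            stem, ext = os.path.splitext(entry)
            if ext.lower() in DOS_SEARCH_ORDER:
                stems.add(stem.lower())
    shadows = []
    for stem in sorted(stems):
        winner = resolve(stem, directories)
        for directory in directories:
            for ext in DOS_SEARCH_ORDER:
                candidate = os.path.join(directory, stem + ext)
                if candidate != winner and os.path.isfile(candidate):
                    shadows.append((winner, candidate))
    return shadows


def build_demo():
    """Constructed search path of two directories; the files are empty stand-ins."""
    root = tempfile.mkdtemp()
    dirs = [os.path.join(root, "bin1"), os.path.join(root, "bin2")]
    for d in dirs:
        os.mkdir(d)
    for rel in ("bin1/foo.com", "bin1/bar.bat",
                "bin2/foo.exe", "bin2/bar.exe", "bin2/baz.exe"):
        open(os.path.join(root, rel), "w").close()
    return dirs


if __name__ == "__main__":
    for winner, shadowed in find_companion_shadows(build_demo()):
        print(f"{shadowed} is shadowed by {winner}")
```

In the constructed layout, bin2/foo.exe is shadowed by bin1/foo.com (the slide's case) and bin2/bar.exe by bin1/bar.bat, which shows that the check must consider every extension earlier in the order, not only .com.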

Page 25: Chapter 3 Viruses

Companion Virus
- Windows registry associates file types with applications
- Can modify registry so that companion virus runs instead of exe
  o Then companion can transfer control to the corresponding exe
- In effect, all exes infected at once!

Page 26: Chapter 3 Viruses

Companion Virus
- ELF file format used on recent Unix systems
- Has "interpreter" specified in each exe file header
  o Points to run-time linker
- Companion virus can replace the run-time linker
  o As above, effect is that all exe files infected at once
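Because the interpreter path lives in the executable's own program headers, the defensive counterpart is to read it and compare it against the loader you expect on the host. The Python below is an added example, not part of the slides: it parses the ELF header and program headers of a little-endian ELF32 or ELF64 image, returns the PT_INTERP string, and checks it against an allow-list. The allow-list contents are an assumption for a typical Linux x86 host; the ELF image used to exercise the parser is constructed in-line and is only enough header to be parsed, not a loadable binary.

```python
import struct

PT_INTERP = 3
# Allow-list of run-time linkers expected on this host (assumed values; adjust per distro).
EXPECTED_INTERPRETERS = {"/lib64/ld-linux-x86-64.so.2", "/lib/ld-linux.so.2"}


def elf_interpreter(data):
    """Return the PT_INTERP path of a little-endian ELF32/ELF64 image, or None if
    the file has no interpreter (statically linked). Raises ValueError on non-ELF input."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_data != 1:
        raise ValueError("big-endian ELF not handled in this example")
    if ei_class == 2:                                   # ELF64
        (e_phoff,) = struct.unpack_from("<Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        ph_fmt, off_idx, size_idx = "<IIQQQQQQ", 2, 5
    elif ei_class == 1:                                 # ELF32
        (e_phoff,) = struct.unpack_from("<I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
        # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        ph_fmt, off_idx, size_idx = "<IIIIIIII", 1, 4
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_INTERP:
            start, size = ph[off_idx], ph[size_idx]
            return data[start:start + size].rstrip(b"\0").decode("ascii")
    return None


def check_interpreter(data, allowed=EXPECTED_INTERPRETERS):
    """Return (interpreter, ok). ok is True for static binaries and for any
    interpreter on the allow-list; anything else is a loader worth investigating."""
    interp = elf_interpreter(data)
    return interp, interp is None or interp in allowed


def build_elf64(interp):
    """Construct a minimal ELF64 image with one PT_INTERP entry (test fixture only)."""
    interp_bytes = interp.encode("ascii") + b"\0"
    ehsize, phentsize = 64, 56
    phoff = ehsize
    interp_off = phoff + phentsize
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8     # ELF64, little-endian, v1
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
    # e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 62, 1, 0, phoff, 0, 0, ehsize, phentsize, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, interp_off, 0, 0,
                       len(interp_bytes), len(interp_bytes), 1)
    return ehdr + phdr + interp_bytes


if __name__ == "__main__":
    for path in ("/lib64/ld-linux-x86-64.so.2", "/tmp/not-the-real-loader.so"):
        print(check_interpreter(build_elf64(path)))
```

To audit a real system, read each executable with `open(path, "rb").read()` and pass the bytes to `check_interpreter`; the slide's point is that one replaced loader affects every dynamically linked program, so the loader file itself should be integrity-checked as well, not only the paths that point at it.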

Page 27: Chapter 3 Viruses

Companion Virus
- Companion viruses possible in GUI
- App's icon can be overwritten with the icon for the companion virus
- When a user clicks on "app" icon…
  o Companion virus runs instead

Page 28: Chapter 3 Viruses

Macro Virus
- Some apps allow data files to have macros embedded in them
- Macros are short snippets of "code" interpreted by the application
- Such languages often provide enough functionality to write a virus

Page 29: Chapter 3 Viruses

Macro Virus
- Macros often run automatically when file is loaded
  o Easy to write compared to low-level code
- First proof of concept in 1989
- Hit "mainstream" in 1995
  o Virus known as Concept
  o Targeted Microsoft Word (of course)
  o Installed in "global macros"
  o Infected all edited documents

Page 30: Chapter 3 Viruses

Macro Virus: Concept
- Targeted Word Docs
- AutoOpen macro --- runs automatically when file opened
  o How you get the virus from infected file
- FileSaveAs --- when "file save as" selected from menu
  o So the virus can infect other docs
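The two macro names on this slide are the whole infection story: one auto-executing entry point (AutoOpen) and one hook that fires when other documents are written (FileSaveAs). A triage scanner for macro source can look for exactly that combination. The Python below is an added example (not from the slides, and not from any existing tool): it pulls procedure declarations out of VBA text, flags the standard Word auto-macro and document-event names, flags procedures that shadow built-in command names, and notes references to the global template. The watch-lists and the two VBA samples are constructed for the demonstration; the sample bodies are deliberately inert.

```python
import re

# Procedures Word runs without being asked: the AutoOpen from the slide plus the
# other standard Word auto-macro and document-event names.
AUTO_EXEC_NAMES = {"autoexec", "autoopen", "autoclose", "autonew", "autoexit",
                   "document_open", "document_close", "document_new"}
# Built-in command names a macro can shadow, as Concept shadowed FileSaveAs.
MENU_HOOK_NAMES = {"filesaveas", "filesave", "fileopen", "toolsmacro"}
# References that touch the global template ("global macros" on the slide).
# Constructed watch-list for this example, not a complete one.
GLOBAL_TEMPLATE_REFS = ("normaltemplate", "normal.dot", "vbproject", "organizercopy")

PROC_DECL = re.compile(r"^\s*(?:public\s+|private\s+)?(?:sub|function)\s+(\w+)",
                       re.IGNORECASE | re.MULTILINE)


def scan_vba(source):
    """Triage VBA source text: which procedures auto-execute, which shadow menu
    commands, and whether the global template is referenced. Returns a dict with
    those three sorted lists and a verdict."""
    procs = [m.group(1) for m in PROC_DECL.finditer(source)]
    lowered = source.lower()
    findings = {
        "auto_exec": sorted(p for p in procs if p.lower() in AUTO_EXEC_NAMES),
        "menu_hooks": sorted(p for p in procs if p.lower() in MENU_HOOK_NAMES),
        "global_template": sorted(ref for ref in GLOBAL_TEMPLATE_REFS if ref in lowered),
    }
    spreads = findings["menu_hooks"] or findings["global_template"]
    if findings["auto_exec"] and spreads:
        verdict = "suspicious"      # an entry point plus a way to reach other documents
    elif findings["auto_exec"] or spreads:
        verdict = "review"
    else:
        verdict = "clean"
    findings["verdict"] = verdict
    return findings


# Constructed samples; the procedure bodies do nothing harmful.
CONCEPT_LIKE = """
Sub AutoOpen()
    ' runs whenever the document is opened
    Set tpl = NormalTemplate
End Sub

Private Sub FileSaveAs()
    ' shadows the built-in File > Save As command
    Dialogs(wdDialogFileSaveAs).Show
End Sub
"""

BENIGN = """
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    print(scan_vba(CONCEPT_LIKE))
    print(scan_vba(BENIGN))
```

The verdict logic encodes the slide's two-part structure: an auto-executing procedure alone is common in legitimate templates and only earns "review", but an auto-executing procedure together with a command hook or a global-template reference is the Concept pattern and is flagged "suspicious".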

Page 31: Chapter 3 Viruses

Macro Virus: Concept

Page 32: Chapter 3 Viruses

Classification by Concealment Strategy

- Most viruses try to hide
  o Why?
- So, how do they hide?
  o Encryption
  o Polymorphism
  o Etc., etc.
- Yet another way to classify viruses…

Page 33: Chapter 3 Viruses

No Concealment
- Do nothing to hide
- This is easiest for virus writer…
  o …but also easiest to detect, analyze

Page 34: Chapter 3 Viruses

Encryption
- Why encrypt?
- Virus body is "hidden" from view
  o In particular, the signature is hidden
- Distinguish between strong encryption and obfuscation
- Viruses usually only obfuscated
  o Very weak encryption

Page 35: Chapter 3 Viruses

Encrypted Virus

Page 36: Chapter 3 Viruses

Encryption
- How to encrypt?
  o Let me count the ways…
1. Simple encryption
  o Rotate, increment, negate, etc.
2. Static encryption key
  o E.g., XOR fixed byte to all bytes
3. Variable encryption key
  o Like static, but key changes

Page 37: Chapter 3 Viruses

Encryption (Continued)

4. Substitution cipher
  o Permute the bytes
  o Could be via lookup table
  o Could even have multiple ciphertexts decrypt to same plaintext
5. Strong encryption
  o DES, AES, RC4, etc.
  o Might use crypto libraries
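The reason the two preceding slides call schemes 1 through 3 "very weak encryption" is that the key space is tiny: a scanner can simply try every candidate decoder and look for the known signature underneath (the classic "x-ray" approach). The Python below is an added example, not from the slides: it enumerates inverses for no concealment, negate, fixed-byte XOR, constant increment, a key that steps by one per byte, and bit rotation, and reports which decoder exposes the signature and at what offset. The signature and the obfuscated buffers are constructed for the demonstration. Scheme 4 (an arbitrary lookup table) and scheme 5 (a real cipher) are deliberately outside what this brute force covers, which is the slides' point about them.

```python
SIGNATURE = b"INFECT"   # constructed stand-in for a known virus signature


def decoders():
    """Candidate inverses for the weak schemes on the slides. Each yields
    (name, function mapping bytes to bytes)."""
    yield "identity", lambda d: d
    yield "negate", lambda d: bytes((-b) & 0xFF for b in d)
    for k in range(1, 256):
        # static key: XOR with a fixed byte
        yield f"xor {k:#04x}", lambda d, k=k: bytes(b ^ k for b in d)
        # undo a constant increment
        yield f"sub {k:#04x}", lambda d, k=k: bytes((b - k) & 0xFF for b in d)
        # variable key: XOR key advances by one per byte, starting at k
        yield f"xor rolling from {k:#04x}", lambda d, k=k: bytes(
            b ^ ((k + i) & 0xFF) for i, b in enumerate(d))
    for r in range(1, 8):
        # undo a rotate-right by r bits
        yield f"rol {r}", lambda d, r=r: bytes(
            ((b << r) | (b >> (8 - r))) & 0xFF for b in d)


def xray_scan(data, signature=SIGNATURE):
    """Apply every candidate decoder to the buffer and report (decoder name,
    offset) for each one that exposes the signature."""
    hits = []
    for name, decode in decoders():
        off = decode(data).find(signature)
        if off != -1:
            hits.append((name, off))
    return hits


def constructed_samples():
    """The same buffer under no concealment and three of the weak schemes."""
    plain = b"MZ\x90\x00 stub " + SIGNATURE + b" tail"
    return {
        "plain": plain,
        "xor": bytes(b ^ 0x5A for b in plain),
        "inc": bytes((b + 3) & 0xFF for b in plain),
        "rolling": bytes(b ^ ((0x10 + i) & 0xFF) for i, b in enumerate(plain)),
    }


if __name__ == "__main__":
    for label, buf in constructed_samples().items():
        print(label, xray_scan(buf))
```

About 770 decoders are tried per buffer, which is why this stays practical for a scanner: the whole key space of these schemes is a few hundred possibilities, and a hit also tells the analyst which scheme and key were used.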

Page 38: Chapter 3 Viruses

Stealth
- Tries to hide the infection
  o Not just hide the virus signature
- Examples of stealth techniques
  o Change timestamp and/or other file info to pre-infection values
  o Intercept I/O calls to hide presence (in MS-DOS user-accessible interrupts)
  o Hijack secondary boot loader
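The first stealth technique above, restoring timestamps and other file info, defeats checks that only look at metadata; the standard answer is an integrity baseline that also hashes content. The Python below is an added example (not from the slides): it records size, mtime and a SHA-256 digest for a set of files, compares a later snapshot against the baseline, and classifies each file as unchanged, openly modified, or "stealthy" (content changed while size and mtime still match, i.e. the cheap checks were deliberately kept looking clean). The three files and the edits made to them are constructed in a temporary directory for the demonstration.

```python
import hashlib
import os
import tempfile


def snapshot(paths):
    """Baseline each file: size, mtime (whole seconds) and a content hash.
    Size and mtime are the values the slide says a stealth virus restores."""
    base = {}
    for p in paths:
        st = os.stat(p)
        with open(p, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        base[p] = (st.st_size, int(st.st_mtime), digest)
    return base


def compare(baseline, current):
    """'unchanged' if the hash matches; 'modified' if it changed and the metadata
    shows it; 'stealthy' if the content changed while size and mtime still match
    the baseline."""
    report = {}
    for path, (size0, mtime0, h0) in baseline.items():
        size1, mtime1, h1 = current[path]
        if h1 == h0:
            report[path] = "unchanged"
        elif size1 == size0 and mtime1 == mtime0:
            report[path] = "stealthy"
        else:
            report[path] = "modified"
    return report


def demo():
    """Three constructed files: one untouched, one edited openly, one overwritten
    in place with its mtime put back to the pre-change value."""
    d = tempfile.mkdtemp()
    names = ["untouched.bin", "edited.bin", "restamped.bin"]
    paths = [os.path.join(d, n) for n in names]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"ORIGINAL PROGRAM BYTES ---- padding ----")
    before = snapshot(paths)

    with open(paths[1], "ab") as f:                 # open edit: size and mtime change
        f.write(b" appended")
    old = os.stat(paths[2])
    with open(paths[2], "r+b") as f:                # same-length overwrite: size unchanged
        f.write(b"PATCHED")
    os.utime(paths[2], (old.st_atime, old.st_mtime))  # timestamp restored

    after = snapshot(paths)
    return {os.path.basename(p): v for p, v in compare(before, after).items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The second stealth technique on the slide, intercepting I/O calls, can feed this hasher the original bytes while the infected system is running; that is why integrity baselines are worth the most when the comparison is run from clean boot media rather than from the possibly compromised OS.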

Page 39: Chapter 3 Viruses

Stealth
- Stealth viruses "overlap" rootkits
- Rootkit --- installed on compromised machine so attacker can use it
  o Stealth is critical to rootkit success
- Some malware use rootkits
  o For example, Ryknos Trojan hid itself using a rootkit designed for DRM

Page 40: Chapter 3 Viruses

Reverse Stealth Virus
- What is "reverse stealth"?
- Make everything look infected!
- Why is this malicious?
  o Damage may be done by AV software trying to disinfect

Page 41: Chapter 3 Viruses

Oligomorphism
- Oligomorphic or semi-polymorphic
- Code is encrypted
- Decryptor code is morphed
  o But not too many different decryptors
- For example
  o Whale had 30 different decryptors
  o Memorial had 96 decryptors
- How to detect?

Page 42: Chapter 3 Viruses

Polymorphism
- Like oligomorphic, but lots more decryptors
- Essentially, an infinite number
- For example
  o Tremor has almost 6 billion decryptors
- So, AV software cannot have a signature for each decryptor

Page 43: Chapter 3 Viruses

Polymorphism
- 2 problems for polymorphic writer…
- How to generate decryptors?
  o Use a mutation engine
  o Engine is part of encrypted virus
- How to detect previous infections?
  o Data "hiding": timestamp, file size, file system features, external storage, …
  o "Inoculate" system by faking infection?

Page 44: Chapter 3 Viruses

Mutation Engine

1. Equivalent instruction substitution
  o One or more instructions
2. Instruction reordering
3. Register swap
4. Reorder data
5. Spaghetti code
6. Insert junk code
7. Run-time code modification/generation

Page 45: Chapter 3 Viruses

Mutation Engine

8. Subroutine permutation
9. DIY virtual machine
10. Concurrency --- threads
11. Inlining/outlining
12. "Threaded" code --- not threads
  o Jump directly from one subroutine to another, without returning
13. Subroutine interleaving

Page 46: Chapter 3 Viruses

Mutation Engine
- Many, many other possibilities
- Possible overlap with optimizing compilers?
  o Seems more like de-optimizing…

Page 47: Chapter 3 Viruses

Equivalent Instructions
- All of these lines set register r1 to 0

    clear r1
    xor r1,r1
    and 0,r1
    move 0,r1
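The detection answer to instruction substitution is normalization: rewrite every equivalent form to one canonical instruction before matching, so the variation the mutation engine introduces disappears. The Python below is an added example (not from the slides) for a toy assembler syntax: it canonicalizes the four zeroing idioms on this slide (plus `sub r,r`, which also zeroes a register), drops junk `nop` instructions (item 6 on the Mutation Engine slide), and renames registers in order of first use so that a register swap (item 3) no longer changes the text either. The instruction syntax, the two variants and the signature are all constructed for the demonstration.

```python
import re

# The four zeroing forms on the slide (operands written source,destination as
# there) plus "sub r,r". Constructed syntax for a toy assembler.
ZERO_FORMS = [
    re.compile(r"^clear (?P<reg>\w+)$"),
    re.compile(r"^(?:xor|sub) (?P<reg>\w+),(?P=reg)$"),
    re.compile(r"^(?:and|move) 0,(?P<reg>\w+)$"),
]
JUNK = {"nop"}                     # inserted junk that carries no meaning
REGISTER = re.compile(r"\br\d+\b")  # r1, r2, ... in the toy syntax


def normalize(lines):
    """Canonical form of an instruction sequence: whitespace squeezed, junk
    removed, every zeroing idiom rewritten as "set <reg>,0", and registers
    renamed v0, v1, ... in order of first appearance."""
    out = []
    for line in lines:
        line = re.sub(r"\s+", " ", line.strip().lower())
        line = re.sub(r"\s*,\s*", ",", line)
        if not line or line in JUNK:
            continue
        for pat in ZERO_FORMS:
            m = pat.match(line)
            if m:
                line = f"set {m.group('reg')},0"
                break
        out.append(line)
    names = {}

    def rename(m):
        reg = m.group(0)
        if reg not in names:
            names[reg] = f"v{len(names)}"
        return names[reg]

    return tuple(REGISTER.sub(rename, line) for line in out)


def contains(lines, signature_lines):
    """True if the normalized program contains the normalized signature as a
    contiguous run of instructions."""
    prog, sig = normalize(lines), normalize(signature_lines)
    return any(prog[i:i + len(sig)] == sig for i in range(len(prog) - len(sig) + 1))


# Constructed variants of one routine, as a substituting/swapping engine might emit them.
VARIANT_A = ["xor r1,r1", "move 5,r2", "add r1,r2", "jmp done"]
VARIANT_B = ["nop", "move 0, r7", "nop", "move 5,r3", "add r7,r3", "jmp done"]
SIGNATURE = ["clear r9", "move 5,r4", "add r9,r4"]

if __name__ == "__main__":
    print(normalize(VARIANT_A))
    print(normalize(VARIANT_B))
    print(contains(VARIANT_B, SIGNATURE))
```

Both variants normalize to the same tuple, and the signature, which was written with yet another zeroing form and different registers, matches inside each of them. Items 2, 5 and 8 of the mutation engine list (reordering, spaghetti code, subroutine permutation) change control flow rather than individual instructions and need a control-flow-aware normalizer rather than the line-by-line one shown here.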

Page 48: Chapter 3 Viruses

Concurrency Example

    Sequential                Concurrent

    r1 = 12                   start thread T
    r2 = 34          =>       r1 = 12
    r3 = r1 + r2              wait for signal
                              r3 = r1 + r2
                              ...
                              T: r2 = 34
                                 send signal
                                 exit thread T

Page 49: Chapter 3 Viruses

Concurrency
- Aside: Concurrency may be very effective anti-reversing technique
  o Use multiple threads
  o Intentional deadlock
  o "Junk" threads
- Described in masters project: Improved software activation using multithreading

Page 50: Chapter 3 Viruses

Mutation
- Mutation also can be used for good
1. Makes reverse engineering attacks more difficult
2. Make software more "diverse"

Page 51: Chapter 3 Viruses

Metamorphism
- Apply polymorphism to virus body
  o Aka, "body polymorphic"
- No encryption/decryption needed
- Body must change a lot
  o Goal is to have no common signature
- Mutation code must be mutated too!
  o Otherwise, a signature will exist
  o Different from polymorphic (why?)

Page 52: Chapter 3 Viruses

Metamorphism

- Two types of metamorphic generators
  o Both types difficult to produce
1. Standalone
  o Apply generator offline
  o Easy to make old malware into "new"
2. Malware "carries its own generator"
  o Necessary if self-propagating
  o A much more difficult problem

Page 53: Chapter 3 Viruses

Metamorphism: Apparition
- Apparition --- metamorphic virus
- Delivered in source code (Pascal)
- If compiler is present…
  o Insert junk code and compile
- A very lame approach
- Real metamorphism must be done in assembly or (better yet) machine code

Page 54: Chapter 3 Viruses

Metamorphism: Simile
- Simile --- metamorphic virus
- Simile's metamorphic generator
  o 12,000 lines of assembly
  o Translate Simile to intermediate form
  o Then remove all old transformations
  o Obtains a base form of virus
  o Apply new set of transformations
  o Generate new (morphed) machine code

Page 55: Chapter 3 Viruses

Metamorphism: MetaPHOR
- Metamorphic Permutating High-Obfuscating Reassembler
  o That is, MetaPHOR
- Described in How I Made Metaphor and What I've Learnt by The Mental Driller
- Complex expander/shrinker strategy
- Almost impossible to analyze

Page 56: Chapter 3 Viruses

Metamorphism: MWOR
- Metamorphic Worm, i.e., MWOR
- Experimental metamorphic malware designed by former masters student
- Modeled on MetaPHOR, but…
  o Easier to understand
  o Better for experiments and testing
  o A useful research tool
- How to detect?

Page 57: Chapter 3 Viruses

Metamorphism
- The bottom line…
- Metamorphics difficult to detect
  o Machine learning works well on hacker malware, but can be defeated
- Metamorphics also difficult to write
  o Most "metamorphic" generators aren't
- Current state of the art?
  o "Undetectable" metamorphic viruses

Page 58: Chapter 3 Viruses

Strong Encryption
- What is strong encryption?
- Use a real cipher
- For this to be useful, must not store key with code
  o Why not?
- But must decrypt the virus
- How to get the key to the code?

Page 59: Chapter 3 Viruses

Strong Encryption: Key

- Store key on the web
  o Then must go fetch the key
  o But then how to get the key?
- Binary virus --- 2 parts
  o Low probability that both parts arrive
- "Environmental" key generation
  o Key based on machine-specific info
  o Key derived at runtime
  o Harder to analyze
- Other???

Page 60: Chapter 3 Viruses

Virus Kits
- Many malware construction kits
  o See VX Heavens
- Many kits claim to be metamorphic
  o Or polymorphic, or encrypted, or …
  o You should be very skeptical of claims
  o Some have nice GUI interface
- Success is failure?
  o The more successful, the more likely it has been studied and can be detected