Chapter 5 Anti-Anti-Virus Anti-Anti-Virus All viruses self-replicate Anti-anti-virus means it’s “openly hostile” to AV Anti-anti-virus techniques? o Aggressively attack AV software o Make analysis of virus difficult o Try to avoid being detected using knowledge of how AV works Anti-Virus Virus? Anti-anti-virus versus “anti-virus virus” o What the … ? This chapter is about anti-anti virus Aside: What is an anti-virus virus? o Virus attacks other viruses, or o AV software that propagates virally, or o Software that drops a virus, then offers to remove it for a fee Retroviruses Also known as “anti-antivirus viruses” Virus with active defense What techniques are used? Kill AV (and related) processes o Virus lists active processes o Kills things like Avgw.exe, Scan32.exe, Navw32.exe, Regedit.exe, Zonealarm.exe o Might also do this for processes run at startup Retroviruses Example: Ganda virus Kills running AV-like processes Examines processes run at startup o If it appears to be AV-related… o …replace 1st instruction with “return” Stealthier? o Starve AV software by lowering priority o Prevent AV software from connecting to company database, etc. Entry Point Obfuscation Viruses often hijack usual entry point o But this is fairly obvious Set entry point at random location? o Probably not a good idea --- why? Find calls to ExitProcess API? o Used by Simile and Ganda Look for known code sequences? o Compilers produce stereotypical code Anti-Emulation Recall that emulation is used for AV How can virus defeat emulation? 1. Outlast 2. Outsmart 3. Overextend AV solution to 2 & 3 is better emulator o Of course, this comes at a price… Anti-Emulation: Outlast How 1. 2. to “outlast” an emulator? Lots of (disguised) do-nothing code Only be malicious, say, 1/10th of time o Then AV might mark code as safe o Subsequently, virus has a free hand 3. Entry point obfuscation o Emulator might assume virus will appear early in execution of infected code Anti-Emulation: Outsmart Try to counter dynamic heuristics Example: In some cases, decryption is a good dynamic heuristic To counter this, virus could… o Spread decryption throughout code, not all in one loop o Then emulator might never reach its “decryption” threshold Anti-Emulation: Overextend How 1. to push emulator to the limit? Use undocumented instructions o If not handled correctly, it’s emulated 2. Bugs in CPU o If handled correctly, it’s emulated 3. 4. Exhaust or abuse memory Check for differences between system calls, e.g., check “time” twice o Emulator might return fixed value Anti-Emulation: Overextend How 5. 6. to push emulator to the limit? Import obscure libraries Use external resources, e.g., web page o Almost impossible to emulate external stuff 7. Emulator-specific checks o E.g., a known interface to outside Armoring “Armor” virus --- make analysis more difficult Two types of techniques used: 1. Anti-debugging o Examples? 2. Anti-disassembly o Examples? Anti-Debugging Look for inserted breakpoints o Like error detection/correction Look for single-stepping o Interrupt pushed onto stack after every instruction… so push then immediately pop, or o Time the execution, or o Dynamically modify next instruction, since processors usually pre-fetch Last 2 also anti-emulation techniques Anti-Debugging If all else fails, ask: o IsDebuggerPresent() In Linux, request to trace a process more than once fails o How can virus take advantage of this? Anti-Debugging Speaking of threads… Interlocking and deadlocking threads o Only small part of code appears o Different parts each time Fairly strong for anti-debugging o Improved software activation using multithreading Could be even more effective if combined with encrypted code o Project, anyone? Anti-Disassembly Anti-disassemblymentarianism? Goals 1. Disassembly cannot be automated 2. Code not available until it executes For 1, one idea is to mix code and data o Once mixed, separating is unsolvable Anti-Disassembly Mixing code and data can result in false disassembly Disassemblers not so easily confused… Anti-Disassembly How to make code unavailable for static analysis? 1. Dynamically generate code at runtime 2. Self-modifying code o A red flag for heuristic analysis 3. Use the environment to “construct” code at runtime o How’s that? Anti-Disassembly Constructed code? Hash stuff and extract “code” bits… o Perhaps combine with buffer overflow? o Project, anyone? Anti-Disassembly Encrypted code o Decrypt in parts as needed o Flush plaintext when done o Combine with anti-debugging o Watch for MiM type of attacks My startup company did all of this Might do similar things with threads o Intentionally “delicate” timing Tunneling Virus traces system functions it uses o To be sure they “go to” the right place o If not, code is being monitored How to trace code? o Static heuristic or emulation o Just like the AV stuff… Can’t tunnel into kernel on modern OS o But still might be useful technique Tunneling AV software can hide from tunneling if it’s installed in the kernel o Unless virus is in the kernel too… But, virus in kernel would be bad for lots and lots of other reasons Integrity Checker Attacks How to avoid integrity check? o Integrity check can detect any change Stealth virus might hide o But only from weak integrity check Infect when legitimate change to file In one infamous case… o Delete integrity check database and all checksums recomputed Avoidance Hide in places not searched Possibilities include o USB key o Some types of files o New type of packer o Etc. Pretty lame?