Polymorphic Viruses
advertisement
Viruses & Antiviral Programs
Seminar Malware
Bonn-Aachen International Center for
Information Technology
Computer Security Group
Daniel Loebenberger
Shahram Faridani
19.November 2007
19.11.2007
Seminar Malware - bit
1
Overview
•
•
•
•
•
•
•
•
•
•
•
•
Brief history of CIH
Propagation
Technical specifications
Removal and security measures
Variations of CIH
Coping with malicious software
Halting problem
Virus identification and obfuscation
Virus string & pattern matching
Countermeasure to scanners
Polymorphic & metamorphic viruses
Smart virus scanner
19.11.2007
Seminar Malware - bit
2
Overview
•
•
•
•
•
Heuristic virus detection
Interrupt patching
Actual state of affairs
Summery
References
19.11.2007
Seminar Malware - bit
3
A Brief History Of CIH
• CIH Virus also known as Chernobyl or Spacefiller.
– Originally CIH, the name Chernobyl was coined because of the
complete coincidence of the payload trigger date in some variants
of the virus, actually the virus writer's birthday and the Chernobyl
accident, which happened in Ukraine on April 26, 1986
19.11.2007
Seminar Malware - bit
4
A Brief History Of CIH
• author of the CIH virus:
– Chen Ing Hau of Taiwan is also one of the more interesting
examples of legal battles involving virus writers.
• one of the most harmful widely circulated viruses.
• A Hardware destructive virus (very similar to Aragon Virus).
–
–
–
19.11.2007
first discovered in 1992.
It infects boot records and has the payload of resetting the BIOS.
On computers running outdated BIOSes, this can result in hardware damage (the CIH virus
being famous for this).
Seminar Malware - bit
5
Propagation Of CIH
• It has been among the ten most common viruses for several
months.
• It seems that at least four underground pirate software groups got
infected with the CIH virus during summer 1998.
–
They inadvertently spread the virus globally in new pirated softwares they released through
their own channels.
• Some new games which will spread world-wide very quickly.
• Persistent rumor about a 'PWA-cracked copy' of Windows 98 which
would be infected by the CIH virus.
• Later on, CIH was available by accident from several commercial
sources, such as:
19.11.2007
Seminar Malware - bit
6
Propagation Of CIH
• Origin Systems website where a download related to the popular
Wing Commander game was infected.
• At least three European PC gaming magazines shipped magazines
where the cover CD-ROM was infected
–
One of them even included a note inside advising users to disinfect their machines after using the
CD-ROM.
• Yamaha shipped an infected version of a firmware update software
for their CD-R400 drives.
• A widely spread demo version of the Activision game SiN was
infected as well.
• IBM shipped a batch of new Aptiva PCs with the CIH virus preinstalled during March 1999, just a month before the virus activates
destructively.
19.11.2007
Seminar Malware - bit
7
Removal & Security Measures
• Most scanners detect CIH, however complete removal is almost
impossible.
• Due to its infection mechanism, most antivirus software can
deactivate the virus but cannot completely clean infected files.
• Ramifications:
1.
2.
infected files cannot be restored to their original state, and will therefore produce different
hashes or checksums than the original file, which could cause the file to fail integrity checks
because the virus signature is still present within the file, the antivirus software will continue
to flag infected files, usually as "CIH (inactive)“.
• The only way to get completely rid of CIH is to replace the affected
files with copies of untouched originals. For systems that were
thoroughly infected, this likely entails a complete reinstallation of the
operating system and software.
19.11.2007
Seminar Malware - bit
8
Removal & Security Measures
Some hardware manufacturers
for instance , Gigabyte went for
the Dual BIOS. This feature was
implemented at the time of the
CIH virus that could potentially
destroy the motherboard if it was
flashed into the BIOS, so
Gigabyte came out with this Dual
BIOS. It‘s a backup mechanism
that if one BIOS fails, the
backup BIOS will automatically
activate and the user will suffer no
downtime at all and it gives the
user peace of mind while flashing
the BIOS.
19.11.2007
Seminar Malware - bit
9
Modification History
• V1.0 (04/26/1998):
1.
Create the virus program.
2.
3.
4.
5.
6.
The virus modification IDT to get Ring0 privilege.
Virus code doesn’t reload into system.
Call IFSMgr_InstallFileSystemApiHook to hook file system.
Modifies entry point of IFSMgr_InstallFileApiHook.
When system opens existing PE file, the file will be infected, and the file doesn’t need to be
reinfected.
7. It is also infected, even the file is READ-ONLY.
8. When the file is infected, the modification date and time of the file also don’t be changed.
9. When my virus uses IFSMgr_Ring0_FileI0, it will not call previous FileSystemApiHook, it will
call the function that the IFS manager would normally call to implement this particular I/O
request.
10. The virus size is only 656 bytes.
19.11.2007
Seminar Malware - bit
10
Ring0
•
Hierarchical protection domains, often called protection rings, are a mechanism to protect data
and functionality from faults and malicious behavior
•
Ring0 is the level with the most privileges and interact most
directly with the physical memory
and CPU.
Privilege rings for the x86, along with their common uses
19.11.2007
Seminar Malware - bit
11
Modification History
• V1.0 (04/26/1998):
1.
Create the virus program.
2.
3.
4.
5.
6.
The virus modification IDT to get Ring0 privilege.
Virus code doesn’t reload into system.
Call IFSMgr_InstallFileSystemApiHook to hook file system.
Modifies entry point of IFSMgr_InstallFileApiHook.
When system opens existing PE file, the file will be infected, and the file doesn’t need to be
reinfected.
7. It is also infected, even the file is READ-ONLY.
8. When the file is infected, the modification date and time of the file also don’t be changed.
9. When my virus uses IFSMgr_Ring0_FileI0, it will not call previous FileSystemApiHook, it will
call the function that the IFS manager would normally call to implement this particular I/O
request.
10. The virus size is only 656 bytes.
19.11.2007
Seminar Malware - bit
12
Modification History
• V1.1(05/15/1998):
1.
2.
3.
4.
Especially, the file that be infected will increase it’s size.
Hook and modify structured exception handing.
when exception error occurs, our OS should be in Windows NT. So the virus will not
continue to run, it will jump to original application to run.
Use better algorithm, reduce virus code size.
The virus basic size is only 796 bytes
• V1.2(05/21/1998):
1.
2.
3.
19.11.2007
Kill all hard disk, and BIOS
Modify the bug of v1.1
The virus basic size is 1003 bytes.
Seminar Malware - bit
13
Modification History
• V1.3(05/24/1998):
1. Modify the bug that WinZip self-extractor occurs error. So when open WinZip self2.
extractor => doesn’t infect it.
The virus basic size is 1010 bytes.
• V1.4(05/31/1998):
1.
2.
3.
4.
19.11.2007
Full modify the bug: WinZip self-extractor occurs error.
Change the date of killing computers.
Modify virus version copyright.
The virus basic size is 1019 bytes.
Seminar Malware - bit
14
Other Variations
• CIH.110664
–
This is a minor, fairly recent variation.
• CIH.110007
–
–
–
The CIH got a new look.
Scanning the security holes in host OS.
The version caused:
•
•
•
Ip conflicts.
Font removal
System Netbios Conflicts
• According to astalavista group
–
–
19.11.2007
the virus can infect network systems because many anti-virus software are unaware of this
type of virus.
it actually does not harm a system, but prompt conflicts on port 139 of the windows systems
Seminar Malware - bit
15
Coping With Malicious Software
• Undecidability Of Virus Detection:
–
Fact is a number of real-world problems that would be nice to be able to solve are not
solvable.
• Halting Problem(Alan Turing – 1963):
–
–
–
–
–
19.11.2007
The halting problem is a decision problem about properties of computer programs on a fixed
Turing-complete model of computation.
The answer in form “yes” or “no”.
It can be represented as a set: k := { (i,x) | program i will eventually halt if run with input x}.
Difficulty: lies in the requirement that the decision procedure must work for all programs and
inputs.
Obviously it can not be!
Seminar Malware - bit
16
Halting Problem:
• Three examples:
–
While(true)
{ x = x+1};
// doesn’t halt, it goes on forever in an infinite loop.
Printf(“hallo world”);
// halts very quick, and regardless of its input.
function findTwinPrimeAbove(int N)
int p = N
loop
if p is prime and p + 2 is prime then
return
else p = p + 1
// in depending on N it can halt or doesn’t (matter of time and capacity).
19.11.2007
Seminar Malware - bit
17
Halting Problem:
• Question: relation between halting problem & virus detection?
–
Unfortunate consequence in the theory of secure computing :
The same applies to testing whether or not an arbitrary program is infected with an
arbitrary virus.
–
Adleman (Leonard Max Adleman , 1945) proved:
If an algorithm exists that can prove the presence of viruses in general case -> exists an
algorithm that solves the halting problem
(Reductio ad absurdum - proof by contradiction)
• Regardless of this fundamental limitation to virus detection, methods
are needed to identify viruses since hackers continue to write and
release new viruses.
19.11.2007
Seminar Malware - bit
18
Virus Identification & Obfuscation
• Several challenges surrounding the design of robust computer
viruses and designing algorithms to detect viruses.
• String matching:
–
–
–
19.11.2007
Is used by antivirus programs to identify virus strains.
Also a method that is use by viruses to identify themselves.
Viral self-identification is necessary to prevent overpopulation and to prevent
A host being infected several of times.
Development of string matching antiviral programs lead to the development of
polymorphic viruses.
Polymorphic viruses: viruses, which are specifically designed to foil string matching
programs.
Seminar Malware - bit
19
Virus String Matching
• By definition, a virus spreads by copying a possibly altered version
of itself to other programs.
• An unavoidable problem in designing such viruses: possibility of
multiple infection.
Problem: infecting the same program so many times end up that the user notice a suspicious
loss in disk space.
• How does a virus know if it already infected a given program?
–
–
19.11.2007
Implies that viruses need an algorithm for identifying whether or not a given executable is
already infected.
The same decision problem that antiviral software faces while analyzing the same
executable.
Seminar Malware - bit
20
Virus String Matching
• First method: A viral detection algorithm is therefore a mixed
blessing for both parties:
1.
2.
Virus writer: prevents the virus from multiple infecting, minimizes the chances of being
discovered. But, it gives a detection algorithm to antiviral analyst, when the virus is found.
Antiviral analyst: lowers the chance that a user will find the virus due to unexplained loss of
disk space. But once found it has the benefit of identifying in the wild.
• Maybe primitive but very dangerous
–
•
Viruses that are indiscriminate about the executables they infect are very dangerous since
they have the potential to bring down host systems by their replication alone.
Second method: slow the rate of infection
–
19.11.2007
Prevents a virus from being discovered right away, without including a self-detection
mechanism.
Seminar Malware - bit
21
Pattern Matching
• Idea: take a string of bytes from the virus that does not change from
generation to generation and use it to find other instances of the
virus.
• Why does it work?
–
Simplest viruses copy themselves to host applications without significantly altering
themselves.
• Antiviral programs called scanners perform this scanning process.
• The approach is not flawless
– This method sometimes produces false positive results.
– For instance by a complicated copy-protection operations that contain a large
amount of binary data.
– New patches for programs.
19.11.2007
Seminar Malware - bit
22
Countermeasure to Scanners
• Design the virus so that it dose not contain any of the strings
contained in the database.
• Very effective, the scanner is not capable to find the virus, if the
needed search string is included in the list of search strings.
• Consequently, scanners are not very proactive in identifying viruses.
• Only proactive, when a new virus reuses the code of other virus, or
a trivial modification of it.
• A practical alternative: find a way to modify its own code sequence.
–
19.11.2007
Polymorphic viruses or evolutionary viruses.
Seminar Malware - bit
23
Obfuscation
• Simple Obfuscation method
Program
Program
Virus
=>easy detection:
• signature matching
• Very successful against the first
gen-viruses.
19.11.2007
Seminar Malware - bit
24
Polymorphic Viruses
• Numerous polymorphic viruses in the wild.
• For example the tremor hat almost 6,000,000,000 forms.
• A polymorphic virus consists of two parts:
–
–
Header
Body
• When dormant, body remains in encrypted form.
–
when activated, header is the first section of code to receive control from the operating
system.
• Functionality:
–
19.11.2007
the header decrypts the body in memory .Once the body is decrypted the header transfers
control to the body. The body performs the normal viral operations.
When the body is finished sends control to the host program.
Seminar Malware - bit
25
Polymorphic Viruses
Control sent
to virus
1
Decrypts body
Host program
Decryption header
Control
flows
naturally to
body after
decryption
2
3
Main body of virus in
encrypted form
4
Control sent to
host program
Typical polymorphic virus
19.11.2007
Seminar Malware - bit
26
Obfuscation
• Encrypted virus body + morphed decryption routine.
Infected
Program
the decrypted body performs the viral
operation
=> Detection: heuristic detection
*****************
*****************
19.11.2007
Seminar Malware - bit
27
Metamorphic Virus
• Metamorphic: reprogramming or infecting executable of different
OS.
• can reprogram itself:
–
–
do it by translating its own code into a temporary representation, edit the temporary
representation of itself, and then write itself back to normal code again.
Metamorphic engine undergoes the changes.
• used by some viruses when they are about to infect new files, as the
result is that the “children” will never look like their “parents”.
• Pattern recognition can be avoided again.
• Metamorphic code is more effective than polymorphic code.
–
19.11.2007
This is because most anti-virus software will try to search for known virus-code even during the
execution of the code.
Seminar Malware - bit
28
Obfuscation
•
Metamorphic viruses
–
Morph the whole virus body.
Infected
Program
Virus
=> Detection method
?
19.11.2007
Seminar Malware - bit
29
Example
Virus Code
(from Chernobyl CIH 1.4)
19.11.2007
Morphed virus Code
(from Chernobyl CIH 1.4)
Seminar Malware - bit
30
Metamorphic Virus
• Metamorphic code can also mean that a virus is capable of infecting
executables from two or more different operating systems.
–
Windows and GNU/Linux or even different computer architectures.
• Often, the virus does this by carrying several viruses with itself.
–
The beginning of the virus is then coded so that it translates to correct machine-code for all
of the platforms that it is supposed to execute in.
• It is possible in theory for a metamorphic virus to rewrite the
temporary representation of itself into another set of instructions,
intended for another computer architecture.
–
The API would also have to be changed.
• API (application programming interface):
– source code interface that an operating system or library provides to support
requests for services to be made of it by computer programs.
19.11.2007
Seminar Malware - bit
31
Smart Virus Scanner
•
Better virus detection tool
–
–
Analyze the program structure ( instead of signature matching).
Check for irrelevant instructions.
• What are irrelevant instructions?
–
–
NOPs
Control flow instructions that do not change the control flow.
•
–
–
E.g. jump/branches to the next instructions.
Instruction that modify dead (are not in use) register.
Sequence of instructions which do not modify the architectural state
•
E.g. add
ebx, 1
sub
ebx, 1
• Check whether viral properties are present in a program
–
–
–
•
E.g. program writes a executable.
E.g. program monitors as executables are loaded into memory and changes them.
E.g. program behaves just like virus xyz.
Check if the program exhibits those properties.
–
19.11.2007
If yes => is infected
Seminar Malware - bit
32
Heuristic Virus Detection
• Abnormal program behavior
• Viruses perform actions that are not typical of normal programs.
–
Result: there are several heuristics that can be used to detect them.
• Virus replicates by definition.
–
Word processors, web browsers and e-mail program does not replicate.
• Exception: patches
–
Patches are programs that add or overwrite code to a program on the machine.
• Check for code abnormalities.
–
19.11.2007
Unusual program entry points and unusual program behavior as self-replicating code.
Seminar Malware - bit
33
Detecting Abnormal Program
Behavior
• PEAT (portable executable analysis toolkit):
–
Designed to detect malware that has been added to programs, after they have been
compiled.
• Interrupts:
– Application programs access operating system routines using software
interrupts.
– E.g. keystroke from the keyboard.
– The program places various parameters in CPU registers and then execute a
software interrupt instruction (interrupt handler).
– CPU (temporarily) suspends the operation and look up the address of the
operating system routine for that interrupt in the interrupt vector table.
19.11.2007
Seminar Malware - bit
34
Interrupts
Interrupt table
Int 12
ROM OS
handler
Int 13
Int 14
Int 15
…
Int 19
Int 20
OS
handler
Int 21
Int 22
19.11.2007
Operating system software interrupt handling
Seminar Malware - bit
35
Interrupt Patching
• It’s a very effective way to modify the operating system service
routines to be more suspicious of the applications that call them.
• Interrupt patching
– Standard systems programming technique to add such functionality.
Int 12
•
Two advantages:
1.
can monitor the activities.
ROM OS
handler
Int 13
Int 14
Int 15
…
heuristic
activity
monitor
Int 19
Int 20
OS
handler
Int 21
Int 22
19.11.2007
Seminar Malware - bit
36
Interrupt patching
•
Two advantages:
1.
2.
19.11.2007
can monitor the activities.
Know the data flow, so I can control the interrupt.
Seminar Malware - bit
37
Interrupt Patching
•
Implementation in MIPS:
– EPC
•
•
32- bit register
Contains the address of corresponding instruction
– Cause
•
•
32-bit register
Contains the result of the exception.
–
–
Undefined instruction:0
Arithmetic overflow: 1
– Control signals
•
•
•
•
EPSWrite
Cause Write
IntCause: 1-bit control signal for the content of the lowest bit.
Exception address: (c 000 0000)hex address of exception handler.
•
To patch interrupt, an interrupt handler is loaded into memory in a
persistent and non-relocatable block (register).
•
When the handler finishes executing it sends control to the address that
was originally contained in the interrupt table.
19.11.2007
Seminar Malware - bit
38
Actual State of Affairs
• Visualizing executable viruses using self-organizing maps.
–
Each virus has it’s own character and can’t hide it through SOMs.
–
Like DNA , it’s an unique generic code.
• SOMs can figure out the family without knowing it’s signature.
• Aim:
–
–
design the SOM in a way that neurons will flag the presence of peculiar patterns in Windows
executable files
and that the position of the active neurons will reflect the position of potentially malicious
content in the file.
• Expectation:
–
19.11.2007
files infected by viruses of the same family => similar pattern in files.
Seminar Malware - bit
39
Actual State of Affairs
19.11.2007
Seminar Malware - bit
40
Summary
•
•
•
•
•
•
Originally CIH, Chernobyl because of the payload trigger date.
One of the most widely circulated viruses.
Only for DOS-base operating systems.
Hardware destructive (similar to Aragon).
Propagation through different software within a short time.
Most scanner can detect it but cannot completely clean infected
files.
• Only way to get rid of CIH is to replace infected files with copes of
untouched originals.
• Dual BIOS a security measures, the back up BIOS activates
automatically.
19.11.2007
Seminar Malware - bit
41
Summary
• There different variations of the virus still in the wild.
• Undecidability of virus detection, halting problem.
• Methods needed to identify viruses
– String/pattern matching
– Polymorphic viruses
– Metamorphic viruses
• Smart virus scanner
–
–
–
–
19.11.2007
Check for irrelevant instructions.
Check whether viral properties are present in a program.
Detecting abnormal program behavior.
• Interrupt patching, monitoring activities.
Visualizing viruses using self-organizing maps.
Seminar Malware - bit
42
References
[1] . Malicious cryptography exposing cryptovirology, Dr. Moti Yung, ISBN: 0-7645-4975-8
Published by wiley publishing, Inc., Indianapolis, Indiana.
[2]. www.f-secure.com, F-Secure Corporation
[3]. Virus Scanning as Model Checking, Mihai Christodorescu, University of Wisconsin,
Madison
[4]. Computer organization & design, the hardware/software interface. David A. Patterson
and John L. Hennessy. Second edition, Morgan Kaufmann Publishers.
ISBN: L-55860-428-b.
[5]. Visualizing Windows Executable Viruses Using Self-Organizing Maps, InSeon Yoo,
Telecommunications, Networks and Security Research Group, Department of
Informatics, University of Fribourg.
[6]. www.geot.com.
[7]. http://www.mirrors.wiretapped.net/security/info/textfiles/DOJ/DoJ5-08.txt
19.11.2007
Seminar Malware - bit
43
