Virus Encryption
CS 450, Joshua Bostic
Topics
Encryption as a deterrent to virus scans. History of polymorphic viruses. Use of encryption by viruses.
Why encrypt the code?
The ability of a virus to change its own code or form is known as polymorphism.
Changing the code prevents anti-virus programs from matching the encrypted virus against the well-known byte patterns recorded for that virus.
How to find viruses
If the code that decrypts the virus can be found, the virus can be detected and removed.
The virus author's answer is to make the decryption code polymorphic as well.
To do this, the virus can scatter different parts of its code around the host program by using jumps.
Repositioning of code
Figure (layout of an infected file): program code; a portion of the virus code followed by a jump to the end of the program code; the remainder of the virus code.
So now what?
Encrypted polymorphic viruses can fool anti-virus software for only so long.
After enough versions of the decryption code have been seen, virus scanners can recognize in general terms what the virus will look like.
This is done with heuristics.
Heuristics
Two approaches: emulation and analysis.
Emulation runs the questionable code in a virtual machine. If the code acts in a malicious way, it is considered a virus.
Analysis inspects the code and determines its intent.
Benefit: can find unknown variants. Con: can take a long time and can produce false positives.
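Added example (not from the slides): a toy model in Python of the two ideas above. Per the "Why encrypt the code?" and "How to find viruses" slides, each infection carries a freshly keyed, re-ordered decryptor in front of an XOR-encrypted body, so a fixed byte pattern never matches the stored file; the emulation heuristic from the Heuristics slide runs the decryptor in a sandboxed VM with an instruction budget and then matches the decrypted image. The body, the five-opcode "decryptor" bytecode and the emulator are all constructed for illustration, not taken from any real virus or scanner.

```python
import random

BODY = b"CONSTANT-BODY: a stand-in for the unchanging virus body"  # constructed
SIGNATURE = b"unchanging virus body"        # pattern a static scanner matches
KEY, XOR, NOP, JMP, HALT = 1, 2, 3, 4, 5   # opcodes of the hypothetical toy VM

def build_sample(rng):
    """One 'infection': mutated decryptor (fresh key, shuffled XOR order,
    junk NOPs scattered in), followed by the XOR-encrypted body."""
    key, n_nops = rng.randrange(1, 256), rng.randrange(0, 16)
    dec_len = 2 + 2 * len(BODY) + n_nops + 1          # KEY, XORs, NOPs, HALT
    ops = [bytes([XOR, dec_len + i]) for i in range(len(BODY))]
    rng.shuffle(ops)
    for _ in range(n_nops):
        ops.insert(rng.randrange(len(ops) + 1), bytes([NOP]))
    code = bytes([KEY, key]) + b"".join(ops) + bytes([HALT])
    return code + bytes(b ^ key for b in BODY)         # body starts at dec_len

def emulate(sample, budget=5000):
    """Sandboxed toy-VM run: memory image at HALT, None if the budget runs out."""
    mem, pc, key = bytearray(sample), 0, 0
    for _ in range(budget):
        op = mem[pc]
        if op == KEY:
            key, pc = mem[pc + 1], pc + 2
        elif op == XOR:
            mem[mem[pc + 1]] ^= key
            pc += 2
        elif op == NOP:
            pc += 1
        elif op == JMP:
            pc = mem[pc + 1]
        elif op == HALT:
            return bytes(mem)
    return None          # budget exhausted: the slide's con, emulation takes time

def static_scan(sample):
    """Pattern matching on the stored bytes: what the encryption defeats."""
    return SIGNATURE in sample

def heuristic_scan(sample):
    """Emulation heuristic: run the decryptor, then match the decrypted image."""
    image = emulate(sample)
    return image is not None and SIGNATURE in image

def compare(n=5, seed=1):
    """(static hits, emulation hits, distinct images) over n mutated infections."""
    samples = [build_sample(random.Random(seed + i)) for i in range(n)]
    return sum(map(static_scan, samples)), sum(map(heuristic_scan, samples)), len(set(samples))
```

`compare()` returns `(0, 5, 5)`: five byte-for-byte different infections, none caught by the static pattern, all five caught after emulation; a sample that only jumps to itself exhausts the budget and is reported as not emulatable rather than hanging the scanner.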
Spreading
The speed of mutation can also be controlled. The encryption changes with every new infection, but how much it changes depends on how fast the mutation is.
If the mutation is slow, it is harder to determine which of the differing combinations of code are still the same virus.
Current example
The Virut virus infects .exe and .scr files. Each time it spreads it mutates. It opens a backdoor and connects to an Internet Relay Chat (IRC) server, which allows someone to remotely download further malware onto the computer.
Early examples
The Dark Avenger was one of the first polymorphic viruses. It was first noticed in the early 1990s. It added extra code to .com and .exe files in MS-DOS. Once the infected program had run 16 times, the virus would randomly overwrite a section of the hard drive.
It was created in Bulgaria, but the creator is still unknown.
Inventor of polymorphism
Fred Cohen invented polymorphism for viruses.
He is also credited with being the first to define the term "computer virus".
He currently works on virus defense techniques.
Other uses for encryption
A virus can also encrypt the victim's files. One virus known to do this is Gpcode. Gpcode encrypts some of your data and then offers to decrypt it once you have paid a ransom.
Gpcode uses 1024-bit RSA encryption. It encrypts files that end in doc, txt, pdf, xls, jpg, png, and others.
Work arounds
Kaspersky Lab (an anti-virus company) suggests using PhotoRec to recover the encrypted data.
PhotoRec is freeware. The only problem is that if you turned the computer off after it was infected, PhotoRec won't work.
Full fixes
Currently there is no known fix to the problem.
Kaspersky is trying to find the proper key to decrypt the files, but nothing prevents the creator from changing the key.
Kaspersky is also looking for a more general solution to the virus.
Conclusion
Use of encryption with polymorphism. Effects of polymorphism. Virus encryption.
Questions?
Resources
http://vx.netlux.org/lib/static/vdat/tumisc76.htm
Security in Computing
http://vx.org.ua/lib/static/vdat/ephearto.htm
http://www.infoworld.com/d/security-central/kaspersky-workaround-encryption-virus-comes-catch-465
http://voices.washingtonpost.com/securityfix/2008/06/ransomware_encrypts_victim_fil.html
http://www.cgsecurity.org/wiki/PhotoRec
http://all.net/resume/bio.html
http://it.toolbox.com/wiki/index.php/Metamorphic_Code