Telecommunications Networking II
Lecture 41f
Viruses and Worms
Viruses (and Worms)
References:
William Stallings, Cryptography and Network Security, Chapter 15.2
Viruses and Worms
• Virus: “A program that can ‘infect’ other programs by modifying them; the modification includes a copy of the virus program, which can then go on to infect other programs” (ref: Stallings p. 504)
• Worm: “Network worm programs use network connections to pass from system to system” (ref: Stallings p. 504)
Viruses and Worms
• Virus: extraneous executable code that attaches itself to a file or an application, and that can reproduce itself to infect other files or applications
• Worm: a stand-alone executable program that can replicate itself, and that can utilize system resources to spread to multiple systems
Simple Virus Structure (ref: Stallings p. 506)
program V :=
{goto main;
 1234567;

 subroutine infect-executable :=
   {loop:
    file := get-random-executable-file;
    if (first-line-of-file = 1234567)
       then goto loop
       else prepend V to file;}

main: main-program :=
   {infect-executable;
    goto next;}

next:
}
Viruses and Worms
• The simple virus (prior slide) postpends or prepends a fixed executable set of instructions to a file or application
• Changes the size of the file
Viruses and Worms
• If we know how long a file is supposed to be, then we can detect the infection by noting the mismatch between the length of the infected file and the length of an uninfected file.
• However, it is relatively easy to defeat the above detection method, e.g. by compressing the original file so that the infected file keeps its original length.
Compression Virus (ref: Stallings p. 507)
1. Compress the next victim file
2. Prepend the virus code to the compressed victim file
… then, when the infected file is executed:
3. Execute the virus code (infect new files, etc.)
4. Decompress the current victim file
5. Run the decompressed file
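The following is an added example, not code from the lecture or from Stallings. It simulates, at the level of file contents only, the effect of the simple prepending virus and of the compression virus on a constructed victim file, and shows which integrity check catches each: the length check catches the plain prepend but not the compressed variant, while a keyed hash (HMAC) recorded over the clean file catches both. zlib as the compressor, zero padding to keep the exact original length, and the HMAC key are all assumptions of this demo.

```python
# Added example (not from the lecture or Stallings): file-content effect of the simple
# prepending virus vs. the compression virus, and the checks a defender can run.
# All data below is constructed.
import hashlib
import hmac
import zlib

CLEAN_FILE = (b"CLEAN-EXECUTABLE-IMAGE " * 100)[:2000]   # constructed "program" bytes
PREPENDED_BLOCK = b"[CONSTRUCTED-PREPENDED-CODE-BLOCK]"   # stand-in for the virus code V
HMAC_KEY = b"constructed-demo-key"  # assumption: kept by the checker, not on the scanned host


def record_baseline(image: bytes, key: bytes) -> dict:
    """What the defender stores about a known-clean file: its length and a keyed hash."""
    return {"length": len(image),
            "mac": hmac.new(key, image, hashlib.sha256).hexdigest()}


def simple_prepend(image: bytes) -> bytes:
    """Effect of the simple virus: V is prepended, so the file grows by len(V)."""
    return PREPENDED_BLOCK + image


def compress_and_prepend(image: bytes) -> bytes:
    """Effect of the compression virus: the victim is compressed first and the block
    prepended; zero padding (an assumption of this demo) keeps the original length."""
    body = PREPENDED_BLOCK + zlib.compress(image, 9)
    if len(body) > len(image):
        raise ValueError("victim does not compress enough to hide the size change")
    return body + b"\0" * (len(image) - len(body))


def recover_victim(infected: bytes) -> bytes:
    """Step 4 of the slide: strip the block and decompress the original victim.
    Trailing padding ends up in d.unused_data and is ignored."""
    d = zlib.decompressobj()
    return d.decompress(infected[len(PREPENDED_BLOCK):])


def length_check_detects(baseline: dict, image: bytes) -> bool:
    """The slide's length check: flag any size mismatch against the baseline."""
    return len(image) != baseline["length"]


def mac_check_detects(baseline: dict, image: bytes, key: bytes) -> bool:
    """Keyed-hash check: flags any content change, regardless of file length."""
    current = hmac.new(key, image, hashlib.sha256).hexdigest()
    return not hmac.compare_digest(current, baseline["mac"])


if __name__ == "__main__":
    baseline = record_baseline(CLEAN_FILE, HMAC_KEY)
    grown = simple_prepend(CLEAN_FILE)
    hidden = compress_and_prepend(CLEAN_FILE)
    print("simple prepend, length check:", length_check_detects(baseline, grown))
    print("compressed,     length check:", length_check_detects(baseline, hidden))
    print("compressed,     HMAC check:  ", mac_check_detects(baseline, hidden, HMAC_KEY))
    print("victim recovered intact:     ", recover_victim(hidden) == CLEAN_FILE)
```

The key is what makes the hash check hold up: an unkeyed checksum stored next to the file can simply be recomputed by whatever modifies the file, whereas the HMAC cannot be regenerated without the key the checker holds.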
Viruses and Worms
• Parasite virus: Attaches itself to an executable file; replicates and infects another file when the executable file is executed
• Memory-resident virus: lodges in main memory and infects every program that executes
• Boot sector virus:
Viruses and Worms
• Polymorphic virus: transforms (morphs) itself every time it replicates, to avoid detection of its signature
• Macro virus: infects documents (non-executable content + macros) that are opened using Microsoft Word or other Office applications; the macros can, iteratively, infect other documents, delete files, etc.
Polymorphic Viruses
• Polymorphic viruses attempt to hide themselves from virus signature detection by changing (morphing) themselves every time they replicate
Polymorphic Viruses
• Change with each new infection
• Are (for example) comprised of two parts
  – A decryptor
  – An encrypted virus file
• Both the decryptor and the encrypted file change each time the virus replicates, so that neither one has a fixed signature
[Figure: Infected application = Decryptor + Encrypted virus file, prepended to App. 1]
How does it work (1)?
[Figure: the Decryptor in App. 1 runs and unpacks the Mutator Engine (Virus version xyz), which is then executing]
1. The decryptor executable will decrypt the encrypted virus file
How does it work (2)?
[Figure: the Mutator Engine of Virus version xyz produces a New Decryptor and a new Encrypted virus file (Virus version xyz+1), which are prepended to App. 2]
2. Virus1 finds the victim (App. 2)
3. Mutator Engine creates a new Decryptor, a new virus file, and encrypts the new virus file
4. Virus2 is prepended to App. 2
“The Black Baron’s” Tutorial (http://www.pins.co.uk/upages/probertm/vx_poly.htm)
    MOV  SI,jumbled_data    ; Point to the jumbled data
    MOV  CX,10              ; Ten bytes to decrypt
main_loop:
    XOR  BYTE PTR [SI],55   ; (unscramble) a byte
    INC  SI                 ; Next byte
    LOOP main_loop          ; Loop for the 9 remaining bytes
In other words: encrypt by XOR’ing each byte of the virus file with 55; and decrypt by XOR’ing with 55 again
(ultra-simple decryptor)
“The Black Baron’s” Tutorial
    MOV  CX,10
    MOV  SI,jumbled_data
main_loop:
    XOR  BYTE PTR [SI],55
    INC  SI
    LOOP main_loop
(permuted ultra-simple decryptor: same instructions, different order)
“The Black Baron’s” Tutorial
    MOV  CX,10
    NOP
    NOP
    MOV  SI,jumbled_data
    NOP
main_loop:
    NOP
    NOP
    XOR  BYTE PTR [SI],55
    NOP
    INC  SI
    NOP
    NOP
    NOP
    NOP
    LOOP main_loop
(NOPs added to the decryptor)
“The Black Baron’s” Tutorial
    MOV  DX,10            ; Real part of the decryptor!
    MOV  SI,1234          ; junk
    AND  AX,[SI+1234]     ; junk
    CLD                   ; junk
    MOV  DI,jumbled_data  ; Real part of the decryptor!
    TEST [SI+1234],BL     ; junk
    OR   AL,CL            ; junk
main_loop:
    ADD  SI,SI            ; junk instruction, real loop!
    XOR  AX,1234          ; junk
    XOR  BYTE PTR [DI],55 ; Real part of the decryptor!
    SUB  SI,123           ; junk
    INC  DI               ; Real part of the decryptor!
    TEST DX,1234          ; junk
    AND  AL,[BP+1234]     ; junk
    DEC  DX               ; Real part of the decryptor!
    NOP                   ; junk
    XOR  AX,DX            ; junk
    SBB  AX,[SI+1234]     ; junk
    AND  DX,DX            ; Real part of the decryptor!
    JNZ  main_loop        ; Real part of the decryptor!
(junk instructions added to the decryptor)
Detecting Viruses (ref: Stallings pp. 510-514)
• Look for a known virus signature
• Heuristic methods: look for structures in a file that look like they may be associated with a virus (e.g., a decryption loop)
• Checksums (easily defeated using compression and decompression techniques, or by changing the stored checksum)
• Digital signatures
Virus Signature Detection
Example:
20,000 files to check × 30,000 virus signatures to test against = 600,000,000 tests to perform
@ 1 test per microsecond => 10 minutes to perform the virus check
Heuristic
Intuitive: e.g., it seems like it might work
Plausible: it seems to make sense
Not proven: but, then again, it’s hard to say how effective it will be
Example: Stock analysts present heuristic arguments to support their predictions
Detecting Viruses (ref: Stallings pp. 510-514)
• Identify viruses by the actions they cause
• Pre-execute all programs in an emulator (i.e., interpret the instructions one at a time, under control of the virus detection engine) to observe such things as decryption processes and the signatures of decrypted viruses
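The following is an added example, not code from the lecture or from Stallings. It ties together the three detection ideas above (signature scan, heuristic for a decryption loop, and emulation) on a constructed sample built like the tutorial’s XOR-55 decryptor: a plain signature scan over the stored bytes misses the encrypted body, the heuristic flags the XOR-inside-a-loop structure, and a tiny emulator steps the decryptor so the signature can be matched against the decrypted result. The decryptor is a constructed list of toy instructions that mirror the slide’s MOV/XOR/INC/LOOP, not real x86 decoding; the signature string and the step budget are assumptions of this demo.

```python
# Added example (not from the lecture or Stallings): toy detection pipeline showing
# static signature scan -> heuristic -> emulation on a constructed XOR-encoded sample.
# The "decryptor" is a toy instruction list, NOT real x86 machine code (assumption).

SIGNATURE = b"CONSTRUCTED-SAMPLE-SIGNATURE"   # constructed stand-in for a known signature
XOR_KEY = 0x55                                # the key used by the tutorial decryptor
MAX_STEPS = 10_000                            # emulation budget, as real engines impose


def build_sample(plain_body: bytes):
    """Construct (decryptor, encrypted body) the way the slides describe:
    body XOR'd byte-wise with 0x55, plus a toy decryptor that undoes it."""
    decryptor = [
        ("mov", "cx", len(plain_body)),  # MOV CX,n              ; n bytes to decrypt
        ("mov", "si", 0),                # MOV SI,jumbled_data   ; point at the data
        ("label", "main_loop"),
        ("xor_mem", "si", XOR_KEY),      # XOR BYTE PTR [SI],55
        ("inc", "si"),                   # INC SI
        ("loop", "main_loop"),           # LOOP main_loop (dec CX, jump if CX != 0)
    ]
    encrypted = bytes(b ^ XOR_KEY for b in plain_body)
    return decryptor, encrypted


def static_signature_scan(data: bytes) -> bool:
    """Plain signature matching over the bytes as they sit on disk."""
    return SIGNATURE in data


def looks_like_decryption_loop(decryptor) -> bool:
    """Heuristic: a memory-modifying XOR sitting between a label and a LOOP back to it."""
    labels = {ins[1]: i for i, ins in enumerate(decryptor) if ins[0] == "label"}
    for i, ins in enumerate(decryptor):
        if ins[0] == "loop" and ins[1] in labels:
            body = decryptor[labels[ins[1]]:i]
            if any(b[0] == "xor_mem" for b in body):
                return True
    return False


def emulate(decryptor, data: bytes, max_steps: int = MAX_STEPS) -> bytes:
    """Interpret the toy decryptor one instruction at a time against a copy of the data,
    so the engine can inspect what the sample would decrypt itself into. The step budget
    stops an endless loop from stalling the scanner."""
    regs = {"cx": 0, "si": 0}
    mem = bytearray(data)
    labels = {ins[1]: i for i, ins in enumerate(decryptor) if ins[0] == "label"}
    pc = steps = 0
    while pc < len(decryptor) and steps < max_steps:
        ins = decryptor[pc]
        op = ins[0]
        steps += 1
        if op == "mov":
            regs[ins[1]] = ins[2]
        elif op == "xor_mem":
            addr = regs[ins[1]]
            if 0 <= addr < len(mem):          # ignore out-of-range writes
                mem[addr] ^= ins[2]
        elif op == "inc":
            regs[ins[1]] += 1
        elif op == "loop":
            regs["cx"] -= 1
            if regs["cx"] != 0:
                pc = labels[ins[1]]
                continue
        pc += 1
    return bytes(mem)


def scan(decryptor, data: bytes) -> dict:
    """Run the three stages and report what each one found."""
    result = {
        "static_match": static_signature_scan(data),
        "heuristic_flag": looks_like_decryption_loop(decryptor),
        "emulated_match": False,
    }
    if result["heuristic_flag"]:   # only pay for emulation when the heuristic fires
        result["emulated_match"] = static_signature_scan(emulate(decryptor, data))
    return result


if __name__ == "__main__":
    body = b"constructed virus body ... " + SIGNATURE + b" ... more constructed body"
    dec, enc = build_sample(body)
    print(scan(dec, enc))
    # {'static_match': False, 'heuristic_flag': True, 'emulated_match': True}
```

Gating emulation on the heuristic mirrors the cost argument from the signature-scan slide: stepping every file through an emulator is far more expensive than a byte comparison, so the engine spends that effort only where the file’s structure already looks suspicious.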