  • 1. Development of high-level language viruses under Windows Breno Dario & Ulisses Rocha µCon security conference 2008
  • 2. File Infection
    • File infection overview
    • Overwriting
    • Prepending
    • PE Infection
    • Source File Infection
  • 3. File Infection
    • Prepend-like
    • Most used technique for file infection in HLL-viruses
    • Just reading/writing operations
    • Deal with abstract .exe files instead of PE structure
    • Can be implemented in almost all languages
  • 4. File Infection
    • Prepend-like (dirty side)
    • Infected files get bigger, so the user may notice
    • Tiny executables should be avoided for stealth reasons
  • 5. File Infection
    • Alternate Data Streams (ADS)
    • Requires at least one hard drive running the NT file system (NTFS), and luckily most systems have one these days.
    • Compatibility with the Macintosh Hierarchical File System (HFS).
    • Files stored on an HFS consist of two parts (known as forks).
    • Data fork and Resource fork.
    • Windows systems using NTFS store Macintosh resource forks in a hidden NTFS stream.
    • Information stored in the resource fork does not alter the original file in any way (e.g. last modified date or file size).
  • 6. File Infection
    • Prepend + ADS for stealth
    • Hide virus body in the resource fork
    • Infect file with a tiny executable instead of the entire virus
    • Traveling problems
  • 7.
    • Spreading
  • 8. Spreading
    • Search Mechanism
    • In-Memory Strategies
        • Direct Action
        • Memory-Resident
        • Temporary Memory-Resident
    • How to spread (Most common mechanisms)
        • E-mail
        • Shared Folders
        • P2P Folders
        • USB Watcher
  • 9. Spreading
    • Registry Shell Spawning
      • Temporary Memory-Resident
      • Relies on the operating system
    • How do you know which are the EXE targets?
      • Windows ® registry
      • HKEY_CLASSES_ROOT\exefile\shell\open\command
      • "%1" %*
    • What does that mean?
      • "%1" will be replaced by the EXE's filename (with full path)
      • %* will be replaced by its parameters.
  • 10. Spreading
    • Example
      • File Name: test.exe
      • Path: C:\windows
      • Command Line:
      • "C:\windows\test.exe" -arg1 -arg2
    • Use that feature
      • Change the registry entry to:
      • "C:\Windows\System32\virus.exe" "%1" %*
      • Command Line:
      • "C:\windows\system32\virus.exe" "C:\windows\test.exe" -arg1 -arg2
    • "our virus will be executed EVERY TIME an EXE file is started."
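A defender's check for the shell-spawning hijack described in slides 9 and 10, added here as an example and not code from the original talk: it compares the exefile open command against the stock `"%1" %*` and names whatever program has been put in front of `"%1"`. The sample values are constructed; `read_live_exefile_command()` touches the real registry only when run on Windows.

```python
r"""Detect a hijacked HKEY_CLASSES_ROOT\exefile\shell\open\command value.

Added example, not from the original slides.  The stock value is '"%1" %*';
any program placed in front of "%1" runs every time an .exe is started.
"""
import re
import sys

# Value Windows ships with: the double-clicked program, then its arguments.
STOCK_COMMAND = '"%1" %*'
EXEFILE_KEY = r"exefile\shell\open\command"

# Windows command-line tokens: a double-quoted run or a run of non-blanks.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def check_exefile_command(command):
    """Return (is_stock, interposer).

    is_stock is True only for the stock '"%1" %*' (whitespace tolerant).
    interposer is the program standing in front of "%1", i.e. what really
    runs first, or None when "%1" still leads (or the value is empty).
    """
    tokens = _TOKEN.findall(command)
    placeholders = [t.strip('"').lower() for t in tokens]
    if placeholders == ["%1", "%*"]:
        return True, None
    if not tokens or placeholders[0] == "%1":
        # "%1" still runs first, but the argument passing was altered.
        return False, None
    return False, tokens[0].strip('"')


def read_live_exefile_command():
    """Default value of the exefile open command, or None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, hence the late import
    return winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, EXEFILE_KEY)


# Constructed sample values (not taken from any real machine).
SAMPLES = {
    "stock": STOCK_COMMAND,
    "stock_spaced": '  "%1"   %*  ',
    "hijacked": r'"C:\Windows\System32\virus.exe" "%1" %*',   # slide 10
    "hijacked_unquoted": r'C:\Users\Public\update.exe "%1" %*',
    "args_dropped": '"%1"',
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        stock, interposer = check_exefile_command(value)
        print(f"{name:18} stock={stock!s:5} interposer={interposer}")
```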
  • 11. Registry Shell Spawning
  • 12.
    • Self Protection
  • 13. Process Hiding
    • API Hooking (Fashion Way)
    • Intercepts messages of the hooked process
    • Task Manager retrieves information about the list of running processes by calling the function NtQuerySystemInformation in ntdll
    • The goal is to intercept the calls to NtQuerySystemInformation made by Task Manager and drop the information about our evil process before it reaches Task Manager's process
    • Sometimes avoided because of its complexity
    • For this technique we need to inject a DLL into the target process's memory space
    • So the virus must carry a DLL as payload
  • 14. Process Hiding
    • Naming to svchost (Dirty Way)
    • All we need to do is name our evil executable file svchost.exe
    • There is always more than one svchost process running, so our virus will stay unnoticed by the user
    • Some say it is a lame technique, but the truth is it is very effective
    • It is widely used because there is no implementation needed
  • 15. Fucking AVs
    • AV Killer
    • AV Killer does the dirty job of taking AVs out of orbit
    • The first thing we need to implement an AV Killer is a list of AV process names
    • The virus loops through the running processes list looking for specific names and kills them
    • The technique can be dangerous if misused
  • 16.
    • Advanced Code Evolution Techniques
  • 17. Evolution of Code
    • Encrypted Viruses
    • Oligomorphic Viruses
    • Polymorphic Viruses
    • Metamorphic Viruses
  • 18. Evolution of Code
    • Evolution baby evolution!!!
    • Antivirus defense techniques
        • Signatures Verification
        • Heuristic Analysis
  • 19. Evolution of Code
    • First method implemented
    • Encrypted
  • 20. Evolution of Code
    • Encrypted Perl Virus
  • 21. Evolution of Code
    • Oligomorphic
    • Evolved form of Encrypted Viruses
    • Semi-polymorphics
    • Multiple decryption patterns
    • Has the ability to hide in a random way
  • 22. Evolution of Code
    • Oligomorphic Perl Virus
  • 23. Evolution of Code
    • Polymorphic
      • Next step of oligomorphics techniques evolution
      • Oligomorphics vs. Polymorphics
    • Techniques
      • Junk instructions
      • Permutation
      • Entry Point Obfuscation
  • 24. Evolution of Code
    • Metamorphic
    • Natural evolution of Polymorphics
    • Polymorphics vs. Metamorphics
    • Black Box
  • 25. References
    • 29a labs ( vx.netlux.org/29a )
    • Ready Rangers Liberation Front ( vx.netlux.org/rrlf )
    • DoomRiderz ( vx.netlux.org/doomriderz )
    • EOF-PROJECT ( www.eof-project.net )
    • VX Heavens ( vx.netlux.org )