Development of high-level language viruses under Windows Breno Dario & Ulisses Rocha µCon security conference 2008
2. File Infection
   - File infection overview
   - Overwriting
   - Prepending
   - PE Infection
   - Source File Infection

3. File Infection
   - Most used technique for file infection in HLL viruses
   - Just reading/writing operations
   - Deals with abstract .exe files instead of the PE structure
   - Can be implemented in almost all languages
   - Prepend-like

4. File Infection
   - Prepend-like (dirty side)
   - Infected files get bigger, so the user may notice
   - Tiny executables should be avoided for stealth reasons

5. File Infection
   - Alternate Data Streams (ADS)
   - Requires at least one hard drive running the NT file system (NTFS), and luckily most systems do these days.
   - Compatibility with the Macintosh Hierarchical File System (HFS).
   - Files stored on HFS consist of two parts (known as forks): the data fork and the resource fork.
   - Windows systems using NTFS store Macintosh resource forks in a hidden NTFS stream.
   - Information stored in the resource fork does not alter the original file in any way (e.g. last modified date or file size).

6. File Infection
   - Prepend + ADS for stealth
   - Hide the virus body in the resource fork
   - Infect the file with a tiny executable instead of the entire virus
   - Traveling problems

7. Spreading

8. Spreading
   - Search Mechanism
   - In-Memory Strategies
     - Direct Action
     - Memory-Resident
     - Temporary Memory-Resident
   - How to spread (most common mechanisms)
     - E-mail
     - Shared Folders
     - P2P Folders
     - USB Watcher

9. Spreading
   - Registry Shell Spawning
     - Temporary Memory-Resident
     - Relies on the operating system
   - How do you know which are EXE targets?
     - Windows® registry
   - HKEY_CLASSES_ROOT\exefile\shell\open\command
   - "%1" %*
   - What does that do?
     - "%1" will be replaced by the EXE's filename (with full path)
     - %* will be replaced by its parameters.

10. Spreading
   - Example
     - File Name: test.exe
     - Path: C:\windows
     - Command Line: "C:\windows\test.exe" -arg1 -arg2
   - Use that feature
     - Change the registry entry to: "C:\Windows\System32\virus.exe" "%1" %*
     - Command Line: "C:\windows\system32\virus.exe" "C:\windows\test.exe" -arg1 -arg2
   - "our virus will be executed EVERY TIME an EXE file is started."

11. Registry Shell Spawning
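A defensive check for the registry shell spawning technique on slides 9 and 10, added here as an example rather than code from the slide deck: given the (Default) value of HKEY_CLASSES_ROOT\exefile\shell\open\command, it reports whether a program has been inserted ahead of the stock "%1" %*, and which one. The `reg query` output layout the parser expects is an assumption about reg.exe's format; the sample output and the hijacked value (taken from slide 10's example) are constructed.

```python
import re

# Stock value of HKEY_CLASSES_ROOT\exefile\shell\open\command (Default).
# Anything else means some program is launched in front of every EXE the user starts.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample of `reg query` output for a hijacked key. The layout (key name,
# then an indented "(Default)  REG_SZ  value" line) is assumed to match reg.exe.
SAMPLE_REG_QUERY_OUTPUT = r"""
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    "C:\Windows\System32\virus.exe" "%1" %*
"""


def parse_default_value(reg_query_output):
    """Return the (Default) string value from `reg query` output, or None if absent."""
    for line in reg_query_output.splitlines():
        m = re.match(r'\s*\(Default\)\s+REG_(?:EXPAND_)?SZ\s+(.*)$', line)
        if m:
            return m.group(1).strip()
    return None


def analyze_exefile_command(value):
    """Classify the exefile open command.

    Returns (hijacked, spawned_program). hijacked is False for the stock value;
    otherwise spawned_program is the first token of the command, i.e. the program
    that now runs in front of every EXE (the "virus.exe" of slide 10).
    """
    normalized = " ".join(value.split())            # collapse stray whitespace
    if normalized == EXPECTED_EXEFILE_COMMAND:
        return False, None
    m = re.match(r'"([^"]+)"|(\S+)', normalized)     # quoted path or bare token
    program = (m.group(1) or m.group(2)) if m else normalized
    return True, program


def scan_reg_query_output(reg_query_output):
    """Parse the value out of `reg query` output and analyze it; None if no value found."""
    value = parse_default_value(reg_query_output)
    if value is None:
        return None
    return analyze_exefile_command(value)


if __name__ == "__main__":
    hijacked, program = scan_reg_query_output(SAMPLE_REG_QUERY_OUTPUT)
    print("hijacked:", hijacked, "| program spawned before every EXE:", program)
```

On a live host, pipe the output of `reg query HKEY_CLASSES_ROOT\exefile\shell\open\command` into `scan_reg_query_output`. Because HKEY_CLASSES_ROOT is a merged view, also query HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command, which overrides the machine-wide value for the current user. A non-default value is a lead rather than a verdict: some sandboxing and security products legitimately wrap the command, so compare the spawned program against what is expected to be installed. The same check applies unchanged to other file-type keys (batfile, cmdfile, comfile and so on).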
12. Self Protection

13. Process Hiding
   - API Hooking (Fashion Way)
   - Intercepts messages of the hooked process
   - Task Manager retrieves the list of running processes by calling NtQuerySystemInformation in ntdll
   - The goal is to intercept the calls to NtQuerySystemInformation made by Task Manager and drop the information about our evil process before it reaches Task Manager's process
   - Sometimes avoided because of its complexity
   - For this technique we need to inject a DLL into the target process's memory space
   - So the virus must carry a DLL as a payload

14. Process Hiding
   - Naming to svchost (Dirty Way)
   - All we need to do is name our evil executable file svchost.exe
   - There is always more than one svchost process running, so our virus will stay unnoticed by the user
   - Some say it's a lame technique, but the truth is it's very effective
   - It's widely used because no implementation is needed
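A detection for the "dirty way" on slide 14, added here as an example that is not part of the slide deck: a real service host lives in System32 (or SysWOW64) and is started by the Service Control Manager, so any process that merely borrows the name svchost.exe stands out by its image path and parent. The process snapshot below is constructed; the field names (`pid`, `name`, `path`, `parent_name`) are this example's own.

```python
# Where Windows keeps the real svchost.exe (lower-cased for comparison).
LEGIT_SVCHOST_PATHS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}
# Service host instances are started by the Service Control Manager.
EXPECTED_PARENT = "services.exe"

# Constructed process snapshot: pid, image name, full image path, parent image name.
SAMPLE_PROCESSES = [
    {"pid": 700, "name": "svchost.exe",
     "path": r"C:\Windows\System32\svchost.exe", "parent_name": "services.exe"},
    {"pid": 1234, "name": "svchost.exe",
     "path": r"C:\Users\bob\AppData\Roaming\svchost.exe", "parent_name": "explorer.exe"},
    {"pid": 2048, "name": "notepad.exe",
     "path": r"C:\Windows\System32\notepad.exe", "parent_name": "explorer.exe"},
]


def check_svchost(proc):
    """Return the reasons a process named svchost.exe looks fake (empty list if it looks real)."""
    reasons = []
    if proc["name"].lower() != "svchost.exe":
        return reasons                                  # only the borrowed name matters here
    if proc["path"].lower() not in LEGIT_SVCHOST_PATHS:
        reasons.append("image path outside System32/SysWOW64: " + proc["path"])
    if proc["parent_name"].lower() != EXPECTED_PARENT:
        reasons.append("parent is " + proc["parent_name"] + ", expected " + EXPECTED_PARENT)
    return reasons


def find_fake_svchost(processes):
    """Map pid -> reasons for every svchost.exe in the snapshot that fails the checks."""
    findings = {}
    for proc in processes:
        reasons = check_svchost(proc)
        if reasons:
            findings[proc["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in find_fake_svchost(SAMPLE_PROCESSES).items():
        print(pid, "->", "; ".join(reasons))
```

On a live host the snapshot can be built from `Get-CimInstance Win32_Process` (ExecutablePath and ParentProcessId, resolving the parent's name yourself) or from process-creation events in an EDR or Sysmon feed. The parent check is the weaker of the two indicators and is there to catch a correctly placed copy launched by something other than services.exe. Note the caveat from slide 13: a process hidden by hooking NtQuerySystemInformation in the enumerating process will not appear in a user-mode listing at all, so when that technique is suspected, compare the user-mode list against a kernel-level or offline (memory image) view rather than trusting the listing alone.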
15. Fucking AVs
   - AV Killer
   - AV Killer does the dirty job of taking AVs out of orbit
   - The first thing we need to implement an AV Killer is a list of AV process names
   - The virus loops through the running process list looking for specific names and kills them
   - The technique can be dangerous if misused

16. Advanced Code Evolution Techniques

17. Evolution of Code
   - Encrypted Viruses
   - Oligomorphic Viruses
   - Polymorphic Viruses
   - Metamorphic Viruses

18. Evolution of Code
   - Evolution baby evolution!!!
   - Antivirus defense techniques
     - Signature Verification
     - Heuristic Analysis

19. Evolution of Code
   - First method implemented
   - Encrypted

20. Evolution of Code
   - Encrypted Perl Virus

21. Evolution of Code
   - Evolved form of Encrypted Viruses
   - Semi-polymorphic
   - Multiple decryption patterns
   - Has the ability to hide in a random way
   - Oligomorphic

22. Evolution of Code
   - Oligomorphic Perl Virus

23. Evolution of Code
   - Polymorphic
     - Next step in the evolution of oligomorphic techniques
     - Oligomorphics X Polymorphics
   - Techniques
     - Junk instructions
     - Permutation
     - Entry Point Obfuscation

24. Evolution of Code
   - Natural polymorphics evolution
   - Polymorphics X Metamorphics
   - Black Box
   - Metamorphic