Viruses and Anti-Viruses
Viruses, Anti-virus and Anti-anti-virus Techniques.
Timid Virus Example with its assembly code

Comments

  • I need a copy of this presentation. Please send it to elhamjamalian@yahoo.com
  • I appreciate your passion. Please send me a copy of this presentation at rastippu11@yahoo.com
  • I need a copy of this presentation. Please send it to aryans14@yahoo.com. I want to present it in my institution.

Presentation Transcript

  • Plan of talk
    • Kinds of malware
    • Anti-Virus Technologies
    • Anti-Anti-Virus Techniques
    • Example Timid Virus
    • Code Explanation
  • Kinds of malware
    • Worms
    • Spyware
    • Trojan horses
    • Adware
  • Worms
    • A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.
  • Worm Propagation Leverage Network Connectivity
  • Spyware
    • Spyware is computer software that collects personal information about users without their informed consent. The term spyware is often used interchangeably with adware and malware.
    • Personal information is secretly recorded with a variety of techniques, including logging keystrokes, recording Internet web browsing history, and scanning documents on the computer's hard disk. Its effects range from theft of passwords and financial details to the merely annoying recording of Internet search history for targeted advertising. Spyware may collect different types of information. Some variants attempt to track the websites a user visits and then send this information to an advertising agency. More malicious variants attempt to intercept passwords or credit card numbers as a user enters them into a web form or other applications.
  • Trojan horses
    • A Trojan horse is a program that, unlike a virus, contains or installs a malicious program (sometimes called the payload or 'trojan'). The term is derived from the classical myth of the Trojan Horse. Trojan horses may appear to be useful or interesting programs (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.
    • The famous usage in hacking.
  • Trojan Leverages gullible users
  • Adware
    • Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used.
  • The functional logic of a virus
    • Search for a file to infect.
    • Open the file to see if it is infected.
    • If infected, search for another file.
    • Else, infect the file.
    • Return control to the host program.
  • Virus – Needs a host (figure)
  • Virus Propagation Leverage User Connectivity
  • Detection Technologies
    • Static Anti-Virus (AV) Scanners
      • Signature-based
        • Strings
        • Regular expressions
      • Static behavior analyzer
    • Dynamic AV Scanners
        • Behavior Monitors
  • Virus (Malware) Identification: antivirus scanners use extracted patterns, or “signatures”, to identify known malware. (Figure: an anti-virus signature matched against Virus Form A.)
  • Static Signature
    • Hex strings from virus variants
      • 67 33 74 20 73 38 6D 35 20 76 37 61
      • 67 36 74 20 73 32 6D 37 20 76 38 61
      • 67 39 74 20 73 37 6D 33 20 76 36 61
    • Hex string for detecting virus
      • 67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61
      • ?? = wildcard
  • Static Signature example: 8BEF 33C0 BF ?? ???? ?? 03 FDB9 ?? 0A 0000 8A85 ???? ???? 3007 47E2 FBEB
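The two signature slides above show the idea in two steps: several variants of one virus are aligned byte by byte, positions that differ become `??`, and the resulting wildcard string is what the scanner searches for. The following Python is an added example written for this transcript, not code from the presentation; it derives the wildcard signature from the three variant strings on the slide, compiles a signature (including the longer one whose tokens group several bytes, such as `8BEF` and `????`) into a regular expression over bytes, and reports every offset where it matches. All sample buffers are constructed for the demonstration.

```python
"""Wildcard hex-signature derivation and scanning (added example)."""
import re

# The three variant hex strings from the Static Signature slide.
VARIANTS = [
    "67 33 74 20 73 38 6D 35 20 76 37 61",
    "67 36 74 20 73 32 6D 37 20 76 38 61",
    "67 39 74 20 73 37 6D 33 20 76 36 61",
]

# The longer signature from the slide; tokens may group several bytes ("8BEF", "????").
LONG_SIGNATURE = "8BEF 33C0 BF ?? ???? ?? 03 FDB9 ?? 0A 0000 8A85 ???? ???? 3007 47E2 FBEB"


def derive_signature(variants):
    """Keep every byte that is identical across all variants; mask the rest as '??'."""
    rows = [bytes.fromhex(v) for v in variants]
    if len({len(r) for r in rows}) != 1:
        raise ValueError("variants must have the same length to be aligned byte-wise")
    tokens = []
    for i in range(len(rows[0])):
        column = {r[i] for r in rows}
        tokens.append(f"{rows[0][i]:02X}" if len(column) == 1 else "??")
    return " ".join(tokens)


def compile_signature(signature):
    """Compile a wildcard hex signature into a regular expression over bytes.

    Each two-digit chunk becomes a literal byte escape; each '??' becomes '.'.
    DOTALL makes the wildcard match the 0x0A byte as well."""
    pattern = b""
    for token in signature.split():
        if len(token) % 2:
            raise ValueError(f"odd-length token {token!r}")
        for j in range(0, len(token), 2):
            chunk = token[j:j + 2]
            pattern += b"." if chunk == "??" else b"\\x%02x" % int(chunk, 16)
    return re.compile(pattern, re.DOTALL)


def scan(buffer, signature):
    """Return the offsets in `buffer` at which `signature` matches."""
    return [m.start() for m in compile_signature(signature).finditer(buffer)]


if __name__ == "__main__":
    sig = derive_signature(VARIANTS)
    print("derived:", sig)
    # Constructed sample: NOP sled, one known variant, then padding.
    sample = b"\x90" * 8 + bytes.fromhex(VARIANTS[1]) + b"\x00" * 4
    print("hits in sample:", scan(sample, sig))
```

The derived string equals the slide's `67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61`, and because the masked positions are wildcards the same signature also matches a fourth variant the scanner has never seen, which is exactly the generalization the slide is after; the cost is that each wildcard also widens what a benign file can match, so in practice signatures are kept long and anchored on opcode bytes.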
  • Dynamic Signature
    • Monitor a running program to detect malicious behavior
    • For example, if an application opens another executable for write access, the blocker might display a warning asking for the user's permission to grant the write access. We will discuss the anti-anti-virus response to this later.
  • Attacking Integrity Checkers
    • Intercept open() system call
      • Open a non-infected backup of the file instead
    • Restore system to original state after attack
    • Infect system before checksums are computed
  • Attacking static signatures – Metamorphism (figure: Virus Form A transformed by M into Form B and Form C)
    • Metamorphic malware changes as it propagates
    • Creates multiple variants of itself
  • Metamorphism Example – five listings of the same code:
    • mov [ebp - 3], eax
    • push ecx / mov ecx,ebp / add ecx,33 / push esi / mov esi,ecx / sub esi,34 / mov [esi-2],eax / pop esi / pop ecx
    • push ecx / mov ecx, ebp / push eax / mov eax, 33 / add ecx, eax / pop eax / push esi / mov esi, ecx / push edx / mov edx, 34 / sub esi, edx / pop edx / mov [esi - 2], eax / pop esi / pop ecx
    • push ecx / mov ecx, [ebp + 10] / mov ecx, ebp / push eax / add eax, 2342 / mov eax, 33 / add ecx, eax / pop eax / mov eax, esi / push eax / mov esi, ecx / push edx / xor edx, 778f / mov edx, 34 / sub esi, edx / pop edx / mov [esi-2], eax / pop esi / pop ecx
    • push ecx / mov ecx,ebp / add ecx,33 / mov [ecx-36],eax / pop ecx
  • Attacking static signatures – Metamorphism (figure: one anti-virus signature per form): too many signatures challenge the AV scanner; using a different signature for every variant cannot scale.
  • Attacking Behavior Monitors
    • Some viruses can wait patiently until write access to the object is granted. These viruses are called slow infectors. Such viruses typically wait until the user makes a copy of an executable object; the virus (which is already loaded in memory) will be able to infect the target in the file cache before the file is created on the disk. Slow infectors attack behavior blockers effectively.
  • “Undo” Metamorphism – the same five listings as on the Metamorphism Example slide, to be normalized back to the single-instruction form
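The two metamorphism slides above make the defender's point: a string signature breaks as soon as the virus inserts junk instructions, but the variants still do the same thing, so a scanner can compare what the code does rather than how it is spelled. The Python below is an added example for this transcript, not code from the presentation or from any AV product. It executes each of the five listings symbolically: every register starts as an opaque symbol plus an offset, immediates are read as hexadecimal (as the slide writes `33`, `34` and `778f`), and only two things are recorded, the memory stores that happen and any register left changed at the end. Listings that are the same program then produce the same effect whatever shuffling was inserted. As transcribed, the fourth listing contains `mov eax, esi` right before the value is pushed and later stored, so the normalizer reports it as storing `esi` and leaving `eax` changed, while the other four reduce to the single store at `[ebp - 3]`.

```python
"""Symbolic normalizer for the metamorphic listings on the slides (added example)."""
import re

REGISTERS = ("eax", "ecx", "edx", "esi", "ebp")
MEM = re.compile(r"\[\s*(\w+)\s*(?:([+-])\s*([0-9a-fA-F]+))?\s*\]")

# The five listings from the Metamorphism Example slide, one instruction per ';'.
# Immediates are read as hex, as they appear on the slide.
VARIANTS = [
    "mov [ebp - 3], eax",
    "push ecx; mov ecx,ebp; add ecx,33; push esi; mov esi,ecx; sub esi,34; "
    "mov [esi-2],eax; pop esi; pop ecx",
    "push ecx; mov ecx, ebp; push eax; mov eax, 33; add ecx, eax; pop eax; push esi; "
    "mov esi, ecx; push edx; mov edx, 34; sub esi, edx; pop edx; mov [esi - 2], eax; "
    "pop esi; pop ecx",
    "push ecx; mov ecx, [ebp + 10]; mov ecx, ebp; push eax; add eax, 2342; mov eax, 33; "
    "add ecx, eax; pop eax; mov eax, esi; push eax; mov esi, ecx; push edx; xor edx, 778f; "
    "mov edx, 34; sub esi, edx; pop edx; mov [esi-2], eax; pop esi; pop ecx",
    "push ecx; mov ecx,ebp; add ecx,33; mov [ecx-36],eax; pop ecx",
]


def parse_operand(text):
    """Classify an operand as ('reg', name), ('imm', value) or ('mem', base_reg, offset)."""
    text = text.strip()
    m = MEM.fullmatch(text)
    if m:
        reg, sign, off = m.groups()
        offset = int(off, 16) if off else 0
        return ("mem", reg, -offset if sign == "-" else offset)
    if text in REGISTERS:
        return ("reg", text)
    return ("imm", int(text, 16))


def effect(listing):
    """Execute a listing symbolically and return its observable effect.

    Every register starts as (symbol, offset), e.g. ("eax0", 0); a constant is
    (None, value). The result records each memory store as
    ((base_symbol, offset), value) plus any register left changed at the end,
    so junk pushes, pops and dead moves fall away by construction."""
    regs = {r: (r + "0", 0) for r in REGISTERS}
    stack, stores, opaque = [], [], 0
    for insn in listing.split(";"):
        mnem, _, rest = insn.strip().partition(" ")
        ops = [parse_operand(o) for o in rest.split(",")] if rest else []
        if mnem == "push":
            stack.append(regs[ops[0][1]])
        elif mnem == "pop":
            regs[ops[0][1]] = stack.pop()
        elif mnem == "mov":
            dst, src = ops
            if dst[0] == "mem":                      # store: base register + displacement
                base, off = regs[dst[1]]
                stores.append(((base, off + dst[2]), regs[src[1]]))
            elif src[0] == "mem":                    # load: value unknown, keep it opaque
                base, off = regs[src[1]]
                regs[dst[1]] = (f"load[{base}{off + src[2]:+#x}]", 0)
            elif src[0] == "imm":
                regs[dst[1]] = (None, src[1])
            else:
                regs[dst[1]] = regs[src[1]]
        elif mnem in ("add", "sub"):
            dst, src = ops
            base, off = regs[dst[1]]
            sbase, delta = (None, src[1]) if src[0] == "imm" else regs[src[1]]
            if sbase is not None:                    # symbol + symbol: not tracked here
                opaque += 1
                regs[dst[1]] = (f"opaque{opaque}", 0)
            else:
                regs[dst[1]] = (base, off + delta if mnem == "add" else off - delta)
        else:                                        # xor and anything else: result opaque
            opaque += 1
            regs[ops[0][1]] = (f"opaque{opaque}", 0)
    clobbered = {r: v for r, v in regs.items() if v != (r + "0", 0)}
    return {"stores": stores, "clobbered": clobbered}


def same_effect(a, b):
    """True when two listings store the same values to the same places and
    leave the same registers untouched."""
    return effect(a) == effect(b)


if __name__ == "__main__":
    for n, v in enumerate(VARIANTS, 1):
        print(n, effect(v))
```

This is a deliberately small instance of the "undo transformation" idea: the normal form is the effect, not the text, so a signature over effects survives register renaming, inserted push/pop pairs and dead stores. It only covers the handful of mnemonics on the slide and gives up (an opaque value) on anything it cannot fold, which is the safe direction for a detector: an opaque result can only cause a miss, never a false claim of equivalence.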
  • Detecting Metamorphism
    • Behavior Monitors
      • Run suspect program in an emulator ( code emulation )
        • Analyze behavior while running
      • Look for changes in file structure
        • Some viruses modify files in a consistent way
      • Disassemble and look for virus-like instructions
  • Code Emulation
    • Code emulation is an extremely powerful virus detection technique. A virtual machine is implemented to simulate the CPU and memory management systems to mimic the code execution. Thus malicious code is simulated in the virtual machine of the scanner, and no actual virus code is executed by the real processor.
  • Virus Phylogeny (figure: phylogeny trees of the W32/Bagle, W32/Klez, W32/NetSky and W32/Bugbear families, with the variant names used by Symantec and McAfee: W32/Bagle.a@mm, W32/Bagle.j@mm, W32/Bagle.u@mm, W32/Bagle.ao@mm, W32/Bagle.aq@mm, W32/Klez.e@MM, W32/Klez.f@MM, W32/Klez.i@MM, W32/NetSky.A, W32/NetSky.B, W32.NetSky.A, W32.NetSky.B, W32.NetSky.D, W32/Bugbear.17916intd; e-mail addresses and two unlabelled nodes omitted)
  • Deobfuscator of Calls – call obfuscations to prevent static analysis
    • Normal call: L0: call L5 / L1: … / L2: … / L3: … / L4: … / L5: <proc> / L6: …
    • Obfuscated call: L0a: push L1 / L0b: push L5 / L0c: ret / L1: … / L2: … / L3: … / L4: … / L5: <proc> / L6: …
  • DOC: Deobfuscator of Calls
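The obfuscation on the slide works because `push L1; push L5; ret` leaves the stack and instruction pointer in exactly the state `call L5` would: the return address L1 is on the stack and execution continues at L5, so a static analyzer that only looks for `call` never sees the procedure boundary. The Python below is an added example for this transcript, not the DOC tool itself or any code from the presentation. It takes a listing as a list of `(label, instruction)` pairs, the same shape as the two slide listings, and rewrites a `push X; push Y; ret` triple into `call Y` only when X labels the instruction immediately after the `ret`, so genuine returns and genuine tail jumps are left alone.

```python
"""Rewrite push/push/ret call obfuscations back into calls (added example)."""

# The two listings from the slide as (label, instruction) pairs.
NORMAL = [
    ("L0", "call L5"), ("L1", "..."), ("L2", "..."), ("L3", "..."),
    ("L4", "..."), ("L5", "<proc>"), ("L6", "..."),
]
OBFUSCATED = [
    ("L0a", "push L1"), ("L0b", "push L5"), ("L0c", "ret"),
    ("L1", "..."), ("L2", "..."), ("L3", "..."), ("L4", "..."),
    ("L5", "<proc>"), ("L6", "..."),
]


def _push_target(instruction):
    """Return the operand of a 'push X' instruction, or None for anything else."""
    parts = instruction.split()
    return parts[1] if len(parts) == 2 and parts[0] == "push" else None


def deobfuscate_calls(listing):
    """Replace 'push RET; push TARGET; ret' with 'call TARGET'.

    The rewrite is only applied when RET is the label of the instruction that
    follows the ret, which is the one case in which the triple is a call; a
    ret with no preceding pushes, or a push/push/ret whose first operand is
    some other address, is a real return or jump and is kept as written."""
    out, i = [], 0
    while i < len(listing):
        if i + 3 < len(listing):
            (lbl, a), (_, b), (_, c) = listing[i:i + 3]
            ret_addr, target = _push_target(a), _push_target(b)
            if ret_addr and target and c == "ret" and ret_addr == listing[i + 3][0]:
                out.append((lbl, f"call {target}"))
                i += 3
                continue
        out.append(listing[i])
        i += 1
    return out


def instructions(listing):
    """Just the instruction text, for comparing two listings regardless of labels."""
    return [ins for _, ins in listing]


if __name__ == "__main__":
    for label, ins in deobfuscate_calls(OBFUSCATED):
        print(f"{label}: {ins}")
```

Once the call is restored, ordinary static analysis (procedure identification, call-graph construction, the behavior checks on the Detecting Metamorphism slide) works on the listing again. A real deobfuscator has to resolve the pushed values through registers and arithmetic rather than only through labels, but the decision it makes is the same one encoded here: does the `ret` transfer control with the fall-through address on the stack?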
  • Timid
    • Our example of malware
  • What Timid Virus do
    • Timid is a file infecting virus. It does not become memory resident. It infects .COM files, including COMMAND.COM . Timid appears to be an escaped research virus, and is now found in the public domain.
    • Each time a file infected with Timid is executed, the Timid virus infects the first uninfected .COM file in the current directory. If no uninfected .COM files exist in the current directory, a system hang occurs.
    • The string "VI" is located in the fourth and fifth bytes of infected files. Together with a jump (E9h) instruction located at the beginning of the infected file, it forms the infection marker the virus uses to determine whether the file was previously infected.
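The marker described above is also what a scanner can key on: a `.COM` image that begins with an `E9h` near jump and carries `VI` in its fourth and fifth bytes has been touched by Timid. The Python below is an added example for this transcript, not code from the presentation. It decodes the jump's 16-bit displacement using the standard `.COM` load address of 100h (the displacement is relative to the byte after the three-byte jump), so an analyst also learns where in the file the appended code starts. The clean host and the infected-looking image are constructed here as test fixtures; the "appended part" of the fixture is only NOP padding, not the virus body.

```python
"""Infection-marker check for the Timid virus described above (added example)."""
import os
import struct

COM_LOAD = 0x100   # .COM images are loaded at offset 100h of their segment


def timid_check(image):
    """Return the marker verdict for one .COM image and, if present, the jump target."""
    if len(image) < 5:
        return {"infected": False, "reason": "too short for the marker"}
    if image[0] != 0xE9:
        return {"infected": False, "reason": "no E9 jump at entry"}
    if image[3:5] != b"VI":
        return {"infected": False, "reason": "jump present but no VI marker"}
    rel16 = struct.unpack_from("<h", image, 1)[0]   # signed 16-bit displacement
    target = COM_LOAD + 3 + rel16                     # relative to the instruction after the jump
    return {"infected": True, "jump_target": target,
            "jump_offset_in_file": target - COM_LOAD}


def scan_com_files(directory):
    """Verdict for every .COM file in `directory` (reads real files; not run here)."""
    results = {}
    for name in os.listdir(directory):
        if name.upper().endswith(".COM"):
            with open(os.path.join(directory, name), "rb") as f:
                results[name] = timid_check(f.read())
    return results


def build_sample_host(size=0x20):
    """Constructed clean host: mov ah,4Ch / mov al,0 / int 21h, padded with NOPs."""
    body = b"\xB4\x4C\xB0\x00\xCD\x21"
    return body + b"\x90" * (size - len(body))


def build_sample_infected(host):
    """Constructed fixture carrying the marker the slide describes: the host's
    first five bytes replaced by E9 <rel16> 'VI', with NOP padding standing in
    for the code that would be appended after the host."""
    target_offset = len(host)             # appended part starts right after the host
    rel16 = target_offset - 3             # displacement is taken from file offset 3
    header = b"\xE9" + struct.pack("<h", rel16) + b"VI"
    return header + host[5:] + b"\x90" * 8


if __name__ == "__main__":
    host = build_sample_host()
    print("clean host:", timid_check(host))
    print("fixture:   ", timid_check(build_sample_infected(host)))
```

Two things in the check are worth keeping in mind when turning it into a real rule: a legitimate `.COM` program may well start with `E9h`, so the jump alone is not evidence, and the decoded jump offset should land inside the file (at or past the original host's end, given that the slide says the virus appends itself); a target outside the file is a sign of a corrupted or merely coincidental match.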
  • Overwriting Viruses
  • Difference Between .COM and .EXE files
    • A .COM file is a direct image of how the program will look in main memory. A .COM file is limited to 64K or 100H for all segments combined, but an .EXE file can have as many segments as your linker will handle and be as large as RAM can take.
    • The actual file extension doesn't matter.
    • In .EXE files we create the stack segment, but in .COM files the stack is created automatically.
  • How to Write a .COM program
    • Program size: maximum 64K (including the 256-byte PSP)
    • Data, stack, and code in one (64K) segment
    • The stack segment in a COM program is automatically generated
    • Initialization for a COM program: all four segment registers are automatically initialized with the PSP address
    • Addressing begins at address 100H; after the .CODE directive, the program needs the directive:
    • ORG 100H
  • How to assemble it
  • Example of .COM code
    • MAIN SEGMENT BYTE
    • ASSUME CS:MAIN,DS:MAIN,SS:NOTHING
    • ORG 100H
    • START:
    • FINISH:
    • mov ah,4CH
    • mov al,0
    • int 21H
    • MAIN ENDS
    • END START
  • A.BAT file
    • A .BAT file is a file that contains a sequence, or batch, of commands . Batch files are useful for storing sets of commands that are always executed together because you can simply enter the name of the batch file instead of entering each command individually.
  • TIMID – The Host of our Virus
  • labels
  • Host
    • Start of the virus
    • Jumping to the call of the first instruction of the code
  • virus
    • label for first byte of code to use it in our program.
  • VIRUS_START
    • call GET_START
    • this is a trick to determine the location of the start of this program
  • GET_START
    • Save the @virus
    • Set the DTA
    • Search for a file
    • Exit if not found
    • Infect if found
    • Display the name of infected file
  • EXIT_VIRUS
    • Restore the DTA of the virus
    • Return to the host to terminate the virus
  • START_CODE
    • Five bytes of the program, reserved to save the original 5 bytes from the host
    • It is filled with NOPs
  • FIND_FILE
    • Find The file to infect in the current directory.
    • And the FF_LOOP label is on it.
  • FF_LOOP
    • Loop that searches for a file that can be infected
    • Returns NZ if there isn’t any file to infect
    • It calls FILE_OK to check whether the file can be infected
  • FF_DONE
    • Return to the GET_START label in both cases, whether or not a file to infect was found
  • FILE_OK
    • Determine whether the file is already infected or whether its size would exceed 64 KB, to make sure that we can use it.
    • If the file is OK, save its first five bytes in START_IMAGE for later use
  • FOK_NZEND
    • Return NZ if we will not infect the file we found
  • FOK_ZEND
    • Return Z if the file is ok and we can infect it .
  • INFECT
    • The infection code: appends the virus to the host and writes the signature ‘VI’ and the jump (E9) into it.
  • FINAL
    • label for last byte of code to use it in our program.
  • Summary
    • Malware kinds
      • Virus, worms, Trojans, adware, spyware, etc.
    • Anti-Virus Technologies
      • Static, Dynamic Scanners
      • AV Process
    • Anti-AV Techniques
      • Transform, Hide
    • Research Results
      • Undo transformation
      • Detect obfuscation
      • Create phylogeny
    • Code explanation