Plan of talk: kinds of malware; anti-virus technologies; anti-anti-virus techniques; example: the Timid virus, with a code explanation.
Kinds of malware: worms, spyware, Trojan horses, adware.
Worms: A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network), and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.
Worm propagation: leverages network connectivity.
Spyware: Spyware is computer software that collects personal information about users without their informed consent. The term spyware is often used interchangeably with adware and malware. Personal information is secretly recorded with a variety of techniques, including logging keystrokes, recording Internet web browsing history, and scanning documents on the computer's hard disk. The effects range from theft of passwords and financial details to the merely annoying recording of Internet search history for targeted advertising. Spyware may collect different types of information: some variants attempt to track the websites a user visits and then send this information to an advertising agency, while more malicious variants attempt to intercept passwords or credit card numbers as a user enters them into a web form or other applications.
Trojan horses: A Trojan horse is a program that, unlike a virus, contains or installs a malicious program (sometimes called the payload or 'trojan'). The term is derived from the classical myth of the Trojan Horse. Trojan horses may appear to be useful or interesting programs (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed. They are a famous tool in hacking.
Trojan: leverages gullible users.
Adware: Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used.
The functional logic of a virus: (1) search for a file to infect; (2) open the file to see if it is infected; (3) if infected, search for another file; (4) else, infect the file; (5) return control to the host program.
Virus: needs a host.
Virus propagation: leverages user connectivity.
Detection technologies: static anti-virus (AV) scanners (signature-based: strings, regular expressions; static behavior analyzer) and dynamic AV scanners (behavior monitors).
Virus (malware) identification: antivirus scanners use extracted patterns, or “signatures”, to identify known malware (diagram: a signature extracted from virus form A).
Static signature: hex strings from three variants of the same virus:
    67 33 74 20 73 38 6D 35 20 76 37 61
    67 36 74 20 73 32 6D 37 20 76 38 61
    67 39 74 20 73 37 6D 33 20 76 36 61
Hex string for detecting the virus (?? = wildcard):
    67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61
Static signature example: 8BEF 33C0 BF ?? ???? ?? 03 FDB9 ?? 0A 0000 8A85 ???? ???? 3007 47E2 FBEB
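Worked example added here (not code from the slides): a minimal static-signature scanner in Python that compiles the slides' ?? wildcard notation into a byte regex and runs it over a constructed sample buffer. The hex strings are the ones on the two Static Signature slides; the sample buffer and the helper names are this example's own.

```python
import re

# Added example, not code from the slides: a minimal static-signature scanner
# for the "??" wildcard notation used on the Static Signature slides.

# Hex strings extracted from three variants of one virus (from the slide).
VARIANTS = [
    "67 33 74 20 73 38 6D 35 20 76 37 61",
    "67 36 74 20 73 32 6D 37 20 76 38 61",
    "67 39 74 20 73 37 6D 33 20 76 36 61",
]
# The wildcard signature covering all three (from the slide); ?? matches any byte.
SIGNATURE = "67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61"
# The second slide example; tokens may group several bytes ("8BEF", "????").
SIGNATURE_2 = "8BEF 33C0 BF ?? ???? ?? 03 FDB9 ?? 0A 0000 8A85 ???? ???? 3007 47E2 FBEB"


def tokenize(sig):
    """Yield one element per byte: an int for a fixed byte, None for a wildcard."""
    for tok in sig.split():
        if len(tok) % 2:
            raise ValueError(f"odd-length token {tok!r}")
        for i in range(0, len(tok), 2):
            pair = tok[i:i + 2]
            yield None if pair == "??" else int(pair, 16)


def signature_length(sig):
    """Number of bytes the signature spans (fixed bytes plus wildcards)."""
    return sum(1 for _ in tokenize(sig))


def hex_bytes(hex_str):
    """Turn a wildcard-free hex string into bytes (used for constructed samples)."""
    out = list(tokenize(hex_str))
    if None in out:
        raise ValueError("wildcards are not allowed in sample data")
    return bytes(out)


def compile_signature(sig):
    """Build a bytes regex: fixed bytes are escaped, wildcards become '.'."""
    parts = [b"." if b is None else re.escape(bytes([b])) for b in tokenize(sig)]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data, sig):
    """Offset of the first hit of the signature in data, or None."""
    m = compile_signature(sig).search(data)
    return m.start() if m else None


if __name__ == "__main__":
    # Constructed sample "file": padding, the second variant, more padding.
    sample = b"\x90" * 16 + hex_bytes(VARIANTS[1]) + b"\xcc" * 8
    print(scan(sample, SIGNATURE))         # 16
    print(signature_length(SIGNATURE_2))   # 28
```

Every ?? widens the match, so a signature with many wildcards should be run against a corpus of clean files to measure false positives before it is deployed.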
Dynamic signature: monitor a running program to detect malicious behavior. For example, if an application opens another executable for write access, the behavior blocker might display a warning asking for the user's permission to grant the write access; the anti-anti-virus answer to this technique is discussed later.
Attacking integrity checkers: intercept the open() system call and open a non-infected backup of the file instead; restore the system to its original state after the attack; infect the system before checksums are computed.
Attacking static signatures with metamorphism: metamorphic malware changes as it propagates, creating multiple variants of itself (diagram: virus form A → M → form B → M → form C).
Metamorphism example: the instruction mov [ebp - 3], eax and four equivalent forms a metamorphic engine can emit.
Form 1 (original):
    mov [ebp - 3], eax
Form 2:
    push ecx
    mov ecx,ebp
    add ecx,33
    push esi
    mov esi,ecx
    sub esi,34
    mov [esi-2],eax
    pop esi
    pop ecx
Form 3:
    push ecx
    mov ecx, ebp
    push eax
    mov eax, 33
    add ecx, eax
    pop eax
    push esi
    mov esi, ecx
    push edx
    mov edx, 34
    sub esi, edx
    pop edx
    mov [esi - 2], eax
    pop esi
    pop ecx
Form 4 (with junk instructions inserted):
    push ecx
    mov ecx, [ebp + 10]
    mov ecx, ebp
    push eax
    add eax, 2342
    mov eax, 33
    add ecx, eax
    pop eax
    mov eax, esi
    push eax
    mov esi, ecx
    push edx
    xor edx, 778f
    mov edx, 34
    sub esi, edx
    pop edx
    mov [esi-2], eax
    pop esi
    pop ecx
Form 5:
    push ecx
    mov ecx,ebp
    add ecx,33
    mov [ecx-36],eax
    pop ecx
Attacking static signatures with metamorphism (continued): too many signatures challenge the AV scanner; using a different signature for each variant cannot scale (diagram: one anti-virus signature against virus forms A, B and C).
Attacking behavior monitors: some viruses can wait patiently until write access to the object is granted. These viruses are called slow infectors. Such viruses typically wait until the user makes a copy of an executable object; the virus (which is already loaded in memory) will be able to infect the target in the file cache before the file is created on the disk. Slow infectors attack behavior blockers effectively.
“Undo” metamorphism: the five forms of the Metamorphism example, read in reverse: undoing each register spill, removing the inserted junk instructions and folding the split displacement (33 - 34 - 2 = -3) collapses every variant back to the single instruction mov [ebp - 3], eax.
Detecting metamorphism with behavior monitors: run the suspect program in an emulator (code emulation) and analyze its behavior while running; look for changes in file structure, since some viruses modify files in a consistent way; disassemble and look for virus-like instructions.
Code emulation: code emulation is an extremely powerful virus detection technique. A virtual machine is implemented to simulate the CPU and memory management systems and mimic the code execution. Thus the malicious code is simulated in the scanner's virtual machine, and no actual virus code is executed by the real processor.
Virus phylogeny (two tree diagrams, not recoverable as text): they relate variants of W32/Bagle (.a, .j, .u, .ao, .aq), W32/Klez (.e, .f, .i), W32/NetSky (.A, .B, .D) and W32/Bugbear.17916intd, with the second tree contrasting Symantec and McAfee naming; some leaves (shown as ??) are unlabelled.
Deobfuscator of calls: call obfuscations prevent static analysis.
Normal call:
    L0:  call L5
    L1:  …
    L2:  …
    L3:  …
    L4:  …
    L5:  <proc>
    L6:  …
Obfuscated call:
    L0a: push L1
    L0b: push L5
    L0c: ret
    L1:  …
    L2:  …
    L3:  …
    L4:  …
    L5:  <proc>
    L6:  …
DOC: Deobfuscator of Calls.
Timid: our example of malware.
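Added example (not a tool from the talk): a Python peephole normaliser that undoes the two obfuscations shown on the Metamorphism and Deobfuscator of Calls slides, the register-spill rewrite and the push/push/ret call disguise, on the slides' own listings. The two rules, the line format and the VARIANT_3 name are this example's assumptions; it handles labels and operands only in the simple form the slides use.

```python
import re

# Added example, not a tool from the talk: a small peephole normaliser that
# undoes two obfuscations shown on the slides, the push/push/ret call disguise
# and the register-spill rewrite (push R; mov R, V; OP X, R; pop R).
# Input lines look like "L0a: push L1" or "add ecx, eax"; the label is optional.
LINE_RE = re.compile(r"^\s*(?:(\w+):)?\s*(\w+)\s*(.*?)\s*$")
SPILL_OPS = {"add", "sub", "xor", "or", "and", "cmp", "mov"}

def parse(lines):
    """Turn each text line into (label or None, mnemonic, [operands])."""
    prog = []
    for line in lines:
        label, mnem, rest = LINE_RE.match(line).groups()
        ops = [o.strip() for o in rest.split(",")] if rest else []
        prog.append((label, mnem.lower(), ops))
    return prog

def fmt(ins):
    label, mnem, ops = ins
    text = mnem + (" " + ", ".join(ops) if ops else "")
    return f"{label}: {text}" if label else text

def normalise(lines):
    """Apply the two rewrite rules until nothing changes; return text lines."""
    prog = parse(lines)
    changed = True
    while changed:
        changed = False
        for i in range(len(prog) - 3):
            w = prog[i:i + 4]
            mnems = [ins[1] for ins in w]
            # Rule 1: push RET; push TARGET; ret  ==>  call TARGET, valid when
            # RET labels the instruction right after the ret (the slide's L1).
            if mnems[:3] == ["push", "push", "ret"] and w[3][0] == w[0][2][0]:
                prog[i:i + 3] = [(w[0][0], "call", [w[1][2][0]])]
                changed = True
                break
            # Rule 2: push R; mov R, V; OP DST, R; pop R  ==>  OP DST, V.
            # R is only a scratch register here, so DST must not be R and the
            # three inner instructions must not be jump targets (no labels).
            if (mnems[0] == "push" and mnems[1] == "mov" and mnems[3] == "pop"
                    and mnems[2] in SPILL_OPS and len(w[2][2]) == 2):
                r = w[0][2][0]
                if (w[1][2][0] == r == w[3][2][0] == w[2][2][1]
                        and w[2][2][0] != r and all(ins[0] is None for ins in w[1:])):
                    prog[i:i + 4] = [(w[0][0], w[2][1], [w[2][2][0], w[1][2][1]])]
                    changed = True
                    break
    return [fmt(ins) for ins in prog]

# Inputs copied from the slides' listings: the obfuscated call and the third
# metamorphic form of mov [ebp - 3], eax.
OBFUSCATED_CALL = ["L0a: push L1", "L0b: push L5", "L0c: ret", "L1: nop", "L5: nop"]
VARIANT_3 = ["push ecx", "mov ecx, ebp", "push eax", "mov eax, 33", "add ecx, eax",
             "pop eax", "push esi", "mov esi, ecx", "push edx", "mov edx, 34",
             "sub esi, edx", "pop edx", "mov [esi - 2], eax", "pop esi", "pop ecx"]

if __name__ == "__main__":
    print(normalise(OBFUSCATED_CALL))   # ['L0a: call L5', 'L1: nop', 'L5: nop']
    print(normalise(VARIANT_3))         # collapses to the slide's second form
```

Running the output through the rules again changes nothing, which is the fixpoint a signature or a hash of the normalised code can then be taken on.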
What the Timid virus does: Timid is a file-infecting virus. It does not become memory resident. It infects .COM files, including COMMAND.COM. Timid appears to be an escaped research virus and is now found in the public domain. Each time a file infected with Timid is executed, the Timid virus infects the first uninfected .COM file in the current directory. If no uninfected .COM files exist in the current directory, a system hang occurs. The string "VI" is located in the fourth and fifth bytes of infected files. Together with a jump (E9h) instruction located at the beginning of the infected file, it forms the infection marker used by the virus to determine whether the file was previously infected.
Overwriting Viruses
Difference between .COM and .EXE files: A .COM file is a direct image of how the program will look in main memory. A .COM file is limited to 64K for all segments combined (its image starts at offset 100H), but a .EXE file can have as many segments as your linker will handle and be as large as RAM can take. The actual file extension doesn't matter. In EXE files we create the stack segment, but in COM files the stack is created automatically.
How to write a .COM program: program size is at most 64K (including the 256-byte PSP); data, stack and code share one 64K segment; the stack segment of a COM program is generated automatically. Initialization of a COM program: all four segment registers are automatically initialized with the PSP address; addressing begins at address 100H, so after the .CODE directive the program needs the directive ORG 100H.
How to assemble it
Example of .COM code:
    MAIN    SEGMENT BYTE
            ASSUME CS:MAIN,DS:MAIN,SS:NOTHING
            ORG 100H                ; .COM image starts at offset 100H, after the PSP
    START:
    FINISH: mov ah,4CH              ; DOS function 4CH: terminate process
            mov al,0                ; return code 0
            int 21H                 ; call DOS
    MAIN    ENDS
            END START               ; entry point
A .BAT file: a .BAT file is a file that contains a sequence, or batch, of commands. Batch files are useful for storing sets of commands that are always executed together, because you can simply enter the name of the batch file instead of entering each command individually.
 
TIMID: the host of our virus.
Labels in the Timid source:
Host: start of the virus. The host's entry jumps to the call that is the first instruction of the virus code.
virus: label for the first byte of the code, used within the program.
VIRUS_START: call GET_START. This is a trick to determine the location of the start of this program: the call pushes its return address, which tells the code where it has been loaded.
GET_START: save the address of the virus (@virus); set the DTA; search for a file; exit if none is found; infect the file if found; display the name of the infected file.
EXIT_VIRUS: restore the DTA saved by the virus and return to the host to terminate the virus.
START_CODE: five bytes reserved to save the original five bytes of the host; initially filled with NOPs.
FIND_FILE: find the file to infect in the current directory; the FF_LOOP label sits inside it.
FF_LOOP: loop searching for a file that can be infected. Returns NZ if there is no file to infect. It calls FILE_OK to check whether the file can be infected.
FF_DONE: return to the GET_START label in both cases, whether a file to infect was found or not.
FILE_OK: determine whether the file is already infected, or whether its size after infection would exceed 64 KB, to make sure that we can use it. If the file is OK, save its first five bytes in START_IMAGE for later use.
FOK_NZEND: return NZ if we will not infect the file we found.
FOK_ZEND: return Z if the file is OK and we can infect it.
INFECT: the infection code appends the virus to the host and writes the signature ‘VI’ and the jump (E9) at the start of the file.
FINAL: label for the last byte of the code, used within the program.
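Added example (not the talk's code): a read-only checker in Python for the Timid infection marker described above (E9h at offset 0, "VI" in the fourth and fifth bytes), run over constructed .COM images. The clean sample is the slide's exit-only .COM program; the infected sample reproduces the marker layout over that host with NOP padding standing in for the appended body, and all function names are this example's own.

```python
import os

# Added example, not the talk's code: a read-only checker for the Timid
# infection marker described on the slides. Timid writes a near jump (E9h)
# at offset 0 of an infected .COM file and the string "VI" in the 4th and
# 5th bytes; the virus itself uses that pair to recognise already-infected files.
JMP_NEAR = 0xE9
MARKER = b"VI"


def has_timid_marker(image: bytes) -> bool:
    """True when byte 0 is E9h and bytes 3..4 (the 4th and 5th) are "VI"."""
    return len(image) >= 5 and image[0] == JMP_NEAR and image[3:5] == MARKER


def jmp_target(image: bytes) -> int:
    """Address the initial E9 jump lands on; a .COM image loads at 100H."""
    rel = int.from_bytes(image[1:3], "little", signed=True)
    return 0x100 + 3 + rel   # E9 rel16 is 3 bytes; rel counts from the next instruction


def classify(image: bytes) -> str:
    return "infected" if has_timid_marker(image) else "clean"


def scan_images(files: dict) -> dict:
    """Verdict per .COM file for an in-memory {name: bytes} collection."""
    return {name: classify(data) for name, data in files.items()
            if name.upper().endswith(".COM")}


def scan_directory(path: str) -> dict:
    """Same check over every *.COM file in path; nothing is written back."""
    files = {}
    for name in sorted(os.listdir(path)):
        if name.upper().endswith(".COM"):
            with open(os.path.join(path, name), "rb") as f:
                files[name] = f.read()
    return scan_images(files)


# Constructed samples. CLEAN_COM is the slide's exit-only .COM program
# (mov ah,4Ch / mov al,0 / int 21h). INFECTED_COM reproduces the marker layout
# over that host: its first five bytes are replaced by E9 rel16 "VI", the jump
# skips the 6-byte host, and the appended body is just NOP padding here.
CLEAN_COM = bytes.fromhex("B44CB000CD21")
INFECTED_COM = bytes([JMP_NEAR, 0x03, 0x00]) + MARKER + CLEAN_COM[5:] + b"\x90" * 16

if __name__ == "__main__":
    print(scan_images({"A.COM": CLEAN_COM, "B.COM": INFECTED_COM, "README.TXT": b""}))
    print(hex(jmp_target(INFECTED_COM)))   # 0x106: first byte after the 6-byte host
```

A legitimate .COM file may also begin with an E9 jump, so the check deliberately requires both halves of the marker; a hit is evidence for this one family only, and the original five host bytes that a cleaner would need live in the virus body's START_IMAGE, not in the marker.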
Summary: malware kinds (virus, worms, Trojans, adware, spyware, etc.); anti-virus technologies (static and dynamic scanners; the AV process); anti-AV techniques (transform, hide); research results (undo transformation, detect obfuscation, create phylogeny); code explanation.

Viruses and Anti-Viruses