Explore the world of stealth viruses & the mechanisms they use to conceal themselves in our systems
Added: Apr 22, 2008
Slides: 31 pages
Stealth Virus
Would you believe me if I said this is not entirely true?
So let's explore the world of stealth viruses & the mechanisms they use to conceal themselves in our systems.
What is a virus?
• A virus is a computer program that was written to purposely damage computer systems.
• Initially it was a hobby, later research, now a profession.
• Frederick Cohen coined the term 'Virus'.
• Cohen's definition of virus: "A virus is a program that is able to infect other programs by modifying them to include a possibly evolved copy of itself."
• A piece of code, to be called a virus, should be able to replicate itself. Along with this, it may cause damage to the computer.
Generic Structure of a Virus
• The Replicator: controls the spread of the virus to other files.
• The Concealer: keeps the virus from being detected.
• The Bomb: executes when the activation conditions are satisfied. Often called the Payload. It is optional.
Tunneling Viruses
• Tunneling viruses attempt to be the first on a call chain of
interrupts, installing themselves in front of other resident
applications.
• In this way, control gets to the virus first, and the virus
proceeds to execute the original handler to bypass
antivirus monitoring programs.
• A virus examines these system entry points (tunnels). It can tunnel, or trace back, along the program associated with a system call.
• E.g.: Eddie virus
Armored Viruses
• Authors of armored viruses want to be sure that the virus code is even more difficult for scanners to detect, even if the scanners use techniques such as heuristics that can pinpoint previously unknown computer viruses.
• Furthermore, if a virus sample is obtained by any means, its author wants to make the analysis of the virus code as difficult as possible, to further delay rapid response to the virus attack.
• The primary goal is to confuse the analyzer. Commonly
used techniques are Encrypted Data, Obfuscated Code.
• E.g.: W32/Blaster worm.
Aggressive Retroviruses
• A retrovirus is a computer virus that specifically tries to
bypass or hinder the operation of an antivirus, personal
firewall, or other security programs.
• There are many possible ways for an attacker to achieve
this because most Windows users work with their
computers as a user with administrative privileges.
• This gives computer viruses the potential to kill the
processes and files that belong to antivirus software or to
disable the antivirus programs.
• E.g.: Disabling AutoProtect.
Size Stealth
• Most viruses are detected because of the increase in the host's file size.
• In a Size Stealth virus the size of the file remains the same even after infection.
• Size Stealth is a method which can hide a file's true size.
[Figure: UNINFECTED FILE (1000 bytes) + VIRUS (100 bytes) = Infected File, still reported as 1000 bytes]
How is it possible?
Method 1
• The DOS operating system has 2 methods for searching files: one via FCB (11h/12h) and the other with file handles (4Eh/4Fh).
• So, we have to hide the files from both, FCB and file handles. E.g.: Respect!
• Respect hides by installing a handler on INT 21h which can trap
– 4Bh : For executing the infected or virus file
– 11h, 12h : Search files using FCB
– 4Eh, 4Fh : Search files via file handles
– 57h : Get or set file date and time
How do we know that a file is infected?
• The virus could "mark" the file in some way, e.g. the 4th byte is equal to xx. But this costs both virus size and speed. Also, it cannot be hidden.
• A file's date in the 90's was something like 04-28-96: 04 is the month, 28 the day of the month and (19)96 the year. The virus used to add 100 to the year so that the date would be (20)06. The user still saw that as 04-28-96. E.g.: Respect!
• The seconds field in the time stamp would be set to a particular value.
• The virus alters dates on the fly. If function 57h is requested by a program, the virus handler traps the request first, then checks whether the specified file is infected with our virus. If yes, it subtracts 100 years and puts the new value in memory. So the virus has started hiding.
Method 2
• A virus might intercept system calls which examine the
contents or attributes of infected files.
• The results of these calls must be altered to correspond to
the file's original state.
• For example, a stealth virus might remove the virus code
from an executable when it is read (rather than executed)
so that an anti-virus software package will examine the
original, uninfected host program.
• E.g.: Skywalker
Skywalker infects
• Important offsets:
– Offset 0Dh : File Time (packed). Used to check if the file is infected by the virus.
– Offset 11h : File Size. Subtract the size of the virus from this value.
– Offset 20h : File Name. To see if the file being opened is a COM or EXE file.
• Steps followed by Skywalker to infect:
1. Intercept the open calls (3Dh and 6Ch). Fake an INT 21h to get the file handle.
2. Check the file's time (offset 0Dh) to see if the file is infected (marked) with the virus.
3. If the file is infected, subtract the size of our virus from offset 11h (file size).
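Added example, not part of the slide deck: a Python decoder for the fields the Skywalker slide names (0Dh file time, 11h file size, 20h file name) applied to a constructed SFT entry, together with the plausibility check a scanner can run against the date tricks described under "How do we know that a file is infected?" (the year pushed 100 years ahead, the seconds field used as a marker). The entry layout is assumed from the documented DOS 4+ System File Table entry (offset 0Fh for the packed date is taken from that layout, not from the slide); every byte value below is constructed test data.

```python
import struct

# Offsets inside a DOS 4+ System File Table (SFT) entry. 0Dh, 11h and 20h are the
# ones the slide names; 0Fh (packed date) is assumed from the documented layout.
SFT_TIME, SFT_DATE, SFT_SIZE, SFT_NAME = 0x0D, 0x0F, 0x11, 0x20
SFT_ENTRY_LEN = 0x3B  # documented DOS 4+ entry length; only the fields above are used


def pack_date(year, month, day):
    """DOS packed date: 7-bit year offset from 1980, 4-bit month, 5-bit day."""
    return ((year - 1980) << 9) | (month << 5) | day


def pack_time(hour, minute, second):
    """DOS packed time: 5-bit hour, 6-bit minute, 5-bit seconds/2."""
    return (hour << 11) | (minute << 5) | (second // 2)


def unpack_date(d):
    return (d >> 9) + 1980, (d >> 5) & 0xF, d & 0x1F


def unpack_time(t):
    return t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2


def build_sft_entry(name, ext, size, packed_time, packed_date):
    """Build a minimal SFT entry. Constructed test data, not captured from DOS."""
    buf = bytearray(SFT_ENTRY_LEN)
    struct.pack_into("<H", buf, SFT_TIME, packed_time)
    struct.pack_into("<H", buf, SFT_DATE, packed_date)
    struct.pack_into("<I", buf, SFT_SIZE, size)
    buf[SFT_NAME:SFT_NAME + 11] = f"{name:<8}{ext:<3}".encode("ascii")
    return bytes(buf)


def parse_sft_entry(buf):
    """Decode the fields a stealth virus reads or patches in the SFT entry."""
    (packed_time,) = struct.unpack_from("<H", buf, SFT_TIME)
    (packed_date,) = struct.unpack_from("<H", buf, SFT_DATE)
    (size,) = struct.unpack_from("<I", buf, SFT_SIZE)
    raw = buf[SFT_NAME:SFT_NAME + 11].decode("ascii")
    return {
        "name": raw[:8].rstrip() + "." + raw[8:].rstrip(),
        "size": size,
        "date": unpack_date(packed_date),
        "time": unpack_time(packed_time),
    }


def dos_dir_display(entry):
    """What DIR showed in the 90s: a two-digit year, so 2096 prints as 96."""
    year, month, day = entry["date"]
    return f"{month:02d}-{day:02d}-{year % 100:02d}"


def stealth_markers(entry, reference_year):
    """Plausibility checks on the fully decoded timestamp.

    reference_year is the year the scan runs in (the slide's example lives in 1996).
    """
    findings = []
    year, month, day = entry["date"]
    _hour, _minute, second = entry["time"]
    if year > reference_year + 1:
        findings.append(f"year {year} is {year - reference_year} years in the future")
    if second >= 60:
        findings.append(f"seconds field decodes to {second}, outside 0..58")
    if not (1 <= month <= 12 and 1 <= day <= 31):
        findings.append("month or day out of range")
    return findings


if __name__ == "__main__":
    marked = parse_sft_entry(build_sft_entry("README", "COM", 1000,
                                             pack_time(12, 0, 62), pack_date(2096, 4, 28)))
    print(dos_dir_display(marked), stealth_markers(marked, 1996))
```

The check only works on the full decoded value: DIR's two-digit display collapses 2096 back to "96", which is exactly why the trick fooled users, and a marker chosen inside the legal seconds range is invisible to a plausibility test. It also has to read the directory or SFT data itself; asking function 57h hands the question to the very INT 21h handler the virus installed.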
Full Stealth
• The full stealth on disk method consists of disinfecting on open and reinfecting on close.
• To implement full stealth, virus writers intercept the open and the close functions.
• So, when the AV software or the user tries to open the file to view its content, they disinfect the file or, to put it simpler, remove the virus from the file.
• This way, the file will be clean and no one will suspect that our virus is active in memory.
• And then, when the file gets closed, it will be reinfected.
• E.g.: Paranoid
Disinfect on Open
• Fake a INT 21h call to intercept the 3Dh & 6Ch function
• Check if the file that is being opened is a COM or EXE
• Open file for reading and writing
• Check whether file is infected or not
• If not infected exit
• Save the file's time & date
• Read the original bytes in memory
• Write the original code
• Restore file size
• Subtract the length of our virus
• Restore original year
• Truncate the file
• Close the file
Reinfect on Close
• Fake an INT 21h call to intercept the 3Eh function
• Check if infected
• If the file is infected, close the file
• Save file time, date & size
• Write the virus to host
• Set old file's time/date
• Mark the file for stealth
Redirection Stealth
• Also known as "true full stealth" or "full stealth in memory", this technique is one of the best file-related stealth methods ever known.
• To redirect something means to change its direction.
• In conclusion, this redirects all the reads of infected bytes to uninfected ones.
• Hence the name "redirection stealth".
Encrypted Viruses
• One of the easiest ways to hide the functionality of the virus code was encryption. The first known virus that implemented encryption was Cascade on DOS.
• How to make life difficult for the analyst:
– Multiple layers of encryption are used.
– The start of the decryptor is obfuscated.
– The attacker can decide not to store the key for encryption anywhere in the virus. Instead, the virus uses brute force to decrypt itself.
– The direction of the loop can change.
– There is only one decryption loop, but it uses multiple keys to decrypt each encrypted piece of information on top of the others.
The Decryptor of the Cascade Virus

        lea  si, Start      ; position to decrypt (dynamically set)
        mov  sp, 0682       ; length of encrypted body (1666 bytes)
Decrypt:
        xor  [si], si       ; decryption key/counter 1
        xor  [si], sp       ; decryption key/counter 2
        inc  si             ; increment one counter
        dec  sp             ; decrement the other
        jnz  Decrypt        ; loop until all bytes are decrypted
Start:                      ; Encrypted/Decrypted Virus Body
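Added example, not from the slide deck: a Python emulation of the decryption loop listed above, run the way an antivirus emulator runs it to reach the plaintext body, next to the static alternative of matching the loop's constant bytes. The register semantics follow the listing (word-sized XORs at [si], SI counting up from the body's load address, SP counting down); where the original hard-codes the body length 1666 (0682h), this version uses len(buf). The 8086 bytes in DECRYPTOR_LOOP_SIG are hand-assembled from the listing, the body bytes are constructed, and the 0x100-based COM load address is an assumption for the demo.

```python
# Constant part of the listed loop, hand-assembled (8086 encoding):
#   31 34  xor [si],si    31 24  xor [si],sp    46  inc si
#   4C     dec sp         75 F8  jnz Decrypt (rel8 = -8)
# `lea si,Start` is excluded: its displacement is patched per host ("dynamically
# set"), so only the loop bytes are stable from one infection to the next.
DECRYPTOR_LOOP_SIG = bytes.fromhex("31 34 31 24 46 4C 75 F8")


def cascade_loop(buf, start):
    """Run the Decrypt loop once over a copy of buf and return the result.

    SI starts at `start` (the in-memory address of the body) and counts up;
    SP starts at len(buf) and counts down. `xor [si],si` / `xor [si],sp` are
    16-bit operations, so each step XORs two adjacent bytes (little-endian) and
    successive steps overlap. The last step writes one byte past the body; a
    pad byte absorbs it and is dropped from the result.
    """
    out = bytearray(buf) + b"\x00"
    si, sp = start & 0xFFFF, len(buf)
    while sp != 0:
        i = si - start
        word = out[i] | (out[i + 1] << 8)
        word ^= si          # decryption key/counter 1
        word ^= sp          # decryption key/counter 2
        out[i], out[i + 1] = word & 0xFF, word >> 8
        si = (si + 1) & 0xFFFF
        sp -= 1
    return bytes(out[:len(buf)])


def scan_for_decryptor(image):
    """Static check: the loop bytes never change, so a plain byte signature
    finds every generation, however the body was encrypted. Returns the offset
    or -1."""
    return image.find(DECRYPTOR_LOOP_SIG)


def emulate_and_check(image, body_offset, body_len, known_plain):
    """Emulation check: decrypt the body as the virus would, then look for a
    known plaintext fragment. Assumes a COM host, so the body's address is
    0x100 + body_offset (a demo assumption)."""
    body = image[body_offset:body_offset + body_len]
    return known_plain in cascade_loop(body, 0x100 + body_offset)


# Constructed plaintext standing in for the virus body; it is not Cascade's code.
PLAIN = b"CONSTRUCTED BODY FOR THE DEMO, NOT CASCADE. " * 3

if __name__ == "__main__":
    enc = cascade_loop(PLAIN, 0x100 + len(DECRYPTOR_LOOP_SIG))
    image = DECRYPTOR_LOOP_SIG + enc
    print(scan_for_decryptor(image), emulate_and_check(image, 8, len(PLAIN), b"NOT CASCADE"))
```

Two things the emulation makes visible: the same loop both encrypts and decrypts (XOR twice with the same keys restores the bytes), and because SI is the load address, the same body produces different ciphertext in every host, which is why a signature on the body fails while one on the loop holds. Using SP as a loop counter is itself unusual code that heuristic scanners can flag.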
Oligomorphic Viruses
• A virus is said to be oligomorphic if it is capable of mutating its decryptor only slightly.
• They change their decryptors in new generations. The simplest technique to change the decryptors is to use a set of decryptors instead of a single one.
• The first known virus to use this technique was Whale.
• W95/Memorial had the ability to build 96 different decryptor patterns. Thus the detection of the virus based on the decryptor code was an impractical solution.
Polymorphic Viruses
• Polymorphic viruses can mutate their decryptors into a high number of different instances that can take millions of different forms.
• The first known polymorphic virus, 1260, was written in the
U.S. by Mark Washburn in 1990.
• 1260 is an effective polymorphic engine that generates a
high variety of decryptors.
The Dark Avenger Mutation Engine
• For novice virus writers, it was difficult to write a polymorphic virus.
• However, more advanced virus writers came to their rescue.
• The MtE engine was released as an object that could be linked to any simple virus.
• The first version of MtE was released during the summer of 1991, later followed by another version in early 1992.
The parameters to the engine include the following:
• A work segment
• A pointer to the code to encrypt
• Length of the virus body
• Base of the decryptor
• Entry-point address of the host
• Target location of encrypted code
• Size of decryptor (tiny, small, medium, or large)
• Bit field of registers not to use
• MtE's impact on antivirus software was clear. Most AV engines had to go through a painful rearchitecting to introduce a virtual machine for the use of the scanning engine.
Metamorphic Viruses
• Metamorphic viruses do not have a decryptor or a constant virus body but are able to create new generations that look different.
• They do not use a data area filled with string constants but have one single-code body that carries data as code.
• Metamorphic computer viruses have the ability to change their shape by themselves from one form to another, but they usually avoid generating instances that are very close to their parent shape.
• They can be very detrimental on operating systems like Linux, since the compiler is available by default.
• Universities face a bigger threat from metamorphic viruses than industry does.
Conclusion
• The virus of tomorrow is not just a binary threat that is imperiled by antivirus software. Viruses are going to explore new concealment strategies. There might be viruses sitting in servers for years, doing nasty things and going unnoticed.
• They will pose bigger & tougher challenges to antivirus researchers, keeping them awake for nights analyzing strands of virus or even exploring where these strands are hidden.