Chapter 5
Anti-Anti-Virus

Anti-Anti-Virus
All viruses self-replicate
Anti-anti-virus means it’s “openly hostile” to AV
Anti-anti-virus techniques?
Aggressively attack AV software
Make analysis of virus difficult
Try to avoid being detected using knowledge of how AV works

Anti-Virus Virus?
Anti-anti-virus versus “anti-virus virus”
What the … ?
This chapter is about anti-anti-virus
Aside: What is an anti-virus virus?
Virus attacks other viruses, or
AV software that propagates virally, or
Software that drops a virus, then offers to remove it for a fee

Retroviruses
Also known as “anti-antivirus viruses”
Virus with active defense
What techniques are used?
Kill AV (and related) processes
Virus lists active processes
Kills things like Avgw.exe, Scan32.exe, Navw32.exe, Regedit.exe, Zonealarm.exe
Might also do this for processes run at startup
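From the defender's side, the process-killing behaviour above is easy to spot in telemetry. As an added example (not from the slides), a small detector over constructed process-termination log lines that flags one process terminating several of the AV-related processes listed above within a short window; the log format, the actor process names and the threshold/window values are assumptions made for this demo.

```python
"""Flag a process that terminates several AV-related processes in a short window.
Added example, not from the original slides. The log format is constructed for
this demo (not Sysmon or any vendor format): one event per line, shaped as
"<unix_time> <actor_pid> <actor_image> TERMINATE <victim_image>".
"""
import re
from collections import defaultdict

# Process names from the slide's list of what a retrovirus tries to kill.
AV_RELATED = {"avgw.exe", "scan32.exe", "navw32.exe", "regedit.exe", "zonealarm.exe"}
LINE_RE = re.compile(r"^(\d+) (\d+) (\S+) TERMINATE (\S+)$")

# Constructed sample log: pid 4242 kills four AV-like processes within 3 seconds;
# pid 900 (say, an uninstaller) kills one and should not be flagged.
SAMPLE_LOG = """\
1700000000 900 setup.exe TERMINATE zonealarm.exe
1700000010 4242 update.exe TERMINATE avgw.exe
1700000011 4242 update.exe TERMINATE scan32.exe
1700000011 4242 update.exe TERMINATE notepad.exe
1700000012 4242 update.exe TERMINATE navw32.exe
1700000013 4242 update.exe TERMINATE regedit.exe
"""
def parse(log_text):
    """Yield (time, actor_pid, actor_image, victim_image); skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4).lower()

def find_retro_kills(log_text, threshold=3, window=30):
    """Return {(actor_pid, actor_image): [victims]} for every actor that ends at
    least `threshold` distinct AV-related processes within `window` seconds."""
    per_actor = defaultdict(list)             # actor -> [(time, victim), ...]
    for t, pid, image, victim in parse(log_text):
        if victim in AV_RELATED:
            per_actor[(pid, image)].append((t, victim))
    hits = {}
    for actor, events in per_actor.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window from each kill
            victims = {v for t, v in events[i:] if t - t0 <= window}
            if len(victims) >= threshold:
                hits[actor] = sorted(victims)
                break
    return hits

if __name__ == "__main__":
    for (pid, image), victims in find_retro_kills(SAMPLE_LOG).items():
        print(f"pid {pid} ({image}) terminated AV-related processes: {victims}")
```

A single kill of one AV process is normal (installers, updaters), which is why the rule counts distinct victims per actor inside a time window rather than alerting on any one event.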
Retroviruses
Example: Ganda virus
Kills running AV-like processes
Examines processes run at startup
If it appears to be AV-related…
…replace 1st instruction with “return”
Stealthier?
Starve AV software by lowering priority
Prevent AV software from connecting to company database, etc.

Entry Point Obfuscation
Viruses often hijack usual entry point
But this is fairly obvious
Set entry point at random location?
Probably not a good idea --- why?
Find calls to ExitProcess API?
Used by Simile and Ganda
Look for known code sequences?
Compilers produce stereotypical code

Anti-Emulation
Recall that emulation is used for AV
How can virus defeat emulation?
1. Outlast
2. Outsmart
3. Overextend
The AV solution to 2 & 3 is a better emulator
Of course, this comes at a price…

Anti-Emulation: Outlast
How to “outlast” an emulator?
Lots of (disguised) do-nothing code
Only be malicious, say, 1/10th of the time
Then AV might mark code as safe
Subsequently, virus has a free hand
Entry point obfuscation
Emulator might assume virus will appear early in execution of infected code

Anti-Emulation: Outsmart
Try to counter dynamic heuristics
Example: In some cases, decryption is a good dynamic heuristic
To counter this, virus could…
Spread decryption throughout code, not all in one loop
Then emulator might never reach its “decryption” threshold

Anti-Emulation: Overextend
How to push emulator to the limit?
Use undocumented instructions
If they are not handled correctly, the code is being emulated
Bugs in CPU
If a known CPU bug is handled correctly (a real CPU would exhibit it), the code is being emulated
Exhaust or abuse memory
Check for differences between system calls, e.g., check “time” twice
Emulator might return fixed value

Anti-Emulation: Overextend
How to push emulator to the limit?
Import obscure libraries
Use external resources, e.g., web page
Almost impossible to emulate external stuff
Emulator-specific checks
E.g., a known interface to outside

Armoring
“Armor” virus --- make analysis more difficult
Two types of techniques used:
Anti-debugging
Examples?
Anti-disassembly
Examples?

Anti-Debugging
Look for inserted breakpoints
Like error detection/correction
Look for single-stepping
Single-stepping triggers an interrupt after every instruction, which pushes onto the stack… so push, then immediately pop, or
Time the execution, or
Dynamically modify next instruction, since processors usually pre-fetch
The last two are also anti-emulation techniques

Anti-Debugging
If all else fails, ask:
IsDebuggerPresent()
In Linux, a request to trace a process more than once fails
How can a virus take advantage of this?

Anti-Debugging
Speaking of threads…
Interlocking and deadlocking threads
Only small part of code appears
Different parts each time
Fairly strong for anti-debugging
Improved software activation using multithreading
Could be even more effective if combined with encrypted code
Project, anyone?

Anti-Disassembly
Anti-disassemblymentarianism?
Goals
1. Disassembly cannot be automated
2. Code not available until it executes
For goal 1, one idea is to mix code and data
Once mixed, separating them is unsolvable

Anti-Disassembly
Mixing code and data can result in false disassembly
Disassemblers not so easily confused…
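An added example (not from the slides) that shows the false disassembly above on a toy instruction set constructed for the demo: a linear sweep decodes the data bytes that a jump skips over and desynchronises, while a recursive-traversal disassembler that follows control flow from the entry point never touches them. The opcode table, the sample bytes and the function names are all assumptions of this demo.

```python
"""Linear sweep vs recursive traversal over code with embedded data.
Added example, not from the original slides. The instruction set is a toy one
constructed for this demo so the point shows without an x86 decoder:
  0x00 NOP (1 byte)  0x10 JMP rel8 (2)  0x20 JZ rel8 (2)  0x30 LOAD imm16 (3)
  0x40 RET (1)       any other byte is invalid and shown as DB
"""
LENGTH = {0x00: 1, 0x10: 2, 0x20: 2, 0x30: 3, 0x40: 1}
NAME = {0x00: "NOP", 0x10: "JMP", 0x20: "JZ", 0x30: "LOAD", 0x40: "RET"}

def decode(code, addr):
    """Return (mnemonic, length, successor addresses) for the instruction at addr."""
    op = code[addr]
    if op not in LENGTH or addr + LENGTH[op] > len(code):
        return f"DB 0x{op:02x}", 1, [addr + 1]
    n, nxt = LENGTH[op], addr + LENGTH[op]
    if op in (0x10, 0x20):                       # jumps: rel8 is signed
        rel = code[addr + 1]
        target = nxt + (rel - 256 if rel > 127 else rel)
        return f"{NAME[op]} {target:#04x}", n, ([target] if op == 0x10 else [nxt, target])
    if op == 0x30:
        imm = code[addr + 1] | (code[addr + 2] << 8)
        return f"LOAD {imm:#06x}", n, [nxt]
    return NAME[op], n, ([] if op == 0x40 else [nxt])   # RET ends the path

def linear_sweep(code):
    """Decode byte after byte, the way a naive disassembler does."""
    out, addr = {}, 0
    while addr < len(code):
        mnem, n, _ = decode(code, addr)
        out[addr] = mnem
        addr += n
    return out

def recursive_traversal(code, entry=0):
    """Decode only what is reachable by following control flow from entry."""
    out, work = {}, [entry]
    while work:
        addr = work.pop()
        if addr in out or not 0 <= addr < len(code):
            continue
        mnem, _, succ = decode(code, addr)
        out[addr] = mnem
        work.extend(succ)
    return dict(sorted(out.items()))

# Constructed sample: JMP over two data bytes (0x30 0x40) into the real code,
# LOAD 0x0020; NOP; RET.  Linear sweep decodes the data as a bogus LOAD that
# swallows the real LOAD opcode, then reports a bogus JZ made of its immediate.
SAMPLE = bytes([0x10, 0x02, 0x30, 0x40, 0x30, 0x20, 0x00, 0x00, 0x40])
if __name__ == "__main__":
    print("linear sweep:       ", linear_sweep(SAMPLE))
    print("recursive traversal:", recursive_traversal(SAMPLE))
```

Real disassemblers combine both strategies (and heuristics for indirect jumps), which is why mixed code and data slows analysis rather than defeating it.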
Anti-Disassembly
How to make code unavailable for static analysis?
Dynamically generate code at runtime
Self-modifying code
A red flag for heuristic analysis
Use the environment to “construct” code at runtime
How’s that?

Anti-Disassembly
Constructed code?
Hash stuff and extract “code” bits…
Perhaps combine with buffer overflow?
Project, anyone?

Anti-Disassembly
Encrypted code
Decrypt in parts as needed
Flush plaintext when done
Combine with anti-debugging
Watch for MiM type of attacks
My startup company did all of this
Might do similar things with threads
Intentionally “delicate” timing

Tunneling
Virus traces system functions it uses
To be sure they “go to” the right place
If not, code is being monitored
How to trace code?
Static heuristic or emulation
Just like the AV stuff…
Can’t tunnel into kernel on modern OS
But still might be a useful technique

Tunneling
AV software can hide from tunneling if it’s installed in the kernel
Unless virus is in the kernel too…
But a virus in the kernel would be bad for lots and lots of other reasons

Integrity Checker Attacks
How to avoid an integrity check?
Integrity check can detect any change
Stealth virus might hide
But only from weak integrity check
Infect when a legitimate change is made to the file
In one infamous case…
Delete the integrity check database and all checksums are recomputed
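As an added example (not from the slides), an integrity checker written to resist the attacks above: file tags are keyed HMACs rather than plain checksums, the database is itself MAC-protected, and a missing or tampered database is reported as an error rather than treated as a reason to recompute everything. The key, the file names and the temp-directory layout are constructed for the demo, and the key and baseline are assumed to be stored outside the watched tree.

```python
"""Integrity checker that fails closed instead of silently re-baselining.
Added example, not from the original slides: per-file HMAC-SHA256 tags (keyed,
so a virus that rewrites a file cannot recompute a valid tag) plus an HMAC over
the whole baseline; a missing or tampered baseline is an error, never a rebuild.
"""
import hashlib, hmac, json, os, tempfile

def file_tag(key, path):
    with open(path, "rb") as f:
        return hmac.new(key, f.read(), hashlib.sha256).hexdigest()

def build_baseline(key, root, out_path):
    """Operator-initiated baseline: the only place tags are (re)computed."""
    tags = {os.path.relpath(os.path.join(d, n), root): file_tag(key, os.path.join(d, n))
            for d, _, fs in os.walk(root) for n in fs}
    body = json.dumps(tags, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    with open(out_path, "w") as f:
        json.dump({"body": body, "mac": mac}, f)

def check(key, root, baseline_path):
    """Return ('ok', []), ('modified', [paths]) or ('error', reason)."""
    if not os.path.exists(baseline_path):
        return "error", "baseline missing: refusing to recompute, re-baseline manually"
    with open(baseline_path) as f:
        doc = json.load(f)
    mac = hmac.new(key, doc["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, doc["mac"]):
        return "error", "baseline MAC mismatch: database tampered"
    expected = json.loads(doc["body"])
    present = {os.path.relpath(os.path.join(d, n), root) for d, _, fs in os.walk(root) for n in fs}
    bad = [r for r, t in expected.items() if r not in present
           or not hmac.compare_digest(file_tag(key, os.path.join(root, r)), t)]
    bad += sorted(present - expected.keys())  # new (dropped) files count as changes too
    return ("modified", bad) if bad else ("ok", [])

def demo():
    """Constructed scenario: clean check, then a modified file, then a deleted database."""
    key, root = b"constructed-demo-key", tempfile.mkdtemp()
    bl = os.path.join(tempfile.mkdtemp(), "baseline.json")  # kept outside the tree
    for name, data in (("a.txt", b"hello"), ("b.txt", b"world")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    build_baseline(key, root, bl)
    results = [check(key, root, bl)]
    with open(os.path.join(root, "a.txt"), "wb") as f:
        f.write(b"hello!")                        # a change to a watched file
    results.append(check(key, root, bl))
    os.remove(bl)                                 # the slide's attack: delete the database
    results.append(check(key, root, bl)[0])
    return results
```

The checker still cannot tell a legitimate edit from an infection made during one, so the "modified" result has to go to a human or a change-management record rather than being auto-accepted.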
Avoidance
Hide in places not searched
Possibilities include
USB key
Some types of files
New type of packer
Etc.
Pretty lame?