
Chapter 6

Malicious Software
Outline

1. Types of Malicious Software (Malware) 179
2. Propagation–Infected Content–Viruses 182
3. Propagation–Vulnerability Exploit–Worms 188
4. Propagation–Social Engineering–SPAM E-mail, Trojans 195
5. Payload–System Corruption 197
6. Payload–Attack Agent–Zombie, Bots 199
7. Payload–Information Theft–Keyloggers, Phishing, Spyware 201
8. Payload–Stealthing–Backdoors, Rootkits 202
9. Countermeasures 206

Types of Malicious Software (Malware)
Propagation–Infected Content–Viruses
Learning objectives

1. Describe three broad mechanisms malware uses to propagate
2. Understand the basic operations of viruses, worms, trojans
3. Describe 4 categories of malware payloads
4. Understand the different threats posed by bots, spyware, rootkits
5. Describe some malware countermeasures
6. Describe three locations for malware detection mechanisms


Malware targeting Android has a taste for Gingerbread and Ice Cream Sandwich
http://www.kaspersky.com/about/news/virus/2012/Malware_targeting_Android_has_a_taste_for_Gingerbread_and_Ice_Cream_Sandwich

 Distribution of the malware detected by Android OS version, Q3 2012 (figure)

FBI Issues Android Malware Warning
http://www.point2security.com/author.asp?section_id=2078&doc_id=252710&goback=%2Egde_1797372_member_176667825

1. The IC3 has been made aware of various malware attacking Android operating systems for mobile devices.
2. Some of the latest known versions of this type of malware are Loozfon and FinFisher.
3. Loozfon, which has been spotted by malware makers in a multitude of variants, steals information by luring would-be victims to click on an infected advertising link, loading the malware on the mobile device, and grabbing contact information.
4. FinFisher spyware can take over and remotely control the device and monitor a user's whereabouts. This exploit is propagated over the Internet or through text messages.
Malware

[NIST05] defines malware as:

“a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim.”
Malware Terminology
Name: Description

Adware: Advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site.
Attack kit: Tools for generating new malware automatically using a variety of supplied propagation and payload mechanisms.
Auto-rooter: Tools used to break into new machines remotely.
Backdoor (trapdoor): Any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality in a program, or onto a compromised system.
Downloaders: Code that installs other items on a machine that is under attack. It is normally included in the malware code first inserted on to a compromised system to then import a larger malware package.
Drive-by-download: An attack using code in a compromised web site that exploits a browser vulnerability to attack a client system when the site is viewed.
Exploits: Code specific to a single vulnerability or set of vulnerabilities.
Flooders (DoS client): Used to generate a large volume of data to attack networked computer systems, by carrying out some form of denial-of-service (DoS) attack.
Keyloggers: Captures keystrokes on a compromised system.
Logic bomb: Code inserted into malware by an intruder. A logic bomb lies dormant until a predefined condition is met; the code then triggers an unauthorized act.
Macro virus: A type of virus that uses macro or scripting code, typically embedded in a document, and triggered when the document is viewed or edited, to run and replicate itself into other such documents.
Mobile code: Software (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
Rootkit: Set of hacker tools used after an attacker has broken into a computer system and gained root-level access.
Spammer programs: Used to send large volumes of unwanted e-mail.
Spyware: Software that collects information from a computer and transmits it to another system by monitoring keystrokes, screen data and/or network traffic; or by scanning files on the system for sensitive information.
Trojan horse: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the Trojan horse program.
Virus: Malware that, when executed, tries to replicate itself into other executable machine or script code; when it succeeds the code is said to be infected. When the infected code is executed, the virus also executes.
Worm: A computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network, usually by exploiting software vulnerabilities in the target system.
Zombie, bot: Program activated on an infected machine that is activated to launch attacks on other machines.
Source: Vadim Kotov and Fabio Massacci. 2013. Anatomy of exploit kits: preliminary analysis of exploit kits as software artefacts. ESSoS'13. Springer-Verlag, Berlin, Heidelberg.
Classification of Malware

Malware is classified into two broad categories:
1. based first on how it spreads or propagates to reach the desired targets
2. then on the actions or payloads it performs once a target is reached

Malware is also classified by:
 those that need a host program (parasitic code such as viruses)
 those that are independent, self-contained programs (worms, trojans, and bots)
 malware that does not replicate (trojans and spam e-mail)
 malware that does replicate (viruses and worms)
Types of Malicious Software (Malware)

Propagation mechanisms include:
• infection of existing content by viruses that is subsequently spread to other systems
• exploit of software vulnerabilities by worms or drive-by-downloads to allow the malware to replicate
• social engineering attacks that convince users to bypass security mechanisms to install Trojans or to respond to phishing attacks

Payload actions performed by malware once it reaches a target system can include:
• corruption of system or data files
• theft of service/make the system a zombie agent of attack as part of a botnet
• theft of information from the system/keylogging
• stealthing/hiding its presence on the system
Malware evolution

1. A blended attack uses multiple methods of infection or propagation, to maximize the speed of contagion and the severity of the attack.
2. Some malware even supports an update mechanism that allows it to change the range of propagation and payload mechanisms utilized once it is deployed.
Viruses

 Piece of software that infects programs
 modifies them to include a copy of the virus
 replicates and goes on to infect other content
 easily spread through network environments

 When attached to an executable program a virus can do anything that the program is permitted to do
 executes secretly when the host program is run

 Specific to operating system and hardware
 takes advantage of their details and weaknesses
 Main reason viruses dominated the malware scene: PCs lacked user authentication and access control
Virus: Components

Infection mechanism
• means by which a virus spreads or propagates
• also referred to as the infection vector

Trigger
• event or condition that determines when the payload is activated or delivered
• sometimes known as a logic bomb

Payload
• what the virus does (besides spreading)
• may involve damage or benign but noticeable activity
Virus Phases

Dormant phase
• virus is idle
• will eventually be activated by some event
• not all viruses have this stage

Propagation phase
• virus places a copy of itself into other programs or into certain system areas on the disk
• may not be identical to the propagating version
• each infected program will now contain a clone of the virus which will itself enter a propagation phase

Triggering phase
• virus is activated to perform the function for which it was intended
• can be caused by a variety of system events

Execution phase
• function is performed
• may be harmless or damaging
Virus Structure (figure)
Compression Virus Logic: operation for Figure 6.2 (figure)
Virus Classifications

classification by target
 boot sector infector
 infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus
 file infector
 infects files that the operating system or shell considers to be executable
 macro virus
 infects files with macro or scripting code that is interpreted by an application
 multipartite virus
 infects files in multiple ways

classification by concealment strategy
 encrypted virus
 a portion of the virus creates a random encryption key and encrypts the remainder of the virus
 stealth virus
 a form of virus explicitly designed to hide itself from detection by anti-virus software
 polymorphic virus
 a virus that mutates with every infection
 metamorphic virus
 a virus that mutates and rewrites itself completely at each iteration and may change behavior as well as appearance
Obfuscation-based classification of viruses

Obfuscation techniques (figure): self encryption/decryption, polymorphism, metamorphism, armoring, tunneling, stealth
Obfuscation techniques
1. Self-encryption and decryption:
 the objective is to hide the virus code from direct examination.
 Such viruses may use several layers of encryption, or choose the cryptographic key randomly at each encryption,
 making each instance of the virus appear different from the others. The first virus of this type is Cascade.1701.
2. Polymorphism:
 This is an improved form of encryption.
 The decryption code is made more robust. An example is the 1260 virus.
3. Metamorphism:
 Instead of hiding its content via encryption, a metamorphic virus changes its body content.
 Metamorphic viruses create a new generation of viruses that look different from their creators.
 Code alteration may include adding unneeded instructions, or modifying the sequencing of the different parts of the code.
4. Stealth:
 Tries to conceal the occurrence of an infection.
 Manipulates the data returned to a function call.
 For example, it will manipulate the system call requesting the listing of files on a machine by altering the size of the infected file.
 The displayed file size would correspond to the size of the original file, not the infected one.
 Examples include: Brain, Read Stealth, and Number_of_the_Beast.
5. Armoring:
 Aims at preventing human experts and automated tools from analysing its code.
 The basic methods used by armoured viruses are to make tasks such as disassembly and debugging more difficult.
6. Tunnelling:
 Installs itself in the lower layers of the operating system
 so as to be able to take control of the interrupt handler, modifying it so that control is first passed to the virus in the event of a system call or interrupt.
 The virus can defeat any attempt at monitoring activity.
 One of the first tunnelling viruses is the Eddie virus or Dark_Avenger.1800.A.
Polymorphic viruses

1. Most anti-virus software identifies viruses and malware by signature-based scanning.
2. Signatures: small strings specific to a given virus code.
3. If the virus-related signatures are found, a virus is discovered. To avoid detection, a virus can change some instructions in a new generation and cheat the signature scanning.
4. Polymorphic viruses exploit this concept.
5. When infecting a new victim, the virus modifies some pieces of its body to look dissimilar.
Encrypted viruses

1. Encrypted viruses have two key parts:
 the encrypted body of the virus,
 and a small decryption code piece
2. When the infected program code gets to run,
 the decryption loop executes and decrypts the main body of the virus.
 Then, it moves control to the virus body.
3. The decryption loop may calculate a checksum to make sure that the virus code has not been tampered with,
4. but the decryptor should be as small as possible to avoid detection by the anti-virus software.
Metamorphic viruses
1. “Metamorphics are body-polymorphics.”
2. Because metamorphic viruses are not encrypted, they do not require a decryptor.
3. A metamorphic virus is similar to a polymorphic virus in making use of an obfuscation engine.
4. A metamorphic virus mutates all of its body, rather than only the code of the decryption loop.
5. All possible techniques applicable by a polymorphic virus to produce a new decryptor can be used by a metamorphic virus on the whole virus code to create a new instance.
Macro/Scripting Code Viruses

 very common in mid-1990s
 platform independent
 infect documents (not executable portions of code)
 easily spread

 exploit macro capability of MS Office applications
 more recent releases of products include protection

 various anti-virus programs have been developed so these are no longer the predominant virus threat
Worms
 program that actively seeks out more machines to infect and each infected machine serves as an automated launching pad for attacks on other machines
 exploits software vulnerabilities in client or server programs
 can use network connections to spread from system to system
 spreads through shared media (USB drives, CD, DVD data disks)
 e-mail worms spread in macro or script code included in attachments and instant messenger file transfers
 upon activation the worm may replicate and propagate again
 usually carries some form of payload
 first known implementation was done in Xerox Palo Alto Labs in the early 1980s
Worm Replication

electronic mail or instant messenger facility
• worm e-mails a copy of itself to other systems
• sends itself as an attachment via an instant message service

file sharing
• creates a copy of itself or infects a file as a virus on removable media

remote execution capability
• worm executes a copy of itself on another system

remote file access or transfer capability
• worm uses a remote file access or transfer service to copy itself from one system to the other

remote login capability
• worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other
Target discovery used by worms
1. Random: probes random IP addresses.
 Generates a high volume of Internet traffic.
2. Hit-list: precompiled list of potentially vulnerable machines.
 Slow process over a long period of time to avoid detection
 Each machine on the list is assigned a portion of the list to scan
3. Topological (uses information contained on an infected machine to find more hosts to scan)
4. Local subnet
 If a host can be infected behind a firewall, the host will look for targets in its own LAN
 (uses the subnet address structure to find hosts protected by firewalls)
Worm Propagation Model
Morris Worm
 earliest significant worm infection
 released by Robert Morris in 1988
 designed to spread on UNIX systems
 attempted to crack local password file to use login/password
to logon to other systems
 exploited a bug in the finger protocol which reports the
whereabouts of a remote user
 exploited a trapdoor in the debug option of the remote
process that receives and sends mail
 successful attacks achieved communication with the
operating system command interpreter
 sent interpreter a bootstrap program to copy worm over
Recent Worm Attacks
Melissa (1998): e-mail worm; first to include virus, worm and Trojan in one package
Code Red (July 2001): exploited Microsoft IIS bug; probes random IP addresses; consumes significant Internet capacity when active
Code Red II (August 2001): also targeted Microsoft IIS; installs a backdoor for access
Nimda (September 2001): had worm, virus and mobile code characteristics; spread using e-mail, Windows shares, Web servers, Web clients, backdoors
SQL Slammer (early 2003): exploited a buffer overflow vulnerability in SQL Server; compact and spread rapidly
Sobig.F (late 2003): exploited open proxy servers to turn infected machines into spam engines
Mydoom (2004): mass-mailing e-mail worm; installed a backdoor in infected machines
Warezov (2006): creates executables in system directories; sends itself as an e-mail attachment; can disable security related products
Conficker (Downadup) (November 2008): exploits a Windows buffer overflow vulnerability; most widespread infection since SQL Slammer
Stuxnet (2010): restricted rate of spread to reduce chance of detection; targeted industrial control systems
Melissa:

1. e-mail worm that appeared in 1998
2. 1st of a new generation of malware that included aspects of virus, worm, and Trojan in one package
3. Used a Microsoft Word macro embedded in an attachment.
4. The macro is activated when the e-mail attachment is opened:
 a. it sends itself to everyone on the mailing list in the user’s e-mail package, propagating as a worm;
 b. local damage on the user’s system, including disabling some security tools, and also copying itself into other documents, propagating as a virus;
 c. if a trigger time was seen, it displayed a Simpsons quote as its payload.

Melissa (continued):

1. More powerful version in 1999.
2. Could be activated merely by opening an e-mail that contains the virus, rather than by opening an attachment.
3. The virus uses the Visual Basic scripting language supported by the e-mail package.
4. Propagates itself as soon as it is activated (either by opening an e-mail attachment or by opening the e-mail) to all of the e-mail addresses known to the infected host.
Worm Technology

Characteristics of current worm technology (figure): multiplatform, multi-exploit, ultrafast spreading, polymorphic, metamorphic
Worm technology

1. Multiplatform:
 Newer worms are not limited to Windows machines but can attack a variety of platforms, including UNIX;
 they exploit macro or scripting languages supported in popular document types.
2. Multi-exploit:
 Penetrate systems in a variety of ways,
 using exploits against Web servers, browsers, e-mail, file sharing, and other network-based applications; or via shared media.
3. Ultrafast spreading:
 Exploit various techniques to optimize the rate of spread of a worm
 to maximize its likelihood of locating as many vulnerable machines as possible in a short time period.
4. Polymorphic:
 To evade detection, skip past filters, and foil real-time analysis,
 each copy of the worm has new code generated on the fly using functionally equivalent instructions and encryption techniques.
5. Metamorphic:
 In addition to changing their appearance,
 metamorphic worms have a repertoire of behavior patterns that are unleashed at different stages of propagation.
6. Transport vehicles:
 Because worms can rapidly compromise a large number of systems,
 they are ideal for spreading a wide variety of malicious payloads,
 such as distributed denial-of-service bots, rootkits, spam e-mail generators, and spyware.
7. Zero-day exploit:
 To achieve maximum surprise and distribution,
 a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.
Mobile Code

 programs that can be shipped unchanged to a variety of platforms
 transmitted from a remote system to a local system and then executed on the local system
 often acts as a mechanism for a virus, worm, or Trojan horse
 takes advantage of vulnerabilities to perform its own exploits
 popular vehicles include Java applets, ActiveX, JavaScript and VBScript
Mobile Phone Worms

 first discovery was Cabir worm in 2004
 then Lasco and CommWarrior in 2005
 communicate through Bluetooth wireless connections or MMS
 target is the smartphone
 can completely disable the phone, delete data on the phone, or force the device to send costly messages
 CommWarrior replicates by means of Bluetooth to other phones, sends itself as an MMS file to contacts and as an auto reply to incoming text messages
Drive-By-Downloads

 exploits browser vulnerabilities to download and install malware on the system when the user views a Web page controlled by the attacker
 in most cases does not actively propagate
 spreads when users visit the malicious Web page
Social Engineering
 “tricking” users to assist in the compromise of their own systems

spam e-mail
• unsolicited bulk e-mail
• significant carrier of malware
• used for phishing attacks

Trojan horse
• program or utility containing harmful hidden code
• used to accomplish functions that the attacker could not accomplish directly

mobile phone trojans
• first appeared in 2004 (Skuller)
• target is the smartphone
Payload
System Corruption
 data destruction
 Chernobyl virus
 first seen in 1998
 Windows 95 and 98 virus
 infects executable files and corrupts the entire file system when a
trigger date is reached
 Klez
 mass mailing worm infecting Windows 95 to XP systems
 on trigger date causes files on the hard drive to become empty
 ransomware
 encrypts the user’s data and demands payment in order to access
the key needed to recover the information
 PC Cyborg Trojan (1989)
 Gpcode Trojan (2006)
Payload
System Corruption

 real-world damage
 causes damage to physical equipment
 Chernobyl virus rewrites BIOS code
 Stuxnet worm
 targets specific industrial control system software
 there are concerns about using sophisticated targeted malware
for industrial sabotage

 logic bomb
 code embedded in the malware that is set to “explode” when
certain conditions are met
Payload – Attack Agents
Bots
 takes over another Internet attached computer and uses that computer to launch or manage attacks
 botnet: collection of bots capable of acting in a coordinated manner
 uses:
 distributed denial-of-service (DDoS) attacks
 spamming
 sniffing traffic
 keylogging
 spreading new malware
 installing advertisement add-ons and browser helper objects (BHOs)
 attacking IRC chat networks (clone attack: DDoS of an IRC network)
 manipulating online polls/games
Remote Control Facility

 distinguishes a bot from a worm
 worm propagates itself and activates itself
 bot is initially controlled from some central facility

 typical means of implementing the remote control facility is on an IRC server
 bots join a specific channel on this server and treat incoming messages as commands

 more recent botnets use covert communication channels via protocols such as HTTP
 distributed control mechanisms use peer-to-peer protocols to avoid a single point of failure
Payload – Information Theft
Keyloggers and Spyware

keylogger
• captures keystrokes to allow attacker to monitor sensitive
information
• typically uses some form of filtering mechanism that only returns
information close to keywords (“login”, “password”)
spyware
• subverts the compromised machine to allow monitoring of a wide
range of activity on the system
• monitoring history and content of browsing activity
• redirecting certain Web page requests to fake sites
• dynamically modifying data exchanged between the browser and
certain Web sites of interest
Payload – Information Theft
Phishing
 exploits social engineering to leverage the user’s trust by masquerading as communication from a trusted source
 include a URL in a spam e-mail that links to a fake Web site that mimics the login page of a banking, gaming, or similar site
 suggests that urgent action is required by the user to authenticate their account
 attacker exploits the account using the captured credentials

spear-phishing
 recipients are carefully researched by the attacker
 e-mail is crafted to specifically suit its recipient, often quoting a range of information to convince them of its authenticity
Payload – Stealthing
Backdoor

 also known as a trapdoor
 secret entry point into a program allowing the attacker to gain access and bypass the security access procedures
 maintenance hook is a backdoor used by programmers to debug and test programs
 difficult to implement operating system controls for backdoors in applications
Payload - Stealthing
Rootkit
 set of hidden programs installed on a system to
maintain covert access to that system
 hides by subverting the mechanisms that
monitor and report on the processes, files, and
registries on a computer
 gives administrator (or root) privileges to
attacker
 can add or change programs and files, monitor
processes, send and receive network traffic, and get
backdoor access on demand
Rootkit Classification Characteristics

Rootkits are classified (figure) as: persistent, memory based, user mode, kernel mode, virtual machine based, external mode
Rootkit classifications
1. Persistent:
 Activates each time the system boots.
 The rootkit must :
I. store code in a persistent store, such as the registry or file
system,
II. and configure a method by which the code executes without
user intervention.
 easier to detect, as the copy in persistent storage can be
scanned.
2. Memory based:
 Has no persistent code and therefore cannot survive a reboot.
 However, because it is only in memory, it can be harder to detect.
Rootkit classifications
3. User mode:
 Intercepts calls to APIs and modifies returned
results.
 For example, when an application performs a
directory listing, the return results don’t include
entries identifying the files associated with the
rootkit.

4. Kernel mode:
 Can intercept calls to native APIs in kernel mode.
 Can also hide the presence of a malware process by
removing it from the kernel’s list of active processes.
Rootkit classifications
5. Virtual machine based:
 This type of rootkit installs a lightweight virtual machine
monitor,
 then runs the operating system in a virtual machine above it.
 can then transparently intercept and modify states and
events occurring in the virtualized system.

6. External mode:
 The malware is located outside the normal operation mode
of the targeted system, in BIOS or system management
mode, where it can directly access hardware.
New generation rootkits

1. The next generation of rootkits moved down a layer,
2. making changes inside the kernel
3. and co-existing with the operating system's code,
4. making their detection much harder.
5. Any “anti-virus” program would now be subject to the same “low-level” modifications that the rootkit uses to hide its presence.
6. However, methods were developed to detect these changes.
Kernel mode rootkits
1. Programs operating at the user level
interact with the kernel through system
calls.
2. System calls: primary target of kernel-
level rootkits
3. Example: the implementation of system
calls in Linux.
4. In Linux, each system call is assigned a
unique syscall number .
Kernel mode rootkits
1. When a user-mode process executes a
system call, the process refers to the
system call by this number.
2. The kernel maintains a system call table
with one entry per system call routine;
3. Each entry contains a pointer to the
corresponding routine.
4. The syscall number serves as an index
into the system call table.
Changing system calls

Three ways of modifying system calls (figure): modify the system call table; modify system call table targets; redirect the system call table
Modify the system call table

1. The attacker modifies selected syscall addresses stored in the system call table.
2. This enables the rootkit to direct a system call away from the legitimate routine to the rootkit’s replacement.

Modify system call table targets

1. The attacker overwrites selected legitimate system call routines with malicious code.
2. The system call table is not changed.

Redirect the system call table

1. The attacker redirects references to the entire system call table to a new table in a new kernel memory location.
System Call Table Modification
VMBR: Virtual machine based rootkit
Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang, and Jacob R. Lorch. SubVirt: Implementing malware with virtual machines. In SP '06: Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P'06), pages 314-327, Washington, DC, USA, 2006. IEEE Computer Society.

1. Rootkits: a new weapon of malicious users, with a very promising future.
2. King and Chen: the SubVirt project, VMBR.
3. A virtual machine monitor (VMM) is installed underneath an existing operating system.
4. The VMM is then used to run arbitrary malicious software.
5. This virtual machine based rootkit (VMBR) has more control than current malware.
6. It also supports general purpose functionality.
7. This VMBR can hide all its state and activity from intrusion detection systems running in the infected OS and applications.
8. VMBR can be implemented on current hardware
9. and can be used to implement several malicious services.
10. VMBR is difficult to detect and remove.
11. Why? VMBR state cannot be accessed by software running on the hosted operating system.
Blue Pill Rootkit: 100% undetectable malware
http://invisiblethingslab.com/itl/Welcome.html

 The idea behind Blue Pill is simple:

1. Your operating system swallows the Blue Pill
2. and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor.
3. This all happens on-the-fly (i.e. without restarting the system)
4. there is no performance penalty
5. all the devices, like the graphics card, are fully accessible to the operating system,
6. which is now executing inside a virtual machine.
7. This is all possible thanks to the latest virtualization technology from AMD called SVM/Pacifica.
Virtual machine rootkits
Joanna Rutkowska. www.invisiblethings.org, 2006
More about advanced
polymorphic viruses
1. The first anti-viruses appeared in the late 80’s
2. Simple binary scanning programs looking for known virus
signatures.
3. Virus writers reacted: designed code that would mutate its
binary form on each replication.
4. In 1988 encryption was used by virus writers
5. In 1990 the first polymorphic viruses appeared. They could
mutate their code as well as their decryption method.
6. Antiviruses reacted letting viruses decrypt themselves and
then only scanning the decrypted code looking for any known
signature.
7. In 1997, virus writers counter reacted by producing the first
metamorphic viruses which mutate their code in its decrypted
form.
The first virus encrypting its code, CASCADE, appeared in 1988. Yet its decryption method remained unchanged from one replication to another and thus it was not really a polymorphic virus per se. In 1990 however, the first family of polymorphic viruses appeared: the CHAMELEON viruses (or V2P) which were developed by Mark Washburn, were based on the CASCADE and VIENNA viruses and mutated the code of their decryption method (fig. 2).
Polymorphic virus
Metamorphic virus
Simple virus replication
Encrypted virus replication

There is a weakness in this scheme. What is it?

The decryptor (D) is constant, and behind the encryption the body of the virus remains constant too.
1. The decryptor remains constant.
2. To solve this problem, the polymorphic virus uses different methods to change the code of its decryptor from generation to generation.
3. This type of virus still has a constant but encrypted body and a decryptor,
4. but each time the decryptor changes shape so that no search string can be extracted from its code,
5. thus antivirus scanners cannot detect it using search strings.
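The weakness above, and the scanner's reaction (let the sample decrypt itself, then scan the plaintext), can be shown on constructed byte strings. This is an added illustration, not code from the slides: the "decryptor" stubs and the body are opaque filler bytes, the transform is a one-byte XOR, and it is assumed that the key byte sits right after the stub, which is where an emulating scanner would recover it by running the stub.

```python
"""Why a constant decryptor hands the scanner a search string.

Model used here (constructed for illustration; nothing below is real virus
code, the hex is opaque filler standing in for machine code):
    sample = decryptor_stub + key_byte + (body XOR key_byte)
An encrypted virus keeps decryptor_stub fixed across generations; a
polymorphic one rewrites the stub each time.  A first-generation scanner
keys on whatever stays byte-for-byte identical across generations.
"""

STUB_LEN = 16
# Constant decryptor stub of the encrypted-virus model (opaque filler).
CONSTANT_DECRYPTOR = bytes.fromhex("8b0e31c08034060040e2fa83c706ffe7")
# Three stub variants for the polymorphic model, constructed so that no run
# longer than 4 bytes is common to all of them.
POLY_DECRYPTORS = [
    bytes.fromhex("8b0e31c08034060040e2fa83c706ffe7"),
    bytes.fromhex("31c08b0e9080340600904090e2f98d7f"),
    bytes.fromhex("8b0e9031c090803406009040e2fa83c7"),
]
BODY = b"payload body, identical in every generation"   # constructed plaintext
KEYS = [0x5A, 0xC3, 0x3C]   # one "random" key per generation, fixed for reproducibility


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def generation(stub: bytes, key: int) -> bytes:
    """One sample: the stub, the key byte the stub would load, the XORed body."""
    assert len(stub) == STUB_LEN
    return stub + bytes([key]) + xor(BODY, key)


def encrypted_generations() -> list:
    """Encrypted virus: same stub, fresh key each time."""
    return [generation(CONSTANT_DECRYPTOR, k) for k in KEYS]


def polymorphic_generations() -> list:
    """Polymorphic virus: stub rewritten as well as the key changed."""
    return [generation(stub, k) for stub, k in zip(POLY_DECRYPTORS, KEYS)]


def extract_signature(samples: list) -> bytes:
    """Longest byte string present in every sample (brute force; fine for toy sizes).
    This is what a signature writer can hope to extract from a set of generations."""
    ref = min(samples, key=len)
    for length in range(len(ref), 0, -1):
        for start in range(len(ref) - length + 1):
            cand = ref[start:start + length]
            if all(cand in s for s in samples):
                return cand
    return b""


def emulated_decrypt(sample: bytes) -> bytes:
    """What a generic-decryption scanner obtains by letting the stub run.
    In this model the key is simply read from where the stub keeps it."""
    key = sample[STUB_LEN]
    return xor(sample[STUB_LEN + 1:], key)


def scan_raw(sample: bytes, search_string: bytes) -> bool:
    """First-generation scanning of the bytes as they sit on disk."""
    return search_string in sample


def scan_after_decryption(sample: bytes, search_string: bytes) -> bool:
    """Scan the plaintext that the sample itself would produce."""
    return search_string in emulated_decrypt(sample)


if __name__ == "__main__":
    print("encrypted, constant stub  ->", extract_signature(encrypted_generations()).hex())
    print("polymorphic, varying stub ->", extract_signature(polymorphic_generations()).hex())
    body_sig = BODY[8:24]
    for s in polymorphic_generations():
        print("raw:", scan_raw(s, body_sig), " after decryption:", scan_after_decryption(s, body_sig))
```

With the constant stub the extracted search string is exactly the decryptor; with the polymorphic stubs it shrinks to a few bytes, too short to be a usable signature, and only scanning the decrypted body still finds the sample.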
Polymorphic virus
Metamorphic virus
Malware Countermeasure Approaches
 ideal solution to the threat of malware is prevention

four main elements of prevention:
• policy
• awareness
• vulnerability mitigation
• threat mitigation

 if prevention fails, technical mechanisms can be used to support the following threat mitigation options:
 detection
 identification
 removal
Generations of Anti-Virus Software
first generation: simple scanners
• requires a malware signature to identify the malware
• limited to the detection of known malware
second generation: heuristic scanners
• uses heuristic rules to search for probable malware instances
• another approach is integrity checking
third generation: activity traps
• memory-resident programs that identify malware by its actions rather than its structure in an infected program
fourth generation: full-featured protection
• packages consisting of a variety of anti-virus techniques used in conjunction
• include scanning and activity trap components and access control capability
First generation = string scanning
http://computervirus.uw.hu/ch11lev1sec1.html
1. The simplest approach.
2. It uses an extracted sequence of bytes (strings) that is typical of the virus but not likely to be found in clean programs.
3. The sequences extracted from computer viruses are then organized in databases,
4. which the virus scanning engines use to search predefined areas of files and system areas systematically to detect the viruses in the limited time allowed for the scanning.
5. Indeed, one of the most challenging tasks of the antivirus scanning engine is to use this limited time (typically no more than a couple of seconds per file) wisely enough to succeed.
Example of possible virus signature
A code snippet of the Stoned virus loaded to IDA
0400 B801 020E 07BB 0002 33C9 8BD1 419C
Wildcards = allow simple scanners to skip bytes or byte ranges
 Example: 0400 B801 020E 07BB ??02 %3 33C9 8BD1 419C
1. Try to match 04 and if found continue.
2. Try to match 00 and if found continue.
3. Try to match B8 and if found continue.
4. Try to match 01 and if found continue.
5. Try to match 02 and if found continue.
6. Try to match 0E and if found continue.
7. Try to match 07 and if found continue.
8. Try to match BB and if found continue.
9. Ignore this byte.
10. Try to match 02 and if found continue.
11. Try to match 33 in any of the following 3 positions and if matched continue.
12. Try to match C9 and if found continue.
13. Try to match 8B and if found continue.
14. Try to match D1 and if found continue.
15. Try to match 41 and if found continue.
16. Try to match 9C and if found report infection.
Mismatches
 Mismatches allow N bytes in a string to be of arbitrary value, regardless of their position.
 The string 11 22 33 44 55 66 77 88 with mismatch value 3 would match the following strings:
1. A3 11 22 33 C9 44 55 66 0A 77 88
2. 11 34 22 33 C4 44 55 66 67 77 88
3. 11 22 33 44 D4 DD E5 55 66 77 88
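The wildcard walk-through above and the mismatch rule, as an added example that is not part of the slides or of any real scanner: a toy first-generation string scanner in Python. The meaning of "??" (ignore one byte), "%N" (the next signature byte may sit at any of the following N positions) and of the mismatch value (up to N arbitrary bytes inserted anywhere) is assumed from the slides; the sample buffers are constructed.

```python
# Added example, not from the slides: toy first-generation string scanner.
# "??" ignores one byte, "%N" lets the next byte sit at any of the next N
# positions, and "mismatch" allows up to N inserted arbitrary bytes.
# These semantics are assumed; real engines differ in detail.

def parse_signature(signature):
    """'0400 B801 ??02 %3 33C9' -> [('byte', 4), ..., ('any', None), ('range', 3), ...]"""
    tokens = []
    for word in signature.split():
        if word.startswith("%"):                      # %N: positional slack
            tokens.append(("range", int(word[1:])))
            continue
        for i in range(0, len(word), 2):              # a word holds one or more hex bytes
            pair = word[i:i + 2]
            tokens.append(("any", None) if pair == "??" else ("byte", int(pair, 16)))
    return tokens

def match_at(data, tokens, pos):
    """True if the token list matches data from pos on; backtracks over %N choices."""
    if not tokens:
        return True
    if pos >= len(data):
        return False
    kind, value = tokens[0]
    if kind == "byte":
        return data[pos] == value and match_at(data, tokens[1:], pos + 1)
    if kind == "any":                                 # "??": skip exactly one byte
        return match_at(data, tokens[1:], pos + 1)
    # "range": the rest of the signature may start at any of the next N positions
    return any(match_at(data, tokens[1:], pos + skip) for skip in range(value))

def find_signature(data, signature):
    """Offset of the first match of a wildcard signature in data, or -1."""
    tokens = parse_signature(signature)
    return next((off for off in range(len(data)) if match_at(data, tokens, off)), -1)

def match_mismatch(data, pattern, budget, pos=0):
    """True if pattern occurs at pos with at most `budget` inserted arbitrary bytes."""
    if not pattern:
        return True
    if pos >= len(data):
        return False
    if data[pos] == pattern[0] and match_mismatch(data, pattern[1:], budget, pos + 1):
        return True
    return budget > 0 and match_mismatch(data, pattern, budget - 1, pos + 1)

STONED_SIG = "0400 B801 020E 07BB ??02 %3 33C9 8BD1 419C"   # signature from the slides

if __name__ == "__main__":
    # constructed sample: 3 junk bytes, then the signature with AA under "??"
    # and two filler 90 bytes that the "%3" range must skip before the 33
    sample = bytes.fromhex("EB3C90 0400B801020E07BB AA02 9090 33C9 8BD1419C")
    print(find_signature(sample, STONED_SIG))                                  # 3
    print(match_mismatch(bytes.fromhex("A3112233C94455660A7788"), bytes.fromhex("1122334455667788"), 3))  # True
```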
Generic detection
1. When more than one variant of a virus is discovered,
2. the variants are compared to find a common string in their code.
3. This technique uses one common string to detect several or all known variants of a family of viruses.
4. Usually, this technique makes use of wildcards and mismatches.
Generic Decryption (GD)
 enables the anti-virus program to easily detect complex polymorphic viruses and other malware while maintaining fast scanning speeds
 executable files are run through a GD scanner which contains the following elements:
 CPU emulator
 virus signature scanner
 emulation control module
 the most difficult design issue with a GD scanner is to determine how long to run each interpretation
Top and tail detection
1. Scans only the first and the last 2, 4, or 8 KB of a file.
2. A good way to make virus detection much faster.
3. Optimizes scanning speed by reducing the number of disk reads.
4. A popular technique with early computer viruses,
5. because they were prefixed or appended.
Entry-point and fixed-point scanning - make scanning faster
1. Use the entry point of objects, which is made available in the headers of objects such as executable files.
2. The entry point is a common target for viruses,
3. so entry-point scanners focus on that position and typically have a single position to mask their scan string.
4. Fixed-point scanning is used when the entry point does not have enough good strings.
5. The scanner sets a start position M and then matches each string at positions M + x bytes away from this fixed point.
6. Typically, x is zero, so the number of computations is reduced and the disk I/O is reduced as well.
Second generation scanners
1. Why a 2nd generation?
2. Simple string matching was no longer enough to detect the more advanced computer viruses.
3. Also, exact and nearly exact identification were introduced,
4. so the scanning process became more reliable.
Smart scanners
1. Computer virus mutator kits appeared.
2. The mutation kits worked with assembly code and tried to insert junk instructions, such as do-nothing NOP instructions, into the source code.
3. The recompiled virus looked very different from its original because many offsets could change in the virus.
4. Smart scanning skipped instructions like NOP in the host program and did not store such instructions in the virus signature.
5. An effort was made to select an area of the virus body that had no references to data or other subroutines. This enhanced the likelihood of detecting a closely related variant of the virus.
Skeleton detection (invented by Eugene Kaspersky)
1. Useful in detecting macro virus families.
2. Rather than selecting a simple string or a checksum of the set of macros, the scanner:
 parses the macro statements line by line
 and drops all nonessential statements,
 as well as the aforementioned white spaces.
3. The result is a skeleton of the macro body that has only the essential macro code that commonly appears in macro viruses.
4. The scanner uses this information to detect the viruses, enhancing variant detection of the same family.
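Skeleton extraction as an added example, not from the slides or from Kaspersky's engine: a toy Python normaliser that drops comment lines, trailing comments, blank lines, letter case and surplus whitespace from VBA-style macro text and hashes what is left. Which statements count as "nonessential" is an assumption here (a real engine drops more); the two macro texts are constructed and merely show a message box.

```python
# Added example, not from the slides: toy macro "skeleton" extractor.
# Copies that differ only in comments, spacing and casing share one skeleton,
# so one database entry covers them.  "Nonessential" is assumed to mean
# comments and whitespace; a real engine applies a broader rule.
import hashlib
import re

def strip_comment(line):
    """Cut a trailing ' comment, ignoring apostrophes inside "..." literals."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def macro_skeleton(macro_text):
    """Essential statements of a macro body, normalised for spacing and case."""
    skeleton = []
    for raw in macro_text.splitlines():
        line = strip_comment(raw).strip()
        if not line or re.match(r"rem\b", line, re.I):   # blank or Rem comment line
            continue
        skeleton.append(re.sub(r"\s+", " ", line).lower())
    return skeleton

def skeleton_hash(macro_text):
    """SHA-256 over the skeleton: what a scanner database would store."""
    return hashlib.sha256("\n".join(macro_skeleton(macro_text)).encode()).hexdigest()

# constructed toy macro (shows a message box; not a real virus) and a copy
# padded with junk comments, blank lines and odd spacing/casing
ORIGINAL = """
Sub AutoOpen()
    ' greet the user
    Dim path As String
    path = Application.Path
    MsgBox "Opened from 'here': " & path
End Sub
"""
PADDED = """
Sub   AutoOpen()
Rem junk line inserted between generations

    dim PATH as string
    path =    Application.Path     ' moved comment
    MSGBOX "Opened from 'here': " & path
end sub
"""

if __name__ == "__main__":
    print(macro_skeleton(ORIGINAL))
    print(skeleton_hash(ORIGINAL) == skeleton_hash(PADDED))    # True
```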
Near exact identification
1. Nearly exact identification uses different methods to detect viruses more accurately.
2. One method is to use two strings, double string detection, instead of just one. If both strings are found, the virus is nearly exactly identified.
3. Disinfection is safer, as the identified virus is less likely to be a variant of the original, which would need a different disinfection method.
Nearly exact identification
 The following secondary string could be selected from offset 0x7CFC of our example to detect Stoned nearly exactly:
 0700 BA80 00CD 13EB 4990 B903 00BA 0001
 0400 B801 020E 07BB 0002 33C9 8BD1 419C
 The scanner can detect a Stoned variant if one string is detected, and refuse disinfection of the virus because it could be a possibly unknown variant that would not be disinfected correctly.
 Whenever both strings are found, the virus is nearly exactly identified. It could still be a virus variant, but at least the repair of the virus is more likely to be proper.
Nearly exact identification
 Two other techniques:
1. The use of checksum ranges selected from a virus body
 A checksum of the bytes of a targeted area in a virus body is calculated.
 This allows longer areas of the virus body to be selected for better accuracy, without overloading the antivirus database.
2. Eugene Kaspersky invented the KAV algorithm, which does not use any search strings,
 but uses two cryptographic checksums
 which are calculated at two preset positions and lengths within an object.
Exact identification
1. The only method to guarantee precise identification of virus variants.
2. Usually combined with first generation techniques.
3. It can also differentiate precisely between different variants of the same virus.
Exact identification
1. Unlike nearly exact identification, exact identification uses as many ranges as necessary to calculate a checksum of all constant bits of the virus body.
2. This level of accuracy is reached by eliminating the variable bytes of the virus body to create a map of all constant bytes.
3. Constant data bytes can be used in the map, but variable data can hurt the checksum.
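The constant-byte map and the checksum ranges of the two slides above (nearly exact checksum ranges and exact identification), as an added example that is not part of the slides or of any scanner: Python code that derives the ranges from several replications of one body, checksums only those ranges, and looks the result up in a tiny database. The 20-byte body, its variable fields (a generation counter and a 2-byte key) and the use of CRC32 in place of a cryptographic checksum are constructed assumptions.

```python
# Added example, not from the slides: map of constant bytes + range checksum.
# Checksumming only the constant ranges keeps the variable bytes (counter,
# key) from "hurting the checksum".  Body layout and CRC32 are assumptions.
import zlib

TEMPLATE = bytes(range(0x10, 0x24))       # constructed 20-byte "virus body"

def replicate(generation, key):
    """Constructed replication: a generation counter and a 2-byte key vary per copy."""
    body = bytearray(TEMPLATE)
    body[5] = generation
    body[12:14] = key
    return bytes(body)

def constant_byte_map(samples):
    """Ranges (start, end) where every sample carries identical bytes."""
    first, ranges, start = samples[0], [], None
    flags = [all(s[i] == first[i] for s in samples) for i in range(len(first))]
    for i, constant in enumerate(flags + [False]):     # sentinel closes the last run
        if constant and start is None:
            start = i
        elif not constant and start is not None:
            ranges.append((start, i))
            start = None
    return ranges

def range_checksum(body, ranges):
    """Checksum over the constant ranges only; variable bytes are left out."""
    return zlib.crc32(b"".join(body[a:b] for a, b in ranges)) & 0xFFFFFFFF

def identify(body, ranges, database):
    """Exact identification: the name whose range checksum matches, else None."""
    checksum = range_checksum(body, ranges)
    return next((name for name, c in database.items() if c == checksum), None)

# three captured replications (constructed) -> constant-byte map -> database entry
SAMPLES = [replicate(1, b"\xaa\x55"), replicate(2, b"\x01\x02"), replicate(9, b"\xfe\xed")]
RANGES = constant_byte_map(SAMPLES)               # [(0, 5), (6, 12), (14, 20)]
DATABASE = {"Toy.A": range_checksum(SAMPLES[0], RANGES)}

if __name__ == "__main__":
    print(RANGES)
    print(identify(replicate(77, b"\x00\x00"), RANGES, DATABASE))   # Toy.A
    variant = bytearray(replicate(3, b"\x11\x22"))
    variant[7] ^= 0xFF                            # one constant byte changed: a new variant
    print(identify(bytes(variant), RANGES, DATABASE))               # None
```

A whole-body checksum would differ between SAMPLES[0] and SAMPLES[1] because of the counter and key; the range checksum is identical for both.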
Algorithmic scanning
1. The term algorithmic scanning is a bit misleading but nonetheless widely used.
2. Whenever the standard algorithm of the scanner cannot deal with a virus, new detection code must be introduced to implement a virus-specific detection algorithm.
3. This is called algorithmic scanning, but virus-specific detection algorithm could be a better term. Early implementations of algorithmic scanning were simply a set of hard-coded detection routines that were typically released with the core engine code.
Algorithmic scanning
1. Modern algorithmic scanning is implemented as a Java-like p-code (portable code) using a virtual machine.
2. Norton AntiVirus uses this technique.
3. The advantage: detection routines are highly portable.
4. The disadvantage of such scanners is the relatively slow code execution, compared to real run-time code.
Algorithmic scanning: filtering
1. The filtering technique is increasingly used in second-generation scanners.
2. The idea: viruses typically infect only a subset of known object types.
3. This gives the scanner an edge.
 For example, boot virus signatures can be limited to boot sectors,
 DOS EXE signatures to their own types, and so on.
4. Thus an extra flag field of the string (or detection routine) can be used to indicate whether or not the signature in question is expected to appear in the object being scanned.
5. This reduces the number of string matches the scanner must perform.
 Algorithmic scanning relies strongly on good filters,
 because such detections are more expensive in terms of CPU resources.
 Generally, a filter is virus-specific:
a) the type of the executable,
b) the identifier marks of the virus in the header of the scanned object,
c) suspicious code section characteristics or code section names, and so on.
 BUT some viruses are too sophisticated for such type of filtering.
Problem with algorithmic viruses
1. Speed issues, slowing down of the machine.
2. The detection of evolutionary viruses (such as encrypted and polymorphic viruses).
3. Evolutionary viruses can only occasionally be detected with scan strings using wildcards.
Host-Based Behavior-Blocking Software
 integrates with the operating system of a host computer and monitors program behavior in real time for malicious action
 blocks potentially malicious actions before they have a chance to affect the system
 blocks software in real time so it has an advantage over anti-virus detection techniques such as fingerprinting or heuristics
limitations
• because malicious code must run on the target machine before all its behaviors can be identified, it can cause harm before it has been detected and blocked
Perimeter Scanning Approaches
 anti-virus software typically included in e-mail and Web proxy services running on an organization’s firewall and IDS
 may also be included in the traffic analysis component of an IDS
 may include intrusion prevention measures, blocking the flow of any suspicious traffic
 approach is limited to scanning malware
 two types of monitoring software:
 ingress monitors: located at the border between the enterprise network and the Internet; one technique is to look for incoming traffic to unused local IP addresses
 egress monitors: located at the egress point of individual LANs as well as at the border between the enterprise network and the Internet; monitors outgoing traffic for signs of scanning or other suspicious behavior
Worm Countermeasures
 considerable overlap in techniques for dealing with viruses and worms
 once a worm is resident on a machine anti-virus software can be used to detect and possibly remove it
 perimeter network activity and usage monitoring can form the basis of a worm defense
 worm defense approaches include:
 signature-based worm scan filtering
 filter-based worm containment
 payload-classification-based worm containment
 threshold random walk (TRW) scan detection
 rate limiting
 rate halting
Digital Immune System
Worm Countermeasure Architecture
Summary
 types of malicious software (malware)
 terminology for malicious software
 viruses – infected content
 infection mechanism, trigger, payload
 dormant, propagation, triggering, and execution phases
 boot sector infector, file infector, macro virus, and multipartite virus
 encrypted, stealth, polymorphic, and metamorphic viruses
 worms – vulnerability exploit
 replicates via remote systems
 e-mail, file sharing, remote execution, remote file access, remote login capability
 scanning/fingerprinting
 spam e-mail/trojans – social engineering
 payload – system corruption
 data destruction, real world damage
 ransomware, logic bomb
 payload – attack agent
 bots
 remote control facility
 payload – information theft
 credential theft, keyloggers, spyware
 phishing, identity theft
 payload – stealthing
 backdoor/trapdoor
 rootkit
 kernel mode rootkits
 virtual machine/external rootkits
 countermeasures
 prevention
 detection, identification, removal
 host based scanners/behavior blocking software
 digital immune system