Post on 09-Jun-2015
transcript
Development of high-level language viruses under Windows
Breno Dario & Ulisses Rocha
µCon security conference 2008
File Infection
File infection overview
Overwriting
Prepending
PE Infection
Source File Infection
File Infection
Most used technique for file infection in HLL viruses
Uses only plain file read/write operations
Treats the .exe as an opaque file instead of parsing the PE structure
Can be implemented in almost all languages
Prepend-like
Prepend-like (dirty side)
File Infection
Infected files get bigger, so the user may notice
Tiny executables should be avoided for stealth reasons
Alternate Data Streams (ADS)
File Infection
Requires at least one drive formatted with the NT file system (NTFS), which luckily most systems have these days.
Exists for compatibility with the Macintosh Hierarchical File System (HFS).
Files stored on HFS consist of two parts, known as forks:
Data fork and Resource fork.
Windows systems using NTFS store Macintosh resource forks in a hidden NTFS stream.
Information stored in the resource fork does not alter the original file in any way (e.g. last-modified date or file size).
File Infection
Prepend + ADS for stealth
Hide virus body in the resource fork
Infect file with a tiny executable instead of the entire virus
Traveling problems
Spreading
Spreading
Search Mechanism
In-Memory Strategies
Direct Action
Memory-Resident
Temporary Memory-Resident
How to spread (most common mechanisms)
E-mail
Shared Folders
P2P Folders
USB Watcher
Spreading
Registry Shell Spawning
Temporary Memory-Resident
Relies on the operating system
How do you know which files are EXE targets? The Windows registry:
HKEY_CLASSES_ROOT\exefile\shell\open\command
"%1" %*
What does that do? "%1" is replaced by the EXE's filename (with full path); %* is replaced by its parameters.
Spreading Example
File Name: test.exe
Path: C:\windows\
Command Line:
"C:\windows\test.exe" -arg1 -arg2
Use that feature
Change the registry entry to:
"C:\Windows\System32\virus.exe" "%1" %*
Command Line:
"C:\windows\system32\virus.exe" "C:\windows\test.exe" -arg1 -arg2
"our virus will be executed EVERY TIME an EXE file is started."
Registry Shell Spawning
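Added example (not code from the slides): a defender's check for the shell-spawning trick described above. It parses the HKEY_CLASSES_ROOT\exefile\shell\open\command value and flags any program placed in front of "%1"; the live registry read is a winreg call that only runs on Windows, and the sample values are constructed.

```python
import re
import sys

# Default value of HKEY_CLASSES_ROOT\exefile\shell\open\command on a
# clean Windows install; anything before "%1" runs before every EXE.
REG_PATH = r"exefile\shell\open\command"
DEFAULT_COMMAND = '"%1" %*'

# First token of the command: a quoted path or a bare non-space run.
_LEADER = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def analyze_exefile_command(value: str) -> dict:
    """Classify an exefile open command string.

    status   : "clean" (exact default), "modified" ("%1" still first),
               "broken" (no "%1" at all, EXEs would not launch) or
               "hijacked" (another program placed before "%1").
    launcher : the program that would run before every EXE, else None.
    """
    normalized = " ".join(value.split())
    if normalized == DEFAULT_COMMAND:
        return {"status": "clean", "launcher": None}
    if "%1" not in normalized:
        return {"status": "broken", "launcher": None}
    m = _LEADER.match(normalized)
    leader = m.group(1) or m.group(2)
    if leader == "%1":
        return {"status": "modified", "launcher": None}
    return {"status": "hijacked", "launcher": leader}


def read_exefile_command():
    """Read the live registry value on Windows; return None elsewhere."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # Windows-only module, hence the lazy import
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, REG_PATH) as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


if __name__ == "__main__":
    # Constructed samples; the second mirrors the hijacked entry on the slide.
    samples = ['"%1" %*', '"C:\\Windows\\System32\\virus.exe" "%1" %*']
    live = read_exefile_command()
    for s in ([live] if live is not None else []) + samples:
        print(analyze_exefile_command(s), "<-", s)
```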
Self Protection
Process Hiding
API Hooking (Fashion Way)
Intercepts messages of the hooked process
Task Manager retrieves the list of running processes by calling the function NtQuerySystemInformation in ntdll
The goal is to intercept the calls to NtQuerySystemInformation made by Task Manager and drop the information about our evil process before it reaches Task Manager's process
Sometimes avoided because of its complexity
For this technique we need to inject a DLL into the target process's memory space
So the virus must carry a DLL as its payload
Process Hiding
Naming to svchost (Dirty Way)
All we need to do is name our evil executable file svchost.exe
There is always more than one svchost process running, so our virus stays unnoticed by the user
Some say it's a lame technique, but the truth is it's very effective
It's widely used because no implementation is needed
Fucking AVs
AV Killer
AV Killer does the dirty job of taking AVs out of orbit
The first thing we need to implement an AV Killer is a list of AV process names
The virus loops through the list of running processes looking for those specific names and kills them
The technique can be dangerous if it is misused
Advanced Code Evolution Techniques
Evolution of Code
Encrypted Viruses
Oligomorphic Viruses
Polymorphic Viruses
Metamorphic Viruses
Evolution of Code
Evolution baby evolution!!!
Antivirus defense techniques
Signature Verification
Heuristic Analysis
Evolution of Code
First method implemented
Encrypted
Evolution of Code
Encrypted Perl Virus
Evolution of Code
Evolved form of Encrypted Viruses
Semi-polymorphic
Multiple decryption patterns
Has the ability to hide in a random way
Oligomorphic
Evolution of Code
Oligomorphic Perl Virus
Evolution of Code
Polymorphic
Next step in the evolution of oligomorphic techniques
Oligomorphics X Polymorphics
Techniques
Junk instructions
Permutation
Entry Point Obfuscation
Evolution of Code
Natural evolution of polymorphics
Polymorphics X Metamorphics
Black Box
Metamorphic