Hunting for Metamorphic
By Péter Ször and Peter Ferrie
Introduction
● Polymorphic virus engines resulted in stronger virus scanners.
● The paper focuses on how virus creators have challenged virus scanners over the past decade.
Evolution of Code: 32-bit Encrypted Viruses
● Cascade
○ One of the first DOS viruses that used encryption.
○ Starts with a constant decryptor that is followed by the virus body it decrypts.
○ The method appeared in early 32-bit Windows viruses and is also used in more recent viruses.
● The decryptor's code pattern is unique enough that detection is possible without decrypting the virus body, and infected code can easily be repaired.
Evolution of Code: 32-bit Oligomorphic Viruses
● Oligomorphic viruses change their decryptors.
● Detection through the decryptor's code became more challenging.
● Dealt with by dynamically decrypting the encrypted code.
Evolution of Code: 32-bit Polymorphic Viruses
● Polymorphic viruses are able to create new decryptors that use different encryption methods to encrypt the constant part of the virus body.
● To make the AV scanner's job more difficult, entry point obscuring techniques were used in combination with 32-bit polymorphism.
[Figure: Generations of a polymorphic virus]
Evolution of Code: 32-bit Metamorphic Viruses
● Polymorphic viruses take time to create and sometimes are not seen in the wild because of bugs.
● Researchers could find a method for detecting such viruses within minutes to a few days.
● Low number of efficient external polymorphic engines.
● Metamorphic viruses:
○ No decryptor
○ No constant virus body
○ Able to change how they look and behave
[Figure: Virus body changes in different generations of a metamorphic virus]
Evolution of Code: Simple Metamorphic Viruses
● In 1998, the Win95/Regswap virus was created.
○ Register usage exchange
○ The virus body uses the same code but different registers.
Evolution of Code: Complex Metamorphic Viruses
● In 2000, the Win32/Evol virus appeared.
○ Capable of running on any major Win32 platform.
○ Capable of inserting garbage between core instructions.
Evolution of Code: Complex Metamorphic Viruses
● In 2000, variations of Win95/Zperm appeared, using a method from the Ply DOS virus.
○ Jump instructions are inserted into the code
○ Each points to a new instruction of the virus
○ Creates new mutations by removing and adding jump and garbage instructions
○ Cannot be detected by search strings in files or in memory.
Evolution of Code: Complex Metamorphic Viruses
● In 2000, Win95/Bistro was created
○ Based on the sources of the Zperm virus and RPME (Real Permutating Engine, available for other virus writers to create new metamorphic viruses).
○ Uses a random code block insertion engine
○ Generates millions of iterations to challenge the code emulator's speed.
Evolution of Code: Advanced Metamorphic Virus Engines
● Win95/Zmist virus, created by Zombie
○ Entry point-obscuring metamorphic virus
○ Randomly uses an additional polymorphic decryptor
○ Supports code integration
○ Randomly inserts jump instructions after every single instruction of the code section
● Initialization
○ Doesn't alter the host entry point
○ Merges with existing code
● Direct Action Infection
○ Checks whether there is at least 16 MB of physical memory
○ Then allocates memory blocks, permutates the virus body, and recursively searches for .exe files
Evolution of Code: Advanced Metamorphic Virus Engines
● Permutation
○ Slow
○ Consists of instruction replacement
● Infection of Portable Executable Files
○ File must be <448 KB
○ Must begin with "MZ"
○ Must be a Portable Executable file
● "Islands" of code are integrated into random locations in the host, linked together by jumps.
Metamorphic Virus Detection
● Geometric Detection
○ Based on changes to the file structure
● Disassembling Techniques
○ Separates instructions to look for garbage instructions that have been inserted by a virus.
○ Example: CMP AX, "ZM"
● Use of Emulators for Tracing
○ Allows the virus to execute freely in an environment it cannot escape
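As an added example (not code from the paper or its authors), the following Python models the disassembling technique described above for a tiny, assumed x86 opcode subset: it follows the unconditional jumps that a Zperm-style permutation engine inserts, drops the JMPs and NOP garbage, and applies a search string to the re-linearized instruction stream rather than to the raw bytes. The CMP AX, "ZM" check from the slide (bytes 66 3D 4D 5A, the little-endian MZ header test) anchors the constructed signature; the opcode table and the sample byte strings are constructed for this example, not real virus code.

```python
import struct

# Instruction lengths for the opcode subset decoded here. Assumption: a real
# scanner uses a full x86 length disassembler; this table covers the sample only.
INSN_LEN = {0x90: 1, 0x60: 1, 0x61: 1, 0xC3: 1, 0xEB: 2, 0xE9: 5}
GARBAGE = {0x90}                      # NOPs are treated as inserted junk
JMP_SHORT, JMP_NEAR, RET = 0xEB, 0xE9, 0xC3

def normalize(code: bytes, entry: int = 0, max_insns: int = 10_000) -> bytes:
    """Walk the code from `entry`, following unconditional JMPs, and return the
    instructions actually executed, in execution order, without JMPs or garbage."""
    out, ip, seen = bytearray(), entry, set()
    for _ in range(max_insns):
        if ip in seen or not 0 <= ip < len(code):
            break                         # jump loop, or fell off the buffer
        seen.add(ip)
        op = code[ip]
        if op == 0x66 and ip + 1 < len(code) and code[ip + 1] == 0x3D:
            length = 4                    # 66 3D imm16: CMP AX, imm16
        elif op in INSN_LEN:
            length = INSN_LEN[op]
        else:
            break                         # opcode outside the subset: stop
        insn = code[ip:ip + length]
        if len(insn) < length:
            break                         # truncated instruction
        if op == JMP_SHORT:               # rel8, relative to the next instruction
            ip += length + struct.unpack("<b", insn[1:2])[0]
            continue
        if op == JMP_NEAR:                # rel32, relative to the next instruction
            ip += length + struct.unpack("<i", insn[1:5])[0]
            continue
        if op not in GARBAGE:
            out += insn
        if op == RET:
            break
        ip += length
    return bytes(out)

def matches(code: bytes, signature: bytes, entry: int = 0) -> bool:
    # Search-string match over the normalized stream instead of the raw bytes
    return signature in normalize(code, entry)

# Constructed search string: PUSHAD; CMP AX, "ZM" (the MZ header check); POPAD; RET
SIGNATURE = bytes.fromhex("60 663D4D5A 61 C3")
# Constructed permuted generation of the same body: islands in scrambled order,
# chained by JMPs, with NOP garbage inserted. Not real virus code.
PERMUTED = bytes.fromhex("60 90 EB04 61 C3 9090 663D4D5A 90 E9F2FFFFFF")
if __name__ == "__main__":
    print(normalize(PERMUTED).hex(), matches(PERMUTED, SIGNATURE))
```

The raw bytes of PERMUTED never contain the signature, but its normalized stream is byte-for-byte the original body, which is why the match succeeds; the visited-offset set is what stops a JMP-to-self loop from running forever.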
Possible Future Virus Developments
● More metamorphic engines will be written in the future.
● Viruses that are able to communicate with each other.
○ Export the engine of one virus to another virus or worm
○ Exchange trigger routines
Conclusion
● Metamorphic viruses are becoming more prevalent and must be taken seriously.
● Metamorphic viruses continue to evolve and are becoming a great challenge for antivirus researchers.