Understanding Anti-Anti-Virus Techniques and Retroviruses
Explore the world of anti-anti-virus techniques including Retroviruses and Entry Point Obfuscation. Learn about the methods used by viruses to evade detection and damage anti-virus software. Discover how Retroviruses like Ganda virus operate stealthily to hinder anti-virus programs. Delve into strategies like Anti-Emulation and Entry Point Obfuscation employed by malicious software to outsmart and outlast emulators and security programs.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
Chapter 5 Anti-Anti-Virus
Anti-Anti-Virus All viruses self-replicate Anti-anti-virus means it s openly hostile to AV Anti-anti-virus techniques? o Aggressively attack AV software o Make analysis of virus difficult o Try to avoid being detected using knowledge of how AV works
Anti-Virus Virus? Anti-anti-virus versus anti-virus virus o What the ? This chapter is about anti-anti virus Aside: What is an anti-virus virus? o Virus attacks other viruses, or o AV software that propagates virally, or o Software that drops a virus, then offers to remove it for a fee
Retroviruses Also known as anti-antivirus viruses Virus with active defense What techniques are used? Kill AV (and related) processes o Virus lists active processes o Kills things like Avgw.exe, Scan32.exe, Navw32.exe, Regedit.exe, Zonealarm.exe o Might also do this for processes run at startup
Retroviruses Example: Ganda virus Kills running AV-like processes Examines processes run at startup o If it appears to be AV-related o replace 1stinstruction with return Stealthier? o Starve AV software by lowering priority o Prevent AV software from connecting to company database, etc.
Entry Point Obfuscation Viruses often hijack usual entry point o But this is fairly obvious Set entry point at random location? o Probably not a good idea --- why? Find calls to ExitProcess API? o Used by Simile and Ganda Look for known code sequences? o Compilers produce stereotypical code
Anti-Emulation Recall that emulation is used for AV How can virus defeat emulation? 1. Outlast 2. Outsmart 3. Overextend AV solution to 2 & 3 is better emulator o Of course, this comes at a price
Anti-Emulation: Outlast How to outlast an emulator? 1. Lots of (disguised) do-nothing code 2. Only be malicious, say, 1/10thof time o Then AV might mark code as safe o Subsequently, virus has a free hand 3. Entry point obfuscation o Emulator might assume virus will appear early in execution of infected code
Anti-Emulation: Outsmart Try to counter dynamic heuristics Example: In some cases, decryption is a good dynamic heuristic To counter this, virus could o Spread decryption throughout code, not all in one loop o Then emulator might never reach its decryption threshold
Anti-Emulation: Overextend How to push emulator to the limit? 1. Use undocumented instructions o If not handled correctly, it s emulated 2. Bugs in CPU o If handled correctly, it s emulated 3. Exhaust or abuse memory 4. Check for differences between system calls, e.g., check time twice o Emulator might return fixed value
Anti-Emulation: Overextend How to push emulator to the limit? 5. Import obscure libraries 6. Use external resources, e.g., web page o Almost impossible to emulate external stuff 7. Emulator-specific checks o E.g., a known interface to outside
Armoring Armor virus --- make analysis more difficult Two types of techniques used: 1. Anti-debugging o Examples? 2. Anti-disassembly o Examples?
Anti-Debugging Look for inserted breakpoints o Like error detection/correction Look for single-stepping o Interrupt pushed onto stack after every instruction so push then immediately pop, or o Time the execution, or o Dynamically modify next instruction, since processors usually pre-fetch Last 2 also anti-emulation techniques
Anti-Debugging If all else fails, ask: o IsDebuggerPresent() In Linux, request to trace a process more than once fails o How can virus take advantage of this?
Anti-Debugging Speaking of threads Interlocking and deadlocking threads o Only small part of code appears o Different parts each time Fairly strong for anti-debugging o Improved software activation using multithreading Could be even more effective if combined with encrypted code o Project, anyone?
Anti-Disassembly Anti-disassemblymentarianism? Goals 1. Disassembly cannot be automated 2. Code not available until it executes For 1, one idea is to mix code and data o Once mixed, separating is unsolvable
Anti-Disassembly Mixing code and data can result in false disassembly Disassemblers not so easily confused
Anti-Disassembly How to make code unavailable for static analysis? 1. Dynamically generate code at runtime 2. Self-modifying code o A red flag for heuristic analysis 3. Use the environment to construct code at runtime o How s that?
Anti-Disassembly Constructed code? Hash stuff and extract code bits o Perhaps combine with buffer overflow? o Project, anyone?
Anti-Disassembly Encrypted code o Decrypt in parts as needed o Flush plaintext when done o Combine with anti-debugging o Watch for MiM type of attacks My startup company did all of this Might do similar things with threads o Intentionally delicate timing
Tunneling Virus traces system functions it uses o To be sure they go to the right place o If not, code is being monitored How to trace code? o Static heuristic or emulation o Just like the AV stuff Can t tunnel into kernel on modern OS o But still might be useful technique
Tunneling AV software can hide from tunneling if it s installed in the kernel o Unless virus is in the kernel too But, virus in kernel would be bad for lots and lots of other reasons
Integrity Checker Attacks How to avoid integrity check? o Integrity check can detect any change Stealth virus might hide o But only from weak integrity check Infect when legitimate change to file In one infamous case o Delete integrity check database and all checksums recomputed
Avoidance Hide in places not searched Possibilities include o USB key o Some types of files o New type of packer o Etc. Pretty lame?