hunting for metamorphic
play

Hunting for Metamorphic By Pter Szr and Peter Ferrie Introduction - PowerPoint PPT Presentation

Dec 22, 2023 •268 likes •446 views

Hunting for Metamorphic By Pter Szr and Peter Ferrie Introduction Polymorphic virus engines resulted in stronger virus scanners. Paper focuses on how virus creators have challenged virus scanners over the past decade. Evolution of

  1. Hunting for Metamorphic By Péter Ször and Peter Ferrie

  2. Introduction ● Polymorphic virus engines resulted in stronger virus scanners. ● Paper focuses on how virus creators have challenged virus scanners over the past decade.

  3. Evolution of Code: 32-bit Encrypted Viruses ● Cascade ○ One of the first DOS viruses that used encryption. ○ Starts with constant decryptor that's followed by decrypted virus body. ○ Method appeared in early 32bit Windows viruses, and is also used in more recent viruses. ● Code pattern for decryption is unique enough that detection is possible without decrypting virus body and infected code can easily be repaired.

  4. Evolution of Code: 32-bit Oligomorphic Viruses ● Oligomorphic viruses change decryptors. ● Detection through decryptor's code became more challenging. ● Dealt with virus by dynamic decryption of code that is encrypted.

  5. Evolution of Code: 32-bit Polymorphic Viruses ● Polymorphic viruses are able to create new decryptors that use different encryption methods to encrypt the constant part of the virus body. ● To make the AV scanner's job more difficult, entry point obscuring techniques were used in combination with 32- bit polymorphism.. Generations of a polymorphic virus.

  6. Evolution of Code: 32-bit Metamorphic Viruses ● Polymorphic viruses take time to create and sometimes are not seen in the wild because of bugs. ● Researchers could find a method fo detecting such viruses between minutes and a few days. ● Low number of efficient external polymorphic engines. ● Metamorphic viruses: ○ No decryptor ○ No constant virus body ○ Able to change how they look and behave Virus body changes in different generations of metamorphic virus

  7. Evolution of Code: Simple Metamorphic Viruses ● In 1998, Win95/Regswap virus was created. ○ Register usage exchange ○ Virus body uses the same code but different registers.

  8. Evolution of Code: Complex Metamorphic Viruses ● In 2000, Win32/Evol virus appeared. ○ Capable of running on any major Win32 platform. ○ Capable of inserting garbage between core instructions.

  9. Evolution of Code: Complex Metamorphic Viruses ● In 2000, variations of Win95/Zperm appeared using method from Ply DOS virus. ○ Jump instructions inserted into code ○ Points to a new instruction of the virus ○ Creates new mutations by removing and adding jump and garbage instructions ○ Cannot be detected by search strings in the files or in memory.

  10. Evolution of Code: Complex Metamorphic Viruses ● In 2000, Win95/Bistro was created ○ Based on sources of Zperm virus and RPME (Real Permutating Engine, available for other virus writers to create new metamorphic viruses). ○ Uses a random code block insertion engine ○ Generates millions of iterations to challenge code emulator's speed.

  11. Evolution of Code: Advanced Metamorphic Viruses Engines ● Win95/Zmist, virus, created by Zombie ○ Entry Point-Obscuring metamorphic virus ○ Randomly uses additional polymorphic decryptor ○ Supports code integration ○ Randomly inserts jump instructions after every single instruction of the code section

  12. Evolution of Code: Advanced Metamorphic Viruses Engines ● Zmist, virus, created by Zombie ○ Entry Point-Obscuring metamorphic virus ○ Randomly uses additional polymorphic decryptor ○ Supports code integration ○ Randomly inserts jump instructions after every single instruction of the code section ● Initialization ○ Doesn't alter host entry point ○ Merges with existing code ● Direct Action Infection ○ Checks to see if there's at least 16MB of physical memory ○ Then allocates memory blocks, permutates virus body, recursive search for .exe files

  13. Evolution of Code: Advanced Metamorphic Viruses Engines ● Permutation ○ Slow ○ Consists of instruction replacement ● Infection of Portable Executable Files ○ File must be <448 KB ○ Begin with "MZ" ○ Portable Executable file ● "Islands" of code are integrated into random locations in host linked together by jumps.

  14. Metamorphic Virus Detection ● Geometric Detection ○ Based on changes to the file structure ● DisassemblingTechniques ○ Separates instructions to look for garbage instructions that has been inserted by a virus. ○ CMP AX, "ZM" ● Use of Emulators for Tracing ○ Allows virus to execute freely in an environment it cannot escape

  15. Possible Future Virus Developments ● More metamorphic engines will be written in the future. ● Viruses that are able to communicate with each other. ○ Export engine of virus to another virus or worm ○ Exchange trigger routines

  16. Conclusion ● Metamorphic viruses are becoming more prevalent and must be taken seriously. ● Metamorphic viruses continue to evolve and become a very great challenge for antivirus researchers.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting PLC Global Footprint 2 2009 Corporate Highlights Completed three acquisitions 47.3m Sale of Hunting Energy France 11.1m Year end

857 views • 37 slides
Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and Stalk Hunting Techniques: Decoying Hunting Techniques: Pass Shooting Gauge Sizes Choke extracted from muzzle Choke lengths and wall diameters

783 views • 29 slides
Engineering Geology Metamorphic Rocks Hussien Al - deeky 1 Engineering Geology Definition

Engineering Geology Metamorphic Rocks Hussien Al - deeky 1 Engineering Geology Definition

Engineering Geology Metamorphic Rocks Hussien Al - deeky 1 Engineering Geology Definition Metamorphic rock is the result of the transformation of an existing rock type, the protolith ( parent rock ) , in a process called metamorphism, which means

804 views • 23 slides
The Remote Metamorphic Engine Detecting, Evading, Attacking the AI and Reverse Engineering Amro

The Remote Metamorphic Engine Detecting, Evading, Attacking the AI and Reverse Engineering Amro

The Remote Metamorphic Engine Detecting, Evading, Attacking the AI and Reverse Engineering Amro Abdelgawad / REcon 2016 line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx mov byte [ecx], dl The Remote Metamorphic Engine xor eax, 0

683 views • 50 slides
THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil the Lion, Hwange National Park, Zimbabwe, 2013 Yann Prisner-Levyne WILD FAUNA= NATURAL RESOURCES UNDER INTERNATIONAL LAW Principle of permanent

400 views • 21 slides
Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm

Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm

Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm Licensing (Briefly) Hunting on Traditional Territory Hunting off Traditional Territory Applying for a FWID and BCEID Metis Hunting in BC

377 views • 13 slides
Metamorphic Rocks Basement of Parashant Geological Adventures at Parashant Lesson 4

Metamorphic Rocks Basement of Parashant Geological Adventures at Parashant Lesson 4

Metamorphic Rocks Basement of Parashant Geological Adventures at Parashant Lesson 4 Objectives Metamorphism changes one kind of rock into another kind of rock. Several ways that heat and pressure change rocks. Metamorphic

277 views • 16 slides
Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in

Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in

TABAKOV TROPHY HUNTING Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in Catalonia that the hunting area of El Vedat is situated, only 45mn of Barcelona. The territory extends on more than 3000 ha of

385 views • 10 slides
RUXCON Courtesy of google images Metamorphic template with

RUXCON Courtesy of google images Metamorphic template with

Oct, 2016 Senior Malware Scientist ,Trend Micro spark@trendmicro.com RUXCON Courtesy of google images Metamorphic template with parameters #1 Original Code

701 views • 43 slides
Riflescopes for Long-range Hunting March, 2020 LONG-RANGE HUNTING Rapidly gaining in

Riflescopes for Long-range Hunting March, 2020 LONG-RANGE HUNTING Rapidly gaining in

Riflescopes for Long-range Hunting March, 2020 LONG-RANGE HUNTING Rapidly gaining in popularity; Several Youtube channels (THLR.NO, EuLRH) have attracted a considerable number of followers; A riflescope is a must-have ; Often

649 views • 11 slides
Angled Spotting Scopes March, 2020 ANGLED SPOTTING SCOPES FOR HUNTING Appropriate for hunting

Angled Spotting Scopes March, 2020 ANGLED SPOTTING SCOPES FOR HUNTING Appropriate for hunting

Angled Spotting Scopes March, 2020 ANGLED SPOTTING SCOPES FOR HUNTING Appropriate for hunting in the mountains No need to overstretch the neck while using it Can be used without a tripod The user simply puts the scope on the top of

229 views • 9 slides
THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal

THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal

THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal Intent Value Targets APT Approach &amp; 4 Emergence of 3 Ransomware Ransomhacks 5 YARA Hunting for 5 Key Takeaways Crypto Implementations ~whoami

363 views • 32 slides
Metamorphic rocks What is metamorphism? Process by which a rock in a solid state experiences a

Metamorphic rocks What is metamorphism? Process by which a rock in a solid state experiences a

FUNDAMENTALS OF EARTH SCIENCE I FALL SEMESTER 2018 Metamorphic rocks What is metamorphism? Process by which a rock in a solid state experiences a transformation of one or a combination of the following characteristics: Chemical

557 views • 31 slides
MetaCAPTCHA: A Metamorphic Throttling Service for the Web Akshay Dua, Thai Bui, Tien Le, Nhan

MetaCAPTCHA: A Metamorphic Throttling Service for the Web Akshay Dua, Thai Bui, Tien Le, Nhan

Introduction System Architecture Evaluations References MetaCAPTCHA: A Metamorphic Throttling Service for the Web Akshay Dua, Thai Bui, Tien Le, Nhan Huynh, Wu-chang Feng { akshay, buithai, letien, nhhuyng, wuchang } @cs.pdx.edu Portland

913 views • 57 slides
A Revisit of the Integration of Metamorphic Testing and Test Suite Based Automated Program

A Revisit of the Integration of Metamorphic Testing and Test Suite Based Automated Program

A Revisit of the Integration of Metamorphic Testing and Test Suite Based Automated Program Repair Mingyue Jiang 1,2, Tsong Yueh Chen 2, Fei-Ching Kuo 2, Zuohua Ding 1, Eun-Hye Choi 3, Osamu Mizuno 4 1 Zhejiang Sci-Tech University,

465 views • 19 slides
Quantitative Texture Analysis of shells, Palm Canyon mylonites, natural ice, metamorphic

Quantitative Texture Analysis of shells, Palm Canyon mylonites, natural ice, metamorphic

Quantitative Texture Analysis of shells, Palm Canyon mylonites, natural ice, metamorphic amphibolites and SCT-microquartz D. Chateigner - Laboratoire de Cristallographie et Sciences des Matriaux (CRISMAT) - Ecole Nationale Suprieure

943 views • 49 slides
Malicious Software Computer Security Peter Reiher November 25, 2014 Lecture 12 Page 1 CS 136,

Malicious Software Computer Security Peter Reiher November 25, 2014 Lecture 12 Page 1 CS 136,

Malicious Software Computer Security Peter Reiher November 25, 2014 Lecture 12 Page 1 CS 136, Fall 2014 Outline Introduction Viruses Trojan horses Trap doors Logic bombs Worms Botnets Spyware Malware

838 views • 67 slides
Converting Scripts into Reproducible Workflow Research Objects Lucas A. M. C. Carvalho, Khalid

Converting Scripts into Reproducible Workflow Research Objects Lucas A. M. C. Carvalho, Khalid

Converting Scripts into Reproducible Workflow Research Objects Lucas A. M. C. Carvalho, Khalid Belhajjame, Claudia Bauzer Medeiros lucas.carvalho@ic.unicamp.br Baltimore, Maryland, USA October 23-26, 2016 Background and Motivation

745 views • 43 slides
Overview of a C Program Programming with C CSCI 112, Spring 2015 Patrick Donnelly Montana State

Overview of a C Program Programming with C CSCI 112, Spring 2015 Patrick Donnelly Montana State

Overview of a C Program Programming with C CSCI 112, Spring 2015 Patrick Donnelly Montana State University C Language Components Preprocessor Directives Comments The main function Variable Declarations and Data Types

777 views • 42 slides
FIGHT WITH LINUX Firmy@XDSEC https://github.com/firmianay firmianay@gmail.com 1 OVERVIEW

FIGHT WITH LINUX Firmy@XDSEC https://github.com/firmianay firmianay@gmail.com 1 OVERVIEW

FIGHT WITH LINUX Firmy@XDSEC https://github.com/firmianay firmianay@gmail.com 1 OVERVIEW Linux Reverse Engineering Reverse Engineering on Linux What? Why? How? 2 OVERVIEW Linux Reverse Engineering Reverse

1.02k views • 59 slides
Peer to Peer Networks and Security Kostya Kortchinsky CERT RENATER

Peer to Peer Networks and Security Kostya Kortchinsky CERT RENATER

Peer to Peer Networks and Security Kostya Kortchinsky CERT RENATER Kostya.Kortchinsky@renater.fr 23/06/2003 Kostya Kortchinsky - RENATER 1 Agenda Some Figures Security Issues Viruses, trojans, and other malware

757 views • 33 slides
Inventing Managerial Inventing Managerial Information: Information: Systems Men and the

Inventing Managerial Inventing Managerial Information: Information: Systems Men and the

Inventing Managerial Inventing Managerial Information: Information: Systems Men and the Computer 1957- -67 67 Systems Men and the Computer 1957 Tom Haigh thaigh@sas.upenn.edu 1 My Topic: My Topic: Managerial Information

558 views • 41 slides
Executive Office of Public Safety and Security Department of Criminal Justice Information

Executive Office of Public Safety and Security Department of Criminal Justice Information

Executive Office of Public Safety and Security Department of Criminal Justice Information Services CORI Training October 20, 2020 What is the Department of Criminal Justice Information Services (DCJIS)? DCJIS is the Massachusetts agency

529 views • 16 slides
OFFICE HOURS ESG-CV Reporting Prepared: September 15,2020 Call in If you are having audio

OFFICE HOURS ESG-CV Reporting Prepared: September 15,2020 Call in If you are having audio

OFFICE HOURS ESG-CV Reporting Prepared: September 15,2020 Call in If you are having audio difficulty using your computer, please call in using one of the following phone numbers: US Toll free +1-855-797-9485 US Toll +1-415-655-0002 Access

561 views • 17 slides

More recommend