SLIDE 1

Hunting for Metamorphic

By Péter Ször and Peter Ferrie

SLIDE 2

Introduction

  • Polymorphic virus engines resulted in stronger virus scanners.
  • The paper focuses on how virus creators have challenged virus scanners over the past decade.

SLIDE 3

Evolution of Code: 32-bit Encrypted Viruses

  • Cascade
    ○ One of the first DOS viruses that used encryption.
    ○ Starts with a constant decryptor, which is followed by the virus body that the decryptor decrypts.
    ○ The method appeared in early 32-bit Windows viruses, and is also used in more recent viruses.
  • The code pattern of the decryptor is unique enough that detection is possible without decrypting the virus body, and infected code can easily be repaired.

SLIDE 4

Evolution of Code: 32-bit Oligomorphic Viruses

  • Oligomorphic viruses change their decryptors.
  • Detection through the decryptor's code became more challenging.
  • Scanners dealt with the virus by dynamically decrypting the encrypted code.

SLIDE 5

Evolution of Code: 32-bit Polymorphic Viruses

  • Polymorphic viruses are able to create new decryptors that use different encryption methods to encrypt the constant part of the virus body.
  • To make the AV scanner's job more difficult, entry point obscuring techniques were used in combination with 32-bit polymorphism.

Generations of a polymorphic virus.

SLIDE 6

Evolution of Code: 32-bit Metamorphic Viruses

  • Polymorphic viruses take time to create and sometimes are not seen in the wild because of bugs.
  • Researchers could find a method for detecting such viruses in between minutes and a few days.
  • Low number of efficient external polymorphic engines.
  • Metamorphic viruses:
    ○ No decryptor
    ○ No constant virus body
    ○ Able to change how they look and behave

Virus body changes in different generations of a metamorphic virus.

SLIDE 7

Evolution of Code: Simple Metamorphic Viruses

  • In 1998, the Win95/Regswap virus was created.
    ○ Register usage exchange
    ○ The virus body uses the same code but different registers.

SLIDE 8

Evolution of Code: Complex Metamorphic Viruses

  • In 2000, the Win32/Evol virus appeared.
    ○ Capable of running on any major Win32 platform.
    ○ Capable of inserting garbage between core instructions.

SLIDE 9

Evolution of Code: Complex Metamorphic Viruses

  • In 2000, variations of Win95/Zperm appeared, using the method of the Ply DOS virus.
    ○ Jump instructions are inserted into the code.
    ○ Each jump points to a new instruction of the virus.
    ○ Creates new mutations by removing and adding jump and garbage instructions.
    ○ Cannot be detected by search strings in files or in memory.

SLIDE 10

Evolution of Code: Complex Metamorphic Viruses

  • In 2000, Win95/Bistro was created.
    ○ Based on the sources of the Zperm virus and RPME (Real Permutating Engine, made available to other virus writers to create new metamorphic viruses).
    ○ Uses a random code block insertion engine.
    ○ Generates millions of iterations to challenge the code emulator's speed.

SLIDE 11

Evolution of Code: Advanced Metamorphic Virus Engines

  • The Win95/Zmist virus, created by Zombie
    ○ Entry point-obscuring metamorphic virus
    ○ Randomly uses an additional polymorphic decryptor
    ○ Supports code integration
    ○ Randomly inserts jump instructions after every single instruction of the code section

SLIDE 12

Evolution of Code: Advanced Metamorphic Virus Engines

  • Initialization
    ○ Does not alter the host entry point
    ○ Merges with existing code
  • Direct Action Infection
    ○ Checks to see if there is at least 16 MB of physical memory
    ○ Then allocates memory blocks, permutates the virus body, and recursively searches for .exe files

SLIDE 13

Evolution of Code: Advanced Metamorphic Virus Engines

  • Permutation
    ○ Slow
    ○ Consists of instruction replacement
  • Infection of Portable Executable Files
    ○ File must be smaller than 448 KB
    ○ Must begin with "MZ"
    ○ Must be a Portable Executable file
  • "Islands" of code are integrated into random locations in the host, linked together by jumps.

SLIDE 14

Metamorphic Virus Detection

  • Geometric Detection
    ○ Based on changes to the file structure
  • Disassembling Techniques
    ○ Separates instructions to look for garbage instructions that have been inserted by a virus.
    ○ CMP AX, "ZM"
  • Use of Emulators for Tracing
    ○ Allows the virus to execute freely in an environment it cannot escape
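The jump-following normalization behind the disassembling technique above, as an added example that is not part of the original slides or of the paper: it follows the inserted jumps (slides 9 and 11), drops NOP-style garbage, and matches a multi-instruction signature, including the CMP AX, "ZM" check, on the linearized stream. The byte sample, the small x86-32 instruction subset the decoder understands and the signature are all constructed for illustration.

```python
import struct

def decode(code, pc):
    """Decode one instruction at pc -> (length, mnemonic, jump_target); subset only."""
    op = code[pc]
    if op == 0x90:                                   # nop
        return 1, "nop", None
    if op == 0xEB:                                   # jmp rel8 (short jump)
        return 2, "jmp", pc + 2 + struct.unpack_from("<b", code, pc + 1)[0]
    if op == 0x66 and code[pc + 1] == 0x3D:          # cmp ax, imm16
        return 4, "cmp", None
    if 0xB8 <= op <= 0xBF:                           # mov r32, imm32
        return 5, "mov", None
    if op == 0x89 and code[pc + 1] >> 6 == 3:        # mov r32, r32 (register form)
        same = (code[pc + 1] >> 3) & 7 == code[pc + 1] & 7
        return 2, "mov-self" if same else "mov", None   # mov edx,edx does nothing
    if op == 0xC3:
        return 1, "ret", None
    raise ValueError(f"unsupported opcode {op:#04x} at {pc:#06x}")

def linearize(code, entry):
    """Follow execution from entry; return [(addr, bytes)] of the real instructions."""
    out, seen, pc = [], set(), entry
    while 0 <= pc < len(code) and pc not in seen:    # stop on a cycle or out of range
        seen.add(pc)
        length, mnem, target = decode(code, pc)
        if mnem not in ("jmp", "nop", "mov-self"):   # drop inserted jumps and garbage
            out.append((pc, bytes(code[pc:pc + length])))
        if mnem == "ret":
            break
        pc = target if mnem == "jmp" else pc + length
    return out

def normalized_bytes(code, entry):
    return b"".join(insn for _, insn in linearize(code, entry))

# Constructed sample (not real virus code): body "mov eax,1 / cmp ax,'ZM' / ret" with
# jumps, NOPs and a no-op "mov edx,edx" inserted between the real instructions.
SAMPLE = bytes.fromhex(
    "B801000000" "EB05" "9090909090"     # 0000 mov eax,1 ; 0005 jmp 000C ; dead bytes
    "90" "89D2" "EB02" "9090"            # 000C nop ; 000D mov edx,edx ; 000F jmp 0013
    "663D4D5A" "EB02" "9090"             # 0013 cmp ax,'ZM' (imm bytes 4D 5A = "MZ") ; jmp
    "C3")                                # 001B ret

# Signature over the normalized stream: mov eax,1 directly followed by cmp ax,'ZM'.
SIGNATURE = bytes.fromhex("B801000000" "663D4D5A")

def matches(code, entry, sig=SIGNATURE):
    """True when sig occurs after normalization; a raw byte search over the file misses it."""
    return sig in normalized_bytes(code, entry)
```

A real scanner needs a full-length decoder and a budget on how far it follows jumps; the structure (decode, follow, drop, match) stays the same.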

SLIDE 15

Possible Future Virus Developments

  • More metamorphic engines will be written in the future.
  • Viruses that are able to communicate with each other.
    ○ Export the engine of one virus to another virus or worm
    ○ Exchange trigger routines

SLIDE 16

Conclusion

  • Metamorphic viruses are becoming more prevalent and must be taken seriously.
  • Metamorphic viruses continue to evolve and have become a great challenge for antivirus researchers.