0wning-Antivirus1[1]

Apr 09, 2018

Murali Krishnan
Transcript
  • 8/8/2019 0wning-Antivirus1[1]

    A GROUP PRESENTATION ON ANTI-VIRUS

  • VIRUS?

    VIRUS: Vital Input Resource Under Seize.
    A malicious program that causes instability in the computer.
    Reasons for creating such programs:
    * Criminal intent
    * Anti-establishment
    * Motivations, etc.

  • VIRUS?

    Some popular viruses:
    * Yankee Doodle
    * Friday the 13th
    * System32
    * Dark Avenger
    * Brain
    * Scores, etc.

  • ANTIVIRUS?

    These are programs that protect against and remove viruses from an infected system.
    Mainly used to remove malware such as viruses, worms & trojan horses.
    Prevent & remove adware, spyware & other forms of malware.

  • How Does Antivirus Work? Signature vs. Behavior

    Pattern-matching: Searches for known malicious patterns (signatures).
    * Zero-day threats: Malware whose signature does not exist. These threats are removed by the heuristic approach.
    Heuristic Approach: Identifies new viruses or variants by looking for malicious code (slight variations of such code).

  • How Does Antivirus Work?

    Sandbox: Files are kept in a sandbox so that they can be analyzed for malicious actions.

  • How Does AntiVirus Work? Common Core Components

    * IO filters
    * Format Engines

  • How Does AntiVirus Work? Standard Features

    * Updates
    * Multi-Threat detection

  • How Does AntiVirus Work? Common Configurations

    * Scan level
    * Scan sizes
    * Scan Method

  • Uses Of Antivirus

    Anti-Virus is of great use:
    * Scans all your systems for evidence of the virus.
    * Disconnect any infected systems immediately from the network.
    * Restore the infected systems from a clean backup.

  • Code Coverage: Core Utilities - Read

    * Easy to spot
    * Closest audit point to un-trusted input
    * Usually wrapped & buffered
    * Some truncate length

  • Code Coverage: Core Utilities - Allocation

    * Any calculations to length are interesting
    * Usually wrapped
    * Some check for zero
    * Some add to length for internal headers
    * Some wrappers will truncate length

  • Code Coverage: Constructs - Conversions

    * String/Number
    * Byte Ordering

  • Code Coverage: Constructs - Checksum, CRC, etc.

    * Easy to spot (ror, xor, etc. in a loop)
    * Gives un-trusted input context

  • Code Coverage: Constructs - Inherited File Structures & Commonly Grouped Processors

    * Are annoying to trace, due to indirection
    * Can reveal more subtle unchecked copies
    * Ex: Is MZ -> Is PE -> Is UPX

  • Audit Points - Inefficiencies: Engine vs. Product Differences

    * Can be an issue when the engine is stricter than the product
    * Ex: Recent multi-vendor zip issues

  • Audit Points - Inefficiencies: Default Scan Levels

    * Can be an issue when the product does not require multiple extractions
    * Ex: Packed and SFX

  • Audit Points - Inefficiencies: File Size Limitations

    * Small archives can contain large files

  • Audit Points - Inefficiencies: Format Collisions

    * Files conforming to multiple formats may be used to trick state and evade detection
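As an added example (not from the slides), a small format-collision check of the kind a scanner's dispatcher could run before handing a file to a single format engine: it tests the public magic values of a few formats at their fixed positions and reports every format the file satisfies, so a file that is both MZ and LHA (the pairing the audit results describe) is flagged instead of being routed by whichever engine claims it first. The format table, offsets and MAX_FORMATS are this example's own choices.

```c
/* Added example, not from the slides: detect files that satisfy more than one
 * format's magic so they can be flagged or routed to every matching engine.
 * The PDF check is simplified to offset 0 (the spec allows the first 1024 bytes). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_FORMATS 8
/* Signature expected at a fixed position from the start (offset >= 0)
 * or from the end (offset < 0, e.g. the ZIP end-of-central-directory record). */
struct magic {
    const char *name;
    const uint8_t *bytes;
    size_t len;
    long offset;
};
static const uint8_t MZ[]      = { 'M', 'Z' };
static const uint8_t PK_LFH[]  = { 'P', 'K', 0x03, 0x04 };  /* ZIP local file header */
static const uint8_t PK_EOCD[] = { 'P', 'K', 0x05, 0x06 };  /* ZIP end of central directory */
static const uint8_t ARJ[]     = { 0x60, 0xEA };
static const uint8_t LHA[]     = { '-', 'l', 'h' };         /* LHA method id at offset 2 */
static const uint8_t PDF[]     = { '%', 'P', 'D', 'F', '-' };
static const struct magic table[] = {
    { "MZ",  MZ,      sizeof MZ,      0 },
    { "ZIP", PK_LFH,  sizeof PK_LFH,  0 },
    { "ZIP", PK_EOCD, sizeof PK_EOCD, -22 },   /* minimal EOCD record is 22 bytes */
    { "ARJ", ARJ,     sizeof ARJ,     0 },
    { "LHA", LHA,     sizeof LHA,     2 },
    { "PDF", PDF,     sizeof PDF,     0 },
};
/* Fills names[] with each distinct format the buffer satisfies and returns the
 * count. A count above 1 is the "conforms to multiple formats" case on the slide. */
int detect_formats(const uint8_t *buf, size_t len, const char *names[MAX_FORMATS]) {
    int n = 0;
    for (size_t i = 0; i < sizeof table / sizeof table[0] && n < MAX_FORMATS; i++) {
        const struct magic *m = &table[i];
        size_t pos;
        if (m->offset >= 0) pos = (size_t)m->offset;
        else if ((size_t)(-m->offset) <= len) pos = len - (size_t)(-m->offset);
        else continue;                                   /* file shorter than the record */
        if (pos + m->len > len || memcmp(buf + pos, m->bytes, m->len) != 0) continue;
        int dup = 0;                                     /* one entry per format name */
        for (int j = 0; j < n; j++) if (strcmp(names[j], m->name) == 0) dup = 1;
        if (!dup) names[n++] = m->name;
    }
    return n;
}
```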

  • 0-Day Detection

    * Generally very minimal capabilities
    * Measure virus propagation by number of infected customers
    * Evasion? Write a new virus.

  • Audit Points - Memory Corruption: Inconsistent Checks

    * Length type mismatches can be abused to bypass checks, wrap allocations, and overflow copies
    * Negative offsets can be abused to bypass checks and overflow copies

  • Audit Points - Memory Corruption: Wrappers

    * Allocators that modify length
    * Reads that truncate length (reduces the chance of an access violation on overflow on negative copies)

  • Audit Points - Memory Corruption: Error-Prone Formats

    * 32-bit fields
    * Interesting to examine sign and any calculations
    * Ex: PECOFF, Packed & SFX, Archives
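As an added example (not from the slides), the three Memory Corruption slides above in code: a hypothetical record parser whose 32-bit length field is compared as signed but would be allocated and copied as unsigned, beside a hardened version, and an allocator wrapper that adds an internal header and refuses lengths that would make that addition wrap. The record layout, HDR_SIZE and MAX_RECORD are this example's own choices.

```c
/* Added example, not from the slides: the "inconsistent check" pattern in a
 * hypothetical record parser (4-byte little-endian length, then payload), with
 * a hardened parser and a wrap-safe allocator wrapper beside it. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define HDR_SIZE   16u          /* internal header the wrapper prepends (hypothetical) */
#define MAX_RECORD (1u << 20)   /* per-record policy limit chosen for this example */
/* Allocator wrapper that adds an internal header, as the slides describe.
 * Refuses a length whose padding would wrap len + HDR_SIZE to a tiny block. */
void *wrapped_alloc(uint32_t len) {
    if (len > UINT32_MAX - HDR_SIZE) return NULL;
    uint8_t *blk = malloc((size_t)len + HDR_SIZE);
    if (!blk) return NULL;
    memset(blk, 0, HDR_SIZE);               /* header sits in front of the user block */
    return blk + HDR_SIZE;
}
void wrapped_free(void *p) { if (p) free((uint8_t *)p - HDR_SIZE); }
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Unsafe check: the unsigned field is reinterpreted as int32_t, so 0xFFFFFFF0
 * (-16) passes the limit test. Returns 1 if the parser would go on to allocate
 * and copy with the huge unsigned value, 0 if it rejects. Nothing is copied. */
int unsafe_accepts(const uint8_t *buf, size_t buf_len) {
    if (buf_len < 4) return 0;
    int32_t len = (int32_t)read_le32(buf);   /* type mismatch: field is unsigned */
    if (len > (int32_t)MAX_RECORD) return 0; /* -16 > 1048576 is false: passes */
    return 1;
}
/* Hardened: unsigned compare against the policy limit and the bytes present. */
uint8_t *safe_parse(const uint8_t *buf, size_t buf_len, uint32_t *out_len) {
    if (buf_len < 4) return NULL;
    uint32_t len = read_le32(buf);
    if (len > MAX_RECORD || len > buf_len - 4) return NULL;
    uint8_t *payload = wrapped_alloc(len);
    if (!payload) return NULL;
    memcpy(payload, buf + 4, len);
    if (out_len) *out_len = len;
    return payload;
}
/* 1 if safe_parse accepts the record, 0 otherwise (frees the copy). */
int safe_accepts(const uint8_t *buf, size_t buf_len) {
    uint8_t *p = safe_parse(buf, buf_len, NULL);
    wrapped_free(p);
    return p != NULL;
}
```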

  • Audit Points - Memory Corruption: String-Based Formats

    * These can be hard to implement correctly
    * String-to-number conversions are interesting
    * Ex: TNEF, MIME, PDF

  • Audit Methodology: Identify Utility Functions

    * Naming these will aid in tracing input later
    * Ex: Wrappers, FileIO, Allocations

  • Audit Methodology: Trace Un-trusted Input

    * Examine data that influences: Allocations, Copies, Structure members
    * Initializations are easy to spot
    * Use is less easy: binary search for the offset

  • Audit Methodology: Reverse File Format Processors

    * Track class member offsets and sizes
    * Will reveal more subtle bugs

  • Audit Results: Symantec

    * Unchecked offset reconstructing UPX PE header
    * Can be triggered by providing a negative offset to a prior heap chunk containing an MZ header with a crafted PE header
    * Heap overflow with no character restrictions

  • Audit Results: McAfee

    * Improperly checked file name and path strlen in LHA level 1 header
    * Signature in .dat to detect malformed LHA file
    * Can be triggered by supplying a malformed LHA file that also conforms to the PECOFF format
    * Stack overflow with ASCII character restrictions

  • Audit Results: TrendMicro

    * Improperly checked filename strlen in ARJ header
    * Doesn't overflow the next chunk's header, but does corrupt various pointers, which results in the address of the filename being written to an arbitrary destination
    * Kernel heap overflow with ASCII character restrictions

  • Audit Results: FSecure

    * Improperly checked filename strlen in ARJ header
    * Standard heap overflow with ASCII character restrictions

  • Future Points of Interest

    * Large Files
    * Signed Checks
    * Type Truncation
    * Integer Overflows/Wraps/Underflows
    * IDA Examples

  • Future Points of Interest

    * New Formats
    * Formats implemented due to bugs
    * Formats implemented due to wide use
    * Product Administration