8/8/2019 0wning-Antivirus1[1]
1/33
A GROUP PRESENTATION
ON
ANTI-VIRUS
VIRUS?
VIRUS: VITAL INPUT RESOURCE UNDER SIEGE
Malicious program that causes instability in the computer.
Reasons for creating such programs:
*Criminal intent
*Anti-establishment
*Motivations, etc.
VIRUS?
Some popular viruses:
Yankee doodle
Friday the 13th
System32
Dark avenger
Brain
Scores, etc.
ANTIVIRUS?
These are programs that protect a system from viruses and remove them from an infected system.
Mainly used to remove malware such as viruses, worms & trojan horses.
Prevent & remove adware, spyware & other forms of malware.
How Does Antivirus work? Signature vs. Behavior
Pattern-matching: Searches for unknown and malicious patterns.
*Zero day threats: Malware whose signature does not exist. These threats are removed by the heuristic approach.
Heuristic Approach: Identifies new viruses or variants by looking for malicious code (or slight variations of such code).
How Does Antivirus work?
Sandbox: Files are kept in a sandbox so that they can be analyzed for malicious actions.
How Does AntiVirus work? Common Core Components
IO filters
Format Engines
How Does AntiVirus work? Standard Features
Updates
Multi-Threat detection
How Does AntiVirus work? Common Configurations
Scan level
Scan sizes
Scan Method
Uses Of Antivirus
Anti-Virus is of great use:
Scans all your systems for evidence of the virus.
Disconnect any infected systems immediately from the network.
Restore the infected systems from a clean backup.
Code Coverage Core Utilities: Read
Easy to spot
Closest audit point to un-trusted input
Usually wrapped & buffered
Some truncate length
Code Coverage Core Utilities: Allocation
Any calculations on length are interesting
Usually wrapped
Some check for zero
Some add to length for internal headers
Some wrappers will truncate length
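Worked example added here (not from the presentation): a hypothetical allocation wrapper of the kind this slide describes, one that adds an internal header to the caller's length. naive_total_size shows the wrap an unchecked 32-bit addition produces; checked_total_size and engine_alloc are the hardened form that checks for zero and for wrap before calling malloc. The header layout and all function names are assumptions for this example, not any product's code.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical internal header an engine prepends to every buffer
 * (assumption for this example; not any vendor's real layout). */
typedef struct {
    uint32_t magic;
    uint32_t payload_len;
} buf_header_t;

/* Computes the total the way a careless 32-bit wrapper would: the
 * addition is done in uint32_t, so a payload length near UINT32_MAX
 * wraps to a tiny total and a small buffer is allocated for a huge copy. */
uint32_t naive_total_size(uint32_t payload_len)
{
    return payload_len + (uint32_t)sizeof(buf_header_t);
}

/* Hardened variant: rejects zero-length requests and any payload whose
 * total would wrap. Returns 0 on rejection, otherwise the total. */
uint32_t checked_total_size(uint32_t payload_len)
{
    if (payload_len == 0)
        return 0;
    if (payload_len > UINT32_MAX - (uint32_t)sizeof(buf_header_t))
        return 0;
    return payload_len + (uint32_t)sizeof(buf_header_t);
}

/* Allocation wrapper built on the checked size. Returns NULL on rejection
 * or allocation failure, otherwise a payload pointer whose header records
 * the length for later bounds checks at copy time. */
void *engine_alloc(uint32_t payload_len)
{
    uint32_t total = checked_total_size(payload_len);
    if (total == 0)
        return NULL;
    buf_header_t *hdr = malloc(total);
    if (hdr == NULL)
        return NULL;
    hdr->magic = 0x46554220u;   /* constructed marker, no meaning beyond this example */
    hdr->payload_len = payload_len;
    return hdr + 1;             /* payload follows the header */
}

/* Reads the recorded length back from the header; 0 for NULL. */
uint32_t engine_payload_len(const void *payload)
{
    if (payload == NULL)
        return 0;
    return ((const buf_header_t *)payload - 1)->payload_len;
}

void engine_free(void *payload)
{
    if (payload != NULL)
        free((buf_header_t *)payload - 1);
}

/* Allocates, checks the recorded length, frees. Returns 1 on success. */
int alloc_roundtrip_ok(uint32_t payload_len)
{
    void *p = engine_alloc(payload_len);
    if (p == NULL)
        return 0;
    int ok = engine_payload_len(p) == payload_len;
    engine_free(p);
    return ok;
}
```

The point of the two total-size functions sitting side by side is the audit question the slide raises: when the wrapper adds to the length, find out whether the addition is checked, and in which width it is performed.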
Code Coverage Constructs
Conversions
String/Number
Byte Ordering
Code Coverage Constructs
Checksum, CRC, etc.
Easy to spot (ror, xor, etc. in a loop)
Gives un-trusted input context
Code Coverage Constructs
Inherited File Structures & Commonly Grouped Processors
Are annoying to trace, due to indirection
Can reveal more subtle unchecked copies
Ex: Is MZ -> Is PE -> Is UPX
Audit Points - Inefficiencies
Engine vs. Product differences
Can be an issue when engine is stricter than the product
Ex: Recent multi-vendor zip issues
Audit Points - Inefficiencies
Default Scan Levels
Can be an issue when product does not require multiple extractions
Ex: Packed and SFX
Audit Points - Inefficiencies
File Size Limitations
Small archives can contain large files
Audit Points - Inefficiencies
Format Collisions
Files conforming to multiple formats may be used to trick state and evade detection
0-Day Detection
Generally very minimal capabilities
Measure virus propagation by number of infected customers.
Evasion?
Write a new virus.
Audit Points - Memory Corruption
Inconsistent Checks
Length type mismatches can be abused to bypass checks, wrap allocations, and overflow copies
Negative offsets can be abused to bypass checks and overflow copies
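Worked example added here (not from the presentation), serving both the "Is MZ -> Is PE" chain on the Inherited File Structures slide and the length type mismatch / negative offset point above. It uses only the public DOS/PE layout facts (the "MZ" magic, the signed 32-bit e_lfanew field at offset 0x3C, the "PE\0\0" signature). weak_check_lets_offset_through reports whether a signed compare against a length narrowed to int would admit a negative offset; it never reads through that offset. classify_image is the hardened walker: it rejects negatives and bounds the whole 4-byte signature read in size_t before dereferencing. The sample builder make_mz, the result codes and all function names are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Public constants of the DOS/PE layout. */
#define DOS_MAGIC      0x5A4Du       /* "MZ" read little-endian */
#define PE_SIGNATURE   0x00004550u   /* "PE\0\0" read little-endian */
#define E_LFANEW_OFF   0x3C          /* signed 32-bit offset of the PE header */
#define DOS_HEADER_LEN 0x40
#define SAMPLE_LEN     0x50          /* size of the constructed samples below */

enum { NOT_MZ = 0, MZ_NO_PE = 1, MZ_PE = 2, REJECTED = 3 };

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The inconsistent check from the slide: the signed offset is compared
 * against a length that was narrowed to int, so -8 < len is "in bounds",
 * and only the start of the field is checked, not its end. Reads nothing
 * through the offset; returns 1 if the weak check would admit it, else 0. */
int weak_check_lets_offset_through(const uint8_t *buf, size_t len)
{
    if (len < DOS_HEADER_LEN || rd16(buf) != DOS_MAGIC)
        return 0;
    int32_t e_lfanew = (int32_t)rd32(buf + E_LFANEW_OFF);
    int ilen = (int)len;                 /* size_t silently narrowed */
    return e_lfanew < ilen;              /* signed compare: a negative offset passes */
}

/* Hardened walker: the field keeps its signed type, negatives are rejected,
 * and offset + 4 is bounded in size_t without any wrap before the read. */
int classify_image(const uint8_t *buf, size_t len)
{
    if (len < DOS_HEADER_LEN || rd16(buf) != DOS_MAGIC)
        return NOT_MZ;
    int32_t e_lfanew = (int32_t)rd32(buf + E_LFANEW_OFF);
    if (e_lfanew < 0)
        return REJECTED;                 /* negative offset */
    size_t off = (size_t)e_lfanew;
    if (off > len || len - off < 4)
        return REJECTED;                 /* signature would run past the end */
    if (rd32(buf + off) != PE_SIGNATURE)
        return MZ_NO_PE;
    return MZ_PE;
}

/* Builds a constructed SAMPLE_LEN-byte image: "MZ", the given e_lfanew,
 * and optionally "PE\0\0" at offset 0x40. Returns the sample length. */
size_t make_mz(uint8_t *out, int32_t e_lfanew, int with_pe)
{
    memset(out, 0, SAMPLE_LEN);
    out[0] = 'M';
    out[1] = 'Z';
    uint32_t u = (uint32_t)e_lfanew;
    for (int i = 0; i < 4; i++)
        out[E_LFANEW_OFF + i] = (uint8_t)(u >> (8 * i));
    if (with_pe) {
        out[0x40] = 'P';
        out[0x41] = 'E';
    }
    return SAMPLE_LEN;
}

/* Runs the constructed cases; returns how many behave as commented (5). */
int run_constructed_cases(void)
{
    uint8_t b[SAMPLE_LEN];
    int ok = 0;
    make_mz(b, 0x40, 1);
    ok += classify_image(b, SAMPLE_LEN) == MZ_PE;        /* valid MZ + PE */
    make_mz(b, 0x40, 0);
    ok += classify_image(b, SAMPLE_LEN) == MZ_NO_PE;     /* MZ only */
    make_mz(b, -8, 1);
    ok += classify_image(b, SAMPLE_LEN) == REJECTED;     /* negative offset refused */
    ok += weak_check_lets_offset_through(b, SAMPLE_LEN); /* weak check admits it */
    make_mz(b, 0x4E, 0);
    ok += classify_image(b, SAMPLE_LEN) == REJECTED;     /* 2 bytes short of 4 */
    return ok;
}
```

When auditing a chain like this in a disassembler, the thing to look for is exactly the narrowing in weak_check_lets_offset_through: the file field is signed, the buffer length is unsigned, and the compare instruction used tells you which one won.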
Audit Points - Memory Corruption
Wrappers
Allocators that modify length
Reads that truncate length (reduces chance of access violation on overflow from negative copies)
Audit Points - Memory Corruption
Error-Prone Formats: 32 bit fields
Interesting to examine sign and any calculations
Ex: PECOFF, Packed & SFX, Archives
Audit Points - Memory Corruption
String Based Formats
These can be hard to implement correctly
StringToNumber conversions are interesting
Ex: TNEF, MIME, PDF
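Worked example added here (not from the presentation) for the StringToNumber point: an ASCII decimal length field, of the kind found in string-based formats such as a PDF /Length entry or a MIME header value, converted the careless way with atoi next to a hardened parse_length_field that refuses a sign, overflow, trailing garbage and anything above a buffering limit. MAX_OBJECT_LEN and the function names are assumptions for this example, not any product's code.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound a scanner would place on any single object it is willing
 * to buffer (assumption for this example). */
#define MAX_OBJECT_LEN (64u * 1024u * 1024u)

/* The careless conversion: atoi() ignores overflow, accepts a sign and
 * stops silently at the first non-digit. A caller that stores the result
 * in size_t turns "-1" into SIZE_MAX, the largest possible copy length. */
int naive_length(const char *field)
{
    return atoi(field);
}

/* Hardened conversion. field need not be NUL terminated (string-based
 * formats rarely give you that for free); field_len bounds the read.
 * Returns 1 and stores the value on success, 0 on any rejection. */
int parse_length_field(const char *field, size_t field_len, size_t *out)
{
    char tmp[32];
    if (field == NULL || out == NULL || field_len == 0 || field_len >= sizeof tmp)
        return 0;
    memcpy(tmp, field, field_len);
    tmp[field_len] = '\0';               /* strtoull needs a terminator */

    /* Allow leading blanks but refuse a sign: a length is never negative,
     * and strtoull would silently negate "-1" into a huge value. */
    const char *p = tmp;
    while (*p == ' ' || *p == '\t')
        p++;
    if (!isdigit((unsigned char)*p))
        return 0;

    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(p, &end, 10);
    if (errno == ERANGE)                 /* more than unsigned long long holds */
        return 0;
    if (end == p || *end != '\0')        /* no digits, or trailing garbage */
        return 0;
    if (v > MAX_OBJECT_LEN)              /* larger than we will ever buffer */
        return 0;
    *out = (size_t)v;
    return 1;
}

/* Convenience wrapper for NUL-terminated fields: the parsed length, or
 * SIZE_MAX if the field was rejected. */
size_t length_or_max(const char *field)
{
    size_t v;
    if (!parse_length_field(field, strlen(field), &v))
        return SIZE_MAX;
    return v;
}
```

The three rejection branches in parse_length_field map onto the three things the slide says to examine in a conversion: the sign, the width the value is accumulated in, and what the caller does with it afterwards.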
Audit Methodology
Identify Utility Functions
Naming these will aid in tracing input later
Ex: Wrappers, FileIO, Allocations
Audit Methodology
Trace Un-trusted Input
Examine data that influences:
Allocations
Copies
Structure members
Initializations are easy to spot
Use is less easy; binary search for the offset
Audit Methodology
Reverse File Format Processors
Track class member offsets and sizes
Will reveal more subtle bugs
Audit Results
Symantec
Unchecked offset reconstructing UPX PE header
Can be triggered by providing a negative offset to a prior heap chunk containing an MZ header with a crafted PE header
Heap overflow with no character restrictions
Audit Results
McAfee
Improperly checked file name and path strlen in LHA level 1 header
Signature in .dat to detect malformed LHA file
Can be triggered by supplying a malformed LHA file that also conforms to the PECOFF format
Stack overflow with ASCII character restrictions
Audit Results
TrendMicro
Improperly checked filename strlen in ARJ header
Doesn't overflow the next chunk's header, but does corrupt various pointers, which results in the address of the filename being written to an arbitrary destination
Kernel heap overflow with ASCII character restrictions
Audit Results
FSecure
Improperly checked filename strlen in ARJ header
Standard heap overflow with ASCII character restrictions
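Worked example added here (not from the presentation) for the three archive-header results above (LHA level 1 at McAfee, ARJ at TrendMicro and FSecure), all of which are the same bug class: a filename length taken from the file and copied into a fixed-size buffer without an adequate check. The header below is a constructed simplification with a one-byte name length, not the real LHA or ARJ layout; parse_entry_name is the hardened form, checking the file-supplied length against the destination capacity and against the bytes actually present before any copy. NAME_BUF, the result codes and the function names are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified archive entry header (not the real LHA/ARJ layout):
 *   byte 0   : header size, counting this byte, the length byte and the name
 *   byte 1   : name_len
 *   byte 2.. : name, name_len bytes, not NUL terminated
 * The engine copies the name into a fixed-size buffer; the bug class on the
 * slides is copying name_len bytes without checking it against that buffer
 * or against the input that is actually there. */
#define NAME_BUF 64

enum { HDR_OK = 0, HDR_TRUNCATED = 1, HDR_NAME_TOO_LONG = 2, HDR_INCONSISTENT = 3 };

/* Hardened parse: every length the file supplies is checked against both the
 * destination capacity and the remaining input before the copy happens. */
int parse_entry_name(const uint8_t *buf, size_t len, char name[NAME_BUF])
{
    if (len < 2)
        return HDR_TRUNCATED;
    size_t hdr_size = buf[0];
    size_t name_len = buf[1];
    if (hdr_size > len)
        return HDR_TRUNCATED;            /* header claims more bytes than were read */
    if (2 + name_len > hdr_size)
        return HDR_INCONSISTENT;         /* name would run past its own header */
    if (name_len >= NAME_BUF)
        return HDR_NAME_TOO_LONG;        /* keep room for the terminator */
    memcpy(name, buf + 2, name_len);
    name[name_len] = '\0';
    return HDR_OK;
}

/* Builds a constructed header. name_len_field is written as given so a test
 * can make it disagree with the real name. Returns bytes written, 0 if the
 * entry does not fit in cap or the header size byte. */
size_t build_entry(uint8_t *out, size_t cap, const char *name, uint8_t name_len_field)
{
    size_t actual = strlen(name);
    if (actual > 255 - 2 || 2 + actual > cap)
        return 0;
    out[0] = (uint8_t)(2 + actual);
    out[1] = name_len_field;
    memcpy(out + 2, name, actual);
    return 2 + actual;
}

/* Runs the constructed cases; returns how many behave as commented (4). */
int self_check(void)
{
    uint8_t buf[300];
    char name[NAME_BUF];
    char longname[100];
    size_t n;
    int ok = 0;

    n = build_entry(buf, sizeof buf, "report.doc", 10);
    ok += parse_entry_name(buf, n, name) == HDR_OK && strcmp(name, "report.doc") == 0;

    n = build_entry(buf, sizeof buf, "report.doc", 200);   /* length byte lies */
    ok += parse_entry_name(buf, n, name) == HDR_INCONSISTENT;

    memset(longname, 'A', 99);
    longname[99] = '\0';
    n = build_entry(buf, sizeof buf, longname, 99);        /* fits header, not NAME_BUF */
    ok += parse_entry_name(buf, n, name) == HDR_NAME_TOO_LONG;

    n = build_entry(buf, sizeof buf, "report.doc", 10);
    ok += parse_entry_name(buf, 5, name) == HDR_TRUNCATED; /* archive cut short */
    return ok;
}
```

The order of the three checks matters: the comparison against the bytes actually present also covers the "small archives can contain large files" point from the Inefficiencies slides, since a header is rejected for claiming more than was read rather than trusted for what it says.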
Future Points of Interest
Large Files
Signed Checks
Type Truncation
Integer Overflows/Wraps/Underflows
IDA Examples
Future Points of Interest
New Formats
Formats implemented due to bugs
Formats implemented due to wide use
Product Administration