Chapter 5 Anti-Anti-Virus. Anti-Anti-Virus All viruses self-replicate Anti-anti-virus means it’s “openly hostile” to AV Anti-anti-virus techniques?

Chapter 5

Anti-Anti-Virus

Anti-Anti-Virus All viruses self-replicate Anti-anti-virus means it’s “openly

hostile” to AV Anti-anti-virus techniques?

o Aggressively attack AV softwareo Make analysis of virus difficulto Try to avoid being detected using

knowledge of how AV works

Anti-Virus Virus? Anti-anti-virus versus “anti-virus

virus”o What the … ?

This chapter is about anti-anti virus Aside: What is an anti-virus virus?

o Virus attacks other viruses, oro AV software that propagates virally, oro Software that drops a virus, then offers

to remove it for a fee

Retroviruses Also known as “anti-antivirus

viruses” Virus with active defense What techniques are used? Kill AV (and related) processes

o Virus lists active processeso Kills things like Avgw.exe, Scan32.exe,

Navw32.exe, Regedit.exe, Zonealarm.exe

o Might also do this for processes run at startup

Retroviruses

Example: Ganda virus Kills running AV-like processes Examines processes run at startup

o If it appears to be AV-related…o …replace 1st instruction with “return”

Stealthier?o Starve AV software by lowering priorityo Prevent AV software from connecting to

company database, etc.

Entry Point Obfuscation Viruses often hijack usual entry

pointo But this is fairly obvious

Set entry point at random location?o Probably not a good idea --- why?

Find calls to ExitProcess API?o Used by Simile and Ganda

Look for known code sequences?o Compilers produce stereotypical code

Anti-Emulation Recall that emulation is used for AV How can virus defeat emulation?

1. Outlast2. Outsmart3. Overextend

AV solution to 2 & 3 is better emulatoro Of course, this comes at a price…

Anti-Emulation: Outlast How to “outlast” an emulator?1. Lots of (disguised) do-nothing

code2. Only be malicious, say, 1/10th of

timeo Then AV might mark code as safeo Subsequently, virus has a free hand

3. Entry point obfuscationo Emulator might assume virus will

appear early in execution of infected code

Anti-Emulation: Outsmart Try to counter dynamic heuristics Example: In some cases,

decryption is a good dynamic heuristic

To counter this, virus could…o Spread decryption throughout code,

not all in one loopo Then emulator might never reach its

“decryption” threshold

Anti-Emulation: Overextend

How to push emulator to the limit?1. Use undocumented instructions

o If not handled correctly, it’s emulated

2. Bugs in CPUo If handled correctly, it’s emulated

3. Exhaust or abuse memory4. Check for differences between

system calls, e.g., check “time” twiceo Emulator might return fixed value

Anti-Emulation: Overextend

How to push emulator to the limit?5. Import obscure libraries6. Use external resources, e.g., web

pageo Almost impossible to emulate external

stuff

7. Emulator-specific checkso E.g., a known interface to outside

Armoring “Armor” virus --- make analysis

more difficult Two types of techniques used:1. Anti-debugging

o Examples?

2. Anti-disassemblyo Examples?

Anti-Debugging Look for inserted breakpoints

o Like error detection/correction Look for single-stepping

o Interrupt pushed onto stack after every instruction… so push then immediately pop, or

o Time the execution, oro Dynamically modify next instruction,

since processors usually pre-fetch Last 2 also anti-emulation

techniques

Anti-Debugging If all else fails, ask:

o IsDebuggerPresent() In Linux, request to trace a process

more than once failso How can virus take advantage of this?

Anti-Debugging Speaking of threads… Interlocking and deadlocking threads

o Only small part of code appearso Different parts each time

Fairly strong for anti-debuggingo Improved software activation using multithread

ing

Could be even more effective if combined with encrypted codeo Project, anyone?

Anti-Disassembly Anti-disassemblymentarianism? Goals

1. Disassembly cannot be automated2. Code not available until it executes

For 1, one idea is to mix code and datao Once mixed, separating is unsolvable

Anti-Disassembly Mixing code and data can result in

false disassembly

Disassemblers not so easily confused…

Anti-Disassembly How to make code unavailable for

static analysis?1. Dynamically generate code at

runtime2. Self-modifying code

o A red flag for heuristic analysis

3. Use the environment to “construct” code at runtimeo How’s that?

Anti-Disassembly Constructed code? Hash stuff and extract “code”

bits…o Perhaps combine with buffer overflow?o Project, anyone?

Anti-Disassembly Encrypted code

o Decrypt in parts as neededo Flush plaintext when doneo Combine with anti-debuggingo Watch for MiM type of attacks

My startup company did all of this Might do similar things with

threadso Intentionally “delicate” timing

Tunneling Virus traces system functions it

useso To be sure they “go to” the right placeo If not, code is being monitored

How to trace code?o Static heuristic or emulationo Just like the AV stuff…

Can’t tunnel into kernel on modern OSo But still might be useful technique

Tunneling AV software can hide from

tunneling if it’s installed in the kernelo Unless virus is in the kernel too…

But, virus in kernel would be bad for lots and lots of other reasons

Integrity Checker Attacks How to avoid integrity check?

o Integrity check can detect any change Stealth virus might hide

o But only from weak integrity check Infect when legitimate change to

file In one infamous case…

o Delete integrity check database and all checksums recomputed

Avoidance Hide in places not searched Possibilities include

o USB keyo Some types of fileso New type of packero Etc.

Pretty lame?