Development of high-level language viruses under Windows Breno Dario & Ulisses Rocha µCon security conference 2008
Page 1: Slides

Development of high-level language viruses under Windows

Breno Dario & Ulisses Rocha

µCon security conference 2008

Page 2: Slides

File Infection

File infection overview

Overwriting

Prepending

PE Infection

Source File Infection

Page 3: Slides

File Infection

Prepend-like

Most used technique for file infection in HLL viruses

Just reading/writing operations

Deals with abstract .exe files instead of the PE structure

Can be implemented in almost all languages

Page 4: Slides

Prepend-like (dirty side)

File Infection

Infected files get bigger, so the user may notice

Tiny executables should be avoided for stealth reasons

Page 5: Slides

Alternate Data Streams (ADS)

File Infection

Requires at least one volume formatted with the NT file system (NTFS), and luckily most systems have one these days.

Compatibility with the Macintosh Hierarchical File System (HFS).

Files stored on an HFS volume consist of two parts (known as forks).

Data fork and resource fork.

Windows systems using NTFS store Macintosh resource forks in a hidden NTFS stream.

Information stored in the resource fork does not alter the original file in any way (e.g. last modified date or file size).

Page 6: Slides

File Infection

Prepend + ADS for stealth

Hide virus body in the resource fork

Infect file with a tiny executable instead of the entire virus

Traveling problems
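A defender's counterpart to the slides above: a body hidden in an alternate data stream changes neither the visible size nor the timestamp of its host file, so it only shows up when streams are listed explicitly (`dir /R` on Windows Vista and later). The following Python is an added example, not code from the talk; it parses `dir /R` output (the sample listing is constructed, and its column layout approximates the real command's format) and reports every named `$DATA` stream other than the benign `Zone.Identifier` mark-of-the-web stream.

```python
import re
from typing import Iterable, List, Tuple

# Matches the stream lines that "dir /R" prints under a file entry, e.g.
#     41,472 test.exe:payload:$DATA
# Group 1 = size, group 2 = file name, group 3 = stream name.
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+):([^:\\/]+):\$DATA\s*$")

# Constructed sample of "dir /R" output (not captured from a real system;
# the column layout is an approximation of the real command's format).
SAMPLE_DIR_R_OUTPUT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\lab

11/03/2008  09:41 AM    <DIR>          .
11/03/2008  09:41 AM    <DIR>          ..
11/03/2008  09:41 AM            24,576 test.exe
                                41,472 test.exe:payload:$DATA
11/03/2008  09:40 AM            12,800 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)         37,376 bytes
"""


def find_alternate_streams(
    listing: str, ignore: Iterable[str] = ("Zone.Identifier",)
) -> List[Tuple[str, str, int]]:
    """Return (file name, stream name, stream size in bytes) for every named
    $DATA stream in a ``dir /R`` listing, skipping stream names in ``ignore``.

    The file's own line (24,576 bytes for test.exe above) gives no hint that
    41,472 more bytes are attached to it: that is why ADS is attractive for
    hiding a body, and why streams must be enumerated explicitly rather than
    inferred from sizes or timestamps.
    """
    ignored = {name.lower() for name in ignore}
    found = []
    for line in listing.splitlines():
        match = STREAM_LINE.match(line)
        if not match:
            continue
        size, file_name, stream_name = match.groups()
        if stream_name.lower() in ignored:
            continue
        found.append((file_name, stream_name, int(size.replace(",", ""))))
    return found


if __name__ == "__main__":
    for file_name, stream_name, size in find_alternate_streams(SAMPLE_DIR_R_OUTPUT):
        print(f"{file_name}: named stream '{stream_name}' ({size} bytes)")
```

Feed it the saved output of `dir /R /S` from the root of an NTFS volume to sweep the whole drive; pass `ignore=()` if you also want the Zone.Identifier streams, which are expected on anything downloaded from the Internet.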

Page 7: Slides

Spreading

Page 8: Slides

Spreading

Search Mechanism

In-Memory Strategies: Direct Action, Memory-Resident, Temporary Memory-Resident

How to spread (most common mechanisms): E-mail, Shared Folders, P2P Folders, USB Watcher

Page 9: Slides

Spreading

Registry Shell Spawning

Temporary Memory-Resident; relies on the operating system

How do you know which EXE files are targets? The Windows registry:

HKEY_CLASSES_ROOT\exefile\shell\open\command

"%1" %*

What does that do? "%1" is replaced by the EXE's filename (with full path); %* is replaced by its parameters.

Page 10: Slides

Spreading Example

File Name: test.exe

Path: C:\windows\

Command Line:

"C:\windows\test.exe" -arg1 -arg2

Use that feature: change the registry entry to:

"C:\Windows\System32\virus.exe" "%1" %*

Command Line:

"C:\windows\system32\virus.exe" "C:\windows\test.exe" -arg1 -arg2

"our virus will be executed EVERY TIME an EXE file is started."
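The hijack described on these slides leaves a very simple footprint: the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command is no longer exactly "%1" %*. The check below is an added example, not code from the talk; it takes that value (read on a live host with `reg query HKCR\exefile\shell\open\command /ve`, or pulled from an exported hive) and reports whatever program has been placed in front of "%1", since that is the program that will run every time an EXE is launched. The two sample values are the clean and the hijacked command from the slides.

```python
import re
from typing import Dict, List

# What a clean system has in HKEY_CLASSES_ROOT\exefile\shell\open\command.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'

# Windows command lines: a double-quoted group is one token, otherwise split on whitespace.
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize_command(value: str) -> List[str]:
    """Split a registry command string into tokens, dropping the surrounding quotes."""
    return [tok.strip('"') for tok in TOKEN.findall(value)]


def check_exefile_command(value: str) -> Dict[str, object]:
    """Decide whether the exefile open command has been hijacked.

    Returns a dict with:
      hijacked - True unless the value is exactly the stock "%1" %*
      prefix   - the tokens that run before "%1" (the injected program and its arguments)
      tokens   - all tokens, for reporting
    """
    tokens = tokenize_command(value)
    if tokens == tokenize_command(EXPECTED_EXEFILE_COMMAND):
        return {"hijacked": False, "prefix": [], "tokens": tokens}
    # Everything before the "%1" placeholder gets control on every EXE launch.
    try:
        placeholder = tokens.index("%1")
    except ValueError:
        placeholder = len(tokens)  # no placeholder at all: EXEs would not even start
    return {"hijacked": True, "prefix": tokens[:placeholder], "tokens": tokens}


# Constructed inputs: the stock value and the hijacked value shown on the slide.
SAMPLE_VALUES = {
    "clean": '"%1" %*',
    "hijacked": r'"C:\Windows\System32\virus.exe" "%1" %*',
}

if __name__ == "__main__":
    for label, value in SAMPLE_VALUES.items():
        result = check_exefile_command(value)
        verdict = "HIJACKED" if result["hijacked"] else "ok"
        print(f"{label:9s} {verdict:9s} {value}")
        if result["prefix"]:
            print(f"          runs first: {' '.join(result['prefix'])}")
```

The same comparison applies to the other file-type command keys under HKCR (batfile, cmdfile, comfile, and so on), which have the same stock value; the check is deliberately exact rather than heuristic, because there is no legitimate reason for anything but the stock command to appear there.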

Page 11: Slides

Registry Shell Spawning

Page 12: Slides

Self Protection

Page 13: Slides

Process Hiding

API Hooking (Fashion Way): intercepts the hooked process's API calls

Task Manager retrieves the list of running processes by calling the function NtQuerySystemInformation in ntdll

The goal is to intercept the calls to NtQuerySystemInformation made by Task Manager and drop the information about our evil process before it reaches Task Manager's process

Sometimes avoided because of its complexity

For this technique we need to inject a DLL into the target process's memory space

So as a payload the virus must carry a DLL

Page 14: Slides

Process Hiding

Naming to svchost (Dirty Way)

All we need to do is name our evil executable file svchost.exe

There is always more than one svchost process running, so our virus will stay unnoticed by the user

Some say it's a lame technique, but the truth is it's very effective

It's widely used because no implementation is needed
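Because the trick above relies purely on the name, a defender can undo it by looking at what a genuine svchost.exe always has and an impostor usually lacks: an image path under the system directory and services.exe (the Service Control Manager) as its parent. The Python below is an added example, not code from the talk; it runs that check over a constructed process snapshot (the fields are the ones you would pull from WMI's Win32_Process: Name, ExecutablePath and ParentProcessId, with the parent PID already resolved to a name) and assumes the default C:\Windows system root.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Directories a genuine svchost.exe is loaded from (assumes the default system
# root C:\Windows; substitute %SystemRoot% on hosts installed elsewhere).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# The Service Control Manager is the only legitimate parent of svchost.exe.
LEGIT_SVCHOST_PARENT = "services.exe"


@dataclass
class ProcessInfo:
    pid: int
    name: str
    path: str         # full image path (Win32_Process.ExecutablePath)
    parent_name: str  # image name of the parent process


# Constructed snapshot, not captured from a real host.
SAMPLE_PROCESSES = [
    ProcessInfo(4, "System", "", ""),
    ProcessInfo(612, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    ProcessInfo(688, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    ProcessInfo(3120, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe", "explorer.exe"),
    ProcessInfo(3304, "SVCHOST.EXE", r"C:\Windows\SysWOW64\svchost.exe", "cmd.exe"),
    ProcessInfo(4010, "notepad.exe", r"C:\Windows\System32\notepad.exe", "explorer.exe"),
]


def suspicious_svchost(procs: List[ProcessInfo]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every process named svchost.exe that does not
    look like a service host: wrong image directory and/or wrong parent."""
    findings = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        if ntpath.dirname(p.path).lower() not in LEGIT_SVCHOST_DIRS:
            reasons.append(f"image path {p.path!r} is outside the system directory")
        if p.parent_name.lower() != LEGIT_SVCHOST_PARENT:
            reasons.append(f"parent is {p.parent_name!r}, not {LEGIT_SVCHOST_PARENT}")
        if reasons:
            findings.append((p.pid, reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in suspicious_svchost(SAMPLE_PROCESSES):
        print(f"pid {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Note that the name comparison is case-insensitive, so SVCHOST.EXE is examined too; the check answers the slide's "more than one svchost" argument by counting neither the processes nor their names, only where they came from and who started them.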

Page 15: Slides

Fucking AVs

AV Killer

The AV Killer does the dirty job of taking AVs out of orbit

The first thing we need to implement an AV Killer is a list of AV process names

The virus loops through the running process list looking for those names and kills them

The technique can be dangerous if it is misused

Page 16: Slides

Advanced Code Evolution Techniques

Page 17: Slides

Evolution of Code

Encrypted Viruses

Oligomorphic Viruses

Polymorphic Viruses

Metamorphic Viruses


Page 18: Slides

Evolution of Code

Evolution baby evolution!!!

Antivirus defense techniques: signature verification, heuristic analysis

Page 19: Slides

Evolution of Code

Encrypted

First method implemented

Page 20: Slides

Evolution of Code

Encrypted Perl Virus

Page 21: Slides

Evolution of Code

Oligomorphic

Evolved form of encrypted viruses

Semi-polymorphic

Multiple decryption patterns

Able to hide in a random way

Page 22: Slides

Evolution of Code

Oligomorphic Perl Virus

Page 23: Slides

Evolution of Code

Polymorphic

Next step in the evolution of oligomorphic techniques

Oligomorphic vs. polymorphic

Techniques: junk instructions, permutation, entry point obfuscation

Page 24: Slides

Evolution of Code

Metamorphic

Natural evolution of polymorphic techniques

Polymorphic vs. metamorphic

Black box

Page 25: Slides

References

29a labs ( vx.netlux.org/29a )

Ready Rangers Liberation Front ( vx.netlux.org/rrlf )

DoomRiderz ( vx.netlux.org/doomriderz )

EOF-PROJECT ( www.eof-project.net )

VX Heavens ( vx.netlux.org )