Dr. Miguel Ángel Oros Hernández
7. Reverse Engineering of Malicious Software

Reverse Engineering of Malicious Software
1. Types of malicious software
2. Uses of malicious software
3. Vulnerabilities of malicious software

Malicious software or malware
Any program that works against the interests of the system's user or owner
Example: software that reports all kinds of usage statistics and web-browsing habits to a company CEO is, from the end user's point of view, malware
Reversing is the strongest weapon against creators of malware
Antivirus researchers: analyze the latest malicious programs, determine just how dangerous they are, and learn their weaknesses so that effective antivirus programs can be developed

Types of malicious software
Viruses
Worms
Trojan Horses
Backdoors
Mobile Code
Adware/Spyware

Types of malicious software: Viruses
Self-replicating programs that usually have a malicious intent
Effects: delete valuable information, freeze the computer, display annoying messages
Typically attach themselves to executable program files
Slowly duplicate themselves into many executable files on the infected system

Types of malicious software: Worms
Similar to a virus: a self-replicating malicious program
Replication process
Propagation: Internet, email
Does not require direct human interaction
Takes advantage of certain operating system or application vulnerabilities

Types of malicious software: Trojan horses
General idea: an innocent artifact openly delivered through the front door
Artifacts used: benign program, video clip, image
Example: "A Great Picture.jpg .exe"

Types of malicious software: Backdoors
Creates an access channel that the attacker can use for connecting to, controlling, spying on, or otherwise interacting with the victim's system

Types of malicious software: Mobile code
A class of benign programs
Executed on a large number of systems without being installed by end users
Some are designed to create a more active Web-browsing experience
Actions: download and launch a program on the end user's system
Mobile code: JavaScript, Java applets

Types of malicious software: Adware/Spyware
Adware: programs that force unsolicited advertising on end users
Gathers various statistics
Distracting, annoying, reduction of performance and robustness

Types of malicious software: Sticky software
Does not offer an uninstall program
It is possible to install registry keys that instruct Windows to always launch the malware as soon as the system is started

Types of malicious software: Future malicious software
Information-stealing (kleptographic) worms: programs that could potentially spread like any other worm
Locate valuable data on an infected system and steal it
Use: public key and private key
Attackers could actually blackmail their victims

Uses of malicious software
Gaining some kind of financial reward by spreading the programs
Certain psychological urges, or childish desires to beat the system
Backdoor access
Denial-of-Service (DoS) attacks
Vandalism
Resource theft
Information theft

Vulnerabilities of malicious software
It runs on untrusted platforms
Therefore, it is vulnerable to reversing
Once the code is decrypted, the code and its behaviour can be analyzed
Identification of malicious programs: use unique signatures
The antivirus program maintains a database of virus signatures
Unique identification for every known malware program
Polymorphism
Thwarts signature-based identification programs by randomly encoding or encrypting the program code

Vulnerabilities of malicious software
Weaknesses of polymorphism
1. Scanning for virus signatures in memory (searching the unencrypted form)
2. The decryption code is static
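The two weaknesses above, modelled as a small added example (not part of the original slides): a toy "polymorphic" sample whose body is XOR-encoded with a per-copy key defeats a plain body signature on disk, but the unchanged decryptor stub is itself a signature, and emulating the decryption exposes the plaintext body that must exist in memory. All byte strings (body, signature, stub) are constructed, not real code.

```python
# Toy model of signature scanning against a polymorphic sample.
# Every byte string here is constructed for illustration only.

# Constructed "malicious" body and a signature extracted from it.
BODY = b"MALWARE-PAYLOAD:open-backdoor;steal-data;replicate"
BODY_SIGNATURE = b"open-backdoor"

# Constructed decryptor stub. It is byte-identical in every generation
# (weakness 2): only the key and the encoded body change between copies.
DECRYPTOR_STUB = b"\x90STUB:xor-loop;jmp-body\x90"


def make_polymorphic_sample(body: bytes, key: int) -> bytes:
    """One replicated copy: static stub + 1-byte key + XOR-encoded body."""
    encoded = bytes(b ^ key for b in body)
    return DECRYPTOR_STUB + bytes([key]) + encoded


def signature_scan(data: bytes, signatures: list[bytes]) -> list[bytes]:
    """Plain signature scanner: which of the signatures occur in data."""
    return [sig for sig in signatures if sig in data]


def emulate_decryption(sample: bytes) -> bytes:
    """Do what the stub does at run time, so the scanner can inspect the
    decrypted in-memory form instead of the on-disk bytes (weakness 1)."""
    stub_len = len(DECRYPTOR_STUB)
    key = sample[stub_len]
    return bytes(b ^ key for b in sample[stub_len + 1:])


def scan_sample(sample: bytes) -> dict[str, bool]:
    """Three detection attempts on one sample: body signature on disk,
    stub signature on disk, body signature on the decrypted form."""
    return {
        "body_sig_on_disk": bool(signature_scan(sample, [BODY_SIGNATURE])),
        "stub_sig_on_disk": bool(signature_scan(sample, [DECRYPTOR_STUB])),
        "body_sig_in_memory": bool(
            signature_scan(emulate_decryption(sample), [BODY_SIGNATURE])
        ),
    }


if __name__ == "__main__":
    # Two generations with different keys look different on disk, yet the
    # stub signature and the in-memory scan catch both.
    for key in (0x5A, 0xC3):
        print(hex(key), scan_sample(make_polymorphic_sample(BODY, key)))
```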

Metamorphism
Next logical step after polymorphism
Instead of encrypting the program's body and making slight alterations in the decryption engine, it is possible to alter the entire program each time it is replicated
Each version of the malware can look radically different from any other version
Uses a powerful code analysis engine: the metamorphic engine

Vulnerabilities of malicious software: some of the alterations applied automatically to a program
Instruction and register selection
Instruction ordering
Reversing conditions: instead of using a statement that checks whether two operands are equal, check whether they are unequal
Garbage insertion
Function order