METAMORPHIC VIRUS NGUYEN LE VAN

Upload: ambrose-walters

Post on 29-Jan-2016


Page 1: METAMORPHIC VIRUS NGUYEN LE VAN. OUTLINE 1.Introduction 2.Metamorphic techniques 3.Metamorphic virus detection 4.Conclusions 5.Bibliography 2

METAMORPHIC VIRUS

NGUYEN LE VAN

Page 2

OUTLINE

1.Introduction

2.Metamorphic techniques

3.Metamorphic virus detection

4.Conclusions

5.Bibliography

Page 3

INTRODUCTION

• Virus

“A program that can infect other programs by modifying them to include a possibly evolved copy of itself”

- Fred Cohen (1987)

• Typical structure of a computer virus (diagram):

  - Infect-executable
  - Do-damage (payload)
  - Trigger-pulled

Page 4

INTRODUCTION

• Types of computer viruses:

  - Boot sector virus
  - File infecting virus
  - Memory resident virus
  - Macro virus

• Basic virus, polymorphic virus, metamorphic virus

Page 5

INTRODUCTION

• Replication (diagram): basic virus, polymorphic virus, metamorphic virus

Page 6

INTRODUCTION

Metamorphic viruses transform their code as they propagate

The main goal of metamorphism is to change the appearance of the virus while keeping its functionality.

To achieve this, metamorphic viruses use several metamorphic transformations, such as register usage exchange, code permutation, code expansion, code shrinking, and garbage code insertion.

Page 7

METAMORPHIC TECHNIQUES (BASIC)

o Garbage code insertion

o Register usage exchange

o Permutation techniques

o Insertion of jump instructions

o Instruction replacement

o Host code mutation

o Code integration

Page 8

GARBAGE CODE INSERTION

The Win32/Evol virus – July 2000

The Win95/Bistro virus – October 2000

Page 9

REGISTER USAGE EXCHANGE

Win95/Regswap virus – Vecna – 1998

Page 10

PERMUTATION TECHNIQUES

• Dividing the code into frames, then positioning the frames randomly and connecting them with branch instructions to maintain the process flow.

• The Win32/Ghost virus – May 2000

Page 11

INSERTION OF JUMP INSTRUCTIONS

Win95/Zperm virus – June 2000

• New generations are created by inserting jump instructions within the virus code.

Page 12

INSTRUCTION REPLACEMENT

• Replace some of their instructions with other equivalent instructions.

• The types of instruction replacement include:

  - reversing of branch conditions
  - register moves replaced by push/pop sequences
  - alternative opcode encoding
  - xor/sub and or/test interchanging

• Other techniques: host code mutation, code integration

Page 13

METAMORPHIC VIRUS DETECTION

o Geometric detection

o Wildcard string and half-byte scanning

o Code disassembling

o Using emulators

o Code transformation detection

o Subroutine depermutation

o Using regular expression and DFA

Page 14

GEOMETRIC DETECTION

• Geometric detection is based on modifications that a virus has made to the file structure.

• For example, if the data section of a file grows by at least 32KB when it is infected by an encrypted version of the virus, the file may be reported as infected when the virtual size of its data section is at least 32KB larger than its physical size.
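The 32KB rule above, as an added example that is not part of the slides: it reads IMAGE_SECTION_HEADER entries from a section table and flags a file whose data section has a virtual size at least 32KB larger than its raw (physical) size. The section tables are constructed inline with `struct`, not taken from real binaries; `THRESHOLD`, `geometric_check` and `make_section` are names chosen here.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
THRESHOLD = 32 * 1024  # the 32KB growth the slide describes

def parse_sections(table: bytes):
    """Return (name, VirtualSize, SizeOfRawData) for each header in a section table."""
    return [
        (f[0].rstrip(b"\x00").decode("ascii", "replace"), f[1], f[3])
        for f in SECTION_HDR.iter_unpack(table)
    ]

def geometric_check(table: bytes, section: str = ".data", threshold: int = THRESHOLD) -> bool:
    """Flag the file when the named section's virtual size exceeds its raw
    (physical) size by at least `threshold` bytes."""
    return any(name == section and vsize - rsize >= threshold
               for name, vsize, rsize in parse_sections(table))

def make_section(name: bytes, vsize: int, vaddr: int, rsize: int, raw_ptr: int) -> bytes:
    """Build one constructed section header (relocation/linenumber fields zeroed)."""
    return SECTION_HDR.pack(name.ljust(8, b"\x00"), vsize, vaddr, rsize, raw_ptr,
                            0, 0, 0, 0, 0xC0000040)  # MEM_READ|MEM_WRITE|CNT_INITIALIZED_DATA

# Constructed section tables (hypothetical files, not real binaries).
CLEAN = (make_section(b".text", 0x1000, 0x1000, 0x1000, 0x400)
         + make_section(b".data", 0x800, 0x2000, 0x800, 0x1400))
# Same layout, but .data now claims 32KB (0x8000) more virtual space than it has on disk.
SUSPECT = (make_section(b".text", 0x1000, 0x1000, 0x1000, 0x400)
           + make_section(b".data", 0x800 + 0x8000, 0x2000, 0x800, 0x1400))
```

In a real scanner the table is located through the PE headers rather than passed in directly, and sections that legitimately hold uninitialized data also show a virtual size larger than their raw size, so this heuristic is a trigger for closer analysis rather than a verdict on its own.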

Page 15

WILDCARD STRING & HALF BYTE SCANNING

• Many opcodes are constant across all generations of the Regswap virus, which makes it possible to extract usable search strings using wildcards.
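Wildcard and half-byte matching as an added example (not from the slides): the signature mini-format here, with `??` for a whole unknown byte and a single `?` for an unknown nibble, is constructed for this example and is not any engine's real syntax. The byte strings are likewise constructed; they only rely on the x86 encodings `mov eax/ebx, imm32` = `B8`/`BB` and `push eax/ebx` = `50`/`53`, so a register swap changes just the low nibble that the half-byte wildcard ignores.

```python
import re

def compile_signature(sig: str) -> re.Pattern:
    """Compile a space-separated hex signature into a bytes regex.
    '??' matches any byte; a single '?' nibble (e.g. 'B?' or '?8') matches
    any value of that nibble while the other nibble stays fixed."""
    parts = []
    for tok in sig.split():
        hi, lo = tok[0], tok[1]
        his = range(16) if hi == "?" else [int(hi, 16)]
        los = range(16) if lo == "?" else [int(lo, 16)]
        vals = [(h << 4) | l for h in his for l in los]
        if len(vals) == 1:
            parts.append(b"\\x%02x" % vals[0])                        # fixed byte
        else:
            parts.append(b"[" + b"".join(b"\\x%02x" % v for v in vals) + b"]")
    return re.compile(b"".join(parts))

def scan(data: bytes, sig: str) -> int:
    """Return the offset of the first signature hit in data, or -1 if none."""
    m = compile_signature(sig).search(data)
    return m.start() if m else -1

# Constructed byte strings standing in for two generations of one routine:
# identical code except that eax (B8 / 50) became ebx (BB / 53).
GEN_A = bytes.fromhex("90 90 B8 44 33 22 11 50 C3")
GEN_B = bytes.fromhex("90 90 90 BB 44 33 22 11 53 C3")
UNRELATED = bytes.fromhex("90 B8 44 33 22 11 C3")   # no push before the ret
# mov r32, imm32 (any register, any immediate) ; push r32 ; ret
REGSWAP_SIG = "B? ?? ?? ?? ?? 5? C3"
```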

Page 16

USING EMULATORS

• Code emulation implements a virtual machine to simulate the CPU and memory management system and executes malicious code inside the virtual machine.

• Antivirus scanners can run code inside an emulator and examine it periodically or when interesting instructions are executed.

Page 17

CODE TRANSFORMATIONS

• Code transformation is a method for undoing the previous transformations done by the virus.

• Code transformation is used to convert mutated instructions into their simplest form, where combinations of instructions are transformed into an equivalent but simpler form. After the transformation, common code exhibited by the virus can be identified.
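A small normalizer for the substitutions listed on the instruction replacement slide, added here as an example and not code from the slides: it drops garbage instructions, folds `push X / pop Y` back into `mov Y, X`, rewrites `xor r, r` and `sub r, r` to `mov r, 0` and `test r, r` to `or r, r`, then compares the result with a known listing. It works on constructed text listings in Intel syntax rather than on machine code, and it does not undo register renaming or reversed branch conditions.

```python
def parse(asm):
    """Parse Intel-syntax 'mnemonic op1, op2' lines into (mnemonic, operands); ';' starts a comment."""
    out = []
    for line in asm.lower().splitlines():
        line = line.split(";")[0].strip()
        if line:
            mnem, _, rest = line.partition(" ")
            out.append((mnem, tuple(o.strip() for o in rest.split(",")) if rest else ()))
    return out

def is_garbage(ins):
    """Do-nothing padding instructions: nop, mov/xchg r,r, add/sub/or r,0."""
    m, ops = ins
    return (m == "nop"
            or (m in ("mov", "xchg") and len(ops) == 2 and ops[0] == ops[1])
            or (m in ("add", "sub", "or") and len(ops) == 2 and ops[1] == "0"))

def normalize(code):
    """Drop garbage, then rewrite equivalent instruction forms to one canonical form."""
    code = [ins for ins in code if not is_garbage(ins)]
    out, i = [], 0
    while i < len(code):
        m, ops = code[i]
        if m == "push" and i + 1 < len(code) and code[i + 1][0] == "pop":
            src, dst = ops[0], code[i + 1][1][0]
            if src != dst:                       # push X / pop X cancels out entirely
                out.append(("mov", (dst, src)))  # push X / pop Y  ->  mov Y, X
            i += 2
            continue
        if m in ("xor", "sub") and len(ops) == 2 and ops[0] == ops[1]:
            out.append(("mov", (ops[0], "0")))   # xor r,r / sub r,r  ->  mov r,0
        elif m == "test" and len(ops) == 2 and ops[0] == ops[1]:
            out.append(("or", ops))              # test r,r -> or r,r (same flags, r unchanged)
        else:
            out.append((m, ops))
        i += 1
    return out

def same_after_normalizing(a, b):
    """True when two listings reduce to the same canonical instruction sequence."""
    return normalize(parse(a)) == normalize(parse(b))

# Constructed listings: REFERENCE is the known form, MUTATED a rewritten generation
# of it, OTHER a different routine that superficially looks similar.
REFERENCE = "mov eax, 0\nmov ecx, ebx\nor edx, edx\nret"
MUTATED = ("nop\nxor eax, eax\npush ebx\nnop\npop ecx\nadd ecx, 0\n"
           "test edx, edx\nmov ebx, ebx\nret")
OTHER = "xor eax, eax\npush ecx\npop ebx\nret"
```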

Page 18

CONCLUSIONS

Page 19

BIBLIOGRAPHY

[1] F. Cohen. Computer viruses: theory and experiments. Comput. Secur., 6(1):22–35, 1987.

[2] Peter Szor. The Art of Computer Virus Research and Defense. Addison Wesley Professional, 1 edition, February 2005.

[3] Rodelio G. Finones and Richard T. Fernandez. Solving the metamorphic puzzle. Virus Bulletin, pages 14–19, March 2006.

[Video] 10 Devastating Computer Viruses

Page 20

THANK YOU!