Metamorphic Virus: Analysis and Detection
Evgenios Konstantinou
Supervisor: Dr. Stephen Wolthusen
Technical Report RHUL-MA-2008-02
15 January 2008
Department of Mathematics, Royal Holloway, University of London
Egham, Surrey TW20 0EX, England
Abstract

Metamorphic viruses transform their code as they propagate, thus evading detection by static signature-based virus scanners while keeping their functionality. They use code obfuscation techniques to challenge deeper static analysis and can also beat dynamic analyzers, such as emulators, by altering their behavior. To achieve this, metamorphic viruses use several metamorphic transformations, including register renaming, code permutation, code expansion, code shrinking, and garbage code insertion. In this thesis, an in-depth analysis of metamorphic viruses is presented, along with the techniques they use to transform their code into new generations. To give a better understanding of metamorphic viruses, a general discussion of malicious code and detection techniques is given first. Then, several techniques to detect metamorphic viruses are described. A fair number of papers on metamorphic viruses exist in the literature, but none is a complete discussion of all metamorphic techniques and detection methods. This thesis aims at a complete discussion of all metamorphic techniques used by virus writers so far, and of all detection techniques, whether implemented in antivirus products or still experimental. It accomplishes this through in-depth research on malware and metamorphic viruses in the existing literature. Due to space and time limitations, an exhaustive discussion was not possible in this thesis.
Contents

1 Introduction 1
  1.1 Motivation 1
  1.2 Outline 2
  1.3 Final Remarks 2
2 Introduction to Malicious Software 4
  2.1 Viruses 4
  2.2 Worms 8
  2.3 Trojan Horses 9
  2.4 Spyware 10
  2.5 Rootkits 11
3 Virus Detection Mechanisms 14
  3.1 First-Generation Scanners 14
    3.1.1 String Scanning 14
    3.1.2 Wildcards 15
    3.1.3 Mismatches 15
    3.1.4 Generic Detection 15
    3.1.5 Bookmarks 15
    3.1.6 Top-and-Tail Scanning 16
    3.1.7 Entry-Point and Fixed-Point Scanning 16
  3.2 Second-Generation Scanners 16
    3.2.1 Smart Scanning 16
    3.2.2 Skeleton Detection 17
    3.2.3 Nearly Exact Identification 17
    3.2.4 Exact Identification 17
    3.2.5 Heuristics Analysis 17
  3.3 Algorithmic Scanning Methods 18
    3.3.1 Filtering 19
    3.3.2 Static Decryptor Detection 19
    3.3.3 X-RAY Scanning 19
  3.4 Code Emulation 20
    3.4.1 Dynamic Decryptor Detection 22
4 Advanced Code Evolution Techniques 23
  4.1 Encrypted Viruses 23
  4.2 Oligomorphic Viruses 26
  4.3 Polymorphic Viruses 28
    4.3.1 The 1260 virus 28
    4.3.2 The Dark Avenger Mutation Engine (MtE) 29
    4.3.3 Polymorphic Viruses for Windows 30
5 Metamorphic Viruses 33
  5.1 Introduction 33
  5.2 The Metamorphic Virus 34
    5.2.1 A formal definition 35
    5.2.2 Anatomy of a Metamorphic Virus 36
    5.2.3 The Metamorphic Virus According to a Virus Writer 37
  5.3 Metamorphic Techniques 38
    5.3.1 Garbage Code Insertion 38
    5.3.2 Register usage exchange 39
    5.3.3 Permutation Techniques 40
    5.3.4 Insertion of Jump Instructions 40
    5.3.5 Instruction Replacement 42
    5.3.6 Host Code Mutation 43
    5.3.7 Code Integration 43
  5.4 Advanced Metamorphic Viruses 44
    5.4.1 Win95/Zmist 44
    5.4.2 {Win32, Linux}/Simile 47
  5.5 The Virus Evolution: A Simple Comparison 51
6 Metamorphic Virus Detection 54
  6.1 The Weakness of Metamorphic Viruses 54
  6.2 Geometric Detection 55
  6.3 Wildcard String and Half-Byte Scanning 56
  6.4 Code Disassembling 56
  6.5 Using Emulators 57
    6.5.1 Using Negative and Positive Features 58
    6.5.2 Using Emulator-Based Heuristics 59
    6.5.3 Dummy Loops Detection 60
    6.5.4 Stack Decryption Detection 60
  6.6 Code Transformation Detection 61
  6.7 Subroutine Depermutation 63
  6.8 Using Regular Expressions and DFA 63
  6.9 Experimental Detection Techniques 67
    6.9.1 Detection Using Engine Signature 67
    6.9.2 Detection Using Redundancy Control Strategy 70
    6.9.3 Detection Using Control-Flow Graph Matching 71
    6.9.4 Detection Using Algebraic Specification 73
    6.9.5 Hidden Markov Models 74
    6.9.6 Zeroing Transformation 76
7 Conclusions and the Future 79
  7.1 Current Trends in Malware 79
  7.2 Trends in Metamorphic Malware 81
  7.3 Future Work 83
Bibliography 84