Analysis and Detection of Metamorphic Viruses

Analysis and Detection of metamorphic computer vir customsChapter 1 portal 1.1 MotivationMetamorphic Vir use of goods and servicess argon real special type of computer computer computer computer computer viruses which develop ability to reconstruct into alto abbreviateher rising offspring which is completely una resembling than the p atomic number 18nt Main object to use these techniques to redo it egotism is to distract perception by Antivirus Softw atomic number 18. Although for the m being virtually well known metamorphous viruses atomic number 18 detectable, just now it is predicted that in future we might face problem of similar viruses those would be able of changing their appellation and perpetrate malicious tasks. Our objective in this thesis is to bring rough an in-depth analysis of metamorphic codification, and evaluate close to(prenominal) best practices for detection of metamorphic viruses.1.2 OutlineThis document has been divided into fiv e chapters inaugural 2 chapters be for introductory purpose it provides basic focussing near viruses in Chapter 2 we have tried to pay off most details about virus evolution how metamorphic viruses came into existence. Chapter 3 includes detailed data about metamorphic virus, evening gown interp soakation, Core components of Architecture and some explanations from a virus generator about metamorphic viruses. Chapter 3 deals with some of techniques which are being utilize by metamorphic viruses and what advantages these viruses have using those techniques. Chapter 4 contains polar type of detection methodologies used to detect metamorphic viruses. It excessively contains sample write in write in code from assorted metamorphic viruses for their have got comparison.Chapter 2 Computer Virus Introduction 2.1 IntroductionThe term Virus was first described by Dr. Fred Cohan in his PHD thesis during 19861 although divergent type of computer malware where already exited that time yet the term was particularisedally introduced by Dr. Fred. Thats wherefore in may research papers he is considered the give of Virus Research 2. According to his formal definition as virusA program that crumb infect former(a) programs by modifying them to include a peradventure evolved copy of itself1Based on this definition we have interpreted some pseudo code of Virus V from his research 25.program virus=1234567subroutine infect-executable=loopfile = start out-random-executable-fileif first-line-of-file = 1234567 then goto loopprepend virus to filesubroutine do- handicap=whatever damage is to be donesubroutine trigger-pulled=return true if some condition holds of import-program=infect-executableif trigger-pulled then do-damagegoto nextnextThis is a typical role model of a computer virus, we screw divide this virus into three study parts first subroutine which is infect-executable it tries to look for and executable file or any opposite orient file which it wants to infect it contains a loop which tried to append the virus re mains to with the cigaret file. minute of arc subroutine do-damage is the virus code its self for which virus has been written this is called virus payload upon instruction execution it performs some damage to the agreement. The third subroutine trigger-pulled is some correct of trigger to consummate the virus code it could be some condition ground on date or system or file. Main code of virus is that once the condition is met we it should append itself to the tail end file and perform something.If we evaluate this definition novel viruses after partnot be considered as virus because on that check are several different type of viruses which are not performing any harm much(prenominal) as Co-Virus, their main tar attain is to assist the original virus by performing such(prenominal) tasks so the execution of original virus could be performed without being detected. stopcock Szor has redefined th is definition 2 asA computer virus is a program that algorithmicly and explicitly copies a possibly evolved version of itself.This definition is also self explanatory, as the author suggest it recursively and explicitly search for the target files and then infect them with virus code to bring in possible copies. As we are all awake(predicate) virus is special kind of malware which al miens gets a exploiter attention to propagate such as either he access the infracted file or tries to execute infected files. Grimes26 append this definition with beef sector information and other methodologies as Viruses are not limited to file infections scarce.2.1.1 Different oddball of MalwareIn this section we go away try to establish some type of malware which like virus exactly they are not virus. This section is for information purpose only. Viruses its self could be of different kind based on their practise we can define their category, such as boot sector virus, File contagion Viru s or some of advanced Macro Viruses which are used inside Microsoft Office documents to automatize the lick. Basically all virus follow the same process of infection which is described by Dr. Fred Cohen in V Sample Virus. We impart define some of advanced code armoring techniques in Section 2.2.2.1.1.1 TrojansTrojans are very famed backdoor malware some time they are not considered as virus as their main objective is to let assailant gain access to the target machine without getting noticed by the user. Their main objective is not only to gain access except it could be executing some sort of malicious code. Origin of their name is from Greek History where a giant horse was construct to gain access inside the castle and transport soldiers through that horse. akin technique is used with Trojans they tricked users by displaying something on screen and behind it is doing something else. Trojan does not infect files or attach their code to other files usually they contain some s ort to joiner utility which help users to embed their code or act inside the Trojan. Trojans can used to gain access to infected systems, mounting share drives or pitiful net recreate traffic through Denial of Services attacks. Some famous examples of Trojans are Netbus, Subseven, Deep pharynx ,Beast etc.Some remote administration Trojans can have their client side which can be used to communicate to the infected computer. Above image is Client side of Beast Trojan which can perform so legion(predicate) operations on the target machine once it is connected.2.1.1.2 Spyware and AdwareSpyware are very common problem of todays internet user. They are used to get information about users and monitor their activity with or without his familiarity. Till now antivirus companies are unable to define detection and removal of spyware software because thither are some famous companies who are selling spyware software to monitor user activities and they are getting legal support to protect spyware from getting removed by antivirus. With spyware it is sort of possible that without user knowledge they transport all user information and activities to some monitoring email minimal brain dysfunctionress. There is some sort of spyware which are only used to get all mainstay press events by users whatever he is typing or writing in email or entering password. It will be enter and based on the software prunetings it can be sent to email or saved on disk.Adware are slightly different than malware they collect information about users internet activity and based on that they tries to display target advertisement to the users or install some software on users system which displays casteless advertisement to the user.2.1.1.3 RootkitsRoot kits are specially crafted virus their main objective is to gain administrative take access on the target system. Usually they contain some virus or script to execute the malicious code on target machine, enable root level access for the at tacker and overcloud the process, allowing attacker full access to machine without getting noticed. Detailed information about root kits is beyond the topic. Based on their functionality we can enunciate that they hijack the target system and monitor all system calls. They are now capable of patching kernel also so attacker can get higher level of permissions.Security researchers have demonstrated a naked as a jaybird technology called Blue-Pill27 which has helped them creating a tops(predicate) root kit without getting any performance degradation or system restart. They have used virtualization support inside processor to run in a virtual machine mode.2.1.1.4 WormsWorms are considered as the near advanced version of malware unlike virus they do not require any user interaction to propagate, only when like virus they can replicate their code by infecting other target files. They can be combined with Trojan horses to execute on target machine. But unlike virus they are always de pendent on some software for their execution without that specific software they cannot perform their actions. These try to exploit vulnerabilities of software or operating system to perform malicious actions. Love frustrate is one of famous worm example it used Microsoft Emailing software to distribute its copies. CodeRed and Nimda are some other examples which used Microsoft protocols to distribute and infect other systems.2.2 Virus EvolutionViruses are evolved throughout the time thats why today we are relations with the nigh advanced type of viruses of all time. Most of time researchers are challenged by the virus writers to detect their created virus and create vaccine for it. In the following section we will describe some of the techniques which are used by virus to satisfy the main objective of Virus writer that is Make Virus Completely Undetectable. From time to time they have used different techniques in this section we will discuss those techniques and how those techniq ues pasturaged toward metamorphic viruses.2.2.1 EncryptionEncryption is the main sources of information hiding. It has been used some centuries the same way virus writers are using encryption to avoid detection by antivirus. A falllineryptor is attached with the main virus code to decryp the virus body and performs the action.lea si, blend in position to decode (dynamically set)mov sp, 0682 length of encrypted body (1666 bytes) rewritexor si,si decryption key/counter 1xor si,sp decryption key/counter 2inc si increment one counterdec sp decrement the otherjnz rewrite loop until all bytes are decrypted issue Encrypted/Decrypted Virus BodyThe above code is from 5 for rain shower Virus. In the same article the author has suggested four major reasons why some virus writer will use encryptionPrevention against code analysis With encryption it becomes quite backbreaking to destroy the virus code and examining the code for ways which can be quite interesting for the vi rus researchers. For example if individual is performing specific operations such as calling INT 26H or calling specific Crypto API. By using encryption users will bet get an idea about what are the intentions of users because most of file contents will be encrypted and it is quite possible it may contain some argufy Code also.Making disassembling more(prenominal)(prenominal) difficult Virus writers can used encryption not only to make it difficult they can also us to make this process more time eat and difficult they can include more toss code inside or wrong instruction so the researchers will not be able to perform static analysis of code and get some confusing idea about the code itself.Making virus temper proof Same like real life business products some virus writers do not want their virus code to be used by others with their name or generate new variant from their code because it is quite possible someone will decrypt virus and again generate another virus by modifying the code. This is also some sort of prevention from reverse railway locomotiveering the virus.Avoid detection This is the union objective of virus write to evade detection by Anti Virus software, based on time to time new techniques have been developed in following section we will discuss some of these techniques how they use encryption.Mostly the virus contains the decryptor within their code this had helped the Virus researchers to detect viruses based on their decryption signature. But this method is not very successful as it may raise an exclusion in case some other software tries to use similar methodologies to decrypt data. As time evolved they have developed some new interesting techniques. Most of time in assembly they use simply XOR ing operations help then in decrypting virus code. For example in above code of Cascade Virus it is using XOR to decrypt distributively byte of virus code unless all body is decrypted. With XOR they have some advantage first of all it is ver y simple operating and second XOR ing the same set twice yields the first determine this operating can help them in decryption and making it more confusing during static code analysis. Peter Szor has described some of these strategies which can be used to make process of encryption and decryption more difficult 2-Chapter7, according to himVirus Writers are not require to store decryption key inside the virus body some advanced virus such as RDA.Fighter generate their decryption key upon execution. This technique is called Random Key Decryption. They use brute military method to generate key during run-time. These Viruses are very hard to detect.It is under control by the attacker how he wants to modify the flow of decryption algorithm, it can be forward or backward or it is also possible to have denary loops inside a single body. Or multiple layers of encryption. countenance most important ingredient is the key size which can make decryption process more difficult based on th e key length. Obfuscation is another factor involved in it. In Metamorphic Viruses Similie.D was one of the virus which used non-linear encryption and decrypts the virus body in semi-random order and most important thing is that it access the encrypted put of virus body only once.3There is another factor involved in virus encryption such as virus is encrypted with very strong algorithm such as IDEA virus 9 which contains several decryptors. Main source of interest is that it is quite cushy to detect virus and remove it but it is extremely difficult to repair the infected file as on second layer of IDEA it uses RDA for key generation.Microsoft Crypto API is part of Windows operating system. This can also be used for malicious purpose, Virus writers can use Crypto API to encrypt data with some secret key or call their API through virus code to perform encryption. It is also difficult to detect this because other program such as Internet Explorer also uses this API to encrypt transmi ssion over ripe channel.There is another variation in decryption which was demonstrated by W95/Silcer Virus that the first portion of virus which is already decrypted force Windows Loader to relocate infected software images once they are penalise loaded in to memory. For the purpose of decryption the virus itself transfers relocation information.There are other possibilities such as some virus use file name as their decryption key in such case if file name is modified virus cannot execute and there is possibility we will not be able to recover that file after infection. Other methods such as it can use decryptor code itself as decryption key it help them in such condition if someone is analyzing code or virus execution is under a debugger it will raise an exception.2.2.2 OligomorphismWith encrypted virus it is quite possible to find the decryption mechanism to challenge this situation virus writers implemented a new technique to create multiple decryptors and use them randomly wh ile they are infecting other files. Major contrariety between Encryption and Oligomorphism is that in encryption is uses same decryptor for encryption purpose while in oligomorphic virus have multiple decryptors and they can use any of them during the process. Whale Virus was first of this kind to use multiple decryptors. W95/Memorial7 is one of very famous examples of oligomprphic viruses it uses 96 different type of decryptors.mov ebp,00405000h select basemov ecx,0550h this many byteslea esi,ebp+0000002E offset of Start chalk up ecx,ebp+00000029 plus this many bytesmov al,ebp+0000002D pick the first keyDecryptnop junknop junkxor esi,al decrypt a byteinc esi next bytenop junkinc al slide the keydec ecx are there any more bytes to decrypt?jnz Decrypt until all bytes are decryptedjmp Start decryption done, execute body Data areaStart encrypted/decrypted virus bodySliding key feature can also be noted as with this feature it is quite possible to convince operating inst ructions for decryptor. If we get other instance of same virus it has brusk variations there is a little change in loop instruction Another Variant of W95 Memorialmov ecx,0550h this many bytesmov ebp,013BC000h select baselea esi,ebp+0000002E offset of Startadd ecx,ebp+00000029 plus this many bytesmov al,ebp+0000002D pick the first keyDecryptnop junknop junkxor esi,al decrypt a byteinc esi next bytenop junkinc al slide the keyloop Decrypt until all bytes are decryptedjmp Start Decryption done, execute body Data areaStart Encrypted/decrypted virus body. It has been mentioned 2 that a virus is only called Oligomorphic if it can mutate its decryptor slightly. Detecting Oligomorphic virus is extremely difficult because as they have random decryptors it is quite possible that our virus detecting mechanism will not able to detect if there are quite large number of decryptors.2.2.3 polymorphismThe term Polymorphism came from Greek origin Poly means multiple and morphi means f orms. We can say that these types of viruses can take multiple forms. They are much advanced than their ancestors like Oligomorphic virus they rely on mutating their decryptor in such a way so it generates number of variation of same virus. Core of their operation is their engine which helps them in mutating. For individually infection their version engine generates a completely new instruction set for decrypter. This process help them in generating a completely new virus having exact functionality as their parents but the sequence of instruction is entirely different from others28.Antivirus software are challenged by their method as every time a new file is infected it generated a new encryption code and decryptor so those software who are relying on virus decryptor signature will not be able to detect those viruses as new offspring are completely different in decryptors signature. Research has already shown that it is possible for a mutation engine to generate several million di fferent type of decryptor code for new viruses 28.Dark conversion railway locomotive is one of very famous example of polymorphic virus following code has been taken from 2.mov bp,A16C This Block initializes BP to Start-deltamov cl,03 (delta is 0x0D2B in this example)ror bp,clmov cx,bpmov bp,856Eor bp,740Fmov si,bpmov bp,3B92add bp,sixor bp,cxsub bp,B10C Huh finally BP is set, but remains an obfuscated pointer to encrypted bodyDecryptmov bx,bp+0D2B pick next word (first time at Start)add bx,9D64 decrypt itxchg bp+0D2B,bx put decrypted value to placemov bx,8F31 this immobilize increments BP by 2sub bx,bpmov bp,8F33sub bp,bx and controls the length of decryptionjnz Decrypt are all bytes decrypted?Start encrypted/decrypted virus bodyIdea behind making a code engine was that in beginning virus writing was very difficult and time consuming so the undergo virus writers helped novice in virus generating by giving them code mutation engine with little modification they can use this engine within their own virus code and it can perform same operations.Based on the virus type and engine capabilities it can enhance the virus functionality there are several viruses which can use Microsoft CryptoAPI in their polymorphic operations. Marburg is also one of very famous polymorphic virus which has entirely different mechanism in file infection. till now we could look at that infection method if polymorphic virus could be same just decryptor is changing but that virus introduced some of new methodologies like key length in encryption could be different and all(prenominal) file which it is infecting is using different encryption mechanism.8Start Encrypted/Decrypted Virus body is placed hereRoutine-6dec esi decrement loop counterretRoutine-3mov esi,439FE661h set loop counter in ESIretRoutine-4xor byte ptr edi,6F decrypt with a constant byteretRoutine-5add edi,0001h point to next byte to decryptretDecryptor_Startcall Routine-1 set EDI to Startcall Routine-3 se t loop counterDecryptcall Routine-4 decryptcall Routine-5 get nextcall Routine-6 decrement loop registercmp esi,439FD271h is everything decrypted?jnz Decrypt not yet, continue to decryptjmp Start jump to decrypted startRoutine-1call Routine-2 Call to POP trickRoutine-2 protrude edisub edi,143Ah EDI points to StartretThere are examples of other viruses which shows that2.2.4 MetamorphismAfter all these evolution in virus, now we are dealing with one of the most advanced version of these viruses. Polymorphic viruses were really challenging to detect and remove from system, but it was just a matter of time Researchers tried to build solutions against polymorphic viruses. Viruses writer tired to work on something really amazing a virus which would be able to rebuild itself with same functionality but entirely different from the parent. This proposed solution was first implemented in W32/Apparition, If it finds a compiler in some machine it tries to rebuild itself into completely new shape. Following code has been taken from 2 two different variants of W95/Regswap . This virus was first of its kind to implement metamorphism in shifting registers.a.)5A pop edxBF04000000 mov edi,0004h8BF5 mov esi,ebpB80C000000 mov eax,000Ch81C288000000 add edx,0088h8B1A mov ebx,edx899C8618110000 mov esi+eax*4+00001118,ebxb.)58 pop eaxBB04000000 mov ebx,0004h8BD5 mov edx,ebpBF0C000000 mov edi,000Ch81C088000000 add eax,0088h8B30 mov esi,eax89B4BA18110000 mov edx+edi*4+00001118,esiAlthough till now there is no big incident reported due to metamorphism as normal computers do not contain such utilities like compilers or scripting support to rebuild virus but this situation could be very dangerous for Linux machine where scripting languages and compilers are enabled by default. approaching versions of Microsoft Windows are also having support of .Net and MSIL which is capable of generating such virus very easily MSIL/Gastropod is one of famous example of metamorphic virus. In upcom ing section we will describe main architecture of metamorphic viruses.Chapter 3 Metamorphic Virus ArchitectureThe idea behind metamorphic legacies came from the same biological look that the parents are mutating and generating new offsprings which are entirely different than their parents but they are performing the same actions as their parents were doing. Virus Writers have adopted the same idea and implemented in the form of metamorphic virus. situation of any virus relies in its power to bypass the Antivirus Scanner and perform actions. Usually constants in their virus body, specific register allocation, patterns or heuristics scanning are some of the common ways to detect a virus.Metamorphic Viruses are one of those kinds which are capable of transforming their code into new generation, these viruses are capable of changing their syntax but their semantics remain same throughout generations. Polymorphic viruses were difficult to detect but their main weakness was their decryp tion mechanism once researchers found their decryption methodology and add this as a signature to antivirus products through this they were able to detect full generation of polymorphic virus but in case of metamorphic virus this approach fails because the syntax of code and mechanism of operation is entirely different throughout generations. They are considered as shape shifters 2 because each generation is entirely different than each other.Metamorphic engines are by and large buggy, this could be our luck that till now there is no perfect metamorphic engine available. It has been reported that metamorphism has been used as a mean of software security the same way it has been used in viruses to for their protection. They can be used stand alone by which they are self generating viruses and capable of performing actions on target system or they could take help from the surrounding purlieu in downloading some plug-in form internet or generating their new copies.Metamorphic viruses are capable of changing arrangement of their instruction. This ability gives them ability to generate new undetectable virus for examples if a virus contains n number of subroutines it will generate n different type of generations. In case of BADBoy Virus it has 8 subroutines and it is capable of rearranging its subroutines it can generate 8 = 40320 type of different virus. This grows if number of subroutine increases inside the Virus Body.Above image is a code module of Badboy Virus in file it just admit to take care of Entery Point whereregardless of where it is located remaining subroutines are access through jump instructions throughout the code.Zperm is another exam of metamorphic virus the above code sample is from Zperm virus which shows its rearrangement of code.3.1 Formal DefinitionThis formal definition is presented in 13 according to this definition let P(d,p) represented as a function which is going to be computed by a program P in the current environment (d,p) in this case p represents programs stored on computer and d represents data processed. D(d,p) and S(p) are two recursive functions , T(d,p) is a trigger and is an injury condition and I(d,p) is considered as injury condition.In Case of this we can say that pair (v,v) are recursive functions and( v and v) are metamorphic virus if all conditions X(v,v) satisfies.Where T(d,p) ,I(d,p),S(d,p) is entirely different than T(d,p) ,I(d,p),S(d,p). Based on that we can say that v and v are metamorphic virus and they are performing same actions. Polymorphic Virus share their kernel but in metamorphic virus each virus has its own kernel.3.2 Core ArchitectureIn this section we will discuss major components of metamorphic virus, although there are several other components already explained but architecture represented in 10 is considered as best. According to original author they have divided metamorphic virus in to two categories close-world or open-world. Open World are those who integrate with executin g environment and perform some actions such are download some spyware etc. Here we will describe functional architecture of closed(a) world viruses. Most of them perform binary transformation.3.2.1 Locate Own CodeThe virus must be able to locate its code from inside the infected file or its own body each time it is transforming into new form or infecting a new file, metamorphic virus which are infecting other files and use them as their carrier must be capable of locating their code from inside the infected file. Mostly in file they use some predefined location of their startup code this location is mostly constant and remains contestant throughout the other generations. There are only few incidents when Engine tries to put dynamic locations.3.2.2 Decode erst the code of virus is located by metamorphic engine it tries to obtain some sort of blue print information about how to transform. Although this is one of the drawback of metamorphic virus that within them self it they contain their architecture about how they are getting transformed. This information is very overcritical because this information is further encoded inside body of new virus. This whole can also retrieve information about flags, bit-vectors, markers, hints which will help in building new viruses. There is a drawback of this approach as it is required by the virus engine itself so virus write cannot obfuscate this area.3.2.3 AnalyzeOnce the core information is gathered there is other information which is very critical for proper execution of metamorphic virus. Without this information transformation cannot be performed. Metamorphic engine must have information about the register liveliness. If it is not available from Decode phase the engine must be capable of constructing it via def-use analysis. meet Flow Graph is also required by transformation phase because this will help in the rewriting logic and flow of the program.Control Flow graph is required in case if the malware itself is capa ble of generating the code which can shrink or grow in new generations and also it is required to process the control flow logic which is further transformed into code. In the following code it has gather its main idea about code what it is required to perform and it is further transforming it to simplified instructions.1)mov esi+4, 9mov esi+4, 6add esi+4, 32)mov ebp+8, ecxpush eaxmov eax, ecxmov ebp+8, eaxpop eax3)push 4mov eax, 4push eax4)push eaxpush eaxmov eax, 2Bh3.2.4 transfigureThis unit is most important area of virus as it is capable of generating new virus. Most of virus logic resides here. This unit generate new instruction blocks semantically which are exactly same like its code but syntax is a bit different. Here some sort of obfuscation is also performed, metamorphic engine tries to rename registers , inserts NOP and garbage instructions and reorder the execution of block.Following code block has been taken from their examples in 10.1)mov eax, 10mov eax, 5add eax,52)m ov eax, 5sub eax, 10mov eax, 1add eax, 2sub eax, 83)mov eax, 5add eax, 5mov eax, 104)cmp eax, 5ja L1cmp eax, 2je L2cmp eax, 5jb L3L1 mov ebx, 3jmp L4L2 mov ebx, 10jmp L4L3 mov ebx, 10jmp L4L4cmp eax, 5ja L1cmp eax, 5jb L2L1 mov ebx, 3jmp L3L2 mov ebx, 10jmp L3L33.2.5 AttachAttach unit it only available in those viruses which infect files and use them as source of replication. Transform unit not only transforms own code but also the code of target file, where it sets some entry point to virus main routine. During the attachment process it also shuffle the code