1 / 35

Stanford, 16MAR99

Deep Inside an AntiVirus Engine Network Associates, Inc. Jimmy Kuo Director, AV Research cjkuo@alumni.caltech.edu. Stanford, 16MAR99. Agenda. Short description of viruses Environments Purposes of an antivirus engine Detection technologies Virus removal technologies Wrap-up. Viruses

mandar
Télécharger la présentation

Stanford, 16MAR99

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Deep Inside anAntiVirus EngineNetwork Associates, Inc.Jimmy KuoDirector, AV Researchcjkuo@alumni.caltech.edu Stanford, 16MAR99

  2. Agenda Short description of viruses Environments Purposes of an antivirus engine Detection technologies Virus removal technologies Wrap-up

  3. Viruses Replicate!

  4. Virus Types File Viruses Com, Exe (DLL, VxD), Bat, Sys, mIRC, Html Boot Viruses Boot Sector Master Boot Records Macro Viruses Word, Excel, PowerPoint, Access Multipartite

  5. 40000 Virus growth through the years: *Dr Solomon’s count of viruses and trojans

  6. Environment Determination PC OLE2 files Compressed files Self-extracting files .BAT files, mIRC script, VB Script UNIX filesystems

  7. Protocols FTP HTTP SNMP SMTP NNTP TCP/IP Mime, uuencode, SSL, PGP

  8. Purpose We deal with users with problems on their computer, problems they do not know how to handle. 1. Relieve the panic. 2. Understand the problem. 3. Resolve what the user understands to be the problem.

  9. McAfee (NAI) Mantra 1. Detect all viruses. 2. The program is running on a clean machine. 3. Don’t give them a reason not to use your product.

  10. The Technology

  11. Signature Search Data organization • In memory • On disk Only things essential to detection are stored in memory. Names, repair information, virus information all stored on disk.

  12. Signature Organization, Case 0 All strings kept in memory. All strings of the same type. Method died out when viruses neared 1000.

  13. Signature Organization, Case 1 Split into virus types: Boot viruses, File viruses (Algorithmic detection, CRC detection), Macro viruses. Boot virus strings swapped to disk. Pull it in only if target file looks like a boot image. (55AA signature) CRCs used for those viruses that don’t change. Keep verification information on disk.

  14. Signature Organization, Case 2 All detection strings kept in memory. • Sorted into separate bins. • Only the particular bin that could contain the virus string is stored in low memory. • All else stored in EMS or XMS. Virus removal information and names stored on disk.

  15. Signature Organization, Case 3 All detection strings stored in memory. Some are classed as “not necessary for the average user” and not used unless specifically requested. All verification information stored on disk (or EMS or XMS if available). Strings sorted into groups which have common start characteristics.

  16. Signature Search Algorithms Needs to be “front end fast.” If there’s a virus, it can take longer. But most things are not viruses, so it should be as quick as possible to determine that the target is not there. No time allowed for front end setup. So, quick and simple wins out.

  17. Code Tracers Simplified emulation, but faster. Static emulation. Only have to know instruction length and flow transfer statements.

  18. Code Tracing, Case 1 Given a target COM file, For specific cases of known flow transfers (jmp, call, push/ret, minor variations of such), Get to a fixed location, start searching for viruses here. Problem cases: polymorphic entry code

  19. Code Tracing, Case 2 Given a target COM file, Trace code path through all available paths, until out of buffer. Remember opcodes. Use in opcode string matching. First time out of buffer, trace again. Remember opcodes again. Problem cases: Appending virus, appended to a small host.

  20. Code Tracing, Case 3 Given a target COM file, Organize your virus database according to the different types of entry code. Search against only those viruses that use that type of entry code. This is the current technique we’re using.

  21. Emulators Intel 80x86, primarily 8086. Now 80386 also needed. Portable. Apple emulation.

  22. Emulator Problems Prefetch queue length. How much of the environment do you include in the emulation? The “perfect” emulator takes too much time and memory. Result: Emulate situations required for known viruses. Needs upgrading to match reality.

  23. Code Matrix Matrix of opcode digraphs. Map the set of opcodes gathered from code trace onto the opcode digraphs of known viruses. If it does not match, it cannot be that virus. Add digraph matrices together to save memory space.

  24. Special Case Code • Loop detection. • Likely to need decrypting (emulate) • Probability distribution (a particular virus uses Rotates much too often). • Polymorphic viruses too difficult to handle otherwise.

  25. OLE2 Files (Macro Viruses) An OLE2 file is a filesystem in a file. It’s a proprietary format belonging to Microsoft. Cracking the OLE2 format was easy. Next comes the Word document stream, the Excel spreadsheet stream, WordBasic, Visual Basic, ...

  26. Other Macro Virus Issues Word6 macro encryption/protection is a single byte XOR. Key is available in document. Office97 macro protection is GUI only. Actual code is not encrypted at all. Excel95 password protection is almost trivial. Uses 16 byte XOR key with minor on-the-fly calculations.

  27. Other Macro Virus Issues... Office97 password protection against Open uses MD5. [Yuk!] PowerPoint97 streams stored as GZIP compressed data streams. WordBasic is tokenized language. VisualBasic is p-code. But there’s a separate compressed code body for “Edit.”

  28. Still More Macro Virus Issues VisualBasic5 now supported across other applications! Soon, we’ll have to crack other file formats, not just OLE2. VisualBasic6 coming out in next few months. Things can up-convert, some can downconvert. Emulators for all these languages!

  29. Virus Removal Must have “sufficient” variant determination. • Bytes to cut. • Where from. • Where to retrieve original information. • Where did the virus replace/take that original info from? Virus removal database does not need to stay in memory.

  30. Varient Determination Variant determination. • Different sizes. • Different CRC values over different ranges. • String found at different position. • The specific variant does something unique. Need to know this for user information.

  31. Side Effect Removal Virus Payloads affect: • Registry • Added instructions in files. (AUTOEXEC.BAT) • Additional files dropped. • Things added to WIN.INI. • “Bad sector” repair. • Anything software can do.

  32. Speed Issues Memory management. Memory, hard disk, floppy. 640K memory, XMS, EMS, 32-bit memory, memory swapping. Clean machine.

  33. Final Thought • Compare what was covered in this presentation against an access control package. • Project: The following files are allowed to be executed by this set of people. AND NOTHING ELSE!

  34. Questions & Answers

  35. Your Partner Against the Virus Problem

More Related