170 likes | 248 Vues
Explore the history, uses, and challenges of virus encryption with polymorphism, including detection methods, spreading tactics, and real-life examples. Learn about the implications, workarounds, and ongoing efforts to combat these threats.
 
                
                E N D
CS 450 Joshua Bostic Virus Encyption
topics • Encryption as a deterent to virus scans. • History of polymorphic viruses. • Use of encryption by viruses.
Why encrypt the code? • The ability of a virus to change it's code/form is known as polymorphism. • Changing the code prevents anti-virus programs from matching the encryped virus to well known patterns for that virus.
How to find viruses • If you find the code to decrypt the virus then you can remove the virus. • The solution is to make the decrypt code polymorphic as well. • To do this the virus can scatter different parts of it's code around by using jumps.
Repositioning of code Remainder of virus code Portion of virus code and a jump to end of program code Program code
So now what? • Encrypted polymorphic viruses are capable of fooling anti-virus for only so long. • After enough versions of the decryption code are seen virus scanners can detect in general what a virus will look like. • This is done thanks to heuristics.
Heuristics • Emulation and analysis. • Emulation tests the questionable code in a virtual machine. If the code acts in a malicious way it's considered a virus. • Analysis views the code and determines its intent. • Benefit: can find unknown variants. • Con: can take a long time and can produce false positives.
Spreading • Speed of mutation can also be controlled. • Encryption changes with every new infection, but this can be changed by how fast the mutation is. • If the mutation is slow then it makes it harder to determine what different combinations of the code are still the same virus.
Current example • Virut virus • Infects .exe and .src files. • Each time it spreads it mutates. • Opens a backdoor and connects to an internet relay chat server. This allows someone to remotely download malware onto the computer.
Early examples • The dark avenger was one of the first polymorphic viruses. • First noticed in the early 1990's. • Would add extra code to .com and .exe files in MS-DOS. • When the infected program ran 16 times the virus would randomly overwrite a section of the hard drive. • Was created in Bulgaria, but the creater is still unknown.
Inventor of polymorphism • Fred Cohen invented polymorphism for viruses. • Also credited with being the first to define the term computer virus. • Currently works on virus defense techniques.
Other uses for encryption • virus can cause files to be encrypted. • One virus that is known to do this is gpcode. • Gpcode encrypts some of your data and then offers to decrypt your data once you've paid a ransom. • Gpcode uses 1024 bit RSA encryption. • Encrypts files that end with doc, txt, pdf, xls, jpg, png, and others.
Work arounds • Kaspersky labs (anti-virus company) suggests using photorec to recover the encrypted data. • Photorec is freeware. • Only problem is that if you turned the computer off after your computer was infected then photorec won't work.
Full fixes • Currently there is no known fix to the problem. • Kaspersky is trying to find the proper key to decrypt the files, but nothing prevents the creater from changing the key. • Kaspersky is also trying to find a solution to the virus as well.
Conclusion • Use of encryption with polymorphism. • Effects of polymorphism. • Virus encryption.
resources • http://vx.netlux.org/lib/static/vdat/tumisc76.htm • Security in Computing • http://vx.org.ua/lib/static/vdat/ephearto.htm • http://www.infoworld.com/d/security-central/kaspersky-workaround-encryption-virus-comes-catch-465 • http://voices.washingtonpost.com/securityfix/2008/06/ransomware_encrypts_victim_fil.html • http://www.cgsecurity.org/wiki/PhotoRec • http://all.net/resume/bio.html • http://it.toolbox.com/wiki/index.php/Metamorphic_Code