03-05-2014, 10:58 AM
Virus vs Anti-Virus: The Arms Race
Attachment: Virus vs Anti-Virus.ppt (148.5 KB)
Viruses
A virus is “a program that can ‘infect’ other programs by modifying them to include a possibly evolved copy of itself.” - Fred Cohen
Fred Cohen seems to have been the first to define the term virus, but the concept had been discussed earlier and there were some viruses out in the wild before he began his research.
Example of a virus
In his 1984 Turing Award acceptance speech to the ACM, Ken Thompson related the story of how he modified the C compiler to insert a backdoor into the UNIX login program, and to insert his modifications into any C compiler compiled using his modified compiler.
Slick—no trace of the backdoor remains in any source code!
Virus example
The WM.Nuclear Microsoft Word macro virus infects Word documents during opening, saving, and printing by adding a set of macros to them. On April 5th it attempts to overwrite critical system files, and it occasionally adds the text "STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!" to the current document. (Information from Symantec’s security bulletin.)
Malware terminology
We found a web site listing 56 different terms related to viruses and malware, including:
backdoor
boot sector viruses
Encrypted virus
Hoax
Micro virus
…
Virus statistics
More statistics from the same site
A few hundred are for JavaScript, HyperCard, Perl, and other scripting languages. Few of these can spread beyond a few machines without the active support of the users.
150 are for the Atari
31 are native to the Macintosh, and only two of them are known to exist anymore
2 or 3 are viruses native to OS/2
Making matters worse…
Virus payloads may not trigger immediately. If a virus has few detectable side effects, it could spread without notice and become widespread before the payload is triggered.
Question: is it possible that there are viruses in the wild today that have infected large numbers of systems but have gone unnoticed because they have few if any side effects and have not yet triggered their destructive payloads?
Partitioning
If we can’t isolate systems and users from each other completely, maybe we can erect partitions to limit the spread of malware.
It was thought that the Bell-LaPadula model might help limit the spread of viruses, but Cohen reports that “viruses demonstrated the ability to cross user boundaries and move from a given security level to a higher security level.”
Bad news about partitioning
Transitivity is a problem:
“If there is a path from user A to user B, and there is a path from user B to user C, then there is a path from user A to user C with the witting or unwitting cooperation of user B.” – Cohen
The military uses a category system in which users can only access information needed for their current duties. But some users have simultaneous access to multiple categories…
Detection
If we can’t limit the spread of a virus, maybe we can find it and quarantine infected files…
Unfortunately, no general algorithm for detecting virus behavior is possible.
Cohen argues this by proposing a virus that infects only when the detection algorithm decides it isn’t a virus, so whichever verdict the algorithm returns is wrong for that program.
Anti-virus programs must therefore make do with more limited solutions, such as scanning for a virus signature.
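Cohen’s argument carried through in code, as an added example that is not part of the slides: a candidate detector is handed a program that asks the detector about itself and infects exactly when the answer is “clean”, so the detector is wrong on that program whichever way it decides. The three detectors and the list standing in for the file system are constructed for this illustration.

```python
# Cohen's diagonal argument, simulated. A "program" is a callable that receives
# a list standing in for the file system and returns True if it infected it.
from typing import Callable, List

Program = Callable[[List[str]], bool]
Detector = Callable[[Program], bool]   # True means "this is a virus"


def make_contrary(detector: Detector) -> Program:
    """Build the program Cohen describes: it consults the detector about
    itself and infects exactly when the detector says it is harmless."""
    def contrary(files: List[str]) -> bool:
        if detector(contrary):              # detector says "virus": stay benign
            return False
        files.append("copy-of-contrary")    # detector says "clean": infect
        return True
    return contrary


def verdict_is_wrong(detector: Detector) -> bool:
    """Run the detector on its own contrary program and compare the verdict
    with what the program actually did when executed."""
    contrary = make_contrary(detector)
    verdict = detector(contrary)
    files: List[str] = []
    infected = contrary(files)
    return verdict != infected


# Three candidate "general" detectors (constructed for this example).
def always_clean(program: Program) -> bool:
    return False


def always_virus(program: Program) -> bool:
    return True


def signature_scan(program: Program) -> bool:
    # Flags any program whose bytecode references an "append" attribute,
    # a crude stand-in for byte-signature scanning; it yields a false positive.
    return "append" in program.__code__.co_names


if __name__ == "__main__":
    for det in (always_clean, always_virus, signature_scan):
        print(f"{det.__name__:15s} wrong on its contrary program: {verdict_is_wrong(det)}")
```

The same construction mirrors the halting-problem reduction: the contrary program exists for every total detector, so no detector can be both general and correct.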
x86 binary obfuscation
If you create unused regions in the executable and fill them with garbage bytes, the variable-length nature of the x86 instruction set can cause disassemblers to think that the legitimate instructions following the garbage are in fact operands.
You can use a conditional branch whose condition is always satisfied as an unconditional jump; disassemblers assume that both the target address and the bytes immediately following the branch hold valid instructions, so garbage placed after the branch is decoded as code.
AV tool resistance to obfuscation
Christodorescu and Jha claim “the state of the art for malware detectors is dismal!”
They propose a testing technique and then use it to show that the tested virus scanners were not generally able to identify the sampled viruses when they were obfuscated by code reordering or encapsulation.