Detecting macro viruses- A TRIZ based analysis

Transcription

1 Detecting Macro Viruses A TRIZ Based Analysis Umakant Mishra Bangalore, India umakant@trizsite.tk Contents 1. Introduction to macro virus What is macro virus History of macro virus Characteristics of macro viruses Methods of detecting viruses Problems in detecting macro viruses Large number of new viruses created with high variation Signature scanning is not very effective in detecting macro virus Integrity checking is not useful for macro viruses All macros are not viruses Infected macros may still be useful Inventions on detecting and removing macro viruses System, Apparatus and Method for the Detection and Removal of Viruses in Macros (Patent ) Method and apparatus for protecting data files on a computer from virus infection (Patent ) Computer virus screening (Patent ) Method and apparatus for detecting a macro computer virus using static analysis (Patent ) Generic detection and elimination of marco viruses Summary...12 Reference: Introduction to macro virus There are different types of viruses, such as, boot sector viruses, macro viruses, worms, trojans horses etc. Although all of them are malware, their behaviors are different and their patterns of infection and transmission are also different. A macro virus is programmed in scripting languages and generally infects document files like Microsoft office documents, Lotus suite documents and similar files. Electronic copy available at:

2 1.1 What is macro virus A macro is a series of instructions, such as, menu selections, keystrokes and/or commands that are recorded and assigned a name or a key. Macros are generally triggered by pressing the key or by calling the macro name. But macros can also be arranged to execute automatically without any user input. Some macros are embedded within application data files to remain hidden. The macro viruses reside in macros and use macro instructions to perform unintended and sometimes damaging actions. As the macros reside in documents the macro viruses are document-based. They generally reside in word processing documents, spreadsheets and presentation files. The macro virus attacks a document by inserting a copy of itself into the file. Macro viruses can be stored in files with any extension and can spread via file transfer or even by . As the documents are now being widely shared through networks and over the Internet, the document-based viruses have become more prevalent. The macro viruses reside in data files without knowledge of the user and may execute upon some user actions or even without manual triggering by the user. 1.2 History of macro virus Macro virus is a recent type of virus written in the macro language like Visual Basic for Applications (VBA) used for programming macros in Office Suite applications. Any type of document that supports scripting languages can be susceptible to macro virus. In march 1999, a macro virus, known as the Melissa virus rapidly spread to millions of computer systems worldwide, causing hundreds of millions of dollars in lost productivity and snarling computer networks with large volumes of traffic. Macro viruses, such as the Melissa virus, operate by exploiting macro operations that often appear within documents used by applications, such as word processors like MS Word, which support macro operations. When the user opens a MS Word file infected by Melissa virus, the macro operations within the Word document will create 50 copies of an message and send to the addresses retrieved from the address book on the infected computer system. Similarly, Word Prank Macro virus or Concept virus infects all documents created by Microsoft Word program by inserting a copy of itself into the file. Electronic copy available at:

3 1.3 Characteristics of macro viruses # Macro viruses are written in macro languages like VBA, which is relatively easy to learn. Hence, a large number of new macro viruses are created on every day. # A macro virus resides in documents like word processing or spreadsheet. They don t reside in executable files. # A macro virus may act like an ordinary macro such as accessing files, sending s etc. It s not easy to determine whether a macro is suspicious or not. # The macro virus can infect a document, which the user has edited and saved using the application, and thinks to be genuine. The infection takes place without the user s knowledge. # Integrity checking does not work for macro viruses, as the susceptible files are documents which are edited by users. Heuristic scanning and emulation techniques are most effective to detect macro viruses. 1.4 Methods of detecting viruses There are several methods of detecting viruses. As the characteristics of different viruses are different all of them cannot be detected by one single method. Some of the important methods of virus detection are the following: Signature scanning The most common method of detecting virus is signature scanning. This method is useful for about 80% of viruses. This is implemented by scanning each file for extracted bytes or signatures form the virus. But signature scanning is useless for new viruses whose signatures are not known. Integrity checking Integrity checking is the fastest method of virus detection. The method checks a file with its backup copy (or checks its current checksum with a previously stored checksum) to detect any changes in between. This method works for system files that are generally not changed during the normal operation of a computer. But this method does not work for data files which are generally updated by users. Heuristic scanning Heuristic scanning does not scan for specific virus signatures but scans for virus-like codes. The scope of this method is larger as it can detect new and unknown viruses. Some heuristic methods use simulation and more complicated mechanism. 2. Problems in detecting macro viruses The macro viruses are easy to create but difficult to detect. Even for a virus scanner it is difficult to decide which macro is a virus and which macro is not, as a user macro may also create files, send s and do all such activities that a macro virus can do. Some of the important problems in detecting macro viruses are as follows.

4 2.1 Large number of new viruses created with high variation There are a large number of computer users who know how to use macro programming languages. So a large number of new macro viruses with high variation are created on every day. It may take long time to scan all possible means of detecting macro viruses. Ideal Final Result: # Macro programming languages should not allow creating macro viruses. # The documents should have built in defense for Macro viruses. Possible solutions: Apply only those tests, which detect macro viruses and don t apply the tests that are intended for detecting file or other viruses. 2.2 Signature scanning is not very effective in detecting macro virus Although signature scanning can detect macro viruses, it is not very effective as there are numerous new viruses with unknown signatures. Even if a comprehensive signature scanner were available, it would quickly become obsolete because of the ongoing generation and production of new, unknown macro viruses. Another problem with macro viruses is that they escape from the executable file scanners since they typically do not reside in executable files. They avoid detection since they can be hidden or embedded within data files. Ideal Final Result: # Ideally the computer should not allow macro viruses to enter. Possible solutions: Creating / extracting signatures directly on the client s machine. Using other methods of virus detection such as heuristic scanning. 2.3 Integrity checking is not useful for macro viruses The method of integrity checking is not useful for macro viruses as the files which are susceptible to macro viruses are generally the document files which are frequently modified by users. Hence, keeping hash values or snapshots for each of these modifications is not possible. 2.4 All macros are not viruses It is not easy to determine whether a macro is suspicious or not. For example, a macro operation that writes to a file may not be suspect by itself. But if a macro operation writes to a system configuration file then it may be considered as suspect. Besides, all suspicious macros may not be infected. Just analyzing which file it is writing to is not enough to take a decision. More analysis is required to determine a macro infection as otherwise it would result in false positives.

5 Ideal Final Result: # The uninfected macros should have some special characteristic that makes them easily differentiated from the infected macros. Possible solutions: Patent (detailed below) suggests checking the macros against three databases, viz., the database containing signatures of known viruses, database containing signatures of certified commercial macros and database containing local user created macros. 2.5 Infected macros may still be useful In some cases an infected file may be useful as it may still be doing some useful operation. Hence, just deleting the infected file along with the macro, or even deleting the infected macro may not be an attractive solution, as the infected macros may include useful legitimate operations that the user may want to retain. Ideal Final Result: # Remove the viruses from macros without deleting macros or host documents. Possible solutions: Detach the macros from documents, remove viruses from macros and then attach clean macros to documents (Patent ). 3. Inventions on detecting and removing macro viruses 3.1 System, Apparatus and Method for the Detection and Removal of Viruses in Macros (Patent ) Conventional virus detection techniques look for specific known viruses which are not effective for detecting macro viruses because the creation of new macro viruses are generally very fast. Similarly the conventional method of treating infected files, such as deleting.exe files, is also not suitable for treating macro viruses. There is a need to selectively remove viruses, particularly unknown viruses, from macros to provide a clean, corrected file, which can be subsequently used. System, apparatus and method for the detection and removal of viruses in macros (Patent ) Patent (invented by Chen, et al.) proposed a method which operates by scanning through a document looking for suspect macro operations.

6 The invention includes a macro locating and decoding module, a macro virus scanning module, a macro treating module, a file correcting module and a virus information module (Principle-40: Composite). The macro locating and decoding module determines whether a targeted file includes a macro. If a macro is found, it is decoded and stored in the data buffer (Principle-2: Taking out). Then the scanning module accesses the decoded macro and scans it to determine whether it includes any viruses. First the decoded macro is scanned for known viruses. If a known virus is found then the macro is flagged as infected. If a known virus is not detected the scanning module determines whether the decoded macro includes an unknown virus by checking whether the decoded macro includes a combination of suspect instructions. Then the macro-treating module locates the suspect instructions in the decoded macro using the comparison data and removes the suspect instructions to produce a cleaned or sanitized macro (Principle-2: Taking out). Finally the file-correcting module accesses the targeted file with infected macro and replaces the infected macro with the treated macro produced by the macro-treating module (Principle-5: Merging). A TRIZ based analysis: Although the scanning for viruses was known to the prior art, this invention makes it specific for the macro viruses as the method of treating macro viruses is different from treating other viruses. The invention first detaches the macro from the file (Principle-2: Taking out) then detaches the virus from the macro (Principle-2: Taking out) and finally joins the treated macro to the file (Principle-5: Merging). The invention provides a comprehensive solution using four interlinked modules (Principle-40: Composite).

7 3.2 Method and apparatus for protecting data files on a computer from virus infection (Patent ) In order to protect MS Word documents from macro viruses, Microsoft released a patch called scanprot.dot. Once installed the patch could trap certain open file events and examine whether the file is opened for possible virus infection. But the patch program suffered from the inherent disadvantage of being separate from the word processing program. For instance, if the patch program is not installed in a machine, it could become infected with the virus and result in spreading virus to other machines. Apart from that the patch program could not detect all types of external open file events as some of these events cannot be trapped by an external program like the patch program. There is a need to solve this problem. Method and apparatus for protecting data files on a computer from virus infection (Patent ) Patent (invented by Walsh, et al., assignee Microsoft Corporation, Sep 1999) discloses a virus protection system that is implemented as an internal component of an executable program, such as, MS Word application. This invented virus protection system is integrated with the Word processing program, such as, MS Word, and capable of trapping all file open events whether external (though file menu-> open) or internal (by an internal code layer). (Principle-5: Merging). The method first detects the open file event and then conducts an enquiry to determine whether the file contains a virus. If the file is detected as infected then it informs the user about the possible danger. If the file is unlikely to contain the virus the file is opened in response to the open file event.

8 In case an infection is detected, the method offers several options to the user viz., (1) open the document in safe mode, (2) proceed with normal opening of the document, (3) cancel document opening. If the user selects to open the document in safe mode then the document is opened without loading any attached macros or customizations (Principle-2: Taking out, Principle-39: Calm). While saving this document it is saved in save as mode instead of overwriting the existing file (Principle-26: Copy). The new method has the advantage that (1) the user need not download and install the patch program separately, (2) the integral solution can detect all types of file open event, whether internal or external, (3) can also detect open file events for files on remote servers. 3.3 Computer virus screening (Patent ) There is an inevitable time lag between a virus being released and its being identified. Secondly, the end users may be slow in updating their system with the latest virus signatures. This scenario becomes worse for macro viruses as they are very large in number and increasing at a fast pace. There is a need to treat the macro viruses without waiting for obtaining updated virus signatures. Computer virus screening (Patent ) Patent (invented by Hypponen, assignee Data Fellows Oyj, June 2003) discloses a method of detecting macro viruses based on the expected virus properties. The invention checks the macros against three databases, the first database containing the signatures of known viruses, the second database containing the signatures of known and certified commercial macros and a third database containing the known and certified local macro signatures (user created macros). If the signature of the macro is found in first database or not found in the second or third database then the user is given an alert (Principle-7: Nested doll). As it is not possible to detect all new macro viruses accurately, the method suspects all macros, which are not known to be either commercial macros or certified local macros, to be macro viruses (Principle-16: Partial or Excessive Action).

9 In the event the macro has a signature corresponding to a signature contained in the first database the anti-virus program takes the appropriate steps to heal the file. However if the signature of the macro is not found in the first database it is not given a clean cheat. If the signature is not found in the second and third database, it is suspected as a virus and the user is alerted. 3.4 Method and apparatus for detecting a macro computer virus using static analysis (Patent ) The macro virus is growing very fast in number. Although there are various techniques of detecting computer viruses like emulation and pattern matching etc. they are either time consuming or unable to detect new viruses. Therefore, there is a need for a method to detect new macro viruses without the time consuming processing involved in emulation.

10 Method and apparatus for detecting a macro computer virus using static analysis (Patent ) Patent (invented by Ko, assignee Networks Associates Technology, Feb 2004) proposes a method of detecting macro virus by statically analyzing macro operations within a document. The method first locates the macro operations within the document, and then performs a flow analysis on the macro operations within the document to determine associated values for variables within the macro operations. Next, the system compares the macro operations including the associated values for variables against a profile containing information about suspect macro operations and associated values for variables to determine whether the document contains suspect macro operations. If suspected, the system informs a user about the suspect macro operations. Note that it is possible to perform static analysis on macro viruses, because unlike other viruses that are propagated in executable code form, macro viruses are propagated in source code form, which is more amenable to static analysis than executable code. The flow chart below illustrates the operations involved in static analysis. First, a token analyzer converts macro operations into tokens. Then those tokens are fed into a parser that parses the tokens into intermediate form (Principle-1: Segmentation, Principle-28: Mechanics Substitution). Next, analyzer retrieves profile information about suspect macro operations from profile database and then performs flow analysis (including a control flow analysis and a data flow analysis) on the macro operations. This flow analysis determines the values for variables within the macro operations. Then the analyzer compares the macro operations against a profile containing information about suspect macro operations. According to the invention, when an infection is detected the system informs the user about the infection, and waits for a response from the user specifying the action to be taken on that document (Principle-23: Feedback). Based on the user response the system then either deletes the document or cleans the document to remove the suspect macro operations.

11 Generic detection and elimination of marco viruses The signature scanning method is capable of detecting only publicly identified macro viruses. Besides this method generally takes a long time to (i) gather a sample and send it to an anti-virus research center (ii) to develop a definition and (iii) to distribute the definition to the general public. The other method, known as heuristics method, can scan for newly developed macro viruses by searching strings of bytes that are indicative of viral behavior. The current heuristics are good at detecting new viruses that are variants of known viruses, but not so good at detecting new viruses that are not variants of known viruses. There is a need for a heuristics method which is capable of identifying both publicly identified macro viruses and publicly unidentified macro viruses, and capable of eliminating the macro viruses that are detected. Generic detection and elimination of marco viruses (Patent ) Patent (invented by Chi, assignee Symantec Corporation, Aug 2006) discloses a heuristics method of detecting both publicly identified macro viruses and publicly unidentified macro viruses. According to the invention, a detection module analyses the code to determine whether the macro contains instructions to be moved to a global environment and to be copied to a local document. When these two conditions are satisfied the detection module declares that a macro virus is present within the code. The invention couples a repair module with the detection module for deleting the malicious code. Alternatively if the user is willing to allow a longer time, the detection module can be made to handle string concatenation operators, proxied variable names, program calls and/or substituted object names.

12 The present invention uses heuristics that can determine effectively whether any given code contains a macro virus or not. It detects the macro viruses by scanning their generic behaviors, i.e., moving the code to the global environment (to be used by the application for all documents) and then copying the code to a local environment (to be used for a specific document). Thus it provides a generic method of detection and repairing for all kinds of macro viruses (Principle-6: Universality). 4. Summary A macro virus is programmed in scripting languages like VBA and can reside in documents like word processing or spreadsheet. Macro viruses are created in large numbers, as it is easy to create macro viruses. They spread at a high speed through s and sharing of documents through Internet. Signature scanning can detect macro viruses. But this method is not very effective as there are plenty of new macro viruses created on every day whose signatures are yet to be updated in the signature database. Integrity checking does not work for detecting macro viruses, as comparing checksums is not possible for document files, which are usually modified by users on a regular basis. A heuristic scanning is most effective to detect macro viruses of all types, old and new. The heuristic technique does not require exact signatures of known viruses. It just examines a target program and analyzes its code to determine if the code appears virus-like. It is difficult to differentiate a genuine macro and a virus macro as both of them do similar type of jobs. Suspecting a macro to be virus just because it is writing to a file may result in false positives. It is necessary to improve the emulation method, like statically analyzing macro operations within a document, to save system resources and detect macro viruses more effectively. Reference: 1. US Patent , System, Apparatus and Method for the Detection and Removal of Viruses in Macros, Inventor- Chen, et al., Assignee-, March US Patent , Method and apparatus for protecting data files on a computer from virus infection, Inventor- Walsh, et al., Assignee- Microsoft Corporation, Sep US Patent , Computer virus screening, Inventor- Hypponen, assignee Data Fellows Oyj, June US Patent , Computer virus screening, Inventor- Hypponen, assignee Data Fellows Oyj, June 2003

13 5. US Patent , Method and apparatus for detecting a macro computer virus using static analysis, Inventor- Ko, assignee Networks Associates Technology, Feb US Patent , Generic detection and elimination of marco viruses, Inventor- Chi, assignee Symantec Corporation, Aug Umakant Mishra, Solving Virus Problems by Anti-Virus Developers- A TRIZ Perspective, trizsite journal, March 2007, 8. Umakant Mishra, Overcoming limitations of Signature scanning- Applying TRIZ to Improve Anti-Virus Programs, trizsite journal, April 2007, 9. Umakant Mishra, The Revised 40 Principles for Software Inventions, trizsite journal, July 2006, US Patent and Trademark Office (USPTO) site,