Parasitics: The Next Generation
Vitaly Zaytsev, Abhishek Karnik, Joshua Phillips

Agenda
- Overview
- W32/Xpaj analysis
- Overview of a virtual machine
- Software protection trends
- W32/Winemmem analysis
- W32/Induc analysis
- Future trends

Overview
- Chart: Reported parasitic viruses ITW (2003-2010)
- Chart: Reported number of infections (2003-2010)
Traditional anti-virus defense strategy
Detection methods:
- X-Ray
- Behavioral analysis
- Heuristic-based scanning
- Wildcards + pattern matching
Main disinfection components:
- The location of the malicious code
- The location of the decryption keys
- The decryption algorithm
- The location of the original code
- The original entry point
Simple detection algorithm:
1) Check for the presence of malicious properties
2) Identify the entry point and locate the virus decryptor
3) Apply generic decryption and heuristic templates
4) "See through" the encryption by emulating the code
5) Identify virus body code sequences and detect the parasitic code
W32/Xpaj analysis
- Code integration
- Anti-heuristics tricks
- Virtual machine
- File infection and payload

W32/Xpaj challenges
- Recognizing a virus decryptor that is randomly spread throughout the original code
- Recognizing malicious code that does not modify the properties of the infected program
Code Integration (diagram)
Labels: Original file; Infected file; Overwritten subroutine; Virus code; Redirection to virus decryptor.

Code Integration (diagram)
Labels: Original file; Infected file; Subroutine A, Subroutine B, Subroutine C; Call Subroutine B; Hijacked call; VM dispatcher; VM handlers; VM byte code; Stolen bytes; Encrypted virus body.
Legend: Original code; Virus code; Virus body; Overwritten instructions; VM byte code.
Anti-heuristics tricks
Suspicious characteristics / marks of infection:
- Suspicious section characteristics and alignment
- Incorrect virtual size in the PE header
- Code execution starts in the last section
- Abnormal cavities between section boundaries
- Possible "gap" between sections
- Suspicious code redirection (cross-section jumps)
- Unusual imports
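The marks above are what a traditional heuristic scanner checks for and what W32/Xpaj is built to avoid triggering. As an added example (not from the talk), the code below parses a PE section table and flags the structural marks from this list; the header builder and the two sample layouts are constructed for the test and are not real samples.

```python
import struct
def build_pe(sections, entry_point, align=0x1000):
    """Constructed minimal PE32 header (headers only, no section data) for exercising the checks.
    sections: list of (name, VirtualAddress, VirtualSize, Characteristics)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)             # e_lfanew -> NT headers at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)                     # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, align, 0x200)                   # SectionAlignment, FileAlignment
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0x400, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

def parse(pe):
    """Return (AddressOfEntryPoint, SectionAlignment, [(name, va, vsize, characteristics)])."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec, opt_size = struct.unpack_from("<H", pe, nt + 6)[0], struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24
    ep, align = struct.unpack_from("<I", pe, opt + 16)[0], struct.unpack_from("<I", pe, opt + 32)[0]
    secs = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        secs.append((f[0].rstrip(b"\0").decode(), f[2], f[1], f[9]))
    return ep, align, secs

def infection_marks(pe):
    """Flag the structural marks of infection listed on the slide; none of them alone is proof."""
    ep, align, secs = parse(pe)
    up = lambda x: -(-x // align) * align                            # round up to SectionAlignment
    owner = next((s for s in secs if s[1] <= ep < s[1] + up(s[2])), None)
    marks = []
    if owner is None:
        marks.append("entry point outside every section")
    else:
        if len(secs) > 1 and owner is secs[-1]:
            marks.append("code execution starts in the last section")
        if not owner[3] & 0x20000000:                                # IMAGE_SCN_MEM_EXECUTE
            marks.append(f"entry point in non-executable section {owner[0]}")
    for a, b in zip(secs, secs[1:]):
        if b[1] % align:
            marks.append(f"{b[0]} VirtualAddress not aligned to SectionAlignment")
        if b[1] > up(a[1] + a[2]):
            marks.append(f"cavity between {a[0]} and {b[0]}")
    return marks

TEXT, DATA = 0x60000020, 0xC0000040                  # constructed samples; flags: code r-x, data rw-
CLEAN = build_pe([(".text", 0x1000, 0x500, TEXT), (".data", 0x2000, 0x100, DATA)], 0x1100)
SUSPECT = build_pe([(".text", 0x1000, 0x500, TEXT), (".data", 0x9000, 0x100, DATA)], 0x9010)
```

SUSPECT models the classic appended-section infection (entry point moved into a non-executable last section behind a cavity); a code-integrating virus that leaves the section table untouched produces an empty list here, which is exactly why the talk moves on to emulation and VM analysis.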
Virtual Machine
Main functions:
1) Implements the virus decryptor
2) Decrypts the virus body
3) Complicates static analysis of the virus decryptor
4) Conceals the performance impact of the VM

Virus Decryptor
1) Spread across the code section
2) Implemented in a stack-based VM
3) Converted to byte code
4) Interpreted by the VM dispatcher

Virtual Machine handlers
W32/Xpaj VM handlers: each VM handler executes a small code stub that computes the right value for the current operation type.
Software Protection Trends
- Encryption
- Polymorphism/Metamorphism
- Packers
- Obfuscators
- Anti-debugging tricks
- Anti-emulation tricks

Enter the Virtual Machine
- Virtual machines represent a significantly harder form of software protection that proves extremely resilient to reverse engineering.
- Driven by the commercial software protection industry: VMProtect, ASProtect, SVKP, Themida, Code Virtualizer, StarForce.
- They vary from the simple (older VMProtect) to the complex (Themida).

Virtual Machine - Overview
- Fetch-Decode-Execute: the loop responsible for retrieving and executing each virtual instruction.
- Context: the internal state of the virtual machine.
- Handlers: native machine code responsible for carrying out the logic of each virtual instruction.
- Bytecode: the instructions that the virtual machine interprets.
Fetch - Decode - Execute
VMProtect Opcode Handlers
Virtual Machine Based Obfuscation
- Randomly generated opcodes
- Junk opcodes
- Multiple opcodes that perform the same action
- Obfuscated handlers
- Encrypted bytecode
- Obfuscated fetch-decode-execute loop
- Obfuscation applied to the bytecode itself
- Multiple virtual machine instances
- Multiple virtual machine architectures (RISC, CISC, etc.)

Virtual Machine Analysis Techniques
- By hand: locate the bytecode, context and handlers; determine the architecture of the VM
- Blackbox analysis: easily identifies the overall behavior of the sample
- Custom disassembler: when possible, greatly simplifies understanding the VM
- Deobfuscation of the implementation and handlers: tool-assisted deobfuscation (Metasm); apply deobfuscation or decryption to the handlers
- Generate equivalent native code: rewrite the binary, replacing the VM with native code
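As an added example (not from the talk), here is a toy stack VM with the four components named in the overview slide (fetch-decode-execute loop, context, handlers, bytecode) running a byte-code decryptor over a constructed buffer, together with the custom disassembler the analysis slide recommends. The ISA, its encoding and the sample data are constructed for this page and are not Xpaj's or VMProtect's.

```python
# Constructed toy ISA: opcode -> (mnemonic, operand bytes). Not Xpaj's or VMProtect's real encoding.
OPS = {0x01: ("push", 1), 0x02: ("load", 0), 0x03: ("store", 0), 0x04: ("xor", 0),
       0x05: ("add", 0), 0x06: ("dup", 0), 0x07: ("jnz", 1), 0x08: ("halt", 0)}

def decode(code, pc):
    """Decode one virtual instruction into (mnemonic, operand or None, next pc)."""
    name, nargs = OPS[code[pc]]
    return name, (code[pc + 1] if nargs else None), pc + 1 + nargs

def disassemble(code):
    """Custom disassembler: once the ISA is recovered, lift the bytecode to readable mnemonics."""
    out, pc = [], 0
    while pc < len(code):
        name, arg, pc_next = decode(code, pc)
        out.append(f"{pc:02x}: {name}" + ("" if arg is None else f" {arg:#04x}"))
        pc = pc_next
    return out

def run(code, mem, max_steps=10_000):
    """Fetch-decode-execute loop; context = (pc, operand stack, data memory); handlers do the work."""
    pc, st, mem = 0, [], bytearray(mem)
    def store(_):                                    # pops value, then address
        val = st.pop()
        mem[st.pop()] = val
    handlers = {"push": lambda a: st.append(a),
                "load": lambda _: st.append(mem[st.pop()]),
                "store": store,
                "xor": lambda _: st.append(st.pop() ^ st.pop()),
                "add": lambda _: st.append((st.pop() + st.pop()) & 0xFF),
                "dup": lambda _: st.append(st[-1])}
    for _ in range(max_steps):
        name, arg, pc_next = decode(code, pc)        # fetch + decode
        if name == "halt":
            return bytes(mem)
        if name == "jnz":                            # control flow is resolved by the dispatcher
            pc = arg if st.pop() else pc_next
            continue
        handlers[name](arg)                          # execute
        pc = pc_next
    raise RuntimeError("step limit exceeded")

KEY, PLAIN = 0x5A, b"hello, vm"                      # constructed sample key and "virus body"
ENCRYPTED = bytes(b ^ KEY for b in PLAIN)
DECRYPTOR = bytes([0x01, 0x00, 0x06, 0x06, 0x02,    # 00: push 0 | 02: dup dup load       ; i i mem[i]
                   0x01, KEY, 0x04, 0x03,            # 05: push KEY xor store              ; mem[i] ^= KEY
                   0x01, 0x01, 0x05, 0x06, 0x01, len(PLAIN), 0x04,  # 09: push 1 add dup push n xor ; i+1, (i+1)^n
                   0x07, 0x02, 0x08])                # 10: jnz 0x02 | 12: halt
def decrypt():
    return run(DECRYPTOR, ENCRYPTED)
```

Statically, the native handlers show only small stack operations; the XOR loop becomes visible only once the bytecode is lifted with disassemble() or the dispatcher is run, which is the analysis problem the slides describe.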
File infection and Payload
- Infects Win32 PE files (exe, dll, sys, scr, etc.)
- Downloads position-independent code (plugins)
- Increases the virtual size of the section containing the virus body by 150KB
- Accepts only digitally signed payloads and commands
- Uses a sophisticated domain-generation algorithm to create and query a list of random domains
- Sends information about the infected system to the C&C server (OS version, Service Pack, IP, etc.)

W32/Winemmem analysis
- Package infection and integrity check bypass
- EP hijacking
- System DLL infection
- On-the-fly physical file modifications

W32/Winemmem device driver
- No modifications to system kernel structures
- Bypasses the sharing violation error for running processes
- MmFlushImageSection() destroys the image section and returns any used pages to the free list

W32/Induc
- The virus copies malicious code into the SysConst.pas file, part of the Delphi installation
- Renames the existing SysConst.dcu to SysConst.bak
- Creates a new SysConst.dcu by compiling the malicious SysConst.pas
- Deletes the original SysConst.pas
- Any file subsequently compiled with Delphi will have the viral code included in it

Future trends
- Monetary gain
- Viruses are no longer loud, ubiquitous and destructive
- Bot harvesting
- Intense use of polymorphic techniques aimed at circumventing current AV scanners
- VM-based obfuscators avoid detection and increase the effort needed to analyze a malware sample