THE ART OF COMPUTER VIRUS RESEARCH AND DEFENSE
By Peter Szor
Publisher: Addison Wesley Professional
Pub Date: February 03, 2005
ISBN: 0-321-30454-3
Pages: 744

Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools.

Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.

Szor presents the state of the art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.

Szor also offers the most thorough and practical primer on virus analysis ever published, addressing everything from creating your own personal laboratory to automating the analysis process.

This book's coverage includes:
- Discovering how malicious code attacks on a variety of platforms
- Classifying malware strategies for infection, in-memory operation, self-protection, payload delivery, exploitation, and more
- Identifying and responding to code obfuscation threats: encrypted, polymorphic, and metamorphic
- Mastering empirical methods for analyzing malicious code, and what to do with what you learn
- Reverse-engineering malicious code with disassemblers, debuggers, emulators, and virtual machines
- Implementing technical defenses: scanning, code emulation,
disinfection, inoculation, integrity checking, sandboxing, honeypots, behavior blocking, and much more
- Using worm blocking, host-based intrusion prevention, and network-level defense strategies

Copyright
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.
The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.
Symantec Press
Publisher: Linda McCarthy
Editor in Chief: Karen Gettman
Acquisitions Editor: Jessica Goldstein
Cover Designer: Alan Clements
Managing Editor: Gina Kanouse
Senior Project Editor: Kristy Hart
Copy Editor: Christal Andry
Indexers: Cheryl Lenser and Larry Sweazy
Compositor: Stickman Studio
Manufacturing Buyer: Dan Uhrig
The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:
U.S. Corporate and Government Sales
(800) 382-3419
corpsales@pearsontechgroup.com
For sales outside the U.S., please contact:
International Sales
international@pearsoned.com
Visit us on the Web: www.awprofessional.com
Library of Congress Number: 2004114972
Copyright © 2005 Symantec Corporation
All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:
Pearson Education, Inc.
Rights and Contracts Department
One Lake Street
Upper Saddle River, NJ 07458
Text printed in the United States on recycled paper at Phoenix BookTech in Hagerstown, Maryland.
First printing, February, 2005

Dedication
To Natalia

About the Author
Peter Szor is a world-renowned computer virus and security researcher. He has been actively conducting research on computer viruses for more than 15 years, and he focused on the subject of computer viruses and virus protection in his diploma work in 1991. Over the years, Peter has been fortunate to work with the best-known antivirus products, such as AVP, F-PROT, and Symantec Norton AntiVirus. Originally, he built his own antivirus program, Pasteur, from 1990 to 1995, in Hungary. Parallel to his interest in computer antivirus development, Peter also has years of experience in fault-tolerant and secured financial transaction systems development. He was invited to join the Computer Antivirus Researchers Organization (CARO) in 1997. Peter is on the advisory board of Virus Bulletin Magazine and a founding member of the AntiVirus Emergency Discussion (AVED) network. He has been with Symantec for over five years as a chief researcher in Santa Monica, California. Peter has authored over 70 articles and papers on the subject of computer viruses and security for magazines such as Virus Bulletin, Chip, Source, Windows NT Magazine, and Information Security Bulletin, among others. He is a frequent speaker at conferences, including Virus Bulletin, EICAR, ICSA, and RSA, and has given invited talks at such
security conferences as the USENIX Security Symposium. Peter is passionate about sharing his research results and educating others about computer viruses and security issues.

Who Should Read This Book
Over the last two decades, several publications appeared on the subject of computer viruses, but only a few have been written by professionals ("insiders") of computer virus research. Although many books exist that discuss the computer virus problem, they usually target a novice audience and are simply not too interesting for the technical professionals. There are only a few works that have no worries going into the technical details necessary to understand, and to effectively defend against, computer viruses. Part of the problem is that existing books have little, if any, information about the current complexity of computer viruses. For example, they lack serious technical information on fast-spreading computer worms that exploit vulnerabilities to invade target systems, or they do not discuss recent code evolution techniques such as code metamorphism.
If you wanted to get all the information I have in this book, you would need to spend a lot of time reading articles and papers that are often hidden somewhere deep inside computer virus and security conference proceedings, and perhaps you would need to dig into malicious code for years to extract the relevant details.
I believe that this book is most useful for IT and security professionals who fight against computer viruses on a daily basis. Nowadays, system administrators as well as individual home users often need to deal with computer worms and other malicious programs on their networks. Unfortunately, security courses have very little training on computer virus protection, and the general public knows very little about how to analyze and defend their network from such attacks. To make things more difficult, computer virus analysis techniques have not been discussed in any existing works in sufficient length before.
I also think that, for anybody interested in information security, being aware of what the computer virus writers have "achieved" so far is an important thing to know. For years, computer virus researchers used to be "file" or "infected object" oriented. To the contrary, security professionals were excited about suspicious events only on the network level. In addition, threats such as the CodeRed worm appeared to inject their code into the memory of vulnerable processes over the network, but did not "infect" objects on the disk. Today, it is important to understand all of these major perspectives (the file or storage view, the in-memory view, and the network view) and correlate the events using malicious code analysis techniques.
During the years, I have trained many computer virus and security analysts to effectively analyze and respond to malicious code threats. In this book, I have included information about anything that I ever had to deal with. For example, I have relevant examples of ancient threats, such as 8-bit viruses on the Commodore 64. You will see that techniques such as stealth technology appeared in the earliest computer viruses, and on a variety of platforms. Thus, you will be able to realize that current rootkits do not represent anything new!
You will find sufficient coverage on 32-bit Windows worm threats with in-depth exploit discussions, as well as 64-bit viruses and "pocket monsters" on mobile devices. All along the way, my goal is to illustrate how old techniques "reincarnate" in new threats and to demonstrate up-to-date attacks with just enough technical details.
I am sure that many of you are interested in joining the fight against malicious code, and perhaps, just like me, some of you will become inventors of defense techniques. All of you should, however, be aware of the pitfalls and the challenges of this field! That is what this book is all about.

What I Cover
The purpose of this book is to demonstrate the current state of the art of computer virus and antivirus developments and to teach you the methodology of computer virus analysis and protection. I discuss infection techniques of computer viruses from all possible perspectives: file (on storage), in-memory, and network. I classify and tell you all about the dirty little tricks of computer viruses that bad guys developed over the last two decades, and tell you what has been done to deal with complexities such as code polymorphism and exploits.
The easiest way to read this book is, well, to read it from chapter to chapter. However, some of the attack chapters have content that can be more relevant after understanding techniques presented in the defense chapters. If you feel that any of the chapters are not to your taste, or are too difficult or lengthy, you can always jump to the next chapter. I am sure that everybody will find some parts of this book very difficult and other parts very simple, depending on individual experience. I expect my readers to be familiar with technology and some level of programming. There are so many things discussed in this book that it is simply impossible to cover everything in sufficient length. However, you will know exactly what you might need to learn from elsewhere to be absolutely successful against malicious threats. To help you, I have created an extensive reference list for each chapter that leads you to the necessary background information. Indeed, this book could easily have been over 1,000 pages. However, as you can tell, I am not Shakespeare. My knowledge of computer viruses is great, not my English. Most likely, you would have no benefit of my work if this were the other way around.

What I Do Not Cover
I do not cover Trojan horse programs or backdoors in great length. This book is primarily about self-replicating malicious code. There are plenty of great books available on regular malicious programs, but not on computer viruses.
I do not present any virus code in the book that you could directly use to build another virus. This book is not a "virus writing" class. My understanding, however, is that the bad guys already know about most of the techniques that I discuss in this book. So, the good guys need to learn more and start to think (but not act) like a real attacker to develop their defense! Interestingly, many universities attempt to teach computer virus research courses by offering classes on writing viruses. Would it really help if a student could write a virus to infect millions of systems around the world? Will such students know more about how to develop defense better?
Simply, the answer is no. Instead, classes should focus on the analysis of existing malicious threats. There are so many threats out there waiting for somebody to understand them and do something against them. Of course, the knowledge of computer viruses is like the "Force" in Star Wars. Depending on the user of the "Force," the knowledge can turn to good or evil. I cannot force you to stay away from the "Dark Side," but I urge you to do so.

Acknowledgments
First, I would like to thank my wife Natalia for encouraging my work for over 15 years! I also thank her for accepting the lost time on all the weekends that we could have spent together while I was working on this book.
I would like to thank everybody who made this book possible. This book grew out of a series of articles and papers on computer viruses, several of which I have co-authored with other researchers over the years. Therefore, I could never adequately thank Eric Chien, Peter Ferrie, Bruce McCorkendale, and Frederic Perriot for their excellent contributions to Chapter and Chapter 10.
This book could not be written without the help of many friends, great antivirus researchers, and colleagues. First and foremost, I would like to thank Dr. Vesselin Bontchev for educating me in the terminology of malicious programs for many years while we worked together. Vesselin is famous ("infamous?") for his religious accuracy in the subject matter, and he greatly influenced and supported my research.
A big thank you needs to go to the following people who encouraged me to write this book, educated me in the subject, and influenced my research over the years: Oliver Beke, Zoltan Hornak, Frans Veldman, Eugene Kaspersky, Istvan Farmosi, Jim Bates, Dr. Frederick Cohen, Fridrik Skulason, David Ferbrache, Dr. Klaus Brunnstein, Mikko Hypponen, Dr. Steve White, and Dr. Alan Solomon.
I owe a huge thanks to my technical reviewers: Dr. Vesselin Bontchev, Peter Ferrie, Nick FitzGerald, Halvar Flake, Mikko Hypponen, Dr. Jose Nazario, and Jason V. Miller. Your encouragements, criticisms, insights, and reviews of early handbook manuscripts were simply invaluable.
I need to thank Janos Kis and Zsolt Szoboszlay for providing me access to in-the-wild virus code for analysis, in the days when the BBS was the center of the computing universe. I also need to thank Gunter May for the greatest present that an east European kid could get: a C64.
A big thanks to everybody at Symantec, especially to Linda A. McCarthy and Vincent Weafer, who greatly encouraged me to write this book. I would also like to thank Nancy Conner and Chris Andry for their outstanding editorial work. Without their help, this project simply would never have finished. I also owe a huge thanks to Jessica Goldstein, Kristy Hart, and Christy Hackerd for helping me with the publishing process all the way.
A big thanks to all past and present members of the Computer Antivirus Researchers Organization (CARO), VFORUM, and the AntiVirus Emergency Discussion (AVED) List for all the exciting discussions on computer viruses and other malicious programs and defense systems.
I would like to thank everybody at Virus Bulletin for publishing my articles and papers internationally for almost a decade and for letting
me use that material in this book. Last but not least, I thank my teacher parents and grandparents for the extra "home education" in math, physics, music, and history.

Contact Information
If you find errors or have suggestions for clarification or material you would like to see in a future edition, I would love to hear from you. I am planning to introduce clarifications, possible corrections, and new information relevant to the content of this work on my Web site. While I think we have found most of the problems (especially in those paragraphs that were written late at night or between virus and security emergencies), I believe that no such work of this complexity and size can exist without some minor nits. Nonetheless, I made all the efforts to provide you with "trustworthy" information according to the best of my research knowledge.
Peter Szor, Santa Monica, CA
pszor@acm.org
http://www.peterszor.com

Figure. The memory layout and control flow during a Witty worm attack (figure label fragment: "worm start code located at step")

Note: Be extremely cautious when you analyze computer worms in a debugger, because break-point instructions such as 0xCC opcodes might be inserted into the code flow of the replicas. A good practice is to throw away the results of all replicas after such analysis.

15.4.4.9 Virus Analysis on Steroids
Finally, we arrive at the discussion of my favorite tool. Indeed, you can hardly find a better tool that suits your analysis needs than the one that you design and build yourself. We built the Virus Analysis Toolkit (VAT) to simplify many difficult analysis tasks, such as exact identification, manual definition creation, and polymorphic virus analysis. We built VAT (shown in Figure 15.25) at Data Fellows (now called F-Secure) in 1997. In its underlying concept, VAT is similar in its capabilities to expert systems [15]. (I need to give huge credit to Jukka Kohonen for his excellent skills in UI development, which enabled the re-creation of my vision of the tool 100%.)

Figure 15.25 VAT with a W95/Zmist-infected file loaded into the emulator

The heart of VAT is a powerful code emulator. It can understand different file formats, so it can easily load files such as COM, EXE, PE, and so on. Just as in a debugger, you can trace the execution of programs, but the virus code has no way to infect your system because it runs in the software-emulated environment. Because everything is virtualized, difficult antidebugging tricks are handled easily in VAT. For example, the emulator supports exception handling, so it can bypass many tricks unnoticeably.
One of the basic advantages of VAT is that you can place break points anywhere. Normally, you need to trace a polymorphic decryptor in a debugger until it decrypts enough code (at least one byte) where you wish to put a break point. Not so in VAT, because the emulator does not need an INT 3-based break point.
Figure 15.25 shows a W95/Zmist-infected application loaded into VAT for emulation. As explained in Chapter , "Advanced Code Evolution Techniques and Computer Virus Generator Kits," Zmist integrates itself into the code flow of the host code. Figure 15.25 shows how the polymorphic decryptor of Zmist starts with a PUSH instruction right after a conditional jump of the host code. I can set the instruction pointer (EIP) directly to that location and let the code execute in VAT.
VAT can track all changed bytes in the virtual memory and show them highlighted in red. This is very useful for seeing decrypted code. VAT automatically stops and offers a break point when suspicious code snippets are executed, such as a CALL to a POP instruction, typical in viruses. It also stops the emulation whenever decrypted code is executed in the virtual machine. Thus, I can simply run the virus within the emulator and wait until it decrypts itself for me.
Figure 15.26 shows a decrypted area of the metamorphic virus body of Zmist under a layer of encryption. You can notice the metamorphic code by reading the code carefully. For example, you can see a MOV EDX, EDX instruction in Figure 15.26, which is one of many garbage instructions inserted into the code flow. At this point in the disassembly, you can see a tricky MZ comparison obfuscated with a NEG instruction. In Figure 15.26, you also can see some other garbage instructions, such as MOV EDI, EDI, and a PUSH EDX / POP EDX pair. Check the code carefully around the Mistfall sign, and you can see how this signature of the metamorphic engine is placed on the stack in decrypted form, signaling the start of the metamorphic engine.
Indeed, Zmist is currently among the hardest viruses to detect. The great difficulty of the virus detection arises not only because the virus uses polymorphic and metamorphic code, but because there are also hidden characteristics of these engines. For example, the metamorphic engine uses garbage code insertion and an equivalent instruction generator. The trick is that the garbage code can be mutated into instructions that produce the equivalent result when executed. To control the growth of the virus body, a garbage collector is used; however, the garbage collector will not recognize all forms of the metamorphic garbage instructions. This feature (a possible bug?) introduces unexpected code growth that will look unnatural at first glance, but it is really "generated" by the strange interaction of the metamorphic engine routines.
VAT can open several applications in parallel and run emulation instances multithreaded. This is very useful because after each emulated and decrypted instance, individual copies of the virus bodies can be compared to each other using VAT commands. This can highlight the similar code in the virus body in the different instances and greatly help to obtain exact identification. Of course, metamorphic viruses can easily attack such comparisons, but even highly polymorphic viruses can be compared using this option. VAT also can save the decrypted code from the virtual machine's memory back to a file, such as a PE image. This is a very useful feature because the decrypted binary can be loaded quickly into an IDA session for further analysis and commenting.
Interestingly, emulation-based debugging is gaining popularity. I tried to encourage the developers of IDA to build such an emulator years ago, but I was unsuccessful. To my surprise, an IDA user, Chris Eagle, built an IDA plug-in called ida-x86emu [16] with support for some of the most common Intel CPU instructions. Although this emulator is still somewhat limited, I suggest you look into it because it is distributed as a GNU project and demonstrates Windows API emulation. Although the x86emu plug-in does not support features such as the floating point unit and the MMX instruction set as of yet, it demonstrates the basis of the idea of emulation-based analysis. Currently there is no support to run the code until a break-point condition, because Chris considered it a dangerous operation due to some limitations. You can try to use this emulator to trace UPX and other similar packers in IDA, just like I do in VAT. I hope you will find it as exciting an experience as I do!
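The two automatic break conditions described above (stop the first time control transfers into bytes the program itself wrote, because that is decrypted code, and stop on a CALL whose target is a POP) can be implemented as a small monitor that an emulator calls on every memory store and instruction fetch. The following Python is an added example written for this edition; it is not VAT's code and does not emulate x86 itself. The image, the XOR "decryptor" loop that is driven by hand, the EmulationMonitor class and its hook names are all constructed assumptions.

```python
import struct


class EmulationMonitor:
    """Hypothetical monitor an emulator would call on every memory store and
    instruction fetch. It remembers which bytes the emulated program wrote
    since the image was loaded, breaks on the first transition into such
    bytes (decrypted code being executed), and breaks on a CALL rel32 whose
    target byte is a POP r32 opcode (the get-PC idiom). Not VAT's code."""

    def __init__(self, image: bytes, base: int):
        self.base = base
        self.mem = bytearray(image)      # constructed image, loaded at `base`
        self.dirty = set()               # addresses written since load
        self.in_dirty = False            # currently executing written bytes?
        self.breaks = []                 # (eip, reason) pairs offered to the analyst

    def _off(self, addr: int) -> int:
        off = addr - self.base
        if not 0 <= off < len(self.mem):
            raise IndexError(f"address {addr:#x} outside the image")
        return off

    def write(self, addr: int, data: bytes) -> None:
        """Emulator hook for a memory store: apply it and mark the bytes dirty."""
        off = self._off(addr)
        self.mem[off:off + len(data)] = data
        self.dirty.update(range(addr, addr + len(data)))

    def fetch(self, eip: int, length: int) -> bytes:
        """Emulator hook before an instruction executes. Returns the instruction
        bytes and records any break condition that applies at this EIP."""
        off = self._off(eip)
        insn = bytes(self.mem[off:off + length])
        dirty_now = any(a in self.dirty for a in range(eip, eip + length))
        if dirty_now and not self.in_dirty:          # clean -> written-code transition
            self.breaks.append((eip, "decrypted code executed"))
        self.in_dirty = dirty_now
        if length == 5 and insn[0] == 0xE8:          # CALL rel32
            rel = struct.unpack("<i", insn[1:5])[0]
            target = eip + 5 + rel
            toff = target - self.base
            if 0 <= toff < len(self.mem) and 0x58 <= self.mem[toff] <= 0x5F:  # POP r32
                self.breaks.append((eip, f"CALL to POP at {target:#x}"))
        return insn


def demo():
    """Drive the monitor through a constructed decrypt-then-execute sequence."""
    base, key, payload_off = 0x401000, 0x5A, 0x20
    # plaintext of the 'encrypted' region: CALL $+5 / POP EBP, then NOP padding
    plain = bytes([0xE8, 0, 0, 0, 0, 0x5D]) + b"\x90" * 10
    image = b"\x90" * payload_off + bytes(b ^ key for b in plain)
    mon = EmulationMonitor(image, base)
    payload = base + payload_off
    # the decryptor loop: the emulator reports each XOR store back to the monitor
    for i in range(len(plain)):
        mon.write(payload + i, bytes([mon.mem[payload_off + i] ^ key]))
    mon.fetch(payload, 5)          # control transfers into freshly written bytes
    mon.fetch(payload + 5, 1)      # still inside them: no second 'decrypted' break
    decrypted_ok = bytes(mon.mem[payload_off:payload_off + len(plain)]) == plain
    return mon.breaks, decrypted_ok
```

Reporting only the clean-to-dirty transition, rather than every fetch from written memory, is what keeps the "decrypted code executed" break from firing on each instruction of the decrypted body; a real emulator would also want to re-arm it when a second decryption layer writes the region again.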
15.5 Maintaining a Malicious Code Collection
My space is running out for discussion of the malicious code analysis process, but I need to talk about one more very important subject: virus collection maintenance. It is extremely important to save your analysis for future reference. Malicious code needs to be classified into families, and this process can be more efficient if you have saved old analyses of malicious code and its samples. A good read on collection maintenance is a paper by Vesselin Bontchev [17], which I strongly recommend. Good AV detection and repair, heuristics, and generic detection cannot be developed without a well-maintained collection.

15.6 Automated Analysis: The Digital Immune System
In the previous sections, I detailed the basic principles of manual malicious code analysis. This chapter would not be complete without a discussion of automated code analysis techniques, such as the Digital Immune System operated by Symantec. DIS was developed by IBM Research starting around 1995 [18]. There are three major analyzer components of the system, supporting DOS viruses, macro viruses, and Win32 viruses. DIS supports automated definition delivery to newly emerging threats via the Internet, end-to-end. Figure 15.27 shows a high-level data flow of DIS.

Figure 15.27 A high-level view of the Digital Immune System

There are a number of inputs to the system from the customer side to the vendor side via the cluster of customer gateways. Obviously, there are a number of firewalls built in on both the customer side and the vendor side, but these are not shown, to simplify the picture [19]. The system developed by IBM can handle close to 100,000 submissions per day.
The input to the system is a suspicious sample, such as a possibly infected file, which is collected by heuristics built into antivirus clients. The output is a definition that is delivered to the client who submitted the suspicious object for analysis. Several clients can communicate with a quarantine server at corporate customer sites. The quarantine server synchronizes definitions with the vendor and pushes the new definitions to the clients. Individual end users also can send submissions to the system via their built-in AV quarantine interface. Suspicious samples also can be delivered from attack quarantine honeypot systems.
The automated analysis center processes the submission and creates definitions that can be used to detect and disinfect new threats. Alternatively, submissions are referred to manual analysis, which is handled by a group of researchers.
The heart of the automated analysis center is based on the use of an automated computer virus replication system. In late 1993, Ferenc Leitold and I realized the need for a system to replicate computer viruses automatically. When we attempted to create a collection of properly replicated samples from a large collection of virus-infected sample sets, we observed that computer virus replication is simply the most time-consuming operation in the process of computer virus analysis [20]. A replicator system can run a virus in a controlled way until it infects new objects, such as goat files. The infected objects are collected automatically and stored for future analysis. This kind of controlled replication system was also developed by Marko Helenius at the University of Tampere for the purpose of automated antivirus testing [21]. On the other hand, IBM built on the groundwork of replication systems that used virtual machines, such as Bochs (http://bochs.sourceforge.net), in modified forms using the principles of generic disinfection. IBM researchers realized that heuristic generic disinfection (discussed in Chapter 11, "Antivirus Defense Techniques") was essential to achieving automated definition generation. The principle of generic disinfection is simple: If you know how to disinfect an object, you can detect and disinfect the virus in an automated way.
Figure 15.28 shows the process of automated virus detection and repair definition generation. The input of the system is a sample of malicious code. The output is either an automated definition or a referral to manual analysis, which results in a definition if needed.

Figure 15.28 The automated definition-generation process in DIS

In the first step, the sample arrives at a Threat Classifier module [22]. In this step, the filtering process takes place first, analyzing the format of the possibly malicious code and referring it accordingly to a controller module. Unrecognized objects go to manual analysis. The filtering process involves steps that were previously discussed as part of the manual analysis process. It is important to understand that multiple analysis processes can take place simultaneously.
In the second step, a replication controller runs a number of replication sessions. The replicator fires up a set of virtual machines, or alternatively real systems, to test-replicate computer viruses. For example, documents containing macros are loaded into an environment in which Microsoft Office products are available. The replication process uses modules loaded into the system that run the viruses. The virtual machines run monitoring tools that track file and Registry changes, as well as network activity, and save such information for further analysis. The replicator loads and runs more than one environment, starting with a clean state each time, until a predefined number of steps is reached or until the virus is
successfully replicated. If insufficient information is collected about the computer virus in any of the test environments, the controller sends the samples to manual analysis. Otherwise, the controller passes information to the analyzer module. In turn, the analyzer checks the data, such as the infected goat files, and attempts to extract detection strings [23] from them (or uses alternative methods). If this step fails, for example if the virus is metamorphic, the replicated sample set will be forwarded to manual analysis.
If the analyzer can create definitions to detect and disinfect the virus, it passes the definition to a builder module. The builder takes the source code of the definition and compiles it to new binary definitions. At this point, a temporary name is assigned to the new viral threat automatically. The temporary name is later changed based on classification by a researcher. Finally, the builder passes the compiled definitions to a tester module. The tester module double-checks the correctness of the definition and tests it for false positives. If a problem is detected in any of the previous steps, the sample set is forwarded to manual analysis. Otherwise, the definition is ready and is forwarded to the definition server and then to the system that submitted the sample. For example, the W32/Swen.A@mm worm was automatically handled by DIS as Worm.Automat.AHB. There is nothing more fascinating than an outbreak that requires no humans to respond to it.
Kyle, PC Interrupts, Addison-Wesley, Reading, Massachusetts, 1991, ISBN: 0-201-57797-
5. File Formats Information, www.wotsit.org
6. Ian Whalley, "An Environment for Controlled Worm Replication and Analysis (or: Internet-inna-Box)," Virus Bulletin Conference, 2000, pp. 77-100.
7. Nmap ("Network Mapper"), http://www.insecure.org/nmap/
8. Costin Raiu, private communication, 2004.
9. Eugene Suslikov, HIEW, http://www.serje.net/sen/
10. Matt Pietrek's home page, http://www.wheaty.net
11. Neil J. Rubenking, "Stay In Control," PC Magazine, http://www.pcmag.com/article2/0,1759,25475,00.asp
12. Joe Wells, Documentation of the Smart-Goat Files, 1993.
13. Pavel Baudis, private communication, 1997.
14. Ed Skoudis with Lenny Zeltser, Malware: Fighting Malicious Code, Prentice Hall, Upper Saddle River, New Jersey, 2004, ISBN: 0-13-101405-
15. Dr. Klaus Brunnstein, Simone Fischer-Hubner, and Morton Swimmer, "Concepts of an Expert System for Computer Virus Detection," IFIP TC-11, 1991.
16. Chris Eagle, IDA-X86emu, http://sourceforge.net/projects/ida-x86emu
17. Vesselin Bontchev, "Analysis and Maintenance of a Clean Virus Library," Virus Bulletin Conference, 1993, pp. 77-89.
18. Jeffrey O. Kephart, Gregory B. Sorkin, William C. Arnold, David M. Chess, Gerald J. Tesauro, and Steve R. White, "Biologically Inspired Defenses Against Computer Viruses," IJCAI, August 1995, pp. 985-996.
19. Jean-Michel Boulay, private communication, 2004.
20. Ferenc Leitold, "Automatic Virus Analyser System," Virus Bulletin Conference, 1995, pp. 99-108.
21. Marko Helenius, "Automatic and Controlled Virus Code Execution System," EICAR, 1995, pp. T3, 13-21.
22. Steve R. White, Morton Swimmer, Edward J. Pring, William C. Arnold, David M. Chess, and John F. Morar, "Anatomy of a Commercial-Grade Immune System," Virus Bulletin Conference, 1999, pp. 203-228.
23. Jeffrey O.
Kephart and William C. Arnold, "Automatic Extraction of Computer Virus Signatures," Virus Bulletin Conference, 1994, pp. 178-184.

Chapter 16. Conclusion

"I do not like to collect my own paintings. I know what is missing from each of them!"
Endre Szasz

Our journey in computer virus research is coming to an end. Unfortunately, a number of topics could not be discussed in detail because of space limitations. Writing this book was a major task, and the process was exhausting. During 2004, computer worm attacks increased dramatically, pressuring Symantec Security Response and computer virus researchers around the world. At the same time, I have spent all my weekends during the last 12 months working on this book, and it was my fascination with the topic that kept me going. Indeed, there are no vacations in security, but I definitely need one!

When I finished the first 10 chapters, I realized how much more I could say about attacks, but discussing attacks any further would have left no space for defense methods. The number of attacks is overwhelming, as I believe the balance of attack and defense coverage of this book demonstrates.

I hope that you have found this book valuable and interesting. I also hope that you will continue to show interest in computer viruses and join the fight against them. Perhaps you will roll out your own antivirus software one day. Really, it is up to you now; you know the state of the art in computer virus and defense techniques. Just as you cannot become an artist just by going to a museum, you cannot become a master of computer virus defense by reading even a dozen books on the subject. What you need is to practice the art.

In this book, I attempted to offer useful information according to my best knowledge. Many books dealing with the subject of malicious code or computer viruses discuss important computer virus techniques only in appendices, often with a large number of technical errors. So-called "well-known facts" about computer viruses and security are often based on anecdotes unrelated to technical realities. So if you are familiar with some of these "facts," you will find some contradicting information in several chapters of this book. I believe that security research must evolve in exactly the same way as any other science. In science, it is typical to question a "known fact." In doing exactly that, I found fairly important details that have led to new realizations, ultimately contributing to the evolution of the art. I encourage you to do the same!

I appreciate your attention and the time that you have spent reading this book. I hope that you will be able to help less experienced people deal with computer viruses and security issues in the future. The rest of this chapter offers references to useful Web sites, discussions, and information related to computer viruses and security. I wish you good luck with your fight against computer viruses, and I hope to meet you at one of the conferences or on the Net!
Further Reading

This short section lists a few sites you can use to stay up to date on computer virus and security information. Because virus writers and other malicious hackers are continuously inventing new attacks, you must continuously educate yourself about new trends.

Information on Security and Early Warnings

Read information about new computer viruses, malicious code, adware, and spyware attacks at Symantec Security Response, located at http://securityresponse.symantec.com.

Read Security Focus at http://www.securityfocus.com. You will find much useful and up-to-date information on security and daily practice. You can also access the valuable BugTraq mailing list at this location to stay current with platform and product vulnerabilities and related information.

Read the Internet security information posted on CERT at http://www.cert.org.

Visit the SANS Institute's Reading Room regularly at http://www.sans.org/rr.

Read the NTBUGTRAQ archives at http://www.ntbugtraq.com. You can also subscribe to the mailing list at this location.

Consider joining AVIEWS, organized by AVIEN, to get more information about computer viruses and protect your organization better from such attacks. You can find their site at http://www.aviews.net.

Security Updates

Keep yourself and your computer up to date! Look for information about Microsoft product updates at the following places:

Search Microsoft Security Bulletins at http://www.microsoft.com/technet/security/currentdl.aspx

Read the most recent security updates at http://www.microsoft.com/security/bulletin/default.mspx

Use Windows Update at http://www.windowsupdate.com to deliver critical security updates to your system.

Read, and use, the page with critical Internet Explorer updates at http://www.microsoft.com/windows/ie/downloads/default.mspx

Find updates for Office products at http://office.microsoft.com/home/default.aspx

Computer Worm Outbreak Statistics

You can read more on the spread of computer worms here:

CAIDA offers worm outbreak information, such as the spread of the Slammer and Witty worms, at http://www.caida.org/analysis/security. You will also find analysis based on the use of "network telescopes."

Computer Virus Research Papers

Fred Cohen's site at http://all.net contains interesting articles and papers on computer viruses and security.

Vesselin Bontchev's home page, with a number of scientific papers on computer viruses, is at http://www.people.frisk-software.com/~bontchev/index.html.

Prof. Eugene Spafford's home page, with a number of interesting papers on computer viruses, ethics, and security, is located at http://cerias.purdue.edu/homes/spaf.

Read more research and white papers on computer viruses via references collected by Kurt Wismer. This comprehensive list includes references to the work of over 100 leading computer virus researchers. You can find this page at http://members.tripod.com/~k_wismer/papers.htm.

Contact Information for Antivirus Vendors

Table 16.1 lists contact information for antivirus vendors in alphabetical order.

Table 16.1. Common Certified Antivirus Software Vendors

Vendor                                      Web Site
ALWIL Software                              http://www.avast.com
Authentium ("Command Software")             http://www.authentium.com
Cat Computer Services                       http://www.quickheal.com
Computer Associates                         http://www.ca.com/etrust
Cybersoft                                   http://www.cyber.com
DialogueScience                             http://www.dials.ru
ESET Software                               http://www.nod32.com
F-Secure ("Data Fellows")                   http://www.f-secure.com
Freedom Internet Security                   http://www.freedom.net
Frisk Software                              http://www.f-prot.com
GFI MailSecurity                            http://www.gfi.com/mailsecurity
GeCAD (acquired by Microsoft Corporation)   http://www.ravantivirus.com
Grisoft                                     http://www.grisoft.com
H+BEDV Datentechnik                         http://www.antivir.de
HAURI                                       http://www.hauri.co.kr
Hacksoft                                    http://www.hacksoft.com.pe
Hiwire Computer & Security                  http://www.hiwire.com.sg/antivirus/index.htm
Ikarus                                      http://www.ikarus.at
Kaspersky Labs                              http://www.kaspersky.com
Leprechaun Software                         http://www.leprechaun.com.au
MKS                                         http://www.mks.com.pl
MessageLabs                                 http://www.messagelabs.com
MicroWorld Software                         http://www.microworldtechnologies.com
Network Associates                          http://www.nai.com
Norman Data Defense Systems                 http://www.norman.com/no
Panda Software                              http://www.pandasoftware.com
Per Systems                                 http://www.perantivirus.com
Portcullis Computer Security                http://www.portcullis-security.com
Proland Software                            http://www.pspl.com
Reflex Magnetics                            http://www.reflex-magnetics.co.uk
Safetynet                                   http://www.safe.net
Software Appliance Company                  http://www.softappco.com
Softwin                                     http://www.bitdefender.com
Sophos                                      http://www.sophos.com
Stiller Research                            http://www.stiller.com
Sybari Software                             http://www.sybari.ws
Symantec Corporation                        http://www.symantec.com
Trend Micro Incorporated                    http://www.trendmicro.com
VirusBuster Ltd.                            http://www.virusbuster.hu/en

Antivirus Testers and Related Sites

In this section, I present information about antivirus tests and related sites. Please note that each of these independent sites uses a very different test methodology.

Virus Bulletin's site is at http://www.virusbtn.com. Here you can read AV comparisons, find information about VB 100%-certified products, and get independent antivirus advice. You can find the most recent version of the VGrep tool on this site as well. There is also an archive of past issues with the best computer virus analyses available. You also can purchase a subscription to the magazine, which is currently £195 for one year.

The most recent independent antivirus tests of the University of Hamburg's Virus Test Center (VTC) are at http://agn-www.informatik.uni-hamburg.de/vtc. The VTC is led by Prof. Dr. Klaus Brunnstein.

AV-Test.org also produces independent antivirus tests, a project of the University of Magdeburg in cooperation with AV-Test GmbH of Andreas Marx. You can find this site at http://www.av-test.org.

ICSA Labs, a division of TruSecure Corporation, also performs Anti-Virus Certifications and issues ICSA Labs Certifications. You can find their home page at http://www.icsalabs.org/html/communities/antivirus.

Although EICAR (European Institute for Computer Antivirus Research) does not perform tests directly, it provides the eicar.com file for antivirus testing. This file contains code that is encoded in a large string so it can be cut and pasted into a file to test your antivirus software's ability to detect a virus without using an actual virus for the task. This file is detected by most antivirus programs under names similar to EICAR_Test_File. Unfortunately, the original EICAR test file was abused by virus writers because the first specification of the test file did not present formalized criteria of what needed to be detected exactly and what should not. Therefore, some viruses, such as batch and script malware, included the string in themselves to mislead users into thinking that the file containing the virus was harmless. The exact specifications of the EICAR test file have been updated recently, and antivirus product developers are advised to follow the detection according to the new specifications at http://www.eicar.org/anti_virus_test_file.htm.

SC Magazine also performs security product evaluations via West Coast Labs' Checkmark Certification. You can find their site at http://westcoastlabs.org.

The WildList Organization International has produced the WildList of Computer Viruses every month since 1993, based on reports collected worldwide. The WildList is used by several antivirus certifications. You can find the WildList at http://www.wildlist.org.

The Virus Research Unit of the University of Tampere in Finland has been inactive for some time. However, it is expected to resume performing antivirus tests, led by Dr. Marko Helenius. You can find its site at http://www.uta.fi/laitokset/virus.

Another new antivirus certification program has been implemented by Dr. Leitold Ferenc in Hungary, located at http://www.checkvir.com.

Andreas Clementi is also implementing a new certification program, which is available for products that use their own engine only.
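The EICAR paragraph above explains why the test-file specification had to be formalized: a scanner that fires on the string anywhere in a file is satisfied by any script that merely embeds it, whereas a scanner that applies the formalized acceptance criteria flags only the genuine test file. The following added example (not code from the book, from EICAR, or from any product) contrasts the two rules. The criteria encoded here are my reading of the published specification, to be checked against the EICAR page cited in the text: the file begins with the 68-byte string, anything after it is limited to whitespace (space, tab, LF, CR, Ctrl-Z), and the whole file is at most 128 bytes. All sample files are constructed, and the script sample is a harmless placeholder.

```python
"""Naive versus formalized EICAR test-file matching.

Added example, not the book's or EICAR's code.  The acceptance rules are
an assumption based on the published EICAR specification; verify them
against http://www.eicar.org/anti_virus_test_file.htm before relying on
them in a product."""

from typing import Dict, Tuple

# The standard 68-byte EICAR test string (the backslash is escaped for Python).
EICAR_STRING = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}"
                b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

MAX_FILE_LEN = 128            # assumed cap from the specification
TRAILING_OK = b" \t\n\r\x1a"   # assumed permitted trailer: whitespace and Ctrl-Z


def naive_match(data: bytes) -> bool:
    """The weak rule the text warns about: fire on the string anywhere."""
    return EICAR_STRING in data


def strict_match(data: bytes) -> bool:
    """The formalized rule: string first, optional whitespace only, length cap.

    A script that embeds the string elsewhere, or follows it with commands,
    or pads the file beyond the cap, is *not* the EICAR test file."""
    if len(data) > MAX_FILE_LEN or not data.startswith(EICAR_STRING):
        return False
    tail = data[len(EICAR_STRING):]
    return all(byte in TRAILING_OK for byte in tail)


# Constructed sample files covering the genuine file and three look-alikes.
SAMPLES: Dict[str, bytes] = {
    "genuine": EICAR_STRING,
    "genuine with CRLF": EICAR_STRING + b"\r\n",
    "string embedded in a script (constructed, harmless)":
        b"@echo off\r\nREM " + EICAR_STRING + b"\r\necho placeholder\r\n",
    "string first, followed by other content":
        EICAR_STRING + b"\r\necho placeholder\r\n",
    "string first, padded past 128 bytes": EICAR_STRING + b" " * 100,
}


def evaluate(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """For each sample: (naive verdict, strict verdict)."""
    return {name: (naive_match(data), strict_match(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (naive, strict) in evaluate().items():
        print(f"{name:55s} naive={naive!s:5s} strict={strict}")
```

Under the naive rule every sample is "the EICAR file", which is exactly the confusion the text describes; under the formalized rule only the first two are, and a scanner is free to go on and examine the remaining files for what they really contain.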