VIRUS?
VIRUS: Vital Input Resource Under Siege
- A malicious program that causes instability in the computer.
- Reasons for creating such programs:
  - Criminal intent
  - Anti-establishment
  - Other motivations, etc.
- Some well-known viruses:
  - Yankee Doodle
  - Friday the 13th
  - System32
  - Dark Avenger
  - Brain
  - Scores, etc.
ANTIVIRUS?
- Programs that detect and remove viruses from an infected system and protect it against re-infection.
  - Mainly used to remove malware such as viruses, worms and trojan horses.
  - Also prevent and remove adware, spyware and other forms of malware.
How Does Antivirus Work?
- Signature vs. Behavior
  - Pattern matching: searches files for known malicious byte patterns (signatures).
    - Zero-day threats: malware for which no signature exists yet. These can only be caught by a heuristic approach, if at all.
  - Heuristic approach: identifies new viruses or variants by looking for code that resembles known malicious code (slight variations of such code).
  - Sandbox: files are run in an isolated environment so that they can be analyzed for malicious actions.
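The difference between an exact signature and a heuristic that tolerates "slight variations" is easiest to see in code. The following is an added example, not code from the slides or from any vendor's engine: a tiny scanner that supports plain signatures and masked signatures (wildcard bytes), run over two constructed byte strings, one being a trivially modified variant of the other. The signature bytes, the sample stubs and the names are all constructed for illustration.

```c
/* Added example (not from the original slides): exact signature matching
 * versus a masked "heuristic" signature that tolerates byte-level variants.
 * The sample buffers and signatures below are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A signature: bytes[i] must match unless mask[i] == 0 (wildcard byte). */
struct sig {
    const char *name;
    const uint8_t *bytes;
    const uint8_t *mask;   /* NULL means every byte is significant */
    size_t len;
};

/* Return the offset of the first match, or -1 if the signature is absent. */
static long scan_sig(const uint8_t *buf, size_t buflen, const struct sig *s)
{
    if (s->len == 0 || buflen < s->len)
        return -1;
    for (size_t off = 0; off + s->len <= buflen; off++) {
        size_t i;
        for (i = 0; i < s->len; i++) {
            if (s->mask && s->mask[i] == 0)
                continue;                      /* wildcard byte: anything matches */
            if (buf[off + i] != s->bytes[i])
                break;
        }
        if (i == s->len)
            return (long)off;
    }
    return -1;
}

/* Constructed "malicious" stub: two NOPs, mov eax, <imm32>, int 0x80.
 * The immediate is the part a variant author changes between releases. */
static const uint8_t sample_v1[] = { 0x90, 0x90, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xcd, 0x80 };
static const uint8_t sample_v2[] = { 0x90, 0x90, 0xb8, 0x02, 0x00, 0x00, 0x00, 0xcd, 0x80 };

/* Exact signature extracted from v1. */
static const uint8_t exact_bytes[] = { 0xb8, 0x01, 0x00, 0x00, 0x00, 0xcd, 0x80 };
static const struct sig exact_sig = { "stub.v1", exact_bytes, NULL, sizeof exact_bytes };

/* Masked signature: opcode and syscall fixed, the 4-byte immediate wildcarded. */
static const uint8_t masked_mask[] = { 1, 0, 0, 0, 0, 1, 1 };
static const struct sig masked_sig = { "stub.gen", exact_bytes, masked_mask, sizeof exact_bytes };

/* 1 = detected, 0 = missed. */
int exact_detects(const uint8_t *buf, size_t len)  { return scan_sig(buf, len, &exact_sig) >= 0; }
int masked_detects(const uint8_t *buf, size_t len) { return scan_sig(buf, len, &masked_sig) >= 0; }

int main(void)
{
    /* v1 is caught by both signatures; the v2 variant evades the exact one. */
    return !(exact_detects(sample_v1, sizeof sample_v1) &&
             !exact_detects(sample_v2, sizeof sample_v2) &&
             masked_detects(sample_v2, sizeof sample_v2));
}
```

The masked signature is the simplest form of the heuristic the slide describes: it encodes which bytes are structural and which are noise, so a one-byte change in the immediate no longer produces a miss. The cost is the same one real engines pay: the looser the mask, the more legitimate code it will also match.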
- Common Core Components
  - I/O filters
  - Format engines
- Standard Features
  - Updates
  - Multi-threat detection
- Common Configurations
  - Scan level
  - Scan sizes
  - Scan method
Uses Of Antivirus
- Antivirus is of great use when responding to an outbreak:
  - Scan all your systems for evidence of the virus.
  - Disconnect any infected systems from the network immediately.
  - Restore the infected systems from a clean backup.
Code Coverage - Core Utilities
- Read
  - Easy to spot
  - Closest audit point to untrusted input
  - Usually wrapped and buffered
  - Some truncate length
- Allocation
  - Any calculations on length are interesting
  - Usually wrapped
  - Some check for zero
  - Some add to length for internal headers
  - Some wrappers will truncate length
Code Coverage - Constructs
- Conversions
  - String/Number
  - Byte ordering
- Checksum, CRC, etc.
  - Easy to spot (ror, xor, etc. in a loop)
  - Gives untrusted input context
- Inherited File Structures & Commonly Grouped Processors
  - Are annoying to trace, due to indirection
  - Can reveal more subtle unchecked copies
  - Ex: Is MZ -> Is PE -> Is UPX
Audit Points - Inefficiencies
- Engine vs. Product differences
  - Can be an issue when the engine is stricter than the product
  - Ex: Recent multi-vendor zip issues
- Default Scan Levels
  - Can be an issue when the product does not require multiple extractions
  - Ex: Packed and SFX executables, where the payload sits behind a second layer the default scan level never unpacks
- File Size Limitations
  - Small archives can contain large files, so a size limit applied to the archive rather than to its decompressed contents is easily bypassed
- Format Collisions
  - Files conforming to multiple formats may be used to trick the engine's state and evade detection
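A format collision is concrete once you look at where the magic bytes of two formats sit. The following is an added example, not code from the slides or from any of the audited products: two toy identification routines run over a constructed buffer that is both MZ (bytes 0-1) and LHA (method id "-lhX-" at offset 2, after the header-size and checksum bytes). The first-match scanner only ever hands the file to the MZ/PE chain from the "Is MZ -> Is PE -> Is UPX" slide and never runs the LHA processor; this is the same shape as the McAfee result later in the deck (a malformed LHA file that also conforms to PECOFF). The magic checks are deliberately minimal and the format enum is constructed.

```c
/* Added example (not from the original slides): a constructed file that
 * satisfies two format magics at once. A scanner that stops at the first
 * recognised format ("trick state") never runs the other format's checks. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum fmt { FMT_MZ = 1, FMT_LHA = 2, FMT_ZIP = 4 };

/* Minimal magic tests. Real engines do far more, but the identification
 * step they start from looks like this. */
static int looks_like_mz(const uint8_t *b, size_t n)
{
    return n >= 2 && b[0] == 'M' && b[1] == 'Z';
}

/* LHA level 0/1 headers: [header size][header checksum]"-lhX-"...
 * so the method id sits at offset 2, right after the two bytes MZ claims. */
static int looks_like_lha(const uint8_t *b, size_t n)
{
    return n >= 7 && b[2] == '-' && b[3] == 'l' && b[4] == 'h' && b[6] == '-';
}

static int looks_like_zip(const uint8_t *b, size_t n)
{
    return n >= 4 && memcmp(b, "PK\x03\x04", 4) == 0;
}

/* Scanner A: first match wins and every later processor is skipped. */
int identify_first(const uint8_t *b, size_t n)
{
    if (looks_like_mz(b, n))  return FMT_MZ;
    if (looks_like_zip(b, n)) return FMT_ZIP;
    if (looks_like_lha(b, n)) return FMT_LHA;
    return 0;
}

/* Scanner B: every processor whose magic matches gets to run; the result
 * is a bitmask so the caller can see that a collision occurred. */
int identify_all(const uint8_t *b, size_t n)
{
    int mask = 0;
    if (looks_like_mz(b, n))  mask |= FMT_MZ;
    if (looks_like_zip(b, n)) mask |= FMT_ZIP;
    if (looks_like_lha(b, n)) mask |= FMT_LHA;
    return mask;
}

/* Constructed collision: "MZ" at offset 0 and "-lh5-" at offset 2. Read as
 * LHA, the header-size byte is 'M' (0x4d) and the checksum byte is 'Z';
 * the checksum is wrong, i.e. this is exactly a malformed LHA file. */
static const uint8_t collision[] = "MZ-lh5-\x00\x00\x00\x00";

int main(void)
{
    /* The first-match scanner only ever sees a PE-like file here. */
    return !(identify_first(collision, sizeof collision) == FMT_MZ &&
             identify_all(collision, sizeof collision) == (FMT_MZ | FMT_LHA));
}
```

The audit point is the control flow, not the magic bytes: wherever a product keys its later decisions (which processor runs, which signature set applies, which size limit is enforced) on a single "this is format X" result, a file that is also format Y reaches code paths the product believed it had already excluded.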
0-Day Detection
- Generally very minimal capabilities
  - Vendors effectively measure virus propagation by the number of infected customers.
- Evasion?
  - Write a new virus.
Audit Points - Memory Corruption
- Inconsistent Checks
  - Length type mismatches (signed vs. unsigned, 16-bit vs. 32-bit) can be abused to bypass checks, wrap allocations, and overflow copies
  - Negative offsets can be abused to bypass checks and overflow copies
- Wrappers
  - Allocators that modify length
  - Reads that truncate length (reduces the chance of an access violation when a negative-length copy overflows)
- Error-Prone Formats:
  - 32-bit fields
    - Interesting to examine sign and any calculations
    - Ex: PECOFF (packed & SFX), archives
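The three points above (a signed check that a negative length slips past, an allocator wrapper that adds room for its own header and wraps, and a 32-bit length field whose sign nobody examined) are one bug pattern. The following is an added example, not code from the slides or from any audited engine: a toy archive entry header with a signed 32-bit name length, the vulnerable check as an auditor would find it, a hardened check, and a parser built on the hardened one. The header layout, the 256-byte name limit and the 16-byte internal-header allocator are all constructed.

```c
/* Added example (not from the original slides): a toy archive entry header
 * with a 32-bit length field, the signed/unsigned check bypass and the
 * allocation wrap the slides describe, and a hardened version. The header
 * layout and the 16-byte internal-header allocator are constructed. */
#include <stdint.h>
#include <string.h>

#define MAX_NAME     256u   /* policy limit on the name field (constructed) */
#define INTERNAL_HDR 16u    /* bytes the wrapper prepends to every allocation */

struct entry_hdr {
    int32_t name_len;       /* signed on the wire in this toy format */
    /* name bytes follow */
};

/* The allocator wrapper many engines have: adds room for its own header.
 * With a 32-bit size, len + INTERNAL_HDR silently wraps for len near 2^32,
 * so a "checked" huge length turns into a tiny buffer. */
uint32_t wrapped_alloc_size(uint32_t len)
{
    return len + INTERNAL_HDR;
}

/* Vulnerable check, as an auditor would find it: signed compare, so
 * 0xFFFFFF00 (-256) passes "< MAX_NAME" and later becomes a huge size_t
 * in the copy that follows. */
int vuln_accepts_len(int32_t name_len)
{
    return name_len < (int32_t)MAX_NAME;   /* every negative length passes */
}

/* Hardened check: treat the field as unsigned, bound it before any
 * arithmetic, and make the no-wrap condition explicit. */
int safe_accepts_len(int32_t name_len)
{
    uint32_t len = (uint32_t)name_len;
    if (len > MAX_NAME)
        return 0;
    if (len > UINT32_MAX - INTERNAL_HDR)  /* implied by MAX_NAME, stated anyway */
        return 0;
    return 1;
}

/* Copy the name out of a raw header using the hardened check.
 * Returns bytes copied, or -1 on rejection. */
long parse_entry_name(const uint8_t *buf, size_t buflen, char *out, size_t outlen)
{
    struct entry_hdr h;
    if (buflen < sizeof h)
        return -1;
    memcpy(&h, buf, sizeof h);                      /* host byte order, toy format */
    if (!safe_accepts_len(h.name_len))
        return -1;
    uint32_t len = (uint32_t)h.name_len;
    if (len > buflen - sizeof h || len >= outlen)   /* bound against both buffers */
        return -1;
    memcpy(out, buf + sizeof h, len);
    out[len] = '\0';
    return (long)len;
}
```

When auditing, the three questions to ask of every length field are the ones this code answers in order: what type is it compared as, what arithmetic is done on it before allocation, and is the copy bounded by the destination as well as the source.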
  - String-based formats
    - These can be hard to implement correctly
    - String-to-number conversions are interesting
    - Ex: TNEF, MIME, PDF
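For string-based formats the length arrives as text, and the conversion routine is where the sign and range checks quietly disappear. The following is an added example, not code from the slides or from any audited product: a naive conversion of a length taken from a constructed MIME-style "Content-Length:" line next to a checked one that rejects signs, trailing junk, out-of-range values and anything above a policy limit. The header sample, the 1 MiB limit and the function names are constructed.

```c
/* Added example (not from the original slides): parsing a decimal length
 * from a text header (a constructed MIME-style "Content-Length:" line)
 * with a naive conversion next to a checked one. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY 1048576u   /* 1 MiB policy limit (constructed) */

/* Naive conversion: atoi has no error reporting. "-1" becomes -1, which a
 * later size_t cast turns into SIZE_MAX; out-of-range input is undefined
 * behaviour and in practice truncates or saturates. */
int naive_len(const char *s)
{
    return atoi(s);
}

/* Checked conversion: returns 1 and sets *out on success, 0 on any rejection.
 * Rejects sign characters, leading/trailing junk, ERANGE and policy overflow. */
int checked_len(const char *s, uint32_t *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || !isdigit((unsigned char)s[0]))   /* no '-', '+', whitespace */
        return 0;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || end == s)
        return 0;
    while (*end == ' ' || *end == '\r' || *end == '\n')  /* allow a line ending only */
        end++;
    if (*end != '\0')
        return 0;
    if (v > MAX_BODY)           /* also catches values above 2^32 on 64-bit long */
        return 0;
    *out = (uint32_t)v;
    return 1;
}

/* Pull the value of a "Content-Length:" line out of a constructed header
 * block and convert it with the checked routine. */
int header_content_length(const char *hdr, uint32_t *out)
{
    const char *key = "Content-Length:";
    const char *p = strstr(hdr, key);
    if (p == NULL)
        return 0;
    p += strlen(key);
    while (*p == ' ')
        p++;
    char val[32];                       /* value gets its own terminated buffer */
    size_t n = strcspn(p, "\r\n");
    if (n >= sizeof val)
        return 0;
    memcpy(val, p, n);
    val[n] = '\0';
    return checked_len(val, out);
}
```

The auditor's trick is the same as for binary fields: find the conversion, then follow the returned value to the allocation or copy and ask what happens when it is negative, zero, or larger than the type it is stored in.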
Audit Methodology
- Identify Utility Functions
  - Naming these will aid in tracing input later
  - Ex: Wrappers, file I/O, allocations
- Trace Untrusted Input
  - Examine data that influences:
    - Allocations
    - Copies
  - Structure members
    - Initializations are easy to spot
    - Use is less easy: binary search for the offset
- Reverse File Format Processors
  - Track class member offsets and sizes
  - Will reveal more subtle bugs
Audit Results
- Symantec
  - Unchecked offset when reconstructing the UPX PE header
  - Can be triggered by providing a negative offset into a prior heap chunk containing an MZ header with a crafted PE header
  - Heap overflow with no character restrictions
- McAfee
  - Improperly checked file name and path strlen in the LHA level 1 header
  - A signature in the .dat exists to detect malformed LHA files
  - Can be triggered by supplying a malformed LHA file that also conforms to the PECOFF format (a format collision that sidesteps the malformed-LHA signature)
  - Stack overflow with ASCII character restrictions
- TrendMicro
  - Improperly checked filename strlen in the ARJ header
  - Doesn't overflow the next chunk's header, but does corrupt various pointers, which results in the address of the filename being written to an arbitrary destination
  - Kernel heap overflow with ASCII character restrictions
- FSecure
  - Improperly checked filename strlen in the ARJ header
  - Standard heap overflow with ASCII character restrictions
Future Points of Interest
- Large Files
  - Signed checks
  - Type truncation
  - Integer overflows/wraps/underflows
  - IDA examples
- New Formats
  - Formats implemented due to bugs
  - Formats implemented due to wide use
- Product Administration
