Virus Encryption
CS 450
Joshua Bostic
Topics
• Encryption as a deterrent to virus scans.
• History of polymorphic viruses.
• Use of encryption by viruses.
Why encrypt the code?
• The ability of a virus to change its code/form is known as polymorphism.
• Changing the code prevents anti-virus programs from matching the encrypted virus to well-known patterns for that virus.
How to find viruses
• If you find the code to decrypt the virus, then you can remove the virus.
• The solution is to make the decrypt code polymorphic as well.
• To do this the virus can scatter different parts of its code around by using jumps.
Repositioning of code
(Diagram with three labelled regions: "Program code"; "Portion of virus code and a jump to end of program code"; "Remainder of virus code".)
So now what?
• Encrypted polymorphic viruses are capable of fooling anti-virus for only so long.
• After enough versions of the decryption code are seen, virus scanners can detect in general what a virus will look like.
• This is done thanks to heuristics.
Heuristics
• Emulation and analysis.
• Emulation tests the questionable code in a virtual machine. If the code acts in a malicious way, it is considered a virus.
• Analysis views the code and determines its intent.
• Benefit: can find unknown variants.
• Con: can take a long time and can produce false positives.
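As an added example (not part of the original slides), the following Python toy models the point of the last three slides: why pattern matching on the stored bytes fails once the body is encrypted with a fresh key per infection, and why emulation, which lets the decryptor run before scanning, still catches every copy. The "virus body" is a constructed text string, the "decryptor" is a single-byte XOR, and all names and key values are made up for illustration.

```python
# Constructed stand-in for a constant virus body (plain text, not real code).
BODY = b"CONSTRUCTED-BODY: copy self into host, then jump back to host entry"
# A pattern-matching scanner keys on a fixed slice of the known body.
SIGNATURE = BODY[8:24]


def make_infection(key: int) -> bytes:
    """Model one encrypted infection: a 1-byte key header followed by the
    body XORed with that key. A new key per infection means no two stored
    copies share the body's bytes, which is what defeats pattern matching."""
    if not 1 <= key <= 0xFF:
        raise ValueError("key must be a non-zero byte")
    return bytes([key]) + bytes(b ^ key for b in BODY)


def signature_scan(sample: bytes) -> bool:
    """Pattern matching on the bytes exactly as stored on disk."""
    return SIGNATURE in sample


def emulate_and_scan(sample: bytes) -> bool:
    """Model emulation: run the (constant-behaviour) decryptor in a sandbox,
    then pattern-match the plaintext it produces. The decryptor here is the
    XOR with the key stored in the header."""
    key, payload = sample[0], sample[1:]
    decrypted = bytes(b ^ key for b in payload)
    return SIGNATURE in decrypted


def scan_corpus(keys):
    """Infect once per key, then count how many copies each method catches."""
    samples = [make_infection(k) for k in keys]
    return {
        "distinct_on_disk": len(set(samples)),
        "signature_hits": sum(signature_scan(s) for s in samples),
        "emulation_hits": sum(emulate_and_scan(s) for s in samples),
    }


if __name__ == "__main__":
    # Four infections with four constructed keys: four distinct byte strings,
    # zero signature hits, four emulation hits.
    print(scan_corpus([0x21, 0x5A, 0xC3, 0x7E]))
```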
Spreading
• The speed of mutation can also be controlled.
• Normally the encryption changes with every new infection, but the virus author can tune how fast the mutation happens.
• If the mutation is slow, it is harder to determine which different combinations of the code are still the same virus.
Current example
• Virut virus
• Infects .exe and .scr files.
• Each time it spreads it mutates.
• Opens a backdoor and connects to an Internet Relay Chat (IRC) server. This allows someone to remotely download malware onto the computer.
Early examples
• The Dark Avenger was one of the first polymorphic viruses.
• First noticed in the early 1990s.
• Would add extra code to .com and .exe files in MS-DOS.
• When the infected program had run 16 times, the virus would randomly overwrite a section of the hard drive.
• Was created in Bulgaria, but the creator is still unknown.
Inventor of polymorphism
• Fred Cohen invented polymorphism for viruses.
• Also credited with being the first to define the term computer virus.
• Currently works on virus defense techniques.
Other uses for encryption
• A virus can cause files to be encrypted.
• One virus that is known to do this is Gpcode.
• Gpcode encrypts some of your data and then offers to decrypt your data once you've paid a ransom.
• Gpcode uses 1024-bit RSA encryption.
• Encrypts files that end with doc, txt, pdf, xls, jpg, png, and others.
Work-arounds
• Kaspersky Labs (anti-virus company) suggests using PhotoRec to recover the encrypted data.
• PhotoRec is freeware.
• The only problem is that if the computer was turned off after it was infected, then PhotoRec won't work.
Full fixes
• Currently there is no known fix to the problem.
• Kaspersky is trying to find the proper key to decrypt the files, but nothing prevents the creator from changing the key.
• Kaspersky is also trying to find a solution to the virus itself.
Conclusion
• Use of encryption with polymorphism.
• Effects of polymorphism.
• Virus encryption.
Questions?
Resources
• http://vx.netlux.org/lib/static/vdat/tumisc76.htm
• Security in Computing
• http://vx.org.ua/lib/static/vdat/ephearto.htm
• http://www.infoworld.com/d/securitycentral/kaspersky-workaround-encryptionvirus-comes-catch-465
• http://voices.washingtonpost.com/securityfix/2008/06/ransomware_encrypts_victim_fil.html
• http://www.cgsecurity.org/wiki/PhotoRec