McAfee AV Presentation 10/95


Who’s watching your network
Deep Inside an AntiVirus Engine
Network Associates, Inc.
Jimmy Kuo
Director, AV Research
[email protected]
Stanford, 16MAR99

Agenda
Short description of viruses
Environments
Purposes of an antivirus engine
Detection technologies
Virus removal technologies
Wrap-up

Viruses
Replicate!

Virus Types
File Viruses
Com, Exe (DLL, VxD), Bat, Sys, mIRC, Html
Boot Viruses
Boot Sector
Master Boot Records
Macro Viruses
Word, Excel, PowerPoint, Access
Multipartite

Virus growth through the years: [bar chart; years 1990 through 1998 on the x-axis, 0 to 40000 on the y-axis]
*Dr Solomon’s count of viruses and trojans

Environment Determination
PC
OLE2 files
Compressed files
Self-extracting files
.BAT files, mIRC script, VB Script
UNIX filesystems

Protocols
FTP
HTTP
SNMP
SMTP
NNTP
TCP/IP
Mime, uuencode, SSL, PGP

Purpose
We deal with users with problems on their computer, problems they do not know how to handle.
1. Relieve the panic.
2. Understand the problem.
3. Resolve what the user understands to be the problem.

McAfee (NAI) Mantra
1. Detect all viruses.
2. The program is running on a clean machine.
3. Don’t give them a reason not to use your product.

The Technology

Signature Search
Data organization
– In memory
– On disk
Only things essential to detection are stored in memory. Names, repair information, virus information all stored on disk.

Signature Organization, Case 0
All strings kept in memory.
All strings of the same type.
Method died out when viruses neared 1000.

Signature Organization, Case 1
Split into virus types: Boot viruses, File viruses (Algorithmic detection, CRC detection), Macro viruses.
Boot virus strings swapped to disk. Pull it in only if target file looks like a boot image. (55AA signature)
CRCs used for those viruses that don’t change. Keep verification information on disk.

Signature Organization, Case 2
All detection strings kept in memory.
• Sorted into separate bins.
• Only the particular bin that could contain the virus string is stored in low memory.
• All else stored in EMS or XMS.
Virus removal information and names stored on disk.

Signature Organization, Case 3
All detection strings stored in memory.
Some are classed as “not necessary for the average user” and not used unless specifically requested.
All verification information stored on disk (or EMS or XMS if available).
Strings sorted into groups which have common start characteristics.

Signature Search Algorithms
Needs to be “front end fast.” If there’s a virus, it can take longer. But most things are not viruses, so it should be as quick as possible to determine that the target is not there.
No time allowed for front end setup.
So, quick and simple wins out.
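The Case 3 grouping and the “front end fast” requirement together, as an added example that is not from the presentation or NAI’s engine: detection strings are binned by their first byte, so at each offset of the target one table lookup rejects almost everything and the full compare runs only for the few candidates. The signature names and bytes are constructed placeholders.

```python
# Added example (not from the presentation): a "front end fast" signature
# search in the Case 3 style. Detection strings are binned by their first
# byte, so at each file offset only the one bin that could match is checked;
# most offsets hit an empty bin and are rejected with a single table lookup.

# Constructed, placeholder signatures (hypothetical names, not real strings).
SIGNATURES = {
    "Placeholder.A": bytes.fromhex("b8004cbb0100cd21"),
    "Placeholder.B": bytes.fromhex("e80000005d81ed"),
    "Placeholder.C": bytes.fromhex("fa33c08ed0bc00"),
}

def build_bins(signatures):
    """Group strings by first byte; the bin index is that byte value. This
    setup is one pass over the database, done once, not per target file."""
    bins = [[] for _ in range(256)]
    for name, sig in signatures.items():
        bins[sig[0]].append((sig, name))
    for bucket in bins:                  # longest first: most specific wins
        bucket.sort(key=lambda t: len(t[0]), reverse=True)
    return bins

def scan(data, bins):
    """Return (name, offset) of the first string found, or None."""
    for i in range(len(data)):
        bucket = bins[data[i]]
        if not bucket:                   # the common case: reject at once
            continue
        for sig, name in bucket:
            if data.startswith(sig, i):  # full compare only for candidates
                return name, i
    return None

# Constructed sample target: 40 filler bytes, Placeholder.B, then 16 NOPs.
SAMPLE = bytes(range(0x20, 0x48)) + SIGNATURES["Placeholder.B"] + b"\x90" * 16

def demo():
    """Scan the constructed sample and a clean buffer of zero bytes."""
    bins = build_bins(SIGNATURES)
    return scan(SAMPLE, bins), scan(b"\x00" * 4096, bins)

if __name__ == "__main__":
    print(demo())
```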

Code Tracers
Simplified emulation, but faster.
Static emulation.
Only have to know instruction length and flow transfer statements.

Code Tracing, Case 1
Given a target COM file,
For specific cases of known flow transfers (jmp, call, push/ret, minor variations of such),
Get to a fixed location, start searching for viruses here.
Problem cases: polymorphic entry code
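A Case 1 static tracer, as an added example that is not from the presentation or NAI’s engine: it follows only jmp short, jmp near and call near from the COM entry point (the push/ret variant is left out) and reports the offset where straight-line code begins, which is where the signature search would start. The sample COM layout is constructed; a polymorphic decryptor at the entry would stop this tracer at the decryptor, which is the problem case the slide names.

```python
# Added example (not from the presentation): a static code tracer in the
# Case 1 style. Starting at the COM entry point (file offset 0, address
# CS:0x100) it follows only the flow transfers it knows (jmp short, jmp near,
# call near) and reports the offset where straight-line code begins. No
# emulation: only instruction lengths and relative targets are needed.
ORG = 0x100                 # COM files are loaded at CS:0x100

def trace_entry(code, max_steps=32):
    """Return (offset, reason). reason is 'code' when a non-transfer opcode is
    reached, 'loop' if an offset repeats, 'oob' if the path leaves the buffer
    (or the segment below 0x100), 'limit' after max_steps transfers."""
    ip, seen = 0, set()
    for _ in range(max_steps):
        if ip < 0 or ip >= len(code):
            return ip, "oob"
        if ip in seen:
            return ip, "loop"
        seen.add(ip)
        op = code[ip]
        if op == 0xEB and ip + 2 <= len(code):            # jmp short rel8
            rel = int.from_bytes(code[ip + 1:ip + 2], "little", signed=True)
            ip = ip + 2 + rel
        elif op in (0xE9, 0xE8) and ip + 3 <= len(code):  # jmp/call near rel16
            rel = int.from_bytes(code[ip + 1:ip + 3], "little", signed=True)
            ip = ((ORG + ip + 3 + rel) & 0xFFFF) - ORG    # wrap inside 64K
        else:
            return ip, "code"
    return ip, "limit"

# Constructed sample: an appended-virus layout. The patched entry jumps near
# to 0x40, where the body starts with a jmp short over two data bytes to the
# real code at 0x44; that is the fixed location where searching would begin.
SAMPLE = (b"\xE9\x3D\x00" + b"\x90" * 61             # host with patched entry
          + b"\xEB\x02" + b"VX"                      # body: skip 2 data bytes
          + b"\xB8\x00\x4C\xCD\x21")                 # straight-line code

if __name__ == "__main__":
    print(trace_entry(SAMPLE))                       # (68, 'code')
```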

Code Tracing, Case 2
Given a target COM file,
Trace code path through all available paths, until out of buffer. Remember opcodes. Use in opcode string matching.
First time out of buffer, trace again. Remember opcodes again.
Problem cases: Appending virus, appended to a small host.

Code Tracing, Case 3
Given a target COM file,
Organize your virus database according to the different types of entry code.
Search against only those viruses that use that type of entry code.
This is the current technique we’re using.

Emulators
Intel 80x86, primarily 8086.
Now 80386 also needed.
Portable.
Apple emulation.

Emulator Problems
Prefetch queue length.
How much of the environment do you include in the emulation?
The “perfect” emulator takes too much time and memory.
Result: Emulate situations required for known viruses. Needs upgrading to match reality.

Code Matrix
Matrix of opcode digraphs.
Map the set of opcodes gathered from code trace onto the opcode digraphs of known viruses. If it does not match, it cannot be that virus.
Add digraph matrices together to save memory space.
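The digraph matrix as an added example, not from the presentation or NAI’s engine: each known virus gets a 256x256 bit table of the adjacent opcode pairs its entry code contains, a trace’s opcodes are checked against it, and matrices are OR-ed together to save memory. The opcode sequences for the two viruses are constructed and hypothetical; the example assumes the trace covers the virus’s own entry code.

```python
# Added example (not from the presentation): the Code Matrix filter. One
# digraph the virus never uses rules it out, so only survivors go on to full
# signature checks. OR-ing matrices gives one table for a family; the union
# still never rejects a virus it contains, it is just a looser filter.
BITS = 256 * 256                      # one bit per digraph, 8 KB per matrix

def digraph_matrix(opcodes):
    """Set the bit for every adjacent opcode pair (a, b) in the sequence."""
    m = bytearray(BITS // 8)
    for a, b in zip(opcodes, opcodes[1:]):
        idx = (a << 8) | b
        m[idx >> 3] |= 1 << (idx & 7)
    return m

def merge(*matrices):
    """Bitwise OR of several matrices: one 8 KB table for a whole family."""
    out = bytearray(BITS // 8)
    for m in matrices:
        for i, byte in enumerate(m):
            out[i] |= byte
    return out

def could_be(trace_opcodes, matrix):
    """False as soon as the trace uses a digraph absent from the matrix."""
    for a, b in zip(trace_opcodes, trace_opcodes[1:]):
        idx = (a << 8) | b
        if not matrix[idx >> 3] & (1 << (idx & 7)):
            return False
    return True

# Constructed entry-code opcode sequences for two hypothetical viruses.
VIRUS_A = [0xB8, 0xBB, 0xCD, 0xB4, 0xCD, 0xC3]     # mov/mov/int/mov/int/ret
VIRUS_B = [0xE8, 0x5D, 0x81, 0x8D, 0xB4, 0xCD]     # call/pop/sub/lea/mov/int
MATRIX_A = digraph_matrix(VIRUS_A)
MATRIX_B = digraph_matrix(VIRUS_B)
FAMILY = merge(MATRIX_A, MATRIX_B)                  # shared table for both

def classify(trace):
    """Names of the viruses a trace could still be after the matrix filter."""
    return [n for n, m in (("A", MATRIX_A), ("B", MATRIX_B)) if could_be(trace, m)]

if __name__ == "__main__":
    print(classify([0xB8, 0xBB, 0xCD]))            # ['A']
```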

Special Case Code
• Loop detection.
– Likely to need decrypting (emulate)
• Probability distribution (a particular virus uses Rotates much too often).
• Polymorphic viruses too difficult to handle otherwise.

OLE2 Files (Macro Viruses)
An OLE2 file is a filesystem in a file.
It’s a proprietary format belonging to Microsoft.
Cracking the OLE2 format was easy. Next comes the Word document stream, the Excel spreadsheet stream, WordBasic, Visual Basic, ...

Other Macro Virus Issues
Word6 macro encryption/protection is a single byte XOR. Key is available in document.
Office97 macro protection is GUI only. Actual code is not encrypted at all.
Excel95 password protection is almost trivial. Uses 16 byte XOR key with minor on-the-fly calculations.

Other Macro Virus Issues...
Office97 password protection against Open uses MD5. [Yuk!]
PowerPoint97 streams stored as GZIP compressed data streams.
WordBasic is a tokenized language.
VisualBasic is p-code. But there’s a separate compressed code body for “Edit.”

Still More Macro Virus Issues
VisualBasic5 now supported across other applications! Soon, we’ll have to crack other file formats, not just OLE2.
VisualBasic6 coming out in next few months.
Things can up-convert, some can downconvert.
Emulators for all these languages!

Virus Removal
Must have “sufficient” variant determination.
– Bytes to cut.
– Where from.
– Where to retrieve original information.
– Where did the virus replace/take that original info from?
Virus removal database does not need to stay in memory.

Variant Determination
Variant determination.
– Different sizes.
– Different CRC values over different ranges.
– String found at different position.
– The specific variant does something unique. Need to know this for user information.

Side Effect Removal
Virus Payloads affect:
– Registry
– Added instructions in files. (AUTOEXEC.BAT)
– Additional files dropped.
– Things added to WIN.INI.
– “Bad sector” repair.
– Anything software can do.

Speed Issues
Memory management.
Memory, hard disk, floppy.
640K memory, XMS, EMS, 32-bit memory, memory swapping.
Clean machine.

Final Thought
Compare what was covered in this presentation against an access control package.
Project: The following files are allowed to be executed by this set of people. AND NOTHING ELSE!

Questions & Answers
Your Partner Against the Virus Problem