Advanced Polymorphic Techniques.pdf - adamas.ai
12.07.2015 Views
Share Embed Flag

Advanced Polymorphic Techniques.pdf - adamas.ai

Advanced Polymorphic Techniques.pdf - adamas.ai

Advanced Polymorphic Techniques.pdf - adamas.ai

SHOW MORE
SHOW LESS
ePAPER READ
DOWNLOAD ePAPER
download.adamas.ai

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

START NOW

PROCEEDINGS OF WORLD ACADEMY OF SCIENCE, ENGINEERING AND TECHNOLOGY VOLUME 25 NOVEMBER 2007 ISSN 1307-6884• Branching technique;• Pseudo-Random Index Decryption (PRIDE);• Metamorphic techniques:– Dead code insertion;– Instruction modification;– Random modification and permutation of registers;– Code permutation;– Mutation of the memory access profile.B. Polymorphism in METAPHOR1) Encryption techniques: First let’s describe the miscellaneousencryption techniques which are commonly used inpolymorphic viruses (see [15] for some more det<strong>ai</strong>ls and forexamples).a) Basic encryption: The most simple ones, as wellas the most common ones, use a mere XOR (as shown inthe example), ADD or SUB encryption, with a key which israndomly generated on each replication and which is storedinside the virus data or directly inside the decryption method.The following code is a basic example of such an encryption:mov esi, offset enc_code_start; start of encrypted codemov edi, esi ; start of decrypted codemov ecx, (offset enc_code_end -offset enc_code_start) / 4 ; size in dwordsmov ebx, 6B3C728Ah ; encryption keystart:lodsd; load a dword in eaxxor eax, ebx ; decrypt itstosd; save itloop startend:jmpenc_code_startb) Sliding key encryption: One drawback of the previoustechnique is that, once the key has been chosen, each characteris encrypted in a unique way. Thus the sliding key encryptionupdates the key as the decryption progresses, either in a fixedway or for instance with the last encrypted character. Forinstance, the previous code could be modified in the followingway:...xoradd...eax, ebxebx, eaxc) Flow encryption: This method uses a key to generate akeystream of the same size as the data to encrypt. For instancethe generation of this pseudo-random keystream might useone or several linear feedback shift registers (LFSR, seesection III-D1). Some basic implementations simply duplicateas much as needed the input key. The previous code can beeasily adapted to this technique, in the case of a single register(lfsr_init initializes the register, and lfsr_next shiftsthe 32bits register, thus generating a new key):d) Encryption with permutation: The input data is simplypermutated. Permutation can occur on the scale of the wholedata, of chunks of bytes (of fixed or variable length), or evenof each byte (with the ROR instruction for instance).e) Multiple encryption: Several encryption techniquesare sequentially applied.f) Random key encryption: The data is encrypted with arandom key which is not stored for future decryption. Uponexecution, the key (as well as the encryption technique) canonly be recovered by brute force attack or cryptanalysis. Thistechnique disables any code emulation analysis. The size ofthe key space (and possibly its properties) allows to controlover the decryption time. This technique was introduced byDarkMan in 1999 in his RANDOM DECODING ALGORITHMENGINE (RDAE), which implemented several encryptiontechniques without storing the key: only the code’s CRC32checksum was stored. These techniques are det<strong>ai</strong>led in [2],[7].g) Code-dependent encryption: The binary code itself isused as the encryption key, or a combination of the code anda random key. This technique was usually used to ensurethat the code had not been modified – during an antiviralanalysis (where the code could be patched to disable someanti-debugging techniques).Upon decryption, the virus needs access to the decryptionkey(s). This key is usually directly stored in the program:inside the decryption procedure, inside the virus data or simplyrelated to the host program (for instance the key can be thehost’s filename). The case of RDA is different since the keyis retrieved by brute force. However other scenarios existwhere the key isn’t stored in the code but is inferred fromthe environment. This technique is called environmental keygeneration [16]. Here are some examples:• The key is forged from the local environment. For instance,the key is the hard disk serial number, combinedwith some random value stored in the code, etc.• The key depends on activation factors. For instance, itdepends on the current date and will only be valid duringsome predetermined period. In consequence, the virusitself will be disabled outside the valid periods.• The key is stored on a web server, a news server, etc.The most advanced implementation of this technique is theproof of concept BRADLEY virus [4]. It uses several encryptionlayers, whose keys are retrieved from the environment.The interest of such viruses from their writer’s point of view,is that they can restrict the activity of their virus geographicallyas well as temporally. Filiol also shows in [4] that, if the keyis unknown during the analysis, the cryptanalysis’s complexityis exponential (in BRADLEY’s case).As for METAPHOR, it encrypts its code with an initial...probability of 15/16 and uses an encryption method (withmov ebx, 6B3C728Ahcall lfsr_init ; init the register from the key random key) of type XOR, ADD or SUB.start:lodsdHowever, METAPHOR’s decryption method is much morecall lfsr_next ; ebx := 4 new bytes from keystreamxor eax, ebxinteresting. It uses techniques that The Mental Driller had alreadyimplemented into the TUAREG engine (TAMELESS UN-...PWASET VOLUME 25 NOVEMBER 2007 ISSN 1307-6884 403 © 2007 WASET.ORG

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!