Virus vs anti virus the arms race



Document information

Virus vs Anti-Virus: The Arms Race
Patrick Graydon, Qiuhua Cao

Outline
  • Viruses
  • Anti-Viruses
  • Discussion

Viruses
  • A virus is "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself." - Fred Cohen
  • Fred Cohen seems to have been the first to define the term virus, but the concept had been discussed earlier and there were some viruses out in the wild before he began his research.
  • Link to virus history

Example of a virus
  • In his 1984 Turing award acceptance speech to the ACM, Ken Thompson related the story of how he modified the C compiler to insert a backdoor into the UNIX login program and to insert his modifications into any C compiler compiled using his modified compiler.
  • Slick—no trace of the backdoor remains in any source code!

Viruses example
  • The WM.Nuclear Microsoft Word macro virus infects Word documents during opening, saving, and printing by adding a set of macros to them. On April 5th it attempts to overwrite critical system files, and it occasionally adds the text "STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!" to the current document. (Information from Symantec's security bulletin.)

Worms are not viruses
  • The VBS.SST@mm "Anna Kournikova" malware is a worm, not a virus, because it e-mails copies of itself but does not infect any other documents. (Information about VBS.SST@mm from Symantec's security bulletin.)

Malware terminology
  • We found a web site listing 56 different terms related to viruses and malware, including: backdoor, boot sector viruses, encrypted virus, hoax, macro virus, …

Virus statistics
  • Here are some statistics from 2000 we found on the web:
  • Over 85% of all the known viruses are for Microsoft platforms (nearly all the self-propagating worms are as well)
  • Slightly less than 52,000 are viruses for DOS/Windows/NT platforms
    - about 6000 of these are Word macro viruses
    - about 150-200 of these are known to be widespread "in the wild"
    - in 1999, approximately 650 new viruses were reported each month (more than 20 a day)

Virus statistics
  • More statistics from the same site:
  • A few hundred are for Javascript, Hypercard, Perl, and other scripting languages. Few of these can spread beyond a few machines without active support of the users
  • 150 are for the Atari
  • 31 are native to the Macintosh, and only two of them are known to exist anymore
  • 2 or 3 are viruses native to OS/2

Virus statistics (cont'd)
  • More statistics from the same site:
  • About 5 are for Linux/Unix/etc, but none have been found in quantity "in the wild", nor would they be likely to spread very far if they were "loose"
  • None are for BeOS, ErOS, or other small-population systems.
  • Question: can we reduce the risk of getting a virus infection by not using Microsoft products?

[...]

... versions) – at link Virus-Scan-Software

Arming the virus writers
  • If a virus author knew what the anti-virus programs look for, he or she could design a virus that they wouldn't find…
  • Example: in the early 90s there were a few MS-DOS 'stealth' viruses that could intercept a virus-scanning program's attempt to read the boot record and show it a clean version rather than what was really there
  • See...

[...]

... of the Stealth_boot virus
  • "Frodo.4096" virus, first Stealth virus
  • "Beast.512" Stealth virus, less than a year after Frodo.4096
  • More on this at Virus-Scan-Software

Extracting signatures
  • Christodorescu and Jha report on a technique for extracting the signature used by a given antivirus program
  • Basically they obfuscate parts of the program and determine what has to remain unobfuscated for the antivirus...

[...]

... mechanism
  • Detection of a virus detector by its appearance
  • Detection of a virus detector by its behavior
  • Detection of an evolution of a known viral detector

Detection by signature
  • Rather than implement a general solution, virus scanners look for virus signatures
  • These signatures could be as small as a few bytes or as large as the entire virus code
  • If a virus scanner uses the whole virus code as a signature, ...

[...]

  • Word documents can contain macro viruses such as WM.Nuclear

Detection
  • If we can't limit the spread of a virus, maybe we can find it and quarantine infected files…
  • Unfortunately, no general algorithm for detecting virus behavior is possible
    - Cohen argues this by proposing a virus that infects only when the detection algorithm thinks it isn't a virus
  • Anti-virus programs must make do with more...

[...]

... 25h 5m to release an updated signature file in response to the W32/Sober.C worm attack

The arms race
  • In order to make it hard for virus scanners to detect their viruses, virus writers can add morphing behavior to their creations:
  • "A polymorphic virus 'morphs' itself in order to evade detection … Metamorphic viruses attempt to evade heuristic detection techniques by using more complex obfuscations." ...

[...]

  • Cohen argues that no general solution for proving the equivalence of two programs is possible
  • His argument follows the same form as his argument against a general algorithm for virus detection: he proposes a virus in which two different infection instances will behave differently when a watching antivirus program believes they are the same

Morphing
  • A virus may morph itself by:
    - Encrypting part...

[...]

More about viruses
  • Viruses aren't necessarily hard to write
    - Cohen reports that his first virus took only 8 hours for an experienced programmer to write
  • Viruses aren't necessarily big
    - Cohen reports on a UNIX shell script virus that was only 7 lines long
  • Viruses aren't necessarily malware
    - Cohen describes a hypothetical virus that compresses executables to conserve disk space
  • Viruses can be...

[...]

  • "... we mix the Biba and Bell-LaPadula models, we find that the resulting isolationism secures us from viruses, but doesn't permit any user to write programs that can be used throughout the system." – Cohen

Bad news about partitioning
  • Transitivity is a problem:
    - "If there is a path from user A to user B, and there is a path from user B to user C, then there is a path from user A to user C with the witting...

[...]

  • ... of the program and determine what has to remain unobfuscated for the antivirus program to find the virus
    - FYI there is a typo in the paper: the conditions on the loop in the SignatureExtraction function cause it to never execute… They say it "was successful in many cases."

Binary obfuscation techniques
  • The goal of binary obfuscation is to make it difficult to obtain an assembly-language description...

[...]

  • ... variants of a virus
  • However, if a virus scanner uses a very small signature, it may incorrectly report infections that aren't there

Updated signatures
  • Anti-virus companies must release new signatures each time a new virus is discovered
  • A virus's spread is unimpeded for a while…
  • According to Andreas Marx of AV-Test.org, it took Symantec 25h 5m to release an updated signature file in response to the W32/Sober.C worm attack
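The signature-size tradeoff the "Detection by signature" slides describe (a whole-body signature misses variants, a few-byte signature raises false alarms), shown as an added example written for this page rather than taken from the slides. The sample "files", the stand-in virus body and the variant are all constructed ASCII data, nothing executable.

```python
# Toy byte-signature scanner.  Demonstrates why signature length matters:
# the whole virus body as a signature misses a one-byte variant, a very
# short signature fires on a clean file, and a signature chosen from the
# invariant part of the body does neither.  All data below is constructed.

# Constructed stand-in for a virus body (plain text, not real malware).
VIRUS_BODY = b"INFECT:open-save-print;PAYLOAD:april-5;MSG:STOP ALL TESTS"

# Constructed "variant": identical code, one byte of the payload date changed.
VARIANT_BODY = VIRUS_BODY.replace(b"april-5", b"april-6")

# Constructed sample files: (name, contents, truly infected?)
SAMPLES = [
    ("report.doc",   b"Quarterly report. Nothing to see here.",  False),
    ("infected.doc", b"Some text\n" + VIRUS_BODY + b"\nmore text", True),
    ("variant.doc",  b"Other text\n" + VARIANT_BODY,              True),
    # Clean file that happens to share a short substring with the virus.
    ("notes.doc",    b"TODO: MSG: ask about INFECT:ion control",   False),
]


def scan(signature: bytes, samples=SAMPLES) -> dict:
    """Flag every sample whose bytes contain `signature` (plain substring match)."""
    return {name: signature in data for name, data, _ in samples}


def evaluate(signature: bytes, samples=SAMPLES) -> dict:
    """Compare scanner verdicts with ground truth: list misses and false alarms."""
    verdicts = scan(signature, samples)
    missed = [n for n, _, infected in samples if infected and not verdicts[n]]
    false_alarms = [n for n, _, infected in samples if not infected and verdicts[n]]
    return {"missed": missed, "false_alarms": false_alarms}


if __name__ == "__main__":
    for label, sig in [("whole body", VIRUS_BODY),
                       ("4 bytes", b"MSG:"),
                       ("invariant code", b"INFECT:open-save-print")]:
        print(f"{label:>15}: {evaluate(sig)}")
```

The third signature covers the part of the body that stays fixed across the variant, which is why it has neither misses nor false alarms on these samples; updated signatures (next slide) are what closes the gap when a variant changes that part too.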

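Cohen's transitivity point from the "Bad news about partitioning" slide, as an added example (not from the slides): a reachability check over a constructed "can hand a program to" graph. A path A→B→C lets an infection starting at A reach C although A and C never share directly, and a partition into groups only isolates them when no sharing edge crosses a group boundary. The user names and edges are constructed.

```python
from collections import deque

# Constructed sharing graph: an edge X -> Y means user X can pass a program
# (and therefore a virus) to user Y.  Illustrative data, not a real system.
FLOWS = {
    "A": {"B"},
    "B": {"C"},
    "C": set(),
    "D": {"E"},
    "E": {"D"},
}


def reachable(flows: dict, start: str) -> set:
    """Every user an infection starting at `start` can reach transitively."""
    seen, queue = set(), deque([start])
    while queue:
        user = queue.popleft()
        for nxt in flows.get(user, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def crossing_edges(flows: dict, groups: list) -> list:
    """Sharing edges whose endpoints lie in different groups of the partition.

    A non-empty result means the partition does not actually isolate its
    groups: a virus can still cross from one group into another."""
    group_of = {u: i for i, g in enumerate(groups) for u in g}
    return sorted((u, v) for u, vs in flows.items() for v in vs
                  if group_of.get(u) != group_of.get(v))


def isolated(flows: dict, groups: list) -> bool:
    """True when the partition cuts every sharing path between groups."""
    return not crossing_edges(flows, groups)


if __name__ == "__main__":
    print("A can reach:", sorted(reachable(FLOWS, "A")))        # B and C
    print("crossing:", crossing_edges(FLOWS, [{"A", "B"}, {"C"}, {"D", "E"}]))
    print("isolated:", isolated(FLOWS, [{"A", "B", "C"}, {"D", "E"}]))
```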
Posted: 15/03/2014, 13:04


Contents

  • Virus vs Anti-Virus: The Arms Race

  • Outline

  • Viruses

  • Example of a virus

  • Viruses example

  • Worms are not viruses

  • Malware terminology

  • Virus statistics

  • Slide 9

  • Virus statistics (cont’d)

  • Example virus

  • More about viruses

  • Viruses aren’t necessarily malware

  • Viruses can be malicious in many ways

  • Making matters worse…

  • Isolation

  • Partitioning

  • Partitioning (continued)

  • Bad news about partitioning

  • More bad news…
