Metamorphic viruses and Code checksumming

2007-01-19T05:07:00.001-08:00

What is code checksumming?

Code checksumming or self-checksumming application is a program that calculates checksum (e.g. by using MD5, on of SHA family functions or even CRC) of code (or/and data) or part of code, to verify it's integrity.

When we consider application security, this is quite useless 'protection' and most crackers will deal with it easily.

Moreover, Wurster, van Oorschot and Somayaji described general attack on self-checksumming applications tampering resistance. They achieved it by using malicious (or altered or crafted as you prefer) OS with Harvard architecture (yes, von Neumann is not the only architecture ;)), where executed code and data are separated.

However, Giffin, Christodorescu and Kruger proposed self-checksumming via SMC (self-modifying-code) in order to bypass Wurster et al. attack. They achive it simply by altering code right before its execution and checking if the code really changed (von Neumann model) or not (Harvard).

Metamorphic viruses?

What is metamorphic virus?

A metamorphic virus is like a 49cc motorbike with a space shuttle fuel deposit (if you can handle such vision :).

The Mental Driller from 29a

As the saying goes, a picture is worth a thousand words. The T-1000 model of Terminator 2 is the easiest possible analogy to use. Zmist integrates itself into the code section of the infected application, as the T-1000 model can hide itself on the floor.

excerpt from Hunting for Metamorphic by Péter Ször and Peter Ferrie

Now, those two quotes were quite vivid. I am referring here to fully metamorphic viruses like Zmist presented to (A)V community by Z0mbie and Metaphor (a.k.a. Simile) presented by The Mental Driller.

Metamorphic virus is a one, that has the ability to:

possibly decipher,

analyze it's own code during run time,

(possibly cipher and) reorder instruction flow,

integrate with the host (victim) program.

Metamorphic viruses usually use EPO (Entry Point Obfuscation) and other anti-AV software techniques.

Metamorphic viruses, are current state-of-the-art of computer software. Writing metamorphic virus requires lot of persistence, broad knowledge and high programming skills. That's why there are only few metamorphic viruses.

As you've probably guessed already distinguishing between program infected with metamorphic virus and 'clean' one is very hard to do. It's very irresponsible to rely upon heuristics and string-based signatures are usually totally useless. It is probably possible to recognize infected file by using some code statistics, but in case of mail-servers this method would be slow and inefficient.

Synthesis and conclusion

This two topics were introduced from one simple reason. Although metamorphic viruses are really complicated ones. Probably no virus till this time (well in fact I haven't heard about any, but it doesn't mean such a virus couldn't exist) analyze host code in order to 'understand' hosts functionality.

Code-checksumming is useless scheme when it comes to subject of software cracking, but it could save users time, and therefore money.

That's why I think software vendors should use software self-checking.

BTW: Most AV products does self-checking (not necessarily code-checksumming, there are other methods). Other software vendors also should...

see you anytime (soon?)

GiM

Metamorphic viruses and Code checksumming

What is code checksumming?

Metamorphic viruses?

Synthesis and conclusion