Vaginal and Anal Secretions Newsletter #0043
Date Released: 07/01/92        Author: The Smurfs (PROBE-X)
Mutation Engine Report

Hello everyone, the following report is provided for your information. More tests are being conducted and results will be posted soon.

-----------------------------------------------------------------------

22 Jun 92

Mutation Engine Report

Copyright (c) 1992 by VDS Advanced Research Group
All Rights Reserved
P.O. Box 9393
Baltimore, MD 21228
(410) 247-7117

prepared by Tarkan Yetiser

This report is provided to satisfy the curiosity of the public. We were approached by some third parties to perform an analysis on MtE. We would like to share the results of our analysis with everyone. If you find an error or inaccuracy in this report, please feel free to contact us. All constructive criticism is welcome.

TABLE of CONTENTS

I.   Mutation Engine and Viruses
II.  How to Catch Viruses and MtE-based Viruses
III. Mutation Types and Detection Algorithms
IV.  Live Tests and Results
     A. Comments on Test Results
V.   A Simple Message

I. Mutation Engine and Viruses

We have analyzed the so-called MtE (Mutation Engine by a "Dark Avenger" from Bulgaria), and sample viruses based on it; namely, Pogue and Dedicated. We have also conducted tests to examine what kind of potential this miscreant has, and collected empirical data on how popular scanners deal with the MtE. We have also implemented a little program (CatchMTE) that can recognize MtE-based code using an algorithmic technique. The program in executable form is available free of charge as a service to the public. Due to possible misuse, the source code and a more detailed (at the opcode and bit-mask level) analysis with decryptor samples and algorithms necessary to detect MtE will be made available in a limited fashion. Under no circumstances will actual virus samples be provided, except that the missed samples can be sent to known anti-viral product developers who wish to enhance their programs.

For those who are not familiar with the MtE, some preliminary info will be presented first:

MtE is NOT a virus per se, but an object module that can be linked into a virus to give it polymorphic capabilities. MtE expects to be called as a routine that can encrypt a certain portion of code and can generate a suitable decryption routine. It uses a random number generator to vary each mutation so that it will not be possible to recognize the new variant by using simple scanning techniques. The random number generator is not part of the MtE object module. A sample pseudo-random number generator is included with the archive Dark Avenger distributes. A virus writer could also supply his own random number generator.

Though all this may sound ordinary, MtE got so much attention not because it is just another encryptive virus but because it can provide even simple viruses with a feature that makes it difficult to scan for them. MtE is just like a library routine that you link into your virus and call when needed.
It is a little over 2K in an object module named MTE.OBJ. A person who calls himself "Dark Avenger" claims to have developed MtE, and distributes it by uploading it to BBSes in Bulgaria. The archive contains fairly detailed documentation on how to use MtE, and even includes a demonstration virus, a non-resident COM infector known as "Dedicated". Shortly after MtE made its appearance, a modified copy of this virus called "Fear" was also seen. Why this person is engaged in such potentially harmful activity, or how he/she gets away with it, is not something we know about.

Curious individuals who would like to learn more about the history of virus production in Bulgaria and other social as well as technical issues are invited to read an excellent paper written by anti-virus researcher Mr. Vesselin Bontchev of the Virus Testing Center, University of Hamburg. The paper is titled "Bulgarian Virus Factory", and it is available via anonymous FTP. It provides insight into some of the cultural aspects of the virus underground in Bulgaria. Mr. Bontchev's contribution to anti-virus research is much appreciated; otherwise, we probably would never have known what goes on inside the Bulgarian virus factories.

II. How to Catch Viruses and MtE-based Viruses

Scanning for many known viruses is usually a trivial task. You disassemble a sample, extract a sequence of bytes that would exist in each infected executable object, put it into a pattern matching engine, and then look for that pattern in the executable objects that the virus is known to target. This method proved to be quite useful in fighting many viruses seen in the wild. Assuming a carefully chosen scan string, you can find the virus easily without too many false positives.

Not so for polymorphic viruses. These viruses try to defeat common scanning methods.
They keep their body encrypted to defy analysis, and encrypt the new copy inserted into an executable object using a different key so that it will "look" as if a different virus infection has occurred. However, even these viruses require plaintext code that will decrypt the rest of the virus. Scanners can use strings extracted from the plaintext portion of the virus to identify them. It is usually necessary to include wildcard bytes (don't-care bytes) to be able to deal with the varying parts of the decryption routine. Naturally, false alarms are more likely to occur.

MtE is more advanced than such viruses seen before. We would like to emphasize that the contents of each mutation and the corresponding decryption routine MtE generates are far too variable to extract a simple (or even wildcard) scan string. It is necessary to analyze the MtE itself as well as many sample mutations. After that, certain characteristics of the code MtE generates can be used as telltale signs to detect its presence. Avoiding false positives while maintaining a 100% detection ratio is quite difficult.

Armed with an 80x86 instruction set guide (we used the Turbo Assembler 3.0 Quick Reference Guide), a good disassembler (we used Mr. Zandt's DIS86, available via anonymous FTP), and a few known viruses based on MtE (Pogue and Dedicated with payload removed), we analyzed the MtE code and the mutations generated. Tests were conducted on a 40 MHz 386 with a 100 meg HD and MS-DOS 5.0, and a 4.77 MHz IBM/XT with a 30 meg HD and PC-DOS 3.3 installed. A simple program that generated decoys (small, fully functional programs) was used to create a large number of samples. In the case of Pogue, the virus was allowed to remain resident and infect each decoy program as it was created. Since the Dedicated virus is not resident, it was necessary to create the decoys first and then infect them by running the virus (it infects in the current directory).
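The fixed and wildcard scan strings described at the start of this section, shown as an added example that is not part of the VDS report and is not CatchMTE's code. The three byte strings are constructed stand-ins for the plaintext head of three infected decoys, not bytes from any real sample; the "??" notation for a don't-care byte and the helper names are this example's own.

```python
"""Fixed and wildcard scan strings (added example; not from the VDS report).

The byte strings below are constructed stand-ins for the plaintext head of
three infected decoys.  They are not taken from any real virus sample."""

from typing import Optional

WILDCARD = None  # marks a "don't-care" byte inside a scan string


def parse_scan_string(text: str) -> list:
    """Parse "B9 ?? 46"-style notation (hex bytes, '??' = don't-care) into a
    list whose entries are an int or WILDCARD."""
    return [WILDCARD if tok == "??" else int(tok, 16) for tok in text.split()]


def find_scan_string(data: bytes, pattern: list) -> Optional[int]:
    """Return the offset of the first occurrence of pattern in data, or None.
    A WILDCARD entry matches any byte at that position."""
    width = len(pattern)
    for off in range(len(data) - width + 1):
        if all(p is WILDCARD or p == data[off + i] for i, p in enumerate(pattern)):
            return off
    return None


def scan(samples: dict, scan_string: str) -> dict:
    """Apply one scan string to several samples; map sample name -> offset/None."""
    pattern = parse_scan_string(scan_string)
    return {name: find_scan_string(data, pattern) for name, data in samples.items()}


# Constructed samples.  A and B do the same work but differ in two bytes: the
# index register chosen (byte 5) and the key applied to memory (byte 10).  C
# does the same work again, but spread over different instructions with filler
# in between, so the bytes no longer line up at fixed distances.
SAMPLES = {
    "A": bytes.fromhex("90 90 B9 10 00 BE 20 01 80 34 5A 46 E2 FA"),
    "B": bytes.fromhex("90 90 B9 10 00 BF 20 01 80 35 3C 47 E2 FA"),
    "C": bytes.fromhex("90 B9 10 00 90 90 BE 20 01 90 8A 04 34 5A 88 04 46 E2 F7"),
}

# A fixed string taken from sample A: exact bytes, so it matches A only.
FIXED_STRING = "BE 20 01 80 34 5A 46 E2 FA"

# The same region with the register and key bytes wildcarded: matches A and B,
# but C still escapes because its instruction layout differs, which is the
# limitation the report describes for MtE decryptors.
WILDCARD_STRING = "B9 10 00 ?? 20 01 80 ?? ?? ?? E2 FA"

if __name__ == "__main__":
    print("fixed   :", scan(SAMPLES, FIXED_STRING))     # {'A': 5, 'B': None, 'C': None}
    print("wildcard:", scan(SAMPLES, WILDCARD_STRING))  # {'A': 2, 'B': 2, 'C': None}
```

The wildcard string recovers sample B at the cost of matching any file that happens to carry those fixed bytes at those distances, which is the false-alarm trade-off the paragraph above mentions; sample C shows why a decryptor whose size and instruction choice vary from copy to copy cannot be pinned down this way at all.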
After the tests, we archived the samples and stored them on floppy diskettes, and removed them from the hard drives of the test machines.

In the Intel 80x86 architecture, it is possible to express a computation in very dissimilar ways. This is possible because certain registers can be substituted in place of another and still achieve the same result. For example, you can index an array by using the SI, DI, BP or BX registers. Or you could XOR a certain value at a given memory location by loading that value into AX, BX, CX or DX first, performing the XOR on that register, and then putting the result back into memory, etc. Even other possibilities exist. When stepping through elements in an array, you can increment the index register by ADDing to it, INCing it, or ADDing and then SUBtracting from it. It should be clear that such flexibility helps MtE significantly. Of course, variability is something string scanners do not handle too well, since there are many combinations to search for.

MtE goes even further than that. The size of the decryption routine is also variable, making it infeasible to assume certain things that would hold for many polymorphic viruses. It also sets up a lengthy sequence of redundant instructions before the decryptor enters the decryption loop. For over 90% of the mutations, MtE generates a convoluted 16-bit XOR-type encryption; however, in many cases it uses indirect ways to apply the XOR mask to a memory value. For example, it computes the mask, then gets the value to be decrypted into a register, applies the mask and puts the result back into that memory location. Besides, memory access is done using many different instructions such as MOV and XCHG. There are also many redundant instructions peppered freely throughout the decryptor.

In some cases (5.5%), MtE generates a decryptor with a null effect. The decryptor does not actually decrypt anything, and the virus code is in plaintext.
The frequency of such cases seems to depend on the random number generator. It is funny to note that some popular scanners misidentify such extreme cases where the virus is not even encrypted. To handle these mutations, it is sufficient to extract a signature from the MtE itself. It is also possible to extract one from known MtE-based viruses and identify the virus directly. At any rate, a scan string from MtE itself should be used in case a future virus creates a plaintext variant.

We must also mention that even these plaintext mutations contained a fully working copy of MtE. They successfully propagated and generated encrypted mutations in future generations. MtE appears to generate correct code in all cases. The deviation between new generations started using plaintext parents and new generations started using encrypted parents was negligible.

III. Mutation Types and Detection Algorithms

MtE generates 4 "types" of mutations. They are as follows:

1. Double-reference  (detectable using Method-1)  ( ~ 91.0% )
2. SUB-NEG           (detectable using Method-2)  ( ~  2.0% )
3. Single-reference  (detectable using Method-3)  ( ~  1.5% )
4. Plaintext or no-reference                      ( ~  5.5% )

By implementing three algorithms and one scan string for the plain mutations, it is possible to recognize MtE-based viruses while keeping false positives to an acceptable level. We have one such program that achieved a 100% hit rate during our tests. Some others also claim a 100% hit rate, and we have tested them as well. A more detailed analysis of mutation types is not made public due to possible misuse of such information.

IV. Live Tests and Results

Test #1   Base Virus Name: Dedicated

                    SCAN 91   F-PROT 2.04   CatchMTE 1.0
by Name (1)            67          69             60
as MtE (2)            933         931            940
misidentified          -0          -0            N/A
missed                 -0          -0             -0
Hit Rate             100%        100%           100%

(1) SCAN91 --> [Mut], F-PROT 2.04 --> Dedicated, CatchMTE --> Dedicated
(2) SCAN91 --> [DAME], F-PROT 2.04 --> MtE, CatchMTE --> MtE-based

Test #2   Base Virus Name: Pogue

                    SCAN 91   F-PROT 2.04   CatchMTE 1.0
by Name (1)             0           0             56
as MtE (2)            935         936            944
misidentified (3)     -65         -61            N/A
missed                 -0          -3             -0
Hit Rate            93.5%       93.6%           100%

(1) SCAN91 --> N/A, F-PROT 2.04 --> N/A, CatchMTE --> Pogue
(2) SCAN91 --> [DAME], F-PROT 2.04 --> MtE, CatchMTE --> MtE-based
(3) SCAN91 --> [7S], F-PROT 2.04 --> Gotcha, CatchMTE --> N/A

A. Comments on Test Results

It seems that both F-PROT 2.04 and SCAN 91 misidentify some Pogue mutations that are in plaintext. F-PROT "quickscan" missed ALL mutations. You are advised to use the SECURE scan mode of this product. The extra speed comes with a 0% hit rate on MtE-based viruses!

F-PROT 2.04 missed three encrypted Pogue mutations. We examined these samples and found them to be of Type-3, and detectable using Method-3. The samples worked as expected. One of those three that were missed was called "suspicious" and guessed to be a variant of the Gotcha virus. We can only speculate that F-PROT lacks a Method-3 detection algorithm and uses a heuristic in such cases. Surprisingly, Virx 2.3 missed one of these same mutations. Due to its annoying user interface, we were unable to include Virx 2.3 in our full test suite.

It should be noted that the misidentification of 6% of Pogue mutations is a little alarming. All these misidentified mutations were found to be working and capable of generating new mutations.

V. A Simple Message

It is dangerous to assume that scanning is adequate just because there are some products that can detect MtE-based viruses 100% of the time. We identified at least two ways to make MtE less predictable. Of course, such information will not be disseminated.
However, considering the availability of MtE to hackers all around the world, and the "glory" Dark Avenger will enjoy due to media hype, it's only a matter of time before such improvements are discovered by irresponsible individuals. Besides, this may start a new trend among virus writers to create things like MtE. Keeping up with new virus signatures was hard enough (though manageable), but keeping up with many mutation engines is not going to be trivial. Unfortunately, locking up these "mutant engineers" is not a practical solution, and not even legally possible in many parts of the world.

The message is clear. The first line of defense against viruses is NOT using scanners. Although they have proved to be very useful, you are highly encouraged to consider other approaches, such as integrity checkers, as a first line of defense. Even the less sophisticated integrity checkers have a better chance of catching mutating viruses, long before their developers get a chance to analyze the virus samples. The reason is that, in most cases, viruses modify existing code in order to propagate. Their spread can be controlled using a non-virus-specific solution that concentrates on this main characteristic of most viruses. Such an approach is not only more cost-effective but also more secure. If your company still relies on a virus scanner to protect its PC-based computing resources against viruses, you are walking on thin ice.

-------------------------------------------------------------

Regards,

Tarkan Yetiser
VDS Advanced Research Group
P.O. Box 9393
Baltimore, MD 21228
(410) 247-7117
e-mail: tyetiser@ssw02.ab.umd.edu

---------------------------------------------------------

Response:

> It seems that both F-PROT 2.04 and SCAN 91 misidentify some
> Pogue mutations that are in plaintext. F-PROT "quickscan" missed
> ALL mutations. You are advised to use SECURE scan mode of this
> product. The extra speed comes with 0% hit rate on MtE-based
> viruses!
True, but keep in mind that Quick scan is a very primitive "single-point" scanner - it is fast, but if a virus cannot be found with a single string, located at a fixed offset from the entry point, Quick will not find it. Actually, I will probably drop Quick scan in the near future, as the speed of my secure scan has been steadily improving, and it is now almost as fast as Quick scan on certain machines.

> F-PROT 2.04 missed three encrypted Pogue mutations. We
> examined these samples and found them to be of Type-3, and
> detectable using Method-3. The samples worked as expected. One of
> those three that were missed was called "suspicious" and guessed to
> be a variant of the Gotcha virus.

It did not guess. Pogue IS a variant of Gotcha, just with MtE added. My scanner simply picked up the Gotcha signature; probably that part of the virus was not encrypted. This is also the reason the "non-encrypted" samples are identified as Gotcha-variants.

> We can only speculate that F-PROT
> lacks Method-3 detection algorithm and uses a heuristic in such
> cases.

Well, you may speculate, of course, but you are wrong :-) I have what you call a "Method-3", but I guess it is simply not perfect - I would have to look at those three samples to determine where the flaw is - I simply am not going to disassemble the MtE! - I did spend two days on it, and that is far too much when 3 new viruses arrive every day....

PS: The heuristics are only used if specifically requested, and will never report a particular virus, just the presence of virus-like code...

-frisk

[ VaS DiSTRiBuTioN SiTeS ]

BBS Name            Number          Baud   Sysop               Title
LiVe WiRE BBS       (313)464-1470   14.4   Studmuffin          World HQ
PoT BBS             (313)462-1906   24oo   Phreak_Accident     World HQ
TcH BBS             (713)373-4031   14.4   One Meg Cacher      Dist. #1
Floating Pancreas   (305)551-0311   14.4   Majestic Cockster   Dist. #2
Phantasm III        (313)884-2617   14.4   Scavenger           Dist. #3
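The integrity-checking approach recommended in section V of the report, as an added example that is neither the report's nor any VDS product's code. It records a baseline of file sizes and SHA-256 digests for the executables under a directory and later reports which of them changed, appeared or vanished; this is the non-virus-specific check the report argues catches a mutating virus without knowing its signature. The directory layout, file names and contents are constructed for the demonstration, and the helper names are this example's own.

```python
"""Minimal integrity checker (added example; not from the VDS report).

Records size + SHA-256 for every executable under a root directory and
compares a later snapshot against that baseline.  It does not identify a
virus; it reports that a program's bytes are no longer what they were."""

import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = (".com", ".exe")  # assumption: what counts as a program here


def digest_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large executables stay cheap."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=EXECUTABLE_SUFFIXES) -> dict:
    """Map relative path -> (size, sha256) for each executable under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = (p.stat().st_size, digest_file(p))
    return baseline


def check_integrity(root: Path, baseline: dict, suffixes=EXECUTABLE_SUFFIXES) -> dict:
    """Compare the tree against a stored baseline.

    Returns {'modified': [...], 'added': [...], 'missing': [...]} with relative
    paths.  Size and digest are both compared, so a file padded back to its old
    length still shows up as modified."""
    current = build_baseline(root, suffixes)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline two decoy programs, then let one of them
    grow by 2 KB (what an appending file infector does to its host) and drop a
    new executable that was never baselined."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "DECOY1.COM").write_bytes(b"\xc3" * 64)     # constructed dummy program
        (root / "DECOY2.COM").write_bytes(b"\xc3" * 96)     # constructed dummy program
        (root / "README.TXT").write_bytes(b"not a program")  # ignored by suffix
        baseline = build_baseline(root)

        with (root / "DECOY1.COM").open("ab") as f:
            f.write(b"\x00" * 2048)                          # simulated growth of the host
        (root / "NEWPROG.EXE").write_bytes(b"MZ" + b"\x00" * 32)  # constructed new file

        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())  # {'modified': ['DECOY1.COM'], 'added': ['NEWPROG.EXE'], 'missing': []}
```

The check is only as trustworthy as the baseline: keep it on media the machine under test cannot rewrite (the report's own practice of moving samples to floppies and off the hard drives points the same way), and generate it from a known-clean system, because a baseline taken after infection simply records the infected state as normal.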