The anti-antiviral techniques that have been developed for various computer infections illustrate well the general issue behind the term security (note 23).
Definition 40 Security: a set of measures and techniques designed to protect a system against malicious actions, the very nature of which is to adapt to the protections that are put up against them.
Note 23. As for the term "safety" (or sometimes "reliability"), it usually refers to technical measures designed to fight against non-malicious incidents, such as device breakdowns, transmission noise, and so on. These incidents are ruled by statistical laws which do not change once a protection is put in place.
In the context of antiviral protection, it is quite logical that viruses, worms or any other malware use techniques to prevent or disable the opposing functionalities installed by antiviral software or firewalls. Two main techniques can be put forward:
• Stealth techniques.- A set of techniques aiming at convincing the user, the operating system and antiviral programs that there is no malicious code on the machine. The virus, whose aim is to escape monitoring and detection, may hide itself in key sectors (sectors allegedly marked as defective, areas which are not used by the operating system), or may modify the file allocation table, system functions or software resources in order to present the image of an uninfected, sound system. All this is generally performed, among other techniques, by hooking interrupts or Windows APIs (note 24). In some cases, viruses can completely or partially remove themselves once the final payload has been triggered, thus reducing the risk of detection (this is especially important when it comes to combined viruses: an illustrative example is provided in Chapter 13).
• Polymorphism.- As antiviral programs are mainly based on the search for viral signatures (scanning techniques), polymorphic techniques aim at making the analysis of files by their appearance alone far more difficult. The basic principle is to make the code vary constantly, from one viral copy to the next, so that no fixed component (a set of instructions, specific character strings) can be exploited by the antiviral program to identify the virus. Polymorphic techniques are rather difficult to implement and manage. We will consider the two following main techniques (a number of complex variants exist, however):
– Code rewriting into an equivalent code. As a trivial but illustrative example in the C programming language (note 25),

    if(flag) infection(); else charge_finale();

may be rewritten into an equivalent structure, yet with a different code (form):

    (flag)?infection():charge_finale();
Note 24. Application Programming Interfaces (APIs for short) are software modules that give access to information or functions directly embedded within the operating system at a very low (system) level.
Note 25. This example makes sense only as far as source code viruses are concerned, since the compiler produces the same binary code for both forms. It is used as a pedagogic example. Of course, any modification of the code is valid only if the antiviral analysis focuses on code of a similar nature and form.
Let us consider another example written in assembly language:

    loc_401010:
        cmp  ecx, 0
        jz   short loc_40101C
        sub  byte ptr [eax], 30h
        inc  eax
        dec  ecx
        jmp  short loc_401010

may be equivalently rewritten as:

    loc_401010:
        cmp  ecx, 0
        jz   short loc_40101C
        add  byte ptr [eax], <random value>
        sub  byte ptr [eax], 30h
        sub  byte ptr [eax], <same random value>
        inc  eax
        dec  ecx
        jmp  short loc_401010

Both loops leave the same value in every byte, since adding and then subtracting the same quantity modulo 256 cancels out. If the first variant of the code constitutes the signature which is scanned for, the second one will therefore not be detected.
Similarly, one can rewrite the code by inserting random instructions into random locations without producing any effect. In the previous code, an or eax, eax instruction or an add eax, 0 instruction, when inserted after the inc eax instruction, modifies the code but still produces the same result. The only constraint is that the inserted instruction must not alter a register or a flag that a later instruction depends on: here or eax, eax does change the flags, but they are overwritten by dec ecx and cmp ecx, 0 before the next jz reads them.
These simple examples, designed for this book to facilitate the reader's understanding, may become far more complex, to such a point that any code analysis, especially that performed by antiviral programs (proper code analysis, heuristic analysis or code emulation), is bound to fail. For instance, the majority of instructions contained in BIOS binary code are precisely designed to circumvent any code analysis (note 26).

Note 26. In this particular case, as in many other cases, the essential purpose is to protect software from piracy or intellectual theft. These code protection techniques involve:
· obfuscation techniques (multiplication of code instructions in order to fool and/or complicate code analysis, see [23] for pedagogic examples; another trick is to make code reading and understanding as difficult as possible; for the latter case, the reader may consider the C programming language and www.ioccc.org for more details),
· compression techniques,
· encryption.
It is rather surprising to notice that code protection techniques which were imagined by virus writers have since been used by software programmers and publishers to protect their software from piracy. The best example, and probably the most famous one, is that of the Whale virus. An illustrative example is presented in [24].

– Applying basic encryption techniques to all or part of the virus or worm code. Generally, these encryption techniques consist of masking every code byte with a constant byte value (by means of XOR). When ill-implemented, such an encryption uses a static key, which eventually constitutes a real signature (or infection marker) in itself. However, modern encryption systems (RC4 [131], for example) offer good prospects as far as anti-antiviral protection is concerned. Recently, the W32/Sobig.F worm apparently used a more sophisticated encryption system, which proved more difficult to break (cryptanalyze) than the basic encryption systems used up to now.
The viral code starts with an unencrypted procedure whose function is to decipher the main body of the virus before it is executed. During each infection process (code duplication), both the decryption procedure (since it is unencrypted, it may be used by the antiviral program as a possible signature) and the corresponding encryption procedure would have to be changed. However, it must be admitted that in most cases the encryption procedure remains unchanged. Only some highly sophisticated viruses manage to modify the encryption procedure significantly after each infection.
As an illustrative example, let us consider the case of the Kelaino worm (this example is derived from the excellent paper written by N. Brulez [22], which the reader is urged to read for further details). A part of this code (the section containing data) is encrypted by adding the constant value 30h to every byte (modulo 256); the decryption procedure shown below undoes this with a sub byte ptr [eax], 30h. Let us point out that this type of encryption does not offer much security when subjected to analysis. Here is the code before it is deciphered:

    DATA:00402799 aVvqajprXSsuqrp db 'v~CjPR{~CRPl ~Cp~C~C^~Cn=:jPP}'
    DATA:00402799                 db '=:}y}u]~Cj Pa^`=:s~C]jP_k=:PPPP'
    DATA:00402799                 db 'PPPP~CmR]]]] m~``````e`artubus^hrbhfs``R=:]'
    DATA:00402799                 db '~CjPc=:]}}]~CjP~~C=:]jPa=:]}'
    ...
Once the code has been deciphered, we get:

    DATA:00402799 aFromKelainoKel db 'From: "Kelaino" <[email protected]>',0Dh,0Ah
    DATA:00402799                 db 'Subject: Slave Message',0Dh,0Ah
    DATA:00402799                 db 'MIME-Version: 1.0',0Dh,0Ah
    DATA:00402799                 db 'Content-Type: multipart/mixed;',0Dh,0Ah
    DATA:00402799                 db ' boundary= "----=_NextPart_000_0005_01BDE2EC.8B286C00"'
    DATA:00402799                 db 0Dh,0Ah
Here is the decryption procedure at the beginning of the viral code (a few comment lines have been added by N. Brulez):

    00401000 start proc near
    00401000     mov ecx, addr_end_data        ; ECX = address of end of data
    00401005     sub ecx, addr_beg_data        ; ECX = 402D5D - 402000 = size of data
    0040100B     mov eax, 402000h              ; EAX = address of start of data
    00401010 decrypt_loop:                     ; CODE XREF: start+1A
    00401010     cmp ecx, 0                    ; ECX is a counter
    00401013     jz short decrypt_end          ; while ECX != 0 go on
    00401015     sub byte ptr [eax], 30h       ; subtract 30h from the byte pointed to by EAX
    00401018     inc eax                       ; go on with the next byte to decrypt
    00401019     dec ecx                       ; decrement counter
    0040101A     jmp short decrypt_loop        ; go on while ECX is not equal to 0
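The loop rewriting shown earlier in this section (the add/sub pair around sub byte ptr [eax], 30h and a junk or eax, eax after inc eax) and the per-infection change of key and decryptor discussed just above can both be checked with a small emulator. The following Python script is an added example; it is not code from this book nor from N. Brulez's paper. It assembles the Kelaino loop from the standard 32-bit x86 encodings, interprets only the handful of opcodes that loop can contain, verifies that every variant decrypts a constructed sample identically, and then measures the longest byte string a scanner could still find in common across twenty regenerated decryptors. The function names, the junk instruction pool, the seed and the sample plaintext (one line of the decrypted header, re-encrypted here) are assumptions of the example.

```python
import random

KEY = 0x30                                  # constant subtracted by the Kelaino decryptor
CMP_ECX_0 = b"\x83\xF9\x00"                 # cmp  ecx, 0
INC_EAX = b"\x40"                           # inc  eax
DEC_ECX = b"\x49"                           # dec  ecx
JUNK = (b"\x09\xC0", b"\x83\xC0\x00")       # or eax, eax ; add eax, 0  (eax unchanged)


def add_mem(imm):
    return b"\x80\x00" + bytes([imm])       # add byte ptr [eax], imm8


def sub_mem(imm):
    return b"\x80\x28" + bytes([imm])       # sub byte ptr [eax], imm8


def build_loop(body, junk=b""):
    """loop: cmp ecx,0 ; jz end ; <body> ; inc eax ; <junk> ; dec ecx ; jmp loop ; end:"""
    tail = INC_EAX + junk + DEC_ECX
    jz = b"\x74" + bytes([len(body) + len(tail) + 2])      # jz short end
    size = len(CMP_ECX_0) + 2 + len(body) + len(tail) + 2
    jmp = b"\xEB" + bytes([(-size) & 0xFF])                # jmp short loop (rel8 backwards)
    return CMP_ECX_0 + jz + body + tail + jmp


def rel8(b):
    return b - 256 if b > 127 else b        # sign-extend an 8-bit displacement


def emulate(code, data, count, max_steps=100_000):
    """Interpret the loop over `count` bytes of `data`: eax indexes data, ecx counts down."""
    data, eax, ecx, zf, pc = bytearray(data), 0, count, False, 0
    for _ in range(max_steps):
        if pc >= len(code):                 # jz landed on `end:`
            return bytes(data)
        op, op2 = code[pc], code[pc:pc + 2]
        if op2 == b"\x83\xF9":              # cmp ecx, imm8
            zf, pc = ecx == code[pc + 2], pc + 3
        elif op == 0x74:                    # jz short rel8
            pc += 2 + (rel8(code[pc + 1]) if zf else 0)
        elif op == 0xEB:                    # jmp short rel8
            pc += 2 + rel8(code[pc + 1])
        elif op2 == b"\x80\x28":            # sub byte ptr [eax], imm8
            data[eax] = (data[eax] - code[pc + 2]) & 0xFF
            pc += 3
        elif op2 == b"\x80\x00":            # add byte ptr [eax], imm8
            data[eax] = (data[eax] + code[pc + 2]) & 0xFF
            pc += 3
        elif op == 0x40:                    # inc eax (sets ZF as the hardware does)
            eax = (eax + 1) & 0xFFFFFFFF
            zf, pc = eax == 0, pc + 1
        elif op == 0x49:                    # dec ecx
            ecx = (ecx - 1) & 0xFFFFFFFF
            zf, pc = ecx == 0, pc + 1
        elif op2 == b"\x09\xC0":            # or eax, eax: only the flags change
            zf, pc = eax == 0, pc + 2
        elif op2 == b"\x83\xC0":            # add eax, imm8 (sign-extended)
            eax = (eax + rel8(code[pc + 2])) & 0xFFFFFFFF
            zf, pc = eax == 0, pc + 3
        else:
            raise ValueError(f"unsupported opcode at {pc:#x}: {code[pc:pc + 3].hex()}")
    raise RuntimeError("loop did not terminate")


def encrypt(plain, key=KEY):
    """Inverse of the loop: add `key` to every byte modulo 256."""
    return bytes((b + key) & 0xFF for b in plain)


ORIGINAL = build_loop(sub_mem(KEY))         # 83 F9 00 74 07 80 28 30 40 49 EB F4


def rewritten(r):
    """The book's equivalent form: add r ; sub 30h ; sub r, with or eax, eax after inc eax."""
    return build_loop(add_mem(r) + sub_mem(KEY) + sub_mem(r), junk=JUNK[0])


def generations(n, seed=1):
    """n (stub, key) pairs as a virus regenerating its encryption at each infection
    would emit: a fresh key and masking value per copy, plus 0..3 junk instructions."""
    rng = random.Random(seed)
    keys = rng.sample(range(1, 256), n)     # distinct, so no two copies share a key
    masks = rng.sample(range(1, 256), n)
    stubs = []
    for i, (k, r) in enumerate(zip(keys, masks)):
        junk = b"".join(rng.choice(JUNK) for _ in range(i % 4))
        stubs.append((build_loop(add_mem(r) + sub_mem(k) + sub_mem(r), junk), k))
    return stubs


def common_signature(stubs):
    """Longest byte string present in every stub: all a scanner could key on."""
    shortest = min(stubs, key=len)
    for n in range(len(shortest), 0, -1):
        for i in range(len(shortest) - n + 1):
            cand = shortest[i:i + n]
            if all(cand in s for s in stubs):
                return cand
    return b""


# Constructed sample: one line of the decrypted header, encrypted the way the worm does.
PLAIN = b"Subject: Slave Message\r\n"

if __name__ == "__main__":
    print(emulate(rewritten(0x5A), encrypt(PLAIN), len(PLAIN)))
    print(common_signature([s for s, _ in generations(20)]).hex())
```

Every fixed-key copy shares all 12 bytes of the loop, which is exactly the signature the text warns about. With a fresh key and masking value per copy and a varying amount of junk, the only bytes common to all twenty stubs are the opening cmp ecx, 0 ; jz (83 F9 00 74), far too short to be a usable signature; this is why scanners fall back on emulating the decryptor until the body is in clear rather than on the decryptor's bytes.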
Apart from the two anti-antiviral techniques we have just described, other, more active ones can be used, such as:
• techniques that make antiviral programs dormant (by switching the antiviral program into static mode, or by modifying the filtering rules of firewalls, among other possibilities). As an example, the W32/Klez.H worm attempts to disable or kill fifty different antivirus products, both by killing their processes and by erasing files used by some of these processes. As for W32/Bugbear-A, its purpose was to defeat in the same way a hundred antiviral programs (antivirus software, firewalls, Trojan cleaners);
• techniques that disturb or saturate antiviral programs, in a very aggressive way, in order to prevent them from working properly;
• techniques that downright uninstall antivirus software.