--ntl-- (Guest)
Posted: Sun Dec 19, 2004 1:33 pm
Post subject: Code Permutation -- Unpacking Methods / Signature Strength
Recently, z0mbie's good ol' code permutation tool was rediscovered by Aphex and, subsequently, discussed in several underground boards.
1. How does it work?
Taken from the description:
________________________________________________
CODE PERVERTOR
release 1.00
Let's imagine the following.
We wrote a virus which partially permutates all code it can find - in the CODE sections, binary files, etc. Sure, it will be too hard to perform such a thing in the full meaning of permutation, but it's easy to replace some instructions or instruction groups with their equivalents of the same length. What will be achieved by performing that hard task?
- EXECUTABLE FILES will be changed
- PACKED executables & packer checksums will be changed
- TROJANs & their checksums will be changed
(tested on some trojans - all became undetectable)
- VIRUSES & their checksums will be changed
So, IDA will not understand standard libraries. Antiviruses will be unable to detect most of objects processed with such mutation.
Of course, the probability of two viruses meeting on the same PC is low. But anyway there are also lots of packers/trojans.
_______________________________________________
Taken from the configuration file:
_______________________________________________
; ---------------------------------------------------------------------------
; CODE PERVERTOR 2.xx data file
; (x) 2000 Z0MBiE
; ---------------------------------------------------------------------------
; - this file consists of parts, and each part consists of two bitmasks.
; - source bitmask is prefixed with '-' character, and destination with '+'.
; '$' character terminates each two bitmasks.
; - if two masks may be applied to one opcode, and the -a option is
; selected, the first mask will be used.
; - opcode conversion is possible from the first mask into the second one,
; but not vice versa.
; - all characters from 'a' to 'z' are copied from first mask to second one,
; but if in the second bitmask any character is in uppercase, value
; will be reversed.
; ***WARNING***:
; each character (such as 'a') means ONE bit, so if first source opcode
; is 0000aaaa, then only 00000000 and 00001111 opcodes will be processed.
- 100010s1 11abcdef ; mov r1, r2
+ 100010S1 11defabc
$
; FIXED!
- 00xyz0s1 11abcdef ; ttt r1, r2 (ADD,ADC,AND,OR,SUB,SBB,XOR,CMP)
+ 00xyz0S1 11defabc
$
- 10001011 11abcdef ; mov r1, r2
+ 01010def ; push r2
01011abc ; pop r1
$
- 10001001 11abcdef ; mov r1, r2
+ 01010abc ; push r2
01011def ; pop r1
$
- 001100sw 11abcabc ; xor r, r
+ 001010sw 11abcabc ; sub r, r
$
- 001010sw 11abcabc ; sub r, r
+ 001100sw 11abcabc ; xor r, r
$
- 000010sw 11abcabc ; or r, r
+ 1000010w 11abcabc ; test r, r
$
- 1000010w 11abcabc ; test r, r
+ 0000100w 11abcabc ; or r, r
$
- 10001011 11100101 ; mov esp, ebp
01011101 ; pop ebp
+ 10010000 ; nop
11001001 ; leave
10010000 ; nop
$
- 10000011 11001abc ; or r, -1
11111111
+ 00110011 11abcabc ; xor r, r
01001abc ; dec r
$
- 01100100 01100111 ; mov r, fs:[0]
10001011 00abc110
00000000 00000000
+ 00110011 11abcabc ; xor r, r
10010000 ; nop
01100100 10001011 ; mov r, fs:[r]
00abcabc
$
- 1101000w 11xyzabc ; ttt r, 1 (ROL,ROR,RCL,RCR,SHL/SHA,SHR,SAR)
1101000w 11xyzabc ; ttt r, 1
+ 10010000 ; nop
1100000w 11xyzabc ; ttt r, 2
00000010
$
_______________________________________________
2. DIY Test & Results
The following samples are variants of harmless Bionet 3.18 & Bionet 4.00.04 trojans (no working, visible server). They were scanned with BOClean, Dr. Web, Ewido, Kaspersky, NOD32 and TDS-3.
Bionet 3.18, standard sample, uncompressed
detected by: every scanner
not detected by: -
Bionet 4, standard sample, uncompressed
detected by: every scanner
not detected by: -
Bionet 3.18, uncompressed, perverted (variant 2)
detected by: BOClean, Dr. Web, Ewido, NOD32, TDS-3
not detected by: Kaspersky
Bionet 4, uncompressed, perverted (variant 2)
detected by: BOClean, Dr. Web, NOD32, TDS-3
not detected by: Ewido, Kaspersky
Bionet 3.18, standard sample, compressed /w UPX
detected by: every scanner
not detected by: -
Bionet 3.18, compressed /w UPX, then perverted (variant 1)
detected by: BOClean, Ewido, NOD32, TDS-3
not detected by: Dr. Web, Kaspersky
Bionet 3.18, compressed /w UPX, then perverted (variant 2)
detected by: BOClean, Ewido, NOD32, TDS-3
not detected by: Dr. Web, Kaspersky
Bionet 3.18, perverted (variant 2), then compressed /w UPX
detected by: BOClean, Dr. Web, Ewido, NOD32, TDS-3
not detected by: Kaspersky
Bionet 3.18, perverted (variant 2), then compressed /w UPX, then perverted again (variant 2)
detected by: BOClean, Ewido, NOD32, TDS-3
not detected by: Dr. Web, Kaspersky
Bionet 3.18, compressed /w UPX, then perverted (variant 3)
detected by: BOClean, Ewido, NOD32, TDS-3
not detected by: Dr. Web, Kaspersky
Bionet 3.18, compressed /w Petite 2.2
detected by: BOClean, Dr. Web, Ewido (on access/mem scan), Kaspersky, NOD32, TDS-3
not detected by: Ewido (on demand)
Bionet 3.18, compressed /w Petite 2.2, then perverted (variant 2)
detected by: BOClean, Ewido (on access/mem scan), NOD32, TDS-3
not detected by: Dr. Web, Ewido (on demand), Kaspersky
3. Analysis of Results
a) Kaspersky
Kaspersky uses a static, signature-based unpacking engine. The unpacking engine is extremely powerful since it supports hundreds of different packers and crypters. However, it is also extremely vulnerable to code permutation.
The same applies to Kaspersky's single-point scanning technique in connection with the use of code-based signatures (i.e., the code permutation vulnerability does not merely apply to Kaspersky's unpacking engine but also to the main scan engine which is responsible for the detection of uncompressed samples).
b) Dr. Web
It seems that Dr. Web also uses a static unpacking engine and, therefore, is affected in the same manner as Kaspersky.
The signatures used by Dr. Web for the detection of the Bionet trojan seem to be resistant to code permutation. However, we also performed internal tests with trojans like Lithium 1.03. Because Dr. Web did not detect permuted variants of other trojans, we conclude that Dr. Web is partially affected by this vulnerability.
c) Ewido
Ewido uses a generic unpacking engine that is less vulnerable to code permutation. On the other hand, Ewido's generic unpacking engine is less powerful than Kaspersky's static one (i.e., there are many compressors like Petite that are not (yet?) supported by Ewido). Fortunately, Ewido also supports memory scanning.
Like Kaspersky, Ewido's scan engine uses code-based signatures. In the light of the fact that Ewido claimed (and still claims?) to use "fuzzy", patch-proof signatures, we expected that Ewido would be able to resolve the permutations and, therefore, be resistant to code permutation. However, the non-detected Bionet 4 sample and our internal tests with other samples (like Lithium 1.03 and Aphex FTP) show that Ewido's "fuzzy" code-based signatures are almost as vulnerable as Kaspersky's code-based signatures.
d) NOD32
Not too bad ... the term "advanced heuristics" does not seem to be a mere marketing gag. It will require a more in-depth analysis in order to figure out how exactly NOD32 works.
e) BOClean & TDS-3
BOClean & TDS-3 do not rely on code-based signatures and, therefore, these scanners are not affected by the code permutation vulnerability. In other words, signatures that are based on text strings are sometimes, but not always, inferior.
4. Conclusion:
Probably, a good AT scanner should use different types of signatures, e.g., code-based signatures, signatures based on text strings and also signatures taken from the resource section (i.e., a file section that frequently remains uncompressed).
Nautilus, the Pervert.
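The rules quoted in section 1 swap one register-to-register encoding for an equivalent one, which is exactly what defeats an exact byte signature. The canonicalizer below is an added example written for this post, not z0mbie's tool nor any scanner's engine: it undoes the specific rewrites the data file lists (the mov/ALU direction-bit swap, the xor/sub and or/test pairs, push/pop standing in for mov, nop padding and the leave rewrite) on both the signature and the sample before matching, which is the kind of "fuzzy" signature section 3 expected from Ewido. The helper names, the sample byte sequences and the signature are constructed for the illustration, and the direction-bit rule is applied to the byte-sized (w=0) forms as well, one step beyond the 100010s1 / 00xyz0s1 masks in the file.

```python
from typing import Tuple

def _swap_fields(modrm: int) -> int:  # 11abcdef -> 11defabc (reg and r/m exchanged)
    return 0xC0 | ((modrm & 7) << 3) | ((modrm >> 3) & 7)

def canonicalize(code: bytes) -> bytes:
    """Rewrite every register-form instruction the rules above touch into one fixed encoding.
    Only those opcodes are decoded; anything else is copied a byte at a time, so a real
    scanner needs a proper instruction-length decoder in front of this (constructed example)."""
    out, i, n = bytearray(), 0, len(code)
    while i < n:
        op = code[i]
        nxt = code[i + 1] if i + 1 < n else 0
        if op == 0x90:                                    # nop padding carries no meaning: drop it
            i += 1
            continue
        if 0x50 <= op <= 0x57 and 0x58 <= nxt <= 0x5F:    # push rX ; pop rY  ->  mov rY, rX
            out += bytes((0x89, 0xC0 | ((op & 7) << 3) | (nxt & 7)))
            i += 2
            continue
        # 100010sw mov, 00xyz0sw add/or/adc/sbb/and/sub/xor/cmp, 1000010w test, with mod = 11
        if ((op & 0xFC) == 0x88 or (op & 0xC4) == 0 or op in (0x84, 0x85)) and (nxt & 0xC0) == 0xC0:
            modrm = nxt
            if op & 0x02:                                 # direction bit set: clear it, swap fields
                op ^= 0x02
                modrm = _swap_fields(modrm)
            same_reg = ((modrm >> 3) & 7) == (modrm & 7)
            if same_reg and op in (0x28, 0x29):           # sub r,r  ->  xor r,r
                op = 0x30 | (op & 1)
            if same_reg and op in (0x08, 0x09):           # or r,r   ->  test r,r
                op = 0x84 | (op & 1)
            if op == 0x89 and modrm == 0xEC and i + 2 < n and code[i + 2] == 0x5D:
                out.append(0xC9)                          # mov esp,ebp ; pop ebp  ->  leave
                i += 3
                continue
            out += bytes((op, modrm))
            i += 2
            continue
        out.append(op)                                    # not a form the rules rewrite: keep as-is
        i += 1
    return bytes(out)

def signature_hits(signature: bytes, sample: bytes) -> Tuple[bool, bool]:
    """(exact byte match, match after both sides are canonicalized)."""
    return signature in sample, canonicalize(signature) in canonicalize(sample)

# Constructed sample: one sequence and the same sequence after rule-based rewriting.
ORIGINAL = bytes.fromhex("8BC3 33C9 0BD2 8BE55D C3")   # mov eax,ebx; xor ecx,ecx; or edx,edx; mov esp,ebp; pop ebp; ret
PERMUTED = bytes.fromhex("5358 2BC9 85D2 90C990 C3")   # push ebx; pop eax; sub ecx,ecx; test edx,edx; nop; leave; nop; ret
SIGNATURE = bytes.fromhex("33C90BD2")                    # a code-based signature cut from ORIGINAL
```

`signature_hits(SIGNATURE, PERMUTED)` returns `(False, True)`: the raw signature misses the rewritten sample, the canonicalized one still hits.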