FILE DISINFECTION FRAMEWORK: STRIKING BACK AT POLYMORPHIC VIRUSES

"Invincibility lies in the defense; the possibility of victory in the attack." – Sun Tzu

Polymorphic viruses make up an ever-increasing percentage of daily malware collections. The sophistication of these attacks significantly exceeds the capabilities of existing classification and handling solutions. The situation goes from bad to worse when we attempt the most complicated part of incident response, file disinfection and remediation.

To combat this problem we've created a new open source project, the File Disinfection Framework (FDF), built on top of a new generation of TitanEngine and tailored specifically to aid in solving these hard problems. FDF combines both static analysis and emulation to enable users to rapidly switch between modes of operation to use the best features of each approach. Highly advanced static functions are hidden behind a simple and easy-to-use program interface that enables the broad range of capabilities that are required for decryption, decompression and disinfection. Their complement is a set of functions that enable quick and very customizable emulation. For the first time, analysts will have the ability to truly see and control everything that happens inside the emulated environment. They can run high level code inside the context of the emulated process to influence objects and files and direct the execution flow.

File disinfection framework features:

  • Static analysis functionality that has the ability to view, modify and build on-the-fly PE32/PE32+ files, fields and tables. A large number of embedded decompression routines is included along with systems that dynamically define static structures and build polymorphic decrypters.
  • Highly advanced PE32/PE32+ file validation and repair functionality that completely solves the issues brought up by our last year's BlackHat presentation titled "Constant insecurity: Things you didn't know about PE file format". These functions accurately detect and identify all purposely-malformed PE files that break current security tools or evade detection. In addition, if the file is damaged (as usually happens during virus infections) and deemed repairable, it is automatically repaired to maximize the number of remediated files.
  • Integrated hash database functionality that helps to resolved the otherwise unsolvable problem of reverting function name hashes back to their original names. This custom database is easily extended to add even more libraries and functions to its known hash lists.
  • A truly unique x86 emulator written from scratch that supports the following Windows features

    • Multiple processes in parallel each in a separate emulated OS
    • Vital Windows structures: PEB, TEB (with multiple threads) and SEH
    • x86 assembly code execution with support for FPU and MMX instructions
    • Windows objects such as handles, mutexes and environment variables
    • Hundreds of standard Windows APIs that can easily be extended by the user
    • Dynamically build libraries that mirror the application requirements
    • The entire file system with customizable drives
    • Interface which matches the standard Windows debug API
    • Use of emulated APIs which are directly exposed to user
  • User can call standard Windows APIs inside the context of an emulated process. For example the user can dynamically create a new DLL file inside the virtual file system and load it into the context of an emulated process by calling LoadLibrary equivalent. Every emulated API is exposed to the user and therefore usable with the option of hooking any API one or more times.

    • Advanced breakpoint logic which includes breakpoints on specific instruction groups and specific instruction behavior such as read or write to a specific part of the memory
    • Seamless switching between emulation and static analysis
  • Specific functionally designed to disinfect files infected with polymorphic viruses such as Virut and Sality with examples that show its use.

  • Tools to aid in writing disinfection routines such as automatic binary profiling with search for the presence and location of the virus stub.

File disinfection framework has been developed under the cyber fast track program run by DARPA and built on top of the new generation of TitanEngine. It's an open source cross platform x86-x64 library that enables its user to unpack, disinfect and build PE32/PE32+ files. These and all Emulation components of the new major release of this framework have been designed to be presented as a BlackHat exclusive. This talk will be followed by the public release of the source code along with whitepapers that outline possible use case scenario for this technology.

Presented by