Design and Implementation of The FiltroMatic - PowerPoint PPT Presentation

About This Presentation
Title:

Design and Implementation of The FiltroMatic

Description:

Design and Implementation of The FiltroMatic Presented By: Lord Viper Scorpion D4 C0rrupt0r The Dark Stallion of Chaos Master of Terror Why Worry About Macro Viruses? – PowerPoint PPT presentation

Number of Views:117
Avg rating:3.0/5.0
Slides: 15
Provided by: ITCL3
Category:

less

Transcript and Presenter's Notes

Title: Design and Implementation of The FiltroMatic


1
Design and Implementation of The FiltroMatic
  • Presented By
  • Lord Viper Scorpion
  • D4 C0rrupt0r
  • The Dark Stallion of Chaos
  • Master of Terror

2
Why Worry About Macro Viruses?
  • There are a lot of maladjusted individuals with
    no better way to deal with their frustration with
    society
  • Microsoft allows macros way too many privileges,
    and this is really easy to exploit
  • Macro viruses cause a lot of damage
  • 12.1B in 1999, according to Computer Economics
  • Melissa alone caused 80 million in damage

3
Why are Current Methods Ineffective and How can
we Improve Them?
  • Commercial anti-virus programs only check for
    fingerprints of known viruses
  • We propose a generalized macro filter that looks
    for viruses based on the content of the code
  • How does one determine if code is bad or not?

4
VBA Background
  • What is VBA and how is it used?
  • General purpose scripting language for Office
    applications
  • Used to automate repetitive tasks, format
    documents
  • Where does it derive its functionality?
  • From Application object libraries
  • From the Windows API, .DLLs on the host system
  • So whats the problem?
  • A VBA macro has the same privileges on the host
    as a native executable

5
Dealing with Microsofts Lack of Foresight
  • How can we compensate for the security
    vulnerabilities introduced by VBA?
  • By scanning macros for code that is clearly
    malicious
  • By alerting the user of possible misuse of code
    that could go either way
  • By trying to identify malicious macros without
    flagging legitimate ones

6
Designing a Macro Filter
  • Background Research
  • Learned VBA mechanisms
  • Reviewed known malicious macros
  • Compiled a list of VBA functions common to macro
    viruses
  • Reviewed legitimate macros to determine where
    gray areas exist

7
Example of VBA Malcode
  • From the Friends macro virus
  • Open C\autoexec.bat For Append As 1
  • Print 1, _at_echo off
  • Print 1, c\dos\fast.com
  • Close 1

8
Another Example of VBA Malcode
  • From Galicia Kalidade macro virus
  • If EdicinBuscarEncontrado() ltgt 0 Then
  • FijarAtributos "C\IO.SYS",0
  • FijarAtributos "C\MSDOS.SYS",0
  • Kill "C\IO.SYS"
  • Kill "C\MSDOS.SYS"

9
Yet Another VBA Malcode Example
  • From the Atom macro virus
  • Sub MAIN
  • On Error Goto KillError
  • If Day(Now()) 13 And Month(Now() 12) Then
  • Kill .
  • End If
  • KillError
  • End Sub

10
Yes, You Guessed It Another VBA Virus Example
  • From the Retro macro virus
  • If Not Y Then
  • F WindowName()
  • S F "Puritan MacroCopy S,
    "GlobalPuritan"
  • S F "Rtr MacroCopy S, "GlobalRetro"
  • S F "FSAB MacroCopy S,
    "GlobalFileSaveAs"
  • S F "FSAB MacroCopy S, "GlobalFSAB"
  • S F "AOB MacroCopy S, "GlobalAOB
  • End If

11
Implementation of our Filter
  • We chose to implement it as a Java library that
    developers could integrate into their
    applications.
  • Implementation consists of MacroScanner,
    MalCodeItem, MalCodeList, Report, and ReportItem.
  • Tailored scanner to minimize false positives.
  • What weaknesses does our method have?

12
Sample of Scanning Results for Malicious Macros
13
Sample of Scanning Results for Legitimate Macros
14
Conclusions
  • Macro viruses tend to use the same mechanisms to
    spread and attack
  • Our filter takes advantage of these similarities
    to detect known and unknown macro viruses
Write a Comment
User Comments (0)
About PowerShow.com