Case 3:17-cv-05659-WHA Document 410-6 Filed 03/28/19 Page 1 of 16

EXHIBIT F

Exhibit 3
VIRUS BULLETIN CONFERENCE, SEPTEMBER 1995 • 75

DYNAMIC DETECTION AND CLASSIFICATION OF COMPUTER VIRUSES USING GENERAL BEHAVIOUR PATTERNS

Morton Swimmer

Virus Test Center, University of Hamburg, Odenwaldstr. 9, 26243 Hamburg, Germany
Tel. +49 40 (illegible in scan), Fax (illegible in scan)

Baudouin Le Charlier and Abdelaziz Mounji

FUNDP, Institut d'Informatique, University of Namur, Belgium
E-mail: (illegible in scan)
`
ABSTRACT

[The opening sentences of the abstract are illegible in the scan.] Tools have been developed to speed up this process, ranging from programs which identify previously-classified files to programs that generate detection data. Some anti-virus products have built-in mechanisms such as heuristics, which enable them to detect unknown viruses. Unfortunately, all these tools have limitations. [The remainder of the abstract, which introduces the general rules presented in this paper, is illegible in the scan.]
`
1 INTRODUCTION

Virus researchers must cope with many thousands of suspected files each month, but the problem is not so much the number of new viruses (which number perhaps a few hundred and grows at a nearly exponential rate) as the number of files the researcher receives and must analyse: the 'glut'. Out of perhaps one hundred files, only one may actually contain a new virus. Unfortunately, there are no shortcuts: every file has to be processed.

© 1995 Virus Bulletin Ltd, 21 The Quadrant, Abingdon, Oxfordshire, OX14 3YS, England. Tel. +44 (0)1235 555139. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.

JNPR-FNJN2902900477273
Brute force manual analysis, requiring specialists, is still the standard method of sorting out such files. Some tools have been developed to help cope with the problem, ranging from programs which identify and remove previously-classified files and viruses to utilities which extract strings from infected files that aid in identifying the viruses. However, none of the solutions are satisfactory. Clearly, more advanced tools are required.
`
In this paper, the concept of dynamic analysis as applied to viruses is discussed. This is based on an idea, VIDES (Virus Intrusion Detection Expert System), coined at the Virus Test Center [BFHS91]. The system will comprise a PC emulation and an IDES-like expert system. It should be capable of detecting viral behaviour using a set of a priori rules, as shown in the preliminary work done with Dr. Fischer-Hübner. Furthermore, advanced rules will help in classifying the detected viruses.

The present version of VIDES is only of interest to virus researchers: it is not designed to be a practical system for the end-user; its demands on processing power and hardware platform are too high. However, it can be used to identify unknown viruses rapidly and provide detection and classification information to the researcher. It also serves as a prototype for the future application of intrusion detection technology in detecting malicious software under future operating systems, such as OS/2, MS-Windows NT and 95, Linux, Solaris, etc.

The rest of the paper is organized as follows: Section 2 presents the current state of the art in anti-virus technology; Section 3 describes a generic virus detection rule; Section 4 discusses the architecture of the PC auditing system; Section 5 shows how the expert system ASAX is used to analyse the activity data collected by the PC emulator; and finally, Section 6 contains some concluding remarks.
`
2 CURRENT STATE OF THE ART

For the purpose of discussion it will be necessary to define the term computer virus.

2.1 TERMS

There is still no universally-agreed definition for a computer virus. What is missing is a description which is still general enough to account for all possible implementations of computer viruses. The following definition for a computer virus is the result of discussion in comp.virus (Virus-L), derived from that made in [Swi95], which is the result of many years of experience with viruses at the Virus Test Center.

Definition 1: A Computer Virus is a routine or a program that can 'infect' other programs by modifying them or their environment such that a call to an infected program implies a call to a possibly evolved, functionally similar, copy of the virus.
A more formal, but less useful, definition of a computer virus can be found in the work of Cohen (citation key illegible in the scan). [Two lines illegible in the scan.] We talk of the infected file as the 'host'. Boot sector viruses infect system areas, such as the boot or Master Boot Sector, whereas file viruses infect executable files such as EXE and COM files. For an in-depth discussion of the properties of viruses, please refer to literature such as [Coh94] (the other citation keys are illegible in the scan).

Today, anti-virus technology can be divided into two categories: virus-specific and generic. [Two lines illegible in the scan.] This type of technology is known to us as [illegible]. The latter attempts to detect viruses by observing attributes characteristic of all viruses. For instance, integrity checkers detect viruses by checking for modifications in executable files: a characteristic of many (although not all) viruses.

[The remaining lines of this page are illegible in the scan.]
`
`
2.2 VIRUS SPECIFIC DETECTION

Virus specific detection is by far the most popular type of virus protection used on PCs. Information from the virus analysis is used in the so-called scanner to detect it. Usually, a scanner uses a database of virus identification information which enables it to detect all viruses previously analysed.

The term scanner has become increasingly incorrect terminology. The term comes from lexical scanner, i.e. a pattern matching tool. Traditionally scanners have been just that. The information extracted from viruses were strings which were representative of that particular virus. This means that the string has to:

• differ significantly from all other viruses, and
• differ significantly from strings found in bona fide anti-virus programs.

Finding such strings was the entire art of anti-virus program writing until polymorphic viruses appeared on the scene.

Encrypted viruses were the first minor challenge to string searching methods. The body of the virus was encrypted in the host file, and could not be sought, due to its variable nature. However, the body was prepended by a decryptor-loader which must be in plain text (unencrypted code), otherwise it would not be executable. This decryptor can still be detected using strings, even if it becomes difficult to differentiate between viruses.

Polymorphic viruses are the obvious next step in avoiding detection. Here, the decryptor is implemented in a variable manner, so that pattern matching becomes impossible or very difficult. Early polymorphic viruses were identified using a set of patterns (strings with variable elements). Moreover, simple virus detection techniques are made unreliable by the appearance of the so-called Mutation Engines such as MtE and TPE (Trident Polymorphic Engine). These are object library modules generating variable implementations of the virus decryptor. They can easily be linked with viruses to produce highly polymorphic infectors. Scanning techniques are further complicated by the fact that the resulting viruses do not have any scan strings in common even if their structure remains constant. When polymorphic technology improved, statistical analysis of the opcodes was used.

Recently, the best of the scanners have shifted course from merely detecting viruses to attempting to identify the virus. This is often done with added strings, perhaps position dependent, or checksums, over the invariant part of the virus. To support this, many anti-virus products have implemented machine-code emulators so that the virus' own decryptor can be used to decrypt the virus. Using these enhancements, the positive identification of even polymorphic viruses poses no problem.

The next shift many scanners are presently experiencing is away from known-virus-only detection to detection of unknown viruses. The method of choice is heuristics. Heuristics are built into an anti-virus product in an attempt to deduce whether a file is infected or not. This is most often done by looking for a pattern of certain code fragments that occur most often in viruses and hopefully not in bona fide programs. Heuristic analysis suffers from a moderate to high false-positive rate. Of course, a manufacturer of a heuristic scanner will improve the heuristics both to avoid false positives and still find all new viruses, but both cannot be achieved completely. Usually, a heuristic scanner will contain a 'traditional' pattern-matching component, so that viruses can be identified by name.

2.3 GENERIC VIRUS DETECTION

Computer viruses must replicate to be viruses. This means that a virus must be observable by its mechanism of replication.
`
`
Unfortunately, it is not as easy to observe the replication as it may seem. DOS, in its various flavours, provides no process isolation, or even protection of the operating system from programs. This means that any monitoring program can be circumvented by a virus which has been programmed to do so. There used to be many anti-virus programs which would try to monitor system activity for viruses, but were not proof against all viruses. This problem led to the demise of many such programs. Later in the paper, we shall discuss how we avoided the problem when implementing VIDES.

A more common approach is to detect symptoms of the infection such as file modifications. This type of program is usually called an integrity checker or checksummer.

When programs are installed on the PC, checksums are calculated over the entire file, or over portions of the file. These checksums are then used to verify that the programs have not been modified. The shortcoming of this method is that the integrity checker can detect a modification in the file, but cannot determine whether the modification is due to a virus or not. A legitimate modification to, for instance, the data area of a program will cause the same alarm as a virus infection.

Another problem is virus technology aimed specifically against anti-virus products. Advances in stealth and tunnelling technology have made updates necessary. There have also been direct attacks against particular integrity checkers, rendering them useless. Again, the lack of support from the operating system makes the prevention of such attacks very difficult. As a consequence, the acceptance of such products is low.

The non-specific nature of the detection has little appeal for many of the users. Even generic repair facilities in the anti-virus products do not help, despite these methods effectively rendering identification unnecessary. The problem is partly understandable. The user is concerned with his data. Merely disinfecting the programs is not enough if data has been manipulated. Only if the virus has been identified and analyzed can the user determine if his data was threatened.

Generic virus detection technology should not be dismissed. It is just as valid as virus-specific technology. The problems so far have stemmed from the permissiveness of the underlying operating system, DOS, and from the limits in the programs. Both problems can be addressed.

3 DYNAMIC DETECTION RULES

Before we can attempt to detect a virus using ASAX, we need to model the virus attack strategy. This is then translated into RUSSEL, the rule-based language which ASAX uses to identify the virus attack.

3.1 REPRESENTING INFECTION PATTERNS USING STATE TRANSITION DIAGRAMS

State transition diagrams are eminently suitable for representing virus infection scenarios. In this model of representation, we distinguish two basic components: a node in a state transition diagram represents some aspects of the computing system state. Arcs represent actions performed by a program in execution.

Given a (current) state s1, the action a takes the system from the state s1 to the state s2, as shown in Figure 1. The infection process played by a virus can be viewed as a sequence of actions which drives the system from an initial clear state to a final infectious state, where some files are infected. In order to get a complete description of the actual scenario, a state is adorned by a set of assertions, characterizing the objects as affected by actions.

Figure 1: State transition diagram (not reproduced in the scan)
`
`
In practice, we only represent those actions relevant to the infection scenario. As a result, many possible actions may occur between adjacent states, but are not recorded because they do not entail a modification in the current state. In terms of auditing, irrelevant audit records may be present in the sequence of audit records representing the infection signature.

For the sake of simplicity, discussion of the generic detection rules is based on the state transition diagrams described above.

3.2 BUILDING THE RULES

VIDES uses three types of detection rules: generic detection rules, virus specific rules, other rules. As its name implies, generic rules are used to detect all viruses which use a known attack pattern. For this, models of virus behaviour are needed for the target system (in our case MS-DOS). Virus-specific rules use information from a previous analysis to detect that specific virus, or direct variants. These rules are similar to virus-specific detection programs, except for the fact that they analyze the dynamic behaviour of the virus instead of its code. Finally, there are the 'other rules' for gleaning other information from the virus which can be used in its classification.

We will not go into the virus-specific rules or the 'other' rules, concentrating instead on the generic rules.

In developing a generic rule for detecting viruses, we need to have a model for the virus attack. No one model will do, because MS-DOS viruses can choose from many effective strategies. This is compounded by the diversity of executable file types for MS-DOS. Fortunately for us, the majority of viruses have chosen one particular strategy, and infect only two types of executable files. This means that we can detect most viruses with very few rules. On the other hand, a virus which uses an unknown attack strategy will not be detected. For this reason, the prototype analysis system contains an auxiliary static analysis component to detect such problems.

In the following, we will develop a generic rule which detects file infectors that modify the file directly to gain control over that file. We will concentrate on COM file infectors. EXE file infectors are detected in an analogous way.

We must make two assumptions about the behaviour of DOS viruses to help us build the rule.

Assumption 1: A file-infecting virus modifies the host file in such a way that it gains control over the host file when the host file is run.

This is a specific version of the virus definition (Def. 1). However, it doesn't specify when the virus gains control over the host file.

Assumption 2: The virus in an infected file receives control over the file before the original host program.

That is, when the infected file is run, the virus is run before the host program.

Discussion: If the virus never gains control over the host file, it would not fulfil the definition of a virus. This observation leads to Assumption 1. However, there is no reason (in the definition) why the virus must gain control before the host does.

We make an additional assumption that the virus does gain control before the host program does. The reason we do this is to avoid very blatant false positives. However, it should be noted that Assumption 2 does not result from the virus definition, and will cause some viruses to be missed. For these cases, other rules are used.
`
`
3.3 FINDING COM FILE INFECTIONS

With respect to Assumptions 1 and 2, we are looking for two possible infection strategies:

Figure 2: Generic rule for identifying COM file infectors (state transition diagram; only the transition labels 'read of BOF' and 'other reads or writes' are legible in the scan)

1. The virus is overwriting. Therefore, we are looking for a write to the beginning of the file (BOF) without a previous read to the same location. Other reads and writes are permitted.

2. The virus is non-overwriting. We expect to see a read to BOF, then a write to BOF. Before, in between, and after these two events, other reads and writes are permitted.

The assumption in both cases is that the write to BOF causes the virus to gain control on execution.

In the case of a non-overwriting virus, we assume that the virus first reads the original code at BOF and then replaces it with its own code, usually a jump to the virus body. In most cases, the number of bytes read will be the same as the number of bytes written, but we cannot assume this. In the case of an overwriting virus, the code is not read (and saved somewhere), but overwritten.

Other reads and writes are not actually relevant to the detection of the virus. They can be logged and used in generating virus specific rules.

The rule is initiated by the opening of a file (in our case a COM file). The rule is terminated by a close of the file, where this does not have to be done by the virus itself. In between these two events, we expect the actual infection to occur. We look for the read BOF followed by the write BOF, or the write BOF without the read. Other administrative operations, like tracking the file position, are also done by the rule. This is shown in the state transition diagram of Figure 2.

Some viruses cause problems for the rule by closing the file after a first set of operations. This is handled by a mechanism which waits for a possible open event on the same file from the virus. In order that this does not wait indefinitely and clog up the rule memory, there are a number of terminating
`
events. In Fig. 2, reopen is abstracted as a transition element, whereas its implementation is as a separate rule.
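As an added illustration (not part of the paper), the generic COM-infector rule of this section written as a small Python state machine and run over a constructed audit trail whose records carry the attributes listed in Section 4.5 (code segment, function number, arg[], ret[]). The INT 21h function numbers are the documented DOS handle-based file calls; the file names, handles and byte counts in the sample trail are constructed, not captured from a real virus.

```python
from dataclasses import dataclass

# MS-DOS INT 21h function numbers (AH register) for handle-based file access.
OPEN, CLOSE, READ, WRITE, LSEEK = 0x3D, 0x3E, 0x3F, 0x40, 0x42


@dataclass
class AuditRecord:
    """One emulator audit record; fields modelled on those listed in Section 4.5."""
    code_segment: int   # address of the executable image making the call
    function: int       # DOS function number requested (AH)
    args: dict          # register/memory values passed to the call (arg[])
    ret: dict           # register/memory values returned by the call (ret[])


@dataclass
class RuleState:
    """Information one rule instance carries from state to state (Section 4.7's
    'actual parameters'): the file being watched, its tracked position and
    what has happened at the beginning of the file (BOF) so far."""
    name: str
    position: int = 0        # file pointer of the currently open handle
    read_bof: bool = False   # the original code at BOF has been read
    verdict: str = "clean"   # "clean", "overwriting" or "non-overwriting"


def detect_com_infections(trail):
    """Apply the generic COM-infector rule (Figure 2) to a list of AuditRecords.

    A rule instance starts when a .COM file is opened, is suspended by a close
    and resumed if the same file is opened again (the 'reopen' transition).
    The first write at BOF decides the verdict: preceded by a read at BOF it
    is a non-overwriting infection, otherwise an overwriting one.
    Returns {file name: verdict} for every COM file the trail touched.
    """
    by_handle = {}   # currently open handle -> RuleState
    by_name = {}     # COM file name -> RuleState, kept across close/reopen
    for rec in trail:
        if rec.function == OPEN:
            name = rec.args["name"].upper()
            if not name.endswith(".COM"):
                continue  # the rule is only initiated for COM files
            st = by_name.setdefault(name, RuleState(name))
            st.position = 0  # DOS positions a freshly opened handle at BOF
            by_handle[rec.ret["handle"]] = st
            continue
        st = by_handle.get(rec.args.get("handle"))
        if st is None:
            continue  # activity on a file no rule instance is watching
        if rec.function == LSEEK:
            st.position = rec.ret["position"]  # new pointer (DX:AX) after the seek
        elif rec.function == READ:
            if st.position == 0 and rec.ret["count"] > 0:
                st.read_bof = True
            st.position += rec.ret["count"]
        elif rec.function == WRITE:
            if st.position == 0 and rec.ret["count"] > 0 and st.verdict == "clean":
                # the write to BOF is what hands control to the virus (Assumption 2)
                st.verdict = "non-overwriting" if st.read_bof else "overwriting"
            st.position += rec.ret["count"]
        elif rec.function == CLOSE:
            del by_handle[rec.args["handle"]]  # instance now waits for a reopen
    return {name: st.verdict for name, st in by_name.items()}


def _rec(fn, args, ret, code_segment=0x1A2B):
    return AuditRecord(code_segment, fn, args, ret)


# Constructed sample trail (not a real capture): names, handles and counts are made up.
SAMPLE_TRAIL = [
    # HOST.COM: read 3 bytes at BOF, append a body at EOF, rewrite the jump at BOF
    _rec(OPEN,  {"name": "HOST.COM"},                     {"handle": 5}),
    _rec(READ,  {"handle": 5, "count": 3},                {"count": 3}),
    _rec(LSEEK, {"handle": 5, "origin": 2, "offset": 0},  {"position": 1000}),
    _rec(WRITE, {"handle": 5, "count": 648},              {"count": 648}),
    _rec(LSEEK, {"handle": 5, "origin": 0, "offset": 0},  {"position": 0}),
    _rec(WRITE, {"handle": 5, "count": 3},                {"count": 3}),
    _rec(CLOSE, {"handle": 5},                            {}),
    # TINY.COM: code written straight over BOF, nothing read first
    _rec(OPEN,  {"name": "TINY.COM"},                     {"handle": 5}),
    _rec(WRITE, {"handle": 5, "count": 200},              {"count": 200}),
    _rec(CLOSE, {"handle": 5},                            {}),
    # SPLIT.COM: like HOST.COM, but closed and reopened between the read and write
    _rec(OPEN,  {"name": "SPLIT.COM"},                    {"handle": 6}),
    _rec(READ,  {"handle": 6, "count": 3},                {"count": 3}),
    _rec(CLOSE, {"handle": 6},                            {}),
    _rec(OPEN,  {"name": "SPLIT.COM"},                    {"handle": 6}),
    _rec(WRITE, {"handle": 6, "count": 3},                {"count": 3}),
    _rec(CLOSE, {"handle": 6},                            {}),
    # CLEAN.COM is only read; DATA.TXT is written at BOF but is not a COM file
    _rec(OPEN,  {"name": "CLEAN.COM"},                    {"handle": 7}),
    _rec(READ,  {"handle": 7, "count": 1000},             {"count": 1000}),
    _rec(CLOSE, {"handle": 7},                            {}),
    _rec(OPEN,  {"name": "DATA.TXT"},                     {"handle": 7}),
    _rec(WRITE, {"handle": 7, "count": 64},               {"count": 64}),
    _rec(CLOSE, {"handle": 7},                            {}),
]

if __name__ == "__main__":
    for name, verdict in detect_com_infections(SAMPLE_TRAIL).items():
        print(f"{name:10s} {verdict}")
```

The SPLIT.COM case exercises the reopen handling the paper describes: the rule instance survives the intermediate close, so the read at BOF before it and the write at BOF after it are still paired.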
`
MS-DOS provides two methods of accessing files. The most common method uses file handles. Access using file control blocks (FCB) was provided for compatibility to CP/M, and is rarely used, even by viruses. However, because it is used, we need a separate rule to handle this method. The basic rule stays the same, but internal handling of the data is different.

We could avoid this problem by abstracting the audit data to give us a generic view of the system events. This way, we could reduce the number of audit records to only relevant higher-level records by using a filter. After that, processing becomes simpler as the problems of reopens and handle/FCB use disappear. This method also allows us to apply the rules on non-MS-DOS systems which provide similar file handling.

As a matter of fact, ASAX itself is the logical choice to act as the filter. The first ASAX system reads the raw audit trail, converts it into generic data, and pipes its output as a NADF file for further processing (see Section 5). Using ASAX as a filter allows us to reduce the complexity of maintaining such a system while not sacrificing any power.

4 PC AUDITING

The prerequisite for using an Intrusion Detection (ID) system like ASAX is an audit system which securely collects system activity data. In addition, integrity of the ID system itself must not be compromised: this means that the audit data retrieval, analysis and archiving must be secured against corruption by viruses. Moreover, the ID system must not be prevented from reporting (raising alarms, updating virus information databases) the results of such analysis. DOS neither provides such a service, nor makes the implementation of such a service easy. Its total lack of security mechanisms means that the collection of data can be subverted. Even if the collection can be secured, the data is open to manipulation if stored on the same machine.

For the prototype of VIDES, we were not bound to a real-world implementation, so we explored various alternative possibilities. The experience gained by the use of such a system will not benefit DOS users, but should be applicable to users of various emerging 32-bit operating systems which offer DOS support.

We have made several attempts to build a satisfactory audit system; these are described hereafter.

4.1 DOS INTERRUPTS

All DOS services are provided to application programs via interrupts, which can be described as indexed intersegment calls. Primarily, interrupt 0x21 is used. The requested service is entered into the AH register and its parameters are entered into the other registers. When the service is finished, it returns control to the calling program and provides its results in registers or in buffers.

The very first implementation of an auditing system was a filter which was placed before DOS services and registered all calls to DOS functions. This was done very early on together with Dr. Fischer-Hübner, to prove the feasibility of the VIDES concept. It also demonstrated the limits which DOS imposes on the implementation of such an auditing system: it did not run reliably, and could be subverted by tunnelling viruses.

This implementation was soon scrapped, but it did prove that the premise was correct: viruses could be found using ID technology. This was perhaps the first such trial that had been done [BFHS91].
`
`
4.2 VIRTUAL 8086 MACHINE

The Intel iAPX 386 introduced the so-called virtual 8086 machine mode. A protected mode operating system can create many virtual 8086 machines in which tasks can run completely isolated from each other and from the operating system. Each task 'sees' only its own environment. Operating systems such as OS/2 use these constructs to provide a full DOS environment for DOS programs. All calls to the machine (via the BIOS interface or direct port access) and DOS are redirected to the host operating system (OS/2 in this case) for processing.

This mechanism can also be used to monitor the activity in a DOS session. Because all interrupts are being redirected to the native operating system, the native operating system can record the activity securely and unobtrusively.

Care has to be taken in the implementation of the virtual 8086 machine. The DOS windows in OS/2 have been shown in tests at the VTC to be too permissive. In the course of a comprehensive test including the entire collection of file viruses, many of the viruses running under a DOS window managed to harm vital parts of the system. One problem was that OS/2 files could be manipulated directly from within the DOS session. However, this did not explain the corruption of the running operating system.

Even though using a virtual 8086 machine was the original method of choice, such experiments showed that the complexity of building a safe implementation would be difficult. A more secure method was sought for the prototype.

4.3 HARDWARE SUPPORT

Hardware debugging systems, such as the Periscope IV, may be used to monitor system events closely in real time. This is achieved by a card fitted between the CPU and the motherboard, and which can set break points on various types of events on the PC's bus. The card is connected to a receiving card in a second PC which is used to control the debugging session.

Monitoring system behaviour on a DOS machine can be accomplished by capturing the Interrupt 0x21 directly, or by setting a break point in the resident DOS kernel. Special memory areas can be monitored by setting a break condition on access to those areas.

The monitoring is completely unobtrusive, i.e. the program will not notice a difference between running with or without the debugger. When an event is triggered, the PC is stopped while the controlling PC is processing the data. If the controlling PC is fast enough, the time delay should be nearly negligible.

A hardware solution using the Periscope IV is complicated by the problem of automating the processes necessary to test large numbers of viruses on different operating systems. When such a solution is implemented, it will offer the possibility of testing viruses on other PC operating systems which require full iAPX 386 compatibility.

4.4 8086 EMULATION

The solution which was finally chosen was the software emulation of the 8086 processor. An emulation is a program which accepts the entire instruction set of a processor as input, and interprets the binary code as the original processor would. All other elements of the machine must be implemented or emulated, e.g. the various ports. To simplify and quicken the emulation, the BIOS code (Basic Input Output System, the interface between the operating system and the hardware) can be replaced with special emulation hooks, so that the complicated machine access can be skipped as long as all access to those services are routed via the BIOS. In the case of a graphics adapter, the entire hardware must be emulated, whereas disk access can be handled with hooks in the BIOS.
The emulation gives us all the advantages of the hardware solution plus the [several lines illegible in the scan; the legible fragments mention the program running in the emulation, pseudo real time with respect to the emulated machine, and that time in the emulation can also be stopped]. The emulation is 'safe' as the running virus has no access to the host machine at all. This is because the target machine's memory is being controlled entirely by the emulation, and file accesses are directed to a virtual disk, stored as a disk image file.

The major problem with using an emulation is its lack of speed. Even on a fast platform, the running speed will only be marginally faster than an original PC.

4.5 ACTIVITY DATA FORMAT

Audit records in the Intrusion Detection model of Denning have the form <Subject, Action, Object, Exception-Condition, Resource-Usage, Time-Stamp>. However, due to the way processes are handled in DOS, this pattern is slightly modified to collect useful available attributes. For instance, the code segment of a process is chosen instead of the common process identifier used in most existing multi-user operating systems.

The audit record attributes of records as collected by the PC emulator have the following meaning: code segment is the address in memory of the executable image of the program; function number is the number of the DOS function requested by the program; arg[] is a list of register/memory values used in the call to a DOS function; ret[] is a list of register/memory values as returned by the function call; type is the type of the record; StartTime and EndTime are the time stamps of action start and end. The final format for an MS-DOS audit record is:

<code segment, type, StartTime, EndTime, function number, arg[], ret[]>

(An example audit trail of the Vienna virus is shown in Figure 3, which is not reproduced in the scan.)
`
4.6 ACTIVITY DATA COLLECTION

The audit system was integrated into an existing PC emulation by placing hooks into the module for processing all opcodes corresponding with the events (see Fig. 4). These are primarily calls to the DOS functions. This was implemented in such a way that stealth and tunnelling viruses could not circumvent the
`
`
mechanism. A separate module receives notification of the event and pushes all parameters onto a stack. When the DOS call returns, the parameters are popped from the stack and sent to the audit trail with the return values.

Figure 4: Modules in the emulator (block diagram with modules labelled 'audit', 'cpu' and 'hardware'; emulator name illegible in the scan; not reproduced)
Internally, the audit trail complies to a canonical format which is also ASAX's native format. This is very generic, and allows most types of records to be implemented. An example of an audit trail is printed in Figure 3. This is a human readable representation of the binary NADF file. The example is from an audit trail of the Vienna virus. The text representation does not comply exactly with the binary version. Some of the less important fields are missing so that the audit record becomes clearer and shorter.

In the next section, we show how the activity data produced by the emulator is analysed using ASAX.

4.7 USING RUSSEL TO DETECT INFECTION SCENARIOS

In this section, we show how the RUSSEL language can be used effectively to detect an infection scenario. We first model the infection as a state transition diagram, then briefly show how this diagram can be translated into RUSSEL rules.

Each state in the diagram is represented by a rule describing not only the current state, but also the sequence of previous states leading to it. The actual parameters of the current rule encode all the relevant information collected in previously-visited states. A transition in the diagram is represented by the rule-triggering mechanism of the RUSSEL language as described in Section 4. The actual parameters of the current rule are computed from the data carried by the current audit record and from the parameters of the current rule. The new rule then represents the new current state in the transition diagram. In particular, the very first active rule at the beginning of the detection process has no actual parameters, since no information is contained in the initial state (one can argue that the initial state contains this information: the system is clean. That is then represented by an empty list of parameters). As an example, t
