Armored doors, security entrance, surveillance cameras, and biometric iris recognition: the Loria1 High Security Laboratory (LHS) in Nancy (northeastern France) is a fortress where six million computer virusesFermerProgram capable of infecting another computer software by altering it so that it can in turn reproduce. Although viruses were not malicious at first, today most carry malware and can disrupt at to varying degrees the operation of the infected computer. They spread via computer networks or  peripheral devices such as USB drives, etc. are locked away. This collection of the worst "nasties" from the webosphere, caught online by LHS researchers, includes malwareFermerDeliberately malicious software developed to harm a and infect a computer system without the consent of its user. that hacks into our data, destroys our software programs or hard drives, and even forces our computers to unleash torrents of spamFermerUnsolicited email. Generally sent in bulk for advertising purpose. to paralyze the servers of a competitor or enemy site. What is the point of collecting these super-villains? To analyze them in depth, and develop tools for detecting their "mutants," i.e., slightly modified variants stemming from the same root, but that have not yet caused enough damage to be listed and included in antivirus programs on the market. "In general, these software programs only detect viruses they are already familiar with," points out Jean-Yves Marion, director of the LHS. "This is why their developers pay close attention to research results, in order to improve their programs." All the more so as there are many more attacks today than ten or twenty years ago. The 1980s, when geeks cracked systems for the beauty of it, are long gone...

Ever more sophisticated viruses

"There is no more room for amateurism," continues the researcher. "Most attacks are motivated by profit or espionage, and are carried out by criminal groups or governmental organizations that spend months developing elaborate viruses." In November 2014 for instance, the antivirus software developer Symantec revealed the existence of Regin. For at least six years, through computers and GSM smartphones, this program had been stealing passwords and taking screenshots in the IT network of the EU headquarters, but also in the research centers, airline companies, and communication networks of a number of European countries, as well as of Russia, Saudi Arabia, Mexico, etc. Regin is so extraordinary and complex (it apparently required four people working full-time for a year), that experts believe it could only have originated from a governmental organization.2

LHS researchers use a virtual telescope, connected to the Internet via classic ADSL cable to simulate the presence of vulnerable computers and spark attacks they can then capture.

LHS researchers use a virtual telescope, connected to the Internet via classic ADSL cable to simulate the presence of vulnerable computers and spark attacks they can then capture.

KAKSONEN/INRIA

KAKSONEN/INRIA

Share

Share

How can fake unwary computers be displayed online? It essentially comes down to sending signaling messages. When, at its node junction, the Internet protocol periodically asks connected machines "hey you, who are you?" the virtual telescope generates false responses, such as: "I'm a Mac navigating without an anti-virus program" or "I'm a PC running on such and such operating system"—the carefully chosen system of course being a basic version with many flaws.

Once captured, the malware is put through the wringer of the Gorilla software program, the laboratory's secret weapon. "Like any anti-virus programs on the market, the objective is to find a signature that is unique to the malware and that will help identify it," explains Marion. "For us, the signature of malware is its complete structure." In short, a sketch of the culprit's overall "silhouette." The result is that it is now possible to find the suspect if the malware developers make slight modifications to produce a mutant.
 

3D graph of the structure of a computer virus (in the background: Alexandre Boeglin and Frederick Beck from the Madynes team).

3D graph of the structure of a computer virus (in the background: Alexandre Boeglin and Frederick Beck from the Madynes team).

KAKSONEN/INRIA

KAKSONEN/INRIA

Share

Share

Flushing out malware, a can of worms

"To extract the structure of a malicious program, it is necessary to look at the list of instructions that make it up, in assembly code (i.e., the language of the machine)," explains Fabrice Sabatier, from the Carbone team at the LHS. According to their nature (performing a calculation, repeating a certain action, asking the user to enter data, etc.), these instructions are then given a geometric form as symbol. These forms are then relayed by nodes representing the "conditional jumps," in other words the famous "if-then-else" propositions that give the order to execute such and such an action according to a condition. These representations are fairly common in information technology. "Yet a program is made up of millions of nodes!" the researcher continues. The beauty of the method resides in rules of simplification, in deleting this node but not another, or such set of instructions that are deemed not very characteristic, in order to obtain a sketch or "graph" of only a few thousand to a few hundred thousand nodes (see video below).

3D Graph of malware by CNRS
In this video: a 3D graph is created from malware code.

Identifying different functionalities, lost among thousands of lines of code, is a central issue in fundamental research in computer science, for there is no algorithm able to confirm with certainty that two programs do the same thing (this is called undecidability, a mathematical demonstration first performed by Alan Turing). "For that matter, analyzing viruses raises questions that are just as fundamental, such as what, in the end, is a malicious program?" continues Marion. How is it possible to distinguish it from an ordinary program that operates in a way that is not always justifiable? What differentiates it from your favorite online game application when the latter tries to determine your geolocation? Or when it tries to send your information to a third party, as a famous bird game was accused of doing last year?5 Researchers must, eventually, define in what contexts certain functionalities are suspect, and in what other contexts they are not...

Should we worry in the future about new generations of viruses with revolutionary natures and structures? "Innovation in computer virology mostly lies in how to protect malware by 'disguising' it," Marion points out. There are the mutants mentioned earlier, but also the encryption of a virus code or the zipping or re-zipping it up to a hundred times within another program, in order to hide it and thereby avoid anti-virus analysis. With regard to dissimulation, there is worse still: certain malware programs change themselves during their execution on a PC, with hidden functionalities triggered in waves, which can erase themselves along the way, or never activate themselves at all!

Objective: to guarantee the digital security of citizens

Of course Google and other members of GAFAFermerAcronym formed from the initials of the Internet giants Google, Apple, Facebook and Amazon. are also keeping an eye on things. For that matter, the US search engine has an even more impressive malware collection than that of the LHS, with 300 to 400 million samples, even if they are also teeming with duplicates, whether mutants or not, which swell the figure. "In addition to these private actors, public research plays a crucial role, notably in the field of virology, which is little developed in France and Europe," insists the director of the LHS, France's leading platform for academic research dedicated to computer security. 

"In parallel to the actions put in place by companies motivated by commercial interests, public research should provide solutions to guarantee the digital security of citizens, seek out the weaknesses of commercially-available resources, and inform the general public, who is then free to use them or not," stresses the researcher. This salutary process can also prompt developers or web providers to quickly offer corrective patches. An edifying example shook the Web last June: a demonstration on Logjam, conducted by researchers from Loria, highlighted a major flaw in the https protocol, which secures Internet connections. Not to mention the fact that the fully-connected world that we are preparing will give hackers more and more targets. "Before being developed on a large scale, the Wi-Fi connected pacemaker, autonomous car, pulse-reading bracelet or electronic voting devices will require a number of guarantees," advises Marion. Whom will we choose to entrust with this responsibility?

Related articles: 
Logjam: The Flaw that Threatens the Internet
Could the Future of Democracy be Digital?