Index [ptgmedia.pearsoncmg.com] · 2009. 6. 9.
Symbols

@m (computer virus naming conventions), 42
@mm (computer virus naming conventions), 42
@mm worms (mass-mailer worms), 29
3 Tunes (virus), 92
3APA3A (virus), 116
16-bit Windows
    EPO (entry-point obscuring) viruses, 147-150
    NE viruses, 60
32-bit address spaces. See virtual memory systems (Windows NT)
32-bit polymorphic viruses, 264-268
32-bit Windows. See Win32
64-bit platforms, kernel mode scanning on, 530-531
64-bit Windows, PE viruses, 61
911 attacks, 308
1260 virus, self-protection technique, 261-262

A

ABAP viruses, 89
ABAP/Rivpas (virus), 89
access
    context-based access control (CBAC), 586
    counterattacks, 596
    Dumaru (worm), 640
    early warning systems, 598
    firewalls, 588-589
    honeypot systems, 593-594
    network intrusion detection system (NIDS), 591-592
    router access lists, 585-587
    worm behavior patterns, 598-608
accidentally destructive payload viruses, 297
ACG (Amazing Code Generator) virus, 270, 277
    code emulation, 463-464
    disassembling, 463
    heuristics, 465
    self-protection technique, 253
Acrobat, PDF viruses, 90
ActionScript viruses, 91
activation methods. See payload activation
active instructions, tracking, 454
active pages, patching code in, 522
ActiveX controls
    rights verification, 388
    safe-for-scripting, 388-389, 417-419
675
Szor_Index_ver6.qxd 1/7/05 1:59 PM Page 675
Address Resolution Protocol (ARP) requests, 595
address-book worms, 319
address spaces
    process randomization, 570
    return-to-LIBC attacks, 569-573
    upper 2G of address space (memory scanning), 527
    user address space of processes (scanning), 523
    virtual address spaces (Windows NT), 501-505
addresses
    GOT/IAT page attributes, 574
    virtual, translation of, 500
AddressOfEntryPoint field (PE header), 164
Adleman, Leonard, 18
ADM (worm), avoiding buffer overflow attacks, 413
administration
    memory, 498-499
    Virtual Memory Manager, 503
Admiral Bailey (virus writer), IVP (Instant Virus Production Kit), 292
Adobe Acrobat, PDF viruses, 90
Adore (rootkit), 36
adware, definition of, 38
AIDS Information Diskette (Trojan horse), 31, 305
Alcopaul (virus writer), W32/Sand.12300 virus, 140
alerts, DeepSight, 598
algorithmic detection, metamorphic viruses, 271
algorithmic scanning methods, 441-443
    filtering, 443-444
    static decryptor detection, 444-446
    X-RAY method, 446-451
algorithms, Boyer-Moore, 431
Aliz (worm), 644
ALS/Burstead (virus), 92
altering module, 592
Amazing Code Generator (ACG) virus. See ACG virus
AmiPro viruses, 94-95
Amoeba (infection technique), 140
analysis, malicious code analysis techniques, 612
    architecture guides, 615
    collection maintenance, 661
    dedicated system installation, 612, 615
    Digital Immune System, 661-664
    disassemblers, 626-632
    dynamic analysis techniques, 634-655
    knowledge bases, 615-616
    process of, 618-625
    unpacking, 625
    Virus Analysis Toolkit (VAT), 656-659
    VMWARE, 616-617
Anarchy.6093 (virus), 112
ANIMAL (game), 17
Anna Kournikova virus, 35, 292
ANSI.SYS drivers, reconfiguring key functions, 90-91
Anthrax (virus), 210
Anti-AVP (virus), self-protection technique, 248
ANTI-VIR.DAT file (antivirus program), 248
AntiCMOS (virus), 306
antidebugging techniques (armored viruses), 226-234
antidisassembly techniques (armored viruses), 220-226
antiemulation techniques (armored viruses), 242-247
AntiEXE (virus), somewhat destructive payload viruses, 300
antigoat techniques (armored viruses), 247
antiheuristics techniques (armored viruses), 234-242
AntiPascal (virus), 302
antivirus defense techniques, 426-427
antivirus programs. See also disinfection methods
    “Are you there?” calls, 199
    behavior-blocking programs, 19
    disabling with retroviruses, 247-249
    half-cooked repairs, 136
    history of, 27-28
    integrity checker programs, 19
    modeling virus infections, 11-12
    scanning, 252
    testers, 672
    vendor contact information, 670
    versus computer security companies, 366-367
antivirus viruses, 357
API hooking (infection technique), 150-151
API strings, 241-242
APIs, control transfer, 246
AplS/Simpsons@mm (worm), 90
APM/Greenstripe (virus), 95
appending viruses (infection technique), 132-133, 174-175, 240-241
AppleScript viruses, 90
applications
    algorithmic scanning methods. See algorithmic scanning methods
    antivirus defense techniques, 426-427
    code emulation. See code emulation
    disinfection methods, 474-477
    first-generation antivirus scanners. See first-generation antivirus scanners
    heuristic analysis, 467-474
    metamorphic virus detection. See metamorphic virus detection
    rights verification, 388
    second-generation antivirus scanners. See second-generation antivirus scanners
architecture dependency. See computer architecture dependency
architecture guides, malicious code analysis techniques, 615
archive format dependency, 100
“Are you there?” calls (self-detection technique), 198
arenas (sections of memory), 498
armored viruses, 220
    antidebugging techniques, 226-234
    antidisassembly techniques, 220-226
    antiemulation techniques, 242-247
    antigoat techniques, 247
    antiheuristics techniques, 234-242
ARP (Address Resolution Protocol) requests, 595
“Art of the Fugue” (Bach), 5
art versus science, 4
ASPACK (run-time packer), 625
Atkinson, Bill, 91
attachment inserters (worm infections), 334
attacks. See also blended attacks; buffer overflow attacks; viruses; worm blocking techniques
    against memory scanning, 532-533
    algorithmic scanning methods. See algorithmic scanning methods
    antivirus defense techniques, 426-427
    code emulation. See code emulation
    code injection attacks, 341-342, 543
    dictionary attacks, 324
    DoS (denial of service) attacks, 306-308, 539
    e-mail worm attacks, 333-334
    executable code-based attacks, 339
    file parsing attacks, 319-320
    first-generation antivirus scanners. See first-generation antivirus scanners
    future, 575-578
    heuristic analysis, 467-474
    injected code detection, 557-562
    instant messaging attacks, 333
    Linux/Slapper, 647
    metamorphic virus detection. See metamorphic virus detection
    network share enumeration, 324-326
    network-level defense strategies. See network-level defense strategies
    NNTP attacks, 338
    password-capturing attacks, 325
    peer-to-peer network attacks, 332-333
    phishing attacks, 308-309
    remote login-based attacks, 341
    return-to-LIBC, 543, 569-573
    second-generation antivirus scanners. See second-generation antivirus scanners
    shell code-based attacks, 342-344
    SMTP proxy-based attacks, 334-335
    SMTP-based attacks, 335-338
    stack smashing, 546
    vampire attacks, 358
attributes, GOT/IAT page, 574
authenticated updates (worm infections), 346-351
auto-rooters, definition of, 34
AutoLisp viruses, 92-93
automata. See cellular automata; self-replicating systems
automated analysis, Digital Immune System, 661-664
automated exploit discovery, 578
AUTORUN.INF file viruses, 97
AV-Test.org, 672
AVP (antivirus software), 248
Azusa (virus), infection technique, 125

B

B0/S0 (virus writer), W32/Aldebera virus, 139
Bach, Johann Sebastian (“Art of the Fugue”), 5
Back Orifice (backdoor system), 331
backdoor features in worms, 309-311
backdoor-based updates (worm infections), 351
backdoor-compromised systems (worm infections), 331-332
backdoors, definition of, 32
backward decryption, 230
BAD, marking sectors as, 128
Badboy (virus), self-protection technique, 260, 271
Badtrans (worm), 366
BAT/Batalia (virus), 82
BAT/Hexvir (virus), 82
BAT/Mumu (virus), 83
    weak passwords, 324
BAT/Polybat (virus), 82
BAT/Ramble (virus dropper), 96
BAT/Zipbat (virus), 82
BATCH viruses, 82
BATVIR (virus), 82
Beast (virus), 112
behavior blockers, definition of, 19, 209
behavior patterns (worms), 598-608
Belcebu, Billy (virus writer), 233
beneficial viruses, 357
Benny (virus writer)
    W2K/Installer virus, 137
    W32/Donut virus, 99
    W32/HIV virus, 59
    W32/Press virus, 78
Bergroth, Ismo, 496
BHP (virus), 57-58
binary viruses
    computer architecture dependency, 52
    CPU dependency, 53-54
    operating system dependency, 55
BIND (Berkeley Internet name domain) servers, Linux/ADM worm, 397
BioWall project Web site, 12
Bizatch (virus), 61
Black Baron (virus writer), 448
black boxing, 624
black-box testing, 634
BlackIce firewall, 646
blank passwords, danger of, 324
Blaster (worm). See W32/Blaster (worm)
blended attacks. See also buffer overflow attacks
    danger of, 366-367
    defined, 366
    history of, 367-368
blocking
    buffer overflow attacks (worms). See buffer overflow attacks (worms)
    Microsoft SQL Server exploits, 559-560
    scripts, 539-541
    self-sending code blocking, 563-565
    shellcode, 558-562
    SMTP, 539-541
    W32/Blaster (worm) exploits, 561
    W32/CodeRed (worm), 542, 560-561, 564-565
    W32/Slammer (worm), 542-564
    W32/Welchia (worm) exploits, 562
blocking mode, 592
Bluetooth and wireless mobile worms, 359-361
Bochs, 663
Bontchev, Vesselin, 39, 61, 74-75, 349, 447, 633, 661
bookmarks, first-generation antivirus scanners, 433-434
boot sector viruses. See boot viruses
boot strap loader, 122
    replacement of, 124-125
boot viruses, 122-124
    computer architecture dependency, 52
    DBR (DOS BOOT record) infection techniques, 126-129
    encryption, 303-304
    hooking INT 13h (interrupt handler), 191-193
    installation, 197
    interrupt hooking, 188
    MBR (master boot record) infection techniques, 124-126
    over networks, 129
    in Windows 95, 129
Borland Quattro spreadsheet program, 187
Brain (virus), 52, 122, 197, 200, 497
    attack by Denzuko virus, 127
    competition between viruses, 357
    read stealth viruses, 203
break points
    detecting, 227
    removing, 233
    stopping, 454
broadcast segmentation technique, 353
Brown, Ralf, 615
Brunner, John (Shockwave Rider), 29
brute-force decryption, RDA viruses, 245, 256
BSD/Scalper (worm), 327, 353, 401, 406, 543
.bss section (PE files), 167
buffer overflow attacks (worms), 538-542
    avoiding, 413-414
    blocking, 543-544
    code reviews, 544
    CodeRed worm, 398-401
    compiler-level solutions, 545-552
    definition of, 368-369
    first-generation buffer overflows, 369-371
    kernel-mode extensions, 554-556
    Linux/ADM worm, 397-398
    Linux/Slapper worm, 401-407
    Morris worm, 367, 395-397
    operating system-level solutions, 552-554
    program shepherding, 556
    script/SMTP blocking, 539-542
    second-generation buffer overflows, 371-378
    subsystem extensions, 554
    third-generation buffer overflows, 378-394
    W32/Blaster worm, 410-413
    W32/Slammer worm, 407-410
Buffer Security Check feature, 552
BugTraq databases, 598
Bumblebee (virus writer), W32/RainSong virus, 152
Burger, Ralf (virus writer), Virdem virus, 135
Burglar.1150.A (virus), system modification attacks, 391
Burks, Arthur, 6
Butler, Max, 397
C

Cabanas. See W32/Cabanas (virus)
cache bypass vulnerability, W32/Blebla worm, 419
cache viruses. See disk cache viruses
calc.exe, 619
CALL-to-POP trick, 240-241
calls, system tracing, 647-648
canonicalization, 385-386
captures
    Linux/Slapper (worm), 600-602
    network traffic, 643
    W32/Blaster (worm), 598-600
    W32/Sasser.D (worm), 603
    W32/Slammer (worm), 607-608
    W32/Welchia (worm), 605
CARO (Computer Antivirus Researchers Organization), 38
Cascade (virus), 24-26, 53, 59
    nondestructive payload viruses, 298
    self-protection technique, 230, 253
    X-RAY scanning, 447
cavity viruses (infection technique), 136-137
CBAC (context-based access control), 586
CC hack, 104
CEF file format, 111
cell phones, worms on, 359-361
cellular automata (CA) computer architecture, 6. See also self-replicating systems
    Edward Fredkin structures, 7-8
    game of Life (Conway), 8-12
chain letters, definition of, 37
Characteristics field (PE header), 164
check bytes. See bookmarks
checksum
    API strings, 242
    CRC checksum, 248
    detecting break points, 227
    recalculation, 239
    as self-protection technique, 224-225
Checksum field (PE header), 165
Cheeba (virus), self-protection technique, 257
Cheese (worm), 315, 318
Chess, Dave, 26, 277
Cheswick, Bill, 593
Chi, Darren, 75
CHRISTMA EXEC worm, 78-79
Cisco routers. See routers
classic parasitic viruses (infection technique), 135-136
cleaning goat files, 639
Clementi, Andreas, 673
cluster prepender infection method, 57
cluster viruses, file system dependency, 56-58
cluster-level stealth viruses, 207-208
CMOS viruses, 306
Codd, E.F., 6
code
    in active pages, patching, 522
    injected code detection, 557-562
    malicious code analysis techniques. See malicious code analysis techniques
    quick examination during computer virus analysis, 621
    self-sending code blocking, 563-565
    versus data in von Neumann machines, 5
code builders (infection technique), 155-156
code confusion. See obfuscated code
code emulation, 451-454
    antiemulation techniques (armored viruses), 242-247
    dynamic decryptor detection, 459-461
    encrypted/polymorphic virus detection, 455-458
    metamorphic virus detection, 463-466
code emulation-based tunneling, 219
code evolution, 252-253
code injection attacks, 341-342, 398-401, 543
code integration viruses (infection technique), 155, 278-281
code propagation techniques (worms), 338
    code injection attacks, 341-342
    executable code-based attacks, 339
    HTML-based mail, 340
    links to Web sites or proxies, 339-340
    remote login-based attacks, 341
    shell code-based attacks, 342-344
code redirection, 469
code reviews, buffer overflow attacks (worms), 544
code sections
    naming, 469
    packing, 237
    PE entry points, 468
    random entry point, 237-238
    sizes in header, 241
    writeable flag, 238
CodeGreen (antiworm). See W32/CodeGreen (antiworm)
CodeRed (worm). See W32/CodeRed (worm)
CodeRed_II (worm), 310, 520
Cohen, Frederick, 18, 302
    definition of computer viruses, 18-20
    history of antivirus programs, 27
Coke. See W32/Coke (virus)
collection (viruses) maintenance, 661
COM viruses, 59
combined attacks. See blended attacks
Commander_Bomber (virus), infection technique, 142-143
companion viruses (infection technique), 18, 176
competition between viruses, 357-358
compiler alignment areas, recycling, 238
compiler dependency, 108-109
compiler-level solutions, buffer overflow attacks (worms), 545-546
    Microsoft Visual .NET, 2003 (7.0 & 7.1), 549-552
    ProPolice, 548-549
    StackGuard, 546-548
compressing viruses (infection technique), 139-140
    file system dependency, 59
compression
    PE file-infection techniques, 235
    run-time packers, 625
    as self-protection technique, 225-226
Computer Antivirus Researchers Organization (CARO), 38
computer architecture dependency, 52-53
computer security companies versus antivirus programs, 366-367
computer simulations of nature. See nature-simulation games
computer virus analysis, process of, 618-624
computer virus research. See virus research
computer viruses. See viruses
computer worms. See worms
computers, modeling virus infections, 11-12
connections, worm blocking techniques, 574-575. See also network-level defense strategies
construction kits. See virus construction kits
contagion worms, 576
context-based access control (CBAC), 586
control transfer with APIs, 246
Conway, John Horton (game of Life), 8-12
cookies, security_cookie values, 550
cooperation between viruses, 354-357
coprocessor instructions, 242-243
copy-protection software, extra disk sectors, 127
copycat worms. See worm blocking techniques
Core War (game), 12-16, 534
Core Wars instructions (1994 revision), 14
Corel Script viruses, 95
corruption of macro viruses, 69-71
counterattacks, 596
CPU dependency, 53-54
CPU instructions, undocumented, 245
CPUs, Win32 platform support, 159
CR0 control registers, 529
CRC checksums, 248
CreateFile( ) API, 232-233
CreateProcess( ) API, 559
Creeper (virus), 17
cross-platform binary viruses, 52
Cruncher (virus), infection technique, 139
Crypto API, 257
cryptographic detection, 446
cryptography, AIDS TROJAN DISK Trojan horse, 31
Cryptor (virus), 232
Csakany, Antal, 11
CSC/CSV (virus), 95
CSC/PVT (virus), 95

D

-d command (UPX), 625
Dark Angel (virus writer), PS-MPC virus construction kit, 290
Dark Avenger (virus writer), 26-27
    Commander_Bomber virus, 142-143
    MtE (mutation engine), 262-264
    Number_Of_The_Beast virus, 193
    self-protection technique, 220
Darkman (virus writer), 137
Darkness (virus), 88
DarkParanoid (virus), memory scanning attacks, 532
Dark_Avenger.1800.A (virus), 218, 303
Darth_Vader (virus), 197
    infection technique, 137
    system buffer viruses, 209
Darwin (game), 12
data diddler viruses, 302-303
Data Fellows, 613
Data Rescue’s IDA. See IDA (disassembler)
.data section (PE files), 167
data stealing viruses, 308-311
data versus code in von Neumann machines, 5
date and time dependency, 98
DBR (DOS BOOT record), infection techniques, 126-129
DCL viruses, 79-80
DDoS (distributed denial of service) attacks, 36
de Wit, Jan, 35
deactivation of filter driver viruses, 527-529
dead virus code, reviving, 127
DEBUG command, 25, 367
debug interfaces, tracing with, 219
debug registers, clearing, 232
.debug section (PE files), 168
debugger dependency, 106-108
debugging, 648-651, 655
    antidebugging techniques (armored viruses), 226-234
DEC/VMS systems, DCL viruses, 79-80
deception, e-mail worm attacks, 333-334
decoders, packets, 591
decryption. See also encryption
    backward decryption, 230
    disassemblers, 626-632
    nonlinear decryption, 256
    RDA viruses, 245
    with stack pointer (SP), 230
decryptors
    dynamic detection, 459-461
    static detection, 444-446
    tracking, 454
dedicated virus analysis systems
    installation of, 612-615
    VMWARE, 616-617
DeepSight alerts, 598
Demon Emperor (virus writer), Hare virus, 129, 255
denial of service (DoS) attacks, 35, 306-308, 539
    against Windows Update Web site, 413
Denzuko (virus)
    competition between viruses, 357
    infection technique, 127
dependencies
    archive format dependency, 100
    compiler and linker dependency, 108-109
    computer architecture dependency, 52-53
    CPU dependency, 53-54
    date and time dependency, 98
    debugger dependency, 106-108
    device translator layer dependency, 109-112
    embedded object insertion dependency, 112-113
    extension dependency, 101-102
    file format dependency, 59-66
    file system dependency, 56-59
    host size dependency, 105-106
    interpreted environment dependency, 66-98
    JIT dependency, 99-100
    language dependency of macro viruses, 71-72
    multipartite viruses, 115-116
    network protocol dependency, 102
    operating system dependency, 55
    operating system version dependency, 55-56
    platform dependency of macro viruses, 73-74
    Registry-dependent viruses, 93-94
    resource dependency, 104-105
    self-contained environment dependency, 113-115
    source code dependency, 102-104
    vulnerability dependency, 98
destructive payload viruses
    highly destructive payloads, 301-306
    somewhat destructive payloads, 300-301
detection. See also first-generation antivirus scanners; second-generation antivirus scanners
    active viruses in memory, 497
    cryptographic, 446
    direct library function invocations, 571-573
    dynamic decryptor, 459-461
    engines, 592
    geometric, 461-462
    injected code, 557
        shellcode blocking, 558-562
    network intrusion detection system (NIDS), 584, 591-592
    static decryptor, 444-446
    threads, 518-521
device driver viruses, 65
device translator layer dependency, 109-112
[<devolution>] (computer virus naming conventions), 41
devolution of macro viruses, 74-75
Dewdney, A.K., 13
dialers, definition of, 33
dictionary attacks, 324
Digital Immune System, 661-664
Digital Millennium Copyright Act (DMCA), 596
DIR-II (virus), 56
direct library function invocations, detection of, 571-573
direct-action viruses, 186
directories, page (memory), 500
directory stealth viruses, 200-203
dirty memory pages, 455
disassemblers, 624
    antidisassembly techniques (armored viruses), 220-226
    malicious code analysis techniques, 626-632
    metamorphic virus detection, 462-463
discovery of automated exploits, 578
disinfection methods, 474-475. See also antivirus programs; memory scanning
    generic decryptors, 477
    standard, 475-477
disk access with port I/O, 219
disk cache viruses, 209-210
Disk Killer (virus), 128, 303
Dispatch routine of DeactivatorDrivers, 529
distributed denial of service (DDoS) attacks, 36
divide-by-zero exceptions, 229
DLL viruses, 62-63
DLLs
    disinfecting, 523
    linking to executables, 168-171
DMCA (Digital Millennium Copyright Act), 596
Donut (virus). See W32/Donut (virus)
Doomed (game), 113
Doomjuice (worm). See W32/Doomjuice (worm)
DOS
    cluster and sector-level stealth viruses, 207-208
    COM viruses, 59
    EPO (entry-point obscuring) viruses, 145-147
    EXE viruses, 60
    full-stealth viruses, 205-206
    interrupt hooking, 188-196
    memory-resident viruses, 196-199
    metamorphic viruses, 270
    system buffer viruses, 209
    TSR (Terminate-and-Stay-Resident) programs, 187
    undocumented interrupt (Int, 21h/52h function), 498
DoS (denial of service) attacks, 35, 306-308, 539
    against Windows Update Web site, 413
DOS BOOT record (DBR), infection techniques, 126-129
DOS stub in PE header, 162
“double extensions,” 81
down-conversion of macro viruses, 71
downloaders, definition of, 33
Doxtor L (virus writer), W32/Idele virus, 153
DR. DR. STROBE & PAPA HACKER (virus writers), 57
Dream (virus), 89
driver-list scanning, detecting debuggers, 230
drivers
    filter, 427, 527-529
    kernel-mode, 503
    lists of, 527
droppers, definition of, 33-34
Dukakis (virus), 91-92
Dumaru (worm), 635, 640
dumps
    PEDUMP, 645
    strings, 623-624
Dustbin, 619
Dwarf (Core War warrior program), 14-15
dynamic analysis techniques, 634-655
dynamic decryptor detection, 459-461
dynamic heuristics, 234
dynamic link library viruses, 62-63
dynamically allocated memory. See heaps

E

e-mail
    executable code-based attacks, 339
    HTML-based mail, 340
    worm infections, 333-334
e-mail addresses
    harvesting, 319-324
    parsing files for, 320
e-mail attachment inserters (worm infections), 334
early warning systems, 598, 669
Easter eggs, definition of, 30
ecophagy, 7
.edata section (PE files), 167
Eddie (virus), 218, 303
Eddie-2 (virus), 200
EICAR (European Institute for Computer Antivirus Research), 672
ELF viruses, 64-65
Elk Cloner (virus), 17, 52
EMACS viruses, 87
embedded decryptor (infection technique), 141-142
embedded decryptor and virus body (infection technique), 142-143
embedded object insertion dependency, 112-113
emulation. See code emulation
encoding URLs, 385-386
encrypted viruses, 253-258
encryption, 221-222, 303-305. See also decryption
    of host file headers, 236
    Linux/Slapper worm, 406
    virus detection, 455-458
    W95/Marburg virus, 632
    X-RAY algorithmic scanning method, 446-451
entry points
    obfuscation, 233
    random entry points in code section, 237-238
entry-point obscuring viruses (infection technique), 145-155, 237, 443, 459
    W32/Simile virus, 282
entry-point scanning, first-generation antivirus scanners, 435-436
enumeration
    network enumeration attacks, 393-394
    of network shares, 324-326
    processes, 517
environments of malicious code, 50-52
    archive format dependency, 100
    compiler and linker dependency, 108-109
    computer architecture dependency, 52-53
    CPU dependency, 53-54
    date and time dependency, 98
    debugger dependency, 106-108
    device translator layer dependency, 109-112
    embedded object insertion dependency, 112-113
    extension dependency, 101-102
    file format dependency, 59-66
    file system dependency, 56-59
    host size dependency, 105-106
    interpreted environment dependency, 66-98
    JIT dependency, 99-100
    multipartite viruses, 115-116
    network protocol dependency, 102
    operating system dependency, 55
    operating system version dependency, 55-56
    resource dependency, 104-105
    self-contained environment dependency, 113-115
    source code dependency, 102-104
    vulnerability dependency, 98
EPO viruses. See entry-point obscuring viruses (infection technique)
error detection and correction with Hamming code, 233
ESC sequences, reconfiguring, 90-91
Etap.D (virus), 53, 64
ETG (executable trash generator) engine, 280
Ethereal
    Linux/Slapper (worm), 601
    W32/Aliz@mm (worm) captures, 644
    W32/Blaster worm, 599
    W32/Sasser.D (worm), 603
ethics of using virus construction kits, 293
Etoh, Hiroaki, 548
European Institute for Computer Antivirus Research (EICAR), 672
Evol (virus). See W32/Evol (virus)
evolution
    macro viruses, 74-75
    virus code, 252-253
exact identification, 439-441
Excel viruses. See macro viruses
exception handlers, 232
    CodeRed worm, 400-401
exception-handler validation, 565-569
exceptions
    generating, 229
    structured exception handling, 243-244
EXE viruses, 60
Exebug (virus), 123
execode, macro viruses, 75-76
executable code-based attacks, 339
executable trash generator (ETG) engine, 280
executables, linking DLLs to, 168-171
executed images (Win32 viruses), 512-514
ExecuteOnly attribute (Novell NetWare), attacks via, 389-393
execution, random execution logic, 244-245
execution environments. See environments of malicious code
execve( ) function, 647
exploits. See also blended attacks; vulnerability dependency
    automated discovery, 578
    definition of, 33
    W32/Slammer (worm), 607-608
export table (PE files), 171-172
exporting functions, 171-172
extended access lists, 586
Extended Memory Specification (XMS), 198
extended tiny encryption algorithm (XTEA), 346
extension dependency, 101-102
extensions
    kernel-mode, 554-556
    subsystems, 554
extra disk sectors, formatting, 126-128

F

F-PROT (antivirus program), 195, 438, 441, 451
F1 key, Help file viruses, 89
false positives, signatures, 608
<family_name> (computer virus naming conventions), 40
FAT file systems, cluster viruses, 56-58
Father Christmas (worm), 79-80, 102
FC (File Compare), 622
Ferenc, Leitold, 673
Ferrie, Peter, 75, 154
File Compare tool, 645
file extension dependency, 101-102
file format dependency, 59-66
file formats, obfuscation, 233
file infection techniques. See infection techniques
File Monitor log, 635
file parsing attacks, 319-320
file stealth viruses, 207-208
file structure infection, Win32, 239
file system dependency, 56-59
file systems, filter drivers, 427
file viruses, hooking INT 21h (interrupt handler), 193-196
FileAlignment field (PE header), 165
files
    goat (natural infection testing), 637-638
    IDA command script (IDC), 631
    images, scanning, 517
    monitoring, 635-637
Filler (virus), 127, 198, 302
filter driver virus deactivation (memory scanning), 527-529
filtering
    algorithmic scanning methods, 443-444
    drivers, 427
    as process of computer virus analysis, 619-621
fingerd program, Morris worm attack against, 395
fingerprinting worm targets, 326-330
Finnpoly (virus), 53
firewalls, 588-589, 646
first-generation antivirus scanners, 428
    bookmarks, 433-434
    entry-point scanning, 435-436
    fixed-point scanning, 435-436
    generic detection, 432
    hashing, 432-433
    hyperfast disk access, 436
    mismatches, 432
    string scanning, 428-430
    top-and-tail scanning, 435
    wildcards, 430-431
first-generation buffer overflows, 369-371
first-generation Windows 95 viruses, 172-173
FitzGerald, Nick, 39
fixed-point scanning, first-generation antivirus scanners, 435-436
flags, suspicious combinations of, 471
Flash ActionScript viruses, 91
Flash BIOS viruses, 305-306
Flip (virus), somewhat destructive payload viruses, 300
flirt signatures, 628
flooders, definition of, 35
Ford, Richard, 74
Form (virus), infection technique, 128
format specifiers, 379
format string attacks, 378-384
formatting extra sectors, 126-128
formula macros, 77
FPU instructions, 242-243
fractionated cavity viruses (infection technique), 137-139, 177
Franvir. See W32/Franvir (virus)
Fredkin, Edward (self-replicating structures), 7-8
free( ) function, 647
FreeBSD/Scalper (worm), shellcode blocking, 558
Freitas, Robert A., Jr., 7
Frodo (virus)
    hook table, 205-206
    interrupt hooking, 193-195
    self-protection technique, 218
full-stealth viruses, 193, 205-206, 497
function call-hooking (infection technique), 151-152
function pointer overflows, 377-378
functions
    direct library invocation detection, 571-573
    execve( ), 647
    exporting, 171-172
    free( ), 647
    GetProcAddress( ), 522, 645
    KiUserExceptionDispatcher( ), 566
    LoadLibrary( ), 645
    malloc( ), 647
    NTDLL, 524
    NtOpenThread( ), 519
    Object Manager, 527
    OpenThread( ), 519
    run-time library (RTL), 545
    VirtualAlloc( ), 510
    VirtualProtectEx( ), 522
    Windows NT for kernel-mode memory scanning, 525
future worm attacks, 575-578

G

G2 (virus construction kit), 290
Game Maker (programming environment), 113
Game Maker Language (GML), 113-114
games. See nature-simulation games
Games with Computers (Csakany and Vajda), 11
Gaobot (worm). See W32/Gaobot.AJS (worm)
generic decryptors, 477
generic detection, first-generation antivirus scanners, 432
generic disinfection methods, 474-475
    generic decryptors, 477
    standard, 475-477
GenVir (virus construction kit), 289
geometric detection, 461-462
germs, definition of, 32-33
GetProcAddress( ) function, 522, 645
ghost positive, definition of, 207
Ghostball (virus), 115
Gigabyte (virus writer)
    Darkness virus, 88
    JIT-dependent viruses, 99
    Logic worm, 83-85
Ginger (virus), 198
    infection technique, 126
    self-protection technique, 248
“glider” starting structure (game of Life), 10
global offset table (GOT), 570
    page attributes, 574
GML (Game Maker Language), 113-114
goat files
    antigoat techniques (armored viruses), 247
    natural infection testing, 637-638
GoldBug (virus), 198
Good Times hoax, 37
GOT (global offset table), 570
    page attributes, 574
Gömb (virus), nondestructive payload viruses, 299
Green, Andy, 347
GriYo (virus writer), 27
    symbiosis project, 356
    W32/CTX and W32/Dengue viruses, 150
    W32/Parvo worm, 321
    W95/HPS and W95/Marburg viruses, 264
.<group_name> (computer virus naming conventions), 41
Gryaznov, Dmitry, 257, 619

H

hackers, 12
half-cooked repairs, definition of, 136
Hamming, Richard, 233
Hamming code, error detection and correction, 233
Happy99 (worm), 29, 62, 314, 350
    e-mail address harvesting, 322-323
    NNTP attacks, 338
    nondestructive payload viruses, 299
hard-coded API addresses, 172-173
hardware destroying viruses, 305-306
hardware-level stealth viruses, 208-209
Hare (virus)
    infection technique, 129
    self-protection technique, 255
harvesting e-mail addresses (worms), 319-324
hashing, first-generation antivirus scanners, 432-433
header, PE files, 162-165
header infection viruses (infection technique), 173
heap management, 384-385
heap overflows, 373-374
    compiler-level solutions, 546
    exploiting, 375-376
    Linux/Slapper worm, 401-407
heaps
    definition of, 373
    exception-handler validation, 568
Helenius, Marko, 663, 673
Help file viruses, 89
heuristic analysis
    of 32-bit Windows viruses, 467-472
    antiheuristics techniques (armored viruses), 234-242
    code emulation, 465-466
    using neural networks, 472-474
Heyne, Frank, 637
hidden window procedure (Win32 viruses), 512
HIEW tool, 621, 633, 639
High Memory Area (HMA), 198
high-interaction honeypot systems, 593
highly destructive payload viruses, 301-306
history
    antivirus programs, 27-28
    blended attacks, 367-368
    computer viruses, 17-18
    self-replicating systems, 4-16
    Win32 viruses, 157
hit list method. See IP addresses, scanning
hive, definition of, 93
HLP/Demo (virus), 89
HMA (High Memory Area), 198
hoaxes, definition of, 37
holes in memory, 197
Honeyd, 595
honeypot systems, 593-594
hook table for Frodo virus, 205-206
hooking
    API hooking (infection technique), 150-151
    function call-hooking (infection technique), 151-152
    IAT (import address table), 201-203
    interrupts, 188-196, 226
host application mutation (metamorphic viruses), 276-277
host file headers, encryption, 236
host size dependency, 105-106
host-based intrusion prevention techniques, 538-542
    buffer overflow attacks
        blocking, 543-544
        code reviews, 544
        compiler-level solutions, 545-552
        kernel-mode extensions, 554-556
        operating system-level solutions, 552-554
        program shepherding, 556
        subsystem extensions, 554
    script/SMTP blocking, 539-542
HTML files, WebTV worms, 86-87
HTML viruses, 97-98
HTML-based mail, 340
HybrisF (virus). See W32/HybrisF (virus)
HyperCard, HyperTalk viruses, 91-92
hyperfast disk access, first-generation antivirus scanners, 436
HyperTalk viruses, 91-92
Hypervisor (virus), 310
Hypponen, Mikko, 326, 349, 496

I

IAT (import address table), 161, 522
    hooking, 201-203
    page attributes, 574
    patches, 469
IBM Antivirus, mismatches, 432
IBM systems, REXX viruses, 78-79
ICA, harvesting e-mail addresses using, 322
ICMP (Internet control message protocol), 643
ICSA Labs, 672
IDA command script (IDC) files, 631
IDA disassemblers, 221, 428, 626-632
.idata section (PE files), 167
IDC (IDA command script) files, 631
IDEA (virus)
    nondestructive payload viruses, 299
    self-protection technique, 256
IDEA.6155 (virus), self-protection technique, 248
IDT, entering kernel mode on Windows 9x, 228-229
“Igor’s problem,” 74
IIS Web servers, W32/Nimda.A@mm worm, 414-415
ImageBase field (PE header), 164
images, scanning, 517
IMP (Core War warrior program), 14
Implant (virus), 264
import address table (IAT), 161, 522
    hooking, 201-203
    page attributes, 574
    patches, 469
import table (PE files), 168-171
import table-replacing (infection technique), 153
imports by ordinal, 240, 469
“in the wild” viruses, 26
in-memory injectors over networks, 215
in-memory residency strategies. See memory residency strategies
InCtrl tool, 637
indirection, layers of, 501
INETINFO.EXE process, 520
INF/Vxer (virus), 96
INF/Zox (virus), 102
infection propagator of worms, 315-316, 331
    backdoor-compromised systems, 331-332
    e-mail attachment inserters, 334
    e-mail attacks, 333-334
    instant messaging attacks, 333
    NNTP attacks, 338
    peer-to-peer network attacks, 332-333
    SMTP proxy-based attacks, 334-335
    SMTP-based attacks, 335-338
infection techniques
    Amoeba, 140
    appending viruses, 132-133, 174-175
    boot viruses, 122-129
    cavity viruses, 136-137
    classic parasitic viruses, 135-136
    code builders, 155-156
    companion viruses, 176
    compressing viruses, 139-140
    embedded decryptor, 141-142
    embedded decryptor and virus body, 142-143
    entry-point obscuring viruses, 145-155
    first-generation Windows 95 viruses, 172-173
    fractionated cavity viruses, 137-139, 177
    header infection viruses, 173
    KERNEL32.DLL infection, 175-176
    lfanew field modification, 178
    obfuscated tricky jump, 143-144
    overwriting viruses, 130-131
    PE (portable executable) file format, 160-172, 235
    prepending viruses, 133-135, 174
    random overwriting viruses, 131-132
    system loader comparison between Windows 95 and Windows NT, 181-183
    VxD-based viruses, 178-180
    W32/Simile virus, 284-285
    W95/Zmist virus, 278-280
    Win32 viruses, growth of, 181
infections
    goat files, 639
    natural testing, 637-638
<infective_length> (computer virus naming conventions), 41
Infis (virus). See {W2K, WNT}/Infis (virus)
information query class, 11, 527
INI file viruses, 97
initialization, W95/Zmist virus, 278
injected code detection, 557
    shellcode blocking, 558-562
injectors
    definition of, 34
    in-memory injectors over networks, 215
input validation attacks, 385
    MIME types, 387-388, 414-415
    URL encoding, 385-386
installation script viruses, 96
installing
    dedicated virus analysis systems, 612-615
    memory-resident viruses under DOS, 196-198
instant messaging viruses, 83, 333
Instant Virus Production Kit (IVP), 292
instruction tracing (infection technique), 153
INT 13h (interrupt handler), hooking, 188, 191-193
INT 21h (interrupt handler), hooking with file viruses, 193-196
integrity checker programs, 19
Intel, sysenter, 525
Intel Architecture Software Manuals, 615
intended debugger-dependent viruses, 108
intended viruses, 20
interactions between viruses, 354
    competition, 357-358
    cooperation, 354-357
    sexual reproduction, 359
    SWCP (simple worm communication protocol), 359
interactive disassembler (IDA), 428
intercept mode, 587
1nternal (virus writer)
    HTML viruses, 98
    installation script viruses, 96
Internet control message protocol (ICMP), 643
Internet Explorer, MIME types, 387-388
Internet Relay Chat (IRC) worms, 83, 333
interpreted environment dependency, 66-98
interrupt handlers, memory scanning for, 218
I/O Request Packets (IRPs), 529
Interrupt Spy tool, 392, 647
interrupt vector table (IVT), 188-189, 227
interrupts
    calling with INT 1 and INT 3, 228
    divide-by-zero exceptions, 229
    entering kernel mode on Windows 9x, 228-229
    generating exceptions, 229
    hooking, 188-196, 226
    in polymorphic decryptors, 246
    undocumented DOS interrupts (Int 21h/52h), 498
intrusion. See NIDS
Invader (virus), 26
invalidation, exception frame pointers, 568
IP addresses, scanning, 326-330
IRC (Internet Relay Chat) worms, 83, 333
IRPs (I/O Request Packets), 529
IsDebuggerPresent( ) API, 229
ISO images, infecting, 59
IVP (Instant Virus Production Kit), 292
IVT (interrupt vector table), 188-189, 227

J
jacky (virus writer), 85
Jacky Qwerty (virus writer), 27
    W32/Cabanas virus, 157
    W32/Redemption virus, 139
JellyScript, WebTV worms, 86-87
Jerusalem (virus), 136, 197, 497
Jiskefet. See OS2/Jiskefet (virus)
JIT dependency, 99-100
joke programs, definition of, 37
JPEG files, W32/Perrun virus, 116
JS/Kak (virus), 417
JS/Spida (worm), remote login-based attacks, 341
JScript viruses, 85
Junkie (virus), 115

K
Kaspersky, Eugene, 242, 349, 437-438, 447-448, 451
KAV (antivirus program), 438, 442
Kefi (virus writer), PHP/Feast virus, 88
Kelsey, John, 347
kernel mode
    debuggers, 648
    drivers, 503
    entering on Windows 9x, 228-229
    extensions, buffer overflow attacks (worms), 554-556
    viruses in, 212-215
kernel modification, W32/Bolzano virus, 415-417
KERNEL32.DLL
    checksum recalculation, 239
    hard-coded pointers to, 470
    imports, 469-470
    inconsistency, 471
    infection of, 175-176
kernels, memory scanning, 523
    64-bit platforms, 530-531
    classes of context, 526
    filter driver virus deactivation, 527-529
    read-only memory, 529
    upper 2G of address space, 527
    user address space of processes, 523
    Windows NT functions, 525
    Windows NT service API entry points, 524
key functions, reconfiguring, 90-91
keyboard, disabling, 231-232
keyloggers, definition of, 36
Khafir, Masoud, 264
Kinematic Self-Replicating Machines (Freitas and Merkle), 7
kits, definition of, 34
KiUserExceptionDispatcher( ) function, 566
knowledge bases, malicious code analysis techniques, 615-616
known plain-text attacks, 449
KOH (virus), 304
Krishna (virus), infection technique, 129
Krukov, Andrew, 75

L
L0phtCrack (password cracking program), 326
LADS (tool), 637
Langton, Christopher G., 6
language dependency of macro viruses, 71-72
large scale damage due to worms, 577
layers of indirection, 501
LE (linear executable) file format, 160
Leapfrog (virus), infection technique, 144
Lehigh (virus), 137, 198
Leitold, Ferenc, 662
Lexotan engine, 463
lfanew field modification (infection technique), 178
LFM (virus), 91
LIB viruses, 66
libraries
    direct function invocation detection, 571-573
    return-to-LIBC attacks, 569-573
Libsafe (subsystem extension), 554
Life (game), 8-12
life-cycle manager of worms, 316-317
linear executable (LE) file format, 160
linker dependency, 108-109
linking DLLs to executables, 168-171
links to Web sites or proxies, 339-340
Linux, ELF viruses, 64
Linux/ADM (worm)
    detailed description of, 397-398
    shellcode blocking, 558
Linux/Cheese (worm), 315, 318
Linux/Jac.8759 (virus), 64
Linux/Lion (worm), 318
Linux/Slapper (worm), 64, 98, 108, 315, 538, 543, 647
    blocking buffer overflow attacks, 548-549
    capturing, 600-602
    detailed description of, 401-407
    DoS attack, 308
    e-mail address harvesting, 323
    GOT and IAT page attributes, 574
    heap overflows, 376
    peer-to-peer network control, 352-354
    predefined class table for network scanning, 326-329
    shellcode blocking, 558
    shellcode-based attacks, 344
    worm blocking techniques, 557
Liston, Tom, 596
lists, router access, 585-587
Litchfield, David, 408, 559
LMF (lunar manufacturing facility), 7
LNK viruses, 94
loaded DLLs, disinfecting, 523
LoadLibrary( ) function, 645
:<locale_specifier> (computer virus naming conventions), 42
logging module, 592
logic bombs, definition of, 30
Logic worm, 83-85
Logo language, Super Logo viruses, 83-85
logs, File Monitor, 635
long loops, 247
Lorez. See W95/Lorez (virus)
Lotus 1-2-3 macro viruses, 96
Lotus Word Pro viruses, 94
LoveLetter. See VBS/LoveLetter.A@mm (worm)
low-interaction honeypot systems, 593
Lucifer (virus), infection technique, 128
Ludwig, Mark, 304
lunar manufacturing facility (LMF), 7
LWP/Spenty (virus), 94
LX viruses, 60-61

M
Ma, Albert, 13
MAC OS X shell scripts, 81
Machine field (PE header), 163
Macintosh platform
    MAC OS X shell scripts, 81
    resource-dependent viruses, 104-105
Macro Identification and Resemblance Analyzer (MIRA), 620
macro viruses, 66-69, 157
    corruption, 69-71
    evolution and devolution, 74-75
    formula macros, 77
    infecting user macros, 77
    language dependency, 71-72
    Lotus 1-2-3, 96
    Lotus Word Pro, 94
    multipartite infection strategy, 76
    naming conventions, 41
    platform dependency, 73-74
    source code, p-code, execode, 75-76
    up-conversion and down-conversion, 71
    XML, 77
Magic field (PE header), 164
Magistr (virus). See W32/Magistr (virus)
mailers
    definition of, 29
    naming conventions, 42
maintenance, virus collection, 661
malicious code analysis techniques, 612. See also computer viruses
    architecture guides, 615
    collection maintenance, 661
    dedicated system installation, 612-615
    Digital Immune System, 661-664
    disassemblers, 626-632
    dynamic analysis techniques, 634-655
    knowledge bases, 615-616
    process of, 618-624
    unpacking, 625
    Virus Analysis Toolkit (VAT), 656, 659
    VMWARE, 616-617
malloc( ) function, 647
malware. See computer viruses
<malware_type>:// (computer virus naming conventions), 40
management
    memory, 498-499
    Virtual Memory Manager, 503
MapInfo viruses, 88-89
MARS (Memory Array Redcode Simulator), 12
Martin, Edwin, 9
Marx, Andreas, 672
mass-mailer worms (@mm worms)
    definition of, 29
    naming conventions, 42
matching patterns, 628
mathematical model for computer viruses, 18
MBR (master boot record), 122, 301
    infection techniques, 124-126
McAfee SCAN (antivirus program), 248
MCB (memory control block), 197-198
MDEF viruses, 105
Memorial. See W95/Memorial (virus)
memory
    buffer overflow attacks. See buffer overflow attacks
    dirty memory pages, 455
    dynamically allocated memory. See heaps
    management, 499
    read-only kernel, 529
    video memory, checking, 232
    VMM memory area, 471
Memory Array Redcode Simulator (MARS), 12
memory control block (MCB), 197-198
Memory Manager, paging, 515-517
memory residency strategies. See also memory-resident viruses
    direct-action viruses, 186
    in-memory injectors over networks, 215
    kernel mode, viruses in, 212-215
    processes, viruses in, 211-212
    swapping viruses, 211
    temporary memory-resident viruses, 210-211
memory scanning, 497-498
    attacks, 532-533
    detecting debuggers, 230
    disinfection, 517-523
    for interrupt handler, 218
    in kernel mode. See kernels, memory scanning
    paging, 515-517
    in user mode. See user mode, memory scanning
    Windows NT virtual memory system, 499-505
memory-resident viruses, 186-187
    disk cache and system buffer viruses, 209-210
    installation under DOS, 196-198
    interrupt hooking, 188-196
    self-detection techniques, 198-199
    stealth viruses, 199-209
Mental Driller (virus writer), 27
    W32/Simile virus, 281
    W32/Simile.D virus, 53
    W95/Drill virus, 224
Merkle, Ralph C., 7
Merry Xmas (virus), 92
metamorphic virus detection, 461
    code emulation, 463-466
    disassembling techniques, 462-463
    geometric detection, 461-462
metamorphic viruses, 20, 269-270
    complex permutation techniques, 273-275
    host application mutation, 276-277
    MSIL metamorphic viruses, 286-288
    simple permutation techniques, 270-272
    W32/Simile virus, 281-286
    W95/Zmist virus, 277-281
metamorphic worms, 576-577
MetaPHOR (virus engine), 281
MICE (Core War warrior program), 13
Michelangelo (virus), 301
Microsoft .NET. See .NET
Microsoft IIS servers, W32/Nimda.A@mm worm, 414-415
Microsoft Security Bulletin MS03-007, 545
Microsoft SQL Server 2000
    exploits, blocking, 559-560
    W32/Slammer worm, 407
Microsoft Visual .NET 2003 (7.0 & 7.1), 549-552
Microsoft Xbox, security vulnerabilities, 347
MIME types, 387-388
    W32/Badtrans.B@mm worm, 414
    W32/Nimda.A@mm worm, 414-415
MIRA (Macro Identification and Resemblance Analyzer), 620
mIRC, instant messaging viruses, 83
mismatches, first-generation antivirus scanners, 432
Mistfall engine, 278
mitigation, return-to-LIBC attacks, 569-573
mixed techniques. See blended attacks
MMX instructions, 243
mobile phones, worms on, 359-361
modeling virus infections, 11-12
    mathematical model, 18
modification to files (tracking), 635-637
<modifiers> (computer virus naming conventions), 41
modules
    altering, 592
    logging, 592
Mole virus. See W32/IKX (virus)
monitoring
    files, 635-637
    malicious code, 634-655
    ports, 641
    processes, 641
    registries, 640
    threads, 641
Monxla (virus), 211
Morris (worm), 32, 315, 318, 538, 543
    avoiding buffer overflow attacks, 413, 547
    copycat Linux/ADM worm, 397-398
    detailed description of, 395-397
    history of blended attacks, 367-368
    shellcode blocking, 558
    weak passwords, 324
Morris, Robert, Sr. (Core War), 12
Mosquitos game, logic bomb in, 30
MPB/Kynel (virus), 88
Mr. Sandman (virus writer), 349
    Anti-AVP virus, 248
MSAV (antivirus program), 247
MSIL metamorphic viruses, 286-288
MSIL/Gastropod (virus), 99
    self-protection technique, 269, 286-288
MSIL/Impanate (virus), 100, 288
MtE (mutation engine), 262-264
    static decryptor detection, 446
multipartite infection strategy, macro viruses, 76
multipartite viruses, 115-116
multiple PE headers, 469
multiple virus sections, 235-236
multiple-fork support (NTFS), 58
multithreaded viruses, 246
Murkry (virus writer), 27, 242
    infection technique, 138
mutation engine (MtE), 262-264
    static decryptor detection, 446
mutation. See corruption
Muttik, Igor, 74-75
    metamorphic viruses, 269
MX queries and SMTP-based worm attacks, 338
Mydoom (virus). See W32/Mydoom (worm)
Myname. See OS2/Myname (virus)

N
naming conventions
    computer viruses, 38-39
        @m, 42
        @mm, 42
        [<devolution>], 41
        <family_name>, 40
        .<group_name>, 41
        <infective_length>, 41
        :<locale_specifier>, 42
        <malware_type>://, 40
        <modifiers>, 41
        #<packer>, 42
        <platform>/, 40-46
        <variant>, 41
        !<vendor-specific_comment>, 42
native viruses, 63-64
native Windows NT viruses, 496, 512
natural infection testing, 637-638
natural infections, 600
nature-simulation games, 5
    Core War, 12-16
    Edward Fredkin structures, 7-8
    game of Life (Conway), 8-12
    John von Neumann theory, 5-7
Navrhar (virus). See W95/Navrhar (virus)
NC (NetCat) tool, 593, 642
NCAs (Nexus Agents), 534
NE viruses, 60
nearly-exact identification, 437-438
NEAT (WebTV worm), 86
Neat (worm), 911 attacks, 308
Nebbett, Gary, 616
Needham, Roger, 346
.NET
    JIT-dependent viruses, 99-100
    W32/Donut virus, 143-145
NET$DOS.SYS file, boot viruses in, 129
NetCat (NC) tool, 593, 642
network enumeration attacks, 393-394
network injectors, definition of, 34
network intrusion detection system (NIDS), 584, 591-592
network protocol dependency, 102
network scanning, 326-330
network share enumeration attacks, 324-326
network-level defense strategies, 584
    counterattacks, 596
    early warning systems, 598
    firewalls, 588-589
    honeypot systems, 593-594
    network intrusion detection system (NIDS), 584, 591-592
    router access lists, 585-587
    worm behavior patterns, 598-608
networks
    boot viruses, 129
    in-memory injectors over networks, 215
    peer-to-peer network attacks, 332-333, 352-354
    ports, monitoring, 641
    traffic, capturing, 643
neural networks, heuristic analysis using, 472-474
Nexiv_Der (virus), 146-147, 153
Nexus Agents (NCAs), 534
NGSCB (Next Generation Secure Computing Base), 534
NGVCK (Next Generation Virus Creation Kit), 291
NIDS (network intrusion detection system), 584, 591-592
Nimda. See W32/Nimda (worm)
NNTP attacks, worm infections, 338
NNTP-based e-mail address collection, 320-321
no-payload viruses, 296-297
NoKernel (virus), 219
non-TSR viruses, 497
nondestructive payload viruses, 297-300
nonexecutable (NX) pages, 534, 579
nonlinear decryption, 256
nonstateful firewalls, 588
normal COM, definition of, 132
Norton AntiVirus (antivirus program), 442
Norton, Peter (Programmer’s Guide to the IBM PC), 25
NOTEPAD.EXE
    STR streams, 636
    W32/Parvo (virus) inside, 511
Novell NetWare ExecuteOnly attribute, attacks via, 389-393
Nowhere Man (virus construction kit writer), 289
NTDLL functions, 524
NTFS file systems
    compression viruses, 59
    stream viruses, 58-59
NtOpenThread( ) function, 519
NtQueryInformationThread( ) API, 519
NtQuerySystemInformation( ) (NtQSI), 506-507
NtQueryVirtualMemory( ) API, 524
NumberOfSections field (PE header), 164
Number_Of_The_Beast (virus), 193, 207
NX (nonexecutable) pages, 534, 579

O
obfuscated code, 222-224
obfuscated entry points, 233
obfuscated file formats, 233
obfuscated tricky jump (infection technique), 143-144
object code viruses, 66
Object Manager functions, 527
objects (network enumeration), 394
octopus (worm), definition of, 29
off-by-one buffer overflows, 371-373
OLE2 files, macro viruses, 67-68
oligomorphic viruses, 259-260
Olivia (virus), infection technique, 145-146
OllyDBG tool, 648
Omud (virus), infection technique, 132
on-access antivirus scanners, 426. See also scanners
on-demand antivirus scanners, 426. See also scanners
One_Half (virus), 277, 304
    infection technique, 141
opcode mixing-based code confusion, 223-224
OpenSSL, vulnerabilities in, 401
OpenThread( ) function, 519
operating system dependency, 55
operating system version dependency, 55-56
operating systems, buffer overflow attacks (worms), 552-554. See also names of specific operating systems
ordinal-based imports, 240, 469
original boot sector, 128-129
OS/2
    LX viruses, 60-61
    NE viruses, 60
OS2/Jiskefet (virus), 61
OS2/Myname (virus), 60
outbreak statistics (worm), 670
outgoing e-mail messages, harvesting e-mail addresses using, 322-323
overflows. See buffer overflow attacks
Overmars, Mark, 113
overwriting viruses (infection technique), 130-131, 301-302

P
p-code, macro viruses, 75-76
packed code sections, 237
#<packer> (computer virus naming conventions), 42
packers. See compression
packets, decoders, 591
PAE (Physical Address Extension), 500
page directories (memory), 500
page directory entries (PDEs), 500
page frames (memory), 500
page table entry (PTE), 555
page tables (memory), 500
PAGE_READONLY access, 522
paging, memory scanning and, 515-517
Palm platform, resource-dependent viruses, 105
Palm/Phage (virus), 105
parasitic viruses. See classic parasitic viruses (infection technique)
parsing files for e-mail addresses, 319-320
partition table (PT) entries, 122
    changing, 125-126
partitions, definition of, 122
password cracking, Morris worm, 367
password handling, vulnerabilities, 324
password protection, 249
password-capturing attacks, 325
    definition of, 32
passwords, security problems, 324-326
Pasteur (antivirus program), 26, 436
patching
    code in active pages, 522
    import address table (IAT), 469
Pathogen (virus), X-RAY scanning, 448
patterns
    of computer viruses, 630
    matching, 628
    worm behavior, 598-608
PaX (kernel mode extension), 554-556
payload activation
    accidentally destructive payload viruses, 297
    highly destructive payload viruses, 301-306
    no-payload viruses, 296-297
    nondestructive payload viruses, 297-300
    somewhat destructive payload viruses, 300-301
    types of, 296
    W32/Simile virus, 285-286
    of worms, 318
PDEs (page directory entries), 500
PDF viruses, 90
PDF/Yourde (virus), 90
PE (portable executable) file format, 158-160, 513
    entry points, 468
    infection by W95/Zmist virus, 279-280
    infection techniques, 160-172, 235
    Windows CE, 110
PE header
    avoiding infection, 240
    code section sizes, 241
    infection, 469
    multiple headers, 469
    SizeOfCode field, 471
    virtual size, 468
PE viruses, 61-64
PEDUMP, 622, 645
PeElf (virus). See {W32, Linux}/Peelf (virus)
peer-to-peer network attacks, worm infections, 332-333, 352-354
    Linux/Slapper worm, 406-407
PEID tools, 626
Pentium II processors, sysenter, 525
Perl viruses, 86
permutation
    complex permutation techniques (metamorphic viruses), 273-275
    simple permutation techniques (metamorphic viruses), 270-272
    W95/Zmist virus, 279
Perriot, Frederic, 282, 317, 647
personal firewalls. See firewalls
Phager (virus), 101
Phalcon-Skism Mass Produced Code Generator (PS-MPC), 290
phishing attacks, 308-309
    definition of, 35
phones, wireless mobile worms, 359-361
PHP viruses, 88
PHP/Caracula (virus), 88
PHP/Feast (virus), 88
Physical Address Extension (PAE), 500
Pietrek, Matt, 616
PIF viruses, 94
Pile, Christopher (virus writer), 448
Ping Pong (virus), 54
pings, W32/Welchia (worm), 605
<platform>/ (computer virus naming conventions), 40
    list of officially recognized names, 42-46
platform dependency of macro viruses, 73-74
platform support for Win32, 158-160
Playgame (virus), nondestructive payload viruses, 299
Ply (virus), self-protection technique, 253
Pobresito (virus), 92
Polimer.512.A (virus), 134
polymorphic decryptors
    interrupts in, 246
    W32/Simile virus, 282-283
polymorphic viruses, 261
    32-bit polymorphic viruses, 264-268
    1260 virus, 261-262
    macro viruses, 76
    MtE (mutation engine), 262-264
    PHP viruses, 88
polymorphic worms, 576-577
polymorphism, virus detection, 455-458
Popp, Joseph, 31
port 80 (HTTP), NetCat, 594
port I/O, disk access, 219
portable executable. See PE (portable executable) file format
ports, monitoring, 641
PPE (Prizzy polymorphic engine), 243
predefined class table (network scanning), 326-329
prefetch-queue attacks, 230-231
prepending viruses (infection technique), 133-135, 174, 236
preprocessors, network intrusion detection system (NIDS), 591
printers, targeted by worms, 324
private pages, Win32 viruses that allocate, 510
Prizzy (virus writer), W32/Crypto virus, 257
Prizzy polymorphic engine (PPE), 243
process address space randomization, 570
processes
    computer virus analysis, 618-624
    context (memory scanning), 526
    enumerating, 517
    memory scanning, 507-508
    monitoring, 641
    terminating, 518
    user address space of (scanning), 523
    viruses in, 211-212
PROCESS_TERMINATE access, 518
PROCESS_VM_OPERATION access, 522
profiles, tracking decryptors, 454
program shepherding, buffer overflow attacks (worms), 556
Programmer’s Guide to the IBM PC (Norton), 25
propagation (worms). See code propagation techniques (worms)
ProPolice, 548-549
Provos, Niels, 595
proxy firewalls, 588
PS-MPC (Phalcon-Skism Mass-Produced Code Generator), 290
PSD (virus), 621
pseudo-decryption loops, 460
PSMPC generators, 34
PT (partition table) entries, 122
    changing, 125-126
PTE (page table entry), 555
Python viruses, 87

Q
Q the misanthrope (virus writer)
    BAT/Ramble virus dropper, 96
    GoldBug virus, 198
    memory allocation techniques, 198
Qark (virus writer), 306
QAZ (virus), 309
Qpa (virus), infection technique, 136
Quantum (virus writer), 27, 61
Queeg (virus), X-RAY scanning, 448-450
quick examinations, process of computer virus analysis, 619

R
rabbit (worm), definition of, 29
Radai, Yisrael, 302
Raiu, Costin, 75
Rajaat (virus writer), 78
Ralf Brown Interrupt List, 190
Ramble (virus), 96
Ramdhani, Denny Yanuar (virus writer), 127
Ramen (worm), 315
random decryption algorithm (RDA) viruses, 237, 245, 256
random entry points in code section, 237-238
random execution logic, 244-245
random overwriting viruses (infection technique), 131-132
randomization, process address space, 570
randomized network scanning, 329-330
Raptor (firewall), 590
Ratter (virus writer)
    W32/Kick virus, 65
    WinCE/Duts.1520 virus, 109
RDA (random decryption algorithm) viruses, 237, 245, 256
RDA.Fighter (virus), 256
RDTSC instruction, 283
read stealth viruses, 203-205
read-only kernel memory, 529
ReadProcessMemory( ) API, 505-506
real permutating engine (RPME), 274
Reaper (antivirus program), 17
recalculating checksum, 239
reconfiguring key functions, 90-91
recycling compiler alignment areas, 238
Redcode language, 12-15
refiltering drivers (DeactivatorDriver), 529
registries, monitoring, 640
Registry keys
    detecting debuggers, 229
    macro viruses, 74
Registry-dependent viruses, 93-94
Regmon tool, 640
regular disinfection methods, 474-477
relative virtual address (RVA), 161
.reloc section (PE files), 167
relocation cavity viruses (infection technique), 137
remote control of worms, 316, 351-352
    peer-to-peer network control, 352-354
remote login-based attacks, 341
RemoteExplorer virus. See WNT/RemEx (virus)
renaming sections, 239
replication. See self-replicating systems; worm blocking techniques
Repus. See W95/Repus (virus)
requests
    Address Resolution Protocol (ARP), 595
    pings, capturing W32/Welchia (worm), 605
research honeypots, 596
research papers (virus), 670
resident viruses. See memory-resident viruses
resource dependency, 104-105
resources, early warning/up-to-date security information, 669
retroviruses, 11, 247-249, 300
retroworms, 576
return-to-LIBC attacks, 543, 569-573
reviving dead virus code, 127
REXX viruses, 78-79
Riordan, Roger, 433
Ripper (virus), 303
Ritchie, Dennis (Core War), 12
rootkits, definition of, 36
routers, access lists, 585-587
Rowe, Mark, 360
roy g biv (virus writer), 27
    Ginger virus, 198
    MSIL/Impanate virus, 100, 288
    W32/Chiton virus, 63, 154
    W64/Rugrat.3344 virus, 62
RPME (real permutating engine), 274
.rsrc section (PE files), 167
RT Fishel (virus writer), Ginger virus, 198
RTL (run-time library) functions, 545
Rugrat. See W64/Rugrat.3344 (virus)
run-time code injection attacks. See code injection attacks
run-time library (RTL) functions, 545
run-time packers, 625
Russell, Ryan, 594
RVA (relative virtual address), 161

S
Sadmind (worm), 315
safe-for-scripting ActiveX controls, 388-389
    VBS/BubbleBoy worm, 417-418
    W32/Blebla worm, 418-419
Sandman (virus writer), 27, 299
SAP, ABAP viruses, 89
saving
    files locally, W32/Blebla worm, 418-419
    original boot sector at end of disk, 128-129
SC Magazine, 672
scanners, 252
    algorithmic scanning methods, 441-443
        filtering, 443-444
        static decryptor detection, 444-446
        X-RAY method, 446-451
    code emulation, 451-454
        dynamic decryptor detection, 459-461
        encrypted/polymorphic virus detection, 455-458
    disinfection methods, 474-475
        generic decryptors, 477
        standard, 475-477
    first-generation antivirus, 428
        bookmarks, 433-434
        entry-point scanning, 435-436
        fixed-point scanning, 435-436
        generic detection, 432
        hashing, 432-433
        hyperfast disk access, 436
        mismatches, 432
        string scanning, 428-430
        top-and-tail scanning, 435
        wildcards, 430-431
    heuristic analysis
        of 32-bit Windows viruses, 467-472
        using neural networks, 472-474
    second-generation antivirus, 437
        exact identification, 439-441
        nearly-exact identification, 437-438
        skeleton detection, 437
        smart scanning, 437
scanning
    file images, 517
    IP addresses, 326-330
    memory. See memory scanning
SCANPROC.EXE, 515
Schneier, Bruce, 347
science versus art, 4
script viruses, REXX viruses, 78-79
scripts, blocking, 539-542
search engines, harvesting e-mail addresses using, 321
searching VOOGLE, 621
second-generation antivirus scanners, 437
    exact identification, 439-441
    nearly-exact identification, 437-438
    skeleton detection, 437
    smart scanning, 437
second-generation buffer overflows, 371-378
    definition of, 369
section table (PE files), 165-168
SectionAlignment field (PE header), 165
sections
    code sections
        naming, 469
        sizes in header, 241
    gaps between, 468
    packed code sections, 237
    PE files, 161
    random entry points, 237-238
    renaming, 239
    shifting, 236
    slack area infections, 236
    suspicious characteristics, 468
    writeable flag, 238
sector-level stealth viruses, 207-208
sectors
    formatting extra, 126-128
    marking as BAD, 128
security
    exploits. See blended attacks
    information of, 669
    updates, 669
        buffer overflow attacks (worms), 544-545
security_cookie values, 550
seeding, definition of, 34
SEH (structured exception handling), 243-244, 565
self-contained environment dependency, 113-115
self-detection techniques, memory-resident viruses, 198-199
self-modifying code. See obfuscated code
self-protection techniques (of viruses)
    armored viruses. See armored viruses
    encrypted viruses, 253-258
    metamorphic viruses. See metamorphic viruses
    oligomorphic viruses, 259-260
    polymorphic viruses, 261-268
    retroviruses, 247-249
    tunneling viruses, 218-220
    virus construction kits, 288-293
self-replicating systems, history of, 4
    Core War, 12-16
    Edward Fredkin structures, 7-8
    game of Life (Conway), 8-12
    John von Neumann theory, 5-7
self-sending code blocking, 563-565
self-tracking of worms, 318
semistealth viruses, 200-203
sending, self-sending code blocking, 563-565
sendmail, Morris worm, 367
service viruses, native Windows NT, 512
SETI, use by computer worms, 318
sexual reproduction of viruses, 359
SH/Renepo.A (worm), 81
shape heuristic, 461
share-level password vulnerability, 324
sharepoints (network enumeration), 394
shell scripts, 80-81
shellcode, blocking, 558-562
shellcode-based attacks, 342-344, 543
Shifter (virus), 66
shifting sections, 236
Shockwave Rider (Brunner), 29
“Shooter” starting structure (game of Life), 9-10
Short Message Service (SMS), 30
Sieben, Nándor, 13
signatures, 608
    FLIRT, 628
Simile virus. See {W32, Linux}/Simile (virus)
Simile.D (virus). See {W32, Linux}/Simile.D (virus)
simple worm communication protocol (SWCP), 359
Simulated “Metamorphic” Encryption Generator (SMEG), 448
simulations of nature. See nature-simulation games
single-layer classifiers with thresholds, 473
single-stepping, detecting, 227
Sircam (worm)
    e-mail address harvesting, 320
    SMTP-based attacks, 335
SizeOfCode field (PE header), 164, 471
SizeOfImage field (PE header), 165, 468
skeleton detection, 437
Skrenta, Rich (Elk Cloner virus), 17
Skulason, Fridrik, 39, 115, 438
slack area infections, 236
Slammer (worm). See W32/Slammer (worm)
Slapper (worm). See Linux/Slapper (worm)
Sma. See W95/Sma (virus)
smart scanning, 437
SMEG (Simulated “Metamorphic” Encryption Generator), 448-450
SMS (Short Message Service), 30
SMTP, blocking, 539-542
SMTP proxy-based attacks, worm infections, 334-335
SMTP spam relay, use by computer worms, 318
SMTP-based attacks, worm infections, 335-338, 643
SnakeByte (virus writer)
    NGVCK (virus construction kit), 291
    Perl viruses, 86
sniffing traffic, 643
SoftIce Debugger, 527
SoftICE tool, 648
Solaris on SPARC, 553-554
Solaris/Sadmind (virus), 98, 543
Solomon, Alan, 37, 39, 200, 293
somewhat destructive payload viruses, 300-301
source code, macro viruses, 75-76
source code dependency, 102-104
source spoofing, 587
Sourcer (disassembler), 221
SP (stack pointer), decryption with, 230
spammer programs, definition of, 35
Spanska (virus writer), 27, 350
    Happy99 worm, 62
    IDEA viruses, 256, 299
    self-protection technique, 245, 248
spoofing source, 587
spyware, definition of, 38
SQL Server 2000, W32/Slammer worm, 407
ssnetlib.dll, W32/Slammer worm, 408
stack buffer overflows, 369-370
    causes of, 371
    CodeRed worm, 398-401
    exploiting, 370
    Linux/ADM worm, 397-398
    Morris worm, 395-397
    W32/Blaster worm, 410-413
    W32/Slammer worm, 407-410
stack pointer (SP), decryption with, 230
stack smashing, 546
stack state, checking, 227
stack-based overflow attacks, compiler-level solutions, 546
StackGuard, 546-548
stacks
    definition of, 91
    exception-handler validation, 568
    return-to-LIBC attacks, 569-573
standard access lists, 586
standard disinfection, 475-477
Starship (virus), 126, 198
stateful firewall solutions, 588
static decryptor detection, algorithmic scanning methods, 444-446
static heuristics, 234
stealing data. See data stealing viruses
stealth viruses, 199-200
    cluster and sector-level stealth viruses, 207-208
    full-stealth viruses, 205-206
    hardware-level stealth viruses, 208-209
    read stealth viruses, 203-205
    semistealth viruses, 200-203
Stoll, Clifford, 593
Stoned (virus), 24-25
    accidentally destructive payload viruses, 297
    bookmarks, 433
    exact identification, 439-440
    infection technique, 124-126
    interrupt hooking, 192-193
    nearly exact identification, 437
    string scanning, 429-430
stopping break points, 454
Stormbringer (virus writer), Shifter virus, 66
Strack, Stefan, 13
Strange (virus), 208
stream viruses, file system dependency, 58-59
Strike (virus), infection technique, 128
string scanning, 428-430
strings
    API strings, 241-242
    dumps, 623-624
    mismatches, first-generation antivirus scanners, 432
    wildcards, first-generation antivirus scanners, 430-431
structured exception handling (SEH), 243-244, 565
structures, self-replicating, 7-8
Struss, J. (virus construction kit writer), 289
Stupid (virus), 196
submissions, worm-blocking, 541
subsystems
    extensions, buffer overflow attacks (worms), 554
    Win32 viruses, 508-511
super fast infectors, 56
Super Logo viruses, 83-85
Suslikov, Eugene, 633
swapping viruses, 211
SWCP (simple worm communication protocol), 359
Symantec Security Response, 540
Symboot, 619
SymbOS/Cabir (worm), 359-361
sysenter, 525
system buffer viruses, 209-210
system call tracing, 647-648
System File Checker feature (Windows 2000/XP), 417
system loader, Windows 95 versus Windows NT, 181-183
system modification attacks, 389
    Novell NetWare ExecuteOnly attribute, 389-393
    W32/Bolzano virus, 415-417
system rights, memory scanning, 507-508
T
target locator of worms, 315, 319
    e-mail address harvesting, 319-324
    IP address scanning, 326-330
    network share enumeration, 324-326
TBCLEAN (antivirus program), 248
TBSCAN (antivirus program), 433, 436, 447
TCL viruses, 87-88
TCP (virus writer), 248
TCP-based attacks versus UDP-based attacks, 539
TechnoRat (virus writer), 255
temporary memory-resident viruses, 210-211
Tentacle_II. See W16/Tentacle_II (virus)
Tequila (virus), 26, 115
    infection technique, 126
    self-protection technique, 248, 257
    X-RAY scanning, 447
Terminate-and-Stay-Resident (TSR) programs, 187
TerminateProcess( ) API, 518
termination
    processes, 518
    threads, 518-521
testers, antivirus software, 672
testing
    black-box, 634
    natural infection, 637-638
.text section (PE files), 167
third-generation buffer overflows, 378-394
    definition of, 369
Thompson, Ken, 104
Thompson, Roger, 594
thread information block (TIB), 232, 565
thread local storage (TLS) data directory, 154
threads
    monitoring, 641
    terminating, 518-521
    W32/Niko.5178 (virus), 514
THREAD_TERMINATE access, 519-520
TIB (thread information block), 232, 565
tiny viruses, definition of, 130
TLBs (translation look-aside buffers), 555
TLS (thread local storage) data directory, 154
TLSDEMO program, 154
top-and-tail scanning, first-generation antivirus scanners, 435
TPE (Trident Polymorphic Engine), 264
Töltögetö (virus), 127, 302
tracing
    code emulation-based tunneling, 219
    with debug interfaces, 219
    system calls, 647-648
tracking
    active instructions, 454
    decryptors, 454
    malicious code, 634-655
traffic, sniffing, 643
translation of virtual addresses, 500
translation look-aside buffers (TLBs), 555
trapdoors. See backdoors
Tremor (virus), 198, 497
Trident Polymorphic Engine (TPE), 264
triggers, definition of, 133
Trivial (virus), infection technique, 130
Trojan horses
    definition of, 31-32
    source code Trojans, 104
troubleshooting
    connections, worm blocking techniques, 574-575
    debugging, 648-655
TruSecure Corporation, 672
TSR (Terminate-and-Stay-Resident) programs, 187
tunneling viruses, 218
    code emulation, 219
    disk access with port I/O, 219
    memory scanning for interrupt handler, 218
    tracing with debug interfaces, 219
    undocumented functions, 219-220
Turbo Debugger, 229, 649
Turing Machine, 5
U
UDP-based attacks versus TCP-based attacks, 539
Ulam, Stanislaw, 6
UMB (upper memory block), 198
undocumented CPU instructions, 245
undocumented functions, virus self-protection techniques, 219-220
Unicode strings. See strings
University of Hamburg's Virus Test Center (VTC), 672
University of Magdeburg, 672
UNIX
    ELF viruses, 64-65
    shell scripts, 80-81
    shellcode blocking, 558-562
unknown entry points (infection technique), 154-155
unpacking, malicious code analysis techniques, 625
up-conversion of macro viruses, 71
update interface of worms, 316, 345-346
    authenticated updates, 346-351
    backdoor-based updates, 351
updates, security, 669
    buffer overflow attacks (worms), 544-545
upper 2G of address space (memory scanning), 527
upper memory block (UMB), 198
UPX (run-time packer), 625
URL encoding, 385-386
user address space of processes, scanning, 523
user macros, infecting, 77
user mode
    debuggers, 648
    memory scanning in, 505-506
        executed images (Win32 viruses), 512-514
        hidden window procedure (Win32 viruses), 512
        native Windows NT service viruses, 512
        NtQuerySystemInformation( ) (NtQSI), 506-507
        processes/rights, 507-508
        Win32 viruses, 508-511
    viruses in processes, 211-212
user mode rootkits, definition of, 31, 36
UTF-8 encoding, 385-386

V
V.T. (virus writer), Darth_Vader virus, 197
V2Px (virus), self-protection technique, 226
Vacsina (virus), 26, 132
Vajda, Ferenc, 11
validation
    application rights verification, 388
    exception-handler, 565-569
    input validation attacks, 385-388, 414-415
ValleZ (virus writer), W32/Zelly virus, 255
vampire attacks, 358
vampire warriors (Core War game), 16
van Wyk, Ken, 137
<variant> (computer virus naming conventions), 41
Varicella (virus), self-protection technique, 248
VAT (Virus Analysis Toolkit), 613, 656-659
VAX/VMS systems, DCL viruses, 79-80
VBA document macros, 112-113
VBS/Bubbleboy (worm)
    detailed description of, 417-418
    HTML-based mail, 340
    safe-for-scripting ActiveX controls, 389
VBS/LoveLetter.A@mm (worm), 29, 81, 314, 538
    infection technique, 130
    script blocking, 539
VBS/VBSWG.J (Anna Kournikova virus), 35. See also Anna Kournikova virus
VBScript viruses, 81-82
VCL (Virus Creation Laboratory), 34, 289-290
VCL.428 (virus), 186
VCS (Virus Construction Set), 289
Vecna (virus writer), 27
    W32/Borm worm, 332
    W32/Coke virus, 255
    W32/HybrisF virus, 139, 248
    W95/Fabi virus, 107
    W95/Regswap virus, 270
Veldman, Frans, 264, 433, 447
Velvet (virus), self-protection technique, 229
!<vendor-specific_comment> (computer virus naming conventions), 42
vendors, antivirus software (contact information), 670
VET (antivirus program), 433
VGrep, 619
video memory, checking, 232
Vienna (virus), 26, 132, 186, 200
VIM viruses, 87
Virdem (virus), 59, 135, 186
VIRKILL (antivirus program), 436
VIROCRK (decryption tool), 451
virtual address spaces, 501-505
virtual addresses, translation of, 500
virtual debuggers, 649
virtual machine manager (VMM), 179, 471
virtual machines, 451-458, 465
Virtual Memory Manager, 503
virtual memory systems (Windows NT), 499-505
VirtualAlloc( ) function, 510
VirtualProtectEx( ) function, 522
VirtualQueryEx( ) API, 524
VirtualRoot (Trojan horse), 310
Virus Analysis Toolkit (VAT), 656, 659
Virus Bulletin Web site, 672
virus construction kits, 288
    ethics of using, 293
    GenVir, 289
    list of, 291-292
    NGVCK, 291
    PS-MPC, 290
    VCL (Virus Creation Laboratory), 34, 289-290
    VCS (Virus Construction Set), 289
Virus Construction Set (VCS), 289
Virus Creation Laboratory (VCL), 34, 289-290
virus generators, definition of, 34
Virus Patrol (antivirus service), 320
virus research
    art versus science, 4
    author's start in, 24-26
    common patterns, 26-27
Virus Research Unit of the University of Tampere in Finland, 673
virus throttling, 575
viruses
    antivirus defense techniques, 426-427
    code evolution, 252-253
    definition of, 18-20, 28
    history of, 17-18
    interactions, 354
        competition, 357-358
        cooperation, 354-357
        sexual reproduction, 359
        SWCP (simple worm communication protocol), 359
    modeling virus infections, 11-12
    naming conventions, 38-39
        [<devolution>], 41
        <family_name>, 40
        .<group_name>, 41
        <infective_length>, 41
        :<locale_specifier>, 42
        <malware_type>://, 40
        <modifiers>, 41
        #<packer>, 42
        <platform>/, 40-46
        <variant>, 41
        @m, 42
        @mm, 42
        !<vendor-specific_comment>, 42
    retro viruses, 11
    terminology, 28-36
    versus worms, 314
Visual .NET 2003 (Microsoft), 549-552
VLAD (virus writer), 53
    W95/Boza virus, 61
VM. See virtual machines
VMM (virtual machine manager), 179, 471
VMWARE, 613-617, 642
von Neumann, John, 4-7
von Neumann, Nicholas, 5
VOOGLE, 621
VPN (virtual private network). See network-level defense strategies
VTC (University of Hamburg's Virus Test Center), 672
vulnerability dependency, 98. See also blended attacks
VxD-based viruses (infection technique), 65, 178-180
VxDs, LE (linear executable) file format, 160
Vyssotsky, Victor (Core War), 12

W
W2K/Installer (virus), 137
{W2K, WNT}/Infis (virus), 65, 213-215
W16/Tentacle_II (virus), 60, 147-150
W16/Winvir (virus), 60
W32/Aldebera (virus), 139
W32/Aliz (worm), 337, 643
W32/Aplore (worm), 340
W32/Apparition (virus), 269
W32/Badtrans.B@mm (worm), 414
W32/Beagle (worm), 100
    backdoor-based updates, 351
    cooperation with viruses, 356
    self-protection technique, 249, 258
W32/Beagle.T (worm), 340
W32/Blaster (worm), 98, 315
    capturing, 598-600
    competition between worms, 358
    detailed description of, 410-413
    DoS attack, 306-307
    exploits, blocking, 561
    return-to-LIBC attacks, 571
    self-protection technique, 225
    shell code-based attacks, 343
W32/Blebla (worm), 418-419
W32/Bobax (worm), 318
W32/Bolzano (virus)
    detailed description of, 415-417
    system modification attacks, 389
W32/Borm (worm)
    backdoor-compromised systems, 331-332
    cooperation with viruses, 356
W32/Brid@mm (worm), 539
W32/Bugbear (worm), 311
    network share enumeration, 324
    SMTP worm blocking, 539
W32/Bymer (worm), 318
W32/Cabanas (virus), 157, 201-203
    infection technique, 144, 175, 183
    self-protection technique, 232, 243
W32/Cabanas.3014.A (virus), 510
W32/Chiton (virus), 63-64
    infection technique, 154
    memory scanning attacks, 533
    self-protection technique, 256-258
W32/Choke (worm), 333
W32/Cholera (worm), 356
W32/CodeGreen (antiworm), 318, 357-358
W32/CodeRed (worm), 98, 215, 315, 318, 366, 496, 517, 520, 538, 542
    avoiding buffer overflow attacks, 413
    blocking, 564-565
    code injection attacks, 342, 543
    competition between worms, 357-358
    computer security versus antivirus programs, 366
    detailed description of, 398-401
    DoS attack, 307
    exception-handler validation, 568
    exploits, blocking, 560-561
    history of blended attacks, 368
    return-to-LIBC attacks, 570
    self-sending code blocking, 563
    stack buffer overflows, 370
    system modification attacks, 389
    virus throttling, 575
W32/CodeRed_II (worm), 310, 520
W32/Coke (virus), 76, 255, 266
W32/Crypto (virus), 257, 305
W32/CTX (virus), 628
    cooperation with W32/Cholera worm, 356
    infection technique, 137, 150
W32/Dabber (worm), 358
W32/Dengue (virus)
    dynamic decryptor detection, 459
    infection technique, 150
    self-protection technique, 241
W32/Donut (virus), 99
    infection technique, 143-144
    naming, 145
W32/Doomjuice (worm)
    backdoor-based updates, 351
    cooperation with viruses, 356
W32/Elkern (virus), 532
W32/Evol (virus)
    code emulation, 464
    self-protection technique, 273
W32/ExploreZip (worm), 538
    self-protection technique, 235
    SMTP worm blocking, 541
    SMTP-based attacks, 335
W32/Franvir (virus), 113-115
W32/Funlove (virus), 416, 427
    blocking, 579
    cooperation with worms, 356
    network enumeration attacks, 324, 394
W32/Gaobot.AJS (worm)
    competition between worms, 358
    memory scanning attacks, 533
W32/Ghost (virus), 271
W32/Gobi (virus)
    filtering, 443
    self-protection technique, 247
W32/Harrier (virus), 255
W32/Heathen.12888 (virus), 73
W32/Heretic (virus), 522
W32/Heretic.1986.A (virus), 512-513
W32/HIV (virus), 59
W32/HLLP.Cramb (virus), 236
W32/HLLP.Sharpei (virus), 99
W32/HLLW.Bymer (virus), 394
W32/HLLW.Lovgate@mm (worm), 539
W32/HLLW.Qaz.A (worm), 309
W32/Holar@mm (worm), 539
W32/Hybris (worm), 577
W32/HybrisF (virus)
    infection technique, 139
    self-protection technique, 248
W32/Hyd (worm), 318, 334
W32/Idele (virus), 153
W32/IKX (virus), 236, 241
W32/Infynca (virus), 229
W32/Kick (virus), 65
W32/Klez (worm), 538
    infection technique, 136
    MIME header exploits, 414
    SMTP worm blocking, 539-541
W32/Klez.H (worm), 320
W32/Kriz (virus), 239-240
W32/Leaves (worm), 332
W32/Legacy (virus), 243
{W32, Linux}/Peelf (virus), 52, 286
{W32, Linux}/Simile (virus), 258, 281-286
{W32, Linux}/Simile.D (virus), 53, 64, 256, 576
W32/Lespaul@mm (worm), 342
W32/Lirva@mm (worm), 539
W32/Lovegate@mm (worm), 533
W32/Maax (worm), 333
W32/Magistr (virus)
    e-mail address harvesting, 319
    heuristics, 466
    SMTP-based attacks, 336
W32/Mimail.I@mm (phishing attack), 309
W32/Mydoom (worm)
    backdoor-based updates, 351
    cooperation with worms, 356
    e-mail address harvesting, 320
    self-protection technique, 249
    SMTP-based attacks with MX queries, 338
W32/Mydoom.A@mm (worm), 540
W32/Mydoom.M@mm (worm), 321
W32/Niko.5178 (virus), 513-514
W32/Nimda (worm), 97, 311, 314, 366, 538
    backdoor-compromised systems, 332
    SMTP worm blocking, 539
    SMTP-based attacks, 335
W32/Nimda.A@mm (worm), 29, 414-415
W32/Opaserv (worm), 318
    network enumeration attacks, 394
    password handling, 324
W32/Parvo (worm), 518
    e-mail address harvesting, 321
    e-mail worm attacks, 334
W32/Parvo.13857 (virus), 510-511
W32/Perenast (virus)
    infection technique, 153
    self-protection technique, 237
W32/Perrun (virus), 116
W32/Press (virus), 78
W32/PrettyPark (worm), 93
W32/Qint@mm (worm), 257
W32/RainSong (virus), 152
W32/Redemption (virus), 139
W32/Resure (virus), 235
W32/Sand.12300 (virus), 140
W32/Sasser (worm), 358
W32/Sasser.D (worm), 603
W32/Semisoft (virus), 518
W32/Serot (worm), 319
W32/SKA (worm), 299, 314, 538. See also Happy99 worm
W32/SKA.A (worm), 29, 62, 522
W32/Slammer (worm), 215, 316, 496, 538-539, 542
    blocking, 564
    capturing, 607-608
    code injection attacks, 341
    detailed description of, 407-410
    DoS attack, 306
    randomized network scanning, 329-330
    self-sending code blocking, 563
    virus throttling, 575
    worm blocking techniques, 557
W32/Smorph (Trojan), 277
W32/Sobig (worm)
    e-mail address harvesting, 321
    SMTP worm blocking, 539
W32/Subit (virus), 102-103
W32/Taripox@mm (worm), 334
W32/Tendoolf (worm), 351
W32/Thorin (virus), 243
W32/Toal@mm (worm), 322
{W32, W97M}/Beast.41472.A (virus), 112, 512
W32/Wangy (worm), 324
W32/Welchia (worm), 98
    backdoor-based updates, 351
    capturing, 605
    competition between worms, 358
    exploits, blocking, 562
    network scanning and fingerprinting, 330
    shell code-based attacks, 344
W32/Welchia.A (worm), 316-317
W32/Witty (worm), 34, 302, 316
    large-scale damage, 578
    self-sending code blocking, 565
W32/Yaha@mm (worm), 539
W32/Yourde (virus), 90
W32/Zelly (virus)
    infection technique, 175
    self-protection technique, 255
W64/Rugrat.3344 (virus), 62, 580
W64/Shruggle (virus), 62
W95/Aldabera (virus), 237
W95/Anxiety (virus), 166, 174, 179
W95/Babylonia (worm), 345-346, 349
W95/Bistro (virus), 275
W95/Boza (virus), 55, 61, 157, 166, 171, 174
    heuristic analysis, 468
    infection technique, 182
W95/Boza.A (virus), 172-173
W95/Cerebrus (virus), 178
W95/Champ.5447.B (virus), 244
W95/CIH (virus), 213, 305, 613
    infection technique, 137, 177, 180
    large-scale damage, 577
    self-protection technique, 228, 232, 240
W95/Darkmil (virus), 246
W95/Drill (virus), 281
    self-protection technique, 224, 246, 256
    X-RAY scanning, 448
W95/Fabi (virus), 107-108
W95/Fabi.9608 (virus), 455
W95/Fix2001 (worm), 221-222
W95/Fono (virus), 256
W95/Haiku (virus), 299
W95/Harry (virus), 174, 179
W95/Henky (virus), 156
W95/HPS (virus), 201
    heuristic analysis, 467
    self-protection technique, 264
    somewhat destructive payload viruses, 300
W95/Hybris (worm), 346-351, 538
W95/Invir (virus), 236, 244
W95/Kala.7620 (virus), 246
W95/Lorez (virus), 62, 176
W95/Mad (virus)
    static decryptor detection, 445
    X-RAY scanning, 446
W95/Marburg (virus), 632
    goat files, 639
    heuristic analysis, 467
    infection technique, 175
    nondestructive payload viruses, 298
    self-protection technique, 225, 230, 264
W95/MarkJ.8 (virus), 471
W95/Memorial (virus), 115-116
    heuristic analysis, 468
    infection technique, 178, 183
    self-protection technique, 259
W95/MTX (virus), 249
W95/Murkry (virus)
    infection technique, 173
    self-protection technique, 240
W95/Navrhar (virus), 76, 160, 180
W95/Opera (virus), 65
W95/Orez (virus), 238
W95/Padania (virus), 237
W95/Perenast (virus), 99
W95/Prizzy (virus), 243
W95/Puron (virus), 463
W95/Regswap (virus), 270
W95/Repus (virus), 210
W95/Resur (virus), 257
W95/Silcer (virus), 257
W95/SillyWR (virus), 240
W95/SK (virus), 89, 199, 277
    self-protection technique, 230, 238-239
    X-RAY scanning, 451
W95/Sma (virus), 204-205
W95/Spawn.4096 (virus), 176
W95/SST.951 (virus), 229
W95/Vulcano (virus)
    infection technique, 137
    self-protection technique, 245
W95/WG (virus), 65
W95/Zmist (virus), 106, 576
    disassembling, 463
    filtering, 444
    geometric detection, 461
    infection technique, 155-156
    self-protection technique, 277-281
    Virus Analysis Toolkit (VAT), 658
W95/Zmorph (virus), 272
W95/Zperm (virus), 274, 279
W97M/Coke (virus), 255
W97M/Fabi.9608 (virus), 455
W97M/Groov.A (worm), 318
W97M/Heathen.12888 (virus), 73
W97M/Killboot.A (virus), 68
W97M/Melissa@mm (worm), 314, 538
    e-mail address harvesting, 319
    e-mail worm attacks, 334
W97M/Pri.Q (virus), 620
W98/Yobe (virus), 223
Wagner, David, 347
Walker, John (ANIMAL game), 17
Wangsaw, Mintardjo, 13
WANK (worm), 297
Warhol (worm), 326
warnings, information of, 669
Washburn, Mark (virus writer), 261
watch mode, 587
Watson and Crick, 6
Wazzu virus. See WM/Wazzu.A (virus)
weak passwords, danger of, 324
Web sites
    BioWall project, 12
    links to, 339-340
WebTV worms, 86-87
weeding as process of computer virus analysis, 621
Wendell, Chip, 13
Whale (virus writer), MSIL/Gastropod virus, 99, 269
Whale (virus), 51
    memory scanning attacks, 532
    self-protection technique, 230-231, 259
Wheeler, David, 346
White, Steve, 51, 277
Whitehouse, Ollie, 360
whitepapers (virus), 670
wildcards, first-generation antivirus scanners, 430-431
WildList Organization International, 673
Win/RedTeam (worm), 314
    e-mail attachment inserters, 334
Win32
    appending viruses, 174-175
    companion viruses, 176
    EPO (entry-point obscuring) viruses, 150-153
    exception handlers, 232
    file structure infection, 239
    first-generation Windows 95 viruses, 172-173
    fractionated cavity viruses, 177
    function calls, macro viruses, 73
    generating exceptions, 229
    growth of viruses for, 181
    header infection viruses, 173
    heuristic analysis of viruses, 467-472
    history of viruses on, 157
    IsDebuggerPresent( ) API, 229
    KERNEL32.DLL infection, 175-176
    lfanew field modification, 178
    PE (portable executable) file format, infection techniques, 160-172
    PE viruses, 61-64
    platform support for, 158-160
    prepending viruses, 174
    viruses, 508-511
    VxD-based viruses, 178-180
Win32/Beast.41472.A (virus), 112
Win32/Niko (virus), 519
Win32s, Win32 platform support, 158
Win64, 61, 160
WinCE/Duts.1520 (virus), 109
WinDBG tool, 649
Windows. See also 16-bit Windows; Win32
    AUTORUN.INF file viruses, 97
    device driver viruses, 65
    EPO (entry-point obscuring) viruses, 147-153
    Help file viruses, 89
    INI file viruses, 97
    installation script viruses, 96
    LNK viruses, 94
    memory-resident viruses, self-detection techniques, 198-199
    metamorphic viruses, 270
    NE viruses, 60
    PE viruses, 61-64
    PIF viruses, 94
    read stealth viruses, 204-205
    Registry-dependent viruses, 93-94
    system buffer viruses, 210
    VBScript viruses, 81-82
    viruses in kernel mode, 212-215
Windows 2000, Win32 platform support, 158
Windows 2003 Server, Win32 platform support, 158
Windows 95
    appending viruses, 174-175
    boot viruses, 129
    companion viruses, 176
    first-generation viruses, 172-173
    fractionated cavity viruses, 177
    header infection viruses, 173
    history of Win32 viruses, 157
    KERNEL32.DLL infection, 175-176
    LE (linear executable) file format, 160
    lfanew field modification, 178
    prepending viruses, 174
    system loader comparison with Windows NT, 181-183
    VxD-based viruses, 178-180
    Win32 platform support, 158
Windows 95 System Programming Secrets, 616
Windows 98/ME, Win32 platform support, 158
Windows 9x, kernel mode, 228-229
Windows CE
    device translator layer dependent viruses, 109-112
    Win32 platform support, 158
Windows NT
    class of context (memory scanning), 526
    executed images (Win32 viruses), 512-514
    filter driver virus deactivation (memory scanning), 527-529
    functions (memory scanning), 525
    hidden window procedure (Win32 viruses), 512
    memory scanning
        and paging, 515-517
        processes/rights, 507-508
    native viruses, 496
    service API entry points (memory scanning), 524
    service viruses, 512
    system loader comparison with Windows 95, 181-183
    upper 2G of address space (memory scanning), 527
    virtual memory system, 499-505
    Win32 platform support, 158
    Win32 viruses, 508-511
Windows Update Web site, DoS attack against, 413
Windows XP, Win32 platform support, 158
WinNT/RemEx (virus), 496
Winvir. See W16/Winvir (virus)
wireless mobile worms, 359-361
WM/Cap.A (virus), 72, 157
WM/Concept (virus), 296
WM/Concept.A (virus), 67
WM/DMV (virus), 67
WM/Hot.A (virus), 73
WM/Npad (virus), 70
WM/ShareFun (worm), 314
WM/Wazzu.A (virus), 301
WNT/RemEx (virus), 512, 518
WNT/Stream (virus), 58
Word Pro viruses, 94
Word viruses. See macro viruses
WordSwap (virus), 260, 303
worm blocking techniques, 538-542, 557
    buffer overflow attacks
        blocking, 543-544
        code reviews, 544
        compiler-level solutions, 545-552
        kernel-mode extensions, 554-556
        operating system-level solutions, 552-554
        program shepherding, 556
        subsystem extensions, 554
    connections, 574-575
    exception-handler validation, 565-569
    GOT/IAT page attributes, 574
    injected code detection, 557-562
    return-to-LIBC attacks, 569-573
    script/SMTP blocking, 539-542
    self-sending code blocking, 563-565
worms
    backdoor features, 309-311
    behavior patterns, 598-608
    code propagation techniques, 338
        code injection attacks, 341-342
        executable code-based attacks, 339
        HTML-based mail, 340
        links to Web sites or proxies, 339-340
        remote login-based attacks, 341
        shell code-based attacks, 342-344
    competition between, 357-358
    cooperation with viruses, 354-357
    definition of, 29-30, 314-315
    future attacks, 575-578
    outbreak statistics, 670
    structure of, 315
        infection propagator, 315-316, 331-338
        life-cycle manager, 316-317
        payload activation, 318
        remote control, 316, 351-354
        self-tracking, 318
        target locator, 315, 319-330
        update interface, 316, 345-351
    SWCP (simple worm communication protocol), 359
    versus computer viruses, 314
    wireless mobile worms, 359-361
writeable flag, 238
WS2_32!sendto( ) API, 564

X
X-RAY method, algorithmic scanning methods, 446-451
X97M/Jini.A (virus), 76
Xbox, security vulnerabilities, 347
XF/Paix (virus), 77
XM/Laroux (virus), 67
XML, macro viruses, 77
Xmorfic (virus writer), 88
XMS (Extended Memory Specification), 198
XTEA (extended tiny encryption algorithm), 346

Y
Yankee_Doodle (virus), 26, 54, 157, 219, 233

Z
Zachary, William B., 7
Zafi.A (worm), 320
Zbikowski, Mark, 60
zero bytes, 433
Zhengxi (virus writer), 100, 248, 348
    heuristic analysis, 472
    infection technique, 152
Zmist virus. See W95/Zmist (virus)
Zombie (virus writer), 27, 349
    ETG (executable trash generator) engine, 280
    ISO image infection, 59
    W95/Zmist virus, 155, 277
    W95/Zperm virus, 279
zoo viruses, 26
Zox. See INF/Zox (virus)