Index [ptgmedia.pearsoncmg.com] · 2009. 6. 9. · INDEX 679 history of, 367-368 blocking buffer...


Index

Symbols
@m (computer virus naming conventions), 42
@mm (computer virus naming conventions), 42
@mm worms (mass-mailer worms), 29
3 Tunes (virus), 92
3APA3A (virus), 116
16-bit Windows
  EPO (entry-point obscuring) viruses, 147-150
  NE viruses, 60
32-bit address spaces. See virtual memory systems (Windows NT)
32-bit polymorphic viruses, 264-268
32-bit Windows. See Win32
64-bit platforms, kernel mode scanning on, 530-531
64-bit Windows, PE viruses, 61
911 attacks, 308
1260 virus, self-protection technique, 261-262

A
ABAP viruses, 89
ABAP/Rivpas (virus), 89
access
  context-based access control (CBAC), 586
  counterattacks, 596
  Dumaru (worm), 640
  early warning systems, 598
  firewalls, 588-589
  honeypot systems, 593-594
  network intrusion detection system (NIDS), 591-592
  router access lists, 585-587
  worm behavior patterns, 598-608
accidentally destructive payload viruses, 297
ACG (Amazing Code Generator) virus, 270, 277
  code emulation, 463-464
  disassembling, 463
  heuristics, 465
  self-protection technique, 253
Acrobat, PDF viruses, 90
ActionScript viruses, 91
activation methods. See payload activation
active instructions, tracking, 454
active pages, patching code in, 522
ActiveX controls
  rights verification, 388
  safe-for-scripting, 388-389, 417-419

675

Szor_Index_ver6.qxd 1/7/05 1:59 PM Page 675


Address Resolution Protocol (ARP) requests, 595
address-book worms, 319
address spaces
  process randomization, 570
  return-to-LIBC attacks, 569-573
  upper 2G of address space (memory scanning), 527
  user address space of processes (scanning), 523
  virtual address spaces (Windows NT), 501-505
addresses
  GOT/IAT page attributes, 574
  virtual, translation of, 500
AddressOfEntryPoint field (PE header), 164
Adleman, Leonard, 18
ADM (worm), avoiding buffer overflow attacks, 413
administration
  memory, 498-499
  Virtual Memory Manager, 503
Admiral Bailey (virus writer), IVP (Instant Virus Production Kit), 292
Adobe Acrobat, PDF viruses, 90
Adore (rootkit), 36
adware, definition of, 38
AIDS Information Diskette (Trojan horse), 31, 305
Alcopaul (virus writer), W32/Sand.12300 virus, 140
alerts, DeepSight, 598
algorithmic detection, metamorphic viruses, 271
algorithmic scanning methods, 441-443
  filtering, 443-444
  static decryptor detection, 444-446
  X-RAY method, 446-451
algorithms, Boyer-Moore, 431
Aliz (worm), 644
ALS/Burstead (virus), 92
altering module, 592
Amazing Code Generator (ACG) virus. See ACG virus
AmiPro viruses, 94-95
Amoeba (infection technique), 140
analysis, malicious code analysis techniques, 612
  architecture guides, 615
  collection maintenance, 661
  dedicated system installation, 612, 615
  Digital Immune System, 661-664
  disassemblers, 626-632
  dynamic analysis techniques, 634-655
  knowledge bases, 615-616
  process of, 618-625
  unpacking, 625
  Virus Analysis Toolkit (VAT), 656-659
  VMWARE, 616-617
Anarchy.6093 (virus), 112
ANIMAL (game), 17
Anna Kournikova virus, 35, 292
ANSI.SYS drivers, reconfiguring key functions, 90-91
Anthrax (virus), 210
Anti-AVP (virus), self-protection technique, 248
ANTI-VIR.DAT file (antivirus program), 248
AntiCMOS (virus), 306
antidebugging techniques (armored viruses), 226-234
antidisassembly techniques (armored viruses), 220-226
antiemulation techniques (armored viruses), 242-247
AntiEXE (virus), somewhat destructive payload viruses, 300
antigoat techniques (armored viruses), 247
antiheuristics techniques (armored viruses), 234-242
AntiPascal (virus), 302


antivirus defense techniques, 426-427
antivirus programs. See also disinfection methods
  “Are you there?” calls, 199
  behavior-blocking programs, 19
  disabling with retroviruses, 247-249
  half-cooked repairs, 136
  history of, 27-28
  integrity checker programs, 19
  modeling virus infections, 11-12
  scanning, 252
  testers, 672
  vendor contact information, 670
  versus computer security companies, 366-367
antivirus viruses, 357
API hooking (infection technique), 150-151
API strings, 241-242
APIs, control transfer, 246
AplS/Simpsons@mm (worm), 90
APM/Greenstripe (virus), 95
appending viruses (infection technique), 132-133, 174-175, 240-241
AppleScript viruses, 90
applications
  algorithmic scanning methods. See algorithmic scanning methods
  antivirus defense techniques, 426-427
  code emulation. See code emulation
  disinfection methods, 474-477
  first-generation antivirus scanners. See first-generation antivirus scanners
  heuristic analysis, 467-474
  metamorphic virus detection. See metamorphic virus detection
  rights verification, 388
  second-generation antivirus scanners. See second-generation antivirus scanners
architecture dependency. See computer architecture dependency
architecture guides, malicious code analysis techniques, 615
archive format dependency, 100
“Are you there?” calls (self-detection technique), 198
arenas (sections of memory), 498
armored viruses, 220
  antidebugging techniques, 226-234
  antidisassembly techniques, 220-226
  antiemulation techniques, 242-247
  antigoat techniques, 247
  antiheuristics techniques, 234-242
ARP (Address Resolution Protocol) requests, 595
“Art of the Fugue” (Bach), 5
art versus science, 4
ASPACK (run-time packer), 625
Atkinson, Bill, 91
attachment inserters (worm infections), 334
attacks. See also blended attacks; buffer overflow attacks; viruses; worm blocking techniques
  against memory scanning, 532-533
  algorithmic scanning methods. See algorithmic scanning methods
  antivirus defense techniques, 426-427
  code emulation. See code emulation
  code injection attacks, 341-342, 543
  dictionary attacks, 324
  DoS (denial of service) attacks, 306-308, 539
  e-mail worm attacks, 333-334
  executable code-based attacks, 339
  file parsing attacks, 319-320
  first-generation antivirus scanners. See first-generation antivirus scanners
  future, 575-578
  heuristic analysis, 467-474
  injected code detection, 557-562
  instant messaging attacks, 333
  Linux/Slapper, 647
  metamorphic virus detection. See metamorphic virus detection
  network share enumeration, 324-326


  network-level defense strategies. See network-level defense strategies
  NNTP attacks, 338
  password-capturing attacks, 325
  peer-to-peer network attacks, 332-333
  phishing attacks, 308-309
  remote login-based attacks, 341
  return-to-LIBC, 543, 569-573
  second-generation antivirus scanners. See second-generation antivirus scanners
  shell code-based attacks, 342-344
  SMTP proxy-based attacks, 334-335
  SMTP-based attacks, 335-338
  stack smashing, 546
  vampire attacks, 358
attributes, GOT/IAT page, 574
authenticated updates (worm infections), 346-351
auto-rooters, definition of, 34
AutoLisp viruses, 92-93
automata. See cellular automata; self-replicating systems
automated analysis, Digital Immune System, 661-664
automated exploit discovery, 578
AUTORUN.INF file viruses, 97
AV-Test.org, 672
AVP (antivirus software), 248
Azusa (virus), infection technique, 125

B
B0/S0 (virus writer), W32/Aldebera virus, 139
Bach, Johann Sebastian (“Art of the Fugue”), 5
Back Orifice (backdoor system), 331
backdoor features in worms, 309-311
backdoor-based updates (worm infections), 351
backdoor-compromised systems (worm infections), 331-332
backdoors, definition of, 32
backward decryption, 230
BAD, marking sectors as, 128
Badboy (virus), self-protection technique, 260, 271
Badtrans (worm), 366
BAT/Batalia (virus), 82
BAT/Hexvir (virus), 82
BAT/Mumu (virus), 83
  weak passwords, 324
BAT/Polybat (virus), 82
BAT/Ramble (virus dropper), 96
BAT/Zipbat (virus), 82
BATCH viruses, 82
BATVIR (virus), 82
Beast (virus), 112
behavior blockers, definition of, 19, 209
behavior patterns (worms), 598-608
Belcebu, Billy (virus writer), 233
beneficial viruses, 357
Benny (virus writer)
  W2K/Installer virus, 137
  W32/Donut virus, 99
  W32/HIV virus, 59
  W32/Press virus, 78
Bergroth, Ismo, 496
BHP (virus), 57-58
binary viruses
  computer architecture dependency, 52
  CPU dependency, 53-54
  operating system dependency, 55
BIND (Berkeley Internet name domain) servers, Linux/ADM worm, 397
BioWall project Web site, 12
Bizatch (virus), 61
Black Baron (virus writer), 448
black boxing, 624
black-box testing, 634
BlackIce firewall, 646
blank passwords, danger of, 324
Blaster (worm). See W32/Blaster (worm)
blended attacks. See also buffer overflow attacks
  danger of, 366-367
  defined, 366


  history of, 367-368
blocking
  buffer overflow attacks (worms). See buffer overflow attacks (worms)
  Microsoft SQL Server exploits, 559-560
  scripts, 539-541
  self-sending code blocking, 563-565
  shellcode, 558-562
  SMTP, 539-541
  W32/Blaster (worm) exploits, 561
  W32/CodeRed (worm), 542, 560-561, 564-565
  W32/Slammer (worm), 542-564
  W32/Welchia (worm) exploits, 562
blocking mode, 592
Bluetooth and wireless mobile worms, 359-361
Bochs, 663
Bontchev, Vesselin, 39, 61, 74-75, 349, 447, 633, 661
bookmarks, first-generation antivirus scanners, 433-434
boot sector viruses. See boot viruses
boot strap loader, 122
  replacement of, 124-125
boot viruses, 122-124
  computer architecture dependency, 52
  DBR (DOS BOOT record) infection techniques, 126-129
  encryption, 303-304
  hooking INT 13h (interrupt handler), 191-193
  installation, 197
  interrupt hooking, 188
  MBR (master boot record) infection techniques, 124-126
  over networks, 129
  in Windows 95, 129
Borland Quattro spreadsheet program, 187
Brain (virus), 52, 122, 197, 200, 497
  attack by Denzuko virus, 127
  competition between viruses, 357
  read stealth viruses, 203
break points
  detecting, 227
  removing, 233
  stopping, 454
broadcast segmentation technique, 353
Brown, Ralf, 615
Brunner, John (Shockwave Rider), 29
brute-force decryption, RDA viruses, 245, 256
BSD/Scalper (worm), 327, 353, 401, 406, 543
.bss section (PE files), 167
buffer overflow attacks (worms), 538-542
  avoiding, 413-414
  blocking, 543-544
  code reviews, 544
  CodeRed worm, 398-401
  compiler-level solutions, 545-552
  definition of, 368-369
  first-generation buffer overflows, 369-371
  kernel-mode extensions, 554-556
  Linux/ADM worm, 397-398
  Linux/Slapper worm, 401-407
  Morris worm, 367, 395-397
  operating system-level solutions, 552-554
  program shepherding, 556
  script/SMTP blocking, 539-542
  second-generation buffer overflows, 371-378
  subsystem extensions, 554
  third-generation buffer overflows, 378-394
  W32/Blaster worm, 410-413
  W32/Slammer worm, 407-410
Buffer Security Check feature, 552
BugTraq databases, 598
Bumblebee (virus writer), W32/RainSong virus, 152
Burger, Ralf (virus writer), Virdem virus, 135
Burglar.1150.A (virus), system modification attacks, 391
Burks, Arthur, 6
Butler, Max, 397


C
Cabanas. See W32/Cabanas (virus)
cache bypass vulnerability, W32/Blebla worm, 419
cache viruses. See disk cache viruses
calc.exe, 619
CALL-to-POP trick, 240-241
calls, system tracing, 647-648
canonicalization, 385-386
captures
  Linux/Slapper (worm), 600-602
  network traffic, 643
  W32/Blaster (worm), 598-600
  W32/Sasser.D (worm), 603
  W32/Slammer (worm), 607-608
  W32/Welchia (worm), 605
CARO (Computer Antivirus Researchers Organization), 38
Cascade (virus), 24-26, 53, 59
  nondestructive payload viruses, 298
  self-protection technique, 230, 253
  X-RAY scanning, 447
cavity viruses (infection technique), 136-137
CBAC (context-based access control), 586
CC hack, 104
CEF file format, 111
cell phones, worms on, 359-361
cellular automata (CA) computer architecture, 6. See also self-replicating systems
  Edward Fredkin structures, 7-8
  game of Life (Conway), 8-12
chain letters, definition of, 37
Characteristics field (PE header), 164
check bytes. See bookmarks
checksum
  API strings, 242
  CRC checksum, 248
  detecting break points, 227
  recalculation, 239
  as self-protection technique, 224-225
Checksum field (PE header), 165
Cheeba (virus), self-protection technique, 257
Cheese (worm), 315, 318
Chess, Dave, 26, 277
Cheswick, Bill, 593
Chi, Darren, 75
CHRISTMA EXEC worm, 78-79
Cisco routers. See routers
classic parasitic viruses (infection technique), 135-136
cleaning goat files, 639
Clementi, Andreas, 673
cluster prepender infection method, 57
cluster viruses, file system dependency, 56-58
cluster-level stealth viruses, 207-208
CMOS viruses, 306
Codd, E.F., 6
code
  in active pages, patching, 522
  injected code detection, 557-562
  malicious code analysis techniques. See malicious code analysis techniques
  quick examination during computer virus analysis, 621
  self-sending code blocking, 563-565
  versus data in von Neumann machines, 5
code builders (infection technique), 155-156
code confusion. See obfuscated code
code emulation, 451-454
  antiemulation techniques (armored viruses), 242-247
  dynamic decryptor detection, 459-461
  encrypted/polymorphic virus detection, 455-458
  metamorphic virus detection, 463-466
code emulation-based tunneling, 219
code evolution, 252-253
code injection attacks, 341-342, 398-401, 543
code integration viruses (infection technique), 155, 278-281
code propagation techniques (worms), 338
  code injection attacks, 341-342
  executable code-based attacks, 339
  HTML-based mail, 340


  links to Web sites or proxies, 339-340
  remote login-based attacks, 341
  shell code-based attacks, 342-344
code redirection, 469
code reviews, buffer overflow attacks (worms), 544
code sections
  naming, 469
  packing, 237
  PE entry points, 468
  random entry point, 237-238
  sizes in header, 241
  writeable flag, 238
CodeGreen (antiworm). See W32/CodeGreen (antiworm)
CodeRed (worm). See W32/CodeRed (worm)
CodeRed_II (worm), 310, 520
Cohen, Frederick, 18, 302
  definition of computer viruses, 18-20
  history of antivirus programs, 27
Coke. See W32/Coke (virus)
collection (viruses) maintenance, 661
COM viruses, 59
combined attacks. See blended attacks
Commander_Bomber (virus), infection technique, 142-143
companion viruses (infection technique), 18, 176
competition between viruses, 357-358
compiler alignment areas, recycling, 238
compiler dependency, 108-109
compiler-level solutions, buffer overflow attacks (worms), 545-546
  Microsoft Visual .NET, 2003 (7.0 & 7.1), 549-552
  ProPolice, 548-549
  StackGuard, 546-548
compressing viruses (infection technique), 139-140
  file system dependency, 59
compression
  PE file-infection techniques, 235
  run-time packers, 625
  as self-protection technique, 225-226
Computer Antivirus Researchers Organization (CARO), 38
computer architecture dependency, 52-53
computer security companies versus antivirus programs, 366-367
computer simulations of nature. See nature-simulation games
computer virus analysis, process of, 618-624
computer virus research. See virus research
computer viruses. See viruses
computer worms. See worms
computers, modeling virus infections, 11-12
connections, worm blocking techniques, 574-575. See also network-level defense strategies
construction kits. See virus construction kits
contagion worms, 576
context-based access control (CBAC), 586
control transfer with APIs, 246
Conway, John Horton (game of Life), 8-12
cookies, security_cookie values, 550
cooperation between viruses, 354-357
coprocessor instructions, 242-243
copy-protection software, extra disk sectors, 127
copycat worms. See worm blocking techniques
Core War (game), 12-16, 534
Core Wars instructions (1994 revision), 14
Corel Script viruses, 95
corruption of macro viruses, 69-71
counterattacks, 596
CPU dependency, 53-54
CPU instructions, undocumented, 245
CPUs, Win32 platform support, 159


CR0 control registers, 529
CRC checksums, 248
CreateFile( ) API, 232-233
CreateProcess( ) API, 559
Creeper (virus), 17
cross-platform binary viruses, 52
Cruncher (virus), infection technique, 139
Crypto API, 257
cryptographic detection, 446
cryptography, AIDS TROJAN DISK Trojan horse, 31
Cryptor (virus), 232
Csakany, Antal, 11
CSC/CSV (virus), 95
CSC/PVT (virus), 95

D
-d command (UPX), 625
Dark Angel (virus writer), PS-MPC virus construction kit, 290
Dark Avenger (virus writer), 26-27
  Commander_Bomber virus, 142-143
  MtE (mutation engine), 262-264
  Number_Of_The_Beast virus, 193
  self-protection technique, 220
Darkman (virus writer), 137
Darkness (virus), 88
DarkParanoid (virus), memory scanning attacks, 532
Dark_Avenger.1800.A (virus), 218, 303
Darth_Vader (virus), 197
  infection technique, 137
  system buffer viruses, 209
Darwin (game), 12
data diddler viruses, 302-303
Data Fellows, 613
Data Rescue’s IDA. See IDA (disassembler)
.data section (PE files), 167
data stealing viruses, 308-311
data versus code in von Neumann machines, 5
date and time dependency, 98
DBR (DOS BOOT record), infection techniques, 126-129
DCL viruses, 79-80
DDoS (distributed denial of service) attacks, 36
de Wit, Jan, 35
deactivation of filter driver viruses, 527-529
dead virus code, reviving, 127
DEBUG command, 25, 367
debug interfaces, tracing with, 219
debug registers, clearing, 232
.debug section (PE files), 168
debugger dependency, 106-108
debugging, 648-651, 655
  antidebugging techniques (armored viruses), 226-234
DEC/VMS systems, DCL viruses, 79-80
deception, e-mail worm attacks, 333-334
decoders, packets, 591
decryption. See also encryption
  backward decryption, 230
  disassemblers, 626-632
  nonlinear decryption, 256
  RDA viruses, 245
  with stack pointer (SP), 230
decryptors
  dynamic detection, 459-461
  static detection, 444-446
  tracking, 454
dedicated virus analysis systems
  installation of, 612-615
  VMWARE, 616-617
DeepSight alerts, 598
Demon Emperor (virus writer), Hare virus, 129, 255
denial of service (DoS) attacks, 35, 306-308, 539
  against Windows Update Web site, 413
Denzuko (virus)
  competition between viruses, 357
  infection technique, 127


dependencies
  archive format dependency, 100
  compiler and linker dependency, 108-109
  computer architecture dependency, 52-53
  CPU dependency, 53-54
  date and time dependency, 98
  debugger dependency, 106-108
  device translator layer dependency, 109-112
  embedded object insertion dependency, 112-113
  extension dependency, 101-102
  file format dependency, 59-66
  file system dependency, 56-59
  host size dependency, 105-106
  interpreted environment dependency, 66-98
  JIT dependency, 99-100
  language dependency of macro viruses, 71-72
  multipartite viruses, 115-116
  network protocol dependency, 102
  operating system dependency, 55
  operating system version dependency, 55-56
  platform dependency of macro viruses, 73-74
  Registry-dependent viruses, 93-94
  resource dependency, 104-105
  self-contained environment dependency, 113-115
  source code dependency, 102-104
  vulnerability dependency, 98
destructive payload viruses
  highly destructive payloads, 301-306
  somewhat destructive payloads, 300-301
detection. See also first-generation antivirus scanners; second-generation antivirus scanners
  active viruses in memory, 497
  cryptographic, 446
  direct library function invocations, 571-573
  dynamic decryptor, 459-461
  engines, 592
  geometric, 461-462
  injected code, 557
    shellcode blocking, 558-562
  network intrusion detection system (NIDS), 584, 591-592
  static decryptor, 444-446
  threads, 518-521
device driver viruses, 65
device translator layer dependency, 109-112
[<devolution>] (computer virus naming conventions), 41
devolution of macro viruses, 74-75
Dewdney, A.K., 13
dialers, definition of, 33
dictionary attacks, 324
Digital Immune System, 661-664
Digital Millennium Copyright Act (DMCA), 596
DIR-II (virus), 56
direct library function invocations, detection of, 571-573
direct-action viruses, 186
directories, page (memory), 500
directory stealth viruses, 200-203
dirty memory pages, 455
disassemblers, 624
  antidisassembly techniques (armored viruses), 220-226
  malicious code analysis techniques, 626-632
  metamorphic virus detection, 462-463
discovery of automated exploits, 578
disinfection methods, 474-475. See also antivirus programs; memory scanning
  generic decryptors, 477
  standard, 475-477
disk access with port I/O, 219
disk cache viruses, 209-210
Disk Killer (virus), 128, 303
Dispatch routine of DeactivatorDrivers, 529


distributed denial of service (DDoS) attacks, 36
divide-by-zero exceptions, 229
DLL viruses, 62-63
DLLs
  disinfecting, 523
  linking to executables, 168-171
DMCA (Digital Millennium Copyright Act), 596
Donut (virus). See W32/Donut (virus)
Doomed (game), 113
Doomjuice (worm). See W32/Doomjuice (worm)
DOS
  cluster and sector-level stealth viruses, 207-208
  COM viruses, 59
  EPO (entry-point obscuring) viruses, 145-147
  EXE viruses, 60
  full-stealth viruses, 205-206
  interrupt hooking, 188-196
  memory-resident viruses, 196-199
  metamorphic viruses, 270
  system buffer viruses, 209
  TSR (Terminate-and-Stay-Resident) programs, 187
  undocumented interrupt (Int, 21h/52h function), 498
DoS (denial of service) attacks, 35, 306-308, 539
  against Windows Update Web site, 413
DOS BOOT record (DBR), infection techniques, 126-129
DOS stub in PE header, 162
“double extensions,” 81
down-conversion of macro viruses, 71
downloaders, definition of, 33
Doxtor L (virus writer), W32/Idele virus, 153
DR. DR. STROBE & PAPA HACKER (virus writers), 57
Dream (virus), 89
driver-list scanning, detecting debuggers, 230
drivers
  filter, 427, 527-529
  kernel-mode, 503
  lists of, 527
droppers, definition of, 33-34
Dukakis (virus), 91-92
Dumaru (worm), 635, 640
dumps
  PEDUMP, 645
  strings, 623-624
Dustbin, 619
Dwarf (Core War warrior program), 14-15
dynamic analysis techniques, 634-655
dynamic decryptor detection, 459-461
dynamic heuristics, 234
dynamic link library viruses, 62-63
dynamically allocated memory. See heaps

E
e-mail
  executable code-based attacks, 339
  HTML-based mail, 340
  worm infections, 333-334
e-mail addresses
  harvesting, 319-324
  parsing files for, 320
e-mail attachment inserters (worm infections), 334
early warning systems, 598, 669
Easter eggs, definition of, 30
ecophagy, 7
.edata section (PE files), 167
Eddie (virus), 218, 303
Eddie-2 (virus), 200
EICAR (European Institute for Computer Antivirus Research), 672
ELF viruses, 64-65
Elk Cloner (virus), 17, 52
EMACS viruses, 87
embedded decryptor (infection technique), 141-142


embedded decryptor and virus body (infection technique), 142-143
embedded object insertion dependency, 112-113
emulation. See code emulation
encoding URLs, 385-386
encrypted viruses, 253-258
encryption, 221-222, 303-305. See also decryption
  of host file headers, 236
  Linux/Slapper worm, 406
  virus detection, 455-458
  W95/Marburg virus, 632
  X-RAY algorithmic scanning method, 446-451
entry points
  obfuscation, 233
  random entry points in code section, 237-238
entry-point obscuring viruses (infection technique), 145-155, 237, 443, 459
  W32/Simile virus, 282
entry-point scanning, first-generation antivirus scanners, 435-436
enumeration
  network enumeration attacks, 393-394
  of network shares, 324-326
  processes, 517
environments of malicious code, 50-52
  archive format dependency, 100
  compiler and linker dependency, 108-109
  computer architecture dependency, 52-53
  CPU dependency, 53-54
  date and time dependency, 98
  debugger dependency, 106-108
  device translator layer dependency, 109-112
  embedded object insertion dependency, 112-113
  extension dependency, 101-102
  file format dependency, 59-66
  file system dependency, 56-59
  host size dependency, 105-106
  interpreted environment dependency, 66-98
  JIT dependency, 99-100
  multipartite viruses, 115-116
  network protocol dependency, 102
  operating system dependency, 55
  operating system version dependency, 55-56
  resource dependency, 104-105
  self-contained environment dependency, 113-115
  source code dependency, 102-104
  vulnerability dependency, 98
EPO viruses. See entry-point obscuring viruses (infection technique)
error detection and correction with Hamming code, 233
ESC sequences, reconfiguring, 90-91
Etap.D (virus), 53, 64
ETG (executable trash generator) engine, 280
Ethereal
  Linux/Slapper (worm), 601
  W32/Aliz@mm (worm) captures, 644
  W32/Blaster worm, 599
  W32/Sasser.D (worm), 603
ethics of using virus construction kits, 293
Etoh, Hiroaki, 548
European Institute for Computer Antivirus Research (EICAR), 672
Evol (virus). See W32/Evol (virus)
evolution
  macro viruses, 74-75
  virus code, 252-253
exact identification, 439-441
Excel viruses. See macro viruses
exception handlers, 232
  CodeRed worm, 400-401
exception-handler validation, 565-569
exceptions
  generating, 229
  structured exception handling, 243-244
EXE viruses, 60


Exebug (virus), 123
execode, macro viruses, 75-76
executable code-based attacks, 339
executable trash generator (ETG) engine, 280
executables, linking DLLs to, 168-171
executed images (Win32 viruses), 512-514
ExecuteOnly attribute (Novell NetWare), attacks via, 389-393
execution, random execution logic, 244-245
execution environments. See environments of malicious code
execve( ) function, 647
exploits. See also blended attacks; vulnerability dependency
  automated discovery, 578
  definition of, 33
  W32/Slammer (worm), 607-608
export table (PE files), 171-172
exporting functions, 171-172
extended access lists, 586
Extended Memory Specification (XMS), 198
extended tiny encryption algorithm (XTEA), 346
extension dependency, 101-102
extensions
  kernel-mode, 554-556
  subsystems, 554
extra disk sectors, formatting, 126-128

F
F-PROT (antivirus program), 195, 438, 441, 451
F1 key, Help file viruses, 89
false positives, signatures, 608
<family_name> (computer virus naming conventions), 40
FAT file systems, cluster viruses, 56-58
Father Christmas (worm), 79-80, 102
FC (File Compare), 622
Ferenc, Leitold, 673
Ferrie, Peter, 75, 154
File Compare tool, 645
file extension dependency, 101-102
file format dependency, 59-66
file formats, obfuscation, 233
file infection techniques. See infection techniques
File Monitor log, 635
file parsing attacks, 319-320
file stealth viruses, 207-208
file structure infection, Win32, 239
file system dependency, 56-59
file systems, filter drivers, 427
file viruses, hooking INT 21h (interrupt handler), 193-196
FileAlignment field (PE header), 165
files
  goat (natural infection testing), 637-638
  IDA command script (IDC), 631
  images, scanning, 517
  monitoring, 635-637
Filler (virus), 127, 198, 302
filter driver virus deactivation (memory scanning), 527-529
filtering
  algorithmic scanning methods, 443-444
  drivers, 427
  as process of computer virus analysis, 619-621
fingerd program, Morris worm attack against, 395
fingerprinting worm targets, 326-330
Finnpoly (virus), 53
firewalls, 588-589, 646
first-generation antivirus scanners, 428
  bookmarks, 433-434
  entry-point scanning, 435-436
  fixed-point scanning, 435-436
  generic detection, 432
  hashing, 432-433
  hyperfast disk access, 436
  mismatches, 432
  string scanning, 428-430


  top-and-tail scanning, 435
  wildcards, 430-431
first-generation buffer overflows, 369-371
first-generation Windows 95 viruses, 172-173
FitzGerald, Nick, 39
fixed-point scanning, first-generation antivirus scanners, 435-436
flags, suspicious combinations of, 471
Flash ActionScript viruses, 91
Flash BIOS viruses, 305-306
Flip (virus), somewhat destructive payload viruses, 300
flirt signatures, 628
flooders, definition of, 35
Ford, Richard, 74
Form (virus), infection technique, 128
format specifiers, 379
format string attacks, 378-384
formatting extra sectors, 126-128
formula macros, 77
FPU instructions, 242-243
fractionated cavity viruses (infection technique), 137-139, 177
Franvir. See W32/Franvir (virus)
Fredkin, Edward (self-replicating structures), 7-8
free( ) function, 647
FreeBSD/Scalper (worm), shellcode blocking, 558
Freitas, Robert A., Jr., 7
Frodo (virus)
  hook table, 205-206
  interrupt hooking, 193-195
  self-protection technique, 218
full-stealth viruses, 193, 205-206, 497
function call-hooking (infection technique), 151-152
function pointer overflows, 377-378
functions
  direct library invocation detection, 571-573
  execve( ), 647
  exporting, 171-172
  free( ), 647
  GetProcAddress( ), 522, 645
  KiUserExceptionDispatcher( ), 566
  LoadLibrary( ), 645
  malloc( ), 647
  NTDLL, 524
  NtOpenThread( ), 519
  Object Manager, 527
  OpenThread( ), 519
  run-time library (RTL), 545
  VirtualAlloc( ), 510
  VirtualProtectEx( ), 522
  Windows NT for kernel-mode memory scanning, 525
future worm attacks, 575-578

G
G2 (virus construction kit), 290
Game Maker (programming environment), 113
Game Maker Language (GML), 113-114
games. See nature-simulation games
Games with Computers (Csakany and Vajda), 11
Gaobot (worm). See W32/Gaobot.AJS (worm)
generic decryptors, 477
generic detection, first-generation antivirus scanners, 432
generic disinfection methods, 474-475
  generic decryptors, 477
  standard, 475-477
GenVir (virus construction kit), 289
geometric detection, 461-462
germs, definition of, 32-33
GetProcAddress( ) function, 522, 645
ghost positive, definition of, 207
Ghostball (virus), 115
Gigabyte (virus writer)
  Darkness virus, 88
  JIT-dependent viruses, 99
  Logic worm, 83-85


Ginger (virus), 198
  infection technique, 126
  self-protection technique, 248
“glider” starting structure (game of Life), 10
global offset table (GOT), 570
  page attributes, 574
GML (Game Maker Language), 113-114
goat files
  antigoat techniques (armored viruses), 247
  natural infection testing, 637-638
GoldBug (virus), 198
Good Times hoax, 37
GOT (global offset table), 570
  page attributes, 574
Gömb (virus), nondestructive payload viruses, 299
Green, Andy, 347
GriYo (virus writer), 27
  symbiosis project, 356
  W32/CTX and W32/Dengue viruses, 150
  W32/Parvo worm, 321
  W95/HPS and W95/Marburg viruses, 264
.<group_name> (computer virus naming conventions), 41
Gryaznov, Dmitry, 257, 619

H

hackers, 12
half-cooked repairs, definition of, 136
Hamming, Richard, 233
Hamming code, error detection and correction, 233
Happy99 (worm), 29, 62, 314, 350
  e-mail address harvesting, 322-323
  NNTP attacks, 338
  nondestructive payload viruses, 299
hard-coded API addresses, 172-173
hardware destroying viruses, 305-306
hardware-level stealth viruses, 208-209
Hare (virus)
  infection technique, 129
  self-protection technique, 255
harvesting e-mail addresses (worms), 319-324
hashing, first-generation antivirus scanners, 432-433
header, PE files, 162-165
header infection viruses (infection technique), 173
heap management, 384-385
heap overflows, 373-374
  compiler-level solutions, 546
  exploiting, 375-376
  Linux/Slapper worm, 401-407
heaps
  definition of, 373
  exception-handler validation, 568
Helenius, Marko, 663, 673
Help file viruses, 89
heuristic analysis
  of 32-bit Windows viruses, 467-472
  antiheuristics techniques (armored viruses), 234-242
  code emulation, 465-466
  using neural networks, 472-474
Heyne, Frank, 637
hidden window procedure (Win32 viruses), 512
HIEW tool, 621, 633, 639
High Memory Area (HMA), 198
high-interaction honeypot systems, 593
highly destructive payload viruses, 301-306
history
  antivirus programs, 27-28
  blended attacks, 367-368
  computer viruses, 17-18
  self-replicating systems, 4-16
  Win32 viruses, 157
hit list method. See IP addresses, scanning
hive, definition of, 93
HLP/Demo (virus), 89
HMA (High Memory Area), 198
hoaxes, definition of, 37
holes in memory, 197
Honeyd, 595


honeypot systems, 593-594
hook table for Frodo virus, 205-206
hooking
  API hooking (infection technique), 150-151
  function call-hooking (infection technique), 151-152
  IAT (import address table), 201-203
  interrupts, 188-196, 226
host application mutation (metamorphic viruses), 276-277
host file headers, encryption, 236
host size dependency, 105-106
host-based intrusion prevention techniques, 538-542
  buffer overflow attacks
    blocking, 543-544
    code reviews, 544
    compiler-level solutions, 545-552
    kernel-mode extensions, 554-556
    operating system-level solutions, 552-554
    program shepherding, 556
    subsystem extensions, 554
  script/SMTP blocking, 539-542
HTML files, WebTV worms, 86-87
HTML viruses, 97-98
HTML-based mail, 340
HybrisF (virus). See W32/HybrisF (virus)
HyperCard, HyperTalk viruses, 91-92
hyperfast disk access, first-generation antivirus scanners, 436
HyperTalk viruses, 91-92
Hypervisor (virus), 310
Hypponen, Mikko, 326, 349, 496

I

IAT (import address table), 161, 522
  hooking, 201-203
  page attributes, 574
  patches, 469
IBM Antivirus, mismatches, 432
IBM systems, REXX viruses, 78-79
ICA, harvesting e-mail addresses using, 322
ICMP (Internet control message protocol), 643
ICSA Labs, 672
IDA command script (IDC) files, 631
IDA disassemblers, 221, 428, 626-632
.idata section (PE files), 167
IDC (IDA command script) files, 631
IDEA (virus)
  nondestructive payload viruses, 299
  self-protection technique, 256
IDEA.6155 (virus), self-protection technique, 248
IDT, entering kernel mode on Windows 9x, 228-229
“Igor’s problem,” 74
IIS Web servers, W32/Nimda.A@mm worm, 414-415
ImageBase field (PE header), 164
images, scanning, 517
IMP (Core War warrior program), 14
Implant (virus), 264
import address table (IAT), 161, 522
  hooking, 201-203
  page attributes, 574
  patches, 469
import table (PE files), 168-171
import table-replacing (infection technique), 153
imports by ordinal, 240, 469
“in the wild” viruses, 26
in-memory injectors over networks, 215
in-memory residency strategies. See memory residency strategies
InCtrl tool, 637
indirection, layers of, 501
INETINFO.EXE process, 520
INF/Vxer (virus), 96
INF/Zox (virus), 102
infection propagator of worms, 315-316, 331
  backdoor-compromised systems, 331-332
  e-mail attachment inserters, 334
  e-mail attacks, 333-334


  instant messaging attacks, 333
  NNTP attacks, 338
  peer-to-peer network attacks, 332-333
  SMTP proxy-based attacks, 334-335
  SMTP-based attacks, 335-338
infection techniques
  Amoeba, 140
  appending viruses, 132-133, 174-175
  boot viruses, 122-129
  cavity viruses, 136-137
  classic parasitic viruses, 135-136
  code builders, 155-156
  companion viruses, 176
  compressing viruses, 139-140
  embedded decryptor, 141-142
  embedded decryptor and virus body, 142-143
  entry-point obscuring viruses, 145-155
  first-generation Windows 95 viruses, 172-173
  fractionated cavity viruses, 137-139, 177
  header infection viruses, 173
  KERNEL32.DLL infection, 175-176
  lfanew field modification, 178
  obfuscated tricky jump, 143-144
  overwriting viruses, 130-131
  PE (portable executable) file format, 160-172, 235
  prepending viruses, 133-135, 174
  random overwriting viruses, 131-132
  system loader comparison between Windows 95 and Windows NT, 181-183
  VxD-based viruses, 178-180
  W32/Simile virus, 284-285
  W95/Zmist virus, 278-280
  Win32 viruses, growth of, 181
infections
  goat files, 639
  natural testing, 637-638
<infective_length> (computer virus naming conventions), 41
Infis (virus). See {W2K, WNT}/Infis (virus)
information query class, 11, 527
INI file viruses, 97
initialization, W95/Zmist virus, 278
injected code detection, 557
  shellcode blocking, 558-562
injectors
  definition of, 34
  in-memory injectors over networks, 215
input validation attacks, 385
  MIME types, 387-388, 414-415
  URL encoding, 385-386
installation script viruses, 96
installing
  dedicated virus analysis systems, 612-615
  memory-resident viruses under DOS, 196-198
instant messaging viruses, 83, 333
Instant Virus Production Kit (IVP), 292
instruction tracing (infection technique), 153
INT 13h (interrupt handler), hooking, 188, 191-193
INT 21h (interrupt handler), hooking with file viruses, 193-196
integrity checker programs, 19
Intel, sysenter, 525
Intel Architecture Software Manuals, 615
intended debugger-dependent viruses, 108
intended viruses, 20
interactions between viruses, 354
  competition, 357-358
  cooperation, 354-357
  sexual reproduction, 359
  SWCP (simple worm communication protocol), 359
interactive disassembler (IDA), 428
intercept mode, 587
1nternal (virus writer)
  HTML viruses, 98
  installation script viruses, 96
Internet control message protocol (ICMP), 643
Internet Explorer, MIME types, 387-388
Internet Relay Chat (IRC) worms, 83, 333
interpreted environment dependency, 66-98


interrupt handlers, memory scanning for, 218
Interrupt Request Packets (IRPs), 529
Interrupt Spy tool, 392, 647
interrupt vector table (IVT), 188-189, 227
interrupts
  calling with INT 1 and INT 3, 228
  divide-by-zero exceptions, 229
  entering kernel mode on Windows 9x, 228-229
  generating exceptions, 229
  hooking, 188-196, 226
  in polymorphic decryptors, 246
  undocumented DOS interrupts (Int 21h/52h), 498
intrusion. See NIDS
Invader (virus), 26
invalidation, exception frame pointers, 568
IP addresses, scanning, 326-330
IRC (Internet Relay Chat) worms, 83, 333
IRPs (Interrupt Request Packets), 529
IsDebuggerPresent( ) API, 229
ISO images, infecting, 59
IVP (Instant Virus Production Kit), 292
IVT (interrupt vector table), 188-189, 227

J

jacky (virus writer), 85
Jacky Qwerty (virus writer), 27
  W32/Cabanas virus, 157
  W32/Redemption virus, 139
JellyScript, WebTV worms, 86-87
Jerusalem (virus), 136, 197, 497
Jiskefet. See OS2/Jiskefet (virus)
JIT dependency, 99-100
joke programs, definition of, 37
JPEG files, W32/Perrun virus, 116
JS/Kak (virus), 417
JS/Spida (worm), remote login-based attacks, 341
JScript viruses, 85
Junkie (virus), 115

K

Kaspersky, Eugene, 242, 349, 437-438, 447-448, 451
KAV (antivirus program), 438, 442
Kefi (virus writer), PHP/Feast virus, 88
Kelsey, John, 347
kernel mode
  debuggers, 648
  drivers, 503
  entering on Windows 9x, 228-229
  extensions, buffer overflow attacks (worms), 554-556
  viruses in, 212-215
kernel modification, W32/Bolzano virus, 415-417
KERNEL32.DLL
  checksum recalculation, 239
  hard-coded pointers to, 470
  imports, 469-470
  inconsistency, 471
  infection of, 175-176
kernels, memory scanning, 523
  64-bit platforms, 530-531
  classes of context, 526
  filter driver virus deactivation, 527-529
  read-only memory, 529
  upper 2G of address space, 527
  user address space of processes, 523
  Windows NT functions, 525
  Windows NT service API entry points, 524
key functions, reconfiguring, 90-91
keyboard, disabling, 231-232
keyloggers, definition of, 36
Khafir, Masouf, 264
Kinematic Self-Replicating Machines (Freitas and Merkle), 7
kits, definition of, 34
KiUserExceptionDispatcher( ) function, 566
knowledge bases, malicious code analysis techniques, 615-616
known plain-text attacks, 449


KOH (virus), 304
Krishna (virus), infection technique, 129
Krukov, Andrew, 75

L

L0phtCrack (password cracking program), 326
LADS (tool), 637
Langton, Christopher G., 6
language dependency of macro viruses, 71-72
large scale damage due to worms, 577
layers of indirection, 501
LE (linear executable) file format, 160
Leapfrog (virus), infection technique, 144
Lehigh (virus), 137, 198
Leitold, Ferenc, 662
Lexotan engine, 463
lfanew field modification (infection technique), 178
LFM (virus), 91
LIB viruses, 66
libraries
  direct function invocation detection, 571-573
  return-to-LIBC attacks, 569-573
Libsafe (subsystem extension), 554
Life (game), 8-12
life-cycle manager of worms, 316-317
linear executable (LE) file format, 160
linker dependency, 108-109
linking DLLs to executables, 168-171
links to Web sites or proxies, 339-340
Linux, ELF viruses, 64
Linux/ADM (worm)
  detailed description of, 397-398
  shellcode blocking, 558
Linux/Cheese (worm), 315, 318
Linux/Jac.8759 (virus), 64
Linux/Lion (antiworm), 318
Linux/Slapper (worm), 64, 98, 108, 315, 538, 543, 647
  blocking buffer overflow attacks, 548-549
  capturing, 600-602
  detailed description of, 401-407
  DoS attack, 308
  e-mail address harvesting, 323
  GOT and IAT page attributes, 574
  heap overflows, 376
  peer-to-peer network control, 352-354
  predefined class table for network scanning, 326-329
  shellcode blocking, 558
  shellcode-based attacks, 344
  worm blocking techniques, 557
Liston, Tom, 596
lists, router access, 585-587
Litchfield, David, 408, 559
LMF (lunar manufacturing facility), 7
LNK viruses, 94
loaded DLLs, disinfecting, 523
LoadLibrary( ) function, 645
:<locale_specifier> (computer virus naming conventions), 42
logging module, 592
logic bombs, definition of, 30
Logic worm, 83-85
Logo language, Super Logo viruses, 83-85
logs, File Monitor, 635
long loops, 247
Lorez. See W95/Lorez (virus)
Lotus 1-2-3 macro viruses, 96
Lotus Word Pro viruses, 94
LoveLetter. See VBS/LoveLetter.A@mm (worm)
low-interaction honeypot systems, 593
Lucifer (virus), infection technique, 128
Ludwig, Mark, 304
lunar manufacturing facility (LMF), 7
LWP/Spenty (virus), 94
LX viruses, 60-61

M

Ma, Albert, 13
MAC OS X shell scripts, 81
Machine field (PE header), 163


Macintosh platform
  MAC OS X shell scripts, 81
  resource-dependent viruses, 104-105
Macro Identification and Resemblance Analyzer (MIRA), 620
macro viruses, 66-69, 157
  corruption, 69-71
  evolution and devolution, 74-75
  formula macros, 77
  infecting user macros, 77
  language dependency, 71-72
  Lotus 1-2-3, 96
  Lotus Word Pro, 94
  multipartite infection strategy, 76
  naming conventions, 41
  platform dependency, 73-74
  source code, p-code, execode, 75-76
  up-conversion and down-conversion, 71
  XML, 77
Magic field (PE header), 164
Magistr (virus). See W32/Magistr (virus)
mailers
  definition of, 29
  naming conventions, 42
maintenance, virus collection, 661
malicious code analysis techniques, 612. See also computer viruses
  architecture guides, 615
  collection maintenance, 661
  dedicated system installation, 612-615
  Digital Immune System, 661-664
  disassemblers, 626-632
  dynamic analysis techniques, 634-655
  knowledge bases, 615-616
  process of, 618-624
  unpacking, 625
  Virus Analysis Toolkit (VAT), 656, 659
  VMWARE, 616-617
malloc( ) function, 647
malware. See computer viruses
<malware_type>:// (computer virus naming conventions), 40
management
  memory, 498-499
  Virtual Memory Manager, 503
MapInfo viruses, 88-89
MARS (Memory Array Redcode Simulator), 12
Martin, Edwin, 9
Marx, Andreas, 672
mass-mailer worms (@mm worms)
  definition of, 29
  naming conventions, 42
matching patterns, 628
mathematical model for computer viruses, 18
MBR (master boot record), 122, 301
  infection techniques, 124-126
McAfee SCAN (antivirus program), 248
MCB (memory control block), 197-198
MDEF viruses, 105
Memorial. See W95/Memorial (virus)
memory
  buffer overflow attacks. See buffer overflow attacks
  dirty memory pages, 455
  dynamically allocated memory. See heaps
  management, 499
  read-only kernel, 529
  video memory, checking, 232
  VMM memory area, 471
Memory Array Redcode Simulator (MARS), 12
memory control block (MCB), 197-198
Memory Manager, paging, 515-517
memory residency strategies. See also memory-resident viruses
  direct-action viruses, 186
  in-memory injectors over networks, 215
  kernel mode, viruses in, 212-215
  processes, viruses in, 211-212
  swapping viruses, 211
  temporary memory-resident viruses, 210-211
memory scanning, 497-498
  attacks, 532-533
  detecting debuggers, 230


  disinfection, 517-523
  for interrupt handler, 218
  in kernel mode. See kernels, memory scanning
  paging, 515-517
  in user mode. See user mode, memory scanning
  Windows NT virtual memory system, 499-505
memory-resident viruses, 186-187
  disk cache and system buffer viruses, 209-210
  installation under DOS, 196-198
  interrupt hooking, 188-196
  self-detection techniques, 198-199
  stealth viruses, 199-209
Mental Driller (virus writer), 27
  W32/Simile virus, 281
  W32/Simile.D virus, 53
  W95/Drill virus, 224
Merkle, Ralph C., 7
Merry Xmas (virus), 92
metamorphic virus detection, 461
  code emulation, 463-466
  disassembling techniques, 462-463
  geometric detection, 461-462
metamorphic viruses, 20, 269-270
  complex permutation techniques, 273-275
  host application mutation, 276-277
  MSIL metamorphic viruses, 286-288
  simple permutation techniques, 270-272
  W32/Simile virus, 281-286
  W95/Zmist virus, 277-281
metamorphic worms, 576-577
MetaPHOR (virus engine), 281
MICE (Core War warrior program), 13
Michelangelo (virus), 301
Microsoft .NET. See .NET
Microsoft IIS servers, W32/Nimda.A@mm worm, 414-415
Microsoft Security Bulletin MS03-007, 545
Microsoft SQL Server 2000
  exploits, blocking, 559-560
  W32/Slammer worm, 407
Microsoft Visual .NET 2003 (7.0 & 7.1), 549-552
Microsoft Xbox, security vulnerabilities, 347
MIME types, 387-388
  W32/Badtrans.B@mm worm, 414
  W32/Nimda.A@mm worm, 414-415
MIRA (Macro Identification and Resemblance Analyzer), 620
mIRC, instant messaging viruses, 83
mismatches, first-generation antivirus scanners, 432
Mistfall engine, 278
mitigation, return-to-LIBC attacks, 569-573
mixed techniques. See blended attacks
MMX instructions, 243
mobile phones, worms on, 359-361
modeling virus infections, 11-12
  mathematical model, 18
modification to files (tracking), 635-637
<modifiers> (computer virus naming conventions), 41
modules
  altering, 592
  logging, 592
Mole virus. See W32/IKX (virus)
monitoring
  files, 635-637
  malicious code, 634-655
  ports, 641
  processes, 641
  registries, 640
  threads, 641
Monxla (virus), 211
Morris (worm), 32, 315, 318, 538, 543
  avoiding buffer overflow attacks, 413, 547
  copycat Linux/ADM worm, 397-398
  detailed description of, 395-397
  history of blended attacks, 367-368


  shellcode blocking, 558
  weak passwords, 324
Morris, Robert, Sr. (Core War), 12
Mosquitos game, logic bomb in, 30
MPB/Kynel (virus), 88
Mr. Sandman (virus writer), 349
  Anti-AVP virus, 248
MSAV (antivirus program), 247
MSIL metamorphic viruses, 286-288
MSIL/Gastropod (virus), 99
  self-protection technique, 269, 286-288
MSIL/Impanate (virus), 100, 288
MtE (mutation engine), 262-264
  static decryptor detection, 446
multipartite infection strategy, macro viruses, 76
multipartite viruses, 115-116
multiple PE headers, 469
multiple virus sections, 235-236
multiple-fork support (NTFS), 58
multithreaded viruses, 246
Murkry (virus writer), 27, 242
  infection technique, 138
mutation engine (MtE), 262-264
  static decryptor detection, 446
mutation. See corruption
Muttik, Igor, 74-75
  metamorphic viruses, 269
MX queries and SMTP-based worm attacks, 338
Mydoom (virus). See W32/Mydoom (worm)
Myname. See OS2/Myname (virus)

N

naming conventions
  computer viruses, 38-39
    @m, 42
    @mm, 42
    [<devolution>], 41
    <family_name>, 40
    .<group_name>, 41
    <infective_length>, 41
    :<locale_specifier>, 42
    <malware_type>://, 40
    <modifiers>, 41
    #<packer>, 42
    <platform>/, 40-46
    <variant>, 41
    !<vendor-specific_comment>, 42
native viruses, 63-64
native Windows NT viruses, 496, 512
natural infection testing, 637-638
natural infections, 600
nature-simulation games, 5
  Core War, 12-16
  Edward Fredkin structures, 7-8
  game of Life (Conway), 8-12
  John von Neumann theory, 5-7
Navrhar (virus). See W95/Navrhar (virus)
NC (NetCat) tool, 593, 642
NCAs (Nexus Agents), 534
NE viruses, 60
nearly-exact identification, 437-438
NEAT (WebTV worm), 86
Neat (worm), 911 attacks, 308
Nebbett, Gary, 616
Needham, Roger, 346
.NET
  JIT-dependent viruses, 99-100
  W32/Donut virus, 143-145
NET$DOS.SYS file, boot viruses in, 129
NetCat (NC) tool, 593, 642
network enumeration attacks, 393-394
network injectors, definition of, 34
network intrusion detection system (NIDS), 584, 591-592
network protocol dependency, 102
network scanning, 326-330
network share enumeration attacks, 324-326
network-level defense strategies, 584
  counterattacks, 596
  early warning systems, 598
  firewalls, 588-589
  honeypot systems, 593-594


  network intrusion detection system (NIDS), 584, 591-592
  router access lists, 585-587
  worm behavior patterns, 598-608
networks
  boot viruses, 129
  in-memory injectors over networks, 215
  peer-to-peer network attacks, 332-333, 352-354
  ports, monitoring, 641
  traffic, capturing, 643
neural networks, heuristic analysis using, 472-474
Nexiv_Der (virus), 146-147, 153
Nexus Agents (NCAs), 534
NGSCB (Next Generation Secure Computing Base), 534
NGVCK (Next Generation Virus Creation Kit), 291
NIDS (network intrusion detection system), 584, 591-592
Nimda. See W32/Nimda (worm)
NNTP attacks, worm infections, 338
NNTP-based e-mail address collection, 320-321
no-payload viruses, 296-297
NoKernel (virus), 219
non-TSR viruses, 497
nondestructive payload viruses, 297-300
nonexecutable (NX) pages, 534, 579
nonlinear decryption, 256
nonstateful firewalls, 588
normal COM, definition of, 132
Norton AntiVirus (antivirus program), 442
Norton, Peter (Programmer’s Guide to the IBM PC), 25
NOTEPAD.EXE
  STR streams, 636
  W32/Parvo (virus) inside, 511
Novell NetWare ExecuteOnly attribute, attacks via, 389-393
Nowhere Man (virus construction kit writer), 289
NTDLL functions, 524
NTFS file systems
  compression viruses, 59
  stream viruses, 58-59
NtOpenThread( ) function, 519
NtQueryInformationThread( ) API, 519
NtQuerySystemInformation( ) (NtQSI), 506-507
NtQueryVirtualMemory( ) API, 524
NumberOfSections field (PE header), 164
Number_Of_The_Beast (virus), 193, 207
NX (nonexecutable) pages, 534, 579

O

obfuscated code, 222-224
obfuscated entry points, 233
obfuscated file formats, 233
obfuscated tricky jump (infection technique), 143-144
object code viruses, 66
Object Manager functions, 527
objects (network enumeration), 394
octopus (worm), definition of, 29
off-by-one buffer overflows, 371-373
OLE2 files, macro viruses, 67-68
oligomorphic viruses, 259-260
Olivia (virus), infection technique, 145-146
OllyDBG tool, 648
Omud (virus), infection technique, 132
on-access antivirus scanners, 426. See also scanners
on-demand antivirus scanners, 426. See also scanners
One_Half (virus), 277, 304
  infection technique, 141
opcode mixing-based code confusion, 223-224
OpenSSL, vulnerabilities in, 401
OpenThread( ) function, 519
operating system dependency, 55


operating system version dependency, 55-56
operating systems, buffer overflow attacks (worms), 552-554. See also names of specific operating systems
ordinal-based imports, 240, 469
original boot sector, 128-129
OS/2
  LX viruses, 60-61
  NE viruses, 60
OS2/Jiskefet (virus), 61
OS2/Myname (virus), 60
outbreak statistics (worm), 670
outgoing e-mail messages, harvesting e-mail addresses using, 322-323
overflows. See buffer overflow attacks
Overmars, Mark, 113
overwriting viruses (infection technique), 130-131, 301-302

P

p-code, macro viruses, 75-76
packed code sections, 237
#<packer> (computer virus naming conventions), 42
packers. See compression
packets, decoders, 591
PAE (Physical Address Extension), 500
page directories (memory), 500
page directory entries (PDEs), 500
page frames (memory), 500
page table entry (PTE), 555
page tables (memory), 500
PAGE_READONLY access, 522
paging, memory scanning and, 515-517
Palm platform, resource-dependent viruses, 105
Palm/Phage (virus), 105
parasitic viruses. See classic parasitic viruses (infection technique)
parsing files for e-mail addresses, 319-320
partition table (PT) entries, 122
  changing, 125-126
partitions, definition of, 122
password cracking, Morris worm, 367
password handling, vulnerabilities, 324
password protection, 249
password-capturing attacks, 325
  definition of, 32
passwords, security problems, 324-326
Pasteur (antivirus program), 26, 436
patching
  code in active pages, 522
  import address table (IAT), 469
Pathogen (virus), X-RAY scanning, 448
patterns
  of computer viruses, 630
  matching, 628
  worm behavior, 598-608
PaX (kernel mode extension), 554-556
payload activation
  accidentally destructive payload viruses, 297
  highly destructive payload viruses, 301-306
  no-payload viruses, 296-297
  nondestructive payload viruses, 297-300
  somewhat destructive payload viruses, 300-301
  types of, 296
  W32/Simile virus, 285-286
  of worms, 318
PDEs (page directory entries), 500
PDF viruses, 90
PDF/Yourde (virus), 90
PE (portable executable) file format, 158-160, 513
  entry points, 468
  infection by W95/Zmist virus, 279-280
  infection techniques, 160-172, 235
  Windows CE, 110
PE header
  avoiding infection, 240
  code section sizes, 241
  infection, 469


  multiple headers, 469
  SizeOfCode field, 471
  virtual size, 468
PE viruses, 61-64
PEDUMP, 622, 645
PeElf (virus). See {W32, Linux}/Peelf (virus)
peer-to-peer network attacks, worm infections, 332-333, 352-354
  Linux/Slapper worm, 406-407
PEID tools, 626
Pentium II processors, sysenter, 525
Perl viruses, 86
permutation
  complex permutation techniques (metamorphic viruses), 273-275
  simple permutation techniques (metamorphic viruses), 270-272
  W95/Zmist virus, 279
Perriot, Frederic, 282, 317, 647
personal firewalls. See firewalls
Phager (virus), 101
Phalcon-Skism Mass Produced Code Generator (PS-MPC), 290
phishing attacks, 308-309
  definition of, 35
phones, wireless mobile worms, 359-361
PHP viruses, 88
PHP/Caracula (virus), 88
PHP/Feast (virus), 88
Physical Address Extension (PAE), 500
Pietrek, Matt, 616
PIF viruses, 94
Pile, Christopher (virus writer), 448
Ping Pong (virus), 54
pings, W32/Welchia (worm), 605
<platform>/ (computer virus naming conventions), 40
  list of officially recognized names, 42-46
platform dependency of macro viruses, 73-74
platform support for Win32, 158-160
Playgame (virus), nondestructive payload viruses, 299
Ply (virus), self-protection technique, 253
Pobresito (virus), 92
Polimer.512.A (virus), 134
polymorphic decryptors
  interrupts in, 246
  W32/Simile virus, 282-283
polymorphic viruses, 261
  32-bit polymorphic viruses, 264-268
  1260 virus, 261-262
  macro viruses, 76
  MtE (mutation engine), 262-264
  PHP viruses, 88
polymorphic worms, 576-577
polymorphism, virus detection, 455-458
Popp, Joseph, 31
port 80 (HTTP), NetCat, 594
port I/O, disk access, 219
portable executable. See PE (portable executable) file format
ports, monitoring, 641
PPE (Prizzy polymorphic engine), 243
predefined class table (network scanning), 326-329
prefetch-queue attacks, 230-231
prepending viruses (infection technique), 133-135, 174, 236
preprocessors, network intrusion detection system (NIDS), 591
printers, targeted by worms, 324
private pages, Win32 viruses that allocate, 510
Prizzy (virus writer), W32/Crypto virus, 257
Prizzy polymorphic engine (PPE), 243
process address space randomization, 570
processes
  computer virus analysis, 618-624
  context (memory scanning), 526
  enumerating, 517
  memory scanning, 507-508
  monitoring, 641
  terminating, 518


  user address space of (scanning), 523
  viruses in, 211-212
PROCESS_TERMINATE access, 518
PROCESS_VM_OPERATION access, 522
profiles, tracking decryptors, 454
program shepherding, buffer overflow attacks (worms), 556
Programmer’s Guide to the IBM PC (Norton), 25
propagation (worms). See code propagation techniques (worms)
ProPolice, 548-549
Provos, Niels, 595
proxy firewalls, 588
PS-MPC (Phalcon-Skism Mass-Produced Code Generator), 290
PSD (virus), 621
pseudo-decryption loops, 460
PSMPC generators, 34
PT (partition table) entries, 122
  changing, 125-126
PTE (page table entry), 555
Python viruses, 87

Q

Q the misanthrope (virus writer)
  BAT/Ramble virus dropper, 96
  GoldBug virus, 198
  memory allocation techniques, 198
Qark (virus writer), 306
QAZ (virus), 309
Qpa (virus), infection technique, 136
Quantum (virus writer), 27, 61
Queeg (virus), X-RAY scanning, 448-450
quick examinations, process of computer virus analysis, 619

R

rabbit (worm), definition of, 29
Radai, Yisrael, 302
Raiu, Costin, 75
Rajaat (virus writer), 78
Ralf Brown Interrupt List, 190
Ramble (virus), 96
Ramdhani, Denny Yanuar (virus writer), 127
Ramen (worm), 315
random decryption algorithm (RDA) viruses, 237, 245, 256
random entry points in code section, 237-238
random execution logic, 244-245
random overwriting viruses (infection technique), 131-132
randomization, process address space, 570
randomized network scanning, 329-330
Raptor (firewall), 590
Ratter (virus writer)
  W32/Kick virus, 65
  WinCE/Duts.1520 virus, 109
RDA (random decryption algorithm) viruses, 237, 245, 256
RDA.Fighter (virus), 256
RDTSC instruction, 283
read stealth viruses, 203-205
read-only kernel memory, 529
ReadProcessMemory( ) API, 505-506
real permutating engine (RPME), 274
Reaper (antivirus program), 17
recalculating checksum, 239
reconfiguring key functions, 90-91
recycling compiler alignment areas, 238
Redcode language, 12-15
refiltering drivers (DeactivatorDriver), 529
registries, monitoring, 640
Registry keys
  detecting debuggers, 229
  macro viruses, 74
Registry-dependent viruses, 93-94
Regmon tool, 640
regular disinfection methods, 474-477
relative virtual address (RVA), 161
.reloc section (PE files), 167
relocation cavity viruses (infection technique), 137
remote control of worms, 316, 351-352
  peer-to-peer network control, 352-354


remote login-based attacks, 341
RemoteExplorer virus. See WNT/RemEx (virus)
renaming sections, 239
replication. See self-replicating systems; worm blocking techniques
Repus. See W95/Repus (virus)
requests
  Address Resolution Protocol (ARP), 595
  pings, capturing W32/Welchia (worm), 605
research honeypots, 596
research papers (virus), 670
resident viruses. See memory-resident viruses
resource dependency, 104-105
resources, early warning/up-to-date security information, 669
retroviruses, 11, 247-249, 300
retroworms, 576
return-to-LIBC attacks, 543, 569-573
reviving dead virus code, 127
REXX viruses, 78-79
Riordan, Roger, 433
Ripper (virus), 303
Ritchie, Dennis (Core War), 12
rootkits, definition of, 36
routers, access lists, 585-587
Rowe, Mark, 360
roy g biv (virus writer), 27
  Ginger virus, 198
  MSIL/Impanate virus, 100, 288
  W32/Chiton virus, 63, 154
  W64/Rugrat.3344 virus, 62
RPME (real permutating engine), 274
.rsrc section (PE files), 167
RT Fishel (virus writer), Ginger virus, 198
RTL (run-time library) functions, 545
Rugrat. See W64/Rugrat.3344 (virus)
run-time code injection attacks. See code injection attacks
run-time library (RTL) functions, 545
run-time packers, 625
Russel, Ryan, 594
RVA (relative virtual address), 161

S

Sadmind (worm), 315
safe-for-scripting ActiveX controls, 388-389
  VBS/BubbleBoy worm, 417-418
  W32/Blebla worm, 418-419
Sandman (virus writer), 27, 299
SAP, ABAP viruses, 89
saving
  files locally, W32/Blebla worm, 418-419
  original boot sector at end of disk, 128-129
SC Magazine, 672
scanners, 252
  algorithmic scanning methods, 441-443
    filtering, 443-444
    static decryptor detection, 444-446
    X-RAY method, 446-451
  code emulation, 451-454
    dynamic decryptor detection, 459-461
    encrypted/polymorphic virus detection, 455-458
  disinfection methods, 474-475
    generic decryptors, 477
    standard, 475-477
  first-generation antivirus, 428
    bookmarks, 433-434
    entry-point scanning, 435-436
    fixed-point scanning, 435-436
    generic detection, 432
    hashing, 432-433
    hyperfast disk access, 436
    mismatches, 432
    string scanning, 428-430
    top-and-tail scanning, 435
    wildcards, 430-431
  heuristic analysis
    of 32-bit Windows viruses, 467-472
    using neural networks, 472-474


    second-generation antivirus, 437
        exact identification, 439-441
        nearly-exact identification, 437-438
        skeleton detection, 437
        smart scanning, 437
scanning
    file images, 517
    IP addresses, 326-330
    memory. See memory scanning
SCANPROC.EXE, 515
Schneier, Bruce, 347
science versus art, 4
script viruses, REXX viruses, 78-79
scripts, blocking, 539-542
search engines, harvesting e-mail addresses using, 321
searching VOOGLE, 621
second-generation antivirus scanners, 437
    exact identification, 439-441
    nearly-exact identification, 437-438
    skeleton detection, 437
    smart scanning, 437
second-generation buffer overflows, 371-378
    definition of, 369
section table (PE files), 165-168
SectionAlignment field (PE header), 165
sections
    code sections
        naming, 469
        sizes in header, 241
    gaps between, 468
    packed code sections, 237
    PE files, 161
    random entry points, 237-238
    renaming, 239
    shifting, 236
    slack area infections, 236
    suspicious characteristics, 468
    writeable flag, 238
sector-level stealth viruses, 207-208
sectors
    formatting extra, 126-128
    marking as BAD, 128
security
    exploits. See blended attacks
    information of, 669
    updates, 669
        buffer overflow attacks (worms), 544-545
security_cookie values, 550
seeding, definition of, 34
SEH (structured exception handling), 243-244, 565
self-contained environment dependency, 113-115
self-detection techniques, memory-resident viruses, 198-199
self-modifying code. See obfuscated code
self-protection techniques (of viruses)
    armored viruses. See armored viruses
    encrypted viruses, 253-258
    metamorphic viruses. See metamorphic viruses
    oligomorphic viruses, 259-260
    polymorphic viruses, 261-268
    retroviruses, 247-249
    tunneling viruses, 218-220
    virus construction kits, 288-293
self-replicating systems, history of, 4
    Core War, 12-16
    Edward Fredkin structures, 7-8
    game of Life (Conway), 8-12
    John von Neumann theory, 5-7
self-sending code blocking, 563-565
self-tracking of worms, 318
semistealth viruses, 200-203
sending, self-sending code blocking, 563-565
sendmail, Morris worm, 367
service viruses, native Windows NT, 512
SETI, use by computer worms, 318
sexual reproduction of viruses, 359
SH/Renepo.A (worm), 81
shape heuristic, 461
share-level password vulnerability, 324
sharepoints (network enumeration), 394


shell scripts, 80-81
shellcode, blocking, 558-562
shellcode-based attacks, 342-344, 543
Shifter (virus), 66
shifting sections, 236
Shockwave Rider (Brunner), 29
“Shooter” starting structure (game of Life), 9-10
Short Message Service (SMS), 30
Sieben, Nándor, 13
signatures, 608
    flirt, 628
Simile virus. See {W32, Linux}/Simile (virus)
Simile.D (virus). See {W32, Linux}/Simile.D (virus)
simple worm communication protocol (SWCP), 359
Simulated “Metamorphic” Encryption Generator (SMEG), 448
simulations of nature. See nature-simulation games
single-layer classifiers with thresholds, 473
single-stepping, detecting, 227
Sircam (worm)
    e-mail address harvesting, 320
    SMTP-based attacks, 335
SizeOfCode field (PE header), 164, 471
SizeOfImage field (PE header), 165, 468
skeleton detection, 437
Skrenta, Rich (Elk Cloner virus), 17
Skulason, Fridrik, 39, 115, 438
slack area infections, 236
Slammer (worm). See W32/Slammer (worm)
Slapper (worm). See Linux/Slapper (worm)
Sma. See W95/Sma (virus)
smart scanning, 437
SMEG (Simulated “Metamorphic” Encryption Generator), 448-450
SMS (Short Message Service), 30
SMTP, blocking, 539-542
SMTP proxy-based attacks, worm infections, 334-335
SMTP spam relay, use by computer worms, 318
SMTP-based attacks, worm infections, 335-338, 643
SnakeByte (virus writer)
    NGVCK (virus construction kit), 291
    Perl viruses, 86
sniffing traffic, 643
SoftIce Debugger (antivirus program), 527
SoftICE tool, 648
Solaris on SPARC, 553-554
Solaris/Sadmind (virus), 98, 543
Solomon, Alan, 37, 39, 200, 293
somewhat destructive payload viruses, 300-301
source code, macro viruses, 75-76
source code dependency, 102-104
source spoofing, 587
Sourcer (disassembler), 221
SP (stack pointer), decryption with, 230
spammer programs, definition of, 35
Spanska (virus writer), 27, 350
    Happy99 worm, 62
    IDEA viruses, 256, 299
    self-protection technique, 245, 248
spoofing source, 587
spyware, definition of, 38
SQL Server 2000, W32/Slammer worm, 407
ssnetlib.dll, W32/Slammer worm, 408
stack buffer overflows, 369-370
    causes of, 371
    CodeRed worm, 398-401
    exploiting, 370
    Linux/ADM worm, 397-398
    Morris worm, 395-397
    W32/Blaster worm, 410-413
    W32/Slammer worm, 407-410
stack pointer (SP), decryption with, 230
stack smashing, 546


stack state, checking, 227
stack-based overflow attacks, compiler-level solutions, 546
StackGuard, 546-548
stacks
    definition of, 91
    exception-handler validation, 568
    return-to-LIBC attacks, 569-573
standard access lists, 586
standard disinfection, 475-477
Starship (virus), 126, 198
stateful firewall solutions, 588
static decryptor detection, algorithmic scanning methods, 444-446
static heuristics, 234
stealing data. See data stealing viruses
stealth viruses, 199-200
    cluster and sector-level stealth viruses, 207-208
    full-stealth viruses, 205-206
    hardware-level stealth viruses, 208-209
    read stealth viruses, 203-205
    semistealth viruses, 200-203
Stoll, Clifford, 593
Stoned (virus), 24-25
    accidentally destructive payload viruses, 297
    bookmarks, 433
    exact identification, 439-440
    infection technique, 124-126
    interrupt hooking, 192-193
    nearly exact identification, 437
    string scanning, 429-430
stopping break points, 454
Stormbringer (virus writer), Shifter virus, 66
Strack, Stefan, 13
Strange (virus), 208
stream viruses, file system dependency, 58-59
Strike (virus), infection technique, 128
string scanning, 428-430
strings
    API strings, 241-242
    dumps, 623-624
    mismatches, first-generation antivirus scanners, 432
    wildcards, first-generation antivirus scanners, 430-431
structured exception handling (SEH), 243-244, 565
structures, self-replicating, 7-8
Struss, J. (virus construction kit writer), 289
Stupid (virus), 196
submissions, worm-blocking, 541
subsystems
    extensions, buffer overflow attacks (worms), 554
    Win32 viruses, 508-511
super fast infectors, 56
Super Logo viruses, 83-85
Suslikov, Eugene, 633
swapping viruses, 211
SWCP (simple worm communication protocol), 359
Symantec Security Response, 540
Symboot, 619
SymbOS/Cabir (worm), 359-361
sysenter, 525
system buffer viruses, 209-210
system call tracing, 647-648
System File Checker feature (Windows 2000/XP), 417
system loader, Windows 95 versus Windows NT, 181-183
system modification attacks, 389
    Novell NetWare ExecuteOnly attribute, 389-393
    W32/Bolzano virus, 415-417
system rights, memory scanning, 507-508


T
target locator of worms, 315, 319
    e-mail address harvesting, 319-324
    IP address scanning, 326-330
    network share enumeration, 324-326
TBCLEAN (antivirus program), 248
TBSCAN (antivirus program), 433, 436, 447
TCL viruses, 87-88
TCP (virus writer), 248
TCP-based attacks versus UDP-based attacks, 539
TechnoRat (virus writer), 255
temporary memory-resident viruses, 210-211
Tentacle_II. See W16/Tentacle_II (virus)
Tequila (virus), 26, 115
    infection technique, 126
    self-protection technique, 248, 257
    X-RAY scanning, 447
Terminate-and-Stay-Resident (TSR) programs, 187
TerminateProcess( ) API, 518
termination
    processes, 518
    threads, 518-521
testers, antivirus software, 672
testing
    black-box, 634
    natural infection, 637-638
.text section (PE files), 167
third-generation buffer overflows, 378-394
    definition of, 369
Thompson, Ken, 104
Thompson, Roger, 594
thread information block (TIB), 232, 565
thread local storage (TLS) data directory, 154
threads
    monitoring, 641
    terminating, 518-521
    W32/Niko.5178 (virus), 514
THREAD_TERMINATE access, 519-520
TIB (thread information block), 232, 565
tiny viruses, definition of, 130
TLBs (translation look-aside buffers), 555
TLS (thread local storage) data directory, 154
TLSDEMO program, 154
top-and-tail scanning, first-generation antivirus scanners, 435
TPE (Trident Polymorphic Engine), 264
Töltögetö (virus), 127, 302
tracing
    code emulation-based tunneling, 219
    with debug interfaces, 219
    system calls, 647-648
tracking
    active instructions, 454
    decryptors, 454
    malicious code, 634-655
traffic, sniffing, 643
translation of virtual addresses, 500
translation look-aside buffers (TLBs), 555
trapdoors. See backdoors
Tremor (virus), 198, 497
Trident Polymorphic Engine (TPE), 264
triggers, definition of, 133
Trivial (virus), infection technique, 130
Trojan horses
    definition of, 31-32
    source code Trojans, 104
troubleshooting
    connections, worm blocking techniques, 574-575
    debugging, 648-655
TruSecure Corporation, 672
TSR (Terminate-and-Stay-Resident) programs, 187
tunneling viruses, 218
    code emulation, 219
    disk access with port I/O, 219
    memory scanning for interrupt handler, 218
    tracing with debug interfaces, 219
    undocumented functions, 219-220
Turbo Debugger, 229, 649
Turing Machine, 5


U
UDP-based attacks versus TCP-based attacks, 539
Ulam, Stanislaw, 6
UMB (upper memory block), 198
undocumented CPU instructions, 245
undocumented functions, virus self-protection techniques, 219-220
Unicode strings. See strings
University of Hamburg’s Virus Test Center (VTC), 672
University of Magdeburg, 672
UNIX
    ELF viruses, 64-65
    shell scripts, 80-81
    shellcode blocking, 558-562
unknown entry points (infection technique), 154-155
unpacking, malicious code analysis techniques, 625
up-conversion of macro viruses, 71
update interface of worms, 316, 345-346
    authenticated updates, 346-351
    backdoor-based updates, 351
updates, security, 669
    buffer overflow attacks (worms), 544-545
upper 2G of address space (memory scanning), 527
upper memory block (UMB), 198
UPX (run-time packer), 625
URL encoding, 385-386
user address space of processes, scanning, 523
user macros, infecting, 77
user mode
    debuggers, 648
    memory scanning in, 505-506
        executed images (Win32 viruses), 512-514
        hidden window procedure (Win32 viruses), 512
        native Windows NT service viruses, 512
        NtQuerySystemInformation( ) (NtQSI), 506-507
        processes/rights, 507-508
        Win32 viruses, 508-511
    viruses in processes, 211-212
user mode rootkits, definition of, 31, 36
UTF-8 encoding, 385-386

V
V.T. (virus writer), Darth_Vader virus, 197
V2Px (virus), self-protection technique, 226
Vacsina (virus), 26, 132
Vajda, Ferenc, 11
validation
    application rights verification, 388
    exception-handler, 565-569
    input validation attacks, 385-388, 414-415
ValleZ (virus writer), W32/Zelly virus, 255
vampire attacks, 358
vampire warriors (Core War game), 16
van Wyk, Ken, 137
<variant> (computer virus naming conventions), 41
Varicella (virus), self-protection technique, 248
VAT (Virus Analysis Toolkit), 613, 656-659
VAX/VMS systems, DCL viruses, 79-80
VBA document macros, 112-113
VBS/Bubbleboy (worm)
    detailed description of, 417-418
    HTML-based mail, 340
    safe-for-scripting ActiveX controls, 389
VBS/LoveLetter.A@mm (worm), 29, 81, 314, 538
    infection technique, 130
    script blocking, 539
VBS/VBSWG.J (Anna Kournikova virus), 35. See also Anna Kournikova virus
VBScript viruses, 81-82
VCL (Virus Creation Laboratory), 34, 289-290


VCL.428 (virus), 186
VCS (Virus Construction Set), 289
Vecna (virus writer), 27
    W32/Borm worm, 332
    W32/Coke virus, 255
    W32/HybrisF virus, 139, 248
    W95/Fabi virus, 107
    W95/Regswap virus, 270
Veldman, Frans, 264, 433, 447
Velvet (virus), self-protection technique, 229
!<vendor-specific_comment> (computer virus naming conventions), 42
vendors, antivirus software (contact information), 670
VET (antivirus program), 433
VGrep, 619
video memory, checking, 232
Vienna (virus), 26, 132, 186, 200
VIM viruses, 87
Virdem (virus), 59, 135, 186
VIRKILL (antivirus program), 436
VIROCRK (decryption tool), 451
virtual address spaces, 501-505
virtual addresses, translation of, 500
virtual debuggers, 649
virtual machine manager (VMM), 179, 471
virtual machines, 451-458, 465
Virtual Memory Manager, 503
virtual memory systems (Windows NT), 499-505
VirtualAlloc( ) function, 510
VirtualProtectEx( ) function, 522
VirtualQueryEx( ) API, 524
VirtualRoot (Trojan horse), 310
Virus Analysis Toolkit (VAT), 656, 659
Virus Bulletin Web site, 672
virus construction kits, 288
    ethics of using, 293
    GenVir, 289
    list of, 291-292
    NGVCK, 291
    PS-MPC, 290
    VCL (Virus Creation Laboratory), 34, 289-290
    VCS (Virus Construction Set), 289
Virus Construction Set (VCS), 289
Virus Creation Laboratory (VCL), 34, 289-290
virus generators, definition of, 34
Virus Patrol (antivirus service), 320
virus research
    art versus science, 4
    author’s start in, 24-26
    common patterns, 26-27
Virus Research Unit of the University of Tampere in Finland, 673
virus throttling, 575
viruses
    antivirus defense techniques, 426-427
    code evolution, 252-253
    definition of, 18-20, 28
    history of, 17-18
    interactions, 354
        competition, 357-358
        cooperation, 354-357
        sexual reproduction, 359
        SWCP (simple worm communication protocol), 359
    modeling virus infections, 11-12
    naming conventions, 38-39
        [<devolution>], 41
        <family_name>, 40
        .<group_name>, 41
        <infective_length>, 41
        :<locale_specifier>, 42
        <malware_type>://, 40
        <modifiers>, 41
        #<packer>, 42
        <platform>/, 40-46
        <variant>, 41
        @m, 42
        @mm, 42
        !<vendor-specific_comment>, 42
    retro viruses, 11
    terminology, 28-36
    versus worms, 314


Visual .NET 2003 (Microsoft), 549-552
VLAD (virus writer), 53
    W95/Boza virus, 61
VM. See virtual machines
VMM (virtual machine manager), 179, 471
VMWARE, 613-617, 642
von Neumann, John, 4-7
von Neumann, Nicholas, 5
VOOGLE, 621
VPN (virtual private network). See network-level defense strategies
VTC (University of Hamburg’s Virus Test Center), 672
vulnerability dependency, 98. See also blended attacks
VxD-based viruses (infection technique), 65, 178-180
VxDs, LE (linear executable) file format, 160
Vyssotsky, Victor (Core War), 12

W
W2K/Installer (virus), 137
{W2K, WNT}/Infis (virus), 65, 213-215
W16/Tentacle_II (virus), 60, 147-150
W16/Winvir (virus), 60
W32/Aldebera (virus), 139
W32/Aliz (worm), 337, 643
W32/Aplore (worm), 340
W32/Apparition (virus), 269
W32/Badtrans.B@mm (worm), 414
W32/Beagle (worm), 100
    backdoor-based updates, 351
    cooperation with viruses, 356
    self-protection technique, 249, 258
W32/Beagle.T (worm), 340
W32/Blaster (worm), 98, 315
    capturing, 598-600
    competition between worms, 358
    detailed description of, 410-413
    DoS attack, 306-307
    exploits, blocking, 561
    return-to-LIBC attacks, 571
    self-protection technique, 225
    shell code-based attacks, 343
W32/Blebla (worm), 418-419
W32/Bobax (worm), 318
W32/Bolzano (virus)
    detailed description of, 415-417
    system modification attacks, 389
W32/Borm (worm)
    backdoor-compromised systems, 331-332
    cooperation with viruses, 356
W32/Brid@mm (worm), 539
W32/Bugbear (worm), 311
    network share enumeration, 324
    SMTP worm blocking, 539
W32/Bymer (worm), 318
W32/Cabanas (virus), 157, 201-203
    infection technique, 144, 175, 183
    self-protection technique, 232, 243
W32/Cabanas.3014.A (virus), 510
W32/Chiton (virus), 63-64
    infection technique, 154
    memory scanning attacks, 533
    self-protection technique, 256-258
W32/Choke (worm), 333
W32/Cholera (worm), 356
W32/CodeGreen (antiworm), 318, 357-358
W32/CodeRed (worm), 98, 215, 315, 318, 366, 496, 517, 520, 538, 542
    avoiding buffer overflow attacks, 413
    blocking, 564-565
    code injection attacks, 342, 543
    competition between worms, 357-358
    computer security versus antivirus programs, 366
    detailed description of, 398-401
    DoS attack, 307
    exception-handler validation, 568
    exploits, blocking, 560-561
    history of blended attacks, 368
    return-to-LIBC attacks, 570
    self-sending code blocking, 563
    stack buffer overflows, 370
    system modification attacks, 389


    virus throttling, 575
W32/CodeRed_II (worm), 310, 520
W32/Coke (virus), 76, 255, 266
W32/Crypto (virus), 257, 305
W32/CTX (virus), 628
    cooperation with W32/Cholera worm, 356
    infection technique, 137, 150
W32/Dabber (worm), 358
W32/Dengue (virus)
    dynamic decryptor detection, 459
    infection technique, 150
    self-protection technique, 241
W32/Donut (virus), 99
    infection technique, 143-144
    naming, 145
W32/Doomjuice (worm)
    backdoor-based updates, 351
    cooperation with viruses, 356
W32/Elkern (virus), 532
W32/Evol (virus)
    code emulation, 464
    self-protection technique, 273
W32/ExploreZip (worm), 538
    self-protection technique, 235
    SMTP worm blocking, 541
    SMTP-based attacks, 335
W32/Franvir (virus), 113-115
W32/Funlove (virus), 416, 427
    blocking, 579
    cooperation with worms, 356
    network enumeration attacks, 324, 394
W32/Gaobot.AJS (worm)
    competition between worms, 358
    memory scanning attacks, 533
W32/Ghost (virus), 271
W32/Gobi (virus)
    filtering, 443
    self-protection technique, 247
W32/Harrier (virus), 255
W32/Heathen.12888 (virus), 73
W32/Heretic (virus), 522
W32/Heretic.1986.A (virus), 512-513
W32/HIV (virus), 59
W32/HLLP.Cramb (virus), 236
W32/HLLP.Sharpei (virus), 99
W32/HLLW.Bymer (virus), 394
W32/HLLW.Lovgate@mm (worm), 539
W32/HLLW.Qaz.A (worm), 309
W32/Holar@mm (worm), 539
W32/Hybris (worm), 577
W32/HybrisF (virus)
    infection technique, 139
    self-protection technique, 248
W32/Hyd (worm), 318, 334
W32/Idele (virus), 153
W32/IKX (virus), 236, 241
W32/Infynca (virus), 229
W32/Kick (virus), 65
W32/Klez (worm), 538
    infection technique, 136
    MIME header exploits, 414
    SMTP worm blocking, 539-541
W32/Klez.H (worm), 320
W32/Kriz (virus), 239-240
W32/Leaves (worm), 332
W32/Legacy (virus), 243
{W32, Linux}/Peelf (virus), 52, 286
{W32, Linux}/Simile (virus), 258, 281-286
{W32, Linux}/Simile.D (virus), 53, 64, 256, 576
W32/Lespaul@mm (worm), 342
W32/Lirva@mm (worm), 539
W32/Lovegate@mm (worm), 533
W32/Maax (worm), 333
W32/Magistr (virus)
    e-mail address harvesting, 319
    heuristics, 466
    SMTP-based attacks, 336
W32/Mimail.I@mm (phishing attack), 309
W32/Mydoom (worm)
    backdoor-based updates, 351
    cooperation with worms, 356
    e-mail address harvesting, 320
    self-protection technique, 249


    SMTP-based attacks with MX queries, 338
W32/Mydoom.A@mm (worm), 540
W32/Mydoom.M@mm (worm), 321
W32/Niko.5178 (virus), 513-514
W32/Nimda (worm), 97, 311, 314, 366, 538
    backdoor-compromised systems, 332
    SMTP worm blocking, 539
    SMTP-based attacks, 335
W32/Nimda.A@mm (worm), 29, 414-415
W32/Opaserv (worm), 318
    network enumeration attacks, 394
    password handling, 324
W32/Parvo (worm), 518
    e-mail address harvesting, 321
    e-mail worm attacks, 334
W32/Parvo.13857 (virus), 510-511
W32/Perenast (virus)
    infection technique, 153
    self-protection technique, 237
W32/Perrun (virus), 116
W32/Press (virus), 78
W32/PrettyPark (worm), 93
W32/Qint@mm (worm), 257
W32/RainSong (virus), 152
W32/Redemption (virus), 139
W32/Resure (virus), 235
W32/Sand.12300 (virus), 140
W32/Sasser (worm), 358
W32/Sasser.D (worm), 603
W32/Semisoft (virus), 518
W32/Serot (worm), 319
W32/SKA (worm), 299, 314, 538. See also Happy99 worm
W32/SKA.A (worm), 29, 62, 522
W32/Slammer (worm), 215, 316, 496, 538-539, 542
    blocking, 564
    capturing, 607-608
    code injection attacks, 341
    detailed description of, 407-410
    DoS attack, 306
    randomized network scanning, 329-330
    self-sending code blocking, 563
    virus throttling, 575
    worm blocking techniques, 557
W32/Smorph (Trojan), 277
W32/Sobig (worm)
    e-mail address harvesting, 321
    SMTP worm blocking, 539
W32/Subit (virus), 102-103
W32/Taripox@mm (worm), 334
W32/Tendoolf (worm), 351
W32/Thorin (virus), 243
W32/Toal@mm (worm), 322
{W32, W97M}/Beast.41472.A (virus), 112, 512
W32/Wangy (worm), 324
W32/Welchia (worm), 98
    backdoor-based updates, 351
    capturing, 605
    competition between worms, 358
    exploits, blocking, 562
    network scanning and fingerprinting, 330
    shell code-based attacks, 344
W32/Welchia.A (worm), 316-317
W32/Witty (worm), 34, 302, 316
    large-scale damage, 578
    self-sending code blocking, 565
W32/Yaha@mm (worm), 539
W32/Yourde (virus), 90
W32/Zelly (virus)
    infection technique, 175
    self-protection technique, 255
W64/Rugrat.3344 (virus), 62, 580
W64/Shruggle (virus), 62
W95/Aldabera (virus), 237
W95/Anxiety (virus), 166, 174, 179
W95/Babylonia (worm), 345-346, 349
W95/Bistro (virus), 275
W95/Boza (virus), 55, 61, 157, 166, 171, 174
    heuristic analysis, 468
    infection technique, 182
W95/Boza.A (virus), 172-173
W95/Cerebrus (virus), 178


W95/Champ.5447.B (virus), 244
W95/CIH (virus), 213, 305, 613
    infection technique, 137, 177, 180
    large-scale damage, 577
    self-protection technique, 228, 232, 240
W95/Darkmil (virus), 246
W95/Drill (virus), 281
    self-protection technique, 224, 246, 256
    X-RAY scanning, 448
W95/Fabi (virus), 107-108
W95/Fabi.9608 (virus), 455
W95/Fix2001 (worm), 221-222
W95/Fono (virus), 256
W95/Haiku (virus), 299
W95/Harry (virus), 174, 179
W95/Henky (virus), 156
W95/HPS (virus), 201
    heuristic analysis, 467
    self-protection technique, 264
    somewhat destructive payload viruses, 300
W95/Hybris (worm), 346-351, 538
W95/Invir (virus), 236, 244
W95/Kala.7620 (virus), 246
W95/Lorez (virus), 62, 176
W95/Mad (virus)
    static decryptor detection, 445
    X-RAY scanning, 446
W95/Marburg (virus), 632
    goat files, 639
    heuristic analysis, 467
    infection technique, 175
    nondestructive payload viruses, 298
    self-protection technique, 225, 230, 264
W95/MarkJ.8 (virus), 471
W95/Memorial (virus), 115-116
    heuristic analysis, 468
    infection technique, 178, 183
    self-protection technique, 259
W95/MTX (virus), 249
W95/Murkry (virus)
    infection technique, 173
    self-protection technique, 240
W95/Navrhar (virus), 76, 160, 180
W95/Opera (virus), 65
W95/Orez (virus), 238
W95/Padania (virus), 237
W95/Perenast (virus), 99
W95/Prizzy (virus), 243
W95/Puron (virus), 463
W95/Regswap (virus), 270
W95/Repus (virus), 210
W95/Resur (virus), 257
W95/Silcer (virus), 257
W95/SillyWR (virus), 240
W95/SK (virus), 89, 199, 277
    self-protection technique, 230, 238-239
    X-RAY scanning, 451
W95/Sma (virus), 204-205
W95/Spawn.4096 (virus), 176
W95/SST.951 (virus), 229
W95/Vulcano (virus)
    infection technique, 137
    self-protection technique, 245
W95/WG (virus), 65
W95/Zmist (virus), 106, 576
    disassembling, 463
    filtering, 444
    geometric detection, 461
    infection technique, 155-156
    self-protection technique, 277-281
    Virus Analysis Toolkit (VAT), 658
W95/Zmorph (virus), 272
W95/Zperm (virus), 274, 279
W97M/Coke (virus), 255
W97M/Fabi.9608 (virus), 455
W97M/Groov.A (worm), 318
W97M/Heathen.12888 (virus), 73
W97M/Killboot.A (virus), 68
W97M/Melissa@mm (worm), 314, 538
    e-mail address harvesting, 319
    e-mail worm attacks, 334
W97M/Pri.Q (virus), 620
W98/Yobe (virus), 223
Wagner, David, 347


Walker, John (ANIMAL game), 17
Wangsaw, Mintardjo, 13
WANK (worm), 297
Warhol (worm), 326
warnings, information of, 669
Washburn, Mark (virus writer), 261
watch mode, 587
Watson and Crick, 6
Wazzu virus. See WM/Wazzu.A (virus)
weak passwords, danger of, 324
Web sites
    BioWall project, 12
    links to, 339-340
WebTV worms, 86-87
weeding as process of computer virus analysis, 621
Wendell, Chip, 13
Whale (virus writer), MSIL/Gastropod virus, 99, 269
Whale (virus), 51
    memory scanning attacks, 532
    self-protection technique, 230-231, 259
Wheeler, David, 346
White, Steve, 51, 277
Whitehouse, Ollie, 360
whitepapers (virus), 670
wildcards, first-generation antivirus scanners, 430-431
WildList Organization International, 673
Win/RedTeam (worm), 314
    e-mail attachment inserters, 334
Win32
    appending viruses, 174-175
    companion viruses, 176
    EPO (entry-point obscuring) viruses, 150-153
    exception handlers, 232
    file structure infection, 239
    first-generation Windows 95 viruses, 172-173
    fractionated cavity viruses, 177
    function calls, macro viruses, 73
    generating exceptions, 229
    growth of viruses for, 181
    header infection viruses, 173
    heuristic analysis of viruses, 467-472
    history of viruses on, 157
    IsDebuggerPresent( ) API, 229
    KERNEL32.DLL infection, 175-176
    lfanew field modification, 178
    PE (portable executable) file format, infection techniques, 160-172
    PE viruses, 61-64
    platform support for, 158-160
    prepending viruses, 174
    viruses, 508-511
    VxD-based viruses, 178-180
Win32/Beast.41472.A (virus), 112
Win32/Niko (virus), 519
Win32s, Win32 platform support, 158
Win64, 61, 160
WinCE/Duts.1520 (virus), 109
WinDBG tool, 649
Windows. See also 16-bit Windows; Win32
    AUTORUN.INF file viruses, 97
    device driver viruses, 65
    EPO (entry-point obscuring) viruses, 147-153
    Help file viruses, 89
    INI file viruses, 97
    installation script viruses, 96
    LNK viruses, 94
    memory-resident viruses, self-detection techniques, 198-199
    metamorphic viruses, 270
    NE viruses, 60
    PE viruses, 61-64
    PIF viruses, 94
    read stealth viruses, 204-205
    Registry-dependent viruses, 93-94
    system buffer viruses, 210
    VBScript viruses, 81-82
    viruses in kernel mode, 212-215
Windows 2000, Win32 platform support, 158
Windows 2003 Server, Win32 platform support, 158


Windows 95
    appending viruses, 174-175
    boot viruses, 129
    companion viruses, 176
    first-generation viruses, 172-173
    fractionated cavity viruses, 177
    header infection viruses, 173
    history of Win32 viruses, 157
    KERNEL32.DLL infection, 175-176
    LE (linear executable) file format, 160
    lfanew field modification, 178
    prepending viruses, 174
    system loader comparison with Windows NT, 181-183
    VxD-based viruses, 178-180
    Win32 platform support, 158
Windows 95 System Programming Secrets, 616
Windows 98/ME, Win32 platform support, 158
Windows 9x, kernel mode, 228-229
Windows CE
    device translator layer dependent viruses, 109-112
    Win32 platform support, 158
Windows NT
    class of context (memory scanning), 526
    executed images (Win32 viruses), 512-514
    filter driver virus deactivation (memory scanning), 527-529
    functions (memory scanning), 525
    hidden window procedure (Win32 viruses), 512
    memory scanning
        and paging, 515-517
        processes/rights, 507-508
    native viruses, 496
    service API entry points (memory scanning), 524
    service viruses, 512
    system loader comparison with Windows 95, 181-183
    upper 2G of address space (memory scanning), 527
    virtual memory system, 499-505
    Win32 platform support, 158
    Win32 viruses, 508-511
Windows Update Web site, DoS attack against, 413
Windows XP, Win32 platform support, 158
WinNT/RemEx (virus), 496
Winvir. See W16/Winvir (virus)
wireless mobile worms, 359-361
WM/Cap.A (virus), 72, 157
WM/Concept (virus), 296
WM/Concept.A (virus), 67
WM/DMV (virus), 67
WM/Hot.A (virus), 73
WM/Npad (virus), 70
WM/ShareFun (worm), 314
WM/Wazzu.A (virus), 301
WNT/RemEx (virus), 512, 518
WNT/Stream (virus), 58
Word Pro viruses, 94
Word viruses. See macro viruses
WordSwap (virus), 260, 303
worm blocking techniques, 538-542, 557
    buffer overflow attacks
        blocking, 543-544
        code reviews, 544
        compiler-level solutions, 545-552
        kernel-mode extensions, 554-556
        operating system-level solutions, 552-554
        program shepherding, 556
        subsystem extensions, 554
    connections, 574-575
    exception-handler validation, 565-569
    GOT/IAT page attributes, 574
    injected code detection, 557-562
    return-to-LIBC attacks, 569-573
    script/SMTP blocking, 539-542
    self-sending code blocking, 563-565
worms
    backdoor features, 309-311
    behavior patterns, 598-608
    code propagation techniques, 338


        code injection attacks, 341-342
        executable code-based attacks, 339
        HTML-based mail, 340
        links to Web sites or proxies, 339-340
        remote login-based attacks, 341
        shell code-based attacks, 342-344
    competition between, 357-358
    cooperation with viruses, 354-357
    definition of, 29-30, 314-315
    future attacks, 575-578
    outbreak statistics, 670
    structure of, 315
        infection propagator, 315-316, 331-338
        life-cycle manager, 316-317
        payload activation, 318
        remote control, 316, 351-354
        self-tracking, 318
        target locator, 315, 319-330
        update interface, 316, 345-351
    SWCP (simple worm communication protocol), 359
    versus computer viruses, 314
    wireless mobile worms, 359-361
writeable flag, 238
WS2_32!sendto( ) API, 564

X
X-RAY method, algorithmic scanning methods, 446-451
X97M/Jini.A (virus), 76
Xbox, security vulnerabilities, 347
XF/Paix (virus), 77
XM/Laroux (virus), 67
XML, macro viruses, 77
Xmorfic (virus writer), 88
XMS (Extended Memory Specification), 198
XTEA (extended tiny encryption algorithm), 346

Y
Yankee_Doodle (virus), 26, 54, 157, 219, 233

Z
Zachary, William B., 7
Zafi.A (worm), 320
Zbikowski, Mark, 60
zero bytes, 433
Zhengxi (virus writer), 100, 248, 348
    heuristic analysis, 472
    infection technique, 152
Zmist virus. See W95/Zmist (virus)
Zombie (virus writer), 27, 349
    ETG (executable trash generator) engine, 280
    ISO image infection, 59
    W95/Zmist virus, 155, 277
    W95/Zperm virus, 279
zoo viruses, 26
Zox. See INF/Zox (virus)
