Chapter 13: Malicious Code - PowerPoint PPT Presentation


Number of Views:441
Avg rating:3.0/5.0
Slides: 74
Provided by: Staf84


Chapter 13: Malicious Code
A class of unwanted software, often called malware. Three major arrival scenarios:
  • Arrives with the help of the user (who opens a contaminated file).
  • Arrives on its own (a vulnerability or feature allows execution).
  • Is left behind after an adversary breaks in.
User assistance may be:
  • Unwitting: the user didn't have a clue.
  • Witting: the user knew better, but did it anyway.
  • Half-witting: the user knew better, but took a chance.
Malicious Code: Impact
May be benign or destructive. Why? Because malware typically contains an executable and can do anything an executable can do. Even if benign, it consumes resources (runs, replicates, occupies storage, consumes CPU cycles, slows the system down) and takes time and effort to remove. An example is happy.exe, which presented a pretty "happy new year" graphic message for 1999. You can't really be sure they are benign; often you don't know. If destructive, it is clearly a much more serious
Malicious Code: The Threat is Growing
  Year   New OS Vulnerabilities   Known Viruses
  1998     262                    40,000
  1999     417                    48,000
  2000   1,090                    55,000
  2001   2,437                    59,000
While viruses grow rather linearly, new OS vulnerabilities are more than doubling every year! Source: Computerworld, April 1, 2002, page 46.
Malicious Code: Why is the threat growing?
  • Increased number of products (e.g., wireless, PDAs, new OS versions).
  • Better delivery methods: web expansion in the middle to late 90s.
  • Experience of malware developers: from an infant industry to highly experienced in the past decade.
  • Commitment of nation states to information warfare. Do we really know who is launching the attacks and developing the code?
  • Fast spreading. Time to reach 1 in infected systems: Form virus (2-3 years), Concept macro virus (2-3 months), NIMDA (22 minutes).
Malicious Code - Taxonomy
Malicious Software (Malware)
  • Requires a host program
      • Do not replicate: Logic Bombs, Trojan Horses
      • Do replicate: Viruses
  • Does not require a host program
      • Do replicate: Bacteria, Worms
All very nice, but now we have blended threats and other newcomers!
Malicious Code: A New Category
Hostile Java applets: code snippets that are executed by Java to perform some function, often embedded in a web page. May belong on the "requires a host program" list; the host in this case is your browser with Java enabled. The applet is introduced to your system when you visit a web page containing the applet. Two types: malicious and attack applets. Malicious applets are in the wild and for the most part are annoying, but can be serious: they can result in denial of service and invasion of privacy. Attack applets are not yet in the wild, but have been extensively tested in lab settings. They attempt to compromise the Java security model and break through to your system.
Entrance Paths
  • Logic Bombs, Trojans, Viruses
    1. Integral to or attached to an executable program, or macros that are enabled to be executed when a file is opened.
    2. Transported by media (e.g., floppy, tape, CD-ROM) OR arrive over the network as attached or directly executable programs.
  • Worms, Bacteria
    1. Do not require a host program for transport.
    2. Arrive directly from the network capable of
  • Applets
    Are part of a web page you visit. If Java is enabled, the applet will execute and do its thing.

Virus Behavior
Aptly named: they behave like biological viruses.
  1. Typically small programs.
  2. Are attached, or attach themselves, to executable files (e.g., a program, a script, or a command string).
  3. Activate when the host program is executed.
  4. May be benign or malignant (i.e., destructive).
  5. Capable of doing anything a program can do.
  6. Generally cannot infect a system from a non-executable file.
  7. Do not cause physical damage.
  8. Can also infect firmware (e.g., flash ROM in modems, BIOS).
  9. Typically activate on an event (e.g., when executed, on a date, after n re-boots, at some random time).
  10. Often replicate and attempt to infect other files (e.g., Melissa).
Indications of a Virus
  1. Computer runs slow.
  2. System runs out of free space.
  3. File sizes change.
  4. Unexplained files appear on the hard drive.
  5. Unexplained behavior: the CD-ROM drawer opens and closes on its own (a joke virus); programs won't execute; files won't open; characters are missing from displays; obscene language appears on the display; and almost any other strange behavior you can imagine.
Flash Memory Viruses
Flash memory is writeable firmware. Found in PC BIOS, modems, video cards, printers, routers, and more. Its increasing use allows changes to a hardware device after manufacture.
Example uses of flash memory:
  1. 56k modem: two pre-standard designs were sold with flash memory; when the V.90 standard was issued, a downloadable upgrade was provided.
  2. Routers: downloadable protocol changes to support new protocols.
  3. Other devices: bug and performance updates.

Virus Types
  • Companion: uses the execution hierarchy (order) of the system.
  • Parasitic: attaches to a host program and executes when the host program executes.
  • OS Structure: attaches to OS components (e.g., boot blocks).
  • Macro: infects macro languages (e.g., Word, Excel).
  • Polymorphic: mutates with each infection.
  • Stealth: attempts to hide from detection.
  • Jokes and Hoaxes: do nothing but excite some users.
Companion Viruses
Rely on the execution order of a system (e.g., in Windows the order is .COM, .EXE, and .BAT). The user specifies "execute WP", meaning WP.EXE. The OS will search for WP.COM, then WP.EXE. If a virus exists called WP.COM, it will execute first and often attach itself to WP.EXE. Using common names has been an often-used technique to trick users into unwittingly executing a virus program.
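The companion trick above is purely a name-resolution problem, so it can be audited without running anything: walk the search path in order, try the extensions in the order the slide quotes, and report every command name that has more than one candidate. The script below is an added example, not part of the original slides; the directory listing and PATH are constructed, and the .COM/.EXE/.BAT order and "first directory wins" rule are taken from the slide text rather than from any real OS call.

```python
from typing import Dict, List, Optional, Tuple

# Extension search order the slide quotes for Windows/DOS command resolution.
SEARCH_ORDER = (".COM", ".EXE", ".BAT")

# Constructed sample: PATH directories in search order, and the files found in each.
SAMPLE_PATH = ["C:\\WP", "C:\\WINDOWS", "C:\\TEMP"]
SAMPLE_LISTING: Dict[str, List[str]] = {
    "C:\\WP": ["WP.EXE", "WP.COM", "README.TXT"],      # WP.COM beside WP.EXE: the slide's scenario
    "C:\\WINDOWS": ["NOTEPAD.EXE", "CALC.EXE"],
    "C:\\TEMP": ["WP.BAT", "CALC.COM"],                # a .COM later in PATH does NOT win
}


def candidates(command: str, listing: Dict[str, List[str]], path_dirs: List[str]) -> List[str]:
    """Every file that could satisfy `command`, in the order the interpreter would try them:
    directory by directory along PATH, and .COM before .EXE before .BAT within a directory."""
    command = command.upper()
    found = []
    for directory in path_dirs:
        names = {n.upper() for n in listing.get(directory, [])}
        for ext in SEARCH_ORDER:
            if command + ext in names:
                found.append(directory + "\\" + command + ext)
    return found


def resolve_command(command: str, listing: Dict[str, List[str]], path_dirs: List[str]) -> Optional[str]:
    """The single file that actually runs when the user types `command` (first candidate wins)."""
    hits = candidates(command, listing, path_dirs)
    return hits[0] if hits else None


def find_shadowed(listing: Dict[str, List[str]], path_dirs: List[str]) -> Dict[str, Tuple[str, List[str]]]:
    """Audit helper: for each command name with more than one executable candidate,
    report which file wins and which files it shadows. A winner that is a small, recently
    added .COM sitting beside a long-standing .EXE is exactly what a companion virus looks like."""
    names = set()
    for files in listing.values():
        for filename in files:
            base, dot, ext = filename.upper().rpartition(".")
            if dot and "." + ext in SEARCH_ORDER:
                names.add(base)
    report = {}
    for name in sorted(names):
        hits = candidates(name, listing, path_dirs)
        if len(hits) > 1:
            report[name] = (hits[0], hits[1:])
    return report


if __name__ == "__main__":
    print("typing WP runs:", resolve_command("wp", SAMPLE_LISTING, SAMPLE_PATH))
    for name, (winner, shadowed) in find_shadowed(SAMPLE_LISTING, SAMPLE_PATH).items():
        print(f"{name}: {winner} shadows {', '.join(shadowed)}")
```

On the constructed listing, WP resolves to C:\WP\WP.COM (the .COM wins over the .EXE in the same directory), while CALC resolves to C:\WINDOWS\CALC.EXE because the directory order is checked before the extension order; both names are reported, NOTEPAD is not.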
Typical Method of Infection
The scenario shows before/after virus infection with a programmed target of certain .EXE and .COM files. (Diagram: "Before Infection" and "After Infection" file layouts, labelled "Hdr IP" and "Virus Jump".)
Virus Wars - A Typical Scenario - .EXE File
The .EXE file layout: MZ signature (executable file); CS:IP are pointers to the start of the program image; Size specifies the image size; then the program load image and overlay data (e.g., buffer space), all preceded by the file header. The virus must change the size of the image. Respond by storing the size somewhere else. Then the virus writer compresses the infected image to be the same size as before. Respond by using a digital signature. On and on it goes!
Parasitic Viruses
Enter a system already attached to what appears to be a legitimate executable file. In the preceding example, a parasitic virus would enter a system already attached to, for example, a .COM or .EXE file as shown in the "after infection" case. Once run, the virus code could seek out other existing files with the same .COM or .EXE extensions and infect them.
Operating System Structure Viruses
Attach themselves to executable parts of the OS structure and/or insert themselves in unused OS structures. These are prime targets since they execute when the system boots. For example:
  • Master Boot Record (MBR / partition table)
  • Unused sectors at the beginning of the disk
  • Boot record
  • File Allocation Table (FAT)
  • Directory record
  • Bad sectors
  • Unused tracks at the end of the disk
In Microsoft Windows, they modify the registry so the virus executes at startup.
Typical Bootstrap Process
On power-up, the BIOS ROM holds a program to test basic h/w and identify the boot device (e.g., floppy, hard drive). The BIOS program completes its checks and executes a set of simple load-to-memory instructions to load a more robust loader (e.g., the initial loader) into primary memory. Once the initial loader is resident, control is transferred to the starting location of the initial loader. The initial loader identifies the location of the operating system and loads the resident parts of the OS to memory. When loading completes, control is transferred to the operating system (e.g., the null CLI prompt appears).
Execute H/W boot -> Read S/W boot to RAM -> Transfer control to RAM -> Find and load operating sys. -> Transfer control to OS
The process includes a number of validation tests including simple signatures (not cryptographic), such as a 2-byte checksum.
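The reason the "Virus Wars" slide keeps escalating (size check, then stored size, then digital signature) and the reason a 2-byte checksum is called a simple signature rather than a cryptographic one is the same: an additive checksum can be held constant while the contents change. The code below is an added illustration, not part of the original slides. It builds a constructed 512-byte stand-in for a boot record (no real loader layout is modelled), shows that a modified copy can be made to pass the 16-bit checksum by writing compensating bytes into unused padding, and that a cryptographic hash (SHA-256, standing in for the hash a signed loader would check) still catches the change.

```python
import hashlib

SECTOR_SIZE = 512

# Constructed stand-in for a boot record: a short fake loader, zero padding, 0x55AA marker.
# Nothing here is a real bootloader; only the integrity-check behaviour is being demonstrated.
ORIGINAL_RECORD = (
    b"\xeb\x3c\x90" + b"FAKELOADER"            # 13 bytes of "loader"
    + b"\x00" * (SECTOR_SIZE - 13 - 2)         # 497 bytes of unused padding
    + b"\x55\xaa"                              # 2-byte end marker
)
PADDING_START = 64                             # somewhere inside the zero padding


def checksum16(block: bytes) -> int:
    """The kind of simple 2-byte check the slide mentions: the byte sum modulo 2**16."""
    return sum(block) & 0xFFFF


def sha256_digest(block: bytes) -> str:
    """Cryptographic stand-in for the reference value a signed boot chain would verify."""
    return hashlib.sha256(block).hexdigest()


def tamper_keeping_checksum(block: bytes, offset: int, new_bytes: bytes, pad_start: int) -> bytes:
    """Overwrite `new_bytes` at `offset`, then absorb the change in the byte sum by writing
    compensating values into free (zero) padding starting at `pad_start`.
    Because the sum is modulo 2**16 and the padding is 497 bytes, any shortfall fits."""
    data = bytearray(block)
    data[offset:offset + len(new_bytes)] = new_bytes
    shortfall = (checksum16(block) - checksum16(bytes(data))) & 0xFFFF
    i = pad_start
    while shortfall:
        if data[i] != 0:
            raise ValueError("padding byte already in use")
        data[i] = min(0xFF, shortfall)
        shortfall -= data[i]
        i += 1
    return bytes(data)


def verify_record(block: bytes, expected_checksum: int, expected_digest: str) -> dict:
    """What each check says about `block`: the weak check and the cryptographic one side by side."""
    return {
        "checksum_ok": checksum16(block) == expected_checksum,
        "hash_ok": sha256_digest(block) == expected_digest,
    }


if __name__ == "__main__":
    ref_sum, ref_hash = checksum16(ORIGINAL_RECORD), sha256_digest(ORIGINAL_RECORD)
    modified = tamper_keeping_checksum(ORIGINAL_RECORD, 3, b"TAMPEREDLD", PADDING_START)
    print("original :", verify_record(ORIGINAL_RECORD, ref_sum, ref_hash))
    print("modified :", verify_record(modified, ref_sum, ref_hash))
```

The modified record differs from the original (the "loader" bytes and a few padding bytes changed) yet reports checksum_ok=True; only the hash comparison reports the change, which is why the slides end up at digital signatures.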
Typical Bootstrap Process - Infected Boot Record
In an infected system, the initial loader is replaced with an infected loader. The BIOS program completes its checks and loads the infected loader into primary memory. Once the infected loader is resident, control is transferred to the starting location of the virus. The virus loads first, makes the changes it was designed for (e.g., may erase its tracks, infect the hard drive, etc.) and then transfers control to the original loader. The OS then loads normally and control is transferred to the operating system (e.g., the null CLI prompt appears). At this point the virus is resident and executable; it will execute and act according to its design.
Execute H/W boot -> Read S/W boot to RAM -> Transfer control to RAM -> Virus loads -> Find and load operating sys. -> Transfer control to OS
A Specific Infection - The Michelangelo Virus
  1. An infected diskette is placed in the A drive and booted.
  2. The diskette boot program loads the virus into main memory.
  3. Infects the hard drive by moving the hard drive's original boot block to another location on the disk, and installing itself in the boot block. Every time a disk is mounted on the system, that disk is infected as well.
Part of the virus program reads the system date. On March 6, the virus activates and overwrites any mounted diskette with random characters, and hard disk sectors 1-17, heads 0-3, and tracks 0-255 (with random characters).

Letter is released from the Philippines. Uses the Microsoft VBS scripting language (requires the Windows Scripting Host to be installed before it could run). Check My Computer, View, Options, File Types and look for VBScript. Infects Microsoft Windows machines if the scripting host is enabled. Infection is by e-mail, but can also be via shared files, USENET news, and Internet Relay Chat. E-mail: Outlook users get a message with the subject line "ILOVEYOU" and a body that reads "kindly check the attached LOVELETTER coming from me." It has an attachment; the return address will be a person known to the
LOVE LETTER VIRUS: What it does (or tries to)
  • Replaces certain files with a copy of itself.
  • Sends itself to other potential victims found in the previous victim's Outlook address book.
  • Modifies Explorer's home page URL.
  • Modifies several registry keys.
  • Makes an Internet Relay Chat script.
  • Sniffs passwords and attempts to mail them to an Internet site.

LOVE LETTER VIRUS: Program Structure
LOVE LETTER VIRUS: File Replacement - listadriv
Main copies the virus to multiple locations and calls the subroutines. Searches all drives for certain file extensions and takes the following file-dependent actions:
  • If the file is vbs or vbe (Visual Basic), replace the file with a copy of itself.
  • If the file is js, jse, css, wsh, sct, or hta, replace the file with itself and change the extension to vbs.
  • If the file is jpg or jpeg, replace the file with itself and append a vbs extension (abc.jpeg becomes abc.jpeg.vbs).
  • If the file is mp3 or mp2, replace the file with itself, append a vbs extension (abc.mp3 becomes abc.mp3.vbs) and mark it as hidden.

LOVE LETTER: send e-mail - spreadtoemail
Generates e-mail with the current victim as sender and sends itself to every entry in the local Outlook mailbox. Also tries to read the Exchange server's mail directory and send itself to every address found there. The transcript of the routine (characters lost in extraction) reads:
  • Set out Wscript.CreateObject(Outlook
  • Set mail out.Createitem(0)
  • Set mailaddress scriptto get user from address
  • Mail.Recipients.add(mailaddress)
  • Mail.Subject I LOVE YOU
  • Mail.body vbcrlfkindly check the attached
  • coming from me.
  • Mail.Attachments.Add(dirsystem\LOVE-LETTERE-FOR-
  • TXT.vbs)
  • Mail.send

LOVE LETTER VIRUS: Home page - html
If the file \WinFAT32.exe does not exist, the worm sets the Explorer home page to one of four randomly selected pages. These URLs all refer to locations that contain a file WIN-BUGSFIX.exe, which contains code for cracking passwords on the victim's machine and mailing them to an ISP in the Philippines. The worm also looks for this code in the Explorer download directory and, when it is found, it is added to the victim's start list of programs that run at startup. Finally, the Explorer start page is set to

LOVE LETTER VIRUS: Registry changes - regruns
Creates registry entries (keys truncated in the transcript):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr
  • 32,dirsystem\MSKernel32.vbs
  • HKLM\Software\Microsoft\Windows\Current\Version\Ru
  • HKLM\Software\Microsoft\Windows\Current\Version\Ru
  • HKLU\Software\Microsoft\Windows Scripting
  • HKLU\Software\Microsoft\Internet
    Explorer\Main\Start Page
  • HKLU\Software\Microsoft\WAB\
This virus was widespread worldwide within a few hours. It would have done more damage, except scripting was not enabled on many systems. Damage was mainly the cost of eradication.

Macro Viruses
A very popular virus family that relies on the use of executable macro languages that can be embedded in documents, often to create formatting for templates, etc. For example, in Microsoft Word, any time a template file is opened, it is scanned for macros. If it contains an AutoOpen macro, the macro instructions are immediately executed. If the AutoOpen macro is infected, the user only has to open the file for the virus to run. One of the things these viruses often do is update the global macro pool, so other documents that use the macro pool will also be infected.
Polymorphic Viruses - Multiple Versions
Conventional methods of virus eradication rely on detecting the unique signature of a virus. In order to make this more difficult, virus developers often build viruses that contain self-modifying code. Structures for these viruses include:
  • The original virus.
  • A program that encodes the original code.
  • A decoder to recover the original virus.
  • A mutation engine that changes the decoding routine (adding code like LOOPs or NO OPERATION instructions).
These change the external signature of the code but do not change the decoded result. Consequently, they mask the virus from detection.
Stealth Viruses
Infect a program and then attempt to hide from detection by active measures. Two types: size stealth and read stealth. Size stealth attempts to 1) measure the length of the good file, 2) infect it, and 3) compress the infected file back to the length of the original. Read stealth inserts the virus code between the OS and all calls to read files (e.g., by a virus scanner). On read, the virus intercepts the call and returns an uninfected file. The Stoned Monkey Master Boot Record virus is a read stealth virus. These methods require the virus to be memory resident so it can intercept system I/O calls. Booting from a known clean floppy and scanning will find these infections (if they are known).
Stealth Virus - Hiding Places
Bacteria
Do not require host programs, but replicate and spread. In 1987, the IBM Christmas Bacteria was launched in BitNet, a WAN for university e-mail. It arrived as an e-mail attachment. When opened, it rendered a Christmas tree on the screen, replicated itself, and sent a copy of itself to every mailbox on the user's local mail distribution list. It spread so rapidly that BitNet had to be shut down for several days. Sound familiar? Like, perhaps, Melissa? Melissa was uniformly labeled a virus, since it used an e-mail message as the host; it is not clear whether there are any real bacteria.
Worms
No requirement for a host program: a worm independently travels over the network, finding, infecting, replicating, and moving on. No requirement for a user to take any action; infection just happens! These capabilities are also considered useful tools for:
  • Propagating useful network information (e.g., configuration files).
  • Remote software distribution and installation (e.g., automatic downloads).
There are some requirements:
  1. An initial system to act as the launch platform.
  2. Access to a network (typically via e-mail or IP address).
  3. Network services enabled (e.g., mail).
Worm - Methods
  • Searches for other network systems known to the original host computer (e.g., by e-mail or IP address).
  • On identification, establishes a communications link to the remote system.
  • Attempts to exploit a software weakness.
  • On success, downloads a copy of the worm from the attacking system.
  • The process is repeated for every successful intrusion.
  • Spreads rapidly and can easily monopolize the system and network.
The best known worm: the "Internet worm" (Robert Morris). Attacked Unix BSD systems (e.g., Sun 3 and VAX running BSD). Launched on 11/2/88; 6000 systems. Three-pronged attack: remote shell, Sendmail, fingerd.
Remote Shell Attack
Remote shell allows a user to run a shell from a remote location. Attack 1: try to spawn a remote shell (rsh) process, trying /usr/ucb/rsh, /usr/bin/rsh, or /bin/rsh. If rsh is enabled, establish a TCP/IP connection back to the attacking machine and download the worm so it could be compiled, linked and executed. When done, disconnect.
Sendmail Attack
Sendmail is a Unix mailer designed to route mail in a network environment using a mailer daemon (background process). When enabled, the mailer listens on TCP port 25 for attempts to deliver mail by the Simple Mail Transfer Protocol (SMTP). On a successful TCP connection attempt, the daemon makes the connection and gets the sender, recipient, delivery instructions, and message contents. Trouble was, there was a debug option in the Sendmail program that was not turned off.
Sendmail Attack
The worm issued a DEBUG command to the remote system, followed by a command string instead of the user address. Such commands are not allowed in normal mode, but are OK in debug mode so testers can determine that mail is arriving at remote locations without actually sending mail or remotely logging in. If debug is turned on, this made it easy to configure sendmail for further testing. However, this also allowed the same actions as for rsh. This means a remote user had user privileges on the system.
Fingerd Attack
fingerd is a utility that allows a user to get information about other network users. It is used to get the full name or login name of a user and whether they are logged in, their telephone number, etc. It is a daemon running in the background to respond to requests. It accepts remote connections, reads a single line, and returns the requested information. The exploit overran the fingerd buffer by sending a special 536-byte string to fingerd, causing the stack to be overwritten such that the return address was corrupted and returned to a remote shell program that proceeded to establish the TCP/IP connection as before.
Sidebar: Buffer Overflow Attacks
Manipulates the input buffer to allow the attacker to execute arbitrary commands on the target machine. A result of the poor programming practice of not writing code that checks the bounds on an input data string supplied to a program. When receiving input, a program calls the input routine and passes arguments specifying the location of buffers for the input data. The call passes the arguments and the return address to the input routine and transfers control to the input routine. The input routine pushes the arguments and the return pointer on the stack, then pushes the input data stream on the stack. When complete, the input routine returns control to the calling program specified in the return
Stack LIFO Architecture (low memory at the top, high memory at the bottom):
  Low Memory
  Input variable 2
  Input variable 1
  Return Pointer
  Call Arguments
  High Memory
Last-In, First-Out (LIFO): items are pushed on the stack in order and popped off the stack in reverse order.
Corrupting the Stack:
  Low Memory
  Input variable 2
  Executable code (e.g., a shell command)
  New pointer to executable code
  Call Arguments
  High Memory
When the return is executed, the shell is run; the attacker then connects to the shell.
Worm Code - Main
Main collected information on other computers known to this one by reading public configuration files. It also ran system utilities. This information formed the database for further attacks. In each successful case the worm attempted to hide its existence by unlinking its binary, killing its parent process, encrypting and reading its files into memory, and deleting files created during entry. Periodically it forked itself and killed its parent so it had a continuously changing process ID to help avoid detection. Every 12 hours it erased its own records of hosts it had infected so they became eligible for infection
Worm Code - Main
It also reads and cracks local password files. Password cracker: UNIX passwords are stored in a public file, but encrypted with a DES variant. The algorithm is non-invertible. However, Unix allowed the encryption of password lists and comparison to the password file without calling an OS function (i.e., no log interception). It didn't do anything exotic: it just tried lists of common words until it found an encrypted MATCH. No encryption breakage. Some sites reported 50% of passwords were compromised. This gave the worm access to additional accounts and more possible destinations for mail and IP.
Worm - Impact
Eventually contaminated over 6000 Unix systems. The first fix was available within 12 hours of discovery. By 28 hours a method to stop propagation was posted. Trouble was, there was no structured response; all was ad hoc and through the informal network of colleagues. This resulted in the establishment of the DARPA-funded CERT ("Computer Emergency Response Team") at Carnegie Mellon University. Later, DOE created CIAC (Computer Incident Advisory Capability) at Lawrence Livermore National Laboratory.
Anti-Virus Web Sites
Fast Forward: Sophistication - Nimda
Appeared September 18, 2001. Affected Windows 95/98, ME, NT4, 2000 (clever version code). A combination virus/worm; it is not clear the distinction is useful any more. Serious impact to infected systems. Side effect: created large volumes of Internet traffic at web servers known to the Internet. Few sites escaped from Nimda.
Nimda Propagation
Infection: 4 modes.
  • Sends email containing the worm to all addresses found in the in-box and address book of the infected system.
  • Searches for vulnerable IIS servers, compromises the server and downloads the worm. The worm infects web pages so other systems browsing the server will also be infected.
  • Searches the Local Area Network for shared files on servers or workstations and puts a hidden copy of the worm on file shares. Opening documents in these directories causes the worm to be executed.
  • Modifies .exe files on the victim so they include the worm.
e-Mail Compromise
Impacts Outlook and Outlook Express. An e-mail arrives with an attachment named readme.exe. On older unpatched systems, the attachment is automatically executed when the e-mail is opened, and readme.exe, the worm, is executed. On patched or unpatched systems, readme will execute if double-clicked. The worm then harvests e-mail addresses from the in-box and address book of the infected system.
IIS (Microsoft Web Server) Compromise
Infected systems form IP addresses (some targeted, some random) and attempt to compromise IIS servers with 4 different attacks:
  1. Two scripts to exploit the root.exe back-door left by Code Red II or Sadmind prior infections. If successful, this gives root privilege to the worm.
     GET /scripts/root.exe?/cdir HTTP/1.0 404 210 -
     GET /MSADC/root.exe?/cdir HTTP/1.0 404 201 -
  2. Two more for Code Red II backdoors where the C and D drives were mapped to IIS virtual folders, allowing access to cmd.exe (the Windows CLI with administrator privilege).
     GET /c/winnt/system32/cmd.exe?/cdir HTTP/1.0 404 218 - -
     GET /d/winnt/system32/cmd.exe?/cdir HTTP/1.0 404 218 - -

IIS (Microsoft Web Server) Compromise
  3. Two scripts to exploit the IIS/PWS Escaped Character Decoding Command Execution vulnerability:
     GET /_vti_bin/..255../..255../winnt/system32/cmd.exe?/..
     If unpatched, this causes the server to decode the requested pathname twice. On decode 1, security is checked. If security is OK, the second decode is not checked again. The first script is legal and passes security, but the second is not and allows the execution of cmd.exe, the Windows command line interpreter, with administrator privilege. A patch has been available for some time from
  4. 8 scripts to exploit the IIS/PWS Extended Unicode Directory Traversal vulnerability (only 2 are shown below):
     GET /scripts/..c11c../winnt/system32/cmd.exe?/..
     GET /scripts/..c02f../winnt/system32/cmd.exe?/..
     If unpatched, IIS does not validate the input correctly and allows inappropriate directory access when the / and \ characters are encoded with their Unicode equivalents. In the examples, c11c is / and c02f is \ in the Chinese Unicode character set. Note: Unicode is the extended character encoding standard used to represent letters and symbols from all the languages in the world.
IIS (Microsoft Web Server) Compromise Summary
  • Exploit root.exe or cmd.exe backdoors left by Code Red II.
  • Exploit the IIS Directory Traversal vulnerability, allowing files to be accessed if they reside on the same drive as the server web folders.
  • Exploit the IIS Escaped Character Decoding execution vulnerability that allows files to be accessed and executed.
  • If successful, the worm uses the Trivial File Transfer Protocol (tftp) to connect back to the system originating the attack to download and execute Admin.dll, the main body of the worm.

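The "decode, check, decode again" flaw in item 3 and the over-long Unicode encodings in item 4 are both failures of the same input-validation step, so they can be caught by the same rule: decode the path exactly once, refuse anything that is still encoded or that decodes to non-ASCII bytes, normalize, and only then check for traversal. The code below is an added example, not part of the original slides or of IIS; it models the vulnerable order of operations beside a hardened check and runs both over constructed request paths written in the style of the log lines quoted above (the `+` in `/c+dir` is simply the URL encoding of a space).

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote, unquote_to_bytes

# Constructed request paths in the style of the Nimda log lines above; the query strings are kept
# so the checker has to strip them the way a server would.
SAMPLE_REQUESTS = [
    "/default.htm",                                                    # ordinary request
    "/scripts/root.exe?/c+dir",                                        # backdoor probe, plain path
    "/scripts/../../winnt/system32/cmd.exe?/c+dir",                    # naked traversal
    "/_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",     # double-encoded backslash
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",               # over-long Unicode slash
    "/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir",               # over-long Unicode slash
]


def _normalise(path: str) -> str:
    """Web-root-relative form of a URL path; a result starting with '..' has escaped the root."""
    path = path.split("?", 1)[0]                 # drop the query string
    path = path.replace("\\", "/").lstrip("/")   # IIS treats '\' as a separator too
    return posixpath.normpath(path)


def _escapes_root(rel: str) -> bool:
    return rel == ".." or rel.startswith("../")


def vulnerable_resolve(raw: str) -> Tuple[str, Optional[str]]:
    """Models the flaw in item 3: the security check runs on the once-decoded path, but the
    file-system path is built from a second decode that is never checked."""
    once = unquote(raw)
    if _escapes_root(_normalise(once)):
        return ("blocked", None)
    fs_path = _normalise(unquote(once))          # second decode, after the check
    return ("allowed", fs_path)


def hardened_check(raw: str) -> Tuple[str, str]:
    """Decode exactly once, to bytes, and reject anything a path should never contain."""
    decoded = unquote_to_bytes(raw.split("?", 1)[0])
    if any(b > 0x7F or b < 0x20 for b in decoded):
        return ("blocked", "non-ASCII or control byte after decoding")
    text = decoded.decode("ascii")
    if "%" in text:
        return ("blocked", "still percent-encoded after one decode")
    rel = _normalise(text)
    if _escapes_root(rel):
        return ("blocked", "path escapes web root")
    return ("allowed", rel)


def audit(requests: List[str]) -> List[Tuple[str, str]]:
    """Detection view: every request the hardened rule rejects, with the reason."""
    return [(r, reason) for r in requests for verdict, reason in [hardened_check(r)] if verdict == "blocked"]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req:62} vulnerable={vulnerable_resolve(req)[0]:8} hardened={hardened_check(req)}")
```

The double-encoded request is the instructive one: `vulnerable_resolve` lets it through and then builds `../../../winnt/system32/cmd.exe`, a path outside the web root, while `hardened_check` stops it at the "still percent-encoded" rule before any path logic runs. The over-long Unicode forms never need to be decoded the way the broken server did; rejecting any non-ASCII byte in a decoded path is enough. Note that the plain `/scripts/root.exe` probe passes the path rule, as it should: that request is only dangerous if the backdoor file exists, which is a matter for the Code Red II cleanup the slides call for, not for the decoder.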
Web Browser Compromise
Users browsing the web may encounter an IIS server that has been compromised by the worm. One of the changes the worm makes is to search an infected IIS server for HTM, HTML, and ASP files and append a JavaScript snippet to each file it finds. The script attempts to download a readme.eml file to the browser. If the browser is a vulnerable version of Internet Explorer, the eml file executes and infects the user's system.
code is, null,
resizableno, top6000, left6000)tml
Modifications to the Victim after Infection
Searches for executable files on the hard drive, inserts itself into the executable, and runs whenever the executable runs. This includes:
  • All files in the registry application path.
  • SYSTEM.INI, so it runs every time the system boots.
  • All folders containing .DOC files, so it runs when Word or WordPad runs.
  • All folders containing HTM, HTML, or ASP files, so it runs when a browser opens one of these files.
On NT/2000 systems it adds an account named guest to the local Administrators group, gives it a blank password, and turns the account on. On 9x/ME systems, it configures all local drives as shared for user guest.
NIMDA Prevention
  • Apply Microsoft patches to IIS servers.
  • Check for Code Red II backdoors from earlier infection.
  • Patch Internet Explorer to eliminate automatic execution of embedded MIME types.
  • Disable JavaScript.
  • Don't execute attached e-mail files.
Trojan Horses
Based on the well-known story by Virgil in the Aeneid, Book II. A Trojan appears to perform a useful function, but contains code that performs an unexpected, typically not useful, possibly malicious function. Trojans include the Excel Easter Egg, NetBus, Back Orifice and Backnote. The important thing is that these codes typically advertise themselves as performing useful functions to get users to download and execute them.
Excel Easter Egg
Excel 97 contained a program embedded inside the spreadsheet program; the embedded program performed a very different, and unexpected, function. If the user pressed the F5 key and entered X97:L97, then held down Ctrl-Shift and clicked on the chart wizard: behold, a flight simulator appeared with a rudimentary landscape that could be navigated (flown over). If the user navigated to the correct point, the names of the developers could be observed. Rather a boring program, but a classical Trojan. For others, search Google on "Easter Eggs".
Netbus
Aliases: Netbus.153, Netbus.160, Netbus.170. Distribution: typically e-mail, but found in newsgroups as well. Function: a client-server application that allows a remote user to control a PC (Windows 95/98 and NT). The server is installed on the victim in the Windows directory and executes when Windows boots. It is stealthy: it hides its process name, denies delete/rename access, and can vary its execution schedule and remove itself. The client (at the hacker's end) controls the system over TCP/IP and allows many functions to be performed, some really nasty.
Netbus Features
  • Open/close the CD tray, show a BMP or JPEG image, swap mouse buttons.
  • Start an application, play a WAV file, point the mouse to some coordinate.
  • Show a message box and allow the victim to respond.
  • Shut down Windows, reboot, log off, power off.
  • Send keystrokes to the active application on the victim.
  • Get a screenshot from the victim, return system information.
  • Upload (push) any file to the victim.
  • Change the sound volume, record sounds from the victim's microphone.
  • Download and/or delete any file on the victim's system.
  • Make clicking sounds every time the victim presses a key.
  • Block certain keys on the victim's system. ...
Back Orifice
Aliases: BO, BOSniffer, CDC-BO, BOSERVE, BOCLIENT, Ofrifice.srv, Orifice.addon, Hacktool. Distribution: e-mail, newsgroups, bulletin boards. Function: very similar to Netbus (Netbus pre-dates Back Orifice). One of the aliases, BOSniffer, claims to be able to detect Back Orifice, while in reality it is the Back Orifice application itself.
Backnote
Aliases: URLSnoop, PICTURE.EXE, MANAGER.EXE. Size: 350kB. Distribution: e-mail attachment and newsgroup postings. Function: copies itself to the Windows directory as NOTE.EXE and registers itself for execution when Windows boots. On execution, it gathers machine information, including usernames and passwords, copies the information to an encrypted .DAT file and attempts to e-mail the file to
AOL Free - A Whole Series of Trojans
At one time AOL distributed AOL4FREE to Mac users. In early 1997, an e-mail went around saying AOL4FREE.COM was a destructive virus. In March 1997, the major anti-virus vendors declared AOL4FREE.COM a virus hoax. In April 1997, a real virus named AOL4FREE.COM was released; it never spread very far, but did the following: C CD\ DELTREE /y .
Logic Bombs
A program or block of code embedded in a useful program, scheduled to execute based on some future event (time, day, whether a certain user account exists or a certain file exists; there are many options). On e-day, the program executes, usually with disastrous results. 1985 insurance company example: two days after an employee was fired, the bomb went off and deleted 168,000 employee records. The perpetrator was fined 11,800 and served 7 years' probation.
Prevention Measures - Better than the Cure
  • Perform regular backups of all important files.
  • Do not introduce new media (CD, floppy, zip) to a system that has not been backed up. Better, scan all media for viruses with a current scanner.
  • Do not open e-mail attachments, download executables, etc. unless you are sure of the source.
  • For any software you import, scan it before opening or executing. Even some commercial software distributions have been contaminated.
Virus Scanners - Scanning and Remediation
Scan the entire system, including memory and disk files. Detect the presence of a virus, if the scanner knows the virus. Identify the specific virus infesting the system. Remove the offending virus, restoring the system. NOT ALWAYS SUCCESSFUL: the scanner may not recognize or remove it. Then restore from backups. Worst case, re-format the hard drive, and rebuild the
Virus Scanners - Early Years
In the beginning, there were few viruses. Vendors responded by: get the virus (the key point is to have a copy of the virus), examine it, build a recognizer and dis-infector.
Methods used were based on how viruses infect. Used simple string scanning and pattern recognition. Memory and secondary storage locations, including disk boot records, were scanned. Specific bit sequences were used to identify specific viruses. Relied on known lengths to identify and remove malicious code.
The volume of viruses has overwhelmed these largely manual methods.
Virus Scanners - Simple Example of Infection
Adds itself to the end of an executable (any one will do). Modifies the header code to point at the virus (JUMP to virus). Saves the beginning part of the file it changed (from "jump to real program" to "jump to virus").
Layout of the infected file:
Entry Point: legitimate program header, now VVVVVVV (the virus jump code).
Victim program: the legitimate program code.
Exit: original exit.
Virus: the virus action code.
Restore victim: virus code that restores the victim so it executes.
JUMP: virus return to the repaired victim.
Virus Scanners - Remediation
1. Find the virus: do a string search.
2. Find the original beginning of the victim: after the virus jump.
3. Find the size of the virus: look-up based on virus lab examination.
Fix by: remove the jump, move the original entry point to the jump. Truncate the file at the original end of the victim, calculated from the size.
This is tedious, too slow with the virus population expanding, and easily defeated by adding superfluous instructions to the virus string during replication (varying size).
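The three remediation steps above, worked through on a toy executable format, as an added example that is not part of the original slides. The file format, the hypothetical virus "TOYVIR", its signature, its lab-measured length and the offset of the saved header are all constructed here; the infected sample is a hand-built test fixture laid out as on the previous slide, not a real infector. The length check at the end is the caveat in the last bullet: a variant that pads itself fails the lookup and is reported instead of being "repaired" into garbage.

```python
import struct

HEADER_LEN = 4   # toy format: JMP opcode, 2-byte little-endian target, pad byte
JMP = 0xE9       # x86-style "jump near" opcode, used only as a marker here


def make_clean_program(body: bytes) -> bytes:
    """Build a toy executable whose entry point jumps straight to its body."""
    return bytes([JMP]) + struct.pack("<H", HEADER_LEN) + b"\x00" + body


# Constructed "lab" record for one hypothetical appending virus: the string
# the scanner searches for (step 1), the total length measured in the lab
# (step 3) and where inside the virus it stashes the victim's original header.
VIRUS_DB = {
    "TOYVIR": {"signature": b"TOYVIR-SIG", "length": 31, "saved_header_at": 16},
}


def infected_sample(original: bytes) -> bytes:
    """Constructed test fixture with the slide's layout: the header now jumps
    to the appended virus, which carries the saved original header and a jump
    back to the repaired victim. A fixture for the disinfector, not an infector."""
    virus = (b"TOYVIR-SIG"                      # offset 0: signature
             + b"ACTION"                        # offset 10: "action code"
             + original[:HEADER_LEN]            # offset 16: saved original header
             + b"RESTORE"                       # offset 20: "restore victim" code
             + bytes([JMP]) + struct.pack("<H", HEADER_LEN) + b"\x00")  # jump back
    assert len(virus) == VIRUS_DB["TOYVIR"]["length"]
    new_header = bytes([JMP]) + struct.pack("<H", len(original)) + b"\x00"
    return new_header + original[HEADER_LEN:] + virus


def scan(data: bytes):
    """Step 1: plain string search for each known signature."""
    for name, rec in VIRUS_DB.items():
        pos = data.find(rec["signature"])
        if pos != -1:
            return name, pos
    return None


def disinfect(data: bytes):
    """Return (status, data). Step 2 locates the victim's original start from
    the virus jump; step 3 uses the lab-measured length to truncate."""
    hit = scan(data)
    if hit is None:
        return "clean", data
    name, pos = hit
    rec = VIRUS_DB[name]
    target = struct.unpack("<H", data[1:3])[0]
    # The header must jump to the signature and the virus must end exactly at
    # end-of-file. A size-varying variant fails this and is reported, since the
    # fixed-length lookup would otherwise cut the file in the wrong place.
    if data[0] != JMP or target != pos or pos + rec["length"] != len(data):
        return "unrecognized-variant:" + name, data
    at = pos + rec["saved_header_at"]
    saved_header = data[at:at + HEADER_LEN]
    # Put the original entry point back and cut the file at the original end.
    return "disinfected:" + name, saved_header + data[HEADER_LEN:pos]


if __name__ == "__main__":
    original = make_clean_program(b"legitimate program body")
    status, cleaned = disinfect(infected_sample(original))
    print(status, cleaned == original)
```

The fixture and the lookup record are tied together by the assert in infected_sample: if the lab measurement and the sample disagree, the example refuses to run rather than silently producing a wrong "repair".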
Virus Scanners - Anti-Virus Developers
Added a wild card scanner, looking only for special signatures. Heuristic scanning rules to look for generic behavior. Added integrity checks to executables, tested before execution.
Trouble was: the signature database grew to be cumbersome, and scanning got slower and more intrusive.
The move has been to more generic scanners and interception of suspicious behavior (e.g., writing to master boot blocks).
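The two techniques named on this slide, a wild card signature scanner and a pre-execution integrity check, as an added example that is not part of the original slides. The signatures are constructed (the first matches the hypothetical "TOYVIR" string with two wildcard bytes, the second a mov ax,0301h / int 13h BIOS write-sector sequence with wildcards for the register setup in between); the baseline is a SHA-256 per trusted file, recorded at install time and compared at launch.

```python
import hashlib
import re

# Constructed wildcard signatures: space-separated hex bytes, "??" = any one byte.
SIGNATURES = {
    "TOYVIR.A":  "54 4F 59 56 49 52 ?? ?? 53 49 47",   # "TOYVIR" ?? ?? "SIG"
    "BOOTWRITE": "B8 01 03 ?? ?? ?? CD 13",            # mov ax,0301h ... int 13h
}


def compile_signature(pattern: str) -> re.Pattern:
    """Turn a hex signature with '??' wildcards into a bytes regex.
    Each '??' becomes '.', so the match is exact-length: the variant may change
    the bytes under the wildcards but not insert or delete bytes there."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: '.' also matches 0x0A


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan(data: bytes) -> list:
    """Return the sorted names of every signature found in the data."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))


def baseline(files: dict) -> dict:
    """Record a SHA-256 for each trusted executable (taken at install time)."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def check_before_execution(path: str, content: bytes, base: dict) -> str:
    """Integrity check at launch: 'ok', 'modified' (file changed since the
    baseline, e.g. a virus appended itself) or 'unknown' (never baselined)."""
    expected = base.get(path)
    if expected is None:
        return "unknown"
    return "ok" if hashlib.sha256(content).hexdigest() == expected else "modified"


if __name__ == "__main__":
    # Constructed samples: two variants of the same virus string and a benign file.
    print(scan(b"...TOYVIR--SIG..."), scan(b"...TOYVIRxxSIG..."), scan(b"hello"))
    base = baseline({"C:\\APP\\EDIT.EXE": b"MZ original program"})
    print(check_before_execution("C:\\APP\\EDIT.EXE", b"MZ original program" + b"V", base))
```

The integrity check catches what the signature scanner cannot: a brand-new virus with no signature still changes the hash of every file it appends itself to. The cost, as the slide says, is that every launch now pays for a hash of the whole file.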
Modern Scanners
Memory resident - scan every file on access.
On-line profile updates - to keep the database current.
Signature scanning - looking for unique signatures.
Generic decryptors - operate in single-step instruction mode and scan for suspicious activity.
Simulators - emulate instruction execution in a virtual mode. Don't actually execute the instruction on the real machine; execute it in a protected sandbox while observing behavior.
Combine simulation and signature analysis.
Combining Simulation & Signatures - Virus Signs
1. Encryption. A code decryptor is found.
2. Attempts to open an executable file.
3. Suspicious file access (certain files like system files).
4. Time/date event trigger routines (time/date test).
5. Memory resident code.
6. Interrupt hooks.
7. Undocumented interrupt calls.
Combining Simulation & Signatures - Virus Signs (more)
8. Self-relocation in memory, especially if non-standard.
9. Programs that scan for memory size.
10. File search code - search for exe, com, bat files.
11. Strange memory allocation.
12. Replication - the code overwrites the start of other code.
13. Anti-debugging code.
14. Direct disk access - not by OS call.
Combining Simulation & Signatures - Virus Signs (more)
15. Use of undocumented DOS features.
16. Program checks for .exe, .com extensions.
17. Program load trap.
18. Attempts to perform BIOS access.
There is a continuing effort on the part of the virus developers to void the actions of the anti-virus community, and by the anti-virus community to stay even with the virus developers. Very much like the real world of biological viruses.
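How a simulator turns the eighteen signs above into a verdict, as an added example that is not part of the original slides. The emulator itself is assumed: this code takes the event trace such a sandbox would record while running a program and scores it against a subset of the signs (numbered as on the slides). The sample traces, event names, weights and threshold are all constructed. The one piece of logic worth noting is the replication rule (sign 12): a single file open or a single write is weak evidence, but a write at offset 0 of an executable the program itself just opened is the appending-virus pattern from the earlier slides, and is weighted accordingly.

```python
EXEC_EXT = (".exe", ".com", ".bat")
SYSTEM_FILES = {"io.sys", "msdos.sys", "command.com"}   # constructed list
DISK_PORTS = {0x1F0, 0x1F7, 0x3F2, 0x3F5}               # IDE/floppy controller ports
# Weights per sign number (constructed): strong indicators score more.
WEIGHTS = {1: 3, 2: 1, 3: 2, 4: 1, 5: 2, 6: 3, 7: 2, 10: 2, 12: 5, 13: 2, 14: 3, 18: 2}
THRESHOLD = 6


def heuristic_scan(trace):
    """Score a sandbox event trace. trace: list of tuples, e.g.
    ("open", path), ("write", path, offset), ("find_file", pattern),
    ("set_vector", int_no), ("int_call", int_no, documented: bool),
    ("get_date",), ("stay_resident",), ("debugger_check",), ("decrypt_loop",),
    ("port_io", port). Returns (verdict, score, sorted sign numbers)."""
    signs = set()
    opened_exes = set()   # executables this program opened: input to sign 12
    for ev in trace:
        kind = ev[0]
        if kind == "decrypt_loop":
            signs.add(1)
        elif kind == "open":
            path = ev[1].lower()
            if path.endswith(EXEC_EXT):
                signs.add(2)
                opened_exes.add(path)
            if path.rsplit("\\", 1)[-1] in SYSTEM_FILES:
                signs.add(3)
        elif kind == "write":
            # Sign 12: overwriting the start of another executable it opened.
            if ev[1].lower() in opened_exes and ev[2] == 0:
                signs.add(12)
        elif kind == "get_date":
            signs.add(4)
        elif kind == "stay_resident":
            signs.add(5)
        elif kind == "set_vector":
            signs.add(6)
        elif kind == "int_call":
            int_no, documented = ev[1], ev[2]
            if not documented:
                signs.add(7)
            if 0x10 <= int_no <= 0x1F:       # BIOS service range, below DOS's 20h+
                signs.add(18)
        elif kind == "find_file" and ev[1].lower().endswith(EXEC_EXT):
            signs.add(10)
        elif kind == "debugger_check":
            signs.add(13)
        elif kind == "port_io" and ev[1] in DISK_PORTS:
            signs.add(14)
    score = sum(WEIGHTS.get(s, 0) for s in signs)
    verdict = "suspicious" if score >= THRESHOLD else "benign"
    return verdict, score, sorted(signs)


# Constructed traces: a text editor saving a file, and an appending infector.
BENIGN_TRACE = [("get_date",), ("open", "C:\\DOCS\\NOTES.TXT"),
                ("write", "c:\\docs\\notes.txt", 0), ("int_call", 0x21, True)]
INFECTOR_TRACE = [("find_file", "*.EXE"), ("open", "C:\\APP\\EDIT.EXE"),
                  ("write", "C:\\APP\\EDIT.EXE", 4096), ("write", "C:\\APP\\EDIT.EXE", 0),
                  ("set_vector", 0x21), ("stay_resident",)]

if __name__ == "__main__":
    print(heuristic_scan(BENIGN_TRACE))
    print(heuristic_scan(INFECTOR_TRACE))
```

The editor's write at offset 0 of its own .TXT file does not trip sign 12, because the rule only fires for executables; a single get_date or documented DOS call scores 1, well under the threshold. That asymmetry is the whole point of weighting: the signs on the slides are individually common in legitimate programs, and only their combination is rare.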
Summary
Detect - based on samples of the virus contributed to an anti-virus vendor for action.
Analysis I - the vendor observes the code and determines whether it is reliably detected with existing signature and heuristics capability.
Analysis II - determine the method to remove the virus by defining the entry point & length.
Remediation - write dis-infecting code for the specific virus.
Distribution - update the profile, signature, and remediation library for on-line distribution.