Development of highlevel language viruses under Windows

About This Presentation

Title:

Development of highlevel language viruses under Windows

Description:

1' will be replaced by the EXE's filename (with full path) ... Naming to svchost ( Dirty Way ) All we need to do is name our evil executable file to svchost.exe ... – PowerPoint PPT presentation

Number of Views:64

Avg rating:3.0/5.0

Slides: 26

Provided by: JR72

Category:

more less

Transcript and Presenter's Notes

Title: Development of highlevel language viruses under Windows

1
Development of high-level language viruses under
Windows
µCon security conference 2008

Breno Dario Ulisses Rocha

2
File Infection

File infection overview

Overwriting
Prepending

PE Infection
Source File Infection

3
File Infection

Prepend-like

Most used technique for
file infection in HLL-viruses
Just reading/writing operations
Deal with abstract .exe files instead of PE
structure
Can be implemented in almost all languages

4
File Infection

Prepend-like (dirty side)

Infected files get bigger, so the user may notice
Tiny executables should be avoided for stealth
reasons

5
File Infection

Alternate Data Streams (ADS)

Requires to be running at least one hard drive
with the NT file system
(NTFS), and luckily most systems do these
days.
Compatibility with the Macintosh Hierarchical
File System (HFS).
Files stored on a HFS consist of two parts
(known as forks).
Data fork and Resource fork.
Windows systems using NTFS stores Macintosh
resource forks in a hidden
NTFS stream.
Information stored on resource fork does not
alter in any way the original file
(eg. Last modified date or file size).

6
File Infection

Prepend ADS for stealth

Hide virus body in the resource fork
Infect file with a tiny executable instead of
the entire virus
Traveling problems

Spreading

8
Spreading

Search Mechanism
In-Memory Strategies
Direct Action
Memory-Resident
Temporary Memory-Resident
How to Spreading (Most common mechanisms)
E-mail
Shared Folders
P2P Folders
USB Watcher

9
Spreading

Registry Shell Spawning
Temporary Memory-Resident
Relies on the operating system
How do you know which are EXE targets ?
Windows registry
HKEY_CLASSES_ROOT\exefile\shell\open\comm
and
"1"
What does that ?
"1" will be replaced by the EXE's filename
(with full path)
will be replaced by it's parameters.

10
Spreading

Example
File Name test.exe
Path C\windows\
Command Line
"C\windows\test.exe" -arg1 -arg2
Use that feature
Change the registry entry to
"C\Windows\System32\virus.exe" "1"
Command Line
"C\windows\system32\virus.exe"
"C\windows\test.exe" -arg1 -arg2
"our virus will be executed
EVERY TIME an EXE file is started."

11
Registry Shell Spawning
12

Self Protection

13
Process Hiding

API Hooking ( Fashion Way )

Intercepts messages of hooked process
TaskManager retrieves information about the list
of processes running calling the function
NtQuerySystemInformation on ntdll
The goal is to intercept calls of
NtQuerySystemInformation made by taskManager and
drop the information of our evil process before
it reach taskManagers process
Some times avoided because of its complexity
For this technique we need to inject a dll into
target process memory space
So as a payload the virus must carry in a dll

14
Process Hiding

Naming to svchost ( Dirty Way )

All we need to do is name our evil executable
file to svchost.exe
There is always more than one svchost process
running so our virus will stay unnoticed by the
user
Some says its a lame technique but the true is
its very effective
Its widely used cause there is no implementation
needed

15
Fucking AVs

AV Killer

AV Killer does the dirty job of takig AVs out of
orbit
The first thing we need to implement an AV
Killer is a list of AVs process names
The virus loops thru the running processes list
looking for specific names and kill them
The technique can be dangerous if is misused