DOCUMENT INFORMATION

Title: Malicious software
Author: The SANS Institute
Institution: SANS Institute
Subject: Malicious Software
Type: Course handout
Year published: 2001
Pages: 27
Size: 381.8 KB


Encryption and Exploits - SANS ©2001 1

Malicious Software

Security Essentials The SANS Institute

This course on Malicious Software is part of the SANS Security Essentials series

Picture this: the trade press is all abuzz with warnings of a new killer virus, Child of Chernobyl. Recall that Chernobyl struck on April 26, 1999. In Korea alone, it affected as many as a million computers, causing more than $250 million in damages. The boss has just come down with a magazine article in hand and has told you to drop everything. You have three days to ensure the organization is ready before "Child of Chernobyl" day. Is this real or a hoax? What do you do to find out? How do you meet the boss's demands to get anti-viral software installed and updated as needed? Stay tuned for answers to these questions and more...

Of course, this course isn't going to solve all your problems if you suddenly get hit and have no plan of action or procedures in place. So you are going to need to apply what you learn here.


Objectives

• Malicious code

• Virus and hoax information

• Virus types and methods

• Organizational AV policy

• Desktop anti-viral care and feeding

At the completion of this course, the student will be familiar with these core concepts of anti-viral protection

What is malicious software? How does it spread? What are some of the characteristics of viruses? What is the difference between a virus and a hoax? Where can I go to get more information on them? Does my organization have an anti-viral policy? What does it say? Is it up-to-date?

What is anti-viral software?

What is involved in the care and feeding of desktop anti-viral software?


Malicious Software (Malware)

Malware is a generic term for a number of different types of malicious code: viruses, worms, Trojan horses, and malicious applets. First, we will define what these things are.

A virus is a piece of parasitic code (or program) written specifically to execute on behalf of the user without the user's permission (or knowledge). It is parasitic in that it attaches itself to files (or boot sectors) and then replicates, causing the spread to continue. Some viruses do little more than replicate and serve as a nuisance; others can do serious damage, such as affecting programs or degrading system performance (the virus payload). Never assume that a virus is harmless and leave it intact. We will look at the various types of viruses in the slides to follow.

A worm is a self-contained program (or set of programs) that is able to spread functional copies of itself to other computer systems (usually via a network). Host-computer worms are entirely contained on their host computer. Host-computer worms that delete themselves from one host upon propagation to a new host are called rabbits; they 'hop' around a network. Some worms run in multiple parts on many hosts. These worms are called network worms. A network worm with one coordinating segment and many client sub-segments is termed an octopus! Note: malicious code is called a worm when it requires no specific action on the part of the user to enable infection and propagation. It just spreads. If the code requires the user to open an email or load a screen saver or take some other action, then it is called a virus.

Trojan horses are programs with an intended action that is not documented or revealed. Typically, Trojan horses masquerade as some other harmless or trusted program. A well-known Trojan horse is Back Orifice.

Malicious applets are applets that attack the local system of a web surfer and involve denial of service, invasion of privacy, and annoyance. Malicious applets are distinguished from attack applets, which exploit vulnerabilities in the implementation of the Java security model.


Virus Types

• File infectors / Program viruses

– Direct action

– Memory resident

– Cluster or File system virus

• Potential to spread over networks

Viruses are identified by the ways they infect computers Usually, a virus falls into one of the following three categories: Program viruses, boot record infectors, or macro viruses

For the next few slides, we will focus on program viruses. A program virus gets activated when the program is executed (or run). The virus is loaded into the computer memory and then proceeds to wreak havoc. The results of the virus triggering may not be obvious immediately, as the virus may have a built-in delay (an event-triggered virus). First signs of infection can include files being saved with malformed or improper names.

Program viruses are usually attached to files such as COM or EXE files, but can infect any executable or interpretable file: overlays, drivers, system files, or binary files. Examples also exist of viruses that infect C source code, such that the compiled executable is infected!

Direct-action file infectors find one or more selected programs to infect each time the infected program is run. Resident viruses install to the system service area of RAM and infect new programs when they are run. Cluster viruses infect program files indirectly by modifying file system


COM Program Infectors

[Slide diagram: three COM file layouts drawn from START to END. Prepended virus: VIRUS code sits in front of the COM program. Appended virus: a JUMP placed at the start of the COM program transfers control to VIRUS code placed after it. Original COM program shown for comparison. The numbered arrows in the figure are not recoverable from the text.]

Now we'll take a look at how program files are actually infected.

COM file viruses attach themselves to their target in one of three ways: by prepending to the beginning, by appending to the end, or by overwriting part of the file.

A prepending virus gains control when the first instruction of the infected COM file is executed. The virus runs and then passes control to the original program. Because of this, users may not notice anything different.

An appending virus writes a jump instruction at the first instruction in the file. This jump takes execution to the virus, which later returns control to the COM program.

Overwriting viruses simply write their code to the beginning of the file. These viruses therefore destroy the original program. More sophisticated overwriting viruses make a copy of the portion that they overwrite, which can later be executed, all in an effort to remain covert.


EXE Program Infectors

[Slide diagram: an original EXE program beside an infected EXE program, showing the header's CS:IP entry pointer redirected from the original load image to the viral code appended at its end.]

Executables consist of two parts: the header and the load image. The header contains, among other things, a pointer that points to the first instruction to be executed in the load image. The pointer (CS:IP) consists of a pair of values: the code segment (CS) and instruction pointer (IP). A header entry named SIZE stores the size of the load image.

When the executable is infected, these header entries are altered. CS:IP becomes VCS:VIP and now points to the start of the appended viral code. SIZE increases to VSIZE and measures the size of the infected load image. Running the infected program will cause a jump to the virus load image. When completed, the viral code hands execution back to the original program.
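The header arithmetic on this slide and the three COM layouts on the previous one can be turned into a simple integrity check. The following Python is an added example (not from the SANS handout): it parses the real MZ header fields behind the slide's CS:IP and SIZE, flags an entry point that lands in the tail of the load image or a COM file whose first instruction is a JMP into its own tail, and compares header fields against a saved baseline. The sample files are constructed in the code (NOP filler stands in for both program and virus body), and the "tail of image" threshold is an assumption for illustration, not a value from the handout.

```python
"""Header checks for DOS COM and EXE images.

Added example, not part of the SANS handout. It turns the two infection
pictures on the slides into checks an integrity scanner could run: a COM
file whose first instruction jumps into its own tail (appended virus), and
an EXE whose header entry point CS:IP has been moved to the end of a grown
load image. The threshold and sample files are constructed for illustration.
"""
import struct

MZ_HEADER = struct.Struct("<14H")  # the first 28 bytes of a DOS MZ header
TAIL_FRACTION = 0.25               # assumed: entry in the last quarter of the image is suspicious


def parse_mz(data: bytes) -> dict:
    """Decode the MZ header fields the slide calls CS:IP and SIZE."""
    if len(data) < MZ_HEADER.size or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    (_magic, cblp, cp, _crlc, cparhdr, _minalloc, _maxalloc,
     _ss, _sp, _csum, ip, cs, _lfarlc, _ovno) = MZ_HEADER.unpack_from(data)
    header_size = cparhdr * 16
    # SIZE on the slide: bytes the header claims the file occupies
    # (cp pages of 512 bytes, cblp bytes used on the last page)
    declared_size = cp * 512 if cblp == 0 else (cp - 1) * 512 + cblp
    return {
        "header_size": header_size,
        "declared_size": declared_size,
        "load_image_size": declared_size - header_size,
        "cs": cs,
        "ip": ip,
        # file offset of the first instruction executed in the load image
        "entry_offset": header_size + cs * 16 + ip,
    }


def check_exe(data: bytes) -> list:
    """Findings for an EXE image; an empty list means nothing looked odd."""
    hdr = parse_mz(data)
    findings = []
    if len(data) > hdr["declared_size"]:
        findings.append("%d bytes of trailing data beyond the header SIZE"
                        % (len(data) - hdr["declared_size"]))
    image_entry = hdr["entry_offset"] - hdr["header_size"]
    if image_entry >= hdr["load_image_size"]:
        findings.append("CS:IP points outside the declared load image")
    elif image_entry >= hdr["load_image_size"] * (1 - TAIL_FRACTION):
        findings.append("CS:IP points into the tail of the load image (appended code?)")
    return findings


def check_com(data: bytes) -> list:
    """Findings for a COM image: flag a first-instruction JMP into the file's tail."""
    findings = []
    if len(data) >= 3 and data[0] == 0xE9:             # JMP rel16
        rel = struct.unpack_from("<h", data, 1)[0]
        target = 3 + rel                                # offset within the image
        if 0 <= target < len(data) and target >= len(data) * (1 - TAIL_FRACTION):
            findings.append("entry JMP lands at offset 0x%X, in the file tail (appended virus?)" % target)
    return findings


def changed_fields(baseline: bytes, current: bytes) -> dict:
    """Integrity-style comparison: which header-derived fields moved since the baseline?"""
    a, b = parse_mz(baseline), parse_mz(current)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def build_mz(load_image: bytes, cs: int, ip: int) -> bytes:
    """Construct a minimal MZ file as sample input (not a real program)."""
    header_paras = 2                                    # 32-byte header
    cp, cblp = divmod(header_paras * 16 + len(load_image), 512)
    if cblp:
        cp += 1                                         # partial last page counts as a page
    header = MZ_HEADER.pack(0x5A4D, cblp, cp, 0, header_paras, 0, 0xFFFF,
                            0, 0, 0, ip, cs, MZ_HEADER.size, 0)
    return header + b"\x00" * (header_paras * 16 - len(header)) + load_image


def build_appended_sample(com: bytes, body: bytes) -> bytes:
    """Lay out the slide's 'appended virus' picture on a COM image (inert filler body).

    The first three bytes become a JMP to the old end of file, where `body`
    now sits, followed by the three displaced original bytes.
    """
    rel = len(com) - 3                                  # rel16 is relative to the byte after the JMP
    return b"\xE9" + struct.pack("<h", rel) + com[3:] + body + com[:3]


# Constructed samples: "mov ah,4Ch / int 21h" (DOS exit) followed by NOP filler.
CLEAN_COM = b"\xB4\x4C\xCD\x21" + b"\x90" * 196
INFECTED_COM = build_appended_sample(CLEAN_COM, b"\x90" * 40)
CLEAN_IMAGE = b"\xB4\x4C\xCD\x21" + b"\x90" * 476       # 480-byte load image
CLEAN_EXE = build_mz(CLEAN_IMAGE, cs=0, ip=0)
# Infected: 64 bytes appended, CS:IP pointed at them and SIZE updated to match (VCS:VIP, VSIZE)
INFECTED_EXE = build_mz(CLEAN_IMAGE + b"\x90" * 64, cs=len(CLEAN_IMAGE) // 16, ip=0)

if __name__ == "__main__":
    for label, data, check in (("clean COM", CLEAN_COM, check_com),
                               ("infected COM", INFECTED_COM, check_com),
                               ("clean EXE", CLEAN_EXE, check_exe),
                               ("infected EXE", INFECTED_EXE, check_exe)):
        print(label, check(data) or ["no findings"])
    print("header fields changed:", changed_fields(CLEAN_EXE, INFECTED_EXE))
```

After the infection the slide describes, the header is self-consistent (SIZE has already grown to VSIZE), so the trailing-data test stays quiet; only the entry-point heuristic or a comparison against a clean baseline catches the change. That is why integrity checkers keep hashes or header baselines rather than trusting a file's own metadata.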


Virus Types (2)

• Boot record infectors

– Floppy boot record (FBR)

– Master boot record (MBR)

– DOS boot sector (DBS or PBR)

– No network spreading potential

• Multipartite

– Potential to spread over networks

The next virus we'll review is the boot infector. Every disk has a boot sector (regardless of whether or not it is actually bootable). When a computer is powered up, it looks for boot information according to a list provided by the computer BIOS. If any of the media in the drives specified in the BIOS list have a boot sector virus, the infection will get transferred to the boot drive. Once the infection is complete, the virus will get loaded into memory at startup. From there, the virus can be spread to every disk that is read after startup. Results of the infection can range from nuisance (if at all) to destruction of boot information, to a need for a complete format of the hard disk.

Floppy disks contain a floppy boot record (FBR) which can harbor a virus. If a system is booted from such a floppy, the virus will load and infect the hard disk. Viruses on hard disks infect either the master boot record (MBR) or the partition boot record (PBR) (sometimes called the DOS boot sector (DBS)). The MBR is the first place the BIOS looks when booting from a hard drive. If a virus is present, it can seize control of the hardware before the operating system even sees the light of day! PBRs are executed after the bootstrap program in the MBR passes control to the active partition. Operating system files that are present on a partition are loaded according to instructions in the PBR. As with an MBR infection, if a virus is present, it will be loaded before the operating system.

Multipartite viruses are hybrids of boot infectors and program viruses. When executed as a program, boot sectors become infected, and vice versa: if multipartite-infected media are booted, program files get infected. Multipartite viruses provide a mechanism by which boot-sector viruses can get around on networks (they travel as program files). Boot-sector viruses cannot, on their own, infect across networks. This is because the network protocols do not support sector-level operations.


• High network spreading potential!

A macro virus is malicious code contained in a set of instructions that are included within an application, such as a word processor or spreadsheet. Unlike program viruses, which target executables, macro viruses target data files. Once the macro containing the infection is loaded onto your computer, it can infect other files (such as the normal.dot template for Microsoft Word) or cause itself to be propagated to other users automatically. A typical example is the Melissa macro. It caused a document containing the macro to be mailed electronically to other email users.

The activated macro virus is limited only by the capabilities of the 'macro language' being used. Microsoft macros, written in Visual Basic, can access all host application features (e.g. Word) and many OS features (Windows). For example, in Word or Excel, try opening <Tools-Macro-Visual Basic Editor>. This opens a Visual Basic session enabling complex macro design. Imagine the potential damage from commands such as Open, Kill (delete), or RmDir!

Macro viruses can spread as email attachments. Users open an infected attachment, the virus reads the address book, and mails itself on. For this reason, macro viruses have a huge potential to spread over networks.


Virus Protection Techniques

• Stealthing

– virus attempts to hide or 'cloak' itself

– hiding from anti-virus software

– read stealthing

– size stealthing

• Need to scan memory to detect

To avoid detection, or being picked up during an anti-virus scan, sophisticated viruses employ techniques to cover their presence or tracks. When active, the virus builds itself a "cloaking device".

Stealthing is achieved in a number of ways. The virus, through being memory resident (or hooked into system services), monitors system function calls. When a system call is made, it is intercepted by the virus and the virus tells a lie back to the system. In this way the system is deceived.

Read stealthing involves monitoring attempts to read or write infected files (e.g. open, read, or close). If an infected program file is opened and read, the virus might give back to the system information from a backed-up copy of the original file: the infection is invisible! Another form of read stealthing monitors direct access to disk sectors. Even if low-level calls are made to read the master boot record (e.g. BIOS interrupt 13h), the virus will interject.

Size stealthing viruses monitor calls to directory entries and other parts of the file system. If the operating system were to inquire as to the size of an infected file, the call is intercepted and a lie is told.

Stealthing prevents or hinders detection by examining disks. Anti-virus scanning software must therefore resort to scanning the system portions of RAM to detect these viruses, or scan the disk after booting from known-clean media so that the virus is not resident to lie while the disk is examined.


Virus Protection Techniques (2)

• Polymorphism

– poly = many, morph = form

– encryption/decryption routines

– mutation engines

• Makes a scanner's job a lot harder

Now let's look at another protection technique: polymorphism. Polymorphism literally means many forms. A polymorphic virus therefore has many and varying forms, very biological indeed. If a virus is continually changing the way it looks, the job of the anti-virus scanner is made a lot more difficult.

Viral polymorphism is achieved by using a mechanism that varies the code used to decrypt, or unsheath, the virus into its active state. The inactive virus is encrypted so that it cannot be easily detected by scanning for common strings (in fact, the code of the virus body will look like random data).

If the encryption and decryption routines did not change from virus to virus, then a scanner could detect the virus by detecting the decryption code. Therefore, polymorphic viruses change their decryption routines on the fly. These changes might be made by a mutation engine built into the virus that is linked to a random number generator. Alternatively, some mechanism might exist to vary the sequence of instructions, or insert redundant instructions into the mutating routine. The decryption routines still perform their functions, but the way they look is different.
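To make the scanner's problem concrete, here is an added Python example (not from the SANS handout). The "virus body" is an inert byte string and the decryptor is a toy three-opcode instruction set invented for the example; each generation re-encrypts the same body under fresh keys, shuffles the decryptor's instruction order and pads it with junk NOPs, as the mutation-engine description above suggests. A plain string scan finds nothing stable across generations; a scan that first emulates the decryptor (generic decryption) finds the body every time.

```python
"""Why signature scanning struggles with polymorphic code.

Added example, not from the SANS handout. The 'virus' is an inert byte
string and the 'decryptor' is a three-opcode toy instruction set constructed
for this example: each generation encrypts the same body under fresh keys
and emits a decryptor whose instruction order and junk padding vary.
"""
import random

BODY = b"CONSTRUCTED-SAMPLE-VIRUS-BODY"   # the constant code the scanner wants to find
SIGNATURE = b"SAMPLE-VIRUS"               # a substring of BODY used as the signature

# Toy decryptor opcodes (constructed): NOP is junk, XOR/ADD take a one-byte operand,
# END marks where the encrypted body begins.
OP_NOP, OP_XOR, OP_ADD, OP_END = 0x00, 0x01, 0x02, 0xFF


def build_generation(rng: random.Random) -> bytes:
    """One mutated sample: variable decryptor stub followed by the body encrypted to match it."""
    # ADD key kept below 128 so that no key pair makes the combined transform an identity.
    steps = [(OP_XOR, rng.randrange(1, 256)), (OP_ADD, rng.randrange(1, 128))]
    rng.shuffle(steps)                                   # mutation: vary instruction order
    body = BODY
    for op, k in reversed(steps):                        # encrypt with the inverse of each step
        body = bytes(((b ^ k) if op == OP_XOR else (b - k) & 0xFF) for b in body)
    stub = bytearray()
    for op, k in steps:
        stub += bytes([OP_NOP]) * rng.randrange(0, 4)    # mutation: insert redundant instructions
        stub += bytes([op, k])
    stub.append(OP_END)
    return bytes(stub) + body


def split_sample(sample: bytes) -> tuple:
    """Separate the decryptor (as a list of (op, operand) steps) from the encrypted body."""
    i, steps = 0, []
    while sample[i] != OP_END:                           # operands are consumed with their opcode,
        op = sample[i]                                   # so an operand byte of 0xFF is never read as END
        if op == OP_NOP:
            i += 1
        elif op in (OP_XOR, OP_ADD):
            steps.append((op, sample[i + 1]))
            i += 2
        else:
            raise ValueError("unknown opcode 0x%02X" % op)
    return steps, sample[i + 1:]


def emulate(sample: bytes) -> bytes:
    """Run the stub's instructions over the body, as a generic-decryption engine would."""
    steps, body = split_sample(sample)
    for op, k in steps:
        body = bytes(((b ^ k) if op == OP_XOR else (b + k) & 0xFF) for b in body)
    return body


def static_scan(sample: bytes) -> bool:
    """Plain string-signature scan of the file as stored on disk."""
    return SIGNATURE in sample


def emulating_scan(sample: bytes) -> bool:
    """Decrypt first (by emulation), then scan the plaintext body."""
    return SIGNATURE in emulate(sample)


def scan_generations(count: int) -> dict:
    """Build `count` generations with fixed seeds and report how each scanner fares."""
    gens = [build_generation(random.Random(seed)) for seed in range(count)]
    stubs = {tuple(split_sample(g)[0]) for g in gens}
    return {
        "generations": count,
        "distinct_stubs": len(stubs),
        "static_hits": sum(static_scan(g) for g in gens),
        "emulated_hits": sum(emulating_scan(g) for g in gens),
    }


if __name__ == "__main__":
    print(scan_generations(20))
```

Real engines do this with a CPU emulator over the sample's actual decryptor, but the principle is the same: the body has to decrypt itself before it can run, so letting it do so in a sandbox and scanning the result defeats the polymorphism.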


Other Virus Variations

– Fast and slow infectors

– Companion viruses

– Sparse infectors

– Cavity viruses

– Tunnelling viruses

– Armored viruses

– Retro viruses

– "In the wild"

It is worthwhile taking a look at some other virus variations

Fast infectors are memory-resident program viruses that not only infect programs that are executed, but also those that are opened or accessed. The danger with this is the potential spread of infection before the virus is detected. Imagine scanning (hence infecting!) 70% of all your files before you detect the fast infector.

Slow infectors only infect files when they are created or modified. This is an attempt to avoid the integrity checking or file monitoring capabilities of anti-virus software. A file changes when it is modified, so this is a good time for a virus to conceal its actions.

Sparse infectors only infect occasionally (e.g. 1 in 10 files accessed).

Cavity viruses write themselves to redundant or null constant portions of a program file. In this way, the file remains the same size and has the same function, but it is carrying the virus in a 'cavity'.

Tunneling viruses bypass activity-monitoring software by reaching the original interrupt handlers directly, rather than going through the monitor's hooks, or by driving the hardware controllers themselves. For example, disks can be accessed by directly reading and writing the address and data buses.

Armored viruses employ tricks to make analysis, such as tracing and disassembly, difficult.

Retro viruses are "anti-anti-virus". These viruses set out to attack or hinder the software that detects them. Retro viruses exist in nature, with the most infamous example being HIV, which attacks the human immune system.

Finally, if a virus has been verified (by groups that track viruses) to have caused an infection in other than a laboratory environment, it is described as 'in the wild'. A virus that has not been observed in


ILOVEYOU Virus

• E-mail attachment

• Attempts to spread to Outlook address book contacts

• Installs a password-grabbing program

• Overwrites some files

Now let's examine the structure and mode of action of a recent virus: the ILOVEYOU virus.

On May 4, 2000, many computer users encountered mail with the subject stating "ILOVEYOU". The mail body instructed users to "kindly check the attached LOVELETTER coming from me." History now says that many did not resist the temptation.

The attachment (named LOVE-LETTER-FOR-YOU.TXT.vbs), when opened, resulted in a script being run that spread the same message to all contacts in all of the victim's address books.

Typically, address books contain multiple entries. This means the virus amplifies after each new infection.
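The attachment name is itself a detection opportunity. The following Python is an added example (not from the SANS handout) of a mail-gateway style check: it flags attachments whose real extension is one the Windows Scripting Host will execute, and separately flags the double-extension disguise used here (.TXT.vbs), which works because the shell hides the final extension and the user sees a "text file". The extension lists and all sample names except the ILOVEYOU one are constructed for this example.

```python
"""Attachment-name check for the ILOVEYOU pattern.

Added example, not from the SANS handout. The extension lists and the
sample names other than LOVE-LETTER-FOR-YOU.TXT.vbs are constructed.
"""
import os

# Extensions the Windows Scripting Host (or the shell) executes on a double-click
# (constructed list; a real gateway policy would be broader).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Extensions users read as harmless data, which an inner extension can imitate.
DECOY_EXTENSIONS = {".txt", ".doc", ".xls", ".jpg", ".gif", ".pdf"}


def classify_attachment(filename: str) -> str:
    """Return 'double-extension', 'script' or 'ok' for one attachment file name.

    Trailing spaces and dots are stripped first: the Win32 file APIs drop them
    when a file is created, so "report.txt.vbs ." still lands on disk as
    VBScript even though a naive filter would not see a .vbs suffix.
    """
    name = filename.strip().rstrip(". ").lower()
    root, ext = os.path.splitext(name)
    if ext not in SCRIPT_EXTENSIONS:
        return "ok"
    _, inner = os.path.splitext(root)
    if inner in DECOY_EXTENSIONS:
        return "double-extension"
    return "script"


def blocked_attachments(filenames: list) -> list:
    """Names a gateway policy of 'no script attachments' would hold back from a message."""
    return [n for n in filenames if classify_attachment(n) != "ok"]


# Constructed message: the ILOVEYOU attachment name from the slide plus three made-up names.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "minutes.doc",
    "Photo.JPG.js ",
    "cleanup.wsf",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print("%-30r %s" % (name, classify_attachment(name)))
    print("blocked:", blocked_attachments(SAMPLE_ATTACHMENTS))
```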

The ILOVEYOU virus has two distinct parts to its payload: installation of a password grabber and the overwriting of files.

The password grabber is installed by changing the startup page of the local browser to a web page


A look at the virus code is instructive.

The ILOVEYOU virus is written in VBScript, and will therefore run on systems that have the Windows Scripting Host (WSH) installed, or systems that interpret Visual Basic and have a Wscript library. WSH is installed if you choose a standard installation of the operating system, or if you install Internet Explorer 4 or 5, or if you download WSH from Microsoft. (Check <My Computer - View - Options - File Types> and look for VBScript or Windows Script Hosting components.) An application that can be driven by a scripting engine is a scripting host.

The code consists of five routines and some supplementary support functions. The routines are: main(), regruns(), spreadtoemail(), html(), and listadriv(). Each of these subroutines will be examined in turn.
