VIRUS HUNTING - PowerPoint PPT Presentation

About This Presentation
Title: VIRUS HUNTING
Slides: 14
Provided by: prad74
Learn more at: https://www.cs.odu.edu

Transcript and Presenter's Notes

1
VIRUS HUNTING
  • Presented by
  • Pradeepa Chandramohan

2
Introduction
  • A developer's machine is much more prone to virus
    attacks than an average corporate user's, because
    developers access different servers and other
    remote machines.
  • More security than anti-virus software alone is
    required.
  • Most viruses today disable the anti-virus
    software as the first step of their activation.
  • Anti-virus software is good at keeping us safe
    from known threats.
  • To look out for viruses, it is necessary to think
    like a virus writer. A basic understanding of
    viruses, and of the most common areas through which
    they enter the system, is required to deal with
    them.

3
Preparing to do battle
  • The author writes the executable code.
  • What is the author's intention? Reformatting the
    hard drive? Deleting JPG files? Mailing copies of
    itself to you and your contacts?
  • Usually, virus executable code is run by the
    direct method: some user receives an e-mail
    attachment called Fun.exe or some equally
    appealing name, and the virus is released when this
    code is run.
  • Nowadays, less obvious techniques have been
    adopted.

4
What constitutes executable code?
  • .exe, .cmd and .com files are all examples of
    executable files.
  • Word processing documents contain macros to
    perform customized tasks. UNSAFE!!! Macros can
    run unsafe code.
  • In general, executable code falls into three
    categories: stand-alone programs, code included
    within resources or libraries, and script or
    macro code executed by an interpreter of some
    kind.
  • A stand-alone program is any file that the
    operating system can execute directly. To see
    which of these file types a virus can use, we
    need to examine the Windows registry.
  • Launch the Registry Editor, regedit.exe, and
    expand the HKEY_CLASSES_ROOT (HKCR) node, which
    is the operating system's repository for
    information on file associations and commands.
  • Navigate down the tree until you locate the key
    named .exe. Select this node; its default value
    is exefile. This is a pointer to another key
    under HKCR (the exefile key).

5
What constitutes executable code? (Contd..)
  • The exefile key contains a shell subkey where a
    file type's available actions are defined. These
    are called verbs. For example, in a Word
    document, print is a verb.
  • Expand the shell subkey of the exefile node to
    view the verbs available for EXE files.
  • The key to consider is open. Expand this
    node and select its command subkey. Each verb has
    its own subkey, and each of those keys in turn has
    its own command subkey. The default value in this
    subkey dictates what exactly happens when that
    verb is executed.
  • Double-clicking an icon executes the default
    verb's command (open for EXE files).
  • The open verb's command has the value "%1" %*. The
    path and filename of the EXE file activated
    are substituted for the %1 parameter, while any
    switches or command-line parameters that go along
    with it are passed through the %* parameter.
  • File types such as .com, .pif, .vbs and .cmd
    likewise have a default open verb of "%1".

6
Screensavers BEWARE!!!
  • The default value of the open verb for the EXE file
    type is "%1", and for the SCR (screensaver) file
    type it is "%1" /S.
  • The only difference between these two default
    verbs is the /S switch for the SCR file type.
  • The intended purpose of the screensaver's open verb
    is to allow a screensaver to be tested; the
    screensaver executable interprets the /S switch
    accordingly.
  • A virus writer gives the application a .SCR
    extension and simply ignores the /S switch passed
    to it when the user invokes the program.
  • The screensaver's open verb is shown as "Test" in
    the context menu. The user thinks he is just testing
    a screensaver, while actually activating a virus.
    This caption is stored in the default value of
    the open key. It should be changed to "Open and
    test", so that the user realizes that when they
    select that menu item, any executable code inside
    the screensaver is going to execute and could
    therefore be harmful.

7
Libraries can be dangerous
  • Executable code may be contained inside resources
    or component libraries of many different
    varieties.
  • These file types include Dynamic Link Libraries
    (DLL), Control Panel applets (CPL), various type
    libraries (TLB, OLB, etc.), ActiveX controls and COM
    components (OCX, VBX, etc.).
  • Consider the following example:
      rundll32.exe shell32.dll,OpenAs_RunDLL c:\winnt\win.ini
  • The OpenAs_RunDLL function exported from
    SHELL32.DLL accepts one parameter, a file name.
  • When invoked, it displays the Open With dialog
    box. When OK is clicked after selecting an
    application, the filename passed as a parameter
    is opened in the target application.
  • Two possible attacks can be expected. One would
    be to replace an existing DLL with a compromised
    version in which a particular function's
    behaviour is modified.

8
Libraries can be dangerous (Contd..)
  • This way, whenever the system invokes this
    function, instead of producing the desired result,
    the virus gets activated.
  • Another approach would be to write a DLL from
    scratch and invoke its functions using
    RUNDLL32.EXE when needed.
  • This is not quite as straightforward, but it is most
    likely to be accepted by an unsuspecting user or
    to be overlooked by an anti-virus program.

9
Scripts & Macros
  • Script code requires a script engine to interpret
    and run it, but it can still be exploited.
  • Macros contained in Microsoft Office documents
    are the ones most frequently exploited.
  • Windows Script Host (WSH) files (.js or .vbs
    files) carry a default file association that
    causes them to be executed when a user
    double-clicks them.
  • The solution is to change the default action
    from open to edit to avoid accidents.
    This can be done using the Folder Options
    dialog box.

10
Registration files
  • Files with the REG extension (registration files)
    hold information to be merged into the system
    registry.
  • They carry a default verb of open with the
    caption "Merge". If a registration file is
    double-clicked, it dumps its contents directly
    into the system registry, without any
    confirmation.
  • The solution is to change the default verb for
    the REG file type from open to edit.

11
Scrap Objects
  • Scrap objects (SHS and SHB file extensions) are
    particularly risky. They can hide executable
    code and are often overlooked by anti-virus software.
  • Ensure that the anti-virus program scans both file
    types; usually one of them is omitted.
  • Another reason they are risky is that the SHS and
    SHB extensions are always hidden by Explorer. So a
    virus writer could create a scrap object and add
    their own extension: for example, the file appears
    as Funny.jpg while its actual filename is
    Funny.jpg.shs.
  • The solution is to delete the NeverShowExt
    registry value from both keys, or to select the
    "Always show extension" option in the Folder
    Options dialog box.
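As an added illustration (not code from the presentation) of the chain the slides walk through in regedit, here is a small Python audit that follows extension key -> ProgID -> shell\open -> command, flags a caption such as "Test" that hides an open verb which runs the file itself, and checks for NeverShowExt. It runs over a constructed .reg export fragment rather than the live registry, so the sample text, parse_reg and audit are this example's own assumptions.

```python
# Constructed sample in regedit "Export" format (not from any real machine), modelled on the slides.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\.scr]
@="scrfile"
[HKEY_CLASSES_ROOT\scrfile\shell\open]
@="&Test"
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"
[HKEY_CLASSES_ROOT\.shs]
@="ShellScrap"
[HKEY_CLASSES_ROOT\ShellScrap]
"NeverShowExt"=""
'''

def parse_reg(text):
    """Parse exported .reg text into {KEY: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].upper()      # registry key names are case-insensitive
            keys.setdefault(current, {})
        elif current and '=' in line:
            name, _, data = line.partition('=')
            data = data.strip()
            if data.startswith('"'):           # REG_SZ: strip quotes, unescape \" and \\
                data = data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
            keys[current][name.strip('"')] = data
    return keys

def audit(keys, ext):
    """Follow .ext -> ProgID -> shell\\open (as the slides do in regedit) and report what runs."""
    hkcr = 'HKEY_CLASSES_ROOT\\'
    progid = keys.get(hkcr + ext.upper(), {}).get('@')
    if not progid:
        return None                            # no association: nothing runs on double-click
    base = hkcr + progid.upper()
    command = keys.get(base + '\\SHELL\\OPEN\\COMMAND', {}).get('@', '')
    caption = keys.get(base + '\\SHELL\\OPEN', {}).get('@', 'open').replace('&', '')
    runs_file = command.startswith('"%1"')     # the file itself is the program that runs
    return {'progid': progid, 'command': command, 'caption': caption,
            'runs_file_itself': runs_file,
            'caption_hides_open': runs_file and caption.lower() != 'open',
            'extension_hidden': 'NeverShowExt' in keys.get(base, {})}
```

Running audit over a real `regedit /e` export of HKCR lets you review every extension the slides mention (.exe, .scr, .com, .pif, .vbs, .cmd, .reg, .shs, .shb) in one pass.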

12
Conclusion
  • The first step in dealing with viruses is to understand
    them and to know where to untangle them from your
    system once it has been compromised.
  • The more sophisticated the virus, the more aggressive
    it is towards anti-virus software.

13
THANK YOU