Virus, Trojans and Worms

1
Virus, Trojans and Worms

• By Jesse Pyeatt

2
Introduction

• Viruses, worms and Trojans can cause damage to
  computers.
• Shows us how vulnerable computers are and how
  much we rely on them.
• To prevent malicious code, it is necessary to
  understand how they work.

3
Malicious Code

• Functions are mutually exclusive but programmers
  combine methods to create more powerful code.
• Example Terrax.1069 resides in memory while
  renaming file names.

4
What are they?!?!?
5
Viruses

• Virus (n.) Code written with the express
  intention of replicating itself. A virus attempts
  to spread from computer to computer by attaching
  itself to a host program. It may damage hardware,
  software, or information.

6
Worms

• Worm (n.) A subclass of virus. A worm generally
  spreads without user action and distributes
  complete copies (possibly modified) of itself
  across networks. A worm can consume memory or
  network bandwidth, thus causing a computer to
  stop responding.
• Because worms don't need to travel via a "host"
  program or file, they can also tunnel into your
  system and allow somebody else to take control of
  your computer remotely. Recent examples of worms
  included the Sasser worm and the Blaster worm.

7
Trojans

• Trojan (n.) A computer program that appears to be
  useful but that actually does damage.
• Trojans spread when people are lured into opening
  a program because they think it comes from a
  legitimate source.

8
Focus of presentation

• The main focus on this presentation is the inner
  workings of a virus.
• There will be a brief overview on worms and
  Trojans.

9
Viruses
10
7 kinds of viruses

• Companion
• Executable Program
• Memory Resident
• Boot Sector
• Device Driver
• Macro
• Source Code

11
How does a virus work?

• Virus is dropped in a program using a Dropper.
• Software is installed onto a computer infecting
  target files.
• Virus lies dormant until it is triggered by the
  user, and event or timer therefore, executing
  its Payload.

12
Companion Viruses

• Not actually a virus
• Understand execution
• Program.com
• Program.exe
• Program.bat
• Most programs today have extension .exe.

13
Related Attacks

• Shortcut attacks
• Changes target of shortcut to point to virus
• Hide extension attacks
• Windows hides file extensions as default setting.
• Program.jpg.exe
• Appears as program.jpg

14
Executable Program Viruses

• Overwriting
• Overwrites executable program with itself
• Parasitic
• Attaches itself to other programs but allows
  original function.
• Cavity
• Hides itself in unused portions of segments (512
  Bytes). Exploits internal fragmentation.

15
Encryption, Compression

• Some viruses even compress the virus, encrypt the
  compressed virus along with the compressor,
  de-compressor and encryptor.
• It then pads out the unused memory with 0s to
  maintain the original size of the executable.

16
Memory Resident Viruses

• Hides
• at top of memory
• Among interrupt vectors.
• Can alter RAM bitmap to avoid being overwritten.
• Captures trap or interrupt vector
• Saves address to scratch variable
• Executes its own address
• Invokes real system call by jumping to saved trap
  address.

17
Boot Sector Viruses

• Copies true boot sector to safe place on disk
• Overwrites MBR to execute its own code.
• When finished, jumps to true boot sector and
  boots up the computer.
• Such viruses are very common.

18
Details

• Computer boots, virus loads into main memory.
• Machine in kernel mode, MMU off and no antivirus
  programs running. (exceptions. windows SP2)
• Boots operating machine but stays in memory

19
Control?

• Must gain control again after boot.
• Drivers load one at a time which creates a window
  for the virus.
• It captures all interrupt vectors it can. If
  the vector is overwritten,
• the virus just
• overwrites it again.
• The virus stores all the interrupts and keeps the
  system calls for itself

20
Additional

• Microsofts fdisk skips first track on disk.
• Good Place to hide on windows machines.
• Can also disguise itself as bad sectors.
• If root directory is large and fixed, can hide at
  end.

21
Device Driver Viruses

• Drivers are basically executable programs loaded
  every time the computer boots up.
• Are ran in kernel mode giving the virus a chance
  to capture a system call trap vector.
• If a driver is infected, the virus will be run
  every time the computer restarts.
• This would be ideal for a virus, however,
  extremely difficult to do.

22
Macro Viruses

• Used to group several commands to a keystroke.
• Attach to menu items.
• Use Visual Basic, a complete programming
  language.
• Arbitrary program, capable of deleting files.
• Attaches itself to open file and executes when a
  person opens the document.

23
Growing Problem

• Implementation is not as complicated as other
  viruses.
• Takes less skill to write code.
• Propagation through email.
• People ignore macro warnings.

24
Source Code Viruses

• Very portable.
• In a nutshell, find .c file, add
• include ltvirus.hgt
• and insert the function call
• run_virus()
• The program must parsed in order to find a place
  that syntactically allows function calls.
• Would not make sense to place
• After a Return call.
• In a comment.
• Inside a loop (may get noticed to easily.)
• As the string to a printf function.
• This is assuming the code is installed on the
  computer.
• If not, the full source must be include as an
  initialized character string such as a 32-bit
  hexadecimal integer

25
Polymorphic Virus

• X(ABc-4)
• Stage one
• MOV A,R1
• ADD B,R1
• ADD C,R1
• SUB 4,R1

26
Stage 2

• MOV A,R1
• NOP
• ADD B,R1
• NOP
• ADD C,R1
• NOP
• SUB 4,R1
• NOP
• MOV R1,X

• Engine adds in unnecessary lines called NOPs.

27
Stage 3

• MOV A,R1
• ADD 0,R1
• ADD B,R1
• OR R1,R1
• ADD C,R1
• SHL 0,R1
• SUB 4,R1
• JMP .1
• MOV R1,X

• The NOPs are exchanged with code that does not
  change the outcome of the program.

28
Stage 4

• MOV A,R1
• OR R1,R1
• ADD B,R1
• MOV R1,R5
• ADD C,R1
• SHL R1,0
• SUB 4,R1
• ADD R5, R5
• MOV R1,X
• MOV R5,Y

• Another mutation that is logically the same

29
Stage 5

• MOV A,R1
• TST R1
• ADD C,R1
• MOV R1,R5
• ADD B,R1
• CMP R2,R5
• SUB 4,R1
• JMP .1
• MOV R1,X
• MOV R5,Y

• This final code is the equivalent as the code on
  the first stage.
• This is very typical of a polymorphic virus and
  derives this code using a mutation engine.

30
Worms Trojans

• Target
• Propagation
• Activation
• Payload

• bootstrapping

31
Recent Viruses

• W32.Myfip.T
• Backdoor.Staprew
• Backdoor.Ranky.T
• Trojan.Lodmedud
• PWSteal.Botuk
• SymbOS.Dampig.A
• W32.Zellome_at_m

32
Conclusion

• We have a general understanding on how a virus
  works.
• What have we learned?
• Hackers have way too much time on their hands.
• Not all malicious code is bad.
• Brain (Pakistani)
• CRClean (anti Code Red)
• Most common virus are memory resident and macros
  (recently).

33
References

• Tanenbaum, Andrew S. Modern Operating Systems
  Prentice-Hall, Inc 2001
• Dennings, Peter J. Computers Under Attack ACM
  Press, New York, NY. 1990
• What are viruses, worms, and Trojans?
• http//www.microsoft.com/athome/security/viruses/v
  irus101.mspx
• How Computer Viruses Work
• http//www.howstuffworks.com/virus.htm
• VX Heavens
• http//vx.netlux.org/lib/aat00.html
• Security Response
• http//www.sarc.com/
• Images
• http//www.businessblogconsulting.com/images/troja
  ns.gif
• http//www.leave-me-alone.com/images/pe00222_.gif
• http//www.quarella.co.uk/img/virus.gif
• http//worms.puissance-nintendo.com/jeux/worms/ima
  ges/general/04.jpg
• http//www.geocities.com/vanfunwall2/Game/Misc/Wor
  ms.JPG

34
QUESTIONS????
35
THANK YOU