
Viruses, Trojan Horses, and Worms

Oct 2012

Introduction
Malicious code: "malicious" indicates the potential to do damage. Malicious code is usually classified by the type of propagation it uses, and sometimes by the platform and mechanisms it requires in order to run (e.g. macro viruses).

A virus, Trojan horse, or worm may not actually cause any damage.


Viruses
A program or piece of code that reproduces itself, and sometimes performs a particular action. Definition from RFC 1135:
A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.

Worm
A worm is similar to a virus, but it does not reproduce within files on the local host; it propagates between systems only. Definition from RFC 1135:
A worm is a program that can run independently, will consume the resources of its host from within in order to maintain itself, and can propagate a complete working version of itself on to other machines.

Macro Virus
Sometimes considered worms. They require a host program to process/run them in order to execute. Often written in VBA (Visual Basic for Applications) for Word, Access, Excel, PowerPoint, Outlook, etc. E.g. Melissa.

Trojan Horses
Code disguised as a benign program, but behaving in an unexpected, usually malicious, manner. The user needs to be convinced to accept/run it. E.g. the Pokemon worm, which displays animated pictures of a bouncing Pikachu on your screen while it e-mails itself to everyone in your address book and prepares to delete files from the system.

The Trojan horse initially appears as an e-mail with the subject "Pikachu Pokemon" and the English message "Pikachu is your friend."

The picture on the slide (not reproduced here) is what users see when executing pokemon.exe (the attachment). What they don't see is the application e-mailing itself and deleting files from the system.

Anatomy of a Virus
Two primary components:
  Propagation mechanism
  Payload

Propagation
The method by which the virus spreads itself. In the old days: a single PC, with the virus transferred to other hosts by way of floppy diskettes. Nowadays: the internet.

Types of Propagation
Parasitic: propagates by being a parasite on other files, attaching itself in some manner that still leaves the original file usable. E.g. the .com and .exe files of MS-DOS.
Macro virus: lives in a document and needs the application's macro engine to run it.
Boot sector infectors: copy themselves to the bootable portion of the hard (or floppy) disk. The virus gains control when the system is booted.

Normal boot procedure
The machine first goes through its usual POST (Power On Self Test).
The BIOS (Basic Input/Output System) then does what is referred to as a bootstrap: it checks for a valid bootable disk.
For a hard drive to be bootable, it must contain a Master Boot Record (MBR): a chunk of code that lies in the first sector of the hard drive and understands the partition table (which is stored in the same sector, followed by the 0x55AA boot signature).

The MBR code looks for the particular partition that is marked bootable (MS-DOS fdisk: active), and then transfers control to the code at the start of that partition. This code is known as the boot sector.

Viruses have two opportunities to take control.

1. Insert themselves into the MBR position. They gain control under all circumstances, at the expense of having to read the partition table and boot via it themselves.

2. Insert themselves into the boot sector of a partition.

Boot sector viruses tend to take the existing MBR or boot sector code, relocate it elsewhere on the disk, and then insert themselves into the record. When the system boots, they do their thing, then transfer control to the relocated code they replaced, so the system still appears to boot normally.
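The boot sequence above is easiest to reason about with the MBR's actual byte layout in hand. The following is an added example written for these notes, not code from the original slides: it parses a 512-byte MBR (446 bytes of bootstrap code, a 64-byte partition table of four 16-byte entries, the 0x55AA signature), finds the active partition the MBR code would hand control to, and compares the code region against a recorded baseline, which is the integrity-checker idea applied to exactly the place an MBR infector overwrites. The sample sectors and the tiny code stub are constructed for the example, not taken from any real bootloader.

```python
"""Parse a 512-byte Master Boot Record and compare its code to a baseline.

Added example for these notes, not code from the original slides. It uses the
classic MBR layout the slides describe: 446 bytes of bootstrap code, a 64-byte
partition table of four 16-byte entries, then the 0x55AA boot signature. The
sample sectors below are constructed for the example; the baseline hash models
the integrity-checker idea (record the known-good code once, compare later).
"""
import hashlib
import struct
from typing import Optional

SECTOR_SIZE = 512
CODE_SIZE = 446                 # bootstrap code region
TABLE_OFFSET = 446              # four 16-byte partition entries follow the code
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510
SIGNATURE = 0xAA55              # appears on disk as the bytes 55 AA
BOOTABLE_FLAG = 0x80            # fdisk 'active' flag in byte 0 of an entry


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into its code region and its non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    (signature,) = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)
    if signature != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: BIOS would not boot from this")
    partitions = []
    for index in range(4):
        entry = sector[TABLE_OFFSET + index * ENTRY_SIZE:][:ENTRY_SIZE]
        if entry[4] == 0:       # partition type 0 marks an unused slot
            continue
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        partitions.append({
            "index": index,
            "bootable": entry[0] == BOOTABLE_FLAG,
            "type": entry[4],
            "lba_start": lba_start,
            "sectors": sector_count,
        })
    return {"code": sector[:CODE_SIZE], "partitions": partitions}


def active_partition(mbr: dict) -> Optional[dict]:
    """The entry the MBR code transfers control to. Classic MS-DOS MBR code
    treats anything other than exactly one active entry as an invalid table."""
    active = [p for p in mbr["partitions"] if p["bootable"]]
    return active[0] if len(active) == 1 else None


def code_fingerprint(mbr: dict) -> str:
    """SHA-256 of the code region only; the partition table may legitimately change."""
    return hashlib.sha256(mbr["code"]).hexdigest()


def check_against_baseline(sector: bytes, baseline: str) -> list:
    """Integrity-checker comparison: what has changed since the baseline was recorded?"""
    mbr = parse_mbr(sector)
    findings = []
    if code_fingerprint(mbr) != baseline:
        findings.append("MBR code region differs from baseline (possible MBR infector)")
    if active_partition(mbr) is None:
        findings.append("no single active partition: table damaged or tampered")
    return findings


def make_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one partition entry; the legacy CHS fields are left zero."""
    head = bytes([BOOTABLE_FLAG if bootable else 0, 0, 0, 0, ptype, 0, 0, 0])
    return head + struct.pack("<II", lba_start, sectors)


def build_sample_mbr(code: bytes, entries=None) -> bytes:
    """Assemble a constructed MBR from a code stub and (bootable, type, lba, count) tuples."""
    if len(code) > CODE_SIZE:
        raise ValueError("code does not fit in the 446-byte region")
    if entries is None:
        entries = [(True, 0x07, 2048, 204800), (False, 0x83, 206848, 409600)]
    table = b"".join(make_entry(*e) for e in entries).ljust(4 * ENTRY_SIZE, b"\x00")
    return code.ljust(CODE_SIZE, b"\x00") + table + struct.pack("<H", SIGNATURE)


# Constructed samples: a tiny stub standing in for the real bootstrap code, then
# the same disk after an MBR infector has replaced the code but kept the table.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"   # cli; xor ax,ax; mov ss,ax; mov sp,7c00h
CLEAN_MBR = build_sample_mbr(CLEAN_CODE)
BASELINE = code_fingerprint(parse_mbr(CLEAN_MBR))
INFECTED_MBR = build_sample_mbr(b"\xeb\xfe" + b"<original code relocated elsewhere>")

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, check_against_baseline(sector, BASELINE) or ["no change"])
```

Only the code region is fingerprinted on purpose: repartitioning legitimately rewrites the table, while the bootstrap code of a given installation should never change behind the administrator's back. Read the sector from the raw device, not through the filesystem, or a concealer that hooks disk reads can hand back the relocated clean copy.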


Multi-partite
Refers to viruses that can use multiple means of infection, such as MBR, boot sector, and parasitic infection.

Payload
Refers to what the virus does (besides propagation) once executed:
  Do nothing
  Do cute things
  Malicious damage, such as deleting your partition table

Some viruses have a particular trigger, e.g. a date, or a number of successful infections.

Smart viruses usually use an infrequent trigger so that they have ample time to ensure they have properly propagated before alerting the user.

Example: Melissa
Melissa works by infecting the Document_Open() macro of Microsoft Word, which runs immediately when the user opens the Word file. The macro begins (only the opening lines are shown on the slide):
  Private Sub Document_Open()
  On Error Resume Next

Example: .com Virus
A .com virus may be divided into three parts:
  Replicator
  Concealer
  Bomb (payload)

Replicator
Spreads the virus. The slide's diagram shows the uninfected file, the virus code, and the infected result: a small portion of the virus code (V1) is copied to the beginning of the file, and the second part (V2, the rest of the code) is appended to the end of the file.

What do V1 and V2 do? V1 transfers control of the program to V2.
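The layout described above is worth seeing as bytes, because it is exactly what a scanner and a disinfector have to recognise and undo. The following is an added example written for these notes, not code from the slides or from the referenced guide, and it contains no executable virus code: V2 is a constructed placeholder body, and only the byte layout is modelled. Two facts about .com files are assumed: the image is loaded at CS:0100h and execution starts at its first byte, so V1 is a 3-byte near JMP (opcode E9, 16-bit displacement measured from the byte after the JMP); and the whole program has to fit in one 64 KiB segment. The marker string and the 8-byte sample host are constructed for the example.

```python
"""Model of the .com replicator layout from the slides: V1 at the front, V2 appended.

Added example for these notes, not from the slides or the referenced guide, and it
contains no executable virus code: V2 is a constructed placeholder. Only the byte
layout is modelled, which is what a scanner and a disinfector need to know. A .com
file is loaded at CS:0100h and execution starts at its first byte, so V1 is a 3-byte
near JMP whose displacement is measured from the byte after the JMP.
"""
import struct
from typing import Optional

JMP_NEAR = 0xE9          # x86 'JMP rel16'
V1_SIZE = 3              # opcode + 16-bit displacement
MARKER = b"V2-MODEL"     # constructed marker so V2 can be recognised
COM_LIMIT = 0xFF00       # a .com image must leave room in its 64 KiB segment for the PSP and stack


def model_infect(host: bytes, body: bytes = b"\x90" * 16) -> bytes:
    """Lay the host out as [V1 | host[3:] | V2], as in the slide's diagram."""
    if len(host) < V1_SIZE:
        raise ValueError("host too small to hold V1")
    if looks_infected(host):
        raise ValueError("already infected")   # replicators check this to avoid reinfecting
    # V2 carries the original first bytes so it can restore them and run the host afterwards
    v2 = MARKER + host[:V1_SIZE] + body
    # The JMP at offset 0 must land on offset len(host), where V2 begins: disp = target - 3
    v1 = bytes([JMP_NEAR]) + struct.pack("<H", len(host) - V1_SIZE)
    infected = v1 + host[V1_SIZE:] + v2
    if len(infected) > COM_LIMIT:
        raise ValueError("infected image would not fit a .com segment")
    return infected


def jmp_target(image: bytes) -> Optional[int]:
    """File offset that V1 transfers control to, or None if the entry is not a near JMP."""
    if len(image) < V1_SIZE or image[0] != JMP_NEAR:
        return None
    (disp,) = struct.unpack_from("<H", image, 1)
    return (V1_SIZE + disp) & 0xFFFF     # the segment wraps at 64 KiB


def looks_infected(image: bytes) -> bool:
    """Scanner heuristic: the entry JMP lands exactly on the marker that opens V2."""
    target = jmp_target(image)
    return target is not None and image[target:target + len(MARKER)] == MARKER


def disinfect(image: bytes) -> bytes:
    """Undo the layout: put the saved first bytes back and drop V2."""
    if not looks_infected(image):
        raise ValueError("no V1/V2 layout found")
    target = jmp_target(image)
    saved = image[target + len(MARKER):target + len(MARKER) + V1_SIZE]
    return saved + image[V1_SIZE:target]


# Constructed 8-byte host: mov ah,09h; mov dx,010Ch; int 21h; ret
SAMPLE_HOST = b"\xb4\x09\xba\x0c\x01\xcd\x21\xc3"
SAMPLE_INFECTED = model_infect(SAMPLE_HOST)

if __name__ == "__main__":
    print("infected:", looks_infected(SAMPLE_INFECTED),
          "restored ok:", disinfect(SAMPLE_INFECTED) == SAMPLE_HOST)
```

The disinfector only works because V2 keeps the overwritten bytes, which the replicator needs anyway to run the host after itself. Note that a clean program can legitimately start with a JMP, so the scanner checks where the jump lands rather than flagging the opcode alone.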



Bomb
Does things to annoy the user. Some possible bombs:
  System slowdown. Easily done by trapping an interrupt and causing a delay when it activates.
  File deletion.
  Message display.
  Killing/replacing the partition table or boot sector of the hard drive.

Anti-virus Techniques
  Integrity/behavioural checkers
  Use a good OS
  Use a virus scanner on the computer and on the e-mail server
  Do not open e-mail attachments
  Frequent backups
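An integrity checker is the one item in this list a reader can build in a few dozen lines. The following is an added example written for these notes, not code from the slides: it hashes every file under a root, stores the digests as a baseline, and later diffs a fresh snapshot against them to report modified, added, and removed files. The demo tree and the changes applied to it (a parasitic append that leaves the program runnable, a dropped executable, a deleted file) are constructed for the example.

```python
"""Integrity checker: baseline file digests, then report what changed.

Added example for these notes, not code from the slides. Hash every file under a
root, store the digests, and later diff a fresh snapshot against them. The demo
tree and the tampering applied to it are constructed for the example. A parasitic
infector leaves the program runnable, so only the digest reveals the change.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest."""
    return {
        path.relative_to(root).as_posix(): file_digest(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def save_baseline(snap: dict, path: Path) -> None:
    path.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Build a constructed tree, record a baseline, tamper with it, and report."""
    root = Path(tempfile.mkdtemp(prefix="intcheck-"))
    # The baseline lives outside the watched tree; in practice keep it on read-only media
    baseline_file = root.parent / (root.name + ".baseline.json")
    try:
        (root / "bin").mkdir()
        program = root / "bin" / "hello.com"
        program.write_bytes(b"\xb4\x4c\xcd\x21")          # constructed stand-in program
        (root / "config.sys").write_text("FILES=30\n")
        save_baseline(snapshot(root), baseline_file)

        # Constructed changes: a parasitic infector appends to the program and leaves it
        # runnable, a new executable is dropped, and a file is deleted.
        with program.open("ab") as handle:
            handle.write(b"\x90" * 8)
        (root / "bin" / "dropper.exe").write_bytes(b"MZ")
        (root / "config.sys").unlink()

        return compare(load_baseline(baseline_file), snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        baseline_file.unlink(missing_ok=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The checker is only as trustworthy as its baseline: anything that can rewrite the watched files can rewrite a baseline stored beside them, so keep the digests on read-only media or on another machine, and run the comparison from a known-clean boot, or a concealer that intercepts file reads will show you the original bytes.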

References
Kevin L. Poulsen, "Hack Proofing Your Network: Internet Tradecraft", Chapter 14, pp. 383-405.
Dark Angel's Phunky Virus Writing Guide, http://www.sirkussystem.com/virus.html ("Introduction" and "Installment II: The Replicator").
