<p><b>Malicious Mobile Code: Virus Protection for Windows</b><br>By Roger A. Grimes<br>Chapter 6. Trojans and Worms</p>
<hr size="1">
<h3 id="141540-939">6.5 Trojan Technology</h3>
<p>Like the virus underground, Trojan writers also have a segment of their developers dedicated to helping Trojans escape detection and spread.</p>
<h4>6.5.1 Stealth</h4>
<p>Trojans are just beginning to pick up the stealth habits that viruses have long utilized in order to remain undiscovered. They are becoming encrypted and polymorphic, and are installing themselves in different ways to escape detection. A common routine, which I don't consider true stealth, is when a Trojan renames itself after a valid system file (e.g. <i>Explorer.EXE</i>, <i>Mdm.EXE</i>, <i>System32.VXD</i>). When I'm looking for signs of a Trojan, I'll initially bypass these types of files when doing my first inspection. Only after I've ruled out the strange-looking or unfamiliar names do I investigate the common system filenames. Some Trojans install themselves with names containing characters that won't display on a monitor. Their filenames will appear blank, except for the extension. When pulling up the Task Manager, a user might not notice a blank name. If a Trojan registers itself as a service in Windows 9x, the Task Manager will not show the bogus program. Other Trojans hook the Task Manager routine and manipulate its query process so that it does not reveal the bad executable. Stealth definitely complicates Trojan and worm detection. If you do not know what is supposed to be running in memory in the first place, before the malware hits, it's much more difficult to diagnose a possible Trojan event.</p>
<table cellspacing="0" width="90%" border="1"><tr><td>
<h2>Malware</h2>
<p>Malware stands for malicious software and includes MMC and other sorts of nonmobile malicious software, such as keyloggers, flooders, and DoS programs.</p>
</td></tr></table>
<h4>6.5.2 Hiding as Source Code</h4>
<p>Many Trojans transfer themselves onto the host machine as ASCII text source code, which is then compiled or interpreted there to bypass malicious code scanners. The Trojan source code is often stored inside an archive (one file containing several compressed files) or a script file. Most scanners do not scan text files, so the source code passes. Executable code or a batch file is included to assemble or interpret the code on the fly. The companion programs that assemble or link the source code into its runtime form are usually legitimate programs and will not be flagged by scanners either. Other Trojans use tools already available on most Windows PCs (<i>DEBUG.EXE</i> or <i>WSCRIPT.EXE</i>) to launch their programs.</p>
<h4>6.5.3 Compressors</h4>
<p>Antivirus companies scan for Trojans as they would for viruses, searching for an always-present series of bytes (a signature) to identify the program. To complicate a scanner's job, Trojan writers can use over 60 different programs (called <i>compressors</i> or <i>packers</i>), which compress, archive, or encrypt the Trojan executable. The compressor takes the original file and changes its structure in such a way that it no longer resembles its original form. Enough information is saved that the original file can be reconstituted at runtime.</p>
<p>Some compressors allow the Trojan source code to be stored in text form (or as an object file) and handle the job of compiling the program on the fly, creating the new executable, and then running it. As covered earlier, antivirus scanners are not built to detect uncompiled source code, so the Trojan can sneak past AV tools. Compressors have names like Shrink, Diet, Scrnch, Pack, Crunch, RJCrush, PE Diminisher, Vacuum, and Petite. For a scanner to be highly successful, it must be able to detect and uncompress all the different compressor types. Only a few antivirus products, like Kaspersky Anti-Virus (http://www.kaspersky.com) and Symantec's Norton AntiVirus (http://www.symantec.com), have taken on the necessary work to detect and include decompressing routines for all the known Trojan compressors. As you might expect, the process of detecting (and uncompressing) dozens of packers can significantly slow down the file scanning process. Some scanners have taken the tactic that they will not scan any packed files by default, and instead try to scan the file as it unpacks. Each tactic has its pluses and minuses.</p>
<h4>6.5.4 Binders</h4>
<p>Binders are programs that mix a Trojan with a legitimate file to produce one executable. The resulting program can then be placed on the Internet, ready for a victim to pick up. Back Orifice was bound with the Whack-a-Mole program to make one of the most widely spread Trojans in history. Sophisticated binders can produce programs that write registry keys and automatically run setup programs upon execution.</p>
<h4>6.5.5 Sweep Lists</h4>
<p>A <i>sweep list</i> is an inventory of computers and their Internet IP addresses that can be used by malevolent hackers in automated hacking programs. Before I was familiar with the concept of sweep lists, I noticed that my firewall detected a lot of port-scanning Trojans whenever my stepson was chatting on IRC. If he didn't use his computer for a few days, which is rare, the hack attempts would be almost zero. When he chatted, I would get dozens of alerts over the next few hours. I knew somehow that hackers were monitoring the IRC activity to know when our computers were online and when they were not. Further evidencing my suspicions, the IP addresses of the attacks were almost identical to the active IRC users on the channels my stepson frequented.</p>
<p>In order for a back door or RAT to be useful, it must be found. Most Trojans announce their presence on the Internet by listening on a predefined port number. Tools have been made that will probe all the machines in a range of IP addresses looking for that predefined port. If it is found, the IP address of the invaded machine is saved and made part of the <i>sweep list file</i>. The list can then be used to exploit victim machines. One of the most popular sweep lists run on IRC channels is called Rip. It is an IRC script file that uses a DNS routine to reveal the IP addresses of all the users of a particular channel. While it doesn't look for a particular port number, IRC chatters are likely to be on the Internet a lot, which is inviting to hackers. Rip produces a text file of found machines that can be directly imported into the Back Orifice or NetBus Trojans.</p>
<h4>6.5.6 Script Trojans</h4>
<p>A lot of the new Trojans and worms are created using Visual Basic. Windows 98, Windows NT, Office 2000, and later versions of Windows software include a new scripting engine called <i>Windows Scripting Host</i> (WSH). Microsoft intends WSH to be the default macro language of Windows, a feature Windows has long needed. WSH can be called from within Outlook or Outlook Express. Unfortunately, it has little security and allows malicious mobile code to manipulate a user's PC when all the user did was click on a web link or scripting file in an email or on a web site. While some of Microsoft's latest security patches close some known big holes, WSH remains a convenient way for worms and Trojans to spread. WSH will be thoroughly covered in Chapter 12.</p>
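The point of 6.5.1 is that masquerading names (blank names, system filenames in odd places) are only caught against a baseline of what should be running, taken before the malware hits. This added Python example, not from the book, does that comparison over a constructed process snapshot; the baseline directories, the snapshot entries and the reason strings are made up for illustration.

```python
import string
from typing import Dict, List, Tuple

# Constructed baseline: lowercase image name -> directory it is expected to
# run from, recorded on a known-clean machine before any incident.
BASELINE: Dict[str, str] = {
    "explorer.exe": r"c:\windows",
    "mdm.exe": r"c:\windows\system32",
    "wscript.exe": r"c:\windows\system32",
}

# Constructed snapshot of what is running now: (image name, directory).
SNAPSHOT: List[Tuple[str, str]] = [
    ("explorer.exe", r"c:\windows"),
    ("Explorer.EXE", r"c:\windows\temp"),          # system name, wrong directory
    ("\u00a0\u00a0.exe", r"c:\windows\system32"),  # name shows as blank in Task Manager
    ("mdm.exe", r"c:\windows\system32"),
    ("svc_help.exe", r"c:\program files\helper"),  # never seen in the baseline
]

def stem_is_blank(name: str) -> bool:
    """True when the filename minus its extension shows nothing readable."""
    stem = name.rsplit(".", 1)[0]
    return all(ch not in string.printable or ch.isspace() for ch in stem)

def triage(snapshot: List[Tuple[str, str]], baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Compare the snapshot with the baseline; return (name, directory, reason) per finding.
    Order matters: a blank name is reported as such even though it is also not in the baseline."""
    findings = []
    for name, directory in snapshot:
        key, where = name.lower(), directory.lower()
        if stem_is_blank(name):
            findings.append((name, directory, "blank or non-printing filename"))
        elif key not in baseline:
            findings.append((name, directory, "not in baseline"))
        elif baseline[key] != where:
            findings.append((name, directory, "system filename outside its expected directory"))
    return findings

if __name__ == "__main__":
    for name, directory, reason in triage(SNAPSHOT, BASELINE):
        print(f"{reason:50s} {directory}\\{name!r}")
```

A Trojan that registers as a Windows 9x service or hooks the Task Manager query never appears in the snapshot at all, so the comparison has to be fed from a listing that does not depend on the same API.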

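To see why 6.5.3 says a scanner must recognise and undo each packer before its byte signature is any use, here is an added Python example (not from the book): a harmless constructed sample carrying a marker signature, a stand-in packer built on zlib, and a scanner that checks every unpacked layer. The signature bytes, the sample and the packer format are all made up for illustration; real packers differ in detail but defeat a raw byte search the same way.

```python
import zlib
from typing import Optional

# Constructed marker standing in for an always-present byte series that a
# signature scanner keys on. It is not a real detection signature.
SIGNATURE = b"\x55\x8b\xec\x83\xec\x10TROJAN-MARK"
ORIGINAL_FILE = b"MZ" + b"\x90" * 32 + SIGNATURE + b"\x00" * 64

# Constructed packer format: a short stub header followed by the compressed original.
PACK_STUB = b"PACKED:"

def pack(data: bytes) -> bytes:
    """Stand-in for a compressor: the output no longer contains the original byte series."""
    return PACK_STUB + zlib.compress(data)

def unpack(data: bytes) -> Optional[bytes]:
    """Reconstitute the original if the file is in our packer's format, else None."""
    if not data.startswith(PACK_STUB):
        return None
    try:
        return zlib.decompress(data[len(PACK_STUB):])
    except zlib.error:          # stub present but body is not valid zlib data
        return None

def scan_raw(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """A plain signature scanner: hits only if the byte series is present as-is."""
    return signature in data

def scan_with_unpacking(data: bytes, signature: bytes = SIGNATURE, max_layers: int = 8) -> bool:
    """Scan the file, then peel recognised packer layers and scan each one in turn.
    The layer count is bounded so nested or malformed packing cannot loop forever."""
    current = data
    for _ in range(max_layers):
        if scan_raw(current, signature):
            return True
        inner = unpack(current)
        if inner is None:       # not packed (by a packer we know), nothing left to try
            return False
        current = inner
    return False

if __name__ == "__main__":
    packed = pack(ORIGINAL_FILE)
    print("raw scan, original:", scan_raw(ORIGINAL_FILE))
    print("raw scan, packed:  ", scan_raw(packed))
    print("unpacking scan:    ", scan_with_unpacking(packed))
```

Each additional packer format the scanner recognises means another unpack attempt per file, which is the scanning slowdown the section describes.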

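Section 6.5.5 describes sweep lists being built by probing address ranges for a RAT's listening port, and the firewall alerts that probing produces. This added Python example, not from the book, runs that detection over constructed firewall deny-log lines: it groups probes by source and port and reports a source that hits a watched port on several hosts. The log format is invented for the example, and the watched-port set is an assumption (31337 and 12345 are the classic Back Orifice and NetBus defaults).

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed firewall deny-log lines; the format is invented for this example.
LOG_LINES = """\
2001-03-04 21:02:11 DENY UDP 203.0.113.7:4312 -> 198.51.100.20:31337
2001-03-04 21:02:11 DENY UDP 203.0.113.7:4313 -> 198.51.100.21:31337
2001-03-04 21:02:12 DENY UDP 203.0.113.7:4314 -> 198.51.100.22:31337
2001-03-04 21:02:12 DENY UDP 203.0.113.7:4315 -> 198.51.100.23:31337
2001-03-04 21:05:40 DENY TCP 192.0.2.9:1029 -> 198.51.100.20:12345
2001-03-04 21:09:03 DENY TCP 203.0.113.44:2201 -> 198.51.100.20:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DENY (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumed listener ports of the RATs being tracked; extend for your own watch list.
WATCHED_PORTS = {31337, 12345}
SWEEP_THRESHOLD = 3  # distinct hosts hit on one watched port by one source

Event = Tuple[str, str, int]  # (source IP, destination IP, destination port)

def parse(lines: str) -> List[Event]:
    """Keep only well-formed deny lines; anything else is skipped, not guessed at."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["src"], m["dst"], int(m["dport"])))
    return events

def find_sweeps(events: List[Event]) -> Dict[Tuple[str, int], List[str]]:
    """Sources probing a watched port across several hosts are building a sweep list."""
    targets = defaultdict(set)
    for src, dst, dport in events:
        if dport in WATCHED_PORTS:
            targets[(src, dport)].add(dst)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= SWEEP_THRESHOLD}

def watched_port_hits(events: List[Event]) -> List[Event]:
    """Every hit on a watched port, sweep or not: one probe can mean the host is already listed."""
    return [e for e in events if e[2] in WATCHED_PORTS]

if __name__ == "__main__":
    evs = parse(LOG_LINES)
    for (src, port), hosts in find_sweeps(evs).items():
        print(f"{src} swept port {port} on {len(hosts)} hosts: {', '.join(hosts)}")
```

A deny on a watched port only proves the firewall blocked it; the host behind it still needs the 6.5.1 baseline check to confirm nothing is actually listening there.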
Malicious Mobile Code: Virus Protection for Windows (OReilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176
