Common Viruses and Worms


This section covers several of the more common and destructive viruses and worms of years past. New viruses and worms come out all the time, and this is by no means an exhaustive list. Some of these viruses and worms are a few years old. You might wonder why older viruses and worms are covered here if they do not pose as much of a threat today. They are included not just because of their notoriety, but because of their ingenuity: each of the viruses and worms in this chapter broke new ground in how malware propagates, persists, or delivers its payload, and later viruses and worms are typically built on the techniques discussed in the sections that follow.

Specifically, this chapter addresses the following viruses and worms:

  • Chernobyl

  • I Love You

  • Melissa

  • BugBear

  • MyDoom

  • W32/Klez

  • Blaster

  • SQL Slammer

  • Sasser

Note

All of the viruses and worms mentioned are well-known. Therefore, good anti-virus software products can detect them. However, there is a rise in custom viruses that are being made by virus construction kits. These viruses do not have signatures because they are so new and are usually not as widespread. They can be just as deadly, however. Some popular virus construction kits include the following:

  • Windows Virus Creation Kit v1.0.0

  • The Smeg Virus Construction Kit

  • Rajaat's Tiny Flexible Mutator v1.1

  • Virus Creation Laboratory v1.0

  • Kefi's HTML Virus Construction Kit


New viruses and worms come out every month. This list is by no means exhaustive, and it is not limited to the most recent threats. Instead, it introduces some of the more ingenious and damaging viruses and worms that have shaped how organizations think about protecting themselves against malware.

Viruses and worms will continue to proliferate and infect computers. Instant messaging and cell phone worms are now becoming a threat as well. Any time a new technology is released, malicious hackers will attempt to exploit it through viruses and worms. Anti-virus software is not enough by itself because it does not protect against zero-day malware (malware for which no signature yet exists). You must also incorporate other measures, such as anomaly-based intrusion detection systems, host firewalls, and prompt patching.

Chernobyl

The Chernobyl virus is also known as W32.CIH.Spacefiller. (CIH are the initials of its author, Chen Ing-hau.) The virus infects Windows 95/98/Me systems only: it relies on Windows 9x kernel mechanisms to gain ring 0 access, so it cannot run on NT-based systems such as Windows 2000 and XP, which is why it poses little threat to the XP systems that are common today.

The Chernobyl virus is a time bomb virus. A time bomb virus or worm is a malware program whose payload is set to go off at a specific time. For that reason, this virus might lie dormant on a system for a long time before anyone realizes that the system is infected.

It was named the Chernobyl virus because its payload was set to go off on April 26, 1999, the anniversary of the Chernobyl nuclear reactor explosion (other variants trigger on June 26 or on the 26th of every month). The Spacefiller part of its other name describes how it infects files rather than what the payload does: CIH writes its code into the unused gaps inside the sections of Windows PE executables, so an infected file does not grow in size and a simple file-size check does not reveal it. When the trigger date arrives, the payload overwrites the first megabyte of the hard disk, starting at sector 0, destroying the master boot record, the partition table, and the start of the file system.

What made this virus unique was that it did not stop at erasing data: it also attempted to overwrite the system's flash BIOS. Wiping the start of the hard drive (master boot record included) renders the disk unusable, but a corrupted BIOS leaves the motherboard unable to boot at all. On boards where the BIOS was writable from software and not protected by a jumper, this succeeded; unless the motherboard manufacturer offered a way to reflash the chip, the owner was forced to purchase a new motherboard.

I Love You

The "I Love You" worm goes by many names, including LoveLetter, veryfunny.vbs, protect.vbs, and virus_warning.vbs. This was a VBScript worm that spread through Microsoft Outlook clients and an Internet Relay Chat (IRC) program called mIRC. It arrived as an e-mail with the subject "ILOVEYOU" and the attachment LOVE-LETTER-FOR-YOU.TXT.vbs; the double extension made the script look like a harmless text file. The operation of this worm is as follows:

1.

The worm begins by copying itself into the Windows system directory as MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs, and into the Windows directory as Win32DLL.vbs.

2.

Next, it changes the Internet Explorer start page to a URL from which WIN-BUGSFIX.exe, a password-stealing Trojan, is downloaded and run the next time Internet Explorer is launched. Registry entries are added under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (and RunServices) so that the worm's copies and the downloaded program run at every boot.

3.

The worm checks whether a window called BAROK is running. If it is, the worm stops. If the window does not exist, the worm creates a program called WINFAT32.exe and creates an entry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that the program is run upon the next boot.

4.

Once the download has taken place, the Internet Explorer start page is reset to about:blank (a blank page). Having your home page unexpectedly come up blank was therefore a telltale sign of infection with this worm.

5.

Next, the registry values HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching are deleted, which re-enables password caching so that there are cached passwords to steal.

6.

The worm creates a new window called BAROK and runs it in memory.

7.

When an internal timer expires, the password-stealing component loads the MPR.DLL library and calls the WNetEnumCachedPasswords function; any cached passwords it finds are e-mailed to mailme@super.net.ph. This password e-mail is sent only once. Separately, the worm mails a copy of itself, as the attachment LOVE-LETTER-FOR-YOU.TXT.vbs, to every entry in the Outlook address book, with the subject "ILOVEYOU" and the body "kindly check the attached LOVELETTER coming from me."

8.

The worm then walks all local and mapped network drives. Files with the extensions .js, .jse, .css, .wsh, .sct, and .hta are overwritten with a copy of the worm and renamed with a .vbs extension (script.js becomes script.vbs). Files with the extensions .jpg and .jpeg are overwritten with a copy of the worm and have .vbs appended (photo.jpg becomes photo.jpg.vbs), so the images are lost. For .mp3 and .mp2 files the worm instead creates a copy of itself named after the file (song.mp3.vbs) and sets the original to hidden, so the audio survives. (.vbs is the extension for Visual Basic scripts, which are often used to spread viruses.)

The end result is that victims had their cached passwords mailed to the worm's author and had scripts and images across their drives and network shares overwritten.
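The overwrite behavior described in step 8 leaves a recognizable forensic pattern: dozens of byte-identical .vbs files, some of them carrying a double extension, and for .mp3/.mp2 files a hidden original sitting beside the copy. The following script is an added example, not code from the book or from the worm; it builds a constructed post-infection directory in a temporary folder, clusters every .vbs file by content hash, and reports which originals were destroyed and which can still be recovered. The file names and worm body it uses are made up for the demonstration.

```python
"""Host-side triage for damage of the I Love You kind (added example)."""
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the worm overwrites with a copy of itself and renames to .vbs;
# the original content of these files is gone.
DESTROYED_TYPES = {".js", ".jse", ".css", ".wsh", ".sct", ".hta", ".jpg", ".jpeg"}
# Extensions whose original is merely hidden; a .vbs copy is dropped beside it.
HIDDEN_TYPES = {".mp3", ".mp2"}

# Constructed stand-in for the worm body. The real script is not reproduced here;
# all that matters for the technique is that every copy is byte-identical.
WORM_BODY = b"' constructed placeholder standing in for a self-copying script\r\n" * 40


def file_hash(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large media files do not load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root) -> dict:
    """Cluster every .vbs under root by content hash.

    A self-copying worm leaves many byte-identical files, so the largest cluster
    of identical .vbs files (two or more members) is treated as worm copies.
    Each copy is then classified by the name it replaced: name.mp3.vbs next to a
    surviving name.mp3 means the original can be unhidden; anything else
    (name.jpg.vbs, or a bare name.vbs that used to be name.js) is destroyed.
    """
    root = Path(root)
    vbs_files = sorted(root.rglob("*.vbs"))
    hashes = {p: file_hash(p) for p in vbs_files}
    worm_hash = None
    if hashes:
        candidate, members = Counter(hashes.values()).most_common(1)[0]
        if members >= 2:
            worm_hash = candidate

    report = {"worm_copies": 0, "destroyed": [], "recoverable": [], "clean": []}
    for path in vbs_files:
        rel = str(path.relative_to(root))
        if hashes[path] != worm_hash:
            report["clean"].append(rel)
            continue
        report["worm_copies"] += 1
        inner_ext = Path(path.stem).suffix.lower()   # "song.mp3.vbs" -> ".mp3"
        original = path.with_suffix("")               # "song.mp3.vbs" -> "song.mp3"
        if inner_ext in HIDDEN_TYPES and original.exists():
            report["recoverable"].append(str(original.relative_to(root)))
        elif inner_ext in DESTROYED_TYPES:
            report["destroyed"].append(f"{rel} (was {original.name})")
        else:
            report["destroyed"].append(rel)   # bare name.vbs: original name unknown
    return report


def build_sample(root) -> None:
    """Write a constructed post-infection tree (sample data, not a real infection)."""
    root = Path(root)
    (root / "photo.jpg.vbs").write_bytes(WORM_BODY)   # photo.jpg was overwritten
    (root / "util.vbs").write_bytes(WORM_BODY)        # util.js was overwritten and renamed
    (root / "song.mp3").write_bytes(b"ID3 constructed audio bytes")  # hidden, still intact
    (root / "song.mp3.vbs").write_bytes(WORM_BODY)
    (root / "legit.vbs").write_bytes(b'WScript.Echo "unrelated admin script"\r\n')


def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Hash clustering rather than name matching is the point: a renamed script.js leaves no trace in its new name, but it is still byte-for-byte the worm. On a real host you would run triage() against each mapped drive and restore the "destroyed" list from backup.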

Melissa

The Melissa virus was the first major Microsoft Word macro virus to make a significant impact on corporations. Named after a stripper in Florida who was a favorite of the virus creator, it was first found in a document called List.doc, distributed in List.zip, that reportedly contained a list of passwords for pornographic websites. This document was posted repeatedly to the alt.sex newsgroup. This was a classic social engineering tactic: unsuspecting victims were lured into opening the infected document under the impression that they were gaining access to pornographic websites. (For more on social engineering, see Chapter 4, "Performing Social Engineering.")

This virus operates as follows:

1.

First, the virus lowers Microsoft Word's macro security so that no warning is shown when macros run.

2.

Next, it infects the global template, Normal.dot, so that every document opened or created afterward is exposed to the virus.

3.

The virus then copies its macro into the active document, so that document carries the infection when it is saved and shared.

4.

If the minute of the current time equals the day of the month (for example, 12:10 PM on February 10, or 8:25 AM on November 25), it inserts the following text into the active document:

"Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

The macro source also carries the author's signature as a comment: "WORD/Melissa written by Kwyjibo. Works in both Word 2000 and Word 97. Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You decide! Word -> Email | Word 97 <-> Word 2000 ... it's a new age!"

Note

Melissa's creator went by the name Kwyjibo, which was a reference to an episode of the television show The Simpsons. In that episode, the lead character Bart Simpson is playing Scrabble and says, "K-W-Y-J-I-B-O Kwyjibo. Twenty-two points, plus triple-word-score, plus fifty-points for using all my letters. Game's over. I'm outta here."

5.

Melissa then reads the user's Outlook address lists and sends itself, attached to the current document, to the first 50 entries in each. The message's subject line reads "Important Message From <user>" where <user> is the name of the person from whose machine it was sent, and the body says "Here is that document you asked for ... don't show anyone else ;-)".

Melissa was not just an annoyance for end users. If all 1000 employees of a company were infected with this virus, each would send out 50 e-mails, generating 50,000 messages. Multiply this by the millions of people who were infected, and you see the significant increase in e-mail traffic within corporations and on the Internet. This equated to a substantial slowdown of data communications, preventing users from working.

BugBear

Also called W32/BugBear.A, this was a virus that enabled others to gain access to an infected system. What made the virus even more dangerous was that it had the capability to go out to network shares and infect other computers.

Like most mass-mailers, BugBear arrived via e-mail. It harvested addresses from previously received messages and from the Outlook address book. The attachment name was random but usually contained words such as "news," "images," "resume," or "music" to catch the attention of an unsuspecting victim. The attachment came with several extensions, including .scr, .pif, and .exe, but the result on execution was the same.

What made this virus damaging was that it could execute without the user ever launching the attachment. BugBear exploited the Incorrect MIME Header vulnerability in Internet Explorer (Microsoft bulletin MS01-020), which Outlook and Outlook Express use to render HTML mail, so merely viewing the message in the Microsoft Outlook preview pane was enough to run the attachment on an unpatched system.

Caution

For this reason, you should turn off the Microsoft Outlook preview pane on unpatched systems and never open e-mail messages that appear suspicious. Outlook 2003, or any Outlook on a system with the relevant Internet Explorer patch applied, does not execute an attachment from the preview pane; the danger came from the HTML rendering engine, not from Word-style macros.


BugBear operates as follows:

1.

The virus creates three files with randomly generated filenames. The first is an .exe file that is located in the Windows startup folder. A registry entry is added to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. The second file, also an .exe file, is located in the Windows\System32 directory. These two files make up the virus. The third file, a .dll file, is copied to the Windows\System32 directory and is used as a keystroke logging tool to record information such as passwords and other sensitive information.

2.

The virus then terminates any anti-virus software or firewall program it finds running, such as Norton AntiVirus, Zone Alarm, or BlackICE.

3.

Next, BugBear records keystrokes using the .dll file it created and sends the information it gathers to 22 e-mail addresses that are hard-coded inside the virus.

4.

BugBear then opens TCP port 36794 and listens for commands from remote computers. A malicious hacker could use this port to connect to the computer and retrieve files and passwords, launch another attack, or delete files.

Note

Beware of virus hoaxes. One such hoax was the BugBear hoax, in which an e-mail was circulated telling users how to remove the BugBear virus. The hoax advised people to delete the jdbgmgr.exe file, which has a teddy bear icon. Readers often followed the advice and deleted the file, believing they were removing BugBear, when they were really deleting the Microsoft Debugger Registrar for Java. To read more about this hoax, see Microsoft Knowledge Base article Q322993 at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322993.


MyDoom

MyDoom, also called W32/MyDoom.A, WORM_MIMAIL.R, and W32.Novarg.A, is another mass-mailing worm. It arrives as a .bat, .cmd, .pif, .scr, or .exe attachment (sometimes inside a .zip) with a file size of 22,528 bytes. Similar to BugBear, it opens a backdoor that lets malicious hackers gain access to infected systems: MyDoom listens on the first free TCP port in the range 3127 through 3198.

What made this worm deadly was not just the backdoor that it left open for malicious hackers, but its use in launching a distributed denial-of-service (DDoS) attack. All infected hosts were programmed to simultaneously flood the SCO Group website starting on February 1, 2004 at 16:09:18 UTC.

Tip

To see open ports on a Windows computer, open a command prompt and type netstat -an. This shows all listening ports and active connections. If you see a TCP port in the range 3127 through 3198 in the LISTENING state, you have probably been infected with MyDoom. Adding the -o switch (netstat -ano) shows the owning process ID, which you can match against the output of tasklist to confirm which program holds the port.
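The Tip's manual check can be scripted. The following is an added example, not code from the book; it parses the text format of netstat -an, keeps TCP sockets in the LISTENING state plus every bound UDP socket, and matches them against the backdoor and transfer ports named in this chapter (BugBear's 36794, MyDoom's 3127 through 3198, and the ports the Blaster and Sasser sections describe). The netstat output it runs over is constructed sample data, not a capture from a real host.

```python
"""Check netstat -an output for the backdoor listeners this chapter describes (added example)."""
import re

# (protocol, low port, high port) per worm, taken from the descriptions in this chapter
WORM_PORTS = {
    "BugBear": [("TCP", 36794, 36794)],
    "MyDoom": [("TCP", 3127, 3198)],
    "Blaster": [("TCP", 4444, 4444), ("UDP", 69, 69)],
    "Sasser": [("TCP", 5554, 5554), ("TCP", 9996, 9996)],
}

# One data line of netstat -an: proto, local addr:port, foreign addr, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")

# Constructed netstat -an output (sample data, not a capture from a real host)
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3129      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1026      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:69             *:*
  UDP    0.0.0.0:137            *:*
"""


def listening_sockets(netstat_text: str) -> set:
    """Return {(proto, port)} for every TCP socket in LISTENING state and every
    UDP socket (UDP has no state column; a bound UDP port is a listener)."""
    sockets = set()
    for line in netstat_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        proto, _local, port, _foreign, state = match.groups()
        if proto == "TCP" and state == "LISTENING":
            sockets.add(("TCP", int(port)))
        elif proto == "UDP":
            sockets.add(("UDP", int(port)))
    return sockets


def match_worm_ports(sockets: set) -> dict:
    """Map worm name -> sorted list of its known ports that are bound on this host."""
    hits = {}
    for worm, ranges in WORM_PORTS.items():
        found = sorted(
            port for proto, port in sockets
            if any(proto == p and lo <= port <= hi for p, lo, hi in ranges)
        )
        if found:
            hits[worm] = found
    return hits


def demo() -> dict:
    """Run the check over the constructed sample output."""
    return match_worm_ports(listening_sockets(SAMPLE_NETSTAT))


if __name__ == "__main__":
    for worm, ports in demo().items():
        print(f"{worm}: ports {ports} bound; confirm the owning process with netstat -ano and tasklist")
```

A port match is a lead, not a verdict: any program may bind 4444, and a legitimate TFTP service also listens on UDP 69. Treat a hit as the trigger for the process check described in the Tip rather than as proof of infection.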


This virus has more than 35 different variants. Some variants have their own SMTP engine to launch e-mails, others target specific sites such as http://www.symantec.com in their DoS attacks, and still others are used to download viruses such as Backdoor.Nemog.B (W32.MyDoom.S variant).

W32/Klez

This worm goes by many names, including W32/Klez, Klez, Klaz, Kletz, I-Worm.Klez, W95/Klez@mm, and, for the component it drops, Elkern. When this worm appeared, it was the most sophisticated of its kind to date. In many ways it was a virus within a virus, for it not only executed the Klez worm, but also unwrapped the Elkern file-infecting virus. This vicious worm operates as follows:

1.

First, it copies itself to the system directory and adds a value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, like other worms, so that it executes when the computer starts up.

2.

It then re-executes itself repeatedly, about ten times per second. Because it respawns so rapidly, anti-virus software has a hard time removing it.

3.

Klez then attempts to close down anti-virus and firewall products.

Tip

Some personal firewalls such as Zone Alarm Pro detect whether anti-virus software has been shut down and alert you with a pop-up window. Because viruses are becoming smarter and finding ways to shut down anti-virus software programs, make sure you are running a hardened anti-virus software and a personal firewall system or host-based intrusion detection system (IDS) to detect whether any program attempts to shut down the antivirus software.

4.

Next, Klez copies the W32/Elkern virus to a randomly generated filename in the temp directory.

5.

Elkern is then copied to the Windows\System32 directory as wqk.dll on Windows 2000 and XP systems, or to the Windows\System directory as wqk.exe. This program runs in its own process to prevent it from being deleted unless Klez is deleted first.

6.

Klez then copies itself to the Windows\System32 directory as its own process so that it does not show as a program in the task list.

7.

Next, the worm sends an e-mail with itself as an attachment. It uses the Windows address book and takes as many addresses as it can until it fills up a 4-KB buffer. If the address book has less than 10 e-mail addresses, Klez generates up to 29 random e-mail addresses containing 3 to 9 letters, with a domain name of sina.com, hotmail.com, or yahoo.com.

8.

Unlike the previously discussed worms, Klez does not put the infected host's address in the From field. Instead, Klez chooses a random e-mail address found on the infected computer and uses that as the From address. It first attempts to send through an SMTP server in that address's domain; for example, if the chosen address is a Yahoo! account, it tries smtp.yahoo.com. If this fails, it reads HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts and uses any SMTP servers configured there.

This means that if you get an e-mail with the Klez virus attached, you had better be careful before blaming the sender listed in the From field. The e-mail message might not have been from the person listed in the From field.

The subject line from this e-mail typically includes such casual phrases as "Hi," "Hello," "How are you?," "We Want Peace," or "Don't Cry."

Later variants have become even more intelligent in their subject lines. They check the current date of the host and compare it to a list of dates to see if it is close to any holidays. They then send a message such as "have a nice April Fools Day" (if near April 1) or "happy good All Soul's Day" (if near November 2).

One of the sneakier variants of this worm includes in the subject line a message saying that the e-mail message includes a W32/Elkern Removal Tool. Unsuspecting users who have heard of this worm then launch the attached file, not realizing that they just infected their computer.

9.

The Klez worm then looks for open shares, sends a copy of itself to each share, and attempts to launch itself. It tries this repeatedly in intervals between 30 minutes and 8 hours, depending on the variant.

Klez was a deadly worm in its attempt to leave victims unprotected by shutting down personal firewall and anti-virus applications. Furthermore, Klez slowed down networks as it spread. Although one infected computer would not make a significant impact, thousands of infected computers within an organization would bring networks to a halt as the worm copied itself across network shares and saturated network resources.
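Step 8 describes the From-field spoofing that makes Klez mail look like it came from an innocent third party, and every worm in this chapter so far arrived as an executable attachment, often behind a decoy extension (LOVE-LETTER-FOR-YOU.TXT.vbs). The following gateway check is an added example, not code from the book or from any product; it parses a message with Python's standard email library, flags executable and double-extension attachments, and applies the pre-SPF heuristic that a From address at one domain handed to our server by a host outside that domain is suspect. The two messages it scans are constructed samples, and the host names in them (mx.ourcompany.example and the rest) are made up.

```python
"""Gateway checks for mass-mailer traits: dangerous attachment names and a From
domain that does not match the relaying host (added example)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from pathlib import PurePosixPath

# Attachment extensions the worms in this chapter arrive with; all execute on double-click
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com",
                  ".vbs", ".vbe", ".js", ".jse", ".wsh", ".hta"}
# Harmless-looking inner extensions used to dress an executable up (NAME.TXT.vbs)
DECOY_EXT = {".txt", ".doc", ".jpg", ".jpeg", ".gif", ".mp3", ".htm", ".html", ".zip", ".pdf"}

# 'from <peer>' token of a Received header written by our own MX
RECEIVED_FROM_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.\-\[\]:]+)", re.IGNORECASE)

# Constructed messages (sample data, not real captured mail)
SUSPECT_MESSAGE = """\
Return-Path: <someone@yahoo.com>
Received: from mail.victimcorp.example (mail.victimcorp.example [203.0.113.7])
    by mx.ourcompany.example with SMTP; Mon, 22 Apr 2002 09:12:44 -0400
From: "Someone" <someone@yahoo.com>
To: user@ourcompany.example
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see the attached file

--b1
Content-Type: application/octet-stream; name="setup.TXT.exe"
Content-Disposition: attachment; filename="setup.TXT.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

CLEAN_MESSAGE = """\
Return-Path: <bob@partner.example>
Received: from smtp.partner.example (smtp.partner.example [198.51.100.3])
    by mx.ourcompany.example with SMTP; Mon, 22 Apr 2002 10:02:01 -0400
From: Bob <bob@partner.example>
To: user@ourcompany.example
Subject: Q1 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Report attached.

--b2
Content-Type: application/pdf; name="q1-report.pdf"
Content-Disposition: attachment; filename="q1-report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""


def attachment_findings(msg: Message) -> list:
    """Flag executable attachments and decoy double extensions by file name."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if suffixes and suffixes[-1] in EXECUTABLE_EXT:
            findings.append(f"{name}: executable attachment ({suffixes[-1]})")
            if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXT:
                findings.append(f"{name}: decoy double extension ({suffixes[-2]}{suffixes[-1]})")
    return findings


def from_domain(msg: Message) -> str:
    _display, address = parseaddr(msg.get("From", ""))
    return address.rpartition("@")[2].lower()


def relay_host(msg: Message) -> str:
    """Host that handed the message to our MX: the first Received header is the
    one our own server wrote, and its 'from' token names the peer."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    match = RECEIVED_FROM_RE.search(received[0])
    return match.group(1).lower() if match else ""


def sender_finding(msg: Message):
    """Klez-style spoofing heuristic. Assumption: a domain's outbound mail host
    sits under that domain; large providers violate this, so treat it as a signal."""
    domain, host = from_domain(msg), relay_host(msg)
    if not domain or not host:
        return None
    if host == domain or host.endswith("." + domain):
        return None
    return f"From claims {domain} but message was delivered by {host}"


def scan(raw_message: str) -> dict:
    """Combine both checks into a quarantine/deliver decision."""
    msg = message_from_string(raw_message)
    attachments = attachment_findings(msg)
    sender = sender_finding(msg)
    verdict = "quarantine" if attachments or sender else "deliver"
    return {"attachments": attachments, "sender": sender, "verdict": verdict}


if __name__ == "__main__":
    print(scan(SUSPECT_MESSAGE))
    print(scan(CLEAN_MESSAGE))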

Blaster

Blaster (also known as MSBlast.A and Lovsan) is a worm whose payload is a DoS attack on the windowsupdate.com domain. This created a catch-22 for users: the Microsoft update site carried the patch for the vulnerability the worm exploits, and the worm was designed to keep users from reaching it. In practice the flood mostly missed, because windowsupdate.com was only an alias; Microsoft simply removed its DNS entry, and the real site, windowsupdate.microsoft.com, stayed reachable.

The Blaster worm is a buffer overflow worm. It exploits the RPC DCOM vulnerability in the Windows remote procedure call (RPC) service (Microsoft bulletin MS03-026) and uses it to infect other computers. The Blaster worm operates as follows:

1.

Like most viruses, it adds a registry entry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that it is executed when Windows starts. It uses various filenames depending on the variant. Filenames include enbiei.exe, mslaugh.exe, mspatch.exe, teekids.exe, penis32.exe, and msblast.exe.

2.

Next, Blaster picks a starting address, either within the local network or at random, and scans sequentially from there, sending the RPC DCOM exploit to TCP port 135 on each host. If the overflow succeeds, the victim runs a hidden cmd.exe shell listening on TCP port 4444. Blaster connects to that shell and instructs the victim to fetch msblast.exe with tftp from the attacking host, which runs a TFTP server on UDP port 69 for exactly this purpose.

3.

If the day of the month is the 16th or later, or if the month is September through December (any day), Blaster launches a SYN flood against windowsupdate.com.

The worm contains the text:

"I just want to say LOVE YOU SAN!! billgates why do you make this possible? Stop making money and fix your software!"

SQL Slammer

This worm was first detected on January 25, 2003. It infected at least 75,000 hosts (the count from CAIDA's analysis of the outbreak) and reached most of the vulnerable population within about ten minutes; during the outbreak, 5 of the 13 Internet root name servers became unreachable. This worm, also known as W32.Slammer and the Sapphire worm, doubled its infected population roughly every 8.5 seconds in its opening minutes.

This worm used UDP instead of TCP for delivery. Because TCP communications require a three-way handshake, TCP-based attacks are harder to spoof and need a round trip before any data is accepted. UDP traffic has no acknowledgements, windowing, or sequence numbers, so it is easy to spoof, and a single unsolicited datagram is enough to carry the entire infection.

The SQL Slammer worm sent itself to UDP port 1434, the port used by the SQL Server Resolution Service. It triggered a buffer overflow in a function found in ssnetlib.dll, a dynamic library loaded by the sqlservr.exe process installed with Microsoft SQL Server 2000 and with the Microsoft Desktop Engine (MSDE) 2000 that shipped with some editions of Microsoft Office 2000 and Office XP.

The file ssnetlib.dll contains a function to provide SQL Server registry access. It takes three strings and combines them to build the registry path:

  • SOFTWARE\Microsoft\Microsoft SQL Server\

  • The instance name. To indicate the beginning of the instance name, the value 0x04 is prepended.

  • \MSSQLServer\CurrentVersion.

Slammer's packet smashes the stack through the second string: the instance name is supposed to be at most 16 bytes, but the length is never checked, so the worm sends a far longer name and overwrites the saved return address with 0x42B0C9DC. (For more on the operation of buffer overflows, see Chapter 14, "Understanding and Attempting Buffer Overflows.")

That address is a JMP ESP instruction inside sqlsort.dll, which transfers control to the worm code sitting on the stack. The worm then uses the import table of sqlsort.dll to reach LoadLibrary() and GetProcAddress(), resolves WS2_32.dll and kernel32.dll, and from them obtains the socket(), sendto(), and GetTickCount() APIs. GetTickCount seeds the worm's pseudo-random target generator; socket and sendto do the replication.

Next, the worm sends copies of itself to UDP port 1434 at pseudo-random IP addresses in an endless loop, with no delay and no check of whether a target is vulnerable. Because a single 376-byte datagram is the whole infection, an infected host emits packets as fast as its network interface allows, which floods links and pegs the CPU: thousands more hosts are infected while each victim inflicts a denial of service on itself. The worm never touches the disk; it lives only in the memory of sqlservr.exe, so a reboot removes it, but an unpatched, unfirewalled host is reinfected within seconds.
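The packet traits above (UDP destination port 1434, a leading 0x04 request byte, an instance name far longer than the 16 bytes ssnetlib.dll assumed, and the return address 0x42B0C9DC planted little-endian in the payload) are enough to classify traffic on the wire. The following is an added example, not code from the book or from the worm: a minimal IPv4/UDP parser plus a classifier, exercised against a constructed look-alike payload. Only the 0x04 marker, the 376-byte length and the return address come from the text; the filler layout of the constructed payload is an assumption and does not reproduce the worm.

```python
"""Classify SQL Server Resolution Service (UDP 1434) datagrams using the packet
traits this section describes (added example)."""
import socket
import struct

SQL_RESOLUTION_PORT = 1434
CLNT_UCAST_INST = 0x04          # request type: "which port is this named instance on?"
MAX_INSTANCE_NAME = 16          # what ssnetlib.dll assumed but never enforced
# The return address the worm plants: little-endian 0x42B0C9DC, a JMP ESP in sqlsort.dll
SLAMMER_RETURN_ADDRESS = struct.pack("<I", 0x42B0C9DC)
SLAMMER_PAYLOAD_LENGTH = 376


def classify_ssrp(payload: bytes) -> str:
    """Return a label for one UDP 1434 payload."""
    if not payload:
        return "empty"
    if payload[0] != CLNT_UCAST_INST:
        return "other-ssrp"                 # e.g. 0x02, the broadcast enumeration request
    if SLAMMER_RETURN_ADDRESS in payload:
        return "slammer"                    # the exact overflow return address is present
    if len(payload) - 1 > MAX_INSTANCE_NAME:
        return "oversized-instance-name"    # overflow attempt, or a variant with a new address
    return "instance-lookup"                # ordinary client asking for an instance's port


def parse_ipv4_udp(datagram: bytes):
    """Split a raw IPv4/UDP datagram into (src, dst, sport, dport, payload); None if not UDP."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        return None
    ihl = (datagram[0] & 0x0F) * 4
    if datagram[9] != socket.IPPROTO_UDP or len(datagram) < ihl + 8:
        return None
    src = socket.inet_ntoa(datagram[12:16])
    dst = socket.inet_ntoa(datagram[16:20])
    sport, dport, udp_len = struct.unpack("!HHH", datagram[ihl:ihl + 6])
    payload = datagram[ihl + 8:ihl + udp_len]
    return src, dst, sport, dport, payload


def inspect_datagram(datagram: bytes) -> str:
    """Classify a raw datagram: only UDP to port 1434 is examined further."""
    parsed = parse_ipv4_udp(datagram)
    if parsed is None:
        return "not-udp"
    _src, _dst, _sport, dport, payload = parsed
    if dport != SQL_RESOLUTION_PORT:
        return "not-sql-resolution"
    return classify_ssrp(payload)


def build_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a raw IPv4/UDP datagram for offline testing. Checksums are left at
    zero (UDP permits it; the IP checksum would be rejected on a real wire)."""
    udp_len = 8 + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                            socket.IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    udp_header = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_header + udp_header + payload


def constructed_slammer_like_payload() -> bytes:
    """A constructed look-alike, not the worm: 0x04 marker, filler standing in for
    the oversized instance name, the return address, and padding to 376 bytes.
    Only the marker, the total length and the return address come from the text."""
    body = bytes([CLNT_UCAST_INST]) + b"\x01" * 96 + SLAMMER_RETURN_ADDRESS
    return body + b"\x90" * (SLAMMER_PAYLOAD_LENGTH - len(body))


if __name__ == "__main__":
    sample = build_datagram("192.0.2.1", "198.51.100.9", 2049, SQL_RESOLUTION_PORT,
                            constructed_slammer_like_payload())
    print(inspect_datagram(sample))
```

The ordering of the checks matters: the return-address match catches the worm itself, while the length check behind it catches any other attempt to overflow the same field, including variants that choose a different address. A legitimate lookup is a 0x04 byte followed by a short instance name, and the broadcast enumeration request is a lone 0x02.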

Sasser

The Sasser worm is a deadly worm discovered on April 30, 2004 that infects Windows 2000 and XP computers. Although it cannot infect older computers running Windows 95 and 98, it can still run on those computers and use them to infect others.

The Sasser worm operates as follows:

1.

It begins by creating a mutex named Jobaka3l, so that only one copy runs at a time, and copying itself to the Windows directory as avserve.exe (avserve2.exe in the .B variant). At the same time, Sasser adds a value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that it runs at startup.

2.

Next, Sasser repeatedly calls the Windows AbortSystemShutdown API. The LSASS crash that the exploit causes starts a shutdown countdown on the host; cancelling it keeps the newly infected machine running and spreading, and it also makes it difficult for the user to shut down or reboot the computer by normal means while the worm is active.

3.

Sasser then starts an FTP server on the infected computer and listens on TCP port 5554.

4.

Sasser generates a random IP address and attempts to connect to it on TCP port 445. The address generation is biased toward the infected host's own network, so nearby machines are hit first.

5.

If the connection on port 445 succeeds, Sasser sends the LSASS exploit. If the overflow works, the target runs a command shell on TCP port 9996. Through that shell Sasser writes an FTP script called cmd.ftp on the target and runs it, which makes the target download a copy of the worm from the attacking host's FTP server on TCP port 5554. The copy is saved under a name made of four or five random digits followed by _up.exe (for example, 42151_up.exe) and then executed.

6.

The overflow also crashes the Local Security Authority Subsystem Service (lsass.exe) on the target, and Windows responds by starting a shutdown countdown with a message that lsass.exe has terminated. Cmd.ftp is deleted from the target once the transfer completes, and the attacking host appends the target's IP address to a file called win.log, a running list of the computers it has infected.

Sasser spread to the bulk of the vulnerable population within days of its release at the end of April 2004. You can stop Sasser by patching Windows computers, using firewalls that block port 445, or using anti-virus software. Unfortunately, too few people had these precautions in place at the time the worm was launched.

Sasser was not destructive to the individual hosts that were infected; instead, Sasser slowed down Internet communications as it spread exponentially. This impacted corporations relying on Internet communication for their business.
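Blaster and Sasser share the same propagation shape: one infected host opens connections to a large number of distinct addresses on a single exploit port (TCP 135 for Blaster, TCP 445 for Sasser, and UDP 1434 for Slammer) in a short time, which is exactly the behavior the chapter's earlier advice about anomaly-based intrusion detection is meant to catch. The following fan-out detector is an added example, not code from the book or from any IDS product; it runs a sliding window over flow records and alerts when a source reaches a threshold of distinct destinations on a watched port. The flow records, addresses and thresholds are constructed for the demonstration.

```python
"""Scan fan-out detector for the propagation pattern Blaster and Sasser share:
one source reaching many distinct hosts on a single exploit port (added example)."""
from collections import defaultdict, deque

# Exploit ports from this chapter and the worm each is associated with
WATCHED_PORTS = {
    135: "Blaster (RPC DCOM, TCP 135)",
    445: "Sasser (LSASS via SMB, TCP 445)",
    1434: "SQL Slammer (SQL Resolution, UDP 1434)",
}
WINDOW_SECONDS = 60      # sliding window length (assumed tuning value)
FANOUT_THRESHOLD = 20    # distinct destinations within the window before alerting


def detect_fanout(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD) -> dict:
    """flows: iterable of (timestamp, src, dst, dport) sorted by timestamp.
    Returns {(src, dport): alert} for each source that contacts at least
    threshold distinct destinations on a watched port inside a window-second span."""
    recent = defaultdict(deque)          # (src, dport) -> deque of (ts, dst)
    alerts = {}
    for ts, src, dst, dport in flows:
        if dport not in WATCHED_PORTS:
            continue
        key = (src, dport)
        history = recent[key]
        history.append((ts, dst))
        while history and ts - history[0][0] > window:   # expire entries outside the window
            history.popleft()
        distinct = {d for _, d in history}
        if len(distinct) >= threshold and key not in alerts:
            alerts[key] = {
                "worm": WATCHED_PORTS[dport],
                "first_seen": history[0][0],
                "alert_at": ts,
                "targets": len(distinct),
            }
    return alerts


def constructed_flows() -> list:
    """Constructed flow records (sample data): one host sweeping TCP 445 once per
    second, one host with normal file-server traffic, and unrelated web traffic."""
    t0 = 1083369600                      # 2004-05-01 00:00:00 UTC as an epoch integer
    flows = []
    for i in range(40):                  # the sweep: 40 distinct targets in 40 seconds
        flows.append((t0 + i, "10.1.5.23", f"10.1.{i % 3}.{10 + i}", 445))
    for i in range(3):                   # a user opening three shares on one server
        flows.append((t0 + 5 + i * 10, "10.1.7.9", "10.1.0.2", 445))
    for i in range(30):                  # web browsing on an unwatched port
        flows.append((t0 + i, "10.1.7.9", f"203.0.113.{i}", 80))
    return sorted(flows)


def demo() -> dict:
    """Run the detector over the constructed flows."""
    return detect_fanout(constructed_flows())


if __name__ == "__main__":
    for (src, dport), alert in demo().items():
        print(f"{src} reached {alert['targets']} hosts on port {dport} in "
              f"{alert['alert_at'] - alert['first_seen']}s: {alert['worm']}")
```

Counting distinct destinations rather than raw connections is what separates a worm from a busy file server: the user host makes several connections to one server and never trips the threshold, while the sweeping host is flagged after its twentieth target. The window and threshold are tuning knobs; on a network where administrative tools legitimately sweep port 445, whitelist those sources rather than raising the threshold.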



    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209
