Surviving Malicious Code

Malicious code refers to a broad category of software threats to your network and systems. These threats include viruses, Trojan horses, bombs, and worms. Your users depend on you to help keep them safe from harm and to repulse these attacks. When successful, these attacks can be devastating to systems, and they can spread through an entire network. One such incident involved the Melissa virus that effectively brought the entire Internet down for a few days back in March of 1999. This virus spread to millions of Outlook and Outlook Express users worldwide. Variants of this virus are still propagating through the Internet.

The following sections will briefly introduce you to the various types of malicious code you will encounter, including viruses, Trojan horses, logic bombs, and worms. I will also explain the importance of antivirus software.

Viruses

A virus is a piece of software designed to infect a computer system. The virus may do nothing more than reside on the computer. A virus may also damage the data on your hard disk, destroy your operating system, and possibly spread to other systems. Viruses get into your computer in one of three ways. They may enter your computer on a contaminated floppy or CD-ROM, through an e-mail, or as part of another program.

Viruses can be classified into one of several types, including boot-sector viruses, macro viruses, polymorphic viruses, multipartite viruses, armored viruses, and phage viruses. Each of these types has a different attack strategy and different consequences.

Note 

Estimates for losses due to viruses exceeded $10 billion in 2001. These losses included funds as well as lost productivity.

The following section will introduce the symptoms of a virus infection, explain how a virus works, and describe the types of viruses you can expect to encounter and how they generally behave. We will also look at how a virus is transmitted through a network and look at a few hoaxes.

Symptoms of a Virus Infection

Many viruses will announce to you that you are infected as soon as they gain access to your system. These viruses may take control of your system and flash annoying messages on your screen or destroy your hard disk. When this occurs, you will know that you are a victim. Other viruses will cause your system to slow down, cause files to disappear from your computer, or take over your disk space.

You should look for some of the following symptoms when determining if a virus infection has occurred:

  • The programs on your system will start to load slower. This happens because the virus is spreading to other files in your system or is taking over system resources.

  • Unusual files appear on your hard drive, or files start to disappear from your system. Many viruses delete key files in your system to render it inoperable.

  • Program sizes change from the installed versions. This occurs because the virus is attaching itself to these programs on your disk.

  • Your browser, word processing application, or other software begins to exhibit unusual operating characteristics. Screens or menus may change.

  • The system mysteriously shuts itself down or starts itself up and does a great deal of unanticipated disk activity.

  • You mysteriously lose access to a disk drive or other system resources. The virus has changed the settings on a device to make it unusable.

  • Your system suddenly does not reboot or gives unexpected error messages during startup.

This list is by no means comprehensive.
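Two of the symptoms above (program sizes changing, and files appearing or disappearing) can be checked mechanically rather than by eye. The following is an added example, not code from the Study Guide: it records the size and SHA-256 hash of every file under a directory, then compares a later snapshot against that baseline. The directory and file names it uses are constructed placeholders.

```python
"""Added example (not from the Study Guide): a baseline-and-compare integrity
check for the 'program sizes change' and 'files appear or disappear' symptoms.
All file names below are constructed placeholders."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under `root` (relative path) to (size, sha256 hex digest)."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            baseline[path.relative_to(root).as_posix()] = (
                len(data),
                hashlib.sha256(data).hexdigest(),
            )
    return baseline


def compare(baseline, current):
    """Return {'modified': [...], 'added': [...], 'removed': [...]} of paths.

    A size change alone is enough to flag a file, but the hash also catches a
    same-size modification that a size check would miss."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Build a constructed program directory, baseline it, simulate the
    symptoms from the list above, and return the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        root.mkdir()
        (root / "editor.exe").write_bytes(b"MZ constructed editor stub")
        (root / "calc.exe").write_bytes(b"MZ constructed calculator stub")
        (root / "notes.exe").write_bytes(b"MZ constructed notes stub")
        baseline = snapshot(root)

        # A program grows because code was appended to it.
        (root / "editor.exe").write_bytes(b"MZ constructed editor stub" + b"\x90" * 64)
        # Same-size overwrite: size unchanged, hash differs.
        (root / "notes.exe").write_bytes(b"MZ constructed notes STUB")
        # An unexpected file appears and a known file disappears.
        (root / "tmp001.exe").write_bytes(b"MZ constructed unexpected file")
        (root / "calc.exe").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is taken right after a clean installation and stored somewhere the system being checked cannot write to; a baseline kept on the same disk can be altered along with the programs it describes.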

How Viruses Work

A virus, in most cases, tries to accomplish one of two things. It tries to render your system inoperable, or it tries to spread to other systems. Many viruses will spread to other systems given the chance and then render your system unusable. This double whammy is very common with many of the newer viruses. If your system is infected, the virus may try to attach itself to every file in your system and spread each time you send a file or document to other users. Figure 2.15 shows a virus spreading from an infected system either through a network or by removable media. When you give this disk to another user or put it into another system, you then infect that system with a virus.

Figure 2.15: Viruses spreading from an infected system using the network or removable media

Many newer viruses spread using e-mail. The infected system includes an attachment to any e-mail that you send to another user. The recipient opens this file thinking it is something you legitimately sent them. When they open the file, the virus infects the target system. This virus may then attach itself to all of the e-mails the newly infected system sends, which in turn infects the recipients of this e-mail. Figure 2.16 shows how a virus can spread from a single user to literally thousands of users in a very short amount of time using e-mail.

Figure 2.16: An e-mail virus spreading geometrically to other users

Note 

The Melissa virus (which was actually a worm) spread itself to over 100,000 users in a relatively short period in May of 1999, according to CERT. One site received over 32,000 copies of the Melissa virus in a 45-minute period.

Types of Viruses

Viruses take many different forms. This section briefly introduces these forms and explains how they work. These are the most common types, but this is not a comprehensive list.

Polymorphic Virus

Polymorphic viruses change form in order to avoid detection. These types of viruses attack your system, display a message on your computer, and delete files on your system. The virus will attempt to hide from your antivirus software. Frequently, the virus will encrypt parts of itself to avoid detection. When the virus does this, it is referred to as mutation. The mutation process makes it hard for antivirus software to detect common characteristics of the virus. Figure 2.17 shows a polymorphic virus infecting disk files and changing its characteristics to avoid detection. In this example, the virus changes a signature to fool antivirus software.

Figure 2.17: The polymorphic virus changing characteristics

Trojan Horse

A Trojan horse attaches itself to another file, such as a word processing document. Trojan horses may also arrive as part of an e-mail for a free game, software, or other file. When the Trojan horse activates and performs its task, it infects all of the word processing or template files. Consequently, every new file will carry the Trojan horse. The Trojan horse may not be visible because it masks itself inside of a legitimate program.

Stealth Virus

A stealth virus will attempt to avoid detection by masking itself from applications. It may attach itself to the boot sector of the hard drive. When a system utility or program runs, the stealth virus redirects commands around itself in order to avoid detection. An infected file may report a file size different from what is actually present in order to avoid detection. Figure 2.18 shows a stealth virus attaching itself to the boot sector to avoid detection.

Figure 2.18: A stealth virus hiding in a disk boot sector

Retrovirus

A retrovirus attacks or bypasses the antivirus software installed on a computer. You can consider a retrovirus as an anti-antivirus. Retroviruses can directly attack your antivirus software and potentially destroy the virus definition file of your antivirus software. Destroying this information without your knowledge would leave you with a false sense of security. The virus may also directly attack an antivirus program to create bypasses for the virus.

Multipartite Virus

A multipartite virus attacks your system in multiple ways. A multipartite virus may attempt to infect your boot sector, infect all of your executable files, and destroy your application files. The hope here is that you will not be able to correct all of the problems and will allow the infestation to continue. The multipartite virus in Figure 2.19 attacks your boot sector, infects application files, and attacks your Word documents.

Figure 2.19: A Multipartite virus commencing an attack on a system

Armored Virus

An armored virus is designed to make itself difficult to detect or analyze. Armored viruses will cover themselves with "protective code" that stops debuggers or disassemblers from examining critical elements of the virus. The virus may be written in such a way that some aspects of the programming act as a decoy to distract analysis while the actual code hides in other areas in the program.

Companion Virus

A companion virus attaches itself to legitimate programs and then creates a program with a different file extension. This file may reside in the temporary directory of your system. When the user types the name of the legitimate program, the companion virus executes instead of the real program. This effectively hides the virus from the user. Many of the viruses that are used to attack Windows systems change program pointers in the Registry so that they point to the infected program. The infected program may perform its dirty deed and then start the real program.

Note 

The W32/Sircam virus came on the scene in July of 2001. This virus placed itself in the temporary directory of Windows systems. The virus contained an e-mail program that searched the address book of the victim and mailed itself to everyone in the address book. The virus could also send certain files to people in the address book. One of my clients caught a virus that sent his company's financial statements to all of his contacts.

Phage Virus

A phage virus modifies and alters other programs and databases. The virus infects all of these files. The only way to remove this virus is to reinstall the programs that are infected. If you miss even a single instance of this virus on the victim system, the process will start again and reinfect the system.

Macro Virus

A macro virus exploits the enhancements made to many application programs. Programs such as Word or Excel allow programmers to expand the capability of the application. Word, for example, supports a mini-BASIC programming language that allows files to be manipulated automatically. These programs embedded in a document are called macros. A macro can tell your word processor to spellcheck your document automatically when it opens. Macro viruses can infect all of the documents on your system and spread to other systems using mail or other methods. Macro viruses are the fastest-growing form of exploitation today.
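Because a macro is code carried inside a document, a mail gateway or file server can at least tell whether a document carries a macro project before a user opens it. The following is an added example, not code from the Study Guide, and it applies to the zip-based Office Open XML formats (.docx/.docm, .xlsx/.xlsm, and so on), where a VBA project is stored as a part named vbaProject.bin; the documents it builds are constructed stand-ins, not real Office files, and the part names and extension lists are the assumptions it relies on.

```python
"""Added example (not from the Study Guide): detect a VBA macro project inside an
Office Open XML document, the zip-based format behind .docx/.docm, .xlsx/.xlsm
and similar. The documents built here are constructed stand-ins, not real
Office files."""
import io
import os
import zipfile

# Part names Office uses to store a VBA project inside the OOXML zip container.
VBA_PARTS = frozenset({"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"})
# Extensions that are supposed to carry macros.
MACRO_EXTENSIONS = frozenset({".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"})


def has_vba_project(blob):
    """True if the zip container holds a VBA project part; False for non-zip input.

    Limitation: the legacy binary formats (.doc/.xls OLE2 files) are not zips and
    store macros differently, so they are not covered by this check."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return not VBA_PARTS.isdisjoint(names)


def classify(filename, blob):
    """Mail-gateway style decision: ('block' | 'allow', reason)."""
    ext = os.path.splitext(filename)[1].lower()
    if not has_vba_project(blob):
        return ("allow", "no VBA project found")
    if ext not in MACRO_EXTENSIONS:
        # A macro project under a non-macro extension is the more suspicious case.
        return ("block", f"VBA project hidden in a {ext or 'extensionless'} file")
    return ("block", "macro-enabled document")


def build_document(with_macro):
    """Construct a minimal .docx-like zip, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes; a real vbaProject.bin is an OLE2 compound file.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, macro in (("memo.docx", False), ("memo.docm", True), ("memo.docx", True)):
        print(name, classify(name, build_document(macro)))
```

A check like this only answers "does the document carry a macro project"; whether that macro is harmful is a separate question, which is why many organizations simply block macro-enabled attachments from outside and route the rest to an antivirus scanner.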

Virus Transmission in a Network

Upon infection, some viruses destroy the target system immediately. The saving grace of this is that the infection can be detected and can be corrected. Some viruses will not destroy or otherwise tamper with a system; they use the victim system as a carrier. The victim system then infects servers, file shares, and other resources with the virus. The carrier then infects the target system again. Until the carrier is identified and cleaned, the virus continues to harass systems in this network and spread.

Hoaxes

Network users have plenty of real viruses to worry about. Yet, some people find it entertaining to issue a few phony threats to keep people on their toes. Many virus hoaxes are circulating. Two of the more popular hoaxes that have been passed around are the Good Times and Irina viruses. Millions of users got e-mails about these two viruses, and the symptoms sounded awful.

Both of these viruses claimed to do things that are impossible to accomplish with a virus. When you receive a virus warning, you can verify its authenticity by looking on the website of the antivirus software you use, or by checking one of several public sites. One of the more helpful sites to visit to get the status of the latest viruses is the CERT organization (www.cert.org). CERT monitors and tracks viruses and provides regular reports on this site.

Trojan Horses

A Trojan horse program operates in a similar manner to the Trojan horse virus introduced earlier. The major difference is in how the Trojan horse program actually enters the system. The Trojan horse program may be installed as part of an installation process. While a Trojan horse virus enters as a virus, the Trojan horse program enters as part of another process.

Trojan horses are programs that enter a system or network under the guise of another program. A Trojan horse may be included as an attachment or as part of an installation program. The Trojan horse could create a back door or replace a valid program during installation. The Trojan program would then accomplish its mission under the guise of another program. Trojan horses can be used to compromise the security of your system, and they can exist on a system for years before they are detected.

The best preventative measure for Trojan horses is not to allow them entry into your system. Immediately after you install a new software program or operating system, back it up. If you suspect a Trojan horse, you can reinstall the original programs. This should delete the Trojan horse. A port scan may reveal a Trojan horse on your system. If an application opens a TCP or IP port that is not supported in your network, you can track it down and determine which port is being used.
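The port-scan advice above can be turned into a routine check: list what is listening on the host and compare it against what is supposed to be there. The following is an added example, not code from the Study Guide. The sample it parses is constructed text in the layout of Linux `ss -tlnp` output, not a real capture, and the port numbers, process names and allowlist in it are placeholders.

```python
"""Added example (not from the Study Guide): compare the listening TCP ports on a
host against an allowlist of expected port/process pairs. SAMPLE_SS_OUTPUT is
constructed text in the layout of Linux `ss -tlnp` output, not a real capture."""
import re

SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1203,fd=6))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("httpd",pid=2210,fd=5))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
LISTEN 0      5      0.0.0.0:40512       0.0.0.0:*         users:(("updatesvc",pid=4471,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Expected listeners for this host: port -> process name (constructed allowlist).
ALLOWLIST = {22: "sshd", 80: "nginx", 443: "nginx"}

# LISTEN <recv-q> <send-q> <addr>:<port> <peer> users:(("<process>",pid=<pid>,...
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


def parse_listeners(ss_output):
    """Yield (local_addr, port, process, pid) for each LISTEN line."""
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def audit_listeners(ss_output, allowlist):
    """Return findings for ports not in the allowlist or served by an unexpected process."""
    findings = []
    for addr, port, proc, pid in parse_listeners(ss_output):
        expected = allowlist.get(port)
        if expected is None:
            issue = "port not in allowlist"
        elif proc != expected:
            # Right port, wrong program: a replaced binary looks like this.
            issue = f"expected {expected}, found {proc}"
        else:
            continue
        findings.append({"addr": addr, "port": port, "process": proc, "pid": pid, "issue": issue})
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT, ALLOWLIST):
        print(f"{f['addr']}:{f['port']} {f['process']} (pid {f['pid']}): {f['issue']}")
```

On a real Linux host, feed the output of `ss -tlnp` (run as root so process names are shown) in place of the sample; Windows `netstat -ano` prints a different layout and would need its own pattern. A finding is a starting point for investigation, not proof of a Trojan: the next step is to identify the program behind the PID and confirm whether it belongs there.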

Logic Bombs

Logic bombs are programs or snippets of code that execute when a certain predefined event occurs. A bomb may send a note to an attacker when a user is logged on to the Internet and is using a word processor. This message informs the attacker that the user is ready for an attack. Figure 2.20 shows a logic bomb in operation. Notice that this bomb does not actually begin the attack, but tells the attacker that the victim has met the needed criteria or state for an attack to begin. Logic bombs may also be set to go off on a certain date or when a specified set of circumstances occurs.

Figure 2.20: A logic bomb being initiated by a connection to the Internet and opening a word processing document

In the attack depicted in Figure 2.20, the logic bomb sends a message back to the attacking system that the logic bomb has loaded successfully. These systems can then be either used to initiate an attack such as a DDoS attack, or they can grant access at the time of the attacker's choosing.

Worms

A worm is different from a virus. Worms reproduce themselves, are self-contained, and do not need a host application to be transported. Many of the so-called viruses that have made the papers and media were, in actuality, worms and not viruses. However, it is possible for a worm to also contain or deliver a virus to a target system.

Worms by their nature and origin are supposed to propagate and will use whatever services they are capable of to do that. Early worms would fill up memory and breed inside the RAM of the target computer. Worms can use TCP/IP, e-mail, Internet services, or any number of possibilities.

The Melissa and ILOVEYOU viruses are also worms. They require existing Outlook or Outlook Express clients to carry the worm. The virus, when opened, self-propagates to other files and systems. A small organization in Seattle recently received a worm that sent over 6,000 e-mails by the time it was discovered. This happened over a two-day period. Each of those e-mails contained a copy of the worm. This company sent all of its customers, prospects, and vendors a copy of the worm. This worm was a well-known one. The problem occurred because the antivirus software definitions file was out of date on one of the workstations.

Antivirus Software

The primary method of preventing the propagation of malicious code involves the use of antivirus software. Antivirus software is an application that is installed on a system to protect and scan for viruses. There are over 60,000 known defined viruses, worms, bombs, and other malicious codes out there. New ones are being added all the time. Your antivirus software manufacturer will usually work very hard to keep the definition files current. A definition file is a file that contains all of the known viruses and countermeasures for a particular antivirus software product. You probably will not receive a virus that has not been seen by one of these companies. If you keep your virus definition files in your software up-to-date, you will probably not be overly vulnerable to attacks.

The second method of preventing viruses is education. Teach your users not to open suspicious files and to open only those files that they are reasonably sure are virus free. They need to scan every disk, e-mail, and document they receive before they open it.

Most viruses have characteristics that are common to families of viruses. Antivirus software looks for these characteristics, or fingerprints, to identify and neutralize viruses before you are impacted by them.
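The definition file described under Antivirus Software and the fingerprint matching described just above can be shown in miniature. The following is an added example, not code from the Study Guide or from any antivirus product: it reads a small definition file with two kinds of signature, a whole-file hash and a byte pattern with wildcard positions, and scans sample data against it. The definition format, the signature names and the sample files are all constructed for this example; no real malware or real antivirus signatures are involved. It also illustrates the point made under Polymorphic Virus: a hash signature is defeated by any byte change, so definitions must be kept current and supplemented with looser pattern matches.

```python
"""Added example (not from the Study Guide): a minimal signature scanner driven
by a definition file. The definitions and sample data are constructed for this
example; no real malware or real antivirus signatures are involved."""
import hashlib
import re

# Constructed sample "files". SAMPLE_A is matched by a whole-file hash,
# SAMPLE_B by a byte pattern in which three bytes are allowed to vary.
SAMPLE_A = b"MZ constructed dropper sample"
SAMPLE_B = b"header MAL-xyz-END trailer"
BENIGN = b"MZ ordinary program"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed definition file format: one signature per line, "name|kind:value",
# kind = sha256 (whole-file hash) or bytes (hex, "??" = any one byte).
DEFINITIONS = f"""\
# constructed-definitions 2006-01-01
Sample.DropperA|sha256:{sha256_hex(SAMPLE_A)}
Sample.MacroB|bytes:4D414C2D??????2D454E44
"""


def compile_bytes_pattern(hex_pattern):
    """Turn '4D41??2D' style hex (with ?? wildcards) into a compiled bytes regex."""
    parts = []
    for i in range(0, len(hex_pattern), 2):
        tok = hex_pattern[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def load_definitions(text):
    """Parse the definition file into a list of (name, kind, matcher)."""
    defs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, rest = line.split("|", 1)
        kind, value = rest.split(":", 1)
        if kind == "sha256":
            defs.append((name, kind, value.lower()))
        elif kind == "bytes":
            defs.append((name, kind, compile_bytes_pattern(value)))
        else:
            raise ValueError(f"unknown signature kind {kind!r} in {name}")
    return defs


def scan(data, defs):
    """Return the names of all definitions that match `data`."""
    digest = sha256_hex(data)
    hits = []
    for name, kind, matcher in defs:
        if kind == "sha256" and matcher == digest:
            hits.append(name)
        elif kind == "bytes" and matcher.search(data):
            hits.append(name)
    return hits


if __name__ == "__main__":
    defs = load_definitions(DEFINITIONS)
    for label, data in (("A", SAMPLE_A), ("B", SAMPLE_B), ("benign", BENIGN),
                        ("A, one byte appended", SAMPLE_A + b"\x00")):
        print(f"{label}: {scan(data, defs)}")
```

The last case in the usage block is the polymorphic problem in miniature: appending a single byte to SAMPLE_A leaves the hash signature with nothing to match, while the wildcard pattern still catches variants of SAMPLE_B whose three varying bytes differ. Real products layer hashes, wildcard patterns and behavioural heuristics for exactly this reason, and a definition file that is a week old is missing whatever was added that week.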

Real World Scenario: A Virus Out of Control

A large private university has over 30,000 students taking online classes. These students use a variety of systems and network connections. The instructors of this university are being routinely hit with the Klez32 virus. The Klez32, or specifically in this case the W32/Klez.mm virus, is a very well-known and documented virus. It uses Outlook or Outlook Express to spread. It grabs a name randomly from the address book and uses that name in the header. The worm then uses a mini-mailer and mails the virus to all of the people in your address book. When one of these users opens the file, the worm attempts to disable your antivirus software and spread to other systems. This would open your system to an attack from other viruses, which might follow later.

You have been appointed to the IT department at this school, and you have been directed to solve this problem. What can you do about it?

The best solution here would be to install antivirus software that scans and blocks all e-mails that come through the school's servers. You would also want to inspect and notify all internal users of the system when they attempt to send a virus-infected document using the server.

These two steps, installing antivirus scanners on the external and internal connections and notifying unsuspecting senders, would greatly reduce the likelihood that the virus could attack either student or instructor computers.




CompTIA Security+ Study Guide. Exam SY0-101
ISBN: 078214098X
Year: 2006
Pages: 167