Malicious Code | SSCP Study Guide and DVD Training System

Malicious code can be simply defined as code (programming language code) used or created in a malicious manner. Code is the nickname assigned to a program written in languages such as C, C++, Java, Fortran, and so on.

Malicious code is very interesting in that it comes in two strains:

Code made to fail on purpose
Code that can fail by accident

Sometimes, code that is not caught in the quality assurance (QA) process while being written can contain a back door that allows a programmer to manipulate systems or applications that nobody knows about. These holes in the system are used to evade some type of access control.

Exam Warning

Make sure you know what malware is, why it is deemed malicious, and all the various types that it comes in such as viruses, worms, back doors, and Trojans.

Malware is code that has been written specifically to be malicious. This type of code existed before the days of the Internet, however since the world has embraced the Internet it has become more common and able to spread more effectively. Malicious code is usually classified by the type of propagation (spreading) mechanism it employs, with a few exceptions regarding the particular platforms and mechanisms it requires to run (such as macro viruses, which require a host program to interpret them). Also note that even though the term malicious code is used, a virus, Trojan, or worm may not actually cause damage. In this context, malicious indicates the potential to do damage, rather than actually causing malice.

Head of the Class…
How to Recognize the Symptoms of an Infected System

Have you ever had the opportunity to look at a virus-infected operating system? If you have, then depending on what your system caught, the symptoms can be mischievous (like switching your icons around), to downright cruel… like watching your data disappear when your system will not boot up anymore because the hard drive has been reformatted. Now, before we look at some of the things you can look for, the most important step is the first one and that is to inquire either of yourself or the person running the system "What changed?" In other words, did you bring in a diskette from home and put it in the system? Did you perhaps download a screensaver? Here are some things to look for on your system after you have determined through questioning that it may be a malware-infected system:

System will not boot any longer to a prompt (possible bootstrap problem)
System hangs on booting up and will not load the operating system (OS)
System boots up, but is non-responsive and/or will not load any applications
System behaves erratically. One of the most common is to have a "haunted" effect like icons moving, CD-ROM trays opening, and abnormal system graphics

Although these are the most common, there are more symptoms and as malware becomes more advanced you will see even more infection-based symptoms in the future.

Other symptoms you may see are dialog boxes opening up when you boot up a system or perhaps a process running that you never saw before from the installed malware. These indicate the possibility that your system could be infected. Take for instance, a worm named W32.HLLW.Veedna.B, when it is installed on your system, it will add the following to the hard disk:

C:\Zephyr Song.mp3.scr
C:\XFiles.mp3.scr
C:\The Tuxedo.mp3.scr
C:\Tuxedo.mp3.scr
C:\Fire.mp3.scr
C:\XFiles.mpg.scr
C:\The Tuxedo.mpeg.scr
C:\Tuxedo.mpg.scr
C:\Reign of Fire.mpeg.scr
C:\Pentium 5.doc.scr
C:\Pentium 5.rtf.scr
C:\How to make viruses.txt.scr
C:\Playboy 9.mpeg.scr
C:\Setup.exe.scr
C:\vandEEd0.scr
C:\The Incredible Hulk.scr
C:\The Rock.scr

The details for this worm can be found on Symantec's research site at www.sarc.com. This is a great place to do research for malware. The link for this worm's detailed information is www.sarc.com/avcenter/venc/data/w32.hllw.veedna.b.html. It is important that you can identify through these altercations that your system may be infected with malware.

Viruses

Viruses are programs that are usually installed without the user's awareness and come in thousands of varieties. They can do anything from popping up a message that says "Hi!" to erasing the entire contents of a computer's hard disk. Viruses can replicate themselves, infecting other systems by writing themselves to any diskette that is used in the computer or sending themselves across the network. Often distributed as attachments to e-mail or as macros in word processing documents, viruses are easily spread. Some activate immediately on installation, and others lie dormant until a specific date or time or a particular system event triggers them. For more information, see the article How Computer Viruses Work at www.howstuffworks.com/virus.htm.

The proliferation of computer viruses has also led to the phenomenon of the virus hoax, which is a warning—generally circulated via e-mail or Web sites—about a virus that does not exist or that does not do what the warning claims it will do.

Real viruses, however, present a real threat to a network. Companies such as Symantec and McAfee make antivirus software that is aimed at detecting and removing virus programs. Because new viruses are created daily, it is important to download new virus definition files, which contain information required to detect each virus type, on a regular basis to ensure that the virus protection stays up to date.

The types of viruses include:

Boot Sector Viruses These are often transmitted via a diskette. The virus is written to the master boot record (MBR) on the hard disk, from which it is loaded into the computer's memory every time the system is booted.
Application or Program Viruses These are executable programs that, when run, infect a system. Viruses can also be attached to other, harmless programs and installed at the same time a desirable program is installed.
Macro Viruses These are embedded in documents (such as Microsoft Word documents) that can use macros, small applications, or "applets" that automate the performance of some task or sequence.

Viruses that are programmed to activate and destroy data or files on a certain date are called time bombs or logic bombs (more on this later in the chapter). One of the first of this type to gain worldwide attention was the Michelangelo virus in the early 1990s, which attempted to erase the hard disks of infected PCs on March 6, the birthday of the famous painter. A few years later, a disgruntled former employee of Omega Engineering planted a time bomb virus on the company's network that resulted in approximately 10 million dollars in losses and damages. He was convicted of the crime and sentenced to 41 months in prison.

The most dangerous aspect of computer viruses (as is true of their biological counterparts) is their ability to "mutate" into something else. Of course, this mutation does not happen spontaneously, but virus writers build on the code of others to make relatively benign viruses more destructive—and to avoid detection by antivirus software. Viruses that can mutate are called polymorphic viruses.

Viruses spread when the instructions (executable code) that run programs are exchanged from one computer to another. A virus can replicate by writing itself to floppy disks, hard drives, legitimate computer programs, or even across networks. The positive side of a virus is that a computer attached to an infected computer network or one that downloads an infected program does not necessarily become infected. Remember, the code has to be executed before a machine can become infected. On the downside of that scenario, chances are good that if a virus is downloaded and not executed, it probably contains the logic to trick the OS into running the viral program. Other viruses exist that have the ability to attach themselves to otherwise legitimate programs. This could occur when programs are created, opened, or even modified. When the program is run, so is the virus.

Numerous different types of viruses can modify or interfere with code. Unfortunately, developers can do little to prevent these attacks from occurring—they cannot write tighter code to protect against a virus. It simply is not possible. They can, however, detect modifications that have been made or perform a forensic investigation. They can also use encryption and other methods for protecting code from being accessed in the first place. The following are the six different categories of viruses:

Parasitic Parasitic viruses infect executable files or programs in the computer. This type of virus typically leaves the contents of the host file unchanged but appends to the host in such a way that the virus code is executed first.
Bootstrap Sector Bootstrap sector viruses live on the first portion of the hard disk, known as the boot sector (this also includes the floppy disk). This virus replaces either the programs that store information about the disk's contents or the programs that start the computer. This type of virus is most commonly spread via the physical exchange of floppy disks.
Multi-partite Multi-partite viruses combine the functionality of the parasitic virus and the bootstrap sector viruses by infecting either files or boot sectors.
Companion Instead of modifying an existing program, a companion virus creates a new program with the same name as an already existing legitimate program. It then tricks the OS into running the companion program.
Link Link viruses function by modifying the way the OS finds a program, tricking it into first running the virus and then the desired program. This virus is especially dangerous because entire directories can be infected. Any executable program accessed within the directory will trigger the virus.
Data File A data file virus can open, manipulate, and close data files. Data file viruses are written in macro languages and automatically execute when the legitimate program is opened.

In keeping with good security analysis practices, one of the most important things to do (besides implement an antivirus solution and keep it updated) is to set up a system where end users, clients, and workers can be updated on how to keep themselves safe. It is common practice as a security practitioner to perform end-user education, as the fact holds clear that the more educated users are about viruses, the better off they will be. Since viruses normally have to be invited into a system and executed, teaching users to not introduce viruses to a network is most helpful. A simple virus report can be created (as seen in Exercise 8.01) to disperse to end users and educate them on the latest viruses, what they look like, and how to prevent them from being opened or launched.

Exercise 8.01: Creating a Professional Virus Report

In this exercise, you will look at a simple layout for a virus report. In the future, if you are required to create your own virus report you should use the following as a template:

First, you should title and date the document. Titles may be elaborate as you like, however, it is better to keep titles simple, readable, and easily referable. Virus reports should also be created in a manner that makes them easy to scan over quickly.
Next, provide an overview of the report contents. It is best to alerti users to the level of risk described in the report in simple words that are easily digested (for example, telling users that the viruses described in the report are either low-, medium-, or high-risk viruses. This way, in the objective, they can make a clear determination on whether or not they want to read the report for safety or for general knowledge.
Next, list the viruses described within the report. You should cite the virus threats from multiple sources. In the following sample we have used Symantec, McAfee, and Trend Micro as sources for information relating to virus activity.
The next item needed for a virus report is a concise, informative, and easily readable virus description. Remember, in most cases your readers do not have an overly technical background.
Finally, the last item in the report should be the actions that you require the users to take, or the instructions you would like the users to follow, should anyone come into contact with any of the viruses described in the report.

Virus Monitor Report 12-30-02

Overview: There are no new medium or high-risk viruses reported by Symantec, Trend, or McAfee.

New low-risk viruses reported:

Symantec: W32.Opaserv.K.Worm (a.k.a. W32/Opaserv.worm.n [McAfee]), W32.HLLW.Zule, W32.Backzat.Worm, Backdoor.NetDevil.B, Backdoor.Cow
Trend Micro: Troj_Killboot.B,
McAfee: None

Virus Descriptions

W32.Opaserv.K.Worm is a network-aware worm that spreads across open network shares. This worm copies itself to the remote computer as a file named Mqbkup.exe. It is compressed with a PECompact packer. Before you follow the steps in this document, if you are running Windows 95/98/Me, download and install the Microsoft patch from www.microsoft.com/technet/security/bulletin/MS00-072.asp.

If you are on a network or have a full-time connection to the Internet (such as a DSL or cable modem) disconnect the computer from the network and the Internet before attempting to remove this worm. If you have shared files or folders, disable them. When you have finished the removal procedure, if you decide to re-enable file sharing, Symantec suggests that you do not share the root of drive C. Instead, share specific folders. These shared folders must be password-protected with a secure password. Do not use a blank password.

After W32.Opaserv.K.Worm deletes the files from the C: drive it displays this message:
```
NOTICE: Illegal Microsoft Windows license detected! You are in violation of the Digital Millennium Copyright Act! Your unauthorized license has been revoked. For more information, please call us at: 1-888-NOPIRACY If you are outside the USA, please look up the correct contact information on our website, at: www.bsa.org  Business Software Alliance Promoting a safe & legal online world.
```
W32.HLLW.Zule is a worm that spreads across the KaZaA file-sharing network by tricking KaZaA users into downloading and opening the program. It also uses IRC to distribute itself. W32.HLLW.Zule attempts to delete files and folders belonging to various security software products.
W32.Backzat.Worm is a worm that uses IRC to distribute itself. It attempts to delete security software from your computer. It is written in Microsoft Visual C++ and is packed with UPX. It attempts to delete all files in the following folders:

\PC-Cil~1

\ToolKit\FindVirus

\AntiVi~1

\VS95

\TBAVW95

\f-macro

\eSafen

\Progra~1\FindVirus

\Progra~1\FWIN32

\Progra~1\QuickH~1

\Progra~1\AntiVi~1

\Progra~1\Grisoft\AVG6

\Progra~1\ZoneLa~1

\Progra~1\TrendM~1

\Progra~1\McAfee\VirusScan

\Progra~1\PandaS~1

\Progra~1\Norton~2
Backdoor.NetDevil.B is a variant of Backdoor.NetDevil. This Trojan horse allows a hacker to remotely control the infected computer by opening port 905 for listening. Backdoor.NetDevil.B creates the following registry keys, each of which may contain multiple values:

HKEY_CLASS_ROOT\.dli

HKEY_CLASS_ROOT\dlifile

As a result, this allows a file that has the .dli extension to be executed as a .exe file. Next, the Trojan adds the value kernel32 <system>\Kernel.dli to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the Trojan runs each time that you start Windows.
Backdoor.Cow is a back door Trojan horse that allows a hacker to control the computer. By default it opens port 2001. The existence of the file Syswindow.exe is a sign of possible infection. It is written in the Delphi programming language and is packed with UPX.
Troj_Killboot.B is a destructive MS-DOS Trojan horsethat overwrites the MBR with zeroes resulting in the loss of data, leaving the infected system unable to boot properly. It uses DOS Interrupt 13h to carry out its destructive routine. This malware only works on systems running MS-DOS or has a MS-DOS command console, and is approximately 1,085 bytes in size.

For Additional Information

To look for more info on viruses reported by Symantec browse to www.symantec.com/avcenter/vinfodb.html, scroll down the page and click on the name of the virus.
To look for more info on viruses reported byTrend browse to www.trendmicro.com/vinfo, scroll down the page and click on the name of the virus.
To look for more information on viruses reported by McAfee browse to http://vil.nai.com/VIL/newly-discovered-viruses.asp, scroll down the page and click on the name of the virus.

Current Protection Against New Viruses

W32.Opaserv.K.Worm The current virus definition from Symantec protects against this virus. Users of other antivirus products should monitor for release of applicable definitions from their vendor.
W32.HLLW.Zule The current virus definition from Symantec protects against this virus. Users of other antivirus products should monitor for release of applicable definitions from their vendor.
W32.Backzat.Worm The current virus definition from Symantec protects against this virus. Users of other antivirus products should monitor for release of applicable definitions from their vendor.
Backdoor.NetDevil.B The current virus definition from Symantec protects against this virus. Users of other antivirus products should monitor for release of applicable definitions from their vendor.
Backdoor.Cow The current virus definition from Symantec protects against this virus. Users of other antivirus products should monitor for release of applicable definitions from their vendor.
Troj_Killboot.B The current virus definition from Trend protects against this virus. Users of other antivirus products should monitor for release of applicable definitions from their vendor.

Instructions

If you feel that any of this activity has occurred or that a virus may have affected your system, please contact the Help Desk at the number below. Thank you.

Logic Bombs

A logic bomb, also known as slag code, is code that is placed into a program that is designed to execute only after a specific set of conditions are met. These conditions can be anything from a lapse of time to the modification of data. A logic bomb can also be a time-delayed virus or worm. Antivirus products detect most known logic bombs but there have been cases where a malicious systems administrator or another employee with the required credentials have created and left behind a custom logic bomb that is triggered upon, among other things, the deletion of a user account.

Exam Warning

Remember that a logic bomb could be a time-delayed virus or worm.

Worms

A worm is a program that can travel across a network from one computer to another. Sometimes different parts of a worm run on different computers. Worms make multiple copies of themselves and spread throughout a network. The distinction between viruses and worms has become blurred. Originally the term worm was used to describe code that attacked multiuser systems (networks), whereas virus described programs that replicated on individual computers.

The primary purpose of the worm is to replicate. These programs were initially used for legitimate purposes in performing network management duties, but their ability to multiply quickly has been exploited by hackers who create malicious worms that replicate wildly and can also exploit OS weaknesses and perform other harmful actions.

Exam Warning

A virus is different than a worm. A virus usually will not self-replicate and must be activated by the person whose system becomes infected. A worm when launched, can be very destructive because it will replicate itself from system to system.

A worm is a self-replicating program that does not alter files but resides in active memory and duplicates itself by means of computer networks. Worms use the facilities of an OS that are meant to be automatic and invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, which then slows or halts other tasks. Some worms in existence not only are self-replicating but also contain a malicious payload. Worms can be transmitted in one of two ways, either by e-mail or through an Internet chat room. The most famous worm, the "I Love You" bug, originated in May 2000. The "I Love You" bug was first detected in Europe and then in the United States. The initial analysis on the bug quickly determines that it contained Visual Basic code that was sent as an e-mail attachment named Love-Letter-For-You.txt.vbs When a user clicked on the attachment, the virus used Microsoft Outlook to send itself to everyone in the user's address book. The virus then contacted one of four Web pages in the Philippines. From the contacted Web page, a Trojan horse was then downloaded, win-bugsfix.exe, which collected user names and passwords stored on the users' system. It then sent all of the user names and passwords to an e-mail address.

The bug quickly spread throughout the United States within 12 hours after the bug was first viewed in Europe. The "I Love You" bug bit an estimated one-half million computers.

Note

One of the first widely disseminated worm programs was the Internet Worm of 1988, which practically shut down the entire Internet. For a detailed paper on how it happened, see A Tour of the Worm at http://world.std.com/~franl/worm.html.

Trojan Horses

Trojan horse are programs that appear to be legitimate or innocent but actually do something else in addition to or instead of their ostensible purposes. As part of the pre-attack phase, a hacker can plant a Trojan horse program on a victim's computer that installs keystroke-logging programs to gather information for the main attack or that sets up the means by which the attacker will later get into the system. An infamous case of the latter was the Back Orifice Trojan horse, which was disguised as a component of some other innocuous software program and, once installed, created a back door into Windows 95/98 systems for attackers to take over control of the victim PC. For more information about Back Orifice, see www.nwinternet.com/~pchelp/bo/bobasics.htm.

Test Day Tip

Back Orifice, while commonly utilized as a remote control Trojan horse, can be a valid and useful network administration tool. When it was released, it was publicized as a replacement for tools like PCAnywhere, even though everyone knew what it was really used for. Make sure you remember that Back Orifice is in fact a Trojan horse and what a Trojan horse is defined as.

A Trojan horse closely resembles a virus, but is actually in a category of its own. The Trojan horse is often referred to as the most elementary form of malicious code; used in the same manner as it was in Homer's Iliad, it is a program in which malicious code is contained inside of what appears to be harmless data or programming. It is most often disguised as something fun, such as a cool game. The malicious program is hidden, and when called to perform its functionality, can actually ruin a hard disk.

Not all Trojan horses are malicious in content, but they can be, and the intent of the program is usually to cause as much damage as possible. One saving grace of a Trojan horse, if there is one, is that it does not propagate itself from one computer to another.

A common way to become the victim of a Trojan horse is for someone to send an e-mail with an attachment claiming to do something. It could be a screensaver or a computer game, or something as simple as a macro quiz. With the naked eye, it will most likely be transparent that anything has happened when the attachment is launched. The reality is that the Trojan horse has now been installed (or initialized) on the system. What makes this type of attack scary is that it contains the possibility that it may be a remote control program. After this attachment is launched, anyone who uses the Trojan horse as a remote server can now connect to that computer. Hackers have advanced tools for determining what systems are running remote control Trojan horses. After this specially designed port scanner finds the system, all of the files are open to the hacker. Three common Trojan horse remote control programs are Back Orifice, SubSeven, and NetBus.

Back Orifice consists of two key pieces:

A client application
A server application

The way Back Orifice works is that the client application runs on one machine and the server application runs on a different machine. The client application connects to another machine using the server application. However, the only way for the server application of Back Orifice to be installed on a machine is to be deliberately installed. This means the hacker either has to install the server application on the target machine or trick the user of the target machine into doing so. Hence, the reason why this server application is commonly disguised as a Trojan horse. After the server application has been installed, the client machine can transfer files to and from the target machine, execute an application on the target machine, restart or lock up the target machine, and log keystrokes from the target machine. All of these operations are of value to a hacker.

The server application is a single executable file, just over 122 kilobytes in size. The application creates a copy of itself in the Windows system directory and adds a value containing its filename to the Windows registry under the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

The specific registry value that points to the server application is configurable. By doing so, the server application always starts whenever Windows starts, and therefore is always functioning. One additional benefit of Back Orifice is that the application will not appear in the Windows task list, rendering it invisible to the naked eye.

Lastly, note that there are multiple variants of each individual malware application. In other words, Back Orifice comes in other variants and they will behave differently. This should always be considered when dealing with malicious code.

Damage & Defense…
Back Orifice Limitations

The Back Orifice Trojan horse server application functions only in Windows 95 or Windows 98. The server application does not work in Windows NT. Additionally, the target machine (the machine hosting the server application) must have Transmission Control Protocol/Internet Protocol (TCP/IP) network capabilities.

The two most critical limitations to the Back Orifice Trojan horse are that the attacker must know the IP address of the target machine and that there cannot be a firewall between the target machine and the attacker. A firewall makes it virtually impossible for the two machines to communicate.

Please note that Back Orifice 2000 (BO2K) does not have these specific limitations so you can install newer versions of the Trojan horse on newer OSs like Windows 2000/NT. Another limitation is that once you download the Trojan horse to your system even if only for research, most antivirus programs will find it and eliminate it immediately making is hard to test or use on systems that are protected.

Another common remote control Trojan horse is named the SubSeven trojan. This Trojan horse is also sent as an e-mail attachment and after it is executed can display a customized message that is intended to mislead the victim. This particular program allows someone to have nearly full control of the victim's computer with the ability to delete folders and/or files. It also uses a function that displays something like a continuous screen cam, which allows the hacker to see screen shots of the victim's computer.

In August 2000, a new Trojan horse was discovered, known as the QAZ Trojan horse. This Trojan horse was used to hack into Microsoft's network and allowed hackers to access source code. This particular Trojan horse spreads within a network of shared computer systems, infecting the Notepad.exe file. What makes this Trojan horse so malicious is that it will open port 7597 on a network, allowing a hacker to gain access at a later time through the infected computer. QAZ Trojan horse was originally spread through e-mail and/or Internet relay chat (IRC) rooms; it eventually was spread through local area networks. If the user of an infected system opens Notepad, the virus is run. QAZ Trojan horse looks for individual systems that share a networked drive and then seek out the Windows folder and infect the Notepad.exe file on those systems. The first thing that QAZ Trojan does is to rename Notepad.exe to Note.com, and then the Trojan creates a virus-infected file named Notepad.exe. This new Notepad.exe has a length of 120,320 bytes. QAZ Trojan then rewrites the system registry to load itself every time the computer is booted. If a network administrator is monitoring open ports, he may notice unusual traffic on transmission control protocol (TCP) port 7597 if a hacker has connected to the infected computer.

Exam Warning

For the SSCP exam, concentrate on knowing why Trojan horses are so dangerous and the different types of Trojan horse threats.

Some of today's newer Trojan horses are especially nasty. Not only do they deliver the same payload as the other Trojan horses discussed here (such as remote control access for the hacker), but now these sneaky pieces of code are able to disable the security measures that are in place. This means that the SSCP practitioner must be ahead of the power curve with expanded knowledge on newer malware being distributed today. An example is the new Trojan horse called Backdoor.Beasty. When Backdoor.Beasty is executed, it reads its own configuration data and performs the following steps:

Terminates several security products and system monitor tools.
Copies itself to the %System% folder as Csvc.com.
Creates the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{AP042907-B967-10D8-9CBD-2672810A369E}.
Adds the following value to this registry key, which causes the Trojan horse to execute every time Windows starts: StubPath %system%\Com\csvc.com.
Inserts the file Lg.ttl into the %System% folder.
Adds the value "NeverShowExt" to the registry key HKEY_CLASS_ROOT\exefile

As a result, the extension of the *.exe files are never displayed.
Modifies the default value of the following registry key: HKEY_CLASS_ROOT\exefile\shell\open\command

This altercation causes the Trojan horse to execute every time an .EXE file is executed.
Logs the keyboard events.
Notifies the hacker through ICQ.
Listens on port 666 and waits for a command from the hacker.

These are only a few examples of the damage and inconvenience caused by various forms of malicious code. The following section includes a brief look at some of these attack types.

Note

Although Microsoft Office documents are not executable files themselves, they can contain macros, which are small programs that are embedded into the documents and can be used to spread malicious code. Thus, Microsoft Office documents should be treated as though they are executables unless running macros is disabled in the Microsoft Office program.

For more information about Trojan horses in general and links to specific fixes for Trojan attacks, see www.irchelp.org/irchelp/security/trojan.html