<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:blogger='http://schemas.google.com/blogger/2008' xmlns:georss='http://www.georss.org/georss' xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-344008834008071745</id><updated>2024-10-04T18:55:49.061-07:00</updated><category term="Viruses - Trojans - Worms"/><title type='text'>Problems..Problems..Problems...</title><subtitle type='html'>It's mostly on a daily basis that one or another faces some sort of computer related problem. Sometimes it's related to software installation, sometimes a virus/trojan/bug problem, hardware problems... The list is endless..&#xa;&#xa;&lt;br&gt;So this section will help you to sort out all your computer problems..&lt;/br&gt; &#xa;&#xa;&lt;br&gt;&lt;b&gt;&lt;i&gt;P.S. Please provide your complete computer configuration to help get your problem sorted accurately!!!&lt;/i&gt;&lt;/b&gt;&lt;/br&gt;</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://comp-probs.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/344008834008071745/posts/default?redirect=false'/><link rel='alternate' type='text/html' href='http://comp-probs.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Raùl C</name><uri>http://www.blogger.com/profile/04053824902563126440</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>2</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-344008834008071745.post-2442863996499915473</id><published>2009-04-16T09:03:00.000-07:00</published><updated>2008-05-31T23:36:51.243-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Viruses - Trojans - Worms"/><title type='text'>Viruses, Trojans &amp; Worms</title><content type='html'>&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;Someone Once Said:&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&quot;&lt;strong&gt;&lt;em&gt;The Average Virus writer is above 14 years &amp;amp; below the age of 23 &amp;amp; the virus writers of some evil viruses suffer from social loneliness.&quot; Well, I do agree with the age thing, but not the social thing. Most virus creators do not create viruses with the aim of creating havoc or destroying computers. Just out of interest they create a virus &amp;amp; then send it to their friends, &amp;amp; like most email viruses of today, they spread like anything&lt;/em&gt;&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;Viruses:&lt;br /&gt;&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;em&gt;A virus is basically an executable file that is designed such that it is able to infect documents, has the ability to survive by replicating itself and is also able to avoid detection&lt;/em&gt;. Usually, to avoid detection, a virus disguises itself as a legitimate program that a user would not normally suspect of being a virus. Viruses are designed to corrupt or delete data on the hard-disk, i.e. 
is on the FAT. Viruses can be classified into the following categories:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;Boot Sector Virus (MBR):&lt;br /&gt;&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;These viruses can be created without much difficulty &amp;amp; infect either the master boot record of the hard disk or that of a floppy disk. The boot record program responsible for booting the operating system is replaced by the virus. The virus either copies the Master Boot Program to another part of the HDD or overwrites it. They infect a computer when it boots up or when it accesses an infected floppy disk in its drive.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;Common Boot Sector Viruses: Michelangelo, Stone, etc...&lt;br /&gt;&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;em&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;How does a boot virus strike?&lt;/span&gt;&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;• &lt;em&gt;The user copies an infected file to a HDD or a FDD.&lt;br /&gt;• When the infected file is executed, the virus is loaded into memory.&lt;br /&gt;• The virus copies the boot record program to another sector &amp;amp; puts a pointer to it in the boot sector.&lt;br /&gt;• The virus then makes a copy of itself in the disk boot sector.&lt;br /&gt;• The next time the computer boots from the disk, the virus loads itself into RAM &amp;amp; starts infecting other files. The MBR is the first sector of the HDD; it contains the boot record &amp;amp; also additional details like the partition table, etc. 
If the MBR is corrupted, the OS will not be launched.&lt;br /&gt;&lt;br /&gt;&lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;File or Program Viruses:&lt;br /&gt;&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;Some programs are viruses in disguise &amp;amp; when executed they load the virus into memory along with the program, perform predefined steps &amp;amp; infect the system. They infect program files with extensions like .EXE, .COM, .BIN, .DRV &amp;amp; .SYS. Some file viruses just replicate while others destroy the program being used at that time. Such viruses start replicating as soon as they are loaded into memory. As file viruses also destroy the program currently being used, after removing the virus or disinfecting the system, the program that got corrupted also has to be repaired or reinstalled.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;Some common File Viruses: Sunday, Cascade, etc&lt;/em&gt;&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;Multipartite Viruses:&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;These viruses are the hybrid variety; they can best be defined as a cross between Boot Viruses &amp;amp; File Viruses. They not only infect files but also infect the boot sector. They are more destructive &amp;amp; more difficult to remove. First of all, they infect program files &amp;amp; when the infected program is launched or run, the multipartite virus starts infecting the boot sector too. Now, the interesting thing about these viruses is the fact that they do not stop once the boot sector is infected. 
After the boot sector is infected, when the system is booted, they load into memory &amp;amp; start infecting other program files.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;Some common examples: Invader, Flip, etc.&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;Stealth Viruses:&lt;br /&gt;&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;These viruses are stealthy in nature &amp;amp; use various methods to hide themselves to avoid detection. They sometimes remove themselves from memory temporarily to avoid detection &amp;amp; hide from virus scanners. Some can also redirect the disk head to read another sector instead of the sector in which they reside. Some of these viruses, like Whale, conceal the increase in the length of the infected file &amp;amp; display the original length by reducing the reported size by the same amount as the increase, so as to avoid detection by the scanners.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;Polymorphic Virus:&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;They are the most difficult viruses to detect. They have the ability to mutate, meaning that they change the viral code (known as the signature) each time they spread or infect. Thus, anti-viruses which look for specific virus codes are not able to detect such viruses.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;How does a polymorphic virus strike?&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;em&gt;a. The user copies an infected file to the disk.&lt;br /&gt;b. When the infected file is run, it loads the virus into memory (RAM).&lt;br /&gt;c. The new virus looks for a host &amp;amp; starts infecting other files on the disk.&lt;br /&gt;d. The virus makes copies of itself on the disk.&lt;br /&gt;e. 
The mutation engines in the new copies of the virus generate new, unique encrypted code, produced by a new, unique algorithm each time. Thus the virus avoids being detected by checksum scanners.&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;What is a Viral Signature?&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Basically, the signature can be defined as the specific fingerprint of a particular virus. It is a string of bytes taken from the code of the virus. Antivirus software maintains a database of known virus signatures &amp;amp; looks for a match each time it scans for viruses. As we see a new virus almost every day, this database of virus signatures has to be updated regularly.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;Macro Viruses:&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Macros allow a task that a user performs quite often to be repeated again &amp;amp; again by just clicking a play button. They are a set of automated instructions or tasks, which make work more efficient &amp;amp; fast for the users. Now, beneath every MS Office application there is a VB engine, which runs behind the scenes &amp;amp; can be used for advanced VB coding. So macro viruses are viruses that consist of evil or viral macro VBA code that can create havoc on the computer on which it is executed. These viruses spread very quickly &amp;amp; some have random activation, since their code can hook many of VB’s event handlers.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Macro viruses are not platform specific, i.e. 
for a macro virus to infect a system, the document with the embedded evil macro has to be opened&lt;/em&gt;.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;How do viruses infect systems?&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;We discussed that stealth viruses &amp;amp; polymorphic viruses are difficult to detect… the question arises: why? Let’s take the example of what most antivirus software does to detect a virus. Now, most antiviruses use a technique called check-summing. You must know that an executable file does not change (unlike a data file) unless the program is upgraded. So, the check-summer in the antivirus records the size of every executable file along with its check-sum. So, as a stealth virus reduces the reported size by the same amount as the increase, antiviruses that use only check-summing methods are not able to detect them.&lt;br /&gt;&lt;br /&gt;Polymorphic viruses, on their part, have the ability to mutate &amp;amp; change their known viral signatures &amp;amp; so hide from signature-based antiviruses, which compare the signature of executable files to the database of known viral signatures &amp;amp; thus cannot detect new viruses.&lt;br /&gt;Thus check-summers can’t detect the stealth viruses, whereas signature-based virus scanners can’t detect the polymorphic viruses.&lt;br /&gt;&lt;br /&gt;In comes the heuristic scanner, which does not scan for viruses using signature-based techniques but uses a smarter approach. It scans the drive for typical viral code &amp;amp; behavior. But such scanners have a downside too; sometimes they give false alarms &amp;amp; declare an uninfected file to be a virus.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Windows does not include an anti-virus program. However, it includes several features that make it difficult for viruses to infect your computer. 
It does this by using the following features&lt;/em&gt;:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;&lt;em&gt;Blocking Direct Disk Access&lt;/em&gt;&lt;/strong&gt;: direct writes to the disk through the ROM BIOS using INT25h &amp;amp; INT26h are blocked.&lt;br /&gt;Recognizing MBR modifications: deadlier viruses try to modify or write to the MBR through the INT13h chain.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;&lt;em&gt;Identifying Unknown Device Drivers&lt;/em&gt;&lt;/strong&gt;: Windows maintains a list of all the real-mode device drivers that can be safely replaced with its own protected-mode drivers. Now, say, you add a new device driver which uses the INT13h or INT21h chains. Then Windows checks to see if it is in the list of drivers that can be safely replaced. If not, Windows is programmed such that it will access drives only in MS-DOS compatibility mode &amp;amp; not the normal protected mode.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Next : &lt;em&gt;&lt;a href=&quot;http://comp-probs.blogspot.com/2008/05/trojan-attacks.html&quot;&gt;Trojans&lt;/a&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://comp-probs.blogspot.com/feeds/2442863996499915473/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/344008834008071745/2442863996499915473' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/344008834008071745/posts/default/2442863996499915473'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/344008834008071745/posts/default/2442863996499915473'/><link rel='alternate' type='text/html' href='http://comp-probs.blogspot.com/2008/04/viruses-trojans-worms.html' title='Viruses, Trojans &amp; Worms'/><author><name>Raùl C</name><uri>http://www.blogger.com/profile/04053824902563126440</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-344008834008071745.post-6877851411160450902</id><published>2008-05-31T22:41:00.000-07:00</published><updated>2008-05-31T23:40:03.071-07:00</updated><title type='text'>Trojans</title><content type='html'>&lt;em&gt;&lt;strong&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;Trojan Attacks: &lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;A Trojan is a malicious program that, when installed on a system, can be used for nefarious purposes by an attacker&lt;/em&gt;. Tools that allow remote administration of, or access to, a vulnerable system (RATs) are called Trojans. That means that after a system has been infected with a Trojan, an attacker can control nearly all the hardware &amp;amp; software on the system remotely. Today, Trojans are highly sophisticated &amp;amp; provide attackers with many different features for remote control. Once a Trojan has been introduced to a system, not only does all the data become vulnerable, but there is a good chance that the compromised system can be used to set up an attack on some third-party system.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Most Trojans consist of two parts &amp;amp; their operation is fairly simple to follow. Using them requires very little technical skill. The two parts are:&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;&lt;em&gt;The Server Part :&lt;br /&gt;&lt;br /&gt;&lt;/em&gt;&lt;/strong&gt;This part of the Trojan opens up a preset port on the target computer, which listens for any connections initiated by the attackers. 
Obviously, it has to be installed on the victim’s computer through trickery or disguise.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;&lt;em&gt;The Client Part :&lt;br /&gt;&lt;br /&gt;&lt;/em&gt;&lt;/strong&gt;This part gives the attacker complete control over the target system. It is installed on the attacker’s system to connect to the server part of the Trojan, which has been installed on the victim’s system.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Trojans are very hazardous tools that enable an attacker to cause great damage to the target system. Some of the most common malicious attacks that can be carried out by the use of Trojans are: &lt;/p&gt;&lt;ol&gt;&lt;li&gt;Trojans are most often used for stealing sensitive intellectual property (IP) data from target corporations &amp;amp; playing pranks on hapless individuals. By installing a Trojan on a system, the attackers are able to access, delete, upload or download files from it. IP theft is not only very expensive but can also be used to damage the good name of a corporation. Because installation of a Trojan gives access to nearly all hardware &amp;amp; software on the system, the system becomes open to all kinds of pranks, some of which are:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;-&lt;/strong&gt; Increasing or decreasing the volume when you are listening to music.&lt;strong&gt;&lt;br /&gt;- &lt;/strong&gt;Moving the mouse to the right when you are trying to move it to the left.&lt;br /&gt;&lt;strong&gt;-&lt;/strong&gt; When you type ABC, the attacker may make XYZ appear instead.&lt;br /&gt;&lt;strong&gt;-&lt;/strong&gt; Opening and closing your DVD drive tray at intervals.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Many Trojans have built-in logging capabilities. Today, there are innumerable Trojans available that also work as key loggers, recording all the keystrokes made by the victim on the infected system. This means that key loggers record all the keys (in a predefined log file) that have been pressed on the target system. 
Such Trojans are useful for the following operations:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;- &lt;/strong&gt;Accessing the contents of confidential emails &amp;amp; documents.&lt;br /&gt;&lt;strong&gt;- &lt;/strong&gt;Recording passwords, credit card numbers, account IDs, etc.&lt;br /&gt;&lt;strong&gt;- &lt;/strong&gt;Pilfering software programming code.&lt;br /&gt;&lt;strong&gt;- &lt;/strong&gt;Finding out vital information regarding tender prices &amp;amp; future business plans.&lt;br /&gt;&lt;br /&gt;Almost all Trojans have key logging facilities that can also record the name of the window where the particular data was typed. It is possible for an attacker to configure a Trojan so that it automatically &amp;amp; secretly emails the log file to a preset email address at regular intervals. It is even possible to configure a self-destruct feature into a Trojan, so that it automatically destroys itself at a predefined date &amp;amp; time, leaving little evidence behind.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Nearly all Trojans can be used for malicious purposes. An attacker can easily run malicious commands on an infected system &amp;amp; delete important files or even re-format the entire HDD. Thus, Trojans can be used in place of viruses or worms.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;An attacker can program Trojans in such a way that they use the resources of the target system &amp;amp; network to carry out attacks on predefined victim systems. This means the attacker can put in a Trojan that has been programmed to attack the target system at a pre-fixed time &amp;amp; date. The attack is so planned that the victim believes that his own system or network has carried out the attack, which can involve many legal implications for the corporation. 
&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;A Trojan attack can be executed by following these simple steps:&lt;/strong&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;em&gt;The most difficult part of executing a Trojan attack is installing the server part of the Trojan on the victim system&lt;/em&gt;. Some of the more common ways to do this are:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;-&lt;/strong&gt; &lt;strong&gt;&lt;em&gt;Email&lt;/em&gt;&lt;/strong&gt;: Sending the Trojan server file as an attachment to an email addressed to the victim. The problem with this method is that, most often, the victim may not open the infected attachment.&lt;br /&gt;&lt;strong&gt;-&lt;/strong&gt; &lt;strong&gt;&lt;em&gt;Autorun CD-ROMs:&lt;/em&gt;&lt;/strong&gt; Burning the Trojan onto a CD-ROM and then using the Autorun facility of the CD to automatically execute the Trojan the moment the CD is inserted into the tray.&lt;br /&gt;&lt;strong&gt;- &lt;em&gt;Instant Messengers: &lt;/em&gt;&lt;/strong&gt;It is also possible to send the Trojan server part disguised as a normal file over IRC or an Instant Messenger. Attackers generally rename the Trojan so that it looks like a normal, legitimate file.&lt;br /&gt;&lt;strong&gt;-&lt;/strong&gt; &lt;strong&gt;&lt;em&gt;Physical Access:&lt;/em&gt;&lt;/strong&gt; Physical access to the victim system gives the attacker an opportunity to install the Trojan server part manually.&lt;br /&gt;&lt;strong&gt;- &lt;/strong&gt;&lt;strong&gt;&lt;em&gt;EXE Binders:&lt;/em&gt;&lt;/strong&gt; These binders are tools that bind two .EXE files together into one file in such a way that the working of neither file is affected. So, the attacker binds or conceals the Trojan server part inside a legitimate &lt;strong&gt;.EXE&lt;/strong&gt; file. 
The container file is usually chosen to be irresistible to the victim, such as greeting cards, small games, etc.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The server part of the Trojan, once installed on the victim’s system, subsequently binds itself to a specific port on the victim system &amp;amp; listens for connections. Every Trojan listens for connections on a predefined port number, which is different for each Trojan.&lt;br /&gt;&lt;br /&gt;For example, the &lt;strong&gt;Netbus Trojan&lt;/strong&gt; listens for connections on the preset port &lt;strong&gt;12345.&lt;/strong&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Next, it is necessary for the attacker to locate the IP address of the target system on which the server part of the Trojan has been installed. This step enables the attacker to connect to the infected system &amp;amp; control it remotely.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Then, the attacker uses the client part of the Trojan tool, which is installed on his system, to connect to the server part of the Trojan installed on the victim system. The attacker connects to the preset port number that the Trojan uses. After establishing the connection, the victim’s system lies open to the attacker to inflict any kind of damage.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Most often, after the Trojan has been installed on the target system, the attackers will install a backdoor on it to ensure easy access whenever they want to enter. &lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Detection Of Trojans:&lt;/strong&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Suspicious Open Ports:&lt;/strong&gt; By using the netstat -n command.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Monitoring Outgoing Traffic:&lt;/strong&gt; What is more dangerous is that a Trojan covertly emails the logged passwords or recorded sensitive data to the attacker’s preset email address. Hence, by blocking all malicious outgoing emails, it is possible to guard against Trojans. 
The systems administrator should look out for illegal activity around the external mail servers, i.e. &lt;em&gt;SMTP or port 25 (telnet feature).&lt;br /&gt;&lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Detection Tools:&lt;/strong&gt; Lockdown 2000, Preview, etc…&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Start-up Files:&lt;/strong&gt; In the Registry or the start-up folder.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;System Files:&lt;/strong&gt; The two system files, i.e. &lt;em&gt;win.ini &amp;amp; system.ini&lt;/em&gt;, have sections where all programs that are referenced get executed.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Batch Files:&lt;/strong&gt; The two batch files autoexec.bat &amp;amp; winstart.bat also get executed every time Windows boots and can, therefore, contain either malicious commands or references to malicious programs.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;strong&gt;Counter-measures:&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;After a Trojan has been detected, the system administrator needs to remove it from the system. This can be done in the following manner:&lt;strong&gt; &lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;There are many Trojan removal tools that can be downloaded &amp;amp; used to remove the most common Trojans. One should not only remove the Trojan, but also all references to the Trojan from the start-up files.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Never accept or execute any file sent over email, chat, IRC, etc. However harmless or tempting the received file may seem, do not execute it. Also, do not experiment too much with Trojans, because it is possible that the client part of the Trojan installed on your system could turn out to be the server part, thus leaving your system open to attackers.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Because EXE binders allow an attacker to join two EXE files, a harmful Trojan file may be embedded inside a normal, harmless .EXE file. 
Such a Trojan cannot be detected by eye &amp;amp; only increases the file size by a certain number of bytes. Therefore, be careful &amp;amp; download software from the internet only from the original developer’s website. Do not accept any .EXE files, irrespective of whom you got them from.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;A more effective countermeasure against Trojan activity is installing a firewall on your system to monitor &amp;amp; log all port traffic. This enables you to detect &amp;amp; trace Trojan exploitation attempts. In addition, no matter how tempting, you should never execute any file sent to you over email, chat, IRC, &amp;amp; the like. Always download software from the Internet only from the original developer’s website.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Next: &lt;em&gt;Worms&lt;/em&gt;&lt;br /&gt;Back: &lt;em&gt;&lt;a href=&quot;http://comp-probs.blogspot.com/2008/04/viruses-trojans-worms.html&quot;&gt;Viruses&lt;/a&gt;&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://comp-probs.blogspot.com/feeds/6877851411160450902/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/344008834008071745/6877851411160450902' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/344008834008071745/posts/default/6877851411160450902'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/344008834008071745/posts/default/6877851411160450902'/><link rel='alternate' type='text/html' href='http://comp-probs.blogspot.com/2008/05/trojan-attacks.html' title='Trojans'/><author><name>Raùl C</name><uri>http://www.blogger.com/profile/04053824902563126440</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>