
COIS/FRSC 2750H Computer Crime and Forensics Fall 2011 Malware: Viruses, Worms etc.

Edited by Brian Hircock Fall 2010

L6

Reference Material
Primary sources of information contained in these slides are:
Taylor, R.W. et al., Digital Crime and Digital Terrorism (2006)
Jones, R., Internet Forensics (2006)
Volonino, L. et al., Computer Forensics: Principles and Practices (2007)
Wang, W., Steal This Computer Book 4.0: What They Won't Tell You About the Internet (2006)


First malware? - ANSI Bomb


In the DOS days the system loaded a device driver called ANSI.SYS at boot (from CONFIG.SYS)
Its job was to interpret ANSI escape sequences for screen control, but it also accepts a key-reassignment sequence (ESC [ code ; "string" p) that remaps any key to an arbitrary string
Used legitimately, this gives you shortcuts and macros
But a text file, BBS message or menu screen containing such a sequence could make the computer erase whatever file the user was working on every time they pressed, say, e
Or, even worse, plant a bomb: every time the user presses a certain key, say c or C, the keyboard is made to type a command that reformats the hard drive
The format command first asks the user whether they really want to do this, so you also reprogram the keyboard so that N = Y and n = y
Another precursor is Core War (descended from the 1961 game Darwin), in which programs compete to overwrite each other in memory
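As an added example (not part of the original slides), here is a small scanner for the key-reassignment sequences that made ANSI bombs possible. It parses the ANSI.SYS "set keyboard strings" sequence (ESC [ code ; string ; ... p) out of a text file, reconstructs what each remapped key would type, and flags remaps that type a command or turn an N answer into Y. The BBS welcome screen it scans is constructed for the example, and the DANGEROUS word list is an assumption, not an exhaustive one.

```python
import re

ESC = "\x1b"

# ANSI.SYS "Set Keyboard Strings" sequence:  ESC [ code ; string ; ... p
# code is the decimal ASCII value of the key (0;ext for extended keys such
# as F1), each following item is a quoted string or a decimal character
# code, and the sequence is terminated by a lowercase 'p'.
ITEM = r'(?:\d+|"[^"]*")'
KEY_REMAP = re.compile(r"\x1b\[(" + ITEM + r"(?:;" + ITEM + r")*)p")

# Command fragments that a keyboard macro should never type (assumed list).
DANGEROUS = ("format", "del ", "deltree", "erase", "fdisk")


def parse_remaps(text):
    """Return [(key, replacement), ...] for every key-reassignment sequence."""
    remaps = []
    for m in KEY_REMAP.finditer(text):
        items = re.findall(ITEM, m.group(1))
        if items[0] == "0" and len(items) > 1 and items[1].isdigit():
            key, rest = "ext:" + items[1], items[2:]      # extended key
        elif items[0].isdigit():
            key, rest = chr(int(items[0])), items[1:]
        else:
            continue                                      # malformed, ignore
        repl = "".join(chr(int(i)) if i.isdigit() else i[1:-1] for i in rest)
        remaps.append((key, repl))
    return remaps


def classify(remaps):
    """Tag each remap: 'confirm-bypass', 'command' or plain 'remap'."""
    report = []
    for key, repl in remaps:
        low = repl.lower()
        if key in ("n", "N") and low.strip("\r") == "y":
            kind = "confirm-bypass"   # turns a 'No' answer to a prompt into 'Yes'
        elif "\r" in repl or any(d in low for d in DANGEROUS):
            kind = "command"          # types a command and/or presses Enter
        else:
            kind = "remap"
        report.append((key, repl, kind))
    return report


# Constructed sample: a BBS welcome screen with harmless colour codes and
# an ANSI bomb of the kind described above.
BBS_SCREEN = (
    ESC + "[1;32m" + "Welcome to the board!" + ESC + "[0m\r\n"
    + ESC + '[99;"format c:";13p'            # 'c' now types: format c:<Enter>
    + ESC + '[110;"y"p' + ESC + '[78;"Y"p'   # n / N now answer "Yes"
    + "Enjoy your stay.\r\n"
)


def scan(text=BBS_SCREEN):
    return classify(parse_remaps(text))


if __name__ == "__main__":
    for key, repl, kind in scan():
        print(f"{kind:15} key={key!r} -> {repl!r}")
```

Running a check like this over a downloaded .ANS or .TXT file before TYPEing it to the console was the practical defence; colour and cursor sequences pass untouched because only sequences ending in p are key reassignments.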


Viral Infections
Used to spread via floppy disks or BBSs (bulletin board systems)
Now they're primarily spread over the Internet via:
Email and email attachments
Downloadable files
Web pages
Newsgroups
Peer-to-peer transfers
Instant messaging
And so on


Cost
A survey of government, private industry and universities showed that 85% had a virus/worm problem in the previous year
The average virus outbreak took approximately 20 person-days to recover from and cost the organization $10,000 (median) to $100,000 (average)
Types of damage include:
Triggering disruptive events
Bogging down email and network servers
Deleting or modifying files
Accessing and sharing private information
System degradation
Compromised security
Damage to software and hardware


How many viruses/worms are there?


Active viral programs are said to be "in the wild"
Wildness is a measure of the extent to which the virus is spreading
The number of viruses in the wild changes daily
You can see the current WildList at http://www.wildlist.org/WildList/
Preliminary results from Symantec (Internet Security Threat Report XV, April 2010): http://eval.symantec.com/mktginfo/enterprise/white_papers/bwhitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf
In 2009, 75% of all enterprises experienced some form of cyber attack
Symantec created 2,895,802 new malicious code signatures in 2009 (roughly 7,900 a day), a 71 percent increase over 2008; the 2009 figure represents 51 percent of all malicious code signatures ever created by Symantec
2010 Report from Sophos


Malware
We'll take a quick look at:
Viruses
Worms
Trojan Horses
Adware and Spyware
Blended Threats


Viruses
An overused term that has lost some of its original meaning
Often used now as a synonym for malware in general, including viruses, worms, trojans etc.
By definition a virus exists to replicate itself, much like a biological virus
It needs other files or resources (a host) in order to run and replicate
Harm is often caused by the body's (computer's) reaction to the virus, not by the virus itself
Four primary environments:
File virus
Boot virus
Macro virus
Network virus


File Virus
Uses the operating system's own program loading (e.g. Windows executables) to propagate
Can infect any type of executable file
The crudest kind simply overwrites the file with its own code; this is easy to detect because the program stops working
Three main types keep the host working:
Parasitic: latches onto the file (before, after or in the middle of the executable) and leaves it operational
Companion: creates a clone beside the target file that the OS runs in preference to the real .exe (on DOS, a .com with the same name is found first)
Link virus: modifies file system fields (directory entry or cluster chain) so that the operating system runs the virus rather than the intended file


Boot Virus
Attacks the boot sector of the system or the master boot record, or changes which partition is marked active so that the virus's own boot sector is the one used
After power-on and hardware tests, the system loader reads the first sector of the boot device and passes control to whatever code is there
If the virus has replaced that code, the virus runs instead of the operating system starting; it then usually loads the original boot sector it saved elsewhere so that the machine still boots and nothing looks wrong
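The following is an added example (not from the slides) of the check a forensic examiner would run on a suspect disk image: parse the first sector and compare it with a baseline recorded from the clean system. A boot virus has to leave a trace in one of the three places the code looks at: the boot code bytes, the active-partition flag, or the 0x55AA signature. The MBR layout (446 bytes of code, four 16-byte partition entries, two signature bytes) is the real one; the clean and infected sectors are constructed in the code, and DEMO-BOOT-VIRUS is a placeholder, not a real sample.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFF = 446          # 446 bytes of boot code, then 4 x 16-byte entries
BOOT_SIG_OFF = 510            # 0x55AA marks a bootable sector
ENTRY = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sectors


def build_mbr(boot_code, active_index=0):
    """Constructed MBR: given boot code, one 100 MiB partition, one active flag."""
    boot = boot_code.ljust(PART_TABLE_OFF, b"\x00")[:PART_TABLE_OFF]
    table = b""
    for i in range(4):
        status = 0x80 if i == active_index else 0x00
        ptype, lba, count = (0x06, 63, 204800) if i == 0 else (0x00, 0, 0)
        table += struct.pack(ENTRY, status, b"\x01\x01\x00", ptype, b"\xfe\xff\xff", lba, count)
    return boot + table + b"\x55\xaa"


def parse_mbr(sector):
    """Split a 512-byte sector into boot-code hash, partition table and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY, sector[off:off + 16])
        parts.append({"active": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {
        "boot_hash": hashlib.sha256(sector[:PART_TABLE_OFF]).hexdigest(),
        "active": [i for i, p in enumerate(parts) if p["active"]],
        "partitions": parts,
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def check_mbr(sector, baseline):
    """Compare a sector against a baseline parsed from the known-clean disk.
    Returns a list of findings; an empty list means nothing changed."""
    now = parse_mbr(sector)
    findings = []
    if not now["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if now["active"] != baseline["active"]:
        findings.append(f"active partition changed: {baseline['active']} -> {now['active']}")
    if now["boot_hash"] != baseline["boot_hash"]:
        findings.append("boot code differs from baseline")
    return findings


# Constructed samples. CLEAN_CODE is the usual start of a DOS-era MBR
# (cli; xor ax,ax; mov ss,ax; mov sp,7C00h); VIRUS_CODE stands in for a
# boot virus that has overwritten it and re-pointed the active flag.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
VIRUS_CODE = b"\xeb\x3c\x90" + b"DEMO-BOOT-VIRUS"

CLEAN_MBR = build_mbr(CLEAN_CODE, active_index=0)
INFECTED_MBR = build_mbr(VIRUS_CODE, active_index=1)
BASELINE = parse_mbr(CLEAN_MBR)


def demo():
    return {
        "clean": check_mbr(CLEAN_MBR, BASELINE),
        "infected": check_mbr(INFECTED_MBR, BASELINE),
        "no_signature": check_mbr(CLEAN_MBR[:510] + b"\x00\x00", BASELINE),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```

On a real image the sector comes from the first 512 bytes of the raw device (or of a dd copy); the baseline should be taken from a known-good install of the same machine, since the boot code differs between operating systems and vendors.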


Macro Virus
Takes advantage of the macro language (VBA) built into programs like MS Office
Transfers itself from one file to another and from one computer to another via file attachments or shared files
When the file is opened the program calls the infected macro (an auto-running macro such as AutoOpen or Document_Open) and the virus runs
Can also take control when the user clicks, say, File/Open or File/Save (a macro with the built-in command's name replaces that command), or even when the user presses a certain key
In MS Word it can save itself as part of the NORMAL.DOT global template; then every .doc file created or saved afterwards is infected
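Added example, not from the slides: a heuristic scanner for the traits just described. It looks for macros with auto-running names (AutoOpen, Document_Open ...), macros named after built-in Word commands (FileSave, FileSaveAs ...), and references to NORMAL.DOT and to the VBA project object that a self-copying macro needs. Both VBA samples are constructed for the example and are not real virus code; the weights and the verdict thresholds are assumptions.

```python
import re

# Macro names that Word/Excel run on their own; a macro virus hooks one of
# these so that it executes as soon as the document is opened or closed.
AUTO_TRIGGERS = {"autoopen", "autoexec", "autoclose", "autonew", "autoexit",
                 "document_open", "document_close", "document_new", "workbook_open"}
# A Sub named after a built-in Word command replaces that command, which
# is how a macro virus runs when the user clicks File/Open or File/Save.
BUILTIN_COMMANDS = {"fileopen", "filesave", "filesaveas", "fileclose", "toolsmacro"}

# (pattern, explanation) pairs: things that ordinary document macros rarely do.
SUSPICIOUS = [
    (r"\bNormalTemplate\b",                        "references the global template NORMAL.DOT"),
    (r"\bVBProject\b|\bCodeModule\b",              "reads or writes VBA code in a document (self-copying)"),
    (r"\bMacroCopy\b|\bOrganizerCopy\b",           "copies macros between templates"),
    (r"\bShell\s*\(|\bCreateObject\s*\(",          "runs external programs or COM objects"),
    (r"\bKill\b",                                  "deletes files"),
    (r"\bEnableCancelKey\b|\bDisableAutoMacros\b", "stops the user interrupting the macro"),
]

SUB_DECL = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)",
                      re.MULTILINE | re.IGNORECASE)


def scan_vba(source):
    """Score VBA source text for macro-virus traits. Returns a report dict."""
    subs = SUB_DECL.findall(source)
    triggers = [s for s in subs if s.lower() in AUTO_TRIGGERS]
    hooks = [s for s in subs if s.lower() in BUILTIN_COMMANDS]
    findings = [why for pat, why in SUSPICIOUS if re.search(pat, source, re.IGNORECASE)]
    score = 2 * len(triggers) + 2 * len(hooks) + len(findings)   # assumed weights
    if (triggers or hooks) and findings:
        verdict = "likely macro virus"   # auto-runs AND does something viral
    elif triggers or hooks or findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"subs": subs, "triggers": triggers, "hooks": hooks,
            "findings": findings, "score": score, "verdict": verdict}


# Constructed samples (not real virus code): the first copies itself into
# the global template on open and hijacks File/Save As; the second is an
# ordinary formatting macro.
INFECTED_VBA = """
Private Sub Document_Open()
    On Error Resume Next
    Application.EnableCancelKey = wdCancelDisabled
    Set Host = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
    Set Me_ = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
    Host.InsertLines 1, Me_.Lines(1, Me_.CountOfLines)
End Sub

Sub FileSaveAs()
    ActiveDocument.SaveAs FileFormat:=wdFormatTemplate
End Sub
"""

CLEAN_VBA = """
Sub FormatReport()
    Selection.Font.Bold = True
    Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter
End Sub
"""

if __name__ == "__main__":
    for name, src in (("infected", INFECTED_VBA), ("clean", CLEAN_VBA)):
        r = scan_vba(src)
        print(f"{name}: {r['verdict']} (score {r['score']}) {r['findings']}")
```

Real documents store the macros inside the OLE/OOXML container rather than as plain text, so in practice the VBA source is first extracted (for example with an OLE parser) and then fed to a scanner like this one.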


Network Virus
Makes use of network protocols
Can transfer its code to a remote workstation or network
Can run its own code, or push users into running the code, on remote machines
Generally a companion type of virus: it does not alter existing files
Infiltrates computer memory from the network
Calculates and records the network addresses of other computers
Sends copies of itself to those computers


Starting Unauthorized Programs


How anti-virus software works


Antivirus programs detect viruses in two ways
By signature: a unique string of bits (a binary pattern) taken from the virus. A virus signature is like a fingerprint: it can be used to detect and identify a specific virus. The scanner compares files against a database of known signatures. It cannot detect new viruses because their signatures aren't in the database yet; the vendor needs a sample of the new virus to analyse first.
By behaviour, called heuristic analysis: the scanner notices a program doing virus-like things, such as trying to infect (modify) another executable file. This can catch a virus nobody has seen before, at the cost of occasional false alarms.
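As an added example (not the slides' own material), the two detection methods side by side on constructed files. signature_scan finds a known pattern in a file and misses an unknown one; run_and_watch runs a program in a scratch directory and reports which existing files it changed, which is how a behavioural scanner notices a virus infecting another executable. The signature database, the two virus bodies and the stub executables are all constructed; nothing here is a real sample.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed signature database: (name, byte pattern). Real engines keep
# far longer patterns with offsets and wildcards; the idea is the same.
SIGNATURES = [
    ("Demo.Appender", b"\xeb\x3c\x90DEMO-VIRUS-BODY"),
]

# Two constructed "viruses": one the database knows, one brand new.
KNOWN_BODY = b"\xeb\x3c\x90DEMO-VIRUS-BODY"
NEW_BODY = b"\xeb\x3c\x90NEW-STRAIN-2011"


def signature_scan(data):
    """Signature method: return the names of every known pattern found in data."""
    return [name for name, pattern in SIGNATURES if pattern in data]


def snapshot(root):
    """Hash every regular file under root (content, not size or timestamp)."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).iterdir() if p.is_file()}


def run_and_watch(root, program):
    """Behavioural (heuristic) method: run program(root) and report which
    files that already existed were modified by it."""
    before = snapshot(root)
    program(root)
    after = snapshot(root)
    return sorted(name for name in before if name in after and after[name] != before[name])


def new_strain_infector(root):
    """Stands in for an unknown appending virus: tacks its body onto every .exe."""
    for p in Path(root).glob("*.exe"):
        p.write_bytes(p.read_bytes() + NEW_BODY)


def honest_program(root):
    """A legitimate program that only writes its own output file."""
    Path(root, "report.txt").write_text("all good\n")


def demo():
    with tempfile.TemporaryDirectory() as root:
        for name in ("calc.exe", "notepad.exe"):
            Path(root, name).write_bytes(b"MZ" + b"\x00" * 64)   # constructed stub executables
        return {
            "known_by_signature": signature_scan(b"MZ" + b"\x00" * 64 + KNOWN_BODY),
            "new_by_signature": signature_scan(b"MZ" + b"\x00" * 64 + NEW_BODY),
            "honest_by_behaviour": run_and_watch(root, honest_program),
            "new_by_behaviour": run_and_watch(root, new_strain_infector),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The behavioural check flags the new strain that the signature check misses, which is the whole argument for heuristics; the price is that any legitimate installer or patcher that rewrites executables will trip the same rule and has to be whitelisted.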


Infection Methods
Direct infection: the simplest method. Every time the user opens the infected file or runs the infected program the virus spreads to another file. These are easy to detect.
Fast infection: the virus infects every file accessed by the infected program. If the program it rides on is your virus checker, it will infect every file on the system when you run a scan.
Slow infection: the virus only infects newly created files or files modified by a legitimate program. Harder to detect, because the files are only touched by legitimate programs like Windows Explorer.


Sparse infection: infects only occasionally, so it spreads slowly and unpredictably and draws less attention
RAM-resident infection: buries itself in RAM and any program or file opened afterwards is infected. Boot sector viruses spread this way.


Ways to avoid detection


Stealth
Viruses are usually detected because they change the size, time and date stamps of infected files
A stealth virus tries to avoid making visible changes to infected files (restoring the timestamps, keeping the size the same, or intercepting reads so the file appears clean), so an integrity check that only looks at size and dates will miss it; a checksum or hash of the content will not
Boot sector viruses are always stealth viruses, like call forwarding: when you boot the system the virus starts, then loads a copy of the real boot sector so that the machine appears to boot normally
Polymorphism
The virus changes its appearance (for example by encrypting its body under a different key) every time it infects a file, so its signature changes
But it still must keep some small constant part: a decryption routine, and a marker so the same file doesn't keep getting infected over and over
Anti-virus developers can find these small signatures given time; this is one reason why you need to keep updating your virus database
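Added example (not from the slides) for the two evasion techniques above. The first half shows why a stealth virus defeats a size/timestamp check but not a content hash: the constructed stealth_modify overwrites part of a file in place and puts the timestamps back. The second half builds three polymorphic variants of one constructed body by XOR-encoding it under different keys: a signature taken from the body matches none of them, but the constant decryptor stub (the "small signature" the slide mentions) matches all three. STUB and BODY are placeholders, not real virus code.

```python
import hashlib
import os
import tempfile
from pathlib import Path


# ---- Stealth: size and timestamps are not integrity ----------------------

def stat_fingerprint(path):
    """What a naive checker looks at: size and modification time."""
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns)


def hash_fingerprint(path):
    """What a real integrity checker looks at: a hash of the content."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def stealth_modify(path, payload):
    """Constructed stealth-style infection: overwrite the tail of the file
    in place (so the size is unchanged) and put the timestamps back."""
    st = os.stat(path)
    data = bytearray(Path(path).read_bytes())
    data[-len(payload):] = payload
    Path(path).write_bytes(data)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo_stealth():
    with tempfile.TemporaryDirectory() as d:
        target = Path(d, "host.exe")
        target.write_bytes(b"MZ" + b"\x00" * 1000)          # constructed host program
        stat_before, hash_before = stat_fingerprint(target), hash_fingerprint(target)
        stealth_modify(target, b"DEMO-STEALTH-BODY")
        return {
            "stat_check_noticed": stat_fingerprint(target) != stat_before,   # False
            "hash_check_noticed": hash_fingerprint(target) != hash_before,   # True
        }


# ---- Polymorphism: the body changes, the decryptor does not ---------------

# Constructed decryptor stub (stands in for the few bytes of real code that
# XOR the body back); it is followed by a one-byte key and the encoded body.
STUB = b"\x8a\x07\x32\xc2\x88\x07\x47\xe2\xf9"
BODY = b"DEMO-VIRUS-BODY"


def make_variant(body, key):
    """Encode body under key; every key gives a file with different bytes."""
    return STUB + bytes([key]) + bytes(b ^ key for b in body)


def decode(variant):
    """What the stub does at run time: read the key, XOR the body back."""
    key = variant[len(STUB)]
    return bytes(b ^ key for b in variant[len(STUB) + 1:])


def demo_polymorphism(keys=(0x11, 0x5a, 0xa3)):
    variants = [make_variant(BODY, k) for k in keys]
    return {
        "distinct_variants": len(set(variants)),                   # 3: every copy looks different
        "body_signature_hits": sum(BODY in v for v in variants),   # 0: a body signature misses all
        "stub_signature_hits": sum(STUB in v for v in variants),   # 3: the constant stub matches all
        "all_decode_to_body": all(decode(v) == BODY for v in variants),
    }


if __name__ == "__main__":
    print(demo_stealth())
    print(demo_polymorphism())
```

A scanner that wants to survive polymorphism therefore signatures the decryptor, or emulates it and scans the decoded body; a stealth virus that hooks the file-read path can fool even the hash check from inside the infected system, which is why integrity checks are best run from clean boot media.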


Retaliators
Attack anti-virus programs directly: either modify the anti-virus program so that it can't detect the virus, or infect the anti-virus program itself
It can be a race to see which finds the other first


Worms
A piece of software that copies itself somewhere else
The term is taken from the book The Shockwave Rider (John Brunner, 1975), in which a "tapeworm" is a self-replicating piece of code
A stand-alone program: unlike a virus it does not attach itself to or modify other files
Makes copies of itself from one drive to another, or copies itself using email or another transport mechanism
Can move very quickly: the Code Red worm in 2001 infected over 250,000 machines in 9 hours


Worms cont.
Some worms have built-in DoS attacks, web site defacements or some other surprise
Just their propagation is in effect a DoS attack because of the drain on resources: scan traffic may crash routers, overload networks and tie up computer processing capacity


How worms spread


Spread through always-on Internet connections
Four common ways to spread:
Email: the worm searches for the email program's address book and mails itself to everyone in it. The attachment may be described as a graphic file, an electronic greeting card or a text file (MyDoom worm). People are more likely to open these emails because they come from people they know. Once opened, the worm searches for that computer's address book, and so on.


IRC channels or instant messaging services: IRC networks are groups of chat rooms. The worm sends an enticing message to everyone in the chat room; if the file is downloaded and run, the worm spreads.
Internet worms: scan other computers for open ports, or, like the Santy worm, use a search engine (Santy searched for sites running the phpBB bulletin board). They don't waste time trying to infect computers that won't help them spread (like computers running Mac OS X).
Malicious web pages: use ActiveX controls to pass the worm onto visitors to the web site. Only effective on computers running Windows and using IE; Firefox and Opera don't run ActiveX.


Trojan Horse
An unauthorized program contained within a legitimate program that performs functions unknown to the user
Usually waits for a trigger event to occur: a date, a message etc.
Can:
Open back doors to the system
Allow someone to take control of the computer
Destroy files
Send emails
Display messages


How do you get a Trojan Horse?


Email attachments
Chat rooms
File sharing
Physical access to the machine
Web browser
Attackers use port scanners to find open ports (vulnerable services) and install the code themselves; the user is infected without doing anything
Once installed, a Trojan can be used by people other than the creator of the code: lists of infected computers can be sold


Remote Control Trojans


A self-contained program waiting for commands issued by a remote user
The local user doesn't know what the computer is doing
Most have auto-start capabilities so the program starts whenever the computer is booted: the code can be joined to something like explorer.exe, or system files or the Windows Registry can be modified
Has a server part and a client part: when the user unwittingly runs the Trojan, their machine becomes the server; the attacker then uses the client to connect to it


Backdoor Sub Seven Trojan


According to SANS, a popular and widely used Trojan with multiple parts
First is the Sub Seven server, which allows the attacker to connect to the computer
The EditServer part defines the characteristics of the infection: it modifies the server, chooses the auto-start technique, alters the victim's system, and determines whether to notify the attacker when the computer is online
A port redirector and port scanner, to find new targets
Can do things like turn the monitor on/off, open/close the CD drive, reverse the mouse buttons, record images from an attached video camera, record screenshots


Types of Trojan Horses


Remote Access Trojans (RAT)
Allow attackers to do more on the machine than the person sitting at it: access to files, passwords etc.
Server and client parts; servers tend to be large programs (often a MB or more)
Can use an existing back door to send the server file, or use a binder program to join the RAT to a real program (typically game demos or trial versions)
Password-Sending Trojans
Steal cached passwords and email them to the attacker


Keyloggers
Capture keystrokes and email them to the attacker periodically; some have an online/offline option
Destructive
Destroy and delete files; can work like a logic bomb, becoming active when certain conditions are met
DoS or Mail Bomb Trojans
Infect as many machines as possible and then have all of them bombard a target with non-filterable emails
Proxy/Wingate Trojans
Turn the victim's computer into a zombie (proxy) that can be used by the attacker, or the whole world, for illegal activities
Software Detection Killers
Attack anti-virus/firewall programs; then the attacker has free access to the machine


To avoid worms and Trojan Horses


Eventually your computer will be attacked by one of these
You need to detect and remove them and prevent them from coming back
Use an antivirus program (a free one is OK)
For protection from RATs get a dedicated anti-Trojan program like BOClean, The Cleaner, Hacker Eliminator or TrojanHunter
Use a firewall to block ports
Install all operating system updates
Consider not using the most popular software (Windows and Office): use Linux, BSD, Macs, OpenOffice
Don't use Windows Outlook or Outlook Express for email; use Thunderbird, Pegasus Mail or Eudora
If you must use IRC, use Visual IRC, XiRCON or X-Chat
Disable Microsoft IM (Instant Messenger)


Adware and Spyware


Usually delivered in email attachments, downloaded as part of another piece of software, or downloaded from a web site (possibly alongside a tracking cookie)
Adware does things like:
Redirecting the start page of your Internet browser
Making changes to the browser
Replacing search functions within the browser
Generating pop-up ads
Spyware is a program that sends information over the Internet to its makers for marketing purposes without notifying the user:
Browsing habits
Hardware and software in the system
Often downloaded as part of other functional software


Read the EULA


Often take advantage of the fact that most users do not read the End User License Agreement (EULA), or they make the text so convoluted that no one knows what it means
Often very difficult to remove adware or spyware because the program makes complex changes to the computer system; sometimes you have to reformat the hard drive and reinstall the operating system


Avoiding Adware and Spyware


If possible don't use Windows: most malicious code is written against Windows
Use a safe browser (Firefox or Opera), or even better use VMware Player and the Browser Appliance, which creates a virtual computer in memory that runs Firefox under Ubuntu Linux
Install a firewall
Monitor your startup programs: System Mechanic, Process Guard, MalWhere and Startup Manager display a list of startup programs
Run anti-spyware programs; the problem is that some spyware developers are making deals with anti-spyware companies


Blended Threats
Combine viruses, worms, Trojan Horses and other malicious code
Effective because most security products cannot prevent the attack; they just advise the user after the fact
Sometimes it is better to shut down the network if there's an imminent threat and wait for patches and detection routines


Why do people write viruses?


Why take the time to write and test code that will be destructive and harmful to someone you don't know? Several possible reasons:
In the early days it was often for fun, as a challenge of the writer's skill; viruses tended to be annoying, not destructive (e.g. the Stoned virus)
For notoriety: increased reputation in the underground virus community
To get a job: virus writers are often hired by Internet security companies
As part of your job: governments, terrorist groups and corporations are all capable of hiring virus writers to attack enemies
Because they can, and they most often get away with it


Virus Hoaxes
Can be as costly as, or more costly than, real viruses: time is wasted trying to detect or remove a virus that doesn't exist, and users may delete legitimate system files (e.g. the Teddy Bear hoax: http://www.hoax-slayer.com/teddy-bear-virus-hoax.html)
Virus hoaxes:
Contain a warning message about a virus
Usually come from an individual or company, but cite no source
Warn not to read or download the "virus"; preach salvation by deletion
Describe the virus as having horrific powers
Usually contain many words in caps and exclamation marks
Urge the reader to forward the email
Seek credibility by citing a credible source, claiming the source says the virus is bad or has them worried
Use baseless technical jargon
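An added example (not in the slides): a scorer that applies the hoax checklist above to an email body. Five of the traits are encoded as regular expressions; the caps and exclamation-mark features are computed directly. Both messages are constructed, and the weights and thresholds are assumptions chosen for illustration, so a real mail filter should treat the score as one signal among many.

```python
import re

# Each rule: (label, regex). Together they encode the checklist above.
RULES = [
    ("warns about a virus",     r"\bvirus\b"),
    ("preaches deletion",       r"\b(delete|remove)\b.*?\b(file|it)\b"),
    ("horrific powers",         r"\b(destroy|wipe|erase|burn|melt|fry)\b.*?\b(hard ?drive|disk|computer)\b"),
    ("urges forwarding",        r"\b(forward|send)\b.*?\b(everyone|everybody|contacts|friends)\b"),
    ("name-drops an authority", r"\b(microsoft|ibm|aol|norton|mcafee|symantec|fbi)\b"),
]


def score_hoax(text):
    """Return the matched traits, the style features and an overall verdict."""
    flags = re.IGNORECASE | re.DOTALL
    matched = [label for label, pat in RULES if re.search(pat, text, flags)]
    words = re.findall(r"[A-Za-z']+", text)
    shouting = [w for w in words if len(w) > 1 and w.isupper()]   # WORDS IN CAPS
    caps_ratio = len(shouting) / max(len(words), 1)
    exclamations = text.count("!")
    # Assumed weights: one point per trait, one for shouting, one for !!!
    score = len(matched) + int(caps_ratio >= 0.15) + int(exclamations >= 3)
    verdict = "hoax" if score >= 4 else "suspicious" if score >= 2 else "plausible"
    return {"matched": matched, "caps_ratio": round(caps_ratio, 2),
            "exclamations": exclamations, "score": score, "verdict": verdict}


# Constructed messages: a typical chain-letter hoax and a routine IT notice.
HOAX = ("WARNING!!! A new VIRUS is going around. If you get a mail called "
        "'Greetings' DO NOT OPEN it, it will ERASE your entire hard drive. "
        "Delete the file immediately. This was confirmed by Microsoft yesterday. "
        "Please FORWARD this to everyone you know!!!")

NOTICE = ("Our antivirus vendor released new signature updates this morning. "
          "Please run a full scan and report anything unusual to the help desk.")


if __name__ == "__main__":
    for name, msg in (("hoax", HOAX), ("notice", NOTICE)):
        r = score_hoax(msg)
        print(f"{name}: {r['verdict']} (score {r['score']}) {r['matched']}")
```

The word-boundary anchors matter: "antivirus" in the notice does not trigger the virus rule, and the notice scores zero even though it is about malware, which is the distinction the checklist is trying to draw.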

