
Beating a Virus, and the (Trojan) Horse It Rode In On.

Written By: John M. Herron Illustrated (poorly) By: John M. Herron

Objectives:
• Virus history 101
• Virus tricks: How to defunct the defunct
• Virus examples, demo (yay!)
• How to detect an infection
• What do I do if I don’t want this virus?
• Quick (*QUICK*) overview on debugging viruses

In the beginning, man created the virus, and it was bad.
• The first computer virus
– Several stories
  • Pakistani Brain Virus (1986): This is the first widely spread IBM Compatible virus. It is commonly mistaken for the first virus.
  • Apple Virus 1 (1981): Boot sector infecting virus. Possibly created for pirated games.
  • Animal (1975) (Univac): “Guess an animal” game. Copied to other users’ home directories when run.

Types of Malicious Code
• Virus
– MBR Infector
– Boot Sector Infector
– File Infector
– Memory Resident
– Polymorphic
– Multi-Partite
– Macro
– Key loggers
– File Over-writer
– Companion
– ANSI Bomb
– Logic Bomb

• Worm
– These are beginning to merge with other techniques (virus, trojan, backdoor, etc).

• Spyware
– HTTP Redirector
– HTTP Hi-jacker
– Data Miner
– Standard Exploit

• Trojan

Benefits of Computer Viruses:

(This page was intentionally left blank.)

Master Boot Record/Boot Sector Viruses
Boot sector virus (Apple Viruses 1,2,3, “Elk Cloner”), Pakistani Brain (x86)

File Infectors
• Overwriting virus
• COM infector/EXE infector (prepends/appends to the target file)
• NewEXE/PE Infector

Memory Resident Virus
• Intercepts interrupt calls by modifying the interrupt vector table: the int 13h vector is pointed at the virus routine, and the original int 13h handler is saved and called once the virus is done.

Evolved to Stealth Viruses
• Stealth viruses monitor for AV-like activity and feed you false information: they report free space as (freespace + virus_length), free memory as (memfree + virus_length), and show you the original MBR on request rather than the infected one.

More tricks (Polymorphic viruses)
• Modify their code with unimportant commands/data upon each infection.
• Commonly uses NOP, MOV DX,DX, or any redundant assembly command (add ax,2, dec ax,2).
• Makes creating a virus signature much more difficult.

Trojan Horse
• A program disguised as something desirable, but with another program hidden inside of it.
• Examples: /bin/login, WinXPfullCD_reallyworks!!.exe (17k)

Trojan Horse (Unix)

Trojan Horse (DOS/Windows)

ANSI Bomb
• Plain .txt file with ANSI codes
• Example: ←["d";"del *.*"p
• This led to Macro viruses
• DEMO
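As an added illustration (not part of the original slides), a small scanner that finds ANSI.SYS key-reassignment sequences, the ESC [ key ; "string" p form shown in the example above, so a text file can be checked before it is typed to a console with ANSI.SYS loaded. The sample input is constructed.

```python
# Added example: detect ANSI.SYS key-reassignment sequences in a text file.
# Assumed ANSI.SYS syntax: ESC [ key ; "string" p  (key is a number or a quoted char).
# Ordinary colour/cursor sequences end in other final bytes (m, H, J, ...) and are ignored.

ESC = b"\x1b"

def parse_csi(data: bytes, i: int):
    """Parse the control sequence starting at data[i] (which must be ESC '[').
    Returns (final_byte, parameter_bytes, end_index), or None if malformed."""
    j = i + 2
    while j < len(data):
        c = data[j:j + 1]
        if c == b'"':                      # quoted string parameter; may contain any byte
            k = data.find(b'"', j + 1)
            if k == -1:
                return None
            j = k + 1
        elif c.isdigit() or c == b";":     # numeric parameters and separators
            j += 1
        else:                              # first other byte is the final byte
            return c, data[i + 2:j], j + 1
    return None

def find_key_redefinitions(data: bytes) -> list:
    """Return [(offset, raw_sequence)] for every sequence whose final byte is 'p'."""
    hits = []
    i = data.find(ESC + b"[")
    while i != -1:
        parsed = parse_csi(data, i)
        if parsed is None:                 # truncated sequence: nothing more to parse
            break
        final, _params, end = parsed
        if final == b"p":
            hits.append((i, data[i:end]))
        i = data.find(ESC + b"[", end)
    return hits

def is_ansi_bomb(data: bytes) -> bool:
    return bool(find_key_redefinitions(data))

if __name__ == "__main__":
    # Constructed sample: a harmless colour sequence, then a key redefinition
    # that would make the 'd' key type a command (the shape of the slide's example).
    SAMPLE = b'\x1b[31mREADME\x1b[0m\r\n\x1b["d";"echo redefined"p\r\nhave fun\r\n'
    for off, seq in find_key_redefinitions(SAMPLE):
        print(f"key reassignment at offset {off}: {seq!r}")
```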

Macro Viruses
• Written in VBA, VBS, etc.
• Examples: Word, Excel, PowerPoint
• Commonly use “auto” macros in Microsoft Office products.

Worms
• Worms traditionally do not infect files.
• Morris Worm (1988, VAX), Melissa, Calib
• Some of the latest e-mail based worms have brought some of the fastest e-mail servers to their knees within hours of release.
• *Worms are beginning to be integrated with more viral features. Most of the latest also support software updates.

Graphical Virus Payload Demo

Detecting an Infection
Signs to look for on an infected system:
– Decrease in system performance
– Unexpected increase in system activity
– Large amount of new files
– Unexplained decrease in free memory
– Unexplained decrease in free drive space*

Detecting an Infection
Virus “features” that tell you there is an infection:
• Displays a message
• Displays an animated visual effect
• Plays a tune*
• Adds text to infected files (name of virus or virus author’s alias).

How to throw this garbage away
• 1st: Boot from a KNOWN CLEAN source
• MBR virus (in DOS): “fdisk /mbr”
• File infector: Restore the file from the original source / use a trusted anti-virus program
• Worm: Remove suspect files (search for newly created files)
• Trojan: Restore modified files with original clean files.

Problems When Removing Malicious Code
• Automated backups can easily be infected with a virus. (This is a newly increased problem with the automated backup ability of Windows ME and XP.)
• Must be a clean boot device (how many removable disks did you use while you were infected?)

Problems When Removing Malicious Code
• Cannot find/distinguish infected files
• Did not get all infected files removed

Virus Testing/Debugging
• Use a “sandbox” environment (VirtualPC, VMWare, BOCHS, any environment emulator).
• Create a footprint of the “clean” system load.
  – *nix (Tripwire, AIDE, etc)
  – Windows (Tripwire, Winalysis, Regshot (for registry changes))

Virus Testing/Debugging
*Make sure the system cannot reach the live environment before tests

• Run suspect code.
• Re-run analysis utilities to note any changes made to the system.
• If the virus is protected by a compression or encryption agent, LordPE is a good tool to pull a program from RAM back to a file on disk.
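The footprint-then-compare step above, as an added example that is not part of the original slides: a minimal Tripwire-style snapshot of a directory tree (size and SHA-256 per file) and a diff that reports new, removed and modified files, with grown files called out separately because appending file infectors make the host longer (the "large amount of new files" and "decrease in free drive space" signs from the detection slides). The demo tree is constructed in a temporary directory.

```python
# Added example: clean-system footprint and post-run comparison (Tripwire/AIDE in miniature).
import hashlib
import os
import tempfile

def snapshot(root: str) -> dict:
    """Map each file path (relative to root) to (size, sha256 hex)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            result[os.path.relpath(full, root)] = (os.path.getsize(full), h.hexdigest())
    return result

def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify changes between two snapshots; 'grown' = modified files that got longer."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    grown = sorted(p for p in modified if after[p][0] > before[p][0])
    return {"added": added, "removed": removed, "modified": modified, "grown": grown}

def demo() -> dict:
    """Constructed scenario in a temp dir: take the clean footprint, then mimic what a
    run of a suspect sample might leave behind (host file appended to, a file dropped,
    a file deleted) and compare."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "game.exe"), "wb") as f:
            f.write(b"MZ" + b"\x90" * 100)          # constructed stand-in for a host program
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"clean notes\n")
        before = snapshot(root)
        with open(os.path.join(root, "game.exe"), "ab") as f:
            f.write(b"APPENDED")                     # host grows, as with an appending infector
        with open(os.path.join(root, "dropped.com"), "wb") as f:
            f.write(b"new file")                     # newly created file
        os.remove(os.path.join(root, "notes.txt"))   # removed file
        after = snapshot(root)
        return diff_snapshots(before, after)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```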

Debugging Malicious Code
(Requires knowledge of programming/assembly language)
• OllyDbg is a free debugger for Windows to step through a desired program.
• Gdb in Linux is a good, free debugger for watching each assembly command a program is running.
• IDA (from DataRescue) (not free) is a good disassembler if you want to reverse engineer a program to assembly.
• SoftICE (not free) is a good real-time debugging agent where you can stop system operation at will and begin debugging memory or running processes.

Debugging Malicious Code
• If studying a worm, set up a virtual (or separated) network.
• Sniff all traffic from the victim PC.
• If needed, redirect DNS queries to another fake computer (what does it send that computer?)
• If IP, use a router to redirect traffic to the desired computer.

Got Questions?
Contact Information: John M. Herron John.herron@rrc.state.tx.us