Viruses and how they work
Viruses, worms, trojans, malware, rootkit, time bomb. Whatever they are called, these pieces of “rogue software” do primarily three things: (1) slow your computer, (2) destroy your computer, (3) force IT professionals to invent new expletives.
After seeing an influx of viruses come into the shop (especially several variants of the “smart virus” that has been running rampant as of late), we have decided that it was time to set up a test machine to observe and (hopefully) reverse engineer samples of malware that we have been able to extract from various sources.
Before diving headfirst into “abusing” our test machine, it is important to understand the general concepts of what viruses are, what they do, how they propagate, and how some can manage to remain undetected in the presence of even an “up to date” antiviral program.
Various “flavors” of malware operate in several general ways, depending on what kind they are. I will try to give a generalized description of the archetypes here:
VIRUS
Most commonly, anytime our computer gets “sick” we tend to automatically say that it has a “virus”. To be honest, that is not always the case. A true “virus” is a small piece of computer code that attaches itself to another file in order to replicate.
Various forms and infection schemes exist; however, the common denominator is that a virus will (in some fashion) copy itself “into” another file or program. This is done so that whenever the file or program is called, the virus’s code is run at the same time. The virus itself will then execute unwanted changes (like elevated privileges or hiding system files) and try to replicate, depending on the scheme.
WORMS
These buggers are quite different from a normal “virus”. These nasty pieces of software don’t need to attach to a file at all. They spread over networks, using exploits in the network and in various operating systems, leaving a copy anywhere possible. The main result is bottlenecking a network with repeated traffic. Sometimes though, a worm will also make modifications to the “host” machine. This section of code in the program will usually be referred to as a “payload”.
TROJANS
Like the horse used in the Trojan War, a trojan will generally rely on “human error” to get inside. This can be in the form of supposed “helper” programs or even counterfeit versions of software. This is a variant of what is known as “social engineering”. Social engineering is, simply put, performing some method in order to “trick” someone into either giving vital information (passwords) or performing a task (executing a file, opening the back door to the office) or giving access (allowed past security guards).
Trojans perform all sorts of nasty functions from stealing information and capturing key presses, to observing your screen and directly manipulating your computer. Overall, trojans are usually going to be some form of a “back door” to allow someone to use your system resources (including your peripherals) for whatever they want. This can range from purely prank-related controls (guilty.…sorry grandma) like opening and closing the CD tray to administrative functions (this was back in the days of dial-up and I was a teenager; there were obstacles) to taking full control of all system resources (which is why I had a painfully long password for it).
ROOTKIT
Rootkits are a blight. Period. Their big feature is to bury into your operating system and make changes to the core files (for most of you, that’s your Windows Registry). What makes them so evil is that they can subvert antivirus routines to prevent themselves from being detected. This level of access is then used to perform a multitude of functions, depending on what the attacker wants.
If you’re lucky (?) you might have all sorts of things go haywire and you freak out, and you have a clean install and restore performed. If you’re (very) unlucky, keyloggers can be installed to capture your data input (credit card numbers, passwords, etc.) without realizing it until your system performance starts to really drag.
HYBRID
Nowadays, most of what is spreading around is going to be referred to as “hybrid” (or something like it). This is because various malware have started to use combinations of all the aforementioned styles to become even nastier and harder to detect. A worm with a payload would be one example. A rootkit that also distributes copies of itself in all the blank space of a drive would be another.
The most important thing about any kind of malware is the fact that it is going to make changes to the system. What we are interested in is what specifically those changes are. Additionally, we want to observe these changes over a course of time. We also want to look at how it tries to spread.
Changes to the system are going to be (in a Windows system) made in the registry. This database holds ALL of your configuration data in Windows. It’s pretty and it’s cute, and if you edit the wrong thing your computer dies. Not literally…but really close.
In addition to comparing changes to the registry, we also want to take note of any services and processes that appear for no reason. Along with running the virus through a debugger and (if successful) through a disassembler, we can potentially observe the growth of a virus inside the host machine in much the same way as we test the effects of pathogens in lab “organisms”.
We have a dedicated machine almost ready to go. We have a couple of samples we got onto a DVD from a recent infection (oh, it’s nasty) and we are going to let them run rampant while we use diagnostic software to observe the effects. To show you this thing means business, here’s a couple of shots I took of what we got. The first one shows a blank start menu http://www.facebook.com/photo.php?fbid=361325570589555&set=a.273671699354943.68220.269109136477866&type=1&theater
That’s no fun. Nothing there. All the desktop shortcuts are gone. Just poof. If you suddenly have this and vocalize an expletive, it’s ok. This really does suck. But, this thing gets worse: http://www.facebook.com/photo.php?fbid=361325953922850&set=a.273671699354943.68220.269109136477866&type=1&theater
THAT is the Device Manager. It is now not managing much. It is now as useful as that one manager you hated at that one job. This thing has COMPLETELY hidden all the devices and even turned off USB support. Evil!
Malware is out there. Sometimes it’s easy to dodge a bug, such as when it’s attached to a web popup that says, “such and such antivir proggy says you have 15 go-gillian viruses! Click here to remove them!!” And hopefully, everyone out there will immediately just close the window and yell at the popup blocker for being lazy.
There are many methods to infecting a system, including obtaining physical access to the machine. The vast majority of infections are going to be via networks and the Internet, however. Common infectors are popups, email attachments, ad banners, and sometimes even inside of media. Some methods include redirecting network traffic to a false site in order to get a user to pick up an infection from clicking on a hyperlink.
Other methods include using batch files to perform various networking commands to find nodes on a network to get into. Again, performance of a network will be affected as the malware spreads. After getting in, the malware will execute depending on its coding. In the case of a trojan, it will wait for a user to open it. Other methods (such as a virus infecting another file) will include using “exploits” to force its way into operation.
One such exploit (that can occur by accident if a programmer isn’t careful as well) is called a “buffer overflow”. A buffer is a chunk of “space” in memory that a program will use to hold information up to a certain size. Should the software somehow put too much information into the buffer, it will start overwriting “adjacent memory”.
In the case of poor programming design, this can lead to all sorts of unexpected errors and can cause your computer to do some really funky stuff. In the case of malicious code, an attacker can use what is known as a “pointer” (a variable that “points” to the memory address of something else; very useful, very dangerous) to force the operating system to read memory that contains instructions from the virus.
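To make the buffer overflow concrete, here is an added example in C (not code from the original post). It simulates a 16-byte buffer with “adjacent memory” right after it: the unchecked copy spills past the buffer, the checked version refuses input that doesn’t fit, and a sentinel check detects the spill. The region layout, sizes and sentinel value are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simulated memory: a 16-byte buffer followed by 16 bytes of "adjacent
 * memory" standing in for whatever variable happens to live next to it
 * (a counter, a flag, a return address). Sizes are constructed. */
#define BUF_SIZE 16
#define MEM_SIZE 32
#define SENTINEL 0xAA

/* Reset the region: empty buffer, sentinel pattern in the adjacent bytes. */
void init_memory(unsigned char mem[MEM_SIZE])
{
    memset(mem, 0, BUF_SIZE);
    memset(mem + BUF_SIZE, SENTINEL, MEM_SIZE - BUF_SIZE);
}

/* The bug the post describes: copy the whole input, trusting it to fit.
 * Returns how many bytes landed past the end of the buffer (0 if none).
 * The clamp to MEM_SIZE only keeps the simulation itself in bounds. */
size_t copy_unchecked(unsigned char mem[MEM_SIZE], const char *input)
{
    size_t n = strlen(input) + 1;          /* include the terminating NUL */
    if (n > MEM_SIZE)
        n = MEM_SIZE;
    memcpy(mem, input, n);
    return n > BUF_SIZE ? n - BUF_SIZE : 0;
}

/* The fix: check the length against the buffer size before copying.
 * Returns 0 on success, -1 if the input would not fit (caller must handle). */
int copy_checked(unsigned char mem[MEM_SIZE], const char *input)
{
    size_t n = strlen(input);
    if (n >= BUF_SIZE)                     /* no room for data plus NUL */
        return -1;
    memcpy(mem, input, n + 1);
    return 0;
}

/* Detection helper: 1 if the adjacent bytes still hold the sentinel, 0 if
 * something overwrote them (the same idea as a stack canary). */
int adjacent_intact(const unsigned char mem[MEM_SIZE])
{
    for (size_t i = BUF_SIZE; i < MEM_SIZE; i++)
        if (mem[i] != SENTINEL)
            return 0;
    return 1;
}
```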
Many other exploits exist. This is why it’s important to make sure your antivirus software is up to date, and that you install any security updates that are available for your operating system. Vigilance and luck are needed to prevent viruses.