Welcome to the Security 1:1 series of articles
In Part 1 we start right off with Viruses and Worms - get to know the definitions and what differentiates them. Nowadays both terms are quite often used interchangeable but there are still differences between them. We look further more on the classifications and what are the characteristics of each types. We will have a bit historical look at both known and most devastating viruses and worms in the past.
I will provide you as well with references to Symantec write-ups about those threat where both in-depth characteristics and removal processes can be checked. Throughout the series I invite you as well to watch the youtube videos from Norton and Symantec channels introducing various types of threats and attacks - those are shown in really informative (sometimes as well funny) way and are very easy to understand.
The Security 1:1 series consist so far of following articles:
Virus - a malicious program able to inject its code into other programs/applications or data files. After successful code replication the targeted areas become "infected". By definition virus installation is done without user's consent and spreads in form of executable code transferred from one host to another.. Purpose of viruses is very often of a harmful nature - data deletion or corruption on the targeted host leading up to system in-operability in worst case scenario.
Viruses can spread pretty fast over network, shares or removable media. On many occasions the virus spread scenarios are connected with social engineering attacks, where end-users are tricked to execute malicious links or download malicious files, in some other cases malicious email attachments are being opened by end-users which ends in infection. Viruses as already mentioned have as well ability to inject the code in other legitimate executable files - when afterwards run by end-users - the virus code contained in the infected program is being executed simultaneously. Viruses can take avail of known OS security vulnerabilities that allow them to access the target host machines.
Video - Symantec Guide to Scary Internet Stuff: Pests on Your PC - Viruses, Trojans & Worms
Depending on virus "residence" we can classify viruses in following way:
- Resident Virus - virus that embeds itself in the memory on a target host. In such way it becomes activated every time the OS starts or executes a specific action.
- Non-resident Virus - when executed this type of virus actively seeks targets for infections - either on local, removable or network locations. Upon further infection it exits - this way is not residing in the memory any more.
- Boot sector Virus - virus that targets specifically a boot sector (MBR) on the host's hard drive. This type of viruses is being loaded to memory every time when an attempt is being made to boot from the infected drive - this kind of viruses loads well before the OS loads. Boot sector viruses were quite common in the 90s where the infection was spread mostly through the infected floppy disks left in the bootable drives.
- Macro Virus - virus written in macro language, embedded in Word, Excel, Outlook etc. documents. This type of viruses is being executed as soon as the document that contain it is opened - this corresponds to the macro execution within those documents that under normal circumstances is automatic.
A well-known example of a macro virus is Melissa (http://virus.wikia.com/wiki/Melissa) virus , very widespread in that time. The damage caused by it worldwide was estimated on over 1.1 billion dollars. The creator of the virus David L. Smith was sentenced in 2002 to 20 months in federal prison - the maximum sentence could have been much higher though but David agreed to cooperate with federal authorities on finding other virus and malware creators.
W97M.Melissa.A (also known as W97M.Mailissa) is macro virus that has a payload to email itself using MS Outlook. The subject of the e-mail is "Important Message From USERNAME". Melissa is a typical macro virus which has an unusual payload. When a user opens an infected document, the virus will attempt to e-mail a copy of this document to up to 50 other people, using Microsoft Outlook.
Another classification of viruses can result from their characteristics:
- File-infecting Virus (File-Infector) - classic form of virus. When the infected file is being executed the virus seeks out other files on the host and infects them with malicious code. The malicious code is being inserted either at the begging of the host file code (prepending virus); in the middle (mid-infector); or at the end (appending virus). A specific type of viruses called "cavity virus" can even injects the code in the gaps in the file structure itself. The start point of the file executions is changed to the start of the virus code to ensure that it is run when the file is executed - afterwards the control may or may not be passed on to the original program in turn. Depending on the infections routing the host file may become otherwise corrupted and completely non-functional. More sophisticated viral forms allow though the host program execution while trying to hide their presence completely (see polymorphic and metamorphic viruses).
- Polymorphic Virus - this kind of viruses can change its own signature every time it replicates and infects a new file in order to stay undetected from antivirus programs. Every new variation of the virus is being achieved by using different encryption method each time the virus file is being copied. This type of viruses is especially difficult in detection by any detection programs due to the number of variants - sometimes going in hundreds or even thousands.
- Metamorphic Virus - the virus is capable of changing its own code with each infection. The rewriting process may cause the infection to appear different each time but the functionality of the code remains the same. The metamorphic nature of this virus type makes it possible to infect executables from two or more different operating systems or even different computer architectures as well. The metamorphic viruses are ones of the most complex in build and very difficult to detect.
- Stealth Virus - memory resident virus that utilises various mechanisms to avoid detection. This avoidance can be achieved for example by removing itself from the infected files and placing a copy of itself in a different location. The virus can also maintain a clean copy of the infected files in order to provide it to the antivirus engine for scan, while the infected version still remains undetected. Furthermore the stealth viruses are actively working to conceal any traces of their activities and changes made to files.
|The first known full-stealth Virus was "Brain" (http://virus.wikia.com/wiki/Brain) - a type of boot infector. The virus monitors physical disk I/O and redirects any attempt on reading a Brain-infected boot sector to where the original disk sector is stored.
- Armored Virus - very complex type of virus designed to make it's examination much more difficult than in case of traditional viruses. By using various methods armored viruses can also protect itself from antivirus software by fooling it into believing that the virus location is somewhere else than real location - which of course makes the detection and removal process more difficult.
- Multipartite Virus - virus that attempts to attack both the file executables as well as the master boot record of the drive at the same time. This type may be tricky to remove as even when the file executable part is clean it can re-infect the system all over again from the boot sector if it wasn't cleaned as well.
- Camouflage Virus - virus type that is able to report as a harmless program to the antivirus software. In such cases where the virus has similar code to the legitimate non-infected files code the antivirus application is being tricked that is has to do with the legitimate program as well - this would work only but in case of basic signature based antivirus software. As nowadays antivirus solutions became more elaborate the camouflage viruses are quite rare and not a serious threat due to the ease of their detection.
- Companion Virus - unlike traditional viruses the companion virus does not modify any files but instead compromises the feature of DOS that allows executables with different extensions (here .exe and .com) to be run with different priorities. This way where user tries to execute the legitimate "program" without specifying the extension itself and expects program.exe to be run, the virus is run instead - with the program.com executable (as this one is first in the alphabetical order). Companion virus is an older type and became increasingly rare since introduction of Windows XP. Nowadays this kind of viruses can be still unintentionally run if the host machine does not have the option for "show file extensions" activated and user accidentally clicks the companion virus file.
- Cavity Virus - unlike tradition viruses the cavity virus does not attach itself to the end of the infected file but instead uses the empty spaces within the program files itself (that exists there for variety of reasons). This way the length of the program code is not being changed and the virus can more easily avoid detection. The injection of the virus in most cases is not impacting the functionality of the host file at all. The cavity viruses are quite rare though.
|One good example of cavity virus is "Lenigh" (http://virus.wikia.com/wiki/Lehigh) - early DOS cavity infector, that was specifically targeting command.com files and using unused portions of the file's code.
Worm - this malicious program category is exploiting operating system vulnerabilities to spread itself. In its design worm is quite similar to a virus - considered even its sub-class. Unlike the viruses though worms can reproduce/duplicate and spread by itself - during this process worm does not require to attach itself to any existing program or executable. In other words it does not require any interaction for reproduction process - this capability makes worm especially dangerous as they can spread and travel across network having a devastating effect on both the host machines, servers as well consuming network bandwidth. More invasive worms target to tunnel into the host system and from within to allow code execution or remote control from the attacker. Some worms can as well include a viral component that infects executable files.
The most common categorization of worms relies on the method how they spread:
- email worms: spread through email massages - especially through those with attachments
- internet worms: spread directly over the internet by exploiting access to open ports or system vulnerabilities
- network worms: spread over open, unprotected network shares
- multivector worms: having two or more various spread capabilities
Some of the most known and destructive worms (by dates):
Worm created by a student of computer university on Philippines. The worm was arriving in email inboxes with the simple subject of “ILOVEYOU” and an attachment “LOVE-LETTER-FOR-YOU.TXT.vbs”. The final ‘vbs’ extension was hidden, leading unsuspecting users to think it was a text file. Upon opening the attachment, the worm sent a copy of itself to everyone in the Windows Address Book and with the user’s sender address. It also made a number of malicious changes to the user’s system. Symantec Security Response has identified 82 variants of this worm.
More than 45 million computers around the globe have supposedly been infected by various strains of the worm. The Ford Motor Company shut off its email system after being hit by the worm. Some others affected were Silicon Graphics, the Department of Defense (including the Pentagon), Daimler-Chrysler, The Motion Picture Association of America. Estimates of the worm's damage: over $10 billion.
Worm that targeted servers running the Microsoft IIS (Internet Information Server) Web Server. The worm propagates by installing itself into a random Web server using a known buffer overflow exploit, contained in the file Idq.dll. It contains the text string "Hacked by Chinese!", which is displayed on web pages that the worm infected. The original CodeRed had a payload that caused a Denial of Service (DoS) attack on the White House Web server. CodeRed II has a different payload that allows its creator to have full remote access to the Web server.
The reported cost of worm activities: $2 billion
One of the most destructive worms ever. The worm sends itself to all the addresses it finds in the .txt, .eml, .html, .htm, .dbx, and .wab files. It was able to send over a million copies of itself within just a few hours of the outbreak. Sobig was the first of the spam botnet worms. While some worms, like Tanatos, dropped trojans on the computers they infected, Sobig was the first to turn computers into spam relays. The worm was stalling or completely crashing Internet gateways and email servers worldwide.
Total estimated damage costs of the worm: $37 billion.
Blaster Worm is a worm that propagates by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205) affecting both Windows 2000 and Windows XP machines. Once a computer was infected, it displayed a message box indicating that the system would shut down in a couple of minutes. It has also a date triggered payload that launches a DDoS attack against windowsupdate.com.
The Blaster worm shut down CTX, the largest railroad system in the Eastern U.S., for hours, crippled the new Navy/Marine Corps intranet, shut down Air Canada's check-in system. Overall estimated damage caused by the worm: $320 million.
Sasser Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. The worm was written by German Student of Computer Science. It spreads by scanning the randomly selected IP addresses for vulnerable systems. When a vulnerable system is found, a worm on the worm will send shell code to the target computer that attempts to exploit the LSASS buffer overflow vulnerability. Sasser was exploiting the same vulnerabilities used by Blaster - here as well Windows 2000 and XP affected. Sasser also displayed a notice indicating that the system was shutting down.
Security experts estimate that infected computers numbered in the millions. British Airways suffered delays when the worm hit Terminal Four at London's Heathrow Airport. Other affected companies were Sampo Bank in Finnland, Deutsche Post, Delta Airlines Estimated, British Coastguard, French Stock Exchange and the France Presse news agency. Damage costs caused by the worm estimated to: $500 million.
One of the most damaging email worms ever released. Worm was spreading as well through the file sharing systam Kazaa. Worm was arriving as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.
The impact of the worm was experienced worldwide as it was able to cause slowdowns of internet traffic. Estimated reported costs of the worm: $38 billion.
Downadup spreads primarily by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability MS08-067 (BID 31874), which was first discovered in late-October of 2008. It scans the network for vulnerable hosts, but instead of flooding it with traffic, it selectively queries various computers in an attempt to mask its traffic instead. It also takes advantage of Universal Plug and Play to pass through routers and gateways. It also attempts to spread to network shares by brute-forcing commonly used network passwords and by copying itself to removable drives.
It has the ability to update itself or receive additional files for execution. It does this by generating a large number of new domains to connect to every day. The worm may also receive and execute files through a peer-to-peer mechanism by communicating with other compromised computers, which are seeded into the botnet by the malware author.The worm blocks access to predetermined security-related websites so that it appears that the network request timed out. Furthermore, it deletes registry entries to disable certain security-related software, prevent access to Safe Mode, and to disable Windows Security Alert notifications.
It has an extremely large infection base – estimated to be between 10-15 million computers. This is largely attributed to the fact that it is capable of exploiting computers that are running unpatched Windows XP SP2 and Windows 2003 SP1 systems. From interesting facts it is to mention that the vulnerability that allowed Conficker to spread had been patched for a little over a month before the worm appeared. Still, millions of computers were not updated. Estimated damage cost of the worm: $9 billion.
Simple steps to protect yourself from the Conficker Worm
The Stuxnet computer worm is perhaps the most complicated piece of malicious software ever build.
The worm targets industrial control systems in order to take control of industrial facilities, such as power plants. The ultimate goal of Stuxnet is to sabotage such facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries. Stuxnet was discovered in July, but is confirmed to have existed at least one year prior and likely even before. The majority of infections were found in Iran. While the attacker’s exact motives for doing so are unclear, it has been speculated that it could be for any number of reasons with the most probable intent being industrial espionage. Incredibly, Stuxnet exploits four zero-day vulnerabilities, which is unprecedented.
Stuxnet was the first piece of malware to exploit the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (BID 41732) in order to spread. The worm drops a copy of itself as well as a link to that copy on a removable drive. When a removable drive is attached to a system and browsed with an application that can display icons, such as Windows Explorer, the link file runs the copy of the worm. Due to a design flaw in Windows, applications that can display icons can also inadvertently run code, and in Stuxnet’s case, code in the .lnk file points to a copy of the worm on the same removable drive. Furthermore, Stuxnet also exploits the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which was notably used incredibly successfully by W32.Downadup (a.k.a Conficker), as well as the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073). The worm also attempts to spread by copying itself to network shares protected by weak passwords.
The Hackers Behind Stuxnet
Stuxnet 0.5: The Missing Link
Video - Stuxnet: How It Infects PLCs
Video - Stuxnet 0.5: The Missing Link