How viruses work

Davey Winder | Sep 18, 2007 11:38 AM
They will get past your security software. Know your enemy and protect yourself.
Ever felt like you’re fighting a losing battle? That sums up many people’s attitude to computing in the internet age: despite the best efforts of security vendors and software developers alike, malware not only exists, but continues to evolve and plague computer users.

Why does malware continue to thrive? The patronising answer would be that newbie users are behaving like amateurs and ignoring basic security practice. There’s a kernel of truth in that, but it isn’t only the newbie who clicks links they shouldn’t, and it isn’t only the novice who’s fooled into running nefarious executables by technical and social-engineering techniques.

The crux of the problem is that threats have changed dramatically in recent years, with the rise in malware mirroring the rise in broadband popularity. As the number of online users grows, and the technology used to connect to the net becomes simultaneously simpler at the front end yet more complex behind the scenes, so the opportunity to make money expands. And that’s where the answer to the “why?” question can be found: no longer are viruses the hobby of the über-nerd; malware has evolved into what most IT security experts quite rightly refer to as crimeware. Scatter-gun attacks are on the way out; targeted and financially motivated strikes are the new modus operandi.

But while everyone has heard terms such as worm, trojan, phishing and rootkit bandied about, how many people actually understand how they exploit security weaknesses? By understanding how malware works, you get one step closer to stopping it.

Dodgy diagnosis
There’s a great deal of misinformation when it comes to describing malware attacks. The terms worm, virus and trojan are used almost interchangeably, for example, yet the three threats are actually quite distinct.

The quick-and-dirty definition is that a virus spreads by attaching itself to something, and requires human interaction (running a program, forwarding an email attachment) to be distributed and replicated. A worm can self-replicate without any human intervention (sending copies of itself to everyone in your email contacts list, for example) and can exploit your network and the internet beyond to multiply very quickly indeed. The trojan, named after the mythical Trojan horse, hides within another container, be that a file or application, but can’t self-replicate or spread by infecting other files.

Just for fun, we can add the blended threat into the malware mix, combining the worst characteristics of all three: stealth, replication and payload. Using server and internet application vulnerabilities, they can spread rapidly without human intervention, doing vast amounts of damage courtesy of the multiple attack payload (for example, Denial-of-Service, backdoor installation and data theft).


Viruses
Like their biological counterpart, viruses replicate and mutate. Consequently, they can avoid being snared by your security software’s byte-pattern signature detection by changing key text within the code payload, or part of that code themselves, every time they’re copied.
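The point about byte-pattern signatures is easiest to see with a scanner in hand. The following is an added example, not code from the article: two constructed byte strings stand in for two copies of the same virus body that differ only in an embedded text string (no real malware is involved), and a third stands in for a benign program sharing the same prologue. An exact signature cut from the first copy misses the second, while a masked signature that wildcards the mutable region (the same idea as a hex pattern with a variable jump in YARA-style rules) catches both and still ignores the benign file.

```python
import re

# Constructed byte strings standing in for two copies of the same virus body
# (not real malware): a fixed prologue, a text string the author changes
# between copies, then a fixed epilogue.
VARIANT_A = b"\x55\x8b\xec\x83\xec\x40Hello from variant A!\x33\xc0\x5d\xc3"
VARIANT_B = b"\x55\x8b\xec\x83\xec\x40Greetings from copy B.\x33\xc0\x5d\xc3"
# A benign program that happens to share the prologue but not the epilogue.
BENIGN = b"\x55\x8b\xec\x83\xec\x40Legitimate tool banner\x31\xc0\xc9\xc3"

# A naive signature cut from variant A: it spans the mutable text.
EXACT_SIGNATURE = b"\x83\xec\x40Hello from variant A!\x33\xc0"

# A masked signature: the fixed bytes either side of the mutable region,
# with a bounded wildcard in between.
MASKED_SIGNATURE = re.compile(rb"\x83\xec\x40.{5,40}?\x33\xc0\x5d\xc3", re.DOTALL)


def exact_match(data: bytes, signature: bytes = EXACT_SIGNATURE) -> bool:
    """Classic byte-pattern match: hits only if the bytes appear verbatim."""
    return signature in data


def masked_match(data: bytes, pattern=MASKED_SIGNATURE) -> bool:
    """Masked match: tolerates changes inside the wildcard region only."""
    return pattern.search(data) is not None


def scan(samples: dict) -> dict:
    """Return {name: (exact_hit, masked_hit)} for each sample."""
    return {name: (exact_match(body), masked_match(body)) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hits in scan({"A": VARIANT_A, "B": VARIANT_B, "benign": BENIGN}).items():
        print(f"{name:7} exact={hits[0]!s:5} masked={hits[1]}")
```

The trade-off is visible in the wildcard bounds: loosen the masked pattern too far and it starts hitting legitimate code that shares a common prologue, which is why real signatures anchor on as many fixed bytes as the family allows.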

They’ve come a long way since the first-known “in the wild” example, Elk Cloner, was discovered in 1982 on the Apple DOS 3.3 OS, or the first PC virus, (c)Brain, four years later. But today’s viruses can still be divided into two camps: resident and non-resident. The resident variety loads itself into memory upon execution and transfers control to the host program while it infects new hosts as the infected files are accessed. A non-resident virus will check executable files on the system for infection and, if uninfected, replicate before transferring control to the host program. Cavity viruses such as CIH will infect without increasing the host file size, overwriting unused parts of the executable, in an effort to make antivirus software detection harder.

The type of virus that downs millions of computers worldwide is almost unheard of these days, but that doesn’t mean the threat has evaporated – it’s merely evolved.

Drive-by downloads
The goal of a typical web-based attack is to install malware on the victim’s PC. One of the most common methods used today is the injection of malicious code into otherwise innocuous web pages – the so-called drive-by download. This involves squirting code directly into a program or script from an external source to await execution. So it’s possible to create a text file containing PHP code relating to server A, and have it executed on the exploited server B. One of the reasons code injection is so popular is the availability of kits that can be bought online, making it easy to create malicious code to install spyware, viruses or launch phishing attacks.

Once an appropriate web host is found, the code is injected and the victim is lured by being redirected from another site or via a link embedded in spam. “In a typical attack,” Fraser Howard, principal virus researcher at Sophos, explains “the hacker will have embedded additional iframes onto the web page, often indiscernible to your average web user. These iframes silently load content, which usually attempts to exploit browser vulnerabilities in order to infect the victim’s PC.”

While many of these drive-by downloads are hosted on custom domains registered and set up specifically for the job, a growing number of cybercriminals are injecting malicious code onto legitimate web pages. “During the week before the Miami Dolphins were due to host the Super Bowl earlier this year, malicious code was hosted on the team’s website as hackers tried to take advantage of the influx of visitors to the site,” said Howard. Another tactic is to compromise a web server, as this enables the hackers to inject their code into many sites in a single strike, again increasing the number of potential victims.
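Howard’s “indiscernible” iframes are something a site owner can check for. The following is an added example, not code from the article or from Sophos: it parses a constructed page (hostnames use the reserved .invalid TLD) with Python’s standard HTML parser and reports any iframe that a visitor would not see, either because it is 0x0 or 1x1 pixels or because it is hidden by style, noting when such a frame also loads content from another domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page standing in for a compromised site (not a real capture).
# The last two iframes are the pattern described above: effectively
# invisible and loading third-party content.
SAMPLE_HTML = """
<html><body>
<h1>Team news</h1>
<iframe src="https://www.team.invalid/schedule" width="600" height="400"></iframe>
<iframe src="https://video.partner.invalid/embed/123" width="640" height="360"></iframe>
<iframe src="http://x.attacker.invalid/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://y.attacker.invalid/c.php" style="display: none"></iframe>
</body></html>
"""

HIDDEN_STYLES = ("display:none", "visibility:hidden")


class IframeAuditor(HTMLParser):
    """Collects each <iframe> that looks hidden, with the reasons."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()   # registrable domain of the page
        self.findings = []                   # (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []

        # Size-based hiding: 0x0 or 1x1 frames are invisible to the visitor.
        for dim in ("width", "height"):
            value = a.get(dim, "").strip().lower()
            if value.endswith("px"):
                value = value[:-2]
            if value.isdigit() and int(value) <= 1:
                reasons.append(f"{dim}={value}")

        # Style-based hiding.
        style = a.get("style", "").replace(" ", "").lower()
        if any(h in style for h in HIDDEN_STYLES):
            reasons.append("hidden by style")

        if not reasons:
            return  # a visible iframe is not what we are after

        # A hidden frame pulling content from elsewhere is the classic sign.
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.page_host and not host.endswith("." + self.page_host):
            reasons.append(f"third-party src ({host})")
        self.findings.append((src, reasons))


def hidden_iframes(html: str, page_host: str) -> list:
    """Return [(src, reasons)] for iframes that a visitor would not see."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    return auditor.findings


if __name__ == "__main__":
    for src, reasons in hidden_iframes(SAMPLE_HTML, "team.invalid"):
        print(src, "->", ", ".join(reasons))
```

Run over a site’s own pages on a schedule, a diff of this report against the previous run is a cheap way to notice an injection like the one Howard describes before visitors do.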

Worms
Worms come in several species, but can be divided into four main categories. Email worms are the most prevalent and typically spread as a file attachment, hijacking the email system and sending themselves to the entire contacts list. “They often rely on social-engineering tricks to tempt the user into running the attached file,” says David Emm, senior technology consultant at Kaspersky Lab. “Or the worm’s code may be embedded as script in an HTML email message, or arrive as a link to malicious code.”

Internet worms spread directly over the internet or LAN. “They get a foothold on the system by exploiting an OS or application vulnerability, and then look for other vulnerable systems to infect,” explains Emm. IM worms use links within the messaging software to infect local contact lists, while P2P worms target file-sharing system users with the worm copying itself to a shared folder and letting the P2P network do the rest.

Regular security updates – such as the Microsoft Patch Tuesday run – are worm killers, since they reduce the vulnerabilities left to exploit. As a result, the good news is that “worms account for just a small percentage of today’s threats, around 5%,” according to Emm.

Trojans
The weapon of choice for the criminal malware underground is the trojan. According to Symantec, “increasingly, trojans are the first stage of an attack, and their primary purpose is to stay hidden while downloading and installing a stronger threat such as a bot. Trojans are crimeware, and the creation and distribution of these programs is on the rise. Along with spyware, they’re now 37% of all the malware Symantec processes on a weekly basis.”

Take the recent Trojan.Bayrob, for example, targeted at second-hand car purchasers on Ebay. This is a highly efficient attack, where victims are sent an email about a car for sale, complete with a slideshow of images. While the victim views the slideshow, the trojan is silently installed in the background. “The email most likely contains two different components that are crucial for the attack to succeed. It contains a link to a real Ebay auction and an executable. This executable is a dropper that plants two files into the ‘c:\documents and settings\[current user]\local settings\Temp\’ folder, both named kvet*.exe. One file is the clean slideshow app, and the other is the trojan,” Symantec claims.

If the victim clicks on a link to visit the Ebay auction, the trojan already running in the background will start intercepting that traffic. Check the seller feedback and they’re presented with a fake feedback page by the trojan instead, showing an excellent sales record of course. If the victim decides to buy from the trustworthy seller, that’s the last they’ll see of their money.

That’s just one clever example of a trojan payload: others include installing a backdoor (so-called remote access trojans, or RATs) enabling your PC to be used as part of a spamming or DoS botnet, the encryption of data files as part of a cryptoviral blackmail scam, dropping other malware onto your system, or logging keystrokes and screen capture for ID theft purposes.

You can reduce the risk of trojan attacks by never opening unsolicited email attachments, downloading porn or indulging a trigger-happy link-clicking finger. Sometimes, the odds are stacked against you. Earlier this year, some TomTom Go 910 units came preinstalled with the win32.Perlovga.A trojan and TR/Drop.Small.qp on the device’s hard drive, ready to copy over to a Windows-based PC when the device was connected for updates.


Rootkits
A threat needs to remain undetected by the user and their antivirus software to deliver maximum value from its malware payload. One of the favoured methods of delivery is a rootkit. Often modifying parts of the operating system or installing themselves as drivers or kernel modules, rootkits serve simply to conceal running processes and exist on both Windows and Linux.

While the rootkit itself isn’t harmful, the files running within it can be highly malicious. “A rootkit may hide an application that spawns a shell when the attacker connects to a particular network port on the system,” explains Mark Yason, lead X-Force malware scientist for IBM Internet Security Systems. “Kernel rootkits may include similar functionality. A backdoor may also allow processes started by a non-privileged user to execute functions normally reserved for the superuser.

“A major use for rootkits is allowing the programmer to access usernames and login information for sites that require them. This makes the rootkits hazardous, as it allows trojans to access this personal information while the rootkit covers it up.”

W32.Mytob.AR is a good example of rootkit malware. Complete with mass-mailing and bot functionality, it uses the FU rootkit to hide its system processes. Upon execution, it will drop and run the rootkit loader (winsystem.exe), which will then drop and load the rootkit kernel mode driver (msdirectx.sys) by creating and starting a service. This then hides all of Mytob’s processes by instructing the kernel mode driver to hide the specified PIDs using DeviceIoControl().

Spyware
We couldn’t finish this look inside malware without mentioning the two words that drive fear and loathing into the minds of most IT users: spyware and phishing. Spyware is generally defined as software that collects personal data without the informed consent of the user. Everything from collecting passwords and financial information for identity theft and fraud, through to recording internet search histories and targeted advertising can be accomplished with spyware. Spyware isn’t self-replicating, like viruses and worms, but relies upon user deception or software vulnerability.

Spyware can be broken down into three elements that serve a unique role in the success of the threat: stealth, survival and objective. Obviously, if it can remain undetected on the target PC then its chances of success are greater, and stealth plays its part when trying to avoid detection by the main spyware predator, antimalware software.

Although spyware authors employ a number of stealth tactics, some of the most common are revealed by Chris Spencer, senior security researcher with PC Tools, developers of Spyware Doctor. “Once executed, stealth spyware will reside in process memory and then remove all traces of itself in the file system. Antimalware products that only scan files rather than checking running processes for an infection can miss these threats. Spyware files may unpack or decrypt as they execute, but always with a different body on the file system, so ensuring they can’t be statically identified. Also, rootkit components loaded into the system kernel itself are used to hide spyware.”
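Both of these stealth tricks, a rootkit hiding PIDs (the Mytob example above) and spyware that runs from memory after deleting its own file (Spencer’s description), can be caught by comparing views that the hider has to keep consistent. The following is an added example, not code from the article or from any of the vendors quoted, and it assumes a Linux host (the Windows equivalent compares a Toolhelp process snapshot against a brute-force walk of PIDs in the same way). It takes a cross-view of the process table, listing /proc on one side and probing every PID with a null signal on the other, and separately lists processes whose /proc/<pid>/exe link is marked “(deleted)”, which is exactly the memory-resident case a file-only scanner misses. The demo function starts a harmless copy of the system sleep binary, removes the file and shows that the check still finds it.

```python
import os
import shutil
import subprocess
import tempfile
import time


def pids_from_proc() -> set:
    """High-level view: the PIDs /proc lists (what ps and top show)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_probe(max_pid: int = 65536) -> set:
    """Low-level view: ask the kernel about every PID directly with signal 0.

    A PID that answers here but is missing from the directory listing is a
    candidate for something hiding it. The default range keeps the scan quick;
    pass int(open('/proc/sys/kernel/pid_max').read()) for full coverage.
    """
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)  # exists, just owned by another user
    return found


def hidden_pids(listed: set, probed: set) -> list:
    """PIDs the low-level view knows about but the high-level view omits."""
    return sorted(probed - listed)


def own_pid_is_visible() -> bool:
    """Sanity check: our own process must appear in both views."""
    me = os.getpid()
    return me in pids_from_proc() and me in pids_from_probe(me)


def deleted_exe_pids() -> list:
    """Running processes whose executable has been removed from disk.

    The kernel keeps the mapping alive and appends ' (deleted)' to the
    /proc/<pid>/exe link target, so the process lives on with no file to scan.
    """
    result = []
    for pid in pids_from_proc():
        try:
            target = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel threads, exited, or not ours to inspect
        if target.endswith(" (deleted)"):
            result.append((pid, target))
    return result


def demo_memory_resident_process() -> bool:
    """Start a harmless process, delete its binary, confirm the check flags it.

    A copy of the system 'sleep' binary stands in for a stealth program; the
    copy keeps the name 'sleep' so multi-call binaries such as busybox still
    run it. Returns True if deleted_exe_pids() reports the child.
    """
    sleep_bin = shutil.which("sleep")
    if sleep_bin is None:
        raise RuntimeError("no 'sleep' binary available for the demo")
    workdir = tempfile.mkdtemp()
    copy = os.path.join(workdir, "sleep")
    shutil.copy2(sleep_bin, copy)
    proc = subprocess.Popen([copy, "30"])
    try:
        time.sleep(0.2)   # let exec() complete before unlinking
        os.unlink(copy)   # file gone; the process keeps running from memory
        return proc.pid in {pid for pid, _ in deleted_exe_pids()}
    finally:
        proc.kill()
        proc.wait()
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print("hidden PIDs:", hidden_pids(pids_from_proc(), pids_from_probe()))
    print("deleted-exe processes:", deleted_exe_pids())
    print("demo flagged the memory-resident process:", demo_memory_resident_process())
```

A live cross-view can show transient differences from processes that exit between the two enumerations, so a hit should be re-checked before anyone reaches for a rescue disk; a PID that stays hidden across several passes is the signal worth acting on.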

When it comes to survival – the ability to remain resident on a PC despite rebooting and even disinfection – spyware can entrench itself within a load-point location where it can be executed automatically. “By adding a Registry run key it can load each time the user starts the PC, and Browser Helper Objects are used to load malicious code into Internet Explorer upon startup,” explains Spencer. Spyware will often come with a self-defence mechanism to disable antimalware applications and constantly check the load point hasn’t been removed, and reset it if it has.
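Load points such as the Registry Run key and Browser Helper Objects can be audited from an export of those keys. The following is an added example, not code from the article or from PC Tools: it parses the text format that `reg export` produces and flags Run entries launched from temporary folders. The export is constructed for the example; its second entry deliberately mirrors the Trojan.Bayrob drop location quoted earlier (a kvet*.exe under Local Settings\Temp), and the BHO key path is the standard one under Explorer\Browser Helper Objects with a placeholder CLSID.

```python
import re

# Constructed .reg export (not taken from a real machine). It is the shape of
#   reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
# with a Browser Helper Object key appended; the CLSID is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"kvet12"="C:\\Documents and Settings\\alice\\Local Settings\\Temp\\kvet12.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
@="Example Helper"
"NoExplorer"=dword:00000001
'''

# Directories an autostart entry has no business living in.
SUSPICIOUS_DIRS = ("\\temp\\", "\\downloads\\", "\\recycler\\")

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(raw: str) -> str:
    """Turn a .reg string literal ("...", with \\ and \" escapes) into text."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw  # dword:/hex: data is left as written


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: data}} for a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(2) else m.group(1)
            current[name] = _unescape(m.group(3))
    return keys


def executable_of(command: str) -> str:
    """Pull the program path out of a Run command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def autostart_report(text: str) -> dict:
    """Summarise Run entries and BHOs; flag Run entries launched from temp-style paths."""
    report = {"run": [], "bho": [], "suspicious": []}
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            for name, command in values.items():
                exe = executable_of(command)
                report["run"].append((name, exe))
                if any(d in exe.lower() for d in SUSPICIOUS_DIRS):
                    report["suspicious"].append((name, exe))
        elif "\\browser helper objects\\" in k:
            clsid = key.rsplit("\\", 1)[-1]
            report["bho"].append((clsid, values.get("(Default)", "")))
    return report


if __name__ == "__main__":
    for section, entries in autostart_report(SAMPLE_REG).items():
        print(section)
        for entry in entries:
            print("   ", entry)
```

Because Spencer notes that spyware re-creates its load point when it is removed, the useful check is not a single run but a comparison of two exports taken a few minutes apart: an entry that comes back after deletion points at a guardian process still running.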

That leaves us with the objective, which is usually the collection of banking logins or other personal information. Many techniques are exploited in order to garner this information, but some appear time and again. “Keyloggers capture keyboard input, and screen captures on every mouse click can counteract the use of onscreen keyboards,” reveals Spencer.

Phishing
Although phishing has the same financial motivation as spyware, its application is almost the polar opposite. Rather than relying on stealth to succeed, phishing employs social-engineering techniques to wave itself directly in front of the potential victim, hoping they’ll take the bait. By posing as a trustworthy source, the phisher hopes to simply con, trick or scam the user into handing over login and account details under the misapprehension that they’re dealing with a genuine entity. Ebay, PayPal and high-street banks are frequently targeted, and email is the most common form of attack, although IM and the humble phone are also used.

Phishers are gradually moving away from indiscriminate spamming. Instead, they’re now targeting users, sending fewer messages to a well-researched audience in a trend known as spear phishing. One novel method, called USB seeding, is dropping infected USB flash drives outside the offices of a target company, or in the coffee shop its staff frequent. The hardware is cheap, and human nature dictates it won’t be long before someone picks it up, plugs it in and falls victim.

More often than not, though, the technical modus operandi falls into a predictable routine. Link manipulation is almost always used to create a link within an email that appears to belong to the supposed sending organisation. Most commonly, this manipulation will take the form of the inclusion of a subdomain such as www.hsbc.com.somewhere-else.com, or simply using HTML anchor text to state one domain while the underlying URL points to another. Both are enough to fool all but the most security-savvy user, as indeed is the use of a similar-sounding domain such as paypal-security.com instead of paypal.com, for instance.
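The three link tricks just described (a trusted name buried as a subdomain, anchor text that names one site while the href goes to another, and a lookalike domain) are mechanical enough to check automatically. The following is an added example, not code from the article: it extracts every link from a constructed message body (hostnames use the reserved .invalid TLD) together with the text the reader sees, and reports which trick each suspicious link uses against a short list of trusted domains. The registrable-domain rule is deliberately the simple “last two labels”; production tooling should use the Public Suffix List so that names such as example.co.uk are handled correctly.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message body illustrating the three tricks (not a real sample).
SAMPLE_EMAIL = """
<p>Dear customer, your account has been limited. Please respond within 24 hours.</p>
<p><a href="http://www.hsbc.com.somewhere-else.invalid/verify">Verify your HSBC account</a></p>
<p><a href="http://paypal-security.invalid/login">https://www.paypal.com/signin</a></p>
<p><a href="https://www.paypal.com/help">Help centre</a></p>
"""

TRUSTED = ("hsbc.com", "paypal.com")
_URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/:?#]|$)", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplified; see the note above on the PSL)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Pairs every <a href> with the text the reader actually sees."""

    def __init__(self):
        super().__init__()
        self.links = []   # (href, visible text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_links(html: str, trusted=TRUSTED) -> list:
    """Return [(href, reasons)] for links that use one of the manipulation tricks."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        reg = registrable_domain(host)
        reasons = []

        # Trick 1: a trusted name appears as a whole label sequence inside
        # somebody else's domain (www.hsbc.com.somewhere-else.invalid).
        for t in trusted:
            if reg != t and ("." + t + ".") in ("." + host + "."):
                reasons.append(f"{t} appears as a subdomain of {reg}")

        # Trick 2: the anchor text looks like a URL but names a different site.
        if _URL_LIKE.match(text):
            shown = text if "://" in text else "http://" + text
            shown_host = (urlparse(shown).hostname or "").lower()
            if registrable_domain(shown_host) != reg:
                reasons.append(f"text shows {shown_host} but link goes to {reg}")

        # Trick 3: a lookalike domain built around the brand name.
        label = reg.split(".")[0]
        for t in trusted:
            brand = t.split(".")[0]
            if reg != t and brand in label:
                reasons.append(f"lookalike of {t}")

        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("   ", r)
```

The same pairing of visible text against the real destination is what a mail gateway or browser extension does when it rewrites or warns on links; the value of doing it on the defender’s side is that it does not depend on the user noticing the mismatch in the status bar.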

Proposed initiatives such as RFC 4871 – which uses cryptographic signatures to verify the domain identity of the sender – might help, but that depends upon future take-up. For now, you click on that fake link and end up at a fake website. Here you might find a simple piece of JavaScript altering the address bar by imposing an image of the real URL over the fake one, or opening a new address bar altogether. Although phishing messages and the websites they link to often look genuine, there are some tell-tale signs that should set off alarm bells; namely, “requests for confidential information via email, emotional language or urgent requests to respond, spelling mistakes, lack of personal greeting or customised information,” according to a Webroot spokesperson. Legitimate emails from banks usually include partial account numbers, usernames or passwords.

Keep it real
Although it isn’t always possible to prevent malware attacks, you can still take sensible precautions. Ensure your computer and network are protected by regularly updated security software, and that your applications and operating system remain free of “in the wild” vulnerabilities by setting Windows to Auto Update. Also, avoid the temptation to link-click anything and everything or open unsolicited attachments. Steer clear of the dodgy underbelly of the internet, and don’t download freeware without checking its reputation first. Unfortunately, it’s the last of these basics that lets too many of us down.

This article appeared in the September 2007 issue of PC Authority.