Introduction

Just because a system freezes or desktop icons stop responding to clicks does not mean that the system has been infected by a virus or worm. More likely it is a sign of a poorly written application or driver, or, more probable still, those annoying little dust bunnies that have nested inside the case and are causing the CPU to overheat. A good cleaning with a can of compressed air can evict the dust bunnies and let the system run cooler. Random reboots can also be resolved by re-seating the RAM, since the constant heating and cooling of the sticks can work them loose in their slots.

With that in mind, do remember that it is still important to have a proper response and antidote for viruses. Being prepared and preventing infections can neutralize this form of attack almost 100% if your discipline is ongoing and made a matter of strict routine. Just remember that once a virus has gone wild, it is forever present. It may be slowed down or made dormant due to countermeasures, but it is capable of becoming active again should the opportunity arise.

History And Evolution Of Viruses And Worms

Since there are thousands of documents on the Internet about the evolution of viruses and worms, not much will be covered here. A complete time-line of the history of viruses and worms can be found on this site's A Virus and Worm Timeline page.

The Structure of Malicious Code

There are three phases of a viral attack:

  1. Infection Phase
  2. Spreading Phase
  3. Attack Phase

The Infection Phase - A weakness in the system is sought out and then exploited. The exploit may take the form of a buffer overflow or a single logic error, where the attacker understands the sequence of expected steps better than the application developer(s) and can then inject code into a running process.

A direct virus infects its host by executing as a stand-alone application. Logic bombs lie in wait for an event to trigger the executable. Terminate and Stay Resident (TSR) programs keep executing at various stages even after the initial host application has been closed.

The Spreading Phase - The objective of the code determines how the spreading phase occurs.

If a virus is looking to drop code or breach data integrity, it will spread through file shares, portable storage, email and boot sectors. Worms are typically associated with denial of service objectives and spread using network protocols, without the end user having to trigger them.

The Attack Phase - Modern malicious code incorporates several types of payload. A dropper is code that leaves behind other malicious code, which completes the task of gaining access while maintaining a loop that keeps that access open. Payloads can also use encryption and morphing techniques that allow them to evade detection algorithms.

Infection Characteristics

Standard incident response procedure is critical when handling infections. Hoax viruses are designed to exploit any over-reactions or poor analysis. False positives also can be as costly as any actual breach, depending on what the attacker was trying to accomplish and how alert the response team is. The following is a list of common symptoms of viral activity.

  • Malicious code can reside in random access memory (RAM) and replicate itself as a side effect of a host application performing its normal activities.
  • Malicious code can leave RAM and copy itself to secondary storage while waiting for another event to call it back out of dormancy.
  • Malicious code can copy itself into the boot sector of a volume or set up an auto-start from removable media.
  • Malicious code can transform itself through polymorphic means (changing its appearance, typically by encryption) or metamorphic means (rearranging its instructions and mixing in decoy mnemonics between the attack opcodes).
  • Malicious code might alter its host in a way that avoids changing the file size or other detection criteria.
  • Malicious code can encrypt the files it is targeting and hold them for ransom.
  • Malicious code can slightly "break" a host, causing unexpected events such as changing the screen resolution, turning the display upside down or causing "kernel panics", known in Windows as the "Blue Screen Of Death". This mimics common driver compatibility issues.
  • Malicious code can redirect the input/output (I/O) stream of an operating system function in order to avoid detection.
  • Malicious code can trigger events within its own code and make system calls. If the code is installed with a rootkit, it can hide completely from the operating system kernel.
  • Malicious code can use I/O processes involving both memory access and network access to spread. It can also use operating system features to reach resource shares and directories and so facilitate its propagation.
  • Malicious code can even have a "nuclear" feature that allows a remote attacker to instruct the infected hosts to self-destruct, as one way to cover the attacker's tracks.

Replicating Software Life-cycle

There is a six-step life-cycle of a virus. These steps are:

  1. Design
  2. Replication
  3. Launch
  4. Detection
  5. Incorporation
  6. Elimination

Design - Using a combination of computer languages, processing theory and knowledge of a particular platform, a researcher discovers a vulnerability, drafts a proof of concept and tests it. The code is often only a few lines, and the cleverness usually lies in how easy it looks to everyone else once the attack has been demonstrated.

Replication - In order to spread, a virus needs to replicate, either with the aid of a user or by self-replication. Using existing files is a convenient way for the researcher to guarantee the spread of the virus, and hiding within critical resources makes detection and response challenging. Part of the defensive puzzle is how to remove the virus without destroying the host.

Launch - These infections depend on user actions. External storage media such as USB drives can aid the spread, and the infection can also be triggered by something as simple as visiting a website.

Detection - Even with a response plan in place, avoiding an over-reaction is harder than avoiding the infection itself.

In most businesses, Incident Response Planning (IRP) and Disaster Recovery Planning (DRP) are mandatory. A measured, reasoned approach makes the difference between success and failure. Detection is a matter of due diligence, and organizations that do not perform detection processes may face liability risks that exceed the damage of an outbreak.

Incorporation - The fight against malicious code involves commercial researchers, academic researchers and private individuals with a range of motivations, and the effort they demonstrate is remarkable. Each is in a race against time to be the first to exploit an opportunity and to understand the defense vectors.

Elimination - Assuming the "good guys" win the incorporation battle, the elimination step is about installing countermeasures and mitigating damage. Remember that no virus is ever completely eliminated, nor does it disappear; it just slows down. Diligent monitoring is necessary after the elimination of any threat, all the more so for self-replicating code.

Difference Between Viruses And Worms

Here is a table that shows the difference between a virus and a worm.

Virus: Requires a user-initiated event to spread and must have a carrier.
Worm:  Can execute itself and can be self-replicating.

Virus: Typically affects files such as executables, or can be hidden in media files.
Worm:  Typically does not target data but rather carries out its own agenda.

Virus: Difficult to remove without affecting the infected host.
Worm:  Can usually be removed without damaging the host.

Virus: Has fewer spreading options because it targets data and relies on external vehicles of transmission.
Worm:  Has almost limitless spreading possibilities because it can provide its own services and protocols.

The Motivation For Creating Malicious Code

The writing of malicious code started as mere curiosity or as an exercise in the power of computing. As the coding grew and matured, the intrigue became a strong motivation for further exploration. Eventually the "bad guys", aka Black Hats, found a business opportunity in it; strangely enough, this was the same motivation as the "good guys", aka White Hats, which eventually made adversaries of the two. Here are the main motivations behind creating malicious code.

  • Research
  • Pranks
  • Vandalism
  • Industrial Espionage
  • Extortion
  • Spreading of payloads with increased capabilities

Virus And Worm Types

Naming and Classifying Viruses

Since no two systems can agree on whether a given piece of code is a virus or not, classifying viruses has become a difficult task. There are, however, three useful ways to categorize viruses and worms:

  • How does the spreader work?
  • How does the virus store itself?
  • What sort of damage does the virus do?

How does the spreader work? - Viruses attach themselves to files or copy themselves by means of network resources, boot sectors or removable storage devices. Worms carry their own tftp or http servers and can spread through native clients.

How does the virus store itself? - A Shell virus wraps its code around the infected file and then calls the original file as a function. An Add-on virus places itself at the beginning of an executable and runs when the application is called. An Intrusive virus completely overwrites the original file, corrupting it in the process. A Cavity virus hides within the executable itself.

What sort of damage does the virus do? - By wasting system resources, some malicious code causes denial of service, for example by consuming network bandwidth or filling storage space with useless files. Other viruses steal data, while still others corrupt data. Lastly, there are those that actually damage the host, making the system unusable after a restart or scrambling the firmware code within the hardware.

Virus Types

Here is a list of common viruses and how they interact with their targets.

Hoax Virus - Triggers false alarms and causes hysteria. These "viruses" can be as damaging as the genuine article. A hoax is a good social engineering trick that can also attack the reputation of a product, as people will still consider it a hoax after it has been proven otherwise.

MBR (Master Boot Record) Virus - The bootable volume on a HDD, USB drive or floppy (if you still use these) contains a small program located in the first sector (Cylinder 0, Head 0, Sector 1). It loads just enough code into memory to give the processor its initial instructions. A boot sector virus overwrites this code and so completely controls the system during boot-up. It then copies itself into memory and infects the boot sector of any other secondary storage media that is inserted. The intent of this virus is to damage the system the next time it is restarted.
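As an added example (not from the original page), here is a Python check a defender can run against a raw first-sector image: it parses the 512-byte MBR into boot code, partition table and the 55 AA signature, then compares the boot code hash with a trusted baseline, which is how an overwritten loader shows up. The sample sector and the byte change are constructed for the demo.

```python
import hashlib
import struct

SECTOR_SIZE = 512        # the MBR is the first sector: CHS 0/0/1, LBA 0
BOOT_CODE_LEN = 446      # boot code, then 4 x 16-byte partition entries
MBR_SIGNATURE = 0xAA55   # stored little-endian as bytes 55 AA at offset 510

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot-code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    (sig,) = struct.unpack_from("<H", sector, SECTOR_SIZE - 2)
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * 16
        # status, 3 CHS bytes skipped, type, 3 CHS bytes skipped, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sig == MBR_SIGNATURE}

def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with a trusted baseline; return findings."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("invalid 55AA signature")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed (possible boot-sector infection)")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings

def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder loader stub, one bootable partition."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0".ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x83, 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + struct.pack("<H", MBR_SIGNATURE)

def simulate_boot_code_change(sector: bytes) -> bytes:
    """Constructed test input: the first loader bytes replaced by junk."""
    return b"\xeb\x00" * 8 + sector[16:]

if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)          # taken from a known-good image
    print("clean:", check_mbr(clean, baseline))
    print("tampered:", check_mbr(simulate_boot_code_change(clean), baseline))
```

On a real system the sector would come from reading the first 512 bytes of the disk device while offline, with the baseline captured before the machine went into service.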

Cavity Virus - Executable binaries contain unused regions where other executable code can hide. A Cavity Virus is also a file infector: it seeks out such programs and modifies them to host the malicious code. Cavity viruses target critical system files that were never expected to change and so are not scanned.

Multipartite Virus - This virus can use multiple means to infect systems.

Network Virus - This virus spreads through protocols that communicate across the network and targets file shares and email.

Source Code Virus - Scripts downloaded from the Internet may have malicious code inserted by either the original author or someone else who wants to compromise the script intentionally. The spread comes from advertising and sharing the code.

File Infector Virus - Executables and data files are often targets of the file infector. Office documents are often targets as they are most likely to be emailed or copied.

Macro Virus - A common social engineering technique that helps spread infected files is to rename the file extension in order to hide the fact that the file is a script.

Polymorphic Virus - This virus changes its appearance to avoid detection by anti-virus scanners, typically by encrypting itself. While a polymorphic virus cannot be detected directly by signature analysis, its decryption engine can be. Different viruses can share the same decryption engine, so analysis is always necessary.

Metamorphic Virus - This type of virus has the capability of re-writing itself.

Stealth Virus - These viruses copy themselves to temporary locations, leaving the infected files appearing clean when they are scanned, while hiding themselves from the anti-virus countermeasures.

Tunneling Virus - This virus hides itself from anti-virus applications by intercepting the operating system's interrupt handlers, making sure the scanner never knows it is there.

Camouflage Virus - This virus pretends to be a genuine application, masquerading with the characteristics the anti-virus scanner looks for in code it deems allowable.

The important element of a virus is making it small enough while still accomplishing its objective. Along with remaining undetected, the design goals might include not breaking the system it has infected and not slowing itself down with complex operations as it spreads.

Virus Detection And Removal

Virus Construction Kits

Programs have been created that generate malicious code after asking the user to configure a few options. Some even have graphical environments with drop-down menus and wizards that help users, sometimes unknowingly, create malicious code.

These types of tools are known as Potentially Unwanted Programs (PUPs) and most anti-virus scanners can detect and eliminate them. Many hacking tools are considered PUPs and this at times generates controversy within the defense community.

Prevention and Incident Response

Obviously, prevention is the best first response followed closely by user education. Teaching users how to handle email attachments and how to report suspected breaches is critical.

All traffic coming into and going out of the network should be scanned. This process is known as Sheep Dipping, a term coined from the practice of never letting a sheep join the flock without first going through a flea bath, because it only takes one infected sheep to infect the entire flock.

When an infection is detected, standard incident response procedures are applied. It is important that these procedures are tested and rehearsed on a regular basis to ensure the most effective and rapid resolutions are achieved. The following is a review of an incident response model.

  1. Detection - Monitoring systems notice that a breach has occurred.
  2. Notification - The proper personnel are notified and arrive on the scene.
  3. Assessment - An assessment of the situation is taken and a measured response is determined.
  4. Containment - The breach is prevented from further spreading.
  5. Eradication - The malicious code is neutralized or removed.
  6. Reconstitution - Affected services are restored.
  7. Lessons Learned - The total lifecycle is reviewed and feedback is given to the risk and management team.

Virus Detection Techniques

Commercial and free-ware anti-virus scanners

Many commercial anti-virus products are on the market and the field is extremely competitive. What to look for during evaluation:

  • How often are new signature updates published?
  • Will the interface be intrusive to the user?
  • Does the software uninstall correctly and completely if there is a decision to remove it?

Some confusion exists over the marketing words used to describe the products. Viruses, worms, malware, Trojans and PUPs are all different classes of risks and various products handle each class differently. You can find an all-in-one solution, but expect to pay for it. As an alternative, there are also free software products out there that can handle these classes separately.

Host and Network Based Intrusion Detection Systems (IDS)

There is a class of tools called System Integrity Verifiers (SIV) that keep a database of the file sizes, access times and hash values of all critical files on a system. Any change to these files is logged.

The process of detecting virus and worm activity involves setting up a series of checks. Signatures, which are essentially recognizable sequences of data bytes, are searched for and compared against a database of known byte combinations. Checksums of files are also kept to detect changes in the data. Heuristic scanning focuses on behavioral characteristics and is useful when the malicious code is metamorphic or polymorphic.
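The SIV database and the signature check described in the two paragraphs above, as an added Python example that is not from the original page: it records size, modification time and SHA-256 for every file under a directory, reports added, deleted and modified files against that baseline, and searches a file for known byte sequences. The signature database and the file tree are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed signature database (name -> byte sequence); the pattern is invented for the demo.
SIGNATURES = {"Demo.TestPattern": b"DEMO-SIG-PATTERN"}

def file_record(path: Path) -> dict:
    """Size, modification time and SHA-256 of one file, as an SIV stores them."""
    st = path.stat()  # mtime rather than atime: hashing a file can itself update atime
    return {"size": st.st_size, "mtime": int(st.st_mtime),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}

def build_baseline(root: Path) -> dict:
    """Snapshot every regular file below root, keyed by relative path."""
    return {str(p.relative_to(root)): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root: Path, baseline: dict) -> list:
    """Compare the tree with its baseline; return (status, name, changed_fields)."""
    current = build_baseline(root)
    log = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            log.append(("DELETED", name, []))
        elif name not in baseline:
            log.append(("ADDED", name, []))
        else:
            changed = [k for k in ("size", "mtime", "sha256")
                       if baseline[name][k] != current[name][k]]
            if changed:
                log.append(("MODIFIED", name, changed))
    return log

def scan_signatures(path: Path) -> list:
    """Names of every known byte signature present in the file."""
    data = path.read_bytes()
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def demo_scenario() -> tuple:
    """Constructed scenario: baseline a tree, then modify, delete and add files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.bin").write_bytes(b"\x7fELF clean program")
        (root / "config.ini").write_text("level=1\n")
        baseline = build_baseline(root)
        # stand-in for a file infector appending its body, plus a delete and a drop
        (root / "app.bin").write_bytes(b"\x7fELF clean program" + SIGNATURES["Demo.TestPattern"])
        (root / "config.ini").unlink()
        (root / "dropped.exe").write_bytes(b"MZ new file")
        return verify(root, baseline), scan_signatures(root / "app.bin")

if __name__ == "__main__":
    print(*demo_scenario(), sep="\n")
```

A real SIV stores the baseline off-host or signs it, since an attacker who can alter the files can usually alter a baseline kept beside them.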

Disassemblers and Debuggers

There are commercial tools such as "IDA Pro" and freeware such as "OllyDbg" that allow the analyst to take a byte-by-byte look at every instruction and step an application takes when it executes. These tools are used in reverse engineering and for breaking license enforcement within applications.

Utilities for Forensics and Troubleshooting

Tools such as "PsTools" can be useful for analysis. File comparison tools such as "WinDiff" are also helpful. There are commercial tools available that can make short work of comparing "before-and-after" snapshots of virtual machines. Some malware will detect a virtual machine and decide not to infect it for this reason.