6.3 Virus and Worm Concepts

Introduction to Viruses

• A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document.
• Viruses are generally transmitted through file downloads, infected disk/flash drives and as email attachments.
• Virus Characteristics:
  • Infects other program
  • Transforms itself
  • Encrypts itself
  • Alters data
  • Corrupts files and programs
  • Self-replication

Stages of Virus Life

1. Design: Developing virus code using programming languages or construction kits.
2. Replication: Virus replicates for a period of time within the target system and then spreads itself.
3. Launch: It gets activated with the user performing certain actions such as running an infected program.
4. Detection: A virus is identified as threat infecting target systems.
5. Incorporation: Antivirus software developers assimilate defenses against the virus.
6. Elimination: Users install antivirus updates and eliminate the virus threats.

Working of Viruses: Infection Phase and Attack Phase

• Infection Phase:
  • In the infection phase, the virus replicates itself and attaches to an .exe file in the system.
• Attack Phase:
  • Viruses are programmed with trigger events to activate and corrupt systems.
  • Some viruses infect each time they are run and others infect only when a certain predefined condition is met such as user's specific task, a day, time, or a particular event.

Why Do People Create Computer Viruses

• Inflict damage to competitors
• Financial benefits
• Research projects
• Play prank
• Vandalism
• Cyber terrorism
• Distribute political messages

Indications of Virus Attack

• Abnormal Activities: If the system acts in an unprecedented manner, you can suspect a virus attack.
  • Processes take more resources and time
  • Computer beeps with no display
  • Drive label changes
  • Unable to load Operating system
  • Anti-virus alerts
  • Browser window "freezes"
  • Hard drive is accessed often
  • Files and folders are missing
  • Computer freezes frequently or encounters error
  • Computer slows down when programs start
• False Positives: However, not all glitches can be attributed to virus attacks.

How does a Computer Get Infected by Viruses

• When a user accepts files and downloads without checking properly for the source.
• Opening infected e-mail attachments.
• Installing pirated software.
• Not updating and not installing new versions of plug-ins.
• Not running the latest anti-virus application.

Virus Hoaxes and Fake Antiviruses

• Hoaxes are false alarms claiming reports about a non-existing virus which may contain virus attachments.
• Warning messages propagating that a certain email message should not be viewed and doing so will damage one's system.
• Attackers disguise malwares as an antivirus and trick users to install them in their systems.
• Once installed these fake antiviruses can damage target systems similar to other malwares.

scareware (偽防毒軟體，製造假中毒跡象)

Q1) You receive an e-mail with the following text message.

"Microsoft and HP today warned all customers that a new, highly dangerous virus has been discovered which will erase all your files at midnight. If there's a file called hidserv.exe on your computer, you have been infected and your computer is now running a hidden server that allows hackers to access your computer. Delete the file immediately. Please also pass this message to all your friends and colleagues as soon as possible."

You launch your antivirus software and scan the suspicious looking file hidserv.exe located in c:\windows directory and the AV comes out clean meaning the file is not infected. You view the file signature and confirm that it is a legitimate Windows system file "Human Interface Device Service". What category of virus is this?

1. Virus hoax
2. Spooky Virus
3. Stealth Virus
4. Polymorphic Virus

Ransomware

• Ransomware is a type of a malware which restricts access to the computer system's files and folders and demands an online ransom payment to the malware creator(s) in order to remove the restrictions.
• Ransomware Family:
  • Cryptorbit Ransomware
  • CryptoLocker Ransomware
  • CryptoDefense Ransomware
  • CryptoWall Ransomware
  • Police-themed Ransomware

勒索軟體

Q1) It is a kind of malware (malicious software) that criminals install on your computer so they can lock it from a remote location. This malware generates a pop-up windows, webpage, or email warning from what looks like an official authority. It explains your computer has been locked because of possible illegal activities and demands payment before you can access your files and programs again. Which term best matches this definition?

1. Spyware
2. Adware
3. Ransomware
4. Riskware

Riskware (風險軟體): 是一種合法軟體，但本身存在嚴重安全性問題，會被惡意軟體利用來對電腦造成傷害。

Types of Viruses

• System or Boot Sector Viruses
• File and Multipartite Viruses
• Macro Viruses
• Cluster Viruses
• Stealth/Tunneling Viruses
• Encryption Viruses
• Metamorphic Viruses
• File Overwriting or Cavity Viruses
• Spare Infector Viruses
• Companion/Camouflage Viruses
• Shell Viruses
• File Extension Viruses
• Add-on and Intrusive Viruses
• Transient and Terminate and Stay Resident Viruses

System or Boot Sector Viruses

• Boot sector virus moves MBR to another location on the hard disk and copies itself to the original location of MBR.
• When system boots, virus code is executed first and then control is passed to original MBR.

• 開機磁區病毒：病毒是放在開機磁區的一種病毒。當電腦試著去讀取和執行開機磁區的程式時，病毒會附著在電腦的記憶體內，等到機會成熟時感染其他的電腦，也就是從這裡延伸到其他磁碟區。開機程式再被執行時，病毒也再次被執行， 又再一次散佈到其他磁區上。
• 改變MBR的位置，讓病毒先執行

Q1) Which of the following items of a computer system will an anti-virus program scan for viruses?

1. Boot Sector
2. Deleted Files
3. Windows Process List
4. Password Protected Files

Q2) Which of the following describes the characteristics of a Boot Sector Virus?

1. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR
2. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
3. Modifies directory table entries so that directory entries point to the virus code instead of the actual program
4. Overwrites the original MBR and only executes the new virus code

File and Multipartite Viruses (重要)

• File Viruses:
  • File viruses infect files which are executed or interpreted in the system such as COM, EXE, SYS, OVL, OBJ, PRG, MNU and BAT files.
  • File viruses can be either direct-action (non-resident) or memory-resident.
• Multipartite Virus:
  • Multipartite viruses infect the system boot sector and the executable files at the same time.

Multipartite Virus具有多重散播途徑：可同時感染boot sector與executable files

Q1) A virus that can cause multiple infections is know as what type of virus?

1. Multipartite
2. Stealth
3. Camouflage
4. Multi-infection

A1) A multipartite virus can cause multiple infections.

Macro Viruses

• Macro viruses infect files created by Microsoft Word or Excel.
• Most macro viruses are written using macro language Visual Basic for Applications (VBA).
• Macro viruses infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files.

感染Microsoft的Word以及Excel文件檔

Q1) Which of the following programs is usually targeted at Microsoft Office products?

1. Polymorphic virus
2. Multipart virus
3. Macro virus
4. Stealth virus

Q2) Melissa is a virus that attacks Microsoft Windows platforms. To which category does this virus belong?

1. Polymorphic
2. Boot Sector infector
3. System
4. Macro

A2) The Melissa macro virus propagates in the form of an email message containing an infected Word document as an attachment.

Q3) The Melissa virus exploited security problems in Microsoft Excel and Word. What type of virus was it?

1. Macro
2. Named
3. Stealth
4. Multipartite

A3) Macro viruses, like Melissa, take advantage of macro functionality in files.

Q4) A user has just reported that he downloaded a file from a prospective client using IM. The user indicates that the file was called account.doc. The system has been behaving unusually since he downloaded the file. What is the most likely event that occurred?

1. Your user inadvertently downloaded a macro virus using IM.
2. Your user may have a defective hard drive.
3. Your user is imagining what cannot be and is therefore mistaken.
4. The system is suffering from power surges.

A4) The file itself is a Microsoft Word file and as such can have VBA macros embedded into it that can be used to deliver macro viruses.

Cluster Viruses

• Cluster viruses modify directory table entries so that it points users or system processes to the virus code instead of the actual program.
• There is only once copy of the virus on the disk infecting all the programs in the computer system.
• It will launch itself first when any program on the computer system is started and then the control is passed to actual program.

• 叢集病毒：此病毒會改變目錄表頭的位址，將位址連結到病毒的位址，當程序啟動時也代表病毒一起啟動(P.S.程序並未被修改)；如果系統感染到叢集病毒，所有程序都會受到感染，好像一個叢集都被感染，但病毒只是在一個固定空間上被連結出去執行。
• 例如：Dir-2病毒

Stealth/Tunneling Viruses

• These viruses evade the anti-virus software by intercepting its requests to the operating system.
• A virus can hide itself by intercepting the anti-virus software's request to read the file and passing the request to the virus, instead of the OS.
• The virus can then return an uninfected version of the file to the anti-virus software, so that it appears as if the file is "clean".

隱形病毒：這類病毒會透過攔截防毒軟體的請求，並回傳未被感染的版本回去，因此防毒軟體會認為這個檔案是乾淨的，但其實已經感染了。

Q1) Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run?

1. Cavity virus
2. Polymorphic virus
3. Tunneling virus
4. Stealth virus (Stealth與Tunneling是不一樣的)

Encryption Viruses

• This type of virus uses simple encryption to encipher the code.
• The virus is encrypted with a different key for each infected file.
• AV scanner cannot directly detect these types of viruses using signature detection methods.

• 病毒自我加密
• 加密病毒：病毒將自己的病毒編碼經過加密演算法去感染檔案。每一次的感染病毒編碼都會自動再次演算一次，所以每次產生的病毒編碼都不一樣。

Polymorphic Code

• Polymorphic code is a code that mutates while keeping the original algorithm intact.
• To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine).
• A well-written polymorphic virus therefore has no parts that stay the same on each infection.

• 多型，不斷變形，不容易被抓
• 病毒會透過感染別的病毒後，改變感染目標的型態，但是又保留病毒的基本架構。在感染病毒期間，會建立壓縮加密機制，並建立金鑰，每次的金鑰都不同。

Q1) ViruXine.W32 virus hides their presence by changing the underlying executable code. This Virus code mutates while keeping the original algorithm intact, the code changes itself each time it runs, but the function of the code (its semantics) will not change at all. What is this technique called?

1. Polymorphic Virus
2. Metamorphic Virus
3. Dravidic Virus
4. Stealth Virus

Q2) June, a security analyst, understands that a polymorphic virus has the ability to mutate and can change its known viral signature and hide from signature-based antivirus programs. Can June use an antivirus program in this case and would it be effective against a polymorphic virus?

1. Yes. June can use an antivirus program since it compares the parity bit of executable files to the database of known check sum counts and it is effective on a polymorphic virus
2. Yes. June can use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and it is very effective against a polymorphic virus
3. No. June can't use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and in the case the polymorphic viruses cannot be detected by a signature-based anti-virus program
4. No. June can't use an antivirus program since it compares the size of executable files to the database of known viral signatures and it is effective on a polymorphic virus

Q3) What type of virus modifies itself to avoid detection?

1. Stealth virus
2. Polymorphic virus
3. Multipartite virus
4. Armored virus

A3) A polymorphic virus modifies itself to evade detection.

Q4) Your client is confident that his enterprise antivirus protection software will eliminate and prevent malware in his system. Will this signature-based antivirus system protect against polymorphic viruses?

1. Yes. No matter the virus, the generic signatures will catch it.
2. Yes. All signature-based systems also use a heuristics engine to catch these.
3. No. Because the system compares a signature to the executable, polymorphic viruses are not identified and quarantined.
4. No, because the system compares file sizes to potential viruses and would catch the polymorphic that way.

A4) Polymorphic viruses constantly change their code in order to defeat the signature-based comparison of the executable.

Q5) A polymorphic virus _.

1. Evades detection through backdoors
2. Evades detection through heuristics
3. Evades detection through rewriting itself
4. Evades detection through luck

A5) A polymorphic virus evades detection through rewriting itself.

Metamorphic Viruses

• Metamorphic Viruses: Metamorphic viruses rewrite themselves completely each time they are to infect new executable.
• Metamorphic Code: Metamorphic code can reprogram itself by translating its own code into a temporary representation and then back to the normal code again.
• Example: For example, E32/Simile consisted of over 14000 lines of assembly code, 90% of it is part of the metamorphic engine.

• 多態病毒：除了像polymorphic會改變特徵外，連行為也會跟著改變
• ex: simile, zmist
• Mistfall is the first virus to use the technique called "code integration."

File Overwriting or Cavity Viruses

• Cavity Virus overwrites a part of the host file that is with a constant (usually nulls), without increasing the length or the file and preserving its functionality.

• CIH(Chernobyl or Spacefiller)

Sparse Infector Viruses

• Sparse Infector Virus: Sparse infector virus infects only occasionally (e.g. every tenth program executed), or only files whose lengths fall within a narrow range.
• Difficult to Detect: By infecting less often, such viruses try to minimize the probability of being discovered.
• Infection Process: For example, wake up on 15th of every month and execute code.

• 例：只感染最大只有128 kb容量大小的檔案或每月12日執行感染，減少被偵測的機會

Q1) A sparse infector virus __.

1. Creates backdoors
2. Infects data and executables
3. Infects files selectively
4. Rewrites itself

A1) A sparse infector evades detection by infecting only a handful or selection of files instead of all of them.

Companion/Camouflage Viruses

• A Companion virus creates a companion file for each executable file the virus infects.
• Therefore, a companion virus may save itself as notepad.com and every time a user executes notepad.exe (good program), the computer will load notepad.com (virus) and infect the system.

• 更改副檔名，讓同樣檔名提高優先執行順序
• 例：在相同檔名下，副檔名.com會比.exe先被執行

Shell Viruses

• Virus code forms a shell around the target host program's code, making itself the original program and host code as its sub-routine.
• Almost all boot program viruses are shell viruses.

感染後，都會先執行virus code，然後才執行original program

File Extension Viruses

• File extension viruses change the extensions of files.
• .TXT is safe as it indicates a pure text file.
• With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you will only see BAD.TXT.
• If you have forgotten that extensions are turned off, you might think this is a text file and open it.
• This is an executable Visual Basic Script virus file and could do serious damage.
• Countermeasure is to turn off "Hide file extensions" in Windows.

另個攻擊手法：unicode RLO 反轉字元

Q1) You are trying to package a RAT Trojan so that Anti-Virus software will not detect it. Which of the listed technique will NOT be effective in evading Anti-Virus scanner?

1. Convert the Trojan.exe file extension to Trojan.txt disguising as text file
2. Break the Trojan into multiple smaller files and zip the individual pieces
3. Change the content of the Trojan using hex editor and modify the checksum
4. Encrypt the Trojan using multiple hashing algorithms like MD5 and SHA-1

Add-on and Intrusive Viruses

• Add-on Viruses: Add-on viruses append their code to the host code without making any changes to the latter or relocate the host code to insert their own code at the beginning.

不會改變host的code

• Intrusive Viruses: Intrusive viruses overwrite the host code partly or completely with the viral code.

複寫host部份或整個code

Transient and Terminate and Stay Resident Viruses

Basic Infection Techniques:

• Direct Action or Transient Virus:
  • Transfers all the controls of the host code to where it resides in the memory.
  • The virus runs when the host code is run and terminates itself or exits memory as soon as the host code execution ends.
• Terminate and Stay Resident Virus (TSR):
  • Remains permanently in the memory during the entire work session even after the target host's program is executed and terminated; can be removed only by rebooting the system.

• 根據lifetime可分為transient和resident based兩種:
  • Direct Action or Transient Virus: 當被host執行時它才被載入到記憶體裡執行，當host終止時它也隨之終止
  • Terminate and Stay Resident Virus (TSR): 當被感染時，病毒會永久存在記憶體裡。只有在重開機後才會被移除。

Writing a Simple Virus Program

Sam's Virus Generator and JPS Virus Maker

Andreinick05's Batch Virus Maker and DeadLine's Virus Maker

Sonic Bat - Batch FIle Virus Creator and Poison Virus Maker

Computer Worms

• Computer worms are malicious programs that replicate, execute, and spread across the network connections independently without human interaction.
• Most of the worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system.
• Attackers use worm payload to install backdoors in infected computers, which turns them into zombies and creates botnet; these botnets can be used to carry further cyber attacks.

• 獨立運作，不需宿主
• 大量自我複製、散播，消耗電腦、網路資源
• 夾帶的payload會損壞系統、植入後門、建立botnet

How is a Worm Different from a Virus?

• Replicates on its own: A worm is a special type of malware that can replicate itself and use memory, but cannot attach itself to other programs.
• Spreads through the Infected Network: A worm takes advantages of file or information transport features on computer systems and spread through the infected network automatically but a virus does not.

Q1) Which of the following is one of the key features found in a worm but not seen in a virus?

1. The payload is very small,usually below 800 bytes.
2. It is self replicating without need for user intervention.
3. It does not have the ability to propagate on its own.
4. All of them cannot be detected by virus scanners.

A1) A worm is similar to a virus by its design,and is considered to be a sub-class of a virus. Worms spread from computer to computer,but unlike a virus,it has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system,which allows it to travel unaided.

Q2) What are worms typically known for?

1. Rapid replication
2. Configuration changes
3. Identity theft
4. DDoS

A2) Worms are typically known for extremely rapid replication rates once they are released into the wild.

Computer Worms: Ghost Eye Worm

• Ghost Eye worm is a hacking program that spreads random messages on Facebook or steam or chat websites to get the password.

Worm Maker: Internet Worm Maker Thing