As you can see, there are quite a few measures that malicious code can take in an attempt to bypass our security mechanisms. For every measure there is a countermeasure, which has its own counter-countermeasure, and so on. To remain effective in such an environment, make sure you understand the threats and how they apply to your environment, and do not rely on a single defensive layer to protect yourself against malware infections. Each of these self-preservation techniques can be thwarted by the diligent application of antivirus software, configuration hardening, and user education. Antivirus software has grown increasingly capable of spotting stealthy polymorphic code and of surviving simple deactivation attempts. By keeping your antivirus signatures and scanning engine up to date, you'll benefit from these advances. Additionally, with sound user education, even very subtle malicious code will be less likely to find its way into your systems in the first place.
Conclusions
With the proliferation of network worms, some people think plain old viruses are obsolete. Yet, despite this mistaken perception, malware authors continue to create and spread viruses, and even more important, they incorporate virus characteristics into other types of malicious code. The idea that software can propagate by making copies of itself and by attaching itself to benign programs is powerful. These properties allow malware to reach deep within the network infrastructure. Whether through floppies, USB keychain drives, or networks, malicious code continues to find its way through our security perimeters. The arms race between the defenders and the attackers grows ever nastier, especially when the techniques we've discussed in this chapter spread via the network itself in the form of worms. In the next chapter, we'll analyze worm capabilities, discuss future trends in worm evolution, and look at additional methods we can employ when defending against the blight of malicious code.
Summary
A virus is self-replicating software that spreads by attaching itself to other programs. In most cases, a human is expected to take action, such as opening the infected program, to activate the virus. Once activated, the virus can continue propagating by attaching to other programs accessible to the victim.
Activating a virus might also trigger its payload, which is typically programmed to perform destructive or distractive actions such as deleting files, corrupting data, or displaying messages on the victim's screen.
A virus can attach itself to several types of carrier programs: executable files, boot sectors, documents, scripts, and so on. Specimens that target executables or scripts typically infect their hosts via overwriting, prepending, or appending methods. When attaching to the boot sector, a virus often stores the copy of the original boot sector somewhere on disk, to allow the boot process to continue once the virus loads itself into memory. Although modern operating systems prevent typical boot sector viruses from activating once the operating system starts up, such viruses can still cause damage while the system is in the early stages of the boot process.
Viruses that attach themselves to documents expect the program opening the document to execute the embedded macros. If activated, a macro virus usually becomes persistent on the system by infecting the user's default template, such as the Normal.dot file in Microsoft Word. Because of the popularity of macro viruses that target Microsoft Office documents, features in Microsoft Office allow us to disable the execution of untrusted macros, and to prevent access to the dangerous VBProject object.
When trying to reach new systems, viruses often rely on humans to carry them between machines. Removable storage, e-mail attachments, Web downloads, and shared directories are the primary transport mechanisms for viruses. Antivirus software should be tuned to carefully scan these carriers of malicious code.
Antivirus software uses three primary techniques for detecting malware: signatures, heuristics, and integrity verification. Among these methods, looking for signatures of known specimens is the most popular approach. Unfortunately, purely signature-based detection can be fooled using polymorphic and metamorphic techniques, and it cannot detect viruses that the vendor did not fingerprint beforehand. Heuristic analysis is the most sophisticated of the three, because it tries to identify viruses based on the behavior they are likely to exhibit. This technique involves emulating the execution of the program to determine whether it would act as a virus, which is especially difficult to accomplish with macro viruses. Integrity verification attempts to detect unexpected changes to scanned files, and is useful for identifying modified files if the infection could not be prevented.
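The infection methods summarized above (overwriting, prepending, appending) and the trade-off between signature scanning and integrity verification, as an added worked example that is not from the book: it applies each method to a constructed, inert byte string standing in for a host executable (the "virus body" is a plain marker, nothing here executes), then runs a fixed-signature scan and a hash-based integrity check over the results. The XOR re-encoding is a toy stand-in for polymorphism; the sample file contents, file names, and the signature itself are assumptions made up for the example.

```python
import hashlib

# Constructed stand-ins (assumptions for this example): a fake host program
# and an inert marker string in place of a real virus body.
HOST = b"MZ\x90\x00" + b"host program code ... " * 4
VIRUS_BODY = b"[[INERT-VIRUS-BODY]]"
# Fixed byte sequence an antivirus vendor might fingerprint from the body.
SIGNATURE = VIRUS_BODY[:12]


def overwrite_infect(host: bytes, body: bytes) -> bytes:
    """Overwriting infector: the body replaces the start of the host.
    File size is unchanged, but the original program is destroyed."""
    return body + host[len(body):]


def prepend_infect(host: bytes, body: bytes) -> bytes:
    """Prepending infector: body first, then the intact host (a real body
    would transfer control to the host after running; not modelled)."""
    return body + host


def append_infect(host: bytes, body: bytes) -> bytes:
    """Appending infector: intact host, then the body (a real specimen
    would patch the entry point to jump to the body; not modelled)."""
    return host + body


def polymorphic_variant(body: bytes, key: int) -> bytes:
    """Toy polymorphism: XOR the body with a per-copy key so no two copies
    share a fixed byte sequence. A real specimen also carries a small
    decoder stub; it is omitted because nothing here executes."""
    return bytes(b ^ key for b in body)


def signature_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Signature detection: does the known byte pattern occur in the file?"""
    return signature in data


def baseline(files: dict) -> dict:
    """Integrity verification, step 1: record a hash of each clean file."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def integrity_verify(files: dict, known_good: dict) -> list:
    """Integrity verification, step 2: report files whose hash changed
    (or that have no baseline entry at all)."""
    return sorted(name for name, data in files.items()
                  if hashlib.sha256(data).hexdigest() != known_good.get(name))


def demo() -> tuple:
    """Infect two constructed files, one with the plain body and one with a
    polymorphic copy, then compare what each detection method reports."""
    clean = {"app.exe": HOST, "tool.exe": HOST + b"extra"}
    known_good = baseline(clean)
    infected = dict(clean)
    infected["app.exe"] = append_infect(clean["app.exe"], VIRUS_BODY)
    infected["tool.exe"] = prepend_infect(clean["tool.exe"],
                                          polymorphic_variant(VIRUS_BODY, 0x5A))
    signature_hits = sorted(n for n, d in infected.items() if signature_scan(d))
    integrity_hits = integrity_verify(infected, known_good)
    return signature_hits, integrity_hits


if __name__ == "__main__":
    sig, integ = demo()
    print("signature scan flagged:", sig)       # only the unmutated copy
    print("integrity check flagged:", integ)    # both modified files
```

The point the run makes: the signature scanner catches the copy it was fingerprinted for and misses the mutated one, while the integrity check catches both but only tells you something changed, not what. A baseline that was taken after infection is worthless, which is why the hashes have to come from known-clean media.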
Configuration hardening adds resilience to the infrastructure by following the principle of least privilege and by removing components that are not absolutely needed on the system. There are numerous checklists and automated tools you can use to harden the configuration of your operating systems and applications. Another important factor in defense against malware is user education. End users of your systems can help you protect the environment if you explain to them what they can do to prevent the spread of viruses, and how they can recognize the signs of infection.
In an effort to protect itself, malicious software employs techniques to avoid detection and elimination. Stealthing is a self-preservation method that attempts to conceal the presence of the virus on the infected system. Polymorphism and metamorphism involve automatically mutating malicious code to make it difficult to create a signature. Malware can also actively attack antivirus software and personal firewalls by terminating their processes, preventing access to security vendors' Web sites, and disabling some of the protective measures you have implemented to fight virus infections.
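One concrete check for the "preventing access to security vendors' Web sites" technique, as an added example that is not from the book: a common way malware does this is to add entries to the hosts file that point vendor domains at the loopback address or some other dead end, so signature updates silently fail. The script below parses a constructed hosts-file excerpt and flags any entry that names a watched vendor domain. The watchlist and the sample lines are assumptions for the example; a real deployment would read the system's actual hosts file and use the vendors it depends on.

```python
import ipaddress

# Assumed watchlist for the example: domains of antivirus vendors that
# self-protecting malware is known to redirect. Extend with the vendors
# your environment actually relies on.
VENDOR_DOMAINS = ("symantec.com", "f-secure.com", "mcafee.com", "nai.com")

# Constructed hosts-file excerpt: normal lines, a comment, and two entries
# of the kind a self-protecting specimen would add.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   www.symantec.com securityresponse.symantec.com   # added by malware
0.0.0.0     www.f-secure.com
10.0.0.5    intranet.example.com
"""


def parse_hosts(text: str) -> list:
    """Return (line_number, ip, hostname) for every mapping in a hosts file.
    Comments (#) and blank lines are skipped; a line is ignored if its
    first field is not a valid IPv4/IPv6 address."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower().rstrip(".")))
    return entries


def is_watched(hostname: str, watchlist=VENDOR_DOMAINS) -> bool:
    """True if hostname is a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)


def find_hijacked_vendor_entries(text: str, watchlist=VENDOR_DOMAINS) -> list:
    """Flag every hosts entry that names a watched vendor domain. Any such
    entry is suspicious regardless of the address it points at: a clean
    hosts file has no reason to pin these names."""
    return [entry for entry in parse_hosts(text) if is_watched(entry[2], watchlist)]


if __name__ == "__main__":
    for lineno, ip, name in find_hijacked_vendor_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

The check deliberately flags any address, not just 127.0.0.1: pointing a vendor name at a bogus routable address is just as effective at blocking updates and is easier to overlook. Treat a hit as a sign that the host is already compromised, not merely misconfigured.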
References
[1] Alef0, "Computer Recreations," Software: Practice and Experience, Vol. 2, pp. 93-96, 1972.
[2] A. K. Dewdney, "Computer Recreations: In the game called Core War hostile programs engage in a battle of bits," Scientific American, pp. 14-22, 1984.
[3] John Walker, "The Animal Episode," Open letter to A. K. Dewdney, February 1985, www.fourmilab.ch/documents/univac/animal.html.
[4] Rich Skrenta, "Elk Cloner (circa 1982)," www.skrenta.com/cloner.
[5] Jeremy Paquette, "A History of Viruses," July 2000, www.securityfocus.com/infocus/1286.
[6] Phil Goetz, "Risks Digest," Volume 6, Issue 71, April 1988, http://catless.ncl.ac.uk/Risks/6.71.html.
[7] Joe Dellinger, "Risks Digest," Volume 12, Issue 12, September 1991, http://catless.ncl.ac.uk/Risks/12.30.html.
[8] Fred Cohen, "Computer Viruses: Theory and Experiments," IFIP TC-11 Conference, Toronto, 1984, www.all.net/books/virus/part1.html.
[9] Rob Slade, "Rob Slade's Take on Fred Cohen," http://sun.soci.niu.edu/~rslade/cohen.htm.
[10] F-Secure Virus Descriptions, "Brain," www.f-secure.com/v-descs/brain.shtml.
[11] "Dr. Solomon History: 1986-1987, The Prologue," www.cknow.com/vtutor/vt19867.htm.
[12] Sir Peter Medawar, "Viruses," National Geographic, July 1994.
[13] Mark Ludwig, The Giant Black Book of Computer Viruses (2nd Ed.), pp. 22-23, 1998.
[14] Vmyths.com, "The Worldwide Michelangelo Virus Scare of 1992," 1998, www.vmyths.com/fas/fas_inc/inc1.cfm.
[15] Symantec AntiVirus Research Center, "Understanding Virus Behavior under Windows NT," http://securityresponse.symantec.com/avcenter/reference/virus.behavior.under.win.nt.pdf.
[16] VirusLibrary, "Macro.Office97.Triplicate," February 2002, www.viruslibrary.com/virusinfo/Macro.Office97.Triplicate.htm.
[17] Eric Cole, Jason Fossen, Stephen Northcutt, SANS Security Essentials with CISSP CBK, SANS Press, 2003.
[18] McAfee Security, "NAVRHAR.A," 1997, http://vil.nai.com/vil/content/v_98245.htm.
[19] Symantec Security Response, "VBS.Beast.B," 2002, http://securityresponse.symantec.com/avcenter/venc/data/vbs.beast.b.html.
[20] Eugene Kaspersky, "OBJ, LIB Viruses and Source Code Viruses," Computer Viruses, www.viruslist.com/eng/viruslistbooks.html?id=36.
[21] F-Secure Virus Descriptions, "CIH," www.europe.f-secure.com/v-descs/cih.shtml.
[22] CNET News.com, "Melissa Virus Launch Identified," 1999, http://news.com.com/2100-1023-223677.html.
[23] Robert Vibert, "Dealing with Viruses: Taking Another Look at the Approaches Used," 2000, www.securityfocus.com/infocus/1280.
[24] McAfee Security, "ProcKill-AF," 2003, http://vil.nai.com/vil/content/v_100119.htm.
Chapter 3. Worms
A little, wretched, despicable creature; a worm…
Jonathan Edwards, The Justice of God in the Damnation of Sinners, 1734

So, you're just sitting there working on your computer, innocently surfing the Web. Then, all of a sudden, without warning… whooomph! You receive a flurry of 50 e-mails from coworkers pledging their undying love to you. As you smile whimsically at the thought of your newfound attractiveness, you realize that every single one of these messages beckons you to read an enclosed attachment and respond immediately to their amorous advances. At the same time, your personal firewall goes berserk, detecting strangely formed Web requests sent to your laptop. You start to mumble, "But I'm not running a Web server on this computer," as you realize the truth: the Internet in general, and your network in particular, is under attack from yet another Internet worm.
In the last several years, we have faced an avalanche of increasingly nasty worms. Indeed, in the history of the Internet, worms have caused the most widespread damage of any computer attack technique, and could become even more devastating in the near future. What makes worms so nasty? We can get a glimpse into their nature by analyzing this definition:
A worm is a self-replicating piece of code that spreads via networks and usually doesn't require human interaction to propagate.
A worm hits one machine, takes it over, and uses it as a staging ground to scan for and conquer other vulnerable systems. When these new targets are under the worm's control, the voracious spread continues as the worm jumps off these new victims to search for additional prey. A single instance of the worm running on a single victim machine is known as a segment. The worm code running on your compromised box is one segment; that same worm installed on my machine is yet another segment of the same worm. Once the ball gets rolling, and the worm controls thousands of systems, watch out! Using this recursive process to spread, a worm can distribute itself on an exponentially increasing basis, taking over more and more victims over time.
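The recursive spread described above, as an added simulation that is not part of the book: each segment scans a fixed number of random addresses per time step, and any vulnerable, not-yet-infected host it hits becomes a new segment that scans on the next step. The address-space size, vulnerable population, and scan rate are made-up parameters, and the model ignores latency, bandwidth and detection. It goes a little beyond the text in one respect: it shows that the exponential phase ends in saturation once few vulnerable hosts remain, which is what the infection curves of real worms look like.

```python
import random


def simulate_worm(addresses: int, vulnerable: int, scans_per_tick: int,
                  ticks: int, seed: int = 1) -> list:
    """Return the number of infected segments after each time step.

    addresses       size of the scannable address space
    vulnerable      how many of those addresses run an exploitable service
    scans_per_tick  random addresses each segment probes per step
    ticks           maximum number of steps (stops early at saturation)
    seed            fixed so that a run is reproducible
    """
    if vulnerable < 1:
        return [0]
    rng = random.Random(seed)
    # Assumed layout: vulnerable hosts are scattered uniformly over the space.
    vulnerable_hosts = set(rng.sample(range(addresses), vulnerable))
    infected = {min(vulnerable_hosts)}          # patient zero
    history = [len(infected)]
    for _ in range(ticks):
        newly = set()
        # Every existing segment scans independently; hits on hosts that are
        # vulnerable and not yet owned become the next generation of segments.
        for _segment in range(len(infected)):
            for _ in range(scans_per_tick):
                target = rng.randrange(addresses)
                if target in vulnerable_hosts and target not in infected:
                    newly.add(target)
        infected |= newly
        history.append(len(infected))
        if len(infected) == vulnerable:
            break
    return history


def ticks_until(history: list, fraction: float, vulnerable: int):
    """First step at which at least `fraction` of the vulnerable hosts are
    infected, or None if the run never got there."""
    goal = fraction * vulnerable
    for t, n in enumerate(history):
        if n >= goal:
            return t
    return None


if __name__ == "__main__":
    run = simulate_worm(addresses=10_000, vulnerable=1_000, scans_per_tick=5,
                        ticks=200, seed=7)
    print("infected per tick:", run)
    print("half of the vulnerable hosts owned at tick",
          ticks_until(run, 0.5, 1_000), "; all owned at tick",
          ticks_until(run, 1.0, 1_000))
```

Two things to read off the printed curve: the per-step growth factor early on is roughly 1 + scans_per_tick * vulnerable / addresses, so both a denser vulnerable population and a faster scanner shorten the exponential phase; and the curve flattens at the end only because targets run out, not because anyone stopped the worm. Patching hosts before the worm arrives shrinks `vulnerable`, which slows the early growth and lowers the ceiling.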
The term worm used to describe such code appears to have originated in the sci-fi book The Shockwave Rider by John Brunner, published in 1975 [1]. In that book, a program called "tapeworm" spreads across a futuristic data network linking millions of systems around the globe (sound familiar?). As an example of very early cyberpunk literature, it's a pretty nifty read and is still available at major bookstores. The fictional Shockwave Rider helped establish the notion of very powerful self-replicating code that we'd later see implemented in real-world viruses and worms.
The previous chapter of this book focused on computer viruses. I frequently get asked about the difference between worms and viruses. The two types of malware are indeed related, in that each type self-replicates as it spreads. However, the defining characteristic of a worm is that it spreads across a network. If it doesn't spread across the network, it just isn't a worm. As we discussed in the last chapter, a virus's defining characteristic is that it infects a host file, such as a document or executable. Worms don't necessarily infect a host file (although some specific worm specimens do).
At the risk of mixing metaphors with abandon, worms are rather like viruses that have spread their wings by propagating across a network. It's like the proverbial amphibian crawling out of the muck, sprouting wings, and flying through the sky. Of course, some malicious code is both a worm and a virus, in that it propagates across a network and infects a host file. In fact, with the widespread deployment of the Internet today, most modern viruses include worm characteristics for propagation.
Although the network characteristic is the intrinsic feature that defines worms, it's also important to recognize that most (but not all) worms spread without user interaction. They usually exploit some flaw in a target and conquer it in an automated fashion, without a user or administrator doing anything. Most viruses (but, again, not all) require a user to run a program or view a file to invoke the malicious code. These differences between worms and viruses are summarized in Table 3.1.
Table 3.1. Viruses versus Worms

Malware Type | Replication | Spread Via... | User Interaction Required for Spread?
Virus | Self-replicating | Infecting a file, such as an executable or document file. | Typically, user interaction is required for propagation, such as running a program or opening a document file.
Worm | Self-replicating | Propagating across a network. | Typically, no user interaction is required, as the worm spreads via vulnerabilities or misconfigurations in target systems. However, for a small number of worms, some user interaction is necessary for propagation (e.g., opening an e-mail viewer).