Norman Book On Computer Viruses


[Cover illustration labels: eQuarantine, Diskette, Read email, Peace of Mind]

Norman is one of the world’s leading companies within the field of data security. With products for virus control, spam control, email control, download control, personal firewall, encryption, data recovery, certified data erasure and computer forensics, the company plays an important role in the data industry.

www.norman.com

Norman ASA is not liable for any other form of loss or damage arising from use of the documentation or from errors or deficiencies therein, including but not limited to loss of earnings. In particular, and without the limitations imposed by the licensing agreement with regard to any special use or purpose, Norman ASA will in no event be liable for loss of profits or other commercial damage including but not limited to incidental or consequential damages.

The information in this document as well as the functionality of the software is subject to change without notice. No part of this documentation may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or information storage and retrieval systems, for any purpose other than the purchaser's personal use, without the explicit written permission of Norman ASA.

Contributors to The Norman Book on Viruses: Snorre Fagerland, Sylvia Moon, Kenneth Walls, Carl Bretteville
Edited by Yngve Ness

The Norman logo is a registered trademark of Norman ASA. Names of products mentioned in this documentation are either trademarks or registered trademarks of their respective owners. They are mentioned for identification purposes only.

Norman documentation is Copyright 1990-2003 Norman ASA. All rights reserved.
Last revised February 2003.

Contents

Contents  v
Introduction  7
What is a virus?  8
    What is a program  8
    What is residency  9
    Malware classes overview  9
        Virus  9
        Worm  10
        Trojans, backdoors, security risks  10
        Denial-of-service tools, nukers, mail bombers  10
        Hacking tools, virus creation kits  11
        Bugs, logic bombs, time bombs  12
        Hoax  12
    Virus/worm types overview  12
        Boot virus  14
        Multipartite virus  14
        Binary file virus  14
        Script file viruses  17
        Macro virus  19
            How it works  19
            Why it’s such a risk  19
            Embedding and linking  20
            MS Word  21
            MS Excel  21
            Office 97, Office 2000, Office XP  22
        Boot viruses  22
            The booting process  23
            A bootable diskette  23
            How a boot virus infects  24
    Special case: The CIH virus (W95/CIH.1003.A)  24
    Special case: The Melissa virus (W97M/Melissa.A@mm)  25
    Special case: The CodeRed worm (NT/CodeRed.A)  26
    Special case: The LoveLetter virus (VBS/LoveLetter.A@mm)  27
    Special case: Nimda (W32/Nimda.A@mm)  27
    Special case: Sircam (W32/Sircam.A@mm)  28
    Special case: Klez (W32/Klez.H@mm)  29
    Special case: Friends Greetings (W32/FriendGreet)  30
    Predictions for the future  31
How many viruses are there...  32
    ...and does it matter?  32
In the wild viruses  33
The evolution of the virus problem  35
Viruses on different operating systems  36
    MS-DOS  37
    Windows  37
    OS/2  38
    Windows 95/98/ME  39
    Windows NT/2000/XP  41
Solutions to the virus problem  42
    Establish routines  42
    Anti-virus solutions  42
Sandbox  46
    About Sandboxing  46
    Sandboxing using emulation  47
    Sandboxing using a virtual machine  48
    Forecasting the sandbox technology  48
Industry facts  49
Norman Virus Control  50
    NVC 5 – a new approach to virus control  50
    Certification  51
    Awards  52
    Virus Alert Program  52
Index  53

Introduction

It’s hard to believe that the first IBM personal computer (PC) was introduced in August, 1981. In the beginning they were used by a small group of people. Today, however, we can’t imagine life without them, both at work and at home. Look around your office when the electricity goes out, and you’ll see people standing around talking because they feel they can’t get any work done without their computers.

We have become dependent on these machines and the information stored within. As the importance of a “thing” rises, it becomes equally as important, if not more, to secure it. (How many of you have alarm systems in your cars?)

A large portion of modern computing life is to secure the information that we are creating and processing. There are many aspects of information security, ranging from physical access to ensuring that the information has not been changed in any way.

    “The only secure computer is one that’s unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I’m not even too sure about that one.”
    Attributed to Dennis Hughes, FBI

One of the most high-profile threats to information integrity is the computer virus. Surprisingly, PC viruses have been around for two-thirds of the IBM PC’s lifetime, appearing in 1986. With global computing on the rise, computer viruses have had more visibility in the past two years. In fact, the entertainment industry has helped by illustrating the effects of viruses in movies such as “Independence Day”, “The Net” and “Sneakers”.

Note that computer viruses are also found on Macintoshes and other platforms, but in this book, we will focus on PC viruses.

The topics we will cover are:
- what a virus is
- the evolution of the virus problem
- viruses on different operating systems
- solutions to the virus problem
- how Norman Virus Control products help

What is a virus?

The terms “computer virus” and “virus” are used very loosely in everyday conversation and have become synonymous with “trouble”.

A virus is usually not something that creates cool screen effects and enables you to hack into the Pentagon. The “Launching virus” screen as seen in Hollywood movies bears no resemblance to real-life viruses. In reality, a virus infection is most often invisible to the user. The machine may slow down a little. Some programs may be unstable and crash at irregular intervals, but then again that happens every so often on clean systems too.

Still, some viruses have some sort of screen effect. The Windows virus “Marburg” fills the desktop with red circles with a white “X” inside. A couple of viruses will make desktop icons escape the mouse cursor. Such effects are not particularly common, since they expose the existence of the virus.

In order to explain such vexing programs, we will need to look at what programs really are.

What is a program

A program is a recipe for a computer’s behavior. Now, computers do not read these things as we humans do. They cannot understand free text messages – instead they have to rely on numbers, because computers are really only glorified calculators. For example, let’s look at the instruction for “do nothing” in ordinary Intel processors (yes, there is an instruction for that) – it’s the number 144. If the number 144 is translated into binary it can be written as 10010000 – which physically means voltage on, off, off, on, off, off, off, off in wires going into the processor.

When a program is run on your computer, what happens is that the operating system, for example Windows, reads the program from the disk, examines it and determines what kind of program it is. From there the processor is fed the numbers in the program. Modern operating systems are multitasking – that is, they can juggle many programs simultaneously. That is why you can have several program windows open at the same time.

What is residency

“Residency” is a term you will come across far and wide in this book. It means “active in memory”. A resident program is a program that exists in the computer’s memory for an extended period of time. The term was more relevant in the DOS heyday, when most programs were non-resident – i.e. they did what they were supposed to do and died. In the Windows world, however, it’s fair to say that most programs are resident. They stay active until you close them.

Malware classes overview

Viruses, worms, Trojan horses, logic bombs etc. are all examples of what is called malicious software programs, or malware for short.

Malware is primarily an unwanted, uninvited, potentially dangerous set of programs, but there are important distinctions among the different subtypes. The following overview defines a few of the most important categories:

Virus

Viruses require a host, and their goal is to infect other files so that the virus can “live” longer. Some viruses perform destructive actions although this is not necessarily the case. Many viruses attempt to hide from being discovered. Remember: viruses are simply software programs.

Replicates? Yes. All viruses make copies of themselves, infecting boot sectors, programs, or “data files” as the opportunity arises.

Worm

A host is not required, although one may in some cases argue that a worm’s host is the machine it has infected. As such, some researchers define worms as a subtype of viruses. In the beginning worms were considered to be mainly a mainframe problem. This changed after the Internet became widespread; worms quickly got accustomed to the Windows operating system and started to send themselves via e-mail, IRC, and other network functions. In addition we have lately seen a re-emergence of UNIX-based worms, which exploit security holes in the different flavours of UNIX.

Replicates? Yes. A worm makes copies of itself as it finds the opportunity.

Trojans, backdoors, security risks

Trojans do not require a host. The word Trojan is derived from the term “Trojan horse”, and although it sometimes refers to the destructive code contained in the program, the term is more often used to refer to the entire program file. Trojans are programs that perform some unwanted action while pretending to be useful. Most trojans activate when they are run and sometimes destroy the structure of the current drive (FATs, directories, etc.), obliterating themselves in the process.

A special type is the backdoor trojan, which often does not do anything overtly destructive, but leaves your computer open for remote control and unauthorized access. Unfortunately, some of the commercially available remote administration tools can be used as trojans in certain settings. Tools that do not have enough precautions against being used for malicious purposes may be detected by Norman Virus Control as a “security risk”.

Replicates? No.

Denial-of-service tools, nukers, mail bombers

These categories are software weapons. They do not pose any direct threat to the computer where they are installed, but are designed to disrupt the operation of other networked computers.

Sometimes these weapons can be installed silently to be used from unsuspecting users’ computers, and in this respect such tools also fit the description of trojans.

Denial-of-service (DoS) tools are used to bombard other computers with connection attempts to such a degree that the computer under attack cannot handle the traffic load, and legitimate requests are neglected. A special case of denial-of-service is the so-called “Distributed Denial-of-Service”, or DDoS. DDoS occurs when several machines start a coordinated attack against the same target.

Nukers send malformed network requests to try to confuse the attacked machine and cause a crash.

Mail bombers are pretty self-explanatory – they are used to annoy people by filling up their mailbox.

Replicates? No. None of these replicate by themselves, but it is possible to combine viruses and some of these attack methods.

Hacking tools, virus creation kits

There are quite a few people who engage in shady activities, and there are plenty of tools available to help them.

Hacking, which unfortunately has come to mean gaining unauthorized access to remote computers, has been a problem since long before the first computer viruses emerged. There are a number of obtainable tools that can be used to gain knowledge about and break into other computers.

There are also quite a few programs that in turn can create computer viruses. These programs are made as help for would-be virus authors, and are one of the main reasons for the current virus situation. These tools are so easy to use that persons with no programming skills can make new viruses. Such programs are called virus generators, virus creation kits, or just kits.

Replicates? No. A virus creation kit creates new viruses, but does not replicate by itself.

Bugs, logic bombs, time bombs

These are program malfunctions. You can say that they require a host — programmers cannot write a bug without at the same time writing other code — although it's fair to say that most programmers do not intentionally write bugs. Logic bombs and time bombs are malfunctions intentionally inserted in otherwise “good” code.

Replicates? No. This code generally has better things to do than making copies of itself. Logic bombs and time bombs wish to remain hidden, with only their effects being visible. Bugs do just about everything except make more bugs.

Hoax

A hoax is a chain letter, typically sent over e-mail, which carries false warnings about viruses or trojans. This causes well-meaning users to send the warning on in the belief that they are doing other users a favor. Often such warnings apparently stem from well-known companies and organizations, but this is not the case. Hoaxes may also contain other messages that are supposed to trick people into sending the message on; for example, they will offer money or a cell phone as a reward for forwarding the message to friends.

If you receive a warning about a virus, do not pass the warning on to other users! This rule applies even if the virus actually does exist, and applies doubly if the warning asks to be sent on. It whips up anxiety and increases the workload.

Replicates? No, not by itself. Hoaxes trick the user into making copies instead.

Virus/worm types overview

When speaking about viruses and worms, we normally speak about these main categories:

Binary file virus and worms

File viruses infect executables (program files). They are able to infect over networks. Normally these executables and viruses consist of instructions that are created for easy machine interpretation, so-called machine code. To the untrained eye, machine code is incomprehensible, as it is basically a row of numbers to be queued into the processor. File worms are also written in machine code, but instead of infecting other files, worms focus on spreading to other machines. See page 24 for details.

Binary stream worms

Sidebar: CodeRed is a binary stream worm that employs the network.

Stream worms are a group of network-spreading worms that never manifest themselves as files. Instead, they travel from computer to computer just as pieces of code that exist only in memory. The most renowned of this group is the CodeRed series of worms that spread between IIS systems. See page 26 for details.

Script file virus and worms

A script virus is technically a file virus, but script viruses are written as pure text and thus easily readable for everybody. Since computers cannot understand text instructions directly, the text first has to be translated from text to machine code. This procedure is called “interpretation”, and is performed by separate programs on the computer. For example, Visual Basic Script (VBS) is interpreted by the program WSCRIPT.EXE, and the old DOS batch language (BAT) is interpreted by COMMAND.COM. Script viruses infect other script files, but even more common are the script worms that travel from machine to machine, preferably over e-mail. See page 27 for details.

Macro virus

Macro viruses infect data files, or files that normally are perceived as data files, like documents and spreadsheets. Many “data file types” have the possibility to include instructions along with the normal content – for example, Microsoft Word files can contain instructions that tell Word how to show a particular document, or instructions that tell Windows to do certain actions. Just about anything that you can do with ordinary programs on a computer can be done through such so-called macro instructions. Macro viruses are among the most common viruses today. These are able to infect over networks. See page 25 for details.

Boot virus

Boot viruses infect boot sectors of hard drives and floppy disks. These are not able to infect over networks.

Multipartite virus

Multipartite viruses infect both executable files and boot sectors, or executable files and data files. These are able to infect over networks.

You may also have come across terms like “polymorphic”, “stealth”, and “encrypted”. These are not types of viruses per se, but rather methods that viruses use to disguise themselves from anti-virus products.

The next sections describe binary, script, macro, and boot viruses more thoroughly.

Binary file virus

A file virus attaches itself to a program file (the host) and uses different techniques in order to infect other program files.

There are several basic techniques for infecting an executable file: companion, link, overwrite, insert, prepend, append, and others.

A companion virus does not modify its host directly. Instead it maneuvers the operating system into executing itself instead of the host file. Sometimes this is done by renaming the host file to some other name, and then granting the virus file the name of the original program. Or the virus infects an .EXE file by creating a .COM file with the same name in the same directory. DOS will always execute a .COM file first if only the program name is given, so if you type “EDIT” at a DOS prompt, and there is an EDIT.COM and an EDIT.EXE in the same directory, EDIT.COM is executed.

A link virus makes changes in the low-level workings of the file system, so that program names no longer point to the original program, but to a copy of the virus. This makes it possible to have only one instance of the virus, which all program names point to.

An overwriting virus places itself at the beginning of the program, directly over the original program code, so the program is now damaged. When you try to run this program, nothing happens except for the virus infecting another file.
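As an added illustration (written for this page, not code from the Norman book or from Norman Virus Control), the following Python script turns the .COM-before-.EXE rule described above into a check a support technician could run: it walks a directory tree and reports every place where NAME.COM sits next to NAME.EXE, which is the footprint a companion virus leaves behind. The sample tree, its file names and their contents are constructed for the example; the files hold placeholder bytes, not programs.

```python
"""Companion-virus footprint check (added example, not Norman's code).
Under DOS, typing NAME runs NAME.COM before NAME.EXE, so an unexpected
.COM next to an .EXE of the same name deserves a look."""
import os
import tempfile
from pathlib import Path


def find_com_shadows(root):
    """Walk `root` and return (relative_dir, stem) pairs where both
    STEM.COM and STEM.EXE exist in the same directory. Matching is
    case-insensitive, as DOS file names are."""
    hits = []
    for dirpath, _subdirs, filenames in os.walk(root):
        by_stem = {}
        for name in filenames:
            stem, ext = os.path.splitext(name.lower())
            by_stem.setdefault(stem, set()).add(ext)
        for stem in sorted(by_stem):
            if {".com", ".exe"} <= by_stem[stem]:
                hits.append((os.path.relpath(dirpath, root), stem))
    return hits


def build_sample_tree(root):
    """Constructed sample tree; contents are placeholder bytes, not programs.
    EDIT and TOOLS\\PKZIP are shadowed pairs, the rest are ordinary files."""
    sample = {
        "EDIT.EXE": b"MZ" + b"\x00" * 62,     # 'MZ' is the real EXE header magic
        "EDIT.COM": b"\x90" * 16,             # the suspicious companion
        "FORMAT.EXE": b"MZ" + b"\x00" * 62,   # lone .EXE: fine
        "WIN.COM": b"\x90" * 16,              # lone .COM: fine
        "README.TXT": b"constructed sample",
        os.path.join("TOOLS", "PKZIP.EXE"): b"MZ" + b"\x00" * 62,
        os.path.join("TOOLS", "PKZIP.COM"): b"\x90" * 16,
    }
    for rel, data in sample.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo():
    """Build the sample tree in a fresh temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_com_shadows(root)


if __name__ == "__main__":
    for rel_dir, stem in demo():
        print(f"{rel_dir}: {stem.upper()}.COM shadows {stem.upper()}.EXE")
```

A hit is not proof of infection (some legitimate packages did ship both a .COM loader and an .EXE), so the list is a work queue for inspection: compare the .COM against a known-good copy or a vendor checksum before deleting it.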

Such viruses are easily apprehended and destroyed by users and user support staff, so they actually spread very poorly in the wild. You have almost no chance of ever getting an overwriting virus on your machine.

An inserting virus copies itself into the host program. Programs sometimes contain areas that are not used, and viruses can find and insert themselves into such areas. The virus can also be designed to move a large chunk of the host file somewhere else and simply occupy the vacant space.

The pure prepending virus may simply place all of its code at the top of your original program. When you run a program infected by a prepending file virus, the virus code runs first, and then your original program runs.

An appending virus places a “jump” at the beginning of the program file, moves the original beginning of the file to the end of the file, and places itself between what was originally the end of the file and what was originally at the beginning of the file. When you try to run this program, the “jump” calls the virus, and the virus runs. The virus then moves the original beginning of the file back to its normal position and then lets your program run.

This was a brief overview of how a virus attaches itself to a program file. It uses different techniques in order to infect. Many file viruses go memory-resident so that they can monitor all actions and infect other program files as they are run or otherwise accessed. Other file viruses infect by “direct action”, which means that they infect other program files right away, without going memory-resident. Under Windows this distinction becomes blurred, as many viruses are both resident and “direct action”.

Several other methods exist.

Script file viruses

Script file viruses are not really a new class of viruses, but have only quite recently evolved into a major threat. As mentioned, scripts are pure text instructions that are interpreted by some program. There are quite a few scripting languages:

Visual Basic Script: These scripts are normally found as separate *.VBS files or inserted into web pages. VB scripts have functionality that is a subset of the Microsoft Visual Basic language, and it’s expandable by importing functions from other programs. For example, many of Microsoft Word’s functions can be used through VB script.

JavaScript: The scripting language that was introduced by Sun Microsystems alongside the development of the HTML standard. Standard JavaScript is usually quite safe, as it does not affect the file system. You’ll normally find JavaScript on web pages.

JScript: The Microsoft version of JavaScript. It is about as flexible and expandable (and unsafe) as Visual Basic Script. JScript is found in *.JS files or on web pages.

DOS BAT language: When you wanted venerable old DOS to do something, you used to type the command on the command line. E.g. displaying files in a directory was performed by typing DIR and pressing Enter. However, sometimes you instructed DOS to perform certain tasks when you weren’t around to type in the commands. The BAT (batch) language was developed for this purpose: enter the commands into a text file and then type the filename on the command line to give DOS a set of commands to process. Such files are always called batch files and have the extension *.BAT.

UNIX shell script: This is similar to DOS batch language, only it was developed for the different varieties of UNIX. UNIX has a very wide set of commands available from the command line, so shell scripts are quite powerful and can do a lot of different things.

IRC scripts: Internet Relay Chat is a chat system for the Internet. Chat systems can be scripted to perform certain tasks automatically, like sending a greeting to someone who just joined the chat room. However, the scripts also support sending of files, and many worms and viruses spread over IRC. Known IRC programs that have been exploited are the popular mIRC, pIRCH and VIRC clients.

Other scripting languages: Many other scripting languages exist. Corel Draw, Visual FoxPro, SuperLogo, InstallShield etc. can be scripted and have been used for malicious purposes.
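The following added example (written for this page; it is neither the Norman book's nor Norman Virus Control's code) turns two of the descriptions above into static checks on file contents. For a flat DOS .COM image it tests whether the first instruction is a jump that lands in the tail of the file, which is the visible trace of the appending-virus layout described in the Binary file virus section (jump at the start, virus code after the original end of file). For a VBS or JS script it looks for the combination of capabilities a script worm needs: reading its own file, touching the file system and driving a mail client. The quarter-of-file tail threshold, the COM object names used as markers and every sample input are assumptions constructed for the example; the samples contain only filler instructions and object creation, no real program or malware.

```python
"""Static heuristics for two file-infector footprints (added example, not
Norman's code). Thresholds and identifiers are assumptions, see comments."""
import re
import struct

TAIL_FRACTION = 0.25   # assumption: "the tail" is the last quarter of the image


def jump_target(image):
    """File offset a leading JMP lands on, or None if the image does not
    start with one. x86 displacements are relative to the end of the jump
    instruction, which sits at offset 0 of a flat .COM image."""
    if len(image) >= 3 and image[0] == 0xE9:        # JMP rel16
        return 3 + struct.unpack_from("<h", image, 1)[0]
    if len(image) >= 2 and image[0] == 0xEB:        # JMP rel8
        return 2 + struct.unpack_from("<b", image, 1)[0]
    return None


def com_entry_jumps_to_tail(image, tail_fraction=TAIL_FRACTION):
    """An appending virus leaves a jump at the start that lands on code placed
    after the original end of file. Clean programs usually start with some
    other instruction or jump only a few bytes over embedded data."""
    target = jump_target(image)
    if target is None or not 0 <= target < len(image):
        return False
    return target >= len(image) * (1 - tail_fraction)


# Assumed Windows Script Host / COM identifiers, matched case-insensitively.
SCRIPT_CAPABILITIES = {
    "filesystem": re.compile(r"Scripting\.FileSystemObject", re.I),
    "self_reference": re.compile(r"WScript\.ScriptFullName", re.I),
    "mail": re.compile(r"Outlook\.Application", re.I),
}


def script_capabilities(text):
    return sorted(n for n, p in SCRIPT_CAPABILITIES.items() if p.search(text))


def script_risk(text):
    """A script that can open its own file and drive a mail client has the
    ingredients of an e-mail script worm; a single capability on its own is
    ordinary administrative scripting."""
    caps = set(script_capabilities(text))
    if {"filesystem", "self_reference", "mail"} <= caps:
        return "high"
    return "low" if caps else "none"


def classify(name, data):
    """Dispatch on the file extension and return a short verdict."""
    ext = name.lower().rsplit(".", 1)[-1]
    if ext == "com":
        return "suspect-appended" if com_entry_jumps_to_tail(data) else "clean"
    if ext in ("vbs", "js"):
        return "script-" + script_risk(data.decode("latin-1"))
    return "unknown"


def build_samples():
    """Constructed inputs: NOP (0x90, the 'do nothing' instruction) filler
    and harmless object creation only, no real programs or malware."""
    nop = b"\x90"
    # MOV AH,9; MOV DX,0108h; INT 21h; RET; then the '$'-terminated text.
    plain_com = b"\xB4\x09\xBA\x08\x01\xCD\x21\xC3" + b"Hi$" + nop * 100
    short_jump_com = b"\xEB\x02" + nop * 202                      # lands on offset 4
    appended_com = b"\xE9" + struct.pack("<h", 200) + nop * 260   # lands on offset 203 of 263
    logger_vbs = (b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
                  b'fso.OpenTextFile("C:\\log.txt", 8, True).WriteLine "ok"\r\n')
    wormish_vbs = (b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
                   b'Set src = fso.OpenTextFile(WScript.ScriptFullName, 1)\r\n'
                   b'Set ol = CreateObject("Outlook.Application")\r\n')
    return {
        "PLAIN.COM": plain_com,
        "SHORTJMP.COM": short_jump_com,
        "APPENDED.COM": appended_com,
        "LOGGER.VBS": logger_vbs,
        "WORMISH.VBS": wormish_vbs,
        "README.TXT": b"constructed sample",
    }


def classify_samples():
    return {name: classify(name, data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14} {verdict}")
```

Both checks are heuristics, not signatures: a compressed or self-relocating .COM can legitimately start with a long jump, and an administrator's mail-merge script can legitimately use all three objects, so a hit should route a file to a scanner or a known-good comparison rather than straight to deletion.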

Macro virus

Since the introduction of the first macro virus in August 1995 and until quite recently, this virus type has been the fastest growing category. The first time we discussed this phenomenon in this publication, in January 1997, the number of known macro viruses was 100. Some four years later, Norman had identified more than 8,000 macro viruses, and the number is still growing. Even though bigger threats have emerged since the heyday of the macro virus, the problem still exists and cannot be ignored.

How it works

Traditional file viruses do not attempt to infect data files, for data files are not an ideal ground for replication. That is, one does not “run” a data file; one “reads” and “edits” a data file. However, in the past few years, organizations have been building upon open systems, in which data is shared more readily. This in turn means that there is little security. Macro viruses take advantage of the fact that many applications now contain macro programming languages. These languages allow users (and virus authors) more flexibility and power within the application than ever before, and in fact convert what used to be data files into programs. Often macro viruses are not detected early enough because many users are not familiar with the nuances of macros. As a result, macro viruses have an infection rate much higher than traditional file and boot viruses.

In the beginning, the most targeted macro programming language was WordBasic, the language within early versions of Microsoft Word. Later, the predominant macro programming language used in viruses became Visual Basic for Applications, or VBA. This programming language is shared by a lot of applications – Word, Excel, Access, PowerPoint, Project, Visio and many others.

Why it’s such a risk

Since data files, and in particular documents, are shared more frequently than executable (program) files, the security threat posed by macro viruses is very real. VBA is also a very powerful programming language which can be used to control almost anything on the computer.

Some macro viruses contain destructive code and some even create and execute traditional file and boot viruses. While traditional file and boot viruses affect the operation of a machine, macro viruses affect the quality and reliability of information contained within data files.

Embedding and linking

The open systems in many of Microsoft’s applications utilize OLE in order to combine different data types. You can embed an object such as a bitmap or an executable within a Word document. Embedding an object means that any edits to the object will not be reflected in any other copies of the object. You can also link an object such as an Excel spreadsheet to a Word document. Linking an object means that you may edit the object in either its source application or from within the application to which it is linked, and all copies of the objec
