Pradeepa Chandramohan - Virus Hunting


Nov 12, 2013


VIRUS HUNTING

Presented by

Pradeepa Chandramohan

Introduction


A developer’s machine is much more prone to virus attacks than an average
corporate user’s, because developers access different servers and other remote
machines.


More security than anti-virus software is required.


Most viruses today disable the anti-virus software as their first step upon
activation.


Anti-virus software is good at keeping us safe from known threats.


To look out for viruses, it is necessary to think like a virus writer. A basic
understanding of viruses, and of the most common areas through which they
enter the system, is required to deal with them.

Preparing to do battle


The author writes the executable code.


What is the author’s intention?


Reformatting the hard drive? Deleting JPG files?
Mailing copies of itself to you and your contacts?


Usually, a virus’s executable code is run by the direct method: some user
receives an e-mail attachment called “Fun.exe” or some equally appealing
name, and the virus is released when this code is run.


Nowadays less obvious techniques have been adopted.

What constitutes executable code?


.exe, .cmd and .com are all examples of executable files.


Word-processing documents contain macros to perform customized tasks.


UNSAFE!!! Macros can run unsafe code.


In general, executable code falls into three categories: stand-alone programs,
code included within resources or libraries, and script or macro code executed
by an interpreter of some kind.


A stand-alone program is any file that relies on the operating system for it to
execute. To examine which of these are affected by viruses, we need to examine
the Windows registry.


Launch the Registry Editor, regedit.exe, and expand the
HKEY_CLASSES_ROOT (HKCR) node, which is the operating system’s
repository for information on file associations and commands.


Navigate down the tree until you locate the key named .exe. Select this node;
its default value is exefile. This is a pointer to another key under HKCR (the
exefile key).

What constitutes executable code? (Contd..)


The exefile key contains a shell subkey where a file type’s available actions are
defined. These are called ‘verbs’. For example, in a Word document, ‘print’ is
a verb.


Expand the shell subkey of the exefile node to view the verbs available for EXE
files.


The key to be considered is ‘open’. Expand this node and select its command
subkey. Each verb has its own subkey, and each of those keys in turn has its
own command subkey. The default value in this command subkey dictates what
exactly happens when that verb is executed.


Double-clicking an icon executes the default verb’s command (‘open’ for
EXE files).


The ‘open’ verb’s command has the value: “%1” %*. The path and filename of the
EXE file activated are substituted for the %1 parameter, while any switches
or command-line parameters that go along with it are passed through the %*
parameter.


Files like .com, .pif, .vbs and .cmd all have a default open verb of “%1”.
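
The registry walk described above, as an added PowerShell example that is not part of the presentation: it resolves each extension’s ProgID from HKCR, lists every verb with its caption and command string, and marks the default verb. It is read-only and assumes a Windows host; the list of extensions is the one the slides mention.

```powershell
# Added example (not from the presentation): walks HKCR the way the slides
# describe and prints each verb's command line for several risky extensions.
# Read-only. Assumes a Windows host; HKCR: is mapped as a drive below.
$extensions = '.exe', '.com', '.pif', '.cmd', '.scr', '.vbs', '.js', '.reg', '.shs'

function Get-ShellVerbCommands {
    param([string]$Extension)
    # The (Default) value of HKCR\.ext is the ProgID, e.g. "exefile" for .exe
    $progId = (Get-ItemProperty -Path "HKCR:\$Extension" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return }
    $shellKey = "HKCR:\$progId\shell"
    if (-not (Test-Path $shellKey)) { return }
    # The shell key's own (Default) value names the default verb; blank means "open"
    $defaultVerb = (Get-ItemProperty -Path $shellKey).'(default)'
    if (-not $defaultVerb) { $defaultVerb = 'open' }
    foreach ($verb in Get-ChildItem -Path $shellKey) {
        # Each verb key holds its menu caption as (Default) and a "command" subkey
        $cmdKey  = "$($verb.PSPath)\command"
        $command = if (Test-Path $cmdKey) { (Get-ItemProperty -Path $cmdKey).'(default)' } else { '' }
        [pscustomobject]@{
            Extension = $Extension
            ProgId    = $progId
            Verb      = $verb.PSChildName
            IsDefault = ($verb.PSChildName -eq $defaultVerb)
            Caption   = (Get-ItemProperty -Path $verb.PSPath).'(default)'
            Command   = $command
        }
    }
}

# HKCR is not exposed as a drive by default; map it once for this session
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$extensions | ForEach-Object { Get-ShellVerbCommands -Extension $_ } |
    Format-Table Extension, Verb, IsDefault, Caption, Command -AutoSize
```

On a stock machine the .exe row shows “%1” %* and the .scr row shows “%1” /S, which is the difference the next slides discuss.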

Screensavers


BEWARE!!!


The default value of the ‘open’ verb for an EXE file is “%1” %*, and for an SCR
(screensaver) file it is “%1” /S.


The only difference between these two default verbs is the /S switch for the
SCR file type.


The intended purpose of the screensaver’s ‘open’ verb is to allow a screensaver
to be tested; the screensaver executable interprets the /S switch
accordingly.


A virus writer gives the application a .SCR extension and simply ignores the /S
switch passed to it when the user invokes the program.


The screensaver’s ‘open’ verb is shown as ‘Test’ in the context menu. The user
thinks he is just testing a screensaver while actually activating a virus. This
caption is stored in the default value of the open key. It should be changed to
‘Open and Test’. This way the user realizes that when they select that menu item,
any executable code inside the screensaver is going to execute and could
therefore be harmful.

Libraries can be dangerous


Executable code may be contained inside resources or component libraries of
many different varieties.


These file types include Dynamic Link Libraries (DLL), Control Panel
Applets (CPL), various type libraries (TLB, OLB, etc.), and ActiveX controls and
COM components (OCX, VBX, etc.).


Consider the following example:


    rundll32.exe shell32.dll,OpenAs_RunDLL c:\winnt\win.ini


The OpenAs_RunDLL function exported from SHELL32.DLL accepts one
parameter, a file name.


When invoked, it displays the Open With dialog box. When OK is clicked
after selecting an application, the filename passed as a parameter is opened in
the target application.


Two possible attacks can be expected. One would be to replace an existing
DLL with a compromised version in which a particular function’s
behaviour is modified.


Libraries can be dangerous (Contd..)


This way, whenever the system invokes this function, instead of producing the
desired result, the virus gets activated.


Another approach would be to write a DLL from scratch and invoke its
functions using RUNDLL32.EXE when needed.


This is not quite as straightforward, but it is most likely to be accepted by an
unsuspecting user or to be overlooked by an anti-virus program.
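
A defender-side triage of rundll32 command lines like the one above, as an added PowerShell example that is not part of the presentation: it extracts the DLL and entry point, resolves a bare name against System32 the way rundll32 does, and flags a library that lives outside the Windows directory or whose Authenticode status is not Valid. The two sample command lines are constructed; the Test-RunDll32CommandLine function name is mine.

```powershell
# Added example (not from the presentation): triages rundll32 invocations.
# A DLL written from scratch and launched via rundll32 is the second attack the
# slides describe; it rarely lives under %SystemRoot% or carries a valid signature.
$sampleCommandLines = @(
    'rundll32.exe shell32.dll,OpenAs_RunDLL c:\winnt\win.ini',   # from the slide
    'rundll32.exe C:\Users\Public\helper.dll,Start'              # constructed
)

function Test-RunDll32CommandLine {
    param([string]$CommandLine)
    # rundll32 syntax: rundll32.exe <dll>,<entrypoint> [arguments]
    if (-not ($CommandLine -match '^\s*(?:.*\\)?rundll32(?:\.exe)?\s+"?([^",]+)"?,(\w+)')) { return }
    $dll = $Matches[1]; $entry = $Matches[2]
    # A bare file name (no directory) is resolved from System32 first
    $path = if ([System.IO.Path]::IsPathRooted($dll)) { $dll }
            else { Join-Path $env:SystemRoot "System32\$dll" }
    $exists       = Test-Path -LiteralPath $path
    $inWindowsDir = $path.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)
    # Any status other than Valid (NotSigned, HashMismatch, ...) deserves a look
    $signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Missing' }
    [pscustomobject]@{
        Dll          = $path
        EntryPoint   = $entry
        InWindowsDir = $inWindowsDir
        Signature    = $signature
        Suspicious   = (-not $inWindowsDir) -or ("$signature" -ne 'Valid')
    }
}

$sampleCommandLines | ForEach-Object { Test-RunDll32CommandLine -CommandLine $_ } |
    Format-Table -AutoSize
```

Feed it the CommandLine field from process-creation events to review rundll32 usage across a fleet; the shell32.dll line is expected to come back InWindowsDir and not Suspicious, the constructed helper.dll line Suspicious.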

Scripts & Macros


Script code requires a script engine to interpret and run it, but it can still be
exploited.


Macros contained in Microsoft Office documents are the ones most
frequently exploited.


Windows Script Host (WSH) files (.js or .vbs files) carry a default file
association which causes them to be executed when a user double-clicks
them.


The solution would be to change the default action from “open” to “edit” to
avoid any accidents. This can be done using the Folder Options dialog
box.

Registration files


Files with the REG extension (registration files) hold information to be merged
into the system registry.


They carry a default verb of “open” with the caption “Merge”. If any
registration file is double clicked, it dumps its contents directly into the
system registry, without any confirmation.


The solution would be to change the default verb for REG files from “open” to
“edit”.

Scrap Objects


Scrap objects (SHS and SHB file extensions) are particularly risky. They can
hide executable code, which is often overlooked by anti-virus software.


Ensure that the anti-virus program includes both file types; usually one or the
other is omitted.


Another reason is that the SHS and SHB extensions are always hidden by
Explorer. So a virus writer could create a scrap object and add their own
extension, for example ‘Funny.jpg’, while its actual filename is
‘Funny.jpg.shs’.


The solution would be to delete the “NeverShowExt” registry value from both
keys, or to select the “Always show extension” option in the Folder Options
dialog box.
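
The three registry changes the slides recommend (the screensaver caption, the default verb for script and REG files, and the NeverShowExt value for scrap objects), as one added PowerShell example that is not part of the presentation. It resolves each ProgID from the extension key rather than hard-coding names, and writes to HKLM\Software\Classes (the machine-wide half of HKCR), so it must run from an elevated prompt; back the keys up with reg export first. The Resolve-ProgId helper name is mine.

```powershell
# Added example (not from the presentation): applies the hardening steps from
# the slides. Writes go to HKLM\Software\Classes; run elevated, after a backup.
$classes = 'HKLM:\Software\Classes'

function Resolve-ProgId {
    param([string]$Extension)
    # (Default) of the extension key names the ProgID whose shell key holds the verbs
    (Get-ItemProperty -Path "$classes\$Extension" -ErrorAction SilentlyContinue).'(default)'
}

# 1. Screensaver: make the 'open' verb's context-menu caption say what it really does
$scr = Resolve-ProgId '.scr'
if ($scr -and (Test-Path "$classes\$scr\shell\open")) {
    Set-ItemProperty -Path "$classes\$scr\shell\open" -Name '(default)' -Value 'Open and Test'
}

# 2. Script and registration files: make 'edit' the default verb, so a
#    double-click opens the file in an editor instead of running or merging it
foreach ($ext in '.js', '.vbs', '.reg') {
    $progId = Resolve-ProgId $ext
    if (-not $progId) { Write-Warning "$ext has no ProgID; skipping"; continue }
    $shell = "$classes\$progId\shell"
    if (Test-Path "$shell\edit") {
        # The shell key's (Default) value names the default verb
        Set-ItemProperty -Path $shell -Name '(default)' -Value 'edit'
    } else {
        Write-Warning "$progId has no 'edit' verb; default verb left unchanged"
    }
}

# 3. Scrap objects: stop Explorer hiding the .shs/.shb extension
foreach ($ext in '.shs', '.shb') {
    $progId = Resolve-ProgId $ext
    if (-not $progId) { continue }
    $key = "$classes\$progId"
    if (Get-ItemProperty -Path $key -Name 'NeverShowExt' -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $key -Name 'NeverShowExt'
    }
}
```

Explorer reads these keys when it builds its context menus, so a sign-out or Explorer restart may be needed before the new captions and defaults show.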

Conclusion


The first step in dealing with viruses is to understand them and to know where to
untangle them from your system once it has been compromised.


The more sophisticated the virus, the more aggressive it is towards anti-virus
software.

THANK YOU