
Sunday, January 6, 2008

How Viruses Infect (2)

Multipartite Virus

Some viruses can be all things to all machines. Depending on what needs to be infected, they can infect system sectors or they can infect files. These rather universal viruses are termed multipartite (multi-part).
Sometimes the multipartite virus drops a system sector infector; other times a system sector infector might also infect files.
Multipartite viruses are particularly nasty because of the number of ways they can spread. Fortunately, a good one is hard to write.

Summary

* Multipartite viruses have dual capabilities and typically infect both system sectors and files.

Spacefiller (Cavity) Virus

Most viruses take the easy way out when infecting files; they simply attach themselves to the end of the file and then change the start of the program so that it first points to the virus and then to the actual program code. Many viruses that do this also implement some stealth techniques so you don't see the increase in file length when the virus is active in memory.
A spacefiller (cavity) virus, on the other hand, attempts to be clever. Some program files, for a variety of reasons, have empty space inside of them. This empty space can be used to house virus code. A spacefiller virus attempts to install itself in this empty space while not damaging the actual program itself. An advantage of this is that the virus then does not increase the length of the program and can avoid the need for some stealth techniques. The Lehigh virus was an early example of a spacefiller virus.
Because of the difficulty of writing this type of virus and the limited number of possible hosts, cavity viruses are rare. However, a new Windows file format known as Portable Executable (PE) is designed to make loading and running programs faster. While a great goal, the implementation has the effect of leaving potentially large gaps in the program file. A cavity (spacefiller) virus can find these gaps and insert itself into them. The CIH virus family takes advantage of this new file format. There will likely be more.
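The "gaps" referred to above are visible in the PE section table: each section records how many bytes it actually uses (VirtualSize) and how many are stored on disk (SizeOfRawData, rounded up to the file alignment), and the difference is padding that a cavity infector can write into. The following PowerShell function is an added example, not code from the original post, that reports that padding per section and checks whether any of it is non-zero; linkers normally zero-fill it, so non-zero slack is a heuristic worth a second look rather than proof of infection. The function name is this example's own; the header offsets are the documented PE/COFF layout.

```powershell
# Added example, not code from the original post.  Reports per-section "slack"
# in a PE file: the padding between the bytes a section actually uses
# (VirtualSize) and the bytes stored on disk (SizeOfRawData).  Linkers normally
# zero-fill that padding, so non-zero slack is a heuristic sign that something
# has been written into the cavity.  The function name is this example's own.
function Get-PeSectionSlack {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)

    # DOS header: 'MZ' at offset 0, e_lfanew (offset of the PE signature) at 0x3C.
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) {
        throw "$Path is not an MZ executable"
    }
    $pe = [long][BitConverter]::ToUInt32($b, 0x3C)
    # 'PE\0\0' read as a little-endian UInt32 is 0x00004550.
    if ($pe + 24 -gt $b.Length -or [BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) {
        throw "$Path has no PE signature"
    }

    # COFF file header follows the signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table starts after the optional header.
    $nSections = [BitConverter]::ToUInt16($b, $pe + 6)
    $optSize   = [BitConverter]::ToUInt16($b, $pe + 20)
    $secTable  = $pe + 24 + $optSize

    for ($i = 0; $i -lt $nSections; $i++) {
        $s = $secTable + 40 * $i      # each IMAGE_SECTION_HEADER is 40 bytes
        $name    = [System.Text.Encoding]::ASCII.GetString($b, $s, 8).TrimEnd([char]0)
        $vsize   = [long][BitConverter]::ToUInt32($b, $s + 8)    # Misc.VirtualSize
        $rawSize = [long][BitConverter]::ToUInt32($b, $s + 16)   # SizeOfRawData
        $rawPtr  = [long][BitConverter]::ToUInt32($b, $s + 20)   # PointerToRawData

        # Slack exists only when more bytes are stored than the loader treats as
        # used (the reverse, VirtualSize > SizeOfRawData, is normal for .data/.bss).
        $slack   = if ($rawSize -gt $vsize) { $rawSize - $vsize } else { 0 }
        $nonZero = 0
        if ($slack -gt 0) {
            $start = $rawPtr + $vsize
            $end   = [Math]::Min($rawPtr + $rawSize, [long]$b.Length)
            for ($j = $start; $j -lt $end; $j++) {
                if ($b[$j] -ne 0) { $nonZero++ }
            }
        }
        [pscustomobject]@{
            Section       = $name
            VirtualSize   = $vsize
            SizeOfRawData = $rawSize
            SlackBytes    = $slack
            NonZeroSlack  = $nonZero
            Suspicious    = ($nonZero -gt 0)
        }
    }
}

# Usage: run it against any PE on the system, e.g. a stock Windows binary.
Get-PeSectionSlack -Path "$env:SystemRoot\System32\notepad.exe" | Format-Table -AutoSize
```

Run it over a known-good copy of a program first to learn what its sections normally look like; a section whose slack suddenly contains non-zero bytes while the file length has not changed is exactly the symptom the text describes for a cavity infector.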

Summary

* A spacefiller (cavity) virus attempts to install itself inside of the file it is infecting.
* In the past this was difficult to do properly, but new file formats make it easier.

Tunneling Virus

One method of virus detection is an interception program which sits in the background looking for specific actions that might signify the presence of a virus. To do this it must intercept interrupts and monitor what's going on. A tunneling virus attempts to backtrack down the interrupt chain in order to get directly to the DOS and BIOS interrupt handlers. The virus then installs itself underneath everything, including the interception program. Some anti-virus programs will attempt to detect this and then reinstall themselves under the virus. This might cause an interrupt war between the anti-virus program and the virus and result in problems on your system.

Some anti-virus programs also use tunneling techniques to bypass any viruses that might be active in memory when they load.

Summary

* A tunneling virus attempts to bypass activity monitor anti-virus programs by following the interrupt chain back down to the basic DOS or BIOS interrupt handlers and then installing itself.

Camouflage Virus

You don't hear much about this type of virus. Fortunately it is rare and, because of the way anti-virus programs have evolved, is unlikely to occur in the future.

When anti-virus scanners were based completely on signatures there was always the possibility of a false alarm when the signature was found in some uninfected file (a statistical possibility). Further, with several scanners circulating, each had its own signature database, and that database, when scanned by another product, might be reported as infected where there was no infection simply because it included the virus identification strings. If this happened often, the public would get understandably annoyed (and frightened). In response, a scanner might therefore implement logic that, under the right circumstances, would ignore a virus signature and not issue an alarm.

While this "skip it" logic would stop the false alarms, it opened a door for virus writers to attempt to camouflage their viruses so that they included the specific characteristics the anti-virus programs were checking for and thus have the anti-virus program ignore that particular virus. Fortunately, this never became a serious threat; but the possibility existed.

Today's scanners do much more than simply look for a virus signature string. In order to identify the specific virus variant they also check the virus code and even checksum the virus code to identify it. With these cross-checks it would be extremely difficult for a virus to camouflage itself and spoof a scanner.

However, it should be understood that even with these precautions, false alarms still occur now and again. The anti-virus fixes when this happens, however, are such that a virus should not be able to piggyback onto the false alarm fix.

Summary

* In the past it was possible for a virus to spoof a scanner by camouflaging itself to look like something the scanner was programmed to ignore.
* Because of scanner technology evolution this type of virus would be very difficult to write today.

NTFS ADS Viruses

The NT File System (NTFS) contains within it a system called Alternate Data Streams (ADS). This subsystem allows additional data to be linked to a file. The additional data, however, is not always apparent to the user. Windows Explorer and the DIRectory command do not show you the ADS; other file tools (e.g., COPY and MOVE) will recognize and process the attached ADS file.

The basic notation of an ADS file is filename:streamname. A simple example that creates an ADS file is probably the best way to illustrate this. At the system prompt use the ECHO command to create a file and then you can also use ECHO to create an ADS attachment to that file (if doing this, create a directory/folder specifically for the test).

ECHO "This is the test file" > testfile.txt

You should now have a file called TESTFILE.TXT in your test directory. The TYPE, EDIT, and NOTEPAD commands should be able to access this file and show you its contents and a directory command will show it to be about 23 bytes long. The TESTFILE.TXT file was created in what's called the "named stream" portion of the file system. Now create an alternate data stream file:

ECHO "This is text in the ADS file" > testfile.txt:teststream1.txt

Note that this new file is in the format described above: filename:streamname.

But now try to find this new file. A directory command does not show it; the TYPE and EDIT commands won't find it. The command...

NOTEPAD testfile.txt:teststream1.txt

...will bring it into the editing area; but even NOTEPAD will only read the file; you can't do a File|SaveAs and try to create an ADS file with NOTEPAD. Most other programs will not see the ADS file at all. You should also note that you've added about 30 bytes to the original file but a directory command on testfile.txt only shows the original size. The ADS file is effectively hidden from view.

Further, an alternate stream file can be created that has no normal stream file association. Here is why it's suggested you try these experiments in a test directory. Try:

ECHO "This is a really invisible stream file." > :invisible.txt

This file will be created but will be completely invisible to any directory commands or Windows Explorer.

Finally, you may have some trouble trying to delete the stream files you just created. The DEL command does not work with ADS files so DEL :invisible.txt, for example, does not work. The main way to delete alternate stream files associated with a normal stream file is to delete the normal stream file. All ADS files associated with that file will also be deleted. So DEL testfile.txt would have to be used for the first test file created. The :invisible.txt file will be deleted when the directory the file is in is removed (now you see why CKnow said to use a new directory for your testing).

If you need to keep the main file but delete the stream(s) attached to it there are two ways to proceed:

* Copy the file to a FAT or FAT32 partition and then back again to the NTFS partition. This effectively strips the ADS files off of the primary file.
* Use the NT Resource Kit CAT utility. You'll have to rename the file, use CAT on it, and then delete the temporary file you created. The syntax would be:

REN needtokeep.exe temp.exe
CAT temp.exe > needtokeep.exe
DEL temp.exe

Note: Alternate Data Streams can attach to a directory as well as a file. Some rootkits (e.g., Mailbot) establish themselves in this way.

Virus Use

An alternate stream file can be an executable and executed in a variety of ways. For our purposes here the files can be exploited by viruses that make their way into files saved as part of the normal stream. In one such exploit the virus (Streams) creates a copy of itself as a temporary EXE file and then copies the original EXE file as an ADS file attached to the temporary EXE file. The temporary EXE file is then renamed to the original EXE name. Now, when the user tries to run the original file they actually run the virus which does its thing and then sends the original program file to the operating system which then runs the program. The only thing you might see is a slight delay in program start.

For a virus like Streams you should not just delete an infected file. If you do the original file will also be lost as it's attached. If your anti-virus software does not provide a recovery utility you will have to use the CAT utility in a manner similar to that described above:

CAT filename.exe:STR > newname.exe (this copies the original file, stored in the STR stream, to "newname.exe")

COPY /B newname.exe filename.exe (this copies "newname.exe" back to its original name and overwrites the virus)
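The experiments above (the hidden testfile.txt:teststream1.txt, the :invisible.txt stream that attaches to the directory itself, the copy-to-FAT or REN/CAT/DEL clean-up, and the CAT recovery of a Streams-infected program) can all be done today with the FileSystem provider's -Stream parameter. The script below is an added example and not code from the original post or from CKnow: it audits a directory tree for named streams on both files and directories, exports a stream to a normal file (the CAT recovery step), and removes a stream without touching the host file. It assumes Windows PowerShell 3.0 or later (or PowerShell 7) on an NTFS volume; the function names and the throw-away directory under $env:TEMP are this example's own.

```powershell
# Added example, not code from the original post.  Audits, recovers and removes
# NTFS alternate data streams with the built-in FileSystem provider parameters
# (Windows PowerShell 3.0+ / PowerShell 7).  Function names and the paths under
# $TestRoot are this example's own.

function Find-AlternateStreams {
    # Lists every named stream on the directory $Path, its subdirectories and its
    # files.  Directories are included because a stream created with no file name
    # (the ":invisible.txt" case) attaches to the directory itself.
    param([Parameter(Mandatory)][string]$Path)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        # -Stream * also returns a file's default ':$DATA' stream; that one is the
        # ordinary file content, so skip it.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Host        = $item.FullName
                    IsDirectory = $item.PSIsContainer
                    Stream      = $_.Stream
                    Bytes       = $_.Length
                }
            }
    }
}

function Export-AlternateStream {
    # Writes the bytes of stream $Stream on $Path into a separate file, which is
    # what the resource-kit step 'CAT filename.exe:STR > newname.exe' did: the
    # hidden original is saved before the infected host is dealt with.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Stream,
        [Parameter(Mandatory)][string]$Destination
    )
    # Byte I/O is spelled differently on Windows PowerShell 5.1 and PowerShell 7.
    $byteArg = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } } else { @{ Encoding = 'Byte' } }
    $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Raw @byteArg
    Set-Content -LiteralPath $Destination -Value $bytes @byteArg
    Get-Item -LiteralPath $Destination
}

function Remove-AlternateStream {
    # Deletes one named stream and leaves the host file's own content untouched,
    # replacing the 'copy to FAT and back' and REN/CAT/DEL workarounds.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Stream)
    Remove-Item -LiteralPath $Path -Stream $Stream
}

# --- Demonstration in a throw-away directory (constructed data) ----------------
$TestRoot = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $TestRoot | Out-Null
$TestFile = Join-Path $TestRoot 'testfile.txt'

Set-Content -LiteralPath $TestFile -Value 'This is the test file'
Set-Content -LiteralPath $TestFile -Stream 'teststream1.txt' -Value 'This is text in the ADS file'
# Same command the text uses, run inside the test directory: this stream has no
# file of its own and is attached to the directory.
Push-Location $TestRoot
cmd /c 'echo This is a really invisible stream file. > :invisible.txt'
Pop-Location

"Streams before clean-up:"
Find-AlternateStreams -Path $TestRoot | Format-Table -AutoSize

# Recover the hidden stream to a normal file, then strip it from the host.
Export-AlternateStream -Path $TestFile -Stream 'teststream1.txt' -Destination (Join-Path $TestRoot 'recovered.txt') | Out-Null
Get-Content -LiteralPath (Join-Path $TestRoot 'recovered.txt')
Remove-AlternateStream -Path $TestFile -Stream 'teststream1.txt'
Remove-AlternateStream -Path $TestRoot -Stream 'invisible.txt'

"Streams after clean-up (expect none):"
Find-AlternateStreams -Path $TestRoot | Format-Table -AutoSize

Remove-Item -LiteralPath $TestRoot -Recurse -Force
```

The first audit lists testfile.txt with teststream1.txt and the directory with invisible.txt; the second lists nothing. Pointing Find-AlternateStreams at a user profile or a program directory is a cheap periodic check for the hiding technique described in this section, and Export-AlternateStream is the step to run before deleting a host file so that, as the text warns for Streams, the attached original is not lost with it.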

The virus can be operating system specific. Streams, for example, checks for Windows 2000 and only runs if it's found.

There are other ways a virus might use an alternate data stream. It could, for example, hide most of its code attached to files not normally scanned by virus scanners (e.g., INI or other text files). Only a small executable that extracts the virus would have to be visible and might be easier to hide. There are more malicious things a virus could do as well (please don't ask).

Summary

* The NT File System allows alternate data streams to exist attached to files but invisible to some normal file-handling utilities.
* Viruses can exploit the NTFS ADS system in a variety of ways.
