
Beating a Virus, and the (Trojan) Horse It Rode In On.


Written By: John M. Herron
Illustrated (poorly) By: John M. Herron
Objectives:
• Virus history 101
• Virus tricks: How to defunct the defunct
• Virus examples, demo (yay!)
• How to detect an infection
• What do I do if I don’t want this virus?
• Quick (*QUICK*) overview on debugging viruses
In the beginning, man created the virus, and it was bad.
• The first computer virus
– Several stories
• Pakistani Brain Virus (1986): This is the first widely spread IBM-compatible virus. This is commonly mistaken for the first virus.
• Apple Virus 1 (1981): Boot sector infecting virus. Possibly created for pirated games.
• Animal (1975) (Univac): “Guess an animal” game. Copied to other users’ home directories when run.
Types of Malicious Code
• Virus
– MBR Infector
– Boot Sector Infector
– File Infector
– Memory Resident
– Polymorphic
– Multi-Partite
– Macro
• Trojan
– Key loggers
– Data Miner
– File Over-writer
– Companion
– ANSI Bomb
– Logic Bomb
• Worm
– These are beginning to merge with other techniques (virus, trojan, backdoor, etc).
• Spyware
– HTTP Redirector
– HTTP Hi-jacker
– Standard Exploit
Benefits of Computer Viruses:

(This page was intentionally left blank.)


Master Boot Record/Boot Sector Viruses
• Boot sector virus (Apple Viruses 1, 2, 3, “Elk Cloner”), Pakistani Brain (x86)
File Infectors
• Overwriting virus
• COM infector/EXE infector (prepend/append to target file)
• NewEXE/PE infector
Memory Resident Virus
• Intercepts interrupt calls by modifying the interrupt vector table: the int 13h vector is pointed at the virus routine, and the original int 13h handler address is saved and called once the virus is done.
Evolved to Stealth Viruses
• Stealth viruses monitor for AV-like activity and feed you false information: they display (freespace + virus_length) instead of the real free space, display (memfree + virus_length) instead of the real free memory, and show you the original MBR upon request rather than the infected MBR.
More tricks (Polymorphic viruses)
• Modify their code with unimportant commands/data upon each infection.
• Commonly uses NOP, MOV DX,DX, or any redundant assembly command (add ax,2, dec ax,2).
• Makes creating a virus signature much more difficult.
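An added example (not from the deck) of the signature problem just described, and of the usual defensive answer: normalise the instruction stream before hashing. It works on already-disassembled mnemonics, and the two constructed "generations" GEN1 and GEN2 are padded with different redundant instructions.

```python
import hashlib

# Instructions that change no program state on their own ("semantic NOPs").
JUNK = {"nop", "mov dx,dx", "mov ax,ax", "xchg ax,ax"}
# Adjacent instruction pairs that cancel each other out.
CANCEL = {("add ax,2", "sub ax,2"), ("inc ax", "dec ax"), ("push ax", "pop ax")}


def canon(ins: str) -> str:
    """Lower-case and collapse whitespace so 'MOV  DX,DX' == 'mov dx,dx'."""
    return " ".join(ins.lower().split())


def normalize(instrs):
    """Drop junk instructions and cancelling pairs, keeping the real work."""
    out = []
    for ins in map(canon, instrs):
        if ins in JUNK:
            continue
        if out and (out[-1], ins) in CANCEL:
            out.pop()          # the pair did nothing; discard both halves
            continue
        out.append(ins)
    return out


def raw_signature(instrs) -> str:
    """Hash of the listing as written: differs for every mutated copy."""
    return hashlib.sha256("\n".join(map(canon, instrs)).encode()).hexdigest()


def normalized_signature(instrs) -> str:
    """Hash after junk removal: stable across the mutations described above."""
    return hashlib.sha256("\n".join(normalize(instrs)).encode()).hexdigest()


# Constructed: two "generations" of the same print-string routine (DOS int 21h
# function 9), each padded with a different mix of redundant instructions.
GEN1 = ["mov dx,offset msg", "nop", "mov ah,9", "MOV DX,DX", "int 21h",
        "add ax,2", "sub ax,2", "ret"]
GEN2 = ["xchg ax,ax", "mov dx,offset msg", "mov ah,9", "inc ax", "dec ax",
        "int 21h", "nop", "nop", "ret"]

if __name__ == "__main__":
    print("raw signatures match:       ", raw_signature(GEN1) == raw_signature(GEN2))
    print("normalized signatures match:", normalized_signature(GEN1) == normalized_signature(GEN2))
```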
Trojan Horse
• A program disguised as something desirable, but with another program hidden inside of it.
• Trojan Horse (Unix): /bin/login
• Trojan Horse (DOS/Windows): WinXPfullCD_reallyworks!!.exe (17k)
ANSI Bomb
• Plain .txt file with ANSI codes
• Example: ←[“d”;”del *.*”p
• This led to macro viruses
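An added example (not part of the deck) of how to spot the trick above in a text file: an ANSI.SYS key-reassignment sequence has the form ESC [ key ; replacement p, where the slide's ← stands for the ESC byte. The sample file is constructed here and uses straight quotes, as a real file would.

```python
import re

# ANSI.SYS key reassignment: ESC [ <key> ; <replacement...> p
# Parameters are decimal key codes or double-quoted strings separated by ';'.
# A quoted string may itself contain 'p', so it is consumed as one unit.
KEY_REMAP = re.compile(rb'\x1b\[((?:"[^"\x1b]*"|[^"p\x1b])*)p')


def _valid_param(part: bytes) -> bool:
    part = part.strip()
    quoted = len(part) >= 2 and part.startswith(b'"') and part.endswith(b'"')
    return part.isdigit() or quoted


def _render(parts) -> str:
    """Render parameters as text; bare key codes are shown as <n>."""
    out = []
    for part in parts:
        part = part.strip()
        out.append('<%d>' % int(part) if part.isdigit()
                   else part[1:-1].decode('latin-1'))
    return ''.join(out)


def find_key_remaps(data: bytes):
    """Return (offset, key, replacement) for each key-redefinition sequence."""
    hits = []
    for m in KEY_REMAP.finditer(data):
        parts = m.group(1).split(b';')
        # A remap needs a key plus at least one replacement token, all
        # well-formed; ordinary colour/cursor sequences fail this test.
        if len(parts) < 2 or not all(_valid_param(p) for p in parts):
            continue
        hits.append((m.start(), _render(parts[:1]), _render(parts[1:])))
    return hits


# Constructed sample: a harmless-looking text file that remaps the 'd' key to
# type "del *.*" followed by Enter (code 13), next to a legitimate colour code.
SAMPLE = (b"Welcome to the BBS!\r\n"
          b'\x1b["d";"del *.*";13p'
          b"\x1b[1;31mSome purple text\x1b[0m\r\n")

if __name__ == "__main__":
    for off, key, repl in find_key_remaps(SAMPLE):
        print("offset %d: key %r now types %r" % (off, key, repl))
```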

DEMO
Macro Viruses
• Written in VBA, VBS, etc.
• Examples (Word, Excel, PowerPoint)
• Commonly uses “auto” macros in Microsoft Office products.
Worms
• Worms traditionally do not infect files.
• Morris Worm (1988, VAX), Melissa, Calib
• Some of the latest e-mail based worms have brought some of the fastest e-mail servers to their knees within hours of release.
• *Worms are beginning to be integrated with more viral features. Most of the latest also support software updates.
Graphical Virus Payload
Demo
Detecting an Infection
Signs to look for on an infected system:
– Decrease in system performance
– Unexpected increase in system activity
– Large amount of new files
– Unexplained decrease in free memory
– Unexplained decrease in free drive space*
Detecting an Infection
Virus “features” that tell you there is an infection:
• Displays a message
• Displays an animated visual effect
• Plays a tune*
• Adds text to infected files (name of virus or virus author’s alias).
How to throw this garbage away
• 1st: Boot from a KNOWN CLEAN source
• MBR virus (in DOS): “fdisk /mbr”
• File infector: Restore file from original source/Use trusted Anti-Virus program
• Worm: Remove suspect files (search for newly created files)
• Trojan: Restore modified files with original clean files.
Problems When Removing Malicious Code
• Automated backups can easily be infected with a virus. (This is a newly increased problem with Windows ME and XP’s automated backup ability.)
• Must boot from a clean device (how many removable disks did you use while you were infected?)
Problems When Removing Malicious Code
• Cannot find/distinguish infected files
• Did not get all infected files removed
Virus Testing/Debugging
• Use a “sandbox” environment (VirtualPC, VMWare, BOCHS, any environment emulator).
• Create footprint of “clean” system load.
– *nix (Tripwire, AIDE, etc)
– Windows (Tripwire, Winalysis, Regshot (for registry changes))
Virus Testing/Debugging
*Make sure the system cannot reach the live environment before tests
• Run suspect code.
• Re-run analysis utilities to note any changes made to the system.

If the virus is protected by a compression or encryption agent, LordPE is a good tool to pull a program from RAM back to a file on disk.
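An added example (not the deck's and not Tripwire or AIDE) of the footprint-and-diff step from the two slides above: hash every file under a root before the suspect code runs, hash again afterwards, and report what was added, removed or modified. The demo() run builds its own scratch directory with constructed files and simulates the changes.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> (size, sha256) for every regular file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(path), h.hexdigest())
    return snap


def compare(before, after):
    """Classify every path as added, removed or modified between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Constructed run: baseline a scratch tree, alter it, diff the snapshots."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for rel, body in (("bin/login", b"clean login"), ("readme.txt", b"hello")):
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(body)
        before = snapshot(root)            # the "clean system load" footprint
        # Simulated effects of running suspect code: one file replaced
        # (a trojaned login) and one new file dropped on disk.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"trojaned login")
        with open(os.path.join(root, "dropped.exe"), "wb") as f:
            f.write(b"new")
        return compare(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind + ":", ", ".join(paths) or "(none)"))
```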
Debugging Malicious Code
(Requires knowledge of programming/assembly language)
• OllyDbg is a free debugger for Windows to step through a desired program.
• gdb in Linux is a good, free debugger for watching each assembly command a program is running.
• IDA (from DataRescue) (not free) is a good disassembler if you want to reverse engineer a program to assembly.
• SoftICE (not free) is a good real-time debugging agent where you can stop system operation at will and begin debugging memory or running processes.
Debugging Malicious Code
• If studying a worm, set up a virtual (or separated) network.
• Sniff all traffic from the victim PC.
• If needed, redirect DNS queries to another fake computer (what does it send to that computer?)
• If IP, use a router to redirect traffic to the desired computer.
Got Questions?

Contact Information:
John M. Herron
John.herron@rrc.state.tx.us
