IT-Security 2
Chapter 2: Malware – Trojans, Viruses,
Worms, and Payloads
Prof. Dr.-Ing. Ulrike Meyer
Overview of the Malware Chapters
§ Chapter 2: Malware – Trojans, Viruses, Worms, and Payloads
§ Motivation of malware writers
§ Classical malware classification with respect to spreading
§ Virus, Trojan Horse, Worms
§ Malware classification by payload (malicious action)
§ Chapter 3: Malware – Botnets
§ Command-and-Control protocols
§ Underground Economy
§ Examples, including advanced persistent threats like the Stuxnet worm
§ Detection and take down
§ Chapter 4: Malware – Countermeasures
§ Chapter 5: Malware – Mobile Malware
§ The specifics of malware targeting (mainly) Android devices
IT-Security 2 -- Chapter 2 Malware 2
Malware = Malicious Software
§ According to NIST SP 800-83, 2013, malware is
“A program that is inserted into a system, usually covertly, with the intent
of compromising the confidentiality, integrity or availability of the
victim’s data, applications, or operating system or otherwise annoying or
disrupting the victim”
§ Note that
§ The definition excludes accidents, although their consequences may
be similar
§ The owner of the system and the victim do not have to coincide
Malware = Malicious Software
§ Malicious code often masquerades as good software
§ Some malicious programs need host programs
§ Trojan horses, logic bombs, viruses
§ Others can exist and propagate on their own
§ Worms
§ Many infection vectors and propagation methods
§ Modern malware often combines several types of malware
§ E.g. a malware may combine trojan, rootkit, and worm functionality
Motivation to Write Malware (1)
§ Experiment with how to write viruses
§ Test one's own programming talent
§ Get famous around the world
§ Get a buzz, acknowledged or otherwise,
from vandalism
§ Some consider that they are fighting
authority
Motivation to Write Malware (2)
§ Some like 'matching wits' with anti-virus vendors
§ Pentesting – hacking on behalf of the target
§ Goal: identify vulnerabilities and close them before
anyone can exploit them maliciously
§ Combating crime and terrorism
§ Very controversial use of ”malware”
§ E.g. use a trojan to spy on suspect’s online activities
§ Or use a ”cleaning worm” that disinfects machines
infected with a specific malware
Motivation to Write Malware (3)
§ Direct financial gain and organized crime
§ Botnets – e.g. spam distribution, DDoS attacks
§ Ransomware – encrypt the victim’s data, blackmail
§ Selling attack kits, payloads, exploits etc.
§ Stealing and selling information
§ E.g. access credentials for eBay or Facebook accounts,
credit card numbers,…
§ Corporate espionage
§ Stealing patented information, pricing strategies,
information on new models,…
§ Indirect financial gain
Simple Example for Malicious Code
§ Attacker writes a small shell script on a UNIX system:
cp /bin/sh /tmp/.xyz        # copy the shell to a hidden file in /tmp
chmod u+s,o+x /tmp/.xyz     # setuid to the caller, executable by everyone
rm ./ls                     # remove the fake ls so nothing suspicious remains
ls $*                       # run the real ls with the caller's arguments
§ Attacker saves this script in a file called “ls” and tricks a victim user into
executing it
§ To the victim user, the result will look as if the real ls command had
been executed
§ This leaves a copy of the shell in a hidden file that anyone can execute,
with the setuid bit set to the user ID of whoever executed the script
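The fake “ls” above works only if the victim's PATH searches the current directory before /bin, and it leaves a setuid shell behind in /tmp. The following Python script, an added example rather than code from the lecture, shows the two defender-side checks that follow from this: a PATH inspection that flags relative components and simulates the shell's lookup order, and a sweep for setuid files in a scratch directory. All file names and paths in `demo()` are constructed in a temporary directory.

```python
import os
import stat
import tempfile


def path_has_relative_entry(path_value):
    """True if any PATH component is relative: ".", "./x", an empty component
    (from "::" or a leading/trailing ":"), or a bare directory name.
    A relative component makes the shell search the *current* directory,
    which is what lets a fake "ls" be found before /bin/ls."""
    return any(not comp.startswith("/") for comp in path_value.split(":"))


def resolve_command(name, path_value, cwd):
    """Mimic the shell's PATH search: return the first matching executable
    file, resolving relative components against cwd; None if not found."""
    for comp in path_value.split(":"):
        directory = comp if comp else "."            # empty component means cwd
        if directory.startswith("/"):
            candidate = os.path.join(directory, name)
        else:
            candidate = os.path.join(cwd, directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return os.path.normpath(candidate)
    return None


def find_setuid_files(root):
    """List regular files below root with the setuid bit set. The Trojan
    script leaves exactly such a file (/tmp/.xyz) behind, so a periodic
    sweep of world-writable directories is a cheap detection."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)                  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def demo():
    """Constructed scenario: a harmless placeholder 'ls' in the working
    directory, a 'real' ls in a scratch bin directory, and a setuid file
    left behind in the scratch directory. Returns what the checks report."""
    with tempfile.TemporaryDirectory() as work, tempfile.TemporaryDirectory() as scratch:
        fake = os.path.join(work, "ls")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\n# constructed placeholder, does nothing\n")
        os.chmod(fake, 0o755)

        real_dir = os.path.join(scratch, "bin")
        os.mkdir(real_dir)
        real = os.path.join(real_dir, "ls")
        with open(real, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(real, 0o755)

        left_behind = os.path.join(scratch, ".xyz")   # constructed stand-in for /tmp/.xyz
        with open(left_behind, "wb") as f:
            f.write(b"")
        os.chmod(left_behind, 0o4755)                 # setuid + executable by all

        unsafe_path = ".:" + real_dir                 # current directory searched first
        safe_path = real_dir + ":/usr/bin"            # absolute components only
        return {
            "unsafe_path_flagged": path_has_relative_entry(unsafe_path),
            "safe_path_flagged": path_has_relative_entry(safe_path),
            "unsafe_resolves_to_fake": resolve_command("ls", unsafe_path, work) == fake,
            "safe_resolves_to_real": resolve_command("ls", safe_path, work) == real,
            "setuid_found": find_setuid_files(scratch) == [left_behind],
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
    if path_has_relative_entry(os.environ.get("PATH", "")):
        print("WARNING: your PATH searches a relative directory")
```

The PATH check is the actual fix for this Trojan class (no relative entries, ever), while the setuid sweep is the after-the-fact detection; on a real host one would run the sweep over every world-writable directory and compare against a known-good list of setuid binaries.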
Trojan Horse
§ Program with an
§ overt purpose (known to user) and a
§ covert purpose (unknown to user)
§ Often called a Trojan
§ Example script on previous slide is a Trojan horse
§ Overt purpose: list files in directory
§ Covert purpose: create setuid shell
§ In the classical sense, Trojans do not replicate themselves
§ Modern Trojans often come with worm-like functionality
Examples for Covert Purposes (not restricted to Trojans)
§ Back doors
§ Methods of bypassing normal authentication
§ Gain remote access to a computer
§ While attempting to remain undetected
§ Keystroke loggers – steal passwords
§ Web clickers – run up advertising costs
§ Proxies – allow others to use your machine to
launder connections
§ Spam engines
§ DDoS engines
§…
Spreading of Trojans
§ Many Trojans are inadvertently installed by the user, e.g.
§ Trojan horses in purported hacking tools and free AV tools, other types of
security software
§ Source repositories that plant a Trojan in popular packages
§ Third-party widgets that make sites “prettier” (e.g. calendars, visitor counters,
etc.)
§ Example: free widget for keeping visitor statistics operates fine from 2002 until
2006
§ In 2006, widget starts pushing exploits on all visitors of pages linked to the counter
§ Website with thumbnails of adult videos
§ Clicking on a thumbnail brings up a page that looks like Windows Media Player and a prompt:
§ “Windows Media Player cannot play video file. Click here to download missing Video ActiveX
object.”
§ The “codec” is actually a malware binary
End-User License Agreement Attacks
§ If you agree to a Trojan being installed does that make it legal?
§ Is it legal if the license agreement is deliberately confusing?
§ How carefully do you read license agreements, anyway?
How do we Avoid Installing Trojans
§ Seemingly obvious solution
§ Install only trusted operating systems, applications, and tools
§ But: how do we decide whether or not to trust an executable?
§ Often claimed safe approach
§ Use open source code
§ Compile source code yourself
§ But:
§ Do you really check the source code?
§ And what about the compiler?
Ken Thompson's C Compiler Hack 1984
§ Published in 1984: “On trusting trust”
§ Describes how to
§ Write a self-reproducing code fragment
§ In a first step, modify the compiler such that
§ when it compiles the login program, it inserts a back door
§ The login program with the back door accepts either the user's correct password or a
fixed master password (the same one for all users)
§ Now make the original login code open source such that anyone can check it
for backdoors
The Login Program
[Figure: top row, login source → correct compiler → login executable; the user password leads to “logged in”. Bottom row, login source → modified compiler → login executable; either the user password or the magic password leads to “logged in”.]
What About the Compiler Source?
§ Modify the compiler again such that
§ when it compiles a new version of the compiler, the extra code to do the first
step is automatically inserted
§ Recompile the compiler
§ Backdoor persists in the executable
§ Delete the source containing the modification and put the original
compiler source back in place
§ So, what we can now publish is
§ The original compiler source
§ The compiler executable that contains the modification
§ The original login source
The Compiler
[Figure: top row, compiler source → correct compiler → compiler executable, which turns the login source into a correct login executable. Bottom row, compiler source → modified compiler → compiler executable, which turns the same login source into a rigged login executable.]
The Point of Thompson’s Hack
§ Shown by Thompson’s hack:
§ Even if your system uses verifiable software on operating system, application
and tools level, your compiler may still contain a Trojan
§ Open source does not entirely solve the problem
§ Thompson in his speech when receiving the Turing award in 1983:
§ “The moral is obvious. You can't trust code that you did not totally create
yourself. (Especially code from companies that employ people like me.) No
amount of source-level verification or scrutiny will protect you from using
untrusted code.”
Example: Zlob Trojan
§ Also known as [Link], first detected in late 2005
§ Masquerades as a required video codec
§ Also distributed along with online games
§ But mostly over instant messaging
§ Once installed it displays popup ads
§ The ads inform users that their computer is infected with spyware and advertise a
fake anti-spyware program
§ Clicking on the popup triggers the download of the fake anti-spyware program, in which
another Trojan is hidden
§ This one causes random computer shutdowns or reboots
§ The payload of some versions also modified DNS settings
More Recent Example for a Trojan: CryptoLocker
§ Ransomware that occurred in 2013-2014
§ Trojan that targeted Windows machines
§ Propagated via infected email attachments containing a zip file with an executable disguised
as a PDF file
§ When run, encrypts certain types of files stored locally and on mounted network drives
§ Uses an RSA public key for encryption; the private key is stored on the control server for the
malware
§ Displays a message which offers to decrypt the data if a payment through either bitcoin
or a pre-paid cash voucher is made
§ The reported total amount of ransom gained by the attack varies
§ Reports range between 3 and 27 million $, partly due to variance in bitcoin value, partly due to
differences in the estimates for the unreported cases
§ Recovering encrypted data was impossible until the private-key database was
discovered
Computer Virus
A software fragment that attaches itself to some existing executable. A virus can
replicate itself and pass on malicious code to other non-malicious executables
by modifying them
§ Analogy to a biological virus
§ Infects healthy subjects by attaching itself to the program
§ Either destroys or coexists with the program after infection
§ A computer virus can be transient or resident
§ The life span of a transient virus depends on its host program
§ Virus runs as long as the program to which it is attached executes
§ Terminates when host program ends
§ Spreads while it is running
§ A resident virus locates itself in memory
§ Can remain active or be activated as a stand-alone program even after its host
program ends
§ Someone has to run the infected program to initially execute the virus
The Nature of Viruses
§ Pieces of software that
§ Can infect an executable file by modifying it
§ Virus thus embedded in the executable of a program or any other carrier of
executable content
§ Modification includes
§ Injecting a routine to make copies of the virus code
§ Whenever the infected executable comes into contact with an uninfected
piece of code a fresh copy of the virus is passed on
§ Whenever users exchange infected programs or files the virus spreads to
other machines
§ E.g. via disks, USB sticks, file sharing applications, email attachments, instant
messengers, social networks,…
Is a Virus a Trojan Horse or Not?
§ Some say Yes
§ Overt action = infected program’s actions
§ Covert action = virus’ actions (infect, execute)
§ Others say No
§ Overt purpose = virus’ actions (infect, execute)
§ Covert purpose = none
§ A semantic, philosophical difference
§ Defenses against Trojan horse also inhibit computer viruses
Viruses History (1)
§ Programmers for Apple II wrote some
§ Not called viruses; very experimental
§ E.g. Elk Cloner, written by Richard Skrenta in 1982
§ Resulted in first large scale computer virus outbreak
§ Boot sector virus that spread over infected floppy disks
§ Infected computers would display a short poem every 50th boot
§ When a computer was booted from an infected disk a copy of the virus
was placed in the computer’s memory
§ Any uninfected disk would then also be infected with the virus
Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes, it's Cloner!
It will stick to you like glue
It will modify RAM too
Send in the Cloner!
Viruses History (2)
§ Fred Cohen 1983
§ Graduate student who described a self-replicating computer program
§ His teacher (Adleman) named it “computer virus”
§ Tested the idea on UNIX systems and a UNIVAC 1108 system
Parts of a Virus
§ Infection mechanism (infection vector) – The means by which
a virus spreads or propagates, enabling it to replicate.
§ Trigger – The event or condition that determines when the
payload is activated or delivered.
§ Payload – What the virus does, besides spreading. The payload
may involve damage or may involve benign but noticeable
activity.
Typical Phases in the Lifetime of a Virus
§ Dormant phase – The virus is idle and waiting to be activated
§ Propagation phase – The virus places a copy of itself (or a
mutation of it) into other programs or into certain system
areas on a disk
§ Triggering (activating) phase – The virus is activated to perform
the functionality for which it was created. Can be triggered by,
e.g., the number of copies made of this copy, date and time,...
§ Execution phase – The malicious function (payload) is
performed (executed). E.g. message displayed on screen,
destruction of programs or data files
Computer Virus – Classification by Target
§ Boot sector infector
§ Infects a boot record and spreads when a system is booted from the disk
containing the virus
§ File infector / Executable infector
§ Infects files that the operating system or shell considers executable
§ Macro virus
§ Infects files with macro or scripting code that is interpreted by an application
§ Multipartite virus
§ Infects files in multiple ways. Typically, the multipartite virus is capable of
infecting multiple types of files, so that virus eradication must deal with all of
the possible sites of infection
Executable Infectors
[Figure: before infection, the header occupies offsets 0–100 and the executable code offsets 100–1000, with the first program instruction to be executed at offset 100. After infection, the header is followed by the virus code at 100–200 and the original executable code, shifted to 200–1100.]
§ A virus that infects executable programs
§ Part of an ordinary executable
§ E.g., adds itself to one end, saves the old code, inserts a branch to it
§ Easy to detect as length of the original executable increases
§ Consequence: more sophisticated viruses hide the increase, e.g. by
§ Overwriting (an unused) part of the original code
§ Compressing the original executable
Early Example for an Executable Infector
§ Jerusalem (Israeli) virus first spotted in 1987 in Jerusalem
§ DOS file virus that infects every executable except for [Link]
§ Checks if system infected
§ If not, set up to respond to requests to execute files
§ Checks date
§ If not 1987 or Friday 13th, infect all programs run
§ Otherwise, set destructive flag; will delete, not infect, files
§ Then: check all calls asking for files to be executed
§ Do nothing for [Link]
§ Otherwise, infect or delete
§ Programming error in the virus:
§ .EXE files are continuously re-infected and grow on each reinfection until they are
too large to load into memory
Macro Viruses
§ A macro…
§ is an executable program written in a scripting language embedded in a file
generated with an application
§ E.g. embedded in a word processing document or spreadsheet
§ A macro virus…
§ is composed of a sequence of instructions that are interpreted by an
application (e.g. Word, Excel) rather than executed directly
§ is platform independent
§ spreads easily as documents are exchanged more often than programs
§ When an infected document is opened, the virus copies itself into the
global macro file and makes itself auto-executing
§ Invoked whenever any document is opened or created
§ Decreased in popularity as detection and warning tools became directly embedded
in applications like Word, …
Computer Viruses – Classification by Concealment Strategy
§ Encrypted virus
§ Stealth virus – uses rootkit techniques
§ Polymorphic virus
§ Metamorphic virus
Encrypted Viruses
§ A virus that is enciphered except for a small decryption routine
§ Detecting the virus by signature is now much harder as most of the virus is encrypted
[Figure: the virus code, enciphered under a decryption key, becomes a decryption routine followed by the encrypted virus code.]
Polymorphic Viruses
§ A virus that changes its form each time it inserts itself into another
program
§ While functionality stays the same
§ Idea is to prevent signature detection by changing the “signature” or
instructions used for decryption routine
§ Simplest form: encrypt the same virus body with a different key on each
infection
§ More advanced
§ At instruction level: substitute instructions
§ At algorithm level: different algorithms to achieve the same purpose
§ Also possible for the decryption routine
§ Toolkits supporting virus writers
§ E.g. Mutation Engine MtE, Trident Polymorphic Engine
Anti-Virus Technologies
§ Simple anti-virus scanners
§ Look for signatures (fragments of known virus code)
§ Heuristics for recognizing code associated with viruses
§ Polymorphic viruses often use decryption loops
§ Integrity checking to find modified files
§ Record file sizes, checksums, MACs (keyed hashes of contents)
§ Generic decryption and emulation
§ Emulate CPU execution for a few hundred instructions, recognize known body
after virus decrypts
§ Does not work very well against mutating viruses and viruses not located near
beginning of infected executable
§ Virus decryptor can start with millions of NOPs
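Integrity checking is the simplest of the techniques listed above, and it is also the one that catches the appending executable infector from the earlier slide (the file grows). The Python script below is an added example, not code from the lecture, of such a checker: it records each file's size and a keyed hash (HMAC-SHA256), then on a later run reports files whose MAC no longer matches and says whether they grew, shrank or kept their size. The key, the directory and the three dummy "executables" in `demo()` are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile


def file_record(path, key):
    """Size plus HMAC-SHA256 of the file contents under the checker's key."""
    with open(path, "rb") as f:
        data = f.read()
    return {"size": len(data),
            "mac": hmac.new(key, data, hashlib.sha256).hexdigest()}


def build_baseline(paths, key):
    """Snapshot taken while the files are known to be clean."""
    return {p: file_record(p, key) for p in paths}


def check_integrity(baseline, key):
    """Re-hash every baselined file and describe each deviation."""
    findings = {}
    for path, rec in baseline.items():
        if not os.path.isfile(path):
            findings[path] = "missing"
            continue
        cur = file_record(path, key)
        if hmac.compare_digest(cur["mac"], rec["mac"]):
            continue                                    # unchanged
        delta = cur["size"] - rec["size"]
        if delta > 0:
            findings[path] = f"modified, grew by {delta} bytes"   # appending infector pattern
        elif delta == 0:
            findings[path] = "modified, size unchanged"           # overwriting infector pattern
        else:
            findings[path] = f"modified, shrank by {-delta} bytes"
    return findings


def demo():
    """Constructed scenario: three dummy binaries are baselined, then one is
    appended to, one is patched in place and one is deleted. Returns the
    findings keyed by file name."""
    key = b"constructed-demo-key"          # in practice: a secret kept off the monitored host
    with tempfile.TemporaryDirectory() as d:
        contents = {
            "clean.bin": b"\x7fELF" + bytes(96),
            "appended.bin": b"\x7fELF" + bytes(96),
            "patched.bin": b"\x7fELF" + bytes(96),
            "deleted.bin": b"\x7fELF" + bytes(96),
        }
        for name, data in contents.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        baseline = build_baseline([os.path.join(d, n) for n in contents], key)

        # Simulate an appending infector: 200 bytes added at the end.
        with open(os.path.join(d, "appended.bin"), "ab") as f:
            f.write(b"\x90" * 200)
        # Simulate an overwriting infector: 16 bytes replaced, length unchanged.
        patched = bytearray(contents["patched.bin"])
        patched[16:32] = b"\xcc" * 16
        with open(os.path.join(d, "patched.bin"), "wb") as f:
            f.write(patched)
        os.remove(os.path.join(d, "deleted.bin"))

        findings = check_integrity(baseline, key)
        return {os.path.basename(p): v for p, v in findings.items()}


if __name__ == "__main__":
    for name, finding in sorted(demo().items()):
        print(f"{name}: {finding}")
```

A keyed MAC rather than a plain checksum matters here: a virus that can rewrite executables can also recompute and store a plain checksum, but not a MAC whose key it does not have, and the baseline itself should live where the monitored host cannot write it.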
Detecting an Encrypted Virus by Emulation
[Figure: mutations A, B and C each randomly generate a new key and a corresponding decryptor, which decrypts and executes the same virus body.]
To detect an unknown mutation of a known virus, emulate CPU execution until the current sequence of
instruction opcodes matches the known sequence for the virus body
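The following Python script is an added example (not from the lecture) of the emulation idea above, reduced to a toy: a sample consists of a NOP sled, a three-byte decryptor stub and the enciphered body, where the stub states whether the body was transformed with XOR, ADD or SUB and with which one-byte key. `static_scan` looks for the known body in the bytes on disk and misses every mutation; `emulate_and_scan` "executes" the sled and the stub step by step, compares the decrypted buffer against the signature after each step, and gives up after a step budget, which is exactly the weakness the previous slide names (a decryptor preceded by millions of NOPs). The body, the stub format and `make_mutation` are constructed for the example and resemble no real malware.

```python
# Constructed "known virus body": the byte string a signature scanner looks for.
KNOWN_BODY = b"\x55\x8b\xec\x83\xec\x10DEMO-BODY-NOT-REAL\xc9\xc3"
NOP = 0x90
DECRYPTOR_MARK = b"\xde"   # constructed marker that starts the toy decryptor stub


def make_mutation(body, algo, key, nops):
    """Constructed sample generator for the scanner tests only: a NOP sled,
    a three-byte stub (marker, algorithm letter, key) and the enciphered
    body. The stub tells the emulator how to undo the transformation."""
    if algo == b"X":                          # stub XORs with the key
        enc = bytes(b ^ key for b in body)
    elif algo == b"A":                        # stub ADDs the key, so SUB here
        enc = bytes((b - key) & 0xFF for b in body)
    elif algo == b"S":                        # stub SUBs the key, so ADD here
        enc = bytes((b + key) & 0xFF for b in body)
    else:
        raise ValueError("unknown algorithm")
    return bytes([NOP]) * nops + DECRYPTOR_MARK + algo + bytes([key]) + enc


def static_scan(sample, signature=KNOWN_BODY):
    """Plain signature scan of the bytes as stored on disk."""
    return signature in sample


def emulate_and_scan(sample, signature=KNOWN_BODY, max_steps=10_000):
    """Emulation-based scan: step through the sample as a CPU would, let the
    stub decrypt the body into a scratch buffer and compare the buffer with
    the known signature after every step. Stops after max_steps so that a
    huge NOP sled cannot stall the scanner, which is also its blind spot."""
    pc, steps = 0, 0
    while pc < len(sample) and sample[pc] == NOP:     # run through the NOP sled
        pc += 1
        steps += 1
        if steps >= max_steps:
            return False                               # budget exhausted, undecided
    if sample[pc:pc + 1] != DECRYPTOR_MARK or pc + 3 > len(sample):
        return False                                   # no stub we can emulate
    algo, key, enc = sample[pc + 1:pc + 2], sample[pc + 2], sample[pc + 3:]
    undo = {
        b"X": lambda b: b ^ key,
        b"A": lambda b: (b + key) & 0xFF,
        b"S": lambda b: (b - key) & 0xFF,
    }.get(algo)
    if undo is None:
        return False
    decrypted = bytearray()
    for b in enc:                                      # one emulated step per byte
        steps += 1
        if steps >= max_steps:
            return False
        decrypted.append(undo(b))
        if signature in decrypted:                     # body recognizable: match
            return True
    return False


if __name__ == "__main__":
    # Three mutations of the same body with different keys, algorithms and sleds.
    mutations = [make_mutation(KNOWN_BODY, b"X", 0x5A, 16),
                 make_mutation(KNOWN_BODY, b"A", 0x11, 3),
                 make_mutation(KNOWN_BODY, b"S", 0xC3, 0)]
    for i, m in enumerate(mutations):
        print(f"mutation {i}: static={static_scan(m)} emulated={emulate_and_scan(m)}")
    sled = make_mutation(KNOWN_BODY, b"X", 0x5A, 20_000)
    print(f"long NOP sled: emulated with small budget={emulate_and_scan(sled)}")
```

A real emulator interprets actual machine code and has to decide heuristically when to stop, but the trade-off is the same as in this toy: the step budget bounds the scan time and simultaneously defines which decryptor loops escape detection.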
Metamorphic Viruses
§ Obvious next step: mutate the virus body, too!
§ Virus can carry its source code (which deliberately contains some useless
junk) and recompile itself
§ Apparition virus (Win32)
§ Virus first looks for an installed compiler
§ Virus changes junk in its source and recompiles itself
§ New binary mutation looks completely different!
§ Mutation is common in macro and script viruses
§ Macros/scripts are usually interpreted, not compiled
Obfuscation and Anti-Debugging
§ Common in worms, viruses, bots
§ Goal: prevent analysis of code and signature-based detection, foil reverse
engineering
§ Insert garbage opcodes and change control structure
§ Different code in each instance
§ Effect of code execution is the same, but difficult to detect by passive analysis
§ Packed binaries
§ Detect debuggers and virtual machines, terminate execution
Examples for Mutation / Obfuscation Techniques
§ Same code, different register names
§ Regswap (Win32)
§ Same code, different subroutine order
§ BadBoy (DOS), Ghost (Win32)
§ If n subroutines, then n! possible mutations
§ Decrypt virus body instruction by instruction, push instructions on stack,
insert and remove jumps, rebuild body on stack
§ Zmorph (Win95)
§ Can be detected by emulation because the rebuilt body has a constant
instruction sequence
§…
Mutation Engines
§ Real Permutating Engine (RPME), ADMutate, etc.
§ Large set of obfuscating techniques
§ Instructions are reordered, branch conditions reversed
§ Jumps and NOPs inserted in random places
§ Garbage opcodes inserted in unreachable code areas
§ Instruction sequences replaced with other instructions that have the same
effect, but different opcodes
§ Mutate SUB EAX, EAX into XOR EAX, EAX, or
PUSH EBP; MOV EBP, ESP into PUSH EBP; PUSH ESP; POP EBP
§ There is no constant, recognizable virus body!
Example of Zperm Mutation
§ From Szor and Ferrie, “Hunting for Metamorphic”, Symantec White Paper,
2001
Putting It All Together: Zmist
§ Zmist was designed in 2001 by Russian virus writer Z0mbie
§ Technique: code integration
§ Virus merges itself into the instruction flow of its host
§ “Islands” of code are integrated into random locations in the host
program and linked by jumps
§ When/if the virus code is run, it infects every available portable executable
§ The randomly inserted virus entry point may not be reached in a particular execution
MISTFALL Disassembly Engine
§ To integrate itself into host’s instruction flow, virus must disassemble and
rebuild host binary
§ This is very tricky
§ Addresses are based on offsets, which must be recomputed when new
instructions are inserted
§ Iterative process: rebuild with new addresses, see if branch destinations
changed, then rebuild again
§ Requires 32 MB of RAM and explicit section names (DATA, CODE, etc.) in the host
binary – doesn’t work with every file
Simplified Zmist Infection Process
§ Pick a Portable Executable binary < 448 KB in size
§ Disassemble, insert space for new code blocks, generate new binary
§ Insert mutated virus body
§ Split into jump-linked “islands”
§ Mutate opcodes (XOR ↔ SUB, OR ↔ TEST)
§ Swap register moves and PUSH/POP, etc.
§ Encrypt virus body by XOR (ADD, SUB) with a randomly generated key, insert mutated decryptor
§ Decryptor must restore host’s registers to preserve host’s functionality
§ Insert random garbage instructions using Executable Trash Generator
§ Randomly insert indirect call or jump to decryptor’s entry point, or rely on instruction flow to reach it