VIRUS HUNTING. Presented by Pradeepa Chandramohan. Summary: a developer's machine is more exposed to virus attacks than an average corporate user's, because developers connect to many different servers and remote machines, so anti-virus software alone is not enough protection.
VIRUS HUNTING Presented by Pradeepa Chandramohan
Introduction • A developer's machine is more exposed to virus attacks than an average corporate user's, because developers connect to many different servers and remote machines. • Anti-virus software alone is not enough protection. • Many viruses disable the anti-virus software as the first step of their activation. • Anti-virus software is good at keeping us safe from known threats; it is weak against new or modified ones. • To hunt viruses it is necessary to think like a virus writer: a basic understanding of how viruses work, and of the most common places through which they enter the system, is needed to deal with them.
Preparing to do battle • The author writes the executable code. • What is the author's intention? Reformat the hard drive? Delete JPG files? Mail copies of itself to you and your contacts? • The simplest delivery is direct: a user receives an e-mail attachment called "Fun.exe" or some equally appealing name, and the virus is released when the attachment is run. • Nowadays less obvious techniques are used; those are what the rest of this talk covers.
What constitutes executable code? • .exe, .cmd and .com are all examples of executable files. • Word processing documents can contain macros that perform customized tasks: UNSAFE! Macros can run arbitrary code. • In general, executable code falls into three categories: stand-alone programs, code contained in resources or libraries, and script or macro code executed by an interpreter of some kind. • A stand-alone program is any file that the operating system loads and runs directly. To see which file types Windows treats this way, examine the Windows registry. • Launch the Registry Editor, regedit.exe, and expand the HKEY_CLASSES_ROOT (HKCR) node, which is the operating system's repository for file associations and their commands. • Navigate down the tree until you locate the key named .exe. Select it: its default value is exefile. This is a pointer (a ProgID) to another key under HKCR, the exefile key.
What constitutes executable code? (Contd.) • The exefile key contains a shell subkey where the file type's available actions, called 'verbs', are defined. For example, for a Word document 'print' is a verb. • Expand the shell subkey of the exefile node to view the verbs available for EXE files. • The verb to look at is 'open'. Expand this node and select its command subkey. Each verb has its own subkey, and each of those has its own command subkey whose default value dictates exactly what happens when that verb is executed. • Double-clicking an icon executes the default verb's command ('open' for EXE files). • The 'open' verb's command has the value "%1" %*. The path and filename of the EXE file being activated are substituted for the %1 parameter, and any switches or command-line parameters that go along with it are passed through %*. • Other directly executable types such as .com, .pif, .bat and .cmd have the same "%1" %* form of open command. Script types such as .vbs also have an open verb, but their command launches an interpreter (the Windows Script Host) with "%1" as its argument, as covered later.
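The lookup the two slides above walk through in regedit can be scripted. The following PowerShell is an added example, not part of the original deck: it resolves extension, ProgID, default verb, caption and command in the order described, expands %1 and %* for a hypothetical file path, and reports whether the ProgID carries the NeverShowExt value that hides extensions. It is read-only, needs no elevation, and goes slightly beyond the slides by working for any extension; it ignores the per-user UserChoice overrides that later Windows versions keep under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.

```powershell
# Added example, not code from the deck. Read-only: resolves what Explorer runs
# when a file with a given extension is double-clicked.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Get-HkcrDefault {
    # (Default) value of an HKCR subkey, or $null if the key or the value is absent.
    # GetValue('') also expands REG_EXPAND_SZ entries such as %SystemRoot%.
    param([Parameter(Mandatory)][string]$SubKey)
    $key = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$SubKey" -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Resolve-ShellVerb {
    # Extension -> ProgID -> default verb -> caption and command, with %1/%* expanded
    # for a hypothetical file path (the default path is an assumption for illustration).
    param(
        [Parameter(Mandatory)][string]$Extension,        # e.g. '.scr'
        [string]$FilePath = 'C:\Temp\Funny.jpg.shs',     # hypothetical file
        [string[]]$Arguments = @()
    )

    $progId = Get-HkcrDefault $Extension
    $result = [ordered]@{
        Extension = $Extension; ProgId = $progId; Verb = $null
        Caption = $null; Command = $null; Expanded = $null; NeverShowExt = $false
    }
    if (-not $progId) { return [pscustomobject]$result }     # unregistered extension

    # The (Default) value of the shell key names the default verb; Explorer falls back to 'open'.
    $verb = Get-HkcrDefault "$progId\shell"
    if (-not $verb) { $verb = 'open' }

    $result.Verb    = $verb
    $result.Caption = Get-HkcrDefault "$progId\shell\$verb"           # context-menu text, e.g. '&Test'
    $result.Command = Get-HkcrDefault "$progId\shell\$verb\command"   # what actually runs

    if ($result.Command) {
        $expanded = $result.Command -replace '%[1Ll]', $FilePath
        $result.Expanded = $expanded -replace '%\*', ($Arguments -join ' ')
    }

    # NeverShowExt (a value on the ProgID key) hides the extension regardless of Folder Options.
    $progKey = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$progId" -ErrorAction SilentlyContinue
    if ($progKey -and ($progKey.GetValueNames() -contains 'NeverShowExt')) { $result.NeverShowExt = $true }

    return [pscustomobject]$result
}

# Usage: compare what the menu promises (Caption) with what runs (Command)
# for the file types the deck discusses.
'.exe', '.scr', '.com', '.pif', '.cmd', '.vbs', '.js', '.reg', '.shs', '.shb' |
    ForEach-Object { Resolve-ShellVerb -Extension $_ } |
    Format-Table Extension, ProgId, Verb, Caption, NeverShowExt, Command -AutoSize
```

On current Windows versions the Caption column is often an MUI reference of the form @shell32.dll,-NNNN rather than plain text, and the .shs/.shb rows come back empty because scrap objects are no longer registered; the .exe, .scr, .vbs and .reg rows show the "%1" %*, "%1" /S, WScript.exe and regedit.exe commands the slides describe.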
Screensavers: BEWARE! • The default 'open' command for an EXE file is "%1" %* and for an SCR (screensaver) file it is "%1" /S. • The only difference is the /S switch passed to SCR files. • The intended purpose of the screensaver 'open' verb is to let the user test a screensaver; a genuine screensaver interprets /S as "run now". • An SCR file is an ordinary Windows executable with a different extension. A virus writer simply gives the program a .SCR extension and ignores the /S switch when the user invokes it. • The screensaver 'open' verb is captioned 'Test' in the context menu, so the user thinks they are merely testing a screensaver while actually activating a virus. The caption is stored in the default value of the open key (under scrfile\shell\open). Changing it to something like 'Open and test' makes clear that selecting the menu item executes whatever code is inside the file, which may therefore be harmful.
Libraries can be dangerous • Executable code may be contained in resources or component libraries of many different kinds. • These file types include Dynamic Link Libraries (DLL), Control Panel applets (CPL), various type libraries (TLB, OLB, etc.) and ActiveX controls and COM components (OCX, VBX, etc.). • Consider the following example: rundll32.exe shell32.dll,OpenAs_RunDLL c:\winnt\win.ini • The OpenAs_RunDLL function exported from SHELL32.DLL takes a single command-line argument, a file name. • When invoked, it displays the Open With dialog box. When OK is clicked after selecting an application, the file name passed as the argument is opened in that application. • Two kinds of attack follow from this. One is to replace an existing DLL with a compromised version in which a particular function's behaviour has been modified.
Libraries can be dangerous (Contd.) • This way, whenever the system invokes that function, the virus is activated instead of the intended behaviour. • The other approach is to write a DLL from scratch and invoke its functions with RUNDLL32.EXE whenever needed. • This is less straightforward, but a DLL is more likely to be accepted by an unsuspecting user, and more likely to be overlooked by an anti-virus program, than an EXE.
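Because rundll32 will happily load any DLL it is pointed at, the useful check is where that DLL lives and whether it is signed. The following PowerShell is an added example, not code from the deck: it parses a rundll32 command line of the form shown on the previous slide, resolves a bare DLL name through the system directories, and flags invocations whose DLL is outside them or fails Authenticode validation. The three command lines it is run against are constructed for illustration (the first is the deck's own benign example, the other two are made-up paths of the kind a from-scratch DLL would use).

```powershell
# Added example, not code from the deck: inspect a rundll32 command line and report
# whether the DLL it loads comes from a Windows system directory and is validly signed.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the sample command lines are constructed.

function Test-Rundll32CommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    # rundll32 syntax: rundll32[.exe] <dll>,<entrypoint> [arguments]; the DLL path may be quoted.
    $pattern = '(?i)rundll32(?:\.exe)?"?\s+(?:"(?<qdll>[^"]+)"|(?<bdll>[^\s,]+)),(?<entry>\S+)\s*(?<args>.*)$'
    $m = [regex]::Match($CommandLine, $pattern)
    if (-not $m.Success) { return $null }                          # not a rundll32 invocation

    $dll   = if ($m.Groups['qdll'].Success) { $m.Groups['qdll'].Value } else { $m.Groups['bdll'].Value }
    $entry = $m.Groups['entry'].Value
    $systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

    # A bare name (no directory) is resolved through the DLL search order, so look for it
    # in the system directories; a full path is taken as given.
    if ($dll -notmatch '[\\/]') {
        $resolved = $systemDirs | ForEach-Object { Join-Path $_ $dll } |
            Where-Object { Test-Path $_ } | Select-Object -First 1
    } else {
        $resolved = $dll
    }

    $inSystemDir = $false
    if ($resolved) {
        $dir = Split-Path -Path $resolved -Parent
        $inSystemDir = @($systemDirs | Where-Object { $dir -like "$_*" }).Count -gt 0
    }

    $sigStatus = 'FileNotFound'
    if ($resolved -and (Test-Path $resolved)) {
        $sigStatus = (Get-AuthenticodeSignature -FilePath $resolved).Status.ToString()
    }

    [pscustomobject]@{
        CommandLine = $CommandLine
        Dll         = $dll
        EntryPoint  = $entry
        Resolved    = $resolved
        InSystemDir = $inSystemDir
        Signature   = $sigStatus
        Suspicious  = (-not $inSystemDir) -or ($sigStatus -ne 'Valid')
    }
}

# Constructed sample command lines: the deck's benign example plus two made-up ones
# of the kind a DLL written from scratch and invoked via rundll32 would produce.
$samples = @(
    'rundll32.exe shell32.dll,OpenAs_RunDLL c:\winnt\win.ini',
    'rundll32.exe C:\Users\Public\Funny.dll,Start',
    '"C:\Windows\System32\rundll32.exe" "C:\ProgramData\Funny Pictures\view.dll",Run /quiet'
)
$samples | ForEach-Object { Test-Rundll32CommandLine -CommandLine $_ } |
    Format-Table Dll, EntryPoint, InSystemDir, Signature, Suspicious -AutoSize
```

The first sample resolves to System32\shell32.dll and is not flagged; the other two are flagged on location alone, and on signature as well because the files do not exist. Many Windows system DLLs are catalog-signed rather than embedded-signed, and older PowerShell builds report those as NotSigned, so treat the location result as the primary signal and the signature as corroboration.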
Scripts & Macros • Script code requires a script engine to interpret and run it, but it is still executable code and can still be abused. • Macros contained in Microsoft Office documents are the most frequently exploited. • Windows Script Host (WSH) files, i.e. .js and .vbs files, carry a default file association that causes them to be executed when a user double-clicks them. • The fix is to change the default action from 'open' to 'edit', so that a double-click opens the script in an editor instead of running it. This can be done from the File Types tab of the Folder Options dialog box; the default verb is recorded as the default value of the file type's shell key in the registry.
Registration files • Files with the REG extension (registration files) hold information to be merged into the system registry. • They carry a default verb of 'open' with the caption 'Merge'. Double-clicking a registration file merges its contents straight into the registry, either with no confirmation at all (as the original slides state) or, on later Windows versions, with a single Yes/No prompt that users habitually click through. • The fix is to change the default verb for REG files from 'open' to 'edit'.
Scrap Objects • Scrap objects (SHS and SHB file extensions) are particularly risky: they can hide executable code and are often overlooked by anti-virus software. • Make sure the anti-virus program scans both extensions; usually one of them is omitted. • A second problem is that Explorer always hides the SHS and SHB extensions, even when 'Hide file extensions for known file types' is turned off, because their registry keys carry a NeverShowExt value. A virus writer can therefore create a scrap object and give it a misleading name: the user sees 'Funny.jpg' while the actual filename is 'Funny.jpg.shs'. • The fix is to delete the NeverShowExt value from both file types' keys under HKCR. Turning off 'Hide file extensions for known file types' in the Folder Options dialog box is worth doing as well, but on its own it does not override NeverShowExt.
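The remediations from the Screensavers, Scripts & Macros, Registration files and Scrap Objects slides are all edits to the same HKCR structure and can be applied together. The following PowerShell is an added example, not code from the deck: it switches the default verb of VBS, JS and REG files to 'edit' (only when an edit verb actually exists, so a double-click still does something), relabels the screensaver 'Test' caption, and removes NeverShowExt from the scrap-object ProgIDs. Writes to HKCR land in HKLM\Software\Classes, so it must run from an elevated prompt; every function supports -WhatIf for a dry run.

```powershell
# Added example, not code from the deck: apply the remediations the slides describe.
# Writes to HKCR land in HKLM\Software\Classes, so run from an elevated prompt;
# every function supports -WhatIf. Assumes Windows PowerShell 5.1 or PowerShell 7.

function Get-ProgId {
    # Extension -> ProgID via the (Default) value of HKCR\<ext>; $null if unregistered.
    param([Parameter(Mandatory)][string]$Extension)
    $key = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue
    if ($key) { return $key.GetValue('') }
}

function Set-DefaultVerbToEdit {
    # Scripts and REG files: make double-click open an editor instead of running or merging.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Extensions)
    foreach ($ext in $Extensions) {
        $progId = Get-ProgId $ext
        if (-not $progId) { Write-Warning "$ext is not registered; skipping"; continue }
        $shell = "Registry::HKEY_CLASSES_ROOT\$progId\shell"
        # Only switch when an edit verb really exists; otherwise double-click would do nothing.
        if (-not (Test-Path "$shell\edit\command")) { Write-Warning "$progId has no edit verb; skipping"; continue }
        if ($PSCmdlet.ShouldProcess("$progId\shell", "set default verb to 'edit'")) {
            Set-ItemProperty -Path $shell -Name '(default)' -Value 'edit'
        }
    }
}

function Rename-ScreensaverTestCaption {
    # Screensavers: relabel the 'open' verb so the context menu says the file will be executed.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Caption = 'Open and &test')   # '&' marks the keyboard accelerator
    $progId = Get-ProgId '.scr'
    if (-not $progId) { Write-Warning '.scr is not registered'; return }
    $open = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open"
    if ($PSCmdlet.ShouldProcess($open, "set caption to '$Caption'")) {
        Set-ItemProperty -Path $open -Name '(default)' -Value $Caption
    }
}

function Remove-NeverShowExt {
    # Scrap objects: stop Explorer hiding the extension so Funny.jpg.shs shows as such.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Extensions = @('.shs', '.shb'))
    foreach ($ext in $Extensions) {
        $progId = Get-ProgId $ext
        if (-not $progId) { Write-Warning "$ext is not registered (scrap objects are absent on newer Windows); skipping"; continue }
        $path = "Registry::HKEY_CLASSES_ROOT\$progId"
        if ($null -eq (Get-ItemProperty -Path $path -Name NeverShowExt -ErrorAction SilentlyContinue)) { continue }
        if ($PSCmdlet.ShouldProcess($path, 'remove NeverShowExt')) {
            Remove-ItemProperty -Path $path -Name NeverShowExt
        }
    }
}

# Usage: preview first, then run again without -WhatIf.
Set-DefaultVerbToEdit -Extensions '.vbs', '.js', '.reg' -WhatIf
Rename-ScreensaverTestCaption -WhatIf
Remove-NeverShowExt -WhatIf
```

Two caveats: on current Windows the 'Test' caption is stored as an MUI string reference, so replacing it with plain text works but drops localization; and the same edits can be made per user, without elevation, by writing the equivalent keys under HKCU\Software\Classes, which HKCR merges over the machine-wide values.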
Conclusion • The first step in dealing with viruses is to understand them and to know where they hook into the system, so that they can be untangled from it once it has been compromised. • The more sophisticated the virus, the more aggressively it attacks anti-virus software, so knowing and tightening your file associations matters as much as the anti-virus product itself.