Nimda is one of the more complex virus/worm constructs ever released. It infects files, spreads itself via e-mail, spreads via Web sites, and spreads via local area network exploits. It infects all versions of Windows from Windows 95 through Windows 2000, as well as Microsoft IIS (Internet Information Services).
A Vietnamese security firm, BKIS (maker of the BKAV antivirus software), announced that it had found clues that Conficker may have originated in China. Previously there had been rumors that it came from Russia or Europe.
The firm's conclusion is based on its analysis of the worm's code: it found that Conficker's code is closely related to that of the notorious Nimda, which wreaked havoc on the Net and on e-mail in 2001. At that time, BKIS had determined that Nimda was made in China, based on the firm's own data.
It’s important to note that the origin of Nimda was never verified. Though Nimda contained text indicating that it may have originated from China, that is in no way hard evidence.
Nimda is credited with several "firsts" in its infection techniques. It is the first beast to infect .EXE files by embedding the original program inside itself as a resource. It also infects Web pages so that unpatched browsers become infected simply by viewing the page. Finally, Nimda is the first worm to use any user's computer to scan a network for vulnerable machines behind a firewall to attack (in the past only infected servers did that).
Nimda uses several known weaknesses in Microsoft IIS servers. It would not have spread as far as it did had administrators applied the known patches. For reference, the patch for the directory traversal hole is at…
- Unicode exploit (Web Server Folder Traversal, MS00-078):
http://www.microsoft.com/technet/security/bulletin/ms00-078.mspx
Nimda uses these methods to spread:
- from client to client via E-mail and an infected .EXE file
- from client to client via open network shares
- from web server to client via browsing of compromised Web sites
- from client to Web server via active scanning for and exploitation of the “Microsoft IIS 4.0 / 5.0 directory traversal” vulnerability
- from client to Web server via scanning for the back doors left behind by the “Code Red II” and “sadmind/IIS” worms.
File Infection. In one mode, Nimda acts like any standard file infector, with a new twist. It searches for .EXE files and adds each one to itself as a resource, so the infected file is really the worm with the original program carried inside. When such a file is downloaded from a server and run, it spreads the beast; if the file is on a local computer, sharing that file can spread it as well.
When an infected file is run, the worm extracts the original program to a file and runs it. Nimda tries to delete the extracted copy when the program finishes, but cannot always do so; in that case it writes a WININIT.INI entry with commands to delete the file the next time Windows starts.
Nimda finds .EXE files to infect by searching the keys [SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths], [Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders], and all subkeys. Strangely, WINZIP32.EXE is not infected.
E-mail Worm. In another mode, Nimda acts like a mass-mailing worm. It searches your e-mail client address book(s) and the HTML files on your computer for e-mail addresses, then sends itself to those addresses as an attachment. The message is a "multipart/alternative" message with two parts. The first is declared as MIME type "text/html" but contains no text (so the message appears empty). The second is declared as MIME type "audio/x-wav" but actually carries a base64-encoded attachment named README.EXE, which is the worm program.
Many users can be tricked into opening such attachments, and any mail software running on Windows that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) to render HTML mail runs the attachment automatically because of the IE MIME-header handling flaw (Microsoft bulletin MS01-020), infecting the machine with no user action at all (both bad practices!).
Nimda uses its own SMTP server to send E-mail messages.
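An added example, not from the original page: a check for messages shaped like the Nimda carrier just described (an empty text/html part plus an "audio/x-wav" part that really holds a base64-encoded README.EXE). The check flags the mismatch between the declared MIME type and the actual content. The sample message is constructed for this example and is not a real Nimda capture; the extension and MIME-type lists are assumptions.

```python
"""Flag e-mail parts whose declared MIME type does not match what they carry,
the trick Nimda used (audio/x-wav part that is really README.EXE)."""
import base64
from email import policy
from email.parser import BytesParser
from pathlib import Path

# Extensions Windows will execute when "opened". Assumed list, not from the page.
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
# MIME types under which an executable may legitimately be declared (assumed).
EXEC_MIME_TYPES = {"application/octet-stream", "application/x-msdownload"}


def findings_for_message(raw: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = part.get_filename() or ""          # Content-Disposition filename or Content-Type name=
        ext = Path(fname).suffix.lower()
        payload = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        if ctype == "text/html" and not payload.strip():
            findings.append("empty text/html part (decoy body, message looks blank)")
        if ext in EXEC_EXTENSIONS and ctype not in EXEC_MIME_TYPES:
            findings.append(f"{fname}: executable extension declared as {ctype}")
        if payload.startswith(b"MZ") and ctype not in EXEC_MIME_TYPES:
            findings.append(f"{fname or ctype}: MZ (DOS/PE) header inside part declared as {ctype}")
    return findings


# Constructed stand-in for a Windows executable: the MZ signature plus padding.
FAKE_EXE = b"MZ" + b"\x00" * 62 + b"not a real program"

# Constructed message mirroring the structure the text describes.
SAMPLE_MESSAGE = (
    b"From: someone@example.invalid\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: hello\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="====_ABC1234567890DEF_===="\r\n'
    b"\r\n"
    b"--====_ABC1234567890DEF_====\r\n"
    b'Content-Type: text/html; charset="iso-8859-1"\r\n'
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"\r\n"
    b"--====_ABC1234567890DEF_====\r\n"
    b'Content-Type: audio/x-wav; name="README.EXE"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-ID: <EA4DMGBP9p>\r\n"
    b"\r\n"
    + base64.encodebytes(FAKE_EXE)
    + b"--====_ABC1234567890DEF_====--\r\n"
)

# Constructed ordinary message for comparison.
BENIGN_MESSAGE = (
    b"From: someone@example.invalid\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: lunch\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: text/plain; charset="us-ascii"\r\n'
    b"\r\n"
    b"See you at noon.\r\n"
)

if __name__ == "__main__":
    for finding in findings_for_message(SAMPLE_MESSAGE):
        print("SUSPICIOUS:", finding)
    print("benign message findings:", findings_for_message(BENIGN_MESSAGE))
```

The payload check (`MZ` header) is the one that survives renaming; the extension check alone would miss an attachment named README.WAV, and a check on Content-Type alone would miss everything, since the worm chose audio/x-wav precisely because IE trusted it.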
Web Worm. Using the IIS exploit listed above, Nimda scans the Internet for Microsoft IIS Web servers. When it finds one with an open security hole, Nimda enters and modifies random Web pages on the server (as well as .EXE files found there). The modifications let the worm spread to users who merely browse the infected site.
To do this, Nimda searches the server's drives for .HTML, .HTM, and .ASP files. When it finds one, it appends a small JavaScript snippet to the end of the file. That code opens a file named README.EML when the page is loaded in a Web browser. README.EML is another form of the worm (a MIME-encoded message) deposited in each directory where such files were found. Browsers not patched against the MIME-handling flaw described under E-mail Worm above execute this file automatically with no user input. Users will not see the worm running, because it runs in a minimized window.
File Share Propagation. Infected computers on a local network search for other computers with open file shares. When one is found, Nimda copies a hidden/system file (RICHED20.DLL) onto the other computer, into any directory where .DOC or .EML files are found. After that, if any of those files is opened in Word, WordPad, or Outlook, the application loads the planted RICHED20.DLL from the document's directory instead of the genuine system copy, and the worm code runs. This infects that computer.
Additionally, Nimda will try to replace the Windows RICHED20.DLL master file and will place .EML (and sometimes .NWS) files into folders it accesses.
Nimda On Your Computer
Nimda usually arrives as a README.EXE attachment to an e-mail, but can show up as any .EXE file with more than five characters in the root name. If run, it first copies itself to a temporary directory under a random name of the form MEP*.TMP (where * represents random characters). It then runs itself from that folder with the command-line option "-dontrunold".
The first thing the launcher does is check whether it has enough resources to run the main worm. If so, it extracts the worm from the infected .EXE file and executes it. Using the current time and some arithmetic, the worm decides whether it may delete files from the temporary folder. Once that is done, the worm builds its primary infection tool: a MIME-encoded, multipart message with a copy of itself attached. This message is given a random name and stored in a temporary directory. Now it is ready to get to work.
Nimda next looks for the process called "Explorer". In some cases it opens this process and injects itself as a remote thread under Explorer. If that fails, the worm uses Windows API calls to gather the information it needs about the local computer. Then it sleeps.
When it wakes up, Nimda checks which operating system it is running on. If NT-based, it compacts itself and copies itself out to LOAD.EXE in the Windows\System folder. SYSTEM.INI is then modified so the shell line still starts EXPLORER.EXE (as usual) but also "LOAD.EXE -dontrunold". This ensures the worm runs at each system start.
Finally, the worm copies itself to RICHED20.DLL, also in the System folder, and sets the file to hidden and system. When that is done, Nimda looks for shared network resources and starts to scan files on remote computers. Here it is looking for .DOC and .EML files; when it finds them, RICHED20.DLL is copied into their directory so it will be loaded when an OLE component is needed on the remote computer. This then starts the infection process on the remote computer.
While looking around the remote computer, Nimda also copies infected .EML and (sometimes) .NWS files with names similar to those of HTML files already found on that remote computer. These files can also infect the remote computer if opened.
Using the IP address of the infected computer as a starting point, the worm searches for IIS servers to infect through the known holes described above (a patch is available; see the notes at the start of this page). The idea is that if the current computer is not properly protected, other nearby computers may not be either, so approximately 50% of the probes use nearby IP addresses.
Some other things the worm does…
- It modifies the key [Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] so that hidden files are no longer seen. This hides the worm in Explorer.
- It adds the account "guest" to an infected system and gives it membership in the Administrators and Guests groups. Using this it shares the C:\ drive with full access privileges.
- It deletes subkeys under [SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security], which effectively disables share security.
This beast places itself in a number of different locations so it is easy to overlook one or more if you’re trying to disinfect manually. It’s best to use a tool to do any disinfection. Many Anti-Virus sites have free tools to help with this job. Use them.
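An added example, not from the original page, of what such a tool looks for on a file share or Web root: RICHED20.DLL planted beside .DOC/.EML documents, README.EML or README.NWS carriers, .EML/.NWS files named after existing HTML pages, and HTML/ASP pages ending in a script that opens readme.eml. The directory tree is constructed here for the demonstration; the exact form of the appended script is an assumption (the page only says it opens README.EML).

```python
"""Walk a directory tree and report the files Nimda leaves behind on shares
and Web roots, as described in the text above."""
import os
import re
import tempfile
from pathlib import Path

HTML_EXTS = {".htm", ".html", ".asp"}
DOC_EXTS = {".doc", ".eml"}          # bait types the DLL is planted next to
MAIL_EXTS = {".eml", ".nws"}         # carrier message files
# Assumed shape of the appended snippet: a window.open() pointing at readme.eml.
INJECTED_SCRIPT = re.compile(rb"window\.open\s*\(\s*[\"']readme\.eml[\"']", re.IGNORECASE)


def scan_tree(root) -> list:
    """Return (path, reason) pairs for every indicator found under `root`."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        html_stems = {Path(f).stem.lower() for f in files if Path(f).suffix.lower() in HTML_EXTS}
        for name in files:
            path = Path(dirpath) / name
            suffix = path.suffix.lower()
            stem = path.stem.lower()
            if name.lower() == "riched20.dll":
                # A RICHED20.DLL outside the System folder is loaded ahead of the real one
                # by Word/WordPad/Outlook opening a document from this directory.
                bait = sorted(f for f in files if Path(f).suffix.lower() in DOC_EXTS)
                findings.append((str(path), f"RICHED20.DLL planted beside {bait} (search-order hijack)"))
            elif suffix in MAIL_EXTS and (stem == "readme" or stem in html_stems):
                findings.append((str(path), "worm carrier message file"))
            elif suffix in HTML_EXTS and INJECTED_SCRIPT.search(path.read_bytes()[-1024:]):
                findings.append((str(path), "trailing script opens readme.eml"))
    return findings


def build_sample_tree(root) -> None:
    """Constructed sample: one planted DLL, one infected page, two carriers, two clean files."""
    root = Path(root)
    (root / "docs").mkdir(parents=True)
    (root / "www").mkdir(parents=True)
    (root / "docs" / "report.doc").write_bytes(b"\xd0\xcf\x11\xe0 fake document")
    (root / "docs" / "riched20.dll").write_bytes(b"MZ fake dll")
    (root / "docs" / "notes.txt").write_bytes(b"clean")
    (root / "www" / "index.html").write_bytes(
        b"<html><body>hello</body></html>\n"
        b'<html><script language="JavaScript">window.open("readme.eml", null, '
        b'"resizable=no,top=6000,left=6000")</script></html>\n'
    )
    (root / "www" / "index.eml").write_bytes(b"MIME-Version: 1.0\r\n")
    (root / "www" / "readme.eml").write_bytes(b"MIME-Version: 1.0\r\n")
    (root / "www" / "about.htm").write_bytes(b"<html><body>clean</body></html>\n")


def demo() -> list:
    """Build the constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

On a real host the same walk should also be pointed at the Windows\System folder, where the genuine RICHED20.DLL lives; there the indicator is not the file's presence but a changed hash, which is a job for file-integrity tooling rather than this name-based scan.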
The ILOVEYOU virus comes in an e-mail note with "I LOVE YOU" in the subject line and contains an attachment that, when opened, results in the message being re-sent to everyone in the recipient's Microsoft Outlook address book and, perhaps more seriously, the loss of every JPEG, MP3, and certain other files on the recipient's hard disk. Because Microsoft Outlook is widely installed as the e-mail handler in corporate networks, the ILOVEYOU virus can spread rapidly from user to user within a corporation. On May 4, 2000, the virus spread so quickly that e-mail had to be shut down in a number of major enterprises such as the Ford Motor Company. The virus reached an estimated 45 million users in a single day.
The attachment in the ILOVEYOU virus is a VBScript program that, when opened (for example, by double-clicking on it), finds the recipient's Outlook address book and re-sends the note to everyone in it. It then overwrites (and thus destroys) all files of the following types: JPEG, MP3, VBS, JS, JSE, CSS, WSH, SCT and HTA. Users who don't have a backup copy will have lost these files. (In March 1999, a virus named Melissa also replicated itself by using Outlook address books, but was less harmful in destroying user files.) The ILOVEYOU virus also resets the recipient's Internet Explorer start page in a way that may cause further trouble, resets certain Windows registry settings, and also acts to spread itself through Internet Relay Chat (IRC).
The alleged authors of the virus were reported to be Filipinos: siblings Irene and Onel de Guzman of Manila; Irene's boyfriend, Reomel Lamores, who was briefly held in May 2000 in connection with the virus outbreak; and Michael Buenafe, a fellow student of de Guzman at AMA Computer College. Onel finally came forward but denied writing the virus, although he said he may have inadvertently been responsible for its release. As there were no laws in the Philippines against virus-writing at the time, he was released, and in August the prosecutors dropped all charges against him. The original charges brought against him dealt with the illegal use of passwords for credit card and bank transactions.
The Melissa worm, also known as “Mailissa”, “Simpsons“, “Kwyjibo“, or “Kwejeebo”, is a mass-mailing macro virus. As it is not a standalone program, it is not in fact a worm.
First found on March 26, 1999, Melissa shut down Internet mail systems that got clogged with infected e-mails propagating from the virus. Melissa was not originally designed for harm, but it overflowed servers and caused unplanned problems.
Melissa was first distributed in the Usenet discussion group alt.sex. The virus was inside a file called "List.DOC", which contained passwords that allowed access to 80 pornographic websites. From there the original form of the virus spread via e-mail to many people.
Melissa was written by David L. Smith in Aberdeen Township, New Jersey, and named after a lap dancer he encountered in Florida. The creator of the virus called himself Kwyjibo, but was shown to be identical to the macro virus writers VicodinES and Alt-F11, who had several Word files with the same characteristic Globally Unique Identifier (GUID), a serial number that at the time was generated with the network card's MAC address as a component. Smith was sentenced to 20 months in a federal prison and fined $5,000. His arrest was the result of collaboration between the FBI, the New Jersey State Police and Monmouth Internet. Smith would later go on to help the FBI track down Jan de Wit, the Dutch creator of the Anna Kournikova virus.
The "Code Red" worm is self-replicating malicious code that exploits a known vulnerability in Microsoft IIS servers.
Attack Cycle
The “Code Red” worm attack proceeds as follows:
- The “Code Red” worm attempts to connect to TCP port 80 on a randomly chosen host assuming that a web server will be found. Upon a successful connection to port 80, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit a buffer overflow in the Indexing Service described in CERT advisory CA-2001-13.
- The same exploit (HTTP GET request) is sent to each of the randomly chosen hosts due to the self-propagating nature of the worm. However, depending on the configuration of the host which receives this request, there are varied consequences.
- IIS 4.0 and 5.0 servers with Indexing service installed will almost certainly be compromised by the “Code Red” worm.
- Unpatched Cisco 600-series DSL routers will process the HTTP request thereby triggering an unrelated vulnerability which causes the router to stop forwarding packets. [http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml]
- Systems not running IIS, but with an HTTP server listening on TCP port 80 will probably accept the HTTP request, return with an “HTTP 400 Bad Request” message, and potentially log this request in an access log.
- If the exploit is successful, the worm begins executing on the victim host. In the earlier variant of the worm, victim hosts with a default language of English experienced the following defacement on all pages requested from the server:
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
Servers configured with a language that is not English, and those infected with the later variant, will not experience any change in the served content. Other worm activity on a compromised machine is time sensitive; different activity occurs based on the date (day of the month) of the system clock.
- Day 1 – 19: The infected host will attempt to connect to TCP port 80 of randomly chosen IP addresses in order to further propagate the worm.
- Day 20 – 27: A packet-flooding denial of service attack will be launched against a particular fixed IP address
- Day 28 – end of the month: The worm “sleeps”; no active connections or denial of service
In addition to possible web site defacement, infected systems may experience performance degradation as a result of the scanning activity of this worm. This degradation can become quite severe since it is possible for a worm to infect a machine multiple times simultaneously.
Non-compromised systems and networks that are being scanned by other hosts infected by the “Code Red” worm may experience severe denial of service. In the earlier variant, this occurs because each instance of the “Code Red” worm uses the same random number generator seed to create the list of IP addresses it scans. Therefore, all hosts infected with the earlier variant scan the same IP addresses. This behavior is not found in the later variant, but the end result is the same due to the use of improved randomization techniques that facilitates more prolific scanning.
Furthermore, it is important to note that while the “Code Red” worm appears to merely deface web pages on affected systems and attack other systems, the IIS indexing vulnerability it exploits can be used to execute arbitrary code in the Local System security context. This level of privilege effectively gives an attacker complete control of the victim system.
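An added example, not from the original page, that serves both the Nimda spread list earlier (scanning for the IIS directory traversal and for the Code Red II backdoors) and the crafted GET request described in the attack cycle above: a scan of Common Log Format access logs for those probes. The request patterns (default.ida followed by a long run of N or X, root.exe under /scripts and /MSADC, the Unicode and double-decode ".." encodings) are the well-known probe strings from the public CERT advisories on these worms, not from this page; the log lines are constructed. A 2xx answer to a root.exe or cmd.exe probe is called out separately, because it means the server actually ran the command.

```python
"""Scan Common Log Format access logs for Code Red and Nimda HTTP probes."""
import re
from collections import Counter

# host ident user [time] "METHOD path PROTO" status ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Ordered: the first match wins. Patterns are the publicly documented probe strings.
SIGNATURES = [
    ("code-red-indexing-overflow", re.compile(r"/default\.ida\?[NX]{8,}", re.I)),
    ("code-red-ii-backdoor", re.compile(r"/(scripts|msadc)/root\.exe", re.I)),
    ("iis-unicode-traversal", re.compile(
        r"\.\.(?:%c0%af|%c1%1c|%c1%9c|%c0%9v|%c1%pc|%c0%qf|%255c|%%35c|%%35%63|%25%35%63)", re.I)),
    ("cmd-exe-via-traversal", re.compile(r"/winnt/system32/cmd\.exe\?", re.I)),
]


def classify_request(path: str):
    """Name the worm signature a request path matches, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None


def scan_log(log_text: str) -> list:
    """Return (source_ip, signature, status, succeeded) for every matching request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        sig = classify_request(path)
        if sig is None:
            continue
        # A 2xx reply to a backdoor or cmd.exe probe means the command ran; the
        # overflow request is different, a hijacked server may log nothing useful.
        succeeded = status.startswith("2") and sig != "code-red-indexing-overflow"
        hits.append((ip, sig, int(status), succeeded))
    return hits


def probes_per_source(hits) -> Counter:
    """Count probes per source address; worm-infected hosts send many in a burst."""
    return Counter(ip for ip, _sig, _status, _ok in hits)


# Constructed sample log: one Nimda-style burst, one Code Red request, one real hit, one benign request.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [18/Sep/2001:13:07:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.5 - - [18/Sep/2001:13:07:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.5 - - [18/Sep/2001:13:07:03 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.5 - - [18/Sep/2001:13:07:03 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.77 - - [19/Jul/2001:09:12:41 -0400] "GET /default.ida?' + "N" * 48 + '%u9090%u6858%ucbd3 HTTP/1.0" 400 -',
    '10.0.0.9 - - [18/Sep/2001:13:09:10 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 1041',
    '198.51.100.3 - - [18/Sep/2001:13:08:00 -0400] "GET /index.html HTTP/1.1" 200 1532',
])

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, sig, status, ok in hits:
        print(f"{ip:14} {sig:28} {status} {'COMPROMISED' if ok else ''}")
    print(probes_per_source(hits))
```

The per-source counter is the cheap triage step: a single traversal request may be a scanner, but a burst of a dozen different encodings from one address within a second or two is the worm's fixed probe list, and that address is itself infected and worth contacting.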

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. The worm uses a combination of advanced malware techniques which has made it difficult to counter, and has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer.
The origin of the name Conficker is thought to be a portmanteau of the English term “configure” and the German word Ficker, which means “fucker.” On the other hand, Microsoft analyst Joshua Phillips described the name as a rearrangement of portions of the domain name trafficconverter.biz, which was used by early versions of Conficker to download updates.
The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta. While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009. Although Microsoft released an emergency out-of-band patch on October 23, 2008 to close the vulnerability, a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009. A second variant of the worm, discovered in December 2008, added the ability to propagate over LANs through removable media and network shares. Researchers believe that these were decisive factors in allowing the worm to propagate quickly: by January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million. Antivirus software vendor Panda Security reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with Conficker.
Estimating the number of infected computers has since become more difficult because recent variants of the worm changed their propagation and update strategy.
Although almost all of the advanced malware techniques used by Conficker have seen past use or are well-known to researchers, the worm’s combined use of so many has made it unusually difficult to eradicate. The worm’s unknown authors are also believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the worm’s own vulnerabilities.
Five variants of the Conficker worm are known and have been dubbed Conficker A, B, C, D and E. They were discovered on 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively.
References: www.wikipedia.org, www.howstuffworks.com, www.colorado.edu, www.cnet.com, www.usatoday.com, www.cmu.edu, www.cert.org, www.wired.com