Transmission and camouflage techniques
How they spread. Where they hide.
Transmission
Camouflage
Vulnerabilities
New Tactics
Viruses and other threats are constantly evolving new disguises and ways to penetrate network security. As IT companies produce new applications, viruses and other threats seek out weaknesses and new entry points into systems and networks.
Transmission
Some of the more common ways for viruses and other threats to spread include:
Attaching HTML code in the AutoSignature of e-mail messages.
Installing and activating the virus when messages are viewed in the Preview Pane.
Sending code that, when the user opens an infected message, causes the execution of the infected file.
Exploiting flaws or vulnerabilities in Internet Explorer and the Outlook and Outlook Express mail clients.
Using network drives and directories to access information and resources shared by users.
Hiding in online file-sharing networks like Gnutella. General strategies used to spread viruses and other threats include gaining the confidence of users or deceiving people into downloading a file that appears to contain music, images, documents of interest etc. but is in fact infected.
In the immediate future, means of transmission will no doubt be created. There is already a type of virus that sends out text messages to GSM mobile phones and even cable TV systems may soon be at risk.
Today, not all files are susceptible to virus attacks or other types of attack, but this may change in the future. Once it was assumed that web pages could not spread viruses but we know now that this is possible.
[ top ]
Camouflage Techniques
Viruses disguise themselves from antiviruses and other security devices using a host of complex techniques:
a) Stealth. Viruses that use this technique hide the normal characteristics that would indicate their presence.
For example, the size of the file will normally increase when it is infected. However, by only inserting code in free file sections, this type of virus tricks the system by making it seem that the file size has not changed.
During file infections the date and time are registered as file modifications. However, when these viruses infect a file, they do not make such changes and the file date and time information will remain as it was before the infection.
To avoid suspicion, stealth viruses will hide some files and change their attributes so that they cannot be viewed.
b) Tunneling. The 'tunneling' system is quite complicated, as these viruses try to avoid detection by the antivirus software by directly intercepting the interrupt handlers of the operating system and effectively 'burying' under the detection software.
c) Armoring. Viruses that use the 'armoring' techniques disguise their code so that it cannot be read. To detect armored code, antiviruses must use heuristic scanning techniques.
d) Self-Encrypting. Antivirus programs search for certain tell-tale signs of virus activity such as groups of characters or instructions. These viruses encode or encrypt their code to make it more difficult for the antivirus program to detect them. However, modern antivirus solutions use algorithms to detect the encryption routine of these viruses.
e) Polymorphism. Polymorphic viruses encrypt their code in a different way with each infection (their signature changes from one infection to the next). They take encryption one step further by also encrypting the way (routine or algorithm) in which their signature is encrypted. This means that a polymorphic virus is capable of creating different variants of itself from one infection to the next, changing its 'shape' with each infection.
Fortunately, the virus cannot completely encrypt itself, as it needs to keep part of its original code unencrypted to be able to run. Antivirus programs can detect polymorphic viruses by locating the routine or algorithm that allow the virus to execute.
[ top ]
Vulnerabilities
Vulnerabilities are weaknesses or security holes in certain applications or software programs.
Attacks exploiting vulnerabilities have increased in frequency, especially those preying on the more commonly used programs and operating systems. Some of the most recent ones include:
a) Internet Explorer Vulnerabilities.
Cross-site scripting. Affects Internet Explorer (versions 5.01, 5.5 and 6.0), spreading viruses to users by executing malicious code through a web page or through e-mail in HTML format.
Additional Information: Microsoft Security Bulletin MS02-008.
Solution: Available on Microsoft website, under Knowledge Base article Q321323 and under Windows Update.
XMLHTTP Control Can Allow Access to Local Files. Allows access to local files by sending and receiving XML data in HTTP format. The problem arises from the way the XMLHTTP control configures Internet Explorer, giving access to local files.
Additional Information: Microsoft Security Bulletin MS02-008.
Solution: Available on Microsoft website under Knowledge Base article Q317244.
Incorrect VBScript Handling in IE can Allow Web Pages to Read Local Files. Permits an attacker to access frames in other domains through web pages or e-mails in HTML format. Internet Explorer does not correctly recognize the domain when using code written in Visual Basic Script programming language, making it possible for an attacker to access confidential information.
Additional Information: Microsoft Security Bulletin MS02-009.
Solution: Available on Microsoft website under Knowledge Base article Q318089.
Malformed Dotless IP Address Can Cause Web Page to be Handled in Intranet Zone. Gives attacker access to web pages on the Internet with low levels of security and allows them to redirect the computer to a predetermined website. Finally, it permits a malicious programmer to log on to remote sessions of Telnet through Internet Explorer.
Additional Information: Microsoft Security Bulletin MS01-051.
Incorrect MIME Header Can Cause IE to Execute E-mail attachment. A vulnerability preventing IE from interpreting HTML code correctly.
Additional Information and Solution: Microsoft Security Bulletin MS01-020. b) Outlook Vulnerabilities.
Outlook View Control Exposes Unsafe Functionality. For Outlook versions 98, 2000 and 2002, consists of ActiveX control that allows access to e-mail folders from a web page.
Additional Information and Solution: Microsoft Security Bulletin MS02-038.
Unchecked buffer in vCard Handler. Problem in Outlook Express and vcard manipulation allows an attacker to cause the client program to fail when a vcard is opened. Also allows execution of malicious code in the system which opens the vcard.
Additional Information and Solution: Microsoft Security Bulletin MS02-012.
Malformed E-mail Header. Permits remote execution of malicious code after opening a specially-crafted message sent by an attacker.
Additional Information and Solution: Microsoft Security Bulletin MS00-043, MS00-045 and MS00-046.
Virus Update for Outlook 2000 and 98. Not a vulnerability but a series of updates released by Microsoft to restrict access to executable files.
Security in Outlook in messages with attached unexecutable files. Automatic execution of a file attached to a message.
Additional Information and Solution: Microsoft Security Bulletin MS99-048.
c) Windows XP/2000 Pro/NT/Me/98/95 Vulnerabilities.
Authentication Flaw Could Allow Unauthorized Users To Authenticate To SMTP Service en Windows 2000 and Exchange 5.5. Exclusive to Windows 2000 Pro., this vulnerability allows messages to be sent without authorization through the SMTP mail server.
Additional Information and Solution: Microsoft Security Bulletin MS02-011.
Windows 2000 Security Rollup Package 1 (SRP1). Exclusive to Windows 2000 Pro. A patch that includes a series of improvements included since Windows 2000 Pro SP2.
ActiveX Parameter Validation. Exclusive to Windows 2000 Pro. Permits the running of malicious code or viruses from a web page or e-mail using ActiveX. Additional Information and Solution: Microsoft Security Bulletin MS00-085.
Microsoft VM ActiveX Component. For Windows 2000 Pro/NT/Me/98/95. Problems with Virtual Java Machine. The vulnerability could allow remote action to be taken on a computer.
Additional Information and Solution: Microsoft Security Bulletin MS00-075.
DOS Device in Path Name Vulnerability. For Windows 98/95. Vulnerability that could cause a user's system to crash, if they attempted to access a file or folder whose path contained certain reserved words.
Additional Information and Solution: Microsoft Security Bulletin MS00-017.
Autorun File. For Windows 98/95. Permits creation of a file called AUTORUN.INF in the root directory of any disk drive, allowing malicious programmers to execute files containing viruses or other threats.
Additional Information and Solution: To solve this problem substitute the value 0 for 1 in the Autorun key, found in the Windows Registry: HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ Cdrom.
Program CMD.EXE - Buffer overflow. For Windows 2000 Pro/NT 4.0. Permits an attacker to consume all or part of the memory of an infected computer.
Additional Information and Solution: Microsoft Security Bulletin MS00-027.
d) Viruses, Threats and Vulnerabilities.
One of the most common vulnerabilities is found in Internet Explorer (versions 5.01 and 5.5). Viruses and other threats take advantage of the Microsoft browser to automatically run code when the message carrying the virus is viewed through the Preview Pane.
Other vulnerabilities have been found in Internet IIS and Apache servers, where viruses have been able to execute malicious code.
In the future, there is also a threat of the appearance of a virus that could take advantage of a vulnerability in the Winamp player, used for listening to sound files with MP3 extensions.
[ top ]
New Tactics
Viruses and other threats are constantly evolving into new forms and using more complicated techniques, increasing the risks to users. These recently detected viruses and threats are based on notably sophisticated technology:
SWF/LMF-926, the first virus that infects files with a SWF extension (Shockwave Flash).
Donut, pioneer virus designed to infect Microsoft's .NET platform files.
Dadinu, first e-mail worm to infect files with CLP extensions.
Kazoa, spreads using the popular file exchange program KaZaa.
Other examples infamously known for their advanced engineering include:
WorldCup (Chick.F) users the subject field and content of this infected message to dupe users into believing that the attached file contains the World Cup 2002 match results.
Gibe is sent through an e-mail message disguised as an update from Microsoft to fix various vulnerabilities.
Petlil.A sent as en e-mail message that attracts the attention of the receiver using erotic pictures.
Kazoa uses files that appear to be games, movies and music to infect users of KaZaa.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment