viruses.md

Viruses

Virus type

Stealth virus

• Virus takes active steps to conceal infection from antivirus
• 📝 Characteristic behaviors
  • Restores original file timestamp
  • Intercepts system calls to play back original information of file to e.g.
    • change system libraries to hide its existence from antiviruses
    • run the rootkit

Tunneling virus

• Backtracks interrupt chain to go directly to DOS and BIOS interrupt handlers
• Avoids monitoring
• Kernel software protected in other OS
• Legacy, was only possible in MS-DOS

Logic Bomb virus

• Not self-replicating, zero population growth, possibly parasitic
• Consists of
  • Payload
  • An action to be performed
  • Trigger
    • Boolean condition to be executed
• E.g. if Bob is not getting paid then delete the cloudarchitecture.io website

Polymorphic virus

• 📝 Modifies their payload to avoid signature detection
• Mutates its payload and usually encrypts it.
• Can hide file changes against simple checksums

Metamorphic virus

• Viruses that can reprogram/rewrite itself.
• In polymorphic virus, the mutation engine is always the same while payload is mutated, metamorphic virus can also mutate its own mutation engine.
• Usually
  • Inserts dead code
  • Reshapes the expressions
  • Reorders instructions
  • Encrypts program code
  • Modifies the program control structure
• E.g. Win32/Simile and Zmist

Macro virus

• Changes or creates new macro for MS Office products
• 📝 Macros
  • Code that is part of documents.
  • Used extensively in MS Office Tools
    • Written in or translated to Visual Basic for Applications (VBA) code
  • Macro language: a programming language which is embedded inside a software application
• Protective strategies
  • Later versions of MS Office have security levels for execution of macros
    • Level high only executes signed macros
  • MS Office provides warnings when files contain macros
• E.g. Concept, first macro virus for Microsoft Word (1995-1997)
  • Infects Word's global document-template NORMAL.DOT
  • Creates PayLoad and FileSaveAs macros
  • Infects all documents saved with the Save As command
• E.g. Laroux, first macro virus for Microsoft Excel (1996)
  • Consists of auto_open and check_files
    • auto_open executes whenever an infected spreadsheet is opened, followed by check_files
    • Virus looks for PERSONAL.XLS
  • Virus contains no malicious payload

File infectors

• Virus infects executables

Appending virus

• At the end
• To get control
  1. Save original instruction in code
  2. Replace by jump to viral code
  3. Execute virus
  4. Restore original instruction and jump to them
     • or run original instruction at saved location followed by jump to the rest of the code

Overwriting file virus

• 📝 Also known as cavity virus or spacefiller virus
• 📝 Houses itself in target files without altering their size.
• Virus gets control in normal execution of file
• Placement Strategies
  • Place virus in superfluous data
  • Place virus in file slack or unused allocated file space
  • Stash overwritten contents in a companion file
  • Compress (parts of) the original file, decompress
• E.g. Lehigh (an early DOS virus)

Inserting virus

• Move target code out of way
• Intersperse small pieces of virus with infected file

Companion virus

• Virus gets executed before infected file
• Infected file barely changed
• Examples
  • Change name of target file
    • Copy notepad.exe to notepad.exp
    • Virus is in new notepad.exe, which calls notepad.exp
  • Virus placed earlier in search path
    • notepad.exe in a different directory than real notepad.exe
    • notepad.com is executed before notepad.exe
  • Use Windows registry to change association for .exe files
  • Change interpreter in ELF files
    • Typically the run-time linker, but now virus
  • Associate icon of target with virus

Boot sector infectors

• Contains code that runs when a system starts up.
• Also known as boot sector virus
• 📝 Copies itself into the MBR or VBR on hard disk
  • Typically after making copy of MBR in a "safe location"
• Extinct in the wild
  • Floppies are rarely used to boot, disabling the propagation mechanism
  • OS prevent writing to a disk's boot sector without proper authorization
  • BIOS can enable boot block protection
• E.g. Michelangelo (1991)
  • Moves original boot sector to safe location
  • Infects all floppy disks inserted into computer
  • Payload: overwrites file system with zeroes
• E.g. Stoned Virus (1988)
  • Infects 360KB diskettes and MBR
  • Many variants
  • Payload: Shows "Your PC is now stoned!"

Boot record types

• Volume Boot Record
  • First sector of an unpartitioned storage device
  • First sector of an individual partition
• Master Boot Record
  • First sector of data storage device that has been partitioned

Booting

• Bootstrap loader
  • Loads software to start OS
• Multi-stage bootstrap loader
• Boot sequence on IBM-PC
  • Runs instruction at memory location F000:FFF0 of BIOS
  • Jumps to execution of BIOS startup program
  • Executes Power-On Self-Test (POST)
    • Checks, initializes devices
  • Goes through preconfigured list of devices
  • If it finds bootable device, loads, and executes boot sector
    • Assume MBR on hard drive
    • MBR contains address of bootable partition
    • Load boot sector of bootable partition
    • Boot sector moves OS kernel into memory and starts it

Multipartite viruses

• Also known as hybrid virus
• 📝 Combines file infectors and boot record infectors
• Re-infects a system repeatedly
• In order for it to be eradicated, the whole virus has to be removed from the system
• E.g. Ghostball, first multipartite virus (1989)
  • Infects both executable .COM-files and boot sectors.

Other virus types

• Camouflage virus: Disguise as legit files.
• Network: Spreads via network shares.
• Shell virus
  • Like boot sector but wrapped around application code, and run on application start.
• Sparse infector
  • Only fire when a specific condition is met
  • E.g. a virus which infects only the 20th time a file is executed.