Chapter 1 is an introduction to the world of malicious code and its authors. You will learn there is a lot more to the rogue program world than computer viruses and worms. The chapter discusses what malicious mobile code is and its classifications. It summarizes the very active virus-writing subculture and the laws written to protect us.
I had been called to a company because it appeared that one of their Windows 98 computers had been hacked. The computer was connected to the Internet and was used for web surfing and email. The only symptom they reported was a significant slowdown in processing. Sure enough, even though the PC had more than enough processor power to run its applications, it was running very sluggishly. The day before it had been a fast and responsive machine. Now, it seemed to struggle with every mouse click and screen change. The mouse cursor hesitantly flashed during operations -- an indication of slow processing. They had already run an antivirus scanner with an updated signature database file. It had found nothing. Still, everyone was suspicious. Malicious mobile code is coming out so fast these days that even the most accurate scanners can’t track all of the new ones.
The first thing I did when I arrived was to disconnect the PC from
the Internet by unplugging its network card cable. That way if the
machine was being attacked or monitored from the Internet, no more
damage could be done. I then hit
to see what program processes were running. There were a few that I
didn’t recognize, but that by itself is not surprising. Then I
command to examine the system startup
file definitely had something
suspicious. There was a line under the
that was loading a strange file into memory every time Windows
started. First, I used the Task menu to remove
Netlog1.exe from memory, and then I examined it
using a file text editor.
Quickly scanning the file for anything out of the ordinary, I noticed
text strings pointing to a public Internet IP address and port number
(explained in Chapter 6, Trojans and
Worms). Then I saw it, a text string saying, “The
victim is online!” A legitimate company didn’t write this
file. I did a search for all files that had been modified or created
in the last few days. There were a dozen or so. I removed all the
ones I didn’t trust. One was a password file, evidencing that a
hacker had entered into the system and set up his own logon accounts.
The root directory contained a
file, which would allow the hacker to
erase most of his tracks and files with one command if he thought he
was about to get caught. There was even a module that would move a
backup copy of
Netlog1.exe into memory if the
first was removed.
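The manual triage described above (pulling readable strings out of a suspicious binary, looking for a public IP address and port plus telltale phrases, and listing files changed in the last few days) can be scripted. The following is an added example, not code from the book; it is a modern Python stand-in for the checks done by hand on the Windows 98 machine. The sample blob, the documentation-range address 203.0.113.45, the port, the phrase list and the temporary files are all constructed for the demonstration.

```python
import ipaddress
import os
import re
import tempfile
import time

# Constructed stand-in for a suspicious executable. The address comes from
# the 203.0.113.0/24 documentation range and does not point at a real host.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"kernel32.dll\x00"
    + b"The victim is online!\x00"
    + b"\x17\x03\x01" + b"203.0.113.45:6667\x00"
    + b"c:\\windows\\netlog1.exe\x00"
)

# Hypothetical keyword list; extend it with whatever an analyst has seen before.
SUSPICIOUS_PHRASES = ("victim", "online!")

IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII, the way a strings(1) pass would."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def is_routable(ip: str) -> bool:
    """True for addresses outside loopback, link-local and RFC 1918 space."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return False
    return not any(addr in net for net in RFC1918)


def find_indicators(data: bytes) -> dict:
    """Collect Internet endpoints and suspicious phrases embedded in a binary."""
    endpoints, phrases = [], []
    for s in extract_strings(data):
        for ip, port in IP_PORT_RE.findall(s):
            if is_routable(ip) and 1 <= int(port) <= 65535:
                endpoints.append((ip, int(port)))
        if any(p in s.lower() for p in SUSPICIOUS_PHRASES):
            phrases.append(s)
    return {"endpoints": endpoints, "phrases": phrases}


def recently_changed(root: str, days: float, now=None) -> list:
    """List files under root whose modification time falls within `days`.

    Only st_mtime is used: on many filesystems st_ctime changes whenever
    metadata is touched, which would make the result noisy.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.stat(path).st_mtime >= cutoff:
                    hits.append(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
    return sorted(hits)


def demo_recent_files() -> bool:
    """Constructed check: only the freshly written file should be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh = os.path.join(tmp, "netlog1.exe")
        stale = os.path.join(tmp, "old.dll")
        for path in (fresh, stale):
            with open(path, "wb") as fh:
                fh.write(b"MZ")
        os.utime(stale, (0, 0))  # pretend it was last written in 1970
        return recently_changed(tmp, days=3) == [fresh]


if __name__ == "__main__":
    print(find_indicators(SAMPLE_BLOB))
    print("recent-file check passed:", demo_recent_files())
```

Run it on a real file by replacing `SAMPLE_BLOB` with the file's bytes and pointing `recently_changed` at the drive root; treat both outputs as leads for an analyst rather than as a verdict, since packed or encrypted binaries hide their strings and a quiet attacker can back-date timestamps.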
After analyzing the bogus files a bit more, I identified the culprit as The Thing. The Thing is a remote access Trojan that provides backdoor access to hackers. Once loaded, the Trojan uses both IRC and ICQ chat channels to notify hackers of the IP address of the latest victim. Then hackers can upload and download files secretly. The Thing is used to upload larger hacking programs with more functionality. What made this sort of attack even more dangerous was that the hacked machine was attached to a corporate network with access to lots of other resources. The hackers could have downloaded every data file on the network (constrained only by the local user’s logon permissions). Once the Trojan was removed, the PC regained its original efficiency. I uploaded The Thing to commercial antivirus researchers so it could be incorporated in the next signature database releases. My clients didn’t understand how a Trojan program could have been placed on their computer. They hadn’t downloaded any programs (or so they thought). They wondered how the Trojan got installed if all they did was surf the Web. Welcome to the world of malicious mobile code.