Shadowserver Foundation - Viruses

Modern Computer Viruses

Author
Aim
Four Installments
- Infection

Author - Chas Tomlin

IT Security Specialist in School of Electronics and Computer Science
Member of Shadowserver
Maintains a db of currently ~16,000 unique viruses and their associated network traffic.

Top

Aim

Take a look at current viruses/malware and how they propagate
See what features modern viruses come with
See what impact an infected machine might have on your network
Learn to detect and prevent viruses

Top

Four Installments

Infection
Payload
Impact
Response

Focus on Windows viruses

Top

Infection

Malware may infect systems in two primary ways;

Self propagating

(malware that exhibits this behaviour is usually called a ‘worm’)

Propagating via user interaction

Self propagating malware usually exploits some sort of security vulnerability in a system to spread. Where as propagating by user interaction requires a user on a system to run an executable, this may be achieved by tricking the user to run something by social engineering.

Some examples of each method are listed below.

Self Propagating

Remote buffer overflow
Drive by (browser vulnerability exploitation)
Copying to Windows file shares

User Interaction

Email attachment
P2P
Instant messaging spamming
Pop ups

Top

Propagation Distribution

Top

Self-Propagating - Remote Overflow

How devastating are remote buffer overflows?

Exploits security vulnerability in some network service.
Requires no user interaction.
Modern viruses contain the ability to exploit multiple vulnerabilities.
Typically give the malware complete control over the infected system.

Top

Self Propagating - Infection Time

How long do unpatched Windows XP systems last when exposed to the internet?

An un-patched Windows machine exposed to the internet will get infected.
Very quickly……

This screenshot shows an emulated vulnerable Windows system being infected in 13 minutes during the early hours.

Top

Try it out for yourself...

Want to see how long a system would last on your ISP?

Linux based honeypot running nepenthes
Emulates a vulnerable Windows system.
Runs on Windows using the free vmplayer

Top

Self Propagating - Drive by download

Drive by downloads do require a user to visit a malicious web site to work. However just by visting a web site you can become infected. How?

Uses security vulnerability to download and execute malicious code without users knowledge.
Windows WMF vulnerability was used extensively by drive by downloads.
WMF file would act like a dropper, contain code that when viewed in browser would simply download and run malware.

Top

Self propagating - Drive by download & web attacker

Drive by download kits are being used on the internet to collect infected machines.

For as little as $20 you can purchase a toolkit to infect hosts as they visit your site.

Top

Self propagating – Windows file share

Some malware has the ability to spread by copying itself to mapped network drives. Although this typically has a limited 'spreading range'.

May also infect normal files on share.

Top

User interaction - Email

We've all had them, email that wants you to download and run some attachment, but why?

Currently the most common propagation method for malware.
In most cases requires the user to run an attachment. Which will infect a system
Uses all sorts of scams to get a user to run the executable.

Top

User interaction – P2P

Peer to peer networks are used to share all sorts of illegal material. But thats not all...

Files are placed on P2P networks that aren’t what they seem…
Probably disguised as something desirable, vista keygen, etc
Requires a user to execute them to infect host.

Top

User interaction – Instant Messenger

This method is becoming more popular, as malware sends messages to contacts on instant messaging networks.

Viruses spread via the various instant messaging networks. AIM, MSN etc
Account information maybe harvested from online profiles such as MySpace, or infected systems.
Malware then sends a link to the victim hoping they will download and run.

Top

User interaction – Pop Ups

Pop ups confuse users and trick them into installing something they probably didn’t want...

Top

Conclusion

Malware/Viruses are everywhere on the internet. They can spread automatically very easily to unpatched systems. Even to systems that are patched malware has methods to trick users into infecting their own systems.

Unpatched systems / systems with no antivirus software are not secure and will be a matter of time before they are infected.

Next installment we will look at what capabilities modern viruses carry with them

Top

<< | Viruses | >>

Big View ? Attach:Site/PageHeader/softflow.gif Δ Home Edit History Recent Changes
HomePage Shadowserver Mission Terms of Service Standards and Guidelines Organizations Calendar Future Goals Job Opportunities Press Security Organizations News Articles Blogs and Forums Misc Presentations Chronological Operations Status Knowledge Base Technology in Use Botnets Botnet Detection Honeypots eFraud Malware Whitepapers Definitions Links Get Involved Get Reports on your Network Blacklists and Blocking TOR Nodes and Reporting Mailing List Submit a Botnet Build a Honeypot Hall of Fame Services Info Binary Whitelist Test IP/ASN/Geo Mapping MD5/SHA1 AV Results Statistics ASN Bots Bot Counts Drone Maps Drone Historical Conficker Botnets Botnet Charts Botnet Maps Botnet Maps Historical DDoS DDoS Charts DDoS Maps DDoS Historical Geo Locations IRC Ports Malware Sandbox Charts Sandbox Graphs Packer Statistics Scans Scan Charts Scan Maps Scan Maps Historical URLs Viruses Sharing Virus Daily Stats Virus Weekly Stats Virus Monthly Stats Virus 60-Day Stats Virus 90-Day Stats Virus 180-Day Stats Virus Yearly Stats Virus Two Year Stats Virus Three Year Stats Combined Results Combined Performance Improvement Between Initial and Retests Contact Us Site Statistics edit SideBar	Infection Modern Computer Viruses Author Aim Four Installments Infection Propagation Distribution Self-Propagating - Remote Overflow Try it out for yourself... Self Propagating - Drive by download Self propagating - Drive by download & web attacker Self propagating – Windows file share User interaction - Email User interaction – P2P User interaction – Instant Messenger User interaction – Pop Ups Conclusion Author - Chas Tomlin IT Security Specialist in School of Electronics and Computer Science Member of Shadowserver Maintains a db of currently ~16,000 unique viruses and their associated network traffic. Top Aim Take a look at current viruses/malware and how they propagate See what features modern viruses come with See what impact an infected machine might have on your network Learn to detect and prevent viruses Top Four Installments Infection Payload Impact Response Focus on Windows viruses Top Infection Malware may infect systems in two primary ways; Self propagating (malware that exhibits this behaviour is usually called a ‘worm’) Propagating via user interaction Self propagating malware usually exploits some sort of security vulnerability in a system to spread. Where as propagating by user interaction requires a user on a system to run an executable, this may be achieved by tricking the user to run something by social engineering. Some examples of each method are listed below. Self Propagating Remote buffer overflow Drive by (browser vulnerability exploitation) Copying to Windows file shares User Interaction Email attachment P2P Instant messaging spamming Pop ups Top Propagation Distribution Top Self-Propagating - Remote Overflow How devastating are remote buffer overflows? Exploits security vulnerability in some network service. Requires no user interaction. Modern viruses contain the ability to exploit multiple vulnerabilities. Typically give the malware complete control over the infected system. Top Self Propagating - Infection Time How long do unpatched Windows XP systems last when exposed to the internet? An un-patched Windows machine exposed to the internet will get infected. Very quickly…… This screenshot shows an emulated vulnerable Windows system being infected in 13 minutes during the early hours. Top Try it out for yourself... Want to see how long a system would last on your ISP? Linux based honeypot running nepenthes Emulates a vulnerable Windows system. Runs on Windows using the free vmplayer Top Self Propagating - Drive by download Drive by downloads do require a user to visit a malicious web site to work. However just by visting a web site you can become infected. How? Uses security vulnerability to download and execute malicious code without users knowledge. Windows WMF vulnerability was used extensively by drive by downloads. WMF file would act like a dropper, contain code that when viewed in browser would simply download and run malware. Top Self propagating - Drive by download & web attacker Drive by download kits are being used on the internet to collect infected machines. For as little as $20 you can purchase a toolkit to infect hosts as they visit your site. Top Self propagating – Windows file share Some malware has the ability to spread by copying itself to mapped network drives. Although this typically has a limited 'spreading range'. May also infect normal files on share. Top User interaction - Email We've all had them, email that wants you to download and run some attachment, but why? Currently the most common propagation method for malware. In most cases requires the user to run an attachment. Which will infect a system Uses all sorts of scams to get a user to run the executable. Top User interaction – P2P Peer to peer networks are used to share all sorts of illegal material. But thats not all... Files are placed on P2P networks that aren’t what they seem… Probably disguised as something desirable, vista keygen, etc Requires a user to execute them to infect host. Top User interaction – Instant Messenger This method is becoming more popular, as malware sends messages to contacts on instant messaging networks. Viruses spread via the various instant messaging networks. AIM, MSN etc Account information maybe harvested from online profiles such as MySpace, or infected systems. Malware then sends a link to the victim hoping they will download and run. Top User interaction – Pop Ups Pop ups confuse users and trick them into installing something they probably didn’t want... Top Conclusion Malware/Viruses are everywhere on the internet. They can spread automatically very easily to unpatched systems. Even to systems that are patched malware has methods to trick users into infecting their own systems. Unpatched systems / systems with no antivirus software are not secure and will be a matter of time before they are infected. Next installment we will look at what capabilities modern viruses carry with them Top << \| Viruses \| >> Edit Page History Source Attach File Backlinks List Group Page last modified on December 31, 2005, at 04:32 AM	Bot Counts Botnets Calendar/Blog March 2011 01 · April 2011 03 · May 2011 17 · June 2011 July 2011 August 2011 02 \| 08 · September 2011 21 · October 2011 November 2011 December 2011 January 2012 February 2012 March 2012 April 2012 May 2012 Link List Arbor Networks ASERT AV Comparatives Emerging Threats Mwcollect Nepenthes Offensive Computing SANS ISC Securtyfix SecuriTeam Sunbelt/CWSandbox Support Intelligence TaoSecurity ThreatSTOP Websense Zeus Tracker