DonkBoy
The Evolution of 32-Bit Windows Viruses
-----------------------------------------------------------
The world of computer antivirus research has changed drastically since the
introduction of Windows 95. One reason for this change is that certain DOS-based viruses
that used stealth techniques and undocumented DOS features became incompatible with Win95.
As a result, virus writers took on the challenge of investigating the new OS and began
creating new Win95-compatible DOS-executable viruses and boot viruses.
In March 1999, only 100 or so 32-bit Windows virus variants existed. Today, this number
has grown to more than 600. Most of these variants are known as zoo viruses because
they're contained in virus collections only and generally don't cause problems for end
users. Most of the older 32-bit Windows viruses attacked only Win95. A year ago, fewer
than 20 percent of all 32-bit Windows viruses were capable of replicating on Windows NT.
Today, however, half of all 32-bit Windows viruses are true Win32 viruses, meaning they
can replicate on NT and Windows 9x systems. Some of these viruses are already compatible
with Windows 2000. Only about 25 percent of old Win32 viruses (i.e., written before Win2K)
do not replicate on the release version of Win2K because of some slight incompatibility
issues. To protect yourself from viruses, it helps to understand where they came from,
what forms they take, and how they can damage your systems. Armed with this information,
you will stand a better chance of protecting yourself.
Early Years
The first Win95 virus, Win95/Boza, appeared in 1995 and was written by a member of the
Australian VLAD virus-writing group. Although it took time for others to understand the
insides of the Win95 architecture, several new Win95 viruses began appearing in 1997. Some
of these viruses were in the wild, meaning that they caused a significant outbreak in
several end-user environments. At the end of 1997, Jacky/29A introduced Win32/Cabanas.A,
the first Win32 (NT-compatible) virus.
The first major outbreak of a 32-bit virus began with the Win95/Anxiety family in late
1997. The virus patched its short code directly into Win95's Virtual Machine Manager
(VMM), modifying the VMM's code in memory rather than in the actual files. On Win9x
systems, the memory area where the system kernel and other Virtual Device Drivers (VxDs)
load remains unprotected against memory writes, which makes these systems very vulnerable
to attack. As a result, a user-mode application that runs in Ring3 can easily modify
system-level code that runs in Ring0. Because Win2K and NT don't support VxDs, the
Win95/Anxiety virus could not spread to systems running these OSs. Regardless,
Win95/Anxiety caused major problems on home user and business desktop systems.
Damaging the Hardware Under Windows 9x
Virus attacks took a big step in 1998 when the infamous Win95 virus, Win95/CIH, became the
first virus to damage system hardware, specifically the flash BIOS. CIH, like
Win95/Anxiety, implements a PE infection mechanism based on VxD calls. Because the virus
executes its damage routine in Ring0 (system level), you can't prevent the damage caused
by the port commands (e.g., IN, OUT). Such dangerous viruses don't yet exist for Win2K and
NT, but they are possible. To execute port commands, a virus has to be running in kernel
mode under Win2K or NT. As a result, because most virus writers lack the knowledge to
create the necessary drivers, many will have a hard time creating this type of virus.
Infecting Kernel32.dll
Virus writers have written several Win32 viruses that attack kernel32.dll, which most PE
applications load and use to access the most important Win32 API set, such as file
functions. These viruses work by patching the export address of one exported API (e.g.,
GetFileAttributesA) to point into the virus code that the virus has appended to the end of
the DLL image. Because 32-bit DLLs use the PE file format, virus writers can easily infect
this type of file. The Win95/Lorez virus was the first virus of this kind.
These viruses can easily be per-process resident (i.e., the viruses run actively as part
of a process or several processes). As a result, each process that uses kernel32.dll,
which is any process that uses the basic Win32 file functions and directory functions,
links to the virus code. The infected DLL attaches to every program that has kernel32.dll
imports. Whenever the application calls the API with the attached virus code, the virus
code gets control in the address space of the infected application.
Every system DLL contains a precalculated checksum that the linker places in the DLL's PE
header. Unlike Win95, NT recalculates this checksum before it loads DLLs and drivers. If
the calculated checksum doesn't match the checksum in the DLL's header, the system loader
stops with an error message at the blue screen during system boot. However, this extra
step doesn't mean that a virus writer can't implement such a virus for NT.
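As an added example (not code from the article), the check below recomputes the PE header checksum the way the NT loader does, so an integrity scanner can flag a system DLL whose image was altered or grew after linking. The PE image it runs against is constructed inline and is not a real binary.

```python
import struct

def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (0x40 into the optional header)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # PE signature (4) + IMAGE_FILE_HEADER (20) + CheckSum offset inside the optional header
    return e_lfanew + 4 + 20 + 0x40

def pe_checksum(data: bytes) -> int:
    """Recompute the header checksum the way the NT loader does (same algorithm as
    imagehlp's CheckSumMappedFile): sum the file as 32-bit words with end-around carry,
    skipping the CheckSum field itself, fold to 16 bits and add the file length."""
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def verify_pe_checksum(data: bytes) -> dict:
    """What an integrity scanner would report for a system DLL: stored vs. recomputed."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = pe_checksum(data)
    return {"stored": stored, "computed": computed, "ok": stored == computed}

def build_sample_image(stored_checksum: int, appended: bytes = b"") -> bytes:
    """Constructed 256-byte stand-in for a DLL (not a real binary): MZ header with
    e_lfanew = 0x40, PE signature, i386 Machine field, everything else zeroed.
    `appended` models bytes added to the end of the image after the checksum was set."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)             # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0x14C)            # IMAGE_FILE_HEADER.Machine = i386
    struct.pack_into("<I", img, 0x98, stored_checksum)  # CheckSum at 0x40 + 4 + 20 + 0x40
    return bytes(img) + appended

if __name__ == "__main__":
    clean = build_sample_image(pe_checksum(build_sample_image(0)))
    print(verify_pe_checksum(clean))                                    # ok: True
    print(verify_pe_checksum(build_sample_image(0xA229, b"\x90" * 7)))  # ok: False
```

A real scanner would apply `verify_pe_checksum` to the mapped file bytes of each DLL under the system directory; a mismatch on a file that shipped with a non-zero CheckSum is worth investigating.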
The Win32/Heretic virus was the first of its kind to implement proper kernel32.dll
infection. As a result, the virus ran on NT. The Win32/Kriz virus also used this method to
make its way into the wild.
Win32/Kriz uses the CIH damage routine, but the damage routine doesn't work under NT
because the virus runs in Ring3 (user mode).
The First Successful Win32 Worm
Virus writers released the first known Win32 worm (a special subclass of viruses that
primarily spread over networks) in January 1999. Known as Win32/SKA.A, or the Happy99
worm, the worm originated on the Win95 platform. The worm also ran on older versions of NT
under special circumstances where the worm could patch wsock32.dll.
Although the worm appeared more than a year ago, it continues to spread. These types of
chain-letter worms are very successful because people usually trust messages they receive
from their friends and associates. Although Win32/SKA.A came out long before the Melissa
macro virus, many corporations didn't understand the worm's message in time and didn't
institute strict policies that could have minimized the chance of other worm-related
outbreaks later on.
Worms with Dangerous Payloads
Virus writers took the idea behind Win32/SKA.A and implemented it in many Win32 worms.
Win32/PrettyPark.A, which first appeared in France, and Win32/ExploreZip.A, which came
from Israel, were probably the two most important because they were widespread.
Win32/ExploreZip.A, which hit large American and Japanese companies, contained a very
dangerous payload that truncated documents such as .doc and .xls files. Without proper
backups, many companies lost thousands of files. PrettyPark let the virus writer use it as
a back door to the infected system via remote commands.
Be Prepared
At least one-third of new 32-bit Windows viruses written this year propagate via email.
These creations present the biggest risk for corporate users. Systems administrators have
to understand this risk and educate their users to pay attention to email attachments. Not
only can documents be dangerous by hiding a short macro, but executable code attachments
can open access to all available resources and do anything that the user's rights allow.
With the rise in Win32 viruses, you need to be prepared and understand the security
features of your Win2K and NT systems. When used properly, several built-in security
features can save you time, resources, and money.
Friday, January 12, 2007