
Security
Malware
Last updated Jan 1, 2001. This new section is devoted to the subject of malware: the viruses, worms, Trojans and other software that threatens information security. As we will discuss in coming weeks, malware can undermine all three facets of the CIA (confidentiality, integrity, availability) security model. Depending on the program's intent, sensitive information can be extracted from a victim's computer, files can be deleted, and denial of service attacks can be launched from the infected host to limit the availability of other hosts. This section investigates these aspects of malware, demonstrates how malware works, and provides tips to help users protect themselves.
Viruses vs. Worms
Is it a virus, or a worm? This question often causes a great deal of confusion, and for good reason: even anti-virus "experts" have never been able to agree on an exclusive definition for each.
The list of possible definitions includes advanced, expert-oriented classifications that define worms as a sub-class of viruses. At the other extreme are newbie-oriented classifications. For example, the Computer Security Division of the National Institute of Standards and Technology (NIST) gives a beginner's introduction to viruses as follows:
"Viruses are the colds and flus of computer security: ubiquitous, at times impossible to avoid despite the best efforts and often very costly to an organization's productivity. NIST recommends using a two-tiered approach for detecting and preventing viruses from spreading: On personal computers, install and use anti-virus software capable of scanning disks, attachments to email, files downloaded from the web, and documents generated by word processing and spreadsheet programs. Use anti-virus software at Internet gateways or firewalls to scan email attachments and other downloaded files. Anti-virus software should be installed when the personal computer is initially configured. The software should be updated weekly with new virus definitions, and your vendor may provide an automated update feature. Organizations may benefit from using several brands of anti-virus software."
Most antivirus researchers will give a common, yet not fully accurate differentiation of viruses vs. worms as follows: "A virus must attach to another program to spread, while a worm spreads on its own." This echoes an ancient post by Purdue Professor Gene Spafford, from 14 years ago, on the public alt.comp.virus newsgroup:
"Well, there are many differing definitions, with one extreme being that all worms are viruses.
"The definitions I think most people use are:
A virus is code that cannot run on its own. It is inserted into another ("host") program, and causes that program to run the virus code when the host is run. The virus code, when run, will insert a copy of itself in another "host," then possibly do some other task (often known as the "manipulation" task), then possibly execute the original host code. Viruses are not self-contained programs.
A worm is a program that can run by itself. It is self-contained in that it can run as an independent program. It may use system programs to propagate itself. Worms travel (and possibly multiply) over communications links. They do not necessarily do anything other than travel from machine to machine (or propagate around a network), but they may also perform manipulation tasks, carry viruses, etc."
Although this antique delineation is convenient for Internet discussion, it is no longer accurate for academic research involving viruses and worms. In fact no one has ever been able to successfully separate the two, as Nick FitzGerald reported on the public alt.comp.virus newsgroup:
"As there are no firmly agreed definitions of either amongst the technical specialists who work in the field, any answer you get will only be the opinion of the person answering.
"That said, most people will tell you that worms are 'self-sufficient [or self-contained] programs' rather than parasitic and/or that worms are written to distribute themselves through network transfer mechanisms.
"In reality, neither of those, nor their combination, are sufficient determinants."
In contrast, commercial vendors often use a working definition, such as Symantec's:
"Viruses are computer programs that are designed to spread themselves from one file to another on a single [computer]; they require humans to spread between computers. Worms rely less (or not at all) upon human behavior in order to spread themselves from one computer [to another]."
However, this does not take into account combination worm/viruses such as Melissa, which infected Word documents the way a virus does and also mailed copies of itself to entries in the victim's Outlook address book the way a worm does.
In 1996 Fridrik Skulason attempted a more academic definition of a virus on the alt.comp.virus newsgroup:
"#1 A virus is a program that is able to replicate - that is, create (possibly modified) copies of itself.
#2 The replication is intentional, not just a side-effect.
#3 At least some of the replicants are also viruses, by this definition.
#4 A virus has to attach itself to a host, in the sense that execution of the host implies execution of the virus.
---
#1 is the main definition, which distinguishes between viruses and Trojans and other non-replicating malware.
#2 is necessary to exclude for example a disk-copying program copying a disk, which contains a copy of itself.
#3 is necessary to exclude "intended" not-quite-viruses.
#4 is necessary to exclude "worms", but at the same time it has to be broad enough to include companion viruses and .DOC viruses."
However, the definition breaks down on the qualifier to #4: "attach itself to a host" has to be read loosely enough to cover companion viruses (which never modify the host file at all) and .DOC macro viruses (whose host is a document rather than a program), and once it is read that loosely it no longer cleanly excludes worms.
The truth is that no one has been able to delineate viruses vs. worms successfully. Any analogy to medical parasites breaks down very quickly. Thus, when discussing viruses or worms in an academic paper, it is important to define your malware in the context in which you are presenting it.
To date, we prefer Dmitry Gryaznov's classification of viruses and worms. Taken in its broadest (catholic) sense, it is the most accurate and the most suitable for academic research:
"Worms are a subset of the more general class viruses, which covers all self-replicating programs. Thus, if something is a worm it automatically is a virus."
Keyloggers
One of the most popular and devastating types of spyware is the keylogger. When one is installed correctly, it has the power to capture and record all the data passing from an input device (keyboard, mouse, etc.) to the computer. While the ethical considerations of using such a program are open for discussion, the keylogger is used for numerous purposes. Whether monitoring a child's actions, spying on a spouse, capturing keystroke information for productivity purposes, or collecting passwords, the keylogger is one of the most commonly used forms of spyware. This section takes a look at the internals of keyloggers and how they work. In addition, we discuss the methods by which you can detect keyloggers and protect your computer from nosy intruders.
What are keyloggers
A proper definition of a keylogger is "any device or program that captures information from an input device and places the captured data into a file." What this should tell you is that a keylogger can take many forms, some almost impossible to detect. Regardless of the type, a keylogger generally does one thing: capture the keystrokes from a keyboard. At one time this would have been enough. However, in the last three decades of computer use, many other methods of input have been devised that allow a user to interact with a computer. Mice, touch screens, verbal commands, and even thought control have been used to control a computer. As a result, keyloggers have evolved to include many other methods of monitoring, which extend well beyond the scope of this discussion. Therefore, we will focus mainly on keystroke logging, but will address alternate methods of capture at the end of this section.
Hardware Keylogger
Hardware keyloggers are small lipstick-shaped devices that are placed inline, between your keyboard and computer (see figure 1). Since they are connected at the back of the computer, which is often hidden from sight, these devices are rarely noticed or detected, as figure 2 indicates. Unfortunately, this easily overlooked device has the power to record hundreds of thousands of keystrokes, including passwords, credit card numbers, or adulterous conversations.
Figure 1: Hardware Keylogger
Figure 2: Installation of keylogger
The hardware keylogger is a very straightforward device. It simply captures the electronic signal from the keyboard and stores it in a local data buffer within the tube shaped device. In order to extract the data from the internal buffer, the device constantly monitors the incoming keystrokes until it detects a secret password. This will in turn trigger a program located on the keylogger that allows the user to output the captured data into a waiting program, such as Word or Notepad. While this is usually done at the target computer after hours or when the target is away on an errand, it is just as simple to remove the keylogger for future analysis at any computer.
Hardware based loggers have the advantage of remaining mostly invisible to the average user. Since most users don't have a clue about what should or shouldn't be plugged into their computer, they won't notice the small device. In addition, since there are no processes or programs running on the target computer, it is invisible to any nosy users or antivirus/keylogger detection programs. Related to this, a hardware keylogger is impervious to hardware crashes, system formats, or even complete changes to an operating system. If your target user dual boots their system between Linux and Windows, this type of keylogger could be your best choice.
Unfortunately, there are several disadvantages that could make this type of keylogger impractical. First, the cheapest version costs about $60 for the 32 KB model, which holds a few days of data capture, depending on how heavily the computer is used. More expensive versions store 128 KB for about $89, but compared with software-based keyloggers, some of which are free, the price can be a major deterrent. Second, a hardware logger requires local manual installation, which means you must have physical access to the machine; most software loggers can be installed and then monitored remotely, which reduces the chance of getting caught red-handed. Third, you will have to extract the data regularly or risk the buffer filling up, which means replacing the device with a spare or spending time at the user's computer dumping the keystrokes. Finally, many of these devices ship with one standard password that unlocks the captured data. If someone inadvertently types this password, they will end up with a rather interesting surprise, and typing the known default unlock strings into a text editor is a quick way to check whether such a device is present.
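The capture-buffer-and-trigger mechanism described above, as an added example that is not part of the original page or any vendor's firmware: a Python simulation of such a device. The buffer capacity, the unlock string "keylog", and the behaviour of silently dropping keystrokes once the buffer is full are all assumptions made for the example.

```python
class HardwareKeylogger:
    """Simulation (added example) of an inline hardware keylogger: it stores
    keystrokes in a fixed-size buffer and, when it recognises its unlock
    string, 'types' the buffer back out into whatever program has focus.
    Assumptions: capacity is counted in keystrokes, recording stops silently
    when the buffer is full, and the unlock string is a vendor default."""

    def __init__(self, capacity, unlock="keylog"):
        self.capacity = capacity      # e.g. 32 * 1024 for the "32k" model
        self.unlock = unlock          # trigger string (assumed value)
        self.buffer = []              # captured keystrokes, oldest first
        self.window = ""              # last len(unlock) characters seen
        self.dropped = 0              # keystrokes lost because the buffer was full

    def keystroke(self, ch):
        """Feed one character from the keyboard. Returns None normally, or the
        dumped text when the unlock string has just been completed."""
        if len(self.buffer) < self.capacity:
            self.buffer.append(ch)
        else:
            self.dropped += 1
        self.window = (self.window + ch)[-len(self.unlock):]
        if self.window != self.unlock:
            return None
        dump = "".join(self.buffer)
        # The trigger itself was captured too (unless the buffer was already
        # full); strip it so the dump contains only the victim's typing.
        if dump.endswith(self.unlock):
            dump = dump[:-len(self.unlock)]
        self.buffer.clear()
        self.window = ""
        return dump


def type_text(device, text):
    """Send a string through the device, returning any dumps it emitted."""
    dumps = []
    for ch in text:
        out = device.keystroke(ch)
        if out is not None:
            dumps.append(out)
    return dumps
```

Two things the simulation makes concrete that the text only states: once the buffer is full the device keeps "working" but loses everything after that point (the dropped counter), and the unlock string doubles as a detection handle, because typing a vendor's default strings into Notepad on a suspect machine makes a present device dump its buffer into the editor.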
GetAsyncKeyState
By far, this is the simplest and fastest method of writing a keylogger program. Using Visual Basic, which has a reputation for being easy to program in, a programmer can create a loop that repeatedly calls the GetAsyncKeyState function to determine whether a key's state has changed since the last call. Since the state changes when a key is pressed, a change is easy to detect, and the program reacts by appending the corresponding character to a log file. While this makes for a straightforward program, the method is notorious for slowing a computer down, because GetAsyncKeyState must be called for each and every possible key value on every pass, regardless of whether any key was pressed. In other words, the program spins constantly in the background, stealing processing time from other programs (and showing up as a permanently busy process, which is one way to spot it). The following is an example of how this method is used; you can see that it is a very harsh program with regard to efficiency.
Private Declare Function GetAsyncKeyState Lib "user32" (ByVal vKey As Long) As Integer

Dim i As Integer, state As Integer, keyText As String

' Poll every virtual-key code (1 to 255). The values are virtual-key codes,
' not ASCII: printable ASCII is decimal 32-126, and Chr(i) only maps the
' letter and digit keys correctly.
For i = 1 To 255
    state = GetAsyncKeyState(i)
    ' -32767 (&H8001) means the key is down now AND was pressed since the
    ' last call, i.e. a new keystroke rather than a key being held
    If state = -32767 Then
        keyText = Chr(i)
        ' keyText can then be appended to a log file
    End If
Next i
There are ways a programmer can optimize this general process. For example, a program could sleep briefly between passes, check whether the keyboard state has changed at all before testing each key, or include a filter to capture only printable keystrokes. Examples are easy to find online, and are often the creation of college students looking to expand their programming skills while donating something "hackerish" to the public. As a result, many of these programs are buggy or include a hidden surprise that is just as dangerous as the keylogger, if not more so.
The Hook
This is the most commonly used method by which programs monitor keystrokes, with a reported 90% usage rate. It is accomplished via the SetWindowsHookEx() function, which installs a hook procedure that sees messages (for a keylogger, keyboard events via a WH_KEYBOARD or WH_KEYBOARD_LL hook) before the target application handles them. Generally, a keylogger using this technique comes packaged as an executable (.exe) file that installs the hook and a DLL that holds the hook procedure and the logging functions; a system-wide WH_KEYBOARD hook has to live in a DLL because Windows maps it into every process that receives keyboard input.
Once the hook is established, the program has access to the window messaging stream, including window titles, button labels, and more. At this point, the programmer must filter and convert the captured information and append the relevant parts to a text file. If this sounds complex, you are right: this method is much more difficult to implement than either of the previously discussed methods; however, the effort is often worth it, because this type of keylogger gives the program access to much more than just keystrokes.
Depending on the programmer, a hook-based keylogger can obtain autotype text, passwords, and other information normally hidden from a keylogger. Since autotype text is not generated by any input device, a hardware or VB polling keylogger will never see the 'typed' characters. As a result, many professional keyloggers use this type of hook and build on it to add all sorts of power and control. Unfortunately, the hook method is easy to detect: many AV programs scan executables for an import of SetWindowsHookEx and flag it as a risk (legitimate software such as input-method editors and accessibility tools uses the same API, so a flag means "look closer", not "keylogger").
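The import-scanning check mentioned above, covering both the SetWindowsHookEx hook and the GetAsyncKeyState polling call from the previous section, as an added example that is not part of the original page or any AV product: a Python parser that walks a PE file's import directory (PE32 and PE32+) and reports keylogging-related imports. The list in SUSPICIOUS_IMPORTS is an assumption made for the example, not a vendor signature set, and build_pe32_with_imports constructs a minimal sample PE in memory so the scanner can be exercised without a real binary.

```python
import struct

# Imports an AV product might look for (assumed list for this example).
SUSPICIOUS_IMPORTS = {
    "user32.dll": {"SetWindowsHookExA", "SetWindowsHookExW",
                   "GetAsyncKeyState", "GetKeyState", "GetKeyboardState"},
}


def _cstr(data, off):
    """NUL-terminated ASCII string starting at file offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Walk a PE32/PE32+ import directory; return {dll: [function, ...]}."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                         # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories at +96, 4-byte thunks
        dd, thunk_fmt, ord_flag = opt + 96, "<I", 1 << 31
    elif magic == 0x20B:      # PE32+: data directories at +112, 8-byte thunks
        dd, thunk_fmt, ord_flag = opt + 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    imp_rva = struct.unpack_from("<I", data, dd + 8)[0]   # directory entry 1 = imports
    # Section table, needed to translate RVAs into file offsets.
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))

    def to_off(rva):
        for va, size, raw_ptr in sections:
            if va <= rva < va + size:
                return rva - va + raw_ptr
        raise ValueError("RVA %#x not in any section" % rva)

    imports = {}
    if imp_rva == 0:
        return imports
    off = to_off(imp_rva)
    while True:   # IMAGE_IMPORT_DESCRIPTOR array, ended by an all-zero entry
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:
            break
        dll = _cstr(data, to_off(name_rva)).lower()
        toff, step = to_off(oft or ft), struct.calcsize(thunk_fmt)
        funcs = []
        while True:
            entry = struct.unpack_from(thunk_fmt, data, toff)[0]
            if entry == 0:
                break
            if entry & ord_flag:        # import by ordinal: no name to match
                funcs.append("#%d" % (entry & 0xFFFF))
            else:                       # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
                funcs.append(_cstr(data, to_off(entry) + 2))
            toff += step
        imports.setdefault(dll, []).extend(funcs)
        off += 20
    return imports


def keylogger_indicators(data):
    """Sorted 'dll!function' strings for imports listed in SUSPICIOUS_IMPORTS."""
    hits = []
    for dll, funcs in parse_imports(data).items():
        hits += ["%s!%s" % (dll, f) for f in funcs
                 if f in SUSPICIOUS_IMPORTS.get(dll, ())]
    return sorted(hits)


def build_pe32_with_imports(imports):
    """Constructed sample: a minimal, non-runnable PE32 whose only section is
    an import table (assumed layout, used instead of a real binary)."""
    sec_rva, sec_off = 0x1000, 0x200
    sec = bytearray(20 * (len(imports) + 1))     # descriptors + null terminator

    def add(blob):
        sec.extend(blob)
        return sec_rva + len(sec) - len(blob)

    descs = b""
    for dll, funcs in imports.items():
        name_rva = add(dll.encode() + b"\0")
        by_name = [add(struct.pack("<H", 0) + f.encode() + b"\0" * (2 - len(f) % 2))
                   for f in funcs]
        thunks = b"".join(struct.pack("<I", r) for r in by_name) + b"\0" * 4
        oft_rva, ft_rva = add(thunks), add(thunks)   # lookup table and IAT
        descs += struct.pack("<IIIII", oft_rva, 0, 0, name_rva, ft_rva)
    sec[:len(descs)] = descs
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8, sec_rva, len(descs) + 20)
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), sec_rva, len(sec),
                       sec_off, 0, 0, 0, 0, 0x40000040)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr.ljust(sec_off, b"\0") + bytes(sec)
```

Run keylogger_indicators() over the bytes of a real executable to get the same kind of verdict the text attributes to AV scanners. The static check has the limits one would expect: a packed binary or one that resolves the API at run time through LoadLibrary/GetProcAddress shows nothing in its import table, and a hit only says the program can hook the keyboard, not that it logs anything.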
An example of this type of program is GhostLite, which captures program names, URLs, characters, and more. The following is a short excerpt from GhostLite that demonstrates the amount of information this type of program can capture.
[ ** USER sfogie on COMPUTER 8200XP ** ]
[Ghost Keylogger] - Wed Jun 23 15:55:35 2004
[Disarm ALL software keyloggers and hardware keyloggers on your PC and servers! - Netscape] - Wed Jun 23 15:55:39 2004
[Keys]
{
c
}
[URL] { http://www.anti-keylogger.com/ }
[Ghost Keylogger] - Wed Jun 23 15:55:49 2004
[Ghost Key Logger Lite Configuration] - Wed Jun 23 15:55:50 2004
Ironically, this demonstrates both the strengths (lots of detail) and the weakness of this type of keylogger. You can see from the log file that I hit the letter "c". This letter was entered in the address bar of Netscape, which prompted a dropdown box with several URLs listed. From this list I clicked on cnn.com, which caused http://www.cnn.com to load. As you can see, GhostLite did not automatically fill in the rest of the generated address, and when it did capture a URL, it got the wrong one. I suspect that because Netscape opens different websites in tabbed windows, GhostLite accidentally focused on the wrong tab, which caused it to post the wrong URL and web information.
Kernel/Driver keylogger
A kernel keylogger operates at the operating-system level, which means it is first in line for the data coming from the keyboard. In many ways, a kernel keylogger replaces or alters the core software that is responsible for interpreting the keyboard's scan codes and turning them into the characters you see on the screen. How this is accomplished varies with the hardware and OS.
Within Linux, an attacker could alter the kernel's keyboard-handling source (e.g. keyboard.c) and rebuild the kernel. The keylogger code would then be part of the core OS and would load every time the computer booted. A Windows driver-level keylogger could be installed by replacing a core .dll, .exe or driver (.sys) file that is loaded when the OS boots. Depending on the OS, the keyboard logger could be loaded right after the operating system detects the attached hardware, which would give it full control of the entire system and access to the credentials the user types to log on. In other words, the keylogger would have more power and access than the user.
The benefit of this type of keylogger is that it can be very hard to detect. Because the keylogger runs before the rest of the computer's programs, it can take precautions to hide itself from them. Unfortunately, this also means the keylogger may miss information that is generated at the application layer, such as autocompletes and address bars, since those characters never pass through the keyboard driver. Despite this, a kernel keylogger is generally considered the most powerful of the three, because nothing running on the compromised system can be trusted to detect it; comparing the kernel and driver files against known-good copies from trusted boot media is the reliable way to find one.
Other types
There are many other devices that could become a target for a keylogger. Dumb terminals, ATMs, phones, and even PDAs are all possible victims. For example, Windows Mobile, the OS that runs on millions of Pocket PCs, can be infected with a keylogger. This is a unique situation because PDAs do not have physical keyboards, but instead use a software-based keyboard called a Soft Input Panel (SIP). The default SIP is part of the core OS that is burned into the device's ROM, so it cannot be overwritten. However, with a little registry editing, Windows Mobile can be told to ignore the default keyboard and load a replacement SIP with logging capability built into it. This requires some extensive programming, but the reward is a completely invisible keyboard logging program.
Protection
It is possible to detect most keyloggers. Hardware keyloggers can be found with a quick inspection of the cable between your keyboard and the computer; most software loggers can be detected by AV programs or anti-spyware programs such as Spybot or Anti-Keylogger. It is also a good idea to run a firewall that filters outbound connections, to block a keylogger that phones home to send out its collected information. In general, a keylogger is not too different from a virus and should be prevented in much the same way (i.e. do not install unknown programs, etc.).
Summary
This section outlined what a keylogger can do and how it works. As you can see, they are not all built the same. While keyloggers have a definite place in this world, they can be used with malicious intent. In many ways, they are like security cameras: they provide the power to monitor and detect problems, but can be abused to hurt. In addition, what a keylogger records is not to be completely trusted. As one person said, "My husband has no clue that I know he is spying on me."