ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[BINVIRUS.TXT]ÄÄÄ Binary Viruses: =============== To my life's woman 1. Abstract: --------- I would not be wrong if I say that the one reading this paper knows 'Imposible Mission' movies. Obviously, I don't want to discuss its artistic details, likes or dislikes. But, what we surely all agree about these films, is the technological power they show. It is amazing, we were thinking that it was not possible to overcome James Bond's gadjets ... But we were definitely wrong ... Once again, Ethan Hunt was showing that it is always possible to go one step beyond. At this moment, I would like to recall that 'two-flavoured chewing gum' that Ethan Hunt was given at 'Imposible Mission I'. That gum was nothing but a binary plastic explosive. Each of those flavours were harmless when they were alone, but terribly powerful when joined together. In this case, the movie-star had only 5 seconds left to scape before the explosion took place. Ok, as you can imagine, this paper is about to explain how to take this behaviour into the digital world: the binary virues. The word 'virus' has been used on its widest meaning. 'Virus' as the whole family of programs that share common goals: execute code and expand over foreing machines entering them by more or less furtive means. The final intention of that execution varies with the program itself. Worms and Trojan Horses are, inside the virii world, the ones that better match the scenarios we are going to discuss here. One binary worm it is the one structured in two pieces, each one depends on the other to achieve the final goal what it was created for. If we remove the ability to self-spread and self-reproduce, we would have a binary trojan. On this particular case, the trojan would only manifest its presence and activity when the the other part took place. One binary virus is just another example of non-authorized code execution which can be potentially harmful. Over the following pages, we will study what is a binary virus. We will see one implementation example and will try to analyze possible enhancements and future research paths. 2. Description: r0bin-&-m4rian --------------------------- r0bin & m4rian are the names of each part of our demostrative example. It is a basic example. It lacks of self-replication and self-spreading abilities and it is harmless to the system it runs on. Actually, once activated, it shows the following message: echo -------------------------------------- echo m4rian, echo. echo I love you more than I can say. echo I wish I could give you all my life. echo. echo r0bin echo -------------------------------------- r0bin & m4rian can only be run over Windows NT and Windows 2000. I have released nothing for Windows 9x because it is trivial. The fact that I focus on Windows platforms does not mean that this model cannot be implemented on non-Microsoft systems (let's say Unix and the like). 2.1 r0bin: r0bin is the first part of the pair. It's mission is register a new file type on a Windows system. To be more accurate, it registers a .DZ file type and binds it to the system shell command-line interpreter. Besides that, it also binds the file type with a user-familiar desktop icon. 2.2 m4rian: m4rian is a .DZ file that gets executed by the system command-line interpreter when launched by the user. Given self-spreading and self-reproducing capabilities, they would be built inside m4rian. On our case, this part has not been implemented. 2.3 Hábitat and ability to survive: As everyone can see, r0bin is the head and main part of the team. Without head, the binary strategy is over. This is the main problem and, at the same time, the main advantage of this approach. Being required both parts, if one of them is not present, the other one goes useless, or, being optimistic, held on waiting for the other to arrive. When talking about plastic explosives, this is not a big problem, but it really is on a distributed environment like a computer network. Both sides can reach to a system on initially random moments with absolute independence. So, success is not guaranteed. Besides that, it must be the user the one activating the bomb when trying to run the .DZ file or that file type the worm's head had registered or redefined. This point brings up specialization and modularity. It is fairly possible that programmers start develop each part as separate entities. Even programmers themselves needn't to be the same: ones creating r0bins and others programming m4rians with no common goals between them. Each part can be thrown to the network on the wish of finding the other side somewhere somehow on the Internet. We are talking about lot's and lot's of possible m4rians for the same r0bin, and we are also refering to versions of m4rians installing new r0bins and so on: a full chain of binary programms. 3. Present and Future: ------------------- 3.1 The doors, The incomming ways: On the example shown before, r0bin is a .cmd file lacking any intention of hiding itself from nobody. Nevertheless, in the case we want to introduce r0bin on one system in a furtive manner, we can implement any or one subset of the well-known techniques on the virii and trojan scene: inside an executable file (a patch, an installation program, an active document, a multimedia presentation, etc.). Can you set gates to imagination? ;) r0bin's success is based on performing a legal operation on the user context running it. That is why, its execution will be unnoticed to anyone on the system. Opposite to this, m4rian needs to be a file of a certain type (as r0bin has registered or defined). Well, ... this is not that true ... ;). Let's go on. 3.2 N-arian viruses. Weaknesses: Aquiles' toe: May be you are wandering if n-arian viruses might exist. The answer is yes. But, due to their strong dependency from external factors, nobody can guarantee their surviving. In my honest opinion, they don't seem to be viable projects. Though, 3-arian (ternarian) viruses, can result really interesting due to the possibilities opened by code micro/emulation. On this particular case, r0bin, besides installing the entry point to m4rian, would also drop and install the interpreter, engine or virtual machine (VM) able to run m4rian successfully. By code emulation we understand that either the languaje or the program code are propietary. They can only be understood under the platform that the virus is by itself. The same happens when considering the virtual machine approach: the bit-chain which is in m4rian is p-code of an unknown, non-standard and proprietary VM. Only the virus creator/owner knows its specificaion. To read more about micro/emulation, you can read 'Microemulación y Seguridad': http://www.deepzone.org/editions/others/microem.htm Then, on this particular case, we can assume a weaker but more powerful virus. Its surviving possibilities decrease, but its ability to go unnoticed is considerably greater. 3.3 More about code emulation: Until this moment, we have seen how r0bin & m4rian have their code uncovered. This is not positive. The essence of a binary virus is to pass unnoticed, so clear text code is not desireable. Computer science history shows lots of ways viruses use to hide themselves from antivirus and protection systems sight. These techniques can be applyed to r0bin without restrictions. r0bin can be shipped inside any executable object. Now, we have m4rian. How to or hide something that must be executed directly (shell script code, WSH, VBA, etc.) and which is delivered to the victim as an stand-alone file. One first step to achieve m4rian's protection is micro/emulation, already explained. But, let's try to introduce m4rian inside other object. This is also possible, but is not that easy. We could think on m4rian implementations living inside HTML note tags as part of a new file type readable by the locally installed browser. Let's suppose r0bin registers the extension .DZHTML. We should also have registered the proper MIME type to have the browser read the file. In this case, we need to process the note tags before the browser takes place. One option is to use emulation and have r0bin install an interpreter on the system. This component would give control to the browser inmediatly after processing note tags. To achieve it, it would be as easy as calling the interpreter at the 'open' action of the MIME type assigned to .DZHTML. Depending on the source of m4rian's file would be necessary to set the MIME type also on the server side. But, of course, this is not a compolsory restriction. Now, let's think for a while the case of redefining the .HTML file type and its MIME type definition ... ;) We can create similar approaches to different data types. The web case is specially interesting because allows m4rian to come from completely unexpected sources. 3.4 Other entry points r0bin & m4rian take the file type registration as the entry point. Nevertheless, Windows registry, INI files, INF files, etc. are full of surprises to be discovered and operations that any user can legaly perform remaining unnoticed to any looker eyes. It is fairly possible that, over the following months, we assist to new ways of creating an entry point and interesting binary exercises. 3.5 Side Effects Depending on how the file type registration has been made, it is very easy to create an endless recursive process. This will lead to process creation and progressive memory usage on the operating system: a clasic process bomb. This is one of the undesireable effects of r0bin & m4rian: a delayed bomb. Let's see an example: if when registering the .DZ file type, we select as the program to be launched to read that file: "CMD /C %1", this is, step by step, what will happen: i. On trying to lauch the .DZ file, the system will look up for that file type on on the registry. ii. The system finds one entry for .DZ file type and tries to execute the program associated to it iii. The system creates a new process. iv. Over that new process, the system will launch CMD.EXE. v. CMD.EXE will try to execute 'm4rian.dz', which is the file he was given as first parameter (%1). vi. We return to step 1 until system resources get exhausted. This situation appears on every case where the file type registration follows the structure: => . So, if we don't want r0bin & m4rian to enter an infinite loop, we need to introduce an end condition inside r0bin. One option is to rename the file hosting m4rian and then run the renamed version. [ cmd /c move /y %1 r0bin-m4rian.cmd && r0bin-m4rian.cmd ] On the other side, if what we really want is to create a process bomb, methods for faster resource exhaustion can be studied, to minimize the victim's ability to stop it: achieving geometric or logaritmic growth insted linear. Other point to take into account is to achieve process persistency to be able to block the resources it owns. For example, when talking about 'CMD /C', the process chain can be terminated by the user. But, running 'CMD /K' would make the user to kill each process one by one to free the resources blocked by them. 4. Detection, protection and removal: ---------------------------------- r0bin is, clearly, the weakest point on the binary chain. Killed the head, killed the tail. To make things easier, r0bin comes as or with executable content. Privilege management on NT systems is useless most of the times, taking into account that r0bin performs a legal operation for a plain user on a system. Windows 2000 'Users' group cannot perform this kind of operations, so r0bin cannot run successfully under this credentials. But, Windows 2000 is shipped with the 'Power Users' group as a backward compatibility feature with NT 4 systems. This group has been granted with the same permissions the NT 4 'Users' group used to own. This is due to compatibility issues with legacy applications. So, one member of the 'Power Users' group under Windows 2000 can run r0bin successfully. Needn't to say that all Windows 9x systems are also affected. Over Windows 2000, applications must follow the 'Windows 2000 Application Specification Requirements'. When one application doesn't match this specification, there is no guarantee about wheter that application can run successfully as a plain user under Windows 2000. This is the case with lot of software developed for NT4 or earlier and currently running on production environments. That is the reason why, on many systems, users have more privileges than those assigned by Windows 2000 by default. To look more information about this particular aspect: www.microsoft.com/technet/win2000/win2ksrv/technote/secdefs.asp Of course, it is trivial for an Antivirus to implement a new monitoring procedure looking into the file type table. Just another point to note into a Security Policy. ;) 5. Conclussion: ------------ The success of this kind of creatures will be determined by this two factors: 1. The reaction shown by the Antivirus Companies 2. How mature the users are on their use of the technology. Unfortunately, the amount of Win9x users is really big, and the domestic uses of NT and 2000 is far long from responsible: the use and managing of privileges is not the appropriate. Anyway, binary worms and trojans are weak creatures. Time will say the role this kind of programs will play on the virii ground. -------------------------- Nemo - Nemo@deepzone.org www.deepzone.org DeepZone Digital Security "The Deepest, The Highest" -------------------------- ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[BINVIRUS.TXT]ÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[R0BIN.CMD]ÄÄÄ @echo off cls rem -------------------------------------------- rem r0bin v1.0 - 2000/10/22 rem Nemo@deepzone.org rem rem To my beloved girl. I love you more than I rem can say. Wish I could give you all my life. rem rem Script description: rem Automatic registration of a new file type rem for the current user profile. rem rem Files required: rem associate-nt4.exe - NT4 Resource Kit rem associate-w2k.exe - Win2k Resource Kit rem rem IMPORTANT NOTES: rem This script is not a trojan horse nor an rem i-worm. It is a 'proof-of-concept' to rem show a new way to spread and run rem potentially harmful code on any Windows rem machine. rem -------------------------------------------- rem Script variables rem set CMD2run="cmd /c" ;Useful to create a DoS. This generates an infinite loop. set CMD2run="cmd /c move /y %%1 r0bin-m4rian.cmd && r0bin-m4rian.cmd" set ToolsDir=e:\data\deepzone\tests set OStype=Win2k rem Installing r0bin head if not exist "%SystemDrive%\Documents and Settings" set OStype=NT4 if %OStype% == NT4 %ToolsDir%\associate-nt4.exe .dz %CMD2run% /q /f > nul if %OStype% == Win2k %ToolsDir%\associate-w2k.exe .dz %CMD2run% /q /f > nul rem Releasing script variables set CMD2run= set ToolsDir= set OStype= ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[R0BIN.CMD]ÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[M4RIAN.DZ]ÄÄÄ @echo off cls rem -------------------------------------------- rem m4rian v1.0 - 2000/10/22 rem Nemo@deepzone.org rem rem To my beloved girl. I love you more than I rem can say. Wish I could give you all my life. rem rem Script description: rem Displays a message on the console and rem removes the file registration previously rem installed by r0bin. rem rem Files required: rem associate-nt4.exe - NT4 Resource Kit rem associate-w2k.exe - Win2k Resource Kit rem rem IMPORTANT NOTES: rem This script is not a trojan horse nor an rem i-worm. It is a 'proof-of-concept' to rem show a new way to spread and run rem potentially harmful code on any Windows rem machine. rem -------------------------------------------- rem Script variables set ToolsDir=e:\data\deepzone\tests set OStype=Win2k echo -------------------------------------- echo m4rian, echo. echo I love you more than I can say. echo I wish I could give you all my life. echo. echo r0bin echo -------------------------------------- echo. rem UnInstalling r0bin head if not exist "%SystemDrive%\Documents and Settings" set OStype=NT4 if %OStype% == NT4 %ToolsDir%\associate-nt4.exe .dz /d /f > nul if %OStype% == Win2k %ToolsDir%\associate-w2k.exe .dz /d /f > nul rem Releasing script variables set ToolsDir= set OStype= rem Final notes ;) echo ________________________________________ echo r0bin and m4rian successfully executed ! echo binary concept proved. echo. echo Nemo@deepzone.org echo DeepZone Digital Security echo www.deepzone.org echo. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[M4RIAN.DZ]ÄÄÄ