Thursday, April 07, 2005

The "Perfect" Virus

On the theme of my earlier article on viruses, I'd like to touch on how a perfect virus is not only possible but also, if ever created, extremely nasty to stop.

PLEASE NOTE: I do not condone the creation of viruses, nor of any program which resides or gains entry to a computer in illicit ways, including spyware, adware, forced updates, etc. This article is targeted at a particular operating system, notably the one most prevalent today and that which is subject to the greatest number of virus attacks... (two facts which are not, despite popular belief, cause and effect)... Windows in all its flavours. Most of the ideas listed below WOULD NOT WORK for any other operating system and the purpose of this article is to highlight just how Windows leaves itself open to mass destruction, and also just how tame current viruses are compared to what they could be. I accept no responsibility if some idiot uses some of these ideas, in the same way as someone who says "the security on that building looks weak... someone could walk right in there and slip through unnoticed" has no responsibility if someone actually DOES do just that.

Viruses in the last few years have changed tack. At first, the early DOS viruses merely spread over floppies, infecting already-present executables (there was no autorun facility in the operating system to abuse), the startup files or the computer's boot sector. Later they became more sophisticated and started not only to infect executables but to hide themselves in such a way that they could not be detected easily. These early viruses were highly destructive... reformatting hard drives, damaging hardware, even wiping the CMOS settings.

Then Windows became more prevalent and the viruses changed tack. No longer were they destructive, no longer did they have to hide themselves so well or use particular avenues to infect the machines. Network shares, badly coded file handlers leading to security vulnerabilities, scripting and macro languages with WAY too much power over the computer are all open doors as far as a virus is concerned. And now the viruses could turn your PC into a valuable commodity that would sell on the black market, useful for spamming, covering tracks, attacking remote machines and taking down large corporations' websites.

At the same time, virus scanners were updated to cope. Nowadays hardly any virus scanner takes control of the machine from boot; instead they rely on Windows to initialise the anti-virus program. This, however, is a reversion to an older, bad idea: a scanner that loads after the operating system is checking the system from inside the very environment it is supposed to be checking, and anything that loaded first can lie to it. The best anti-virus scan is one run from clean boot media, as the sole program in memory. Other protections did help, such as the BIOS options to protect the boot sector and guard against unauthorised BIOS flashing, and Windows and Internet Explorer in particular were updated to stop scripting attacks working so well from remote websites.

Soon, traffic coming over the network cable could exploit holes in the operating system's services to take control of a machine without any file having to be on the hard disk or in RAM already. Firewalls stopped the majority of those attacks, but lots of people who were unprotected were caught out by the early variants. Running Windows Update would have prevented many of these attacks but not all and, besides, what use is a cure if you have to open yourself up to attack to obtain it?

So, what would the perfect virus look like?

First, a number of infection methods would be available. Rather than relying on a single hole through which to gain access to a machine, several methods would be needed. The more entry methods, the greater the chance of spreading. Executable size is rarely an issue nowadays, what with broadband connections, so many methods could be implemented in a single executable.

Secondly, detection avoidance would be a must. If the cause can be discovered, it can be cured. Having got onto a target machine, a passive analysis of its hardware and software should be conducted: does it have anti-virus? Are the BIOS options for boot-sector protection turned on? Where can I hide?

After the passive analysis, hopefully we still wouldn't have triggered anything that would alert the user to our presence. But how would we stop things like AV packages finding us? For that, we'd need to revert to the older tactics. AV packages, on the whole, rely on file "signatures": short byte sequences that identify a particular virus.

We'd have to be signature-less, as best we could. In the olden days of viruses we had polymorphism: the ability to change size, shape and contents and yet still be the same program. Look around your hard drive. Somewhere there will be files which are designed to hide their contents, be they encrypted, compressed or obfuscated. Programs like UPX (an executable compressor) are commonly used by viruses to reduce their size, but packing is deterministic: the same executable packed the same way gives the same bytes, and therefore the same signature.

There are also such things as encrypted files. One of the lesser-known goals of encryption is to make the output indistinguishable from random data, so an encrypted file has no consistent signature: the same program encrypted under two different keys shares no useful byte sequence with itself, and changing the key renders any signature taken from the previous copy useless.

However, we would need a "key" with which to decrypt ourselves. That key could be changed at will by the program as it transmits itself between computers, re-encrypting its raw contents with the new key each time and carrying the key alongside the encrypted data inside itself. The code that decrypts the body would itself be a signature, though, since it cannot be encrypted if it is to execute. Somewhere down the line we would have to give ourselves away.

Or would we? Surely a method could be devised where the decryption code is some kind of standard routine, such as the decryption engine of a ZIP program, or some other byte sequence which couldn't be hunted without also turning up innocent programs. Nobody would trust AV vendors if their software suddenly started spouting virus warnings for a perfectly innocent file. There are lots of genuine programs out there that have a built-in decryption engine and some encrypted content inside an ordinary executable file. If we were to hide in one of those, we could remain undetected at least until we'd had a chance to start executing our code, couldn't we? One caveat: a scanner doesn't have to match bytes on disk at all. One that emulates the decryptor and scans what comes out recovers the body signature regardless of which stub was used, and AV engines have done exactly that since the polymorphic DOS viruses of the early 1990s forced them to.
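The signature argument above can be seen in a few lines. The following is an added example, not code from the original post: a toy in which a harmless text body stands in for a program image, a repeating-key XOR stands in for the cipher, an arbitrary constant stands in for the decryptor stub, and a substring match stands in for a byte-signature scanner. All of those are constructed for the demonstration; none of them is real malware or a real AV engine.

```python
"""
Added example, not code from the original post: why a byte-signature scanner
gets no stable match on an encrypted body, while the decryptor that every copy
must carry in the clear stays matchable, and why emulating that decryptor gives
the body signature back.

Everything here is constructed for the demonstration: PAYLOAD is a harmless
text string standing in for a program image, STUB is an arbitrary constant
standing in for decryptor machine code, and the "cipher" is a repeating-key XOR.
"""
import secrets

PAYLOAD = b"HARMLESS DEMO BODY: print('hello from the sample program')"

# Constructed bytes standing in for the decryptor stub. They are identical in
# every generation because they have to run before anything can be decrypted.
STUB = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\xe8\x00\x00\x00\x00\x5b\xc3"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def random_key(length: int = 16) -> bytes:
    """Per-copy key. Zero bytes are excluded: XOR with 0x00 would leave those
    plaintext bytes exposed on disk, which is exactly what a scanner looks for."""
    return bytes(secrets.randbelow(255) + 1 for _ in range(length))


def make_copy(key: bytes = b"") -> bytes:
    """One generation of the file: stub || key length || key || encrypted body.
    Passing the same key twice gives byte-identical output, the UPX point."""
    key = key or random_key()
    return STUB + bytes([len(key)]) + key + xor_bytes(PAYLOAD, key)


def emulate(blob: bytes) -> bytes:
    """What the stub does at run time, and what an emulating scanner repeats:
    read the key out of the file and recover the body."""
    off = len(STUB)
    klen = blob[off]
    key = blob[off + 1 : off + 1 + klen]
    return xor_bytes(blob[off + 1 + klen :], key)


def scan(blob: bytes, signature: bytes) -> bool:
    """Naive signature scanner: substring match over raw bytes."""
    return signature in blob


BODY_SIG = PAYLOAD[9:25]  # bytes an analyst would lift from a decrypted sample
STUB_SIG = STUB[:8]       # bytes lifted from the decryptor itself


def demo(n_copies: int = 5) -> dict:
    """Generate n re-keyed copies and count what each signature finds."""
    copies = [make_copy() for _ in range(n_copies)]
    return {
        # A signature taken from the plaintext body never matches what is on disk.
        "body_sig_hits_on_disk": sum(scan(c, BODY_SIG) for c in copies),
        # Re-keying changes every byte of the body, so no two copies look alike.
        "distinct_encrypted_bodies": len({c[len(STUB):] for c in copies}),
        # The stub cannot be encrypted, so a signature on it hits every copy.
        "stub_sig_hits_on_disk": sum(scan(c, STUB_SIG) for c in copies),
        # Run the decryptor first and the body signature works again.
        "body_sig_hits_after_emulation": sum(scan(emulate(c), BODY_SIG) for c in copies),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run stand-alone it prints the four counts for five generations: zero body hits on disk, five distinct bodies, five stub hits, and five body hits once the stub has been emulated. The zero-byte exclusion in `random_key` is the edge case worth noticing: a weak re-keying scheme that lets key bytes be zero leaves fragments of plaintext on disk, and a scanner's signature only needs one such fragment.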

Rootkits misuse low-level services within the operating system to hide their files from virus scanners, intercepting file system calls and substituting fake, harmless data whenever their own contents are requested by another program. Once activated, our program could well do this too. Why not? Any step that makes it harder to remove would help it stay.

There are several places a program can put itself to be automatically executed when the computer is started: the boot sector, Windows' own startup entries (the Run keys in the registry, the Startup folder), a service, or another program that runs on startup. Why not, if we can verify that nothing is watching us do so, try all of them? That way ALL of them would have to be cleaned up in order to stop us loading.

Most AV disinfection is done while the virus is still present, i.e. while the infected computer is actually running. For a lot of viruses, the first thing you need to do is terminate their processes in order to be able to remove their files. If you don't, you run the risk that the virus will notice and compensate by reinstating all the entries it needs to run.

So if someone is going to try to shut us down while we are running, why don't we spawn a few more copies of ourselves, as soon as we possibly can, and have them coexist? Have them watch each other. As soon as any one virus process disappears for no good reason, IMMEDIATELY start another one, or even two. Done fast enough, this negates any manual attempt at shutting those processes down.

Sometimes, in Windows, programs are notified that they are about to be shut down before they are actually terminated. Why not watch for those notifications and, in the brief window they give us, cancel the action or spawn more copies of ourselves? (A forced termination gives the target no such warning, which is why the mutual watchdogs above matter more than the notification.)

With processes all watching each other, the user would have to be bloody quick to get rid of us all and may even need specialised tools or knowledge to do so. It might even baffle automated removal tools, at best sending them into an infinite loop where, for every process they terminate, two more turn up. That's what the user gets for detecting us and trying to remove us. He'll have to do better than that.

On the subject of retribution, there was a brief spate of DOS viruses that, when activated, removed a critical part of the machine's data, usually the partition table, and held it to ransom. "Co-operate with me or I won't put it back. Turn me off and you lose it forever." It might be an idea to do that while we're at it. Given the wealth of vital information on the computer, blackmail might not be a bad tactic for a virus to execute.

Setting vital passwords (such as those of the admin accounts) to random values, changing or removing the passwords that protect encrypted files or disks, and setting CMOS passwords or hard-disk passwords, if we think we know where they are stored, would all serve. The ATA spec includes a security feature set that locks a disk behind a password which must be sent over the IDE cable before the disk will serve any reads (it is a lock on the drive, not encryption of the data, but the effect on the user is much the same). If we could get that to work, that might be fun.

Of course, we'd only do this if someone tried to remove us. The worst case for a virus is that the computer gets formatted and replaced with a clean copy of Windows. We want to make sure that that is the ONLY way the user could remove us, because we want to cause as much inconvenience as possible. That way the virus gains a name for itself (which is actually a bad thing; much better if people aren't aware we exist) but it also provides us with a fresh supply of unpatched machines trying to reach Windows Update before we can reinfect them through whatever hole Microsoft may have patched.

Obviously, though, we have more than one entry ticket up our sleeve and can try a number of different ways in. In fact, it might even be an idea to use a plug-in style interface: have the virus contact some location, or several such locations in case one is discovered and shut down (file-sharing networks, FTP and web sites, already-infected computers, there's no end of places), and download the latest "updates".

They could include:

-plugins for new methods of infection, to combat any patches that become available;
-plugins for more advanced analysis of the computer, to discover its flaws;
-plugins which update the update locations themselves, in case the sites all get shut down;
-plugins to change the way the virus polymorphs itself;
-plugins to cater for more architectures (64-bit, or even different processors) and more machine types;
-plugins to take advantage of new technologies, new storage methods and new ways to hide inside different file formats;
-plugins that interact with your CD-writing software so that any bootable CD contains the virus and/or an autorun entry that runs it silently;
-plugins to infect over instant-messaging networks;
-plugins to swamp file-sharing networks with fake files (or, even better, real files) containing the virus;
-plugins to allow backdoor access, using UPnP or discovered passwords to disable or tweak any firewall blocking it.

There is no end to the ways the virus could be upgraded, all of which would make it harder to detect and remove, easier to propagate, harder to block and harder to brush aside as just a virus.

However, this plugin interface would itself be a possible avenue for an anti-virus worm: a self-cleanser that finds infected machines and exploits the virus's own update channel to remove it rather than strengthen it. Some sort of public-key signature check (with the public key suitably obscured or encrypted within the executable itself) would be needed, to verify that any update was signed by the virus author. Defeating that honestly means recovering the private key from the public key, which for properly sized keys is computationally infeasible for anyone, supercomputers included; the realistic routes are stealing the author's private key or finding a bug in the virus's own signature check, not breaking the mathematics. And if such an anti-virus virus should ever appear? Well, send out a plugin update that changes the key pair on those machines that remain infected and on the Internet.

As people try to defeat the virus, hopefully new updates to it would ensure that the usual ageing process of a virus, from obscurity to notoriety and back to obscurity, wouldn't occur. Instead of slowly dwindling away, more and more machines would succumb to the virus, which would take advantage of every known hole as soon as it appeared. Those who had removed the virus and patched to the latest level would only be safe until the next plugin appeared. Generated from the few remnants of the virus remaining on the older, unpatched, unmaintained machines on the Internet, the virus would reappear in new forms, taking advantage of new techniques which had taken account of whatever its previous weaknesses were.

The distribution of the virus would be controlled by a changeable plugin. Once one signature had been spotted by AV vendors, an update could be rolled out to change that signature so that the next generation of the virus would be different as it spread.

New plugins for analysis would recognise specific versions of the tools designed to remove the virus. The standalone removers would be blocked or fooled into thinking they had done their job, and the major anti-virus tools would have to change signatures often to catch up with each new variant formed by the newer plugins. Newer virus versions would carry detailed information on what virus scanners look like and how to defeat them, either by hiding from them, faking some of their information or, crudely, terminating the anti-virus program (that seems quite amateur and noticeable, and we'd only want to do it if it were absolutely necessary for a particular combination of AV scanner and virus signatures).

Using the above, we'd aim to get onto as many machines as possible, whether we can sneak in past some ancient or poorly crafted AV scanner or whether we have to get onto the machine, terminate everything and attract the attention of anyone using it. Preferably we'd do the first, because we also want to stay on each machine for as long as possible. We want nobody to know we are there. We can sit dormant and wait for years for someone to hook us up to the Internet so that we can cause as much havoc as we can.

Thirdly, once we're on millions of machines worldwide, we need a purpose. Previous viruses have done everything from reformatting the machine to sending out spam or attacking certain websites. Each of those is malicious and achieves little. Maybe the payload of the virus should be something simple. Demonstrate to people what you COULD have done. Pop up a message once a week showing what you could have achieved.

How's this sound?

"You have been infected with the Super-X virus. This virus was created with the goal of showing you just how insecure your operating system is and how the trust you have put into the company that made it, Company X, is misplaced. Company X left the following gaping holes in their software:

-A vulnerability caused by a buffer overflow in Service X.
-A poorly implemented software firewall which doesn't block packets of type X.
-A security oversight in the default settings of program X (created by Company X).
-A security oversight in the default settings of program Y (created by Company Y).
-Poorly checked security restrictions in module X.
-A failure of your anti-virus software, X, to discover my presence despite you paying for an up-to-date subscription, with your credit card XXXX-XXXX-XXXX-XXXX.

Using the above (and other) holes, I could quite easily have done any of the following without you knowing and without your permission:

-Formatted your hard drive, losing all your data.
-Sent out spam email claiming to have come from anyone on the Internet, to anyone on the Internet.
-Attacked any website that I chose, co-operating with NNN,NNN other infected computers globally, possibly resulting in a complete loss of that website.
-Stolen all your passwords and your credit card numbers from file XXX and website XXX and sent them to random, or selected, people on the Internet for them to use to obtain further information about you.

Please inform any of the above software vendors if you are unhappy about my ability to do this so easily or, alternatively, vote with your feet."

It would become the most famous virus ever and, like the Millennium Bug and Black Monday, stick in the minds of users who might, just might, then ask for a computer that isn't susceptible to a virus the next time they buy one at PC World.

Can you imagine just what that would do to the Internet, to the way common people work and trust machines or companies and to the way people think about computer security?
