In-Depth

Lifecycle of an E-mail Worm

Dealing with e-mail worms and viruses is becoming a bigger part of every administrator’s job. Learn from one of the industry’s foremost experts how worms enter your network in the first place and compromise your systems.

Malicious mobile code programs, like viruses and worms, aren’t mysterious. Many clients I talk to think that virus writers are child prodigies with special talents and some of IBM’s magic pixie dust, like the commercials. In truth, viruses, worms and Trojans are significantly easier to write than your standard office application—or for that matter, the Windows Notepad application. A fairly workable computer virus can be written in about 200 bytes of assembly language. The smallest is around 30 bytes. It’s much harder to write a word processing program and be forced to put in 10,000 of lines of error-checking code.

The only “secret” malicious coders understand is how to write a program designed to seek out and manipulate other system files or applications. Instead of writing a word-processing app that opens documents, they tell their creations to open executables and do devious things. I’m going to take you on a well-traveled adventure surrounding a fictitious, but reasonably representative, e-mail worm. In the process, I’ll explain how a malicious mobile code program is conceived, initiated and spread and show how the computer security community responds. In short, I’ll cover the lifecycle of a typical e-mail worm.

Malicious Conception
Malicious programs begin as the gleam in a young programmer’s eye. Nurtured by an online subculture of like-minded people, worm and virus writing is about acceptance and glorification for someone who doesn’t get the same recognition in the offline world. Each malware writing success is ever more intoxicating to the cracker. Typically, someone other than the worm writer releases the electronic creation into the world. The releaser usually has less talent than the writer but, nevertheless, is trying to be involved—in other words, a wannabe. This separation of duties allows the creator to deny that he or she intentionally released the creation if it gets traced back.

A crafty releaser could post the worm to a popular online mailing group from a random Internet café terminal whose use was paid for in cash. Popular mailing lists can contain over 100,000 subscribers, and many aren’t moderated. When the e-mail worm is posted, it immediately ends up in every subscriber’s inbox without any vetting mechanism to determine legitimacy. The spreader would probably use an e-mail account from one of the plethora of free services, which couldn’t be easily traced. To be successful, the worm e-mail must contain a message with mass appeal. Maybe it’s a message of national solidarity, maybe it’s forged as an emergency patch from Microsoft, or maybe it petitions the lowest common denominator with an offer of free porn. Whatever the pitch, the e-mail with the hostile executable gets distributed around the world, arriving in thousands of inboxes. It hasn’t yet been executed.

Growth Spurt
An unsuspecting user opens the e-mail, reads the message and clicks on the attached executable. Sometimes, because of vulnerabilities in the e-mail client, the user doesn’t even need to run the attachment. He or she simply opens the message or views it to set off the executable (see www.microsoft.com/technet/tree view/default.asp?url=/technet/security/bulletin/MS01-020.asp, “Incorrect MIME Header Can Cause IE to Execute E-mail Attachment”). There have even been a couple of cases, using maliciously crafted messages to instigate buffer overflows, where the message only needs to show up in the user’s inbox to take control. If it doesn’t auto-execute, the malicious file can arrive as a separate file or be linked to the e-mail using an embedded URL or script. If the file is pulled across the Internet, the malicious code is usually stored on a Web site hosted by one of many free Web site services.

If not appropriately restricted, when Outlook and Outlook Express recognize HTML coding in an e-mail message, they call the Internet Explorer Web browser control (SHDOCVW.DLL), which, in turn, calls the HTML parser (MSHTML.DLL) and rendering component (see Figure 1). The rendering component then calls other supporting components as required and can launch other ActiveX controls, plug-ins, the Java Virtual Machine (JVM), or ActiveX scripting engines (JSCRIPT.DLL or VBSCRIPT.DLL). If Outlook or Outlook Express encounters an embedded URL, the client will launch Internet Explorer in its entirety.

Worms move from outside to inside a network
Figure 1. The path which a malicious worm can take to move from the outside of your network to the inside. (Click image to view larger version.)

Malicious hackers go to great lengths to try to fool the user into thinking the attachment is safe. Most e-mail users know not to run attached .EXE files, so crackers use many tricks to deceive the user into thinking the executable is safe. They can:

 Give it a multi-extension name like readme.txt.exe.

 Give it a .pif extension like readme. pdf.pif.

 Make it a screensaver like nation alflag.scr.

 Arrive as a maliciously crafted media file like britney.wma.

The first two tricks work because every version of Windows since Windows 95 hides “known extensions” by default, concealing the last extensions and making the files appear to be harmless Read-only documents. The second two tricks work because most users don’t know what is and isn’t a dangerous executable. My own list of potentially dangerous file extensions is at nearly 100. The majority of users have never heard the phrase “buffer overflow,” don’t know how easy it is for one file type to launch another file type, or understand that the Snow White and the Seven Dwarfs screensaver can hurt their system.

The tricked user runs the executable. If the worm doesn’t want to be immediately discovered, it’ll display what the user was expecting—a picture or document, or perhaps a Trojaned screensaver. The malicious coder can also generate a fake error message, making the user run the executable a few times. Usually the first symptom of the e-mail worm attack the user notices is a sudden, acute slowness in his or her computer. Maybe the screen flickers or the cursor is slow to respond to mouse input. By that time, the game is over. The worm has won and has already spread to dozens or hundreds of other unsuspecting users. More on this shortly.

Not Just for LANs Anymore

E-mail worms affect more than e-mail servers and LANs these days. Because we often store the e-mail addresses of cell phones and pagers to send short messages, worms end up multiplying on cellular and pager networks. When the Loveletter worm first appeared, my cell phone didn’t work for more than three hours, and even my land-based Ma Bell network was overwhelmed for an hour as both of those services came to grips with the onslaught of malicious messages. This type of tertiary interaction worries security experts as more companies and public utilities begin to rely on the Internet for their operations.

—Roger A. Grimes

Local Infiltration
When the worm program is executed, its immediate task is to modify a system in such a way that it gets placed into memory each time the user starts or uses his or her computer. It’s common for malicious code to place itself in the Registry startup keys. These are located at HKEY_ Local_Machine\Software\Microsoft\ Windows\CurrentVersion\ and begin with the word Run. Any program listed in these areas will automatically be executed when Windows starts.

Alternately, the worm can install itself as a service and gain privileged access to the Windows operating system kernel. NT, Windows 2000 and Windows 2003 prevent normal, user-mode applications from directly interfacing with the OS kernel, I/O devices and disk and memory access—all the things to which viruses and worms want unbridled access.

Loading as a service or device driver gives a worm two advantages beyond kernel-level privileges. First, services run before the user logs in and continue running after the user has logged out, if the machine is still turned on. Second, services and device drivers have a better chance at hiding from inspection utilities looking for active files.

Getting to kernel mode as a device driver isn’t nearly as easy in NT and later Windows versions as it was in earlier versions. This holy grail of malicious programming kept pure 32-bit Windows viruses at bay for a few years when NT was initially released until virus and worm coders learned the ins and outs of Win32-bit programming APIs.

Depending on the Windows version, a worm has several ways to go to kernel mode or become a service. It can use the Windows RegisterServiceProcess() API to register and load itself as a service. It can copy itself as a .SYS or .VXD file to the default Windows driver directory (for example, \system32\drivers). It can execute itself as a program under the RunServices Registry key or use the Create RemoteThread() API to inject and hide its code under another legitimate process (such as explorer.exe). Depending on how it was loaded, the worm may or may not appear in Task Manager or other service listing utilities.

Even when the worm is displayed as a running process, often a user doesn’t know enough about Windows and their other legitimate active programs to pick out the rogue process. Worms are famous for using characters in their process name that aren’t readily displayable or choosing a sound-alike name. Worms can use “unprintable” ASCII characters that display as spaces or create a file name with lots of blank spaces, like______________________ ______________________mutex. The displayable character portion of the name is pushed to the far right and doesn’t appear in Task Manager’s small, left-justified window. In either case, if the user pulls up Task Manager, he or she usually won’t notice a blank row in the list of running services or programs. Some worms will create new files with official-sounding names or names spelled very closely to legitimate file names, like win32.exe, winservices.com or system32.vxd. Unless you’re familiar with Windows system files, you might be fooled.

Viruses that infect protected system executables in Windows Me, Win2K, XP or Windows 2003 will be thwarted by Microsoft’s Windows File Protection or WFP (called System File Protection, or SFP, in Me) mechanisms. WFP and SFP allow the original file to be modified, then look at the modified file for a valid stored digital signature. If the digital signature of the modified file doesn’t match an accepted signature, the original file is replaced. For this reason, many viruses don’t spread as efficiently on Microsoft’s newer OSs, although they still can do damage during their initial execution and infect non-system files.

Malicious code has dozens of other places it can hide to make sure it gets placed into memory. First, there are several other areas in the Registry, including modifying HKEY_CLASSES_ROOTexefile\shell\open\command in such a way that the worm is loaded whenever any Windows executable is started. Malware can place itself in the Startup group or modify or create the following files to gain control: autoexec.bat, config.sys, winstart. bat, dosstart.bat, win.ini, system.ini, or wininit.ini. Windows’ flexibility gives malicious startup programs lots of places to hide.

Procreation
The worm begins to search for e-mail addresses so it can replicate. It can use Microsoft’s MAPI API to enumerate the addresses, but Microsoft closed that hole with an Outlook security patch. It can still look for and manipulate the physical files containing your e-mail messages and harvest e-mail addresses from there.

In Outlook Express, the Inbox file is called inbox.dbx, and the address book is stored in a file with the extension .wab. The filenames and their locations are queried out of the Registry by the worm, then opened and the e-mail addresses extracted. The worm can use the MAPI API to send e-mail or, as is becoming more common, it might contain its own SMTP engine so it doesn’t need your Outlook client or Exchange server to send itself.

Network administrators should be suspicious if SMTP requests coming from user workstations start hitting your firewall trying to get out. In Outlook/Exchange environments, Outlook uses the RPC protocol to communicate with the Exchange server, not SMTP over port 25 (see Figure 2). Most properly configured firewalls should only allow SMTP traffic out from verified mail servers, plus any clients who need special SMTP access for home accounts or Web-based e-mail accounts.

Figure 2. If your clients aren't using RPC to talk to Exchange, as shown here, it might be an indication that a worm is hiding on your network. (Click image to view larger version.)

The e-mail worm collects addresses and sends itself out. It could be only to five, 10 or 50 addresses or maybe to everyone in your e-mail address book. It may or may not pretend to be from you. First-generation worms wanted to make the message appear as if it were coming from you, so your acquaintance would trust the attachment and get infected. Today, e-mail worms use one of the found e-mail addresses as a forged sender address so that recipients and e-mail antivirus scanners can’t warn the originator about the infection. This new trait leads to many false accusations and wasted time, as the accused party has to make sure they aren’t infected even if they had nothing to do with the attack.

It’s usually at this point, as dozens of identical messages begin to pop up on everyone’s PC at the same time, that the IT department gets called. By this time, if the worm is going to do damage beyond e-mailing itself, the harm has already been done.

What worms do to computer systems is as varied as the number of worms. Luckily, most just want to spread themselves around the globe to gain the cracker some subculture fame. Others are more malicious in nature and start overwriting content on local hard drives, mapped drivers and network shares. The worm may use one of Windows’ programming function calls, like WNetEnumResource, to find shares or be hard-coded to look for specific resources. Once it finds a share, it infects or corrupts files. Or, like Klez, it may drop another virus. Others install backdoors to allow crackers remote access. Network administrators may notice this when their firewall reports strange, persistent outgoing port attempts coming from user workstations. Other worms change share permissions, search for passwords, disable antivirus software or phone home.

Phoning Home
It’s common for worms to contact the originating hacker to let them know about each successful exploit. Sometimes they e-mail the hacker’s temporary e-mail account to give notice, but often they set up an IRC or ICQ client and begin transmitting instant messages to a private hacker channel. Hackers monitor the channel and wait for exploit announcements. The worm announcement will say something like, “Victim at 10.1.1.123 is online.” The cracker can then manually investigate the host computer or maybe send one predefined chat channel command to tell all the worms to begin doing something damaging. Enterprising malicious writers have even coded their worms to download and upload malicious plug-in modules using legitimate antivirus chat channels, like Hybris did with the alt.comp.virus newsgroup. That one smarted.

What the worm or virus does is limited by the OS it infects and what it is coded to exploit. As a rule, malware is limited by the rights and permissions of the logged-in user (user- mode process) unless it can become a service, become a part of the system kernel, or grab an administrator’s credentials. Of course, in most cases, the user’s access is enough to do a whole lot of damage. In other cases, malware wants the coveted Administrator account privileges, and it’ll attempt to elevate its security rights or exploit other system holes to gain higher privileges. Some malware programs, like RemoteExplorer, wait for an administrator to log in and then grab the admin’s credentials (using the process token) to attack other systems with impunity.

Many malicious programs can execute and spread across several Windows versions but, because of the APIs they use to access the disk or hardware resources, they may not be able to cause damage. For example, the CIH virus can infect 9x and NT executables but can’t spread on NT or later systems. Also, depending on the OS, it may not be able to corrupt the BIOS. For example, although the Magistr virus can spread across most Windows platforms, it can only manipulate the BIOS of Windows 95/98 machines. When antivirus vendors prefix a virus or worm name with W95 or NT vs. Win32, they’re saying the malware only works completely on certain platforms. Win32 viruses, on the other hand, can infect and may be able to damage Windows 95 and later systems. Again, WFP or OS security may prevent some virus interactions. For example, although most boot-sector viruses can crash an NT system if an infected disk was used to boot the machine, once NT (or later) is loaded, pure boot sector viruses will be prevented from interacting with the boot sector and infecting other floppy disks.

Within a few seconds of the worm’s execution, it has sent itself to everyone in the user’s address book, modified the local system so that it’s in memory every time the PC starts, infected remote network shares, modified files, and, in general, done its damage. And the same scenario is playing out in hundreds or thousands of networks at the same time, often spreading blindingly fast: The SQL Slammer worm infected 90 percent of potential hosts in its first 10 minutes.

Catch Me if You Can
Within 15 minutes of the initial attack, sketchy reports start pouring in to antivirus vendors, Internet security coordination sites and spreading by word of mouth. It’ll still be another 30 minutes until enough reports have been confirmed for CNN to run a story about the latest e-mail outbreak.

When antivirus vendors get their first sample, they have two objectives: detection and repair. They hand off a copy of the latest bug to their best researchers, who start running the worm on a laboratory PC in a virtual environment. The virtual environment is watched by all sorts of monitoring utilities. Every file write, system call and Registry write is recorded. They let the worm make hundreds to thousands of infections against “bait” files or e-mails looking for commonalities and differences to make a reliable byte pattern signature. Reliably detecting the worm is usually not that hard; it’s reliably detecting the worm and not having a whole slew of false positives that’s challenging.

Once the detection signature’s found, figuring how to remove the worm and repair the system becomes key. This is where time plays against the vendor. The longer they research how to repair every system in the world that the worm may have infected, the longer the detection signature is held up. It’s common for the vendor to release a mostly reliable detection and repair tool in the first few hours, but it can take a day or two to craft the perfect detect and repair mechanisms.

At this point, antivirus administrators are often frustrated because their vendor’s antivirus Web sites have the new worm signature and removal tool, but are too overworked to handle the download volume. The admin sits and watches the vendor’s Web page time-out again and again. Luckily, most vendors today have bandwidth agreements in place to get bigger emergency pipes if the traffic demands it, and centralized corporate servers can grab the update and distribute it to the rest of an internal organization.

Official notices about the worm start being released around the same time as the detection signatures. All the details and consequences of the worm won’t be known and released until the following day. The worm will be added to next month’s WildList, www.wild list.org, detailing the world’s most popular worms and viruses, and vendors may release patches to close discovered holes. More typically, vendors tell customers to apply the patches that have been out for some time but weren’t applied.

A popular worm can go from a single copy to blanketing the world in less than a few hours. And they’re getting faster all the time: I predict the Slammer’s record of 10 minutes will fall. Slammer only infected unpatched Microsoft SQL servers (and a multitude of clients with MSDE installed). A faster spreading worm could infect workstations and use each of them as host server spreaders.

Threat Matrix

Click here to download a list of potentially dangerous file extensions that I've compiled into a table. The download, in .PDF format, requires Adobe Acrobat Reader, which you can obtain for free by clicking here. The .PDF format is currently not on this list.

(If you encounter problems obtaining the files, send e-mail to MCPmag.com Editor Michael Domingo at [email protected]).
—Roger A. Grimes

A Long Lifespan
Most worms peak the first day and start dying down each day thereafter. Some, like Klez and CodeRed, will continue to propagate in large numbers across the Internet for months and years. If the worm is popular and garners national media exposure, the cracker subculture will begin to make variant copies—slightly adjusted to fix bugs—to evade antivirus software or to send around a new message. Most of these variants are simple nuisances that can be easily detected. Eventually, the bug will plateau to a sustained level of infection for a few months, then dwindle down to a few infections every now and then. However, because of the very nature of malicious code, it’ll always replicate if given the chance. The WildList is full of viruses originally released in 1994 and 1995. Occasionally, a copy of the Stoned boot virus from 1987 will pop up on an infected floppy disk and make the list.

Future Worms
This account was just a simple worm. Advanced threats like Nimda have several different attack methods and would make a much longer story. Internet-spreading malware will continue to proliferate, although the mechanisms will evolve as people’s usage patterns change. Boot sector viruses used to be the primary method of infection, then macro viruses, and now e-mail and Internet worms. The next big explosion of malicious code will follow the popular path of technology; if the pundits are accurate, that means malware will eventually concentrate on attacking PDAs, cell phones and instant messaging channels with a vengeance.

What Can You Do?
Make sure your company has a multi-tiered computer security defense, including antivirus software, firewalls and automated patch-distribution systems. And don’t forget education: for both the users and you, the administrator. You must constantly keep up on the latest viruses and worms, how they spread, and what attack vectors they’re likely to choose next, so you can proactively protect your network instead of just reacting to the latest e-mail outbreak. This will keep you from having to explain to your boss why yet another e-mail virus has brought the network to its knees.

Featured