Lifecycle of an E-mail Worm
Dealing with e-mail worms and viruses is becoming a bigger part of every administrator’s job. Learn from one of the industry’s foremost experts how worms enter your network in the first place and compromise your systems.
- By Roger A. Grimes
- July 01, 2003
Malicious mobile code programs, like viruses and worms, aren’t mysterious. Many clients I talk to think that virus writers are child prodigies with special talents and some of IBM’s magic pixie dust, like the commercials. In truth, viruses, worms and Trojans are significantly easier to write than your standard office application—or for that matter, the Windows Notepad application. A fairly workable computer virus can be written in about 200 bytes of assembly language. The smallest is around 30 bytes. It’s much harder to write a word processing program and be forced to put in 10,000 of lines of error-checking code.
The only “secret” malicious coders understand is how to write a program
designed to seek out and manipulate other system files or applications.
Instead of writing a word-processing app that opens documents, they tell
their creations to open executables and do devious things. I’m going to
take you on a well-traveled adventure surrounding a fictitious, but reasonably
representative, e-mail worm. In the process, I’ll explain how a malicious
mobile code program is conceived, initiated and spread and show how the
computer security community responds. In short, I’ll cover the lifecycle
of a typical e-mail worm.
Malicious programs begin as the gleam in a young programmer’s eye. Nurtured
by an online subculture of like-minded people, worm and virus writing
is about acceptance and glorification for someone who doesn’t get the
same recognition in the offline world. Each malware writing success is
ever more intoxicating to the cracker. Typically, someone other than the
worm writer releases the electronic creation into the world. The releaser
usually has less talent than the writer but, nevertheless, is trying to
be involved—in other words, a wannabe. This separation of duties allows
the creator to deny that he or she intentionally released the creation
if it gets traced back.
A crafty releaser could post the worm to a popular online mailing group
from a random Internet café terminal whose use was paid for in cash. Popular
mailing lists can contain over 100,000 subscribers, and many aren’t moderated.
When the e-mail worm is posted, it immediately ends up in every subscriber’s
inbox without any vetting mechanism to determine legitimacy. The spreader
would probably use an e-mail account from one of the plethora of free
services, which couldn’t be easily traced. To be successful, the worm
e-mail must contain a message with mass appeal. Maybe it’s a message of
national solidarity, maybe it’s forged as an emergency patch from Microsoft,
or maybe it petitions the lowest common denominator with an offer of free
porn. Whatever the pitch, the e-mail with the hostile executable gets
distributed around the world, arriving in thousands of inboxes. It hasn’t
yet been executed.
An unsuspecting user opens the e-mail, reads the message and clicks on
the attached executable. Sometimes, because of vulnerabilities in the
e-mail client, the user doesn’t even need to run the attachment. He or
she simply opens the message or views it to set off the executable (see
“Incorrect MIME Header Can Cause IE to Execute E-mail Attachment”). There
have even been a couple of cases, using maliciously crafted messages to
instigate buffer overflows, where the message only needs to show up in
the user’s inbox to take control. If it doesn’t auto-execute, the malicious
file can arrive as a separate file or be linked to the e-mail using an
embedded URL or script. If the file is pulled across the Internet, the
malicious code is usually stored on a Web site hosted by one of many free
Web site services.
If not appropriately restricted, when Outlook and Outlook Express recognize
HTML coding in an e-mail message, they call the Internet Explorer Web
browser control (SHDOCVW.DLL), which, in turn, calls the HTML parser (MSHTML.DLL)
and rendering component (see Figure 1). The rendering component then calls
other supporting components as required and can launch other ActiveX controls,
plug-ins, the Java Virtual Machine (JVM), or ActiveX scripting engines
(JSCRIPT.DLL or VBSCRIPT.DLL). If Outlook or Outlook Express encounters
an embedded URL, the client will launch Internet Explorer in its entirety.
|Figure 1. The path which a malicious worm can
take to move from the outside of your network to the inside. (Click
image to view larger version.)
Malicious hackers go to great lengths to try to fool the user into thinking the attachment is safe. Most e-mail users know not to run attached .EXE files, so crackers use many tricks to deceive the user into thinking the executable is safe. They can:
Give it a multi-extension name like readme.txt.exe.
Give it a .pif extension like readme. pdf.pif.
Make it a screensaver like nation alflag.scr.
Arrive as a maliciously crafted media file like britney.wma.
The first two tricks work because every version of Windows since Windows 95 hides “known extensions” by default, concealing the last extensions and making the files appear to be harmless Read-only documents. The second two tricks work because most users don’t know what is and isn’t a dangerous executable. My own list of potentially dangerous file extensions is at nearly 100. The majority of users have never heard the phrase “buffer overflow,” don’t know how easy it is for one file type to launch another file type, or understand that the Snow White and the Seven Dwarfs screensaver can hurt their system.
The tricked user runs the executable. If the worm doesn’t want to be
immediately discovered, it’ll display what the user was expecting—a picture
or document, or perhaps a Trojaned screensaver. The malicious coder can
also generate a fake error message, making the user run the executable
a few times. Usually the first symptom of the e-mail worm attack the user
notices is a sudden, acute slowness in his or her computer. Maybe the
screen flickers or the cursor is slow to respond to mouse input. By that
time, the game is over. The worm has won and has already spread to dozens
or hundreds of other unsuspecting users. More on this shortly.
Just for LANs Anymore
E-mail worms affect more than e-mail servers and LANs
these days. Because we often store the e-mail addresses
of cell phones and pagers to send short messages, worms
end up multiplying on cellular and pager networks. When
the Loveletter worm first appeared, my cell phone didn’t
work for more than three hours, and even my land-based
Ma Bell network was overwhelmed for an hour as both
of those services came to grips with the onslaught of
malicious messages. This type of tertiary interaction
worries security experts as more companies and public
utilities begin to rely on the Internet for their operations.
—Roger A. Grimes
When the worm program is executed, its immediate task is to modify a system
in such a way that it gets placed into memory each time the user starts
or uses his or her computer. It’s common for malicious code to place itself
in the Registry startup keys. These are located at HKEY_ Local_Machine\Software\Microsoft\
Windows\CurrentVersion\ and begin with the word Run. Any program listed
in these areas will automatically be executed when Windows starts.
Alternately, the worm can install itself as a service and gain privileged access to the Windows operating system kernel. NT, Windows 2000 and Windows 2003 prevent normal, user-mode applications from directly interfacing with the OS kernel, I/O devices and disk and memory access—all the things to which viruses and worms want unbridled access.
Loading as a service or device driver gives a worm two advantages beyond kernel-level privileges. First, services run before the user logs in and continue running after the user has logged out, if the machine is still turned on. Second, services and device drivers have a better chance at hiding from inspection utilities looking for active files.
Getting to kernel mode as a device driver isn’t nearly as easy in NT and later Windows versions as it was in earlier versions. This holy grail of malicious programming kept pure 32-bit Windows viruses at bay for a few years when NT was initially released until virus and worm coders learned the ins and outs of Win32-bit programming APIs.
Depending on the Windows version, a worm has several ways to go to kernel mode or become a service. It can use the Windows RegisterServiceProcess() API to register and load itself as a service. It can copy itself as a .SYS or .VXD file to the default Windows driver directory (for example, \system32\drivers). It can execute itself as a program under the RunServices Registry key or use the Create
RemoteThread() API to inject and hide its code under another legitimate process (such as explorer.exe). Depending on how it was loaded, the worm may or may not appear in Task Manager or other service listing utilities.
Even when the worm is displayed as a running process, often a user doesn’t know enough about Windows and their other legitimate active programs to pick out the rogue process. Worms are famous for using characters in their process name that aren’t readily displayable or choosing a sound-alike name. Worms can use “unprintable” ASCII characters that display as spaces or create a file name with lots of blank spaces, like______________________ ______________________mutex. The displayable character portion of the name is pushed to the far right and doesn’t appear in Task Manager’s small, left-justified window. In either case, if the user pulls up Task Manager, he or she usually won’t notice a blank row in the list of running services or programs. Some worms will create new files with official-sounding names or names spelled very closely to legitimate file names, like win32.exe, winservices.com or system32.vxd. Unless you’re familiar with Windows system files, you might be fooled.
Viruses that infect protected system executables in Windows Me, Win2K, XP or Windows 2003 will be thwarted by Microsoft’s Windows File Protection or WFP (called System File Protection, or SFP, in Me) mechanisms. WFP and SFP allow the original file to be modified, then look at the modified file for a valid stored digital signature. If the digital signature of the modified file doesn’t match an accepted signature, the original file is replaced. For this reason, many viruses don’t spread as efficiently on Microsoft’s newer OSs, although they still can do damage during their initial execution and infect non-system files.
Malicious code has dozens of other places it can hide to make sure it gets placed into memory. First, there are several other areas in the Registry, including modifying HKEY_CLASSES_ROOTexefile\shell\open\command in such a way that the worm is loaded whenever any Windows executable is started. Malware can place itself in the Startup group or modify or create the following files to gain control: autoexec.bat, config.sys, winstart. bat, dosstart.bat, win.ini, system.ini, or wininit.ini. Windows’ flexibility gives malicious startup programs lots of places to hide.
The worm begins to search for e-mail addresses so it can replicate. It
can use Microsoft’s MAPI API to enumerate the addresses, but Microsoft
closed that hole with an Outlook security patch. It can still look for
and manipulate the physical files containing your e-mail messages and
harvest e-mail addresses from there.
In Outlook Express, the Inbox file is called inbox.dbx, and the address book is stored in a file with the extension .wab. The filenames and their locations are queried out of the Registry by the worm, then opened and the e-mail addresses extracted. The worm can use the MAPI API to send e-mail or, as is becoming more common, it might contain its own SMTP engine so it doesn’t need your Outlook client or Exchange server to send itself.
Network administrators should be suspicious if SMTP requests coming from
user workstations start hitting your firewall trying to get out. In Outlook/Exchange
environments, Outlook uses the RPC protocol to communicate with the Exchange
server, not SMTP over port 25 (see Figure 2). Most properly configured
firewalls should only allow SMTP traffic out from verified mail servers,
plus any clients who need special SMTP access for home accounts or Web-based
|Figure 2. If your clients aren't using RPC to talk to Exchange, as shown here, it might be an indication that a worm is hiding on your network. (Click image to view larger
The e-mail worm collects addresses and sends itself out. It could be only to five, 10 or 50 addresses or maybe to everyone in your e-mail address book. It may or may not pretend to be from you. First-generation worms wanted to make the message appear as if it were coming from you, so your acquaintance would trust the attachment and get infected. Today, e-mail worms use one of the found e-mail addresses as a forged sender address so that recipients and e-mail antivirus scanners can’t warn the originator about the infection. This new trait leads to many false accusations and wasted time, as the accused party has to make sure they aren’t infected even if they had nothing to do with the attack.
It’s usually at this point, as dozens of identical messages begin to pop up on everyone’s PC at the same time, that the IT department gets called. By this time, if the worm is going to do damage beyond e-mailing itself, the harm has already been done.
What worms do to computer systems is as varied as the number of worms.
Luckily, most just want to spread themselves around the globe to gain
the cracker some subculture fame. Others are more malicious in nature
and start overwriting content on local hard drives, mapped drivers and
network shares. The worm may use one of Windows’ programming function
calls, like WNetEnumResource, to find shares or be hard-coded to look
for specific resources. Once it finds a share, it infects or corrupts
files. Or, like Klez, it may drop another virus. Others install backdoors
to allow crackers remote access. Network administrators may notice this
when their firewall reports strange, persistent outgoing port attempts
coming from user workstations. Other worms change share permissions, search
for passwords, disable antivirus software or phone home.
It’s common for worms to contact the originating hacker to let them know
about each successful exploit. Sometimes they e-mail the hacker’s temporary
e-mail account to give notice, but often they set up an IRC or ICQ client
and begin transmitting instant messages to a private hacker channel. Hackers
monitor the channel and wait for exploit announcements. The worm announcement
will say something like, “Victim at 10.1.1.123 is online.” The cracker
can then manually investigate the host computer or maybe send one predefined
chat channel command to tell all the worms to begin doing something damaging.
Enterprising malicious writers have even coded their worms to download
and upload malicious plug-in modules using legitimate antivirus chat channels,
like Hybris did with the alt.comp.virus newsgroup. That one smarted.
What the worm or virus does is limited by the OS it infects and what it is coded to exploit. As a rule, malware is limited by the rights and permissions of the logged-in user (user- mode process) unless it can become a service, become a part of the system kernel, or grab an administrator’s credentials. Of course, in most cases, the user’s access is enough to do a whole lot of damage. In other cases, malware wants the coveted Administrator account privileges, and it’ll attempt to elevate its security rights or exploit other system holes to gain higher privileges. Some malware programs, like RemoteExplorer, wait for an administrator to log in and then grab the admin’s credentials (using the process token) to attack other systems with impunity.
Many malicious programs can execute and spread across several Windows versions but, because of the APIs they use to access the disk or hardware resources, they may not be able to cause damage. For example, the CIH virus can infect 9x and NT executables but can’t spread on NT or later systems. Also, depending on the OS, it may not be able to corrupt the BIOS. For example, although the Magistr virus can spread across most Windows platforms, it can only manipulate the BIOS of Windows 95/98 machines. When antivirus vendors prefix a virus or worm name with W95 or NT vs. Win32, they’re saying the malware only works completely on certain platforms. Win32 viruses, on the other hand, can infect and may be able to damage Windows 95 and later systems. Again, WFP or OS security may prevent some virus interactions. For example, although most boot-sector viruses can crash an NT system if an infected disk was used to boot the machine, once NT (or later) is loaded, pure boot sector viruses will be prevented from interacting with the boot sector and infecting other floppy disks.
Within a few seconds of the worm’s execution, it has sent itself to everyone
in the user’s address book, modified the local system so that it’s in
memory every time the PC starts, infected remote network shares, modified
files, and, in general, done its damage. And the same scenario is playing
out in hundreds or thousands of networks at the same time, often spreading
blindingly fast: The SQL Slammer worm infected 90 percent of potential
hosts in its first 10 minutes.
Catch Me if You Can
Within 15 minutes of the initial attack, sketchy reports start pouring
in to antivirus vendors, Internet security coordination sites and spreading
by word of mouth. It’ll still be another 30 minutes until enough reports
have been confirmed for CNN to run a story about the latest e-mail outbreak.
When antivirus vendors get their first sample, they have two objectives: detection and repair. They hand off a copy of the latest bug to their best researchers, who start running the worm on a laboratory PC in a virtual environment. The virtual environment is watched by all sorts of monitoring utilities. Every file write, system call and Registry write is recorded. They let the worm make hundreds to thousands of infections against “bait” files or e-mails looking for commonalities and differences to make a reliable byte pattern signature. Reliably detecting the worm is usually not that hard; it’s reliably detecting the worm and not having a whole slew of false positives that’s challenging.
Once the detection signature’s found, figuring how to remove the worm and repair the system becomes key. This is where time plays against the vendor. The longer they research how to repair every system in the world that the worm may have infected, the longer the detection signature is held up. It’s common for the vendor to release a mostly reliable detection and repair tool in the first few hours, but it can take a day or two to craft the perfect detect and repair mechanisms.
At this point, antivirus administrators are often frustrated because their vendor’s antivirus Web sites have the new worm signature and removal tool, but are too overworked to handle the download volume. The admin sits and watches the vendor’s Web page time-out again and again. Luckily, most vendors today have bandwidth agreements in place to get bigger emergency pipes if the traffic demands it, and centralized corporate servers can grab the update and distribute it to the rest of an internal organization.
Official notices about the worm start being released around the same time as the detection signatures. All the details and consequences of the worm won’t be known and released until the following day. The worm will be added to next month’s WildList, www.wild
list.org, detailing the world’s most popular worms and viruses, and vendors may release patches to close discovered holes. More typically, vendors tell customers to apply the patches that have been out for some time but weren’t applied.
A popular worm can go from a single copy to blanketing the world in less
than a few hours. And they’re getting faster all the time: I predict the
Slammer’s record of 10 minutes will fall. Slammer only infected unpatched
Microsoft SQL servers (and a multitude of clients with MSDE installed).
A faster spreading worm could infect workstations and use each of them
as host server spreaders.
here to download a list of potentially dangerous
file extensions that I've compiled into a table. The
download, in .PDF format, requires Adobe Acrobat Reader,
which you can obtain for free by clicking
here. The .PDF format is currently not on
(If you encounter problems obtaining the files, send
e-mail to MCPmag.com Editor Michael Domingo at email@example.com).
—Roger A. Grimes
A Long Lifespan
Most worms peak the first day and start dying down each day thereafter.
Some, like Klez and CodeRed, will continue to propagate in large numbers
across the Internet for months and years. If the worm is popular and garners
national media exposure, the cracker subculture will begin to make variant
copies—slightly adjusted to fix bugs—to evade antivirus software or to
send around a new message. Most of these variants are simple nuisances
that can be easily detected. Eventually, the bug will plateau to a sustained
level of infection for a few months, then dwindle down to a few infections
every now and then. However, because of the very nature of malicious code,
it’ll always replicate if given the chance. The WildList is full of viruses
originally released in 1994 and 1995. Occasionally, a copy of the Stoned
boot virus from 1987 will pop up on an infected floppy disk and make the
This account was just a simple worm. Advanced threats like Nimda have
several different attack methods and would make a much longer story. Internet-spreading
malware will continue to proliferate, although the mechanisms will evolve
as people’s usage patterns change. Boot sector viruses used to be the
primary method of infection, then macro viruses, and now e-mail and Internet
worms. The next big explosion of malicious code will follow the popular
path of technology; if the pundits are accurate, that means malware will
eventually concentrate on attacking PDAs, cell phones and instant messaging
channels with a vengeance.
What Can You Do?
Make sure your company has a multi-tiered computer security defense, including
antivirus software, firewalls and automated patch-distribution systems.
And don’t forget education: for both the users and you, the administrator.
You must constantly keep up on the latest viruses and worms, how they
spread, and what attack vectors they’re likely to choose next, so you
can proactively protect your network instead of just reacting to the latest
e-mail outbreak. This will keep you from having to explain to your boss
why yet another e-mail virus has brought the network to its knees.