Archived

This topic is now archived and is closed to further replies.

CProgrammer

How do virus hacks work (one needs some knowledge to protect oneself)


CProgrammer    303
I was just recently attacked by the new virus W.32-Blaster. I had turned off my firewall for mere seconds and was infected in that time. Luckily I was able to remove the threat thanks to Symantec's help. Now I would like to know how these viruses work in general? Where is the flaw that allows them to put files on my computer? -CProgrammer

IllMind    122
If I'm not mistaken, the blaster worm (which I got hit by yesterday) uses the buffer overflow technique. This is when more information is stuffed in a buffer than the buffer is designed to hold. For example if you make a char[10] array and try and put 15 chars inside. This can allow the virus writer to make the program flow jump to other bits of code that are malicious. Of course what I just wrote is simplified. Look up buffer overflow attack in google to get more info on it. As far as how it got on your machine, I believe that once the worm infects a computer it generates random ip addresses. If you didn't have a firewall up then anything could get through your ports and execute code by using a variety of techniques (in this case using buffer overflow in the RPC). However I did have a firewall up when I got that webpage looking thing with the timer to shutdown message, so I'm not sure how I got hit, must have seeped through one of my open ports, although the ports that are listed that it used, I have closed. My computer never did shut down once the time hit zero, but I did end some processes immediately when I saw it so that is probably why.

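The char[10] / 15-character case from the post above, as an added example (not code from the thread): the unsafe copy is shown for contrast only, a helper computes how far past the array a plain strcpy would write, and a bounded replacement rejects input that does not fit. The function names are made up for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* The defect described above: a fixed buffer filled from input with no length
   check. strcpy stops only at the NUL byte, so a 15-character string writes
   16 bytes into the 10-byte array and overwrites whatever sits after it on the
   stack (other locals, saved frame pointer, return address). Shown for contrast
   only; nothing below calls it. */
void unsafe_copy(char dst[10], const char *src) {
    strcpy(dst, src);
}

/* How many bytes a strcpy of src into a dst_size-byte buffer would write past
   its end (0 when it fits). */
size_t overflow_bytes(size_t dst_size, const char *src) {
    size_t needed = strlen(src) + 1;   /* characters plus the terminating NUL */
    return needed > dst_size ? needed - dst_size : 0;
}

/* Hardened form: the buffer size travels with the pointer, input that does not
   fit is rejected instead of silently truncated, and dst is always a valid
   string afterwards. Returns 0 on success, -1 on rejection. */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0)
        return -1;
    if (overflow_bytes(dst_size, src) != 0) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, strlen(src) + 1);
    return 0;
}
```

The same idea is what the later "safe string" functions (strlcpy, strcpy_s) package up: a size argument checked before any byte is written.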
DevLiquidKnight
A real interesting question would be how do some viruses attach to the entrypoint of an exe making the virus execute itself upon execution of other programs. I've ALWAYS wanted to know how that worked. Not to make a virus, it's just like I've always wondered how does that work? I'm sure it has to do with like machine code but HOW DOES ONE DO THAT? 0.0 it boggles the mind

n0ob    176
webpage looking thingie with a countdown timer?? I got hit too, but it was an XP thing. Little Windows XP box saying "necessary service has been closed" yada "reboot in 1:00"..

Anyway, I got an exe joiner once. I tried it out, and it worked, however buggy it was.. I believe one of the exes I joined crashed... Anyway, it turns out that my virus scan, that I did from the blaster worm, detected the exe-joiner install file as having a virus in or attached to it. I thought that was kinda funny. hehe.. hah

Kings of Chaos

noixtirdoe    157
do a google search on "The Little Black Book of Computer Viruses"...there is an electronic version of it you can download.

-noix-

In this world gone mad, we won't spank the monkey; the monkey will spank us.

Trienco    2555
quote:
Original post by DevLiquidKnight
I'm sure it has to do with like machine code but HOW DOES ONE DO THAT?


dont think machine code is anything mystical or special. i'd guess after having a look at assembler for a few minutes it will be quite clear how you do it.

also: no, contrary to what the media is trying to sell you, its not "have a firewall or be completely vulnerable" (as someone above already noticed that his was pretty useless... but im sure its telling him about "blocked hacker attacks" whenever someone is pinging him). especially those "lets call them firewall, even if thats not what they are"-portfilters are more of a solution for those that just dont want to learn enough to simply disable all useless services. not running a service thats using a certain port is obviously a better solution than hoping that some 3rd party software will block it. not only is it ridiculously easy to avoid them from the inside, but some are so horrible, that they can be the target of attacks and open new security holes.

short: a firewall doesnt close a port, it will just control who gets through. i prefer to just close a door instead of praying that the guy watching it wont fall asleep (of course some ports need to be open or surfing the net might be a little difficult).

in this case: disable dcom via dcomcnfg (i'll just claim that most private users dont need/want it anyway) and that should be it. or install that patch that will solve at least a tenth of the actual problem. but as it seems that the update server is having a hard time with millions of panicked people trying to get the updates i'd suggest to visit for example
http://www.theeldergeek.com/windows_management_instrumentation_driver_extensions.htm
step through all the services and disable what you dont need.

btw. i read that disabling dcom on w2k with sp2 or lower will NOT really disable it. thanks again ms, would be nice if all those funny little buttons and checkboxes wouldnt just be around for entertainment but actually DO what they say.

and keep in mind that the shut down is NOT what the worm is supposed to do. its just the result of it "guessing" your os wrong. if it does what its supposed to, then the only thing you notice might be a slow connection (because your pc is constantly trying to infect other machines and uses up bandwidth). a shutdown (XP) or a crashing svchost is the result of a failed attempt to infect you. in no way does it mean that an earlier or later attempt didnt/wont succeed. and as that thing is open source expect a lot of different variations to show up (just in case somebody out there blindly relies on his av software or whatever).
so keep an eye on your traffic and if you find yourself sending data all the time better go offline and check the usual places (registry/startup/ini files/taskmanager).


"Where is the flaw that allows them to put files on my computer?"

that would be ms not only incorporating some of the most embarrassing bugs, but also coming up with features that most users will never ever need but are still loaded per default (as ms considers us users too dumb to start it ourselves if we DO need it someday). a harmless but annoying example would be that messenger service.

[edited by - Trienco on August 14, 2003 3:32:36 AM]

Pootle    122
My computer was hit by a virus in the mid '90s, and I had no virus killer software. I can't remember the exact symptoms, but I found that various executable files I'd been running had become infected. The virus had appended itself to the end of the executable, and inserted a jump instruction at the start of the executable to jump to the virus code. The virus code would do its stuff, then jump back to the start of the original executable.

Fortunately, my C compiler was unaffected, as was a simple text editor, so I could put together a file searching program that scanned executables for a particular string contained in the virus code, and if found, cut the initial jump instruction. I guess I was lucky that it was a pretty simple virus, with no real destructive payload!

Guest Anonymous Poster
go to Shields Up on grc.com, have it test your connection. if you get bad results, install zonealarm.

_the_phantom_    11250
it's worms like that W.32-Blaster which make me glad i'm sitting behind a linux firewall running in stealth mode, so unless i've expressly forwarded the ports, all packets to the unwanted ports get dropped and never replied to.

foofightr    130
quote:
Original post by Anonymous Poster
go to Shields Up on grc.com, have it test your connection. if you get bad results, install zonealarm.

That was really interesting to read about the various attacks he faced and how he dissected and dealt with them. Thanks for the link.

Guest Anonymous Poster
quote:
Original post by DevLiquidKnight
A real interesting question would be how do some viruses attach to the entrypoint of an exe making the virus execute itself upon execution of other programs. I've ALWAYS wanted to know how that worked. Not to make a virus, it's just like I've always wondered how does that work? I'm sure it has to do with like machine code but HOW DOES ONE DO THAT? 0.0 it boggles the mind


Well it's not exactly rocket science... The executable file will have the address of the entry point stored in itself, in order for the operating system to know it when it's loading the program. A typical exe virus will read that address, attach its own code to the program (either in unused spaces of the program, which will not change the file size, or just as an appendix, which would change the file size), change the entry point stored in the executable to the beginning of the virus code instead, and finally insert a jump to the original entry point at the end of the virus code.

I guess you could say it's a self-contained primitive linker. Sort of.

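Pootle's appended virus (a jump patched into the start of the file) and the entry-point rewrite described in the post above leave the same trace a scanner can look for: the stored entry point no longer sits where a compiler put it. Added example, not code from the thread: it assumes the Windows PE format (whose header stores AddressOfEntryPoint and a section table), builds two constructed header samples with a made-up `build_pe` helper, and applies the old scanner heuristic of flagging an entry point that points into the last section, outside every section, or into non-executable data.

```python
import struct
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics flag

def build_pe(entry_rva, sections):
    """Minimal PE header from (name, virt_addr, virt_size, characteristics) tuples; constructed sample, not loadable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew at 0x3C
    opt_size = 224                                                   # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)   # entry point at opt+16
    opt += b"\0" * (opt_size - len(opt))
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, fl)
                    for n, va, vs, fl in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs

def parse_pe(data):
    """Return (entry_rva, [(name, virt_addr, virt_size, characteristics)])."""
    if data[:2] != b"MZ": raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0": raise ValueError("missing PE signature")
    coff, opt = pe + 4, pe + 24
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]              # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vs, va = struct.unpack_from("<8sII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode(), va, vs, flags))
    return entry, sections

def entry_point_suspicious(data):
    """Return a reason if the entry point looks redirected by an infector, else None."""
    entry, sections = parse_pe(data)
    hit = [i for i, s in enumerate(sections) if s[1] <= entry < s[1] + s[2]]
    if not hit:
        return "entry point outside every section"
    flags = sections[hit[0]][3]
    if not flags & IMAGE_SCN_MEM_EXECUTE:
        return "entry point in a non-executable section"
    if len(sections) > 1 and hit[0] == len(sections) - 1:
        return "entry point in the last section (appended code?)"
    return None

# Constructed samples: a normal layout, and the same file after an appending infector added ".virus" and pointed the entry point at it.
CLEAN = build_pe(0x1010, [(".text", 0x1000, 0x2000, 0x60000020),
                          (".data", 0x3000, 0x1000, 0xC0000040)])
INFECTED = build_pe(0x4000, [(".text", 0x1000, 0x2000, 0x60000020),
                             (".data", 0x3000, 0x1000, 0xC0000040),
                             (".virus", 0x4000, 0x800, 0xE0000020)])
```

Runtime packers rearrange sections and entry points in similar ways, so this check is a lead for closer inspection rather than a verdict.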