On that special day, Ned, (
[email protected]) said...
By exploit, do you mean an external equivalent of someone double clicking on
a document which would then cause windows to open its associated application
called Word.exe which is really a virus exe masquerading as the original?
(phew, long badly phrased sentence)
There are many exploits.
One of the first worms to infect MS-Os running PCs over the internet,
was qaz. It was rather benign, compared to the later specimens. It would
copy itself in place of the accessory notepad.exe, and save the original
program as note.com.
Every time someone wanted to see something in the editor, he/she would
execute notepad (ie the worm), which would then call note.com to do the
job of displaying text, but by now the worm was active and did scan for
new IP numbers with computer with open shares (at least on C:\windows),
and copy itself onto the newly found hard disk, to find another user to
execute it.
In this case, the exploit was twofold:
- copying itself as a common program to open shares
- relying on users to run said application.
A new twist was the wrong MIME type exploit, that made the worm
autoexecutive. A mail with a attachment was sent, which was declared to
be a music piece (wave or midi). But in fact it was an executable.
The Outlook Express and Internet Explorer versions from 5.0 until 5.5
*without* the Service Pack 2 were designed to show mail contents in
advance, in the preview panel, and hand executables to the OS, so that
the infection method went like this:
Recipient previews mail.
OE detects a "music piece", and wants to "play" it.
OE finds (from the beginning of the code that is read) that this cannot
be music, but is an executable. It passes the executable to Windows.
Windows sees that the executable has been handed over from a local
program (OE), so it must be a local executable must be a local program,
too.
Windows executes the worm, the PC gets infected.
This one didn't rely on open shares, but used a double exploit, too:
- OE runs "music files" in the preview pane, whatever they might be
- Windows executes everything passed from OE, whatever it is
An open share dependent worm also uses exploits:
- worm copies itself to open shares on critical places like C:\Windows
or C:\Programs (this is the main exploit)
and performs things like this:
* worm overwrites commonly used applications with own version
* worm copies itself into C:\Windows\startup (auto execution at boot
time)
* worm changes registry (autostart via run and runonce keys)
* worm writes a start entry into win.ini of the kind run=worm.exe or
load=worm.exe
* worm copies itself to a different place, but drops a component into
said autostart slots, and after being run, check every n minutes if the
dropped component is still there, if not, it copies the dropped
component again
....
- worm copies itself over other internet services like KaZaA, drops a
component into the autostart, creates a folder and shares it to the
world, so that others will start downloading it (benjamin and clones)
- worm copies itself over ICQ or IRC and relies on the recipient's
curiosity by adding a message like "look at this, you just must"
Some worms already don't rely on a single spreading method any more, but
combine several exploits, to make sure that they will find more victims.
The MiMail is only new in so far, as it uses an exploit which hadn't
been used by any worm before, and that it will probably "serve" as a
model for virus coders, to make more of these.
Gabriele Neukam
(e-mail address removed)
