As I'm waiting for my system to boot up here and get everything functioning, I will plug it in and get you on the screen here. I always ask this question when I do the lecture here, so I'll ask you guys this question now. How many people in this audience, by show of hands, have actually written a computer virus in the past? Raise your hand. Cool. All right. Most federal officers are actually keeping track of the guys who just raised their hand. Raise your hands. Thanks. All right. Now, how many hackers are now keeping track of the federal officers? Thanks. You're late. Do we have any locals? Anybody here live in Vegas? Okay. So this heat is not bothering you at all. I know. I just moved to Vegas here three months ago and I'm still trying to get used to this. How long have you been here? 15 years? You know the freeway actually leaves the town. You know that, right? Okay. Just want to make sure you knew that. I found that out by accident. I got lost, wrapped around, and I was out of town. I was like, wow. So that means that everybody else is from out of town. That's pretty much a good guess. Yeah. All right. Who here is from out of town? Yeah. Raise your hands. Yeah. I found out that, of all the years I've been coming to DEF CON, I finally got my wife, Stacy, to come out to DEF CON with me. So she is a CON virgin here. All right, gentlemen. I'd like to point out wife, Stacy. Yes. Oh, I am so changing operating systems. All right. Who can guess what operating system I'm using? BSD. That's one of them. What really sucks is I wrote this presentation in PowerPoint. I bumped my head. Give me a break. Hey, wow. It looks like it's actually fucking finished. Yeah. It's infected with tri-state. Yeah. Bastard. I know where you're sitting. Okay. You want to do slides? All right. Now, excuse me. We're actually going to start this now. I'd like to, again, thank you for coming out to my lecture. I think better when I'm moving.
So I'm going to be pacing back and forth a lot, so the camera guy is going, bastard. All right. How many people have actually seen my talk before? Raise your hand. Thank you. I have four friends. Thanks. All my friends. Oh, yeah. I'll make your talk. Yeah. This is the introduction to computer viruses. This is where we're going to talk about the different types of basic viruses that are out there in the world, how they actually work, how they infect systems, how to remove several of them. And we'll talk a little bit about how to actually protect yourself in the past and future. This will be online. This was not on the CD because, as many times as I sent, hey, am I speaking or not, my emails got lost. Finally, I get this phone call a week ago from Noid. Dude, how come we never hear from you? I was like, hello. Yeah. I love it. So this is not on the DEF CON CD. I will be giving a copy of this to Noid to put on the DEF CON website. Next-Gen Professional Services. I'm an owner in the corporation. We do IT stuff. This is not a sales pitch. My name, email address at Next-Gen, and personal email addresses are below on my website. Excuse the website. It hasn't been updated in a while. It will be, though. This will be on my website and probably also on the DEF CON site. Okay. I'm used to being able to actually see this shit. So let me see here.

What we'll cover in this talk: what is malicious code? We'll talk about boot sectors, multipartites, file infectors, macros, Trojan horses, fakes, VBS scripts, hostile code, computer viruses in the future. Definition of malicious code, malware: any program or script written specifically to execute on behalf of the user without the user's permission or knowledge. Viruses, worms and Trojan horses are all examples of malicious code. So anything, all right, stop saying Windows. By definition, maybe. But you paid for it.
Unless you were that smart gal, Chris, who actually came back with her system and handed them back the unused CDs and said, I want the money back on this because I don't agree to the license agreement. That was clever.

What is a virus? Parasitic self-replicating code that attaches itself to a host. Hosts can be floppy boot records, master boot records, partition boot records, DOS boot sectors, binary files and data files. DOCs, you know, XLS, PPTs, COMs, yada, yada, yada. Viruses now are actually becoming a little bit more prominent and actually infecting a lot more things. You guys read about the JPEG virus, right? Raise your hand. This is audience participation. God damn it. Raise your hand. All right. Good. Yeah. I'll wake your asses up yet. I know it's hot. Give me a break. The viruses are really expanding out now. A lot of people are getting a little bit more clever. Well, let me back up. All right. One of the issues with computer viruses is, in the past, you used to have to actually have coding skills to actually write a freaking virus. Back when I was really into viruses and working for an unnamed antivirus company, we were getting on average about two to 300 viruses a month, brand new and never before seen. Most of these would not go into the DAT files because they were viruses sent to us by the virus creators going, hey, try to figure this one out. And we'd go, yeah, whatever. But back then, the whole key for virus writers was, hey, how small can we get this and how much damage could we possibly do? You were seeing viruses out there like 9 and 10K, all written in machine code, really, really well written. These guys were actually, as much as I dislike the concept of actually going out there and purposely destroying other people's lives and destroying their systems, or I'm working and destroying small companies, not that I'm bitter about it, these guys actually knew what they were doing. My mother now can write a VBS script. What the fuck?
And now these guys were writing things like the ILOVEYOU virus and going, hey, I'm elite. I'm going, no, you're a script kiddie with no morals, no concepts, no clue. But you can write a VBS script. Anybody can write a VBS script. It doesn't mean you're a virus writer. But now these guys are sitting there going, you know what we'll do is we'll take scripts written by hackers and we'll incorporate them in worms and viruses and see if we can just spread the chaos. And it's becoming more prominent. Now, I don't know what brainiac thought it was a good idea to put, like, you know, coding capabilities into applications like Word and Excel, giving people the applications like, hey, let's totally screw with people. The guy should be thumped in the head, but that's just me. When we give people the capabilities to actually create malicious code, we're going to see a lot of people without concepts trying this stuff out. It's not hard anymore. And because it's not hard, we're going to see more and more dangerous things out here in the future.

What is a worm? Anybody fish? Just me. Okay. Hey, a fisherman. Cool. It's all about bass, dude. It's all about bass. All right. What is a worm? A self-operating, self-contained program or code that is not parasitic. Worms do not infect master boot records, boot sectors, binary files, and macros. They do not. Yet. Now, if you read the RFCs, you can tell me the RFC that covers worms and viruses. What's the number? Anybody? Yeah, I don't remember either. Who the fuck reads RFCs and memorizes the number? By the RFC definition of a worm, this is the RFC definition of a worm. It separates it from a virus. But now we have worms out there which are becoming parasitic. Can someone name me one? Raise your hand. Anybody? Sorta. Nimda. Yeah, because it actually infects executables. So is Nimda a worm or a virus or a hybrid? It's a hybrid. Who thinks it's a hybrid? Raise your hand. Who thinks it's just a worm? Raise your hand. Bloody purist.
Who thinks it's a virus? Who's only here because they wanted to take a nap? Thank you.

Boot sector viruses: how they work, what to look for, ways to remove them. Boot sectors. The MBR is divided into three parts: the code, the FAT partition information, and the marker, 55AA. The virus first copies the hard-coded boot code on the drive to a different sector of the media, and then copies its own code over the boot code. The end of the virus code then points to the new sector. The old-fashioned boot sector viruses really sit there and say, let's grab this code, we'll move it to like sector 7, 8, 9, 12, 17. And then what we're going to do is we're going to say, whatever boot code is there, we're just going to copy over it. And then what we're going to do is we're going to put a pointer toward that sector and let the machine boot normally. Now the boot code is that part of your system that says syntax error, you know, crap like that. It's all hard coded. So this loads the virus into memory. Who has an idea why they want to look for multiple sectors instead of just one? Raise your hand. Anybody? What? Backup? Yes and no. Anybody? Bigger? No. The reason why is that it allows for multi-infections. If your drive is already infected with New York Boot and Monkey wants to kick in and it's looking for the same sectors, you know, it'll first check and say, hey, there's actually code there. We'll just go to the next sector. Hey, there's code there too. Let's go to this next sector. There's nothing there. We'll infect over this. And what it'll do is it'll start putting the markers over there to the other sectors. So it now allows for multi-infections of a boot sector. So if you think you have a boot sector virus and you run an antivirus product by running, like, a clean boot disk or a clean boot CD, and it finds a boot sector virus, run it again.
Several times I've actually gone to people's sites and, oh man, my whole system's all screwed up, and I'll run an antivirus product and boom, hey, there's a boot sector virus. And then I'll run it again and hey, there's a different one. Then I'll run it again. And hey, there's a third different one, because it'll just kind of start following the tracks and go through. It becomes really, really monotonous, but still kind of clever. The FAT partition info of the MBR holds the data on the partition info of the disk. Some viruses encrypt this info, making it impossible to retrieve your data if you remove the virus incorrectly. Monkey is such a virus. Has anyone here been infected with Monkey B in the past? For the new people, this was a better written virus. You know, young kids are like, what's a boot sector virus? Anybody? Monkey? Okay. How much of a pain in the ass was it to get rid of Monkey? Mando. None. You'll be filming the hard drive. What did you do? A special program. McAfee actually had a thing called the Monkey remover. The antivirus product itself wouldn't remove the virus. You actually had to have the Monkey remover. What Monkey did is it replaced the code up here and it encrypted the FAT partition information. Well, by encrypting the FAT partition information, if Monkey wasn't loaded, it never saw your directory structure. It was gone. And it encrypted itself. So what the Monkey remover would do is it would actually create a simulator-type situation where it would actually say, hey, I'm going to infect a floppy disk. And Monkey goes, oh, cool. And it would start unencrypting itself, and then it would open up the encryption key. And the moment it saw the encryption key, it would stop in its tracks, use the encryption key to decrypt your FAT partition information, and then it would remove the virus. The 55AA is the marker that identifies the part of the boot sector. So, yes, exactly. Yeah, basically it would catch the...
I thought you were talking about my fly being open. It would catch the virus with its pants down. I was like, what, here, okay. Yeah, basically what it would do is it would actually catch the virus with its pants down, not this virus, that virus, because my pants were up. All right. That's going to be one of those years again, isn't it? All right, what to look for? Before we go into what to look for, I want to discuss one of the things about the Monkey virus. One of the ways to actually remove a boot sector virus is to use a very simple DOS command, which is fdisk slash... not just fdisk by itself, because that will really remove the virus. But, you know, it's fdisk /mbr. Who's used that command? Oh, you guys rock. Cool. I don't need to talk. fdisk /mbr, for those of you who use the command, and newbies, or people who are spouses, and that doesn't count just girls. I know a lot of girls here who brought their boyfriends who are like, I don't have a clue. What it does is it says, I don't care what code's over on the MBR, just replace it. Then new code, it's crept it, boom. Now, the problem with Monkey is, if you use fdisk /mbr, it's like, boom, new code. The virus is gone, and then you boot up, and it's like nothing there. No data, no drive, no nothing. And it's like, well, now we'll just go back to the fdisk portion of the show. No. Because it changes the key. If you could do that, then you could remove it easily because it'd be the same key. His question was, can you re-infect with the Monkey virus to actually recover the data? And it's like, well, no. Doesn't quite work.

All right, what to look for? Go back. I wasn't there. Look for copies of the code on different sectors, design, et cetera. Look for changes in memory usage. If you're like, I wasn't using a lot of memory to wake up. If you're not using a lot of memory, and also you're peaking, that's usually an issue. Stop saying Windows. All right, look for strange behavior in the OS.
No jokes, we are dealing with Windows. Ah, Windows. That's a whole new section. Ways to remove them: fdisk /mbr. Copy the old code from the sector it was moved to and put it back. You can use, like, Symantec's disk utilities to do that. You can actually view your sectors. One of the things I would often do to see if I was infected by a boot sector virus is I would use Disk Editor and I would just go through the different sectors. These sectors are not commonly used by any programs, so there should not be anything there. If you see something there, you have a problem. Now, not necessarily, though, because you have to keep in mind that if you're using an antivirus product it will remove the virus but it won't clean the sector. Thanks, Dad. I listened to your talk. So what you'll do is you'll take, like, a disk editor, you'll go down the row, try to find the different types of sectors. I'd go maybe about 25. If I didn't see anything, we're cool. Now, if I do know I have a virus and I see something on, like, sector 9, I can copy that code and copy it back over. And that gets rid of the virus. Antivirus software is a given, but the problem with antivirus software, the weakest link in antivirus software, is... anybody? The user. You are the weakest link of your antivirus product. How many people here have not updated their antivirus product this week? Raise your hand and be honest. I have, because I haven't been home. He has a new week. How many people have not updated their antivirus product in over a month? How many people are not sure how to update their antivirus product? My wife. Yeah. That's why hers is automated. You know how embarrassing it is when my wife calls me, I have a virus. No, you thought you did though. I think I have a virus. You can't. This is bad for my reputation. You're not allowed. Reboot. You know what? You don't have that system anymore. Just bury it in the backyard. No one will ever see it. I'll buy you a new one.
I've done audits all over the country, and one of the first things I do is I look at the antivirus products and I look at the DAT files. I was at an ISP in San Francisco and we were doing a security audit, except for the fact that everything else was blowing chunks. Their server room had this big, huge window with the IP addresses to the outside world, which they got... No, it's not them. I won't say who it is because they're not in business anymore. Seriously, I never got my check either. Bastards. I went and checked their primary dial-in server with their bank of modems. Their modem phone numbers were in the phone book. Not a joke. I was serious. I sat there and said, what are all these phone numbers in the phone book under your name? Ah! Then I went home and checked. But I checked their antivirus files. The primary server, the DAT files, hadn't been updated in two and a half years. The version of antivirus product they were using, the engine, was outdated. You couldn't even get updates for it. You are the weakest link. Goodbye. I wasn't done. I didn't do that yet. Note, the first two will not work with some viruses that may foobar your whole system, aka Monkey. His question is, are people still putting out boot sector viruses? Yes. Why? The reason why is because boot sector viruses actually take skill to write. So the hard-core virus writers are actually still working with them, because it's a lot more fun if you can actually infect an NT system with a boot sector virus. Okay. Now here's the audience participation part again. With a show of hands, we'll raise one hand for true, and then I'll say who thinks it's false, and we'll raise the hands again. True or false: it is impossible to infect an NT workstation, server, whatever, that is formatted NTFS with a boot sector virus. Who thinks it's true? Raise your hand. And don't raise your hand because you're not sure, or you think it's a trick question. Who thinks it's impossible? Raise your hand. Nobody.
Who thinks it is completely and utterly possible to infect the boot sector of an NT workstation, or whatever, that's formatted with NTFS with a boot sector virus? Raise your hand if you think it's possible. Okay. All those who raised your hand, how? If I have a floppy disk that's infected with a boot sector virus, and I put that in the disk drive, will it infect the system? No. It's impossible. It's impossible doing it that way. The reason why is NTFS doesn't show up as a drive to a boot sector virus. I am so not here. What happens is the boot sector virus will look to try to infect this drive. Well, NTFS is not a DOS partition drive. So it sees no hard drive it can infect. I take a boot sector virus boot disk, you know, DOS boot disk, Windows 95, whatever, put it in the drive. I boot it up. It sees no drive. Cannot infect. Trick question: it's possible. And what you need to do is you need to create an NT boot disk with a DOS-formatted disk. Not an NTFS-formatted disk, but a DOS-formatted disk. And the reason why is because if it's an NTFS-formatted disk, you can't infect that disk with a boot sector virus. So what you end up doing is you get your NT boot loaders and all the other required files and you have a FAT32 disk. Then you take that disk. That's Francesca, by the way. You take this disk, you go to a system that's actually infected with a boot sector virus, you put the disk in and, being that it's a DOS-formatted disk, it will actually infect that. A boot sector virus, if you look at the disk, will infect that disk instantaneously. You can go A colon, instantly infected. You can always tell when you're being infected because it goes [grinding noise], and you're like, that didn't sound good. That's one of the keys here. No. No. Not really, no. Just hit clear. Thank you. I was mentioning that Sysinternals and other companies, they have NTFS drive mounting tools that are used under DOS. I wondered if anybody had tried to reap that technology and incorporate it into a virus. No, because this is easier to do.
You wouldn't incorporate it so much into the virus because it really depends on how your system is set up, regardless. I actually was at a job interview and I was asked that question and I said, sure, it's possible. He goes, nah, it's not possible. No one's ever gotten that right. I said, I bet you I could do it. He says, if you can do it, you get the job. I'll be back tomorrow. I came back the next day with a disk and he goes... I said, this is infected with neo-poot. I said, I bet you I can infect your system. He goes, okay. I said, now, do you need any of the information on this system? Have you backed up this system? He goes... this was his workstation at his desk. He goes, no. I said, well, do you have another system I can try this on? He goes... I think this is going to screw you up. He goes, no, it's impossible. He honestly believed it was impossible. I said, okay, so if I screw up everything on that drive, if this infects and your system's blown away, I still get the job, right? And I won't be the janitor, right? And he said, yeah. I said, okay, and I put the disk in the drive. I booted up the system. Grind, grind, grind. He's like... and then all of a sudden, like, you know, nothing happens on the screen and I pop out my disk and I press the reset button and he goes, I told you. I said, pow. Big blue. System trashed, which is the key, the problem with boot sector viruses on an NTFS partition. It doesn't act like a normal virus. It just says format something because it's gone. It's like, sorry dude, game over. Thanks for playing. And I got the job. I only had to empty his garbage for a week, but I got the job. And he wasn't happy. He was like, how did you do that? And I told him what I did. And he's like, well, I never thought of that. I said, well, that's why you hired me.

All right, the types of boot sector viruses we have: stealth, polymorphic, encrypting, and any combination of these. Some of the most fancy viruses will use all three sequences. Stealth boot sector viruses.
A stealth virus hides in upper memory and helps hide the virus from virus detectors. You have an antivirus product running on your system and it will not see a well-done stealth virus. Because the stealth virus says, you know, the antivirus product says, hey, look in that memory block, and the virus goes, nope, I'm not there. And he goes, well, what's going on? No, I'm not there either. Hey look, the queen. And it hides itself real well, which is why it's really required to use a clean boot disk or a clean boot sequence there. So this is a great example of a lot of my favorites. Which is really kind of a hypocritical thing for me to say, because I really... it's one of those love-hate things. I love to hate viruses.

Polymorphic viruses are very tricky. They change the code every time they replicate. By changing their encryption code they make it very difficult for removers to get rid of it. Antivirus software programs use a simulator to identify the code key and then use the key to remove the virus. XYZ file over here using... it's basically sandbox-type technology. So everybody understands sandbox technology? Raise your hand if you don't. Yeah, I tricked some of you guys, yeah. Okay, sandbox technology, just to break the flow here, like I haven't done that all throughout the speech here. But what sandbox technology does is it acts like a DMZ on your system. It basically says, hey look, we're gonna isolate... who uses VMware? Okay, it's like VMware. And it says, who cares? And what the sandbox technology says is we're gonna run it in an isolated sequence here which will allow no damage to your system. So it says we're gonna actually infect this spoof floppy drive here or this file here. And then what it does is it actually goes over there and starts doing the unencryption scheme. It looks for the code key. It'll stop it in its tracks and use that same code key, because the code key changes each time. It actually finishes the replication process. That's gonna be the code key.
So it stops it in its tracks, backs up and says, hey, we're gonna remove you. It says, yeah, right. It says, and we have this code key. And the virus goes, shit, damn, piss, hell, and now it goes. By changing their encryption code, they make it very difficult to remove and get rid of it. Antivirus software programs use the simulator to identify the code key and then use the key to remove the viruses. Like I said, this is a very, very cool technology. It's getting a lot more advanced now. I can't hear you at all. How do you know when to stop? I don't. The program does. I don't know. I didn't write the program. I don't have an answer for that. I'm sure it's on the net. My birthday is on the net. So I'm sure that's there too. What? Which one?

Encrypting boot sector viruses. Encrypting viruses will encrypt data or themselves, making it more difficult to remove, and also make it impossible to recover data without the virus to decrypt it. Once again, back to Monkey. Monkey really is my favorite virus. It's such a pain in the ass. It was very, very cool. Back in the olden days of the antivirus rallies and stuff like that, back in, like, DOS, you know, before 6.2, if anyone remembers back that far, aside from me, I'm so aging myself right now. Everybody who's shaking their head right now has gray hair like I do. This is all out of a tube, buddy. There was a great boot sector virus called the Music Box or Music B or Music Virus. Anybody remember that virus? Raise your hand. Okay. This virus so rocked. It was so fun. Because what this virus would do is you'd be working on your DOS computer and you'd be moving around, right? And all of a sudden your whole system would completely hang and your speaker would go do-do-do-do-do-do-do. And you're going, what the fuck? And everything would work fine again. And you're like, okay, okay, it's late. I'm tired. This game isn't working too well. I bumped my head. Life's slipping me wood shit in my coffee. What the hell?
And you'd be working again for a little while and again your system would hang. And you're like, okay, now I know I'm not imagining this. You're looking at your computer and there's some sign. And you're like, what the hell? And it would do this randomly, sometimes not for a week, sometimes not for days, sometimes every freaking minute. And then finally it would say, I'm done playing. Wipe out everything. Drive not readable. Crash, boom, bam. Out the door. It was a cool virus. I respected the virus. Flash, MBR, virus gone, game over. But that's just fun. Things that fuck with the users were kind of fun, up until the destructive part. Another virus like that was, who remembers Rabbit? Mostly on the Macintosh. The old Macs. No one remembers the Rabbit. Oh, come on. The guy with the gray hair and the receding hairline, you've got to remember Rabbit. No? All right, Rabbit was cool. Rabbit would actually go from the Macintosh to the AppleLink system, and you would be working on a system and this little rabbit would go bouncing across your screen, and then to the person next to you down the loop, and then the person next to you down the loop, and you would sit there going, huh? That's a newer version of it. They didn't have Energizer batteries back then. I'm talking old. So this, huh? Yeah, they were called Eveready. Just one bump. Yeah, it was kind of a cool thing that they would go zoom in and crush it, and then everybody else would be going, hey, hey! And that's all it did. It was harmless, but it was these little things that mess with the users. And now we have Windows programs that do that, so. Those are features. Yeah, there are no bugs in Windows. They're all features. The Blue Screen of Death was designed specifically to give you a coffee break. Didn't you know that? It's a little hard. Let me just crash the system so you can take a break. Encrypting boot sector viruses. Encrypting viruses will encrypt data or themselves making it... Do we do this? What are you doing?
File infector viruses. User error. The beginning of the virus code will point to the end of the file and the beginning of the real virus, putting this code into memory. So basically, it jumps over into memory, jumps over to finish the run at the end, and that loops over to the beginning of the actual virus file. These are really easy to identify because your file size gets big. Some of these were designed specifically to increase the file size each time you ran the program. Who remembers those? Who right now can tell me the maximum size of a COM file? Oh, you're scaring me now. 64K. Yeah. So if you have a one meg COM file, this would be bad, right? What if your COM file was like 10 gigs? That would be really bad. Well, some of these were designed to say, hey, if you've got any executables or any COM files, every time they run, let's increase the size expeditiously. So you're sitting there going, I've got three programs on my system and the drive is full. What is wrong with this? This is one of them. Yeah, you didn't update the FAT. The end of the virus code, yeah, we did that.

Multipartite viruses. The multipartite virus will infect both the boot sector and files. It doesn't care. It wants to hit both. This increases the spreading capabilities of the virus by disk, email, or other ways to move the file. So what happens is if you ever access a drive, if you ever access any executable file, it spreads. Made it really, really easy for the virus to just spread like EngBuskers, you know, just go everywhere.

Macro viruses. The macro viruses use a BASIC computer language included with Word and Excel to create the virus. You've just got to love these guys. Several of the macro viruses use the normal.dot file. Whenever you create a new document, it uses the standard template to create a new file. So the virus writers were actually saying, let's replace that file with our virus code.
So whenever you create a new doc or an Excel spreadsheet, you're creating it with a brand new virus each time. And then when you hand it to somebody else, they'll open it and then it'll look through and replace the normal.dot file, which means whenever you open any of your docs or Excel spreadsheets, they're automatically infected. One of the interesting ones was the Rainbow macro virus. Anybody remember that one? Okay. One of the interesting things with Rainbow was, Rainbow would just randomly start changing the colors of things, like your background and desktop wallpaper information. So you'll get your drop-down headers and the boxes and all that, all different colors. Everybody's seen the color schemes on Windows, right? Raise your hand, because everybody's at least had one job where they made you use the damn thing, right? Well, you know, you'll start booting Windows or using things and they'll start changing colors on you. You're like, that's not the color scheme. I didn't choose puce. I'm very confident on this. And baby shit yellow is not my favorite color. But that becomes interesting up until the time when it says just make all the colors black. Or let's make all the colors white. And then you're like, okay, now we have an issue. We'll just do the background. We'll just do everything black. Black, black, black, black, black, black. Not a pleasant situation. Very, very popular virus. Somewhat harmless. It really didn't have a payload. It was just a pain in the butt. Not too hard to remove. The easiest way to remove these is to get a fresh normal.dot file and replace it. Or delete it and let it recreate one.

What is a Trojan horse? A program or a piece of code that appears to be legitimate, but actually has a hidden, oftentimes malicious, purpose. Trojans do not replicate, but can be parasitic. A really popular one was Whack-a-Mole. Do you remember Whack-a-Mole? Raise your hand.
How many of you activated Whack-a-Mole because someone sent it to you in email and played it for hours? Just me? Yeah, great. Just me. Thank God it was not my computer. You get it from a friend. Dude, killer game. Play this. And you double-click it and it was actually a game of Whack-a-Mole. And you play it. Hey, this kicks ass. Some of the versions actually had Bill Gates' head. Bam, bam, bam. This really kicks ass. And then weird things happen to your computer and it's like, well, it doesn't kick ass anymore. It's kicking my ass. Trojan horses. These are programs that are put on your system by someone, or you are tricked into activating them yourself. Most often these are backdoor programs like BO, BO2K, NetBus, etc. There are a lot of different programs out there which are like Trojan generators, where they'll sit there and say, what is the actual executable you want to use? What legitimate program do you actually want to use? Like Whack-a-Mole or any type of, like, Solitaire game or whatever. And then it says, what Trojan do you want to put in there? Like BO2K, NetBus, whatever you want. And then it combines it into one executable. And then you send that off to somebody. And you say, hey, check out this game called Whack-a-Mole, or hey, check out this new Solitaire game. And it's the real program. But as you double-click on it and run it, it now loads the Trojan on your system. How's that for fun?

Nimda. This is Marty's baby here. So I'm going to let him talk about Nimda a bit. Yeah, Nimda was extremely successful and probably one of the most well known of the hybrid viruses because of media coverage and because of its high propagation rate. It used multiple methods of getting into networks. For instance, the first method was email.
It would arrive as an executable, but if you had, let's say, mail scanning software, virus scanning software, you could block these executables coming in that way. But one of the most interesting ways of its propagation was infecting web servers. And it did this by looking for vulnerable IIS servers, 4.0 and 5.0, and also Personal Web Servers. It would find these servers and run an exploit on them and infect the HTML files on the web server. Now this is interesting because there's also a vulnerability in Internet Explorer 5 through 5.5 that allowed the running of arbitrary code, MIME-encoded code. So it would attach its MIME to the bottom of the web page, and then a person would browse the web page, and then the machine would become infected, and then it would start to seek and then infect other machines. Once the machines were infected they would search the local user drives and also mapped drives looking for Word documents. This is the Trojan part, which I think was pretty slick. It would look for Word documents or anything that used rich text, like WordPad or Word, and it would drop a Trojan copy of riched20.dll, and what happens is, on network shares, if a user that's not infected executes this document, the first thing it does is look for riched20.dll to run. It has the worm code in it and then infects the user, and again they start to seek and propagate through the network and through the Internet. One of Nimda's strengths, which is the broadcasting and searching for vulnerable web servers, is also its weakness, because it was soon tracked on the Internet. If you've ever been to Incidents.org, and if you've never been, I'd recommend going, it's a good site. They were heavily tracking it, and then obviously companies got wise and started using their IDS systems to track this activity and disconnect infected subnets. So that's it.

All right, virus evolution. New methods of virus writing are emerging all the time.
New forms of malicious code have the ability to change themselves to evade detection. 1981, the first known virus, Mac OS. 1986, first known MS-DOS virus. 1988, encrypted viruses came out. 1997, oligomorphic viruses. 1998, polymorphic viruses. Metamorphic viruses. Keep in mind, antivirus software vendors identified 1,000 new viruses last year, bringing the total to 71,000 known worldwide viruses. There are no stupid questions. How could there be a Mac virus three years before the OS is released? Lisa. That wasn't the Mac OS. It was '83 or '84. The Lisa was actually the predecessor to the Macintosh. It was the same type of OS. The exact same type of OS. The Macintosh was the upgraded version of the Lisa. This is when they were moving away from the Apple II family. So when people were still using the Apple IIGS, the Apple IIe, the Apple IIc and all that stuff, the next revolution, the Lisa, which was probably the most unsuccessful computer ever devised, was actually the predecessor to the Macintosh we know nowadays. I hate to say this, but I used to wear a t-shirt. It used to say, friends don't let friends buy Mac. And now that we have OS X, which is based on FreeBSD, and actually gives you a CLI, damn it, buy a Mac.

If you were ever actually wondering what a metamorphic virus is: polymorphic viruses change versions of the code. They're encrypting keys and all that stuff. Each time they replicate, the metamorphic viruses actually change the code structure. Do you understand what I'm saying here? Okay. Let me explain this. If I only change portions of my code, I can still maintain a signature for the antivirus products to remove. Okay? I'm only changing encrypting codes, I'm only changing files, file information, okay? And my encrypting keys. If I actually change the whole code structure like a metamorphic virus does, it's almost impossible to maintain a signature for an antivirus product to remove. Very, very difficult.
There was an article, I can't remember, I wish I could, there was an article that was in one of the tech things where they were actually talking to antivirus vendors, and they're saying we need to rewrite or reinvent the wheel when it comes to antivirus products, because the viruses that are coming out now and the ones that are coming out in the future don't follow the same rules that we've been using in the past. So the engines they've been running for years now are almost completely useless. What's a good example of metamorphic? Zperm? Yeah, Zperm.A. Zperm? It used jump insertion and filled the body with junk code. This way it avoided detection. Yes. The watch one? Oligomorphic. Oligomorphic was their first attempt. When they first had encrypted viruses they used a static decryption key, which antivirus vendors soon put into their signatures. Into the signature patterns. Oligomorphic had the ability to use up to 64, I think, it was like 64 different encryption keys, and rotated them randomly. So it was another way for them to avoid detection. Yeah. So where the antivirus is looking for a specific encryption key, by changing the encryption key you keep it from finding the virus.

Fakes and false alarms. One of the interesting things that a lot of virus writers are using, especially for backdoors and Trojans, is they're using different types of compression programs. There's several compression programs you can get on the Internet for free. You can compress an executable into another executable. Now normally, if you use an executable zip program or whatever, the antivirus product will still identify it and remove it, because when you activate it, it uncompresses and actually runs the code. What these files do is they actually compress into a brand new executable, and it doesn't uncompress when it executes. So you can take a BO2K, compress it once, and it's a whole new file, right through antivirus products.
Well fine, we'll just create a signature for that. Okay, well, let me compress it three times. Brand new executable. Fine, make another one. I'm going to do it 64 times. Now it's almost impossible, because I have to adapt a file for, like, from one to a thousand different types of compressions. Well great, that works for that one program, but what about another one that's compressed with a different algorithm? So what people are doing is, your antivirus product will be up to date. Every antivirus product right now can block BO2K. I mean, if you have it on there, it's going to see it, it's going to stop it. Well, with what these compression programs do, it makes it impossible for these antivirus products to see it, because it's not in the signature base. So right now I could send you a file that's compressed once or twice or three times, you can execute it on your system, and I can infect you with BO2K. And you could have DAT files that were updated this morning, and it wouldn't make a damn bit of difference, it's too late.

All right, I'm going to go back. Fakes and false alarms. All right, most fakes and false alarms are spread through email. What? Anybody? Whatever. Look for lots of bangs in your email header, and "Read this" in all capitals. "Read this," and it's followed by... These are usually a really good indication that someone's yanking your dink. All right, this and "send to everyone you know." I'm telling you right now, if anybody in this room ever forged an email that I get from this, I will find you. One way or the other, I will track you down, and you will buy me a beer. My favorite is "the most destructive virus ever." This virus is amazing. Not only will it delete your hard drive, but it will delete the hard drive in the other room. It will mow your lawn. Your wife will get pregnant. Your virgin daughter will get pregnant. Your dog will be pregnant. Also, when you start seeing things like, "Microsoft says this is the most destructive virus it's ever seen."
Microsoft doesn't really give out virus warnings, I'm sorry. You know, it's like, McAfee says that it's impossible to remove. Well, first of all, when you see something where it says any type of antivirus product says that it cannot remove the virus, what antivirus company would ever make a statement like that? We can't handle it. We have no clue. Better buy somebody else's. We don't know what to do. We're clueless. Well, that's true, but that's not the reason why they're clueless. But we won't go there. So be careful. Realistically, this becomes a virus. Think about it. A virus's job is to replicate and spread as fast as it can, everywhere it can. It does not have to be destructive. If I have an address book of 400 billion people and I send this to them, I've replicated this to everybody. Spam is one of the biggest freaking viruses ever developed. And if I get one more piece of marketing material from some bastard, you know, like, hi, I'm Cindy. Want to see my tits? It makes you just want to slap somebody or something. I don't know. Okay.

VBS, Visual Basic scripts. Damn script kiddie in the world can now write viruses. The I Love You virus was one of these. Now, the first time I gave this lecture, I had a seven-year-old boy in the back. He raised his hand. He goes, you spelled damn wrong. It's like, I know very well how I spell damn. It's spelled there. It's supposed to be a joke. Here's the key here. If you get the joke, cool. If you don't get the joke, don't ask me. You need to figure it out yourself. It's not that difficult. But I can tell you right now, those of you who have not gotten the joke are going to be up tonight going, what the hell did he mean by damn? It could be. The I Love You virus is a really good example. It took basic exploit capabilities. It was written in VBS script. It spread like wildfire. It covered everybody. Who here actually worked at a company that was infected by the I Love You virus? Raise your hand.
If you were working at a company, or you yourself were infected by the I Love You virus. Most of us were. Most of us were. Oh, I like that. His security manager got it and forwarded it to the company. Is he still working there? Anacorticova. He says they love us. I knew I was pretty close to my boss. I wasn't that close. My wife doesn't see this one. When I had emails sent to me from the secretary, which I could understand, but I mean, from like the president of the company and my manager, the trash lady who does the shipping, I love you, man. Look, I mean, I'm a nice guy, but that's pushing it, you know? I knew something was wrong. Now, the interesting thing about the I Love You virus and stuff like this is these cannot really be detected, because you don't have the updated DAT files.

How do you protect yourself from malicious and hostile code? How do you protect yourself when you surf a website and you get nailed by a JavaScript or an ActiveX script? Aside from actually running a UNIX program. You can. You can turn it off. You can turn it off in the web browsers. You can turn off ActiveX and Java. There are other places you need to go sometimes that require ActiveX and Java. So you can actually set them up to say, request my permission before you run any of these codes. I like this. Don't you love the little thing you get in Windows? It's like, hey, we're trying to give you this. It has a little click, but always trust Microsoft. Oh yeah, I'm checking that box right now and clicking. Okay, right here, buddy. Yeah, yeah. And the check's in the mail and I won't, never mind. But you really need to defend yourself against all the code. There are programs out there right now that use the sandbox technology to actually protect you from malicious code. Now these programs are not designed to replace your antivirus product. They're designed to work in conjunction with your antivirus product, because they don't remove the virus. They stop malicious activity.
There's a couple of different programs out there that do that. Hostile code. Everything we talked about is considered hostile. So what's the deal here? New and undiscovered hitting the wild, Java, ActiveX, other crap. How do you defend against new hostile code? Use your brain. That doesn't always work, because your brain is your worst enemy. Huh? That's before beer. Yeah, right. But it's amazing how much you actually do when you've had like a case of Jolt. Defending against hostile code. Setting the proper security settings on your systems. Yes, this means your UNIX systems as well. Yes, UNIX systems are now under attack by viruses and Trojans. Yes, having a UNIX system doesn't mean you're 100% safe. Anyone in this room who actually thinks that because they're running Linux they are completely 100% safe, I need to drag your ass over to the Capture the Flag area right now. I don't care how locked down your box is. I don't care how many IDS systems you have on that system. It is still able to be accessed if you know what you're doing. One of the theories that are running around in some of the virus areas is, what about having a virus that looks to a secret FTP server for new vulnerabilities, loads and updates itself, and then goes out and tries to attack web servers that may have this vulnerability, or workstations on the Internet? Now that we all have DSL and cable modems and we're on 24/7, this makes it really, really easy. Now I want you to really think about that for a moment. Imagine a virus who looks for new exploits. What about the exploits that aren't released to the wild? You guys do know that when a hacker crew releases an exploit, they've had it for months, right? That they just didn't discover it that day and release it, right? Most of these are released to the vendor months before it's released to the wild. Sometimes out of courtesy. Sometimes because it's just a poke in the eye.
I know people who have vulnerabilities to different operating systems, FreeBSD, Solaris, Linux, Windows, that they've never released to anybody, that they use daily, that still have not been discovered. So what if you had a virus that would look for these at secret locations and then hit your system, and you couldn't defend against it? How many people right here are just a little twinged on that? Just a little scared? Well, you should be. The future of hostile code is pretty astronomical. Don't even get me started on cyberterrorism. That's another hour talk.

What these programs do is they use the sandbox technology, okay? The programs look for hostile activity on your systems, stop it in its tracks, and give you a warning. A good example is there's a program called Finjan SurfinShield. It's a good product. I use it on my systems too. And it works in conjunction with your products. No, I'm not a rep. I don't get kickbacks. I get no money from them. It's just a good product. Sandbox, I'll learn how to talk. Sandbox technology, how does it work? What about DAT file updates? A great app to use is Finjan SurfinShield. No, I don't get kickbacks. Told you. There's a website. Dany Nelson. She's a sales rep. She works with me a lot. I'm trying to get it for the company I work for right now. The thing with Finjan software is it doesn't use DAT files. So you don't have to worry about that anymore. What it does is it looks for hostile activity. Once again, this works in conjunction with your antivirus product. Here's a good example. When the I Love You virus hit the wild and spread across the United States in under a couple of hours and infected thousands of systems, companies that actually were using the sandbox technologies were completely unaffected, because it recognized it as hostile activity and stopped it in its tracks. This was before the DAT files were out. It took like two hours for some of the companies to get DAT files out for this.
In two hours, your systems were hosed. If you think in conjunction with the amount of downtime you're involved with, you really need to plan for hostile activity. If you take your salaries, if you have tech people, let's take an average salary of $60,000 a year. Is that fair for mid-to-upper-level techs? Thumbs up? Let's just take that as a number. I wouldn't take that as a salary, but that's just me. For $60,000 a year, if I have five techs, if it takes them one day to recover all my systems, they've now spent one day less working on their normal projects. I've lost money. If all my employees in my company cannot operate because their systems are down, I still have to pay their salaries. Now I've lost a lot of money. They say it takes, on the average, for a large company of a couple hundred employees, something in the realm of $250,000 a day to recover if they're not working. That's natural disasters and hostile activity.

So that's it. That's my talk. Thank you very much for coming out. I'd like to thank my partner Marty here. Marty helped me out with a lot of the slides, and we've been working back and forth. We've both lectured together at H2K2, and we're working on a new advanced antivirus product talk for next year. This is the last year this talk will ever be spoken. The next talk will be advanced, with actual samples of code and explaining how the code is actually operating. So, questions?

Would ZoneAlarm Pro help, or AVP? ZoneAlarm Pro or programs like that? Yes and no, those help against some things, but not hostile activity directly on the system from malicious code. It's a different process. Which one? TDS. I'm actually not familiar with that product, so I'm not sure. Which one? That one's not working. I haven't seen it. Do you have an opinion on Kaspersky Labs' antivirus software product? Actually, I haven't used it. I haven't seen it. Yeah, a lot of CPU cycles. I'll flat out tell you right now. I've been dealing with computer viruses for a lot of years.
I have never, ever written a virus. Doesn't mean I can't. It's just part of my moral fiber. I can't come out here and preach antivirus and actually produce it myself. I refuse. I won't be a hypocrite. I can tell you right now there is no antivirus product out there right now who will write or create or work with anybody who's ever written a virus. McAfee has actually escorted people out the door for admitting that they've written a virus. You don't even get to pick up your shit. We'll mail it to you. They'll escort you out the door. The reason for that is, if you work for an antivirus company, or any antivirus companies, if they ever, ever discovered they released a virus, the company would be out of business immediately. Either way, no, they won't even do it. They won't do it. They can't. They can't. The company would fold in 24 hours. So a lot of companies, like, well, you know, so-and-so, I know they write viruses. I can tell you right now I've worked at several antivirus companies. No, they never write viruses. They had, I was over at McAfee and they wanted to hire this engineer who was phenomenal. The guy was great. They were just like sweating bullets. We were going to offer him the moon, and they asked the question, hey, have you ever written a virus? Yeah, I've written two or three. And everybody's heads at the table went, we can't hire you. We can't. Well, it was early on in my college years. I don't do it now. He goes, we can't hire you. We can't have anybody here ever who's ever written a virus. And as a matter of fact, we have to escort you out right now. And they did. They brought him up. They brought in security and they escorted him right to the door. He was really stringent on that. I went to lunch with the guys, and I was sitting there, and they were talking about, like, yeah, you know, John McAfee, you know, it was like, it was the Michelangelo that basically put, you know, McAfee on the map, and it's really what launched the company.
And I was kicking back at lunch with a bunch of the guys. I said, yeah, great. How long did it take John to write it? Dead silence. They're glaring at me. They're going, we don't even fucking joke about that. I was like, wow, been here two days, I'm almost fired. I mean, they were really pissed. Don't you ever even joke about that. McAfee really, I mean, I can tell you right now, McAfee takes it really, really seriously. So does Symantec.

With the Code Blue virus, was it basically just a copy of Code Red with a different attack point, or is there anything else unique about it? That's a long discussion. That's something that we can kick back over a beer sometime and talk about. Yeah. Yeah, there were differences, but once again, it was basically someone basing off another technology running back in. It's like the second version of the I Love You virus. You know, it's like, yeah, we'll take the basic concept and we'll just throw new packages on, but it did add some other new features. So that's, it's kind of an interesting discussion. Anybody else? Yeah.

What's the policy with politics behind antivirus software deciding what to look for, for example, keyboard sniffers or other spyware, whether it be government or otherwise? Basically, in a nutshell, the attitude is, how fast can this replicate? How relevant is it in the wild? If they feel that it's actually in the wild right now, or it will be in the wild very soon, and it's going to replicate real fast and spread, then they put it in DAT files. Thousands of viruses written aren't in DAT files anymore. There's viruses that were in DAT files years ago that aren't in DAT files now, because those viruses only worked on specific versions of the OS, of specific OS systems. There's some viruses that were in DAT files that you will never see again, because they only worked on DOS 5.0 systems. So it's, you have to keep the DAT files downloadable. So that's what they do. Yeah. One more question. Sandboxing and them detecting hostile activities.
What does this program define as hostile? How do you define hostile activity? Basically, a hostile activity is anything that, if it's going to replicate or place something on the system that it considers hostile: changing the kernel code, sending out email without permission, opening up other applications. These can all be ascertained as hostile activities, because it looks for specific things that hostile activity is doing now and looks for that type of replication capability. All right. Thank you very much. Appreciate you guys coming out.
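The talk describes sandbox products as scoring what a program does (changing system files, sending mail without permission, launching other applications, dropping riched20.dll beside documents, replacing normal.dot) rather than matching a DAT-file signature. The example below is added here as an illustration of that idea; it is not code from the talk, from Finjan, or from any vendor. The rule set, the weights, the block threshold of 5 and the event log are all constructed for the example, and the process and file names in the log are made up to mirror the cases the speakers mention.

```python
"""
Behaviour-based 'hostile activity' scorer (constructed example).
Every process in an event log is scored on what it does; nothing here
depends on a file signature, so a never-seen binary can still be blocked.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable

BLOCK_THRESHOLD = 5          # assumed cut-off: at or above this, block and warn
MASS_MAIL_RECIPIENTS = 10    # assumed: this many unprompted recipients is mass mail


@dataclass(frozen=True)
class Event:
    process: str                   # executable that performed the action
    action: str                    # "file_write" | "reg_write" | "send_mail" | "spawn"
    target: str                    # path, registry key, recipient or child process
    user_initiated: bool = False   # did the user explicitly ask for this?


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        return self.score >= BLOCK_THRESHOLD


def _norm(path: str) -> str:
    """Lower-case and use backslashes so rules match Windows-style paths."""
    return path.replace("/", "\\").lower()


# Per-event rules: (action, predicate on target, weight, reason).
# Each mirrors a behaviour named in the talk, not any file content.
RULES: list[tuple[str, Callable[[str], bool], int, str]] = [
    ("file_write", lambda t: _norm(t).endswith("\\normal.dot"), 4,
     "replaces the Word global template (macro-virus behaviour)"),
    ("file_write", lambda t: _norm(t).endswith("\\riched20.dll")
                             and "\\system32\\" not in _norm(t), 4,
     "drops riched20.dll next to documents (Nimda-style DLL planting)"),
    ("file_write", lambda t: "\\system32\\" in _norm(t), 3,
     "writes into the system directory (system/kernel modification)"),
    ("reg_write", lambda t: "\\run" in _norm(t), 3,
     "registers itself to start at boot"),
    ("spawn", lambda t: True, 2,
     "launches another application without being asked"),
    ("send_mail", lambda t: True, 1,
     "sends email without user permission"),
]


def assess(events: list[Event]) -> dict[str, Verdict]:
    """Score every process in the log on behaviour alone."""
    verdicts: dict[str, Verdict] = defaultdict(Verdict)
    unprompted_recipients: dict[str, set] = defaultdict(set)
    for ev in events:
        v = verdicts[ev.process]       # every process gets a verdict, even a clean one
        if ev.user_initiated:
            continue                   # the user asked for it: not hostile by itself
        for action, matches, weight, reason in RULES:
            if ev.action == action and matches(ev.target):
                v.score += weight
                if reason not in v.reasons:
                    v.reasons.append(reason)
        if ev.action == "send_mail":
            unprompted_recipients[ev.process].add(ev.target)
    # Aggregate rule: mailing the whole address book without permission.
    for proc, rcpts in unprompted_recipients.items():
        if len(rcpts) >= MASS_MAIL_RECIPIENTS:
            verdicts[proc].score += 4
            verdicts[proc].reasons.append(
                f"mass-mailed {len(rcpts)} recipients without permission")
    return dict(verdicts)


def blocked_processes(events: list[Event]) -> list[str]:
    """Names of the processes the monitor would stop, sorted."""
    return sorted(p for p, v in assess(events).items() if v.blocked)


# Constructed sample log; names and paths are invented for the example.
SAMPLE_LOG = [
    Event("outlook.exe", "send_mail", "stacy@example.com", user_initiated=True),
    Event("outlook.exe", "send_mail", "marty@example.com", user_initiated=True),
    *[Event("love-letter.vbs", "send_mail", f"contact{i}@example.com") for i in range(12)],
    Event("love-letter.vbs", "reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\loveletter"),
    Event("whackamole.exe", "spawn", "bo2k.exe"),
    Event("whackamole.exe", "reg_write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bo2k"),
    Event("winword.exe", "file_write", r"C:\Program Files\Microsoft Office\Templates\normal.dot"),
    Event("winword.exe", "file_write", r"\\fileserver\docs\riched20.dll"),
    Event("winword.exe", "file_write", r"C:\Users\stacy\report.doc", user_initiated=True),
]

if __name__ == "__main__":
    for proc, v in sorted(assess(SAMPLE_LOG).items()):
        state = "BLOCK" if v.blocked else "allow"
        print(f"{state:5} {proc:16} score={v.score:2}  " + "; ".join(v.reasons))
```

Two design points worth noting. First, `outlook.exe` scores zero even though it sends mail, because the user clicked Send; the same actions performed unprompted by `love-letter.vbs` are what push it over the threshold, which is the distinction the speaker draws with "without permission". Second, a single suspicious act (`winword.exe` rewriting normal.dot on its own scores 4) stays below the cut-off on purpose; it is the combination with dropping a DLL on a share that triggers a block, which keeps ordinary template edits from raising alarms while still catching the Nimda-style pairing the talk describes.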