
Basically, very few tools are required to experiment in computer virology (and in particular to write a virus or a worm). Moreover, these tools are not very difficult to obtain. Therein lies the danger. If it is possible to control weapons of mass destruction, ranging from nuclear and chemical to biological weapons (with more or less difficulty depending on their nature), trying to control “massive viral infection weapons” like worms is, on the contrary, wishful thinking.

[48] The W32/Netsky-P worm appeared in the wild on March 21st, 2004, while the W32/Zafi-B worm has been spreading since June 11th, 2004. Both are email worms.

[49] According to the French CERT-Renater, as an example, in February 2004, more than

Knowledge of such techniques is easy to acquire (even though it requires a lot of dedication to master) and the tools are common and harmless: they are simply those which are currently used in the computer industry. All things considered, there are grounds for saying that worldwide attacks (such as the Sapphire/Slammer attack in 2003) are bound to increase in the near future. International organizations in charge of monitoring viral alerts will have to face huge challenges: they will try to outdo the virus writers in skill and imagination while also managing software vulnerabilities and critical flaws. The actual victims of such attacks are essentially the industrial and national computer resources of each country stricken by them.

As far as tools are concerned, let us make clear that they are shared by both antiviral researchers/experts and virus programmers. Let us draw up a list of the tools which are necessary to write or analyze malware:

• a compiler (assembly language, C language...) or an interpreter (VBA, VBScript...) for the language considered. For languages like VBA or other scripting languages, the corresponding interpreter is natively included in some applications (Office applications, Internet Explorer...);

• a disassembly program. Thanks to it, source code can be obtained from a binary executable file. Both people who wish to protect against viruses and those who want to acquire these techniques can take advantage of viral code analysis. In this respect, the IDA Pro software is probably the best[50];

• a debugger (software designed for execution in step mode). This type of software enables infectious code to be analysed in order to better understand its behaviour. The most popular software in this respect is Soft ICE[51];

• a hexadecimal editor or hex editor (designed for displaying and handling raw data of any kind);

• miscellaneous tools which facilitate the analysis or the handling of files (a PE header analyzer, as an example) or of the system's real-time activity (API calls, for example; tools such as FileMon, Regmon...);

• some bibliographic material and technical documents. Nowadays, most technical information is available on the Internet and is provided by computer companies (hardware, software, protocols) and other reliable sources.

[50] IDA Pro © Datarescue - http://www.datarescue.com

[51] Soft ICE © Compuware - http://www.compuware.com/products/driverstudio/softice/

The list is now complete. Indeed, one needs much patience, motivation, and tenacity to acquire the knowledge necessary to create efficient viruses or to fight against them. While looking at this brief list (some home-made tools could be considered as well), the reader will assess the scope of the viral threat. To date, most virus programmers write viruses as a hobby. Consequently, many of these programs contain sloppy code and are simple enough to be detected easily. Fortunately, the inefficiency of these viral programs prevents them from causing a global disaster. Now, let us imagine what would happen if extensive research were carried out on viruses by any country or organization with a view to using them as genuine weapons[52]. In such a situation, it would be an illusion to believe that UN disarmament experts could play any serious part in this field.
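The list above mentions a PE header analyzer among the tools an analyst uses on a suspicious file. As an added example, not taken from the book, here is a minimal one in Python: it walks the DOS header pointer, the COFF file header and the section table, then reports two cheap sanity checks an analyst runs before anything else (a section that is both writable and executable, and a section whose raw data points past the end of the file, which is typical of a truncated or hand-edited image). The constants are the documented PE/COFF values; the sample image is constructed in the block (header-only, it is not a program) and the section names in it are arbitrary.

```python
import struct

# Constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "i386", IMAGE_FILE_MACHINE_AMD64: "amd64"}


def parse_pe(data):
    """Parse the e_lfanew pointer, the COFF file header and the section table of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, size_opt, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + size_opt  # section table follows the optional header
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags,
        })
    return {"machine": machine, "machine_name": MACHINE_NAMES.get(machine, hex(machine)),
            "timestamp": timestamp, "characteristics": characteristics, "sections": sections}


def analyze_pe(data):
    """Return (parsed header, findings) for the first sanity checks run on a sample."""
    pe = parse_pe(data)
    findings = []
    for s in pe["sections"]:
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: section is both writable and executable")
        if s["raw_ptr"] + s["raw_size"] > len(data):
            findings.append(f"{s['name']}: raw data extends past end of file")
    return pe, findings


def build_sample_pe(sections, truncate_to=None):
    """Build a constructed, header-only PE image for the demo (not a runnable program)."""
    e_lfanew, size_opt = 0x80, 0xE0
    header_size = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    first_raw = (header_size + 0x1FF) & ~0x1FF  # 0x200 file alignment
    hdr = bytearray(b"MZ").ljust(0x3C, b"\x00")
    hdr += struct.pack("<I", e_lfanew)
    hdr = hdr.ljust(e_lfanew, b"\x00")
    hdr += b"PE\x00\x00"
    hdr += struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections), 0, 0, 0, size_opt, 0x0102)
    hdr += b"\x00" * size_opt  # zeroed optional header, enough for the section-table walk
    body, raw_ptr = bytearray(), first_raw
    for name, raw_size, flags in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                           raw_size, raw_ptr, raw_size, raw_ptr, 0, 0, 0, 0, flags)
        body += b"\x00" * raw_size
        raw_ptr += raw_size
    data = bytes(hdr.ljust(first_raw, b"\x00") + body)
    return data[:truncate_to] if truncate_to else data


if __name__ == "__main__":
    R, W, X = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE
    # Constructed sample: three sections, file cut 0x100 bytes short so the last one overruns.
    sample = build_sample_pe([(".text", 0x200, R | X), (".data", 0x200, R | W),
                              (".rwx", 0x200, R | W | X)], truncate_to=0x700)
    pe, findings = analyze_pe(sample)
    print(pe["machine_name"], [s["name"] for s in pe["sections"]])
    for f in findings:
        print("finding:", f)
```

Both checks are heuristics: packers and some legitimate runtimes also produce writable-executable sections, so a finding is a reason to look further with the disassembler and debugger from the list, not a verdict.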

Exercises

1. Taking as an example the Unix.satyr virus whose code is described in Chapter 8, write a virus (in C language) designed to infect ELF binaries by appending the major part of its own code. So that the virus takes precedence over the infected host file whenever the latter is run, a part of the code will have to be prepended to the executable target file (it is equivalent to a jump function towards the viral code located at the end of the file).

2. Implement an overwriting virus (in C language). Taking the vcomp_ex_v2 virus as an example, described in Chapter 8, decrease its infective power (virulence) by taking into account the target file size before the infection takes place.

[52] In 2004, North Korea acknowledged the fact that their armed forces developed such viral

5 Fighting Against Viruses

5.1 Introduction

The purpose of this chapter is to survey the different techniques[1] which are currently used to defend against viruses. These techniques, though efficient, do not remove all the risks but will at best limit them. That is the reason why it is illusory to base an antiviral protection policy solely on the use of antivirus software, however efficient it may be. We will therefore present the main computer “hygiene rules”, which can be very effective when properly applied and judiciously combined with antivirus software. Most of these rules are derived from the security models defined during the eighties.

The issue behind defense against viral infections (prevention, detection, eradication) is far trickier to address and to deal with than it seems, beyond the theoretical results presented in Chapter 3. We will just consider the two following aspects, at least to illustrate our comments.

• The first aspect is the notion of protection. The latter is only valid with reference to a specific environment, specific tests or techniques... The theoretical complexity of viral detection compels us in practice to use probabilistic and statistical techniques which have their inherent error probabilities[2]. To make things clear, if the environment of reference and the techniques change, the defense against viruses is bound to fail unless these changes are taken into account. It is precisely this weakness that the virus writer will exploit. No single defense is best for all situations.

[1] It is worth noticing that technical data and information about how to make viruses are paradoxically far easier to find than those dedicated to antiviral detection and protection. Generally, it will then be useful to study some antiviral software through black box testing, or even to partly or wholly disassemble them – a long and tedious approach, which may be hard when faced with protected executables (by means of compression, encryption or obfuscation techniques) – to get a deep knowledge of antiviral techniques. The careful study of the viral signature databases is required as well.

• The second aspect is to assess the reliability of antiviral techniques properly, beyond the error probabilities discussed in the last point. Let us consider the following precise attack scenario: let us assume that my antiviral program detects the B variant of a given worm. To what extent shall I trust it? Will this antiviral program be able to detect a potential B′ variant, which is similar in every respect to the B variant (and which it will detect as such), but in which a logic bomb or a Trojan horse has been carefully hidden, in such a way that it will be installed before the worm is detected? Despite the fact that the disinfection has been successfully performed, this additional malware, which has been installed and has evolved in an independent way before the eradication of its viral carrier, may still be active and may have become undetectable (let us recall that its viral vector has been eradicated). Obviously, my antiviral program has done its job. The user now feels relieved, convinced that the danger is over. Let us examine the following scenario. Imagine an attacker wants to infect my computer. He is likely to choose a worm or virus that my antiviral software generally detects and eradicates efficiently, but he will add a payload (for instance, after analysing my antiviral program) in a non-discriminating way (the antiviral program will be unable to distinguish this version from the earlier one). Let us now consider the case of companies or public institutions, in which a targeted attack has been launched at two different levels. The antiviral program will simply detect the first level of the attack, but will fail to detect the second one. What is going on then? In fact, the antiviral program will act just as it was programmed. Certainty can only be gained from viral code analysis. Now this analysis is mostly performed at an early stage to update the product, but in the absence of any good reason, this analysis is unlikely to be done again at a later stage. For instance, if the logic bomb of the attacker remained undetected, there are no grounds for performing such an analysis. Tests and experiments carried out in our laboratory showed that any antiviral program is relatively easy to bypass. Unfortunately, no exception was noticed, whatever techniques or functional mode (static mode or dynamic mode) the antivirus software used. In all cases, viruses which were introduced and executed for the purpose of the experiments remained undetected.

[2] The term “false alarm”, which is generally ill-defined and sometimes misused by antiviral software professionals and by many authors, precisely corresponds to the type I error as defined in statistics.
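The two aspects above turn on error probabilities: a detector is a statistical test, a false alarm is its type I error and a missed sample its type II error, and both are only meaningful for the corpus and technique the detector was tuned against. As an added example, not taken from the book, the Python below runs a naive byte-signature scanner over a small constructed corpus with known labels and reports the confusion matrix and both error rates. The signature database, the marker bytes and the file names are all constructed for the demo; the marker stands in for a real signature and is not malware.

```python
from dataclasses import dataclass


@dataclass
class Sample:
    name: str
    data: bytes
    malicious: bool  # ground truth, known only because the corpus is constructed


# Constructed signature database: name -> byte pattern the scanner looks for.
SIGNATURES = {"Worm.B": b"CONSTRUCTED-WORM-MARKER-B"}

# Constructed corpus. The marker bytes stand in for a real signature; none of this is malware.
CORPUS = [
    # the known B variant: carries the marker, correctly flagged
    Sample("worm_B", b"\x7fELF" + b"\x00" * 12 + b"CONSTRUCTED-WORM-MARKER-B", True),
    # a variant whose marker bytes differ by one character: the signature no longer applies
    Sample("worm_B_variant", b"\x7fELF" + b"\x00" * 12 + b"CONSTRUCTED-WORM-MARKER-b", True),
    # an analyst's own notes quoting the signature: benign, but the scanner flags it
    Sample("av_signature_db.txt", b"Worm.B := CONSTRUCTED-WORM-MARKER-B\n", False),
    Sample("hello.bin", b"hello world", False),
    Sample("report.txt", b"incident report, no sample attached", False),
]


def scan(data, signatures):
    """Naive signature scanner: return the first matching signature name, or None."""
    for sig_name, pattern in signatures.items():
        if pattern in data:
            return sig_name
    return None


def evaluate(corpus, signatures):
    """Confusion matrix and the two error probabilities of the scanner on a labelled corpus."""
    tp = fp = fn = tn = 0
    false_alarms, misses = [], []
    for s in corpus:
        hit = scan(s.data, signatures) is not None
        if hit and s.malicious:
            tp += 1
        elif hit and not s.malicious:
            fp += 1
            false_alarms.append(s.name)
        elif not hit and s.malicious:
            fn += 1
            misses.append(s.name)
        else:
            tn += 1
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        # type I error (the "false alarm" of footnote 2): a benign sample flagged
        "type_i_rate": fp / (fp + tn) if fp + tn else 0.0,
        # type II error: a malicious sample not flagged
        "type_ii_rate": fn / (fn + tp) if fn + tp else 0.0,
        "false_alarms": false_alarms, "misses": misses,
    }


if __name__ == "__main__":
    result = evaluate(CORPUS, SIGNATURES)
    print(f"TP={result['tp']} FP={result['fp']} FN={result['fn']} TN={result['tn']}")
    print(f"type I (false alarm) rate: {result['type_i_rate']:.3f}")
    print(f"type II (miss) rate:       {result['type_ii_rate']:.3f}")
    print("false alarms:", result["false_alarms"])
    print("misses:      ", result["misses"])
```

The numbers are only valid for this corpus: swap in a different variant or a different set of benign files and both rates move, which is the "environment of reference" point made above. Measuring a detector this way on one's own file population, rather than trusting a vendor figure, is the practical form of the reliability assessment the second aspect asks for.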

Does it mean that antiviral programs are useless? Definitely not[3]! Yet, to assess the limitations of each of them, the best solution is to describe the techniques they use and how they work. The purpose is to improve users’ education and awareness regarding the necessity of strictly applying computer “hygiene rules” upstream and downstream of any antiviral program to reduce the risks of viral infection.