Are Viruses Making a Comeback?

ronjor · May 16, 2013

Tim Rains - Microsoft

In the six or seven years that we have been publishing the Microsoft Security Intelligence Report (SIR) I have seen many trends emerge over time. The threat landscape is constantly changing as attackers try to find methods that will help them compromise the systems they target. For several years viruses (file infectors) seemed to be out of favor with attackers as they used other categories of threats to attack systems.

Viruses simply didn’t support the profit motive many attackers had in the same way that Trojan Downloaders and Droppers, Miscellaneous Trojans, and Password Stealers and Monitoring Tools all did. Viruses are threats designed in an era before ubiquitous Internet connectivity made it easier for Worms to successfully self-propagate. Worms like SQL Slammer and Blaster spread around the world in minutes. This would likely take an old fashioned file-infector much, much longer to accomplish, limiting their ability to infect large numbers of systems quickly. Additionally, Viruses tend to be relatively “noisy” threats as they typically try to infect large numbers of files (.exe, .dll, .scr) on the systems they compromise. This characteristic can make them easier to detect than other more blended threats.
Click to expand...

https://blogs.technet.com/b/securit...iruses-making-a-comeback.aspx?Redirected=true

Rmus · May 16, 2013

Note that while Viruses and Trojans do different things once installed, prevention of infection by remote code execution (aka Drive-by Download) is the same, since both tend to drop binary executable files to disk:

Virus, from Microsoft MPC:

Win32/Sality

Installation

Most variants employ a DLL that is dropped once on each infected machine. The DLL is written to disk in two forms, for example:

<system folder>\wmdrtc32.dll

<system folder>\wmdrtc32.dl_
Click to expand...

Trojan, from f-secure:

Trojan-Downloader:W32/Agent.BRK

Execution

Trojan-Downloader:W32/Agent.BRK drops the following driver component once it has been executed:

%sysdir%\drivers\runtime.sys
Click to expand...

A system with protection against the downloading/installing of unauthorized executables will intervene to block these exploits.

----
rich

Gullible Jones · May 16, 2013

Hmm. Since the Sality one uses a DLL, wouldn't it bypass a HIPS silently if rundll32 were allowed?

Rmus · May 17, 2013

If the security program whitelists all executable file types on the system, then others can not run or load.

In the case of rundll32.exe, it can do whatever it wants, as long as the DLL is whitelisted. If not:

----
rich

Gullible Jones · May 17, 2013

I see, thanks. I'd read that some HIPS will allow any DLL to be executed through rundll32 if the latter is allowed, but I guess that's not the case for all of them.

Log in or Sign up

Are Viruses Making a Comeback?

ronjor Global Moderator

Rmus Exploit Analyst

Gullible Jones Registered Member

Rmus Exploit Analyst

Gullible Jones Registered Member

Log in or Sign up

Are Viruses Making a Comeback?

ronjor Global Moderator

Rmus Exploit Analyst

Gullible Jones Registered Member

Rmus Exploit Analyst

Gullible Jones Registered Member

Useful Searches