Global Information Assurance Certification Paper
Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.
Interested in learning more?
Check out the list of upcoming events offering
"Security Essentials Bootcamp Style (Security 401)"
at http://www.giac.org/registration/gsec
Match Point:
Analysis of the Anna Kournikova virus
ull
rig
ht
s.
By Mark Muzzi
rr
eta
ins
f
We’ve seen this time and time again within the past two years. An innocent
looking email arrives in our inbox and subsequently begins to wreak havoc with our
company’s mail server, and the mail servers of all the addresses listed in our address
book. It is the purpose of this paper to examine the latest such outbreak called the Anna
Kournikova or VBS/SST virus. This paper will examine the technicalities of the virus,
how fingerprint
it was able =toAF19
spread,
and2F94
examine
how
the user
canF8B5
better06E4
defend
themselves
Key
FA27
998D
FDB5
DE3D
A169
4E46 from
such a virus. In the end, you will hopefully come away with a better understanding of
how a virus works and how to better defend yourself against them.
5,
A
ut
ho
Malware is the term used to describe types of malicious code. Consisting of
viruses, Trojan horses, worms and malicious applets these are the major players in the
disruption of productivity among computer users.
A virus can best be described as:
te
20
00
-2
00
A self-replicating program containing code that explicitly copies itself and that can
“infect” other programs by modifying them or their environment such that a call to an
infected program implies a call to a possibly evolved copy of the virus.
The two basic types are:
• File Infector
• Boot Record Infector (1)
In
sti
tu
Some viruses do little or no damage, simply replicating themselves, while others affect
programs a degrade system performance. Never assume that a virus is harmless and leave
it alone.
SA
NS
Trojan Horses are programs with a hidden action. Usually they are disguised as
some harmless program. A popular example of a Trojan horse is Back-Orifice.
©
Malicious Applets are applets that attack a local system via the web, and can
include denial of service, invasion of privacy, and annoyance. These are different from
attack applets, which look for weaknesses in the implementation of the Java security
Model
Worm viruses are able to spread themselves either as a host computer worm or a
Key
fingerprint
AF19
FA27 2F94
998D
DE3D
F8B5 06E4
network
worm. =Host
computer
worms
are FDB5
local to
the machine
theyA169
run on4E46
and use
network connections only to replicate themselves out to other computers. Once a copy is
made and out on another host, the original terminates itself, so there is only one copy out
at any given time. Network worms are made up of various parts called “segments”
© SANS Institute 2000 - 2005
Author retains full rights.
running on separate machines. The network is used for communication purposes as well
as propagating segments to new host systems. Worms of both types also tend to
propagate themselves without any action form the user.
ins
f
ull
rig
ht
s.
The Anna Kournikova (VBS/SST) virus aka VBS.Lee-o, VBS.OnTheFly,
VBS.Kalamar, and VBS.Vbswg.gen could be either a virus or a worm. The code requires
the user to open the email and run the attached file, making it in this respect a virus.
Although it has also been referred to as a worm, since it uses a network to propagate
itself, instead of using disks or files. It is because of this it is incredibly similar to “Love
Bug” virus.
ut
ho
rr
eta
The Love Bug virus appeared around May 4th, 2000. It contained the subject line
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
“ILOVEYOU” and asked the user to check the attached love letter. The love Letter was a
VBScript and runs on systems with windows scripting host (WSH) or systems that
interpret Visual Basic and have a Wscript library, just like the Anna Kournikova virus.
The Anna Kournikova virus itself was written using a virus kit called “Visual Basic Worm
Generator’.
20
00
-2
00
5,
A
The Anna Kournikova virus arrives as an email attachment called
AnnaKournikova.jpg.vbs with the subject line “ Here you have, ;o)”. As of February 15th,
2001, its only known payload is a mass-mailing routine that emails everyone within your
Microsoft Outlook Address book, and a date trigger of January 26th, which upon reaching
that date, the worm redirects your web browser to a site in the Netherlands. It creates the
registry key:
te
HKEY_CURRENT_USER\Software\OnTheFly
sti
tu
This is the key that attempts to redirect your browser. There is also a registry that is
created upon successful completion of the mass-mailing called:
NS
In
HKEY_CURRENT_USER\Software\OnTheFly\mailed
©
SA
This key prevents the mail routine from running again. If an attempt is made to delete the
worm it will try to recreate itself, but due to a bug in the code, the worm recreates itself as
a zero-byte file.
A 20-year old Dutch man with the moniker “OnTheFly” created the virus. What
makes this, in the writer’s eyes a very significant event, is that OnTheFly proclaims he
knows nothing about programming, and set the virus up using a kit called “Visual Basic
Worm Generator. In a letter OnTheFly posted on the Internet Tuesday February 13th, he
statedfingerprint
that he saw
a research
on998D
the website
of International
Data
Corp.,
a
Key
= AF19
FA27note
2F94
FDB5 DE3D
F8B5 06E4
A169
4E46
Framingham Mass., analyst firm, that said users had failed to learn anything from the
“Love Bug” experience. Taking inspiration from the note, OnTheFly decided to test their
theory.
© SANS Institute 2000 - 2005
Author retains full rights.
ull
rig
ht
s.
After releasing his letter and claiming remorse for having caused such a wide
outbreak, OnTheFly turned himself into Dutch authorities. The Netherlands has a
computer misuse law, but are uncertain if it can be used in this case. It also unlikely that
the Dutch Courts will allow the man to be turned over to U.S. Authorities. Also what still
remains to be determined are whether charges will be brought against the creator of the
virus kit, named Kalamar. Kalamar is an 18-year-old teenager from Argentina. Upon
discovery that his virus kit had been used in the creation of the Anna Kournikova virus
Kalamar removed the virus tool from his site.
ho
rr
eta
ins
f
So how was it possible for this virus to Spread so fast? Anna Kournikova virus
uses virus characteristics similar to the “Love Bug” virus, running only on windows
operating system, and only being able to propagate on machines that had not installed a
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
patch provided by Microsoft for Outlook, after the spread of the Love Bug virus. This
virus spread quickly because of ineffective security policies, uneducated users, and in
secure systems.
00
5,
A
ut
The lack of an effective security policy is extremely dangerous. By not properly
stating your company’s stance on such matters as information disclosure, responsibilities,
backups, virus detection, and other security issues, your company is setting itself up for
failure.
sti
tu
te
20
00
-2
An effective security policy should reflect the overall stance of the organization
about security, and how that stance will affect the individuals within the organization. The
policy should let people know what is expected of them, defining who is responsible for
what activities, who has accountability for those activities, and explain what the
consequences are for not following them. When creating a policy you must allow room
for change, whether it is an overall change in your organizations stance on security or one
from within the business community.
SA
NS
In
Educating the members of your organization to the risk of malicious software
should be a key part of your security policy. By letting people know what dangers are out
there, you begin to lay down a base layer of protection. Although the Anna Kournikova
virus was not very lethal, it is only a matter of time before such a lethal virus will be
released upon the world. Education is a major key to this.
©
One of the best ways to detect and protect against infection is an anti-viral
program. Although sometimes these prove in effective, especially when the users fail to
update their virus definitions, and when the attacker writes a new virus program that
subverts the existing definitions. When this occurs the best way to detect infection is by
the indication of different behavior by your computer. The system may suddenly seem
slower,
the drive= light
on2F94
for no
apparent
stays
on, A169
the drive
makes a
Key
fingerprint
AF19turns
FA27
998D
FDB5reason,
DE3Dand
F8B5
06E4
4E46
large amount of noise. These are some sings that there may be infection, but they are not
in and of themselves indications that there is infection.
If infection has occurred, DON’T PANIC. The system needs to be contained
© SANS Institute 2000 - 2005
Author retains full rights.
ull
rig
ht
s.
through isolation. Unplug the network connection and leave the system powered and
ready, but do not use it. If you are not the System Administrator, contact them
immediately and ask for help. Fix the problem by installing anti-viral software to clean up
the system or to determine that you are not infected. The last thing you need to do is
share your experience. By letting others know, even if you made a mistake, you prevent
them from doing the same type of error and causing valuable harm to productivity.
ins
f
Anti-virus software is an indispensable tool in maintaining a secure work
environment. There are three techniques for software protection: activity monitoring
programs, virus scanners, and integrity checkers.
ut
ho
rr
eta
Activity monitors or behavior blockers attempt to prevent infection by looking for
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
virus-like activity. (e.g. writing to .exe) They posses the potential to detect viruses that
have not been seen before. Bearing in mind that the virus performs some action that the
monitor is looking for. These are considered a weak form of defense since some viruses
posses the ability to circumvent the monitoring or even have the ability to disable the
monitoring.
00
-2
00
5,
A
Scanners are the best-known form of defense. The search for known viruses by
looking for signatures or specific algorithms. Norton and McAfee anti-virus are the most
popular examples of scanners. Scanners suffer from the fact that they are not proactive,
and must rely on existing definitions, thereby causing even simple new viruses to be
missed. Alone they are only a partial defense against viruses.
sti
tu
te
20
Integrity checkers compute checksums or hash values of files and store the results
in a database. Later the program recomputes this value and checks it against the original.
If a virus has modified a file the values will not match, indicating that an infection has
occurred. These programs are true virus detectors not virus preventers like the scanner
anti-virus software.
©
SA
NS
In
Remembering the “Defense in Depth” strategy can help us with our virus
detection capabilities. Not one type of software defense is by itself a good defense. Only
when combined with the capabilities of the other types of software do we begin to get a
solid defense. Also a backup strategy should be implemented in the event that a virus
leaves us in a position of un-recoverability.
A lack of regular backups can be a serious threat to any organization. Often antivirus software has never been updated since the time the machine was first turned on.
This will result in catastrophe, especially in the case of critical production machines.
There are three types of backup techniques: full, incremental, and differential.
Full backups
capture
all FA27
files. They
typically
on aF8B5
weekly
basis,
and4E46
are necessary
Key
fingerprint
= AF19
2F94 are
998D
FDB5 run
DE3D
06E4
A169
to restore a system from a severely damaging event.
Differential Backups leave what is known as the archive bit in place after saving a
file. An archive bit is a special tag Windows systems use. It signals the backup program
© SANS Institute 2000 - 2005
Author retains full rights.
ull
rig
ht
s.
that the file has changed since the previous backup took place. Therefore when a
differential backup is run on Monday, and the Full was performed on Sunday, the
differential Backup will contain only those files that changed since the time of the full
backup. Differential Backups will tend to get larger as time progresses, since they backup
all files that have changed since the full backup was last run.
rr
eta
ins
f
Incremental Backups look for changes that have occurred since the last full or
incremental backup. It scans the file system and looks for files with their archive bit
turned on. When it completes its backup, the files that were scanned will have their
archive bits turned off. Administrators can save the system configuration, and then
capture changed information quickly using incremental backups. A problem exists in that
all incrementals since the last full backup are required to do a full restore. Requiring the
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
administrator to restore first from the full backup and then from each subsequent
incremental backup up to the failure.
20
00
-2
00
5,
A
ut
ho
The purpose of this paper was to examine the technicalities of the Anna
Kournikova virus, how it was able to spread, and examine how both users and
administrators can better defend their organization from such a virus. The paper touched
on different types of anti-virus software, their use, and how proper backups and security
policy can best be used together to provide a “Defense in Depth” type structure against
viruses. Although recent history, basically the subject of this paper, tells that these lessons
have yet to be learned. Hopefully through reading this you have come away with a better
understanding of how important it is to defend against such threats.
http://www.faqs.org/faqs/computer-virus/faq/index.html
sti
(1)
tu
te
Sources
SA
NS
In
Alijo, Hernán, ZDNet Latin America and Lemos, Robert, ZDNet News, “Purported 'Anna'
virus toolkit author yanks files from site” February 15th, 2001, ZDNET
http://www.zdnet.com/zdnn/stories/news/0,4586,2686768,00.html
©
Leyden, John, “Dutch Police arrest virus suspect”, The Register, February 14th, 2001
http://www.securityfocus.com/news/153
Leyden, John, “ Kournikova virus strikes net” The Register, February 12th, 2001
http://www.securityfocus.com/news/151
Delio,
Michelle,=“Why
Surrendered”,
Wired
News,
14th, 2001
Key
fingerprint
AF19Worm
FA27 Writter
2F94 998D
FDB5 DE3D
F8B5
06E4February
A169 4E46
http://www.wired.com/news/culture/0,1284,41809,00.html
Chien, Eric, and Hindocha, Neal “Virus Encyclopedia: VBS.SST@mm”,
© SANS Institute 2000 - 2005
Author retains full rights.
Symantec, February 12th 2001
http://www.symantec.com/avcenter/venc/data/[email protected]
ull
rig
ht
s.
Green, John “Security Essentials 1.1” SANS Network Security 2000, October 20th, 2000
ins
f
Northcutt, Stephen “Information System Security K-2” SANS Network Security 2000,
October 16th, 2000
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
Last Updated: June 15th, 2017
Upcoming Training
SANS Minneapolis 2017
Minneapolis, MN
Jun 19, 2017 - Jun 24, 2017
Live Event
SANS Cyber Defence Canberra 2017
Canberra, Australia
Jun 26, 2017 - Jul 08, 2017
Live Event
SANS Columbia, MD 2017
Columbia, MD
Jun 26, 2017 - Jul 01, 2017
Live Event
SANS Paris 2017
Paris, France
Jun 26, 2017 - Jul 01, 2017
Live Event
SANS London July 2017
Jul 03, 2017 - Jul 08, 2017
Live Event
Cyber Defence Japan 2017
London, United
Kingdom
Tokyo, Japan
Jul 05, 2017 - Jul 15, 2017
Live Event
SANS Munich Summer 2017
Munich, Germany
Jul 10, 2017 - Jul 15, 2017
Live Event
SANS Cyber Defence Singapore 2017
Singapore, Singapore
Jul 10, 2017 - Jul 15, 2017
Live Event
Community SANS Phoenix SEC401
Phoenix, AZ
Jul 10, 2017 - Jul 15, 2017
Community SANS
SANS Los Angeles - Long Beach 2017
Long Beach, CA
Jul 10, 2017 - Jul 15, 2017
Live Event
Mentor Session - SEC401
Macon, GA
Jul 12, 2017 - Aug 23, 2017
Mentor
Mentor Session - SEC401
Ventura, CA
Jul 12, 2017 - Sep 13, 2017
Mentor
Community SANS Atlanta SEC401
Atlanta, GA
Jul 17, 2017 - Jul 22, 2017
Community SANS
SANSFIRE 2017
Washington, DC
Jul 22, 2017 - Jul 29, 2017
Live Event
Community SANS Charleston SEC401
Charleston, SC
Jul 24, 2017 - Jul 29, 2017
Community SANS
SANSFIRE 2017 - SEC401: Security Essentials Bootcamp Style
Washington, DC
Jul 24, 2017 - Jul 29, 2017
vLive
Community SANS Fort Lauderdale SEC401
Fort Lauderdale, FL
Jul 31, 2017 - Aug 05, 2017
Community SANS
SANS San Antonio 2017
San Antonio, TX
Aug 06, 2017 - Aug 11, 2017
Live Event
SANS Prague 2017
Prague, Czech Republic
Aug 07, 2017 - Aug 12, 2017
Live Event
SANS Boston 2017
Boston, MA
Aug 07, 2017 - Aug 12, 2017
Live Event
SANS Salt Lake City 2017
Salt Lake City, UT
Aug 14, 2017 - Aug 19, 2017
Live Event
Community SANS Omaha SEC401*
Omaha, NE
Aug 14, 2017 - Aug 19, 2017 Community SANS
SANS New York City 2017
New York City, NY
Aug 14, 2017 - Aug 19, 2017
Community SANS San Diego SEC401
San Diego, CA
Aug 21, 2017 - Aug 26, 2017 Community SANS
Virginia Beach 2017 - SEC401: Security Essentials Bootcamp
Style
Community SANS Trenton SEC401
Virginia Beach, VA
Aug 21, 2017 - Aug 26, 2017
Trenton, NJ
Aug 21, 2017 - Aug 26, 2017 Community SANS
SANS Virginia Beach 2017
Virginia Beach, VA
Aug 21, 2017 - Sep 01, 2017
Live Event
SANS Adelaide 2017
Adelaide, Australia
Aug 21, 2017 - Aug 26, 2017
Live Event
SANS Chicago 2017
Chicago, IL
Aug 21, 2017 - Aug 26, 2017
Live Event
Mentor Session - SEC401
Minneapolis, MN
Aug 29, 2017 - Oct 10, 2017
Mentor
SANS Tampa - Clearwater 2017
Clearwater, FL
Sep 05, 2017 - Sep 10, 2017
Live Event
Live Event
vLive