Bolzano - a simple virus, or a dangerous intrusion tool?
--------------------------------------------------------------------------------


SUMMARY

W32.Bolzano is a new virus that replicates under Windows 95 and Windows NT, 
infecting Portable Executable applications with EXE or SCR extensions. 
W32.Bolzano does not infect a host program whose size is less than 16K. 
17 different variants of the virus currently exist, which makes Bolzano 
currently the largest family of Win32 viruses. 

This virus is particularly dangerous if it infects Windows NT machines, as 
it modifies the kernel in such a way that the kernel's security checks are 
rendered useless.

DETAILS

From the replication point of view, there is nothing remarkable about the 
first few versions of the Bolzano viruses. It is a simple, direct-action 
appending type: it adds its code to the end of the last file section and 
modifies the entry point of the program to point to the virus body (A, B 
and C variants). The D variant does not modify the entry point of PE 
files; instead, it searches for 12 possible CALL instructions inside the 
code section of the host and hooks randomly selected CALLs to the entry 
point of the virus. The virus creates a thread in the infected process for 
itself and replicates in the background while the host program (the main 
thread) continues to run. Therefore, the user will not easily notice any 
delays. Several variants of Bolzano use inserting techniques (infection 
without entry-point modification) and are polymorphic at the same time. 
This makes detection of the virus more complicated. Bolzano was reported 
"in the wild" in France. Most likely the virus writer is also from France.
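The A, B and C variants described above leave a classic appending-infector
footprint: the entry point of the host is redirected into code that now
lives at the end of the last section. The following is an added example
(not code from the original write-up or from Symantec) of the header
heuristic a scanner or an incident responder can apply to spot that
footprint. It parses the PE headers with a small hand-written reader,
reports an entry point that falls in the last section or in a section not
marked executable, and builds its own minimal two-section PE headers as
constructed test input; the sample builder, function names and the
section layout are assumptions for the example.

```python
import struct

# PE/COFF constants (real values from the Microsoft PE specification)
IMAGE_DOS_SIGNATURE = 0x5A4D               # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550            # "PE\0\0"
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, size, Characteristics), ...])."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    optional = coff + 20
    entry_rva = struct.unpack_from("<I", data, optional + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        hdr = optional + size_of_optional + 40 * i                   # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, hdr)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vaddr, max(vsize, rawsize), chars))
    return entry_rva, sections


def entry_point_findings(data):
    """Heuristics for an appending infector: entry point in the last section,
    or in a section that is not marked executable. Returns a list of findings."""
    entry_rva, sections = parse_pe(data)
    idx = next((i for i, (_, va, size, _) in enumerate(sections)
                if va <= entry_rva < va + size), None)
    if idx is None:
        return ["entry point outside every section"]
    findings = []
    name, _, _, chars = sections[idx]
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append(f"entry point in last section '{name}' (appending-infector pattern)")
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point section '{name}' is not marked executable")
    return findings


def build_sample_pe(entry_rva, last_section_chars):
    """Construct minimal two-section PE32 headers as test input (not a runnable program)."""
    sections = [(b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                (b".data", 0x2000, 0x200, last_section_chars)]
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    size_of_optional = 224                                            # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", optional, 16, entry_rva)                   # AddressOfEntryPoint
    headers = b"".join(struct.pack("<8sIIIIIIHHI", n, s, va, s, 0, 0, 0, 0, 0, c)
                       for n, va, s, c in sections)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(optional) + headers


if __name__ == "__main__":
    data_chars = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    print("clean:", entry_point_findings(build_sample_pe(0x1010, data_chars)))
    print("suspicious:", entry_point_findings(build_sample_pe(0x2100, data_chars)))
```

The check is deliberately narrow: it flags exactly the A/B/C-style change
and says nothing about the D variant, which leaves AddressOfEntryPoint
untouched and hooks CALL instructions inside the code section instead. A
file whose entry point looks normal therefore still needs a content scan;
this heuristic only cheaply prioritises the obvious cases.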

Several variants of the Bolzano virus do not only replicate, but also 
attack the Windows NT file-security system. They use a new strategy that 
may be used by NT viruses in the future. This attack works on any version 
of Windows NT (Version 3.5 up to 4.0) with all the service packs. The 
attack does not work on any of the betas of Windows 2000, but it remains 
feasible. 

In order to attempt the attack, the virus needs administrative rights on a 
Windows NT Server or Windows NT Workstation during the initial 
infiltration. Therefore it is not a major security risk (since an 
administrator should never run untrusted applications), but it still 
remains a potential threat: a virus can always wait until the 
Administrator, or someone with equivalent rights, logs on. In such a case, 
W32.Bolzano has the chance to patch ntoskrnl.exe, the Windows NT kernel, 
located in the WINNT\SYSTEM32 directory.

The virus modifies only 2 bytes in an undocumented security API called 
SeAccessCheck that is part of ntoskrnl.exe. This way Bolzano is able to 
give all users full access to every file regardless of its protection, 
whenever the machine is booted with the modified kernel. This means that a 
Guest (the account with the lowest possible rights on the system) will be 
able to read and modify all files, including files that are normally 
accessible only by the Administrator.

This is a potential problem since the virus can then spread wherever it 
wants, regardless of the actual access restrictions on the particular 
machine. Furthermore, after the attack, no data can be considered 
protected from any user. The latest variants of Bolzano also patch 
MSV1_0.dll in the System32 directory in order to remove password checks 
from there. 

Unfortunately the integrity of ntoskrnl.exe is checked in only one place. 
The loader, ntldr, is supposed to check it when it loads ntoskrnl.exe 
into physical memory during machine boot-up. If the kernel has been 
corrupted, ntldr is supposed to stop loading ntoskrnl.exe and display an 
error message even before a "blue screen" would appear. To avoid this 
particular problem, W32.Bolzano also patches ntldr so that no error 
message is displayed and Windows NT boots just fine even if the kernel's 
checksum does not match the original. Since no code checks the integrity 
of ntldr itself, the patched kernel is loaded without any notification to 
the user. Because ntldr is a hidden, system, read-only file, W32.Bolzano 
changes its attributes to "archive" before it tries to patch it. The virus 
does not change the attributes of ntldr back to their original values 
after the patch.
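Because the only built-in check (ntldr validating the CheckSum of
ntoskrnl.exe) is itself defeated by patching ntldr, the kernel patch and
the loader patch described in the two preceding passages are best caught
from outside the running system, by comparing the boot-critical files
against a baseline taken from a known-good installation. The following is
an added example (not code from the original write-up or from Symantec)
of such a baseline check: it records a SHA-256 hash, a trusted copy and
the attribute bits of each protected file, then reports changed byte
offsets (a 2-byte kernel patch shows up as two offsets), a PE CheckSum that
no longer matches the stored field, and attributes that have silently gone
from hidden/system/read-only to archive-only. The PE CheckSum routine is
the imagehlp MapFileAndCheckSum algorithm as reimplemented by pefile; the
file names and the images are constructed stand-ins, not real NT binaries.

```python
import hashlib
import struct

# Windows file-attribute bits (real values from winnt.h)
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_ARCHIVE = 0x20

NT_HEADERS_SIZE = 4 + 20 + 224        # PE signature + COFF header + PE32 optional header
CHECKSUM_FIELD = 4 + 20 + 64          # OptionalHeader.CheckSum, relative to e_lfanew


def pe_checksum(data):
    """PE CheckSum as computed by imagehlp's MapFileAndCheckSum (the algorithm pefile uses):
    fold the image as 32-bit words, skipping the CheckSum field itself, then add the length."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    skip = e_lfanew + CHECKSUM_FIELD                # assumed 4-byte aligned, as in real images
    total = 0
    for off in range(0, len(data) - len(data) % 4, 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", data, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    rem = len(data) % 4
    if rem:                                         # trailing bytes count as a zero-padded word
        total += int.from_bytes(data[-rem:], "little")
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data):
    """The CheckSum value recorded in the image's own optional header."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<I", data, e_lfanew + CHECKSUM_FIELD)[0]


def make_constructed_image(body):
    """Constructed stand-in for a system image: MZ/PE signatures, zeroed headers, a body
    and a correct CheckSum. Test input only, not a real kernel or loader."""
    e_lfanew = 0x40
    img = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
                    + b"PE\0\0" + bytes(NT_HEADERS_SIZE - 4) + body)
    struct.pack_into("<I", img, e_lfanew + CHECKSUM_FIELD, pe_checksum(bytes(img)))
    return bytes(img)


def baseline(files):
    """files: path -> (content, attribute bits). Keeps hash, attributes and a trusted copy."""
    return {p: {"sha256": hashlib.sha256(c).hexdigest(), "attrs": a, "copy": c}
            for p, (c, a) in files.items()}


def changed_offsets(old, new):
    """File offsets at which two same-length images differ."""
    return [i for i, (a, b) in enumerate(zip(old, new)) if a != b]


def check(base, files):
    """Compare the current files (path -> (content, attribute bits)) against the baseline."""
    findings = []
    for path, expected in base.items():
        content, attrs = files[path]
        if hashlib.sha256(content).hexdigest() != expected["sha256"]:
            findings.append(f"{path}: content changed at offsets {changed_offsets(expected['copy'], content)}")
        if stored_checksum(content) != pe_checksum(content):
            findings.append(f"{path}: PE CheckSum mismatch")
        if attrs != expected["attrs"]:
            findings.append(f"{path}: attributes {expected['attrs']:#04x} -> {attrs:#04x}")
    return findings


def demo():
    """Constructed scenario: 2 bytes changed in the kernel image, 1 byte changed in the
    loader, and the loader's hidden/system/read-only attributes replaced by archive-only."""
    protected = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_READONLY
    kernel = make_constructed_image(b"\xcc" * 48 + b"\x00" * 16)
    loader = make_constructed_image(b"\xcc" * 32)
    base = baseline({"ntoskrnl.exe": (kernel, FILE_ATTRIBUTE_ARCHIVE), "ntldr": (loader, protected)})

    patched_kernel = bytearray(kernel)
    patched_kernel[0x150:0x152] = b"\x90\x90"       # constructed 2-byte change inside the body
    patched_loader = bytearray(loader)
    patched_loader[0x140] = 0x90                     # constructed 1-byte change inside the body
    after = {"ntoskrnl.exe": (bytes(patched_kernel), FILE_ATTRIBUTE_ARCHIVE),
             "ntldr": (bytes(patched_loader), FILE_ATTRIBUTE_ARCHIVE)}
    return check(base, after)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two practical points follow from the write-up: the baseline must be taken
before the machine is exposed, and the comparison must run from trusted
media rather than from the possibly patched installation, because once
ntldr has been modified the system's own boot-time check reports nothing.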

Several variants of W32.Bolzano delete the contents of the 
\WINDOWS\Cookies and \WINNT\Cookies directories. The virus writer probably 
intended to introduce the virus onto a machine he was using, in order to 
cover up where he had been web surfing.


ADDITIONAL INFORMATION

This information has been provided by: Peter Szor of Symantec 
<http://www.Symantec.com>

