A very good example of network communication via Named Pipes can be observed
in the behavior of a family of parasitic viruses named EfishNC 1 [5]. The “C” version
of this virus uses named pipes when trying to communicate with other computers on the
network. While the actual source code for resource enumeration via named pipes is
only a couple of lines, the operating system has to take care of most of the
communication. Thus, the algorithm for named pipes from the OS' point of view
would be as follows:
1. Open a pipe as a file object
2. Set appropriate information affecting the pipe
3. Send a request for resource enumeration to the pipe
4. Receive enumerated shares of a remote computer
5. Proceed with regular replication
All the events listed above are accomplished by successively invoking regular file
management system calls with specific parameters, as illustrated in table 7.
Communication through the Named Pipe “PIPE\srvsvc” presented above
requires several valid handles to be produced during sequence execution. First, a file
object has to be created with NtCreateFile pointing to a remote machine (BU-
SY46Q9D3MCQ2); this file object is assigned a handle (228). As soon as the
handle is returned, the file object is set to represent a pipe that is later involved in
communication with the remote machine to obtain its available resources.
NtFsControlFile sends a packet containing the enumeration request to the remote
computer (BU-SY46Q9D3MCQ2) and returns a list of all available resources, including
standard Windows administrative resources such as “IPC$” and “Admin$”, as well as
a single file share directory named “fake”. For the purpose of the experiment, this
directory contains a fake copy of the “Windows” system folder, allowing viruses to
safely replicate onto critical operating system components - the most hunted targets.
From the point of view of networking through named pipes, Internet
communications work almost identically, with a single difference in the remote machine
naming convention. Specifically, when opening a named pipe to access a remote
machine over the Internet, its IP address is used in the UNC path instead of the computer's
actual name. For example, the following system call would try to open a named pipe
connection on a PENTNET remote computer.
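The five-step srvsvc sequence described above, and its Internet variant in which the peer is addressed by IP instead of by computer name, can be checked from the defender's side as a per-handle state machine over a system-call trace. The following Python is an added example, not the paper's code and not the system call referred to above; the trace records are constructed for illustration, and only handle 228 and the host BU-SY46Q9D3MCQ2 are taken from the text.

```python
import ipaddress
import re
# Per the paper, a share-enumeration request over the srvsvc pipe is a per-handle
# sequence: NtCreateFile on \PIPE\srvsvc, NtSetInformationFile, NtFsControlFile.
PIPE_RE = re.compile(r"\\([^\\]+)\\PIPE\\srvsvc$", re.IGNORECASE)

def peer_kind(host):
    """'ip' for Internet-style addressing, 'name' for a LAN computer name."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "name"

def detect_share_enumeration(trace):
    """One finding per completed srvsvc sequence in (syscall, handle, arg) records."""
    pipes = {}  # handle -> {"host": ..., "configured": bool}; dropped on NtClose so a
    findings = []  # reused handle value cannot inherit the pipe's state
    for syscall, handle, arg in trace:
        if syscall == "NtCreateFile":
            m = PIPE_RE.search(arg)
            if m:
                pipes[handle] = {"host": m.group(1), "configured": False}
            else:
                pipes.pop(handle, None)  # handle now names an ordinary file
        elif syscall == "NtSetInformationFile" and handle in pipes:
            pipes[handle]["configured"] = True
        elif syscall == "NtFsControlFile" and pipes.get(handle, {}).get("configured"):
            host = pipes[handle]["host"]
            findings.append({"handle": handle, "host": host, "peer": peer_kind(host)})
        elif syscall == "NtClose":
            pipes.pop(handle, None)
    return findings

# Constructed trace (not the paper's table 7): handle 228 and the host name come
# from the text; the other records are invented for illustration.
SAMPLE_TRACE = [
    ("NtCreateFile", 228, r"\\BU-SY46Q9D3MCQ2\PIPE\srvsvc"),
    ("NtSetInformationFile", 228, "FilePipeInformation"),
    ("NtFsControlFile", 228, "FSCTL_PIPE_TRANSCEIVE"),
    ("NtClose", 228, ""),
    # handle value 228 reused for a plain file on the "fake" share: must not fire
    ("NtCreateFile", 228, r"\\BU-SY46Q9D3MCQ2\fake\Windows\notepad.exe"),
    ("NtFsControlFile", 228, "FSCTL_UNRELATED"),
    # Internet variant: the peer is addressed by IP rather than by computer name
    ("NtCreateFile", 240, r"\\192.0.2.10\PIPE\srvsvc"),
    ("NtSetInformationFile", 240, "FilePipeInformation"),
    ("NtFsControlFile", 240, "FSCTL_PIPE_TRANSCEIVE"),
]
```

Running `detect_share_enumeration(SAMPLE_TRACE)` yields two findings, one per remote peer, while the reused handle on the ordinary file produces none.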
Replication over the Internet is usually more complicated than a local network
attack, partially because remote machines with direct Internet access are
less vulnerable. Longer response times and a much broader range of computers to
scan can make such virus activity obvious to a skilled user. Computer viruses have to
conduct a variety of tests on every single computer they attack in order to detect,
recognize and exploit a vulnerability so that replication becomes possible. However, such
activities are hard to predict and they should not be accounted for when defining this
1 W32.EfishNC is a memory-resident infector of all Windows Portable Executable
applications. It infects files in all folders on all local and mapped network drives. It also
infects files in folders on network shares and IP addresses that are shared with write access. It
uses entry-point obscuring (EPO) and an encryption method that is both very simple to
implement and very hard to decrypt without the key. [Symantec Security Response]