Network Working Group                                              zhang
Internet-Draft                                                      seak
Intended status: Standards Track                                    kang
Expires: January 8, 2009                                      Antiy Labs
                                                            July 7, 2008

                General Virus Process Language (GVPL)
                       draft-malware-gvpl-00.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 8, 2009.

zhang, et al.            Expires January 8, 2009                [Page 1]

Internet-Draft     General Virus Process Language (GVPL)       July 2008

Abstract

   General Virus Process Language (GVPL) is an extension of the Lua
   scripting language.  It is designed to dispose quickly of viruses
   found on network terminals.  Because Lua scripts are flexible and
   simple, GVPL makes it easy to respond rapidly to a large-scale virus
   outbreak and so reduces the economic losses of users.

Table of Contents

   1.  Introduction
     1.1.  GVPL concepts and definitions
     1.2.  GVPL components
     1.3.  Implementation of the GVPL interpreter
   2.  Ecliptic
   3.  GVPL example
     3.1.  Kill GrayBird
   4.  Appendix
     4.1.  Functions of GVPL
   5.  Security Considerations
   6.  IANA Considerations
   7.  Normative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

1.1.  GVPL concepts and definitions

   Script language interpreter: the program that interprets and executes
   GVPL script commands.

   Working environment: the environment in which the interpreter runs.

   Target system: the system that GVPL will clean up.  It is usually the
   working environment on the local system, but it can also be another
   hard drive connected to the working environment, or a remote computer
   on the network.

   Active system state: the running state of the current target system.

1.2.  GVPL components

   The complete running set-up of the GVPL system is as follows:

    - - - - - - - - - - - - - - -     - - - - - - - - - - - - - - - - - - - - -
   |                             |   |                                         |
   |   |---------------|         |   |   |---------------|       |-----------| |
   |   |    script     |         |   |   |    script     |  net  |  Target   | |
   |   |  interpreter  |         |   |   |  interpreter  |  ==>  |  system   | |
   |   |---------------|         |   |   |---------------|       |-----------| |
   |                             |   |                                         |
   |   working environment       |   |   working environment                   |
   |   = Target system           |   |                                         |
   |                             |   |                                         |
    - - - - - - - - - - - - - - -     - - - - - - - - - - - - - - - - - - - - -
       Disposal Local computer            Disposal remote computer

1.3.  Implementation of the GVPL interpreter

   GVPL follows the grammar of Lua; it is an extension of Lua.
   GVPL defines its functions in the global table GVPL.  Pre-defined GVPL
   state is kept in the global table STATUS.  The functions and variables
   that describe the interpreter are kept in the global table HOST.  HOST
   must have the following items:

   Name: the name of the interpreter.

   version: the version of the interpreter.

   GVPL: the GVPL version supported by the interpreter.

2.  Ecliptic

   Ecliptic is a GVPL interpreter for the Windows operating system.  It
   supports command-line parameters, its target system is the local
   computer, and it supports GVPL V1.

   Command line:

   -h  Print the number and format of Ecliptic's command-line parameters.

   -s  Load the given script file instead of Ecliptic's default script.
       The default script is stored in Ecliptic's resources.

   -e  Export the default script from Ecliptic's resources to the given
       file.

   Entering the command line "Ecliptic -e test" exports the default
   script to the file "test".  Its contents should be as follows:

      function ShowInfo()
        print()
        print('welcome use ecliptic')
        print('use -h help information')
      end

      function start()
        print("test start")
      end

      ShowInfo()
      print()
      print(HISTORY)

   For the grammar see the Lua 5.1 Reference Manual [lua].

   Change the contents of the file "test" to:

      -- start() is run when the "start" button is pushed
      function start()
        print()
        print('the functions supported')
        local k
        for k in pairs(GVPL) do
          print(k)
        end
      end

      -- print the interpreter description kept in HOST
      for k, v in pairs(HOST) do
        print(k, v)
      end

   Test the script with "Ecliptic -s test".  Pushing the "start" button
   shows the API list.
3.  GVPL example

3.1.  Kill GrayBird

   From the analysis result for a piece of malicious software we can
   easily write a GVPL script that cleans it up on users' computers.

   Backdoor.Win32.GrayBird.ph analysis:

   1) The virus copies itself to the Windows folder under the name
      "klylgz.exe", runs that copy and deletes the original:
      %WINDIR%\klylgz.exe

   2) The virus modifies the registry to add a new service that is
      launched at system boot:
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\conminec.exe

   3) The service added is:
      Service name: conminec.exe
      Display name: conminec.exe
      Executable file path: "C:\WINDOWS\klylgz.exe"

   4) The virus creates an IEXPLORE.EXE process for network
      communication.

   5) The virus is a variant of Gray Pigeon.  Through it an attacker can
      control the user's computer remotely.

   To eliminate the virus thoroughly, the script performs the following
   operations:

   1. Kill the IE process.
   2. Delete the file %WINDIR%\klylgz.exe.
   3. Stop the service conminec.exe.
   4. Delete the registry key
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\conminec.exe.

   The script is as follows:

      -- list the functions the interpreter provides
      function start()
        print()
        print('NOW SUPPORTED FUNCTIONS')
        local k
        for k in pairs(GVPL) do
          print(k)
        end
      end

      -- step 1: kill every process whose image file is iexplore.exe
      -- (GetProcesses returns a table keyed by process id)
      for k, v in pairs(GVPL.GetProcesses()) do
        print(k, v.imagefile)
        s, e = string.find(v.imagefile, "iexplore.exe")
        if (s ~= nil) then
          GVPL.KillProcess(k)
        end
      end

      -- step 3: stop and delete the service
      GVPL.DeleteService("conminec.exe")

      -- step 4: remove the service's registry key
      ret = GVPL.DeleteRegValue(
              "SYSTEM\\ControlSet001\\Services\\conminec.exe", "")
      print("delete regvalue", ret)

      -- step 2: delete the dropped file from the Windows directory
      windir = GVPL.GetWindowsDirectory()
      virusfile = windir .. "\\klylgz.exe"
      GVPL.DeleteFile(virusfile)

   As this example shows, GVPL is easy to use.
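   A hardened form of the cleanup script above, written here as an added
   example and not code from the draft or from Antiy Labs.  It uses the
   HOST table of Section 1.3 and the return values of the Appendix
   functions; the GVPL/HOST stub, the sample process list and the meaning
   of the return values (nonzero = success, nil from GetFileInformation
   for a missing file) are assumptions.

```lua
-- Added example, not from the draft: a GrayBird cleanup script that
-- checks the interpreter and every return value before acting.  The
-- GVPL/HOST stub below is constructed so the script also runs under
-- plain Lua 5.1; under Ecliptic the stub is skipped.  "Nonzero return =
-- success" and "nil for a missing file" are assumptions (draft gives types only).
if GVPL == nil then
  HOST = { Name = "stub", version = "0.0", GVPL = "1" }
  GVPL = {
    IsAdmin = function() return 1 end,
    GetProcesses = function()
      return { [1234] = { imagefile = "C:\\Program Files\\IE\\IEXPLORE.EXE" },
               [5678] = { imagefile = "C:\\WINDOWS\\explorer.exe" } }
    end,
    KillProcess = function(pid) return 1 end,
    DeleteService = function(name) return 1 end,
    DeleteRegValue = function(key, item) return 1 end,
    GetWindowsDirectory = function() return "C:\\WINDOWS" end,
    GetFileInformation = function(name) return { size = 0 } end,
    DeleteFile = function(name) return 1 end,
  }
end

local function log(step, ret)
  print(string.format("%-40s %s", step, ret ~= 0 and "ok" or "FAILED"))
end
-- Section 1.3: refuse to run on an interpreter for another GVPL version,
-- and stop early if the cleanup would fail for lack of privilege.
assert(HOST.GVPL == "1", "script needs GVPL V1, host has " .. tostring(HOST.GVPL))
assert(GVPL.IsAdmin() ~= 0, "cleanup needs administrator rights")

-- Step 1: kill IE processes.  Lower-case the path and use a plain
-- (non-pattern) find so "." is not a wildcard and case does not matter.
for pid, proc in pairs(GVPL.GetProcesses()) do
  local path = string.lower(proc.imagefile or "")
  if string.find(path, "\\iexplore.exe", 1, true) then
    log("kill pid " .. pid, GVPL.KillProcess(pid))
  end
end
-- Steps 3 and 4: stop the service, then remove its registry key.
log("delete service conminec.exe", GVPL.DeleteService("conminec.exe"))
log("delete registry key", GVPL.DeleteRegValue(
    "SYSTEM\\ControlSet001\\Services\\conminec.exe", ""))
-- Step 2: delete the dropped file, but only if it is really there.
local virusfile = GVPL.GetWindowsDirectory() .. "\\klylgz.exe"
if GVPL.GetFileInformation(virusfile) then
  log("delete " .. virusfile, GVPL.DeleteFile(virusfile))
else
  print(virusfile .. " not found, nothing to delete")
end
```

   Each step is logged with its result, so a failed KillProcess or
   DeleteService is visible instead of silently leaving the backdoor
   half removed.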
4.  Appendix

4.1.  Functions of GVPL

   For detailed usage of each function see the GVPL manual [gvpl].

   GVPL function list:

      table       GetFileInformation(filename)
      number      DeleteRegValue(key, item)
      number      KillProcess(pid)
      number      DeleteFile(filename)
      number      SetRegValue(key, item, value)
      number      IsAdmin()
      value, type GetRegValue(key, item)
      number      IsActive()
      table       GetDrivers()
      table       GetProcesses()
      directory   GetWindowsDirectory()
      directory   GetSystemDirectory()
      number      DeleteService(servicename)

5.  Security Considerations

   None.

6.  IANA Considerations

   This document has no actions for IANA.

7.  Normative References

   [gvpl]     leiwhere, "gvpl & ecliptic manual", March 2008.

   [lua]      R., "Lua 5.1 Reference Manual", August 2006.

Authors' Addresses

   zhang
   Antiy Labs

   seak
   Antiy Labs

   Email: seak@antiy.net

   sandy.kang
   Antiy Labs

   Email: kangkang@antiy.net

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.
   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.