VIRUS IN VISTA

In fo

rm

at io

Viruses in Vista

n
Page 1

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Table of Contents
Acknowledgement Abstract 1. Introduction 1.1. 1.2. 4

Data Protection as well as the Security Improvements Malware in Windows Vista

2.1.

Types of Virus

O n

2. Background on Malware

2.1.1. Boot sector virus 2.1.2. Macro viruses

2.1.3. Parasitic viruses / Infectors file 2.1.4. Encrypted viruses 2.1.5. Date Virus

at io

2.1.6. Stealth virus

2.1.7. Polymorphic viruses 2.2.

Some malicious programs

2.2.1. Worms

rm

2.2.2. Trojan 2.2.3. Rootkit

3. Methods of attacks 3.1. Social engineering

In fo

3.1.1. Mass in E-mailers Vulnerabilities software which are exploited Process of Phishing Process of Pharming

3.2. 3.3. 3.4.

4. Anti Virus 4.1. 4.2. 4.3. 4.4. 4.5. Pattern matching Signature detection Emulation Analysis of frequency X – raying Heiristics

U0925517

nl
7 7 9 10 11 11 11 11 11 12 12 13 13 13 13 14 14 14 14 15 15 17 17 17 17 18 18
Page 2

y
5 6

MSc Computer forensics and Information Security

Viruses in Vista

5. About Recent malware 5.1. 5.2. 5.3. 5.4. SpamThru Trojan Trojan Beast Win32. Glieder. AF Winevar

19

7. Some new malware attack exploited Windows 8. Computer worm 8. 1. Examples Worms 8. 1. 1. Email worms

O

6. First virus for Windows Vista family

n

8. 2. How to prevent computer worms 9. Practical Implementation 9. 1. Trojan. gozi

at io

8. 1. 2. IM (Instant messaging) worms

Features of Gozi Gozi Installation

rm

Detection of Gozi Removal of Gozi

9. 2. Prorat 1. 9

How it infects the PC? How to use Prorat 1. 9? How to remove Backdoor. prorat?

In fo

Lessons what I have learned Evaluations for malicious software’s Findings

Recommendations Conclusion References Index

U0925517

nl
20 21 22 23 24 24 24 25 25 26 26 26 27 44 45 46 46 49 66 68 69 70 71 74 76 81
Page 3

y
20

19

In fo

rm

U 951 0257

at io
Page 4

n

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

ABSTRACT

Virus’s plays a major role in today’s computer world; this paper

Backdoor. Prorat which are affected to the systems. This Paper presents an overview of the Vista features and Security features which will have

penetrate the system without granting the permission from the system user.

Trojan horses, root kits, worms etc. This guide is designed for all users and for organizations of any size. Here we will provide some Security Guidelines and the Threats caused by malware software’s and Countermeasures. In

this paper I also mentioned a critical evaluation on the well known Trojan horses like Trojan. Gozi, Backdoor. Prorat.

In fo

rm

U0925517

at io

Malware includes computer viruses, worms, dishonest adware, spyware,

n

maximum impact on users.

Malware is software which is intended to

O

presents an explanation on the malicious programs like Trojan. Gozi,

nl
Page 5

y

MSc Computer forensics and Information Security

Viruses in Vista

1. Introduction:

rapid business implementation.

In representing the Vista, Microsoft has tended to show some new

features such as graphical previews of the documents during the use of AltTab switching, aero user interface and the Windows Presentation Foundation. It will be very hard to find an obvious and scientific link between

these productivity, features and improvements in security. Within these five to six years of the development in between XP and Vista OS, Microsoft tried hard on major improvements which are really matters to the businesses. [Microsoft, 2006]

Whatever may the environment would, you are advised to take the security issues seriously? In the world many of the organizations underestimate the importance of the information technology. If any attack on

In fo

rm

main servers in the environment is severe, it could be considerably damage the whole organization progress. For instance, if the malware infects the client computers on the whole network, then the organization may lose most valuable data, and the significant overhead which costs you to restore the secure state. For example, In case your Website is unavailable it also could consequence in major loss of the revenue as well as the client’s confidence. Considering a security risk, vulnerability and experience of

examination informs you the tradeoffs between the functionality and security that all the computer systems are subject in the networking environment. Here in this document we consider the main security-related measures which are obtainable in Windows Vista operating system, the vulnerabilities and the countermeasures help the address, and potential negative consequences [if any] connected to the implementing of the each and every countermeasure. Microsoft Vista tried to include major improvements in the four areas which are important to business such as the manageability, security, networking, and mobile computers [Preston Gralla, 2006]
U0925517 Page 6

at io

n

O

nl

y

Windows Vista entered into market in the year 2006 and could see

MSc Computer forensics and Information Security

Viruses in Vista

1. 1 Data Protection as well as the Security Improvements:
In vista operating system Microsoft made quite a lot of changes for data

Windows, and the addition of the Defender antispyware product. But mainly two security features Bit Locker Drive Encryption, UAC [User Account Control] of Vista stand out.

With the User Account Control feature we can reduce the harm a user may unintentionally do to his system. For example reduce the impact of malicious software or malware by making it easier to make use of Windows without administrator privileges.

Bit Locker Drive Encryption, which is useful for laptop computers, allows the laptop users to encrypt the total Windows volume of the computer so that important data stay secured even the computer is stolen or missed [Bill Detwiler, 2007].

1. 2. Malware in Windows Vista:

In fo

rm

Majority of today’s malicious software is intended to aim Windows

systems; this is the case where people who use the other operating systems [OS] believe they were not at risk. Though, this is not the case. Malicious programs are also targeting the other operating systems since 1970s; Apple was first under attack in 1982 by Elk Cloner virus, and it wasn’t until in 1986 MS-DOS compatible malware had appeared. [John Timmer 2007].

Malicious programs are exists mainly in two forms, among them some are with host (Trojan horses, viruses, trap doors, logic bombs) and some are without host (bacteria, worms). [Chris Imafidon, 2006] As Microsoft Windows gaining a significant market share had created ideal conditions for malware to increase. Though non-Windows operating systems seem security dreamland, users of the other operating systems have to be ready for cybercriminals and malware authors to start targeting them. Viruses attack Vista mainly by updates of Windows.

U0925517

at io

n

O

nl
Page 7

y

protection and security, like developments to Internet Explorer, Firewall for

MSc Computer forensics and Information Security

Viruses in Vista

automatically also installing some malicious software’s.

The well-known

for malwares by the updates of windows.

The well-known security

researcher Frank Boldewin, said “The Trojan horses which were spammed in 2007 March end were used a new methods to download Malware in to the computers.

Update of Windows = May be sometimes Update of Malware

Vista Windows = Paradise for Malware

Here it is strongly suggested to install an anti virus scanner. May be not all antivirus scanners will be recognized by Windows Vista, even if these virus scanners are completely fine and properly functional. If your anti-virus

In fo

rm

scanner is installed properly then it will be recognized by windows Vista and automatically “Malware Protection” line will turn green. Most of the anti-virus programs are required to reboot after installation [Malwarekilla, June 2010].

U0925517

at io

n

O

nl
Page 8

Symantec Anti Virus vendors warn that the Windows systems are vulnerable

y

When the user tries to download the Windows Vista updates, he is

MSc Computer forensics and Information Security

Viruses in Vista

2. Background on Malware:
The term Malware is the short form of the malicious software.

Trojan horses, Spyware, root kits, worms etc all together comes under

malicious software’s. This malicious software’s infects the systems and then travel via networks to infect all the remaining systems.

increase the attacking until infection is spreading all the systems around the remote places. [T. M. Chen, 2003]. Malware attacks are not recent things; they are available since a long time. At the starting stages, malwares are created for disruption.

at io

n

O

starting day’s attempts to remove files erase hard drives. Now a day’s these are designed to steal the secret data like passwords PIN [Personnel Identification Numbers], numbers of Credit cards and social security numbers provide for a kind of money profits for the malware writers. Now a days the

In fo

rm

malware creators changed the way of creation of malicious code. Malwares are considered as dangerous in today’s world because of the damage they were creating are effecting important data of the companies and confidential data of the government. Malicious software holds a virus, root kit, recorder password. Now a day’s programmers writing these programs by using the available software in the internet. [T. M. Chen, 2003].

Figure 2. 1 Types of malicious programs
U0925517 Page 9

nl
Internet helps to Viruses in

Malicious software are infects a system unknown to the owner. Viruses,

y

MSc Computer forensics and Information Security

Viruses in Vista

2. 1. Types of Viruses:

Computer worms or viruses are the programs which were intended to disturb the removal of the data, corrupting the data and to infect the viruses

Internet worm was created to calculate the internet size.

O

all over the internet. In 1988 the 1st Internet worm was created. The 1st But later the

systems which were infected by the worm are running slowly compared to

infects the remaining programs by changing their code and cause damage.”

In 1990, it was estimated that 500 virus are available on the internet. Where as in the year 1996, there are more than10000 viruses on internet. In the year, 2002 it is increased to more than 60,000 viruses on internet, in those some of the viruses are most dangerous [J. Munro, 2002]. At present

In fo

rm

there are more than 103,000 viruses on internet [DaBoss, 2009]. More over the Viruses has the capability to infect other programming code. Then if the user of the system tries to use the virus program then it will immediately infects whole system and it will take control of the system and destroys the system very badly. “A system virus is a type of program code which can able to change the program or try to affect the program.” [Dr. Chris Imafidon, 2006].

But these type of virus are easy to detect and are very flexible to

remove from the system. But now a day’s present worms and viruses are became more dangerous than that of the previous viruses and worms. Here are some types of viruses. They were as follows [C. Nachenberg, 1997].

U0925517

at io

[Chris Imafidon, 2006]

n

the previous running.

[E. H. Spafford, 1989].

“Virus is the code which

nl
Page 10

y

MSc Computer forensics and Information Security

Viruses in Vista

2. 1. 1. Boot sector virus: There are about 5 percent boot viruses on
record [MBR] of a system. Master boot record is program which stays on the 1st sector of the hard disk which boots the system without the involvement of the system user.

Because of this reason these boot viruses are more

dangerous when compared to the other types of viruses. When it penetrates in the system the boot virus stays in the memory of the hard disk and it can infect any layer of the system. These boot viruses are very dangerous and they were not easy to erase from the system. But only perfect antivirus software can delete this type of virus. Boot Crazy and AntiEXE etc are the

2. 1. 2. Macro viruses: The macro virus will infects the services such as
Microsoft excel and Microsoft word. The 1st macro virus was created for Microsoft Word 95 [Crispin Cowan CTO, WireX Communications, and Inc. top].

In fo

rm

2. 1. 3. Parasitic viruses / Infectors file: If the files containing some
content are infected with is viruses the content of the file will be unchanged [Richard Barnhart, 1996]. It will penetrate into the memory of the system when the system user runs the infected files. Then the virus will spread into other applications and destroys the system.

2. 1. 4.

Encrypted viruses: These encrypted viruses contain the

decryption engine as well as encryption key [D. J. Sanok, 2005]. These viruses are created to hide the virus scanning methods. This method is used in Cascade virus.

2. 1. 5. Date virus: These data viruses will stay in the system and affects
the system at a particular time or date [C. Nachenberg, 1996]. A virus or worm can gain momentum on the system by using this method. Century, Sunday etc are the examples of this type of viruses.

U0925517

at io

examples of this virus.

n

O

nl
Page 11

y

internet. [J. O. Kephart, 1997]. This type of viruses infects the Master boot

MSc Computer forensics and Information Security

Viruses in Vista

2. 1. 6. Stealth virus: These stealth viruses will exist in the hook ING
the DOS command prompt mode. A worm named Lion installs in a rootkit

and then it will make more than a few hooks to avoid from the antivirus scanner [Akshaya Bhatia, 2008].

2. 1. 7. Polymorphic viruses: This virus also like encrypted virus
contains an engine which can able to change and create new encryption viruses for infection the system. When the user of the system executes the infected program the decryption engine executes the virus and infects the memory of the system. Then the polymorphic virus generates the encryption virus and decryption for the sake of the next infection. These viruses encrypt a copy of it by using the encryption engine in a new file. The virus, 1260 was the 1st well known polymorphic virus created in USA by Mark Washburn in 1990 [P. Szor, 2005].

In fo

rm

U0925517

at io

n

contains decryption engine as well as encryption key.

O

nl
This virus also
Page 12

y

system. This virus tries to suspend systems calls which will be detected in

MSc Computer forensics and Information Security

Viruses in Vista

2. 2. Some malicious programs:

2. 2. 1. Worms: These worms attack the networking connections but they

will not infect the files on the system like viruses. These worms utilize the

heavy damage.

[Bob Page, 1988].

Worms can spread autonomously

without acceptance of the user compared to the viruses. [Chris Imafidon,

software and enters into the system. There are different types of Trojans present in the internet but the functionality of each Trojan would be different. Trojan virus will look as genuine software for the user but it will create a dangerous treat to the system. [Joseph Lo aka Jolo, 2006]. The Trojan virus uses the existing viruses in the system and it will create more damage by

In fo

rm

using the existing viruses. Trojans are mainly do two things one of them is it causes direct damage or cause useful function but copies damageable instructions to other exe files. [Chris Imafidon, 2006]

2. 2. 3. Root kit: The main aim of the Root kit virus is to offer more
controls to the hackers [P. Szor, 2005]. Now a day’s most of the hackers they were using root kit method to enter into the system by avoiding the antivirus scanner. The most dangerous root kit on internet is Sony root kit. This root kit uses the string “$ sys $”.

U0925517

at io

2. 2. 2. Trojans: Trojan is a virus which will be embedded in genuine

n

2006]

O

networking connection to enter into the network and after that they will create

nl
Page 13

y

MSc Computer forensics and Information Security

Viruses in Vista

3. Methods of Attacks:
A malware uses many methods to attack the system. Important methods of

utilizing messenger or from a E-mail and with this method the hackers can

bluff the user and made him to do some unwanted actions. [Hacker Tactics, 2001]. This virus transfers through a email in the form of image or a file which can be executed. In many situations, viruses reach destination

through mails from attackers under a picture or an. EXE file, after clicking on it, it installs Trojan in to the system. Another worm Happy99 happened to

it displays fireworks and then .EXE file installs in to PC [Cert incident, 2002].

3. 1. 1. Mass E-mailers: These are holding unusual content such as
viruses can get through the machine via e-mail. Once if the attachment is started by the user the Trojans get activated in background and gain access

In fo

rm

of the system. Later it finds the user address book and automatically delivers it to all in the list. Generally all mailers of mass use socialized techniques of engineering and some tricky concepts which tend user to open the file. Familiar types are Love Letter & Explore Zip. Almost 90% of viruses in 2002 are this type. [T. M. Chen, 2003].

3. 2. Vulnerabilities of software which are Exploited: Computer
& OS smooth – articles pertain several vulnerabilities & bugs which are broken for controlling a computer. The term ruin points to a tiny section which belongs to code that may have advantage of bluff which is in software. This is widely reused in several Trojans as well as viruses before correcting the vulnerabilities by the developers via a particular patch. Several damages are renovated to give access from root on a system [Jeremy Kirk, Published: 2010]. It can be done by a single operate, or operate through multiple, each providing level privilege escalation to the attacker. advantageous
U0925517

at io
of vulnerability which

computer through mail, which holds the file Happy99. Exe. When clicking on

n
is

O
particular

A damage caused is about software.
Page 14

nl

3. 1. Social engineering: This method is used to attack the system by

y

attacks are:

MSc Computer forensics and Information Security

Viruses in Vista

Classification of exploits is done based on vulnerability they cause. Some achievements are 1. Overflow by Buffer 2. Overflow by Heap 3. Overflow by Integer 4. Injecting Code 5. Injection by SQL 6. Scripting from Cross Site. This is difficult to eliminate vulnerabilities of software because that was tough to give whatever goes incorrect with small code piece. Developers can be made familiar of coding in a style which may be difficult there by achievements are normalized. The whole process is familiar as safe coding.

In fo

rm

3. 3. Process of Phishing: The process related to theft of data which
belongs to the users who surf techniques of socialized engineering. This is generally performed through entities which are most trusted. Most abruptly it is done through e-mail. It points the end user to the websites which seem to be a replica of entities which are trusted.

3. 4. Process of Pharming: It is type of hitting in order to redirect the
traffic to a website which is fake. It may be by modifying the file of host on a system or by damaging some particulars. Have been poisoned servers are the one which are compromised. It is utilized for theft of confidential data. Attack against the Pharming is much more a tough job. No antivirus can defend this threat. Tools of Security such as secure coding and OS help to implement the termination of vulnerabilities of software. Both found to be a flop show since the OS is of million lines code. And more over most are seen ineffective in practice. In fact the code is available in huge size. And this has
U0925517 Page 15

at io

n

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

to be finally in a single kernel file which is bug free. It is very impossible to write code without bugs. [R. Basili and Barry T. Perricone, 1984]. The infected problem is much complex as all the hackers are dependent on errors

from above that preventing infection is almost impossible because providing apt error caused by user is also much complex.

Hence the software of

security is made dependent on Detecting rather than preventing.

In fo

rm

U0925517

at io
Page 16

n

O

nl

y

by human in orders to compromise the computer. Therefore it is crystal clear

MSc Computer forensics and Information Security

Viruses in Vista

4. Anti – Virus
1980’s virus in computer has appeared by the presence of anti-virus.

else constantly if there are any malicious bodies found. Day by day the software of antivirus grew up along with the malicious entities such as viruses. The methods utilized by the software of antivirus are given below:

signatures points to protecting a system against malicious entities such as flies which consist code for detecting the viruses. Initially these programs

Then after developers came to know that major infections from the malicious bodies like viruses are with code placing at the entry level of the program. Since the program for scanner always begin the check from the entry level point of related data or program. This process becomes stagnant whenever the polymorphic or encrypted type of viruses evolves [Daniel Newman, Kristina M. Manalo, Ed Tittel Jun 18, 2004].

In fo

rm

4. 2. Emulation: In order to defend from the polymorphic type of viruses
this technique has been evolved. In this a departure type of Processor is involved which loads particularly the executable type of files with regard to this function. Therefore the virus program couldn’t know that it’s been

running in the environment which is emulated. This provides space for the antivirus program for monitoring the activities of virus body in an environment which is enclosed thereby preventing damage caused to the user’s PC.

4. 3. Frequency analysis: It is no more a method which is stand alone.
This process involves the analysis of presence or absence of specified type of opcode. It is realized most legitimate by the programs in terms of

programming that utilization of DOS abrupt as the 21h exists in its code itself. This abruption is truly seen through malware.

U0925517

at io

n

see through the executable files and locate the existence of code for virus.

O

4. 1. Pattern matching or Signature detection: Recognizing the

nl
Page 17

y

This software generally scans and monitors the computer at particular times

MSc Computer forensics and Information Security

Viruses in Vista

4. 4. X - Raying: Since the malicious viruses are arrived encrypted, the
program of antivirus initiates utilizing the code description which is brute force. Possibility for this exists because it has to known as crystal clear type of attack upon the code which is encrypted. Developers of virus could utilize algorithms which are randomly encrypted, where it becomes damn easy to crack the protocols. Muttik, 2000].

This analysis process is renowned as radiology [I.

4. 5.

Heuristics: The developers of these types of viruses are

of the file execution. Finally they were following new techniques or methods to infect the viruses all over the internet. This virus tries to change their way of techniques to avoid from the scanning of the antivirus software. If it is performed to the file access and page errors [Daniel Newman, 2004].

In fo

rm

U0925517

at io

n

implementing new types of methods and they don’t execute virus at the time

O

nl
Page 18

y

MSc Computer forensics and Information Security

Viruses in Vista

5. About Recent malware:
In recent malwares the developers of the malwares are trying to implement new methods of coding to escape from the powerful anti viruses

software’s. Because of this system the new malicious programs are having the capacity to disable the antivirus software and other types of security how good the antivirus software’s are working.

Some types of Trojans are as follows:

5. 1. Spam trough Trojans: This Trojan [Ryan Naraine, 2006] shows
various types of faults the security of the system is having which are not best to protect from the viruses. These Trojan spam’s enter into the system or

In fo

rm

computer by using the social networking sites or by means of patched files, These types of Trojans tries to disable the security measures of the system and by blocking the antivirus software’s. After wards these Trojans spam’s will creates another copy of the Kaspersky Anti-Virus software’s in the systems. These viruses create a duplicate file in the hard disk of the system. Viruses once infected will change all types of settings like they will stop the notification of the antivirus when the license of the antivirus is expired. These type of Trojans after infecting the antivirus software tries to find the other types of malicious software’s and clear them so that there will be no

existence of other virus other than this. These type of Trojans will also tries to hack the ip addresses of the systems which were infected. Most of These Trojans had the capacity to avoid from the scanner of antivirus system.

U0925517

at io

n
Page 19

O

software’s. The rising of this type of malicious software’s will able to show us

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

5. 2. Trojan Beast: Trojan Beast is a type of Trojan horse which behaves
like a remote administration tool. In the year 2002 the first Trojan beast was discovered. These are the first type of Trojans which established a Because of this server there is no

connection setback in the server.

requirement of the ip address of the user but it will directly connect to the

server. Explorer. Exe was the file which is infected by these Trojans. This

virus penetrates the DLL file in winlogon. Exe, it was considered as method

because of the penetration of these viruses.

infected then the antivirus will restrict the antivirus and as well as the

computer [Dshield, published: Fri, 17 Oct 2003].

5. 3. Win32. Glieder. AF: This is a type of Trojan worm which will
download the files and it will execute the infected files. This type of Trojans will spam the users system by utilizing the other type of Trojan horse called Win32. Bagle. BG. This type of Trojans occurs by means of email or by a

rm

type of zip attachment. [Win32. Glieder. AF, 2005]. These types of files when executed they will create a new file of the same file and it will exist in “Nwinshost. exe% System%”. “winshost. exe”. It will This will then create a add-on known as create a boot type of registry like:

In fo

After completing this process it will try to stop the security concern software’s

like firewalls and antivirus etc.

U0925517

at io

n

windows vista firewall and it will automatically consist the control of the

O

in Windows 2000, vista. We can see the gaps of the current system security

When the computer gets

nl
Page 20

y

MSc Computer forensics and Information Security

Viruses in Vista

5. 4. Winevar: This is file with the size of 90 kb. If these files are
executed then they will by a fine name as “WINxxxx”. The winevar also create a directory like as follows.

These worms will try to scan the systems hard disk content and after completion of the scanning of the system they will try to locate the file by the

same name and immediately they will remove the all the files which were available on the particular folder. In these there are viruses like “Fizzer, Bugbear, Klez,” which will tries to stop the antivirus software present in the

Actually the antivirus is created to scan the viruses on the system and they will remove the virus and if they found the new virus on internet they will update the new antivirus version so that the new virus will be removed from the system. But if this type of viruses tries to remove the antivirus software then there is no question of protection for the system from viruses. So, the antivirus software companies had to make the software’s which can be protected from these types of viruses. But most of the time virus

In fo

rm

programmers also face some problems for hiding their viruses from the antivirus software’s, so they are using different methods or techniques to solve this problem. All the time these antivirus software’s are facing so many problems to detect and to remove the viruses in PC. Now a day’s all antivirus software companies updating the software’s with patches as soon as possible to protect the system as well as to protect the name of their companies name in the present market. Sometimes many of the virus

programmers do not want to reveal the details like type of the virus. But presently there is no software present in the market which will give 100 percentage assurance of their antivirus software. It is not possible to detect and delete the virus as soon as possible when it is created. [T. M. Chen, 2003]

U0925517

at io

system.

This method is also called as Armoring [T. M.

n

O

nl
Chen, 2003].
Page 21

y

MSc Computer forensics and Information Security

Viruses in Vista

6. First virus for Windows Vista family
There has been a new virus invented which has become the best virus

command with Monad as in name of that which has got the rid from the

viruses that have been invented in the upgraded versions of the Win OS. This was published in the material by the hacking group that belong to the underground with named as in Ready Ranger Liberation Front from the

interface that took the lead over the security concerns over others. GUI uses the mouse over concept of theory for the purpose of navigation process to make the user fulfill the commands using the text mode that can make the application more powerful unlike the Operating Systems based on Windows named “Second Part to Hell” is the replica of the one published after the earlier Austrian based virus material named Monad which was published by the Microsoft. This was also proven by the Director of Research named Mikko Hypponen with the Corporation that is based on F secure part of the Second part to hell. Danom the head of the Virus Family is from the name

In fo

rm

Monad i. e.

Microsoft is given by the F-secure. Danom according to the Hypponen was proved to be cautious but at the same time also said to have no harm for the Microsoft users in using that Operating System which is in turn a proof of the virus. According to the Hypponen the new upcoming hackers developing the viruses for the different platforms will not expect to look at the virus based on the Operating Systems of Microsoft so fast. Since there were few issues raised for publishing the Danom like should there be the option for allowing the Monad with the Operating system of Microsoft Windows Vista since the Manod will be used only by the users who are well experienced. There is a topic raised by the hypponen that Software which is to be a pack that is kept standard defaults for Operating System based on Microsoft. Microsoft

Corporation was been burned by a similar software Microsoft Windows Script, in windows 2000 system. Virus writers were exploiting, as he was been working on the system he said.

U0925517

at io

for the predecessor. Recent published virus by the hacker written in DOS

the reversal of the name Monad which was published by

n

O

nl
Page 22

y

named for the Vista.

Viruses took over the advantage over the shell

MSc Computer forensics and Information Security

Viruses in Vista

7. Some new malware attack exploited Windows:
As per the Security vendors, Most of the viruses which have been invented and published in the recent past by the Microsoft have been found

by the writers and be spread upon various operating systems. The security vendors have found that two new malwares raised into the market within the

other files of the system. Stuxnet have been opened which was very crucial by the targets set to that. SCADA which is the to control the data acquisition

been discovered than the stuxnet which also looks at the technical input given or developed the other users. This was earlier displayed in the blog by the Eset Pierre Marc Bureau. The one invented in the recent past is used to install the logger i. e. a keystroke logger which in turn is used to hack the passwords or the data given as input on any of the specific system. Server required to give the components for the attacks is presently located in the USA but with the IP directed to the china customer who is according to the

In fo

rm

bureau. With each of the virus attack done there will be the force applied on the Microsoft corporation to join the weak portion of the software. The next round of the joining for the attacks done is to be done on Aug 10, if the customers attacked with this virus are reached up to certain level then that company will have to forced to join the emergency point for the concerns raised by the [Robert MacMilan, 2010]. Microsoft is presently working on the concern which has been raised so as to solve the issue of joining the patches. According to Randy Abrams said that Stuxnet indicates the very small ratio when compared to that of the earlier one’s i. e. it is . 01% of the malwares that is observed on the internet. This can even change its

features. This can even become the most common option for the attackers. This is expected to reach the 100 or 1000’s of malwares who are linked up with the vulnerability.

U0925517

at io

n

from the MNC named Siemens. Less crucial one is the latest one that has

O

operating systems of Microsoft Corporation. Files to provide cutoff of the

nl
Page 23

y

MSc Computer forensics and Information Security

Viruses in Vista

8. Computer worms:
Worms are malicious programs which are specially written to design to

software which includes virus as well as Trojans. People frequently install worms accidentally opening a message or an attachment that hold the

e-mail containing additional copies of the worm. Worms can easily penetrate into the networking security and proper antivirus will try stopping the infection

Morris in the year 1988 discovered internet worm. These usually penetrate through emails and they will spread across the internet very quickly. In 1999 the worm named Melissa was discovered, which is spread by the means of e-mail. This worm has the features of the Trojan worm and they will spread the worm by means of internet or emails. [Denning. P, 1989].

In fo

rm

8. 1. Examples of Worms:

8. 1. 1. Email Worms: These email worms spread the means of emails
or the attachments of the emails. This attachment contains the links of some unsecured websites. When the user tries to open the infected emails then the virus will enter into the system and spread into the system as quickly as possible. The virus first infects the system when the email opens and in the second step when the link is opened then automatically it will get infected to the computer. [Mary Landesman]. The well known types of the transmission are as follows:  Microsoft Outlook services  Windows MAPI functions

U0925517

at io

n

on the system [By Bradley Mitchell, About. com Guide].

O

executable codes. If worm is installed in system, it spontaneously generates

nl
Robert Tappan
Page 24

attack the systems through system networks. Worm is type of malicious

y

MSc Computer forensics and Information Security

Viruses in Vista

8. 1. 2. IM (Instant Messaging) Worms: This type of worms will
messengers. These will penetrate through other website and make the

websites infected of viruses. [Andy Sudduth of Harvard, 1988].

8. 2. How to prevent computer worms:

 To help prevent infections and to get rid of worms:  Use a firewall.

 Update operating system and software you use. [Use Windows Update to automatically update all Microsoft products. ]  Use antivirus and antispyware, such as Microsoft Security Essentials, a free download from Microsoft.  Please note that files attached to e-mail and links to websites.  Use a standard user account instead of an administrator account [By

In fo

rm

Mary Landesman, About. com Guide].

U0925517

at io

n

O
Page 25

nl

y

penetrate to the system by means of messengers and as well as instant

MSc Computer forensics and Information Security

Viruses in Vista

9. Practical Implementation
9.1
Name Threat Level Type Alias Identified

. Trojan. Gozi:
: Trojan. Gozi : High : TT_Trojan : Gozi Trojan

: Jan 2007(20-03-2007 Final identification)

Gozi is the famous Trojan which have been spreading before 17 April 2007,

[Brain Prince, 2007], It affected around 5200 hosts ten thousand accounts. The cost of stolen Data is around $2 Million. [John Bambenek, 2007] The data stolen is of memory 3. 3GB [Don Jackson, 2007]. Gozi is connected with Russian Heritage which is helpful for cyber

In fo

rm

criminals. Previous version of Gozi is in 2007. The latest version has many features which are listed below. [Andreas Baumhof, 2010]. systems which are affects by this Trojan are Win 95, Win 98, Win NT, Win Me, Win 2000, Vista, and Win 7.

Features of Gozi:
       It has an advanced Winsock2 functionality which is useful in stealing the SSL data. It Trojan code is modularized. It can spread through the Internet Explorer. It has a personalized server to extract and store the sensitive data. It has a customer interface to buy the stolen data through online. The value of the data is around $2 million US. The Gozi is stores in the system and hides, after that it starts it tasks like stealing the personal and sensitive data. 2010]
U0925517 Page 26

at io

the new variant of this Trojan is steals the Secure Sockets Layer (SSL) data.

n

O

nl
[Andreas Baumhof,

y

MSc Computer forensics and Information Security

Viruses in Vista

like by malicious Pdf files or by Exploit kits (Like Justexploit).

“As we seen early most of the Gozi viruses are transferred through the malicious PDF files. The PDF with MD5 b72163b1d5fbc0f2e88e984bf0ac601e,
exploit the buffer overflow in Adobe Acrobat Reader (CVE-2007-5659). The aim of this PDF is to download the original Gozi known as update. exe having MD5 cd4d37ea17007cbdfa0d9cc96b5fc1dc. This type of distribution is around 65%. ”

[Andreas Baumhof, 2010]

Justexploit kit:

The Justexploit kits are 27%, the common feature of exploit kits are used for

rm

geographic distribution.

accessing the infected regions.

Australia and Germany. [Andreas Baumhof, 2010]

In fo

STEP1: Identification
“A file namely “xx_ymvb” is stores in to the “C:\Documents and settings\<username>” which is directory pointed to by the %USERPROFILE% VARIABLE”. [BY Don Jackson, 2007]. It is not detected which malware it is particularly at the time of scanning by more than 30 well known antiviruses. Some of those used heuristics identified this as “Generic” threat or Suspicious file. [Don Jackson, 2007]

U0925517

at io

So only the bad people are infected due to These are mostly installed in US, UK,

n

O

Malicious PDF files:

nl
Page 27

Most of the Gozi viruses are transfers to the system as drive by infections,

y

Gozi Installation:

MSc Computer forensics and Information Security

Viruses in Vista

Figure 9. 1. 1: Identification of Gozi

While conducting a forensic examination on the PC which is infected by this Trojan, data which is recovered from the deleted Internet Explorer cache it is shown that the PC user accessed the web site “alchemylab. com” the code shown is the following. [Don Jackson, 2007]

In fo

rm

Figure 9. 1. 2 Internet cache code from the infected system

It writes the below code to that web page:

Figure 9. 1. 3 Code written one frame on web page

U0925517

at io
Page 28

n

O

STEP2:

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

One more IFRAME available on the page:

functions which are used to download, run them . EXE file are presented in

Crapanzano, 2003]

Earlier, for the purpose of the analyzing the behavior of any specific reason the tool was structured using which the duplicate executable file is been

In fo

rm

founded and then make use of that in the VMware Virtual machine of Windows XP. Files, System Hardware, System Software, disks were under the monitoration by the tools which belong to the Microsoft company. Ethereal which is now familiar with the name Wire shark can find out and grab the packets which are present on the Network Interface VM. Exploit which has rendered its services through the directory which is not permanent where exactly the malware which has got its execution is present. This all happened soon after the sandbox was into the picture. DLL’s after its loading process is done completely, the file to the destination from the source directory will be transferred. There will be the name created for the file with variously picked up names. The registry will look after the files that have been created and saved into the directory and also takes care about the changes done to that particular file and see that it starts running soon after starting the system. [B. Schneier, 1999]

U0925517

at io

the last frame of the webpage those are hosted on same server. [Jamie

n

Java script Code using ActiveX Data Objects (ADODB) and XMLHTTP

O

Figure 9. 1. 4 Code written another frame on web page

nl
Page 29

y

MSc Computer forensics and Information Security

Viruses in Vista

Figure 9. 1. 5 Registry values

the user’s personal computer i. e. the value allotted to the different keys for e. g. for the key yy_name the value allotted is some x, then the value for another key say yy_address will also be the same as in case of the yy_name key. Same as in case of the other key since its value is same but only thing which varies is its siz that is a big in size with the compressed text in it. The

In fo

rm

tools by windows are used to store the data or information on the files and the registers present in the folder. Regedit does not approves or disclose its data i. e. the entries which are made in that at the same that not even display the profile in the internet. Tools which are to monitor the deleted files of that folder are not founded. The Windows malwares used in the folders does its job in keeping its data highly secured and safe from leaking it out. For which the root kit only according to many of them think it supports such a functionality. The file and the entries into the registers are made seen to everyone using the entries such as run command to prevent the executable file to load its applications by re starting the system in the safe mode. The server on which the file was executed using the hyper text transfer protocols of 80/tcp, the links used to connect the program to the port has started and successfully completed its part. Wire shark as discussed above has dealt in with

detecting the traffic in that particular file or folder [Don Jackson, 2007].
U0925517 Page 30

at io

The key value for all the will be the same but varies when it comes to that of

n

Figure 9. 1. 6 Gozi Registry entries

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

STEP3:
Sending a CGI program to the server will be the initial step.

Figure 9. 1. 7 POST request of gozi to certs. cgi

Data format used in sending the request is the MIME. This also includes the header with the content of its type as binary which is totally a different concept. This was again according to the statistical analysis proved as the

duplicate copy from the area of Microsoft company where the storage of data or information is done.

rm

In fo

STEP4:

Hyper text transfer protocol’s request is to get the file of . cgi format onto the same server which will be the second step.

Figure 9. 1. 9 Request HTTP GET to options. cgi
U0925517 Page 31

at io
Figure 9. 1. 8 certs data posted. cgi

n

certificates issued to the clients and the information which has been the

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

A value for some x key might suite the value that has been generated for some other y key at the same time the value for some z key might match with the value of another key that has been generated statically. This is all

entries are same as the parameter values. [Don Jackson, 2007]

The data or information delivered from the server is the binary data then soon after the response is received as OK then the data looks similar to that in the key that is in the register file.

In fo

rm

Figure 9. 1. 11 HTTP 200 response in options data

File within the %USERPROFILE% directory as in the name of xx_tempopt. bin after filled with the data or information. Data or information will be saved in the key by overwriting it on the existing old registry folder. In such

situations the memory occupied by that registry will be more than what that file previously occupied i. e. 3799 bytes of memory allocation is done.

U0925517

at io

Figure 9. 1. 10 HTTP GET request to options. cgi

n

O
Page 32

nl

y

possible when there is an option of the values given in the registers as an

MSc Computer forensics and Information Security

Viruses in Vista

There was also a proved statement that due to the data or information which is posted in all the forms through the hyper text transfer protocol and the duplicate content sent through the hyper text transfer protocol will

located at any particular place through the hyper text transfer protocol. This is proved after the packets which were been founded and examined. Some of the things which can be easily caught by the Wire shark Malware is that addresses of the email id’s can be easily be seen. 2003]

In fo

rm

The tools of that Malware seeks to maintain its combination of finding the secret codes such as finding out the PINS of various users and sending the data to the destination point from the source point after the request has been made. Throughout the process there has been a circular way of approach done to follow that process. Virtual machine starts restarting after some time. Restarting can even be a chance in providing them the loss of data since during the execution of file, when the system gets restarted then the data can be known across to many of the users. [Don Jackson, 2007]
U0925517 Page 33

at io
Figure 9. 1. 12 SSL/TLS Stolen Data

n

O

the secret codes i. e. the PIN code of the ATM card, where the SSN and the

nl
[Jamie Crapanzano,

y

automatically change its nature with the requests it receives to the server

MSc Computer forensics and Information Security

Viruses in Vista

STEP5: Static Analysis
Importing of the table is done soon after the Upack is filled up with mixing the

made in the memory which were been compressed in structure rebuild in

such cases Upack comes into picture i. e. upack looks after the files in the registry directory during the time of uncompressing. Execution of the Upack code is done only when the PE headers are available in the directory where the execution process happens. Malware Execution from the virtual machine should have to be disturbed and debug that to the hardware. This process is preferred to be done in OllyDbg because to use the plug in which is of much useful. This is written by Joe Stewart who works as a Senior Security Researcher for the Secure Works. As discussed in the above paragraph regarding the OllyDbg, There was a test which has been performed using the system with its specifications as

In fo

rm

listed, Windows XP Professional SP2, 750 MHz Pentium III Micro Processor with its Ram size of 512Mb. OllyDbone Plug in’s and the Malware software were used in the PC as per the directions given by the Joe. The issue was raised soon after the execution was done using the malwares installed into the system of OllyDbg. [Jamie Crapanzano, 2003]

Figure 9. 1. 12 OllyDbg Error at the time of Upack-ed EXE loading

U0925517

at io

n

O

nl
Page 34

files which can even mangle the header. Any kind of compressions to be

y

MSc Computer forensics and Information Security

Viruses in Vista

Execution keeps in the tilt stage after the execution is done with result as in ntdll. dll code error and by neglecting that. Executable files in order to work must see that the upack must return the header to any point for the size to

Program keeps running till the execution part is done once it is set. The code

rm

of the program in the PE header looks after the execution by continuously running control F9. Going with the Exception of removing the break on

through the context menu and tuning in back to the memory map which directs you to the destination source can make the debugging possible in that memory location.

In fo

U0925517

at io

Figure 9. 1. 13 Set BonE

Figure 9. 1. 14 GetProcAddress () Finding

n
Page 35

O

nl

y

come up with the menu and reach the breaking point. [Don Jackson, 2007]

MSc Computer forensics and Information Security

Viruses in Vista

For the execution part to complete successfully the thing we have to check in is to make use of the controls as follows, For setting a breakpoint we have to make use of F2 control and to run the program till the breakeven occur make

achieve the execution part of the code to complete successfully. TO run the

program till the function sets to return we need to press Contol+F9 soon after for a single step we need to press F7 for the instructions of RETN. This itself

Schneier, 1999] Dumping the memory off the disk i. e.

the data or information as an

executable file we make the Virtual machine link with the utilities of PE_Stub. Testing the import table can be done except the issue that the unpack file cannot be executed so there is no chance for the debugger to come into action.

In fo

rm

U0925517

at io

Figure 9. 1. 15 Importing loops at the end time

n

O

is a table known as Import table which follows the concept of loop.

nl
[B.
Page 36

y

use of F9. Directions by the getProAddress have to be strictly followed to

MSc Computer forensics and Information Security

Viruses in Vista

STEP6:
A single move down here could simply reach the OEP. OEP stands for

compressed state which retains the general memory map which is usable, that is through the main function of the malware.

malware’s secrets got revealed. However no further tricks used for antianalysis can show the result.

Figure 9. 1. 16Registry keys and files to restart the system

rm

The Trojan makes virtual memory simpler in such a way to pierce the code through the processes which are been running. Therefore this relative

phenomenon which is utilized for making the registry keys & files useful for the survival of reboot is known to be the rootkit-like. And the particular code is necessary to access the Protected Storage of Windows & for exporting the certificate stores which are available in the PFX format. In fact this is the data which is sent to the server with respect to the program of certs. cgi. So usually the way down this relative code, a person can notice the DLL functions of networking which are required for building & sending the actual request which in fact implements the POST. [Carnegie Mellon University (1999)]

In fo

U0925517

at io

n
Page 37

O

nl
So presently all the

y

Original Entry Point. However the code belonging to this is never been in

MSc Computer forensics and Information Security

Viruses in Vista

While going through the code, we are made able to check – which was

Windows Functions which are necessary for performing the common tasks which usually needed to complete is much more a helping hand. The one

And this data – any of which is brought together as a code else that is drawn from its mother ship is usually encrypted very weakly. Once we are able to locate the loop of decryption then we can grab the way OPTIONS are been crafted. This helps us in concluding from evidence the remaining capabilities related to the malware residing inside the code which might ever been

In fo

rm

reached during the analysis done till then.

U0925517

at io

With the peculiar interest the relative code performs the data of OPTIONS.

n

that justifies the experience of analysis is familiar as the key.

O

noticed during the analysis of behavioral.

Having the concept about

nl
Page 38

Figure 9. 1. 17 code that stolen data to the "mothership"

y

MSc Computer forensics and Information Security

Viruses in Vista

Figure 9. 1. 18 Decrypted data with Internet Protocol address.

STEP7:

In fo

rm

Further examination of the OPTIONS data which is decrypted inside memory of the batch, we are able to find that it consists of:

The URLs & IP address that is required for upload of data which is stolen The required Identifiers which are needed for marking some specific characteristics of forms(HTML) from remaining kinds of pages in web A specific IP address which is required for the registration of options given for downloading and the infection Detailed options which let us know the formatting of data which is stolen[D. Wagner, 1996]

As an add-on for Trojan which is original, two different variants related to side of executable client are available. Later these do not seem to be useful for further attacks. It denotes similar to the area of presentation set for the later release for bringing ahead the detection of anti-virus lead times.
U0925517 Page 39

at io

n

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Since no peculiar address of IP is denoted inside requests of HTTP, the data grabbed or stolen is transformed as files which are flat and are indexed

In fo

rm

based upon infection ID i. e. , sent via parameter of user id. Several number of infection IDs via same address of IP could indicate:

IP address in fact known as address of NAT (hosts lie on corporate network else same home) While the machine get subjected to infection, then it is cleaned, again it is re-infected as on IP address which is assigned for serving a separate machine i. e. , the DHCP is even infected Whenever a collision takes place in specific generated ID i. e. , when two separate hosts carry the similar ID number without any dependency[Carnegie Mellon University, 1999]

For the purpose of the test run there will be a Trojan parameter which can be added and a version_id which will be helpful for the purpose of the wild
U0925517 Page 40

at io

Figure 9. 1. 19 Home page of Gozi

n

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

production execution. This will similar variant of GOZI will be utilized for both. The ID, IP, version of the Trojan or the URLs will be infected by the server interface ("signin. hackmebank. com") or by the post data ("password=").

In fo

rm

The front end with consists of the graphics can be sinkable and there is need to perform this installation. "76service"is a default logo which will be allotted for group or individual.

The delivery option will be selected by the client who will be allowed by the features of the frontend. There will be one option called compressed

document. Here file name cannot be found but the file folder can be located. Only in these two things only one will be found. The file which is compressed will be contains 3. 3 GB data which is stolen personal files from the clients from more than 5200 systems. Here the client would be paid with bogus funds and value is set as “1”. [Don Jackson, 2007]

U0925517

at io
Figure 9. 1. 20 Default values on the server
Page 41

n

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

STEP8:
Managing low prices, logins of customers in the server which can handle

underground economy. Here malicious software is selling as a centralized

database having a centralized server with customized features. The reason to provide these many features to skill developed the counter measures.

For example Gozi is posturing like Computer criminal data in UK, Jackson posted many posts in forums, Internet relay channels because there is more phishing and data which is stolen available commonly.

In fo

rm

There he got instructions how to join in a particular IRC on a particular channel in a day. There no other persons are there except he and me on that particular channel. He operated Jackson with a fake name to contact with him and he said that he will give a kit named Snatch. The price of the kit is $2000 for the new people and he will give it for $1000 to the persons he knew. But he provided only preview account. The customers who are don`t know Russian Language are suggested to translate and follow the site to use AltaVista’s Bablefish with free of cost.

U0925517

at io

Figure 9. 1. 21 Searching for sources

n
Page 42

O

nl

y

stolen data is key points to an increasing trend for malicious software’s in the

MSc Computer forensics and Information Security

Viruses in Vista

The home page of the 76SERVICE is as shown in below.

In fo

rm

Figure 9. 1. 23 Previous Manager. cgi skin of 76SERVICE

U0925517

at io

Figure 9. 1. 22 The Snatch which is advertised by him

n

O
Page 43

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

They are posing like they are adding new features to the kit. The previous version is uses manager. cgi to access whereas latest version uses serv. cgi.

The 76SREVICE trail server is locating the ISP in Georgia, Atlanta at one time, later the server is moved to Midwest America (Oklahoma, Texas), but whereas the server Internet Protocol address is allocated to a Tampa company. They are always keeps on moving.

In fo

rm

Detection of Gozi:
We can identify the presence of Trojan. gozi by checking for the registry values as shown in below figure.

U0925517

at io

Figure 9. 1. 24 Newer Serv. cgi or Serv2. cgi skin of 76SERVICE

Figure 9. 1. 25 Dll’s of Gozi

n

O
Page 44

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Removal of Gozi:
To remove the Gozi from the system, as we know Gozi comprises on DLL, Gozi are hidden; it is difficult to delete all DLL’s from the system directly. Firstly we need to identify the . dll files of Gozi, after that by using utilities such as Move file from sysinternals delete all the registry entries related to the Gozi. Reboot the system, later check whether the registry entries of Gozi all are deleted or not. Now the system is safe. [Andreas Baumhof, 2010]

In fo

rm

U0925517

at io
Page 45

n

O

nl

y

we need to remove all registry entries which are related to Gozi. DLL’s of

MSc Computer forensics and Information Security

Viruses in Vista

9. 2. Prorat 1. 9:
Name Threat level Damaged level Identified Updated Type Alias : Backdoor. prorat. 10b3 [Kaspersky] : Low : Medium : 13-06-2003 : 13-02-2007 : Trojan horse : Prorat

Description : This Trojan helps the attacker to give full access on victims PC; it opens a port in the PC, it written in Delphi, packed with UPX. [Kaoru Hayashi, 2007]

It is a Remote administration tool which is used by the attackers,

In fo

rm

without our permission, the systems which are affects by this Trojan are Win 95, Win 98, Win NT, Win Me, Win 2000, Vista, Win 7, whereas Mac, Linux and Unix users are not affected by this Trojan. [Spyware database, 2007]

How it infects the PC: Step1:

It firstly copies itself in to the %Winddir% of %System% folder. different variants with different file name as shown below.

at io
Figure 9. 2. 1

n
It has
Page 46

U0925517

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Step2:
It creates . dll files in to the %System%, those are as shown in below.

Figure 9. 2. 2

Step3:

Windows registry values are as shown inbellow.

In fo

rm

U0925517

at io

Figure 9. 2. 3 (a)

Figure 9. 2. 3 (b)

n
Page 47

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Step4:
It modifies the data as shown in below

Step5:

It opens a port in the victims PC in the range of 50000-60000, and sends the

In fo

rm

IP address and port Number of victims PC using the ICQ web pager to the ICQ user. There is a chance to inject . dll file into winlogon process as a thread, it terminates the function of security products. [Kaoru Hayashi, 2007]

U0925517

at io
Figure 9. 2. 4

n
Page 48

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

How to use the Prorat 1. 9: Step1:
Download Prorat 1. 9. Double click on the Prorat 1. 9 as shown below.

In fo

rm

U0925517

at io
Figure. 9. 2. 5
Page 49

n

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Step2:
It will appear as shown in below figure.

In fo

rm

U0925517

at io
Figure 9. 2. 6
Page 50

n

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Step3:
Click on create and the Create Prorat Server(342Kbayt) as shown below

rm

In fo

U0925517

at io
Figure 9. 2. 7
Page 51

n

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Step4:
Click on the Notifications tab and then give the IP address and the E-mail to

In fo

rm

U0925517

at io
Figure 9. 2. 8
Page 52

n

O

nl

y

which we want to receive notifications as shown below.

MSc Computer forensics and Information Security

Viruses in Vista

Step5:
Goto general settings and tick the options according to the user requirement.

rm

In fo

U0925517

at io
Figure 9. 2. 9
Page 53

n

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Step6:
Click on the bind with file tab, tick on bind with server file and select file what

file, click on ok as shown in figures 9. 2. 10 (a), 9. 2. 10 (b), 9. 2. 10 (c).

In fo

rm

U0925517

at io
Figure 9. 2. 10 (a)
Page 54

n

O

nl

y

file we want to bind , after that a dialogue box shows that Server bind with

MSc Computer forensics and Information Security

Viruses in Vista

In fo

rm

U0925517

at io

Figure 9. 2. 10 (b)

Figure 9. 2. 10 (c)
Page 55

n

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Step7:
Click on the Server Extensions tab we can give any extension as our requirement, here I am clicking on “. SCR” as shown in figure 9. 2. 11

In fo

rm

U0925517

at io
Figure 9. 2. 11
Page 56

n

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Step8:
Now click on Server Icon and then choose any one icon and then click on that “The Blinded server has been created with your settings in the current

12 (c).

In fo

rm

U0925517

at io
Figure 9. 2. 12 (a)
Page 57

n

O

nl

directory. ” Click on OK as shown in figures 9. 2. 12 (a), 9. 2. 12 (b) and 9. 2.

y

create server, after that a dialogue box is appeared on the screen showing

MSc Computer forensics and Information Security

Viruses in Vista

In fo

rm

U0925517

at io

Figure 9. 2. 12 (b)

Figure 9. 2. 12 (c)
Page 58

n

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Step9:
Now we can see the binded server is created, create an new zip file, rename

shown in figures 9. 2. 13 (a), 9. 2. 13 (b).

In fo

rm

U0925517

at io
Figure 9. 2. 13 (a)
Page 59

n

O

nl

y

the binded server with the name as your wish, and send it in to a zip file as

MSc Computer forensics and Information Security

Viruses in Vista

In fo

rm

U0925517

at io

Figure 9. 2. 13 (b)

n
Page 60

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Step10:
Send the zip file to the victim.

In fo

rm

U0925517

at io
Figure 9. 2. 14
Page 61

n

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Step11:
Now give the IP address of the victim and connect as shown below figure.

In fo

rm

U0925517

at io

Figure 9. 2. 15

n
Page 62

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Step12:
Now we can access the victim pc and we can see all the information

opened, we can turn off, restart, look all the files in the hard disk, services, we can chat with the victim, find the passwords etc as show in below figures.

rm

In fo

U0925517

at io
Figure 9. 2. 16 (a)
Page 63

n

O

nl

y

whatever we want like PC information, applications, message, windows he is

MSc Computer forensics and Information Security

Viruses in Vista

In fo

rm

U0925517

at io

Figure 9. 2. 16 (b)

Figure 9. 2. 16 (c)

n
Page 64

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

In fo

rm

U0925517

at io

Figure 9. 2. 16 (d)

Figure 9. 2. 16 (e)
Page 65

n

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

How to remove Backdoor. prorat: Manually:
To remove the Backdoor. prorat manually we must follow the below instructions. [spyware database, 2007]

Step1:
Stop the Processes which are as shown in below.

Step2:

Unregister the . dll files as shown below.

In fo

rm

U0925517

at io

Figure 9. 2. 17

Figure 9. 2. 18

n
Page 66

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Step3:
Locate and delete all the files shown in below.

We can use anti-virus tools also and there is a tool “Anti-Prorat” is available we can use this tool also.

In fo

rm

U0925517

at io

Figure 9. 2. 19

n
Page 67

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Lessons what I have learned:
I have learnt lots of things from this module such as viruses, worms,

on Trojan horses, those are Trojan. gozi, Backdoor. prorat.

Gozi is the Trojan horse; it steals the SSL data from the infected PCs

and maintains a central server for the database. The attackers take the membership of Gozi and extracts the data whatever they wants, and hack the accounts of the victims. Gozi affected the systems around 5200 and the accounts more than ten thousands and the black market data is around

$2Millions. The best way to remove Trojan. gozi is first remove the . dll files and then deleting all the gozi registry entries.

Prorat belongs to Trojans family, It is a Remote administration tool which is used by the attackers, without our permission, the systems which are affects by this Trojan are Win 95, Win 98, Win NT, Win Me, Win 2000, Vista, Win 7, whereas Mac, Linux and Unix users are not affected by this Trojan. By using this the attacker can take all his passwords, personnel data,

In fo

rm

etc, even he can crash the entire system. [Spyware database, 2007]. We can remove prorat by using best antivirus software. It is very much difficult to identify the malicious software’s. Every time Malicious software’s are illegal, fraud or unwanted

it is not possible for the user to determine whether the malicious software is necessary or not. software’s.

Some famous anti malware software can able to detect and

identify from malicious software’s. We can examine the software’s in following ways Such as: By the source of the program, background of the software, behavior of the software, software impact on the system like performance, security as well as privacy.

U0925517

at io

n

O

nl
Page 68

y

Trojans and much malicious software. Coming to the practical part I worked

MSc Computer forensics and Information Security

Viruses in Vista

Some evaluation criteria for malicious software’s:
1. Privacy: Here the malicious software will collect the data or 2. Security: In case of security the unwanted software’s will disable or stop the functioning of the security features of the user system.

3. Unreliable behavior: Here the unwanted software’s will stop the user from removing the programs.

There a many types of malicious software which are creating trouble to user of the system such as:

Worms: These worms attack the networking connections but they will not

networking connection to enter into the network and after that they will create heavy damage.

Trojan: Trojan is viruses which are implanted in authentic software and enters into the computer. There are so many types of Trojans present in the

In fo

rm

internet but the functionality of the each Trojan would be different. Trojan virus will look as genuine software for the user but it will create a dangerous treat to the system [Joseph Lo aka Jolo, 2006]. The Trojan virus uses the existing viruses in the system and it will create more damage by using the existing viruses. Dialer: dialer is malicious software which will install into the dialer settings of the system without the knowledge of the client and the dials the numbers without the knowledge of the client. Backdoor: This will gain access on the entire system of the user and then it will create a heavy damage to the computer. To protect the system or computer from malicious software’s it is preferable to install a malicious software removal tool.

U0925517

at io

infect the files on the system like viruses.

n

O

These worms utilize the

nl
Page 69

y

information of the user without knowing to the user.

MSc Computer forensics and Information Security

Viruses in Vista

Findings:
In this module I found many things such as:

    

Types of malicious programs. Types of viruses and worms. Methods of attacks. About Anti-virus.

Practical knowledge of Trojan. gozi and Backdoor. prorat

In fo

rm

U0925517

at io
Page 70

n

O

nl

Features of Vista.

y

MSc Computer forensics and Information Security

Viruses in Vista

RECOMMENDATIONS:
Step1: Network, software applications and operating system should be kept

operating systems must be updated to protect from malicious hackers. Hackers tries to find out the problems in software products and when they find a mistake in the following software’s the hackers immediately prepare a program to create problems in the software as well as they will attack the systems on the internet.

Immediate update of the software’s and antivirus must be required as when

but then the perfect version of the software should download and install in to the computer. In the mean time hackers will try to affect the systems on the world wide systems. So, immediate updating of the software and antivirus should be performed.

In fo

rm

Some famous companies like Microsoft and apple will provide automatic update checks when you on the system but some software vendors they do not provide such options. So it is better to check the website of the software periodically for the updates. So, immediate updates of the software will be recommended to protect our system.

Step 2: It is compulsory to install antivirus software. The viruses and worms can be detected by using some excellent antivirus software’s . These antivirus will use a technique called heuristics which will has the ability to detect the virus which are suspicious.

U0925517

at io

the software vendors find a fault in the software they will immediately rectify it

n

O

nl
Page 71

The network software’s, servers of the web, internet browsers and the

y

up to date.

MSc Computer forensics and Information Security

Viruses in Vista

Step 3: The antivirus should be running In this antivirus software we can implement two types of methods, in the first

when the system started the antivirus will start scanning all the files in the system and protect from antivirus. It is better to go for a real time scanner as when we are in work station mode without interrupting our work the virus will

scan the system files and folders. And periodically it is better to scan a batch file once in a week.

Step 4: Antivirus should be updated frequently

It is better to go for genuine antivirus software than that of pirated antivirus software. When you subscribe an antivirus the vendors of the antivirus software’s will provide virus information updates and also new virus alerts will be provided. If the antivirus subscription is outdated automatically there will be risk from the viruses. So keeping updated antivirus will protect the system

In fo

rm

from viruses.

Step 5: Be aware of phishing The process related to theft of data which belongs to the users who surf techniques of socialized engineering. This is generally performed through entities which are most trusted. Most abruptly it is done through e-mail. It points the end user to the websites which seem to be a replica of entities which are trusted. So, do not provide personal information to any of the fake sites or mails. phone. Good reputed companies will verify your information via

U0925517

at io

n
Page 72

O

nl

y

method we can keep the antivirus in the real time mode. In real time mode

MSc Computer forensics and Information Security

Viruses in Vista

Step 6: Data sharing and accessing untrusted websites must be avoided. USB, cds, DVDs, emails and net surfing will increase the risk of infection of

It is not recommended to transfer data from removable disks as they will

not allow there users to use removable disks.

Never open or click on the links from unknown emails, avoid visiting untrusted websites and try to avoid files from unpopular or untrustful websites. These unwanted websites will try to infect the system and try to rob some personal information from the system user.

Future Implementation:

In fo

rm

Now a day’s many anti-viruses are available in market, as well as

many Malwares are also there, still new Malwares are creating day by day, but there is no ideal anti-virus scanner is available, which means if a new malware is created at this time it is taking time to analyze, to detect and the procedures to remove the malicious programs. Gozi is stealing the SSL data of thousands of accounts, so the banks should provide high standards of security, and the operating systems should be designed in such a way that highly restrict the malicious programs.

U0925517

at io

n

O

cause infection to the system. Because of this reason many organizations do

nl
Page 73

We should avoid the following things:

y

the system.

MSc Computer forensics and Information Security

Viruses in Vista

Conclusion:
In this paper we discussed about Trojan. gozi, Backdoor. Trojan how infects the systems and how to remove these from the infected systems. And also how to improve the consistency of the anti viruses and how to avoid

or protect the system from new viruses or existing viruses. As the antivirus

protect the system from viruses, but also the new viruses which are created are defeating the antivirus software’s. In malwares the developers of the powerful anti viruses software’s. Because of this system the new malicious programs are having the capacity to disable the antivirus software and other types of security software’s.

The rising of this type of malicious software’s will able to show us how good the antivirus software’s are working. To prevent infections and to get

In fo

rm

rid of worms some of these methods should be implemented like Using a firewall in the system, Updating the operating system (VISTA OS) and software’s you use, Using antivirus and spyware software’s, such as Microsoft Security Essentials which are free download from Microsoft and Use a standard user account instead of an administrator account.

Majority of today’s malicious software’s are intended to attack

Windows systems, this is the case where people who use the other operating systems [OS] believe they were not at risk, though, and this is not the case. Malicious programs are also targeting the other operating systems such as Apple and Linux operating systems.

U0925517

at io

n

malwares are trying to implement new methods of coding to escape from the

O

software companies are implementing new methods or new techniques to

nl
Page 74

y

MSc Computer forensics and Information Security

Viruses in Vista

Here it is strongly suggested to install an anti virus scanner. May be not all antivirus scanners will be recognized by Windows Vista, even if these virus scanners are completely fine and properly functional. If your anti-virus automatically “Malware Protection” line will turn green. Most of the anti-virus programs are required to reboot after installation. But the actual fact is that if you were one of the million users of internet we should be careful about the

there is no antivirus software which can protect our worldwide internet immediately when a worm or virus is created.

In fo

rm

U0925517

at io
Page 75

n

O

computer virus and protect our self accordingly. According to my research

nl

y

scanner is installed properly then it will be recognized by windows Vista and

MSc Computer forensics and Information Security

Viruses in Vista

References:
[T. M. Chen, 2003] [Trends in Viruses and Worms. By T. M. Chen, 6[3],

[Dr. Chris Imafidon] [Analysis of two recent worms, Date published: 20-082006] Date accessed: 20-07-2010

[Spafford E. H, 1989] [Spafford E. H. The internet worm program: ACM

SIGCOMM Computer Communication Review, Published 1989. ] Date accessed: 24-07-2010

Date Published: 01-07-2002] Date accessed: 30-07-2010 http://www. extremetech. com/article2/0%2C1558%2C325439%2C00. asp. ] [DaBoss, 2009] [DaBoss. Number of viruses. Published: 03. 05. 2009 http://www. cknow. com/vtutor/NumberofViruses. html] Date accessed: 30-07-2010 [Nachenberg.

at io
C, 1997] [Computer Nachenberg.

n

[J. Munro, 2002] [J. Munro. Antivirus research and detection techniques,

O
virus-antivirus

In fo

rm

Communications of the ACM, Published: 1997. ] Date accessed: 05-082010

[G. B. Sorkin, 1997] [G. B. Sorkin, D. M. Chess, and S. R. White. Fighting computer viruses. Scientic American, Published: 1997. ] Date accessed: 09-08-2010

[Richard Barnhart, 1996] [Richard Barnhart. Notes on computer viruses. Last updated 23-09-96 http://courses. cs. vt. edu/professionalism/Viruses/viruses. html. ] Date accessed: 09-08-10. Understanding and managing

[C.

Nachenberg, 1996] [C.

polymorphic viruses. Published: 1996. ] Date accessed: 09-08-10.

U0925517

nl
coevolution.
Page 76

y

Date published: 2003] Date Accessed: 20-07-2010

MSc Computer forensics and Information Security

Viruses in Vista

[Sanok D. J, 2005] [Virus list.

http://www. viruslist.

com/en/viruses/encyclopedia?chapter=153311150. ] Date accessed: 09-08-10. [P. Szor] [The Art of Computer Virus Research and Defense. ] Date accessed: 09-08-10.

[Hacker Tactics, 2001] [Social Engineering Fundamentals, Part I: Hacker

com/connect/articles/social-engineering-fundamentals-part-i-hackertactics ] Date accessed: 14-08-10. Cert incident note Date published: Feb 99.

[Erik Larkin ,2009] [Spotting a PC Infection, Erik Larkin, PC World, Date Published: 02-02-2009] Date accessed: 16-08-10. [Roger Grimes, 2007] [Malware Troubles? Start from Square One, Roger Grimes, PC World, 20-02-2009] Date accessed: 16-08-10.

In fo

rm

[Ryan Naraine, 2006] [Ryan Naraine. Security, Date published: 20. 10. 2006 http://www. eweek. com/article2/0,1895,2034680,00. asp. ] Date accessed: 20-08-10.

[Dshield ,2003] [Dshield. The beast. Date published: Fri, 17 Oct 2003 http://lists. virus. org/dshield-0310/msg00337. html. ] Date accessed: 22-08-10.

[Win32. Glieder. AF, Date Published: 21 Apr 2005, Last Updated: 31 May 2005. http://www3. ca. com/securityadvisor/virusinfo/virus. aspx?id=42627. ] Date accessed: 22-08-2010. [Don Jackson ,2007] [Gozi Trojan, Don Jacson, Date published: March 2007 http://www. secureworks. com/research/threats/gozi/, Date of accesses: 28-Aug-2010]

U0925517

at io

notes/IN-99-02. html. Date accessed: 14-08-10.

n

O

Tactics Published: December 18th, 2001] http://www. symantec.

http://www. cert. org/incident

nl
Page 77

y

MSc Computer forensics and Information Security

Viruses in Vista

[E.

Messmer,1999] [Pentagon gets smart. accessed: 24-08-10.

Published: Sep 99] Date

Corporate Limited Date Published: 2006 February] Date Accessed: 2808-10

[I. Muttik,2000] [Stripping down an AVENGINE. Published: 2000]. Date

[By Robert McMillan , 2005] [Viruses take advantage of new command shell

http://www. infoworld. com/d/security-central/first-family-windows-vista-

[Robert Macmilan, 2010] [New malware variants exploit Windows attack By Robert Macmilan. Date published: 23. 07. 2010 http://www. infoworld. com/d/security-central/new-malware-variants-exploit-windows-attack424] Date accessed: 22-08-10

In fo

rm

[Bob Page, 1988] [A Report on the Internet Worm by Bob Page, November 7, 1988. ] Date accessed: 24-08-10.

[Andreas Baumhof ,2010] [Gozi, Andreas Baumhof Date published: 28-Feb2010, http://www. trustdefender. com/blog/2010/02/28/gozi-a-perfectexample-of-an-older-trojan-re-inventing-itself/ Date of accesses: 28Aug-2010] Date accessed: 28-08-10.

[P. Denning, 1989] [P. Denning, The Internet Worm Vol. 77, Mar-89] Date accessed: 22-08-10.

[Bob Page, 1988] [A Report on the Internet Worm by Bob Page, November 7, 1988] Date accessed: 22-08-10 [Cert incident, 2002] [Love Letter Worm, http://www. cert. org/advisories/ca2000-04. html. ] [John, 2009] [Markoff, John [2009-01-22]. "Worm Infects Millions of Computers Worldwide". New York Times. http://nytimes.
U0925517 Page 78

at io

viruses-unleashed-213] Date accessed: 22-08-10

n

in beta OSBy Robert McMillan, IDGNS. Date published: 04. 08. 2005

O

Accessed: 28-08-10.

nl

y

[R.

Basili and Barry T.

Perricone, 1984] [Matsushita Electric Industrial

MSc Computer forensics and Information Security

Viruses in Vista

com/2009/01/23/technology/internet/23worm. html. Retrieved 2009-0423. ] [Ryan Naraine, 2006] [What Is the Difference: Viruses, Worms, Trojans, and Bots? - Cisco Systems]

[Jamie Crapanzano, 2009] [Jamie Crapanzano [2003]: "Deconstructing

SubSeven, the Trojan Horse of Choice", SANS Institute, Retrieved on

[Carnegie Mellon University [1999]: "CERT Advisory CA-1999-02 Trojan Horses", Retrieved on 2009-06-10. ]

[Gizmo Richards, 2008] [Do you really need a spyware scanner? [Editorial]

[By Mary Landesman] [Best Free Trojan Scanner/Trojan Remover, torresmagnifico, TechSupportAlert, July 2, 2010 -- Emsisoft AntiMalware, PC Tools ThreatFire, Malwarebytes' Anti-Malware, and SUPERAntiSpyware. ]

In fo

rm

[Spyware database, 2007] [Spyware database, uninstall prorat database http://www. uninstall-spyware. com/uninstallProRAT. html] Date access: 03-09-10.

[Kaoru Hayashi, 2007] [[Kaoru Hayashi, Backdoor. Prorat Date published: 13-Feb-2007 http://www. symantec. com/security_response/writeup. jsp?docid=2003-061315-4216-99&tabid=2] Date accessed: 01-09-10.

[Andreas Baumhof, 2010] [Gozi, by Andreas Baumhof, 2010 http://www. trustdefender. com/blog/2010/02/28/gozi-a-perfect-example-of-an-oldertrojan-re-inventing-itself/ Date published: 28-02-2010] Date accessed, 20-08-10. [Jamie Crapanzano , 2003], [Deconstructing SubSeven, the Trojan Horse of Choice, Date Published: 06-11-2009] Date accessed: 26-08-10 [Carnegie Mellon University, 1999], [BitDefender. com Malware and Spam Survey, Published: 1999], Date accessed: 26-08-10
U0925517 Page 79

at io

Gizmo Richards' Support Alert Newsletter, April 17, 2008. ]

n

O

2009-06-11. ]

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

[D. Wagner, 1996] [Carnegie Mellon University (1999): "CERT Advisory CA1999-02 Trojan Horses", Retrieved on 2009-06-10. I. Goldberg, D.

Wagner, R. Thomas, and E. A. Brewer. A secure environment for

Proceedings of the 1996 Usenix Security Symposium. USENIX, July 22-25 1996. ] Date accessed: 02-09-10

[B. Schneier, 1999] [B. Schneier. The Trojan horse race, Communications of the ACM, 42 Sep 1999] Date accessed: 04-09-10.

In fo

rm

U0925517

at io
Page 80

n

O

nl

y

untrusted helper applications: Confining the wiley hacker.

In

MSc Computer forensics and Information Security

Viruses in Vista

Index

Anti-virus Backdoor Backdoor. prorat Bit Locker Boot sector viruses Buffer overflow Bugbear Computer worms Cross site Date virus Dialer Email Worms Emulsion

17 69 46 7 11 15 21 10, 24

Encrypted viruses Fizer

rm

Frequency Analysis Happy99

Heap overflow Heuristics

In fo

Injecting code injection by SQL Instant messaging Worms

Integer overflow Justexploit kit Kaspersky Klez Love letter worm Macro Viruses Malicious PDF file

U0925517

at io
11 69 24 17 11 21 17 14 15 18 15 15 25 15 27 19 21 14 11 27
Page 81

n
15

O

nl

y

MSc Computer forensics and Information Security

Viruses in Vista

Malicious programs Malware Mass E-mailers Newtwork Softwares Parasitic viruses Pattern Matching Pharming Phishing Polymorphic virus Privacy Prorat 1. 9 Root kit Security

7 8 14

11 17 15 15 12 69 46 13 69 17 14 19 9

Signature detection Social Engineering

Spam through Trojans Spyware Stealth virus Trojan Beast Trojan. Gozi Trojans UAC

rm

In fo

User Account Control Virus

Vulnarabilities Win32. Bagle. BG Win32. Glieder. AF Winevar Worms X-Raying

U0925517

at io
12 20 26 13 7 7 10 14 20 20 21 13 18
Page 82

n

O

nl

y

71

Sign up to vote on this title
UsefulNot useful