Viruses and Worms

Ethical Hacking and Countermeasures v8
Module 07: Viruses and Worms

Exam 312-50 Certified Ethical Hacker

Engineered by Hackers. Presented by Professionals.

Module 07 Page 1007

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Security News

Global Cyber-Warfare Tactics: New Flame-linked Malware used in "Cyber-Espionage"
GlobalResearch, October 19, 2012

A new cyber espionage program linked to the notorious Flame and Gauss malware has been detected by Russia's Kaspersky Lab. The antivirus giant's chief warns that global cyber warfare is in "full swing" and will probably escalate in 2013.

The virus, dubbed miniFlame, and also known as SPE, has already infected computers in Iran, Lebanon, France, the United States, and Lithuania. It was discovered in July 2012 and is described as "a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a statement posted on its website.

The malware was originally identified as an appendage of Flame, the program used for targeted cyber espionage in the Middle East and acknowledged to be part of joint US-Israeli efforts to undermine Iran's nuclear program.

But later, Kaspersky Lab analysts discovered that miniFlame is an "interoperable tool that could be used as an independent malicious program, or concurrently as a plug-in for both the Flame and Gauss malware."

The analysis also showed new evidence of cooperation between the creators of Flame and Gauss, as both viruses can use miniFlame for their operations.

"MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory," Kaspersky Lab said.

High-precision attack tool

So far just 50 to 60 cases of infection have been detected worldwide, according to Kaspersky Lab. But unlike Flame and Gauss, miniFlame is meant for installation on machines already infected by those viruses.

"MiniFlame is a high-precision attack tool. Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyber attack," Kaspersky's Chief Security Expert Alexander Gostev explained.

"First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage."

The newly-discovered malware can also take screenshots of an infected computer while it is running a specific program or application such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service or FTP client.

Kaspersky Lab believes miniFlame's developers have probably created dozens of different modifications of the program. "At this time, we have only found six of these, dated 2010-2011," the firm said.

'Cyber warfare in full swing'

Meanwhile, Kaspersky Lab's co-founder and CEO Eugene Kaspersky warned that global cyber warfare tactics are becoming more sophisticated while also becoming more threatening. He urged governments to work together to fight cyber warfare and cyber-terrorism, Xinhua news agency reports.

Speaking at an International Telecommunication Union Telecom World conference in Dubai, the antivirus tycoon said, "cyber warfare is in full swing and we expect it to escalate in 2013."

"The latest malicious virus attack on the world's largest oil and gas company, Saudi Aramco, last August shows how dependent we are today on the Internet and information technology in general, and how vulnerable we are," Kaspersky said.

He stopped short of blaming any particular player behind the massive cyber-attacks across the Middle East, pointing out that "our job is not to identify hackers or cyber-terrorists. Our firm is like an X-ray machine, meaning we can scan and identify a problem, but we cannot say who or what is behind it."

Iran, who confirmed that it suffered an attack by Flame malware that caused severe data loss, blames the United States and Israel for unleashing the cyber-attacks.

Copyright © 2005-2012 GlobalResearch.ca
By Russia Today
http://www.globalresearch.ca (article path: cyber-espionage/5308867)

Module Objectives

This module will expose you to the various viruses and worms available today. It gives you information about all the available viruses and worms. The objective of this module is to examine the workings of a computer virus, its function, classification, and the manner in which it affects systems. This module will go into detail about the various countermeasures available to protect against these virus infections. The main objective of this module is to educate you about the available viruses and worms, indications of their attack and the ways to protect against various viruses, and testing your system or network against viruses or worms presence. This module will familiarize you with:

- Introduction to Viruses
- Stages of Virus Life
- Working of Viruses
- Indications of Virus Attack
- How Does a Computer Get Infected by Viruses?
- Virus Analysis
- Types of Viruses
- Virus Maker
- Computer Worms
- Worm Analysis
- Worm Maker
- Malware Analysis Procedure
- Online Malware Analysis Services
- Virus and Worms Countermeasures
- Antivirus Tools
- Penetration Testing for Virus

Module Flow

This section introduces you to various viruses and worms available today and gives you a brief overview of each virus and statistics of viruses and worms in the recent years. It lists various types of viruses and their effects on your system. The working of viruses in each phase will be discussed in detail. The techniques used by the attacker to distribute malware on the web are highlighted.

- Virus and Worms Concepts
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing

Introduction to Viruses

- A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document
- Viruses are generally transmitted through file downloads, infected disk/flash drives and as email attachments

Virus Characteristics:

- Infects Other Program
- Alters Data
- Transforms Itself
- Corrupts Files and Programs
- Encrypts Itself
- Self Propagates

Computer viruses have the potential to wreak havoc on both business and personal computers. Worldwide, most businesses have been infected at some point. A virus is a self-replicating program that produces its own code by attaching copies of it into other executable codes. This virus operates without the knowledge or desire of the user. Like a real virus, a computer virus is contagious and can contaminate other files. However, viruses can infect outside machines only with the assistance of computer users. Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met. There are three categories of malicious programs:

- Trojans and rootkits
- Viruses
- Worms

A worm is a malicious program that can infect both local and remote machines. Worms spread automatically by infecting system after system in a network, and even spreading further to other networks. Therefore, worms have a greater potential for causing damage because they do not rely on the user's actions for execution. There are also malicious programs in the wild that contain all of the features of these three malicious programs.

Virus and Worm Statistics

[FIGURE 7.1: Virus and Worm Statistics. Bar chart of systems affected per year, 2008 to 2012, vertical axis from 0 to 75,000,000. Source: http://www.av-test.org]

This graphical representation gives detailed information of the attacks that have occurred in the recent years. According to the graph, only 11,666,667 systems were affected by viruses and worms in the year 2008, whereas in the year 2012, the count drastically increased to 70,000,000 systems, which means that the growth of malware attacks on systems is increasing exponentially year by year.

Stages of Virus Life

Computer virus attacks spread through various stages from inception to design to elimination.

1. Design: A virus code is developed by using programming languages or construction kits. Anyone with basic programming knowledge can create a virus.

2. Replication: A virus first replicates itself within a target system over a period of time.

3. Launch: It is activated when a user performs certain actions such as triggering or running an infected program.

4. Detection: A virus is identified as a threat infecting target systems. Its actions cause considerable damage to the target system's data.

5. Incorporation: Antivirus software developers assemble defenses against the virus.

6. Elimination: Users are advised to install antivirus software updates, thus creating awareness among user groups.

Working of Viruses: Infection Phase

- In the infection phase, the virus replicates itself and attaches to an .exe file in the system

Viruses attack a target host's system by using various methods. They attach themselves to programs and transmit themselves to other programs by making use of certain events. Viruses need such events to take place since they cannot:

- Self start
- Infect other hardware
- Cause physical damage to a computer
- Transmit themselves using non-executable files

Generally viruses have two phases, the infection phase and the attack phase.

In the infection phase, the virus replicates itself and attaches to an .exe file in the system. Programs modified by a virus infection can enable virus functionalities to run on that system. Viruses get enabled as soon as the infected program is executed, since the program code leads to the virus code. Virus writers have to maintain a balance among factors such as:

- How will the virus infect?
- How will it spread?
- How will it reside in a target computer's memory without being detected?

Obviously, viruses have to be triggered and executed in order to function. There are many ways to execute programs while a computer is running. For example, any setup program calls for numerous programs that may be built into a system, and some of these are distribution medium programs. Thus, if a virus program already exists, it can be activated with this kind of execution and infect the additional setup program as well.

There are virus programs that infect and keep spreading every time they are executed. Some programs do not infect the programs when first executed. They reside in a computer's memory and infect programs at a later time. Such virus programs, known as TSR (terminate-and-stay-resident) viruses, wait for a specified trigger event to spread at a later stage. It is, therefore, difficult to recognize which event might trigger the execution of a dormant virus infection.

Refer to the figure that follows to see how the EXE file infection works. In the following figure, the .EXE file's header, when triggered, executes and starts running the application. Once this file is infected, any trigger event from the file's header can activate the virus code too, along with the application program as soon as it is run.

- A file virus infects by attaching itself to an executable system application program. Text files such as source code, batch files, script files, etc., are considered potential targets for virus infections.
- Boot sector viruses execute their own code in the first place before the target PC is booted.

[FIGURE 7.2: Working of Viruses in Infection Phase. Before Infection: Clean File (.exe). After Infection: Virus Infected File.]
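A file virus of the kind described above appends its code to an executable and redirects the header so the virus runs before the application, which leaves raw data past the end of the last PE section (an overlay) that a defender can measure. The following Python is an added example, not code from the course: inspect_pe parses the PE section table and reports the overlay size, and build_sample_pe constructs a minimal, non-functional PE layout inline as the sample input.

```python
import struct

COFF_HEADER_SIZE = 20          # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40       # IMAGE_SECTION_HEADER
SECTION_FMT = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData,
                               # PointerToRawData, reloc/linenumber pointers and
                               # counts, Characteristics


def inspect_pe(data: bytes) -> dict:
    """Parse the PE section table and measure the overlay: bytes that lie past
    the end of the last section's raw data. Appended virus bodies show up
    here, but so do legitimate payloads (installers, Authenticode signatures),
    so a non-zero overlay is a triage signal, not a verdict.
    Raises ValueError on input that is not a well-formed PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if pe_off + 4 + COFF_HEADER_SIZE > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)    # SizeOfOptionalHeader
    table_off = pe_off + 4 + COFF_HEADER_SIZE + opt_size
    table_end = table_off + n_sections * SECTION_HEADER_SIZE
    if table_end > len(data):
        raise ValueError("section table extends past end of file")
    end_of_image = table_end
    sections = []
    for i in range(n_sections):
        fields = struct.unpack_from(SECTION_FMT, data, table_off + i * SECTION_HEADER_SIZE)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = fields[3], fields[4]
        if raw_ptr + raw_size > len(data):
            raise ValueError(f"section {name!r} extends past end of file")
        sections.append((name, raw_ptr, raw_size))
        end_of_image = max(end_of_image, raw_ptr + raw_size)
    return {
        "sections": sections,
        "end_of_image": end_of_image,
        "overlay_bytes": len(data) - end_of_image,
    }


def build_sample_pe(text_bytes: bytes, overlay: bytes = b"") -> bytes:
    """Constructed sample: a minimal PE layout with one .text section, an
    empty optional header, and an optional trailing overlay. It is not a
    runnable program, only enough structure for inspect_pe to parse."""
    headers_len = 0x40 + 4 + COFF_HEADER_SIZE + SECTION_HEADER_SIZE      # 128 bytes
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)  # i386, 1 section
    section = struct.pack(SECTION_FMT, b".text", len(text_bytes), 0x1000,
                          len(text_bytes), headers_len, 0, 0, 0, 0, 0x60000020)
    return dos_header + b"PE\0\0" + coff_header + section + text_bytes + overlay


if __name__ == "__main__":
    clean = build_sample_pe(b"\x90" * 64)
    appended = build_sample_pe(b"\x90" * 64, overlay=b"\xCC" * 300)
    for label, image in (("clean", clean), ("with overlay", appended)):
        print(label, inspect_pe(image))
```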


Working of Viruses: Attack Phase

- Viruses are programmed with trigger events to activate and corrupt systems
- Some viruses infect each time they are run and others infect only when a certain predefined condition is met such as a user's specific task, a day, time, or a particular event

Once viruses spread themselves throughout the target system, they start corrupting the files and programs of the host system. Some viruses have trigger events that need to be activated to corrupt the host system. Some viruses have bugs that replicate themselves, and perform activities such as deleting files and increasing session time. They corrupt their targets only after spreading as intended by their developers. Most viruses that attack target systems perform actions such as:

- Deleting files and altering content in data files, thereby causing the system to slow down
- Performing tasks not related to applications, such as playing music and creating animations

[FIGURE 7.3: Working of Viruses in Attack Phase. Unfragmented File Before Attack: File A (Page 1, Page 2, Page 3) followed by File B (Page 1, Page 2, Page 3). File Fragmented Due to Virus Attack: A Page 1, B Page 3, B Page 1, A Page 3, B Page 2, A Page 2.]

Refer to this figure, which has two files, A and B. In section one, the two files are located one after the other in an orderly fashion. Once a virus code infects the file, it alters the positioning of the files that were consecutively placed, thus leading to inaccuracy in file allocations, causing the system to slow down as users try to retrieve their files. In this phase:

- Viruses execute when some events are triggered
- Some execute and corrupt via built-in bug programs after being stored in the host's memory
- Most viruses are written to conceal their presence, attacking only after spreading in the host to the fullest extent

Why Do People Create Computer Viruses?

Computer viruses are not self-generated, but are created by cyber-criminal minds, intentionally designed to cause destructive occurrences in a system. Generally, viruses are created with a disreputable motive. Cyber-criminals create viruses to destroy a company's data, as an act of vandalism or a prank, or to destroy a company's products. However, in some cases, viruses are actually intended to be good for a system. These are designed to improve a system's performance by deleting previously embedded viruses from files. Some reasons viruses have been written include:

- Inflict damage to competitors
- Research projects
- Pranks
- Vandalism
- Attack the products of specific companies
- Distribute political messages
- Financial gain
- Identity theft
- Spyware
- Cryptoviral extortion
- Cyber terrorism

Indications of Virus Attacks

- Processes take more resources and time
- Computer slows down when programs start
- Computer freezes frequently or encounters errors

An effective virus tends to multiply rapidly and may infect a number of machines within three to five days. Viruses can infect Word files which, when transferred, can infect the machines of the users who receive them. A virus can also make good use of file servers in order to infect files. The following are indications of a virus attack on a computer system:

- Programs take longer to load
- The hard drive is always full, even without installing any programs
- The floppy disk drive or hard drive runs when it is not being used
- Unknown files keep appearing on the system
- The keyboard or the computer emits strange or beeping sounds
- The computer monitor displays strange graphics
- File names turn strange, often beyond recognition
- The hard drive becomes inaccessible when trying to boot from the floppy drive
- A program's size keeps changing
- The memory on the system seems to be in use and the system slows down
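Two of the indications above, a program's size changing and unknown files appearing, are exactly what a file-integrity baseline catches, so the following Python is an added example of such a check and not code from the course. snapshot records the size and SHA-256 of executable-like files under a directory, compare classifies the differences, and demo builds a constructed directory under a temporary path, simulates one executable growing and a new one appearing, and returns the report.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Optional

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com", ".sys", ".scr")


def snapshot(root: Path) -> dict:
    """Map each executable-like file under root (relative POSIX path) to its
    (size, sha256) pair. Size alone would miss a same-size overwrite, so the
    digest is recorded as well."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Classify differences between two snapshots: files whose size or digest
    changed, files that were not in the baseline, and files that vanished."""
    report = {"modified": [], "added": [], "missing": sorted(set(old) - set(new))}
    for name, (size, digest) in new.items():
        if name not in old:
            report["added"].append(name)
        elif old[name] != (size, digest):
            report["modified"].append((name, old[name][0], size))  # (file, old size, new size)
    return report


def demo(root: Optional[Path] = None) -> dict:
    """Constructed scenario: baseline three files, then change the directory
    in the two ways a file infector is noticed (one executable grows by 512
    bytes, an unknown executable appears) and return the comparison."""
    root = root or Path(tempfile.mkdtemp(prefix="baseline-demo-"))
    (root / "calc.exe").write_bytes(b"MZ" + b"\x90" * 100)       # 102 bytes
    (root / "notepad.exe").write_bytes(b"MZ" + b"\x90" * 200)    # 202 bytes
    (root / "readme.txt").write_bytes(b"not an executable")      # ignored by snapshot
    before = snapshot(root)
    with open(root / "calc.exe", "ab") as f:                     # size grows after baseline
        f.write(b"\xCC" * 512)
    (root / "dropped.exe").write_bytes(b"MZ" + b"\xCC" * 64)     # unknown new file
    return compare(before, snapshot(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(f"{kind}: {entries}")
```

Store the baseline off-host or on read-only media; a baseline that the monitored machine can rewrite proves nothing once it is infected.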


How Does a Computer Get Infected by Viruses?

- When a user accepts files and downloads without checking properly for the source
- Opening infected e-mail attachments
- Installing pirated software
- Not updating and not installing new versions of plug-ins
- Not running the latest anti-virus application

There are many ways in which a computer gets infected by viruses. The most popular methods are as follows:

- When a user accepts files and downloads without checking properly for the source.
- Attackers usually send virus-infected files as email attachments to spread the virus on the victim's system. If the victim opens the mail, the virus automatically infects the system.
- Attackers incorporate viruses in popular software programs and upload the infected software on websites intended to download software. When the victim downloads infected software and installs it, the system gets infected.
- Failing to install new versions or update with latest patches intended to fix the known bugs may expose your system to viruses.
- With the increasing technology, attackers also are designing new viruses. Failing to use the latest antivirus applications may expose you to virus attacks.

Common Techniques Used to Distribute Malware on the Web

Source: Security Threat Report 2012 (http://www.sophos.com)

Blackhat Search Engine Optimization (SEO): Using this technique the attacker ranks malware pages high in search results

Social Engineered Click-jacking: The attackers trick the users into clicking on innocent-looking web pages that contain malware

Spearphishing Sites: This technique is used for mimicking legitimate institutions, such as banks, in an attempt to steal account login credentials

Malvertising: Embeds malware in ad networks that display across hundreds of legitimate, high-traffic sites

Compromised Legitimate Websites: Host embedded malware that spreads to unsuspecting visitors

Drive-by Downloads: The attacker exploits flaws in browser software to install malware just by visiting a web page

Ethical Hacking and Countermeasures Viruses and W orms

Virus Hoaxes and Fake Antiviruses

Exam 312-50 Certified Ethical Hacker

J

Hoaxes

a re

fa ls e

a la rm

s

cla im in g

re p o rts

 

A tta cke rs d isg u ise

m a lw a re s

as an

a n tiv iru s

a b o u t

a

n o n -e x is tin g

v iru s

w h ich

m ay

a n d

tric

k

users to

in s ta ll

th e m

in

th e ir

con ta in

viru s

a tta ch m e n ts

 

system s

 

J

W a rn in g

m essages

p ro p a g a tin g

t

a

O

nce in sta lle d

th e s e

fake a n tiv iru s e s

can

c e rta in

e m a il

m essage sh o u ld

th a n o t

be

v ie w e d

dam age ta rg

e

t

syste m s s im ila r

to

o th e r

and

d o in g

so w ill dam age

one 's syste m

m a lw a re s

 

tifai*ft-F0RWAI1r)T14l'WA«NINflAM0Nn'RlFN0VtAMIIVANnrONTArn

 

***

 

A W C

 

ntAsc rmv/Aflo mu warning among rniCNDS.rAMiiv and contacts Ho* •houM t* »k«t d*'•*

tbv mat fmv Jwyv Co ikx cptn «1»yi׳i«im«« with 411etMchmvH vntlltvO >OSTCAAO 'ROM •Uir.O ■

RtMONATION Of BARACK OBAMA . regjrdl«»l0f WhO sent IttO you It IS J vlruStlWt Opers A

KttrtAftUlMAOt, then Dim* th«- whole run) C a « ol YOU' computer.

rih b lIvmNHMlWdiliuumnl Uy CNN Uni

(*• sif jctivtvirasawf Thevirw

1 . discovered b v M cAfee v«terdiv. «n d th p ׳p 14nor tear j* fo r :h &

Imk Hid)

U•••1I

jyM lllW A

l י« HUM

1>tSeZetoSetloiof llie llodDiM., mIivictl.r viulxifoimatbonk«vL

»׳—

w- jy y |rJ!!L

ifsrsr*־־״״•

l:— =«=— נ

Virus Hoaxes and Fake Antiviruses

Virus Hoaxes

A virus hoax is simply a bluff. Viruses, by their nature, have always created a horrifying impression. Hoaxes are typically untrue scare alerts that unscrupulous individuals send to create havoc. It is fairly common for innocent users to pass these phony messages along thinking they are helping others avoid the "virus."

- Hoaxes are false alarms claiming reports about non-existing viruses

- These warning messages, which can be propagated rapidly, state that a certain email message should not be opened, and that doing so would damage one's system

- In some cases, these warning messages themselves contain virus attachments

- These possess the capability of vast destruction on target systems

Many hoaxes try to "sell" things that are technically nonsense. Nevertheless, the hoaxer has to be somewhat of an expert to spread hoaxes in order to avoid being identified and caught. Therefore, it is a good practice to look for technical details about how one would actually become infected. Also search for information in the wild to learn more about the hoax, especially by scanning bulletin boards where people actively discuss current happenings in the community.


Try to crosscheck the identity of the person who has posted the warning. Also look for more information about the hoax/warning from secondary sources. Before jumping to conclusions by reading certain documents on the Internet, check the following:

- If it is posted by newsgroups that are suspicious, crosscheck the information with another source

- If the person who has posted the news is not a known person in the community or an expert, crosscheck the information with another source

- If a government body has posted the news, the posting should also have a reference to the corresponding federal regulation

- One of the most effective checks is to look up the suspected hoax virus by name on antivirus software vendor sites

- If the posting is technical, hunt for sites that would cater to the technicalities, and try to authenticate the information

Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS! You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEJING' or 'RESIGNATION OF BARACK OBAMA', regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then 'burns' the whole hard C disc of your computer.

This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus.

This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.

COPY THIS E MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US.

End-of-mail

Thanks.

FIGURE 7.3: Hoaxes Warning Message

Fake Antiviruses

Fake antivirus is a method attackers use to compromise a system: it can poison the system and corrupt the registry and system files to allow the attacker to take full control of, and access to, your computer. It appears and performs similarly to a real antivirus program.

Fake antivirus programs first appear in different browsers and warn users that they have various security threats on their system, and this message is backed up by real suspicious viruses. When the user tries to remove the viruses, they are navigated to another page where they need to buy or subscribe to that antivirus and proceed to payment details. These fake antivirus programs are fabricated in such a way that they draw the attention of the unsuspecting user into installing the software.

Some of the methods used to extend the usage and installation of fake antivirus programs include:

- Email and messaging: Attackers use spam email and social networking messages to spread this type of infected email to users and prompt the user to open the attachments for software installation.

- Search engine optimization: Attackers generate pages related to public or current search terms and plant them to appear as extraordinary and the latest in search engine results. The web pages show alerts about infection that encourage the user to buy the fake antivirus.

- Compromised websites: Attackers secretly break into popular sites to install the fake antiviruses, which can be used to entice users to download the fake antivirus by relying on the site's popularity.

FIGURE 7.4: Example of a Fake Antivirus

Virus Analysis: DNSChanger

DNSChanger (Alureon) modifies the DNS settings on the victim PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information

It acts as a bot and can be organized into a botnet and controlled from a remote location

It spreads through emails, social engineering tricks, and untrusted downloads from the Internet

DNSChanger malware achieves the DNS redirection by modifying the following registry key setting against an interface device such as a network card:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%Random CLSID%\NameServer

DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that as part of the botnet takedown the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names

http://www.totaldefense.com

Virus Analysis: DNSChanger

DNSChanger (Alureon) is malware that spreads through emails, social engineering tricks, and untrusted downloads from the Internet. It acts as a bot and can be organized into a botnet and controlled from a remote location. This malware achieves DNS redirection by modifying the system registry key settings against an interface device such as a network card. DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that, as part of the botnet takedown, the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names. This malware can even modify the DNS settings on the victim's PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information.


Virus Analysis: DNSChanger (Cont'd)

The rogue DNS servers can exist in any of the following ranges:

64.28.176.0 - 64.28.191.255, 67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255, 93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255, 213.109.64.0 - 213.109.79.255

http://www.totaldefense.com

Virus Analysis: DNSChanger (Cont'd)

The rogue DNS servers can exist in any of the following ranges:

64.28.176.0 - 64.28.191.255, 67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255, 93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255, 213.109.64.0 - 213.109.79.255

[Figure labels: Victim asks "What is the IP address of www.xsecurity.com"; DNS request goes to 64.28.176.2; DNSChanger infects victim's computer by changing her DNS IP address to 64.28.176.2; Attacker runs DNS Server in Russia (IP: 64.28.176.2); Fake Website IP: 65.0.0.2; DNSChanger sniffs the credential and redirects the request to real website; Real Website www.xsecurity.com IP: 200.0.0.45]

FIGURE 7.5: Virus Analysis Using DNSChanger

To infect the system and steal credentials, the attacker has to first run his or her own DNS server. Here the attacker runs his or her DNS server in Russia with an IP of, say, 64.28.176.2. Next, the malware infects the victim's computer by changing his or her DNS IP address to 64.28.176.2. When this malware has infected the system, it entirely changes the DNS settings of the infected machine and forces all DNS requests to go to the malicious DNS server. Here, the victim's DNS setting is the IP address of the DNS server run by the attacker. After altering the DNS setting of the system, any DNS request made by the victim's machine is sent to the attacker's DNS server (64.28.176.2). The attacker answers the request "what is the IP of www.xsecurity.com" with 65.0.0.2, which is a fake website created by the attacker at IP 65.0.0.2. When the victim's browser connects to 65.0.0.2, it redirects him or her to the fake website. DNSChanger sniffs the credentials (user name, passwords) and redirects the request to the real website (www.xsecurity.com) with IP 200.0.0.45.
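The published rogue-resolver ranges give a defender a concrete check for the infection described above. The following is an added example, not code from the module or from Total Defense: it audits the per-interface NameServer values that DNSChanger rewrites (the registry path named on the slide) against those ranges. The interface GUIDs and resolver strings are constructed sample data; on a live Windows host they would be read from the registry with the winreg module instead.

```python
import ipaddress
from typing import Dict, List, Tuple

# Rogue DNS server ranges attributed to DNSChanger, as listed on the slide.
ROGUE_DNS_RANGES: List[Tuple[str, str]] = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("213.109.64.0", "213.109.79.255"),
]

_PARSED_RANGES = [
    (ipaddress.ip_address(lo), ipaddress.ip_address(hi)) for lo, hi in ROGUE_DNS_RANGES
]


def is_rogue_dns(ip: str) -> bool:
    """True if `ip` is an IPv4 address inside one of the published DNSChanger ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # not an IP address at all; nothing to flag
    if addr.version != 4:
        return False          # the published ranges are IPv4 only
    return any(lo <= addr <= hi for lo, hi in _PARSED_RANGES)


def parse_nameserver_value(value: str) -> List[str]:
    """Split a Windows NameServer registry value (comma- or space-separated) into addresses."""
    return [tok for tok in value.replace(",", " ").split() if tok]


def audit_interfaces(interfaces: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each interface GUID to the rogue resolvers configured on it.

    Interfaces with no rogue resolver are omitted, so an empty dict means clean.
    """
    findings: Dict[str, List[str]] = {}
    for guid, value in interfaces.items():
        rogue = [ip for ip in parse_nameserver_value(value) if is_rogue_dns(ip)]
        if rogue:
            findings[guid] = rogue
    return findings


# Constructed sample: per-interface NameServer values as they would be read from
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<GUID>\NameServer.
# The GUIDs below are placeholders, not real interface identifiers.
SAMPLE_INTERFACES = {
    "{11111111-AAAA-BBBB-CCCC-000000000001}": "8.8.8.8,8.8.4.4",
    "{11111111-AAAA-BBBB-CCCC-000000000002}": "64.28.176.2 85.255.112.10",
    "{11111111-AAAA-BBBB-CCCC-000000000003}": "",
}

if __name__ == "__main__":
    for guid, rogue in audit_interfaces(SAMPLE_INTERFACES).items():
        print(f"{guid}: rogue resolver(s) {', '.join(rogue)}")
```

The same check applies to DHCP-assigned resolvers (DNSChanger variants also rewrote the DNS setting on home routers), so a complete audit compares both the static NameServer value and the DhcpNameServer value against the list.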


Module Flow

Virus and Worms Concepts
Types of Viruses
Computer Worms
Malware Analysis
Countermeasures
Penetration Testing

Prior to this, we have discussed viruses and worms. Now we will discuss the different types of viruses.

This section describes the different types of viruses.


Types of Viruses

System or Boot Sector Viruses | Stealth Virus/Tunneling Virus | Cluster Viruses | Multipartite Viruses | Encryption Viruses | Sparse Infector Virus | Polymorphic Viruses | Metamorphic Viruses | Direct Action or Transient Viruses

So far, we have discussed various virus and worm concepts. Now we will discuss the various types of viruses.

This section highlights various types of viruses and worms such as file and multipartite viruses, macro viruses, cluster viruses, stealth/tunneling viruses, encryption viruses, metamorphic viruses, shell viruses, and so on. Computer viruses are malicious software programs written by attackers to intentionally enter the targeted system without the user's permission. As a result, they affect the security and performance of the machine. A few of the most common types of computer viruses that adversely affect the security of systems are discussed in detail on the following slides.

Types of Viruses

Viruses are classified depending on two categories:

- What Do They Infect?

- How Do They Infect?


What Do They Infect?

System or Boot Sector Viruses

The most common targets for a virus are the system sectors, which are nothing but the Master Boot Record and the DOS Boot Record system sectors. These are the areas on the disk that are executed when the PC is booted. Every disk has a system sector of some sort. These viruses specifically infect the floppy boot sectors and records of the hard disk. For example: Disk Killer and Stone virus.

File Viruses

Executable files are infected by file viruses, as they insert their code into the original file and get executed. File viruses are larger in number, but they are not the most commonly found. They infect in a variety of ways and can be found in a large number of file types.

Multipartite Virus

They infect program files, and this file in turn affects the boot sectors. Examples include Invader, Flip, and Tequila.

Cluster Viruses

Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program.

Macro Virus

Microsoft Word or a similar application can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or something else. Macro viruses are somewhat less harmful than other types. They are usually spread via email.

How Do They Infect?

Stealth Viruses

These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations in respect to these service call interrupts are replaced by virus code. These viruses state false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.

Tunneling Viruses

These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.


Encryption Viruses

This type of virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for encryption.

Polymorphic Viruses

These viruses were developed to confuse antivirus programs that scan for viruses in the system. It is difficult to trace them, since they change their characteristics each time they infect, e.g., every copy of this virus differs from its previous one. Virus developers have even created metamorphic engines and virus writing tool kits that make the code of an existing virus look different from others of its kind.
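Because the decryption module stays constant while the encrypted body changes with every key, a scanner's signature has to target the stub, or the scanner has to emulate the stub to expose the body. The following added example (not code from the module) models this with placeholder bytes for the stub and body and a single-byte XOR as the encryption layer: a signature taken from one sample's encrypted body misses the other samples, while a signature on the constant stub, or on the body after decryption, catches all of them. Polymorphic viruses defeat the stub signature by rewriting the stub as well, which is why the decrypt-then-match step matters.

```python
from typing import List, Tuple

# Constructed placeholder for the constant decryption module: arbitrary bytes, not real code.
DECRYPTOR_STUB = bytes.fromhex("4d5a900003000000ffffffff")
# Constructed placeholder for the virus body: plain text standing in for the real payload.
BODY = b"CONSTRUCTED BODY: plain bytes that the stub would decrypt at run time"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest model of the encryption layer."""
    return bytes(b ^ key for b in data)


def make_sample(key: int) -> bytes:
    """Model one infection: constant stub, one key byte, then the body encrypted under that key."""
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(BODY, key)


def recover_body(sample: bytes) -> bytes:
    """What an emulating scanner does: execute (here, re-implement) the stub to expose the body."""
    key = sample[len(DECRYPTOR_STUB)]
    return xor_bytes(sample[len(DECRYPTOR_STUB) + 1:], key)


def signature_hits(samples: List[bytes], signature: bytes) -> int:
    """Count samples that contain a fixed byte signature."""
    return sum(1 for s in samples if signature in s)


# Three infections of the same virus under three different keys.
SAMPLES = [make_sample(k) for k in (0x21, 0x5A, 0xC3)]
# A signature naively extracted from the *encrypted* body of the first sample.
BODY_SIGNATURE = xor_bytes(BODY[:12], 0x21)


def compare_signatures() -> Tuple[int, int, int]:
    """Return hits for: encrypted-body signature, decryptor-stub signature, body after decryption."""
    on_encrypted_body = signature_hits(SAMPLES, BODY_SIGNATURE)
    on_stub = signature_hits(SAMPLES, DECRYPTOR_STUB)
    after_decrypt = signature_hits([recover_body(s) for s in SAMPLES], BODY[:12])
    return on_encrypted_body, on_stub, after_decrypt


if __name__ == "__main__":
    print(compare_signatures())  # (1, 3, 3)
```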

Metamorphic Viruses

Code that can reprogram itself is called metamorphic code. This code is translated into temporary effective code, and then converted back to the normal code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. This type of virus consists of complex, extensive code. It is more effective in comparison to polymorphic code.

Overwriting File or Cavity Viruses

Some program files have areas of empty space. This empty space is the main target of these viruses. The Cavity Virus, also known as the Space Filler Virus, stores its code in this empty space. The virus installs itself in this unoccupied space without any destruction to the original code. It installs itself in the file it attempts to infect.

Sparse Infector Viruses

A sparse infector virus infects only occasionally (e.g., every tenth program executed) or only files whose lengths fall within a narrow range.

Companion Viruses

The companion virus stores itself by having the identical file name as the targeted program file. As soon as that file is executed, the virus infects the computer, and hard disk data is modified.

Camouflage Viruses

They disguise themselves as genuine applications of the user. These viruses are not difficult to find since antivirus programs have advanced to the point where such viruses are easily traced.

 
 

Shell Viruses

This virus code forms a layer around the target host program's code that can be compared to an "egg shell," making itself the original program and the host code its subroutine. Here, the original code is moved to a new location by the virus code and the virus assumes its identity.

File Extension Viruses

File extension viruses change the extensions of files; .TXT is safe, as it indicates a pure text file. If your computer's file extensions view is turned off and someone sends you a file named BAD.TXT.VBS, you will see only BAD.TXT.
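The BAD.TXT.VBS trick can be checked mechanically at a mail gateway or on a file share. This added example (not code from the module) reproduces what Explorer shows when "Hide extensions for known file types" is on and flags names whose real, final extension is executable while the visible part ends in a data-file extension. The extension lists and the sample file names are my own constructions and can be extended to match local policy.

```python
import os
from typing import List, Tuple

# Extensions Windows launches directly; a defender's working list, not from the page.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
}
# Extensions a user reads as harmless data when the real extension is hidden.
DECOY_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".mp3"}


def displayed_name(filename: str) -> str:
    """Name shown with extensions hidden: the final extension is dropped, everything else stays."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def is_deceptive_double_extension(filename: str) -> bool:
    """True when the real (last) extension is executable and the visible remainder ends in a decoy extension."""
    root, real_ext = os.path.splitext(filename)
    _, visible_ext = os.path.splitext(root)
    return real_ext.lower() in EXECUTABLE_EXTENSIONS and visible_ext.lower() in DECOY_EXTENSIONS


def audit_filenames(filenames: List[str]) -> List[Tuple[str, str]]:
    """Return (real name, name the user would see) for each deceptive file, in input order."""
    return [(f, displayed_name(f)) for f in filenames if is_deceptive_double_extension(f)]


# Constructed sample of attachment names, mixing deceptive and ordinary cases.
SAMPLE_FILES = [
    "BAD.TXT.VBS",      # the page's example: shown as BAD.TXT, runs as VBScript
    "report.pdf.exe",   # same trick with a PDF decoy
    "notes.txt",        # genuine text file
    "holiday.jpg",      # genuine image
    "setup.exe",        # executable, but not disguised
    "archive.tar.gz",   # double extension that is not deceptive
]

if __name__ == "__main__":
    for real, shown in audit_filenames(SAMPLE_FILES):
        print(f"{shown!r} is actually {real!r}")
```

The display rule is the key point: because only the last extension is hidden, the attacker chooses the second-to-last one, so the check has to look at both.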