Viruses and Worms

Module 07

Ethical Hacking and Countermeasures Viruses and Worms

Exam 312-50 Certified Ethical Hacker

Engineered by Hackers. Presented by Professionals.

Ethical Hacking and Countermeasures v8
Module 07: Viruses and Worms
Exam 312-50

Module 07 Page 1007

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.


Security News


October 19, 2012

Global Cyber-Warfare Tactics: New Flame-linked Malware used in "Cyber-Espionage"

Source: http://www.globalresearch.ca

A new cyber espionage program linked to the notorious Flame and Gauss malware has been detected by Russia's Kaspersky Lab. The antivirus giant's chief warns that global cyber warfare is in "full swing" and will probably escalate in 2013. The virus, dubbed miniFlame, and also known as SPE, has already infected computers in Iran, Lebanon, France, the United States, and Lithuania. It was discovered in July 2012 and is described as "a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a statement posted on its website. The malware was originally identified as an appendage of Flame, the program used for targeted cyber espionage in the Middle East and acknowledged to be part of joint US-Israeli efforts to undermine Iran's nuclear program.


But later, Kaspersky Lab analysts discovered that miniFlame is an "interoperable tool that could be used as an independent malicious program, or concurrently as a plug-in for both the Flame and Gauss malware." The analysis also showed new evidence of cooperation between the creators of Flame and Gauss, as both viruses can use miniFlame for their operations. "MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory," Kaspersky Lab said.

High-precision attack tool

So far just 50 to 60 cases of infection have been detected worldwide, according to Kaspersky Lab. But unlike Flame and Gauss, miniFlame is meant for installation on machines already infected by those viruses. "MiniFlame is a high-precision attack tool. Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyber attack," Kaspersky's Chief Security Expert Alexander Gostev explained. "First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage."

The newly-discovered malware can also take screenshots of an infected computer while it is running a specific program or application such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service or FTP client. Kaspersky Lab believes miniFlame's developers have probably created dozens of different modifications of the program. "At this time, we have only found six of these, dated 2010-2011," the firm said.

'Cyber warfare in full swing'

Meanwhile, Kaspersky Lab's co-founder and CEO Eugene Kaspersky warned that global cyber warfare tactics are becoming more sophisticated while also becoming more threatening. He urged governments to work together to fight cyber warfare and cyber-terrorism, Xinhua news agency reports. Speaking at an International Telecommunication Union Telecom World conference in Dubai, the antivirus tycoon said, "cyber warfare is in full swing and we expect it to escalate in 2013." "The latest malicious virus attack on the world's largest oil and gas company, Saudi Aramco, last August shows how dependent we are today on the Internet and information technology in general, and how vulnerable we are," Kaspersky said. He stopped short of blaming any particular player behind the massive cyber-attacks across the Middle East, pointing out that "our job is not to identify hackers or cyber-terrorists. Our firm is like an X-ray machine, meaning we can scan and identify a problem, but we cannot say who or what is behind it." Iran, which confirmed that it suffered an attack by Flame malware that caused severe data loss, blames the United States and Israel for unleashing the cyber-attacks.

Copyright © 2005-2012 GlobalResearch.ca By Russia Today

http://www.globalresearch.ca/global-cyber-warfare-tactics-new-flame-linked-malware-used-incyber-espionage/5308867


Module Objectives

Module Objectives

The objective of this module is to expose you to the various viruses and worms available today. It gives you information about all the available viruses and worms. This module examines the workings of a computer virus, its function, classification, and the manner in which it affects systems. This module will go into detail about the various countermeasures available to protect against these virus infections. The main objective of this module is to educate you about the available viruses and worms, the indications of their attack, the ways to protect against various viruses, and testing your system or network for the presence of viruses or worms. This module will familiarize you with:

• Introduction to Viruses
• Stages of Virus Life
• Working of Viruses
• Indications of Virus Attack
• How Does a Computer Get Infected by Viruses?
• Virus Analysis
• Types of Viruses
• Virus Maker
• Computer Worms
• Worm Analysis
• Worm Maker
• Malware Analysis Procedure
• Online Malware Analysis Services
• Virus and Worms Countermeasures
• Antivirus Tools
• Penetration Testing for Virus


Module Flow

• Virus and Worms Concepts
• Types of Viruses
• Computer Worms
• Malware Analysis
• Countermeasures
• Penetration Testing

Module Flow

This section introduces you to the various viruses and worms available today and gives you a brief overview of each virus and statistics of viruses and worms in recent years. It lists various types of viruses and their effects on your system. The working of viruses in each phase will be discussed in detail. The techniques used by attackers to distribute malware on the web are highlighted.


Introduction to Viruses

• A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document
• Viruses are generally transmitted through file downloads, infected disk/flash drives and as email attachments

Virus Characteristics

• Infects Other Program
• Alters Data
• Corrupts Files and Programs
• Transforms Itself
• Encrypts Itself
• Self Propagates

Introduction to Viruses

Computer viruses have the potential to wreak havoc on both business and personal computers. Worldwide, most businesses have been infected at some point. A virus is a self-replicating program that produces its own code by attaching copies of itself into other executable codes. This virus operates without the knowledge or desire of the user. Like a real virus, a computer virus is contagious and can contaminate other files. However, viruses can infect outside machines only with the assistance of computer users. Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met. There are three categories of malicious programs:

• Trojans and rootkits
• Viruses
• Worms

A worm is a malicious program that can infect both local and remote machines. Worms spread automatically by infecting system after system in a network, and even spreading further to other networks. Therefore, worms have a greater potential for causing damage because they do not rely on the user's actions for execution. There are also malicious programs in the wild that contain all of the features of these three malicious programs.


Virus and Worm Statistics


Virus and Worm Statistics

Source: http://www.av-test.org

This graphical representation gives detailed information of the attacks that have occurred in recent years. According to the graph, only 11,666,667 systems were affected by viruses and worms in the year 2008, whereas in the year 2012 the count drastically increased to 70,000,000 systems, which means that the growth of malware attacks on systems is increasing exponentially year by year.


FIGURE 7.1: Virus and Worm Statistics (bar chart of infected systems per year, 2008 to 2012; vertical axis 0 to 75,000,000 systems)


Design
Developing virus code using programming languages or construction kits

Replication
Virus replicates for a period of time within the target system and then spreads itself

Launch
It gets activated with the user performing certain actions such as running an infected program

Detection
A virus is identified as a threat infecting target systems

Incorporation
Antivirus software developers assimilate defenses against the virus

Elimination
Users install antivirus updates and eliminate the virus threats

Stages of Virus Life

Computer virus attacks spread through various stages from inception to design to elimination.

1. Design: A virus code is developed by using programming languages or construction kits. Anyone with basic programming knowledge can create a virus.

2. Replication: A virus first replicates itself within a target system over a period of time.

3. Launch: It is activated when a user performs certain actions such as triggering or running an infected program.

4. Detection: A virus is identified as a threat infecting target systems. Its actions cause considerable damage to the target system's data.

5. Incorporation: Antivirus software developers assemble defenses against the virus.

6. Elimination: Users are advised to install antivirus software updates, thus creating awareness among user groups.


Working of Viruses: Infection Phase

• In the infection phase, the virus replicates itself and attaches to an .exe file in the system (before infection: clean file; after infection: virus infected file)

Working of Viruses: Infection Phase

Viruses attack a target host's system by using various methods. They attach themselves to programs and transmit themselves to other programs by making use of certain events. Viruses need such events to take place since they cannot:

• Self start
• Infect other hardware
• Cause physical damage to a computer
• Transmit themselves using non-executable files

Generally viruses have two phases, the infection phase and the attack phase. In the infection phase, the virus replicates itself and attaches to an .exe file in the system. Programs modified by a virus infection can enable virus functionalities to run on that system. Viruses get enabled as soon as the infected program is executed, since the program code leads to the virus code. Virus writers have to maintain a balance among factors such as:

• How will the virus infect?
• How will it spread?
• How will it reside in a target computer's memory without being detected?


Obviously, viruses have to be triggered and executed in order to function. There are many ways to execute programs while a computer is running. For example, any setup program calls for numerous programs that may be built into a system, and some of these are distribution medium programs. Thus, if a virus program already exists, it can be activated with this kind of execution and infect the additional setup program as well. There are virus programs that infect and keep spreading every time they are executed. Some programs do not infect other programs when first executed. They reside in a computer's memory and infect programs at a later time. Such virus programs, known as TSRs (terminate-and-stay-resident programs), wait for a specified trigger event to spread at a later stage. It is, therefore, difficult to recognize which event might trigger the execution of a dormant virus infection.

Refer to the figure that follows to see how the EXE file infection works. In the following figure, the .EXE file's header, when triggered, executes and starts running the application. Once this file is infected, any trigger event from the file's header can activate the virus code too, along with the application program as soon as it is run.

• A file virus infects by attaching itself to an executable system application program. Text files such as source code, batch files, script files, etc., are considered potential targets for virus infections.
• Boot sector viruses execute their own code in the first place before the target PC is booted

FIGURE 7.2: Working of Viruses in Infection Phase (before infection: a clean .exe file; after infection: the virus attached to the .exe file)


Working of Viruses: Attack Phase

• Viruses are programmed with trigger events to activate and corrupt systems
• Some viruses infect each time they are run and others infect only when a certain predefined condition is met, such as a user's specific task, a day, time, or a particular event


Working of Viruses: Attack Phase

Once viruses spread themselves throughout the target system, they start corrupting the files and programs of the host system. Some viruses have trigger events that need to be activated to corrupt the host system. Some viruses have bugs that replicate themselves, and perform activities such as deleting files and increasing session time. They corrupt their targets only after spreading as intended by their developers. Most viruses that attack target systems perform actions such as:

• Deleting files and altering content in data files, thereby causing the system to slow down
• Performing animation tasks not related to applications, such as playing music and creating


FIGURE 7.3: Working of Viruses in Attack Phase

Unfragmented File Before Attack: File A (Page 1, Page 2, Page 3) followed by File B (Page 1, Page 2, Page 3), stored contiguously.

File Fragmented Due to Virus Attack: Page 1 of File A, Page 3 of File B, Page 1 of File B, Page 3 of File A, Page 2 of File B, Page 2 of File A.

Refer to this figure, which has two files, A and B. In section one, the two files are located one after the other in an orderly fashion. Once a virus code infects the file, it alters the positioning of the files that were consecutively placed, thus leading to inaccuracy in file allocations, causing the system to slow down as users try to retrieve their files. In this phase:

• Viruses execute when some events are triggered
• Some execute and corrupt via built-in bug programs after being stored in the host's memory
• Most viruses are written to conceal their presence, attacking only after spreading in the host to the fullest extent


Why Do People Create Computer Viruses?

• Inflict damage to competitors
• Financial benefits
• Research projects
• Play prank
• Vandalism
• Cyber terrorism
• Distribute political messages

Why Do People Create Computer Viruses?

Source: http://www.securitydocs.com

Computer viruses are not self-generated, but are created by cyber-criminal minds, intentionally designed to cause destructive occurrences in a system. Generally, viruses are created with a disreputable motive. Cyber-criminals create viruses to destroy a company's data, as an act of vandalism or a prank, or to destroy a company's products. However, in some cases, viruses are actually intended to be good for a system. These are designed to improve a system's performance by deleting previously embedded viruses from files. Some reasons viruses have been written include:

• Inflict damage to competitors
• Research projects
• Pranks
• Vandalism
• Attack the products of specific companies
• Distribute political messages
• Financial gain
• Identity theft
• Spyware
• Cryptoviral extortion


Indications of Virus Attacks

• Processes take more resources and time
• Computer slows down when programs start
• Computer freezes frequently or encounters errors

An effective virus tends to multiply rapidly and may infect a number of machines within three to five days. Viruses can infect Word files which, when transferred, can infect the machines of the users who receive them. A virus can also make good use of file servers in order to infect files. The following are indications of a virus attack on a computer system:

• Programs take longer to load
• The hard drive is always full, even without installing any programs
• The floppy disk drive or hard drive runs when it is not being used
• Unknown files keep appearing on the system
• The keyboard or the computer emits strange or beeping sounds
• The computer monitor displays strange graphics
• File names turn strange, often beyond recognition
• The hard drive becomes inaccessible when trying to boot from the floppy drive
• A program's size keeps changing
• The memory on the system seems to be in use and the system slows down
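As an added example (not code from the courseware), the following Python script turns two of the indicators above, "a program's size keeps changing" and "unknown files keep appearing on the system", together with the infection-phase behaviour described earlier (a virus attaching itself to an .exe file), into a checkable file-integrity baseline. The directory layout, file names and file contents are constructed for the demo; the executable suffix list is an assumption.

```python
"""File-integrity baseline for spotting a file infector's footprint.

Added example, not EC-Council's code. A baseline of (size, SHA-256) is taken
for every executable under a root, and a later scan is compared against it.
Size alone misses an in-place overwrite of equal length, so the hash decides.
"""
import hashlib
import os
import tempfile

# Assumption: only files with these Windows-style suffixes are watched.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com", ".scr")


def sha256_of_file(path):
    """Stream the file through SHA-256 so large executables are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each executable (path relative to root, '/'-separated) to (size, sha256)."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(EXECUTABLE_SUFFIXES):
                continue  # text, documents and so on are out of scope here
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(full), sha256_of_file(full))
    return baseline


def compare_baselines(before, after):
    """Classify every executable as modified, same-size-modified, new or missing."""
    report = {"modified": [], "same_size_modified": [], "new": [], "missing": []}
    for rel, (size, digest) in after.items():
        if rel not in before:
            report["new"].append(rel)  # unknown file appeared
            continue
        old_size, old_digest = before[rel]
        if digest != old_digest:
            # A grown file is the classic "size keeps changing" indicator; an
            # equal-size rewrite only shows up through the hash.
            key = "same_size_modified" if size == old_size else "modified"
            report[key].append(rel)
    for rel in before:
        if rel not in after:
            report["missing"].append(rel)
    for entries in report.values():
        entries.sort()
    return report


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Constructed scenario: baseline, then simulate the indicators and re-scan."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed placeholder "executables"; the bytes are not real programs.
        _write(os.path.join(root, "bin", "editor.exe"), b"MZ" + b"A" * 1024)
        _write(os.path.join(root, "bin", "calc.exe"), b"MZ" + b"B" * 512)
        _write(os.path.join(root, "bin", "helper.dll"), b"MZ" + b"C" * 256)
        _write(os.path.join(root, "docs", "readme.txt"), b"not an executable")
        before = build_baseline(root)

        # 1. editor.exe grows, as when code is appended to a host program.
        with open(os.path.join(root, "bin", "editor.exe"), "ab") as handle:
            handle.write(b"X" * 300)
        # 2. calc.exe is rewritten with different bytes of the same length:
        #    invisible to a size check, caught by the hash.
        _write(os.path.join(root, "bin", "calc.exe"), b"MZ" + b"Z" * 512)
        # 3. An unknown executable appears and a watched DLL disappears.
        _write(os.path.join(root, "bin", "svchost32.exe"), b"MZ" + b"D" * 64)
        os.remove(os.path.join(root, "bin", "helper.dll"))

        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

In practice the baseline would be stored off-host and re-checked on a schedule, since a baseline kept on the infected machine can itself be altered.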


How Does a Computer Get Infected by Viruses?
- When a user accepts files and downloads without checking properly for the source
- Opening infected e-mail attachments
- Installing pirated software
- Not updating and not installing new versions of plug-ins
- Not running the latest anti-virus application

How Does a Computer Get Infected by Viruses?

There are many ways in which a computer gets infected by viruses. The most popular methods are as follows:
- When a user accepts files and downloads without checking properly for the source. Attackers usually send virus-infected files as email attachments to spread the virus on the victim's system. If the victim opens the mail, the virus automatically infects the system.
- Attackers incorporate viruses in popular software programs and upload the infected software on websites intended for downloading software. When the victim downloads the infected software and installs it, the system gets infected.
- Failing to install new versions or update with the latest patches intended to fix the known bugs may expose your system to viruses.
- With the increasing technology, attackers also are designing new viruses. Failing to use the latest antivirus applications may expose you to virus attacks.


Common Techniques Used to Distribute Malware on the Web
- Blackhat Search Engine Optimization (SEO): Ranking malware pages highly in search results
- Malvertising: Embedding malware in ad networks that display across hundreds of legitimate, high-traffic sites
- Social Engineered Click-jacking: Tricking users into clicking on innocent-looking web pages
- Compromised Legitimate Websites: Hosting embedded malware that spreads to unsuspecting visitors
- Spearphishing Sites: Mimicking legitimate institutions, such as banks, in an attempt to steal account login credentials
- Drive-by Downloads: Exploiting flaws in browser software to install malware just by visiting a web page

Source: Security Threat Report 2012 (http://www.sophos.com)

Common Techniques Used to Distribute Malware on the Web

Source: Security Threat Report 2012 (http://www.sophos.com)

- Blackhat Search Engine Optimization (SEO): Using this technique the attacker ranks malware pages high in search results.
- Social Engineered Click-jacking: The attackers trick users into clicking on innocent-looking web pages that contain malware.
- Spearphishing Sites: This technique is used for mimicking legitimate institutions, such as banks, in an attempt to steal account login credentials.
- Malvertising: Embeds malware in ad networks that display across hundreds of legitimate, high-traffic sites.
- Compromised Legitimate Websites: Host embedded malware that spreads to unsuspecting visitors.
- Drive-by Downloads: The attacker exploits flaws in browser software to install malware just by visiting a web page.


Virus Hoaxes and Fake Antiviruses
- Hoaxes are false alarms claiming reports about a non-existing virus, and they may themselves contain virus attachments
- Warning messages propagating that a certain email message should not be viewed, and that doing so will damage one's system
- Attackers disguise malware as an antivirus and trick users into installing it on their systems
- Once installed, these fake antiviruses can damage target systems similar to other malware


Virus Hoaxes and Fake Antiviruses

Virus Hoaxes

A virus hoax is simply a bluff. Viruses, by their nature, have always created a horrifying impression. Hoaxes are typically untrue scare alerts that unscrupulous individuals send to create havoc. It is fairly common for innocent users to pass these phony messages along thinking they are helping others avoid the "virus."
- Hoaxes are false alarms claiming reports about non-existing viruses
- These warning messages, which can be propagated rapidly, state that a certain email message should not be opened, and that doing so would damage one's system
- In some cases, these warning messages themselves contain virus attachments
- These possess the capability of vast destruction on target systems

Many hoaxes try to "sell" things that are technically nonsense. Nevertheless, the hoaxer has to be somewhat of an expert to spread hoaxes in order to avoid being identified and caught. Therefore, it is a good practice to look for technical details about how one would become infected. Also search for information in the wild to learn more about the hoax, especially by scanning bulletin boards where people actively discuss current happenings in the community.


Try to cross-check the identity of the person who has posted the warning. Also look for more information about the hoax/warning from secondary sources. Before jumping to conclusions by reading certain documents on the Internet, check the following:
- If it is posted by newsgroups that are suspicious, cross-check the information with another source
- If the person who has posted the news is not a known person in the community or an expert, cross-check the information with another source
- If a government body has posted the news, the posting should also have a reference to the corresponding federal regulation
- One of the most effective checks is to look up the suspected hoax virus by name on antivirus software vendor sites
- If the posting is technical, hunt for sites that would cater to the technicalities, and try to authenticate the information

Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS! You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEJING' or 'RESIGNATION OF BARACK OBAMA', regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then 'burns' the whole hard C disc of your computer. This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept. COPY THIS E-MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US. End-of-mail. Thanks.

FIGURE 7.3: Hoaxes Warning Message

Fake Antiviruses

Fake antiviruses are a method hackers use to affect a system; they can poison your system and break the registry and system files to allow the attacker to take full control of and access to your computer. A fake antivirus appears and performs similarly to a real antivirus program. Fake antivirus programs first appear in different browsers and warn users that they have various security threats on their system, and this message is backed up by real suspicious viruses. When the user tries to remove the viruses, they are navigated to another page where they need to buy or subscribe to that antivirus and proceed to payment details. These fake antivirus programs have been fabricated in such a way that they draw the attention of the unsuspecting user into installing the software. Some of the methods used to extend the usage and installation of fake antivirus programs include:
- Email and messaging: Attackers use spam email and social networking messages to spread this type of infected email to users and prompt the user to open the attachments for software installation.


- Search engine optimization: Attackers generate pages related to public or current search terms and plant them to appear as extraordinary and the latest in search engine results. The web pages show alerts about infection that encourage the user to buy the fake antivirus.
- Compromised websites: Attackers secretly break into popular sites to install the fake antiviruses, which can be used to entice users to download the fake antivirus by relying on the site's popularity.

FIGURE 7.4: Example of a Fake Antivirus


Virus Analysis: DNSChanger
- DNSChanger (Alureon) modifies the DNS settings on the victim PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information
- It acts as a bot and can be organized into a BotNet and controlled from a remote location
- It spreads through emails, social engineering tricks, and untrusted downloads from the Internet
- DNSChanger malware achieves the DNS redirection by modifying the following registry key settings against an interface device such as a network card:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%RandomCLSID%\NameServer
- DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that, as part of the BotNet takedown, the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names

Source: http://www.totaldefense.com

Virus Analysis: DNSChanger

Source: http://www.totaldefense.com

DNSChanger (Alureon) is malware that spreads through emails, social engineering tricks, and untrusted downloads from the Internet. It acts as a bot and can be organized into a botnet and controlled from a remote location. This malware achieves DNS redirection by modifying the system registry key settings against an interface device such as a network card. DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that, as part of the botnet takedown, the FBI took ownership of rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names. It can even modify the DNS settings on the victim's PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information.


Virus Analysis: DNSChanger (Cont'd)

The rogue DNS servers can exist in any of the following ranges:
64.28.176.0 - 64.28.191.255, 67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255, 93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255, 213.109.64.0 - 213.109.79.255

Source: http://www.totaldefense.com

Virus Analysis: DNSChanger (Cont'd)

Source: http://www.totaldefense.com

The rogue DNS servers can exist in any of the following ranges:
64.28.176.0 - 64.28.191.255, 67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255, 93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255, 213.109.64.0 - 213.109.79.255


FIGURE 7.5: Virus Analysis Using DNSChanger (diagram labels)
- Attacker runs DNS server in Russia (IP: 64.28.176.2)
- DNSChanger infects victim's computer by changing her DNS IP address to 64.28.176.2
- Victim's DNS request "What is the IP address of www.xsecurity.com?" goes to 64.28.176.2
- Fake website, IP: 65.0.0.2
- DNSChanger sniffs the credential and redirects the request to the real website (www.xsecurity.com, IP: 200.0.0.45)

To infect the system and steal credentials, the attacker has to first run a DNS server. Here the attacker runs his or her DNS server in Russia with an IP of, say, 64.28.176.2. Next, the attacker infects the victim's computer by changing his or her DNS IP address to 64.28.176.2. When this malware has infected the system, it entirely changes the DNS settings of the infected machine and forces all DNS requests to go to the DNS server run by the attacker. After altering the DNS setting, any request that is made by the system is sent to the malicious DNS server. Here, the victim sends the DNS request "What is the IP address of www.xsecurity.com?" to the attacker's server (64.28.176.2). The attacker gives a response to the request as www.xsecurity.com, which is located at 65.0.0.2. When the victim's browser connects to 65.0.0.2, it redirects him or her to a fake website created by the attacker with IP 65.0.0.2. DNSChanger sniffs the credentials (user name, passwords) and redirects the request to the real website (www.xsecurity.com) with IP 200.0.0.45.
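A defender's check for the infection described above and for the registry key named on the slide, written as an added example for this module (it is not code from the page or from Total Defense): it collapses the six rogue ranges into CIDR networks and flags any per-interface NameServer value that falls inside them. The interface subkey names and NameServer strings in SAMPLE_INTERFACES are constructed stand-ins for what a live read of the Interfaces key would return; the winreg reader runs only on Windows.

```python
"""Check configured DNS servers against the DNSChanger rogue ranges."""
import ipaddress
import sys

# Rogue DNS server ranges exactly as listed on the slide ("first - last").
ROGUE_RANGES = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("213.109.64.0", "213.109.79.255"),
]


def ranges_to_networks(ranges):
    """Collapse each first-last pair into the minimal list of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


ROGUE_NETWORKS = ranges_to_networks(ROGUE_RANGES)


def is_rogue(server):
    """True if the DNS server address falls in any DNSChanger range."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an IP literal; leave it for a human to review
    return any(addr in net for net in ROGUE_NETWORKS)


def parse_nameserver_value(value):
    """Split a NameServer REG_SZ value; Windows separates entries with commas or spaces."""
    return [s for s in value.replace(",", " ").split() if s]


def check_interfaces(nameservers_by_interface):
    """Return {interface_subkey: [rogue servers]} for every interface with a hit.

    nameservers_by_interface maps an interface subkey name to its NameServer string.
    """
    findings = {}
    for iface, value in nameservers_by_interface.items():
        hits = [s for s in parse_nameserver_value(value) if is_rogue(s)]
        if hits:
            findings[iface] = hits
    return findings


def read_interfaces_from_registry():
    """Read the NameServer value of every interface subkey on a live Windows host."""
    if sys.platform != "win32":
        raise RuntimeError("registry read is only available on Windows")
    import winreg  # standard library, Windows only
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        count = winreg.QueryInfoKey(root)[0]
        for i in range(count):
            sub = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, sub) as key:
                try:
                    value, _ = winreg.QueryValueEx(key, "NameServer")
                except FileNotFoundError:
                    continue  # interface has no static DNS servers configured
                if value:
                    result[sub] = value
    return result


# Constructed sample: three interface subkeys as a registry read might return them.
# The second one carries the attacker server address used on the slide.
SAMPLE_INTERFACES = {
    "{11111111-AAAA-4444-BBBB-000000000001}": "8.8.8.8,8.8.4.4",
    "{11111111-AAAA-4444-BBBB-000000000002}": "64.28.176.2",
    "{11111111-AAAA-4444-BBBB-000000000003}": "192.168.1.1 85.255.112.7",
}

if __name__ == "__main__":
    source = read_interfaces_from_registry() if sys.platform == "win32" else SAMPLE_INTERFACES
    for iface, hits in check_interfaces(source).items():
        print(f"{iface}: rogue DNS server(s) {hits}")
```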


Module Flow
- Virus and Worms Concepts
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing

Module Flow

Prior to this, we have discussed viruses and worms. Now we will discuss the different types of viruses.
- Virus and Worms Concepts
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing

This section describes the different types of viruses.


Types of Viruses
- System or Boot Sector Viruses
- Stealth Virus/Tunneling Virus
- Encryption
- Polymorphic
- Metamorphic
- Cluster Viruses
- Sparse Infector Virus
- Multipartite
- Direct Action or Transient

Types of Viruses

So far, we have discussed various virus and worm concepts. Now we will discuss various types of viruses. This section highlights various types of viruses and worms such as file and multipartite viruses, macro viruses, cluster viruses, stealth/tunneling viruses, encryption viruses, metamorphic viruses, shell viruses, and so on. Computer viruses are malicious software programs written by attackers to intentionally enter the targeted system without the user's permission. As a result, they affect the security and performance of the machine. A few of the most common types of computer viruses that adversely affect security systems are discussed in detail on the following slides.

Types of Viruses

Viruses are classified depending on two categories:
- What do they infect?
- How do they infect?


What Do They Infect?

System or Boot Sector Viruses
The most common targets for a virus are the system sectors, which are nothing but the Master Boot Record and the DOS Boot Record system sectors. These are the areas on the disk that are executed when the PC is booted. Every disk has a system sector of some sort. These viruses specially infect the floppy boot sectors and records of the hard disk. For example: Disk Killer and Stone virus.

File Viruses
Executable files are infected by file viruses, as they insert their code into the original file and get executed. File viruses are larger in number, but they are not the most commonly found. They infect in a variety of ways and can be found in a large number of file types.

Multipartite Virus
They infect program files, and these files in turn affect the boot sectors. Examples: Invader, Flip, and Tequila.

Cluster Viruses
Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program.

Macro Virus
Microsoft Word or a similar application can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or something else. Macro viruses are somewhat less harmful than other types. They are usually spread via email.

How Do They Infect?

Stealth Viruses
These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations in respect to these service call interrupts are replaced by virus code. These viruses state false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.

Tunneling Viruses
These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.


Encryption Viruses
This type of virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for encryption.

Polymorphic Viruses
These viruses were developed to confuse antivirus programs that scan for viruses in the system. It is difficult to trace them, since they change their characteristics each time they infect, e.g., every copy of this virus differs from its previous one. Virus developers have even created metamorphic engines and virus writing toolkits that make the code of an existing virus look different from others of its kind.

Metamorphic Viruses
Code that can reprogram itself is called metamorphic code. This code is translated into temporary code, and then converted back to the normal code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. This is more effective in comparison to polymorphic code. This type of virus consists of complex, extensive code.

Overwriting File or Cavity Viruses
Some program files have areas of empty space. This empty space is the main target of these viruses. The cavity virus, also known as the space filler virus, stores its code in this empty space. The virus installs itself in this unoccupied space without any destruction to the original code. It installs itself in the file it attempts to infect.

Sparse Infector Viruses
A sparse infector virus infects only occasionally (e.g., every tenth program executed) or only files whose lengths fall within a narrow range.

Companion Viruses
The companion virus stores itself by having the identical filename as the targeted program file. As soon as that file is executed, the virus infects the computer, and hard disk data is modified.

Camouflage Viruses
They disguise themselves as genuine applications of the user. These viruses are not difficult to find since antivirus programs have advanced to the point where such viruses are easily traced.

Shell Viruses
This virus code forms a layer around the target host program's code that can be compared to an "eggshell," making itself the original program and the host code its subroutine. Here, the original code is moved to a new location by the virus code and the virus assumes its identity.

File Extension Viruses
File extension viruses change the extensions of files; .TXT is safe, as it indicates a pure text file. If your computer's file extensions view is turned off and someone sends you a file named BAD.TXT.VBS, you will see only BAD.TXT.
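The BAD.TXT.VBS case above, turned into a mail-gateway style check, as an added example that is not part of the original module: it reconstructs the name a user sees when the last extension is hidden and flags attachments whose real extension is executable while the visible one looks harmless. The two extension sets are assumptions chosen for the example, and SAMPLE_ATTACHMENTS is a constructed list.

```python
"""Flag attachment names that hide an executable extension behind a harmless one."""
import os

# Extensions Windows runs on double-click (assumed set for the example; .vbs is the page's case).
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".scr",
                   ".com", ".bat", ".cmd", ".pif", ".hta"}
# Extensions a user reads as safe documents or pictures (assumed set for the example).
BENIGN_EXTS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".gif", ".xls"}


def split_all_extensions(filename):
    """Return (stem, [extensions in order]); 'BAD.TXT.VBS' -> ('BAD', ['.TXT', '.VBS'])."""
    name = os.path.basename(filename)
    exts = []
    while True:
        stem, ext = os.path.splitext(name)
        if not ext or not stem:  # no more extensions, or a dotfile like '.bashrc'
            break
        exts.insert(0, ext)
        name = stem
    return name, exts


def displayed_name(filename):
    """The name shown when the real (last) extension is hidden from the user."""
    stem, exts = split_all_extensions(filename)
    return stem + "".join(exts[:-1])


def is_disguised_executable(filename):
    """True when the hidden last extension is executable and the visible one looks benign."""
    _, exts = split_all_extensions(filename)
    if len(exts) < 2:
        return False
    return exts[-1].lower() in EXECUTABLE_EXTS and exts[-2].lower() in BENIGN_EXTS


def scan_attachments(names):
    """Return [(real name, name the user sees)] for every disguised attachment."""
    return [(n, displayed_name(n)) for n in names if is_disguised_executable(n)]


# Constructed attachment list: two disguised executables among ordinary files.
SAMPLE_ATTACHMENTS = ["BAD.TXT.VBS", "invoice.pdf", "photo.jpg.exe", "notes.tar.gz", "README"]

if __name__ == "__main__":
    for real, shown in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{real!r} would be displayed as {shown!r}")
```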

Add-on Viruses
Most viruses are add-on viruses. This type of virus appends its code to the beginning of the host code without making any changes to the latter. Thus, the virus corrupts the startup information of the host code and places itself in its place, but it does not touch the host code. However, the virus code is executed before the host code. The only indication that the file is corrupted is that the size of the file has increased.

Intrusive Viruses
This form of virus overwrites its code either by completely removing the target host's program code, or sometimes it only overwrites part of it. Therefore, the original code is not executed properly.

Direct Action or Transient Viruses
Transfers all control to the host code where it resides, selects the target program to be modified, and corrupts it.

Terminate and Stay Resident Viruses (TSRs)
A TSR virus remains permanently in memory during the entire work session, even after the target host program is executed and terminated. It can be removed only by rebooting the system.


System or Boot Sector Viruses
- Boot Sector Virus: A boot sector virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
- Execution: When the system boots, the virus code is executed first and then control is passed to the original MBR

System or Boot Sector Viruses
System sector viruses can be defined as those that affect the executable code of the disk, rather than the boot sector virus that affects the DOS boot sector of the disk. Any system is divided into areas, called sectors, where the programs are stored. The two types of system sectors are:
- MBR (Master Boot Record): MBRs are the most virus-prone zones because if the MBR is corrupted, all data will be lost.
- DBR (DOS Boot Record): The DOS boot sector is executed whenever the system is booted. This is the crucial point of attack for viruses.
The system sector consists of 512 bytes of memory. Because of this, system sector viruses conceal their code in some other disk space. The main carrier of system sector viruses is the floppy disk. These viruses generally reside in the memory. They can also be caused by Trojans. Some sector viruses also spread through infected files, and they are called multipart viruses.


Virus Removal
System sector viruses are designed to create the illusion that there is no virus on the system. One way to deal with this virus is to avoid the use of the Windows operating system and switch to Linux or Macs, because Windows is more prone to these attacks. Linux and Macintosh have a built-in safeguard to protect against these viruses. The other way is to carry out antivirus checks on a periodic basis.
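The periodic check mentioned above can be made concrete for the 512-byte system sector: record the hash of the bootstrap code and partition table while the system is known to be clean, then re-read the sector and compare. This is an added example, not code from the module; the sector images and the "known-good" baseline are constructed inline.

```python
"""Periodic integrity check of a 512-byte system sector (MBR).

Added example for this module, not code from the CEH course: the sectors
below are constructed inline, and the "known-good" baseline is computed from
the constructed clean sector rather than read from any real disk.
"""
import hashlib

SECTOR_SIZE = 512
BOOTSTRAP_END = 446           # bootstrap code occupies bytes 0..445
PART_TABLE_END = 510          # four 16-byte partition entries, bytes 446..509
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 of a valid boot sector


def make_sector(bootstrap: bytes, partition_table: bytes = bytes(64)) -> bytes:
    """Assemble a constructed MBR image from its three regions."""
    if len(bootstrap) > BOOTSTRAP_END or len(partition_table) != 64:
        raise ValueError("region too large for a 512-byte sector")
    return bootstrap.ljust(BOOTSTRAP_END, b"\x00") + partition_table + BOOT_SIGNATURE


def region_hashes(sector: bytes) -> dict:
    """SHA-256 of the bootstrap code and of the partition table, kept apart
    so a report can say which region changed."""
    return {
        "bootstrap": hashlib.sha256(sector[:BOOTSTRAP_END]).hexdigest(),
        "partition_table": hashlib.sha256(sector[BOOTSTRAP_END:PART_TABLE_END]).hexdigest(),
    }


def check_sector(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read sector against the baseline recorded when the
    system was known to be clean. Returns a list of findings (empty = OK)."""
    if len(sector) != SECTOR_SIZE:
        return [f"unexpected sector length {len(sector)}"]
    findings = []
    if sector[PART_TABLE_END:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    current = region_hashes(sector)
    for region, digest in baseline.items():
        if current[region] != digest:
            findings.append(f"{region} differs from baseline")
    return findings


# Constructed stand-in for the original bootstrap code (not real boot code).
CLEAN_BOOTSTRAP = b"ORIGINAL-BOOTSTRAP-CODE (constructed placeholder bytes)"
CLEAN_SECTOR = make_sector(CLEAN_BOOTSTRAP)
BASELINE = region_hashes(CLEAN_SECTOR)

# Constructed stand-in for an infected sector: the bootstrap region now holds
# different bytes, which is what a boot sector virus leaves behind after moving
# the original MBR elsewhere; partition table and signature are untouched.
INFECTED_SECTOR = make_sector(b"DIFFERENT-BOOTSTRAP-CODE (constructed placeholder bytes)")


def demo() -> dict:
    """Run the check on each constructed sector and return the findings."""
    return {
        "clean": check_sector(CLEAN_SECTOR, BASELINE),
        "infected": check_sector(INFECTED_SECTOR, BASELINE),
        "blank": check_sector(bytes(SECTOR_SIZE), BASELINE),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'OK'}")
```

On a live system the sector must be read from a boot medium the virus cannot intercept (the cold-boot advice later in this section), because a stealth virus can hand the checker a clean copy.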

FIGURE 7.6: System or Boot Sector Viruses (panels: Before Infection, After Infection; labels: MBR, Virus Code)


File and Multipartite Viruses
File Viruses
File viruses infect files that are executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. File viruses can be either direct-action (non-resident) or memory-resident. Overwriting viruses cause irreversible damage to the files. These viruses mainly target a range of operating systems that include Windows, UNIX, DOS, and Macintosh.

Characterizing File Viruses
File viruses are mainly characterized and described based on their physical behavior or characteristics. One way to classify a file virus is by the type of file targeted by it, such as EXE or COM files, the boot sector, etc. A file virus can also be characterized based on how it infects the targeted file (also known as the host file):
- Prepending: writes itself into the beginning of the host file's code
- Appending: writes itself to the end of the host file
- Overwriting: overwrites the host file's code with its own code
- Inserting: inserts itself into gaps inside the host file's code
- Companion: renames the original file and writes itself with the host file's name
- Cavity infector: writes itself between file sections of a 32-bit file

File viruses are also classified based on whether they are non-memory resident or memory resident. Non-memory resident viruses search for EXE files on a hard drive and then infect them, whereas memory resident viruses stay active in memory and trap one or more system functions. File viruses are said to be polymorphic, encrypted, or non-encrypted. A polymorphic or encrypted virus contains one or more decryptors and a main code. The main virus code is decrypted by the decryptor before it starts. An encrypted virus usually uses variable or fixed key decryptors, whereas polymorphic viruses have decryptors that are randomly generated from processor instructions and that consist of a lot of commands that are not used in the decryption process.

Execution of Payload:
- Direct action: Immediately upon execution
- Time bomb: After a specified period of time
- Condition triggered: Only under certain conditions

Multipartite Viruses
A multipartite virus, also known as a multi-part virus, attempts to attack both the boot sector and the executable or program files at the same time. When the virus is attached to the boot sector, it will in turn affect the system files, and then the virus attaches to the files, and this time it will in turn infect the boot sector.

FIGURE 7.7: File and Multipartite Viruses


Macro Viruses
- Infects Macro Enabled Documents (Attacker to User)
- Most macro viruses are written using the macro language Visual Basic for Applications (VBA)
- Macro viruses infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files

Macro Viruses
Microsoft Word or similar applications can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or some other event occurs. Most macro viruses are written using the macro language Visual Basic for Applications (VBA), and they infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files. Macro viruses are somewhat less harmful than other types. They are usually spread via an email. Pure data files do not allow the spread of viruses, but sometimes the line between a data file and an executable file is easily overlooked by the average user due to the extensive macro languages in some programs. In most cases, just to make things easy for users, the line between a data file and a program starts to blur only in cases where the default macros are set to run automatically every time the data file is loaded. Virus writers can exploit common programs with macro capability such as Microsoft Word, Excel, and other Office programs. Windows Help files can also contain macro code. In addition, the latest exploited macro code exists in the full version of the Acrobat program that reads and writes PDF files.


FIGURE 7.8: Macro Viruses (Attacker sends a macro-enabled document to the User; Infects Macro Enabled Documents)


Cluster Viruses
- Cluster viruses modify directory table entries so that they point users or system processes to the virus code instead of the actual program
- Virus Copy: There is only one copy of the virus on the disk, infecting all the programs in the computer system
- Launch Itself: It will launch itself first when any program on the computer system is started and then control is passed to the actual program

Cluster Viruses
Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program. When a program runs, DOS first loads and executes the virus code, and then the virus locates the actual program and executes it. Dir-2 is an example of this type of virus. Cluster viruses modify directory table entries so that directory entries point to the virus code. There is only one copy of the virus on the disk, infecting all the programs in the computer system. It will launch itself first when any program on the computer system is started and then control is passed to the actual program.


Stealth/Tunneling Viruses
- These viruses evade the anti-virus software by intercepting its requests to the operating system
- A virus can hide itself by intercepting the anti-virus software's request to read the file and passing the request to the virus, instead of the OS
- The virus can then return an uninfected version of the file to the antivirus software, so that it appears as if the file is "clean"

Stealth/Tunneling Viruses
Stealth Viruses
These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations in respect to these service call interrupts are replaced by virus code. These viruses state false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code. The stealth virus hides itself from antivirus software by hiding the original size of the file or temporarily placing a copy of itself in some other drive of the system, thus replacing the infected file with the uninfected file that is stored on the hard drive. A stealth virus hides the modifications that it makes. It takes control of the system's functions that read files or system sectors and, when another program requests information that has already been modified by the virus, the stealth virus reports that information to the requesting program instead. This virus also resides in the memory. To avoid detection, these viruses always take over system functions and use them to hide their presence.


One of the carriers of the stealth virus is the rootkit. Installing a rootkit generally results in this virus attack because rootkits are installed via Trojans, and thus are capable of hiding any malware.

Removal:
- Always do a cold boot (boot from a write-protected floppy disk or CD)
- Never use DOS commands such as FDISK to fix the virus
- Use antivirus software

Tunneling Viruses
These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.
FIGURE 7.9: Working of Stealth/Tunneling Viruses (the Anti-virus Software asks "Give me the system file tcpip.sys"; the VIRUS hides the infected TCPIP.SYS and answers "Here you go" with the original TCPIP.SYS)


Encryption Viruses
- This type of virus uses simple encryption to encipher the code
- The virus is encrypted with a different key for each infected file
- AV scanner cannot directly detect these types of viruses using signature detection methods

Encryption Viruses
This type of virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for encryption. These viruses generally employ XOR on each byte with a randomized key.
- The virus is enciphered with an encryption key; the infected file carries a decryption module and an encrypted copy of the code.
- For each infected file, the virus is encrypted by using a different combination of keys, but the decrypting module part remains unchanged. It is not possible for the virus scanner to directly detect the virus by means of signatures, but the decrypting module can be detected.
- The decryption technique employed is XOR of each byte with a randomized key that is generated and saved by the root virus.
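The scanner's side of the situation described above, as an added example that is not code from the module: two infections of the same constructed "body" under different single-byte XOR keys share no body signature, but both carry the constant decryptor stub, and a scanner that recognises the stub can try all 256 keys on what follows it and recover the plaintext body (the technique usually called X-raying). The stub bytes, body bytes and file layout are placeholders constructed for the example.

```python
"""Scanning for an encryption virus: the enciphered body differs per infection,
but the decryptor stub is constant, and a single-byte XOR can be undone.

Added example, not code from the CEH module. The "virus body", the decryptor
stub and the file layout are constructed placeholders, not real malware.
"""
from typing import Optional

# Constructed stand-in for the constant decryption module.
DECRYPTOR_STUB = b"\xde\xc0\xde\x01CONSTRUCTED-DECRYPTOR-STUB"
# Constructed stand-in for the main virus code (plain text, not executable).
VIRUS_BODY = b"CONSTRUCTED-VIRUS-BODY: placeholder payload bytes, not real code"
BODY_SIGNATURE = VIRUS_BODY[:22]  # what a scanner would match on the plaintext body
STUB_SIGNATURE = DECRYPTOR_STUB   # what it can match on every infected file


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the scheme the module describes)."""
    return bytes(b ^ key for b in data)


def build_infected_file(body: bytes, key: int) -> bytes:
    """Constructed layout: stub | key byte | XOR-enciphered body.
    Each infected file gets its own key, so the enciphered bodies differ."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 would leave the body in plaintext")
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(body, key)


def signature_scan(sample: bytes, signature: bytes) -> bool:
    """Plain signature matching on the raw file, as a basic AV scanner does."""
    return signature in sample


def xray_scan(sample: bytes, body_signature: bytes) -> Optional[int]:
    """If the constant stub is present, try all 256 single-byte keys on the
    region after it and look for the plaintext body signature.
    Returns the recovered key, or None when the file is not recognised."""
    if not sample.startswith(DECRYPTOR_STUB):
        return None
    payload = sample[len(DECRYPTOR_STUB) + 1:]  # skip stub and stored key byte
    for key in range(256):
        if body_signature in xor_bytes(payload, key):
            return key
    return None


def demo() -> dict:
    """Two infections of the same body under different keys (0x21 and 0x7C)."""
    samples = {key: build_infected_file(VIRUS_BODY, key) for key in (0x21, 0x7C)}
    return {
        "files_identical": samples[0x21] == samples[0x7C],
        "body_signature_hits": [signature_scan(s, BODY_SIGNATURE) for s in samples.values()],
        "stub_signature_hits": [signature_scan(s, STUB_SIGNATURE) for s in samples.values()],
        "recovered_keys": [xray_scan(s, BODY_SIGNATURE) for s in samples.values()],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```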


FIGURE 7.10: Working of Encryption Viruses (Virus Code enciphered into Encryption Virus 1, Encryption Virus 2, Encryption Virus 3)


Polymorphic Code
- Polymorphic code is code that mutates while keeping the original algorithm intact
- To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine)
- A well-written polymorphic virus therefore has no parts that stay the same on each infection

Polymorphic Code
Polymorphic viruses modify their code for each replication in order to avoid detection. They accomplish this by changing the encryption module and the instruction sequence. A random number generator is used for implementing polymorphism. A mutation engine is generally used to enable polymorphic code. The mutator provides a sequence of instructions that a virus scanner can use to optimize an appropriate detection algorithm. Slow polymorphic codes are used to prevent antivirus professionals from accessing the codes. Virus samples, which are bait files infected after a single execution, contain a similar copy of the virus. A simple integrity checker is used to detect the presence of a polymorphic virus on the system's disk.


FIGURE 7.11: How Polymorphic Code Works (components: Encrypted Mutation Engine (EME), Encrypted Virus Code, Decryptor Routine; the decryptor routine decrypts the virus code and the mutation engine; the user runs an infected program; the virus does the damage in RAM and produces a new polymorphic virus)

Polymorphic viruses consist of three components. They are the encrypted virus code, the decryptor routine, and the mutation engine. The function of the decryptor routine is to decrypt the virus code. It decrypts the code only after taking control over the computer. The mutation engine generates randomized decryption routines. This decryption routine varies every time a new program is infected by the virus. With a polymorphic virus, both the mutation engine and the virus code are encrypted. When a program that is infected with a polymorphic virus is run by the user, the decryptor routine takes complete control over the system, after which it decrypts the virus code and the mutation engine. Next, control of your system is transferred by the decryption routine to the virus, which locates a new program to infect. In RAM (Random Access Memory), the virus makes a replica of itself as well as the mutation engine. Then the virus instructs the encrypted mutation engine to generate a new randomized decryption routine, which has the capability of decrypting the virus. Here, this new copy of both the virus code and the mutation engine is encrypted by the virus. Thus, this virus, along with the newly encrypted virus code and encrypted mutation engine (EME), appends this new decryption routine onto a new program, thereby continuing the process. Polymorphic viruses that are spread by the attacker in targeted systems are difficult to detect because here the virus body is encrypted and the decryption routine changes from infection to infection, so no two infections look the same; this makes it difficult for the virus scanner to identify this virus.


Metamorphic Viruses
- Metamorphic viruses rewrite themselves completely each time they are to infect a new executable
- Metamorphic code can reprogram itself by translating its own code into a temporary representation and then back to the normal code again
- For example, W32/Simile consisted of over 14000 lines of assembly code; 90% of it is part of the metamorphic engine

Metamorphic Viruses
Some viruses rewrite themselves to infect newly executed files. Such viruses are complex and use metamorphic engines for execution. Code that can reprogram itself is called metamorphic code. This code is translated into temporary code, and then converted back to the normal code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. This is more effective in comparison to polymorphic code. This type of virus consists of complex, extensive code. The commonly known metamorphic viruses are:
- Win32/Simile: This virus is written in assembly language and destined for Microsoft Windows. This process is complex, and nearly 90% of the virus code is generated by this process.
- Zmist: Zmist is also known as Zombie.Mistfall. It is the first virus to use the technique called "code integration." This code inserts itself into other code, regenerates the code, and rebuilds the executable.


FIGURE 7.12: Metamorphic Viruses Screenshot (a.) Variant A; b.) Variant B; c.) The "Unofficial" Variant C; d.) The .D variant (which was the "official" C of the original author); each panel shows the message box displayed by that variant)


File Overwriting or Cavity Viruses
- A cavity virus overwrites a part of the host file with a constant (usually nulls), without increasing the length of the file and preserving its functionality

[Figure: Original File Size: 45 KB; the overwritten region is shown as a block of Null bytes; Infected File Size: 45 KB]

File Overwriting or Cavity Viruses
These are also known as space-fillers since they maintain a constant file size while infected by installing themselves into the target program. They append themselves to the end of files and also corrupt the start of files. This trigger event first activates and executes the virus code, and later the original application program. Some program files have areas of empty space. This empty space is the main target of these viruses. The Cavity Virus, also known as the Space Filler Virus, stores its code in this empty space. The virus installs itself in this unoccupied space without any destruction to the original code. It installs itself in the file it attempts to infect. This type of virus is rarely used because it is difficult to write. A new Windows file format called the Portable Executable is designed for the fast loading of programs. However, it leaves a certain gap in the file while it is being executed that can be used by the Space Filler Virus to insert itself. The most popular virus family is the CIH virus.
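The "simple integrity checker" named in the Polymorphic Code section and the constant-size property of cavity viruses described here both come down to one check: record size and hash of each program while clean, then compare. The added example below (not code from the module) does that against a temporary directory and tells apart an add-on style change (file grows), a cavity style change (size unchanged, content differs) and a file that was not there at baseline time; the "programs" and "infections" are constructed byte strings.

```python
"""File integrity checker that distinguishes an add-on infection (size grows)
from a cavity infection (size unchanged) and from a newly planted file.

Added example, not code from the CEH module. The "program" files and the
"infections" are constructed byte strings written to a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> tuple:
    """(size, sha256) of a file; size alone would miss a cavity infection."""
    data = path.read_bytes()
    return len(data), hashlib.sha256(data).hexdigest()


def build_baseline(root: Path) -> dict:
    """Record fingerprints while the system is known to be clean."""
    return {p.name: fingerprint(p) for p in sorted(root.iterdir()) if p.is_file()}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the directory against the baseline; returns {name: finding}."""
    findings = {}
    for name, (size, digest) in baseline.items():
        path = root / name
        if not path.exists():
            findings[name] = "missing"
            continue
        cur_size, cur_digest = fingerprint(path)
        if cur_digest == digest:
            continue
        if cur_size > size:
            findings[name] = "modified, size grew"        # add-on / prepending
        elif cur_size == size:
            findings[name] = "modified, size unchanged"   # cavity / overwriting
        else:
            findings[name] = "modified, size shrank"
    for path in root.iterdir():
        if path.is_file() and path.name not in baseline:
            findings[path.name] = "new file"              # e.g. a planted companion
    return findings


def demo() -> dict:
    """Baseline three constructed programs, then alter two and add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed "programs": a header, a gap of null bytes, then a body.
        pgm = b"MZ" + bytes(16) + b"constructed PGM body"
        util = b"MZ" + bytes(64) + b"constructed UTIL body"
        (root / "PGM.EXE").write_bytes(pgm)
        (root / "UTIL.EXE").write_bytes(util)
        (root / "OK.EXE").write_bytes(b"MZ unchanged constructed program")
        baseline = build_baseline(root)

        # Add-on style change: bytes placed before the host code, file grows.
        (root / "PGM.EXE").write_bytes(b"CONSTRUCTED-ADDON-STUB" + pgm)
        # Cavity style change: the null gap is overwritten, size stays the same.
        filler = b"CONSTRUCTED-CAVITY-FILL"
        cavity = bytearray(util)
        cavity[2:2 + len(filler)] = filler
        (root / "UTIL.EXE").write_bytes(bytes(cavity))
        # A file that did not exist when the baseline was taken.
        (root / "PGM.COM").write_bytes(b"constructed extra file")

        return verify(root, baseline)


if __name__ == "__main__":
    for name, finding in sorted(demo().items()):
        print(f"{name}: {finding}")
```

The baseline must be stored where a resident virus cannot rewrite it (read-only media or another host), and the verification run from a clean boot, or a stealth virus can feed the checker the original bytes.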

FIGURE 7.13: File Overwriting or Cavity Virus (Original File Size: 45 KB; Infected File Size: 45 KB)


Sparse Infector Viruses
- Sparse Infector Virus: A sparse infector virus infects only occasionally (e.g. every tenth program executed), or only files whose lengths fall within a narrow range
- Difficult to Detect: By infecting less often, such viruses try to minimize the probability of being discovered
- Infection Process: Wake up on 15th of every month and execute code

Sparse Infector Viruses
Sparse infector viruses infect only occasionally (e.g., every tenth program executed or on a particular day of the week) or only files whose lengths fall within a narrow range. By infecting less often, these viruses try to minimize the probability of being discovered.

FIGURE 7.14: Working of Sparse Infector Viruses (wake up on 15th of every month and execute code)


Companion/Camouflage Viruses
- A companion virus creates a companion file for each executable file the virus infects
- Therefore, a companion virus may save itself as notepad.com and every time a user executes notepad.exe (good program), the computer will load notepad.com (virus) and infect the system
- Virus infects the system with a file notepad.com and saves it in the c:\winnt\system32 directory

[Figure: Attacker, Notepad.exe, Notepad.com]

Companion/Camouflage Viruses

Companion Viruses

A companion virus stores itself under the same base name as the targeted program file but with a different extension, so that it is picked ahead of the real program when that name is typed. As soon as the name is executed, the virus infects the computer, and hard disk data is modified. Companion viruses exploit the DOS rule that, for a bare command name, a .COM file is run before an .EXE file of the same name: the virus installs a .COM file with the same base name as the target and thereby "infects" the .EXE without modifying it.

Source: http://www.cknow.com/vtutor/CompanionViruses.html

Here is what happens: suppose a companion virus is executing on your PC and decides it is time to infect a file. It looks around and happens to find a file called PGM.EXE. It now creates a file called PGM.COM containing the virus. The virus usually plants this file in the same directory as the .EXE file, but it could place it in any directory on your DOS path. If you type PGM and press Enter, DOS executes PGM.COM instead of PGM.EXE. (In order, DOS will execute COM, then EXE, and then BAT files of the same root name, if they are all in the same directory.) The virus executes, possibly infecting more files, and then loads and executes PGM.EXE. The user probably would fail to notice anything is wrong. It is easy to detect a companion virus just by the presence of the extra COM file in the system.


(figure: the attacker plants Notepad.com, containing the virus, in c:\winnt\system32 alongside Notepad.exe; the virus infects the system with the file notepad.com saved in that directory)

FIGURE 7.15: Working of Companion/Camouflage Viruses
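The precedence rule and the detection check described above, as an added example (not code from the course or from cknow.com). The first function models how a bare command name is resolved, the second flags every .EXE that has a same-root .COM sibling. The order is not DOS-only: cmd.exe still tries .COM before .EXE before .BAT through the leading entries of the default %PATHEXT%, so the check remains useful on modern Windows. The directory listing is constructed sample data; the disk-scanning helper uses os.scandir, which also returns files carrying the hidden attribute.

```python
"""Companion-virus precedence and detection check (added example)."""
import os
from pathlib import PureWindowsPath

# Order in which DOS resolved a bare command name; cmd.exe keeps the same
# precedence through the first entries of the default %PATHEXT%.
SEARCH_ORDER = [".COM", ".EXE", ".BAT"]

# Constructed listing of c:\winnt\system32 after a companion infection.
SAMPLE_LISTING = ["notepad.exe", "notepad.com", "pgm.exe", "calc.exe"]


def resolve_command(command, listing):
    """Return the file the shell would run for `command` within `listing`.

    A bare name ("notepad") is tried with each extension in SEARCH_ORDER;
    an explicit extension ("notepad.exe") is looked up as typed.
    Returns None when nothing matches.
    """
    index = {name.upper(): name for name in listing}
    typed = PureWindowsPath(command.upper())
    if typed.suffix in SEARCH_ORDER:
        return index.get(typed.name)
    for ext in SEARCH_ORDER:
        hit = index.get(typed.name + ext)
        if hit is not None:
            return hit
    return None


def find_companions(listing):
    """Return sorted (com_file, exe_file) pairs where a .COM shadows an .EXE."""
    index = {name.upper(): name for name in listing}
    pairs = []
    for upper, original in index.items():
        path = PureWindowsPath(upper)
        if path.suffix != ".EXE":
            continue
        com = index.get(path.with_suffix(".COM").name)
        if com is not None:
            pairs.append((com, original))
    return sorted(pairs)


def find_companions_on_disk(directory):
    """Run find_companions over the regular files of a real directory."""
    names = [entry.name for entry in os.scandir(directory) if entry.is_file()]
    return find_companions(names)


if __name__ == "__main__":
    print("typing 'notepad' runs:", resolve_command("notepad", SAMPLE_LISTING))
    print("companion pairs:", find_companions(SAMPLE_LISTING))
```

Running it over the sample listing shows that typing notepad launches notepad.com, and the scan reports exactly that pair; pgm.exe and calc.exe, having no .COM shadow, are not reported.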


Shell Viruses

- Virus code forms a shell around the target host program's code, making itself the original program and the host code its sub-routine
- Almost all boot program viruses are shell viruses

(slide figure: Before Infection: Original Program; After Infection: Virus Code -> Original Program)

Shell Viruses

A shell virus forms a layer around the target host program's code that can be compared to an eggshell, making itself the original program and the host code its subroutine. The original code is moved to a new location by the virus code, and the virus assumes the program's identity: whatever invokes the program now enters the virus first, which then calls the relocated host code.

(figure: Before Infection: Original Program; After Infection: Virus Code -> Original Program)

FIGURE 7.16: Working of Shell Viruses


File Extension Viruses

- File extension viruses change the extensions of files
- .TXT is safe as it indicates a pure text file
- With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you will only see BAD.TXT
- If you have forgotten that extensions are turned off, you might think this is a text file and open it
- This is an executable Visual Basic Script virus file and could do serious damage
- The countermeasure is to turn off "Hide file extensions" in Windows

(slide figure: Folder Options > View > Advanced settings; see Figure 7.17)

File Extension Viruses

Source: http://www.cknow.com/vtutor/FileExtensions.html

File extension viruses change the extensions of files. .TXT is safe as it indicates a pure text file. With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you can only see BAD.TXT. If you have forgotten that the extensions are actually turned off, you might think this is a text file and open it. It is in fact an executable Visual Basic Script virus file that could do serious damage, because Windows decides how to open a file by its last extension, not by the name the user sees.

The countermeasure is to clear "Hide extensions for known file types" in Windows (Folder Options > View), as shown in the following screenshot:


(screenshot: Folder Options > View > Advanced settings, with "Hide extensions for known file types" unchecked and "Show hidden files, folders, and drives" selected)

FIGURE 7.17: Uncheck Hide File Extensions
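The BAD.TXT.VBS case above, as an added example that is not part of the course material: it shows what a name looks like with extensions hidden and flags names whose real (last) extension is executable while the visible part ends in a harmless-looking decoy extension. It goes beyond the page's case by also catching names padded with spaces before the real extension (e.g. "photo.jpg      .exe"), a common variant of the same trick. The extension sets and sample names are constructed; the registry location noted in the code is the value behind the Folder Options checkbox (0 means extensions are shown).

```python
"""Double-extension (BAD.TXT.VBS) detection (added example)."""
import os

# Script and program types Windows runs on double-click (assumed list).
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".exe",
                   ".com", ".bat", ".cmd", ".scr", ".pif", ".hta", ".ps1"}
# Extensions used as the visible "document" part of the name (assumed list).
DECOY_EXTS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png",
              ".gif", ".mp3", ".zip"}

# Registry value behind "Hide extensions for known file types"; 0 = show.
HIDE_FILE_EXT_VALUE = (r"HKCU\Software\Microsoft\Windows\CurrentVersion"
                       r"\Explorer\Advanced", "HideFileExt")

# Constructed sample names, including a space-padded variant.
SAMPLE_NAMES = ["BAD.TXT.VBS", "notes.txt", "setup.exe",
                "photo.jpg      .exe", "report.pdf.scr"]


def displayed_name(filename, hide_extensions=True):
    """Name as Explorer shows it: the final extension is dropped when hidden."""
    if not hide_extensions:
        return filename
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def is_deceptive(filename):
    """True when an executable extension is masked by a decoy extension."""
    root, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, visible_ext = os.path.splitext(root)
    # strip() catches "photo.jpg      .exe", where padding hides the .exe
    return visible_ext.strip().lower() in DECOY_EXTS


def scan_names(names):
    """Return [(real_name, name_as_displayed)] for every deceptive name."""
    return [(n, displayed_name(n)) for n in names if is_deceptive(n)]


if __name__ == "__main__":
    for real, shown in scan_names(SAMPLE_NAMES):
        print(f"shown as {shown!r:28} actually {real!r}")
```

A plain setup.exe is not flagged: its extension is executable but nothing about the name pretends otherwise. The check is about the mismatch between what the user sees and what the shell will run.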


Add-on and Intrusive Viruses

Add-on Viruses
- Add-on viruses append their code to the host code without making any changes to the latter, or relocate the host code to insert their own code at the beginning

(slide figure: Original Program -> viral code, JUMP, Original Program)

Add-on and Intrusive Viruses

Add-on Viruses

Most viruses are add-on viruses. This type of virus adds its code to the host file, either placed at the beginning or appended with a jump to it, without making any changes to the host code itself. The virus replaces the startup information of the host so that the virus code runs first, and then hands control to the untouched host code. The only indication that the file has been altered is that its size has increased, which is exactly what a file-integrity baseline of sizes and hashes catches.

(figure: Original Program -> viral code, JUMP, Original Program)

FIGURE 7.18: Working of Add-on Viruses


Intrusive Viruses

Intrusive viruses overwrite the host with their code, either replacing the target host's program code completely or overwriting only part of it. Because the original bytes are destroyed rather than relocated, the original program no longer executes properly, and, unlike with an add-on virus, the file size need not change.

(figure: Original Program -> Original Program with a region overwritten by virus code)

FIGURE 7.19: Working of Intrusive Viruses
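The cavity, shell, add-on and intrusive strategies above differ in what they do to the host file's size and content, and that difference is what an integrity baseline can report without knowing anything about the virus. The following is an added example, not code from the course: a per-file baseline of (size, SHA-256), a classifier for the kind of change, and byte-level simulations of the three strategies applied to a constructed host image. The simulations are toys that only rearrange bytes; they are not malware.

```python
"""Integrity baseline that tells infection styles apart (added example)."""
import hashlib

UNCHANGED = "unchanged"
GREW = "size increased: code added (add-on / shell style)"
SAME_SIZE = "same size, content changed (cavity / intrusive overwrite)"
SHRANK = "size decreased: content replaced or truncated"

# Constructed host: header, code, a run of zero padding (the "cavity"), tail.
SAMPLE_HOST = b"MZ" + b"host code section" + b"\x00" * 64 + b"tail"
SAMPLE_PAYLOAD = b"<virus code>"


def fingerprint(data):
    """(size, sha256 hex) for one file image."""
    return (len(data), hashlib.sha256(data).hexdigest())


def classify_change(before, after):
    """Classify a (size, hash) change made to one file."""
    size0, hash0 = before
    size1, hash1 = after
    if hash0 == hash1:
        return UNCHANGED
    if size1 > size0:
        return GREW
    if size1 == size0:
        return SAME_SIZE
    return SHRANK


def check_tree(baseline, current):
    """Compare two {path: fingerprint} maps; also report new/missing files."""
    report = {}
    for path in set(baseline) | set(current):
        if path not in current:
            report[path] = "missing"
        elif path not in baseline:
            report[path] = "new"
        else:
            report[path] = classify_change(baseline[path], current[path])
    return report


# --- byte-level simulations of the strategies described on the page ---

def addon_infect(host, payload):
    """Add-on/shell: virus code placed first, host code kept intact after it."""
    return payload + host


def intrusive_infect(host, payload):
    """Intrusive: the start of the host is overwritten; size is unchanged."""
    return payload + host[len(payload):]


def cavity_infect(host, payload):
    """Cavity: payload written into a run of zero bytes; size is unchanged."""
    gap = b"\x00" * len(payload)
    at = host.find(gap)
    if at < 0:
        raise ValueError("no cavity large enough for the payload")
    return host[:at] + payload + host[at + len(payload):]


if __name__ == "__main__":
    base = fingerprint(SAMPLE_HOST)
    for name, fn in [("add-on", addon_infect), ("intrusive", intrusive_infect),
                     ("cavity", cavity_infect)]:
        print(name, "->", classify_change(base, fingerprint(fn(SAMPLE_HOST, SAMPLE_PAYLOAD))))
```

The point of the classifier is the second branch: a size check alone, which is all the add-on section relies on, misses cavity and intrusive infections entirely, so the baseline must carry a hash as well as a size.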


Transient and Terminate and Stay Resident Viruses

Basic Infection Techniques

Direct Action or Transient Virus
- Transfers all control of the host code to where it resides
- Selects the target program to be modified and corrupts it

Terminate and Stay Resident Virus (TSR)
- Remains permanently in memory during the entire work session, even after the target host's program is executed and terminated; can be removed only by rebooting the system

Transient and Terminate and Stay Resident Viruses

Transient Viruses

A transient (direct-action) virus is active only while its host program runs: when the host is started it selects a target program to be modified, corrupts (infects) it, and then transfers control back to the host code in which it resides. It leaves nothing behind in memory once the host exits.

Terminate and Stay Resident Virus (TSR)

TSR viruses remain permanently in memory during the entire work session, even after the target host program is executed and terminated, and can go on infecting programs as they are run. They can be removed only by rebooting the system.


Writing a Simple Virus Program

1. Create a batch file Game.bat with this text:

   @echo off
   del c:\winnt\system32\*.*
   del c:\winnt\*.*

2. Convert the Game.bat batch file to Game.com using the bat2com utility
3. Send the Game.com file as an email attachment to a victim
4. When run, it deletes core files in the WINNT directory, making Windows unusable

Writing a Simple Virus Program

For demonstration purposes, a simple program that can be used to cause harm to a target system is shown here:

1. Create a batch file Game.bat with the following text:

   @echo off
   del c:\winnt\system32\*.*
   del c:\winnt\*.*

2. Convert the Game.bat batch file to Game.com using the bat2com utility.
3. Assign an icon to Game.com using the Windows file properties screen.
4. Send the Game.com file as an email attachment to a victim.
5. When the victim runs this program, it deletes core files in the \WINNT directory, making Windows unusable. The victim would have to reinstall Windows, which also puts already saved files at risk.

Two caveats. In cmd.exe, del on a wildcard such as *.* asks "Are you sure (Y/N)?" unless the /Q switch is given, and files the running system holds open cannot be deleted, so the damage is less complete than the steps suggest. Also, this program does not replicate; strictly it is a destructive payload delivered by social engineering rather than a self-replicating virus.


Terabit Virus Maker

(slide: screenshot of the TeraBIT Virus Maker option list; see Figure 7.20)

TeraBIT Virus Maker

TeraBIT Virus Maker is a virus construction kit. The executables it generates are detected by nearly all antivirus software when scanned. They mostly do not harm the PC, but they can disable the antivirus installed on the system for a short time.


(screenshot: the TeraBIT Virus Maker 3 option list. Checkbox payloads include: Avoid Opening Calculator / Copy,Move Window / Gpedit / Media Player / Mozilla Firefox / MsConfig / Notepad / Wordpad / Yahoo Messenger; Add 30 User Accounts to Windows; Always Clean Clipboard; Always Log Off; Close Internet Explorer Every 10 Sec; Delete All Files In Desktop; Delete All Files In My Documents; Delete Windows Fonts; Delete Windows Screen Savers; Disable Automatic Updates, Command Prompt, Printer, Regedit, Screen Saver, System Restore, Task Manager, Windows Firewall, Windows Installer, Windows Security Center, Windows Security Essentials, Windows Themes; Disconnect From Internet; Format All Hard Drives; Funny Keyboard / Mouse / Start Button; Gradually Fill System Volume; Hide Desktop Icons, Folder Option Menu, Taskbar; Lock All Drives/Folders; Lock Internet Explorer Option Menu; Mute System Volume; Open/Close CD-ROM Every 10 Sec; Play Beep Sound Every Sec; Remove Desktop Wallpaper, Run From Start Menu, Start Button, Windows Clock; Slow Down PC Speed; Spread with Floppy, Folders; Stop SQL Server; Swap Mouse Buttons; Transparent Explorer Windows; Turn Off Computer After 5 Min; Turn Off Monitor. Further fields: Run Custom Command, add fake KB(s) to virus, File Name After Install, Run Virus with Windows, and a Create Virus button.)

FIGURE 7.20: TeraBIT Virus Maker


JPS Virus Maker and DELmE's Batch Virus Maker

(slide: screenshots of JPS Virus Maker 3.0 and DELmE's Batch Virus Maker; see Figures 7.21 and 7.22)

JPS Virus Maker and DELmE's Batch Virus Maker

JPS Virus Maker

JPS Virus Maker is a tool to create viruses. It also has a feature to convert a virus into a worm, and the payloads it offers disable normal system functions and hardware features (Task Manager, Regedit, the mouse and keyboard, the monitor, and so on).


(screenshot: JPS (Virus Maker 3.0). Checkbox payloads include: Disable Registry, MsConfig, Task Manager, Yahoo, Media Player, Internet Explorer, Time, Group Policy, Windows Explorer, Norton Anti Virus, McAfee Anti Virus, Note Pad, Word Pad, Windows, DHCP Client, Taskbar, Start Button, MSN Messenger, CMD, Security Center, System Restore, Control Panel, Desktop Icons, Screen Saver; Hide Services, Outlook Express, Windows Clock, Desktop Icons, All Processes in Taskmgr, All Tasks in Taskmgr, Run; Change Explorer Caption; Clear Windows XP; Swap Mouse Buttons; Remove Folder Options; Lock Mouse & Keyboard; Mute Sound; Always CD-ROM; Crazy Mouse; Destroy Taskbar, Offlines (Y!Messenger), Protected Storage, Audio Service, Clipboard; Terminate Windows; Hide Cursor; Turn Off Monitor; Auto Startup. After-install action: Restart / Log Off / Turn Off / Hibernate / None. Name After Install: Rundll32; Server Name: Sender.exe.)

FIGURE 7.21: JPS Virus Maker Screenshot

DELmE's Batch Virus Maker

DELmE's Batch Virus Maker is a simple tool that lets you assemble your own choice of .bat file payloads into a batch virus to suit your task.

(screenshot: DELmE's Batch Virus Maker. A checkbox list of batch payloads such as Change User Password, Swap Mouse Buttons, Crash Computer, Hide Documents Folder, Delete All Doc/Txt/Pdf/Png files, Delete My Documents/Music/Pictures, Change Home Page, Open Web Page, and a preview pane showing the generated batch script, including an entry written to the system drive's AUTOEXEC.BAT)

FIGURE 7.22: DELmE's Batch Virus Maker Screenshot


Module Flow

- Virus and Worms Concepts
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing

Module Flow

Prior to this, we discussed the various types of viruses. Now we will discuss computer worms and how they differ from viruses.

This section describes worms, worm analysis (Stuxnet), and a worm maker (Internet Worm Maker Thing).


Computer Worms

- Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction
- Most worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system
- Attackers use worm payloads to install backdoors on infected computers, which turns them into zombies and creates a botnet; these botnets can be used to carry out further cyber attacks

Computer Worms

Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Most worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system. A worm does not require a host file to replicate, although in some cases one may argue that a worm's host is the machine it has infected. Worms are treated here as a subtype of viruses. Worms were considered mainly a mainframe problem, but after most of the world's systems became interconnected, worms were targeted against the Windows operating system and were sent through email, IRC, and other network functions. Attackers use worm payloads to install backdoors on infected computers, which turns them into zombies and creates a botnet; these botnets can be used to carry out further cyber-attacks.


How Is a Worm Different from a Virus?

Replicates on its own
- A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs

Spreads through the infected network
- A worm takes advantage of file or information transport features on computer systems and spreads through the infected network automatically, but a virus does not

How Is a Worm Different from a Virus?

TABLE 7.1: Difference between Virus and Worms

Virus
1. A virus is a file that cannot spread to other computers unless an infected file is replicated and actually sent to the other computer.
2. Files such as .com, .exe, or .sys, or a combination of them, are corrupted once the virus runs on the system.
3. Viruses are a lot harder to remove from an infected machine.
4. Their spreading options are much fewer than those of a worm, because viruses only infect files on the machine.

Worm
1. A worm, after being installed on a system, can replicate itself and spread by using IRC, Outlook, or other applicable mailing programs.
2. A worm typically does not modify any stored programs.
3. Compared to a virus, a worm can be easily removed from the system.
4. Worms have more spreading options than a virus.


Worm Analysis: Stuxnet

- Stuxnet is a threat targeting a specific industrial control system, likely in Iran, such as a gas pipeline or power plant
- The goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries

Stuxnet contains many features, such as:
1. Self-replicates through removable drives exploiting a vulnerability allowing auto-execution
2. Spreads in a LAN through a vulnerability in the Windows Print Spooler
3. Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
4. Copies and executes itself on remote computers through network shares running a WinCC database server
5. Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded
6. Updates itself through a peer-to-peer mechanism within a LAN
7. Exploits a total of four unpatched Microsoft vulnerabilities
8. Contacts a command and control server that allows the hacker to download and execute code, including updated versions
9. Contains a Windows rootkit that hides its binaries and attempts to bypass security products
10. Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system

http://www.symantec.com

Worm Analysis: Stuxnet

Source: http://www.symantec.com

Stuxnet is a complex piece of malware with diverse modules and functionalities. Its purpose is to take control of and reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs). This gives the attacker a way into the complete system, lets them change the code the PLCs run, and lets them take unauthorized control of the systems without the knowledge of the operators.

Stuxnet contains many features, such as:

1. Self-replicates through removable drives by exploiting a vulnerability that allows auto-execution
2. Spreads in a LAN through a vulnerability in the Windows Print Spooler
3. Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
4. Copies and executes itself on remote computers through network shares running a WinCC database server
5. Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded
6. Updates itself through a peer-to-peer mechanism within a LAN
7. Exploits a total of four Microsoft vulnerabilities that were unpatched at the time of its discovery
8. Contacts a command and control server that allows the hacker to download and execute code, including updated versions
9. Contains a Windows rootkit that hides its binaries and attempts to bypass security products
10. Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system


Worm Analysis: Stuxnet (Cont'd)

- Stuxnet consists of a large .dll file that contains many different exports and resources and two encrypted configuration blocks
- The dropper component of Stuxnet is a wrapper program that contains all of the above components stored inside itself in a section named "stub"
- When the threat is executed, the wrapper extracts the .dll file from the stub section, maps it into memory as a module, and calls one of the exports
- Whenever an export is called, Stuxnet typically injects the entire DLL into another process and then just calls the particular export
- When injecting into a trusted process, Stuxnet may keep the injected code in the trusted process or instruct the trusted process to inject the code into another currently running process
- Stuxnet hooks Ntdll.dll to monitor for requests to load specially crafted file names; these specially crafted file names are mapped to another location instead, a location specified by W32.Stuxnet
- It uses a special method designed to bypass behavior blocking and host intrusion-protection based technologies that monitor LoadLibrary calls

http://www.symantec.com

W o r m A n a l y s i s : S t u x n e t ( C o n t ’d )
S o u rc e : h t t p : / / w w w . s y m a n t e c . c o m S t u x n e t c o n s is ts o f a la rg e .dll file t h a t c o n t a in s m a n y d i f f e r e n t e x p o r t s a nd r e s o u r c e s a n d t w o e n c r y p t e d c o n f i g u r a t io n blo cks. It h o o k s N t d ll . d l l t o m o n i t o r f o r r e q u e s ts t o lo a d s p e c ia lly

c r a f t e d f ile n a m e s ; th e s e s p e c ia lly c r a f t e d f i l e n a m e s a re m a p p e d t o a n o t h e r l o c a t io n in s te a d , a l o c a t io n s p e c ifie d by W 3 2 . S t u x n e t . T h e d r o p p e r c o m p o n e n t o f S t u x n e t is a w r a p p e r p r o g r a m t h a t c o n t a in s all c o m p o n e n t s s t o r e d in s id e i t s e lf in a s e c tio n n a m e " s t u b . " W h e n t h e t h r e a t is e x e c u te d , t h e w r a p p e r e x tr a c ts t h e .dll file f r o m t h e s tu b s e c tio n , m a p s it i n t o m e m o r y as a m o d u l e , a n d calls o n e o f t h e e x p o r ts . W h e n e v e r an e x p o r t is c a lle d , S t u x n e t t y p i c a l l y in je c ts th e e n t i r e DLL i n t o a n o t h e r p ro c e s s a n d t h e n j u s t calls t h e p a r t i c u l a r e x p o r t . W h e n i n j e c t i n g i n t o a t r u s t e d p ro ce ss, S t u x n e t m a y k e e p t h e i n je c te d c o d e in t h e t r u s t e d p ro c e s s o r i n s t r u c t t h e t r u s t e d p ro c e s s t o i n j e c t t h e c o d e i n t o a n o t h e r c u r r e n t l y r u n n i n g p ro ce ss. It uses a sp ecial m e t h o d d e s ig n e d t o b ypass b e h a v i o r b lo c k in g a n d h o s t i n t r u s i o n - p r o t e c t i o n based te c h n o l o g i e s t h a t m o n i t o r Load L ib ra r y calls.

Worm Analysis: Stuxnet (Cont'd)

Source: http://www.symantec.com

Infection Routine Flow

Stuxnet first checks whether it has administrator rights on the computer. It wants to run with the highest privilege possible so that it has permission to take whatever actions it likes on the computer. If it does not have administrator rights, it executes one of the two zero-day escalation-of-privilege attacks described below; if the process already has the rights it requires, it proceeds to call export 16 in the main .dll file, using the injection techniques described in the Injection Technique section.

The escalation attack vector depends on the operating system of the compromised computer. On Windows Vista, Windows 7, or Windows Server 2008 R2, the (then undisclosed) Task Scheduler escalation-of-privilege vulnerability is exploited. On Windows XP, the (then undisclosed) win32k.sys escalation-of-privilege vulnerability is exploited. If exploited, both vulnerabilities result in the main .dll file running as a new process: within the csrss.exe process in the case of the win32k.sys vulnerability, or as a new task with administrator rights in the case of the Task Scheduler vulnerability. The code to exploit the win32k.sys vulnerability is stored in resource 250. At the time of Symantec's analysis, details of the win32k.sys and Task Scheduler vulnerabilities were withheld because patches were not yet available; both have since been patched by Microsoft (MS10-073 and MS10-092 respectively).

After export 15 completes the required checks, export 16 is called. Export 16 is the main installer for Stuxnet. It checks the date and the version number on the compromised computer; decrypts, creates, and installs the rootkit files and registry keys; injects itself into the services.exe process to infect removable drives; injects itself into the Step 7 process to infect all Step 7 projects; sets up the global mutexes that are used to communicate between the different components; and connects to the RPC server. Export 16 first checks that the configuration data is valid, and then checks the value "NTVDM TRACE" in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation

If that value equals 19790529, Stuxnet exits without infecting the machine, so the value works as a do-not-infect marker, and its presence is a useful indicator when hunting for the worm.

FIGURE 7.23: Infection routine flow. The diagram shows the installer's decision chain: check the configuration data (error: exit); check the registry key NTVDM Trace = 19790529 (equal: exit); check the date, requiring Date < 06/24/2012 (past deadline: exit); check the OS (XP or less / Vista or higher) and set the SACL or DACL accordingly; decrypt resources 201 and 242 and write the rootkit files (MrxCls.sys, MrxNet.sys) to disk; create the .pnf and .cfg files (Oem7a.pnf); set the file times; create the rootkit service registry keys; create the global mutexes; decrypt and load self from disk and call export 6 to get the version; compare the running version number with the version on disk; inject into the service process and call export 32 to infect removable drives; inject into Step 7 and call export 32 to infect Step 7 projects; hide the malicious files.


Worm Maker: Internet Worm Maker Thing

Internet Worm Maker Thing (Version 4.00, Public Edition) is a tool specifically designed for generating a worm. The worm is assembled from the options ticked in the tool's interface: which security features to disable on the victim, which file types to infect, how to persist across reboots, and which payloads to run, optionally only from a given date. The generated worms spread over networks on their own, take a foothold on each infected host, and hold their payload until the configured trigger. They work independently of any host program: an Internet worm sends copies of itself to other vulnerable computers on the Internet.

FIGURE 7.24: Internet Worm Maker Thing. The screenshot shows the tool's main window with its checkbox options; those legible in the capture include Disable Windows Security, Disable Norton Security, Disable Task Manager, Disable Shutdown, Disable Keyboard, Disable Mouse, Hide Desktop, Hide All Drives, Corrupt Antivirus, Change Computer Name, Change Reg Owner, Change Reg Organisation, Change Wallpaper, Change Drive Icon, Keyboard Disco, Open CD Drives, Lock Workstation, Download File, Blue Screen Of Death, Infect Bat Files, Infect VBS Files, Hide Virus Files, Activate Payloads On Date, Global Registry Startup, Local Registry Startup, Winlogon Shell Hook, Start As Service, Add To Context Menu, Add To Favorites, Compile To EXE Support, and an Output Path for the generated worm.


Module Flow

Malware analysis is defined as the action of taking malware apart to study it. It is usually performed for various reasons, such as finding the vulnerabilities that are exploited for spreading the malware, determining what information was stolen, and identifying the prevention techniques to apply so that it cannot enter the system or network again in the future.

The module covers the following topics and now moves on to Malware Analysis:

- Virus and Worms Concepts
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing

Detailed information about the malware analysis procedure is explained in the next few slides.


What Is a Sheep Dip Computer?

Sheep dipping refers to the analysis of suspect files, incoming messages, etc. for malware. The "sheep dipped" computer is isolated from the other computers on the network to block any viruses from entering the production systems. Before this procedure is carried out, any downloaded programs are saved on external media such as CD-ROMs or floppy diskettes and carried to the sheep dip machine. A sheep dip computer is installed with port monitors, file monitors, network monitors, and antivirus software, and connects to a network only under strictly controlled conditions. A sheep dip computer:

- Runs port and network monitors
- Runs user, group permission, and process monitors
- Runs device driver and file monitors
- Runs registry and kernel monitors


Antivirus Sensor Systems

An antivirus sensor system is a collection of computer software that detects and analyzes malicious code threats such as viruses, worms, and Trojans. Such systems are used along with sheep dip computers.

An antivirus sensor system includes antivirus, anti-spyware, anti-Trojan, anti-spamware, anti-phishing, and email-scanner components, and so on. It is usually placed between the internal network and the Internet. It allows only genuine traffic to flow through to the network and blocks (reflects) malicious traffic, protecting the network at its perimeter. A perimeter sensor only sees traffic that crosses it, however; malware carried in on removable media never passes through it, which is exactly the gap the sheep dip computer covers.

FIGURE 7.25: Working of Antivirus Sensor Systems. The diagram shows System 1, System 2, and System 3 on the internal network behind an antivirus system (anti-virus, anti-spyware, anti-Trojan, anti-spamware, anti-phishing, email scanner) that sits in front of the Internet; allowed traffic passes through to the systems while malicious traffic is reflected back.


Malware Analysis Procedure: Preparing Testbed

Malware analysis provides an in-depth understanding of each individual sample and identifies emerging technical trends across large collections of malware samples. Most samples are Windows binary executables. Malware analysis is conducted with a variety of goals, and every variant of it starts from an isolated test environment. The following is the procedure for preparing the malware analysis testbed:

1. Install VMware or Virtual PC on the system
2. Install the guest OS into the Virtual PC/VMware virtual machine
3. Isolate the system from the network by ensuring that the NIC is in "host only" mode
4. Disable shared folders and, in the virtual machine's guest isolation settings, disable drag-and-drop and copy-and-paste with the host
5. Copy the malware over to the guest OS

Take a snapshot of the clean guest before copying the sample in, so the machine can be reverted between runs, and remember that "host only" mode still lets the guest reach the host's virtual adapter: it isolates the sample from the LAN, not from the host.


Malware Analysis Procedure

Step 1: Perform static analysis while the malware is inactive (not executed).

Step 2: Collect information about:

- String values found in the binary, with the help of string-extracting tools such as BinText
- The packaging and compressing technique used, with the help of compression and decompression tools such as UPX

BinText

Source: http://www.mcafee.com

BinText can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double-byte ANSI) text, and resource strings, providing useful information for each item (file position, memory position, and type) in the optional "advanced" view mode. The strings recovered this way often reveal imported API names, file and registry paths, URLs, and messages the sample uses, which guide the dynamic analysis that follows. A sample that yields almost no meaningful strings is usually packed; UPX-packed files can be recognized by section names such as UPX0 and UPX1 and unpacked with upx -d before the strings are extracted again.


FIGURE 7.26: BinText screenshot. BinText 3.0.3 scanning C:\Users\Administrator\Desktop\setup.exe in Advanced view; the results pane lists each string with its file position, memory position, and type, including "!This program cannot be run in DOS mode", ".text", ".data", ".rsrc", "KERNEL32", "IsProcessorFeaturePresent", "General_AppName", "General_Reportee", "FilesToDelete", "FilesToKeep", "LoggingFlags", and "ReportingFlags". Status line: time taken 0.109 secs, text size 37340 bytes (36.46K), AN: 1840, RS: 0.

UPX

Source: http://upx.sourceforge.net

UPX achieves an excellent compression ratio and offers very fast decompression. It typically compresses better than WinZip/zip/gzip. Running upx.exe with no arguments prints its usage:

    Ultimate Packer for eXecutables
    Copyright (C) 1996 - 2011
    UPX 3.08w    Markus Oberhumer, Laszlo Molnar & John Reiser    Dec 12th 2011

    Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

    Commands:
      -1     compress faster                   -9    compress better
      -d     decompress                        -l    list compressed file
      -t     test compressed file              -V    display version number
      -h     give more help                    -L    display software license
    Options:
      -q     be quiet                          -v    be verbose
      -oFILE write output to 'FILE'
      -f     force compression of suspicious files
      -k     keep backup files
    file..   executables to (de)compress

    Type 'upx --help' for more detailed help.

    UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net

FIGURE 7.27: UPX working in Command Prompt (run from D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Compression and Decompress...\UPX\upx308w\upx308w)
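The following Python script is an added worked example for Step 2 (it is not code from the module, from BinText, or from UPX): it performs the two static checks above on a PE file, extracting ASCII and UTF-16LE strings the way BinText does, and walking the PE section table to flag UPX section names, sections with no raw data (the unpacking target of a packed file), and a section whose raw data starts with an MZ header, which is the executable-in-a-"stub"-section layout described for the Stuxnet dropper earlier in this section. The sample PE is fabricated in memory by build_sample_pe, a helper written for this example; analyze_file and the threshold of ten strings for "probably packed" are likewise the example's own choices, not anything the tools define.

```python
import re
import struct
import sys

# Minimal PE section parser + string extractor for static triage (added example).
# build_sample_pe() fabricates a tiny PE32 image so the script runs offline;
# it is a constructed sample, not real malware.


def extract_strings(data: bytes, min_len: int = 5):
    """Return (ascii_strings, unicode_strings) found in data, like BinText's ASCII and
    Unicode scans. 'Unicode' here means UTF-16LE runs of printable ASCII characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    uni_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_strings = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    unicode_strings = [m.group().decode("utf-16le") for m in uni_re.finditer(data)]
    return ascii_strings, unicode_strings


def pe_sections(data: bytes):
    """Parse the section table: DOS header -> e_lfanew -> PE signature -> COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return sections


def triage(data: bytes):
    """Combine the section heuristics and the string scan into one report."""
    findings = []
    sections = pe_sections(data)
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            findings.append(f"section {s['name']}: UPX packer section name")
        if s["raw_size"] == 0 and s["vsize"] > 0:
            findings.append(f"section {s['name']}: no raw data but {s['vsize']:#x} bytes "
                            "virtual size (typical unpacking target of a packed file)")
        raw = data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        if raw[:2] == b"MZ":
            findings.append(f"section {s['name']}: raw data begins with an MZ header "
                            "(embedded executable, dropper-style 'stub')")
    ascii_strings, unicode_strings = extract_strings(data)
    if len(ascii_strings) + len(unicode_strings) < 10:   # example's own threshold
        findings.append("very few strings: probably packed or encrypted; "
                        "unpack (e.g. upx -d) and rescan")
    return {"sections": sections, "findings": findings,
            "ascii": ascii_strings, "unicode": unicode_strings}


def build_sample_pe(sections):
    """Construct a minimal PE32 image: DOS header, PE signature, COFF header, zeroed
    optional header, section table, then each section's raw bytes back to back.
    (Sample input for this example; real files align raw data to FileAlignment.)"""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222            # PE32 magic, rest zeroed
    table_off = 64 + 4 + 20 + len(opt)
    raw_ptr = table_off + 40 * len(sections)
    headers, body = b"", b""
    for name, vsize, raw in sections:
        ptr = raw_ptr if raw else 0
        headers += struct.pack("<8sIIII", name.encode().ljust(8, b"\0"),
                               vsize, 0x1000, len(raw), ptr) + b"\0" * 16
        raw_ptr += len(raw)
        body += raw
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    return dos + b"PE\0\0" + coff + opt + headers + body


# Constructed sample: a UPX-style section pair plus a "stub" section carrying an
# embedded executable, mirroring the dropper layout described for Stuxnet above.
SAMPLE = build_sample_pe([
    ("UPX0", 0x8000, b""),
    ("UPX1", 0x3000, b"\x60\xbe\x00\x10\x40\x00\x8d\xbe" + b"UPX!" + b"\0" * 8),
    ("stub", 0x2000, b"MZ\x90\x00" + b"\0" * 56
                     + b"This program cannot be run in DOS mode.\r\n$"
                     + "KERNEL32.dll".encode("utf-16le") + b"\0\0"
                     + b"CreateFileW\0"),
])


def analyze_file(path: str):
    with open(path, "rb") as f:
        return triage(f.read())


if __name__ == "__main__":
    report = analyze_file(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE)
    for s in report["sections"]:
        print(f"{s['name']:<8} vsize={s['vsize']:#x} raw={s['raw_size']:#x} @ {s['raw_ptr']:#x}")
    for line in report["findings"]:
        print("!", line)
    print("ASCII:", report["ascii"])
    print("Unicode:", report["unicode"])
```

Run it with a file path to triage a real sample, or with no arguments to see the report on the constructed one: both UPX sections, the empty UPX0, the MZ-prefixed stub, and the string shortage are reported, while the DOS-stub message, the KERNEL32.dll import and CreateFileW come back exactly as BinText would list them.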


Malware Analysis Procedure (Cont'd)

Step 3: Set up the network connection and check that it is not giving any errors.

Step 4: Run the virus and monitor the process actions and system information with the help of process-monitoring tools such as Process Monitor and Process Explorer.

Process Monitor

Source: http://technet.microsoft.com

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry, and process/thread activity. Start its capture before executing the sample, and filter on the sample's process name (and on any children it spawns) so that the relevant events are not buried under the background activity of Explorer, mmc.exe, and other processes of the kind visible in Figure 7.28.


Process Monitor - Sysinternals: www.sysinternals.com (File  Edit  Event  Filter  Tools  Options  Help)

Time of Day    Process Name   PID   Operation          Path                                       Result    Detail
12:13:46.620   Explorer.EXE   2384  CreateFileMapping  C:\Windows\System32\imageres.dll           SUCCESS   SyncType: SyncTy...
12:13:46.620   Explorer.EXE   2384  CloseFile          C:\Windows\System32\imageres.dll           SUCCESS
12:13:46.621   Explorer.EXE   2384  CreateFile         C:\Users\Administrator\AppData\Local\...   SUCCESS   Desired Access: S...
12:13:46.676   mmc.exe        4100  ReadFile           C:\Windows\Microsoft.NET\Framework...      SUCCESS   Offset: 7,623,168, ...
12:13:46.677   mmc.exe        4100  ReadFile           C:\Windows\Microsoft.NET\Framework...      SUCCESS   Offset: 7,557,632, ...
12:13:46.679   mmc.exe        4100  ReadFile           C:\Windows\Microsoft.NET\Framework...      SUCCESS   Offset: 7,574,016, ...
12:13:46.685   firefox.exe    2760  TCP Receive        WIN-MSSELCK4K41:1056 -> WIN-MSS...         SUCCESS   Length: 1, seqnum: ...
12:13:46.685   firefox.exe    2760  TCP Send           WIN-MSSELCK4K41:1055 -> WIN-MSS...         SUCCESS   Length: 1, startime: ...
12:13:46.687   mmc.exe        4100  ReadFile           C:\Windows\Microsoft.NET\Framework...      SUCCESS   Offset: 9,322,496, ...
12:13:46.694   mmc.exe        4100  ReadFile           C:\Windows\Microsoft.NET\Framework...      SUCCESS   Offset: 9,547,776, ...
12:13:46.695   mmc.exe        4100  ReadFile           C:\Windows\Microsoft.NET\Framework...      SUCCESS   Offset: 9,535,488, ...
12:13:46.696   mmc.exe        4100  ReadFile           C:\Windows\Microsoft.NET\Framework...      SUCCESS   Offset: 7,803,392, ...

Showing 89,723 of 186,768 events (48%)    Backed by virtual memory

FIGURE 7.28: Process Monitor Screenshot


Malware Analysis Procedure (Cont'd)

5. Record network traffic information using the connectivity and log packet content monitoring tools such as NetResident and TCPView

6. Determine the files added, processes spawned, and changes to the registry with the help of registry monitoring tools such as RegShot

[Figure residue: NetResident window listing Web events dated 10/5/2012 between Party A (WIN-LXQN3...) and Party B hosts on ports 80 and 443, with an Event Detail pane showing a POST request and its cid tag/value; the same screenshot appears as Figure 7.29.]

http://www.tamos.com

Malware Analysis Procedure (Cont'd)

Step 5: Record network traffic information using connectivity and log packet content monitoring tools such as NetResident and TCPView

Step 6: Determine the files added, processes spawned, and changes to the registry with the help of registry monitoring tools such as RegShot

NetResident

Source: http://www.tamos.com

NetResident is a network content analysis application designed to monitor, store, and reconstruct a wide range of network events and activities, such as email messages, web pages, downloaded files, instant messages, and VoIP conversations. It uses advanced monitoring technology to capture the data on the network, saves the data to a database, reconstructs it, and displays the content.
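What a content analyser does with the captured traffic in step 5 is easier to see on raw bytes. The following is an added example, not code from the CEH module or from NetResident or TCPView: it takes the client-to-server bytes of one TCP stream, finds the end of the HTTP header block, rebuilds the URL from the request line and Host header, and decodes the form body into the tag/value pairs an analyst reviews (the cid value shown in Figure 7.29). The captured payload SAMPLE_STREAM is constructed for the example; the URL and cid value mirror the figure. It also flags a capture that holds fewer body bytes than Content-Length announces, which is what a cut-off stream looks like.

```python
"""Reconstruct an HTTP POST request from one captured TCP stream.

Added example for step 5 (not code from the CEH module, NetResident or
TCPView). SAMPLE_STREAM is a constructed capture; the URL and cid value
mirror the ones visible in Figure 7.29.
"""
from urllib.parse import parse_qsl

# Constructed capture of one client-to-server HTTP request (93-byte form body).
SAMPLE_STREAM = (
    b"POST /news/xhr/rhc?authuser=0 HTTP/1.1\r\n"
    b"Host: news.google.co.in\r\n"
    b"User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 93\r\n"
    b"\r\n"
    b"cid=52777990230736.52777991632076.52777992527295.52777984808514"
    b".52777983170746.52777984394614"
)


def reconstruct_http_request(stream: bytes) -> dict:
    """Parse one HTTP request out of raw captured bytes.

    Returns the method, the rebuilt URL, the headers (lower-cased names), the
    decoded form fields, and a 'truncated' flag that is set when the capture
    holds fewer body bytes than Content-Length announces (stream cut short).
    """
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block is incomplete: no blank line found")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii", "replace").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    url = f"http://{host}{target}" if host else target
    declared = int(headers.get("content-length", len(body)))
    fields = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # Only the declared body is decoded; anything beyond it belongs to the next request.
        fields = dict(parse_qsl(body[:declared].decode("latin-1"),
                                keep_blank_values=True))
    return {
        "method": method,
        "version": version,
        "url": url,
        "headers": headers,
        "fields": fields,
        "truncated": len(body) < declared,
    }


if __name__ == "__main__":
    req = reconstruct_http_request(SAMPLE_STREAM)
    print(f"{req['method']} request to {req['url']}")
    for tag, value in req["fields"].items():
        print(f"  {tag} = {value}")
```

On a real capture the stream bytes come from reassembling the TCP segments of one connection first; the parser above starts where that reassembly ends.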


[Figure residue: "NetResident - Evaluation Version" window. The Events view lists Web (HTTP) events dated 10/5/2012 2:14-2:15 between Party A WIN-LXQN3... (ports 1076, 1104, 1109, 1110, 1111, 1114, 1145, 1147, 1163, 1164, 1205) and Party B hosts mystart... and maa03s04-in... on ports 80 and 443. The Event Detail pane shows "POST request to http://news.google.co.in/news/xhr/rhc?authuser=0" with Tag cid and Value 52777990230736.52777991632076.52777992527295.52777984808514.52777983170746.52777984394614 (180 bytes); status bar: Connected, 1,067,459.]

FIGURE 7.29: NetResident Screenshot


Malware Analysis Procedure (Cont'd)

7. Collect the following information using debugging tools such as OllyDbg and ProcDump:

• Service requests
• Attempts for incoming and outgoing connections
• DNS tables information

Malware Analysis Procedure (Cont'd)

Step 7: Collect the following information using debugging tools such as OllyDbg and ProcDump:

• Service requests
• Attempts for incoming and outgoing connections
• DNS tables information

OllyDbg

Source: http://www.ollydbg.de

OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft Windows. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.


[Figure residue: OllyDbg main window, "OLLYDBG.EXE - [CPU - main thread, module OLLYDBG]", with menu File View Debug Plugins Options Window Help. The CPU pane shows disassembly in the 004010C0-00401124 range (PUSH ECX, CALL <JMP.&KERNEL32.GetProcessHeap>, OR EAX,EAX, JE SHORT OLLYDBG.00401124, PUSH EDX, PUSH 0, CALL <JMP.&KERNEL32.HeapFree>, RETN), the register pane (ECX 00000000, ESP 0018FF88, EIP at <ModuleEntryPoint>, segment registers ES/CS/SS/DS/FS/GS, LastErr ERROR_MOD_NOT_FOUND, FPU registers ST0-ST5 empty 0.0) and the stack pane ("RETURN to 0019FF9C", "Arg1 = 00000000").]

FIGURE 7.30: OllyDbg Screenshot


Virus Analysis Tool: IDA Pro

http://www.hex-rays.com

Virus Analysis Tool: IDA Pro

Source: http://www.hex-rays.com

This is a disassembler and debugger tool that supports both Windows and Linux platforms.

Disassembler

The disassembler displays the instructions of various programs in symbolic form, even when the code is available only in binary form. It displays the instruction flow of the processor in the form of maps. It enables its users to identify viruses as well. For example, if any screensavers or "gif" files are trying to spy on any internal applications of the user, IDA Pro reveals this immediately. IDA Pro is developed with the latest techniques that enable it to trace difficult binary code. The results are displayed in readable execution maps.

Debugger

The debugger is an interactive tool that complements the disassembler, so that static and dynamic analysis are available in one single step. It bypasses the obfuscation process, which helps the analyst to process the hostile code in depth.


IDA Pro is a tool that allows you to explore software for flaws and vulnerabilities and to assess its tamper resistance. It is an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment. This can also be used to protect your essential privacy rights. It is used by antivirus companies, research companies, software development companies, agencies, and military organizations.

[Figure residue: IDA Pro window "IDA - C:\Program Files (x86)\IDA Demo 6.3\qwingraph.exe" with the Functions window (sub_401070, sub_401200, sub_401230, sub_4012F0, sub_4013A0, sub_4015A0, sub_402EA0, sub_402EC0, sub_403140, sub_403330, sub_403500, sub_403680, sub_403900, sub_403920, sub_403960, sub_403A40, sub_403B30; "Line 2 of 944"), IDA View-A showing a function prologue (sub esp, 18h; lea eax, [esp+18h+var_14]; push eax; push 0FFFFFFFFh; call ds:GetCommandLineW; ... call ds:QString::fromWCharArray; ... call ds:QString::toLocal8Bit), Hex View-A, Exports, Structures, and the Output window ("Compiling file 'C:\Program Files (x86)\IDA Demo 6.3\idc\ida.idc'...", "Executing function 'main'...", "Compiling file '...\idc\onload.idc'...", "Executing function 'OnLoad'...", "IDA is analysing the input file...", "You may start to explore the input file right now.", "Using FLIRT signature: Microsoft VisualC 2-10/net runtime").]


Online Malware Testing: VirusTotal

VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the detection of viruses, worms, Trojans, etc.

[Figure residue: VirusTotal file analysis page showing the SHA256 and file name of a submitted sample (a .bin file), an analysis date of 2012-07-17 UTC, and a detection table with columns Antivirus, Result and Update listing AhnLab-V3, AntiVir, Antiy-AVL, Avast and AVG (updates 20120716-20120717) with results naming the MoSucker backdoor (e.g. Backdoor/Win32.MoSucker.gen, Win32:Trojan-gen).]

http://www.virustotal.com

Online Malware Testing: VirusTotal

Source: http://www.virustotal.com

VirusTotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, Trojans, and all kinds of malware detected by antivirus engines. Features:

• Free and independent service
• Uses multiple antivirus engines
• Comprised of real-time automatic updates of virus signatures
• Gives detailed results from each antivirus engine
• Has real-time global statistics

[Figure residue: VirusTotal results page for the same sample (maximum file size 32 MB notice, search box for scanning a URL or searching the VirusTotal database, and detection results listing Backdoor/Win32.MoSucker.gen, Win32:Trojan-gen and Backdoor.MoSucker).]

FIGURE 7.32: virustotal Screenshot


Online Malware Analysis Services

Anubis: Analyzing Unknown Binaries
http://anubis.iseclab.org

Metascan Online
http://www.metascan-online.com

Avast! Online Scanner
http://onlinescan.avast.com

Bitdefender QuickScan
http://www.bitdefender.com

Malware Protection Center
https://www.microsoft.com

GFI SandBox
http://www.gfi.com

ThreatExpert
http://www.threatexpert.com

UploadMalware.com
http://www.uploadmalware.com

Dr. Web Online Scanners
http://vms.drweb.com

Fortinet
http://www.fortiguard.com

Online Malware Analysis Services

Online malware analysis services allow you to scan files and resources and secure them before attackers attack and compromise them. A few online malware analysis services are listed as follows:

• Anubis: Analyzing Unknown Binaries available at http://anubis.iseclab.org
• Avast! Online Scanner available at http://onlinescan.avast.com
• Malware Protection Center available at https://www.microsoft.com
• ThreatExpert available at http://www.threatexpert.com
• Dr. Web Online Scanners available at http://vms.drweb.com
• Metascan Online available at http://www.metascan-online.com
• Bitdefender QuickScan available at http://www.bitdefender.com
• GFI SandBox available at http://www.gfi.com
• UploadMalware.com available at http://www.uploadmalware.com
• Fortinet available at http://www.fortiguard.com


Module Flow

[Slide: module flow diagram with the sections Virus and Worms Concept, Types of Viruses, Computer Worms, Malware Analysis, Countermeasures and Penetration Testing; Countermeasures is the current section.]

Module Flow

So far, we have discussed various viruses and worms and malware analysis. Now we will discuss the countermeasures to be applied to protect against viruses and worms, if any are found. These countermeasures help in enhancing security.

• Virus and Worms Concept
• Types of Viruses
• Computer Worms
• Malware Analysis
• Countermeasures
• Penetration Testing

This section highlights various virus and worm countermeasures.


Virus Detection Methods

Scanning: Once a virus has been detected, it is possible to write scanning programs that look for signature string characteristics of the virus

Integrity Checking: Integrity checking products work by reading the entire disk and recording integrity data that acts as a signature for the files and system sectors

Interception: The interceptor monitors the operating system requests that are written to the disk

Virus Detection Methods

A virus scanner is an important piece of software that one should have installed on the PC. If there is no scanner, there is a high chance that the system can be hit by and suffer from a virus. A virus protector should be run regularly on the PC, and the scan engine and virus signature database have to be updated often. Antivirus software is of no use if it does not know what to look for in the latest virus. One should always remember that an antivirus program cannot stop everything. The rule of thumb is: if an email looks suspicious, e.g., if one is not expecting an email from the sender, does not know the sender, or the header looks like something that a known sender would not normally say, one must be careful about opening the email, as there is a risk of becoming infected by a virus. The MyDoom and W32.Novarg.A@mm worms infected many Internet users recently. These worms infected most users through email. The three best methods for antivirus detection are:

• Scanning
• Integrity checking
• Interception

In addition, a combination of some of these techniques can be more effective.

Scanning

• The moment a virus is detected in the wild, antivirus vendors across the globe start writing scanning programs that look for its signature strings (characteristic of the virus).
• The strings are identified and extracted from the virus by these scanner writers. The resulting new scanners search memory, files, and system sectors for the signature strings of the new virus. The scanner declares the presence of a virus once it finds a match. Only known and pre-defined viruses can be detected. Virus writers often create many new viruses by altering an existing one. What looks like a new virus may have taken just a few minutes to create. Attackers make these changes frequently to throw off the scanners.
• In addition to signature recognition, new scanners make use of various other detection techniques such as code analysis. Before looking into the code characteristics of a virus, the scanner examines the code at various locations in an executable file.
• In another possibility, the scanner sets up a virtual computer in RAM and tests the programs by executing them in the virtual space. This technique, called "heuristic scanning," can also check and remove messages that might contain a computer virus or other unwanted content.
• The major advantages of scanners are:
  • They can check programs before they are executed.
  • It is the easiest way to check new software for any known or malicious virus.
• The major drawbacks to scanners are:
  • Old scanners could prove to be unreliable. With the tremendous increase in new viruses, old scanners can quickly become obsolete. It is best to use the latest scanners available on the market.
  • Even a new scanner is never equipped to handle all new challenges, since viruses appear more rapidly than new scanners can be developed to battle them.
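The signature-scanning method described above reduces to a small amount of code, shown here as an added example that is not from the CEH module or from any antivirus product. A signature database maps a name to a byte pattern (hex bytes with "??" as a one-byte wildcard, a simplification of the formats real scanners use); each pattern is compiled once and then searched for in whatever buffer is being inspected: a file read in chunks, a memory region, or a boot sector. The file scanner keeps an overlap between chunks so a signature straddling a chunk boundary is still found. The two signatures and the sample buffers are constructed for the example and describe no real virus; the limitation the text names also holds here: only what is in the database can be detected, and a one-byte change outside the wildcards defeats the match.

```python
"""Signature scanning over byte buffers and files (added example).

Not code from the CEH module or any vendor. SIGNATURE_DB and the SAMPLE_*
buffers are constructed for this example and match no real malware.
"""
import os
import re
import tempfile

# Constructed signature database: name -> hex pattern; "??" matches any one byte.
SIGNATURE_DB = {
    "Demo.Dropper.A": "4D 5A ?? ?? 50 45 00 00 44 45 4D 4F",                 # "MZ..PE\0\0DEMO"
    "Demo.Macro.B":   "41 75 74 6F 4F 70 65 6E ?? ?? 53 68 65 6C 6C",        # "AutoOpen..Shell"
}

# Constructed samples: a fake PE header carrying the dropper marker, and a clean one.
SAMPLE_INFECTED = b"MZ\x90\x00PE\x00\x00DEMO" + b"\x00" * 64
SAMPLE_CLEAN = b"MZ\x90\x00PE\x00\x00" + b"\x00" * 64


def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn 'DE AD ?? EF' into a bytes regex; DOTALL lets the wildcard match 0x0A too."""
    parts = []
    for tok in hex_pattern.split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad signature token: {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)


class SignatureScanner:
    def __init__(self, db: dict):
        self.signatures = {name: compile_signature(p) for name, p in db.items()}
        # Longest pattern length bounds how much of a previous chunk must be kept.
        self.overlap = max(len(p.pattern) for p in self.signatures.values())

    def scan_buffer(self, data: bytes) -> list:
        """Return (name, offset) for the first occurrence of each matching signature."""
        hits = []
        for name, pattern in self.signatures.items():
            m = pattern.search(data)
            if m:
                hits.append((name, m.start()))
        return hits

    def scan_file(self, path: str, chunk: int = 1 << 20) -> list:
        """Scan a file chunk by chunk, carrying an overlap so boundary-spanning matches survive."""
        hits, offset, tail = set(), 0, b""
        with open(path, "rb") as fh:
            while True:
                block = fh.read(chunk)
                if not block:
                    break
                buf = tail + block                      # buf starts at offset - len(tail)
                for name, pos in self.scan_buffer(buf):
                    hits.add((name, offset - len(tail) + pos))
                tail = buf[-self.overlap:]
                offset += len(block)
        return sorted(hits)


def scan_bytes_via_file(scanner: SignatureScanner, data: bytes, chunk: int) -> list:
    """Helper: write bytes to a temporary file, scan it with the given chunk size, clean up."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return scanner.scan_file(path, chunk)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    scanner = SignatureScanner(SIGNATURE_DB)
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, scanner.scan_buffer(sample) or "no match")
```

Note that scan_buffer reports only the first hit per signature; a product would record every occurrence and, as the text says, back the signature match with code analysis or emulation before declaring a file infected.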

Integrity Checking

• Integrity checking products perform their functions by reading and recording integrity data to develop a signature or baseline for those files and system sectors. Integrity products check any program with built-in intelligence. This is really the only solution that can take care of all the threats to data. The most trusted way to know the amount of damage done by a virus is provided by these integrity checkers, since they can check data against the originally established baseline.


• A disadvantage of a basic integrity checker is that it cannot differentiate file corruption caused by a bug from corruption caused by a virus. However, there are some advanced integrity checkers available that are capable of analyzing and identifying the types of changes that viruses make. A few integrity checkers combine some of the antivirus techniques with integrity checking to create a hybrid. This also simplifies the virus checking process.
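The baseline-and-compare idea behind integrity checking is the same snapshot technique step 6 of the malware analysis procedure uses with RegShot (snapshot before, run the sample, snapshot after, diff). The following added example, not code from the CEH module, RegShot or any integrity product, implements it for a directory tree: each file's size and SHA-256 are recorded as its signature, and a second snapshot is classified into added, removed and modified files. The demo tree built by build_demo_tree() and the changes applied by simulate_changes() are constructed; the "modified but same size" class is called out separately because it is exactly the case the text says a basic checker cannot attribute to a bug or a virus, so it is the one an analyst inspects first. Real products extend the same loop to system sectors and registry keys.

```python
"""Baseline-and-compare integrity checking of a directory tree (added example).

Not code from the CEH module, RegShot or any integrity checking product.
The demo directory and the changes applied to it are constructed.
"""
import hashlib
import os
import shutil
import tempfile


def snapshot(root: str) -> dict:
    """Map each file (path relative to root) to its integrity signature: size and SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            baseline[rel] = {"size": os.stat(full).st_size, "sha256": h.hexdigest()}
    return baseline


def compare(before: dict, after: dict) -> dict:
    """Classify the differences between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after)
                      if before[p]["sha256"] != after[p]["sha256"])
    # Hash changed but length did not: in-place patching of existing code, which
    # a size-only check would miss entirely.
    same_size = [p for p in modified if before[p]["size"] == after[p]["size"]]
    return {"added": added, "removed": removed,
            "modified": modified, "modified_same_size": same_size}


def build_demo_tree() -> str:
    """Create a constructed directory (the 'clean' baseline) and return its path."""
    root = tempfile.mkdtemp(prefix="integrity_demo_")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "app.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 62)
    with open(os.path.join(root, "config.ini"), "w") as fh:
        fh.write("[run]\nautostart=0\n")
    return root


def simulate_changes(root: str) -> None:
    """Apply constructed changes of the kinds a checker must tell apart."""
    with open(os.path.join(root, "bin", "app.exe"), "r+b") as fh:   # patched in place, same size
        fh.seek(2)
        fh.write(b"\xeb\x3e")
    with open(os.path.join(root, "config.ini"), "a") as fh:         # appended to, size grows
        fh.write("extra=1\n")
    with open(os.path.join(root, "bin", "dropped.dll"), "wb") as fh:  # new file
        fh.write(b"MZ" + b"\x00" * 10)


def demo() -> dict:
    """Baseline, change, re-snapshot, diff; the temporary tree is removed afterwards."""
    root = build_demo_tree()
    try:
        before = snapshot(root)
        simulate_changes(root)
        return compare(before, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:20s} {paths}")
```

In practice the baseline has to be taken on a system known to be clean and stored where the software under test cannot rewrite it; a baseline kept on the same disk is only as trustworthy as that disk.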

Interception

• The main use of an interceptor is for deflecting logic bombs and Trojans.
• The interceptor controls requests to the operating system for network access or actions that cause a threat to the program. If it finds such a request, the interceptor generally pops up and asks if the user wants to allow the request to continue. There are no dependable ways to intercept direct branches to low-level code or direct input and output instructions issued by the virus. In some cases, the virus is capable of disabling the monitoring program itself. Some years back it took only eight bytes of code to turn off the monitoring functions of a widely used antivirus program.


Virus and Worms Countermeasures

• Install anti-virus software that detects and removes infections as they appear
• Generate an anti-virus policy for safe computing and distribute it to the staff
• Pay attention to the instructions while downloading files or any programs from the Internet
• Update the anti-virus software regularly
• Avoid opening the attachments received from an unknown sender as viruses spread via e-mail attachments
• Possibility of virus infection may corrupt data, thus regularly maintain data back up
• Schedule regular scans for all drives after the installation of anti-virus software
• Do not accept disks or programs without checking them first using a current version of an antivirus program

Virus and Worms Countermeasures

Preventive measures need to be followed in order to lessen the possibility of virus infections and data loss. If certain rules and actions are adhered to, the possibility of falling victim to a virus can be minimized. Some of these methods include:

• Install antivirus software that detects and removes infections as they appear
• Generate an antivirus policy for safe computing and distribute it to the staff
• Pay attention to the instructions while downloading files or any programs from the Internet
• Update the antivirus software on a monthly basis, so that it can identify and clean out new bugs
• Avoid opening the attachments received from an unknown sender as viruses spread via email attachments
• The possibility of virus infection may corrupt data, thus regularly maintain data backups
• Schedule regular scans for all drives after the installation of antivirus software
• Do not accept disks or programs without checking them first using a current version of an antivirus program


Virus and Worms Countermeasures (Cont'd)

• Ensure the executable code sent to the organization is approved
• Run disk clean up, registry scanner and defragmentation once a week
• Do not boot the machine with infected bootable system disk
• Turn on the firewall if the OS used is Windows XP
• Know about the latest virus threats
• Run anti-spyware or adware once in a week
• Check the DVD and CDs for virus infection
• Block the files with more than one file type extension
• Ensure the pop-up blocker is turned on and use an Internet firewall
• Be cautious with the files being sent through the instant messenger

Virus and Worms Countermeasures (Cont'd)

• Ensure the executable code sent to the organization is approved
• Run disk clean up, registry scanner, and defragmentation once a week
• Do not boot the machine with infected bootable system disk
• Turn on the firewall if the OS used is Windows XP
• Keep informed about the latest virus threats
• Run anti-spyware or adware once in a week
• Check the DVDs and CDs for virus infection
• Block the files with more than one file type extension
• Ensure the pop-up blocker is turned on and use an Internet firewall
• Be cautious with the files being sent through the instant messenger
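Two of the countermeasures above ("Block the files with more than one file type extension" and "Ensure the executable code sent to the organization is approved") are mechanical enough to enforce at a mail or file gateway. The following added example, not code from the CEH module or any product, does both: it splits a file name into its full extension chain, after stripping the trailing dots and spaces that Windows ignores when it resolves a file type, flags names with more than one extension, and admits executable types only when the content's SHA-256 is on an approved list. The executable-extension set and the approved-hash list are constructed; an organisation would populate the list from its own software-approval process. Note that the rule as stated on the page also catches legitimate names such as archive.tar.gz, which a real policy would exempt explicitly.

```python
"""Gateway checks for double extensions and approved executables (added example).

Not code from the CEH module or any product. EXECUTABLE_EXTS and
APPROVED_SHA256 are constructed for this example.
"""
import hashlib

# Extensions treated as executable content (constructed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs",
                   "js", "jse", "wsf", "hta", "msi", "dll"}

# Constructed allowlist: SHA-256 of executables the organisation has approved.
APPROVED_SHA256 = {
    hashlib.sha256(b"MZ approved build 1.0").hexdigest(): "Approved internal tool v1.0",
}


def extension_chain(filename: str) -> list:
    """Return every extension in a name, lower-cased: 'invoice.pdf.exe' -> ['pdf', 'exe'].

    Trailing dots and spaces are removed first because Windows drops them when it
    resolves the file type, so 'report.exe  ' is still an .exe. A leading dot marks
    a hidden file, not an extension.
    """
    name = filename.strip().rstrip(". ").lstrip(".")
    parts = name.split(".")
    return [p.lower() for p in parts[1:] if p]


def check_file(filename: str, content: bytes) -> list:
    """Return the policy rules the file violates; an empty list means it may pass."""
    reasons = []
    exts = extension_chain(filename)
    if len(exts) > 1:
        reasons.append(f"multiple file type extensions: {'.'.join(exts)}")
    if exts and exts[-1] in EXECUTABLE_EXTS:
        digest = hashlib.sha256(content).hexdigest()
        if digest not in APPROVED_SHA256:
            reasons.append(f"executable .{exts[-1]} is not on the approved list "
                           f"(sha256 {digest[:12]}...)")
    return reasons


if __name__ == "__main__":
    samples = [                       # constructed attachments
        ("document.pdf", b"%PDF-1.4 ..."),
        ("tool.exe", b"MZ approved build 1.0"),
        ("invoice.pdf.exe", b"MZ\x90\x00"),
        ("photo.jpg.scr  ", b"MZ\x90\x00"),
    ]
    for name, data in samples:
        verdict = check_file(name, data)
        print(f"{name!r}: {'ALLOW' if not verdict else 'BLOCK ' + '; '.join(verdict)}")
```

The last extension decides how the operating system will treat the file, which is why the check keys on exts[-1]; the earlier extensions are only there to mislead the recipient.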


Companion Antivirus: Immunet

[Figure residue: Immunet 3.0 window with Community ("2,478,268 people protected"), Computer, Product and Notices panels; a History/Scan pane ("Last scanned 10/5/2012 6:46:50 PM"; "Scan Complete" with Files Scanned, Threats Detected, Threats Removed and Elapsed Time counters); a Scan History list; and an "Upgrade to Immunet Plus 3.0" offer listing advanced rootkit removal, enhanced community features, offline protection and technical support.]

http://www.immunet.com

Companion Antivirus: Immunet

Source: http://www.immunet.com

Companion Antivirus means that Immunet is compatible with existing antivirus solutions. Immunet adds an extra, lightweight layer of protection for greater peace of mind. Since traditional antivirus solutions detect on average only 50% of online threats, most users are underprotected, which is why every PC can benefit from Immunet's essential layer of security. Immunet Protect's detection power relies on ETHOS and SPERO, the heuristics-based engine and the cloud engine. Users of the Plus version also benefit from a third engine called TETRA, which provides protection when not connected to the Internet.


[Figure residue: Immunet 3.0 main window (the screenshot shown on the slide above).]

FIGURE 7.33: Immunet Screenshot


Anti-virus Tools

AVG Antivirus
http://free.avg.com

F-Secure Anti-Virus
http://www.f-secure.com

BitDefender
http://www.bitdefender.com

Avast Pro Antivirus
http://www.avast.com

Kaspersky Anti-Virus
http://www.kaspersky.com

McAfee AntiVirus Plus 2013
http://home.mcafee.com

Trend Micro Internet Security Pro
http://apac.trendmicro.com

ESET Smart Security 6
http://www.eset.com

Norton AntiVirus
http://www.symantec.com

Total Defense Internet Security Suite
http://www.totaldefense.com

Antivirus Tools

Antivirus tools prevent, detect, and remove viruses and other malicious code from your system. These tools protect your system and repair viruses in all incoming and outgoing email messages and instant messenger attachments. In addition, these tools monitor the network's traffic for malicious activities. A few antivirus tools that can be used for the purpose of detecting and killing the viruses in the systems are listed as follows:

• AVG Antivirus available at http://free.avg.com
• BitDefender available at http://www.bitdefender.com
• Kaspersky Anti-Virus available at http://www.kaspersky.com
• Trend Micro Internet Security Pro available at http://apac.trendmicro.com
• Norton Anti-Virus available at http://www.symantec.com
• F-Secure Anti-Virus available at http://www.f-secure.com
• Avast Pro Antivirus available at http://www.avast.com
• McAfee Anti-Virus Plus 2013 available at http://home.mcafee.com
• ESET Smart Security 5 available at http://www.eset.com
• Total Defense Internet Security Suite available at http://www.totaldefense.com


Module Flow

[Slide: module flow diagram with the sections Virus and Worms Concept, Types of Viruses, Computer Worms, Malware Analysis, Countermeasures and Penetration Testing; Penetration Testing is the current section.]

Module Flow
Penetration testing must be conducted against viruses and worms, as they are the most widely used means of attack. They do not require extensive knowledge to use. Hence, you should conduct pen testing on your system or network before a real attacker exploits it.

Virus and Worms Concept
Types of Viruses
Computer Worms
Malware Analysis
Countermeasures
Penetration Testing

This section provides insight into virus and worm pen testing.


Penetration Testing for Virus

Install an anti-virus program on the network infrastructure and on the end-user's system
Update the anti-virus software to update your virus database of the newly identified viruses
Scan the system for viruses, which helps to repair damage or delete files infected with viruses

Penetration Testing for Viruses
Since you are an expert Ethical Hacker and Penetration Tester, the IT director instructs you to test the network for any viruses and worms that could damage or steal the organization's information. You need to construct viruses and worms and try to inject them in a dummy network (virtual machine) and check whether they are detected by antivirus programs or able to bypass the network firewall. As a pen tester, you should carry out the following steps to conduct a virus penetration test:

Step 1: Install an antivirus program
You should install an antivirus program on the network infrastructure and on the end-user's system before conducting the penetration test.

Step 2: Update the antivirus software
Check whether your antivirus is up to date. If not, update your antivirus software.

Step 3: Scan the system for viruses
You should try to scan your target system; this will help you to repair damage or delete files infected with viruses.


Penetration Testing for Virus (Cont'd)

Flowchart nodes: System is not infected; Set the anti-virus to quarantine or delete the virus; Virus is removed?; System is safe; Go to safe mode and delete the infected file manually

Set the anti-virus software to compare file contents with the known computer virus signatures, identify infected files, quarantine and repair them if possible or delete them if not
If the virus is not removed then go to safe mode and delete the infected file manually

Penetration Testing for Viruses (Cont'd)

Step 4: Set the antivirus to quarantine or delete the virus
Set your antivirus software to compare file contents with the known computer virus signatures, identify infected files, quarantine and repair them if possible, or delete them if not.

Step 5: Go to safe mode and delete the infected file manually
If the virus is not removed, then go to safe mode and delete the infected file manually.
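To make Step 4 concrete, the following added example (not code from the course or from any antivirus product) shows the core of what a signature scan with quarantine does: compare file contents against known byte patterns, move each match into a quarantine folder under its SHA-256 name, and record where it came from. The signature database and the files in demo() are constructed placeholders; a real engine uses a large, regularly updated database and also unpacks archives and executables before matching.

```python
"""Signature scan with quarantine (added example, constructed signatures)."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed demo signatures (name -> byte pattern). They exist only so the
# scan has something to match; they correspond to no real malware family.
SIGNATURES = {
    "Demo.Marker.A": b"DEMO-SIGNATURE-ALPHA",
    "Demo.Marker.B": b"DEMO-SIGNATURE-BETA",
}


def match_signatures(data: bytes) -> list:
    """Return the names of all signatures whose pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_tree(root: Path, exclude: Path) -> dict:
    """Return {path: [signature names]} for every file under root that matches.

    Files under `exclude` (the quarantine folder) are skipped so that
    already-quarantined samples are not reported a second time.
    """
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or exclude in path.parents:
            continue
        matched = match_signatures(path.read_bytes())
        if matched:
            hits[path] = matched
    return hits


def quarantine(path: Path, qdir: Path) -> Path:
    """Move an infected file into qdir under its SHA-256 name and write a
    sidecar noting the original location, so it can be restored or analysed."""
    qdir.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    dest = qdir / f"{digest}.quarantined"
    shutil.move(str(path), str(dest))
    (qdir / f"{digest}.meta").write_text(f"original={path}\n")
    return dest


def scan_and_quarantine(root: Path, qdir: Path) -> dict:
    """Scan root, quarantine every hit and return {original path: signatures}."""
    report = {}
    for path, names in scan_tree(root, qdir).items():
        quarantine(path, qdir)
        report[str(path)] = names
    return report


def demo() -> dict:
    """Constructed scenario: one clean file and one file carrying a demo marker.

    Returns the first scan's report, the second (post-quarantine) report and
    the files still present in the scanned tree.
    """
    root = Path(tempfile.mkdtemp())
    (root / "clean.txt").write_bytes(b"quarterly report, nothing unusual")
    (root / "tool.bin").write_bytes(b"MZ...header..." + b"DEMO-SIGNATURE-ALPHA" + b"...")
    qdir = root / "_quarantine"
    first = scan_and_quarantine(root, qdir)
    second = scan_and_quarantine(root, qdir)  # nothing left to find
    remaining = sorted(p.name for p in root.iterdir() if p.is_file())
    return {"first": first, "second": second, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

Keeping the quarantine folder outside the scanned tree (or excluding it, as above) matters: otherwise each rescan rediscovers the samples it already isolated, and repairing rather than deleting is only possible while the original bytes are still kept somewhere.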


Penetration Testing for Virus (Cont'd)

Scan for running processes: Use tools such as What's Running and Winsonar
Scan for suspicious registry entries: Use tools such as jv16 Power Tools 2012 and Reg Organizer
Scan for Windows services: Use tools such as SrvMan and ServiWin
Scan for startup programs: Use tools such as Starter, Security AutoRun, and Autoruns
Scan for files and folders integrity: Use tools such as FCIV, TRIPWIRE, and SIGVERIF

Scan the system for running processes, registry entries, startup programs, files and folders integrity and services
If any suspicious process, registry entry, startup program or service is discovered, check the associated executable files
Collect more information about these from publisher's websites if available, and the Internet
Check the startup programs and determine if all the programs in the list can be recognized with known functionalities
Check the data files for modification or manipulation by opening several files and comparing the hash value of these files with a pre-computed hash

Penetration Testing for Viruses (Cont'd)

Step 6: Scan the system for running processes
You should scan your system for suspicious running processes. You can do this by using tools such as What's Running, HijackThis, etc.

Step 7: Scan the system for suspicious registry entries
You should scan your system for suspicious registry entries. You can do this by using tools such as JV Power Tools and RegShot.

Step 8: Scan the system for Windows services
You should scan for suspicious Windows services running on your system. You can do this by using tools such as SrvMan and ServiWin.

Step 9: Scan the system for startup programs
You should scan your system for suspicious startup programs running on your system. Tools such as Starter, Security AutoRun, and Autoruns can be used to scan the startup programs.

Step 10: Scan the system for files and folders integrity
You should scan your system for file and folder integrity. You can do this by using tools such as FCIV, TRIPWIRE, and SIGVERIF.


Penetration Testing for Virus (Cont'd)

Scan for modification to OS files: Use tools such as FCIV and TRIPWIRE
Document all the findings
Isolate the machine from network
Update and run antivirus
Find other anti-virus solution to clean viruses

Check the critical OS file modification or manipulation using tools such as TRIPWIRE or manually comparing hash values if you have a backup copy
Document all your findings in previous steps; it helps in determining the next action if viruses are identified in the system
Isolate infected system from the network immediately to prevent further infection
Sanitize the complete system for viruses using an updated anti-virus

Penetration Testing for Viruses (Cont'd)

Step 11: Scan the system for critical OS modifications
You can scan for critical OS file modifications or manipulation using tools such as TRIPWIRE or by manually comparing hash values if you have a backup copy.

Step 12: Document all findings
These findings can help you determine the next action if viruses are identified on the system.

Step 13: Isolate the infected system
Once an infected system is identified, you should isolate it from the network immediately in order to prevent further infection.

Step 14: Sanitize the complete infected system
You should remove virus infections from your system by using the latest updated antivirus software.
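Steps 10 and 11 both come down to the same check that FCIV and TRIPWIRE automate: record a hash of every file while the system is known good, then compare later to find what changed. The following added example (not the course's code and not an implementation of either tool) shows that baseline-and-compare logic; the directory tree, file names and tampering in demo() are constructed for the demonstration. One practical detail it models is keeping the baseline file outside the monitored tree, since a baseline stored on the same host can itself be altered by malware, and since otherwise it would show up as an "added" file on every check.

```python
"""File integrity baseline and check, SHA-256 based (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences: modified (hash changed), added (new file), removed (gone).

    Any entry under "modified" for an OS or service binary is exactly the
    "critical OS file modification" Step 11 asks you to look for.
    """
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "svc.exe").write_bytes(b"original service binary")
    (root / "config.ini").write_text("mode=safe\n")

    # The baseline lives outside the monitored tree (separate temp dir here;
    # read-only or offline media in practice).
    baseline_file = Path(tempfile.mkdtemp()) / "baseline.json"
    save_baseline(build_baseline(root), baseline_file)

    # Simulated tampering: patched binary, deleted config, dropped new file.
    (root / "bin" / "svc.exe").write_bytes(b"original service binary" + b"\x90" * 8)
    (root / "config.ini").unlink()
    (root / "bin" / "dropper.tmp").write_bytes(b"new unknown file")

    return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real host the baseline must be taken from a state you trust (fresh install or verified backup), and the comparison is only as good as the integrity of the stored hashes; that is why dedicated tools sign or otherwise protect their databases.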



Module Summary

□ A virus is a self-replicating program that produces its own code by attaching copies of itself into other executable codes, whereas worms are malicious programs that replicate, execute, and spread across network connections independently without human interaction.
□ Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met.
□ Viruses are categorized according to the file they infect and the way they work.
□ The lifecycle of viruses and worms includes designing, replication, launching, detection, incorporation, and elimination stages.
□ A computer gets infected by viruses, worms, and other malware due to not running the latest antivirus application, not updating and not installing new versions of plug-ins, installing pirated software, opening infected email attachments, or downloading files without properly checking the source.
□ Several virus and worm development kits such as JPS Virus Maker are available in the wild that can be used to create malware without any technical knowledge.


□ Virus detection methods include system scanning, file integrity checking, and monitoring OS requests.
□ Virus and worm countermeasures include installing antivirus software and following antivirus policies for safe computing.
