Viruses and Worms
Module 07
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
  1. Viruses and Worms, Module 07
  2. Ethical Hacking and Countermeasures, Viruses and Worms, Exam 312-50 Certified Ethical Hacker
     Viruses and Worms, Module 07. Engineered by Hackers. Presented by Professionals.
     Ethical Hacking and Countermeasures v8, Module 07: Viruses and Worms, Exam 312-50
     Module 07 Page 1007. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  3. Security News: Global Cyber-Warfare Tactics: New Flame-linked Malware used in "Cyber-Espionage"
     Source: http://www.globalresearch.ca (GlobalResearch, October 19, 2012)
     A new cyber espionage program linked to the notorious Flame and Gauss malware has been detected by Russia's Kaspersky Lab. The antivirus giant's chief warns that global cyber warfare is in "full swing" and will probably escalate in 2013.
     The virus, dubbed miniFlame, and also known as SPE, has already infected computers in Iran, Lebanon, France, the United States, and Lithuania. It was discovered in July 2012 and is described as "a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a statement posted on its website.
     The malware was originally identified as an appendage of Flame, the program used for targeted cyber espionage in the Middle East and acknowledged to be part of joint US-Israeli efforts to undermine Iran's nuclear program.
  4. But later, Kaspersky Lab analysts discovered that miniFlame is an "interoperable tool that could be used as an independent malicious program, or concurrently as a plug-in for both the Flame and Gauss malware." The analysis also showed new evidence of cooperation between the creators of Flame and Gauss, as both viruses can use miniFlame for their operations.
     "MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory," Kaspersky Lab said.
     High-precision attack tool
     So far just 50 to 60 cases of infection have been detected worldwide, according to Kaspersky Lab. But unlike Flame and Gauss, miniFlame is meant for installation on machines already infected by those viruses.
     "MiniFlame is a high-precision attack tool. Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyber attack," Kaspersky's Chief Security Expert Alexander Gostev explained.
     "First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage."
     The newly discovered malware can also take screenshots of an infected computer while it is running a specific program or application such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service, or FTP client. Kaspersky Lab believes miniFlame's developers have probably created dozens of different modifications of the program. "At this time, we have only found six of these, dated 2010-2011," the firm said.
     'Cyber warfare in full swing'
     Meanwhile, Kaspersky Lab's co-founder and CEO Eugene Kaspersky warned that global cyber warfare tactics are becoming more sophisticated while also becoming more threatening. He urged governments to work together to fight cyber warfare and cyber-terrorism, Xinhua news agency reports.
     Speaking at an International Telecommunication Union Telecom World conference in Dubai, the antivirus tycoon said, "cyber warfare is in full swing and we expect it to escalate in 2013."
     "The latest malicious virus attack on the world's largest oil and gas company, Saudi Aramco, last August shows how dependent we are today on the Internet and information technology in general, and how vulnerable we are," Kaspersky said. He stopped short of blaming any particular player behind the massive cyber-attacks across the Middle East, pointing out that "our job is not to identify hackers or cyber-terrorists. Our firm is like an X-ray machine, meaning we can scan and identify a problem, but we cannot say who or what is behind it."
  5. Iran, who confirmed that it suffered an attack by Flame malware that caused severe data loss, blames the United States and Israel for unleashing the cyber-attacks.
     Copyright © 2005-2012 GlobalResearch.ca. By Russia Today.
     http://www.globalresearch.ca/global-cyber-warfare-tactics-new-flame-linked-malware-used-incyber-espionage/5308867
  6. Module Objectives
     - Introduction to Viruses
     - Stages of Virus Life
     - Working of Viruses
     - Indications of Virus Attack
     - How Does a Computer Get Infected by Viruses?
     - Virus Analysis
     - Types of Viruses
     - Virus Maker
     - Computer Worms
     - Worm Analysis
     - Worm Maker
     - Malware Analysis Procedure
     - Online Malware Analysis Services
     - Virus and Worms Countermeasures
     - Antivirus Tools
     - Penetration Testing for Virus
     The objective of this module is to expose you to the various viruses and worms available today. It gives you information about all the available viruses and worms. This module examines the workings of a computer virus, its function, classification, and the manner in which it affects systems. This module will go into detail about the various countermeasures available to protect against these virus infections. The main objective of this module is to educate you about the available viruses and worms, indications of their attack and the ways to protect against various viruses, and testing your system or network against the presence of viruses or worms.
     This module will familiarize you with the topics listed above.
  7. Module Flow
     - Virus and Worms Concepts
     - Types of Viruses
     - Computer Worms
     - Malware Analysis
     - Countermeasures
     - Penetration Testing
     This section introduces you to various viruses and worms available today and gives you a brief overview of each virus and statistics of viruses and worms in the recent years. It lists various types of viruses and their effects on your system. The working of viruses in each phase will be discussed in detail. The techniques used by the attacker to distribute malware on the web are highlighted.
  8. Introduction to Viruses
     - A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document.
     - Viruses are generally transmitted through file downloads, infected disk/flash drives and as email attachments.
     Virus characteristics: alters data; infects other programs; corrupts files and programs; transforms itself; encrypts itself; self-propagates.
     Computer viruses have the potential to wreak havoc on both business and personal computers. Worldwide, most businesses have been infected at some point. A virus is a self-replicating program that produces its own code by attaching copies of it into other executable codes. This virus operates without the knowledge or desire of the user. Like a real virus, a computer virus is contagious and can contaminate other files. However, viruses can infect outside machines only with the assistance of computer users. Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met.
     There are three categories of malicious programs:
     - Trojans and rootkits
     - Viruses
     - Worms
     A worm is a malicious program that can infect both local and remote machines. Worms spread automatically by infecting system after system in a network, and even spreading further to other networks. Therefore, worms have a greater potential for causing damage because they do not rely on the user's actions for execution. There are also malicious programs in the wild that contain all of the features of these three malicious programs.
  9. Virus and Worm Statistics
     [Chart: systems affected by viruses and worms, 2008 to 2012; y-axis 0 to 75,000,000. Source: http://www.av-test.org]
     Source: http://www.av-test.org
     This graphical representation gives detailed information of the attacks that have occurred in the recent years. According to the graph, only 11,666,667 systems were affected by viruses and worms in the year 2008, whereas in the year 2012 the count drastically increased to 70,000,000 systems, which means that the growth of malware attacks on systems is increasing exponentially year by year.
  10. [Figure 7.1: Virus and Worm Statistics. Bar chart of affected systems per year, 2008 to 2012; y-axis 0 to 75,000,000.]
  11. Stages of Virus Life
     - Design: Developing virus code using programming languages or construction kits.
     - Replication: Virus replicates for a period of time within the target system and then spreads itself.
     - Launch: It gets activated with the user performing certain actions such as running an infected program.
     - Detection: A virus is identified as a threat infecting target systems.
     - Incorporation: Antivirus software developers assimilate defenses against the virus.
     - Elimination: Users install antivirus updates and eliminate the virus threats.
     Computer virus attacks spread through various stages from inception to design to elimination.
     1. Design: A virus code is developed by using programming languages or construction kits. Anyone with basic programming knowledge can create a virus.
     2. Replication: A virus first replicates itself within a target system over a period of time.
     3. Launch: It is activated when a user performs certain actions such as triggering or running an infected program.
     4. Detection: A virus is identified as a threat infecting target systems. Its actions cause considerable damage to the target system's data.
  12. 5. Incorporation: Antivirus software developers assemble defenses against the virus.
     6. Elimination: Users are advised to install antivirus software updates, thus creating awareness among user groups.
  13. Working of Viruses: Infection Phase
     - In the infection phase, the virus replicates itself and attaches to an .exe file in the system.
     [Figure: clean file before infection; virus-infected file after infection]
     Viruses attack a target host's system by using various methods. They attach themselves to programs and transmit themselves to other programs by making use of certain events. Viruses need such events to take place since they cannot:
     - Self start
     - Infect other hardware
     - Cause physical damage to a computer
     - Transmit themselves using non-executable files
     Generally viruses have two phases, the infection phase and the attack phase. In the infection phase, the virus replicates itself and attaches to an .exe file in the system. Programs modified by a virus infection can enable virus functionalities to run on that system. Viruses get enabled as soon as the infected program is executed, since the program code leads to the virus code.
     Virus writers have to maintain a balance among factors such as:
     - How will the virus infect?
     - How will it spread?
     - How will it reside in a target computer's memory without being detected?
Obviously, viruses have to be triggered and executed in order to function. There are many ways to execute programs while a computer is running. For example, any setup program calls numerous programs that may be built into a system, and some of these are distribution medium programs. Thus, if a virus program already exists, it can be activated by this kind of execution and infect the additional setup program as well. There are virus programs that infect and keep spreading every time they are executed. Other programs do not infect anything when first executed: they reside in the computer's memory and infect programs at a later time. Terminate-and-stay-resident (TSR) viruses of this kind wait for a specified trigger event and spread at a later stage. It is, therefore, difficult to recognize which event might trigger the execution of a dormant virus infection.

Refer to the figure that follows to see how EXE file infection works. In the figure, the .EXE file's header, when triggered, executes and starts running the application. Once this file is infected, any trigger event from the file's header activates the virus code too, along with the application program, as soon as it is run.

- A file virus infects by attaching itself to an executable system application program. Text files such as source code, batch files, script files, etc., are considered potential targets for virus infections.
- Boot sector viruses execute their own code first, before the target PC is booted.

FIGURE 7.2: Working of Viruses in Infection Phase (left, before infection: clean .exe file; right, after infection: virus-infected file)
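The "infected file" in Figure 7.2 carries the virus code at its tail, with the header's entry point redirected so the virus runs before the application. As an added, defender-side example (this is not code from the EC-Council text), the following Python script parses a PE32 header and flags an entry point that lands in the last section or in a section marked both writable and executable, a layout analysts associate with appended code. The sample headers are constructed inside the script with build_pe; no real binary is needed.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER: name, vsize, vaddr, rawsize, rawptr, reloc, lineno, nreloc, nlineno, chars
SECTION_HDR = "<8sIIIIIIHHI"


def build_pe(sections, entry_rva):
    """Assemble a minimal PE32 header for testing (constructed here, not a real binary).
    sections: list of (name, virtual_address, virtual_size, characteristics)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    opt_size = 224                                          # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    table = b"".join(
        struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return (entry_rva, [(name, vaddr, vsize, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 60)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    entry = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]   # AddressOfEntryPoint
    sec_off = pe_off + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, _, _, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
    return entry, sections


def entry_point_findings(data):
    """Heuristic: which section owns the entry point, and does it look like a normal
    code section? Returns a list of findings; an empty list means nothing unusual."""
    entry, sections = parse_pe(data)
    for idx, (name, vaddr, vsize, chars) in enumerate(sections):
        if vaddr <= entry < vaddr + vsize:
            break
    else:
        return ["entry point lies outside every section"]
    findings = []
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append(f"entry point in last section '{name}'")
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"section '{name}' is writable and executable")
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"section '{name}' is not marked executable")
    return findings


# Constructed samples: a clean layout, and one with an appended W+X section that now owns the entry point.
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = 0x00000040 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN_PE = build_pe([(b".text", 0x1000, 0x2000, CODE), (b".data", 0x3000, 0x1000, DATA)], 0x1010)
SUSPECT_PE = build_pe([(b".text", 0x1000, 0x2000, CODE), (b".data", 0x3000, 0x1000, DATA),
                       (b".added", 0x4000, 0x0400, CODE | IMAGE_SCN_MEM_WRITE)], 0x4000)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PE), ("suspect", SUSPECT_PE)):
        print(label, entry_point_findings(blob) or "no findings")
```

The check is a triage heuristic, not a verdict: runtime packers and some linkers also place the entry point in a trailing section, so a finding should send the file to a hash comparison against a known-good copy or to a sandbox rather than straight to quarantine.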
Working of Viruses: Attack Phase

- Viruses are programmed with trigger events to activate and corrupt systems.
- Some viruses infect each time they are run; others infect only when a certain predefined condition is met, such as a user's specific task, a day, a time, or a particular event.

Once viruses spread themselves throughout the target system, they start corrupting the files and programs of the host system. Some viruses have trigger events that need to be activated to corrupt the host system. Some viruses have bugs that replicate themselves and perform activities such as deleting files and increasing session time. They corrupt their targets only after spreading as intended by their developers. Most viruses that attack target systems perform actions such as:

- Deleting files and altering content in data files, thereby causing the system to slow down
- Performing tasks not related to applications, such as playing music and creating animations
FIGURE 7.3: Working of Viruses in Attack Phase (top, unfragmented files before attack: File A pages 1-3 followed by File B pages 1-3; bottom, files fragmented due to virus attack: the pages of File A and File B interleaved on disk)

Refer to this figure, which has two files, A and B. In the first section, the two files are located one after the other in an orderly fashion. Once virus code infects the files, it alters the positioning of the files that were consecutively placed, leading to inaccurate file allocations and causing the system to slow down as users try to retrieve their files. In this phase:

- Viruses execute when some events are triggered
- Some execute and corrupt via built-in bug programs after being stored in the host's memory
- Most viruses are written to conceal their presence, attacking only after spreading in the host to the fullest extent
Why Do People Create Computer Viruses?

Source: http://www.securitydocs.com

Computer viruses are not self-generated, but are created by cyber-criminal minds, intentionally designed to cause destructive occurrences in a system. Generally, viruses are created with a disreputable motive. Cyber-criminals create viruses to destroy a company's data, as an act of vandalism or a prank, or to destroy a company's products. However, in some cases, viruses are actually intended to be good for a system. These are designed to improve a system's performance by deleting previously embedded viruses from files.

Some reasons viruses have been written include:

- Inflict damage to competitors
- Research projects
- Pranks
- Vandalism
- Attack the products of specific companies
- Cyber terrorism
- Distribute political messages
- Financial gain
- Identity theft
- Spyware
- Cryptoviral extortion
Indications of Virus Attacks

- Processes take more resources and time
- Computer slows down when programs start
- Computer freezes frequently or encounters errors

An effective virus tends to multiply rapidly and may infect a number of machines within three to five days. Viruses can infect Word files which, when transferred, can infect the machines of the users who receive them. A virus can also make good use of file servers in order to infect files. The following are indications of a virus attack on a computer system:

- Programs take longer to load
- The hard drive is always full, even without installing any programs
- The floppy disk drive or hard drive runs when it is not being used
- Unknown files keep appearing on the system
- The keyboard or the computer emits strange or beeping sounds
- The computer monitor displays strange graphics
- File names turn strange, often beyond recognition
- The hard drive becomes inaccessible when trying to boot from the floppy drive
- A program's size keeps changing
- The memory on the system seems to be in use and the system slows down
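Two of the indications above, unknown files appearing and a program's size changing, are exactly what a file-integrity baseline detects. As an added example (not part of the EC-Council text), the Python below records size and SHA-256 for every file under a directory and reports what changed, appeared or vanished between two snapshots. The directory paths and file contents in the sample are constructed for the demonstration; snapshot_dir is the function to point at a real tree.

```python
import hashlib
import os


def fingerprint(data):
    """(size, sha256) for one file's contents; size alone would miss same-length overwrites."""
    return (len(data), hashlib.sha256(data).hexdigest())


def snapshot_dir(root):
    """Walk a real directory tree and fingerprint every regular file (for use on a live system)."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                with open(p, "rb") as fh:
                    snap[p] = fingerprint(fh.read())
            except OSError:
                continue            # locked or unreadable files are skipped, not fatal
    return snap


def snapshot_mem(files):
    """Same output shape as snapshot_dir for an in-memory {path: bytes} mapping (sample use)."""
    return {p: fingerprint(b) for p, b in files.items()}


def compare(baseline, current):
    """Classify differences between two snapshots: files whose size or hash changed,
    files that appeared since the baseline, and files that are now missing."""
    report = {"changed": [], "new": [], "missing": []}
    for p, fp in current.items():
        if p not in baseline:
            report["new"].append(p)
        elif baseline[p] != fp:
            report["changed"].append(p)
    report["missing"] = [p for p in baseline if p not in current]
    for k in report:
        report[k].sort()
    return report


# Constructed sample (not real system files): in the second snapshot calc.exe has grown by
# appended bytes and a file that was never installed has appeared.
BEFORE = {
    r"C:\Tools\calc.exe": b"MZ" + b"\x90" * 100,
    r"C:\Tools\notes.txt": b"keep me",
}
AFTER = {
    r"C:\Tools\calc.exe": b"MZ" + b"\x90" * 100 + b"EXTRA",
    r"C:\Tools\notes.txt": b"keep me",
    r"C:\Tools\svchosts.exe": b"MZ" + b"\x00" * 50,
}


def sample_report():
    return compare(snapshot_mem(BEFORE), snapshot_mem(AFTER))


if __name__ == "__main__":
    print(sample_report())
```

Take the baseline from a machine known to be clean, store it off the host, and compare after booting from trusted media where possible: a stealth virus that intercepts file-system calls (described later in this module) can return the original size and contents to a scanner running on the infected system.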
How Does a Computer Get Infected by Viruses?

There are many ways in which a computer gets infected by viruses. The most popular methods are as follows:

- When a user accepts files and downloads without checking properly for the source.
- Opening infected e-mail attachments. Attackers usually send virus-infected files as email attachments to spread the virus on the victim's system. If the victim opens the mail, the virus automatically infects the system.
- Installing pirated software. Attackers incorporate viruses in popular software programs and upload the infected software on websites intended for downloading software. When the victim downloads the infected software and installs it, the system gets infected.
- Not updating and not installing new versions of plug-ins. Failing to install new versions or update with the latest patches intended to fix known bugs may expose your system to viruses.
- Not running the latest anti-virus application. As technology advances, attackers also design new viruses, and failing to use the latest antivirus applications may expose you to virus attacks.
Common Techniques Used to Distribute Malware on the Web

Source: Security Threat Report 2012 (http://www.sophos.com)

Blackhat Search Engine Optimization (SEO): Using this technique, the attacker ranks malware pages highly in search results.

Social Engineered Click-jacking: The attackers trick users into clicking on innocent-looking web pages that contain malware.

Spearphishing Sites: This technique is used for mimicking legitimate institutions, such as banks, in an attempt to steal account login credentials.

Malvertising: Embeds malware in ad networks that display across hundreds of legitimate, high-traffic sites.

Compromised Legitimate Websites: Host embedded malware that spreads to unsuspecting visitors.

Drive-by Downloads: The attacker exploits flaws in browser software to install malware just by visiting a web page.
Virus Hoaxes and Fake Antiviruses

- Attackers disguise malware as an antivirus and trick users into installing it on their systems
- Once installed, these fake antiviruses can damage target systems just like other malware

Virus Hoaxes

A virus hoax is simply a bluff. Viruses, by their nature, have always created a horrifying impression. Hoaxes are typically untrue scare alerts that unscrupulous individuals send to create havoc. It is fairly common for innocent users to pass these phony messages along, thinking they are helping others avoid the "virus."

- Hoaxes are false alarms claiming reports about non-existing viruses
- These warning messages, which can be propagated rapidly, state that a certain email message should not be opened, and that doing so would damage one's system
- In some cases, these warning messages themselves contain virus attachments
- These possess the capability of vast destruction on target systems

Many hoaxes try to "sell" things that are technically nonsense. Nevertheless, the hoaxer has to be somewhat of an expert to spread hoaxes in order to avoid being identified and caught. Therefore, it is a good practice to look for technical details about how one would become infected. Also search for information in the wild to learn more about the hoax, especially by scanning bulletin boards where people actively discuss current happenings in the community.
Try to cross-check the identity of the person who has posted the warning. Also look for more information about the hoax/warning from secondary sources. Before jumping to conclusions by reading certain documents on the Internet, check the following:

- If it is posted by newsgroups that are suspicious, cross-check the information with another source
- If the person who has posted the news is not a known person in the community or an expert, cross-check the information with another source
- If a government body has posted the news, the posting should also have a reference to the corresponding federal regulation
- One of the most effective checks is to look up the suspected hoax virus by name on antivirus software vendor sites
- If the posting is technical, hunt for sites that would cater to the technicalities, and try to authenticate the information

Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS!

You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEJING' or 'RESIGNATION OF BARACK OBAMA', regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then 'burns' the whole hard C disc of your computer. This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept. COPY THIS E MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US.

End-of-mail

Thanks.

FIGURE 7.3: Hoaxes Warning Message

Fake Antiviruses

Fake antivirus is a method used by hackers to compromise a system; it can poison your system and corrupt the registry and system files to allow the attacker to take full control of, and access to, your computer. It appears and performs similarly to a real antivirus program. Fake antivirus programs first appear in different browsers and warn users that they have various security threats on their system, and this message is backed up by real suspicious viruses. When the user tries to remove the viruses, they are navigated to another page where they need to buy or subscribe to that antivirus and proceed to payment details. These fake antivirus programs have been fabricated in such a way that they draw the attention of the unsuspecting user into installing the software.

Some of the methods used to extend the usage and installation of fake antivirus programs include:

- Email and messaging: Attackers use spam email and social networking messages to spread this type of infected email to users and prompt the user to open the attachments for software installation.
- Search engine optimization: Attackers generate pages related to popular or current search terms and plant them to appear as extraordinary and the latest in search engine results. The web pages show alerts about infection that encourage the user to buy the fake antivirus.
- Compromised websites: Attackers secretly break into popular sites to install the fake antiviruses, which can be used to entice users to download the fake antivirus by relying on the site's popularity.

FIGURE 7.4: Example of a Fake Antivirus
Virus Analysis: DNSChanger

Source: http://www.totaldefense.com

DNSChanger (Alureon) is malware that spreads through emails, social engineering tricks, and untrusted downloads from the Internet. It acts as a bot and can be organized into a botnet and controlled from a remote location. This malware achieves DNS redirection by modifying the system registry key setting against an interface device such as a network card; the value it changes is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%Random CLSID%\NameServer

DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that, as part of the botnet takedown, the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names. It modifies the DNS settings on the victim's PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information.
Virus Analysis: DNSChanger (Cont'd)

Source: http://www.totaldefense.com

The rogue DNS servers can exist in any of the following ranges:

64.28.176.0 - 64.28.191.255
67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255
93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255
213.109.64.0 - 213.109.79.255
FIGURE 7.5: Virus Analysis Using DNSChanger (the victim's computer, whose DNS IP address DNSChanger has changed to 64.28.176.2, asks "What is the IP address of www.xsecurity.com?"; the DNS request goes to the attacker's DNS server in Russia at 64.28.176.2; the answer points to the fake website at 65.0.0.2; DNSChanger sniffs the credentials and redirects the request to the real website www.xsecurity.com at 200.0.0.45)

To infect the system and steal credentials, the attacker has to first run a DNS server. Here the attacker runs his or her DNS server in Russia with an IP of, say, 64.28.176.2. Next, the attacker infects the victim's computer by changing his or her DNS IP address to 64.28.176.2. When this malware has infected the system, it entirely changes the DNS settings of the infected machine and forces all DNS requests to go to the DNS server run by the attacker. After altering the DNS setting, any request that is made by the system is sent to the malicious DNS server. Here, the victim sent the DNS request "What is the IP address of www.xsecurity.com?" to 64.28.176.2. The attacker responded that www.xsecurity.com is located at 65.0.0.2. When the victim's browser connects to 65.0.0.2, it reaches a fake website created by the attacker at IP 65.0.0.2. DNSChanger sniffs the credentials (username, passwords) and redirects the request to the real website (www.xsecurity.com) at IP 200.0.0.45.
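The two DNSChanger pages above give a responder everything needed for a host check: the registry value the malware rewrites and the six address ranges the rogue servers lived in. As an added example (not code from the EC-Council text or from Total Defense), the Python below turns the ranges into networks, audits a set of per-interface NameServer values against them, and, on Windows only, reads those values from the registry path the page names. The interface GUIDs and the clean resolver addresses in the sample are constructed (the latter from the RFC 5737 documentation block); the winreg layout used is an assumption of the standard Tcpip\Parameters\Interfaces structure.

```python
import ipaddress

# The six rogue-server ranges named in the DNSChanger analysis above.
ROGUE_RANGES = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("213.109.64.0", "213.109.79.255"),
]

# Each first-last pair becomes one or more CIDR networks for fast membership tests.
ROGUE_NETWORKS = [
    net
    for lo, hi in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
]


def is_rogue_resolver(ip):
    """True if the address falls inside one of the listed rogue ranges."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False          # empty value, hostname or IPv6 literal: not in scope here
    return any(addr in net for net in ROGUE_NETWORKS)


def audit_name_servers(interfaces):
    """interfaces: {interface_key: NameServer value}. The Windows value is a comma-separated
    string of addresses (space-separated values are tolerated). Returns [(key, bad_ip), ...]."""
    hits = []
    for key, value in interfaces.items():
        for token in value.replace(",", " ").split():
            if is_rogue_resolver(token):
                hits.append((key, token))
    return hits


def read_windows_name_servers():
    """Collect NameServer from every interface subkey under the registry path the page names.
    Returns {} when not running on Windows (assumption: standard winreg layout)."""
    try:
        import winreg
    except ImportError:
        return {}
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(root, i)
            except OSError:
                break         # no more subkeys
            i += 1
            with winreg.OpenKey(root, sub) as k:
                try:
                    value, _ = winreg.QueryValueEx(k, "NameServer")
                except OSError:
                    value = ""   # value absent: DHCP-assigned resolvers
            result[sub] = value
    return result


# Constructed sample: one interface pointed at the server from Figure 7.5, one clean, one DHCP.
SAMPLE_INTERFACES = {
    "{CONSTRUCTED-GUID-0001}": "64.28.176.2",
    "{CONSTRUCTED-GUID-0002}": "192.0.2.53,192.0.2.54",
    "{CONSTRUCTED-GUID-0003}": "",
}

if __name__ == "__main__":
    live = read_windows_name_servers()
    print(audit_name_servers(live or SAMPLE_INTERFACES))
```

A static NameServer value that your organisation never configured is itself a finding, even when the address is outside these ranges: the ranges date from the takedown, and a successor would use different infrastructure.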
Module Flow

- Virus and Worms Concepts
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing

So far, we have discussed viruses and worms. Now we will discuss the different types of viruses. This section describes the different types of viruses.
Types of Viruses

- System or Boot Sector Viruses
- File and Multipartite Viruses
- Cluster Viruses
- Stealth Virus / Tunneling Virus
- Encryption Viruses
- Polymorphic Viruses
- Metamorphic Viruses
- Sparse Infector Viruses
- Direct Action or Transient Viruses

So far, we have discussed various virus and worm concepts. Now we will discuss various types of viruses. This section highlights various types of viruses and worms such as file and multipartite viruses, macro viruses, cluster viruses, stealth/tunneling viruses, encryption viruses, metamorphic viruses, shell viruses, and so on.

Computer viruses are malicious software programs written by attackers to intentionally enter the targeted system without the user's permission. As a result, they affect the security and performance of the machine. A few of the most common types of computer viruses that adversely affect security systems are discussed in detail on the following slides.

Viruses are classified according to two categories:

- What do they infect?
- How do they infect?
What Do They Infect?

System or Boot Sector Viruses

The most common targets for a virus are the system sectors, which are nothing but the Master Boot Record and the DOS Boot Record system sectors. These are the areas on the disk that are executed when the PC is booted. Every disk has a system sector of some sort. They specially infect the floppy boot sectors and records of the hard disk. For example: Disk Killer and Stone virus.

File Viruses

Executable files are infected by file viruses, as they insert their code into the original file and get executed. File viruses are larger in number, but they are not the most commonly found. They infect in a variety of ways and can be found in a large number of file types.

Multipartite Viruses

They infect program files, and this file in turn affects the boot sectors; examples are Invader, Flip, and Tequila.

Cluster Viruses

Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program.

Macro Viruses

Microsoft Word or a similar application can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or something else. Macro viruses are somewhat less harmful than other types. They are usually spread via email.

How Do They Infect?

Stealth Viruses

These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations in respect to these service call interrupts are replaced by virus code. These viruses state false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.

Tunneling Viruses

These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.
Encryption Viruses: This type of virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for encryption.

Polymorphic Viruses: These viruses were developed to confuse antivirus programs that scan for viruses in the system. It is difficult to trace them, since they change their characteristics each time they infect, e.g., every copy of this virus differs from its previous one. Virus developers have even created metamorphic engines and virus writing toolkits that make the code of an existing virus look different from others of its kind.

Metamorphic Viruses: Code that can reprogram itself is called metamorphic code. This code is translated into temporary code and then converted back to the normal code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. It is more effective in comparison to polymorphic code. This type of virus consists of complex, extensive code.

Overwriting File or Cavity Viruses: Some program files have areas of empty space. This empty space is the main target of these viruses. The cavity virus, also known as the space filler virus, stores its code in this empty space. The virus installs itself in this unoccupied space without any destruction to the original code. It installs itself in the file it attempts to infect.

Sparse Infector Viruses: A sparse infector virus infects only occasionally (e.g., every tenth program executed) or only files whose lengths fall within a narrow range.

Companion Viruses: The companion virus stores itself by having the identical filename as the targeted program file. As soon as that file is executed, the virus infects the computer, and hard disk data is modified.

Camouflage Viruses: They disguise themselves as genuine applications of the user. These viruses are not difficult to find, since antivirus programs have advanced to the point where such viruses are easily traced.

Shell Viruses: This virus code forms a layer around the target host program's code that can be compared to an "eggshell," making itself the original program and the host code its subroutine. Here, the original code is moved to a new location by the virus code and the virus assumes its identity.

File Extension Viruses: File extension viruses change the extensions of files; .TXT is safe, as it indicates a pure text file. If your computer's file extensions view is turned off and someone sends you a file named BAD.TXT.VBS, you will see only BAD.TXT.

Add-on Viruses: Most viruses are add-on viruses. This type of virus appends its code to the beginning of the host code without making any changes to the latter. Thus, the virus corrupts the startup information of the host code and places itself in its place, but it does not touch the host code. However, the virus code is executed before the host code. The only indication that the file is corrupted is that the size of the file has increased.

Intrusive Viruses: This form of virus overwrites its code either by completely removing the target host's program code, or sometimes it only overwrites part of it. Therefore, the original code is not executed properly.

Direct Action or Transient Viruses: Transfers all control to the host code where it resides, selects the target program to be modified, and corrupts it.

Terminate and Stay Resident Viruses (TSRs): A TSR virus remains permanently in memory during the entire work session, even after the target host program is executed and terminated. It can be removed only by rebooting the system.
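A defender's hunt for two of the naming tricks listed above, companion files and double extensions, as an added example that is not from the CEH module. It assumes the DOS search order COM, then EXE, then BAT for a bare command name; the directory listing is constructed.

```python
"""Flag directory listings for two naming tricks: a companion file that
shares a program's base name but carries an extension DOS searches first,
and a double extension such as BAD.TXT.VBS that a hidden-extension view
shows as BAD.TXT. Added example; not code from the CEH module.
"""
from collections import defaultdict
from pathlib import PurePosixPath

# DOS resolves a bare command name in this order: COM, then EXE, then BAT
# (known DOS behaviour, stated here as the assumption the check relies on).
DOS_SEARCH_ORDER = [".com", ".exe", ".bat"]

# Script/program extensions that a hidden-extensions view can mask.
EXECUTABLE_EXTS = {".vbs", ".exe", ".com", ".bat", ".scr", ".js", ".pif"}
# Extensions users treat as harmless data; a name ending in one of these
# followed by an executable extension is the BAD.TXT.VBS pattern.
DATA_EXTS = {".txt", ".doc", ".jpg", ".pdf"}


def find_companions(filenames):
    """Return (decoy, original) pairs where a file with an earlier-searched
    extension sits beside a program of the same stem, e.g. WORD.COM next to
    WORD.EXE. Only the decoy would run when the user types 'WORD'."""
    by_stem = defaultdict(dict)
    for name in filenames:
        p = PurePosixPath(name.lower())
        if p.suffix in DOS_SEARCH_ORDER:
            by_stem[p.stem][p.suffix] = name
    pairs = []
    for exts in by_stem.values():
        present = [e for e in DOS_SEARCH_ORDER if e in exts]
        # The first extension in search order shadows every later one.
        for shadowed in present[1:]:
            pairs.append((exts[present[0]], exts[shadowed]))
    return sorted(pairs)


def find_double_extensions(filenames):
    """Return names like BAD.TXT.VBS whose final extension is executable but
    whose preceding extension is a data type a user would expect to be safe."""
    hits = []
    for name in filenames:
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if (len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS
                and suffixes[-2] in DATA_EXTS):
            hits.append(name)
    return hits


# Constructed directory listing for demonstration.
SAMPLE_LISTING = [
    "WORD.EXE", "WORD.COM",      # companion: WORD.COM shadows WORD.EXE
    "EDIT.EXE", "README.TXT",
    "BAD.TXT.VBS",               # shown as BAD.TXT when extensions are hidden
    "report.doc", "photo.jpg.exe",
]

if __name__ == "__main__":
    print("companions:", find_companions(SAMPLE_LISTING))
    print("double extensions:", find_double_extensions(SAMPLE_LISTING))
```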
System or Boot Sector Viruses

Slide: A boot sector virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR. Execution: when the system boots, the virus code is executed first, and then control is passed to the original MBR.

System sector viruses can be defined as those that affect the executable code of the disk, rather than the boot sector virus that affects the DOS boot sector of the disk. Any system is divided into areas, called sectors, where the programs are stored. The two types of system sectors are:

- MBR (Master Boot Record): MBRs are the most virus-prone zones because if the MBR is corrupted, all data will be lost.
- DBR (DOS Boot Record): The DOS boot sector is executed whenever the system is booted. This is the crucial point of attack for viruses.

The system sector consists of 512 bytes of memory. Because of this, system sector viruses conceal their code in some other disk space. The main carrier of system sector viruses is the floppy disk. These viruses generally reside in memory. They can also be caused by Trojans. Some sector viruses also spread through infected files, and they are called multipart viruses.

Virus Removal

System sector viruses are designed to create the illusion that there is no virus on the system. One way to deal with this virus is to avoid the use of the Windows operating system and switch to Linux or Macs, because Windows is more prone to these attacks. Linux and Macintosh have a built-in safeguard to protect against these viruses. The other way is to carry out antivirus checks on a periodic basis.

FIGURE 7.6: System or Boot Sector Viruses (Before Infection: MBR; After Infection: Virus Code, then MBR)
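An integrity check for the 512-byte system sector described above, as an added example written for this page rather than taken from the CEH module. The MBR layout it parses (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) is the standard one; the sectors and the baseline digest are constructed.

```python
"""Integrity check for a 512-byte Master Boot Record. A boot sector virus
replaces the code in the first sector and keeps the original MBR elsewhere,
so the partition table usually still parses while the code region no longer
matches a digest taken when the system was known clean. Added example; not
code from the CEH module.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot code
PARTITION_TABLE_OFF = 446     # four 16-byte entries follow
SIGNATURE = b"\x55\xAA"       # bytes 510..511

# Partition entry: status, CHS start (3 bytes, skipped), type,
# CHS end (3 bytes, skipped), LBA start, sector count; all little-endian.
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector):
    """Split a raw sector into boot code and partition entries.
    Raises ValueError if the sector is not 512 bytes or lacks the 55AA mark."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, PARTITION_TABLE_OFF + 16 * i)
        if ptype != 0:   # type 0 means an unused slot
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": entries}


def boot_code_digest(sector):
    """SHA-256 of the code region only; the partition table is excluded so
    legitimate repartitioning does not trip the check."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_against_baseline(sector, baseline_digest):
    """Compare the live sector with a digest recorded while the system was
    known clean and return a short verdict string."""
    info = parse_mbr(sector)
    if boot_code_digest(sector) != baseline_digest:
        return "ALERT: boot code differs from baseline (%d partition(s) still parse)" % len(info["partitions"])
    return "OK: boot code matches baseline"


def make_sector(boot_code, partitions):
    """Build a constructed 512-byte sector for demonstration."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(struct.pack(ENTRY_FMT, *p) for p in partitions)
    return body + table.ljust(64, b"\x00") + SIGNATURE


# Constructed clean and replaced sectors: same partition table, different code.
PARTITIONS = [(0x80, 0x07, 2048, 409600)]
CLEAN_MBR = make_sector(b"constructed clean boot code", PARTITIONS)
INFECTED_MBR = make_sector(b"constructed replacement code", PARTITIONS)
BASELINE = boot_code_digest(CLEAN_MBR)

if __name__ == "__main__":
    print(check_against_baseline(CLEAN_MBR, BASELINE))
    print(check_against_baseline(INFECTED_MBR, BASELINE))
```

On a live system the same functions can be fed the first 512 bytes read from the raw disk device, with BASELINE stored off-host.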
File and Multipartite Viruses

File Viruses: File viruses infect files that are executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. File viruses can be either direct-action (non-resident) or memory-resident. Overwriting viruses cause irreversible damage to the files. These viruses mainly target a range of operating systems that include Windows, UNIX, DOS, and Macintosh.

Characterizing File Viruses: File viruses are mainly characterized and described based on their physical behavior or characteristics. One way to classify a file virus is by the type of file it targets, such as EXE or COM files, the boot sector, etc. A file virus can also be characterized based on how it infects the targeted file (also known as the host file):

- Prepending: writes itself into the beginning of the host file's code
- Appending: writes itself to the end of the host file
- Overwriting: overwrites the host file's code with its own code
- Inserting: inserts itself into gaps inside the host file's code
- Companion: renames the original file and writes itself with the host file's name
- Cavity infector: writes itself between file sections of a 32-bit file

File viruses are also classified based on whether they are non-memory resident or memory resident. Non-memory resident viruses search for EXE files on a hard drive and then infect them, whereas memory resident viruses stay actively in memory and trap one or more system functions.

File viruses are said to be polymorphic, encrypted, or non-encrypted. A polymorphic or encrypted virus contains one or more decryptors and a main code. The main virus code is decrypted by the decryptor before it starts. An encrypted virus usually uses variable or fixed key decryptors, whereas polymorphic viruses have decryptors that are randomly generated from processor instructions and that consist of a lot of commands that are not used in the decryption process.

Execution of Payload:
- Time bomb: after a specified period of time
- Direct action: immediately upon execution
- Condition triggered: only under certain conditions

Multipartite Viruses: A multipartite virus, also known as a multi-part virus, attempts to attack both the boot sector and the executable or program files at the same time. When the virus is attached to the boot sector, it will in turn affect the system files; the virus then attaches to the files, and this time it will in turn infect the boot sector.

FIGURE 7.7: File and Multipartite Viruses
Macro Viruses

Slide: Infects macro-enabled documents (Attacker to User). Macro viruses infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files. Most macro viruses are written using the macro language Visual Basic for Applications (VBA).

Microsoft Word or similar applications can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or on some other event. Most macro viruses are written using the macro language Visual Basic for Applications (VBA), and they infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files. Macro viruses are somewhat less harmful than other types. They are usually spread via email.

Pure data files do not allow the spread of viruses, but sometimes the line between a data file and an executable file is easily overlooked by the average user due to the extensive macro languages in some programs. In most cases, just to make things easy for users, the line between a data file and a program starts to blur only in cases where the default macros are set to run automatically every time the data file is loaded. Virus writers can exploit common programs with macro capability such as Microsoft Word, Excel, and other Office programs. Windows Help files can also contain macro code. In addition, the latest exploited macro code exists in the full version of the Acrobat program that reads and writes PDF files.

FIGURE 7.8: Macro Viruses (Infects Macro Enabled Documents: Attacker to User)
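A check for the macro storage inside Office Open XML documents, added here as an example and not taken from the CEH module. It assumes the standard OOXML part names word/vbaProject.bin and xl/vbaProject.bin and builds its sample packages in memory.

```python
"""Detect VBA storage inside Office Open XML (.docx/.docm/.xlsx/.xlsm)
packages. Macro code in these files lives in a vbaProject.bin part of the
ZIP container; a package that carries that part under an extension which
claims to be macro-free is the case a mail gateway should look at twice.
Added example; not code from the CEH module.
"""
import io
import zipfile

# Parts that hold VBA in Word and Excel OOXML packages (standard part names).
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin"}
# Extensions whose containers are expected to carry macros.
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm"}


def contains_vba(data):
    """Return True if the ZIP package holds a vbaProject.bin part.
    Non-ZIP input is reported as macro-free rather than raising."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name in VBA_PARTS for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def assess(filename, data):
    """Classify a document as 'no-macros', 'macro-enabled' (extension admits
    it) or 'mismatch' (macros inside a package named like a macro-free
    document or a template posing as an ordinary file)."""
    if not contains_vba(data):
        return "no-macros"
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    return "macro-enabled" if ext in MACRO_EXTS else "mismatch"


def build_package(parts):
    """Constructed minimal OOXML-style ZIP for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed packages: one without macro storage, one with a placeholder part.
PLAIN_DOC = build_package({"[Content_Types].xml": "<Types/>",
                           "word/document.xml": "<w:document/>"})
MACRO_DOC = build_package({"[Content_Types].xml": "<Types/>",
                           "word/document.xml": "<w:document/>",
                           "word/vbaProject.bin": b"constructed placeholder"})

if __name__ == "__main__":
    for name, blob in [("letter.docx", PLAIN_DOC), ("Normal.dotm", MACRO_DOC),
                       ("invoice.docx", MACRO_DOC)]:
        print(name, assess(name, blob))
```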
Cluster Viruses

Slide:
- Cluster viruses modify directory table entries so that they point users or system processes to the virus code instead of the actual program.
- Virus copy: There is only one copy of the virus on the disk, infecting all the programs in the computer system.
- Launch itself: It will launch itself first when any program on the computer system is started, and then control is passed to the actual program.

Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program. When a program is run under DOS, it first loads and executes the virus code, and then the virus locates the actual program and executes it. Dir-2 is an example of this type of virus.

Cluster viruses modify directory table entries so that the directory entries point to the virus code. There is only one copy of the virus on the disk, infecting all the programs in the computer system. It will launch itself first when any program on the computer system is started, and then control is passed to the actual program.
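A detector for the Dir-2 style directory redirection just described, added as an example and not part of the CEH module. The directory tables are constructed; the one assumption is that in a healthy FAT-style directory each file has its own first cluster, so a first cluster shared by several program entries is the trace a single-copy cluster virus leaves.

```python
"""Spot a cluster-virus infection in a FAT-like directory table. Each entry
records the first cluster of a file; a cluster virus points every program
entry at the one cluster holding its own code, so that cluster shows up in
many entries while data files keep their own. Added example; not code from
the CEH module.
"""
from collections import defaultdict

# Constructed directory table: (name, first_cluster, size_bytes).
# A healthy table has a distinct first cluster per file.
CLEAN_TABLE = [
    ("COMMAND.COM", 12, 47845),
    ("EDIT.EXE", 90, 69886),
    ("README.TXT", 130, 2048),
    ("FORMAT.EXE", 134, 22923),
]

# After infection every executable entry points at cluster 4000, where the
# single copy of the virus lives; the text file is untouched.
INFECTED_TABLE = [
    ("COMMAND.COM", 4000, 47845),
    ("EDIT.EXE", 4000, 69886),
    ("README.TXT", 130, 2048),
    ("FORMAT.EXE", 4000, 22923),
]

EXECUTABLE_EXTS = (".COM", ".EXE")


def shared_first_clusters(table):
    """Map each first cluster referenced by more than one entry to the names
    that reference it. FAT treats two files sharing a cluster as cross-linked
    corruption, so any result deserves attention."""
    owners = defaultdict(list)
    for name, first_cluster, _size in table:
        owners[first_cluster].append(name)
    return {c: names for c, names in owners.items() if len(names) > 1}


def suspected_cluster_virus(table):
    """Return the cluster that looks like the virus body, or None.
    Heuristic: one cluster shared by several entries, all of them programs,
    which matches 'one copy on disk infecting all the programs'."""
    for cluster, names in shared_first_clusters(table).items():
        if all(n.upper().endswith(EXECUTABLE_EXTS) for n in names):
            return cluster
    return None


if __name__ == "__main__":
    print("clean:", suspected_cluster_virus(CLEAN_TABLE))
    print("infected:", suspected_cluster_virus(INFECTED_TABLE),
          shared_first_clusters(INFECTED_TABLE))
```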
Stealth/Tunneling Viruses

Slide: These viruses evade the antivirus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the antivirus software's request to read the file and passing the request to the virus instead of the OS. The virus can then return an uninfected version of the file to the antivirus software, so that it appears as if the file is "clean."

Stealth Viruses

These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations through these service call interrupts are replaced by virus code. These viruses report false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.

The stealth virus hides itself from antivirus software by hiding the original size of the file or temporarily placing a copy of itself in some other drive of the system, thus replacing the infected file with the uninfected file that is stored on the hard drive. A stealth virus hides the modifications that it makes. It takes control of the system's functions that read files or system sectors and, when another program requests information that has already been modified by the virus, the stealth virus reports the unmodified information to the requesting program instead. This virus also resides in memory. To avoid detection, these viruses always take over system functions and use them to hide their presence.

One of the carriers of the stealth virus is the rootkit. Installing a rootkit generally results in this virus attack because rootkits are installed via Trojans, and thus are capable of hiding any malware.

Removal:
- Always do a cold boot (boot from a write-protected floppy disk or CD)
- Never use DOS commands such as FDISK to fix the virus
- Use antivirus software

Tunneling Viruses

These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into the BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.

FIGURE 7.9: Working of Stealth/Tunneling Viruses (the antivirus software asks the system for tcpip.sys to scan; the virus hides the infected TCPIP.SYS and hands back the original TCPIP.SYS with "Here you go")
Encryption Viruses

Slide:
- This type of virus uses simple encryption to encipher the code.
- The virus is encrypted with a different key for each infected file.
- An AV scanner cannot directly detect these types of viruses using signature detection methods.

This type of virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for encryption. These viruses generally employ XOR on each byte with a randomized key.

- The virus is enciphered with an encryption key; it consists of a decryption module and an encrypted copy of the code.
- For each infected file, the virus is encrypted by using a different combination of keys, but the decrypting module part remains unchanged. It is not possible for the virus scanner to directly detect the virus by means of signatures, but the decrypting module can be detected.
- The decryption technique employed is to XOR each byte with a randomized key that is generated and saved by the root virus.

FIGURE 7.10: Working of Encryption Viruses (Virus Code becomes Encryption Virus 1, Encryption Virus 2, Encryption Virus 3)
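An illustration of why the constant decryption module, not the per-file encrypted body, is what a signature scanner can match, and how a scanner that reads the key and decodes the body first recovers the body signature. This is an added example, not code from the CEH module; the stub bytes, the key layout (stub, one key byte, XORed body) and the body text are constructed stand-ins.

```python
"""Signature matching against samples built the way the text describes: a
fixed decryption stub, a one-byte key, and a body XORed with that key.
A body signature misses every sample with a nonzero key, a stub signature
hits every sample, and emulating the stub (read key, decode, then match)
hits every sample too. Added example; not code from the CEH module.
"""

# Constructed stand-ins; nothing here is real virus code.
DECRYPTOR_STUB = b"CONSTANT-DECRYPTOR-MODULE"
PLAIN_BODY = b"constructed body text standing in for the actual routine"


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (the text's 'XOR each byte')."""
    return bytes(b ^ key for b in data)


def build_sample(key):
    """Layout: stub | key byte | body XORed with key. Only the stub and the
    key byte are in the clear, matching the description above."""
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(PLAIN_BODY, key)


def scan(sample, signature):
    """Plain substring signature match, the method the text says cannot
    directly detect the encrypted body."""
    return signature in sample


def scan_with_decryptor_awareness(sample, body_signature):
    """Do what the stub would do: take the key byte after the stub, decode
    the remainder, then match the body signature against the plaintext."""
    if not sample.startswith(DECRYPTOR_STUB):
        return False
    key = sample[len(DECRYPTOR_STUB)]
    decoded = xor_bytes(sample[len(DECRYPTOR_STUB) + 1:], key)
    return body_signature in decoded


def evaluate(keys, body_signature=b"actual routine",
             stub_signature=DECRYPTOR_STUB[:12]):
    """Count matches per method across samples encrypted with different keys."""
    samples = [build_sample(k) for k in keys]
    return {
        "samples": len(samples),
        "body_sig": sum(scan(s, body_signature) for s in samples),
        "stub_sig": sum(scan(s, stub_signature) for s in samples),
        "emulated": sum(scan_with_decryptor_awareness(s, body_signature)
                        for s in samples),
    }


if __name__ == "__main__":
    # Four "infected files", each with its own key.
    print(evaluate([0x13, 0x5A, 0xC7, 0xFF]))
```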
Polymorphic Code

Slide:
- Polymorphic code is code that mutates while keeping the original algorithm intact.
- To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine).
- A well-written polymorphic virus therefore has no parts that stay the same on each infection.

Polymorphic viruses modify their code for each replication in order to avoid detection. They accomplish this by changing the encryption module and the instruction sequence. A random number generator is used for implementing polymorphism. A mutation engine is generally used to enable polymorphic code. The mutator provides a sequence of instructions that a virus scanner can use to optimize an appropriate detection algorithm. Slow polymorphic codes are used to prevent antivirus professionals from accessing the codes. Virus samples, which are bait files infected after a single execution, contain a similar copy of the virus. A simple integrity checker is used to detect the presence of a polymorphic virus on the system's disk.

FIGURE 7.11: How Polymorphic Code Works (the user runs an infected program; in RAM the decryptor routine decrypts the virus code and the mutation engine; the virus does the damage, and the encrypted mutation engine (EME), encrypted virus code and a new decryptor routine form a new polymorphic virus)

Polymorphic viruses consist of three components: the encrypted virus code, the decryptor routine, and the mutation engine. The function of the decryptor routine is to decrypt the virus code. It decrypts the code only after taking control over the computer. The mutation engine generates randomized decryption routines. These decryption routines vary every time a new program is infected by the virus. With a polymorphic virus, both the mutation engine and the virus code are encrypted.

When a program that is infected with a polymorphic virus is run by the user, the decryptor routine takes complete control over the system, after which it decrypts the virus code and the mutation engine. Next, control of your system is transferred by the decryption routine to the virus, which locates a new program to infect. In RAM (Random Access Memory), the virus makes a replica of itself as well as of the mutation engine. Then the virus instructs the encrypted mutation engine to generate a new randomized decryption routine, which has the capability of decrypting the virus. Here, this new copy of both the virus code and the mutation engine is encrypted by the virus. Thus, this virus, along with the newly encrypted virus code and encrypted mutation engine (EME), appends this new decryption routine onto a new program, thereby continuing the process.

Polymorphic viruses that are spread by the attacker in targeted systems are difficult to detect because the virus body is encrypted and the decryption routines change from infection to infection, so no two infections look the same; this makes it difficult for the virus scanner to identify the virus.
  46. 46. Ethical Hacking and Countermeasures Viruses and W orm s Exam 312-50 C ertified Ethical Hacker M e ta m o r p h ic V ir u s e s M e ta m o rp h ic V iru s e s M e ta m o rp h ic C o d e Metamorphic viruses rewrite themselves completely each time they are to infect new executable Metamorphic code can reprogram itself by translating its own code into a temporary representation and then back to the normal code again CEH UrtMM itkNjI lUilwt MotaphoR V I by tHE moNTAL D illlei/2 9* For example, W32/Simile consisted of over 14000 lines of assembly code, 90% of it is part of the metamorphic engine E3 M etaphoRV bj •H m LDI# /29* I E tfJTA < h E l a V tA .) arian c T e"U official” V t C .) h n arian at IAHM 1 IL bY iH ni Ntnl cttllller/^JA J fc m tA G 1b B tH• E PH R Y A 1LER/2* r£TAfSC« iCbVlHE n£W dFIIUi/2^ »4l E l [1E b.) V a ria n t B I d .) T h e .D v a ria n t ( w h ic h w a s th e * o ffic ia l' C o f t h e o rig in a l a u th o r) Copyright © by E& Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited. M e ta m o rp h ic V iru se s S o m e v iru s e s r e w r i t e t h e m s e l v e s t o in f e c t n e w l y e x e c u te d files. Such v iru s e s are c o m p le x a n d use m e t a m o r p h i c e n g in e s f o r e x e c u t io n . A c o d e t h a t can r e p r o g r a m it s e lf is c a lle d m e t a m o r p h i c c o d e . T his c o d e is t r a n s l a t e d i n t o t h e t e m p o r a r y c o d e , a n d t h e n c o n v e r t e d b a ck t o t h e n o r m a l c o d e . This t e c h n i q u e , in w h i c h t h e o rig in a l a l g o r i t h m r e m a in s in t a c t , is used t o a v o id p a t t e r n r e c o g n i t i o n o f a n t i v i r u s s o f t w a r e . This is m o r e e f f e c t i v e in c o m p a r i s o n t o p o l y m o r p h i c c o d e . T his t y p e o f v ir u s c o n s is ts o f c o m p le x e x te n s iv e c o d e . 
The commonly known metamorphic viruses are:

Win32/Simile: This virus is written in assembly language and targets Microsoft Windows. The process is complex, and nearly 90% of the virus code is generated by this process.

Zmist: Zmist, also known as Zombie.Mistfall, is the first virus to use the technique called "code integration." This code inserts itself into other code, regenerates the code, and rebuilds the executable.

Module 07 Page 1051
FIGURE 7.12: Metamorphic Viruses Screenshot
a.) Variant A
b.) Variant B
c.) The "Unofficial" Variant C
d.) The .D variant (which was the "official" C of the original author)

Module 07 Page 1052
File Overwriting or Cavity Viruses

A cavity virus overwrites a part of the host file with a constant (usually nulls), without increasing the length of the file and preserving its functionality.

[Slide figure: a document file with a block of null bytes; Original File Size: 45 KB, Infected File Size: 45 KB.]

These are also known as space-fillers since they maintain a constant file size when infected by installing themselves into the target program. They append themselves to the end of files and also corrupt the start of files. This trigger event first activates and executes the virus code, and later the original application program. Some program files have areas of empty space. This empty space is the main target of these viruses. The cavity virus, also known as the space filler virus, stores its code in this empty space. The virus installs itself in this unoccupied space without any destruction to the original code. It installs itself in the file it attempts to infect.
This type of virus is rarely used because it is difficult to write. A newer Windows file format, the Portable Executable, is designed for fast loading of programs. However, it leaves certain gaps in the file while it is being executed that can be used by the space filler virus to insert itself. The most popular virus family of this type is the CIH virus.

FIGURE 7.13: File Overwriting or Cavity Virus (Original File Size: 45 KB; Infected File Size: 45 KB)

Module 07 Page 1053
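Because a cavity infection leaves the file size unchanged (45 KB before and after in the figure), a size-only integrity check misses it. The following is an added example, not part of the CEH material: it keeps a SHA-256 baseline per file and reports files whose digest changed while their size did not. The directory, file names and the in-place overwrite of a null region are constructed for the demonstration only.

```python
"""Integrity baseline that catches cavity-style modification.

A cavity virus fills existing null regions, so the file size stays the same;
only a content digest (here SHA-256) reveals the change.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory):
    """Record (size, digest) for every regular file under `directory`."""
    baseline = {}
    for root, _, files in os.walk(directory):
        for name in files:
            p = Path(root, name)
            rel = str(p.relative_to(directory))
            baseline[rel] = (p.stat().st_size, sha256_file(p))
    return baseline


def compare(directory, baseline):
    """Return {relpath: reason} for files that differ from the baseline.

    'content' alone (same size, different digest) is the cavity signature;
    'size' points at appending or prepending infectors; 'new' and 'missing'
    cover added or removed files.
    """
    changed = {}
    current = build_baseline(directory)
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            changed[rel] = "missing"
            continue
        cur_size, cur_digest = current[rel]
        if cur_size != size:
            changed[rel] = "size"
        elif cur_digest != digest:
            changed[rel] = "content"
    for rel in current.keys() - baseline.keys():
        changed[rel] = "new"
    return changed


def demo():
    """Constructed scenario: a fake program with a 64-byte null region.

    The null bytes are overwritten in place (plain 'X' bytes, not a payload),
    so the size is identical before and after; only the digest differs.
    Returns (size_unchanged, findings).
    """
    with tempfile.TemporaryDirectory() as d:
        target = Path(d, "app.exe")
        target.write_bytes(b"MZ" + b"\x01" * 30 + b"\x00" * 64 + b"\x02" * 30)
        Path(d, "untouched.dll").write_bytes(b"MZ" + b"\x03" * 40)
        baseline = build_baseline(d)
        size_before = target.stat().st_size
        with open(target, "r+b") as f:   # in-place overwrite of the null region
            f.seek(32)
            f.write(b"X" * 64)
        size_after = target.stat().st_size
        return size_before == size_after, compare(d, baseline)


if __name__ == "__main__":
    same_size, findings = demo()
    print("size unchanged:", same_size)
    print("findings:", findings)
```

In practice the baseline would be taken from a known-good image and stored off-host, since a virus that can fill cavities can also rewrite a baseline kept beside the binaries.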
Sparse Infector Viruses

Sparse Infector Virus: A sparse infector virus infects only occasionally (e.g., every tenth program executed), or only files whose lengths fall within a narrow range.

Difficult to Detect: By infecting less often, such viruses try to minimize the probability of being discovered.

Infection Process: Wake up on the 15th of every month and execute code.

Sparse infector viruses infect only occasionally (e.g., every tenth program executed or on a particular day of the week) or only files whose lengths fall within a narrow range. By infecting less often, these viruses try to minimize the probability of being discovered.

FIGURE 7.14: Working of Sparse Infector Viruses (Wake up on the 15th of every month and execute code)

Module 07 Page 1054
Companion/Camouflage Viruses

A companion virus creates a companion file for each executable file the virus infects. Therefore, a companion virus may save itself as notepad.com, and every time a user executes notepad.exe (the good program), the computer will load notepad.com (the virus) and infect the system.

[Slide figure: the virus infects the system with a file notepad.com saved in the c:\winnt\system32 directory; Attacker, Notepad.exe, Notepad.com.]

Companion Viruses

The companion virus stores itself by having the identical file name as the targeted program file. As soon as that file is executed, the virus infects the computer, and hard disk data is modified. Companion viruses exploit the DOS rule that COM files are run before EXE files of the same name. The virus installs an identically named COM file and infects the EXE files.

Source: http://www.cknow.com/vtutor/CompanionViruses.html

Here is what happens: Suppose a companion virus is executing on your PC and decides it is time to infect a file. It looks around and happens to find a file called PGM.EXE. It now creates a file called PGM.COM, containing the virus. The virus usually plants this file in the same directory as the .EXE file, but it could place it in any directory on your DOS path. If you type PGM and press Enter, DOS executes PGM.COM instead of PGM.EXE.
(In order, DOS will execute COM, then EXE, and then BAT files of the same root name, if they are all in the same directory.) The virus executes, possibly infecting more files, and then loads and executes PGM.EXE. The user probably would fail to notice anything is wrong. It is easy to detect a companion virus just by the presence of the extra COM file in the system.

Module 07 Page 1055
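The detection the text describes, the presence of an extra COM file beside an EXE of the same root name, is straightforward to automate. The following is an added example and not code from the CEH material or the cited source: it walks one directory, groups files by root name, and reports every file that would be shadowed under the COM, then EXE, then BAT resolution order given above. The sample directory and file names (PGM.EXE, PGM.COM, NOTEPAD.EXE, README.TXT) are constructed for the demonstration.

```python
"""Report same-named executables that a higher-precedence extension shadows.

This is the footprint a companion virus leaves: PGM.COM next to PGM.EXE means
typing PGM runs the COM file first.
"""
import tempfile
from pathlib import Path

# Resolution order for a command typed without an extension, per the text above.
PRECEDENCE = [".com", ".exe", ".bat"]


def find_companions(directory):
    """Return (shadowing_file, shadowed_file) pairs found in `directory`.

    Matching is case-insensitive on both stem and extension, as on DOS/Windows.
    Each lower-precedence file is paired with the single file that wins.
    """
    by_stem = {}
    for entry in Path(directory).iterdir():
        if not entry.is_file():
            continue
        ext = entry.suffix.lower()
        if ext in PRECEDENCE:
            by_stem.setdefault(entry.stem.lower(), {})[ext] = entry.name
    findings = []
    for stem, exts in sorted(by_stem.items()):
        present = [e for e in PRECEDENCE if e in exts]
        winner = exts[present[0]]
        for shadowed in present[1:]:
            findings.append((winner, exts[shadowed]))
    return findings


def demo():
    """Constructed directory (not a real infection): PGM.EXE has a PGM.COM
    companion; NOTEPAD.EXE stands alone and README.TXT is not executable."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("PGM.EXE", "PGM.COM", "NOTEPAD.EXE", "README.TXT"):
            Path(d, name).write_bytes(b"MZ placeholder")   # content is irrelevant here
        return find_companions(d)


if __name__ == "__main__":
    for shadowing, shadowed in demo():
        print(f"{shadowing} would run instead of {shadowed}")
```

The text also notes the companion may sit in any directory on the path rather than beside the EXE; a fuller sweep would run `find_companions` over every PATH entry and additionally flag a COM or BAT in an earlier PATH directory that shares a stem with an EXE in a later one.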
FIGURE 7.15: Working of Companion/Camouflage Viruses (the virus infects the system with a file notepad.com saved in the c:\winnt\system32 directory; Attacker, Notepad.exe, Notepad.com)

Module 07 Page 1056