CEH Lab Manual
Viruses and Worms
Module 07
Module 07 - Viruses and Worms
Viruses and Worms
A virus is a self-replicating program that produces its own code by attaching copies of it onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met.
Lab Scenario
A computer virus attaches itself to a program or file, enabling it to spread from one computer to another, leaving infections as it travels. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. A blended threat is a more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one single threat. Blended threats can use server and Internet vulnerabilities to initiate, then transmit and also spread an attack. The attacker would normally serve to transport multiple attacks in one payload. Attackers can launch a DoS attack or install a backdoor and maybe even damage a local system or network systems. Since you are an expert Ethical Hacker and Penetration Tester, the IT director instructs you to test the network for any viruses and worms that damage or steal the organization's information. You need to construct viruses and worms and try to inject them in a dummy network (virtual machine) and check whether they are detected by antivirus programs or able to bypass the network firewall.
Lab Objectives
The objective of this lab is to make students learn how to create viruses and worms. In this lab, you will learn how to:
- Create viruses using tools
- Create worms using a worm generator tool
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 07 Viruses and Worms
Lab Environment
To carry this out, you need:
- A computer running Windows Server 2012 as host machine
- Windows Server 2008, Windows 7 and Windows 8 running on virtual machine as guest machine
- A web browser with Internet access
- Administrative privileges to run tools
CEH Lab Manual Page 530
Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Lab Duration
Time: 30 Minutes
Overview of Viruses and Worms
A virus is a self-replicating program that produces its own code by attaching copies of it onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met. Computer worms are malicious programs that replicate, execute, and spread across network connections independently without human interaction. Most worms are created only to replicate and spread across a network, consuming available computing resources. However, some worms carry a payload to damage the host system.
Lab Tasks
TASK 1: Overview
Recommended labs to assist you in creating Viruses and Worms:
- Creating a virus using the JPS Virus Maker tool
- Virus analysis using IDA Pro
- Virus Analysis using VirusTotal
- Scan for Viruses using Kaspersky Antivirus 2013
- Virus Analysis Using OllyDbg
- Creating a Worm Using the Internet Worm Maker Thing
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Creating a Virus Using the JPS Virus Maker Tool
JPS Virus Maker is a tool to create viruses. It also has a feature to convert a virus into a worm.
Lab Scenario
In recent years there has been a large growth in Internet traffic generated by malware, that is, Internet worms and viruses. This traffic usually only impinges on the user when either their machine gets infected or during the epidemic stage of a new worm, when the Internet becomes unusable due to overloaded routers. What is less well-known is that there is a background level of malware traffic at times of non-epidemic growth, and that anyone plugging an unfirewalled machine into the Internet today will see a steady stream of port scans, back-scatter from attempted distributed denial-of-service attacks, and host scans. We need to build better firewalls, protect the Internet router infrastructure, and provide early-warning mechanisms for new attacks. Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behavior, whether they are detected by an antivirus and if they bypass the firewall.
Lab Objectives
The objective of this lab is to make students learn and understand how to make viruses and worms.
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 07 Viruses and Worms
Lab Environment
To carry out the lab, you need:
- JPS tool located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Virus Construction Kits\JPS Virus Maker
- A computer running Windows Server 2012 as host machine
- Windows Server 2008 running on virtual machine as guest machine
- Run this tool on Windows Server 2008
- Administrative privileges to run tools
Lab Duration
Time: 15 Minutes
Overview of Virus and Worms
A virus is a self-replicating program that produces its own code by attaching copies of it onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met.
Lab Tasks
TASK 1: Make a Virus
1. Launch your Windows Server 2008 virtual machine.
Note: Take a snapshot of the virtual machine before launching the JPS Virus Maker tool.
2. Navigate to Z:\CEHv8 Module 07 Viruses and Worms\Virus Construction Kits\JPS Virus Maker.
3. Launch the JPS Virus Maker tool. Installation is not required for JPS Virus Maker. Double-click and launch the jps.exe file.
4. The JPS (Virus Maker 3.0) window appears.
Note: The option Auto Startup is always checked by default and starts the virus whenever the system boots.
FIGURE 1.1: JPS Virus Maker main window. The Virus Options check boxes are: Disable Registry, Disable MsConfig, Disable TaskManager, Disable Yahoo, Disable Media Player, Disable Internet Explorer, Disable Time, Disable Group Policy, Disable Windows Explorer, Disable Norton Anti Virus, Disable McAfee Anti Virus, Disable Note Pad, Disable Word Pad, Disable Windows, Disable DHCP Client, Disable Taskbar, Disable Start Button, Disable MSN Messenger, Disable CMD, Disable Security Center, Disable System Restore, Disable Control Panel, Disable Desktop Icons, Disable Screen Saver, Hide Services, Hide Outlook Express, Hide Windows Clock, Hide Desktop Icons, Hide All Process in Taskmgr, Hide All Tasks in Taskmgr, Hide Run, Change Explorer Caption, Clear Windows XP, Swap Mouse Buttons, Remove Folder Options, Lock Mouse & Keyboard, Mute Sound, Always CD-ROM, Turn Off Monitor, Crazy Mouse, Destroy Taskbar, Destroy Offlines (YIMessenger), Destroy Protected Storage, Destroy Audio Service, Destroy Clipboard, Terminate Windows, Hide Cursor, Auto Startup.
Note: This creation of a virus is only for knowledge purposes; don't misuse this tool.
5. JPS lists the Virus Options; check the options that you want to embed in a new virus file.
Note: A list of names for the virus after install is shown in the Name after Install drop-down list.
FIGURE 1.2: JPS Virus Maker main window with options selected (the same Virus Options check boxes; radio buttons Restart, Log Off, Turn Off, Hibernate, None; Name After Install: Rundll32; Server Name: Sender.exe; Create Virus! button).
6. Select one of the radio buttons to specify when the virus should start attacking the system after creation.
FIGURE 1.3: JPS Virus Maker main window with Restart selected.
Note: A list of server names is present in the Server Name drop-down list. Select any server name.
7. Select the name of the service you want to make the virus behave like from the Name after Install drop-down list.
FIGURE 1.4: JPS Virus Maker main window with the Name after Install option.
8. Select a server name for the virus from the Server Name drop-down list.
Note: Don't forget to change the settings for every new virus creation. Otherwise, by default, it takes the same name as an earlier virus.
FIGURE 1.5: JPS Virus Maker main window with the Server Name option (drop-down entries: Svchost.exe, Kernel32.exe, spoolsv.exe, ALG.EXE).
9. Now, before clicking on Create Virus!, change the settings and virus options by clicking the settings icon.
FIGURE 1.6: JPS Virus Maker main window with the Settings option.
10. Here you see more options for the virus. Check the options and provide related information in the respective text field.
TASK 2: Make a Worm
FIGURE 1.7: JPS Virus Maker Settings option. The settings window offers: Change XP Password, Change Computer Name, Change IE Home Page, Close Custom Window, Disable Custom Service, Disable Custom Process, Open Custom Website, Run Custom Command, Enable Convert to Worm (auto copy to paths) with Copy After (seconds) and Worm Name fields, and Change Icon (Transparent, Love Icon, Flash Icon 1, Flash Icon 2, Font Icon 3, Doc Icon, PDF Icon, JPG Icon, BMP Icon, Help Icon, EXE Icon, BAT Icon, Setup 1 Icon, Setup 2 Icon, ZIP Icon).
Note: You can select any icon from the Change Icon options. A new icon can be added apart from those on the list.
11. You can change the Windows XP password and IE home page, close a custom window, disable a particular custom service, etc.
12. You can even allow the virus to convert to a worm. To do this, check the Enable Convert to Worm check box and provide a Worm Name.
13. For the worm to self-replicate after a particular time period, specify the time (in seconds) in the Copy After field.
14. You can also change the virus icon. Select the type of icon you want to view for the created virus by selecting the radio button under the Change Icon section.
Note: Make sure to check all the options and settings before clicking on Create Virus!
Note: Features: Change XP Password, Change Computer Name, Change IE Home Page, Close Custom Windows, Disable Custom Service, Disable Process, Open Custom Website, Run Custom Command, Enable Convert To Worm (Auto Copy Server To Active Path With Custom Name & Time), Change Custom Icon For Your Created Virus (15 Icons).
FIGURE 1.8: JPS Virus Maker main window with Options.
15. After completing your selection of options, click Create Virus!
FIGURE 1.9: JPS Virus Maker main window with Create Virus! button.
16. A pop-up window with the message Server Created Successfully appears. Click OK.
FIGURE 1.10: JPS Virus Maker Server Created Successfully message.
17. The newly created virus (server) is placed automatically in the same folder as jps.exe but with the name Svchost.exe.
18. Now pack this virus with a binder or virus packager and send it to the victim machine. ENJOY!
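A defender's counterpart to steps 17 and 18, added here as an example and not part of the lab manual or of JPS Virus Maker: the generated server borrows the name of a Windows system binary (Svchost.exe, Kernel32.exe, spoolsv.exe, ALG.EXE or Rundll32 from the drop-downs above), so a triage script can flag any running image that carries one of those names but lives outside the directory where the real one belongs. The process listing and the expected-location table are constructed assumptions of this example.

```python
"""Added example (not from the CEH lab manual): flag process images whose
file name impersonates a Windows system binary but whose on-disk location
is not where that binary legitimately lives.
"""
import ntpath

# Assumed legitimate locations on a default Windows install (assumption of
# this example). kernel32 is a DLL loaded into processes; a stand-alone
# kernel32.exe is never legitimate.
EXPECTED_DIRS = {
    "svchost.exe":  [r"C:\Windows\System32", r"C:\Windows\SysWOW64"],
    "spoolsv.exe":  [r"C:\Windows\System32"],
    "alg.exe":      [r"C:\Windows\System32"],
    "rundll32.exe": [r"C:\Windows\System32", r"C:\Windows\SysWOW64"],
}
NEVER_AN_EXE = {"kernel32.exe"}


def classify(image_path):
    """Return 'ok', 'masquerade' or 'unknown' for one process image path."""
    directory, name = ntpath.split(image_path)
    lname = name.lower()
    if lname in NEVER_AN_EXE:
        return "masquerade"
    expected = EXPECTED_DIRS.get(lname)
    if expected is None:
        return "unknown"          # not a name we track
    # Windows paths are case-insensitive, so compare normalised, lower-cased.
    normalised = ntpath.normpath(directory).lower()
    if normalised in [ntpath.normpath(e).lower() for e in expected]:
        return "ok"
    return "masquerade"


def find_masquerades(listing):
    """listing: iterable of (pid, image_path). Returns the (pid, path) pairs
    whose image name impersonates a system binary from an unexpected place."""
    return [(pid, path) for pid, path in listing
            if classify(path) == "masquerade"]


# Constructed sample process listing (not real telemetry).
SAMPLE_LISTING = [
    (704,  r"C:\Windows\System32\svchost.exe"),
    (1320, r"C:\Windows\System32\spoolsv.exe"),
    (2044, r"C:\Users\Administrator\Desktop\JPS Virus Maker\Svchost.exe"),
    (2108, r"C:\Users\Administrator\AppData\Roaming\Kernel32.exe"),
    (2200, r"C:\Program Files\Notepad++\notepad++.exe"),
    (2300, r"C:\WINDOWS\system32\RUNDLL32.EXE"),
]

if __name__ == "__main__":
    for pid, path in find_masquerades(SAMPLE_LISTING):
        print(f"pid {pid}: {path} impersonates a Windows system binary")
```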
Lab Analysis
Document all the files, created viruses, and worms in a separate location.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: JPS Virus Maker Tool
Information Collected/Objectives Achieved: To make the virus, the following Virus Options are used: Disable Yahoo, Disable Internet Explorer, Disable Norton Antivirus, Disable McAfee Antivirus, Disable Taskbar, Disable Security Restore, Disable Control Panel, Hide Windows Clock, Hide All Tasks in Taskmgr, Change Explorer Caption, Destroy Taskbar, Destroy Offlines (YIMessenger), Destroy Audio Services, Terminate Windows, Auto Startup
Questions
1. Infect a virtual machine with the created viruses and evaluate the behavior of the virtual machine.
2. Examine whether the created viruses are detected or blocked by any antivirus programs or antispyware.
Internet Connection Required: No
Platform Supported: iLabs
Virus Analysis Using IDA Pro
Computer worms are malicious programs that replicate, execute, and spread themselves across network connections independently, without human interaction.
Lab Scenario
Viruses, worms, or Trojans can erase your disk, send your credit card numbers and passwords to a stranger, or let others use your computer for illegal purposes like denial of service attacks. Hacker mercenaries view Instant Messaging clients as their personal banks because of the ease with which they can access your computer via the publicly open and interpretable standards. They unleash a Trojan horse, virus, or worm, as well as gather your personal and confidential information. Since you are an expert ethical hacker and penetration tester, the IT director instructs you to test the network for any viruses and worms that can damage or steal the organization's information. You need to construct viruses and worms, try to inject them in a dummy network (virtual machine), and check their behavior, whether they are detected by any antivirus programs or bypass the firewall of an organization.
Lab Objectives
The objective of this lab is to make students learn and understand how to make viruses and worms to test the organization's firewall and antivirus programs.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms
Lab Environment
To carry out the lab, you need:
- IDA Pro located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Malware Analysis Tools\IDA Pro
- You can also download the latest version of IDA Pro from the link http://www.hex-rays.com/products/ida/index.shtml
- A computer running Windows Server 2012 as host machine
- Windows Server 2008 running on virtual machine as guest machine
- Run this tool on Windows Server 2008
- Administrative privileges to run tools
Lab Duration
Time: 15 Minutes
Overview of Virus and Worms
Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Attackers use worm payloads to install backdoors in infected computers, which turn them into zombies and create botnets; these botnets can be used to carry out further cyber-attacks.
Lab Tasks
TASK 1: IDA Pro
1. Go to the Windows Server 2008 virtual machine.
2. Install IDA Pro, which is located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Malware Analysis Tools\IDA Pro.
3. Open IDA Pro, and click Run in the Open File - Security Warning dialog box.
Note: You have to agree to the license agreement before proceeding further on this tool.
FIGURE 2.1: IDA Pro About (Open File - Security Warning: "The publisher could not be verified. Are you sure you want to run this software?" for idademo63_windows.exe, Publisher: Unknown Publisher; click Run).
4. Click Next to continue the installation.
FIGURE 2.2: IDA Pro Setup (Welcome to the IDA Demo v6.3 Setup Wizard).
Note: Read the License Agreement carefully before accepting.
5. Select the I accept the agreement radio button for the IDA Pro license agreement.
6. Click Next.
Note: Reload the input file. This command reloads the same input file into the database. IDA tries to retain as much information as possible in the database. All the names, comments, segmentation information and similar will be retained.
FIGURE 2.3: IDA Pro license (License Agreement page of the setup wizard showing the SPECIAL DEMO VERSION LICENSE TERMS; I accept the agreement selected).
7. Keep the destination location default, and click Next.
Note: Add breakpoint. This command adds a breakpoint at the current address. If an instruction exists at this address, an instruction breakpoint is created. Otherwise, IDA offers to create a hardware breakpoint, and allows the user to edit breakpoint settings.
FIGURE 2.4: IDA Pro destination folder.
8. Check the Create a desktop icon check box, and click Next.
Note: Trace window. In this window, you can view some information related to all traced events. The tracing events are the information saved during the execution of a program. Different types of trace events are available: instruction tracing events, function tracing events and write, read/write or execution tracing events.
FIGURE 2.5: Creating IDA Pro shortcut (Select Additional Tasks page with Create a desktop icon checked).
9. The Ready to Install window appears; click Install.
Note: Add execution trace. This command adds an execution trace to the current address.
Note: Instruction tracing. This command starts instruction tracing. You can then use all the debugger commands as usual: the debugger will save all the modified register values for each instruction. When you click on an instruction trace event in the trace window, IDA displays the corresponding register values preceding the execution of this instruction. In the 'Result' column of the Trace window, you can also see which registers were modified by this instruction.
FIGURE 2.6: IDA Pro install (Ready to Install page: destination location C:\Program Files (x86)\IDA Demo 6.3; additional task: Create a desktop icon).
10. Click Finish.
FIGURE 2.7: IDA Pro complete installation (Completing the IDA Demo v6.3 Setup Wizard, with Launch IDA Demo checked).
11. The IDA License window appears. Click I Agree.
Note: The configuration files are searched in the IDA.EXE directory. In the configuration files, you can use C, C++ style comments and include files. If no file is found, IDA uses default values.
Note: Compiling an IDC script:
// Compile an IDC script.
// The input should not contain functions that are
// currently executing, otherwise the behavior of the replaced
// functions is undefined.
// input - if isfile != 0, then this is the name of the file to compile,
//         otherwise it holds the text to compile.
// returns: 0 - ok, otherwise it returns an error message.
string CompileEx(string input, long isfile);
FIGURE 2.8: IDA Pro License accepted (IDA License Agreement window showing the SPECIAL DEMO VERSION LICENSE TERMS; click I Agree).
12. Click the New button in the Welcome window.
FIGURE 2.9: IDA Pro Welcome window (IDA: Quick start dialog with New: Disassemble a new file; Go: Work on your own; Previous: Load the old disassembly; Display at startup checked).
Note: Convenience macro:
#define Compile(file) CompileEx(file, 1)
13. A file browse window appears; select Z:\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!\face.exe and click Open.
Function tracing: This command starts function tracing. You can then use all debugger commands as usual; the debugger will save all addresses where a call to a function or a return from a function occurred.

Add/Edit an enum: Action name: AddEnum; Action name: EditEnum. These commands allow you to define and to edit an enum type. You need to specify: the name of the enum, its serial number (1, 2, ...), and the representation of enum members.

FIGURE 2.10: IDA Pro file browse window.

14. The Load a new file window appears. Keep the default settings and click OK. (The dialog loads Z:\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!\face.exe as Portable executable for 80386 (PE) [pe.ldw]; Processor type: Intel 80x86 processors: metapc; Loading segment 0x00000000, Loading offset 0; the default options Create segments, Rename DLL entries, Make imports segment and Create FLAT group are enabled; DLL directory C:\Windows.)

FIGURE 2.11: Load a new file window.

15. If any warning window prompts appear, click OK.
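Before handing a sample to IDA, a practitioner normally records its hashes and checks the header fields the Load a new file dialog reports (PE for 80386, entry point, sections), so the loader's defaults can be sanity-checked rather than trusted. The script below is an added example, not from the lab manual or from IDA Pro; build_sample_pe() constructs a headers-only PE image in memory (no real virus file is read), and its entry address 0x4073E2 is an assumed value chosen to mirror the WinMain address in the lab screenshots.

```python
"""Triage the PE header fields IDA's "Load a new file" dialog reports.

Added example, not from the CEH lab manual or from IDA Pro. The sample
image is constructed inline by build_sample_pe(); no real virus file is read.
"""
import hashlib
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x14C     # shown by IDA as "Intel 80x86 processors: metapc"
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

MACHINE_NAMES = {0x14C: "Intel 80386 (metapc)", 0x8664: "x86-64",
                 0x1C0: "ARM", 0xAA64: "ARM64"}


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header pointer, COFF header, entry point and section table.

    Raises ValueError for anything that is not a well-formed PE so that a
    renamed or truncated sample is reported instead of silently mis-parsed.
    """
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature missing or out of range")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_off + opt_size > len(data):
        raise ValueError("optional header truncated")
    entry_rva, image_base = 0, 0
    if opt_size >= 32:
        magic = struct.unpack_from("<H", data, opt_off)[0]
        entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
        if magic == PE32_MAGIC:
            image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
        elif magic == PE32PLUS_MAGIC:
            image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    sections = []
    for i in range(nsections):
        off = opt_off + opt_size + 40 * i            # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
            "executable": bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)),
        })
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, hex(machine)),
        "entry_va": image_base + entry_rva,
        "sections": sections,
        # IDA's "Empty input file" case: headers only, no executable section
        "nothing_to_disassemble": not any(s["executable"] for s in sections),
    }


def build_sample_pe(sections, entry_rva=0x1000, image_base=0x400000) -> bytes:
    """Construct a headers-only PE32 image for offline testing (constructed data).

    sections: list of (name, virtual_address, characteristics) tuples.
    """
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    opt_size = 0x60
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections),
                           0, 0, 0, opt_size, 0x0102)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = struct.pack("<HBBIIII", PE32_MAGIC, 14, 0, 0x200, 0x200, 0, entry_rva)
    opt += struct.pack("<III", 0x1000, 0x2000, image_base)   # BaseOfCode, BaseOfData, ImageBase
    opt = opt.ljust(opt_size, b"\0")
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    0x100, vaddr, 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, vaddr, chars) in enumerate(sections))
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + opt + table


if __name__ == "__main__":
    # Constructed sample: one code section, one data section; entry picked to
    # mirror the 004073E2 WinMain address seen in the lab screenshots.
    sample = build_sample_pe([(".text", 0x1000, 0x60000020), (".data", 0x2000, 0xC0000040)],
                             entry_rva=0x73E2)
    info = parse_pe(sample)
    print(f"{info['machine_name']}  entry {info['entry_va']:#010x}  sha256 {info['sha256'][:16]}...")
    for s in info["sections"]:
        print(f"  {s['name']:<8} va {s['vaddr']:#08x} raw {s['rawptr']:#06x}+{s['rawsize']:#x} exec={s['executable']}")
    headers_only = build_sample_pe([(".rdata", 0x1000, 0x40000040)])
    print("nothing to disassemble:", parse_pe(headers_only)["nothing_to_disassemble"])
```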
16. The Please confirm window appears; read the instructions carefully and click Yes.

Select appropriate options as per your requirement.

(The prompt reads: "IDA-View has now a new mode: proximity view. This mode allows you to browse the interrelations between functions and data items. When inside a function, a key toggles the proximity viewer and '+' zooms back into a function. Do you want to switch to proximity view now?" with a "Don't display this message again" checkbox.)

FIGURE 2.12: Confirmation wizard.

17. The final window appears after analysis (Functions window, IDA View-A, Hex View-A, Structures, Enums, Imports and Exports tabs; the Output window reports "IDA is analysing the input file... You may start to explore the input file right now.").

TMP or TEMP: Specifies the directory where the temporary files will be created.

Add read/write trace: This command adds a read/write trace to the current address. Each time the given address is accessed in read or write mode, the debugger adds a trace event to the Trace window.

FIGURE 2.13: IDA Pro window after analysis.

18. Click View > Graphs > Flow Chart from the menu bar.

Create alignment directive: Action name: MakeAlignment. This command allows you to create an alignment directive.

FIGURE 2.14: IDA Pro flow chart menu.

19. A Graph window appears with the flow; zoom to view clearly.

Zoom in to have a better view of the details.

FIGURE 2.15: IDA Pro flow chart.
Zoom in to have a better view of the details.

FIGURE 2.16: IDA Pro zoom flow chart.

(The zoomed WinGraph32 graph of WinMain shows blocks that test byte_410004 and dword_4938F8, fill a ServiceStartTable with lpServiceName (offset ServiceName) and lpServiceProc, and call ds:StartServiceCtrlDispatcherA; the status bar reads 85.71% (-153,-240) 8 nodes, 28 edge segments, 0 crossings.)

FIGURE 2.17: IDA Pro zoom flow chart.

20. Click View > Graphs > Function Calls from the menu bar.
Empty input file: The input file doesn't contain any instructions or data, i.e. there is nothing to disassemble. Some file formats allow the situation when the file is not empty but it doesn't contain anything to disassemble. For example, COFF/OMF/EXE formats could contain a file header which just declares that there are no executable sections in the file.

FIGURE 2.18: IDA Pro Function calls menu.

21. A window showing call flow appears; zoom to have a better view.

FIGURE 2.19: IDA Pro call flow of face.
FIGURE 2.20: IDA Pro call flow of face with zoom.

22. Click Windows > Hex View-A.

FIGURE 2.21: IDA Pro Hex View-A menu.

23. The following is a window showing Hex View-A.
(Hex View-A lists the bytes from 004073B2 onward with their ASCII dump; the status bar reads 004073E2: WinMain(x,x,x,x).)

FIGURE 2.22: IDA Pro Hex View-A result.
24. Click Windows > Structures.

FIGURE 2.23: IDA Pro Hex Structure menu.

25. The following is a window showing Structures (to expand structures, click Ctrl and +).
(The Structures window lists CPPEH_RECORD (size 0x18) with members old_esp, exc_ptr and registration of type _EXCEPTION_REGISTRATION, cross-referenced from start and __crtLCMapStringA.)

FIGURE 2.24: IDA Pro Hex Structure result.
26. Click Windows > Enums.

FIGURE 2.25: IDA Pro Enums menu.
27. A window appears, showing the Enum result.
(The Enums window header lists its keys: Ins/Del/Ctrl-E: create/delete/edit enumeration types; N: create/edit a symbolic constant; U: delete a symbolic constant; ';' or ':': set a comment for the current item; for bitfields, H/Ctrl-H: display the bit mask prefixes for the line.)

FIGURE 2.26: IDA Pro Enums result.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: IDA Pro
Information Collected/Objectives Achieved:
File name: face.exe
Output:
View functional calls
Hex view-A
View structures
View enums
Questions
1. Analyze the chart generated with the flow chart and function calls; try to find the possible effect that can be caused by the virus file.
2. Try to analyze more virus files from the location D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!.
Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
3 Virus Analysis Using VirusTotal
Computer worms are malicious programs that replicate, execute, and spread themselves across network connections independently, without human interaction.

ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review

Lab Scenario
In today's online environment it's important to know what risks lie ahead at each click. Every day millions of people go online to find information, to do business, to have a good time. There have been many warnings issued about theft of data: identity theft, phishing scams and pharming; most people have at least heard of denial-of-service attacks and "zombie" computers, and now one more type of online attack has emerged: holding data for ransom. Since you are an expert ethical hacker and penetration tester, the IT director instructs you to test the network for any viruses and worms that can damage or steal the organization's information. In this lab we explain how to analyze a virus using online virus analysis services.
Lab Objectives
The objective of this lab is to make students learn and understand how to make viruses and worms to test the organization's firewall and antivirus programs.
• Analyze virus files over the Internet
Lab Environment
To carry out the lab, you need:
• A computer running Windows Server 2012 as host machine
• A web browser with Internet connection
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 07 Viruses and Worms
Lab Duration
Time: 15 Minutes
Overview of Viruses and Worms
Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Attackers use worm payloads to install backdoors on infected computers, which turns them into zombies and creates botnets; these botnets can be used to carry out further cyber-attacks.
Lab Tasks
TASK 1: VirusTotal Scanning service
1. Open a web browser in the Windows Server 2012 host machine.
2. Access the website http://www.virustotal.com.

(VirusTotal home page in Mozilla Firefox: "VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware." Maximum file size 32MB; by clicking Scan it! you consent to the Terms of Service and allow VirusTotal to share the file with the security community. You may prefer to scan a URL or search through the VirusTotal dataset.)

FIGURE 3.1: VirusTotal Home Page

3. The VirusTotal website is used to analyze viruses online.
4. Click the Choose file button, and select a virus file located in D:\CEHTools\CEHv8 Module 07 Viruses and Worms\Viruses\tini.exe.
5. Click Open.
[Screenshot: Firefox File Upload dialog over the VirusTotal page, browsing CEHv8 Module 07 Viruses and Worms\Viruses. The folder holds the sample folders (Win32.Botvoice.A, Win32.Loretto.E, Win32.Minip2p, worm_cris, ysor, levach, and others) and the files netbus17.rar and tini.exe, with tini.exe selected. A callout notes that you can upload any infected file to analyze.]
FIGURE 3.2: Select a file for Virus analysis
6. Click Scan it!.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms
[Screenshot: VirusTotal home page with the chosen file ready to submit. Maximum file size 32 MB; by clicking Scan it! you consent to the Terms of Service and allow VirusTotal to share the file with the security community.]
FIGURE 3.3: Click Send button to send the files for analysis
7. The selected file will be sent to the server for analysis.
8. Click Reanalyse.
[Screenshot: VirusTotal reports "File already analysed. This file was already analysed by VirusTotal on 2012-09-21 17:32:24. Detection ratio: 40/43. You can take a look at the last analysis or analyse it again now."]
FIGURE 3.4: Sending File
9. The selected file analysis queues are scanned, as shown in the following figure.
[Screenshot: the "Antivirus scan for b7513ee75c68bdec96c814644717e413 at UTC" page. "Your file is at position 4397 in the analysis queue." It lists the SHA256 and the file name tini.exe, with tabs for File details, Comments, Votes and Additional information, and a community comment about the file. You have not signed in; only registered users can leave comments.]
FIGURE 3.5: Scanned File
10. A detailed report will be displayed after analysis.
[Screenshot: VirusTotal report for tini.exe, as printed on the page:
  SHA256: shown in the figure (illegible in this scan)
  SHA1: shown in the figure (illegible in this scan)
  MD5: b7513ee75c68bdec96c814644717e413
  File size: 3.0 KB (3072 bytes)
  File name: tini.exe
  File type: Win32 EXE
  Detection ratio: 39/42
  Analysis date: 2012-09-22 08:56:26 UTC (1 minute ago)
The per-engine table (Antivirus / Result / Update) begins with Agnitum (Backdoor.Tiny!AaycdfDNCwQ, 20120921) and AntiVir (BDS/Tini.B, 20120922).]
FIGURE 3.6: File Queued for analysis
[Screenshot: the per-engine results of the same report, as printed on the page (Antivirus / Result / Update):
  Agnitum        Backdoor.Tiny!AaycdfDNCwQ    20120921
  AntiVir        BDS/Tini.B                   20120922
  Antiy-AVL      Backdoor/Win32.Tiny.gen      20120911
  Avast          Win32:Tiny-XU [Trj]          20120921
  AVG            BackDoor.Tiny.A              20120922
  BitDefender    Backdoor.Tiny.B              20120922
  ByteHero       (no detection)               20120918
  CAT-QuickHeal  Backdoor.Tiny.c.n3           20120922
  ClamAV         Trojan.Tiny-1                20120922
  Commtouch      W32/Malware!da0d             20120921
  Comodo         Backdoor.Win32.Tiny.B        20120922
  DrWeb          BackDoor.Tiny.88             20120922
  Emsisoft       Backdoor.Win32.Tiny.c!IK     20120919
  eSafe          Win32.BackDoor.IQ.B          20120920
]
FIGURE 3.7: Analyzing the file
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: VirusTotal
Information Collected/Objectives Achieved: Scan Report shows:
  SHA256
  SHA1
  MD5
  File size
  File name
  File type
  Detection ratio
  Analysis date
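The report fields listed above are what VirusTotal returns for an upload. The following is an added example, not the lab's or VirusTotal's code, that computes the same identifiers locally and turns per-engine results into the "detected/total" ratio. Hashing locally first matters because, as the upload page states, submitting a file shares it with the security community; the hash alone is enough to search the dataset for a file that has already been analysed. The sample bytes and the engine results are constructed for the example.

```python
"""Local counterpart of the VirusTotal report fields (added example).

Not VirusTotal's code or API: it only computes the identifiers the report
lists and formats engine results the way the 'Detection ratio' line does.
"""
import hashlib
from typing import Dict, List, Optional

# Constructed stand-in for a file under analysis (NOT a real sample):
# a DOS "MZ" header marker padded to 3072 bytes, the size Figure 3.6 shows.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed-sample-not-malware" + b"\x00" * 2978


def file_identity(data: bytes) -> Dict[str, object]:
    """Return the identifiers a VirusTotal report lists for an uploaded file.

    Computing these locally lets an analyst search the dataset by hash
    before deciding whether to upload (and thereby share) the file itself.
    """
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "file_size": len(data),
        # Crude type hint only: an "MZ" signature marks a DOS/PE executable.
        "file_type": "MZ executable" if data[:2] == b"MZ" else "unknown",
    }


def detection_ratio(results: Dict[str, Optional[str]]) -> str:
    """Format per-engine results as VirusTotal's 'detected/total' ratio.

    A result of None means the engine returned no detection for the file.
    """
    detected = sum(1 for verdict in results.values() if verdict)
    return f"{detected}/{len(results)}"


def detecting_engines(results: Dict[str, Optional[str]]) -> List[str]:
    """Engines that flagged the file, sorted by name."""
    return sorted(engine for engine, verdict in results.items() if verdict)


# Constructed engine results, loosely modelled on the table in Figure 3.7
# (engine names as on the page; the verdict strings are illustrative).
SAMPLE_RESULTS: Dict[str, Optional[str]] = {
    "AntiVir": "BDS/Tini.B",
    "Avast": "Win32:Tiny-XU [Trj]",
    "BitDefender": "Backdoor.Tiny.B",
    "ByteHero": None,
}

if __name__ == "__main__":
    for key, value in file_identity(SAMPLE_BYTES).items():
        print(f"{key}: {value}")
    print("Detection ratio:", detection_ratio(SAMPLE_RESULTS))
    print("Detected by:", ", ".join(detecting_engines(SAMPLE_RESULTS)))
```

Run it against a real file by replacing SAMPLE_BYTES with the file's contents; the MD5 and SHA256 it prints are the values to search for on VirusTotal before an upload is considered.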
Questions
1. Analyze more virus files from D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses with the demonstrated process.
Internet Connection Required ☑ Yes ☐ No
Platform Supported ☑ Classroom ☐ iLabs
Scan for Viruses Using Kaspersky Antivirus 2013
Computer worms are malicious programs that replicate, execute, and spread themselves across network connections independently, without human interaction.
ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review
Lab Scenario
Today, many people rely on computers to do work and to create or store useful information. Therefore, it is important for the information on the computer to be stored and kept properly. It is also extremely important for computer users to protect their computers from data loss, misuse, and abuse. For example, it is crucial for businesses to keep their information secure so that hackers cannot access it. Home users also need to take measures to make sure that their credit card numbers are secure when they participate in online transactions. A computer security risk is any action that could cause loss of information, software, or data, processing incompatibilities, or damage to computer hardware. Once you start suspecting that there is spyware on your computer system, you must act at once. The best thing to do is to use spyware remover software. Spyware remover software is a kind of program that scans the computer's files and settings and eliminates those malicious programs that you do not want to keep on your operating system. In this lab, the Kaspersky Antivirus 2013 program detects the malicious programs and vulnerabilities in the system.
Lab Objectives
The objective of this lab is to make students learn and understand how to make viruses and worms to test the organization's firewall and antivirus programs.
Lab Environment
To carry out the lab, you need:
  Kaspersky Antivirus 2013, located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Anti-Virus Tools\Kaspersky Anti-Virus
  You can also download the latest version of Kaspersky Antivirus 2013 from the link http://www.kaspersky.com/anti-virus
  If you decide to download the latest version, then the screenshots shown in the lab might differ
  Run this tool in the Windows 7 virtual machine
  Active Internet connection
Lab Duration
Time: 15 Minutes
Overview of Virus and Worms
Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Attackers use worm payloads to install backdoors in infected computers, which turn them into zombies and create botnets; these botnets can be used to carry out further cyber-attacks.
Lab Tasks
TASK 1: Scan the System to Detect Virus
Note: Before running this lab, take a snapshot of your virtual machine.
1. Start the Windows 7 Virtual Machine.
2. Before scanning the disk, infect the disk with viruses.
3. Open the CEH-Tools folder and browse to the location Z:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses.
4. Double-click the tini.exe file.
[Screenshot: the tini.exe file in the Viruses folder.]
FIGURE 4.1: Tini Virus file
Advanced anti-phishing technologies proactively detect fraudulent URLs and use real-time information from the cloud, to help ensure you're not tricked into disclosing your valuable data to phishing websites.
5. Open the CEH-Tools folder and browse to the location Z:\CEHv8 Module 07 Viruses and Worms\Viruses\netbus17.
6. Double-click the Patch.exe file.
7. Open the CEH-Tools folder and browse to the location Z:\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!.
8. Double-click the face.exe file.
Kaspersky protects against all viruses by combining cloud-based functionality and powerful security technologies that run on your PC.
[Screenshot: the Klez Virus Live! folder, containing face.exe alongside other sample files (Chernobel, AVKillah, Blaster, digital doom, Doomjuice.a, Doomjuice.b, DrDeathviruses, killharddisk, CodeRed.a, Living, Parparosa, and others).]
FIGURE 4.3: Face Virus file
9. Note that these tools will not reflect any changes.
10. Go to the location D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Anti-Virus Tools\Kaspersky Anti-Virus.
Kaspersky Anti-Virus 2013 works behind the scenes, defending you and your PC against viruses, spyware, Trojans, rootkits and other threats.
11. Install the Kaspersky Antivirus 2013 software in Windows 7.
12. While installing, it will ask for activation; click Activate Trial Version and then click Next.
13. The main window of Kaspersky Antivirus 2013 is shown in the figure below.
[Screenshot: Kaspersky Anti-Virus 2013 main window. Status: Computer is protected! Threats: malware; Databases: have not updated for a long time; License: 30 days remaining; Protection components: enabled. Buttons: Scan, Update, Tools, Quarantine, Reports, Settings, Cloud protection, Help, Support, My Kaspersky Account, Licensing.]
FIGURE 4.4: Kaspersky main window
14. Select the Scan icon.
Kaspersky Antivirus 2013 is fully compatible with Microsoft's latest operating system.
[Screenshot: the same main window with the Scan icon highlighted.]
FIGURE 4.5: Kaspersky Scan window
15. Select Full Scan to scan the computer (Windows 7 Virtual Machine).
[Screenshot: Kaspersky Scan window listing the scan types. Full Scan: scans your entire computer; a Full Scan is recommended immediately after installing the application, and may take some time. Critical Areas Scan: a quick scan of objects that are loaded with the operating system at startup; it does not require much time. Vulnerability Scan: scans your system and applications for vulnerabilities that may allow for malicious attacks. For a custom scan of an object, drag it to the drop area or browse for it.]
FIGURE 4.6: Kaspersky Starting full scan
16. It will display the Full scan window. Click Scan now.
Kaspersky Anti-Virus 2013 is optimised so that it does not have a significant impact on network activity, the installation of programs, the launch of web browsers or the launch of programs.
[Screenshot: Full Scan prompt: "Databases are out of date. New threats can be missed during scanning. We strongly recommend to wait until the update is completed." Options: Scan after the update (recommended), where the scan task will be run after the databases are updated; Scan now, where the scan task will be run before the update is completed. "You are using a trial version. You are advised to purchase a commercial version."]
FIGURE 4.7: Scanning process
17. Kaspersky Antivirus 2013 scans the computer. (It will take some time, so be patient.)
Even if your PC and the applications running on it haven't been updated with the latest fixes, Kaspersky Anti-Virus 2013 can prevent exploitation of vulnerabilities by:
  controlling the launch of executable files from applications with vulnerabilities
  analysing the behaviour of executable files for any similarities with malicious programs
  restricting the actions allowed by applications with vulnerabilities
[Screenshot: Task Manager during the Full Scan at 50%, scanning files under C:\Windows\winsxs. Remaining: 9 minutes; Threats: 6; Neutralized: 0; option "When scan is complete keep the computer turned on".]
FIGURE 4.8: Scanning process
18. The Virus Scan window appears; it will ask you to perform a special disinfection procedure.
19. Click Yes, disinfect with reboot (recommended).
The main interface window is optimised to help boost performance and ease of use for many popular user scenarios, including launching scans and fixing problems.
[Screenshot: Kaspersky Anti-Virus 2013 VIRUS SCAN dialog: "Active malware detected. Trojan program: Backdoor.Win32.Netbus.170. Location: c:\Windows\patch.exe. Do you want to perform a special disinfection procedure?" Options: "Yes, disinfect with reboot (recommended)", the most reliable disinfection method, after which the computer will be rebooted (close all running applications and save your data); and "Do not run", where the object will be processed according to the selected action and the computer will not be rebooted. "You are using a trial version. You are advised to purchase a commercial version." Checkbox: Apply to all objects.]
FIGURE 4.9: Detecting the malware
20. The Advanced Disinfection scan will start; it will scan the complete system (this may take some time).
[Screenshot: Task Manager. Advanced Disinfection 49%; Object: C:\Windows\System32\msasn1.dll; Remaining: <1 minute; Scanned: 2,648 files; Threats: 1; Neutralized: 1. Full Scan completed <1 minute ago: Scanned: 83,366 files; Threats: 5; Neutralized: 4.]
FIGURE 4.10: Advanced Disinfection scanning
21. The cleaned viruses will appear, as shown in the following figure.
[Screenshot: Detailed report, Detected threats, Today 9/24/2012. Components: File Anti-Virus, Mail Anti-Virus, Web Anti-Virus, IM Anti-Virus, System Watcher. Scan: Full Scan: completed 33 minutes ago (events: 38, objects: 83366, time: 00:14:33). Group: Full Scan, Events: 38. The event list (Event / Object / Time), as far as legible:
  Will be deleted on reboot       KeyHook.dll   9/24/2012 5:33:55 PM
  Backed up: Backdoor.Win...      KeyHook.dll   9/24/2012 5:33:55 PM
  Detected: Backdoor.Win3...      KeyHook.dll   9/24/2012 5:33:55 PM
  Not processed: Backdoor...      tini.exe      9/24/2012 5:33:55 PM
  Detected: Backdoor.Win3...      tini.exe      9/24/2012 5:33:54 PM
  Will be deleted on reboot       patch.exe     9/24/2012 5:33:40 PM
  Backed up: Backdoor.Win...      patch.exe     9/24/2012 5:33:40 PM
  Detected: Backdoor.Win3...      patch.exe     9/24/2012 5:33:40 PM
  Deleted: Backdoor.Win32...      patch.exe     9/24/2012 5:33:35 PM
  Deleted: Backdoor.Win32...      NetBus.exe    9/24/2012 5:33:34 PM
]
FIGURE 4.11: Cleaned infected files
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: Kaspersky Antivirus 2013
Information Collected/Objectives Achieved: Result: List of detected vulnerabilities in the system
Questions
1. Using the final report, analyze the processes affected by the virus files.
Internet Connection Required ☐ Yes ☑ No
Platform Supported ☑ Classroom ☑ iLabs
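The question above asks for an analysis of the final report. The following is an added example, not the lab's or Kaspersky's code, that parses report lines shaped like the event list in Figure 4.11 and works out, per object, what the scanner finally did with it. The point a practitioner wants from such a report is which objects were only detected or "Not processed" and still need a manual decision, as opposed to those deleted or scheduled for deletion on reboot. The report lines are constructed; the detection names are placeholders except Backdoor.Win32.Netbus.170, which Figure 4.9 shows for patch.exe.

```python
"""Triage of an antivirus scan report (added example, not Kaspersky's code).

Parses report lines shaped like the event list in Figure 4.11 and decides,
per object, what the scanner finally did with it, so that objects reported
as "Not processed" are not mistaken for neutralized ones.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed report lines in the shape of Figure 4.11 (time, object, event).
# Detection names are placeholders except Backdoor.Win32.Netbus.170, which
# the lab's Figure 4.9 shows for patch.exe.
REPORT_LINES = """\
9/24/2012 5:33:34 PM  NetBus.exe   Deleted: Backdoor.Win32.Netbus.170
9/24/2012 5:33:35 PM  patch.exe    Deleted: Backdoor.Win32.Netbus.170
9/24/2012 5:33:40 PM  patch.exe    Detected: Backdoor.Win32.Netbus.170
9/24/2012 5:33:40 PM  patch.exe    Backed up: Backdoor.Win32.Netbus.170
9/24/2012 5:33:40 PM  patch.exe    Will be deleted on reboot
9/24/2012 5:33:54 PM  tini.exe     Detected: Backdoor.Win32.Placeholder.a
9/24/2012 5:33:55 PM  tini.exe     Not processed: Backdoor.Win32.Placeholder.a
9/24/2012 5:33:55 PM  KeyHook.dll  Detected: Backdoor.Win32.Placeholder.a
9/24/2012 5:33:55 PM  KeyHook.dll  Backed up: Backdoor.Win32.Placeholder.a
9/24/2012 5:33:55 PM  KeyHook.dll  Will be deleted on reboot
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s{2,}"
    r"(?P<object>\S+)\s{2,}(?P<event>.+?)\s*$"
)


@dataclass
class ReportEvent:
    time: datetime
    obj: str
    action: str                 # e.g. "Detected", "Deleted", "Not processed"
    detection: Optional[str]    # signature name, if the event carries one


def parse_report(text: str) -> List[ReportEvent]:
    """Parse report lines; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        action, _, detection = m.group("event").partition(": ")
        events.append(ReportEvent(
            time=datetime.strptime(m.group("time"), "%m/%d/%Y %I:%M:%S %p"),
            obj=m.group("object"),
            action=action,
            detection=detection or None,
        ))
    return events


# The final state of an object is decided by its chronologically last event.
FINAL_STATE = {
    "Deleted": "deleted",
    "Will be deleted on reboot": "pending reboot",
    "Not processed": "not processed",
    "Detected": "detected only",
    "Backed up": "detected only",   # a backup alone is not a removal
}


def object_status(events: List[ReportEvent]) -> Dict[str, str]:
    """Map each object to the outcome of its last recorded event."""
    by_object: Dict[str, List[ReportEvent]] = defaultdict(list)
    for ev in events:
        by_object[ev.obj].append(ev)
    status: Dict[str, str] = {}
    for obj, evs in by_object.items():
        # sorted() is stable, so events with equal timestamps keep file order
        last = sorted(evs, key=lambda e: e.time)[-1]
        status[obj] = FINAL_STATE.get(last.action, "unknown")
    return status


def summarize(events: List[ReportEvent]) -> Dict[str, object]:
    """Counts in the style of the scan window (Threats / Neutralized), plus
    the objects that still need a manual decision."""
    status = object_status(events)
    neutralized = {"deleted", "pending reboot"}
    return {
        "threats": len(status),
        "neutralized": sum(1 for s in status.values() if s in neutralized),
        "outstanding": sorted(o for o, s in status.items() if s not in neutralized),
    }


if __name__ == "__main__":
    evs = parse_report(REPORT_LINES)
    for obj, state in sorted(object_status(evs).items()):
        print(f"{obj:12} {state}")
    print(summarize(evs))
```

On the constructed lines, tini.exe is the one object left outstanding: its last event is "Not processed", which matches the lab's observation that the scan window counted more threats than it neutralized before the reboot-based disinfection ran.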
Lab
Virus Analysis Using OllyDbg
OllyDbg is a debugger that emphasises binary code analysis, which is useful when source code is not available. It traces registers, recognises procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries.
ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review
Lab Scenario
There are literally thousands of malicious logic programs, and new ones come out all the time, so it is important to keep up to date with the new ones that come out. Many websites keep track of this. There is no known method for providing 100% protection for any computer or computer network from computer viruses, worms, and Trojan horses, but people can take several precautions to significantly reduce their chances of being infected by one of those malicious programs. Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. In this lab, OllyDbg is used to analyze a virus's registers, procedures, API calls, tables, libraries, constants, and strings.
Lab Objectives
The objective of this lab is to make students learn and understand analysis of viruses.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms
Lab Environment
To carry out the lab, you need:
  OllyDbg tool, located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Debugging Tool\OllyDbg
  A computer running Windows Server 2012 as host machine
  You can also download the latest version of OllyDbg from the link http://www.ollydbg.de/
  Run this tool on Windows Server 2012
  Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
Overview of OllyDbg
The debugging engine is now more stable, especially if one steps into the exception handlers. There is a new debugging option, "Set permanent breakpoints on system calls." When active, it requests OllyDbg to set breakpoints on KERNEL32.UnhandledExceptionFilter(), NTDLL.KiUserExceptionDispatcher(), NTDLL.ZwContinue(), and NTDLL.NtQueryInformationProcess().
Lab Tasks
TASK 1: Debug a Virus
1. Launch the OllyDbg tool. Installation is not required for OllyDbg. Double-click and launch the ollydbg.exe file.
2. The OllyDbg window appears.
[Screenshot: OllyDbg main window (menus File, View, Debug, Trace, Options, Windows, Help). Title: OllyDbg v2.00 (intermediate version - under development!). Status: Ready.]
You can also download the latest version of OllyDbg from the link http://www.ollydbg.de
FIGURE 5.1: OllyDbg main window
3. Go to File from the menu bar and click Open...
4. Browse to D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Virus Total\tini.exe.
5. Click Open.
Data formats. Dump windows display data in all common formats: hexadecimal, ASCII, UNICODE, 16- and 32-bit signed/unsigned/hexadecimal integers, 32/64/80-bit floats, addresses, disassembly (MASM, IDEAL, HLA or AT&T).
[Screenshot: "Select 32-bit executable and specify arguments" dialog. Look in: Virus Total; Name: tini.exe (Date modified 6/23/2005 4:03 AM); File name: tini.exe; Files of type: Executable file (*.exe); Arguments: empty; buttons Open and Cancel.]
FIGURE 5.2: Select tini.exe in Virus Total
6. The output of CPU - main thread, module tini is shown in the following figure.
OllyDbg can debug multithread applications. You can switch from one thread to another, suspend, resume and kill threads or change their priorities.
[Screenshot: OllyDbg - tini.exe, CPU - main thread, module tini, paused at the entry point of the main module (EIP 00401000). The disassembly pane, as far as legible (the CALL targets are not readable in this copy):
  00401000  68 14304000             PUSH OFFSET tini.00403014
  00401005  68 01010000             PUSH 101
  0040100A  E8 B7020000             CALL
  0040100F  6A 06                   PUSH 6
  00401011  6A 01                   PUSH 1
  00401013  6A 02                   PUSH 2
  00401015  E8 D0020000             CALL
  0040101A  A3 02314000             MOV DWORD PTR DS:[403102],EAX
  0040101F  66:C705 06314000 0200   MOV WORD PTR DS:[403106],2
  00401028  C705 00314000 00000000  MOV DWORD PTR DS:[403100],0
  00401032  66:C705 08314000 1E61   MOV WORD PTR DS:[403108],611E
  0040103B  6A 10                   PUSH 10
  0040103D  68 06314000             PUSH OFFSET tini.00403106
  00401042  FF35 02314000           PUSH DWORD PTR DS:[403102]
  00401048  E8 85020000             CALL
  0040104D  6A 05                   PUSH 5
Registers: EAX 754E83CD (KERNEL32.754E83CD), ECX 00000000, EDX 00401000, EBX 7F4D9000, ESP 0018FF88, EBP 0018FF90, ESI 00000000, EDI 00000000, EIP 00401000; EFL 00000246; LastErr 00000000 ERROR_SUCCESS. The dump pane shows tini's data section at 00403000 (mostly zero bytes) and the stack pane shows return addresses into KERNEL32 (754E830B) and ntdll (77D99A3F).]
FIGURE 5.3: CPU utilization of tini.exe
7. Click View from the menu bar, and then click Log (Alt+L).
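The listing in Figure 5.3 stores a few constants into tini's data section and then passes a pointer into that area to a call. The following is an added example, not part of the lab, of OllyDbg, or of the sample, showing how an analyst can re-derive such a structure from the stores alone: it parses a transcription of the listing, reassembles the bytes at the address pushed before the third CALL, and decodes them as a sockaddr_in. Treating that buffer as a sockaddr_in, and the three calls as WSAStartup/socket/bind, is an assumption drawn from the argument pattern (PUSH 101; PUSH 2, 1, 6; then a length of 10h, a pointer, and the saved EAX); the listing does not name its call targets.

```python
"""Rebuild the structure that the tini.exe listing writes to memory
(added example; not part of the lab, of OllyDbg, or of the sample).

From the MOV-to-memory stores visible in Figure 5.3 it reassembles the
bytes at the address later PUSHed as a pointer (tini.00403106) and decodes
them as a sockaddr_in. Reading the buffer as a sockaddr_in and the CALLs
as WSAStartup/socket/bind is an inference from the argument pattern.
"""
import re
import socket
import struct
from typing import Dict, List

# Disassembly transcribed from Figure 5.3 (CALL targets are not legible).
LISTING = """\
00401000  PUSH OFFSET tini.00403014
00401005  PUSH 101
0040100A  CALL
0040100F  PUSH 6
00401011  PUSH 1
00401013  PUSH 2
00401015  CALL
0040101A  MOV DWORD PTR DS:[403102],EAX
0040101F  MOV WORD PTR DS:[403106],2
00401028  MOV DWORD PTR DS:[403100],0
00401032  MOV WORD PTR DS:[403108],611E
0040103B  PUSH 10
0040103D  PUSH OFFSET tini.00403106
00401042  PUSH DWORD PTR DS:[403102]
00401048  CALL
"""

STORE_RE = re.compile(r"MOV (DWORD|WORD) PTR DS:\[([0-9A-F]+)\],([0-9A-F]+)$")


def pushed_arguments(listing: str, call_index: int) -> List[str]:
    """Operands PUSHed before the N-th CALL (0-based), in argument order.

    stdcall/cdecl callees see the last-pushed value as their first
    argument, so the push order is reversed.
    """
    args: List[str] = []
    calls_seen = 0
    for line in listing.splitlines():
        _addr, text = line.split(None, 1)
        if text.startswith("CALL"):
            if calls_seen == call_index:
                return list(reversed(args))
            calls_seen += 1
            args = []
        elif text.startswith("PUSH "):
            args.append(text[len("PUSH "):])
    return []


def immediate_stores(listing: str) -> Dict[int, bytes]:
    """Collect MOV [addr],imm stores as {address: little-endian bytes}."""
    stores: Dict[int, bytes] = {}
    for line in listing.splitlines():
        m = STORE_RE.search(line)
        if not m:       # register stores (EAX) and other instructions are ignored
            continue
        width, addr, imm = m.groups()
        size = 4 if width == "DWORD" else 2
        stores[int(addr, 16)] = int(imm, 16).to_bytes(size, "little")
    return stores


def memory_image(stores: Dict[int, bytes], base: int, length: int) -> bytes:
    """Lay the stores over a zero-filled window [base, base+length).

    Assumption: bytes the code never writes stay zero, as the dump pane at
    00403000 in Figure 5.3 shows for this data section.
    """
    image = bytearray(length)
    for addr, data in stores.items():
        for i, b in enumerate(data):
            offset = addr + i - base
            if 0 <= offset < length:
                image[offset] = b
    return bytes(image)


def decode_sockaddr_in(buf: bytes) -> Dict[str, object]:
    """Decode 16 bytes as sockaddr_in: family in host order, port and
    address in network (big-endian) order."""
    family = struct.unpack("<H", buf[0:2])[0]
    port = struct.unpack("!H", buf[2:4])[0]
    return {
        "family": socket.AddressFamily(family).name,
        "port": port,
        "address": socket.inet_ntoa(buf[4:8]),
    }


def describe_socket_call(listing: str = LISTING) -> Dict[str, object]:
    """Name the constants pushed for the second CALL, assuming it is socket()."""
    family, kind, proto = (int(a, 16) for a in pushed_arguments(listing, 1))
    return {"family": socket.AddressFamily(family).name,
            "type": socket.SocketKind(kind).name,
            "protocol": proto}


def analyse_listing(listing: str = LISTING) -> Dict[str, object]:
    """Locate the buffer from the third CALL's arguments (handle, pointer,
    length in argument order), then decode it."""
    _handle, pointer, length = pushed_arguments(listing, 2)
    base = int(pointer.rsplit(".", 1)[1], 16)       # "OFFSET tini.00403106"
    buf = memory_image(immediate_stores(listing), base, int(length, 16))
    return decode_sockaddr_in(buf)


if __name__ == "__main__":
    print(describe_socket_call())
    print(analyse_listing())
```

The x86 immediate 611E is stored little-endian (bytes 1E 61), and sockaddr_in carries its port big-endian, so the port the structure names is 0x1E61, that is 7777 decimal; the unset address bytes decode as 0.0.0.0. Whether the call that receives this structure is bind() is, again, an inference, which the Log window and Executable modules view in the following steps (which list WSOCK32.dll among the loaded modules) can be used to confirm.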
Full UNICODE support. All operations available for ASCII strings are also available for UNICODE, and vice versa. OllyDbg is able to recognize UTF strings.
[Screenshot: OllyDbg - tini.exe with the View menu open: Log, Executable modules, Memory map, Threads, CPU, Watches, Search results, Run trace, INT3 breakpoints, Memory breakpoints, Hardware breakpoints, File... Status bar: Open Log window; Paused.]
FIGURE 5.4: Select log information
8. The output of log data of tini.exe is shown in the following figure.
OllyDbg supports all common kinds of breakpoints: INT3, memory and hardware. You may specify number of passes and set conditions for pause.
[Screenshot: OllyDbg - tini.exe, Log data window (Address / Message), as far as legible:
  OllyDbg v2.00 (intermediate version - under development!)
  File 'D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Virus Total\tini.exe'
  New process (ID 000011F4) created
  00401000  Main thread (ID 00000060) created
  00260000  Unload module 00260000
  754C0000  Unload module 754C0000
  00400000  Module D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Virus Total\tini.exe
  74E80000  Module C:\Windows\SYSTEM32\WSOCK32.dll
            Different PE headers in file and in memory (System update is pending?)
            Module C:\Windows\SYSTEM32\bcryptPrimitives.dll
            Different PE headers in file and in memory (System update is pending?)
            Module C:\Windows\SYSTEM32\CRYPTBASE.dll
            Different PE headers in file and in memory (System update is pending?)
  754C0000  Module C:\Windows\SYSTEM32\KERNEL32.DLL
            Different PE headers in file and in memory (System update is pending?)
  768E0000  Module C:\Windows\SYSTEM32\RPCRT4.dll
            Different PE headers in file and in memory (System update is pending?)
  76990000  Module C:\Windows\SYSTEM32\NSI.dll
            Different PE headers in file and in memory (System update is pending?)
  Entry point of main module
Status bar: Paused.]
FIGURE 5.5: Output of Log data information of tini.exe
9. Click View from the menu bar, and click Executable modules (Alt+E).
10. The output of Executable modules is shown in the following figure.
C EH Lab Manual Page 572
Watches: a watch is an expression evaluated each time the program pauses. You can use registers, constants, address expressions, Boolean and algebraical operations of any complexity.

[Figure 5.6 screenshot: OllyDbg - tini.exe, Executable modules window listing Base, Size, Entry, Name, File version and Path for WSOCK32, bcryptPrimitives, CRYPTBASE, SspiCli, KERNEL32, RPCRT4, NSI, sechost, WS2_32, msvcrt, KERNELBASE and ntdll (file versions 6.2.8400.0, msvcrt 7.0.8400.0) loaded from C:\Windows\SYSTEM32; status bar reads "Entry point of main module", Paused]
FIGURE 5.6: Output of executable modules of tini.exe
11. Click View from the menu bar, and then click Memory Map (Alt+M).
12. The output of Memory Map is shown in the following figure.
OllyDbg supports four different decoding modes: MASM, Ideal, HLA and AT&T.

[Figure 5.7 screenshot: OllyDbg - tini.exe, Memory map window with columns Address, Size, Owner, Section, Contains, Type, Access and Initial access; rows cover the stack of the main thread, the tini module (PE header, .text code, .rdata imports, .data) and the mapped DLLs (WSOCK32, bcryptPrimitives, CRYPTBASE, SspiCli, KERNEL32, ...), shown as Priv, Map or Img regions with R, RW, RE and RWE CopyOnWrite access; status bar reads "Entry point of main module", Paused]
FIGURE 5.7: Output of Memory map of tini.exe
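The Memory map view lists every region of the debugged process with its Owner, Section, Contains, Type and Access. As an added example that is not part of the lab manual or of OllyDbg, the Python script below reads a constructed text rendering of that column layout and applies two checks an analyst runs over such a map: private (non-image) memory that is executable, and image sections that are writable and executable at the same time. All row values are made-up sample data, not the real map of tini.exe.

```python
"""Triage an OllyDbg-style Memory map listing (added example, not lab or OllyDbg code).

The sample below is a constructed text rendering of the Memory map columns
(Address, Size, Owner, Section, Contains, Type, Access, Initial access).
Empty cells are written as '-', and the addresses and sizes are made up.
"""
from dataclasses import dataclass

# Constructed sample, not tini.exe's real memory map.
SAMPLE_MEMORY_MAP = """\
Address  Size     Owner    Section Contains  Type Access Initial access
00190000 00004000 -        -       Stack     Priv RW     RW Guarded
00400000 00001000 tini     -       PE_header Img  R      RWE CopyOnW
00401000 00001000 tini     .text   Code      Img  RE     RWE CopyOnW
00402000 00001000 tini     .rdata  Imports   Img  R      RWE CopyOnW
00403000 00001000 tini     .data   Data      Img  RW     RWE CopyOnW
00404000 00001000 tini     .stub   Code      Img  RWE    RWE CopyOnW
00550000 00003000 -        -       -         Priv RWE    RWE
754C0000 00001000 KERNEL32 -       PE_header Img  R      RWE CopyOnW
754D0000 000B1000 KERNEL32 .text   Code      Img  RE     RWE CopyOnW
"""


@dataclass
class Region:
    address: int
    size: int
    owner: str
    section: str
    contains: str
    type_: str    # Priv (private), Img (mapped image/module), Map (mapped file)
    access: str   # current page protection, e.g. R, RW, RE, RWE
    initial: str  # protection when the region was first mapped


def _cell(value: str) -> str:
    """Turn the '-' placeholder used for empty cells back into an empty string."""
    return "" if value == "-" else value


def parse_memory_map(text: str) -> list:
    """Parse the whitespace-separated rendering into Region records."""
    regions = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Address"):
            continue  # skip blank lines and the header row
        parts = line.split(None, 7)  # only the last column may contain spaces
        if len(parts) != 8:
            raise ValueError(f"malformed row: {line!r}")
        addr, size, owner, section, contains, type_, access, initial = parts
        regions.append(Region(int(addr, 16), int(size, 16), _cell(owner),
                              _cell(section), _cell(contains), type_, access, initial))
    return regions


def module_bases(regions: list) -> dict:
    """Base address of each loaded module: the region that holds its PE header.

    This is the same Base value the Executable modules view reports.
    """
    return {r.owner: r.address for r in regions if r.contains == "PE_header"}


def module_footprint(regions: list, owner: str) -> int:
    """Total bytes mapped for one module (sum of the sizes of its regions)."""
    return sum(r.size for r in regions if r.owner == owner)


def suspicious_regions(regions: list) -> list:
    """Flag the regions an analyst would look at first, ordered by address.

    1. Private memory with execute permission: code that lives outside any
       module mapped from disk (typical of injected or unpacked code).
    2. Image sections that are writable and executable at the same time:
       code that can rewrite itself while it runs.
    """
    findings = []
    for r in sorted(regions, key=lambda x: x.address):
        if r.type_ == "Priv" and "E" in r.access:
            findings.append((r.address, "executable private memory outside any module"))
        elif r.type_ == "Img" and "W" in r.access and "E" in r.access:
            findings.append((r.address, f"writable+executable section {r.section} of {r.owner}"))
    return findings


if __name__ == "__main__":
    regs = parse_memory_map(SAMPLE_MEMORY_MAP)
    for name, base in module_bases(regs).items():
        print(f"{name:10s} base={base:08X} mapped={module_footprint(regs, name):X} bytes")
    for addr, why in suspicious_regions(regs):
        print(f"{addr:08X}  {why}")
```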
12. Click View from the menu bar, and then click Threads (Alt+T).
13. The output of Threads is shown in the following figure.
[Figure 5.8 screenshot: OllyDbg - tini.exe, Threads window with columns Ordinal, Ident, Window's title, Last error, Entry, TIB, Suspend, Priority and User time; one thread belonging to tini with last error ERROR_SUCCESS (0); status bar reads "Entry point of main module", Paused]
FIGURE 5.8: Output of threads
Lab Analysis
Document all the files, created viruses, and worms in a separate location.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: OllyDbg
Information Collected/Objectives Achieved:
Result:
■ CPU - main thread
■ Log data
■ Executable modules
■ Memory map
■ Threads
Questions
1. Using the final report, analyze the processes affected by the virus files.
Internet Connection Required: □ Yes  ☑ No
Platform Supported: ☑ Classroom  ☑ iLabs
Creating a Worm Using Internet Worm Maker Thing
Internet Worm Maker Thing is a tool to create worms. It also has a feature to convert a virus into a worm.
ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario
In recent years there has been a large growth in Internet traffic generated by malware, that is, internet worms and viruses. This traffic usually only impinges on the user when either their machine gets infected or during the epidemic stage of a new worm, when the Internet becomes unusable due to overloaded routers. What is less well-known is that there is a background level of malware traffic at times of non-epidemic growth and that anyone plugging an unfirewalled machine into the Internet today will see a steady stream of port scans, back-scatter from attempted distributed denial-of-service attacks, and host scans. We must build better firewalls, protect the Internet router infrastructure, and provide early-warning mechanisms for new attacks.
Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behavior: whether they are detected by an antivirus and whether they bypass the firewall.
Lab Objectives
The objective of this lab is to make students learn and understand how to make viruses and worms.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Lab Environment
To carry out the lab, you need:
■ Internet Worm Maker Thing located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Worms Maker\Internet Worm Maker Thing\Generator.exe
■ A computer running Windows Server 2012 as host machine
■ Run this tool on Windows Server 2012
■ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes
Overview of Virus and Worms
A virus is a self-replicating program that produces its own code by attaching copies of it onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met.
Lab Tasks
TASK 1: Make a Worm
1. Launch the Internet Worm Maker Thing tool. Installation is not required for Internet Worm Maker Thing. Double-click and launch the Generator.exe file.
2. The Internet Worm Maker Thing window appears.
Note: Take a snapshot of the virtual machine before launching the Internet Worm Maker Thing tool.

[Figure 6.1 screenshot: Internet Worm Maker Thing: Version 4.00: Public Edition, main window with the Worm Name, Author, Version, Message and Output Path fields, the Payloads, Startup, Infection Options and Extras check-box groups, and the Control Panel with the Generate Worm button]
FIGURE 6.1: Internet Worm Maker Thing main window
3. Enter a Worm Name, Author, Version, Message, and Output Path for the created worm.
4. Check the Compile to EXE support check box.
5. In Startup, select the English Startup check box.

The option Auto Startup is always checked by default and starts the virus whenever the system boots.
A list of names for the virus after install is shown in the Name after Install drop-down list.

[Figure 6.2 screenshot: Internet Worm Maker Thing: Version 4.00: Public Edition, with Worm Name JBWorm, Author juggyboy, Output Path C:\Worm, Compile To EXE Support and English Startup checked]
FIGURE 6.2: Select the options for creating worm
6. Select the Activate Payloads on Date radio button, and for Chance of activating payloads, enter 5.
7. Check the Hide All Drives, Disable Task Manager, Disable keyboard, Disable Mouse and Message Box check boxes.
8. Enter Title and Message, and select Icon as Information from the drop-down list.
9. Check the Disable Regedit, Disable Explorer.exe and change Reg owner check boxes.
[Figure 6.3 screenshot: Internet Worm Maker Thing: Version 4.00: Public Edition, with Activate Payloads On Date selected, Hide All Drives, Disable Task Manager, Disable Keyboard, Disable Mouse, Message Box, Disable Regedit, Disable Explorer.exe and Change Reg Owner checked, and the Message Box title, message and Information icon filled in]
FIGURE 6.3: Select the option for creating worm
10. Check the Change Homepage check box. In the URL field, enter http://www.powrgym.com.
11. Check the Disable Windows Security, Disable Norton Security, Uninstall Norton Script Blocking, Disable Macro Security, Disable Run Command, Disable Shutdown, Disable Logoff, Disable Windows Updates, No Search Command, Swap Mouse button, and Open Webpage check boxes.
12. Check the Change IE Title bar, change Win Media Player Txt, Open Cd drive, and Lock workstation check boxes.

Don't forget to change the settings for every new virus creation. Otherwise, by default, it takes the same name as an earlier virus.
[Figure 6.4 screenshot: Internet Worm Maker Thing: Version 4.00: Public Edition, with Change Homepage (URL www.powergym.com), Disable Windows Security, Disable Norton Security, Uninstall Norton Script Blocking, Disable Macro Security, Disable Run Command, Disable Shutdown, Disable Logoff, Disable Windows Update, No Search Command, Swap Mouse Buttons, Open Webpage, Change IE Title Bar, Open Cd Drives and Lock Workstation checked]
FIGURE 6.4: Select the option for creating worm
13. Check the Print Message, Disable System Restore, and Change NOD32 Text check boxes.
14. Enter a Title and Message in the respective fields.
15. Enter the URL as http://www.powrgym.com and the Sender Name as juggyboy.
16. Check the Mute speakers, Delete a Folder, Change Wallpaper, and CPU Monster check boxes.
17. Select the Change Time check box and enter hour and min in the respective fields.
[Figure 6.5 screenshot: Internet Worm Maker Thing: Version 4.00: Public Edition, with Message Box title "Hacked", message "your system is Hacked", Information icon, Disable Regedit, Disable Explorer.exe, Change Reg Owner (juggyboy) and Change Reg Organisation checked]
FIGURE 6.5: Select the option for creating worm
18. Check the Change Date check box, and enter the DD, MM, YY in the respective fields.
19. Check the Loop Sound, Hide Desktop, Disable Malware Remove, Disable Windows File Protection, Corrupt Antivirus, and Change Computer Name check boxes.
20. Check the Change Drive Icon, Add To Context Menu, Change Clock Text, Keyboard Disco, and Add To Favorites check boxes.
[Figure 6.6 screenshot: Internet Worm Maker Thing: Version 4.00: Public Edition, with Loop Sound, Hide Desktop, Disable Malware Remove, Disable Windows File Protection, Corrupt Antivirus, Change Computer Name, Change Drive Icon, Add To Context Menu, Change Clock Text, Keyboard Disco and Add To Favorites checked]
FIGURE 6.6: Select the option for creating worm
21. Check the Exploit Windows Admin Lockout Bug and Blue Screen of Death check boxes.
22. Check the Infect Bat Files check box from Infection Options.
23. Check the Hide Virus Files check box from Extras.
24. Click Generate Worm in Control Panel.
[Figure 6.7 screenshot: Internet Worm Maker Thing: Version 4.00: Public Edition, with Exploit Windows Admin Lockout Bug, Blue Screen Of Death, Infect Bat Files and Hide Virus Files checked, and the Generate Worm button in the Control Panel]
FIGURE 6.7: Select the option for creating worm
25. The worm is successfully created. The following window appears. Click OK.

[Dialog: Information! Your new worm.vbs has been made! OK]

26. The created worm.vbs file is located at the C: drive.
Lab Analysis
Document all the files, created viruses, and worms in a separate location.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: Internet Worm Maker Thing
Information Collected/Objectives Achieved:
To make worms, the following options are used:
■ Hide all drives
■ Disable Task Manager
■ Disable keyboard
■ Disable mouse
■ Message box
■ Disable Regedit
■ Disable Explorer.exe
■ Change Reg Owner
■ Change Home Page
■ Disable Windows security
■ Disable Norton security
■ Disable Run command
■ Disable shutdown
Questions
1. Examine whether the created worms are detected or blocked by any antivirus or antispyware programs.
Internet Connection Required: □ Yes  ☑ No
Platform Supported: ☑ Classroom  ☑ iLabs