Module 07
Ethical Hacking and Countermeasures v8
Module 07: Viruses and Worms    Exam 312-50
Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Security News

Global Cyber-Warfare Tactics: New Flame-linked Malware used in Cyber-Espionage

Source: http://www.globalresearch.ca
October 19, 2012

A new cyber espionage program linked to the notorious Flame and Gauss malware has been detected by Russia's Kaspersky Lab. The antivirus giant's chief warns that global cyber warfare is in "full swing" and will probably escalate in 2013.

The virus, dubbed miniFlame, and also known as SPE, has already infected computers in Iran, Lebanon, France, the United States, and Lithuania. It was discovered in July 2012 and is designed "to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a statement posted on its website.

The malware was originally identified as an appendage of Flame - the program used for targeted cyber espionage in the Middle East and acknowledged to be part of joint US-Israeli efforts to undermine Iran's nuclear program. But later, Kaspersky Lab analysts discovered that miniFlame is an "interoperable tool that could be used as an independent malicious program, or concurrently as a plug-in for both the Flame and Gauss malware."

The analysis also showed new evidence of cooperation between the creators of Flame and Gauss, as both viruses can use miniFlame for their operations. "MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory," Kaspersky Lab said.

High-precision attack tool

So far just 50 to 60 cases of infection have been detected worldwide, according to Kaspersky Lab. But unlike Flame and Gauss, miniFlame is meant for installation on machines already infected by those viruses.

"MiniFlame is a high-precision attack tool. Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyber attack," Kaspersky's Chief Security Expert Alexander Gostev explained. "First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage."

The newly-discovered malware can also take screenshots of an infected computer while it is running a specific program or application such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service or FTP client.

Kaspersky Lab believes miniFlame's developers have probably created dozens of different modifications of the program. "At this time, we have only found six of these, dated 2010-2011," the firm said.

Cyber warfare in full swing

Meanwhile, Kaspersky Lab's co-founder and CEO Eugene Kaspersky warned that global cyber warfare tactics are becoming more sophisticated while also becoming more threatening. He urged governments to work together to fight cyber warfare and cyber-terrorism, Xinhua news agency reports.

Speaking at an International Telecommunication Union Telecom World conference in Dubai, the antivirus tycoon said, "cyber warfare is in full swing and we expect it to escalate in 2013."

"The latest malicious virus attack on the world's largest oil and gas company, Saudi Aramco, last August shows how dependent we are today on the Internet and information technology in general, and how vulnerable we are," Kaspersky said.

He stopped short of blaming any particular player behind the massive cyber-attacks across the Middle East, pointing out that "our job is not to identify hackers or cyber-terrorists. Our firm is like an X-ray machine, meaning we can scan and identify a problem, but we cannot say who or what is behind it."

Iran, who confirmed that it suffered an attack by Flame malware that caused severe data loss, blames the United States and Israel for unleashing the cyber-attacks.

Copyright 2005-2012 GlobalResearch.ca. By Russia Today
http://www.globalresearch.ca/global-cyber-warfare-tactics-new-flame-linked-malware-used-incyber-espionage/5308867
Module Objectives

The objective of this module is to expose you to the various viruses and worms in circulation today and to how they work. The module examines the workings of a computer virus, its function, classification, and the manner in which it affects systems, and goes into detail about the countermeasures available to protect against virus infections. Its main objective is to educate you about the viruses and worms you are likely to encounter, the indications of their attack, the ways to protect against them, and how to test your system or network for the presence of viruses or worms. This module will familiarize you with:

- Introduction to Viruses
- Stages of Virus Life
- Working of Viruses
- Indications of Virus Attack
- How Does a Computer Get Infected by Viruses
- Virus Analysis
- Types of Viruses
- Virus Maker
- Computer Worms
- Worm Analysis
- Worm Maker
- Malware Analysis Procedure
- Online Malware Analysis Services
- Virus and Worms Countermeasures
- Antivirus Tools
- Penetration Testing for Virus
Module Flow

1. Virus and Worms Concept
2. Types of Viruses
3. Computer Worms
4. Malware Analysis
5. Countermeasures
6. Penetration Testing

This section introduces you to the various viruses and worms in circulation today and gives you a brief overview of each virus and of virus and worm statistics in recent years. It lists various types of viruses and their effects on your system. The working of viruses in each phase will be discussed in detail. The techniques used by attackers to distribute malware on the web are highlighted.
Introduction to Viruses

- A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document
- Viruses are generally transmitted through file downloads, infected disk/flash drives and as email attachments

Virus characteristics: alters data; corrupts files and programs; transforms itself; encrypts itself; self-propagates.

Computer viruses have the potential to wreak havoc on both business and personal computers. Most businesses have been infected at some point. A virus is a self-replicating program that produces its own code by attaching copies of itself to other executable code. The virus operates without the knowledge or consent of the user. Like a biological virus, a computer virus is contagious and can contaminate other files. However, viruses can infect other machines only with the assistance of computer users. Some viruses act as soon as their code is executed; others lie dormant until a pre-determined logical condition is met. There are three categories of malicious programs:

- Trojans and rootkits
- Viruses
- Worms
[Figure: virus and worm statistics by year, 2008 to 2012; y-axis from 0 to 75,000,000]
Stages of Virus Life

Computer virus attacks pass through various stages, from inception and design to elimination:

1. Design: Virus code is developed using programming languages or construction kits. Anyone with basic programming knowledge can create a virus.
2. Replication: The virus first replicates itself within the target system over a period of time, and then spreads.
3. Launch: The virus is activated when a user performs certain actions, such as running an infected program.
4. Detection: The virus is identified as a threat infecting target systems. Its actions cause considerable damage to the target systems' data.
5. Incorporation: Antivirus software developers assimilate defenses against the virus into their products.
6. Elimination: Users install the antivirus updates and eliminate the virus threat; awareness spreads among user groups.
Working of Viruses: Infection Phase

Viruses attack a target host's system by using various methods. They attach themselves to programs and transmit themselves to other programs by making use of certain events. Viruses need such events to take place since they cannot:

- Start themselves
- Infect other hardware
- Cause physical damage to a computer
- Transmit themselves through files that contain no executable content

Generally viruses have two phases, the infection phase and the attack phase. In the infection phase, the virus replicates itself and attaches to an .exe file in the system. Programs modified by a virus infection can enable virus functionalities to run on that system. Viruses get enabled as soon as the infected program is executed, since the program code leads to the virus code. Virus writers have to maintain a balance among factors such as:

- How will the virus infect?
- How will it spread?
- How will it reside in a target computer's memory without being detected?

Some virus programs do not infect other programs when first executed. They reside in a computer's memory and infect programs at a later time. Such virus programs, known as TSR (terminate and stay resident) viruses, wait for a specified trigger event to spread at a later stage. It is, therefore, difficult to recognize which event might trigger the execution of a dormant virus infection.

Refer to the figure that follows to see how EXE file infection works. The .EXE file's header, when triggered, executes and starts running the application. Once this file is infected, any trigger event from the file's header activates the virus code too, along with the application program, as soon as it is run.

- A file virus infects by attaching itself to an executable system application program. Text files such as source code, batch files, script files, etc., are also considered potential targets for virus infection.
- Boot sector viruses execute their own code first, before the target PC's operating system is loaded.
[Figure: EXE file infection, before infection (clean .exe file) and after infection (virus-infected file)]
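The infection-phase symptoms described above (the entry point redirected so that the header leads to the virus code first, and virus code sitting past the end of the original program) can be checked statically, without running the file. The following Python script is an added example, not code from the CEH material: it builds two constructed, non-loadable minimal PE images, a clean one and one patched the way an appending file infector would patch it, parses the headers according to the PE/COFF layout and reports the indicators. The section layout, the addresses and the 0x80-byte overlay are made up for the example.

```python
import struct

# Section flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = "<8sIIIIIIHHI"


def build_pe(entry_rva, data_flags, overlay=b""):
    """Constructed minimal PE32 image (not loadable; only the headers matter here):
    a .text section holding a single RET and a .data section, then an optional overlay."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=i386, NumberOfSections=2, SizeOfOptionalHeader=224, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 224, 0x0102)
    # Optional header: Magic=PE32, linker versions, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint; the remaining fields stay zero
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0x200, 0x200, 0, entry_rva)
    opt += b"\x00" * (224 - len(opt))
    sections = [
        (b".text", 0x200, 0x1000, 0x200, 0x200,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x100, 0x2000, 0x200, 0x400, data_flags),
    ]
    hdrs = b"".join(struct.pack(SECTION_HDR, n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                    for n, vs, va, rs, rp, fl in sections)
    header = dos + b"PE\x00\x00" + coff + opt + hdrs
    header += b"\x00" * (0x200 - len(header))   # pad up to the first raw section
    text = b"\xC3" + b"\x00" * 0x1FF             # RET, then padding
    data = b"\x00" * 0x200
    return header + text + data + overlay


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) read from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24          # optional header follows the 4-byte signature and 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        n, vs, va, rs, rp, *_, fl = struct.unpack_from(SECTION_HDR, data, opt + opt_size + i * 40)
        sections.append({"name": n.rstrip(b"\x00").decode(), "va": va, "vsize": vs,
                         "rawptr": rp, "rawsize": rs, "flags": fl})
    return entry_rva, sections


def check_pe(data):
    """Header-level indicators of an appending file infector."""
    entry_rva, sections = parse_pe(data)
    findings = []
    home = next((s for s in sections
                 if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if home is None:
        findings.append("entry point outside every section")
    elif not home["flags"] & IMAGE_SCN_CNT_CODE:
        findings.append(f"entry point in non-code section {home['name']}")
    for s in sections:
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']} is writable and executable")
    end_of_image = max(s["rawptr"] + s["rawsize"] for s in sections)
    if len(data) > end_of_image:
        findings.append(f"{len(data) - end_of_image} bytes of overlay after the last section")
    return findings


# Constructed samples: a clean image, and the same image after an infector redirected the
# entry point into .data, marked .data executable and appended its own code as an overlay.
CLEAN = build_pe(0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
INFECTED = build_pe(0x2010, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE,
                    overlay=b"\x90" * 0x80)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, check_pe(image) or ["no indicators"])
```

None of these indicators is proof of infection on its own (packers and self-extracting installers also produce overlays and executable data sections), which is why the script returns the list of findings for an analyst rather than a verdict.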
Working of Viruses: Attack Phase

- Viruses are programmed with trigger events to activate and corrupt systems
- Some viruses infect each time they are run and others infect only when a certain predefined condition is met, such as a user's specific task, a day, a time, or a particular event

Once viruses have spread themselves throughout the target system, they start corrupting the files and programs of the host system. Some viruses have trigger events that need to be activated before they corrupt the host system. Some viruses have bugs that, as they replicate, perform activities such as deleting files and increasing session time. They corrupt their targets only after spreading as intended by their developers. Most viruses that attack target systems perform actions such as:

- Deleting files and altering content in data files, thereby causing the system to slow down
- Performing tasks not related to applications, such as playing music and creating animations

[Figure: unfragmented files before attack (File A, pages 1 to 3, followed by File B, pages 1 to 3) and the same files fragmented due to virus attack (pages of File A and File B interleaved)]

Refer to this figure, which has two files, A and B. In section one, the two files are located one after the other in an orderly fashion. Once virus code infects the file, it alters the positioning of the files that were consecutively placed, thus leading to inaccuracy in file allocations and causing the system to slow down as users try to retrieve their files. In this phase:

- Viruses execute when some events are triggered
- Some execute and corrupt via built-in bug programs after being stored in the host's memory
- Most viruses are written to conceal their presence, attacking only after spreading in the host to the fullest extent
Why Do People Create Computer Viruses?

Source: http://www.securitydocs.com

Computer viruses are not self-generated, but are created by cyber-criminal minds, intentionally designed to cause destructive occurrences in a system. Generally, viruses are created with a disreputable motive. Cyber-criminals create viruses to destroy a company's data, as an act of vandalism or a prank, or to destroy a company's products. However, in some cases, viruses are actually intended to be good for a system; these are designed to improve a system's performance by deleting previously embedded viruses from files. Some reasons viruses have been written include:

- Inflicting damage on competitors
- Research projects
- Pranks
- Vandalism
- Attacking the products of specific companies
- Distributing political messages
- Financial gain
Indications of Virus Attack

- Processes take more resources and time
- Computer slows down when programs start
- Computer freezes frequently or encounters errors
How Does a Computer Get Infected by Viruses?

There are many ways in which a computer gets infected by viruses. The most common are as follows:

- A user accepts files and downloads without properly checking their source.
- Attackers usually send virus-infected files as email attachments to spread the virus to the victim's system. If the victim opens the attachment, the virus infects the system.
- Attackers incorporate viruses into popular software programs and upload the infected software to websites intended for software downloads. When the victim downloads the infected software and installs it, the system gets infected.
- Failing to install new versions or to update with the latest patches intended to fix known bugs may expose your system to viruses.
- As technology advances, attackers keep designing new viruses. Failing to use the latest antivirus applications and signatures may expose you to virus attacks.
Common Techniques Used to Distribute Malware on the Web

Source: Security Threat Report 2012 (http://www.sophos.com)

- Blackhat Search Engine Optimization (SEO): Ranking malware pages highly in search results
- Malvertising: Embedding malware in ad networks that display across hundreds of legitimate, high-traffic sites
- Compromised Legitimate Websites: Hosting embedded malware that spreads to unsuspecting visitors
- Spearphishing Sites: Mimicking legitimate institutions, such as banks, in an attempt to steal account login credentials
- Drive-by Downloads: Exploiting flaws in browser software to install malware just by visiting a web page
Virus Hoaxes
Many hoaxes try to "sell" things that are technically nonsense. Nevertheless, the hoaxer has to be somewhat of an expert to spread hoaxes without being identified and caught. Therefore, it is good practice to look for technical details about how one would actually become infected. Also search for information in the wild to learn more about the hoax, especially by scanning bulletin boards where people actively discuss current happenings in the community.

Try to cross-check the identity of the person who posted the warning, and look for more information about the hoax/warning from secondary sources. Before jumping to conclusions from documents read on the Internet, check the following:

- If it is posted by newsgroups that are suspicious, cross-check the information with another source
- If the person who posted the news is not a known person in the community or an expert, cross-check the information with another source
- If a government body has posted the news, the posting should also have a reference to the corresponding federal regulation
- One of the most effective checks is to look up the suspected hoax virus by name on antivirus software vendor sites
- If the posting is technical, hunt for sites that cater to the technicalities, and try to authenticate the information

Sample hoax email:

Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS! You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEIJING' or 'RESIGNATION OF BARACK OBAMA', regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then 'burns' the whole hard C disc of your computer. This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept. COPY THIS E MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US. End-of-mail. Thanks.
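The checklist above can be turned into a first-pass filter for incoming "virus warnings". The following Python script is an added example, not code from the CEH material: it scores a message against heuristics drawn from the checklist (forwarding pleas, appeals to named authorities, "no fix yet" claims, superlatives, physically impossible damage, a shouting subject line and the absence of any reference URL). The hoax sample is the chain letter shown above; the vendor advisory used as the contrasting sample, including its example.com URL, is constructed, and the threshold of three points is an arbitrary choice.

```python
import re

# One heuristic per entry; each match scores one point. \s+ is used instead of
# literal spaces so wrapped lines still match.
HOAX_RULES = [
    ("forwarding plea",
     re.compile(r"\b(forward|send|copy)\s+(this|it)\s+(to|among)\b", re.I)),
    ("appeal to authority",
     re.compile(r"\b(announced|classified|confirmed|reported)\s+by\s+"
                r"(cnn|microsoft|mcafee|norton|symantec|ibm|aol)\b", re.I)),
    ("no-fix claim",
     re.compile(r"\bno\s+(repair|fix|cure|vaccine|antidote)\b", re.I)),
    ("superlative",
     re.compile(r"\b(worst|most\s+destructive|most\s+dangerous)\s+virus\b", re.I)),
    ("impossible damage",   # software that "burns" or "destroys" hardware or sectors
     re.compile(r"\b(burns?|destroys?|melts?|fries|wipes?)\W[\s\S]{0,30}?"
                r"\b(hard\s?dis[ck]|dis[ck]|sector|processor|cpu)\b", re.I)),
    ("shouting subject",    # subject line entirely in capitals
     re.compile(r"^Subject:\s[A-Z0-9 ,!'.-]{20,}$", re.M)),
]


def hoax_score(message):
    """Return (score, matched rule names). A message with no URL at all earns one
    extra point: genuine advisories point at a vendor write-up."""
    hits = [name for name, rx in HOAX_RULES if rx.search(message)]
    if not re.search(r"https?://\S+", message):
        hits.append("no reference URL")
    return len(hits), hits


def is_likely_hoax(message, threshold=3):
    return hoax_score(message)[0] >= threshold


# The chain letter reproduced above.
HOAX_MAIL = """Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS

You should be alert during the next few days. Do not open any message with an
attachment entitled 'POSTCARD FROM BEIJING' or 'RESIGNATION OF BARACK OBAMA',
regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then
'burns' the whole hard C disc of your computer. This is the worst virus announced by
CNN last evening. It has been classified by Microsoft as the most destructive virus
ever. The virus was discovered by McAfee yesterday, and there is no repair yet for
this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where
the vital information is kept. COPY THIS E MAIL, AND SEND IT TO YOUR FRIENDS."""

# Constructed contrast: a sober advisory that links to a write-up.
LEGIT_ADVISORY = """Subject: Advisory: new mass-mailing worm seen in the wild

Our vendor has published an analysis of a worm that arrives as a .zip attachment and
spreads by mailing itself to the victim's contacts. Signatures were released this
morning; update your scanner and see the write-up at
http://example.com/advisory/worm-analysis for file names and hashes."""

if __name__ == "__main__":
    for label, msg in (("chain letter", HOAX_MAIL), ("vendor advisory", LEGIT_ADVISORY)):
        print(label, hoax_score(msg))
```

The rules encode social signals rather than technical ones, so the score is a prompt to go and look the name up on a vendor site (the most effective check in the list), not a replacement for doing so.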
Fake Antiviruses

Fake antivirus is a method hackers use to compromise a system: it can poison the system, tamper with the registry and system files, and allow the attacker to take full control of and access to your computer. It appears and performs similarly to a real antivirus program. Fake antivirus programs first appear in the browser and warn users that they have various security threats on their system, a message sometimes backed up by real malicious files planted on the machine. When the user tries to remove the "viruses", they are navigated to another page where they need to buy or subscribe to that antivirus and enter payment details. These fake antivirus programs are fabricated in such a way that they draw the attention of the unsuspecting user into installing the software. Some of the methods used to spread and install fake antivirus programs include:

- Email and messaging: Attackers use spam email and social networking messages to spread infected email to users and prompt the user to open the attachments for software installation.
- Blackhat SEO: Attackers take public or current search terms and plant pages for them so that they appear among the latest and top search engine results. The web pages show alerts about infection that encourage the user to buy the fake antivirus.
- Compromised websites: Attackers secretly break into popular sites to install the fake antiviruses, relying on the site's popularity to entice users to download the fake antivirus.
It acts as a bot and can be organized into a BotNet and controlled from a remote location It spreads through emails, social engineering tricks, and untrusted downloads from the Internet
UHU
$
DNSChanger malware achieves the DNS redirection by modifying the following registry key settings against a interface device such as network card J
<K >
DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that as part of the BotNet takedown the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names
Virus Analysis: DNSChanger

Source: http://www.totaldefense.com

DNSChanger (Alureon) is malware that spreads through emails, social engineering tricks, and untrusted downloads from the Internet. It acts as a bot and can be organized into a botnet and controlled from a remote location. The malware achieves DNS redirection by modifying the system registry key settings for an interface device such as a network card; on Windows the per-interface setting involved is the NameServer value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{interface GUID}. DNSChanger received significant attention because of the large number of affected systems worldwide and because, as part of the botnet takedown, the FBI took ownership of the rogue DNS servers so that those affected did not immediately lose the ability to resolve DNS names. The malware modifies the DNS settings on the victim's PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information.
Virus Analysis: DNSChanger (Cont'd)

Figure: DNSChanger infects the victim's computer by changing its DNS server IP address to 64.28.176.2 (a rogue server in one of the ranges below); it sniffs the victim's credentials and then redirects the request to the real website (www.xsecurity.com, IP 200.0.0.45).

Source: http://www.totaldefense.com

The rogue DNS servers can exist in any of the following ranges:

64.28.176.0 - 64.28.191.255
67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255
93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255
213.109.64.0 - 213.109.79.255
To infect the system and steal credentials, the attacker first has to run a DNS server. Here the attacker runs his or her DNS server in Russia with an IP address of, say, 64.28.176.2. Next, the attacker infects the victim's computer by changing its DNS server IP address to 64.28.176.2. Once this malware has infected the system, it completely changes the DNS settings of the infected machine and forces all DNS requests to go to the DNS server run by the attacker. After the DNS settings have been altered, any request made by the system is sent to the malicious DNS server. Here, the victim sends the DNS request asking for the IP address of www.xsecurity.com to the attacker's server; as the figure shows, the attacker sniffs the victim's credentials and then redirects the request to the real website, so the victim notices nothing.
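The check a responder would run on a suspected host, as an added example that is not part of the original page or of Total Defense's material: it expands the six rogue ranges listed above into networks, pulls the configured resolvers out of `ipconfig /all` output or out of the per-interface NameServer registry value, and reports which of them fall inside the DNSChanger ranges. The `ipconfig` excerpt and the NameServer string are constructed samples for a hypothetical infected host, not captures from a real machine.

```python
import ipaddress
import re

# Rogue DNS server ranges attributed to DNSChanger on this page, as "first - last"
# pairs. They are expanded into CIDR networks once, at import time.
DNSCHANGER_RANGES = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("213.109.64.0", "213.109.79.255"),
]

ROGUE_NETWORKS = [
    net
    for first, last in DNSCHANGER_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
]


def is_rogue_dns(server):
    """True if `server` (dotted-quad string) lies inside one of the rogue ranges."""
    try:
        addr = ipaddress.IPv4Address(server)
    except ValueError:          # hostnames, IPv6, garbage: not in the IPv4 ranges
        return False
    return any(addr in net for net in ROGUE_NETWORKS)


def dns_servers_from_ipconfig(text):
    """Pull the DNS Servers list out of `ipconfig /all` output.

    Windows prints the first server on the "DNS Servers" line and any further
    servers on continuation lines that contain only an address.
    """
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[\s.]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        if collecting:
            m = re.fullmatch(r"\s*(\d{1,3}(?:\.\d{1,3}){3})\s*", line)
            if m:
                servers.append(m.group(1))
            else:
                collecting = False
    return servers


def dns_servers_from_nameserver_value(value):
    """Split the per-interface NameServer registry value (comma or space separated)."""
    return [s for s in re.split(r"[,\s]+", value) if s]


def rogue_servers_in(servers):
    """Return the subset of `servers` that fall in DNSChanger ranges."""
    return [s for s in servers if is_rogue_dns(s)]


# Constructed sample: an `ipconfig /all` excerpt from a hypothetical infected host.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 64.28.176.2
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample: a NameServer value as DNSChanger would leave it under
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}.
SAMPLE_NAMESERVER_VALUE = "64.28.176.2,64.28.176.3"

if __name__ == "__main__":
    found = dns_servers_from_ipconfig(SAMPLE_IPCONFIG)
    print("configured:", found, "rogue:", rogue_servers_in(found))
    reg = dns_servers_from_nameserver_value(SAMPLE_NAMESERVER_VALUE)
    print("registry:", reg, "rogue:", rogue_servers_in(reg))
```

On a live host, feed the function the real output of `ipconfig /all` (or the NameServer value read with `reg query`); a hit in these ranges is strong evidence of infection, but a clean result only rules out this one family, since later DNS-changing malware used other servers.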
Module Flow

Prior to this, we discussed virus and worm concepts. Now we will discuss the different types of viruses.

- Virus and Worms Concepts
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing
Types of Viruses

So far, we have discussed various virus and worm concepts. Now we will discuss the various types of viruses. This section highlights various types of viruses and worms such as file and multipartite viruses, macro viruses, cluster viruses, stealth/tunneling viruses, encryption viruses, metamorphic viruses, shell viruses, and so on. Computer viruses are malicious software programs written by attackers to intentionally enter the targeted system without the user's permission. As a result, they affect the security and performance of the machine. A few of the most common types of computer viruses that adversely affect security systems are discussed in detail on the following slides.

Viruses are classified according to two criteria:

- What do they infect?
- How do they infect?
File Viruses

File viruses infect executable files by inserting their code into the original file so that it is executed along with it. File viruses are numerous, but they are not the most commonly found type. They infect in a variety of ways and can be found in a large number of file types.

Cluster Viruses

Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program.

Macro Virus

Microsoft Word or a similar application can be infected by a macro virus, which automatically performs a sequence of actions when the application is started or some other trigger occurs. Macro viruses are somewhat less harmful than other types. They are usually spread via email.

Stealth Viruses

These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts while they are running. Requests to perform operations through these service call interrupts are replaced by virus code. These viruses report false information to hide their presence from antivirus programs. For example, a stealth virus hides the modifications it made and returns false representations of the files or sectors. Thus it takes over portions of the target system and hides its virus code.

Tunneling Viruses

These viruses trace the steps of interceptor programs that monitor operating system
Encryption Viruses

[...] The decrypting module remains constant, whereas different keys are used for the encryption.

Polymorphic Viruses

These viruses were developed to confuse antivirus programs that scan for viruses in

Metamorphic Viruses

Code that can reprogram itself is called metamorphic code. This code is translated into a temporary representation and then converted back to normal code. The technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. It is more effective than polymorphic code. This type of virus consists of complex, extensive code.

Sparse Infector Viruses

[...] or only files whose lengths fall within a narrow range.

Companion Viruses

The companion virus stores itself under the identical file name as the targeted program file (with a different extension). As soon as that file is executed, the virus infects the computer, and hard disk data is modified.

Camouflage Viruses

They disguise themselves as genuine applications of the user. These viruses are not

Shell Viruses

This virus code forms a layer around the target host program's code that can be

[...] after the target host program is executed and terminated. It can be removed only by rebooting the system.
System or Boot Sector Viruses

Figure: MBR infection. Before infection the MBR holds the original boot code; after infection the virus code occupies the MBR and the original MBR is kept elsewhere. When the system boots, the virus code is executed first and then control is passed to the original MBR.

System sector viruses are those that infect the executable code in the disk's system sectors; a boot sector virus is the variety that infects the DOS boot sector of the disk. Any disk is divided into areas called sectors, where programs are stored. The two types of system sectors are:

- MBR (Master Boot Record): MBRs are the most virus-prone zone, because if the MBR is corrupted all data on the disk is lost to the user, since the partition table that locates it is gone.
- DBR (DOS Boot Record): The DOS boot sector is executed whenever the system is booted, which makes it a crucial point of attack for viruses.

A system sector is only 512 bytes, so system sector viruses conceal the rest of their code in some other disk space. The main carrier of system sector viruses is the floppy disk. These viruses generally reside in memory. They can also be dropped by Trojans. Some sector viruses also spread through infected files; these are called multipartite viruses.
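The integrity check a practitioner would use to catch the "virus code first, then the original MBR" layout described above, as an added example that is not part of the original page: it parses the 512-byte sector into the 446-byte boot code, the four 16-byte partition entries at offset 446, and the 0x55AA signature, and compares a freshly read sector with a trusted baseline. Both sectors are constructed in memory for the example; the boot-code and loader bytes are placeholders, not real boot code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code (what a boot sector virus replaces)
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector):
    """Split a 512-byte sector into a boot-code hash, the partition table and the signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype != 0:                      # type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def mbr_diff(baseline_sector, current_sector):
    """Compare a freshly read MBR with a trusted baseline. A boot sector virus changes the
    boot code but keeps the partition table, so the machine still boots normally."""
    base, cur = parse_mbr(baseline_sector), parse_mbr(current_sector)
    return {
        "boot_code_changed": base["boot_code_sha256"] != cur["boot_code_sha256"],
        "partition_table_changed": base["partitions"] != cur["partitions"],
        "signature_ok": cur["signature_ok"],
    }


def make_sector(boot_code, partitions):
    """Assemble a constructed MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed clean MBR: placeholder boot code and one bootable NTFS (type 0x07) partition.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"CONSTRUCTED-CLEAN-BOOT-CODE"
CLEAN_MBR = make_sector(CLEAN_BOOT_CODE, [(True, 0x07, 2048, 204800)])

# Constructed infected MBR: the virus loader replaces the boot code and later chains to the
# saved original MBR; the partition table is untouched so nothing looks wrong at boot.
VIRUS_BOOT_CODE = b"\xeb\x3c\x90" + b"CONSTRUCTED-VIRUS-LOADER-chains-to-saved-original-MBR"
INFECTED_MBR = make_sector(VIRUS_BOOT_CODE, [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print(mbr_diff(CLEAN_MBR, INFECTED_MBR))
```

Take the baseline right after installation (for example `dd if=/dev/sda bs=512 count=1` on Linux, or by reading the first 512 bytes of `\\.\PhysicalDrive0` on Windows) and store the hash off the machine; a changed boot code with an unchanged partition table and a still-valid signature is exactly the pattern a boot sector virus leaves, while a legitimate bootloader reinstall also changes the partition table or is expected from a known change.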
Figure: file virus infection, before and after (the virus code is inserted into the executable).
File viruses are also classified based on whether they are non-memory-resident or memory-resident. Non-memory-resident viruses search for EXE files on a hard drive and then infect them, whereas memory-resident viruses stay active in memory and trap one or more system functions. File viruses are said to be polymorphic, encrypted, or non-encrypted. A polymorphic or encrypted virus contains one or more decryptors and a main code. The main virus code is decrypted by the decryptor before it starts. An encrypted virus usually uses variable- or fixed-key decryptors, whereas polymorphic viruses have decryptors that are randomly generated from processor instructions and that contain many instructions not used in the decryption process.

Execution of Payload:

- Direct action: immediately upon execution
- Time bomb: after a specified period of time
- Condition triggered: only under certain conditions
Macro Viruses

- Infects macro-enabled documents
- Most macro viruses are written using the macro language Visual Basic for Applications (VBA)
- Macro viruses infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files
Macro Viruses

Microsoft Word or similar applications can be infected by a macro virus, which automatically performs a sequence of actions when the application is started or some other trigger occurs. Most macro viruses are written using the macro language Visual Basic for Applications (VBA); they infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files. Macro viruses are somewhat less harmful than other types. They are usually spread via email. Pure data files do not allow the spread of viruses, but the line between a data file and an executable file is easily overlooked by the average user because of the extensive macro languages in some programs. In most cases, just to make things easy for users, the line between a data file and a program starts to blur when the default macros are set to run automatically every time the data file is loaded. Virus writers can exploit common programs with macro capability such as Microsoft Word, Excel, and other Office programs. Windows Help files can also contain macro code. In addition, the latest exploited macro code exists in the full version of the Acrobat program that reads and writes PDF files.
FIGURE 7.8: Macro Viruses (Attacker, User)
Cluster Viruses

- Cluster viruses modify directory table entries so that they point users or system processes to the virus code instead of the actual program
- Virus copy: there is only one copy of the virus on the disk, infecting all the programs in the computer system
- Launch itself: it launches itself first when any program on the computer system is started, and then control is passed to the actual program
Cluster Viruses

Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program. When a program is run under DOS, DOS first loads and executes the virus code, and then the virus locates the actual program and executes it. Dir-2 is an example of this type of virus. Because cluster viruses modify directory table entries so that the entries point to the virus code, there is only one copy of the virus on the disk, infecting all the programs in the computer system. It launches itself first when any program on the computer system is started, and then control is passed to the actual program.
Stealth/Tunneling Viruses

- These viruses evade antivirus software by intercepting its requests to the operating system.
- A virus can hide itself by intercepting the antivirus software's request to read a file and passing the request to the virus instead of the OS.
- The virus can then return an uninfected version of the file to the antivirus software, so that the file appears to be "clean".

Figure: the antivirus software asks the OS for tcpip.sys; the virus intercepts the read and answers "Here you go" with the original, uninfected TCPIP.SYS.

Tunneling Viruses

These viruses trace the steps of interceptor programs that monitor operating system
Encryption Viruses

- The virus is encrypted with a different key for each infected file
Encryption Viruses

This type of virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for the encryption. These viruses generally XOR each byte of the body with a randomized key. An encrypted virus is therefore a small, constant decryption module followed by an encrypted copy of the virus code.

- For each infected file, the virus is encrypted using a different key, but the decrypting module remains unchanged. A virus scanner therefore cannot detect the virus body directly by signature, but the constant decrypting module can be detected.
- The decryption technique employed is to XOR each byte with the randomized key that was generated and saved by the parent virus.
Figure: the same virus code encrypted with different keys yields Encryption Virus 1, Encryption Virus 2, ..., Encryption Virus n, each preceded by the same decryptor.
Polymorphic Code

- Polymorphic code is code that mutates while keeping the original algorithm intact
- To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine)
- A well-written polymorphic virus therefore has no parts that stay the same on each infection

Figure: a polymorphic virus in RAM: the decryptor routine decrypts the encrypted virus code and the encrypted mutation engine.
Polymorphic Code

Polymorphic viruses modify their code on each replication in order to avoid detection. They accomplish this by changing the encryption module and the instruction sequence. A random number generator is used to implement the polymorphism, and a mutation engine is generally used to produce the polymorphic code. The mutator produces a sequence of instructions that differs on every infection, so a virus scanner has to adapt its detection algorithm rather than rely on a fixed byte signature. Slow polymorphic code mutates only rarely, so that the virus samples an antivirus analyst collects from bait files after a single execution all contain a similar copy of the virus, which hides the full range of variation from the analyst. A simple integrity checker can still detect the presence of a polymorphic virus on the system's disk, because the infected files change even when their contents no longer match any signature.
Figure: the decryptor routine hands control to the virus, which instructs the mutation engine to produce a new polymorphic virus with a new decryptor routine.
Polymorphic viruses consist of three components: the encrypted virus code, the decryptor routine, and the mutation engine. The function of the decryptor routine is to decrypt the virus code. It decrypts the code only after taking control of the computer. The mutation engine generates randomized decryption routines; the decryption routine varies every time a new program is infected by the virus. In a polymorphic virus, both the mutation engine and the virus code are encrypted. When a program infected with a polymorphic virus is run by the user, the decryptor routine takes complete control of the system, after which it decrypts the virus code and the mutation engine. Next, control of the system is transferred by the decryption routine to the virus, which locates a new program to infect. In RAM (Random Access Memory), the virus makes a replica of itself as well as of the mutation engine. Then the virus instructs the encrypted mutation engine to generate a new randomized decryption routine, which has the capability of
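The mechanics of the Encryption Viruses section (constant decryptor, new XOR key per file, scanner matches the decryptor) and of the Polymorphic Code section above (mutation engine rewrites the decryptor, static signature fails), shown in one added example that is not part of the original page. The "instruction set" for the decryptor stub, the payload bytes and the signatures are all constructed for the example; real viruses use x86 code, but the one-byte-opcode model keeps the logic visible. The emulating scanner at the end is a toy model of what antivirus emulators do: run the stub far enough to learn the key, decrypt the body, then scan the plaintext.

```python
import random

# Toy instruction set for the decryptor stub (constructed for this example).
OP_LOADKEY, OP_XORLOOP, OP_JMPBODY, OP_JUNKMOV, OP_NOP = 0x01, 0x02, 0x03, 0x04, 0x90

# Constructed payload standing in for the virus body, and the signature an antivirus
# would hold for it once it can see the body in the clear.
PAYLOAD = b"TOY-VIRUS-PAYLOAD:infect+replicate"
PAYLOAD_SIG = b"TOY-VIRUS"

# What a scanner can match on a plain encryption virus: the constant part of the
# decryptor (the key byte after OP_LOADKEY changes per infection, so it is excluded).
DECRYPTOR_SIG = bytes([OP_XORLOOP, OP_JMPBODY])

CLEAN_SAMPLE = b"MZ\x90\x00constructed benign program image"


def xor_bytes(data, key):
    """Encryption and decryption are the same single-byte XOR."""
    return bytes(b ^ key for b in data)


def build_encrypted(body, rng):
    """Encryption virus: new key per infection, decryptor stub always identical."""
    key = rng.randrange(1, 256)
    stub = bytes([OP_LOADKEY, key, OP_XORLOOP, OP_JMPBODY])
    return stub + xor_bytes(body, key)


def junk_ops(rng):
    """Mutation engine: 1-3 do-nothing instructions. Junk operands are kept away from
    0x02 so the junk itself can never spell out the old two-byte decryptor signature."""
    out = b""
    for _ in range(rng.randrange(1, 4)):
        if rng.random() < 0.5:
            out += bytes([OP_NOP])
        else:
            out += bytes([OP_JUNKMOV, rng.randrange(0x10, 0x80)])
    return out


def build_polymorphic(body, rng):
    """Polymorphic virus: same key handling, but the mutation engine rewrites the
    decryptor on every infection, so the contiguous signature of the plain
    encryption virus no longer appears."""
    key = rng.randrange(1, 256)
    real = [bytes([OP_LOADKEY, key]), bytes([OP_XORLOOP]), bytes([OP_JMPBODY])]
    stub = real[0] + junk_ops(rng) + real[1] + junk_ops(rng) + real[2]
    return stub + xor_bytes(body, key)


def signature_scan(sample, signature):
    """Classic static scanner: substring match on the raw file bytes."""
    return signature in sample


def emulate_and_scan(sample, payload_sig):
    """Emulation-based scanner: step through the stub to learn the key and where the
    body starts, decrypt the body, then match the signature on the plaintext."""
    key, i = None, 0
    while i < len(sample):
        op = sample[i]
        if op == OP_LOADKEY and i + 1 < len(sample):
            key, i = sample[i + 1], i + 2
        elif op in (OP_XORLOOP, OP_NOP):
            i += 1
        elif op == OP_JUNKMOV:
            i += 2
        elif op == OP_JMPBODY:
            if key is None:
                return False
            return payload_sig in xor_bytes(sample[i + 1:], key)
        else:
            return False          # not a stub we recognise: nothing to emulate
    return False


def compare_scanners(seeds=range(30)):
    """Build one encrypted and one polymorphic sample per seed and count detections.
    Returns (static hits on encrypted, static hits on polymorphic,
             emulation hits on encrypted, emulation hits on polymorphic)."""
    stat_enc = stat_poly = emu_enc = emu_poly = 0
    for seed in seeds:
        rng = random.Random(seed)
        enc = build_encrypted(PAYLOAD, rng)
        poly = build_polymorphic(PAYLOAD, rng)
        stat_enc += signature_scan(enc, DECRYPTOR_SIG)
        stat_poly += signature_scan(poly, DECRYPTOR_SIG)
        emu_enc += emulate_and_scan(enc, PAYLOAD_SIG)
        emu_poly += emulate_and_scan(poly, PAYLOAD_SIG)
    return stat_enc, stat_poly, emu_enc, emu_poly


if __name__ == "__main__":
    print("static/encrypted, static/polymorphic, emulated/encrypted, emulated/polymorphic:",
          compare_scanners())
```

The static scanner catches every encrypted sample through its constant decryptor and none of the polymorphic ones; the emulator catches all of both, because the body decrypts to the same plaintext whatever the stub looks like. That asymmetry is why polymorphism pushed antivirus engines from byte signatures toward emulation and integrity checking, and why the mutation engine, not the payload, is where the complexity of a polymorphic virus sits.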
Metamorphic Viruses

- Metamorphic viruses rewrite themselves completely each time they infect a new executable
- Metamorphic code can reprogram itself by translating its own code into a temporary representation and then back to normal code again
- For example, W32/Simile consisted of over 14,000 lines of assembly code, 90% of it part of the metamorphic engine

Figure: screenshots of two variants of the same metamorphic virus (a.) Variant A, b.) Variant B).
Metamorphic Viruses

Some viruses rewrite themselves when they infect newly executed files. Such viruses are complex and use metamorphic engines for execution. Code that can reprogram itself is called metamorphic code. This code is translated into a temporary representation and then converted back to normal code. The technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. It is more effective than polymorphic code. This type of virus consists of complex, extensive code. The commonly known metamorphic viruses are:

Win32/Simile: This virus is written in assembly language and targets Microsoft Windows. The process is complex, and nearly 90% of the virus code is the metamorphic engine that performs it.

Zmist: Zmist, also known as Zombie.Mistfall, was the first virus to use the technique called "code integration." The virus inserts itself into the host's code, regenerates the code, and rebuilds the executable around it.
FIGURE 7.12: Metamorphic Viruses Screenshot: a.) Variant A; b.) Variant B; d.) the .D variant (which was the "official" C of the original author). The message visible in the screenshots reads "mEtAPHOR 1b BY tHe MeNTAl dRiLLER/29A", with the letter case varying between variants.
File Overwriting or Cavity Viruses

A cavity (file-overwriting) virus writes itself into unused, null-filled regions of the host file instead of appending to it, so the size of the host does not change; the figure shows a 45 KB host file (its visible content is ordinary document text) and the null-filled region that the virus overwrites.

FIGURE 7.13: File Overwriting or Cavity Virus (original file size: 45 KB)
Sparse Infector Viruses

- Sparse infector viruses infect only occasionally (e.g., every tenth program executed), or only files whose lengths fall within a narrow range
- Difficult to detect: by infecting less often, such viruses try to minimize the probability of being discovered

Sparse infector viruses infect only occasionally (e.g., every tenth program executed, or only on a particular day of the week) or only files whose lengths fall within a narrow range. By infecting less often, these viruses try to minimize the probability of being discovered.
Companion/Camouflage Viruses

- A companion virus creates a companion file for each executable file the virus infects
- Therefore, a companion virus may save itself as notepad.com, and every time a user executes notepad.exe (the good program), the computer will load notepad.com (the virus) and infect the system

Figure: the attacker plants notepad.com beside notepad.exe; the virus infects the system with the file notepad.com saved in the c:\winnt\system32 directory.
Companion/Camouflage Viruses

Companion Viruses

The companion virus stores itself under the same file name as the targeted program file, with a different extension. As soon as that program is run, the virus infects the computer, and hard disk data is modified. Companion viruses exploit the fact that DOS runs a COM file before an EXE file of the same name: the virus installs a COM file with the same root name and so hijacks the execution of the EXE file.

Source: http://www.cknow.com/vtutor/CompanionViruses.html

Here is what happens: Suppose a companion virus is executing on your PC and decides it is time to infect a file. It looks around and happens to find a file called PGM.EXE. It now creates a file called PGM.COM containing the virus. The virus usually plants this file in the same directory as the .EXE file, but it could place it in any directory on your DOS path. If you type PGM and press Enter, DOS executes PGM.COM instead of PGM.EXE. (In order, DOS will execute COM, then EXE, and then BAT files of the same root name, if they are all in the same directory.) The virus executes, possibly infecting more files, and then loads and executes PGM.EXE. The user probably would fail to notice anything is wrong. It is easy to detect a companion virus simply by the presence of the extra COM file in the system.
Shell Viruses

- The virus code forms a shell around the target host program's code, making itself the original program and the host code its subroutine
- Almost all boot program viruses are shell viruses

Figure: before infection, the original program; after infection, the virus code wraps the original program.
Shell Viruses

A shell virus's code forms a layer around the target host program's code that can be
B efo re In fe c tio n
Original Program
A fte r In fe c tio n
Virus Code
Original Program
Ethical Hacking and C ounterm easures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
File Extension Viruses

- File extension viruses change the extensions of files
- .TXT is safe as it indicates a pure text file
- With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you will only see BAD.TXT
- If you have forgotten that extensions are turned off, you might think this is a text file and open it
- This is an executable Visual Basic Script virus file and could do serious damage
- Countermeasure is to turn off "Hide file extensions" in Windows

Figure: Windows Folder Options dialog, View tab, Advanced settings (Files and Folders: Hidden files and folders; Hide extensions for known file types)

File Extension Viruses

Source: http://www.cknow.com/vtutor/FileExtensions.html

File extension viruses change the extensions of files. .TXT is safe as it indicates a pure text file. With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you can only see BAD.TXT. If you have forgotten that the extensions are actually turned off, you might think this is a text file and open it. This is an executable Visual Basic Script virus file that could do serious damage.
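Two filename-level checks built from the rules in the companion virus notes (DOS runs COM, then EXE, then BAT of the same root name) and the hidden-extension deception above, as an added example that is not part of the EC-Council material. The extension sets and the directory listing are my own constructed assumptions.

```python
import os
from collections import defaultdict

# DOS search order for a bare command name, as described in the notes
DOS_EXEC_ORDER = (".com", ".exe", ".bat")

def resolve_dos_command(name, listing):
    """Return the file DOS would run for a bare command name, or None."""
    present = {f.lower() for f in listing}
    for ext in DOS_EXEC_ORDER:
        candidate = name.lower() + ext
        if candidate in present:
            return candidate
    return None

def companion_pairs(listing):
    """Sorted (com, exe) pairs where a .COM shadows an .EXE of the same root.
    The extra COM file is the telltale sign of a companion virus."""
    by_root = defaultdict(dict)
    for f in listing:
        root, ext = os.path.splitext(f.lower())
        if ext in (".com", ".exe"):
            by_root[root][ext] = f
    return sorted(
        (files[".com"], files[".exe"])
        for files in by_root.values()
        if ".com" in files and ".exe" in files
    )

# Which "known" extensions Explorer hides, and which of those execute code.
# Both sets are assumptions made for this example.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".exe", ".com", ".scr",
                   ".bat", ".cmd", ".pif", ".wsf", ".hta"}
DOCUMENT_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".xls"}

def displayed_name(filename, hide_known_ext=True):
    """The name as Explorer shows it when known extensions are hidden."""
    root, ext = os.path.splitext(filename)
    if hide_known_ext and ext.lower() in (EXECUTABLE_EXTS | DOCUMENT_EXTS):
        return root
    return filename

def deceptive_names(listing):
    """(real name, displayed name) for files whose displayed name ends in a
    document extension while the real last extension executes code,
    e.g. BAD.TXT.VBS shown as BAD.TXT."""
    found = []
    for f in listing:
        real_ext = os.path.splitext(f)[1].lower()
        shown = displayed_name(f)
        shown_ext = os.path.splitext(shown)[1].lower()
        if real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS:
            found.append((f, shown))
    return found

# Constructed directory listing for demonstration
SAMPLE_LISTING = ["PGM.EXE", "PGM.COM", "EDIT.EXE", "README.TXT",
                  "BAD.TXT.VBS", "SETUP.EXE", "TOOLS.BAT"]

if __name__ == "__main__":
    print("typing PGM runs:", resolve_dos_command("PGM", SAMPLE_LISTING))
    print("companion pairs:", companion_pairs(SAMPLE_LISTING))
    for real, shown in deceptive_names(SAMPLE_LISTING):
        print(f"{real!r} is displayed as {shown!r}")
```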
Add-on Viruses

Add-on viruses append their code to the host code without making any changes to the latter, or relocate the host code to insert their own code at the beginning.

FIGURE 7.18: Working of Add-on Viruses (Original Program with viral code appended and a JUMP into it; Original Program relocated behind the viral code)
Intrusive Viruses

Intrusive viruses overwrite the host with their own code, either by completely removing the target host's program code or sometimes by overwriting only part of it. Therefore, the original code is not executed properly.

Figure: intrusive virus, Original Program before and after infection (viral code overwriting part or all of it)
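An added example (not EC-Council's code) serving the shell, add-on and intrusive virus sections above: given a known-good copy of a program and a suspect copy, it reports which of those infection models the change fits, which is more useful to an integrity check than "hash differs". The host and virus byte strings are constructed stand-ins, and the 16-byte bound for a patched entry is my own assumption.

```python
from typing import Dict, List

def _diff_positions(a: bytes, b: bytes) -> List[int]:
    """Indexes where two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def classify_modification(original: bytes, suspect: bytes) -> Dict[str, str]:
    """Classify suspect relative to original as unchanged / add-on / shell /
    intrusive / other, with a short detail string."""
    n = len(original)
    if suspect == original:
        return {"kind": "unchanged", "detail": ""}
    if len(suspect) > n:
        extra = len(suspect) - n
        offset = suspect.find(original)
        if offset == 0:
            # host code untouched, virus code appended after it
            return {"kind": "add-on",
                    "detail": f"host untouched, {extra} bytes appended"}
        if offset > 0 and offset + n == len(suspect):
            # host relocated, virus code inserted at the beginning
            return {"kind": "add-on",
                    "detail": f"host relocated to offset {offset}, "
                              f"{offset} bytes inserted at the beginning"}
        if offset > 0:
            # virus code both before and after the intact host: a shell
            return {"kind": "shell",
                    "detail": f"host intact at offset {offset}, virus code "
                              f"before ({offset} bytes) and after "
                              f"({len(suspect) - offset - n} bytes)"}
        # Host not found intact. If only the first few bytes changed and the
        # file grew, treat it as add-on with a patched entry (the JUMP in
        # Figure 7.18). The 16-byte bound is an assumption.
        changed = _diff_positions(original, suspect[:n])
        if changed and changed[-1] < 16:
            return {"kind": "add-on",
                    "detail": f"host bytes {changed[0]}-{changed[-1]} patched "
                              f"(entry redirected), {extra} bytes appended"}
        return {"kind": "other", "detail": "grown but host code not intact"}
    if len(suspect) == n:
        # same size, content differs: overwritten in place
        changed = _diff_positions(original, suspect)
        if len(changed) == n:
            return {"kind": "intrusive", "detail": "entire host overwritten"}
        return {"kind": "intrusive",
                "detail": f"bytes {changed[0]}-{changed[-1]} overwritten "
                          f"in place ({len(changed)} of {n})"}
    return {"kind": "other", "detail": "file shrank"}

# Constructed sample inputs: a stand-in "host program" and "virus code"
HOST = b"\x55\x89\xe5HOST-PROGRAM-CODE\xc9\xc3"
VIRAL = b"VIRAL-CODE"
SAMPLES = {
    "appended": HOST + VIRAL,
    "relocated": VIRAL + HOST,
    "shell": VIRAL + HOST + b"\xc3",
    "jump patched": b"\xe9" + HOST[1:] + VIRAL,
    "partial overwrite": VIRAL + HOST[len(VIRAL):],
    "full overwrite": b"X" * len(HOST),
}

if __name__ == "__main__":
    for label, suspect in SAMPLES.items():
        r = classify_modification(HOST, suspect)
        print(f"{label:18s} -> {r['kind']:9s} {r['detail']}")
```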
Transient and Terminate and Stay Resident Viruses

Transient Viruses

Transient viruses transfer all control to the host code where they reside, select the target program to be modified, and corrupt it.

Terminate and Stay Resident Virus (TSR)

Remains permanently in memory during the entire work session, even after the target host's program is executed and terminated; can be removed only by
Writing a Simple Virus Program

When run, it deletes core files in the WINNT directory, making Windows unusable.

For demonstration purposes, a simple program that can be used to cause harm to a target system is shown here:

1. Create a batch file Game.bat with the following text:
TeraBIT Virus Maker

TeraBIT Virus Maker is a virus that is mostly detected by all antivirus software when scanned. This virus mostly doesn't harm the PC, but it can disable the antivirus that is installed on the system for a short time.

Figure: TeraBIT Virus Maker interface, a checklist of payload options (e.g. Disable Windows Security Essentials, Disable Automatic Updates, Disable Command Prompt, Mute System Volume, Turn Off Monitor, Run Custom Command) with a File Name field and a Create Virus button
JPS Virus Maker and DELmE's Batch Virus Maker

JPS Virus Maker

JPS Virus Maker is a tool to create viruses. It also has a feature to convert a virus into a worm and can be used to disable the normal hardware of the system.

Figure: JPS Virus Maker 3.0 interface (options to disable Registry, MsConfig, Task Manager, Windows Explorer, antivirus products, CMD, Security Center, System Restore, Control Panel, desktop icons and screen saver; hide services, Outlook Express, the Windows clock and desktop icons; Auto Startup; Restart / Log Off / Turn Off / Hibernate / None; Server Name field) and DELmE's Batch Virus Maker interface
Module Flow

Prior to this, we have discussed various types of viruses. Now we will discuss computer worms and how they are different from viruses.

Module flow sections: Virus and Worms Concepts, Types of Viruses, Computer Worms, Malware Analysis, Countermeasures, Penetration Testing
Computer Worms

- Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction
- Most worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system
- Attackers use the worm payload to install backdoors on infected computers, which turns them into zombies and creates a botnet; these botnets can be used to carry out further cyber attacks

Computer Worms

Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Most worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system. A worm does not require a host to replicate, although in some cases one may argue that a worm's host is the machine it has infected. Worms are a subtype of viruses. Worms were considered mainly a mainframe problem, but after most of the world's systems were

Worm: A worm, after being installed on a system, can replicate itself and spread by using IRC, Outlook, or other applicable mailing programs. A worm typically does not modify any stored programs.
Worm Analysis: Stuxnet

- Stuxnet is a threat targeting a specific industrial control system, likely in Iran, such as a gas pipeline or power plant
- The goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries

Stuxnet contains many features such as:

- Self-replicates through removable drives exploiting a vulnerability allowing auto-execution
- Updates itself through a peer-to-peer mechanism within a LAN
- Spreads in a LAN through a vulnerability in the Windows Print Spooler
- Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
- Copies and executes itself on remote computers through network shares running a WinCC database server
- Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded
- Exploits a total of four unpatched Microsoft vulnerabilities
- Contacts a command and control server that allows the hacker to download and execute code, including updated versions
- Contains a Windows rootkit that hides its binaries and attempts to bypass security products
- Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system

http://www.symantec.com

Worm Analysis: Stuxnet

Source: http://www.symantec.com

Stuxnet is a complex threat and malware with diverse modules and functionalities. It is mostly used to grab control of and reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs), which creates a way for the attacker to intrude into the complete system and launch an attack by making changes in the code and taking unauthorized control of the systems without the knowledge of the operators. Stuxnet contains many features such as:

- Self-replicates through removable drives exploiting a vulnerability allowing auto-execution
- Spreads in a LAN through a vulnerability in the Windows Print Spooler
- Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
- Copies and executes itself on remote computers through network shares running a WinCC database server
- Contacts a command and control server that allows the hacker to download and execute code, including updated versions
- Contains a Windows rootkit that hides its binaries and attempts to bypass security products
Worm Analysis: Stuxnet (Contd)

- Stuxnet consists of a large .dll file that contains many different exports and resources and two encrypted configuration blocks
- The dropper component of Stuxnet is a wrapper program that contains all of the above components stored inside itself in a section named "stub"
- When the threat is executed, the wrapper extracts the .dll file from the stub section, maps it into memory as a module, and calls one of the exports
- Whenever an export is called, Stuxnet typically injects the entire DLL into another process and then just calls the particular export
- When injecting into a trusted process, Stuxnet may keep the injected code in the trusted process or instruct the trusted process to inject the code into another currently running process
- Stuxnet hooks Ntdll.dll to monitor for requests to load specially crafted file names; these specially crafted file names are mapped to another location instead, a location specified by W32.Stuxnet
- It uses a special method designed to bypass behavior blocking and host intrusion-protection based technologies that monitor LoadLibrary calls

http://www.symantec.com

Worm Analysis: Stuxnet (Contd)

Source: http://www.symantec.com

Stuxnet consists of a large .dll file that contains many different exports and resources and two encrypted configuration blocks. It hooks Ntdll.dll to monitor for requests to load specially crafted file names; these specially crafted file names are mapped to another location instead, a location specified by W32.Stuxnet. The dropper component of Stuxnet is a wrapper program that contains all components stored inside itself in a section named "stub." When the threat is executed, the wrapper extracts the .dll file from the stub section, maps it into memory as a module, and calls one of the exports. Whenever an export is called, Stuxnet typically injects the entire DLL into another process and then just calls the particular export. When injecting into a trusted process, Stuxnet may keep the injected code in the trusted process or instruct the trusted process to inject the code into another currently running process. It uses a special method designed to bypass behavior blocking and host intrusion-protection based technologies that monitor LoadLibrary calls.
Worm Analysis: Stuxnet (Contd)

Figure: Stuxnet infection routine flow (Check CFG; Check OS: XP or less / Vista or higher; Set DACL; check Date < 06/24/2012, Exit if past deadline; decrypt and load self from disk; call export 6 to get version, Exit if version not OK; create global mutexes; create rootkit service registry keys; decrypt resources 201 & 242 and write the rootkit files to disk, Mrxcls.sys among them; create .pnf and .cfg files; set file times; inject in service and call export 32 to infect removable drives; inject in Step 7 and call export 32 to infect Step 7 projects)

Worm Analysis: Stuxnet (Contd)

Source: http://www.symantec.com

Infection Routine Flow

Stuxnet checks if it has administrator rights on the computer. Stuxnet wants to run with the highest privilege possible so that it has permission to take whatever actions it likes on the computer. If it does not have Administrator rights, it executes one of the two zero-day escalation of privilege attacks described in the following diagram. If the process already has the rights it requires, it proceeds to prepare to call export 16 in the main .dll file. It calls export 16 by using the injection techniques described in the Injection Technique section. When the process does not have administrator rights on the system, it tries to attain these privileges by using one of two zero-day escalation of privilege attacks. The attack vector used is based on the operating system of the compromised computer. If the operating system is Windows Vista, Windows 7, or Windows Server 2008 R2, the currently undisclosed Task

If exploited, both of these vulnerabilities result in the main .dll file running as a new process, either within the csrss.exe process in the case of the win32k.sys vulnerability or as a new task with administrator rights in the case of the Task Scheduler vulnerability. The code to exploit the win32k.sys vulnerability is stored in resource 250. Details of the win32k.sys vulnerability and the Task Scheduler vulnerability currently are not released, as patches are not yet available. After export 15 completes the required checks, export 16 is called. Export 16 is the main installer for Stuxnet. It checks the date and the version number of the compromised computer; decrypts, creates, and installs the rootkit files and registry keys; injects itself into the services.exe process to infect removable drives; injects itself into the Step 7 process to infect all Step 7 projects; sets up the global mutexes that are used to communicate between different components; and connects to the RPC server. Export 16 first checks that the configuration data is valid; after that it checks the value "NTVDM TRACE" in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation
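An added example, not Symantec's or EC-Council's code: an offline scan of an exported Windows .reg file for the two registry artifacts the installer routine above leaves behind, the "NTVDM TRACE" value under the MS-DOS Emulation key that export 16 checks, and a service key whose driver is the Mrxcls.sys rootkit file. The .reg text is a constructed sample, the service name in it is a placeholder, and the parser covers only single-line quoted, dword and hex(2) values.

```python
import re
from typing import Dict, List

MSDOS_EMULATION_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
                       r"\CurrentVersion\MS-DOS Emulation")
SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
ROOTKIT_DRIVER = "mrxcls.sys"   # rootkit driver file named on this page

# "Name"=data or @=data lines inside a [key] block
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _decode_data(raw: str) -> str:
    """Turn .reg value data into a Python string (subset of the format)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return str(int(raw[6:], 16))
    if raw.startswith("hex(2):"):            # REG_EXPAND_SZ as UTF-16LE bytes
        data = bytes(int(h, 16) for h in raw[7:].split(",") if h)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} from .reg export text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                name = m.group(1) if m.group(1) is not None else ""
                keys[current][name] = _decode_data(m.group(2))
    return keys

def find_stuxnet_artifacts(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings for the two artifacts described in the text; [] if none."""
    findings = []
    msdos = keys.get(MSDOS_EMULATION_KEY, {})
    if "NTVDM TRACE" in msdos:
        findings.append(f'NTVDM TRACE marker present (data {msdos["NTVDM TRACE"]})')
    for path, values in keys.items():
        if path.startswith(SERVICES_PREFIX):
            image = values.get("ImagePath", "").lower()
            if image.endswith(ROOTKIT_DRIVER):
                findings.append(f"service {path[len(SERVICES_PREFIX):]} loads {ROOTKIT_DRIVER}")
    return findings

def _hex2(s: str) -> str:
    """Encode a string the way regedit exports REG_EXPAND_SZ (hex(2):)."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\x00").encode("utf-16-le"))

# Constructed .reg export; the service name is a placeholder, not a real IoC
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + MSDOS_EMULATION_KEY + "]",
    '"NTVDM TRACE"=dword:00000001',
    "",
    "[" + SERVICES_PREFIX + "PLACEHOLDER_SVC]",
    '"Type"=dword:00000001',
    '"ImagePath"=' + _hex2(r"\??\C:\Windows\system32\Drivers\mrxcls.sys"),
    "",
])

if __name__ == "__main__":
    for finding in find_stuxnet_artifacts(parse_reg_export(SAMPLE_REG)):
        print("ARTIFACT:", finding)
```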
Worm Maker: Internet Worm Maker Thing

Internet Worm Maker Thing is a tool specifically designed for generating a worm. These generated Internet worms try to spread over networks; they are basically preset invasion proxy attacks that target the host technically, poison it, and establish a base and plans to launch the attack in future. The worms work independently. An Internet worm sends copies of itself via vulnerable computers on the Internet.

Figure: Internet Worm Maker Thing interface (worm name, author, version and owner fields; startup, infection and payload options; Compile To EXE support)
Module Flow

Malware analysis is defined as the action of taking malware apart to study it. It is usually performed for various reasons, such as finding the vulnerabilities that are exploited for spreading the malware, the information that was stolen, and the prevention techniques to be taken against it entering the system or network in future.

Module flow sections: Types of Viruses, Computer Worms, Malware Analysis, Countermeasures, Penetration Testing
What Is a Sheep Dip Computer?

Sheep dipping refers to the analysis of suspect files, incoming messages, etc. for malware. This "sheep dipped" computer is isolated from other computers on the network to block any viruses from entering the system. Before this procedure is carried out, any downloaded programs are saved on external media such as CD-ROMs or floppy diskettes. A sheep dip computer is installed with port monitors, file monitors, network monitors, and antivirus software, and connects to a network only under strictly controlled conditions. A sheep dip computer:

- Runs port and network monitors
- Runs user, group permission, and process monitors
- Runs device driver and file monitors
- Runs registry and kernel monitors
Antivirus Sensor Systems

An antivirus system is a collection of computer software that detects and analyzes various malicious code threats such as viruses, worms, and Trojans. They are used along with sheep dip computers.

Figure: antivirus sensor system. Traffic from the Internet passes through the Anti-Virus System (Anti-Virus, Anti-Spyware, Anti-Trojan, Anti-Spamware, Anti-Phishing, Email-Scanner); allowed traffic reaches System 1, System 2 and System 3 on the network, while reflected traffic is sent back
Malware Analysis Procedure: Preparing Testbed

- Install VMware or Virtual PC on the system
- Install guest OS into the Virtual PC/VMware

Malware Analysis Procedure: Preparing Testbed

Malware analysis provides in-depth understanding of each individual sample and identifies emerging technical trends from large collections of malware samples. The samples of malware are mostly Windows binary executables. Malware analysis is conducted with a variety of goals. The following is the procedure for preparing a malware analysis testbed:

- Install VMware or Virtual PC on the system
- Install guest OS into the Virtual PC/VMware
- Isolate the system from the network by ensuring that the NIC card is in "host only" mode
- Disable the shared folders and the guest isolation
- Copy the malware over to the guest OS
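An added example (not EC-Council's) that audits a VMware .vmx configuration for the isolation steps in the procedure above: NIC in host-only mode, shared folders disabled, and guest/host copy, paste and drag-and-drop disabled. The .vmx key names are the ones I know VMware uses, the bridged default for a NIC without a connectionType is my assumption, and both .vmx texts are constructed; Virtual PC has no equivalent text file, so it is not covered.

```python
from typing import Dict, List

def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict with lower-cased keys."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip().strip('"')
    return cfg

# (vmx key, required value, which testbed step it enforces)
ISOLATION_CHECKS = [
    ("isolation.tools.hgfs.disable", "true", "shared folders disabled"),
    ("isolation.tools.copy.disable", "true", "copy guest->host disabled"),
    ("isolation.tools.paste.disable", "true", "paste host->guest disabled"),
    ("isolation.tools.dnd.disable", "true", "drag-and-drop disabled"),
]

def audit_testbed(cfg: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the .vmx matches the procedure."""
    findings: List[str] = []
    # every present NIC must be host-only (assumed default: bridged)
    for key in sorted(cfg):
        if key.startswith("ethernet") and key.endswith(".present") \
                and cfg[key].lower() == "true":
            nic = key[: -len(".present")]
            conn = cfg.get(nic + ".connectiontype", "bridged").lower()
            if conn != "hostonly":
                findings.append(f"{nic} is '{conn}', not 'hostonly'")
    # no shared folder definitions may remain enabled
    for key in sorted(cfg):
        if key.startswith("sharedfolder") and key.endswith(".present") \
                and cfg[key].lower() == "true":
            findings.append(f"{key[: -len('.present')]} is present (shared folder still enabled)")
    for key, want, what in ISOLATION_CHECKS:
        if cfg.get(key, "false").lower() != want:
            findings.append(f"{key} should be {want.upper()} ({what})")
    return findings

# Constructed .vmx fragments: one as a fresh VM ships, one after hardening
WEAK_VMX = '''
.encoding = "UTF-8"
config.version = "8"
displayName = "malware-testbed"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "C:\\Samples"
'''

HARDENED_VMX = '''
displayName = "malware-testbed"
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"
isolation.tools.hgfs.disable = "TRUE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
'''

if __name__ == "__main__":
    for label, text in (("weak", WEAK_VMX), ("hardened", HARDENED_VMX)):
        print(label, audit_testbed(parse_vmx(text)) or ["OK"])
```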
Malware Analysis Procedure

Step 1: Perform static analysis while the malware is inactive
Step 2: Collect information about:
- String values found in the binary, with the help of string extracting tools such as BinText
- The packaging and compressing technique used, with the help of compression and decompression tools such as UPX
BinText

Source: http://www.mcafee.com

BinText can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double-byte ANSI) text, and resource strings, providing useful information for each item in the optional "advanced" view mode.
[Figure: BinText 3.0.3 scanning an executable from the Administrator desktop in advanced view, listing the file and memory position of each string, e.g. "!This program cannot be run in DOS mode", ".text", ".data", ".rsrc", "KERNEL32", "IsProcessorFeaturePresent", "General.AppName", "FilesToDelete", "FilesToKeep", "LoggingFlags", "ReportingFlags"; time taken 0.109 secs, text size 37340 bytes]
UPX

Source: http://upx.sourceforge.net

UPX achieves an excellent compression ratio and offers very fast decompression. It typically compresses better than WinZip/zip/gzip. In analysis, the relevant command is upx -d, which restores the original executable so that strings and imports become visible again; malware authors often tamper with the UPX header so that upx -d refuses to unpack, in which case the sample has to be dumped from memory after it unpacks itself.
    D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Compression and Decompression\UPX\upx308w\upx308w>upx.exe
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2011
    UPX 3.08w       Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

    Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

    Commands:
      -1     compress faster                   -9    compress better
      -d     decompress                        -l    list compressed file
      -t     test compressed file              -V    display version number
      -h     give more help                    -L    display software license
    Options:
      -q     be quiet                          -v    be verbose
      -oFILE write output to 'FILE'
      -f     force compression of suspicious files
      -k     keep backup files
    file..   executables to (de)compress

    Type 'upx --help' for more detailed help.

    UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net

Figure 7.27: UPX Working in Command Prompt
Malware Analysis Procedure (Cont'd)

Step 3: Set up the network connection (the isolated analysis network prepared earlier, not a live Internet link) and check that it is not giving any errors
Step 4: Run the virus and monitor the process actions and system information with the help of process monitoring tools such as Process Monitor and Process Explorer
Process Monitor

Source: http://technet.microsoft.com
[Figure: Process Monitor capture during the run, columns Time of Day, Process Name, PID, Operation, Path, Result, Detail: CreateFileMapping/CloseFile on C:\Windows\System32\imageres.dll, CreateFile under C:\Users\Administrator\AppData\Local\..., repeated ReadFile operations on files under C:\Windows\Microsoft.NET\Framework\... (Offset/Length details), and TCP Send/TCP Receive events between local ports 1055 and 1056 on WIN-MSSELCK4K41, all with result SUCCESS]
Malware Analysis Procedure (Cont'd)

Step 5: Record network traffic information using connectivity and packet content logging tools such as NetResident and TCPView
Step 6: Determine the files added, processes spawned, and changes to the registry with the help of registry monitoring tools such as RegShot
NetResident

Source: http://www.tamos.com

NetResident is a network content analysis application designed to monitor, store, and
[Figure: NetResident (evaluation version) event list for 10/5/2012, grouped by date and protocol: Web events from Party A WIN-LXQN3... (ports 1076 to 1205) to Party B hosts such as maa03s04-in... and mystart-ton.i... on ports 80 and 443. The Event Detail pane shows a POST request to http://news.google.co.in/news/xhr/rhc?authuser=0 with a "cid" tag whose value is a list of 14-digit identifiers; 180 bytes, status Connected]
Malware Analysis Procedure (Cont'd)

Step 7: Collect the following information using debugging tools such as OllyDbg and ProcDump:
- Service requests
- Attempts for incoming and outgoing connections
- DNS tables information
OllyDbg

Source: http://www.ollydbg.de

OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft Windows. Its emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
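The static part of the procedure (Step 2: strings and the packer check) can be automated in a few dozen lines. The following is an added example written for this chapter; it is not code from the course, from BinText or from the UPX project. It parses the PE section table, computes per-section entropy, looks for the UPX0/UPX1 section names and the "UPX!" marker that UPX leaves in the header area, and extracts ASCII and UTF-16 strings the way BinText does. The bytes it scans come from build_sample(), a constructed, minimal PE-shaped blob (not a runnable program and not a real sample), so the script runs offline; point triage() at the bytes of a real file to use it on a sample in the isolated guest.

```python
# Added example for the static-analysis steps (strings, packer detection);
# not code from the course or from BinText/UPX. build_sample() constructs a
# minimal PE-shaped byte blob so the script runs without a malware sample.
import math
import re
import struct
from collections import Counter


def pe_sections(data):
    """Parse the PE section table; returns dicts with name/virt_size/raw_size/raw_ptr."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "virt_size": vsize, "raw_size": rsize, "raw_ptr": rptr})
    return sections


def entropy(blob):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def extract_strings(data, min_len=6):
    """What BinText does: printable ASCII and UTF-16LE runs with their file offsets."""
    found = [(m.start(), "A", m.group().decode("ascii"))
             for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    found += [(m.start(), "U", m.group().decode("utf-16-le"))
              for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return sorted(found)


def triage(data):
    """Step 2 of the procedure in one report: strings plus packer indicators."""
    secs = pe_sections(data)
    names = [s["name"] for s in secs]
    section_entropy = {s["name"]: entropy(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
                       for s in secs}
    report = {
        "sections": names,
        # UPX names its sections UPX0/UPX1 and leaves a "UPX!" marker in the header area
        "upx_sections": "UPX0" in names and "UPX1" in names,
        "upx_marker": b"UPX!" in data,
        # an unpacking stub reserves a large, empty first section to decompress into
        "empty_first_section": bool(secs) and secs[0]["raw_size"] == 0 and secs[0]["virt_size"] > 0,
        "max_section_entropy": max(section_entropy.values(), default=0.0),
        "strings": [text for _off, _kind, text in extract_strings(data)],
    }
    report["likely_packed"] = (report["upx_sections"] or report["upx_marker"]
                               or report["max_section_entropy"] > 7.0)
    return report


def build_sample(packed=True):
    """Constructed PE-shaped blob (hypothetical layout, not a runnable executable)."""
    strings = b"KERNEL32.DLL\0LoadLibraryA\0GetProcAddress\0"

    def sec(name, vsize, vaddr, rsize, rptr):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rsize, rptr,
                                                   0, 0, 0, 0, 0x60000020)

    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x102)
    if packed:
        table = (sec(b"UPX0", 0x10000, 0x1000, 0, 0x200)        # empty and big: unpack target
                 + sec(b"UPX1", 0x400, 0x11000, 0x400, 0x200)   # compressed code plus stub
                 + sec(b".rsrc", 0x200, 0x12000, 0x200, 0x600))
        extra = b"UPX!" + b"\0" * 12 + strings
        # stand-in for compressed bytes: a permutation of 0..255 repeated, entropy exactly 8.0
        body = bytes((i * 167 + 11) % 256 for i in range(0x400))
    else:
        table = (sec(b".text", 0x400, 0x1000, 0x400, 0x200)
                 + sec(b".data", 0x200, 0x2000, 0x200, 0x600)
                 + sec(b".rsrc", 0x200, 0x3000, 0x200, 0x800))
        extra = b""
        body = (b"\x55\x8b\xec" + strings).ljust(0x400, b"\x90")  # prologue, strings, NOP padding
    headers = (dos + coff + table + extra).ljust(0x200, b"\0")
    data_sec = b"" if packed else b"\0" * 0x200
    rsrc = ("ReportingFlags".encode("utf-16-le") + b"\0\0").ljust(0x200, b"\0")
    return headers + body + data_sec + rsrc


if __name__ == "__main__":
    for label, blob in (("packed", build_sample(True)), ("plain", build_sample(False))):
        r = triage(blob)
        print(label, r["sections"], "packed:", r["likely_packed"],
              "max entropy: %.2f" % r["max_section_entropy"], r["strings"])
```

The packed variant yields almost no readable strings and a section entropy of 8.0, which is the signal that the strings step has to be repeated after unpacking; the plain variant exposes its KERNEL32 imports directly. Entropy above about 7 is only a hint: legitimately compressed resources and signed installers trigger it too, so treat it together with the section names and marker, not on its own.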
[Figure: OllyDbg CPU window with OLLYDBG.EXE loaded at its module entry point: disassembly around 004010xx with calls through the import jump table to KERNEL32.GetProcessHeap and KERNEL32.HeapFree, the register pane (ESP 0018FF88, segment registers, LastErr ERROR_MOD_NOT_FOUND), and the stack pane showing RETURN to 0019FF9C]
IDA Pro

Source: http://www.hex-rays.com

IDA Pro is a tool that allows you to explore software internals and vulnerabilities and to assess tamper resistance. It is an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment. It can also be used to audit software for privacy-violating behaviour. It is used by antivirus companies, research companies, software development companies, agencies, and military organizations.

Disassembler

The disassembler displays a program's instructions in symbolic (assembly) form even when only the binary is available, and presents the processor's instruction flow as execution maps (graphs). This also helps in identifying viruses: if, for example, a screensaver or a "gif" file attempts to spy on the user's internal applications, the disassembly in IDA Pro makes that behaviour visible. IDA Pro uses up-to-date techniques to trace difficult binary code and renders it as readable execution maps.

Debugger

The debugger is an interactive tool that complements the disassembler, so that static and dynamic analysis can be performed in one tool. Running the hostile code under the debugger gets past packing and obfuscation, because the code must unpack itself in memory before it can execute; the analyst can then examine the unpacked code in depth.
[Figure: IDA Demo 6.3 with C:\Program Files (x86)\IDA Demo 6.3\qwingraph.exe loaded: the Functions window lists sub_401070 through sub_403B30 (line 2 of 944); IDA View-A shows the WinMain prologue (locals var_C, var_8, var_4; arguments hInstance, hPrevInstance, lpCmdLine, nShowCmd) calling ds:GetCommandLineW, QString::fromWCharArray and QString::toLocal8Bit; the output window reports the FLIRT signature "Microsoft VisualC 2-10/net" and that the file may be explored]
VirusTotal

Source: http://www.virustotal.com

VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, Trojans, and all kinds of malware detected by antivirus engines. Features:
- Free and independent service
- Uses multiple antivirus engines
- Real-time automatic updates of virus signatures
- Gives detailed results from each antivirus engine
- Has real-time global statistics

Note that an uploaded file is shared with the participating vendors and with other subscribers of the service, so do not submit confidential documents or a sample whose submission would tip off an attacker that their tool has been found; looking up the file's hash first avoids uploading it at all.

[Figure: VirusTotal analysis page for an uploaded sample (file size 36 KB), listing per-engine detection names such as Backdoor.Win32.MoSucker and Win32:Trojan-gen from engines including AVG]
Other online malware analysis services:
- Metascan Online (http://www.metascan-online.com)
- Bitdefender QuickScan (http://www.bitdefender.com)
- GFI SandBox (http://www.gfi.com)
- ThreatExpert (http://www.threatexpert.com)
- UploadMalware.com (http://www.uploadmalware.com)
- Fortinet (http://www.fortiguard.com)
Module Flow

So far, we have discussed various viruses and worms and malware analysis. Now we will discuss the countermeasures to be applied to protect against viruses and worms, if any are found. These countermeasures help in enhancing security.

Module sections: Types of Viruses, Computer Worms, Malware Analysis, Countermeasures, Penetration Testing
Virus detection methods:
- Scanning: once a virus has been detected, it is possible to write scanning programs that look for signature strings characteristic of the virus
- Integrity checking: integrity checking products work by reading the entire disk and recording integrity data that acts as a signature for the files and system sectors
- Interception: the interceptor monitors the operating system requests that are written to the disk
Scanning

The moment a virus is detected in the wild, antivirus vendors across the globe start writing scanning programs that look for its signature strings (byte sequences characteristic of the virus). The strings are identified and extracted from the virus by the scanner writers. The resulting new scanners search memory, files, and system sectors for the signature strings of the new virus, and the scanner declares the presence of a virus once it finds a match. Only known, pre-defined viruses can be detected this way. Virus writers often create many "new" viruses by altering an existing one; what looks like a new virus may have taken just a few minutes to create, and attackers make these changes frequently to throw off the scanners.

In addition to signature recognition, newer scanners make use of other detection techniques such as code analysis: before looking at the code characteristics of a virus, the scanner examines the code at various locations in an executable file. Another approach is for the scanner to set up a virtual computer in RAM and test programs by executing them in that virtual space. This technique, called "heuristic scanning," can also be applied to messages that might carry a computer virus or other unwanted content, so that they can be checked and removed.

The major advantages of scanners are:
- They can check programs before they are executed
- They are the easiest way to check new software for any known virus

The major drawbacks of scanners are:
- Old scanners can prove unreliable. With the tremendous increase in new viruses, old scanners quickly become obsolete, so it is best to use the latest scanners available on the market
- Even a new scanner is never equipped to handle all new challenges, since viruses appear more rapidly than new scanners can be developed to battle them
Integrity Checking

Integrity checking products perform their function by reading the files and system sectors and recording integrity data (such as checksums) that serves as a signature or baseline for them. Some integrity products also apply built-in heuristics when checking a program. Because they detect any change rather than only specific known viruses, they cover the widest range of threats to data, and they are the most trusted way to learn the extent of the damage done by a virus, since they can check data against the originally established baseline.

A disadvantage of a basic integrity checker is that it cannot differentiate file corruption caused by a bug (or a legitimate update) from corruption caused by a virus. However, there are some advanced integrity checkers that are capable of analyzing and identifying the types of changes that viruses make. A few integrity checkers combine some of the antivirus techniques with integrity checking to create a hybrid, which also simplifies the virus checking process.
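The two methods above, and their complementary weaknesses, can be shown side by side. The following is an added example written for this chapter, not code from the course or from any antivirus product. Its signature database holds the real EICAR test string (which every scanner is required to detect) and one hypothetical string standing in for something extracted from a new sample; the "files" are a constructed in-memory dict of path to bytes, so nothing is written to disk and no real scanner is triggered (writing the EICAR string to a file on a machine with antivirus installed will, by design, set it off). The demo shows that an appended infection is caught by the signature scan, that a one-byte variant of the same virus slips past it, and that the integrity baseline catches both, at the price of also flagging any legitimate change.

```python
# Added example for the scanning and integrity-checking methods; not code from
# the course or from any antivirus product. All "files" live in memory.
import hashlib

# EICAR is the industry-standard harmless test string; real scanners must flag it.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

SIGNATURES = {
    "EICAR-Test-File": EICAR,
    # hypothetical entry: stands in for a string extracted from a newly found virus
    "Hypothetical.Dropper": b"FilesToDelete\0FilesToKeep\0",
}


def scan(files, signatures=SIGNATURES):
    """Signature scanning: name every file that contains a known byte pattern."""
    hits = {}
    for path, content in files.items():
        matched = [name for name, sig in signatures.items() if sig in content]
        if matched:
            hits[path] = matched
    return hits


def baseline(files):
    """Integrity checking, part 1: record a SHA-256 per file as the trusted baseline."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def verify(files, base):
    """Integrity checking, part 2: classify every path against the baseline."""
    current = baseline(files)
    return {
        "modified": sorted(p for p in base if p in current and current[p] != base[p]),
        "added": sorted(p for p in current if p not in base),
        "missing": sorted(p for p in base if p not in current),
        "unchanged": sorted(p for p in base if p in current and current[p] == base[p]),
    }


def demo():
    """Constructed file set, kept in memory so nothing touches the disk or a real scanner."""
    clean = {
        "C:/Windows/notepad.exe": b"MZ\x90\0" + b"\xcc" * 64,
        "C:/Users/a/report.docx": b"PK\x03\x04" + b"d" * 32,
    }
    base = baseline(clean)                      # taken while the system is known clean
    infected = dict(clean)
    # a file infector appends its body to an existing program: the scanner catches this
    infected["C:/Windows/notepad.exe"] = clean["C:/Windows/notepad.exe"] + EICAR
    # a dropper carrying the hypothetical string: also caught by the scanner
    infected["C:/Users/a/dropper.exe"] = b"MZ" + b"FilesToDelete\0FilesToKeep\0"
    # a "new" variant made by altering one byte: the scanner misses it, the baseline does not
    infected["C:/Users/a/invoice.exe"] = EICAR.replace(b"EICAR", b"EICAS")
    return {"scan": scan(infected), "integrity": verify(infected, base)}


if __name__ == "__main__":
    result = demo()
    print("signature hits:", result["scan"])
    print("integrity:", result["integrity"])
```

Note what each report leaves out: the scan says nothing about invoice.exe, and the integrity report lists notepad.exe as modified without saying why, which is exactly the "bug or virus" ambiguity described above; in practice the two are run together.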
Interception

The main use of an interceptor is for deflecting logic bombs and Trojans.

The interceptor monitors requests to the operating system for network access or for actions that pose a threat to a program. If it finds such a request, the interceptor generally pops up and asks whether the user wants to allow the request to continue. There is no dependable way to intercept direct branches into low-level code or direct input/output instructions issued by a virus, and in some cases the virus is capable of disabling the monitoring program itself: some years back it took only eight bytes of code to turn off the monitoring functions of a widely used antivirus program.
Virus and Worms Countermeasures

Preventive measures need to be followed in order to lessen the possibility of virus infections and data loss. If certain rules and actions are adhered to, the possibility of falling victim to a virus can be minimized. Some of these methods include:
- Install antivirus software that detects and removes infections as they appear
- Generate an antivirus policy for safe computing and distribute it to the staff
- Pay attention to the instructions while downloading files or any programs from the Internet
- Update the antivirus software regularly (automatic daily signature updates rather than a monthly schedule), so that it can identify and clean out new threats
- Avoid opening attachments received from an unknown sender, as viruses spread via email attachments
- Since a virus infection may corrupt data, regularly maintain data backups
- Schedule regular scans for all drives after the installation of antivirus software
- Do not accept disks or programs without checking them first using a current version of an antivirus program
Virus and Worms Countermeasures (Cont'd)
- Run disk cleanup, a registry scanner, and defragmentation once a week
- Turn on the host firewall (on older systems such as Windows XP it may not be enabled by default)
- Do not boot the machine with an infected bootable system disk
- Block files with more than one file type extension (for example, invoice.pdf.exe)
- Be cautious with files sent through instant messengers
[Figure: Immunet console (http://www.immunet.com), Summary and Scan tabs, showing a completed scan with files scanned, threats detected, threats removed and elapsed time, the community counter "2,478,268 people protected", and an upgrade offer for Immunet Plus 3.0 listing advanced rootkit removal, enhanced offline protection and technical support]
Companion Antivirus: Immunet

Source: http://www.immunet.com

"Companion antivirus" means that Immunet is compatible with existing antivirus solutions and adds an extra, lightweight layer of protection. Immunet's own claim is that traditional antivirus solutions detect on average only 50% of online threats, leaving most users under-protected, which is why it positions itself as an essential additional layer for every PC. Immunet Protect's detection relies on two engines, ETHOS (heuristics-based) and SPERO (cloud-based). Users of the Plus version also benefit from a third engine, TETRA, which provides protection when the machine is not connected to the Internet.
Antivirus Tools

Antivirus tools prevent, detect, and remove viruses and other malicious code from your system. They protect the system and clean viruses from incoming and outgoing email messages and instant messenger attachments, and they monitor the network's traffic for malicious activity. A few antivirus tools that can be used to detect and remove viruses on a system are:
- AVG Antivirus, available at http://free.avg.com
- BitDefender, available at http://www.bitdefender.com
- Kaspersky Anti-Virus, available at http://www.kaspersky.com
- Trend Micro Internet Security Pro, available at http://apac.trendmicro.com
- Norton AntiVirus, available at http://www.symantec.com
- F-Secure Anti-Virus, available at http://www.f-secure.com
- Avast Pro Antivirus, available at http://www.avast.com
- McAfee AntiVirus Plus 2013, available at http://home.mcafee.com
- ESET Smart Security 5, available at http://www.eset.com
- Total Defense Internet Security Suite, available at http://www.totaldefense.com
Module Flow

Penetration testing must be conducted against viruses and worms, as they are among the most widely used means of attack and do not require extensive knowledge to use. Hence, you should conduct pen testing on your system or network before a real attacker exploits it.

This section provides insight into virus and worm pen testing.
CEH
Install an anti-virus program on the network infrastructure and on the end-user's system Update the anti-virus software to update your virus database of the newly identified viruses Scan the system for viruses, which helps to repair damage or delete files infected with viruses
4 v i\ \
J
VIRUS .
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
S et the anti-virus to
Virus is removed?
>
System is safe
V ____
Go to safe m ode and
IX
Set the anti-virus software to compare file contents with the known computer virus signatures, identify infected files, quarantine and repair them if possible or delete them if not Ifthe virus is not removed then go to safe mode and delete the infected file manually
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
itk iu l
t U t k m
Scan the system for running processes, registry entries, startup programs, files and folders integrity and services If any suspicious process, registry entry, startup program or service is discovered, check the associated executable files Collect more information about these from publisher's websites if available, and Internet Check the startup programs and determine if all the programs in the list can be recognized with known functionalities Check the data files for modification or manipulation by opening several files and comparing hash value of these files with a pre-computed hash
Q Use tools such as jvl6 Power Tools 2012 and Reg Organizer 0 Scan for Windows services Use tools such as SrvManand ServiWin
- Check the critical OS files for modification or manipulation using tools such as TRIPWIRE, or by manually comparing hash values if you have a backup copy
- Document all your findings from the previous steps; it helps in determining the next action if viruses are identified in the system
- Isolate the infected system from the network immediately to prevent further infection
- Sanitize the complete system for viruses using an updated anti-virus
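The hash-comparison steps above (comparing data files and critical OS files against a pre-computed hash) can be carried out with a small baseline-and-rescan check. The following Python is an added example, not code from the CEH module or from TRIPWIRE; the file names and contents are constructed for the demonstration.

```python
"""Added example: minimal file-integrity check. A baseline of SHA-256
hashes is computed first; a later scan is compared against it and files
that were modified, removed, or newly added are reported. All paths and
file contents below are constructed for the demonstration."""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Pre-compute hashes for every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def compare_to_baseline(root: str, baseline: dict) -> dict:
    """Rescan root and classify each path as modified, missing, or new."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then alter one file, delete one, add one."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("boot.ini", b"orig"), ("svc.dll", b"lib"), ("readme.txt", b"x")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)           # the pre-computed hashes
        with open(os.path.join(root, "svc.dll"), "ab") as f:
            f.write(b"appended-bytes")            # simulated tampering with a library
        os.remove(os.path.join(root, "readme.txt"))
        with open(os.path.join(root, "unknown.exe"), "wb") as f:
            f.write(b"new")                       # simulated unexpected new file
        return compare_to_baseline(root, baseline)
```

In practice the baseline must be taken from a known-clean state and stored off the host, or an attacker who has already modified the files can rewrite the baseline as well.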
Module Summary
- A virus is a self-replicating program that produces its own code by attaching copies of itself into other executable codes, whereas worms are malicious programs that replicate, execute, and spread across network connections independently without human interaction
- Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met
- Viruses are categorized according to the file they infect and the way they work
- The lifecycle of viruses and worms includes the designing, replication, launching, detection, incorporation, and elimination stages
- A computer gets infected by viruses, worms, and other malware due to not running the latest anti-virus application, not updating and not installing new versions of plug-ins, installing pirated software, opening infected e-mail attachments, or downloading files without properly checking the source
- Several virus and worm development kits such as JPS Virus Maker are available in the wild that can be used to create malware without any technical knowledge
- Virus detection methods include system scanning, file integrity checking, and monitoring OS requests
- Virus and worm countermeasures include installing anti-virus software and following an anti-virus policy for safe computing
Module Summary
A virus is a self-replicating program that produces its own code by attaching copies of itself into other executable codes, whereas worms are malicious programs that replicate, execute, and spread across network connections independently without human interaction. Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met. Viruses are categorized according to the file they infect and the way they work. The lifecycle of viruses and worms includes the designing, replication, launching, detection, incorporation, and elimination stages. A computer gets infected by viruses, worms, and other malware due to not running the latest antivirus application, not updating and not installing new versions of plug-ins, installing pirated software, opening infected email attachments, or downloading files without properly checking the source. Several virus and worm development kits such as JPS Virus Maker are available in the wild that can be used to create malware without any technical knowledge.
Virus and worm countermeasures include installing antivirus software and following antivirus policies for safe computing.