Ce hv8 module 07 viruses and worms

Ethical Hacking and Countermeasures
Viruses and W orm s

Exam 312-50 C ertified Ethical Hacker

V iru se s and W orm s
M o d u le 07

Engineered by Hackers. Presented by Professionals.

M

E th ic a l H a c k in g

a n d

C o u n te rm e a s u re s v 8

M o d u le 0 7 : V iru s e s a n d W o r m s
E xam 3 1 2 -5 0

M odule 07 Page 1007

Ethical Hacking and C ounterm easures Copyright © by EC-C0linCil
All Rights Reserved. Reproduction is S trictly Prohibited.

Viruses and W orm s


CEH

Secu rity N ew s
I GlobalResearch

H om e

P ro d u c ts

About

5«rv*ccs

O ctobe r 1 9 ,2 0 1 2

G lo b al C y b e r-W arfa re T a c tic s : N e w F la m e -lin k e d
M a lw a re used in “ C y b e r-E s p io n a g e ”
A n e w c y b e r e s p io n a g e p ro g ra m lin k e d t o th e n o to r io u s F lam e and Gauss m a lw a re has bee n d e te c te d by Russia's K aspersky Lab.
T he a n ti-v iru s g ia n t's c h ie f w a rn s t h a t g lo b a l c y b e r w a rfa r e is in " f u ll s w in g " a n d w ill p ro b a b ly e s c a la te in 2013.
T h e v iru s , d u b b e d m in iF la m e , a n d a lso k n o w n as SPE, has a lre a d y in fe c te d c o m p u te rs in Ira n , L e b a n o n , France, t h e U n ite d
S ta te s a n d L ith u a n ia . It w as dis c o v e re d in July 20 1 2 a n d is d e s c rib e d as "a small and highly flexible malicious program designed

to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a s ta te m e n t p o s te d
o n its w e b s ite .
T he m a lw a re w a s o rig in a lly id e n tifie d as an a p p e n d a g e o f F lam e - th e p ro g ra m used f o r ta rg e te d c y b e r e spionage in th e M id d le
East a n d a c k n o w le d g e d to be p a r t o f jo in t U S -ls ra e li e ffo r ts t o u n d e rm in e Iran 's n u c le a r p ro g ra m .
B u t la te r, K aspersky Lab a n a ly s ts d is c o v e re d t h a t m in iF la m e is a n "interoperable tool th a t could be used as an independent
malicious program, o r concurrently as a plug-in f o r both the Flame and Gauss m alw are."
^ ^ ^ ^ T h e a n a l y s i s a lso s h o w e d n e w e v id e n c e o f c o o p e ra tio n b e tw e e n th e c re a to rs o f F lam e a n d G a u s s ^ ^ ^ ^ ^ —

http ://www. globa/research, ca
Copyright © by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.

S e c u rity N e w s
an

M

G lo b a l C y b e r - W a r fa r e T a c tic s : N e w

M

M a lw a re u s e d in

F la m e - lin k e d

“ C y b e r-E s p io n a g e ”

S o u rc e : h t t p : / / w w w . g l o b a l r e s e a r c h . c a
A n e w c y b e r e s p io n a g e p r o g r a m lin k e d t o t h e n o t o r i o u s F la m e a n d G auss m a l w a r e has b e e n
d e t e c t e d b y Russia's K a s p e rsky Lab. T h e a n t i v i r u s g ia n t 's c h ie f w a r n s t h a t g lo b a l c y b e r w a r f a r e
is in " f u l l s w i n g " a n d p r o b a b l y e s c a la te in 2 0 1 3 .
T h e v iru s , d u b b e d m in iF la m e , a nd also k n o w n as SPE, has a lr e a d y i n f e c t e d c o m p u t e r s in Iran,
L e b a n o n , F rance, t h e

U n ite d States, a n d

L ith u a n ia . It w a s d is c o v e r e d

in July 2 0 1 2 a n d

is

d e s c r ib e d as "a s m a ll a n d h ig h ly f le x ib le m a lic io u s p r o g r a m d e s ig n e d t o ste a l d a ta a n d c o n t r o l
in fe c te d

s y s te m s

d u r in g

ta rg e te d

cyber

e s p io n a g e

o p e ra tio n s ,"

K a sp e rsky

Lab said

in a

s t a t e m e n t p o s te d o n its w e b s i t e .
The m a lw a re

w a s o r i g i n a l l y i d e n t if ie d

as an a p p e n d a g e o f F lam e, t h e

p ro g ra m

u sed f o r

t a r g e t e d c y b e r e s p io n a g e in t h e M i d d l e East a n d a c k n o w l e d g e d t o be p a r t o f j o i n t US-lsraeli
e f f o r t s t o u n d e r m i n e Ira n 's n u c l e a r p r o g r a m .


Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil

Viruses and W orm s


B u t la t e r , K a sp e rsky Lab a n a ly s ts d is c o v e r e d t h a t m i n i F l a m e is an " i n t e r o p e r a b l e t o o l t h a t c o u ld
be used as an i n d e p e n d e n t m a lic io u s p r o g r a m , o r c o n c u r r e n t l y as a p lu g - in f o r b o t h t h e Flam e
a n d Gauss m a l w a r e . "
T h e a na lysis also s h o w e d n e w e v id e n c e o f c o o p e r a t i o n b e t w e e n t h e c r e a t o r s o f F la m e a nd
Gauss, as b o t h v iru s e s can use m in i F la m e f o r t h e i r o p e r a t i o n s .
" M i n i F l a m e ' s a b i l it y t o be used as a p lu g - in b y e i t h e r F lam e o r Gauss c le a r ly c o n n e c ts t h e
c o ll a b o r a t i o n b e t w e e n t h e d e v e l o p m e n t t e a m s o f b o t h F la m e a n d Gauss. Since t h e c o n n e c t i o n
b e t w e e n F la m e a n d S t u x n e t / D u q u has a lr e a d y b e e n r e v e a le d , it can be c o n c l u d e d t h a t all th e s e
a d v a n c e d t h r e a t s c o m e f r o m t h e s a m e 'c y b e r w a r f a r e ' f a c t o r y , " K a s p e r s k y Lab said.
H ig h - p r e c is io n a tta c k to o l
So f a r j u s t 5 0 t o 6 0 cases o f in f e c t i o n h a v e b e e n d e t e c t e d w o r l d w i d e , a c c o r d in g t o K a sp e rs ky
Lab. B u t u n lik e F lam e a n d Gauss, m in iF la m e in m e a n t f o r in s t a l l a t i o n o n m a c h in e s a lr e a d y
i n f e c t e d b y t h o s e v iru se s .
" M i n i F l a m e is a h ig h - p r e c is io n a t t a c k t o o l . M o s t lik e ly it is a t a r g e t e d c y b e r w e a p o n used in
w h a t can be d e f i n e d as t h e s e c o n d w a v e o f a c y b e r a t t a c k , " K a s p e rsk y's C h ie f S e c u r ity E x p e rt
A l e x a n d e r G o s te v e x p la in e d .
"F ir s t, F la m e o r Gauss a re used t o in f e c t as m a n y v i c t i m s as p o s s ib le t o c o lle c t la rg e q u a n t i t i e s
o f i n f o r m a t i o n . A f t e r d a ta is c o lle c te d a n d r e v i e w e d , a p o t e n t i a l l y i n t e r e s t i n g v i c t i m is d e f i n e d
a n d i d e n t if ie d , a n d m in iF la m e is in s t a lle d in o r d e r t o c o n d u c t m o r e in - d e p t h s u r v e il l a n c e a nd
c y b e r-e s p io n a g e ."
T h e n e w l y - d i s c o v e r e d m a l w a r e can also t a k e s c r e e n s h o t s o f an i n f e c t e d c o m p u t e r w h i l e it is
r u n n i n g a s p e c ific p r o g r a m o r a p p li c a t i o n in such as a w e b b r o w s e r , M i c r o s o f t O ffic e p r o g r a m ,
A d o b e R eader, i n s t a n t m e s s e n g e r se rv ic e o r FTP c lie n t.
K a sp e rsky Lab b e lie v e s m in i F la m e 's d e v e lo p e r s h a v e p r o b a b l y c r e a te d d o z e n s o f d i f f e r e n t
m o d i f i c a t i o n s o f t h e p r o g r a m . " A t t h i s t i m e , w e h a v e o n l y f o u n d six o f th e s e , d a t e d 2 0 1 0 - 2 0 1 1 , "
t h e f i r m said.
‘C y b e r w a rfa re

i n f u ll s w i n g ’

M e a n w h i l e , K a s p e rs k y Lab's c o - f o u n d e r a n d CEO E u ge n e K a s p e rs k y w a r n e d t h a t g lo b a l c y b e r
w a r f a r e ta c tic s a re b e c o m i n g m o r e s o p h is t ic a t e d w h i l e also b e c o m i n g m o r e t h r e a t e n i n g . He
u rg e d g o v e r n m e n t s t o w o r k t o g e t h e r t o f i g h t c y b e r w a r f a r e a n d c y b e r - t e r r o r i s m , X in h u a n e w s
a g e n c y r e p o r ts .
S p e a k in g a t an I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n io n T e le c o m W o r l d c o n f e r e n c e in D u b a i,
t h e a n t i v i r u s t y c o o n said, " c y b e r w a r f a r e is in fu ll s w in g a nd w e e x p e c t it t o e s c a la te in 2 0 1 3 ."
" T h e la t e s t m a lic io u s v ir u s a t t a c k o n t h e w o r l d ' s la r g e s t o il a n d gas c o m p a n y , Saudi A r a m c o , last
A u g u s t s h o w s h o w d e p e n d e n t w e a re t o d a y o n t h e I n t e r n e t a nd i n f o r m a t i o n t e c h n o l o g y in
g e n e r a l, a n d h o w v u ln e r a b l e w e a r e ," K a sp e rs ky said.
He s t o p p e d s h o r t o f b la m i n g a n y p a r t i c u l a r p la y e r b e h in d t h e m a s s iv e c y b e r - a t t a c k s across t h e
M i d d l e East, p o i n t i n g o u t t h a t " o u r j o b is n o t t o i d e n t i t y h a c k e rs o r c y b e r - t e r r o r i s t s . O u r f i r m is



Viruses and W orm s


like an X -ra y m a c h in e , m e a n i n g w e can scan a n d i d e n t i f y a p r o b l e m , b u t w e c a n n o t say w h o o r
w h a t is b e h in d i t . "
Iran, w h o c o n f i r m e d t h a t it s u f f e r e d an a t t a c k b y F la m e m a l w a r e t h a t ca u s e d s e v e re d a ta loss,
b la m e s t h e U n i t e d S ta te s a nd Israel f o r u n l e a s h i n g t h e c y b e r - a tta c k s .

C o p y r i g h t © 2 0 0 5 - 2 0 1 2 G lo b a lR e s e a r c h .c a
B y R u s s ia T o d a y

http://www.globalresearch.ca/global-cyber-warfare-tactics-new-flame-linked-malware-used-incyber-espionage/5308867



Viruses and W orm s


CEH

M odule O b jectives
J

Introduction to Viruses

J

Computer Worms

J

Stages of Virus Life

J

Worm Analysis

J

Working of Viruses

J

Worm Maker

J

Indications of Virus Attack

J

Malware Analysis Procedure

J

How does a ComputerGet Infected
by Viruses

J

Online Malware Analysis Services

y

Virus Analysis

J

Virus and Worms Countermeasures

J

Types of Viruses

J

Antivirus Tools

J

Virus Maker

J

Penetration Testing for Virus

Copyright © by

EC auactl. All Rights Reserved. Reproduction is Strictly Prohibited.
-C

M o d u le O b je c tiv e s
T h e o b j e c t iv e o f th is m o d u l e is t o e x p o s e y o u t o t h e v a r io u s v iru s e s a n d w o r m s
a v a ila b le to d a y . It g ive s y o u i n f o r m a t i o n a b o u t all t h e a v a ila b le v iru s e s a n d w o r m s . This m o d u l e
e x a m in e s t h e w o r k i n g s o f a c o m p u t e r v iru s , its f u n c t i o n , c la s s ific a tio n , a n d t h e m a n n e r in w h i c h
it a ffe c ts s y s te m s . T his m o d u l e w ill go i n t o d e ta il a b o u t t h e v a r io u s c o u n t e r m e a s u r e s a v a ila b le
t o p r o t e c t a g a in s t th e s e v ir u s i n f e c tio n s . T h e m a in o b j e c t iv e o f th is m o d u l e is t o e d u c a t e y o u
a b o u t t h e a v a ila b le v iru s e s a nd w o r m s , i n d i c a t i o n s o f t h e i r a t t a c k a nd t h e w a y s t o p r o t e c t
a g a in s t v a r io u s v iru s e s , a n d t e s t i n g y o u r s y s te m o r n e t w o r k a g a in s t v iru s e s o r w o r m s p re s e n c e .
T his m o d u l e w i ll f a m i l i a r i z e y o u w i t h :
0

I n t r o d u c t i o n t o V iru s e s

0

C o m p u te r W o rm s

0

Stages o f V ir u s Life

0

W o r m A n a ly s is

0

W o r k i n g o f V iru s e s

0

W o rm M aker

0

I n d ic a tio n s o f V ir u s A t t a c k

0

M a l w a r e A n a ly s is P r o c e d u r e

0

How

0

O n lin e M a l w a r e A n a ly s is Services

0

V ir u s a nd W o r m s

D oes

a

C o m p u te r

V iru se s?
0

T y p e s o f V iru s e s

In f e c t e d

by

C o u n te rm e a su re s

V ir u s A n a ly s is

0

Get

Modute07

!M a k e r

0

A n t i v i r u s T o o ls

Ethical H a c k if^ a n P ^ f i t F i S t i a n e T e ^ Q g t f e f y V i F W f i l l C i l

Viruses and W orm s


Module Flow

Virus and
Worms
Concepts

Typ e s of
Viruses

Penetration
Testing

Com puter
Worms

Countermeasures

M alware
Analysis

Copyright © by

E&Ctlllcil. All Rights Reserved. Reproduction is Strictly Prohibited.

M o d u le F lo w
T his s e c tio n in t r o d u c e s y o u t o v a r io u s v iru s e s a n d w o r m s a v a ila b le t o d a y a n d g ive s y o u
a b r i e f o v e r v i e w o f e a ch v ir u s a n d s t a t i s t i c s o f v iru s e s a n d w o r m s in t h e r e c e n t y e a rs. It lists
v a r io u s t y p e s o f v iru s e s a nd t h e i r e f fe c ts o n y o u r s y s te m . T h e w o r k i n g o f v iru s e s in e a c h p h a s e
has w i ll be d iscu sse d in d e ta il. T h e t e c h n i q u e s used b y t h e a t t a c k e r t o d i s t r i b u t e m a l w a r e o n
t h e w e b a re h ig h lig h t e d .

M alware Analysis

V ir u s a n d W o r m s C o n c e p t

,‫• נ‬

Types of Viruses

‫— /י‬

Computer W orm s

fj| Countermeasures
||‫־‬
^

Penetration Testing

V ‫— ׳׳‬



Viruses and W orm s


Introduction to V iru se s

C EH

_l A virus is a self-replicating program that produces its own copy by attaching itself
to another program, computer boot sector or document
J

Viruses are generally transmitted through file downloads, infected disk/flash
drives and as email attachments

V ir u s C h a r a c t e r is t ic s

Alters Data

Infects Other Program

V

%
Corrupts Files and
Programs

Transforms Itself

m

F*

Encrypts Itself

m

Copyright © by

Self Propagates

%
#
1 f §

1

-C

‫ ןא‬I n t r o d u c t i o n to V i r u s e s
C o m p u t e r v i r u s e s h a v e t h e p o t e n t i a l t o w r e a k h a v o c o n b o t h b u sin e ss a n d p e r s o n a l
c o m p u t e r s . W o r l d w i d e , m o s t b u sin e sse s h a ve b e e n i n f e c t e d a t s o m e p o i n t . A v ir u s is a se lfr e p li c a t i n g p r o g r a m t h a t p r o d u c e s its o w n c o d e b y a t t a c h i n g c o p ie s o f it i n t o o t h e r e x e c u ta b le
c o d e s. T his v ir u s o p e r a t e s w i t h o u t t h e k n o w l e d g e o r d e s ire o f t h e user. Like a real v iru s , a
c o m p u t e r v ir u s is c o n t a g i o u s a n d can c o n t a m i n a t e o t h e r file s. H o w e v e r , v iru s e s can i n f e c t
o u t s i d e m a c h in e s o n l y w i t h t h e a ss ista n ce o f c o m p u t e r users. S o m e v iru s e s a f f e c t c o m p u t e r s as
soon

as t h e i r c o d e is e x e c u t e d ; o t h e r v iru s e s lie d o r m a n t u n t i l a p r e - d e t e r m i n e d

logical

c i r c u m s t a n c e is m e t . T h e r e a re t h r e e c a te g o r ie s o f m a lic io u s p r o g r a m s :
0

T r o ja n s a n d r o o t k i t s

0

V iru s e s

0

W o rm s

A w o r m is a m a lic io u s p r o g r a m t h a t can in f e c t b o t h local a n d r e m o t e m a c h in e s . W o r m s s p re a d
a u t o m a t i c a l l y b y in f e c t i n g s y s te m a f t e r s y s te m in a n e t w o r k , a n d e v e n s p r e a d in g f u r t h e r t o
o t h e r n e t w o r k s . T h e r e f o r e , w o r m s h a ve a g r e a t e r p o t e n t i a l f o r c a u s in g d a m a g e b e c a u s e t h e y
d o n o t r e ly o n t h e u s e r's a c tio n s f o r e x e c u t i o n . T h e r e a re also m a l i c i o u s p r o g r a m s in t h e w i ld
t h a t c o n t a i n all o f t h e f e a t u r e s o f th e s e t h r e e m a lic io u s p r o g r a m s .



Viruses and W orm s


Virus and Worm Statistics

75,000,000

60,000,000

45,000,000

30,000,000

15,000,000

2010

2008

Copyright © by

2011

2012
http://www.av-test. org

E&Ctinctl. All Rights Reserved. Reproduction is Strictly Prohibited.

^ V iru s a n d W o rm S ta tis tic s
S o u rc e : h t t p : / / w w w . a v - t e s t . o r g
T his g ra p h ic a l r e p r e s e n t a t i o n g ive s d e t a i le d i n f o r m a t i o n o f t h e a t t a c k s t h a t h a v e o c c u r r e d in
t h e r e c e n t y e a rs. A c c o r d i n g t o t h e g r a p h , o n l y 1 1 ,6 6 6 , 6 6 7 s y s te m s w e r e a f f e c t e d b y v iru s e s a nd
w orm s

in t h e

year 2008,

w he re a s

in t h e

ye ar 2012, th e

c o u n t d ra s tic a lly

in c r e a s e d

to

7 0 ,0 0 0 ,0 0 0 s y s te m s , w h i c h m e a n s t h a t t h e g r o w t h o f m a l w a r e a tta c k s o n s y s te m s is in c r e a s in g
e x p o n e n t ia l ly y e a r b y ye a r.



Viruses and W orm s


7 5 .0 0 0 .0 0 0

6 0 .0 0 0 .0 0 0

4 5 .0 0 0 .0 0 0

3 0 .0 0 0 .0 0 0

1 5 .0 0 0 .0 0 0

0
2008

2009

2010

2011

2012

FIGURE 7.1: Virus and Worm Statistics


Ethical Hacking and C ounterm easures Copyright © by EC-COUIlCil

Viruses and W orm s


Design

Replication

Launch

D eveloping virus

V iru s replicates fo r

code using

a perio d o f tim e

It gets activated w ith
th e user p e rfo rm in g

p ro g ra m m in g

w ith in th e ta rg e t

certa in action s such

languages or

system and th e n

as ru n n in g an

c o n s tru c tio n kits

spreads its e lf

in fected program

Incorporation

Detection

Users in s ta ll

Elim ination

A n tiv iru s s o ftw a r e

A v iru s is id e n tifie d

a n tiv iru s u p d a te s

d e v e lo p e rs

as t h re a t in fe c tin g

a n d e lim in a te th e

a s s im ila te d efenses

ta rg e t system s

v iru s th re a ts

a g a in s t th e viru s

S t a g e s o f V i r u s L ife
C o m p u t e r v ir u s a tta c k s s p re a d t h r o u g h v a r io u s sta ge s f r o m i n c e p t io n t o d e s ig n t o
e lim in a tio n .

1.

Design:
A v ir u s c o d e is d e v e lo p e d by u s in g p r o g r a m m i n g la n g u a g e s o r c o n s t r u c t i o n kits. A n y o n e
w i t h basic p r o g r a m m i n g k n o w l e d g e can c r e a te a viru s .

2.

Replication:
A v ir u s f i r s t r e p lic a te s it s e lf w i t h i n a t a r g e t s y s te m o v e r a p e r io d o f t i m e .

3.

Launch:
It is a c t i v a t e d w h e n a u s e r p e r f o r m s c e r t a i n a c tio n s such as t r i g g e r i n g o r r u n n i n g an
in fe c te d p ro g ra m .

4.

Detection:
A v ir u s is i d e n t if ie d as a t h r e a t i n f e c t i n g t a r g e t s y s te m s . Its a c tio n s ca use c o n s id e r a b le
d a m a g e t o t h e t a r g e t s y s te m 's d a ta .



Viruses and W orm s

5.


Incorporation:
A n t i v i r u s s o f t w a r e d e v e l o p e r s a s s e m b l e d e f e n s e s a g a in s t t h e viru s .

6.

Elimination:
Users a re a d v is e d t o in s ta ll a n t i v i r u s s o f t w a r e u p d a te s , t h u s c r e a t i n g a w a r e n e s s a m o n g
user g ro up s



Viruses and W orm s


Working of Viruses: Infection
Phase
Infection
Phase

J

In the infection phase, the virus replicates itself
and attaches to an .exe file in the system

Before Infection

After Infection

*
C lean File

V iru s In fe c te d
File

Copyright © by

E -G
G 0llicil. All Rights Reserved. Reproduction is Strictly Prohibited.

W o rk in g o f V iru se s: In fe c tio n P h a s e
V ir u s e s

a tta c k

a ta rg e t

h o s t's

s y s te m

by

u sin g

v a r io u s

m e th o d s .

They

a tta c h

t h e m s e l v e s t o p r o g r a m s a n d t r a n s m i t t h e m s e l v e s t o o t h e r p r o g r a m s by m a k in g use o f c e r ta in
e v e n ts . V iru s e s n e e d such e v e n ts t o ta k e p la ce sin ce t h e y c a n n o t:
©

S e lf s t a r t

©

In f e c t o t h e r h a r d w a r e

©

Cause p h y s ic a l d a m a g e t o a c o m p u t e r

©

T r a n s m i t t h e m s e l v e s u sin g n o n - e x e c u t a b l e file s

G e n e r a lly v iru s e s h a ve t w o phases, t h e i n f e c t i o n p h a s e a n d t h e a t t a c k p h a s e .
In t h e i n f e c t i o n p ha se, t h e v i r u s r e p li c a t e s i t s e lf a n d a t t a c h e s t o an .e xe f ile in t h e s y s te m .
P r o g r a m s m o d i f i e d by a v ir u s i n f e c t i o n can e n a b le v ir u s f u n c t i o n a l i t i e s t o ru n o n t h a t s y s te m .
V iru s e s g e t e n a b le d as s o o n as t h e i n f e c t e d p r o g r a m is e x e c u te d , since t h e p r o g r a m c o d e leads
t o t h e v ir u s c o d e . V ir u s w r i t e r s h a v e t o m a i n t a i n a b a la n c e a m o n g f a c t o r s such as:
©

H o w w i ll t h e v ir u s in f e c t?

©

H o w w i ll it s p re a d ?

©

H o w w i ll it re s id e in a t a r g e t c o m p u t e r ' s m e m o r y w i t h o u t b e in g d e t e c t e d ?



Viruses and W orm s


O b v io u s ly , v iru s e s h a v e t o b e t r i g g e r e d a n d e x e c u t e d in o r d e r t o f u n c t i o n . T h e r e a re m a n y w a y s
t o e x e c u te p r o g r a m s w h i l e a c o m p u t e r is r u n n in g . For e x a m p le , a n y s e tu p p r o g r a m calls f o r
n u m e r o u s p r o g r a m s t h a t m a y be b u i l t i n t o a s y s te m , a n d s o m e o f th e s e a re d i s t r i b u t i o n
m e d i u m p r o g r a m s . T hu s, if a v ir u s p r o g r a m a lr e a d y exists, it can be a c tiv a te d w i t h t h is k in d o f
e x e c u t i o n a n d in f e c t t h e a d d it io n a l s e t u p p r o g r a m as w e ll.
T h e r e a re v ir u s p r o g r a m s t h a t in f e c t a n d k e e p s p r e a d in g e v e r y t i m e t h e y a re e x e c u te d .

Some

p r o g r a m s d o n o t in f e c t t h e p r o g r a m s w h e n f i r s t e x e c u te d . T h e y re s id e in a c o m p u t e r ' s m e m o r y
a n d in f e c t p r o g r a m s a t a l a t e r t i m e . Such v ir u s p r o g r a m s as TSR w a i t f o r a s p e c ifie d t r i g g e r
e v e n t t o s p re a d a t a l a t e r s ta ge . It is, t h e r e f o r e , d i f f i c u l t t o r e c o g n iz e w h i c h e v e n t m i g h t t r i g g e r
t h e e x e c u t i o n o f a d o r m a n t v ir u s i n f e c t i o n .
R e fe r t o t h e f i g u r e t h a t f o l l o w s t o see h o w t h e EXE file i n f e c t i o n w o r k s .
In t h e f o l l o w i n g f ig u r e , t h e .EXE file 's h e a d e r , w h e n t r i g g e r e d , e x e c u te s a n d s ta r t s r u n n i n g t h e
a p p li c a t i o n . O n c e t h is file is i n f e c t e d , a n y t r i g g e r e v e n t f r o m t h e file 's h e a d e r can a c t i v a t e t h e
v ir u s c o d e t o o , a lo n g w i t h t h e a p p li c a t i o n p r o g r a m as s o o n as it is ru n .
Q

A f ile v ir u s i n f e c ts b y a t t a c h i n g its e lf t o an e x e c u t a b l e s y s te m a p p li c a t i o n p r o g r a m . T e x t
file s su ch as s o u r c e c o d e , b a tc h file s, s c r ip t files, e tc., a re c o n s id e r e d p o t e n t i a l t a r g e t s
f o r v iru s in f e c tio n s .

©

B o o t s e c t o r v iru s e s e x e c u te t h e i r o w n c o d e in t h e f i r s t p la ce b e f o r e t h e t a r g e t PC is
b o o te d

Before Infection

A fte r Infection

.exe

N

_u

Clean File

Virus Infected
File

FIGURE 7.2: Working of Viruses in Infection Phase



Viruses and W orm s


Working of Viruses: Attack
D U

^ ^

r cu
V t

o q p

11

Urt‫׳‬fW
< ttkxjl Nm Im

J

Viruses are programmed with trigger events to activate and corrupt systems

J

Some viruses infect each time they are run and others infect only when a certain
predefined condition is met such as a user's specific ta sk , a day, time, or a
particular event

Unfragmented File Before Attack
File: A

1

1
1

Page:2

J _____________ 1
Page:3

A

Page: 1

File: B

1

A

Page:2

Page: 1

Page:3

File Fragmented Due to Virus Attack
Page: 1
File: A

Page:3
File: B

Page:3
File: A

Page: 1
File: B

Copyright © by

Page:2
File: B

Page:2
File: A

E&
Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.

W o rk in g o f V iru se s: A tta c k P h a s e
O n c e v iru s e s s p re a d t h e m s e l v e s t h r o u g h o u t t h e t a r g e t s y s te m , t h e y s t a r t c o r r u p t i n g
t h e fi l e s a n d p r o g r a m s o f t h e h o s t s y s te m . S o m e v iru s e s h a v e t r i g g e r e v e n ts t h a t n e e d t o be
a c t i v a t e d t o c o r r u p t t h e h o s t s y s te m . S o m e v i r u s e s h a v e bugs t h a t r e p lic a t e th e m s e lv e s , a nd
p e r f o r m a c tiv it ie s such as d e l e t i n g f i l e s a n d in c r e a s in g s e s s io n t i m e .
T h e y c o r r u p t t h e i r t a r g e t s o n l y a f t e r s p r e a d in g as i n t e n d e d b y t h e i r d e v e lo p e r s . M o s t v iru s e s
t h a t a t t a c k t a r g e t s y s te m s p e r f o r m a c tio n s such as:
Q

D e le tin g file s a n d a l t e r i n g c o n t e n t in d a ta file s, t h e r e b y c a u s in g t h e s y s te m t o s lo w
down

e

P e r f o r m in g

ta sks

not

r e la t e d

to

a p p lic a tio n s ,

such

as p la y in g

m u s ic

and

c r e a tin g

a n im a tio n s



Viruses and W orm s


U n f r a g m e n t e d F ile B e fo r e A t t a c k

File: A
Page: 1

Page: 2

File: B
Page: 3

Page: 1

Page: 2

Page: 3

A

F ile F r a g m e n t e d D u e t o V ir u s A t t a c k

Page: 1
File: A

Page: 3
File: B

Page: 1
File: B

Page: 3
File: A

Page: 2
File: B

A

Page: 2
File: A
A

FIGURE 7.3: Working of Viruses in Attack Phase

R e fe r t o t h is f i g u r e , w h i c h has t w o file s, A a n d B. In s e c tio n o n e , t h e t w o file s a re l o c a te d o n e
a f t e r t h e o t h e r in an o r d e r l y f a s h io n . O n c e a v ir u s c o d e i n f e c ts t h e file , it a lte r s t h e p o s i t i o n i n g
o f t h e file s t h a t w e r e c o n s e c u t i v e l y p la c e d , t h u s l e a d in g t o in a c c u r a c y in f ile a llo c a tio n s , c a u s in g
t h e s y s te m t o s l o w d o w n as users t r y t o r e t r i e v e t h e i r file s. In t h i s p ha se:
©

V iru s e s e x e c u te w h e n s o m e e v e n ts a re t r i g g e r e d

0

S o m e e x e c u te a n d c o r r u p t via b u i l t - i n b u g p r o g r a m s a f t e r b e in g s t o r e d in t h e h o s t's
m em ory

0

M o s t v iru s e s a re w r i t t e n t o c o n c e a l t h e i r p re s e n c e , a t t a c k in g o n l y a f t e r s p r e a d in g in t h e
h o s t t o t h e f u l le s t e x t e n t



Viruses and W orm s


W h y Do People Create Computer
Viruses

r cu
|

UrtifWd

ttkiul Km Im

Computer Viruses
Inflict damage to competitors

J
J
J

Financial benefits

Research projects

Play prank

Vandalism

Cyber terrorism
Distribute political messages
V u ln e r a b le S y s te m

Copyright © by

E&

W hy Do P e o p le C re a te C o m p u te r V iru se s?
S o u rc e : h t t p : / / w w w . s e c u r i t y d o c s . c o m
C o m p u t e r v iru s e s a re n o t s e lf - g e n e r a t e d , b u t a re c r e a te d b y c y b e r - c r i m i n a l m in d s , i n t e n t i o n a l l y
d e s ig n e d t o ca use d e s t r u c t i v e o c c u r r e n c e s in a s y s te m . G e n e ra lly , v iru s e s a re c r e a te d w i t h a
d is r e p u t a b l e m o t i v e . C y b e r - c r im i n a l s c r e a te v iru s e s t o d e s t r o y a c o m p a n y 's d a ta , as an a c t o f
v a n d a lis m o r a p ra n k , o r t o d e s t r o y a c o m p a n y 's p r o d u c ts . H o w e v e r , in s o m e cases, v iru s e s are
a c t u a lly

in te n d e d

to

be g o o d

fo r

a s y s te m . T he se

a re

d e s ig n e d

to

im p ro v e

a s y s te m 's

p e r f o r m a n c e b y d e l e t in g p r e v io u s ly e m b e d d e d v iru s e s f r o m files.
S o m e r e a s o n s v iru s e s h a v e b e e n w r i t t e n in c lu d e :
e

I n flic t d a m a g e t o c o m p e t i t o r s

e

R esearch p r o je c ts

0

Pranks

Q

V a n d a lis m

e

A t t a c k t h e p r o d u c t s o f s p e c ific c o m p a n i e s

©

D is t r i b u t e p o litic a l m essa ge s

0

F ina ncia l g ain



Viruses and W orm s

Q

Id e n tity th e ft

Q

S pyw are

Q


C r y p t o v ir a l e x t o r t i o n



Ethical Hacking and Counterm easures
Viruses and W orm s


P rocesses ta k e
m o re re s o u rc e s
a n d tim e

C o m p u te r s lo w s
dow n when
p r o g ra m s s ta rt

C o m p u te r fre e z e s
fr e q u e n t ly o r
e n c o u n te rs e r ro r

I n d ic a tio n s o f V iru s A tta c k s
A n e f f e c t i v e v iru s t e n d s t o m u l t i p l y r a p id l y a n d m a y in f e c t a n u m b e r o f m a c h in e s
w i t h i n t h r e e t o f iv e days. V iru s e s ca n in f e c t W o r d fi l e s w h i c h , w h e n t r a n s f e r r e d , can in f e c t t h e
m a c h in e s o f t h e u sers w h o r e c e iv e t h e m . A v ir u s can also m a k e g o o d use o f f ile s e rv e rs in o r d e r
t o i n f e c t file s . T h e f o l l o w i n g a re i n d i c a t i o n s o f a v i r u s a t t a c k o n a c o m p u t e r s y s te m :
Q

P r o g r a m s ta k e lo n g e r t o loa d

Q

T h e h a r d d r iv e is a lw a y s fu ll, e v e n w i t h o u t in s t a llin g a n y p r o g r a m s

Q

T h e f l o p p y d is k d r iv e o r h a r d d r i v e r u n s w h e n it is n o t b e in g used

9

U n k n o w n file s k e e p a p p e a r i n g o n t h e s y s te m

0

T h e k e y b o a r d o r t h e c o m p u t e r e m i t s s tr a n g e o r b e e p in g s o u n d s

Q

T h e c o m p u t e r m o n i t o r d is p la y s s tr a n g e g r a p h ic s

Q

File n a m e s t u r n s tr a n g e , o f t e n b e y o n d r e c o g n i t i o n

Q

T h e h a r d d r iv e b e c o m e s in a c c e s s ib le w h e n t r y i n g t o b o o t f r o m t h e f l o p p y d r i v e

©

A p r o g r a m 's size k e e p s c h a n g in g

Q

T h e m e m o r y o n t h e s y s te m s e e m s t o be in use a nd t h e s y s te m s lo w s d o w n



Viruses and W orm s


H o w does a Computer Get
Infected by Viruses
W h e n a user accepts files and d o w nloads w ith o u t checking
p ro p e rlyfo rth e source

‫ן‬

ing infected e-mail attachm ents

Installing pirated so ftw are

Not updatingand not installing new versions o f plug-ins

: runningthe latest anti-virus application


H ow D o es a C o m p u te r G et In fe c te d b y V iru se s?
T h e r e a re m a n y w a y s in w h i c h a c o m p u t e r g e ts i n f e c t e d b y viru s e s . T h e m o s t p o p u l a r
m e t h o d s a re as f o l lo w s :
©

W h e n a u s e r a c c e p ts file s a n d d o w n l o a d s w i t h o u t c h e c k in g p r o p e r l y f o r t h e s o u rc e .

©

A t t a c k e r s u s u a lly se n d v i r u s - in f e c t e d file s as e m a il a t t a c h m e n t s t o s p re a d t h e v ir u s on
t h e v i c t i m ' s s y s t e m . If t h e v i c t i m o p e n s t h e m a il, t h e v ir u s a u t o m a t i c a l l y i n f e c ts t h e
s y s te m .

©

A t t a c k e r s i n c o r p o r a t e v iru s e s in p o p u l a r s o f t w a r e p r o g r a m s a n d u p lo a d t h e i n f e c t e d
s o ftw a re on w e b s ite s in te n d e d to d o w n lo a d s o ftw a re . W h e n th e v ic tim

d o w n lo a d s

i n f e c t e d s o f t w a r e a n d in s ta lls it, t h e s y s te m g e ts i n f e c t e d .
©

Failing t o in s ta ll n e w v e r s io n s o r u p d a t e w i t h la t e s t p a t c h e s i n t e n d e d t o fix t h e k n o w n
b ug s m a y e x p o s e y o u r s y s te m t o viru s e s .

©

W i t h t h e in c r e a s in g t e c h n o l o g y , a tt a c k e r s also a re d e s ig n in g n e w v iru s e s . Failing t o use
la t e s t a n t i v i r u s a p p li c a t i o n s m a y e x p o s e y o u t o v i r u s a t t a c k s



Viruses and W orm s


C o m m o n T e c h n i q u e s U s e d to
D istrib u te M a lw a re o n th e W eb

H

B la c k h a t S e a rc h E n gin e
O p tim iza tio n (SEO )

CEH

M a lv e rtis in g

Ranking malware pages highly
in search results

Embedding malware in ad-networks
that display across hundreds of
legitimate, high-traffic sites

S o c ia l E n g in eered
C lic k -ja c k in g

C o m p ro m ise d L e g itim a te
W e b sites

Tricking users into clicking on
innocent-looking webpages

Hosting embedded malware that
spreads to unsuspecting visitors

S p e a rp h is h in g S ites

Drive-by D o w n lo ad s

Mimicking legitimate institutions,
such as banks, in an attempt to
steal account login credentials

‫^ ״‬
‫ ן ן ו‬jl.

Exploiting flaws in browser
software to install malware
just by visiting a web page
Source: Security Threat Report 2012 (http://www.sophos.com )
Copyright © by

^

-C

C o m m o n T e c h n i q u e s U s e d to D i s t r i b u t e M a l w a r e o n
th e W eb

S o u rc e : S e c u r ity T h r e a t R e p o r t 2 0 1 2 ( h t t p : / / w w w . s o p h o s . c o m )

Blackhat Search Engine Optimization (SEO): U s in g t h is t e c h n i q u e t h e a t t a c k e r r a n k s m a l w a r e
p a g e s h ig h in se arch re s u lts

Social Engineered Click-jacking: T h e a t t a c k e r s t r i c k t h e users i n t o c lic k in g o n i n n o c e n t - l o o k i n g
w e b p ages t h a t c o n t a i n m a l w a r e

Spearphishing Sites: T his t e c h n i q u e is used f o r m im i c k i n g l e g i t i m a t e in s t it u t i o n s , such as ban ks,
in an a t t e m p t t o ste al a c c o u n t lo g in c r e d e n t i a l s

Malvertising: E m b e d s m a l w a r e in ad n e t w o r k s t h a t d is p la y ac ro s s h u n d r e d s o f l e g i t i m a t e , h ig h t r a f f i c sites

Compromised Legitimate W ebsites: H o s t e m b e d d e d m a l w a r e t h a t s p re a d s t o u n s u s p e c t i n g
v is ito rs

Drive-by Downloads: T h e a t t a c k e r e x p l o i t s f l a w s in b r o w s e r s o f t w a r e t o in s ta ll m a l w a r e j u s t by
v is itin g a w e b p age



Viruses and W orm s


Virus Hoaxes and Fake
Antiviruses
A tta c k e rs d is g u is e m a lw a r e s as a n a n t iv ir u s
a n d t r ic k u s e rs t o in s ta ll th e m in t h e ir

c o n ta in v ir u s a tta c h m e n ts

s y s te m s

W a r n in g m e s s a g e s p r o p a g a tin g t h a t a

O n c e in s ta lle d th e s e fa k e a n tiv iru s e s c a n

c e r ta in e m a il m e s s a g e s h o u ld n o t b e v ie w e d

d a m a g e t a r g e t s y s te m s s im ila r t o o t h e r

a n d d o in g s o w ill d a m a g e o n e 's s y s te m

J

H o axes a re fa ls e a la rm s c la im in g r e p o r ts
a b o u t a n o n - e x is tin g v ir u s w h ic h m a y

J

m a lw a re s

ntAsc rmv/Aflo m u warning among rniCNDS.rAMiiv and contacts Ho* •houM t* »k«t d*'•*
tbv mat fmv Jwyv Co ikx cptn «1» i‫׳‬i«im«« with 4 1etMchmvH vntlltvO >OSTCAAO 'ROM •Uir.O ■
y
1
RtMONATION Of BARACK OBAMA . regjrdl«»l0f WhO sent IttO you It IS J vlruStlWt Opers A
KttrtAftUlMAOt, then Dim* th -whole run) C a « ol YOU' computer.
«
rih b lIvmNHMlWdiliuumnl UyCNN Uni

1

Im Hid) U• I
k
••

jy M lllW A

1
4

(*•sif jctivtvirasawf Thevirw ...1 .discoveredbv McAfee v«terdiv. «ndthp‫׳‬p nortear

1>

A W C

*
*
*

tifa ft-0WI1 1l'W« IN MN'R NV M A n NA
i* F R A r)T4 AN flA 0 n lF 0 tA IIV NrOT rn

l ‫ «י‬HUM

j*for :h&

tSeZeto Setloiof llie llodDiM., mIivictl.r viulxifoimatbonk«vL

»‫׳‬
—
wi ss*‫־‬
f rr‫•־‬
‫״‬
‫״‬

jy y |r J !!L
l:
—

=«=— ‫נ‬

0llicil. All Rights Reserved. Reproduction is Strictly Prohibited.

Copyright © by E GG

V iru s H o ax e s a n d F a k e A n tiv iru s e s
V iru s H o a x e s
A v ir u s h o a x is s i m p l y a b lu ff. V iru s e s , by t h e i r n a t u r e , h a v e a lw a y s c r e a te d a
h o r r i f y i n g i m p r e s s io n . H oa x es a re t y p i c a l l y u n t r u e sca re a le r t s t h a t u n s c r u p u l o u s in d iv id u a ls
s e n d t o c r e a te h a v o c . It is f a i r l y c o m m o n f o r i n n o c e n t users t o pass th e s e p h o n y m essa ge s
a lo n g t h i n k i n g t h e y a re h e lp in g o t h e r s a v o id t h e " v i r u s . "
©

H oa xes a re fa lse a la r m s c la im in g r e p o r t s a b o u t n o n - e x i s t i n g v iru s e s

©

T he se w a r n i n g m essages, w h i c h can b e p r o p a g a t e d r a p id ly , s t a t in g t h a t ac e r ta in

e m a il

m e s s a g e s h o u ld n o t be o p e n e d , a n d t h a t d o i n g so w o u l d d a m a g e o n e 's s y s te m
©

In s o m e cases, th e s e w a r n i n g m essa ge s t h e m s e l v e s c o n t a i n v iru s a t t a c h m e n t s

©

T he se possess t h e c a p a b i l it y o f v a s t d e s t r u c t i o n o n t a r g e t s y s te m s

M a n y h o a x e s t r y t o " s e l l" t h in g s t h a t a re t e c h n i c a l l y n o n s e n s e . N e v e rth e le s s , t h e h o a x e r has t o
be s o m e w h a t o f an e x p e r t t o s p re a d h o a x e s in o r d e r t o a v o id b e in g i d e n t if ie d a n d c a u g h t.
T h e r e f o r e , it is a g o o d p r a c tic e t o lo o k f o r t e c h n i c a l d e t a i ls a b o u t h o w t o b e c o m e i n f e c t e d . A lso
se arch f o r i n f o r m a t i o n in t h e w i ld t o le a rn m o r e a b o u t t h e h o a x , e s p e c ia lly by s c a n n in g b u l l e t i n
b o a r d s w h e r e p e o p le a c tiv e ly discuss c u r r e n t h a p p e n in g s in t h e c o m m u n i t y .



Viruses and W orm s


T ry t o c ro s s c h e c k t h e i d e n t i t y o f t h e p e r s o n w h o has p o s te d t h e w a r n i n g . A lso l o o k f o r m o r e
i n f o r m a t i o n a b o u t t h e h o a x / w a r n i n g f r o m s e c o n d a r y s o u rc e s . B e fo re j u m p i n g t o c o n c lu s io n s by
r e a d in g c e r t a i n d o c u m e n t s o n t h e I n t e r n e t , c h e c k t h e f o l l o w i n g :
Q

If it is p o s te d

by n e w s g r o u p s t h a t a re s u s p ic io u s , c r o s s c h e c k t h e i n f o r m a t i o n w i t h

a n o th e r source
©

If t h e p e r s o n w h o has p o s te d t h e n e w s is n o t a k n o w n p e r s o n in t h e c o m m u n i t y o r an
e x p e r t , c ro s s c h e c k t h e i n f o r m a t i o n w i t h a n o t h e r s o u r c e

0

If a g o v e r n m e n t b o d y has p o s te d t h e n e w s , t h e p o s tin g s h o u ld also h a v e a r e f e r e n c e t o
th e c o rre s p o n d in g fe d e ra l r e g u la tio n

Q

O n e o f t h e m o s t e f f e c t i v e c h e c k s is t o lo o k u p t h e s u s p e c te d h o a x v i r u s b y n a m e o n
a n t i v i r u s s o f t w a r e v e n d o r sites

Q

If t h e p o s tin g is te c h n ic a l, h u n t f o r sites t h a t w o u l d c a t e r t o t h e t e c h n i c a l i t i e s , a n d t r y t o
a u th e n tic a te th e in fo rm a tio n
Subject: FORWARD THIS W ARNIN G A M O N G FRIENDS, FAMILY AND CONTACTS
PLEASE FORWARD THIS WARNING AM O N G FRIENDS, FAMILY AND CONTACTSI You should be alert during
the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEJING or
'RESIGNATION OF 8ARACK O B A M A , regardless of who sent it to you. It is a virus that opens A
POSTCARD IMAGE, then 'burns' the whole hard C disc of your computer.
This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most
destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this
kind of virus.
This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.
COPY THIS E MAIL, AND SEND IT TO YOUR FRIENDS.REMEMBER: IF YOU SEND IT TO THEM , YOU WILL
BENEFIT ALL OF US.
End-of-mail
Thanks.

FIGURE 7.3: Hoaxes Warning Message

F a k e A n tiv iru s e s
Fake a n tiv ir u s e s is a m e t h o d o f a f f e c t i n g a s y s te m b y h a c k e rs a n d it can p o is o n y o u r
s y s te m a n d o u t b r e a k t h e r e g is t r y a n d s y s te m file s t o a l l o w t h e a t t a c k e r t o t a k e f u ll c o n t r o l a n d
access t o y o u r c o m p u t e r . It a p p e a rs a n d p e r f o r m s s i m i l a r l y t o a real a n t i v i r u s p r o g r a m .
Fake a n t i v i r u s p r o g r a m s f i r s t a p p e a r o n d i f f e r e n t b r o w s e r s a n d w a r n users t h a t t h e y h ave
d i f f e r e n t s e c u r i t y t h r e a t s o n t h e i r s y s te m , a n d t h is m e s s a g e is b a c k e d u p b y r e a l s u s p ic io u s
v iru s e s . W h e n t h e u s e r tr ie s t o r e m o v e t h e v ir u s e s , t h e n t h e y a re n a v ig a te d t o a n o t h e r p age
w h e r e t h e y n e e d t o b u y o r s u b s c r ib e t o t h a t a n t i v i r u s a n d p r o c e e d t o p a y m e n t d e ta ils . T he se
f a k e a n t i v i r u s p r o g r a m s a re b e e n f a b r i c a t e d in s u ch a w a y t h a t t h e y d r a w t h e a t t e n t i o n o f t h e
u n s u s p e c t i n g u s e r i n t o in s t a llin g t h e s o f t w a r e .
S o m e o f t h e m e t h o d s used t o e x t e n d t h e usage a n d in s t a l l a t i o n o f fa k e a n t i v i r u s p r o g r a m s
in c lu d e :
©

E m a il a n d m e s s a g in g : A t t a c k e r s use s p a m e m a il a n d social n e t w o r k i n g m e ss a g e s t o
s p re a d t h is t y p e o f i n f e c t e d e m a il t o users a n d p r o b e t h e u s e r t o o p e n t h e a t t a c h m e n t s
f o r s o f t w a r e i n s t a lla t io n .



Viruses and W orm s

Q


Search e n g in e o p tim iz a tio n : A t t a c k e r s g e n e r a t e p ages r e la t e d t o

p u b lic o r c u r r e n t

s e a rch t e r m s a n d p la n t t h e m t o a p p e a r as e x t r a o r d i n a r y a n d t h e la t e s t in s e a rch e n g in e
r e s u lts . T h e w e b p ages s h o w a le rts a b o u t i n f e c t i o n t h a t e n c o u r a g e t h e u s e r t o b u y t h e
fa k e a n tiv ir u s .
Q

C o m p ro m is e d w e b s ite s : A t t a c k e r s s e c r e t l y b r e a k i n t o p o p u l a r sites t o in s ta ll t h e fa k e
a n tiv ir u s e s , w h i c h can be used t o e n tic e users t o d o w n l o a d t h e f a k e a n t i v i r u s b y r e ly in g
o n t h e s ite 's p o p u l a r i t y .

J
a
Protection

a

- acy
‫׳‬w

I
P a th

q

0,

'S (‫י‬

M
p 0 < *© ‫ י#י*י‬S
« M1 r»
4

Inlrctiom

I

C w » C « C ^ S JN t5 ^ c ^ « U Jr^ 4 ifV * g 0 a 5 7 2

35

SMtWI

FIGURE 7.4: Example of a Fake Antivirus



Viruses and W orm s


Virus Analysis: DNSChanger
DNSChanger (Alureon) modifies the DNS
settings on the victim PC to divert
Internet traffic to malicious websites in
order to generate fraudulent ad revenue,
sell fake services, or steal personal
financial information

CEH

J

<W >

It acts as a bot and can be organized into a
BotNet and controlled from a remote
location

J

It spreads through emails, social
engineering tricks, and untrusted
downloads from the Internet

UHU

$
DNSChanger malware achieves the DNS
redirection by modifying the following
registry key settings against a interface
device such as network card

HKEY_LOCAL_MACHINESYSTEMCurrentControl
SetServicesTcpipParameterslnterfaces%Ra
ndom C %NameServer
LSID

t
J

<K >

DNSChanger has received significant
attention due to the large number of
affected systems worldwide and the fact
that as part of the BotNet takedown the FBI
took ownership of the rogue DNS servers to
ensure those affected did not immediately
lose the ability to resolve DNS names

http://www. totaldefense. com
Copyright © by E&Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.

V iru s A n a ly sis: D N S C h a n g e r
S o u rc e : h t t p : / / w w w . t o t a l d e f e n s e . c o m
D N S C h a n g e r ( A l u r e o n ) is m a l w a r e t h a t s p re a d s t h r o u g h e m a ils , s o c ia l e n g i n e e r i n g tr i c k s , a nd
u n t r u s t e d d o w n l o a d s f r o m t h e I n t e r n e t . It a cts as a b o t a n d can be o rg a n iz e d i n t o a b o t n e t a nd
c o n t r o l l e d f r o m a r e m o t e l o c a tio n . T his m a l w a r e a c h ie v e s DNS r e d i r e c t i o n b y m o d i f y i n g t h e
s y s te m r e g is t r y k e y s e ttin g s a g a in s t an i n t e r f a c e d e v ic e such as n e t w o r k c a rd .
D N S C h a n g e r has r e c e iv e d s i g n ific a n t a t t e n t i o n d u e t o t h e large n u m b e r o f a f f e c t e d s y s te m s
w o r l d w i d e a n d t h e f a c t t h a t as p a r t o f t h e b o t n e t t a k e d o w n , t h e FBI t o o k o w n e r s h i p o f r o g u e
DNS s e r v e r s t o e n s u r e t h o s e a f f e c t e d d id n o t i m m e d i a t e l y lose t h e a b i l it y t o re s o lv e DNS
n a m e s . T his can e v e n m o d i f y t h e DNS s e ttin g s o n t h e v i c t i m ' s PC t o d i v e r t I n t e r n e t t r a f f i c t o
m a lic io u s w e b s i t e s in o r d e r t o g e n e r a t e f r a u d u l e n t a d r e v e n u e , sell f a k e s e rv ic e s , o r ste al
p e r s o n a l f in a n c ia l i n f o r m a t i o n .



Viruses and W orm s


Virus Analysis: DNSChanger
( C o n t ’d )

The rogue DNS servers can exist in any of the following ranges:
L

DNSChanger

64.28.176.0 - 64.28.191.255, 67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255, 93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255, 213.109.64.0 - 213.109.79.255

DNSChanger sniffs the
credential and redirects the
request to real website
Real Website
ww.xrecyritY-tP1
IP: 200.0.0.45

DNSChanger infects victim's
computer by change her DNS IP
address to: 64.28.176.2

Attacker runs DNS Server in
Russia (IP: 64.28.176.2)

http://www. tota!defense,com


tout V i r u s A n a l y s i s : D N S C h a n g e r ( C o n t ’d)
’

S o u rc e : h t t p : / / w w w . t o t a l d e f e n s e . c o m

T h e r o g u e DNS s e rv e rs can e x is t in a n y o f t h e f o l l o w i n g ran ge s:

64.28.176.0 - 64.28.191.255 , 67.210.0.0 ‫552.51.012.76 ־‬
77.67.83.0 - 77.67.83.255 , 93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255 , 213.109.64.0 - 213.109.79.255



Viruses and W orm s


W h al is the IP
address of
w w w . *security. corn

©

>

DNSChanger sniffs the
credential and redirects the
request to real website

Fake Website
IP: 65.0.0.2

»

‫י‬
Real Website
wvAv.xsecuritv.com
IP: 200.0.0.45

©

DNS Request do
to 64.28.176.2

>
DNSChanger infects victim's
computer by change her DNS IP
address to: 64.28.176.2

©

□
Attacker runs DNS Server in
Russia (IP: 64.28.176.2)

FIGURE 7.5: Virus Analysis Using DNSChanger

T o in f e c t t h e s y s te m a nd s te a l c r e d e n tia ls , t h e a t t a c k e r has t o f i r s t ru n DNS s e rv e r. H e re t h e
a t t a c k e r r u n s his o r h e r D N S s e r v e r in Russia w i t h an IP o f, say, 6 4 .2 8 . 1 7 6 . 2 . N e x t, t h e a t t a c k e r
i n f e c ts t h e v i c t i m ' s c o m p u t e r by c h a n g in g his o r h e r DNS IP a d d re s s t o : 6 4 .2 8 .1 7 6 .2 . W h e n th is
m a l w a r e has i n f e c t e d t h e s y s te m , it e n t i r e l y c h a n g e s t h e DNS s e ttin g s o f t h e i n f e c t e d m a c h in e
a n d fo r c e s all t h e DNS r e q u e s t t o g o t o t h e D N S s e rv e r ru n b y t h e a tta c k e r . A f t e r a lt e r in g th e
s e t t i n g o f t h e DNS, a n y r e q u e s t t h a t is m a d e b y t h e s y s te m is s e n t t o t h e m a l i c io u s DNS s e r v e r .
H e re , t h e

v ic tim

sent

DNS

Request

‫״‬w h a t

is t h e

IP a d d re s s

o f w w w .x s e c u rity .c o m ‫״‬

to

( 6 4 .2 8 .1 7 6 .2 ). T h e a t t a c k e r g a v e a re s p o n s e t o t h e r e q u e s t as w w w . x s e c u r i t v . c o m . w h i c h is
l o c a te d a t 6 5 .0 .0 .2 . W h e n v i c t i m ' s b r o w s e r c o n n e c t s t o 6 5 .0 .0 .2 , it r e d ir e c ts h im o r h e r t o a fa k e
w e b s i t e c r e a te d b y t h e a t t a c k e r w i t h IP: 6 5 .0 .0 .2 . D N S C h a n g e r s n iffs t h e c r e d e n t i a l (u s e r n a m e ,
p a s s w o r d s ) a n d r e d ir e c ts t h e r e q u e s t t o real w e b s i t e (w w w . x s e c u r i t y . c o m ) w i t h IP: 2 0 0 .0 .0 .4 5 .


Ethical Hacking and C ounterm easures Copyright © by EC-C0l1nCil

Viruses and W orm s


M odule Flow

CEH

V iru s and
W orm s
C on cep ts

C o m p uter
W orm s

P en etratio n
Testing

C ounter•
m easures

M a lw a re
Analysis

Copyright © by E&Caincil. All Rights Reserved. Reproduction is Strictly Prohibited.

■ = || M o d u l e F l o w
P r io r t o th is , w e h a v e d is cu sse d a b o u t v iru s e s a n d w o r m s . N o w w e w i ll discuss a b o u t
d i f f e r e n t ty p e s o f viru s e s .

V iru s a n d W o rm s C o nc e p t

i •

y

—

v‫׳‬

C

X

M a lw a r e A nalysis

T y p e s o f V ir u s e s

C o m p u te r W o rm s

C o u n te rm e a s u re s

^

)

P e n e tra tio n T es tin g

—

This s e c tio n d e s c r ib e s a b o u t d i f f e r e n t ty p e s o f V iru se s.



Viruses and W orm s

System or
Boot Sector
Viruses


Stealth Virus/
Tunneling
Virus

Cluster
Viruses

Encryption

Polymorphic

Metamorphic

Sparse
Infector
Virus

Direct Action
or Transient

Multipartite

T y p e s of V iru se s
So fa r, w e h a v e d iscu ss e d v a r io u s v ir u s a n d w o r m

c o n c e p ts . N o w w e w ill discuss

v a r io u s t y p e s o f viru s e s .
T his s e c tio n h ig h lig h ts v a r io u s ty p e s o f v iru s e s a n d w o r m s such as file a n d m u l t i p a r t i t e v ir u s e s ,
m a c r o v iru s e s , c lu s t e r viru s e s , s t e a l t h / t u n n e l i n g

v iru s e s , e n c r y p t i o n

v iru s e s , m e t a m o r p h i c

v iru s e s , shell viru s e s , a n d so o n . C o m p u t e r v iru s e s a re t h e m a l i c io u s s o f t w a r e p r o g r a m s w r i t t e n
by a t ta c k e r s t o i n t e n t i o n a l l y e n t e r t h e t a r g e t e d s y s te m w i t h o u t t h e u s e r 's p e r m i s s i o n . As a
re s u lt, t h e y a f f e c t t h e s e c u r it y s y s te m a n d p e r f o r m a n c e o f t h e m a c h in e . A f e w o f t h e m o s t
c o m m o n ty p e s o f c o m p u t e r v iru s e s t h a t a d v e r s e l y a f f e c t s e c u r it y s y s te m s a re d iscu s se d in
d e ta il o n t h e f o l l o w i n g slides.

T y p e s of V iru se s
V iru s e s a re cla s s ifie d d e p e n d i n g o n t w o c a te g o r ie s :
Q

W h a t Do T h e y In fe c t?

©

H o w Do T h e y In fe c t?



Viruses and W orm s


W hat Do They In fe ct?
System or Boot Sector V iruses
_

f*.

T h e m o s t c o m m o n t a r g e t s f o r a v iru s a re t h e s y s te m s e c to rs , w h i c h a re n o t h i n g b u t

t h e M a s t e r B o o t R e c o rd a n d t h e DOS B o o t R e c o rd S y s t e m s e c to r s . T h e s e a re t h e a re a s o n th e
d isk t h a t are e x e c u t e d w h e n t h e PC is b o o t e d . E ve ry d isk has a s y s te m s e c to r o f s o m e s o rt. T h e y
s p e c ia lly in f e c t t h e f l o p p y b o o t s e c to r s a n d r e c o r d s o f t h e h a rd disk. For e x a m p le : Disk K iller
a n d S to n e v iru s .

F ile V iruses
E x e c u ta b le file s a re i n f e c t e d b y file v iru s e s , as t h e y i n s e r t t h e i r c o d e i n t o t h e o r ig in a l
file a n d g e t e x e c u te d . File v iru s e s a re la r g e r in n u m b e r , b u t t h e y a re n o t t h e m o s t c o m m o n l y
f o u n d . T h e y i n f e c t in a v a r i e t y o f w a y s a n d can be f o u n d in a la rg e n u m b e r o f file ty p e s .

M u ltip a rtite V irus
T h e y i n f e c t p r o g r a m file s, a n d t h is f ile in t u r n a ffe c ts t h e b o o t s e c to r s su ch as In v a d e r ,
Flip, a n d T e q u ila .

C lu ste r V iruses
C lu s te r v iru s e s i n f e c t file s w i t h o u t c h a n g in g t h e f ile o r p la n t in g e x tr a file s ; t h e y c h a n g e
t h e DOS d i r e c t o r y i n f o r m a t i o n so t h a t e n t r i e s p o i n t t o t h e v ir u s c o d e in s te a d o f t h e a c tu a l
p ro g ra m .

M acro V irus
M i c r o s o f t W o r d o r a s i m i l a r a p p li c a t i o n can be i n f e c t e d t h r o u g h a c o m p u t e r v iru s
c a lle d a m a c r o v iru s , w h i c h a u t o m a t i c a l l y p e r f o r m s a s e q u e n c e o f a c tio n s w h e n t h e
a p p li c a t i o n is t r i g g e r e d o r s o m e t h i n g else. M a c r o v iru s e s a re s o m e w h a t less h a r m f u l t h a n o t h e r
ty p e s . T h e y a re u s u a lly s p re a d via an e m a il.

How Do They In fe ct?
‫־־‬
‫׳‬

■

Stealth V iruses
T h e se v iru s e s t r y t o h id e t h e m s e l v e s f r o m a n t i v i r u s p r o g r a m s b y a c t i v e l y a l t e r i n g a n d

c o r r u p t i n g t h e c h o s e n s e rv ic e call i n t e r r u p t s w h e n t h e y a re b e in g ru n . R e q u e s ts t o p e r f o r m
o p e r a t i o n s in r e s p e c t t o th e s e se rv ic e call i n t e r r u p t s a re r e p la c e d by v iru s c o d e . T h e se v iru s e s
s ta te fa lse i n f o r m a t i o n t o h id e t h e i r p r e s e n c e f r o m a n t i v i r u s p r o g r a m s . For e x a m p le , t h e s te a lth
v ir u s h id e s t h e o p e r a t i o n s t h a t it m o d i f i e d a n d g ive s fa ls e r e p r e s e n t a t i o n s . T hus, it ta k e s o v e r
p o r t i o n s o f t h e t a r g e t s y s te m a nd h id e s its v i r u s c o d e .
Life‫:־‬

T u n n elin g V iruses
T h e s e v ir u s e s t r a c e t h e s te p s o f i n t e r c e p t o r p r o g r a m s t h a t m o n i t o r o p e r a t i n g s y s te m

r e q u e s ts so t h a t t h e y g e t i n t o BIOS a n d DOS t o in s ta ll th e m s e lv e s . T o p e r f o r m t h is a c tiv it y , t h e y
even tu n n e l u n d e r a n tiv iru s s o ftw a re p ro g ra m s.



Viruses and W orm s

c_ —


E n cry p tio n V iruses
T his t y p e o f v ir u s c o n s is ts o f an e n c r y p t e d c o p y o f t h e v iru s a n d a d e c r y p t i o n m o d u l e .

T h e d e c r y p t i n g m o d u l e r e m a in s c o n s t a n t , w h e r e a s t h e d i f f e r e n t keys a re u sed f o r e n c r y p t i o n .

iri)
, ‫״ ״‬

P o ly m o rp h ic V iruses
T h e s e v iru s e s w e r e d e v e lo p e d t o c o n f u s e a n t i v i r u s p r o g r a m s t h a t scan f o r v iru s e s in

t h e s y s te m . It is d i f f i c u l t t o t r a c e t h e m , since t h e y c h a n g e t h e i r c h a r a c te r is t ic s e a ch t i m e t h e y
in f e c t, e.g., e v e r y c o p y o f t h is v ir u s d if f e r s f r o m its p r e v io u s o n e . V i r u s d e v e l o p e r s h a v e e v e n
c r e a t e d m e t a m o r p h i c e n g in e s a n d v ir u s w r i t i n g t o o l k its t h a t m a k e t h e c o d e o f an e x is t in g v ir u s
lo o k d i f f e r e n t f r o m o t h e r s o f its k in d .

M e ta m o rp h ic V iruses
A c o d e t h a t can r e p r o g r a m it s e lf is c a lle d m e t a m o r p h i c c o d e . T his c o d e is t r a n s l a t e d
i n t o t h e t e m p o r a r y c o d e , a n d t h e n c o n v e r t e d b a ck t o t h e n o r m a l c o d e . T his t e c h n i q u e , in w h i c h
t h e o rig in a l a l g o r i t h m r e m a in s in t a c t, is u sed t o a v o id p a t t e r n r e c o g n i t i o n o f a n t i v i r u s s o f t w a r e .
T his is m o r e e f f e c t i v e in c o m p a r i s o n t o p o l y m o r p h i c c o d e . T his t y p e o f v iru s c o n s is ts o f c o m p le x
e x te n s iv e c o d e .

O v erw ritin g F ile or C avity V iruses
S o m e p r o g r a m file s h a v e a re as o f e m p t y space. T his e m p t y sp ace is t h e m a in t a r g e t o f
th e s e viru s e s . T h e C a v i t y V ir u s , also k n o w n as t h e S pace F ille r V ir u s , s to r e s its c o d e in th is
e m p t y space. T h e v ir u s in s ta lls it s e lf in th is u n o c c u p ie d sp ace w i t h o u t a n y d e s t r u c t io n t o t h e
o rig in a l c o d e . It in s ta lls it s e lf in t h e file it a t t e m p t s t o in f e c t.

S parse In fec to r V iruses

a®

A sp arse i n f e c t o r v iru s i n f e c ts o n l y o c c a s i o n a l l y (e.g., e v e r y t e n t h p r o g r a m e x e c u te d )

o r o n l y file s w h o s e le n g t h s fa ll w i t h i n a n a r r o w ra n g e .

C o m p an io n V iruses
T h e c o m p a n i o n v ir u s s to re s it s e lf b y h a v in g t h e i d e n t i c a l f i l e n a m e as t h e t a r g e t e d
p r o g r a m file . As s o o n as t h a t f ile is e x e c u t e d , t h e v ir u s in f e c ts t h e c o m p u t e r , a nd h a r d d is k d a ta
is m o d if ie d .

C am o u flag e V iruses

^
W

-------- T h e y d is g u is e t h e m s e l v e s as g e n u in e a p p li c a t i o n s

o f t h e user. T he se v iru s e s a re n o t

d i f f i c u l t t o f i n d since a n t i v i r u s p r o g r a m s h a v e a d v a n c e d t o t h e p o i n t w h e r e such v iru s e s are
e a sily t r a c e d .

Shell V iruses
_____

T his v ir u s c o d e f o r m s a la y e r a r o u n d t h e t a r g e t h o s t p r o g r a m 's c o d e t h a t can be



Viruses and W orm s


c o m p a r e d t o an " e g g s h e l l / ‫ ׳‬m a k in g i t s e lf t h e o rig in a l p r o g r a m a n d t h e h o s t c o d e its s u b r o u t i n e . H e re , t h e o rig in a l c o d e is m o v e d t o a n e w l o c a t io n by t h e v ir u s c o d e a n d t h e v i r u s
a s s u m e s its i d e n t it y .

F ile E xtension V iru ses
F.
File e x t e n s i o n v ir u s e s c h a n g e t h e e x te n s io n s o f file s ; .TXT is safe, as it in d ic a te s a p u r e
t e x t file . If y o u r c o m p u t e r 's f i l e e x t e n s i o n s v i e w is t u r n e d o f f a n d s o m e o n e s e n d s y o u a file
n a m e d BA D .T X T .V B S , y o u w i ll see o n l y B A D .TXT.

> '« f| Add -on V iru ses
M o s t v iru s e s a re a d d - o n v iru s e s . T his t y p e o f v ir u s a p p e n d s its c o d e t o t h e b e g in n in g
o f t h e h o s t c o d e w i t h o u t m a k in g a n y c h a n g e s t o t h e l a t t e r . T hu s , t h e v ir u s c o r r u p t s t h e s t a r t u p
i n f o r m a t i o n o f t h e h o s t c o d e , a n d places it s e lf in its p la ce, b u t it d o e s n o t t o u c h t h e h o s t c o d e .
H o w e v e r , t h e v iru s c o d e is e x e c u t e d b e f o r e t h e h o s t c o d e . T h e o n l y in d i c a t i o n t h a t t h e file is
c o r r u p t e d is t h a t t h e size o f t h e file has in c re a s e d .

In tru siv e V iruses
‫־־‬

T his f o r m o f v ir u s o v e r w r i t e s its c o d e e i t h e r b y c o m p l e t e l y r e m o v i n g t h e t a r g e t h o s t's

p r o g r a m c o d e , o r s o m e t i m e s it o n l y o v e r w r i t e s p a r t o f it. T h e r e f o r e , t h e o rig in a l c o d e is n o t
e x e c u te d p r o p e r ly .

D irec t A ction or T ra n sie n t V iruses
T r a n s fe r s all c o n t r o l s t o t h e h o s t c o d e w h e r e it reside s, se le c ts t h e t a r g e t p r o g r a m t o
be m o d if ie d , a nd c o r r u p t s it.

=—

T e rm in a te a n d Stay R e sid en t V iru ses (TSRs)

ffr

A TSR v i r u s r e m a in s p e r m a n e n t l y in m e m o r y d u r in g t h e e n t i r e w o r k se ssio n, e v e n

a f t e r t h e t a r g e t h o s t p r o g r a m is e x e c u te d a n d t e r m i n a t e d . It can be r e m o v e d o n l y b y r e b o o t i n g
t h e s y s te m .



Viruses and W orm s


System or Boot Sector Viruses CEH
Boot Sector Virus
Boot sector virus moves MBR to
another location on the hard disk
and copies itself to the original
location of MBR

Execution
©

o

When system boots, virus
code is executed first and then
control is passed to original
MBR

Before Infection

After Infection

Virus Code

MBR
Copyright © by E&

S y s te m o r B oot S e c to r V iru s e s
m

S y s te m s e c t o r v iru s e s can be d e f i n e d as t h o s e t h a t a f f e c t t h e e x e c u t a b l e c o d e o f t h e

disk, r a t h e r t h a n t h e b o o t s e c t o r v ir u s t h a t a ffe c ts t h e DOS b o o t s e c t o r o f t h e disk. A n y s y s te m
is d iv i d e d i n t o a reas, c a lle d s e c to rs , w h e r e t h e p r o g r a m s a re s to r e d .
T h e t w o ty p e s o f s y s te m s e c to r s are:
Q

M B R ( M a s te r B o o t R ecord)
M BR s a re t h e m o s t v i r u s - p r o n e z o n e s b e c a u s e if t h e M B R is c o r r u p t e d , all d a ta w i ll be
lost.

0

DBR (DO S B o ot R ecord)
T h e DOS b o o t s e c t o r is e x e c u t e d w h e n e v e r t h e s y s te m is b o o t e d . T his is t h e c r u c ia l
p o i n t o f a t t a c k f o r viru s e s .

T h e s y s te m s e c t o r co n s is ts o f 5 1 2 b y t e s o f m e m o r y . Because o f th is , s y s te m s e c t o r v iru s e s
c o n c e a l t h e i r c o d e in s o m e o t h e r d isk space. T h e m a in c a r r i e r o f s y s te m s e c t o r v iru s e s is t h e
f l o p p y disk. T h e se v iru s e s g e n e r a lly re s id e in t h e m e m o r y . T h e y can also be c a u se d b y T ro ja n s .
S o m e s e c t o r v iru s e s also s p re a d t h r o u g h i n f e c t e d file s , a n d t h e y a re ca lle d m u l t i p a r t v iru s e s .



Viruses and W orm s

1


Virus Rem oval
S y s te m s e c t o r v iru s e s a re d e s ig n e d t o c r e a te t h e illu s io n t h a t t h e r e is n o v ir u s o n t h e
s y s te m . O n e w a y t o d ea l w i t h t h is v ir u s is t o a v o id t h e use o f t h e W i n d o w s o p e r a t i n g

s y s t e m , a n d s w it c h t o L in ux o r M a cs, b e c a u s e W i n d o w s is m o r e p r o n e t o th e s e a tta c k s . L inux
a n d M a c i n t o s h h a v e a b u i l t - i n s a f e g u a r d t o p r o t e c t a g a in s t th e s e v iru s e s . T h e o t h e r w a y is t o
c a r r y o u t a n t i v i r u s ch e c k s o n a p e r io d ic basis.

Before Infection

G
After Infection
V

O
Virus Code

FIGURE 7.6: System or Boot Sector Viruses



Viruses and W orm s


File and Multipartite Viruses

CEH

F ile a n d M u ltip a rtite V iru s e s
F ile Viruses
File v iru s e s i n f e c t file s t h a t a re e x e c u te d o r i n t e r p r e t e d in t h e s y s te m such as C O M , EXE,
SYS, OVL, OBJ, PRG, M N U , a n d BAT file s. File v iru s e s can be e i t h e r d i r e c t - a c t i o n ( n o n - r e s i d e n t )
o r m e m o r y - r e s i d e n t . O v e r w r i t i n g v iru s e s ca use i r r e v e r s i b l e d a m a g e t o t h e files. T h e s e v iru s e s
m a i n l y t a r g e t a r a n g e o f o p e r a t i n g s y s te m s t h a t in c lu d e W i n d o w s , UNIX, DOS, a n d M a c i n t o s h .

C h a ra c te riz in g F ile V iruses
File v iru s e s a re

m a i n l y c h a r a c te r iz e d

and

d e s c r ib e d

b ase d

on

th e ir

p h ysica l

b e h a v io r o r

c h a r a c te r is t ic s . T o cla ssify a file v ir u s is b y t h e t y p e o f file t a r g e t e d by it, such as EXE o r C O M
file s, t h e b o o t s e c to r , e tc. A f ile v ir u s can also be c h a r a c t e r iz e d b ase d o n h o w it i n f e c ts t h e
t a r g e t e d file (also k n o w n as t h e h o s t files):
Q

P re p e n d in g : w r i t e s it s e lf i n t o t h e b e g in n in g o f t h e h o s t file 's c o d e

Q

A p p e n d in g : w r i t e s it s e lf t o t h e e n d o f t h e h o s t file

©

O v e rw ritin g : o v e r w r i t e s t h e h o s t file 's c o d e w i t h its o w n c o d e

Q

In s ertin g : in s e rts it s e lf i n t o gaps in s id e t h e h o s t file 's c o d e



Viruses and W orm s


©

C o m p a n io n : r e n a m e s t h e o rig in a l f ile a n d w r i t e s it s e lf w i t h t h e h o s t file 's n a m e

©

C av ity in fe c to r: w r i t e s it s e lf b e t w e e n file s e c tio n s o f 3 2 - b i t file

File v iru s e s a re also cla ssifie d b ase d o n w h e t h e r t h e y a re n o n - m e m o r y r e s i d e n t o r m e m o r y
r e s id e n t. N o n - m e m o r y r e s i d e n t v iru s e s s e a rch f o r EXE fi l e s o n a h a r d d r iv e a n d t h e n i n f e c t
t h e m , w h e r e a s m e m o r y r e s i d e n t v iru s e s sta ys a c tiv e ly in m e m o r y , a n d t r a p o n e o r m o r e s y s te m
f u n c t io n s . File v iru s e s a re said t o be p o l y m o r p h i c , e n c r y p t e d , o r n o n - e n c r y p t e d . A p o l y m o r p h i c
o r e n c r y p t e d v ir u s c o n t a in s o n e o r m o r e d e c r y p t o r s a n d a m a in co d e . M a i n v ir u s c o d e is
d e c r y p t e d b y t h e d e c r y p t o r b e f o r e i t s ta rts . A n e n c r y p t e d v ir u s u s u a lly uses v a r ia b le o r fi x e d k e y d e c r y p t o r s , w h e r e a s p o l y m o r p h i c v iru s e s h a ve d e c r y p t o r s t h a t a re r a n d o m l y g e n e r a t e d
f r o m i n s t r u c t i o n s o f p r o c e s s o rs a n d t h a t c o n s is t o f a l o t o f c o m m a n d s t h a t a re n o t used in t h e
d e c r y p t i o n p ro c e s s .
E xecu tio n o f P aylo ad:
©
©

T im e b o m b : A f t e r a s p e c ifie d p e r io d o f t i m e

©

Q

D ir e c t a c tio n : I m m e d i a t e l y u p o n e x e c u t io n

C o n d i t i o n t r ig g e r e d : O n ly u n d e r c e r ta in c o n d it io n s

M ultip artite Viruses
A m u l t i p a r t i t e v ir u s is also k n o w n as a m u l t i - p a r t v i r u s t h a t a t t e m p t s t o a t t a c k b o t h

t h e b o o t s e c t o r a n d t h e e x e c u ta b le o r p r o g r a m file s a t t h e s a m e t i m e . W h e n r g w v ir u s is
a t t a c h e d t o t h e b o o t s e c to r , it w i ll in t u r n a f f e c t t h e s y s te m file s , a n d t h e n t h e v ir u s a tta c h e s t o
t h e file s, a n d t h is t i m e it w ill in t u r n i n f e c t t h e b o o t s e c to r .

FIGURE 7.7: File and Multipartite Viruses



Viruses and W orm s


CEH

M a c r o V ir u s e s

14

Urt fw

ilhiul lUtbM

0

0
11.
Infects Macro Enabled Documents

0

Attacker

User

0
r

0

0
‫ץ‬
0 Macro viruses infect
templates or convert
infected documents
into template files,
while maintainingtheir
appearance of ordinary
documentfiles

0 Most macro viruses are
written using macro
language Visual Basic
for Applications (VBA)

r

V

0

0

0

0

Copyright © by E -CIllicit Al 1Rights Reserved. Reproduction is Strictly Prohibited.
Ca

M a c ro V iru se s
M i c r o s o f t W o r d o r s i m i l a r a p p li c a t i o n s can be i n f e c t e d t h r o u g h a c o m p u t e r v i r u s
c a lle d m a c r o v iru s , w h i c h a u t o m a t i c a l l y p e r f o r m s a s e q u e n c e o f a c tio n s w h e n t h e a p p li c a t i o n is
t r i g g e r e d o r s o m e t h i n g else. M o s t m a c r o v iru s e s a re w r i t t e n u s in g t h e m a c r o la n g u a g e V is u a l
Basic f o r A p p l i c a t i o n s (V B A ) a n d t h e y i n f e c t t e m p l a t e s o r c o n v e r t i n f e c t e d d o c u m e n t s i n t o
t e m p l a t e file s, w h i l e m a i n t a i n in g t h e i r a p p e a r a n c e o f o r d i n a r y d o c u m e n t file s. M a c r o v ir u s e s
a re s o m e w h a t less h a r m f u l t h a n o t h e r ty p e s . T h e y a re u s u a lly s p re a d via an e m a il. P ure d a ta
file s d o n o t a l l o w t h e s p re a d o f v iru s e s , b u t s o m e t i m e s t h e lin e b e t w e e n a d a ta f ile a n d an
e x e c u t a b l e f i l e is e a sily o v e r l o o k e d by t h e a v e r a g e u se r d u e t o t h e e x te n s iv e m a c r o la n g u a g e s
in s o m e p r o g r a m s . In m o s t cases, j u s t t o m a k e t h in g s easy f o r users, t h e lin e b e t w e e n a d a ta file
a n d a p r o g r a m s ta r t s t o b lu r o n l y in cases w h e r e t h e d e f a u l t m a c r o s a re s e t t o ru n a u t o m a t i c a l l y
e v e r y t i m e t h e d a ta file is lo a d e d . V ir u s w r i t e r s can e x p l o i t c o m m o n p r o g r a m s w i t h m a c r o
c a p a b i l it y such as M i c r o s o f t W o r d , Excel, a n d o t h e r O ffic e p r o g r a m s . W i n d o w s H e lp file s can
also c o n t a i n m a c r o c o d e . In a d d it io n , t h e la t e s t e x p l o i t e d m a c r o c o d e e xists in t h e fu ll v e r s io n o f
t h e A c r o b a t p r o g r a m t h a t re a d s a n d w r i t e s PDF files.



Viruses and W orm s


Infects M acro Enabled Documents

Attacker

User
FIGURE 7.8: Macro Viruses



Viruses and W orm s


C EH

C lu s te r V ir u s e s
C luster V iruses
J

a

Cluster viruses modify directory table entries so that it
points users or system processes to the virus code instead
of the actual program

:‫ ב‬I ■ ■ ■
‫] * :ן‬

V iru s Copy
J

There is only one copy of the virus on the disk infecting
all the programs in the computer system

Launch Its e lf
J

It will launch itself first when any program on the
computer system is started and then the control is
passed to actual program

Copyright © by EC auactl. All Rights Reserved. Reproduction is Strictly Prohibited
-C

C lu s te r V iru se s
C lu s te r v iru s e s in f e c t file s w i t h o u t c h a n g in g t h e file o r p la n t in g e x tr a file s t h e y c h a n g e
t h e DOS d i r e c t o r y i n f o r m a t i o n so t h a t e n t r i e s p o i n t t o t h e v ir u s c o d e in s te a d o f t h e a c tu a l
p r o g r a m . W h e n a p r o g r a m r u n s DOS, it f i r s t lo a d s a n d e x e c u te s t h e v iru s c o d e , a n d t h e n t h e
v ir u s lo c a te s t h e a c tu a l p r o g r a m a n d e x e c u te s it. D ir-2 is an e x a m p le o f t h is t y p e o f v iru s .
C lu s te r v iru s e s m o d i f y d i r e c t o r y t a b l e e n t r i e s so t h a t d i r e c t o r y e n t r i e s p o i n t t o t h e v ir u s c o d e .
T h e r e is o n l y o n e c o p y o f t h e v ir u s o n t h e d is k i n f e c t i n g all t h e p r o g r a m s in t h e c o m p u t e r
s y s te m . It w i ll la u n c h i t s e lf f i r s t w h e n a n y p r o g r a m o n t h e c o m p u t e r s y s te m is s t a r t e d a n d t h e n
t h e c o n t r o l is p assed t o t h e a c tu a l p r o g r a m .



Viruses and W orm s


S te a lth /T u n n e lin g V ir u s e s

CEH

These viruses evade the anti-virus software by intercepting its requests
to the operating system
A virus can hide itself by intercepting the anti-virus software's request to
read the file and passingthe request to the virus, instead of the OS
The virus can then return an uninfected version of the file to the antivirus software, so that it appears as if the file is "clean"

Hides Infected
TCPIP.SYS

i f

Here you go

Original TCPIP.SYS
Copyright © by EC auactl. All Rights Reserved. Reproduction is Strictly Prohibited.
-C

S te a lth /T u n n e lin g V iru se s
I

S te a lth V ir u s e s
T h e s e v iru s e s t r y t o h id e t h e m s e l v e s f r o m a n t i v i r u s p r o g r a m s by a c tiv e ly a lt e r in g a nd

c o r r u p t i n g t h e c h o s e n s e rv ic e call i n t e r r u p t s w h e n t h e y a re b e in g ru n . R e q u e s ts t o p e r f o r m
o p e r a t i o n s in r e s p e c t t o th e s e se rv ic e call i n t e r r u p t s a re r e p la c e d by v iru s c o d e . T h e se v iru s e s
s ta te fa lse i n f o r m a t i o n t o h id e t h e i r p r e s e n c e f r o m a n t i v i r u s p r o g r a m s . For e x a m p le , t h e s t e a l t h
v i r u s h id e s t h e o p e r a t i o n s t h a t it m o d i f i e d a n d g ive s fa ls e r e p r e s e n t a t i o n s . T hu s, it ta k e s o v e r
p o r t i o n s o f t h e t a r g e t s y s te m a nd h id e s its v ir u s co d e .
T h e s t e a lt h v iru s h id e s it s e lf f r o m a n t i v i r u s s o f t w a r e by h id in g t h e o rig in a l size o f t h e file o r
t e m p o r a r i l y p la c in g a c o p y o f it s e lf in s o m e o t h e r d r iv e o f t h e s y s te m , t h u s r e p la c in g t h e
i n f e c t e d file w i t h t h e u n i n f e c t e d file t h a t is s t o r e d o n t h e h a r d d riv e .
A s t e a lt h v ir u s h id e s t h e m o d if ic a t i o n s t h a t it m a k e s . It ta k e s c o n t r o l o f t h e s y s te m 's f u n c t io n s
t h a t re a d file s o r s y s te m s e c to r s a n d , w h e n a n o t h e r p r o g r a m r e q u e s ts i n f o r m a t i o n t h a t has
a lr e a d y b e e n m o d i f i e d by t h e v iru s , t h e s t e a l t h v i r u s r e p o r t s t h a t i n f o r m a t i o n t o t h e r e q u e s t i n g
p r o g r a m in s te a d . T his v ir u s a lso re s id e s in t h e m e m o r y .
T o a v o id d e t e c t i o n , th e s e v iru s e s a lw a y s t a k e o v e r s y s te m f u n c t i o n s a n d use t h e m t o h id e t h e i r
p re s e n c e .



Viruses and W orm s


O n e o f t h e c a rr ie r s o f t h e s t e a lth v ir u s is t h e r o o t k i t . In s ta llin g a r o o t k i t g e n e r a l l y r e s u lts in t h is
v ir u s a t t a c k b e c a u s e r o o t k i t s a re in s t a lle d via T ro ja n s , a n d t h u s a re c a p a b le o f h id in g a n y
m a lw a re .
R e m o v a l:
Q

A lw a y s d o a c o ld b o o t ( b o o t f r o m w r i t e - p r o t e c t e d f l o p p y d isk o r CD)

©

N e v e r use DOS c o m m a n d s such as FDISK t o fix t h e v iru s

e

Use a n t i v i r u s s o f t w a r e

/

Tunneling Viruses
T h e s e v iru s e s t r a c e t h e s te p s o f i n t e r c e p t o r p r o g r a m s t h a t m o n i t o r o p e r a t i n g s y s t e m

r e q u e s ts so t h a t t h e y g e t i n t o BIOS a n d DOS t o in s ta ll th e m s e lv e s . To p e r f o r m th is a c tiv it y , t h e y
even tu n n e l u n d e r a n tiv iru s s o ftw a re p ro g ra m s.
Give me the system file

tcpip.syi to icon

Anti-virus
Software

Hides Infected
TCPIP.SYS

*

VIRUS

Here you go
Original TCPIP.SYS
FIGURE 7.9: Working of Stealth/Tunneling Viruses



Viruses and W orm s


CEH

E n c r y p tio n V ir u s e s
‫־׳י‬

‫י‬
This type of virus uses simple
encryption to encipher the code

Virus Code

V
r

The virus is encrypted with
a different key for each
infected file

V.

AV scanner cannot directly
detect these types of
viruses using signature
detection methods

‫ץ‬
Encryption
Virus 2

Encryption
Virus 3

-/

Copyright © by E&

E n c ry p tio n V iru se s
T his t y p e o f v ir u s co n s is ts o f an e n c r y p t e d c o p y o f t h e v iru s a nd a d e c r y p t i o n m o d u l e .
T h e d e c r y p t i n g m o d u l e r e m a in s c o n s t a n t , w h e r e a s t h e d i f f e r e n t keys a re u sed f o r e n c r y p t i o n .
T h e s e v iru s e s g e n e r a l l y e m p l o y XO R o n e a ch b y te w i t h a r a n d o m i z e d key.
©

T h e v ir u s is e n c i p h e r e d w i t h an e n c r y p t i o n k e y t h a t co n s is ts o f a d e c r y p t i o n m o d u l e a nd
an e n c r y p t e d c o p y o f t h e c o d e .

Q

For e a ch i n f e c t e d file , t h e v ir u s is e n c r y p t e d b y u sin g a d i f f e r e n t c o m b i n a t i o n o f keys,
b u t t h e d e c r y p t i n g m o d u l e p a r t r e m a in s u n c h a n g e d .
It is n o t

p o s s ib le f o r t h e v ir u s s c a n n e r t o

d ir e c t ly

d e te c t th e

v ir u s

by m e a n s o f

s ig n a t u r e s , b u t t h e d e c r y p t i n g m o d u l e ca n be d e t e c t e d .
e

T h e d e c r y p t i o n t e c h n i q u e e m p lo y e d is x o r e a ch b y te w i t h a r a n d o m i z e d ke y t h a t is
g e n e r a t e d a n d sa ved b y t h e r o o t v iru s .



Viruses and W orm s


Virus Code

Encryption
Virus 1

Encryption
Virus 2

Encryption
Virus B

FIGURE 7.10: Working of Encryption Viruses



Viruses and W orm s


CEH

P o ly m o r p h ic C o d e
J

Polymorphic code is a code that mutates while keeping the original algorithm intact

J

To enable polymorphic code, the virus has to have a polymorphic engine (also called
mutating engine or mutation engine

J

A well-written polymorphic virus therefore has no parts that stay the same on each
infection

39Encrypted Mutation
Engine

Encrypted Virus
Code

Decryptor Routine

............
Decryptor
routine decrypts
virus code and
mutation engine

New Polymorphic
Virus
User Runs an
Infected Program

RAM

P o ly m o rp h ic C o d e
P o l y m o r p h ic v iru s e s m o d i f y t h e i r c o d e f o r e a ch r e p li c a t i o n in o r d e r t o a v o i d d e t e c t i o n .
T h e y a c c o m p lis h t h is b y c h a n g in g t h e e n c r y p t i o n m o d u l e a nd t h e i n s t r u c t i o n s e q u e n c e . A
r a n d o m n u m b e r g e n e r a t o r is used f o r i m p l e m e n t i n g p o l y m o r p h i s m .
A m u t a t i o n e n g in e is g e n e r a l l y used t o e n a b le p o l y m o r p h i c c o d e . T h e m u t a t o r p r o v id e s a
s e q u e n c e o f i n s t r u c t i o n s t h a t a v i r u s s c a n n e r can use t o o p t i m i z e an a p p r o p r i a t e d e t e c t i o n
a lg o r i t h m . S lo w p o l y m o r p h i c c o d e s a re u sed t o p r e v e n t a n t i v i r u s p r o f e s s i o n a l s f r o m accessing
th e codes.
V ir u s s a m p le s , w h i c h a re b a it file s a f t e r a s ing le e x e c u t i o n is i n f e c t e d , c o n t a i n a s i m i l a r c o p y o f
t h e viru s . A s im p le i n t e g r i t y c h e c k e r is used t o d e t e c t t h e p r e s e n c e o f a p o l y m o r p h i c v iru s in th e
s y s te m 's disk.



Viruses and W orm s


Encrypted Mutation
Engine (EME)
ncrypted M utation
j ‫ י‬Encry
Engine
i I

A

©

Encrypted Virus
Code

I

Decryptor Routine

A

Instruct to •
0

i

• Instruct to

Decryptor
routine decrypts
virus code and
mutation engine

New Polymorphic

*

©

Virus Does the Damage

User Runs an
Infected Program

Virus

RAM

FIGURE 7.11: How Polymorphic Code Work

P o l y m o r p h ic v iru s e s c o n s is t o f t h r e e c o m p o n e n t s . T h e y a re t h e e n c r y p t e d v i r u s c o d e , t h e
d e c r y p t o r r o u t i n e , a n d t h e m u t a t i o n e n g in e . T h e f u n c t i o n o f t h e d e c r y p t o r r o u t i n e is t o d e c r y p t
t h e v ir u s c o d e . It d e c r y p t s t h e c o d e o n l y a f t e r t a k i n g c o n t r o l o v e r t h e c o m p u t e r . T h e m u t a t i o n
e n g in e g e n e r a t e s r a n d o m i z e d d e c r y p t i o n r o u t in e s . T his d e c r y p t i o n r o u t i n e s v a rie s e v e r y t i m e
w h e n a n e w p r o g r a m is i n f e c t e d by t h e viru s .
W i t h a p o l y m o r p h i c v iru s , b o t h t h e m u t a t i o n e n g in e a n d t h e v ir u s c o d e a re e n c r y p t e d . W h e n a
p r o g r a m t h a t is i n f e c t e d w i t h a p o l y m o r p h i c v ir u s is ru n b y t h e user, t h e d e c r y p t o r r o u t i n e ta k e s
c o m p l e t e c o n t r o l o v e r t h e s y s te m , a f t e r w h i c h it d e c r y p t s t h e v iru s c o d e a n d t h e m u t a t i o n
e n g in e . N e x t, t h e c o n t r o l o f y o u r s y s te m is t r a n s f e r r e d by t h e d e c r y p t i o n r o u t i n e t o t h e v iru s ,
w h i c h lo c a te s a n e w p r o g r a m t o in f e c t. In R A M ( R a n d o m Access M e m o r y ) , t h e v ir u s m a k e s a
r e p lic a o f it s e lf as w e l l as t h e m u t a t i o n e n g in e . T h e n t h e v ir u s in s t r u c t s t h e e n c r y p t e d m u t a t i o n
e n g in e

to

g en erate

a new

ra n d o m iz e d

d e c ry p tio n

ro u tin e ,

w h ic h

has t h e

c a p a b i l it y

of

d e c r y p t i n g v iru s . H ere, t h is n e w c o p y o f b o t h t h e v ir u s c o d e a n d m u t a t i o n e n g in e is e n c r y p t e d
by t h e v iru s . T hu s, t h is v iru s , a lo n g w i t h t h e

n e w ly e n c ry p te d v iru s co d e and e n c ry p te d

m u t a t i o n e n g in e (EM E), a p p e n d s t h is n e w d e c r y p t i o n r o u t i n e o n t o a n e w p r o g r a m , t h e r e b y
c o n t i n u i n g t h e pro cess .
P o l y m o r p h ic v iru s e s t h a t re s p re a d b y t h e a t t a c k e r in t a r g e t e d s y s te m s a re d i f f i c u l t t o d e t e c t
b e c a u s e h e r e t h e v ir u s b o d y is e n c r y p t e d a n d t h e d e c r y p t i o n r o u t i n e s c h a n g e s e ach t i m e f r o m
in f e c t i o n t o i n f e c t i o n a n d n o t w o in f e c t i o n s lo o k t h e s a m e ; th is m a k e it d i f f i c u l t f o r t h e v iru s
s c a n n e r t o i d e n t i f y t h is v iru s .



Viruses and W orm s


M e ta m o r p h ic V ir u s e s
M e ta m o rp h ic V iru s e s

M e ta m o rp h ic C o d e

Metamorphic viruses
rewrite themselves
completely each time they
are to infect new
executable

Metamorphic code can
reprogram itself by
translating its own code into
a temporary representation
and then back to the normal
code again

CEH

UrtMM itkNjI lUilwt

MotaphoR V I by tHE moNTAL D illlei/2 9*

For example, W32/Simile
consisted of over 14000
lines of assembly code,
90% of it is part of the
metamorphic engine

E3

M
etaphoRV bj •H m LDI# /29*
I
E tfJTA < h

E l

a V tA
.) arian

c T e"U official” V t C
.) h n
arian
at IAHM 1 IL bY iH ni Ntnl cttllller/^JA
J
fc

m tA G 1b B tH•
E PH R Y

A
1LER/2*

r£TAfSC« iCbVlHE n£W dFIIUi/2^
»4l

E l

[1E

b.) V a ria n t B

I

d .) T h e .D v a ria n t ( w h ic h w a s th e
* o ffic ia l' C o f t h e o rig in a l a u th o r)

Copyright © by E&

M e ta m o rp h ic V iru se s
S o m e v iru s e s r e w r i t e t h e m s e l v e s t o in f e c t n e w l y e x e c u te d files. Such v iru s e s are
c o m p le x a n d use m e t a m o r p h i c e n g in e s f o r e x e c u t io n .
A c o d e t h a t can r e p r o g r a m it s e lf is c a lle d m e t a m o r p h i c c o d e . T his c o d e is t r a n s l a t e d i n t o t h e
t e m p o r a r y c o d e , a n d t h e n c o n v e r t e d b a ck t o t h e n o r m a l c o d e . This t e c h n i q u e , in w h i c h t h e
o rig in a l a l g o r i t h m r e m a in s in t a c t , is used t o a v o id p a t t e r n r e c o g n i t i o n o f a n t i v i r u s s o f t w a r e .
This is m o r e e f f e c t i v e in c o m p a r i s o n t o p o l y m o r p h i c c o d e . T his t y p e o f v ir u s c o n s is ts o f c o m p le x
e x te n s iv e c o d e .
T h e c o m m o n l y k n o w n m e t a m o r p h i c v iru s e s a re :
W in 3 2 /S im ile :
T his v ir u s is w r i t t e n in a s s e m b ly la n g u a g e a n d d e s t i n e d f o r M i c r o s o f t W i n d o w s . T his p ro c e s s is
c o m p le x , a n d n e a r ly 9 0 % o f v i r u s c o d e s a re g e n e r a t e d b y t h is pro cess.
Z m ist:
Z m is t is also k n o w n as t h e Z o m b ie . M is t f a l l is t h e f i r s t v i r u s t o use t h e t e c h n i q u e c a lle d " c o d e
i n t e g r a t i o n . " T his c o d e in s e rts i t s e lf i n t o o t h e r c o d e , r e g e n e r a t e s t h e c o d e , a n d r e b u ild s t h e
e x e c u ta b le .



Viruses and W orm s


□

a.) Variant A

c.) The "Unofficial" Variant C

Im ElAPHOR 1b BY tHe MeNTAI drilLER/29A

12

mEtAPHOR 1b BY tHe MeNTAI di!LER/
r o in

b.) Variant B

aA

m

mETAPhOr 1C bY tHE mENtal dRllle1/29A

Q

mETAPhOr 1C bY (HE mENtal dRlller/29A

‫ .....ו‬ok...‫ך‬

d.) The .D variant (which was the
"official" C of the original author)
FIGURE 7.12: Metamorphic Viruses Screenshot


Ethical Hacking and C ounterm easures Copyright © by EC-C0l1nCil

Viruses and W orm s


File Overwriting or Cavity Viruses

CEH

Cavity Virus overwrites a part of the host file with a constant
(usually nulls), without increasingthe length of the file and
preserving its functionality

Sales and marketing management is the
leading authority for executives in the sales
and marketing management industries
The suspect, Desmond Turner, surrendered to
authorities at a downtown Indianapolis fast-food
restaurant

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Null

Original File
Size: 45 KB

Null

Null

N U ll

Null

Null

Null

Null

Null

■2> a
■ 3

Null

Infected File
Size: 45 KB


F ile O v e r w r itin g o r C a v ity V iru s e s
T h e s e are also k n o w n as s p a c e -fille r s since t h e y m a i n t a i n a c o n s t a n t file -s iz e w h i l e
i n f e c t e d b y in s t a llin g t h e m s e l v e s i n t o t h e t a r g e t p r o g r a m . T h e y a p p e n d t h e m s e l v e s t o t h e e n d
o f file s a n d also c o r r u p t t h e s t a r t o f files. T his t r i g g e r e v e n t f i r s t a c tiv a te s a n d e x e c u te s t h e v iru s
c o d e , a n d l a t e r t h e o rig in a l a p p li c a t i o n p r o g r a m .
S o m e p r o g r a m file s h a ve a re a s o f e m p t y sp ace . T his e m p t y sp ace is t h e m a in t a r g e t o f th e s e
v iru s e s . T h e C a v it y V ir u s , a lso k n o w n as t h e Space F ille r V iru s , s to re s its c o d e in t h is e m p t y
space. T h e v iru s in s ta lls it s e lf in t h i s u n o c c u p ie d space w i t h o u t a n y d e s t r u c t i o n t o t h e o rig in a l
c o d e . It in s ta lls it s e lf in t h e file it a t t e m p t s t o in fe c t.
T his t y p e o f v ir u s is r a r e ly used b e c a u s e it is d i f f i c u l t t o w r i t e . A n e w W i n d o w s file ca lle d th e
P o r t a b l e E x e c u t a b le it d e s ig n e d f o r t h e fa s t lo a d in g o f p r o g r a m s . H o w e v e r , it lea ves a c e r ta in
g ap in t h e f ile w h i l e it is b e in g e x e c u t e d t h a t can be used by t h e Space F ille r V ir u s t o i n s e r t
its e lf. T h e m o s t p o p u l a r v ir u s f a m i l y is t h e CIH v ir u s .

Original File
Size: 45 KB

I

h

.............................................................................^

PDF

L

>1

Infected File
Size: 45 KB

PDF

FIGURE 7 .1 3 : File O v e r w ritin g o r C a v ity V iru s



Viruses and W orm s


S p a r se I n fe c to r V ir u s e s
M

ir
S parse In fe c to r Virus
J

Sparse infector virus infects only occasionally (e.g. every
tenth program executed), or only files whose lengths fall
within a narrow range

D iffic u lt to D e te c t
J

By infecting less often, such viruses try to minimize the
probability of being discovered

In fe c tio n Process

Wake up on 15* of
every month and execute code

-C

S p a rse In fe c to r V iru se s
Sparse i n f e c t o r v iru s e s in f e c t o n l y o c c a s io n a lly (e.g., e v e r y t e n t h p r o g r a m e x e c u t e d o r
o n p a r t i c u l a r d a y o f t h e w e e k ) o r o n l y file s w h o s e l e n g t h s fa ll w i t h i n a n a r r o w r a n g e . By
i n f e c t i n g less o f t e n , th e s e v iru s e s t r y t o m in i m i z e t h e p r o b a b i l i t y o f b e in g d is c o v e r e d .

Wake up on 15th of
every month and execute code

FIGURE 7.14: Working of Sparse Infector Viruses



Viruses and W orm s


Companion/Camouflage Viruses I C EH

A Companion virus creates a companion file for each
executable file the virus infects

A

Therefore, a companion virus may save itself as notepad.com and every
time a user executes notepad.exe (good program), the computer will load
notepad.com (virus) and infect the system

Virus infects the system with
a file notepad.com and saves
it in c:winntsystem32directory
...

1
Attacker

1

/

£

N otepad.exe

Notepad.com

-C

C o m p a n io n /C a m o u fla g e V iru se s
Com panion Viruses
4

T h e c o m p a n i o n v ir u s s to r e s it s e lf b y h a v in g t h e id e n t ic a l file n a m e as t h e t a r g e t e d

p r o g r a m f i l e . As s o o n as t h a t f ile is e x e c u te d , t h e v ir u s i n f e c ts t h e c o m p u t e r , a n d h a rd d isk d a ta
is m o d if ie d .
C o m p a n io n v iru s e s use DOS t h a t r u n C O M file s b e f o r e t h e EXE file s are e x e c u te d . T h e v ir u s
in s ta lls an id e n t ic a l C O M file a nd i n f e c ts t h e EXE files.
S o u rc e : h t t p : / / w w w . c k n o w . c o m / v t u t o r / C o m p a n i o n V i r u s e s . h t m l
H e re is w h a t h a p p e n s : S u p p o s e a c o m p a n i o n v ir u s is e x e c u t in g o n y o u r PC a n d d e c id e s it is t i m e
t o in f e c t a file . It lo o k s a r o u n d a n d h a p p e n s t o f i n d a f ile c a lle d PGM.EXE. It n o w c r e a te s a file
ca lle d P G M .C O M , c o n t a i n i n g t h e v iru s . T h e v ir u s u s u a lly p la n t s t h is file in t h e s a m e d i r e c t o r y as
t h e .EXE file , b u t it c o u ld p la ce it in a n y d i r e c t o r y o n y o u r DOS p a t h . If y o u t y p e P G M a n d press
E n te r, DOS e x e c u te s P G M .C O M in s te a d o f PG M .E XE . (In o r d e r , DOS w ill e x e c u te C O M , t h e n
EXE, a n d t h e n BAT file s o f t h e s a m e r o o t n a m e , if t h e y a re all in t h e s a m e d ir e c t o r y . ) T h e v iru s
e x e c u te s ,

p o s s ib ly i n f e c t i n g

m o r e file s , a n d t h e n

lo a d s a n d

e x e c u te s

PGM.EXE. T h e

u ser

p r o b a b l y w o u l d fa il t o n o t i c e a n y t h i n g is w r o n g . It is easy t o d e t e c t a c o m p a n i o n v i r u s j u s t by
t h e p r e s e n c e o f t h e e x tr a C O M f ile in t h e s y s te m .



Viruses and W orm s


Virus infects the system with
a file notepad.com and saves
It In c:wlnntsystem32 directory

Attacker

V
Notepad.exe

Notepad.com

FIGURE 7.15: Working of Companion/Camouflage Viruses



Ce hv8 module 07 viruses and worms

Ce hv8 module 07 viruses and worms

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Ce hv8 module 07 viruses and worms

Ähnlich wie Ce hv8 module 07 viruses and worms (20)

Ce hv8 module 07 viruses and worms