Weitere ähnliche Inhalte
Ähnlich wie Ce hv8 module 07 viruses and worms (20)
Ce hv8 module 07 viruses and worms
- 2. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
V iru se s and W orm s
M o d u le 07
Engineered by Hackers. Presented by Professionals.
M
E th ic a l H a c k in g
a n d
C o u n te rm e a s u re s v 8
M o d u le 0 7 : V iru s e s a n d W o r m s
E xam 3 1 2 -5 0
M odule 07 Page 1007
Ethical Hacking and C ounterm easures Copyright © by EC-C0linCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 3. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
CEH
Secu rity N ew s
I GlobalResearch
H om e
P ro d u c ts
About
5«rv*ccs
O ctobe r 1 9 ,2 0 1 2
G lo b al C y b e r-W arfa re T a c tic s : N e w F la m e -lin k e d
M a lw a re used in “ C y b e r-E s p io n a g e ”
A n e w c y b e r e s p io n a g e p ro g ra m lin k e d t o th e n o to r io u s F lam e and Gauss m a lw a re has bee n d e te c te d by Russia's K aspersky Lab.
T he a n ti-v iru s g ia n t's c h ie f w a rn s t h a t g lo b a l c y b e r w a rfa r e is in " f u ll s w in g " a n d w ill p ro b a b ly e s c a la te in 2013.
T h e v iru s , d u b b e d m in iF la m e , a n d a lso k n o w n as SPE, has a lre a d y in fe c te d c o m p u te rs in Ira n , L e b a n o n , France, t h e U n ite d
S ta te s a n d L ith u a n ia . It w as dis c o v e re d in July 20 1 2 a n d is d e s c rib e d as "a small and highly flexible malicious program designed
to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a s ta te m e n t p o s te d
o n its w e b s ite .
T he m a lw a re w a s o rig in a lly id e n tifie d as an a p p e n d a g e o f F lam e - th e p ro g ra m used f o r ta rg e te d c y b e r e spionage in th e M id d le
East a n d a c k n o w le d g e d to be p a r t o f jo in t U S -ls ra e li e ffo r ts t o u n d e rm in e Iran 's n u c le a r p ro g ra m .
B u t la te r, K aspersky Lab a n a ly s ts d is c o v e re d t h a t m in iF la m e is a n "interoperable tool th a t could be used as an independent
malicious program, o r concurrently as a plug-in f o r both the Flame and Gauss m alw are."
^ ^ ^ ^ T h e a n a l y s i s a lso s h o w e d n e w e v id e n c e o f c o o p e ra tio n b e tw e e n th e c re a to rs o f F lam e a n d G a u s s ^ ^ ^ ^ ^ —
http ://www. globa/research, ca
Copyright © by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
S e c u rity N e w s
an
M
G lo b a l C y b e r - W a r fa r e T a c tic s : N e w
M
M a lw a re u s e d in
F la m e - lin k e d
“ C y b e r-E s p io n a g e ”
S o u rc e : h t t p : / / w w w . g l o b a l r e s e a r c h . c a
A n e w c y b e r e s p io n a g e p r o g r a m lin k e d t o t h e n o t o r i o u s F la m e a n d G auss m a l w a r e has b e e n
d e t e c t e d b y Russia's K a s p e rsky Lab. T h e a n t i v i r u s g ia n t 's c h ie f w a r n s t h a t g lo b a l c y b e r w a r f a r e
is in " f u l l s w i n g " a n d p r o b a b l y e s c a la te in 2 0 1 3 .
T h e v iru s , d u b b e d m in iF la m e , a nd also k n o w n as SPE, has a lr e a d y i n f e c t e d c o m p u t e r s in Iran,
L e b a n o n , F rance, t h e
U n ite d States, a n d
L ith u a n ia . It w a s d is c o v e r e d
in July 2 0 1 2 a n d
is
d e s c r ib e d as "a s m a ll a n d h ig h ly f le x ib le m a lic io u s p r o g r a m d e s ig n e d t o ste a l d a ta a n d c o n t r o l
in fe c te d
s y s te m s
d u r in g
ta rg e te d
cyber
e s p io n a g e
o p e ra tio n s ,"
K a sp e rsky
Lab said
in a
s t a t e m e n t p o s te d o n its w e b s i t e .
The m a lw a re
w a s o r i g i n a l l y i d e n t if ie d
as an a p p e n d a g e o f F lam e, t h e
p ro g ra m
u sed f o r
t a r g e t e d c y b e r e s p io n a g e in t h e M i d d l e East a n d a c k n o w l e d g e d t o be p a r t o f j o i n t US-lsraeli
e f f o r t s t o u n d e r m i n e Ira n 's n u c l e a r p r o g r a m .
M odule 07 Page 1008
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 4. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
B u t la t e r , K a sp e rsky Lab a n a ly s ts d is c o v e r e d t h a t m i n i F l a m e is an " i n t e r o p e r a b l e t o o l t h a t c o u ld
be used as an i n d e p e n d e n t m a lic io u s p r o g r a m , o r c o n c u r r e n t l y as a p lu g - in f o r b o t h t h e Flam e
a n d Gauss m a l w a r e . "
T h e a na lysis also s h o w e d n e w e v id e n c e o f c o o p e r a t i o n b e t w e e n t h e c r e a t o r s o f F la m e a nd
Gauss, as b o t h v iru s e s can use m in i F la m e f o r t h e i r o p e r a t i o n s .
" M i n i F l a m e ' s a b i l it y t o be used as a p lu g - in b y e i t h e r F lam e o r Gauss c le a r ly c o n n e c ts t h e
c o ll a b o r a t i o n b e t w e e n t h e d e v e l o p m e n t t e a m s o f b o t h F la m e a n d Gauss. Since t h e c o n n e c t i o n
b e t w e e n F la m e a n d S t u x n e t / D u q u has a lr e a d y b e e n r e v e a le d , it can be c o n c l u d e d t h a t all th e s e
a d v a n c e d t h r e a t s c o m e f r o m t h e s a m e 'c y b e r w a r f a r e ' f a c t o r y , " K a s p e r s k y Lab said.
H ig h - p r e c is io n a tta c k to o l
So f a r j u s t 5 0 t o 6 0 cases o f in f e c t i o n h a v e b e e n d e t e c t e d w o r l d w i d e , a c c o r d in g t o K a sp e rs ky
Lab. B u t u n lik e F lam e a n d Gauss, m in iF la m e in m e a n t f o r in s t a l l a t i o n o n m a c h in e s a lr e a d y
i n f e c t e d b y t h o s e v iru se s .
" M i n i F l a m e is a h ig h - p r e c is io n a t t a c k t o o l . M o s t lik e ly it is a t a r g e t e d c y b e r w e a p o n used in
w h a t can be d e f i n e d as t h e s e c o n d w a v e o f a c y b e r a t t a c k , " K a s p e rsk y's C h ie f S e c u r ity E x p e rt
A l e x a n d e r G o s te v e x p la in e d .
"F ir s t, F la m e o r Gauss a re used t o in f e c t as m a n y v i c t i m s as p o s s ib le t o c o lle c t la rg e q u a n t i t i e s
o f i n f o r m a t i o n . A f t e r d a ta is c o lle c te d a n d r e v i e w e d , a p o t e n t i a l l y i n t e r e s t i n g v i c t i m is d e f i n e d
a n d i d e n t if ie d , a n d m in iF la m e is in s t a lle d in o r d e r t o c o n d u c t m o r e in - d e p t h s u r v e il l a n c e a nd
c y b e r-e s p io n a g e ."
T h e n e w l y - d i s c o v e r e d m a l w a r e can also t a k e s c r e e n s h o t s o f an i n f e c t e d c o m p u t e r w h i l e it is
r u n n i n g a s p e c ific p r o g r a m o r a p p li c a t i o n in such as a w e b b r o w s e r , M i c r o s o f t O ffic e p r o g r a m ,
A d o b e R eader, i n s t a n t m e s s e n g e r se rv ic e o r FTP c lie n t.
K a sp e rsky Lab b e lie v e s m in i F la m e 's d e v e lo p e r s h a v e p r o b a b l y c r e a te d d o z e n s o f d i f f e r e n t
m o d i f i c a t i o n s o f t h e p r o g r a m . " A t t h i s t i m e , w e h a v e o n l y f o u n d six o f th e s e , d a t e d 2 0 1 0 - 2 0 1 1 , "
t h e f i r m said.
‘C y b e r w a rfa re
i n f u ll s w i n g ’
M e a n w h i l e , K a s p e rs k y Lab's c o - f o u n d e r a n d CEO E u ge n e K a s p e rs k y w a r n e d t h a t g lo b a l c y b e r
w a r f a r e ta c tic s a re b e c o m i n g m o r e s o p h is t ic a t e d w h i l e also b e c o m i n g m o r e t h r e a t e n i n g . He
u rg e d g o v e r n m e n t s t o w o r k t o g e t h e r t o f i g h t c y b e r w a r f a r e a n d c y b e r - t e r r o r i s m , X in h u a n e w s
a g e n c y r e p o r ts .
S p e a k in g a t an I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n io n T e le c o m W o r l d c o n f e r e n c e in D u b a i,
t h e a n t i v i r u s t y c o o n said, " c y b e r w a r f a r e is in fu ll s w in g a nd w e e x p e c t it t o e s c a la te in 2 0 1 3 ."
" T h e la t e s t m a lic io u s v ir u s a t t a c k o n t h e w o r l d ' s la r g e s t o il a n d gas c o m p a n y , Saudi A r a m c o , last
A u g u s t s h o w s h o w d e p e n d e n t w e a re t o d a y o n t h e I n t e r n e t a nd i n f o r m a t i o n t e c h n o l o g y in
g e n e r a l, a n d h o w v u ln e r a b l e w e a r e ," K a sp e rs ky said.
He s t o p p e d s h o r t o f b la m i n g a n y p a r t i c u l a r p la y e r b e h in d t h e m a s s iv e c y b e r - a t t a c k s across t h e
M i d d l e East, p o i n t i n g o u t t h a t " o u r j o b is n o t t o i d e n t i t y h a c k e rs o r c y b e r - t e r r o r i s t s . O u r f i r m is
M odule 07 Page 1009
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 5. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
like an X -ra y m a c h in e , m e a n i n g w e can scan a n d i d e n t i f y a p r o b l e m , b u t w e c a n n o t say w h o o r
w h a t is b e h in d i t . "
Iran, w h o c o n f i r m e d t h a t it s u f f e r e d an a t t a c k b y F la m e m a l w a r e t h a t ca u s e d s e v e re d a ta loss,
b la m e s t h e U n i t e d S ta te s a nd Israel f o r u n l e a s h i n g t h e c y b e r - a tta c k s .
C o p y r i g h t © 2 0 0 5 - 2 0 1 2 G lo b a lR e s e a r c h .c a
B y R u s s ia T o d a y
http://www.globalresearch.ca/global-cyber-warfare-tactics-new-flame-linked-malware-used-incyber-espionage/5308867
M odule 07 Page 1010
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 6. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
CEH
M odule O b jectives
J
Introduction to Viruses
J
Computer Worms
J
Stages of Virus Life
J
Worm Analysis
J
Working of Viruses
J
Worm Maker
J
Indications of Virus Attack
J
Malware Analysis Procedure
J
How does a ComputerGet Infected
by Viruses
J
Online Malware Analysis Services
y
Virus Analysis
J
Virus and Worms Countermeasures
J
Types of Viruses
J
Antivirus Tools
J
Virus Maker
J
Penetration Testing for Virus
Copyright © by
EC auactl. All Rights Reserved. Reproduction is Strictly Prohibited.
-C
M o d u le O b je c tiv e s
T h e o b j e c t iv e o f th is m o d u l e is t o e x p o s e y o u t o t h e v a r io u s v iru s e s a n d w o r m s
a v a ila b le to d a y . It g ive s y o u i n f o r m a t i o n a b o u t all t h e a v a ila b le v iru s e s a n d w o r m s . This m o d u l e
e x a m in e s t h e w o r k i n g s o f a c o m p u t e r v iru s , its f u n c t i o n , c la s s ific a tio n , a n d t h e m a n n e r in w h i c h
it a ffe c ts s y s te m s . T his m o d u l e w ill go i n t o d e ta il a b o u t t h e v a r io u s c o u n t e r m e a s u r e s a v a ila b le
t o p r o t e c t a g a in s t th e s e v ir u s i n f e c tio n s . T h e m a in o b j e c t iv e o f th is m o d u l e is t o e d u c a t e y o u
a b o u t t h e a v a ila b le v iru s e s a nd w o r m s , i n d i c a t i o n s o f t h e i r a t t a c k a nd t h e w a y s t o p r o t e c t
a g a in s t v a r io u s v iru s e s , a n d t e s t i n g y o u r s y s te m o r n e t w o r k a g a in s t v iru s e s o r w o r m s p re s e n c e .
T his m o d u l e w i ll f a m i l i a r i z e y o u w i t h :
0
I n t r o d u c t i o n t o V iru s e s
0
C o m p u te r W o rm s
0
Stages o f V ir u s Life
0
W o r m A n a ly s is
0
W o r k i n g o f V iru s e s
0
W o rm M aker
0
I n d ic a tio n s o f V ir u s A t t a c k
0
M a l w a r e A n a ly s is P r o c e d u r e
0
How
0
O n lin e M a l w a r e A n a ly s is Services
0
V ir u s a nd W o r m s
D oes
a
C o m p u te r
V iru se s?
0
T y p e s o f V iru s e s
In f e c t e d
by
C o u n te rm e a su re s
V ir u s A n a ly s is
0
Get
Modute07
!M a k e r
0
A n t i v i r u s T o o ls
Ethical H a c k if^ a n P ^ f i t F i S t i a n e T e ^ Q g t f e f y V i F W f i l l C i l
All Rights Reserved. Reproduction is S trictly Prohibited.
- 7. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
Module Flow
Virus and
Worms
Concepts
Typ e s of
Viruses
Penetration
Testing
Com puter
Worms
Countermeasures
M alware
Analysis
Copyright © by
E&Ctlllcil. All Rights Reserved. Reproduction is Strictly Prohibited.
M o d u le F lo w
T his s e c tio n in t r o d u c e s y o u t o v a r io u s v iru s e s a n d w o r m s a v a ila b le t o d a y a n d g ive s y o u
a b r i e f o v e r v i e w o f e a ch v ir u s a n d s t a t i s t i c s o f v iru s e s a n d w o r m s in t h e r e c e n t y e a rs. It lists
v a r io u s t y p e s o f v iru s e s a nd t h e i r e f fe c ts o n y o u r s y s te m . T h e w o r k i n g o f v iru s e s in e a c h p h a s e
has w i ll be d iscu sse d in d e ta il. T h e t e c h n i q u e s used b y t h e a t t a c k e r t o d i s t r i b u t e m a l w a r e o n
t h e w e b a re h ig h lig h t e d .
M alware Analysis
V ir u s a n d W o r m s C o n c e p t
,• נ
Types of Viruses
— /י
Computer W orm s
fj| Countermeasures
||־
^
Penetration Testing
V — ׳׳
M odule 07 Page 1012
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 8. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
Introduction to V iru se s
C EH
_l A virus is a self-replicating program that produces its own copy by attaching itself
to another program, computer boot sector or document
J
Viruses are generally transmitted through file downloads, infected disk/flash
drives and as email attachments
V ir u s C h a r a c t e r is t ic s
Alters Data
Infects Other Program
V
%
Corrupts Files and
Programs
Transforms Itself
m
F*
Encrypts Itself
m
Copyright © by
Self Propagates
%
#
1 f §
1
EC auactl. All Rights Reserved. Reproduction is Strictly Prohibited.
-C
ןאI n t r o d u c t i o n to V i r u s e s
C o m p u t e r v i r u s e s h a v e t h e p o t e n t i a l t o w r e a k h a v o c o n b o t h b u sin e ss a n d p e r s o n a l
c o m p u t e r s . W o r l d w i d e , m o s t b u sin e sse s h a ve b e e n i n f e c t e d a t s o m e p o i n t . A v ir u s is a se lfr e p li c a t i n g p r o g r a m t h a t p r o d u c e s its o w n c o d e b y a t t a c h i n g c o p ie s o f it i n t o o t h e r e x e c u ta b le
c o d e s. T his v ir u s o p e r a t e s w i t h o u t t h e k n o w l e d g e o r d e s ire o f t h e user. Like a real v iru s , a
c o m p u t e r v ir u s is c o n t a g i o u s a n d can c o n t a m i n a t e o t h e r file s. H o w e v e r , v iru s e s can i n f e c t
o u t s i d e m a c h in e s o n l y w i t h t h e a ss ista n ce o f c o m p u t e r users. S o m e v iru s e s a f f e c t c o m p u t e r s as
soon
as t h e i r c o d e is e x e c u t e d ; o t h e r v iru s e s lie d o r m a n t u n t i l a p r e - d e t e r m i n e d
logical
c i r c u m s t a n c e is m e t . T h e r e a re t h r e e c a te g o r ie s o f m a lic io u s p r o g r a m s :
0
T r o ja n s a n d r o o t k i t s
0
V iru s e s
0
W o rm s
A w o r m is a m a lic io u s p r o g r a m t h a t can in f e c t b o t h local a n d r e m o t e m a c h in e s . W o r m s s p re a d
a u t o m a t i c a l l y b y in f e c t i n g s y s te m a f t e r s y s te m in a n e t w o r k , a n d e v e n s p r e a d in g f u r t h e r t o
o t h e r n e t w o r k s . T h e r e f o r e , w o r m s h a ve a g r e a t e r p o t e n t i a l f o r c a u s in g d a m a g e b e c a u s e t h e y
d o n o t r e ly o n t h e u s e r's a c tio n s f o r e x e c u t i o n . T h e r e a re also m a l i c i o u s p r o g r a m s in t h e w i ld
t h a t c o n t a i n all o f t h e f e a t u r e s o f th e s e t h r e e m a lic io u s p r o g r a m s .
M odule 07 Page 1013
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 9. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
Virus and Worm Statistics
75,000,000
60,000,000
45,000,000
30,000,000
15,000,000
2010
2008
Copyright © by
2011
2012
http://www.av-test. org
E&Ctinctl. All Rights Reserved. Reproduction is Strictly Prohibited.
^ V iru s a n d W o rm S ta tis tic s
S o u rc e : h t t p : / / w w w . a v - t e s t . o r g
T his g ra p h ic a l r e p r e s e n t a t i o n g ive s d e t a i le d i n f o r m a t i o n o f t h e a t t a c k s t h a t h a v e o c c u r r e d in
t h e r e c e n t y e a rs. A c c o r d i n g t o t h e g r a p h , o n l y 1 1 ,6 6 6 , 6 6 7 s y s te m s w e r e a f f e c t e d b y v iru s e s a nd
w orm s
in t h e
year 2008,
w he re a s
in t h e
ye ar 2012, th e
c o u n t d ra s tic a lly
in c r e a s e d
to
7 0 ,0 0 0 ,0 0 0 s y s te m s , w h i c h m e a n s t h a t t h e g r o w t h o f m a l w a r e a tta c k s o n s y s te m s is in c r e a s in g
e x p o n e n t ia l ly y e a r b y ye a r.
M odule 07 Page 1014
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 10. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
7 5 .0 0 0 .0 0 0
6 0 .0 0 0 .0 0 0
4 5 .0 0 0 .0 0 0
3 0 .0 0 0 .0 0 0
1 5 .0 0 0 .0 0 0
0
2008
2009
2010
2011
2012
FIGURE 7.1: Virus and Worm Statistics
M odule 07 Page 1015
Ethical Hacking and C ounterm easures Copyright © by EC-COUIlCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 11. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
Design
Replication
Launch
D eveloping virus
V iru s replicates fo r
code using
a perio d o f tim e
It gets activated w ith
th e user p e rfo rm in g
p ro g ra m m in g
w ith in th e ta rg e t
certa in action s such
languages or
system and th e n
as ru n n in g an
c o n s tru c tio n kits
spreads its e lf
in fected program
Incorporation
Detection
Users in s ta ll
Elim ination
A n tiv iru s s o ftw a r e
A v iru s is id e n tifie d
a n tiv iru s u p d a te s
d e v e lo p e rs
as t h re a t in fe c tin g
a n d e lim in a te th e
a s s im ila te d efenses
ta rg e t system s
v iru s th re a ts
a g a in s t th e viru s
S t a g e s o f V i r u s L ife
C o m p u t e r v ir u s a tta c k s s p re a d t h r o u g h v a r io u s sta ge s f r o m i n c e p t io n t o d e s ig n t o
e lim in a tio n .
1.
Design:
A v ir u s c o d e is d e v e lo p e d by u s in g p r o g r a m m i n g la n g u a g e s o r c o n s t r u c t i o n kits. A n y o n e
w i t h basic p r o g r a m m i n g k n o w l e d g e can c r e a te a viru s .
2.
Replication:
A v ir u s f i r s t r e p lic a te s it s e lf w i t h i n a t a r g e t s y s te m o v e r a p e r io d o f t i m e .
3.
Launch:
It is a c t i v a t e d w h e n a u s e r p e r f o r m s c e r t a i n a c tio n s such as t r i g g e r i n g o r r u n n i n g an
in fe c te d p ro g ra m .
4.
Detection:
A v ir u s is i d e n t if ie d as a t h r e a t i n f e c t i n g t a r g e t s y s te m s . Its a c tio n s ca use c o n s id e r a b le
d a m a g e t o t h e t a r g e t s y s te m 's d a ta .
M odule 07 Page 1016
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 12. Ethical Hacking and Countermeasures
Viruses and W orm s
5.
Exam 312-50 C ertified Ethical Hacker
Incorporation:
A n t i v i r u s s o f t w a r e d e v e l o p e r s a s s e m b l e d e f e n s e s a g a in s t t h e viru s .
6.
Elimination:
Users a re a d v is e d t o in s ta ll a n t i v i r u s s o f t w a r e u p d a te s , t h u s c r e a t i n g a w a r e n e s s a m o n g
user g ro up s
M odule 07 Page 1017
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 13. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
Working of Viruses: Infection
Phase
Infection
Phase
J
In the infection phase, the virus replicates itself
and attaches to an .exe file in the system
Before Infection
After Infection
*
C lean File
V iru s In fe c te d
File
Copyright © by
E -G
G 0llicil. All Rights Reserved. Reproduction is Strictly Prohibited.
W o rk in g o f V iru se s: In fe c tio n P h a s e
V ir u s e s
a tta c k
a ta rg e t
h o s t's
s y s te m
by
u sin g
v a r io u s
m e th o d s .
They
a tta c h
t h e m s e l v e s t o p r o g r a m s a n d t r a n s m i t t h e m s e l v e s t o o t h e r p r o g r a m s by m a k in g use o f c e r ta in
e v e n ts . V iru s e s n e e d such e v e n ts t o ta k e p la ce sin ce t h e y c a n n o t:
©
S e lf s t a r t
©
In f e c t o t h e r h a r d w a r e
©
Cause p h y s ic a l d a m a g e t o a c o m p u t e r
©
T r a n s m i t t h e m s e l v e s u sin g n o n - e x e c u t a b l e file s
G e n e r a lly v iru s e s h a ve t w o phases, t h e i n f e c t i o n p h a s e a n d t h e a t t a c k p h a s e .
In t h e i n f e c t i o n p ha se, t h e v i r u s r e p li c a t e s i t s e lf a n d a t t a c h e s t o an .e xe f ile in t h e s y s te m .
P r o g r a m s m o d i f i e d by a v ir u s i n f e c t i o n can e n a b le v ir u s f u n c t i o n a l i t i e s t o ru n o n t h a t s y s te m .
V iru s e s g e t e n a b le d as s o o n as t h e i n f e c t e d p r o g r a m is e x e c u te d , since t h e p r o g r a m c o d e leads
t o t h e v ir u s c o d e . V ir u s w r i t e r s h a v e t o m a i n t a i n a b a la n c e a m o n g f a c t o r s such as:
©
H o w w i ll t h e v ir u s in f e c t?
©
H o w w i ll it s p re a d ?
©
H o w w i ll it re s id e in a t a r g e t c o m p u t e r ' s m e m o r y w i t h o u t b e in g d e t e c t e d ?
M odule 07 Page 1018
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 14. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
O b v io u s ly , v iru s e s h a v e t o b e t r i g g e r e d a n d e x e c u t e d in o r d e r t o f u n c t i o n . T h e r e a re m a n y w a y s
t o e x e c u te p r o g r a m s w h i l e a c o m p u t e r is r u n n in g . For e x a m p le , a n y s e tu p p r o g r a m calls f o r
n u m e r o u s p r o g r a m s t h a t m a y be b u i l t i n t o a s y s te m , a n d s o m e o f th e s e a re d i s t r i b u t i o n
m e d i u m p r o g r a m s . T hu s, if a v ir u s p r o g r a m a lr e a d y exists, it can be a c tiv a te d w i t h t h is k in d o f
e x e c u t i o n a n d in f e c t t h e a d d it io n a l s e t u p p r o g r a m as w e ll.
T h e r e a re v ir u s p r o g r a m s t h a t in f e c t a n d k e e p s p r e a d in g e v e r y t i m e t h e y a re e x e c u te d .
Some
p r o g r a m s d o n o t in f e c t t h e p r o g r a m s w h e n f i r s t e x e c u te d . T h e y re s id e in a c o m p u t e r ' s m e m o r y
a n d in f e c t p r o g r a m s a t a l a t e r t i m e . Such v ir u s p r o g r a m s as TSR w a i t f o r a s p e c ifie d t r i g g e r
e v e n t t o s p re a d a t a l a t e r s ta ge . It is, t h e r e f o r e , d i f f i c u l t t o r e c o g n iz e w h i c h e v e n t m i g h t t r i g g e r
t h e e x e c u t i o n o f a d o r m a n t v ir u s i n f e c t i o n .
R e fe r t o t h e f i g u r e t h a t f o l l o w s t o see h o w t h e EXE file i n f e c t i o n w o r k s .
In t h e f o l l o w i n g f ig u r e , t h e .EXE file 's h e a d e r , w h e n t r i g g e r e d , e x e c u te s a n d s ta r t s r u n n i n g t h e
a p p li c a t i o n . O n c e t h is file is i n f e c t e d , a n y t r i g g e r e v e n t f r o m t h e file 's h e a d e r can a c t i v a t e t h e
v ir u s c o d e t o o , a lo n g w i t h t h e a p p li c a t i o n p r o g r a m as s o o n as it is ru n .
Q
A f ile v ir u s i n f e c ts b y a t t a c h i n g its e lf t o an e x e c u t a b l e s y s te m a p p li c a t i o n p r o g r a m . T e x t
file s su ch as s o u r c e c o d e , b a tc h file s, s c r ip t files, e tc., a re c o n s id e r e d p o t e n t i a l t a r g e t s
f o r v iru s in f e c tio n s .
©
B o o t s e c t o r v iru s e s e x e c u te t h e i r o w n c o d e in t h e f i r s t p la ce b e f o r e t h e t a r g e t PC is
b o o te d
Before Infection
A fte r Infection
.exe
N
_u
Clean File
Virus Infected
File
FIGURE 7.2: Working of Viruses in Infection Phase
M odule 07 Page 1019
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 15. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
Working of Viruses: Attack
D U
^ ^
r cu
V t
o q p
11
Urt׳fW
< ttkxjl Nm Im
J
Viruses are programmed with trigger events to activate and corrupt systems
J
Some viruses infect each time they are run and others infect only when a certain
predefined condition is met such as a user's specific ta sk , a day, time, or a
particular event
Unfragmented File Before Attack
File: A
1
1
1
Page:2
J _____________ 1
Page:3
A
Page: 1
File: B
1
A
Page:2
Page: 1
Page:3
File Fragmented Due to Virus Attack
Page: 1
File: A
Page:3
File: B
Page:3
File: A
Page: 1
File: B
Copyright © by
Page:2
File: B
Page:2
File: A
E&
Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
W o rk in g o f V iru se s: A tta c k P h a s e
O n c e v iru s e s s p re a d t h e m s e l v e s t h r o u g h o u t t h e t a r g e t s y s te m , t h e y s t a r t c o r r u p t i n g
t h e fi l e s a n d p r o g r a m s o f t h e h o s t s y s te m . S o m e v iru s e s h a v e t r i g g e r e v e n ts t h a t n e e d t o be
a c t i v a t e d t o c o r r u p t t h e h o s t s y s te m . S o m e v i r u s e s h a v e bugs t h a t r e p lic a t e th e m s e lv e s , a nd
p e r f o r m a c tiv it ie s such as d e l e t i n g f i l e s a n d in c r e a s in g s e s s io n t i m e .
T h e y c o r r u p t t h e i r t a r g e t s o n l y a f t e r s p r e a d in g as i n t e n d e d b y t h e i r d e v e lo p e r s . M o s t v iru s e s
t h a t a t t a c k t a r g e t s y s te m s p e r f o r m a c tio n s such as:
Q
D e le tin g file s a n d a l t e r i n g c o n t e n t in d a ta file s, t h e r e b y c a u s in g t h e s y s te m t o s lo w
down
e
P e r f o r m in g
ta sks
not
r e la t e d
to
a p p lic a tio n s ,
such
as p la y in g
m u s ic
and
c r e a tin g
a n im a tio n s
M odule 07 Page 1020
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 16. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
U n f r a g m e n t e d F ile B e fo r e A t t a c k
File: A
Page: 1
Page: 2
File: B
Page: 3
Page: 1
Page: 2
Page: 3
A
F ile F r a g m e n t e d D u e t o V ir u s A t t a c k
Page: 1
File: A
Page: 3
File: B
Page: 1
File: B
Page: 3
File: A
Page: 2
File: B
A
Page: 2
File: A
A
FIGURE 7.3: Working of Viruses in Attack Phase
R e fe r t o t h is f i g u r e , w h i c h has t w o file s, A a n d B. In s e c tio n o n e , t h e t w o file s a re l o c a te d o n e
a f t e r t h e o t h e r in an o r d e r l y f a s h io n . O n c e a v ir u s c o d e i n f e c ts t h e file , it a lte r s t h e p o s i t i o n i n g
o f t h e file s t h a t w e r e c o n s e c u t i v e l y p la c e d , t h u s l e a d in g t o in a c c u r a c y in f ile a llo c a tio n s , c a u s in g
t h e s y s te m t o s l o w d o w n as users t r y t o r e t r i e v e t h e i r file s. In t h i s p ha se:
©
V iru s e s e x e c u te w h e n s o m e e v e n ts a re t r i g g e r e d
0
S o m e e x e c u te a n d c o r r u p t via b u i l t - i n b u g p r o g r a m s a f t e r b e in g s t o r e d in t h e h o s t's
m em ory
0
M o s t v iru s e s a re w r i t t e n t o c o n c e a l t h e i r p re s e n c e , a t t a c k in g o n l y a f t e r s p r e a d in g in t h e
h o s t t o t h e f u l le s t e x t e n t
M odule 07 Page 1021
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 17. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
W h y Do People Create Computer
Viruses
r cu
|
UrtifWd
ttkiul Km Im
Computer Viruses
Inflict damage to competitors
J
J
J
Financial benefits
Research projects
Play prank
Vandalism
Cyber terrorism
Distribute political messages
V u ln e r a b le S y s te m
Copyright © by
E&
Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
W hy Do P e o p le C re a te C o m p u te r V iru se s?
S o u rc e : h t t p : / / w w w . s e c u r i t y d o c s . c o m
C o m p u t e r v iru s e s a re n o t s e lf - g e n e r a t e d , b u t a re c r e a te d b y c y b e r - c r i m i n a l m in d s , i n t e n t i o n a l l y
d e s ig n e d t o ca use d e s t r u c t i v e o c c u r r e n c e s in a s y s te m . G e n e ra lly , v iru s e s a re c r e a te d w i t h a
d is r e p u t a b l e m o t i v e . C y b e r - c r im i n a l s c r e a te v iru s e s t o d e s t r o y a c o m p a n y 's d a ta , as an a c t o f
v a n d a lis m o r a p ra n k , o r t o d e s t r o y a c o m p a n y 's p r o d u c ts . H o w e v e r , in s o m e cases, v iru s e s are
a c t u a lly
in te n d e d
to
be g o o d
fo r
a s y s te m . T he se
a re
d e s ig n e d
to
im p ro v e
a s y s te m 's
p e r f o r m a n c e b y d e l e t in g p r e v io u s ly e m b e d d e d v iru s e s f r o m files.
S o m e r e a s o n s v iru s e s h a v e b e e n w r i t t e n in c lu d e :
e
I n flic t d a m a g e t o c o m p e t i t o r s
e
R esearch p r o je c ts
0
Pranks
Q
V a n d a lis m
e
A t t a c k t h e p r o d u c t s o f s p e c ific c o m p a n i e s
©
D is t r i b u t e p o litic a l m essa ge s
0
F ina ncia l g ain
M odule 07 Page 1022
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 18. Ethical Hacking and Countermeasures
Viruses and W orm s
Q
Id e n tity th e ft
Q
S pyw are
Q
Exam 312-50 C ertified Ethical Hacker
C r y p t o v ir a l e x t o r t i o n
M odule 07 Page 1023
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 19. Ethical Hacking and Counterm easures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
P rocesses ta k e
m o re re s o u rc e s
a n d tim e
C o m p u te r s lo w s
dow n when
p r o g ra m s s ta rt
C o m p u te r fre e z e s
fr e q u e n t ly o r
e n c o u n te rs e r ro r
I n d ic a tio n s o f V iru s A tta c k s
A n e f f e c t i v e v iru s t e n d s t o m u l t i p l y r a p id l y a n d m a y in f e c t a n u m b e r o f m a c h in e s
w i t h i n t h r e e t o f iv e days. V iru s e s ca n in f e c t W o r d fi l e s w h i c h , w h e n t r a n s f e r r e d , can in f e c t t h e
m a c h in e s o f t h e u sers w h o r e c e iv e t h e m . A v ir u s can also m a k e g o o d use o f f ile s e rv e rs in o r d e r
t o i n f e c t file s . T h e f o l l o w i n g a re i n d i c a t i o n s o f a v i r u s a t t a c k o n a c o m p u t e r s y s te m :
Q
P r o g r a m s ta k e lo n g e r t o loa d
Q
T h e h a r d d r iv e is a lw a y s fu ll, e v e n w i t h o u t in s t a llin g a n y p r o g r a m s
Q
T h e f l o p p y d is k d r iv e o r h a r d d r i v e r u n s w h e n it is n o t b e in g used
9
U n k n o w n file s k e e p a p p e a r i n g o n t h e s y s te m
0
T h e k e y b o a r d o r t h e c o m p u t e r e m i t s s tr a n g e o r b e e p in g s o u n d s
Q
T h e c o m p u t e r m o n i t o r d is p la y s s tr a n g e g r a p h ic s
Q
File n a m e s t u r n s tr a n g e , o f t e n b e y o n d r e c o g n i t i o n
Q
T h e h a r d d r iv e b e c o m e s in a c c e s s ib le w h e n t r y i n g t o b o o t f r o m t h e f l o p p y d r i v e
©
A p r o g r a m 's size k e e p s c h a n g in g
Q
T h e m e m o r y o n t h e s y s te m s e e m s t o be in use a nd t h e s y s te m s lo w s d o w n
M odule 07 Page 1024
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 20. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
H o w does a Computer Get
Infected by Viruses
W h e n a user accepts files and d o w nloads w ith o u t checking
p ro p e rlyfo rth e source
ן
ing infected e-mail attachm ents
Installing pirated so ftw are
Not updatingand not installing new versions o f plug-ins
: runningthe latest anti-virus application
Copyright © by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
H ow D o es a C o m p u te r G et In fe c te d b y V iru se s?
T h e r e a re m a n y w a y s in w h i c h a c o m p u t e r g e ts i n f e c t e d b y viru s e s . T h e m o s t p o p u l a r
m e t h o d s a re as f o l lo w s :
©
W h e n a u s e r a c c e p ts file s a n d d o w n l o a d s w i t h o u t c h e c k in g p r o p e r l y f o r t h e s o u rc e .
©
A t t a c k e r s u s u a lly se n d v i r u s - in f e c t e d file s as e m a il a t t a c h m e n t s t o s p re a d t h e v ir u s on
t h e v i c t i m ' s s y s t e m . If t h e v i c t i m o p e n s t h e m a il, t h e v ir u s a u t o m a t i c a l l y i n f e c ts t h e
s y s te m .
©
A t t a c k e r s i n c o r p o r a t e v iru s e s in p o p u l a r s o f t w a r e p r o g r a m s a n d u p lo a d t h e i n f e c t e d
s o ftw a re on w e b s ite s in te n d e d to d o w n lo a d s o ftw a re . W h e n th e v ic tim
d o w n lo a d s
i n f e c t e d s o f t w a r e a n d in s ta lls it, t h e s y s te m g e ts i n f e c t e d .
©
Failing t o in s ta ll n e w v e r s io n s o r u p d a t e w i t h la t e s t p a t c h e s i n t e n d e d t o fix t h e k n o w n
b ug s m a y e x p o s e y o u r s y s te m t o viru s e s .
©
W i t h t h e in c r e a s in g t e c h n o l o g y , a tt a c k e r s also a re d e s ig n in g n e w v iru s e s . Failing t o use
la t e s t a n t i v i r u s a p p li c a t i o n s m a y e x p o s e y o u t o v i r u s a t t a c k s
M odule 07 Page 1025
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 21. Ethical Hacking and Counterm easures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
C o m m o n T e c h n i q u e s U s e d to
D istrib u te M a lw a re o n th e W eb
H
B la c k h a t S e a rc h E n gin e
O p tim iza tio n (SEO )
CEH
M a lv e rtis in g
Ranking malware pages highly
in search results
Embedding malware in ad-networks
that display across hundreds of
legitimate, high-traffic sites
S o c ia l E n g in eered
C lic k -ja c k in g
C o m p ro m ise d L e g itim a te
W e b sites
Tricking users into clicking on
innocent-looking webpages
Hosting embedded malware that
spreads to unsuspecting visitors
S p e a rp h is h in g S ites
Drive-by D o w n lo ad s
Mimicking legitimate institutions,
such as banks, in an attempt to
steal account login credentials
^ ״
ן ן וjl.
Exploiting flaws in browser
software to install malware
just by visiting a web page
Source: Security Threat Report 2012 (http://www.sophos.com )
Copyright © by
^
EC auactl. All Rights Reserved. Reproduction is Strictly Prohibited.
-C
C o m m o n T e c h n i q u e s U s e d to D i s t r i b u t e M a l w a r e o n
th e W eb
S o u rc e : S e c u r ity T h r e a t R e p o r t 2 0 1 2 ( h t t p : / / w w w . s o p h o s . c o m )
Blackhat Search Engine Optimization (SEO): U s in g t h is t e c h n i q u e t h e a t t a c k e r r a n k s m a l w a r e
p a g e s h ig h in se arch re s u lts
Social Engineered Click-jacking: T h e a t t a c k e r s t r i c k t h e users i n t o c lic k in g o n i n n o c e n t - l o o k i n g
w e b p ages t h a t c o n t a i n m a l w a r e
Spearphishing Sites: T his t e c h n i q u e is used f o r m im i c k i n g l e g i t i m a t e in s t it u t i o n s , such as ban ks,
in an a t t e m p t t o ste al a c c o u n t lo g in c r e d e n t i a l s
Malvertising: E m b e d s m a l w a r e in ad n e t w o r k s t h a t d is p la y ac ro s s h u n d r e d s o f l e g i t i m a t e , h ig h t r a f f i c sites
Compromised Legitimate W ebsites: H o s t e m b e d d e d m a l w a r e t h a t s p re a d s t o u n s u s p e c t i n g
v is ito rs
Drive-by Downloads: T h e a t t a c k e r e x p l o i t s f l a w s in b r o w s e r s o f t w a r e t o in s ta ll m a l w a r e j u s t by
v is itin g a w e b p age
M odule 07 Page 1026
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 22. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
Virus Hoaxes and Fake
Antiviruses
A tta c k e rs d is g u is e m a lw a r e s as a n a n t iv ir u s
a n d t r ic k u s e rs t o in s ta ll th e m in t h e ir
c o n ta in v ir u s a tta c h m e n ts
s y s te m s
W a r n in g m e s s a g e s p r o p a g a tin g t h a t a
O n c e in s ta lle d th e s e fa k e a n tiv iru s e s c a n
c e r ta in e m a il m e s s a g e s h o u ld n o t b e v ie w e d
d a m a g e t a r g e t s y s te m s s im ila r t o o t h e r
a n d d o in g s o w ill d a m a g e o n e 's s y s te m
J
H o axes a re fa ls e a la rm s c la im in g r e p o r ts
a b o u t a n o n - e x is tin g v ir u s w h ic h m a y
J
m a lw a re s
ntAsc rmv/Aflo m u warning among rniCNDS.rAMiiv and contacts Ho* •houM t* »k«t d*'•*
tbv mat fmv Jwyv Co ikx cptn «1» i׳i«im«« with 4 1etMchmvH vntlltvO >OSTCAAO 'ROM •Uir.O ■
y
1
RtMONATION Of BARACK OBAMA . regjrdl«»l0f WhO sent IttO you It IS J vlruStlWt Opers A
KttrtAftUlMAOt, then Dim* th -whole run) C a « ol YOU' computer.
«
rih b lIvmNHMlWdiliuumnl UyCNN Uni
1
Im Hid) U• I
k
••
jy M lllW A
1
4
(*•sif jctivtvirasawf Thevirw ...1 .discoveredbv McAfee v«terdiv. «ndthp׳p nortear
1>
A W C
*
*
*
tifa ft-0WI1 1l'W« IN MN'R NV M A n NA
i* F R A r)T4 AN flA 0 n lF 0 tA IIV NrOT rn
l «יHUM
j*for :h&
tSeZeto Setloiof llie llodDiM., mIivictl.r viulxifoimatbonk«vL
»׳
—
wi ss*־
f rr•־
״
״
jy y |r J !!L
l:
—
=«=— נ
0llicil. All Rights Reserved. Reproduction is Strictly Prohibited.
Copyright © by E GG
V iru s H o ax e s a n d F a k e A n tiv iru s e s
V iru s H o a x e s
A v ir u s h o a x is s i m p l y a b lu ff. V iru s e s , by t h e i r n a t u r e , h a v e a lw a y s c r e a te d a
h o r r i f y i n g i m p r e s s io n . H oa x es a re t y p i c a l l y u n t r u e sca re a le r t s t h a t u n s c r u p u l o u s in d iv id u a ls
s e n d t o c r e a te h a v o c . It is f a i r l y c o m m o n f o r i n n o c e n t users t o pass th e s e p h o n y m essa ge s
a lo n g t h i n k i n g t h e y a re h e lp in g o t h e r s a v o id t h e " v i r u s . "
©
H oa xes a re fa lse a la r m s c la im in g r e p o r t s a b o u t n o n - e x i s t i n g v iru s e s
©
T he se w a r n i n g m essages, w h i c h can b e p r o p a g a t e d r a p id ly , s t a t in g t h a t ac e r ta in
e m a il
m e s s a g e s h o u ld n o t be o p e n e d , a n d t h a t d o i n g so w o u l d d a m a g e o n e 's s y s te m
©
In s o m e cases, th e s e w a r n i n g m essa ge s t h e m s e l v e s c o n t a i n v iru s a t t a c h m e n t s
©
T he se possess t h e c a p a b i l it y o f v a s t d e s t r u c t i o n o n t a r g e t s y s te m s
M a n y h o a x e s t r y t o " s e l l" t h in g s t h a t a re t e c h n i c a l l y n o n s e n s e . N e v e rth e le s s , t h e h o a x e r has t o
be s o m e w h a t o f an e x p e r t t o s p re a d h o a x e s in o r d e r t o a v o id b e in g i d e n t if ie d a n d c a u g h t.
T h e r e f o r e , it is a g o o d p r a c tic e t o lo o k f o r t e c h n i c a l d e t a i ls a b o u t h o w t o b e c o m e i n f e c t e d . A lso
se arch f o r i n f o r m a t i o n in t h e w i ld t o le a rn m o r e a b o u t t h e h o a x , e s p e c ia lly by s c a n n in g b u l l e t i n
b o a r d s w h e r e p e o p le a c tiv e ly discuss c u r r e n t h a p p e n in g s in t h e c o m m u n i t y .
M odule 07 Page 1027
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 23. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
T ry t o c ro s s c h e c k t h e i d e n t i t y o f t h e p e r s o n w h o has p o s te d t h e w a r n i n g . A lso l o o k f o r m o r e
i n f o r m a t i o n a b o u t t h e h o a x / w a r n i n g f r o m s e c o n d a r y s o u rc e s . B e fo re j u m p i n g t o c o n c lu s io n s by
r e a d in g c e r t a i n d o c u m e n t s o n t h e I n t e r n e t , c h e c k t h e f o l l o w i n g :
Q
If it is p o s te d
by n e w s g r o u p s t h a t a re s u s p ic io u s , c r o s s c h e c k t h e i n f o r m a t i o n w i t h
a n o th e r source
©
If t h e p e r s o n w h o has p o s te d t h e n e w s is n o t a k n o w n p e r s o n in t h e c o m m u n i t y o r an
e x p e r t , c ro s s c h e c k t h e i n f o r m a t i o n w i t h a n o t h e r s o u r c e
0
If a g o v e r n m e n t b o d y has p o s te d t h e n e w s , t h e p o s tin g s h o u ld also h a v e a r e f e r e n c e t o
th e c o rre s p o n d in g fe d e ra l r e g u la tio n
Q
O n e o f t h e m o s t e f f e c t i v e c h e c k s is t o lo o k u p t h e s u s p e c te d h o a x v i r u s b y n a m e o n
a n t i v i r u s s o f t w a r e v e n d o r sites
Q
If t h e p o s tin g is te c h n ic a l, h u n t f o r sites t h a t w o u l d c a t e r t o t h e t e c h n i c a l i t i e s , a n d t r y t o
a u th e n tic a te th e in fo rm a tio n
Subject: FORWARD THIS W ARNIN G A M O N G FRIENDS, FAMILY AND CONTACTS
PLEASE FORWARD THIS WARNING AM O N G FRIENDS, FAMILY AND CONTACTSI You should be alert during
the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEJING or
'RESIGNATION OF 8ARACK O B A M A , regardless of who sent it to you. It is a virus that opens A
POSTCARD IMAGE, then 'burns' the whole hard C disc of your computer.
This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most
destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this
kind of virus.
This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.
COPY THIS E MAIL, AND SEND IT TO YOUR FRIENDS.REMEMBER: IF YOU SEND IT TO THEM , YOU WILL
BENEFIT ALL OF US.
End-of-mail
Thanks.
FIGURE 7.3: Hoaxes Warning Message
F a k e A n tiv iru s e s
Fake a n tiv ir u s e s is a m e t h o d o f a f f e c t i n g a s y s te m b y h a c k e rs a n d it can p o is o n y o u r
s y s te m a n d o u t b r e a k t h e r e g is t r y a n d s y s te m file s t o a l l o w t h e a t t a c k e r t o t a k e f u ll c o n t r o l a n d
access t o y o u r c o m p u t e r . It a p p e a rs a n d p e r f o r m s s i m i l a r l y t o a real a n t i v i r u s p r o g r a m .
Fake a n t i v i r u s p r o g r a m s f i r s t a p p e a r o n d i f f e r e n t b r o w s e r s a n d w a r n users t h a t t h e y h ave
d i f f e r e n t s e c u r i t y t h r e a t s o n t h e i r s y s te m , a n d t h is m e s s a g e is b a c k e d u p b y r e a l s u s p ic io u s
v iru s e s . W h e n t h e u s e r tr ie s t o r e m o v e t h e v ir u s e s , t h e n t h e y a re n a v ig a te d t o a n o t h e r p age
w h e r e t h e y n e e d t o b u y o r s u b s c r ib e t o t h a t a n t i v i r u s a n d p r o c e e d t o p a y m e n t d e ta ils . T he se
f a k e a n t i v i r u s p r o g r a m s a re b e e n f a b r i c a t e d in s u ch a w a y t h a t t h e y d r a w t h e a t t e n t i o n o f t h e
u n s u s p e c t i n g u s e r i n t o in s t a llin g t h e s o f t w a r e .
S o m e o f t h e m e t h o d s used t o e x t e n d t h e usage a n d in s t a l l a t i o n o f fa k e a n t i v i r u s p r o g r a m s
in c lu d e :
©
E m a il a n d m e s s a g in g : A t t a c k e r s use s p a m e m a il a n d social n e t w o r k i n g m e ss a g e s t o
s p re a d t h is t y p e o f i n f e c t e d e m a il t o users a n d p r o b e t h e u s e r t o o p e n t h e a t t a c h m e n t s
f o r s o f t w a r e i n s t a lla t io n .
M odule 07 Page 1028
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 24. Ethical Hacking and Countermeasures
Viruses and W orm s
Q
Exam 312-50 C ertified Ethical Hacker
Search e n g in e o p tim iz a tio n : A t t a c k e r s g e n e r a t e p ages r e la t e d t o
p u b lic o r c u r r e n t
s e a rch t e r m s a n d p la n t t h e m t o a p p e a r as e x t r a o r d i n a r y a n d t h e la t e s t in s e a rch e n g in e
r e s u lts . T h e w e b p ages s h o w a le rts a b o u t i n f e c t i o n t h a t e n c o u r a g e t h e u s e r t o b u y t h e
fa k e a n tiv ir u s .
Q
C o m p ro m is e d w e b s ite s : A t t a c k e r s s e c r e t l y b r e a k i n t o p o p u l a r sites t o in s ta ll t h e fa k e
a n tiv ir u s e s , w h i c h can be used t o e n tic e users t o d o w n l o a d t h e f a k e a n t i v i r u s b y r e ly in g
o n t h e s ite 's p o p u l a r i t y .
J
a
Protection
a
- acy
׳w
I
P a th
q
0,
'S (י
M
p 0 < *© י#י*יS
« M1 r»
4
Inlrctiom
I
C w » C « C ^ S JN t5 ^ c ^ « U Jr^ 4 ifV * g 0 a 5 7 2
35
SMtWI
FIGURE 7.4: Example of a Fake Antivirus
M odule 07 Page 1029
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 25. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
Virus Analysis: DNSChanger
DNSChanger (Alureon) modifies the DNS
settings on the victim PC to divert
Internet traffic to malicious websites in
order to generate fraudulent ad revenue,
sell fake services, or steal personal
financial information
CEH
J
<W >
It acts as a bot and can be organized into a
BotNet and controlled from a remote
location
J
It spreads through emails, social
engineering tricks, and untrusted
downloads from the Internet
UHU
$
DNSChanger malware achieves the DNS
redirection by modifying the following
registry key settings against a interface
device such as network card
HKEY_LOCAL_MACHINESYSTEMCurrentControl
SetServicesTcpipParameterslnterfaces%Ra
ndom C %NameServer
LSID
t
J
<K >
DNSChanger has received significant
attention due to the large number of
affected systems worldwide and the fact
that as part of the BotNet takedown the FBI
took ownership of the rogue DNS servers to
ensure those affected did not immediately
lose the ability to resolve DNS names
http://www. totaldefense. com
Copyright © by E&Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
V iru s A n a ly sis: D N S C h a n g e r
S o u rc e : h t t p : / / w w w . t o t a l d e f e n s e . c o m
D N S C h a n g e r ( A l u r e o n ) is m a l w a r e t h a t s p re a d s t h r o u g h e m a ils , s o c ia l e n g i n e e r i n g tr i c k s , a nd
u n t r u s t e d d o w n l o a d s f r o m t h e I n t e r n e t . It a cts as a b o t a n d can be o rg a n iz e d i n t o a b o t n e t a nd
c o n t r o l l e d f r o m a r e m o t e l o c a tio n . T his m a l w a r e a c h ie v e s DNS r e d i r e c t i o n b y m o d i f y i n g t h e
s y s te m r e g is t r y k e y s e ttin g s a g a in s t an i n t e r f a c e d e v ic e such as n e t w o r k c a rd .
D N S C h a n g e r has r e c e iv e d s i g n ific a n t a t t e n t i o n d u e t o t h e large n u m b e r o f a f f e c t e d s y s te m s
w o r l d w i d e a n d t h e f a c t t h a t as p a r t o f t h e b o t n e t t a k e d o w n , t h e FBI t o o k o w n e r s h i p o f r o g u e
DNS s e r v e r s t o e n s u r e t h o s e a f f e c t e d d id n o t i m m e d i a t e l y lose t h e a b i l it y t o re s o lv e DNS
n a m e s . T his can e v e n m o d i f y t h e DNS s e ttin g s o n t h e v i c t i m ' s PC t o d i v e r t I n t e r n e t t r a f f i c t o
m a lic io u s w e b s i t e s in o r d e r t o g e n e r a t e f r a u d u l e n t a d r e v e n u e , sell f a k e s e rv ic e s , o r ste al
p e r s o n a l f in a n c ia l i n f o r m a t i o n .
M odule 07 Page 1030
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 26. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
Virus Analysis: DNSChanger
( C o n t ’d )
The rogue DNS servers can exist in any of the following ranges:
L
DNSChanger
64.28.176.0 - 64.28.191.255, 67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255, 93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255, 213.109.64.0 - 213.109.79.255
DNSChanger sniffs the
credential and redirects the
request to real website
Real Website
ww.xrecyritY-tP1
IP: 200.0.0.45
DNSChanger infects victim's
computer by change her DNS IP
address to: 64.28.176.2
Attacker runs DNS Server in
Russia (IP: 64.28.176.2)
http://www. tota!defense,com
Copyright © by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
tout V i r u s A n a l y s i s : D N S C h a n g e r ( C o n t ’d)
’
S o u rc e : h t t p : / / w w w . t o t a l d e f e n s e . c o m
T h e r o g u e DNS s e rv e rs can e x is t in a n y o f t h e f o l l o w i n g ran ge s:
64.28.176.0 - 64.28.191.255 , 67.210.0.0 552.51.012.76 ־
77.67.83.0 - 77.67.83.255 , 93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255 , 213.109.64.0 - 213.109.79.255
M odule 07 Page 1031
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 27. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
W h al is the IP
address of
w w w . *security. corn
©
>
DNSChanger sniffs the
credential and redirects the
request to real website
Fake Website
IP: 65.0.0.2
»
י
Real Website
wvAv.xsecuritv.com
IP: 200.0.0.45
©
DNS Request do
to 64.28.176.2
>
DNSChanger infects victim's
computer by change her DNS IP
address to: 64.28.176.2
©
□
Attacker runs DNS Server in
Russia (IP: 64.28.176.2)
FIGURE 7.5: Virus Analysis Using DNSChanger
T o in f e c t t h e s y s te m a nd s te a l c r e d e n tia ls , t h e a t t a c k e r has t o f i r s t ru n DNS s e rv e r. H e re t h e
a t t a c k e r r u n s his o r h e r D N S s e r v e r in Russia w i t h an IP o f, say, 6 4 .2 8 . 1 7 6 . 2 . N e x t, t h e a t t a c k e r
i n f e c ts t h e v i c t i m ' s c o m p u t e r by c h a n g in g his o r h e r DNS IP a d d re s s t o : 6 4 .2 8 .1 7 6 .2 . W h e n th is
m a l w a r e has i n f e c t e d t h e s y s te m , it e n t i r e l y c h a n g e s t h e DNS s e ttin g s o f t h e i n f e c t e d m a c h in e
a n d fo r c e s all t h e DNS r e q u e s t t o g o t o t h e D N S s e rv e r ru n b y t h e a tta c k e r . A f t e r a lt e r in g th e
s e t t i n g o f t h e DNS, a n y r e q u e s t t h a t is m a d e b y t h e s y s te m is s e n t t o t h e m a l i c io u s DNS s e r v e r .
H e re , t h e
v ic tim
sent
DNS
Request
״w h a t
is t h e
IP a d d re s s
o f w w w .x s e c u rity .c o m ״
to
( 6 4 .2 8 .1 7 6 .2 ). T h e a t t a c k e r g a v e a re s p o n s e t o t h e r e q u e s t as w w w . x s e c u r i t v . c o m . w h i c h is
l o c a te d a t 6 5 .0 .0 .2 . W h e n v i c t i m ' s b r o w s e r c o n n e c t s t o 6 5 .0 .0 .2 , it r e d ir e c ts h im o r h e r t o a fa k e
w e b s i t e c r e a te d b y t h e a t t a c k e r w i t h IP: 6 5 .0 .0 .2 . D N S C h a n g e r s n iffs t h e c r e d e n t i a l (u s e r n a m e ,
p a s s w o r d s ) a n d r e d ir e c ts t h e r e q u e s t t o real w e b s i t e (w w w . x s e c u r i t y . c o m ) w i t h IP: 2 0 0 .0 .0 .4 5 .
M odule 07 Page 1032
Ethical Hacking and C ounterm easures Copyright © by EC-C0l1nCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 28. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
M odule Flow
CEH
V iru s and
W orm s
C on cep ts
C o m p uter
W orm s
P en etratio n
Testing
C ounter•
m easures
M a lw a re
Analysis
Copyright © by E&Caincil. All Rights Reserved. Reproduction is Strictly Prohibited.
■ = || M o d u l e F l o w
P r io r t o th is , w e h a v e d is cu sse d a b o u t v iru s e s a n d w o r m s . N o w w e w i ll discuss a b o u t
d i f f e r e n t ty p e s o f viru s e s .
V iru s a n d W o rm s C o nc e p t
i •
y
—
v׳
C
X
M a lw a r e A nalysis
T y p e s o f V ir u s e s
C o m p u te r W o rm s
C o u n te rm e a s u re s
^
)
P e n e tra tio n T es tin g
—
This s e c tio n d e s c r ib e s a b o u t d i f f e r e n t ty p e s o f V iru se s.
M odule 07 Page 1033
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 29. Ethical Hacking and Countermeasures
Viruses and W orm s
System or
Boot Sector
Viruses
Exam 312-50 C ertified Ethical Hacker
Stealth Virus/
Tunneling
Virus
Cluster
Viruses
Encryption
Polymorphic
Metamorphic
Sparse
Infector
Virus
Direct Action
or Transient
Multipartite
T y p e s of V iru se s
So fa r, w e h a v e d iscu ss e d v a r io u s v ir u s a n d w o r m
c o n c e p ts . N o w w e w ill discuss
v a r io u s t y p e s o f viru s e s .
T his s e c tio n h ig h lig h ts v a r io u s ty p e s o f v iru s e s a n d w o r m s such as file a n d m u l t i p a r t i t e v ir u s e s ,
m a c r o v iru s e s , c lu s t e r viru s e s , s t e a l t h / t u n n e l i n g
v iru s e s , e n c r y p t i o n
v iru s e s , m e t a m o r p h i c
v iru s e s , shell viru s e s , a n d so o n . C o m p u t e r v iru s e s a re t h e m a l i c io u s s o f t w a r e p r o g r a m s w r i t t e n
by a t ta c k e r s t o i n t e n t i o n a l l y e n t e r t h e t a r g e t e d s y s te m w i t h o u t t h e u s e r 's p e r m i s s i o n . As a
re s u lt, t h e y a f f e c t t h e s e c u r it y s y s te m a n d p e r f o r m a n c e o f t h e m a c h in e . A f e w o f t h e m o s t
c o m m o n ty p e s o f c o m p u t e r v iru s e s t h a t a d v e r s e l y a f f e c t s e c u r it y s y s te m s a re d iscu s se d in
d e ta il o n t h e f o l l o w i n g slides.
T y p e s of V iru se s
V iru s e s a re cla s s ifie d d e p e n d i n g o n t w o c a te g o r ie s :
Q
W h a t Do T h e y In fe c t?
©
H o w Do T h e y In fe c t?
M odule 07 Page 1034
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 30. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
W hat Do They In fe ct?
System or Boot Sector V iruses
_
f*.
T h e m o s t c o m m o n t a r g e t s f o r a v iru s a re t h e s y s te m s e c to rs , w h i c h a re n o t h i n g b u t
t h e M a s t e r B o o t R e c o rd a n d t h e DOS B o o t R e c o rd S y s t e m s e c to r s . T h e s e a re t h e a re a s o n th e
d isk t h a t are e x e c u t e d w h e n t h e PC is b o o t e d . E ve ry d isk has a s y s te m s e c to r o f s o m e s o rt. T h e y
s p e c ia lly in f e c t t h e f l o p p y b o o t s e c to r s a n d r e c o r d s o f t h e h a rd disk. For e x a m p le : Disk K iller
a n d S to n e v iru s .
F ile V iruses
E x e c u ta b le file s a re i n f e c t e d b y file v iru s e s , as t h e y i n s e r t t h e i r c o d e i n t o t h e o r ig in a l
file a n d g e t e x e c u te d . File v iru s e s a re la r g e r in n u m b e r , b u t t h e y a re n o t t h e m o s t c o m m o n l y
f o u n d . T h e y i n f e c t in a v a r i e t y o f w a y s a n d can be f o u n d in a la rg e n u m b e r o f file ty p e s .
M u ltip a rtite V irus
T h e y i n f e c t p r o g r a m file s, a n d t h is f ile in t u r n a ffe c ts t h e b o o t s e c to r s su ch as In v a d e r ,
Flip, a n d T e q u ila .
C lu ste r V iruses
C lu s te r v iru s e s i n f e c t file s w i t h o u t c h a n g in g t h e f ile o r p la n t in g e x tr a file s ; t h e y c h a n g e
t h e DOS d i r e c t o r y i n f o r m a t i o n so t h a t e n t r i e s p o i n t t o t h e v ir u s c o d e in s te a d o f t h e a c tu a l
p ro g ra m .
M acro V irus
M i c r o s o f t W o r d o r a s i m i l a r a p p li c a t i o n can be i n f e c t e d t h r o u g h a c o m p u t e r v iru s
c a lle d a m a c r o v iru s , w h i c h a u t o m a t i c a l l y p e r f o r m s a s e q u e n c e o f a c tio n s w h e n t h e
a p p li c a t i o n is t r i g g e r e d o r s o m e t h i n g else. M a c r o v iru s e s a re s o m e w h a t less h a r m f u l t h a n o t h e r
ty p e s . T h e y a re u s u a lly s p re a d via an e m a il.
How Do They In fe ct?
־־
׳
■
Stealth V iruses
T h e se v iru s e s t r y t o h id e t h e m s e l v e s f r o m a n t i v i r u s p r o g r a m s b y a c t i v e l y a l t e r i n g a n d
c o r r u p t i n g t h e c h o s e n s e rv ic e call i n t e r r u p t s w h e n t h e y a re b e in g ru n . R e q u e s ts t o p e r f o r m
o p e r a t i o n s in r e s p e c t t o th e s e se rv ic e call i n t e r r u p t s a re r e p la c e d by v iru s c o d e . T h e se v iru s e s
s ta te fa lse i n f o r m a t i o n t o h id e t h e i r p r e s e n c e f r o m a n t i v i r u s p r o g r a m s . For e x a m p le , t h e s te a lth
v ir u s h id e s t h e o p e r a t i o n s t h a t it m o d i f i e d a n d g ive s fa ls e r e p r e s e n t a t i o n s . T hus, it ta k e s o v e r
p o r t i o n s o f t h e t a r g e t s y s te m a nd h id e s its v i r u s c o d e .
Life:־
T u n n elin g V iruses
T h e s e v ir u s e s t r a c e t h e s te p s o f i n t e r c e p t o r p r o g r a m s t h a t m o n i t o r o p e r a t i n g s y s te m
r e q u e s ts so t h a t t h e y g e t i n t o BIOS a n d DOS t o in s ta ll th e m s e lv e s . T o p e r f o r m t h is a c tiv it y , t h e y
even tu n n e l u n d e r a n tiv iru s s o ftw a re p ro g ra m s.
M odule 07 Page 1035
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 31. Ethical Hacking and Counterm easures
Viruses and W orm s
c_ —
Exam 312-50 C ertified Ethical Hacker
E n cry p tio n V iruses
T his t y p e o f v ir u s c o n s is ts o f an e n c r y p t e d c o p y o f t h e v iru s a n d a d e c r y p t i o n m o d u l e .
T h e d e c r y p t i n g m o d u l e r e m a in s c o n s t a n t , w h e r e a s t h e d i f f e r e n t keys a re u sed f o r e n c r y p t i o n .
iri)
, ״ ״
P o ly m o rp h ic V iruses
T h e s e v iru s e s w e r e d e v e lo p e d t o c o n f u s e a n t i v i r u s p r o g r a m s t h a t scan f o r v iru s e s in
t h e s y s te m . It is d i f f i c u l t t o t r a c e t h e m , since t h e y c h a n g e t h e i r c h a r a c te r is t ic s e a ch t i m e t h e y
in f e c t, e.g., e v e r y c o p y o f t h is v ir u s d if f e r s f r o m its p r e v io u s o n e . V i r u s d e v e l o p e r s h a v e e v e n
c r e a t e d m e t a m o r p h i c e n g in e s a n d v ir u s w r i t i n g t o o l k its t h a t m a k e t h e c o d e o f an e x is t in g v ir u s
lo o k d i f f e r e n t f r o m o t h e r s o f its k in d .
M e ta m o rp h ic V iruses
A c o d e t h a t can r e p r o g r a m it s e lf is c a lle d m e t a m o r p h i c c o d e . T his c o d e is t r a n s l a t e d
i n t o t h e t e m p o r a r y c o d e , a n d t h e n c o n v e r t e d b a ck t o t h e n o r m a l c o d e . T his t e c h n i q u e , in w h i c h
t h e o rig in a l a l g o r i t h m r e m a in s in t a c t, is u sed t o a v o id p a t t e r n r e c o g n i t i o n o f a n t i v i r u s s o f t w a r e .
T his is m o r e e f f e c t i v e in c o m p a r i s o n t o p o l y m o r p h i c c o d e . T his t y p e o f v iru s c o n s is ts o f c o m p le x
e x te n s iv e c o d e .
O v erw ritin g F ile or C avity V iruses
S o m e p r o g r a m file s h a v e a re as o f e m p t y space. T his e m p t y sp ace is t h e m a in t a r g e t o f
th e s e viru s e s . T h e C a v i t y V ir u s , also k n o w n as t h e S pace F ille r V ir u s , s to r e s its c o d e in th is
e m p t y space. T h e v ir u s in s ta lls it s e lf in th is u n o c c u p ie d sp ace w i t h o u t a n y d e s t r u c t io n t o t h e
o rig in a l c o d e . It in s ta lls it s e lf in t h e file it a t t e m p t s t o in f e c t.
S parse In fec to r V iruses
a®
A sp arse i n f e c t o r v iru s i n f e c ts o n l y o c c a s i o n a l l y (e.g., e v e r y t e n t h p r o g r a m e x e c u te d )
o r o n l y file s w h o s e le n g t h s fa ll w i t h i n a n a r r o w ra n g e .
C o m p an io n V iruses
T h e c o m p a n i o n v ir u s s to re s it s e lf b y h a v in g t h e i d e n t i c a l f i l e n a m e as t h e t a r g e t e d
p r o g r a m file . As s o o n as t h a t f ile is e x e c u t e d , t h e v ir u s in f e c ts t h e c o m p u t e r , a nd h a r d d is k d a ta
is m o d if ie d .
C am o u flag e V iruses
^
W
-------- T h e y d is g u is e t h e m s e l v e s as g e n u in e a p p li c a t i o n s
o f t h e user. T he se v iru s e s a re n o t
d i f f i c u l t t o f i n d since a n t i v i r u s p r o g r a m s h a v e a d v a n c e d t o t h e p o i n t w h e r e such v iru s e s are
e a sily t r a c e d .
Shell V iruses
_____
T his v ir u s c o d e f o r m s a la y e r a r o u n d t h e t a r g e t h o s t p r o g r a m 's c o d e t h a t can be
M odule 07 Page 1036
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 32. Ethical Hacking and Counterm easures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
c o m p a r e d t o an " e g g s h e l l / ׳m a k in g i t s e lf t h e o rig in a l p r o g r a m a n d t h e h o s t c o d e its s u b r o u t i n e . H e re , t h e o rig in a l c o d e is m o v e d t o a n e w l o c a t io n by t h e v ir u s c o d e a n d t h e v i r u s
a s s u m e s its i d e n t it y .
F ile E xtension V iru ses
F.
File e x t e n s i o n v ir u s e s c h a n g e t h e e x te n s io n s o f file s ; .TXT is safe, as it in d ic a te s a p u r e
t e x t file . If y o u r c o m p u t e r 's f i l e e x t e n s i o n s v i e w is t u r n e d o f f a n d s o m e o n e s e n d s y o u a file
n a m e d BA D .T X T .V B S , y o u w i ll see o n l y B A D .TXT.
> '« f| Add -on V iru ses
M o s t v iru s e s a re a d d - o n v iru s e s . T his t y p e o f v ir u s a p p e n d s its c o d e t o t h e b e g in n in g
o f t h e h o s t c o d e w i t h o u t m a k in g a n y c h a n g e s t o t h e l a t t e r . T hu s , t h e v ir u s c o r r u p t s t h e s t a r t u p
i n f o r m a t i o n o f t h e h o s t c o d e , a n d places it s e lf in its p la ce, b u t it d o e s n o t t o u c h t h e h o s t c o d e .
H o w e v e r , t h e v iru s c o d e is e x e c u t e d b e f o r e t h e h o s t c o d e . T h e o n l y in d i c a t i o n t h a t t h e file is
c o r r u p t e d is t h a t t h e size o f t h e file has in c re a s e d .
In tru siv e V iruses
־־
T his f o r m o f v ir u s o v e r w r i t e s its c o d e e i t h e r b y c o m p l e t e l y r e m o v i n g t h e t a r g e t h o s t's
p r o g r a m c o d e , o r s o m e t i m e s it o n l y o v e r w r i t e s p a r t o f it. T h e r e f o r e , t h e o rig in a l c o d e is n o t
e x e c u te d p r o p e r ly .
D irec t A ction or T ra n sie n t V iruses
T r a n s fe r s all c o n t r o l s t o t h e h o s t c o d e w h e r e it reside s, se le c ts t h e t a r g e t p r o g r a m t o
be m o d if ie d , a nd c o r r u p t s it.
=—
T e rm in a te a n d Stay R e sid en t V iru ses (TSRs)
ffr
A TSR v i r u s r e m a in s p e r m a n e n t l y in m e m o r y d u r in g t h e e n t i r e w o r k se ssio n, e v e n
a f t e r t h e t a r g e t h o s t p r o g r a m is e x e c u te d a n d t e r m i n a t e d . It can be r e m o v e d o n l y b y r e b o o t i n g
t h e s y s te m .
M odule 07 Page 1037
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 33. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
System or Boot Sector Viruses CEH
Boot Sector Virus
Boot sector virus moves MBR to
another location on the hard disk
and copies itself to the original
location of MBR
Execution
©
o
When system boots, virus
code is executed first and then
control is passed to original
MBR
Before Infection
After Infection
Virus Code
MBR
Copyright © by E&
Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
S y s te m o r B oot S e c to r V iru s e s
m
S y s te m s e c t o r v iru s e s can be d e f i n e d as t h o s e t h a t a f f e c t t h e e x e c u t a b l e c o d e o f t h e
disk, r a t h e r t h a n t h e b o o t s e c t o r v ir u s t h a t a ffe c ts t h e DOS b o o t s e c t o r o f t h e disk. A n y s y s te m
is d iv i d e d i n t o a reas, c a lle d s e c to rs , w h e r e t h e p r o g r a m s a re s to r e d .
T h e t w o ty p e s o f s y s te m s e c to r s are:
Q
M B R ( M a s te r B o o t R ecord)
M BR s a re t h e m o s t v i r u s - p r o n e z o n e s b e c a u s e if t h e M B R is c o r r u p t e d , all d a ta w i ll be
lost.
0
DBR (DO S B o ot R ecord)
T h e DOS b o o t s e c t o r is e x e c u t e d w h e n e v e r t h e s y s te m is b o o t e d . T his is t h e c r u c ia l
p o i n t o f a t t a c k f o r viru s e s .
T h e s y s te m s e c t o r co n s is ts o f 5 1 2 b y t e s o f m e m o r y . Because o f th is , s y s te m s e c t o r v iru s e s
c o n c e a l t h e i r c o d e in s o m e o t h e r d isk space. T h e m a in c a r r i e r o f s y s te m s e c t o r v iru s e s is t h e
f l o p p y disk. T h e se v iru s e s g e n e r a lly re s id e in t h e m e m o r y . T h e y can also be c a u se d b y T ro ja n s .
S o m e s e c t o r v iru s e s also s p re a d t h r o u g h i n f e c t e d file s , a n d t h e y a re ca lle d m u l t i p a r t v iru s e s .
M odule 07 Page 1038
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 34. Ethical Hacking and Countermeasures
Viruses and W orm s
1
Exam 312-50 C ertified Ethical Hacker
Virus Rem oval
S y s te m s e c t o r v iru s e s a re d e s ig n e d t o c r e a te t h e illu s io n t h a t t h e r e is n o v ir u s o n t h e
s y s te m . O n e w a y t o d ea l w i t h t h is v ir u s is t o a v o id t h e use o f t h e W i n d o w s o p e r a t i n g
s y s t e m , a n d s w it c h t o L in ux o r M a cs, b e c a u s e W i n d o w s is m o r e p r o n e t o th e s e a tta c k s . L inux
a n d M a c i n t o s h h a v e a b u i l t - i n s a f e g u a r d t o p r o t e c t a g a in s t th e s e v iru s e s . T h e o t h e r w a y is t o
c a r r y o u t a n t i v i r u s ch e c k s o n a p e r io d ic basis.
Before Infection
G
After Infection
V
O
Virus Code
FIGURE 7.6: System or Boot Sector Viruses
M odule 07 Page 1039
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 35. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
File and Multipartite Viruses
CEH
F ile a n d M u ltip a rtite V iru s e s
F ile Viruses
File v iru s e s i n f e c t file s t h a t a re e x e c u te d o r i n t e r p r e t e d in t h e s y s te m such as C O M , EXE,
SYS, OVL, OBJ, PRG, M N U , a n d BAT file s. File v iru s e s can be e i t h e r d i r e c t - a c t i o n ( n o n - r e s i d e n t )
o r m e m o r y - r e s i d e n t . O v e r w r i t i n g v iru s e s ca use i r r e v e r s i b l e d a m a g e t o t h e files. T h e s e v iru s e s
m a i n l y t a r g e t a r a n g e o f o p e r a t i n g s y s te m s t h a t in c lu d e W i n d o w s , UNIX, DOS, a n d M a c i n t o s h .
C h a ra c te riz in g F ile V iruses
File v iru s e s a re
m a i n l y c h a r a c te r iz e d
and
d e s c r ib e d
b ase d
on
th e ir
p h ysica l
b e h a v io r o r
c h a r a c te r is t ic s . T o cla ssify a file v ir u s is b y t h e t y p e o f file t a r g e t e d by it, such as EXE o r C O M
file s, t h e b o o t s e c to r , e tc. A f ile v ir u s can also be c h a r a c t e r iz e d b ase d o n h o w it i n f e c ts t h e
t a r g e t e d file (also k n o w n as t h e h o s t files):
Q
P re p e n d in g : w r i t e s it s e lf i n t o t h e b e g in n in g o f t h e h o s t file 's c o d e
Q
A p p e n d in g : w r i t e s it s e lf t o t h e e n d o f t h e h o s t file
©
O v e rw ritin g : o v e r w r i t e s t h e h o s t file 's c o d e w i t h its o w n c o d e
Q
In s ertin g : in s e rts it s e lf i n t o gaps in s id e t h e h o s t file 's c o d e
M odule 07 Page 1040
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 36. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
©
C o m p a n io n : r e n a m e s t h e o rig in a l f ile a n d w r i t e s it s e lf w i t h t h e h o s t file 's n a m e
©
C av ity in fe c to r: w r i t e s it s e lf b e t w e e n file s e c tio n s o f 3 2 - b i t file
File v iru s e s a re also cla ssifie d b ase d o n w h e t h e r t h e y a re n o n - m e m o r y r e s i d e n t o r m e m o r y
r e s id e n t. N o n - m e m o r y r e s i d e n t v iru s e s s e a rch f o r EXE fi l e s o n a h a r d d r iv e a n d t h e n i n f e c t
t h e m , w h e r e a s m e m o r y r e s i d e n t v iru s e s sta ys a c tiv e ly in m e m o r y , a n d t r a p o n e o r m o r e s y s te m
f u n c t io n s . File v iru s e s a re said t o be p o l y m o r p h i c , e n c r y p t e d , o r n o n - e n c r y p t e d . A p o l y m o r p h i c
o r e n c r y p t e d v ir u s c o n t a in s o n e o r m o r e d e c r y p t o r s a n d a m a in co d e . M a i n v ir u s c o d e is
d e c r y p t e d b y t h e d e c r y p t o r b e f o r e i t s ta rts . A n e n c r y p t e d v ir u s u s u a lly uses v a r ia b le o r fi x e d k e y d e c r y p t o r s , w h e r e a s p o l y m o r p h i c v iru s e s h a ve d e c r y p t o r s t h a t a re r a n d o m l y g e n e r a t e d
f r o m i n s t r u c t i o n s o f p r o c e s s o rs a n d t h a t c o n s is t o f a l o t o f c o m m a n d s t h a t a re n o t used in t h e
d e c r y p t i o n p ro c e s s .
E xecu tio n o f P aylo ad:
©
©
T im e b o m b : A f t e r a s p e c ifie d p e r io d o f t i m e
©
Q
D ir e c t a c tio n : I m m e d i a t e l y u p o n e x e c u t io n
C o n d i t i o n t r ig g e r e d : O n ly u n d e r c e r ta in c o n d it io n s
M ultip artite Viruses
A m u l t i p a r t i t e v ir u s is also k n o w n as a m u l t i - p a r t v i r u s t h a t a t t e m p t s t o a t t a c k b o t h
t h e b o o t s e c t o r a n d t h e e x e c u ta b le o r p r o g r a m file s a t t h e s a m e t i m e . W h e n r g w v ir u s is
a t t a c h e d t o t h e b o o t s e c to r , it w i ll in t u r n a f f e c t t h e s y s te m file s , a n d t h e n t h e v ir u s a tta c h e s t o
t h e file s, a n d t h is t i m e it w ill in t u r n i n f e c t t h e b o o t s e c to r .
FIGURE 7.7: File and Multipartite Viruses
M odule 07 Page 1041
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 37. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
CEH
M a c r o V ir u s e s
14
Urt fw
ilhiul lUtbM
0
0
11.
Infects Macro Enabled Documents
0
Attacker
User
0
r
0
0
ץ
0 Macro viruses infect
templates or convert
infected documents
into template files,
while maintainingtheir
appearance of ordinary
documentfiles
0 Most macro viruses are
written using macro
language Visual Basic
for Applications (VBA)
r
V
0
0
0
0
Copyright © by E -CIllicit Al 1Rights Reserved. Reproduction is Strictly Prohibited.
Ca
M a c ro V iru se s
M i c r o s o f t W o r d o r s i m i l a r a p p li c a t i o n s can be i n f e c t e d t h r o u g h a c o m p u t e r v i r u s
c a lle d m a c r o v iru s , w h i c h a u t o m a t i c a l l y p e r f o r m s a s e q u e n c e o f a c tio n s w h e n t h e a p p li c a t i o n is
t r i g g e r e d o r s o m e t h i n g else. M o s t m a c r o v iru s e s a re w r i t t e n u s in g t h e m a c r o la n g u a g e V is u a l
Basic f o r A p p l i c a t i o n s (V B A ) a n d t h e y i n f e c t t e m p l a t e s o r c o n v e r t i n f e c t e d d o c u m e n t s i n t o
t e m p l a t e file s, w h i l e m a i n t a i n in g t h e i r a p p e a r a n c e o f o r d i n a r y d o c u m e n t file s. M a c r o v ir u s e s
a re s o m e w h a t less h a r m f u l t h a n o t h e r ty p e s . T h e y a re u s u a lly s p re a d via an e m a il. P ure d a ta
file s d o n o t a l l o w t h e s p re a d o f v iru s e s , b u t s o m e t i m e s t h e lin e b e t w e e n a d a ta f ile a n d an
e x e c u t a b l e f i l e is e a sily o v e r l o o k e d by t h e a v e r a g e u se r d u e t o t h e e x te n s iv e m a c r o la n g u a g e s
in s o m e p r o g r a m s . In m o s t cases, j u s t t o m a k e t h in g s easy f o r users, t h e lin e b e t w e e n a d a ta file
a n d a p r o g r a m s ta r t s t o b lu r o n l y in cases w h e r e t h e d e f a u l t m a c r o s a re s e t t o ru n a u t o m a t i c a l l y
e v e r y t i m e t h e d a ta file is lo a d e d . V ir u s w r i t e r s can e x p l o i t c o m m o n p r o g r a m s w i t h m a c r o
c a p a b i l it y such as M i c r o s o f t W o r d , Excel, a n d o t h e r O ffic e p r o g r a m s . W i n d o w s H e lp file s can
also c o n t a i n m a c r o c o d e . In a d d it io n , t h e la t e s t e x p l o i t e d m a c r o c o d e e xists in t h e fu ll v e r s io n o f
t h e A c r o b a t p r o g r a m t h a t re a d s a n d w r i t e s PDF files.
M odule 07 Page 1042
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 38. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
Infects M acro Enabled Documents
Attacker
User
FIGURE 7.8: Macro Viruses
M odule 07 Page 1043
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 39. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
C EH
C lu s te r V ir u s e s
C luster V iruses
J
a
Cluster viruses modify directory table entries so that it
points users or system processes to the virus code instead
of the actual program
: בI ■ ■ ■
] * :ן
V iru s Copy
J
There is only one copy of the virus on the disk infecting
all the programs in the computer system
Launch Its e lf
J
It will launch itself first when any program on the
computer system is started and then the control is
passed to actual program
Copyright © by EC auactl. All Rights Reserved. Reproduction is Strictly Prohibited
-C
C lu s te r V iru se s
C lu s te r v iru s e s in f e c t file s w i t h o u t c h a n g in g t h e file o r p la n t in g e x tr a file s t h e y c h a n g e
t h e DOS d i r e c t o r y i n f o r m a t i o n so t h a t e n t r i e s p o i n t t o t h e v ir u s c o d e in s te a d o f t h e a c tu a l
p r o g r a m . W h e n a p r o g r a m r u n s DOS, it f i r s t lo a d s a n d e x e c u te s t h e v iru s c o d e , a n d t h e n t h e
v ir u s lo c a te s t h e a c tu a l p r o g r a m a n d e x e c u te s it. D ir-2 is an e x a m p le o f t h is t y p e o f v iru s .
C lu s te r v iru s e s m o d i f y d i r e c t o r y t a b l e e n t r i e s so t h a t d i r e c t o r y e n t r i e s p o i n t t o t h e v ir u s c o d e .
T h e r e is o n l y o n e c o p y o f t h e v ir u s o n t h e d is k i n f e c t i n g all t h e p r o g r a m s in t h e c o m p u t e r
s y s te m . It w i ll la u n c h i t s e lf f i r s t w h e n a n y p r o g r a m o n t h e c o m p u t e r s y s te m is s t a r t e d a n d t h e n
t h e c o n t r o l is p assed t o t h e a c tu a l p r o g r a m .
M odule 07 Page 1044
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 40. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
S te a lth /T u n n e lin g V ir u s e s
CEH
These viruses evade the anti-virus software by intercepting its requests
to the operating system
A virus can hide itself by intercepting the anti-virus software's request to
read the file and passingthe request to the virus, instead of the OS
The virus can then return an uninfected version of the file to the antivirus software, so that it appears as if the file is "clean"
Hides Infected
TCPIP.SYS
i f
Here you go
Original TCPIP.SYS
Copyright © by EC auactl. All Rights Reserved. Reproduction is Strictly Prohibited.
-C
S te a lth /T u n n e lin g V iru se s
I
S te a lth V ir u s e s
T h e s e v iru s e s t r y t o h id e t h e m s e l v e s f r o m a n t i v i r u s p r o g r a m s by a c tiv e ly a lt e r in g a nd
c o r r u p t i n g t h e c h o s e n s e rv ic e call i n t e r r u p t s w h e n t h e y a re b e in g ru n . R e q u e s ts t o p e r f o r m
o p e r a t i o n s in r e s p e c t t o th e s e se rv ic e call i n t e r r u p t s a re r e p la c e d by v iru s c o d e . T h e se v iru s e s
s ta te fa lse i n f o r m a t i o n t o h id e t h e i r p r e s e n c e f r o m a n t i v i r u s p r o g r a m s . For e x a m p le , t h e s t e a l t h
v i r u s h id e s t h e o p e r a t i o n s t h a t it m o d i f i e d a n d g ive s fa ls e r e p r e s e n t a t i o n s . T hu s, it ta k e s o v e r
p o r t i o n s o f t h e t a r g e t s y s te m a nd h id e s its v ir u s co d e .
T h e s t e a lt h v iru s h id e s it s e lf f r o m a n t i v i r u s s o f t w a r e by h id in g t h e o rig in a l size o f t h e file o r
t e m p o r a r i l y p la c in g a c o p y o f it s e lf in s o m e o t h e r d r iv e o f t h e s y s te m , t h u s r e p la c in g t h e
i n f e c t e d file w i t h t h e u n i n f e c t e d file t h a t is s t o r e d o n t h e h a r d d riv e .
A s t e a lt h v ir u s h id e s t h e m o d if ic a t i o n s t h a t it m a k e s . It ta k e s c o n t r o l o f t h e s y s te m 's f u n c t io n s
t h a t re a d file s o r s y s te m s e c to r s a n d , w h e n a n o t h e r p r o g r a m r e q u e s ts i n f o r m a t i o n t h a t has
a lr e a d y b e e n m o d i f i e d by t h e v iru s , t h e s t e a l t h v i r u s r e p o r t s t h a t i n f o r m a t i o n t o t h e r e q u e s t i n g
p r o g r a m in s te a d . T his v ir u s a lso re s id e s in t h e m e m o r y .
T o a v o id d e t e c t i o n , th e s e v iru s e s a lw a y s t a k e o v e r s y s te m f u n c t i o n s a n d use t h e m t o h id e t h e i r
p re s e n c e .
M odule 07 Page 1045
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 41. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
O n e o f t h e c a rr ie r s o f t h e s t e a lth v ir u s is t h e r o o t k i t . In s ta llin g a r o o t k i t g e n e r a l l y r e s u lts in t h is
v ir u s a t t a c k b e c a u s e r o o t k i t s a re in s t a lle d via T ro ja n s , a n d t h u s a re c a p a b le o f h id in g a n y
m a lw a re .
R e m o v a l:
Q
A lw a y s d o a c o ld b o o t ( b o o t f r o m w r i t e - p r o t e c t e d f l o p p y d isk o r CD)
©
N e v e r use DOS c o m m a n d s such as FDISK t o fix t h e v iru s
e
Use a n t i v i r u s s o f t w a r e
/
Tunneling Viruses
T h e s e v iru s e s t r a c e t h e s te p s o f i n t e r c e p t o r p r o g r a m s t h a t m o n i t o r o p e r a t i n g s y s t e m
r e q u e s ts so t h a t t h e y g e t i n t o BIOS a n d DOS t o in s ta ll th e m s e lv e s . To p e r f o r m th is a c tiv it y , t h e y
even tu n n e l u n d e r a n tiv iru s s o ftw a re p ro g ra m s.
Give me the system file
tcpip.syi to icon
Anti-virus
Software
Hides Infected
TCPIP.SYS
*
VIRUS
Here you go
Original TCPIP.SYS
FIGURE 7.9: Working of Stealth/Tunneling Viruses
M odule 07 Page 1046
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 42. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
CEH
E n c r y p tio n V ir u s e s
־׳י
י
This type of virus uses simple
encryption to encipher the code
Virus Code
V
r
The virus is encrypted with
a different key for each
infected file
V.
AV scanner cannot directly
detect these types of
viruses using signature
detection methods
ץ
Encryption
Virus 2
Encryption
Virus 3
-/
Copyright © by E&
Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
E n c ry p tio n V iru se s
T his t y p e o f v ir u s co n s is ts o f an e n c r y p t e d c o p y o f t h e v iru s a nd a d e c r y p t i o n m o d u l e .
T h e d e c r y p t i n g m o d u l e r e m a in s c o n s t a n t , w h e r e a s t h e d i f f e r e n t keys a re u sed f o r e n c r y p t i o n .
T h e s e v iru s e s g e n e r a l l y e m p l o y XO R o n e a ch b y te w i t h a r a n d o m i z e d key.
©
T h e v ir u s is e n c i p h e r e d w i t h an e n c r y p t i o n k e y t h a t co n s is ts o f a d e c r y p t i o n m o d u l e a nd
an e n c r y p t e d c o p y o f t h e c o d e .
Q
For e a ch i n f e c t e d file , t h e v ir u s is e n c r y p t e d b y u sin g a d i f f e r e n t c o m b i n a t i o n o f keys,
b u t t h e d e c r y p t i n g m o d u l e p a r t r e m a in s u n c h a n g e d .
It is n o t
p o s s ib le f o r t h e v ir u s s c a n n e r t o
d ir e c t ly
d e te c t th e
v ir u s
by m e a n s o f
s ig n a t u r e s , b u t t h e d e c r y p t i n g m o d u l e ca n be d e t e c t e d .
e
T h e d e c r y p t i o n t e c h n i q u e e m p lo y e d is x o r e a ch b y te w i t h a r a n d o m i z e d ke y t h a t is
g e n e r a t e d a n d sa ved b y t h e r o o t v iru s .
M odule 07 Page 1047
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 43. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
Virus Code
Encryption
Virus 1
Encryption
Virus 2
Encryption
Virus B
FIGURE 7.10: Working of Encryption Viruses
M odule 07 Page 1048
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 44. Ethical Hacking and Counterm easures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
CEH
P o ly m o r p h ic C o d e
J
Polymorphic code is a code that mutates while keeping the original algorithm intact
J
To enable polymorphic code, the virus has to have a polymorphic engine (also called
mutating engine or mutation engine
J
A well-written polymorphic virus therefore has no parts that stay the same on each
infection
39Encrypted Mutation
Engine
Encrypted Virus
Code
Decryptor Routine
............
Decryptor
routine decrypts
virus code and
mutation engine
New Polymorphic
Virus
User Runs an
Infected Program
RAM
Copyright © by E&Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
P o ly m o rp h ic C o d e
P o l y m o r p h ic v iru s e s m o d i f y t h e i r c o d e f o r e a ch r e p li c a t i o n in o r d e r t o a v o i d d e t e c t i o n .
T h e y a c c o m p lis h t h is b y c h a n g in g t h e e n c r y p t i o n m o d u l e a nd t h e i n s t r u c t i o n s e q u e n c e . A
r a n d o m n u m b e r g e n e r a t o r is used f o r i m p l e m e n t i n g p o l y m o r p h i s m .
A m u t a t i o n e n g in e is g e n e r a l l y used t o e n a b le p o l y m o r p h i c c o d e . T h e m u t a t o r p r o v id e s a
s e q u e n c e o f i n s t r u c t i o n s t h a t a v i r u s s c a n n e r can use t o o p t i m i z e an a p p r o p r i a t e d e t e c t i o n
a lg o r i t h m . S lo w p o l y m o r p h i c c o d e s a re u sed t o p r e v e n t a n t i v i r u s p r o f e s s i o n a l s f r o m accessing
th e codes.
V ir u s s a m p le s , w h i c h a re b a it file s a f t e r a s ing le e x e c u t i o n is i n f e c t e d , c o n t a i n a s i m i l a r c o p y o f
t h e viru s . A s im p le i n t e g r i t y c h e c k e r is used t o d e t e c t t h e p r e s e n c e o f a p o l y m o r p h i c v iru s in th e
s y s te m 's disk.
M odule 07 Page 1049
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 45. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
Encrypted Mutation
Engine (EME)
ncrypted M utation
j יEncry
Engine
i I
A
©
Encrypted Virus
Code
I
Decryptor Routine
A
Instruct to •
0
i
• Instruct to
Decryptor
routine decrypts
virus code and
mutation engine
New Polymorphic
*
©
Virus Does the Damage
User Runs an
Infected Program
Virus
RAM
FIGURE 7.11: How Polymorphic Code Work
P o l y m o r p h ic v iru s e s c o n s is t o f t h r e e c o m p o n e n t s . T h e y a re t h e e n c r y p t e d v i r u s c o d e , t h e
d e c r y p t o r r o u t i n e , a n d t h e m u t a t i o n e n g in e . T h e f u n c t i o n o f t h e d e c r y p t o r r o u t i n e is t o d e c r y p t
t h e v ir u s c o d e . It d e c r y p t s t h e c o d e o n l y a f t e r t a k i n g c o n t r o l o v e r t h e c o m p u t e r . T h e m u t a t i o n
e n g in e g e n e r a t e s r a n d o m i z e d d e c r y p t i o n r o u t in e s . T his d e c r y p t i o n r o u t i n e s v a rie s e v e r y t i m e
w h e n a n e w p r o g r a m is i n f e c t e d by t h e viru s .
W i t h a p o l y m o r p h i c v iru s , b o t h t h e m u t a t i o n e n g in e a n d t h e v ir u s c o d e a re e n c r y p t e d . W h e n a
p r o g r a m t h a t is i n f e c t e d w i t h a p o l y m o r p h i c v ir u s is ru n b y t h e user, t h e d e c r y p t o r r o u t i n e ta k e s
c o m p l e t e c o n t r o l o v e r t h e s y s te m , a f t e r w h i c h it d e c r y p t s t h e v iru s c o d e a n d t h e m u t a t i o n
e n g in e . N e x t, t h e c o n t r o l o f y o u r s y s te m is t r a n s f e r r e d by t h e d e c r y p t i o n r o u t i n e t o t h e v iru s ,
w h i c h lo c a te s a n e w p r o g r a m t o in f e c t. In R A M ( R a n d o m Access M e m o r y ) , t h e v ir u s m a k e s a
r e p lic a o f it s e lf as w e l l as t h e m u t a t i o n e n g in e . T h e n t h e v ir u s in s t r u c t s t h e e n c r y p t e d m u t a t i o n
e n g in e
to
g en erate
a new
ra n d o m iz e d
d e c ry p tio n
ro u tin e ,
w h ic h
has t h e
c a p a b i l it y
of
d e c r y p t i n g v iru s . H ere, t h is n e w c o p y o f b o t h t h e v ir u s c o d e a n d m u t a t i o n e n g in e is e n c r y p t e d
by t h e v iru s . T hu s, t h is v iru s , a lo n g w i t h t h e
n e w ly e n c ry p te d v iru s co d e and e n c ry p te d
m u t a t i o n e n g in e (EM E), a p p e n d s t h is n e w d e c r y p t i o n r o u t i n e o n t o a n e w p r o g r a m , t h e r e b y
c o n t i n u i n g t h e pro cess .
P o l y m o r p h ic v iru s e s t h a t re s p re a d b y t h e a t t a c k e r in t a r g e t e d s y s te m s a re d i f f i c u l t t o d e t e c t
b e c a u s e h e r e t h e v ir u s b o d y is e n c r y p t e d a n d t h e d e c r y p t i o n r o u t i n e s c h a n g e s e ach t i m e f r o m
in f e c t i o n t o i n f e c t i o n a n d n o t w o in f e c t i o n s lo o k t h e s a m e ; th is m a k e it d i f f i c u l t f o r t h e v iru s
s c a n n e r t o i d e n t i f y t h is v iru s .
M odule 07 Page 1050
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 46. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
M e ta m o r p h ic V ir u s e s
M e ta m o rp h ic V iru s e s
M e ta m o rp h ic C o d e
Metamorphic viruses
rewrite themselves
completely each time they
are to infect new
executable
Metamorphic code can
reprogram itself by
translating its own code into
a temporary representation
and then back to the normal
code again
CEH
UrtMM itkNjI lUilwt
MotaphoR V I by tHE moNTAL D illlei/2 9*
For example, W32/Simile
consisted of over 14000
lines of assembly code,
90% of it is part of the
metamorphic engine
E3
M
etaphoRV bj •H m LDI# /29*
I
E tfJTA < h
E l
a V tA
.) arian
c T e"U official” V t C
.) h n
arian
at IAHM 1 IL bY iH ni Ntnl cttllller/^JA
J
fc
m tA G 1b B tH•
E PH R Y
A
1LER/2*
r£TAfSC« iCbVlHE n£W dFIIUi/2^
»4l
E l
[1E
b.) V a ria n t B
I
d .) T h e .D v a ria n t ( w h ic h w a s th e
* o ffic ia l' C o f t h e o rig in a l a u th o r)
Copyright © by E&
Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
M e ta m o rp h ic V iru se s
S o m e v iru s e s r e w r i t e t h e m s e l v e s t o in f e c t n e w l y e x e c u te d files. Such v iru s e s are
c o m p le x a n d use m e t a m o r p h i c e n g in e s f o r e x e c u t io n .
A c o d e t h a t can r e p r o g r a m it s e lf is c a lle d m e t a m o r p h i c c o d e . T his c o d e is t r a n s l a t e d i n t o t h e
t e m p o r a r y c o d e , a n d t h e n c o n v e r t e d b a ck t o t h e n o r m a l c o d e . This t e c h n i q u e , in w h i c h t h e
o rig in a l a l g o r i t h m r e m a in s in t a c t , is used t o a v o id p a t t e r n r e c o g n i t i o n o f a n t i v i r u s s o f t w a r e .
This is m o r e e f f e c t i v e in c o m p a r i s o n t o p o l y m o r p h i c c o d e . T his t y p e o f v ir u s c o n s is ts o f c o m p le x
e x te n s iv e c o d e .
T h e c o m m o n l y k n o w n m e t a m o r p h i c v iru s e s a re :
W in 3 2 /S im ile :
T his v ir u s is w r i t t e n in a s s e m b ly la n g u a g e a n d d e s t i n e d f o r M i c r o s o f t W i n d o w s . T his p ro c e s s is
c o m p le x , a n d n e a r ly 9 0 % o f v i r u s c o d e s a re g e n e r a t e d b y t h is pro cess.
Z m ist:
Z m is t is also k n o w n as t h e Z o m b ie . M is t f a l l is t h e f i r s t v i r u s t o use t h e t e c h n i q u e c a lle d " c o d e
i n t e g r a t i o n . " T his c o d e in s e rts i t s e lf i n t o o t h e r c o d e , r e g e n e r a t e s t h e c o d e , a n d r e b u ild s t h e
e x e c u ta b le .
M odule 07 Page 1051
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 47. Ethical Hacking and Counterm easures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
□
a.) Variant A
c.) The "Unofficial" Variant C
Im ElAPHOR 1b BY tHe MeNTAI drilLER/29A
12
mEtAPHOR 1b BY tHe MeNTAI di!LER/
r o in
b.) Variant B
aA
m
mETAPhOr 1C bY tHE mENtal dRllle1/29A
Q
mETAPhOr 1C bY (HE mENtal dRlller/29A
.....וok...ך
d.) The .D variant (which was the
"official" C of the original author)
FIGURE 7.12: Metamorphic Viruses Screenshot
M odule 07 Page 1052
Ethical Hacking and C ounterm easures Copyright © by EC-C0l1nCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 48. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
File Overwriting or Cavity Viruses
CEH
Cavity Virus overwrites a part of the host file with a constant
(usually nulls), without increasingthe length of the file and
preserving its functionality
Sales and marketing management is the
leading authority for executives in the sales
and marketing management industries
The suspect, Desmond Turner, surrendered to
authorities at a downtown Indianapolis fast-food
restaurant
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Null
Original File
Size: 45 KB
Null
Null
N U ll
Null
Null
Null
Null
Null
■2> a
■ 3
Null
Infected File
Size: 45 KB
Copyright © by E&Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
F ile O v e r w r itin g o r C a v ity V iru s e s
T h e s e are also k n o w n as s p a c e -fille r s since t h e y m a i n t a i n a c o n s t a n t file -s iz e w h i l e
i n f e c t e d b y in s t a llin g t h e m s e l v e s i n t o t h e t a r g e t p r o g r a m . T h e y a p p e n d t h e m s e l v e s t o t h e e n d
o f file s a n d also c o r r u p t t h e s t a r t o f files. T his t r i g g e r e v e n t f i r s t a c tiv a te s a n d e x e c u te s t h e v iru s
c o d e , a n d l a t e r t h e o rig in a l a p p li c a t i o n p r o g r a m .
S o m e p r o g r a m file s h a ve a re a s o f e m p t y sp ace . T his e m p t y sp ace is t h e m a in t a r g e t o f th e s e
v iru s e s . T h e C a v it y V ir u s , a lso k n o w n as t h e Space F ille r V iru s , s to re s its c o d e in t h is e m p t y
space. T h e v iru s in s ta lls it s e lf in t h i s u n o c c u p ie d space w i t h o u t a n y d e s t r u c t i o n t o t h e o rig in a l
c o d e . It in s ta lls it s e lf in t h e file it a t t e m p t s t o in fe c t.
T his t y p e o f v ir u s is r a r e ly used b e c a u s e it is d i f f i c u l t t o w r i t e . A n e w W i n d o w s file ca lle d th e
P o r t a b l e E x e c u t a b le it d e s ig n e d f o r t h e fa s t lo a d in g o f p r o g r a m s . H o w e v e r , it lea ves a c e r ta in
g ap in t h e f ile w h i l e it is b e in g e x e c u t e d t h a t can be used by t h e Space F ille r V ir u s t o i n s e r t
its e lf. T h e m o s t p o p u l a r v ir u s f a m i l y is t h e CIH v ir u s .
Original File
Size: 45 KB
I
h
.............................................................................^
PDF
L
>1
Infected File
Size: 45 KB
PDF
FIGURE 7 .1 3 : File O v e r w ritin g o r C a v ity V iru s
M odule 07 Page 1053
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 49. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
S p a r se I n fe c to r V ir u s e s
M
ir
S parse In fe c to r Virus
J
Sparse infector virus infects only occasionally (e.g. every
tenth program executed), or only files whose lengths fall
within a narrow range
D iffic u lt to D e te c t
J
By infecting less often, such viruses try to minimize the
probability of being discovered
In fe c tio n Process
Wake up on 15* of
every month and execute code
Copyright © by EC auactl. All Rights Reserved. Reproduction is Strictly Prohibited.
-C
S p a rse In fe c to r V iru se s
Sparse i n f e c t o r v iru s e s in f e c t o n l y o c c a s io n a lly (e.g., e v e r y t e n t h p r o g r a m e x e c u t e d o r
o n p a r t i c u l a r d a y o f t h e w e e k ) o r o n l y file s w h o s e l e n g t h s fa ll w i t h i n a n a r r o w r a n g e . By
i n f e c t i n g less o f t e n , th e s e v iru s e s t r y t o m in i m i z e t h e p r o b a b i l i t y o f b e in g d is c o v e r e d .
Wake up on 15th of
every month and execute code
FIGURE 7.14: Working of Sparse Infector Viruses
M odule 07 Page 1054
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 50. Ethical Hacking and Countermeasures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
Companion/Camouflage Viruses I C EH
A Companion virus creates a companion file for each
executable file the virus infects
A
Therefore, a companion virus may save itself as notepad.com and every
time a user executes notepad.exe (good program), the computer will load
notepad.com (virus) and infect the system
Virus infects the system with
a file notepad.com and saves
it in c:winntsystem32directory
...
1
Attacker
1
/
£
N otepad.exe
Notepad.com
Copyright © by EC auactl. All Rights Reserved. Reproduction is Strictly Prohibited.
-C
C o m p a n io n /C a m o u fla g e V iru se s
Com panion Viruses
4
T h e c o m p a n i o n v ir u s s to r e s it s e lf b y h a v in g t h e id e n t ic a l file n a m e as t h e t a r g e t e d
p r o g r a m f i l e . As s o o n as t h a t f ile is e x e c u te d , t h e v ir u s i n f e c ts t h e c o m p u t e r , a n d h a rd d isk d a ta
is m o d if ie d .
C o m p a n io n v iru s e s use DOS t h a t r u n C O M file s b e f o r e t h e EXE file s are e x e c u te d . T h e v ir u s
in s ta lls an id e n t ic a l C O M file a nd i n f e c ts t h e EXE files.
S o u rc e : h t t p : / / w w w . c k n o w . c o m / v t u t o r / C o m p a n i o n V i r u s e s . h t m l
H e re is w h a t h a p p e n s : S u p p o s e a c o m p a n i o n v ir u s is e x e c u t in g o n y o u r PC a n d d e c id e s it is t i m e
t o in f e c t a file . It lo o k s a r o u n d a n d h a p p e n s t o f i n d a f ile c a lle d PGM.EXE. It n o w c r e a te s a file
ca lle d P G M .C O M , c o n t a i n i n g t h e v iru s . T h e v ir u s u s u a lly p la n t s t h is file in t h e s a m e d i r e c t o r y as
t h e .EXE file , b u t it c o u ld p la ce it in a n y d i r e c t o r y o n y o u r DOS p a t h . If y o u t y p e P G M a n d press
E n te r, DOS e x e c u te s P G M .C O M in s te a d o f PG M .E XE . (In o r d e r , DOS w ill e x e c u te C O M , t h e n
EXE, a n d t h e n BAT file s o f t h e s a m e r o o t n a m e , if t h e y a re all in t h e s a m e d ir e c t o r y . ) T h e v iru s
e x e c u te s ,
p o s s ib ly i n f e c t i n g
m o r e file s , a n d t h e n
lo a d s a n d
e x e c u te s
PGM.EXE. T h e
u ser
p r o b a b l y w o u l d fa il t o n o t i c e a n y t h i n g is w r o n g . It is easy t o d e t e c t a c o m p a n i o n v i r u s j u s t by
t h e p r e s e n c e o f t h e e x tr a C O M f ile in t h e s y s te m .
M odule 07 Page 1055
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.
- 51. Ethical Hacking and Counterm easures
Viruses and W orm s
Exam 312-50 C ertified Ethical Hacker
Virus infects the system with
a file notepad.com and saves
It In c:wlnntsystem32 directory
Attacker
V
Notepad.exe
Notepad.com
FIGURE 7.15: Working of Companion/Camouflage Viruses
M odule 07 Page 1056
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is S trictly Prohibited.