
ATHENA CEH v7 module 07

The document was scanned with OCR; its content may be inaccurate.

DOCUMENT INFORMATION

Basic information

Title: ATHENA CEH v7 Module 07
Institution: Athena University
Field: Information Technology
Type: Module content
Year published: 2023
City: Hanoi
Format:
Pages: 82
Size: 7.91 MB


Contents

Module Objectives: Introduction to Virus, Stages of Virus Life, Working of Virus, Virus Analysis, Types of Viruses, Writing a Simple Virus Program, Computer Worms, Malware Analysis Procedure

Page 2

"This doesn't mean that there are fewer threats or that the cyber-crime market is shrinking. Quite the opposite; it continues to expand, and by the end of 2010 we will have logged more new threats in Collective Intelligence than in 2009. Yet it seems as though hackers are applying economies of scale, reusing old malicious code or prioritizing the distribution of existing threats over the creation of new ones", Corrons concluded.


IT Perspective for Decision Makers

PandaLabs, Panda Security's anti-malware laboratory, stated that in the first ten months of the year the number of threats created and distributed accounts for one third of all viruses that exist. This means that 34 percent of all malware ever created has appeared in the last ten months.

The company's collective intelligence database, which automatically detects, analyzes and classifies 99.4 percent of the threats received, now has 134 million separate files, 60 million of which are malware (viruses, worms, trojans and other threats).

The report further added that, up to October this year, some 20 million new strains of malware have been created (including new threats and variants of existing families), the same amount as in the whole of 2009. The average number of new threats created every day has risen from 55,000 [...]

[...] or create new ones so as to evade detection. This is why it is so important to have protection technologies such as collective intelligence, which can rapidly neutralize new malware and reduce the risk window to which users are exposed during these first 24 hours.

Page 3

Module Objectives

- Introduction to Virus
- Stages of Virus Life
- Working of Virus
- Virus Analysis
- Types of Viruses
- Writing a Simple Virus Program
- Computer Worms
- Malware Analysis Procedure
- Virus Detection Methods
- Virus and Worms Countermeasures

Page 4

All Rights Reserved Reproduction is Strictly Prohibited

WWW.ATHENA.EDU.VN

Page 5

Introduction to Viruses

A virus is a self-replicating program that produces its own code by attaching copies of itself into other executable codes.

Some viruses act as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met.

(Diagram of virus characteristics: transforms itself, corrupts files and programs, self-propagates)

Page 6

(Figure: Top 13 countries with servers hosting malicious code)

Page 7

Incorporation

Anti-virus software developers assimilate defenses against the virus.


Page 8

Working of Viruses: Infection Phase

- In the infection phase, the virus replicates itself and attaches to an .exe file in the system.
- Some viruses infect each time they are run and executed completely, and others infect only when users trigger them, which can include a day, time, or a particular event.

(Diagram: start of program before infection and after infection)

Page 9

- Some viruses have trigger events to activate and corrupt systems.
- Some viruses have bugs that replicate and perform activities such as file deletion and increase the session's time.
- They corrupt the targets only after spreading completely as intended by their developers.

(Diagram: unfragmented file before attack; File: A, File: B)

Page 10

Why Do People Create Computer Viruses?

Page 11

Indications of Virus Attack

If the system acts in an unprecedented manner, you can suspect a virus attack.

False Positives: however, not all glitches can be attributed to virus attacks.

Page 12

How Does a Computer Get Infected by Viruses?

- When a user accepts files and downloads without checking properly for the source
- Not running the latest [...]
- Not updating and not installing new versions of plug-ins
- Opening infected e-mail attachments
- Installing pirated software

Page 13

Virus Hoaxes

- Hoaxes are false alarms claiming reports about a non-existing virus, which may contain virus attachments.
- Warning messages propagating that a certain email message should not be viewed and that doing so will damage one's system.

Example hoax message:

"[...] 'RESIGNATION OF BARACK OBAMA', regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then 'burns' the whole hard C disc of your computer. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept. COPY THIS E-MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US"

Page 14

Virus Analysis: W32/Sality.AA

- W32/Sality-AA deletes all files found on the system with extension ".vdb" and ".avc" and files that start "drw" and end "key".
- The virus logs system information and keystrokes to certain windows and periodically submits them to a remote website.
- It modifies <Windows>\system.ini by adding the following: [...]

Page 15

Virus Analysis: W32/Toal-A

- W32/Toal-A is an email-aware virus that arrives as an attachment called BinLaden_Brasil.exe.
- The subject of the email will be related to the conflict in Afghanistan. This is chosen randomly from a large selection including:

(Screenshot of the email: Subject "USA against geneva convention ?"; Attached: BinLaden_Brasil.exe; the body consists of repeated slogan lines)


Page 16

Virus Analysis: W32/Toal-A

- The blank message has a MIME header encoded to exploit vulnerabilities in IE 5.01/5.5 that run an attachment automatically when the email is viewed.
- The virus adds its pathname to the "shell=" line in the [Boot] section of <Windows>\System.ini; this causes the virus to be run automatically each time the machine is restarted.
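As an added example (not from the slides), here is a Python check for the persistence trick described above for W32/Toal-A and for the system.ini modification noted under W32/Sality.AA: it parses a system.ini-style file and reports any program other than the stock Explorer.exe on the [boot] shell= line. The sample file contents and the dropped-file path C:\WINDOWS\dropped_virus.exe are constructed for the demonstration.

```python
import re

# Constructed sample contents of a Windows 9x-style system.ini: one clean, one with an extra program
# appended to the shell= line, which is the modification the slide describes (the path is a placeholder).
CLEAN_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\nPagingDrive=C:\n"
INFECTED_INI = "[Boot]\nshell=Explorer.exe C:\\WINDOWS\\dropped_virus.exe\n[386Enh]\n"

# The only program expected on a stock shell= line
EXPECTED_SHELL = "explorer.exe"


def parse_ini(text):
    """Tiny INI parser: {section: {key: value}} with case-insensitive section and key names."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            result.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            result[section][key.strip().lower()] = value.strip()
    return result


def shell_programs(ini_text):
    """Return the programs named on the [boot] shell= line (empty list if the line is absent)."""
    return parse_ini(ini_text).get("boot", {}).get("shell", "").split()


def audit_shell_line(ini_text):
    """Return the unexpected programs on the shell= line: anything besides the stock Explorer.exe.
    A virus that appends its own pathname shows up here; an empty list means the line looks stock.
    (A fuller check would also verify the path and hash of Explorer.exe itself.)"""
    return [p for p in shell_programs(ini_text) if p.lower() != EXPECTED_SHELL]


if __name__ == "__main__":
    for label, ini in (("clean", CLEAN_INI), ("infected", INFECTED_INI)):
        print(label, audit_shell_line(ini) or "shell= line is stock")
```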


Page 17

Virus Analysis: W32/Toal-A

- Each time you launch Windows Explorer, the virus will run and infect the files HH.EXE and Explorer.exe.
- The virus looks for the active anti-virus products and scanners and attempts to terminate them.
- Various colorful slogans will be displayed across the desktop, along with a message box.

(Screenshot of the message box: "Ohhhh is this the famous American Way of Life ? HAHAHAHA !!!"; the text is masked intentionally to hide offensive content)


Page 18

Virus Analysis: W32/Toal-A

(Screenshot of an infected desktop covered with the virus's slogans and message boxes)


Page 19

Virus Analysis: W32/Toal-A

- The virus tries to download information about other users from the remote ICQ site by searching "white pages" for a list of keywords including: "history", "friends", "airplane".
- The virus will then send itself to email addresses that it finds within the found pages.
- The virus process will normally terminate itself after 5-10 minutes, but can also be terminated using the Task Manager.

Page 20

Virus Analysis: W32/Virut

Virut is a family of polymorphic memory-resident appending file infectors that have EPO (Entry Point Obscuring) capabilities.

Infection methods:

- The virus relocates a certain amount of bytes from the entry point of the original file and writes its initial decryptor there.
- It appends its code to the end of the file and changes the entry point address of the original program so it points to the start of the appended viral code.
- The virus writes its initial code into a gap (empty space) at the end of the original file's code section and redirects the entry point address to that code.
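As an added example (not part of the slides), the Python below implements the entry-point heuristics a scanner can apply against the second and third infection methods above: it parses a PE header and flags an entry point that lands in the last section, in a non-code or writable section, or in the slack past a section's VirtualSize. The PE images are constructed in the block itself; the first method (decryptor written at the original entry point) leaves the entry point in place and is deliberately not caught by these checks.

```python
import struct

# IMAGE_SCN_* section flags from the PE specification
SCN_CODE, SCN_EXEC, SCN_WRITE = 0x00000020, 0x20000000, 0x80000000

# Constructed layout of an ordinary two-section program: (name, VirtualAddress, VirtualSize, SizeOfRawData, flags)
SECTIONS = [(".text", 0x1000, 0x500, 0x600, SCN_CODE | SCN_EXEC | 0x40000000),
            (".data", 0x2000, 0x100, 0x200, 0x00000040 | 0x40000000 | SCN_WRITE)]

def build_pe(entry_rva, sections):
    """Build a minimal PE32 header (DOS stub, NT headers, section table) for the demonstration."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: offset of the PE signature
    opt = bytearray(224)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, 0x400, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def parse_pe(pe):
    """Return (AddressOfEntryPoint, [section dicts]); assumes a well-formed PE32 header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    secs = []
    for i in range(nsec):
        name, vs, va, rs, *_, ch = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vs, "raw": rs, "flags": ch})
    return entry, secs

def entry_point_findings(pe):
    """Heuristics on where the entry point lands; an empty list means it looks like a normal build."""
    entry, secs = parse_pe(pe)
    home = next((s for s in secs if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw"])), None)
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry]
    findings = []
    if not (home["flags"] & (SCN_CODE | SCN_EXEC)):
        findings.append("entry point in non-code section %s" % home["name"])
    if home["flags"] & SCN_WRITE:
        findings.append("entry point in writable section %s" % home["name"])
    if len(secs) > 1 and home is secs[-1]:
        findings.append("entry point in last section %s (appended-code pattern)" % home["name"])
    if entry >= home["va"] + home["vsize"]:
        findings.append("entry point in slack past VirtualSize of %s (code-cave pattern)" % home["name"])
    return findings
```

On a real file, read the bytes from disk and pass them to entry_point_findings; legitimate packers and some linkers also trip these heuristics, so treat a finding as a reason to look closer, not as a verdict.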


Page 21

Virus Analysis: W32/Virut

The virus attempts the following activities:

- Attempts to infect .exe and/or .scr files
- Interferes with file protection activities provided by Windows
- Embeds the command to give the user access [...] where the virus was trapped in advance

(Screenshot of the injected HTML: a hidden iframe, `<iframe src="http://..." ... style="border:0"></iframe>`, pointing at a remote site)


Page 22

Virus Analysis: Klez

- The Klez virus arrives as an email attachment that automatically runs when viewed or previewed in Microsoft Outlook or Outlook Express.
- Its email messages arrive with randomly selected subjects.
- It is a memory-resident mass-mailing worm that uses its own SMTP engine to propagate via email.
- It spoofs its email messages so that they appear to have been sent by certain email accounts, including accounts that are not infected.


Page 23

Virus Analysis: Klez

- This virus drops a copy of itself as [...] in the Windows System [...]
- This virus creates this registry entry so that it is executed at every [...]
- It sets itself as a service by creating this registry entry: [...]
- Once the victim's computer is infected, the Klez virus starts [...]

Page 25

(Diagram of virus types: Stealth Virus/Tunneling Virus, Encryption Virus, Companion Virus, File Cluster Viruses, Camouflage Virus, File Extension Virus, Direct Action or Transient Virus, Terminate and Stay Resident Virus (TSR); "What Do They Infect?")

Page 26

System or Boot Sector Viruses

- A boot sector virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.
- When the system boots, the virus code is executed first and then control is passed to [...]

(Diagram: disk layout after infection)

Page 27

File and Multipartite Viruses

- File viruses infect files which are executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ, PRG, MNU and BAT.
- [...] executable or program files [...] at the same time
- File viruses can be either direct-action (non-resident) or memory-resident.

Page 28

Macro Viruses

- Macro viruses infect files created by Microsoft Word or Excel.
- Most macro viruses are written using the macro language Visual Basic for Applications (VBA).
- Macro viruses infect template files, while maintaining their appearance of ordinary document files.


Page 29

Cluster Viruses

- Cluster viruses modify directory table entries so that directory entries point to the virus code instead of the actual program.
- There is only one copy of the virus on the disk, infecting all the programs in the computer system.
- It will launch itself first when any program on the computer system is started, and then control is passed to the actual program.

Page 30

Stealth/Tunneling Viruses

- These viruses evade the anti-virus software by intercepting its requests to the operating system.
- A virus can hide itself by intercepting the anti-virus software's request to read the file and passing the request to the virus, instead of the OS.
- The virus can then return an uninfected version of the file to the anti-virus software, so that it appears as if the file is "clean".

(Diagram: the anti-virus request "Give me the system file tcpip.sys to scan" is intercepted by the virus)

Page 31

Encryption Viruses

This type of virus uses simple encryption to encipher the code. [...]

Page 32

Polymorphic Code

- Polymorphic code is code that mutates while keeping the original algorithm intact.
- To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine).
- A well-written polymorphic virus therefore has no parts that stay the same on each [...]

(Diagram: Encrypted Virus Code and Decryptor; the Mutation Engine (EME) produces New Encrypted Code with a new key)

Page 33

Metamorphic Viruses

- Metamorphic viruses rewrite themselves completely each time they are to infect a new executable.
- Metamorphic code can reprogram itself by translating its own code into a temporary representation and then back to the normal code again.
- For example, W32/Simile consisted of over 14000 lines of assembly code, 90% of it part of the metamorphic engine.

(Screenshot of strings from the virus: "MetaphoR V1 by tHE meNTAL DrilleR/29A"; "official" [...] of the original author)

Page 34

Cavity Viruses

A cavity virus overwrites a part of the host file with a constant (usually nulls), without increasing the length of the file and preserving its functionality.

(Illustration: a text file in which runs of the original text have been replaced with "Null Null Null ..." bytes)

Page 35

Sparse Infector Viruses

A sparse infector virus infects only occasionally, with some probability, or only within a narrow range.

(Diagram: "Wake up on the 15th of every month and execute code")

Page 37

Shell Viruses

- Virus code forms a shell around the target host program's code, making itself the original program and the host code its sub-routine.
- Almost all boot program viruses are shell viruses.

Page 38

File Extension Viruses

1. File extension viruses change the extensions of files.
2. .TXT is safe as it indicates a pure text file.
3. With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you will only see BAD.TXT.
4. If you have forgotten that extensions are turned off, you might think this is a text file and open it.
5. This is an executable Visual Basic Script virus file and could do serious damage.

(Screenshot: Folder Options > View > Advanced settings, with "Hide extensions for known file types" checked)
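As an added example (not from the slides), this Python code models the Explorer behaviour described above: with "Hide extensions for known file types" on, only the last extension is hidden, so it computes the name the user would see and flags files whose real, hidden extension is executable while the visible name suggests a harmless type. The two extension sets are assumptions for the demonstration, and the attachment names are constructed.

```python
import os

# Extensions Windows runs directly or hands to a script host (assumed list for this example)
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
# Extensions a user would expect to be harmless data (assumed list for this example)
DATA_EXTS = {".txt", ".doc", ".jpg", ".jpeg", ".gif", ".pdf", ".xls"}


def displayed_name(filename, hide_known_extensions=True):
    """Name as Explorer shows it: with the option on, only the final extension is dropped."""
    if not hide_known_extensions:
        return filename
    stem, _ext = os.path.splitext(filename)
    return stem or filename


def classify(filename):
    """Return (displayed_name, real_extension, is_disguised).

    A file is disguised when its real (last) extension is executable but the name the
    user sees ends in a data extension, e.g. BAD.TXT.VBS is shown as BAD.TXT."""
    shown = displayed_name(filename)
    real_ext = os.path.splitext(filename)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    disguised = real_ext in EXECUTABLE_EXTS and shown_ext in DATA_EXTS
    return shown, real_ext, disguised


def find_disguised(filenames):
    """Filter attachment names down to those that look like data but would run as code."""
    return [f for f in filenames if classify(f)[2]]


if __name__ == "__main__":
    # Constructed sample attachment names
    for name in ["BAD.TXT.VBS", "report.txt", "setup.exe", "photo.jpg.scr"]:
        print(name, "->", classify(name))
```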

Page 39

Add-on and Intrusive Viruses

Add-on viruses append their code to the host code without making any changes to the latter, or relocate the host code to insert their own code at the beginning.


Page 40

Transient and Terminate and Stay Resident Viruses

Basic Infection Techniques: Direct Action or Transient [...]

Posted: 03/04/2014, 22:58
