
CEHv8 module 07 viruses and worms


DOCUMENT INFORMATION

Basic information

Title: Viruses and Worms
School: Học viện Công Nghệ Thông Tin Bach Khoa
Field: Cybersecurity
Type: lecture notes
Year published: 2010
City: Hanoi
Format:
Pages: 82
Size: 5.35 MB


Contents

Học viện Công Nghệ Thông Tin Bach Khoa

Page 2

Virus and Worm Statistics (from a 2010 PandaLabs report):

The company's Collective Intelligence database, which automatically detects, analyzes and classifies 99.4 percent of the threats received, now has 134 million separate files, 60 million of which are malware (viruses, worms, trojans and other threats). The report further added that, to October this year, some 20 million new strains of malware [...] in the whole of 2005. This means that 34 percent of a[...]. The average number of new threats created every day has risen from 55,[...] in 2009 [...].

"Despite these dramatic numbers, the speed with which the number of new threats is growing has dropped since 2009. Since 2003, new threats have increased at a rate of 100 percent or more. Yet so far in 2010 the rate of growth is around 50 percent", explains Luis Corrons, technical director of PandaLabs. Yet it seems as though hackers are applying economies [...].

The company further informed that, although more malicious software is created, its lifespan is shrinking: [?]4 percent of malware samples are active for just 24 hours, as opposed to the lifespan of months enjoyed by the threats of previous years. They now infect just a few systems [...]. As antivirus solutions become able to detect new malware, hackers modify them so as to evade detection. This is why it is so important to have protection technologies such as Collective Intelligence, which can rapidly neutralize new malware and reduce the risk window to which users are exposed during these first 24 hours.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Page 3

Module Objectives

- Stages of Virus Life
- What is a Sheep Dip Computer?
- Writing a Simple Virus Program
- Anti-virus Tools

Page 4

Page 5

Transforms itself

Page 6

Page 7

Stages of Virus Life

1. Design: developing virus code using programming languages or construction kits.
2. Replication: the virus replicates for a period of time within the target system [...].
3. Launch: it gets activated with the user performing certain actions such as [...].
4. Detection: the virus is identified as a threat infecting target systems.
5. Incorporation: anti-virus software developers assimilate defenses against the virus.
6. Elimination: users install anti-virus updates and eliminate the virus threats.

Page 8

- In the infection phase, the virus replicates itself and attaches to an .exe file in the system.
- Some viruses infect each time they are run and executed completely, and others infect only when users trigger them, which can include a day, time, or a particular event.

[Figure: the same executable before and after infection. Before: File Header, Start of Program, End of Program (clean file). After: File Header, Start of Program, End of Program, followed by the appended virus (virus-infected file).]

Page 9

Working of Viruses:

- Some viruses have triggers to activate and corrupt systems.
- Some viruses have bugs that replicate and perform activities such as file deletion and increasing the session's time.
- They [...] only after spreading completely as intended by their developers.

[Figure: unfragmented file before attack (pages 1-3 of files A and B stored contiguously) versus the fragmented file after attack (pages of A and B interleaved).]

Page 10

Why Do People Create Computer Viruses?

Page 11

However, not all glitches can be attributed to virus attacks.

Page 12

How does a computer get infected by viruses? (fragments recoverable from the scan)

- [...] properly for the source [...]
- [...] versions of plug-ins
- Installing pirated software

Page 13

Virus hoax example:

Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS! You should be alert during the next few days. Do not open any message with an attachment entitled "POSTCARD FROM BEIJING" or "RESIGNATION OF BARACK OBAMA", regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then 'burns' the whole hard disc of your computer.

This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus.

This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.

COPY THIS E-MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US. End-of-mail

Thanks

Page 14

Virus Analysis: W32/Sality-AA

- W32/Sality-AA is a virus that also acts as a keylogger and spreads via email by piggy-backing on the W32/Netsky-T worm.
- It infects files of ".exe" and ".scr" on all drives, excluding those under <Windows>.
- W32/Sality-AA creates the file <System>\vcmgcd32.dll [...].
- The virus logs system information and periodically submits it to a remote website.
- W32/Sality-AA deletes all files found on the system with extension ".vdh" and ".avc" and files that start with "drw".
- It modifies <Windows>\system.ini by adding the following: DEVICE=<random string>

Page 15

Virus Analysis: W32/Toal-A

- W32/Toal-A is an email-aware virus that arrives as an attachment called E[...].
- The subject of the email will be related to the conflict in Afghanistan. This is chosen randomly from a large selection including: [list of subject lines not legible in the scan].

Page 16

Virus Analysis: W32/Toal-A (continued)

- The blank message has a MIME header encoded to exploit vulnerabilities in IE 5.01/5.5 that run an attachment automatically when the email is viewed.
- If the attached file is executed, it drops the library file INVICTUS.DLL to the Windows System directory and the virus itself to the Windows directory, using a random 3-letter name consisting of the upper-case characters 'A-O'.
- The virus may also make a copy of itself in the C:\ directory; these copies of the virus will have their file attributes set to hidden and read-only.
- The virus adds its pathname to the "shell=" line in the [boot] section of <Windows>\System.ini; this causes the virus to be run automatically each time the machine is restarted.
- The virus makes the C: drive shareable by setting various subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\[...]
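Both Toal-A (extra program on the [boot] shell= line) and Sality-AA (a DEVICE= line naming a random string) persist through system.ini. The following is an added example, not part of the CEH slides, that reads a system.ini offline and flags both modifications. The INI text is constructed, and the notion of "normal" (shell= is exactly Explorer.exe; a device= entry names a built-in VxD with a leading `*` or a .vxd/.386 file) is this example's assumption, so treat flagged lines as review candidates rather than verdicts.

```python
"""Added example (not from the CEH slides): offline check for the two
system.ini persistence tricks on the Toal-A and Sality-AA slides.  The INI
content is constructed; the baseline of what a clean shell= / device= looks
like is an assumption for a Windows 9x/NT-era machine."""

SAMPLE_SYSTEM_INI = """\
; constructed system.ini carrying both modifications
[boot]
shell=Explorer.exe C:\\WINDOWS\\KQB.EXE
display.drv=pnpdrvr.drv
[386Enh]
device=*vshare
device=amgsdxw
woafont=dosapp.fon
"""


def parse_ini(text):
    """Return [(section, key, value)] in file order, keeping duplicate keys
    (configparser would merge or reject the repeated device= lines)."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip().lower(), value.strip()))
    return entries


def persistence_findings(text):
    """Flag a shell= that launches anything besides Explorer.exe and any
    device= that is neither a built-in VxD (*name) nor a .vxd/.386 file."""
    findings = []
    for section, key, value in parse_ini(text):
        if section == "boot" and key == "shell":
            tokens = value.split()
            if [t.lower() for t in tokens] != ["explorer.exe"]:
                findings.append(f"[boot] shell= runs extra program(s): {tokens[1:] or tokens}")
        if section == "386enh" and key == "device":
            v = value.lower()
            if not (v.startswith("*") or v.endswith((".vxd", ".386"))):
                findings.append(f"[386Enh] device= loads unknown driver name: {value}")
    return findings


if __name__ == "__main__":
    for finding in persistence_findings(SAMPLE_SYSTEM_INI):
        print(finding)
```

The same two rules transfer to the registry-based autostart locations that replaced system.ini on later Windows versions (the Run keys and the Winlogon Shell value): compare the value against a known-good baseline rather than searching for a specific malware name.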

Page 17

- Various colorful slogans will be displayed across the desktop, along with [...]. The text is masked intentionally to hide offensive content.

Page 18

[Screenshot of the desktop slogans displayed by W32/Toal-A; the text is not legible in the scan.]

Page 19

- The virus tries to download information about other users from the remote ICQ site by searching "white pages" including: "history", "friends", "airplane".
- The virus process will normally terminate itself after 5-10 minutes, but can also be terminated using the Task Manager.

Page 20

Virus Analysis: Virut

Virut is a family of polymorphic, memory-resident, appending file infectors that have EPO (Entry Point Obscuring) capabilities. The slide shows three infection methods:

- The virus [overwrites] a certain amount of bytes from the entry point of the original file and writes its initial decryptor there.
- The virus writes its initial code [...] to the end of the original file's code section and redirects the entry point address to that code.
- The virus appends itself to the end of the original file and changes the entry point address of the original program so that it points to the start of the appended viral code.
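The infection-phase diagram on Page 8 and Virut's third method both come down to one header change: a new block of code at the end of the file and an AddressOfEntryPoint that now points at it. The following is an added example, not code from the CEH slides, that builds a minimal PE32 image in memory, simulates that appending infection by rebuilding the image with an extra final section, and then runs the heuristic a scanner uses against it (entry point in the last section, entry section writable and executable, entry section not marked as code). Header offsets follow the PE/COFF format; the section names, their contents and the "viral" bytes are constructed stand-ins.

```python
"""Added example (not from the CEH slides): minimal PE32 built in memory, a
simulated appending infection, and the entry-point heuristic a scanner runs
against it.  Header layout follows the PE/COFF format; section names, contents
and the 'viral' bytes are constructed stand-ins."""
import struct

SECTION_ALIGN, FILE_ALIGN = 0x1000, 0x200
SCN_CODE, SCN_INIT_DATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes


def _align(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_pe(sections, entry_rva):
    """sections = [(name, raw_bytes, characteristics)] in file order -> PE32 bytes."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    headers_size = _align(0x40 + 4 + 20 + 224 + 40 * len(sections), FILE_ALIGN)
    table, raw, rva, ptr = bytearray(), bytearray(), SECTION_ALIGN, headers_size
    for name, data, chars in sections:
        rsize = _align(len(data), FILE_ALIGN)
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                             len(data), rva, rsize, ptr, 0, 0, 0, 0, chars)
        raw += data.ljust(rsize, b"\0")
        rva += _align(len(data), SECTION_ALIGN)
        ptr += rsize
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 32, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, rva, headers_size)            # SizeOfImage, SizeOfHeaders
    nt = b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return bytes(dos) + nt.ljust(headers_size - 0x40, b"\0") + bytes(raw)


def parse_pe(pe):
    """Read AddressOfEntryPoint and the section table back out of the headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]
    table = e_lfanew + 24 + opt_size
    secs = []
    for i in range(nsec):
        name, vsize, va, rsize, ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, pe, table + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                     "ptr": ptr, "rsize": rsize, "chars": chars})
    return entry, secs


def entry_section(pe):
    """Index of the section that contains the entry point, or None."""
    entry, secs = parse_pe(pe)
    for i, s in enumerate(secs):
        if s["va"] <= entry < s["va"] + _align(max(s["vsize"], 1), SECTION_ALIGN):
            return i
    return None


def appending_infector_indicators(pe):
    """Entry point in the last section, in a writable+executable section (a
    self-decrypting stub needs both), or in a non-code section.  [] = nothing odd."""
    _, secs = parse_pe(pe)
    idx = entry_section(pe)
    if idx is None:
        return ["entry point lies outside every section"]
    s, reasons = secs[idx], []
    if len(secs) > 1 and idx == len(secs) - 1:
        reasons.append(f"entry point in last section {s['name']!r}")
    if s["chars"] & SCN_WRITE and s["chars"] & SCN_EXEC:
        reasons.append(f"entry section {s['name']!r} is writable and executable")
    if not s["chars"] & SCN_CODE:
        reasons.append(f"entry section {s['name']!r} is not marked as code")
    return reasons


def simulate_append_infection(pe, viral_code):
    """The slide's appending method: new last section holding viral_code, entry
    point moved to its start.  Rebuilds the image instead of patching in place."""
    _, secs = parse_pe(pe)
    kept = [(s["name"], pe[s["ptr"]:s["ptr"] + s["vsize"]], s["chars"]) for s in secs]
    new_entry = SECTION_ALIGN + sum(_align(len(d), SECTION_ALIGN) for _, d, _ in kept)
    kept.append((".vir", viral_code, SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE))
    return build_pe(kept, new_entry)


def demo():
    clean = build_pe([(".text", b"\x55\x89\xe5\x90\xc3" * 20, SCN_CODE | SCN_EXEC | SCN_READ),
                      (".data", b"hello\0", SCN_INIT_DATA | SCN_READ | SCN_WRITE)], 0x1000)
    infected = simulate_append_infection(clean, b"\xe8\x00\x00\x00\x00" + b"\x90" * 60)
    return appending_infector_indicators(clean), appending_infector_indicators(infected)
```

Running `demo()` returns an empty list for the clean image and two indicators for the infected one. The heuristic is exactly what Virut's first two methods (overwriting bytes at the original entry point, or hiding the stub inside the existing code section) are designed to defeat, which is why EPO infectors need emulation or integrity checking rather than a header check alone.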

Page 21

Virus Analysis: Virut (continued)

[Infected files in a web server:] The virus attempts the following activities: to give the user access to the php, asp, htm and html files in the site where the virus was trapped in advance, or [...].

Page 22

Virus Analysis: Klez

- The Klez virus arrives as an email attachment that automatically runs when viewed or previewed in Microsoft Outlook or Outlook Express.
- Its email messages arrive with randomly selected subjects.
- It is a memory-resident mass-mailing worm that uses its own SMTP engine to propagate via email.
- It spoofs its email messages so that they appear to have been sent by certain email accounts, including accounts that are not infected.

Page 23

[Figure: Klez propagation. Execution, Autorun: once the victim's computer is infected, the Klez virus starts [...] other users through [...].]

Page 24
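Both the Toal-A slide ("MIME header encoded to exploit vulnerabilities in IE 5.01/5.5 that run an attachment automatically when the email is viewed") and the Klez slide ("automatically runs when viewed or previewed") describe the same message shape: an executable attachment labelled with a harmless MIME type such as audio/x-wav, referenced from the HTML body so the rendering engine loads it on preview. The following is an added example, not part of the CEH slides, that parses a message with Python's standard email module and reports that shape. The two messages are constructed to illustrate the pattern; they are not captured Klez or Toal samples, and the base64 content is only a PE header prefix.

```python
"""Added example (not from the CEH slides): flag executable attachments that
hide behind a harmless MIME type and HTML bodies that pull such a part into an
iframe.  Both messages below are constructed for this illustration."""
import os
import re
from email import message_from_string
from email.policy import default

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js"}
HARMLESS_TYPES = ("audio", "image", "text")

KLEZ_STYLE = """\
From: spoofed.sender@example.com
To: victim@example.com
Subject: a funny website
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="bnd"

--bnd
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<html><body><iframe src="cid:part1" height=0 width=0></iframe></body></html>
--bnd
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64
Content-ID: <part1>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--bnd--
"""

PLAIN = """\
From: colleague@example.com
To: victim@example.com
Subject: minutes
Content-Type: text/plain; charset=us-ascii

See you at 10.
"""


def suspicious_parts(raw):
    """Return human-readable findings for one RFC 822 message string."""
    msg = message_from_string(raw, policy=default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        if ext in EXEC_EXTS and ctype.split("/")[0] in HARMLESS_TYPES:
            findings.append(f"{name}: executable extension declared as {ctype}")
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"MZ") and ctype.split("/")[0] in HARMLESS_TYPES:
            findings.append(f"{name or ctype}: PE header (MZ) inside a {ctype} part")
        if ctype == "text/html":
            for cid in re.findall(r'<iframe[^>]*src="cid:([^"]+)"', part.get_content(), re.I):
                findings.append(f"html body auto-loads attachment cid:{cid} from an iframe")
    return findings


if __name__ == "__main__":
    for finding in suspicious_parts(KLEZ_STYLE):
        print("SUSPICIOUS:", finding)
    print("clean message findings:", suspicious_parts(PLAIN))
```

The content check on the decoded bytes matters more than the filename check: the declared type and the name are both attacker-controlled, whereas the MZ header is what the client would actually execute.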

Page 25

Types of Viruses

- [...] Virus
- Encryption Virus
- Polymorphic Virus
- Metamorphic Virus
- Direct Action or Transient Virus
- Terminate and Stay Resident Virus (TSR)

What Do They Infect?

Page 26

System or Boot Sector Viruses

- [The virus moves the MBR to another location on the hard disk and copies] itself to the original location of the MBR.
- When the system boots, the vi[rus code is executed first] and then control is passed to [the original MBR].

Page 27

File and Multipartite Viruses

- File viruses infect files which are [...].
- File viruses can be either direct-action (non-resident) or memory-resident.
- A multipartite virus attempts to attack both the [boot sector and the] executable or program files.

Page 28

Macro Viruses: Infect Macro-Enabled Documents

- Macro viruses infect [...]; [...] are written using [...] template files, while [...].

Page 29

Cluster Viruses

- Cluster viruses modify directory table entries so that directory entries point to the virus code instead of the actual program.
- There is only one copy of the virus on the disk, infecting all the programs in the computer.
- It will launch itself first when any program on the computer system is started, and control is then passed to the actual program.

Page 30

Stealth Viruses

- These viruses evade the anti-virus software by intercepting its requests to the operating system.
- A virus can hide itself by intercepting the anti-virus software's request to read the file and passing the request to the virus, instead of the OS.
- The virus can then return an uninfected version of the file to the anti-virus software, so that it appears as if the file is "clean".

[Figure: the anti-virus asks "Give me the system file tcpip.sys to scan"; the virus intercepts the request and hands back a clean copy.]

Page 31

Encryption Viruses

- This type of virus uses simple encryption to encipher the code.
- The virus is encrypted with a different key for each infected file.
- AV scanners cannot directly detect these types of viruses using a signature on the virus body. What stays constant is the small decryption routine, so a scanner signature for such a virus targets the decryptor rather than the body.

[Figure: three infected files, each carrying the same virus under a different encryption key (Virus 1, Virus 2, Virus 3).]

Page 32

Polymorphic Code

- To enable polymorphic code, the virus has to have a polymorphic engine, also called a mutating engine or mutation engine.
- A well-written polymorphic virus therefore has no parts that remain the same on each infection.

[Figure: decryptor routine, mutation engine and virus code combine into a new polymorphic virus each time a user runs an infected program.]
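The difference between the encryption virus on the previous slide and the polymorphic virus on this one is best seen from the scanner's side. The following is an added example, not from the CEH slides, that models a viral body encrypted under a toy decryptor "byte code" (XOR/ADD/SUB with an immediate, plus NOP padding) and runs three detectors over five samples of each kind: a signature on the body, a wildcard signature on the fixed decryptor, and generic decryption by emulating the decryptor before scanning. The viral body, the signature, the opcode values and the decryptor format are all constructed for this illustration; real engines emulate x86, but the outcome per detector is the same.

```python
"""Added example (not from the CEH slides): body signature vs decryptor
signature vs emulation against an encryption virus and a polymorphic virus.
The viral body, the signature, the opcodes and the stub format are constructed."""
import random

VIRUS_BODY = b"BAD_PAYLOAD:delete_files()"   # constructed stand-in for the constant viral body
BODY_SIG = b"BAD_PAYLOAD"                     # what a scanner's body signature would match
OP_XOR, OP_ADD, OP_SUB, OP_NOP, OP_END = 0x01, 0x02, 0x03, 0x90, 0xFF
INVERSE = {OP_XOR: OP_XOR, OP_ADD: OP_SUB, OP_SUB: OP_ADD, OP_NOP: OP_NOP}


def apply_ops(ops, data):
    """Run a decryptor program (list of (opcode, imm8)) over every byte of data."""
    out = bytearray(data)
    for op, k in ops:
        for i, b in enumerate(out):
            if op == OP_XOR:
                out[i] = b ^ k
            elif op == OP_ADD:
                out[i] = (b + k) & 0xFF
            elif op == OP_SUB:
                out[i] = (b - k) & 0xFF
    return bytes(out)


def encode_stub(ops):
    return b"".join(bytes([op, k]) for op, k in ops) + bytes([OP_END])


def decode_stub(sample):
    """Split a sample into its decryptor program and the encrypted body after it."""
    ops, i = [], 0
    while sample[i] != OP_END:
        ops.append((sample[i], sample[i + 1]))
        i += 2
    return ops, sample[i + 1:]


def encrypt_with(decryptor_ops):
    """Build stub + body encrypted so that running the stub restores VIRUS_BODY."""
    inverse_ops = [(INVERSE[op], k) for op, k in reversed(decryptor_ops)]
    return encode_stub(decryptor_ops) + apply_ops(inverse_ops, VIRUS_BODY)


def make_encryption_virus(rng):
    """Encryption virus: the same single-XOR decryptor every time, fresh key per file."""
    return encrypt_with([(OP_XOR, rng.randrange(1, 256))])


def make_polymorphic_virus(rng):
    """Polymorphic virus: the mutation engine emits a different decryptor per file
    (random mix of XOR/ADD/SUB, random keys, random NOP padding)."""
    ops = []
    for _ in range(rng.randrange(2, 5)):
        if rng.random() < 0.5:
            ops.append((OP_NOP, rng.randrange(256)))
        ops.append((rng.choice([OP_XOR, OP_ADD, OP_SUB]), rng.randrange(1, 256)))
    return encrypt_with(ops)


def body_signature_hit(sample):
    return BODY_SIG in sample


def stub_signature_hit(sample):
    """Wildcard signature for the fixed decryptor: XOR ?? END at the very start."""
    return sample[0] == OP_XOR and sample[2] == OP_END


def emulation_hit(sample):
    """Generic decryption: execute the stub in the emulator, then scan the result."""
    ops, payload = decode_stub(sample)
    return BODY_SIG in apply_ops(ops, payload)


def evaluate(seed=7, n=5):
    rng = random.Random(seed)
    enc = [make_encryption_virus(rng) for _ in range(n)]
    poly = [make_polymorphic_virus(rng) for _ in range(n)]
    return {
        "body_sig/encrypted": sum(map(body_signature_hit, enc)),
        "stub_sig/encrypted": sum(map(stub_signature_hit, enc)),
        "stub_sig/polymorphic": sum(map(stub_signature_hit, poly)),
        "emulation/encrypted": sum(map(emulation_hit, enc)),
        "emulation/polymorphic": sum(map(emulation_hit, poly)),
    }


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:24s} {hits}/5")
```

The body signature never fires on an encrypted sample, the decryptor signature catches every encryption-virus sample and none of the polymorphic ones, and emulation catches both; the limitation in practice is the cost of emulating far enough to reach the decrypted body.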

Page 33

Metamorphic Viruses

- Metamorphic viruses rewrite themselves completely each time they are to infect a new executable.
- Metamorphic code can reprogram itself by translating its own code into a temporary representation and then back to the normal code again. For example, W32/Simile consisted of over 14,000 lines of assembly code, 90% of which is part of the metamorphic engine.

[Figure: the text string "MetaPHOR v1 by The Mental Driller/29A" as it appears in four Simile variants: a.) the original, b.) Variant B, c.) Variant C, d.) the D variant (which was the "official" C of the original author).]

Page 34

Cavity Viruses

A cavity virus overwrites a part of the host file with a constant (usually nulls), without increasing the length of the file and preserving its functionality.

[Figure: a host file whose text ("Sales & marketing management is the leading authority for executives in the sales ...", "The suspect, Desmond Turner, surrendered to authorities at a downtown Indianapolis fast-food restaurant") is interleaved with runs of Null bytes; original file size: 45 KB.]
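The point of the slide is that the file size does not change, so a monitor that compares sizes (or that looks for an appended section, as the Page 8 diagram would suggest) sees nothing. The following is an added example, not from the CEH slides, that finds the null runs an infector would use, drops a payload into the largest one without changing the file length, and then shows that a size baseline passes while a content hash baseline fails. The host bytes reuse the slide's sample text, and the padding and payload are constructed.

```python
"""Added example (not from the CEH slides): why a size check cannot see a
cavity infection while a content hash can.  Host bytes, null runs and the
'viral' bytes are constructed; the text fragments are the slide's own."""
import hashlib


def null_runs(data, min_len=16):
    """(offset, length) of every run of zero bytes at least min_len long,
    i.e. the cavities an infector looks for."""
    runs, start = [], None
    for i, b in enumerate(data + b"\x01"):       # sentinel closes a trailing run
        if b == 0:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    return runs


def cavity_overwrite(data, payload):
    """Model of the cavity method: payload goes into the largest cavity; the
    file length and every byte outside the cavity stay untouched."""
    fits = [r for r in null_runs(data) if r[1] >= len(payload)]
    if not fits:
        raise ValueError("no cavity large enough")
    off = max(fits, key=lambda r: r[1])[0]
    return data[:off] + payload + data[off + len(payload):]


def baseline(data):
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def integrity_check(data, base):
    """(size_matches, hash_matches); an integrity checker must rely on the second."""
    return len(data) == base["size"], hashlib.sha256(data).hexdigest() == base["sha256"]


HOST = (b"Sales & marketing management is the leading authority for executives"
        + b"\x00" * 64
        + b"The suspect, Desmond Turner, surrendered to authorities at a downtown "
        + b"Indianapolis fast-food restaurant"
        + b"\x00" * 200)
VIRAL = b"\xeb\xfe" * 25                         # constructed 50-byte stand-in payload


def demo():
    base = baseline(HOST)
    infected = cavity_overwrite(HOST, VIRAL)
    return null_runs(HOST), integrity_check(infected, base)


if __name__ == "__main__":
    runs, (size_ok, hash_ok) = demo()
    print("cavities:", runs, "| size matches:", size_ok, "| hash matches:", hash_ok)
```

A practical baseline therefore records a hash per file (and, for executables, per section) rather than sizes or timestamps, both of which a cavity infector leaves intact.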

Page 35

Sparse Infector Viruses

- Infects only occasionally (e.g., every tenth program executed), or only files whose [...].
- Example trigger: wake up on the 15th of every month and execute code.

Page 36

Companion Viruses

- A companion virus creates a companion file for each executable file the virus infects.
- Therefore, a companion virus may save itself as notepad.com, and every time a user executes notepad.exe (the good program), the computer will load notepad.com [...].

[Figure: the virus infects the system with a file notepad.com and saves it in the c:\winnt\system32 directory next to Notepad.exe.]
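Why notepad.com wins: when a user types a command without an extension, cmd.exe tries the PATHEXT extensions in order, and the default order lists .COM before .EXE, so a same-named .com in the same directory runs instead of the program. The following is an added example, not from the CEH slides, that hunts for that pattern in a directory and reports whether the companion is newer than the program it shadows. The directory, its stub "executables" and the planted companion are constructed in a temporary folder; .pif and .bat twins are reported as well, because a companion may rely on an icon or shortcut rather than on the PATHEXT lookup.

```python
"""Added example (not from the CEH slides): hunt for companion files
(notepad.com beside notepad.exe).  The directory contents are constructed
stubs written to a temp folder, not real programs."""
import os
import tempfile
import time
from pathlib import Path

# .com wins the default PATHEXT lookup (.COM;.EXE;.BAT;...); .pif/.bat twins are
# reported too because a companion may rely on an icon or shortcut instead.
COMPANION_EXTS = (".com", ".pif", ".bat")


def find_companions(directory):
    """Return (exe, companion, companion_is_newer) for every .exe that has a
    same-stem file with one of the companion extensions in the same directory."""
    hits = []
    for exe in sorted(Path(directory).glob("*.exe")):
        for ext in COMPANION_EXTS:
            twin = exe.with_suffix(ext)
            if twin.exists():
                hits.append((exe.name, twin.name, twin.stat().st_mtime > exe.stat().st_mtime))
    return hits


def build_demo_dir():
    """Constructed stand-in for c:\\winnt\\system32 with one planted companion."""
    d = Path(tempfile.mkdtemp())
    month_ago = time.time() - 30 * 86400
    for name in ("notepad.exe", "calc.exe"):
        (d / name).write_bytes(b"MZ" + b"\x00" * 62)      # stub, not a real program
        os.utime(d / name, (month_ago, month_ago))
    (d / "notepad.com").write_bytes(b"\xb8\x00\x4c\xcd\x21")   # mov ax,4c00h / int 21h stub
    return d


if __name__ == "__main__":
    for exe, twin, newer in find_companions(build_demo_dir()):
        suffix = " (newer than the program it shadows)" if newer else ""
        print(f"{twin} shadows {exe}{suffix}")
```

The same hunt extends to PATH order: a notepad.exe in a directory that precedes %SystemRoot%\system32 in PATH shadows the real one without needing a different extension at all.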

Page 37

Shell Viruses

- [Virus code forms a shell around] the original program, making itself the original program and the host code its sub-routine.

Page 38

File Extension Viruses

1. [File extension viruses change the extensions of files.]
2. .TXT is safe as it indicates a pure text file.
3. With extensions turned off, if someone sends you a file named [...], you [...].
4. If you have forgotten that extensions are [...].
5. This is an [...] in Windows.

[Figure: Windows Folder Options dialog, Advanced settings, with the option that hides file extensions for known file types.]
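The slide's point is that what Explorer displays and what Windows executes are decided by different rules: the display drops the last known extension, while execution uses it. The following is an added example, not from the CEH slides, that models the displayed name and flags the three common ways a name exploits the gap: a double extension, a run of spaces that pushes the real extension out of view, and a right-to-left override character that reverses the tail of the name. The filenames and the extension lists are constructed for this illustration.

```python
"""Added example (not from the CEH slides): flag attachment names that look
harmless once Windows hides known extensions or applies a right-to-left
override.  Filenames and extension lists are constructed."""
import re

DANGEROUS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".lnk"}
LOOKS_HARMLESS = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls", ".mp3"}
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE: everything after it is displayed reversed


def as_displayed(name, hide_known_extensions=True):
    """Approximate what Explorer shows: an RLO reverses the tail; with the default
    'hide extensions for known file types' the final extension disappears."""
    if RLO in name:
        head, tail = name.split(RLO, 1)
        return head + tail[::-1]
    if hide_known_extensions and "." in name:
        return name.rsplit(".", 1)[0]
    return name


def deceptive_name(name):
    """Return the reasons a filename is misleading; [] for honest names."""
    reasons = []
    lower = name.lower()
    real_ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
    if real_ext not in DANGEROUS:
        return reasons                      # what runs is what is shown; nothing to flag
    stem = lower[: -len(real_ext)]
    if RLO in name:
        reasons.append(f"right-to-left override: displays as {as_displayed(name)!r}, runs as {real_ext}")
    inner = "." + stem.rstrip().rsplit(".", 1)[1] if "." in stem else ""
    if inner in LOOKS_HARMLESS:
        reasons.append(f"double extension: shown as {as_displayed(name)!r} with extensions hidden, runs as {real_ext}")
    if re.search(r"\s{5,}$", stem):
        reasons.append("long run of spaces pushes the real extension out of view")
    return reasons


if __name__ == "__main__":
    for sample in ("notes.txt", "setup.exe", "holiday.jpg.exe",
                   "report.txt           .exe", "invoice" + RLO + "fdp.exe"):
        print(repr(sample), "->", deceptive_name(sample) or "ok")
```

Note that `setup.exe` is not flagged: an honest executable name is a policy question for the mail gateway, whereas the three flagged patterns are attempts to misrepresent the file type to the user.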

Page 39

Add-on and Intrusive Viruses

- Add-on viruses append their code to the host code without making any changes to the latter, or relocate the host code to insert their own code at the beginning.

Page 40

Transient and Terminate and Stay Resident Viruses

- Transient virus: transfers all the controls of the host code to where it resides; selects the target program to be modified and corrupts it.
- Terminate and Stay Resident (TSR) virus: remains in memory during the entire work session, even after the target host's program is executed and terminated; can be removed only by [...].

Posted: 14/12/2021, 18:37