Cybersecurity Document: Viruses and Worm

Pages: 47
Size: 5.06 MB


Contents


Page 1

Viruses and Worm

Page 3

Introduction to Viruses

• A virus is a self-replicating program that produces its own code by attaching copies of itself to other executable code

• Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a predetermined logical condition is met

Page 4

Stages of a Virus

within the target system and then spreads itself

3 Launch: the virus is activated when the user performs a certain action, such as running an infected program

3 Detection: the virus is identified as a threat infecting target systems

4 Incorporation: anti-virus software developers assimilate defenses against the virus

5 Elimination: users install anti-virus updates and eliminate the virus threat

Page 5

Working of viruses: Infection phase

• In the infection phase, the virus replicates itself and attaches to an .exe file in the system

• Some viruses infect each time they are run and executed completely

• Others infect only when the user triggers them, which can include a day, time, or a particular event

[Figure: clean exe file becomes infected exe file]

Page 6

Working of viruses: Attack Phase

• Some viruses have a trigger event to activate and corrupt systems

• Some viruses have bugs that replicate and perform activities such as file deletion and increasing the session's time

• Viruses can corrupt the targets only after spreading completely, as intended by their developer

Page 7

Why do people create computer viruses?

• Virus writers can have various reasons for creating and spreading viruses:

• Inflict damage to competitors

• Financial benefit

• Research project

• Play a prank

• Cyber terrorism

• Vandalism

• Distribute a political message

Page 8

Indications of Virus Attack

manner, you can suspect a virus attack. For example, processes take more resources and time

• False positive: however, not all glitches can be attributed to a virus attack

• Files and folders are missing

• Hard drive is accessed often

Page 9

How does a computer get infected by viruses?

• Not running the latest anti-virus application

• Not updating and not installing new versions of plug-ins

• Installing pirated software

• Opening infected email attachments

• When a user accepts files and downloads without properly checking the source

Page 10

Virus Hoaxes

– existing virus which may contain virus attachments

message should not be viewed and doing so will damage one's system

Page 11

Virus Analysis: W32/Sality.AA

• W32/Sality.AA is a virus that also acts as a keylogger and spreads via email by piggy-backing on the W32/Netsky-T worm

• It infects files with the extensions ".exe" and ".scr" on all drives, excluding those under Windows

• W32/Sality-AA creates the files <system>\vcmgcd32.dll and <system>\vcmgcd32.dll_

• The virus logs system information and keystrokes to certain windows and periodically submits them to a remote website

• W32/Sality-AA deletes all files found on the system with the extensions ".vdb" and ".avc", and files that start with "drw" and end with ".key"

• It modifies <Windows>\system.ini by adding the following:

    [MCIDRV_VER]
    DEVICE = <random string>

Page 12

Virus Analysis: W32/Total-A

• W32/Total-A is an email-aware virus that arrives as an attachment called Binladen_Brasil.exe

• The subject of the email will be related to the conflict in Afghanistan

Page 13

Virus Analysis: W32/Total-A

• The blank message has a MIME header encoded to exploit vulnerabilities in IE 5.01/5.5 that run an attachment automatically when the email is viewed

• If the attached file is executed, it drops the library file INVICTUS.DLL to the Windows system directory and the virus itself to the Windows directory, using a random 3-letter name consisting of the upper-case characters 'A' to 'O'

• The virus may also make a copy of itself in the C:\ directory; these copies of the virus will have their file attributes set to hidden and read-only

• The virus adds its pathname to the "shell=" line in the [Boot] section of <Windows>\System.ini; this causes the virus to be run automatically each time the machine is restarted

• The virus makes the C: drive shareable by setting various subkeys of HKLM\Software\Microsoft\Windows\CurrentVersion\Network\Lanman\Binladen
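The two persistence indicators on the preceding slides, the [MCIDRV_VER] DEVICE entry that W32/Sality.AA adds and the extra pathname that W32/Total-A appends to the shell= line in the [Boot] section of system.ini, can be checked with a small INI parser. The following is an added example for this page, not code from the slides; the sample system.ini text is constructed, and the assumption that a clean shell= line names only Explorer.exe is the author's of this example.

```python
"""Check a Windows 9x-style system.ini for the two persistence
indicators described on these slides: a [MCIDRV_VER] section carrying a
DEVICE entry (W32/Sality.AA) and a modified shell= line in [boot]
(W32/Total-A).

Added example for this page; not code from the slides. The sample
system.ini below is constructed for the demonstration."""

from typing import Dict, List, Tuple

# Constructed sample: a system.ini carrying both indicators.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe C:\\WINDOWS\\ABC.EXE
mouse.drv=mouse.drv

[386Enh]
device=*vpd

[MCIDRV_VER]
DEVICE = 8f2kd92ksl0ds
"""

# Assumption: a clean [boot] shell= line names only this program.
EXPECTED_SHELL = "explorer.exe"


def parse_ini(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal INI parser: section names are lower-cased, keys keep
    their order and case, whitespace around '=' is stripped. Duplicate
    keys are kept (configparser would reject them)."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def check_system_ini(text: str) -> List[str]:
    """Return human-readable findings; an empty list means clean."""
    findings: List[str] = []
    sections = parse_ini(text)

    # W32/Total-A indicator: a pathname appended to the shell= line.
    for key, value in sections.get("boot", []):
        if key.lower() != "shell":
            continue
        tokens = value.split()
        if not tokens or tokens[0].lower() != EXPECTED_SHELL or len(tokens) > 1:
            findings.append(f"[boot] shell= modified: {value!r}")

    # W32/Sality.AA indicator: [MCIDRV_VER] section with a DEVICE entry.
    for key, value in sections.get("mcidrv_ver", []):
        if key.lower() == "device":
            findings.append(f"[MCIDRV_VER] DEVICE entry present: {value!r}")

    return findings


if __name__ == "__main__":
    for finding in check_system_ini(SAMPLE_SYSTEM_INI):
        print("FINDING:", finding)
```

The parser deliberately tolerates duplicate keys and odd spacing, since a file edited by malware is not guaranteed to be well-formed; a check that crashes on malformed input is a check that never fires.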

Page 14

Virus Analysis: W32/Virut

appending file infectors that have EPO (Entry Point Obscuring) capabilities

Infection Method

Page 15

Virus Analysis: W32/Virut

Page 16

Virus Analysis: Klez

• It spoofs its email messages so that they appear to have been sent by certain email accounts, including accounts that are not infected

• Its email messages arrive with randomly selected subjects

• The Klez virus arrives as an email attachment that automatically runs when viewed or previewed in Microsoft Outlook or Outlook Express

• It is a memory-resident mass-mailing worm that uses its own SMTP engine to propagate via email

Page 17

Virus Analysis: Klez

Page 18

Type of Virus

• File overwriting or Cavity Virus

Page 19

Type of Virus

• Shell Virus

• File Extension Virus

• Add-on and Intrusive Viruses

• Transient and Terminate and Stay Resident Virus

Page 20

System or Boot Sector Viruses

location on the hard disk and copies itself to the original location of the MBR

first and then control is passed to the original MBR

Page 21

File and Multipartite Viruses

• File viruses infect files which are executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ, MNU, and BAT files

• File viruses can be either direct action (non-resident) or memory resident

• Multipartite viruses attempt to attack both the boot sector and executable or program files at the same time

Page 22

Macro Viruses

• Macro viruses infect files created by Microsoft Word or Excel

• Most macro viruses are written using the macro language Visual Basic for Applications (VBA)

infected documents into template files, while maintaining their appearance of ordinary document files

Page 23

Cluster Virus

• Cluster viruses modify directory table entries so that directory entries point to the virus code instead of the actual program

• There is only one copy of the virus on the disk, infecting all the programs in the computer system

• The virus will launch itself first when any program on the computer system is started, and then control is passed to the actual program

Page 24

Stealth/Tunneling Viruses

• These viruses evade anti-virus software by intercepting its requests to the operating system

• A virus can hide itself by intercepting the anti-virus software's request to read the file and passing the request to the virus, instead of the OS

• The virus can then return an uninfected version of the file to the anti-virus software, so that it appears as if the file is "clean"

Page 25

Encryption Virus

• This type of virus uses simple encryption to encipher its code

• The virus is encrypted with a different key for each infected file

• AV scanners cannot directly detect this type of virus using signature detection methods

Page 26

Polymorphic Code

• Polymorphic code is code that mutates while keeping the original algorithm intact

• To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine)

• A well-written polymorphic virus therefore has no parts that stay the same on each infection

Page 27

Metamorphic Virus

• Metamorphic viruses rewrite themselves completely each time they are to infect a new executable

• Metamorphic code can reprogram itself by translating its own code into a temporary representation and then back to normal code again

• For example, W32/Simile consisted of over 14000 lines of assembly code, 90% of which is part of the metamorphic engine

Page 28

File overwriting or Cavity Viruses

• Cavity viruses overwrite a part of the host file with a constant (usually nulls), without increasing the length of the file, and preserve its functionality

Page 29

Sparse Infector Virus

• Sparse infector viruses infect only occasionally, for example every tenth program, or only files whose lengths fall within a narrow range

• By infecting less often, such viruses try to minimize the probability of being discovered

[Figure: wake on Monday of every week and execute code]

Page 30

Companion/Camouflage Virus

executable file the virus infects

• notepad.com, and every time a user executes notepad.exe (the good program), the computer will load notepad.com (the virus) and infect the system

• The virus infects the system with a file notepad.com and saves it in the C:\winnt\system32 directory

Page 31

Shell Viruses

• The virus code forms a shell around the target host program's code, making itself the original program and the host code its sub-routine

• Almost all boot program viruses are shell viruses

Page 32

File Extension Viruses

• A file extension virus changes the

BAD.txt.vbs, you only see BAD.txt

• If you have forgotten that extensions are turned off, you might think this is a text file and open it

• Then it executes Visual Basic Script and could do serious damage

• Countermeasure: turn off "Hide file extensions" in Windows
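Both the companion virus on page 30 (notepad.com shadowing notepad.exe) and the double-extension trick on this page (BAD.txt.vbs shown as BAD.txt) leave a trace in nothing more than the file names of a directory, so a listing can be screened for them. The following is an added example for this page, not code from the slides; the directory listing is constructed, and the sets of executable and document extensions are the example author's assumptions.

```python
"""Screen a directory listing for two filename-level indicators from
these slides: a companion .com file beside a .exe of the same name, and
a 'double extension' such as BAD.txt.vbs whose executable extension is
hidden when Windows hides known extensions.

Added example for this page; not code from the slides. The listing
below is constructed; scan_directory() applies the same checks to a
real directory."""

import os
from typing import Dict, List

# Extensions Windows runs directly (assumed list; extend as needed).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                   ".vbs", ".js", ".wsf"}
# Extensions a user expects to open harmlessly in a viewer (assumed).
DOCUMENT_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".jpeg", ".png", ".xls"}

# Constructed listing of a system directory, in the spirit of the slides.
SAMPLE_LISTING = [
    "notepad.exe",
    "notepad.com",        # companion shadowing notepad.exe
    "calc.exe",
    "command.com",        # .com with no .exe sibling: not flagged
    "BAD.txt.vbs",        # shows as BAD.txt with extensions hidden
    "report.pdf",
    "invoice.PDF.exe",    # match is case-insensitive
    "archive.tar.gz",     # two extensions, neither executable
]


def find_companions(names: List[str]) -> List[str]:
    """Return .com names that shadow a .exe with the same stem. Command
    resolution tries .com before .exe, so the companion runs instead of
    the real program."""
    lower = {n.lower() for n in names}
    hits = []
    for n in names:
        stem, ext = os.path.splitext(n)
        if ext.lower() == ".com" and (stem.lower() + ".exe") in lower:
            hits.append(n)
    return hits


def find_double_extensions(names: List[str]) -> List[str]:
    """Return names whose last extension is executable while the one
    before it is a document type, e.g. BAD.txt.vbs."""
    hits = []
    for n in names:
        inner, outer = os.path.splitext(n)
        _, inner_ext = os.path.splitext(inner)
        if outer.lower() in EXECUTABLE_EXTS and inner_ext.lower() in DOCUMENT_EXTS:
            hits.append(n)
    return hits


def scan_names(names: List[str]) -> Dict[str, List[str]]:
    """Run both checks over a list of file names."""
    return {
        "companion": find_companions(names),
        "double_extension": find_double_extensions(names),
    }


def scan_directory(path: str) -> Dict[str, List[str]]:
    """Run both checks over a real directory (non-recursive)."""
    return scan_names(os.listdir(path))


if __name__ == "__main__":
    for kind, hits in scan_names(SAMPLE_LISTING).items():
        print(f"{kind}: {hits}")
```

A .com file with no .exe sibling (command.com in the sample) is legitimate and is not reported; the companion check is specifically about the pair, which is what distinguishes the technique from an ordinary old-style executable.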

Page 33

Add-on and Intrusive Viruses

• Add-on viruses append their code to the host code without making any changes to the latter, or relocate the host code to insert their own code at the beginning

• Intrusive viruses overwrite the host code partly or completely with the viral code

Page 34

Transient and Terminate and Stay Resident Viruses

• Basic infection technique of a direct action or transient virus: transfer all control of the host code to where the virus resides

• Select the target program to be modified and corrupt it

• Basic infection technique of a terminate and stay resident (TSR) virus: remain permanently in memory during the entire network session, even after the target host's program is executed and terminated; it can be removed by rebooting the system

Page 35

Writing a simple virus

Page 36

Writing a simple virus

Page 37

Writing a simple virus

Page 38

Writing a simple virus

Computer Worms

replicate, execute, and spread across the network

connections independently without human interaction

spread across the network, consume available computer resource However some worms carry a payload to

damage the host system

infected computers, which turns them into zombies and

create botnet; these botnets can be used to carry

further cyber attacks

Page 40

How is a worm different from a virus?

• A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs

• A worm takes advantage of file or information transport features on computer systems and spreads through the infected network automatically, but a virus does not

Page 41

Example of worm infection: Conficker worm

• The Conficker worm is a computer worm that infects computers and spreads itself to other computers across a network automatically, without human interaction

• Users are locked out of the directory

• Autorun.inf files are placed in the recycled directory or trash bin

• Access to security-related sites is blocked

• Traffic is sent through port 445 to non-Directory Services servers

• Access to administrator shared drives is denied
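The port 445 indicator above is one that network logs can surface without any host access: SMB traffic is expected to domain controllers and file servers, so a workstation opening 445 to many of its neighbours is the spread pattern to look for. The following is an added example for this page, not code from the slides; the connection-log format, the log lines and the allowlist of known SMB servers are all constructed for the demonstration.

```python
"""Flag TCP/445 (SMB) connections to hosts that are not known Directory
Services or file servers, and pick out sources that touch several such
hosts, over a constructed connection log.

Added example for this page; not code from the slides. The log format
(timestamp src dst dport proto) and the server allowlist are assumptions
made for the demonstration."""

from typing import Dict, List, NamedTuple, Set

# Hosts legitimately expected to receive SMB traffic (assumed).
KNOWN_SMB_SERVERS = {"10.0.0.5", "10.0.0.6"}

# Constructed connection log: one line per flow attempt.
SAMPLE_LOG = """\
2015-10-17T09:00:01 10.0.1.21 10.0.0.5 445 tcp
2015-10-17T09:00:02 10.0.1.21 10.0.1.22 445 tcp
2015-10-17T09:00:02 10.0.1.21 10.0.1.23 445 tcp
2015-10-17T09:00:03 10.0.1.21 10.0.1.24 445 tcp
2015-10-17T09:00:03 10.0.1.40 10.0.0.6 445 tcp
2015-10-17T09:00:04 10.0.1.40 93.184.216.34 443 tcp
2015-10-17T09:00:05 10.0.1.21 10.0.1.25 445 tcp
"""


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_log(text: str) -> List[Flow]:
    """Parse the assumed five-field format; malformed lines are skipped
    rather than allowed to abort the whole run."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        ts, src, dst, dport, proto = parts
        flows.append(Flow(ts, src, dst, int(dport), proto.lower()))
    return flows


def suspicious_smb(flows: List[Flow]) -> List[Flow]:
    """SMB to anything other than the known servers is worth a look."""
    return [f for f in flows
            if f.dport == 445 and f.proto == "tcp"
            and f.dst not in KNOWN_SMB_SERVERS]


def scanners(flows: List[Flow], threshold: int = 3) -> Dict[str, int]:
    """Sources with at least `threshold` distinct non-server SMB targets:
    one host probing its neighbours on 445 is the lateral-spread pattern."""
    targets: Dict[str, Set[str]] = {}
    for f in suspicious_smb(flows):
        targets.setdefault(f.src, set()).add(f.dst)
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for f in suspicious_smb(flows):
        print("SMB to non-server:", f.src, "->", f.dst, f.ts)
    print("likely scanners:", scanners(flows))
```

The threshold keeps a single stray peer-to-peer share from raising an alert; in the sample, 10.0.1.21 reaches four different workstations on 445 within seconds while 10.0.1.40 only talks to an allowlisted server, so only the first is reported.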

Page 42

What does the Conficker worm do?

• The Conficker worm can also disable important services on your computer

• In the AutoPlay dialog box, the option "Open folder to view files – Publisher not specified" was added by the worm

• The highlighted option, "Open folder to view files – using Windows Explorer", is the option that Windows provides and the option you should use

• If you select the first option, the worm executes and can begin to spread itself to other computers

Page 43

How does the Conficker worm work?

Page 44

Worm analysis: W32/Netsky

• W32/Netsky-A is a worm that spreads using email and Windows network shares

• It searches all mapped drives for files with these extensions in order to find email addresses: MSG, OFT, SHT, DBX, TBB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, PL, HTM, PHP, TXT, EML

• The worm will also attempt to copy itself into the root folder of drives C: to Z: using many different names

Page 45

Worm analysis: W32/Netsky

Page 46

Worm analysis: W32/Bagle.CE

Page 47

Worm Maker: Internet Worm Maker Thing

Posted: 17/10/2015, 16:23
