
CEHv8 module 07 viruses and worms


DOCUMENT INFORMATION

Basic information

Format
Pages: 106
Size: 4.9 MB


Contents


Page 1

Viruses and Worms

Module 07

Page 3

A new cyber espionage program linked to the notorious Flame and Gauss malware has been detected by Russia's Kaspersky Lab.

The anti-virus giant's chief warns that global cyber warfare is in "full swing" and will probably escalate in 2013.

The virus, dubbed miniFlame, and also known as SPE, has already infected computers in Iran, Lebanon, France, the United States and Lithuania. It was discovered in July 2012 and is described as "a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a statement posted

Page 4

But later, Kaspersky Lab analysts discovered that miniFlame is an "interoperable tool that could be used as an independent malicious program, or concurrently as a plug-in for both the Flame and Gauss malware".

The analysis also showed new evidence of cooperation between the creators of Flame and Gauss, as both viruses can use miniFlame for their operations.

Page 8

Introduction to Viruses

A virus is a self-replicating program that produces its own copy by attaching itself

codes. This virus operates without the knowledge or desire of the user. Like a real virus, a computer virus is contagious and can contaminate other files. However, viruses can infect

Page 10

FIGURE 7.1: Virus and Worm Statistics

Module 07 Page 1015 Ethical Hacking and Countermeasures Copyright © by EC-Council

Page 13

[Figure residue (file infection diagram): Before Infection; After Infection; Virus Infected File]

Page 15

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Page 16

FIGURE 7.3: Working of Viruses in Attack Phase

Refer to this figure, which has two files, A and B. In section one, the two files are located one

Page 21

Mimicking legitimate institutions, such as banks, in an attempt to steal account login credentials


Page 22

[Screenshot of the hoax warning e-mail; the OCR text is mostly unreadable. Legible fragments: "PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS", "RESIGNATION OF BARACK OBAMA", "regardless of who sent it to you", "discovered by McAfee yesterday and there is no repair yet for this"]


Page 23

This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.

COPY THIS EMAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US.

End-of-mail. Thanks.

FIGURE 7.3: Hoaxes Warning Message

Fake Antiviruses

Fake antivirus is a method hackers use to compromise a system. It can poison your system and corrupt the registry and system files to allow the attacker to take full control of, and access to, your computer. It appears and behaves like a real antivirus program.

Page 24

FIGURE 7.4: Example of a Fake Antivirus


Page 26

[Figure residue (DNSChanger diagram): Real Website, IP: 200.0.0.45, http://www.totaldefense.com; Attacker runs DNS Server in Russia (IP: 64.28.176.2); DNSChanger infects the victim's computer by changing her DNS IP address to 64.28.176.2]


Page 29

macro viruses, cluster viruses, stealth/tunneling viruses, encryption viruses, metamorphic viruses, shell viruses, and so on. Computer viruses are the malicious software programs written

Page 33

is divided into areas, called sectors, where the programs are stored.

The two types of system sectors are:

MBR (Master Boot Record)

MBRs are the most virus-prone zones because if the MBR is corrupted, all data will be lost.

floppy disk. These viruses generally reside in the memory. They can also be caused by Trojans.

Some sector viruses also spread through infected files, and they are called multipart viruses.


Page 36

FIGURE 7.7: File and Multipartite Viruses


Page 37

[Figure residue (macro virus diagram): Infects Macro Enabled Documents; User; Attacker]

Page 38

FIGURE 7.8: Macro Viruses


Page 39

Cluster viruses modify directory table entries so that they point users or system processes to the virus code instead.

The virus launches itself first when any program on the computer system is started, and then control is passed to the actual program.


Page 40

Stealth/Tunneling Viruses

Page 41

FIGURE 7.9: Working of Stealth/Tunneling Viruses


Page 42

Encryption Viruses

[Figure residue (encryption virus diagram): Virus Code; Encryption Virus 2; Encryption Virus 3]

Page 43

FIGURE 7.10: Working of Encryption Viruses


Page 44

routine decrypts virus code and

Page 45

[Figure residue (polymorphic virus diagram): New Polymorphic Virus; Encrypted Mutation Engine (EME); Instruct to A; Decryptor routine decrypts virus code and mutation engine]

Page 46

Metamorphic Viruses

For example, W32/Simile consisted of over 14000 lines of assembly code,

a temporary representation and then back to the normal code again

[Screenshot residue (W32/Simile, "MetaPHOR" variants): a.) Variant A; b.) Variant B; c.) The "Unofficial" Variant C; d.) The D variant (which was the "official" C of the original author)]


Page 47

[Screenshot residue: "mETAPhOr 1C bY tHE mENtal dRilleR/29A" and "mEtAPHOR 1b BY tHe MeNTAl drilLER/29A" message-box strings; panel d.) The D variant (which was the "official" C of the original author)]

FIGURE 7.12: Metamorphic Viruses Screenshot

Page 48

File Overwriting or Cavity Viruses

A cavity virus overwrites a part of the host file with a constant (usually nulls), without increasing the length of the file and while preserving its functionality.

This type of virus is rarely used because it is difficult to write. A new Windows file format called the Portable Executable is designed for the fast loading of programs. However, it leaves a certain gap in the file while it is being executed that can be used by the Space Filler Virus to insert itself. The most popular virus family is the CIH virus.

[Figure residue (cavity virus diagram): Infected File Size: 45 KB; a block of Null values; sample host-file text "Sales and marketing management is the leading authority for executives in the sales and marketing management industries" and "The suspect, Desmond Turner, surrendered to authorities at a downtown Indianapolis fast-food restaurant"]


Page 49


Sparse Infector Viruses

Sparse infector viruses infect only occasionally (e.g., every tenth program executed, or on a particular day of the week) or only files whose lengths fall within a narrow range. By infecting less often, these viruses try to minimize the probability of being discovered.

[Figure text: Wake up on 15th of every month and execute code]

FIGURE 7.14: Working of Sparse Infector Viruses


Page 50

[Figure residue (companion virus diagram): Notepad.com; Virus infects the system with a file notepad.com and saves it in the c:\winnt\system32 directory; Notepad.exe; Attacker]


Source: http://www.cknow.com/vtutor/CompanionViruses.html

Here is what happens: Suppose a companion virus is executing on your PC and decides it is time to infect a file. It looks around and happens to find a file called PGM.EXE. It now creates a file called PGM.COM, containing the virus. The virus usually plants this file in the same directory as the EXE file, but it could place it in any directory on your DOS path. If you type PGM and press Enter, DOS executes PGM.COM instead of PGM.EXE. (In order, DOS will execute COM, then EXE, and then BAT files of the same root name, if they are all in the same directory.) The virus executes, possibly infecting more files, and then loads and executes PGM.EXE. The user probably would fail to notice anything is wrong. It is easy to detect a companion virus just by the presence of the extra COM file in the system.


Page 51

[Figure residue (companion virus diagram): Virus infects the system with a file notepad.com and saves it in the c:\winnt\system32 directory; Notepad.com; Notepad.exe; Attacker]

FIGURE 7.15: Working of Companion/Camouflage Viruses


Page 52

Shell Viruses

Virus code forms a shell around the target host program's code, making itself the original program and the host code its sub-routine.

Almost all boot program viruses are shell viruses.

A shell virus's code forms a layer around the target host program's code that can be compared to an "egg shell," making itself the original program and the host code its sub-routine. Here, the original code is moved to a new location by the virus code and the virus assumes its identity.

[Figure residue (shell virus diagram): Before Infection: Original Program; After Infection: Original Program, Virus Code]

FIGURE 7.16: Working of Shell Viruses


Page 53

Exam 312-50 Certified Ethical Hacker  Ethical Hacking and Countermeasures

[Screenshot residue (Windows Folder Options, Advanced settings, Files and Folders): Always show icons, never thumbnails; Always show menus; Display file icon on thumbnails; Display file size information in folder tips; Display the full path in the title bar; Hidden files and folders: Don't show hidden files, folders, or drives / Show hidden files, folders, and drives (selected); Hide empty drives in the Computer folder; Hide folder merge conflicts]

If you have forgotten that extensions are turned off, you might think this is a text file and open it.

This is an executable Visual Basic Script virus file and could do serious damage.

The countermeasure is to turn off "Hide file extensions" in Windows.


Source: http://www.cknow.com/vtutor/FileExtensions.html

File extension viruses change the extensions of files.

TXT is safe as it indicates a pure text file.

With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you can only see BAD.TXT.

If you have forgotten that the extensions are actually turned off, you might think this is a text file and open it.

This is an executable Visual Basic Script virus file that could do serious damage.

The countermeasure is to turn off "Hide file extensions" in Windows, as shown in the following screenshot:
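An added example (not from the module or cknow.com): a Python check that reproduces what Explorer shows when extensions are hidden and flags names whose real extension is executable while the displayed one looks like plain data. The extension sets and function names are assumptions, the sample names are constructed, and the model simplifies Explorer by always dropping the last extension.

```python
"""Double-extension check: what Explorer shows with 'Hide file extensions'
on, versus what the file really is."""
import os
from typing import Iterable, List, NamedTuple

# Extensions Windows will run or script (assumed list for this example).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".vbe", ".js",
                   ".jse", ".wsf", ".wsh", ".scr", ".pif", ".ps1", ".hta"}
# Extensions a user would reasonably treat as plain data (assumed list).
BENIGN_EXTS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".gif"}


class Verdict(NamedTuple):
    real_name: str    # name as stored on disk
    shown_name: str   # what Explorer displays with extensions hidden
    real_ext: str     # the extension that actually decides how it opens
    deceptive: bool   # executable masquerading as a data file


def explorer_display_name(name: str) -> str:
    """With 'Hide extensions for known file types' on, Explorer drops only
    the last extension, so BAD.TXT.VBS is shown as BAD.TXT (simplified)."""
    root, ext = os.path.splitext(name)
    return root if ext else name


def classify(name: str) -> Verdict:
    """Compare the visible name with the real extension."""
    shown = explorer_display_name(name)
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    deceptive = real_ext in EXECUTABLE_EXTS and shown_ext in BENIGN_EXTS
    return Verdict(name, shown, real_ext, deceptive)


def find_deceptive(names: Iterable[str]) -> List[Verdict]:
    """Return only the names that would fool a user with extensions hidden."""
    return [v for v in map(classify, names) if v.deceptive]


# Constructed sample attachment names.
SAMPLE = ["BAD.TXT.VBS", "report.pdf", "notes.txt", "invoice.pdf.exe", "setup.exe"]

if __name__ == "__main__":
    for v in map(classify, SAMPLE):
        flag = "DECEPTIVE" if v.deceptive else "ok"
        print(f"{v.real_name:18} shown as {v.shown_name:12} -> {flag}")
```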


Posted: 14/04/2017, 09:08
