Viruses and Worms - SCF Faculty Site Homepage
advertisement
7.1 Virus, characteristics of a virus, working of a virus, and virus hoaxes Exam Focus: Virus, characteristics of a virus, working of a virus, and virus hoaxes. Objective includes: Understand a virus. Characteristics of a virus. Learn the working of a virus. Understand the motive behind writing a virus. Understand how does a computer get infected by viruses. Gain insights on virus hoax. Virus A virus is an executable file that infects documents, has replacing ability, and avoids detection. Viruses are designed to corrupt or delete data files from the hard disk. The virus harms the operating system by replacing one or more programs. The virus slows down the speed of the operating system by replicating itself. IDA Pro is a virus analysis tool. The following are the characteristics of a virus: It infects other program. It alters data. It corrupts files and programs. It encrypts itself. It propagates by itself. It transforms itself. Virus databases Virus databases include all information about a virus such as the date of creation of the virus, working of the virus, methods of prevention from the virus, etc. Many antivirus companies and network security communities gather all the information regarding the virus so that they can create awareness among users. Alwil's AVAST database, F-Secure AntiVirus database, Kaspersky AntiVirus database, and McAfee's Virus Information Library are some good examples of virus databases. Classifications of a virus Viruses can be classified in the following ways: 1. Classification by size o Tiny viruses: Tiny viruses are viruses having a size of not more than 500 bytes. o Large viruses: Large viruses are viruses having a size of more than 1500 bytes. 2. Classification by functionalities o Run-time viruses: Run-time viruses are viruses which infect a program when it is running. o TSR viruses: TSR viruses infect the files upon opening or closing; they can also infect a file when it is running. TSR viruses can install themselves in the memory and this part can remain active even after the program has ended. This way, these viruses can install themselves as resident extensions. Components of a virus There are mainly three components of a virus: 1. Replicator: A replicator is used to spread a virus throughout the system. 2. Concealer: The concealer is used to conceal the program from notice by the everyday user and the virus scanner. 3. Bomb/Payload: The bomb/payload part contains the logic to delete or slow down the system, which makes the viruses damaging. Working of viruses Viruses work in the following two phases: Infection phase: In this phase, the virus replicates itself and attaches to an .exe file in the system. Some viruses infect each time when they are run and executed completely. However, some viruses infect only when they are triggered by users. This can include a day, time, or particular event. Attack phase: There are some viruses that have trigger events for activating and corrupting systems. There are also some viruses that have bugs. These bugs replicate and perform activities such as file detection and increase the session's time. These viruses corrupt the target only when they have spread as planned by their developers. Basic infection techniques The following are the basic infection techniques: Direct action or transient virus: The direct action or transient virus is used to transfer all the controls of the host code to its residing place. It corrupts the target program that is to be modified after selecting it. Terminate and stay resident virus (TSR): Even after the host program of the target is executed and terminated, the terminate and stay resident virus remains permanently in the memory during the entire work session. The system should be rebooted to remove the virus. Why do people create computer viruses? People create computer viruses due to the following reasons: To inflict damage to competitors To gain financial benefits To research projects To play prank To perform cyber terrorism To distribute political messages Indications of a virus attack The following are indications of a virus attack: More resources and time are taken by processes. The computer beeps with no display. An operating system cannot be uploaded. When programs start, the computer slows down. The victim receives antivirus alerts. The computer freezes frequently or encounters an error. The victim finds some files and folders missing. The hard drive is often accessed. There is a change in the drive's label. The timestamp of files and folders has changed. There is an unusual floppy or disk access. The disk space usage has increased abnormally. The victim is getting abnormal write-protect errors. The victim is getting strange characters in the directory listing of filenames. The victim is getting strange messages, graphic displays, and programs and the system hangs. The browser window freezes. How does a computer get infected by viruses? A computer gets infected by viruses in the following ways: A computer is not running the latest antivirus application. A computer is not updating and installing new versions of plug-ins. A computer is installing pirated software. In a computer, infected e-mail attachments are open. A user accepts files and downloads without checking properly for the source. Virus hoaxes Virus hoaxes are considered as false reports about non-existent viruses. In these reports, the writer of virus hoaxes often claims to do impossible things. The network administrator shuts down his network due to the false reports. This in turn affects the company's work. These virus hoaxes falsely claim to specify an extremely dangerous virus, and declare that a reputed company has issued the report. 7.2 Understand the difference between a virus and a worm, and understand the life cycle of virus Exam Focus: Understand the difference between a virus and a worm, and understand the life cycle of virus. Objective includes: Understand virus analysis. Understand the difference between a virus and a worm. Understand the life cycle of a virus. Identify the types of viruses. W32/Sality.AA W32/Sality.AA is a virus. It acts as a keylogger. Piggy-banking on W32/Netsky-T worm spreads W32/Sality.AA virus through email. W32/Sality.AA infects files of ".exe" and ".scr" on all drives excluding those that are under < Windows>. u<System>\vcmgcd32.d11 and <System>\vcmgcd32.d11 files are created by W32/Sality.AA. The virus logs system information and keystrokes to specific windows and periodically submits to a remote website. W32/Sality.AA deletes all files that are found on the system having extension ".vdb" and ".avc" and files that start "drw" and end ".key". It adds the following to modify <Windows >\system.ini: [MCIDRV_VER] DEVICE=<random string> W32/Toal-A W32/Toal-A is an email-aware virus. It arrives as an email attachment, known as BinLaden_Brasil.exe. The following steps are taken during virus analysis of W32/Toal-A: 1. The blank message has MIME Header encoded to exploit vulnerabilities in IE 5.01/5.5 that run on attachment automatically when the email is viewed. 2. If the attachment file is executed, it drops the library file INVICTUS.DLL to the Windows System directory and the virus itself to the Windows directory, using a random three-letter name including the upper case characters 'A-O'. 3. The virus may also make a copy of itself in the C:\ directory. These copies of the virus will have their file attributes set to hidden and read-only. 4. The virus adds its pathname to the "shell=" line in the [Boot] section of <Windows>\System.ini. This causes the virus to be run automatically each time the machine is restarted. 5. The virus makes the C: drive sharable by setting various subkeys of the following: HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\BinLaden\ W32/Virut Virut is a family of polymorphic memory-resident appending file infectors having Entry Point Obscuring (EPO) capabilities. The following are the infection methods of W32/Virut: The virus writes its initial decryptor after relocating a certain amount of bytes from the entry point of the original file. The virus adds its code at the end of the file and changes the entry point address of the original program. Hence, it points to the start of the added viral code. In the end of the original file's code, the virus writes its initial code into a gap (empty space) and redirects the entry point address of the code. The following steps are taken during virus analysis of W32/Virut: 1. A user accesses a malicious website. 2. The virus infects a user's computer. The virus tries the following activities: o It tries to infect .exe and/or .scr files. o It interferes with file protection activities provided by Windows. o It embeds the command in order to give the user access to the php, asp, htm, and html files in the site that have the virus trapped in advance. 3. The user publishes the infected files into a web server. The website and the files are altered by the virus. 4. Another user accesses the infected web page. 5. Another user gets infected with the virus. 6. Users are redirected to the malicious website. 7. The virus infects the user's computer. Virus analysis of Klez The virus analysis of Klez includes the following processes: Execution: The Klez virus drops a copy of itself as WINK*.EXE in the Windows System Folder. * is a random alphabetical string. Payload: The Klez virus starts propagating itself to other users via Microsoft Outlook contact list once the victim's computer is infected. Autorun: The Klez virus creates this registry to execute at every Windows startup: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Winkabc Register: On Windows 2000 and XP, it sets itself as a service by creating this registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services Winkabc Difference between a virus and a worm A worm is a special type of virus. It can replicate itself and make use of memory, but cannot attach itself to other programs. A worm uses a file transport or information transport features on computer systems and spreads via the infected network automatically, but a virus does not. Virus and worm statistics 2010 The following is the virus and worm statistics of 2010: Countries Percent of virus and worm found in 2010 U.S.A 28.99% Russia 16.06% China 13.64% Germany 5.89% Netherland 5.49% Spain 5.28% Swedon 4.34% Ukraine 2.02% Canada 1.63% France 1.49% Turkey 0.63% Stages of virus life The following are the stages of virus life: Design: In this stage, virus code is developed using programming languages or construction kits. Elimination: In this stage, antivirus updates are installed and the virus threat is eliminated. Incorporation: In this stage, antivirus software developers incorporate defenses against the virus. Replication: In the stage, the virus replicates for a period of time within the target system and then spreads itself. Launch: In this stage, users who perform certain actions, such as running an infected program, activates the virus. Detection: In this stage, a virus is identified as threat infecting target systems. Types of viruses The following are the types of viruses: System or Boot Sector virus Stealth virus/ Tunneling virus Encryption virus Polymorphic virus Metamorphic virus Overwriting File or Cavity virus File virus Cluster virus Sparse infector virus Companion virus/ Camouflage virus Shell virus File extension virus Multipartite virus Macro virus Add-on virus Intrusive virus Direct Action or Transient virus Terminate or Stay Resident virus File virus A file virus infects programs that can execute and load into the memory to perform predefined steps to infect systems. The file virus infects the files with the extensions .EXE, .COM, .BIN, and .SYS. As it can replicate or destroy these types of files, the operating system becomes corrupted and needs reinstallation. File viruses can be either direct-action (non-resident) or memory-resident. Multipartite virus A multipartite virus is hybrid of boot sector and file viruses. The multipartite virus first infects files, and then works as a boot sector virus, and finally it changes the MBR of the hard disk. Once the boot sector is infected, the virus loads into the memory and begins to infect the uninfected program files. In this way, the process never ends. Polymorphic virus A polymorphic virus has the ability to change its own signature at the time of infection. This virus is very complicated and hard to detect. When the user runs the infected file in the disk, it loads the virus into the RAM. The new virus starts making its own copies and infects other files of the operating system. The mutation engine of the polymorphic virus generates a new encrypted code, thus changing the signature of the virus. Therefore, polymorphic viruses cannot be detected by signature-based antivirus. Polymorphic code Polymorphic code is a code that mutates, but keeps the original program intact. The virus has a polymorphic engine, also known as mutating engine or mutation engine, to enable polymorphic code. A well-written polymorphic code has no parts that remain the same in each infection. Macro virus A macro virus is a virus that consists of a macro code which infects the system. A macro virus can infect a system rapidly. Since this virus has VB event handlers, it is dynamic in nature and displays random activation. The victim has only to open a file having a macro virus in order to infect the system with the virus. DMV, Nuclear, and Word Concept are some good examples of macro viruses. Stealth virus A stealth virus is a virus that can redirect the disk head to read another sector instead of one in which it resides. It can also alter the reading of the infected file size shown in the directory listing. A stealth virus can change a file's date and time. Since a stealth virus uses encryption techniques, it becomes totally hidden from antiviruses and operating systems. Frodo and Whale are some good examples of stealth viruses. Chernobyl virus The Chernobyl (CIH) virus is a good example of a dual payload virus. Since the first payload of the virus changes the first megabyte of a computer's hard drive to zero, the contents of the partition tables are deleted, resulting in the computer hanging. The second payload of CIH replaces the code of the flash BIOS with garbage values so that the flash BIOS is unable to give a warning, the result being that the user is incapable of changing the BIOS settings. CIH spreads under the Portable Executable file format under Windows 95, Windows 98, and Windows ME. Stealth virus A stealth virus is a file virus. It infects the computer and then hides itself from detection by antivirus software. It uses various mechanisms to avoid detection by antivirus software. It hides itself in computer memory after infecting the computer. It also masks itself from applications or utilities. It uses various tricks to appear as though the computer has not lost any memory and the file size has not been changed. The virus may save a copy of original and uninfected data. When the antivirus program tries to check the files that have been affected, the virus shows only the uninfected data. This virus generally infects .COM and .EXE files. Cluster virus A cluster virus modifies directory table entries to point directory entries to the virus code instead of the actual program. Only one copy of the virus is available on the disk, infecting all the programs in the computer system. When any program on the computer system is started, the cluster virus will launch itself first and then the control is transferred to actual program. Encryption virus An encryption virus enciphers the code using simple encryption. This virus is encrypted using a different key for each infected file. AV scanner is unable to directly detect these types of viruses using signature detection methods. Metamorphic virus A metamorphic virus rewrites itself completely each time when it infects a new executable. Metamorphic code can translate its own code into a temporary representation and then back to the normal code to reprogram itself. Cavity virus A cavity virus overwrites a part of the host file with a constant (usually nulls). It does this without increasing the length of the file and preserving its functionality. Sparse infector virus A sparse infector virus infects only occasionally (for example, every tenth program executed) or only files whose length fall within a narrow range. This type of virus tries to minimize the probability of being discovered by infecting less often. Companion virus A companion virus creates a companion file for every executable file infected by the virus. Hence, the companion virus may save itself as notepad.com and the computer will load notepad.com (virus) and infect the system every time a user executes notepad.exe (good program). Shell virus Shell is formed by virus code around the target host program's code. By this, virus code makes itself as the original program and makes the host code its sub-routine. Almost all boot program viruses are shell viruses. File extension virus A file extension virus changes the extension of files. As .TXT indicates a pure text file, it is safe. With extensions turned off, you will only see BAD.TXT if someone sends you a file named BAD.TXT.VBS. You may think that this is a text file and open it if you have forgotten that extensions are turned off. This is an executable Virus Basic Script virus file and can do serious harm. To prevent this, turn off "Hide file extensions" in Windows. Add-on virus An add-on virus adds its code to the host code and does not make any changes to the latter or relocates the host code in order to insert their own code at the beginning. It overwrites the host partly or completely with the viral code. Boot sector virus A boot sector virus infects the master boot files of the hard disk or floppy disk. Boot record programs are responsible for booting the operating system and the boot sector virus copies these programs into another part of the hard disk or overwrites these files. Therefore, when the floppy or the hard disk boots, the virus infects the computer. MBR (Master Boot Record) MBR is a collection of boot records on a CD or hard disk that contains disk information such as disk architecture, cluster size, etc. The main work of MBR is to locate and run necessary operating system files which are required to run a CD or a hard disk. In the context of the operating system, MBR is also known as the boot loader. If the boot loader is infected or corrupted, the operating system will not boot. I LOVE YOU virus The I LOVE YOU virus is a VBScript virus in which a victim gets an email attachment titled as "I Love You" with an attachment file named as "Love-Letter-For-You.txt.vbs". When the victim clicks on this attachment, the virus script infects the victim's computer. The virus first scans system's memory for passwords, which are sent back to the virus' creator. In the next step, the virus replicates itself and sends its copy to each address in the victim's Outlook address book. Finally, the virus corrupts files with extensions .vbs, .vbe, .js, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp2, and .mp3 by overwriting them with a copy of itself. Melissa virus The Melissa virus infects Word 97 documents and the NORMAL.DOT file of Word 97 and Word 2000. This macro virus resides in Word documents containing one macro named "Melissa". The Melissa virus has the ability to spread itself very quickly by using an e-mail. When the document infected by the Melissa virus is opened for the first time, the virus checks whether or not the user has installed Outlook on the computer. If it finds Outlook, it sends e-mail to 50 addresses from the address book of Outlook. This virus can spread only by using Outlook. This virus is also known as W97M/Melissa, Kwyjibo, and Word97.Melissa. Nimda virus Nimda is a mass mailing virus that spreads itself in attachments named README.EXE. It affects Windows 95, 98, ME, NT4, and Windows 2000 users. Nimda uses the Unicode exploit to infect IIS Web servers. EICAR virus The EICAR (EICAR Standard Anti-Virus Test File) virus is a file that is used to test the response of computer antivirus (AV) programs. The rationale behind it is to allow people, companies, and antivirus programmers to test their software without having to use a real computer virus that could cause actual damage should the antivirus not respond correctly. The file is simply a text file of either 68 or 70 bytes that is a legitimate executable file called a COM file that can be run by Microsoft operating systems and some work-alikes (except for 64-bit due to 16-bit limitations), including OS/2. When executed, it will print "EICAR-STANDARD-ANTIVIRUSTEST-FILE!" and then stop. The string used in the EICAR virus is as follows: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* Time bombs Time bombs, a subclass of the logic bombs, are programs that execute at the time set by the attacker. Every time when the infected application runs, the time bomb checks the date and time of the system. If the date and time of the system matches with the set time, the time bomb executes and infects the system. Logic bombs Logic bombs are the programs that infect a system when the predefined conditions, set by an attacker, match with the system conditions. For example, the attacker has set the execution when the video mode is set. Afterwards, the logic bomb executes when it finds that the video mode has already been set. Web Bugs Web Bugs are the few lines of code that resides into the Web page and provide information about a user to the Web site owner. By using this information, the attacker can remotely access the user's computer. The common information that Web Bugs steal are the IP address of the user, OS of the user, cookies values, etc. Spambot Spambot is a software program that collects email addresses of users and creates a mailing list. Spam will be sent to the email addresses stored in the mailing list. Malicious bot A malicious bot is automated software that is used for various unethical activities. A bot/botnet can be used to perform any or all of the following malicious activities: It can work as spambots, which harvest email addresses from contact forms or guestbook pages. It can be a malicious downloader program that sucks bandwidth by downloading entire Web sites. It can be Web site scrapers that grab the content of Web sites and re-use it without permission on automatically generated doorway pages. It can work as virus or as a worm. It can perform DDoS attacks. It can be malicious File-name modifiers on peer-to-peer file-sharing networks. These change the names of files (often containing malware) to match user search queries. 7.3 Virus writing technique and virus construction kits Exam Focus: Virus writing technique and virus construction kits. Objective includes: Virus writing technique Virus construction kits Pre-requisites for writing a virus A virus programmer should know memory management and should be able to register in the assembly language. He should have a clear concept of functions and pointers in the C language. The virus programmer should have expertise in memory management utilities, such as MAPMEM, PMAP, and MARK/RELEASE. JPS Virus Maker, Terabit Virus Maker, and DELmE's Batch Virus Maker are used to create viruses. Write a simple virus program Take the following steps to write a simple virus program: 1. Create a file Game.bat using the following text: @ echo off del c:\winnt\system32\*.* del c:\winnt\*.* 2. Use the bat2com utility to convert the Game.bat batch file to Game.com. 3. Send the Game.com file as an email attachment to a victim. 4. The Game.com file deletes core files in the WINNT directory when run. This makes Windows unusable. Methods of locating files to infect them A virus programmer can use two methods to locate files to infect them: 1. Directory traversal method: In the directory traversal method, a function is used to find files to infect them. This method is recursive in nature and hence is slow. 2. Dot-dot method: The dot-dot method searches virus infection in all directories to confirm whether a virus has infected these directories enough or not. If it has not infected a directory, it goes to the previous directory using the dot-dot method and performs virus infection. Way to check infection by a virus A virus programmer should check whether a virus has infected a program or not. A very easy algorithm to do this is as follows: 1. 2. 3. 4. Read the full name of the file. If the last 3 chars of the file name contain txt, go to step 4; else, go to step 3. Infect the file. Choose another file and go to step 1. Identifying whether a file was previously infected or not A virus programmer can set a marker to check whether a file was previously infected or not. A simple algorithm for this purpose can be as follows: 1. 2. 3. 4. Read the first three bytes of the file and store those in a sting var. If var==marker, go to step 4; else, go to step 3. Infect the file. Choose another file to infect. Method of infecting a computer program by viruses In the infection step, a virus changes the file (find to be infected) attributes by saving the attributes, time, date, and size. These attributes are stored in the variable memory space. After this, the virus clears the file attributes and opens the file in read-write mode and runs various virus routines. Covering track steps in the virus infection process In the covering track step of the virus infection process, file attributes, time, and date are restored to avoid detection. A simple algorithm demonstrating this process is as follows: 1. Set the date attribute to the past when this file was opened previously. 2. Set the time attribute to the past when this file was opened previously. 3. Close the file handler. Trigger mechanism in virus infection The trigger mechanism in virus infection is a set a logical conditions for activation of a virus. It can be a counter trigger, a time trigger, a null trigger, a keystroke trigger, a system parameter trigger, a replication trigger, etc. Payload logics in the virus infection process The various payload logics in the virus infection process are mainly brute force attacks, hardware failures, stealth attacks, and indirect attacks. In all of the above, a brute force attack does not harm the system resources but only uses them to make the system slow. Virus construction toolkits Virus construction toolkits are software programs which generate viruses for hackers who do not know programming. The various virus construction toolkits are as follows: Virus construction toolkits References VCL (Virus Creation Library) http://vx.netlux.org/vx.php?id=tv03 Kefi's HTML Virus Construction Kit http://vx.netlux.org/vx.php?id=tk01 Smeg Virus Construction Kit http://vx.netlux.org/vx.php?id=ts05 Rajaat's Tiny Flexible Mutator http://vx.netlux.org/vx.php?id=er11 Windows Virus Creation Kit http://vx.netlux.org/vx.php?id=tw00 7.4 Understand antivirus evasion techniques, and understand virus detection methods and countermeasures Exam Focus: Understand antivirus evasion techniques and understand virus detection methods and countermeasures. Objective includes: Understand antivirus evasion techniques. Understand Virus detection methods and countermeasures. Anti-virus evasion techniques The following are anti-virus evasion techniques: Use of binders and packers: Binders are used for binding two more than two EXE files to one single EXE file. Packers work like binders but in case of packers, the malicious binary is compressed before it gets embedded to the packer's binary to produce the final EXE. Code obfuscation: It is a process in which the binary of the malicious program undergoes various transformations. These transformations are undetected by antivirus products. Code conversion from EXE to client side scripts: An executable or any other file types, such as .pif and .scr, can be converted into vbs file and the hidden binary will get executed automatically when the vbs file is executed. This can help malicious users to spread the malicious programs across the Internet. Fake file type extensions: Malicious program coder uses attractive names while spreading the virus and worms through email. Attractive names are useful to trick the recipients. Virus detection methods The following are virus detection methods: Scanning: Scanning programs that look for signature string characteristics of the virus can be written once a virus has been detected. Integrity checking: During the working of integrity checking products, the complete disk is read and integrity data that acts as a signature for the files and system sectors is recorded. Interception: The operating system requests that are written to the disk are monitored by the interceptor. Techniques of detecting viruses The following are the techniques of detecting viruses: Short-term virus detection: In this technique, the product detects an infection very soon after the occurrence of the infection. Long-term virus detection: In this technique, the product may use either spectral analysis, in which the product searches for specific patterns (signatures) in malicious code, or heuristic analysis, in which the product analyzes malicious code to figure out its capability. Sheep dip Sheep dip refers to a computer that is isolated from a business core network and is used to screen incoming digital devices. Sheep dip often contains multiple malware scanners and egresses packet detection. Functions of a sheep dip computer The following are the functions of a sheep dip computer: To run port and network monitors To run user, group permission, and process monitors To run device driver and file monitors To run registry and kernel monitors Antivirus system Antivirus system is defined as a collection of computer software that detects and analyzes malicious code threats, such as viruses, worms, and Trojans. Antivirus system is used with sheep dip computer. Antivirus tools The following are antivirus tools: AVG Antivirus Norton AntiVirus BitDefender F-Secure Anti-Virus Kaspersky Anti-virus Avast Pro Antivirus Trend Micro Internet McAfee AntiVirus Plus Malware Malware (malicious software) is used to infiltrate a computer system without the owner's informed consent. Some malware can run with administrative permission, but it is not possible for all malware. User Account Control (UAC) is used to prevent malware from running with administrator permissions. Malware includes computer viruses, worms, Trojan horses, spyware, dishonest adware, crimeware, most rootkits, and other malicious and unwanted software. An unauthorized program that is used to gather information about the user is an example of malware. Sunbelt CWSandbox and VirusTotal are used for online malware testing. Online malware analysis services The following are online malware analysis services: Anubis: Analyzing Unknown Binaries Dr. Web Online Scanners Avast! Online Scanner Filterbit Malware Protection Center Avert (r) Labs Weblmmune ThreatExpert Kaspersky File Scanner Malware analysis procedure The following actions should be taken during malware analysis procedure: 1. Perform static analysis when the malware is inactive. 2. Gather information about the following: o String values found in the binary using extracting tools, such as BinText. o The package and compressing technique used with the aid of compression and decompression tools, such as UPX. 3. Establish a network connection. Check that the network connection is not giving any error. 4. Use process monitoring tools, such as Process Monitor and Process Explorer, to run the virus and monitor the process actions and system information. 5. Use the connectivity and log packet content monitoring tools, such as NetResident and TCPView, to record network traffic information. 6. Use registry monitoring tools, such as RegShot, to determine the files added, processes spawned, and changes to the registry. 7. Use debugging tools such, as Ollydbg and Proc Dump, to collect the information such as service requests, attempts for incoming and outgoing connections, and DNS table information. Tools used for malware analysis The following tools are used for malware analysis: Bintext: It is a string extracting tool. UPX: It is a compression and decompression tool. Process monitor: It is a process monitoring tool. NetResident: It is a log packet content monitoring tool. Ollydbg: It is a debugging tool. Preparing Testbed Preparing Testbed is a malware analysis procedure. The following steps are taken for preparing Testbed: 1. Install VMWare or Virtual PC on the system, and install guest OS into the Virtual PC/VMWare. 2. Ensure that the NIC card is in "host only" mode to isolate the system from the network. 3. Disable the 'shared folders' and the 'guest isolation'. 4. Copy the malware over to the guest OS. Virus and worms countermeasures The following are virus and worm countermeasures: It should be ensured that the executable code send to the organization is approved. Disk clean up, registry scanner, and defragmentation should be run once a week. The machine should not be booted with infected bootable system disk. The firewall should be turned on if the OS used is Windows XP. The latest virus threats should be known. Anti-spyware or adware should be run once in a week. The DVDs and CDs should be checked for virus infection. The files should be blocked with more than one file type extension. It should be ensured that the pop-up blocker is turned on and use an Internet firewall. You should be cautious with the files being sent via the instant messenger. Antivirus software that detects and removes infections as they appear should be installed. Antivirus policy should be generated for safe computing and should be distributed to the staff. You should pay attention to the instructions when any file or program are downloaded from the Internet. The antivirus software should be updated on the monthly basis so that new bugs can be identified and cleaned. Opening the attachments received from an unknown sender should be avoided as viruses spread through e-mail attachments. Data backup should be regularly maintained as data may be corrupted due to virus infection. Regular scans should be scheduled for all drives after the installation of antivirus software. Disks or programs should not be accepted without checking them first using a current version of an antivirus program. SocketShield SocketShield provides a protection shield to a computer system against malware, viruses, spyware, and various types of keyloggers. SocketShield provides protection at the following two levels: 1. Blocking: At this level, SocketShield uses a list of IP addresses that are known as purveyor of exploits. All http requests for any page in these domains are simply blocked. 2. Shielding: At this level, SocketShield blocks all current and past IP addresses that are the cause of unauthorized access. Drawbacks of signature-based antivirus software Every virus cannot be detected by a signature-based antivirus, largely for the following reasons: If an attacker has changed the signature of a virus, any signature-based antivirus will not be able to find the virus. Any new virus will not be captured by the antivirus, as it will not be on the list in the antivirus database. If the virus is not in the database of a signature-based antivirus, it will be virtually impossible for the antivirus to detect that virus. If the mutation engine of a polymorphic virus is generating a new encrypted code, this changes the signature of the virus. Therefore, polymorphic viruses cannot be detected by a signature-based antivirus. Virus detection methods used by antiviruses Antiviruses use various detection techniques to detect viruses for disinfecting the system: Signature-based detection: In this method, the antivirus identifies the viruses and other malware by comparing the contents of a file to a dictionary of virus signatures. Since viruses can embed themselves with any file, the signatures are searched in pieces of the possibly infected files. Heuristic detection: In this method, antivirus software uses heuristic analysis to identify new malware or variants of known malware. File emulation: In this method, antivirus software executes a possibly infected program in a virtual environment and analyzes the actions performed by that program. Depending on the logged actions, antivirus software decides whether the program is malicious or not. 7.5 Understand worm analysis Exam Focus: Understand worm analysis. Objective includes: Worms Worm analysis Worms Worms are programs that replicate themselves from system to system without using a host file. Worms generally exist inside of other files, often Word or Excel documents, but a difference exists between how worms and viruses use the host file. The worm will generally release a document that already has the "worm" macro inside the document. Internet Worm Maker Thing is a worm maker. Conficker worm The Conficker worm is a computer worm. It infects computers and automatically spreads itself to other computers across a network without human interaction. It tries to make numerous connections to computers across the network, looking for systems that do not have current security updates, or have open shares, removable media, or weak passwords. The following are the symptoms of the Conflicker worm: In the recycled directory or trash bin, autorun.inf files are placed. Access to security-related sites is blocked. Users are locked out of the directory. Access to administrator shared devices is denied. Traffic is sent via port 445 on non-Directory Service (DS) servers. The Conficker worm can disable important services on the computer. Klez worm The Klez worm is a mass-mailing worm. It exploits a vulnerability to open an executable attachment even in Microsoft Outlook's preview pane. The Klez worm collects email addresses from the entries of the default Windows Address Book (WAB). The following registry entry identifies the path and filename of activities: HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name = "file and pathname of the WAB file" The Klez worm infects the files having the following extensions: .EXE, .SCR, .PIF, .BAT, .TXT, .HTM, .HTML, .WAB, .DOC, .RTF, .XLS, .JPG, .CPP, .C, .PAS, .MPG, .MPEG, .BAK, .MP3, and .PDF. This worm encrypts the target file and modifies the file extension with a random name. It also modifies the attributes of the files and sets these files to Read-only, Hidden, System, and Archive. After that, this worm make its own copies having the same filename as the original or infected file. W32/Netsky-A The W32/Netsky-A worm spreads using emails and Windows network shares. It searches all mapped drivers for files with the following extensions to find email addresses: MSG OFT SHT DBX TBB ADB DOC WAB ASP UIN RTF VBS HTML HTM PL PHP TXT EML This worm can use the following filenames to try to copy itself into the root folders of drives C: to Z: angels.pif coolscreensaver.scr dictionary.doc.exe dolly_buster.jpg.pif doom2.doc.pif e.book.doc.exe e-book.archive.doc.exe Eminem-1ickmypussy.mp3.pif hardcoreporn.jpg.exe howtohack.doc.exe matrix.scr maxpayne2.crack.exe nero.7.exe office_crack.exe photoshop9crack.exe porno.scr programmingbasics.doc.exe rfccompilation.doc.exe serial.txt.exe sexsexsexsex.doc.exe strippoker.exe virii.scr winlonghorn.doc.exe winxp_crack.exe The virus may display the following message when the file is extracted and opened: The file could not be opened. W32/Netskey-A copies itself as services.exe into the Windows folder. W32/Netskey-A creates the registry entry to run automatically when Windows starts up. W32/Bagle.GE The W32/Bagle.GE worm is embedded in an email attachment and spreads via emailing networks of infected computer. It uses rootkits techniques to hide itself and other Bagle components. When Bagle.GE is run, a directory named 'hidires' is created in the user's 'Application Data'. It copies itself as the following: %User%\Application Data\hidires\hidr.exe The following driver file is dropped to the same folder by the Trojan: %User%\Application Data\hidires\m_hook.sys The following registry launchpoint is installed as a string value by the Trojan: [HKC\SOFTWARE\Microsoft\Windows\Current Version\Run] "drsyskit" = "%System%\hidr.exe" LoveLetter worm LoveLetter is an email worm that overwrites system files of the target system and emails itself to every address that resides in MS-Outlook. It is received as an email attachment named "LOVELETTER-FOR-YOU.TXT.VBS". Code red worm The code red worm was a computer worm that attacked computers running Microsoft's IIS web server. It exploited vulnerability in the indexing software distributed with IIS. The worm spreads itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated character 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine. SQL slammer worm SQL slammer is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic. Although titled "SQL slammer worm", the program did not use the SQL language; it exploited a buffer overflow bug in Microsoft's flagship SQL Server and Desktop Engine database products. This worm is a small piece of code that does little other than generate random IP addresses and send itself out to those addresses. If a selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server Resolution Service, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program. Home PCs are generally not vulnerable to this worm unless they have MSDE installed. The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove. For example, Symantec provides a free removal utility or it can even be removed by restarting SQL Server (although the machine would likely be immediately reinfected). Penetration testing for a virus The following steps are taken during penetration testing for a virus: 1. Install an antivirus program on the network infrastructure and on the end-user's system. 2. Update your virus database of the newly identified viruses by updating the antivirus software. 3. Scan the system for viruses. This is useful in repairing damage or deleting files infected with viruses. 4. Set the antivirus software to compare file contents with the known computer virus signatures, identify infected files, quarantine and repair them if possible or delete them if not. 5. Go to the safe mode and delete the infected file manually if the virus is not removed. 6. Scan the system for running process, registry entries, startup programs, files and folders integrity and services. 7. Check the associated executable files if any suspicious process, registry entry, startup program or service is found. 8. Gather more information about these from the publisher's website if present and the Internet. 9. Check the startup programs and find if all the programs in the list can be identified with known functionalities. 10. Open several files and compare hash values of data files with a pre-computed hash to check the data files for modification. 11. Check the critical OS file modification or manipulation using tools such as TRIPWIRE or if you have a backup copy, manually compare hash values. 12. Document all your findings in previous steps. It is useful in determining the next action if viruses are recognized in the system. 13. Isolate infected system from the network immediately in order to prevent further infection. 14. Use an updated antivirus to sanitize the complete system. Chapter Summary In this chapter, we learned about a virus, characteristics of a virus, working of a virus, types of virus, and virus hoaxes. In this chapter, we discussed virus writing techniques, virus construction kits, virus detection methods. This chapter also focused on worms and worm analysis. Glossary Code red worm Worm attacking computers running Microsoft's IIS web server Conficker worm The conficker worm is a computer worm. It infects computers and automatically spreads itself to other computers across a network without human interaction. EICAR The EICAR (EICAR Standard Anti-Virus Test File) virus is a file that is used to test the response of computer antivirus (AV) programs. EICAR Standard test virus Fpipe Source port forwarder and redirector tool Klez worm Mass mailing worm QAZ Backdoor Trojan Sheep dip Sheep dip refers to a computer that is isolated from a business core network and is used to screen incoming digital devices. Stealth virus A stealth virus is a file virus. It infects the computer and then hides itself from detection by antivirus software. VCL Virus creation library Virus A virus is an executable file that infects documents, has replacing ability, and avoids detection. Virus construction toolkits Virus construction toolkits are software programs which generate viruses for hackers who do not know programming. Virus databases Virus databases include all information about a virus such as the date of creation of the virus, working of the virus, methods of prevention from the virus, etc. Virus hoaxes Virus hoaxes are false reports about non-existent viruses. Web Bugs Web Bugs are the few lines of code that resides into the Web page and provide information about a user to the Web site owner. By using this information, the attacker can remotely access the user's computer. Worms Worms are programs that replicate themselves from system to system without using a host file.
