CEHv8 module 07 viruses and worms


Ethical Hacking and Countermeasures v8
Module 07: Viruses and Worms
Exam 312-50 Certified Ethical Hacker

Engineered by Hackers. Presented by Professionals.

Module 07 Page 1007
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.



Security News

Global Cyber-Warfare Tactics: New Flame-linked Malware Used in "Cyber-Espionage"

October 19, 2012
Source: http://www.globalresearch.ca
A new cyber espionage program linked to the notorious Flame and Gauss malware has been detected by Russia's Kaspersky Lab. The antivirus giant's chief warns that global cyber warfare is in "full swing" and will probably escalate in 2013.

The virus, dubbed miniFlame, and also known as SPE, has already infected computers in Iran, Lebanon, France, the United States, and Lithuania. It was discovered in July 2012 and is described as "a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a statement posted on its website.

The malware was originally identified as an appendage of Flame, the program used for targeted cyber espionage in the Middle East and acknowledged to be part of joint US-Israeli efforts to undermine Iran's nuclear program.


But later, Kaspersky Lab analysts discovered that miniFlame is an "interoperable tool that could be used as an independent malicious program, or concurrently as a plug-in for both the Flame and Gauss malware."

The analysis also showed new evidence of cooperation between the creators of Flame and Gauss, as both viruses can use miniFlame for their operations.

"MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory," Kaspersky Lab said.

High-precision attack tool

So far just 50 to 60 cases of infection have been detected worldwide, according to Kaspersky Lab. But unlike Flame and Gauss, miniFlame is meant for installation on machines already infected by those viruses.

"MiniFlame is a high-precision attack tool. Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyber attack," Kaspersky's Chief Security Expert Alexander Gostev explained.

"First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage."

The newly-discovered malware can also take screenshots of an infected computer while it is running a specific program or application such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service or FTP client.

Kaspersky Lab believes miniFlame's developers have probably created dozens of different modifications of the program. "At this time, we have only found six of these, dated 2010-2011," the firm said.

'Cyber warfare in full swing'

Meanwhile, Kaspersky Lab's co-founder and CEO Eugene Kaspersky warned that global cyber warfare tactics are becoming more sophisticated while also becoming more threatening. He urged governments to work together to fight cyber warfare and cyber-terrorism, Xinhua news agency reports.

Speaking at an International Telecommunication Union Telecom World conference in Dubai, the antivirus tycoon said, "cyber warfare is in full swing and we expect it to escalate in 2013."

"The latest malicious virus attack on the world's largest oil and gas company, Saudi Aramco, last August shows how dependent we are today on the Internet and information technology in general, and how vulnerable we are," Kaspersky said.

He stopped short of blaming any particular player behind the massive cyber-attacks across the Middle East, pointing out that "our job is not to identify hackers or cyber-terrorists. Our firm is like an X-ray machine, meaning we can scan and identify a problem, but we cannot say who or what is behind it."

Iran, which confirmed that it suffered an attack by Flame malware that caused severe data loss, blames the United States and Israel for unleashing the cyber-attacks.


Copyright © 2005-2012 GlobalResearch.ca

By Russia Today
http://www.globalresearch.ca/global-cyber-warfare-tactics-new-flame-linked-malware-used-in-cyber-espionage/5308867



Module Objectives

The objective of this module is to expose you to the various viruses and worms in circulation today. It examines how a computer virus works, its function, its classification, and the manner in which it affects systems, and it goes into detail about the countermeasures available to protect against virus infections. The main objective is to educate you about the known viruses and worms, the indications of their attack, the ways to protect against them, and how to test your system or network for the presence of viruses or worms.

This module will familiarize you with:
- Introduction to Viruses
- Stages of Virus Life
- Working of Viruses
- Indications of Virus Attack
- How Does a Computer Get Infected by Viruses?
- Virus Analysis
- Types of Viruses
- Virus Maker
- Computer Worms
- Worm Analysis
- Worm Maker
- Malware Analysis Procedure
- Online Malware Analysis Services
- Virus and Worms Countermeasures
- Antivirus Tools
- Penetration Testing for Virus



Module Flow

Virus and Worms Concepts -> Types of Viruses -> Computer Worms -> Malware Analysis -> Countermeasures -> Penetration Testing

This section introduces you to the various viruses and worms in circulation today, gives a brief overview of each, and presents statistics on viruses and worms in recent years. It lists the various types of viruses and their effects on your system. The working of a virus in each of its phases is discussed in detail, and the techniques attackers use to distribute malware on the web are highlighted.



Introduction to Viruses

- A virus is a self-replicating program that produces its own copy by attaching itself to another program, a computer boot sector, or a document
- Viruses are generally transmitted through file downloads, infected disk/flash drives, and email attachments

Virus characteristics: infects other programs, alters data, transforms itself, corrupts files and programs, encrypts itself, self-propagates.

Computer viruses have the potential to wreak havoc on both business and personal computers. Worldwide, most businesses have been infected at some point. A virus is a self-replicating program that reproduces by attaching copies of its code to other executable code. It operates without the knowledge or consent of the user. Like a biological virus, a computer virus is contagious and can contaminate other files. However, a virus can reach other machines only with the assistance of computer users (for example, by someone copying or running an infected file). Some viruses affect a computer as soon as their code is executed; others lie dormant until a predetermined logical condition is met. There are three categories of malicious programs:
- Trojans and rootkits
- Viruses
- Worms

A worm is a malicious program that can infect both local and remote machines. Worms spread automatically by infecting system after system in a network, and even spread further to other networks. Worms therefore have a greater potential for causing damage, because they do not rely on the user's actions for execution. There are also malicious programs in the wild that combine the features of all three categories.


Virus and Worm Statistics

Source: http://www.av-test.org

[Figure 7.1: Virus and Worm Statistics. Bar chart by year, 2008 to 2012; vertical axis from 0 to 75,000,000 in steps of 15,000,000.]

This graph gives an overview of the growth recorded in recent years. According to the graph, the count was about 11,666,667 in 2008, whereas by 2012 it had risen to roughly 70,000,000, a sixfold increase in four years; the growth of malware is accelerating year by year. Note that AV-TEST's published figures count distinct malware samples registered in its collection rather than infected systems, so the chart measures the growth of the malware population itself, not the number of victims.


Stages of Virus Life

A computer virus passes through several stages from inception to elimination:

1. Design: The virus code is developed using programming languages or construction kits. Anyone with basic programming knowledge can create a virus.
2. Replication: The virus first replicates itself within a target system over a period of time, and then spreads itself further.
3. Launch: The virus is activated when a user performs certain actions, such as running an infected program.
4. Detection: The virus is identified as a threat infecting target systems, typically after its actions have caused considerable damage to the target systems' data.
5. Incorporation: Antivirus software developers assemble defenses against the virus (signatures and removal routines).
6. Elimination: Users install the antivirus updates and eliminate the virus threat; advising users to update creates awareness among user groups.
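The Detection and Incorporation stages above rest on signatures: a byte pattern taken from the virus body that the scanner looks for in every file. The following is an added example written for this module, not code from the original page or from any antivirus product. It builds a constructed signature database and three constructed sample files (an inert marker string stands in for the virus body; nothing is executed), scans them, and then shows why the "Encrypts Itself" characteristic matters: the same body stored XOR-encoded slips past the plain signature and is only recovered by a brute-force of the one-byte key, which works here solely because the encoder is trivial.

```python
"""Signature-based detection (the Detection and Incorporation stages) and why
a virus that encrypts itself defeats a plain byte signature.

Added example for this module, not code from the original page or from any
antivirus product. The "virus body" is an inert marker string, the signature
database and the sample files are constructed below, and nothing is executed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: inert text standing in for the body of a file virus.
PAYLOAD = b"BEGIN VIRUS BODY: replicate(); attach(host.exe); END"

# Constructed signature database, as a vendor would assemble it in the
# Incorporation stage: detection name -> byte pattern taken from the body.
SIGNATURES: Dict[str, bytes] = {
    "Example.FileVirus.A": b"replicate(); attach(",
}


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the simplest self-encryption a virus body can apply."""
    return bytes(b ^ key for b in data)


@dataclass
class ScanResult:
    path: str
    sha256: str
    matches: List[str]


def scan(files: Dict[str, bytes]) -> List[ScanResult]:
    """Static scan: flag a file when any signature pattern occurs in its bytes."""
    results = []
    for name, content in files.items():
        hits = [sig for sig, pat in SIGNATURES.items() if pat in content]
        results.append(ScanResult(name, hashlib.sha256(content).hexdigest(), hits))
    return results


def build_samples() -> Dict[str, bytes]:
    """Constructed host program plus two infected copies of it."""
    host = b"MZ" + b"\x00" * 30 + b"clean host program code"
    return {
        "clean.exe": host,
        # Appender: virus body stored in the clear after the host code.
        "infected_plain.exe": host + PAYLOAD,
        # Same body, but stored XOR-encoded; the key byte precedes it so a
        # small decryptor stub could recover it at run time.
        "infected_encrypted.exe": host + bytes([0x5A]) + xor_encode(PAYLOAD, 0x5A),
    }


def detect_encrypted_variant(content: bytes) -> Optional[int]:
    """Counter for this particular encoder: try every one-byte key and look
    for a signature in the decoded bytes. Returns the key, or None."""
    for key in range(1, 256):
        decoded = xor_encode(content, key)
        if any(pat in decoded for pat in SIGNATURES.values()):
            return key
    return None


if __name__ == "__main__":
    samples = build_samples()
    for r in scan(samples):
        print(f"{r.path:24s} {r.sha256[:16]}  {r.matches or 'no match'}")
    print("encrypted variant key:", detect_encrypted_variant(samples["infected_encrypted.exe"]))
```

Running it, the plain appended copy is detected, the XOR-encoded copy is not, and only the 256-key brute force names the variant. A polymorphic virus changes the decryptor stub as well as the key with every copy, so this trick does not generalize; that is why production engines supplement static signatures with emulation and heuristic (behavioral) detection.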


Working of Viruses: Infection Phase

In the infection phase, the virus replicates itself and attaches to an .exe file in the system.

Viruses attack a target host's system using various methods. They attach themselves to programs and transmit themselves to other programs by making use of certain events. Viruses need such events to take place since they cannot:
- Start themselves
- Infect other hardware
- Cause physical damage to a computer
- Transmit themselves using non-executable files (pure data files that are never executed or interpreted)

Generally viruses have two phases, the infection phase and the attack phase.

In the infection phase, the virus replicates itself and attaches to an .exe file in the system. Programs modified by a virus infection can then run the virus's functionality on that system. The virus is enabled as soon as the infected program is executed, since the program code now leads into the virus code. Virus writers have to maintain a balance among factors such as:
- How will the virus infect?
- How will it spread?
- How will it reside in a target computer's memory without being detected?

Obviously, viruses have to be triggered and executed in order to function. There are many ways for programs to be executed while a computer is running. For example, any setup program calls numerous programs that may be built into a system, and some of these are distribution-medium programs. Thus, if a virus program already exists, it can be activated by this kind of execution and infect the additional setup program as well.

There are virus programs that infect and keep spreading every time they are executed. Others do not infect programs when first executed; they reside in the computer's memory and infect programs at a later time. Such virus programs, known as TSR (terminate-and-stay-resident) viruses, wait for a specified trigger event to spread at a later stage. It is, therefore, difficult to recognize which event might trigger the execution of a dormant virus infection.

Refer to the figure that follows to see how EXE file infection works. The .EXE file's header, when triggered, executes and starts running the application. Once this file is infected, any trigger event from the file's header can activate the virus code too, along with the application program, as soon as it is run.

- A file virus infects by attaching itself to an executable system application program. Text files that are themselves executed or interpreted, such as source code, batch files, and script files, are also considered potential targets for virus infections.
- Boot sector viruses execute their own code first, during start-up, before the target PC's operating system is loaded.

[Figure 7.2: Working of Viruses in Infection Phase. Before infection: a clean .exe file. After infection: the same .exe file with virus code attached.]
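Because a file virus has to change the host executable to attach itself, the most reliable indicator of the infection phase is that an executable's bytes changed (and, for an appender or prepender, that it grew) without a legitimate update. The following is an added example written for this module, not code from the original page or from any product. It records a SHA-256 and size baseline of the executable-type files in a directory, then simulates an infection in a temporary directory (an inert marker appended to a constructed "app.exe", plus a dropped companion file; all files are constructed here) and reports what changed. The suffix list and the directory layout are assumptions made for the demonstration.

```python
"""File-integrity baseline that catches the infection phase of a file virus.

Added example for this module, not code from the original page or from any
product. The directory, the files, and the simulated infection are all
constructed in a temporary directory; the appended bytes are an inert marker.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Assumption for the example: these suffixes are treated as executable content.
EXEC_SUFFIXES: Tuple[str, ...] = (".exe", ".dll", ".bat")


def sha256_file(path: str) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Tuple[str, int]]:
    """Map relative path -> (sha256, size) for every executable-type file."""
    baseline: Dict[str, Tuple[str, int]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(EXEC_SUFFIXES):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root)
                baseline[rel] = (sha256_file(path), os.path.getsize(path))
    return baseline


def compare(baseline: Dict[str, Tuple[str, int]],
            current: Dict[str, Tuple[str, int]]) -> Dict[str, List[str]]:
    """Classify differences. 'grown' is the subset of modified files whose size
    increased, the classic footprint of an appending file infector."""
    report: Dict[str, List[str]] = {"modified": [], "grown": [], "added": [], "removed": []}
    for rel, (digest, size) in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel][0] != digest:
            report["modified"].append(rel)
            if size > baseline[rel][1]:
                report["grown"].append(rel)
    for rel in baseline:
        if rel not in current:
            report["removed"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, simulate an infection, compare."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("app.exe", "helper.dll", "notes.txt"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"MZ" + name.encode() + b"\x00" * 64)
        before = build_baseline(root)
        # Simulated infection: an appender grows the host by attaching its body.
        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b"<inert marker standing in for appended virus code>")
        # A dropped companion executable is another common indicator.
        with open(os.path.join(root, "update.exe"), "wb") as f:
            f.write(b"MZ dropped")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9s}: {files}")
```

The baseline is only as trustworthy as its storage: a virus running with the same privileges as the scan can rewrite the hash list as easily as the host file, so keep the baseline off the monitored machine or on read-only, signed media, and compare against vendor-published hashes when an executable is expected to change.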


Working of Viruses: Attack Phase

- Viruses are programmed with trigger events to activate and corrupt systems
- Some viruses infect each time they are run; others infect only when a certain predefined condition is met, such as a user's specific task, a day, a time, or a particular event

Once viruses have spread themselves throughout the target system, they start corrupting the files and programs of the host system. Some viruses have trigger events that must occur before they corrupt the host system. Some viruses also contain bugs of their own; they replicate themselves and perform activities such as deleting files and increasing session time.

They corrupt their targets only after spreading as intended by their developers. Most viruses that attack target systems perform actions such as:
- Deleting files and altering the content of data files, thereby causing the system to slow down
- Performing tasks not related to applications, such as playing music and creating animations

[Figure 7.3: Working of Viruses in Attack Phase. Before the attack, file A (pages 1, 2, 3) and file B (pages 1, 2, 3) are stored contiguously; after the attack, the pages of A and B are interleaved on disk (A1, B3, B1, A3, B2, A2).]

Refer to this figure, which shows two files, A and B. In the first part, the two files are located one after the other in an orderly fashion. Once the virus code infects the files, it alters the positions of the pages that were placed consecutively, leading to inaccurate file allocations and causing the system to slow down as users try to retrieve their files. In this phase:
- Viruses execute when certain events are triggered
- Some execute and corrupt via built-in bug programs after being stored in the host's memory
- Most viruses are written to conceal their presence, attacking only after spreading in the host to the fullest extent


Ethical Hacking a n d C o u n te rm e a s u re s
V iru ses a n d W o rm s


W

h y

Exam 3 1 2 -5 0 C ertified Ethical H acker

D o

P e o p le

C r e a t e

C o m

p u t e r

r

V ir u s e s

UrtifWd

C

o m

c

u


| ttkiul

Km Im

p u t e r V ir u s e s

I n f lic t d a m a g e t o c o m p e tito r s

J
J
J

F in a n c ia l b e n e fits

R e s e a rc h p r o je c ts

P la y p r a n k

V a n d a lis m

C y b e r te r r o r is m

D is tr ib u te p o litic a l m e ssa g e s
V u ln e r a b le S y s te m

C o p y rig h t © b y E & C a u a c tl. A ll R ig h ts R e se rve d . R e p ro d u c tio n is S tr ic tly P ro h ib ite d .

Why Do People Create Computer Viruses?

Source: http://www.securitydocs.com

Computer viruses are not self-generated; they are created by cyber-criminal minds and intentionally designed to cause destructive events in a system. Generally, viruses are created with a disreputable motive. Cyber-criminals create viruses to destroy a company's data, as an act of vandalism or a prank, or to destroy a company's products. However, in some cases, viruses are actually intended to be good for a system: these are designed to improve a system's performance by deleting previously embedded viruses from files.

Some reasons viruses have been written include:
• Inflict damage to competitors
• Research projects
• Pranks
• Vandalism
• Attack the products of specific companies
• Distribute political messages
• Financial gain
• Identity theft
• Spyware
• Cryptoviral extortion


Indications of Virus Attacks

Slide summary:
• Processes take more resources and time
• Computer slows down when programs start
• Computer freezes frequently or encounters errors

An effective virus tends to multiply rapidly and may infect a number of machines within three to five days. Viruses can infect Word files which, when transferred, can infect the machines of the users who receive them. A virus can also make good use of file servers in order to infect files. The following are indications of a virus attack on a computer system:
• Programs take longer to load
• The hard drive is always full, even without installing any programs
• The floppy disk drive or hard drive runs when it is not being used
• Unknown files keep appearing on the system
• The keyboard or the computer emits strange or beeping sounds
• The computer monitor displays strange graphics
• File names turn strange, often beyond recognition
• The hard drive becomes inaccessible when trying to boot from the floppy drive
• A program's size keeps changing
• The memory on the system seems to be in use and the system slows down


How Does a Computer Get Infected by Viruses?

Slide summary:
• When a user accepts files and downloads without checking properly for the source
• Opening infected e-mail attachments
• Installing pirated software
• Not updating and not installing new versions of plug-ins
• Not running the latest anti-virus application

There are many ways in which a computer gets infected by viruses. The most popular methods are as follows:
• When a user accepts files and downloads without checking properly for the source.
• Attackers usually send virus-infected files as email attachments to spread the virus on the victim's system. If the victim opens the mail, the virus automatically infects the system.
• Attackers incorporate viruses in popular software programs and upload the infected software on websites intended for downloading software. When the victim downloads the infected software and installs it, the system gets infected.
• Failing to install new versions or update with the latest patches intended to fix the known bugs may expose your system to viruses.
• As technology advances, attackers also keep designing new viruses. Failing to use the latest antivirus applications may expose you to virus attacks.


Common Techniques Used to Distribute Malware on the Web

Source: Security Threat Report 2012 (http://www.sophos.com)

Blackhat Search Engine Optimization (SEO): Using this technique the attacker ranks malware pages highly in search results.

Social Engineered Click-jacking: The attackers trick users into clicking on innocent-looking web pages that contain malware.

Spearphishing Sites: This technique is used for mimicking legitimate institutions, such as banks, in an attempt to steal account login credentials.

Malvertising: Embeds malware in ad networks that display across hundreds of legitimate, high-traffic sites.

Compromised Legitimate Websites: Host embedded malware that spreads to unsuspecting visitors.

Drive-by Downloads: The attacker exploits flaws in browser software to install malware just by visiting a web page.


Virus Hoaxes and Fake Antiviruses

Slide summary:
• Hoaxes are false alarms claiming reports about a non-existing virus, which may contain virus attachments
• Warning messages propagating that a certain email message should not be viewed, and that doing so will damage one's system
• Attackers disguise malware as an antivirus and trick users into installing it on their systems
• Once installed, these fake antiviruses can damage target systems similar to other malware

[Slide screenshot: a forwarded hoax warning email; its text is reproduced in Figure 7.3]

Virus Hoaxes and Fake Antiviruses

Virus Hoaxes

A virus hoax is simply a bluff. Viruses, by their nature, have always created a horrifying impression. Hoaxes are typically untrue scare alerts that unscrupulous individuals send to create havoc. It is fairly common for innocent users to pass these phony messages along thinking they are helping others avoid the "virus."
• Hoaxes are false alarms claiming reports about non-existing viruses
• These warning messages, which can propagate rapidly, state that a certain email message should not be opened and that doing so would damage one's system
• In some cases, these warning messages themselves contain virus attachments
• These possess the capability of vast destruction on target systems

Many hoaxes try to "sell" things that are technically nonsense. Nevertheless, the hoaxer has to be somewhat of an expert to spread hoaxes in order to avoid being identified and caught. Therefore, it is a good practice to look for technical details about how one would become infected. Also search for information in the wild to learn more about the hoax, especially by scanning bulletin boards where people actively discuss current happenings in the community.


Try to cross-check the identity of the person who has posted the warning. Also look for more information about the hoax/warning from secondary sources. Before jumping to conclusions by reading certain documents on the Internet, check the following:
• If it is posted by newsgroups that are suspicious, cross-check the information with another source
• If the person who has posted the news is not a known person in the community or an expert, cross-check the information with another source
• If a government body has posted the news, the posting should also have a reference to the corresponding federal regulation
• One of the most effective checks is to look up the suspected hoax virus by name on antivirus software vendor sites
• If the posting is technical, hunt for sites that would cater to the technicalities, and try to authenticate the information

Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS
PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS! You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEJING' or 'RESIGNATION OF BARACK OBAMA', regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then 'burns' the whole hard C disc of your computer.
This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus.
This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.
COPY THIS EMAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US.
End-of-mail
Thanks.

FIGURE 7.3: Hoax Warning Message

Fake Antiviruses

A fake antivirus is a method hackers use to compromise a system: it can poison the system and corrupt the registry and system files to allow the attacker to take full control of and access to your computer. It appears and performs similarly to a real antivirus program.

Fake antivirus programs first appear in the browser and warn users that they have various security threats on their system, and this message is backed up by real suspicious viruses. When the user tries to remove the viruses, they are navigated to another page where they need to buy or subscribe to that antivirus and proceed to enter payment details. These fake antivirus programs have been fabricated in such a way that they draw the attention of the unsuspecting user into installing the software.

Some of the methods used to extend the usage and installation of fake antivirus programs include:
• Email and messaging: Attackers use spam email and social networking messages to spread this type of infected email to users and prod the user to open the attachments for software installation.


• Search engine optimization: Attackers generate pages related to popular or current search terms and plant them so that they appear as the most prominent and latest results in search engines. The web pages show alerts about infection that encourage the user to buy the fake antivirus.
• Compromised websites: Attackers secretly break into popular sites to install the fake antiviruses, which can be used to entice users to download the fake antivirus by relying on the site's popularity.

[Screenshot of a fake antivirus window showing "Protection", "Privacy", a file "Path" column, and "Infections: 35"]

FIGURE 7.4: Example of a Fake Antivirus


Virus Analysis: DNSChanger

Slide summary:
• DNSChanger (Alureon) modifies the DNS settings on the victim PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information
• It spreads through emails, social engineering tricks, and untrusted downloads from the Internet
• It acts as a bot and can be organized into a BotNet and controlled from a remote location
• DNSChanger malware achieves the DNS redirection by modifying the following registry key setting against an interface device such as a network card:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%Random CLSID%\NameServer
• DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that, as part of the BotNet takedown, the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names

http://www.totaldefense.com

Virus Analysis: DNSChanger

Source: http://www.totaldefense.com

DNSChanger (Alureon) is malware that spreads through emails, social engineering tricks, and untrusted downloads from the Internet. It acts as a bot and can be organized into a botnet and controlled from a remote location. This malware achieves DNS redirection by modifying the system registry key settings for an interface device such as a network card.

DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that, as part of the botnet takedown, the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names. The malware can modify the DNS settings on the victim's PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information.
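As an added example (not from the module or from Total Defense), the following Python checks for the kind of per-interface resolver tampering described above: it parses a `.reg` export of the Interfaces key, collects each interface's NameServer and DhcpNameServer values, and flags any resolver that is not on an organization's allow-list. The export text, interface GUIDs and IP addresses are constructed for illustration; the allow-list is an assumed input.

```python
import re
from ipaddress import ip_address

# Registry key named in the DNSChanger analysis; per-interface subkeys sit below it.
INTERFACES_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
                  r"\Tcpip\Parameters\Interfaces")

# Constructed .reg export (not from a real system): one interface keeps the expected
# resolver, the other has been rewritten to addresses the organization does not use.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"EnableDHCP"=dword:00000001
"DhcpNameServer"="10.0.0.53"
"NameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}]
"EnableDHCP"=dword:00000000
"NameServer"="198.51.100.7,198.51.100.8"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_SZ_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # plain REG_SZ lines only


def parse_interface_dns(reg_text):
    """Map each Interfaces subkey (interface GUID) to its resolver lists."""
    found = {}
    current = None
    prefix = (INTERFACES_KEY + "\\").lower()
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            path = key.group(1)
            # Only subkeys of Interfaces matter; any other key resets the state.
            current = path[len(prefix):] if path.lower().startswith(prefix) else None
            continue
        value = _SZ_RE.match(line)
        if current is None or not value:
            continue
        name, data = value.groups()
        if name.lower() in ("nameserver", "dhcpnameserver"):
            # Windows separates multiple resolvers with commas or spaces.
            found.setdefault(current, {})[name] = [s for s in re.split(r"[ ,]+", data) if s]
    return found


def find_rogue_dns(reg_text, allowed):
    """Return (interface, value_name, server, reason) for every resolver not allowed."""
    allowed_addrs = {ip_address(a) for a in allowed}
    findings = []
    for iface, values in parse_interface_dns(reg_text).items():
        for name, servers in values.items():
            for server in servers:
                try:
                    addr = ip_address(server)
                except ValueError:
                    findings.append((iface, name, server, "not an IP address"))
                    continue
                if addr not in allowed_addrs:
                    findings.append((iface, name, server, "not in allow-list"))
    return findings


if __name__ == "__main__":
    # Assumed allow-list: the organization's single internal resolver.
    for hit in find_rogue_dns(SAMPLE_REG, ["10.0.0.53"]):
        print("suspicious resolver:", hit)
```

Run the same check against a real export (`reg export` of the Interfaces key) with your own resolver list; an interface whose NameServer points outside that list is the symptom described in the analysis.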
