Virus Worms Xplendor


8/2/2019 Virus Worms Xplendor

Virus & Worms: Virus Analysis

By Sunny Vaghela

Session Flow

Spyware Overview
Difference between Virus, Worms & Trojans
Virus Life Cycle
Modes of Transmission
Methods to Avoid Detection
Virus Analysis
Virus Detection

Spyware Overview

Spyware is a piece of software that gets installed on your computer without your consent.

It collects your personal information without you being aware of it.

It changes how your computer or web browser is configured and bombards you with online advertisements.

Spyware programs are notorious for being difficult to remove on your own, and they slow down your PC.

The program gets installed in the background while you are doing something else on the Internet.

Spyware has become fairly widespread because your cable modem or DSL connection is always connected.

Difference Between Virus, Worms & Trojans

A virus is an application that self-replicates by injecting its code into other data files. A virus spreads and attempts to consume specific targets, which are normally executables.

A worm copies itself over a network. It is a program that views the infection point as another computer rather than as other executable files on an already infected computer.

A Trojan is a program that, once executed, performs a task other than the one expected.

Modes of Transmission

IRC
ICQ
Email Attachments
Physical Access
Browser & Email Software Bugs
Advertisements
NetBIOS
Fake Programs
Untrusted Sites & Freeware Software

Virus Properties

Your computer can be infected even if files are just copied.
Can be polymorphic.
Can be memory or non-memory resident.
Can be a stealth virus.
Viruses can carry other viruses.
Can make the system never show outward signs.
Can stay on the computer even if the computer is formatted.

Virus Properties

Most viruses operate in two phases.

1. Infection Phase - In this phase the virus developer decides
- when to infect a program
- which programs to infect

Some viruses infect the computer as soon as the virus file is installed on the computer.
Some viruses infect the computer at a specific date, time or particular event.
TSR (terminate and stay resident) viruses are loaded into memory and infect the PC later.

2. Attack Phase - In this phase the virus will
- delete files
- replicate itself to other PCs
- corrupt targets only

Virus Indications

Following are some of the common indications of a virus when it infects a system.

Files have stranger names than normal.
File extensions can also be changed.
Programs take longer to load than normal.
The computer's hard drive constantly runs out of free space.
The victim will not be able to open some programs.
Programs get corrupted without any reason.

Trojans

Trojans work on a client/server model.

[Diagram: Hacker - Server - Victim; Hacker - Client - Victim]

Reverse Connection Trojans - The victim will connect to the client's computer after the infection phase.
Example: Poison Ivy

Direct Connection Trojans - The client will connect to the server after the infection phase.
Example: Prorat

Virus Types

Following are some of the common types of virus.

Macro Virus - Spreads & infects database files.
File Virus - Infects executables.
Source Code Virus - Affects & damages source code.
Network Virus - Spreads via network elements & protocols.
Boot Virus - Infects boot sectors & records.
Shell Virus - The virus code forms a shell around the target host's genuine program and hosts it as a subroutine.
Terminate & Stay Resident Virus - Remains permanently in memory during the work session, even after the target host is executed & terminated.

Methods to Avoid Detection

Same last modified date
Overwriting unused areas of .exe files
Killing tasks of antivirus software
Avoiding bait files & other undesirable hosts
Making a stealth virus
Self modification on each infection
Encryption with variable key
Polymorphic code

Same Last Modified Date

In order to avoid detection by users, some viruses employ different kinds of deception.

Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus.

This approach sometimes fools anti-virus software.

Killing Antivirus Tasks

Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them.

Avoiding Bait Files

Bait files (or goat files) are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus.

Many anti-virus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected.

Anti-virus professionals can use bait files to take a sample of a virus.
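The "same last modified date" slide and the bait-file slide point at the same defensive lesson: a timestamp is not an integrity check, and a planted set of goat files is only useful if you can tell that their content changed. The Python below is an added example, not part of the original slides. It creates constructed goat files in a temporary directory, records a baseline, simulates an infection that appends bytes and then restores the original mtime with os.utime, and shows that comparing timestamps misses the change while comparing SHA-256 digests flags it. The file names, contents and the appended bytes are all made up for the demonstration.

```python
"""Added example (not from the slides): a hash baseline over goat files
catches a modification that preserves the 'last modified' timestamp."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths):
    """Record (mtime_ns, size, sha256) for every file in the monitored set."""
    result = {}
    for p in paths:
        st = os.stat(p)
        result[p] = (st.st_mtime_ns, st.st_size, sha256_of(p))
    return result


def check_by_mtime(base):
    """Naive check: files whose mtime differs from the baseline."""
    return sorted(p for p, (mtime, _, _) in base.items()
                  if os.stat(p).st_mtime_ns != mtime)


def check_by_hash(base):
    """Integrity check: files whose content digest differs from the baseline."""
    return sorted(p for p, (_, _, digest) in base.items()
                  if sha256_of(p) != digest)


def simulate_timestamp_preserving_modification(path, extra=b"\x90" * 16):
    """Constructed stand-in for a file infector that keeps the 'last modified'
    date unchanged: append bytes, then put the original mtime back."""
    st = os.stat(path)
    with open(path, "ab") as f:
        f.write(extra)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    """Plant three goat files, modify one quietly, run both checks.
    Returns (flagged_by_mtime, flagged_by_hash) as lists of basenames."""
    with tempfile.TemporaryDirectory() as d:
        goats = []
        for name in ("goat_a.com", "goat_b.exe", "goat_c.exe"):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"MZ" + name.encode() + b"\x00" * 64)  # constructed content
            goats.append(p)
        base = baseline(goats)
        simulate_timestamp_preserving_modification(goats[1])
        by_mtime = [os.path.basename(p) for p in check_by_mtime(base)]
        by_hash = [os.path.basename(p) for p in check_by_hash(base)]
        return by_mtime, by_hash


if __name__ == "__main__":
    flagged_mtime, flagged_hash = demo()
    print("flagged by mtime:", flagged_mtime)  # []
    print("flagged by hash :", flagged_hash)   # ['goat_b.exe']
```

In a real deployment the baseline is stored off the monitored host, since a virus that can rewrite files can also rewrite a baseline sitting next to them, and the size recorded in the baseline gives a cheap first-pass check before hashing.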

Stealth Request

Some viruses try to trick anti-virus software by intercepting its requests to the operating system.

The virus can then return an uninfected version of the file to the anti-virus software, so that it seems that the file is "clean".

Self Modifications

Some viruses try to trick anti-virus software by modifying themselves on each infection.

As the file signatures change, antivirus software finds it difficult to detect them.

Encryption with Variable Key

Some viruses use simple methods to encipher their code.

The virus is encrypted with a different encryption key on each infection.

The AV cannot scan such files directly using conventional methods.
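The self-modification and variable-key slides describe the same failure from the scanner's side: a detection that looks for fixed bytes stops matching once the body differs on every copy. The Python below is an added example, not from the slides or from any real product. It builds constructed samples by XORing a harmless marker string with different single-byte keys, shows that a fixed-byte scan finds only the plain copy, and shows the conventional analyst response of trying every single-byte key before matching. The marker string, file names and keys are all made up.

```python
"""Added example (not from the slides): a fixed byte signature versus copies
of the same body enciphered with a different single-byte XOR key each time."""

# Constructed marker standing in for a signature; it is ordinary text.
SIGNATURE = b"SAMPLE-MARKER-TEXT-NOT-REAL-MALWARE"


def xor_bytes(data, key):
    """XOR every byte of data with one key byte (the toy cipher used here)."""
    return bytes(b ^ key for b in data)


def make_constructed_samples():
    """Return {name: bytes}: one plain body, three enciphered copies of it
    under different keys, and a benign file with no marker at all."""
    body = b"\x00HEADER\x00" + SIGNATURE + b"\x00TRAILER\x00"
    return {
        "plain.bin": body,
        "enc_key_0x21.bin": xor_bytes(body, 0x21),
        "enc_key_0x5a.bin": xor_bytes(body, 0x5A),
        "enc_key_0xf3.bin": xor_bytes(body, 0xF3),
        "benign.bin": b"just an ordinary file with no marker",
    }


def naive_scan(samples):
    """Conventional signature scan: report names containing SIGNATURE as-is."""
    return sorted(n for n, data in samples.items() if SIGNATURE in data)


def xor_aware_scan(samples):
    """Try all 256 single-byte keys per sample; report (name, key) on the
    first key under which SIGNATURE appears (key 0 means unenciphered)."""
    hits = []
    for n, data in samples.items():
        for key in range(256):
            if SIGNATURE in xor_bytes(data, key):
                hits.append((n, key))
                break
    return sorted(hits)


if __name__ == "__main__":
    samples = make_constructed_samples()
    print("naive scan     :", naive_scan(samples))      # ['plain.bin']
    print("xor-aware scan :", xor_aware_scan(samples))  # four hits, benign.bin absent
```

Brute-forcing the key only works for ciphers this weak; for anything stronger, detection moves to the part of the file that cannot change, the decryption routine itself, or to behaviour observed after the body has been decrypted in memory.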

Virus Analysis

IDA Pro tool:
It is a disassembler & debugger tool.
Runs on both Linux & Windows.
Can be used in source code analysis, vulnerability research & reverse engineering.

Autoruns

Process Monitor

Process Explorer

Process Explorer (continued)

Virus Creation Kit & Virus Databases

Virus Creation Kits
Virus Creation Laboratory 1.0
Windows Virus Creation Kit
The SMEG Virus Creation Kit

Virus Databases
Norman Virus Encyclopedia
F-Secure Virus Info Center
Symantec Antivirus Research Center
Trend Micro Virus Encyclopedia