CEH Lab Manual
Viruses and Worms
Module 07

Module 07 - Viruses and Worms

Viruses and Worms

A virus is a self-replicating program that produces its own code by attaching copies of itself onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met.

Lab Scenario

A computer virus attaches itself to a program or file, enabling it to spread from one computer to another, leaving infections as it travels. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. A blended threat is a more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses, and malicious code into one single threat. Blended threats can use server and Internet vulnerabilities to initiate, then transmit and also spread an attack. The attacker would normally serve to transport multiple attacks in one payload. An attacker can launch a DoS attack or install a backdoor and maybe even damage a local system or network systems.

Since you are an expert Ethical Hacker and Penetration Tester, the IT director instructs you to test the network for any viruses and worms that damage or steal the organization's information. You need to construct viruses and worms and try to inject them in a dummy network (virtual machine) and check whether they are detected by antivirus programs or able to bypass the network firewall.

Lab Objectives

The objective of this lab is to make students learn how to create viruses and worms. In this lab, you will learn how to:
■ Create viruses using tools
■ Create worms using a worm generator tool

Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

To carry this out, you need:
■ A computer 
running Windows Server 2012 as host machine
■ Windows Server 2008, Windows, and Windows running on a virtual machine as guest machine
■ A web browser with Internet access
■ Administrative privileges to run tools

CEH Lab Manual Page 530    Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Duration

Time: 30 Minutes

Overview of Viruses and Worms

A virus is a self-replicating program that produces its own code by attaching copies of itself onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met.

Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Most worms are created only to replicate and spread across a network, consuming available computing resources. However, some worms carry a payload to damage the host system.

Lab Tasks

TASK: Overview

Recommended labs to assist you in creating viruses and worms:
■ Creating a virus using the JPS Virus Maker tool
■ Virus analysis using IDA Pro
■ Virus analysis using VirusTotal
■ Scan for viruses using Kaspersky Antivirus 2013
■ Virus analysis using OllyDbg
■ Creating a worm using the Internet Worm Maker Thing

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB

Creating a Virus Using the JPS Virus Maker Tool

JPS Virus Maker is a tool to create viruses. It also has a feature to convert a virus into a worm.
Lab Scenario

In recent years there has been a large growth in Internet traffic generated by malware, that is, Internet worms and viruses. This traffic usually only impinges on the user when either their machine gets infected or during the epidemic stage of a new worm, when the Internet becomes unusable due to overloaded routers. What is less well-known is that there is a background level of malware traffic at times of non-epidemic growth, and that anyone plugging an unfirewalled machine into the Internet today will see a steady stream of port scans, back-scatter from attempted distributed denial-of-service attacks, and host scans. We need to build better firewalls, protect the Internet router infrastructure, and provide early-warning mechanisms for new attacks.

Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behavior: whether they are detected by an antivirus and whether they bypass the firewall.

Lab Objectives

The objective of this lab is to make students learn and understand how to make viruses and worms.

Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

To carry out the lab, you need:
■ JPS tool located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Virus Construction Kits\JPS Virus Maker
■ A computer running Windows Server 2012 as host machine
■ Windows Server 2008 running on virtual machine as guest machine
■ Run this tool on Windows Server 2008
■ Administrative 
privileges to run tools

Lab Duration

Time: 15 Minutes

Overview of Virus and Worms

A virus is a self-replicating program that produces its own code by attaching copies of itself onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met.

Lab Tasks

TASK 1: Make a Virus

1. Launch your Windows Server 2008 virtual machine.
2. Navigate to Z:\CEHv8 Module 07 Viruses and Worms\Virus Construction Kits\JPS Virus Maker.
3. Launch the JPS Virus Maker tool. Installation is not required for JPS Virus Maker. Double-click and launch the jps.exe file.
4. The JPS (Virus Maker 3.0) window appears.

Note: Take a snapshot of the virtual machine before launching the JPS Virus Maker tool.

Note: The option Auto Startup is always checked by default and starts the virus whenever the system boots.

FIGURE 1.1: JPS Virus Maker main window (the Virus Options pane is a list of check boxes grouped as Disable ..., Hide ..., and Destroy ... options, for example Disable Registry, Disable TaskManager, Disable System Restore, Hide Services, Destroy Clipboard, plus Terminate Windows, Hide Cursor, and Auto Startup)

Note: This creation of a virus is only for knowledge purposes; don't misuse this tool.

5. JPS lists the Virus Options; check the options that you want to embed in a new virus file.

Note: A list of names for the virus after install is shown in the Name After Install drop-down list.

FIGURE 1.2: JPS Virus Maker main window with options selected

6. Select one of the radio buttons (Restart, Turn Off, Log Off, Hibernate, or None) to specify when the virus should start attacking the system after creation.
FIGURE 1.3: JPS Virus Maker main window with Restart selected

Note: A list of server names is present in the Server Name drop-down list. Select any server name.

7. Select the name of the service you want to make the virus behave like from the Name After Install drop-down list.

FIGURE 1.4: JPS Virus Maker main window with the Name After Install option

8. Select a server name for the virus from the Server Name drop-down list (the list offers names such as Svchost.exe, Kernel32.exe, spoolsv.exe, and ALG.EXE).

Note: Don't forget to change the settings for every new virus creation. Otherwise, by default, it takes the same name as an earlier virus.

FIGURE 1.5: JPS Virus Maker main window with Server Name option

9. Now, before clicking Create Virus!, change the settings and virus options by clicking the settings icon.
FIGURE 1.6: JPS Virus Maker main window with Settings option

10. Here you see more options for the virus. Check the options and provide the related information in the respective text fields.

TASK 2: Make a Worm

FIGURE 1.7: JPS Virus Maker Settings option (the settings pane offers Change XP Password, Change Computer Name, Change IE Home Page, Close Custom Window, Disable Custom Service, Disable Custom Process, Open Custom Website, Run Custom Command, Enable Convert to Worm (auto copy to paths) with Copy After and Worm Name fields, and a Change Icon section)

Note: You can select any icon from the Change Icon options. A new icon can be added apart from those on the list.

11. You can change the Windows XP password and the IE home page, close a custom window, disable a particular custom service, etc.
12. You can even allow the virus to convert to a worm. To do this, check the Enable Convert to Worm check box and provide a Worm Name.
13. For the worm to self-replicate after a particular time period, specify the time (in seconds) in the Copy After field.
14. You can also change the virus icon. Select the type of icon you want to view for the created virus by selecting the radio button under the Change Icon section.

Note: Make sure to check all the options and settings before clicking Create Virus!
FIGURE 1.8: JPS Virus Maker main window with Options (the Features list reads: Change XP Password, Change Computer Name, Change IE Home Page, Close Custom Windows, Disable Custom Service, Disable Process, Open Custom Website, Run Custom Command, Enable Convert To Worm - Auto Copy Server To Active Path With Custom Name & Time, Change Custom Icon For Your Created Virus (15 Icons))

15. After completing your selection of options, click Create Virus!

FIGURE 1.9: JPS Virus Maker main window with Create Virus! button

16. A pop-up window with the message Server Created Successfully appears. Click OK.

FIGURE 1.10: JPS Virus Maker Server Created Successfully message

17. The newly created virus (server) is placed automatically in the same folder as jps.exe, but with the name Svchost.exe.
18. Now pack this virus with a binder or virus packager and send it to the victim machine. ENJOY!
Lab Analysis

Document all the files, created viruses, and worms in a separate location.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB

Tool/Utility: JPS Virus Maker Tool
Information Collected/Objectives Achieved: To make a virus, the following options are used:
■ Disable Yahoo
■ Disable Internet Explorer
■ Disable Norton Antivirus
■ Disable McAfee Antivirus
■ Disable Taskbar
■ Disable Security Restore
■ Disable Control Panel
■ Hide Windows Clock
■ Hide All Tasks in Taskmgr
■ Change Explorer Caption
■ Destroy Taskbar
■ Destroy Offlines (YIMessenger)
■ Destroy Audio Services
■ Terminate Windows
■ Auto Startup

Questions

■ Infect a virtual machine with the created viruses and evaluate the behavior of the virtual machine.
■ Examine whether the created viruses are detected or blocked by any antivirus programs or antispyware.

Internet Connection Required: Yes / No
Platform Supported: iLabs

Lab: Virus Analysis Using OllyDbg

OllyDbg is a debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants, and strings, as well as locates routines from object files and libraries.

Lab Scenario

There are literally thousands of malicious logic programs, and new ones come out all the time, so that's why it's important to keep up to date with the new ones that come out. Many websites keep track of this. There is no known method for providing 100% 
protection for any computer or computer network from computer viruses, worms, and Trojan horses, but people can take several precautions to significantly reduce their chances of being infected by one of those malicious programs.

Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. In this lab OllyDbg is used to analyze a virus's registers, procedures, API calls, tables, libraries, constants, and strings.

Lab Objectives

The objective of this lab is to make students learn and understand the analysis of viruses.

Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

To carry out the lab, you need:
■ OllyDbg tool located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Debugging Tool\OllyDbg
■ A computer running Windows Server 2012 as host machine
■ You can also download the latest version of OllyDbg from the link http://www.ollydbg.de/
■ Run this tool on Windows Server 2012
■ Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of OllyDbg

The debugging engine is now more stable, especially if one steps into the exception handlers. There is a new debugging option, "Set permanent breakpoints on system calls." 
When active, it requests OllyDbg to set breakpoints on KERNEL32.UnhandledExceptionFilter(), NTDLL.KiUserExceptionDispatcher(), NTDLL.ZwContinue(), and NTDLL.NtQueryInformationProcess().

Lab Tasks

TASK 1: Debug a Virus

1. Launch the OllyDbg tool. Installation is not required for OllyDbg. Double-click and launch the ollydbg.exe file.
2. The OllyDbg window appears (menu bar: File, View, Debug, Trace, Options, Windows, Help; status line: OllyDbg v2.00 (intermediate version - under development!) Ready).

Note: You can also download the latest version of OllyDbg from the link http://www.ollydbg.de

FIGURE 5.1: OllyDbg main window

3. Go to File from the menu bar and click Open. Browse to D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Virus Total\tini.exe. Click Open.

[Figure: OllyDbg CPU window, main thread, module tini, after opening the file; the window tabs include Log, Watches, Search results, Run trace, INT3 breakpoints, Memory breakpoints, Hardware breakpoints, and Memory map, and the dump pane shows the mostly zero-filled bytes of the module]
[Figure: OllyDbg main window with the Log window opened from the View menu]

FIGURE 5.4: Select log information

Note: Breakpoints: OllyDbg supports all common kinds of breakpoints: INT3, memory, and hardware. You may specify the number of passes and set conditions for pause.

8. The output of log data of tini.exe is shown in the following figure. The Log data window records the opened file, the creation of the new process and its main thread, each loaded module with its base address (for example WSOCK32.dll, bcryptPrimitives.dll, CRYPTBASE.dll, SspiCli.dll, KERNEL32.DLL, RPCRT4.dll, and NSI.dll), notices such as "Different PE headers in file and in memory (System update is pending?)", and finally "Entry point of main module".

FIGURE 5.5: Output of Log data information of tini.exe

9. Click View from the menu bar, and click Executable modules (Alt+E).
10. The output of Executable modules is shown in the following figure.

Note: Watches: Watch is an expression evaluated each time the program pauses. You can use registers, constants, address expressions, Boolean and algebraical operations of any complexity.
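The Log data and Executable modules views above are read by eye in the lab; the following Python script is an added example (not from the CEH lab manual and not part of OllyDbg) of doing the same first-pass triage mechanically over a saved copy of the Log data text: it extracts each loaded module and its base address, attaches the "Different PE headers in file and in memory" notice to the module it follows, records the entry point, and flags any socket or HTTP libraries among the imports. The log lines are constructed to resemble the output shown for tini.exe, not a real capture, and the set of network-capable DLL names (NETWORK_DLLS) is an assumption chosen for triage.

```python
"""Triage of an OllyDbg 'Log data' listing: added example, not part of the CEH
lab manual or of OllyDbg.  The sample lines below are constructed to resemble
the Log data window shown for tini.exe; they are not a real capture."""
import re

# Constructed sample of the Log data window (modelled on Figure 5.5, not real).
SAMPLE_LOG = """\
OllyDbg v2.00 (intermediate version - under development!)
  File 'D:\\CEH-Tools\\CEHv8 Module 07 Viruses and Worms\\Viruses\\Virus Total\\tini.exe'
  New process (ID 000001F4) created
  Main thread (ID 00000400) created
00400000  Module D:\\CEH-Tools\\CEHv8 Module 07 Viruses and Worms\\Viruses\\Virus Total\\tini.exe
74E80000  Module C:\\Windows\\SYSTEM32\\WSOCK32.dll
          Different PE headers in file and in memory (System update is pending?)
754C0000  Module C:\\Windows\\SYSTEM32\\KERNEL32.DLL
          Different PE headers in file and in memory (System update is pending?)
76B60000  Module C:\\Windows\\SYSTEM32\\WS2_32.dll
77D40000  Module C:\\Windows\\SYSTEM32\\ntdll.dll
00401000  Entry point of main module
"""

MODULE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+Module\s+(.+?)\s*$")
ENTRY_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+Entry point of main module")
MISMATCH_MARK = "Different PE headers in file and in memory"

# Assumed set of socket/HTTP libraries worth flagging during triage; the
# analyst decides what a network import means for the sample under study.
NETWORK_DLLS = {"wsock32.dll", "ws2_32.dll", "wininet.dll", "urlmon.dll"}


def parse_log(text):
    """Return (modules, entry_point) from Log data text.

    modules: list of dicts with base, path, name and header_mismatch, in load
    order (the first module is the debuggee itself).  entry_point: int or None.
    """
    modules = []
    entry_point = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MODULE_RE.match(line)
        if m:
            path = m.group(2)
            modules.append({
                "base": int(m.group(1), 16),
                "path": path,
                "name": path.rsplit("\\", 1)[-1],
                "header_mismatch": False,
            })
            continue
        # The PE-header notice is printed under the module line it refers to.
        if MISMATCH_MARK in line and modules:
            modules[-1]["header_mismatch"] = True
            continue
        e = ENTRY_RE.match(line)
        if e:
            entry_point = int(e.group(1), 16)
    return modules, entry_point


def summarize(modules, entry_point):
    """Condense the parsed log into the facts an analyst notes first."""
    main = modules[0] if modules else None
    return {
        "main_module": main["name"] if main else None,
        "module_count": len(modules),
        "entry_point": entry_point,
        # An entry point below the main image base would be a red flag; the log
        # carries no image size, so only the lower bound is checked here.
        "entry_in_main_image": bool(main and entry_point is not None
                                    and entry_point >= main["base"]),
        "network_modules": [m["name"] for m in modules
                            if m["name"].lower() in NETWORK_DLLS],
        "header_mismatches": [m["name"] for m in modules if m["header_mismatch"]],
    }


if __name__ == "__main__":
    mods, ep = parse_log(SAMPLE_LOG)
    for key, value in summarize(mods, ep).items():
        print(f"{key}: {value}")
```

To use it on a real session, copy the Log window contents to a text file (the Log window's context menu offers this in OllyDbg) and pass the file's text to parse_log. The "Different PE headers" notice is informational in OllyDbg and commonly appears on system DLLs after a pending update, so the script reports it rather than treating it as a verdict.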
FIGURE 5.6: Output of Executable modules of tini.exe (each row gives the module's base address, entry point, size, and file path; the modules listed are tini, WSOCK32, bcryptPrimitives, CRYPTBASE, SspiCli, KERNEL32, RPCRT4, NSI, sechost, WS2_32, msvcrt, KERNELBASE, ntdll, and version)

11. Click View from the menu bar, and then click Memory map (Alt+M).
12. The output of Memory map is shown in the following figure.
Note: OllyDbg supports four different decoding modes: MASM, Ideal, HLA, and AT&T.

FIGURE 5.7: Output of Memory map of tini.exe (columns: Address, Size, Owner, Section, Contains, Type, Access, Initial access, Mapped as; the rows cover the stack of the main thread, the PE header and .text, .rdata, and .data sections of tini, and the PE header, code, imports, and data of each loaded DLL)

12. Click View from the menu bar, and then click Threads (Alt+T).
13. The output of Threads is shown in the following figure.

[Figure: OllyDbg Threads window for tini.exe (columns: Ident, Window's title, Last error, Entry, TIB, Suspend, Priority; the single thread shows Last error ERROR_SUCCESS)]

Creating a Worm Using the Internet Worm Maker Thing

FIGURE 6.3: Select the option for creating worm

10. Check the Change Homepage check box. In the URL field, enter http://www.powergym.com.
11. Check the Disable Windows Security, Disable Norton Security, Uninstall Norton Script Blocking, Disable Micro Security, Disable Run Command, Disable Shutdown, Disable Logoff, Disable Windows Updates, No Search Command, Swap Mouse Buttons, and Open Webpage check boxes.
12. Check the Change IE Title Bar, Change Win Media Player Txt, Open CD Drive, and Lock Workstation check boxes.

[Figure: Internet Worm Maker Thing Version 4.00: Public Edition main window with the Payloads options from steps 10-12 selected]
FIGURE 6.5: Select the option for creating worm

18. Check the Change Date check box, and enter the DD, MM, and YY in the respective fields.
19. Check the Loop Sound, Hide Desktop, Disable Malware Remove, Disable Windows File Protection, Corrupt Antivirus, and Change Computer Name check boxes.
20. Check the Change Drive Icon, Add To Context Menu, Change Clock Text, Keyboard Disco, and Add To Favorites check boxes.
Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

FIGURE 6.6: Select the option for creating worm

21. Check the Exploit Windows Admin Lockout Bug and Blue Screen of Death check boxes.
22. Check the Infect Bat Files check box from Infection Options.
23. Check the Hide Virus Files check box from Extras.
24. Click Generate Worm in Control Panel.

[Figure: Internet Worm Maker Thing Version 4.00: Public Edition, Payloads pane]