Ethical Hacking and Countermeasures
Module 07: Viruses and Worms
Exam 312-50 Certified Ethical Hacker
Engineered by Hackers. Presented by Professionals.

Module Page 1007
Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Security News

Global Cyber-Warfare Tactics: New Malware used in Flame-linked "Cyber-Espionage"

Source: http://www.globalresearch.ca

A new cyber espionage program linked to the notorious Flame and Gauss malware has been detected by Russia's Kaspersky Lab. The antivirus giant's chief warns that global cyber warfare is in "full swing" and will probably escalate in 2013.

The virus, dubbed miniFlame, and also known as SPE, has already infected computers in Iran, Lebanon, France, the United States, and Lithuania. It was discovered in July 2 and is described as "a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a statement posted on its website.

The malware was originally identified as an appendage of Flame, the program used for targeted cyber espionage in the Middle East and acknowledged to be part of joint US-Israeli efforts to undermine Iran's nuclear program.

But later, Kaspersky Lab analysts discovered that miniFlame is an "interoperable tool that could be used as an independent malicious program, or concurrently as a plug-in for both the Flame and Gauss malware."

The analysis also showed new evidence of cooperation between the creators of Flame and Gauss, as both viruses can use miniFlame for their operations.

"MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory," Kaspersky Lab said.

High-precision attack tool

So far just to cases of infection have been detected worldwide, according to Kaspersky Lab. But unlike Flame and Gauss, miniFlame is meant for installation on machines already infected by those viruses.

"MiniFlame is a high-precision attack tool. Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyber
attack," Kaspersky's Chief Security Expert Alexander Gostev explained. "First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage."

The newly-discovered malware can also take screenshots of an infected computer while it is running a specific program or application such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service, or FTP client. Kaspersky Lab believes miniFlame's developers have probably created dozens of different modifications of the program. "At this time, we have only found six of these, dated -1," the firm said.

'Cyberwarfare in full swing'

Meanwhile, Kaspersky Lab's co-founder and CEO Eugene Kaspersky warned that global cyber warfare tactics are becoming more sophisticated while also becoming more threatening. He urged governments to work together to fight cyber warfare and cyber-terrorism, Xinhua news agency reports.

Speaking at an International Telecommunication Union Telecom World conference in Dubai, the antivirus tycoon said, "cyber warfare is in full swing and we expect it to escalate in 2013."

"The latest malicious virus attack on the world's largest oil and gas company, Saudi Aramco, last August shows how dependent we are today on the Internet and information technology in general, and how vulnerable we are," Kaspersky said.

He stopped short of blaming any particular player behind the massive cyber-attacks across the Middle East, pointing out that "our job is not to identify hackers or cyber-terrorists. Our firm is like an X-ray machine, meaning we can scan and identify a problem, but we cannot say who or what is behind it."

Iran, who confirmed that it suffered an attack by Flame malware that caused severe data loss, blames the United States and Israel for unleashing the cyber-attacks.

Copyright © 2005-2012 GlobalResearch.ca
By Russia Today
http://www.globalresearch.ca/global-cyber-warfare-tactics-new-flame-linked-malware-used-in-cyber-espionage/58

Module Objectives

- Introduction to Viruses
- Stages of Virus Life
- Working of Viruses
- Indications of Virus Attack
- How does a Computer Get Infected by Viruses
- Virus Analysis
- Types of Viruses
- Virus Maker
- Computer Worms
- Worm Analysis
- Worm Maker
- Malware Analysis Procedure
- Online Malware Analysis Services
- Virus and Worms Countermeasures
- Antivirus Tools
- Penetration Testing for Virus

The objective of this module is to expose you to the various viruses and worms in circulation today. It examines the workings of a computer virus, its function, classification, and the manner in which it affects systems, and goes into detail about the countermeasures available to protect against virus infections. The main objective is to educate you about the known viruses and worms, the indications of their attack, the ways to protect against them, and how to test your system or network for the presence of viruses or worms.

Module Flow

Virus and Worms Concepts | Types of Viruses | Computer Worms | Malware Analysis | Countermeasures | Penetration Testing

This section introduces you to the various viruses and worms found today, gives a brief overview of each, and presents statistics on viruses and worms in recent years. It lists the various types of viruses and their effects on your system. The working of viruses in each phase is discussed in detail, and the techniques attackers use to distribute malware on the web are highlighted.

Introduction to Viruses

A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector, or document. Viruses are generally transmitted through file downloads, infected disks/flash drives, and email attachments.

Virus characteristics:

- Infects other programs
- Alters data
- Transforms itself
- Corrupts files and programs
- Encrypts itself
- Self-propagates

Computer viruses have the potential to wreak havoc on both business and personal computers; worldwide, most businesses have been infected at some point. A virus is a self-replicating program that reproduces by inserting copies of its code into other executable code. It operates without the knowledge or consent of the user. Like a biological virus, a computer virus is contagious and can contaminate other files. However, a virus reaches other machines only with the assistance of computer users: an infected file has to be copied, mailed, or carried there. Some viruses act as soon as their code is executed; others lie dormant until a pre-determined logical condition (a date, a counter, a particular program being run) is met.

There are three categories of malicious programs:

- Trojans and rootkits
- Viruses
- Worms

A worm is a malicious program that can infect both local and remote machines. Worms spread automatically by infecting system after system in a network, and even spread further to other networks. Worms therefore have a greater potential for causing damage, because they do not rely on the user's actions for execution. There are also malicious programs in the wild that combine the features of all three categories.

Virus and Worm Statistics

Source: http://www.av-test.org

This graph gives an overview of the malware recorded in recent years. According to the graph, the count for 2008 was only a small fraction of the count for 2012, which means that the volume of malware is growing roughly exponentially year by year. Note that AV-Test's figures count malware samples in its collection, not infected systems.
Figure: Virus and Worm Statistics, 2008-2012 (source: http://www.av-test.org)

Virus Detection Methods

Scanning: Once a virus has been detected, it is possible to write scanning programs that look for signature strings characteristic of the virus.

Integrity Checking: Integrity checking products work by reading the entire disk and recording integrity data that acts as a signature for the files and system sectors.

Interception: The interceptor monitors the operating system requests that are written to the disk.

A virus scanner is an important piece of software that one should have installed on the PC. If there is no scanner, there is a high chance that the system will be hit by a virus. The virus protector should be run regularly on the PC, and the scan engine and virus signature database have to be updated often. Antivirus software is of no use if it does not know what to look for in the latest virus. One should always remember that an antivirus program cannot stop everything. The rule of thumb is that if an email looks suspicious, e.g., if one is not expecting an email from the sender, does not know the sender, or the header looks like something a known sender would not normally say, one must be careful about opening the email, as there is a risk of becoming infected by a virus. The MyDoom worm (W32.Novarg.A@mm) infected many Internet users in 2004, and it reached most of them through email. The three main methods for antivirus detection are:

- Scanning
- Integrity checking
- Interception

In addition, a combination of these techniques is more effective than any one of them alone.

Scanning

- The moment a virus is detected in the wild, antivirus vendors across the globe start writing scanning programs that look for its signature strings (byte sequences characteristic of the virus).
- The strings are identified and extracted from the virus by the scanner writers. The resulting new scanners search memory, files, and system sectors for the signature strings of the new virus. The scanner declares the presence of a virus once it finds a match.
- Only known and pre-defined viruses can be detected. Virus writers often create many "new" viruses by altering an existing one; what looks like a new virus may have taken just a few minutes to create. Attackers make these changes frequently to throw off the scanners.
- In addition to signature recognition, newer scanners use other detection techniques such as code analysis. Before looking at the code characteristics of a virus, the scanner examines the code at various locations in an executable file.
- Another approach is for the scanner to set up a virtual computer in RAM and test programs by executing them in that virtual space. This emulation, together with rule-based inspection of suspicious code, is called "heuristic scanning" and lets the scanner flag samples it has never seen; the same engine can also check and remove email messages that might contain a virus or other unwanted content.

The major advantages of scanners are:

- They can check programs before they are executed.
- They are the easiest way to check new software for any known virus.

The major drawbacks of scanners are:

- Old scanners are unreliable. With the tremendous increase in new viruses, old scanners quickly become obsolete. It is best to use the latest scanners available on the market.
- Even a new scanner is never equipped to handle all new challenges, since viruses appear more rapidly than new scanners can be developed to battle them.

Integrity Checking

- Integrity checking products perform their function by reading files and system sectors and recording integrity data (typically a cryptographic hash of each object) to establish a signature or baseline for them.
- Integrity products check any program against that baseline, with built-in intelligence about which changes are expected. Because this detects changes regardless of whether the virus is known, it is the one method that catches threats a signature scanner has never seen.
- The most reliable way to know the amount of damage done by a virus is provided by these integrity checkers, since they can check data against the originally established baseline.
- A disadvantage of a basic integrity checker is that it cannot differentiate file corruption caused by a bug from corruption caused by a virus, nor a legitimate update from an infection.
- However, some advanced integrity checkers are capable of analyzing and identifying the types of changes that viruses make. A few integrity checkers combine other antivirus techniques with integrity checking to create a hybrid, which also simplifies the virus checking process.
- The baseline is only as trustworthy as the system it was taken on and the place it is stored: take it on a known-clean system and keep it where the monitored host cannot rewrite it, or a virus that modifies the baseline along with the files will go unnoticed.

Interception

- The main use of an interceptor is deflecting logic bombs and Trojans.
- The interceptor controls requests to the operating system for network access or for actions that pose a threat to the program. If it finds such a request, the interceptor generally pops up and asks whether the user wants to allow the request to continue.
- There is no dependable way to intercept direct branches to low-level code or direct input/output instructions issued by the virus.
- In some cases the virus is capable of disabling the monitoring program itself. Some years back it took only eight bytes of code to turn off the monitoring functions of a widely used antivirus program.

Virus and Worms Countermeasures

Preventive measures need to be followed in order to lessen the possibility of virus infections and data loss. If certain rules and actions are adhered to, the possibility of falling victim to a virus can be minimized. Some of these methods include:

- Install antivirus software that detects and removes infections as they appear.
- Generate an antivirus policy for safe computing and distribute it to the staff.
- Pay attention to the instructions while downloading files or any programs from the Internet.
- Update the antivirus software regularly, so that it can identify and clean out new threats; vendors publish signature updates at least daily, so a monthly update schedule leaves a wide window of exposure.
- Avoid opening attachments received from an unknown sender, as viruses spread via email attachments.
- Virus infection may corrupt data, so maintain regular data backups.
- Schedule regular scans for all drives after the installation of antivirus software.
- Do not accept disks or programs without checking them first using a current version of an antivirus program.

Virus and Worms Countermeasures (Cont'd)

- Ensure the executable code sent to the organization is approved.
- Run disk clean up, registry scanner, and defragmentation once a week.
- Do not boot the machine with an infected bootable system disk.
- Turn on the host firewall (Windows XP and later include one).
- Keep informed about the latest virus threats.
- Run anti-spyware or adware scans once a week.
- Check DVDs and CDs for virus infection.
- Block files with more than one file type extension (for example, invoice.pdf.exe), a common trick for disguising an executable as a document.
- Ensure the pop-up blocker is turned on and use an Internet firewall.
- Be cautious with files sent through instant messengers.

Companion Antivirus: Immunet
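The "block files with more than one file type extension" countermeasure is easy to state and easy to get wrong (a naive rule would also block report.2019.pdf and archive.tar.gz). The filter below is an added example written for this module, not code from the courseware or from any mail gateway product; the extension policy list and the sample attachment names are constructed for illustration and should be tuned to your environment.

```python
"""Attachment filter that enforces the "block files with more than one file
type extension" countermeasure.  Added example for this module; not code
from the courseware or from any mail gateway product.  The extension lists
and the sample attachment names are constructed for illustration."""
from __future__ import annotations

import os
import re

# Extensions Windows will run directly or that carry scripts/macros.
# Assumed policy list: extend it for your environment.
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe", ".js",
    ".jse", ".wsf", ".wsh", ".ps1", ".hta", ".msi", ".dll", ".lnk", ".jar",
}

# Legitimate compound extensions that must not count as "two extensions".
ALLOWED_COMPOUND = (".tar.gz", ".tar.bz2", ".tar.xz")

# A dot-separated part counts as an extension only if it looks like one:
# short, alphanumeric and not purely numeric ("report.2019.pdf" has one).
_EXT_PART = re.compile(r"[a-z0-9]{1,5}")


def split_extensions(filename: str) -> list[str]:
    """Return the plausible extensions of a filename, lower-cased, in order.

    'Invoice.PDF.exe' -> ['.pdf', '.exe'];  'script.vbs.' -> ['.vbs']
    (Windows silently drops a trailing dot, so that file still runs).
    Whitespace padding used to push the real extension off-screen is stripped.
    """
    base = os.path.basename(filename).strip().lower()
    parts = [p.strip() for p in base.split(".")]
    if parts and parts[0] == "":   # dotfile such as .bashrc: leading dot is not an extension
        parts = parts[1:]
    return ["." + p for p in parts[1:]
            if p and _EXT_PART.fullmatch(p) and not p.isdigit()]


def classify_attachment(filename: str) -> tuple[str, str]:
    """Return ('block' | 'allow', reason) for one attachment name."""
    base = os.path.basename(filename).strip().lower()
    for compound in ALLOWED_COMPOUND:
        if base.endswith(compound):
            return "allow", f"known compound extension {compound}"
    exts = split_extensions(filename)
    if not exts:
        return "allow", "no extension"
    if exts[-1] in EXECUTABLE_EXTS:
        # The last extension is what the OS acts on; a decoy in front of it
        # (invoice.pdf.exe) does not change that, so executables are blocked outright.
        return "block", f"executable extension {exts[-1]}"
    if len(exts) > 1:
        return "block", f"multiple extensions {''.join(exts)}"
    return "allow", f"single extension {exts[-1]}"


def blocked_attachments(filenames: list[str]) -> list[str]:
    """Names from filenames that the policy would block, in input order."""
    return [name for name in filenames if classify_attachment(name)[0] == "block"]


# Constructed sample attachment names (not taken from any real mail log).
SAMPLE_ATTACHMENTS = [
    "quarterly_report.pdf",
    "invoice.pdf.exe",
    "photo.jpg      .scr",
    "Setup.MSI",
    "archive.tar.gz",
    "notes.2019.txt",
    "README",
    "script.vbs.",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        verdict, reason = classify_attachment(name)
        print(f"{verdict:5s}  {name!r:26s}  {reason}")
```

The policy deliberately blocks anything whose final extension is executable even when it is the only extension; the double-extension rule then catches decoy names such as report.doc.zip, where the final type is not executable but the layout is still the disguise pattern the countermeasure is aimed at. A name such as backup.v2.xlsx will be treated as two extensions; add such cases to a site-specific allow list rather than loosening the rule.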
Figure: Immunet community dashboard (2,478,268 people protected)

Penetration Testing for Viruses (Cont'd)

Step 4: Set the antivirus to quarantine or delete the virus. Set your antivirus software to compare file contents with the known computer virus signatures, identify infected files, quarantine and repair them if possible, or delete them if not.

Step 5: Go to safe mode and delete the infected file manually. If the virus is not removed, boot into safe mode and delete the infected file manually.

Flow: if the system is not infected, it is safe. Otherwise apply Step 4; if the virus is removed, the system is safe; if not, apply Step 5.

Penetration Testing for Virus (Cont'd)

- Scan the system for running processes, registry entries, startup programs, files and folders integrity, and services. Use tools such as What's Running and Winsonar to list running processes.
- Scan the registry. Use tools such as jv16 PowerTools 2012 and Reg Organizer.
- Scan for Windows services. Use tools such as SrvMan and ServiWin.
- Scan for startup programs. Use tools such as Starter, Security AutoRun, and Autoruns. Check the startup programs and determine whether every program in the list can be recognized and has a known function.
- If any suspicious process, registry entry, startup program, or service is discovered, check the associated executable files. Collect more information about them from the publisher's website, if available, and from the Internet.
- Scan for files and folders integrity. Check the data files for modification or manipulation by opening several files and comparing the hash value of each file with a pre-computed hash.
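The integrity-checking method described under Virus Detection Methods and the last pentest step above (compare file hashes with a pre-computed hash) are the same technique; placing it next to a string signature scan shows what each one does and does not see. This is an added example written for this module, not code from the courseware or from any antivirus product; the signature strings, the file names, and the simulated "infection" are all constructed, and the baseline is written beside the monitored tree only because it is a demo.

```python
"""Integrity checking (hash baseline and compare) next to a string signature
scan.  Added example for this module; not code from the courseware or from
any antivirus product.  Signatures, file names and the "infection" below are
all constructed for illustration."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Constructed signature strings.  A real scanner uses far richer patterns, but
# the matching step (look for known bytes in files, memory and sectors) is the same.
SIGNATURES = {
    "Example.Appender.A": b"EXAMPLE-SIGNATURE-STRING-NOT-REAL-MALWARE",
    "Example.Appender.B": b"ANOTHER-CONSTRUCTED-SIGNATURE",
}


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries stay out of memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _regular_files(root: Path):
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            yield path


def build_baseline(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in _regular_files(root)}


def save_baseline(baseline: dict[str, str], store: Path) -> None:
    # Keep this file off the monitored host (or on read-only media): a virus
    # that can rewrite the baseline along with the files defeats the check.
    store.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(store: Path) -> dict[str, str]:
    return json.loads(store.read_text())


def compare_to_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, removed or modified since the baseline was taken.

    Every change is reported: the checker cannot tell a virus from a bug or a
    legitimate update, which is why the result still needs a scanner or a human.
    """
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p] != baseline[p]),
    }


def signature_scan(root: Path, signatures: dict[str, bytes] = SIGNATURES) -> dict[str, list[str]]:
    """Map relative path -> names of the signatures found in that file's bytes."""
    hits: dict[str, list[str]] = {}
    for path in _regular_files(root):
        data = path.read_bytes()
        found = [name for name, pattern in signatures.items() if pattern in data]
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def demo() -> dict:
    """Baseline a constructed file tree, simulate an infection, and report what
    each detection method sees."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"legit code")
        (root / "readme.txt").write_text("hello")
        store = Path(tmp) / "baseline.json"   # beside the tree only for the demo
        save_baseline(build_baseline(root), store)

        # Simulated infection: a known file infector appends itself to app.exe,
        # an unknown dropper appears, and a data file is altered.
        with (root / "bin" / "app.exe").open("ab") as fh:
            fh.write(SIGNATURES["Example.Appender.A"])
        (root / "bin" / "dropper.dll").write_bytes(b"MZ" + b"bytes no signature covers")
        (root / "readme.txt").write_text("hell0")

        return {
            "integrity": compare_to_baseline(root, load_baseline(store)),
            "signatures": signature_scan(root),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running demo() shows the split the text describes: the signature scan names the infector in app.exe and nothing else, while the integrity check reports all three changes, including the unknown dropper.dll that no signature covers and the readme.txt edit that is not malware at all. On a real host, run build_baseline on the known-clean system, keep the JSON where the host cannot write it, and feed the "added" and "modified" lists to the scanner and to manual review.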