Professional Documents
Culture Documents
Other Malware
CONTENT
Definition of Virus/Malware Classification of V/M New generation viruses New technology How to design a powerful V/M
Classification of Viruses
BOOT Viruses
DOS Viruses
Windows Viruses Macro Viruses Script Viruses Java Viruses Palm Viruses
Macro Viruses
When an infected Global Document is opened in Word, it Template will copy its macro Global codes in the Global Macros Template
With the Macro Virus resident in the Global Template, it can now reproduce copies of itself to other documents opened.
WORD Content
WORD Content
WORD Macros
WORD Macros
Macro Viruses
When an infected XLStart sheet is opened in Excel, it will create Directory an excel file in the Startup directory \Microsoft Office\Office\XLStart Files
With the Macro Virus resident every time Excel is opened, it can now infect every sheet opened in Excel
EXCEL Sheet
EXCEL Sheet
Excel Macros
Excel Macros
Macro Viruses
Using DFVIEW.EXE to view a Word 2K Document
Normal File
Infected File
Macro Viruses
Other locations of macro viruses in Excel
Windows Viruses
Header &Table
INFECTED FILE
Host Program
Windows Viruses
unusual entries in the Task Manager list unusual slowdown of system
Windows Viruses
Checking the Registry for possible Virus residence
\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunServices \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunServicesOnce HKEY_CLASSES_ROOT\exefile\shell\open\command ( Where the only entry should be (Default)= "%1" %* )
Script Viruses
If a mail or a web page has some malicious scripts Thus enabling them to replicate to other mail recipients or web page users
These malicious scripts utilizes Scripting Host execution capabilities of Browsers and Mail Systems
Script Viruses
Script Viruses in E-mails / Web
Clicking Yes will e-mail Script, Upon receiving anrun the with which it, the following message script inmight contain malicious will appearsee that the mail Now codes. Clicking No will show this you can message. has some script in it because of
this script icon Now you can verify the contents of the saved HTM file if it has some malicious codes or not
Java Viruses
security loopholes exploited by virus writers annoying while some infect depends on the security settings for the virus to run has the extension *.CLASS
Java Viruses
Two Types of Java Viruses
Java Applet
99% of Java Viruses Just create some annoying events
Java Application
Capable of doing anything that Executable Programs like Disk I/O
Palm Viruses
Net Hacking tools are malicious codes that has the sole purpose of controlling computers remotely and to exploit some backdoors in some systems.
Joke Malware
Ordinary executable programs created to make fun of users.
You can only go back to what you are will not infect or do anyafter you it will just doing damage, solve the puzzle annoy you.
usually difficult to halt or terminate the program unusual function of devices (mouse, keyboard)
a program that drops a Virus or other Malware used by novice programmers to create viruses unnecessary addition of files
EXE Header
E9 fd 03 04 01 02 02 00
Pattern Info
Name: TEST-ABC First byte: 0xe9 (JMP xx) Jump depth: 0x00 File offset: 0x84 Signature: 0x65, 0x7a, 0x4e, 0x2a
JMP
Program Body
0x400
Virus Body
0x484
65 7a 4e 2a
Found !!!
Virus TEST-ABC
Target: IIS Servers with exploitable flaw Infect: Attack IIS servers via HTTP, utilize Indexing Service (IDA) buffer /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN overflow, embed the virus code in NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN memory NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3% Effect : Spit out hundreds of u7801%u9090%u6858%ucbd3% u7801%u9090%u6858%ucbd3%u7801 %u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078 attacking threads, cause network %u0000%u00=a congestion : leave backdoor for CodeRed.C
hacker
IIS Unicode Web Traversal Security Hole Share Folders Browse infected Web site Infect Win32 EXE files Infect html, ASP files, append < script language="JavaScript" > window.open("readme.eml", null, "resizable=no,top=6000,left=6000")< / script >
New Technology
Behavior Monitor
Pitfall Can not clean High False Positive Hard to Identify malicious behavior
Infect
Spare space in section (size of exe file not changed) Modify the entry point in PE header Combine codes in spare space to whole code Modify the import table to load the main module Note: this code must be earsed after infected.
Hiding
Use CreateRemoteThread
Advantage:
No unusual process in task manager Require high programming skill, you must be very careful and do everything yourself Not work on Windows 9x platform Need unusual entry in registry
Disadvantage:
Hiding (cont)
Theres an import table in PE file, when system execute the .exe file, it walks through the import table and loads all .dll file in the import table into memory. Load the main module of V/M, in DllMain function, hook the DLL_PROCESS_ATTACH message No unusual entry in registry and task manager Easy to programming Works on all windows platform
Advantage
Hiding (cont)
Encrypt
Common encrypt algorithm (you only need cheat scan engine ), such as XOR, complex algorithm has unique signature. difference encrypt keys (HD serial-number, CPU info) on difference computer, Hard to generate the pattern. Compress the V/M (zlib is enough, its common on windows platform) Only Decrypt when needed
Spread
Suggestion: not too aggressive, spread silently. More silent, more spread.
Destroy
In X86 protection mode, need enter Ring 0 mode Send grand garbage to network, DoS attack.
Q&A