07 - Viruses and Worms

A virus is a self-replicating program that propagates its own code by attaching copies of itself to other executable files. Some viruses act as soon as their code is executed; others lie dormant until a predetermined logical condition is met.

Module Objective

The objective of this lab is to teach students how to create viruses and worms. In this lab, you will learn how to:

  • Create viruses using virus generator tools
  • Create worms using a worm generator tool

Scenario

A computer virus attaches itself to a program or file, enabling it to spread from one computer to another and leaving infections as it travels. The biggest danger with a worm is its capability to replicate itself on your system: rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, with a devastating effect. A blended threat is a more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses, and malicious code into one single threat. Blended threats can use server and Internet vulnerabilities to initiate, transmit, and spread an attack, and they normally serve to transport multiple attacks in one payload. An attacker can launch a DoS attack, install a backdoor, and possibly even damage a local system or network systems.

Since you are a security expert, the IT director instructs you to test the network for any viruses and worms that could damage or steal the organization’s information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check whether they are detected by antivirus programs or are able to bypass the network firewall.

I. Creating a Virus Using the JPS Virus Maker Tool

In recent years there has been a large growth in Internet traffic generated by malware, that is, Internet worms and viruses. This traffic usually only impinges on the user when either their machine gets infected or during the epidemic stage of a new worm when the Internet becomes unusable due to overloaded routers. What is less well-known is that there is a background level of malware traffic at times of non-epidemic growth and that anyone plugging an unfirewalled machine into the Internet today will see a steady stream of port scans, back-scatter from attempted distributed denial-of-service attacks, and host scans. We need to build better firewalls, protect the Internet router infrastructure, and provide early-warning mechanisms for new attacks.

Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization’s information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behaviour, whether they are detected by an antivirus and if they bypass the firewall.

Lab Objectives

The objective of this lab is to help students learn and understand how viruses and worms are made.

Lab Analysis

In this lab you have learnt how to use encryption/decryption commands and how to generate hashes and checksum files. Document all the files, created viruses, and worms in a separate location.
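Because a file-infecting virus works by attaching its code to other executables, the defender's check in the dummy VM is a hash baseline: record a checksum of every executable before the sample is run, then re-hash afterwards and report what changed or appeared. The script below is an added example, not part of the lab material or any tool the module names; the directory layout, file names and the appended bytes in demo() are constructed placeholders standing in for a real infection.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16
# File types worth baselining on a Windows lab VM (constructed choice, extend as needed).
EXEC_SUFFIXES = (".exe", ".dll", ".com", ".scr", ".bat")


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=EXEC_SUFFIXES):
    """Map POSIX-style relative path -> {sha256, size} for every executable-like file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return baseline


def save_baseline(baseline, out_path):
    """Persist the baseline as JSON (the 'checksum file' to keep outside the VM)."""
    Path(out_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_path):
    return json.loads(Path(in_path).read_text())


def compare(baseline, current):
    """Return which tracked files were modified, which executables appeared, and which vanished."""
    modified = sorted(k for k in baseline
                      if k in current and baseline[k]["sha256"] != current[k]["sha256"])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a fake tree, then simulate the effect of a file infector.

    Nothing here is malware; the 'infection' is just bytes appended to a placeholder file
    and a new placeholder .scr, which is the footprint an integrity check should surface.
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "calc.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "bin" / "notepad.exe").write_bytes(b"MZ" + b"\x90" * 100)
        (root / "readme.txt").write_text("not an executable, not tracked")

        before = build_baseline(root)
        save_baseline(before, root / "baseline.json")

        # Simulated post-run state: one tracked file grew, one untracked executable appeared.
        with open(root / "bin" / "calc.exe", "ab") as f:
            f.write(b"PLACEHOLDER-APPENDED-BYTES")
        (root / "bin" / "dropped.scr").write_bytes(b"MZ-placeholder")

        after = build_baseline(root)
        return compare(load_baseline(root / "baseline.json"), after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run build_baseline and save_baseline on the clean VM snapshot, keep the JSON on the host, and run compare after each sample; a "modified" entry on a system executable is the file-infector footprint, and "added" entries are dropped payloads to submit to the antivirus scan in lab IV.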

II. Virus Analysis Using IDA Pro

Viruses, worms, or Trojans can erase your disk, send your credit card numbers and passwords to a stranger, or let others use your computer for illegal purposes such as denial-of-service attacks. Hacker mercenaries view instant messaging clients as their personal banks because of the ease with which they can access your computer via publicly open and interoperable standards. They unleash a Trojan horse, virus, or worm and gather your personal and confidential information. Since you are an expert ethical hacker and penetration tester, the IT director instructs you to test the network for any viruses and worms that can damage or steal the organization’s information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behaviour: whether they are detected by any antivirus program or bypass the organization’s firewall.

Lab Objectives

The objective of this lab is to help students learn and understand how to make viruses and worms to test the organization’s firewall and antivirus programs.

Lab Analysis

In this lab, you have learnt how to make viruses and worms to test the organization’s firewall and antivirus programs. Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.

III. Virus Analysis Using OllyDbg

There are literally thousands of malicious logic programs, and new ones come out all the time, so it is important to keep up to date with the new ones. Many websites track them. There is no known method that provides 100% protection for any computer or computer network from viruses, worms, and Trojan horses, but people can take several precautions to significantly reduce their chances of being infected by one of these malicious programs.

Lab Analysis

In this lab, you have learnt how to analyze viruses. Document all the files, created viruses, and worms in a separate location.

IV. Scan for Viruses using Kaspersky Antivirus 2013

Today, many people rely on computers to do work and to create or store useful information. Therefore, it is important for the information on a computer to be stored and kept properly. It is also extremely important for computer users to protect their computers from data loss, misuse, and abuse. For example, it is crucial for businesses to keep the information they hold secure so that hackers cannot access it. Home users also need to take measures to make sure that their credit card numbers are secure when they participate in online transactions. A computer security risk is any action that could cause loss of information, software, or data, cause processing incompatibilities, or damage computer hardware; many of these actions are deliberate.

Lab Analysis

In this lab, you have learnt how to scan your infected computers by using Kaspersky Antivirus 2013. Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.

V. Creating a Worm Using Internet Worm Maker Thing

Since you are a security expert, your IT director instructs you to test the network to determine whether any viruses and worms could damage or steal the organization’s information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behaviour: whether they are detected by an antivirus and whether they bypass the firewall.

Lab Analysis

In this lab, you have learnt how to make viruses and worms. Document all the files, created viruses, and worms in a separate location.

Module Syllabus

  • Introduction to Viruses
  • Virus and Worm Statistics 2010
  • Stages of Virus Life
  • Working on Viruses: Infection Phase
  • Working on Viruses: Attack Phase
  • Why Do People Create Computer Viruses?
  • Indications of Virus Attack
  • How does a Computer get Infected by Viruses?
  • Virus Hoaxes
  • Virus Analysis:
    • W32/Sality AA
    • W32/Toal-A
    • W32/Virut
    • Klez
  • Types of Viruses
    • System or Boot Sector Viruses
    • File and Multipartite Viruses
    • Macro Viruses
    • Cluster Viruses
    • Stealth/Tunneling Viruses
    • Encryption Viruses
    • Polymorphic Code
    • Metamorphic Viruses
    • File Overwriting or Cavity Viruses
    • Sparse Infector Viruses
    • Companion/Camouflage Viruses
    • Shell Viruses
    • File Extension Viruses
    • Add-on and Intrusive Viruses
  • Transient and Terminate and Stay Resident Viruses
  • Writing a Simple Virus Program
    • Terabit Virus Maker
    • JPS Virus Maker
    • DELmE's Batch Virus Maker
  • Computer Worms
  • How is a Worm Different from a Virus?
  • Example of Worm Infection: Conficker Worm
    • What does the Conficker Worm do?
    • How does the Conficker Worm Work?
  • Worm Analysis:
    • W32/Netsky
    • W32/Bagle.GE
  • Worm Maker: Internet Worm Maker Thing
  • What is a Sheep Dip Computer?
  • Anti-Virus Sensor Systems
  • Malware Analysis Procedure
  • String Extracting Tool: Bintext
  • Compression and Decompression Tool: UPX
  • Process Monitoring Tools: Process Monitor
  • Log Packet Content Monitoring Tools: NetResident
  • Debugging Tool: Ollydbg
  • Virus Analysis Tool: IDA Pro
  • Online Malware Testing:
    • Sunbelt CWSandbox
    • VirusTotal
  • Online Malware Analysis Services
  • Virus Detection Methods
  • Virus and Worms Countermeasures
  • Companion Antivirus: Immunet Protect
  • Anti-virus Tools
  • Penetration Testing for Virus