CEH v8 Lab Manual, Module 07: Viruses and Worms

Uploaded by mehrdad-jingoism, posted 12 May 2015.

CEH Lab Manual

Viruses and Worms

Module 07


Module 07 - Viruses and Worms

Viruses and Worms

A virus is a self-replicating program that produces its own code by attaching copies of itself onto other executable code. Some viruses affect computers as soon as their code is executed; others lie dormant until a predetermined logical circumstance is met.

Lab Scenario

A computer virus attaches itself to a program or file, enabling it to spread from one computer to another, leaving infections as it travels. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. A blended threat is a more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses, and malicious code into one single threat. Blended threats can use server and Internet vulnerabilities to initiate, then transmit and also spread an attack. A blended threat normally serves to transport multiple attacks in one payload: the attacker can launch a DoS attack or install a backdoor and maybe even damage a local system or network systems.

Since you are an expert Ethical Hacker and Penetration Tester, the IT director instructs you to test the network for any viruses and worms that damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check whether they are detected by antivirus programs or are able to bypass the network firewall.

Lab Objectives

The objective of this lab is to make students learn how to create viruses and worms.

In this lab, you will learn how to:

■ Create viruses using tools

■ Create worms using worm generator tool

Lab Environment

To carry this out, you need:

■ A computer running Windows Server 2012 as host machine

■ Windows Server 2008, Windows 7 and Windows 8 running on virtual machines as guest machines

■ A web browser with Internet access

■ Administrative privileges to run tools

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Icon key: Valuable information, Test your knowledge, Web exercise, Workbook review

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 530


Lab Duration

Time: 30 Minutes

Overview of Viruses and Worms

A virus is a self-replicating program that produces its own code by attaching copies of itself onto other executable code. Some viruses affect computers as soon as their code is executed; others lie dormant until a predetermined logical circumstance is met.

Computer worms are malicious programs that replicate, execute, and spread across network connections independently without human interaction. Most worms are created only to replicate and spread across a network consuming available computing resources. However, some worms carry a payload to damage the host system.

Lab Tasks

Overview: Recommended labs to assist you in creating viruses and worms:

■ Creating a virus using the JPS Virus Maker tool

■ Virus analysis using IDA Pro

■ Virus analysis using VirusTotal

■ Scan for viruses using Kaspersky Antivirus 2013

■ Virus analysis using OllyDbg

■ Creating a worm using the Internet Worm Maker Thing

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Creating a Virus Using the JPS Virus Maker Tool

JPS Virus Maker is a tool to create viruses. It also has a feature to convert a virus into a worm.

Lab Scenario

In recent years there has been a large growth in Internet traffic generated by malware, that is, Internet worms and viruses. This traffic usually only impinges on the user when either their machine gets infected or during the epidemic stage of a new worm, when the Internet becomes unusable due to overloaded routers. What is less well known is that there is a background level of malware traffic at times of non-epidemic growth, and that anyone plugging an unfirewalled machine into the Internet today will see a steady stream of port scans, back-scatter from attempted distributed denial-of-service attacks, and host scans. We need to build better firewalls, protect the Internet router infrastructure, and provide early-warning mechanisms for new attacks.

Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behavior: whether they are detected by an antivirus and whether they bypass the firewall.

Lab Objectives

The objective of this lab is to make students learn and understand how to make viruses and worms.

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Lab Environment

To carry out the lab, you need:

■ JPS tool located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Virus Construction Kits\JPS Virus Maker


■ A computer running Windows Server 2012 as host machine

■ Windows Server 2008 running on virtual machine as guest machine

■ Run this tool on Windows Server 2008

■ Administrative privileges to run tools

Lab Duration

Time: 15 Minutes

Overview of Viruses and Worms

A virus is a self-replicating program that produces its own code by attaching copies of itself onto other executable code. Some viruses affect computers as soon as their code is executed; others lie dormant until a predetermined logical circumstance is met.

Lab Tasks

1. Launch your Windows Server 2008 virtual machine.

2. Navigate to Z:\CEHv8 Module 07 Viruses and Worms\Virus Construction Kits\JPS Virus Maker.

3. Launch the JPS Virus Maker tool. Installation is not required for JPS Virus Maker. Double-click and launch the jps.exe file.

4. The JPS (Virus Maker 3.0) window appears.

[Figure: JPS (Virus Maker 3.0) main window. The Virus Options pane lists two columns of checkboxes. Left column: Disable Registry, Disable MsConfig, Disable TaskManager, Disable Yahoo, Disable Media Player, Disable Internet Explorer, Disable Time, Disable Group Policy, Disable Windows Explorer, Disable Norton Anti Virus, Disable McAfee Anti Virus, Disable Note Pad, Disable Word Pad, Disable Windows, Disable DHCP Client, Disable Taskbar, Disable Start Button, Disable MSN Messenger, Disable CMD, Disable Security Center, Disable System Restore, Disable Control Panel, Disable Desktop Icons, Disable Screen Saver. Right column: Hide Services, Hide Outlook Express, Hide Windows Clock, Hide Desktop Icons, Hide All Process in Taskmgr, Hide All Tasks in Taskmgr, Hide Run, Change Explorer Caption, Clear Windows XP, Swap Mouse Buttons, Remove Folder Options, Lock Mouse & Keyboard, Mute Sound, Always CD-ROM, Turn Off Monitor, Crazy Mouse, Destroy Taskbar, Destroy Offlines (YIMessenger), Destroy Protected Storage, Destroy Audio Service, Destroy Clipboard, Terminate Windows, Hide Cursor, Auto Startup.]

TASK 1: Make a Virus

Note: Take a snapshot of the virtual machine before launching the JPS Virus Maker tool.

Note: The Auto Startup option is checked by default and starts the virus whenever the system boots.


FIGURE 1.1: JPS Virus Maker main window

5. JPS lists the Virus Options; check the options that you want to embed in a new virus file.

Note: This creation of a virus is only for knowledge purposes; don't misuse this tool.

Note: A list of names for the virus after install is shown in the Name after Install drop-down list.

[Figure: JPS (Virus Maker 3.0) main window with the same Virus Options as Figure 1.1, the start-condition radio buttons (Restart, LogOff, Turn Off, Hibernate, None), Name After Install set to Rundll32, Server Name set to Sender.exe, and the About and Create Virus! buttons.]

FIGURE 1.2: JPS Virus Maker main window with options selected

6. Select one of the radio buttons to specify when the virus should start attacking the system after creation.

[Figure: Start-condition radio buttons (Restart, Log Off, Turn Off, Hibernate, None) with Name After Install: Rundll32 and Server Name: Sender.exe, and the Create Virus! button.]

FIGURE 1.3: JPS Virus Maker main window with Restart selected

7. Select the name of the service you want the virus to behave like from the Name after Install drop-down list.

FIGURE 1.4: JPS Virus Maker main window with the Name after Install option

8. Select a server name for the virus from the Server Name drop-down list.

Note: A list of server names is present in the Server Name drop-down list. Select any server name.


[Figure: Server Name drop-down list opened, showing Svchost.exe, Kernel32.exe, spoolsv.exe, ALG.EXE and svchost.exe; Name After Install: Rundll32; Create Virus! button.]

FIGURE 1.5: JPS Virus Maker main window with Server Name option

9. Now, before clicking Create Virus!, change settings and virus options by clicking the settings icon.

[Figure: Create Virus! button and the settings icon beside it.]

FIGURE 1.6: JPS Virus Maker main window with Settings option

10. Here you see more options for the virus. Check the options and provide related information in the respective text fields.

[Figure: JPS (Virus Maker 3.0) settings window. Virus Options with text fields: Change XP Password, Change Computer Name, Change IE Home Page, Close Custom Window, Disable Custom Service, Disable Custom Process, Open Custom Website, Run Custom Command.]

Note: Don't forget to change the settings for every new virus creation. Otherwise, by default, it takes the same name as an earlier virus.

TASK 2: Make a Worm

Note: You can select any icon from the Change Icon options. A new icon can be added apart from those on the list.

[Figure: Settings window continued. Enable Convert to Worm (auto copy to paths) checkbox with Worm Name and Copy After (seconds) fields, and the Change Icon radio buttons: Transparent, Love Icon, Flash Icon 1, Flash Icon 2, Font Icon 3, Doc Icon, PDF Icon, JPG Icon, BMP Icon, Help Icon, EXE Icon, BAT Icon, Setup 1 Icon, Setup2 Icon, ZIP Icon.]

FIGURE 1.7: JPS Virus Maker Settings option

11. You can change the Windows XP password and IE home page, close a custom window, disable a particular custom service, etc.

12. You can even allow the virus to convert to a worm. To do this, check the Enable Convert to Worm checkbox and provide a Worm Name.


13. For the worm to self-replicate after a particular time period, specify the time (in seconds) in the Copy After field.

14. You can also change the virus icon. Select the type of icon you want to view for the created virus by selecting the radio button under the Change Icon section.

[Figure: JPS (Virus Maker 3.0) settings window with the options above filled in: Enable Convert to Worm checked, a Worm Name entered, Copy After set, and an icon selected; the main-window Server Name is Svchost.exe and Name After Install is Rundll32.]

FIGURE 1.8: JPS Virus Maker main window with Options

15. After completing your selection of options, click Create Virus!

FIGURE 1.9: JPS Virus Maker main window with Create Virus! button

16. A pop-up window with the message Server Created Successfully appears. Click OK.

Note: Make sure to check all the options and settings before clicking on Create Virus!

[Figure: JPS (Virus Maker 3.0) message box listing the tool's features: Change XP Password, Change Computer Name, Change IE Home Page, Close Custom Windows, Disable Custom Service, Disable Process, Open Custom Website, Run Custom Command, Enable Convert To Worm (auto copy server to active path with custom name and time), Change Custom Icon for your created virus (15 icons).]

FIGURE 1.10: JPS Virus Maker Server Created Successfully message


17. The newly created virus (server) is placed automatically in the same folder as jps.exe but with the name Svchost.exe.

18. Now pack this virus with a binder or virus packager and send it to the victim machine. ENJOY!

Lab Analysis

Document all the files, created viruses, and worms in a separate location.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: JPS Virus Maker Tool

Information Collected/Objectives Achieved: To make the virus, the following options are used:

■ Disable Yahoo
■ Disable Internet Explorer
■ Disable Norton Antivirus
■ Disable McAfee Antivirus
■ Disable Taskbar
■ Disable System Restore
■ Disable Control Panel
■ Hide Windows Clock
■ Hide All Tasks in Taskmgr
■ Change Explorer Caption
■ Destroy Taskbar
■ Destroy Offlines (YIMessenger)
■ Destroy Audio Service
■ Terminate Windows
■ Auto Startup

Questions

1. Infect a virtual machine with the created viruses and evaluate the behavior of the virtual machine.

2. Examine whether the created viruses are detected or blocked by any antivirus programs or antispyware.
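Steps 7, 8 and 17 of this lab give the generated file the name of a Windows system binary (Rundll32, Svchost.exe, spoolsv.exe, ALG.EXE) while it sits in an ordinary user folder, which is exactly what question 2 asks you to look for from the defender's side. The Python script below is an added example for that check; it is not part of the lab manual or of the JPS tool. It takes a list of autostart entries, constructed here to resemble Run-key values and service image paths, and flags any image whose name matches a system binary but whose directory is not one of the Windows system directories, plus the name Kernel32.exe, which has no legitimate executable counterpart (the real file is kernel32.dll). The trusted-directory list and every sample path are assumptions made for the example.

```python
import ntpath
from dataclasses import dataclass
from typing import List

# Names the JPS tool offers for the created server; the legitimate binaries
# with these names live only in the Windows system directories.
SYSTEM_BINARY_NAMES = {"svchost.exe", "rundll32.exe", "spoolsv.exe", "alg.exe"}

# Names that imitate a system component but have no legitimate .exe at all:
# kernel32 ships as a DLL, so a kernel32.exe is suspect wherever it sits.
ALWAYS_SUSPICIOUS_NAMES = {"kernel32.exe"}

# Assumed trusted locations for a default Windows install (lower-case).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class AutorunEntry:
    source: str    # where the entry was seen: a Run key value or a service
    command: str   # the command line as stored, possibly with arguments


def image_path(command: str) -> str:
    """Extract the executable path from a stored command line, dropping arguments.

    Heuristic: a quoted path ends at the closing quote; an unquoted one is cut
    after the first '.exe' (good enough for triage, not a full parser).
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    pos = cmd.lower().find(".exe")
    return cmd[:pos + 4] if pos >= 0 else cmd


def is_masquerading(entry: AutorunEntry) -> bool:
    """True when the image name imitates a system binary from an untrusted location."""
    path = image_path(entry.command).lower()
    name = ntpath.basename(path)          # ntpath handles backslashes on any OS
    if name in ALWAYS_SUSPICIOUS_NAMES:
        return True
    if name not in SYSTEM_BINARY_NAMES:
        return False
    return ntpath.dirname(path) not in TRUSTED_DIRS


def triage(entries: List[AutorunEntry]) -> List[AutorunEntry]:
    """Return the entries worth investigating, in the order given."""
    return [e for e in entries if is_masquerading(e)]


# Constructed sample entries for the example; not data collected from a real host.
SAMPLE_ENTRIES = [
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sender",
                 r'"C:\Users\Administrator\Desktop\JPS Virus Maker\Svchost.exe"'),
    AutorunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                 r"C:\Program Files\Vendor\updater.exe /quiet"),
    AutorunEntry("Service: Spooler", r"C:\Windows\System32\spoolsv.exe"),
    AutorunEntry("Service: netsvcs", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Rundll32",
                 r"C:\Users\Public\Rundll32.exe"),
    AutorunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kernel",
                 r"C:\Windows\Kernel32.exe"),
]

if __name__ == "__main__":
    for e in triage(SAMPLE_ENTRIES):
        print(f"SUSPECT  {e.source}\n         {e.command}")
```

On a real host the entries would come from the Run keys, the Services key and the scheduled-task store; the check is deliberately path-based so that it also catches a copy placed next to jps.exe under a name from the Server Name list.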


Internet Connection Required: No

Platform Supported: iLabs


Virus Analysis Using IDA Pro

Computer worms are malicious programs that replicate, execute, and spread themselves across network connections independently, without human interaction.

Lab Scenario

Viruses, worms, or Trojans can erase your disk, send your credit card numbers and passwords to a stranger, or let others use your computer for illegal purposes like denial-of-service attacks. Hacker mercenaries view instant messaging clients as their personal banks because of the ease with which they can access your computer via the publicly open and interpretable standards. They unleash a Trojan horse, virus, or worm, as well as gather your personal and confidential information. Since you are an expert ethical hacker and penetration tester, the IT director instructs you to test the network for any viruses and worms that can damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behavior: whether they are detected by any antivirus programs or bypass the firewall of an organization.

Lab Objectives

The objective of this lab is to make students learn and understand how to make viruses and worms to test the organization's firewall and antivirus programs.

Lab Environment

To carry out the lab, you need:

■ IDA Pro located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Malware Analysis Tools\IDA Pro

■ A computer running Windows Server 2012 as host machine

■ Windows Server 2008 running on virtual machine as guest machine

■ Run this tool on Windows Server 2008

■ You can also download the latest version of IDA Pro from the link http://www.hex-rays.com/products/ida/index.shtml

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms


■ Administrative privileges to run tools

Lab Duration

Time: 15 Minutes

Overview of Viruses and Worms

Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Attackers use worm payloads to install backdoors in infected computers, which turn them into zombies and create botnets; these botnets can be used to carry out further cyber-attacks.

Lab Tasks

1. Go to Windows Server 2008 Virtual Machine.

2. Install IDA Pro, which is located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Malware Analysis Tools\IDA Pro.

3. Open IDA Pro, and click Run in the Open File - Security Warning dialog box.

[Figure: Open File - Security Warning dialog. "The publisher could not be verified. Are you sure you want to run this software?" Name: ...\Administrator\Desktop\idademo63_windows.exe; Publisher: Unknown Publisher; Type: Application; From: C:\Users\Administrator\Desktop\idademo63_windo...; Run and Cancel buttons; "Always ask before opening this file" checkbox; and the note "This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust."]

FIGURE 2.1: IDA Pro About.

4. Click Next to continue the installation.

TASK 1: IDA Pro

Note: You have to agree to the License Agreement before proceeding further with this tool.


[Figure: Setup - IDA Demo v6.3, Welcome page. "This will install IDA Demo v6.3 on your computer. It is recommended that you close all other applications before continuing. Click Next to continue, or Cancel to exit Setup." Demo Version 6.3, Hex-Rays 2012.]

Note: Read the License Agreement carefully before accepting.

FIGURE 2.2: IDA Pro Setup

5. Select the I accept the agreement radio button for the IDA Pro license agreement.

6. Click Next.

[Figure: Setup - IDA Demo v6.3, License Agreement page. "Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation." The IDA License Agreement (Special Demo Version License Terms) is shown with the radio buttons "I accept the agreement" (selected) and "I do not accept the agreement", and Back, Next and Cancel buttons.]

Note: Reload the input file. This command reloads the same input file into the database. IDA tries to retain as much information as possible in the database. All the names, comments, segmentation information and similar will be retained.

FIGURE 2.3: IDA Pro license.

7. Keep the destination location default, and click Next.


Note: Add breakpoint. This command adds a breakpoint at the current address. If an instruction exists at this address, an instruction breakpoint is created. Otherwise, IDA offers to create a hardware breakpoint, and allows the user to edit breakpoint settings.

8. Check the Create a desktop icon check box, and click Next.

Note: Trace window. In this window, you can view some information related to all traced events. The tracing events are the information saved during the execution of a program. Different types of trace events are available: instruction tracing events, function tracing events, and write, read/write or execution tracing events.

9. The Ready to Install window appears; click Install.

[Figure: Setup - IDA Demo v6.3, Select Additional Tasks page. "Select the additional tasks you would like Setup to perform while installing IDA Demo v6.3, then click Next." Additional icons: Create a desktop icon (checked); Back, Next and Cancel buttons.]

FIGURE 2.5: Creating IDA Pro shortcut

FIGURE 2.4: IDA Pro destination folder


[Figure: Setup - IDA Demo v6.3, Ready to Install page. "Setup is now ready to begin installing IDA Demo v6.3 on your computer. Click Install to continue with the installation, or click Back if you want to review or change any settings." Destination location: C:\Program Files (x86)\IDA Demo 6.3; Additional tasks: Create a desktop icon; Back, Install and Cancel buttons.]

FIGURE 2.6: IDA Pro install

10. Click Finish.

[Figure: Setup - IDA Demo v6.3, Completing the Setup Wizard page. "Setup has finished installing IDA Demo v6.3 on your computer. The application may be launched by selecting the installed icons. Click Finish to exit Setup." Launch IDA Demo (checked); Finish button.]

FIGURE 2.7: IDA Pro complete installation

11. The IDA License window appears. Click I Agree.

Note: Add execution trace. This command adds an execution trace to the current address.

Note: Instruction tracing. This command starts instruction tracing. You can then use all the debugger commands as usual: the debugger will save all the modified register values for each instruction. When you click on an instruction trace event in the trace window, IDA displays the corresponding register values preceding the execution of this instruction. In the 'Result' column of the Trace window, you can also see which registers were modified by this instruction.


[Figure: IDA License Agreement dialog showing the Special Demo Version License Terms (the demo version may not be used in a commercial project; the software is licensed per user, not sold; the usual restrictions on distribution and transfer apply), with I Disagree and I Agree buttons.]

FIGURE 2.8: IDA Pro License accepted.

12. Click the New button in the Welcome window.

[Figure: IDA: Quick start dialog with the buttons New (Disassemble a new file), Go (Work on your own) and Previous (Load the old disassembly), and the "Display at startup" checkbox.]

Note: The configuration files are searched in the IDA.EXE directory. In the configuration files, you can use C, C++ style comments and include files. If no file is found, IDA uses default values.

    // Compile an IDC script.
    // The input should not contain functions that are
    // currently executing - otherwise the behavior of the replaced
    // functions is undefined.
    // input - if isfile != 0, then this is the name of file to compile
    //         otherwise it holds the text to compile
    // returns: 0 - ok, otherwise it returns an error message.
    string CompileEx(string input, long isfile);

    // Convenience macro:
    #define Compile(file) CompileEx(file, 1)

FIGURE 2.9: IDA Pro Welcome window.

13. A file browse window appears; select Z:\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!\face.exe and click Open.


[Figure: IDA Pro file browse window (Windows open-file dialog listing application files with their modification dates).]

FIGURE 2.10: IDA Pro file browse window.

14. The Load a new file window appears. Keep the default settings and click OK.

[Figure: Load a new file dialog. "Load file Z:\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!\face.exe as": Portable executable for 80386 (PE) [pe.ldw]. Processor type: Intel 80x86 processors: metapc. Analysis: Enabled, Indicator enabled. Loading segment 0x00000000, Loading offset 0x0. Options: Create segments, Load resources, Rename DLL entries, Manual load, Fill segment gaps, Make imports segment, Create FLAT group. DLL directory: C:\Windows. Buttons: Kernel options, Processor options, OK, Cancel, Help.]

Note: Function tracing. This command starts function tracing. You can then use all debugger commands as usual: the debugger will save all addresses where a call to a function or a return from a function occurred.

Note: Add/Edit an enum (action names: AddEnum, EditEnum). These commands allow you to define and to edit an enum type. You need to specify: the name of the enum, its serial number (1, 2, ...), and the representation of enum members.

FIGURE 2.11: Load a new file window.

15. If any warning window prompts appear, click OK.
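The Load a new file dialog in step 14 shows what IDA establishes before analysis begins: the file is a Portable Executable for the 80386, the processor is metapc, and segments are created from the section table. The Python script below is an added example, not code from this manual or from Hex-Rays: it parses the same headers (the DOS header's pointer to the PE signature, the COFF header, the optional header and the section table) and reports the triage facts an analyst checks first, namely machine type, image base, entry point, the section holding the entry point, and any section that is both writable and executable, a common trait of packed or self-modifying code. It runs on a minimal PE image that the script itself constructs in memory (headers only, not a runnable program), so nothing is read from the lab share; the section names, sizes and flags in that image are constructed for the example.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Values from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x010B
PE32PLUS_MAGIC = 0x020B
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "Intel 80386 (x86)",
                 IMAGE_FILE_MACHINE_AMD64: "x86-64"}


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int

    def contains(self, rva: int) -> bool:
        size = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + size

    @property
    def writable_and_executable(self) -> bool:
        flags = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
        return self.characteristics & flags == flags


@dataclass
class PEInfo:
    machine: str
    pe32_plus: bool
    image_base: int
    entry_point: int
    sections: List[Section]
    entry_section: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_pe(data: bytes) -> PEInfo:
    """Parse the DOS, COFF, optional and section headers of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _stamp, _symtab, _nsyms, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                              # COFF header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry,) = struct.unpack_from("<I", data, opt + 16)          # AddressOfEntryPoint (RVA)
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)  # PE32+ has no BaseOfData
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")

    sections = []
    table = opt + opt_size                                       # section table follows the optional header
    for i in range(nsections):
        name, vsize, vaddr, rawsize, _rawptr, _r, _l, _nr, _nl, chars = \
            struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, vsize, rawsize, chars))

    info = PEInfo(MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})"),
                  magic == PE32PLUS_MAGIC, image_base, entry, sections, None)
    entry_sec = next((s for s in sections if s.contains(entry)), None)
    info.entry_section = entry_sec.name if entry_sec else None
    if entry_sec is None:
        info.findings.append(f"entry point 0x{entry:x} lies outside every section")
    elif not entry_sec.characteristics & IMAGE_SCN_MEM_EXECUTE:
        info.findings.append(f"entry point 0x{entry:x} is in non-executable section '{entry_sec.name}'")
    for s in sections:
        if s.writable_and_executable:
            info.findings.append(f"section '{s.name}' is writable and executable (possible packer or self-modifying code)")
    return info


def build_sample_image() -> bytes:
    """Construct minimal PE32 headers (no code) for the example; values are made up."""
    entry_rva = 0x3010   # placed inside the constructed '.pack' section on purpose
    sections = [  # (name, virtual address, virtual size, raw size, raw pointer, characteristics)
        (b".text", 0x1000, 0x200, 0x200, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x2000, 0x100, 0x200, 0x600, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".pack", 0x3000, 0x800, 0x800, 0x800,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew at 0x3C points to 0x40
    opt = struct.pack("<HBBIIIIIII", PE32_MAGIC, 0, 0, 0x200, 0x100, 0,
                      entry_rva, 0x1000, 0x2000, 0x400000)      # ... BaseOfData, ImageBase
    opt += b"\0" * (224 - len(opt))                              # usual PE32 optional header size
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    info = parse_pe(build_sample_image())
    print(f"{info.machine}, {'PE32+' if info.pe32_plus else 'PE32'}, image base 0x{info.image_base:x}, "
          f"entry 0x{info.entry_point:x} in {info.entry_section}")
    for s in info.sections:
        print(f"  {s.name:8} rva 0x{s.virtual_address:05x} size 0x{s.virtual_size:x} flags 0x{s.characteristics:08x}")
    for f in info.findings:
        print("  finding:", f)
```

To run it on a real sample, pass `open(path, "rb").read()` to `parse_pe`; the findings list is the part worth comparing against what IDA's loader and the Segments window report.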


16. The Please confirm window appears; read the instructions carefully and click Yes.

[Figure: Please confirm dialog. "IDA-View has now a new mode: proximity view. This mode allows you to browse the interrelations between functions and data items. When inside a function, press to toggle the proximity viewer and '+' to zoom back into a function. Do you want to switch to proximity view now?" with a "Don't display this message again" checkbox.]

Note: Select appropriate options as per your requirement.

FIGURE 2.12: Confirmation wizard.

17. The final window appears after analysis.

[Figure: IDA Pro main window after auto-analysis. Menu bar: File, Edit, Jump, Search, View, Debugger, Options, Windows, Help. Tabs: IDA View-A, Hex View-A, Structures, Enums, Imports, Exports. The Functions window lists auto-named subroutines (sub_401000, sub_401198, sub_401284, ...) plus StartAddress and WinMain; the Output window reports that IDA has analysed the input file and that it may now be explored.]

FIGURE 2.13: IDA Pro window after analysis.

18. Click View -> Graphs -> Flow Chart from the menu bar.

Note: TMP or TEMP: Specifies the directory where the temporary files will be created.

Note: Add read/write trace. This command adds a read/write trace to the current address. Each time the given address is accessed in read or write mode, the debugger will add a trace event to the Trace window.


[Figure: IDA Pro View > Graphs menu with Flow Chart selected]

Create alignment directive (action name: Make Alignment): This command allows you to create an alignment directive.

FIGURE 2.14: IDA Pro flow chart menu.

19. A Graph window appears with the flow chart; zoom in to view it clearly.

[Figure: IDA Pro flow chart graph window]

Zoom in to have a better view of the details.

FIGURE 2.15: IDA Pro flow chart


FIGURE 2.16: IDA Pro zoom flow chart.

[Figure: zoomed WinGraph32 flow chart of the WinMain function]

FIGURE 2.17: IDA Pro zoom flow chart

20. Click View -> Graphs -> Function Calls from the menu bar.


[Figure: IDA Pro View > Graphs menu with Function Calls selected]

FIGURE 2.18: IDA Pro Function calls menu.

21. A window showing the call flow appears; zoom in to have a better view.

Empty input file: The input file doesn't contain any instructions or data, i.e. there is nothing to disassemble. Some file formats allow the situation when the file is not empty but it doesn't contain anything to disassemble. For example, COFF/OMF/EXE formats could contain a file header which just declares that there are no executable sections in the file.

FIGURE 2.19: IDA Pro call flow of face.


FIGURE 2.20: IDA Pro call flow of face with zoom.

22. Click Windows -> Hex View-A.

[Figure: IDA Pro Windows menu with Hex View-A selected]

FIGURE 2.21: IDA Pro Hex View-A menu.

23. The following is a window showing Hex View-A.


[Figure: IDA Pro Hex View-A showing the bytes of face.exe around WinMain]

FIGURE 2.22: IDA Pro Hex View-A result.

24. Click Windows -> Structures.

[Figure: IDA Pro Windows menu with Structures selected]

FIGURE 2.23: IDA Pro Hex Structure menu

25. The following is a window showing Structures (to expand a structure, press Ctrl and +).


[Figure: IDA Pro Structures window showing the CPPEH_RECORD structure]

FIGURE 2.24: IDA Pro Hex Structure result

26. Click Windows -> Enums.

[Figure: IDA Pro Windows menu with Enums selected]

FIGURE 2.25: IDA Pro Enums menu.

27. A window appears showing the Enums result.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms


[Figure: IDA Pro Enums window]

FIGURE 2.26: IDA Pro Enums result.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: IDA Pro

Information Collected/Objectives Achieved:

File name: face.exe

Output:

■ View function calls

■ Hex View-A

■ View structures

■ View enums


Questions

1. Analyze the charts generated with the flow chart and function calls; try to find the possible defect that can be caused by the virus file.

2. Try to analyze more virus files from the location D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!.

Internet Connection Required: ☑ No ☐ Yes

Platform Supported: ☑ iLabs ☑ Classroom


Lab 3: Virus Analysis Using VirusTotal

Computer worms are malicious programs that replicate, execute, and spread themselves across network connections independently, without human interaction.

Lab Scenario

In today's online environment it's important to know what risks lie ahead at each click. Every day millions of people go online to find information, to do business, to have a good time. There have been many warnings issued about theft of data: identity theft, phishing scams and pharming; most people have at least heard of denial-of-service attacks and "zombie" computers, and now one more type of online attack has emerged: holding data for ransom. Since you are an expert ethical hacker and penetration tester, the IT director instructs you to test the network for any viruses and worms that can damage or steal the organization's information. In this lab we explain how to analyze a virus using online virus analysis services.

Lab Objectives

The objective of this lab is to make students learn and understand how to make viruses and worms to test the organization's firewall and antivirus programs.

• Analyze virus files over the Internet

Lab Environment

To carry out the lab, you need:

■ A computer running Windows Server 2012 as host machine

■ A web browser with Internet connection

Lab Duration

Time: 15 Minutes

ICON KEY

Valuable information

Test your knowledge

Web exercise

Workbook review

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms


Overview of Viruses and Worms

Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Attackers use worm payloads to install backdoors in infected computers, which turn them into zombies and create botnets; these botnets can be used to carry out further cyber-attacks.

Lab Tasks

1. Open a web browser in the Windows Server 2012 host machine.

2. Access the website http://www.virustotal.com.

[Figure: VirusTotal home page in Mozilla Firefox, with the Choose File button and Scan it! button]

FIGURE 3.1: Virus Total Home Page

3. The VirusTotal website is used to analyze viruses online.

4. Click the Choose file button, and select a virus file located in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\tini.exe.

5. Click Open.

TASK 1: VirusTotal Scanning service


[Figure: File Upload dialog with tini.exe selected from the Viruses folder]

FIGURE 3.2: Select a file for Virus analysis

6. Click Scan it!.

[Figure: VirusTotal home page with the file chosen, ready to scan]

FIGURE 3.3: Click Send button to send the files for analysis

7. The selected file will be sent to the server for analysis.

8. Click Reanalyse.

You can upload any infected file to analyze.


[Figure: VirusTotal "File already analysed" page showing the date of the previous analysis and its detection ratio, with the option to view the last analysis or analyse the file again]

FIGURE 3.4: Sending File

9. The selected file is queued for analysis and scanned, as shown in the following figure.

[Figure: VirusTotal analysis queue page for tini.exe, showing the file's position in the queue, its SHA256 and the community comments tab]

FIGURE 3.5: Scanned File

10. A detailed report will be displayed after analysis.


[Figure: VirusTotal report header showing SHA256, SHA1, MD5, file size, file name, file type, detection ratio and analysis date, followed by the first antivirus results]

FIGURE 3.6: File Queued for analysis

[Figure: VirusTotal per-engine results table with columns Antivirus, Result and Update]

FIGURE 3.7: Analyzing the file

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: VirusTotal

Information Collected/Objectives Achieved:

Scan report shows:

■ SHA256

■ SHA1

■ MD5

■ File size

■ File name

■ File type

■ Detection ratio

■ Analysis date
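The identifiers in that report can be reproduced locally. The following is an added example (not from the lab manual or from VirusTotal) that computes the MD5, SHA1, SHA256 and size a report lists, checks a report's SHA256 against the file you actually have, and derives the detection ratio from a vendor table modelled on Figure 3.7; the sample bytes and vendor entries are constructed for the example.

```python
"""Added example, not from the CEH lab manual or VirusTotal: reproduce the
file identifiers a VirusTotal report lists (MD5, SHA1, SHA256, size) for a
local sample, check them against a report, and derive the 'Detection
ratio' from a vendor result table modelled on Figure 3.7.

The sample bytes and the vendor table are constructed for the example."""
import hashlib
from typing import Dict, Optional, Tuple


def file_identifiers(data: bytes) -> Dict[str, object]:
    """Return the identifiers the report header shows, computed locally.
    Hashing first lets you search the VirusTotal dataset by hash and decide
    whether uploading (and thereby sharing) the file is necessary at all."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def report_matches_file(data: bytes, reported_sha256: str) -> bool:
    """A report describes the file you hold only if the hashes agree;
    compare case-insensitively, since tools differ in hex casing."""
    return hashlib.sha256(data).hexdigest() == reported_sha256.strip().lower()


def parse_vendor_table(text: str) -> Dict[str, Optional[str]]:
    """Parse tab-separated lines 'vendor<TAB>result<TAB>YYYYMMDD'.
    An empty result column (as with ByteHero in Figure 3.7) means the
    engine scanned the file but reported nothing; keep it as None."""
    results: Dict[str, Optional[str]] = {}
    for line in text.strip().splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # malformed line: skip rather than miscount
        vendor, verdict, _update = (p.strip() for p in parts)
        results[vendor] = verdict or None
    return results


def detection_ratio(results: Dict[str, Optional[str]]) -> Tuple[int, int]:
    """Detections over engines that scanned, the '39/42' figure in the report."""
    detected = sum(1 for verdict in results.values() if verdict)
    return detected, len(results)


# Constructed sample: a few bytes with a PE-style 'MZ' prefix, not tini.exe.
SAMPLE = b"MZ" + bytes(range(32))

# Constructed vendor table laid out like Figure 3.7 (vendor, result, update).
VENDOR_TABLE = """Avast\tWin32:Tiny-XU [Trj]\t20120921
AVG\tBackDoor.Tiny.A\t20120922
ByteHero\t\t20120918
ClamAV\tTrojan.Tiny-1\t20120922
DrWeb\tBackDoor.Tiny.88\t20120922
"""


def summarise(data: bytes, table: str) -> Dict[str, object]:
    """Build a summary with the same fields as the lab's report table."""
    ids = file_identifiers(data)
    detected, total = detection_ratio(parse_vendor_table(table))
    return {**ids, "detection_ratio": f"{detected}/{total}"}


if __name__ == "__main__":
    for key, value in summarise(SAMPLE, VENDOR_TABLE).items():
        print(f"{key:>16}: {value}")
```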

Questions

1. Analyze more virus files from D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses with the demonstrated process.

Internet Connection Required: ☑ Yes ☐ No

Platform Supported: ☑ Classroom ☐ iLabs


Scan for Viruses Using Kaspersky Antivirus 2013

Computer worms are malicious programs that replicate, execute, and spread themselves across network connections independently, without human interaction.

Lab Scenario

Today, many people rely on computers to do work and create or store useful information. Therefore, it is important for the information on the computer to be stored and kept properly. It is also extremely important for people on computers to protect their computer from data loss, misuse, and abuse. For example, it is crucial for businesses to keep the information they have secure so that hackers can't access it. Home users also need to take measures to make sure that their credit card numbers are secure when they are participating in online transactions. A computer security risk is any action that could cause loss of information, software, or data, cause processing incompatibilities, or damage computer hardware.

Once you start suspecting that there is spyware on your computer system, you must act at once. The best thing to do is to use spyware remover software. Spyware remover software is a kind of program that scans the computer files and settings and eliminates those malicious programs that you actually do not want to keep on your operating system. In this lab the Kaspersky Antivirus 2013 program detects the malicious programs and vulnerabilities in the system.

Lab Objectives

The objective of this lab is to make students learn and understand how to make viruses and worms to test the organization's firewall and antivirus programs.

Lab Environment

To carry out the lab, you need:

■ Kaspersky Antivirus 2013, located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Anti-Virus Tools\Kaspersky Anti-Virus

ICON KEY

Valuable information

Test your knowledge

Web exercise

Workbook review

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms


■ You can also download the latest version of Kaspersky Antivirus 2013 from the link http://www.kaspersky.com/anti-virus

■ If you decide to download the latest version, the screenshots shown in the lab might differ

■ Run this tool in the Windows 7 virtual machine

■ Active Internet connection

Lab Duration

Time: 15 Minutes

Overview of Virus and Worms

Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Attackers use worm payloads to install backdoors in infected computers, which turns them into zombies and creates botnets; these botnets can be used to carry out further cyber-attacks.

Lab Tasks

Note: Before running this lab, take a snapshot of your virtual machine.

TASK 1: Scan the System to Detect Virus

1. Start the Windows 7 Virtual Machine.

2. Before scanning the disk, infect the disk with viruses.

3. Open the CEH-Tools folder and browse to the location Z:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses.

4. Double-click the tini.exe file.

Download Kaspersky Antivirus 2013 from the link http://www.kaspersky.com/anti-virus

FIGURE 4.1: Tini Virus file

5. Open the CEH-Tools folder and browse to the location Z:\CEHv8 Module 07 Viruses and Worms\Viruses\netbus17.

6. Double-click the Patch.exe file.

Advanced anti-phishing technologies proactively detect fraudulent URLs and use real-time information from the cloud, to help ensure you're not tricked into disclosing your valuable data to phishing websites.


7. Open the CEH-Tools folder and browse to the location Z:\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!.

8. Double-click the face.exe file.


Kaspersky protects against all viruses by combining cloud-based functionality and powerful security technologies that run on your PC.

FIGURE 4.3: Face Virus file

9. Note that these tools will not reflect any changes.

10. Go to the location D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Anti-Virus Tools\Kaspersky Anti-Virus.

11. Install the Kaspersky Antivirus 2013 software in Windows 7.

12. While installing, it will ask for activation; click Activate Trial Version and then click Next.

13. The main window of Kaspersky Antivirus 2013 is shown in the figure below.

Kaspersky Anti-Virus 2013 works behind the scenes, defending you and your PC against viruses, spyware, Trojans, rootkits and other threats.


[Screenshot: Kaspersky main window. Status: Computer is protected! Threats: malware; Protection components: enabled; Databases: have not updated for a long time; License: 30 days remaining. Buttons: Scan, Update, Tools, Quarantine; links: Help, Support, My Kaspersky Account, Licensing]

FIGURE 4.4: Kaspersky main window

14. Select the Scan icon.

Kaspersky Antivirus 2013 is fully compatible with Microsoft's latest operating system.

15. Select Full Scan to scan the computer (Windows 7 Virtual Machine).

[Screenshot: Kaspersky main window with the Scan button selected; status bar as in Figure 4.4 (Computer is protected!, Databases: have not updated for a long time, License: 30 days remaining); Cloud protection indicator]

FIGURE 4.5: Kaspersky Scan window


[Screenshot: Scan window offering Full Scan (scans your entire computer; recommended immediately after installing the application; may take some time), Critical Areas Scan (a quick scan of objects that are loaded with the operating system at startup; does not require much time) and Vulnerability Scan (scans your system and applications for vulnerabilities that may allow malicious attacks). For a custom scan of an object, drag it here or browse for it. Buttons: Back, Scan, Manage tasks]

FIGURE 4.6: Kaspersky Starting full scan

16. It will display the Full scan window. Click Scan now.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

[Dialog: Kaspersky Anti-Virus 2013, Full Scan. "Databases are out of date. New threats can be missed during scanning. We strongly recommend to wait until the update is completed." Options: Scan after the update (recommended): scan task will be run after the databases are updated; Scan now: scan task will be run before the update is completed. You are using a trial version. You are advised to purchase a commercial version.]

FIGURE 4.7: Scanning process

17. Kaspersky Antivirus 2013 scans the computer. (It will take some time, so be patient.)

Kaspersky Anti-Virus 2013 is optimised so that it does not have a significant impact on network activity, the installation of programs, the launch of web browsers or the launch of programs.


[Screenshot: Task Manager. Full Scan 50%, scanning a file under C:\Windows\winsxs, Remaining: 9 minutes, Scanned: 13,118 files, Threats: 6, Neutralized: 0; option "When scan is complete keep the computer turned on"; Critical Areas Scan listed below it]

Even if your PC and the applications running on it haven't been updated with the latest fixes, Kaspersky Anti-Virus 2013 can prevent exploitation of vulnerabilities by:

• controlling the launch of executable files from applications with vulnerabilities

• analysing the behaviour of executable files for any similarities with malicious programs

• restricting the actions allowed by applications with vulnerabilities

FIGURE 4.8: Scanning process

18. The Virus Scan window appears; it will ask you whether to perform a special disinfection procedure.

19. Click Yes, disinfect with reboot (recommended).

[Dialog: Kaspersky Anti-Virus 2013, VIRUS SCAN]

Active malware detected.

Trojan program: Backdoor.Win32.Netbus.170

Location: c:\Windows\patch.exe

Do you want to perform a special disinfection procedure?

The main interface window is optimised to help boost performance and ease of use for many popular user scenarios, including launching scans and fixing problems.

Yes, disinfect with reboot (recommended): The most reliable disinfection method, after which the computer will be rebooted. We recommend you close all running applications and save your data.

Do not run: The object will be processed according to the selected action. The computer will not be rebooted.

You are using a trial version. You are advised to purchase a commercial version.

Apply to all objects

FIGURE 4.9: Detecting the malware


20. The Advanced Disinfection scan will start; it will scan the complete system (this may take some time).

[Screenshot: Task Manager. Advanced Disinfection 49%, Object: C:\Windows\System32\msasn1.dll, Remaining: <1 minute, Scanned: 2,648 files, Threats: 1, Neutralized: 1. Full Scan completed <1 minute ago, Scanned: 83,366 files, Threats: 5, Neutralized: 4]

FIGURE 4.10: Advanced Disinfection scanning

21. The cleaned viruses will appear, as shown in the following figure.

[Screenshot: Reports window, Today, 9/24/2012. Full Scan: completed 33 minutes ago (events: 38, objects: 83366, time: 00:14:33). Detected threats and Protection Center components (File Anti-Virus, Mail Anti-Virus, Web Anti-Virus, IM Anti-Virus, System Watcher) are listed in the side panel; Group: Full Scan, Events: 38]

Object        Event                         Time
              Task completed                9/24/2012 5:33:55 PM
KeyHook.dll   Will be deleted on reboot...  9/24/2012 5:33:55 PM
KeyHook.dll   Backed up: Backdoor.Win...    9/24/2012 5:33:55 PM
KeyHook.dll   Detected: Backdoor.Win3...    9/24/2012 5:33:55 PM
tini.exe      Not processed: Backdoor....   9/24/2012 5:33:54 PM
tini.exe      Detected: Backdoor.Win3...    9/24/2012 5:33:40 PM
patch.exe     Will be deleted on reboot...  9/24/2012 5:33:40 PM
patch.exe     Backed up: Backdoor.Win...    9/24/2012 5:33:40 PM
patch.exe     Detected: Backdoor.Win3...    9/24/2012 5:33:35 PM
patch.exe     Deleted: Backdoor.Win32....   9/24/2012 5:33:34 PM
NetBus.exe    Deleted: Backdoor.Win32....   9/24/2012 5:33:34 PM

FIGURE 4.11: Cleaned infected files
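The report above lists several events per object, and only some of them mean the file is actually gone (tini.exe, for instance, is "Detected" but "Not processed"). As an added example that is not part of the lab manual, this Python script reads rows laid out like that report and works out each object's final disposition; the sample rows are constructed, and the threat names other than Backdoor.Win32.Netbus.170 (the name reported for patch.exe in Figure 4.9) are placeholders.

```python
import re
from datetime import datetime

# Constructed sample rows, laid out like the Object / Event / Time columns of the
# report in Figure 4.11 (tab-separated, newest event first, as the report lists
# them). Backdoor.Win32.Netbus.170 is the name Kaspersky reported for patch.exe
# in Figure 4.9; the other threat names are placeholders, since the report on
# the page truncates them.
SAMPLE_REPORT = """\
KeyHook.dll\tWill be deleted on reboot\t9/24/2012 5:33:55 PM
KeyHook.dll\tBacked up: Backdoor.Win32.Placeholder\t9/24/2012 5:33:55 PM
KeyHook.dll\tDetected: Backdoor.Win32.Placeholder\t9/24/2012 5:33:55 PM
tini.exe\tNot processed: Backdoor.Win32.Placeholder\t9/24/2012 5:33:54 PM
tini.exe\tDetected: Backdoor.Win32.Placeholder\t9/24/2012 5:33:40 PM
patch.exe\tWill be deleted on reboot\t9/24/2012 5:33:40 PM
patch.exe\tBacked up: Backdoor.Win32.Netbus.170\t9/24/2012 5:33:40 PM
patch.exe\tDetected: Backdoor.Win32.Netbus.170\t9/24/2012 5:33:35 PM
patch.exe\tDeleted: Backdoor.Win32.Netbus.170\t9/24/2012 5:33:34 PM
NetBus.exe\tDeleted: Backdoor.Win32.Netbus.170\t9/24/2012 5:33:34 PM
"""

EVENT_RE = re.compile(
    r"^(?P<action>Detected|Backed up|Deleted|Not processed|Will be deleted on reboot)"
    r"(?::\s*(?P<threat>\S.*))?$"
)
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"


def parse_report(text):
    """Parse tab-separated report rows into (object, action, threat, timestamp)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        obj, event, when = (field.strip() for field in line.split("\t"))
        match = EVENT_RE.match(event)
        if match is None:
            raise ValueError(f"unrecognised event text: {event!r}")
        events.append((obj, match["action"], match["threat"],
                       datetime.strptime(when, TIME_FMT)))
    return events


def disposition(actions):
    """Final state of one object, independent of the order the rows appear in.

    An object counts as cleaned only if the scanner reports it deleted; a
    pending reboot means the file is still on disk, and 'Not processed' or a
    bare 'Detected' means the scanner left it alone.
    """
    if "Not processed" in actions:
        return "unresolved"
    if "Will be deleted on reboot" in actions:
        return "pending_reboot"
    if "Deleted" in actions:
        return "deleted"
    return "unresolved"


def triage(text):
    """Map each object to its disposition and the threat names reported on it."""
    per_object = {}
    for obj, action, threat, _ in parse_report(text):
        entry = per_object.setdefault(obj, {"actions": set(), "threats": set()})
        entry["actions"].add(action)
        if threat:
            entry["threats"].add(threat)
    return {obj: {"state": disposition(e["actions"]), "threats": e["threats"]}
            for obj, e in per_object.items()}


def objects_in_state(text, state):
    """Sorted object names whose final disposition equals `state`."""
    return sorted(obj for obj, e in triage(text).items() if e["state"] == state)


def timeline(text, obj):
    """Actions for one object, oldest first (stable sort keeps same-second order)."""
    rows = [e for e in parse_report(text) if e[0] == obj]
    return [action for _, action, _, _ in sorted(rows, key=lambda e: e[3])]


if __name__ == "__main__":
    for obj, entry in triage(SAMPLE_REPORT).items():
        print(f"{obj:<12} {entry['state']:<15} {', '.join(sorted(entry['threats']))}")
    print("needs manual follow-up:", objects_in_state(SAMPLE_REPORT, "unresolved"))
```

Objects reported as "pending_reboot" are still on disk until the reboot that step 19 asked for, so the report should be re-read after the restart.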

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Kaspersky Antivirus 2013

Information Collected/Objectives Achieved:

Result: List of detected vulnerabilities in the system

Questions

1. Using the final report, analyze the processes affected by the virus files.

Internet Connection Required

[ ] Yes [x] No

Platform Supported

[x] Classroom [x] iLabs


Lab

Virus Analysis Using OllyDbg

OllyDbg is a debugger that emphasises binary code analysis, which is useful when source code is not available. It traces registers, recognises procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries.

Lab Scenario

There are literally thousands of malicious logic programs and new ones come out all the time, so it is important to keep up to date with the new ones that come out. Many websites keep track of this. There is no known method for providing 100% protection for any computer or computer network from computer viruses, worms, and Trojan horses, but people can take several precautions to significantly reduce their chances of being infected by one of those malicious programs. Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. In this lab, OllyDbg is used to analyze a virus's registers, procedures, API calls, tables, libraries, constants, and strings.

Lab Objectives

The objective of this lab is to make students learn and understand the analysis of viruses.

Lab Environment

To carry out the lab, you need:

■ The OllyDbg tool, located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Debugging Tool\OllyDbg

■ A computer running Windows Server 2012 as host machine

■ You can also download the latest version of OllyDbg from the link http://www.ollydbg.de/

■ Run this tool on Windows Server 2012

■ Administrative privileges to run tools

ICON KEY

Valuable information

Test your knowledge

Web exercise

Workbook review

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms


Lab Duration

Time: 10 Minutes

Overview of OllyDbg

The debugging engine is now more stable, especially if one steps into the exception handlers. There is a new debugging option, "Set permanent breakpoints on system calls." When active, it requests OllyDbg to set breakpoints on KERNEL32.UnhandledExceptionFilter(), NTDLL.KiUserExceptionDispatcher(), NTDLL.ZwContinue(), and NTDLL.NtQueryInformationProcess().

Lab Tasks

TASK 1: Debug a Virus

1. Launch the OllyDbg tool. Installation is not required for OllyDbg. Double-click and launch the ollydbg.exe file.

2. The OllyDbg window appears.

[Screenshot: OllyDbg v2.00 (intermediate version - under development!) main window with the File, View, Debug, Trace, Options, Windows and Help menus; status: Ready]

You can also download the latest version of OllyDbg from the link http://www.ollydbg.de

FIGURE 5.1: OllyDbg main window

3. Go to File from the menu bar and click Open...

4. Browse to D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Virus Total\tini.exe.

5. Click Open.


Data formats. Dump windows display data in all common formats: hexadecimal, ASCII, UNICODE, 16- and 32-bit signed/unsigned/hexadecimal integers, 32/64/80-bit floats, addresses, disassembly (MASM, IDEAL, HLA or AT&T).

6. The output of CPU - main thread, module tini is shown in the following figure.

OllyDbg can debug multithread applications. You can switch from one thread to another, suspend, resume and kill threads or change their priorities.

7. Click View from the menu bar, and then click Log (Alt+L).

[Screenshot: OllyDbg "Select 32-bit executable and specify arguments" dialog. Look in: Virus Total; file tini.exe (date modified 6/23/2005 4:03 AM); File name: tini.exe; Files of type: Executable file (*.exe); Arguments field empty; status: OllyDbg v2.00 (intermediate version - under development!) Ready]

FIGURE 5.2: Select tini.exe from Virus Total

[Screenshot: OllyDbg - tini.exe, CPU - main thread, module tini. The disassembly pane starts at the entry point 00401000 (EIP 00401000 tini.<ModuleEntryPoint>) with PUSH instructions and CALLs into imported WSOCK32 functions, writing to data at tini.00403100-00403108; the registers pane shows EAX 754E83CD KERNEL32.754E83CD, ESP 0018FF88, EBP 0018FF90, segment registers ES/SS/DS 002B, CS 0023, FS 0053, LastErr 00000000 ERROR_SUCCESS, EFL 00000246; the stack pane shows return addresses into KERNEL32 and ntdll; the dump pane shows tini's data at 00403000. Status: Paused, Entry point of main module]

FIGURE 5.3: CPU utilization of tini.exe


Full UNICODE support. All operations available for ASCII strings are also available for UNICODE, and vice versa. OllyDbg is able to recognize UTF-8 strings.

[Screenshot: OllyDbg - tini.exe with the View menu open over the CPU window, offering Log, Executable modules, Memory map, Threads, Windows, Watches, Search results, Run trace and the INT3, memory and hardware breakpoint lists; status: Paused, Open Log window]

FIGURE 5.4: Select log information

8. The output of Log data for tini.exe is shown in the following figure.

Breakpoints: OllyDbg supports all common kinds of breakpoints: INT3, memory and hardware. You may specify the number of passes and set conditions for a pause.

[Screenshot: Log data window. OllyDbg v2.00 (intermediate version - under development!); File 'D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Virus Total\tini.exe'; New process (ID 000011F4) created; Main thread (ID 00000060) created; Module D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Virus Total\tini.exe; then one Module line per loaded system DLL (C:\Windows\SYSTEM32\WSOCK32.dll, bcryptPrimitives.dll, CRYPTBASE.dll, SspiCli.dll, KERNEL32.DLL, RPCRT4.dll, NSI.dll, ...), each followed by "Different PE headers in file and in memory (System update is pending?)"; status: Paused, Entry point of main module]

FIGURE 5.5: Output of Log data information of tini.exe

9. Click View from the menu bar, and click Executable modules (Alt+E).

10. The output of Executable modules is shown in the following figure.


[Screenshot: OllyDbg - tini.exe, Executable modules window listing tini.exe and the loaded system modules (WSOCK32, bcryptPrimitives, CRYPTBASE, SspiCli, KERNEL32, RPCRT4, NSI, sechost, WS2_32, msvcrt, KERNELBASE, ntdll), each with base address, size, entry point, name, file version and path under C:\Windows\SYSTEM32; status: Paused, Entry point of main module]

FIGURE 5.6: Output of executable modules of tini.exe

11. Click View from the menu bar, and then click Memory Map (Alt+M).

12. The output of Memory Map is shown in the following figure.

[Screenshot: OllyDbg - tini.exe, Memory map window with columns Address, Size, Owner, Section, Contains, Type, Access, Initial access, Mapped as. The tini module is mapped at image base 00400000: PE header at 00400000 (access R), .text section containing code at 00401000 (R E), .rdata section containing imports at 00402000 (R), .data section containing data at 00403000 (RW); all are image pages (Img) with initial access RWE, mapped copy-on-write. The stack of the main thread is at 0018E000 (Priv, RW) with guarded pages below it. The loaded DLLs (WSOCK32 at 74E80000, bcryptPrimitives, CRYPTBASE, SspiCli, KERNEL32 and the rest) follow with the same PE header / code / data page layout. Status: Paused, Entry point of main module]

FIGURE 5.7: Output of Memory map of tini.exe

13. Click View from the menu bar, and then click Threads (Alt+T).

14. The output of Threads is shown in the following figure.

Watches: A watch is an expression evaluated each time the program pauses. You can use registers, constants, address expressions, Boolean and algebraical operations of any complexity.

OllyDbg supports four different decoding modes: MASM, Ideal, HLA and AT&T.


[Screenshot: OllyDbg - tini.exe, Threads window with one row for the main thread of tini.exe, showing its identifier, window title, last error (ERROR_SUCCESS), entry point (tini.<ModuleEntryPoint>), TIB, suspend count, priority (Main) and user time; status: Paused, Entry point of main module]

FIGURE 5.8: Output of threads
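The Executable modules and Memory map windows in Figures 5.6 and 5.7 show how the loader laid tini.exe out in memory. As an added example that is not from the lab manual or from OllyDbg, this Python script reads the same layout statically from a PE file's section table and flags layout oddities worth checking before stepping through the code; the image it parses is a minimal constructed PE32 file, not tini.exe, and the triage checks are this example's own, not an OllyDbg feature.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SC_MEM_READ_PLACEHOLDER = None  # (unused; see IMAGE_SCN_MEM_READ below)
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

def build_sample_pe(text_writable=False):
    """Minimal PE32 image laid out like the tini module in Figure 5.7 (PE header, .text,
    .rdata, .data at image base 00400000). Constructed for this example; not tini.exe."""
    text_flags = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    if text_writable:                  # deliberately odd layout to exercise the checks
        text_flags |= IMAGE_SCN_MEM_WRITE
    sections = [                       # (name, RVA, size, characteristics)
        (b".text", 0x1000, 0x200, text_flags),
        (b".rdata", 0x2000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".data", 0x3000, 0x200,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    e_lfanew, opt_size = 0x80, 0xE0    # PE32 optional header incl. 16 data directories
    dos = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)         # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)       # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x00400000)   # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)       # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)        # FileAlignment
    table, raw_ptr = b"", 0x400
    for name, rva, size, flags in sections:
        table += struct.pack(SECTION_HDR, name, size, rva, size, raw_ptr, 0, 0, 0, 0, flags)
        raw_ptr += size
    return dos + b"PE\0\0" + coff + bytes(opt) + table

def access_string(flags):
    """R/W/E letters, as in the Access column of OllyDbg's Memory map."""
    bits = (("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE), ("E", IMAGE_SCN_MEM_EXECUTE))
    return "".join(letter for letter, bit in bits if flags & bit)

def parse_pe(data):
    """Image base, entry point and section table read from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:          # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:        # PE32+: no BaseOfData, 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsect):
        name, vsize, rva, rawsize, _, _, _, _, _, flags = struct.unpack_from(
            SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": image_base + rva, "vsize": vsize, "rawsize": rawsize, "flags": flags,
            "access": access_string(flags),
            "contains": "Code" if flags & IMAGE_SCN_CNT_CODE
                        else "Data" if flags & IMAGE_SCN_CNT_INITIALIZED_DATA else "",
        })
    return {"image_base": image_base, "entry_point": image_base + entry_rva,
            "sections": sections}

def section_containing(info, va):
    """Section whose mapped range covers the virtual address, or None."""
    return next((s for s in info["sections"]
                 if s["va"] <= va < s["va"] + max(s["vsize"], 1)), None)

def triage_warnings(info):
    """Layout oddities worth checking before stepping through the code."""
    warnings = []
    ep = section_containing(info, info["entry_point"])
    if ep is None:
        warnings.append("entry point lies outside every section")
    elif ep["flags"] & IMAGE_SCN_MEM_WRITE:
        warnings.append(f"entry point section {ep['name']} is writable")
    for s in info["sections"]:
        if s["vsize"] and not s["rawsize"]:
            warnings.append(f"section {s['name']} is empty on disk but mapped at run time")
    return warnings

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for s in info["sections"]:       # one row per section, Memory map style
        print(f"{s['va']:08X} {s['vsize']:08X} {s['name']:<7} {s['contains']:<5} {s['access']}")
    print(f"entry point {info['entry_point']:08X}", triage_warnings(info) or "no warnings")
```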

Lab Analysis

Document all the files, created viruses, and worms in a separate location.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: OllyDbg

Information Collected/Objectives Achieved:

Result:

■ CPU - main thread

■ Log data

■ Executable modules

■ Memory map

■ Threads


Questions

1. Using the final report, analyze the processes affected by the virus files.

Internet Connection Required

[ ] Yes [x] No

Platform Supported

[x] Classroom [x] iLabs


Creating a Worm Using Internet Worm Maker Thing

Internet Worm Maker Thing is a tool to create worms. It also has a feature to convert a virus into a worm.

Lab Scenario

In recent years there has been a large growth in Internet traffic generated by malware, that is, Internet worms and viruses. This traffic usually only impinges on the user when either their machine gets infected or during the epidemic stage of a new worm, when the Internet becomes unusable due to overloaded routers. What is less well known is that there is a background level of malware traffic at times of non-epidemic growth, and that anyone plugging an unfirewalled machine into the Internet today will see a steady stream of port scans, back-scatter from attempted distributed denial-of-service attacks, and host scans. We must build better firewalls, protect the Internet router infrastructure, and provide early-warning mechanisms for new attacks.

Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behavior: whether they are detected by an antivirus and whether they bypass the firewall.

Lab Objectives

The objective of this lab is to make students learn and understand how to make viruses and worms.

Lab Environment

To carry out the lab, you need:

■ Internet Worm Maker Thing, located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Worms Maker\Internet Worm Maker Thing\Generator.exe

■ A computer running Windows Server 2012 as host machine

■ Run this tool on Windows Server 2012

■ Administrative privileges to run tools

ICON KEY

Valuable information

Test your knowledge

Web exercise

Workbook review

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Lab Duration

Time: 10 Minutes

Overview of Virus and Worms

A virus is a self-replicating program that produces its own code by attaching copies of itself onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met.

Lab Tasks

TASK 1: Make a Worm

1. Launch the Internet Worm Maker Thing tool. Installation is not required for Internet Worm Maker Thing. Double-click and launch the Generator.exe file.

2. The Internet Worm Maker Thing window appears.


Note: Take a snapshot of the virtual machine before launching the Internet Worm Maker Thing tool.

FIGURE 6.1: Internet Worm Maker Thing main window

3. Enter a Worm Name, Author, Version, Message, and Output Path for the created worm.

4. Check the Compile to EXE Support check box.

5. In Startup, select English Startup.

Note: The AutoStartup option is always checked by default and starts the virus whenever the system boots.



Note: A list of names for the virus after install is shown in the Name after Install drop-down list.

FIGURE 6.2: Select the options for creating a worm

6. Select the Activate Payloads on Date radio button, and for Chance of activating payloads, enter 5.

7. Check the Hide All Drives, Disable Task Manager, Disable Keyboard, Disable Mouse, and Message Box check boxes.

8. Enter a Title and Message, and select Icon as Information from the drop-down list.

9. Check the Disable Regedit, Disable Explorer.exe, and Change Reg Owner check boxes.



FIGURE 6.3: Select the options for creating a worm

10. Check the Change Homepage check box. In the URL field, enter http://www.powrgym.com.

11. Check the Disable Windows Security, Disable Norton Security, Uninstall Norton Script Blocking, Disable Macro Security, Disable Run Command, Disable Shutdown, Disable Logoff, Disable Windows Update, No Search Command, Swap Mouse Buttons, and Open Webpage check boxes.

12. Check the Change IE Title Bar, Change Win Media Player Txt, Open Cd Drives, and Lock Workstation check boxes.


Note: Don't forget to change the settings for every new virus creation. Otherwise, by default, it takes the same name as an earlier virus.


FIGURE 6.4: Select the options for creating a worm

13. Check the Print Message, Disable System Restore, and Change NOD32 Text check boxes.

14. Enter a Title and Message in the respective fields.

15. Enter the URL as http://www.powrgym.com and the Sender Name as juggyboy.

16. Check the Mute Speakers, Delete a Folder, Change Wallpaper, and CPU Monster check boxes.

17. Check the Change Time check box and enter the hour and min in the respective fields.


FIGURE 6.5: Select the options for creating a worm

18. Check the Change Date check box, and enter the DD, MM, YY in the respective fields.

19. Check the Loop Sound, Hide Desktop, Disable Malware Remove, Disable Windows File Protection, Corrupt Antivirus, and Change Computer Name check boxes.

20. Check the Change Drive Icon, Add To Context Menu, Change Clock Text, Keyboard Disco, and Add To Favorites check boxes.



FIGURE 6.6: Select the options for creating a worm

21. Check the Exploit W indows Admin Lockout Bug and Blue Screen of Death check boxes.

22. Check the In fect Bat Files check box from In fection Options.

23. Check the Hide Virus Files check box from Extras.

24. Click Generate Worm in the Control Panel.


FIGURE 6.7: Select the options for creating a worm


25. The worm is successfully created and the following window appears. Click OK.


Information: Your new worm.vbs has been made! [OK]

26. The created worm.vbs file is located on the C: drive.

Lab Analysis

Document all the files, created viruses, and worms in a separate location.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Internet Worm Maker Thing

Information Collected/Objectives Achieved: To make worms, the following options are used:

■ Hide all drives
■ Disable Task Manager
■ Disable keyboard
■ Disable mouse
■ Message box
■ Disable Regedit
■ Disable Explorer.exe
■ Change Reg Owner
■ Change HomePage
■ Disable Windows security
■ Disable Norton security
■ Disable Run command
■ Disable shutdown


Questions

1. Examine whether the created worms are detected or blocked by any antivirus or antispyware programs.
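As an added example for working through this question (it is not part of the lab manual or of the Internet Worm Maker Thing tool), the following PowerShell audit, run inside the snapshotted test VM after the payload date, reports the registry values that the lab's lockout and "change" options (Disable Task Manager, Disable Regedit, Disable Run Command, Disable Shutdown, Disable Logoff, No Search Command, Hide All Drives, Disable System Restore, Change Homepage, Change IE Title Bar, Change Reg Owner and Organisation) would have to set, plus any Run-key persistence that launches a .vbs, and can revert the user-scope lockouts. The mapping of each option to a standard Windows policy or personalisation value, and the use of a Run key for the registry startup option, are assumptions; the generated worm.vbs was not inspected for this example.

```powershell
# Added post-run audit example for the test VM; not part of the CEH lab manual.
# Assumption: the tool's lockout and "change" options act through the standard
# Windows policy / personalisation registry values listed below (the generated
# worm.vbs was not reverse engineered here), and "Registry Startup" uses a Run key.

$checks = @(
    @{ Option = 'Disable Task Manager';    Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';         Policy = $true }
    @{ Option = 'Disable Regedit';         Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools';   Policy = $true }
    @{ Option = 'Disable Run Command';     Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                  Policy = $true }
    @{ Option = 'Disable Shutdown';        Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoClose';                Policy = $true }
    @{ Option = 'Disable Logoff';          Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoLogOff';               Policy = $true }
    @{ Option = 'No Search Command';       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFind';                 Policy = $true }
    @{ Option = 'Hide All Drives';         Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDrives';               Policy = $true }
    @{ Option = 'Disable System Restore';  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';         Name = 'DisableSR';              Policy = $true }
    @{ Option = 'Change Homepage';         Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                    Name = 'Start Page';             Policy = $false }
    @{ Option = 'Change IE Title Bar';     Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                    Name = 'Window Title';           Policy = $false }
    @{ Option = 'Change Reg Owner';        Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion';                Name = 'RegisteredOwner';        Policy = $false }
    @{ Option = 'Change Reg Organisation'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion';                Name = 'RegisteredOrganization'; Policy = $false }
)

# One row per lab option: the registry value it maps to, its current value, and
# whether it counts as a finding (policy DWORD set non-zero; text values reported when present).
function Get-WormPolicyFindings {
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path $c.Path) {
            $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        $finding = if ($c.Policy) { ($null -ne $value) -and ($value -ne 0) } else { $null -ne $value }
        [pscustomobject]@{ Option = $c.Option; Key = "$($c.Path)\$($c.Name)"; Value = $value; Finding = $finding }
    }
}

# Persistence check: Run-key entries that launch a .vbs (directly or via wscript/cscript).
function Get-VbsRunEntries {
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            if ("$($p.Value)" -match '\.vbs\b|wscript|cscript') {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Revert only the HKCU policy lockouts (the user-scope values a script can set
# without elevation); review the report first. Supports -WhatIf / -Confirm.
function Remove-WormPolicyLockouts {
    [CmdletBinding(SupportsShouldProcess)] param()
    foreach ($c in ($checks | Where-Object { $_.Policy -and $_.Path -like 'HKCU:*' })) {
        if ((Test-Path $c.Path) -and $PSCmdlet.ShouldProcess("$($c.Path)\$($c.Name)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        }
    }
}

Get-WormPolicyFindings | Format-Table -AutoSize
Get-VbsRunEntries      | Format-Table -AutoSize
```

Compare the report taken before running the generated file with one taken after the payload date: rows whose Finding column flips to True show which options actually executed even when the antivirus raised no alert.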

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs
