Lab Manual
Module 07: Viruses and Worms
A virus is a self-replicating program that produces its own code by attaching copies of itself onto other executable code. Some viruses affect computers as soon as their code is executed; others lie dormant until a predetermined logical circumstance is met.
Lab Scenario
A computer virus attaches itself to a program or file, enabling it to spread from one computer to another, leaving infections as it travels. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. A blended threat is a more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one single threat. Blended threats can use server and Internet vulnerabilities to initiate, then transmit and also spread an attack. The attacker would normally serve to transport multiple attacks in one payload: an attacker can launch a DoS attack or install a backdoor, and maybe even damage a local system or network systems. Since you are an expert Ethical Hacker and Penetration Tester, the IT director instructs you to test the network for any viruses and worms that damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check whether they are detected by antivirus programs or able to bypass the network firewall.
Lab Objectives
The objective of this lab is to make students learn how to create viruses and worms. In this lab, you will learn how to:
- Create viruses using tools
- Create worms using a worm generator tool

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Lab Environment
To carry this out, you need:
- A computer running Windows Server 2012 as host machine
- Windows Server 2008, Windows 7 and Windows 8 running on virtual machines as guest machines
- A web browser with Internet access
- Administrative privileges to run tools
Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Lab Duration
Time: 30 Minutes
Overview of Viruses and Worms
A virus is a self-replicating program that produces its own code by attaching copies of itself onto other executable code. Some viruses affect computers as soon as their code is executed; others lie dormant until a predetermined logical circumstance is met. Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Most worms are created only to replicate and spread across a network, consuming available computing resources. However, some worms carry a payload to damage the host system.
TASK 1: Overview

Lab Tasks
Recommended labs to assist you in creating viruses and worms:
- Creating a virus using the JPS Virus Maker tool
- Virus analysis using IDA Pro
- Virus analysis using VirusTotal
- Scan for viruses using Kaspersky Antivirus 2013
- Virus analysis using OllyDbg
- Creating a worm using the Internet Worm Maker Thing
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
Creating a Virus Using the JPS Virus Maker Tool
JPS Virus Maker is a tool to create viruses. It also has a feature to convert a virus into a worm.
Lab Scenario
In recent years there has been a large growth in Internet traffic generated by malware, that is, Internet worms and viruses. This traffic usually only impinges on the user when either their machine gets infected or during the epidemic stage of a new worm, when the Internet becomes unusable due to overloaded routers. What is less well known is that there is a background level of malware traffic at times of non-epidemic growth, and that anyone plugging an unfirewalled machine into the Internet today will see a steady stream of port scans, backscatter from attempted distributed denial-of-service attacks, and host scans. We need to build better firewalls, protect the Internet router infrastructure, and provide early-warning mechanisms for new attacks. Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behavior: whether they are detected by an antivirus and whether they bypass the firewall.
Lab Objectives
The objective of this lab is to make students learn and understand how to make viruses and worms.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Lab Environment
To carry out the lab, you need:
- JPS tool located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Virus Construction Kits\JPS Virus Maker
- A computer running Windows Server 2012 as host machine
- Windows Server 2008 running on virtual machine as guest machine
- Run this tool on Windows Server 2008
- Administrative privileges to run tools
Lab Duration
Time: 15 Minutes

Overview of Viruses and Worms
A virus is a self-replicating program that produces its own code by attaching copies of itself onto other executable code. Some viruses affect computers as soon as their code is executed; others lie dormant until a predetermined logical circumstance is met.
Note: Take a snapshot of the virtual machine before launching the JPS Virus Maker tool, and run it on a guest whose network adapter is disconnected or host-only, because the generated file can copy itself (see the Copy after field in step 13).
JPS lists the Virus Options; check the options that you want to embed in a new virus file.
JPS (Virus Maker 3.0) Virus Options: Disable Registry, Disable MsConfig, Disable TaskManager, Disable Yahoo, Disable Media Player, Disable Internet Explorer, Disable Time, Disable Group Policy, Disable Windows Explorer, Disable Norton Anti Virus, Disable McAfee Anti Virus, Disable Note Pad, Disable Word Pad, Disable Windows, Disable DHCP Client, Disable Taskbar, Disable Start Button, Disable MSN Messenger, Disable CMD, Disable Security Center, Disable System Restore, Disable Control Panel, Disable Desktop Icons, Disable Screen Saver, Hide Services, Hide Outlook Express, Hide Windows Clock, Hide Desktop Icons, Hide All Process in Taskmgr, Hide All Tasks in Taskmgr, Hide Run, Change Explorer Caption, Clear Windows XP, Swap Mouse Buttons, Remove Folder Options, Lock Mouse & Keyboard, Mute Sound Always, CD-ROM, Turn Off Monitor, Crazy Mouse, Destroy Taskbar, Destroy Offlines (YIMessenger), Destroy Protected Storage, Destroy Audio Service, Destroy Clipboard, Terminate Windows, Hide Cursor, Auto Startup. Action after install: Restart, Log Off, Turn Off, Hibernate, or None; then Create Virus!

Note: A list of names for the virus after install is shown in the Name after Install drop-down list.

FIGURE 1.3: JPS Virus Maker main window with Restart selected
7. Select the name of the service you want the virus to behave like from the Name after Install drop-down list.

FIGURE 1.4: JPS Virus Maker main window with the Name after Install option

8. Select a server name for the virus from the Server Name drop-down list.
Note: Don't forget to change the settings for every new virus creation. Otherwise, by default, it takes the same name as an earlier virus.
TASK 2: Make a Worm

Second Virus Options panel: Change XP Password, Change Computer Name, Change IE Home Page, Close Custom Window, Disable Custom Service, Disable Custom Process, Open Custom Website, and Copy after (in seconds).
Note: You can select any icon from the Change Icon options. A new icon can be added apart from those on the list.
Change Icon: Doc Icon, PDF Icon, JPG Icon, BMP Icon, Help Icon, EXE Icon, BAT Icon, Setup1 Icon, Setup2 Icon, ZIP Icon.
13. For the worm to self-replicate after a particular time period, specify the time (in seconds) in the Copy after field.
14. You can also change the virus icon. Select the type of icon you want to view for the created virus by selecting the radio button under the Change Icon section.
JPS Virus Maker 3.0 features (from the tool's feature list): Change XP Password, Change Computer Name, Change IE Home Page, Close Custom Windows, Disable Custom Service, Disable Process, Open Custom Website, Run Custom Command, Enable Convert To Worm (auto copy server to active path with custom name and time), Change Custom Icon for your created virus (15 icons). Action after install: Restart, Log Off, Turn Off, Hibernate, or None.
17. The newly created virus (server) is placed automatically in the same folder as jps.exe, but with the name Svchost.exe.
18. Now pack this virus with a binder or virus packager and send it to the victim machine. ENJOY!
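When you evaluate the infected guest (Lab Analysis and Questions below), two things are quick to check from the registry: most of the "Disable ..." and "Hide ..." options have a documented Windows policy value, and step 17 says the generated file is named Svchost.exe, which the kit can start at logon ("Auto Startup"). The following Python script is an added example, not part of this lab manual or of the JPS tool: it reads those values and the Run keys on a Windows guest and reports what is set. The policy keys and value names are the standard Windows ones; that JPS implements its options through exactly these values is an assumption to confirm by comparing a pre-infection snapshot with the infected VM. The sample snapshot in the script is constructed, not captured from a real run.

```python
"""Audit a Windows VM for the policy values the JPS "Disable ..." options are assumed to
set, and for Run-key persistence launching a file named svchost.exe.
Added example, not lab or JPS code."""
import sys

EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"

# (hive, key, value) -> JPS option it is assumed to correspond to. The keys and value
# names are the standard Windows policy locations; the mapping to JPS is an assumption.
POLICY_VALUES = {
    ("HKCU", SYSTEM, "DisableRegistryTools"): "Disable Registry",
    ("HKCU", SYSTEM, "DisableTaskMgr"): "Disable TaskManager",
    ("HKCU", r"Software\Policies\Microsoft\Windows\System", "DisableCMD"): "Disable CMD",
    ("HKCU", EXPLORER, "NoControlPanel"): "Disable Control Panel",
    ("HKCU", EXPLORER, "NoDesktop"): "Disable Desktop Icons",
    ("HKCU", EXPLORER, "NoRun"): "Hide Run",
    ("HKCU", EXPLORER, "NoFolderOptions"): "Remove Folder Options",
    ("HKLM", r"Software\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR"): "Disable System Restore",
}
RUN_KEYS = [("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
            ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run")]


def assess_policies(snapshot):
    """snapshot: {(hive, key, value): data}. Returns (option, location=data) for set values."""
    hits = []
    for loc, option in POLICY_VALUES.items():
        data = snapshot.get(loc)
        if isinstance(data, int) and data != 0:   # absent or 0 means the policy is off
            hits.append((option, "%s\\%s\\%s=%d" % (loc[0], loc[1], loc[2], data)))
    return hits


def executable_of(command):
    """First token of a Run-key command line, honouring a double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def suspicious_run_entries(run_entries):
    """run_entries: {(hive, value name): command}. The real svchost.exe is started by the
    Service Control Manager, never from a Run key, so any Run entry launching that name
    is flagged regardless of its path."""
    hits = []
    for (hive, name), command in run_entries.items():
        exe = executable_of(command)
        if exe.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "svchost.exe":
            hits.append((hive, name, exe))
    return hits


def read_live_snapshot():
    """Windows only: collect the same values from the live registry with winreg."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snapshot, runs = {}, {}
    for hive, key, name in POLICY_VALUES:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                snapshot[(hive, key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass                                  # key or value absent: policy not set
    for hive, key in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break                     # no more values under this key
                    runs[(hive, name)] = str(data)
                    i += 1
        except OSError:
            pass
    return snapshot, runs


# Constructed snapshot standing in for a guest after "Disable Registry", "Disable
# TaskManager" and "Auto Startup" were chosen; not captured from a real run.
SAMPLE_SNAPSHOT = {
    ("HKCU", SYSTEM, "DisableRegistryTools"): 1,
    ("HKCU", SYSTEM, "DisableTaskMgr"): 1,
    ("HKCU", EXPLORER, "NoRun"): 0,
}
SAMPLE_RUN = {
    ("HKCU", "Svchost"): r'"C:\Users\Administrator\Desktop\Svchost.exe"',
    ("HKLM", "Updater"): r'"C:\Program Files\Example\updater.exe" /background',
}

if __name__ == "__main__":
    snap, runs = read_live_snapshot() if sys.platform == "win32" else (SAMPLE_SNAPSHOT, SAMPLE_RUN)
    for option, where in assess_policies(snap):
        print("policy set:", option, "->", where)
    for hive, name, exe in suspicious_run_entries(runs):
        print("run entry :", hive, name, "->", exe)
```

Run it inside the guest before and after executing the generated file and compare the two outputs; anything that flips from absent to non-zero is an option the kit applied. An absent or zero value is treated as not set, and DisableCMD is flagged whether it is 1 or 2, since both settings block cmd.exe. Options that act on services (Disable DHCP Client, Destroy Audio Service) or on the GUI in memory are not visible here and need a separate check.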
Lab Analysis
Document all the files, created viruses, and worms in a separate location.
Tool/Utility: JPS Virus Maker
Information Collected/Objectives Achieved: To make a virus, the following options are used: Disable Yahoo, Disable Internet Explorer, Disable Norton Antivirus, Disable McAfee Antivirus, Disable Taskbar, Disable System Restore, Disable Control Panel, Hide Windows Clock, Hide All Tasks in Taskmgr, Change Explorer Caption, Destroy Taskbar, Destroy Offlines (YIMessenger), Destroy Audio Services, Terminate Windows, Auto Startup
Questions
1. Infect a virtual machine with the created viruses and evaluate the behavior of the virtual machine.
2. Examine whether the created viruses are detected or blocked by any antivirus programs or antispyware.
Virus Analysis Using IDA Pro
Computer worms are malicious programs that replicate, execute, and spread themselves across network connections independently, without human interaction.
Lab Scenario
Viruses, worms, or Trojans can erase your disk, send your credit card numbers and passwords to a stranger, or let others use your computer for illegal purposes like denial-of-service attacks. Hacker mercenaries view instant messaging clients as their personal banks because of the ease with which they can access your computer via the publicly open and interpretable standards. They unleash a Trojan horse, virus, or worm, as well as gather your personal and confidential information. Since you are an expert ethical hacker and penetration tester, the IT director instructs you to test the network for any viruses and worms that can damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behavior: whether they are detected by any antivirus programs or bypass the organization's firewall.
Lab Objectives
The objective of this lab is to make students learn and understand how to make viruses and worms to test the organization's firewall and antivirus programs.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms
Lab Environment
To carry out the lab, you need:
- IDA Pro located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Malware Analysis Tools\IDA Pro
- A computer running Windows Server 2012 as host machine
- Windows Server 2008 running on virtual machine as guest machine
- Run this tool on Windows Server 2008
- You can also download the latest version of IDA Pro from http://www.hex-rays.com/products/ida/index.shtml
Lab Duration
Time: 15 Minutes

Overview of Viruses and Worms
Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Attackers use worm payloads to install backdoors in infected computers, which turn them into zombies and create botnets; these botnets can be used to carry out further cyber-attacks.
Security warning dialog: "The publisher could not be verified. Are you sure you want to run this software?" Name: ...rs\Administrator\Desktop\idademo63_windows.exe, Publisher: Unknown Publisher, Type: Application. "This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust." The demo installer is unsigned, so this warning is expected; confirm that the file came from hex-rays.com before running it.

FIGURE 2.1: IDA Pro About.
4. Click Next to continue the installation.
FIGURE 2.2: IDA Pro Setup
5. Select the I accept the agreement radio button for the IDA Pro license agreement.
6. Click Next.
Setup - IDA Demo v6.3, License Agreement: Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation. (SPECIAL DEMO VERSION LICENSE TERMS: this demo version of IDA is intended to demonstrate the capabilities of the full version and may not, under any circumstances, be used in a commercial project.)

Note (IDA help): Reload the input file. This command reloads the same input file into the database. IDA tries to retain as much information as possible in the database. All the names, comments, segmentation information and similar will be retained.

FIGURE 2.3: IDA Pro license.
7. Keep the destination location default, and click Next.
Note (IDA help): Add breakpoint. This command adds a breakpoint at the current address. If an instruction exists at this address, an instruction breakpoint is created. Otherwise, IDA offers to create a hardware breakpoint, and allows the user to edit breakpoint settings.

Setup - Select Additional Tasks: Select the additional tasks you would like Setup to perform while installing IDA Demo v6.3, then click Next. Additional icons: Create a desktop icon.

Note (IDA help): Trace window. In this window, you can view some information related to all traced events. The tracing events are the information saved during the execution of a program. Different types of trace events are available: instruction tracing events, function tracing events and write, read/write or execution tracing events.
Setup - Ready to Install: Setup is now ready to begin installing IDA Demo v6.3 on your computer. Click Install to continue with the installation, or click Back if you want to review or change any settings. Destination location: C:\Program Files (x86)\IDA Demo 6.3. Additional tasks: Create a desktop icon.

Note (IDA help): Instruction tracing. This command starts instruction tracing. You can then use all the debugger commands as usual: the debugger will save all the modified register values for each instruction. When you click on an instruction trace event in the trace window, IDA displays the corresponding register values preceding the execution of this instruction. In the 'Result' column of the Trace window, you can also see which registers were modified by this instruction.

FIGURE 2.6: IDA Pro install
10. Click Finish.
Setup - IDA Demo v6.3 completion dialog.
Note (IDA help): The configuration files are searched in the IDA.EXE directory. In the configuration files, you can use C, C++ style comments and include files. If no file is found, IDA uses default values.

Note (IDC): CompileEx(string input, long isfile) compiles an IDC script. The input should not contain functions that are currently executing, otherwise the behavior of the replaced functions is undefined. If isfile != 0, input is the name of the file to compile; otherwise it holds the text to compile. Returns 0 on success, otherwise an error message.

License dialog (SPECIAL DEMO VERSION LICENSE TERMS: the demo version may not be used in a commercial project; the software is licensed, not sold, on a per-user basis) with I Agree and I Disagree buttons.

FIGURE 2.8: IDA Pro license accepted.
12. Click the New button in the Welcome window.
IDA: Quick start dialog with New, Go, and Previous (Load the old disassembly) buttons.

FIGURE 2.9: IDA Pro Welcome window.
13. A file browse window appears; select Z:\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!\face.exe and click Open.
Note (IDA help): Function tracing. This command starts function tracing. You can then use all debugger commands as usual: the debugger will save all addresses where a call to a function or a return from a function occurred.

Note (IDA help): Add/Edit an enum (action names AddEnum, EditEnum). These commands allow you to define and to edit an enum type. You need to specify: the name of the enum, its serial number (1, 2, ...), and the representation of enum members.

FIGURE 2.10: IDA Pro file browse window.
14. The Load a new file window appears. Keep the default settings and click OK.
Load a new file dialog: Load file Z:\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!\face.exe as Portable executable for 80386 (PE) [pe.ldw]. Options: Analysis enabled, Indicator enabled, Create segments, Load resources, Rename DLL entries, Manual load, Fill segment gaps, Make imports segment; Loading offset 0; Processor options; Kernel options.
16. The Please confirm window appears; read the instructions carefully and click Yes.

Please confirm: IDA-View has now a new mode: proximity view. This mode allows you to browse the interrelations between functions and data items. When inside a function, press '-' to toggle the proximity viewer and '+' to zoom back into a function. Do you want to switch to proximity view now?
Note (IDA help): Add read/write trace. This command adds a read/write trace to the current address. Each time the given address is accessed in read or write mode, the debugger will add a trace event to the Trace window.

Note (IDA help): Create alignment directive (action name MakeAlignment). This command allows you to create an alignment directive.

IDA View-A opens at 004073B2 (WinMain) once the output window reports "IDA is analysing the input file... You may start to explore the input file right now." The Functions window lists the recovered routines (sub_4010C0, sub_401196, sub_401284, StartAddress, ...), and the flow chart command (status bar: "Display flow chart of the current function") produces the graph in Figure 2.15, reported as 8 nodes, 2 edge segments, 0 crossings.

FIGURE 2.15: IDA Pro flow chart
Flow chart of WinMain (recovered from the graph view): the function compares byte_410004 with 0 and branches to loc_407420 on the result; on the other path it clears [ebp+var_8] and [ebp+var_4], fills the service table entry at [ebp+ServiceStartTable] with lpServiceName = offset ServiceName and lpServiceProc = offset loc_4073C3, passes that table to ds:StartServiceCtrlDispatcherA, and then calls sub_4012F2. A WinMain that reaches StartServiceCtrlDispatcherA expects to be launched by the Service Control Manager, so the sample installs itself as a Windows service; loc_4073C3 is its service entry and the place to look next.
Note (IDA help): Empty input file. The input file doesn't contain any instructions or data, i.e. there is nothing to disassemble. Some file formats allow the situation when the file is not empty but it doesn't contain anything to disassemble. For example, COFF/OMF/EXE formats could contain a file header which just declares that there are no executable sections in the file.

IDA main window: Functions window (line 7 of 258), IDA View-A, and the output window reporting that the analysis of the input file has finished.
22. Click Windows > Hex View-A.

FIGURE 2.21: IDA Pro Hex View-A menu.
23. The following window shows Hex View-A.
Hex View-A for face.exe: 16 bytes per row starting at 004073B2 (the start of WinMain), with the hex bytes and the printable-character column; the Functions window remains on the left.

FIGURE 2.22: IDA Pro Hex View-A result.
25. The following is a window showing Structures (to expand structures, press Ctrl and +).
Tool/Utility: IDA Pro
Questions
1. Analyze the chart generated with the flow chart and function calls; try to find the possible defect that can be caused by the virus file.
2. Try to analyze more virus files from the location D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!.
Lab 3
Virus Analysis Using VirusTotal
Computer worms are malicious programs that replicate, execute, and spread themselves across network connections independently, without human interaction.
Lab Scenario
In today's online environment it's important to know what risks lie ahead at each click. Every day millions of people go online to find information, to do business, to have a good time. There have been many warnings issued about theft of data: identity theft, phishing scams and pharming; most people have at least heard of denial-of-service attacks and "zombie" computers, and now one more type of online attack has emerged: holding data for ransom. Since you are an expert ethical hacker and penetration tester, the IT director instructs you to test the network for any viruses and worms that can damage or steal the organization's information. In this lab we explain how to analyze a virus using online virus analysis services.
Lab Objectives
The objective of this lab is to make students learn and understand how to make viruses and worms to test the organization's firewall and antivirus programs. In this lab, you will learn how to:
Analyze virus files over the Internet
Lab Environment
To carry out the lab, you need:
A computer running Windows Server 2012 as host machine
A web browser with Internet connection
Lab Duration
Time: 15 Minutes
Overview of Viruses and Worms
Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Attackers use worm payloads to install backdoors in infected computers, which turn them into zombies and create botnets; these botnets can be used to carry out further cyber-attacks.
Lab Tasks
TASK 1
1. Open a web browser in the Windows Server 2012 host machine.
2. Access the website http://www.virustotal.com.
FIGURE 3.1: VirusTotal Home Page (VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware; maximum file size 32MB; you may prefer to scan a URL or search through the VirusTotal dataset)
3. The VirusTotal website is used to analyze viruses online.
4. Click the Choose file button, and select a virus file located in D:\CEHTools\CEHv8 Module 07 Viruses and Worms\Viruses\tini.exe.
5. Click Open.
FIGURE 3.4: Sending File (the File Upload dialog shows the Viruses folder with tini.exe selected; by clicking Scan it! you consent to the Terms of Service and allow VirusTotal to share the file with the security community)
9. The selected file is placed in the analysis queue and scanned, as shown in the following figure.
FIGURE 3.5: Scanned File (window title "Antivirus scan for b7513cc75c68bdcc96c814544717c413"; the page reports "Your file is at position 4397 in the analysis queue" for tini.exe, with Comments, Votes and Additional information tabs)
10. A detailed report will be displayed after analysis.
FIGURE 3.7: Analyzing the file (the report lists the SHA256, SHA1 and MD5 of the file, file size 3.0 KB (3072 bytes), file name tini.exe, file type Win32 EXE, detection ratio 39/42, analysis date 2012-09-22 08:56:26 UTC, followed by the per-engine results with their signature dates)
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
Tool/Utility: VirusTotal
Information Collected/Objectives Achieved: Scan report shows SHA256, SHA1, MD5, file size, file name, file type, detection ratio, analysis date
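The scan report lists the same fields for every submission. As an added example (not from the lab manual and not VirusTotal's own code), the Python script below computes those fields locally for a constructed sample and, when a VT_API_KEY environment variable is set, checks the SHA256 against the VirusTotal dataset first, so a sensitive file need not be shared with the community at all; the v3 file endpoint, the x-apikey header and the last_analysis_stats field are assumptions about the public API, and the sample bytes are constructed, not tini.exe.

```python
import hashlib
import json
import os
import struct
import urllib.error
import urllib.request

# Constructed stand-in for a sample: a DOS header whose e_lfanew field (offset 0x3C)
# points at a "PE\0\0" signature. It is not tini.exe or any real binary.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20

# Assumed VirusTotal v3 file-report endpoint (public API, not lab material).
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def hash_bytes(data: bytes) -> dict:
    """Return the SHA256, SHA1 and MD5 shown at the top of a VirusTotal report."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def guess_file_type(data: bytes) -> str:
    """Rough equivalent of the report's 'File type' field, for PE files only."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "Win32 EXE"
        return "DOS executable"
    return "unknown"


def parse_detection_ratio(text: str) -> tuple:
    """Turn a ratio such as '39/42' into (detected, engines, fraction)."""
    detected, engines = (int(part) for part in text.strip().split("/"))
    if engines <= 0 or not 0 <= detected <= engines:
        raise ValueError(f"malformed detection ratio: {text!r}")
    return detected, engines, detected / engines


def build_local_report(file_name: str, data: bytes) -> dict:
    """Fields that can be produced offline, in the order the report lists them."""
    report = hash_bytes(data)
    report.update({
        "file_size": len(data),
        "file_size_text": f"{len(data) / 1024:.1f} KB ({len(data)} bytes)",
        "file_name": file_name,
        "file_type": guess_file_type(data),
    })
    return report


def ratio_from_stats(stats: dict) -> str:
    """Rebuild the 'detected/engines' string from last_analysis_stats (assumed keys)."""
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    return f"{stats.get('malicious', 0)}/{engines}"


def lookup_by_hash(sha256: str, api_key: str) -> str:
    """Search the VirusTotal dataset by hash instead of uploading the file."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return "not in dataset"  # nobody has submitted this hash yet
        raise
    return ratio_from_stats(body["data"]["attributes"]["last_analysis_stats"])


if __name__ == "__main__":
    local = build_local_report("sample.exe", SAMPLE_PE)
    for field, value in local.items():
        print(f"{field:15} {value}")
    key = os.environ.get("VT_API_KEY")
    if key:
        print("detection ratio", lookup_by_hash(local["sha256"], key))
    else:
        print("VT_API_KEY not set; skipping dataset lookup")
```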
Questions
1. Analyze more virus files from D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses with the demonstrated process.
Internet Connection Required: Yes
Platform Supported: Classroom, iLabs
Scan for Viruses Using Kaspersky Antivirus 2013
Computer worms are malicious programs that replicate, execute, and spread themselves across network connections independently, without human interaction.
Lab Scenario
Today, many people rely on computers to do work and create or store useful information. Therefore, it is important for the information on the computer to be stored and kept properly. It is also extremely important for people on computers to protect their computer from data loss, misuse, and abuse. For example, it is crucial for businesses to keep the information they have secure so that hackers can't access it. Home users also need to take measures to make sure that their credit card numbers are secure when they are participating in online transactions. A computer security risk is any action that could cause loss of information, software, data, processing incompatibilities, or cause damage to computer hardware. Once you start suspecting that there is spyware on your computer system, you must act at once. The best thing to do is to use spyware remover software. Spyware remover software is a kind of program that scans the computer files and settings and eliminates those malicious programs that you actually do not want to keep on your operating system. In this lab, the Kaspersky Antivirus 2013 program detects the malicious programs and vulnerabilities in the system.
Lab Objectives
The objective of this lab is to make students learn and understand how to make viruses and worms to test the organization's firewall and antivirus programs.
Lab Environment
To carry out the lab, you need:
Kaspersky Antivirus 2013, located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Anti-Virus Tools\Kaspersky Anti-Virus
You can also download the latest version of Kaspersky Antivirus 2013 from the link http://www.kaspersky.com/anti-virus
If you decide to download the latest version, then the screenshots shown in the lab might differ
Run this tool in the Windows 7 virtual machine
Active Internet connection
Lab Duration
Time: 15 Minutes
Overview of Viruses and Worms
Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Attackers use worm payloads to install backdoors in infected computers, which turn them into zombies and create botnets; these botnets can be used to carry out further cyber-attacks.
Advanced antiphishing technologies proactively detect fraudulent URLs and use real-time information from the cloud, to help ensure you're not tricked into disclosing your valuable data to phishing websites.
5. Open the CEH-Tools folder and browse to the location Z:\CEHv8 Module 07 Viruses and Worms\Viruses\netbus17.
6. Double-click the Patch.exe file.
7. Open the CEH-Tools folder and browse to the location Z:\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!.
8. Double-click the face.exe file.
Kaspersky protects against all viruses by combining cloud-based functionality and powerful security technologies that run on your PC.
10. Go to the location D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Anti-Virus Tools\Kaspersky Anti-Virus.
11. Install the Kaspersky Antivirus 2013 software in Windows 7.
12. While installing, it will ask for activation; click Activate Trial Version and then click Next.
13. The main window of Kaspersky Antivirus 2013 is shown in the figure below.
FIGURE 4.4: Kaspersky main window (Computer is protected; Threats, Protection components and Databases status; Scan, Update, Quarantine, Tools, Licensing, Reports and Settings)
14. Select the Scan icon.
Kaspersky Antivirus 2013 is fully compatible with Microsoft's latest operating system.
FIGURE 4.5: Kaspersky Scan window (trial version enabled, 30 days remaining)
15. Select Full Scan to scan the computer (Windows 7 virtual machine).
Kaspersky Anti-Virus 2013 is optimised so that it does not have a significant impact on network activity, the installation of programs, the launch of web browsers or the launch of programs.
FIGURE 4.7: Scanning process (Full Scan scans your entire computer; Kaspersky recommends running a Full Scan immediately after installing the application, and notes that it may take some time; Vulnerability Scan scans your system and applications for vulnerabilities that may allow malicious attacks; the option "Scan after the update (recommended)" is offered)
17. Kaspersky Antivirus 2013 scans the computer. (It will take some time, so be patient.)
Even if your PC and the applications running on it haven't been updated with the latest fixes, Kaspersky Anti-Virus 2013 can prevent exploitation of vulnerabilities by: controlling the launch of executable files from applications with vulnerabilities; analysing the behaviour of executable files for any similarities with malicious programs; restricting the actions allowed by applications with vulnerabilities.
FIGURE 4.8: Scanning process
18. The Virus Scan window appears; it will ask you to perform a special disinfection procedure.
19. Click Yes, disinfect with reboot (recommended).
The main interface window is optimised to help boost performance and ease of use for many popular user scenarios, including launching scans and fixing problems.
Kaspersky Anti-Virus 2013 Virus Scan dialog: Active malware detected. Trojan program: Backdoor.Win32.Netbus.170. Location: c:\Windows\patch.exe. Options: "Yes, disinfect with reboot (recommended)" (the most reliable disinfection method, after which the computer will be rebooted; Kaspersky recommends you close all running applications and save your data) and "Do not run".
20. The Advanced Disinfection scan will start; it will scan the complete system (this may take some time).
FIGURE 4.10: Advanced Disinfection scanning (Task Manager: Advanced Disinfection 49%, Object C:\Windows\System32\msasn1.dll, Remaining < 1 minute, Scanned 2,648 files, Threats 1, Neutralized 1)
21. The cleaned viruses will appear, as shown in the following figure.
Detailed report, Detected threats (Full Scan completed 9/24/2012): KeyHook.dll, tini.exe, patch.exe and NetBus.exe, each logged as "Detected: Backdoor.Win32...", "Backed up: Backdoor.Win..." and "Will be deleted on reboot..." at 9/24/2012 5:33 PM.
Information Collected/Objectives Achieved: Result: List of detected vulnerabilities in the system
Questions
1. Using the final report, analyze the processes affected by the virus files.
Lab
Virus Analysis Using OllyDbg
OllyDbg is a debugger that emphasises binary code analysis, which is useful when source code is not available. It traces registers, recognises procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries.
Lab Scenario
There are literally thousands of malicious logic programs and new ones come out all the time, so that's why it's important to keep up-to-date with the new ones that come out. Many websites keep track of this. There is no known method for providing 100% protection for any computer or computer network from computer viruses, worms, and Trojan horses, but people can take several precautions to significantly reduce their chances of being infected by one of those malicious programs. Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. In this lab OllyDbg is used to analyze a virus's registers, procedures, API calls, tables, libraries, constants, and strings.
Lab Objectives
The objective of this lab is to make students learn and understand analysis of viruses.
Lab Environment
To carry out the lab, you need:
OllyDbg tool located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Debugging Tool\OllyDbg
A computer running Windows Server 2012 as host machine
You can also download the latest version of OllyDbg from the link http://www.ollydbg.de/
Run this tool on Windows Server 2012
Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
Overview of OllyDbg
The debugging engine is now more stable, especially if one steps into the exception handlers. There is a new debugging option, "Set permanent breakpoints on system calls." When active, it requests OllyDbg to set breakpoints on KERNEL32.UnhandledExceptionFilter(), NTDLL.KiUserExceptionDispatcher(), NTDLL.ZwContinue(), and NTDLL.NtQueryInformationProcess().
Lab Tasks
TASK 1: Debug a Virus
1. Launch the OllyDbg tool. Installation is not required for OllyDbg. Double-click and launch the ollydbg.exe file.
Data formats: Dump windows display data in all common formats: hexadecimal, ASCII, UNICODE, 16- and 32-bit signed/unsigned/hexadecimal integers, 32/64/80-bit floats, addresses, disassembly (MASM, IDEAL, HLA or AT&T).
OllyDbg Open dialog: Filename tini.exe, Files of type Executable file (*.exe), Open / Cancel.
The output of CPU - main thread, module tini is shown in the following figure.
OllyDbg can debug multithread applications. You can switch from one thread to another, suspend, resume and kill threads or change their priorities.
OllyDbg - tini.exe, CPU - main thread, module tini: paused at tini.<ModuleEntryPoint> with EIP 00401000; the registers (EAX 754E83CD, ECX 00000000, EDX 00401000, EBX 7F4D9000, ESP 0018FF88, EBP 0018FF90, ESI 00000000, EDI 00000000), flags and segment selectors, the hex dump starting at 00403000 and the stack at 0018FF8C are shown.
Full UNICODE support. All operations available for ASCII strings are also available for UNICODE, and vice versa. OllyDbg is able to recognize UTF strings.
OllyDbg - tini.exe, View menu: Executable modules, Memory map, Threads, CPU, Watches, Search results, Run trace, INT3 breakpoints, Memory breakpoints, Hardware breakpoints.
8. The output of the log data for tini.exe is shown in the following figure.
Breakpoints: OllyDbg supports all common kinds of breakpoints: INT3, memory and hardware. You may specify the number of passes and set conditions for pause.
OllyDbg - tini.exe, Log window: File 'D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Virus Total\tini.exe'; New process (ID 000011F4) created; Main thread (ID 00000060) created; 00400000 Module tini.exe; system modules (C:\Windows\SYSTEM32\WSOCK32.dll, bcryptPrimitives.dll, CRYPTBASE.dll, KERNEL32.DLL, RPCRT4.dll, NSI.dll) each reported as "Different PE headers in file and in memory (System update is pending?)"; status Paused.
9. Click View from the menu bar, and click Executable modules (Alt+E).
10. The output of Executable modules:
Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Note: Watches: Watch is an expression evaluated each time the program pauses. You can use registers, constants, address expressions, Boolean and algebraical operations of any complexity.
[Figure: OllyDbg Executable modules window for tini.exe, listing tini.exe and the loaded system DLLs (WSOCK32.dll, bcryptPrimitives.dll, CRYPTBASE.dll, KERNEL32.DLL, RPCRT4.dll, NSI.dll, sechost.dll, WS2_32.dll, msvcrt.dll, KERNELBASE.dll, ntdll.dll) with their base addresses and file versions (6.2.8400.0)]
11. Click View from the menu bar, and then click Memory map (Alt+M).
12. The output of Memory map:
[Figure: OllyDbg Memory map window for tini.exe, with Address, Size, Owner, Section, Contains, Type, Access and Initial access columns for the stack, the tini.exe PE header, code, imports and data sections, and the mapped images of WSOCK32, bcryptPrimitives, CRYPTBASE, SspiCli and KERNEL32]
13. Click View from the menu bar, and then click Threads (Alt+T).
[Figure: OllyDbg Threads window for tini.exe, listing the main thread with the Ident, Window's title, Last error (ERROR_SUCCESS), Entry (entry point of main module), TIB, Suspend, Priority and User time columns]
Lab Analysis
Document all the files, created viruses, and worms in a separate location.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: OllyDbg
Information Collected/Objectives Achieved: Result: CPU - main thread, Log data, Executable modules, Memory map, Threads
Questions
1. Using the final report, analyze the processes affected by the virus files.
Internet Connection Required: Yes / No
Platform Supported: Classroom, iLabs
Creating a Worm Using Internet Worm Maker Thing
Internet Worm Maker Thing is a tool to create worms. It also has a feature to convert a virus into a worm.
Lab Scenario
In recent years there has been a large growth in Internet traffic generated by malware, that is, Internet worms and viruses. This traffic usually only impinges on the user when either their machine gets infected or during the epidemic stage of a new worm, when the Internet becomes unusable due to overloaded routers. What is less well known is that there is a background level of malware traffic at times of non-epidemic growth, and that anyone plugging an unfirewalled machine into the Internet today will see a steady stream of port scans, back-scatter from attempted distributed denial-of-service attacks, and host scans. We must build better firewalls, protect the Internet router infrastructure, and provide early-warning mechanisms for new attacks. Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behavior: whether they are detected by an antivirus and whether they bypass the firewall.
Lab Objectives
The objective of this lab is to make students learn and understand how to make viruses and worms.
Lab Environment
To carry out the lab, you need:
Internet Worm Maker Thing, located at ...\Internet Worm Maker Thing\Generator.exe in the CEHv8 Module 07 tools folder
A computer running Windows Server 2012 as host machine
Lab Duration
Time: 10 Minutes
Lab Tasks
TASK 1
Make a Worm
1. Launch the Internet Worm Maker Thing tool. Installation is not required for Internet Worm Maker Thing. Double-click and launch the Generator.exe file.
2. The Internet Worm Maker Thing window appears.
Note: Take a snapshot of the virtual machine before launching the Internet Worm Maker Thing tool.
[Figure: Internet Worm Maker Thing V4 main window, with its Payloads, Infection Options, Spreading Options, Startup and Output Path controls and the Generate Worm button]
Note: The option Auto Startup is always checked by default.
3. Enter a Worm Name and Output Path for the worm, and check the Compile To EXE Support and Global Registry Startup check boxes.
Note: A list of names for the virus after install is shown in the Name after Install drop-down list.
[Steps 4 to 9 only partially recovered: Activate Payloads on Date; Chance of activating payloads; enter 5; Disable Mouse and Message Box; Message, and Select Icon]
[FIGURE 6.3: Select the option for creating worm. The Internet Worm Maker Thing V4 window shows Worm Name JBWorm, Author juggyboy, Output Path C:\Worm, and the Activate Payloads On Date, Disable System Restore, Disable Windows Security, Hide All Drives, Disable Task Manager, Disable Keyboard, Disable Mouse, Message Box (Title: Hacked; Message: your system is Hacked; Icon: Information), Disable Regedit, Disable Explorer.exe, Change Reg Owner (juggyboy) and Change Reg Organisation (power Gym) options selected]
10. Check the Change Homepage check box. In the URL field, enter http://www.powergym.com.
11. Check the Disable Norton Script Blocking, Disable Macro Security, Disable Run Command, Disable Shutdown, No Search Command, Swap Mouse Buttons, and Open Webpage check boxes.
12. Check the Change IE Title Bar, Change Media Player Txt, Open Cd Drives, and Lock Workstation check boxes.
Note: Don't forget to change the settings for every new virus creation. Otherwise, by default, it takes the same name as an earlier virus.
[Figure: Internet Worm Maker Thing V4 with Change Homepage (www.powergym.com), Disable Norton Script Blocking, Disable Macro Security, Disable Run Command, Disable Shutdown, No Search Command, Swap Mouse Buttons, Open Webpage, Change IE Title Bar (Hacked), Open Cd Drives and Lock Workstation selected]
13. Check the Print Message and Text check boxes.
14. Enter a Title and Message.
[Steps 15 to 20 only partially recovered: juggyboy; URL; Change NOD32 Text; CPU Monster; Change Time; Change Date; Change Computer Name, Change Drive Icon, Add To Context Menu, Change Clock Text, and Add To Favorites check boxes]
[Figure: Internet Worm Maker Thing V4 with Activate Payloads On Date, Hide All Drives, Disable Task Manager, Disable Keyboard, Disable Mouse, Message Box (Title: Hacked) and Global Registry Startup selected]
[Figure: Internet Worm Maker Thing V4 with Worm Name JBWorm, Author juggyboy, Change Homepage (www.powergym.com), Loop Sound, Hide Desktop, Disable Malware Remove, Disable Windows File Protection, Corrupt Antivirus, Change Computer Name, Custom Code, Add To Context Menu, Change Clock Text, Open Cd Drives, Lock Workstation, Change Wallpaper, Keyboard Disco, Add To Favorites and Change Reg Organisation selected]
21. Check the Exploit Windows Admin Lockout Bug and Blue Screen of Death check boxes.
22. Check the Infect Bat Files check box under Infection Options.
23. Check the Hide Virus Files check box.
24. Click Generate Worm.
[Figure: Internet Worm Maker Thing V4 with Exploit Windows Admin Lockout Bug, Blue Screen Of Death, Infect Bat Files, Loop Sound, Hide Desktop and Hide Virus Files selected together with the options from the previous steps (Output Path C:\Worm, Compile To EXE Support, Message Box Title Hacked), before clicking Generate Worm]
25. The worm is successfully created. The following window appears. Click OK.
[Figure: Information dialog reading "Your new worm.vbs has been made!" with an OK button]
Lab Analysis
Document all the files, created viruses, and worms in a separate location.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: Internet Worm Maker Thing
Information Collected/Objectives Achieved: Options used to make the worm: Hide all drives, Disable Task Manager, Disable keyboard, Disable mouse, Message box, Disable Regedit, Disable Explorer.exe, Change Reg Owner, Change HomePage, Disable Windows security, Disable Norton security, Disable Run command, Disable shutdown
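To check whether the lab virtual machine still carries the settings behind the options listed above, here is an added example (not from the lab manual or the tool's author) that audits a regedit export of the guest; it assumes those options map to the standard Windows policy, homepage and Run-key values named in the code, and the sample export is constructed.

```python
"""Audit a Windows registry export (.reg) for the policy and persistence
values behind the worm options listed above. Added example, not the lab
manual's code; which value each option sets is an assumption."""
import re

POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
# (key, value name) -> worm option. DWORDs flag when non-zero; the string
# value (Start Page) is reported so it can be compared with a known baseline.
INDICATORS = {
    (POL + r"\System", "DisableTaskMgr"): "Disable Task Manager",
    (POL + r"\System", "DisableRegistryTools"): "Disable Regedit",
    (POL + r"\Explorer", "NoRun"): "Disable Run command",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
     "Start Page"): "Change HomePage",
}
# Autostart keys (assumed to be what Global/Local Registry Startup use).
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run")
SCRIPT_HOST = re.compile(r"\.vbs\b|\b[wc]script(\.exe)?\b", re.IGNORECASE)


def unescape(s):  # undo .reg escaping of backslashes and double quotes
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Parse [key] headers, "name"="string" and "name"=dword:hex lines; hex: data is skipped."""
    tree, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry keys are case-insensitive
            tree.setdefault(key, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if key is None or not m:
            continue
        name, data = unescape(m.group(1) or ""), m.group(2)
        if data.startswith("dword:"):
            tree[key][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            tree[key][name] = unescape(data[1:-1])
    return tree


def audit(reg_text):
    """Return one readable finding per indicator present in the export."""
    tree, findings = parse_reg(reg_text), []
    for (key, name), option in INDICATORS.items():
        value = tree.get(key.lower(), {}).get(name)
        if value:  # non-zero DWORD or non-empty string
            findings.append(f"{option}: {key}\\{name} = {value!r}")
    for key in RUN_KEYS:
        for name, value in tree.get(key.lower(), {}).items():
            if isinstance(value, str) and SCRIPT_HOST.search(value):
                findings.append(f"Script autostart: {key}\\{name} = {value!r}")
    return findings


# Constructed sample export, as a lab VM might look after the worm ran.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.powergym.com"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"JBWorm"="wscript.exe \"C:\\Worm\\worm.vbs\""
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
"""
```

Run `print("\n".join(audit(SAMPLE_REG)))` to list the findings; a real export comes from `reg export` or regedit's File > Export on the guest.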
Questions
1. Examine whether the created worms are detected or blocked by any antivirus or antispyware programs.
Internet Connection Required: Yes / No
Platform Supported: Classroom, iLabs