Beating a Virus, and the (Trojan) Horse It Rode In On

Presented by: Bibudhendu Bibhraj Dash

Objectives:
Virus history 101
Virus tricks: How to defunct the defunct
Virus examples, demo (yay!)
How to detect an infection
What do I do if I don’t want this virus?

Quick (*QUICK*) overview of debugging viruses
In the beginning, man created the virus, and it was bad.
The first computer virus
Several stories
Pakistani Brain virus (1986): the first widely spread virus for IBM PC compatibles. It is commonly mistaken for the first virus of all.
Apple Virus 1 (1981): a boot-sector infecting virus, possibly created to spread with pirated games.
Animal (1975, Univac): a “guess an animal” game that copied itself into other users’ home directories when run.
Types of Malicious Code
Virus
MBR Infector
Boot Sector Infector
File Infector
Memory Resident
Polymorphic
Multi-Partite
Macro
Trojan
Key loggers
File Over-writer
Companion
ANSI Bomb
Logic Bomb
Worm
These are beginning to merge with other techniques (virus, trojan, backdoor, etc).
Spyware
HTTP Redirector
HTTP Hi-jacker
Data Miner
Standard Exploit
Benefits of Computer Viruses:
(This page was intentionally left blank.)
Master Boot Record/Boot Sector Viruses
Boot sector virus (Apple Viruses 1,2,3, “Elk Cloner”), Pakistani Brain (x86)
File Infectors
Overwriting virus
COM infector/EXE infector (Prepend/Append target file)
NewEXE/PE Infector
Memory Resident Virus
Intercepts interrupt calls by modifying the interrupt vector table: the int 13h (disk services) vector is pointed at the virus routine, and the original handler address is saved and called once the virus has done its work.
Evolved to Stealth Viruses
Stealth viruses watch for anti-virus-like activity and feed it false information: reported free disk space is (actual free space + virus length), reported free memory is (actual free memory + virus length), and a read of the MBR returns the saved original rather than the infected one.
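The MBR trick in the last bullet, as an added example that is not part of the slides: a small model of a memory-resident virus hooking the int 13h vector. The 16-sector disk, the vector table and the “BIOS” read routine are constructed stand-ins, not real BIOS code, and the hidden sector number is an assumption. It also shows why the removal advice later in the deck starts with booting from a known clean source: with the resident hook gone, the same read returns the real, infected sector.

```python
# Added example (not from the slides): a model of a memory-resident stealth
# virus hooking the int 13h (disk) vector. The disk, the vector table and the
# "BIOS" read routine are constructed stand-ins, not real BIOS code.

INT13 = 0x13
SECTOR = 512
CLEAN_MBR = b"CLEAN-MBR-BOOT-CODE".ljust(SECTOR, b"\0")
VIRUS_LOADER = b"VIRUS-LOADER".ljust(SECTOR, b"\0")
HIDE_SECTOR = 15   # assumed spare sector where the virus parks the original MBR

# Constructed 16-sector disk; sector 0 is the MBR.
disk = [bytearray(SECTOR) for _ in range(16)]
disk[0][:] = CLEAN_MBR


def bios_read(sector: int) -> bytes:
    """The original int 13h handler: a raw sector read."""
    return bytes(disk[sector])


# Interrupt vector table (only the entry we care about).
ivt = {INT13: bios_read}


def call_int(vector: int, sector: int) -> bytes:
    """What an application, or a naive scanner, does: go through the vector."""
    return ivt[vector](sector)


def infect() -> None:
    """Park the clean MBR, overwrite sector 0 with the loader, then hook
    int 13h so that reads of sector 0 hand back the parked clean copy."""
    disk[HIDE_SECTOR][:] = disk[0]
    disk[0][:] = VIRUS_LOADER
    original = ivt[INT13]

    def stealth_hook(sector: int) -> bytes:
        if sector == 0:
            return original(HIDE_SECTOR)     # lie about the MBR
        return original(sector)              # pass everything else through

    ivt[INT13] = stealth_hook


def mbr_via_int13() -> bytes:
    """MBR as seen by a scanner running on the infected system."""
    return call_int(INT13, 0)


def mbr_after_clean_boot() -> bytes:
    """MBR as seen after booting from a known clean disk: the resident
    hook is not in memory, so the scanner gets the real sector."""
    return bios_read(0)


def int13_is_hooked() -> bool:
    """Check a scanner can still make on the live system: compare the
    vector with the handler the BIOS installed."""
    return ivt[INT13] is not bios_read


if __name__ == "__main__":
    print("hooked before infection:", int13_is_hooked())
    infect()
    print("hooked after infection:", int13_is_hooked())
    print("MBR via int 13h:", mbr_via_int13()[:19])
    print("MBR after clean boot:", mbr_after_clean_boot()[:12])
```

The vector comparison is the one check that still works on the live system, which is why memory-resident scanners of the era compared interrupt vectors against the addresses the BIOS installed; the virus, of course, can hide that too, so the clean boot remains the only reliable view.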
More tricks (Polymorphic viruses)
Modify their own code on each infection by inserting meaningless instructions or data.
(Commonly NOP, MOV DX,DX, or any redundant instruction pair such as ADD AX,2 / SUB AX,2.)
This makes creating a virus signature much more difficult.
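The junk-insertion trick above, as an added example that is not from the slides: a toy “engine” that puts a random do-nothing sequence in front of every instruction of a constructed virus body, a byte-signature scanner that no longer matches the result, and a scanner that strips the known junk first. The virus body, the signature and the junk list are constructed stand-ins; the byte values are genuine 16-bit x86 encodings.

```python
# Added example (not from the slides): junk-instruction insertion, the
# polymorphic trick described above, versus a byte-signature scanner.
# The "virus body", the junk list and the signature are constructed
# stand-ins; the byte values are real 16-bit x86 encodings.
import random

# Constructed stand-in for a virus body (instruction boundaries at 0, 3, 6, 8).
VIRUS_BODY = bytes([
    0xB8, 0x00, 0x4C,   # mov ax, 4C00h
    0xBA, 0x00, 0x01,   # mov dx, 0100h
    0xCD, 0x21,         # int 21h
])
BOUNDARIES = [0, 3, 6, 8]

# A scanner signature taken from the body: its first two instructions.
SIGNATURE = VIRUS_BODY[:6]

# Do-nothing instruction sequences of the kind the slide lists.
JUNK = [
    bytes([0x90]),                                  # nop
    bytes([0x89, 0xD2]),                            # mov dx, dx
    bytes([0x05, 0x02, 0x00, 0x2D, 0x02, 0x00]),    # add ax, 2 / sub ax, 2
]


def mutate(body: bytes, rng: random.Random) -> bytes:
    """Polymorphic engine: put a random junk sequence in front of every
    instruction, so each copy has a different byte pattern."""
    out = bytearray()
    for start, end in zip(BOUNDARIES, BOUNDARIES[1:]):
        out += rng.choice(JUNK)
        out += body[start:end]
    return bytes(out)


def mutant(seed: int) -> bytes:
    """One infection's copy of the body, reproducible from a seed."""
    return mutate(VIRUS_BODY, random.Random(seed))


def naive_scan(sample: bytes) -> bool:
    """Signature scanner: exact substring match."""
    return SIGNATURE in sample


def normalize(sample: bytes) -> bytes:
    """Strip the known junk sequences before matching, longest first so the
    add/sub pair goes as a unit. This stands in for what real engines do
    (emulate the code and scan the result); blind byte deletion would also
    damage legitimate data that happens to contain these bytes."""
    for junk in sorted(JUNK, key=len, reverse=True):
        sample = sample.replace(junk, b"")
    return sample


def normalized_scan(sample: bytes) -> bool:
    return naive_scan(normalize(sample))


def distinct_variants(n: int) -> int:
    """How many different byte patterns n infections produce."""
    return len({mutant(seed) for seed in range(n)})


if __name__ == "__main__":
    sample = mutant(1)
    print("naive scan:", naive_scan(sample))              # False
    print("normalized scan:", normalized_scan(sample))    # True
    print("distinct variants among 20:", distinct_variants(20))
```

With only three junk choices and three slots there are 27 possible patterns; a real engine also reorders instructions, swaps equivalent ones and encrypts the body under a per-infection key, which is what pushed scanners toward emulation rather than longer signature lists.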
Trojan Horse
A program disguised as something desirable, but has another program hidden inside of it.
/bin/login
WinXPfullCD_reallyworks!!.exe (17k)
Trojan Horse (Unix)
Trojan Horse (DOS/Windows)
ANSI Bomb
Plain .txt file with ANSI codes
Example: ESC["d";"del *.*"p (the ← on the slide is how DOS displays the ESC byte, 0x1B). With ANSI.SYS loaded, this redefines the “d” key so that pressing it types del *.*.
This led to macro viruses.
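A detector for the mechanism behind the ANSI bomb above, added here as an example and not part of the slides: it parses ANSI.SYS key-redefinition sequences (ESC [ key ; replacement … p) out of a text, reports which key would type what, and strips them while leaving harmless colour codes alone. The sample text is constructed; the F1 scan code (59) and the use of 13 (carriage return) to fire the command on keypress follow the ANSI.SYS convention.

```python
# Added example (not from the slides): a scanner for ANSI.SYS key-redefinition
# sequences, the mechanism behind the ANSI bomb, plus a sanitiser that strips
# them. The sample text is constructed.
import re

# ANSI.SYS key redefinition: ESC [ key ; replacement... p
# Parameters are decimal codes or double-quoted strings; an extended key
# (F-keys, arrows) is written as 0 followed by its scan code.
PARAM = r'(?:"[^"]*"|\d+)'
KEY_REDEF = re.compile(r"\x1b\[(" + PARAM + r"(?:;" + PARAM + r")*)p")


def _decode(params):
    """Join parameters into the text the key would type."""
    return "".join(p[1:-1] if p.startswith('"') else chr(int(p)) for p in params)


def find_key_redefinitions(text: str):
    """Return (key, replacement) pairs for every redefinition in text."""
    hits = []
    for m in KEY_REDEF.finditer(text):
        params = re.findall(PARAM, m.group(1))
        if params[0] == "0" and len(params) > 1:         # extended key
            key, rest = "scancode " + params[1], params[2:]
        else:
            key, rest = _decode(params[:1]), params[1:]
        hits.append((key, _decode(rest)))
    return hits


def strip_key_redefinitions(text: str) -> str:
    """Remove the redefinitions but keep harmless sequences (colours etc.)."""
    return KEY_REDEF.sub("", text)


# Constructed sample: a colour code (harmless), the slide's example, and an
# F1 redefinition; 13 is carriage return, so that one runs on the keypress.
SAMPLE = (
    "\x1b[31mHave a nice day\x1b[0m\n"
    '\x1b["d";"del *.*"p\n'
    '\x1b[0;59;"format c:";13p\n'
)

if __name__ == "__main__":
    for key, cmd in find_key_redefinitions(SAMPLE):
        print(f"key {key!r} would type {cmd!r}")
    print(repr(strip_key_redefinitions(SAMPLE)))
```

Run it over anything you are about to TYPE or display on a console with ANSI.SYS loaded; the same idea (strip the escape, keep the text) is how BBS software of the period filtered uploaded text files.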
DEMO
Macro Viruses
Written in VBA, VBScript, etc.
Examples: Word, Excel, PowerPoint.
Commonly use the “auto” macros of Microsoft Office products (AutoExec, AutoOpen, AutoClose and the like), which run without the user choosing to run anything.
Worms
Worms traditionally do not infect files; they spread as stand-alone programs.
Morris Worm (1988, VAX), Melissa, Calib
Some of the latest e-mail based worms have brought some of the fastest e-mail servers to their knees within hours of release.
*Worms are increasingly being combined with viral features. Most of the latest ones can also update themselves.
Graphical Virus Payload Demo
Detecting an Infection
Signs to look for on an infected system:
Decrease in system performance
Unexpected increase in system activity
Large amount of new files
Unexplained decrease in free memory
Unexplained decrease in free drive space*
Virus “features” that tell you there is an infection:
Displays a message
Displays an animated visual effect
Plays a tune*
Adds text to infected files (name of virus or virus author’s alias).
How to throw this garbage away
First, boot from a KNOWN CLEAN source.
MBR virus (in DOS): “fdisk /mbr” rewrites the boot code in the MBR and leaves the partition table alone. Take a sector-level backup first: some MBR viruses (Monkey, for example) encrypt the partition table, and once the virus code that decrypts it is gone the disk becomes unreadable.
File infector: restore the file from its original source, or use a trusted anti-virus program.
Worm: remove the suspect files (search for newly created files).
Trojan: replace the modified files with original clean copies.
Problems When Removing Malicious Code
Automated backups can easily contain an infected copy. (This has become a bigger problem with the automatic System Restore feature of Windows ME and XP.)
You must have a clean boot device (how many removable disks did you use while you were infected?).
Cannot find or distinguish the infected files.
Did not get all infected files removed.
Virus Testing/Debugging
Use a “sandbox” environment (Virtual PC, VMware, Bochs, or any other system emulator).
Create footprint of “clean” system load.
*nix (Tripwire, AIDE, etc)
Windows (Tripwire, Winalysis, Regshot (for registry changes))
*Make sure the system cannot reach the live network before testing.
Run suspect code.
Re-run analysis utilities to note any changes made to system.
If the virus is protected by a packer or an encryption layer, LordPE is a good tool for dumping the unpacked program from RAM back to a file on disk.
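The footprint-then-compare procedure above, as an added example that is not part of the slides and not Tripwire’s or AIDE’s code: a minimal file-integrity snapshot that hashes every file under a directory, and a diff that lists what was added, removed or modified after the suspect code ran. The directory tree and the “infection” are constructed inside a temporary directory so it runs offline.

```python
# Added example (not from the slides): a minimal Tripwire-style footprint.
# Snapshot a tree before running the suspect code, snapshot again after, and
# diff the two. The directory tree and the "infection" are constructed.
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map each regular file (path relative to root) to its SHA-256."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            table[rel] = digest
    return table


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files added, removed, or changed between two snapshots. Hashes, not
    timestamps: file infectors routinely restore the original mtime."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate an infector that
    appends to one binary and drops a new file, and report the difference."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for rel, data in {"bin/login": b"MZ original login", "README": b"docs"}.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        before = snapshot(root)

        # "Run suspect code": appends a payload and drops a companion file.
        with open(os.path.join(root, "bin", "login"), "ab") as fh:
            fh.write(b"<virus body>")
        with open(os.path.join(root, "dropper.exe"), "wb") as fh:
            fh.write(b"MZ dropper")

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner will want: the baseline must be stored outside the sandbox (a resident stealth virus can feed the hashing code the original file contents, so take the “after” snapshot from a clean boot or from the host side), and a real tool also records permissions, owners and inode numbers, which catch a companion or renamed file that a content hash alone does not.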
Debugging Malicious Code
(Requires knowledge of programming and assembly language.)
OllyDbg is a free debugger for Windows for stepping through a program.
gdb on Linux is a good, free debugger for watching each assembly instruction a program runs.
IDA (from DataRescue; not free) is a good disassembler if you want to reverse engineer a program to assembly.
SoftICE (not free) is a good real-time, system-level debugger: you can stop the whole system at will and start examining memory or running processes.
If studying a worm, set up a virtual (or physically separated) network.
Sniff all traffic from the victim PC.
If needed, redirect its DNS queries to another fake computer (what does it send to that computer?).
If it uses IP addresses directly, use a router to redirect the traffic to the desired computer.
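The DNS redirection step above, as an added example that is not part of the slides: a sinkhole resolver for the isolated lab network that answers every A query with the address of your fake host and logs the names the worm asks for. The packet layout is RFC 1035; the sinkhole address 10.0.0.2 and the sample query name are assumptions, and the query builder exists only to construct test input.

```python
# Added example (not from the slides): a DNS sinkhole for the isolated lab
# network. Every A query gets the same answer, the address of the fake host
# you want the worm to talk to, and each name asked for is logged. The
# sinkhole address and the sample query are assumptions; the packet format
# is RFC 1035.
import socket
import struct


def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Construct a standard IN query (used here as sample input)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(packet: bytes):
    """Return (id, name, qtype, qclass, raw question section)."""
    qid = struct.unpack("!H", packet[:2])[0]
    off, labels = 12, []
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return qid, ".".join(labels), qtype, qclass, packet[12:off + 4]


def answer_count(packet: bytes) -> int:
    return struct.unpack("!H", packet[6:8])[0]


def sinkhole_response(packet: bytes, sink_ip: str) -> bytes:
    """Answer any A/IN query with sink_ip; anything else gets an empty answer."""
    qid, _name, qtype, qclass, question = parse_question(packet)
    if qtype != 1 or qclass != 1:
        return struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0) + question
    # Answer: pointer to the name at offset 12, type A, class IN, TTL 60,
    # 4-byte RDATA holding the sinkhole address.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(sink_ip)
    return struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0) + question + answer


def serve(bind: str = "0.0.0.0", port: int = 53, sink_ip: str = "10.0.0.2") -> None:
    """Run the sinkhole (port 53 needs root; point the victim's DNS at it)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            name = parse_question(data)[1]
        except (IndexError, UnicodeDecodeError, struct.error):
            continue                      # malformed packet, ignore it
        print(f"{peer[0]} asked for {name}")
        sock.sendto(sinkhole_response(data, sink_ip), peer)


if __name__ == "__main__":
    serve()
```

The log of names is often the most useful output: it tells you which hosts the worm expects to find (update servers, mail relays, IRC controllers) before you bother faking any of them. Point the victim’s DNS setting at the sinkhole or, as the last bullet says, have the lab router redirect UDP/53 to it so a hard-coded resolver address is caught too.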
Got Questions?