07 - Viruses and Worms

A virus is a self-replicating program that produces its own code by attaching copies of it onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met.

Module Objective

The objective of this lab is to make students learn how to create viruses and worms. In this lab, you will learn how to:

• Create viruses using tools

• Create worms using worm generator tool

Scenario

A computer virus attaches itself to a program or file enabling it to spread from one computer to another, leaving infections as it travels. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect.

A blended threat is a more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one single threat. Blended threats can use server and Internet vulnerabilities to initiate, then transmit and also spread an attack. The attacker would normally serve to transport multiple attacks in one payload. An attacker can launch Dos attack or install a backdoor and maybe even damage a local system or network systems.

Since you are a security expert, the IT director instructs you to test the network for any viruses and worms that damage or steal the organization’s information. You need to construct viruses and worms and try to inject them in a dummy network (virtual machine) and check whether they are detected by antivirus programs or able to bypass the network firewall.

I. Creating a Virus Using the JPS Virus Maker Tool

II. Virus Analysis Using IDA Pro

III. Virus Analysis Using OllyDbg

IV. Scan for Viruses using Kaspersky Antivirus

V. Creating a Worm Using Internet Worm Maker Thing

Module Syllabus

• Introduction to Viruses

• Virus and Worm Statistics 2010

• Stages of Virus Life

• Working on Viruses: Infection Phase

• Working on Viruses: Attack Phase

• Why Do People Create Computer Viruses?

• Indications of Virus Attack

• How does a Computer get Infected by Viruses?

• Virus Hoaxes

• Virus Analysis:

  • W32/Sality AA

  • W32/Toal-A

  • W32/Virut

  • Klez

• Types of Viruses

  • System or Boot Sector Viruses

  • File and Multipartite Viruses

  • Macro Viruses

  • Cluster Viruses

  • Stealth/Tunneling Viruses

  • Encryption Viruses

  • Polymorphic Code

  • Metamorphic Viruses

  • File Overwriting or Cavity Viruses

  • Sparse Infector Viruses

  • Companion/Camouflage Viruses

  • Shell Viruses

  • File Extension Viruses

  • Add-on and Intrusive Viruses

• Transient and Terminate and Stay Resident Viruses

• Writing a Simple Virus Program

  • Terabit Virus Maker

  • JPS Virus Maker

  • DELmE's Batch Virus Maker

• Computer Worms

• How is a Worm Different from a Virus?

• Example of Worm Infection: Conficker Worm

  • What does the Conficker Worm do?

  • How does the Conficker Worm Work?

• Worm Analysis:

  • W32/Netsky

  • W32/Bagle.GE

• Worm Maker: Internet Worm Maker Thing

• What is Sheep Dip Computer?

• Anti-Virus Sensors Systems

• Malware Analysis Procedure

• String Extracting Tool: Bintext

• Compression and Decompression Tool: UPX

• Process Monitoring Tools: Process Monitor

• Log Packet Content Monitoring Tools: NetResident

• Debugging Tool: Ollydbg

• Virus Analysis Tool: IDA Pro

• Online Malware Testing:

  • Sunbelt CWSandbox

  • VirusTotal

• Online Malware Analysis Services

• Virus Detection Methods

• Virus and Worms Countermeasures

• Companion Antivirus: Immunet Protect

• Anti-virus Tools

• Penetration Testing for Virus