
VIRUS IN VISTA


MSc Computer forensics and Information Security

Viruses in Vista

Table of Contents

Acknowledgement
Abstract
1. Introduction
  1.1. Data Protection as well as the Security Improvements
  1.2. Malware in Windows Vista
2. Background on Malware
  2.1. Types of Virus
    2.1.1. Boot sector virus
    2.1.2. Macro viruses
    2.1.3. Parasitic viruses / Infectors file
    2.1.4. Encrypted viruses
    2.1.5. Date Virus
    2.1.6. Stealth virus
    2.1.7. Polymorphic viruses
  2.2. Some malicious programs
    2.2.1. Worms
    2.2.2. Trojan
    2.2.3. Rootkit
3. Methods of attacks
  3.1. Social engineering
    3.1.1. Mass E-mailers
  3.2. Vulnerabilities of software which are exploited
  3.3. Process of Phishing
  3.4. Process of Pharming
4. Anti Virus
  4.1. Pattern matching or Signature detection
  4.2. Emulation
  4.3. Analysis of frequency
  4.4. X-raying
  4.5. Heuristics
5. About Recent malware
  5.1. SpamThru Trojan
  5.2. Trojan Beast
  5.3. Win32.Glieder.AF
  5.4. Winevar
6. First virus for Windows Vista family
7. Some new malware attack exploited Windows
8. Computer worm
  8.1. Examples of Worms
    8.1.1. Email worms
    8.1.2. IM (Instant messaging) worms
  8.2. How to prevent computer worms
9. Practical Implementation
  9.1. Trojan.gozi
    Features of Gozi
    Gozi Installation
    Detection of Gozi
    Removal of Gozi
  9.2. Prorat 1.9
    How it infects the PC?
    How to use Prorat 1.9?
    How to remove Backdoor.prorat?
Lessons what I have learned
Evaluations for malicious softwares
Findings
Recommendations
Conclusion
References
Index

U0925517

ABSTRACT

Viruses play a major role in today's computer world. This paper presents an explanation of malicious programs such as Trojan.Gozi and Backdoor.Prorat which affect systems. It also presents an overview of the Vista features and security features which will have the maximum impact on users. Malware is software which is intended to penetrate a system without permission from the system user. Malware includes computer viruses, worms, dishonest adware, spyware, Trojan horses, rootkits and so on. This guide is designed for all users and for organizations of any size. It provides security guidelines and describes the threats caused by malware and the countermeasures against them. The paper also contains a critical evaluation of the well-known Trojan horses Trojan.Gozi and Backdoor.Prorat.

1. Introduction:

Windows Vista entered the market in the year 2006 and could see rapid business implementation.

In presenting Vista, Microsoft has tended to show some new features such as graphical previews of documents during Alt-Tab switching, the Aero user interface and the Windows Presentation Foundation. It is very hard to find an obvious and scientific link between these productivity features and improvements in security. In the five to six years of development between the XP and Vista operating systems, Microsoft worked hard on major improvements which really matter to businesses [Microsoft, 2006].

Whatever your environment may be, you are advised to take security issues seriously. Many organizations in the world underestimate the importance of information technology. If an attack on the main servers in the environment is severe, it could considerably damage the whole organization's progress. For instance, if malware infects the client computers on the whole network, the organization may lose its most valuable data and face the significant overhead costs of restoring a secure state. Likewise, if your website is unavailable, the consequence could be a major loss of revenue as well as of clients' confidence. Examining security risk, vulnerability and experience informs you of the tradeoffs between functionality and security that all computer systems are subject to in a networked environment. This document considers the main security-related measures which are available in the Windows Vista operating system, the vulnerabilities that the countermeasures help to address, and the potential negative consequences [if any] connected with implementing each countermeasure. Microsoft tried to include major improvements in Vista in the four areas which are important to business: manageability, security, networking, and mobile computers [Preston Gralla, 2006].

1.1. Data Protection as well as the Security Improvements:

In the Vista operating system Microsoft made quite a lot of changes for data protection and security, such as developments to Internet Explorer, the Firewall for Windows, and the addition of the Defender antispyware product. But mainly two security features of Vista stand out: BitLocker Drive Encryption and UAC [User Account Control].

The User Account Control feature reduces the harm a user may unintentionally do to his system. For example, it reduces the impact of malicious software (malware) by making it easier to use Windows without administrator privileges.

BitLocker Drive Encryption, which is useful for laptop computers, allows laptop users to encrypt the entire Windows volume of the computer so that important data stays secure even if the computer is stolen or lost [Bill Detwiler, 2007].

1.2. Malware in Windows Vista:

The majority of today's malicious software is aimed at Windows systems, which leads people who use other operating systems [OS] to believe they are not at risk. This is not the case, though. Malicious programs have been targeting other operating systems since the 1970s; Apple was first attacked in 1982 by the Elk Cloner virus, and it was not until 1986 that MS-DOS compatible malware appeared [John Timmer, 2007].

Malicious programs exist mainly in two forms: some need a host (Trojan horses, viruses, trap doors, logic bombs) and some do not (bacteria, worms) [Chris Imafidon, 2006]. Microsoft Windows gaining a significant market share created ideal conditions for malware to increase. Though non-Windows operating systems may seem a security dreamland, users of other operating systems have to be ready for cybercriminals and malware authors to start targeting them. Viruses attack Vista mainly through Windows updates.

When the user tries to download Windows Vista updates, he is automatically also installing some malicious software. The well-known Symantec anti-virus vendors warn that Windows systems are vulnerable to malware through Windows updates. The well-known security researcher Frank Boldewin said that the Trojan horses which were spammed at the end of March 2007 used new methods to download malware onto computers.

Update of Windows = May be sometimes Update of Malware

Vista Windows = Paradise for Malware

It is strongly suggested that you install an anti-virus scanner. Not all anti-virus scanners will be recognized by Windows Vista, even if they are completely fine and properly functional. If your anti-virus scanner is installed properly, it will be recognized by Windows Vista and the Malware Protection line will automatically turn green. Most anti-virus programs require a reboot after installation [Malwarekilla, June 2010].

2. Background on Malware:
The term malware is the short form of malicious software.

Malicious software infects a system without the owner's knowledge. Viruses, Trojan horses, spyware, rootkits, worms and so on all come under malicious software. Malicious software infects systems and then travels via networks to infect all the remaining systems. The Internet helps to increase the attack until the infection has spread to systems in remote places [T. M. Chen, 2003]. Malware attacks are not a recent thing; they have been around for a long time. In the early stages, malware was created for disruption. Viruses in the early days attempted to remove files and erase hard drives. Nowadays they are designed to steal secret data such as passwords, PINs [Personal Identification Numbers], credit card numbers and social security numbers, which provide a kind of monetary profit for the malware writers. Nowadays the malware creators have changed the way they create malicious code. Malware is considered dangerous in today's world because the damage it causes affects important company data and confidential government data. Malicious software includes viruses, rootkits and password recorders. Nowadays programmers write these programs using software available on the internet [T. M. Chen, 2003].

Figure 2.1 Types of malicious programs

2.1. Types of Viruses:

Computer worms or viruses are programs which are intended to cause disruption by removing data, corrupting data and spreading infection all over the internet. In 1988 the 1st Internet worm was created. The 1st Internet worm was created to calculate the size of the internet. But later the systems which were infected by the worm ran slowly compared to how they had run before [E. H. Spafford, 1989]. A virus is code which infects other programs by changing their code and causes damage [Chris Imafidon, 2006].

In 1990, it was estimated that 500 viruses were present on the internet, whereas in the year 1996 there were more than 10000 viruses on the internet. In the year 2002 this increased to more than 60,000 viruses on the internet, some of which are most dangerous [J. Munro, 2002]. At present there are more than 103,000 viruses on the internet [DaBoss, 2009]. Moreover, viruses have the capability to infect other program code. If the user of the system tries to use the virus program, it will immediately infect the whole system, take control of the system and damage it very badly. A system virus is a type of program code which is able to change a program or tries to affect a program [Dr. Chris Imafidon, 2006].

But these types of virus are easy to detect and easy to remove from the system. Nowadays, however, worms and viruses have become more dangerous than the previous viruses and worms. Some types of viruses are as follows [C. Nachenberg, 1997].

2.1.1. Boot sector virus: About 5 percent of the viruses on the internet are boot viruses [J. O. Kephart, 1997]. This type of virus infects the Master Boot Record [MBR] of a system. The master boot record is a program which stays on the 1st sector of the hard disk and boots the system without the involvement of the system user. For this reason boot viruses are more dangerous than the other types of viruses. When it penetrates the system, the boot virus stays in the memory of the hard disk and it can infect any layer of the system. These boot viruses are very dangerous and they are not easy to erase from the system. Only good antivirus software can delete this type of virus. Boot Crazy and AntiEXE are examples of this virus.

2.1.2. Macro viruses: A macro virus infects applications such as Microsoft Excel and Microsoft Word. The 1st macro virus was created for Microsoft Word 95 [Crispin Cowan CTO, WireX Communications, and Inc. top].

2.1.3. Parasitic viruses / Infectors file: If files containing some content are infected with these viruses, the content of the file will be unchanged [Richard Barnhart, 1996]. The virus penetrates the memory of the system when the system user runs the infected files. Then the virus spreads into other applications and destroys the system.

2.1.4. Encrypted viruses: These encrypted viruses contain a decryption engine as well as an encryption key [D. J. Sanok, 2005]. These viruses are created to hide from virus scanning methods. This method is used in the Cascade virus.

2.1.5. Date virus: These date viruses stay in the system and affect the system at a particular time or date [C. Nachenberg, 1996]. A virus or worm can gain momentum on the system by using this method. Century and Sunday are examples of this type of virus.

2.1.6. Stealth virus: These stealth viruses live in the hooking system. This virus tries to suspend system calls, which can be detected in DOS command prompt mode. A worm named Lion installs a rootkit and then sets more than a few hooks to evade the antivirus scanner [Akshaya Bhatia, 2008].

2.1.7. Polymorphic viruses: Like an encrypted virus, this virus contains a decryption engine as well as an encryption key. It also contains an engine which is able to change and create new encrypted viruses for infecting the system. When the user of the system executes the infected program, the decryption engine executes the virus and infects the memory of the system. Then the polymorphic virus generates a new encrypted virus and decryptor for the sake of the next infection. These viruses encrypt a copy of themselves into a new file by using the encryption engine. The virus 1260 was the 1st well-known polymorphic virus, created in the USA by Mark Washburn in 1990 [P. Szor, 2005].

2.2. Some malicious programs:

2.2.1. Worms: Worms attack networking connections but they do not infect the files on the system as viruses do. These worms use the networking connection to enter the network and after that they cause heavy damage [Bob Page, 1988]. Compared to viruses, worms can spread autonomously without the acceptance of the user [Chris Imafidon, 2006].

2.2.2. Trojans: A Trojan is a virus which is embedded in genuine software and so enters the system. There are different types of Trojans present on the internet, and the functionality of each Trojan is different. A Trojan virus looks like genuine software to the user but it creates a dangerous threat to the system [Joseph Lo aka Jolo, 2006]. The Trojan virus uses the existing viruses in the system and creates more damage by using them. Trojans mainly do one of two things: they either cause direct damage, or they perform a useful function but copy damaging instructions into other exe files [Chris Imafidon, 2006].

2.2.3. Root kit: The main aim of a rootkit virus is to offer more control to the hackers [P. Szor, 2005]. Nowadays most hackers use the rootkit method to enter the system while avoiding the antivirus scanner. The most dangerous rootkit on the internet is the Sony rootkit. This rootkit uses the string $sys$.

3. Methods of Attacks:
Malware uses many methods to attack a system. Important methods of attack are:

3.1. Social engineering: This method attacks the system through a messenger or e-mail, and with it the hackers can bluff the user and make him perform unwanted actions [Hacker Tactics, 2001]. The virus is transferred through an e-mail in the form of an image or an executable file. In many situations, viruses reach their destination through mails from attackers disguised as a picture or an .EXE file; after the user clicks on it, it installs a Trojan on the system. Another worm, Happy99, arrived on the computer through mail which held the file Happy99.exe. When the user clicks on it, it displays fireworks and then the .EXE file installs itself on the PC [Cert incident, 2002].

3.1.1. Mass E-mailers: These carry unusual content such as viruses, which can get onto the machine via e-mail. Once the attachment is started by the user, the Trojan is activated in the background and gains access to the system. It then finds the user's address book and automatically sends itself to everyone in the list. Generally all mass mailers use social engineering techniques and some trickery which leads the user to open the file. Familiar examples are Love Letter and Explore Zip. Almost 90% of viruses in 2002 were of this type [T. M. Chen, 2003].

3.2. Vulnerabilities of software which are Exploited: Computer and OS software contains several vulnerabilities and bugs which are exploited to take control of a computer. The term exploit refers to a small piece of code that takes advantage of a flaw in software. Exploits are widely reused in Trojans as well as viruses before the developers correct the vulnerabilities with a patch. Several exploits are designed to give root access on a system [Jeremy Kirk, Published: 2010]. This can be done with a single exploit or through multiple exploits, each providing a level of privilege escalation to the attacker. An exploit takes advantage of a particular vulnerability in software.

Exploits are classified by the vulnerability they exploit. Some exploits are:

1. Buffer overflow
2. Heap overflow
3. Integer overflow
4. Code injection
5. SQL injection
6. Cross-site scripting

It is difficult to eliminate software vulnerabilities because it is hard to foresee everything that can go wrong with even a small piece of code. Developers can be trained to code in a style which makes exploitation difficult, so that exploits are reduced. This whole process is known as safe coding.

3.3. Process of Phishing: Phishing is the theft of users' data by means of social engineering techniques. It is generally performed in the name of entities which are highly trusted. Most often it is done through e-mail, which points the end user to websites that appear to be replicas of those of the trusted entities.

3.4. Process of Pharming: Pharming is a type of attack which redirects traffic to a fake website. It may be carried out by modifying the hosts file on a system or by tampering with other particulars. Servers which have been compromised in this way are said to be poisoned. Pharming is used for the theft of confidential data. Defending against pharming is a much tougher job. No antivirus can defend against this threat. Security tools such as secure coding and the OS help to eliminate software vulnerabilities. Both have proved to be failures, since the OS consists of millions of lines of code, and moreover most such measures are ineffective in practice. The code is huge, and in the end it all has to reside in a single kernel file which is bug free. It is practically impossible to write code without bugs [R. Basili and Barry T. Perricone, 1984]. The infection problem is more complex still, as hackers depend on human errors in order to compromise the computer. It is therefore clear from the above that preventing infection is almost impossible, because preventing errors caused by the user is also very complex. Hence security software depends on detection rather than prevention.
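
The hosts-file modification described in section 3.4 leaves a trace that can be checked for. The following is an added example, not code from the original paper: it parses hosts-file text and flags entries that override a watched domain or pin any name to a non-local address. The watch list and the sample file contents are constructed for illustration.

```python
import ipaddress

# Hypothetical watch list: names that should always be resolved through DNS
# and never be overridden locally (constructed for this example).
WATCHED_DOMAINS = {"bank.example", "login.example.com"}

# Constructed sample of a tampered hosts file (on Windows the real file is
# %SystemRoot%\System32\drivers\etc\hosts).
SAMPLE_HOSTS = """\
# Constructed sample, not taken from the paper
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.bank.example     # redirect to a fake site
0.0.0.0         ads.tracker.example
198.51.100.20   intranet.corp.example
"""


def parse_hosts(text):
    """Yield (line_number, ip, [hostnames]) for every valid hosts entry."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank or malformed line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address
        yield number, ip, [h.lower().rstrip(".") for h in fields[1:]]


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (line_number, hostname, ip, reason) for entries worth reviewing."""
    findings = []
    for number, ip, names in parse_hosts(text):
        for name in names:
            is_watched = name in watched or any(
                name.endswith("." + domain) for domain in watched
            )
            if is_watched:
                # Any local override of a watched name is suspect,
                # even one that points at the loopback address.
                findings.append(
                    (number, name, str(ip), "watched domain overridden in hosts file")
                )
            elif not (ip.is_loopback or ip.is_unspecified):
                # Loopback and 0.0.0.0 entries are typical block lists;
                # anything else silently redirects traffic.
                findings.append(
                    (number, name, str(ip), "name pinned to a non-local address")
                )
    return findings


if __name__ == "__main__":
    for number, name, ip, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {number}: {name} -> {ip} ({reason})")
```

Entries of the second kind can be legitimate (for example an administrator's intranet mapping), so they are findings to review against a known-good copy of the file rather than proof of compromise.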

4. Anti Virus
Anti-virus software has been present since computer viruses appeared in the 1980s. This software generally scans and monitors the computer at particular times, or else constantly, for any malicious bodies. Day by day antivirus software has grown up alongside malicious entities such as viruses. The methods used by antivirus software are given below:

4.1. Pattern matching or Signature detection: Signature recognition protects a system against malicious entities by means of files which contain code patterns for detecting the viruses. Initially these programs searched through the executable files to locate the presence of virus code. Developers then came to know that most virus infections place their code at the entry point of the program, so the scanner always begins its check from the entry point of the data or program concerned. This process fails whenever polymorphic or encrypted viruses are involved [Daniel Newman, Kristina M. Manalo, Ed Tittel Jun 18, 2004].

4.2. Emulation: This technique evolved in order to defend against polymorphic viruses. It involves a separate, emulated processor into which executable files are loaded for this purpose. The virus program therefore cannot know that it is running in an emulated environment. This gives the antivirus program room to monitor the activities of the virus body in an enclosed environment, thereby preventing damage to the user's PC.

4.3. Frequency analysis: This is not a stand-alone method. The process analyses the presence or absence of specified types of opcode. It is recognized that most legitimate programs use the DOS interrupt 21h in their code. This interrupt is seen in malware too.

4.4. X-Raying: Since malicious viruses arrive encrypted, the antivirus program resorts to brute-force decryption of the code. This is possible because it amounts to a known-plaintext attack on the encrypted code. Virus developers may use algorithms with random encryption, which are very easy to crack. This analysis process is known as X-raying [I. Muttik, 2000].
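
An added example (not code from the original paper) covering sections 4.1 and 4.4: a plain signature search finds only the unencrypted copy, while an X-ray search uses the signature as known plaintext to find copies encrypted with an unknown key. It assumes single-byte XOR or ADD encryption; the signature, keys and buffer are constructed test data.

```python
# Constructed, harmless marker that stands in for a virus signature.
SIGNATURE = b"CONSTRUCTED-TEST-MARKER"


def xray_scan(data: bytes, signature: bytes):
    """Find `signature` in `data` in the clear or under single-byte XOR/ADD.

    Returns a sorted list of (offset, cipher, key); cipher is "plain" when the
    recovered key is 0.

    X-ray idea: for c[i] = p[i] ^ k the value c[i] ^ c[i+1] equals
    p[i] ^ p[i+1], and for c[i] = (p[i] + k) % 256 the difference
    c[i+1] - c[i] equals p[i+1] - p[i]. Comparing these key-independent
    "delta" streams finds the encrypted signature without trying all keys,
    and the key then follows from one known plaintext byte.
    """
    if len(signature) < 2:
        raise ValueError("signature must be at least 2 bytes long")

    ciphers = (
        # name, delta of neighbouring bytes, key recovery from (cipher, plain)
        ("xor", lambda a, b: a ^ b, lambda c, p: c ^ p),
        ("add", lambda a, b: (b - a) & 0xFF, lambda c, p: (c - p) & 0xFF),
    )
    hits = set()
    for name, delta, recover_key in ciphers:
        sig_delta = bytes(delta(a, b) for a, b in zip(signature, signature[1:]))
        data_delta = bytes(delta(a, b) for a, b in zip(data, data[1:]))
        pos = data_delta.find(sig_delta)
        while pos != -1:
            key = recover_key(data[pos], signature[0])
            hits.add((pos, name if key else "plain", key))
            pos = data_delta.find(sig_delta, pos + 1)
    return sorted(hits)


def _xor(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)


def _add(buf: bytes, key: int) -> bytes:
    return bytes((b + key) & 0xFF for b in buf)


# Constructed buffer: three copies of the marker separated by zero padding,
# one XOR-encrypted, one ADD-encrypted and one in the clear.
PAD = b"\x00" * 16
BUFFER = (
    PAD + _xor(SIGNATURE, 0x5A)
    + PAD + _add(SIGNATURE, 0x11)
    + PAD + SIGNATURE
    + PAD
)

if __name__ == "__main__":
    print("plain signature search:", BUFFER.find(SIGNATURE))
    for offset, cipher, key in xray_scan(BUFFER, SIGNATURE):
        print(f"x-ray hit at offset {offset}: {cipher}, key 0x{key:02X}")
```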

4.5. Heuristics: The developers of these types of viruses are implementing new methods, and they do not execute the virus at the time of the file execution. They are following new techniques or methods to spread viruses all over the internet. These viruses try to change their techniques to evade the scanning of the antivirus software. If it is performed to the file access and page errors [Daniel Newman, 2004].

5. About Recent malware:

In recent malware the developers are trying to implement new methods of coding to escape powerful anti-virus software. Because of this, new malicious programs have the capacity to disable antivirus software and other types of security software. The rise of this type of malicious software shows us how well the antivirus software is working.

Some types of Trojans are as follows:

5.1. SpamThru Trojan: This Trojan [Ryan Naraine, 2006] shows the various faults in system security which make it poor at protecting against viruses. These spam Trojans enter the system or computer through social networking sites or by means of patched files. Trojans of this type try to disable the security measures of the system by blocking the antivirus software. Afterwards these spam Trojans create another copy of the Kaspersky Anti-Virus software on the system. These viruses create a duplicate file on the hard disk of the system. Once they have infected a system, the viruses change all types of settings; for example, they stop the antivirus notification shown when the antivirus license has expired. After infecting the antivirus software, Trojans of this type try to find other types of malicious software and clear them, so that no virus other than this one exists on the system. These Trojans also try to hack the IP addresses of the systems which were infected. Most of these Trojans have the capacity to evade the scanner of the antivirus system.

5.2. Trojan Beast: Trojan Beast is a type of Trojan horse which behaves like a remote administration tool. The first Trojan Beast was discovered in the year 2002. These were the first Trojans to establish a reverse connection to the server. Because of this there is no requirement for the IP address of the user; the Trojan connects directly to the server. Explorer.exe was the file infected by these Trojans. The virus also injects a DLL file into winlogon.exe; this was considered a method in Windows 2000 and Vista. We can see the gaps in current system security from the penetration of these viruses. When the computer gets infected, the virus restricts the antivirus as well as the Windows Vista firewall, and it automatically takes control of the computer [Dshield, published: Fri, 17 Oct 2003].

5.3. Win32.Glieder.AF: This is a type of Trojan worm which downloads files and executes the infected files. Trojans of this type spam the user's system by using another Trojan horse called Win32.Bagle.BG. This type of Trojan arrives by means of e-mail or as a zip attachment [Win32. Glieder. AF, 2005]. When executed, these files create a new copy of themselves, which will exist in %System% as winshost.exe. It will then create an add-on and a boot-type registry entry like:

After completing this process it will try to stop security software such as firewalls and antivirus.

5.4. Winevar: This is a file with a size of 90 KB. When these files are executed they go by a file name such as WINxxxx. Winevar also creates a directory as follows.

These worms try to scan the content of the system's hard disk, and after completing the scan they try to locate files by the same name and immediately remove all the files which were present in the particular folder. Among these there are viruses like Fizzer, Bugbear and Klez, which try to stop the antivirus software present on the system. This method is also called Armoring [T. M. Chen, 2003].

Antivirus software is created to scan for viruses on the system and remove them, and when a new virus is found on the internet the vendor releases a new antivirus version so that the new virus can be removed from the system. But if viruses of this type remove the antivirus software, there is no protection for the system from viruses at all. So the antivirus software companies have had to make software which can protect itself from these types of viruses. Most of the time virus programmers also face problems in hiding their viruses from antivirus software, so they use different methods or techniques to solve this problem. Antivirus software constantly faces many problems in detecting and removing viruses on a PC. Nowadays all antivirus software companies update their software with patches as soon as possible, to protect the system as well as to protect their company's name in the present market. Many virus programmers do not want to reveal details such as the type of the virus. At present there is no antivirus software on the market which gives a 100 percent assurance. It is not possible to detect and delete a virus as soon as it is created [T. M. Chen, 2003].

6. First virus for Windows Vista family

A new virus has been invented which has become the first virus for Vista. The virus recently published by the hacker is written for the DOS-like command shell named Monad, which is part of the upgraded versions of the Windows OS. It was published in material from the underground hacking group named Ready Ranger Liberation Front. The viruses take advantage of the shell interface, which raises greater security concerns than other interfaces. A GUI uses the mouse for navigation, whereas the shell lets the user carry out commands in text mode, which can make it more powerful than the usual interface of Windows-based operating systems. The author, named Second Part to Hell, is Austrian-based, and the virus material targets Monad, which was published by Microsoft. This was confirmed by Mikko Hypponen, Director of Research at F-Secure Corporation. F-Secure gave the virus family the name Danom, which is the reversal of the name Monad published by Microsoft. According to Hypponen, Danom is a cause for caution but at the same time does no harm to Microsoft users of that operating system; it serves in turn as a proof of the virus. According to Hypponen, one would not expect to see viruses for the new Microsoft operating system so fast. The publication of Danom raised some issues, such as whether Monad should be included with the Microsoft Windows Vista operating system at all, since Monad will be used only by users who are well experienced. Hypponen raised the question of whether such software should be part of the standard default package of the Microsoft operating system. Microsoft Corporation was burned by similar software, Microsoft Windows Script, in the Windows 2000 system, which virus writers were exploiting, he said.

7. Some new malware attack exploited Windows:

According to security vendors, the vulnerability recently published by Microsoft has been picked up by malware writers and is being spread across various operating systems. The security vendors have found two new pieces of malware that have appeared for the operating systems of Microsoft Corporation. The files involved are those which provide shortcuts to other files on the system. Stuxnet was the first to be uncovered; it was very sophisticated in the targets set for it, namely SCADA (control and data acquisition) systems from the multinational Siemens. The latest malware to be discovered is less sophisticated than Stuxnet and relies on techniques developed by others. This was reported in a blog by Pierre Marc Bureau of Eset. One of the newly found samples is used to install a keystroke logger, which in turn is used to steal passwords or other data typed on a specific system. The server which delivers the components for the attacks is presently located in the USA, but its IP address is assigned to a customer in China, according to Bureau. Each such virus attack puts pressure on Microsoft to patch the weak portion of the software. The next round of patches is due on Aug 10; if the number of customers attacked with this virus reaches a certain level, the company will be forced to issue an emergency patch [Robert MacMilan, 2010]. Microsoft is presently working on the concern which has been raised so as to solve the issue with a patch. Randy Abrams said that Stuxnet represents a very small ratio compared to earlier malware, i.e. 0.01% of the malware observed on the internet. This can change, however. The technique could even become the most common option for attackers, and it is expected to reach hundreds or thousands of malware samples linked to the vulnerability.

8. Computer worms:
Worms are malicious programs which are specially written and designed to attack systems through networks. A worm is a type of malicious software, a category which also includes viruses and Trojans. People frequently install worms accidentally by opening a message or an attachment that holds the executable code. Once a worm is installed on a system, it spontaneously generates e-mail containing additional copies of the worm. Worms can easily penetrate network security, and a proper antivirus will try to stop the infection on the system [By Bradley Mitchell, About.com Guide].

Robert Tappan Morris in the year 1988 discovered the internet worm. Worms usually penetrate through emails and spread across the internet very quickly. In 1999 the worm named Melissa was discovered, which spread by means of e-mail. This worm has the features of a Trojan and spreads by means of the internet or emails. [Denning. P, 1989].

8.1. Examples of Worms:

8.1.1. Email Worms: These worms spread by means of emails or email attachments. The attachment contains links to unsecured websites. When the user opens the infected email, the virus enters the system and spreads through it as quickly as possible. The virus first infects the system when the email is opened; in the second step, when the link is opened, the computer is automatically infected. [Mary Landesman]. The well-known means of transmission are as follows:
Microsoft Outlook services
Windows MAPI functions

8.1.2. IM (Instant Messaging) Worms: This type of worm penetrates the system by means of messengers, including instant messengers. These worms also penetrate through other websites and infect those websites with viruses. [Andy Sudduth of Harvard, 1988].

8.2. How to prevent computer worms:

To help prevent infections and to get rid of worms:
Use a firewall.
Update the operating system and the software you use. [Use Windows Update to automatically update all Microsoft products.]
Use antivirus and antispyware software, such as Microsoft Security Essentials, a free download from Microsoft.
Take care with files attached to e-mail and with links to websites.
Use a standard user account instead of an administrator account [By Mary Landesman, About.com Guide].

9. Practical Implementation
9.1. Trojan.Gozi:
Name : Trojan.Gozi
Threat Level : High
Type : TT_Trojan
Alias : Gozi Trojan
Identified : Jan 2007 (20-03-2007 final identification)

Gozi is a famous Trojan which had been spreading before 17 April 2007; the new variant of this Trojan steals Secure Sockets Layer (SSL) data. [Brain Prince, 2007]. It affected around 5200 hosts and ten thousand accounts. The cost of the stolen data is around $2 million. [John Bambenek, 2007] The stolen data amounts to 3.3 GB [Don Jackson, 2007]. Gozi is connected with Russian heritage, which is helpful for cyber criminals. The previous version of Gozi dates from 2007. The latest version has many features, which are listed below. [Andreas Baumhof, 2010]. The systems affected by this Trojan are Win 95, Win 98, Win NT, Win Me, Win 2000, Vista, and Win 7.

Features of Gozi:
It has advanced Winsock2 functionality, which is used to steal SSL data.
Its Trojan code is modularized.
It can spread through Internet Explorer.
It has a personalized server to extract and store the sensitive data.
It has a customer interface for buying the stolen data online.
The value of the data is around $2 million US.
Gozi stores itself on the system and hides; after that it starts its tasks, such as stealing personal and sensitive data. [Andreas Baumhof, 2010]

Gozi Installation:

Most Gozi infections reach the system as drive-by infections, for example through malicious PDF files or through exploit kits (like Justexploit).

Malicious PDF files:

As seen earlier, most Gozi infections are delivered through malicious PDF files. The PDF with MD5 b72163b1d5fbc0f2e88e984bf0ac601e exploits the buffer overflow in Adobe Acrobat Reader (CVE-2007-5659). The aim of this PDF is to download the original Gozi, known as update.exe, with MD5 cd4d37ea17007cbdfa0d9cc96b5fc1dc. This type of distribution accounts for around 65%.

[Andreas Baumhof, 2010]

Justexploit kit:

Justexploit kits account for 27%. A common feature of exploit kits is that they are used for geographic distribution, so only the bad people are infected, due to accessing the infected regions. These are mostly installed in the US, UK, Australia and Germany. [Andreas Baumhof, 2010]

STEP1: Identification
A file named xx_ymvb is stored in C:\Documents and Settings\<username>, which is the directory pointed to by the %USERPROFILE% variable. [Don Jackson, 2007]. At the time of scanning, more than 30 well-known antivirus products did not detect which particular malware it was. Some of those that use heuristics identified it as a generic threat or a suspicious file. [Don Jackson, 2007]

Figure 9.1.1: Identification of Gozi

During a forensic examination of a PC infected by this Trojan, data recovered from the deleted Internet Explorer cache showed that the PC user had accessed the web site alchemylab.com; the code found is shown in the following figure. [Don Jackson, 2007]

Figure 9.1.2 Internet cache code from the infected system

It writes the code below to that web page:

Figure 9.1.3 Code written in one frame on the web page

STEP2:

One more IFRAME is available on the page:

Figure 9.1.4 Code written in another frame on the web page

JavaScript code using ActiveX Data Objects (ADODB) and XMLHTTP functions, which are used to download and run the .EXE file, is present in the last frame of the web page; these are hosted on the same server. [Jamie Crapanzano, 2003]

Earlier, for the purpose of analyzing the behavior, a tool was set up with which a copy of the executable file was obtained and then run in a VMware virtual machine running Windows XP. Files, system hardware, system software and disks were monitored with tools from Microsoft. Ethereal, now known as Wireshark, captured the packets on the network interface of the VM. The exploit delivered the malware through a temporary directory, which is where the malware was executed. All of this happened soon after the sandbox came into the picture. After the DLLs have finished loading, the file is transferred from the source directory to its destination. The file is given a name picked from various names. Registry entries are made for the file saved in the directory, track the changes made to it, and see that it starts running soon after the system starts. [B. Schneier, 1999]

Figure 9.1.5 Registry values

Figure 9.1.6 Gozi Registry entries

The key value is the same for all of them but varies from one user's personal computer to another, i.e. in the value allotted to the different keys. For example, if the key yy_name is allotted some value x, then the key yy_address will have the same value as yy_name. The same holds for the other key, whose value is the same; the only thing that varies is its size, which is large, with compressed text in it. Windows tools are used to view the data stored in the files and the registry entries present in the folder. Regedit does not disclose the entries made there, and the file is likewise not displayed in the profile. Tools that monitor for deleted files in that folder found nothing. The Windows malware in the folder keeps its data highly secured and safe from leaking out, which is why many think that it supports rootkit functionality. The file and the registry entries, such as the Run entry, become visible to everyone when the executable file is prevented from loading by restarting the system in safe mode. The program then connected over HTTP, on port 80/tcp, to the server from which the file had been executed, and the connection started and completed successfully. Wireshark, as discussed above, captured that traffic [Don Jackson, 2007].

STEP3:
Sending a request to a CGI program on the server is the initial step.

Figure 9.1.7 POST request of Gozi to certs.cgi

The data format used in sending the request is MIME. It includes a header declaring the content type as binary, which is a different matter altogether. According to the statistical analysis, this was shown to be the certificates issued to the clients, together with information copied from the Microsoft storage area where that data is kept.

Figure 9.1.8 Data posted to certs.cgi

STEP4:

The second step is an HTTP request to get a .cgi file on the same server.

Figure 9.1.9 HTTP GET request to options.cgi

The value of one key may match the value generated for another key, while the value of a third key may match a value that was generated statically. This is possible because the values held in the registry entries are the same as the parameter values. [Don Jackson, 2007]

Figure 9.1.10 HTTP GET request to options.cgi

The data delivered from the server is binary; once the OK response is received, the data looks similar to that in the registry key.

Figure 9.1.11 HTTP 200 response with options data

The data is written to a file named xx_tempopt.bin in the %USERPROFILE% directory. It is then saved in the key, overwriting the existing registry value. In that case the registry value occupies more space than it previously did, i.e. 3799 bytes are allocated.

It was also shown that the data posted in all forms over HTTP, and a duplicate of the content sent over HTTP, is automatically passed on, with the requests, to the server located at a particular place over HTTP. This was established after the packets were captured and examined. Among the things that can easily be seen in the Wireshark capture of the malware are the secret codes, i.e. the PIN code of an ATM card, as well as the SSN and e-mail addresses. [Jamie Crapanzano, 2003]

Figure 9.1.12 SSL/TLS Stolen Data

The malware seeks out secret codes, such as the PINs of various users, and sends the data from the source to the destination after the request has been made. The process repeats in a circular fashion. The virtual machine restarts after some time. Restarting can also lead to loss of data, since when the system is restarted during the execution of the file, the data can become known to many users. [Don Jackson, 2007]

STEP5: Static Analysis

The import table is built only after Upack has run; Upack mixes up the files and can even mangle the header. Any compressed structures are rebuilt in memory, and this is where Upack comes into the picture, i.e. Upack handles the files in the directory during decompression. The Upack code executes only when the PE headers are available in the directory where the execution happens. Execution of the malware in the virtual machine has to be interrupted and debugged. This is preferably done in OllyDbg, because of a very useful plug-in written by Joe Stewart, who works as a Senior Security Researcher at SecureWorks. As mentioned above regarding OllyDbg, a test was performed on a system with the following specification: Windows XP Professional SP2, a 750 MHz Pentium III microprocessor and 512 MB of RAM. The OllyBonE plug-in and the malware were used on the PC as per Joe's directions. A problem arose as soon as the malware was loaded into OllyDbg. [Jamie Crapanzano, 2003]

Figure 9.1.12 OllyDbg Error at the time of Upack-ed EXE loading

Execution stays paused after ending in an error in ntdll.dll code, which is ignored. For the executable to work, Upack must at some point return to the header, which is used, through the menu, to reach the break point. [Don Jackson, 2007]

Figure 9.1.13 Set BonE

Once it is set, the program keeps running until execution reaches it. Execution then continues from the code in the PE header by repeatedly pressing Ctrl+F9. Removing the break-on-execute through the context menu and turning back to the memory map, which points to the destination, makes debugging possible at that memory location.

Figure 9.1.14 Finding GetProcAddress()

For the execution to complete successfully, the following controls are used: F2 sets a breakpoint, and F9 runs the program until the breakpoint is hit. The calls to GetProcAddress have to be followed closely for the execution of the code to complete successfully. To run the program until the function returns, press Ctrl+F9, and then press F7 to single-step the RETN instruction. This itself is a table, known as the import table, which follows the concept of a loop. [B. Schneier, 1999]

Figure 9.1.15 Importing loops at the end time

To dump the memory to disk, i.e. the data as an executable file, the virtual machine is linked with the PE_Stub utilities. The import table can then be examined, except that the unpacked file cannot be executed, so there is no chance for the debugger to come into action.

STEP6:
A single step down from here simply reaches the OEP. OEP stands for Original Entry Point. The code from this point is no longer in a compressed state, and the general memory map remains usable, that is, through the main function of the malware. So at present all of the malware's secrets are revealed. No further anti-analysis tricks show up.

Figure 9.1.16 Registry keys and files to restart the system

The Trojan uses virtual memory to inject its code into the processes that are running. This is the mechanism used for the registry keys and files that let it survive a reboot, and it is what is described as rootkit-like. Further code accesses Windows Protected Storage and exports the certificate stores in PFX format. This is the data that is sent to the certs.cgi program on the server. Further down in this code are the networking DLL functions required for building and sending the actual request that implements the POST. [Carnegie Mellon University (1999)]

Figure 9.1.17 Code that sends stolen data to the "mothership"

Going through the code, we are able to confirm what was noticed during the behavioral analysis. Knowing the Windows functions needed to perform common tasks is a great help here. Experience of analysis is the key.

The code that handles the OPTIONS data is of particular interest. This data, whether embedded in the code or fetched from the mothership, is encrypted very weakly. Once we are able to locate the decryption loop, we can see how the OPTIONS are put together. This lets us infer from the evidence the remaining capabilities of the malware, residing in code that may never have been reached during the analysis up to that point.

Figure 9.1.18 Decrypted data with Internet Protocol address.

STEP7:

Further examination of the OPTIONS data decrypted in memory shows that it consists of:

The URLs and IP address required for uploading the stolen data
The identifiers needed to distinguish certain HTML forms from the remaining kinds of web pages
A specific IP address required for registering the infection and for downloading options
Detailed options describing the formatting of the stolen data [D. Wagner, 1996]

In addition to the original Trojan, two different variants of the client-side executable are available. These do not seem to have been used for further attacks. They look like releases staged for later, in order to get ahead of anti-virus detection lead times.

Figure 9.1.19 Home page of Gozi

Since no particular IP address is recorded within the HTTP requests, the stolen data is stored as flat files indexed by infection ID, i.e. the value sent via the user id parameter. Several infection IDs from the same IP address could indicate:

The IP address is a NAT address (the hosts lie on the same corporate or home network)
A machine was infected, cleaned and then re-infected, or the IP address was assigned by DHCP to serve a separate machine that is also infected
A collision in the generated ID, i.e. two separate hosts independently carry the same ID number [Carnegie Mellon University, 1999]

A Trojan parameter can be added for the purpose of test runs, and a version_id for the purpose of production runs in the wild. The same variant of Gozi is used for both. The server interface works on the ID, the IP, the version of the Trojan, URLs ("signin.hackmebank.com") or post data ("password=").

The front end consists of graphics that can be skinned for a given installation. "76service" is the default logo, which is allotted to a group or an individual.

Figure 9.1.20 Default values on the server

The front end lets the customer select the delivery option. One option is a compressed document. Here the file name could not be found, but the file folder could be located; only one of the two could be found. The compressed file contained 3.3 GB of stolen personal data from more than 5200 systems. Here the customer account was credited with bogus funds and the value was set to 1. [Don Jackson, 2007]

STEP8:
Managing low prices and customer logins on a server that can handle stolen data are key points of an increasing trend for malicious software in the underground economy. Here malicious software is sold as a centralized database on a centralized server with customized features. These many features are provided with a view to the countermeasures that have been developed.

Figure 9.1.21 Searching for sources

For example, posing as a computer criminal looking for data in the UK, Jackson posted many messages in forums and Internet Relay Chat channels, because phishing and stolen data are commonly available there.

There he got instructions on how to join a particular IRC channel on a particular day. There were no other persons except he and me on that channel. Jackson used a fake name to contact him, and he said that he would provide a kit named Snatch. The price of the kit is $2000 for new people, and $1000 for persons he knew. But he provided only a preview account. Customers who do not know the Russian language are advised to translate the site with AltaVista's Babelfish, free of cost.

Figure 9.1.22 The Snatch kit advertised by him

The home page of 76SERVICE is shown below.

Figure 9.1.23 Previous Manager.cgi skin of 76SERVICE

They present this as adding new features to the kit. The previous version uses manager.cgi for access, whereas the latest version uses serv.cgi.

Figure 9.1.24 Newer Serv.cgi or Serv2.cgi skin of 76SERVICE

The 76SERVICE trial server was at one time located at an ISP in Atlanta, Georgia; later the server moved to Midwest America (Oklahoma, Texas), whereas the server's Internet Protocol address is allocated to a Tampa company. They keep moving all the time.

Detection of Gozi:
We can identify the presence of Trojan.Gozi by checking for the registry values shown in the figure below.

Figure 9.1.25 Dlls of Gozi
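Alongside the registry check, the file indicators quoted in this chapter (the two MD5 values and the two file names reported under %USERPROFILE%) can be swept for on disk. The following is an added example, not code from the thesis or its sources; the function names are hypothetical.

```python
import hashlib
import os
import sys

# Indicators quoted in this chapter. The MD5s come from the "Malicious PDF
# files" paragraph; the file names are the ones reported in %USERPROFILE%.
GOZI_MD5 = {
    "b72163b1d5fbc0f2e88e984bf0ac601e": "exploit PDF (CVE-2007-5659)",
    "cd4d37ea17007cbdfa0d9cc96b5fc1dc": "update.exe downloaded by the PDF",
}
GOZI_NAMES = {"xx_ymvb", "xx_tempopt.bin"}


def md5_of(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, md5_iocs=None, name_iocs=None):
    """Walk `root`; return (hits, unreadable).

    hits       -- dicts with path, md5 and the reasons the file matched
    unreadable -- paths that could not be hashed (a coverage gap to follow up)
    """
    md5_iocs = GOZI_MD5 if md5_iocs is None else md5_iocs
    # Windows file names are case-insensitive, so compare in lower case.
    names = {n.lower() for n in (GOZI_NAMES if name_iocs is None else name_iocs)}
    hits, unreadable = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            reasons = []
            if filename.lower() in names:
                reasons.append("name:" + filename.lower())
            try:
                digest = md5_of(path)
            except OSError:
                digest = None
                unreadable.append(path)
            if digest in md5_iocs:
                reasons.append("md5:" + md5_iocs[digest])
            if reasons:
                hits.append({"path": path, "md5": digest, "reasons": reasons})
    return hits, unreadable


if __name__ == "__main__":
    # Usage: python sweep.py <mounted-profile-or-image-directory>
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    found, skipped = sweep(target)
    for hit in found:
        print(hit["path"], hit["md5"], ", ".join(hit["reasons"]))
    print("%d hit(s), %d unreadable file(s) under %s"
          % (len(found), len(skipped), target))
```

Because the chapter reports that the file is hidden from Windows tools on the running system and that its name is picked from various names, run the sweep against a mounted disk image or a safe-mode boot and give hash matches more weight than name matches.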


Removal of Gozi:
To remove Gozi from the system, since Gozi consists of DLLs, we need to remove all registry entries related to Gozi. The DLLs of Gozi are hidden, so it is difficult to delete all the DLLs from the system directly. First we need to identify the .dll files of Gozi; after that, using utilities such as MoveFile from Sysinternals, delete all the registry entries related to Gozi. Reboot the system, then check whether the registry entries of Gozi have all been deleted. Now the system is safe. [Andreas Baumhof, 2010]

9.2. Prorat 1.9:
Name : Backdoor.prorat.10b3 [Kaspersky]
Threat level : Low
Damaged level : Medium
Identified : 13-06-2003
Updated : 13-02-2007
Type : Trojan horse
Alias : Prorat

Description : This Trojan gives the attacker full access to the victim's PC; it opens a port on the PC. It is written in Delphi and packed with UPX. [Kaoru Hayashi, 2007]

It is a remote administration tool which is used by attackers without our permission. The systems affected by this Trojan are Win 95, Win 98, Win NT, Win Me, Win 2000, Vista and Win 7, whereas Mac, Linux and Unix users are not affected by this Trojan. [Spyware database, 2007]

How it infects the PC:

Step1:
It first copies itself into the %Windir% or %System% folder. It has different variants with different file names, as shown below.

Figure 9.2.1

Step2:
It creates .dll files in %System%, as shown below.

Figure 9.2.2

Step3:
The Windows registry values are as shown below.

Figure 9.2.3 (a)

Figure 9.2.3 (b)

Step4:
It modifies the data as shown below.

Figure 9.2.4

Step5:
It opens a port on the victim's PC in the range 50000-60000, and sends the IP address and port number of the victim's PC to the ICQ user using the ICQ web pager. It may inject a .dll file into the winlogon process as a thread, and it terminates security products. [Kaoru Hayashi, 2007]
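The port behaviour in Step5 gives a simple triage check: list TCP listeners in 50000-60000 and resolve each owning PID to a process. The following is an added example, not code from the thesis or its sources; the function names are hypothetical and the `netstat -ano` and `tasklist /fo csv /nh` output embedded in it is constructed.

```python
import csv
import io
import re

# Port range the chapter gives for the listener Prorat opens. Windows Vista
# and later also use 49152-65535 as the default dynamic range, so legitimate
# services can listen here too: a hit is a lead to check, not a verdict.
PRORAT_PORTS = range(50000, 60001)

# One "netstat -ano" row: proto, local addr:port, foreign addr, state, PID.
NETSTAT_ROW = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.IGNORECASE)

# Constructed sample data (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       512
  TCP    0.0.0.0:51100          0.0.0.0:0              LISTENING       620
  TCP    127.0.0.1:50211        0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.20:50987     203.0.113.7:80         ESTABLISHED     3120
  TCP    [::]:58000             [::]:0                 LISTENING       4321
  UDP    0.0.0.0:55000          *:*                                    868
"""
SAMPLE_TASKLIST = '''"wininit.exe","512","Services","0","4,100 K"
"winlogon.exe","620","Console","0","3,128 K"
"svchost.exe","868","Services","0","9,876 K"
"editor.exe","2044","Console","1","20,000 K"
"browser.exe","3120","Console","1","80,000 K"
'''


def parse_listeners(netstat_text):
    """Return every listening TCP socket as {addr, port, pid}."""
    rows = []
    for line in netstat_text.splitlines():
        match = NETSTAT_ROW.match(line)
        if match:
            rows.append({"addr": match.group(1).strip("[]"),
                         "port": int(match.group(2)),
                         "pid": int(match.group(3))})
    return rows


def parse_tasklist(tasklist_csv):
    """Map PID -> image name from 'tasklist /fo csv /nh' output."""
    names = {}
    for record in csv.reader(io.StringIO(tasklist_csv)):
        if len(record) >= 2 and record[1].isdigit():
            names[int(record[1])] = record[0]
    return names


def triage(netstat_text, tasklist_csv=""):
    """Return listeners in the Prorat range, highest priority first."""
    names = parse_tasklist(tasklist_csv)
    leads = []
    for row in parse_listeners(netstat_text):
        if row["port"] not in PRORAT_PORTS:
            continue
        image = names.get(row["pid"])
        # High priority (a choice made for this example): the socket is owned
        # by winlogon.exe, which the chapter names as the injection target,
        # or by a PID that the supplied process list does not contain.
        suspicious_owner = (image or "").lower() == "winlogon.exe"
        missing_owner = bool(names) and image is None
        leads.append(dict(row, image=image,
                          remote_reachable=row["addr"] in ("0.0.0.0", "::"),
                          priority="high" if suspicious_owner or missing_owner
                          else "review"))
    return sorted(leads, key=lambda r: (r["priority"] != "high", r["port"]))


if __name__ == "__main__":
    for lead in triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(lead)
```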


How to use the Prorat 1.9:

Step1:
Download Prorat 1.9. Double click on the Prorat 1.9 as shown below.

Figure 9.2.5

Step2:
It will appear as shown in the figure below.

Figure 9.2.6

Step3:
Click on Create and then Create Prorat Server (342 Kbayt) as shown below.

Figure 9.2.7

Step4:
Click on the Notifications tab and then give the IP address and the E-mail to which we want to receive notifications as shown below.

Figure 9.2.8

Step5:
Go to General Settings and tick the options according to the user requirement.

Figure 9.2.9

Step6:
Click on the Bind with File tab, tick Bind with server file and select the file we want to bind; after that a dialogue box shows that the server is bound with the file. Click on OK as shown in figures 9.2.10 (a), 9.2.10 (b), 9.2.10 (c).

Figure 9.2.10 (a)

Figure 9.2.10 (b)

Figure 9.2.10 (c)

Step7:
Click on the Server Extensions tab; we can give any extension as per our requirement. Here I am clicking on .SCR as shown in figure 9.2.11.

Figure 9.2.11

Step8:
Now click on Server Icon, choose any one icon and then click on Create Server; after that a dialogue box appears on the screen showing that the binded server has been created with your settings in the current directory. Click on OK as shown in figures 9.2.12 (a), 9.2.12 (b) and 9.2.12 (c).

Figure 9.2.12 (a)

Figure 9.2.12 (b)

Figure 9.2.12 (c)

Step9:
Now we can see that the binded server is created. Create a new zip file, rename the binded server with a name as you wish, and put it into the zip file as shown in figures 9.2.13 (a), 9.2.13 (b).

Figure 9.2.13 (a)

Figure 9.2.13 (b)

Step10:
Send the zip file to the victim.

Figure 9.2.14

Step11:
Now give the IP address of the victim and connect as shown in the figure below.

Figure 9.2.15

Step12:
Now we can access the victim's PC and see whatever information we want, like PC information, applications, messages and the windows he has opened; we can turn off, restart, look at all the files on the hard disk and the services, chat with the victim, find the passwords etc., as shown in the figures below.

Figure 9.2.16 (a)

Figure 9.2.16 (b)

Figure 9.2.16 (c)

Figure 9.2.16 (d)

Figure 9.2.16 (e)

How to remove Backdoor. prorat: Manually:


To remove the Backdoor. prorat manually we must follow the below instructions. [spyware database, 2007]

Step1:
Stop the Processes which are as shown in below.

Step2:

Unregister the . dll files as shown below.

In fo

rm

U0925517

at io

Figure 9. 2. 17

Figure 9. 2. 18

n
Page 66

nl

MSc Computer forensics and Information Security

Viruses in Vista

Step3:
Locate and delete all the files shown below.

We can also use anti-virus tools, and a dedicated tool, Anti-Prorat, is available for this purpose as well.

Figure 9.2.19
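The three manual steps above (stop the processes, unregister the DLLs, delete the files) as a scripted and logged clean-up. This is an added example, not part of the original dissertation or of the cited removal guide; the function names, the log path and every indicator value are assumptions, and the placeholders stand in for the names shown in the figures, which are not reproduced here.

```powershell
# Added example. The indicator values are placeholders, not names from the page:
# fill them in from the removal guide or antivirus write-up you are following.
$Indicators = @{
    Processes = @('PLACEHOLDER_process')             # Step 1: process names, no .exe
    Dlls      = @('C:\PLACEHOLDER\module.dll')       # Step 2: DLLs to unregister
    Files     = @('C:\PLACEHOLDER\dropped_file.exe') # Step 3: files to delete
}

# SHA-256 via .NET so the script also runs on PowerShell 2.0.
function Get-Sha256([string] $Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

function New-LogEntry($Step, $Item, $Detail) {
    New-Object PSObject -Property @{ Time = (Get-Date -Format s); Step = $Step; Item = $Item; Detail = $Detail }
}

function Remove-BackdoorArtifact {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [hashtable] $Indicators,
        [string] $LogPath = (Join-Path $env:TEMP 'backdoor-removal-log.csv')
    )
    $log = @()

    # Step 1: stop the listed processes so their files are no longer locked.
    foreach ($name in $Indicators.Processes) {
        foreach ($proc in @(Get-Process -Name $name -ErrorAction SilentlyContinue)) {
            if ($PSCmdlet.ShouldProcess("$($proc.Name) (PID $($proc.Id))", 'Stop process')) {
                Stop-Process -Id $proc.Id -Force
                $log += New-LogEntry 1 $proc.Name "stopped PID $($proc.Id)"
            }
        }
    }

    # Step 2: unregister each DLL (regsvr32 /u = unregister, /s = no dialogs).
    foreach ($dll in $Indicators.Dlls) {
        if (-not (Test-Path -LiteralPath $dll)) { continue }
        if ($PSCmdlet.ShouldProcess($dll, 'Unregister DLL')) {
            $p = Start-Process regsvr32.exe -ArgumentList "/u /s `"$dll`"" -Wait -PassThru
            $log += New-LogEntry 2 $dll "regsvr32 exit code $($p.ExitCode)"
        }
    }

    # Step 3: record each file's hash for the case notes, then delete it.
    foreach ($file in $Indicators.Files) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        $hash = Get-Sha256 $file
        if ($PSCmdlet.ShouldProcess($file, 'Delete file')) {
            Remove-Item -LiteralPath $file -Force
            $log += New-LogEntry 3 $file "deleted, SHA256 $hash"
        }
    }

    $log | Select-Object Time, Step, Item, Detail | Export-Csv -Path $LogPath -NoTypeInformation
    $log
}

# Dry run: lists what would be stopped, unregistered and deleted, changing nothing.
Remove-BackdoorArtifact -Indicators $Indicators -WhatIf
```

Run it from an elevated prompt and drop `-WhatIf` only after the dry-run output matches the intended targets; the CSV log keeps the hash of every deleted file for the case record.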


Lessons I have learned:

I have learnt lots of things from this module, such as viruses, worms, Trojans and much malicious software. Coming to the practical part, I worked on Trojan horses, namely Trojan.gozi and Backdoor.prorat.

Gozi is a Trojan horse; it steals the SSL data from the infected PCs and maintains a central server for the database. The attackers take out membership of Gozi, extract whatever data they want, and hack the accounts of the victims. Gozi affected around 5200 systems and more than ten thousand accounts, and the black market data is worth around $2 million. The best way to remove Trojan.gozi is first to remove the .dll files and then to delete all the Gozi registry entries.

Prorat belongs to the Trojan family. It is a remote administration tool which is used by attackers without our permission. The systems affected by this Trojan are Win 95, Win 98, Win NT, Win Me, Win 2000, Vista and Win 7, whereas Mac, Linux and Unix users are not affected by this Trojan. By using it, the attacker can take all the victim's passwords, personal data, etc.; he can even crash the entire system [Spyware database, 2007]. We can remove Prorat by using the best antivirus software.

It is very difficult to identify malicious software. It is not always possible for the user to determine whether the malicious software is necessary or not. Malicious software is illegal, fraudulent or unwanted software.

Some well-known anti-malware software is able to detect and identify malicious software. We can examine software in the following ways: by the source of the program, the background of the software, the behavior of the software, and the software's impact on the system, such as performance, security and privacy.

Some evaluation criteria for malicious software:

1. Privacy: Here the malicious software will collect the data or information of the user without the user's knowledge.
2. Security: In the case of security, the unwanted software will disable or stop the security features of the user's system.
3. Unreliable behavior: Here the unwanted software will stop the user from removing the programs.

There are many types of malicious software which create trouble for the user of the system, such as:

Worms: Worms attack the network connections, but they will not infect the files on the system as viruses do. These worms utilize the network connection to enter the network, and after that they create heavy damage.

Trojan: A Trojan is a virus which is implanted in authentic software and so enters the computer. There are many types of Trojans present on the internet, but the functionality of each Trojan is different. A Trojan virus looks like genuine software to the user, but it creates a dangerous threat to the system [Joseph Lo aka Jolo, 2006]. The Trojan virus uses the existing viruses in the system and creates more damage by using them.

Dialer: A dialer is malicious software which installs itself into the dialer settings of the system without the knowledge of the client and then dials numbers without the knowledge of the client.

Backdoor: This gains access to the entire system of the user and then creates heavy damage to the computer.

To protect the system or computer from malicious software, it is preferable to install a malicious software removal tool.

Findings:
In this module I found many things, such as:

Types of malicious programs.
Types of viruses and worms.
Methods of attacks.
About Anti-virus.
Practical knowledge of Trojan.gozi and Backdoor.prorat.
Features of Vista.

RECOMMENDATIONS:
Step 1: Network, software applications and operating system should be kept up to date.

The network software, web servers, internet browsers and operating systems must be updated to protect against malicious hackers. Hackers try to find problems in software products, and when they find a mistake in this software they immediately prepare a program to create problems in the software and attack systems on the internet.

Software and antivirus must be updated immediately: when software vendors find a fault in the software they will immediately rectify it, but the corrected version of the software must then be downloaded and installed on the computer. In the meantime hackers will try to affect systems worldwide. So immediate updating of the software and antivirus should be performed.

Some famous companies like Microsoft and Apple provide automatic update checks when you switch on the system, but some software vendors do not provide such options. So it is better to check the website of the software periodically for updates. Immediate updating of the software is recommended to protect our system.

Step 2: It is compulsory to install antivirus software. Viruses and worms can be detected by using good antivirus software. Such antivirus software uses a technique called heuristics, which has the ability to detect viruses which are suspicious.

Step 3: The antivirus should be running

In antivirus software we can use two types of methods. In the first method we keep the antivirus in real-time mode. In real-time mode, when the system starts, the antivirus starts scanning all the files in the system and protects it from viruses. It is better to go for a real-time scanner because, while we are working at the workstation, the antivirus will scan the system files and folders without interrupting our work. It is also better to run a batch scan periodically, once a week.

Step 4: Antivirus should be updated frequently

It is better to go for genuine antivirus software than pirated antivirus software. When you subscribe to an antivirus, the vendor provides virus information updates and new virus alerts. If the antivirus subscription is out of date, there will automatically be a risk from viruses. So keeping the antivirus updated will protect the system from viruses.

Step 5: Be aware of phishing

The process related to theft of data which belongs to the users who surf techniques of social engineering. This is generally performed through entities which are most trusted. Most often it is done through e-mail. It points the end user to websites which appear to be replicas of trusted entities. So do not provide personal information to any fake sites or mails. Reputable companies will verify your information via phone.

Step 6: Data sharing and accessing untrusted websites must be avoided.

We should avoid the following things:

USB drives, CDs, DVDs, emails and net surfing increase the risk of infection of the system.

It is not recommended to transfer data from removable disks, as they can cause infection of the system. For this reason many organizations do not allow their users to use removable disks.

Never open or click on links from unknown emails, avoid visiting untrusted websites and try to avoid files from unpopular or untrustworthy websites. These unwanted websites will try to infect the system and steal personal information from the system user.

Future Implementation:

Nowadays many antivirus products are available on the market, and there is also a great deal of malware, with new malware being created day by day. But there is no ideal antivirus scanner available, which means that when new malware is created, it takes time to analyze it, detect it and work out the procedures to remove it. Gozi is stealing the SSL data of thousands of accounts, so the banks should provide high standards of security, and operating systems should be designed in such a way that they highly restrict malicious programs.

Conclusion:
In this paper we discussed how Trojan.gozi and Backdoor.Trojan infect systems and how to remove them from infected systems, and also how to improve the consistency of antivirus software and how to avoid or protect the system from new or existing viruses. The antivirus software companies are implementing new methods and techniques to protect the system from viruses, but the new viruses being created are defeating the antivirus software. The developers of malware are trying to implement new methods of coding to escape from powerful antivirus software. Because of this, new malicious programs have the capacity to disable antivirus software and other types of security software.

The rise of this type of malicious software shows us how well antivirus software is working. To prevent infections and to get rid of worms, some of these methods should be implemented: using a firewall on the system; updating the operating system (VISTA OS) and the software you use; using antivirus and antispyware software, such as Microsoft Security Essentials, which is a free download from Microsoft; and using a standard user account instead of an administrator account.

The majority of today's malicious software is intended to attack Windows systems, so people who use other operating systems [OS] believe they are not at risk, but this is not the case. Malicious programs are also targeting other operating systems, such as Apple and Linux operating systems.

Here it is strongly suggested to install an antivirus scanner. Not all antivirus scanners may be recognized by Windows Vista, even if they are completely fine and properly functional. If your antivirus scanner is installed properly, it will be recognized by Windows Vista and the Malware Protection line will automatically turn green. Most antivirus programs require a reboot after installation. But the fact is that, as one of the millions of users of the internet, we should be careful about computer viruses and protect ourselves accordingly. According to my research, there is no antivirus software which can protect our worldwide internet immediately when a worm or virus is created.

References:
[T. M. Chen, 2003] [Trends in Viruses and Worms. By T. M. Chen, 6[3], Date published: 2003] Date accessed: 20-07-2010

[Dr. Chris Imafidon] [Analysis of two recent worms, Date published: 20-08-2006] Date accessed: 20-07-2010

[Spafford E. H, 1989] [Spafford E. H. The internet worm program: ACM SIGCOMM Computer Communication Review, Published 1989.] Date accessed: 24-07-2010

[J. Munro, 2002] [J. Munro. Antivirus research and detection techniques, Date Published: 01-07-2002 http://www.extremetech.com/article2/0%2C1558%2C325439%2C00.asp.] Date accessed: 30-07-2010

[DaBoss, 2009] [DaBoss. Number of viruses. Published: 03.05.2009 http://www.cknow.com/vtutor/NumberofViruses.html] Date accessed: 30-07-2010

[Nachenberg. C, 1997] [Nachenberg. Computer virus-antivirus coevolution. Communications of the ACM, Published: 1997.] Date accessed: 05-08-2010

[G. B. Sorkin, 1997] [G. B. Sorkin, D. M. Chess, and S. R. White. Fighting computer viruses. Scientific American, Published: 1997.] Date accessed: 09-08-2010

[Richard Barnhart, 1996] [Richard Barnhart. Notes on computer viruses. Last updated 23-09-96 http://courses.cs.vt.edu/professionalism/Viruses/viruses.html.] Date accessed: 09-08-10.

[C. Nachenberg, 1996] [C. Nachenberg. Understanding and managing polymorphic viruses. Published: 1996.] Date accessed: 09-08-10.

[Sanok D. J, 2005] [Virus list. http://www.viruslist.com/en/viruses/encyclopedia?chapter=153311150.] Date accessed: 09-08-10.

[P. Szor] [The Art of Computer Virus Research and Defense.] Date accessed: 09-08-10.

[Hacker Tactics, 2001] [Social Engineering Fundamentals, Part I: Hacker Tactics. Published: December 18th, 2001 http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics] Date accessed: 14-08-10.

[Cert incident note, Date published: Feb 99. http://www.cert.org/incident_notes/IN-99-02.html.] Date accessed: 14-08-10.

[Erik Larkin, 2009] [Spotting a PC Infection, Erik Larkin, PC World, Date Published: 02-02-2009] Date accessed: 16-08-10.

[Roger Grimes, 2007] [Malware Troubles? Start from Square One, Roger Grimes, PC World, 20-02-2009] Date accessed: 16-08-10.

[Ryan Naraine, 2006] [Ryan Naraine. Security, Date published: 20.10.2006 http://www.eweek.com/article2/0,1895,2034680,00.asp.] Date accessed: 20-08-10.

[Dshield, 2003] [Dshield. The beast. Date published: Fri, 17 Oct 2003 http://lists.virus.org/dshield-0310/msg00337.html.] Date accessed: 22-08-10.

[Win32.Glieder.AF, Date Published: 21 Apr 2005, Last Updated: 31 May 2005. http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=42627.] Date accessed: 22-08-2010.

[Don Jackson, 2007] [Gozi Trojan, Don Jackson, Date published: March 2007 http://www.secureworks.com/research/threats/gozi/, Date of access: 28-Aug-2010]

[E. Messmer, 1999] [Pentagon gets smart. Published: Sep 99] Date accessed: 24-08-10.

[R. Basili and Barry T. Perricone, 1984] [Matsushita Electric Industrial Corporate Limited Date Published: 2006 February] Date accessed: 28-08-10

[I. Muttik, 2000] [Stripping down an AVENGINE. Published: 2000]. Date accessed: 28-08-10.

[By Robert McMillan, 2005] [Viruses take advantage of new command shell in beta OS. By Robert McMillan, IDGNS. Date published: 04.08.2005 http://www.infoworld.com/d/security-central/first-family-windows-vista-viruses-unleashed-213] Date accessed: 22-08-10

[Robert Macmilan, 2010] [New malware variants exploit Windows attack. By Robert Macmilan. Date published: 23.07.2010 http://www.infoworld.com/d/security-central/new-malware-variants-exploit-windows-attack-424] Date accessed: 22-08-10

[Bob Page, 1988] [A Report on the Internet Worm by Bob Page, November 7, 1988.] Date accessed: 24-08-10.

[Andreas Baumhof, 2010] [Gozi, Andreas Baumhof Date published: 28-Feb-2010, http://www.trustdefender.com/blog/2010/02/28/gozi-a-perfect-example-of-an-older-trojan-re-inventing-itself/ Date of access: 28-Aug-2010] Date accessed: 28-08-10.

[P. Denning, 1989] [P. Denning, The Internet Worm Vol. 77, Mar-89] Date accessed: 22-08-10.

[Bob Page, 1988] [A Report on the Internet Worm by Bob Page, November 7, 1988] Date accessed: 22-08-10

[Cert incident, 2002] [Love Letter Worm, http://www.cert.org/advisories/ca2000-04.html.]

[John, 2009] [Markoff, John [2009-01-22]. "Worm Infects Millions of Computers Worldwide". New York Times. http://nytimes.com/2009/01/23/technology/internet/23worm.html. Retrieved 2009-04-23.]

[Ryan Naraine, 2006] [What Is the Difference: Viruses, Worms, Trojans, and Bots? - Cisco Systems]

[Jamie Crapanzano, 2009] [Jamie Crapanzano [2003]: "Deconstructing SubSeven, the Trojan Horse of Choice", SANS Institute, Retrieved on 2009-06-11.]

[Carnegie Mellon University [1999]: "CERT Advisory CA-1999-02 Trojan Horses", Retrieved on 2009-06-10.]

[Gizmo Richards, 2008] [Do you really need a spyware scanner? [Editorial] Gizmo Richards' Support Alert Newsletter, April 17, 2008.]

[By Mary Landesman] [Best Free Trojan Scanner/Trojan Remover, torresmagnifico, TechSupportAlert, July 2, 2010 -- Emsisoft AntiMalware, PC Tools ThreatFire, Malwarebytes' Anti-Malware, and SUPERAntiSpyware.]

[Spyware database, 2007] [Spyware database, uninstall prorat database http://www.uninstall-spyware.com/uninstallProRAT.html] Date accessed: 03-09-10.

[Kaoru Hayashi, 2007] [Kaoru Hayashi, Backdoor.Prorat Date published: 13-Feb-2007 http://www.symantec.com/security_response/writeup.jsp?docid=2003-061315-4216-99&tabid=2] Date accessed: 01-09-10.

[Andreas Baumhof, 2010] [Gozi, by Andreas Baumhof, 2010 http://www.trustdefender.com/blog/2010/02/28/gozi-a-perfect-example-of-an-older-trojan-re-inventing-itself/ Date published: 28-02-2010] Date accessed: 20-08-10.

[Jamie Crapanzano, 2003] [Deconstructing SubSeven, the Trojan Horse of Choice, Date Published: 06-11-2009] Date accessed: 26-08-10

[Carnegie Mellon University, 1999] [BitDefender.com Malware and Spam Survey, Published: 1999] Date accessed: 26-08-10

[D. Wagner, 1996] [Carnegie Mellon University (1999): "CERT Advisory CA-1999-02 Trojan Horses", Retrieved on 2009-06-10. I. Goldberg, D. Wagner, R. Thomas, and E. A. Brewer. A secure environment for untrusted helper applications: Confining the wiley hacker. In Proceedings of the 1996 Usenix Security Symposium. USENIX, July 22-25 1996.] Date accessed: 02-09-10

[B. Schneier, 1999] [B. Schneier. The Trojan horse race, Communications of the ACM, 42 Sep 1999] Date accessed: 04-09-10.

Index

Anti-virus
Backdoor
Backdoor.prorat
Bit Locker
Boot sector viruses
Buffer overflow
Bugbear
Computer worms
Cross site
Date virus
Dialer
Email Worms
Emulation
Encrypted viruses
Fizer
Frequency Analysis
Happy99
Heap overflow
Heuristics
Injecting code
Injection by SQL
Instant messaging Worms
Integer overflow
Justexploit kit
Kaspersky
Klez
Love letter worm
Macro Viruses
Malicious PDF file
Malicious programs
Malware
Mass E-mailers
Network Softwares
Parasitic viruses
Pattern Matching
Pharming
Phishing
Polymorphic virus
Privacy
Prorat 1.9
Root kit
Security
Signature detection
Social Engineering
Spam through Trojans
Spyware
Stealth virus
Trojan Beast
Trojan.Gozi
Trojans
UAC
User Account Control
Virus
Vulnerabilities
Win32.Bagle.BG
Win32.Glieder.AF
Winevar
Worms
X-Raying