A virus is a self-replicating program that reproduces by attaching copies of its code to other executable code. In other words, viruses create copies of themselves in other programs, then activate on some sort of trigger event (such as a specific user task, a particular time, or an event of some sort). They usually get onto a system via file attachments, clicks on links embedded in e-mails, or the installation of pirated software, and while some are nothing more than annoyances, many cause substantial harm to the system and, if you’re crazy enough to pay for it, financial loss to the system owner.
Assuming your system does get infected, other than your AV going bananas and alerting that something crazy has happened, just how would you know your system has actually been infected? Well, obvious things like much slower response time, computer and browser freezes, and repeated, continual hard drive accesses should be indicators. Others may not be as immediately obvious—for example, drive letters might change and files and folders may disappear or become inaccessible. In any event, recovery may be as simple as a minor cleaning effort using software designed to clean the infection, or a major undertaking including reloads from known good backups.
There are multiple virus types listed in the official courseware, and it’s impossible to determine which you’ll see on your exam. Therefore, I’ve listed them here for your memorization:
• Ransomware This malware locks you out of your own system resources (typically by encrypting your files) and demands an online payment of some sort in order to release them back to you. Usually the payment is set lower than the cost of removing the malware and recovering anything lost. Ransomware is ubiquitous and unfortunately you’ll probably see it somewhere, sometime in your travels. The ransomware “family” includes examples such as Cryptorbit, CryptoLocker, CryptoDefense, and the police-themed variants that pose as a law-enforcement fine.
• Boot sector virus Also known as a system virus, this virus type moves the original boot sector to another location on the hard drive and puts itself in its place, so the virus code is executed first, before the OS (and your AV) ever loads. That is what makes these so hard to get rid of once you’re infected. You can re-create the boot record (the old-school fdisk /mbr command could do the trick for you), but it’s not necessarily a walk in the park.
• Shell virus Working just like the boot sector virus, this virus type wraps itself around an application’s code, inserting its own code before the application’s. Every time the application is run, the virus code is run first.
• Cluster virus This virus type modifies directory table entries so that user or system processes are pointed to the virus code itself instead of the application or action intended. A single copy of the virus “infects” everything by launching when any application is initiated.
• Multipartite virus Attempts to infect both files and the boot sector at the same time. This generally refers to a virus with multiple infection vectors. This link describes one such DOS-type virus: www.f-secure.com/v-descs/neuroqui.shtml. It was multipartite, polymorphic, retroviral, boot sector, and generally a pretty wild bit of code.
• Macro virus Probably one of the most common malware types you’ll see in today’s world, this is usually written with Visual Basic for Applications (VBA). This virus type infects template files created by Microsoft Office, normally Word and Excel. The Melissa virus was a prime example of this.
• Polymorphic code virus This virus mutates its code using a built-in polymorphic engine: the body is re-encrypted with a new key and the decryption routine itself is rewritten each time, so no fixed byte sequence survives from infection to infection and a static signature has nothing stable to match. The decrypted body that ends up in memory is still the same, which is why AV engines emulate the decryptor and scan the result rather than trusting the bytes on disk.
• Encryption virus Shockingly, this type of virus uses encryption to hide its code from antivirus scanners. The catch is that the decryption routine has to stay in the clear so the virus can run at all, and that constant stub is what scanners key on; polymorphic viruses exist precisely to remove that weakness.
• Metamorphic virus This virus type rewrites itself every time it infects a new file. Rather than encrypting a fixed body, it regenerates its own code (reordering routines, substituting equivalent instructions, inserting junk) into a functionally identical but byte-for-byte different program, so there is no constant body to find even after emulation.
• Stealth virus Also known as a “tunneling virus,” this one attempts to evade antivirus (AV) applications by intercepting the AV’s requests to the operating system (OS), such as reads of an infected file or boot sector, and answering them itself with the original, uninfected contents instead of letting the OS answer. To the AV the file looks “clean” even though the infection is still there.
• Cavity virus Cavity viruses overwrite portions of host files so as not to increase the actual size of the file. This is done using the unused, typically zero-filled, regions of the file (code caves) and leaves the file’s actual functionality intact.
• Sparse infector virus These only infect occasionally. For example, maybe the virus only fires every tenth time a specific application is run.
• File extension virus These viruses change the file extensions of files to take advantage of most people having file extension view turned off. For example, readme.txt.vbs might appear as readme.txt with extensions turned off.
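To make the encryption, polymorphic, and file extension entries above concrete, here is a toy Python scanner. It is an illustration added to this page, not code from the courseware or from any AV product, and everything in it is made up: the “virus body” and its signature, the three equivalent decryptor stubs (stand-ins for real decryptor machine code), the executable-extension list, and the simplified idea that Explorer just drops the last extension when extension display is off. It shows why a body-only signature misses an encrypted sample, why a signature on a fixed decryptor stub still catches an encryption virus but not a polymorphic one, why emulating the decryptor catches both, and how readme.txt.vbs is flagged by looking at the real last extension instead of the name the user sees.

```python
"""
Toy attachment scanner (added illustration; not code from the book or any AV
product). Every sample is a constructed byte string, not real malware.

Part 1, encryption vs. polymorphic viruses: a body signature misses an encrypted
sample; a signature on the clear-text decryptor stub still catches an
"encryption virus" whose stub never changes; only emulation (run the decryptor,
then scan the result) also catches a polymorphic sample whose stub mutates.

Part 2, the file extension trick: check the real last extension, not the name
Windows shows with "Hide extensions for known file types" switched on.
"""
import os
import re
from typing import Dict, Optional

# --- constructed sample ------------------------------------------------------
BODY = b"VIRUS_BODY:copy_self_to_host;trigger=friday13;"  # hypothetical plaintext body
BODY_SIGNATURE = b"copy_self_to_host"                      # what a body-only signature matches

# Equivalent decryptor stubs (stand-ins for machine code). An encryption virus
# always carries STUBS[0]; a polymorphic engine swaps in an equivalent stub.
STUBS = [b"DECRYPT:xor:", b"UNMASK:xor:", b"DECODE:xor:"]
STUB_SIGNATURE = STUBS[0]
STUB_PATTERN = re.compile(rb"^(DECRYPT|UNMASK|DECODE):xor:")  # what the emulator recognises


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_generation(key: int, polymorphic: bool = False) -> bytes:
    """One infection: clear stub + one key byte + XOR-encrypted body.
    A zero key would leave the body in plaintext, so it is rejected."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    stub = STUBS[key % len(STUBS)] if polymorphic else STUBS[0]
    return stub + bytes([key]) + xor(BODY, key)


def emulate_decryptor(sample: bytes) -> Optional[bytes]:
    """Do what the stub does at run time. Returns None if no stub is recognised."""
    m = STUB_PATTERN.match(sample)
    if m is None or len(sample) <= m.end():
        return None
    key = sample[m.end()]
    return xor(sample[m.end() + 1:], key)


def scan(sample: bytes) -> Dict[str, bool]:
    """Three detection strategies, side by side."""
    decrypted = emulate_decryptor(sample)
    return {
        "body_sig": BODY_SIGNATURE in sample,        # misses anything encrypted
        "stub_sig": STUB_SIGNATURE in sample,        # fixed-stub encryption virus only
        "emulation": decrypted is not None and BODY_SIGNATURE in decrypted,
    }


# --- file extension trick ----------------------------------------------------
# Extensions Windows runs directly when the file is opened (assumed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1"}


def shown_name(filename: str) -> str:
    """What Explorer displays with known extensions hidden (simplified: the
    last extension is dropped)."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def deceptive_extension(filename: str) -> bool:
    """True when the real extension is executable but the visible name ends in a
    different, harmless-looking extension, e.g. readme.txt.vbs."""
    root, ext = os.path.splitext(filename)
    inner = os.path.splitext(root)[1]
    return ext.lower() in EXECUTABLE_EXTS and bool(inner) and inner.lower() not in EXECUTABLE_EXTS


if __name__ == "__main__":
    encrypted = make_generation(0x5A)                      # same stub every generation
    polymorphic = make_generation(0xA7, polymorphic=True)  # different stub this generation
    for label, sample in [("plain", BODY), ("encrypted", encrypted), ("polymorphic", polymorphic)]:
        print(f"{label:12} {scan(sample)}")
    for name in ["readme.txt.vbs", "invoice.pdf.exe", "setup.exe", "notes.tar.gz"]:
        print(f"{name:18} shown as {shown_name(name):14} deceptive={deceptive_extension(name)}")
```

Run it and compare the three rows: the plaintext sample only trips the body signature, the encryption virus trips the stub signature and emulation, and the polymorphic generation trips emulation alone. That last row is the whole reason modern engines emulate the decryptor instead of relying on static signatures, and the extension check is the gateway-side equivalent of turning “hide extensions for known file types” off.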
Another malware definition you’ll need to know is the worm. A worm is a self-replicating malware computer program that uses a computer network to send copies of itself to other systems without human intervention. Usually it doesn’t alter files, but it resides in active memory and duplicates itself, eating up resources and wreaking havoc along the way. The most common use for a worm in the hacking world is the creation of botnets, which we’ve already discussed. This army of robot systems can then be used to accomplish all sorts of bad things.
When it comes to worms and your exam, in earlier versions of the exam EC-Council wanted you not only to know and understand what a worm does but also to identify specific famous named worms based on a variety of characteristics. For example, the Conficker worm disabled services, denied access to administrator shared drives, locked users out of directories, and restricted access to security-related sites. Symptoms included an “Open folder to view files—Publisher not specified” message in the AutoPlay dialog box (the original, and legitimate, Windows option reads “Open folder to view files using Windows Explorer.”)
In the latest version of the official courseware, however, it doesn’t appear they care much about it at all. In fact, the only one making an appearance is something called “Ghost Eye Worm,” which really isn’t much of a worm at all. It’s a hacking tool that uses random messaging on Facebook and other sites to perform a host of naughty efforts. I’m not positive they’ll ignore worms altogether, so I decided to list these for your perusal, should you happen to see a random question about one of them:
• Code Red Named after the soft drink the eEye Digital guys were drinking when they discovered it, Code Red exploited the Index Server ISAPI extension (idq.dll) on IIS servers in 2001. The worm used a buffer overflow in that extension and defaced hundreds of thousands of servers.
• Darlloz Known as the worm for “the Internet of Things,” Darlloz is a Linux-based worm that targets devices running ARM, MIPS, and PowerPC architectures, which are usually routers, set-top boxes, and security cameras.
• Slammer Also known as SQL Slammer, this was a denial-of-service worm attacking a buffer overflow in the Microsoft SQL Server 2000 Resolution Service (UDP port 1434). Also called Sapphire, SQL_HEL, and Helkern, it spread quickly using UDP, and its small size (the entire worm, about 376 bytes, fit inside a single packet) allowed it to bypass many sensors.
• Nimda This worm’s name comes from the word admin spelled backward. Nimda was a successful file infection virus that modified and touched nearly all web content on a machine. It spread so quickly it became the most widespread worm in history within about 22 minutes of its first sighting. Nimda spread through e-mail, open network shares, and websites, and it also took advantage of backdoors left on machines infected by the Code Red worm.
• Bug Bear Propagating over open network shares and e-mail, Bug Bear terminated AV applications and set up a backdoor for later use. It also contained keylogging capabilities.
• Pretty Park Pretty Park spread via e-mail (attempting a send every 30 minutes) and took advantage of IRC to propagate stolen passwords and the like. Running the worm executable often displayed the 3D Pipe screensaver on Windows machines.