Types of Virus
When talking about viruses, it is important to understand that not all viruses are created equal. You should know that there are different types even if you do not memorize every form they can take; recognizing the form a virus takes helps with troubleshooting and diagnosis later.
This post walks through the main types of computer virus and the life cycle of a virus, and then covers worms and spyware, including the ways they get delivered onto a system.
With that, let’s get started.
Boot Sector Virus
Viruses of this type target the boot sector of a drive, the location where many operating systems store the code that starts the boot process, so the virus runs before the operating system itself loads. This type first appeared in the MS-DOS days, but boot sector viruses are still alive and well and show up from time to time.
Browser Hijacker
This is a relative newcomer that propagates by taking advantage of vulnerabilities or features of a web browser. These viruses are known to do anything from changing the home page to forcing the download of other software onto a victim's computer.
File Infector Virus
This type of virus is one of the most common seen in the wild. To be classified as a file infector, the virus must embed itself in an executable file and then wait for that file to be run. The difference between this virus and direct action types is that this type overwrites or otherwise damages the host file.
Macro Virus
This type of malware uses the macro languages built into Microsoft Office applications and others. The danger is that it can be embedded in an otherwise harmless-looking document and wait for the document to be opened and the macro to run. Current Office versions block macros in documents that arrived from the internet by default, so a macro virus now depends on talking the user into enabling them.
Multipartite Virus
This type of virus is particularly nasty because it spreads by several methods at once, for example infecting both the boot sector and executable files. The method of infection can vary with the application, the OS version, and how the author intended the virus to operate.
Polymorphic Virus
To fit into this category, a virus must rewrite itself again and again over time. Doing so makes it much harder to detect, because a copy caught later does not look like the one caught before. The more advanced derivations of this type also employ encryption and vary the decryption routine itself, so that no fixed byte sequence survives from one generation to the next.
Memory-Resident Virus
This broad category covers any virus that, once run, loads itself into memory and stays there, waiting to infect files that match what it is looking for as they are opened or executed.
Web Scripting Virus
Many websites run complex code to provide interesting content. That code can sometimes be exploited, making it possible for a virus to infect a computer, or take actions on it, through a website.
Encrypted Virus
This type of virus consists of a payload paired with an encryption engine that encrypts the virus body, leaving only a small decryption routine in the clear to restore the body at run time. Because the encrypted bytes differ with every key, signature-based antivirus software has difficulty matching the body and has to target the decryption routine or decrypt the sample first.
Email Virus
This is a virus spread via email. It hides in a message or its attachment, and when the recipient opens it the payload executes and does its damage.
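As an added illustration (not code from the original post), the following Python toy shows why the encrypted and polymorphic viruses described above defeat naive signature matching. The "virus body" is a constructed byte string, the decryptor stub is a constant marker, and the encryption is repeating-key XOR; all three are stand-ins chosen for the demonstration, not a description of any real sample.

```python
import os

# Constructed sample data: a fixed byte string stands in for the virus body.
# It is inert text, not code; the point is what its bytes look like on disk.
BODY = b"SAMPLE-BODY: constant payload bytes that a signature scanner wants to match"
BODY_SIGNATURE = b"SAMPLE-BODY"   # naive signature for the unencrypted body
STUB = b"DECRYPT-STUB-v1"          # stand-in for the constant decryptor routine


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap(body: bytes, key: bytes) -> bytes:
    """Encrypted-virus layout: [stub][1-byte key length][key][body XOR key].

    Only the body is encrypted; the decryptor stub must stay in the clear so
    that it can run, and the key has to travel with the sample.
    """
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return STUB + bytes([len(key)]) + key + xor_bytes(body, key)


def unwrap(sample: bytes) -> bytes:
    """What an AV emulator does: follow the stub's logic to recover the body."""
    pos = len(STUB)
    klen = sample[pos]
    key = sample[pos + 1:pos + 1 + klen]
    return xor_bytes(sample[pos + 1 + klen:], key)


def body_signature_scan(sample: bytes) -> bool:
    """Static signature for the plain body: defeated by any non-trivial key."""
    return BODY_SIGNATURE in sample


def stub_signature_scan(sample: bytes) -> bool:
    """Signature on the constant decryptor: works against an encrypted virus,
    fails against a polymorphic one, which rewrites the stub each generation."""
    return STUB in sample


def emulate_then_scan(sample: bytes) -> bool:
    """Decrypt first, then match: catches both as long as the body is constant."""
    return BODY_SIGNATURE in unwrap(sample)


def demo() -> dict:
    """Two copies of the same body under fresh random keys share no encrypted bytes."""
    a = wrap(BODY, os.urandom(8))
    b = wrap(BODY, os.urandom(8))
    return {
        "samples_identical": a == b,
        "body_signature_hits": (body_signature_scan(a), body_signature_scan(b)),
        "stub_signature_hits": (stub_signature_scan(a), stub_signature_scan(b)),
        "emulation_hits": (emulate_then_scan(a), emulate_then_scan(b)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the body signature missing both copies while the stub signature and the decrypt-then-scan approach hit both; a polymorphic virus removes the stub signature as well, which is why emulation and behavioural detection became necessary.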
Logic Bombs
These are not considered viruses because they do not replicate. They are not even programs in their own right but rather camouflaged segments of other programs.
Their objective is to destroy data on the computer once certain conditions have been met, such as a particular date or time. Logic bombs go undetected until triggered, and the results can be destructive.
Worms
Nowadays when the topic of viruses comes up, worms are just around the corner. Unlike their virus cousins, which need a host program to begin their dirty work, worms need only a vulnerable system to start their self-replicating process.
Making the problem even worse is that worms can replicate on their own and leverage the speed and ease of networks to spread quickly.
The oft-cited example is the SQL Slammer worm of January 2003. When it was active, the worm spread so fast and so effectively that it caused widespread outages and denial of service, even though Microsoft had released a patch for the vulnerability it exploited six months earlier. Many system administrators simply had not applied it.
Spyware
Our next type of malware is spyware, which is specifically intended to collect information for a third party. This type of software operates in the background and out of the user's sight, quietly collecting information and transmitting it to its creator.
What is collected can be used to target ads, steal identities, generate revenue, alter systems, and capture other information. Additionally, spyware may only be the first wave of attack and open the door to later attacks once the creator knows more about you.
This type of malware can find its way onto a system using any of a number of methods; however, we will only concentrate on a few in this blog.
Methods of infection include any of the following:
Torrent Sites
The old adage "you don't get something for nothing" is very true on file-sharing networks. While not every piece of software or file on popular torrent and file-sharing sites is infected with malware of some kind, it is still more common than many would assume.
Instant Messaging (IM)
Instant messaging software has traditionally been designed with openness in mind and not any real form of security. While things have gotten better, sending malicious links and the like is still possible and still capable of infecting a victim.
Email Attachments
Email is not only a vital part of today's communication but has also proven an effective mechanism for delivering malware of all types. Embedding a malicious link or attaching a file to an email is especially effective in combination with a phishing attack.
Physical Access
If an attacker gets physical access to a system, it is easy to infect. Popping in a flash drive or plugging in a hardware keylogger takes only a moment or two. The same result can be had by planting a USB device in a high-traffic area where a curious worker may plug it into a system to see what is on it.
Browser Add-ons
Many users forget, or choose not, to update their browsers as soon as updates are released, which makes distributing spyware through malicious or compromised add-ons easier.
Websites
Many websites have been used for a tactic known as drive-by downloading, where simply visiting a site is enough to infect a system. This has commonly been done through Flash content or scripting of all types.
Another interesting distribution mechanism has come from hardware manufacturers themselves. In February 2015 Lenovo was found to have shipped software known as Superfish preinstalled on many of its consumer laptops. Superfish was designed to learn a user's browsing habits and inject advertising targeted to their interests.
That may sound irritating but not particularly harmful, until you consider how it worked: Superfish installed its own root certificate into the Windows trust store and intercepted HTTPS connections so that it could read and modify encrypted traffic. The private key for that root certificate was the same on every affected machine and was extracted within days, so anyone on the same network could impersonate any HTTPS site to those users. Once the issue was public, Lenovo admitted the software existed and released removal instructions; note that uninstalling the program alone was not enough, the trusted root certificate had to be removed as well.
Not long after Lenovo's Superfish episode, Dell ran into a similar problem: its systems shipped with a trusted root certificate (eDellRoot) whose private key was present on the machine, exposing users to the same kind of interception.
Much like Lenovo, Dell had to deal with the fallout of having this preinstalled on its systems. As of early 2016, both companies are facing or have faced lawsuits from upset consumers and privacy advocates.
A virus is the oldest form of malware and by far the best known. What is a virus, though? What separates a virus from the other types of malware?
Life Cycle of a Virus
Simply put, to be classified as a virus, malware must be a self-replicating program that attaches itself to and infects other executable programs.
Many viruses affect the host as soon as they are executed; others lie in wait, dormant, until a predetermined event or time, before carrying out their instructions.
What can you expect a virus to do once the infection has started?
Infect other programs
Replicate
Transform itself into another form
Alter configuration settings
Corrupt or destroy hardware
So why do viruses get created? Well, narrowing it down to one specific reason is tough, but some of the more common ones are to steal information, to damage equipment and software, impact a company’s reputation, perform identity theft, or (in some cases) just because.
When pentesting, you may find that creating a virus is something that is useful to test defenses such as software and policies. However, just a word of caution before going too far, and this advice goes for viruses as well as all types of malware: if you are going to use such tools during a test, take precautions to make sure it does not spread beyond your target.
If you do end up spreading it beyond your intended target, the result could be severe legal penalties and the end of your career. It is better to use malware in a testing environment rather than production, just to play it safe.
Creating a virus is a process that can be very complicated or something that happens with a few button clicks. Advanced programmers may choose to code the malware from scratch.
The less savvy or experienced may have to pursue other options, such as hiring someone to write the virus, purchasing code, or using an “underground” virus-maker application. Finally, at the most basic level, it is even possible to grab the prebuilt code and use it as is.
To complete this exercise, you will need Notepad and a copy of Bat2Com, which you can obtain from the Internet.
Before you do this exercise, here's the disclaimer. Do not execute this virus. It is a proof of concept for illustrative purposes only; running this code on your system could damage it badly enough that fixing it would take extensive time and skill.
1. Create a batch file called virus.bat using Windows Notepad.
2. Enter the following lines:
@echo off
del c:\windows\system32\*.*
del c:\windows\*.*
3. Save virus.bat.
4. From the command prompt, use Bat2Com to convert virus.bat into virus.com.
Two practical caveats: without the /Q switch, del stops and asks for confirmation when given a wildcard, and the .com output of Bat2Com is a 16-bit DOS executable, which 64-bit Windows cannot run at all. Treat this as a historical illustration of how little code a destructive payload needs, not as something that would work today.
Of course, to create more complicated viruses you need look no further than the Internet and search for virus creation kits or virus software development kits (SDKs). Doing so yields a plethora of results from a number of sources.
Although I cannot document each of these packages individually here, each offers different options and capabilities that you can explore.
However, if you are going to delve into virus creation toolkits, be careful and run them only on an isolated or standalone system with no network path to anything you care about.
Retaining Access with Backdoors and Malware
Once you have gained access to the system, the next step is carrying out the main part of your attack. This stage can involve running applications, modifying the system, or even jumping onto other systems as well as mapping and moving around the network. You’ll also need to retain access by installing backdoors and malware.
Once you can execute applications on the compromised system, what you do next is up to you. Backdoors open an alternative means of access to a system that bypasses its security measures; they can take the form of rootkits, Trojans, or similar tools.
Applications of this type are designed to compromise the system in a way that allows later access, so an attacker can return and attack the system again.
Malware is any type of software designed to capture, alter, or compromise a system, and we focus on it specifically later in this post. Keyloggers are software or hardware devices that capture what is typed on the keyboard.
Installing a Backdoor with PsTools
There are many ways to plant a backdoor on a system, but let’s look at one provided via the PsTools suite.
The PsTools suite is a collection of tools, originally from Sysinternals and now distributed by Microsoft, that allows a number of administrative operations to be performed. Included in this bundle is the utility PsExec, which can execute commands remotely on a target system.
The big benefit of this tool is that nothing needs to be installed on the victim system beforehand: given administrative credentials and access to the target's ADMIN$ share, PsExec copies its own service binary (PSEXESVC) over SMB, runs it as a temporary service, and removes it when done. The flip side, for anyone defending a network, is that each use leaves traces: a service installation is recorded in the System event log (event ID 7045), and the binary and its named pipes are well known to detection tooling.
Let's take a look at some of the commands that can be used with PsExec.
The following command launches an interactive command prompt on a system named \\kraid:
psexec \\kraid cmd
This command executes ipconfig on the remote system with the /all switch and displays the resulting output locally:
psexec \\kraid ipconfig /all
This command copies the program rootkit.exe to the remote system and executes it interactively:
psexec \\kraid -c rootkit.exe
This command copies the program rootkit.exe to the remote system and executes it interactively using the administrator account on the remote system:
psexec \\kraid -u administrator -c rootkit.exe
As these commands illustrate, it is possible for an attacker to run an application on a remote system quite easily. The next step is for the attacker to decide just what to do or what to run on the remote system. Some of the common choices are Trojans, rootkits, or backdoors.
Other utilities that may prove helpful in attaching to a system remotely:
RemoteExec
A utility designed to work much like PsExec, but it also makes it easy to restart, reboot, and manipulate folders on the system.
VNC (various versions)
This is basic screen-sharing software and a common, well-known tool. It has proven popular for a number of reasons, such as being lightweight and easy to use.
Opening a Shell with LAN Turtle
One other item that I think should be mentioned is something known as the LAN Turtle by Hak5. This utility is disguised as a simple USB Ethernet adapter, but in reality, it is something far more dangerous. The LAN Turtle allows you to perform several attacks such as man-in-the-middle and sniffing, among many others.
One of the more powerful attacks is the ability to open a remote shell on a system. Opening a shell on a system allows you to send commands and perform tasks on a remote system through a command-line interface. Additionally, the tool allows you to set up VPNs all nicely wrapped up in a small form factor package.
Recognizing Types of Malware
Malware has quickly become one of the leading problems plaguing modern technology, with several million new forms of malware created every year (by some estimates, some 1,200 new pieces are created each hour).
Using or creating malware during a penetration test can be helpful, but it can also be a very dangerous tool if used incorrectly.
For example, using a piece of malware to test an antivirus product or to open backdoors on a system can be useful, but if those backdoors spread outside the intended target area and infect systems that are not being tested, things can go bad very quickly.
In today’s world, this type of issue could easily land you in trouble with the law, not to mention the inevitable loss of credibility you may experience. Keep in mind that penalties for infecting systems that aren’t part of your testing area could result in fines or even prison time in some cases.
As stated earlier, not all malware is the same. The term malware is a catch-all term covering a whole family of malicious software.
Stated in broad terms, malware is anything that consumes resources and time while providing nothing in return and uses those resources to perform some operations counter to the system owner’s best interests. To better visualize what malware is, let’s examine the types before we delve deeper into the mechanics of each:
Viruses are designed to replicate and attach themselves to other files on a target system. Viruses require a host program to be run to start the infection process. Viruses as a type of malware have existed since the early 1970s, even before the name computer viruses was coined.
Worms
This form of malware has existed in various forms since the late 1980s. While the first generation of worms was not nearly as dangerous as those encountered today, they were nonetheless harmful.
The early generation may not have been as formidable, but it still exhibited the same defining characteristic: the ability to multiply rapidly and spread without any interaction from a user.
Spyware
Designed to gather information about a user's activities in a stealthy manner.
Trojan Horses
Malware in this category is similar to viruses, but it relies on social engineering to entice the user to run it. Wrapping malware inside something the user wants increases the chance that the user executes it and causes an infection.
Rootkits are a form of malware that hides within the software or firmware of a system. What makes them so devastating is that they can be nearly impossible to detect from within the running system: a kernel-mode rootkit runs with the same privileges as the security software and can hook the system calls that antimalware relies on, so the hidden files, processes, and network connections are simply never reported.
Cryptoviruses/ransomware
This type of malware locates and encrypts data on a victim's drive with the intention of holding it for ransom. Once infected, the victim is presented with a message stating that they must pay a certain amount to get the key that unlocks their files.
Malware is a tremendously effective way of compromising a system and gaining passwords and other data. Specifically, malware such as Trojans, spyware, and keyloggers can prove effective, allowing for the gathering of information of all types.
One form is keyboard sniffing or keylogging, which intercepts the password as a user is entering it. This attack can be carried out using hardware- or software-based mechanisms and can potentially gain all sorts of information during the process, not only passwords.
Executing an Oﬄine Attack
Offline attacks represent a form of attack that is not only effective but can be difficult to detect. Offline attacks rely on the attacking party being able to retrieve the password without directly engaging the target itself.
Let’s take a look at an offline attack and extract a hash from a system.
1. Open the command prompt
2. Type pwdump7.exe to display the hashes on a system.
3. Type pwdump7 > C:\hash.txt.
4. Press Enter.
5. Using Notepad, browse to the C: drive and open the hash.txt file to view the hashes.
Precomputed Hashes or Rainbow Tables
A more advanced offline technique uses precomputed hashes, commonly known as rainbow tables. A rainbow table is the result of hashing every candidate password within certain limits (a character set and a length range) ahead of time and storing the results in a compressed form, as chains, so that the expensive hashing is done once and reused across many cracking attempts.
Once the table exists, an attacker who has obtained a hash, for example by dumping it from the SAM as above, looks it up against the table and, if the password falls within the limits the table was built for, recovers it in seconds rather than hours.
The major drawback of rainbow tables is that they take a considerable amount of time to generate, so this is not an attack that can be carried out without setup beforehand.
Another downside is that rainbow tables cannot cover passwords of arbitrary length: each additional character multiplies the space that must be generated, so longer passwords require far larger tables and far more generation time.
Let’s create a rainbow table to see what the process entails. In most cases, you may not even have to create a rainbow table yourself, and in fact, you may be able to download one instead. Note that on newer versions of Windows, you may need to run the application with administrative privileges.
1. Start the winrtgen.exe tool.
2. Click the Add Table button.
3. In the Rainbow Table Properties window, select NTLM from the Hash drop-down list.
4. Set Minimum Length as 4 and Maximum Length as 9, with a Chain Count of 4000000.
5. Select loweralpha from the Charset drop-down list.
6. Click OK.
WinRTGen will begin creating the rainbow table. Note that generating the actual table file takes a serious amount of time, depending on the speed of your computer and the settings you chose; the parameters above (lowercase letters, lengths 4 to 9) are a modest example, and every extra character class or length multiplies the work.
Once you have created the rainbow table, you can use it to recover a password, using the hashes from pwdump and the table from WinRTGen:
1. Double-click rcrack_gui.exe.
2. Click File Add Hash to open the Add Hash window.
3. If you performed the pwdump hands on, you can open the text file created and copy and paste the hashes in this step.
4. Click OK.
5. Select Rainbow Table from the menu bar, and click Search Rainbow Table. If you performed the WinRTGen hands-on from earlier, you can use that rainbow table here.
6. Click Open.
Although rainbow tables are an effective means of breaking passwords, they can be defeated by salting the password before hashing it.
A salt is a random value combined with the password before the hash is computed and stored alongside the hash, so that identical passwords produce different hashes and a table precomputed for one salt is useless against any other. Rainbow tables are a form of precomputation attack, and the salt removes the one thing precomputation depends on: a fixed mapping from password to hash. NTLM hashes are unsalted, which is exactly why they are such a good target for this attack.
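To make the precomputation idea concrete, here is an added Python example (not code from the original post, and not WinRTGen's or rcrack's implementation) that builds a tiny rainbow table for four-character lowercase NTLM passwords and looks a hash up in it. MD4 is implemented from RFC 1320 because hashlib's MD4 is often unavailable; the chain length, chain count, reduction function and the two-byte salt in the demo are all choices made for this toy. The last lines show the point of the section: a salted hash of a word the table does cover is not found, because the table was built for a different function.

```python
import struct

MASK = 0xFFFFFFFF
CHARSET = "abcdefghijklmnopqrstuvwxyz"   # WinRTGen's "loweralpha"
PW_LEN = 4                                # fixed length keeps the toy fast
SPACE = len(CHARSET) ** PW_LEN            # 456,976 candidate passwords
CHAIN_LEN = 40                            # columns per chain (toy value)
CHAIN_COUNT = 200                         # WinRTGen's "Chain Count" (toy value)

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; hashlib's md4 needs OpenSSL's legacy provider."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    f1 = lambda x, y, z: (x & y) | (~x & z)
    f2 = lambda x, y, z: (x & y) | (x & z) | (y & z)
    f3 = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    k3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + f1(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = 4 * (i % 4) + i // 4
            a, b, c, d = d, rotl((a + f2(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, rotl((a + f3(b, c, d) + x[k3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def ntlm(password: str) -> bytes:
    """The NT hash: MD4 over the UTF-16LE password, with no salt at all."""
    return md4(password.encode("utf-16-le"))

def index_to_password(n: int) -> str:
    """Number the password space 0..SPACE-1 and spell out entry n."""
    out = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(out)

def reduce_hash(h: bytes, column: int) -> str:
    """Reduction function: map a hash back into the password space. Mixing in
    the column index is what makes this a rainbow table rather than a Hellman
    table: chains that collide in different columns do not merge."""
    return index_to_password((int.from_bytes(h[:8], "little") + column) % SPACE)

def password_at(start: str, column: int) -> str:
    """Walk a chain from its start word to the password in the given column."""
    p = start
    for col in range(column):
        p = reduce_hash(ntlm(p), col)
    return p

def build_table(starts, chain_len: int) -> dict:
    """Offline phase: hash/reduce each chain and keep only (end word -> start
    word). Every intermediate value is recomputable; that is the trade-off."""
    table = {}
    for start in starts:
        table.setdefault(password_at(start, chain_len), start)  # keep first on a merge
    return table

def lookup(table: dict, h: bytes, chain_len: int):
    """Online phase: assume h sits in each column in turn, run it forward to an
    end word, and if that end word is stored, regenerate the chain and verify."""
    for col in range(chain_len - 1, -1, -1):
        p = reduce_hash(h, col)
        for later in range(col + 1, chain_len):
            p = reduce_hash(ntlm(p), later)
        start = table.get(p)
        if start is None:
            continue
        candidate = password_at(start, col)
        if ntlm(candidate) == h:  # rejects false alarms caused by merged chains
            return candidate
    return None

STARTS = [index_to_password((i * 104729) % SPACE) for i in range(CHAIN_COUNT)]
TABLE = build_table(STARTS, CHAIN_LEN)

if __name__ == "__main__":
    target = password_at(STARTS[0], 7)  # a word this table is known to cover
    print("NT hash", ntlm(target).hex(), "->", lookup(TABLE, ntlm(target), CHAIN_LEN))
    # Salting changes the function: the same word, hashed with a constructed
    # two-byte salt, is not in any chain even though the word itself is.
    salted = md4(b"\x8b\x11" + target.encode("utf-16-le"))
    print("salted ", salted.hex(), "->", lookup(TABLE, salted, CHAIN_LEN))
    print(f"table covers at most {len(TABLE) * CHAIN_LEN / SPACE:.1%} of the space")
```

The table stores 200 pairs of four-letter words yet answers queries about up to 8,000 hashes; a real table scales the same way, which is where the "considerable time to generate" goes. The verification step in lookup matters: chains that merge produce end words shared by two starts, and without checking ntlm(candidate) == h you would return the wrong password.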
Using Nontechnical Methods
Remember, you don’t always need to actively break a password to get a password—there are other methods.
Though not really a method, using default passwords is a way of obtaining passwords. Default passwords are those that are set by the maker of a device or piece
You may want to keep a list of default-password websites handy; it is an easy way to gain entry into many systems, and default credentials are worth trying during the enumeration process.
These passwords are always meant to be changed by the customer when they receive the device and set it up. The problem is that not all users take this step and end up leaving the default setting in place. Here are some sites that have collected default passwords:
This is about as low-tech an attack as you can get, but it does work. Guessing a password manually can yield results, especially in those environments where password policies are not present or enforced.
Guessing can work typically by following a process similar to the following:
1. Locate a valid user.
2. Determine a list of potential passwords.
3. Rank possible passwords from least to most likely.
4. Try passwords until access is gained or options are exhausted.