VIRUS ANALYSIS AND DISSECTION

Have you ever wondered how anti-virus makers analyze a virus? How can they publish step-by-step removal instructions and descriptions of how a virus works? In this chapter we will practice analyzing a virus, and of course to analyze a virus we have to run it, so that its behavior can be studied: where it copies itself, what registry data it changes, and so on.

But the question is: how do we run the virus without endangering our own data files? There are several solutions, among others:

1. Prepare a dedicated computer for running viruses. This means having 2 computers, 1 for storing important files and the other for running malicious programs. I had to rule this solution out because it needs a large budget.
2. Use a virtual machine program to run Windows as a guest OS inside Windows.

Download Virtual PC here


Here I use a virtual Windows to analyze viruses inside the Windows I actually use, without worrying that a virus running in the virtual Windows will spread to the Windows where I work.
The program I use to run Windows inside Windows is Virtual PC 2007 (http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx). To do this, the computer needs at least 512 MB of RAM and about 2 GB of free hard disk space for the virtual Windows. There is actually a better virtual machine program than Virtual PC 2007, VMware (www.vmware.com), but it is not free. Keep in mind that a virtual machine isolates the guest only as far as you keep it isolated: a shared folder or a network connection to the host is a path from the guest back to the host.

3. Use the Deep Freeze program to lock the state of Windows, so that Windows returns to its original state after a restart. This method is less convenient, because after analyzing the virus we still have to write a report on what the virus did. That report file would be lost along with the virus when the computer restarts, unless it is moved to a location that Deep Freeze does not protect, with the risk that the virus gets into that location too.

So the most convenient and economical option is Virtual PC. What we need is the Virtual PC program, a Windows CD, and the virus analysis programs. The installation steps are as follows:

1. Run setup.exe to install Virtual PC.
2. Press Next and accept the software license agreement.
3. Keep pressing Next until Install, then Finish.
4. A shortcut will appear in All Programs.
5. The Virtual PC Console will then appear.
6. Select New; the New Virtual Machine wizard appears, in which we create the virtual Windows OS. Click Next, and the options appear.
7. Select Create a Virtual Machine to create a new virtual OS, then press Next.
8. Choose the location of the virtual machine file. This file will be large.



9. Then select the desired guest OS. In our case this is Windows XP.

10. Click Next. You can choose Using the recommended RAM (128 MB), but I suggest increasing the RAM so that the virtual Windows works properly, to about 200 MB.

11. Click Next, select A new virtual hard disk and Next, set the disk size, for example 10 000 MB, then Next and finally Finish.
 

12. A new virtual machine appears in the Virtual PC Console.
13. Prepare your Windows XP CD to install Windows in the virtual machine, and press Start in the Virtual PC Console.
14. The virtual machine shows a blank screen, just like a computer being switched on. From the CD menu select Use Physical Drive E:, if your Windows XP CD is in drive E. Install a fresh Windows in the virtual machine.
15. Once the virtual Windows is installed, we can connect our Windows with the virtual Windows. The way is:
A. After logging into the virtual Windows, select the Action menu in the Virtual PC program, then Install or Update Virtual Machine Additions.
B. After installing the Additions, create a shared folder so that we can exchange data between the virtual Windows and our own Windows: from the Edit menu select Settings, then Shared Folders, as in the figure below:




Then press Share Folder and choose the folder on our Windows to be shared with the virtual Windows, for example a folder named folder. You can set it to be shared always.

This completes the installation of the virtual Windows. To share programs, put them in the shared folder; in the virtual Windows, the shared folder appears as a drive. In the picture above it is drive Y:.

With the virtual Windows we can return to the initial state after a virus damages it, and we can also keep the changes we make. The trick: after Windows shuts down, a dialog appears asking whether to Commit or Delete the changes. If you choose Commit, the changes made while using the virtual machine are kept; if you choose Delete, they are discarded and Windows returns to its previous state.

Now we prepare the programs to put into the virtual Windows, namely:

1. WinRAR, because to pass a virus sample through the shared folder we must compress it, so that nothing goes wrong when the file is opened.
2. Office XP, since most viruses like to meddle with document files such as .doc, .xls and .ppt.
3. A debugger such as OllyDbg.
4. A disassembler such as PE Explorer from www.heaventools.com. Besides disassembling, this program also serves as a resource editor and dependency scanner.
5. A hex editor such as WinHex.
6. Cracking tools such as unpackers, programs that unpack an executable that was compressed with a packer such as UPX. Such programs can be downloaded from www.teamicu.org with the keyword Crackers Kit. Do not forget to scan what you download before running it; underground programs often bring danger. CrackersKit itself is a bundle of several cracking tools.
7. Thinstall from http://thinstall.com. Thinstall actually converts a program that needs installation into a portable program. We need it to capture the state of Windows before and after the virus gets in, to find out where the virus spreads in the computer and what registry data it changes.
8. A program to analyze which ports the virus opens (who knows, the virus may open a backdoor network port), such as Network Security Auditor from www.nsauditor.com.
9. A task manager other than Microsoft's, such as My Terminate.
10. A registry editor other than Microsoft's, such as TuneUp Registry Editor from www.tune-up.com. It can search registry values and data much better than the built-in Windows one.


Ok, enough introduction to the software. Let us move on to the practice of analyzing a virus. After installing the above programs in the virtual Windows, you must shut it down and choose Commit so that the changes become a permanent part of your virtual Windows. Once done, we are ready to analyze a virus!


Basically, analyzing a virus has 2 phases, namely:

1. Static analysis of the virus, meaning the virus is not run; we only analyze the code in it, by:
  a. Reading the program's header info, for example with PE Explorer.
  b. Looking at the program's resource data, for example with PE Explorer.
  c. Disassembling the code to study its behavior, especially the string values, and also to find out whether the virus file is compressed, for example with UPX, so that it can be decompressed first. Until it is unpacked, the strings and import table you see belong to the packer stub, not to the virus itself. A little info: PE Explorer comes with an unpacker for UPX-compressed programs.
  d. Scanning dependencies. With this technique we find the library files the virus program needs. If they are missing, the virus most likely will not work.

By disassembling with PE Explorer we can see what string data a program contains. From those strings we can often predict the behavior of the virus.
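As an added example (not code from the original page, nor from PE Explorer), the following Python 3 script, standard library only, does by hand what steps a and c above do in the GUI: it reads the PE header, lists the sections, flags a UPX-style layout and high-entropy sections as "unpack first", and extracts printable strings. The sample executable is constructed in memory for the demonstration and is not a real virus; its section names, the 7.0 bits/byte entropy threshold, and the DLL name and Startup path embedded in it are assumptions chosen to mirror the page.

```python
"""Static triage of a PE file: section table, packer hints, strings.

Added example for this page; the sample PE built below is constructed,
not a real virus. Stdlib only, so it runs on any OS.
"""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(data).values()))


def parse_sections(pe):
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_pointer": rawptr,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def packer_hints(sections):
    """Heuristics that say 'unpack first' before trusting imports or strings."""
    hints = []
    if any(s["name"].startswith("UPX") for s in sections):
        hints.append("section names UPX0/UPX1: UPX packed")
    for s in sections:
        # A section empty on disk but large in memory is the unpacker's
        # destination; raw data near 8 bits/byte is compressed or encrypted,
        # while plain x86 code usually sits around 6 bits/byte.
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']}: 0 bytes on disk, {s['virtual_size']:#x} bytes in memory")
        if s["entropy"] > 7.0:
            hints.append(f"{s['name']}: high entropy ({s['entropy']} bits/byte)")
    return hints


def extract_strings(data, min_len=6):
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def build_sample_pe():
    """Constructed UPX-like image: UPX0 empty on disk, UPX1 high entropy."""
    compressed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    upx1 = compressed + (b"\0wsock32.dll\0"
                         b"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\0")
    body = [  # (name, virtual_size, virtual_address, raw bytes)
        (b"UPX0", 0x8000, 0x1000, b""),
        (b"UPX1", 0x1000, 0x9000, upx1),
        (b".rsrc", 0x200, 0xA000, bytes(0x80)),  # stands in for the resource directory
    ]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew: PE header follows the DOS header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic; the rest is left zero
    coff = struct.pack("<HHIIIHH", 0x14C, len(body), 0, 0, 0, len(opt), 0x010F)
    ptr = -(-(len(dos) + 4 + len(coff) + len(opt) + 40 * len(body)) // 0x200) * 0x200
    headers, blobs = b"", b""
    for name, vsize, vaddr, raw in body:
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw),
                               ptr + len(blobs) if raw else 0, 0, 0, 0, 0, 0xE0000060)
        blobs += raw.ljust(-(-len(raw) // 0x200) * 0x200, b"\0")  # 512-byte file alignment
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers).ljust(ptr, b"\0") + blobs


if __name__ == "__main__":
    sample = build_sample_pe()
    secs = parse_sections(sample)
    for s in secs:
        print(s)
    print(packer_hints(secs))
    print([s for s in extract_strings(sample) if ".dll" in s or "\\" in s])
```

To use it on a real sample inside the virtual Windows, call parse_sections(open(path, "rb").read()) and packer_hints on the result; if the hints fire, unpack (PE Explorer does this for UPX) and only then read imports and strings. Running extract_strings over the packed region yields junk runs as well as the clear text, which is itself a sign that the bulk of the file is compressed.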






2. Dynamic analysis of the virus, meaning the virus program is run so that it attacks the system and we study its nature and how it works. This can be divided into 2, namely:

A. Process analysis, for example:
a. Analysis of the virus in memory. The programs used are a debugger (such as OllyDbg) and a process viewer (such as Process Explorer from www.sysinternals.com).
b. Analysis of registry access, for example with RegmonNT from www.sysinternals.com.
c. Analysis of file system access, i.e. where the virus copies itself, for example with FilemonNT from www.sysinternals.com.
d. Analysis of changes to the Windows system, both file system and registry, for example with Thinstall from http://thinstall.com. With this program we can identify the changes that occurred in Windows after the virus attacked.

B. Network analysis, for example:
a. Analysis of the network ports in use, for example with Network Security Auditor from www.nsauditor.com.
b. Sniffing the network packets sent by the virus, for example with Network Security Auditor from www.nsauditor.com. With this technique we can find out what data the virus transfers over the network.
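The snapshot idea behind A.d and B.a above, as an added example that is not from the original page, nor from Thinstall or NSAuditor: record the state before the sample runs, record it again afterwards, and report only what changed. The script is Python 3, standard library only. Everything it works on is constructed: the profile tree is built in a temporary directory, the registry is represented by a plain dict (on Windows the same diff applies to a mapping filled from the winreg module), and the netstat text imitates the Windows `netstat -ano` layout. The file name tati.exe, the Run key, the PIDs and port 8080 are hypothetical values for the demonstration.

```python
"""Before/after snapshots: file system, registry-style keys, listening ports.

Added example for this page. The inputs below are constructed, not
captured from a real infection.
"""
import hashlib
import os
import tempfile


def snapshot_tree(root):
    """Map each path under root to a SHA-256 of its content ('<dir>' for folders)."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for d in dirnames:
            snap[os.path.normpath(os.path.join(rel, d))] = "<dir>"
        for f in filenames:
            with open(os.path.join(dirpath, f), "rb") as fh:
                snap[os.path.normpath(os.path.join(rel, f))] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def diff_snapshots(before, after):
    """Added, removed and changed keys between two mappings of the same kind."""
    return {
        "added": {k: after[k] for k in after.keys() - before.keys()},
        "removed": {k: before[k] for k in before.keys() - after.keys()},
        "changed": {k: (before[k], after[k]) for k in before.keys() & after.keys()
                    if before[k] != after[k]},
    }


def parse_netstat(text):
    """Parse Windows `netstat -ano` rows into {(proto, local): (state, pid)}.
    TCP rows carry a State column; UDP rows do not."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]
        table[(proto, local)] = (state, pid)
    return table


def new_listeners(netstat_before, netstat_after):
    """Sockets that accept traffic after the run but did not exist before."""
    added = diff_snapshots(parse_netstat(netstat_before), parse_netstat(netstat_after))["added"]
    return {k: v for k, v in added.items() if k[0] == "UDP" or v[0] == "LISTENING"}


# --- constructed inputs ------------------------------------------------------
STARTUP = os.path.join("All Users", "Start Menu", "Programs", "Startup")
DROPPED = os.path.join(STARTUP, "tati.exe")  # hypothetical name, mirrors the page

NETSTAT_BEFORE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
"""
NETSTAT_AFTER = NETSTAT_BEFORE + """
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1580
  TCP    192.168.1.20:1035      192.168.1.1:80         ESTABLISHED     1580
"""
REG_BEFORE = {r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
REG_AFTER = dict(REG_BEFORE)
REG_AFTER[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\tati"] = r"C:\WINDOWS\tati.exe"  # hypothetical


def demo_filesystem():
    """Snapshot a small profile tree, simulate a copy dropped into the common
    Startup folder, snapshot again, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, STARTUP))
        os.makedirs(os.path.join(root, "My Documents"))
        with open(os.path.join(root, "My Documents", "report.doc"), "wb") as f:
            f.write(b"quarterly figures")
        before = snapshot_tree(root)
        # the sample would run here; its only simulated effect follows
        with open(os.path.join(root, DROPPED), "wb") as f:
            f.write(b"MZ placeholder, not a real executable")
        after = snapshot_tree(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    print("new files:", sorted(demo_filesystem()["added"]))
    print("registry:", diff_snapshots(REG_BEFORE, REG_AFTER)["added"])
    print("new listeners:", new_listeners(NETSTAT_BEFORE, NETSTAT_AFTER))
```

Hashing content rather than recording size and timestamp is what catches a virus that infects existing files in place (the .doc and .xls tampering the page mentions) and not only new files. The ESTABLISHED row in the after-snapshot is deliberately excluded from new_listeners: an outbound connection belongs in the packet sniffing step, while a new LISTENING socket is the backdoor case the page asks about.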

Ok, enough theory, now it's time to practice!


The material to supply is the virus sample... You must have a virus program, which we will analyze...

There are 2 viruses we will analyze, namely the Tati virus and .
Tati or whatever it is called, I do not know its name; I found it in an internet cafe. So my virus is compressed in a password-protected RAR, so that it is not deleted by antivirus programs when put on a computer. So, let us analyze it together, certainly inside the virtual Windows environment.
 
1. The Tati virus

The virus program looks like this:

Static Analysis
Based on visual appearance: Size: 197 KB. Icon: a folder. Now right-click the virus file and select Open with PE Explorer. According to PE Explorer's info, the virus file turns out to be compressed with UPX, and PE Explorer unpacks it directly.

This virus was not created with Visual Basic, because it does not use msvbvm60.dll. So what program was it created with? It also seems that the virus accesses the network, because it uses wsock32.dll. Note that these are the imports of the unpacked program; on the packed file the import table would show only what the UPX stub needs. Close this form, and now select the View menu and then Resources to view the program's resources; the result can be seen in the picture.
Next select the Tools menu, then Dependency Scanner. The result looks like the picture.


It turns out the virus program has a menu. Why would it? Does the virus programmer test the program's modules by using the menu to reach specific modules or procedures? Most likely the virus was written in C, because if it had been made with Delphi there would be an RC resource containing PACKAGEINFO data, which marks programs built with a Pascal compiler such as Delphi.


Ok, now we disassemble the virus file. From the Tools menu select Disassemble, then look at the string values; who knows what other info turns up.

Wow, the virus accesses several folder locations, such as My Documents, Startup, Programs and Start Menu. Does the virus spread itself to those locations? Maybe so! Unfortunately I am not good at reading assembly code, so I do not dare to state conclusions from the disassembly, for fear of being wrong. Next we move on to dynamic analysis.

Dynamic Analysis

The virus is ready to run, but before that, the shared folder of the virtual PC must be disconnected first. Who knows, the virus might get into the shared drive and harm the computer we actually use. Let's run Thinstall, select Setup Capture, and a display like the picture appears.

Select Start, then select Pre-Install Scan. Wait until it finishes recording the state of Windows before the virus runs. Then run the virus file, and restart the virtual Windows.

After logging back into Windows, Thinstall asks whether to continue the capture or not. Choose continue. Then check the network with NSAuditor; no attempt by the virus to open a network port was seen, as shown in the picture.

Now, using Process Explorer, kill the Tati virus process, as in the picture:

Once the Tati virus is stopped, we look at what changes the virus made, so run the next and last step of Thinstall, the post-install scan, and save the result of these changes somewhere, as in the pictures:

The results of the Thinstall analysis can be seen in the snapshot folder, and it turns out the Tati virus only entered the common Startup folder, as shown in the image below:

Apart from the common Startup folder, this virus was not found anywhere else, which is suspicious, because our analysis of the virus body found several Windows folder locations. Possibly the virus programmer made the program behave differently in a virtual Windows than in a real one, which makes it hard to analyze the virus through a virtual Windows. This is all the more suspicious because, according to the Thinstall snapshot files, no registry data was changed by the virus either. It would have to be done on a real Windows, which means preparing a dedicated computer for viruses. So now we move on to the next virus. What, the Tati virus is just forgotten? Please understand that the author does not have a dedicated computer for running viruses. What is clear is that with Thinstall we are able to see where a virus spreads and what registry data it changes. Ok, shut down the virtual Windows and select Delete undo disk changes, to remove the changes made by the Tati virus.

By 4youbro.blogspot.com
