
VIRUS LABORATORY

Getting acquainted with a virus is fine, but you must have the heart to keep the relationship from going any further.

Most people have no dealings with computer viruses, and nobody wants one (virus writers included). Some people, however, enjoy analyzing computer viruses. Tinkering with a virus may look "intimate", but without an adequately prepared virus laboratory, your system and your data can be ravaged by the very virus you are studying.



Destruction by the virus

Imagine you are researching and experimenting with a virus in the truest sense, i.e. a biological virus that can transmit disease and infect people: you would have to set up a secure and isolated environment. The same holds when examining a computer virus. Do not let the virus spread to the system you use every day; you set out to research the virus and end up its victim! Not infrequently a virus destroys data files (documents, images, video) or system files such as the Windows registry, executable files, or other important files. So prepare a special place that is ready for dissecting the virus.

While "virus" is a term often used to generalize all types of malware (because the virus is the type of malware that first became well known and widely spread), as the field has grown, the understanding of a virus has actually come to differ from that of other malware such as worms, Trojans, adware and spyware.

Thus there is malware that does not infect files or replicate itself. Therefore, apart from watching for the relatively quick and well-known effects (new suspicious files appearing, the look and messages of a virus), also be aware of effects that are no less bad and dangerous, such as malware that steals data or takes over the system. These are relatively harder to spot and require in-depth analysis.

Virtual Environment

Creating a virtual environment as a virus laboratory is one alternative for analyzing a virus. The other choice is to prepare a special computer dedicated to research, but that needs relatively more resources, because you have to prepare the hardware (a physical machine), the installation, and the required system backup.

In a virtual machine environment, a program executes as if it were running on the actual machine, but it is really executed on a copy of a machine with a virtually complete operating system platform that is not directly connected to the hardware.

This technology allows one computer to host one or more virtual machines, each running its own operating system. The usefulness of a virtual machine is certainly not limited to virus analysis; depending on need, it can be used to test specific operating systems, to test applications on various operating systems, for emulation, and so on.

Examples of software for creating a virtual machine are VMware (vmware.com), Virtual PC from Microsoft, and VirtualBox (virtualbox.org).

Since a virtual machine emulates a whole operating system and still needs time to boot and enter the virtual operating system environment, we can try another alternative: a virtual environment on a smaller scale, which provides an isolated quarantine space while a program runs and emulates the changes that occur. This space can then be discarded again, and no changes are left on the actual system.

Malware or suspicious programs can be run in this environment so that their activity can be analyzed. One application for this purpose is Sandboxie (sandboxie.com), which can run applications such as web browsers, online games, instant messengers and suspicious executable files in isolation. Such applications can potentially damage the system if malware rides on them.

Like a virtual machine, Sandboxie also does not access the hardware directly. The difference is that with Sandboxie you still stay on the real (non-virtual) operating system. It is of course possible to build double protection by using this sandbox technique inside a virtual machine.

Programming Languages Used

To investigate a virus you must recognize, or at least know, what constitutes a file suspected of being a virus. A virus is basically a normal application like any other program, but its code is meant to perform destructive operations, to spread, and to defend itself. So every programming language that can access the system and perform various operations can be used to create malware. Some categories of programming language that are quite popular for making viruses/malware are, among others:

1. Low-level programming language.

A low-level programming language is closer to the hardware instructions; the example is assembly language. In reverse code engineering, the term disassembly refers to translating machine language back into assembly language. Programs (including viruses) written in a low-level programming language are more efficient and faster than those written in a high-level language.

2. High-level programming language.

A high-level programming language already uses elements of natural language, is more user friendly, and hides the machine-level (low-level) details and operations from the user. In Indonesia viruses created with Visual Basic (mostly the classic VB versions such as VB6, not the .NET generation) are quite commonly found; among other things, their trademark is the use of the runtime library MSVBVM60 and the like, which is visible in the body of the virus. Besides Visual Basic, other high-level languages often used to create viruses and other malware are C/C++ and Delphi. A high-level programming language requires a compiler/interpreter that translates the source code into a binary form that can be executed.

3. Script host.

A scripting language often used to create viruses is VBScript. The way it works can be compared with a batch file, but with more capabilities and features. Because it is a script and does not go through a compilation process into a binary file, the code of a VBScript-type virus can be read by opening the file containing the virus in a text editor. But not all VBScript viruses can be read easily. Various techniques are applied to make the virus harder to analyze, among others giving variables meaningless names that look random, writing the program code in an untidy structure, or writing characters by their ASCII code, for instance the character "A" written as Chr(65).

4. Macro Language.

A macro language is a programming language built into a software application that allows program code to be embedded in a document, which unfortunately can be misused to make a virus. The virus produced this way is called a macro virus. Viruses of this type were popular in the mid-1990s, using the macro/scripting language available in Microsoft Office applications, so that Microsoft Word/Excel documents and spreadsheets could be infected.

5. Cross Site Scripting (XSS).

XSS exploits a vulnerability in a web application that enables an attacker to inject a script that is seen by visitors of the web page. XSS exploit code is generally written in HTML and JavaScript and is executed on the client/web browser. XSS also allows the theft of cookies, and research has even shown that XSS attacks can take over the browser, similar to Trojan programs.

Therefore, the files that can be suspected of being a virus are not limited to executable (PE) files but can also be .vbs files (VBScript), document files that carry macros, even PDFs, as well as suspicious URL addresses.
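The obfuscation tricks described under item 3 above (characters written as Chr(65), strings split into concatenated pieces, meaningless variable names) can be undone mechanically before reading a script sample. The following is an added example for this article, not code from the original post or from any tool it names: it resolves Chr()/ChrW() calls that have a literal numeric argument (expressions such as Chr(60 + 5) are left alone) and merges adjacent string literals, so the strings the script really uses become readable. The sample script is constructed and harmless; it only builds a text and shows it.

```python
import re

# Added example, not the article's own code: undo the Chr()/string-splitting
# tricks described above so a VBScript sample's string literals can be read.

CHR_CALL = re.compile(r"\bChrW?\(\s*(\d+)\s*\)", re.IGNORECASE)
# Two adjacent VBScript string literals joined by &; "" inside a literal is an escaped quote.
CONCAT = re.compile(r'"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"')
LITERAL = re.compile(r'"((?:[^"]|"")*)"')


def fold_chr(line):
    """Replace Chr(n)/ChrW(n) with a literal numeric argument by the character itself."""
    def to_literal(m):
        ch = chr(int(m.group(1)))
        return '"' + ch.replace('"', '""') + '"'   # Chr(34) becomes an escaped quote
    return CHR_CALL.sub(to_literal, line)


def fold_concat(line):
    """Merge "a" & "b" into "ab" until no adjacent pair of literals remains."""
    previous = None
    while previous != line:
        previous = line
        line = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', line)
    return line


def deobfuscate(script):
    """Apply both folds line by line; variables between literals are left untouched."""
    return "\n".join(fold_concat(fold_chr(ln)) for ln in script.splitlines())


def string_literals(script):
    """List the string literals of a (deobfuscated) script, unescaping doubled quotes."""
    return [m.group(1).replace('""', '"') for m in LITERAL.finditer(script)]


# Constructed, harmless sample in the style the section describes: meaningless
# variable names and text assembled from Chr() codes and split literals.
SAMPLE = '''Dim xq1, xq2
xq1 = Chr(86) & Chr(105) & "ru" & Chr(115) & " la" & "b"
xq2 = Chr(34) & xq1 & Chr(34)
MsgBox xq2'''

if __name__ == "__main__":
    cleaned = deobfuscate(SAMPLE)
    print(cleaned)
    print("string literals:", string_literals(cleaned))
```

Running the block prints the second line as `xq1 = "Virus lab"`; the third line keeps its `xq1` in the middle, with Chr(34) shown as the escaped quote `""""`. On a real sample the recovered literals (file names, registry paths, object names) are what you would look for next in a text editor or HEX editor.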

Virus Bait

A virus laboratory can also be used to trap a virus in order to study its further actions, by providing bait: the kinds of data that viruses often infect or damage, such as executable files, Microsoft Office documents that are often targeted by viruses (*.doc, *.xls, *.ppt), mp3 audio files, video files and other formats.

Spreading via removable disks can also be simulated by plugging in a removable disk/flash disk and watching what the virus does with it. Be sure not to store important or sensitive data on either the virtual machine or the flash disk.

HEX Editor

After you have prepared a safe environment for analysis and have a sample file suspected of being a virus, equip yourself with the right tools. One of them is a HEX editor for examining the body of the virus. There are quite a few choices, among others Hex Workshop (http://www.hexworkshop.com), Hex Editor Neo (http://hhdsoftware.com), and so on. If the virus is in the form of a script, you can view it with a regular text editor. Sometimes you can find a specific message in the virus body, or a call to a certain function, that gives clues about the characteristics of the virus.

PE Analysis

As I wrote in the article "Dissecting the PE file" in the 02/2010 issue, PE files have a structured format that can be analyzed, but they need to be opened with a PE viewer/analyzer tool such as PE Insight, PEview and many other similar tools. The information displayed includes the contents of the DOS header, the sections the file owns, and the APIs and DLLs it uses. In some cases the characteristics of the virus can already be read from this.

File Identification Tool

If you rely only on a HEX editor or PE viewer, you may come across a virus file that shows no message and no understandable characters at all: the virus body contains only random characters. In this case you need a tool to identify the file. Why is that necessary?

From earlier articles that discussed reverse code engineering you may already know what is called a packer. A packer is often used by a virus to wrap itself, so that when you dissect the virus body statically you see only meaningless characters, because the original virus routine has been packed and is only unpacked again when it executes.
By knowing which packer the virus uses, you can unpack it and dissect the actual body of the virus. A great many packers are available for download on the internet.
Fortunately there are tools that can quickly identify files, among others PEiD (http://www.peid.info), which can identify the packer/compiler used by an executable file. ExeInfoPE (http://www.exeinfo.cjb.net) may also be considered for the same purpose.

Unpack tool

Once we know a virus uses a specific packer, the next thing you can do is unpack it. Generally a packer application also has a built-in feature that you can use to unpack.
For example with the UPX packer (http://upx.sourceforge.net), you simply add the -d parameter to the upx command at the command prompt to decompress/unpack executable files packed with UPX. Other tools such as Quick Unpack also try to unpack generically, according to the detected OEP (original entry point).
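The PE Analysis, File Identification and Unpack tool sections above describe what a PE viewer and an identifier such as PEiD look at: the DOS header, the section table, and signs that the body is packed. The following is an added example written for this article, not code from the original post, from PEiD or from UPX: a minimal PE32 header parser that lists the sections and applies two simple packing indicators, the well-known UPX0/UPX1 section names and high per-section entropy (random-looking bytes, exactly the "meaningless characters" the File Identification section describes). The sample files are constructed in memory; the 7.0 bits-per-byte threshold and the 0x14C (i386) and 0x10B (PE32) constants are standard PE values, while the file layout of the samples is an assumption made only to keep the example self-contained.

```python
import hashlib
import math
import struct

# Added example, not the article's or any tool's code: a minimal PE32 parser plus
# two packing heuristics (UPX section names, per-section entropy) over samples built here.

FILE_ALIGN, SECTION_ALIGN = 0x200, 0x1000
OPT_HEADER_SIZE = 224          # size of a PE32 optional header


def _align(n, a):
    return (n + a - 1) // a * a


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant block, close to 8.0 for random or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image):
    """Read the DOS header, COFF header, entry point and the section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]      # offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i                          # 40-byte section headers
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, hdr)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": rawsize,
            "characteristics": flags, "entropy": shannon_entropy(raw),
            "has_entry": va <= entry_rva < va + max(vsize, rawsize),
        })
    return {"machine": machine, "entry_rva": entry_rva, "sections": sections}


def assess(report, entropy_threshold=7.0):
    """Packing indicators: UPX section names and high-entropy sections (worse if the entry point is there)."""
    findings = []
    if any(s["name"].startswith("UPX") for s in report["sections"]):
        findings.append("section names UPX0/UPX1: looks UPX-packed")
    for s in report["sections"]:
        if s["raw_size"] and s["entropy"] >= entropy_threshold:
            where = "entry point in" if s["has_entry"] else "section"
            findings.append(f"{where} {s['name']} with entropy {s['entropy']:.2f}: "
                            "likely compressed or encrypted code")
    return findings


def pseudo_random(n, seed=b"constructed sample"):
    """Deterministic high-entropy filler standing in for a packed section."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe(sections):
    """Assemble a minimal, structurally valid PE32 image from (name, bytes) pairs."""
    headers_end = 0x40 + 4 + 20 + OPT_HEADER_SIZE + 40 * len(sections)
    raw_ptr, va, entry_rva = _align(headers_end, FILE_ALIGN), SECTION_ALIGN, 0
    sec_hdrs, body = b"", b""
    for name, data in sections:
        rawsize = _align(len(data), FILE_ALIGN)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                                va, rawsize, raw_ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        if data and not entry_rva:
            entry_rva = va                  # entry point in the first section holding data
        body += data.ljust(rawsize, b"\0")
        raw_ptr += rawsize
        va += _align(max(len(data), 1), SECTION_ALIGN)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HEADER_SIZE, 0x0102)
    opt = bytearray(OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs
    return head.ljust(_align(headers_end, FILE_ALIGN), b"\0") + body


# Constructed samples: a UPX-style layout with a random-looking code section, and a
# plain file whose .text is repetitive (entropy exactly 4.0 bits per byte).
PACKED = [("UPX0", b""), ("UPX1", pseudo_random(4096))]
CLEAN = [(".text", bytes(range(16)) * 256)]

if __name__ == "__main__":
    for label, layout in (("packed", PACKED), ("clean", CLEAN)):
        report = parse_pe(build_sample_pe(layout))
        print(label, [(s["name"], round(s["entropy"], 2)) for s in report["sections"]])
        for finding in assess(report) or ["no packing indicators"]:
            print("  -", finding)
```

On a real file you would pass `open(path, "rb").read()` to `parse_pe`; a UPX finding is the cue for the `upx -d` step described above, while a high-entropy section without a known packer name is the case where a generic unpacker or the debugger becomes necessary. Entropy alone is only an indicator: resources such as embedded images are also high-entropy, which is why the check reports whether the entry point lies in the suspicious section.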

Debugger / Disassembler

Advanced analysis is where we need to disassemble the PE file suspected of being a virus, so that it takes the form of assembly code that can then be analyzed further. Tool options include OllyDbg (http://www.ollydbg.de), W32DAsm (http://www.exetools.com/dissemblers.htm) or IDA Pro (http://www.hex-rays.com/idapro).
At this stage a virus can be analyzed more accurately. The consequence is that this work takes time and low-level knowledge; the resulting assembly code sometimes requires a long debugging process, especially when it was translated from an executable created with a high-level programming language.

Anti-emulation

Viruses keep innovating to protect themselves, so that they are hard to analyze and disable. Anti-emulation techniques are developed so that the virus can avoid emulation.
One technique is to run instructions that the emulator does not support, so that an exception occurs and the virus program does not run. A virus can also try to access web pages to detect internet access, and run its routine only when internet access exists. This also means the virus does not run on a virtual machine or computer without internet access.

Thus it may be that the virus laboratory we have prepared still cannot analyze a number of viruses that use certain techniques; in such cases we might need a special computer dedicated to virus analysis after all.

Closing

The tools you can prepare in your virus laboratory are not limited to those mentioned in this article.

Various tools and their functions keep growing (along with virus technology, which also keeps developing), although too many tools are not effective either.
Using the right tool for the exact problem is the ideal way, and this is more of an art of analysis that may differ from one virus analyst to another. Ready to build your own virus laboratory?
