3) Rootkits, Web Threats and Internet Forensics Flashcards
What are rootkits?
Programs/malware whose main goal is to gain access to the infected system without being detected. They hide from the OS.
What types of rootkits do exist?
User mode: Runs in ring 3 of the OS. Can only hide itself from other ring 3 applications (like explorer.exe), but not from kernel-mode code.
Kernel mode: Runs at least partially in kernel mode (ring 0). Much more powerful than user-mode rootkits.
What is meant by Hooking?
Hooking is the interception of system calls or messages / events sent between other programs and / or software components. Example: a keylogger that sits between the keyboard and the computer.
What are ways to find Rootkits?
- Run an AV scan to find obvious rootkits.
- Compare the user-level view with the kernel-level view by running key API calls and comparing the results.
- Look for OS hooks.
List some Rootkit Detection Tools.
Rootkit scanners are: Rootkit Buster, GMER, RootRepeal
What is the problem with rootkits and Windows x64?
Windows x64 only accepts digitally signed drivers for kernel mode. Rootkit developers are not able to sign their malicious code, so they switched to bootkits. A bootkit tries to intercept the startup routine of a computer.
What is the goal of Web Attacks?
Place a malicious piece of software on the victim's computer or get access to sensitive information (PII).
What are the two major categories of web exploits?
Exploits against the browser or exploits against a browser plugin.
Name the four steps of how an attack works.
- Passively analyse the victim's browser to find out which exploit kit works best.
- Find a vulnerability in the browser where malicious shellcode can be placed.
- Execution of the shellcode.
- The shellcode normally downloads the key payload.
List a few ways how to hide web attacks.
- iframe
- iframe with zero size
- JS with document.write() function
- JS with the escape/unescape functions to encode ASCII letters, combined with the eval function
- fromCharCode() translates ASCII numbers to ASCII characters
- arguments.callee in JS: a reference to the function itself, used to check whether modifications were performed.
Name two actions a malicious hop does.
REDIRECT or EXPLOIT
How do attackers obfuscate JavaScripts?
- Write code on one line
- Use document.write() function to put together code snippets (a+b+c)
- Usage of escape function
- Eval function
- fromCharCode()
- Use strange / random variable names
- Spaghetti code
- Functions within functions
What are useful steps in analyzing obfuscated JavaScripts?
- Re-define the document.write or eval function at the beginning of the script
- Change document.write to alert
- Write out document.write into a textarea
- Use online/offline deobfuscation tools
What does the eval function do?
It checks whether the string is valid JavaScript and then executes it.
What is meant by escape/unescape?
Translate characters from letters to ASCII codes and back.
What does the fromCharCode() function do?
Translates ASCII numbers to ASCII letters.
Name a few tools to deobfuscate JavaScript.
Revelo, JavaScript Beautifier, CyberChef
With what can the document.write function be replaced? Give a few examples.
alert or textarea
What does arguments.callee do?
It returns the content of the function itself. An attacker can check whether the code has been tampered with (checking the length, iterating through all characters in the function) => integrity checks.
What is Maltego?
Maltego is a data visualisation tool for open source intelligence gathering. It shows the relationships between various entities in a graph and can also run automated queries for information gathering (transforms).
What are the most common DNS record types?
- A
- AAAA
- CNAME
- PTR
- MX
- NS
- SOA
- SRV
- TXT
Name some Google advanced search parameters.
- intitle
- intext
- inurl
- ext
- filetype
How can we find out which sites have been visited by a particular company with Maltego?
Find the public IP range (via MX records). Look for any websites where this IP is stored (in a changelog, for example).
Describe how an attacker could use an Open Source Intelligence approach with tools such as Google, Pipl and Maltego to map a list of important employees in an organisation as the first phase in a targeted attack.
The first phase is information / intelligence gathering about the target persons and their relationships. There is a lot of information available not only via Google but also on social media sites. Find the aliases of a person. The more information is present, the better a targeted attack (CEO fraud) or a social engineering attack will be.
How can you find other malicious sites you don't know from a malicious site you already know?
- IPs under same domain
- uses the same infrastructure components (DNS records)
- same domain holders
- same ASN
- uses the same SSL certs.
Why do Exploit Kits normally first attempt to determine the OS and browser version of the visiting browser?
To determine which exploits to serve to the victim in order to have the best chance of triggering a successful infection.
Describe what is meant by the term Zero-Day Exploit, and what sort of attacks would these commonly be used in.
An exploit for a vulnerability for which there is no current patch / defence.
Why has the price of Zero-Day Exploits risen to the point that normal criminals cannot generally afford them?
Governments are pricing them out of the market in order to use them for espionage. They are now considered the equivalent of an advanced targeting chip for attacks.