3) Rootkits, Web Threats and Internet Forensics

Question 1

What are rootkits?

Answer 1

Programs/malware with the main goal to gain access to the infected system without being detected. Hides from OS.

Question 2

What types of rootkits do exist?

Answer 2

User mode: Runs in ring 3 of the OS. Can only hide itself from other ring 3 applications (like explorer.exe) but not from kernel mode applications.

Kernel mode: Runs at least partially in kernel mode (ring 0). Much more powerful than user mode rootkits.

Question 3

What is meant by Hooking?

Answer 3

Hooking is the interception of system calls or messages / events sent between other programms and / or software components. Example: keylogger that sits between Keyboard and Computer.

Question 4

What are ways to find Rootkits?

Answer 4

• Run AV scan to find obvious rootkits
• Compare User Level view with kernel level view by running key API calls and compare results.
• Look for OS hooks.

Question 5

List some Rootkit Detection Tools.

Answer 5

Rootkit scanners are: Rootkit buster, GMER, RootRepeal

Question 6

What is the problem with rootkits and Windows x64?

Answer 6

Win x64 only accepts digitally signed drivers to access kernel mode. Rootkits developers are not able to sign their malicious code. Switch to bootkits. A bootkits tries to intercept the startup routine of a computer.

Question 7

What is the goal of Web Attacks?

Answer 7

Place a malicious piece of software on the victims computer or get access to sensitive information (PII)

Question 8

What are the two major categories of web exploits?

Answer 8

Exploits against browser or exploits against browser plugin.

Question 9

Name the four steps how an attack work.

Answer 9

• Passively analyse the victims browser to find out which exploit kit works best.
• Find vulnerability in the browser where malicous shell code can be place.
• Execution of shell code.
• Shell code normally downloads key payload.

Question 10

List a few ways how to hide web attacks.

Answer 10

• iframe
• iframe with zero size
• JS with document.write() function
• JS with escape/unscape function to encode ASCII letters eval function
• fromCharCode() translates ASCII numbers to ASCII characters
• argument.callee function of JS. Reference to itself. Used to check with modification where performed.

Question 11

Name two actions a malicious hop does.

Answer 11

REDIRECT or EXPLOIT

Question 12

How do attackers obfuscate JavaScripts?

Answer 12

• Write code on one line
• Use document.write() function to put together code snippets (a+b+c)
• Usage of escape function
• Eval function
• fromCharCode()
• Use strange / random variables
• Spaghetti code
• Functions within functions

Question 13

What are useful steps in analyzing obfuscated JavaScripts?

Answer 13

• Re-define document.write or eval function at the beginning of the script
• Change document.write to alert
• Write out document.write into a textarea
• Use online/offline deobfuscation tools

Question 14

What does the eval function do?

Answer 14

It checks if the function is a real JavaScript and then executes it.

Question 15

What is meant by escape/unescape?

Answer 15

Translate characters from letters to ASCII code and back.

Question 16

What does the fromCharCode() function do?

Answer 16

Translates ASCII numbers to ASCII letters.

Question 17

Name a few tools to deobfuscate JavaScript.

Answer 17

Revelo, JavaScript Beautifier, CyberChef

Question 18

With what can the document.write function be replaced? Give a few examples.

Answer 18

alert or textarea

Question 19

What does the function argument.callee()?

Answer 19

It will return back the content of the function itself. Attacker can check if code has been tampered (checking length, iterate through all characters in the function). => integrity checks.

Question 20

What is Maltego?

Answer 20

Maltego is data visualising tool for open source intelligence gathering. It shows in a graph reletationships of various entities and can also run automated queries for information gathering (transforms).

Question 21

What are the most common DNS record types?

Answer 21

• A
• AAAA
• CNAME
• PTR
• MX
• NS
• SOA
• SRV
• TXT

Question 22

Name so Google Advanced search parameters.

Answer 22

• intitle
• intext
• inurl
• ext
• filetype

Question 23

How can we find out site visited by a particular company with Maltego?

Answer 23

Find public IP range (via MX records). Look for any websites where this IP is stored (in changelog for example)

Question 24

Describe how an attacker could use an Open Source Intelligences approach with tools such as Google, Pipl and Maltego to map a list of important employees in an organisation as the first phase in a targeted attacks.

Answer 24

First phase information / intelligence gathering about target person and their relationsship. There is a lot of information available not only via Google but also on social media site. Find alias of a person. The more information present the better will be a targeted attack (CEO fraud) or a social engineering attack.

Question 25

How can you find any other malicious site you don’t know from a malicious site you already know?

Answer 25

• IPs under same domain
• uses same infrastructure components (DNS records)
• same domain holders
• same ASN
• uses same SSL certs.

Question 26

Why do Exploit Kits normally first attempt to determine the OS and browser version of the visiting browser?

Answer 26

Te determine which exploits to serve to the victim in order to have the best chance of triggering a successful infection.

Question 27

Describe what is meant by the term Zero-Day Exploit, and what sort of attacks would these commonly be used in.

Answer 27

An exploit for a vulnerability for which there is no current patch / defence.

Question 28

Why has the price of Zero-Day Exploit risen to the point that normal criminals can not generally afford them?

Answer 28

Governments are pricing them out of the market to use them for espionage. They are now consider the equivalent of an advanced targeting chip for attacks.