Chapter 11 - Trojans & Other Attacks Flashcards
Overt Channels vs Covert Channels
Overt - legitimate communication channels used by programs. Covert - channels used to transport data in unintended ways.
Wrappers
Programs that allow you to bind an executable to an innocent file
Crypters
Use a combination of encryption and code manipulation to render malware undetectable to security programs.
Packers
Use compression to pack the executable which helps evade signature based detection.
Infinity
Exploit Kit
Bleeding Life
Exploit Kit
Crimepack
Exploit Kit
Blackhole
Exploit Kit
What is an exploit kit?
Helps deliver exploits and payloads.
Proxy Server Trojan
Allows an attacker to use the target system as a proxy.
Chewbacca
Botnet Trojan
Skynet
Botnet Trojan
Botnet Trojan
Turns the computer into a bot
RAT
Remote access Trojan
MoSucker
Remote Access Trojan
Optix Pro
Remote Access Trojan
Blackhole
Remote access trojan
Zeus
E-Banking Trojans
Spyeye
E-Banking Trojans
Command Shell Trojan
Provides a backdoor to connect to through command-line access
Netcat
With malicious intent, can be considered a trojan
Trojan - Death
Port 2
Trojan - Senna Spy
Port 20
Trojan - Hacker’s Paradise
Port 31, 456
Trojan - TCP Wrappers
Port 421
Trojan - Doom, Satanz Backdoor
Port 666
Trojan - Silencer, WebEx
Port 1001
Trojan - RAT
Port 1095-98
Trojan - SubSeven
Port 1243
Trojan - Shiva-Burka
Port 1600
Trojan - Trojan Cow
Port 2001
Trojan - Deep Throat
Port 6670-71
Trojan - Tini
Port 7777
Trojan - NetBus
Port 12345-6
Trojan - Whack a Mole
Port 12361-3
Trojan - Back Orifice
Port 31337, 31338
Netstat -an
Shows open ports in numerical order
Netstat -b
Displays all active connections and the processes using them
Process Explorer
Microsoft tool that shows you everything about running processes
SysAnalyzer
Registry monitoring tool
Tiny Watcher
Registry monitoring tool
Active Registry Monitor
Registry monitoring tool
Regshot
Registry monitoring tool
Msconfig
Windows program that shows all programs set to run at startup
Tripwire
Integrity verifier that can act as a HIDS in protection against trojans
SIGVERIF
Built into Windows to verify the integrity of the system. Log file can be found at c:\windows\system32\sigverif.txt
Virus
Self-replicating program that reproduces by attaching copies of itself to other executable code. Usually installed by the user.
Ransomware
Malicious software designed to deny access to a computer until a price is paid; usually spread via email.
WannaCry
Famous ransomware. Within 24 hours, had 230,000 victims; exploited unpatched SMB
Cryptorbit
Ransomware type
Cryptolocker
Ransomware type
CryptoDefense
Ransomware type
Boot Sector Virus
Known as system virus; moves boot sector to another location and then inserts code into the original location.
Shell Virus
Wraps around an application’s code, inserting itself before the application’s
Cluster Virus
Modifies directory table entries so every time a file or folder is opened, the virus runs.
Multipartite Virus
Attempts to infect both the boot sector and files; generally referred to as a virus with multiple infection methods
Macro Virus
Written in VBA ; infects template files - mostly Word and Excel
Polymorphic Code Virus
Mutates its code by using a polymorphic engine; difficult to find because code is always changing.
Encryption Virus
Uses encryption to hide the code from antivirus
Metamorphic Virus
Rewrites itself every time it infects a new file.
Stealth Virus
Known as a tunneling virus; attempts to evade AVs by intercepting their requests and answering them itself instead of letting them pass to the OS
Cavity Virus
Overwrites portions of host files so as not to increase the actual size of the file; uses null content sections
Sparse Infector Virus
Only infects occasionally (e.g. every 10th time)
File Extension Virus
Changes the file extensions of files to take advantage of most people having extension display turned off (readme.txt.vbs shows as readme.txt)
Sonic Bat
Virus maker
Poison
Virus maker
Sam’s Virus Generator
Virus maker
IPS Virus Maker
Virus maker
Worm
Self-replicating malware that sends itself to other computers without human intervention. Often used in botnets, resides in active memory.
Ghost Eye Worm
Hacking tool that uses random messaging on Facebook and other sites to perform a host of malicious efforts
What are the steps to analyzing malware?
1. Use a VM with the NIC in host-only mode and no open shares. 2. Analyze the malware on the isolated VM in a static state. 3. Run the malware and check out the processes. 4. Check and see what files are added, changed, or deleted.
What is a Sheepdip system?
A system that is used to check things introduced into a network. It is air-gapped.
Botnets can be controlled over…
HTTP, HTTPS, IRC, ICQ
DDoS Attack Category - Fragmentation Attacks
Attacks take advantage of the system’s ability to reconstruct fragmented packets.
DDoS Attack Category - Volumetric Attacks
Bandwidth attacks; consume all bandwidth for the system of service.
DDoS Attack Category - Application Attacks
Consume the resources necessary for the application to run. Usually against weak code.
DDoS Attack Category - TCP-State-exhaustion attacks
Go after load balancers, firewalls, and application servers.
DDoS Attack - SYN Attack
Send thousands of SYN packets to the machine with a false source address; eventually engages all resources and exhausts the machine.
DDoS Attack - SYN Flood
Sends thousands of SYN packets to the target; does NOT spoof the IP, but doesn't respond to the SYN/ACK
DDoS Attack - ICMP Flood
Sends ICMP Echo packets with a spoofed address; eventually reaches limit of packets per second sent.
DDoS Attack - Smurf Attack
Sending a large number of pings to the broadcast address of the subnet with source IP spoofed as the target; entire subnet responds exhausting the target.
DDoS Attack - Fraggle
Same as smurf but with UDP packets
DDoS Attack - Ping of Death
Fragments ICMP messages; after reassembled, the ICMP packet is larger than the maximum size and crashes the system.
DDoS Attack - Teardrop
Overlaps a large number of garbled IP fragments with oversized payloads; causes older systems to crash due to fragment reassembly.
DDoS Attack - Peer to Peer
Clients of a peer-to-peer file sharing hub are disconnected and directed to connect to the target system.
DDoS Attack - Phlashing
A DoS attack that causes permanent damage to a system; also called bricking a system.
DDoS Attack - LAND attack
Sends a SYN packet to the target with a spoofed IP the same as the target; if vulnerable, target loops endlessly and crashes.
Low Orbit Ion Cannon (LOIC)
DDoS tool that floods target with TCP, UDP, or HTTP requests.
Trinity
Linux based DDoS tool
Tribe Flood Network
Uses voluntary botnet systems to launch massive flood attacks
R-U-Dead-Yet (RUDY)
DoS with HTTP POST via long-form field submissions.
Session Hijacking
Attacker waits for session to begin and after the victim authenticates, steals the session for himself.
Session Hijacking steps are:
1. Sniff traffic between client and server. 2. Monitor the traffic and predict the sequence number. 3. Desynchronize the session with the client. 4. Predict the session token and take over the session. 5. Inject packets to the target server.
Session Hijacking can be predicted by looking at _____________
Predicting can be done by knowing the window size and the packet sequence number. Sequence numbers increment on acknowledgement. For example, an ACK of 105 with a window of 200 means you could expect sequence numbering from 105 to 305.
Ettercap
Man-in-the-middle tool and packet sniffer on steroids.
Hunt
Sniff, hijack and reset connections
T-Sight
Easily hijack sessions and monitor network connections
Zaproxy
Session Hijacking tool
Paros
Session Hijacking tool
Burp Suite
Session Hijacking tool
Juggernaut
Session Hijacking tool
Hamster
Session Hijacking tool
Ferret
Session Hijacking tool
How can you defend against session hijacking?
- Using unpredictable session IDs. - Limiting incoming connections. - Minimizing remote access. - Regenerating the session key after authentication. - Using IPSec to encrypt.
IPSec - Transport Mode
Payload and ESP trailer are encrypted; IP header is NOT
IPSec - Tunnel Mode
Everything is encrypted; cannot be used with NAT
IPSec - Authentication Header
Guarantees the integrity and authentication of IP packet sender
IPSec - Encapsulating Security Payload (ESP)
Provides origin authenticity and integrity as well as confidentiality.
IPSec - Internet Key Exchange (IKE)
Produces the keys for the encryption process.
IPSec - Oakley
Uses Diffie-Hellman to create master and session keys.
Internet Security Association Key Management Protocol (ISAKMP)
Software that facilitates encrypted communication between two endpoints.